Antivirus & Antispam Management#

This section contains directions to manage the ClamAV Anti-Virus engine.

ClamAV Signatures Updater#

ClamAV can load external signatures, that is, lists of hashes or fingerprints of malware organised into so-called signature databases, which let it recognise a broader range of threats sent by e-mail.

There are many signature providers that ClamAV can use, most of them licensed as Open Source; however, using multiple signature databases does not always make the ClamAV engine more precise. Indeed, using too many signature databases may in some circumstances lead to false positives, marking legitimate e-mails as viruses and sending them to the quarantine or deleting them. Moreover, since the signatures are loaded into RAM to allow for faster checks, this can lead to high CPU usage and, in case a database or a signature is corrupted or not 100% compatible, to the failure of the whole ClamAV engine.

For these reasons, Carbonio receives its signatures from a security partner; they are guaranteed to be 100% compatible with ClamAV and reduce the risk of false positives. To keep the signatures updated, Carbonio provides a system service, carbonio-avdb-updater.

To install it (in case it is not already present), log in to the Proxy Node, update the list of packages to make sure the latest version is picked up, then install the updater with the command for your OS

# apt install carbonio-avdb-updater
# dnf install carbonio-avdb-updater

To complete the installation, run

# pending-setups -a

The command will ask for the password stored in the /var/lib/service-discover/password on the Directory Leader Node (i.e., the node on which the Mesh server is installed).

Verify Signature Status#

In order to verify that the service is working and signatures are updated, you can check the service’s log.

# journalctl -u carbonio-avdb-updater.service

If the signatures are updated, you will find in the log a block similar to:

Oct 18 09:28:25 srv2.example.com systemd[1]: Started Carbonio anti-virus updater
..
Oct 18 09:28:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:28.028 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* S T A R T I N G ********************
Oct 18 09:28:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:28.039 [pool-1-thread-1] INFO  c.z.a.client.networking.Downloader - download starting : /md5list.txt
Oct 18 09:28:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:28.343 [pool-1-thread-1] INFO  c.z.a.client.networking.Downloader - download finished : /md5list.txt
Oct 18 09:28:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:28.361 [ForkJoinPool.commonPool-worker-2] INFO  c.z.a.client.networking.Downloader - download starting : /securiteinfopdf.hdb
Oct 18 09:28:29 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:29.594 [ForkJoinPool.commonPool-worker-2] INFO  c.z.a.client.networking.Downloader - download finished : /securiteinfopdf.hdb
..
Oct 18 09:28:44 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:44.383 [pool-2-thread-1] INFO  c.z.a.client.networking.Downloader - download finished : /javascript.ndb
Oct 18 09:28:51 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:51.582 [AVDB Scheduler_Worker-1] INFO  c.z.a.c.processing.ProcessExecutor - Added entry [/opt/zextras/bin/zmprov mcf +carbonioClamAVDat>
..
Oct 18 09:29:48 srv2.example.com carbonio-avdb-updater[2628063]: 09:29:48.930 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* F I N I S H E D ********************

Note

The above snippet is shortened for clarity.

The important information here is the pair of S T A R T I N G and F I N I S H E D messages, which mark the start and the successful termination of the signature update process. The same two messages are present when no update is available and nothing is downloaded:

Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.017 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* S T A R T I N G ********************
Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.019 [pool-21-thread-1] INFO  c.z.a.client.networking.Downloader - download starting : /md5list.txt
Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.035 [pool-21-thread-1] INFO  c.z.a.client.networking.Downloader - download finished : /md5list.txt
Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.039 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* F I N I S H E D ********************
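
The check described above can be automated: the following added example (not part of Carbonio or of carbonio-avdb-updater) reads the updater's journal lines and reports whether the most recent run reached F I N I S H E D. The sample log lines are constructed, modelled on the snippets on this page.

```bash
#!/bin/sh
# Added example, not Carbonio code: classify the last carbonio-avdb-updater run
# from its log lines. Pipe in "journalctl -u carbonio-avdb-updater.service"
# (or one of the constructed samples below).
# Prints: finished   - last S T A R T I N G was followed by F I N I S H E D
#         unfinished - a run started but never reported F I N I S H E D
#         never-ran  - no S T A R T I N G marker in the log at all
update_status() {
    awk '
        /S T A R T I N G/ { start  = NR }   # remember the most recent start
        /F I N I S H E D/ { finish = NR }   # and the most recent finish
        END {
            if (start == 0)          print "never-ran"
            else if (finish > start) print "finished"
            else                     print "unfinished"
        }
    '
}

# Convenience wrapper: classify a log held in a shell variable.
status_of() { printf '%s\n' "$1" | update_status; }

# Constructed sample: a healthy run with no new databases to download.
sample_ok='Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.017 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* S T A R T I N G ********************
Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.035 [pool-21-thread-1] INFO  c.z.a.client.networking.Downloader - download finished : /md5list.txt
Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.039 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* F I N I S H E D ********************'

# Constructed sample: a run that started a download and never finished.
sample_hung='Oct 18 09:28:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:28.028 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* S T A R T I N G ********************
Oct 18 09:28:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:28.361 [ForkJoinPool.commonPool-worker-2] INFO  c.z.a.client.networking.Downloader - download starting : /securiteinfopdf.hdb'

# Example invocation against the live journal (output not captured here):
#   journalctl -u carbonio-avdb-updater.service | update_status
```
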

The update process in detail

The signature update service maintains a list of the files/databases it downloads and their md5 checksums (md5sum) in the file /opt/zextras/av_signatures/md5list.txt, which is also referenced from LDAP. All the downloaded databases are stored under the same /opt/zextras/av_signatures/ directory.

The first task that the updater carries out is to download the md5list.txt file and verify the md5sums of the signature databases; a new signature database is downloaded only when the md5sum in the file does not match the one of the local file. This also means that if a signature database is not present (e.g., because it was deleted by mistake), it will be automatically downloaded.

A new database can be added simply by adding its name and md5sum to the /opt/zextras/av_signatures/md5list.txt file, while removing an entry from that file makes the corresponding database unavailable to ClamAV.
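The verification step just described, as an added example (not Carbonio's own code): compare a local signature directory against md5list.txt and list the databases the updater would have to download because they are missing or their checksum differs. It assumes md5list.txt uses the md5sum(1) layout, "<md5>  <filename>", with filenames written as on the download paths in the log above (leading slash); the fixture it builds is constructed for the demonstration.

```bash
#!/bin/sh
# Added example, not Carbonio code. Assumes md5list.txt lines look like
# "<md5>  /name.hdb", i.e. md5sum(1) output with the download path as name.
# Usage: stale_signatures <md5list.txt> <signature directory>
# Prints one line per database that is missing or whose md5sum differs.
stale_signatures() {
    list="$1"
    dir="$2"
    while read -r expected name; do
        [ -z "$name" ] && continue               # skip blank / malformed lines
        case "$expected" in \#*) continue ;; esac # skip comment lines
        file="$dir/${name#/}"                    # entries carry a leading slash
        if [ ! -f "$file" ]; then
            echo "$name missing"                 # updater would download it
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "$name mismatch"                # corrupted or outdated copy
        fi
    done < "$list"
}

# Constructed fixture: one up-to-date database, one corrupted, one missing.
demo_stale_signatures() {
    tmp=$(mktemp -d)
    printf 'good\n' > "$tmp/securiteinfopdf.hdb"
    printf 'bad\n'  > "$tmp/javascript.ndb"
    good_sum=$(md5sum "$tmp/securiteinfopdf.hdb" | cut -d' ' -f1)
    {
        echo "$good_sum  /securiteinfopdf.hdb"
        echo "00000000000000000000000000000000  /javascript.ndb"
        echo "ffffffffffffffffffffffffffffffff  /missing.hdb"
    } > "$tmp/md5list.txt"
    stale_signatures "$tmp/md5list.txt" "$tmp"
    rm -rf "$tmp"
}

# Against a real node you would run:
#   stale_signatures /opt/zextras/av_signatures/md5list.txt /opt/zextras/av_signatures
```
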

Remove Signatures Updater#

To completely remove the automatic download of ClamAV’s signature databases, uninstall the package carbonio-avdb-updater from every Proxy Node.

# apt purge carbonio-avdb-updater

Disable ClamAV#

Guidance on Disabling Antivirus and Antispam Services

Disabling Carbonio’s internal Antivirus (AV) and Antispam (AS) services should only be performed if your infrastructure is protected by an external mail filtering system (e.g., an email security gateway, cloud-based filtering service, or upstream MTA with integrated AV/AS capabilities).

These services play a critical role in scanning inbound and outbound mail for malware and unsolicited content. If no equivalent protection is enforced externally, disabling them may expose your mail system to threats and significantly reduce the overall security posture of your environment.

Recommendation: Keep AS/AV services enabled by default unless explicitly offloaded to an external system that ensures equivalent or stronger protections.

Disable Amavis virus check

Execute the following commands as the zextras user to disable the Amavis virus check from the CLI

zextras$ carbonio prov mcf carbonioAmavisDisableVirusCheck TRUE
zextras$ zmlocalconfig -e zmtrainsa_cleanup_host=false

Restart the service on every MTA Node to make sure the new value is picked up by the system

zextras$ zmamavisdctl restart

You can check the status of the variable and of the service at any time with

zextras$ carbonio prov gcf carbonioAmavisDisableVirusCheck

Note

If you never modified the value of the variable, this command may return no output, meaning that Amavis is running.

Disable ClamAV

To disable ClamAV, execute the following command as the root user

# systemctl disable carbonio-clamav-sidecar.service

Restart the following services to let systemd pick up the changes

  • Carbonio Mesh

    As the root user execute

    # systemctl restart service-discover

  • The services on the MTA Node

    As the zextras user execute

    zextras$ zmcontrol restart

    As the root user execute

    # systemctl restart carbonio-mta.target


Amavis is required if you want to use an e-mail disclaimer in Carbonio, because Amavis processes and modifies any outgoing email to append the disclaimer.

If you do not need a disclaimer and you want to disable Amavis, run the following command on every MTA Node

zextras$ carbonio prov ms $(zmhostname) \
-zimbraServiceEnabled amavis

You can additionally disable the other related services by executing the following command on every MTA Node

zextras$ carbonio prov ms $(zmhostname) \
-zimbraServiceEnabled antivirus \
-zimbraServiceEnabled antispam

Disable OpenDKIM

If your emails are sent through an external MTA relay that already adds an OpenDKIM signature, you must disable the OpenDKIM service on Carbonio to prevent signature conflicts.

To disable OpenDKIM, execute the following commands.

First, as the zextras user execute

zextras$ carbonio prov ms \
$(zmhostname) -zimbraServiceEnabled opendkim

Then restart the services on the MTA Node.

As the zextras user execute

zextras$ zmcontrol restart

As the root user execute

# systemctl restart carbonio-mta.target

Note

Disabling OpenDKIM means Carbonio will no longer sign outgoing emails with DKIM. Ensure your external MTA is handling DKIM signing correctly.

Completely remove ClamAV

To prevent Carbonio Mesh from reporting a service that is not running, remove the ClamAV definition file for service-discover from the MTA Nodes:

Warning

This file will be restored during future upgrades of ClamAV or Carbonio, so make sure to remove it each time you upgrade.

# rm /etc/zextras/service-discover/carbonio-clamav.hcl