git subrepo clone https://github.com/mailcow/mailcow-dockerized.git mailcow/src/mailcow-dockerized

subrepo: subdir:   "mailcow/src/mailcow-dockerized"
  merged:   "a832becb"
upstream: origin:   "https://github.com/mailcow/mailcow-dockerized.git"
  branch:   "master"
  commit:   "a832becb"
git-subrepo: version:  "0.4.3"
  origin:   "???"
  commit:   "???"
Change-Id: If5be2d621a211e164c9b6577adaa7884449f16b5
diff --git a/mailcow/src/mailcow-dockerized/data/Dockerfiles/clamd/Dockerfile b/mailcow/src/mailcow-dockerized/data/Dockerfiles/clamd/Dockerfile
new file mode 100644
index 0000000..4c30cf2
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/Dockerfiles/clamd/Dockerfile
@@ -0,0 +1,61 @@
+FROM debian:buster-slim
+
+LABEL maintainer "André Peters <andre.peters@servercow.de>"
+
+ARG CLAMAV=0.103.0
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  ca-certificates \
+  zlib1g-dev \
+  libcurl4-openssl-dev \
+  libncurses5-dev \
+  libzip-dev \
+  libpcre2-dev \
+  libxml2-dev \
+  libssl-dev \
+  build-essential \
+  libjson-c-dev \
+  curl \
+  bash \
+  wget \
+  tzdata \
+  dnsutils \
+  rsync \
+  dos2unix \
+  netcat \
+  && rm -rf /var/lib/apt/lists/* \
+  && wget -O - https://www.clamav.net/downloads/production/clamav-${CLAMAV}.tar.gz | tar xfvz - \
+  && cd clamav-${CLAMAV} \
+  && ./configure \
+  --prefix=/usr \
+  --libdir=/usr/lib \
+  --sysconfdir=/etc/clamav \
+  --mandir=/usr/share/man \
+  --infodir=/usr/share/info \
+  --disable-llvm \
+  --with-user=clamav \
+  --with-group=clamav \
+  --with-dbdir=/var/lib/clamav \
+  --enable-clamdtop \
+  --enable-bigstack \
+  --with-pcre \
+  && make -j4 \
+  && make install \
+  && make clean \
+  && cd .. && rm -rf clamav-${CLAMAV} \
+  && apt-get -y --auto-remove purge build-essential \
+  && apt-get -y purge zlib1g-dev \
+  libncurses5-dev \
+  libzip-dev \
+  libpcre2-dev \
+  libxml2-dev \
+  libssl-dev \
+  libjson-c-dev \
+  && addgroup --system --gid 700 clamav \
+  && adduser --system --no-create-home --home /var/lib/clamav --uid 700 --gid 700 --disabled-login clamav \
+  && rm -rf /tmp/* /var/tmp/*
+
+COPY clamd.sh ./
+COPY tini /sbin/tini
+
+CMD ["/sbin/tini", "-g", "--", "/clamd.sh"]
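Review bot: The ClamAV source tarball in the `RUN` step is streamed from `wget -O -` straight into `tar`, then compiled and installed as root, and nothing checks that the bytes are the release named by the `CLAMAV` argument. Download it to a file and compare it with a digest pinned next to the version before unpacking: `&& wget -O clamav.tar.gz https://www.clamav.net/downloads/production/clamav-${CLAMAV}.tar.gz \`, `&& echo "${CLAMAV_SHA256}  clamav.tar.gz" | sha256sum -c - \`, `&& tar xfz clamav.tar.gz && rm clamav.tar.gz \`. Here `CLAMAV_SHA256` is a new `ARG` holding the published digest for that release; it is a placeholder, since the page does not give the value. The same concern applies to `COPY tini /sbin/tini`, because the binary is committed as an opaque blob and runs as PID 1. A comment recording its upstream version and checksum would let a reviewer verify it.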
diff --git a/mailcow/src/mailcow-dockerized/data/Dockerfiles/clamd/clamd.sh b/mailcow/src/mailcow-dockerized/data/Dockerfiles/clamd/clamd.sh
new file mode 100755
index 0000000..10df807
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/Dockerfiles/clamd/clamd.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+if [[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+  echo "SKIP_CLAMD=y, skipping ClamAV..."
+  sleep 365d
+  exit 0
+fi
+
+# Cleaning up garbage
+echo "Cleaning up tmp files..."
+rm -rf /var/lib/clamav/clamav-*.tmp
+
+# Prepare whitelist
+
+mkdir -p /run/clamav /var/lib/clamav
+
+if [[ -s /etc/clamav/whitelist.ign2 ]]; then
+  echo "Copying non-empty whitelist.ign2 to /var/lib/clamav/whitelist.ign2"
+  cp /etc/clamav/whitelist.ign2 /var/lib/clamav/whitelist.ign2
+fi
+
+if [[ ! -f /var/lib/clamav/whitelist.ign2 ]]; then
+  echo "Creating /var/lib/clamav/whitelist.ign2"
+  cat <<EOF > /var/lib/clamav/whitelist.ign2
+# Please restart ClamAV after changing signatures
+Example-Signature.Ignore-1
+PUA.Win.Trojan.EmbeddedPDF-1
+PUA.Pdf.Trojan.EmbeddedJavaScript-1
+PUA.Pdf.Trojan.OpenActionObjectwithJavascript-1
+EOF
+fi
+
+chown clamav:clamav -R /var/lib/clamav /run/clamav
+
+chmod 755 /var/lib/clamav
+chmod 644 -R /var/lib/clamav/*
+chmod 750 /run/clamav
+
+stat /var/lib/clamav/whitelist.ign2
+dos2unix /var/lib/clamav/whitelist.ign2
+sed -i '/^\s*$/d' /var/lib/clamav/whitelist.ign2
+# Copying to /etc/clamav to expose file as-is to administrator
+cp -p /var/lib/clamav/whitelist.ign2 /etc/clamav/whitelist.ign2
+
+
+BACKGROUND_TASKS=()
+
+echo "Running freshclam..."
+freshclam
+
+(
+while true; do
+  sleep 12600
+  freshclam
+done
+) &
+BACKGROUND_TASKS+=($!)
+
+(
+while true; do
+  sleep 10m
+  SANE_MIRRORS="$(dig +ignore +short rsync.sanesecurity.net)"
+  for sane_mirror in ${SANE_MIRRORS}; do
+    CE=
+    rsync -avp --chown=clamav:clamav --chmod=Du=rwx,Dgo=rx,Fu=rw,Fog=r --timeout=5 rsync://${sane_mirror}/sanesecurity/ \
+      --include 'blurl.ndb' \
+      --include 'junk.ndb' \
+      --include 'jurlbl.ndb' \
+      --include 'jurbla.ndb' \
+      --include 'phishtank.ndb' \
+      --include 'phish.ndb' \
+      --include 'spamimg.hdb' \
+      --include 'scam.ndb' \
+      --include 'rogue.hdb' \
+      --include 'sanesecurity.ftm' \
+      --include 'sigwhitelist.ign2' \
+      --exclude='*' /var/lib/clamav/
+    CE=$?
+    chmod 755 /var/lib/clamav/
+    if [ ${CE} -eq 0 ]; then
+      while [ ! -z "$(pidof freshclam)" ]; do
+        echo "Freshclam is active, waiting..."
+        sleep 5
+      done
+      echo RELOAD | nc clamd-mailcow 3310
+      break
+    fi
+  done
+  sleep 12h
+done
+) &
+BACKGROUND_TASKS+=($!)
+
+nice -n10 clamd &
+BACKGROUND_TASKS+=($!)
+
+while true; do
+  for bg_task in ${BACKGROUND_TASKS[*]}; do
+    if ! kill -0 ${bg_task} 1>&2; then
+      echo "Worker ${bg_task} died, stopping container waiting for respawn..."
+      kill -TERM 1
+    fi
+    sleep 10
+  done
+done
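Review bot: The Sanesecurity loop resolves mirrors with `dig` and pulls databases over plain `rsync://` directly into `/var/lib/clamav/`, then sends `RELOAD`, so clamd loads whatever the responding host served. The set includes `sigwhitelist.ign2`, an ignore list, so a spoofed DNS answer or an on-path host could switch detections off rather than merely add noise. Sync into a staging directory and install only files whose detached signature verifies against a key baked into the image, as sketched below. This assumes the publisher ships `.sig` files alongside the databases, which should be confirmed against its documentation. `SANE_KEYRING` is a placeholder, not a path from this repository. Quoting the mirror as `"rsync://${sane_mirror}/sanesecurity/"` would also stop unexpected resolver output from being word-split into extra rsync arguments.

```shell
    STAGE="$(mktemp -d)"
    # … unchanged: rsync invocation and --include list, extended with --include '*.sig',
    #   with "${STAGE}/" as the destination instead of /var/lib/clamav/ …
    CE=$?
    if [ ${CE} -eq 0 ]; then
      for db in "${STAGE}"/*.ndb "${STAGE}"/*.hdb "${STAGE}"/*.ftm "${STAGE}"/*.ign2; do
        [ -f "${db}" ] || continue
        # SANE_KEYRING: placeholder for a keyring holding the publisher's public key
        if gpgv --keyring "${SANE_KEYRING}" "${db}.sig" "${db}"; then
          install -o clamav -g clamav -m 644 "${db}" /var/lib/clamav/
        else
          echo "Signature check failed for ${db}, not installing"
        fi
      done
      # … unchanged: wait for freshclam, send RELOAD, break …
    fi
    rm -rf "${STAGE}"
```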
diff --git a/mailcow/src/mailcow-dockerized/data/Dockerfiles/clamd/tini b/mailcow/src/mailcow-dockerized/data/Dockerfiles/clamd/tini
new file mode 100755
index 0000000..03af82f
--- /dev/null
+++ b/mailcow/src/mailcow-dockerized/data/Dockerfiles/clamd/tini
Binary files differ