Currently Browsing: Tech

Dovecot ssl certificaat niet vertrouwd

In Postfix, staat mijn ssl certificaat zo ingesteld:

smtpd_tls_CAfile     = /etc/ssl/cacert.pem
smtpd_tls_key_file   = /etc/ssl/server.key
smtpd_tls_cert_file  = /etc/ssl/server.pem

In dovecot, zijn er maar 2 opties:

ssl_cert = </etc/ssl/server.pem
ssl_key = </etc/ssl/server.key

Hoe stel ik het certificaat zo in dat het vertrouwd wordt?

Je hebt daar de hele certificaat “chain”voor nodig. Die kun je zo maken:

cat /etc/ssl/server.pem /etc/ssl/cacert.pem > /etc/ssl/chain.pem

en dan deze “chain” als server certificaat gebruiken.

ssl_cert = </etc/ssl/chain.pem
ssl_key = </etc/ssl/server.key

Om te testen kun je openssl gebruiken:

openssl s_client -connect server:993

Manual update clamav

ClamAV antivirus software is in most Linux distribution repositories. The problem is, ClamAV gets updated faster than the new versions can be added to the respositories, so every time you run a freshclam virus database update, ClamAV will inform you that it’s not the latest version. Not ideal, especially when you’re talking about security.
The only way to get the latest latest version is to download the stable source code release direct from ClamAV’s website and install it manually. Which is what we’re going to do 🙂

First, you’ll need to grab the source code. You can download the tar.gz file here for the latest stable release version. As of the time of writing, the latest version is 0.98.3. I’m just going to copy the download URL and download it with wget.


Then you’ll need to unpack the archive.

tar -xvzf clamav-0.98.3.tar.gz
cd clamav-0.98.3

Okay, you should now be in the ClamAV directory. I want to install my new version of ClamAV in ‘/usr/local/clamav-0.98.3′. So I’ll need to configure it to install to that directory. If you run into dependency problems, you’ll probably need to install GCC/Make if it isn’t already. If you do need to do this, you can do it under Debian with:

sudo apt-get install gcc make

On the 0.98.x versions of clamav there’s a requisite that you’ve installed openssl. Under debian it might be something like:

sudo apt-get install libssl libssl-dev

Once you’ve got all the prerequisites installed, you can run the configure script. Make sure you’re still in the sub-directory where you unpacked the archive and run: –

./configure –prefix=/usr/local/clamav-0.98.3

Once this is complete and you have no errors, you can run: –

make install

This will install the new version of ClamAV to the directory you specified in the configure script. If you have the version of ClamAV installed from your distribution’s repositories, you have two choices. You can either keep the repository version and use aliasing to run the version you want or you can uninstall the repo version and add append the path to the system $PATH environment variable. I’ll show you both.

Assuming you want to keep the version of ClamAV you have in case it ever gets updated via the repositories, you’ll need to copy your ‘/etc/freshclam.conf’ to the new location.

cp /etc/freshclam.conf /usr/local/clamav-0.98.3/etc

However, if you try to run ClamAV from anywhere but the ‘/usr/local/clamav-0.98.3/bin’ directory where the program executables are, you’ll still get the warning that ClamAV is out of date. This is because the system $PATH variable finds the old version first as it’s part of the system path. We want to override this and run our new manually installed version. Since we’re only going to be running ClamAV with the root user so that we have permissions to scan the entire file system, we’ll add a new alias.

vi ~/.bashrc

Then add the following lines:-

alias clamscan=’/usr/local/clamav-0.98.3/bin/clamscan’
alias freshclam=’/usr/local/clamav-0.98.3/bin/freshclam’
alias clamd=’/usr/local/clamav-0.98.3/sbin/clamd’

Aliases are very handy. Basically, when the alias is typed as a command, it points to the command we specify, regardless of what is in the system $PATH environment variable. Save this file and logout. The new settings for the ‘.bashrc’ file are only picked up on login of that user. Once you login again you should be running the latest version of ClamAV.

If you want to remove the repo version of ClamAV, you’ll need to uninstall it. Under Debian, use:

sudo apt-get remove clamav-*

Once this is done, you’ll need to add the new ClamAV to the system path. Under Debian, this is:

vi /etc/environment

Find the following section, or something that looks similar: –


Above this line add the line: –

export PATH=$PATH:/usr/local/clamav-0.98.3/bin

This appends the path to the binary directory of our new ClamAV to the system path. Again, for this to take effect, you’ll need to logout and log back in again. You can verify the path by typing: –

echo $PATH

When you simply run freshclam to update, it should find the configuration file under it’s own /etc directory and you should now be able to scan the filesystem using ‘clamscan’ without having to type in the absolute path to the new binary executable.