private mirror server for clamav
October 16, 2025
Ubuntu 24.04
Many mail servers make use of ClamAV. ClamAV is an open source (GPLv2) anti-virus toolkit, designed especially for e-mail scanning on mail gateways. The default configuration is to check for updates on database.clamav.net. This is often defined somewhere in the UI or in a config file named freshclam.conf.
As a result of rate limiting by clamav.net, client IPs can be greylisted. I've seen configurations where clients check every minute (!), so it is understandable that this greylisting occurs. Probably they receive zillions of requests every second.
It is a good thing, especially when one has multiple mail servers in their network, to install a private mirror server. This mirror serves the internal network and checks for updates several times a day, which IMHO is sufficient.
1- install a webserver
I prefer nginx but apache or any other webserver is fine. It can be installed on the same server as the client (the application requesting ClamAV updates) or on a separate server.
Since you're building a private mirror, consider blocking the webserver from the outside world (drop traffic to ports 80 and 443, or whatever ports your webserver is listening on).
The hostname/URL of your mirror can be something like mirror.mydomain.com, mydomain2.com:8080, localhost:4321.
2- install Python
apt install python3-pip
apt install pipx
3- install cvdupdate
pipx install cvdupdate
pipx ensurepath
Check the output; sometimes a path must be set.
4- set the path for the clamav files
cvd config set --dbdir /opt/www/clamav
The path must be the same as the document root of your webserver.
5- test run
cvd update
If it went well the ClamAV files are downloaded to the webserver root directory, like this:
root@mirror:/# ls -l /opt/www/clamav/
total 232364
-rw-r--r-- 1 root root 806 Oct 14 20:28 bytecode-339.cdiff
-rw-r--r-- 1 root root 9078 Oct 14 20:28 bytecode-339.cdiff.sign
-rw-r--r-- 1 root root 9078 Oct 14 20:28 bytecode-339.cvd.sign
-rw-r--r-- 1 root root 281702 Oct 14 20:28 bytecode.cvd
-rw-r--r-- 1 root root 1652 Oct 14 20:28 daily-27792.cdiff
-rw-r--r-- 1 root root 9078 Oct 14 20:28 daily-27792.cdiff.sign
-rw-r--r-- 1 root root 9078 Oct 14 20:28 daily-27792.cvd.sign
-rw-r--r-- 1 root root 2129 Oct 15 14:00 daily-27793.cdiff
-rw-r--r-- 1 root root 9078 Oct 15 14:00 daily-27793.cdiff.sign
-rw-r--r-- 1 root root 9078 Oct 15 14:00 daily-27793.cvd.sign
-rw-r--r-- 1 root root 789 Oct 16 12:00 daily-27794.cdiff
-rw-r--r-- 1 root root 9078 Oct 16 12:00 daily-27794.cdiff.sign
-rw-r--r-- 1 root root 9078 Oct 16 12:00 daily-27794.cvd.sign
-rw-r--r-- 1 root root 64733862 Oct 16 12:00 daily.cvd
-rw-r--r-- 1 root root 40 Oct 16 12:00 dns.txt
-rw-r--r-- 1 root root 2282177 Oct 14 20:27 main-62.cdiff
-rw-r--r-- 1 root root 9078 Oct 14 20:27 main-62.cdiff.sign
-rw-r--r-- 1 root root 9078 Oct 14 20:28 main-62.cvd.sign
-rw-r--r-- 1 root root 170479789 Oct 14 20:28 main.cvd
6- create a cron job
Now it's time to set up a cron job to let the machine download updates automatically.
crontab -e
// add this line (in vi: press i cmd-v Esc :x):
0 */7 * * * /bin/sh -c "/home/.local/bin/cvd update >> /var/log/cvdupdate.log 2>&1"
This job is executed every 7 hours. (Why not 6 or 12? To avoid coinciding with a lot of other requests. Besides, I like prime numbers, which can be considered as a tiny but innocent brain injury.)
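A cron job can fail silently (wrong path, full disk, blocked outbound traffic), and every mail server behind the mirror then keeps scanning with old signatures. The following check is an added example, not part of the original post or of cvdupdate: it reads the version and build time from the 512-byte header at the start of a .cvd file and fails when the database is older than a threshold. The function names cvd_field and cvd_check, the 48-hour threshold and the sample header are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: detect a stale mirror by reading the CVD header.
# A .cvd file starts with a 512-byte, space-padded, colon-separated header:
#   ClamAV-VDB:build time:version:sigs:f-level:MD5:signature:builder:build epoch

# Print field N ($2) of the header of CVD file $1, padding removed.
cvd_field() {
    head -c 512 "$1" | cut -d: -f"$2" | tr -d ' \n'
}

# cvd_check FILE MAX_AGE_HOURS [NOW_EPOCH]
# Prints "<name> version=<n> age=<h>h".
# Returns 0 if fresh, 1 if stale, 2 if the file is missing or not a CVD.
cvd_check() {
    file=$1 max_hours=$2 now=${3:-$(date +%s)}
    [ -r "$file" ] || { echo "$file: missing or unreadable"; return 2; }
    [ "$(cvd_field "$file" 1)" = "ClamAV-VDB" ] || { echo "$file: not a CVD"; return 2; }
    version=$(cvd_field "$file" 3)
    built=$(cvd_field "$file" 9)
    case $built in
        ''|*[!0-9]*) echo "$file: no build epoch in header"; return 2 ;;
    esac
    age_hours=$(( (now - built) / 3600 ))
    echo "$(basename "$file") version=$version age=${age_hours}h"
    [ "$age_hours" -le "$max_hours" ]
}

# Demo on a constructed header (not a real database), built 2025-10-16 12:00 UTC.
demo_dir=$(mktemp -d)
printf '%-512s' \
    'ClamAV-VDB:16 Oct 2025 12-00 +0000:27794:2077000:90:md5:sig:builder:1760616000' \
    > "$demo_dir/daily.cvd"
cvd_check "$demo_dir/daily.cvd" 48 1760702400                    # checked 1 day later
cvd_check "$demo_dir/daily.cvd" 48 1761048000 || echo "STALE: look at the cron log"
rm -rf "$demo_dir"
```

On the mirror, point cvd_check at /opt/www/clamav/daily.cvd from a second cron entry and alert on a non-zero exit status.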
7- edit config of the requesting clients
Now that your mirror server is up and running, it's time to tell your clients (mail servers/gateways) to use this mirror. Most of the time this is configured in the UI or in a file called freshclam.conf. Replace database.clamav.net with the hostname of the mirror server.
- Proxmox Mail Gateway: UI
- Mailcow: config on docker host, e.g. /opt/mailcow-dockerized/data/conf/clamav/freshclam.conf; don't forget to restart the clamd docker
99- references
- https://docs.clamav.net/appendix/CvdPrivateMirror.html
- https://github.com/Cisco-Talos/cvdupdate
- you can use your mirror for rspamd maps files also: https://listed.to/@jertaa/66296/rspamd-errors-maps-rspamd-com
-jer