Domino 12.0.2 EAP CD 1 – ClamAV & ICAP

A word of warning. The described features of Domino 12.0.2 EAP are subject to change in later code drops.
The described configuration of ClamAV & ICAP is NOT intended to be used in production. I take no responsibility for any damage or data loss caused by using the configuration on test or production systems.

A new feature “Virus scanning for message attachments” has been added to Domino 12.0.2 EAP. You can set up HCL Domino to work with any virus scanning server that supports the ICAP protocol to scan attachments in mail messages for viruses. In addition to Domino 12.0.2 , you need a third-party ICAP protocol server to do the virus scanning. Domino has been tested with the products Trend Micro Web Security and McAfee Web Gateway. TLS is required in Domino 12.0.2 GA to connect to the server, but it is disabled by now.


The installation uses CentOS 8 Stream. The minimum installation was chosen for the software selection. All required packages are installed later via dnf.

For my tests, I have set SELinux to permissive as described here:

We need to download and configure some files during the setup. This can be down using VI or any other text editor. I prefer NANO.

dnf -y install nano wget

Next, we install an additional repository

dnf -y install epel-release

Install ClamAV, freshclam and clamd

and install ClamAV and related services.

dnf --enablerepo=epel -y install clamav clamd clamav-update



to initialize or update the virus signature databases.

For a scheduled update, we will run freshclam as service. create a new file ( nano will create an empty file, if it does not exists.)

nano /usr/lib/systemd/system/freshclam.service

and add the following content to it

Description = ClamAV Scanner
After =

Type = forking
ExecStart = /usr/bin/freshclam -d -c 1
Restart = on-failure
PrivateTmp =true


Save and close the file. Then start the freshclam service and enable it to start on server startup. freshclam will update the signatures once a day.

systemctl start freshclam
systemctl enable freshclam

Created symlink /etc/systemd/system/ → /usr/lib/systemd/system/freshclam.service.

Check the freshclam status.

systemctl status freshclam

● freshclam.service - ClamAV Scanner
   Loaded: loaded (/usr/lib/systemd/system/freshclam.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-05-31 07:07:48 CEST; 16s ago
 Main PID: 1809 (freshclam)
    Tasks: 1 (limit: 11344)
   Memory: 2.2M
   CGroup: /system.slice/freshclam.service
           └─1809 /usr/bin/freshclam -d -c 1

May 31 07:07:48 localhost.localdomain systemd[1]: Starting ClamAV Scanner...
May 31 07:07:48 localhost.localdomain systemd[1]: Started ClamAV Scanner.

To configure Clamd edit the /etc/clamd.d/scan.conf

nano /etc/clamd.d/scan.conf

and enable / change the existing values

LogFile /var/log/clamd.scan
PidFile /run/clamd.scan/
TemporaryDirectory /var/tmp
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup root
TCPSocket 3310
User root

then initialize the logfile with

touch /var/log/clamd.scan

Create a new file

nano /etc/tmpfiles.d/clamd.scan.conf

and add the following content

d /run/clamd.scan 0770 root root -

Next, start, enable and get the status of clamd.service

systemctl start clamd@scan
systemctl enable clamd@scan
systemctl status clamd@scan

[root@localhost ~]# systemctl status clamd@scan
● clamd@scan.service - clamd scanner (scan) daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-05-31 06:41:23 CEST; 4s ago
     Docs: man:clamd(8)
  Process: 1727 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf (code=exited, status=0/SUCCESS)
 Main PID: 1728 (clamd)
    Tasks: 2 (limit: 11344)
   Memory: 1.3G
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─1728 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Install c-icap

dnf -y install gcc make
curl -L -O
tar zxvf c_icap-0.5.10.tar.gz
cd c_icap-0.5.10

We need to modify the source code to work with Domino 12.0.2 EAP1. this is subject to become obsolete in a future Domino code drop.

Find all occurrencies of “HTTP/1.0” in the source code. The mailscan task in Domino 12.0.2 expects “HTTP/1.1”.

grep -r -e “HTTP/1.0” *

You will get 3 matches in 2 source files.

info.c:    ci_http_response_add_header(req, "HTTP/1.0 200 OK");
utils/c-icap-client.c:    ci_headers_add(headers, "HTTP/1.0 200 OK");
utils/c-icap-client.c:    snprintf(lbuf,1024, "%s %s HTTP/1.0", method, url);

Replace HTTP/1.0 with HTTP/1.1

sed -i 's/HTTP\/1.0/HTTP\/1.1/g' info.c
sed -i 's/HTTP\/1.0/HTTP\/1.1/g' utils/c-icap-client.c

Run the following commands to build and install the binaries

make install

cp /usr/local/etc/c-icap.conf /etc

Create a new file

nano /etc/tmpfiles.d/c-icap.conf

and add the following content

d /var/run/c-icap 0755 root root -

Create the c-icap service. Create a new file

nano /usr/lib/systemd/system/c-icap.service

and add the following content

Description=c-icap service

ExecStart=/usr/local/bin/c-icap -f /etc/c-icap.conf


Now you can start, enable and check the status of the c-icap service

systemctl start c-icap
systemctl enable c-icap

 systemctl status c-icap
● c-icap.service - c-icap service
   Loaded: loaded (/usr/lib/systemd/system/c-icap.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-05-31 07:25:30 CEST; 15s ago
 Main PID: 7757 (c-icap)
    Tasks: 37 (limit: 11344)
   Memory: 2.3M
   CGroup: /system.slice/c-icap.service
           ├─7757 /usr/local/bin/c-icap -f /etc/c-icap.conf
           ├─7758 /usr/local/bin/c-icap -f /etc/c-icap.conf
           ├─7759 /usr/local/bin/c-icap -f /etc/c-icap.conf
           └─7760 /usr/local/bin/c-icap -f /etc/c-icap.conf

May 31 07:25:30 localhost.localdomain systemd[1]: Starting c-icap service...
May 31 07:25:30 localhost.localdomain systemd[1]: Started c-icap service.

Install squidclamav

curl -L -O

tar zxvf squidclamav-7.1.tar.gz
cd squidclamav-7.1

As with c-icap, we need to modify the source code to work with Domino 12.0.2 EAP1.

grep -r -e "HTTP/1.0" *
src/squidclamav.c:    ci_http_response_add_header(req, "HTTP/1.0 403 Forbidden");
src/squidclamav.c:    ci_http_response_add_header(req, "HTTP/1.0 307 Temporary Redirect");

sed -i 's/HTTP\/1.0/HTTP\/1.1/g' src/squidclamav.c

Build and deploy the binaries

./configure --with-c-icap
make install

Edit c-icap configuration

nano /etc/c-icap.conf

and add the squidclamav service after the existing echo service

Service squidclamav

Create a symlink for the squidclamav configuration file

ln -s /usr/local/etc/squidclamav.conf /etc/squidclamav.conf

Edit /etc/squidclamav.conf and apply the changes

nano /etc/squidclamav.conf

## comment redirect (we don't need it here)
#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi

## change clamd_local /var/run/clamav/clamd.ctl to
clamd_local /run/clamd.scan/clamd.sock

Restart c-icap

systemctl restart c-icap

Finally, we need to open port 1344 in the firewall

firewall-cmd --zone=public --add-port=1344/tcp --permanent
firewall-cmd --reload

Congratulations! You now have a ICAP server that uses ClamAV to scan your attachments for viruses.

You can now use the ICAP server in your mailscan configuration in Domino 12.0.2. You’ll find information on how to configure mailscan in Domino 12.0.2 here

And last but not least, here is an example of a scanlog for the EICAR virus

I will update this post / write additional information during the Beta phase of Domino 12.0.2.