@maneeshaxyz
📌 Description

Implements centralized ClamAV signature distribution system with polling-based updates.

What this does:

  • Central server pulls ClamAV signatures and serves them via nginx
  • Silver instances download signatures every 2 hours via custom updater
  • Disables freshclam on Silver instances to prevent independent updates
  • Provides full control over signature distribution across all deployments

🔍 Changes Made

Central Server:

  • Added freshclam container to pull signatures from ClamAV official sources
  • Added nginx container to serve signature files on port 8800
  • Exposes signatures at http://[IP]:8080/

Silver Instances:

  • Disabled freshclam on clamav-server (CLAMAV_NO_FRESHCLAMD=true)
  • Added clam-updater container with custom update script
  • Updater downloads 3 signature files (main.cld, daily.cld, bytecode.cvd) every 2 hours
  • Shared clamav_db volume between updater and ClamAV scanner

✅ Checklist (Email System)

  • Core services tested (SMTP, IMAP, mail storage, end-to-end delivery)
  • Security & compliance verified (auth via Thunder IDP, TLS, DKIM/SPF/DMARC, spam/virus filtering)
  • Configuration & deployment checked (configs generated, Docker/Compose updated)
  • Reliability confirmed (error handling, logging, monitoring)
  • Documentation & usage notes updated (README, deployment, API)

🧪 Testing Instructions

Central Server Setup:

  1. Deploy central server: docker-compose up -d
  2. Verify freshclam downloads signatures: docker logs clamav-updater
  3. Check signatures in volume: ls -lh ./signatures/
  4. Test nginx serving: curl http://localhost:8080/ (should show file listing)
  5. Download signature from remote machine: curl http://[IP]:8080/main.cld --head

Silver Instance Setup:

  1. Deploy Silver: docker-compose up -d
  2. Verify updater downloads: docker logs -f clam-updater
  3. Check ClamAV logs: docker logs -f clamav-server
    • Should NOT see "ClamAV update process started" (freshclam disabled)
    • Should see "Database modification detected. Forcing reload" when updater brings new files
  4. Verify signatures: docker exec clamav-server ls -lh /var/lib/clamav/
  5. Test mail scanning with updated signatures

Verify 2-hour Polling:

  1. Wait 2+ hours
  2. Check updater logs for multiple "Download complete" entries
  3. Verify ClamAV reloaded signatures: docker logs clamav-server | grep "Database modification detected"

📷 Screenshots / Logs (if applicable)

Central Server - nginx serving signatures:

$ curl http://<ip>:8800/ --head
HTTP/1.1 200 OK
Server: nginx/1.29.4
Content-Type: text/html

Silver Updater - successful download:

Downloading signatures from http://31.97.207.164:8800...
main.cld            100%[==================>] 264.81M   460MB/s    in 0.6s
daily.cld           100%[==================>] 103.30M   418MB/s    in 0.2s
bytecode.cvd        100%[==================>] 275.10K   264MB/s    in 0.001s
Download complete at Thu Jan  8 06:33:14 UTC 2026

ClamAV - loading signatures (NO freshclam running):

Starting ClamAV
Thu Jan  8 09:16:29 2026 -> Limits: Global time limit set to 120000 milliseconds.
...
socket found, clamd started.
Thu Jan  8 11:16:48 2026 -> Database modification detected. Forcing reload.
Thu Jan  8 11:16:48 2026 -> Reading databases from /var/lib/clamav

Signature files:

total 368M   
-rw-r--r--    1 clamav   clamav    275.1K Dec  8 16:13 bytecode.cvd
-rw-r--r--    1 clamav   clamav    103.3M Jan  8 06:46 daily.cld
-rw-r--r--    1 clamav   clamav    264.8M Jan  8 06:47 main.cld

⚠️ Notes for Reviewers

Configuration Changes:

  • Central server requires port 8800 exposed
  • Silver instances no longer contact ClamAV official servers directly
  • Silver's CLAMAV_NO_FRESHCLAMD=true environment variable is critical

Network Requirements:

  • Central server needs outbound access to ClamAV official sources
  • Silver instances need outbound access to central server on port 8080
  • No inbound ports required on Silver instances

Future Improvements (not in this PR):

  • Add --timestamping to wget for version checking (reduce bandwidth)
  • Add monitoring endpoint for Silver instances to report update status
  • Add HTTPS with SSL certificates
  • Consider switching to PrivateMirror approach if needed

Trade-offs Accepted:

  • 2-hour max update delay (acceptable: ClamAV updates 1-2x daily)

@maneeshaxyz maneeshaxyz linked an issue Jan 11, 2026 that may be closed by this pull request
@maneeshaxyz maneeshaxyz self-assigned this Jan 11, 2026
@maneeshaxyz maneeshaxyz added the enhancement New feature or request label Jan 11, 2026
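The Silver-side updater the description outlines (pull main.cld, daily.cld and bytecode.cvd from the central nginx server every two hours into the clamav_db volume shared with clamd) can be written as below. This is an added illustration, not the PR's own updater script (the PR's script is wget-based; this one is Python). It assumes a base URL and the environment variable names `SIGNATURE_URL`, `CLAMAV_DB` and `POLL_SECONDS`, none of which come from the PR. It goes beyond the PR in two places that matter for a shared-volume design: it validates the `ClamAV-VDB` header before installing, so an nginx error page or truncated transfer can never replace a working database, and it writes to a temporary file and renames it into place, so clamd's "Database modification detected" reload never sees a half-written .cld. Skipping files whose version field has not changed is the bandwidth saving the PR lists as future work.

```python
"""Polling signature updater for Silver instances (added example, not the
PR's script).  Assumes the PR's layout: nginx serving main.cld, daily.cld and
bytecode.cvd at a base URL, and a database directory shared with clamd."""
import os
import sys
import tempfile
import time
import urllib.request

# Only the three files the PR's updater fetches; anything else is refused so a
# misconfigured base URL cannot write arbitrary names into the database dir.
FILES = ("main.cld", "daily.cld", "bytecode.cvd")
HEADER_LEN = 512  # .cvd and .cld files both begin with a 512-byte text header


def parse_cvd_header(data):
    """Parse the colon-separated CVD/CLD header:
    ClamAV-VDB:<build time>:<version>:<signatures>:<flevel>:<md5>:<dsig>:<builder>:<stime>
    Raises ValueError for anything that is not a ClamAV database (e.g. an HTML
    error page returned by the central server)."""
    header = data[:HEADER_LEN]
    if not header.startswith(b"ClamAV-VDB:"):
        raise ValueError("not a ClamAV database file (missing ClamAV-VDB header)")
    fields = header.rstrip(b" \x00").split(b":")
    if len(fields) < 5:
        raise ValueError("truncated ClamAV-VDB header")
    return {
        "build_time": fields[1].decode("ascii", "replace"),
        "version": int(fields[2]),
        "signatures": int(fields[3]),
        "flevel": int(fields[4]),
    }


def installed_version(path):
    """Version of the database currently on disk, or None if absent/unreadable."""
    try:
        with open(path, "rb") as fh:
            return parse_cvd_header(fh.read(HEADER_LEN))["version"]
    except (OSError, ValueError):
        return None


def install_atomically(db_dir, name, data):
    """Validate `data`, then swap it into db_dir/name with a rename.

    clamd reloads as soon as it notices a modified file, so the new database is
    written to a temp file in the same directory and renamed over the old one;
    clamd never observes a partially written .cld.  Returns "installed" or
    "unchanged" (same or older version already present)."""
    if name not in FILES:
        raise ValueError("refusing to install unexpected file %r" % name)
    new = parse_cvd_header(data)
    target = os.path.join(db_dir, name)
    current = installed_version(target)
    if current is not None and current >= new["version"]:
        return "unchanged"
    fd, tmp = tempfile.mkstemp(prefix="." + name + ".", dir=db_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)      # -rw-r--r--, as in the PR's listing
        os.replace(tmp, target)   # atomic on POSIX; this triggers clamd's reload
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return "installed"


def fetch(base_url, name, timeout=300):
    """Download one file from the central server (plain HTTP, as in the PR)."""
    url = base_url.rstrip("/") + "/" + name
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def update_all(base_url, db_dir, files=FILES):
    """One polling cycle; returns {name: "installed" | "unchanged" | "error: ..."}."""
    results = {}
    for name in files:
        try:
            results[name] = install_atomically(db_dir, name, fetch(base_url, name))
        except (OSError, ValueError) as exc:
            # A failed or corrupt download leaves the previous database untouched.
            results[name] = "error: %s" % exc
    return results


if __name__ == "__main__":
    # Hostname and variable names are assumptions for this example.
    base = os.environ.get("SIGNATURE_URL", "http://central-server:8800")
    db = os.environ.get("CLAMAV_DB", "/var/lib/clamav")
    interval = int(os.environ.get("POLL_SECONDS", "7200"))  # 2 hours, as in the PR
    while True:
        for fname, status in update_all(base, db).items():
            print(time.strftime("%c"), fname, status, file=sys.stderr)
        time.sleep(interval)
```

Because the swap is a rename inside the database directory, the temp file must live on the same volume as the target; writing to /tmp and moving across filesystems would fall back to a copy and reintroduce the partial-file window. With the version check in place, the "Download complete" log lines the testing instructions look for become "unchanged" most cycles, which is the expected steady state given ClamAV's once- or twice-daily releases.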

LGTM

@Aravinda-HWK Aravinda-HWK merged commit 706804b into main Jan 12, 2026
5 checks passed
@Aravinda-HWK Aravinda-HWK deleted the 240-feature-centralized-clamav-signature-distribution branch January 12, 2026 11:00
Successfully merging this pull request may close these issues.

[FEATURE] Centralized ClamAV Signature Distribution

3 participants