Postfix supports filtering mail through a filter that acts like an SMTP server. This is how clamsmtp was designed. Postfix supports before-queue and after-queue filters. Before-queue filters make a poor choice for anti-virus scanners so this document will describe the latter. For more details on why and how this all works, read the above links on the Postfix site.
Put the following lines in your Postfix main.cf file:
content_filter = scan:127.0.0.1:10025 receive_override_options = no_address_mappings
The content_filter tells Postfix to send all mail through the service called 'scan' on port 10025. We'll set up clamsmtpd to listen on this port later.
Next we add the following to the Postfix master.cf file:
# AV scan filter (used by content_filter) scan unix - - n - 16 smtp -o smtp_send_xforward_command=yes # For injecting mail back into postfix from the filter 127.0.0.1:10026 inet n - n - 16 smtpd -o content_filter= -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks_style=host -o smtpd_authorized_xforward_hosts=127.0.0.0/8
Make sure there's no spaces around the equal signs or commas in the text you added. The first 2 lines create the 'scan' service. The rest set up a service for accepting mail back into postfix. All the options prevent a mail loop as well as relax address checking and the like, since that's already been done.
Specify the OutAddress option in clamsmtpd.conf as 127.0.0.1:10026. Make sure to run it as the same user as you run clamd or they'll have problems accessing each other's temporary files. You can use the User option to accomplish that.
Now start up clamsmtpd like this.
# clamsmtpd -f /path/to/clamsmtpd.conf
Make sure clamd (the ClamAV daemon) is running, and its listening on the socket you specified. You can set this in clamav.conf using the LocalSocket or TCPSocket directives (only uncomment one). Also make sure the ScanMail directive is on.
And that's all there is to it. If something's not working, check mail-queues, logs, etc... If you have trouble with clamsmtpd or send me a bug report, be sure to try the debug log mode which can be a valuable aid in figuring things out:
# clamsmtpd -d 4 -f /path/to/clamsmtpd.conf
[Note: You may have to keep this in mind if you're trying out the above setup in a jail, and change the smtpd_authorized_xforward_hosts line accordingly.]