Re: simscan and clamav driving me nuts
Manfred Langthaller <manfred.langthaller@aon.at>
2007-01-03 15:33:41 GMT
Roger Thomas wrote:
> I have a working qmail-ldap and decided today to try out clamav with simscan.
>
> 1) I started off with the installation of clamav. In clamd.conf, I set the User variable to root.
>
> 2) I setup freshclam under cron and then started clamd.
>
> 3) Then I created the simscan user with
> useradd -g clamav -s /bin/false -c "Simscan" simscan
>
> 4) I ran configure with:
> ./configure --enable-attach=y --enable-clamav=y \
> --enable-received=y --enable-clamavdb-path=/var/lib/clamav
>
> (I have daily.cvd and main.cvd under /var/lib/clamav)
>
> and got these:
>
> Current settings
> ---------------------------------------
> user = simscan
> qmail directory = /var/qmail
> work directory = /var/qmail/simscan
> control directory = /var/qmail/control
> qmail queue program = /var/qmail/bin/qmail-queue
> clamdscan program = /usr/local/bin/clamdscan
> clamav scan = ON
> trophie scanning = OFF
> attachement scan = ON
> ripmime program = /usr/local/bin/ripmime
> custom smtp reject = OFF
> drop message = OFF
> regex scanner = OFF
> quarantine processing = OFF
> domain based checking = OFF
> add received header = ON
> spam scanning = OFF
>
> 5) Then I ran make and make install-strip
>
> 6) I have the simcontrol file in /var/qmail/control like this:
> :clam=yes,spam=no
>
> 7) Then I ran
> /var/qmail/bin/simscanmk
> /var/qmail/bin/simscanmk -g
>
> 8) In /var/qmail/control/ssattach, I have:
> .vbs
> .scr
> .wsh
> .hta
> .pif
> .lnk
> .cpl
> .exe
> .bat
> .com
> .bas
> .class
> .ocx
>
>
> 9) Then I tested simscan from the command line:
> # env QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=2 /var/qmail/bin/qmail-inject sniper@home.net.my < /etc/passwd
>
> which spat out these messages saying everything was OK:
>
> simscan: starting: work dir: /var/qmail/simscan/1167833067.205258.29673
> simscan: cdb looking up version attach
> simscan: calling clamdscan
> simscan: cdb looking up version clamav
> simscan: normal clamdscan return code: 0
> simscan: done, execing qmail-queue
> simscan: qmail-queue exited 0
>
>
> 10) Then I edited my /var/qmail/service/smtpd/tcp to activate simscan:
> 127.:allow,RELAYCLIENT=""
> 192.168.10.221:allow,RBL="",RCPTCHECK="",RELAYCLIENT="",SMTPAUTH="AUTHREQUIRED",QMAILQUEUE="/var/qmail/bin/simscan"
> :allow,RBL="",RCPTCHECK="",SMTPAUTH="AUTHREQUIRED",QMAILQUEUE="/var/qmail/bin/simscan"
>
> Then I ran make in /var/qmail/service/smtpd
>
> 11) My /var/qmail/service/smtpd/run looks like:
> #!/bin/sh
> exec 2>&1 \
> envdir ./env \
> sh -c '
> case "$REMOTENAME" in h) H=;; p) H=p;; *) H=H;; esac
> case "$REMOTEINFO" in r) R=;; [0-9]*) R="t$REMOTEINFO";; *) R=R;; esac
> exec \
> envuidgid qmaild \
> softlimit ${DATALIMIT+"-d$DATALIMIT"} \
> /usr/local/bin/tcpserver \
> -vDU"$H$R" \
> ${LOCALNAME+"-l$LOCALNAME"} \
> ${BACKLOG+"-b$BACKLOG"} \
> ${CONCURRENCY+"-c$CONCURRENCY"} \
> -xtcp.cdb \
> -- "${IP-0}" "${PORT-25}" \
> /var/qmail/bin/qmail-smtpd /var/qmail/bin/auth_smtp /usr/bin/true
> '
>
> 12) I am able to send a plain email with NO attachment and also able to send email with attachment that is NOT a virus. All went thru.
>
> 13) But when I sent an email with a virus attachment (eicar_com.zip), I get this error msg:
>
> @40000000459bbad0233b5b14 qmail-smtpd 30456: message permanently not accepted because: mail server permanently rejected message (#5.3.0)
>
>
>
> I have read some archives but am not sure what and how to proceed. I need help, please.
>
>
> --
> roger
>
Hi Roger!
I think you did nothing wrong; it is simscan's default behavior to reject
mails containing viruses.
You can use the qmail-queue-custom-error.patch (attached)
http://qmailwiki.org/Simscan/README#How_SMTP_rejection_works
and/or have a look at "quarantine processing"
Regards,
Manfred
--- qmail.c.old 2005-07-04 08:22:18.000000000 -0500
+++ qmail.c 2005-07-04 08:23:01.000000000 -0500
<at> <at> -32,6 +32,7 <at> <at>
{
int pim[2];
int pie[2];
+ int pierr[2];
#ifdef ALTQUEUE
setup_qqargs();
<at> <at> -39,17 +40,26 <at> <at>
if (pipe(pim) == -1) return -1;
if (pipe(pie) == -1) { close(pim[0]); close(pim[1]); return -1; }
+ if (pipe(pierr) == -1) {
+ close(pim[0]); close(pim[1]);
+ close(pie[0]); close(pie[1]);
+ close(pierr[0]); close(pierr[1]);
+ return -1;
+ }
switch(qq->pid = vfork()) {
case -1:
+ close(pierr[0]); close(pierr[1]);
close(pim[0]); close(pim[1]);
close(pie[0]); close(pie[1]);
return -1;
case 0:
close(pim[1]);
close(pie[1]);
+ close(pierr[0]); /* we want to receive data */
if (fd_move(0,pim[0]) == -1) _exit(120);
if (fd_move(1,pie[0]) == -1) _exit(120);
+ if (fd_move(4,pierr[1]) == -1) _exit(120);
if (chdir(auto_qmail) == -1) _exit(61);
execv(*binqqargs,binqqargs);
_exit(120);
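Review bot: The `if (pipe(pierr) == -1)` error path closes `pierr[0]` and `pierr[1]` even though that pipe() call has just failed, so those two ints are uninitialized and the close() calls may hit an unrelated descriptor; drop `close(pierr[0]); close(pierr[1]);` from that branch and keep only the pim/pie closes, mirroring the existing `pipe(pie)` failure path. In the `case 0:` branch, `fd_move(4,pierr[1])` hardcodes descriptor 4 as the contract with the queue program; a one-line comment there stating that the queue program is expected to write its reply text to fd 4 would document the convention at the point where it is established.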
<at> <at> -57,6 +67,7 <at> <at>
qq->fdm = pim[1]; close(pim[0]);
qq->fde = pie[1]; close(pie[0]);
+ qq->fderr = pierr[0]; close(pierr[1]);
substdio_fdbuf(&qq->ss,subwrite,qq->fdm,qq->buf,sizeof(qq->buf));
qq->flagerr = 0;
return 0;
<at> <at> -141,10 +152,21 <at> <at>
{
int wstat;
int exitcode;
+ int match;
+ char ch;
+ static char errstr[256];
+ int len = 0;
qmail_put(qq,"",1);
if (!qq->flagerr) if (substdio_flush(&qq->ss) == -1) qq->flagerr = 1;
close(qq->fde);
+ substdio_fdbuf(&qq->ss,read,qq->fderr,qq->buf,sizeof(qq->buf));
+ while( substdio_bget(&qq->ss,&ch,1) && len < 255){
+ errstr[len]=ch;
+ len++;
+ }
+ if (len > 0) errstr[len]='\0'; /* add str-term */
+ close(qq->fderr);
if ((unsigned long)wait_pid(&wstat,qq->pid) != qq->pid)
return "Zqq waitpid surprise (#4.3.0)";
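Review bot: The read loop `while( substdio_bget(&qq->ss,&ch,1) && len < 255)` treats a -1 error return from substdio_bget the same as a byte read, so on a read error the uninitialized `ch` is appended until the buffer fills; compare against `== 1` instead. Since errstr is afterwards handed back as the reply string and the caller interprets its first character as the D/Z code, it should also be checked to begin with 'D' or 'Z' and to contain no CR/LF before it is trusted; as written, whatever the queue program writes to fd 4 is passed through unchecked. Terminating with `errstr[len]='\0'` unconditionally rather than only when `len > 0` is simpler and avoids a buffer that is never terminated.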
<at> <at> -177,8 +199,11 <at> <at>
case 81: return "Zqq internal bug (#4.3.0)";
case 120: return "Zunable to exec qq (#4.3.0)";
default:
+ if (exitcode == 82 && len > 2){
+ return errstr;
+ }
if ((exitcode >= 11) && (exitcode <= 40))
- return "Dqq permanent problem (#5.3.0)";
+ return "Dqq permanent problem (#5.3.0)";
return "Zqq temporary problem (#4.3.0)";
}
}
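Review bot: The pair `- return "Dqq permanent problem (#5.3.0)";` / `+ return "Dqq permanent problem (#5.3.0)";` is a whitespace-only change and should be dropped from the patch. The `exitcode == 82 && len > 2` test means an exit of 82 with an empty or very short message falls through to "Zqq temporary problem (#4.3.0)", because 82 lies outside the 11..40 range; a comment stating that 82 is the custom-error exit and that a missing message degrades to a temporary failure would document the convention for anyone writing a queue program against it.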
--- qmail.h.old 2005-07-04 08:22:18.000000000 -0500
+++ qmail.h 2005-07-04 08:22:36.000000000 -0500
<at> <at> -8,6 +8,7 <at> <at>
unsigned long pid;
int fdm;
int fde;
+ int fderr;
substdio ss;
char buf[1024];
} ;
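The fd-4 error-string protocol the attached patch wires into qmail_open()/qmail_close() can be exercised without a qmail build. The following is an added example written for this page, not code from the patch, from qmail or from simscan: a parent creates the pipe, hands its write end to a forked mock queue program as descriptor 4, reads the reply text back and applies the same exit-code decision the patch adds (exit 82 plus a message returns the message, 11..40 is a permanent 'D' failure, anything else a temporary 'Z' failure). The mock child, the message texts, the exit codes used and the extra check that insists on a leading D or Z and no CR/LF are all assumptions of the example, not behaviour documented on this page.

```c
/* Added example (not from the patch, qmail or simscan): a self-contained
 * model of the fd-4 custom-error protocol.  The parent plays the role of
 * the patched qmail_open()/qmail_close(); the child plays a hypothetical
 * queue program that writes an SMTP reply string to fd 4 and exits 82.
 * All message texts and exit codes below are constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define ERRFD  4     /* descriptor the patch hands to the queue program */
#define ERRMAX 255   /* the patch keeps at most 255 bytes of reply text */

/* Same decision the patched qmail_close() makes, plus one check that is
 * an assumption of this example: a custom string is only passed through
 * when it starts with the 'D' or 'Z' code letter and contains no CR/LF. */
const char *classify(int exitcode, const char *errstr, int len)
{
    if (exitcode == 82 && len > 2) {
        if ((errstr[0] == 'D' || errstr[0] == 'Z') && !strpbrk(errstr, "\r\n"))
            return errstr;
        return "Zqq custom error malformed (#4.3.0)";   /* constructed text */
    }
    if (exitcode >= 11 && exitcode <= 40)
        return "Dqq permanent problem (#5.3.0)";
    return "Zqq temporary problem (#4.3.0)";
}

/* Read the child's reply text as the patch does: at most 255 bytes, read
 * to EOF before waiting on the pid, always NUL-terminated. */
int collect_error(int fd, char *errstr)
{
    int len = 0;
    char ch;
    while (len < ERRMAX && read(fd, &ch, 1) == 1)   /* stop on EOF or error */
        errstr[len++] = ch;
    errstr[len] = '\0';
    return len;
}

/* Fork a mock queue program that writes `msg` (may be NULL) to fd 4 and
 * exits with `code`; return the reply string the parent would hand on. */
const char *run_mock_queue(const char *msg, int code)
{
    static char errstr[ERRMAX + 1];
    int pierr[2], wstat, len, exitcode;
    pid_t pid;

    if (pipe(pierr) == -1)
        return "Zqq trouble creating pipes (#4.3.0)";
    pid = fork();
    if (pid == -1) {
        close(pierr[0]); close(pierr[1]);
        return "Zqq trouble creating pipes (#4.3.0)";
    }
    if (pid == 0) {                 /* child: the mock queue program */
        close(pierr[0]);            /* child only writes */
        if (pierr[1] != ERRFD) {    /* move the write end onto fd 4 */
            if (dup2(pierr[1], ERRFD) == -1) _exit(120);
            close(pierr[1]);
        }
        if (msg) {
            ssize_t n = write(ERRFD, msg, strlen(msg));
            (void)n;
        }
        _exit(code);
    }
    close(pierr[1]);                /* parent keeps only the read end */
    len = collect_error(pierr[0], errstr);
    close(pierr[0]);
    if (waitpid(pid, &wstat, 0) != pid)
        return "Zqq waitpid surprise (#4.3.0)";
    exitcode = WIFEXITED(wstat) ? WEXITSTATUS(wstat) : 120;
    return classify(exitcode, errstr, len);
}

int main(void)
{
    /* constructed cases: custom rejection, a permanent-range exit with no
     * text, and a reply string that does not carry a D/Z code letter */
    printf("%s\n", run_mock_queue("DVirus found (#5.7.1)", 82));
    printf("%s\n", run_mock_queue(NULL, 31));
    printf("%s\n", run_mock_queue("500 not a code letter\r\n", 82));
    return 0;
}
```

Run as is, the three constructed cases print the reply string qmail-smtpd would receive; the third shows a queue program's output being refused rather than passed through, which is the check the patch itself does not make.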