Re[2]: [Exim] Exim RPM's or HowTo's

Author: Graham Dodd
Date:  
To: Odhiambo G. Washington
Cc: exim-users
Subject: Re[2]: [Exim] Exim RPM's or HowTo's
Hello Wash,

Monday, May 3, 2004, 2:00:00 PM, you wrote:

OGW> * Graham Dodd <g.dodd@???> [20040503 14:44]: wrote:
>> Hello Wash,
>>
>> sorry for not being specific.
>>
>> Exim 4.24 with exiscan-acl patch 12
>> Cyrus, SA 2.60, RAV (Due to expire), and ClamAV 0.60
>>
>> I have tried to get ClamAV upgraded, but if run from my scanner script it
>> flags all incoming attachments as a virus, running ver 0.60 works


OGW> Hmm, so you possibly just need help to fix the virus scanning problems
OGW> and you are done (at least for now). Then you simply need to explain how
OGW> you are doing the virus scanning. If it's done globally for everyone,
OGW> it should be easy to fix. If it's done selectively, then there are also
OGW> LDAP guys on this list who can help.
OGW> What mechanism is used at your site for malware filtering? You can show
OGW> your Exim configuration after mangling any sensitive info in it.


We do global scanning; currently 2 scanners are called, RAV and ClamAV, using
the following line:

av_scanner = cmdline:/etc/exim/scanner.sh %s:INFECTED:(.+)

In scanner.sh is the following:

--------- start scanner.sh ------------------

#!/bin/sh

logger $0 $1

found=0
VIR=
VIRUS=

/opt/rav/bin/ravav --all $1 2>&1 > /tmp/antivir$$.log
ERR=$?

if [ $ERR -ne 20 ] ; then
  if [ $ERR -gt 1 ] ; then
        VIRUS="`cat /tmp/antivir$$.log | grep " Infected:" | perl -p -e 's/.*Infected: (.*)/\1/' -p -`"
        logger "infected found by rav: $VIRUS ERR:$ERR"
        echo "infected: $VIRUS"
        found=1
        VIR="$VIRUS $VIR"
  fi
fi
rm -f /tmp/antivir$$.log



/usr/bin/clamdscan --disable-summary --stdout $1 >/tmp/antivir$$.log
ERR=$?

if [ $ERR -gt 0 ] ; then
        VIRUS="`cat /tmp/antivir$$.log | grep "FOUND" | perl -p -e 's/.*: (.*) FOUND/\1/' -p -`"
        logger "infected: $VIRUS"
        echo "infected: $VIRUS"
        found=3
        VIR="$VIRUS $VIR"
fi
rm -f /tmp/antivir$$.log


if [ "$found" -gt 0 ] ; then
        logger "INFECTED: $found $VIR"
        echo "INFECTED: $VIR"
fi


--------- end scanner.sh ------------------

This script works with RAV and ClamAV 0.60; as soon as I try to upgrade
ClamAV to any newer version it flags all attachments as containing viruses.
I've tried a number of times to figure out the problem, but I always end up
switching back to 0.60.

>> I cannot upgrade exiscan-acl because our setup uses some patches for LDAP
>> and I don't have the sources, and the guy that created them is gone....


OGW> Are you saying that you don't have the patches that guy wrote or you
OGW> don't have the sources for Exim and Exiscan??


Yep, I don't have the patches or the source, just the RPM's


>> I don't understand all this LDAP configuration!!


OGW> Again, look at that file, mask any passwords and let's have a look at
OGW> it.


LDAP is too much for what we need (50 users) and I don't understand it.
MySQL is simple, so ideal for storing user info, vacation info, forwarding
etc., and I understand MySQL.


>> So I'm aiming for a basic Exim, Exiscan, MySQL setup



OGW> Your system is not so critical or is it? ;-)
OGW> You need to weigh the nature of inconvenience (down time) that you will
OGW> cause the users in any case.


If I tell the boss that email will be down for a few days he will "not be
very happy" - and this is one of my secondary jobs so I don't get to play
Linux for more than an hour at a time.


OGW> Anyway, if you really want to start afresh (and it's better for you),
OGW> then this document


OGW> http://www.timj.co.uk/linux/Exim-SpamAndVirusScanning.pdf


OGW> Is a good start.
OGW> I don't remember if it talks about setting up a MySQL server. Tim
OGW> Jackson might just do that. He's the type that writes!!! Anyway in
OGW> this one, you have to find your own way of


OGW> 1. Installing your own MySQL server.
OGW> 2. Configuring your Cyrus IMAP server to talk to MySQL server and Exim.
OGW> 3. Migrating your users from LDAP to MySQL. Now that is what I dread;)


Actually, migrating them is easy: just export the LDIF, run it through Perl
to clean it up and import into MySQL; the only part that fails is the
password.

I'll check out Tim's document. I was hoping that someone had maybe put
something together that might fit my needs - it would save a lot of time.


Thanks for the help,


Graham
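
Added example, not part of the original message or the poster's script: the scanner.sh above reports an infection for any nonzero clamdscan exit status (`[ $ERR -gt 0 ]`), while the clamdscan man page defines 0 as clean, 1 as virus found and 2 as an error. The sketch below keeps those three outcomes apart and avoids the predictable /tmp/antivir$$.log file; the names `classify`, `scan_path`, `CLAMDSCAN`, `LOGGER` and the `SCANERROR` prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. CLAMDSCAN and LOGGER are
# hypothetical override variables so the logic can be exercised offline.
CLAMDSCAN=${CLAMDSCAN:-/usr/bin/clamdscan}
LOGGER=${LOGGER:-logger}

# classify CODE OUTPUT -> prints the one line the wrapper should emit.
#   0 = clean (prints nothing), 1 = virus found, anything else = scanner error
classify() {
    code=$1
    output=$2
    case "$code" in
        0)  ;;
        1)  # Pull the signature name out of "<path>: <name> FOUND" lines.
            names=$(printf '%s\n' "$output" |
                    sed -n 's/.*: \(.*\) FOUND$/\1/p' | tr '\n' ' ')
            names=${names% }
            [ -n "$names" ] || names=unknown
            printf 'INFECTED: %s\n' "$names" ;;
        *)  # An error line must not contain the INFECTED trigger string
            # used in the av_scanner setting on the page.
            printf 'SCANERROR: clamdscan exit %s\n' "$code" ;;
    esac
}

# scan_path PATH -> runs the scanner once and prints the classified line.
scan_path() {
    rc=0
    # Capture stdout and stderr in a variable instead of a file in /tmp.
    out=$("$CLAMDSCAN" --stdout "$1" 2>&1) || rc=$?
    line=$(classify "$rc" "$out")
    if [ -n "$line" ]; then
        "$LOGGER" "$0: $line" || :
        printf '%s\n' "$line"
    fi
}

# Run only when called with a path, as the av_scanner line would call it.
if [ $# -gt 0 ]; then scan_path "$1"; fi
```

Whether a scanner error should lead to accepting or deferring the message is a site policy decision; this sketch only makes the error visible in the log instead of reporting it as a virus.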