Autor: exim-users Data: A: Exim-users Assumpte: Re: [Fwd: [exim] deferring when clamd/spamd is down]
Ian Eiloart schrieb: >
> --On February 22, 2005 17:47:11 +0100 exim-users@??? wrote:
>
>> Hello fellow exim users,
>>
>> I'm using clamav and sa via exiscan and I thought everything was fine
>> until lately. After upgrading sa, I forgot to restart it. And when I
>> tested my exim installation, I realized that when either spamd or clamd
>> is down, mails can enter my system without being content scanned for spam
>> or malware.
>>
>> If I put the "spam" or "malware" condition in a deny statement, the mail
>> gets deferred as expected, if spamd or clamd is down. But if I have these
>> conditions in a warn statement, the warn statement gets ignored and
>> processing goes on to the next statement. Eventually, the mail enters my
>> system, which is not good.
>
>
> Why would you be accepting malware at all? Put it back in the deny
> statement where it belongs.
Some of my users want spam and/or malware to be quarantined. For those
users I can not use the deny statement.
Anyway, the problem also shows with sa. Hm, I just realized, I do things
slightly differently from the exiscan specification. There, the deny
statement with the second spam condition causes the defer, in case spamd
is down. Whereas I add sa's spam score to my own one (gathered from
other checks) in my only one spam condition, which resides in a warn
statement. And later I deny based on the overall score. If spamd is
down, the warn statement is simply skipped :(
Looks like I have to stay with my tri-state logic.
> I use defer=ok on my clamav scanning, but I make sure that the daemon
> stays up by using MacOSX watchdog to launch it - it gets relaunched
> immediately if it falls over.
I have a cron job, checking once a minute. And in a minute, a lot of
mail can flow in unscanned. But I want zero mail in this condition.
Why do you use defer_ok? Doing so, you tell exim to accept the mail even
though it wasn't scanned! Even if you trust your watchdog that much, is
there really a need for this setting? What is "immediately" with your
watchdog? How is "immediately" implemented? Is something like
"immediately" even possible? But since your malware condition is in a
deny statement, you should be safe, once you remove the defer_ok. Unless
your policy forbids you to do so, of course.
>> To avoid this and have the mails deferred as long as one of the demons is
>> down, I implemented the kind of tri-state logic that was given before on
>> the list for sender verification (ok/bad/unknown). Since this is not the
>> most beautiful solution in my eyes, I wonder whether there is another way
>> to achieve the same goal. How do others on the list tackle this
>> situation?
>>
>>
>> Thanks for your feedback,
>> Patrick
>>