Re: [exim] Exim and clamav

Author: fhuet
Date:  
To: Simon Windsor
CC: exim-users
Subject: Re: [exim] Exim and clamav
Simon Windsor wrote:

> Hi
>
> Having recently got exim and clamav to work, could I ask
>
> - is clamd working
> - how is it configured in exim (see av_scanner)
> - have you checked access via Unix (socket or IP)
>
> All the best
>
> Simon
>
> fhuet wrote:
>
>> Hello all,
>>
>> Well, I'm still on my clamav problem. Spamassassin seems to be working:
>>
>> 2005-03-04 06:23:03 1D75HC-00030m-Vx <= <> U=Debian-exim P=spam-scanned S=958 id=E1D75HC-00030j-T4@smtp001
>> 2005-03-04 06:23:03 1D75HC-00030m-Vx User 0 set for local_delivery transport is on the never_users list
>> 2005-03-04 06:23:03 1D75HC-00030m-Vx == root@??? R=real_local T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
>> 2005-03-04 06:23:03 1D75HC-00030j-T4 => root <postmaster@???> R=spamcheck_router T=spamcheck
>> 2005-03-04 06:23:03 1D75HC-00030j-T4 Completed
>>
>>
>> But Clamav doesn't. I sent myself an "eicar mail" with a virus and I
>> received it in my mailbox without any scanning.
>>
>> Here is some information:
>> /etc/passwd :
>> Debian-exim:x:102:102::/var/spool/exim4:/bin/false
>> clamav:x:103:103::/var/lib/clamav:/bin/false
>>
>> /etc/group:
>> Debian-exim:x:102:clamav
>> clamav:x:103:Debian-exim
>>
>> ls -la /var/log/exim4
>> total 16472
>> drwxr-s---    2 Debian-e adm          4096 Mar  4 06:25 .
>> drwxr-xr-x    7 root     root         4096 Mar  4 06:25 ..
>> -rw-r-----    1 Debian-e adm       1405022 Mar  4 10:26 mainlog
>> -rw-r-----    1 Debian-e adm          1664 Mar  4 10:23 paniclog
>> -rw-r-----    1 Debian-e adm        487560 Mar  4 10:26 rejectlog
>> ...
>>
>> ls -la /var/spool/exim4/
>> total 76
>> drwxr-x---    8 Debian-e Debian-e     4096 Mar  3 01:53 .
>> drwxr-xr-x    5 root     root         4096 Mar  1 09:14 ..
>> drwx------    2 Debian-e Debian-e     4096 Mar  4 10:23 .spamassassin
>> drwxr-x---    2 Debian-e Debian-e     4096 Feb 24 17:34 db
>> drwxr-x---    2 Debian-e Debian-e    36864 Mar  4 10:25 input
>> drwxr-x---    2 Debian-e Debian-e    16384 Mar  4 10:23 msglog
>> drwxr-xr-x    2 Debian-e Debian-e     4096 Mar  1 09:15 rejects
>> drwxr-x---    2 Debian-e Debian-e     4096 Mar  3 00:32 scan
>>
>> in my exim4.conf:
>> av_scanner = clamd:/var/run/clamav/clamd.ctl
>>
>> clamd.conf:
>> LocalSocket /var/run/clamav/clamd.ctl
>> FixStaleSocket
>> User clamav
>> AllowSupplementaryGroups
>> ScanMail
>> ScanArchive
>> ArchiveMaxRecursion 5
>> ArchiveMaxFiles 1000
>> ArchiveMaxFileSize 10M
>> ArchiveMaxCompressionRatio 250
>> ReadTimeout 180
>> MaxThreads 12
>> MaxConnectionQueueLength 15
>> LogFile /var/log/clamav/clamav.log
>> LogTime
>> LogFileMaxSize 0
>> PidFile /var/run/clamav/clamd.pid
>> DatabaseDirectory /var/lib/clamav
>> SelfCheck 3600
>> ScanOLE2
>> ScanPE
>> DetectBrokenExecutables
>> ScanHTML
>> ArchiveBlockMax
>>
>> ps axf:
>> 24054 ?        S      0:01 /usr/sbin/spamd --create-prefs --max-children 10 --helper-home-dir -d --pidfile=/var/run/spamd.pid
>> 24076 ?        S      0:00  \_ spamd child
>> 24077 ?        S      0:00  \_ spamd child
>> 24078 ?        S      0:00  \_ spamd child
>> 24079 ?        S      0:00  \_ spamd child
>> 24080 ?        S      0:00  \_ spamd child
>> 24081 ?        S      0:00  \_ spamd child
>> 24082 ?        S      0:00  \_ spamd child
>> 24083 ?        S      0:00  \_ spamd child
>> 24084 ?        S      0:00  \_ spamd child
>> 24085 ?        S      0:00  \_ spamd child
>> 24067 ?        S      0:08 /usr/sbin/exim4 -bd -q30m
>> 24870 ?        S      0:00 /usr/sbin/clamd
>>
>> Well, I don't understand why clamav doesn't do any scan. I have
>> nothing in clamav.log
>> Tue Mar 1 12:01:56 2005 -> clamd daemon 0.83 (OS: linux-gnu, ARCH: i386, CPU: i386)
>> Tue Mar 1 12:01:56 2005 -> Log file size limit disabled.
>> Tue Mar 1 12:01:56 2005 -> Running as user clamav (UID 103, GID 103)
>> Tue Mar 1 12:01:56 2005 -> Reading databases from /var/lib/clamav
>> Tue Mar 1 12:01:57 2005 -> Protecting against 31060 viruses.
>> Tue Mar 1 12:01:57 2005 -> Unix socket file /var/run/clamav/clamd.ctl
>> Tue Mar 1 12:01:57 2005 -> Setting connection queue length to 15
>> Tue Mar 1 12:01:57 2005 -> Archive: Archived file size limit set to 10485760 bytes.
>>
>> That's all...
>>
>> Sorry for this mail, but I must be in production next week.
>>
>> Thank you.
>>
>> Franck
>>
>
>

Hello,

Yes, clamd is working fine now.
I have this in my exim4.conf (I have just one file for the exim conf; it
comes from an update of exim3):

acl_smtp_data = acl_clamav
...
av_scanner = clamd:/var/run/clamav/clamd.ctl
...
##### clamav ACL, reject virus infected mails with proper error
#Deny viruses
acl_clamav:
  deny message = virus no good, go home!
       malware = *
       demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc
  accept



see my logs:
smtp002:/var/log/exim4# tail -f /var/log/clamav/clamav.log
Fri Mar 4 16:57:06 2005 -> /var/spool/exim4/scan/1D7FAm-0002cb-Si/1D7FAm-0002cb-Si.eml: Worm.Zafi.B FOUND
Fri Mar 4 16:57:26 2005 -> /var/spool/exim4/scan/1D7FB7-0002cs-Hk/1D7FB7-0002cs-Hk.eml: Worm.SomeFool.P FOUND
Fri Mar 4 16:57:40 2005 -> /var/spool/exim4/scan/1D7FBL-0002d4-S3/1D7FBL-0002d4-S3.eml: Worm.SomeFool.P FOUND
Fri Mar 4 16:57:56 2005 -> /var/spool/exim4/scan/1D7FBX-0002dC-B8/1D7FBX-0002dC-B8.eml: Worm.Sober.K FOUND
Fri Mar 4 16:57:58 2005 -> /var/spool/exim4/scan/1D7FBQ-0002cz-5R/1D7FBQ-0002cz-5R.eml: Worm.Zafi.B FOUND

Here is my clamd.conf:
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket
User clamav
AllowSupplementaryGroups
ScanMail
ScanArchive
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ArchiveMaxCompressionRatio 250
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogFile /var/log/clamav/clamav.log
LogTime
LogFileMaxSize 0
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
ScanOLE2
ScanPE
DetectBrokenExecutables
ScanHTML
ArchiveBlockMax

Regards

Franck

--
Franck Huet
Administrateur Unix
Boursorama
Tel : 01-46-09-48-17
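A small check for the two things Simon asks about (is clamd up, and can the Exim side reach it over the Unix socket), added here as an example that is not part of this thread, of Exim or of ClamAV: it speaks clamd's plain PING and SCAN commands over the socket named in av_scanner and parses the FOUND / OK / ERROR replies that clamav.log echoes. The socket path, the in-process fake daemon and its marker string are assumptions so the check runs offline; against the real socket, run it as the Debian-exim user to exercise the group permissions the /etc/group entries above are meant to provide.

```python
import pathlib, socket, tempfile, threading
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # path from the thread's av_scanner line

def clamd_command(cmd, sock_path=CLAMD_SOCKET, timeout=10):
    """One newline-terminated command, one reply; clamd closes the connection afterwards.
    connect() raises PermissionError when the caller cannot reach the socket (group checks)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(cmd.encode() + b"\n")
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    return reply.decode().strip()

def clamd_scan(path, sock_path=CLAMD_SOCKET):
    """SCAN a file by path (as Exim does with its copy in the scan dir); returns (verdict, detail)."""
    _, _, verdict = clamd_command(f"SCAN {path}", sock_path).rpartition(": ")
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return ("OK", "") if verdict == "OK" else ("ERROR", verdict)

def run_fake_clamd(sock_path, marker=b"CONSTRUCTED-TEST-MARKER"):
    """Constructed stand-in for clamd: same PING/SCAN wire format, marker match instead of signatures."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                cmd = conn.recv(4096).decode().strip()
                if cmd == "PING":
                    conn.sendall(b"PONG\n")
                elif cmd.startswith("SCAN "):
                    try:
                        hit = marker in pathlib.Path(cmd[5:]).read_bytes()
                        conn.sendall(f"{cmd[5:]}: {'Test-Marker FOUND' if hit else 'OK'}\n".encode())
                    except OSError as e:  # missing or unreadable file: clamd answers ERROR
                        conn.sendall(f"{cmd[5:]}: {e.strerror}. ERROR\n".encode())
    threading.Thread(target=serve, daemon=True).start()

def selfcheck():
    """PING, then SCAN a clean, a marked and a missing message against the fake daemon."""
    d = pathlib.Path(tempfile.mkdtemp())
    sp = str(d / "clamd.ctl")
    run_fake_clamd(sp)
    for name, body in {"clean": b"plain text\n", "bad": b"CONSTRUCTED-TEST-MARKER\n"}.items():
        (d / f"{name}.eml").write_bytes(body)
    scan = lambda n: clamd_scan(str(d / n), sp)
    return {"alive": clamd_command("PING", sp) == "PONG", "clean": scan("clean.eml"),
            "bad": scan("bad.eml"), "missing": scan("none.eml")[0]}
```

Against a real clamd, `clamd_command("PING")` alone answers Simon's first two questions, and a `PermissionError` on connect answers the third.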