[exim] Exim, clamd, and spamd

Author: Herb Martin
Date:  
To: exim-users
Subject: [exim] Exim, clamd, and spamd
Does anyone have either clamd or spamd running under cygwin? (3.50+ Exim)
AND willing to share your config settings with me?

[This stuff is so new that apparently the docs have not really caught up --
showing more examples of the deprecated "demime" in the Data ACL than of the
"decode" and "malware" from the MIME acl.]

How does one test a Unix socket (in general)? Is there a program that will
let me pipe a file to clamd when using a unix (/tmp/clamd) socket, and get
back the response interactively?

[Something simple where I can analyze the output or capture it to a file...]

I tried NetCat to the clamd but didn't know how to format request so I will
research that in the clamd documentation.

[Neither my O'Reilly Linux book nor my Shell programming book, nor any
Google search I have contrived has given me an example of testing a socket.]

Whether I use the Unix socket OR the TCP socket, my exim errors on the
malware/clamd test.

Here are the lines from MIME ACL that I am forced to comment out in order to
run:

deny message = This message contains malware ($malware_name)
   decode    = default
   malware   = */defer_ok



accept
######

[I put in the defer_ok in an effort to allow these lines to remain until I
fix the problem, but not cause all mail to be rejected -- but even that
doesn't work with TCP sockets although IIRC it was ok with the UNIX socket,
just didn't succeed in testing.]

These lines are in the Data ACL: 
deny message = This message contains malware ($malware_name)
     demime  = 
     malware = */defer_ok 


#...etc...
accept
######

I have various files containing viruses which I can pump through exim: exim
-bh 192.168.2.1 <qIIFGYK-251687.cnm ...including one with this:

Content-Type: application/octet-stream;
    name="text.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="text.zip"


Errors I get include this (using exim -bh IP_ADDRESS <file)     

>>> processing "deny"
>>> check decode = default
>>> check malware = */defer_ok
>>> deny: condition test error


From the command line, clamscan shows this containing an infected file --
but I thought perhaps that clamd has trouble unpacking/scanning the whole
file rather than the individual mime parts (clamscan does work on the entire
file.)

I even tried using the cmdline AV setup and got this same error -- this
would lead me towards permissions perhaps.
(But all is run from the same powerful account.)

Exim also errors on TCP socket for spamd to SpamAssassin, but this time the
error is more benign: claiming it cannot parse the output. (commands and
actual error text below)

I know that the spamd is operational since I am using these daemons for other
purposes and they are responding on the same (default ports and local
addresses.)

Being new to Cygwin (and not a Linux expert), I have a suspicion that this
may be either a permission or a local.cf configuration issue. Since this is
Cygwin, both Exim and the daemons are running under the same user -- an
admin -- even though that probably isn't the best practice from a security
standpoint.

As to spamassassin configuration, I am re-writing headers and subject by
default and suspect that perhaps Exim is not calling SpamD with switches
suitable to choose its own output format rather than re-write the file
(which probably would be ignored anyway.)

These lines in the DATA ACL:

warn  message = X-Spam-Score: $spam_score ($spam_bar)
         spam = nobody:true/defer_ok


(followed by accept)

...give this result (to exim -bh IP_ADDRESS <filename):

>>> processing "warn"
>>> check spam = nobody:true/defer_ok
>>> trying server 127.0.0.1, port 783

LOG: IIHHDM-0003DK-EL spam acl condition: cannot parse spamd output
>>> warn: condition test failed


The IP 127.0.0.1 is instead the actual IP which is set up in the Main section
and which works for other processes using spamd.

Versions:
cygwin (current as of last 2005-05-20)
ClamAV 0.85.1/948/Tue Jun 21 00:52:23 2005
Windows 2003 current with all fixes:
Microsoft Windows [Version 5.2.3790]
Exim 4.51 with Scanning and deprecated DEMIME
Exim version 4.51 #2 built 20-Jun-2005 11:17:13
Probably GDBM (native mode)
Support for: iconv() PAM OpenSSL Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz dnsdb dsearch
ldap ldapdn ldapm passwd
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute redirect queryprogram
Transports: appendfile/maildir/mailstore/mbx autoreply pipe smtp
Configuration file is /etc/exim.conf
SpamAssassin version 3.0.4
running on Perl version 5.8.6

spamd startup command:
perl -T -w -S spamd -A ALL_LOCAL_IPs -i ONE_DAEMON_EACH_LOCAL_IP -d -m 3


Herb Martin
HerbM@??? http://LearnQuick.Com Accelerated MCSE in a Week
Seminars
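The post asks how to test a Unix socket by hand and pipe a file to clamd to see the raw reply. Below is an added example, not code from the original post, from Exim or from ClamAV, showing exactly that exchange: a small client that speaks the clamd protocol over either a Unix socket path or a TCP address, plus a constructed fake clamd so the script runs offline. The command forms used (nPING, and nINSTREAM with length-prefixed chunks terminated by a zero-length chunk) are the clamd protocol of ClamAV 0.95 and later; the 0.85.1 in the post predates INSTREAM and used the separate STREAM port instead, so against that version only the PING part applies. The ClamdClient class, the fake daemon, the EICAR test attachment and the temporary socket path (standing in for /tmp/clamd) are all assumptions made for this example; point ClamdClient at a real clamd socket to probe a live daemon.

```python
"""Talk to clamd by hand over a Unix or TCP socket: PING and INSTREAM.

Added example, not code from the original post, Exim or ClamAV. Command
syntax follows the clamd protocol of ClamAV 0.95+ (the post's 0.85.1 has
no INSTREAM). The fake clamd is constructed so the script runs offline.
"""
import os
import socket
import struct
import tempfile
import threading

# EICAR test string, concatenated so this file is not itself flagged.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def _reply(sock):
    """Replies to 'n'-prefixed clamd commands end with a single newline."""
    with sock.makefile("rb") as f:
        return f.readline().rstrip(b"\n").decode()


class ClamdClient:
    """Minimal clamd client; pass either unix_path or tcp_addr=(host, port)."""

    def __init__(self, unix_path=None, tcp_addr=None, timeout=5.0):
        self.unix_path, self.tcp_addr, self.timeout = unix_path, tcp_addr, timeout

    def _connect(self):
        if self.unix_path:
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            s.settimeout(self.timeout)
            s.connect(self.unix_path)
            return s
        return socket.create_connection(self.tcp_addr, timeout=self.timeout)

    def ping(self):
        with self._connect() as s:
            s.sendall(b"nPING\n")
            return _reply(s)                # "PONG" when the daemon is alive

    def instream(self, data, chunk=8192):
        """INSTREAM: 4-byte big-endian length + bytes per chunk, zero length ends it."""
        with self._connect() as s:
            s.sendall(b"nINSTREAM\n")
            for i in range(0, len(data), chunk):
                part = data[i:i + chunk]
                s.sendall(struct.pack(">I", len(part)) + part)
            s.sendall(struct.pack(">I", 0))
            return _reply(s)                # "stream: OK" or "stream: <sig> FOUND"


def _fake_clamd_serve(listener):
    """Constructed stand-in for clamd: answers PING and INSTREAM, nothing else."""
    while True:
        conn, _ = listener.accept()
        with conn, conn.makefile("rb") as f:
            cmd = f.readline()
            if cmd == b"nPING\n":
                conn.sendall(b"PONG\n")
            elif cmd == b"nINSTREAM\n":
                body = b""
                while True:
                    n = struct.unpack(">I", f.read(4))[0]
                    if n == 0:
                        break
                    body += f.read(n)
                conn.sendall(b"stream: Eicar-Test-Signature FOUND\n"
                             if EICAR in body else b"stream: OK\n")
            else:
                conn.sendall(b"UNKNOWN COMMAND\n")


def start_fake_clamd(listener):
    """Serve the fake daemon on an already-bound socket in a background thread."""
    listener.listen(5)
    threading.Thread(target=_fake_clamd_serve, args=(listener,), daemon=True).start()


def demo():
    """Probe the fake daemon over both socket types; returns the raw replies."""
    path = os.path.join(tempfile.mkdtemp(), "clamd")   # stands in for /tmp/clamd
    unix_l = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    unix_l.bind(path)
    start_fake_clamd(unix_l)
    tcp_l = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_l.bind(("127.0.0.1", 0))                        # ephemeral port
    start_fake_clamd(tcp_l)

    via_unix = ClamdClient(unix_path=path)
    via_tcp = ClamdClient(tcp_addr=tcp_l.getsockname())
    return {
        "unix_ping": via_unix.ping(),
        "tcp_ping": via_tcp.ping(),
        "clean": via_unix.instream(b"Hello, just a text attachment\r\n"),
        "eicar": via_tcp.instream(b"--boundary\r\n" + EICAR + b"\r\n"),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {reply}")
```

Run it as-is to see the exchange against the fake daemon; to probe a real clamd, construct `ClamdClient(unix_path="/tmp/clamd")` or `ClamdClient(tcp_addr=("127.0.0.1", 3310))` and feed `instream()` the raw bytes of one of the infected test messages. A daemon that answers PING but returns an error or nothing for the scan narrows the problem to the scan request rather than the socket itself, which is the distinction the post is trying to draw.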