Re: [exim] exim and clamd on fc5

Author: Asbjorn Aarrestad
Date:  
To: W B Hacker
CC: exim users
Subject: Re: [exim] exim and clamd on fc5
>> As far as I understand, clamd is called in the "local_scan" part, but
>> when running with -d+deliver, I get the following:
>> calling local_scan(); timeout=300
>> local_scan() returned 0 NULL
>>
>> any ideas?
>
> Well - that debug AFAIK doesn't submit a 'known infected' message to be
> scanned, so a null return may be OK. Not my area of expertise.


I'm submitting the eicar test virus. When submitting it to another of my
mailservers the other server replies "virus", so the message should be
detected.

>
> Anyway - that isn't how I would test.
>
> Instead;
>
> 1) Check 'top' or 'ps' to see if clamd has *continued to run* after being
> started. You may find something in ~/log/messages, ~/log/maillog (or
> wherever...) that shows it started up, then died for lack of, for example,
> privs
> to write its logs, read its DB, chdir, etc.



From ps -ef:

------------------------
clamexim 20343     1  0 Aug24 ?        00:00:00 clamd.exim -c /etc/clamd.d/exim.conf
------------------------


so it is running.

looking at the log:
------------------------
[root@web log]# cat clamd.exim
Thu Aug 24 22:53:29 2006 -> +++ Started at Thu Aug 24 22:53:29 2006
Thu Aug 24 22:53:29 2006 -> clamd daemon 0.88.4 (OS: linux-gnu, ARCH: i386, CPU: i386)
Thu Aug 24 22:53:29 2006 -> Log file size limited to 1048576 bytes.
Thu Aug 24 22:53:29 2006 -> Running as user clamexim (UID 100, GID 93)
Thu Aug 24 22:53:29 2006 -> Reading databases from /var/lib/clamav
Thu Aug 24 22:53:31 2006 -> Protecting against 66700 viruses.
Thu Aug 24 22:53:31 2006 -> Unix socket file /var/run/clamd.exim/clamd.sock
Thu Aug 24 22:53:31 2006 -> Setting connection queue length to 15
Thu Aug 24 22:53:31 2006 -> Archive: Archived file size limit set to 10485760 bytes.
Thu Aug 24 22:53:31 2006 -> Archive: Recursion level limit set to 8.
Thu Aug 24 22:53:31 2006 -> Archive: Files limit set to 1000.
Thu Aug 24 22:53:31 2006 -> Archive: Compression ratio limit set to 250.
Thu Aug 24 22:53:31 2006 -> Archive support enabled.
Thu Aug 24 22:53:31 2006 -> Archive: RAR support disabled.
Thu Aug 24 22:53:31 2006 -> Portable Executable support enabled.
Thu Aug 24 22:53:31 2006 -> Mail files support enabled.
Thu Aug 24 22:53:31 2006 -> OLE2 support enabled.
Thu Aug 24 22:53:31 2006 -> HTML support enabled.
Thu Aug 24 22:53:31 2006 -> Self checking every 1800 seconds.
[root@web log]#
------------------------

It looks like it's running, but it has not done anything since I started it.


>
> 2) Once you are sure it is staying alive, try turning up your logging
> verbosity and send in a known-bad message. Look at wherever clamd is logging
> as well as in Exim's logs.


I've tried this a couple of times. Exim is logging the message as "local
delivery":
------------------------
2006-08-25 08:03:34 1GGUn0-0001gU-8n <= root@??? U=root P=local S=355
2006-08-25 08:03:34 1GGUn0-0001gU-8n => jostein <jostein@???> R=localuser T=local_delivery
2006-08-25 08:03:34 1GGUn0-0001gU-8n Completed
------------------------

but there is no change in the clamd.exim log


>
> The most common problem we had when we first started using Exim with clamd
> was that of clamd not having rights to all the resources it needed to stay on
> its feet.
>
> Second most common was when we used to start Exim before clamd and SA were
> available. Mere nuisance, fixed by sequencing the startups.
>



clamd and SA are started before exim. But as far as I can see, neither
clamd nor SA is called when submitting a message.




Trying to run "exim -d [user@domain] < eicar.com", I get, among other things,
the following:

---------------------
Exim version 4.62 uid=0 gid=0 pid=6478 D=fbb95cfd
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (March 24, 2006)
Support for: crypteq iconv() IPv6 PAM Perl TCPwrappers OpenSSL Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 nisplus passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect

* snip *

skipping ACL configuration - not needed

* snip *
--------------------------



Does any of this give you a hint as to why it's not working for me?

As I mentioned in the first e-mail, I installed exim on fc5 using the
precompiled RPMs, but as far as I've understood, they have been compiled
with support for clamd and SA...


Thanks for your help!

- asbjørn



-- 
--------------------------------------------------
Asbjørn Høiland Aarrestad    asbjorn@???
http://asbjorn.aarrestad.com/
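Editorial note and example, added here and not part of the thread (not the poster's configuration, and not a reply from the list). The telling line in the debug output above is "skipping ACL configuration - not needed". The build line shows Content_Scanning, which means clamd is driven by the `malware` ACL condition, not by local_scan(); the "local_scan() returned 0 NULL" line is only the built-in stub doing nothing. A message piped into `exim user < file` is a command-line (non-SMTP) submission, and Exim runs none of the SMTP ACLs for it, including the DATA ACL where `malware = *` normally lives; the only ACL that applies to that path is `acl_not_smtp`, and Exim not even loading the ACL section is consistent with none being set. So clamd is never contacted and the message goes straight to local delivery, exactly as the Exim log shows. The fragment below wires both submission paths to one scanning ACL. The socket path is taken from the clamd.exim log in the message; the ACL name `acl_check_data` is an assumed name, not from the page.

```conf
# Added example, not the poster's config: route both submission paths through
# one scanning ACL.  Socket path taken from the clamd.exim log above; the ACL
# name acl_check_data is assumed.
av_scanner = clamd:/var/run/clamd.exim/clamd.sock

# SMTP submissions (port 25, or "exim -bs" batched SMTP) run this at DATA time.
acl_smtp_data = acl_check_data

# Command-line submissions ("exim user < file", sendmail-compatible) run NO
# SMTP ACL.  Without this line such a message is never scanned at all.
acl_not_smtp  = acl_check_data

begin acl

acl_check_data:
  # Reject on any clamd hit.  If clamd cannot be reached or errors out, the
  # malware condition defers the message (temporary error) instead of letting
  # it through; do not add /defer_ok unless fail-open is what you want.
  deny    malware     = *
          message     = This message contains malware ($malware_name)
          log_message = malware $malware_name rejected

  accept
```

Re-test through an SMTP path rather than `exim user < file`: `exim -bs` reads a batched SMTP session on stdin (or connect to port 25 and send the EICAR file as the DATA body). The DATA ACL should then deny with the message above and `$malware_name` should come back as `Eicar-Test-Signature`. Two checks first: `clamdscan --config-file=/etc/clamd.d/exim.conf eicar.com` confirms that clamd itself flags the file through this socket; and because Exim of this vintage hands a Unix-socket clamd the path of the message copy in the scan directory under Exim's spool rather than streaming the data, the `clamexim` user must be able to read that directory (run the clamdscan check as that user against a file placed there). If it cannot, the `malware` condition defers the message, and the reason appears in Exim's own log rather than in clamd's.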