Hello,
due to the fact that I wasn't able to send out some
messages with attachments, I tried to analyze how
exim parses email messages to clamd.
I started both applications Exim and Clamd in debug
mode and sent a small email with a zip-attachment.
The used Exim ACL condition looks like this:

    warn log_message = This message contains malware
         malware = *

As a result I found out that the attachment has been
scanned twice although I cannot find a reason for this.
What I can say is that Exim places four files in its
local scan directory. Based on the assumption that Exim
parses all files to clamd it would be possible that the
attachment will be scanned multiple times:

    1Jep0N-0000XK-QN-00000   50724
        -> the mime parts of the message incl. attachment
    1Jep0N-0000XK-QN-00001   65
        -> the message text
    1Jep0N-0000XK-QN-00002   37163
        -> the binary attachment
    1Jep0N-0000XK-QN.eml     51503
        -> the complete message incl. header and attachment

Can anyone shed some light on this mechanism or tell me
how I can prevent Exim/Clamd from scanning one attachment
multiple times?
Thank you in advance!
Regards,
Juergen
--
GPG Key available