Hello Phil,
>> > Some days ago I realized that messages are not temporarily deferred
>> > if the malware scanner ClamAV is not running but are forwarded to
>> > the end user without being checked at all.
>> >
>> > Now I wonder how I need to modify the ACL part to make sure that
>> > this doesn't happen anymore. Is there any reliable way to find
>> > out if the malware scanner is running or not?
>> >
>> > This is the currently used ACL part:
>> >
>> > acl_check_data:
>> > warn log_message = This message contains malware ($malware_name)
>> > malware = *
>> >
>> > accept
>> > ...
>
> Something more is going on here and you'll need to provide logs for
> where this happens.
>
> By default, "malware = *" should be deferring if it can't talk to the
> malware scanner. You need to explicitly say "malware = */defer_ok" if
> it's acceptable to continue on without scanning.

That's exactly how I understood the function.

Therefore I've stopped the malware scanner and have run a test with
the EICAR test virus. Although the malware ACL condition returns
'deferred', the warn statement is skipped and the next ACL statement
is processed.

After reading through the ACL documentation several times, I thought
it should instantly defer the message on a malware scanner failure
without processing any further statements.

This is the related debug trace:

22650 using ACL "acl_check_data"
22650 processing "warn"
22650 check malware = *
22650 LOG: MAIN PANIC
22650 malware acl condition: clamd: unable to connect to UNIX socket
/var/run/clamd (No such file or directory)
22650 warn: condition test deferred
22650 LOG: MAIN
22650 H=host.test.lan (mail.domain.de) [192.168.6.11] Warning: ACL
"warn" statement skipped: condition test deferred
22650 processing "warn"
22650 warn: condition test succeeded
22650 processing "accept"
22650 accept: condition test succeeded

Thanks
Juergen
--
Mail: juergen.edner@???
GPG Key available
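
The following is an added example, not part of the original message and not Exim code: a Python check that reads an Exim debug trace in the format shown above and reports ACL runs in which a malware condition deferred yet the message was still accepted. The function name and the sample trace (the trace above with its two mail-wrapped lines rejoined) are assumptions made for the example.

```python
import re

# Constructed sample: the debug trace from the message above, with its two
# mail-wrapped lines rejoined.
SAMPLE_TRACE = """\
22650 using ACL "acl_check_data"
22650 processing "warn"
22650 check malware = *
22650 LOG: MAIN PANIC
22650 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamd (No such file or directory)
22650 warn: condition test deferred
22650 LOG: MAIN
22650 H=host.test.lan (mail.domain.de) [192.168.6.11] Warning: ACL "warn" statement skipped: condition test deferred
22650 processing "warn"
22650 warn: condition test succeeded
22650 processing "accept"
22650 accept: condition test succeeded
"""

PID_LINE = re.compile(r"^(\d+)\s+(.*)$")
ACL_START = re.compile(r'^using ACL "([^"]+)"')
CHECK = re.compile(r"^check (\w+) =")
RESULT = re.compile(r"^(\w+): condition test (\w+)")

def find_unscanned_accepts(trace):
    """Report ACL runs where a malware check deferred but accept still succeeded."""
    runs, findings = {}, []  # runs: pid -> state of the ACL currently traced
    for raw in trace.splitlines():
        m = PID_LINE.match(raw)
        if not m:
            continue
        pid, text = m.group(1), m.group(2)
        if a := ACL_START.match(text):
            runs[pid] = {"acl": a.group(1), "checks": set(), "deferred_in": []}
        elif (run := runs.get(pid)) is None:
            continue
        elif text.startswith("processing "):
            run["checks"] = set()  # a new ACL statement starts here
        elif c := CHECK.match(text):
            run["checks"].add(c.group(1))
        elif r := RESULT.match(text):
            verb, outcome = r.groups()
            if outcome == "deferred" and "malware" in run["checks"]:
                run["deferred_in"].append(verb)  # statement left without a verdict
            elif verb == "accept" and outcome == "succeeded" and run["deferred_in"]:
                findings.append({"pid": pid, "acl": run["acl"],
                                 "deferred_in": run["deferred_in"]})
                del runs[pid]
    return findings
```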