Re: [exim] av_scanner is broken suddenly?

Author: Victor Sudakov
Date:  
To: exim-users
Subject: Re: [exim] av_scanner is broken suddenly?
Jeremy Harris via Exim-users wrote:
> On 30/12/2020 13:20, Victor Sudakov via Exim-users wrote:
> > In my situation, I set net.inet.tcp.fastopen.client_enable=0 on the
> > client (exim host) and it cured the problem.
>
> Good to know. It's a workaround, not a fix, IMO.
>
> > I could probably have set
> > net.inet.tcp.fastopen.server_enable=1 on the server side (clamd host)
> > and it would cure the problem too?
>
> It's worth trying. However, a TFO implementation is *required*
> to operate properly talking to a non-TFO peer.
>
> > Jeremy, I did not quite understand if the whole problem is a bug in
> > FreeBSD
>
> This.


Maybe I should file a PR to the FreeBSD team, but could you suggest a
very simple test case? Maybe a couple of lines of code to open a TCP
connection and fail?


>
> > or a bug in Exim, or both, but if I can provide any help or
> > additional info/testing to clear the situation once and for all, I'd be
> > glad to.
>
> If you could get a run with the original configuration, but with debug
> enabled (command-line "-d+all") on the exim that ends up calling
> out to Clam, that will help to locate that "close(-1)" we saw.
>
> If that's the exim daemon:
>
> - Check using "ps" for any extra args normally used on your
> exim daemon process
> - stop the exim service
> - run
> # exim -d+all -bd 2>&1 | tee logfile
> to get a daemon with debug.


I now have this log and am ready to send it privately to you or another
person requesting it, preferably in encrypted form. I would not like to
publish such a detailed log somewhere on the Internet.

A relevant snippet from the log is below:


13:54:33 63708 Malware scan: clamd tmo=2m
13:54:33 63708 trying server name 192.168.153.104, port 3310
13:54:33 63708 TFO mode connection attempt to 192.168.153.104, 10 data
13:54:33 63708 Malware scan: issuing clamd new-style remote scan (zINSTREAM)
13:54:33 63708 socket: domain AF_INET lcl [95.170.141.50]:47149 type SOCK_STREAM proto tcp
13:54:33 63708 LOG: MAIN PANIC
13:54:33 63708 malware acl condition: clamd : unable to send file body to socket (192.168.153.104)
13:54:33 63708 deny: condition test failed in ACL "acl_check_data"


--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
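
A minimal client of the kind asked for in the message above. This is an added example, not code from the thread or from Exim. It opens a connection with TCP Fast Open carrying 10 bytes, then writes a follow-up body, and its return value says which step failed. Assumptions: the name tfo_probe, the filler body, the command-line arguments, and the FreeBSD way of requesting client TFO (setsockopt TCP_FASTOPEN followed by sendto on the unconnected socket); point it at a plain test listener that does not have TFO enabled.

```c
/* Added example: TFO client probe. Build: cc -o tfo_probe tfo_probe.c */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 = all data sent, 1 = TFO open/first send failed, 2 = body send failed. */
int tfo_probe(const char *ip, int port, size_t body_len)
{
    static const char cmd[] = "zINSTREAM"; /* 10 bytes with the NUL; same size as "10 data" in the log */
    struct sockaddr_in sa;
    char body[4096];                       /* constructed filler, not a real clamd chunk */
    int rc = 0, on = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0) return 1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); return 1; }
    memset(body, 'x', sizeof body);
    if (body_len > sizeof body) body_len = sizeof body;

#ifdef MSG_FASTOPEN   /* Linux: implicit connect, data offered in the SYN */
    (void)on;
    if (sendto(fd, cmd, sizeof cmd, MSG_FASTOPEN | MSG_NOSIGNAL,
               (struct sockaddr *)&sa, sizeof sa) != (ssize_t)sizeof cmd) rc = 1;
#else                 /* FreeBSD (assumed): enable TFO, then sendto() connects */
    if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof on) < 0
        || sendto(fd, cmd, sizeof cmd, MSG_NOSIGNAL,
                  (struct sockaddr *)&sa, sizeof sa) != (ssize_t)sizeof cmd) rc = 1;
#endif
    if (rc) perror("TFO open");
    /* Second write on the same socket: the kind of send the log reports as failing. */
    else if (send(fd, body, body_len, MSG_NOSIGNAL) != (ssize_t)body_len) {
        perror("body send");
        rc = 2;
    }
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s ipv4-addr port\n", argv[0]); return 64; }
    return tfo_probe(argv[1], atoi(argv[2]), 4096);
}
```

An exit status of 2 against a listener without TFO would be the behaviour worth putting in a PR; comparing runs with net.inet.tcp.fastopen.client_enable set to 1 and to 0 isolates the TFO path.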