Mailing List Archive

Virus/Malware errors
I was looking at a message that had somehow gotten through my spam
filters to see if I could figure out why, when I discovered a line in
the header that said the message had not been virus scanned by exim.
THAT was a surprise. I have clamd running and the exim.conf points to it
(spamd_address = 127.0.0.1 783), so why on earth is it not scanning? I
looked, and clamd is running correctly. I even grabbed the EICAR.COM
test string and fed it to clamdscan. clamd caught it just fine. But when
I included the string in an email to myself, the message was delivered.

My next step was to test the file with the -bmalware option. THAT caused
an error (from the panic.log):
2021-01-18 23:52:21.261 dummy-808545818 Could not open datafile for
message dummy-808545818
2021-01-18 23:52:21.261 dummy-808545818 malware acl condition: error
while creating mbox spool file

My first thought is WHAT MBOX FILE? I don't use mbox, I use maildir!
Then I wondered if the permissions on the /var/spool/exim4/scan
directory were wrong. But they look right for Ubuntu 20.04LTS:
drwxr-x--- 2 Debian-exim clamav      4096 Jan 19 00:02 scan

On a whim, I changed the permissions to 777, and I STILL got the errors
about not being able to open the datafile and not being able to create
the mbox file.

I tried looking on google, and while I found a lot of messages
referring to this same kind of error, nothing looked solved. Maybe my
google-fu isn't strong enough right now, but I'm stumped. Please help!?

Thanks!


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Virus/Malware errors
On 2021-01-19 Dan Egli via Exim-users <exim-users@exim.org> wrote:
> I was looking at a message that had somehow gotten through my spam filters
> to see if I could figure out why, when I discovered a line in the header
> that said the message had not been virus scanned by exim. THAT was a
> surprise. I have clamd running
^^^^^ virus scanner

> and the exim.conf points to it (spamd_address > = 127.0.0.1 783),
^^^^^
Spam scanner

You seem to be mixing up malware and spam scanning.

Also configuration of either of these has two parts. Telling exim *how* to
run the respective test (main configuration), and on *when* to run it
and how to act on its results (ACL setting).

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html

cu Andreas

Re: Virus/Malware errors
My bad. I pasted the wrong line. Sorry.

av_scanner = clamd:/var/run/clamav/clamd.ctl

And it's enabled. I'm using the exim4u config patches, and in
exim4u_global_spam_virus:

# ClamAV Global Setting
# When enabled, Exim4U uses ClamAV to scan incoming mail for viruses during
# the SMTP connection. ClamAV is enabled (on) or disabled (off):
#ClamAV: off
ClamAV: on

Then in the main exim4.conf:

CLAMENABLED = ${lookup{ClamAV}lsearch{/etc/exim4/exim4u_global_spam_virus}}

and

acl_check_content:

  # Accept any messages that are larger than 256k because they are not likely to contain
  # viruses... that large size of virus will take too long to replicate ;)
  accept condition              = ${if >{$message_size}{256k}{yes}{no}}

  # Now process the rest
  warn  condition               = ${if eq{CLAMENABLED}{on}{yes}{no}}
        add_header              = X-Scanned-By: ${extract{1}{/}{${readsocket{inet:localhost:3310}{VERSION}{1s}{}{unscanned}}}} \
                                  $acl_m_interface_opt $acl_m_helo_data ($acl_m_interface); $tod_full\n



I looked at the documentation link you provided, and I don't see
anything there that isn't already set.

On 1/19/2021 12:46 AM, Andreas Metzler via Exim-users wrote:
> On 2021-01-19 Dan Egli via Exim-users <exim-users@exim.org> wrote:
>> I was looking at a message that had somehow gotten through my spam filters
>> to see if I could figure out why, when I discovered a line in the header
>> that said the message had not been virus scanned by exim. THAT was a
>> surprise. I have clamd running
> ^^^^^ virus scanner
>
>> and the exim.conf points to it (spamd_address > = 127.0.0.1 783),
> ^^^^^
> Spam scanner
>
> You seem to be mixing up malware and spam scanning.
>
> Also configuration of either of these has two parts. Telling exim *how* to
> run the respective test (main configuration), and on *when* to run it
> and how to act on its results (ACL setting).
>
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html
>
> cu Andreas
>

Re: Virus/Malware errors
Hi

On 19 Jan 2021, at 08:03, Dan Egli via Exim-users <exim-users@exim.org> wrote:
> My bad. I pasted the wrong line. Sorry,
>
> av_scanner = clamd:/var/run/clamav/clamd.ctl
>
> And it's enabled. I'm using the exim4u config patches, and in exim4u_global_spam_virus:
>
> # ClamAV Global Setting
> # When enabled, Exim4U uses ClamAV to scan incoming mail for viruses during
> # the SMTP connection. ClamAV is enabled (on) or disabled (off):
> #ClamAV: off
> ClamAV: on
>
> Then in the main exim4.conf:
>
> CLAMENABLED = ${lookup{ClamAV}lsearch{/etc/exim4/exim4u_global_spam_virus}}
>
> and
>
> acl_check_content:
>
> # Accept any messages that are larger than 256k because they are not likely to contain
> # viruses... that large size of virus will take too long to replicate ;)
> accept condition = ${if >{$message_size}{256k}{yes}{no}}
>
> # Now process the rest
> warn condition = ${if eq{CLAMENABLED}{on}{yes}{no}}
> add_header = X-Scanned-By: ${extract{1}{/}{${readsocket{inet:localhost:3310}{VERSION}{1s}{} {unscanned}}}} \
> $acl_m_interface_opt $acl_m_helo_data ($acl_m_interface); $tod_full\n

There is nothing in the above telling Exim to scan the email. That would be a line of the form:

malware = *

somewhere in your DATA ACL.

Given that this is not a stock Exim, with a lot of config tweaks by an external 3rd party, you may need to ask your question of that 3rd party.

Graeme
Re: Virus/Malware errors
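The piece Andreas and Graeme are both pointing at, written out as a configuration fragment added here (it is not from the thread, from exim4u, or from Exim's stock configuration): the main section tells Exim *how* to reach the scanner, and the DATA ACL tells it *when* to scan and what to do with the verdict. The X-Scanned-By header in the posted ACL only proves that something answered VERSION on port 3310; it records no scan. Only a `malware` condition makes Exim hand the message to clamd, and that condition is what writes the temporary mbox-format copy of the message into /var/spool/exim4/scan/ (the "mbox spool file" of the panic.log entry; it has nothing to do with the mailbox format used for delivery). The socket path, the CLAMENABLED macro and the 256k accept are taken from the thread; the ACL name acl_check_data, the message/log text and the deny-versus-defer behaviour are my choices and assumptions about the setup.

```text
# ---- main configuration: *how* to reach the scanner ----
# Unix socket of the local clamd; "clamd:127.0.0.1 3310" is the TCP form.
# The Exim user must be able to connect to the socket, and clamd (running
# as clamav) must be able to read /var/spool/exim4/scan, which is why that
# directory is owned Debian-exim:clamav with mode 750.
av_scanner = clamd:/var/run/clamav/clamd.ctl

# Run this ACL once the complete message (after DATA) has been received.
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Same switch as the exim4u configuration: CLAMENABLED is the macro
  # looked up from exim4u_global_spam_virus. Skip scanning when it is off.
  accept  condition     = ${if eq{CLAMENABLED}{off}{yes}{no}}

  # Fail closed. If clamd cannot be reached, the malware condition defers
  # and the sender gets a 4xx and retries later, instead of the message
  # being accepted unscanned. Only if you would rather accept mail while
  # the scanner is down, use the pattern "malware = */defer_ok".
  deny    malware       = *
          message       = This message contains malware ($malware_name)
          log_message   = malware rejected: $malware_name

  # Reached only after a successful, clean scan, so this header is truthful.
  warn    add_header    = X-Scanned-By: ClamAV via Exim on $primary_hostname; $tod_full

  accept
```

To check the result without sending mail: `exim -bP av_scanner` prints the scanner setting Exim actually loaded, and `exim -bmalware /path/to/eicar.txt` (the Exim specification requires admin privileges for this option) pushes a file through the same code path the ACL uses, including the copy into the scan directory, so a permissions or socket problem shows up there before it does on live traffic. One caveat on the posted configuration: its unconditional `accept` for messages over 256k means anything larger is never handed to clamd at all; that is a size trade-off the poster chose, not something the scanner needs.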
I don't claim to have any idea what happened, but all of a sudden it
started working. I am glad to see it working but hate it when things
change mysteriously. Anyway, as long as it's working I won't complain
very loud about not understanding WHY.


On 1/19/2021 1:46 AM, Graeme Fowler via Exim-users wrote:
> Hi
>
> On 19 Jan 2021, at 08:03, Dan Egli via Exim-users <exim-users@exim.org> wrote:
>> My bad. I pasted the wrong line. Sorry,
>>
>> av_scanner = clamd:/var/run/clamav/clamd.ctl
>>
>> And it's enabled. I'm using the exim4u config patches, and in exim4u_global_spam_virus:
>>
>> # ClamAV Global Setting
>> # When enabled, Exim4U uses ClamAV to scan incoming mail for viruses during
>> # the SMTP connection. ClamAV is enabled (on) or disabled (off):
>> #ClamAV: off
>> ClamAV: on
>>
>> Then in the main exim4.conf:
>>
>> CLAMENABLED = ${lookup{ClamAV}lsearch{/etc/exim4/exim4u_global_spam_virus}}
>>
>> and
>>
>> acl_check_content:
>>
>> # Accept any messages that are larger than 256k because they are not likely to contain
>> # viruses... that large size of virus will take too long to replicate ;)
>> accept condition = ${if >{$message_size}{256k}{yes}{no}}
>>
>> # Now process the rest
>> warn condition = ${if eq{CLAMENABLED}{on}{yes}{no}}
>> add_header = X-Scanned-By: ${extract{1}{/}{${readsocket{inet:localhost:3310}{VERSION}{1s}{} {unscanned}}}} \
>> $acl_m_interface_opt $acl_m_helo_data ($acl_m_interface); $tod_full\n
> There is nothing in the above telling Exim to scan the email. That would be a line of the form:
>
> malware = *
>
> somwhere in your DATA ACL.
>
> Given that this is not a stock Exim, with a lot of config tweaks by an external 3rd party, you may need to ask your question of that 3rd party.
>
> Graeme
