[Postfixbuch-users] problems with amavisd+clamav+spamassassin newbie
Lars Ernst
Lars.Ernst at schramlsoft.de
Wed Apr 12 13:50:11 CEST 2006
So, I hope it is better now?
> The system is a SELS9; clamav was first version 0.88 with webclamav 0.6.2 (for webmin) and is now 0.88.1
The question was asked by Martin Haegele.
>
> Lars Ernst wrote:
> > Hello Sandy,
> >
> > many thanks for the quick reply. I have put my two cents ;) below the comments so that the context is preserved.
> > The bottom line is that the status is unfortunately still unchanged. :(
> > What am I still doing wrong here?
>
> You have enabled the virus scan in amavisd.conf, but have no virus scanner?
>
> >>Apr 10 16:20:42 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd: sleeping for 1 s
> >>Apr 10 16:20:43 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd: Connecting to socket /var/run/clamav/clamd, retry #1
> >>Apr 10 16:20:43 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd: Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory, retrying (2)
> >>Apr 10 16:20:43 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd: sleeping for 6 s
>
> What does it (clamd) say when you try to start it?
>
It was/is running the whole time.
>
> >>Apr 10 16:20:49 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd: Connecting to socket /var/run/clamav/clamd, retry #2
> >>Apr 10 16:20:49 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd av-scanner FAILED: Too many retries to talk to /var/run/clamav/clamd (Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory) at (eval 51) line 180.
> >>Apr 10 16:20:49 orion amavisd[32596]: (client-XXZIbaob) WARN: all primary virus scanners failed, considering backups
> >
> >
> > Fix that!
> >
> > All virus scanners commented out. For now.
>
> Then you had better disable virus checking by amavis.
>
OK.
>
> >
> >
> >>Apr 10 16:20:49 orion amavisd[32596]: (client-XXZIbaob) Using Clam Antivirus - clamscan: /usr/bin/clamscan --stdout --no-summary -r /var/spool/amavis/amavis-client-XXZIbaob/parts
> >
> >
> > The secondary scanner, command-line clam, seems to work.
> >
> > Well, it doesn't complain. However, it did not detect an EICAR test file. So the virus priority is put on hold for now.
> >
> >
> >>Apr 10 16:20:50 orion amavisd[32596]: (client-XXZIbaob) TROUBLE in check_mail: delivery-notification FAILED: Explicit forwarding, but not all recips done at /usr/sbin/amavisd line 1412, <GEN3> line 76.
> >
> >
> > That is where it gets stuck.
> >
> > Yes, and I suspect that is probably the main problem; at any rate all mails get stuck in the queue when I enable amavisd. *ponders* I looked at that line in the amavisd file (code), but code like that is all Greek to me, and apart from finding the line with "Explicit forwarding, but not all recips done..." there, it tells me nothing. :(
>
> >
> > The most important thing is missing:
> > Logs from Postfix and the configuration of Amavis.
> >
> > Postfix log:
> > Apr 11 11:14:43 orion postfix/smtpd[4178]: connect from
> lexp.w-schraml.loc
> > Apr 11 11:14:43 orion postfix/smtpd[4178]: 126561E08:
> client=lexp.w-schraml.loc
> > Apr 11 11:14:43 orion postfix/cleanup[4180]: 126561E08:
> message-id=<002401c65d48$00422080$196ea8c0 at WSCHRAML.LOC>
> > Apr 11 11:14:43 orion postfix/qmgr[4014]: 126561E08:
> from=<Lars.Ernst at schramlsoft.de>, size=921, nrcpt=1 (queue active)
> > Apr 11 11:14:43 orion postfix/smtpd[4178]: disconnect from
> lexp.w-schraml.loc
> > Apr 11 11:14:44 orion postfix/pipe[4181]: 126561E08:
> to=<lars.ernst at schramlsoft.de>, relay=amavisd, delay=1,
> status=deferred (temporary failure)
>
> So Postfix tries to hand the mail over to the content filter, which however fails.
>
>
> > Amavisd config (since I don't know whether there is something like postconf -n here, here comes the whole lot):
> > # Section I - Essential daemon and MTA settings
>
> That was exactly the grep command that comes below. So I have deleted the whole thing...
>
>
> >
> >
> > Show the output of
> > egrep '(fatal|error|panic|warning)' /var/log/mail
> >
> > Apr 11 10:08:14 orion postfix/smtpd[3589]: warning:
> smtpd_peer_init: 61.11.16.89: hostname
> 61.11.16.89.bb-static.vsnl.net.in verification failed: Name
> or service not known
> > Apr 11 10:16:44 orion postfix/smtpd[3641]: warning:
> smtpd_peer_init: 201.245.131.90: hostname
> adsl_plus_245131-90.etb.net.co verification failed: Name or
> service not known
> > Apr 11 10:18:14 orion postfix/smtpd[3649]: warning:
> smtpd_peer_init: 62.81.151.163: hostname
> 163-151-81-62.libre.auna.net verification failed: Name or
> service not known
> > Apr 11 10:26:40 orion postfix/smtpd[3649]: warning:
> smtpd_peer_init: 218.61.33.41: hostname cncln.online.ln.cn
> verification failed: Name or service not known
> > Apr 11 10:29:00 orion postfix/smtpd[3678]: NOQUEUE:
> reject_warning: RCPT from
> dslb-084-056-036-218.pools.arcor-ip.net[84.56.36.218]: 450
> <hildegard at alam-latin.de>: Sender address rejected: Domain
> not found; from=<hildegard at alam-latin.de>
> to=<bernhard.roedel at schramlsoft.de> proto=SMTP helo=<schramlsoft.de>
> > Apr 11 10:30:25 orion postfix/smtpd[3677]: warning:
> smtpd_peer_init: 83.230.176.196: hostname
> cliente-28870.iberbanda.es verification failed: Name or
> service not known
> > Apr 11 10:32:32 orion postfix/smtpd[3678]: warning:
> smtpd_peer_init: 81.210.81.162: hostname curie.pfeso.edu.pl
> verification failed: Name or service not known
> > Apr 11 10:33:09 orion postfix/smtpd[3678]: warning:
> smtpd_peer_init: 84.24.250.62: hostname
> cp530967-a.tilbu1.nb.home.nl verification failed: Name or
> service not known
> > Apr 11 10:54:41 orion postfix/smtpd[4027]: warning:
> smtpd_peer_init: 201.14.108.92: hostname
> 201-14-106-92.gnace701.t.brasiltelecom.net.br verification
> failed: Name or service not known
> > Apr 11 11:08:07 orion postfix/smtpd[4027]: warning:
> smtpd_peer_init: 202.134.169.253: hostname
> 202.134.169.253.customer.7starnet.com verification failed:
> Name or service not known
> > Apr 11 11:11:31 orion postfix/smtpd[4148]: warning:
> smtpd_peer_init: 84.24.250.62: hostname
> cp530967-a.tilbu1.nb.home.nl verification failed: Name or
> service not known
> > Apr 11 11:11:40 orion postfix/smtpd[4027]: warning:
> smtpd_peer_init: 201.245.131.90: hostname
> adsl_plus_245131-90.etb.net.co verification failed: Name or
> service not known
> > Apr 11 11:21:18 orion postfix/smtpd[4325]: warning:
> smtpd_peer_init: 203.150.96.185: hostname
> 203-150-96-185.inter.net.th verification failed: Name or
> service not known
> > Apr 11 11:27:12 orion postfix/smtpd[4325]: warning:
> smtpd_peer_init: 210.211.169.60: hostname
> 210.211.169.60.bb-static.vsnl.net.in verification failed:
> Name or service not known
> > Apr 11 11:27:55 orion postfix/smtpd[4446]: warning:
> smtpd_peer_init: 148.235.6.86: hostname
> customer-148-235-6-86.uninet-ide.com.mx verification failed:
> Name or service not known
> > Apr 11 11:28:46 orion postfix/smtpd[4325]: warning:
> smtpd_peer_init: 203.131.131.250: hostname
> adsl-131.131.250.info.com.ph verification failed: Name or
> service not known
> > Apr 11 11:28:53 orion postfix/smtpd[4446]: warning:
> smtpd_peer_init: 220.134.78.16: address not listed for
> hostname 220-134-79-16.HINET-IP.hinet.net
> > Apr 11 11:29:10 orion postfix/smtpd[4446]: warning:
> smtpd_peer_init: 61.63.99.6: hostname
> 61-63-99-6.nty.dynamic.lsc.net.tw verification failed: Name
> or service not known
> > Apr 11 11:31:31 orion postfix/smtpd[4325]: warning:
> smtpd_peer_init: 201.37.64.159: hostname
> C925409F.poa.virtua.com.br verification failed: Name or
> service not known
> > Apr 11 11:32:33 orion postfix/smtpd[4325]: warning:
> smtpd_peer_init: 84.119.109.16: hostname
> fr-ssy-C3-04-084119109016.chello.fr verification failed: Name
> or service not known
> > Apr 11 11:38:06 orion postfix/smtpd[4325]: warning:
> smtpd_peer_init: 222.124.144.227: hostname
> 227.subnet144.astinet.telkom.net.id verification failed: Name
> or service not known
> > Apr 11 11:45:22 orion postfix/smtpd[4525]: warning:
> smtpd_peer_init: 203.199.185.200: hostname
> illhyd-203.199.185.200.static.vsnl.net.in verification
> failed: Name or service not known
> > Apr 11 11:54:41 orion postfix/smtpd[4553]: warning:
> smtpd_peer_init: 201.144.137.222: hostname
> dsl-201-144-137-222.prod-infinitum.com.mx verification
> failed: Name or service not known
> > Apr 11 11:54:57 orion postfix/smtpd[4525]: warning:
> smtpd_peer_init: 24.106.201.145: hostname
> rrcs-24-106-201-145.se.biz.rr.com verification failed: Name
> or service not known
> > Apr 11 11:57:44 orion postfix/smtpd[4553]: warning:
> smtpd_peer_init: 200.47.5.76: hostname line76.equal.net.ar
> verification failed: Name or service not known
> >
>
> Those are all just harmless warnings. But this seems to be only from running operation, not from after a restart of Postfix.
>
> >
> > and
> > egrep -v '^#|^$|^[ ]+#' /etc/amavisd.conf
> > use strict;
> > $MYHOME = '/var/spool/amavis';
> > $mydomain = 'w-schraml.loc';
> > $daemon_user = 'vscan';
> > $daemon_group = 'vscan';
> > $TEMPBASE = $MYHOME; # (must be set if other config vars use is)
> > $ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory
> > $forward_method = 'lmtp:127.0.0.1:10025'; # where to forward checked mail
>
> Why lmtp?
>
I consider lmtp more versatile and flexible -> changed to smtp.
>
>
> > $notify_method = $forward_method; # where to submit notifications
> > $max_servers = 2; # number of pre-forked children (default 2)
> > $max_requests = 10; # retire a child after that many accepts (default 10)
> > $child_timeout=5*60; # abort child if it does not complete each task in n sec
> > @local_domains_acl = ( ".$mydomain" ); # $mydomain and its subdomains
> > # (does not apply to sendmail/milter)
> > # (default is true)
> > $unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
> > $inet_socket_port = 10024; # accept SMTP on this local TCP port
>
> Okay, then change the handover from Postfix to Amavis to smtp! That is where it is stuck.
>
> In master.cf the following line:
> smtp inet n - n - 20 smtpd
> -o content_filter=smtp:127.0.0.1:10024
>
OK, master.cf:
amavisd unix n - n - 2 smtpd
-o smtp_data_done_timeout=1200s
-o disable_dns_lookups=yes
-o smtp_send_xforward_command=yes
>
> Better switch off the content_filter option in main.cf for this. After that, do a "postfix reload" and send a test mail. If that works, the transport can then be defined a bit more cleanly.
>
The test mail worked. After arming the content_filter in main.cf, unfortunately all mails again just went into the queue and stayed there until I commented the content_filter in main.cf out again.
At least the TROUBLE message is gone. I suspect that the way from amavisd back to Postfix does not work. Am I wrong?
amavisd debug:
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) prolong_timer after viru _scan: remaining time = 300 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) white_black_list: checking sender <Inge.Puchta at schramlsoft.de>
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_acl: key="Inge.Puchta at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_RE: key="Inge.Puchta at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key="inge.puchta at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key="inge.puchta@", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key="schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key=".schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key=".de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key=".", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_acl: key="Inge.Puchta at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_acl: key="le at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) calling SA parse, SA version 2.64
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) CALLING SA check
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) RETURNED FROM NoMailAudit::check, time left: 30 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) prolong_timer after spam_scan_SA: remaining time = 300 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) spam_scan: hits=0 tests=
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) prolong_timer after spam_scan: remaining time = 300 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup: (scalar) matches, result="5"
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) header: Received: from unknown by localhost (amavisd-new, unix socket)\n id client-XX86WuZQ for <le at schramlsoft.de>;\n Wed, 12 Apr 2006 10:26:54 +0200 (CEST)\n
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) header: X-Virus-Scanned: by amavisd-new at w-schraml.loc\n
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_acl: key="le at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_acl: key="le at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup: (scalar) matches, result="3"
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup: (scalar) matches, result="5"
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) headers CLUSTERING: NEW CLUSTER <le at schramlsoft.de>: hits=0.0, tag=0, tag2=0, subj=0, subj_u=0, local=0, bl=0
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) headers CLUSTERING: done all 1 recips in one go
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) FWD via SMTP: [127.0.0.1]:10025 <Inge.Puchta at schramlsoft.de> -> <le at schramlsoft.de>
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) prolong_timer after fwd-connect: remaining time = 300 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) mail_via_smtp: session failed: Can't connect to 127.0.0.1 port 10025, Connection refused at /usr/sbin/amavisd line 2872, <GEN64> line 146.
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) mail_via_smtp: 450 4.4.1 Can't connect to 127.0.0.1 port 10025, Connection refused at /usr/sbin/amavisd line 2872, <GEN64> line 146., id=client-XX86WuZQ
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) mail_via_smtp: DATA skipped, 0, 0, 0
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) prolong_timer after forwarding: remaining time = 300 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) one_response_for_all <Inge.Puchta at schramlsoft.de>: 4xx found, '450 4.4.1 Can't connect to 127.0.0.1 port 10025, Connection refused at /usr/sbin/amavisd line 2872, <GEN64> line 146., id=client-XX86WuZQ'
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) warnsender_with_pass=(,,,), dsn_needed=, exit=75, 450 4.4.1 Can't connect to 127.0.0.1 port 10025, Connection refused at /usr/sbin/amavisd line 2872, <GEN64> line 146., id=client-XX86WuZQ
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) Not-Delivered, <Inge.Puchta at schramlsoft.de> -> <le at schramlsoft.de>, Message-ID: <001001c65e09$ecf120e0$166ea8c0 at WSCHRAML.LOC>, Hits: 0
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) tempdir being removed: /var/spool/amavis/amavis-client-XX86WuZQ
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) rmdir_recursively: /var/spool/amavis/amavis-client-XX86WuZQ, excl=
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) rmdir_recursively: /var/spool/amavis/amavis-client-XX86WuZQ/parts, excl=0
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) mail checking ended: exit_code=75 (450 4.4.1 Can't connect to 127.0.0.1 port 10025, Connection refused at /usr/sbin/amavisd line 2872, <GEN64> line 146., id=client-XX86WuZQ)
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) TIMING [total 7090 ms] - got data: 1 (0%), body hash: 1 (0%), mkdir parts: 1 (0%), mime_decode: 8 (0%), get-file-type: 12 (0%), decompose_part: 2 (0%), parts: 0 (0%), AV-scan-1: 7006 (99%), AV-scan-2: 0 (0%), SA msg read: 2 (0%), SA parse: 1 (0%), SA check: 48 (1%), fwd-rundown: 5 (0%), unlink-1-files: 3 (0%), rmdir: 0 (0%), unlink-1-files: 0 (0%), rmdir: 0 (0%), rundown: 0 (0%)
So spam is apparently detected and put into quarantine(?), only the connect to itself on port 10025 does not work, but why?
>
>
> > @inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
> > $DO_SYSLOG = 1; # (defaults to false)
> > $LOGFILE = "$MYHOME/amavis.log"; # (defaults to empty, no log)
> > $log_level = 2; # (defaults to 0)
> > $log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
> > <%o> -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
> > $final_virus_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
> > $final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
> > $final_spam_destiny = D_PASS;
> > $final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
> > $viruses_that_fake_sender_re = new_RE(
> > qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
> > qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
> > qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
> > qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
> > qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
> > qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
> > [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
> > [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
> > [qr/.*/ => 1], # true by default (remove or comment-out if undesired)
> > );
> > $virus_admin = "virusalert\@$mydomain";
>
> Is that a valid address?
>
virusalert is a mail alias for root.
Many thanks.
Lars Ernst
>
> Sandy
>
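
Added example, not part of the original post: a shell check for the condition the amavisd debug log above reports, namely "Connection refused" on the port named in $forward_method. The function names are hypothetical and the two master.cf variants are constructed samples; the re-injection listener shown follows the usual Postfix after-queue content filter layout.

```shell
#!/bin/sh
# Added example (not from the thread): does the port in amavisd's
# $forward_method have a matching inet listener in Postfix's master.cf?

# Print the TCP port from a line like  $forward_method = 'smtp:127.0.0.1:10025';
forward_port() {
    grep -E '^[[:space:]]*\$forward_method[[:space:]]*=' "$1" |
        sed -n -E 's/^[^=]*=[^:]*:[^:]*:([0-9]+).*/\1/p' | head -n 1
}

# Succeed if master.cf ($2) defines an inet service whose port is $1.
has_listener() {
    awk -v port="$1" '
        /^#/ || /^[ \t]/ { next }   # skip comments and "-o" continuation lines
        $2 == "inet" { n = split($1, a, ":"); if (a[n] == port) found = 1 }
        END { exit !found }
    ' "$2"
}

# check_reinjection AMAVISD_CONF MASTER_CF -> 0 ok, 1 listener missing, 2 no forward_method
check_reinjection() {
    port=$(forward_port "$1")
    [ -n "$port" ] || { echo "no \$forward_method in $1"; return 2; }
    if has_listener "$port" "$2"; then
        echo "OK: inet listener for port $port found in $2"
    else
        echo "MISSING: amavisd forwards to port $port but $2 has no inet service there"
        return 1
    fi
}

# Constructed sample files (assumed contents, modelled on the settings quoted above).
demo=$(mktemp -d)
printf '%s\n' "\$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail" \
    "\$inet_socket_port = 10024;" > "$demo/amavisd.conf"
printf '%s\n' 'smtp      inet  n  -  n  -  20  smtpd' \
    '  -o content_filter=smtp:127.0.0.1:10024' > "$demo/master_before.cf"
# Same file plus a re-injection listener; the empty content_filter keeps
# returned mail from being handed to amavisd a second time.
{
    cat "$demo/master_before.cf"
    printf '%s\n' '127.0.0.1:10025 inet  n  -  n  -  -  smtpd' \
        '  -o content_filter=' '  -o mynetworks=127.0.0.0/8'
} > "$demo/master_after.cf"

check_reinjection "$demo/amavisd.conf" "$demo/master_before.cf" || true
check_reinjection "$demo/amavisd.conf" "$demo/master_after.cf"
```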