Rspamd: antivirus module does not work
Andreas
postfix at linuxmaker.de
Tue Mar 30 09:35:24 CEST 2021
I did that.
> Send yourself a mail and put only the EICAR test string in it:
>
> https://www.eicar.org/?page_id=3950
> Section "The Anti-Malware Testfile", the string that starts with X5O...
>
The mail gets through, and I see nothing in the log that would point to
ClamAV:
2021-03-30 09:27:21 #21552(rspamd_proxy) <61f921>; proxy; proxy_accept_socket:
accepted milter connection from ::1 port 34572
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; milter;
rspamd_milter_process_command: got connection from 93.220.240.201:39246
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy;
rspamd_message_parse: loaded message; id: <1718393.pc0sDAHv4L at stuttgart>;
queue-id: <5DE1D12005D>; size: 1360; checksum:
<098d1f73438de343dde440b579977062>
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy;
rspamd_mime_part_detect_language: detected part language: en
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy;
rspamd_mime_part_detect_language: detected part language: en
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; lua; greylist.lua:204: skip
greylisting for local networks and/or authorized users
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy;
dkim_symbol_callback: skip DKIM checks for local networks and authorized users
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; lua; spf.lua:185: skip SPF
checks for local networks and authorized users
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; lua; dmarc.lua:596: skip
DMARC checks as either SPF or DKIM were not checked
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; lua; once_received.lua:99:
Skipping once_received for authenticated user or local network
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy;
rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of
classifier bayes: not enough learns 2; 200 required
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy;
rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of
classifier bayes: not enough learns 16; 200 required
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy;
rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; lua; greylist.lua:318:
Score too low - skip greylisting
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy;
rspamd_task_write_log: id: <1718393.pc0sDAHv4L at stuttgart>, qid: <5DE1D12005D>,
ip: 93.220.240.201, user: postfix at linuxmaker.de, from:
<postfix at linuxmaker.de>, (default: F (no action): [2.90/15.00]
[MISSING_MIME_VERSION(2.00){},CTE_CASE(0.50){},MID_RHS_NOT_FQDN(0.50)
{},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ARC_NA(0.00)
{},ASN(0.00){asn:3320, ipnet:93.192.0.0/10, country:DE;},DKIM_SIGNED(0.00)
{linuxmaker.de:s=2021;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00)
{},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00)
{1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_NONE(0.00){},TO_EQ_FROM(0.00)
{},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1360, time: 16.134ms, dns req: 1,
digest: <098d1f73438de343dde440b579977062>, rcpts: <postfix at linuxmaker.de>,
mime_rcpts: <postfix at linuxmaker.de>
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy;
rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3
regexps matched, 174 regexps total, 42 regexps cached, 0B scanned using pcre,
1.35KiB scanned total
2021-03-30 09:27:23 #21552(rspamd_proxy) <649a1d>; proxy;
proxy_milter_finish_handler: finished milter connection
> If that is detected, add the following options to local.d/antivirus.conf
> and restart rspamd:
>
> clamav {
> ...
> scan_mime_parts = true;
> scan_text_mime = true;
> scan_image_mime = true;
> retransmits = 4;
> timeout = 15;
> ...
> }
I added that as a precaution, too.
>
> Also check the system log to see whether clamav itself detects EICAR.
>
>
> Alternatively, check clamd.conf (the one from clamav, not from rspamd):
>
> ScanMail BOOL
> Enable scanning of mail files.
> If you turn off this option, the original files will still be
> scanned, but without parsing individual messages/attachments. Default: yes
Well, that is active with
"ScanMail true"
set. I have likewise set
TCPAddr 127.0.0.1
TCPSocket 3310
in clamd.conf. So this also works:
ss -tulpen | grep 3310
tcp LISTEN 0 15 127.0.0.1:3310 0.0.0.0:*
users:(("clamd",pid=12798,fd=4)) uid:112 ino:2057446 sk:1b <->
But unfortunately it does not scan the mails.
Best regards
Andreas
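Added example (not from the list post above, nor from the rspamd or ClamAV projects): the situation described, a message passing with no antivirus symbol in the rspamd log while clamd is listening on 127.0.0.1:3310, has two separate possible causes, clamd not detecting EICAR or rspamd never asking clamd. The script below tests the first one directly by speaking clamd's INSTREAM protocol over the same TCP socket rspamd would use, and it checks the second by looking for the antivirus module's result symbols in an rspamd_task_write_log line. It assumes clamd's stock TCP protocol (zINSTREAM with 4-byte big-endian length-prefixed chunks, a NUL-terminated reply) and rspamd's default clamav symbol names CLAM_VIRUS / CLAM_VIRUS_FAIL; the host, port and the shortened log line are taken from or modelled on the post and are constructed for the example.

```python
"""Added example (not code from the mailing-list post or from rspamd/ClamAV).

Two checks for the situation in the post:
  1. clamd_scan(): send the EICAR test string to clamd over TCP the way
     rspamd's antivirus module does (zINSTREAM) and parse the verdict.
  2. av_symbols_in_log(): look for antivirus result symbols in an
     rspamd_task_write_log line; an empty result means rspamd never
     reported a clamav verdict for that message at all.

Assumptions: clamd on 127.0.0.1:3310 (from the ss output in the post),
no socket authentication, default rspamd symbol names CLAM_VIRUS and
CLAM_VIRUS_FAIL.
"""
import socket
import struct

# The canonical EICAR test string: a public, harmless anti-malware test file.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

CHUNK_SIZE = 2048  # well below clamd's default StreamMaxLength

# Default antivirus-module symbols in rspamd (assumption: not renamed in local.d).
AV_SYMBOLS = ("CLAM_VIRUS", "CLAM_VIRUS_FAIL")

# Constructed sample: a shortened copy of the rspamd_task_write_log line in the
# post. Note the symbol list contains nothing from the antivirus module.
SAMPLE_LOG = (
    "2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; "
    "rspamd_task_write_log: id: <1718393.pc0sDAHv4L at stuttgart>, "
    "(default: F (no action): [2.90/15.00] [MISSING_MIME_VERSION(2.00){},"
    "CTE_CASE(0.50){},MIME_GOOD(-0.10){multipart/alternative;text/plain;}])"
)


def frame_instream(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Build a complete zINSTREAM session body for clamd.

    Wire format: 'zINSTREAM\\0', then chunks each prefixed with a 4-byte
    big-endian length, terminated by a zero-length chunk. The 'z' prefix
    asks clamd for NUL-terminated replies.
    """
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero-length chunk ends the stream
    return bytes(out)


def parse_reply(raw: bytes) -> dict:
    """Parse a clamd reply such as b'stream: Win.Test.EICAR_HDB-1 FOUND\\0'.

    Returns {'infected': bool, 'signature': str|None, 'error': str|None}.
    Anything that is neither '<name>: OK' nor '<name>: <sig> FOUND' is
    reported as an error (e.g. 'INSTREAM size limit exceeded. ERROR').
    """
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    _, sep, verdict = text.partition(": ")
    if sep and verdict.endswith(" FOUND"):
        return {"infected": True, "signature": verdict[: -len(" FOUND")], "error": None}
    if sep and verdict == "OK":
        return {"infected": False, "signature": None, "error": None}
    return {"infected": False, "signature": None, "error": text}


def clamd_scan(data: bytes, host: str = "127.0.0.1", port: int = 3310,
               timeout: float = 15.0) -> dict:
    """Scan 'data' through clamd's TCP socket (the transport rspamd uses)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' replies are NUL-terminated
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def av_symbols_in_log(log_line: str) -> list:
    """Return the antivirus-module symbols present in an rspamd log line.

    Symbols appear as NAME(score){options}, so we match 'NAME(' to avoid
    hitting the name inside unrelated text.
    """
    return [sym for sym in AV_SYMBOLS if sym + "(" in log_line]


if __name__ == "__main__":
    # Run against the live clamd from the post; expected: a FOUND verdict.
    print("clamd verdict for EICAR:", clamd_scan(EICAR))
    print("antivirus symbols in the post's log line:", av_symbols_in_log(SAMPLE_LOG))
```

If clamd_scan() returns a FOUND verdict but the rspamd log line still carries no CLAM_VIRUS or CLAM_VIRUS_FAIL symbol, clamd is fine and the problem is on the rspamd side (the antivirus module not loaded, or its servers setting not pointing at 127.0.0.1:3310). If clamd_scan() returns OK or an error, the rspamd configuration is not the first thing to look at.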
More information about the Postfixbuch-users mailing list