Rspamd: antivirus module does not work

Andreas postfix at linuxmaker.de
Tue Mar 30 09:35:24 CEST 2021


I did that.
> Send yourself a mail and put only the Eicar test string in it:
> 
> https://www.eicar.org/?page_id=3950
> Section "The Anti-Malware Testfile", the string that starts with X5O...
> 
The mail goes through, and I see nothing in the log that would point to Clamav:
2021-03-30 09:27:21 #21552(rspamd_proxy) <61f921>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 34572
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; milter; rspamd_milter_process_command: got connection from 93.220.240.201:39246
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; rspamd_message_parse: loaded message; id: <1718393.pc0sDAHv4L at stuttgart>; queue-id: <5DE1D12005D>; size: 1360; checksum: <098d1f73438de343dde440b579977062>
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; rspamd_mime_part_detect_language: detected part language: en
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; rspamd_mime_part_detect_language: detected part language: en
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; lua; greylist.lua:204: skip greylisting for local networks and/or authorized users
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; lua; spf.lua:185: skip SPF checks for local networks and authorized users
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; lua; dmarc.lua:596: skip DMARC checks as either SPF or DKIM were not checked
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; lua; once_received.lua:99: Skipping once_received for authenticated user or local network
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 2; 200 required
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 16; 200 required
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; lua; greylist.lua:318: Score too low - skip greylisting
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; rspamd_task_write_log: id: <1718393.pc0sDAHv4L at stuttgart>, qid: <5DE1D12005D>, ip: 93.220.240.201, user: postfix at linuxmaker.de, from: <postfix at linuxmaker.de>, (default: F (no action): [2.90/15.00] [MISSING_MIME_VERSION(2.00){},CTE_CASE(0.50){},MID_RHS_NOT_FQDN(0.50){},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ARC_NA(0.00){},ASN(0.00){asn:3320, ipnet:93.192.0.0/10, country:DE;},DKIM_SIGNED(0.00){linuxmaker.de:s=2021;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_NONE(0.00){},TO_EQ_FROM(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1360, time: 16.134ms, dns req: 1, digest: <098d1f73438de343dde440b579977062>, rcpts: <postfix at linuxmaker.de>, mime_rcpts: <postfix at linuxmaker.de>
2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3 regexps matched, 174 regexps total, 42 regexps cached, 0B scanned using pcre, 1.35KiB scanned total
2021-03-30 09:27:23 #21552(rspamd_proxy) <649a1d>; proxy; proxy_milter_finish_handler: finished milter connection
> If that is detected, add the following options to local.d/antivirus.conf
> and restart rspamd:
> 
> clamav {
>     ...
>     scan_mime_parts = true;
>     scan_text_mime = true;
>     scan_image_mime = true;
>     retransmits = 4;
>     timeout = 15;
>     ...
> }
I added that as a precaution as well.
> 
> Also check the system log to see whether clamav itself detects Eicar.
> 
> 
> Alternatively, check clamd.conf (ClamAV's, not rspamd's):
> 
> ScanMail BOOL
>     Enable scanning of mail files.
>     If you turn off this option, the original files will still be scanned,
>     but without parsing individual messages/attachments. Default: yes
Well, that is active with
"ScanMail true"
I have also set the following in clamd.conf:
TCPAddr 127.0.0.1
TCPSocket 3310

So this also works:
ss -tulpen | grep 3310
tcp     LISTEN   0        15             127.0.0.1:3310           0.0.0.0:*      users:(("clamd",pid=12798,fd=4)) uid:112 ino:2057446 sk:1b <->

But unfortunately it does not scan the mails.

Best regards

Andreas
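As an added example (not part of this thread, and not rspamd's or ClamAV's own code), here is a small Python script that does the "check whether clamav itself detects Eicar" step from the reply independently of rspamd: it speaks clamd's zINSTREAM protocol directly to the TCPAddr/TCPSocket shown above (127.0.0.1:3310) and reports the verdict. It also extracts the symbol list from an rspamd_task_write_log line like the one pasted above, so you can see whether the antivirus module contributed any symbol at all. Assumptions: the clamd address and port are taken from the thread; the symbol names CLAM_VIRUS and CLAM_VIRUS_FAIL are the module's assumed defaults for clamav (if `symbol` was changed in local.d/antivirus.conf, adjust AV_SYMBOL_PREFIX); SAMPLE_LOG is a constructed, shortened copy of the log line from this thread.

```python
"""Check clamd directly with EICAR, and look for antivirus symbols in an rspamd log line."""
import re
import socket
import struct
import sys
from typing import Dict, Optional, Tuple

# clamd endpoint from the thread's clamd.conf (TCPAddr 127.0.0.1 / TCPSocket 3310).
CLAMD_ADDR = ("127.0.0.1", 3310)

# EICAR test string, joined from two halves so this source file is not itself quarantined.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed default symbol names of rspamd's antivirus module for clamav (CLAM_VIRUS, CLAM_VIRUS_FAIL).
AV_SYMBOL_PREFIX = "CLAM_VIRUS"


def build_instream(payload: bytes, chunk_size: int = 2048) -> bytes:
    """Frame payload for clamd's zINSTREAM command.

    Wire format: NUL-terminated command, then records of
    <uint32 big-endian length><chunk bytes>, ended by a zero-length record.
    """
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(payload), chunk_size):
        chunk = payload[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero-length chunk terminates the stream
    return bytes(out)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Turn a clamd reply into (verdict, detail).

    b'stream: OK\\0'                                   -> ('OK', None)
    b'stream: Win.Test.EICAR_HDB-1 FOUND\\0'           -> ('FOUND', 'Win.Test.EICAR_HDB-1')
    b'stream: INSTREAM size limit exceeded. ERROR\\0'  -> ('ERROR', 'INSTREAM size limit exceeded.')
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _path, _sep, status = text.partition(": ")
    if status == "OK":
        return "OK", None
    if status.endswith(" FOUND"):
        return "FOUND", status[: -len(" FOUND")]
    if status.endswith(" ERROR"):
        return "ERROR", status[: -len(" ERROR")]
    return "ERROR", text  # empty or unexpected reply (e.g. socket closed early) counts as an error


def scan_with_clamd(payload: bytes, addr=CLAMD_ADDR, timeout: float = 15.0) -> Tuple[str, Optional[str]]:
    """Send payload to clamd over TCP and return the parsed verdict.

    clamd answers a single z-command with one NUL-terminated line and then closes.
    """
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(build_instream(payload))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


# name(score){options} entries inside the [...] symbol list of rspamd_task_write_log.
_SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((-?\d+\.\d+)\)\{")


def rspamd_symbols(log_line: str) -> Dict[str, float]:
    """Extract symbol -> score from one rspamd_task_write_log line (join wrapped lines first)."""
    return {name: float(score) for name, score in _SYMBOL_RE.findall(log_line)}


def antivirus_symbols(log_line: str, prefix: str = AV_SYMBOL_PREFIX) -> Dict[str, float]:
    """Symbols the antivirus module produced: CLAM_VIRUS on a detection, CLAM_VIRUS_FAIL when
    clamd could not be reached. A clean verdict adds no symbol, so an empty result only says
    that nothing was flagged, not whether the module ran."""
    return {k: v for k, v in rspamd_symbols(log_line).items() if k.startswith(prefix)}


# Constructed sample: the rspamd_task_write_log entry from the thread, joined onto one line and shortened.
SAMPLE_LOG = (
    "2021-03-30 09:27:23 #21552(rspamd_proxy) <61f921>; proxy; rspamd_task_write_log: "
    "id: <1718393.pc0sDAHv4L at stuttgart>, qid: <5DE1D12005D>, ip: 93.220.240.201, "
    "(default: F (no action): [2.90/15.00] [MISSING_MIME_VERSION(2.00){},CTE_CASE(0.50){},"
    "MIME_GOOD(-0.10){multipart/alternative;text/plain;},DKIM_SIGNED(0.00){linuxmaker.de:s=2021;}]), "
    "len: 1360, time: 16.134ms"
)


if __name__ == "__main__":
    print("antivirus symbols in sample rspamd log line:", antivirus_symbols(SAMPLE_LOG) or "none")
    try:
        verdict, detail = scan_with_clamd(EICAR.encode())
    except OSError as exc:
        sys.exit(f"cannot talk to clamd at {CLAMD_ADDR[0]}:{CLAMD_ADDR[1]}: {exc}")
    print(f"clamd verdict for EICAR: {verdict} {detail or ''}".rstrip())
    sys.exit(0 if verdict == "FOUND" else 1)
```

Run it on the mail host. If it prints FOUND, clamd detects EICAR on its own and the problem lies between rspamd and clamd; if it prints OK, or cannot connect, fix clamd first. The log pasted above contains no CLAM_* symbol at all, which is consistent either with the antivirus module never running for that message or with clamd answering OK; this script separates the second case out.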

