Again "4.7.1 Tempfail - internal scan engine error." on another machine

Oliver Dobler oliverdobler67 at gmail.com
Thu Aug 10 15:58:24 CEST 2023


Hello,
I already had this problem once last week after a dist-upgrade from Debian 11
to 12. And this time it is again on a freshly upgraded Debian 12.

However, restarting the services again does not work this time:
systemctl restart rspamd.service
systemctl restart clamav-daemon.service
systemctl restart clamav-freshclam.service
systemctl restart clamav-clamonacc.service

The milter is reachable:
telnet localhost 11332
works, and
netstat -tulpen | fgrep 11332
tcp        0      0 127.0.0.1:11332         0.0.0.0:*               LISTEN      111        52940      2675/rspamd: main p
tcp6       0      0 ::1:11332               :::*                    LISTEN      111        52941      2675/rspamd: main p
also shows a connection.
The following returns no result:
netstat -tulpen | fgrep clamd

Excerpt from mail.log when attempting to send an attachment:

2023-08-10T15:50:09.146600+02:00 mx postfix/submission/smtpd[6481]: connect from mx.example.tld[192.168.1.71]
2023-08-10T15:50:09.193712+02:00 mx postfix/submission/smtpd[6481]: Anonymous TLS connection established from mx.example.tld[192.168.1.71]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
2023-08-10T15:50:10.854579+02:00 mx postfix/postscreen[1049]: CONNECT from [202.74.56.82]:37620 to [192.168.1.71]:25
2023-08-10T15:50:10.856976+02:00 mx postfix/submission/smtpd[6481]: D1172620038: client=mx.example.tld[192.168.1.71], sasl_method=PLAIN, sasl_username=systemmails at example.tld
2023-08-10T15:50:10.858953+02:00 mx postfix/cleanup[6689]: D1172620038: message-id=<806846898fc701d355d90c7a43aec9fd at example.tld>
2023-08-10T15:50:10.871617+02:00 mx postfix/dnsblog[6637]: addr 202.74.56.82 listed by domain zen.spamhaus.org as 127.0.0.2
2023-08-10T15:50:10.872112+02:00 mx postfix/postscreen[1049]: CONNECT from [202.74.56.82]:37622 to [192.168.1.71]:25
2023-08-10T15:50:10.926570+02:00 mx postfix/submission/smtpd[6480]: Anonymous TLS connection established from unknown[196.0.11.138]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2023-08-10T15:50:11.129474+02:00 mx postfix/cleanup[6689]: D1172620038: milter-reject: END-OF-MESSAGE from mx.example.tld[192.168.1.71]: 4.7.1 Tempfail - internal scan engine error. (support-id D1172620038); from=<systemmails at example.tld> to=<wh at example.tld> proto=ESMTP helo=<mail.example.tld>


The corresponding main.cf:
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
compatibility_level = 2
confirm_delay_cleared = yes
delay_warning_time = 60
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
milter_default_action = tempfail
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks permit_sasl_authenticated reject
mua_relay_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain permit_mynetworks
    permit_sasl_authenticated reject
mua_sender_restrictions = permit_mynetworks reject_non_fqdn_sender
    reject_sender_login_mismatch permit_sasl_authenticated reject
mydestination = mx.example.tld, localhost.example.tld, localhost
myhostname = mx.example.tld
mynetworks = 127.0.0.0/8 192.168.1.0/24 192.119.24.0/24
    [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:11332
plaintext_reject_code = 550
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 24h
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7
    dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5
    bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*8
    dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3
    dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2
    dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org=127.0.0.[4..7]*6
    zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3
    hostkarma.junkemailfilter.com=127.0.0.2*3
    hostkarma.junkemailfilter.com=127.0.0.4*1
    hostkarma.junkemailfilter.com=127.0.1.2*1
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 2d
postscreen_greet_wait = 3s
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
proxy_read_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf,
    proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf,
    proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_in_policy.cf,
    proxy:mysql:/etc/postfix/sql/sender-login-maps.cf,
    $local_recipient_maps $mydestination $virtual_alias_maps
    $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
    $relay_recipient_maps $relay_domains $mynetworks
    $smtpd_sender_login_maps
queue_run_delay = 5m
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf
relay_recipient_maps =
    proxy:mysql:/etc/postfix/sql/mysql_relay_recipient_maps.cf
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = medium
smtp_tls_loglevel = 1
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname
smtpd_client_restrictions = permit_mynetworks check_client_access
    hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
    reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_invalid_helo_hostname,
    reject_unknown_reverse_client_hostname, reject_unauth_destination
smtpd_relay_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain permit_mynetworks
    reject_unauth_destination
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.example.tld/fullchain.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams_2048.pem
smtpd_tls_dh512_param_file = /etc/ssl/mail/dhparams_512.pem
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
smtpd_tls_key_file = /etc/letsencrypt/live/mx.example.tld/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000

However, this service cannot be started:
# systemctl status clamav-clamonacc.service
× clamav-clamonacc.service - ClamAV On-Access Scanner
    Loaded: loaded (/lib/systemd/system/clamav-clamonacc.service; enabled; preset: enabled)
    Active: failed (Result: exit-code) since Thu 2023-08-10 15:26:44 CEST; 29min ago
  Duration: 19ms
      Docs: man:clamonacc(8)
            man:clamd.conf(5)
            https://docs.clamav.net/
   Process: 4527 ExecStartPre=/bin/bash -c while [ ! -S /run/clamav/clamd.ctl ]; do sleep 1; done (code=exited, status=0/SUCCESS)
   Process: 4528 ExecStart=/usr/sbin/clamonacc -F --log=/var/log/clamav/clamonacc.log --move=/root/quarantine (code=exited, status=2)
  Main PID: 4528 (code=exited, status=2)
       CPU: 22ms

Aug 10 15:26:44 mx systemd[1]: Starting clamav-clamonacc.service - ClamAV On-Access Scanner...
Aug 10 15:26:44 mx systemd[1]: Started clamav-clamonacc.service - ClamAV On-Access Scanner.
Aug 10 15:26:44 mx clamonacc[4528]: --------------------------------------
Aug 10 15:26:44 mx clamonacc[4528]: ERROR: Clamonacc: at least one of OnAccessExcludeUID, OnAccessExcludeUname, or OnAccessExcludeRootUID must be specified ... it is recommended you exclude t>
Aug 10 15:26:44 mx systemd[1]: clamav-clamonacc.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Aug 10 15:26:44 mx systemd[1]: clamav-clamonacc.service: Failed with result 'exit-code'.

Perhaps you could help me with the troubleshooting once more?

Best regards
Oliver

