Again "4.7.1 Tempfail - internal scan engine error." on another machine

Andreas postfix.user at linuxmaker.cloud
Sun Aug 13 18:50:49 CEST 2023


On Thursday, 10 August 2023, 15:58:24 CEST, Oliver Dobler via
Postfixbuch-users wrote:
> Hello,
> I already had this problem once last week after a dist-upgrade from
> Debian 11 to 12. And this time again on a freshly upgraded Debian 12.
> 
> This time, however, restarting the services again does not work:
> systemctl restart rspamd.service
> systemctl restart clamav-daemon.service
> systemctl restart clamav-freshclam.service
> systemctl restart clamav-clamonacc.service
> 
> The milter is reachable:
> telnet localhost 11332
> works, and
> netstat -tulpen | fgrep 11332
> tcp        0      0 127.0.0.1:11332         0.0.0.0:*
> LISTEN      111        52940      2675/rspamd: main p
> tcp6       0      0 ::1:11332               :::*
> LISTEN      111        52941      2675/rspamd: main p
> also returns a connection.
> The following returns no result:
> netstat -tulpen | fgrep clamd
> 
> Excerpt from mail.log when trying to send an attachment:
> 
> 2023-08-10T15:50:09.146600+02:00 mx postfix/submission/smtpd[6481]:
> connect from mx.example.tld[192.168.1.71]
> 2023-08-10T15:50:09.193712+02:00 mx postfix/submission/smtpd[6481]:
> Anonymous TLS connection established from
> mx.example.tld[192.168.1.71]: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> server-signature RSA-PSS (2048 bits) server-digest SHA256
> 2023-08-10T15:50:10.854579+02:00 mx postfix/postscreen[1049]: CONNECT
> from [202.74.56.82]:37620 to [192.168.1.71]:25
> 2023-08-10T15:50:10.856976+02:00 mx postfix/submission/smtpd[6481]:
> D1172620038: client=mx.example.tld[192.168.1.71], sasl_method=PLAIN,
> sasl_username=systemmails at example.tld
> 2023-08-10T15:50:10.858953+02:00 mx postfix/cleanup[6689]:
> D1172620038: message-id=<806846898fc701d355d90c7a43aec9fd at example.tld>
> 2023-08-10T15:50:10.871617+02:00 mx postfix/dnsblog[6637]: addr
> 202.74.56.82 listed by domain zen.spamhaus.org as 127.0.0.2
> 2023-08-10T15:50:10.872112+02:00 mx postfix/postscreen[1049]: CONNECT
> from [202.74.56.82]:37622 to [192.168.1.71]:25
> 2023-08-10T15:50:10.926570+02:00 mx postfix/submission/smtpd[6480]:
> Anonymous TLS connection established from unknown[196.0.11.138]:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> 2023-08-10T15:50:11.129474+02:00 mx postfix/cleanup[6689]:
> D1172620038: milter-reject: END-OF-MESSAGE from
> mx.example.tld[192.168.1.71]: 4.7.1 Tempfail - internal scan engine
> error. (support-id D1172620038); from=<systemmails at example.tld>
> to=<wh at example.tld> proto=ESMTP helo=<mail.example.tld>
> 
> 
> The corresponding main.cf:
> append_dot_mydomain = no
> biff = no
> bounce_queue_lifetime = 1h
> compatibility_level = 2
> confirm_delay_cleared = yes
> delay_warning_time = 60
> disable_vrfy_command = yes
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> local_recipient_maps = $virtual_mailbox_maps
> mailbox_size_limit = 0
> maximal_backoff_time = 15m
> maximal_queue_lifetime = 1h
> message_size_limit = 52428800
> milter_default_action = tempfail
> milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
> milter_protocol = 6
> minimal_backoff_time = 5m
> mua_client_restrictions = permit_mynetworks permit_sasl_authenticated reject
> mua_relay_restrictions = reject_non_fqdn_recipient
> reject_unknown_recipient_domain permit_mynetworks
> permit_sasl_authenticated reject
> mua_sender_restrictions = permit_mynetworks reject_non_fqdn_sender
> reject_sender_login_mismatch permit_sasl_authenticated reject
> mydestination = mx.example.tld, localhost.example.tld, localhost
> myhostname = mx.example.tld
> mynetworks = 127.0.0.0/8 192.168.1.0/24 192.119.24.0/24
> [::ffff:127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname
> non_smtpd_milters = inet:localhost:11332
> plaintext_reject_code = 550
> postscreen_access_list = permit_mynetworks
> cidr:/etc/postfix/postscreen_access
> postscreen_bare_newline_enable = no
> postscreen_blacklist_action = drop
> postscreen_cache_cleanup_interval = 24h
> postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7
> dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5
> bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*8
> dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3
> dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2
> dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org=127.0.0.[4..7]*6
> zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3
> hostkarma.junkemailfilter.com=127.0.0.2*3
> hostkarma.junkemailfilter.com=127.0.0.4*1
> hostkarma.junkemailfilter.com=127.0.1.2*1
> wl.mailspike.net=127.0.0.[18;19;20]*-2
> hostkarma.junkemailfilter.com=127.0.0.1*-2
> postscreen_dnsbl_threshold = 8
> postscreen_dnsbl_ttl = 5m
> postscreen_greet_action = enforce
> postscreen_greet_banner = $smtpd_banner
> postscreen_greet_ttl = 2d
> postscreen_greet_wait = 3s
> postscreen_non_smtp_command_enable = no
> postscreen_pipelining_enable = no
> proxy_read_maps =
> proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf,
> proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf,
> proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_in_policy.cf,
> proxy:mysql:/etc/postfix/sql/sender-login-maps.cf,
> $local_recipient_maps $mydestination $virtual_alias_maps
> $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
> $relay_recipient_maps $relay_domains $mynetworks
> $smtpd_sender_login_maps
> queue_run_delay = 5m
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relay_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf
> relay_recipient_maps =
> proxy:mysql:/etc/postfix/sql/mysql_relay_recipient_maps.cf
> smtp_dns_support_level = dnssec
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtp_tls_ciphers = medium
> smtp_tls_loglevel = 1
> smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = dane
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname
> smtpd_client_restrictions = permit_mynetworks check_client_access
> hash:/etc/postfix/without_ptr reject_unknown_client_hostname
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_error_sleep_time = 10s
> smtpd_hard_error_limit = ${stress?1}${stress:5}
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks
> reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
> reject_unknown_helo_hostname
> smtpd_milters = inet:localhost:11332
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_invalid_helo_hostname,
> reject_unknown_reverse_client_hostname, reject_unauth_destination
> smtpd_relay_restrictions = reject_non_fqdn_recipient
> reject_unknown_recipient_domain permit_mynetworks
> reject_unauth_destination
> smtpd_sender_login_maps =
> proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf
> smtpd_soft_error_limit = 3
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/letsencrypt/live/mx.example.tld/fullchain.pem
> smtpd_tls_ciphers = medium
> smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams_2048.pem
> smtpd_tls_dh512_param_file = /etc/ssl/mail/dhparams_512.pem
> smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
> smtpd_tls_key_file = /etc/letsencrypt/live/mx.example.tld/privkey.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_ciphers = medium
> smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
> tls_preempt_cipherlist = yes
> tls_ssl_options = NO_COMPRESSION
> virtual_alias_maps =
> proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
> proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf
> virtual_gid_maps = static:5000
> virtual_mailbox_domains =
> proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
> virtual_mailbox_maps =
> proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
> virtual_minimum_uid = 104
> virtual_transport = lmtp:unix:private/dovecot-lmtp
> virtual_uid_maps = static:5000
> 
> However, this service cannot be started:
> # systemctl status clamav-clamonacc.service
> × clamav-clamonacc.service - ClamAV On-Access Scanner
>     Loaded: loaded (/lib/systemd/system/clamav-clamonacc.service;
> enabled; preset: enabled)
>     Active: failed (Result: exit-code) since Thu 2023-08-10 15:26:44
> CEST; 29min ago
>   Duration: 19ms
>       Docs: man:clamonacc(8)
>             man:clamd.conf(5)
>             https://docs.clamav.net/
>    Process: 4527 ExecStartPre=/bin/bash -c while [ ! -S
> /run/clamav/clamd.ctl ]; do sleep 1; done (code=exited,
> status=0/SUCCESS)
>    Process: 4528 ExecStart=/usr/sbin/clamonacc -F
> --log=/var/log/clamav/clamonacc.log --move=/root/quarantine
> (code=exited, status=2)
>   Main PID: 4528 (code=exited, status=2)
>        CPU: 22ms
> 
> Aug 10 15:26:44 mx systemd[1]: Starting clamav-clamonacc.service -
> ClamAV On-Access Scanner...
> Aug 10 15:26:44 mx systemd[1]: Started clamav-clamonacc.service -
> ClamAV On-Access Scanner.
> Aug 10 15:26:44 mx clamonacc[4528]: --------------------------------------
> Aug 10 15:26:44 mx clamonacc[4528]: ERROR: Clamonacc: at least one of
> OnAccessExcludeUID, OnAccessExcludeUname, or OnAccessExcludeRootUID
> must be specified ... it is recommended you exclude t>
> Aug 10 15:26:44 mx systemd[1]: clamav-clamonacc.service: Main process
> exited, code=exited, status=2/INVALIDARGUMENT
> Aug 10 15:26:44 mx systemd[1]: clamav-clamonacc.service: Failed with
> result 'exit-code'.
> 
> Perhaps you could help me with the troubleshooting once more?
> 
> Best regards
> Oliver

Hello Oliver

and everyone who has the same problem on Debian 12.
systemctl disable --now clamav-daemon.socket
systemctl enable --now clamav-daemon.service
should help

Best regards

Andreas
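
A way to confirm that clamd itself answers after the unit change above, as an added example that is not part of the original post: it sends clamd's PING command to the socket path named in the clamonacc unit's ExecStartPre line and expects PONG. That rspamd's antivirus module points at this same socket is an assumption; the function name and timeout are illustrative.

```python
import socket
import sys

# Path taken from the clamonacc unit shown in the quoted message; whether
# rspamd is configured to use this same socket is an assumption.
CLAMD_SOCKET = "/run/clamav/clamd.ctl"


def clamd_ping(path=CLAMD_SOCKET, timeout=5.0):
    """Return (ok, detail); ok is True only if clamd answers PING with PONG."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            s.sendall(b"zPING\0")  # null-delimited form of clamd's PING command
            reply = b""
            while not reply.endswith(b"\0"):
                chunk = s.recv(64)
                if not chunk:  # peer closed without finishing the reply
                    break
                reply += chunk
    except FileNotFoundError:
        return False, "socket missing: " + path
    except ConnectionRefusedError:
        return False, "socket exists but nothing is listening"
    except socket.timeout:
        # Typical when a socket unit accepts the connection but the
        # daemon behind it never comes up.
        return False, "no reply within timeout"
    except OSError as exc:
        return False, "socket error: %s" % exc
    answer = reply.rstrip(b"\0\n").decode("ascii", "replace")
    return answer == "PONG", answer or "empty reply"


if __name__ == "__main__":
    ok, detail = clamd_ping()
    print("clamd:", "OK" if ok else "FAILED", "(%s)" % detail)
    sys.exit(0 if ok else 1)
```

Run it as a user that may open the socket; a non-zero exit code means a scanner that hands mail to clamd cannot get an answer there.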




