[Postfixbuch-users] problems with amavisd+clamav+spamassassin (newbie)

Lars Ernst Lars.Ernst at schramlsoft.de
Wed Apr 12 12:14:30 CEST 2006


The system is a SLES9; clamav was first version 0.88 with webclamav 0.6.2 (for webmin) and is now 0.88.1.

Lars Ernst wrote:
> Hello Sandy,
> 
> thanks a lot for the quick reply. I've put my two cents ;) below the comments so the context is preserved.
> Bottom line, the status is unfortunately still unchanged. :(
> What am I still doing wrong here?

You enabled virus scanning in amavisd.conf, but have no virus scanner?

>>Apr 10 16:20:42 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd: sleeping for 1 s
>>Apr 10 16:20:43 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd: Connecting to socket  /var/run/clamav/clamd, retry #1
>>Apr 10 16:20:43 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd: Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory, retrying (2)
>>Apr 10 16:20:43 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd: sleeping for 6 s

What does it (clamd) say when you try to start it?

It was/is running the whole time.

>>Apr 10 16:20:49 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd: Connecting to socket  /var/run/clamav/clamd, retry #2
>>Apr 10 16:20:49 orion amavisd[32596]: (client-XXZIbaob) Clam Antivirus-clamd av-scanner FAILED: Too many retries to talk to /var/run/clamav/clamd (Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory) at (eval 51) line 180.
>>Apr 10 16:20:49 orion amavisd[32596]: (client-XXZIbaob) WARN: all primary virus scanners failed, considering backups
> 
> 
> Fix that!
> 
> All virus scanners commented out. For now.

Then better disable the virus check in amavis.

OK.

> 
> 
>>Apr 10 16:20:49 orion amavisd[32596]: (client-XXZIbaob) Using Clam Antivirus - clamscan: /usr/bin/clamscan --stdout --no-summary -r /var/spool/amavis/amavis-client-XXZIbaob/parts
> 
> 
> The secondary scanner, command-line clam, seems to work.
> 
> Well, it doesn't complain. But it didn't detect an EICAR test file. So virus priority set aside for now.
> 
> 
>>Apr 10 16:20:50 orion amavisd[32596]: (client-XXZIbaob) TROUBLE in check_mail: delivery-notification FAILED: Explicit forwarding, but not all recips done at /usr/sbin/amavisd line 1412, <GEN3> line 76.
> 
> 
> That's where it hangs.
> 
> Yes, and I suspect that's the main problem; in any case all mails get stuck in the queue when I enable amavisd. *ponder* I had a look at the line in the amavisd file (code), but code like that is Greek to me, and apart from finding the line with "Explicit forwarding, but not all recips done..." there, it tells me nothing. :(

> 
> The most important part is missing:
> Postfix logs and the Amavis configuration.
> 
> Postfix log:
> Apr 11 11:14:43 orion postfix/smtpd[4178]: connect from lexp.w-schraml.loc
> Apr 11 11:14:43 orion postfix/smtpd[4178]: 126561E08: client=lexp.w-schraml.loc
> Apr 11 11:14:43 orion postfix/cleanup[4180]: 126561E08: message-id=<002401c65d48$00422080$196ea8c0 at WSCHRAML.LOC>
> Apr 11 11:14:43 orion postfix/qmgr[4014]: 126561E08: from=<Lars.Ernst at schramlsoft.de>, size=921, nrcpt=1 (queue active)
> Apr 11 11:14:43 orion postfix/smtpd[4178]: disconnect from lexp.w-schraml.loc
> Apr 11 11:14:44 orion postfix/pipe[4181]: 126561E08: to=<lars.ernst at schramlsoft.de>, relay=amavisd, delay=1, status=deferred (temporary failure)

So Postfix tries to hand the mail to the content filter, but that fails.


> Amavisd config (since I don't know whether there's something like postconf -n for it, here comes the whole lot):
> # Section I - Essential daemon and MTA settings

That was exactly the grep command that comes below. So I deleted the whole thing...


> 
> 
> Show the output of
> egrep '(fatal|error|panic|warning)' /var/log/mail
> 
> Apr 11 10:08:14 orion postfix/smtpd[3589]: warning: smtpd_peer_init: 61.11.16.89: hostname 61.11.16.89.bb-static.vsnl.net.in verification failed: Name or service not known
> Apr 11 10:16:44 orion postfix/smtpd[3641]: warning: smtpd_peer_init: 201.245.131.90: hostname adsl_plus_245131-90.etb.net.co verification failed: Name or service not known
> Apr 11 10:18:14 orion postfix/smtpd[3649]: warning: smtpd_peer_init: 62.81.151.163: hostname 163-151-81-62.libre.auna.net verification failed: Name or service not known
> Apr 11 10:26:40 orion postfix/smtpd[3649]: warning: smtpd_peer_init: 218.61.33.41: hostname cncln.online.ln.cn verification failed: Name or service not known
> Apr 11 10:29:00 orion postfix/smtpd[3678]: NOQUEUE: reject_warning: RCPT from dslb-084-056-036-218.pools.arcor-ip.net[84.56.36.218]: 450 <hildegard at alam-latin.de>: Sender address rejected: Domain not found; from=<hildegard at alam-latin.de> to=<bernhard.roedel at schramlsoft.de> proto=SMTP helo=<schramlsoft.de>
> Apr 11 10:30:25 orion postfix/smtpd[3677]: warning: smtpd_peer_init: 83.230.176.196: hostname cliente-28870.iberbanda.es verification failed: Name or service not known
> Apr 11 10:32:32 orion postfix/smtpd[3678]: warning: smtpd_peer_init: 81.210.81.162: hostname curie.pfeso.edu.pl verification failed: Name or service not known
> Apr 11 10:33:09 orion postfix/smtpd[3678]: warning: smtpd_peer_init: 84.24.250.62: hostname cp530967-a.tilbu1.nb.home.nl verification failed: Name or service not known
> Apr 11 10:54:41 orion postfix/smtpd[4027]: warning: smtpd_peer_init: 201.14.108.92: hostname 201-14-106-92.gnace701.t.brasiltelecom.net.br verification failed: Name or service not known
> Apr 11 11:08:07 orion postfix/smtpd[4027]: warning: smtpd_peer_init: 202.134.169.253: hostname 202.134.169.253.customer.7starnet.com verification failed: Name or service not known
> Apr 11 11:11:31 orion postfix/smtpd[4148]: warning: smtpd_peer_init: 84.24.250.62: hostname cp530967-a.tilbu1.nb.home.nl verification failed: Name or service not known
> Apr 11 11:11:40 orion postfix/smtpd[4027]: warning: smtpd_peer_init: 201.245.131.90: hostname adsl_plus_245131-90.etb.net.co verification failed: Name or service not known
> Apr 11 11:21:18 orion postfix/smtpd[4325]: warning: smtpd_peer_init: 203.150.96.185: hostname 203-150-96-185.inter.net.th verification failed: Name or service not known
> Apr 11 11:27:12 orion postfix/smtpd[4325]: warning: smtpd_peer_init: 210.211.169.60: hostname 210.211.169.60.bb-static.vsnl.net.in verification failed: Name or service not known
> Apr 11 11:27:55 orion postfix/smtpd[4446]: warning: smtpd_peer_init: 148.235.6.86: hostname customer-148-235-6-86.uninet-ide.com.mx verification failed: Name or service not known
> Apr 11 11:28:46 orion postfix/smtpd[4325]: warning: smtpd_peer_init: 203.131.131.250: hostname adsl-131.131.250.info.com.ph verification failed: Name or service not known
> Apr 11 11:28:53 orion postfix/smtpd[4446]: warning: smtpd_peer_init: 220.134.78.16: address not listed for hostname 220-134-79-16.HINET-IP.hinet.net
> Apr 11 11:29:10 orion postfix/smtpd[4446]: warning: smtpd_peer_init: 61.63.99.6: hostname 61-63-99-6.nty.dynamic.lsc.net.tw verification failed: Name or service not known
> Apr 11 11:31:31 orion postfix/smtpd[4325]: warning: smtpd_peer_init: 201.37.64.159: hostname C925409F.poa.virtua.com.br verification failed: Name or service not known
> Apr 11 11:32:33 orion postfix/smtpd[4325]: warning: smtpd_peer_init: 84.119.109.16: hostname fr-ssy-C3-04-084119109016.chello.fr verification failed: Name or service not known
> Apr 11 11:38:06 orion postfix/smtpd[4325]: warning: smtpd_peer_init: 222.124.144.227: hostname 227.subnet144.astinet.telkom.net.id verification failed: Name or service not known
> Apr 11 11:45:22 orion postfix/smtpd[4525]: warning: smtpd_peer_init: 203.199.185.200: hostname illhyd-203.199.185.200.static.vsnl.net.in verification failed: Name or service not known
> Apr 11 11:54:41 orion postfix/smtpd[4553]: warning: smtpd_peer_init: 201.144.137.222: hostname dsl-201-144-137-222.prod-infinitum.com.mx verification failed: Name or service not known
> Apr 11 11:54:57 orion postfix/smtpd[4525]: warning: smtpd_peer_init: 24.106.201.145: hostname rrcs-24-106-201-145.se.biz.rr.com verification failed: Name or service not known
> Apr 11 11:57:44 orion postfix/smtpd[4553]: warning: smtpd_peer_init: 200.47.5.76: hostname line76.equal.net.ar verification failed: Name or service not known
> 

Those are all just harmless warnings. They only seem to occur during normal operation, though, not after a restart of Postfix.

> 
> and
> egrep -v '^#|^$|^[ ]+#' /etc/amavisd.conf
> use strict;
> $MYHOME = '/var/spool/amavis';
> $mydomain = 'w-schraml.loc';
> $daemon_user = 'vscan';
> $daemon_group = 'vscan';
> $TEMPBASE = $MYHOME;            # (must be set if other config vars use is)
> $ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory
> $forward_method = 'lmtp:127.0.0.1:10025';  # where to forward checked mail

Why lmtp?

I consider lmtp more versatile and flexible -> changed to smtp.


> $notify_method = $forward_method;          # where to submit notifications
> $max_servers  =  2;   # number of pre-forked children          (default 2)
> $max_requests = 10;   # retire a child after that many accepts (default 10)
> $child_timeout=5*60;  # abort child if it does not complete each task in n sec
> @local_domains_acl = ( ".$mydomain" );  # $mydomain and its subdomains
>                                   # (does not apply to sendmail/milter)
>                                   # (default is true)
> $unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
> $inet_socket_port = 10024;        # accept SMTP on this local TCP port

Okay, then change the handover from Postfix to Amavis to smtp! That's where it hangs.

In master.cf the following line:
smtp      inet  n       -       n       -       20       smtpd
	-o content_filter=smtp:127.0.0.1:10024

OK, master.cf:
amavisd     unix  n       -       n       -       2       smtpd
  -o smtp_data_done_timeout=1200s
  -o disable_dns_lookups=yes
  -o smtp_send_xforward_command=yes

Better turn off the content_filter option in main.cf for that. Then do a "postfix reload" and send a test mail. If that works, the transport can be defined a bit more cleanly.

The test mail worked. After arming the content_filter in main.cf, unfortunately all mails went only into the queue again and stayed there until I commented out the content_filter in main.cf again.
At least the TROUBLE message is gone. I suspect the way back from amavisd to Postfix doesn't work. Am I wrong?

amavisd debug:
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) prolong_timer after virus_scan: remaining time = 300 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) white_black_list: checking sender <Inge.Puchta at schramlsoft.de>
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_acl: key="Inge.Puchta at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_RE: key="Inge.Puchta at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key="inge.puchta at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key="inge.puchta@", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key="schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key=".schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key=".de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_hash: key=".", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_acl: key="Inge.Puchta at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_acl: key="le at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) calling SA parse, SA version 2.64
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) CALLING SA check
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) RETURNED FROM NoMailAudit::check, time left: 30 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) prolong_timer after spam_scan_SA: remaining time = 300 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) spam_scan: hits=0 tests=
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) prolong_timer after spam_scan: remaining time = 300 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup: (scalar) matches, result="5"
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) header: Received: from unknown by localhost (amavisd-new, unix socket)\n id client-XX86WuZQ for <le at schramlsoft.de>;\n Wed, 12 Apr 2006 10:26:54 +0200 (CEST)\n
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) header: X-Virus-Scanned: by amavisd-new at w-schraml.loc\n
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_acl: key="le at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup_acl: key="le at schramlsoft.de", no match
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup: (scalar) matches, result="3"
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) lookup: (scalar) matches, result="5"
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) headers CLUSTERING: NEW CLUSTER <le at schramlsoft.de>: hits=0.0, tag=0, tag2=0, subj=0, subj_u=0, local=0, bl=0
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) headers CLUSTERING: done all 1 recips in one go
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) FWD via SMTP: [127.0.0.1]:10025 <Inge.Puchta at schramlsoft.de> -> <le at schramlsoft.de>
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) prolong_timer after fwd-connect: remaining time = 300 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) mail_via_smtp: session failed: Can't connect to 127.0.0.1 port 10025, Connection refused at /usr/sbin/amavisd line 2872, <GEN64> line 146.
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) mail_via_smtp: 450 4.4.1 Can't connect to 127.0.0.1 port 10025, Connection refused at /usr/sbin/amavisd line 2872, <GEN64> line 146., id=client-XX86WuZQ
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) mail_via_smtp: DATA skipped, 0, 0, 0
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) prolong_timer after forwarding: remaining time = 300 s
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) one_response_for_all <Inge.Puchta at schramlsoft.de>: 4xx found, '450 4.4.1 Can't connect to 127.0.0.1 port 10025, Connection refused at /usr/sbin/amavisd line 2872, <GEN64> line 146., id=client-XX86WuZQ'
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) warnsender_with_pass=(,,,), dsn_needed=, exit=75, 450 4.4.1 Can't connect to 127.0.0.1 port 10025, Connection refused at /usr/sbin/amavisd line 2872, <GEN64> line 146., id=client-XX86WuZQ
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) Not-Delivered, <Inge.Puchta at schramlsoft.de> -> <le at schramlsoft.de>, Message-ID: <001001c65e09$ecf120e0$166ea8c0 at WSCHRAML.LOC>, Hits: 0
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) tempdir being removed: /var/spool/amavis/amavis-client-XX86WuZQ
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) rmdir_recursively: /var/spool/amavis/amavis-client-XX86WuZQ, excl=
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) rmdir_recursively: /var/spool/amavis/amavis-client-XX86WuZQ/parts, excl=0
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) mail checking ended: exit_code=75 (450 4.4.1 Can't connect to 127.0.0.1 port 10025, Connection refused at /usr/sbin/amavisd line 2872, <GEN64> line 146., id=client-XX86WuZQ)
Apr 12 10:27:01 orion amavisd[9728]: (client-XX86WuZQ) TIMING [total 7090 ms] - got data: 1 (0%), body hash: 1 (0%), mkdir parts: 1 (0%), mime_decode: 8 (0%), get-file-type: 12 (0%), decompose_part: 2 (0%), parts: 0 (0%), AV-scan-1: 7006 (99%), AV-scan-2: 0 (0%), SA msg read: 2 (0%), SA parse: 1 (0%), SA check: 48 (1%), fwd-rundown: 5 (0%), unlink-1-files: 3 (0%), rmdir: 0 (0%), unlink-1-files: 0 (0%), rmdir: 0 (0%), rundown: 0 (0%)

So spam is apparently detected and put into quarantine(?), only the connect to itself on port 10025 doesn't work, but why?


> @inet_acl = qw( 127.0.0.1 );      # allow SMTP access only from localhost IP
> $DO_SYSLOG = 1;                   # (defaults to false)
> $LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)
> $log_level = 2;           # (defaults to 0)
> $log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
> <%o> -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
> $final_virus_destiny      = D_BOUNCE;  # (defaults to D_BOUNCE)
> $final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)
> $final_spam_destiny = D_PASS;
> $final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested
> $viruses_that_fake_sender_re = new_RE(
>   qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
>   qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
>   qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
>   qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
>   qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan
>   qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc
>   [qr'^(EICAR|Joke\.|Junk\.)'i         => 0],
>   [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i  => 0],
>   [qr/.*/ => 1],  # true by default  (remove or comment-out if undesired)
> );
> $virus_admin = "virusalert\@$mydomain";

Is that a valid address?

virusalert is a mail alias to root.

Many thanks.
Lars Ernst

Sandy
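The amavisd debug log in this message shows exactly where the round trip breaks: amavisd forwards the checked mail to 127.0.0.1:10025 and gets "Connection refused", because the posted master.cf defines a transport named amavisd but no smtpd listening on that port. The following checker is an added example and not code from the thread or from the amavisd-new or Postfix projects. It parses a main.cf/master.cf pair, both constructed inline (one modelled on the configuration posted above, one corrected along the lines of the master.cf layout recommended in amavisd-new's README.postfix), and reports whether the outbound hop (content_filter transport using the smtp client) and the return hop (a localhost-only smtpd on 127.0.0.1:10025 that sets an empty content_filter so mail is not filtered twice) are both present. The parser is deliberately simplified and does not handle every master.cf feature.

```python
"""Check that the Postfix <-> amavisd-new content-filter round trip is wired up.

Added example, not code from the mailing-list thread. The master.cf/main.cf
texts below are constructed for illustration.
"""
import re

# Constructed master.cf modelled on the one posted in the thread: a transport
# called "amavisd" exists, but nothing listens on 127.0.0.1:10025, which is
# where amavisd's $forward_method re-injects checked mail.
MASTER_CF_BROKEN = """\
smtp      inet  n       -       n       -       20      smtpd
smtp      unix  -       -       n       -       -       smtp
amavisd   unix  n       -       n       -       2       smtpd
  -o smtp_data_done_timeout=1200s
  -o disable_dns_lookups=yes
  -o smtp_send_xforward_command=yes
"""
MAIN_CF_BROKEN = "content_filter = smtp:127.0.0.1:10024\n"

# Constructed corrected pair: an smtp client transport towards amavisd, and a
# localhost-only smtpd on 10025 that must NOT run the content filter again.
MASTER_CF_FIXED = """\
smtp      inet  n       -       n       -       20      smtpd
smtp      unix  -       -       n       -       -       smtp
smtp-amavis unix -      -       n       -       2       smtp
  -o smtp_data_done_timeout=1200s
  -o disable_dns_lookups=yes
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
"""
MAIN_CF_FIXED = "content_filter = smtp-amavis:[127.0.0.1]:10024\n"


def parse_master_cf(text):
    """Return a list of services: {name, type, command, options}.

    A service line has 8 whitespace-separated fields; indented lines that
    follow it are '-o key=value' overrides belonging to that service.
    """
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation line with an -o override
            if not services:
                raise ValueError("continuation line before any service")
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if m:
                services[-1]["options"][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf line: {raw!r}")
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "options": {}})
    return services


def parse_content_filter(main_cf):
    """Return (transport, nexthop) from main.cf's content_filter, or None."""
    m = re.search(r"^\s*content_filter\s*=\s*(\S+)", main_cf, re.M)
    if not m:
        return None
    transport, _, nexthop = m.group(1).partition(":")
    return transport, nexthop


def check_amavis_loop(main_cf, master_cf, reinject="127.0.0.1:10025"):
    """Return a list of findings; an empty list means both hops look complete."""
    findings = []
    by_key = {(s["name"], s["type"]): s for s in parse_master_cf(master_cf)}
    cf = parse_content_filter(main_cf)
    if cf is None:
        return ["main.cf: content_filter is not set, nothing goes through amavisd"]
    transport, _nexthop = cf
    out = by_key.get((transport, "unix"))
    if out is None:
        findings.append(f"master.cf: transport {transport!r} named in content_filter has no unix service")
    elif out["command"] != "smtp":
        findings.append(f"master.cf: {transport!r} runs {out['command']!r}, expected the smtp client")
    # Return hop: amavisd connects back to Postfix on the re-injection port.
    back = by_key.get((reinject, "inet"))
    if back is None or back["command"] != "smtpd":
        findings.append(f"master.cf: no smtpd listening on {reinject}; amavisd gets 'Connection refused'")
        return findings
    opts = back["options"]
    if opts.get("content_filter") != "":
        findings.append(f"{reinject}: needs '-o content_filter=' or mail loops back through amavisd")
    if (opts.get("mynetworks") != "127.0.0.0/8"
            or opts.get("smtpd_recipient_restrictions") != "permit_mynetworks,reject"):
        findings.append(f"{reinject}: should accept mail from localhost only")
    return findings


if __name__ == "__main__":
    for label, main_cf, master_cf in (("posted", MAIN_CF_BROKEN, MASTER_CF_BROKEN),
                                      ("fixed", MAIN_CF_FIXED, MASTER_CF_FIXED)):
        print(label, check_amavis_loop(main_cf, master_cf) or ["ok"])
```

Run against the configuration modelled on the thread, the checker reports only the missing 10025 listener, which matches the "Can't connect to 127.0.0.1 port 10025" lines in the debug log; against the corrected pair it reports nothing. The empty `content_filter=` on the re-injection listener is the detail most often forgotten: without it, Postfix hands the already-checked mail to amavisd again and the message circles between the two daemons.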

-- 
_______________________________________________
Postfixbuch-users mailing list
Heinlein Professional Linux Support GmbH

Postfixbuch-users at listi.jpberlin.de
http://listi.jpberlin.de/mailman/listinfo/postfixbuch-users


More information about the Postfixbuch-users mailing list