Clamd and problems with some TNEF attachments.

Jim Barber jim.barber at ddihealth.com
Wed Mar 12 06:48:26 GMT 2008


Hi all.

For a long time now I've been using the MailScanner packages as distributed by Debian.
Recently the maintainer updated the package to use version 4.66.5 of MailScanner (it was previously at 4.58.9).
This means that I can now take advantage of the ClamAV daemon to do virus scanning instead of invoking clamav for each batch of messages.

But I am encountering a strange error that occurs for some, but not all, TNEF attachments.

Here is an example of the messages that occur in syslog when processing an email with this problem.
Note that I've changed the email address in the second line of output:

	Mar 12 13:20:35 mail MailScanner[27855]: Spam Checks: Starting
	Mar 12 13:20:35 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ from 10.128.3.10 (user at ddihealth.com) is whitelisted
	Mar 12 13:20:35 mail MailScanner[27855]: Spam Checks completed at 83746 bytes per second
	Mar 12 13:20:36 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZIS6-00043a-FQ/winmail.dat
	Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ added TNEF contents image001.jpg,image002.jpg
	Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ has had TNEF winmail.dat removed
	Mar 12 13:20:42 mail MailScanner[27855]: Virus and Content Scanning: Starting
	Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/mha1BpYaNZ
	Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/RRZFcL3LVX
	Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Clamd found 2 infections
	Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Found 2 viruses
	Mar 12 13:20:44 mail MailScanner[27855]: Virus Scanning completed at 7944 bytes per second
	Mar 12 13:20:44 mail MailScanner[27855]: Uninfected: Delivered 2 messages
	Mar 12 13:20:44 mail MailScanner[27855]: Virus Processing completed at 195783 bytes per second
	Mar 12 13:20:44 mail MailScanner[27855]: Batch completed at 6458 bytes per second (63292 / 9)

Note that the problem only seems to happen to TNEF attachments where the following log entry occurs:

	MailScanner[$PID]: Message $MSG_ID added TNEF contents $FILES
e.g.
	MailScanner[$PID]: Expanding TNEF archive at /var/spool/MailScanner/incoming/$PID/$MSG_ID/winmail.dat
	MailScanner[$PID]: Message $MSG_ID added TNEF contents $FILES
	MailScanner[$PID]: Message $MSG_ID has had TNEF winmail.dat removed

However, if I only get the following messages then the virus scan will be fine:

	MailScanner[$PID]: Expanding TNEF archive at /var/spool/MailScanner/incoming/$PID/$MSG_ID/winmail.dat
	MailScanner[$PID]: Message $MSG_ID has had TNEF winmail.dat removed

I have the following TNEF settings in my MailScanner.conf file:

	Expand TNEF = yes
	Use TNEF Contents = replace
	Deliver Unparsable TNEF = no
	TNEF Expander  = internal
	TNEF Timeout = 120

I changed the "TNEF Expander" to be "internal" a long time ago.
I found that having it set to "/usr/bin/tnef --maxsize=100000000" choked on some messages that the internal one was able to handle.

The ClamAV daemon is successfully scanning all other emails okay.
I've only ever seen the problem associated with certain TNEF attachments.

I've left all clamd settings in the MailScanner.conf at their default settings.
The clamd virus scanner is found when MailScanner starts as shown in the following log message:

	Mar 12 11:51:54 mail MailScanner[27855]: I have found clamd scanners installed, and will use them all by default.

My MailScanner incoming file system is using tmpfs and is shown as follows in 'df' output:

	tmpfs                   258528       704    257824   1% /var/spool/MailScanner/incoming

Any ideas what is going wrong?

Thanks.

----------
Jim Barber
DDI Health
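
An added example, not part of the original post and not MailScanner code: a Python script that correlates the log patterns quoted above per message ID, listing messages where TNEF contents were added and clamd then failed to open files. The regexes assume the exact syslog wording shown in the post; the second message ID in the sample is constructed.

```python
import re
from collections import defaultdict

# Sample input: the first five lines are quoted from the post; the last two
# are constructed (hypothetical message ID) to show the case that scans fine.
SAMPLE_LOG = """\
Mar 12 13:20:36 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZIS6-00043a-FQ/winmail.dat
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ added TNEF contents image001.jpg,image002.jpg
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ has had TNEF winmail.dat removed
Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/mha1BpYaNZ
Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/RRZFcL3LVX
Mar 12 13:25:01 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZIT9-00044b-AB/winmail.dat
Mar 12 13:25:02 mail MailScanner[27855]: Message 1JZIT9-00044b-AB has had TNEF winmail.dat removed
"""

# Patterns assume the message wording shown in the post's syslog excerpt.
EXPAND = re.compile(r"Expanding TNEF archive at \S+/([^/\s]+)/winmail\.dat")
ADDED = re.compile(r"Message (\S+) added TNEF contents (.+)$")
CLAMD_ERR = re.compile(
    r"Clamd::ERROR:: Unable to open file or directory ERROR :: \./([^/\s]+)/(\S+)")


def correlate(lines):
    """Group TNEF and clamd events by MailScanner message ID."""
    msgs = defaultdict(lambda: {"expanded": False, "added": [], "unscanned": []})
    for line in lines:
        if m := EXPAND.search(line):
            msgs[m.group(1)]["expanded"] = True
        elif m := ADDED.search(line):
            msgs[m.group(1)]["added"] = m.group(2).strip().split(",")
        elif m := CLAMD_ERR.search(line):
            # The first path component after "./" is the message ID.
            msgs[m.group(1)]["unscanned"].append(m.group(2))
    return dict(msgs)


def suspect_messages(lines):
    """IDs where TNEF contents were added AND clamd could not open files."""
    return sorted(mid for mid, s in correlate(lines).items()
                  if s["added"] and s["unscanned"])


if __name__ == "__main__":
    events = correlate(SAMPLE_LOG.splitlines())
    for mid in suspect_messages(SAMPLE_LOG.splitlines()):
        print(mid, "added:", events[mid]["added"],
              "not opened by clamd:", events[mid]["unscanned"])
```

Feeding it the real syslog file instead of `SAMPLE_LOG` shows whether every clamd open failure lines up with an "added TNEF contents" entry.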

