Clamd and problems with some TNEF attachments.

Julian Field MailScanner at ecs.soton.ac.uk
Wed Mar 12 19:22:11 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

And he hasn't responded to my question about what MTA he's using and 
what his "Run As" settings are. I suspect it's just a permissions problem.

Scott Silva wrote:
> on 3-11-2008 11:48 PM Jim Barber spake the following:
>> Hi all.
>>
>> For a long time now I've been using the MailScanner packages as 
>> distributed by Debian.
>> Recently the maintainer updated the package to use version 4.66.5 of 
>> MailScanner (it was previously at 4.58.9).
>> This means that I can now take advantage of the ClamAV daemon to do 
>> virus scanning instead of invoking clamav for each batch of messages.
>>
>> But I am encountering a strange error that occurs for some, but not 
>> all TNEF attachments.
>>
>> Here is an example of the messages that occur in syslog when 
>> processing an email with this problem.
>> Note that I've changed the email address in the second line of output:
>>
>>     Mar 12 13:20:35 mail MailScanner[27855]: Spam Checks: Starting
>>     Mar 12 13:20:35 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ from 10.128.3.10 (user at ddihealth.com) is whitelisted
>>     Mar 12 13:20:35 mail MailScanner[27855]: Spam Checks completed at 83746 bytes per second
>>     Mar 12 13:20:36 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZIS6-00043a-FQ/winmail.dat
>>     Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ added TNEF contents image001.jpg,image002.jpg
>>     Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ has had TNEF winmail.dat removed
>>     Mar 12 13:20:42 mail MailScanner[27855]: Virus and Content Scanning: Starting
>>     Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/mha1BpYaNZ
>>     Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/RRZFcL3LVX
>>     Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Clamd found 2 infections
>>     Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Found 2 viruses
>>     Mar 12 13:20:44 mail MailScanner[27855]: Virus Scanning completed at 7944 bytes per second
>>     Mar 12 13:20:44 mail MailScanner[27855]: Uninfected: Delivered 2 messages
>>     Mar 12 13:20:44 mail MailScanner[27855]: Virus Processing completed at 195783 bytes per second
>>     Mar 12 13:20:44 mail MailScanner[27855]: Batch completed at 6458 bytes per second (63292 / 9)
>>
>> Note that the problem only seems to happen to TNEF attachments where 
>> the following log entry occurs:
>>
>>     MailScanner[$PID]: Message $MSG_ID added TNEF contents $FILES
>> e.g.
>>     MailScanner[$PID]: Expanding TNEF archive at /var/spool/MailScanner/incoming/$PID/$MSG_ID/winmail.dat
>>     MailScanner[$PID]: Message $MSG_ID added TNEF contents $FILES
>>     MailScanner[$PID]: Message $MSG_ID has had TNEF winmail.dat removed
>>
>> However, if I only get the following messages then the virus scan will 
>> be fine:
>>
>>     MailScanner[$PID]: Expanding TNEF archive at /var/spool/MailScanner/incoming/$PID/$MSG_ID/winmail.dat
>>     MailScanner[$PID]: Message $MSG_ID has had TNEF winmail.dat removed
>>
>> I have the following TNEF settings in my MailScanner.conf file:
>>
>>     Expand TNEF = yes
>>     Use TNEF Contents = replace
>>     Deliver Unparsable TNEF = no
>>     TNEF Expander  = internal
>>     TNEF Timeout = 120
>>
>> I changed the "TNEF Expander" to be "internal" a long time ago.
>> I found that having it set to "/usr/bin/tnef --maxsize=100000000" 
>> choked on some messages that the internal one was able to handle.
>>
>> The ClamAV daemon is successfully scanning all other emails okay.
>> I've only ever seen the problem associated with certain TNEF 
>> attachments.
>>
>> I've left all clamd settings in the MailScanner.conf at their default 
>> settings.
>> The clamd virus scanner is found when MailScanner starts as shown in 
>> the following log message:
>>
>>     Mar 12 11:51:54 mail MailScanner[27855]: I have found clamd scanners installed, and will use them all by default.
>>
>> My MailScanner incoming file system is using tmpfs and is shown as 
>> follows in 'df' output:
>>
>>     tmpfs                   258528       704    257824   1% /var/spool/MailScanner/incoming
>>
>> Any ideas what is going wrong?
>>
>> Thanks.
> Hijacking threads has caused bad karma on your mailserver. Repent, say 
> 10 hail Julian's,  and hijack no more!
>
>
>

Jules

- -- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.1 (Build 2523)
Comment: Use Thunderbird Enigmail to verify this message
Charset: UTF-8

wj8DBQFH2C1pEfZZRxQVtlQRAouqAKCwYzfLbu+o85ItSQbvcZZR7yQUSQCgncAA
a8GG/klJIu16WtxroRclBb8=
=rggL
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
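
Added example (not part of the original thread, and not MailScanner code): a Python script that groups the syslog lines quoted above by message ID, to check across a whole log whether Clamd open errors occur only on messages that logged "added TNEF contents" and whether the reported "infections" are in fact those errors. The log format is taken from the post; the second message ID (1JZIT9-00044b-AB) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the post with mail wrapping undone, plus one
# constructed message (1JZIT9-00044b-AB) whose TNEF expansion added no files.
SAMPLE_LOG = """\
Mar 12 13:20:36 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZIS6-00043a-FQ/winmail.dat
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ added TNEF contents image001.jpg,image002.jpg
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ has had TNEF winmail.dat removed
Mar 12 13:20:42 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZIT9-00044b-AB/winmail.dat
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIT9-00044b-AB has had TNEF winmail.dat removed
Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/mha1BpYaNZ
Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/RRZFcL3LVX
Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Clamd found 2 infections
"""

EXPAND = re.compile(r"Expanding TNEF archive at \S+/([^/\s]+)/winmail\.dat")
ADDED = re.compile(r"Message (\S+) added TNEF contents (\S+)")
CLAMD_ERR = re.compile(r"Clamd::ERROR:: .* ERROR :: \./([^/\s]+)/(\S+)")
FOUND = re.compile(r"Clamd found (\d+) infections")

def correlate(log_text):
    """Group TNEF and Clamd events by message ID; sum reported infections."""
    msgs = defaultdict(lambda: {"expanded": False, "added": [], "errors": []})
    reported = 0
    for raw in log_text.splitlines():
        if (e := EXPAND.search(raw)):
            msgs[e.group(1)]["expanded"] = True
        elif (a := ADDED.search(raw)):
            msgs[a.group(1)]["added"] = a.group(2).split(",")
        elif (c := CLAMD_ERR.search(raw)):
            msgs[c.group(1)]["errors"].append(c.group(2))
        elif (f := FOUND.search(raw)):
            reported += int(f.group(1))
    return dict(msgs), reported

def scan_failures(log_text):
    """Summarise which messages failed to scan and whether 'infections' are errors."""
    msgs, reported = correlate(log_text)
    errors = sum(len(v["errors"]) for v in msgs.values())
    return {"failed": sorted(k for k, v in msgs.items() if v["errors"]),
            "tnef_added": sorted(k for k, v in msgs.items() if v["added"]),
            "errors": errors, "reported": reported,
            "all_reported_are_errors": errors > 0 and errors == reported}

if __name__ == "__main__":
    print(scan_failures(SAMPLE_LOG))
```

When "failed" and "tnef_added" list the same message IDs and "all_reported_are_errors" is true, the log matches the pattern described in the post: the files Clamd could not open belong to TNEF-expanded messages, and the infection count reflects scan failures rather than detections.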


