virus scan not available -> no virus check!

Frank Cusack fcusack at fcusack.com
Fri Nov 27 17:44:55 GMT 2009


On November 23, 2009 10:23:41 PM -0500 Rick Cooper <rcooper at dwford.com> 
wrote:
> ----Original Message----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Frank
> Cusack Sent: Monday, November 23, 2009 8:56 PM To:
> mailscanner at lists.mailscanner.info Subject: virus scan not available -> no
> virus check!
>
>> I can't believe this is the default behavior.  Also, I can't find a
>> way to change it.
>>
>>> Nov 23 18:09:05 localhost MailScanner[26984]: Virus and Content
>>> Scanning: Starting Nov 23 18:09:05 localhost MailScanner[26997]: Cannot
>>> find Socket (/tmp/clamd.socket) Exiting!
>>
>> and then mailscanner goes on to bless the email as "clean".  Note that
>> I do not have virus scanning set to "auto", I have it explicitly set
>> to "clamd".
>>
>> My preferred behavior would be to send an email to postmaster (or
>> whoever) at some regular interval if the virus scanner is not available.
>> Anyway to get some semblance of that configured?
>>
>> -frank
>
> As with any Daemon including MailScanner it's self you should have some
> kind of monitoring installed that restarts and notifies you that is not
> MailScanner's job.

Of course.  I run Solaris 10 and using the built-in svcadm facility
this all works automatically.

> Should it send an email for each issue with all
> externals and internals to the postmaster?

No.  As I suggested, it "should" send an email to postmaster at some
regular interval.  Like swatch but built-in.

> It did the best thing I could
> think of, it issues an error to the log and moves on.

That is my point.  The best thing it could think of is not very good.
It is simply not checking viruses when this happens.

> I guess it could shut MailScanner down I suppose.

I don't know about shut down -- but at least mails should not be
marked clean.  At the *very least*, the signature it puts on the bottom
should say "this message was not checked for viruses" rather than
saying it is clean.  That doesn't help me since I do not put a signature
on clean messages, so I'm just noting it for completeness.

> It would appear to be a configuration
> error since clam doesn't remove it's socket if it crashes and MailScanner
> --lint would have caught it. Monit, Webmin, PingClamd.pl in a cron job,
> some kind of monitoring should be in place for both ClamD and MailScanner
> it's self, and what ever mta you are using...

Yup, as I said I do have the built-in OS facilities doing the monitoring.
And through dependencies, it is capable of disabling MailScanner if clamd
is not running.  But that doesn't put MailScanner in the clear.

My point is that in a software of this type, ie security software, there
can't be vague external requirements like "your monitoring system must
stop the flow of mail".  MailScanner itself is in a position to know if
the configured virus check actually occurred and should not be passing
unchecked mail on, and at the very least should not be claiming that it
was checked.

Judging from the responses, it seems this is simply how MailScanner works
today.  I am surprised that more folks here haven't jumped in to agree
with me that this failure mode is not a good one.

I strongly suggest that this be changed for future versions.

-frank


More information about the MailScanner mailing list