weird mailscanner clamd error

Randal, Phil prandal at HEREFORDSHIRE.GOV.UK
Thu Jan 6 10:24:11 GMT 2011


The only workaround I've found is to run clamd as root.

I've seen the same issue with MailScanner / sendmail on CentOS.

Cheers,

Phil
--
Phil Randal | Infrastructure Engineer
NHS Herefordshire & Herefordshire Council  | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Curu Wong
Sent: 06 January 2011 08:40
To: MailScanner discussion
Subject: Re: weird mailscanner clamd error

My system also has this problem. When a zip archive is scanned, I will always get clamd error like:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Jan  5 16:47:34 spamsnake MailScanner[3887]: Clamd::ERROR:: Access denied. ERROR :: ./BAD697FE65.AD0DB/zbeyond3g.jpg
Jan  5 16:47:34 spamsnake MailScanner[3887]: Clamd::ERROR:: Access denied. ERROR :: ./BAD697FE65.AD0DB/zchi_button-02.jpg
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

all other attachent type, like rar, works fine.

the files in ms incoming queue get removed after it finished processing,  and I use this command to monitor file permissions under the incoming queue:

while true; do ls -lR /var/spool/MailScanner/incoming/ >> file_list.txt; sleep 1;done

Send an email with rar attachment:
=======================================================
-rw-r----- 1 postfix www-data       4 2011-01-06 16:13 nmsg-24184-11.txt
-rw-r----- 1 postfix www-data 1536750 2011-01-06 16:13 nPI2.3.2.rar
-rw-r----- 1 postfix www-data  150576 2011-01-06 16:13 rPI2.3.2.pdf
-rw-r----- 1 postfix www-data 2141878 2011-01-06 16:13 rPoisonIvy2.3.2.exe
=======================================================

Send an email with zip attachment
=================================================
-rw-r----- 1 postfix www-data       4 2011-01-06 15:57 nmsg-24198-1.txt
-rw-r----- 1 postfix www-data 1665916 2011-01-06 15:57 ntest.zip
-rw------- 1 postfix www-data     238 2010-10-15 18:58 zall-wcprops
-rw------- 1 postfix www-data   23100 2010-10-15 18:58 zbeyond3g.jpg
-rw------- 1 postfix www-data   26180 2010-10-15 18:58 zchi_button-02.jpg
-rw------- 1 postfix www-data    2472 2010-10-15 23:33 zchi_button-reset.jpg
-rw------- 1 postfix www-data    2478 2010-10-15 23:33 zchi_button-submit.jpg
-rw------- 1 postfix www-data    6042 2010-10-18 15:34 zchi_edm.html
-rw------- 1 postfix www-data    4345 2010-10-18 15:35 zchi_web.html
========================================================

And I have this settings in MailScanner.conf:

Incoming Work Permissions = 0640

We can see that the test.zip file has the correct permissions, but its extracted files have wrong permission.
In fact, even if I change Incoming Work Permissions to 0777, the file permissions is still  rw------, so weird.

Can anyone point out the problem?

I think there maybe something wrong with the perl Archive::Zip module or MS itself.
2011/1/5 Naz Snidanko <nsnidanko at harperpowerproducts.com<mailto:nsnidanko at harperpowerproducts.com>>
MailScanner --lint was generating "found 2 viruses" instead of a proper
"found 1 virus". So I got fed up, scrapped clamd and went with clamav.
Clamav works as it should: --lint generates "found 1 virus" and no more
errors with .ZIP archives. This is a small site and speed should not be
a factor.

Tons of thanks,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
 nsnidanko at harperpowerproducts.com<mailto:nsnidanko at harperpowerproducts.com>
-----Original Message-----
Date: Tue, 4 Jan 2011 14:45:51 -0500
From: "Rick Cooper" <rcooper at dwford.com<mailto:rcooper at dwford.com>>
Subject: RE: weird mailscanner clamd error
To: "'MailScanner discussion'" <mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>>
Message-ID: <3AD1272E15D14A43BD27F7E3F3C17BD1 at SAHOMELT>
Content-Type: text/plain; charset="us-ascii"

Have you attempted to manually scan an example file with clamscan or
clamdscan? (preferably as the same user as would mailscanner).  Have you
tried sending with MailScanner running in debug mode? The error you are
seeing is coming from clamd,

 _____

From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info>
[mailto:mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info>] On Behalf Of Naz
Snidanko
Sent: Tuesday, January 04, 2011 10:07 AM
To: mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
Subject: Re: weird mailscanner clamd error



Glenn,



/tmp and incoming directories both have chmod 777. Also from my guess if
it
had something to do with permissions it would generate this error for
all
files, not just ZIP archives created by Winrar and Winzip programs. I
also
completely removed apparmor (even though it originally had rw
permissions
for clamd on incoming directory).



Is there a module within MailScanner that does .zip file extracting
before
it goes for a clamd scan?

Any help is much appreciated.

Thank you,

Naz Snidanko

Desktop & Network Support

Harper Power Products Inc.

(p) 416 201- 7506
 <mailto:nsnidanko at harperpowerproducts.com<mailto:nsnidanko at harperpowerproducts.com>>
nsnidanko at harperpowerproducts.com<mailto:nsnidanko at harperpowerproducts.com>

------------------------------



Message: 4

Date: Tue, 4 Jan 2011 11:40:03 +0100

From: Glenn Steen <glenn.steen at gmail.com<mailto:glenn.steen at gmail.com>>

Subject: Re: weird mailscanner clamd error

To: MailScanner discussion <mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>>

Message-ID:

     <AANLkTikQ0EraC0imktQRZ-L-q2sqwqOE+503D-uSTMug at mail.gmail.com<mailto:AANLkTikQ0EraC0imktQRZ-L-q2sqwqOE%2B503D-uSTMug at mail.gmail.com>>

Content-Type: text/plain; charset=windows-1252



On 3 January 2011 21:34, Naz Snidanko
<nsnidanko at harperpowerproducts.com<mailto:nsnidanko at harperpowerproducts.com>>
wrote:

> I have weird stuff happening. When we put any file into ZIP archive
created

> from Winzip or Winrar I get the following log in mail.log:

>

>

>

> Jan  3 15:14:43 ares MailScanner[5103]: Virus and Content Scanning:
Starting

>

> Jan  3 15:14:43 ares MailScanner[5103]: Clamd::ERROR:: Access denied.
ERROR

> :: ./66522203B7.AD6EB/zRicohdeviceUsersetup.doc

>

> Jan  3 15:14:43 ares MailScanner[5103]: Virus Scanning: Clamd found 1

> infections

>

> Jan  3 15:14:43 ares MailScanner[5103]: Virus Scanning: Found 1
viruses

>

> Jan  3 15:14:43 ares MailScanner[5103]: Spam Checks: Starting

>

>

>

> File delivered after passing mailscanner to final destination.

>

>

>

> When I put the same file into ZIP archive using built-in Windows XP
engine

> it works flawlessly and no error log is generated. No error is
generated

> when same file is put within .rar archive either.

>

>

>

> I've tried different files anything from jpeg to pdf and end up with
error

> described above.

>

>

>

> Can someone point me in the right direct how to troubleshoot this
within

> mailscanner.

>

>

>

> System:

>

>

>

> Clamd 0.96.5

>

> Ubuntu Server 10.04

>

> MailScanner 4.82.3

>

> Perl 5.10.1

>

>

Check that both postfix and clamav (or whatever the users/groups are

called) have relevant perms... Run As User/Group and 0660 perms in

MailScanner.conf, correct perms on your incoming directory (perhaps

/var/spool/MailScanner/incoming), Also check your clamd settings, of

course.

Perhaps the most crucial bit though... is to make sure that you have

sane permissions on /tmp, and that they can create files/directories

there as needed.



Cheers

--

-- Glenn

email: glenn < dot > steen < at > gmail < dot > com

work: glenn < dot > steen < at > ap1 < dot > se




--
This message has been scanned for viruses and
dangerous content by  <http://www.mailscanner.info/> MailScanner, and is

believed to be clean.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110104
/c3d769b6/attachment-0001.html<http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110104%0A/c3d769b6/attachment-0001.html>

------------------------------


--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.
You should be aware that Herefordshire Council monitors its email service.
This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110106/d09cbf2b/attachment.html


More information about the MailScanner mailing list