Owner/group/perms on /var/spool/MailScanner keep clamav from scanning

Glenn Steen glenn.steen at gmail.com
Tue Nov 20 14:22:05 GMT 2012

On 20 November 2012 12:55, Martijn <mailinglist at mindconnect.nl> wrote:
> Hi there,
> In MailScanner.conf, I can set the user/group under which MailScanner
> should do it's work. I'm using Postfix, which is running as user
> postfix, so this is set to:
> Run As User = postfix
> Run As Group = postfix
> Then I can set the path, user, group and permissions for the Work Dir. I
> use clamav with user clamav for clamscan and clamdscan, so I set this to:
> Incoming Work Dir = /var/spool/MailScanner/incoming
> Incoming Work User = (empty so this is postfix, taken from Run As User)
> Incoming Work Group = clamav
> Incoming Work Permissions = 0640
> This is as suggested in de configuration. In addition I also needed to
> adjust my apparmor configuration to allow clamav to scan in that directory.
> Now the problem I have doesn't seem related to the permissions for the
> Work Dir, but to a higher directory. Every time MailScanner is
> restarted, it (re)sets to owner for /var/spool/MailScanner to
> postfix:postfix. The permissions on this dir are 640, not allowing the
> user clamav entry to the lower /var/spool/MailScanner/incoming.
> If /var/spool/MailScanner is postfix:clamav, all works fine.
> Should the permissions on /var/spool/MailScanner be 640, and if so, how
> can the suggested settings work combined with the reset of the
> permissions on the higher directory?
> This is on Ubuntu 10.04 with a recent MailScanner .deb from Baruwa.
> - Martijn
You can easily test what is happening by becoming the sepective users
and try to cd/ls the directories from root (/) on down to the
/var/spool/MailScanner/incoming directory (e.g. "su - postfix -s
/bin/bash" etc).
What is very likely happening is that the "toplevel" directory
/var/spool/MailScanner, due to the --- perms for other, simply don't
allow the clamd-process to change directory into it's child directory
incoming. Simply make that one 4 (1.e. r-x) as well and you'll be
fine. I suppose you need tell all (filesystem, MailScanner.conf and
AppArmour) what the deal is.

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

More information about the MailScanner mailing list