Owner/group/perms on /var/spool/MailScanner keep clamav from scanning

Martijn mailinglist at mindconnect.nl
Tue Nov 20 23:57:14 GMT 2012

Hi Glenn,

On 20-11-2012 15:22, Glenn Steen wrote:
> On 20 November 2012 12:55, Martijn <mailinglist at mindconnect.nl> wrote:
> You can easily test what is happening by becoming the respective users
> and trying to cd/ls the directories from root (/) on down to the
> /var/spool/MailScanner/incoming directory (e.g. "su - postfix -s
> /bin/bash" etc).
> What is very likely happening is that the "toplevel" directory
> /var/spool/MailScanner, due to the --- perms for other, simply doesn't
> allow the clamd-process to change directory into its child directory
> incoming. Simply make that one 4 (i.e. r-x) as well and you'll be
> fine. I suppose you need to tell all (filesystem, MailScanner.conf and
> AppArmor) what the deal is.
> Cheers

That is a good suggestion for everyone running into this. With this, I 
have verified that the root cause is not the ownership or perms on 
/var/spool/MailScanner/incoming OR the directories higher up the tree 
where the files are stored, but the owner/perms on 
/var/spool/MailScanner itself, PLUS that MailScanner resets these 
settings every restart.

Reason I'm on to this is that there seems to be some confusion about 
this. A lot of people are looking for clues at the wrong directory. For 

So, cutting it short:
- The suggested settings for clamav/clamd in the configuration file 
don't work 100% on some systems, and this is causing some confusion. 
Mainly, because the error in the logs suggests a problem with the 
permissions of the directory higher up the tree: the Incoming Dir.

I couldn't find anyone reporting the true cause as the owner/perms on 
/var/spool/MailScanner, so I thought it was a good idea to start a new 
thread. My aim would be to just reduce the confusion :-) Everyone seeing 
the lstat() error the first time will investigate.

The hint for adding

   # For MailScanner
   /var/spool/MailScanner/** rw,

to /etc/apparmor.d/usr.sbin.clamd is a keeper, particularly for users on 

Also, I would like to aim at a common solution that . So far, I have 
read several fixes, which I think may not be a good idea:
- Set less strict permissions on directories, opening up those dirs not 
just for clamav but for who knows what.
- Adding clamav to the postfix group, or reversed. Again, opening things 
up on a much larger scale than needed.

Those work in the sense that they get rid of the error. But they also 
'fix' a lot more than just the error in the logs.

Setting the ownership of /var/spool/MailScanner to postfix:clamav and 
perms 640 I think would be a very good fix, if it weren't for 
MailScanner resetting those values.

I think fixing this may need some extra settings in the configuration, 
to regulate the ownership and perms in /var/spool/MailScanner 
specifically, instead of assuming Run As values.

Any thoughts on this from the community?

- Martijn
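
Added example, not part of the original post: the check described in the thread (walking from the top of the tree down to the incoming directory to see where a user is stopped), done by reading mode bits instead of switching users. The function names, the constructed temporary tree and the hypothetical uid/gid values are assumptions of this example; ACLs and AppArmor are not evaluated.

```python
import os
import shutil
import stat
import tempfile


def can_search(st, uid, gids):
    """True if the mode bits let uid/gids traverse this directory (ACLs, AppArmor ignored)."""
    if uid == 0:
        return True  # root is not limited by mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocker(target, uid, gids, start="/"):
    """Return (path, mode) of the first directory from start down to target
    that the identity cannot enter, or None if the whole chain is searchable."""
    start, path = os.path.abspath(start), os.path.abspath(target)
    chain = [path]
    while path != start and path != os.path.dirname(path):
        path = os.path.dirname(path)
        chain.append(path)
    for path in reversed(chain):
        st = os.stat(path)
        if stat.S_ISDIR(st.st_mode) and not can_search(st, uid, gids):
            return path, stat.filemode(st.st_mode)
    return None


def demo():
    """Constructed tree: parent closed to 'other', child directory open."""
    root = os.path.abspath(tempfile.mkdtemp())
    top = os.path.join(root, "MailScanner")
    incoming = os.path.join(top, "incoming")
    os.makedirs(incoming)
    os.chmod(incoming, 0o775)
    os.chmod(top, 0o750)
    st = os.stat(top)
    # Hypothetical scanner identity: not the owner; first outside, then inside the group.
    outsider = first_blocker(incoming, st.st_uid + 1, {st.st_gid + 1}, start=top)
    member = first_blocker(incoming, st.st_uid + 1, {st.st_gid}, start=top)
    shutil.rmtree(root)
    return top, outsider, member


if __name__ == "__main__":
    print(demo())
```

On a real host the uid and group set for the scanner account can be taken from `pwd.getpwnam()` and `os.getgrouplist()`, with `start` left at `/`.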

