MailScanner blocking ClamAV emails
Antony Stone
Antony.Stone at mailscanner.open.source.it
Sat Mar 25 16:00:56 UTC 2017
On Saturday 25 March 2017 at 16:50:34, Walt Thiessen wrote:
> What exactly should we whitelist? My admins claim that the only thing
> you can whitelist in ClamAV is a signature, and they say there are no
> signatures in the log entries to whitelist.

I would suggest you want to whitelist emails from 127.0.0.1.

After all, your objective is to scan & filter "inbound" emails and "outbound"
emails, and I'd say that emails from 127.0.0.1 on the email host itself don't
count as either.

Antony.

> On 3/25/2017 7:46 AM, Jerry Benton wrote:
> > Sane Security: http://sanesecurity.com/usage/signatures/
> >
> > Did you add those rules to freshclam.conf ?
> >
> > Regardless, you need to whitelist at the clam level, not MailScanner.
> >
> > -
> > Jerry Benton
> > www.mailborder.com <http://www.mailborder.com>
> > +1 - 844-436-6245
> >
> >> On Mar 25, 2017, at 7:45 AM, Walt Thiessen <wt at dld2000.com
> >> <mailto:wt at dld2000.com>> wrote:
> >>
> >> I'm not sure what a Sane rule is.
> >>
> >> On 3/25/2017 7:40 AM, Jerry Benton wrote:
> >>> Whitelisting in MailScanner. Whitelisting is for spam checks. You
> >>> will need to whitelist in clamav. It looks like a Sane rule is
> >>> catching it?
> >>>
> >>> -
> >>> Jerry Benton
> >>> www.mailborder.com <http://www.mailborder.com/>
> >>> +1 - 844-436-6245
> >>>
> >>>> On Mar 25, 2017, at 7:38 AM, Walt Thiessen <wt at dld2000.com
> >>>> <mailto:wt at dld2000.com>> wrote:
> >>>>
> >>>> I have MailScanner set to check all inbound and outbound email
> >>>> using ClamAV.
> >>>>
> >>>> I have ClamAV set up to send me an email each day informing me of
> >>>> any possible infections.
> >>>>
> >>>> For about a week or two now, this email has failed to arrive.
> >>>>
> >>>> My admins found the problem. ClamAV is apparently blocking itself
> >>>> via MailScanner.
> >>>>
> >>>> From the maillog:
> >>>>
> >>>> [root at server ~]# grep 1cqtVW-0002rF-UX /var/log/maillog
> >>>> Mar 22 23:33:50 server MailScanner: Filename Checks: Allowing
> >>>> 1cqtVW-0002rF-UX clamav-2017-03-22.log (no rule matched)
> >>>> Mar 22 23:33:51 server MailScanner: Filetype Checks: Allowing
> >>>> 1cqtVW-0002rF-UX clamav-2017-03-22.log
> >>>> Mar 22 23:33:51 server MailScanner: Clamd::INFECTED::
> >>>> YARA.r57shell_php_php.UNOFFICIAL ::
> >>>> ./1cqtVW-0002rF-UX/clamav-2017-03-22.log
> >>>> Mar 22 23:33:51 server MailScanner: Infected message
> >>>> 1cqtVW-0002rF-UX came from 127.0.0.1
> >>>> Mar 22 23:33:51 server MailScanner: 1cqtVW-0002rF-UX: Received for
> >>>> MailControl Database
> >>>> Mar 22 23:33:51 server MailScanner: 1cqtVW-0002rF-UX: MailControl
> >>>> cannot insert row:
> >>>> %%C7RPN1O2FYP5LGSYVTBFOC2X10OGEDRXXIPRGRGJJJI5KDWFI8S
> >>>>
> >>>> We tried whitelisting root at server or 127.0.0.1, but it didn't help.
> >>>>
> >>>> Any ideas?
> >>>>
> >>>> Walt
--
Perfection in design is achieved not when there is nothing left to add, but
rather when there is nothing left to take away.
- Antoine de Saint-Exupery
Please reply to the list;
please *don't* CC me.
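
An added example, not written by any poster in this thread: a Python triage script that pairs MailScanner's `Clamd::INFECTED` lines with the `came from` lines by message ID and lists which signatures fired on mail submitted from the local host. The sample log is constructed from the maillog lines quoted above, unwrapped to one entry per line, plus one constructed remote-sender entry; the function and variable names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the maillog lines quoted in the thread, unwrapped to one
# entry per line, plus one constructed entry for a remote sender (documentation IP).
SAMPLE_MAILLOG = """\
Mar 22 23:33:50 server MailScanner: Filename Checks: Allowing 1cqtVW-0002rF-UX clamav-2017-03-22.log (no rule matched)
Mar 22 23:33:51 server MailScanner: Clamd::INFECTED:: YARA.r57shell_php_php.UNOFFICIAL :: ./1cqtVW-0002rF-UX/clamav-2017-03-22.log
Mar 22 23:33:51 server MailScanner: Infected message 1cqtVW-0002rF-UX came from 127.0.0.1
Mar 22 23:40:02 server MailScanner: Clamd::INFECTED:: Example.Constructed.Sig :: ./1cqtZZ-0000aa-AA/invoice.doc
Mar 22 23:40:02 server MailScanner: Infected message 1cqtZZ-0000aa-AA came from 203.0.113.7
"""

# Signature name, message ID (the scan directory) and attachment name.
HIT = re.compile(r"Clamd::INFECTED::\s*(\S+)\s*::\s*\./([^/\s]+)/(\S+)")
# Message ID and the client address MailScanner recorded for it.
ORIGIN = re.compile(r"Infected message (\S+) came from (\S+)")
LOCAL = {"127.0.0.1", "::1"}
SUFFIX = ".UNOFFICIAL"  # ClamAV appends this to third-party signature names


def local_detections(log_text):
    """Return {signature: [(message_id, attachment), ...]} for local-origin mail."""
    hits = []    # (message_id, signature, attachment)
    origin = {}  # message_id -> client address
    for line in log_text.splitlines():
        m = HIT.search(line)
        if m:
            sig, msg_id, attachment = m.groups()
            hits.append((msg_id, sig, attachment))
            continue
        m = ORIGIN.search(line)
        if m:
            origin[m.group(1)] = m.group(2)
    result = defaultdict(list)
    for msg_id, sig, attachment in hits:
        # Keep only detections on mail the host submitted to itself.
        if origin.get(msg_id) in LOCAL:
            name = sig[:-len(SUFFIX)] if sig.endswith(SUFFIX) else sig
            result[name].append((msg_id, attachment))
    return dict(result)


if __name__ == "__main__":
    for name, where in local_detections(SAMPLE_MAILLOG).items():
        for msg_id, attachment in where:
            print(f"{name}\t{msg_id}\t{attachment}")
```

ClamAV reads signature names to ignore from `.ign2` files in its database directory; the thread does not confirm whether that resolves this case.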