<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<tt>Hi.<br>
<br>
I've hi-jacked a thread?<br>
Sorry, I don't know what you mean?<br>
I checked the mailing lists for a similar problem before I posted and
saw no related topic.<br>
<br>
Sorry for the delay in responding.<br>
I suspect I'm way out of sync with you guys regarding time zones hence
why I haven't responded to your question yet Julian.<br>
I sent this off towards the end of work yesterday and I'm back in now
this morning.<br>
<br>
Anyway, I'll try to explain as much as I can about the permissions side
of things and see if you spot any problems.<br>
<br>
I'm using the exim4 (v4.69-2) package in Debian.<br>
The configuration has been modified to have an incoming and outgoing
queue so that MailScanner can intercept the emails.<br>
Exim4 runs under a user name called "Debian-exim" who is a member of a
group that is also called "Debian-exim".<br>
<br>
The clamd process runs under a user called "clamav" who is also a
member of the "clamav" group.<br>
I've also added this user to the "Debian-exim" group:<br>
<br>
$ groups clamav<br>
clamav : clamav Debian-exim<br>
<br>
The permissions on the /var/spool/MailScanner/incoming/ directory are as
follows:<br>
<br>
drwxr-x--- 4 Debian-exim Debian-exim 100 2008-03-13 09:13
/var/spool/MailScanner/incoming/<br>
<br>
Under here a directory is created with the PID of MailScanner, and at
the moment it looks as follows:<br>
<br>
drwxr-x--- 2 Debian-exim Debian-exim 40 2008-03-13 09:13 21152/<br>
<br>
If I do a 'ls -lR' on this directory and catch a message in transit I
see permissions like so:<br>
<br>
# ls -lR 21152/<br>
21152/:<br>
total 80<br>
drwxr-x--- 2 Debian-exim Debian-exim 80 2008-03-13 09:14
1JZb5m-0001MG-06/<br>
-rw-r----- 1 Debian-exim Debian-exim 870 2008-03-13 09:14
1JZb5m-0001MG-06.header<br>
-rw-rw---- 1 Debian-exim Debian-exim 65713 2008-03-13 09:14
1JZb5m-0001MG-06.message<br>
<br>
21152/1JZb5m-0001MG-06:<br>
total 64<br>
-rw-r----- 1 Debian-exim Debian-exim 7061 2008-03-13 09:14
msg-21152-127.txt<br>
-rw-r----- 1 Debian-exim Debian-exim 53896 2008-03-13 09:14
msg-21152-128.html<br>
<br>
Here are the settings that I think may be relevant from the
MailScanner.conf file:<br>
<br>
Run As User = Debian-exim<br>
Run As Group = Debian-exim<br>
Incoming Queue Dir = /var/spool/exim4_incoming/input<br>
Outgoing Queue Dir = /var/spool/exim4/input<br>
Incoming Work Dir = /var/spool/MailScanner/incoming<br>
MTA = exim<br>
Sendmail = /usr/sbin/exim4 -DOUTGOING<br>
Sendmail2 = /usr/sbin/exim4 -DOUTGOING<br>
Incoming Work User =<br>
Incoming Work Group =<br>
Incoming Work Permissions = 0640<br>
<br>
As far as I can tell this should be okay since the clamav user is part
of the Debian-exim group?<br>
It seems to be scanning everything else okay?<br>
<br>
Thanks.<br>
</tt>
<pre class="moz-signature" cols="1000">----------
Jim Barber
DDI Health
</pre>
<br>
<br>
Julian Field wrote:
<blockquote cite="mid:47D82D63.9040301@ecs.soton.ac.uk" type="cite">
<pre wrap="">
And he hasn't responded to my question about what MTA he's using and
what his "Run As" settings are. I suspect it's just a permissions problem.
Scott Silva wrote:
</pre>
<blockquote type="cite">
<pre wrap="">on 3-11-2008 11:48 PM Jim Barber spake the following:
</pre>
<blockquote type="cite">
<pre wrap="">Hi all.

For a long time now I've been using the MailScanner packages as
distributed by Debian.
Recently the maintainer updated the package to use version 4.66.5 of
MailScanner (it was previously at 4.58.9).
This means that I can now take advantage of the ClamAV daemon to do
virus scanning instead of invoking clamav for each batch of messages.

But I am encountering a strange error that occurs for some, but not
all TNEF attachments.
Here is an example of the messages that occur in syslog when
processing an email with this problem.
Note that I've changed the email address in the second line of output:

Mar 12 13:20:35 mail MailScanner[27855]: Spam Checks: Starting
Mar 12 13:20:35 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ
from 10.128.3.10 (<a class="moz-txt-link-abbreviated" href="mailto:user@ddihealth.com">user@ddihealth.com</a>) is whitelisted
Mar 12 13:20:35 mail MailScanner[27855]: Spam Checks completed at
83746 bytes per second
Mar 12 13:20:36 mail MailScanner[27855]: Expanding TNEF archive
at /var/spool/MailScanner/incoming/27855/1JZIS6-00043a-FQ/winmail.dat
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ
added TNEF contents image001.jpg,image002.jpg
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ
has had TNEF winmail.dat removed
Mar 12 13:20:42 mail MailScanner[27855]: Virus and Content
Scanning: Starting
Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to
open file or directory ERROR :: ./1JZIS6-00043a-FQ/mha1BpYaNZ
Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to
open file or directory ERROR :: ./1JZIS6-00043a-FQ/RRZFcL3LVX
Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Clamd
found 2 infections
Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Found 2
viruses
Mar 12 13:20:44 mail MailScanner[27855]: Virus Scanning completed
at 7944 bytes per second
Mar 12 13:20:44 mail MailScanner[27855]: Uninfected: Delivered 2
messages
Mar 12 13:20:44 mail MailScanner[27855]: Virus Processing
completed at 195783 bytes per second
Mar 12 13:20:44 mail MailScanner[27855]: Batch completed at 6458
bytes per second (63292 / 9)

Note that the problem only seems to happen to TNEF attachments where
the following log entry occurs:

MailScanner[$PID]: Message $MSG_ID added TNEF contents $FILES

e.g.

MailScanner[$PID]: Expanding TNEF archive at
/var/spool/MailScanner/incoming/$PID/$MSG_ID/winmail.dat
MailScanner[$PID]: Message $MSG_ID added TNEF contents $FILES
MailScanner[$PID]: Message $MSG_ID has had TNEF winmail.dat removed

However, if I only get the following messages then the virus scan will
be fine:

MailScanner[$PID]: Expanding TNEF archive at
/var/spool/MailScanner/incoming/$PID/$MSG_ID/winmail.dat
MailScanner[$PID]: Message $MSG_ID has had TNEF winmail.dat removed

I have the following TNEF settings in my MailScanner.conf file:

Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = internal
TNEF Timeout = 120

I changed the "TNEF Expander" to be "internal" a long time ago.
I found that having it set to "/usr/bin/tnef --maxsize=100000000"
choked on some messages that the internal one was able to handle.

The ClamAV daemon is successfully scanning all other emails okay.
I've only ever seen the problem associated with certain TNEF
attachments.

I've left all clamd settings in the MailScanner.conf at their default
settings.
The clamd virus scanner is found when MailScanner starts as shown in
the following log message:

Mar 12 11:51:54 mail MailScanner[27855]: I have found clamd
scanners installed, and will use them all by default.

My MailScanner incoming file system is using tmpfs and is shown as
follows in 'df' output:

tmpfs 258528 704 257824 1%
/var/spool/MailScanner/incoming

Any ideas what is going wrong?

Thanks.
</pre>
</blockquote>
<pre wrap="">Hijacking threads has caused bad karma on your mailserver. Repent, say
10 hail Julian's, and hijack no more!
</pre>
</blockquote>
<pre wrap=""><!---->
Jules
- --
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.MailScanner.info">www.MailScanner.info</a>
Buy the MailScanner book at <a class="moz-txt-link-abbreviated" href="http://www.MailScanner.info/store">www.MailScanner.info/store</a>
MailScanner customisation, or any advanced system administration help?
Contact me at <a class="moz-txt-link-abbreviated" href="mailto:Jules@Jules.FM">Jules@Jules.FM</a>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: <a class="moz-txt-link-freetext" href="http://www.jules.fm/julesfm.asc">http://www.jules.fm/julesfm.asc</a>
</pre>
</blockquote>
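<p>Added example, not part of the original thread and not MailScanner or ClamAV code: a way to test the "permissions problem" theory by evaluating, from owner, group and mode bits alone, which paths under the work directory a second account such as the clamd user could not open. It assumes classic Unix mode bits only (no ACLs, non-root scanner). The tree built in <tt>demo()</tt> is constructed, and its 0600 file is a hypothetical case, since the post does not show the modes of the files clamd failed on.</p>

```python
import grp
import os
import pwd
import tempfile

def ids_for(user):
    """uid and full gid set (primary + supplementary) of a local account."""
    pw = pwd.getpwnam(user)
    gids = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids | {pw.pw_gid}

def class_bits(st, uid, gids):
    """rwx bits the kernel applies to a non-root uid/gid set for this inode."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def unreadable_for(root, uid, gids):
    """Paths under root the account cannot open: dirs need r+x, files need r."""
    blocked = []
    for dirpath, dirnames, filenames in os.walk(root):
        if class_bits(os.stat(dirpath), uid, gids) & 5 != 5:
            blocked.append(dirpath)
            dirnames[:] = []          # nothing below is reachable either
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not class_bits(os.stat(path), uid, gids) & 4:
                blocked.append(path)
    return sorted(os.path.relpath(p, root) for p in blocked)

def demo():
    """Constructed tree shaped like the work dir listing in the post."""
    base = tempfile.mkdtemp()
    msg = os.path.join(base, "21152", "MSGID")
    os.makedirs(msg)
    for d in (base, os.path.dirname(msg), msg):
        os.chmod(d, 0o750)            # drwxr-x--- as in the listing
    for name, mode in (("msg-1.txt", 0o640), ("tmpfile", 0o600)):
        path = os.path.join(msg, name)
        open(path, "w").close()
        os.chmod(path, mode)
    st = os.stat(base)
    scanner_uid = st.st_uid + 1       # stand-in for a second account
    in_group = unreadable_for(base, scanner_uid, {st.st_gid})
    no_group = unreadable_for(base, scanner_uid, set())
    return in_group, no_group
```

<p>On the mail server itself the call would be <tt>unreadable_for("/var/spool/MailScanner/incoming", *ids_for("clamav"))</tt>, run as root while a message is in the work directory.</p>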
</body>
</html>