On Fri, Jul 07, 2006 at 04:32:45PM +0900, Jorgen Lundman wrote:
>
>
> Solaris 10, postfix, OpenLDAP, amavisd-new 2.4.2, clamd.
>
> It appears to run quite well when scanning all mails received. Seems to be
> pushing roughly 17 emails/second using clamd (1 email/second using 2ndary
> clamscan).
>
> All users are in LDAP, no local account information.
>
> Since some users will choose not to use Virus-checks (and/or Spam-checks) I
> need to enable, or disable, these checks in LDAP.
>
> I would prefer it if the users who have it disabled would waste as little
> resources as possible. (Ie, passing it through clamd, find virus, and still
> deliver it seems like a waste of time).
>
> I thought that by adding:
>
> add objectClass:
> qmailUser
> + amavisAccount
> + add amavisBypassVirusChecks:
> + TRUE
> + add amavisBypassSpamChecks:
> + TRUE
> + add amavisBypassHeaderChecks:
> + TRUE
> + add amavisBypassBannedChecks:
> + TRUE
>
> Would disable it. However, if I send the user the
> "EICAR-STANDARD-ANTIVIRUS-TEST" it recognises it, copies the file to
> /var/quarantine, and sends the "you got a virus template" as configured for
> users with Virus checking enabled.
>
> debug output features highlights like:
> Jul 7 16:14:49 vmx01.unix /usr/local/sbin/amavisd[27096]: (27096-01)
> lookup_ldap([EMAIL PROTECTED]) matches,
> result=(amavisbypassbannedchecks=>"TRUE",
> amavisbypassspamchecks=>"TRUE", amavisbypassheaderchecks=>"TRUE",
> amavisbypassviruschecks=>"TRUE",
> dn=>"uid=bob,o=uranus.com,ou=mail,dc=example,dc=com")
>
> Jul 7 16:14:49 vmx01.unix /usr/local/sbin/amavisd[27096]: (27096-01) lookup
> (bypass_virus_checks) => true, "[EMAIL PROTECTED]" matches, result="1",
> matching_key="/cached/"
> Jul 7 16:14:49 vmx01.unix /usr/local/sbin/amavisd[27096]: (27096-01) lookup:
> (scalar) matches, result="1"
What is the above from? Do you have a map/entry in the amavisd.conf file?
> Jul 7 16:14:49 vmx01.unix /usr/local/sbin/amavisd[27096]: (27096-01) lookup
> (viruses_that_fake_sender) => true, "Eicar-Test-Signature" matches,
> result="1",
> matching_key="(constant:1)"
>
> Jul 7 16:14:49 vmx01.unix /usr/local/sbin/amavisd[27096]: (27096-01) lookup
> (virus_quarantine_to) => true, "[EMAIL PROTECTED]" matches,
> result="virus-quarantine", matching_key="(constant:virus-quarantine)"
>
>
> So it seems to do a lot of work for an account that is disabled, and still
> detects that it is a virus.
>
> What is the best way to disable some users? I tried setting VirusLover but it
> had no direct effect (on fixing the issue).
>
> Any hints?
Setting 'amavisBypassVirusChecks' and 'amavisVirusLover' will do it. Below
are my log snippets sending myself an Eicar test message. It doesn't get
scanned and passes right through:
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) lookup_ldap([EMAIL PROTECTED]) matches, result=(amaviswhitelistsender=>"ARRAY(0xbbc4260)", amavisbypassbannedchecks=>"TRUE", amavisbadheaderlover=>"TRUE", amavisbypassheaderchecks=>"TRUE", amavisbannedrulenames=>"ALLOW_EXE, DEFAULT", amavisviruslover=>"TRUE", amavisspamtaglevel=>"-999", amavisbannedfileslover=>"TRUE", amavisbypassspamchecks=>"FALSE", amavisblacklistsender=>"ARRAY(0xbbc4dc0)", amavisspamtag2level=>"5", amavisspamkilllevel=>"5", amavisspamlover=>"FALSE", amavisspammodifiessubj=>"FALSE", amavisbypassviruschecks=>"TRUE", dn=>"uid=mhall,ou=People,dc=riverside,dc=org")
...
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) lookup_ldap_attr(amavisbypassviruschecks) "[EMAIL PROTECTED]" result=(1)
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) lookup (bypass_virus_checks) => true, "[EMAIL PROTECTED]" matches, result="1", matching_key="/cached/"
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) Extracting mime components
...
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) lookup_ldap_attr(amavisbypassheaderchecks) "[EMAIL PROTECTED]" result=(1)
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) lookup (bypass_header_checks) => true, "[EMAIL PROTECTED]" matches, result="1", matching_key="/cached/"
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) Checking for banned types and filenames
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) lookup_ldap_attr(amavisbypassbannedchecks) "[EMAIL PROTECTED]" result=(1)
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) lookup (bypass_banned_checks) => true, "[EMAIL PROTECTED]" matches, result="1", matching_key="/cached/"
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) skipping banned check: all recipients bypass banned checks
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) banned check: any=0, all=N (1)
Jul 18 03:47:59 ukiah amavis[82166]: (82166-01) bypassing of virus checks requested
*** Note the above line and the absence of an 'AV-scan' test in the TIMING
below.
Jul 18 03:48:00 ukiah amavis[82166]: (82166-01) TIMING [total 1039 ms] - ldap-prepare: 16 (2%)2, SMTP EHLO: 12 (1%)3, SMTP pre-MAIL: 12 (1%)4, mkdir tempdir: 2 (0%)4, create email.txt: 2 (0%)4, ldap-connect: 17 (2%)6, lookup_ldap: 34 (3%)9, SMTP pre-DATA-flush: 7 (1%)10, SMTP DATA: 34 (3%)13, body_digest: 4 (0%)13, gen_mail_id: 2 (0%)14, mkdir parts: 1 (0%)14, mime_decode: 22 (2%)16, get-file-type1: 50 (5%)21, decompose_part: 3 (0%)21, parts_decode: 0 (0%)21, spam-wb-list: 18 (2%)23, SA msg read: 2 (0%)23, SA parse: 5 (0%)23, SA check: 500 (48%)71, SA finish: 7 (1%)72, update_cache: 4 (0%)73, decide_mail_destiny: 6 (1%)73, fwd-connect: 77 (7%)81, fwd-xforward: 2 (0%)81, fwd-mail-from: 4 (0%)81, fwd-rcpt-to: 6 (1%)82, fwd-data-cmd: 3 (0%)82, write-header: 5 (1%)83, fwd-data-contents: 1 (0%)83, fwd-data-end: 120 (12%)94, fwd-rundown: 19 (2%)96, prepare-dsn: 5 (0%)97, main_log_entry: 29 (3%)99, update_snmp: 2 (0%)100, unlink-1-files: 3 (0%)100, rundown: 1 (0%)100
Below is a TIMING line with the attributes set on (normal for me) and you can
see it did a virus scan: 'AV-scan-1: 8 (0%)9'.
Jul 18 00:10:52 ukiah amavis[63903]: (63903-03) TIMING [total 3134 ms] - SMTP EHLO: 5 (0%)0, SMTP pre-MAIL: 3 (0%)0, lookup_ldap: 29 (1%)1, SMTP pre-DATA-flush: 4 (0%)1, SMTP DATA: 168 (5%)7, body_digest: 4 (0%)7, gen_mail_id: 1 (0%)7, mime_decode: 34 (1%)8, get-file-type1: 39 (1%)9, decompose_part: 2 (0%)9, parts_decode: 0 (0%)9, AV-scan-1: 8 (0%)9, spam-wb-list: 5 (0%)10, SA msg read: 3 (0%)10, SA parse: 10 (0%)10, SA check: 2548 (81%)91, SA finish: 8 (0%)92, update_cache: 4 (0%)92, decide_mail_destiny: 2 (0%)92, fwd-connect: 64 (2%)94, fwd-xforward: 1 (0%)94, fwd-mail-from: 3 (0%)94, fwd-rcpt-to: 4 (0%)94, fwd-data-cmd: 2 (0%)94, write-header: 5 (0%)94, fwd-data-contents: 2 (0%)94, fwd-data-end: 121 (4%)98, fwd-rundown: 20 (1%)99, prepare-dsn: 1 (0%)99, main_log_entry: 21 (1%)100, update_snmp: 3 (0%)100, unlink-1-files: 2 (0%)100, rundown: 9 (0%)100
--
Mike Hall
San Juan Island, WA
System Admin - Rock Island Communications <[EMAIL PROTECTED]>
System Admin - riverside.org, ssdd.org <[EMAIL PROTECTED]>
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
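
Added example (not part of the original thread and not amavisd-new code): a small log audit that applies the check described in the reply above, grouping lines by the amavis id in parentheses and reporting whether an 'AV-scan' section appears in each message's TIMING line. The sample log is constructed from the line formats quoted in the thread; hosts, addresses, the abridged timings and the 27096-01 TIMING line are assumptions, and it presumes logging verbose enough to emit TIMING lines.

```python
import re

# Constructed sample modelled on the log lines quoted in this thread;
# hosts and addresses are placeholders, timings are abridged.
SAMPLE_LOG = """\
Jul 18 03:47:59 mx amavis[82166]: (82166-01) lookup (bypass_virus_checks) => true, "a@example.org" matches, result="1", matching_key="/cached/"
Jul 18 03:47:59 mx amavis[82166]: (82166-01) bypassing of virus checks requested
Jul 18 03:48:00 mx amavis[82166]: (82166-01) TIMING [total 1039 ms] - lookup_ldap: 34 (3%)9, SA check: 500 (48%)71, rundown: 1 (0%)100
Jul 18 00:10:52 mx amavis[63903]: (63903-03) TIMING [total 3134 ms] - lookup_ldap: 29 (1%)1, AV-scan-1: 8 (0%)9, SA check: 2548 (81%)91, rundown: 9 (0%)100
Jul  7 16:14:49 mx /usr/local/sbin/amavisd[27096]: (27096-01) lookup (bypass_virus_checks) => true, "b@example.org" matches, result="1", matching_key="/cached/"
Jul  7 16:14:50 mx /usr/local/sbin/amavisd[27096]: (27096-01) TIMING [total 900 ms] - lookup_ldap: 30 (3%)3, AV-scan-1: 40 (4%)7, rundown: 1 (0%)100
"""

LINE_RE = re.compile(r"amavisd?\[\d+\]: \((?P<id>\d+-\d+)\) (?P<msg>.*)")
TIMING_RE = re.compile(r"TIMING \[total (\d+) ms\] - (.*)")
SECTION_RE = re.compile(r"([^,:]+): (\d+) \(\d+%\)\d+")  # "name: ms (pct%)cum"

def audit(log_text):
    """Collect per-message evidence of whether a virus scan ran."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = report.setdefault(m["id"], {"lookup_bypass": False,
              "bypass_logged": False, "total_ms": None, "av_ms": None})
        msg = m["msg"]
        if msg.startswith("lookup (bypass_virus_checks) => true"):
            rec["lookup_bypass"] = True
        elif msg.startswith("bypassing of virus checks requested"):
            rec["bypass_logged"] = True
        elif (t := TIMING_RE.match(msg)):
            rec["total_ms"] = int(t.group(1))
            av = [int(ms) for name, ms in SECTION_RE.findall(t.group(2))
                  if name.strip().startswith("AV-scan")]
            rec["av_ms"] = sum(av) if av else None
    return report

def classify(rec):
    if rec["total_ms"] is None:
        return "incomplete"            # no TIMING line seen for this id
    if rec["av_ms"] is None:
        return "not-scanned"           # TIMING has no AV-scan section
    # Lookup said bypass, yet a scan ran: the symptom in the original question.
    return "scanned-despite-bypass" if rec["lookup_bypass"] else "scanned"

if __name__ == "__main__":
    for mid, rec in audit(SAMPLE_LOG).items():
        print(mid, classify(rec), rec)
```

Run over a day's mail log, the "not-scanned" ids show exactly which deliveries skipped the virus scanner, which is worth reviewing whenever bypass attributes are user-controllable in LDAP.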