On Thu, 15 Oct 2020 at 09:52, Nikolaos Milas <[email protected]> wrote:
>
> Hello,
>
> As you may also see in another mail (thread) I have started (for bayes
> db migration), we have an installation with
> postfix/amavis/clamav/spamassassin on CentOS 6 using (legacy?) rpmforge
> packages (for amavis/clamav).
>
> The setup includes scamp 5.6
> (https://sourceforge.net/projects/scamp/files/scamp/scamp-5.6/), which
> seems unsupported (not updated since 2013), to include additional clamav
> definition files.
>
> In fact, we have two identical mail gateway servers for incoming mail. I
> have started migrating one of them, so it is no longer available as an
> MX server.
>
> My problem is with our currently one and only MX server (yes, the one
> with the rpmforge installation): it seems to be allowing virus-infected
> mails to pass through. (The same problem was occurring on the other twin
> server; that's why I started the migration.)
>
> Our users have started receiving significant amounts of virus-infected
> mail, and this issue has triggered an investigation on our part to
> find out the cause.
>
> I have tested with a test signature
> (https://www.eicar.org/?page_id=3950) in an attachment and although it
> was detected, it reached its destination as sent, without modification.
> I found in amavisd.log:
>
> ...
>
> Please advise me: how can I find out what is going wrong with
> clamav/amavis and correct things?
>
> In essence, we need to stop the virus-infected mail flooding.
Start with something like this to check your amavis virus settings:

    grep -r virus_ /etc/amavis/conf.d|sed 's/\s*#.*//;/^$/d;/.*:$/d'|sort

This would typically be included in the output (and not overridden by later lines):

    $final_virus_destiny = D_DISCARD;
    $virus_quarantine_method = 'local:virus-%m';

With these settings the incoming email is not actually discarded; it is placed in local quarantine. But if you have D_PASS, then the virus passes straight through.

There are other possible explanations too, e.g. is amavis calling clamav for incoming mails, or is clamav being called directly by the MTA? Have you got the clamav and amavis user permissions sorted (ensured that the clamav and amavis users are both members of each other's group)?
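The check suggested above, carried a step further as an added example (this is not code from the thread or from the amavis project): instead of eyeballing the sorted grep output, the script below strips comments from the config files in the order amavis reads them, reports the last assignment of $final_virus_destiny (the one that wins when a later file overrides an earlier one) and classifies it, then rewrites a D_PASS to D_DISCARD. The conf.d tree it builds under mktemp is constructed for the demonstration; on the Debian layout you would pass /etc/amavis/conf.d/* instead, and on a CentOS/rpmforge box the single amavisd.conf wherever that package installed it. Which built-in default amavis applies when the variable is unset is not asserted here; the script just reports "unset".

```shell
#!/bin/sh
# Added example, not from the original thread: find the *effective* amavis
# virus policy across several config files and fix a D_PASS.

# Print every line mentioning a virus_ setting, comments and blank lines
# removed, prefixed with the file it came from, in the order given (pass a
# sorted glob such as /etc/amavis/conf.d/* to mirror amavis's load order).
amavis_virus_settings() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed 's/[[:space:]]*#.*//; /^[[:space:]]*$/d' "$f" \
            | grep 'virus_' | sed "s|^|$f:|" || true
    done
}

# Value of the LAST assignment to $1 in the files $2.. (later files override
# earlier ones, so the last one is what amavis actually runs with).
amavis_effective_value() {
    var="$1"; shift
    amavis_virus_settings "$@" \
        | grep "[\$]$var[[:space:]]*=" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//'
}

# Classify the effective $final_virus_destiny. "pass" is the symptom in the
# thread: detected virus, mail still delivered untouched.
amavis_virus_verdict() {
    case "$(amavis_effective_value final_virus_destiny "$@")" in
        D_PASS)    echo pass ;;
        D_DISCARD) echo discard ;;
        D_BOUNCE)  echo bounce ;;
        D_REJECT)  echo reject ;;
        "")        echo unset ;;     # amavis falls back to its own default
        *)         echo unknown ;;
    esac
}

# Hardened rewrite: turn "$final_virus_destiny = D_PASS;" into D_DISCARD in
# file $1, keeping a copy at $2 (put it OUTSIDE conf.d so nothing reads it).
amavis_fix_virus_pass() {
    f="$1"; backup="$2"
    cp "$f" "$backup"
    sed 's/^\([[:space:]]*[$]final_virus_destiny[[:space:]]*=[[:space:]]*\)D_PASS/\1D_DISCARD/' \
        "$backup" > "$f"
}

# Constructed sample conf.d (hypothetical file names and contents). The later
# file overrides the earlier one, so the defaults' D_DISCARD never applies.
make_sample_confd() {
    d=$(mktemp -d)
    cat > "$d/20-defaults" <<'EOF'
# site default: quarantine infected mail and do not deliver it
$final_virus_destiny = D_DISCARD;     # no copy reaches the recipient
$virus_quarantine_method = 'local:virus-%m';
EOF
    cat > "$d/50-user" <<'EOF'
# "temporary" override left behind after debugging
$final_virus_destiny = D_PASS;
EOF
    echo "$d"
}

# Demo run on the constructed tree.
sample=$(make_sample_confd)
amavis_virus_settings "$sample"/*
echo "effective before fix: $(amavis_virus_verdict "$sample"/*)"
amavis_fix_virus_pass "$sample/50-user" "$sample.50-user.bak"
echo "effective after fix:  $(amavis_virus_verdict "$sample"/*)"
rm -rf "$sample" "$sample.50-user.bak"
```

Because the verdict is taken from the last matching assignment rather than the first, a D_DISCARD that is correctly present in the defaults file does not hide a D_PASS added later, which is exactly the "overridden by later lines" case mentioned above. Re-run amavis_virus_verdict after the fix and restart amavisd before re-sending the EICAR test.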
