I'm using clamav 0.70, with clamav-milter 0.70o, under RH 9. It appears to drop
infected mail as it should, but I'm not getting a copy to postmaster or to the
quarantine address. Nothing is logged in /var/log/clamav/*, and there's no log
entry in the maillog showing that the message was infected. The sendmail log shows:


----------------INFECTED MAIL------------------------
Apr 20 14:53:16 server1 clamav-milter[28718]: clamfi_envfrom: <[EMAIL PROTECTED]>
Apr 20 14:53:17 server1 clamav-milter[28718]: clamfi_envrcpt: <[EMAIL PROTECTED]>
Apr 20 14:53:18 server1 sendmail[28948]: i3KJrFsG028948: collect: premature EOM: unexpected close
Apr 20 14:53:18 server1 sendmail[28948]: i3KJrFsG028948: collect: unexpected close on connection from localhost, sender=<[EMAIL PROTECTED]>
Apr 20 14:53:18 server1 sendmail[28948]: i3KJrFsG028948: from=<[EMAIL PROTECTED]>, size=203, class=0, nrcpts=1, proto=ESMTP, [EMAIL PROTECTED]
Apr 20 14:53:18 server1 clamav-milter[28718]: clamfi_close


Running clamd with debugging on shows:
        LibClamAV debug: clamfi_envfrom: <[EMAIL PROTECTED]>
        LibClamAV debug: >n_children = 1
        LibClamAV debug: clamfi_envrcpt: <[EMAIL PROTECTED]>
for an infected message. Note that there's no "connect2clamd" statement.

-------END OF INFECTED MAIL------------------------


Messages that do not have viruses are delivered correctly, and the sendmail
log shows:
-----------------------CLEAN MESSAGE-------------------------------
Apr 20 14:59:29 server1 clamav-milter[28718]: clamfi_envfrom: <[EMAIL PROTECTED]>
Apr 20 14:59:30 server1 clamav-milter[28718]: clamfi_envrcpt: <[EMAIL PROTECTED]>
Apr 20 14:59:29 server1 clamav-milter[28718]: clamfi_envfrom: <[EMAIL PROTECTED]>
Apr 20 14:59:30 server1 clamav-milter[28718]: clamfi_envrcpt: <[EMAIL PROTECTED]>
Apr 20 14:59:31 server1 sendmail[29627]: i3KJxSED029627: from=<[EMAIL PROTECTED]>, size=43, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, [EMAIL PROTECTED]
Apr 20 14:59:31 server1 clamav-milter[28718]: clamfi_eoh
Apr 20 14:59:31 server1 clamav-milter[28718]: clamfi_envbody: 44 bytes
Apr 20 14:59:31 server1 clamav-milter[28718]: clamfi_eom
Apr 20 14:59:31 server1 clamav-milter[28718]: clamfi_eom: read stream: OK
Apr 20 14:59:31 server1 clamav-milter[28718]: i3KJxSED029627: clean message from <[EMAIL PROTECTED]>
Apr 20 14:59:31 server1 sendmail[29627]: i3KJxSED029627: Milter add: header: X-Virus-Scanned: clamd / ClamAV version 0.70, clamav-milter version 0.70o
Apr 20 14:59:31 server1 sendmail[29627]: i3KJxSED029627: Milter add: header: X-Virus-Status: Clean
Apr 20 14:59:31 server1 sendmail[29638]: i3KJxSED029627: to=<[EMAIL PROTECTED]>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30452, dsn=2.0.0, stat=Sent
Apr 20 14:59:31 server1 sendmail[29638]: i3KJxSED029627: done; delay=00:00:01, ntries=1
Apr 20 14:59:31 server1 clamav-milter[28718]: clamfi_close


Running clamd with debugging on shows:
        LibClamAV debug: clamfi_envfrom: <[EMAIL PROTECTED]>
        LibClamAV debug: >n_children = 1
        LibClamAV debug: clamfi_envrcpt: <[EMAIL PROTECTED]>
        LibClamAV debug: connect2clamd OK
        LibClamAV debug: clamfi_eom: read stream: OK
for a clean message.
------------------END OF CLEAN MESSAGE-------------------------------


I'm running clamav-milter with the options:

        --debug
        --headers
        --local
        --outgoing
        --max-children=10
        --force-scan
        [EMAIL PROTECTED]
        [EMAIL PROTECTED]
        local:/var/run/clamav/clamav-milter.sock

The clamav.conf file has:
        LogFile /var/log/clamav/clamd.log
        LogClean
        LogSyslog
        LogVerbose
        PidFile /var/run/clamav/clamd.pid
        DatabaseDirectory /var/lib/clamav
        LocalSocket /var/run/clamav/clamd.socket
        StreamSaveToDisk
        StreamMaxLength 10M
        MaxDirectoryRecursion 15
        User clamav
        ScanOLE2
        ScanMail
        ScanArchive
        ArchiveMaxFileSize 10M
        ArchiveMaxRecursion 5
        ArchiveMaxFiles 1000
        ArchiveMaxCompressionRatio 200
        ClamukoScanOnOpen
        ClamukoScanOnClose
        ClamukoScanOnExec
        ClamukoIncludePath /home
        ClamukoMaxFileSize 1M
        ClamukoScanArchive

As I understand it, I should be getting a notice that a virus was detected
sent to "[EMAIL PROTECTED]", with the actual infected message forwarded to
"[EMAIL PROTECTED]", and I'd expect some logging to
/var/log/clamav/clamd.log or the syslog.

Any suggestions? Any ideas for getting more debugging detail?

Can anyone spot a configuration problem that I'm overlooking?

Thanks,

Mark
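
An added example (not part of the original post and not ClamAV code): a small Python log audit that groups the clamav-milter callbacks shown in the excerpts above into sessions and flags any session that reaches clamfi_close without clamfi_eom, attaching the sendmail "premature EOM" queue ID logged in the meantime. The sample log is constructed from the excerpts with placeholder addresses, and the script assumes milter sessions are not interleaved in the log.

```python
import re

# Constructed sample in the format of the excerpts above; addresses are placeholders.
SAMPLE_LOG = """\
Apr 20 14:53:16 server1 clamav-milter[28718]: clamfi_envfrom: <sender@example.com>
Apr 20 14:53:17 server1 clamav-milter[28718]: clamfi_envrcpt: <rcpt@example.com>
Apr 20 14:53:18 server1 sendmail[28948]: i3KJrFsG028948: collect: premature EOM: unexpected close
Apr 20 14:53:18 server1 clamav-milter[28718]: clamfi_close
Apr 20 14:59:29 server1 clamav-milter[28718]: clamfi_envfrom: <sender@example.com>
Apr 20 14:59:30 server1 clamav-milter[28718]: clamfi_envrcpt: <rcpt@example.com>
Apr 20 14:59:31 server1 clamav-milter[28718]: clamfi_eoh
Apr 20 14:59:31 server1 clamav-milter[28718]: clamfi_envbody: 44 bytes
Apr 20 14:59:31 server1 clamav-milter[28718]: clamfi_eom: read stream: OK
Apr 20 14:59:31 server1 clamav-milter[28718]: i3KJxSED029627: clean message from <sender@example.com>
Apr 20 14:59:31 server1 clamav-milter[28718]: clamfi_close
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ (clamav-milter|sendmail)\[(\d+)\]: (.*)$")

def milter_sessions(log_text):
    """Split the log into milter sessions (first callback .. clamfi_close)."""
    sessions, current, aborted = [], {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, prog, pid, msg = m.groups()
        if prog == "sendmail":
            # Remember queue IDs whose SMTP collection was cut short.
            if "premature EOM" in msg:
                aborted.append(msg.split(":", 1)[0])
            continue
        s = current.setdefault(pid, {"start": ts, "callbacks": [], "verdict": None})
        cb = re.match(r"clamfi_\w+", msg)
        if cb:
            s["callbacks"].append(cb.group())
        elif "clean message" in msg:
            s["verdict"] = "clean"
        if cb and cb.group() == "clamfi_close":
            # Assumption: sessions are not interleaved, so pending IDs belong here.
            s["aborted_qids"], aborted = aborted, []
            s["scanned"] = "clamfi_eom" in s["callbacks"]
            sessions.append(current.pop(pid))
    return sessions

def unscanned(sessions):
    """Sessions that closed before the milter reached clamfi_eom."""
    return [s for s in sessions if not s["scanned"]]

if __name__ == "__main__":
    for s in unscanned(milter_sessions(SAMPLE_LOG)):
        print(s["start"], " > ".join(s["callbacks"]), "qids:", s["aborted_qids"])
```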


