Hi there,
On Wed, 25 Nov 2009 Ken Campney wrote:
> ... there is no destination logged when an infection is processed.
> My guess is this is because it's not being delivered. Which would explain
> why the clamav-milter.log has the intended "local" delivery address.
Can you change the verbosity of Sendmail's logging? Here's an edited
extract from my logs, the lines may wrap in your mail client but they
all begin with the date ("Nov 2"), time and mailserver name ("mail3").
It would be easy to grab the envelope recipient from this log:
Nov 2 07:54:50 mail3 sm-mta[20703]: NOQUEUE: connect from ha20.Scsend.net [64.50.150.20]
Nov 2 07:55:53 mail3 sm-mta[20703]: nA27somI020703: --- 220-mail3.jubileegroup.co.uk ESMTP You will be billed fifty US dollars for each and e
Nov 2 07:55:53 mail3 sm-mta[20703]: nA27somI020703: --- 220 server ready
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: <-- EHLO ha20.Scsend.net
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: --- 250-mail3.jubileegroup.co.uk Hello ha20.Scsend.net [64.50.150.20], pleased to meet yo
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: --- 250 [snip, snip]
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: <-- MAIL FROM:<[email protected]> SIZE=4927
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: --- 250 2.1.0 <[email protected]>... Sender ok
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: <-- RCPT TO:<[email protected]>
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: --- 050 /home/sales/.forward: line 1: forwarding to [snip]
Nov 2 07:55:54 mail3 sm-mta[20703]: nA27somI020703: forward <[email protected]> => [snip]
Nov 2 07:55:55 mail3 sm-mta[20703]: nA27somI020703: --- 250 2.1.5 <[email protected]>... Recipient ok
Nov 2 07:55:55 mail3 sm-mta[20703]: nA27somI020703: <-- DATA
Nov 2 07:55:55 mail3 sm-mta[20703]: nA27somI020703: --- 354 Enter mail, end with "." on a line by itself
Nov 2 07:55:55 mail3 sm-mta[20703]: nA27somI020703: from=<[email protected]>, size=4810, class=0, nrcpts=3, msgid=<20091102075451.8C47717A
Nov 2 07:55:55 mail3 sm-mta[20703]: nA27somI020703: Milter insert (0): header: Received-SPF: pass (mail3.jubileegroup.co.uk: domain of b...@bou
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somI020703: Milter add: header: X-Greylist: Recipient e-mail whitelisted, not delayed by milter-greyl
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somI020703: Milter insert (1): header: X-Virus-Status: Infected (Sanesecurity.Jurlbl.8643.UNOFFICIAL)
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somI020703: Milter: data, reject=554 5.7.1 Command rejected
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somI020703: to=[snip], delay=00:00:02, pri=94810, stat=Command rejected
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somI020703: --- 554 5.7.1 Command rejected (held)
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somJ020703: <-- QUIT
Nov 2 07:55:57 mail3 sm-mta[20703]: nA27somJ020703: --- 221 2.0.0 mail3.jubileegroup.co.uk closing connection
You'll need to start Sendmail with LogLevel 9 or above to get this
information. In my local copy of the "Bat Book" (ISBN 1-56592-222-0,
"Sendmail", 2nd edition 1997 from one of the O'Reilly Networking CDs)
this is in the "Logging and Statistics" chapter, section 26.1.3. All
administrators running Sendmail need access to a copy of the Bat Book.
You can find it online if you look hard enough.
--
73,
Ged.
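
Added example (not part of the message above, and not Sendmail or ClamAV code): a Python script that grabs the envelope sender and recipients from a log in the format shown above, for messages the milter marked as infected. It assumes one log entry per unwrapped line; the host name, addresses and queue IDs in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, same layout as the extract in the message above.
SAMPLE_LOG = """\
Nov  2 07:55:54 mx sm-mta[20703]: nA27AAAA020703: <-- MAIL FROM:<bounce@sender.example> SIZE=4927
Nov  2 07:55:54 mx sm-mta[20703]: nA27AAAA020703: <-- RCPT TO:<sales@example.org>
Nov  2 07:55:54 mx sm-mta[20703]: nA27AAAA020703: <-- RCPT TO:<info@example.org>
Nov  2 07:55:57 mx sm-mta[20703]: nA27AAAA020703: Milter insert (1): header: X-Virus-Status: Infected (Sanesecurity.Jurlbl.8643.UNOFFICIAL)
Nov  2 07:55:57 mx sm-mta[20703]: nA27AAAA020703: Milter: data, reject=554 5.7.1 Command rejected
Nov  2 07:56:10 mx sm-mta[20711]: nA27BBBB020711: <-- MAIL FROM:<alice@clean.example>
Nov  2 07:56:10 mx sm-mta[20711]: nA27BBBB020711: <-- RCPT TO:<sales@example.org>
Nov  2 07:56:11 mx sm-mta[20711]: nA27BBBB020711: Milter insert (1): header: X-Virus-Status: Clean
"""

# "Mon D HH:MM:SS host sm-mta[pid]: QUEUEID: rest of entry"
ENTRY = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sm-mta\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
# Client commands are logged with a leading "<--".
ADDR = re.compile(r"^<-- (?P<verb>MAIL FROM|RCPT TO):\s*<(?P<addr>[^>]*)>", re.I)
INFECTED = re.compile(r"X-Virus-Status: Infected \((?P<sig>[^)]+)\)")

def infected_recipients(log_text):
    """Return {queue_id: {"sender", "rcpts", "sig"}} for infected messages."""
    msgs = defaultdict(lambda: {"sender": None, "rcpts": [], "sig": None})
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # not an sm-mta entry, or a wrapped continuation line
        msg, rest = msgs[entry["qid"]], entry["rest"]
        addr = ADDR.match(rest)
        if addr and addr["verb"].upper() == "MAIL FROM":
            msg["sender"] = addr["addr"]
        elif addr:
            msg["rcpts"].append(addr["addr"])  # address as given in RCPT TO
        else:
            hit = INFECTED.search(rest)
            if hit:
                msg["sig"] = hit["sig"]
    # Keep only the queue IDs for which the milter reported an infection.
    return {qid: m for qid, m in msgs.items() if m["sig"]}

if __name__ == "__main__":
    for qid, m in infected_recipients(SAMPLE_LOG).items():
        print(qid, m["sig"], m["sender"], "->", ", ".join(m["rcpts"]))
```

The recipients reported are the addresses the client gave in RCPT TO, before any .forward expansion.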