On Sun, April 15, 2012 11:08, G.W. Haywood wrote:
> Hi there,
>
> On Sat, 14 Apr 2012, James B. Byrne wrote:
>
>> I have several MX servers running ClamAV in conjunction
>> with MailScanner and Sendmail or Amavisd-new and
>> Postfix.
>>
>> These machines forward logwatch reports to a central
>> email address on a daily basis. The delivery hub
>> also has clamd running.
>>
>> ... certain reports are being categorized as phishing
>> messages by clamd and thus the report never arrives.
>
> Could you disable the phishing checks on the hub?

That is what I ended up having to do, but only for the URL checks:
PhishingScanURLs no. The problem appears to be that the logwatch report
module for MailScanner sends the actual phishing URLs trapped at the
gateway as part of the report, with the results witnessed at the hub.

>> I have looked at the MailScanner rules and removed the
>> report delivery address from virus_scanning.
>
> It sounds reasonable, although I'd have said that in
> principle it would be better to whitelist a sender
> address, one which you only use internally and so will
> probably never be forged. That way you can
> change where you send the reports without changing your
> mail server's other configuration. However I've never
> used MailScanner and I can't claim to know.

The originating address was already whitelisted. In the event, exempting
the delivery address also had little effect.

>> Is there a way to avoid this for either one delivery
>> address or one sender's address?
>
> To do this you need to work on the mail server
> configuration, not on clamd's configuration.

As it turns out, when I successfully removed the delivery address from
MailScanner's attention, clamd caught the same file on disk in any case.
The only change was that the clamd log entry moved from /var/log/maillog
to /var/log/messages.

>> I have no desire to change things on a system-wide
>> basis. Is clamd actually scanning the same files twice?
>
> Well it does sound like you're scanning both on the mail
> exchangers and on the mail hub, which seems like a waste,
> but I don't think that's your question.

We have internal mail which does not pass through our external MX hosts.
Some of these are Microsoft systems and it is considered best to assume
that these are a potential source of compromise and thus everything
needs to be checked, incoming and outgoing, at the hub.

>> ... once when passed by MailScanner and then again
>> simply because the file is on disk?
>
> No, clamd only scans what it's told to scan by other
> software. By itself it does absolutely nothing except
> consume resources, by loading a database and sitting
> around as a process waiting for connections.

Well, I cannot seem to find a way to prevent clamd from scanning those
messages so in the end I had to partially turn off the phishing checks in
clamd itself. I cannot identify any resident filesystem scanner that uses
clamd but I find it odd that the clamd messages moved from maillog to
messages after I stopped scanning email to the delivery address.

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                 mailto:[email protected]
Harte & Lyne Limited           http://www.harte-lyne.ca
9 Brockley Drive               vox: +1 905 561 1241
Hamilton, Ontario              fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
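The root cause in this thread is that the logwatch report carries the live phishing URLs that the gateway trapped, so the hub's PhishingScanURLs heuristic fires on the report itself. An alternative to turning that check off hub-wide is to defang the URLs in the report before it is mailed, so the hub sees no live links. The following is an added example and is not code from the thread, MailScanner or ClamAV; the sample report lines are constructed.

```python
import re

# Matches http/https URLs as they typically appear in a logwatch report
# (one per token, terminated by whitespace or angle brackets).
URL_RE = re.compile(r"\bhttps?://[^\s<>]+", re.IGNORECASE)


def defang_url(url: str) -> str:
    """Neutralise one URL: 'hxxp' scheme and bracketed dots in the host.

    Only the host part is bracketed so the path stays readable for the
    analyst; the result no longer parses as a live link, so a URL-based
    phishing check has nothing to match.
    """
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    scheme = scheme.lower().replace("http", "hxxp")
    host = host.replace(".", "[.]")
    return f"{scheme}://{host}{sep}{path}"


def defang_report(text: str) -> str:
    """Defang every URL in a report body, leaving all other text intact."""
    return URL_RE.sub(lambda m: defang_url(m.group(0)), text)


# Constructed sample in the style of a MailScanner logwatch section
# (hostnames use the reserved .test TLD; nothing here is a real site).
SAMPLE_REPORT = """\
Phishing attempts blocked:
   2  http://login.example-bank.test/secure/verify.php?id=42
   1  https://paypa1.example.test/
"""

if __name__ == "__main__":
    print(defang_report(SAMPLE_REPORT))
```

A filter like this would sit between logwatch and the MTA on each MX host (for example as the command logwatch's output is piped through), leaving PhishingScanURLs enabled on the hub for real mail.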
