I'm stumped...
What difference does clamdscan see when invoked from clamav-milter and when invoked via mimedefang ?
I'm using the stock mimedefang-filter
I've just converted from running spamass-milter + clamav-milter to mimedefang (running all three at first, to ensure things are working).
I've now removed spamass-milter as the mimedefang integration is workin well in that regard.
I've not been able to remove the subsequent clamav-milter as of yet because it is catching viruses that it doesn't when invoked by mimedefang ?!?
You need to look at your mimedefang-filter. Mime defang is just a perl program that breaks up email into mime parts and gives you the ability to do things with those mime parts. This is what makes mimedefang so wonderful, it gives you complete control over your email in perl syntax, and without the typical perl performance hit to boot. It's a beautiful thing!!!
That said, if it's not doing what you want, then you need to update your mimedefang-filter and tell it what you want to do.
Older versions of mimedefang passed each attachment to clamd for scanning, but there are viruses out there that break the MIME rfc so mimedefang doesn't break out the attachment because it isn't valid. Since the scanmail feature in clamd is specifically designed to detect viruses despite broken mime you may want to add:
md_copy_orig_msg_to_work_dir_as_mbox_file();
to the top of your filter_begin() rule add enable scanmail in your clamd.conf. This will tell mime-defang to put the complete message in mbox format in the tmp extraction dir before calling clamd which will find the virus in the mbox file. This is really a better solution anyway because you have two mime implementations parsing the message.
Another way around this (better?) is to use the action_rebuild() function to tell mimedefang to rebuild each message with a valid mime format. This may cause things to break for clients that do not produce valid mime messages, but it can stop a lot problems. It's your call (as David puts it).
HTH,
schu _______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
