Re: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT

2004-03-22 Thread Krištof Petr
Ryan Moore wrote:

The sock file was defined with one name in sendmail.mc and another in the
configuration file for the milter itself. I made them the same and sendmail is
happy.

so what's supposed to happen when it detects a virus? When I send myself a
message with eicar.com attached,  this header gets added, but nothing is done:

X-Virus-Scanned: clamd / ClamAV version 0.70rc, clamav-milter version 0.70

clamav-milter is started with these parms:

/usr/sbin/clamav-milter -lo --max-children=10 --force-scan --quiet
--dont-log-clean --server=localhost local:/var/run/clamav/clamav-milter.sock

 


You probably want the -b option to reject the DATA phase of the SMTP 
session if the milter detects a virus. 


No, you don't need '-b option'.

Petr





---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT

2004-03-22 Thread Krištof Petr
Steven Stern wrote:

so what's supposed to happen when it detects a virus? When I send myself a
message with eicar.com attached,  this header gets added, but nothing is done:

What exactly does "nothing is done" mean?
Is the mail delivered to the recipient or is it rejected?

X-Virus-Scanned: clamd / ClamAV version 0.70rc, clamav-milter version 0.70

 

Be sure your virus db is up to date by running freshclam.

Petr





RE: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT

2004-03-22 Thread Nigel Horne
 You probably want the -b option to reject the DATA phase of the SMTP 
 session if the milter detects a virus. 

Using the -b option is not recommended.

-Nigel 




Re: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT

2004-03-22 Thread Steven Stern
On Mon, 22 Mar 2004 16:33:36 +0100, Krištof Petr [EMAIL PROTECTED]
wrote:


Be sure your virus db is up to date by running freshclam.

Petr

crontab -l
  [snip]
17 */4 * * * /usr/bin/freshclam --quiet -l /var/log/clam-update.log

--
   Steve
   




Re: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT

2004-03-22 Thread B. van Ouwerkerk

You probably want the -b option to reject the DATA phase of the SMTP 
session if the milter detects a virus.


No, you don't need '-b option'.
I'm new to Clamav but from the manpage it looks like -N would be more 
appropriate.
If I understand everything correctly then -b will bounce the message with 
virus to the sender. Given the high amount of spoofed senders this isn't a 
smart move since you may bounce a virus to a person who is not infected (yet).

-N, --noreject
This option causes clamav-milter to silently discard such messages.
See man clamav-milter for more information. It has been written for a good 
reason.



B. 





[Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT

2004-03-19 Thread Steven Stern
I am an idiot.

The sock file was defined with one name in sendmail.mc and another in the
configuration file for the milter itself. I made them the same and sendmail is
happy.


so what's supposed to happen when it detects a virus? When I send myself a
message with eicar.com attached,  this header gets added, but nothing is done:

X-Virus-Scanned: clamd / ClamAV version 0.70rc, clamav-milter version 0.70


clamav-milter is started with these parms:

/usr/sbin/clamav-milter -lo --max-children=10 --force-scan --quiet
--dont-log-clean --server=localhost local:/var/run/clamav/clamav-milter.sock

--
   Steve
   




Re: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT

2004-03-19 Thread Steven Stern
On Fri, 19 Mar 2004 17:51:11 -0500, Ryan Moore [EMAIL PROTECTED] wrote:



You probably want the -b option to reject the DATA phase of the SMTP 
session if the milter detects a virus.

I added the -b option to clamav-milter.

As root, I typed  cat eircar.com | mail steve -s test 

Sendmail didn't like it. There's got to be more to it, I think.

Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJw020091: from=root, size=97,
class=0, nrcpts=1, msgid=[EMAIL PROTECTED],
[EMAIL PROTECTED]
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSR020093:
from=[EMAIL PROTECTED], size=398, class=0, nrcpts=1,
msgid=[EMAIL PROTECTED], proto=ESMTP,
daemon=MTA, relay=ciscy.sterndata.com [127.0.0.1]
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSR020093: Milter: data,
reject=550 5.7.1 Virus detected by ClamAV - http://www.clamav.net

 OK, the milter sets the 550 code

Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSR020093:
to=[EMAIL PROTECTED], delay=00:00:00, pri=30398, stat=Virus detected
by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJw020091: to=steve, ctladdr=root
(0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30097,
relay=[127.0.0.1] [127.0.0.1], dsn=5.0.0, stat=Service unavailable
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJw020091: i2JNlWJx020091: DSN:
Service unavailable
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWST020093: from=, size=2019,
class=0, nrcpts=1, msgid=[EMAIL PROTECTED],
proto=ESMTP, daemon=MTA, relay=ciscy.sterndata.com [127.0.0.1]
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWST020093: Milter: data,
reject=550 5.7.1 Virus detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWST020093:
to=[EMAIL PROTECTED], delay=00:00:00, pri=32019, stat=Virus detected
by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJx020091: to=root,
delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31121, relay=[127.0.0.1]
[127.0.0.1], dsn=5.0.0, stat=Service unavailable
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJx020091: i2JNlWK0020091: return
to sender: Service unavailable

 but sendmail doesn't know what to do with it but we can see the virus
file continues to get passed around, getting passed through the milter again

Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSV020093: from=, size=3690,
class=0, nrcpts=1, msgid=[EMAIL PROTECTED],
proto=ESMTP, daemon=MTA, relay=ciscy.sterndata.com [127.0.0.1]
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSV020093: Milter: data,
reject=550 5.7.1 Virus detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSV020093:
to=[EMAIL PROTECTED], delay=00:00:00, pri=33690, stat=Virus
detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWK0020091: to=postmaster,
delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32145, relay=[127.0.0.1]
[127.0.0.1], dsn=5.0.0, stat=Service unavailable
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJx020091: Losing
./qfi2JNlWJx020091: savemail panic
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJx020091: SYSERR(root): savemail:
cannot save rejected email anywhere

*** and it's gone
--
   Steve
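
The sequence in the log above (a milter reject, the resulting DSN rejected in turn, then a savemail panic) can be picked out of a mail log mechanically. This is an added example, not part of the original thread: the function names are made up here, the sample is the log above with wrapped lines joined and fields trimmed, and the parent/child linking assumes the "qid: qid: DSN:" and "return to sender:" line forms seen in that log.

```python
import re

# Constructed sample: the log above with wrapped lines joined and some
# fields trimmed; queue IDs and status texts are the thread's own.
SAMPLE_LOG = """\
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSR020093: Milter: data, reject=550 5.7.1 Virus detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJw020091: to=steve, ctladdr=root (0/0), mailer=relay, dsn=5.0.0, stat=Service unavailable
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJw020091: i2JNlWJx020091: DSN: Service unavailable
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWST020093: Milter: data, reject=550 5.7.1 Virus detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJx020091: i2JNlWK0020091: return to sender: Service unavailable
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSV020093: Milter: data, reject=550 5.7.1 Virus detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJx020091: Losing ./qfi2JNlWJx020091: savemail panic
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
REJECT = re.compile(r"Milter: \w+, reject=(\d{3}) ")
BOUNCE = re.compile(r"(\w+): (?:DSN|return to sender): ")

def trace(log_text):
    """Return (milter rejects, parent->bounce queue-ID map, lost queue IDs)."""
    rejects, bounces, lost = [], {}, []
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        qid, rest = entry.groups()
        if m := REJECT.match(rest):
            rejects.append((qid, m.group(1)))   # (queue ID, SMTP reply code)
        elif m := BOUNCE.match(rest):
            bounces[qid] = m.group(1)           # this message spawned a bounce
        elif "savemail panic" in rest:
            lost.append(qid)                    # sendmail gave up on this one
    return rejects, bounces, lost

def bounce_chains(bounces):
    """Follow original -> DSN -> double-bounce links from each root message."""
    chains = []
    for root in (q for q in bounces if q not in bounces.values()):
        chain = [root]
        while chain[-1] in bounces and bounces[chain[-1]] not in chain:
            chain.append(bounces[chain[-1]])
        chains.append(chain)
    return chains

def summarize(log_text):
    """Report chains where a bounce was itself bounced and a message was lost."""
    rejects, bounces, lost = trace(log_text)
    loops = [c for c in bounce_chains(bounces) if len(c) > 2 and set(c[1:]) & set(lost)]
    return {"milter_rejects": len(rejects), "loops": loops, "lost": lost}
```

A non-empty "loops" list on a real log means locally generated bounces are being fed back through the milter, which is the situation described in the message above.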
   




Re: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT

2004-03-19 Thread Ryan Moore
Steven Stern wrote:
On Fri, 19 Mar 2004 17:55:03 -0600, Steven Stern
[EMAIL PROTECTED] wrote:


It works appropriately if the mail comes from an external server. I'm leaving
-b in place and will see how it goes for a while.
--
   Steve
   


Yeah, that's how we do it here, I wasn't thinking of mail being delivered 
locally (or how it would handle that). Our sendmail box is just a relay 
gateway for a few rbls and milters before being passed onto 
spamassassin/amavisd and a pop3 server.

--
Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net

