Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/23/2015 02:27 PM, Ian Eiloart wrote:
> If your goal is to separate authenticated from unauthenticated mail, the place to do it is not at the port, but at the IP address. Use a different server, and publish new MX records. Here, we don't use a different physical server, we have two IP addresses on one physical interface, and separate Exim processes listening on the different IP addresses:

It's not exactly why I wrote to the list, but this would certainly make things a bit easier. Thanks, I'll definitely take that into consideration.

> The process configured to use mx.example.com would listen only on port 25
>
> The process configured to use msa.example.com (or more likely smtp.example.com to satisfy some autoconfiguration algorithms) would listen on ports 587, 25, and 465 (unfortunately, there are still clients that like to use this port for ssl-on-connect)

I disabled port 465 a while ago. However, I still have clients authenticating on port 25, which I learned is the default port for some applications when setting up STARTTLS (e.g. the Android AOSP mail client). This configuration would make things easier...

> Of course, our documentation and autoconfiguration servers all recommend port 587, but there's no harm in (for example) local clients using port 25.
>
> I don't use Postfix, so I don't know whether you can configure it to listen only on one virtual interface. If not, you may need two physical hosts, or you might be able to do this on one host by virtualising your servers.

Postfix natively supports multi-instance setups.

Daniel

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 22 Feb 2015, at 02:13, Daniel Spies ds20150222c...@pskx.net wrote:
> On 02/22/2015 02:47 AM, Noel Jones wrote:
>> Anyway, if your goal is to disable scanning on submission, it's probably best to edit the master.cf submission service to not call clamav-milter at all. (I would strongly recommend scanning all mail, but that's a local policy decision)
>
> As already suspected below, I still have a few clients who are sending e-mail to port 25. I would like to disable authentication for port 25 but it's no option at the moment.

If your goal is to separate authenticated from unauthenticated mail, the place to do it is not at the port, but at the IP address. Use a different server, and publish new MX records. Here, we don't use a different physical server, we have two IP addresses on one physical interface, and separate Exim processes listening on the different IP addresses:

The process configured to use mx.example.com would listen only on port 25

The process configured to use msa.example.com (or more likely smtp.example.com to satisfy some autoconfiguration algorithms) would listen on ports 587, 25, and 465 (unfortunately, there are still clients that like to use this port for ssl-on-connect)

Of course, our documentation and autoconfiguration servers all recommend port 587, but there's no harm in (for example) local clients using port 25.

I don't use Postfix, so I don't know whether you can configure it to listen only on one virtual interface. If not, you may need two physical hosts, or you might be able to do this on one host by virtualising your servers.

-- 
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 23.02.15 14:46, Daniel Spies wrote:
> On 02/23/2015 02:27 PM, Ian Eiloart wrote:
>> The process configured to use msa.example.com (or more likely smtp.example.com to satisfy some autoconfiguration algorithms) would listen on ports 587, 25, and 465 (unfortunately, there are still clients that like to use this port for ssl-on-connect)
>
> I disabled port 465 a while ago.

just a week or two ago I read discussion where the 465 was preferred, because SSL is mandatory there, so there's no chance for clients to authenticate without SSL encryption. ...just FYI.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On Monday, February 23, 2015 03:35:57 PM Matus UHLAR - fantomas wrote:
> On 23.02.15 14:46, Daniel Spies wrote:
>> On 02/23/2015 02:27 PM, Ian Eiloart wrote:
>>> The process configured to use msa.example.com (or more likely smtp.example.com to satisfy some autoconfiguration algorithms) would listen on ports 587, 25, and 465 (unfortunately, there are still clients that like to use this port for ssl-on-connect)
>>
>> I disabled port 465 a while ago.
>
> just a week or two ago I read discussion where the 465 was preferred, because SSL is mandatory there, so there's no chance for clients to authenticate without SSL encryption. ...just FYI.

SMTPS (which is what you use on port 465) is an obsolete protocol that there's no need to support unless you need to deal with old Microsoft Outlook/OE versions. SMTP+TLS on port 587 is the modern solution. You should configure your MTA not to accept unencrypted connections on port 587.

Scott K
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/23/2015 03:35 PM, Matus UHLAR - fantomas wrote:
> just a week or two ago I read discussion where the 465 was preferred, because SSL is mandatory there, so there's no chance for clients to authenticate without SSL encryption. ...just FYI.

Encryption in my setup is mandatory, too. I just don't allow connections to the deprecated port 465 (see [1] for an explanation). Clients are only allowed to authenticate after STARTTLS on port 587 or (unfortunately) port 25.

[1] http://stackoverflow.com/a/19942206
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 23.02.15 09:45, Scott Kitterman wrote:
> On Monday, February 23, 2015 03:35:57 PM Matus UHLAR - fantomas wrote:
>> On 23.02.15 14:46, Daniel Spies wrote:
>>> On 02/23/2015 02:27 PM, Ian Eiloart wrote:
>>>> The process configured to use msa.example.com (or more likely smtp.example.com to satisfy some autoconfiguration algorithms) would listen on ports 587, 25, and 465 (unfortunately, there are still clients that like to use this port for ssl-on-connect)
>>>
>>> I disabled port 465 a while ago.
>>
>> just a week or two ago I read discussion where the 465 was preferred, because SSL is mandatory there, so there's no chance for clients to authenticate without SSL encryption. ...just FYI.
>
> SMTPS (which is what you use on port 465) is an obsolete protocol that there's no need to support unless you need to deal with old Microsoft Outlook/OE versions.

I know.

> SMTP+TLS on port 587 is the modern solution.

I have just explained that I have _read_ the opinion of someone who preferred SMTPS and why they did. You can read it at: http://sourceforge.net/p/courier/mailman/message/33365926/ and, please, discuss on courier-users with the original posters, not me.

> You should configure your MTA not to accept unencrypted connections on port 587.

Why do you tell _me_? I encountered an issue with submission/starttls a few years ago, so, when I configure mail submission, I set up both submission+starttls and smtps.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux - It's now safe to turn on your computer.
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 23.02.15 15:45, Daniel Spies wrote:
> On 02/23/2015 03:35 PM, Matus UHLAR - fantomas wrote:
>> just a week or two ago I read discussion where the 465 was preferred, because SSL is mandatory there, so there's no chance for clients to authenticate without SSL encryption. ...just FYI.
>
> Encryption in my setup is mandatory, too. I just don't allow connections to the deprecated port 465 (see [1] for an explanation). Clients are only allowed to authenticate after STARTTLS on port 587 or (unfortunately) port 25.
>
> [1] http://stackoverflow.com/a/19942206

read the contrary opinion at: http://sourceforge.net/p/courier/mailman/message/33365647/ (in another mail I have posted the next mail in the thread, but this one also contains interesting information)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
M$ Win's are shit, do not use it !
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
Daniel Spies ds20150222c...@pskx.net wrote:
> I don't get how you find it more appropriate to silently reject someone's e-mail

I don't. I don't know where you got that from - perhaps it's from seeing so many examples of bad practice that's become the norm so you assume everyone is that bad?
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 2/22/2015 12:18 AM, Benny Pedersen wrote:
> Daniel Spies skrev den 2015-02-22 03:19:
>> Yes, but I have (still) enabled sending e-mail to port 25. This would only work for submission (see my other e-mail).
>
> yes i remember that problem here as well, so far i think postfix does not honour it to disable smtp auth on port 25 while have it enabled on other ports :(

It's easy to offer AUTH on selected ports in postfix.

  # main.cf
  smtpd_sasl_auth_enable = no

  # master.cf
  submission ...
    ... smtpd_sasl_auth_enable=yes

But this is OT here. For further details, feel free to ask on the postfix-users list.

-- 
Noel Jones
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
Daniel Spies ds20150222c...@pskx.net wrote:
> In my opinion, it doesn't make any sense to scan e-mail leaving the server. The recipient will never trust these tags anyway. So why scan at all? It's important to scan incoming mail, be it from a local or an external client.

I disagree. Recipients may not trust the tags, but it *should* stop outbound spam/infected mail should your machine (or one of the clients) get compromised. IMO spam and malware is not just something to stop coming in, it's something to prevent going out - if more networks prevented it going out then there'd be less of a problem.

On my systems I scan *everything*, and I firewall off everything I can - including preventing outbound connections to port 25.

At work I run mail servers that are used by customers - including as smart relays. It's not all that uncommon to find one of the customers compromised and sending out thousands (or millions) of spam emails - so my latest server also does rate limiting to limit the damage done before it gets spotted and blocked.
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/22/2015 10:08 AM, Simon Hobson wrote:
> Recipients may not trust the tags, but it *should* stop outbound spam/infected mail should your machine (or one of the clients) get compromised. IMO spam and malware is not just something to stop coming in, it's something to prevent going out - if more networks prevented it going out then there'd be less of a problem.

It's not always black and white. I assume you're responsible for the clients you're talking about, i.e. they are your customers or colleagues. While spoon-feeding colleagues or customers may be okay for the sake of security, my clients would certainly raise hell if they received errors due to false positives. Most people expect their system to just work -- no matter what.

By the way: I don't even reject virus/spam mail, I just tag them. If a client is dumb enough to open the attachment of a tagged e-mail, so be it.

> On my systems I scan *everything*, and I firewall off everything I can - including preventing outbound connections to port 25.

I am not in the situation where all my clients sit in a firewalled private network; it's more the free-mail kind of situation. What and when my clients send e-mail is none of my concern, as long as they do it in common dimensions, i.e. in a way that matches a real person.

> At work I run mail servers that are used by customers - including as smart relays. It's not all that uncommon to find one of the customers compromised and sending out thousands (or millions) of spam emails - so my latest server also does rate limiting to limit the damage done before it gets spotted and blocked.

Rate limiting is certainly a good idea to mitigate the damage that's being done by a compromised client. Manual intervention might still be necessary, possibly after automated sanctions (e.g. consistently lowering the rate limit for a misbehaving client). However, rejecting outgoing e-mail right away is not an option, which ultimately makes the scanning of these messages redundant.
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
OK, this is getting well off-topic for this list, this will be my final say on the matter - and from some of the other comments I see I'm not alone in considering you part of the problem.

Daniel Spies ds20150222c...@pskx.net wrote:
>> Recipients may not trust the tags, but it *should* stop outbound spam/infected mail should your machine (or one of the clients) get compromised. IMO spam and malware is not just something to stop coming in, it's something to prevent going out - if more networks prevented it going out then there'd be less of a problem.
>
> It's not always black and white. I assume you're responsible for the clients you're talking about, i.e. they are your customers or colleagues.

It varies, but in the general case they may be managed customers (where we look after the network, servers, and clients) through to customers only in that they use our mail servers. Regardless, all mail they send through my servers is scanned - and I do block anything that reaches a sufficient spamminess score or fails the AV checks.

> While spoon-feeding colleagues or customers may be okay for the sake of security, my clients would certainly raise hell if they received errors due to false positives. Most people expect their system to just work -- no matter what.

Which is one reason it's very important to make sure you are not part of the problem. Allowing a customer to send nasties through your mail server is a good way of getting it blacklisted - and then it certainly doesn't just work. I can assure you that when your server gets on a blacklist, your customers do complain - and they complain a lot louder than if you block one or two spammy messages. The best way to stay off blacklists is to block spam and nasties at source - not just rely on the recipient to catch it later ...

> By the way: I don't even reject virus/spam mail, I just tag them. If a client is dumb enough to open the attachment of a tagged e-mail, so be it.

So you are part of the problem.

It's already been said that tagging is meaningless - yet you assume it's reasonable to expect others to act on your tags.

>> On my systems I scan *everything*, and I firewall off everything I can - including preventing outbound connections to port 25.
>
> I am not in the situation where all my clients sit in a firewalled private network; it's more the free-mail kind of situation. What and when my clients send e-mail is none of my concern, as long as they do it in common dimensions, i.e. in a way that matches a real person.

Most of the customers are also not on managed networks. But on my own systems I block outbound connections to port 25 other than what's needed (actually, I mostly have a block everything and allow what's needed policy). It's all part of a layered approach - you protect your systems, but you also add a layer that limits the damage if they do get compromised.

> However, rejecting outgoing e-mail right away is not an option, which ultimately makes the scanning of these messages redundant.

Which makes you part of the problem.
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/22/2015 07:13 PM, Matus UHLAR - fantomas wrote:
> sure it makes sense to scan outgoing mail.

Maybe in a company network, yes. But I don't care for the computers of my clients -- these are their computers. *If* they get infected somehow, I have measures to stop them from doing harm through my servers.

> the tags never make sense. Turn them off by setting AddHeader no to clamav-milter.conf, but not by not scanning the mail.

But if I *don't* reject e-mail, the incoming tag makes sense to inform a client about the virus/phishing/spam status. The outgoing scan and tag both make no sense, given the fact that I don't want to reject outgoing mail.
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 2/22/15 12:32 PM, Daniel Spies wrote:
> On 02/22/2015 09:18 PM, Dennis Peterson wrote:
>> While I disagree with everything you've said I am glad you've spoken out. My job would be far easier if everyone did so.
>
> Could you be more precise? The quintessence of my last message was:
>
> 1. A company network is different, one has to care for the clients
> 2. I don't care for my clients = I don't need to reject viruses/spam
> 3. I don't reject incoming mail = tagging makes sense to inform clients
> 4. I don't reject outgoing e-mail = scan/tag makes no sense at all
>
> So, you disagree with all of these points? I am almost certain there is a misunderstanding.

I do. And I disagree with your conclusion there has been a misunderstanding. There is none on my part, at least. I'm unconflicted regarding my responsibility to my clients, customers, and internet messaging peers. It is a big tent though and there is ample room for disagreement and, of course, consequences resulting from our decisions.

dp
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/22/2015 10:43 PM, Simon Hobson wrote:
> OK, this is getting well off-topic for this list, this will be my final say on the matter

Agreed.

> Which is one reason it's very important to make sure you are not part of the problem. Allowing a customer to send nasties through your mail server is a good way of getting it blacklisted - and then it certainly doesn't just work. I can assure you that when your server gets on a blacklist, your customers do complain - and they complain a lot louder than if you block one or two spammy messages. The best way to stay off blacklists is to block spam and nasties at source - not just rely on the recipient to catch it later ...

It may be *one* way but it's certainly not the *best* way. In order to get blacklisted, your server would have to send at least a decent amount of nasties. To prevent that, you could either take the easy road and just reject your customers' mail or you could sanction those specific customers who are the actual cause. In the former case I'd accuse you of being lazy, just as you accuse me of being part of some problem. Don't get me wrong: I don't say it's impossible to get blacklisted -- I say there are more sophisticated approaches to prevent being blacklisted.

>> By the way: I don't even reject virus/spam mail, I just tag them. If a client is dumb enough to open the attachment of a tagged e-mail, so be it.
>
> So you are part of the problem.
>
> It's already been said that tagging is meaningless - yet you assume it's reasonable to expect others to act on your tags.

It seems you got something wrong: Tagging of outgoing e-mails is meaningless because the recipient will not pay any attention to the tags. Tagging of incoming e-mail, however, is a way of telling your client "There is something wrong with that e-mail. Therefore, I put it into your Junk folder; better don't open it. If you still do, it's all your fault." I don't get how you find it more appropriate to silently reject someone's e-mail, be it infected or not.

I also don't get how you can be so disrespectful and declare me part of some problem for the second time. It appears to me as if this is more of a personal problem for you.

> Most of the customers are also not on managed networks. But on my own systems I block outbound connections to port 25 other than what's needed (actually, I mostly have a block everything and allow what's needed policy). It's all part of a layered approach - you protect your systems, but you also add a layer that limits the damage if they do get compromised.

Again: this scenario does not apply to me. But, for what it's worth, let's assume one of your clients gets infected by a false negative (all because you failed to raise your clients' awareness and gave them a false sense of security by silently rejecting mail). This infected client does two things: It tries to send spam through port 25 and gathers information (keylogger/passwords, emails, internal information, etc.) to upload it via https. The only way you would notice the latter is by analyzing logs and thereby discovering the former. But you just silently dropped all those packets... Or is your answer to simply block port 443 as well?

>> However, rejecting outgoing e-mail right away is not an option, which ultimately makes the scanning of these messages redundant.
>
> Which makes you part of the problem.

Maybe you should rather start educating people than infantilize them. Ask them to take over responsibility for their computers, to think twice before opening attachments, especially if the mail is *not* stored in the Junk folder. Let them send whatever they want, and check your logs to find those clients who don't play along. Most of all though: Stop insulting strangers on the internet by calling them part of a problem that you and a few others made up. Or, at least define what that supposed problem is.
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 2/21/2015 7:28 PM, Daniel Spies wrote:
> On 02/22/2015 01:54 AM, Benny Pedersen wrote:
>> LocalNet localdomain
>
> This gives no error, but clamav-milter is still scanning/tagging outgoing e-mail. I'm sending e-mail from port 587 (smtp/submission, postfix).

The originating client is the system connecting to submission, not localhost.

Anyway, if your goal is to disable scanning on submission, it's probably best to edit the master.cf submission service to not call clamav-milter at all. (I would strongly recommend scanning all mail, but that's a local policy decision)

  # master.cf
  ...
  submission    smtpd
      ... other stuff
      smtpd_milters=

ie. set smtpd_milters empty for that service.

If you need to do this in clamav-milter, such as if you need to do this for port 25 as well as submission, you should probably look at the SkipAuthenticated option.

-- 
Noel Jones
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/22/2015 02:47 AM, Noel Jones wrote:
> Anyway, if your goal is to disable scanning on submission, it's probably best to edit the master.cf submission service to not call clamav-milter at all. (I would strongly recommend scanning all mail, but that's a local policy decision)

As already suspected below, I still have a few clients who are sending e-mail to port 25. I would like to disable authentication for port 25 but it's no option at the moment.

> If you need to do this in clamav-milter, such as if you need to do this for port 25 as well as submission, you should probably look at the SkipAuthenticated option.

SkipAuthenticated ^.*$ does what I want, thank you!

Well, actually it would be perfect if incoming local mail would be scanned too, i.e.

  sending auth mail from any port - DO NOT SCAN
  receiving mail (port 25)        - SCAN

In my opinion, it doesn't make any sense to scan e-mail leaving the server. The recipient will never trust these tags anyway. So why scan at all? It's important to scan incoming mail, be it from a local or an external client.

Daniel
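As an added example (not configuration posted by anyone in this thread), here is how the pieces discussed above fit together: Ian's one-IP-per-role layout, Noel's per-service AUTH and milter overrides in master.cf, and Daniel's SkipAuthenticated for clients that still authenticate on port 25. The 192.0.2.x addresses (documentation range) and the milter socket are assumptions; substitute your own.

```conf
# ---- /etc/postfix/main.cf ----
# No milter and no AUTH by default; each master.cf service opts in below.
smtpd_milters            =
non_smtpd_milters        =
smtpd_sasl_auth_enable   = no
smtpd_tls_security_level = may

# ---- /etc/postfix/master.cf ----
# The service name may be address:port, so each role gets its own listener
# on its own IP (assumed addresses: 192.0.2.25 = MX, 192.0.2.87 = MSA).

# MX listener: port 25, unauthenticated, everything scanned by clamav-milter.
192.0.2.25:smtp inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/mx
  -o smtpd_sasl_auth_enable=no
  -o smtpd_milters=inet:localhost:7357

# Submission listener: AUTH only after STARTTLS, no milter attached at all.
192.0.2.87:submission inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=

# Port 25 on the MSA address, for clients that still authenticate there:
# AUTH is offered only inside TLS, and the milter stays attached so that
# unauthenticated mail reaching this port is scanned; authenticated mail is
# excluded on the clamav-milter side (SkipAuthenticated below).
192.0.2.87:smtp inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/msa25
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_milters=inet:localhost:7357

# ---- /etc/clamav/clamav-milter.conf ----
# Assumed socket; must match the smtpd_milters values above.
MilterSocket inet:7357@localhost
# LocalNet can be repeated; one host/network per line.
LocalNet local
LocalNet 127.0.0.1/32
LocalNet ::1/128
# Do not scan mail from SASL-authenticated users, whatever port they used.
SkipAuthenticated ^.*$
```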
[clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
Hello,

what is the correct way to prevent clamav-milter (0.98.5 in Debian Wheezy) from scanning and tagging _outgoing_ e-mail? I assumed it was the LocalNet option; however, I did not manage to get it to work.

Here is the man entry:

  LocalNet STRING
      Messages originating from these hosts/networks will not be scanned. This option takes a host(name)/mask pair in CIDR notation and can be repeated several times. If /mask is omitted, a host is assumed. To specify a locally originated, non-smtp, email use the keyword "local"
      Default: unset (scan everything regardless of the origin)

Here is what I tried:

  LocalNet 127.0.0.1/32 ::1/128 local
      clamav-milter: ERROR: Can't resolve LocalNet hostname 127.0.0.1/32 ::1
  LocalNet 127.0.0.1/32 ::1/128
      clamav-milter: ERROR: Can't resolve LocalNet hostname 127.0.0.1/32 ::1
  LocalNet 127.0.0.1/32
      OK, BUT scan/tag happens
  LocalNet ::1/128
      OK, BUT scan/tag happens
  LocalNet local
      OK, BUT scan/tag happens
  LocalNet 127.0.0.1
      OK, BUT scan/tag happens
  LocalNet local
      OK, BUT scan/tag happens
  LocalNet local 127.0.0.1 ::1
      clamav-milter: ERROR: Can't resolve LocalNet hostname local 127.0.0.1 ::1
  LocalNet 127.0.0.1 ::1 local
      OK, BUT scan/tag happens

Any help is greatly appreciated.

Daniel
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
Daniel Spies skrev den 2015-02-22 03:19:
> Yes, but I have (still) enabled sending e-mail to port 25. This would only work for submission (see my other e-mail).

yes i remember that problem here as well, so far i think postfix does not honour it to disable smtp auth on port 25 while have it enabled on other ports :(

at least i see AUTH discarded in skip ehlo, prefer to keep STARTTLS on :=) but postfix keeps AUTH, don't flame me, but test it, if 3 or more can confirm it then we can possibly report this problem on the postfix maillist

>> note check man resolv.conf for inet6, and or /etc/gai.conf eg make sure ipv4 first for non routable ips
>
> Do you mean I should add IPv4 addresses first to the LocalNet option?

if its more simple to make all ipv6 addresses resolve with local TLD no problem :=)
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 02/22/2015 01:54 AM, Benny Pedersen wrote:
> LocalNet localdomain

This gives no error, but clamav-milter is still scanning/tagging outgoing e-mail. I'm sending e-mail from port 587 (smtp/submission, postfix).

> PS: why does 127.0.0.1 not resolve ?

It does though:

  LocalNet 127.0.0.1 -- OK, BUT scan/tag happens

Or do you mean something else?

> post /etc/hosts for more help :=)

  # IPv4
  127.0.0.1 localhost.localdomain localhost
  175.8.41.129 sub.example.com sub
  #
  # IPv6
  ::1 ip6-localhost ip6-loopback
  fe00::0 ip6-localnet
  ff00::0 ip6-mcastprefix
  ff02::1 ip6-allnodes
  ff02::2 ip6-allrouters
  ff02::3 ip6-allhosts
  2b01:4c7:250:41ad::2 sub.example.com sub

> is the client ip in clamav-milter really in local domain ip listed ?

Maybe LocalNet is the wrong option (?) but how else would I stop clamav-milter from scanning outgoing e-mail then?

> check whitelist sender in clamav milter conf if its just to have system users not scanned, if its users that have @ in username use smtp auth

There is no whitelist so far.

Thanks for your quick reply!
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
Daniel Spies skrev den 2015-02-22 02:28:
> Maybe LocalNet is the wrong option (?) but how else would I stop clamav-milter from scanning outgoing e-mail then?

in postfix master.cf:

for the pickup add -o non_smtpd_milters= eg no milter for this service

or much better don't add milters in main.cf, but only in master.cf for the incoming service port 25

note check man resolv.conf for inet6, and or /etc/gai.conf eg make sure ipv4 first for non routable ips