Bug#823864: [pkg-lxc-devel] Bug#823864: Bug#823864: libpam-cgfs: installing libpam-cgfs from backport on stable prevent session from opening
Hi Evgeni

I confirm that I can't reproduce the bug with kernel linux-image-4.6.0-0.bpo.1-amd64 4.6.1-1~bpo8+1

I had no opportunity to look at stretch for the moment

I have no issue with the bug being closed since upgrading backport kernel solves the problem.

Thanks for your efforts

Best regards
Xavier
--
Xavier Quost
Bug#823864: [pkg-lxc-devel] Bug#823864: libpam-cgfs: installing libpam-cgfs from backport on stable prevent session from opening
You have done most of the work

Thank you
--
Xavier Quost

> On 16 June 2016 at 21:00, Evgeni Golov <evg...@golov.de> wrote:
>
> Hi,
>
> On Sun, Jun 05, 2016 at 05:41:58PM +0200, Xavier Quost wrote:
>
>>> Any pointers how to reproduce your setup would be awesome.
>>
>> Yes, and good news, I was able to precise the problem and to reproduce it on
>> another jessie + backports box :
>>
>> To reproduce the problem, both boxes need :
>> (1) sysinit (no systemd) as system startup
>> (2) cgroupfs-mount installed
>
> One thing was missing from that list: libpam-systemd.
> I was able to reproduce this by taking a plain jessie vm and installing the
> following:
> - libpam-cgfs
> - cgroupfs-mount
> - sysvinit-core
> - libpam-systemd
> - linux-image-4.5.0-0.bpo.2-amd64
>
> Not using kernel 4.5.x does not trigger the issue.
>
>> Please, what would be the following steps ?
>
> I guess this is an issue somewhere between the new cgroups in 4.5 and
> systemd-shim.
> I'll try to pinpoint that further when I have some time.
>
> Thanks a lot for the report and helping to debug it so far!
>
> Greets
> Evgeni
Bug#823864: [pkg-lxc-devel] Bug#823864: libpam-cgfs: installing libpam-cgfs from backport on stable prevent session from opening
Hi Evgeni

Still sorry for this late answer, I'm back home now and will be able to answer more quickly.

>Any pointers how to reproduce your setup would be awesome.

Yes, and good news, I was able to precise the problem and to reproduce it on another jessie + backports box :

To reproduce the problem, both boxes need :
(1) sysinit (no systemd) as system startup
(2) cgroupfs-mount installed

Both boxes use kernel 4.5.0-0.bpo.2-amd64

# dpkg --list | grep cgroup
ii  cgmanager            0.33-2+deb8u2   amd64  Central cgroup manager daemon
ii  cgroup-bin           0.41-6          all    control and monitor control groups (transitional package)
ii  cgroup-tools         0.41-6          amd64  control and monitor control groups (tools)
ii  cgroupfs-mount       1.1             all    Light-weight package to set up cgroupfs mounts
ii  libcgmanager0:amd64  0.33-2+deb8u2   amd64  Central cgroup manager daemon (client library)
ii  libcgroup1:amd64     0.41-6          amd64  control and monitor control groups (library)
ii  libpam-cgfs          2.0.0-3~bpo8+1  amd64  PAM module for managing cgroups for LXC

# dpkg --list | grep sysvi
ii  sysvinit-core   2.88dsf-59    amd64  System-V-like init utilities
ii  sysvinit-utils  2.88dsf-59.3  amd64  System-V-like utilities

# stat /proc/1/exe
Fichier : « /proc/1/exe » -> « /sbin/init »
Taille : 0 Blocs : 0 Blocs d'E/S : 1024 lien symbolique
Périphérique : 4h/4d Inœud : 14273 Liens : 1
Accès : (0777/lrwxrwxrwx) UID : (0/root) GID : (0/root)
Accès : 2016-06-05 16:32:37.623997097 +0200
Modif. : 2016-06-05 16:32:37.619997096 +0200
Changt : 2016-06-05 16:32:37.619997096 +0200
Créé : -

cgroupfs-mount changes the /sys/fs/cgroup mount point

without this package :

# mount |grep "/sys/"
pstore on /sys/fs/pstore type pstore (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,size=12k)

with this package

# mount |grep "/sys/"
pstore on /sys/fs/pstore type pstore (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,size=12k)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuset,clone_children)
cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu,release_agent=/run/cgmanager/agents/cgm-release-agent.cpu)
cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,relatime,cpuacct,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuacct)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,relatime,blkio,release_agent=/run/cgmanager/agents/cgm-release-agent.blkio)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices,release_agent=/run/cgmanager/agents/cgm-release-agent.devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer,release_agent=/run/cgmanager/agents/cgm-release-agent.freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,relatime,net_cls,release_agent=/run/cgmanager/agents/cgm-release-agent.net_cls)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event)
cgroup on /sys/fs/cgroup/net_prio type cgroup (rw,relatime,net_prio,release_agent=/run/cgmanager/agents/cgm-release-agent.net_prio)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids)

I don't remember why this package was originally installed; I guess I was trying to install unprivileged lxc on the box.
I will retrace a step by step installation without this package to check if it's required for this purpose

Please, what would be the following steps ?

Thanks,
Best regards
XQ
Bug#823864: [pkg-lxc-devel] Bug#823864: libpam-cgfs: installing libpam-cgfs from backport on stable prevent session from opening
Hi Evgeni

Sorry for this late answer.

> Strictly speaking bugs about backports should go to
> debian-backports@l.d.o and not the BTS, but I personally do not care, so
> let's keep it here for now.

Ok I will keep this in mind.

> Could you still provide snippets of auth.log and messages around that
> time? Just to crosscheck.

Here are auth.log with libpam-cgfs installed

May 19 11:37:31 pc251270 saslauthd[1938]: detach_tty : master pid is: 1938
May 19 11:37:31 pc251270 saslauthd[1938]: ipc_init: listening on socket: /var/run/saslauthd/mux
May 19 11:37:31 pc251270 sshd[2371]: Server listening on 0.0.0.0 port 22.
May 19 11:37:31 pc251270 sshd[2371]: Server listening on :: port 22.
May 19 11:37:32 pc251270 sshd[2371]: Received signal 15; terminating.
May 19 11:37:32 pc251270 sshd[3058]: Server listening on 0.0.0.0 port 22.
May 19 11:37:32 pc251270 sshd[3058]: Server listening on :: port 22.
May 19 11:37:49 pc251270 kdm: :0[3246]: pam_unix(kdm:session): session opened for user xquost by (uid=0)
May 19 11:37:55 pc251270 login[3763]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 19 11:37:55 pc251270 login[3801]: ROOT LOGIN on '/dev/tty1'
May 19 11:38:01 pc251270 login[3804]: pam_unix(login:session): session opened for user xquost by LOGIN(uid=0)
May 19 11:38:05 pc251270 login[3814]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=root
May 19 11:38:08 pc251270 login[3814]: FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
May 19 11:38:14 pc251270 login[3814]: FAILED LOGIN (2) on '/dev/tty1' FOR 'root', Authentication failure
May 19 11:38:19 pc251270 login[3814]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 19 11:38:19 pc251270 login[3823]: ROOT LOGIN on '/dev/tty1'
May 19 11:38:29 pc251270 saslauthd[1938]: server_exit : master exited: 1938
May 19 11:38:30 pc251270 sshd[3058]: Received signal 15; terminating.

As I was saying auth.log shows normal login (NB 2 false passwords as root to ease the research in log file)

Here are auth.log with libpam-cgfs uninstalled

May 19 11:40:00 pc251270 saslauthd[2063]: detach_tty : master pid is: 2063
May 19 11:40:00 pc251270 saslauthd[2063]: ipc_init: listening on socket: /var/run/saslauthd/mux
May 19 11:40:00 pc251270 sshd[2416]: Server listening on 0.0.0.0 port 22.
May 19 11:40:00 pc251270 sshd[2416]: Server listening on :: port 22.
May 19 11:40:00 pc251270 sshd[2416]: Received signal 15; terminating.
May 19 11:40:00 pc251270 sshd[3110]: Server listening on 0.0.0.0 port 22.
May 19 11:40:00 pc251270 sshd[3110]: Server listening on :: port 22.
May 19 11:40:12 pc251270 kdm: :0[3298]: pam_unix(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=xquost
May 19 11:40:22 pc251270 kdm: :0[3298]: pam_unix(kdm:session): session opened for user xquost by (uid=0)
May 19 11:40:31 pc251270 polkitd(authority=local): Registered Authentication Agent for unix-session:1 (system bus name :1.28 [/usr/lib/kde4/libexec/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8)
May 19 11:40:39 pc251270 su[4207]: Successful su for root by xquost
May 19 11:40:39 pc251270 su[4207]: + /dev/pts/0 xquost:root
May 19 11:40:39 pc251270 su[4207]: pam_unix(su:session): session opened for user root by xquost(uid=1000)

> Do you mean you have other Jessie systems where libpam-cgfs does not
> trigger this behaviour?

Yes, but on those systems, there was no attempt to install lxc

> Do you by any chance have SELinux or AppArmor enabled on these boxes?

Yes, apparmor comes as a requirement of lxc

# apt-get install -t jessie-backports lxc
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Les paquets suivants ont été installés automatiquement et ne sont plus nécessaires :
  linux-headers-4.4.0-0.bpo.1-amd64 linux-headers-4.4.0-0.bpo.1-common linux-image-4.4.0-0.bpo.1-amd64 linux-kbuild-4.4
Veuillez utiliser « apt-get autoremove » pour les supprimer.
Les paquets supplémentaires suivants seront installés :
  apparmor libapparmor-perl libapparmor1 liblxc1 libpam-cgfs libseccomp2 lxcfs
Paquets suggérés :
  apparmor-profiles apparmor-profiles-extra apparmor-docs apparmor-utils btrfs-tools lua5.2 lvm2
Les NOUVEAUX paquets suivants seront installés :
  apparmor libapparmor-perl libapparmor1 liblxc1 libpam-cgfs libseccomp2 lxc lxcfs
0 mis à jour, 8 nouvellement installés, 0 à enlever et 25 non mis à jour.
Il est nécessaire de prendre 37,0 ko/1 506 ko dans les archives.
Après cette opération, 4 891 ko d'espace disque supplémentaires seront utilisés.
Souhaitez-vous continuer ? [O/n] n

however before filing this bug report, lxc and apparmor were removed

dpkg -l |grep appar
rc  apparmor  2.9.0-3  amd64  User-space parser
Bug#822444: Solved
Hello Sebastian

>> remarks :
>> (1) I have made no editing of clamd.conf file (but still not an excuse for
>> not checking this file). It's a file resulting (not provided by) from
>> installation of clamav-daemon package.
>> (2) It seems that starting clamd by sysinit does not enforce right
>> permissions ( shall I open a bug report for that ? ).
>
> can you describe the problem a little?

Just saying what you wrote below
(1) default for clamd is AllowSupplementaryGroups false
(2) when starting with sysinit this option is not taken into account

>> (3) are not AllowSupplementaryGroups and LocalSocketMode somehow
>> contradictory ?
>
> No I don't think so. AllowSupplementaryGroups is basically what enables
> the user of all groups which are part of the clamav user. The second is
> just the socket mode.
> The problem here, as far as I understand it, is that clamsmtp keeps the
> folder + files owned by the clamsmtp group and without the option clamd
> is not part of the group and can't access them.

Ok thanks for explaining

> Now going forward on fixing this. On one hand the problem is not setting
> AllowSupplementaryGroups to yes. Since clamsmtp adds the clamsmtp group
> to the clamav group it would be their job let the user know to do so.
> On the other we have different behaviour between systemd and systemv
> which is not good.
> Anyone an idea what we should do here? I am kind of leaning towards
> removing the AllowSupplementaryGroups option and making it on by default
> since I see currently no reason why one would not want that.

Basically I was cloning configuration for mail server from wheezy to Jessie and could not understand my mistake.
Confronting configuration files between wheezy and Jessie seeing nothing relevant lead me to look at init process.
A simple comment in clamd configuration files like "clamd started with systemd is enforcing strongly this options whereas started with sysinit it might not" would have been enough for not bothering you.

Best regards and thanks for your kind explanations.
XQ
Bug#822444: Solved
Hello Sebastian

> A lot of the stuff in clamav-daemon is legacy stuff and solved in
> systemd differently. To give an example:
> - we pass `-c /etc/clamav/clamd.conf' in the non-systemd case. But this
> is the default settings so we could drop it. Therefore it makes no
> difference if you pass this in systemd case or not (nothing changes).
> - In the systemv case we start the daemon via start-stop-daemon and pass
> the user from the config as an argument. We could however start clamd
> as root and let the daemon itself change the user to whatever is
> selected in clamd.conf. This is what happens in the systemd case.

Thanks, so no use to specify configuration file in systemd clamav-daemon.service

> I installed clamsmtp and been looking a little around and I think I
> found the problem: Your clamd.conf says
> AllowSupplementaryGroups disabled
> but clamsmtp adds the group clamsmtp to the clamav user:
> # id clamav
> uid=108(clamav) gid=113(clamav) groups=113(clamav),114(clamsmtp)
>
> With this option set to disabled / false clamav has only access to the
> clamav user+group. I think if you revert your changes and instead set
> true here (to AllowSupplementaryGroups) then it should work again. I
> *think* systemd + start-stop-daemon do this by default and that is why
> we did not notice this before.
> Could you please check if this change works for you?

Yes it solves the problem.
Sorry for not having looked further than user in clamd.conf configuration file.

remarks :
(1) I have made no editing of clamd.conf file (but still not an excuse for not checking this file). It's a file resulting (not provided by) from installation of clamav-daemon package.
(2) It seems that starting clamd by sysinit does not enforce right permissions ( shall I open a bug report for that ? ).
(3) are not AllowSupplementaryGroups and LocalSocketMode somehow contradictory ?

Best regards
XQ
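The diagnosis in the message above can be checked mechanically by comparing the groups the clamav account is entitled to with the groups the running clamd process actually holds. The following is an added example, not code from the thread or from the ClamAV packaging; the `/etc/group` and `/proc/<pid>/status` excerpts are constructed from the IDs in the quoted `id clamav` output, and the accepted boolean spellings and the default of false for a missing option are assumptions.

```python
import re

# Constructed /etc/group excerpt using the IDs shown by `id clamav` in the thread.
GROUP_DB = "clamav:x:113:\nclamsmtp:x:114:clamav\n"

# Constructed /proc/<pid>/status excerpts for a clamd process:
# one that dropped its supplementary groups, one that kept them.
STATUS_WITHOUT = ("Name:\tclamd\nUid:\t108\t108\t108\t108\n"
                  "Gid:\t113\t113\t113\t113\nGroups:\t113 \n")
STATUS_WITH = ("Name:\tclamd\nUid:\t108\t108\t108\t108\n"
               "Gid:\t113\t113\t113\t113\nGroups:\t113 114 \n")


def parse_group_db(text):
    """Return {group_name: (gid, [members])} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def account_gids(user, primary_gid, groups):
    """GIDs the account is entitled to: primary group plus memberships."""
    gids = {primary_gid}
    gids.update(gid for gid, members in groups.values() if user in members)
    return gids


def process_gids(status_text):
    """GIDs used for file access: filesystem GID plus supplementary groups."""
    gids = set()
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Gid":
            # Columns are real, effective, saved, filesystem.
            gids.add(int(value.split()[3]))
        elif key == "Groups":
            gids.update(int(g) for g in value.split())
    return gids


def missing_groups(user, primary_gid, group_text, status_text):
    """Names of groups the account has but the running process lacks."""
    groups = parse_group_db(group_text)
    lacking = account_gids(user, primary_gid, groups) - process_gids(status_text)
    return sorted(name for name, (gid, _m) in groups.items() if gid in lacking)


def allow_supplementary_groups(conf_text):
    """Read AllowSupplementaryGroups from clamd.conf-style text.

    Assumption: yes/true/1 enable it; a missing option counts as false,
    which is the default reported in the thread.
    """
    m = re.search(r"^\s*AllowSupplementaryGroups\s+(\S+)", conf_text, re.M)
    return bool(m) and m.group(1).lower() in {"yes", "true", "1"}


if __name__ == "__main__":
    for label, status in (("dropped", STATUS_WITHOUT), ("kept", STATUS_WITH)):
        print(label, missing_groups("clamav", 113, GROUP_DB, status))
```

On a live system the same functions can be fed the contents of `/etc/group`, `/etc/clamav/clamd.conf` and `/proc/<pid of clamd>/status`; a non-empty result that includes `clamsmtp` matches the `lstat() failed: Permission denied` symptom on `/var/spool/clamsmtp`.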
Bug#822444: Found the problem
Hello Sebastian,

I found the problem, and we were both right (that's worth saying :-))

It seems that systemd doesn't start clamd daemon with the right user / group that's why the rights on the socket are not consistent when clamav-daemon (clamd) is started by systemd.

lstat() failed on: /var/spool/clamsmtp/clamsmtpd.EfRJY5

The following modification solve the problem:

/lib/systemd/system/clamav-daemon.service
--
[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) http://www.clamav.net/lang/en/doc/
Requires=clamav-daemon.socket
# Check for database existence
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

[Service]
#ExecStart=/usr/sbin/clamd --foreground=true
# XQ 26/04/2016 add config file
ExecStart=/usr/sbin/clamd -c /etc/clamav/clamd.conf --foreground=true
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=syslog
# XQ 26/04/2016 add user and group
User=clamav
Group=clamav
--

Specifying User / Group seems enough, however to be sure I added the config file in the ExecStart line.

I made also the same for clamav-freshclam.service
--
[Unit]
Description=ClamAV virus database updater
Documentation=man:freshclam(1) man:freshclam.conf(5) http://www.clamav.net/lang/en/doc/
# If user wants it run from cron, don't start the daemon.
ConditionPathExists=!/etc/cron.d/clamav-freshclam

[Service]
#ExecStart=/usr/bin/freshclam -d --foreground=true
## XQ 26/04/2016 adding conf files and others options not sure that's useful
ExecStart=/usr/bin/freshclam -d --quiet --config-file=/etc/clamav/freshclam.conf --foreground=true
StandardOutput=syslog
## XQ 26/04/2016 adding a kill options not sure that's useful
ExecReload=/bin/kill -USR2 $MAINPID
# XQ 26/04/2016 add user and group
User=clamav
Group=clamav

[Install]
WantedBy=multi-user.target
--

I'm not familiar with systemd, however I'm surprised that when /etc/init.d/clamav-daemon is something like 400 lines, systemd is something like 10 lines. But still I'm not familiar with systemd.

Please would you tell me if those modifications make sense, or if those shall be made elsewhere in the system.

Best regards
XQ
Bug#822444: [Pkg-clamav-devel] Bug#822444: clamav-daemon does not start with same options using sysinit and systemd
Dear Sebastian

Thanks for your quick answer.

On Sunday 24 April 2016 21:07:16, you wrote:
> On 2016-04-24 17:39:37 [+0200], xavier quost wrote:
> > It seems that clamav-daemon does not start with the same options when
> > using systemd or sysvinit. This leads to problem with clamsmtp / clamd
> > communication breaking mail checking system.
> From browsing through the logs here I can't spot the difference / error.

You are right except clamsmtp error coming from postfix nothing gives a clear error message.

I checked the /var/log/clamav.log (I should have started there, sorry)

some lines bother me :

Sun Apr 24 21:36:52 2016 -> Received 0 file descriptor(s) from systemd.
vs
Sun Apr 24 17:11:21 2016 -> Received 1 file descriptor(s) from systemd.

nothing
vs
Sun Apr 24 17:11:21 2016 -> Running as user clamav (UID 126, GID 134)

Sun Apr 24 21:36:59 2016 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Sun Apr 24 21:36:59 2016 -> LOCAL: Setting connection queue length to 15
vs
Sun Apr 24 17:11:28 2016 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Sun Apr 24 17:11:28 2016 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.

then the error corresponding to mail.info logs

no error
vs
Sun Apr 24 17:14:02 2016 -> WARNING: lstat() failed on: /var/spool/clamsmtp/clamsmtpd.9g7gF4

This is the content when sysv start clamav-daemon

Sun Apr 24 21:36:52 2016 -> +++ Started at Sun Apr 24 21:36:52 2016
Sun Apr 24 21:36:52 2016 -> Received 0 file descriptor(s) from systemd.
Sun Apr 24 21:36:52 2016 -> clamd daemon 0.99 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Sun Apr 24 21:36:52 2016 -> Log file size limited to 4294967295bytes.
Sun Apr 24 21:36:52 2016 -> Reading databases from /var/lib/clamav
Sun Apr 24 21:36:52 2016 -> Not loading PUA signatures.
Sun Apr 24 21:36:52 2016 -> Bytecode: Security mode set to "TrustSigned".
Sun Apr 24 21:36:58 2016 -> Loaded 4300057 signatures.
Sun Apr 24 21:36:59 2016 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Sun Apr 24 21:36:59 2016 -> LOCAL: Setting connection queue length to 15
Sun Apr 24 21:36:59 2016 -> Limits: Global size limit set to 104857600 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: File size limit set to 26214400 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: Recursion level limit set to 16.
Sun Apr 24 21:36:59 2016 -> Limits: Files limit set to 1.
Sun Apr 24 21:36:59 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: MaxPartitions limit set to 50.
Sun Apr 24 21:36:59 2016 -> Limits: MaxIconsPE limit set to 100.
Sun Apr 24 21:36:59 2016 -> Limits: PCREMatchLimit limit set to 1.
Sun Apr 24 21:36:59 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
Sun Apr 24 21:36:59 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
Sun Apr 24 21:36:59 2016 -> Archive support enabled.
Sun Apr 24 21:36:59 2016 -> Algorithmic detection enabled.
Sun Apr 24 21:36:59 2016 -> Portable Executable support enabled.
Sun Apr 24 21:36:59 2016 -> ELF support enabled.
Sun Apr 24 21:36:59 2016 -> Mail files support enabled.
Sun Apr 24 21:36:59 2016 -> OLE2 support enabled.
Sun Apr 24 21:36:59 2016 -> PDF support enabled.
Sun Apr 24 21:36:59 2016 -> SWF support enabled.
Sun Apr 24 21:36:59 2016 -> HTML support enabled.
Sun Apr 24 21:36:59 2016 -> Self checking every 3600 seconds.

and this when systemd start clamav-daemon

Sun Apr 24 17:11:21 2016 -> +++ Started at Sun Apr 24 17:11:21 2016
Sun Apr 24 17:11:21 2016 -> Received 1 file descriptor(s) from systemd.
Sun Apr 24 17:11:21 2016 -> clamd daemon 0.99 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Sun Apr 24 17:11:21 2016 -> Running as user clamav (UID 126, GID 134)
Sun Apr 24 17:11:21 2016 -> Log file size limited to 4294967295bytes.
Sun Apr 24 17:11:21 2016 -> Reading databases from /var/lib/clamav
Sun Apr 24 17:11:21 2016 -> Not loading PUA signatures.
Sun Apr 24 17:11:21 2016 -> Bytecode: Security mode set to "TrustSigned".
Sun Apr 24 17:11:27 2016 -> Loaded 4300057 signatures.
Sun Apr 24 17:11:28 2016 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Sun Apr 24 17:11:28 2016 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
Sun Apr 24 17:11:28 2016 -> Limits: Global size limit set to 104857600 bytes.
Sun Apr 24 17:11:28 2016 -> Limits: File size limit set to 26214400 bytes.
Sun Apr 24 17:11:28 2016 -> Limits: Recursion level limit set to 16.
Sun Apr 24 17:1
Bug#822444: clamav-daemon does not start with same options using sysinit and systemd
Package: clamav-daemon
Version: 0.99+dfsg-0+deb8u2
Severity: important

Dear Maintainer,

It seems that clamav-daemon does not start with the same options when using systemd or sysvinit. This leads to problem with clamsmtp / clamd communication breaking mail checking system.

when using sysv

## check sysv
# pidof /sbin/init
1
# pidof systemd
zsh: exit 1 pidof systemd

clamd process is started with those default options :

# ps -ef |grep clam
clamav    6673     1  0 16:53 ?        00:00:00 /usr/bin/freshclam -d --quiet --config-file=/etc/clamav/freshclam.conf --pid=/run/clamav/freshclam.pid
clamav    8357     1  0 16:57 ?        00:00:00 /usr/sbin/clamd -c /etc/clamav/clamd.conf --pid=/run/clamav/clamd.pid
clamsmtp  8409     1  0 16:58 ?        00:00:00 /usr/sbin/clamsmtpd
root      8430  4011  0 16:58 pts/0    00:00:00 grep clam

and communication between clamsmtp and clamd works (extract from mail.info) :

Apr 24 16:59:47 pc251270 postfix/pickup[3311]: 39761221B8E: uid=0 from=
Apr 24 16:59:47 pc251270 postfix/cleanup[8443]: 39761221B8E: message-id=<20160424145947.39761221...@pc251270.valfontenay.ratp>
Apr 24 16:59:47 pc251270 postfix/qmgr[3312]: 39761221B8E: from=, size=459, nrcpt=1 (queue active)
Apr 24 16:59:47 pc251270 clamsmtpd: 10: accepted connection from: 127.0.0.1
Apr 24 16:59:47 pc251270 postfix/smtpd[8447]: connect from localhost[127.0.0.1]
Apr 24 16:59:47 pc251270 postfix/smtpd[8447]: 4956C221DD1: client=localhost[127.0.0.1]
Apr 24 16:59:47 pc251270 postfix/cleanup[8443]: 4956C221DD1: message-id=<20160424145947.39761221...@pc251270.valfontenay.ratp>

switching to systemd (and rebooting ;-)) )

## check systemd
# pidof systemd
1188
# pidof /sbin/init
1190 1188 1

## it seems that clamav-daemon is no more started with good options
# ps -ef |grep clam
clamav     678     1  0 17:11 ?        00:00:00 /usr/bin/freshclam -d --foreground=true
clamsmtp   747     1  0 17:11 ?        00:00:00 /usr/sbin/clamsmtpd
clamav     791     1  7 17:11 ?        00:00:07 /usr/sbin/clamd --foreground=true
root      1996  1733  0 17:12 pts/0    00:00:00 grep clam

Communication between clamsmtp and clamd is now failing

Apr 24 17:14:02 pc251270 postfix/pickup[1163]: 3CC4F221B8E: uid=1000 from=
Apr 24 17:14:02 pc251270 postfix/cleanup[2006]: 3CC4F221B8E: message-id=<20160424151402.3cc4f221...@pc251270.valfontenay.ratp>
Apr 24 17:14:02 pc251270 postfix/qmgr[1164]: 3CC4F221B8E: from= , size=473, nrcpt=1 (queue active)
Apr 24 17:14:02 pc251270 clamsmtpd: 10: accepted connection from: 127.0.0.1
Apr 24 17:14:02 pc251270 postfix/smtpd[2010]: connect from localhost[127.0.0.1]
Apr 24 17:14:02 pc251270 postfix/smtpd[2010]: 535FA221DD1: client=localhost[127.0.0.1]
Apr 24 17:14:02 pc251270 clamsmtpd: 10: clamav error: /var/spool/clamsmtp/clamsmtpd.9g7gF4: lstat() failed: Permission denied. ERROR
Apr 24 17:14:02 pc251270 clamsmtpd: 10: from=xqu...@pc251270.valfontenay.ratp, to=xquost@localhost, status=CLAMAV-ERROR

Thanks, best regards
XQ

Clamsmtp configuration file :

# --
#SAMPLE CLAMSMTPD CONFIG FILE
# --
#
# - Comments are a line that starts with a #
# - All the options are found below with their defaults commented out

# The address to send scanned mail to.
# This option is required unless TransparentProxy is enabled
OutAddress: 10026

# The maximum number of connection allowed at once.
# Be sure that clamd can also handle this many connections
#MaxConnections: 64

# Amount of time (in seconds) to wait on network IO
#TimeOut: 180

# Address to listen on (defaults to all local addresses on port 10025)
Listen: 127.0.0.1:10025

# The address clamd is listening on
ClamAddress: /var/run/clamav/clamd.ctl

# A header to add to all scanned email
#Header: X-AV-Checked: ClamAV using ClamSMTP

# Directory for temporary files
TempDirectory: /var/spool/clamsmtp

# PidFile: location of PID file
PidFile: /var/run/clamsmtp/clamsmtpd.pid

# Whether or not to bounce email (default is to silently drop)
#Bounce: off

# Whether or not to keep virus files
#Quarantine: off

# Enable transparent proxy support
#TransparentProxy: off

# User to run as
User: clamsmtp

# Virus actions: There's an option to run a script every time a
# virus is found. Read the man page for clamsmtpd.conf for details.

-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
---
LogFile = "/var/log/clamav/clamav.log"
StatsHostID = "auto"
StatsEnabled disabled
StatsPEDisabled = "yes"
StatsTimeout = "10"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"