Re: [qmailtoaster] ClamAV and Viruses
Hi Eric:

One thing I've noticed is that there's a message size limit on what simscan/spamd/clamd will check. Messages over several megabytes are skipped. Is there a config file somewhere controlling that?

Jeff

On 9/16/2020 2:07 PM, Eric Broch wrote:

Hi Jeff,

I'm not sure why ClamAV would miss a virus. Maybe they'd have a better idea on the ClamAV mailing list. I've never really depended on ClamAV or Spamassassin, though I'd like to, but when killing spam was absolutely necessary I used a third party spam gateway.

Eric

On 9/16/2020 9:43 AM, Jeff Koch wrote:

We think we're having a problem with one of our mailservers whereby users' PCs are getting hit with viruses. All mailservers have had ClamAV recently updated to version 0.102.4. The logs at /var/log/qmail/smtp and /var/log/qmail/submission show that ClamAV is indeed analyzing emails and attachments so we're trying to figure out how these viruses are getting through. We do see that most 'Virus Drops' are due to spoofed domains. Very, very few are noted as Trojans or actual viruses.

Can anyone share the results of:

grep simscan /var/log/qmail/smtp/current|tai64nlocal |less

showing that clamav is finding actual viruses?

Any thoughts or suggestions would be appreciated.

Jeff
Re: [qmailtoaster] Mailserver temporarily rejected message
Hello Angus and Remo,

This looked what's happening. After a few days the server starts "temporarily rejected" messages again and I need to restart the mail server.
Is there a log file where I can see if Clamav is crashed?
Another question: is there a way to skip the clamav check? My mail server is only used to send reset password mails.

Thanks for your advice.
Peter

Angus McIntyre wrote on 2020-09-16 17:19:

Also, use 'toaststat' or equivalent to make sure all the components of your toaster are up and running.

If you don't have enough memory on your box, then ClamAV will sometimes crash, making mail undeliverable and generating the "temporarily rejected" message you've seen. Rebooting will cure that ... until the next time.

ClamAV's appetite for memory is large and growing, and last time I looked the consensus was that you'd need a minimum 3-4GB available.

Angus

Remo Mattei wrote on 9/16/20 11:10 AM:

Enable debug to get more info.

:allow,SIMSCAN_DEBUG="2",x

on /etc/tcprules.d/tcp.smtp

Remo

On Sep 16, 2020, at 8:07 AM, pe...@peterse-uithuizen.com wrote:

Hello,

I've seen recently my mail server stops accepting mails with the following message:
===
451 mail server temporarily rejected message (#4.3.0)
===

Does anyone know what is going on here? Is there any log which gives me some feedback why the mailserver gives this error message?

I suspect that the load was too high. But at the moment that I looked the load is minimal, however, the mail server still gives this return message, so it looks like qmail isn't restoring the level that it will accept messages again.
My only solution was to reboot the server. After that the mailserver accepts messages.

I hope someone can help me.

Regards,
Peter

-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] ClamAV and Viruses
Hi Jeff,

I'm not sure why ClamAV would miss a virus. Maybe they'd have a better idea on the ClamAV mailing list. I've never really depended on ClamAV or Spamassassin, though I'd like to, but when killing spam was absolutely necessary I used a third party spam gateway.

Eric

On 9/16/2020 9:43 AM, Jeff Koch wrote:

We think we're having a problem with one of our mailservers whereby users' PCs are getting hit with viruses. All mailservers have had ClamAV recently updated to version 0.102.4. The logs at /var/log/qmail/smtp and /var/log/qmail/submission show that ClamAV is indeed analyzing emails and attachments so we're trying to figure out how these viruses are getting through. We do see that most 'Virus Drops' are due to spoofed domains. Very, very few are noted as Trojans or actual viruses.

Can anyone share the results of:

grep simscan /var/log/qmail/smtp/current|tai64nlocal |less

showing that clamav is finding actual viruses?

Any thoughts or suggestions would be appreciated.

Jeff
Re: [qmailtoaster] Mailserver temporarily rejected message
Did you upgrade Clam? Can you send the /etc/fstab? Can you make sure the permissions are set correctly in the /var/qmail/simscan?

Sounds like a little misconfiguration

> On Sep 16, 2020, at 8:45 AM, pe...@peterse-uithuizen.com wrote:
>
> Hello Angus and Remo,
>
> This looked what's happening. After a few days the server starts "temporarily
> rejected" messages again and I need to restart the mail server.
> Is there a log file where I can see if Clamav is crashed?
> Another question: is there a way to skip the clamav check? My mail server is
> only used to send reset password mails.
>
> Thanks for your advice.
> Peter
>
>
> Angus McIntyre wrote on 2020-09-16 17:19:
>> Also, use 'toaststat' or equivalent to make sure all the components of
>> your toaster are up and running.
>> If you don't have enough memory on your box, then ClamAV will
>> sometimes crash, making mail undeliverable and generating the
>> "temporarily rejected" message you've seen. Rebooting will cure that
>> ... until the next time.
>> ClamAV's appetite for memory is large and growing, and last time I
>> looked the consensus was that you'd need a minimum 3-4GB available.
>> Angus
>> Remo Mattei wrote on 9/16/20 11:10 AM:
>>> Enable debug to get more info.
>>> :allow,SIMSCAN_DEBUG="2",x
>>> on /etc/tcprules.d/tcp.smtp
>>> Remo
>>>> On Sep 16, 2020, at 8:07 AM, pe...@peterse-uithuizen.com wrote:
>>>>
>>>> Hello,
>>>>
>>>> I've seen recently my mail server stops accepting mails with the following message:
>>>> ===
>>>> 451 mail server temporarily rejected message (#4.3.0)
>>>> ===
>>>>
>>>> Does anyone know what is going on here? Is there any log which gives me some feedback why the mailserver gives this error message?
>>>>
>>>> I suspect that the load was too high. But at the moment that I looked the load is minimal, however, the mail server still gives this return message, so it looks like qmail isn't restoring the level that it will accept messages again.
>>>> My only solution was to reboot the server. After that the mailserver accepts messages.
>>>>
>>>> I hope someone can help me.
>>>>
>>>> Regards,
>>>> Peter
[qmailtoaster] ClamAV and Viruses
We think we're having a problem with one of our mailservers whereby users' PCs are getting hit with viruses. All mailservers have had ClamAV recently updated to version 0.102.4. The logs at /var/log/qmail/smtp and /var/log/qmail/submission show that ClamAV is indeed analyzing emails and attachments so we're trying to figure out how these viruses are getting through. We do see that most 'Virus Drops' are due to spoofed domains. Very, very few are noted as Trojans or actual viruses.

Can anyone share the results of:

grep simscan /var/log/qmail/smtp/current|tai64nlocal |less

showing that clamav is finding actual viruses?

Any thoughts or suggestions would be appreciated.

Jeff
Re: [qmailtoaster] clamscan error
Eric - thanks - a lot of interesting hints.

Jeff

On 9/16/2020 9:42 AM, Eric Broch wrote:

https://www.howtoforge.com/community/threads/clamd-will-not-start.34559/

On 9/16/2020 7:40 AM, Eric Broch wrote:

Sorry, missed the first part of your question. Have a look here:

https://github.com/kylefarris/clamscan/issues/25

On 9/16/2020 7:29 AM, Eric Broch wrote:

Is the service started?

On 9/16/2020 7:17 AM, Jeff Koch wrote:

Hi Eric:

I'm getting the following error when trying to restart clamd@scan simscan: clamdscan: ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: No such file or directory

Any idea how to handle this?

Jeff
Re: [qmailtoaster] Mailserver temporarily rejected message
Also, use 'toaststat' or equivalent to make sure all the components of your toaster are up and running.

If you don't have enough memory on your box, then ClamAV will sometimes crash, making mail undeliverable and generating the "temporarily rejected" message you've seen. Rebooting will cure that ... until the next time.

ClamAV's appetite for memory is large and growing, and last time I looked the consensus was that you'd need a minimum 3-4GB available.

Angus

Remo Mattei wrote on 9/16/20 11:10 AM:

Enable debug to get more info.

:allow,SIMSCAN_DEBUG="2",x

on /etc/tcprules.d/tcp.smtp

Remo

On Sep 16, 2020, at 8:07 AM, pe...@peterse-uithuizen.com wrote:

Hello,

I've seen recently my mail server stops accepting mails with the following message:
===
451 mail server temporarily rejected message (#4.3.0)
===

Does anyone know what is going on here? Is there any log which gives me some feedback why the mailserver gives this error message?

I suspect that the load was too high. But at the moment that I looked the load is minimal, however, the mail server still gives this return message, so it looks like qmail isn't restoring the level that it will accept messages again.
My only solution was to reboot the server. After that the mailserver accepts messages.

I hope someone can help me.

Regards,
Peter
Re: [qmailtoaster] Mailserver temporarily rejected message
Enable debug to get more info.

:allow,SIMSCAN_DEBUG="2",x

on /etc/tcprules.d/tcp.smtp

Remo

> On Sep 16, 2020, at 8:07 AM, pe...@peterse-uithuizen.com wrote:
>
> Hello,
>
> I've seen recently my mail server stops accepting mails with the following
> message:
> ===
> 451 mail server temporarily rejected message (#4.3.0)
> ===
>
> Does anyone know what is going on here? Is there any log which gives me some
> feedback why the mailserver gives this error message?
>
> I suspect that the load was too high. But at the moment that I looked the load
> is minimal, however, the mail server still gives this return message, so it
> looks like qmail isn't restoring the level that it will accept messages again.
> My only solution was to reboot the server. After that the mailserver accepts
> messages.
>
> I hope someone can help me.
>
> Regards,
> Peter
[qmailtoaster] Mailserver temporarily rejected message
Hello,

I've seen recently my mail server stops accepting mails with the following message:
===
451 mail server temporarily rejected message (#4.3.0)
===

Does anyone know what is going on here? Is there any log which gives me some feedback why the mailserver gives this error message?

I suspect that the load was too high. But at the moment that I looked the load is minimal, however, the mail server still gives this return message, so it looks like qmail isn't restoring the level that it will accept messages again.
My only solution was to reboot the server. After that the mailserver accepts messages.

I hope someone can help me.

Regards,
Peter
Re: [qmailtoaster] clamscan error
https://www.howtoforge.com/community/threads/clamd-will-not-start.34559/

On 9/16/2020 7:40 AM, Eric Broch wrote:

Sorry, missed the first part of your question. Have a look here:

https://github.com/kylefarris/clamscan/issues/25

On 9/16/2020 7:29 AM, Eric Broch wrote:

Is the service started?

On 9/16/2020 7:17 AM, Jeff Koch wrote:

Hi Eric:

I'm getting the following error when trying to restart clamd@scan simscan: clamdscan: ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: No such file or directory

Any idea how to handle this?

Jeff
Re: [qmailtoaster] clamscan error
Sorry, missed the first part of your question. Have a look here:

https://github.com/kylefarris/clamscan/issues/25

On 9/16/2020 7:29 AM, Eric Broch wrote:

Is the service started?

On 9/16/2020 7:17 AM, Jeff Koch wrote:

Hi Eric:

I'm getting the following error when trying to restart clamd@scan simscan: clamdscan: ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: No such file or directory

Any idea how to handle this?

Jeff
Re: [qmailtoaster] clamscan error
Is the service started?

On 9/16/2020 7:17 AM, Jeff Koch wrote:

Hi Eric:

I'm getting the following error when trying to restart clamd@scan simscan: clamdscan: ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: No such file or directory

Any idea how to handle this?

Jeff
[qmailtoaster] clamscan error
Hi Eric:

I'm getting the following error when trying to restart clamd@scan simscan: clamdscan: ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: No such file or directory

Any idea how to handle this?

Jeff
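
Added example, not part of the thread or of qmailtoaster: a small probe that tells apart the states behind the "Could not connect to clamd on LocalSocket" error and the crashed-daemon case discussed above (socket file missing, socket file left behind with no listener, daemon hung, daemon healthy). The function name `probe_clamd` and the state labels are assumptions of this example; the socket path is the one from the error message.

```python
import socket

# Socket path copied from the error message quoted in the thread.
CLAMD_SOCKET = "/run/clamd.scan/clamd.sock"


def probe_clamd(path=CLAMD_SOCKET, timeout=5.0):
    """Classify the state of a clamd Unix socket; returns (state, detail)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except FileNotFoundError:
            # Same condition clamdscan reports as "No such file or directory".
            return ("socket-missing", "no socket file: clamd is not running "
                    "or its LocalSocket setting points elsewhere")
        except ConnectionRefusedError:
            return ("stale-socket", "socket file exists but nothing listens on it")
        except PermissionError:
            return ("permission-denied", "this user may not open the socket")
        except OSError as exc:
            return ("error", str(exc))
        try:
            # clamd protocol: the 'z' prefix means the command and the reply
            # are NUL-terminated; a healthy daemon answers PING with PONG.
            s.sendall(b"zPING\0")
            reply = s.recv(64)
        except socket.timeout:
            return ("unresponsive", "connected, but no reply within timeout")
        except OSError as exc:
            return ("error", str(exc))
    if reply.rstrip(b"\0\n") == b"PONG":
        return ("ok", "clamd answered PING")
    return ("unexpected-reply", repr(reply))


if __name__ == "__main__":
    state, detail = probe_clamd()
    print(f"{CLAMD_SOCKET}: {state} ({detail})")
```

Run from cron as the user simscan runs under, anything other than `ok` is a signal that mail is about to be deferred with the 451 response rather than scanned.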