Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-21 Thread Noel Jones
On 2/21/2015 7:28 PM, Daniel Spies wrote:
 On 02/22/2015 01:54 AM, Benny Pedersen wrote:

 LocalNet localdomain

 This gives no error, but clamav-milter is still scanning/tagging
 outgoing e-mail. I'm sending e-mail from port 587 (smtp/submission,
 postfix).

The originating client is the system connecting to submission, not
localhost.

Anyway, if your goal is to disable scanning on submission, it's
probably best to edit the master.cf submission service to not call
clamav-milter at all.  (I would strongly recommend scanning all
mail, but that's a local policy decision)

# master.cf
...
submission  smtpd
  ... other stuff
  -o smtpd_milters=

i.e. set smtpd_milters empty for that service.

If you need to do this in clamav-milter, such as if you need to do
this for port 25 as well as submission, you should probably look at
the SkipAuthenticated option.


  -- Noel Jones
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
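The two exemptions discussed in this message, as a simplified model added here for illustration (not clamav-milter code and not code from the thread). It shows why a loopback-only LocalNet leaves submission mail scanned while SkipAuthenticated exempts it. The function names, the message fields and the sample addresses are constructed assumptions, and only literal addresses are handled, not hostnames.

```python
import ipaddress
import re

def parse_localnet(entries):
    """One LocalNet value per directive -> (list of networks, 'local' keyword seen)."""
    nets, local_kw = [], False
    for value in entries:
        value = value.strip()
        if value == "local":
            local_kw = True
            continue
        # A value without /mask is treated as a single host.
        nets.append(ipaddress.ip_network(value, strict=False))
    return nets, local_kw

def is_scanned(msg, localnet=(), skip_authenticated=None):
    """Return True if this model would scan the message."""
    nets, local_kw = parse_localnet(localnet)
    client = msg.get("client_ip")
    if client is None:
        # Non-SMTP, locally originated mail: only the 'local' keyword exempts it.
        return not local_kw
    addr = ipaddress.ip_address(client)
    # LocalNet is compared with the connecting client, not with the mail server.
    if any(addr in net for net in nets if net.version == addr.version):
        return False
    user = msg.get("auth_user")
    if skip_authenticated and user and re.search(skip_authenticated, user):
        return False
    return True

# Constructed sample connections (documentation address ranges).
SAMPLES = {
    "submission": {"client_ip": "198.51.100.23", "auth_user": "daniel"},
    "inbound_25": {"client_ip": "203.0.113.9", "auth_user": None},
    "pickup": {"client_ip": None, "auth_user": None},
    "loopback": {"client_ip": "127.0.0.1", "auth_user": None},
}
LOOPBACK_ONLY = ["127.0.0.1", "::1", "local"]   # one value per LocalNet line

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name,
              "LocalNet only:", is_scanned(msg, LOOPBACK_ONLY),
              "SkipAuthenticated:", is_scanned(msg, skip_authenticated=r"^.*$"))
```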


Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-21 Thread Daniel Spies

On 02/22/2015 02:47 AM, Noel Jones wrote:

Anyway, if your goal is to disable scanning on submission, it's
probably best to edit the master.cf submission service to not call
clamav-milter at all.  (I would strongly recommend scanning all
mail, but that's a local policy decision)


As already suspected below, I still have a few clients who are sending 
e-mail to port 25. I would like to disable authentication for port 25 
but it's no option at the moment.



If you need to do this in clamav-milter, such as if you need to do
this for port 25 as well as submission, you should probably look at
the SkipAuthenticated option.


SkipAuthenticated ^.*$

does what I want, thank you! Well, actually it would be perfect if 
incoming local mail would be scanned too, i.e.


sending auth mail from any port - DO NOT SCAN
receiving mail (port 25) - SCAN

In my opinion, it doesn't make any sense to scan e-mail leaving the 
server. The recipient will never trust these tags anyway. So why scan at 
all? It's important to scan incoming mail, be it from a local or an 
external client.


Daniel



[clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-21 Thread Daniel Spies

Hello,

what is the correct way to prevent clamav-milter (0.98.5 in Debian 
Wheezy) from scanning and tagging _outgoing_ e-mail? I assumed it was 
the LocalNet option; however, I did not manage to get it to work. Here 
is the man entry:


LocalNet STRING
Messages originating from these hosts/networks will not be scanned.
This option takes a host(name)/mask pair in CIDR notation and can be
repeated several times. If /mask is omitted, a host is assumed. To
specify a locally originated, non-smtp, email use the keyword local

Default: unset (scan everything regardless of the origin)

Here is what I tried:

LocalNet 127.0.0.1/32 ::1/128 local
clamav-milterERROR: Can't resolve LocalNet hostname 127.0.0.1/32 ::1

LocalNet 127.0.0.1/32 ::1/128
clamav-milterERROR: Can't resolve LocalNet hostname 127.0.0.1/32 ::1

LocalNet 127.0.0.1/32
OK, BUT scan/tag happens

LocalNet ::1/128
OK, BUT scan/tag happens

LocalNet local
OK, BUT scan/tag happens

LocalNet 127.0.0.1
OK, BUT scan/tag happens

LocalNet local
OK, BUT scan/tag happens

LocalNet local 127.0.0.1 ::1
clamav-milterERROR: Can't resolve LocalNet hostname local 127.0.0.1 ::1

LocalNet 127.0.0.1 ::1 local
OK, BUT scan/tag happens

Any help is greatly appreciated.

Daniel




Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-21 Thread Benny Pedersen

Daniel Spies wrote on 2015-02-22 03:19:


Yes, but I have (still) enabled sending e-mail to port 25. This would
only work for submission (see my other e-mail).


yes i remember that problem here as well, so far i think postfix does not 
honor it to disable smtp auth on port 25 while having it enabled on other 
ports :(


at least i see AUTH discarded in skip ehlo

prefer to keep STARTTLS on :=)

but postfix keeps AUTH, don't flame me, but test it, if 3 or more can 
confirm it then we can possibly report this problem on the postfix mailing list



note check man resolv.conf for inet6, and or /etc/gai.conf
e.g. make sure ipv4 first for non-routable ips

Do you mean I should add IPv4 addresses first to the LocalNet option?


if it's more simple to make all ipv6 addresses resolve with local TLD no 
problem :=)



Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-21 Thread Daniel Spies

On 02/22/2015 01:54 AM, Benny Pedersen wrote:


LocalNet localdomain

This gives no error, but clamav-milter is still scanning/tagging 
outgoing e-mail. I'm sending e-mail from port 587 (smtp/submission, 
postfix).



PS: why does 127.0.0.1 not resolve ?


It does though:
LocalNet 127.0.0.1 -- OK, BUT scan/tag happens

Or do you mean something else?


post /etc/hosts for more help :=)


# IPv4
127.0.0.1 localhost.localdomain localhost
175.8.41.129 sub.example.com sub
#
# IPv6
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
2b01:4c7:250:41ad::2 sub.example.com sub


is the client ip in clamav-milter really in local domain ip listed ?

Maybe LocalNet is the wrong option (?) but how else would I stop 
clamav-milter from scanning outgoing e-mail then?



check whitelist sender in clamav milter conf if it's just to have system
users not scanned, if it's users that have @ in username use smtp auth


There is no whitelist so far.

Thanks for your quick reply!


Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-21 Thread Benny Pedersen

Daniel Spies wrote on 2015-02-22 02:28:


Maybe LocalNet is the wrong option (?) but how else would I stop
clamav-milter from scanning outgoing e-mail then?


in postfix master.cf:

for the pickup add

-o non_smtpd_milters=

e.g. no milter for this service

or much better don't add milters in main.cf, but only in master.cf for 
the incoming service port 25


note check man resolv.conf for inet6, and or /etc/gai.conf

e.g. make sure ipv4 first for non-routable ips