Answering my own question: The last part (here: p004) contains the message in full. It was sent as first part to be inspected.
p@rick * Patrick Ben Koetter <p...@sys4.de>: > Does amavis clamav to scan the mail (header + body) or only parts of it? > > I specified @keep_decoded_original_maps on a Debian 2.10.1 install to "retain > full original message for virus checking" like this: > > @keep_decoded_original_maps = (new_RE( > qr'^MAIL$', # retain full original message for virus checking (can be > slow) > qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains > undecipherables > qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, > )); > > From this I would suspect amavis to tell clamav to scan the whole mail, which > I assume to be stored in $tempdir/email.txt. But I don't see that, when I look > at the communication that takes place between amavis and clamav. > > From what I read from the recorded tcpdump session (see below) amavis tells > clamd to > > - CONTSCAN > /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p004 > - CONTSCAN > /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p002 > > There's no CONTSCAN > /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/email.txt (allthough > it would work as I tested manually). > > Did I miss something? Is my assumption amavis will let clamav scan the > complete message, wrong? > > Thanks > > p@rick > > > > > 13:51:34.667566 IP localhost.localdomain.60081 > localhost.localdomain.3310: > Flags [S], seq 4241060098, win 43690, options [mss 65495,sackOK,TS val > 2109639026 ecr 0,nop,wscale 7], length 0 > E..<.p@.@.DI..............q..........0......... > }..r........ > 13:51:34.667588 IP localhost.localdomain.3310 > localhost.localdomain.60081: > Flags [S.], seq 3782527681, ack 4241060099, win 43690, options [mss > 65495,sackOK,TS val 2109639026 ecr 2109639026,nop,wscale 7], length 0 > E..<..@.@.<..............t....q......0......... > }..r}..r.... > 13:51:34.667601 IP localhost.localdomain.60081 > localhost.localdomain.3310: > Flags [.], ack 1, win 342, options [nop,nop,TS val 2109639026 ecr > 2109639026], length 0 > E..4.q@.@.DP..............q..t.....V.(..... > }..r}..r > 13:51:34.668699 IP localhost.localdomain.60081 > localhost.localdomain.3310: > Flags [P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 2109639026 ecr > 2109639026], length 73 > E..}.r@.@.D...............q..t.....V.q..... > }..r}..rCONTSCAN > /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts > > 13:51:34.668729 IP localhost.localdomain.3310 > localhost.localdomain.60081: > Flags [.], ack 74, win 342, options [nop,nop,TS val 2109639026 ecr > 2109639026], length 0 > E..4C.@.@................t....qL...V.(..... > }..r}..r > 13:51:34.671151 IP localhost.localdomain.3310 > localhost.localdomain.60081: > Flags [P.], seq 1:98, ack 74, win 342, options [nop,nop,TS val 2109639027 ecr > 2109639026], length 97 > E...C.@.@................t....qL...V....... > }..s}..r/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p004: > VirusDB: FOUND > > 13:51:34.671176 IP localhost.localdomain.60081 > localhost.localdomain.3310: > Flags [.], ack 98, win 342, options [nop,nop,TS val 2109639027 ecr > 2109639027], length 0 > E..4.s@.@.DN..............qL.t.#...V.(..... > }..s}..s > 13:51:34.671608 IP localhost.localdomain.3310 > localhost.localdomain.60081: > Flags [P.], seq 98:195, ack 74, win 342, options [nop,nop,TS val 2109639027 > ecr 2109639027], length 97 > E...C.@.@................t.#..qL...V....... > }..s}..s/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p002: > VirusDB: FOUND > > 13:51:34.671624 IP localhost.localdomain.60081 > localhost.localdomain.3310: > Flags [.], ack 195, win 342, options [nop,nop,TS val 2109639027 ecr > 2109639027], length 0 > E..4.t@.@.DM..............qL.t.....V.(..... > }..s}..s > 13:51:34.671743 IP localhost.localdomain.3310 > localhost.localdomain.60081: > Flags [F.], seq 195, ack 74, win 342, options [nop,nop,TS val 2109639027 ecr > 2109639027], length 0 > E..4C.@.@................t....qL...V.(..... > }..s}..s > 13:51:34.671917 IP localhost.localdomain.60081 > localhost.localdomain.3310: > Flags [F.], seq 74, ack 196, win 342, options [nop,nop,TS val 2109639027 ecr > 2109639027], length 0 > E..4.u@.@.DL..............qL.t.....V.(..... > }..s}..s > 13:51:34.671938 IP localhost.localdomain.3310 > localhost.localdomain.60081: > Flags [.], ack 75, win 342, options [nop,nop,TS val 2109639027 ecr > 2109639027], length 0 > E..4C.@.@................t....qM...V.(..... > }..s}..s > > > -- > [*] sys4 AG > > https://sys4.de, +49 (89) 30 90 46 64 > Franziskanerstraße 15, 81669 München > > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 > Vorstand: Patrick Ben Koetter, Marc Schiffbauer > Aufsichtsratsvorsitzender: Florian Kirstein > -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
