On 15/05/2021 16:55, Luc Pardon wrote:
Recently I decided to do some restructuring of a Postfix/Amavis/ClamAV
installation and ran into a puzzling situation. After some head-scratching, I
came up with a solution and thought I'd share it, in case it should be helpful
to others (that's also why I'm posting here, rather than to the developers
list).
FWIW, the setup is Amavis 2.12.1 on Linux with Perl 5.30, and ClamAV 0.103.2.
The packages are loosely based on Fedora but locally-built.
Now, as for the setup:
* There are two user accounts, "amavis" and "clamscan".
* Both are members of "clamgroup".
* The ClamAV socket is owned by user "clamscan",
* and "clamgroup" has r+w permission on it.
Unfortunately, that won't fly, at least not with $daemon_group = "amavis" in
amavisd.conf. That brings the infamous "Permission denied" on the socket.
However, with $daemon_group = "clamgroup", all is well, and the amavisd
daemon can talk to clamd, as expected. Incidentally, that means that
things on disk are OK...
I believe that if you use the new preferred way of calling clamav i.e.
with --fdpass, the whole permissions issue disappears.
Example:
@av_scanners = (
['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
[0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
