Your message dated Fri, 29 May 2009 10:52:51 -0500
with message-id <[email protected]>
and subject line [SOLVED] Re: [exim] clamd av_scanner does not use configured port
has caused the Debian Bug report #530963,
regarding exim4-daemon-heavy: clamd av_scanner does not use configured port
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
530963: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530963
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: exim4-daemon-heavy
Version: 4.69-9
Severity: normal
I'm getting errors in my /var/log/exim4/paniclog:
2009-05-28 20:15:17 1M9m0T-00059K-21 malware acl condition: clamd: connection to 172.20.2.91, port 1189 failed (Connection refused)
2009-05-28 20:18:42 1M9m3l-0005GE-PF malware acl condition: clamd: connection to 172.20.2.91, port 1114 failed (Connection refused)
2009-05-28 20:19:25 1M9m4T-0005GL-94 malware acl condition: clamd: connection to 172.20.2.91, port 1520 failed (Connection refused)
2009-05-28 20:20:09 1M9m5B-0005GQ-4V malware acl condition: clamd: connection to 172.20.2.91, port 1533 failed (Connection refused)
2009-05-28 20:20:37 1M9m5c-0005GV-Vu malware acl condition: clamd: connection to 172.20.2.91, port 1574 failed (Connection refused)
2009-05-28 20:24:40 1M9m9Y-0005Ga-L0 malware acl condition: clamd: connection to 172.20.2.91, port 1703 failed (Connection refused)
2009-05-28 20:26:15 1M9mB5-0005Gf-Bk malware acl condition: clamd: connection to 172.20.2.91, port 1426 failed (Connection refused)
2009-05-28 20:28:03 1M9mCl-0005Gk-9s malware acl condition: clamd: connection to 172.20.2.91, port 1221 failed (Connection refused)
2009-05-28 20:29:40 1M9mEN-0005Gp-Q4 malware acl condition: clamd: connection to 172.20.2.91, port 1966 failed (Connection refused)
2009-05-28 20:31:42 1M9mGJ-0005Gu-NB malware acl condition: clamd: connection to 172.20.2.91, port 1697 failed (Connection refused)
Notice that the port varies, for some reason.
What I think is relevant about my configuration is:
(on the exim4 server)
/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs-local:
CHECK_DATA_LOCAL_ACL_FILE = CONFDIR/conf.d/local/acl_check_data
/etc/exim4/conf.d/main/02_exim4-config_options-local:
av_scanner = clamd:ichi 3310
/etc/exim4/conf.d/acl/40_exim4-config_check_data:
.ifdef CHECK_DATA_LOCAL_ACL_FILE
.include CHECK_DATA_LOCAL_ACL_FILE
.endif
/etc/exim4/conf.d/local/acl_check_data:
deny
add_header = X-Virus-Scanned: [email protected]
message = This message was detected as possible malware ($malware_name).
malware = */defer_ok
/etc/hosts:
172.20.2.91 ichi.iguanasuicide.net ichi
I looked at the package source, specifically malware.c and I didn't see
anything immediately wrong. I also didn't notice any Debian patches to the
file, so I suppose it could be an upstream issue, but I'm not sure.
Please, let me know if I can provide any assistance in resolving the bug.
-- Package-specific info:
Exim version 4.69 #1 built 30-Sep-2008 18:55:37
Copyright (c) University of Cambridge 2006
Berkeley DB: Berkeley DB 4.6.21: (September 27, 2007)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch
ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='internet'
dc_other_hostnames='iguanasuicide.net;iguanasuicide.org;iguanasuicide.com'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='172.20.0.0/16'
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='dovecot_lda'
mailname:iguanasuicide.net
-- System Information:
Debian Release: 5.0.1
APT prefers stable
APT policy: (900, 'stable'), (700, 'testing'), (500, 'unstable'), (300, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.24-19-xen (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages exim4-daemon-heavy depends on:
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii exim4-base 4.69-9 support files for all Exim MTA (v4
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libdb4.6 4.6.21-11 Berkeley v4.6 Database Libraries [
ii libgnutls26 2.4.2-6+lenny1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libmysqlclient15off 5.0.51a-24+lenny1 MySQL database client library
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l
ii libpcre3 7.6-2.1 Perl 5 Compatible Regular Expressi
ii libperl5.10 5.10.0-19 Shared Perl library
ii libpq5 8.3.7-0lenny1 PostgreSQL C client library
ii libsasl2-2 2.1.22.dfsg1-23 Cyrus SASL - authentication abstra
ii libsqlite3-0 3.5.9-6 SQLite 3 shared library
exim4-daemon-heavy recommends no packages.
exim4-daemon-heavy suggests no packages.
-- debconf information:
exim4-daemon-heavy/drec:
--- End Message ---
--- Begin Message ---
In <[email protected]>, Boyd Stephen Smith Jr. wrote:
>In <[email protected]>, Graeme Fowler wrote:
>>On Thu, 2009-05-28 at 21:32 -0500, Boyd Stephen Smith Jr. wrote:
>>> Notice that the port varies, for some reason.
>>
>>That's in response to the ClamAV API STREAM command, which is used for
>>TCP connections to the scanning daemon. You make a connection and then
>>this happens:
>>
>>Client: STREAM
>>Server: PORT 12345
>>
>>The client then opens a connection to port 12345 and streams the message
>>down it for ClamAV to scan.
>
>That is unfortunate. Is there any way to restrict ClamAV to only one port
> for that? Or possibly an iptables conntrack helper to load?
This got me looking in the right direction. You can control which ports
this secondary connection is on through the simple use of clamd.conf.
Specifically, the StreamMinPort and StreamMaxPort options.
This might not even be an issue in the future, since the INSTREAM command is
supported by modern clamd.
Thanks for the help; sorry for the noise.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
[email protected] ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
--- End Message ---
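The STREAM exchange Graeme Fowler describes, together with the INSTREAM alternative the reply mentions, as an added example that is not code from the thread, Exim or ClamAV: a constructed mock clamd (not the real daemon) plus a client that performs both exchanges over loopback, so the second connection and its separate port are visible. Port numbers are chosen by the OS at run time, and the mock always answers "stream: OK".

```python
import socket
import struct
import threading

def start_mock_clamd():
    """Constructed stand-in for clamd: serves one scan request in a thread."""
    ctl, data = socket.socket(), socket.socket()
    for s in (ctl, data):          # ctl stands in for clamd's 3310; data for the
        s.bind(("127.0.0.1", 0))   # StreamMinPort..StreamMaxPort port clamd hands out
        s.listen(1)

    def serve():
        conn, _ = ctl.accept()
        f = conn.makefile("rb")
        cmd = f.readline().strip()
        if cmd == b"STREAM":
            # Legacy STREAM: name a second port and read the message body there
            conn.sendall(b"PORT %d\n" % data.getsockname()[1])
            dconn, _ = data.accept()
            dconn.makefile("rb").read()   # body runs until the client closes
            dconn.close()
        elif cmd == b"INSTREAM":
            # INSTREAM: <4-byte big-endian length><chunk>... ; zero length ends
            for n in iter(lambda: struct.unpack(">I", f.read(4))[0], 0):
                f.read(n)
        conn.sendall(b"stream: OK\n")    # a real clamd reports FOUND here
        conn.close(); ctl.close(); data.close()

    threading.Thread(target=serve, daemon=True).start()
    return ctl.getsockname()[1], data.getsockname()[1]

def scan_via_stream(host, port, message):
    """Legacy exchange; returns (data_port_used, verdict)."""
    with socket.create_connection((host, port)) as ctl:
        ctl.sendall(b"STREAM\n")
        data_port = int(ctl.recv(64).split()[1])      # reply is b"PORT 12345\n"
        with socket.create_connection((host, data_port)) as data:
            data.sendall(message)                     # the second, varying-port hop
        return data_port, ctl.recv(64).strip().decode()

def scan_via_instream(host, port, message, chunk=2048):
    """Modern exchange: the whole scan rides on the one control connection."""
    with socket.create_connection((host, port)) as ctl:
        ctl.sendall(b"INSTREAM\n")
        for i in range(0, len(message), chunk):
            piece = message[i:i + chunk]
            ctl.sendall(struct.pack(">I", len(piece)) + piece)
        ctl.sendall(struct.pack(">I", 0))
        return ctl.recv(64).strip().decode()
```

The port returned by scan_via_stream is the one a firewall between Exim and clamd must allow, which is exactly what pinning StreamMinPort and StreamMaxPort in clamd.conf makes predictable; INSTREAM needs no such rule.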