byrnejb at harte-lyne
Apr 15, 2012, 10:11 AM
Post #3 of 4
On Sun, April 15, 2012 11:08, G.W. Haywood wrote:
Re: Howto: Allow logwatch reports through clamav?
[In reply to]
> Hi there,
> On Sat, 14 Apr 2012, James B. Byrne wrote:
>> I have several MX servers running ClamAV in conjunction
>> with MailScanner and Sendmail or Amavisd-new and
>> These machines forward logwatch reports to a central
>> email address on a daily basis. The delivery hub
>> also has clamd running.
>> ... certain reports are being categorized as phishing
>> messages by clamd and thus the report never arrives.
> Could you disable the phishing checks on the hub?
That is what I ended up having to do, but only for the URL
checks. PhishingScanURLs no. The problem appears to be
that the logwatch report module for mailscanner sends the
actual phishing urls trapped at the gateway as part of the
report, with the results witnessed at the hub.
>> I have looked at the MailScanner rules and removed the
>> report delivery address from virus_scanning.
> It sounds reasonable, although I'd have said that in
> principle it would be better to whitelist a sender
> address, one which you only use internally and so will
> probably never be forged. That way you can
> change where you send the reports without changing your
> mail server's other configuration. However I've never
> used MailScanner and I can't claim to know.
The originating address was already whitelisted. In the
event exempting the delivery address also had little
>> Is there a way to avoid this for either one delivery
>> address or one senders address?
> To do this you need to work on the mail server
> configuration, not on clamd's configuration.
As it turns out, when I successfully removed the delivery
address from mailscanner's attention clamd caught the same
file on disk in any case. The only change was that the
clamd log entry moved from /var/log/maillog to
>> I have no desire to change things on a system-wide
>> basis. Is clamd actually scanning the same files twice?
> Well it does sound like you're scanning both on the mail
> exchangers and on the mail hub, which seems like a waste,
> but I don't think that's your question.
We have internal mail which does not pass through our
external MX hosts. Some of these are MicroSoft systems
and it is considered best to assume that these are a
potential source of compromise and thus everything needs
to be checked, incoming and outgoing, at the hub.
>> ... once when passed by MailScanner and then again
>> simply because the file is on disk?
> No, clamd only scans what it's told to scan by other
> software. By itself it does absolutely nothing except
> consume resources, by loading a database and sitting
> around as a process waiting for connections.
Well, I cannot seem to find a way to prevent clamd from
scanning those messages so in the end I had to partially
turn off the phishing checks in clamd itself. I cannot
identify any resident filesystem scanner that uses clamd
but I find it odd that the clamd messages moved from
maillog to messages after I stopped scanning email to the
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB [at] Harte-Lyne
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net