
Mailing List Archive: exim: users

Exim 4.69- defer message on malware scanner failure

 

 



juergen.edner at telejeck

Nov 6, 2009, 11:45 AM

Post #1 of 3 (722 views)

Hello,
I'm currently trying to optimize my Exim configuration a little bit,
especially the malware ACL part. At the moment incoming messages,
which have been marked as malware, are forwarded to a shared folder for
verification purposes. This process works very well.

Some days ago I realized that messages are not temporarily deferred
if the malware scanner ClamAV is not running but are forwarded to
the end user without being checked at all.

Now I wonder how I need to modify the ACL part to make sure that
this doesn't happen anymore. Is there any reliable way to find
out if the malware scanner is running or not?

This is the currently used ACL part:

acl_check_data:
  warn log_message = This message contains malware ($malware_name)
       malware = *

  warn message = X-Redirect-To: virus [at] domain
       malware = *
  ...

Thank you in advance for your help!

Regards
Juergen
--
GPG Key available

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users at spodhuis

Nov 6, 2009, 4:30 PM

Post #2 of 3 (673 views)
Re: Exim 4.69- defer message on malware scanner failure

On 2009-11-06 at 20:45 +0100, Juergen Edner wrote:
> Hello,
> I'm currently trying to optimize my Exim configuration a little bit,
> especially the malware ACL part. At the moment incoming messages,
> which have been marked as malware, are forwarded to a shared folder for
> verification purposes. This process works very well.
>
> Some days ago I realized that messages are not temporarily deferred
> if the malware scanner ClamAV is not running but are forwarded to
> the end user without being checked at all.
>
> Now I wonder how I need to modify the ACL part to make sure that
> this doesn't happen anymore. Is there any reliable way to find
> out if the malware scanner is running or not?
>
> This is the currently used ACL part:
>
> acl_check_data:
> warn log_message = This message contains malware ($malware_name)
> malware = *
>
> warn message = X-Redirect-To: virus [at] domain
> malware = *
> ...

Something more is going on here and you'll need to provide logs for
where this happens.

By default, "malware = *" should be deferring if it can't talk to the
malware scanner. You need to explicitly say "malware = */defer_ok" if
it's acceptable to continue on without scanning.

-Phil



juergen.edner at telejeck

Dec 2, 2009, 9:19 AM

Post #3 of 3 (560 views)
Re: Exim 4.69- defer message on malware scanner failure

Hello Phil,

>> > Some days ago I realized that messages are not temporarily deferred
>> > if the malware scanner ClamAV is not running but are forwarded to
>> > the end user without being checked at all.
>> >
>> > Now I wonder how I need to modify the ACL part to make sure that
>> > this doesn't happen anymore. Is there any reliable way to find
>> > out if the malware scanner is running or not?
>> >
>> > This is the currently used ACL part:
>> >
>> > acl_check_data:
>> > warn log_message = This message contains malware ($malware_name)
>> > malware = *
>> >
>> > accept
>> > ...
>
> Something more is going on here and you'll need to provide logs for
> where this happens.
>
> By default, "malware = *" should be deferring if it can't talk to the
> malware scanner. You need to explicitly say "malware = */defer_ok" if
> it's acceptable to continue on without scanning.

that's exactly how I understood the function.

Therefore I've stopped the malware scanner and have run a test with
the Eicar test virus. Although the malware acl condition returns a
'deferred' the warn statement is skipped and the next acl statement
is processed.
After reading through the acl documentation several times I thought
it should instantly defer the message on a malware scanner failure
without processing any further statements.

This is the related debug trace:

22650 using ACL "acl_check_data"
22650 processing "warn"
22650 check malware = *
22650 LOG: MAIN PANIC
22650 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamd (No such file or directory)
22650 warn: condition test deferred
22650 LOG: MAIN
22650 H=host.test.lan (mail.domain.de) [192.168.6.11] Warning: ACL "warn" statement skipped: condition test deferred
22650 processing "warn"
22650 warn: condition test succeeded
22650 processing "accept"
22650 accept: condition test succeeded

Thanks
Juergen
--
Mail: juergen.edner [at] telejeck
GPG Key available
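
Added example, not part of the thread and not Exim's own code: a Python check over an Exim debug trace in the format shown in the last post, flagging ACL runs where a `malware` condition deferred inside a `warn` statement and the run still ended in `accept`. The name `find_fail_open` and the finding fields are hypothetical; the sample input is the trace from the post with its wrapped lines rejoined.

```python
import re

# Sample input: the debug trace from the post above, wrapped lines rejoined.
TRACE = """\
22650 using ACL "acl_check_data"
22650 processing "warn"
22650 check malware = *
22650 LOG: MAIN PANIC
22650 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamd (No such file or directory)
22650 warn: condition test deferred
22650 LOG: MAIN
22650 H=host.test.lan (mail.domain.de) [192.168.6.11] Warning: ACL "warn" statement skipped: condition test deferred
22650 processing "warn"
22650 warn: condition test succeeded
22650 processing "accept"
22650 accept: condition test succeeded
"""

PID_LINE = re.compile(r"^(\d+)\s+(.*)$")

def find_fail_open(trace):
    """Report ACL runs where a malware check deferred inside a 'warn'
    statement (so it was skipped) and the run still reached 'accept'."""
    runs, findings = {}, []   # runs: pid -> state of the ACL run in progress
    for raw in trace.splitlines():
        m = PID_LINE.match(raw)
        if not m:
            continue
        pid, text = m.group(1), m.group(2).strip()
        if text.startswith('using ACL "'):
            runs[pid] = {"acl": text.split('"')[1], "check": "",
                         "skipped": [], "error": None}
            continue
        run = runs.get(pid)
        if run is None:
            continue
        if text.startswith('processing "'):
            run["check"] = ""              # new statement, forget last condition
        elif text.startswith("check "):
            run["check"] = text[len("check "):]
        elif text.startswith("malware acl condition:"):
            run["error"] = text.split(":", 1)[1].strip()
        elif text == "warn: condition test deferred" and run["check"].startswith("malware"):
            run["skipped"].append(run["check"])
        elif text == "accept: condition test succeeded" and run["skipped"]:
            findings.append({"pid": pid, "acl": run["acl"],
                             "skipped": run["skipped"], "error": run["error"]})
            del runs[pid]
    return findings
```

A deferral under a verb other than `warn` is not reported, because the trace on this page only shows the skip-and-continue behaviour for `warn`.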
