1 (edited by tyllee 2016-08-11 16:01:30)

Topic: Clamav not working with "AllowSupplementaryGroups true" in clamd.conf

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version:  Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue: /var/log/mail.log
====

ps -ef|grep clamd
root      2505  1774  0 09:10 pts/2    00:00:00 nano /etc/clamav/clamd.conf
root      3338  2614  0 09:31 pts/4    00:00:00 grep clcmd

ClamAV version on Debian 8: 0.99.2

The problem seems to be:
AllowSupplementaryGroups true
in clamd.conf

Commenting out the clamd.conf line with "AllowSupplementaryGroups true" and restarting service worked.

Is this any problem for iRedMail?


/var/log/mail.log

Aug 11 09:17:17 iRedMailSrv amavis[2500]: (02500-10) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: No such file or directory
Aug 11 09:17:18 iRedMailSrv amavis[2500]: (02500-10) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: No such file or directory
Aug 11 09:17:18 iRedMailSrv amavis[2500]: (02500-10) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (2)
Aug 11 09:17:24 iRedMailSrv amavis[2500]: (02500-10) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: No such file or directory
Aug 11 09:17:24 iRedMailSrv amavis[2500]: (02500-10) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 103) line 613.\n
Aug 11 09:17:24 iRedMailSrv amavis[2500]: (02500-10) (!)WARN: all primary virus scanners failed, considering backups

CLAMD is not running:

Configurations

/etc/clamav/clamd.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
AllowSupplementaryGroups true
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
ScanOnAccess false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
StatsEnabled false
StatsPEDisabled true
StatsHostID auto
StatsTimeout 10
StreamMaxLength 25M
#LogFile /var/log/clamav/clamav.log
LogTime true
#LogFileUnlock false
#LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000

/etc/amavis/conf.d/50-user

use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

#
#       IREDMAIL 0.9.5 implementation
#       http://www.iredmail.org/docs/upgrade.ir … 0.9.5.html
#
# Custom short log template (at log_level 0), add SpamAssassin testing result (Tests: [xxx])
#
# Note: You can find the original log template at the bottom of
#       /usr/sbin/amavisd-new.
$log_templ = '
[?%#D|#|Passed #
[? [:ccat|major] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER-[:ccat|minor]|SPAMMY|SPAM|\
UNCHECKED[?[:ccat|minor]||-ENCRYPTED|]|BANNED (%F)|INFECTED (%V)]#
{[:actions_performed]}#
,[?%p|| %p][?%a||[?%l|| LOCAL] [:client_addr_port]][?%e|| \[%e\]] [:mail_addr_decode_octets|%s] -> [%D|[:mail_addr_decode_octets|%D]|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: [:mail_addr_decode_octets|%m]]#
[? %r ||, Resent-Message-ID: [:mail_addr_decode_octets|%r]]#
[? %i ||, mail_id: %i]#
, Hits: [:SCORE]#
, size: %z#
[? [:partition_tag] ||, pt: [:partition_tag]]#
[~[:remote_mta_smtp_response]|["^$"]||[", queued_as: "]]\
[remote_mta_smtp_response|[~%x|["queued as ([0-9A-Za-z]+)$"]|["%1"]|["%0"]]|/]#
#, Subject: [:dquote|[:mime2utf8|[:header_field_octets|Subject]|100|1]]#
#, From: [:uquote|[:mail_addr_decode_octets|[:rfc2822_from]]]#
[? [:dkim|sig_sd]    ||, dkim_sd=[:dkim|sig_sd]]#
[? [:dkim|newsig_sd] ||, dkim_new=[:dkim|newsig_sd]]#
, %y ms#
[? %#T ||, Tests: \[[%T|,]\]]#
]
[?%#O|#|Blocked #
[? [:ccat|major|blocking] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER-[:ccat|minor]|SPAMMY|SPAM|\
UNCHECKED[?[:ccat|minor]||-ENCRYPTED|]|BANNED (%F)|INFECTED (%V)]#
{[:actions_performed]}#
,[?%p|| %p][?%a||[?%l|| LOCAL] [:client_addr_port]][?%e|| \[%e\]] [:mail_addr_decode_octets|%s] -> [%O|[:mail_addr_decode_octets|%O]|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: [:mail_addr_decode_octets|%m]]#
[? %r ||, Resent-Message-ID: [:mail_addr_decode_octets|%r]]#
[? %i ||, mail_id: %i]#
, Hits: [:SCORE]#
, size: %z#
[? [:partition_tag] ||, pt: [:partition_tag]]#
#, Subject: [:dquote|[:mime2utf8|[:header_field_octets|Subject]|100|1]]#
#, From: [:uquote|[:mail_addr_decode_octets|[:rfc2822_from]]]#
[? [:dkim|sig_sd]    ||, dkim_sd=[:dkim|sig_sd]]#
[? [:dkim|newsig_sd] ||, dkim_new=[:dkim|newsig_sd]]#
, %y ms#
[? %#T ||, Tests: \[[%T|,]\]]#
]';

#
##       IREDMAIL 0.9.5 implementation END
#


#------------ Do not modify anything below this line -------------
#{1}


chomp($mydomain = "iRedMailSrv");
@local_domains_maps = 1;
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

# listen on multiple TCP ports. 9998 is used for releasing quarantined mails.
$inet_socket_port = [10024, 10026, 9998];

# Enable virus check.
@bypass_virus_checks_maps = (
   \%bypass_virus_checks,
   \@bypass_virus_checks_acl,
   $bypass_virus_checks_re,
   );

# Enable spam check.
@bypass_spam_checks_maps = (
    \%bypass_spam_checks,
    \@bypass_spam_checks_acl,
    $bypass_spam_checks_re,
    );

$mailfrom_notify_admin = "root\@$mydomain";
$mailfrom_notify_recip = "root\@$mydomain";
$mailfrom_notify_spamadmin = "root\@$mydomain";

# Mail notify.
$mailfrom_notify_admin     = "root\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "root\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "root\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

# Disable defang banned mail.
$defang_banned = 0;  # MIME-wrap passed mail containing banned name

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
  allow_disclaimers => 1,  # enables disclaimer insertion if available
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
    originating => 1,  # declare that mail was submitted by our smtp client
    allow_disclaimers => 1,  # enables disclaimer insertion if available

    # notify administrator of locally originating malware
    virus_admin_maps => ["root\@$mydomain"],
    spam_admin_maps  => [],
    bad_header_admin_maps => [],
    banned_admin_maps => ["root\@$mydomain"],
    warnbadhsender   => 1,
    warnbannedsender => 1,

    # force MTA conversion to 7-bit (e.g. before DKIM signing)
    #smtpd_discard_ehlo_keywords => ['8BITMIME'],

    # don't remove NOTIFY=SUCCESS option
    terminate_dsn_on_notify_success => 0,

    # don't perform spam/virus/header check.
    #bypass_spam_checks_maps => [1],    # spam
    #bypass_header_checks_maps => [1],  # bad header
    #bypass_virus_checks_maps => [1],   # virus
    #bypass_banned_checks_maps => [1],  # banned file names and types
};

# Set hostname.
$myhostname = "iRedMailSrv";
$localhost_name = $myhostname;

# Set listen IP/PORT.
$notify_method  = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';

@av_scanners = (
    #### http://www.clamav.net/
    ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

@av_scanners_backup = (
    ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
    ['ClamAV-clamscan', 'clamscan',
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

#
# Port used to release quarantined mails.
#
$interface_policy{'9998'} = 'AM.PDP-INET';
$policy_bank{'AM.PDP-INET'} = {
    protocol => 'AM.PDP',       # select Amavis policy delegation protocol
    inet_acl => [qw( 127.0.0.1 [::1] )],    # restrict access to these IP addresses
    auth_required_release => 1,    # 0 - don't require secret_id for amavisd-release
    #log_level => 4,
    #always_bcc_by_ccat => {CC_CLEAN, 'admin@example.com'},
};

# Set default action.
# Available actions: D_PASS, D_BOUNCE, D_REJECT, D_DISCARD.
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;

#########################
# Quarantine mails.
#

# Where to store quarantined mail message:
#   - 'local:spam-%i-%m', quarantine mail on local file system.
#   - 'sql:', quarantine mail in SQL server specified in @storage_sql_dsn.
#   - undef, do not quarantine mail.

# Bad header.
$bad_header_quarantine_method = undef;
#$bad_header_quarantine_method = 'sql:';
#$bad_header_quarantine_to = 'bad-header-quarantine';

# SPAM.
$spam_quarantine_method = undef;
#$spam_quarantine_method = 'sql:';
#$spam_quarantine_to = 'spam-quarantine';

# Virus
$virus_quarantine_to     = 'virus-quarantine';
$virus_quarantine_method = 'sql:';

# Banned
$banned_files_quarantine_method = undef;
#$banned_files_quarantine_method = 'sql:';
#$banned_quarantine_to = 'banned-quarantine';

#########################
# Quarantine CLEAN mails.
# Don't forget to enable clean quarantine in policy bank 'MYUSERS'.
#
#$clean_quarantine_method = 'sql:';
#$clean_quarantine_to = 'clean-quarantine';

$sql_allow_8bit_address = 1;
$timestamp_fmt_mysql = 1;

# a string to prepend to Subject (for local recipients only) if mail could
# not be decoded or checked entirely, e.g. due to password-protected archives
#$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it
$undecipherable_subject_tag = undef;
# Hope to fix 'nested MAIL command' issue on high load server.
$smtp_connection_cache_enable = 0;

# The default set of header fields to be signed can be controlled
# by setting %signed_header_fields elements to true (to sign) or
# to false (not to sign). Keys must be in lowercase, e.g.:
# 0 -> off
# 1 -> on
$signed_header_fields{'received'} = 0;
$signed_header_fields{'to'} = 1;

# Add dkim_key here.
dkim_key("iredmail.domain", "dkim", "/var/lib/dkim/iredmail.domain.pem");




# Note that signing mail for subdomains with a key of a parent
# domain is treated by recipients as a third-party key, which
# may 'hold less merit' in their eyes. If one has a choice,
# it is better to publish a key for each domain (e.g. host1.a.cn)
# if mail is really coming from it. Sharing a pem file
# for multiple domains may be acceptable, so you don't need
# to generate a different key for each subdomain, but you
# do need to publish it in each subdomain. It is probably
# easier to avoid sending addresses like host1.a.cn and
# always use a parent domain (a.cn) in 'From:', thus
# avoiding the issue altogether.
#dkim_key("host1.iredmail.domain", "dkim", "/var/lib/dkim/iredmail.domain.pem");
#dkim_key("host3.iredmail.domain", "dkim", "/var/lib/dkim/iredmail.domain.pem");

# Add new dkim_key for other domain.
#dkim_key('Your_New_Domain_Name', 'dkim', 'Your_New_Pem_File');

@dkim_signature_options_bysender_maps = ( {
    # ------------------------------------
    # For domain: iredmail.domain.
    # ------------------------------------
    # 'd' defaults to a domain of an author/sender address,
    # 's' defaults to whatever selector is offered by a matching key

    #'postmaster@iredmail.domain'    => { d => "iredmail.domain", a => 'rsa-sha256', ttl =>  7*24*3600 },
    #"spam-reporter@iredmail.domain"    => { d => "iredmail.domain", a => 'rsa-sha256', ttl =>  7*24*3600 },

    # explicit 'd' forces a third-party signature on foreign (hosted) domains
    "iredmail.domain"      => { d => "iredmail.domain", a => 'rsa-sha256', ttl => 10*24*3600 },


        #"host1.iredmail.domain"  => { d => "host1.iredmail.domain", a => 'rsa-sha256', ttl => 10*24*3600 },
        #"host2.iredmail.domain"  => { d => "host2.iredmail.domain", a => 'rsa-sha256', ttl => 10*24*3600 },
        # ---- End domain: iredmail.domain ----

        # catchall defaults
        '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
    } );
    # ------------ Disclaimer Setting ---------------
    # Uncomment this line to enable signing disclaimer in outgoing mails.
    #$defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];

    # Program used to sign disclaimer in outgoing mails.
    $altermime = '/usr/bin/altermime';

    # Disclaimer in plain text format.
    @altermime_args_disclaimer = qw(--disclaimer=/etc/postfix/disclaimer/_OPTION_.txt --disclaimer-html=/etc/postfix/disclaimer/_OPTION_.txt --force-for-bad-html);

    @disclaimer_options_bysender_maps = ({
        # Per-domain disclaimer setting: /etc/postfix/disclaimer/host1.iredmail.org.txt
        #'host1.iredmail.org' => 'host1.iredmail.org',

        # Sub-domain disclaimer setting: /etc/postfix/disclaimer/iredmail.org.txt
        #'.iredmail.org'      => 'iredmail.org',

        # Per-user disclaimer setting: /etc/postfix/disclaimer/boss.iredmail.org.txt
        #'boss@iredmail.org'  => 'boss.iredmail.org',

        # Catch-all disclaimer setting: /etc/postfix/disclaimer/default.txt
        '.' => 'default',
    },);
    # ------------ End Disclaimer Setting ---------------
    # Reporting and quarantining.
    @storage_sql_dsn = (
        ['DBI:mysql:database=amavisd;host=127.0.0.1;port=3306', 'amavisd', 'Qg1irwrO6neGO3LhifVonCraQTUU0k'],
    );

    # Lookup for per-recipient, per-domain and global policy.
    @lookup_sql_dsn = @storage_sql_dsn;
    # Don't send email with subject "UNCHECKED contents in mail FROM xxx".
    delete $admin_maps_by_ccat{&CC_UNCHECKED};

    # Do not notify administrator about SPAM/VIRUS from remote servers.
    $virus_admin = undef;
    $spam_admin = undef;
    $banned_admin = undef;
    $bad_header_admin = undef;

    # Num of pre-forked children.
    # WARNING: it must match (equal to or larger than) the number set in
    # /etc/postfix/master.cf "maxproc" column for the 'smtp-amavis' service.
    $max_servers = 2;

    # Enable DKIM signing/verification
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1;

    # Amavisd log level. Verbosity: 0, 1, 2, 3, 4, 5, -d.
    $log_level = 0;
    # SpamAssassin debugging (requires $log_level). Default is off (0).
    $sa_debug = 0;

    # Listen on specified addresses.
    $inet_socket_bind = ['127.0.0.1'];

    # Selectively disable some of the header checks
    #
    # Duplicate or multiple occurrence of a header field
    $allowed_header_tests{'multiple'} = 0;

    # Missing some headers. e.g. 'Date:'
    $allowed_header_tests{'missing'} = 0;

    1;  # insure a defined return


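As an added example, not part of tyllee's post or of iRedMail, here is a small POSIX shell check that turns the mail.log excerpt above into detection logic: it counts the clamd connect failures amavis logs, the `av-scanner FAILED` events and the "all primary virus scanners failed" warnings, and reports when amavis has fallen back to its backup scanner, which is the symptom to alert on when clamd quietly fails to start. The sample log lines are constructed after the ones in the post (hostname, PIDs and socket path are the post's; the final clean line is made up).

```shell
#!/bin/sh
# Added example (not from the forum post or iRedMail): detect, from amavis
# log lines, that clamd is unreachable and amavis has fallen back to clamscan.

# Write a constructed sample log modelled on the lines quoted in the post.
write_sample_mail_log() {
  cat >"$1" <<'EOF'
Aug 11 09:17:17 iRedMailSrv amavis[2500]: (02500-10) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: No such file or directory
Aug 11 09:17:18 iRedMailSrv amavis[2500]: (02500-10) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: No such file or directory
Aug 11 09:17:18 iRedMailSrv amavis[2500]: (02500-10) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (2)
Aug 11 09:17:24 iRedMailSrv amavis[2500]: (02500-10) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: No such file or directory
Aug 11 09:17:24 iRedMailSrv amavis[2500]: (02500-10) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 103) line 613.
Aug 11 09:17:24 iRedMailSrv amavis[2500]: (02500-10) (!)WARN: all primary virus scanners failed, considering backups
Aug 11 09:17:31 iRedMailSrv amavis[2500]: (02500-10) Passed CLEAN (constructed line, no scanner error)
EOF
}

# Count, for one log file: socket connect failures, scanner FAILED events
# and fall-back warnings. Prints "<connect> <failed> <fallback>".
clamd_failure_counts() {
  awk '
    /amavis\[[0-9]+\]: .*\(!\)connect to .*clamd\.ctl failed/ { c++ }
    /amavis\[[0-9]+\]: .*av-scanner FAILED/                  { f++ }
    /all primary virus scanners failed/                      { w++ }
    END { printf "%d %d %d\n", c, f, w }
  ' "$1"
}

# Exit 0 when the log shows clamd down (a scanner FAILED event or a fall-back
# warning), 1 otherwise; usable from cron or a monitoring check.
clamd_unreachable_in_log() {
  # Unquoted on purpose: split the three counts into $1 $2 $3.
  set -- $(clamd_failure_counts "$1")
  [ "$2" -gt 0 ] || [ "$3" -gt 0 ]
}
```

Run it as `clamd_unreachable_in_log /var/log/mail.log && echo "clamd down"`; the connect-failure count alone is noisy (amavis retries before giving up), so the exit status keys on the FAILED and fall-back lines, which only appear once amavis has actually switched to the slower `clamscan` backup configured in `@av_scanners_backup`.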
2

Re: Clamav not working with "AllowSupplementaryGroups true" in clamd.conf

The latest ClamAV doesn't support this parameter anymore; you have to either comment it out or remove it.

3

Re: Clamav not working with "AllowSupplementaryGroups true" in clamd.conf

ZhangHuangbin wrote:

The latest ClamAV doesn't support this parameter anymore; you have to either comment it out or remove it.

No need to downgrade?

Are there no functions in iRedMail that depend on this parameter?

4

Re: Clamav not working with "AllowSupplementaryGroups true" in clamd.conf

It's just used by ClamAV; if ClamAV doesn't support it, just remove it.
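To make the advice in this thread repeatable, here is an added POSIX shell example (my own code, not iRedMail's or ClamAV's): it lints a clamd.conf for directives the installed clamd no longer accepts, writes a copy with those lines commented out rather than deleted, and checks that the daemon's local socket exists after a restart. Only `AllowSupplementaryGroups` and the socket path `/var/run/clamav/clamd.ctl` come from the thread; the directive list is an assumption to extend for the ClamAV version in use, and the miniature config is constructed.

```shell
#!/bin/sh
# Added example (not iRedMail's or ClamAV's code): lint clamd.conf for
# directives the installed clamd rejects, disable them in a copy, then verify.

# Directives treated as unsupported. AllowSupplementaryGroups is the one from
# the thread; the list is an assumption, extend it for your ClamAV version.
UNSUPPORTED_DIRECTIVES="AllowSupplementaryGroups"

# Constructed miniature clamd.conf containing the offending line and an
# already commented-out copy of it, which must be left alone.
write_sample_clamd_conf() {
  cat >"$1" <<'EOF'
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
User clamav
AllowSupplementaryGroups true
#AllowSupplementaryGroups true
ScanMail true
EOF
}

# Print "<line>:<text>" for each active line whose directive is unsupported.
# Returns 1 if any were found, 0 if the file is clean (lint-style exit code).
clamd_conf_unsupported() {
  _conf="$1"
  _found=0
  for _d in $UNSUPPORTED_DIRECTIVES; do
    # Directive at line start (leading blanks allowed) followed by its value;
    # lines already commented out with '#' do not match.
    if grep -n -E "^[[:space:]]*${_d}[[:space:]]" "$_conf"; then
      _found=1
    fi
  done
  return "$_found"
}

# Write a copy of the config with unsupported directives commented out and
# marked, so the change shows up in a diff. The source file is not modified.
clamd_conf_disable_unsupported() {
  _src="$1"; _dst="$2"
  shift 2
  for _d in $UNSUPPORTED_DIRECTIVES; do
    set -- "$@" -e "s/^([[:space:]]*)(${_d}[[:space:]])/\\1# unsupported by installed clamd: \\2/"
  done
  sed -E "$@" "$_src" >"$_dst"
}

# Post-restart check: the UNIX socket amavis connects to must exist. The
# default path is the LocalSocket / @av_scanners value from the thread.
clamd_socket_present() {
  [ -S "${1:-/var/run/clamav/clamd.ctl}" ]
}
```

Typical use is `clamd_conf_unsupported /etc/clamav/clamd.conf`, then `clamd_conf_disable_unsupported /etc/clamav/clamd.conf /tmp/clamd.conf.new`, a `diff` of the two, installing the copy, restarting clamav-daemon and finally `clamd_socket_present`. Note that the header of the posted clamd.conf says the file is generated by the clamav-daemon postinst and rewritten by `dpkg-reconfigure clamav-daemon`, so re-run the lint after any reconfigure.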