Problems Setting up Amavis - Messages Unchecked

Mark Martinec Mark.Martinec+amavis at ijs.si
Wed Apr 4 11:40:58 CEST 2012 

Schiz0,

> I'm setting up an email server on FreeBSD. I have Postfix configured,
> Dovecot, and Squirrelmail. I then wanted to add virus filtering via
> ClamAV and spam filtering via SpamAssassin, both being run through
> amavis-new. I installed everything through the FreeBSD ports system. I
> also followed various tutorials I've found through google.
> 
> Here's the software information:
> ===>>> p5-Mail-SpamAssassin-3.3.2_6
> ===>>> clamav-0.97.4
> ===>>> dovecot-1.2.17
> ===>>> mutt-1.4.2.3_6
> ===>>> postfix-2.9.1,1
> FreeBSD sub.domain.com 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Thu Feb 16
> 11:20:09 EST 2012     root at hostname:/usr/obj/usr/src/sys/KERNEL  amd64
> 
> The problem is, all incoming mail seems to be marked **UNCHECKED** in
> the subject. In addition, when I read my logs, amavis seems to be
> having problems detecting ClamAV (Is this related to the UNCHECKED?)

Yes, failure of all virus scanners results in **UNCHECKED**
That is new with 2.7.0:

amavisd-new-2.7.0 release notes
COMPATIBILITY WITH 2.6.4 / 2.6.5 / 2.6.6
- a failure of all virus scanners no longer automatically tempfails the
  operation, but flags a message with a CC_UNCHECKED contents category
  (just like a failure of decoders/dearchivers), and allows the usual
  controls (*_destiny, *_quarantine_*) to be used to choose behaviour.
  The $virus_scanners_failure_is_fatal=1 reverts to previous behaviour,
  see below; 

> Here is a snip from my mail.log (which logs postfix and amavis) when I
> send myself a mail from gmail to my server.
> http://pastebin.com/0swTuaT1
> 
> Here is my amavisd.conf configuration file
> http://pastebin.com/VDYmcedB

> Apr  3 23:45:12 hostname amavis[65898]: (65898-01) (!)run_av (ClamAV-clamd)
> FAILED - unexpected , output="/var/amavis/tmp/amavis-20120403T234512-65898-
> msThX8GE/parts: lstat() failed: Permission denied. ERROR\n"

Clamd reported that it can't access the mail file.

In clamd.conf you need:
  AllowSupplementaryGroups yes

and in /etc/group you need to add clamav to a group vscan:
  vscan:*:110:clamav

This is documented in the amavis INSTALL file:

- some virus scanners run as daemons or change UID when checking files.
  It is easiest to run such virus scanners under the same UID/GID (or at least
  within the same group) as amavisd, to avoid file permission problems
  when virus scanner reads files prepared for checking by amavisd daemon.
  Some virus scanners may require write permission to the $TEMPBASE directory
  to be able to create auxiliary files there.

  If a different UID is preferred for an AV scanner, a solution for ClamAV
  is to add user clamav to the amavis group (e.g.:  vscan:*:110:clamav
  in a file /etc/group), and then add:  AllowSupplementaryGroups yes
  to clamd.conf.

> Another issue I just remembered - I have tried to enable DKIM signing
> of mails. I setup the DNS record and followed instructions using
> amavis genrsa/showkeys/testkeys. However, when I send a mail to one of
> the various DKIM testing systems, it says my key does not validate. My
> DNS record exists properly, when I view the raw body of the mail the
> DKIM header exists. But for some reason, it is not validating. Any
> ideas come to mind?

Let's see a sample: send a signed mail, either to the list, or to me directly.

  Mark

More information about the amavis-users mailing list