Virus notification question

Mark Martinec Mark.Martinec+amavis at ijs.si
Tue Feb 14 16:32:49 CET 2012


Stephen,

> Following is an excerpt from my mail log when a virus is detected
> by amavisd-new-2.7.0 and amavisd-milter-1.5.0.
> What might be wrong with my config?
[...] 
> $inet_socket_port = 10026;   # listen on this local TCP port(s)
> $notify_method  = 'smtp:[127.0.0.1]:10026';
[...]
> Feb 12 12:22:28 mustang amavis[9071]: (09071) Request: AM.PDP  
>   /var/amavis/tmp/afq1C1qKLZ012522:
>   <anonymous at unitary.ru> -> <sdc at sdc.com.au>
> Feb 12 12:22:28 mustang amavis[9071]: (09071)
>   Checking: cM4dH5-zzumM AM.PDP-SOCK [81.176.77.242]
>   <anonymous at unitary.ru> -> <sdc at sdc.com.au>
[...]
> Feb 12 12:22:28 mustang amavis[9070]: (09070-04) ESMTP::10026 
>   /var/amavis/tmp/amavis-20120212T122228-09070-52jpecv4:
>   <virusalert at sdc.com.au> -> <virusalert at sdc.com.au>
>   ENVID=AM.09071.20120212T015228Z at mustang.sdc.com.au 
[...]
> Feb 12 12:22:29 mustang amavis[9070]: (09070-04) Passed CLEAN
>   {AcceptedInternal}, ORIGINATING
>   <virusalert at sdc.com.au> -> <virusalert at sdc.com.au>,
>   Message-ID: <VAcM4dH5-zzumM at mustang.sdc.com.au>, 
>   mail_id: BciVU7H-sYYI, Hits: 0, size: 2410, 868 ms
> Feb 12 12:22:29 mustang amavis[9070]: (09070-04) (!!)TROUBLE in 
> process_request: NOT ALL RECIPIENTS DONE, EMPTY DELIVERY_METHOD!
> 
> The "smtp server" at 10026 is amavisd.


This isn't right:

  $inet_socket_port = 10026;
  $notify_method = 'smtp:[127.0.0.1]:10026';

Notifications as generated by amavisd are not supposed to be
fed back to itself. They should be fed to an MTA, preferably on a
port where content filtering is disabled, otherwise one runs a risk
of blocking own notifications.

In case of Postfix this is achieved by having a dedicated smtpd service
(often on port 10025) which has content filtering disabled, e.g. by
cleaning these two options on a service:
  -o smtpd_milters=
  -o content_filter=

I'm not sure what is the most convenient way to do so with sendmail.
One clean way is to have two MTA instances, where the front-end
instance has content filtering enabled, while the back-end instance
has it disabled. The $notify_method should then point to the second
MTA instance.

What happened in your case was that the notification was fed via the
SMTP protocol back to amavisd, where a policy bank sitting on that
port did not have $forward_method configured, so amavisd
did not know how to forward the message, which should explain
the message you received.

  Mark
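A small check for the loop described above, added here as an example and not part of the original post or of amavisd itself. It reads the two settings Stephen quoted ($inet_socket_port, which amavisd accepts as a single port or a list, and $notify_method / $forward_method in the smtp:[host]:port form), and reports any delivery method that points back at a port amavisd is listening on via the loopback interface. The sample configuration is constructed to reproduce the misconfiguration in the post; the function names are this example's own.

```python
import re

# Constructed excerpt of an amavisd.conf reproducing the post's setup:
# amavisd listens on 10026 and notifications are sent back to 10026.
SAMPLE_CONF = """
$inet_socket_port = 10026;   # listen on this local TCP port(s)
$notify_method  = 'smtp:[127.0.0.1]:10026';
$forward_method = 'smtp:[127.0.0.1]:10025';
"""

# Hosts for which a matching port number means amavisd is talking to itself.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

# Scalar or list form:  $inet_socket_port = 10024;   /   = [10024, 10026];
_LISTEN_RE = re.compile(r"^\s*\$inet_socket_port\s*=\s*(\[?[\d,\s]+\]?)\s*;", re.M)
# $notify_method / $forward_method = 'smtp:[host]:port';
_METHOD_RE = re.compile(
    r"^\s*\$(notify_method|forward_method)\s*=\s*'smtp:\[([^\]]+)\]:(\d+)'", re.M)


def listen_ports(conf):
    """Return the set of TCP ports amavisd itself listens on."""
    ports = set()
    for m in _LISTEN_RE.finditer(conf):
        ports.update(int(p) for p in re.findall(r"\d+", m.group(1)))
    return ports


def smtp_methods(conf):
    """Return {'notify_method': (host, port), ...} for smtp: delivery methods."""
    return {m.group(1): (m.group(2), int(m.group(3)))
            for m in _METHOD_RE.finditer(conf)}


def find_loops(conf):
    """Names of delivery methods that feed amavisd's own output back into amavisd.

    Such a method lands on a policy bank that has no $forward_method, which is
    the 'NOT ALL RECIPIENTS DONE, EMPTY DELIVERY_METHOD' failure in the post.
    """
    own = listen_ports(conf)
    return sorted(name for name, (host, port) in smtp_methods(conf).items()
                  if host in LOOPBACK_HOSTS and port in own)


if __name__ == "__main__":
    for name in find_loops(SAMPLE_CONF):
        host, port = smtp_methods(SAMPLE_CONF)[name]
        print(f"${name} points at amavisd's own port {port} on {host}; "
              f"point it at the MTA's re-injection port instead")
```

Run against the constructed sample it reports $notify_method only; $forward_method, which points at 10025 (the usual Postfix re-injection service with content filtering disabled), passes. The check is deliberately limited to the loopback host set, since the same port number on a remote host is not a loop.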

