Virus notification question

Mark Martinec Mark.Martinec+amavis at
Tue Feb 14 16:32:49 CET 2012


> Following is an excerpt from my mail log when a virus is detected
> by amavisd-new-2.7.0 and amavisd-milter-1.5.0.
> What might be wrong with my config?
> $inet_socket_port = 10026;   # listen on this local TCP port(s)
> $notify_method  = 'smtp:[]:10026';
> Feb 12 12:22:28 mustang amavis[9071]: (09071) Request: AM.PDP  
>   /var/amavis/tmp/afq1C1qKLZ012522:
>   <anonymous at> -> <sdc at>
> Feb 12 12:22:28 mustang amavis[9071]: (09071)
>   Checking: cM4dH5-zzumM AM.PDP-SOCK []
>   <anonymous at> -> <sdc at>
> Feb 12 12:22:28 mustang amavis[9070]: (09070-04) ESMTP::10026 
>   /var/amavis/tmp/amavis-20120212T122228-09070-52jpecv4:
>   <virusalert at> -> <virusalert at>
>   ENVID=AM.09071.20120212T015228Z at 
> Feb 12 12:22:29 mustang amavis[9070]: (09070-04) Passed CLEAN
>   {AcceptedInternal}, ORIGINATING
>   <virusalert at> -> <virusalert at>,
>   Message-ID: <VAcM4dH5-zzumM at>, 
>   mail_id: BciVU7H-sYYI, Hits: 0, size: 2410, 868 ms
> Feb 12 12:22:29 mustang amavis[9070]: (09070-04) (!!)TROUBLE in 
> The "smtp server" at 10026 is amavisd.

This isn't right:

  $inet_socket_port = 10026;
  $notify_method = 'smtp:[]:10026';

Notifications as generated by amavisd are not supposed to be
fed back to itself. They should be fed to an MTA, preferably on a
port where content filtering is disabled, otherwise one runs a risk
of blocking one's own notifications.

In the case of Postfix this is achieved by having a dedicated smtpd service
(often on port 10025) which has content filtering disabled, e.g. by
cleaning these two options on a service:
  -o smtpd_milters=
  -o content_filter=

I'm not sure what is the most convenient way to do so with sendmail.
One clean way is to have two MTA instances, where the front-end
instance has content filtering enabled, while the back-end instance
has it disabled. The $notify_method should then point to the second
MTA instance.

What happened in your case was that the notification was fed via the SMTP
protocol back to amavisd, where a policy bank sitting on that
port did not have $forward_method configured, so amavisd
did not know how to forward the message - which should explain
the message you received.
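
The following check is an added example, not part of the original post or of amavisd: it scans amavisd.conf-style text and reports any $notify_method or $forward_method that delivers back to a port amavisd itself listens on, which is the loop diagnosed above. Applying the check to $forward_method goes beyond the case in the post. The sample configs are constructed, the host 127.0.0.1 is an assumption (the address is blank in the post), and only the bracketed 'smtp:[host]:port' form is parsed.

```python
import re

# Constructed sample reproducing the misconfiguration in this thread.
# The host 127.0.0.1 is an assumption; the address is blank in the post.
BAD_CONF = """
$inet_socket_port = 10026;   # listen on this local TCP port(s)
$notify_method  = 'smtp:[127.0.0.1]:10026';
"""

# Constructed corrected config: notifications go to an MTA port
# (10025, as mentioned in the reply) that has content filtering disabled.
GOOD_CONF = """
$inet_socket_port = [10024, 10026];
$forward_method = 'smtp:[127.0.0.1]:10025';
$notify_method  = 'smtp:[127.0.0.1]:10025';
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def strip_comments(text):
    # Drop Perl-style trailing comments; adequate for simple assignments.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def listen_ports(conf):
    """Ports amavisd listens on ($inet_socket_port as a scalar or a list)."""
    m = re.search(r"\$inet_socket_port\s*=\s*([^;]+);", conf)
    return {int(p) for p in re.findall(r"\d+", m.group(1))} if m else set()

def delivery_targets(conf):
    """Yield (setting, host, port) for smtp:/lmtp: forward and notify methods."""
    pat = r"\$(forward_method|notify_method)\s*=\s*'(?:smtp|lmtp):\[([^\]]*)\]:(\d+)'"
    for name, host, port in re.findall(pat, conf):
        yield name, host, int(port)

def find_loops(text):
    """Return settings that deliver mail back to amavisd's own listening port."""
    conf = strip_comments(text)
    ports = listen_ports(conf)
    return [(name, port) for name, host, port in delivery_targets(conf)
            if port in ports and host in LOOPBACK]

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(label, find_loops(conf))
```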

