Patrick Domack via amavis-users amavis-users at amavis.org
Tue Apr 15 19:55:19 CEST 2014


Did you check apparmor permissions?

Quoting Alexander Dalloz via amavis-users <amavis-users at amavis.org>:

> Hello,
>
> I have some questions about the interoperability between amavisd-new and
> helper tools like the Kaspersky anti-virus solution. I am facing problems
> which I have already summarized in a post on the Kaspersky forum:
>
> http://forum.kaspersky.com/index.php?showtopic=293506
>
> I hope it is ok to reference that other posting.
>
> There had been a posting in January 2014 on this mailing list about more or
> less the same problem situation:
>
> http://lists.amavis.org/pipermail/amavis-users/2014-January/002737.html
>
> Unfortunately it hadn't much response and in fact no solution.
>
> From what I have found and tested it feels to be more an amavisd-new issue
> than a Kaspersky software problem. Information about the Debian Wheezy
> amavisd-new version and its Perl helper modules, which I haven't added to
> the Kaspersky forum post, are these:
>
> Apr 15 14:18:06 ikes19 amavis[3125]: logging initialized, log level 2,
> syslog: amavis.mail
> Apr 15 14:18:06 ikes19 amavis[3125]: starting. /usr/sbin/amavisd-new at
> iskeg03.iske.net amavisd-new-2.7.1 (20120429), Unicode aware
> , LANG="en_GB.UTF-8"
> Apr 15 14:18:06 ikes19 amavis[3125]: perl=5.014002, user=, EUID: 106
> (106);  group=, EGID: 110 110 (110 110)
> Apr 15 14:18:07 ikes19 amavis[3125]: INFO: no optional modules:
> Unix::Getrusage
> Apr 15 14:18:07 ikes19 amavis[3125]: SpamControl: scanner SpamAssassin,
> module Amavis::SpamControl::SpamAssassin
> Apr 15 14:18:07 ikes19 amavis[3125]: INFO: SA version: 3.3.2, 3.003002, no
> optional modules: Net::CIDR::Lite Encode::Detect Razor2::
> Client::Agent IP::Country::Fast Image::Info Image::Info::GIF
> Image::Info::JPEG Image::Info::PNG Image::Info::BMP Image::Info::TIFF Ma
> il::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech
> Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::
> Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6
> Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod
> Mail::SPF::Mod::Ex
> p Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech
> Mail::SPF::v1::Record Mail::SPF::v2::Record auto::NetAddr::IP::full6
> auto::Net
> Addr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::inet_n2ad
> auto::NetAddr::IP::Util::inet_any2n auto::NetAddr::IP::Util::ipv6_aton
> Apr 15 14:18:07 ikes19 amavis[3125]: SpamControl: init_pre_chroot on
> SpamAssassin done
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: Process Backgrounded
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: 2014/04/15-14:18:07
> Amavis (type Net::Server::PreForkSimple) starting! pid(3174)
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: Binding to UNIX socket
> file "/var/lib/amavis/amavisd.sock"
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: Binding to TCP port
> 10022 on host 127.0.0.1 with IPv4
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: Binding to TCP port
> 10024 on host 127.0.0.1 with IPv4
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: Group Not Defined.
> Defaulting to EGID '110 110'
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: User Not Defined.
> Defaulting to EUID '106'
> Apr 15 14:18:07 ikes19 amavis[3174]: config files read:
> /usr/share/amavis/conf.d/10-debian_scripts,
> /usr/share/amavis/conf.d/20-pack
> age, /etc/amavis/conf.d/01-debian, /etc/amavis/conf.d/05-domain_id,
> /etc/amavis/conf.d/05-node_id, /etc/amavis/conf.d/15-av_scanners,
>  /etc/amavis/conf.d/15-content_filter_mode,
> /etc/amavis/conf.d/20-debian_defaults,
> /etc/amavis/conf.d/25-amavis_helpers, /etc/amavis/
> conf.d/30-template_localization, /etc/amavis/conf.d/50-user
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Amavis::Conf        2.303
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Archive::Zip        1.30
> Apr 15 14:18:07 ikes19 amavis[3174]: Module BerkeleyDB          0.51
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Compress::Zlib      2.033
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Convert::TNEF       0.17
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Convert::UUlib      1.4
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Crypt::OpenSSL::RSA 0.28
> Apr 15 14:18:07 ikes19 amavis[3174]: Module DB_File             1.821
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Digest::MD5         2.51
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Digest::SHA         5.61
> Apr 15 14:18:07 ikes19 amavis[3174]: Module File::Temp          0.22
> Apr 15 14:18:07 ikes19 amavis[3174]: Module IO::Socket::INET6   2.69
> Apr 15 14:18:07 ikes19 amavis[3174]: Module MIME::Entity        5.503
> Apr 15 14:18:07 ikes19 amavis[3174]: Module MIME::Parser        5.503
> Apr 15 14:18:07 ikes19 amavis[3174]: Module MIME::Tools         5.503
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Mail::DKIM::Signer  0.39
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Mail::DKIM::Verifier 0.39
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Mail::Header        2.09
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Mail::Internet      2.09
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Mail::SpamAssassin  3.003002
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Net::DNS            0.66
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Net::Server         2.006
> Apr 15 14:18:07 ikes19 amavis[3174]: Module NetAddr::IP         4.062
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Socket6             0.23
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Time::HiRes         1.972101
> Apr 15 14:18:07 ikes19 amavis[3174]: Module URI                 1.60
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Unix::Syslog        1.1
> Apr 15 14:18:07 ikes19 amavis[3174]: Amavis::DB code      loaded
>
> Perl's Net::Server is a central component as far as I know and takes care
> of binding to the defined ports. Which part is responsible for the EGID
> and EUID used by the amavisd-new processes? It looks like there is a main
> issue. Why else would there be an error
>
> Apr 14 17:14:29 ikes19 amavis[4265]: (04265-01) (!)connect to
> /var/run/klms/rds_av failed, attempt #1: Can't connect to UNIX socket
> /var/run/klms/rds_av: Permission denied
>
> when the amavisd-new daemon runs as amavis:amavis (106:110) and the UNIX
> permissions for the Kaspersky socket including the complete path are as
> outlined in the forum post:
>
> # ls -ld / /var /var/run /var/run/klms
> drwxr-xr-x 24 root root 4096 Mar 27 16:24 /
> drwxr-xr-x 11 root root 4096 Mar 27 16:16 /var
> lrwxrwxrwx 1 root root 4 Mar 24 16:00 /var/run -> /run
> drwxrwx--- 2 kluser klusers 1980 Apr 14 18:25 /var/run/klms
> # ls -al /var/run/klms/rds_av
> srw-rw---- 1 kluser klusers 0 Apr 14 17:47 /var/run/klms/rds_av
>
> # getent group klusers
> klusers:x:111:kluser,amavis
>
> The amavis user is part of the klusers group.
>
> The other error situation, where the on-demand Kaspersky scanner
> fails with "Can't connect to facade", seems to originate from the same
> permissions situation.
>
> # ls -al /var/run/klms/facade
> srwxr-xr-x 1 kluser klusers 0 Apr 14 17:47 /var/run/klms/facade
>
> amavisd-new isn't set up to run chrooted, while Postfix is (as in Debian's
> default configuration).
>
> How to debug this further? I would be really grateful if someone more
> intimate with amavisd-new could comment on this and if my report does not
> end in the same way as the January posts by Jakob Curdes.
>
> I am a long-time user of amavisd-new and hadn't such problems so far using
> ClamAV. It's the first time that I use the Kaspersky Security 8.0 for Linux
> Mail Server product (the anti-virus part only) as a helper for
> amavisd-new.
>
> Kind regards
>
> Alexander
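
An added example, not part of either poster's message: a small evaluator for the classic UNIX mode bits along the socket path, using the `ls` rows quoted above. The two group sets are assumptions built from the post (the `EGID: 110 110` startup log line and the `getent group klusers` output); ACLs and root's bypass are not modelled.

```python
# Added example: evaluate classic UNIX (DAC) permission bits for a socket path.
# Rows are copied from the `ls` output in the post: (path, mode, owner, group).
KLMS_DIRS = [
    ("/", "drwxr-xr-x", "root", "root"),
    ("/var", "drwxr-xr-x", "root", "root"),
    # /var/run is a symlink to /run; the mode of /run is not shown in the post.
    ("/var/run/klms", "drwxrwx---", "kluser", "klusers"),
]
RDS_AV = ("/var/run/klms/rds_av", "srw-rw----", "kluser", "klusers")
FACADE = ("/var/run/klms/facade", "srwxr-xr-x", "kluser", "klusers")


def class_bits(mode, owner, group, user, groups):
    """Return the rwx triplet that applies: owner, else group, else other."""
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]


def dac_blocker(dirs, sock, user, groups):
    """Return the first path whose mode bits deny access, or None if DAC allows it.

    Directories need search (x); connect() to a UNIX socket on Linux needs write (w).
    """
    for path, mode, owner, group in dirs:
        if "x" not in class_bits(mode, owner, group, user, groups):
            return path
    path, mode, owner, group = sock
    if "w" not in class_bits(mode, owner, group, user, groups):
        return path
    return None


# Group IDs in the startup log line "EGID: 110 110" (110 = amavis per the post).
LOGGED = {"amavis"}
# Group set implied by `getent group klusers` (gid 111 lists amavis as a member).
FROM_GETENT = {"amavis", "klusers"}

if __name__ == "__main__":
    for label, groups in (("logged", LOGGED), ("getent", FROM_GETENT)):
        for sock in (RDS_AV, FACADE):
            print(label, sock[0], "->", dac_blocker(KLMS_DIRS, sock, "amavis", groups))
```

A `None` result means the mode bits permit the connect; a remaining "Permission denied" then points at another layer, such as the AppArmor profile asked about in the reply.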




