amavis -> clamav: Scan mail or only parts?

Patrick Ben Koetter p at sys4.de
Tue Feb 16 14:06:57 CET 2016


Does amavis tell clamav to scan the mail (header + body) or only parts of it?

I specified @keep_decoded_original_maps on a Debian 2.10.1 install to "retain
full original message for virus checking" like this:

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

From this I would suspect amavis to tell clamav to scan the whole mail, which
I assume to be stored in $tempdir/email.txt. But I don't see that, when I look
at the communication that takes place between amavis and clamav.

From what I read from the recorded tcpdump session (see below) amavis tells
clamd to

- CONTSCAN /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p004
- CONTSCAN /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p002

There's no CONTSCAN
/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/email.txt (although
it would work as I tested manually).

Did I miss something? Is my assumption amavis will let clamav scan the
complete message, wrong?

Thanks

p at rick




13:51:34.667566 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [S], seq 4241060098, win 43690, options [mss 65495,sackOK,TS val 2109639026 ecr 0,nop,wscale 7], length 0
13:51:34.667588 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [S.], seq 3782527681, ack 4241060099, win 43690, options [mss 65495,sackOK,TS val 2109639026 ecr 2109639026,nop,wscale 7], length 0
13:51:34.667601 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [.], ack 1, win 342, options [nop,nop,TS val 2109639026 ecr 2109639026], length 0
13:51:34.668699 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 2109639026 ecr 2109639026], length 73
    CONTSCAN /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts

13:51:34.668729 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [.], ack 74, win 342, options [nop,nop,TS val 2109639026 ecr 2109639026], length 0
13:51:34.671151 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [P.], seq 1:98, ack 74, win 342, options [nop,nop,TS val 2109639027 ecr 2109639026], length 97
    /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p004: VirusDB: FOUND

13:51:34.671176 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [.], ack 98, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 0
13:51:34.671608 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [P.], seq 98:195, ack 74, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 97
    /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p002: VirusDB: FOUND

13:51:34.671624 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [.], ack 195, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 0
13:51:34.671743 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [F.], seq 195, ack 74, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 0
13:51:34.671917 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [F.], seq 74, ack 196, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 0
13:51:34.671938 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [.], ack 75, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 0


-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
 
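As an added example (not the poster's code and not part of amavis or ClamAV), here is a small Python client and reply parser for the clamd CONTSCAN exchange seen in the capture above, useful for checking on your own box which paths clamd actually reports on. It assumes clamd listens on 127.0.0.1:3310 and accepts the newline-terminated command form the capture shows; the sample reply is constructed from the two FOUND lines in the capture plus an invented clean part p001, and the tmpdir path is the one from the capture.

```python
import socket
from typing import Dict, List, Tuple

# Constructed sample reply, modelled on the two clamd answers in the capture
# above; the p001 line is made up here to show the verdict for a clean part.
SAMPLE_REPLY = (
    "/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p004: VirusDB: FOUND\n"
    "/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p002: VirusDB: FOUND\n"
    "/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p001: OK\n"
)

def parse_contscan_reply(reply: str) -> Dict[str, Tuple[str, str]]:
    """Map each path in a CONTSCAN reply to (verdict, detail).
    clamd answers with one line per scanned file: '<path>: OK',
    '<path>: <signature> FOUND' or '<path>: <error text> ERROR'. CONTSCAN
    recurses, so a scan of parts/ gives one line per decoded MIME part."""
    results: Dict[str, Tuple[str, str]] = {}
    for line in reply.splitlines():
        if not line.strip():
            continue
        path, sep, status = line.partition(": ")  # amavis part paths hold no ': '
        if not sep:
            raise ValueError(f"unexpected clamd line: {line!r}")
        verdict = status.rsplit(" ", 1)[-1]  # OK, FOUND or ERROR
        detail = status[: len(status) - len(verdict)].rstrip(" :")
        results[path] = (verdict, detail)
    return results

def infected_paths(results: Dict[str, Tuple[str, str]]) -> List[str]:
    """Paths clamd reported as FOUND, in reply order."""
    return [p for p, (verdict, _) in results.items() if verdict == "FOUND"]

def whole_message_scanned(results: Dict[str, Tuple[str, str]], tmpdir: str) -> bool:
    """True only if clamd reported on <tmpdir>/email.txt, i.e. the full
    original message was scanned rather than only the decoded parts."""
    return f"{tmpdir.rstrip('/')}/email.txt" in results

def contscan(path: str, host: str = "127.0.0.1", port: int = 3310) -> Dict[str, Tuple[str, str]]:
    """Send a newline-terminated CONTSCAN, as amavis does in the capture, and
    parse clamd's reply; clamd closes the connection when it is done."""
    with socket.create_connection((host, port), timeout=30) as sock:
        sock.sendall(f"CONTSCAN {path}\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_contscan_reply(b"".join(chunks).decode(errors="replace"))
```

Running contscan() against the tmpdir of a retained message and then whole_message_scanned() on the result tells you directly whether email.txt was among the files clamd reported on.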

