CLOSED: Re: amavis -> clamav: Scan mail or only parts?

Patrick Ben Koetter p at sys4.de
Tue Feb 16 15:18:08 CET 2016


Answering my own question: The last part (here: p004) contains the message in
full. It was sent as the first part to be inspected.

p@rick

* Patrick Ben Koetter <p at sys4.de>:
> Does amavis tell clamav to scan the mail (header + body) or only parts of it?
> 
> I specified @keep_decoded_original_maps on a Debian 2.10.1 install to "retain
> full original message for virus checking" like this:
> 
> @keep_decoded_original_maps = (new_RE(
>   qr'^MAIL$',   # retain full original message for virus checking (can be slow)
>   qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> ));
> 
> From this I would suspect amavis to tell clamav to scan the whole mail, which
> I assume to be stored in $tempdir/email.txt. But I don't see that, when I look
> at the communication that takes place between amavis and clamav.
> 
> From what I read from the recorded tcpdump session (see below) amavis tells
> clamd to 
> 
> - CONTSCAN /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p004
> - CONTSCAN /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p002
> 
> There's no CONTSCAN
> /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/email.txt (although
> it would work as I tested manually).
> 
> Did I miss something? Is my assumption amavis will let clamav scan the
> complete message, wrong?
> 
> Thanks
> 
> p@rick
> 
> 
> 
> 
> 13:51:34.667566 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [S], seq 4241060098, win 43690, options [mss 65495,sackOK,TS val 2109639026 ecr 0,nop,wscale 7], length 0
> E..<.p@.@.DI..............q..........0.........
> }..r........
> 13:51:34.667588 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [S.], seq 3782527681, ack 4241060099, win 43690, options [mss 65495,sackOK,TS val 2109639026 ecr 2109639026,nop,wscale 7], length 0
> E..<..@.@.<..............t....q......0.........
> }..r}..r....
> 13:51:34.667601 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [.], ack 1, win 342, options [nop,nop,TS val 2109639026 ecr 2109639026], length 0
> E..4.q@.@.DP..............q..t.....V.(.....
> }..r}..r
> 13:51:34.668699 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 2109639026 ecr 2109639026], length 73
> E..}.r@.@.D...............q..t.....V.q.....
> }..r}..rCONTSCAN /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts
> 
> 13:51:34.668729 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [.], ack 74, win 342, options [nop,nop,TS val 2109639026 ecr 2109639026], length 0
> E..4C.@.@................t....qL...V.(.....
> }..r}..r
> 13:51:34.671151 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [P.], seq 1:98, ack 74, win 342, options [nop,nop,TS val 2109639027 ecr 2109639026], length 97
> E...C.@.@................t....qL...V.......
> }..s}..r/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p004: VirusDB: FOUND
> 
> 13:51:34.671176 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [.], ack 98, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 0
> E..4.s@.@.DN..............qL.t.#...V.(.....
> }..s}..s
> 13:51:34.671608 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [P.], seq 98:195, ack 74, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 97
> E...C.@.@................t.#..qL...V.......
> }..s}..s/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p002: VirusDB: FOUND
> 
> 13:51:34.671624 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [.], ack 195, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 0
> E..4.t@.@.DM..............qL.t.....V.(.....
> }..s}..s
> 13:51:34.671743 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [F.], seq 195, ack 74, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 0
> E..4C.@.@................t....qL...V.(.....
> }..s}..s
> 13:51:34.671917 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [F.], seq 74, ack 196, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 0
> E..4.u@.@.DL..............qL.t.....V.(.....
> }..s}..s
> 13:51:34.671938 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [.], ack 75, win 342, options [nop,nop,TS val 2109639027 ecr 2109639027], length 0
> E..4C.@.@................t....qM...V.(.....
> }..s}..s
> 
> 
> -- 
> [*] sys4 AG
>  
> https://sys4.de, +49 (89) 30 90 46 64
> Franziskanerstraße 15, 81669 München
>  
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer
> Aufsichtsratsvorsitzender: Florian Kirstein
>  

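The exchange in the capture above, reconstructed as an added example; this is my code, not something from the original post, from amavis or from ClamAV. It pulls the clamd commands and the per-file answers out of a tcpdump -A dump. Read that way, the capture shows a single CONTSCAN on the parts directory: amavis never names p004 or p002 itself, clamd walks the directory and reports one line per file it opened, which is why those two paths show up in the replies. The block also contains the check that settles the question in the thread, comparing each file under parts/ with email.txt to find the retained ^MAIL$ copy. SAMPLE_DUMP reuses the lines and paths from the capture (headers shortened); the "p001: OK" line and the work directory built by demo_full_message_lookup() are constructed. contscan() needs a live clamd and is not run offline; note that CONTSCAN passes a path rather than file content, so clamd has to run where it can read the amavis work directory.

```python
"""Reconstruct an amavis -> clamd exchange from a tcpdump -A capture.

Added example, not code from the original post, amavis or ClamAV. It parses
the clamd commands and per-file results, and adds the check that answers the
question in the thread: which file under the per-message work directory is
the retained copy of the whole message. SAMPLE_DUMP reuses the paths from the
capture; the "p001: OK" line and the demo work directory are constructed.
"""
from __future__ import annotations

import re
import socket
import tempfile
from dataclasses import dataclass
from pathlib import Path

# clamd answers one line per file: "<path>: <signature> FOUND", "<path>: OK" or
# "<path>: <reason> ERROR". In tcpdump -A output leftover TCP option bytes sit in
# front of the payload, so the path is anchored on its leading "/" instead of ^.
RESULT_RE = re.compile(r"(?P<path>/[^\s:]+): (?:(?P<detail>.+) )?(?P<status>OK|FOUND|ERROR)\s*$")
COMMAND_RE = re.compile(r"[zn]?(?P<cmd>SCAN|CONTSCAN|MULTISCAN) (?P<path>/\S+)")  # z/n = NUL/newline framing

WORKDIR = "/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB"

# Payload lines from the capture in the post (headers shortened) plus a constructed OK line.
SAMPLE_DUMP = """\
13:51:34.668699 IP localhost.localdomain.60081 > localhost.localdomain.3310: Flags [P.], seq 1:74, ack 1, win 342, length 73
E..}.r@.@.D...............q..t.....V.q.....
}..r}..rCONTSCAN /var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts
13:51:34.671151 IP localhost.localdomain.3310 > localhost.localdomain.60081: Flags [P.], seq 1:98, ack 74, win 342, length 97
E...C.@.@................t....qL...V.......
}..s}..r/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p004: VirusDB: FOUND
}..s}..s/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p002: VirusDB: FOUND
}..s}..s/var/lib/amavis/tmp/amavis-20160216T131521-08377-MZJAqZlB/parts/p001: OK
"""

@dataclass(frozen=True)
class ScanResult:
    path: str
    status: str          # "OK", "FOUND" or "ERROR"
    detail: str | None   # signature name for FOUND, reason for ERROR, else None

def parse_exchange(dump: str) -> tuple[list[tuple[str, str]], list[ScanResult]]:
    """Return (commands, results) from tcpdump -A text or raw clamd output."""
    commands: list[tuple[str, str]] = []
    results: list[ScanResult] = []
    for line in dump.splitlines():
        if m := COMMAND_RE.search(line):
            commands.append((m["cmd"], m["path"]))
        elif m := RESULT_RE.search(line):
            results.append(ScanResult(m["path"], m["status"], m["detail"]))
    return commands, results

def verdict(results: list[ScanResult]) -> str:
    """Example policy (not amavis's): any FOUND wins, then any ERROR, else clean."""
    if any(r.status == "FOUND" for r in results):
        return "INFECTED"
    if any(r.status == "ERROR" for r in results):
        return "ERROR"
    return "CLEAN"

def files_reported_under(target: str, results: list[ScanResult]) -> list[str]:
    """Files clamd reported beneath a CONTSCAN target. With a directory target
    amavis never names the part files; clamd's reply is the only record of them."""
    prefix = target.rstrip("/") + "/"
    return [r.path for r in results if r.path.startswith(prefix)]

def full_message_named_directly(commands, results, workdir: str) -> bool:
    """True only if <workdir>/email.txt itself was sent to, or reported by, clamd."""
    email_txt = workdir.rstrip("/") + "/email.txt"
    return any(p == email_txt for _, p in commands) or any(r.path == email_txt for r in results)

def find_full_message_parts(parts_dir: Path, original: Path) -> list[Path]:
    """Part files whose content contains the original message byte for byte. With
    @keep_decoded_original_maps matching ^MAIL$ this is how the whole message
    reaches clamd: as one more file under parts/, not as email.txt."""
    want = original.read_bytes()
    return sorted(p for p in parts_dir.iterdir() if p.is_file() and want in p.read_bytes())

def demo_full_message_lookup() -> list[str]:
    """Constructed work directory in the amavis layout; returns the part names
    holding the full message (p004 here, mirroring the post)."""
    original = b"From: a@example.test\r\nSubject: test\r\n\r\nhello\r\n"  # constructed message
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        (work / "email.txt").write_bytes(original)
        parts = work / "parts"
        parts.mkdir()
        (parts / "p001").write_bytes(b"hello\r\n")               # decoded text body only
        (parts / "p002").write_bytes(b"MZ\x90\x00constructed")   # some attachment
        (parts / "p004").write_bytes(original)                    # the retained ^MAIL$ copy
        return [p.name for p in find_full_message_parts(parts, work / "email.txt")]

def contscan(path: str, host: str = "127.0.0.1", port: int = 3310, timeout: float = 30.0) -> list[ScanResult]:
    """Send CONTSCAN to a live clamd and parse the reply. CONTSCAN carries a path,
    not content, so clamd must be able to read that path (same host, read access
    to the amavis work directory). Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"nCONTSCAN {path}\n".encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return parse_exchange(b"".join(chunks).decode(errors="replace"))[1]
```

Running parse_exchange(SAMPLE_DUMP) gives one command, ("CONTSCAN", WORKDIR + "/parts"), and three results, and full_message_named_directly() comes back False for it, which is exactly the observation in the post: email.txt is never handed to clamd, the retained copy of the message travels as one of the part files instead. To verify the same thing on a real box, point find_full_message_parts() at a kept amavis work directory (e.g. after setting $keep_tmp or inspecting one while amavis has it open).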