295609 Re: need to purge clamav from postfix configuration

  • DTNX Postmaster
    Sep 21, 2013
      On Sep 21, 2013, at 18:02, David Benfell <dbenfell@...> wrote:

      > On 09/21/2013 07:36 AM, Scott Kitterman wrote:
      >> On Saturday, September 21, 2013 03:34:57 David Benfell wrote:
      >>> Hi all,
      >>> As near as I can tell debian's clamav is just broken. It keeps
      >>> whining about clamd.ctl and nothing I can find on the web fixes
      >>> it.
      >> You didn't post your original configuration, so I don't know what
      >> your original problem was. If you're using a Unix socket and
      >> having a Debian specific problem, it's probably a matter of the
      >> socket not being available in the chroot that postfix, on Debian,
      >> uses by default. Assuming this was your original problem, there
      >> are three ways to solve it:
      >> 1. Make the socket available in the chroot (/var/spool/postfix/).
      >> 2. Take postfix out of the chroot.
      >> 3. Use TCP sockets instead.
      > The lines I had taken out in main.cf, based on something I found on
      > the web, are:
      > #content_filter = scan:
      > #receive_override_options = no_address_mappings
      > And out of master.cf are:
      > # inet n - n - 16 smtpd
      > #-o content_filter=
      > #-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      > #-o smtpd_helo_restrictions=
      > #-o smtpd_client_restrictions=
      > #-o smtpd_sender_restrictions=
      > #-o smtpd_recipient_restrictions=permit_mynetworks,reject
      > #-o mynetworks_style=host
      > #-o smtpd_authorized_xforward_hosts=
      > I think of the three choices you offer, I would prefer to take postfix
      > out of the chroot. Postfix's configuration is already far more
      > complicated than I can even begin to make any sense of, the
      > configuration, copied over from a hosed Arch installation (thanks
      > systemd upgrade), was not written for it (looking at
      > https://we.riseup.net/debian/authenticated-smtp it appears the
      > question becomes what else do I need to do to kill the chroot), and I
      > would prefer to move in the direction of simplicity.
      >> I use the Debian clamav packages every day. I also maintain them
      >> for the distro. If you are having problems, I encourage you to
      >> file bugs in the Debian BTS. I do look at them and try to solve
      >> them.
      > If this were back in the 1970s or early 1980s, when I was a
      > programmer, I might be able to discern what is and is not a bug. The
      > world has moved quite a ways since then, often leaving me in a state
      > of fury, because what everybody else thinks is correct behavior I see
      > as absolutely broken. (And systemd on Arch is not the example I would
      > choose here: it may be a good idea but it's just not stable yet, it
      > obscures far too much, and it's a mistake for me to rely on it.)
      > There's no reconciling those worldviews. I can't tell a bug from
      > design behavior these days. I just want it to work so I can go back to
      > focusing on my Ph.D. program which is *not* technology related.

      While the desire to have it 'just work' is recognizable, you cannot
      expect it to always do so if you copy bits and pieces from here to
      there without understanding what they actually do. Especially if you
      have copied an older configuration from a different distro that may
      have its own quirks.

      We use Postfix on Debian in its 'stock' Debian chroot setup, with
      clamav-milter as the bridge between Postfix and clamd. This requires no
      configuration in 'master.cf' and only two lines in 'main.cf':

      smtpd_milters = unix:/clamav/clamav-milter.ctl
      milter_default_action = accept

      Permissions is where it gets tricky, because the socket needs to be
      writable by both processes. As our own ClamAV setup is up for review
      anyway, I don't mind writing up a bit of a how-to for it that you can
      use to reimplement virus scanning with ClamAV, if you are still
      interested in doing so?

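The chroot path mapping and the socket permission problem discussed in the message above can be checked mechanically. The following is an added example, not part of the original thread or of Postfix or ClamAV; the function names are hypothetical, and it assumes the chroot is /var/spool/postfix as named in the thread.

```python
import os
import stat

CHROOT = "/var/spool/postfix"  # Debian's Postfix chroot, as named in the thread


def resolve_milter_socket(spec, chroot=CHROOT):
    """Map a 'unix:/path' smtpd_milters value, as a chrooted smtpd sees it,
    to the real filesystem path where clamav-milter must create the socket."""
    if not spec.startswith("unix:"):
        raise ValueError("not a unix-domain milter endpoint: %r" % spec)
    root = os.path.normpath(chroot)
    path = os.path.normpath(os.path.join(root, spec[5:].lstrip("/")))
    if not path.startswith(root + os.sep):
        raise ValueError("%r resolves outside the chroot" % spec)
    return path


def _has_bit(st, uid, gids, owner_bit, group_bit, other_bit):
    # Unix semantics: the first matching class decides, with no fall-through.
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def check_socket(spec, uid, gids, chroot=CHROOT):
    """List what would stop a process with uid/gids from using the socket."""
    path = resolve_milter_socket(spec, chroot)
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    problems = []
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("%s is not a socket" % path)
    elif not _has_bit(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        problems.append("%s is not writable by uid %d" % (path, uid))
    # Each directory from the socket up to the chroot root needs search (x).
    root, d = os.path.normpath(chroot), os.path.dirname(path)
    while True:
        if not _has_bit(os.stat(d), uid, gids,
                        stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append("%s is not searchable by uid %d" % (d, uid))
        if d == root:
            break
        d = os.path.dirname(d)
    return problems
```

On a real host, pass the uid and group ids of the account smtpd runs as, for example from `pwd.getpwnam("postfix")` and `os.getgrouplist()`, and an empty list means the socket named in `smtpd_milters` is reachable from inside the chroot.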