
Re: need to purge clamav from postfix configuration

  • Wietse Venema
    Message 1 of 14 , Sep 21, 2013
      David Benfell:
      > As near as I can tell debian's clamav is just broken. It keeps whining
      > about clamd.ctl and nothing I can find on the web fixes it.
      >
      > So fine. It's broken. I want it gone.
      >
      > I tried commenting out the lines in master.cf and main.cf. But now it
      > complains about connection refused on port 10026.

      Some messages still need to be filtered. To "clear" that flag:

      # postsuper -r ALL

      Wietse
    • Scott Kitterman
      Message 2 of 14 , Sep 21, 2013
        On Saturday, September 21, 2013 03:34:57 David Benfell wrote:
        > Hi all,
        >
        > As near as I can tell debian's clamav is just broken. It keeps whining
        > about clamd.ctl and nothing I can find on the web fixes it.

        You didn't post your original configuration, so I don't know what your original
        problem was. If you're using a Unix socket and having a Debian specific
        problem, it's probably a matter of the socket not being available in the
        chroot that postfix, on Debian, uses by default. Assuming this was your
        original problem, there are three ways to solve it:

        1. Make the socket available in the chroot (/var/spool/postfix/).
        2. Take postfix out of the chroot.
        3. Using TCP sockets instead.

        I use the Debian clamav packages every day. I also maintain them for the
        distro. If you are having problems, I encourage you to file bugs in the Debian
        BTS. I do look at them and try to solve them.

        Scott K
      • DTNX Postmaster
        Message 3 of 14 , Sep 21, 2013
          On Sep 21, 2013, at 16:36, Scott Kitterman <postfix@...> wrote:

          > On Saturday, September 21, 2013 03:34:57 David Benfell wrote:
          >> Hi all,
          >>
          >> As near as I can tell debian's clamav is just broken. It keeps whining
          >> about clamd.ctl and nothing I can find on the web fixes it.
          >
          > You didn't post your original configuration, so I don't know what your original
          > problem was. If you're using a Unix socket and having a Debian specific
          > problem, it's probably a matter of the socket not being available in the
          > chroot that postfix, on Debian, uses by default. Assuming this was your
          > original problem, there are three ways to solve it:
          >
          > 1. Make the socket available in the chroot (/var/spool/postfix/).
          > 2. Take postfix out of the chroot.
          > 3. Using TCP sockets instead.
          >
          > I use the Debian clamav packages every day. I also maintain them for the
          > distro. If you are having problems, I encourage you to file bugs in the Debian
          > BTS. I do look at them and try to solve them.

          +1 on using Debian ClamAV packages without any problems. We use the
          milter package to integrate it with Postfix, using unix sockets.

          The problem people generally run into with unix sockets is one of
          permissions. The milter socket needs to be stored inside the Postfix
          chroot, and be writable by both Postfix and the milter daemon.

          Kind regards,
          Joni
        • lists@rhsoft.net
          Message 4 of 14 , Sep 21, 2013
            On 21.09.2013 17:25, DTNX Postmaster wrote:
            > +1 on using Debian ClamAV packages without any problems. We use the
            > milter package to integrate it with Postfix, using unix sockets.
            >
            > The problem people generally run into with unix sockets is one of
            > permissions. The milter socket needs to be stored inside the Postfix
            > chroot, and be writable by both Postfix and the milter daemon

            which leaves the question open why the Debian postfix-maintainer
            insists on the *non upstream* chroot-default after years of most
            problems reported here are caused by it?
          • Scott Kitterman
            Message 5 of 14 , Sep 21, 2013
              On Saturday, September 21, 2013 17:34:35 lists@... wrote:
              > On 21.09.2013 17:25, DTNX Postmaster wrote:
              > > +1 on using Debian ClamAV packages without any problems. We use the
              > > milter package to integrate it with Postfix, using unix sockets.
              > >
              > > The problem people generally run into with unix sockets is one of
              > > permissions. The milter socket needs to be stored inside the Postfix
              > > chroot, and be writable by both Postfix and the milter daemon
              >
              > which leaves the question open why the Debian postfix-maintainer
              > insists on the *non upstream* chroot-default after years of most
              > problems reported here are caused by it?

              That's a question best asked on a Debian specific channel. Personally, I don't
              have any problems with it, it works fine for me.

              Scott K
            • David Benfell
              Message 6 of 14 , Sep 21, 2013

                On 09/21/2013 07:36 AM, Scott Kitterman wrote:
                > On Saturday, September 21, 2013 03:34:57 David Benfell wrote:
                >> Hi all,
                >>
                >> As near as I can tell debian's clamav is just broken. It keeps
                >> whining about clamd.ctl and nothing I can find on the web fixes
                >> it.
                >
                > You didn't post your original configuration, so I don't know what
                > your original problem was. If you're using a Unix socket and
                > having a Debian specific problem, it's probably a matter of the
                > socket not being available in the chroot that postfix, on Debian,
                > uses by default. Assuming this was your original problem, there
                > are three ways to solve it:
                >
                > 1. Make the socket available in the chroot (/var/spool/postfix/).
                > 2. Take postfix out of the chroot.
                > 3. Using TCP sockets instead.

                The lines I had taken out in main.cf, based on something I found on
                the web, are:

                #content_filter = scan:127.0.0.1:10026
                #receive_override_options = no_address_mappings

                And out of master.cf are:

                #127.0.0.1:10025 inet n - n - 16 smtpd
                #-o content_filter=
                #-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
                #-o smtpd_helo_restrictions=
                #-o smtpd_client_restrictions=
                #-o smtpd_sender_restrictions=
                #-o smtpd_recipient_restrictions=permit_mynetworks,reject
                #-o mynetworks_style=host
                #-o smtpd_authorized_xforward_hosts=127.0.0.0/8

                I think of the three choices you offer, I would prefer to take postfix
                out of the chroot. Postfix's configuration is already far more
                complicated than I can even begin to make any sense of, the
                configuration, copied over from a hosed Arch installation (thanks
                systemd upgrade), was not written for it (looking at
                https://we.riseup.net/debian/authenticated-smtp it appears the
                question becomes what else do I need to do to kill the chroot), and I
                would prefer to move in the direction of simplicity.
                >
                > I use the Debian clamav packages every day. I also maintain them
                > for the distro. If you are having problems, I encourage you to
                > file bugs in the Debian BTS. I do look at them and try to solve
                > them.

                If this were back in the 1970s or early 1980s, when I was a
                programmer, I might be able to discern what is and is not a bug. The
                world has moved quite a ways since then, often leaving me in a state
                of fury, because what everybody else thinks is correct behavior I see
                as absolutely broken. (And systemd on Arch is not the example I would
                choose here: it may be a good idea but it's just not stable yet, it
                obscures far too much, and it's a mistake for me to rely on it.)
                There's no reconciling those worldviews. I can't tell a bug from
                design behavior these days. I just want it to work so I can go back to
                focusing on my Ph.D. program which is *not* technology related.

                Thanks!

                --
                David Benfell
                see https://parts-unknown.org/node/2 if you don't understand the
                attachment
              • Scott Kitterman
                Message 7 of 14 , Sep 21, 2013
                  On Saturday, September 21, 2013 09:02:05 David Benfell wrote:
                  > On 09/21/2013 07:36 AM, Scott Kitterman wrote:
                  > > On Saturday, September 21, 2013 03:34:57 David Benfell wrote:
                  > >> Hi all,
                  > >>
                  > >> As near as I can tell debian's clamav is just broken. It keeps
                  > >> whining about clamd.ctl and nothing I can find on the web fixes
                  > >> it.
                  > >
                  > > You didn't post your original configuration, so I don't know what
                  > > your original problem was. If you're using a Unix socket and
                  > > having a Debian specific problem, it's probably a matter of the
                  > > socket not being available in the chroot that postfix, on Debian,
                  > > uses by default. Assuming this was your original problem, there
                  > > are three ways to solve it:
                  > >
                  > > 1. Make the socket available in the chroot (/var/spool/postfix/).
                  > > 2. Take postfix out of the chroot.
                  > > 3. Using TCP sockets instead.
                  >
                  > The lines I had taken out in main.cf, based on something I found on
                  > the web, are:
                  >
                  > #content_filter = scan:127.0.0.1:10026
                  > #receive_override_options = no_address_mappings

                  What had you configured to listen on port 10026? Personally, I use clamsmtp
                  and amavisd-new (depending on if I'm just doing virus scanning or also doing
                  content scanning for spam, etc.)

                  > And out of master.cf are:
                  >
                  > #127.0.0.1:10025 inet n - n - 16 smtpd
                  > #-o content_filter=
                  > #-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
                  > #-o smtpd_helo_restrictions=
                  > #-o smtpd_client_restrictions=
                  > #-o smtpd_sender_restrictions=
                  > #-o smtpd_recipient_restrictions=permit_mynetworks,reject
                  > #-o mynetworks_style=host
                  > #-o smtpd_authorized_xforward_hosts=127.0.0.0/8
                  >
                  > I think of the three choices you offer, I would prefer to take postfix
                  > out of the chroot. Postfix's configuration is already far more
                  > complicated than I can even begin to make any sense of, the
                  > configuration, copied over from a hosed Arch installation (thanks
                  > systemd upgrade), was not written for it (looking at
                  > https://we.riseup.net/debian/authenticated-smtp it appears the
                  > question becomes what else do I need to do to kill the chroot), and I
                  > would prefer to move in the direction of simplicity.

                  The upstream master.cf is shipped in /usr/share/postfix (it's master.cf.dist).
                  You can check it to verify which services should be removed from the chroot.

                  > > I use the Debian clamav packages every day. I also maintain them
                  > > for the distro. If you are having problems, I encourage you to
                  > > file bugs in the Debian BTS. I do look at them and try to solve
                  > > them.
                  >
                  > If this were back in the 1970s or early 1980s, when I was a
                  > programmer, I might be able to discern what is and is not a bug. The
                  > world has moved quite a ways since then, often leaving me in a state
                  > of fury, because what everybody else thinks is correct behavior I see
                  > as absolutely broken. (And systemd on Arch is not the example I would
                  > choose here: it may be a good idea but it's just not stable yet, it
                  > obscures far too much, and it's a mistake for me to rely on it.)
                  > There's no reconciling those worldviews. I can't tell a bug from
                  > design behavior these days. I just want it to work so I can go back to
                  > focusing on my Ph.D. program which is *not* technology related.

                  I think this is likely a configuration issue and not a bug in any case.

                  Scott K
                • DTNX Postmaster
                  Message 8 of 14 , Sep 21, 2013
                    On Sep 21, 2013, at 18:02, David Benfell <dbenfell@...> wrote:

                    > On 09/21/2013 07:36 AM, Scott Kitterman wrote:
                    >> On Saturday, September 21, 2013 03:34:57 David Benfell wrote:
                    >>> Hi all,
                    >>>
                    >>> As near as I can tell debian's clamav is just broken. It keeps
                    >>> whining about clamd.ctl and nothing I can find on the web fixes
                    >>> it.
                    >>
                    >> You didn't post your original configuration, so I don't know what
                    >> your original problem was. If you're using a Unix socket and
                    >> having a Debian specific problem, it's probably a matter of the
                    >> socket not being available in the chroot that postfix, on Debian,
                    >> uses by default. Assuming this was your original problem, there
                    >> are three ways to solve it:
                    >>
                    >> 1. Make the socket available in the chroot (/var/spool/postfix/).
                    >> 2. Take postfix out of the chroot.
                    >> 3. Using TCP sockets instead.
                    >
                    > The lines I had taken out in main.cf, based on something I found on
                    > the web, are:
                    >
                    > #content_filter = scan:127.0.0.1:10026
                    > #receive_override_options = no_address_mappings
                    >
                    > And out of master.cf are:
                    >
                    > #127.0.0.1:10025 inet n - n - 16 smtpd
                    > #-o content_filter=
                    > #-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
                    > #-o smtpd_helo_restrictions=
                    > #-o smtpd_client_restrictions=
                    > #-o smtpd_sender_restrictions=
                    > #-o smtpd_recipient_restrictions=permit_mynetworks,reject
                    > #-o mynetworks_style=host
                    > #-o smtpd_authorized_xforward_hosts=127.0.0.0/8
                    >
                    > I think of the three choices you offer, I would prefer to take postfix
                    > out of the chroot. Postfix's configuration is already far more
                    > complicated than I can even begin to make any sense of, the
                    > configuration, copied over from a hosed Arch installation (thanks
                    > systemd upgrade), was not written for it (looking at
                    > https://we.riseup.net/debian/authenticated-smtp it appears the
                    > question becomes what else do I need to do to kill the chroot), and I
                    > would prefer to move in the direction of simplicity.
                    >
                    >> I use the Debian clamav packages every day. I also maintain them
                    >> for the distro. If you are having problems, I encourage you to
                    >> file bugs in the Debian BTS. I do look at them and try to solve
                    >> them.
                    >
                    > If this were back in the 1970s or early 1980s, when I was a
                    > programmer, I might be able to discern what is and is not a bug. The
                    > world has moved quite a ways since then, often leaving me in a state
                    > of fury, because what everybody else thinks is correct behavior I see
                    > as absolutely broken. (And systemd on Arch is not the example I would
                    > choose here: it may be a good idea but it's just not stable yet, it
                    > obscures far too much, and it's a mistake for me to rely on it.)
                    > There's no reconciling those worldviews. I can't tell a bug from
                    > design behavior these days. I just want it to work so I can go back to
                    > focusing on my Ph.D. program which is *not* technology related.

                    While the desire to have it 'just work' is recognizable, you cannot
                    expect it to always do so if you copy bits and pieces from here to
                    there without understanding what they actually do. Especially if you
                    have copied an older configuration from a different distro that may
                    have its own quirks.

                    We use Postfix on Debian in its 'stock' Debian chroot setup, with
                    clamav-milter as the bridge between Postfix and clamd. This requires no
                    configuration in 'master.cf' and only two lines in 'main.cf';

                    smtpd_milters = unix:/clamav/clamav-milter.ctl
                    milter_default_action = accept

                    Permissions is where it gets tricky, because the socket needs to be
                    writable by both processes. As our own ClamAV setup is up for review
                    anyway, I don't mind writing up a bit of a how-to for it that you can
                    use to reimplement virus scanning with ClamAV, if you are still
                    interested in doing so?

                    Kind regards,
                    Joni
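
The Unix-socket problem described in the messages above (the socket must sit inside the Postfix chroot and be reachable by both daemons) can be checked mechanically. The following is an added diagnostic example, not code from any poster in this thread; the function names are hypothetical, the `clamav` account name is an assumption, and it assumes smtpd runs chrooted so that the `unix:` path from `main.cf` is taken relative to `/var/spool/postfix`.

```python
import os
import stat

QUEUE_DIR = "/var/spool/postfix"  # Debian's Postfix chroot, as named in the thread


def resolve_milter_socket(spec, queue_dir=QUEUE_DIR):
    """Translate a 'unix:' smtpd_milters value into the path on the host.

    Assumes smtpd runs chrooted, so the path is taken relative to queue_dir.
    """
    kind, _, path = spec.partition(":")
    if kind != "unix" or not path.strip("/"):
        raise ValueError("not a unix-domain milter endpoint: %r" % spec)
    return os.path.join(queue_dir, path.lstrip("/"))


def allowed(st, uid, gids, want):
    """Owner/group/other check for 'w' or 'x'. Ignores ACLs and root's override."""
    bits = {
        "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
        "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
    }[want]
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])


def check_socket(spec, uid, gids, queue_dir=QUEUE_DIR):
    """Return 'ok', 'missing', 'no-search', 'not-a-socket' or 'not-writable'."""
    path = resolve_milter_socket(spec, queue_dir)
    current = queue_dir
    # Every directory between the chroot and the socket needs search permission.
    for part in os.path.relpath(os.path.dirname(path), queue_dir).split(os.sep):
        if part == ".":
            continue
        current = os.path.join(current, part)
        try:
            if not allowed(os.stat(current), uid, gids, "x"):
                return "no-search"
        except FileNotFoundError:
            return "missing"
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"  # milter not running, or it binds outside the chroot
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    # Connecting to a Unix socket requires write permission on the socket file.
    return "ok" if allowed(st, uid, gids, "w") else "not-writable"


if __name__ == "__main__":
    import pwd
    import sys

    spec = "unix:/clamav/clamav-milter.ctl"  # main.cf value quoted in the thread
    # Account names are assumptions; pass your own on the command line.
    for name in sys.argv[1:] or ["postfix", "clamav"]:
        try:
            account = pwd.getpwnam(name)
        except KeyError:
            print("%s: no such account" % name)
            continue
        gids = set(os.getgrouplist(name, account.pw_gid))
        print("%s: %s" % (name, check_socket(spec, account.pw_uid, gids)))
```
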
                  • David Benfell
                    Message 9 of 14 , Sep 21, 2013

                      On 09/21/2013 09:39 AM, DTNX Postmaster wrote:

                      >
                      > While the desire to have it 'just work' is recognizable, you cannot
                      > expect it to always do so if you copy bits and pieces from here to
                      > there without understanding what they actually do. Especially if
                      > you have copied an older configuration from a different distro that
                      > may have its own quirks.

                      Then we are very close to the point where I'll just have to turn
                      everything over to Google Apps. Because I am *never* going to
                      understand postfix configuration. This isn't even something that's
                      within a fuzzy or distant view, let alone just outside my grasp. It's
                      all complete magic to me.
                      >
                      > We use Postfix on Debian in its 'stock' Debian chroot setup, with
                      > clamav-milter as the bridge between Postfix and clamd. This
                      > requires no configuration in 'master.cf' and only two lines in
                      > 'main.cf';
                      >
                      > smtpd_milters = unix:/clamav/clamav-milter.ctl
                      > milter_default_action = accept
                      >
                      > Permissions is where it gets tricky, because the socket needs to be
                      > writable by both processes. As our own ClamAV setup is up for
                      > review anyway, I don't mind writing up a bit of a how-to for it
                      > that you can use to reimplement virus scanning with ClamAV, if you
                      > are still interested in doing so?

                      At least within postfix, there is a very nice command to just fix the
                      permissions. (Did Wietse get tired of seeing that particular problem?)
                      I have no idea what they should be for clamd.ctl because, as near as I
                      can tell, it isn't a permanent file, so I can't even see it in the
                      emergency backup I did from a rescue system after the Arch upgrade
                      hosed my server (which is remote, by the way).

                      At this point, my first priority has to be just getting mail back up.
                      I've had a lot of these domains for a decade or more. I get a lot of
                      spam, hence the postscreen stuff, but I also get a lot of mail. Then,
                      maybe, I can think about reimplementing clamav.

                      --
                      David Benfell
                      see https://parts-unknown.org/node/2 if you don't understand the
                      attachment
                    • David Benfell
                      Message 10 of 14 , Sep 21, 2013

                        On 09/21/2013 08:34 AM, lists@... wrote:
                        >
                        > On 21.09.2013 17:25, DTNX Postmaster wrote:
                        >> +1 on using Debian ClamAV packages without any problems. We use
                        >> the milter package to integrate it with Postfix, using unix
                        >> sockets.
                        >>
                        >> The problem people generally run into with unix sockets is one of
                        >> permissions. The milter socket needs to be stored inside the
                        >> Postfix chroot, and be writable by both Postfix and the milter
                        >> daemon
                        >
                        > which leaves the question open why the Debian postfix-maintainer
                        > insists on the *non upstream* chroot-default after years of most
                        > problems reported here are caused by it?
                        >
                        >
                        My apologies. In part because my mail is not now getting sorted in its
                        normal way, I'm seeing some of these replies out of order.

                        There *is* a problem here. And actually my experience with systemd
                        suddenly becomes a little relevant. While I don't know of anyone
                        worshipping at the feet of the Debian Postfix maintainer, apparently
                        s/he is doing things that work for some people and not for others.

                        The same can be said, except that I *do* see people worshipping at the
                        feet of, the developer of pulseaudio and systemd. I think in general
                        distributions need to be more careful about adopting radical notions
                        that may not be necessary for things to actually work. (And while I
                        like keeping software up to date, a case can be made that many of the
                        recent changes in Arch Linux, which I've had to suddenly abandon,
                        leading to my dilemma with postfix on Debian, are changes for the sake
                        of change.)

                        Probably a bunch of people here have seen pulseaudio flame wars. I
                        don't mean to start anything of the sort here. But there are
                        occasionally problems where people developing something stop listening
                        to people who are actually trying to use it and who are running into
                        problems. The assumption seems to be it works for the developers,
                        therefore if you run into problems, it is *you* who are the idiot. (In
                        my line, I saw something very similar to this with
                        post-modernists--it's called intellectual bullying.)

                        That is, emphatically, not the case with postfix itself, but possibly
                        with the Debian maintainer of postfix. It is certainly also not the
                        only cause of flame wars, but I think it is one.

                        From what I can see, the case for chrooting postfix is dubious at
                        best. Likewise, I was never satisfied with the case for wholesale
                        adoption of pulseaudio. In these cases, the problem is not so much
                        with the original software--there *does* need to be space for
                        innovation--but with the distribution(s).

                        And I think I'm now using a distribution that is, at least for me,
                        sabotaging postfix. Which means I'll need to use something else.
                        That's not a knock on postfix, but rather a critique of Debian on this
                        particular package.

                        --
                        David Benfell
                        see https://parts-unknown.org/node/2 if you don't understand the
                        attachment
                      • DTNX Postmaster
                        Message 11 of 14 , Sep 21, 2013
                          On Sep 21, 2013, at 21:29, David Benfell <dbenfell@...> wrote:

                          > On 09/21/2013 09:39 AM, DTNX Postmaster wrote:
                          >
                          >> While the desire to have it 'just work' is recognizable, you cannot
                          >> expect it to always do so if you copy bits and pieces from here to
                          >> there without understanding what they actually do. Especially if
                          >> you have copied an older configuration from a different distro that
                          >> may have its own quirks.
                          >
                          > Then we are very close to the point where I'll just have to turn
                          > everything over to Google Apps. Because I am *never* going to
                          > understand postfix configuration. This isn't even something that's
                          > within a fuzzy or distant view, let alone just outside my grasp. It's
                          > all complete magic to me.

                          Outsourcing front-end processing to an external service is also an
                          option; someone does the baseline stuff for you, like fending off bots
                          and zombies and anything else that is obviously garbage, and then
                          forwards the cleaned up feed to your server. This is how we operate our
                          relay service, for example, and I bet there's a dozen others on this
                          list that do something similar.

                          Also, Google Apps is pretty much paid now, is it not? Except up to ten
                          users, if you're already an existing client?

                          You could also outsource the fix, and take over daily management again
                          after that; there's a lot of consultants on this list as well. Or
                          perhaps a basic hosting package somewhere that allows for some custom
                          routing and whatnot, with a good filtering frontend, but that depends
                          on what exactly your needs are?

                          >> We use Postfix on Debian in its 'stock' Debian chroot setup, with
                          >> clamav-milter as the bridge between Postfix and clamd. This
                          >> requires no configuration in 'master.cf' and only two lines in
                          >> 'main.cf';
                          >>
                          >> smtpd_milters = unix:/clamav/clamav-milter.ctl
                          >> milter_default_action = accept
                          >>
                          >> Permissions is where it gets tricky, because the socket needs to be
                          >> writable by both processes. As our own ClamAV setup is up for
                          >> review anyway, I don't mind writing up a bit of a how-to for it
                          >> that you can use to reimplement virus scanning with ClamAV, if you
                          >> are still interested in doing so?
                          >
                          > At least within postfix, there is a very nice command to just fix the
                          > permissions. (Did Wietse get tired of seeing that particular problem?)
                          > I have no idea what they should be for clamd.ctl because, as near as I
                          > can tell, it isn't a permanent file, so I can't even see it in the
                          > emergency backup I did from a rescue system after the Arch upgrade
                          > hosed my server (which is remote, by the way).
                          >
                          > At this point, my first priority has to be just getting mail back up.
                          > I've had a lot of these domains for a decade or more. I get a lot of
                          > spam, hence the postscreen stuff, but I also get a lot of mail. Then,
                          > maybe, I can think about reimplementing clamav.

                          Sounds like a decent plan, given the situation you found yourself in.
                          Basics first.

                          Mvg,
                          Joni
                        • DTNX Postmaster
                          Message 12 of 14 , Sep 21, 2013
                            On Sep 21, 2013, at 21:29, David Benfell <dbenfell@...> wrote:

                            > At least within postfix, there is a very nice command to just fix the
                            > permissions. (Did Wietse get tired of seeing that particular problem?)
                            > I have no idea what they should be for clamd.ctl because, as near as I
                            > can tell, it isn't a permanent file, so I can't even see it in the
                            > emergency backup I did from a rescue system after the Arch upgrade
                            > hosed my server (which is remote, by the way).

                            This is the socket, and it is or should be created by the ClamAV daemon
                            on startup. Check your ClamAV configuration for details, on Debian the
                            config files are in '/etc/clamav' by default. If there is no entry
                            specifying the location, check the ClamAV docs for the default
                            location, which is probably somewhere in '/var/run' or similar.

                            Mvg,
                            Joni
                          • Scott Kitterman
                            Message 13 of 14 , Sep 21, 2013
                              On Saturday, September 21, 2013 23:50:00 DTNX Postmaster wrote:
                              > On Sep 21, 2013, at 21:29, David Benfell <dbenfell@...> wrote:
                              > > At least within postfix, there is a very nice command to just fix the
                              > > permissions. (Did Wietse get tired of seeing that particular problem?)
                              > > I have no idea what they should be for clamd.ctl because, as near as I
                              > > can tell, it isn't a permanent file, so I can't even see it in the
                              > > emergency backup I did from a rescue system after the Arch upgrade
                              > > hosed my server (which is remote, by the way).
                              >
                              > This is the socket, and it is or should be created by the ClamAV daemon
                              > on startup. Check your ClamAV configuration for details, on Debian the
                              > config files are in '/etc/clamav' by default. If there is no entry
                              > specifying the location, check the ClamAV docs for the default
                              > location, which is probably somewhere in '/var/run' or similar.

                              On Debian (and Ubuntu), as root (or using sudo depending on your system
                              configuration) run dpkg-reconfigure clamav-base. It will, among other things,
                              ask you if you want a Unix socket or a TCP socket and what port to listen on.
                              This is documented at the top of /etc/clamav/clamd.conf.

                              Scott K
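
One way to carry out the check described in the two replies above, as an added example that is not code from the thread: read the socket setting from a clamd.conf-style file and compare a Unix socket path with the Postfix chroot directory /var/spool/postfix named earlier in the thread. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find clamd's listening endpoint in a
# clamd.conf-style file and judge it against the Postfix chroot directory.

# Print the last uncommented value of directive $2 in file $1.
conf_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Print "unix-in-chroot PATH", "unix-outside-chroot PATH", "tcp PORT" or "none".
# $1 = config file, $2 = chroot directory (default: /var/spool/postfix).
# If both socket types are configured, the Unix socket is reported.
clamd_endpoint() {
    chroot_dir=${2:-/var/spool/postfix}
    sock=$(conf_value "$1" LocalSocket)
    port=$(conf_value "$1" TCPSocket)
    if [ -n "$sock" ]; then
        case "$sock" in
            "$chroot_dir"/*) echo "unix-in-chroot $sock" ;;
            *)               echo "unix-outside-chroot $sock" ;;
        esac
    elif [ -n "$port" ]; then
        echo "tcp $port"
    else
        echo "none"
    fi
}

# The socket only exists while the daemon runs, so a missing path usually
# means clamd is down rather than that the permissions are wrong.
socket_state() {
    if [ -S "$1" ]; then echo "present"
    elif [ -e "$1" ]; then echo "not-a-socket"
    else echo "missing"
    fi
}

# Constructed sample configuration, written to a temporary file.
sample_conf() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' '#TCPSocket 3310' \
        'LocalSocket /var/run/clamav/clamd.ctl' 'LocalSocketMode 666' > "$f"
    echo "$f"
}

conf=$(sample_conf)
endpoint=$(clamd_endpoint "$conf")
echo "endpoint: $endpoint"
echo "state:    $(socket_state "${endpoint#* }")"
rm -f "$conf"
```

On a real host, pass /etc/clamav/clamd.conf as the first argument to `clamd_endpoint`; an "unix-outside-chroot" result matches the situation where a chrooted Postfix process cannot see the socket.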