Postfix+pflogsumm+clamav = email blocked

  • inteq
    Message 1 of 13 , Nov 4, 2013
      Hello

      For some time now I was wondering why some of my pflogsumm emails were not
      received.
      Digging deeper into the problem today, I can see the emails are being
      blocked by Postfix because it "contains" a virus.

      Nov 4 21:36:52 ns4 postfix/smtp[9383]: 338E14303B: to=<tech@...>,
      relay=127.0.0.1[127.0.0.1]:10025, delay=0.14, delays=0.06/0/0.05/0.03,
      dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
      Nov 4 21:36:52 ns4 clamsmtpd: 100013: from=root@...,
      to=tech@..., status=VIRUS:Sanesecurity.Jurlbl.3425.UNOFFICIAL
      Nov 4 21:36:52 ns4 postfix/qmgr[4676]: 338E14303B: removed

      I have the latest version (beta) 1.1.5 of pflogsumm and I have tried
      everything I could find to make Postfix "play nice" and allow my log to be
      delivered.
      I am using additional ClamAV signatures, indeed.

      Any hints how to whitelist emails sent from root@..., or bypass
      somehow the virus checks for some addresses?


      Thank you



      --
      View this message in context: http://postfix.1071664.n5.nabble.com/Postfix-pflogsumm-clamav-email-blocked-tp62737.html
      Sent from the Postfix Users mailing list archive at Nabble.com.
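Added example, not part of the thread and not code from Postfix, clamsmtp or pflogsumm: a small shell script over a constructed log sample (modelled on the lines in the post, with example.com/example.org addresses and two extra invented entries) that pulls out deliveries which Postfix recorded as status=sent with dsn=2.0.0 because the proxy answered 250, but which clamsmtpd in fact discarded. That is the detail worth noticing in the posted log: on the Postfix side the report counts as delivered and no bounce is generated; only the reply text in parentheses and clamsmtpd's own line show that the message was dropped.

```shell
#!/bin/sh
# Added example. Constructed sample, modelled on the posted log lines; the
# example.com/example.org addresses and the entries at 21:40 and 21:45 are invented.
SAMPLE_LOG=$(cat <<'EOF'
Nov  4 21:36:52 ns4 postfix/smtp[9383]: 338E14303B: to=<tech@example.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.14, delays=0.06/0/0.05/0.03, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
Nov  4 21:36:52 ns4 clamsmtpd: 100013: from=root@example.com, to=tech@example.com, status=VIRUS:Sanesecurity.Jurlbl.3425.UNOFFICIAL
Nov  4 21:36:52 ns4 postfix/qmgr[4676]: 338E14303B: removed
Nov  4 21:40:07 ns4 postfix/smtp[9391]: 7C2A94303F: to=<alice@example.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.31, delays=0.08/0/0.12/0.11, dsn=2.0.0, status=sent (250 Ok: queued as 8D1E343041)
Nov  4 21:40:07 ns4 clamsmtpd: 100014: from=bob@example.org, to=alice@example.com, status=CLEAN
Nov  4 21:40:07 ns4 postfix/qmgr[4676]: 7C2A94303F: removed
Nov  4 21:45:19 ns4 postfix/smtp[9402]: 9E0B14304A: to=<tech@example.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.17, delays=0.05/0/0.06/0.06, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
Nov  4 21:45:19 ns4 clamsmtpd: 100015: from=root@example.com, to=tech@example.com, status=VIRUS:Sanesecurity.Jurlbl.3425.UNOFFICIAL
Nov  4 21:45:19 ns4 postfix/qmgr[4676]: 9E0B14304A: removed
EOF
)

# silent_discards [FILE...]: print "<queue id> <recipient>" for every delivery
# that Postfix logged as status=sent (the proxy answered 250) but that
# clamsmtpd discarded. Postfix raises no bounce for these, so the reply text
# in parentheses is the only trace on the Postfix side.
silent_discards() {
    awk 'index($0, "Virus Detected; Discarded Email") {
        for (i = 1; i <= NF; i++) if ($i ~ /^postfix\/smtp\[/) break
        if (i > NF) next
        qid = $(i + 1); sub(/:$/, "", qid)
        rcpt = $(i + 2); sub(/^to=</, "", rcpt); sub(/>,$/, "", rcpt)
        print qid, rcpt
    }' "$@"
}

# silent_discard_count [FILE...]: the number of such discards, for a cron check.
silent_discard_count() {
    silent_discards "$@" | wc -l | tr -d ' '
}

# virus_verdicts [FILE...]: print "<sender> <recipient> <signature>" from the
# clamsmtpd side of the same events, so the signature that fired can be
# reviewed before anything is whitelisted.
virus_verdicts() {
    awk 'index($0, "status=VIRUS:") {
        for (i = 1; i <= NF; i++) if ($i == "clamsmtpd:") break
        if (i > NF) next
        from = $(i + 2); sub(/^from=/, "", from); sub(/,$/, "", from)
        rcpt = $(i + 3); sub(/^to=/, "", rcpt); sub(/,$/, "", rcpt)
        sig = $(i + 4); sub(/^status=VIRUS:/, "", sig)
        print from, rcpt, sig
    }' "$@"
}

# Run over the sample; with real logs: silent_discards /var/log/mail.log
printf '%s\n' "$SAMPLE_LOG" | silent_discards
printf '%s\n' "$SAMPLE_LOG" | virus_verdicts
```

The fields are located by content ("postfix/smtp[", "clamsmtpd:") rather than by position, so the same functions work whether syslog writes the traditional "Nov  4 21:36:52" timestamp shown in the post or an ISO one.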
    • LuKreme
      Message 2 of 13 , Nov 4, 2013
        On 04 Nov 2013, at 12:42, inteq <tech@...> wrote:

        > Nov 4 21:36:52 ns4 clamsmtpd: 100013: from=root@...,
        > to=tech@..., status=VIRUS:Sanesecurity.Jurlbl.3425.UNOFFICIAL

        Nothing to do with postfix, clamsmtpd is blocking your email.

        --
        I thought that they were angels, but to my surprise, we climbed aboard
        their starship, we headed for the skies.
      • Noel Jones
        Message 3 of 13 , Nov 4, 2013
          On 11/4/2013 1:42 PM, inteq wrote:
          > Hello
          >
          > For some time now I was wondering why some of my pflogsumm emails were not
          > received.
          > Digging deeper into the problem today, I can see the emails are being
          > blocked by Postfix because it "contains" a virus.
          >
          > Nov 4 21:36:52 ns4 postfix/smtp[9383]: 338E14303B: to=<tech@...>,
          > relay=127.0.0.1[127.0.0.1]:10025, delay=0.14, delays=0.06/0/0.05/0.03,
          > dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
          > Nov 4 21:36:52 ns4 clamsmtpd: 100013: from=root@...,
          > to=tech@..., status=VIRUS:Sanesecurity.Jurlbl.3425.UNOFFICIAL
          > Nov 4 21:36:52 ns4 postfix/qmgr[4676]: 338E14303B: removed
          >
          > I have the latest version (beta) 1.1.5 of pflogsumm and I have tried
          > everything I could find to make Postfix "play nice" and allow my log to be
          > delivered.
          > I am using additional ClamAV signatures, indeed.
          >
          > Any hints how to whitelist emails sent from root@..., or bypass
          > somehow the virus checks for some addresses?


          Looks as if you're using the clamsmtp proxy. Arrange for your
          pflogsumm reports to be submitted to the postfix reinjection port
          after clamsmtp.

          One fairly simple tool to do this is the mini_sendmail program.



          -- Noel Jones
        • Stan Hoeppner
          Message 4 of 13 , Nov 4, 2013
            On 11/4/2013 3:54 PM, Noel Jones wrote:
            > On 11/4/2013 1:42 PM, inteq wrote:
            >> Hello
            >>
            >> For some time now I was wondering why some of my pflogsumm emails were not
            >> received.
            >> Digging deeper into the problem today, I can see the emails are being
            >> blocked by Postfix because it "contains" a virus.
            >>
            >> Nov 4 21:36:52 ns4 postfix/smtp[9383]: 338E14303B: to=<tech@...>,
            >> relay=127.0.0.1[127.0.0.1]:10025, delay=0.14, delays=0.06/0/0.05/0.03,
            >> dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
            >> Nov 4 21:36:52 ns4 clamsmtpd: 100013: from=root@...,
            >> to=tech@..., status=VIRUS:Sanesecurity.Jurlbl.3425.UNOFFICIAL
            >> Nov 4 21:36:52 ns4 postfix/qmgr[4676]: 338E14303B: removed
            >>
            >> I have the latest version (beta) 1.1.5 of pflogsumm and I have tried
            >> everything I could find to make Postfix "play nice" and allow my log to be
            >> delivered.
            >> I am using additional ClamAV signatures, indeed.
            >>
            >> Any hints how to whitelist emails sent from root@..., or bypass
            >> somehow the virus checks for some addresses?
            >
            >
            > Looks as if you're using the clamsmtp proxy. Arrange for you
            > pflogsumm reports to be submitted to the postfix reinjection port
            > after clamsmtp.
            >
            > One fairly tool to do this is with the simple mini_sendmail program.

            You should contact the author of Sanesecurity.Jurlbl.3425.UNOFFICIAL

            This script is not just badly written, but horribly broken. pflogsumm
            email output is a text only file, no binary attachment, so it obviously
            can't contain a virus payload. So this script is clearly matching
            hostnames and/or domains in the content section of the email, known to
            host viruses/malware, and rejecting the email based solely on this, with a
            reason of "VIRUS". This concept, and the reason code, is simply
            wrong-headed. If you say you're rejecting the email because it contains a
            VIRUS it better well have a binary attachment that contains a virus.
            Simply matching suspect domains should add score to a spam filter, not
            outright reject an email, and especially not with a reason code of "VIRUS".

            I don't use any of the CLAM software, but I'd guess "UNOFFICIAL"
            actually means something. Thus you can probably fix this by simply not
            using UNOFFICIAL Sanesecurity signatures.

            --
            Stan
          • Manuel Bieling
            Message 5 of 13 , Nov 4, 2013
              On 2013.11.04 11:42:51 -0800, inteq wrote:
              > Nov 4 21:36:52 ns4 postfix/smtp[9383]: 338E14303B: to=<tech@...>,
              > relay=127.0.0.1[127.0.0.1]:10025, delay=0.14, delays=0.06/0/0.05/0.03,
              > dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
              > Nov 4 21:36:52 ns4 clamsmtpd: 100013: from=root@...,
              > to=tech@..., status=VIRUS:Sanesecurity.Jurlbl.3425.UNOFFICIAL
              > Nov 4 21:36:52 ns4 postfix/qmgr[4676]: 338E14303B: removed

              [...]

              > Any hints how to whitelist emails sent from root@..., or bypass
              > somehow the virus checks for some addresses?

              I'm not quite sure what your scenario is. I guess the mail stats are
              generated on a third party machine and delivered to a hub (ns4). Then it's
              sufficient to open a maintenance port or use submission.

              The other idea is to use an access table (which has higher precedence) and
              override 'content_filter' with a null filter.

              What the others said. That shouldn't happen. It's a problem with clamav.

              --
              Best regards,
              Manuel
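Added example, not the poster's configuration and not code from Postfix or clamsmtp: a constructed master.cf fragment in the layout Noel (re-inject after clamsmtp) and Manuel (a null filter for the report mail) describe, with a small audit over it. It assumes clamsmtpd listens on 127.0.0.1:10025 as in the posted log and hands clean mail back to a Postfix listener on 127.0.0.1:10026 (an assumed port). The service entries follow the after-queue layout in Postfix's FILTER_README; clearing content_filter on pickup is the approach that document gives for exempting locally submitted mail, which is what a cron job running pflogsumm through /usr/sbin/sendmail is. The audit checks the three things a practitioner wants from such a re-injection listener: it is bound to loopback, its content_filter is cleared (otherwise scanned mail is fed to the scanner again), and it rejects every client outside mynetworks=127.0.0.0/8.

```shell
#!/bin/sh
# Added example. Constructed master.cf fragment (assumed layout, not the
# poster's file): clamsmtpd listens on 127.0.0.1:10025 as in the posted log
# and re-injects into a Postfix listener on 127.0.0.1:10026 (assumed port).
MASTER_CF=$(cat <<'EOF'
# Public listener: everything it accepts is routed through the scanner.
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=scan:127.0.0.1:10025
# Locally submitted mail (cron, pflogsumm via sendmail) skips the scanner.
pickup    unix  n       -       n       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
# Client that delivers to clamsmtpd.
scan      unix  -       -       n       -       16      smtp
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
# Re-injection listener for scanned mail: loopback only, no filter
# (or the mail loops), and nothing outside mynetworks may use it.
127.0.0.1:10026 inet n  -       n       -       16      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
EOF
)

# A careless variant: the re-injection port is bound to every interface,
# keeps the content_filter (scanned mail would be scanned again, forever)
# and does not narrow mynetworks.
BAD_MASTER_CF=$(cat <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=scan:127.0.0.1:10025
scan      unix  -       -       n       -       16      smtp
10026     inet  n       -       n       -       16      smtpd
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
EOF
)

# audit_master_cf NAME  (master.cf on stdin): check the re-injection service
# called NAME. Prints findings; exits 0 only if every hard check passes.
audit_master_cf() {
    awk -v svc_name="$1" '
        # An entry starts in column 1; indented "-o" lines belong to it.
        /^[^ \t#]/ { svc = $1; seen[svc] = 1; opts[svc] = ""; next }
        /^[ \t]+-o[ \t]/ { opts[svc] = opts[svc] " " $2 }
        END {
            rc = 0
            if (!(svc_name in seen)) { print "FAIL: no service " svc_name; exit 1 }
            o = opts[svc_name]
            if (svc_name !~ /^127\.0\.0\.1:/ && svc_name !~ /^\[::1\]:/) {
                print "FAIL: " svc_name " is not bound to a loopback address"; rc = 1 }
            if (o !~ / content_filter=( |$)/) {
                print "FAIL: " svc_name " keeps content_filter, scanned mail would re-enter the scanner"; rc = 1 }
            if (o !~ / mynetworks=127\.0\.0\.0\/8( |$)/) {
                print "FAIL: " svc_name " does not limit mynetworks to loopback"; rc = 1 }
            if (o !~ / smtpd_recipient_restrictions=permit_mynetworks,reject( |$)/) {
                print "FAIL: " svc_name " does not reject clients outside mynetworks"; rc = 1 }
            if (opts["pickup"] !~ / content_filter=( |$)/)
                print "WARN: locally submitted mail (cron reports) still passes through the scanner"
            if (rc == 0) print "OK: " svc_name " is loopback-only, unfiltered and closed to other clients"
            exit rc
        }'
}

printf '%s\n' "$MASTER_CF" | audit_master_cf 127.0.0.1:10026
printf '%s\n' "$BAD_MASTER_CF" | audit_master_cf 10026 || echo "(the careless variant fails, as it should)"
```

Exempting pickup exempts everything that reaches Postfix through /usr/sbin/sendmail on that host, including whatever a web application or another cron job submits; if that is too broad, submitting the report straight to the loopback re-injection listener (Noel's suggestion) keeps the exemption to the one sender. On a live system, run the audit with the real file: audit_master_cf 127.0.0.1:10026 < /etc/postfix/master.cf.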
            • Benny Pedersen
              Message 6 of 13 , Nov 4, 2013
                inteq skrev den 2013-11-04 20:42:

                > Any hints how to whitelist emails sent from root@..., or
                > bypass
                > somehow the virus checks for some addresses?

                life would be simpler if you change from clamsmtp to clamav-milter,
                after that you can disable virus scanning on localhost senders, just
                note to make sure this does not affect sasl auth senders

                the virus here is just a note to see that sanesecurity works for you :)

                # clamav-milter.conf
                LocalNet 127.0.0.0/8
              • Benny Pedersen
                Message 7 of 13 , Nov 4, 2013
                  Manuel Bieling skrev den 2013-11-05 00:22:

                  > What the others said. That shouldn't happen. It's a problem with
                  > clamav.

                  incorrect, clamsmtp is at fault here, mails should not block on
                  localhost, its fault is that clamsmtp is only for proxy scanning with
                  postfix, not usable as a global content filter

                  this is why i prefer clamav-milter
                • Manuel Bieling
                  Message 8 of 13 , Nov 4, 2013
                    On 2013.11.05 00:29:41 +0100, Benny Pedersen wrote:
                    > Manuel Bieling skrev den 2013-11-05 00:22:
                    >
                    > >What the others said. That shouldn't happen. It's a problem with
                    > >clamav.
                    >
                    > incorrect, clamsmpt is at fault here, mails should not block on
                    > localhost, its fault is that clamsmtp is only for proxy scaning with
                    > postfix, not usable as a global content filter

                    Sorry, I'm not as familiar with clam*. But why do you assume the mails
                    are coming from a localhost sender?

                    --
                    Best regards,
                    Manuel
                  • inteq
                    Message 9 of 13 , Nov 4, 2013
                      Thank you for your replies.

                      The message is from localhost, not from another postfix machine, but the
                      machine has multiple virtual servers/aliases.

                      The reason behind a log file containing no malware but still being flagged
                      as virus, is because the scanner is configured to check links also (links
                      that are known to contain viruses), which are present in the log file.

                      Will try switching from clamsmtpd to clamav-milter, see how it goes and get
                      back with details.
                      Another workaround I was thinking is to compress the log file before
                      sending.





                      --
                      View this message in context: http://postfix.1071664.n5.nabble.com/Postfix-pflogsumm-clamav-email-blocked-tp62737p62751.html
                      Sent from the Postfix Users mailing list archive at Nabble.com.
                    • Benny Pedersen
                      Message 10 of 13 , Nov 4, 2013
                        Manuel Bieling skrev den 2013-11-05 01:21:

                        > Sorry, I'm not as familiar with clam*. But why do you assume the mails
                        > coming from a localhost sender?

                        I don't trust, it's 127.0.0.1 networking, which is always me, why
                        should I block myself?

                        I did not write root@localhost as sender
                      • Benny Pedersen
                        Message 11 of 13 , Nov 4, 2013
                          inteq skrev den 2013-11-05 02:26:

                          > Another workaround I was thinking is to compress the log file before
                          > sending.

                          should then be something clamav can't unpack :)

                          e.g. lzip
                        • inteq
                          Message 12 of 13 , Nov 4, 2013
                            Decided to tar my log and send it.
                            Tested with yesterday's log containing malware links and it works (so far).

                            Thank you for your input

                            My approach:

                            #!/bin/bash
                            # Use apt-get install sendemail (this is NOT sendmail) if you do not have it
                            set -e
                            # Build the report in a private temporary directory (not the current
                            # directory) and remove it on exit, whether or not sending succeeds.
                            tmp=$(mktemp -d)
                            trap 'rm -rf "$tmp"' EXIT
                            /usr/sbin/pflogsumm -d today --problems_first --smtpd-stats \
                                /var/log/mail.log > "$tmp/log.txt" 2>&1
                            # Compress the report so the scanner no longer sees the URLs in the text.
                            tar czf "$tmp/postfix.tar.gz" -C "$tmp" log.txt
                            sendemail -f sender[at]domain[dot]com -t recipient[at]domain[dot]com \
                                -m "Check the attached file" \
                                -u "Postfix report for $(hostname) on $(date)" \
                                -a "$tmp/postfix.tar.gz"



                            --
                            View this message in context: http://postfix.1071664.n5.nabble.com/Postfix-pflogsumm-clamav-email-blocked-tp62737p62754.html
                            Sent from the Postfix Users mailing list archive at Nabble.com.
                          • Noel Jones
                            Message 13 of 13 , Nov 5, 2013
                              On 11/4/2013 9:47 PM, inteq wrote:
                              > Decided to tar my log and send it.
                              > Tested with the yesterday log containing malware links and it works.(so far)
                              >
                              > Thank you for your input
                              >
                              > My approach:
                              >
                              > #!/bin/bash
                              > # Use apt-get install sendemail (this is NOT sendmail) if you do not have it
                              > /usr/sbin/pflogsumm -d today --problems_first --smtpd-stats
                              > /var/log/mail.log > log.txt 2>&1
                              > tar czf postfix.tar.gz log.txt
                              > sendemail -f sender[at]domain[dot]com -t recipient[at]domain[dot]com -m
                              > "Check the attached file" -u "Postfix report for $(hostname) on $(date)" -a
                              > postfix.tar.gz

                              You're making this so much harder than it needs to be. Just bypass
                              clamav.

                              You're on the right track with the sendemail program. Use the -s
                              server:port option to send the mail to a port that doesn't have
                              clamav enabled, typically something like

                              sendemail ... -s 127.0.0.1:10025 ...




                              -- Noel Jones