# qmail-scanner not being called [Solved]

## newtonian

Hi-

I'm trying to get clamav to reject infected mail.

I went through the qmail howto at:

http://www.gentoo.org/doc/en/qmail-howto.xml

Here are the versions I'm working with:

```
*  app-antivirus/clamav
      Latest version available: 0.81
      Latest version installed: 0.81

*  mail-filter/qmail-scanner
      Latest version available: 1.24
      Latest version installed: 1.24

*  sys-apps/ucspi-tcp
      Latest version available: 0.88-r9
      Latest version installed: 0.88-r9

*  mail-mta/qmail
      Latest version available: 1.03-r13
      Latest version installed: 1.03-r13
```

I think that /etc/clamav.conf has been superseded by /etc/clamd.conf, so I edited that one (`vim /etc/clamd.conf`). Here are the lines I changed:

```
# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
LogFile /var/log/clamd.log
```

/etc/conf.d/clamd:

```
hawk conf.d # cat /etc/conf.d/clamd
# Config file for /etc/init.d/clamd
START_CLAMD=yes
CLAMD_OPTS=""
CLAMD_LOG="/var/log/clamd.log"
START_FRESHCLAM=yes
FRESHCLAM_OPTS="-d -c 2 -u qscand"
FRESHCLAM_LOG="/var/log/clam-update.log"
```

My clamscan binary in /var/qmail/bin/qmail-scanner-queue.pl is set to:

```
my $clamscan_binary='/usr/bin/clamscan';
my $clamscan_options="-r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=100000";
my $clamdscan_binary='/usr/bin/clamdscan';
```

next I re-emerged qmail-scanner.  But still no luck.

Then I tried the ownership recommendations on this page: https://forums.gentoo.org/viewtopic.php?t=132271&highlight=clamd+qmail

I plopped a virus/worm on to my home directory and ran:

```
hawk david # clamscan -r -l scan.txt /home/david/infected/
/home/david/infected/virus.exe: Trojan.Downloader.Small-165 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 30065
Scanned directories: 1
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.476 sec (0 m 0 s)
```

Which shows that clamscan is working ok from the command line.

But when I send myself an attachment with the same infected file, the file doesn't get stopped.

Re-emerging qmail-scanner gives me this output:

```
Content/Virus Scanners installed on your System
clamdscan=/usr/bin/clamdscan (which means clamscan won't be used as clamdscan is better)
fast_spamassassin=/usr/bin/spamc
```

So it seems to me that the qmail-scanner knows about clamdscan.

A tail -f /var/log/mail/current shows (files only logged when test_installation.sh is run):

```
spamd[16230]: [info] setuid to root succeeded
spamd[16230]: [Still running as root] user not specified with -u, not found, or set to root.  Fall back to nobody.
spamd[16230]: [checking message <GTUBE1.1010101@example.net> for root] 65534.
spamd[16230]: [identified spam (997.2/6.0) for root] 65534 in 0.1 seconds, 799 bytes.
spamd[16230]: [result] Y 997 - ALL_TRUSTED,GTUBE scantime=0.1,size=799,mid=<GTUBE1.1010101@example.net>,autolearn=failed
Feb  1 01:35:39 [imapd-ssl] DISCONNECTED, user=ds@mydomain.com, ip=[::ffff:220.159.38.78], headers=0, body=0, time=6442, starttls=1
Feb  1 01:36:20 [imapd-ssl] Connection, ip=[::ffff:220.159.38.78]
Feb  1 01:36:22 [imapd-ssl] LOGIN, user=ds@mydomain.com, ip=[::ffff:220.159.38.78], protocol=IMAP
```

```
hawk david # /etc/init.d/clamd status
 * status:  started
```

Here's the output from clamd.log:

```
--- Stopped at Tue Feb  1 00:58:51 2005
+++ Started at Tue Feb  1 00:59:14 2005
clamd daemon 0.81 (OS: linux-gnu, ARCH: i386, CPU: i686)
Log file size limited to 1048576 bytes.
Reading databases from /var/lib/clamav
Protecting against 30065 viruses.
Unix socket file /tmp/clamd
Setting connection queue length to 15
Archive: Archived file size limit set to 10485760 bytes.
Archive: Recursion level limit set to 8.
Archive: Files limit set to 1000.
Archive: Compression ratio limit set to 250.
Archive support enabled.
Archive: RAR support disabled.
Portable Executable support enabled.
Mail files support enabled.
OLE2 support enabled.
HTML support enabled.
Self checking every 1800 seconds.
/tmp/mkt_qs.16523-1107220924/eicar.com: Eicar-Test-Signature FOUND
```

/etc/tcp.smtp:

```
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.1.10:allow,RELAYCLIENT="",RBLSMTPD=""
:allow
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
192.168.1.10:allow,RELAYCLIENT="",RBLSMTPD=""
```

If you know of where else I could look it would be greatly appreciated.

Cheers

----------

## asph

Try this as tcp.smtp:

```
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.1.10:allow,RELAYCLIENT="",RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
```

Note: this depends on the versions of qmail and qmail-scanner you are using, since the .pl is no longer used (instead it uses a wrapper).
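A check for the rules file asph is describing, added here as an example and not part of the thread or of ucspi-tcp: a POSIX sh/awk script that lints a tcpserver rules file before it is compiled with tcprules. It flags duplicate address keys (the poster's first tcp.smtp had two default `:` lines and two `192.168.1.10` lines) and reports which instruction a given client IP would receive, following the precedence tcpserver applies: an exact IP match, then the longest dotted prefix such as `192.168.1.`, then the empty default; for a duplicated key it takes the first record, as a cdb lookup does. The three sample rules files are constructed in a temporary directory: copies of the two versions posted in this thread plus a third with a network-prefix rule.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a tcpserver rules file
# before running "tcprules file.cdb file.tmp < file".

# Print each address key that occurs more than once ("<default>" for the
# empty key).  tcprules writes every record; the lookup returns the first,
# so a bare ":allow" ahead of ":allow,QMAILQUEUE=..." silently wins.
tcprules_dup_keys() {
    sed -e '/^#/d' -e '/^[[:space:]]*$/d' "$1" \
    | sed -e 's/:.*//' | sort | uniq -d | sed -e 's/^$/<default>/'
}

# Print the instruction tcpserver would apply to client IP $2 under rules
# file $1: exact IP, then longest dotted prefix, then the empty default.
tcprules_lookup() {
    awk -v ip="$2" '
        /^#/ || /^[[:space:]]*$/ { next }
        {
            i = index($0, ":")
            if (i == 0) next                      # not a rule line
            key = substr($0, 1, i - 1); ins = substr($0, i + 1)
            if (!(key in rule)) rule[key] = ins   # first record wins
        }
        END {
            if (ip in rule) { print rule[ip]; exit }
            n = split(ip, o, ".")
            for (i = n - 1; i >= 1; i--) {        # longest prefix first
                p = o[1]; for (j = 2; j <= i; j++) p = p "." o[j]
                p = p "."
                if (p in rule) { print rule[p]; exit }
            }
            if ("" in rule) print rule[""]
        }' "$1"
}

# --- constructed sample files (copies of the two versions in this thread,
# --- plus one with a prefix rule); nothing here touches /etc ---
workdir=$(mktemp -d); trap 'rm -rf "$workdir"' EXIT
orig_rules="$workdir/tcp.smtp.orig"
fixed_rules="$workdir/tcp.smtp.fixed"
lan_rules="$workdir/tcp.smtp.lan"

cat > "$orig_rules" <<'EOF'
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.1.10:allow,RELAYCLIENT="",RBLSMTPD=""
:allow
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
192.168.1.10:allow,RELAYCLIENT="",RBLSMTPD=""
EOF

cat > "$fixed_rules" <<'EOF'
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.1.10:allow,RELAYCLIENT="",RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
EOF

cat > "$lan_rules" <<'EOF'
# whole LAN may relay; everything else is scanned
192.168.1.:allow,RELAYCLIENT="",RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
EOF

echo "duplicate keys in original:"; tcprules_dup_keys "$orig_rules"
echo "203.0.113.7  (original): $(tcprules_lookup "$orig_rules" 203.0.113.7)"
echo "203.0.113.7  (fixed):    $(tcprules_lookup "$fixed_rules" 203.0.113.7)"
echo "192.168.1.10 (fixed):    $(tcprules_lookup "$fixed_rules" 192.168.1.10)"
echo "192.168.1.77 (lan):      $(tcprules_lookup "$lan_rules" 192.168.1.77)"
```

Run the two functions against /etc/tcp.smtp or /etc/tcprules.d/tcp.qmail-smtp with the address of a real remote client: if the instruction it reports has no QMAILQUEUE, qmail-smtpd hands the message straight to qmail-queue and Qmail-Scanner never runs for that client, whatever test_installation.sh says.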

----------

## newtonian

Thanks- 

I think my tcp.smtp was incorrect as you noted so I updated it to what you listed.  But I don't see any change.  

I don't see clamd in the /var/mail/current log unless I do a: 

```
/etc/init.d/clamd restart
```

Sending and receiving mail doesn't seem to call spamd or clamd. At least they're not showing up in the logs.

----------

## newtonian

as root, ran :

```
./test_installation.sh -doit
```

The sh script sends 4 emails to root; 2 of the 4 are supposed to be blocked.

Mail 1 of 4 wasn't blocked (this is correct):

*Quote:*

> Message 1/4
> This is a test message. It should arrive unaffected.
> ...

Message 2/4 was not blocked (this is not correct)

Here's the message from root's mailbox.

*Quote:*

> This is an example of an Email message containing a virus. It should
> trigger the Qmail-Scanner system, and as such not be delivered to it's
> ...

Here's what the test script says about the 2nd email.

*Quote:*

> The second contains the EICAR.COM test virus, and the in-built perlscan
> module should catch that.
> ...

The 3rd message was blocked (this is correct)

Here's what the test script says about the 3rd email.

*Quote:*

> The third also contains the EICAR.COM test virus - but the filename is
> different. Therefore it will bypass the perlscan module, but should still
> ...

The 4th email isn't blocked and is marked as spam (this is correct).  Here is the marked message:

*Quote:*

> Return-Path: <>
> Delivered-To: david@mydomain.com
> ...

So, from the test script it sounds like the problem is with the in-built perlscan module. Which makes sense because clamav works fine from the command line.

Any ideas?

Cheers,

----------

## petterg

You're editing /etc/tcp*

You'll probably be better off editing /etc/tcprules/*

----------

## newtonian

Thanks-  

I don't know if I really need both files or what but I checked them both out and here are the contents:

```
hawk etc # cat /etc/tcp.smtp | sed -e "/^#/d" | sed -e "/^\s*$/d"
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.1.10:allow,RELAYCLIENT="",RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
```

```
hawk etc # cat /etc/tcprules.d/tcp.qmail-smtp | sed -e "/^#/d" | sed -e "/^\s*$/d"
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.1.10:allow,RELAYCLIENT="",RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
```

----------

## newtonian

as root ran: 

```
/var/qmail/bin/qmail-scanner-queue.pl -g
```

in hopes of updating 

/var/spool/qmailscan/quarantine-attachments.txt

but the 2nd email still gets through.

----------

## newtonian

the test script email gets logged in: 

 /var/spool/qmailscan/qmail-queue.log

and in 

/var/spool/qmailscan/mailstats.csv

but no email from the internet (or from mutt on the server) gets logged in the above log files.  

Ran: 

```
hawk tmp # cd /etc/tcprules.d/
hawk tcprules.d # tcprules tcp.qmail-smtp.cdb tcp.qmail-smtp.tmp < tcp.qmail-smtp
```

Re-ran just the above code just to be sure. But virus files still go straight through without being detected.

I'm beginning to think that the main problem is that qmail-scanner is simply not getting called at all unless test_installation.sh is run.

----------

## newtonian

I went over the qmail-scanner faq:

*Quote:*

> Q-S doesn't work with Vpopmail: Vpopmail - when used in its "pop-before-smtp" configuration - basically strips out environment variables set within the tcpserver SMTP rules file - specifically the QMAILQUEUE environment variable. As it is responsible for starting qmail-smtpd, that means Qmail-Scanner never gets called. This is really a bug with Vpopmail, but a workaround is to set QMAILQUEUE within /service/smtpd/run instead. However, you must realise that you will lose Q-S functionality - such as altering Q-S components based on SMTP server IP address, etc. This will only get worse... If you don't like it - join the Vpopmail list and bring it up there - this is not anything Qmail-Scanner can do anything about. Note: Alex Pleiner has created a patch for vpopmail's roaming users feature that allows it to interoperate with Qmail-Scanner. See the contrib/ directory for the patch (vpopmail-issues.eml)

So I added this line to /service/qmail-smtpd/run

```
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
```

But it didn't seem to make a difference.

----------

## newtonian

*Quote:*

> This is looking more and more qmail-scanner specific so I'm going to post to qmail-scanner-general@lists.sourceforge.net.
> If I get it figured out I'll post the answer back here.
> ...

So I tried:

*Quote:*

> David Sperling wrote:
> >
> ...

And now I'm back.

----------

## petterg

The test_installation script forces qmail-scanner to run. It would do so no matter whether you defined it in tcprules or not.

If the test_installation script works, then qmail-scanner is ok.

Your problem is that the smtp service does not call qmail-scanner.

Do you have the ipv6 flag set? If so try to disable it and reemerge ucspi-tcp

----------

## newtonian

*petterg wrote:*

> The test_installation script forces qmail-scanner to run. It would do so no matter whether you defined it in tcprules or not.
> If the test_installation script works, then qmail-scanner is ok.
> Your problem is that the smtp service does not call qmail-scanner.
> ...

Did as you suggested in the posts below:

----------

## newtonian

When I try to point the qmail run script to /etc/tcprules.d/qmail-smtp.cdb and restart svscan,

My mail server on port 25 stops accepting connections:  

```
hawk tcprules.d # telnet 192.168.1.10 25
Trying 192.168.1.10...
telnet: Unable to connect to remote host: Connection refused
```

Here's my /service/qmail-smtpd/run

```
hawk tcprules.d # cat /service/qmail-smtpd/run  | sed -e "/^#/d" | sed -e "/^\s*$/d"
SERVICE=qmail-smtp
. /etc/profile
[ -s ${QMAIL_CONTROLDIR}/conf-common ] && source ${QMAIL_CONTROLDIR}/conf-common
[ -s ${QMAIL_CONTROLDIR}/conf-${SERVICE}d ] && source ${QMAIL_CONTROLDIR}/conf-${SERVICE}d
[ -s /var/qmail/bin/config-sanity-check ] && source /var/qmail/bin/config-sanity-check
exec /usr/bin/softlimit ${SOFTLIMIT_OPTS} \
    ${QMAIL_TCPSERVER_PRE} \
    /usr/bin/tcpserver ${TCPSERVER_OPTS} -x /etc/tcprules.d/tcp.${SERVICE}.cdb \
    -c ${MAXCONN} -u ${QMAILDUID} -g ${NOFILESGID} \
    ${TCPSERVER_HOST} ${TCPSERVER_PORT} \
    ${QMAIL_SMTP_PRE} /var/qmail/bin/qmail-${SERVICE}d ${QMAIL_SMTP_POST} \
    2>&1
```

my qmail-smtp is just the standard 3 line file from /etc/tcprules.d/ listed above.

Cheers,

----------

## newtonian

Re-emerging ucspi-tcp

did 

```
emerge -C sys-apps/ucspi-tcp
```

then 

```
hawk tcprules.d #  env USE="-ipv6" emerge sys-apps/ucspi-tcp
Calculating dependencies ...done!
>>> emerge (1 of 1) sys-apps/ucspi-tcp-0.88-r9 to /
>>> md5 src_uri ;-) ucspi-tcp-0.88.tar.gz
>>> md5 src_uri ;-) ucspi-rss.diff
>>> md5 src_uri ;-) ucspi-tcp-ssl-20020705.patch.gz
>>> md5 src_uri ;-) ucspi-tcp-0.88-ipv6-ssl-nm1.patch.bz2
>>> Unpacking source...
```

Then did the same with courier-imap, courier auth and qmail.

----------

## newtonian

The re-emerge of qmail made run point back to /etc/

as opposed to /etc/tcprules.d/

```
 /usr/bin/tcpserver ${TCPSERVER_OPTS} -x /etc/tcp.${SERVICE}.cdb \
```

So I checked /etc/tcp.smtp

```
hawk etc # cat /etc/tcp.smtp | sed -e "/^#/d" | sed -e "/^\s*$/d"
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.1.10:allow,RELAYCLIENT="",RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
```

compiled it and restarted svscan

```
hawk etc # tcprules /etc/tcp.smtp.cdb /etc/.tcp.smtp.tmp < /etc/tcp.smtp
hawk etc # /etc/init.d/svscan restart
```

next I telnet in from the internet to port 25:

```
220 myserver.com ESMTP
HELO eMont
250 myserver.com
mail From:<test@test.com>
250 ok
rcpt to:<zzzouch@myvirtdomain.com>
250 ok
data
354 go ahead
This is a test email
.
554 qq permanent problem (#5.3.0)
quit
221 myserver.com
```

if I switch 

```
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
```

to

```
:allow
```

everything works fine, but no qmail-scanner

----------

## newtonian

doing:

```
tail -f /var/log/qmail/qmail-smtpd/current
```

shows this error:

*Quote:*

> Out of memory!

Ahh!! finally qmail-scanner talking

The faq says you've got to up the memory. So I vim /var/qmail/control/conf-common

and add a new line and comment the old:

```
#SOFTLIMIT_OPTS="-m 8000000"
SOFTLIMIT_OPTS="-m 80000000"
```

----------

## newtonian

Next time I try to telnet port 25 I get 

*Quote:*

> qq temporary problem (#4.3.0)

/var/log/qmail/qmail-smtpd/current says:

*Quote:*

> X-Qmail-Scanner-1.24st:[hawk11078915636808907] cannot open /var/spool/qmailscan/quarantine-attachments.db - Permission denied

so I googled and came up with the following fix:

```
chown -R qscand:qscand /var/spool/qmailscan
```

The next telnet 25 attempt didn't create any errors in the logs.

Next I send a copy of worm from the internet to my server(You should probably work with a test virus instead).

I check the /var/log/mail/current log and:

*Quote:*

> Feb  9 04:52:55 [clamd] /var/spool/qmailscan/tmp/hawk11078923756809020/textfile0: OK
> Feb  9 04:52:55 [clamd] /var/spool/qmailscan/tmp/hawk11078923756809020/textfile1: OK
> ...

It works!!!

----------

## newtonian

In conclusion, I think it was petterg's suggestion about getting rid of the ipv6 flag that finally got Q-S moving. Another thing that helped was learning that qmail calls smtp.cdb from the /service/qmail-smtpd/run script. Then there was learning how to talk to qmail via telnet on port 25 while watching /var/log/qmail/qmail-smtpd/current.

*Quote:*

> Do you have the ipv6 flag set? If so try to disable it and reemerge ucspi-tcp

Cheers,
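The three things the thread still had to fix once QMAILQUEUE was actually being honoured (an executable QMAILQUEUE target, a spool owned by the scanner user, and a softlimit large enough for the perl scanner), gathered into one pre-flight check. This is an added example, not the thread's or Qmail-Scanner's own code: the paths and owner are parameters, the environment it runs against below is constructed in a temporary directory instead of /var/qmail and /var/spool/qmailscan, and the 64 MB floor is my own choice (the poster went from 8000000 to 80000000 on the FAQ's advice; the FAQ does not give a number here).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a Qmail-Scanner
# installation, covering the three failures seen in this thread.

# qs_preflight QMAILQUEUE_BIN SPOOL_DIR SPOOL_OWNER CONF_COMMON [MIN_BYTES]
# Prints one line per problem; returns 1 if any were found, else 0.
qs_preflight() {
    bin=$1; spool=$2; owner=$3; conf=$4; min=${5:-64000000}
    rc=0

    # 1. The program named in QMAILQUEUE must exist and be executable;
    #    otherwise qmail-smtpd answers "554 qq permanent problem (#5.3.0)".
    if [ ! -x "$bin" ]; then
        echo "FAIL: $bin is missing or not executable"; rc=1
    fi

    # 2. Everything under the Q-S spool must belong to the scanner user
    #    (the "cannot open quarantine-attachments.db - Permission denied" case).
    for f in $(find "$spool" -print); do
        have=$(ls -ld "$f" | awk '{print $3}')
        if [ "$have" != "$owner" ]; then
            echo "FAIL: $f is owned by $have, expected $owner"; rc=1
        fi
    done

    # 3. softlimit -m must leave the perl scanner enough address space.
    #    The last uncommented SOFTLIMIT_OPTS assignment in conf-common wins,
    #    exactly as it would when the run script sources the file.
    limit=$(sed -n 's/^SOFTLIMIT_OPTS="-m \([0-9]*\)".*/\1/p' "$conf" | tail -n 1)
    if [ -z "$limit" ]; then
        echo "WARN: no SOFTLIMIT_OPTS=\"-m N\" line found in $conf"
    elif [ "$limit" -lt "$min" ]; then
        echo "FAIL: softlimit -m $limit is below $min (the poster saw 'Out of memory!' at 8000000)"; rc=1
    fi
    return $rc
}

# --- constructed environment; stands in for /var/qmail and /var/spool/qmailscan ---
workdir=$(mktemp -d); trap 'rm -rf "$workdir"' EXIT
me=$(id -un)
printf '#!/bin/sh\nexit 0\n' > "$workdir/qmail-scanner-queue"
chmod 755 "$workdir/qmail-scanner-queue"
mkdir -p "$workdir/qmailscan/tmp"
: > "$workdir/qmailscan/quarantine-attachments.db"
printf '#SOFTLIMIT_OPTS="-m 8000000"\nSOFTLIMIT_OPTS="-m 80000000"\n' > "$workdir/conf-common.good"
printf 'SOFTLIMIT_OPTS="-m 8000000"\n' > "$workdir/conf-common.small"

echo "== working configuration =="
qs_preflight "$workdir/qmail-scanner-queue" "$workdir/qmailscan" "$me" "$workdir/conf-common.good" && echo "OK"
echo "== 8 MB softlimit, spool not owned by qscand =="
qs_preflight "$workdir/qmail-scanner-queue" "$workdir/qmailscan" qscand "$workdir/conf-common.small" || echo "problems found"
```

On a real box the call is `qs_preflight /var/qmail/bin/qmail-scanner-queue /var/spool/qmailscan qscand /var/qmail/control/conf-common`, run before restarting svscan; the ownership walk needs to be run as root to see files the scanner user created.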

----------

## born

I have had the same problem with qmail and with this thread I solved it in about 5 minutes. It took me more than 5 hours to analyze my config files yesterday... without a solution.

This thread really helped me.

Thanks a lot!

----------

## newtonian

cool- 

Nice to know it was helpful to somebody.

----------

