# ClamAV-clamd av-scanner FAILED

## mkiler

Hi

I have a problem with my Postfix. The server worked fine, but two days ago something happened. Emails cannot be delivered to recipients, but only when the bypass options in /etc/amavisd.conf are commented out:

```
#@bypass_virus_checks_maps = (1);  # uncomment to DISABLE anti-virus code
#@bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code
```

When they are uncommented, mails are delivered.

When the bypass is commented out and I run `/etc/init.d/clamd start`, the log from /var/log/messages is:

```
May 22 13:29:21 papa freshclam[2772]: Current working dir is /var/lib/clamav
May 22 13:29:21 papa freshclam[2773]: freshclam daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)
May 22 13:29:21 papa freshclam[2773]: Max retries == 3
May 22 13:29:21 papa freshclam[2773]: ClamAV update process started at Thu May 22 13:29:21 2008
May 22 13:29:21 papa freshclam[2773]: Querying current.cvd.clamav.net
May 22 13:29:22 papa freshclam[2773]: TTL: 30
May 22 13:29:22 papa freshclam[2773]: Software version from DNS: 0.93
May 22 13:29:22 papa freshclam[2773]: Your ClamAV installation is OUTDATED!
May 22 13:29:22 papa freshclam[2773]: Local version: 0.90.3 Recommended version: 0.93
May 22 13:29:22 papa freshclam[2773]: DON'T PANIC! Read http://www.clamav.net/support/faq
May 22 13:29:22 papa freshclam[2773]: Waiting to lock database directory: /var/lib/clamav
May 22 13:29:27 papa freshclam[2773]: Waiting to lock database directory: /var/lib/clamav
May 22 13:29:32 papa freshclam[2773]: Waiting to lock database directory: /var/lib/clamav
May 22 13:29:37 papa freshclam[2773]: Waiting to lock database directory: /var/lib/clamav
May 22 13:29:42 papa freshclam[2773]: Waiting to lock database directory: /var/lib/clamav
May 22 13:29:46 papa pop3d: Connection, ip=[83.6.115.9]
May 22 13:29:46 papa pop3d: LOGIN, user=poltarzewski, ip=[83.6.115.9]
May 22 13:29:47 papa pop3d: LOGOUT, user=poltarzewski, ip=[83.6.115.9], top=0, retr=0, time=1
May 22 13:29:47 papa freshclam[2773]: Waiting to lock database directory: /var/lib/clamav
May 22 13:29:52 papa freshclam[2773]: main.cvd version from DNS: 46
May 22 13:29:52 papa freshclam[2773]: main.cvd is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven)
May 22 13:29:52 papa freshclam[2773]: daily.cvd version from DNS: 7213
May 22 13:29:52 papa freshclam[2773]: daily.inc is up to date (version: 7213, sigs: 65401, f-level: 26, builder: ccordes)
May 22 13:29:52 papa freshclam[2773]: --------------------------------------
```

Next step, `/etc/init.d/amavisd start`; the log is:

```
May 22 13:32:08 papa amavis[2849]: (02849-01) (!!) ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/amavis/clamd (Can't connect to UNIX socket /var/amavis/clamd: Connection refused) at (eval 66) line 268.
May 22 13:32:08 papa amavis[2849]: (02849-01) (!!) WARN: all primary virus scanners failed, considering backups
```

What is wrong??

And when scanning in amavis is on and I try to send a message, the log is:

```
May 22 14:00:52 papa postfix/smtpd[6395]: 8D1D3508326: client=aatd227.neoplus.adsl.tpnet.pl[83.5.241.227], sasl_method=PLAIN, sasl_username=mkiljanski
May 22 14:00:52 papa postfix/cleanup[6396]: 8D1D3508326: message-id=<48357380.6020001@example.pl>
May 22 14:00:52 papa postfix/qmgr[6382]: 8D1D3508326: from=<m.kiljanski@example.pl>, size=527, nrcpt=1 (queue active)
May 22 14:00:52 papa postfix/smtpd[6395]: disconnect from aatd227.neoplus.adsl.tpnet.pl[83.5.241.227]
May 22 14:00:52 papa postfix/pickup[6381]: C42F450833B: uid=1150 from=<m.kiljanski@example.pl>
May 22 14:00:52 papa postfix/cleanup[6472]: C42F450833B: message-id=<48357380.6020001@example.pl>
May 22 14:00:52 papa postfix/pipe[6397]: 8D1D3508326: to=<m.kiljanski@example.pl>, relay=dfilt, delay=0.4, delays=0.33/0/0/0.07, dsn=2.0.0, status=sent (delivered via dfilt service)
May 22 14:00:52 papa postfix/qmgr[6382]: 8D1D3508326: removed
May 22 14:00:52 papa postfix/qmgr[6382]: C42F450833B: from=<m.kiljanski@example.pl>, size=711, nrcpt=1 (queue active)
```

Appreciate your advice :)

----------

## magic919

Sounds a lot like your aged clamav is stuffed.  Update it and fix it.

----------

## mkiler

ok updated

```
papa ~ # emerge -s clamav
Searching...
[ Results for search key : clamav ]
[ Applications found : 5 ]

*  app-antivirus/clamav
      Latest version available: 0.93
      Latest version installed: 0.93
      Size of files: 15,756 kB
      Homepage:      http://www.clamav.net/
      Description:   Clam Anti-Virus Scanner
      License:       GPL-2
```

but when amavis starts 

```
May 22 18:13:34 papa amavis[19319]: ANTI-VIRUS code      loaded
May 22 18:13:34 papa amavis[19319]: ANTI-SPAM code       loaded
May 22 18:13:34 papa amavis[19319]: ANTI-SPAM-SA code    loaded
```

log:

```
May 22 18:15:02 papa amavis[19333]: (19333-01) (!!) ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/amavis/clamd (Can't connect to UNIX socket /var/amavis/clamd: Connection refused) at (eval 66) line 268.
May 22 18:15:02 papa amavis[19333]: (19333-01) (!!) WARN: all primary virus scanners failed, considering backups
```

emails are delivered! :)

but this error, what's wrong?

----------

## bunder

i need to see your amavis and clam configs please...  usually when i see this:

 *Quote:*   

> May 22 18:15:02 papa amavis[19333]: (19333-01) (!!) ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/amavis/clamd (Can't connect to UNIX socket /var/amavis/clamd: Connection refused) at (eval 66) line 268. 

 

either clamd isn't running, or there is a configuration issue between clam/amavis.

cheers

----------
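The two causes named in the reply above can be told apart from the socket itself. The following Python sketch is an added example, not part of the thread and not code from ClamAV or amavisd-new: it compares the `LocalSocket` path in clamd.conf with the path in the amavis error, then sends clamd's `PING` command to that socket. The sample text is copied from this thread; the function names are hypothetical.

```python
import errno
import re
import socket

# Constructed sample input: active lines of the clamd.conf posted in this
# thread, and the amavis error line quoted in it.
SAMPLE_CLAMD_CONF = """\
# Default: disabled (must be specified by a user)
LocalSocket /var/amavis/clamd
FixStaleSocket yes
#TCPSocket 3310
User amavis
"""
SAMPLE_AMAVIS_LOG = (
    "May 22 18:15:02 papa amavis[19333]: (19333-01) (!!) ClamAV-clamd av-scanner "
    "FAILED: Too many retries to talk to /var/amavis/clamd (Can't connect to UNIX "
    "socket /var/amavis/clamd: Connection refused) at (eval 66) line 268."
)

AMAVIS_ERR = re.compile(r"Can't connect to UNIX socket (\S+): (.+?)\)")

MESSAGES = {
    "ok": "clamd answered PONG; the socket works for this user",
    "missing": "no socket file; clamd is not running or failed at startup",
    "refused": "socket file exists but nothing listens on it; "
               "clamd is not running (stale socket)",
    "denied": "permission denied on the socket or its directory for this user",
    "unexpected": "something answered, but not with PONG",
}


def local_socket_from_clamd_conf(text):
    """Return the first active (uncommented) LocalSocket path, or None."""
    for raw in text.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) == 2 and fields[0] == "LocalSocket":
            return fields[1].strip()
    return None


def socket_from_amavis_log(line):
    """Return (socket_path, os_error_text) from an amavis error line, or None."""
    m = AMAVIS_ERR.search(line)
    return (m.group(1), m.group(2)) if m else None


def probe_clamd(path, timeout=5.0):
    """Connect to the UNIX socket, send PING, and classify the outcome."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        s.sendall(b"PING\n")
        reply = s.recv(64)
    except OSError as exc:
        # The errno is what separates "clamd never created the socket" from
        # "the socket file is there but no process is accepting on it".
        return {errno.ENOENT: "missing",
                errno.ECONNREFUSED: "refused",
                errno.EACCES: "denied"}.get(exc.errno, "error: %s" % exc)
    finally:
        s.close()
    return "ok" if reply.strip() == b"PONG" else "unexpected"


def diagnose(clamd_conf_text, amavis_log_line, probe=probe_clamd):
    """Return (code, message): config mismatch first, then the live probe."""
    conf_path = local_socket_from_clamd_conf(clamd_conf_text)
    if conf_path is None:
        return ("no-localsocket", "clamd.conf has no active LocalSocket line")
    logged = socket_from_amavis_log(amavis_log_line)
    if logged and logged[0] != conf_path:
        return ("mismatch", "amavis talks to %s but clamd.conf says %s"
                % (logged[0], conf_path))
    state = probe(conf_path)
    return (state, MESSAGES.get(state, state))


if __name__ == "__main__":
    code, message = diagnose(SAMPLE_CLAMD_CONF, SAMPLE_AMAVIS_LOG)
    print("%s: %s" % (code, message))
```

Run the probe as the account amavisd runs under, since a socket that root can reach may still be denied to that user.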

## mkiler

clamd

```
##

## Example config file for the Clam AV daemon

## Please read the clamd.conf(5) manual before editing this file.

##

# Comment or remove the line below.

# Example

# Uncomment this option to enable logging.

# LogFile must be writable for the user running daemon.

# A full path is required.

# Default: disabled

LogVerbose yes

LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against

# running clamd multiple times (if want to run another clamd, please

# copy the configuration file, change the LogFile variable, and run

# the daemon with --config-file option).

# This option disables log file locking.

# Default: no

#LogFileUnlock yes

# Maximum size of the log file.

# Value of 0 disables the limit.

# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size

# in bytes just don't use modifiers.

# Default: 1M

#LogFileMaxSize 2M

# Log time with each message.

# Default: no

LogTime yes

# Also log clean files. Useful in debugging but drastically increases the

# log size.

# Default: no

#LogClean yes

# Use system logger (can work together with LogFile).

# Default: no

#LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'

# for facility names.

# Default: LOG_LOCAL6

#LogFacility LOG_MAIL

# Enable verbose logging.

# Default: no

#LogVerbose yes

# This option allows you to save a process identifier of the listening

# daemon (main thread).

# Default: disabled

#PidFile /var/run/amavis/clamd.pid

PidFile /var/amavis/clamd.pid

# Optional path to the global temporary directory.

# Default: system specific (usually /tmp or /var/tmp).

#TemporaryDirectory /var/tmp

# Path to the database directory.

# Default: hardcoded (depends on installation options)

#DatabaseDirectory /var/lib/clamav

# The daemon works in a local OR a network mode. Due to security reasons we

# recommend the local mode.

# Path to a local socket file the daemon will listen on.

# Default: disabled (must be specified by a user)

LocalSocket /var/amavis/clamd

# Remove stale socket after unclean shutdown.

# Default: no

FixStaleSocket yes

# TCP port address.

# Default: no

#TCPSocket 3310

# TCP address.

# By default we bind to INADDR_ANY, probably not wise.

# Enable the following to provide some degree of protection

# from the outside world.

# Default: no

#TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.

# Default: 15

#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.

# If you are using clamav-milter to balance load between remote clamd daemons

# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.

# The value should match your MTA's limit for a maximum attachment size.

# Default: 10M

StreamMaxLength 10M

# Limit port range.

# Default: 1024

#StreamMinPort 30000

# Default: 2048

#StreamMaxPort 32000

# Maximum number of threads running at the same time.

# Default: 10

#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).

# Value of 0 disables the timeout.

# Default: 120

#ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).

# Default: 30

#IdleTimeout 60

# Maximum depth directories are scanned at.

# Default: 15

#MaxDirectoryRecursion 20

# Follow directory symlinks.

# Default: no

#FollowDirectorySymlinks yes

# Follow regular file symlinks.

# Default: no

#FollowFileSymlinks yes

# Perform a database check.

# Default: 1800 (30 min)

#SelfCheck 600

# Execute a command when virus is found. In the command string %v will

# be replaced with the virus name.

# Default: no

#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root to make this option

# working).

# Default: don't drop privileges

User amavis

# Initialize supplementary group access (clamd must be started by root).

# Default: no

#AllowSupplementaryGroups no

# Stop daemon when libclamav reports out of memory condition.

#ExitOnOOM yes

# Don't fork into background.

# Default: no

#Foreground yes

# Enable debug messages in libclamav.

# Default: no

#Debug yes

# Do not remove temporary files (for debug purposes).

# Default: no

#LeaveTemporaryFiles yes

# In some cases (eg. complex malware, exploits in graphic files, and others),

# ClamAV uses special algorithms to provide accurate detection. This option

# controls the algorithmic detection.

# Default: yes

#AlgorithmicDetection yes

##

## Executable files

##

# PE stands for Portable Executable - it's an executable file format used

# in all 32 and 64-bit versions of Windows operating systems. This option allows

# ClamAV to perform a deeper analysis of executable files and it's also

# required for decompression of popular executable packers such as UPX, FSG,

# and Petite.

# Default: yes

#ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.

# This option allows you to control the scanning of ELF files.

# Default: yes

#ScanELF yes

# With this option clamav will try to detect broken executables (both PE and

# ELF) and mark them as Broken.Executable.

# Default: no

#DetectBrokenExecutables yes

##

## Documents

##

# This option enables scanning of OLE2 files, such as Microsoft Office

# documents and .msi files.

# Default: yes

#ScanOLE2 yes

# This option enables scanning within PDF files.

# Default: no

#ScanPDF yes

##

## Mail files

##

# Enable internal e-mail scanner.

# Default: yes

ScanMail yes

# If an email contains URLs ClamAV can download and scan them.

# WARNING: This option may open your system to a DoS attack.

#      Never use it on loaded servers.

# Default: no

#MailFollowURLs no

# Recursion level limit for the mail scanner.

# Default: 64

#MailMaxRecursion 128

# With this option enabled ClamAV will try to detect phishing attempts by using

# signatures.

# Default: yes

#PhishingSignatures yes

# Scan urls found in mails for phishing attempts.

# (available in experimental builds only) 

# Default: yes

#PhishingScanURLs yes

# Use phishing detection only for domains listed in the .pdb database. It is

# not recommended to have this option turned off, because scanning of all

# domains may lead to many false positives!

# (available in experimental builds only)

# Default: yes

#PhishingRestrictedScan yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.

# This can lead to false positives.

# (available in experimental builds only)

#

# Default: no

#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.

# This can lead to false positives.

# (available in experimental builds only)

#

# Default: no

#PhishingAlwaysBlockCloak no

##

## HTML

##

# Perform HTML normalisation and decryption of MS Script Encoder code.

# Default: yes

#ScanHTML yes

##

## Archives

##

# ClamAV can scan within archives and compressed files.

# Default: yes

ScanArchive yes

# The options below protect your system against Denial of Service attacks

# using archive bombs.

# Files in archives larger than this limit won't be scanned.

# Value of 0 disables the limit.

# Default: 10M

#ArchiveMaxFileSize 15M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR

# file, all files within it will also be scanned. This options specifies how

# deeply the process should be continued.

# Value of 0 disables the limit.

# Default: 8

#ArchiveMaxRecursion 10

# Number of files to be scanned within an archive.

# Value of 0 disables the limit.

# Default: 1000

#ArchiveMaxFiles 1500

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio

# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)

# Value of 0 disables the limit.

# Default: 250

#ArchiveMaxCompressionRatio 300

# Use slower but memory efficient decompression algorithm.

# only affects the bzip2 decompressor.

# Default: no

#ArchiveLimitMemoryUsage yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

# Default: no

#ArchiveBlockEncrypted no

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)

# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is

# reached.

# Default: no

#ArchiveBlockMax no

# Enable support for Sensory Networks' NodalCore hardware accelerator.

# Default: no

#NodalCoreAcceleration yes

##

## Clamuko settings

## WARNING: This is experimental software. It is very likely it will hang

##       up your system!!!

##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.

# Default: no

#ClamukoScanOnAccess yes

# Set access mask for Clamuko.

# Default: no

#ClamukoScanOnOpen yes

#ClamukoScanOnClose yes

#ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have

# multiple ClamukoIncludePath directives but each directory must be added

# in a seperate line.

# Default: disabled

#ClamukoIncludePath /home

#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.

# Default: disabled

#ClamukoExcludePath /home/bofh

# Don't scan files larger than ClamukoMaxFileSize

# Value of 0 disables the limit.

# Default: 5M

#ClamukoMaxFileSize 10M

```

amavis

```

use strict;

# Sample configuration file for amavisd-new (traditional style, chatty,

# you may prefer to start with the more concise supplied amavisd.conf)

#

# See amavisd.conf-default for a list of all variables with their defaults;

# for more details see documentation in INSTALL, README_FILES/*

# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html

# This software is licensed under the GNU General Public License (GPL).

# See comments at the start of amavisd-new for the whole license text.

#Sections:

# Section I    - Essential daemon and MTA settings

# Section II   - MTA specific

# Section III  - Logging

# Section IV   - Notifications/DSN, bounce/reject/discard/pass, quarantine

# Section V    - Per-recipient and per-sender handling, whitelisting, etc.

# Section VI   - Resource limits

# Section VII  - External programs, virus scanners, SpamAssassin

# Section VIII - Debugging

# Section IX   - Policy banks (dynamic policy switching)

#GENERAL NOTES:

#  This file is a normal Perl code, interpreted by Perl itself.

#  - make sure this file (or directory where it resides) is NOT WRITABLE

#    by mere mortals (not even vscan/amavis; best to make it owned by root),

#    otherwise it can represent a severe security risk!

#  - for values which are interpreted as booleans, it is recommended

#    to use 1 for true, and 0 or undef or '' for false;

#    Note that this interpretation of boolean values does not apply directly

#    to LDAP and SQL lookups, which follow their own rules - see README.lookups

#    and README.ldap (in short: use Y/N in SQL, and TRUE/FALSE in LDAP);

#  - Perl syntax applies. Most notably: strings in "" may include variables

#    (which start with $ or @); to include characters $ and @ and \ in double

#    quoted strings precede them by a backslash; in single-quoted strings

#    the $ and @ lose their special meaning, so it is usually easier to use

#    single quoted strings (or qw operator) for e-mail addresses.

#    In both types of quoting a backslash should to be doubled.

#  - variables with names starting with a '@' are lists, the values assigned

#    to them should be lists too, e.g. ('one@foo', $mydomain, "three");

#    note the comma-separation and parenthesis. If strings in the list

#    do not contain spaces nor variables, a Perl operator qw() may be used

#    as a shorthand to split its argument on whitespace and produce a list

#    of strings, e.g. qw( one@foo example.com three );  Note that the argument

#    to qw is quoted implicitly and no variable interpretation is done within

#    (no '$' variable evaluations). The #-initiated comments can NOT be used

#    within a string. In other words, $ and # lose their special meaning

#    within a qw argument, just like within '...' strings.

#  - all e-mail addresses in this file and as used internally by the daemon

#    are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.

#    Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com

#    and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'.

#  - the term 'default value' in examples below refers to the value of a

#    variable pre-assigned to it by the program; any explicit assignment

#    to a variable in this configuration file overrides the default value;

#

# Section I - Essential daemon and MTA settings

#

# $MYHOME serves as a quick default for some other configuration settings.

# More refined control is available with each individual setting further down.

# $MYHOME is not used directly by the program. No trailing slash!

$MYHOME = '/var/amavis';   # (default is '/var/amavis')

# $mydomain serves as a quick default for some other configuration settings.

# More refined control is available with each individual setting further down.

# $mydomain is never used directly by the program.

$mydomain = 'gsz.pl';      # (no useful default)

$myhostname = 'papa.gsz.pl';

# $myhostname = 'host.example.com';  # fqdn of this host, default by uname(3)

# Set the user and group to which the daemon will change if started as root

# (otherwise just keeps the UID unchanged, and these settings have no effect):

$daemon_user  = 'amavis';   # (no default;  customary: vscan or amavis)

$daemon_group = 'amavis';   # (no default;  customary: vscan or amavis or sweep)

# Runtime working directory (cwd), and a place where

# temporary directories for unpacking mail are created.

# (no trailing slash, may be a scratch file system)

#$TEMPBASE = $MYHOME;           # (must be set if other config vars use is)

$TEMPBASE = "$MYHOME/tmp";     # prefer to keep home dir /var/amavis clean?

#$db_home = "$MYHOME/db";   # DB databases directory, default "$MYHOME/db"

# $helpers_home sets environment variable HOME, and is passed as option

# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory

# on a normal persistent file system, not a scratch or temporary file system

#$helpers_home = $MYHOME;   # (defaults to $MYHOME)

# Run the daemon in the specified chroot jail if nonempty:

#$daemon_chroot_dir = $MYHOME;  # (default is undef, meaning: do not chroot)

#$pid_file  = "$MYHOME/amavisd.pid";  # (default is "$MYHOME/amavisd.pid")

#$lock_file = "$MYHOME/amavisd.lock"; # (default is "$MYHOME/amavisd.lock")

# set environment variables if you want (no defaults):

$ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory

#...

####################################################################################################

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)

$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

####################################################################################################

# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,

# both $forward_method and $notify_method default to 'smtp:[127.0.0.1]:10025'

# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4

# (set host and port number as required; host can be specified

# as an IP address or a DNS name (A or CNAME, but MX is ignored)

#$forward_method = 'smtp:[127.0.0.1]:10025';  # where to forward checked mail

#$notify_method = $forward_method;            # where to submit notifications

#$os_fingerprint_method = 'p0f:127.0.0.1:2345';  # query p0f-analyzer.pl

# To make it possible for several hosts to share one content checking daemon,

# the IP address and/or the port number in $forward_method and $notify_method

# may be spacified as an asterisk. An asterisk in the colon-separated

# second field (host) will be replaced by the SMTP client peer address,

# An asterisk in the third field (tcp port) will be replaced by the incoming

# SMTP/LMTP session port number plus one. This obsoletes the previously used

# less flexible configuration parameter $relayhost_is_client. An example:

#   $forward_method = 'smtp:*:*'; $notify_method = 'smtp:*:10587';

# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST

#       uncomment the appropriate settings below if using other setups!

# SENDMAIL MILTER, using amavis-milter.c helper program:

#$forward_method = undef;  # no explicit forwarding, sendmail does it by itself

# milter; option -odd is needed to avoid deadlocks

#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';

# just a thought: can we use use -Am instead of -odd ?

# SENDMAIL (old non-milter setup, as relay, deprecated):

#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';

#$notify_method = $forward_method;

# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent, deprecated):

#$forward_method = undef;  # no explicit forwarding, amavis.c will call LDA

#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';

# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):

#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';

#$notify_method = $forward_method;

# prefer to collect mail for forwarding as BSMTP files?

#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";

#$notify_method = $forward_method;

# Net::Server pre-forking settings

# The $max_servers should match the width of your MTA pipe

# feeding amavisd, e.g. with Postfix the 'Max procs' field in the

# master.cf file, like the '2' in the:  smtp-amavis unix - - n - 2 smtp

#

$max_servers  =  4;   # number of pre-forked children          (default 2)

$max_requests = 20;   # retire a child after that many accepts (default 10)

$child_timeout=5*60;  # abort child if it does not complete its processing in

                      # approximately n seconds (default: 8*60 seconds)

$smtpd_timeout = 120; # disconnect session if client is idle for too long

                      # (default: 8*60 seconds); should be higher than a

                      # Postfix setting max_idle (default 100s)

# Here is a QUICK WAY to completely DISABLE some sections of code

# that WE DO NOT WANT (it won't even be compiled-in).

# For more refined controls leave the following two lines commented out,

# and see further down what these two lookup lists really mean.

#

#@bypass_virus_checks_maps = (1);  # uncomment to DISABLE anti-virus code

#@bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code

#

# Any setting can be changed with a new assignment, so make sure

# you do not unintentionally override these settings further down!

# Check also the settings of @av_scanners at the end if you want to use

# virus scanners. If not, you may want to delete the whole long assignment

# to the variable @av_scanners and @av_scanners_backup, which will also

# remove the virus checking code (e.g. if you only want to do spam scanning).

# Lookup list of local domains (see README.lookups for syntax details)

#

# @local_domains_maps list of lookup tables are used in deciding whether a

# recipient is local or not, or in other words, if the message is outgoing

# or not. This affects inserting spam-related headers for local recipients,

# limiting recipient virus notifications (if enabled) to local recipients,

# in deciding if address extension may be appended, and in SQL lookups

# for non-fqdn addresses. Set it up correctly if you need features

# that rely on this setting (or just leave empty otherwise).

#

# With Postfix (2.0) a quick hint on what local domains normally are:

# a union of domains specified in: mydestination, virtual_alias_domains,

# virtual_mailbox_domains, and relay_domains.

@local_domains_maps = ( [".$mydomain"] );  # $mydomain and its subdomains

# @local_domains_maps = (); # default is empty list, no recip. considered local

# @local_domains_maps =  # using ACL lookup table

#   ( [ ".$mydomain", 'sub.example.net', '.example.com' ] );

# @local_domains_maps =  # similar, split list elements on whitespace

#   ( [qw( .example.com !host.sub.example.net .sub.example.net )] );

# @local_domains_maps = ( new_RE( qr'[@.]example\.com$'i ) );   # using regexp

# @local_domains_maps = ( read_hash("$MYHOME/local_domains") ); # using hash

#   perhaps combined with Postfix: mydestination = /var/amavis/local_domains

# for debugging purposes: dump_hash($local_domains_maps[0]);

#

# Section II - MTA specific (defaults should be ok)

#

#$insert_received_line = 1;       # behave like MTA: insert 'Received:' header

                   # (does not apply to sendmail/milter)

                   # (default is true)

# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)

#   (used with amavis helper clients like amavis-milter.c and amavis.c,

#   NOT needed for Postfix or Exim or dual-sendmail - keep it undefined.

$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket

#$unix_socketname = undef;        # disable listening on a unix socket

                                  # (default is undef, i.e. disabled)

                                  # (usual setting is $MYHOME/amavisd.sock)

# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)

#   (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)

$inet_socket_port = 10024;        # accept SMTP on this local TCP port

                                  # (default is undef, i.e. disabled)

# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];

# SMTP SERVER (INPUT) access control

# - do not allow free access to the amavisd SMTP port !!!

#

# when MTA is at the same host, use the following (one or the other or both):

$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface

                                  # (default is '127.0.0.1')

@inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP

                                  # (default is qw(127.0.0.1 [::1]) )

# when MTA (one or more) is on a different host, use the following:

#@inet_acl = qw(127.0.0.0/8 [::1] 10.1.0.1 10.1.0.2);  # adjust list as needed

#$inet_socket_bind = undef;       # bind to all IP interfaces if undef

#

# Example1:

# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );

# permit only SMTP access from loopback and rfc1918 private address space

#

# Example2:

# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0

#        127.0.0.1 10/8 172.16/12 192.168/16 );

# matches loopback and rfc1918 private address space except host 192.168.1.12

# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)

#

# Example3:

# @inet_acl = qw( 127/8

#        !172.16.3.0   !172.16.3.127 172.16.3.0/25

#        !172.16.3.128 !172.16.3.255 172.16.3.128/25 );

# matches loopback and both halves of the 172.16.3/24 C-class,

# split into two subnets, except all four broadcast addresses

# for these subnets

# @mynetworks is an IP access list which determines if the original SMTP client

# IP address belongs to our internal networks, i.e. mail is coming from inside.

# It is much like the Postfix parameter 'mynetworks' in semantics and similar

# in syntax, and its value should normally match the Postfix counterpart.

# It only affects the value of a macro %l (=sender-is-local),

# and the loading of policy 'MYNETS' if present (see below).

# Note that '-o smtp_send_xforward_command=yes' (or its lmtp counterpart)

# must be enabled in the Postfix service that feeds amavisd, otherwise

# client IP address is not available to amavisd-new.

#

# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10

#                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );  # default

#

# A list of networks can also be read from a file, either as an IP acl in

# CIDR notation, one address per line (comments and empty lines are allowed):

#   @mynetworks_maps = (read_array('/etc/amavisd-mynetworks'), \@mynetworks);

#

# or less flexibly (but provides faster lookups for large lists) by reading

# into a hash lookup table, which only allows for full addresses or classful

# IPv4 subnets with truncated octets, such as 127, 10, 192.168, 10.11.12.13,

# one address per line (comments and empty lines are allowed):

#   @mynetworks_maps = (read_hash('/etc/amavisd-mynetworks'), \@mynetworks);

# See README.lookups for details on specifying access control lists.

#

# Section III - Logging

#

# true (e.g. 1) => syslog;  false (e.g. 0) => logging to file

$DO_SYSLOG = 1;                   # (defaults to 0)

$syslog_ident = 'amavis';     # Syslog ident string (defaults to 'amavis')

$syslog_facility = 'mail';    # Syslog facility as a string

           # e.g.: mail, daemon, user, local0, ... local7, ...

$syslog_priority = 'debug';   # Syslog base (minimal) priority as a string,

           # choose from: emerg, alert, crit, err, warning, notice, info, debug

# Log file (if not using syslog)

$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)

#NOTE: levels are not strictly observed and are somewhat arbitrary

# 0: startup/exit/failure messages, viruses detected

# 1: args passed from client, some more interesting messages

# 2: virus scanner output, timing

# 3: server, client

# 4: decompose parts

# 5: more debug details

$log_level = 2;        # (defaults to 0)

# Customizable template for the most interesting log file entry (e.g. with

# $log_level=0) (take care to properly quote Perl special characters like '\')

# For a list of available macros see README.customize .

# $log_templ = undef;      # undef disables by-message level-0 log entries

$log_recip_templ = undef;  # undef disables by-recipient level-0 log entries

# log both infected and noninfected messages (as deflt, with size,subj,tests):

# (remove the leading '#' and a space in the following lines to activate)

# $log_templ = <<'EOD';

# [?%#D|#|Passed #

# [? [:ccat_maj] |OTHER|CLEAN|TEMPFAIL|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\

# UNCHECKED|BANNED (%F)|INFECTED (%V)]#

# #([:ccat_maj],[:ccat_min])#

# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%D|,]#

# [? %q ||, quarantine: %q]#

# [? %Q ||, Queue-ID: %Q]#

# [? %m ||, Message-ID: %m]#

# [? %r ||, Resent-Message-ID: %r]#

# , mail_id: %i#

# , Hits: %c#

# , size: %z#

# [~[:remote_mta_smtp_response]|["^$"]||[", queued_as: "]]\

# [remote_mta_smtp_response|[~%x|["queued as ([0-9A-Z]+)$"]|["%1"]|["%0"]]|/]#

# [? %j ||, Subject: "%j\"]#

# [? %#T ||, Tests: \[[%T|,]\]]#

# , %y ms#

# ]

# [?%#O|#|Blocked #

# [? [:ccat_maj] |OTHER|CLEAN|TEMPFAIL|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\

# UNCHECKED|BANNED (%F)|INFECTED (%V)]#

# #([:ccat_maj],[:ccat_min])#

# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%O|,]#

# [? %q ||, quarantine: %q]#

# [? %Q ||, Queue-ID: %Q]#

# [? %m ||, Message-ID: %m]#

# [? %r ||, Resent-Message-ID: %r]#

# , mail_id: %i#

# , Hits: %c#

# , size: %z#

# #, smtp_resp: [:smtp_response]#

# [? %j ||, Subject: "%j\"]#

# [? %#T ||, Tests: \[[%T|,]\]]#

# , %y ms#

# ]

# EOD

#

# Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine

#

# Select notifications text encoding when Unicode-aware Perl is converting

# text from internal character representation to external encoding (charset

# in MIME terminology). Used as argument to Perl Encode::encode subroutine.

#

#   to be used in RFC 2047-encoded header field bodies, e.g. in Subject:

#$hdr_encoding = 'iso-8859-1';  # MIME charset (default: 'iso-8859-1')

#$hdr_encoding_qb = 'Q';        # MIME encoding: quoted-printable (default)

#$hdr_encoding_qb = 'B';        # MIME encoding: base64

#

#   to be used in notification body text: its encoding and Content-type.charset

#$bdy_encoding = 'iso-8859-1';  # (default: 'iso-8859-1')

# Default template texts for notifications may be overruled by directly

# assigning new text to template variables, or by reading template text

# from files. A second argument may be specified in a call to read_text(),

# specifying character encoding layer to be used when reading from the

# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.

# Text will be converted to internal character representation by Perl 5.8.0

# or later; second argument is ignored otherwise. See PerlIO::encoding,

# Encode::PerlIO and perluniintro man pages.

#

# $notify_sender_templ      = read_text("$MYHOME/notify_sender.txt");

# $notify_virus_sender_templ= read_text("$MYHOME/notify_virus_sender.txt");

# $notify_virus_admin_templ = read_text("$MYHOME/notify_virus_admin.txt");

# $notify_virus_recips_templ= read_text("$MYHOME/notify_virus_recips.txt");

# $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt");

# $notify_spam_admin_templ  = read_text("$MYHOME/notify_spam_admin.txt");

# If notification template files are collectively available in some directory,

# one may call read_l10n_templates which invokes read_text for each known

# template. This is primarily a Debian-specific feature, but was incorporated

# into base code to facilitate porting.

#

#   read_l10n_templates('/etc/amavis/en_US');

#

# If read_l10n_templates is called, a localization template directory must

# contain the following files:

#   charset                       this file should contain a one-line name

#                                 of the character set used in the template

#                                 files (e.g. utf8, iso-8859-2, ...) and is

#                                 passed as the second argument to read_text;

#   template-dsn.txt              content fills the $notify_sender_templ

#   template-virus-sender.txt     content fills the $notify_virus_sender_templ

#   template-virus-admin.txt      content fills the $notify_virus_admin_templ

#   template-virus-recipient.txt  content fills the $notify_virus_recips_templ

#   template-spam-sender.txt      content fills the $notify_spam_sender_templ

#   template-spam-admin.txt       content fills the $notify_spam_admin_templ

# Here is an overall picture (sequence of events) of how pieces fit together

#

#   bypass_virus_checks set for all recipients? ==> PASS

#   no viruses?   ==> PASS

#   log virus     if $log_templ is nonempty

#   quarantine    if $virus_quarantine_to is nonempty

#   notify admin  if $virus_admin (lookup) nonempty

#   notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)

#   add address extensions for local recipients (when enabled)

#   send (non-)delivery notifications

#      to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS))

#   virus_lovers or final_destiny==D_PASS  ==> PASS

#   DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)

#

# Equivalent flow diagram applies for spam checks.

# If a virus is detected, spam checking is skipped entirely.

# The following symbolic constants can be used in *_destiny settings:

#

# D_PASS     mail will pass to recipients, regardless of bad contents;

#

# D_DISCARD  mail will not be delivered to its recipients, sender will NOT be

#            notified. Effectively we lose mail (but will be quarantined

#            unless disabled). Losing mail is not decent for a mailer,

#            but might be desired.

#

# D_BOUNCE   mail will not be delivered to its recipients, a non-delivery

#            notification (bounce) will be sent to the sender by amavisd-new;

#            Exception: bounce (DSN) will not be sent if a virus name matches

#            @viruses_that_fake_sender_maps, or to messages from mailing lists

#            (Precedence: bulk|list|junk), or for spam level that exceeds

#            the $sa_dsn_cutoff_level.

#

# D_REJECT   mail will not be delivered to its recipients, sender should

#            preferably get a reject, e.g. SMTP permanent reject response

#            (e.g. with milter), or non-delivery notification from MTA

#            (e.g. Postfix). If this is not possible (e.g. different recipients

#            have different tolerances to bad mail contents and not using LMTP)

#            amavisd-new sends a bounce by itself (same as D_BOUNCE).

#            Not to be used with Postfix or dual-MTA setups!

#

# Notes:

#   D_REJECT and D_BOUNCE are similar, the difference is in who is responsible

#            for informing the sender about non-delivery, and how informative

#            the notification can be (amavisd-new knows more than MTA);

#   With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status

#            notification, colloquially called 'bounce') - depending on MTA;

#            Best suited for sendmail milter and Courier, especially for spam.

#   With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the

#            reason for mail non-delivery or even suppress DSN, but unable

#            to reject the original SMTP session). Best suited to reporting

#            viruses, and for Postfix and other dual-MTA setups, which can't

#            reject original client SMTP session, as the mail has already

#            been enqueued.

# Alternatives to consider for spam:

# - use D_PASS if clients will do filtering based on inserted

#   mail headers or added address extensions ('plus-addressing')2;

# - use D_DISCARD, if kill_level is set comfortably high;

#

# D_BOUNCE is preferred for viruses, but consider:

# - use D_PASS (or virus_lovers) to deliver viruses;

# - use D_REJECT instead of D_BOUNCE if using Courier or milter and under heavy

#   virus storm;

# The use of new *_by_ccat hashes is illustrated by the following examples

# on configuring final_*_destiny.

# using traditional settings of $final_*_destiny variables, relying on a

# default setting of an associative array %final_destiny_by_ccat which is

# backwards compatible and contains references to these traditional variables:

#

#$final_virus_destiny      = D_DISCARD; # (defaults to D_DISCARD)

#$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)

#$final_spam_destiny       = D_BOUNCE;  # (defaults to D_BOUNCE)

#$final_bad_header_destiny = D_PASS;    # (defaults to D_PASS)

########

#

# Please think about what you are doing when you set these options.

# If necessary, question your organization's e-mail policies:

#

# D_BOUNCE contributes to the overall spread of virii and spam on the

# internet. Both the envelope and header from addresses can be forged

# accurately with no effort, causing the bounces to go to innocent parties,

# whose addresses have been forged.

# 

# D_DISCARD breaks internet mail specifications. However, with a

# properly implemented Quarantine system, the concern for breaking the

# specification is addressed to some extent.

#

# D_PASS is the safest way to handle e-mails. You must implement

# client-side filtering to handle this method.

#

# -Cory Visi <merlin@gentoo.org> 07/28/04

#

#######

# to explicitly list all (or most) possible contents category (ccat) keys:

%final_destiny_by_ccat = (

  CC_VIRUS,      D_DISCARD,

  CC_BANNED,     D_BOUNCE,

  CC_UNCHECKED,  D_PASS,

  CC_SPAM,       D_DISCARD,

  CC_BADH,       D_PASS,

  CC_OVERSIZED,  D_BOUNCE,

  CC_CLEAN,      D_PASS,

  CC_CATCHALL,   D_PASS,

);

# to rely on a catchall ccat key and only list exceptions (alternative 1):

#%final_destiny_by_ccat = (

#  CC_VIRUS,      D_DISCARD,

#  CC_BANNED,     D_BOUNCE,

#  CC_SPAM,       D_BOUNCE,

#  CC_BADH.',4',  D_BOUNCE, # BadHdrSpace

#  CC_BADH.',3',  D_BOUNCE, # BadHdrChar

#  CC_OVERSIZED,  D_BOUNCE,

#  CC_CATCHALL,   D_PASS,

#);

# to rely on a catchall ccat key and list exceptions (alternative 2):

#%final_destiny_by_ccat = (

#  CC_VIRUS,      D_DISCARD,

#  CC_UNCHECKED,  D_PASS,

#  CC_BADH.',6',  D_PASS,   # BadHdrSyntax

#  CC_BADH.',5',  D_PASS,   # BadHdrLong

#  CC_BADH.',2',  D_PASS,   # BadHdr8bit

#  CC_BADH.',1',  D_PASS,   # BadHdrMime

#  CC_CLEAN,      D_PASS,

#  CC_CATCHALL,   D_BOUNCE,

#);

# to rely on a catchall ccat key and list exceptions (alternative 3):

#%final_destiny_by_ccat = (

#  CC_VIRUS,      D_DISCARD,

#  CC_UNCHECKED,  D_PASS,

#  CC_BADH.',4',  D_BOUNCE, # BadHdrSpace

#  CC_BADH.',3',  D_BOUNCE, # BadHdrChar

#  CC_BADH,       D_PASS,   # sub-catchall for CC_BADH

#  CC_CLEAN,      D_PASS,

#  CC_CATCHALL,   D_BOUNCE,

#);

# to rely on a default %final_destiny_by_ccat and only change few settings:

#$final_destiny_by_ccat{CC_SPAM} = D_PASS;

#$final_destiny_by_ccat{CC_BADH} = D_BOUNCE;

#$final_destiny_by_ccat{CC_BADH.',2'} = D_PASS;  # BadHdr8bit

# For monitoring / testing purposes let the administrator receive a copy

# of certain delivery status notifications that are mailed back to senders:

#

#%dsn_bcc_by_ccat = (

# CC_BANNED,    undef,

# CC_SPAM,      undef,

# CC_BADH,      undef,

# CC_CATCHALL,  'admin+test@example.com',

#);

#

# or use a simpler form, taking advantage of defaults in %dsn_bcc_by_ccat:

#$dsn_bcc = 'admin+test@example.com';

# The following $warn*sender settings are ONLY used when mail is

# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).

# Bounces or rejects produce non-delivery status notification regardless.

#

# Notify sender of banned files?

#$warnbannedsender = 1;   # (defaults to false (undef))

#

# Notify sender of syntactically invalid header containing non-ASCII chars?

#$warnbadhsender = 1;   # (defaults to false (undef))

# Notify virus (or banned files or bad headers) RECIPIENT?

#  (not very useful, but some policies demand it)

#$warnvirusrecip = 1;   # (defaults to false (undef))

#$warnbannedrecip = 1;   # (defaults to false (undef))

#$warnbadhrecip = 1;   # (defaults to false (undef))

# Notify also non-local virus/banned recipients if $warn*recip is true?

#  (including those not matching local_domains*)

#$warn_offsite = 1;   # (defaults to false (undef), i.e. only notify locals)

# Treat envelope sender address as unreliable and don't send sender

# notification / bounces if name(s) of detected virus(es) match the list.

# Note that virus names are supplied by external virus scanner(s) and are

# not standardized, so virus names may need to be adjusted.

# See README.lookups for syntax, check also README.policy-on-notifications.

# If the intention is to treat all viruses as faking the sender address, it

# is equivalent but more efficient to just set $final_virus_destiny=D_DISCARD;

#

@viruses_that_fake_sender_maps = (new_RE(

  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,

  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,

  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,

  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,

  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan

  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc

# [qr'^(EICAR|Joke\.|Junk\.)'i         => 0],

# [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i  => 0],

  [qr/^/ => 1],   # true by default  (remove or comment-out if undesired)

));

# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)

# - the administrator envelope address may be a simple fixed e-mail address

#   (a scalar), or may depend on the RECIPIENT address (e.g. its domain).

#

#   Empty or undef lookup disables virus admin notifications.

# The full set of configurable administrator addresses is:

#   @virus_admin_maps    ... notifications to admin about viruses

#   @newvirus_admin_maps ... newly encountered viruses since amavisd startup

#   @spam_admin_maps     ... notifications to admin about spam

#   @banned_admin_maps   ... notifications to admin about banned contents

#   @bad_header_admin_maps ... notifications to admin about bad headers

$virus_admin = "virusalert\@$mydomain";

# $virus_admin = 'virus-admin@example.com';

# $virus_admin = undef;   # do not send virus admin notifications (default)

#

#@virus_admin_maps = (    # by-recipient maps

#  {'not.example.com' => '',

#   '.' => 'virusalert@example.com'},

#  $virus_admin,   # the usual default

#);

# equivalent to $virus_admin, but for spam admin notifications:

# $spam_admin = "spamalert\@$mydomain";

# $spam_admin = undef;    # do not send spam admin notifications (default)

#@spam_admin_maps = (     # by-recipient maps

#  {'not.example.com' => '',

#   '.' => 'spamalert@example.com'},

#  $spam_admin,   # the usual default

#);

# receive a copy of all delivery status notifications sent;

# useful for testing or monitoring

#$dsn_bcc = "mailadmin\@$mydomain";

#advanced example, using a hash lookup table and a scalar default,

#lookup key is a recipient envelope address:

#@virus_admin_maps = (    # by-recipient maps

#  { 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com',

#    '.sub1.example.com'  => 'virusalert@sub1.example.com',

#    '.sub2.example.com'  => '',               # don't send admin notifications

#    'a.sub3.example.com' => 'abuse@sub3.example.com',

#    '.sub3.example.com'  => 'virusalert@sub3.example.com',

#    '.example.com'       => 'noc@example.com', # default for our virus senders

#  },

#  'virusalert@hq.example.com',  # catchall for the rest

#);

# sender envelope address, from which notification reports are sent from;

# may be a null reverse path, or a fully qualified address:

#   (admin and recip sender addresses default to a null return path).

#   If using strings in double quotes, don't forget to quote @, i.e. \@

#

$mailfrom_notify_admin     = "virusalert\@$mydomain";

$mailfrom_notify_recip     = "virusalert\@$mydomain";

$mailfrom_notify_spamadmin = "spam.police\@$mydomain";

# 'From' HEADER FIELD for sender and admin notifications.

# This should be a replyable address, see rfc1894. Not to be confused

# with $mailfrom_notify_sender, which is the envelope return address

# and can be empty (null reverse path) according to rfc2821.

#

# The syntax of the 'From' header field is specified in rfc2822, section

# '3.4. Address Specification'. Note in particular that display-name must be

# a quoted-string if it contains any special characters like spaces and dots.

#

# $hdrfrom_notify_sender = "amavisd-new <postmaster\@$mydomain>";

# $hdrfrom_notify_sender = 'amavisd-new <postmaster@example.com>';

# $hdrfrom_notify_sender = '"Content-Filter Master" <postmaster@example.com>';

# $hdrfrom_notify_admin = $mailfrom_notify_admin;

# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;

#   (default: "\"Content-filter at $myhostname\" <postmaster\@$myhostname>")

# whom quarantined messages appear to be sent from (envelope sender);

# keeps original sender if undef, or set it explicitly, default is undef

$mailfrom_to_quarantine = '';   # override sender address with null return path

# Location to put infected mail into: (applies to 'local:' quarantine method)

#   empty for not quarantining, may be a file (Unix-style mailbox),

#   or a directory (no trailing slash)

#   (the default value is undef, meaning no quarantine)

#

$QUARANTINEDIR = "$MYHOME/quarantine";

#$quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine

#$clean_quarantine_method          = 'local:clean-%m';  # disabled by default

#$virus_quarantine_method          = 'local:virus-%m';     # default

#$spam_quarantine_method           = 'local:spam-%m.gz';   # default

#$banned_files_quarantine_method   = 'local:banned-%m';    # default

#$bad_header_quarantine_method     = 'local:badh-%m';      # default

# Separate quarantine subdirectories virus, spam, banned and badh within

# the directory $QUARANTINEDIR may be specified by the following settings

# (the subdirectories need to exist - must be created manually):

#$clean_quarantine_method          = 'local:clean/%m';

#$virus_quarantine_method          = 'local:virus/%m';

#$spam_quarantine_method           = 'local:spam/%m.gz';

#$banned_files_quarantine_method   = 'local:banned/%m';

#$bad_header_quarantine_method     = 'local:badh/%m';

#

#use the 'bsmtp:' method as an alternative to the default 'local:'

#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%m.bsmtp";

#$spam_quarantine_method  = "bsmtp:$QUARANTINEDIR/spam-%m.bsmtp";

#

#using the 'pipe:' method might be useful for some special purpose:

#$mailfrom_to_quarantine = undef;  # pass on the original sender address

#$spam_quarantine_method = 'pipe:argv=/usr/bin/myscript.sh spam-%b ${sender}';

#

#using the 'sql:' method to store quarantined message to a SQL database:

#$virus_quarantine_method = $spam_quarantine_method =

#  $banned_files_quarantine_method = $bad_header_quarantine_method = 'sql:';

# When using the 'local:' quarantine method (default), the following applies:

#

# A finer control of quarantining is available through

# variables $virus_quarantine_method/$spam_quarantine_method/

# $banned_files_quarantine_method/$bad_header_quarantine_method.

#

# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a

# per-recipient lookup result from lookup tables @virus_quarantine_to_maps)

# is/are interpreted as follows:

#

# VARIANT 1:

#   empty or undef disables quarantine;

#

# VARIANT 2:

#   a string NOT containing an '@';

# amavisd will behave as a local delivery agent (LDA) and will quarantine

# viruses to local files according to hash %local_delivery_aliases (pseudo

# aliases map) - see subroutine mail_to_local_mailbox() for details.

# Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'.

# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:

#

# * if $QUARANTINEDIR is a directory, each quarantined virus will go

#   to a separate file in the $QUARANTINEDIR directory (traditional

#   amavis style, similar to maildir mailbox format);

#

# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style

#   mailbox. All quarantined messages will be appended to this file.

#   Amavisd child process must obtain an exclusive lock on the file during

#   delivery, so this may be less efficient than using individual files

#   or forwarding to MTA, and it may not work across NFS or other non-local

#   file systems (but may be handy for pickup of quarantined files via IMAP

#   for example);

#

# VARIANT 3:

#   any email address (must contain '@').

# The e-mail messages to be quarantined will be handed to MTA

# for delivery to the specified address. If a recipient address local to MTA

# is desired, you may leave the domain part empty, e.g. 'infected@', but the

# '@' character must nevertheless be included to distinguish it from variant 2.

#

# This variant enables more refined delivery control made available by MTA

# (e.g. its aliases file, other local delivery agents, dealing with

# privileges and file locking when delivering to user's mailbox, nonlocal

# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined

# will not be handed back to amavisd for checking, as this will cause a loop

# (hopefully broken at some stage)! If this can be assured, notifications

# will benefit too from not being unnecessarily virus-scanned.

#

# By default this is safe to do with Postfix and Exim v4 and dual-sendmail

# setup, but probably not safe with sendmail milter interface without tricks.

# (default values are: virus-quarantine, banned-quarantine, spam-quarantine)

####$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine

#$virus_quarantine_to = 'infected@';           # forward to MTA for delivery

#$virus_quarantine_to = "virus-quarantine\@$mydomain";   # similar

$virus_quarantine_to = "wirusy\@$mydomain";   # similar

#$virus_quarantine_to = 'virus-quarantine@example.com';  # similar

#$virus_quarantine_to = undef;                 # no quarantine

#

# lookup key is envelope recipient address:

#@virus_quarantine_to_maps = (   # per-recip multiple quarantines

#  new_RE( [qr'^user@example\.com$'i => 'infected@'],

#          [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],

#          [qr'^(.*)(@[^@])?$'i      => 'virus-${1}${2}'] ),

#  $virus_quarantine_to,  # the usual default

#);

# similar for banned names and bad headers and spam (set to undef to disable)

#####$banned_quarantine_to     = 'banned-quarantine';     # local quarantine

$banned_quarantine_to     = "blokowane\@$mydomain";     # local quarantine

#####$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine

$bad_header_quarantine_to = "badh\@$mydomain"; # local quarantine

#$spam_quarantine_to       = 'spam-quarantine';       # local quarantine

####$spam_quarantine_to       = "spamtrap\@$myhostname";       # local quarantine

$spam_quarantine_to       = "spamtrap\@$mydomain";       # local quarantine

# or to a mailbox:

#$spam_quarantine_to = "spam-quarantine\@$mydomain";

#

#@spam_quarantine_to_maps = (    # per-recip multiple quarantines

#  new_RE( [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'] ),

#  $spam_quarantine_to,  # the usual default

#);

# In addition to per-recip quarantine, a by-sender lookup is possible.

# It is similar to $spam_quarantine_to, but the lookup key is the

# envelope sender address:

#$spam_quarantine_bysender_to = undef;   # dflt: no by-sender spam quarantine

# Spam level beyond which quarantining is disabled (global value):

#$sa_quarantine_cutoff_level = 20;  # dflt: undef, which disables this feature

#@spam_quarantine_cutoff_level_maps = (  # per-recip. quarantine cutoff levels

#  { 'user1@example.com' => 20.5,

#    'postmaster@example.com' => 9999,

#    '.example.com' => 25 },

#  \$sa_quarantine_cutoff_level,   # catchall default

#);

# Add X-Virus-Scanned header field to mail?

$X_HEADER_TAG = 'X-Virus-Scanned';   # (default: 'X-Virus-Scanned')

# Set to empty to add no header field   # (dflt "$myproduct_name at $mydomain")

# $X_HEADER_LINE = "$myproduct_name at $mydomain";

# $X_HEADER_LINE = "by $myproduct_name using ClamAV at $mydomain";

# $X_HEADER_LINE = "$myproduct_name $myversion_id ($myversion_date) at $mydomain";

# a string to prepend to Subject (for local recipients only) if mail could

# not be decoded or checked entirely, e.g. due to password-protected archives

$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it

# MIME defanging wraps the entire original mail in a MIME container of type

# 'Content-type: multipart/mixed', where the first part is a text/plain with

# a short explanation, and the second part is a complete original mail,

# enclosed in a 'Content-type: message/rfc822' MIME part.

# Defanging is only done when enabled (selectively by malware type),

# and mail is considered malware (virus/spam/...), and the malware is allowed

# to pass (*_lovers or *_destiny=D_PASS)

#

$defang_virus  = 1;  # default is false: don't modify mail body

$defang_banned = 1;  # default is false: don't modify mail body

# $defang_bad_header     = 1;  # default is false: don't modify mail body

# $defang_undecipherable = 1;  # default is false: don't modify mail body

# $defang_spam = 1;  # default is false: don't modify mail body

$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone

#$remove_existing_x_scanned_headers= 1; # remove existing headers

               # (defaults to false)

#$remove_existing_spam_headers = 0;     # leave existing X-Spam* headers alone

$remove_existing_spam_headers  = 1;     # remove existing spam headers if

               # spam scanning is enabled (default)

# set $bypass_decode_parts to true if you only do spam scanning, or if you

# have a good virus scanner that can deal with compression and recursively

# unpacking archives by itself, and save amavisd the trouble.

# Disabling decoding also causes banned_files checking to only see

# MIME names and MIME content types, not the content classification types

# as provided by the file(1) utility.

# It is a double-edged sword, make sure you know what you are doing!

#

#$bypass_decode_parts = 1;      # (defaults to false)

# don't trust this file type or corresponding unpacker for this file type,

# keep both the original and the unpacked file for a virus checker to see

# (lookup key is what file(1) utility returned):

#

@keep_decoded_original_maps = (new_RE(

# qr'^MAIL$',   # retain full original message for virus checking (can be slow)

  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables

  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,

# qr'^Zip archive data',      # don't trust Archive::Zip

));

# Checking for banned MIME types and names. If any mail part matches,

# the whole mail is rejected. Object $banned_filename_re provides a list

# of Perl regular expressions to be matched against each part's:

#

#  * Content-Type value (both declared and effective mime-type),

#    such as the possible security-risk content types

#    'message/partial' and 'message/external-body', as specified in rfc2046

#    or 'application/x-msdownload' and 'application/x-msdos-program';

#

#  * declared (recommended) file names as specified by MIME subfields

#    Content-Disposition.filename and Content-Type.name, both in their

#    raw (encoded) form and in rfc2047-decoded form if applicable

#    as well as (recommended) file names specified in archives;

#

#  * file content type as guessed by 'file(1)' utility, mapped

#    (by @map_full_type_to_short_type_maps) into short type names such as

#    .asc, .txt, .html, .doc, .jpg, .pdf, .zip, .exe-ms, ..., which always

#    starts with a dot. These short types are available unless

#    $bypass_decode_parts is true.

#

# All nodes (mail parts) of the fully recursively decoded mail and embedded

# archives are checked, each node independently from remaining nodes.

#

# For each node all its ancestor nodes including itself are checked against

# $banned_filename_re lookup list, top-down. The search for a node stops

# at the first match, the right-hand side of the matching key determines

# the result (true or false, absent right-hand side implies true, as explained

# in README.lookups).

#

# Although repeatedly re-checking ancestor nodes may seem excessive, it gives

# the opportunity to specify rules which make a particular node hide its

# descendents, e.g. allow any name or file type within a .zip, even though

# .exe files may otherwise not be allowed.

#

# Leave $banned_filename_re undefined to disable these checks

# (giving an empty list to new_RE() will also always return false)

$banned_filename_re = new_RE(

# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name

  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i,  # Class ID extensions - CLSID

  qr'^application/x-msdownload$'i,                  # block these MIME types

  qr'^application/x-msdos-program$'i,

  qr'^application/hta$'i,

# qr'^(application/x-msmetafile|image/x-wmf)$'i,    # Windows Metafile MIME

# qr'^\.wmf$',                            # Windows Metafile file(1) type

# qr'^message/partial$'i,                           # rfc2046 MIME type

# qr'^message/external-body$'i,                     # rfc2046 MIME type

#    (btw, note that allowing 'message/external-body' is probably no worse

#    than allowing mail with HTML and/or allowing a user to browse the web)

# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed

  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|

#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|

#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|

#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types

# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types

);

# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631

# and http://www.cknow.com/vtutor/vtextensions.htm

# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe',

# as well as any file name which happens to end with .exe. If only matching

# a file name is desired, but not the short type, a pattern qr'.\.exe$'i

# or similar may be used, which requires that at least one character precedes

# the '.exe', and so it will never match short file types which always start

# with a dot.

# the syntax of these Perl regular expressions is a bit awkward if not

# familiar with them, so please do follow examples and stick to the idioms:

#   \A        ... at the beginning of the first component

#   \z        ... at the end of the last (leaf) component

#   ^         ... at the beginning of each component in the path

#   $         ... at the end of each component in the path

#   (.*\t)?   ... at the beginning of a field

#   (\t.*)?   ... at the end of a field

#   \t(.*\t)* ... separating fields

#   [^\t\n]   ... any single character, but don't escape from this field

#   (.*\n)+   ... one or more levels down

#   (?#...)   ... a comment within a regexp

# new-style of banned lookup table

$banned_namepath_re = new_RE(

  # block these MIME types

  qr'(?#NO X-MSDOWNLOAD)   ^(.*\t)? M=application/x-msdownload   (\t.*)? $'xmi,

  qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,

  qr'(?#NO HTA)            ^(.*\t)? M=application/hta            (\t.*)? $'xmi,

# # block rfc2046 MIME types

# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/partial       (\t.*)? $'xmi,

# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/external-body (\t.*)? $'xmi,

# qr'(?#No Metafile MIME) ^(.*\t)? M=application/x-msmetafile (\t.*)? $'xmi,

# qr'(?#No Metafile MIME) ^(.*\t)? M=image/x-wmf              (\t.*)? $'xmi,

# qr'(?#No Metafile file) ^(.*\t)? T=wmf                      (\t.*)? $'xm,

# # within traditional Unix compressions allow any name and type

# [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2)     (\t.*)? $'xmi => 0 ],  # allow

  # within traditional Unix archives allow any name and type

  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow

# # block anything within a zip

# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi,

  # block certain double extensions in filenames

  qr'(?# BLOCK DOUBLE-EXTENSIONS )

     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.

                  (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,

```

----------

## bunder

ok, those look good.  can you restart amavisd, then clamd, and give us the last 100 or so lines from /var/log/mail.info and the last 25 or so from /var/log/clamav/clamd.log ?  also, what are the permissions on /var/log/clamav/ /var/amavis /var/lib/clamav ?

thanks

----------

## mkiler

restart amavisd, next clamd.

log from /var/log/messages - I don't have /var/log/mail.info 

```
papa ~ # tail -200 /var/log/messages

May 22 21:52:24 papa postfix/qmgr[7086]: 5FD53508326: removed

May 22 21:52:24 papa postfix/qmgr[7086]: 0AB15508329: from=<Christy@knology.net>, size=808, nrcpt=1 (queue active)

May 22 21:52:24 papa amavis[21782]: (21782-14) ESMTP::10024 /var/amavis/tmp/amavis-20080522T203830-21782: <Christy@knology.net> -> <mailer-daemon@example.pl> SIZE=808 Received: from papa.example.pl ([127.0.0.1]) by localhost (papa.example.pl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <mailer-daemon@example.pl>; Thu, 22 May 2008 21:52:24 +0200 (CEST)

May 22 21:52:24 papa amavis[21782]: (21782-14) Checking: 9U3GzMqc2wcH <Christy@knology.net> -> <mailer-daemon@example.pl>

May 22 21:52:24 papa amavis[21782]: (21782-14) p001 1 Content-Type: text/plain, size: 167 B, name:

May 22 21:52:24 papa amavis[21782]: (21782-14) ClamAV-clamd: Can't send to socket /var/amavis/clamd: Transport endpoint is not connected, retrying (1)

May 22 21:52:24 papa postfix/smtpd[23568]: disconnect from unknown[190.40.109.64]

May 22 21:52:25 papa amavis[21782]: (21782-14) (!) ClamAV-clamd: Can't connect to UNIX socket /var/amavis/clamd: Connection refused, retrying (2)

May 22 21:52:31 papa amavis[21782]: (21782-14) (!!) ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/amavis/clamd (Can't connect to UNIX socket /var/amavis/clamd: Connection refused) at (eval 66) line 268.

May 22 21:52:31 papa amavis[21782]: (21782-14) (!!) WARN: all primary virus scanners failed, considering backups

May 22 21:52:36 papa postfix/smtpd[23584]: connect from localhost[127.0.0.1]

May 22 21:52:36 papa postfix/smtpd[23584]: 43DBA508326: client=localhost[127.0.0.1]

May 22 21:52:36 papa postfix/cleanup[23571]: 43DBA508326: message-id=<5913F61E.B1D6289F@knology.net>

May 22 21:52:36 papa postfix/qmgr[7086]: 43DBA508326: from=<>, size=1682, nrcpt=1 (queue active)

May 22 21:52:36 papa amavis[21782]: (21782-14) SEND via SMTP: <> -> <spamtrap@example.pl>, ENVID=AM.9U3GzMqc2wcH.20080522T195236Z@papa.example.pl 250 2.6.0 Ok, id=21782-14, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 43DBA508326

May 22 21:52:36 papa amavis[21782]: (21782-14) SPAM, <Christy@knology.net> -> <mailer-daemon@example.pl>, Yes, score=13.722 tag=-100 tag2=6.3 kill=6.3 tests=[BAYES_99=3.5, DATE_IN_PAST_03_06=0.044, FB_GET_MEDS=0.803, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_NONE=0.1], autolearn=spam, quarantine 9U3GzMqc2wcH (spamtrap@example.pl)

May 22 21:52:36 papa amavis[21782]: (21782-14) Blocked SPAM, [190.40.109.64] <Christy@knology.net> -> <mailer-daemon@example.pl>, quarantine: spamtrap@example.pl, Message-ID: <5913F61E.B1D6289F@knology.net>, mail_id: 9U3GzMqc2wcH, Hits: 13.722, 12269 ms

May 22 21:52:36 papa amavis[21782]: (21782-14) TIMING [total 12272 ms] - SMTP EHLO: 2 (0%)0, SMTP pre-MAIL: 0 (0%)0, SMTP pre-DATA-flush: 2 (0%)0, SMTP DATA: 40 (0%)0, body_digest: 1 (0%)0, gen_mail_id: 0 (0%)0, mime_decode: 6 (0%)0, get-file-type1: 12 (0%)1, decompose_part: 1 (0%)1, parts_decode: 0 (0%)1, AV-scan-1: 7011 (57%)58, AV-scan-2: 3227 (26%)84, spam-wb-list: 2 (0%)84, SA msg read: 0 (0%)84, SA parse: 2 (0%)84, SA check: 1887 (15%)99, SA finish: 3 (0%)99, update_cache: 2 (0%)99, decide_mail_destiny: 1 (0%)99, fwd-connect: 14 (0%)100, fwd-mail-from: 1 (0%)100, fwd-rcpt-to: 1 (0%)100, fwd-data-cmd: 0 (0%)100, write-header: 1 (0%)100, fwd-data-contents: 0 (0%)100, fwd-data-end: 44 (0%)100, fwd-rundown: 1 (0%)100, prepare-dsn: 1 (0%)100, main_log_entry: 6 (0%)100, update_snmp: 2 (0%)100, unlink-1-files: 1 (0%)100, rundown: 0 (0%)100

May 22 21:52:36 papa postfix/smtp[23580]: 0AB15508329: to=<mailer-daemon@example.pl>, relay=127.0.0.1[127.0.0.1]:10024, delay=12, delays=0.02/0.01/0/12, dsn=2.7.1, status=sent (250 2.7.1 Ok, discarded, id=21782-14 - SPAM)

May 22 21:52:36 papa postfix/qmgr[7086]: 0AB15508329: removed

May 22 21:52:36 papa amavis[21782]: (21782-14) extra modules loaded: Mail/SpamAssassin/Locales.pm, Mail/SpamAssassin/Plugin/Bayes.pm, Mail/SpamAssassin/Plugin/BodyEval.pm, Mail/SpamAssassin/Plugin/Check.pm, Mail/SpamAssassin/Plugin/DNSEval.pm, Mail/SpamAssassin/Plugin/HTMLEval.pm, Mail/SpamAssassin/Plugin/HTTPSMismatch.pm, Mail/SpamAssassin/Plugin/HeaderEval.pm, Mail/SpamAssassin/Plugin/ImageInfo.pm, Mail/SpamAssassin/Plugin/MIMEEval.pm, Mail/SpamAssassin/Plugin/RelayEval.pm, Mail/SpamAssassin/Plugin/URIDetail.pm, Mail/SpamAssassin/Plugin/URIEval.pm, Mail/SpamAssassin/Plugin/VBounce.pm, Mail/SpamAssassin/Plugin/WLBLEval.pm, unicore/lib/gc_sc/Digit.pl, unicore/lib/gc_sc/SpacePer.pl, unicore/lib/gc_sc/Word.pl

May 22 21:52:36 papa postfix/smtpd[23584]: disconnect from localhost[127.0.0.1]

May 22 21:52:36 papa postfix/local[23585]: 43DBA508326: to=<spamtrap@example.pl>, relay=local, delay=0.07, delays=0.05/0.02/0/0.01, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)

May 22 21:52:36 papa postfix/qmgr[7086]: 43DBA508326: removed

May 22 21:52:41 papa postfix/smtpd[23568]: connect from pc-208-92-104-200.cm.vtr.net[200.104.92.208]

May 22 21:52:42 papa postfix/smtpd[23568]: 29CF3508326: client=pc-208-92-104-200.cm.vtr.net[200.104.92.208]

May 22 21:52:42 papa postfix/cleanup[23571]: 29CF3508326: message-id=<000701c8bc50$05d2df55$1075cc9e@gigorac>

May 22 21:52:42 papa postfix/qmgr[7086]: 29CF3508326: from=<rastus5@my-deja.com>, size=1595, nrcpt=1 (queue active)

May 22 21:52:42 papa postfix/pickup[23515]: BB305508329: uid=1150 from=<rastus5@my-deja.com>

May 22 21:52:42 papa postfix/cleanup[23571]: BB305508329: message-id=<000701c8bc50$05d2df55$1075cc9e@gigorac>

May 22 21:52:42 papa postfix/pipe[23572]: 29CF3508326: to=<d.blaszczak@example.pl>, relay=dfilt, delay=0.6, delays=0.58/0/0/0.02, dsn=2.0.0, status=sent (delivered via dfilt service)

May 22 21:52:42 papa postfix/qmgr[7086]: 29CF3508326: removed

May 22 21:52:42 papa postfix/qmgr[7086]: BB305508329: from=<rastus5@my-deja.com>, size=1706, nrcpt=1 (queue active)

May 22 21:52:42 papa amavis[23197]: (23197-10) ESMTP::10024 /var/amavis/tmp/amavis-20080522T212502-23197: <rastus5@my-deja.com> -> <d.blaszczak@example.pl> SIZE=1706 Received: from papa.example.pl ([127.0.0.1]) by localhost (papa.example.pl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <d.blaszczak@example.pl>; Thu, 22 May 2008 21:52:42 +0200 (CEST)

May 22 21:52:42 papa amavis[23197]: (23197-10) Checking: ELRA5YKchk2X <rastus5@my-deja.com> -> <d.blaszczak@example.pl>

May 22 21:52:42 papa amavis[23197]: (23197-10) p003 1 Content-Type: multipart/alternative

May 22 21:52:42 papa amavis[23197]: (23197-10) p001 1/1 Content-Type: text/plain, size: 91 B, name:

May 22 21:52:42 papa amavis[23197]: (23197-10) p002 1/2 Content-Type: text/html, size: 404 B, name:

May 22 21:52:42 papa amavis[23197]: (23197-10) ClamAV-clamd: Can't send to socket /var/amavis/clamd: Transport endpoint is not connected, retrying (1)

May 22 21:52:43 papa postfix/smtpd[23568]: disconnect from pc-208-92-104-200.cm.vtr.net[200.104.92.208]

May 22 21:52:43 papa amavis[23197]: (23197-10) (!) ClamAV-clamd: Can't connect to UNIX socket /var/amavis/clamd: Connection refused, retrying (2)

May 22 21:52:49 papa amavis[23197]: (23197-10) (!!) ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/amavis/clamd (Can't connect to UNIX socket /var/amavis/clamd: Connection refused) at (eval 66) line 268.

May 22 21:52:49 papa amavis[23197]: (23197-10) (!!) WARN: all primary virus scanners failed, considering backups

May 22 21:52:55 papa postfix/smtpd[23584]: connect from localhost[127.0.0.1]

May 22 21:52:55 papa postfix/smtpd[23584]: DB924508326: client=localhost[127.0.0.1]

May 22 21:52:55 papa postfix/cleanup[23571]: DB924508326: message-id=<000701c8bc50$05d2df55$1075cc9e@gigorac>

May 22 21:52:55 papa postfix/qmgr[7086]: DB924508326: from=<>, size=2579, nrcpt=1 (queue active)

May 22 21:52:55 papa amavis[23197]: (23197-10) SEND via SMTP: <> -> <spamtrap@example.pl>, ENVID=AM.ELRA5YKchk2X.20080522T195255Z@papa.example.pl 250 2.6.0 Ok, id=23197-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as DB924508326

May 22 21:52:55 papa amavis[23197]: (23197-10) SPAM, <rastus5@my-deja.com> -> <d.blaszczak@example.pl>, Yes, score=14.785 tag=-100 tag2=6.3 kill=6.3 tests=[BAYES_99=3.5, DNS_FROM_RFC_BOGUSMX=1.482, FH_HELO_EQ_D_D_D_D=0.001, HELO_DYNAMIC_IPADDR=2.426, HTML_MESSAGE=0.001, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1], autolearn=spam, quarantine ELRA5YKchk2X (spamtrap@example.pl)

May 22 21:52:55 papa amavis[23197]: (23197-10) Blocked SPAM, [200.104.92.208] <rastus5@my-deja.com> -> <d.blaszczak@example.pl>, quarantine: spamtrap@example.pl, Message-ID: <000701c8bc50$05d2df55$1075cc9e@gigorac>, mail_id: ELRA5YKchk2X, Hits: 14.785, 13173 ms

May 22 21:52:55 papa postfix/smtpd[23584]: disconnect from localhost[127.0.0.1]

May 22 21:52:55 papa amavis[23197]: (23197-10) TIMING [total 13177 ms] - SMTP EHLO: 2 (0%)0, SMTP pre-MAIL: 0 (0%)0, SMTP pre-DATA-flush: 2 (0%)0, SMTP DATA: 38 (0%)0, body_digest: 1 (0%)0, gen_mail_id: 0 (0%)0, mime_decode: 12 (0%)0, get-file-type2: 13 (0%)1, decompose_part: 0 (0%)1, parts_decode: 0 (0%)1, AV-scan-1: 7017 (53%)54, AV-scan-2: 3223 (24%)78, spam-wb-list: 2 (0%)78, SA msg read: 1 (0%)78, SA parse: 3 (0%)78, SA check: 2794 (21%)99, SA finish: 3 (0%)99, update_cache: 1 (0%)100, decide_mail_destiny: 1 (0%)100, fwd-connect: 6 (0%)100, fwd-mail-from: 1 (0%)100, fwd-rcpt-to: 1 (0%)100, fwd-data-cmd: 0 (0%)100, write-header: 1 (0%)100, fwd-data-contents: 1 (0%)100, fwd-data-end: 44 (0%)100, fwd-rundown: 1 (0%)100, prepare-dsn: 1 (0%)100, main_log_entry: 6 (0%)100, update_snmp: 2 (0%)100, unlink-2-files: 1 (0%)100, rundown: 0 (0%)100

May 22 21:52:55 papa postfix/smtp[23580]: BB305508329: to=<d.blaszczak@example.pl>, relay=127.0.0.1[127.0.0.1]:10024, delay=13, delays=0.02/0/0/13, dsn=2.7.1, status=sent (250 2.7.1 Ok, discarded, id=23197-10 - SPAM)

May 22 21:52:55 papa postfix/qmgr[7086]: BB305508329: removed

May 22 21:52:55 papa amavis[23197]: (23197-10) extra modules loaded: Mail/SpamAssassin/Locales.pm, Mail/SpamAssassin/Plugin/Bayes.pm, Mail/SpamAssassin/Plugin/BodyEval.pm, Mail/SpamAssassin/Plugin/Check.pm, Mail/SpamAssassin/Plugin/DNSEval.pm, Mail/SpamAssassin/Plugin/HTMLEval.pm, Mail/SpamAssassin/Plugin/HTTPSMismatch.pm, Mail/SpamAssassin/Plugin/HeaderEval.pm, Mail/SpamAssassin/Plugin/ImageInfo.pm, Mail/SpamAssassin/Plugin/MIMEEval.pm, Mail/SpamAssassin/Plugin/RelayEval.pm, Mail/SpamAssassin/Plugin/URIDetail.pm, Mail/SpamAssassin/Plugin/URIEval.pm, Mail/SpamAssassin/Plugin/VBounce.pm, Mail/SpamAssassin/Plugin/WLBLEval.pm

May 22 21:52:55 papa postfix/local[23585]: DB924508326: to=<spamtrap@example.pl>, relay=local, delay=0.08, delays=0.05/0.01/0/0.03, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)

May 22 21:52:55 papa postfix/qmgr[7086]: DB924508326: removed

May 22 21:53:18 papa postfix/anvil[23307]: statistics: max connection rate 1/60s for (smtp:190.42.98.44) at May 22 21:44:01

May 22 21:53:18 papa postfix/anvil[23307]: statistics: max connection count 1 for (smtp:190.42.98.44) at May 22 21:44:01

May 22 21:53:18 papa postfix/anvil[23307]: statistics: max cache size 3 at May 22 21:47:19

May 22 21:53:30 papa amavis[19319]: Net::Server: 2008/05/22-21:53:30 Server closing!

May 22 21:53:33 papa amavis[23657]: starting.  /usr/sbin/amavisd at papa.example.pl amavisd-new-2.4.1 (20060508), Unicode aware

May 22 21:53:33 papa amavis[23657]: user=, EUID: 0 (0);  group=, EGID: 0 27 26 20 11 10 6 4 3 2 1 0 (0 27 26 20 11 10 6 4 3 2 1 0); log_level=2

May 22 21:53:33 papa amavis[23657]: Perl version               5.008008

May 22 21:53:34 papa amavis[23657]: INFO: no optional modules: Sys::Hostname::Long Mail::SPF::Query Net::CIDR::Lite Mail::SpamAssassin::Plugin::DomainKeys Mail::DomainKeys::Header Mail::DomainKeys::Message Mail::DomainKeys::Policy Mail::DomainKeys::Signature Mail::DomainKeys::Key Mail::DomainKeys::Key::Public Crypt::OpenSSL::RSA auto::Crypt::OpenSSL::RSA::new_public_key auto::Crypt::OpenSSL::RSA::load_public_key auto::Crypt::OpenSSL::RSA::_new auto::Crypt::OpenSSL::RSA::DESTROY IP::Country::Fast

May 22 21:53:34 papa amavis[23657]: SpamControl: init_pre_chroot done

May 22 21:53:34 papa amavis[23658]: Net::Server: Process Backgrounded

May 22 21:53:34 papa amavis[23658]: Net::Server: 2008/05/22-21:53:34 Amavis (type Net::Server::PreForkSimple) starting! pid(23658)

May 22 21:53:34 papa amavis[23658]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM

May 22 21:53:34 papa amavis[23658]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1

May 22 21:53:34 papa amavis[23658]: Net::Server: Setting gid to "1002 1002"

May 22 21:53:34 papa amavis[23658]: Net::Server: Setting uid to "101"

May 22 21:53:34 papa amavis[23658]: Module Amavis::Conf        2.065

May 22 21:53:34 papa amavis[23658]: Module Archive::Tar        1.30

May 22 21:53:34 papa amavis[23658]: Module Archive::Zip        1.16

May 22 21:53:34 papa amavis[23658]: Module BerkeleyDB          0.31

May 22 21:53:34 papa amavis[23658]: Module Compress::Zlib      2.001

May 22 21:53:34 papa amavis[23658]: Module Convert::TNEF       0.17

May 22 21:53:34 papa amavis[23658]: Module Convert::UUlib      1.06

May 22 21:53:34 papa amavis[23658]: Module DBD::mysql          3.0008

May 22 21:53:34 papa amavis[23658]: Module DBI                 1.54

May 22 21:53:34 papa amavis[23658]: Module DB_File             1.814

May 22 21:53:34 papa amavis[23658]: Module Digest::MD5         2.36

May 22 21:53:34 papa amavis[23658]: Module MIME::Entity        5.420

May 22 21:53:34 papa amavis[23658]: Module MIME::Parser        5.420

May 22 21:53:34 papa amavis[23658]: Module MIME::Tools         5.420

May 22 21:53:34 papa amavis[23658]: Module Mail::Header        1.74

May 22 21:53:34 papa amavis[23658]: Module Mail::Internet      1.74

May 22 21:53:34 papa amavis[23658]: Module Mail::SpamAssassin  3.002001

May 22 21:53:34 papa amavis[23658]: Module Net::Cmd            2.26

May 22 21:53:34 papa amavis[23658]: Module Net::DNS            0.59

May 22 21:53:34 papa amavis[23658]: Module Net::SMTP           2.29

May 22 21:53:34 papa amavis[23658]: Module Net::Server         0.94

May 22 21:53:34 papa amavis[23658]: Module Razor2::Client::Version 2.82

May 22 21:53:34 papa amavis[23658]: Module Time::HiRes         1.9

May 22 21:53:34 papa amavis[23658]: Module Unix::Syslog        0.100

May 22 21:53:34 papa amavis[23658]: Amavis::DB code      loaded

May 22 21:53:34 papa amavis[23658]: Amavis::Cache code   loaded

May 22 21:53:34 papa amavis[23658]: SQL base code        NOT loaded

May 22 21:53:34 papa amavis[23658]: SQL::Log code        NOT loaded

May 22 21:53:34 papa amavis[23658]: SQL::Quarantine      NOT loaded

May 22 21:53:34 papa amavis[23658]: Lookup::SQL code     NOT loaded

May 22 21:53:34 papa amavis[23658]: Lookup::LDAP code    NOT loaded

May 22 21:53:34 papa amavis[23658]: AM.PDP-in proto code loaded

May 22 21:53:34 papa amavis[23658]: SMTP-in proto code   loaded

May 22 21:53:34 papa amavis[23658]: Courier proto code   NOT loaded

May 22 21:53:34 papa amavis[23658]: SMTP-out proto code  loaded

May 22 21:53:34 papa amavis[23658]: Pipe-out proto code  NOT loaded

May 22 21:53:34 papa amavis[23658]: BSMTP-out proto code NOT loaded

May 22 21:53:34 papa amavis[23658]: Local-out proto code loaded

May 22 21:53:34 papa amavis[23658]: OS_Fingerprint code  NOT loaded

May 22 21:53:34 papa amavis[23658]: ANTI-VIRUS code      loaded

May 22 21:53:34 papa amavis[23658]: ANTI-SPAM code       loaded

May 22 21:53:34 papa amavis[23658]: ANTI-SPAM-SA code    loaded

May 22 21:53:34 papa amavis[23658]: Unpackers code       loaded

May 22 21:53:34 papa amavis[23658]: Found $file            at /usr/bin/file

May 22 21:53:34 papa amavis[23658]: No $dspam,             not using it

May 22 21:53:34 papa amavis[23658]: Internal decoder for .mail

May 22 21:53:34 papa amavis[23658]: Internal decoder for .asc

May 22 21:53:34 papa amavis[23658]: Internal decoder for .uue

May 22 21:53:34 papa amavis[23658]: Internal decoder for .hqx

May 22 21:53:34 papa amavis[23658]: Internal decoder for .ync

May 22 21:53:34 papa amavis[23658]: Found decoder for    .F    at /usr/bin/unfreeze

May 22 21:53:34 papa amavis[23658]: Found decoder for    .Z    at /bin/gzip -d

May 22 21:53:34 papa amavis[23658]: Internal decoder for .gz

May 22 21:53:34 papa amavis[23658]: Found decoder for    .gz   at /bin/gzip -d (backup, not used)

May 22 21:53:34 papa amavis[23658]: Found decoder for    .bz2  at /bin/bzip2 -d

May 22 21:53:34 papa amavis[23658]: No decoder for       .lzo  tried: lzop -d

May 22 21:53:34 papa amavis[23658]: No decoder for       .rpm  tried: rpm2cpio.pl, rpm2cpio

May 22 21:53:34 papa amavis[23658]: Found decoder for    .cpio at /bin/cpio

May 22 21:53:34 papa amavis[23658]: Found decoder for    .tar  at /bin/cpio

May 22 21:53:34 papa amavis[23658]: Internal decoder for .tar  (backup, not used)

May 22 21:53:34 papa amavis[23658]: Found decoder for    .deb  at /usr/bin/ar

May 22 21:53:34 papa amavis[23658]: Internal decoder for .zip

May 22 21:53:34 papa amavis[23658]: Found decoder for    .rar  at /usr/bin/unrar

May 22 21:53:34 papa amavis[23658]: Found decoder for    .arj  at /usr/bin/unarj

May 22 21:53:34 papa amavis[23658]: Found decoder for    .arc  at /usr/bin/arc

May 22 21:53:34 papa amavis[23658]: Found decoder for    .zoo  at /usr/bin/zoo

May 22 21:53:34 papa amavis[23658]: Found decoder for    .lha  at /usr/bin/lha

May 22 21:53:34 papa amavis[23658]: Found decoder for    .cab  at /usr/bin/cabextract

May 22 21:53:34 papa amavis[23658]: No decoder for       .tnef tried: tnef

May 22 21:53:34 papa amavis[23658]: Internal decoder for .tnef

May 22 21:53:34 papa amavis[23658]: Found decoder for    .exe  at /usr/bin/unrar; /usr/bin/lha; /usr/bin/unarj

May 22 21:53:34 papa amavis[23658]: Using internal av scanner code for (primary) ClamAV-clamd

May 22 21:53:34 papa amavis[23658]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan

May 22 21:53:34 papa amavis[23658]: Creating db in /var/amavis/db/; BerkeleyDB 0.31, libdb 4.3

May 22 21:53:34 papa amavis[23658]: SpamControl: initializing Mail::SpamAssassin

May 22 21:53:38 papa amavis[23658]: SpamControl: init_pre_fork done

May 22 21:53:38 papa amavis[23670]: TIMING [total 9 ms] - bdb-open: 9 (100%)100, rundown: 0 (0%)100

May 22 21:53:38 papa amavis[23671]: TIMING [total 11 ms] - bdb-open: 11 (100%)100, rundown: 0 (0%)100

May 22 21:53:38 papa amavis[23672]: TIMING [total 9 ms] - bdb-open: 9 (100%)100, rundown: 0 (0%)100

May 22 21:53:38 papa amavis[23673]: TIMING [total 8 ms] - bdb-open: 8 (100%)100, rundown: 0 (0%)100

May 22 21:53:45 papa freshclam[23755]: Current working dir is /var/lib/clamav

May 22 21:53:45 papa freshclam[23756]: freshclam daemon 0.93 (OS: linux-gnu, ARCH: i386, CPU: i686)

May 22 21:53:45 papa freshclam[23756]: Max retries == 3

May 22 21:53:45 papa freshclam[23756]: ClamAV update process started at Thu May 22 21:53:45 2008

May 22 21:53:45 papa freshclam[23756]: Querying current.cvd.clamav.net

May 22 21:53:45 papa freshclam[23756]: TTL: 92

May 22 21:53:45 papa freshclam[23756]: Software version from DNS: 0.93

May 22 21:53:45 papa freshclam[23756]: main.cvd version from DNS: 46

May 22 21:53:45 papa freshclam[23756]: main.cvd is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven)

May 22 21:53:45 papa freshclam[23756]: daily.cvd version from DNS: 7218

May 22 21:53:45 papa freshclam[23756]: daily.cld is up to date (version: 7218, sigs: 65298, f-level: 26, builder: neo)

May 22 21:53:45 papa freshclam[23756]: --------------------------------------

```

log /var/log/clamav/clamd.log

```

papa ~ # tail -50 /var/log/clamav/clamd.log

Thu May 22 02:27:07 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 02:27:07 2008 -> Reading databases from /var/lib/clamav

Thu May 22 02:44:04 2008 -> +++ Started at Thu May 22 02:44:04 2008

Thu May 22 02:44:04 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 02:44:04 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 02:44:04 2008 -> Reading databases from /var/lib/clamav

Thu May 22 01:38:27 2008 -> +++ Started at Thu May 22 01:38:27 2008

Thu May 22 01:38:27 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 01:38:27 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 01:38:27 2008 -> Reading databases from /var/lib/clamav

Thu May 22 02:05:24 2008 -> +++ Started at Thu May 22 02:05:24 2008

Thu May 22 02:05:24 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 02:05:24 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 02:05:24 2008 -> Reading databases from /var/lib/clamav

Thu May 22 02:05:24 2008 -> ERROR: Not supported data format

Thu May 22 02:07:22 2008 -> +++ Started at Thu May 22 02:07:22 2008

Thu May 22 02:07:22 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 02:07:22 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 02:07:22 2008 -> Reading databases from /var/lib/clamav

Thu May 22 02:24:39 2008 -> +++ Started at Thu May 22 02:24:39 2008

Thu May 22 02:24:39 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 02:24:39 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 02:24:39 2008 -> Reading databases from /var/lib/clamav

Thu May 22 02:24:39 2008 -> ERROR: Not supported data format

Thu May 22 02:35:16 2008 -> +++ Started at Thu May 22 02:35:16 2008

Thu May 22 02:35:16 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 02:35:16 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 02:35:16 2008 -> Reading databases from /var/lib/clamav

Thu May 22 02:35:24 2008 -> Loaded 120423 signatures.

Thu May 22 02:35:24 2008 -> ERROR: Socket file /var/amavis/clamd exists. Either remove it, or configure a different one.

Thu May 22 10:24:59 2008 -> +++ Started at Thu May 22 10:24:59 2008

Thu May 22 10:24:59 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 10:24:59 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 10:24:59 2008 -> Reading databases from /var/lib/clamav

Thu May 22 10:31:06 2008 -> +++ Started at Thu May 22 10:31:06 2008

Thu May 22 10:31:06 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 10:31:06 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 10:31:06 2008 -> Reading databases from /var/lib/clamav

Thu May 22 10:37:11 2008 -> +++ Started at Thu May 22 10:37:11 2008

Thu May 22 10:37:11 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 10:37:11 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 10:37:11 2008 -> Reading databases from /var/lib/clamav

Thu May 22 10:41:25 2008 -> +++ Started at Thu May 22 10:41:25 2008

Thu May 22 10:41:25 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 10:41:25 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 10:41:25 2008 -> Reading databases from /var/lib/clamav

Thu May 22 11:10:59 2008 -> +++ Started at Thu May 22 11:10:59 2008

Thu May 22 11:10:59 2008 -> clamd daemon 0.90.3 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu May 22 11:10:59 2008 -> Log file size limited to 1048576 bytes.

Thu May 22 11:10:59 2008 -> Reading databases from /var/lib/clamav

```

/var/log/clamav/     owner clamav      group clamav 40755

/var/amavis            owner amavis      group mailuser      40777         | i don't know why is mailuser but I check many configurations maybe my mistake

/var/lib/clamav        owner amavis      group amavis       40777

/etc/group 

```

amavis:x:1002:clamav
```

example.pl    I change from my real domain name.

----------

## mkiler

file /var/amavis/clamd  exist - I touched this file today

----------

## mkiler

now permissions to /var/amavis  are correct

```

netstat -anpl|grep clamd

```

returns nothing, but into log when I restart clamd

```

May 23 10:03:13 papa freshclam[3061]: Current working dir is /var/lib/clamav

May 23 10:03:13 papa freshclam[3062]: freshclam daemon 0.93 (OS: linux-gnu, ARCH: i386, CPU: i686)

May 23 10:03:13 papa freshclam[3062]: Max retries == 3

May 23 10:03:13 papa freshclam[3062]: ClamAV update process started at Fri May 23 10:03:13 2008

May 23 10:03:13 papa freshclam[3062]: Querying current.cvd.clamav.net

May 23 10:03:13 papa freshclam[3062]: TTL: 4

May 23 10:03:13 papa freshclam[3062]: Software version from DNS: 0.93

May 23 10:03:13 papa freshclam[3062]: main.cvd version from DNS: 46

May 23 10:03:13 papa freshclam[3062]: main.cvd is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven)

May 23 10:03:13 papa freshclam[3062]: daily.cvd version from DNS: 7220

May 23 10:03:13 papa freshclam[3062]: daily.cld is up to date (version: 7220, sigs: 65308, f-level: 26, builder: ccordes)

May 23 10:03:13 papa freshclam[3062]: --------------------------------------

```

now I change /etc/init.d/clamd      now file is:

```

#!/sbin/runscript

# Copyright 1999-2005 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: /var/cvsroot/gentoo-x86/app-antivirus/clamav/files/clamd.rc,v 1.15 2007/04/13 20:56:34 ticho Exp $

opts="logfix"

depend() {

        use net

        provide antivirus

}

start() {

        local clamd_socket=`awk '$1 == "LocalSocket" { print $2 }' /etc/clamd.conf`

        logfix

        if [ "${START_CLAMD}" = "yes" ]; then

                if [ -S "${clamd_socket:-/tmp/clamd}" ]; then

                        rm -f ${clamd_socket:-/tmp/clamd}

                fi

                ebegin "Starting clamd"

#start-stop-daemon --stop --quiet --pidfile /var/amavis/clamd.pid

                        start-stop-daemon --start --quiet \

                         --exec /usr/sbin/clamd

                eend $? "Failed to start clamd"

        fi

        if [ "${START_FRESHCLAM}" = "yes" ]; then

                ebegin "Starting freshclam"

                start-stop-daemon --start --quiet \

                        --exec /usr/bin/freshclam -- -d

                retcode=$?

                if [ ${retcode} = 1 ]; then

                        eend 0

                        einfo "Virus databases are already up to date."

                else

                        eend ${retcode} "Failed to start freshclam"

                fi

        fi

        if [ "${START_MILTER}" = "yes" ]; then

                if [ -S "${MILTER_SOCKET}" ]; then

                        rm -f ${MILTER_SOCKET}

                fi

                local milter_ext=no

                local milter_svr=no

                args=`getopt -q --options "es" --longoptions "external,server" --  $MILTER_OPTS`

                for arg in $args; do

                        case "$arg" in

                        -e | --external)

                                milter_ext=yes;

                                shift;;

                        -s | --server)

                                milter_svr=yes;

                                shift;;

                        --)

                                shift;

                                break;;

                        esac

                done

                if [[ $milter_ext == yes && $milter_svr == no ]]; then

                        local clamd_socket_wait_count=0

                        local clamd_socket_wait_max=10

                        local clamd_socket_wait_result=-1

                        ebegin "Waiting for clamd to create ${clamd_socket}"

                        while (( clamd_socket_wait < clamd_socket_wait_max )); do

                                if [ -S "${clamd_socket:-/tmp/clamd}" ]; then

                                        clamd_socket_wait_result=0

                                        break

                                else

                                        echo -n " ."

                                        let clamd_socket_wait++

                                        sleep 1

                                fi

                        done

                        echo

                        eend $clamd_socket_wait_result "Timeout waiting for ${clamd_socket}"

                fi

                ebegin "Starting clamav-milter"

                start-stop-daemon --start --quiet \

                        --exec /usr/sbin/clamav-milter -- ${MILTER_OPTS} ${MILTER_SOCKET}

                eend $? "Failed to start clamav-milter"

        fi

}

stop() {

        if [ "${START_CLAMD}" = "yes" ]; then

                ebegin "Stopping clamd"

                start-stop-daemon --stop --quiet --name clamd

                eend $? "Failed to stop clamd"

        fi

        if [ "${START_FRESHCLAM}" = "yes" ]; then

                ebegin "Stopping freshclam"

                start-stop-daemon --stop --quiet --name freshclam

                eend $? "Failed to stop freshclam"

        fi

        if [ "${START_MILTER}" = "yes" ]; then

                ebegin "Stopping clamav-milter"

                start-stop-daemon --stop --quiet --name clamav-milter

                eend $? "Failed to stop clamav-milter"

        fi

}

logfix() {

        if [ "${START_CLAMD}" = "yes" ]; then

                # fix clamd log permissions

                # (might be clobbered by logrotate or something)

                local logfile=`awk '$1 == "LogFile" { print $2 }' /etc/clamd.conf`

                local clamav_user=`awk '$1 == "User" { print $2 }' /etc/clamd.conf`

                if [ -n "${logfile}" ] && [ -n "${clamav_user}" ]; then

                        if [ ! -f "${logfile}" ]; then

                                touch ${logfile}

                        fi

                        chown ${clamav_user} ${logfile}

                        chmod 640 ${logfile}

                fi

        fi

        if [ "${START_FRESHCLAM}" = "yes" ]; then

                # fix freshclam log permissions

                # (might be clobbered by logrotate or something)

                logfile=`awk '$1 == "UpdateLogFile" { print $2 }' /etc/freshclam.conf`

                local freshclam_user=`awk '$1 == "DatabaseOwner" { print $2 }' /                        etc/freshclam.conf`

                if [ -n "${logfile}" -a -n "${clamav_user}" ]; then

                        if [ ! -f "${logfile}" ]; then

                                touch ${logfile}

                        fi

                        chown ${freshclam_user} ${logfile}

                        chmod 640 ${logfile}

                fi

        fi

}

```

little change in /etc/clamd.conf

```

AllowSupplementaryGroups yes

```

restart and now when I do  

```

netstat -anpl|grep clamd

```

log is 

```

unix  2      [ ACC ]     STREAM     LISTENING     601505 3402/clamd          /var/amavis/clamd

```

The previous error has disappeared, but now sometimes in the log I have

```

papa amavis[2913]: (02913-05) ClamAV-clamd: Can't send to socket /var/amavis/clamd: Transport endpoint is not connected, retrying (1)

```

Bunder, thanks for your help

----------

## bunder

check the clamav part of your /etc/amavisd.conf

 *Quote:*   

>  ['ClamAV-clamd',
> 
>    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
> 
>    qr/\bOK$/, qr/\bFOUND$/,
> ...

 

it's probably set to /var/amavis/clamd

edit: you must be using a different logger than i am, that might be why you don't have a /var/log/mail.info... not sure where your logger stores mail logs.

double edit: here are the perms on my side:

```
drwxrwxr-x  7 amavis amavis 4096 May 22 17:01 /var/amavis
drwxrwxr-x  4 clamav amavis     4096 May 22 23:01 /var/lib/clamav
drwxr-xr-x 2 clamav amavis   1024 May  9 03:05 /var/log/clamav
```

seems to work fine for me...  give it all a go and let me know how things turn out.  cheers

----------

## mkiler

yes I have 

```

['ClamAV-clamd',

\&ask_daemon, ["CONTSCAN {}\n", "/var/amavis/clamd"],

qr/\bOK$/, qr/\bFOUND$/,

qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ]
```

but when I change to your version, emails are not delivered. I think it's OK now because I checked my log file and this error

```

papa amavis[2913]: (02913-05) ClamAV-clamd: Can't send to socket /var/amavis/clamd: Transport endpoint is not connected, retrying (1)

```

doesn't exist.

Thanks once again. I think we can close this subject

----------
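The socket-path question this thread turns on (the path in the `ClamAV-clamd` entry of amavisd.conf versus the socket clamd actually listens on) can be checked mechanically. The script below is an added example, not part of any poster's message; its function names are hypothetical, it reads clamd's `LocalSocket` setting, and both config file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: check that amavisd-new dials the socket clamd listens on.
# Function names are hypothetical; config paths are passed as arguments.

# Print the LocalSocket value from clamd.conf (commented lines never match).
clamd_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Print the socket path from the ask_daemon line of the ClamAV-clamd entry.
amavis_socket() {
    awk '
        /^[ \t]*#/     { next }            # skip commented-out scanners
        /ClamAV-clamd/ { in_entry = 1 }
        in_entry && /ask_daemon/ {
            if (match($0, /"\/[^"]*"[ \t]*\]/)) {
                s = substr($0, RSTART + 1, RLENGTH)
                sub(/".*/, "", s)           # drop the closing quote and the rest
                print s
            }
            exit
        }' "$1"
}

# Return 0 if both files name the same socket, 1 on mismatch,
# 2 if a path could not be read from either file.
check_socket_match() {
    clamd_path=$(clamd_socket "$1")
    amavis_path=$(amavis_socket "$2")
    if [ -z "$clamd_path" ] || [ -z "$amavis_path" ]; then
        echo "cannot read socket path (clamd='$clamd_path' amavis='$amavis_path')" >&2
        return 2
    fi
    if [ "$clamd_path" != "$amavis_path" ]; then
        echo "MISMATCH: clamd listens on $clamd_path, amavis dials $amavis_path"
        return 1
    fi
    echo "OK: both use $clamd_path"
    # On the live host the path must also exist as a socket.
    [ -S "$clamd_path" ] || echo "note: $clamd_path is not a socket (clamd stopped?)"
    return 0
}

# Usage: sh check.sh /etc/clamd.conf /etc/amavisd.conf
if [ "$#" -eq 2 ]; then
    check_socket_match "$1" "$2"
fi
```

A matching path is necessary but not sufficient: the amavis user also needs permission to reach the socket, which is what the directory ownership and group settings in the thread address.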

