1

Topic: clamav running on a remote server?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.2.1
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: FreeBSD 11.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Has anyone been able to configure their iRedMail to use clamav running on a separate server? 

I've looked for instructions on how to setup amavis to use a clamav server IP/port, but have not found a solution.

Thanks in advance!


2

Re: clamav running on a remote server?

Sure, it's possible. We have this setup running in an iRedMail load-balance cluster.

- Configure ClamAV to listen on a network port that is accessible by the iRedMail server.
- On the iRedMail server, configure Amavisd to connect to the ClamAV service via inet (IP:Port) instead of the local socket.

3

Re: clamav running on a remote server?

In

/usr/local/etc/amavisd.conf

I changed

@av_scanners = (
    ['clamav-socket',
    \&ask_daemon, ["CONTSCAN {}\n", '/var/run/clamav/clamd.sock'],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

to

@av_scanners = (
    ['clamav-socket',
    \&ask_daemon, ["CONTSCAN {}\n", 'X.X.X.X:3310'],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

Where X.X.X.X is my clamav server's local IP address.  Is that the correct config?  I could not find any docs.

Also, I noticed the @av_scanners_backup section.  Since there is no clamav freshclam service running on the iRedMail server anymore, do I need to change this also?  If so, how?

@av_scanners_backup = (
    ['clamav-clamscan', 'clamscan',
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

4

Re: clamav running on a remote server?

Replace "<IP>:<PORT>":

    ['clamav-cluster-inet',
    \&ask_daemon, ["CONTSCAN {}\n", "<IP>:<PORT>"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

5

Re: clamav running on a remote server?

Right.  That's very similar to what I did.

I was wondering what, if anything, to do with the @av_scanners_backup section?  I suppose it can be disabled.

6

Re: clamav running on a remote server?

blacksteel1288 wrote:

I was wondering what, if anything, to do with the @av_scanners_backup section?  I suppose it can be disabled.

Just comment out the parameter.

7

Re: clamav running on a remote server?

Since making this change, I'm getting these errors in the /var/log/maillog file:

Aug  3 13:16:45 <mail.warn> mx amavis[92329]: (92329-01) (!)run_av (clamav-server) FAILED - unexpected , output="/var/amavis/tmp/amavis-20200803T131645-92329-R0b40gXT/parts: lstat() failed: No such file or directory. ERROR\n"
Aug  3 13:16:45 <mail.warn> mx amavis[92329]: (92329-01) (!)clamav-server av-scanner FAILED: CODE(0x8097b1738) unexpected , output="/var/amavis/tmp/amavis-20200803T131645-92329-R0b40gXT/parts: lstat() failed: No such file or directory. ERROR\n" at (eval 110) line 951.
Aug  3 13:16:45 <mail.warn> mx amavis[92329]: (92329-01) (!)WARN: all primary virus scanners failed, considering backups
Aug  3 13:16:45 <mail.err> mx amavis[92329]: (92329-01) (!!)AV: ALL VIRUS SCANNERS FAILED

The /var/amavis/tmp/amavis-XXX/parts directories do exist on the iredmail server, so it's not clear why the virus scans fail.  Any suggestions?

8

Re: clamav running on a remote server?

It failed to run or connect to the AV scanner.

9 (edited by blacksteel1288 2020-08-04 22:58:14)

Re: clamav running on a remote server?

I don't think it is a connection problem.  amavis on the iredmail server is connecting to the clamav server, because in the /var/log/clamav/clamd.log file I see entries like this:

WARNING: lstat() failed on: /var/amavis/tmp/amavis-20200803T230013-12526-6msKJSpY/parts
WARNING: lstat() failed on: /var/amavis/tmp/amavis-20200803T230014-12527-qTOkrG5F/parts

But, no additional details.  In clamd.conf, the value LogVerbose is "yes", but this is all that is shown.

I've seen permissions issues related to clamav servers in other posts, but in those cases the error messages clearly say "Permission Denied".  In my case, it is saying the file does not exist.  Still, it could be related.

What permissions and users do you have configured on your clamav-cluster-inet server?

10

Re: clamav running on a remote server?

blacksteel1288 wrote:

WARNING: lstat() failed on: /var/amavis/tmp/amavis-20200803T230013-12526-6msKJSpY/parts

These are MIME parts extracted by Amavisd; it's not relevant to clamav (yet).

11

Re: clamav running on a remote server?

Ok, so you're saying that the maillog message only refers to the MIME parts, but the rest of the message was scanned by the clam-av server successfully, correct?

12

Re: clamav running on a remote server?

No. I mean the files were extracted/decoded MIME parts, they're waiting for Amavisd to call ClamAV for virus scanning. But clamav was not running.

13

Re: clamav running on a remote server?

Ok, I understand.

I have verified that my remote ClamAV server is working correctly, because it is also used by my nextcloud server.  Uploading a test virus to nextcloud triggers the remote clamd process successfully.  So, I am sure the problem is with how iredmail's amavis calls clamd.

I saw this article, which says the scanning temporary directory must be shared (NFS) for the CONTSCAN command to work.
https://amavis-users.amavis.narkive.com … g-anything

I suspect that your cluster instance works because you are sharing that temporary directory between the clamav server and the amavis server.

There does appear to be a clamav command called INSTREAM (or zINSTREAM) that would send the files to clamd in a stream without the need to share a common temporary directory.  However, I wasn't able to find any documentation on how to use INSTREAM with amavis in the amavisd.conf file.  It looks like you need to specify the size of the stream and other info.
https://linux.die.net/man/8/clamd

It'd be great if there was a way to use INSTREAM, but until then, I'll share the directories.

14

Re: clamav running on a remote server?

blacksteel1288 wrote:

I suspect that your cluster instance works because you are sharing that temporary directory between the clamav server and the amavis server.

We don't share the temporary directory. Instead, we call clamav local socket first, remote inet as backup av scanner.

15

Re: clamav running on a remote server?

OK to close this one, then.  I have a separate question about virus scanning rules, but I'll start a different thread for it.