1 (edited by ired_mania 2020-06-22 14:05:47)

Topic: clamav logging

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi
When I run the clam@amavis service, the number of delivered e-mails decreases, so I want to know the details and why it does not deliver some of my emails. There is no special ClamAV log file on my server; I only have the freshclam log in /var/log/messages. Would you please help me?


2

Re: clamav logging

hi guys
any idea?

ired_mania wrote:

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi
When I run the clam@amavis service, the number of delivered e-mails decreases, so I want to know the details and why it does not deliver some of my emails. There is no special ClamAV log file on my server; I only have the freshclam log in /var/log/messages. Would you please help me?

3 (edited by MuPp3t33r 2020-06-23 18:15:01)

Re: clamav logging

clam@amavis

user = clam ; service = amavis

In this case, Amavis is logging the events to your mail log.

Here's an example of a mail blocked due to a virus signature (notice the event is logged by amavis, not clam):

Jun 23 11:57:43 mail01 postfix/submission/smtpd[18099]: disconnect from mail01.server.local[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jun 23 11:57:45 mail01 postfix/10025/smtpd[18135]: connect from mail01.server.local[127.0.0.1]
Jun 23 11:57:45 mail01 postfix/10025/smtpd[18135]: 49rhXn2gthzBs06: client=mail01.server.local[127.0.0.1]
Jun 23 11:57:45 mail01 postfix/cleanup[18112]: 49rhXn2gthzBs06: message-id=<VAp6WpTh5RVGou@mail01.server.local>
Jun 23 11:57:45 mail01 postfix/10025/smtpd[18135]: disconnect from mail01.server.local[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jun 23 11:57:45 mail01 postfix/qmgr[1689]: 49rhXn2gthzBs06: from=<postmaster@mail01.server.local>, size=3112, nrcpt=1 (queue active)
Jun 23 11:57:45 mail01 amavis[2104]: (02104-01) Blocked INFECTED (Win.Test.EICAR_HDB-1) {DiscardedInternal,Quarantined}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:53560 ESMTP/ESMTP <from@domain.tld> -> <to@domain.tld>, (), quarantine: p6WpTh5RVGou, Queue-ID: 49rhXl46przBrKP, Message-ID: <e322cb9aacc61b56dd6375ee6998bf15@domain.tld>, mail_id: p6WpTh5RVGou, b: 2cjcNIYCe, Hits: -, size: 892, Subject: "test", From: <from@domain.tld>, User-Agent: Roundcube_Webmail, helo=localhost, b.key=(?^i:.\\.(exe|vbs|pif|scr|cpl)$), b.com=(?^i:.\\.(exe|vbs|pif|scr|cpl)$), b.rhs=1, b.parts=P=p002,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=dat,N=eicr.exe, 1723 ms
Jun 23 11:57:45 mail01 postfix/cleanup[18112]: 49rhXn4s8NzBs0Q: message-id=<VAp6WpTh5RVGou@mail01.server.local>
Jun 23 11:57:45 mail01 postfix/amavis/smtp[18118]: 49rhXl46przBrKP: to=<to@domain.tld>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.2, delays=0.25/0/0.01/2, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=02104-01 - INFECTED: Win.Test.EICAR_HDB-1)
Jun 23 11:57:45 mail01 postfix/qmgr[1689]: 49rhXl46przBrKP: removed
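Since the ClamAV verdict only surfaces in the mail log as an amavis "Blocked INFECTED ..." line, the practical way to answer the original question (how many mails were discarded, and why) is to parse those lines and join them with Postfix's delivery status for the same queue id. The script below is an added example, not code from iRedMail or from the poster; it assumes the standard amavis log format shown above. The sample input reuses the log lines from the post, plus one constructed "Passed CLEAN" line so that a delivered message appears for contrast.

```python
"""Extract amavis content-filter verdicts (Blocked/Passed) from a Postfix mail log.

Added example (not iRedMail project code). On an iRedMail host the ClamAV
result is reported by amavis in the mail log, so those lines, not a separate
clamd log, are the record to search when counting silently discarded mail.
"""
import re
from collections import Counter
from typing import Optional

# Sample input: the first three lines are quoted from the post above; the
# "Passed CLEAN" line is constructed here (queue/mail ids are made up).
SAMPLE_LOG = "\n".join([
    r'Jun 23 11:57:45 mail01 postfix/qmgr[1689]: 49rhXn2gthzBs06: from=<postmaster@mail01.server.local>, size=3112, nrcpt=1 (queue active)',
    r'Jun 23 11:57:45 mail01 amavis[2104]: (02104-01) Blocked INFECTED (Win.Test.EICAR_HDB-1) {DiscardedInternal,Quarantined}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:53560 ESMTP/ESMTP <from@domain.tld> -> <to@domain.tld>, (), quarantine: p6WpTh5RVGou, Queue-ID: 49rhXl46przBrKP, Message-ID: <e322cb9aacc61b56dd6375ee6998bf15@domain.tld>, mail_id: p6WpTh5RVGou, b: 2cjcNIYCe, Hits: -, size: 892, Subject: "test", From: <from@domain.tld>, User-Agent: Roundcube_Webmail, helo=localhost, b.key=(?^i:.\\.(exe|vbs|pif|scr|cpl)$), b.com=(?^i:.\\.(exe|vbs|pif|scr|cpl)$), b.rhs=1, b.parts=P=p002,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=dat,N=eicr.exe, 1723 ms',
    r'Jun 23 11:57:45 mail01 postfix/amavis/smtp[18118]: 49rhXl46przBrKP: to=<to@domain.tld>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.2, delays=0.25/0/0.01/2, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=02104-01 - INFECTED: Win.Test.EICAR_HDB-1)',
    # Constructed line: a clean message amavis handed back to Postfix.
    r'Jun 23 12:01:02 mail01 amavis[2104]: (02104-02) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:53588 ESMTP/ESMTP <from@domain.tld> -> <to@domain.tld>, Queue-ID: 49rhcd0000zBrKQ, Message-ID: <constructed-clean@domain.tld>, mail_id: q7XyZ1AbCdEf, Hits: -0.999, size: 1034, queued_as: 49rhcf1111zBs0R, 210 ms',
])

# amavis verdict line: "(task) Blocked INFECTED (signature) {tags}, ... <sender> -> <rcpt>"
AMAVIS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) amavis\[(?P<pid>\d+)\]: "
    r"\((?P<task>[\d-]+)\) (?P<action>Blocked|Passed) (?P<verdict>[A-Z0-9-]+)"
    r"(?: \((?P<signature>[^)]*)\))? \{(?P<tags>[^}]*)\}, .*?"
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)

# Postfix's view of the same message: what amavis answered on port 10026.
POSTFIX_RE = re.compile(
    r"postfix/amavis/smtp\[\d+\]: (?P<queue_id>\w+): to=<(?P<rcpt>[^>]*)>.*"
    r"status=(?P<status>\w+) \((?P<reply>.*)\)$"
)


def _field(line: str, name: str) -> Optional[str]:
    """Return the value of a 'name: value' field in an amavis line (None if absent)."""
    m = re.search(re.escape(name) + r": (<[^>]*>|[^,]+)", line)
    return m.group(1) if m else None


def parse_amavis_line(line: str) -> Optional[dict]:
    """Parse one amavis verdict line into a dict, or None for unrelated lines."""
    m = AMAVIS_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["tags"] = ev["tags"].split(",")
    ev["queue_id"] = _field(line, "Queue-ID")      # Postfix queue id of the scanned mail
    ev["message_id"] = _field(line, "Message-ID")
    ev["mail_id"] = _field(line, "mail_id")
    ev["quarantine"] = _field(line, "quarantine")  # set only when a copy was quarantined
    return ev


def parse_postfix_reply(line: str) -> Optional[dict]:
    """Parse the postfix/amavis/smtp delivery line for a scanned message."""
    m = POSTFIX_RE.search(line)
    return m.groupdict() if m else None


def amavis_events(log_text: str) -> list:
    """All amavis verdicts, each joined with Postfix's result for the same queue id."""
    replies, events = {}, []
    for line in log_text.splitlines():
        r = parse_postfix_reply(line)
        if r:
            replies[r["queue_id"]] = r
            continue
        ev = parse_amavis_line(line)
        if ev:
            events.append(ev)
    for ev in events:
        r = replies.get(ev["queue_id"])
        ev["postfix_status"] = r["status"] if r else None
        ev["postfix_reply"] = r["reply"] if r else None
    return events


def blocked_messages(log_text: str) -> list:
    """Only the messages amavis refused (the ones the original poster is missing)."""
    return [ev for ev in amavis_events(log_text) if ev["action"] == "Blocked"]


def summarize(log_text: str) -> dict:
    """Count verdicts by 'action verdict', e.g. {'Blocked INFECTED': 1, 'Passed CLEAN': 1}."""
    return dict(Counter(f"{ev['action']} {ev['verdict']}" for ev in amavis_events(log_text)))


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for ev in blocked_messages(SAMPLE_LOG):
        print(ev["ts"], ev["verdict"], ev["signature"], ev["sender"], "->", ev["rcpt"],
              "quarantine:", ev["quarantine"], "postfix:", ev["postfix_reply"])
```

Run it against the real file with `python3 amavis_verdicts.py < /var/log/maillog` after swapping `SAMPLE_LOG` for `sys.stdin.read()` (file name and path are assumptions; iRedMail's mail log location depends on the distribution). Note that Postfix reports the discarded mail as `status=sent` with a `250 2.7.0 Ok, discarded` reply, so counting `status=sent` alone would hide exactly the messages the poster is looking for; the amavis `Blocked` line and the `quarantine:` id are what identify them.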