Koozali.org formerly Contribs.org

Problems with outgoing email, PDF's

« on: September 16, 2020, 01:22:48 PM »
Hi
Have a bit of an issue, and have managed to replicate this on a number of SME servers. It seems that the virus scanning, on incoming and outgoing is stamping on PDF documents. Proved it by disabling scanning and email arrives fine. All files have been confirmed virus free with Sophos.
No idea turning this off I must admit, but wondered if anyone else has had this happen? Going to have a read up, pretty sure somewhere you can disable PDF's from being scanned?

Regards Paul
Infamy, Infamy, they all have it in for me!

Offline ReetP

Re: Problems with outgoing email, PDF's
« Reply #1 on: September 16, 2020, 02:17:21 PM »
So, what do your logs say?

They give you the brutal truth.

Have a look in /var/log/qpsmtpd for stuff like this

Code:
virus::clamdscan: fail, found virus Heuristics.Phishing.Email.SpoofedDomain

You also need to check the wiki pages and look at the signatures of the PDFs getting blocked:

https://wiki.contribs.org/Virus:Email_Attachment_Blocking

[Edit to fix typo]
« Last Edit: September 16, 2020, 03:35:48 PM by ReetP »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: Problems with outgoing email, PDF's
« Reply #2 on: September 16, 2020, 02:36:56 PM »
Thanks for the reply, started to have a poke about, but a bit limited in knowledge here :-)

Did see this which equates to one of the messages not being delivered:-

@400000005f61f40139a58ba4 23139 (deny) logging::logterse: ` 212.69.*.*        mxfilter0.myisp.net     mxfilter0.myisp.net     <*****@ducron.co.uk>  <****@thannet.com>   virus::clamdscan        902     Unable to scan for viruses   msg denied before queued
@400000005f61f40139a656c4 23139 452 Unable to scan for viruses

Offline ReetP

Re: Problems with outgoing email, PDF's
« Reply #3 on: September 16, 2020, 03:35:16 PM »
Quote
but a bit limited in knowledge here

Blind leading the blind then ;-)

With your log snippet I assume that is from qpsmtpd/current.

Try to grep for the whole of that message using the message ID

Code:
grep 23139 /var/log/qpsmtpd/current

Also what have we got here?

Code:
config show clamd

config show clamav

config show clamscan


Offline warren

Re: Problems with outgoing email, PDF's
« Reply #4 on: September 17, 2020, 10:45:41 AM »
Quote
Thanks for the reply, started to have a poke about, but a bit limited in knowledge here :-)

Did see this which equates to one of the messages not being delivered:-

@400000005f61f40139a58ba4 23139 (deny) logging::logterse: ` 212.69.*.*        mxfilter0.myisp.net     mxfilter0.myisp.net     <*****@ducron.co.uk>  <****@thannet.com>   virus::clamdscan        902     Unable to scan for viruses   msg denied before queued
@400000005f61f40139a656c4 23139 452 Unable to scan for viruses

I've seen this on a restart of the server after applying updates: emails came in a minute or so after the restart and the email failed with "902 Unable to scan for virus". The issue was that it took clamd a good 3-4 minutes to restart, so the email failed as clamd had yet to start.

If it happens again, then quickly check that clamd is running.

Code:
sv s clamd

Offline ReetP

Re: Problems with outgoing email, PDF's
« Reply #5 on: September 17, 2020, 01:17:26 PM »
Good thinking Warren.

Can take quite a while to fire up clam especially on older hardware.

Re: Problems with outgoing email, PDF's
« Reply #6 on: September 17, 2020, 02:12:46 PM »
I'm replying to this thread because I encountered a similar, perhaps related, problem two days ago. Emails sans attachments were sent and received without issue. Emails with attachments were sent and received inconsistently, possibly related to file type and/or size.

Reviewing /var/log/clamd/, I found: 

@400000005f60fe17021a2b7c SelfCheck: Database status OK.
@400000005f61003c0a6f68dc LibClamAV Warning: fmap: map allocation failed
@400000005f61003c0a6f6cc4 LibClamAV Error: CRITICAL: fmap() failed
@400000005f61003c0a6fa374 /var/spool/qpsmtpd/1600192546:43746:0: Can't allocate memory ERROR

In any case, this forum post https://forums.contribs.org/index.php?topic=54070.0 contained the solution, which for me was:

db configuration setprop clamd MemLimit 1800000000
signal-event clamav-update

Users have reported no issues since.  Hope this will help out someone else.  Good luck!
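
Added example, not part of any post in this thread: a small Python triage of the two log formats quoted above. It separates a real clamdscan detection from a scanner failure and checks whether a clamd memory error was logged close to the failure. The function names, the 120-second window, the constructed sample lines and the 10-second term in the timestamp offset are assumptions.

```python
import re

# TAI64N label: "@" + 16 hex digits (seconds) + 8 hex digits (nanoseconds).
STAMP = re.compile(r"^@([0-9a-f]{16})[0-9a-f]{8} (.*)$")
TAI_OFFSET = (1 << 62) + 10  # assumption: TAI64 bias plus a 10 s TAI epoch offset
FOUND = re.compile(r"virus::clamdscan.*found virus (\S+)")
UNABLE = re.compile(r"virus::clamdscan.*Unable to scan for viruses")
MEMERR = re.compile(r"fmap\(\) failed|Can't allocate memory")

# The first clamd line and the second qpsmtpd line are quoted in the thread
# (whitespace normalised); every other sample line is constructed.
CLAMD_SAMPLE = [
    "@400000005f61003c0a6f6cc4 LibClamAV Error: CRITICAL: fmap() failed",
    "@400000005f61004600000000 SelfCheck: Database status OK.",
]
QPSMTPD_SAMPLE = [
    "@400000005f61004000000000 4321 (deny) logging::logterse: ` 192.0.2.10 mx.example.net "
    "mx.example.net <a@example.com> <b@example.org> virus::clamdscan 902 "
    "Unable to scan for viruses msg denied before queued",
    "@400000005f61f40139a58ba4 23139 (deny) logging::logterse: ` 212.69.*.* mxfilter0.myisp.net "
    "mxfilter0.myisp.net <*****@ducron.co.uk> <****@thannet.com> virus::clamdscan 902 "
    "Unable to scan for viruses msg denied before queued",
    "@400000005f61f50000000000 23200 virus::clamdscan: fail, found virus "
    "Heuristics.Phishing.Email.SpoofedDomain",
]

def parse(line):
    """Return (unix_seconds, message) for a TAI64N-stamped line, else None."""
    m = STAMP.match(line.strip())
    return (int(m.group(1), 16) - TAI_OFFSET, m.group(2)) if m else None

def triage(qpsmtpd_lines, clamd_lines, window=120):
    """Label each clamdscan deny as a detection or a scanner failure with a likely cause."""
    clamd = [r for r in map(parse, clamd_lines) if r]
    mem_errors = [ts for ts, msg in clamd if MEMERR.search(msg)]
    out = []
    for ts, msg in (r for r in map(parse, qpsmtpd_lines) if r):
        hit = FOUND.search(msg)
        if hit:  # the scanner ran and matched a signature
            out.append((ts, "detection", hit.group(1)))
        elif UNABLE.search(msg):  # the scanner never returned a verdict
            near = any(abs(ts - t) <= window for t in mem_errors)
            cause = "clamd memory error nearby" if near else "no clamd error nearby; check clamd is up"
            out.append((ts, "scanner-failure", cause))
    return out

if __name__ == "__main__":
    for row in triage(QPSMTPD_SAMPLE, CLAMD_SAMPLE):
        print(*row, sep="\t")
```

A "scanner-failure" row means the message was refused because no verdict was available, not because a PDF matched a signature, so the fix belongs on the clamd side rather than in the attachment rules.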

 



Offline Smitro

Re: Problems with outgoing email, PDF's
« Reply #7 on: October 13, 2020, 01:20:14 AM »
I'll add a 'me too' on this one. I had the same problem above and fixed it in the same way as Curtis mentioned. I first noticed it on the 6th September. So possibly caused by a clam update around that time?

Re: Problems with outgoing email, PDF's
« Reply #8 on: October 13, 2020, 10:50:07 AM »
Quote
So possibly caused by a clam update around that time?

Nope, number of signatures just keeps getting bigger. Soon everyone is going to hit this.

> The database contains 8895465 virus signatures. - reported by sme9admin

> Database correctly reloaded (9328954 signatures) - taken from clamd log

Difference is from unofficial sigs, currently running w/o issues with MemLimit 2GB (server has 8GB).