Hi guys,
Before I start, and to save people from trying to go through troubleshooting methods I've already done, ClamAV is installed. Freshclam has run and databases are up-to-date. The "scan email" option is enabled for both clam and postfix on every domain. There are no errors in procmail's log. There are no errors in maillog.
Problem: Spamc shows in the logs and works just fine. It is set to run as a service/server. ClamAV however doesn't show on the logs anywhere, nor does it leave its imprint in the mail headers (i.e. X-Virus). ClamAV is enabled both for each domain and under the Email Messages > Spam and Virus Scanning settings page. ClamAV is also running in service/server mode, however for troubleshooting I tried switching it to stand-alone (single process) scanner. This had no effect that differed.
Running CentOS Linux 6.6
Procmail conf:
LOGFILE=/var/log/procmail.log
TRAP=/etc/webmin/virtual-server/procmail-logger.pl
:0wi
VIRTUALMIN=|/etc/webmin/virtual-server/lookup-domain.pl --exitcode 73 $LOGNAME
EXITCODE=$?
:0
* ?/usr/bin/test "$EXITCODE" = "73"
/dev/null
EXITCODE=0
:0
* ?/usr/bin/test "$VIRTUALMIN" != ""
{
INCLUDERC=/etc/webmin/virtual-server/procmail/$VIRTUALMIN
}
DEFAULT=$HOME/Maildir/
ORGMAIL=$HOME/Maildir/
DROPPRIVS=yes
Procmail Log (-tail)
Subject: Cron <my@box19> php -q /home/my/public_html/pipe/pop.php
Folder: /home/my/Maildir/new/1429468922.30660_0.box19.g#######o 2384
Time:1429468922 From:root@box19.g############ To:my@box19.g########## User:my Size:2448 Dest:/home/my/Maildir/new/1429468922.30660_0.box19.g########## Mode:None
From root@box19.g################# Sun Apr 19 14:43:01 2015
Subject: Cron <my@box19> php -q /home/my/public_html/pipe/pop.php
Folder: /home/my/Maildir/new/1429468982.30771_0.box19.g######### 2384
Time:1429468982 From:root@box19.g################ To:my@box19.g############ User:my Size:2448 Dest:/home/my/Maildir/new/1429468982.30771_0.box19.g########### Mode:None
If anyone knows anything that can help get this solved, I would appreciate it. The only suspicion I have right now is maybe it is something to do with my perl setup as this is a fresh Virtualmin install -- I've touched no configuration files yet, I have installed some perl modules. So just in case anyone knows of any conflicting perl modules here is what I have installed:
rpm -qa | grep perl
perl-IO-Socket-SSL-1.31-2.el6.noarch
perl-XML-Simple-2.18-6.el6.noarch
perl-DBD-Pg-2.15.1-4.el6_3.x86_64
perl-Crypt-SSLeay-0.57-17.el6.x86_64
perl-IO-Tty-1.08-4.el6.x86_64
perl-Module-Pluggable-3.90-136.el6_6.1.x86_64
perl-ExtUtils-ParseXS-2.2003.0-136.el6_6.1.x86_64
perl-Test-Simple-0.92-136.el6_6.1.x86_64
perl-DBI-1.609-4.el6.x86_64
perl-Compress-Zlib-2.021-136.el6_6.1.x86_64
perl-Digest-SHA-5.47-136.el6_6.1.x86_64
perl-Socket6-0.23-4.el6.x86_64
perl-Test-Mock-LWP-0.05-4.el6.noarch
perl-Net-DNS-0.65-5.el6.x86_64
perl-GDGraph-1.44-7.el6.noarch
perl-HTML-Tagset-3.20-4.el6.noarch
perl-MailTools-2.04-4.el6.noarch
perl-Crypt-OpenSSL-RSA-0.25-10.1.el6.x86_64
perl-version-0.77-136.el6_6.1.x86_64
perl-Pod-Simple-3.13-136.el6_6.1.x86_64
perl-5.10.1-136.el6_6.1.x86_64
perl-Test-Harness-3.17-136.el6_6.1.x86_64
perl-ExtUtils-MakeMaker-6.55-136.el6_6.1.x86_64
perl-CGI-3.51-136.el6_6.1.x86_64
perl-URI-1.40-2.el6.noarch
perl-Compress-Raw-Zlib-2.021-136.el6_6.1.x86_64
perl-IO-Compress-Zlib-2.021-136.el6_6.1.x86_64
perl-IO-Zlib-1.09-136.el6_6.1.x86_64
perl-Encode-Detect-1.01-2.el6.x86_64
perl-Time-HiRes-1.9721-136.el6_6.1.x86_64
perl-IO-Socket-INET6-2.56-4.el6.noarch
perl-Digest-HMAC-1.01-22.el6.noarch
perl-UNIVERSAL-isa-1.03-1.el6.noarch
perl-HTML-Parser-3.64-2.el6.x86_64
perl-XML-Parser-2.36-7.el6.x86_64
perl-TimeDate-1.16-13.el6.noarch
perl-Package-Constants-0.02-136.el6_6.1.x86_64
perl-Net-LibIDN-0.12-3.el6.x86_64
mod_perl-2.0.4-11.el6_5.x86_64
perl-YAML-Syck-1.07-4.el6.x86_64
perl-Mail-Sendmail-0.79-12.el6.noarch
perl-GDTextUtil-0.86-15.el6.noarch
perl-Net-SSLeay-1.35-9.el6.x86_64
perl-Crypt-OpenSSL-Bignum-0.04-8.1.el6.x86_64
perl-Mail-DKIM-0.37-2.el6.noarch
perl-NetAddr-IP-4.027-7.el6.x86_64
perl-Date-Manip-6.24-1.el6.noarch
perl-Pod-Escapes-1.04-136.el6_6.1.x86_64
perl-libs-5.10.1-136.el6_6.1.x86_64
perl-devel-5.10.1-136.el6_6.1.x86_64
perl-IO-Compress-Base-2.021-136.el6_6.1.x86_64
perl-DBD-MySQL-4.013-3.el6.x86_64
perl-UNIVERSAL-can-1.15-1.el6.noarch
perl-Geo-IP-1.38-6.el6.x86_64
perl-Digest-SHA1-2.12-2.el6.x86_64
perl-GD-2.44-3.el6.x86_64
perl-Test-MockObject-1.09-4.el6.noarch
perl-libwww-perl-5.833-2.el6.noarch
perl-Archive-Tar-1.58-136.el6_6.1.x86_64
perl-Crypt-OpenSSL-Random-0.04-9.1.el6.x86_64
perl-BSD-Resource-1.29.03-3.el6.x86_64
Thanks for any help you can provide.
PS: I can scan test files (eicars.txt) with clamscan and clamdscan without any issues (both commands identify the file as a virus). Also spamd is working fine as well. I'm seeing emails properly being flagged as spam and written to the .spam directories. The problem is there is no header indication that clam is scanning and if I use an eicars test site to send myself the test virus, it goes straight to my inbox. The maillog shows that spamd does process the email, but clamd never does.
From eicar@aleph-tec.com Sun Apr 19 17:11:11 2015
Subject: EICAR anti-virus test file:
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477871. 2526
Time:1429477871 From:eicar@aleph-tec.com To:admin@a_domain_name.com User:a_user-a_domain_name.com Size:2577 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477871.29567_0.box19.a_host_name.com Mode:None
From eicar@aleph-tec.com Sun Apr 19 17:11:10 2015
Subject: EICAR anti-virus test file:
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477880. 4784
Time:1429477880 From:eicar@aleph-tec.com To:admin@a_domain_name.com User:a_user-a_domain_name.com Size:4835 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477880.29532_0.box19.a_host_name.com Mode:None
From root@box19.a_host_name.com Sun Apr 19 17:12:01 2015
Subject: Cron <user_dir_2@box19> php -q /home/user_dir_2/public_html/pipe/pop.php
Folder: /home/user_dir_2/Maildir/new/1429477922.29668_0.box19.a_host_name 2384
Time:1429477922 From:root@box19.a_host_name.com To:user_dir_2@box19.a_host_name.com User:user_dir_2 Size:2448 Dest:/home/user_dir_2/Maildir/new/1429477922.29668_0.box19.a_host_name.com Mode:None
From root@box19.a_host_name.com Sun Apr 19 17:13:02 2015
Subject: Cron <user_dir_2@box19> php -q /home/user_dir_2/public_html/pipe/pop.php
Folder: /home/user_dir_2/Maildir/new/1429477982.29795_0.box19.a_host_name 2384
Time:1429477983 From:root@box19.a_host_name.com To:user_dir_2@box19.a_host_name.com User:user_dir_2 Size:2448 Dest:/home/user_dir_2/Maildir/new/1429477982.29795_0.box19.a_host_name.com Mode:None
From server@box20.a_host_name.com Sun Apr 19 17:13:02 2015
Subject: lfd on box20.a_host_name.com: Suspicious File Alert
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477983. 1209
Time:1429477983 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1275 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477983.29811_0.box19.a_host_name.com Mode:None
From server@box20.a_host_name.com Sun Apr 19 17:13:02 2015
Subject: lfd on box20.a_host_name.com: Suspicious File Alert
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477983. 1193
Time:1429477983 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1259 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477983.29827_0.box19.a_host_name.com Mode:None
From server@box20.a_host_name.com Sun Apr 19 17:13:03 2015
Subject: lfd on box20.a_host_name.com: Suspicious File Alert
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477983. 1194
Time:1429477983 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1260 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477983.29879_0.box19.a_host_name.com Mode:None
From server@box20.a_host_name.com Sun Apr 19 17:13:03 2015
Subject: lfd on box20.a_host_name.com: Suspicious File Alert
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477983. 1193
Time:1429477983 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1259 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477983.29894_0.box19.a_host_name.com Mode:None
From server@box20.a_host_name.com Sun Apr 19 17:13:03 2015
Subject: lfd on box20.a_host_name.com: Suspicious File Alert
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477983. 1193
Time:1429477984 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1259 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477983.29930_0.box19.a_host_name.com Mode:None
From server@box20.a_host_name.com Sun Apr 19 17:13:03 2015
Subject: lfd on box20.a_host_name.com: Suspicious File Alert
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477984. 1209
Time:1429477984 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1275 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477984.29943_0.box19.a_host_name.com Mode:None
From server@box20.a_host_name.com Sun Apr 19 17:13:04 2015
Subject: lfd on box20.a_host_name.com: Suspicious File Alert
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477984. 1209
Time:1429477984 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1275 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477984.29978_0.box19.a_host_name.com Mode:None
From server@box20.a_host_name.com Sun Apr 19 17:13:04 2015
Subject: lfd on box20.a_host_name.com: Suspicious File Alert
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477984. 1193
Time:1429477984 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1259 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477984.29991_0.box19.a_host_name.com Mode:None
From server@box20.a_host_name.com Sun Apr 19 17:13:04 2015
Subject: lfd on box20.a_host_name.com: Suspicious File Alert
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477984. 1193
Time:1429477984 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1259 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477984.30015_0.box19.a_host_name.com Mode:None
From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:06 2015
Subject: Email Security Check: Please confirm your registration
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477987. 8114
Time:1429477987 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:8182 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477987.30054_0.box19.a_host_name.com Mode:None
From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:16 2015
Subject: Test mail 1/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477996. 1837
Time:1429477996 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1905 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477996.30087_0.box19.a_host_name.com Mode:None
procmail: Program failure (1) of "/etc/webmin/virtual-server/clam-wrapper.pl"
From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:16 2015
Subject: Test mail 2/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
Folder: /dev/null 1869
Time:1429477996 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1869 Dest:/dev/null Mode:Virus
From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:16 2015
Subject: [SPAM] Test mail 3/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
Folder: /home/user_dir/homes/a_user/Maildir/.spam/new/14294 1998
Time:1429477997 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:2066 Dest:/home/user_dir/homes/a_user/Maildir/.spam/new/1429477997.30128_0.box19.a_host_name.com Mode:Spam
From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:16 2015
Subject: Test mail 4/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477997. 1913
Time:1429477997 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1981 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477997.30138_0.box19.a_host_name.com Mode:None
From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:17 2015
Subject: Test mail 6/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477998. 1842
Time:1429477998 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1910 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477998.30188_0.box19.a_host_name.com Mode:None
From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:18 2015
Subject: Test mail 7/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477998. 1861
Time:1429477998 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1929 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477998.30231_0.box19.a_host_name.com Mode:None
From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:17 2015
Subject: Test mail 5/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
Folder: /home/user_dir/homes/a_user/Maildir/new/1429477998. 1841
Time:1429477998 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1909 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477998.30183_0.box19.a_host_name.com Mode:None
There you can see these test viruses passing right through procmail without any issue whatsoever.
Found the issue... If the setting "Allow mailbox users to create mail filters?" (Yes / No) is set to "YES", it will stop all virus scanning for every domain.
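
An added example (not part of the original post, and not Virtualmin's own code): a small audit of the procmail log format shown above that counts the `Mode:` values, collects `Program failure` lines, and lists test messages that were delivered without a Virus verdict. The sample log, its hosts and user are constructed, and `audit` and `test_marker` are hypothetical names.

```python
import re
from collections import Counter

# Per-delivery summary line, in the shape shown in the log excerpts above.
SUMMARY = re.compile(
    r"^Time:(?P<time>\d+) From:(?P<sender>\S*) To:(?P<rcpt>\S*) "
    r"User:(?P<user>\S*) Size:(?P<size>\d+) Dest:(?P<dest>.*?) Mode:(?P<mode>\S+)$")
FAILURE = re.compile(r'^procmail: Program failure \((\d+)\) of "([^"]+)"')

# Constructed sample (hypothetical hosts and user), not taken from a real server.
SAMPLE_LOG = """\
From tester@example.org Sun Apr 19 17:11:11 2015
 Subject: EICAR anti-virus test file:
Time:1429477871 From:tester@example.org To:admin@example.com User:demo Size:2577 Dest:/home/demo/Maildir/new/1.mail.example.com Mode:None
procmail: Program failure (1) of "/etc/webmin/virtual-server/clam-wrapper.pl"
From tester@example.org Sun Apr 19 17:13:16 2015
 Subject: Test mail 2/7
Time:1429477996 From:tester@example.org To:admin@example.com User:demo Size:1869 Dest:/dev/null Mode:Virus
From tester@example.org Sun Apr 19 17:13:16 2015
 Subject: [SPAM] Test mail 3/7
Time:1429477997 From:tester@example.org To:admin@example.com User:demo Size:2066 Dest:/home/demo/Maildir/.spam/new/2.mail.example.com Mode:Spam
"""

def audit(log_text, test_marker="EICAR"):
    """Count delivery modes, collect filter failures, and list test messages
    (subject contains test_marker) that were delivered without a Virus verdict."""
    modes, failures, missed, subject = Counter(), [], [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Subject:"):
            subject = line[len("Subject:"):].strip()
        elif (m := FAILURE.match(line)):
            failures.append((m.group(2), int(m.group(1))))
        elif (m := SUMMARY.match(line)):
            modes[m["mode"]] += 1
            if test_marker.lower() in subject.lower() and m["mode"] != "Virus":
                missed.append((m["user"], subject, m["dest"]))
            subject = ""  # a summary line closes the current message
    return {"modes": dict(modes), "failures": failures, "missed": missed}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(report["modes"])
    for user, subj, dest in report["missed"]:
        print(f"UNSCANNED test mail for {user}: {subj!r} -> {dest}")
    for prog, code in report["failures"]:
        print(f"filter failed ({code}): {prog}")
```

Running it against `/var/log/procmail.log` after sending a test message gives a quick check that a settings change has not silently taken the scanner out of the delivery path.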