Clamd not activated

simred
Advanced member
Posts: 53
Joined: Wed Jun 28, 2017 9:40 am

Clamd not activated

Postby simred » Tue Nov 26, 2019 11:41 am

Hello,
we use ZCS 8.8.9_GA FOSS. We have a multi-node setup. We configured the topology so that some MTAs only receive external mail (they are behind a load balancer; I'll call them MTA-IN) and some other MTAs were configured to only send domain-originated email to the outside (I'll call them MTA-OUT).
We have a strange behavior on clamd. I'll explain two different scenarios.

Scenario 1. (MTA-OUT successfully detects the virus)
I use Zimbra webmail to send an email with a virus attached to an internal email address. The mail is successfully scanned by clamd and the virus is found. OK!

Nov 26 10:08:01 ml-mta02 amavis[1927]: (01927-01) Checking: R7nCF_-JFXZp ORIGINATING/MYNETS [192.168.6.6] <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>,<prova@test.com>
Nov 26 10:08:01 ml-mta02 clamd[3454]: /opt/zimbra/data/amavisd/tmp/amavis-20191126T100801-01927-VJXFb4_V/parts/p006: Rtf.Dropper.Agent-7389950-0 FOUND
...
Nov 26 10:08:02 ml-mta02 amavis[1927]: (01927-01) Blocked INFECTED (Rtf.Dropper.Agent-7389950-0) {DiscardedInternal,DiscardedOutbound,Quarantined}, ORIGINATING/MYNETS LOCAL [192.168.6.6]:45449 <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>,<prova@test.com>, quarantine: virus-quarantine.sr8zk46mge@ml-ldap01.yyyyyyyy.internal, Queue-ID: 3AD552605DC, Message-ID: <1529751224.15339103.1574759281018.JavaMail.zimbra@xxxxxxx.eu>, mail_id: R7nCF_-JFXZp, Hits: -, size: 1406159, 974 ms


Scenario 2. (MTA-IN does not detect the virus)
I send an email from an external MTA to Zimbra. The email was received by MTA-IN, but clamd was not activated and the virus was delivered to the inbox.

Nov 26 11:06:18 ml-mta03 amavis[29348]: (29348-02) Checking: sFbKnoM8UL7t [110.61.9.236] <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>,<prova@test.com>
...
Nov 26 11:06:19 ml-mta03 amavis[29348]: (29348-02) Passed CLEAN {RelayedInbound,RelayedOpenRelay}, [110.61.9.236]:47849 [110.61.9.236] <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>,<prova@test.com>, Queue-ID: 50890C0634, Message-ID: <5ddcf919.gcXNwxLYaDr/1qtb%sf2@xxxxxxx.eu>, mail_id: sFbKnoM8UL7t, Hits: 3.142, size: 1406540, queued_as: E6EAAC0637/09605C0639, 667 ms
Nov 26 11:06:19 ml-mta03 postfix/smtp[14758]: 50890C0634: to=<sf4@xxxxxxx.eu>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.32/0.01/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E6EAAC0637)

Attached you can find the MTA zimbra.log for both cases.

Please note that when manually scanning the email for viruses on ml-mta03 (MTA-IN), the virus is found by clamd:
[zimbra@ml-mta03 ~]$ /opt/zimbra/common/bin/clamscan --database=/opt/zimbra/data/clamav/db /tmp/PEDIDO16587.msg
/tmp/PEDIDO16587.msg: Rtf.Dropper.Agent-7389950-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6563646
Engine version: 0.99.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.96 MB
Data read: 0.98 MB (ratio 0.98:1)
Time: 66.162 sec (1 m 6 s)


Any help will be greatly appreciated.

tnx & br


simred
Advanced member
Posts: 53
Joined: Wed Jun 28, 2017 9:40 am

Re: Clamd not activated

Postby simred » Tue Nov 26, 2019 11:52 am

Hello,
I'm unable to upload the log file, so I will dump it here (MTA-OUT):

Nov 26 10:08:01 ml-mta02 postfix/postscreen[3799]: CONNECT from [192.168.6.6]:45449 to [192.168.4.2]:2500
Nov 26 10:08:01 ml-mta02 postfix/postscreen[3799]: WHITELISTED [192.168.6.6]:45449
Nov 26 10:08:01 ml-mta02 postfix/smtpd[10490]: connect from ml-store03.yyyyyyyy.internal[192.168.6.6]
Nov 26 10:08:01 ml-mta02 postfix/smtpd[10490]: NOQUEUE: filter: RCPT from ml-store03.yyyyyyyy.internal[192.168.6.6]: <sf2@xxxxxxx.eu>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<sf2@xxxxxxx.eu> to=<sf4@xxxxxxx.eu> proto=ESMTP helo=<ml-store03.yyyyyyyy.internal>
Nov 26 10:08:01 ml-mta02 postfix/smtpd[10490]: 3AD552605DC: client=ml-store03.yyyyyyyy.internal[192.168.6.6]
Nov 26 10:08:01 ml-mta02 postfix/cleanup[10511]: 3AD552605DC: message-id=<1529751224.15339103.1574759281018.JavaMail.zimbra@xxxxxxx.eu>
Nov 26 10:08:01 ml-mta02 postfix/qmgr[3763]: 3AD552605DC: from=<sf2@xxxxxxx.eu>, size=1406161, nrcpt=2 (queue active)
Nov 26 10:08:01 ml-mta02 postfix/smtpd[10490]: disconnect from ml-store03.yyyyyyyy.internal[192.168.6.6] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 26 10:08:01 ml-mta02 amavis[1927]: (01927-01) ESMTP :10026 /opt/zimbra/data/amavisd/tmp/amavis-20191126T100801-01927-VJXFb4_V: <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>,<prova@test.com> Received: from mta02.yyyyyyyy.com ([127.0.0.1]) by localhost (ml-mta02.yyyyyyyy.internal [127.0.0.1]) (amavisd-new, port 10026) with ESMTP; Tue, 26 Nov 2019 10:08:01 +0100 (CET)
Nov 26 10:08:01 ml-mta02 amavis[1927]: (01927-01) Checking: R7nCF_-JFXZp ORIGINATING/MYNETS [192.168.6.6] <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>,<prova@test.com>
Nov 26 10:08:01 ml-mta02 clamd[3454]: /opt/zimbra/data/amavisd/tmp/amavis-20191126T100801-01927-VJXFb4_V/parts/p006: Rtf.Dropper.Agent-7389950-0 FOUND
Nov 26 10:08:02 ml-mta02 clamd[3454]: /opt/zimbra/data/amavisd/tmp/amavis-20191126T100801-01927-VJXFb4_V/parts/p003: Rtf.Dropper.Agent-7389950-0 FOUND
Nov 26 10:08:02 ml-mta02 postfix/amavisd/smtpd[10911]: connect from localhost[127.0.0.1]
Nov 26 10:08:02 ml-mta02 postfix/amavisd/smtpd[10911]: 0854526064B: client=localhost[127.0.0.1]
Nov 26 10:08:02 ml-mta02 postfix/cleanup[10511]: 0854526064B: message-id=<1529751224.15339103.1574759281018.JavaMail.zimbra@xxxxxxx.eu>
Nov 26 10:08:02 ml-mta02 amavis[1927]: (01927-01) R7nCF_-JFXZp(R7nCF_-JFXZp) SEND from <> -> <virus-quarantine.sr8zk46mge@ml-ldap01.yyyyyyyy.internal>, ENVID=AM.R7nCF_-JFXZp.20191126T090802Z@ ... y.internal BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0854526064B
Nov 26 10:08:02 ml-mta02 postfix/qmgr[3763]: 0854526064B: from=<>, size=1406965, nrcpt=1 (queue active)
Nov 26 10:08:02 ml-mta02 postfix/amavisd/smtpd[10911]: 2B291260650: client=localhost[127.0.0.1]
Nov 26 10:08:02 ml-mta02 postfix/cleanup[10511]: 2B291260650: message-id=<VAR7nCF_-JFXZp@ml-mta02.yyyyyyyy.internal>
Nov 26 10:08:02 ml-mta02 postfix/qmgr[3763]: 2B291260650: from=<admin@ml-mta02.yyyyyyyy.internal>, size=2993, nrcpt=1 (queue active)
Nov 26 10:08:02 ml-mta02 amavis[1927]: (01927-01) YzK2lfYhB92Z(R7nCF_-JFXZp) SEND from <admin@ml-mta02.yyyyyyyy.internal> -> <admin@ml-mta02.yyyyyyyy.internal>, ENVID=AM.YzK2lfYhB92Z.20191126T090802Z@ ... y.internal 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2B291260650
Nov 26 10:08:02 ml-mta02 postfix/smtp[10517]: 2B291260650: to=<admin@ml-mta02.yyyyyyyy.internal>, relay=none, delay=0.03, delays=0.02/0.01/0/0, dsn=5.4.6, status=bounced (mail for ml-mta02.yyyyyyyy.internal loops back to myself)
Nov 26 10:08:02 ml-mta02 postfix/cleanup[10511]: 32D03260653: message-id=<20191126090802.32D03260653@mta02.yyyyyyyy.com>
Nov 26 10:08:02 ml-mta02 postfix/qmgr[3763]: 32D03260653: from=<>, size=5180, nrcpt=1 (queue active)
Nov 26 10:08:02 ml-mta02 postfix/bounce[10518]: 2B291260650: sender non-delivery notification: 32D03260653
Nov 26 10:08:02 ml-mta02 postfix/amavisd/smtpd[10911]: 392C8260658: client=localhost[127.0.0.1]
Nov 26 10:08:02 ml-mta02 postfix/qmgr[3763]: 2B291260650: removed
Nov 26 10:08:02 ml-mta02 postfix/cleanup[10511]: 392C8260658: message-id=<VRR7nCF_-JFXZp@ml-mta02.yyyyyyyy.internal>
Nov 26 10:08:02 ml-mta02 amavis[1927]: (01927-01) BtM1Z9jJX9ev(R7nCF_-JFXZp) SEND from <admin@ml-mta02.yyyyyyyy.internal> -> <sf4@xxxxxxx.eu>, ENVID=AM.BtM1Z9jJX9ev.20191126T090802Z@ ... y.internal 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 392C8260658
Nov 26 10:08:02 ml-mta02 postfix/qmgr[3763]: 392C8260658: from=<admin@ml-mta02.yyyyyyyy.internal>, size=1404, nrcpt=1 (queue active)
Nov 26 10:08:02 ml-mta02 postfix/smtp[10517]: 32D03260653: to=<admin@ml-mta02.yyyyyyyy.internal>, relay=none, delay=0.04, delays=0.03/0.01/0/0, dsn=5.4.6, status=bounced (mail for ml-mta02.yyyyyyyy.internal loops back to myself)
Nov 26 10:08:02 ml-mta02 postfix/qmgr[3763]: 32D03260653: removed
Nov 26 10:08:02 ml-mta02 amavis[1927]: (01927-01) Blocked INFECTED (Rtf.Dropper.Agent-7389950-0) {DiscardedInternal,DiscardedOutbound,Quarantined}, ORIGINATING/MYNETS LOCAL [192.168.6.6]:45449 <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>,<prova@test.com>, quarantine: virus-quarantine.sr8zk46mge@ml-ldap01.yyyyyyyy.internal, Queue-ID: 3AD552605DC, Message-ID: <1529751224.15339103.1574759281018.JavaMail.zimbra@xxxxxxx.eu>, mail_id: R7nCF_-JFXZp, Hits: -, size: 1406159, 974 ms
Nov 26 10:08:02 ml-mta02 postfix/smtp[10512]: 3AD552605DC: to=<sf4@xxxxxxx.eu>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.1, delays=0.11/0/0.02/0.96, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=01927-01 - INFECTED: Rtf.Dropper.Agent-7389950-0)
Nov 26 10:08:02 ml-mta02 postfix/smtp[10512]: 3AD552605DC: to=<prova@test.com>, orig_to=<sf4@xxxxxxx.eu>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.1, delays=0.11/0/0.02/0.96, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=01927-01 - INFECTED: Rtf.Dropper.Agent-7389950-0)
Nov 26 10:08:02 ml-mta02 postfix/qmgr[3763]: 3AD552605DC: removed
Nov 26 10:08:02 ml-mta02 amavis[1927]: (01927-01) extra modules loaded: /opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi/auto/Net/SSLeay/randomize.al, IO/Socket/SSL.pm, IO/Socket/SSL/PublicSuffix.pm, Mozilla/CA.pm, Net/SSLeay.pm
Nov 26 10:08:02 ml-mta02 postfix/lmtp[10516]: 392C8260658: to=<sf4@xxxxxxx.eu>, relay=ml-store02.yyyyyyyy.internal[192.168.5.6]:7025, delay=0.15, delays=0.03/0.01/0.05/0.06, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Nov 26 10:08:02 ml-mta02 postfix/qmgr[3763]: 392C8260658: removed
Nov 26 10:08:02 ml-mta02 postfix/lmtp[10519]: 0854526064B: to=<virus-quarantine.sr8zk46mge@ml-ldap01.yyyyyyyy.internal>, relay=ml-store01.yyyyyyyy.internal[192.168.4.6]:7025, delay=0.53, delays=0.12/0.01/0.06/0.34, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Nov 26 10:08:02 ml-mta02 postfix/qmgr[3763]: 0854526064B: removed
Nov 26 10:08:03 ml-mta02 postfix/postscreen[3799]: CONNECT from [192.168.4.2]:51091 to [192.168.5.34]:25
Nov 26 10:08:03 ml-mta02 postfix/postscreen[3799]: WHITELISTED [192.168.4.2]:51091
Nov 26 10:08:03 ml-mta02 postfix/smtpd[10490]: connect from ml-fe.yyyyyyyy.internal[192.168.4.2]
Nov 26 10:08:03 ml-mta02 postfix/smtpd[10490]: lost connection after CONNECT from ml-fe.yyyyyyyy.internal[192.168.4.2]
Nov 26 10:08:03 ml-mta02 postfix/smtpd[10490]: disconnect from ml-fe.yyyyyyyy.internal[192.168.4.2] commands=0/0
Nov 26 10:08:03 ml-mta02 zmconfigd[21915]: Fetching All configs
Nov 26 10:08:03 ml-mta02 zmconfigd[21915]: All configs fetched in 0.08 seconds
simred
Advanced member
Posts: 53
Joined: Wed Jun 28, 2017 9:40 am

Re: Clamd not activated

Postby simred » Tue Nov 26, 2019 11:52 am

Hello,
I'm unable to upload the log file, so I will dump it here (MTA-IN):

Nov 26 11:06:14 ml-mta03 postfix/postscreen[10700]: DISCONNECT [192.168.4.2]:39721
Nov 26 11:06:16 ml-mta03 postfix/postscreen[10700]: CONNECT from [192.168.4.2]:39725 to [192.168.4.42]:25
Nov 26 11:06:16 ml-mta03 postfix/postscreen[10700]: HANGUP after 0 from [192.168.4.2]:39725 in tests before SMTP handshake
Nov 26 11:06:16 ml-mta03 postfix/postscreen[10700]: DISCONNECT [192.168.4.2]:39725
Nov 26 11:06:18 ml-mta03 postfix/postscreen[10700]: CONNECT from [110.61.9.236]:47849 to [192.168.4.2]:25
Nov 26 11:06:18 ml-mta03 postfix/postscreen[10700]: PASS OLD [110.61.9.236]:47849
Nov 26 11:06:18 ml-mta03 postfix/smtpd[14756]: connect from unknown[110.61.9.236]
Nov 26 11:06:18 ml-mta03 postfix/smtpd[14756]: NOQUEUE: filter: RCPT from unknown[110.61.9.236]: <sf2@xxxxxxx.eu>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<sf2@xxxxxxx.eu> to=<sf4@xxxxxxx.eu> proto=ESMTP helo=<yyyyyyyy.com>
Nov 26 11:06:18 ml-mta03 postfix/smtpd[14756]: NOQUEUE: filter: RCPT from unknown[110.61.9.236]: <sf2@xxxxxxx.eu>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<sf2@xxxxxxx.eu> to=<sf4@xxxxxxx.eu> proto=ESMTP helo=<yyyyyyyy.com>
Nov 26 11:06:18 ml-mta03 postfix/smtpd[14756]: 50890C0634: client=unknown[110.61.9.236]
Nov 26 11:06:18 ml-mta03 postfix/cleanup[14055]: 50890C0634: message-id=<5ddcf919.gcXNwxLYaDr/1qtb%sf2@xxxxxxx.eu>
Nov 26 11:06:18 ml-mta03 postfix/qmgr[10698]: 50890C0634: from=<sf2@xxxxxxx.eu>, size=1406540, nrcpt=2 (queue active)
Nov 26 11:06:18 ml-mta03 postfix/smtpd[14756]: disconnect from unknown[110.61.9.236] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 26 11:06:18 ml-mta03 amavis[29348]: (29348-02) ESMTP :10024 /opt/zimbra/data/amavisd/tmp/amavis-20191126T105254-29348-UwBk10SQ: <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>,<prova@test.com> SIZE=1406540 Received: from mta03.yyyyyyyy.com ([127.0.0.1]) by localhost (ml-mta03.yyyyyyyy.internal [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Tue, 26 Nov 2019 11:06:18 +0100 (CET)
Nov 26 11:06:18 ml-mta03 postfix/postscreen[10700]: CONNECT from [110.61.9.236]:47850 to [192.168.4.2]:25
Nov 26 11:06:18 ml-mta03 postfix/postscreen[10700]: PASS OLD [110.61.9.236]:47850
Nov 26 11:06:18 ml-mta03 postfix/smtpd[14756]: connect from unknown[110.61.9.236]
Nov 26 11:06:18 ml-mta03 amavis[29348]: (29348-02) Checking: sFbKnoM8UL7t [110.61.9.236] <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>,<prova@test.com>
Nov 26 11:06:18 ml-mta03 amavis[29348]: (29348-02) Open relay? Nonlocal recips but not originating: prova@test.com
Nov 26 11:06:18 ml-mta03 postfix/smtpd[14756]: NOQUEUE: reject: RCPT from unknown[110.61.9.236]: 450 4.7.25 Client host rejected: cannot find your hostname, [110.61.9.236]; from=<> to=<sf2@xxxxxxx.eu> proto=ESMTP helo=<yyyyyyyy.com>
Nov 26 11:06:18 ml-mta03 postfix/smtpd[14756]: disconnect from unknown[110.61.9.236] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
Nov 26 11:06:18 ml-mta03 postfix/postscreen[10700]: CONNECT from [192.168.4.2]:39731 to [192.168.4.42]:25
Nov 26 11:06:18 ml-mta03 postfix/postscreen[10700]: HANGUP after 0 from [192.168.4.2]:39731 in tests before SMTP handshake
Nov 26 11:06:18 ml-mta03 postfix/postscreen[10700]: DISCONNECT [192.168.4.2]:39731
Nov 26 11:06:18 ml-mta03 postfix/amavisd/smtpd[14760]: connect from localhost[127.0.0.1]
Nov 26 11:06:18 ml-mta03 postfix/amavisd/smtpd[14760]: E6EAAC0637: client=localhost[127.0.0.1]
Nov 26 11:06:18 ml-mta03 postfix/cleanup[14055]: E6EAAC0637: message-id=<5ddcf919.gcXNwxLYaDr/1qtb%sf2@xxxxxxx.eu>
Nov 26 11:06:19 ml-mta03 postfix/qmgr[10698]: E6EAAC0637: from=<sf2@xxxxxxx.eu>, size=1407182, nrcpt=1 (queue active)
Nov 26 11:06:19 ml-mta03 amavis[29348]: (29348-02) sFbKnoM8UL7t FWD from <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E6EAAC0637
Nov 26 11:06:19 ml-mta03 postfix/amavisd/smtpd[14760]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 26 11:06:19 ml-mta03 postfix/amavisd/smtpd[14760]: connect from localhost[127.0.0.1]
Nov 26 11:06:19 ml-mta03 postfix/amavisd/smtpd[14760]: 09605C0639: client=localhost[127.0.0.1]
Nov 26 11:06:19 ml-mta03 postfix/cleanup[14055]: 09605C0639: message-id=<5ddcf919.gcXNwxLYaDr/1qtb%sf2@xxxxxxx.eu>
Nov 26 11:06:19 ml-mta03 amavis[29348]: (29348-02) sFbKnoM8UL7t FWD from <sf2@xxxxxxx.eu> -> <prova@test.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 09605C0639
Nov 26 11:06:19 ml-mta03 postfix/qmgr[10698]: 09605C0639: from=<sf2@xxxxxxx.eu>, size=1406974, nrcpt=1 (queue active)
Nov 26 11:06:19 ml-mta03 postfix/amavisd/smtpd[14760]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 26 11:06:19 ml-mta03 amavis[29348]: (29348-02) Passed CLEAN {RelayedInbound,RelayedOpenRelay}, [110.61.9.236]:47849 [110.61.9.236] <sf2@xxxxxxx.eu> -> <sf4@xxxxxxx.eu>,<prova@test.com>, Queue-ID: 50890C0634, Message-ID: <5ddcf919.gcXNwxLYaDr/1qtb%sf2@xxxxxxx.eu>, mail_id: sFbKnoM8UL7t, Hits: 3.142, size: 1406540, queued_as: E6EAAC0637/09605C0639, 667 ms
Nov 26 11:06:19 ml-mta03 postfix/smtp[14758]: 50890C0634: to=<sf4@xxxxxxx.eu>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.32/0.01/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E6EAAC0637)
Nov 26 11:06:19 ml-mta03 postfix/smtp[14758]: 50890C0634: to=<prova@test.com>, orig_to=<sf4@xxxxxxx.eu>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.32/0.01/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E6EAAC0637)
Nov 26 11:06:19 ml-mta03 postfix/qmgr[10698]: 50890C0634: removed
Nov 26 11:06:19 ml-mta03 postfix/lmtp[14058]: E6EAAC0637: to=<sf4@xxxxxxx.eu>, relay=ml-store02.yyyyyyyy.internal[192.168.5.6]:7025, delay=0.32, delays=0.08/0/0.06/0.18, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Nov 26 11:06:19 ml-mta03 postfix/qmgr[10698]: E6EAAC0637: removed
Nov 26 11:06:19 ml-mta03 postfix/smtp[14059]: 09605C0639: to=<prova@test.com>, relay=mx.spamexperts.com[130.117.249.136]:25, delay=0.52, delays=0.09/0/0.18/0.24, dsn=5.0.0, status=bounced (host mx.spamexperts.com[130.117.249.136] said: 550 no mailbox by that name is currently available (in reply to RCPT TO command))
Nov 26 11:06:19 ml-mta03 postfix/cleanup[14055]: 8F887C0637: message-id=<20191126100619.8F887C0637@mta03.yyyyyyyy.com>
Nov 26 11:06:19 ml-mta03 postfix/qmgr[10698]: 8F887C0637: from=<>, size=3051, nrcpt=1 (queue active)
Nov 26 11:06:19 ml-mta03 postfix/bounce[14062]: 09605C0639: sender non-delivery notification: 8F887C0637
Nov 26 11:06:19 ml-mta03 postfix/qmgr[10698]: 09605C0639: removed
Nov 26 11:06:19 ml-mta03 postfix/lmtp[14058]: 8F887C0637: to=<sf2@xxxxxxx.eu>, relay=ml-store03.yyyyyyyy.internal[192.168.6.6]:7025, delay=0.12, delays=0.01/0/0.05/0.06, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Nov 26 11:06:19 ml-mta03 postfix/qmgr[10698]: 8F887C0637: removed
Nov 26 11:06:20 ml-mta03 postfix/postscreen[10700]: CONNECT from [192.168.4.2]:39735 to [192.168.4.42]:25
Nov 26 11:06:20 ml-mta03 postfix/postscreen[10700]: HANGUP after 0 from [192.168.4.2]:39735 in tests before SMTP handshake
Nov 26 11:06:20 ml-mta03 postfix/postscreen[10700]: DISCONNECT [192.168.4.2]:39735
Nov 26 11:06:22 ml-mta03 postfix/postscreen[10700]: CONNECT from [192.168.4.2]:39740 to [192.168.4.42]:25
Nov 26 11:06:22 ml-mta03 postfix/postscreen[10700]: HANGUP after 0 from [192.168.4.2]:39740 in tests before SMTP handshake
Nov 26 11:06:22 ml-mta03 postfix/postscreen[10700]: DISCONNECT [192.168.4.2]:39740
Nov 26 11:06:24 ml-mta03 postfix/postscreen[10700]: CONNECT from [192.168.4.2]:39744 to [192.168.4.42]:25
Nov 26 11:06:24 ml-mta03 postfix/postscreen[10700]: HANGUP after 0 from [192.168.4.2]:39744 in tests before SMTP handshake
Nov 26 11:06:24 ml-mta03 postfix/postscreen[10700]: DISCONNECT [192.168.4.2]:39744
Nov 26 11:06:26 ml-mta03 postfix/postscreen[10700]: CONNECT from [192.168.4.2]:39748 to [192.168.4.42]:25
Nov 26 11:06:26 ml-mta03 postfix/postscreen[10700]: HANGUP after 0 from [192.168.4.2]:39748 in tests before SMTP handshake
Nov 26 11:06:26 ml-mta03 postfix/postscreen[10700]: DISCONNECT [192.168.4.2]:39748
Nov 26 11:06:28 ml-mta03 postfix/postscreen[10700]: CONNECT from [192.168.4.2]:39752 to [192.168.4.42]:25
Nov 26 11:06:28 ml-mta03 postfix/postscreen[10700]: HANGUP after 0 from [192.168.4.2]:39752 in tests before SMTP handshake


tnx & br
simred
Advanced member
Posts: 53
Joined: Wed Jun 28, 2017 9:40 am

Re: Clamd not activated

Postby simred » Thu Nov 28, 2019 5:08 pm

Hello,
I noticed an additional strange thing: mta-03 is able to launch clamav:

Nov 28 03:16:58 ml-mta03 amavis[5976]: (05976-11) ESMTP :10024 /opt/zimbra/data/amavisd/tmp/amavis-20191128T025425-05976-_8ZENUDO: <info@ccccccccc.com> -> <mihv8@vvvvvvvvvvvvv.it> SIZE=157736 Received: from mta03.vvvvvvvvvvvvv.com ([127.0.0.1]) by localhost (ml-mta03.vvvvvvvvvvvvv.internal [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <mihv8@vvvvvvvvvvvvv.it>; Thu, 28 Nov 2019 03:16:58 +0100 (CET)
Nov 28 03:16:58 ml-mta03 postfix/smtpd[22490]: disconnect from rs14.hosdepgo.com[13.128.189.242] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 28 03:16:59 ml-mta03 amavis[5976]: (05976-11) Checking: qY4v9KqfA_bz [138.128.189.242] <info@ccccccccc.com> -> <mihv8@vvvvvvvvvvvvv.it>
Nov 28 03:16:59 ml-mta03 clamd[3294]: /opt/zimbra/data/amavisd/tmp/amavis-20191128T025425-05976-_8ZENUDO/parts/p004: Doc.Downloader.Mruk-7411402-0 FOUND
Nov 28 03:16:59 ml-mta03 clamd[3294]: /opt/zimbra/data/amavisd/tmp/amavis-20191128T025425-05976-_8ZENUDO/parts/p002: Doc.Downloader.Mruk-7411402-0 FOUND

So, on ml-mta-03 the virus is found with a manual scan. However, the same virus is not found when it is in a mail. Other viruses are recognized by the same MTA, as you can see from the above logs.

tnx & br
simred
Advanced member
Posts: 53
Joined: Wed Jun 28, 2017 9:40 am

Re: Clamd not activated

Postby simred » Wed Dec 11, 2019 6:06 pm

Hello,
we solved it by manually downloading the fresh clamd DB: /opt/zimbra/common/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf

tnx & br
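A health check for the symptom in this thread (clamscan against the on-disk database finds the sample, the running clamd on the same node does not, and a manual freshclam fixes it), added here as an example and not code from the forum or from Zimbra: it compares the signature DB version clamd reports over its socket with the header of the daily database on disk and flags a daemon that has not reloaded or a database that is simply old. The TCP port 3310, the daily.cld file name under the forum's db directory and all sample values are assumptions.

```python
import re
import socket
from datetime import datetime

# Constructed sample inputs (not taken from the forum logs). A clamd VERSION reply has
# the form "ClamAV <engine>/<daily DB version>/<DB build date>"; a .cvd/.cld file starts
# with a 512-byte text header "ClamAV-VDB:<date>:<version>:<sigs>:<flevel>:<md5>:...".
SAMPLE_CLAMD_REPLY = "ClamAV 0.99.4/25400/Wed Apr 10 08:21:10 2019"
SAMPLE_CVD_HEADER = (b"ClamAV-VDB:26 Nov 2019 08-23 -0500:25637:2206452:63:"
                     b"d41d8cd98f00b204e9800998ecf8427e:dummysig:neo:1574774580").ljust(512, b" ")

def parse_clamd_version(reply):
    """Return (engine version, loaded signature DB version, DB build datetime)."""
    m = re.match(r"ClamAV ([\d.]+)/(\d+)/(.+)$", reply.strip())
    if not m:
        raise ValueError("unexpected VERSION reply: %r" % reply)
    built_at = datetime.strptime(m.group(3), "%a %b %d %H:%M:%S %Y")
    return m.group(1), int(m.group(2)), built_at

def parse_cvd_header(header):
    """Return build date, version and signature count recorded in a .cvd/.cld header."""
    fields = header[:512].decode("ascii", "replace").rstrip(" \0").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 4:
        raise ValueError("not a ClamAV database header")
    return {"built": fields[1], "version": int(fields[2]), "sigs": int(fields[3])}

def query_clamd_version(host="127.0.0.1", port=3310, timeout=5):
    """Ask a live clamd for VERSION (assumption: Zimbra's clamd listens on TCP 3310)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"nVERSION\n")
        return s.recv(256).decode("ascii", "replace")

def read_db_header(path="/opt/zimbra/data/clamav/db/daily.cld"):
    """Read the header of the on-disk daily DB (directory from the forum's clamscan run)."""
    with open(path, "rb") as f:
        return f.read(512)

def assess(clamd_reply, db_header, max_age_days=2, today=None):
    """Compare what clamd has loaded with what is on disk; return a list of findings.

    today is an optional "YYYY-MM-DD" string so the check can be replayed against old logs.
    """
    engine, loaded, built_at = parse_clamd_version(clamd_reply)
    on_disk = parse_cvd_header(db_header)["version"]
    now = datetime.strptime(today, "%Y-%m-%d") if today else datetime.now()
    findings = []
    if loaded < on_disk:
        # clamscan reads the on-disk DB on every run, so it detects what the daemon misses
        findings.append("clamd %s has DB %d loaded but disk has %d: daemon not reloaded"
                        % (engine, loaded, on_disk))
    if (now - built_at).days > max_age_days:
        findings.append("loaded DB built %s is older than %d days: run freshclam"
                        % (built_at.date(), max_age_days))
    return findings

if __name__ == "__main__":
    # Against a real node: assess(query_clamd_version(), read_db_header())
    for line in assess(SAMPLE_CLAMD_REPLY, SAMPLE_CVD_HEADER) or ["signature DB is current"]:
        print(line)
```

Run it from cron on every MTA node and alert on a non-empty result; the first finding is exactly the state where a manual clamscan succeeds while amavis reports "Passed CLEAN".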
