[Avcheck] Starting problems

Michael Tokarev mjt@tls.msk.ru
Sun, 12 Aug 2001 23:16:36 +0400


Fridtjof Busse wrote:
> 
[]
> OK, the admin is now getting a virus warning.
> The problem is just that now the mail system sends me hundreds of
> warnings; I just deleted a "650 mails" queue.
> This shouldn't happen, there are more mails every second, until the
> system breaks down.
> What's going wrong?

There is a loop somewhere.  For now, I can't imagine where.
First of all, where did you place the "content_filter=" parameter --
in main.cf (global) or on smtpd's line in master.cf?

> If I comment out #sendrep f "" "$SENDER", everything works normally again.
> Just a little piece of /var/log/maillog (that was a 'tailf
> /var/log/maillog > log'!):
> 
> Aug 12 11:07:57 merlin postfix/cleanup[21978]: B9A63FBC1:
> message-id=<20010812090757.B9A63FBC1@merlin.fbunet.de>
> 
> Aug 12 11:07:57 merlin postfix/pipe[21979]: 7FB95FBC8:
> to=<MAILER-DAEMON@merlin.fbunet.de>, relay=avcheck, delay=0, status=sent
> (merlin.fbunet.de)

Woops.  Woops.  It sends mail to MAILER-DAEMON!
This is an issue Ralf mentioned in his HOWTO (about limitations).

> Aug 12 11:07:57 merlin postfix/pipe[21979]: 7FB95FBC8:
> to=<virus-admin@merlin.fbunet.de>, relay=avcheck, delay=0, status=sent
> (merlin.fbunet.de)
> 
> Aug 12 11:07:57 merlin postfix/qmgr[21961]: B9A63FBC1: from=<>,
> size=104942, nrcpt=2 (queue active)
> 
> Aug 12 11:07:57 merlin avcheck: infected:
> from=MAILER-DAEMON@merlin.fbunet.de to=MAILER-DAEMON@merlin.fbunet.de
> virus-admin@merlin.fbunet.de msg=infected: EICAR-Test-File

The message that was sent by avcheck is again passed to it.  A loop.
A bad loop.  Grrr...

Ok.  It seems that you have content_filter=avcheck in main.cf.
This is an interesting situation, perhaps a point I missed when I
split avpcheck into two components.

When you set content_filter=avcheck in main.cf, any mail that comes
into postfix will be queued for "inspection", except for any smtpd
configured in master.cf to specifically omit that inspection (so
that mail injected back into postfix from avcheck will not be
scanned again -- and non-infected mail goes this way).  But mail
generated by the `infected' script is injected back using the
standard sendmail command (the only way to go here).  The script
sends an alert that *is* infected; this message comes into postfix
with the "to check" label, and is passed back to avcheck...

I just can't imagine why and how it successfully sends the whole
infected message to the virus-admin address.  Maybe it tries to
send only the headers (the only case I can think of)?

I suggest you remove the global content_filter from main.cf
and move it into master.cf (add it to the normal smtpd, as
 smtp inet ... smtpd -o content_filter=avcheck
) as a temporary solution.  This way, mail injected using the
sendmail command will NOT be checked (and virus alerts too), but
mail that comes via smtp will.  In order to check all incoming
mail (including that which comes via the sendmail program), we
need to have other submission tools (avcheck itself has a
mini-smtp client, and it was used in the former avpcheck to
submit virus alerts too).  Well, this is a real problem...
(btw, in order to test if things will work, you'll need
to submit mail using smtp, e.g. from another machine).

I missed this point because I use content_inspector
instead of content_filter (good mail does not need to be
reinjected), and because I never check locally-submitted
mail.  My bad.

And also, the script should not attempt to send mail to mailer-daemon.
In infected.ex2 there is some code around this, but not in
infected.ex1.  In short: sendrep .. $SENDER should be wrapped in a
case statement, like this:

 case "$SENDER" in
   ""|MAILER-DAEMON@*) ;;         # null sender or mailer-daemon: do nothing
   *) sendrep f "" "$SENDER" ;;   # otherwise report back to the sender
 esac

(there are other places in infected.ex1 where $SENDER is used as an address).

Time to release a new version...  Oh, ma... :)

Regards,
 Michael.
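The master.cf arrangement Michael describes above, written out as an added example (this is not configuration shipped by avcheck or taken from the HOWTO): the global content_filter in main.cf is removed, the public SMTP listener requests inspection via a -o override, and the listener avcheck re-injects clean mail into overrides content_filter to empty so re-injected mail is not scanned a second time.  The re-injection port (10025) and the client restriction on it are assumptions; the `avcheck' pipe transport itself is not reproduced here.

```text
# main.cf: make sure there is NO global line like
#   content_filter = avcheck
# otherwise mail the `infected' script submits through sendmail(1)
# is queued for inspection too, scanned, found infected, and reported
# again -- the loop visible in the maillog excerpt above.

# master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================

# Public SMTP listener: only mail arriving here is handed to avcheck.
# Locally submitted mail (sendmail(1), including the virus alerts) is
# NOT inspected with this setup; that is the limitation noted above.
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=avcheck

# Re-injection listener for mail avcheck found clean.  Port 10025 is an
# assumption.  The empty content_filter override is the essential part:
# without it re-injected mail would go round again.  The restriction line
# is optional hardening so nobody else can feed unfiltered mail into this
# port (also an assumption, not from the original message).
localhost:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject

# The `avcheck' pipe transport (relay=avcheck in the log) stays as
# defined in the avcheck HOWTO; its command line is not shown here.
```

After changing master.cf, `postfix reload` and test by submitting a message over SMTP from another host, as the message says; a message submitted with sendmail(1) on merlin will bypass avcheck entirely with this configuration, so it is not a valid test of the filter.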