[Avcheck] Problem (what else?)

Michael Tokarev mjt@tls.msk.ru
Mon, 27 Aug 2001 20:35:27 +0400


"Milan P. Stanic" wrote:
> 
[]
> >> and excerpt from mail.log
> >> ----------------------------
> >> Aug 26 21:19:04 dl postfix/qmgr[2310]: 607E617BFD:
> >> from=<mps@rns-nis.co.yu>, size=597, nrcpt=1 (queue active)
> >> Aug 26 21:19:04 dl postfix/smtpd[2319]: disconnect from
> >> localhost[127.0.0.1]
> >> Aug 26 21:19:04 dl postfix/pipe[2315]: 641C217B3B:
> >> to=<mps@rns-nis.co.yu>,
> >> relay=avcheck, delay=38, status=sent (dl.rns-nis.co.yu)
> >> Aug 26 21:19:04 dl postfix/local[2321]: 607E617BFD:
> >> to=<mps@rns-nis.co.yu>,
> >> relay=local, delay=0, status=sent (mailbox)
> >> ----------------------------------------
> >>
> >> I don't understand why postfix sends it to the "local" relay?
> >
> > You posted somewhat incomplete log.  We see here two messages (actually
>
> Log is complete because I cleaned it before sending the test message. And these
> lines are the only relevant ones.

No it is incomplete.

You not provided an entry when 607E617BFD and 641C217B3B was received by postfix.
You not provided an entry when smtpd[2319] was started SMTP session (connect from ...)

I suspect that you first sent a test message, and *then* cleared the log,
not before.  This way, you can lose random pieces of the log.  With a complete
log, things will be clearer even for you yourself.
 
> > second one is reinjected back first) -- with ids 607E617BFD and
> > 607E617BFD. 607E617BFD sent to local mailbox (where it should be
> > delivered? I suppose it is your local domain, is it?) -- but it was
> 
> Yes, I'm using a single machine for testing, but it should work because I'm
> sending mail over smtp.

I told you that postfix should send that message using the "local" relay
(see above), and not that you should use more than one machine.  Please
don't mix different things ;)  Of course it is ok to use one machine.

[]
> With unmodified avcheck I didn't have any idea what could be wrong. When I

avcheck *always* writes *any* strange conditions to stderr, which is *always*
captured by pipe(8) and written to syslog.

> added syslog support I could see that avcheck works and that it communicates
> with AvpDaemon. And I liked the idea of seeing its state during execution.

Postfix logs are verbose already: pipe(8) logs that the message was sent
to avcheck -- this *almost* means it was successfully tested ("almost"
because in case of infected mail, your handler will be responsible for
doing something).  Well, it is ok if you like another line per message
in your maillog in addition to the extra 4 or 5 lines logged already... ;)

> > First, you said that your modified avcheck logs "unexpected return
> > code", but did not provide what code it received.  I strongly suggest
> > you use the unmodified one -- all required info will be available
> > anyway (no, I don't want to say that you did some bad things with the
> > code, but it was just unnecessary, and a *possible* source for other
> > errors).  And then post the message it logs (or the reason for the deferred
> > mail message).
> 
> No. I mean that I modified avcheck to test it. The logs and configs posted here
> were with the unmodified avcheck.

Ok.

> > Next, it is better to actually test your configuration manually.
> > The procedure is described inside the avcheck tarball.
> 
> As I said, I did it exactly as described in README.AVP. Up to that point all
> works as expected (and described). When I give the next command:
> 
> /var/spool/avp/uchroot -u avpc / /var/spool/avp/avcheck -n -f root -d
> /var/spool/avp/./tst -s avp:/var/spool/avp/ctl/AvpSocket root < eicar.txt
> 
> I got the line:
> 
> Message didn't pass the virus check: infected: EICAR-Test-File
> 
> So far, so good.
> 
> But, when I tried to set up postfix (as described in README.Postfix) it does
> not work.

So something doesn't work between postfix and avcheck, yes?

> Ralf Hildebrandt pointed me to try a zipped EICAR.TXT. Well, I zipped
> eicar.txt and sent it. And surprise, postfix+avcheck+AvpDaemon detected
> the virus.
> So the new question is: Why does it detect the virus in a zipped file but not
> if I send the same file as text?

This is inaccurate.  Things aren't like this.  AvpDaemon either detects the
non-zipped variant in both cases or does not detect it in both cases.
AvpDaemon either detects the zipped variant in both cases or does not detect
it in both cases (I mean: when executed manually or when executed by
postfix: those are the two cases).  No more, no less.  If it sometimes detects
something, and sometimes does not detect the same thing -- well, either your
system does not work, or AvpDaemon is damn buggy.  I'm against the last
case -- that version of AvpDaemon has worked here (and not only here) for a
long time without problems of this sort.  Or, another variant, your tests
are inaccurate.  I see no other reason for such strange behaviour.

Note the text in eicar.msg -- I created this file especially to be
recognized by avpdaemon (with the proper .com extension and content-type
things).  And it *is* recognized.  And it will be recognized in zipped
form as well, again, with the proper mime/uuencode/... things.

One idea.  Maybe this is all due to a line-endings problem of some
sort?  For example, extra CRs when you injected mail into postfix's
smtp?  Very unlikely, but still...  In this case, the last reason is
true: your tests were inaccurate.

I'm sorry but I have no other ideas.

And please excuse me if you feel I was too strong here -- that was
not to offend you, really.

Regards,
 Michael.
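The two things Michael asks for above, a manual scanner test with a known-good EICAR message and a check that the message injected over SMTP is byte-for-byte the same one (his "extra CRs" guess), can both be done on the test message itself before it goes anywhere near avcheck. The script below is an added example written for this thread; it is not part of avcheck, AvpDaemon, or either poster's mail. It builds a small constructed message carrying the standard EICAR string as an eicar.com attachment (the addresses and subject are placeholders), reports whether the raw bytes use LF, CRLF, a mix of both, or stray bare CRs, offers a safe CRLF normalisation, and confirms that the attachment still decodes to the exact EICAR bytes after the message is re-parsed. If the LF file and the CRLF form both classify cleanly and both decode to the same payload, a "detects it manually but not via postfix" result is not a line-endings artefact of the test itself.

```python
"""Line-ending sanity check for an EICAR test message.

Added example for this thread (not avcheck or AvpDaemon code). Checks that
the message a scanner is about to see has consistent line endings and that
the EICAR attachment survives MIME serialisation and re-parsing intact.
"""
import re
from typing import Optional
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import SMTP, default

# The standard EICAR anti-virus test string (harmless; scanners flag it on purpose).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_message(smtp_line_endings: bool = False) -> bytes:
    """Return a constructed multipart message with EICAR attached as eicar.com.

    smtp_line_endings=True serialises with CRLF, as an SMTP client must send
    it; False serialises with bare LF, as a local file piped into a scanner
    would normally hold it.  Addresses below are placeholders.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"       # placeholder
    msg["To"] = "recipient@example.invalid"      # placeholder
    msg["Subject"] = "EICAR line-ending test"
    msg.set_content("EICAR test file attached.\n")
    # .com filename and a binary content-type, so the scanner treats it as an executable
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                       filename="eicar.com")
    return msg.as_bytes(policy=SMTP if smtp_line_endings else default)


def classify_line_endings(raw: bytes) -> str:
    """Classify raw message bytes as 'lf', 'crlf', 'mixed', 'bare-cr' or 'none'."""
    crlf = raw.count(b"\r\n")
    bare_cr = len(re.findall(rb"\r(?!\n)", raw))     # CR not followed by LF
    bare_lf = len(re.findall(rb"(?<!\r)\n", raw))    # LF not preceded by CR
    if bare_cr:
        return "bare-cr"   # almost always an injection bug, never legitimate in mail
    if crlf and bare_lf:
        return "mixed"
    if crlf:
        return "crlf"
    if bare_lf:
        return "lf"
    return "none"


def to_crlf(raw: bytes) -> bytes:
    """Normalise any mix of CR, LF and CRLF to CRLF without doubling CRs."""
    return (raw.replace(b"\r\n", b"\n")
               .replace(b"\r", b"\n")
               .replace(b"\n", b"\r\n"))


def extract_attachment(raw: bytes) -> Optional[bytes]:
    """Re-parse the message and return the decoded bytes of its first attachment."""
    msg = message_from_bytes(raw, policy=default)
    for part in msg.iter_attachments():
        return part.get_payload(decode=True)
    return None


if __name__ == "__main__":
    for crlf in (False, True):
        raw = build_test_message(smtp_line_endings=crlf)
        intact = extract_attachment(raw) == EICAR
        print(f"line endings: {classify_line_endings(raw):8s} attachment intact: {intact}")
```

Run it on a captured message instead of the constructed one by reading the file as bytes and passing it to `classify_line_endings` and `extract_attachment`; a result of `bare-cr` or `mixed` from the SMTP-injected copy, with `lf` from the file fed to avcheck by hand, is exactly the discrepancy Michael describes.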