[Rspamd-Users] New to rspamd
Ian Springett
ian.springett at giacom.com
Wed Feb 6 13:32:33 UTC 2019
Debug was set to:
debug_modules = ["lua", "lua_tcp", "antivirus"]
output was:
2019-01-31 11:36:07 #25850(rspamd_proxy) <3cb69d>; proxy; proxy_milter_finish_handler: finished milter connection
2019-01-31 11:36:07 #25850(rspamd_proxy) <917bae>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 46564
2019-01-31 11:36:07 #25850(rspamd_proxy) <917bae>; milter; rspamd_milter_process_command: got connection from 46.175.55.200:43526
2019-01-31 11:36:07 #25854(normal) <c1a793>; task; accept_socket: accepted connection from ::1 port 0, task ptr: 00007FD9561D5D00
2019-01-31 11:36:07 #25854(normal) <c1a793>; task; rspamd_message_parse: loaded message; id: <71ee268adc104e7db799dacc848d3676 at cloudplatform4.com>; queue-id: <B288B60129DA8>; size: 2912; checksum: <c17d433e4690e7b5037d0b400abdd126>
2019-01-31 11:36:07 #25854(normal) <c1a793>; lua; settings.lua:358: check for settings
2019-01-31 11:36:07 #25854(normal) <c1a793>; task; rspamd_mime_text_part_utf8_convert: converted from ISO_8859-1:1987 to UTF-8 inlen: 5, outlen: 5 (5 UTF16 chars)
2019-01-31 11:36:07 #25854(normal) <c1a793>; task; rspamd_mime_text_part_utf8_convert: converted from ISO_8859-1:1987 to UTF-8 inlen: 380, outlen: 380 (380 UTF16 chars)
2019-01-31 11:36:07 #25854(normal) <c1a793>; surbl; surbl_test_url: disable surbl multi.uribl.com as it is reported to be offline
2019-01-31 11:36:08 #25854(normal) <c1a793>; task; rspamd_redis_connected: error getting reply from redis server localhost: Connection refused
2019-01-31 11:36:08 #25854(normal) <c1a793>; task; rspamd_redis_processed: error getting reply from redis server localhost: Connection refused
2019-01-31 11:36:08 #25854(normal) <c1a793>; lua; greylist.lua:260: Score too low - skip greylisting
2019-01-31 11:36:08 #25854(normal) <c1a793>; lua; history_redis.lua:97: got error Connection refused when writing history row: no value
2019-01-31 11:36:08 #25854(normal) <c1a793>; task; rspamd_task_write_log: id: <71ee268adc104e7db799dacc848d3676 at cloudplatform4.com>, qid: <B288B60129DA8>, ip: 46.175.55.200, from: <Administrator at cloudplatform4.com>, (default: F (no action): [0.40/15.00] [HFILTER_HELO_IP_A(1.00){cp4-rly-01.localdomain;},DMARC_POLICY_ALLOW(-0.50){cloudplatform4.com;reject;},HFILTER_HELO_NORES_A_OR_MX(0.30){cp4-rly-01.localdomain;},R_DKIM_ALLOW(-0.20){cloudplatform4.com:s=default;},R_SPF_ALLOW(-0.20){+ip4:46.175.55.200;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},RCVD_NO_TLS_LAST(0.10){},ARC_NA(0.00){},ASN(0.00){asn:203067, ipnet:46.175.55.0/24, country:GB;},DKIM_TRACE(0.00){cloudplatform4.com:+;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_XOIP(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;},PREVIOUSLY_DELIVERED(0.00){ian.springett at giacom.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_FIVE(0.00){6;},TO_DN_EQ_ADDR_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 2912, time: 250.195ms real, 7.135ms virtual, dns req: 32, digest: <c17d433e4690e7b5037d0b400abdd126>, rcpts: <ian.springett at giacom.com>, mime_rcpts: <ian.springett at giacom.com>
2019-01-31 11:36:08 #25854(normal) <c1a793>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 180 regexps total, 93 regexps cached, 0B bytes scanned using pcre, 2.90k bytes scanned total
2019-01-31 11:36:08 #25850(rspamd_proxy) <100c3b>; proxy; proxy_milter_finish_handler: finished milter connection
2019-01-31 11:36:09 #25854(normal) rspamd_redis_stat_keys: cannot get keys to gather stat: Connection refused
2019-01-31 11:36:09 #25853(normal) rspamd_redis_stat_keys: cannot get keys to gather stat: Connection refused
2019-01-31 11:36:11 #25851(controller) rspamd_redis_stat_keys: cannot get keys to gather stat: Connection refused
2019-01-31 11:36:16 #25850(rspamd_proxy) <d854d3>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 46586
2019-01-31 11:36:16 #25850(rspamd_proxy) <d854d3>; milter; rspamd_milter_process_command: got connection from 10.200.10.10:12133
2019-01-31 11:36:16 #25850(rspamd_proxy) <d854d3>; proxy; proxy_milter_finish_handler: finished milter connection
-----Original Message-----
From: Users <users-bounces at lists.rspamd.com> On Behalf Of Manuel Garbin
Sent: 06 February 2019 13:19
To: User questions <users at lists.rspamd.com>
Subject: Re: [Rspamd-Users] New to rspamd
Have you tried to enable debug on this module? ( /etc/rspamd/local.d/logging.inc -> debug_modules = ["antivirus"]; or level = "debug"; ) Have you tried to sniff network traffic over 3310 port?
----- Messaggio originale -----
Da: "Ian Springett" <ian.springett at giacom.com>
A: "User questions" <users at lists.rspamd.com>
Inviato: Mercoledì, 6 febbraio 2019 10:58:44
Oggetto: Re: [Rspamd-Users] New to rspamd
Outlook autocorrect feature!
It is /local.d/antivirus.conf
-----Original Message-----
From: Users <users-bounces at lists.rspamd.com> On Behalf Of Manuel Garbin
Sent: 06 February 2019 09:57
To: User questions <users at lists.rspamd.com>
Subject: Re: [Rspamd-Users] [ext] Re: New to rspamd
Hi Ian,
change file name to antivirus.conf ( all lowercase )
----- Messaggio originale -----
Da: "Ian Springett" <ian.springett at giacom.com>
A: "User questions" <users at lists.rspamd.com>
Inviato: Mercoledì, 6 febbraio 2019 10:43:58
Oggetto: Re: [Rspamd-Users] [ext] Re: New to rspamd
This is what I have in place, and it does not work. There is nothing in any logs that even suggests the AV engine has been invoked:
Local.d//Antivirus.conf
clamav {
action = "reject";
message = '${SCANNER}: virus found: "${VIRUS}"';
symbol = "CLAM_VIRUS";
type = "clamav";
log_clean = true;
servers = "127.0.0.1:3310";
patterns {
# symbol_name = "pattern";
JUST_EICAR = '^Eicar-Test-Signature$';
}
whitelist = "/etc/rspamd/antivirus.wl"; }
Ss -latn
LISTEN 0 128 127.0.0.1:3310 *:*
-----Original Message-----
From: Users <users-bounces at lists.rspamd.com> On Behalf Of Ralf Hildebrandt
Sent: 06 February 2019 09:29
To: users at lists.rspamd.com
Subject: Re: [Rspamd-Users] [ext] Re: New to rspamd
* Ian Springett <ian.springett at giacom.com>:
> Clamav integration is documented but doesn't work as advertised.
...
> To wit:
>
> where is the clamav integration covered? I have looked at:
>
> https://rspamd.com/doc/modules/antivirus.html
All I did in /etc/rspamd/local.d/antivirus.conf was:
first {
action = "reject";
scan_mime_parts = true;
scan_text_mime = true;
scan_image_mime = true;
symbol = "CLAM_VIRUS";
type = "clamav";
log_clean = false;
timeout = 30.0;
retransmits = 4;
servers = "127.0.0.1:3310";
patterns = [{SANE_MAL = 'Sanesecurity\.Malware\.*'}, {CLAM_UNOFFICIAL = 'UNOFFICIAL$'}, {CLAM_OLE2_VBA_MACRO = '^Heuristics\.OLE2\.ContainsMacros$'}];
whitelist = "/etc/rspamd/antivirus.wl"; }
The section is called "first", since I have a second scanner.
I use patterns to transform the "unoffical" clamav signatures into symbols.
I had to make clamd listen on a TCP socket:
# netstat -tulpen |fgrep 3310
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 106 712192245 35943/clamd
clamd.conf:
...
LocalSocket /var/run/clamav/clamd.ctl
TCPAddr localhost
TCPSocket 3310
FixStaleSocket true
...
Can't help you with SELinux, though.
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt at charite.de Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
--
Users mailing list
Users at lists.rspamd.com
https://lists.rspamd.com/mailman/listinfo/users
--
Users mailing list
Users at lists.rspamd.com
https://lists.rspamd.com/mailman/listinfo/users
--
Users mailing list
Users at lists.rspamd.com
https://lists.rspamd.com/mailman/listinfo/users
--
Users mailing list
Users at lists.rspamd.com
https://lists.rspamd.com/mailman/listinfo/users
--
Users mailing list
Users at lists.rspamd.com
https://lists.rspamd.com/mailman/listinfo/users
More information about the Users
mailing list