[Rspamd-Users] New to rspamd

Ian Springett ian.springett at giacom.com
Wed Feb 6 13:32:33 UTC 2019


Debug was set to:

debug_modules = ["lua", "lua_tcp", "antivirus"]

output was:

2019-01-31 11:36:07 #25850(rspamd_proxy) <3cb69d>; proxy; proxy_milter_finish_handler: finished milter connection
2019-01-31 11:36:07 #25850(rspamd_proxy) <917bae>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 46564
2019-01-31 11:36:07 #25850(rspamd_proxy) <917bae>; milter; rspamd_milter_process_command: got connection from 46.175.55.200:43526
2019-01-31 11:36:07 #25854(normal) <c1a793>; task; accept_socket: accepted connection from ::1 port 0, task ptr: 00007FD9561D5D00
2019-01-31 11:36:07 #25854(normal) <c1a793>; task; rspamd_message_parse: loaded message; id: <71ee268adc104e7db799dacc848d3676 at cloudplatform4.com>; queue-id: <B288B60129DA8>; size: 2912; checksum: <c17d433e4690e7b5037d0b400abdd126>
2019-01-31 11:36:07 #25854(normal) <c1a793>; lua; settings.lua:358: check for settings
2019-01-31 11:36:07 #25854(normal) <c1a793>; task; rspamd_mime_text_part_utf8_convert: converted from ISO_8859-1:1987 to UTF-8 inlen: 5, outlen: 5 (5 UTF16 chars)
2019-01-31 11:36:07 #25854(normal) <c1a793>; task; rspamd_mime_text_part_utf8_convert: converted from ISO_8859-1:1987 to UTF-8 inlen: 380, outlen: 380 (380 UTF16 chars)
2019-01-31 11:36:07 #25854(normal) <c1a793>; surbl; surbl_test_url: disable surbl multi.uribl.com as it is reported to be offline
2019-01-31 11:36:08 #25854(normal) <c1a793>; task; rspamd_redis_connected: error getting reply from redis server localhost: Connection refused
2019-01-31 11:36:08 #25854(normal) <c1a793>; task; rspamd_redis_processed: error getting reply from redis server localhost: Connection refused
2019-01-31 11:36:08 #25854(normal) <c1a793>; lua; greylist.lua:260: Score too low - skip greylisting
2019-01-31 11:36:08 #25854(normal) <c1a793>; lua; history_redis.lua:97: got error Connection refused when writing history row: no value
2019-01-31 11:36:08 #25854(normal) <c1a793>; task; rspamd_task_write_log: id: <71ee268adc104e7db799dacc848d3676 at cloudplatform4.com>, qid: <B288B60129DA8>, ip: 46.175.55.200, from: <Administrator at cloudplatform4.com>, (default: F (no action): [0.40/15.00] [HFILTER_HELO_IP_A(1.00){cp4-rly-01.localdomain;},DMARC_POLICY_ALLOW(-0.50){cloudplatform4.com;reject;},HFILTER_HELO_NORES_A_OR_MX(0.30){cp4-rly-01.localdomain;},R_DKIM_ALLOW(-0.20){cloudplatform4.com:s=default;},R_SPF_ALLOW(-0.20){+ip4:46.175.55.200;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},RCVD_NO_TLS_LAST(0.10){},ARC_NA(0.00){},ASN(0.00){asn:203067, ipnet:46.175.55.0/24, country:GB;},DKIM_TRACE(0.00){cloudplatform4.com:+;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_XOIP(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;},PREVIOUSLY_DELIVERED(0.00){ian.springett at giacom.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_FIVE(0.00){6;},TO_DN_EQ_ADDR_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 2912, time: 250.195ms real, 7.135ms virtual, dns req: 32, digest: <c17d433e4690e7b5037d0b400abdd126>, rcpts: <ian.springett at giacom.com>, mime_rcpts: <ian.springett at giacom.com>
2019-01-31 11:36:08 #25854(normal) <c1a793>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 180 regexps total, 93 regexps cached, 0B bytes scanned using pcre, 2.90k bytes scanned total
2019-01-31 11:36:08 #25850(rspamd_proxy) <100c3b>; proxy; proxy_milter_finish_handler: finished milter connection
2019-01-31 11:36:09 #25854(normal) rspamd_redis_stat_keys: cannot get keys to gather stat: Connection refused
2019-01-31 11:36:09 #25853(normal) rspamd_redis_stat_keys: cannot get keys to gather stat: Connection refused
2019-01-31 11:36:11 #25851(controller) rspamd_redis_stat_keys: cannot get keys to gather stat: Connection refused
2019-01-31 11:36:16 #25850(rspamd_proxy) <d854d3>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 46586
2019-01-31 11:36:16 #25850(rspamd_proxy) <d854d3>; milter; rspamd_milter_process_command: got connection from 10.200.10.10:12133
2019-01-31 11:36:16 #25850(rspamd_proxy) <d854d3>; proxy; proxy_milter_finish_handler: finished milter connection

-----Original Message-----
From: Users <users-bounces at lists.rspamd.com> On Behalf Of Manuel Garbin
Sent: 06 February 2019 13:19
To: User questions <users at lists.rspamd.com>
Subject: Re: [Rspamd-Users] New to rspamd

Have you tried to enable debug on this module? (/etc/rspamd/local.d/logging.inc -> debug_modules = ["antivirus"]; or level = "debug";) Have you tried to sniff network traffic on port 3310?


----- Original message -----
From: "Ian Springett" <ian.springett at giacom.com>
To: "User questions" <users at lists.rspamd.com>
Sent: Wednesday, 6 February 2019 10:58:44
Subject: Re: [Rspamd-Users] New to rspamd

Outlook autocorrect feature!

It is /local.d/antivirus.conf

-----Original Message-----
From: Users <users-bounces at lists.rspamd.com> On Behalf Of Manuel Garbin
Sent: 06 February 2019 09:57
To: User questions <users at lists.rspamd.com>
Subject: Re: [Rspamd-Users] [ext] Re: New to rspamd

Hi Ian,
change the file name to antivirus.conf (all lowercase)

----- Original message -----
From: "Ian Springett" <ian.springett at giacom.com>
To: "User questions" <users at lists.rspamd.com>
Sent: Wednesday, 6 February 2019 10:43:58
Subject: Re: [Rspamd-Users] [ext] Re:  New to rspamd

This is what I have in place, and it does not work. There is nothing in any logs that even suggests the AV engine has been invoked:

Local.d//Antivirus.conf

clamav {
  action = "reject";
  message = '${SCANNER}: virus found: "${VIRUS}"';
  symbol = "CLAM_VIRUS";
  type = "clamav";
  log_clean = true;
  servers = "127.0.0.1:3310";
  patterns {
    # symbol_name = "pattern";
    JUST_EICAR = '^Eicar-Test-Signature$';
  }
  whitelist = "/etc/rspamd/antivirus.wl";
}

Ss -latn
LISTEN      0      128                                                                   127.0.0.1:3310                                                                                      *:*

-----Original Message-----
From: Users <users-bounces at lists.rspamd.com> On Behalf Of Ralf Hildebrandt
Sent: 06 February 2019 09:29
To: users at lists.rspamd.com
Subject: Re: [Rspamd-Users] [ext] Re: New to rspamd

* Ian Springett <ian.springett at giacom.com>:

> Clamav integration is documented but doesn't work as advertised. 

...

> To wit:
> 
> where is the clamav integration covered?  I have looked at:
> 
> https://rspamd.com/doc/modules/antivirus.html

All I did in /etc/rspamd/local.d/antivirus.conf was:

first {
  action = "reject";
    
  scan_mime_parts = true;
  scan_text_mime = true;
  scan_image_mime = true;
	    
  symbol = "CLAM_VIRUS";
  type = "clamav";
  log_clean = false;
  timeout = 30.0;
  retransmits = 4;
  servers = "127.0.0.1:3310";
  patterns = [{SANE_MAL = 'Sanesecurity\.Malware\.*'}, {CLAM_UNOFFICIAL = 'UNOFFICIAL$'}, {CLAM_OLE2_VBA_MACRO = '^Heuristics\.OLE2\.ContainsMacros$'}];
  whitelist = "/etc/rspamd/antivirus.wl";
}

The section is called "first", since I have a second scanner.
I use patterns to transform the "unofficial" clamav signatures into symbols.

I had to make clamd listen on a TCP socket:

# netstat -tulpen |fgrep 3310
tcp        0      0 127.0.0.1:3310          0.0.0.0:* LISTEN      106        712192245  35943/clamd  

clamd.conf:

...
LocalSocket /var/run/clamav/clamd.ctl
TCPAddr localhost
TCPSocket 3310
FixStaleSocket true
...

Can't help you with SELinux, though.

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebrandt at charite.de        Campus Benjamin Franklin
https://www.charite.de             Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
--
Users mailing list
Users at lists.rspamd.com
https://lists.rspamd.com/mailman/listinfo/users
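
Related to the suggestion in the thread to look at traffic on port 3310: the following is an added example (not from any poster and not rspamd project code) that speaks clamd's TCP protocol directly, so the scanner on 127.0.0.1:3310 can be checked independently of rspamd. Function names and the chunk size are choices made for this example; host, port and the signature name are the values shown in the configs above.

```python
"""Talk to clamd over TCP directly, bypassing rspamd (added example)."""
import socket
import struct
import sys

CHUNK = 4096  # bytes per INSTREAM chunk (example choice)

def instream_frames(data: bytes) -> bytes:
    # Wire format: 'zINSTREAM\0', then <4-byte big-endian length><chunk>
    # repeated, terminated by a zero-length chunk.
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), CHUNK):
        chunk = data[i:i + CHUNK]
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def parse_reply(raw: bytes):
    """Map a clamd reply to (status, signature_or_detail)."""
    text = raw.rstrip(b"\0\n").decode("ascii", "replace")
    body = text.split(": ", 1)[-1]  # drop the 'stream: ' prefix if present
    if body.endswith(" FOUND"):
        return "FOUND", body[:-len(" FOUND")]
    if body == "OK":
        return "OK", None
    return "ERROR", body

def clamd_command(payload: bytes, host="127.0.0.1", port=3310,
                  timeout=10.0) -> bytes:
    """Send one z-prefixed command and read the NUL-terminated reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:  # peer closed before sending the terminator
                break
            reply += part
    return reply

if __name__ == "__main__":
    # Usage: python3 clamd_check.py /path/to/sample
    print("PING ->", clamd_command(b"zPING\0"))  # a healthy clamd answers PONG
    with open(sys.argv[1], "rb") as fh:
        frames = instream_frames(fh.read())
    print("scan ->", parse_reply(clamd_command(frames)))
```

If this gets PONG and a scan verdict while the rspamd log still shows no antivirus lines, clamd is reachable and the problem is on the rspamd configuration side.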