[Rspamd-Users] ICAP still not working

lutz.niederer at gmx.net lutz.niederer at gmx.net
Wed Aug 17 06:18:11 UTC 2022


Hi.

I started all over again with a fresh and clean install.

I am on jammy (22.04), installed the libs from focal (libicu66 & libssl1.1), and downloaded & installed the rspamd experimental deb package for focal (3.3-0).  I enabled very verbose operation and let it run.

The ICAP server is waiting for connections.  I verified that the ICAP server really works with c-icap-client and an eicar file.  Everything is fine.

Now I sent an email with eicar as body.  The ICAP server was not triggered in any way by rspamd.  This means that rspamd did not even try to contact the ICAP server.

Here comes the config:

# local.d/external_services.conf
icap {
  enabled = true;  # don't know if this is needed
  servers = "127.0.0.1:1344";
  user_agent = "agent_coulson";
  scheme = "respmod";
  x_client_header = true,
  x_rcpt_header = true,
  x_from_header = true,
  symbol = "ICAP_VIRUS";
  type = "icap";
  scan_mime_parts = true;
  scan_text_mime = true;
  scan_image_mime = true;
  action = "reject";
  log_clean = true;
  patterns {
    # symbol_name = "pattern";
    JUST_EICAR = '^Eicar-Test-Signature$';
  }
}


And this is what I see in rspamd.log:

2022-08-16 23:23:20 #26730(main) <79z7ay>; lua_redis; lua_redis.lua:476: cannot load redis server from obj: {[dcc] = {[whitelist] = /etc/rspamd/antivirus.wl, [patterns] = {}, [max_size] = 20000000}, [icap] = {[user_agent] = agent_coulson, [x_client_header] = true, [x_rcpt_header] = true, [x_from_header] = true, [servers] = 127.0.0.1:1344, [scan_mime_parts] = true, [log_clean] = true, [type] = icap, [enabled] = true, [patterns] = {[JUST_EICAR] = ^Eicar-Test-Signature$}, [scan_text_mime] = true, [symbol] = ICAP_VIRUS, [scheme] = respmod, [action] = reject, [scan_image_mime] = true}, [oletools] = {[whitelist] = /etc/rspamd/antivirus.wl, [mime_parts_filter_ext] = {[xltm] = xltm, [xlam] = xlam, [xlsb] = xlsb, [pot] = pot, [pps] = pps, [ppa] = ppa, [pptx] = pptx, [ppsx] = ppsx, [ppam] = ppam, [pptm] = pptm, [potm] = potm, [ppsm] = ppsm, [dot] = dot, [dotx] = dotx, [docm] = docm, [dotm] = dotm, [xlt] = xlt, [xla] = xla, [xltx] = xltx, [doc] = doc, [xls] = xls, [ppt] = ppt, [xlsx] = xlsx, [docx] = docx, [potx] = potx, [xlsm] = xlsm}, [patterns] = {}, [mime_parts_filter_regex] = {[DOC2] = application/msword, [DOC3] = application/vnd.ms-word.*, [XLS] = application/vnd.ms-excel.*, [GEN2] = application/vnd.openxmlformats-officedocument.*, [PPT] = application/vnd.ms-powerpoint.*}}}, processed to {[expand_keys] = false, [timeout] = 1, [read_only] = true}
2022-08-16 23:23:20 #26730(main) <79z7ay>; lua; lua_redis.lua:574: use default Redis settings for external_services
2022-08-16 23:23:20 #26730(main) <>; lua_redis; lua_redis.lua:381: reused redis server: {[write_servers] = rspamd{upstream_list}(00007F2083EB4C30), [read_servers] = rspamd{upstream_list}(00007F2083EB4BF0), [timeout] = 1, [read_servers_str] = localhost, [write_servers_str] = localhost, [expand_keys] = false, [read_only] = false}
2022-08-16 23:23:20 #26730(main) <hy8w5x>; upstream; rspamd_upstreams_add_upstream: added upstream 127.0.0.1:1344 (numeric ip)
2022-08-16 23:23:20 #26730(main) <79z7ay>; lua; external_services.lua:194: registered external services rule: symbol ICAP_VIRUS; type icap
2022-08-16 23:23:20 #26730(main) <79z7ay>; config; rspamd_config_new_symbol: registered symbol ICAP_VIRUS with weight 0.00 in and group external_services
2022-08-16 23:23:20 #26730(main) <79z7ay>; config; rspamd_config_new_symbol: registered symbol ICAP_VIRUS_FAIL with weight 0.00 in and group external_services
2022-08-16 23:23:20 #26730(main) <79z7ay>; config; rspamd_config_new_symbol: registered symbol ICAP_VIRUS_ENCRYPTED with weight 0.00 in and group external_services
2022-08-16 23:23:20 #26730(main) <79z7ay>; config; rspamd_config_new_symbol: registered symbol ICAP_VIRUS_MACRO with weight 0.00 in and group external_services
2022-08-16 23:23:20 #26730(main) <79z7ay>; config; rspamd_config_new_symbol: registered symbol JUST_EICAR with weight 0.00 in and group external_services
2022-08-16 23:23:20 #26730(main) <79z7ay>; cfg; rspamd_init_lua_filters: init lua module external_services from /usr/share/rspamd/plugins/external_services.lua; digest: 4ddcaf455d
[...]
2022-08-16 23:23:21 #26730(main) <79z7ay>; symcache; resort: visiting node: ICAP_VIRUS (0)
[...]
2022-08-16 23:23:21 #26730(main) <79z7ay>; symcache; validate: symbol ICAP_VIRUS is registered as ghost symbol, it won't be inserted to any metric
2022-08-16 23:23:21 #26730(main) <79z7ay>; symcache; validate: symbol ICAP_VIRUS_FAIL is registered as ghost symbol, it won't be inserted to any metric
2022-08-16 23:23:21 #26730(main) <79z7ay>; symcache; validate: symbol ICAP_VIRUS_ENCRYPTED is registered as ghost symbol, it won't be inserted to any metric
2022-08-16 23:23:21 #26730(main) <79z7ay>; symcache; validate: symbol ICAP_VIRUS_MACRO is registered as ghost symbol, it won't be inserted to any metric
2022-08-16 23:23:21 #26730(main) <79z7ay>; symcache; validate: symbol JUST_EICAR is registered as ghost symbol, it won't be inserted to any metric
[...]
>>>>>>  then I sent the email  <<<<<<
2022-08-16 23:24:34 #26734(normal) <db911a>; symcache; process_symbol: execute ICAP_VIRUS, 335; symbol type = filter
2022-08-16 23:24:34 #26734(normal) <db911a>; symcache; rspamd_symcache_item_async_inc_full: increase async events counter for ICAP_VIRUS(335) = 0 + 1; subsystem lua symbol (./src/lua/lua_config.c:1224)
2022-08-16 23:24:34 #26734(normal) <db911a>; symcache; rspamd_symcache_item_async_dec_full: increase async events counter for ICAP_VIRUS(335) = 1 + 1; subsystem lua symbol (./src/lua/lua_config.c:1337)
2022-08-16 23:24:34 #26734(normal) <db911a>; symcache; finalize_item: process finalize for item ICAP_VIRUS(335)


I set the ICAP server to 130.0.0.1 and expected some sort of error, but the output was the same (except server=130.0.0.1).
I also installed the latest stable version for focal (3.2.1), with the same result.
So I see that it does not work with either the latest or the experimental version.  Because some things seem to load, I am unsure whether there may be an error in my configuration.
Am I right that only adding that snippet to external_services.conf should enable ICAP?  Did I forget something?  Is anything else needed?

I thank you very much for any help!
-lutzn
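
An added example, not part of the original post or of rspamd: a minimal RFC 3507 RESPMOD probe in Python for checking, independently of rspamd, that the ICAP service answers and which threat name it reports. It assumes the service path equals the `scheme` value from the config (`respmod`) and that the server reports detections in an `X-Virus-ID` or `X-Infection-Found` header; all function names are hypothetical.

```python
import re
import socket

CRLF = b"\r\n"

def build_respmod(host, port, service, body, user_agent="icap-probe"):
    """Build an RFC 3507 RESPMOD request wrapping `body` in a fake HTTP 200 reply."""
    res_hdr = (b"HTTP/1.1 200 OK" + CRLF +
               b"Content-Type: application/octet-stream" + CRLF +
               b"Content-Length: " + str(len(body)).encode() + CRLF + CRLF)
    # The encapsulated body is always transferred with chunked encoding.
    chunked = b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF
    icap_hdr = CRLF.join([
        f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0".encode(),
        f"Host: {host}:{port}".encode(),
        f"User-Agent: {user_agent}".encode(),
        b"Allow: 204",
        # Offsets are counted from the start of the encapsulated section.
        f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}".encode(),
    ]) + CRLF + CRLF
    return icap_hdr + res_hdr + chunked

def parse_icap_response(raw):
    """Return (status_code, headers) from the ICAP header block of a response."""
    head = raw.split(CRLF + CRLF, 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"ICAP/1\.0 (\d{3})", lines[0])
    if not m:
        raise ValueError("not an ICAP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def threat_name(headers):
    """Extract a threat name from X-Virus-ID or X-Infection-Found (assumed headers)."""
    if "x-virus-id" in headers:
        return headers["x-virus-id"]
    m = re.search(r"Threat=([^;]+)", headers.get("x-infection-found", ""))
    return m.group(1).strip() if m else None

def probe(host, port, service, body, timeout=5.0):
    """Send one RESPMOD request; raises OSError if nothing is listening."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_respmod(host, port, service, body))
        # One recv is enough for the small ICAP header block of a probe reply.
        return parse_icap_response(s.recv(65536))
```

Calling `probe("127.0.0.1", 1344, "respmod", data)` exercises the same server and service path as the config above; the name returned by `threat_name` is the kind of string a `patterns` entry such as `^Eicar-Test-Signature$` would be matched against.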



