[Rspamd-Users] ClamAV and rspamd : log question

G.W. Haywood rspamd at jubileegroup.co.uk
Fri Feb 17 16:35:14 UTC 2023


Hi there,

On Fri, 17 Feb 2023, Mickaël Dequidt wrote:

> Hello, me again /o\
> 
> Things are moving forward

:)

> ... NOT all successful smtp transactions were scanned ...

:(

> ... all greylisted emails are scanned, and so far every message I saw that 
> was accepted by rspamd without a direct clamav scan, was a previously 
> greylisted message.
>
> So, from a purely rspamd point of view, is rspamd keeping its scan
> results cached ... so as not to re-scan them if they come back ... ?

If your guess is correct it seems in conflict with the documentation,
which says that greylisting takes place at the SMTP DATA stage, while
scanning takes place later in the conversation, at EOM.  See paragraph
headed "The order of checks" in

https://rspamd.com/rmilter/configuration.html

which I interpret to mean that for a greylisted message no virus scan
will yet have taken place - but that doesn't seem to be what you see
in the logs.

Can you describe exactly how your interface between ClamAV and rspamd
is implemented?  Looking at

https://www.rspamd.com/doc/modules/external_services.html

it seems that you might be using something like an ICAP server with
squidclamav to interface between rspamd and ClamAV.  Is that right?
If so, the rabbit-hole goes deeper.

If all else fails one can read the code... :(

-- 

73,
Ged.

