[Rspamd-Users] ClamAV and rspamd : log question

[Mickaël Dequidt]

Hello all,


> If your guess is correct it seems in conflict with the documentation,
> which says that greylisting takes place at the SMTP DATA stage, while
> scanning takes place later in the conversation, at EOM.  See paragraph
> headed "The order of checks" in
> 
> https://rspamd.com/rmilter/configuration.html
> 
> which I interpret to mean that for a greylisted message no virus scan
> will yet have taken place - but that doesn't seem to be what you see
> in the logs.
> 

I would have interpreted that way as well, and that's the general way of 
implementing greylisting, as I reckon. But the greylisting module of 
rspamd doesn't seem to behave like the obsoleted rmilter.

I use clamav directly through the antivirus module, and after having 
activated debugging for this module, I can now confirm that greylisting 
is evaluated at the same time as other modules, during the actual and 
complete analysis of a message. Said analysis (clamav scanning in 
particular) being cached in redis and reloaded if the message comes back :

> Feb 20 11:10:30 server-val rspamd[2216335]: <c720ad>; clamav; common.lua:295: clamav: saved cached result for rs_clamav_fdae6f1e7ec0ae7b32fe4e444b3645b1: OK - score 1 - ttl 3600
> Feb 20 11:10:31 server-val rspamd[2216335]: <c720ad>; lua; greylist.lua:430: greylisted until "Mon, 20 Feb 2023 10:15:31 GMT", new record

Then :

> Feb 20 11:15:42 server-val rspamd[2216333]: <bcb19a>; clamav; common.lua:238: clamav: got cached negative result for rs_clamav_fdae6f1e7ec0ae7b32fe4e444b3645b1: OK


That is now settled, and quite a relief too !
I can only advise that this piece of information be added to the online 
doc, if rspamd admins consider it to be noteworthy (I certainly do !)

Thanks all for your help.

-- 
Mickaël DEQUIDT
IFREMER - Service IRSI/RIC
Centre Ifremer Bretagne - ZI de la pointe du diable
CS 10070 - 29280 Plouzané
Tel : +33 (0)2 98 22 46 04 - Fax : +33 (0)2 98 22 46 47