Re: restarting ClamAV and configuration

[Joe Savelberg <joe@xxxxxxxxxxx>]

Eric,

At 12:39 -0700 18/06/2004, Eric Yang wrote:
> Is it possible that you have two copies of clamd running on your 
> server?  The Post.Office installs it's own clamd, but this version 
> is configured to use LocalSocket instead of TCPSocket.  Therefore, 
> telnet 127.0.0.1 3310 won't give you a connection.  We don't keep 
> port 3310 open to offer to scan virus through TCPSocket so there is 
> a little less chance that a remote hacker could abuse your ClamAV. 
> ClamAV has been running solid on mail.tenon.com since April, and it 
> was rock solid.

There is only 1 ClamAV process running on our server. When I checked 
the Tenon ClamAV configuration in /usr/local/clamav/etc/clamav.conf I 
see following line:

TCPSocket 3310

and also

TCPAddr 127.0.0.1

These are also the settings that are installed by the Tenon ClamAV 
package on a clean system. It's nothing that I had changed. So the 
latest ClamAV installer does open a TCPSocket.

The Local Socket is disabled:

#LocalSocket /tmp/clamd

I experienced 3 clamd crashes today: at 04:38 AM, 22:35 PM, 23:51 PM. 
Looking at the log file didn't reveal anything interesting. Maybe I 
should enable the debug log file just to gather more information. I 
did get some entries in a crash log at those times: EXEC_BAD_ACCESS 
and KERN_PROTECTION_FAILURE. However the CrashLog was called 
???.crash.log instead of clamd.crash.log



> In addition, the current design is to seal user from any virus, 
> therefore, when clamd failed, the mails should be collected in a 
> filtered mail box until Postmaster take action.  This might not be 
> the most desired behavior for postmasters, but it's certainly most 
> secure.  If more customer demands that the filter should let email 
> pass through when clamd is down, then we will update our plug-in to 
> function accordingly.

The default Post.Office setup (on a clean system) lists 2 filters: 
one for SpamAssassin (in first place) and a second filter for ClamAV 
(in second place). As ClamAV should be the first filter, I think the 
default PO setup should be changed. Also, the ClamAV filter is set to 
discard any trapped e-mails which is contrary to what you recommend, 
i.e. that ClamAV messages should be collected in a filtered mailbox.

I still prefer that mails get through to the final recipient when 
ClamAV is down. If ClamAV would go down during the weekend, when 
nobody can check the filtered mailbox then all mail needs to be 
re-sorted on Monday morning which would be delayed quite a bit 
because of phone calls of angry customers who were unable to receive 
any e-mails.

This is a big issue, especially when dealing with lots of e-mails and 
many different clients.

Joe.
--
-----------------+----------------+----------------------------------
Jochen Savelberg | Euregio.Net AG | domain registrations, co-location
joe@xxxxxxxxxxx  | Wirtzfeld 140  | hosting, marketing, entertainment
Online Producer  | 4760 Bullingen | consulting, training, development
MIS/IT Director  | Belgium        |      http://www.euregio.net
-----------------+----------------+----------------------------------
Internet Services since 1995 - AFS-Returnee '93, Belgium to Australia
---------
Tenon Intersystems' Post.Office Mailing List
To unsubscribe: send mailto:post_office-request@xxxxxxxxxxxxxxx
with the body only containing: 
unsubscribe
Find the searchable mailing list archives at:
http://postoffice.computeroil.com/