Clamav failed to scan email with an attachment in email

antivirus
mail
v7

(And) #1

NethServer Version: 7.6.1810 (final) + all last update
Module: email

Hi!
I use email+rspamd+antivirus(clamav).
In rspamd, I often see the symbol

CLAM_VIRUS_FAIL (0) [failed to scan and retransmits exceed]

with an attachment in the email.
What does it mean?

Sorry my English…


(Ralf Jeckel) #2

Just googled, so the following is only if I understood it correctly. I’m not an expert on this!

Message comes from this function:

The function tries to check the upstream server. If the upstream returns an error, it tries to contact a different upstream for retransmits-1 times. If this doesn't help, the function returns the message.

Here is something about configuring the upstream server:
https://rspamd.com/doc/configuration/upstream.html

Maybe @stephdl can help here?


(Stéphane de Labrusse) #3

How many times, please? To test:

grep -srni 'CLAM_VIRUS_FAIL' /var/lib/nethserver/vmail/YourUser@YourDOmain.com

I tested on my server, for now only two times on 11 years of email :smiley:

EDIT : 5 times


(Stéphane de Labrusse) #4

Is your server not powerful enough to run the email stack?

This is the clamd service we run:

[root@prometheus ~]# systemctl cat clamd\@rspamd
# /usr/lib/systemd/system/clamd@.service
[Unit]
Description = clamd scanner (%i) daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
# Check for database existence
# ConditionPathExistsGlob=@DBDIR@/main.{c[vl]d,inc}
# ConditionPathExistsGlob=@DBDIR@/daily.{c[vl]d,inc}
After = syslog.target nss-lookup.target network.target

[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf
Restart = on-failure

# /usr/lib/systemd/system/clamd@rspamd.service.d/nethserver.conf
[Unit]
Conflicts=clamd@amavisd.service

[Service]
User=_rspamd
Group=mail
RuntimeDirectory=clamd@rspamd
RuntimeDirectoryMode=0755
TimeoutStartSec=300

Maybe we could make the timeout a bit longer (not set actually).


(And) #5

I use only nethserver+email+rspamd+clamav
and found 19 times.


(Stéphane de Labrusse) #6

How many users? Is the server restricted to your usage, or is it for a company?


(And) #7

127 users


(Stéphane de Labrusse) #8

Would you please test something: add

# Set bytecode timeout in milliseconds.
# 
# Default: 5000
# BytecodeTimeout 1000

Maybe we could start with BytecodeTimeout 10000.

add this in /etc/clamd.d/rspamd.conf

then

systemctl restart clamd\@rspamd


(Stéphane de Labrusse) #9

You could run it like this for some days, but while waiting to see if we could have other errors, please could you dive inside /var/log/maillog, looking with the rspamd ID of the transaction (for example rspamd[26918]: <31e2e3>), to see if you can catch some errors of clamd (all transactions are written inside these logs).

I am sure the answer to why clamd failed is inside your logs; please keep us in touch.


(Stéphane de Labrusse) #10

OK, I can reproduce; I have these warnings myself in my maillog.

In fact when it fails, it is reloading its database, and that takes a long time on my server; probably 10s is not enough. We could try a bit longer or accept the failure to scan.

cc @davidep cc @filippo_carletti

May  5 19:46:56 prometheus clamd[4618]: SelfCheck: Database modification detected. Forcing reload.
May  5 19:46:57 prometheus clamd[4618]: Reading databases from /var/lib/clamav
May  5 19:47:35 prometheus clamd[4618]: Database correctly reloaded (6289711 signatures)

Each time I reload the database, I get the warning if I receive an email at that moment.
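Stéphane's suggestion in #9 and #10 (look up the rspamd transaction in /var/log/maillog and compare it with clamd's reload messages) can be scripted. The following is an added example, not NethServer or rspamd code: it parses syslog-style maillog lines, finds the windows between clamd's "Forcing reload" and "Database correctly reloaded" messages, and reports which CLAM_VIRUS_FAIL transactions fell inside one. The sample lines are constructed for the example (the rspamd lines imitate rspamd_task_write_log output and are not real log data), the year is arbitrary because syslog lines carry none, and the host and pid values are placeholders.

```python
"""Correlate CLAM_VIRUS_FAIL results in a maillog with clamd database reloads.

Added example, not part of NethServer or rspamd. Sample log lines are
constructed; only the clamd lines follow the exact wording quoted in the thread.
"""
import re
import sys
from datetime import datetime

# Constructed sample (syslog format without year). The rspamd lines are
# modelled on rspamd_task_write_log output and invented for this example.
SAMPLE_MAILLOG = """\
May  5 19:46:56 prometheus clamd[4618]: SelfCheck: Database modification detected. Forcing reload.
May  5 19:46:57 prometheus clamd[4618]: Reading databases from /var/lib/clamav
May  5 19:47:02 prometheus rspamd[26918]: <31e2e3>; proxy; rspamd_task_write_log: id: <msg1@example.test>; (default: F (no action): [0.50/15.00] [CLAM_VIRUS_FAIL(0.00){failed to scan and retransmits exceed;},MIME_GOOD(-0.10){multipart/mixed;}])
May  5 19:47:35 prometheus clamd[4618]: Database correctly reloaded (6289711 signatures)
May  5 19:50:12 prometheus rspamd[26918]: <7a1b2c>; proxy; rspamd_task_write_log: id: <msg2@example.test>; (default: F (no action): [0.10/15.00] [MIME_GOOD(-0.10){multipart/mixed;}])
May  5 20:03:41 prometheus rspamd[26918]: <c0ffee>; proxy; rspamd_task_write_log: id: <msg3@example.test>; (default: F (no action): [0.50/15.00] [CLAM_VIRUS_FAIL(0.00){failed to scan and retransmits exceed;}])
"""

# "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# rspamd prefixes each transaction with its hex id, e.g. "<31e2e3>;"
RSPAMD_ID_RE = re.compile(r"<(?P<id>[0-9a-f]+)>;")


def parse_line(line, year=2000):
    """Return (timestamp, program, message) or None for lines in another format.
    year is arbitrary: syslog timestamps carry none."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["prog"], m["msg"]


def reload_windows(lines, year=2000):
    """[(start, end)] for each clamd reload; end is None if the reload had not
    finished within the excerpt (treated as still open)."""
    windows, start = [], None
    for line in lines:
        parsed = parse_line(line, year)
        if not parsed or parsed[1] != "clamd":
            continue
        ts, _, msg = parsed
        if "Forcing reload" in msg and start is None:
            start = ts
        elif "Database correctly reloaded" in msg and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def clam_fail_events(lines, year=2000):
    """[(timestamp, rspamd transaction id)] for every CLAM_VIRUS_FAIL result."""
    events = []
    for line in lines:
        parsed = parse_line(line, year)
        if not parsed or parsed[1] != "rspamd" or "CLAM_VIRUS_FAIL" not in parsed[2]:
            continue
        m = RSPAMD_ID_RE.search(parsed[2])
        events.append((parsed[0], m["id"] if m else None))
    return events


def correlate(text, year=2000):
    """Split scan failures into those inside a reload window and the rest, and
    report the longest completed reload so it can be compared with the timeout."""
    lines = text.splitlines()
    windows = reload_windows(lines, year)
    during, outside = [], []
    for ts, rid in clam_fail_events(lines, year):
        in_window = any(start <= ts and (end is None or ts <= end) for start, end in windows)
        (during if in_window else outside).append(rid)
    longest = max((int((end - start).total_seconds())
                   for start, end in windows if end is not None), default=0)
    return {"reloads": len(windows), "longest_reload_s": longest,
            "during_reload": during, "outside_reload": outside}


if __name__ == "__main__":
    # Default path is the one named in the thread; pass another file to override.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/maillog"
    with open(path, errors="replace") as fh:
        print(correlate(fh.read()))
```

If most failures land in `during_reload` and `longest_reload_s` is above the antivirus timeout, the reload time is the cause; anything in `outside_reload` needs another explanation, and either way it is worth checking whether those messages were accepted without a verdict.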


(Stéphane de Labrusse) #11

from this link https://github.com/rspamd/rspamd/blob/master/lualib/lua_scanners/clamav.lua

we can see:

timeout = 5.0, -- FIXME: this will break task_timeout!
detection_category = "virus",
retransmits = 2,

(Stéphane de Labrusse) #12

OK, this is what I added in /etc/rspamd/local.d/antivirus.conf (it is a template):

timeout = 15;

then systemctl restart rspamd

On my server, loading the new DB takes between 15 and 30 seconds; rspamd attempts two times, so it should be good enough.

After this I can see the new DB loaded in maillog (Database correctly reloaded) but no more CLAM_VIRUS_FAIL.


(Stéphane de Labrusse) #13

Another approach could be to force an action:

[root@prometheus ~]# cat /etc/rspamd/local.d/force_actions.conf 
rules {
    CLAM_VIRUS_FAIL { 
        action = "soft reject";
        message = "Cannot validate the message now. Try again later";
        expression = "CLAM_VIRUS_FAIL";
    }
}

Then we could find this in the header:

default: F (soft reject): [-0.76/19.90] [FORCE_ACTION_CLAM_VIRUS_FAIL(1.00){soft reject;}
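To confirm from the log that the force action really fires, here is an added example (not rspamd or NethServer code) that parses the result summary rspamd writes per message, the `default: F (soft reject): [score/required] [SYMBOL(score){options;},...]` form quoted above, and flags two cases: scan failures turned into a soft reject, and scan failures on messages that were accepted anyway, i.e. delivered without an antivirus verdict. The sample strings are constructed for the example; the first extends the truncated header line above with assumed extra symbols.

```python
"""Parse rspamd result summaries and classify CLAM_VIRUS_FAIL outcomes.

Added example, not rspamd or NethServer code. Samples are constructed.
"""
import re

# Constructed: the header fragment from the thread, completed with assumed symbols.
SAMPLE_DEFERRED = ("default: F (soft reject): [-0.76/19.90] "
                   "[FORCE_ACTION_CLAM_VIRUS_FAIL(1.00){soft reject;},"
                   "CLAM_VIRUS_FAIL(0.00){failed to scan and retransmits exceed;},"
                   "MIME_GOOD(-0.10){multipart/mixed;}]")
# Constructed: what the summary looks like without the force action.
SAMPLE_ACCEPTED = ("default: F (no action): [0.50/15.00] "
                   "[CLAM_VIRUS_FAIL(0.00){failed to scan and retransmits exceed;}]")

RESULT_RE = re.compile(
    r"default: (?P<flag>\S) \((?P<action>[^)]*)\): "
    r"\[(?P<score>-?\d+(?:\.\d+)?)/(?P<required>-?\d+(?:\.\d+)?)\] "
    r"\[(?P<symbols>.*)\]"
)
# NAME(score){opt1;opt2;} ; the options block is optional
SYMBOL_RE = re.compile(
    r"(?P<name>[A-Z0-9_]+)\((?P<score>-?\d+(?:\.\d+)?)\)(?:\{(?P<opts>[^}]*)\})?"
)


def parse_result(text):
    """Return action, scores and a {symbol: {score, options}} map, or raise
    ValueError when the text is not an rspamd result summary."""
    m = RESULT_RE.search(text)
    if not m:
        raise ValueError("not an rspamd result summary")
    symbols = {}
    for s in SYMBOL_RE.finditer(m["symbols"]):
        opts = [o.strip() for o in (s["opts"] or "").split(";") if o.strip()]
        symbols[s["name"]] = {"score": float(s["score"]), "options": opts}
    return {"action": m["action"], "score": float(m["score"]),
            "required": float(m["required"]), "symbols": symbols}


def scan_failure_deferred(result):
    """True when the scan failed and the force action turned it into a soft reject."""
    syms = result["symbols"]
    return ("CLAM_VIRUS_FAIL" in syms and "FORCE_ACTION_CLAM_VIRUS_FAIL" in syms
            and result["action"] == "soft reject")


def unscanned_but_accepted(result):
    """True when the scan failed but the message was not rejected or deferred,
    i.e. it reached the mailbox with no antivirus verdict."""
    return ("CLAM_VIRUS_FAIL" in result["symbols"]
            and result["action"] not in ("soft reject", "reject"))


def audit(summaries):
    """Count outcomes over a list of result summaries (e.g. grepped from maillog)."""
    counts = {"deferred": 0, "unscanned_accepted": 0, "other": 0}
    for text in summaries:
        r = parse_result(text)
        if scan_failure_deferred(r):
            counts["deferred"] += 1
        elif unscanned_but_accepted(r):
            counts["unscanned_accepted"] += 1
        else:
            counts["other"] += 1
    return counts
```

A non-zero `unscanned_accepted` count after the force action is in place means some mail still gets through without a verdict and the rule or the timeout needs another look.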


(And) #14

Thanks!
Do I need to test something?
or do you test it yourself?


(Stéphane de Labrusse) #15

Yes please, could you check https://github.com/NethServer/dev/issues/5755#issuecomment-491284607

The rpm to install is:

yum install http://packages.nethserver.org/nethserver/7.6.1810/testing/x86_64/Packages/nethserver-mail-filter-2.6.0-1.3.g1e5e315.ns7.noarch.rpm


(And) #16

Thank you very much!
I installed your package,
and so far I do not see the errors “CLAM_VIRUS_FAIL (0) [failed to scan and retransmits exceed]”.
I think I need to test for a few days or a week.


(Stéphane de Labrusse) #17

You can simulate the DB reloading: check the QA link, send yourself some emails with attachments, and during this launch the command every 10s/5s in a terminal on your server.

The pragmatic wait-and-see is good also.


(And) #18

I see new symbols in rspamd:
CLAM_VIRUS_FAIL (0) [failed to scan and retransmits exceed]
FORCE_ACTION_CLAM_VIRUS_FAIL (0) [soft reject]

and the action "soft reject"
on my mail with attachments.


(Stéphane de Labrusse) #19

Yep, this is good. Do you have a GitHub account to write in the issue how you tested and what the output of the log transaction is?

Soft reject means "try later please"; the SMTP sender will do it according to its sender policy.


(And) #20

I don’t have a GitHub account.
How did I test?
I installed your package and saw the symbols in the rspamd web UI.
The only way