Clamav failed to scan email with an attachment in email

ok I can reproduce, this occurs when you use the smtp of the server and you send an email that needs to be scanned by clamav (gets an attachment), if the email cannot be scanned by clamav then the smtp rejects it, you gets the error and you cannot send the email

cc @davidep @giacomo

The question now is, does your server is under load, or not, because normally the db reload occurs about by 4 hours time slot (something like this)

question you can find how time you failed

this is for example the number of time I failed to scan

FORCE_ACTION_CLAM_VIRUS_FAIL   avg. weight 1.000, hits 33(1.818%):
  Ham   81.818%,     27/1170   (  2.308%)
  Spam   6.061%,      2/244    (  0.820%)
  Junk  12.121%,      4/401    (  0.998%)

Spam changes (ham/junk -> spam):      0/33     (  0.000%)
Spam  changes / total spam hits:      0/244    (  0.000%)
Junk changes      (ham -> junk):      2/33     (  6.061%)
Junk  changes / total junk hits:      2/401    (  0.499%)

how to find

rspamd_stats </var/log/maillog | less

then sort in less by CLAM_VIRUS_FAIL

you could find other interesting stats by

rspamc stat

1 Like

for the record, we could disabled the outbound spam check for authenticated users, but my concern is if an authenticated user then send back an email with a virus (I tested with eicar) to an internal user or an external user :slightly_smiling_face:

  • for the internal user, the virus is not scanned
  • for an external user your server could be blacklisted because your user sends virus
authenticated {
	priority = high;
	authenticated = yes;
	apply {
		groups_disabled = ["antivirus"];

Should not be an option…
Or antivirus is enabled (and should check every message) or antivirus is disabled (so is Sysadmin concern manage risks and alternatives).
CLAMAV of course is not the best antivirus on the market but… it’s a start.


Yes I agree to not differentiate SMTP scan policies on authentication basis.

@xcod you could try @stephdl’s group_disabled workaround but I’d like to understand if this behavior originates from a performance issue. Maybe clamav takes too long to reload on your server and users hit the soft reject too frequently…

We could increase timeouts anyway. @stephdl do you think it’s possible?

yes it is possible, see the rate_limit in my first post

1 Like

Has any sense have the capability to customize from Cockpit the timeout?

To internal and to external
an error occurs in both cases.
Also, the same error occurs when sending
from external users (another domain) to my users(in my server).


sorry to bother you (we are devs) we need the full maillog to state, send it at stephdl (at)

subj: mail log

nothing :slight_smile:

edit in spam :slight_smile:

what is your clam configuration please

ll /etc/clamd.d/

I can see you ping the clamav database every ten minutes, it is more often than me, and your server takes 45s to 1 minute to reload

For what I understand the timeout for task is only for the task_timeout of the worker-normal and we do not use it because we are on self-scan mode

with the worker-proxy the timeout is set to 120s, we could try something experimental on your server, and you could come back in few days to report please

add inside the clamav bracket in /etc/rspamd/local.d/antivirus.conf (it is a template)

clamav {
    timeout = 15.0;
    retransmits = 4;

then systemctl restart rspamd

cc @davidep

obviously if you save something in the filter panel, your changes will be removed

ll /etc/clamd.d/
-rw-r–r-- 1 root root 546 Oct 18 2018 amavisd.conf
-rw-r–r-- 1 root root 584 May 15 20:58 rspamd.conf
-rw-r–r-- 1 root root 23654 Mar 28 06:57 scan.conf

I do not have it on my server

rpm -qf /etc/clamd.d/amavisd.conf

rpm -qf /etc/clamd.d/amavisd.conf

ok you installed the old email stack, then you have migrated to rspamd ?


I would go to my trick, I bet we need it everywhere, maybe we could state on something like timout=10;retransmit=5

but what about to remove amavisd-new, maybe you could remove the 10 minutes setting to ping if the database must be reloaded, it could help

cc @davidep

I did.
I will watch it!

1 Like