ClamAV stopping Mail working

I’m running Kernel Release 3.10.0-1160.119.1.el7.x86_64, Operating System=NethServer release 7.9.2009 (final) on a Dell Inc. Precision WorkStation T3500

I noticed that, for no apparent reason, I’m not recieving emails, though the web serving seems OK. I looked in the log and found the following after a restart:

19:14 <016acf>; proxy; fuzzy_check_timer_callback: got IO timeout with server fuzzy2.rspamd.com:11335(127.0.0.1:11335), after 1/1 retransmits rspamd

19:14 <016acf>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

19:13 <0bc749>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

19:12 <954fcb>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

19:09 <549dc2>; proxy; fuzzy_check_timer_callback: got IO timeout with server fuzzy1.rspamd.com:11335(127.0.0.1:11335), after 1/1 retransmits rspamd

19:09 <549dc2>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

19:03 <39af64>; proxy; fuzzy_check_timer_callback: got IO timeout with server fuzzy1.rspamd.com:11335(127.0.0.1:11335), after 1/1 retransmits rspamd

19:03 <39af64>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

19:01 ; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

19:01 ; proxy; fuzzy_check_timer_callback: got IO timeout with server fuzzy1.rspamd.com:11335(127.0.0.1:11335), after 1/1 retransmits rspamd

19:01 ; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

19:01 Failed to save freshclam.dat! freshclam

19:01 Can’t create freshclam.dat in /var/clamav freshclam

19:00 <743065>; proxy; fuzzy_check_timer_callback: got IO timeout with server fuzzy2.rspamd.com:11335(127.0.0.1:11335), after 1/1 retransmits rspamd

19:00 <743065>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

18:59 <2be5fa>; proxy; fuzzy_check_timer_callback: got IO timeout with server fuzzy1.rspamd.com:11335(127.0.0.1:11335), after 1/1 retransmits rspamd

18:59 <2be5fa>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

18:58 <8029e2>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

18:58 <1d21c5>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

18:57 <5b8f49>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed rspamd

18:55 pam_listfile(cockpit:auth): Refused user root for service cockpit cockpit-session

18:55 ***** nmbd

18:55 nmbd

18:55 Samba name server BASTION is now a local master browser for workgroup BLAKE-ONLINE on subnet 192.168.200.98 nmbd

18:55nmbd

18:55 ***** nmbd

18:55 [2025/10/22 18:55:12.678509, 0] ../../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2) nmbd

18:55 ***** nmbd

18:55 nmbd

18:55 Samba name server XXXXXXX is now a local master browser for workgroup NAME-ONLINE on subnet 192.168.xxx.yyy nmbd

18:55 nmbd

18:55 ***** nmbd

18:55 [2025/10/22 18:55:12.678300, 0] ../../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2) nmbd

18:55 nt_printing_init: error checking published printers: WERR_ACCESS_DENIED smbd

18:55 [2025/10/22 18:55:02.032329, 0] ../../source3/printing/nt_printing.c:249(nt_printing_init) smbd

18:55 daemon_ready: daemon ‘smbd’ finished starting up and ready to serve connections smbd

18:55 [2025/10/22 18:55:01.756300, 0] ../../lib/util/become_daemon.c:136(daemon_ready) smbd

18:54 daemon_ready: daemon ‘winbindd’ finished starting up and ready to serve connections winbindd

18:54 [2025/10/22 18:54:48.671204, 0] ../../lib/util/become_daemon.c:136(daemon_ready) winbindd

18:54 initialize_winbindd_cache: clearing cache and re-creating with version number 2 winbindd

18:54 [2025/10/22 18:54:47.928819, 0] ../../source3/winbindd/winbindd_cache.c:3166(initialize_winbindd_cache) winbindd

18:54 daemon_ready: daemon ‘nmbd’ finished starting up and ready to serve connections nmbd

18:54 [2025/10/22 18:54:47.448335, 0] ../../lib/util/become_daemon.c:136(daemon_ready) nmbd

18:54 Failed to start Clam AntiVirus userspace daemon. systemd

From what I can see, ClamAV is not able to start so mail is not able to recieve, but beyond that, I have no idea what is going on, or wht could have caused this…

Sorry for such a wide open question, but what can I do to restore email functionality?

Thanks

Jim

It seems the file can’t be created.

It’s strange, I don’t have this directory on my NS7:

[root@server ~]# whereis clamav
clamav: /usr/share/clamav
[root@server ~]# ls /var/clamav
ls: cannot access /var/clamav: No such file or directory

Is the disk full?

df -h

Please check permissions of /var/clamav:

ls -l /var/clamav

What’s the status of the clamd service?

systemctl status clamd@rspamd

Did you already try to restart the mail filter?

signal-event nethserver-mail-filter-update

Does it help to start freshclam manually?

freshclam

Related docs:

I got some answers to your questions. The answers make it all look like a bit of a mess, I’m afraid:

[root@bastion jim]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 7.8G 0 7.8G 0% /dev
tmpfs 7.8G 2.1M 7.8G 1% /dev/shm
tmpfs 7.8G 12M 7.8G 1% /run
tmpfs 7.8G 0 7.8G 0% /sys/fs/cgroup
/dev/mapper/VolGroup-lv_root 922G 147G 775G 16% /
/dev/md1 1016M 266M 751M 27% /boot
tmpfs 1.6G 0 1.6G 0% /run/user/880801106

[root@bastion jim]# ls -l /var/clamav
total 8
-rw-r–r-- 1 clamupdate clamupdate 77 Mar 18 2020 ASL.hdb
-rwxrwxrwx 1 clamupdate clamupdate 69 Oct 22 20:01 freshclam.dat
[root@bastion jim]#

Note: the entry “-rwxrwxrwx 1 clamupdate clamupdate 69 Oct 22 20:01 freshclam.dat” is there because I created it to see if it helped. Needless to say, it didn’t, so will be removed after all other changes.

[root@bastion jim]# systemctl status clamd@rspamd
Unit clamd@rspamd.service could not be found.
[root@bastion jim]#

[root@bastion jim]#
[root@bastion jim]# signal-event nethserver-mail-filter-update
bash: signal-event: command not found
[root@bastion jim]#

[root@bastion jim]# freshclam
ClamAV update process started at Wed Oct 22 20:32:33 2025
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 1.0.3 Recommended version: 1.0.9
DON’T PANIC! Read Installing - ClamAV Documentation
ERROR: Can’t create temporary directory /var/lib/clamav/tmp.cf31494ed8
Hint: The database directory must be writable for UID 976 or GID 971
ERROR: Update failed.
[root@bastion jim]#

I looked at those results and tried

find / -name clamav

and got the result:

[root@bastion jim]# find / -name clamav
find: ‘/proc/2937/task/9489’: No such file or directory
/run/clamav
/etc/logrotate.d/clamav
/var/lib/clamav
/var/log/clamav
/var/clamav
/usr/share/clamav
[root@bastion jim]#

Let me know if you need more….

Thanks for your amazingly quick response !

Jim

I think you logged in as user jim and ran su to get root.
If that’s the case please logout and login again with user jim and use

su -

to get root.

Then the signal-event command should work.

Let’s check permissions/owner of the directory…

ls -ld /var/lib/clamav

…and the content:

ls -l /var/lib/clamav

To reset the owner and group you could run the following command:

chown -R clamupdate: /var/lib/clamav

If nothing helps you could try to disable the antivirus in the settings to at least get the mails without scanning them: (not the best for security but better than no mails)

grafik1488×1434 131 KB

I did as you suggested to log on and the command

signal-event nethserver-mail-filter-update

worked. No output was given, but it returned to a prompt:

[root@bastion ~]#
[root@bastion ~]# signal-event nethserver-mail-filter-update
[root@bastion ~]#

Then I issued the

ls -ld /var/lib/clamav

command, which gave:

[root@bastion ~]# ls -ld /var/lib/clamav
drwxr-xr-x 2 clamupdate clamupdate 4096 Oct 22 15:20 /var/lib/clamav
[root@bastion ~]#

I then issued

ls -l /var/lib/clamav

which resulted in

[root@bastion ~]# ls -l /var/lib/clamav
total 253680
-rw-r–r-- 1 clamupdate clamupdate 128760 Oct 22 00:36 blurl.ndb
-rw-r–r-- 1 clamupdate clamupdate 3448 Dec 2 2021 bofhland_cracked_URL.ndb
-rw-r–r-- 1 clamupdate clamupdate 106247 Dec 2 2021 bofhland_malware_attach.hdb
-rw-r–r-- 1 clamupdate clamupdate 610 Dec 2 2021 bofhland_malware_URL.ndb
-rw-r–r-- 1 clamupdate clamupdate 9676 Dec 2 2021 bofhland_phishing_URL.ndb
-rw-r–r-- 1 clamupdate clamupdate 281702 Oct 3 09:06 bytecode.cvd
-rw-r–r-- 1 clamupdate clamupdate 64728484 Oct 3 09:05 daily.cvd
-rw-r–r-- 1 clamupdate clamupdate 317058 Oct 21 12:39 foxhole_filename.cdb
-rw-r–r-- 1 clamupdate clamupdate 52436 Apr 15 2025 foxhole_generic.cdb
-rw-r–r-- 1 clamupdate clamupdate 69 Oct 3 09:05 freshclam.dat
-rw-r–r-- 1 clamupdate clamupdate 48176 Aug 5 2015 hackingteam.hsb
-rw-r–r-- 1 clamupdate clamupdate 3429690 Oct 11 21:02 interserver256.hdb
-rw-r–r-- 1 clamupdate clamupdate 7068901 Oct 21 14:34 junk.ndb
-rw-r–r-- 1 clamupdate clamupdate 1710594 Oct 21 14:34 jurlbl.ndb
-rw-r–r-- 1 clamupdate clamupdate 170479789 Oct 3 09:06 main.cvd
-rw-r–r-- 1 clamupdate clamupdate 100848 Sep 12 2022 malwarehash.hsb
-rw-r–r-- 1 clamupdate clamupdate 4810916 Oct 15 13:34 phish.ndb
-rw-r–r-- 1 clamupdate clamupdate 107 Oct 3 08:30 phishtank.ndb
-rw-r–r-- 1 clamupdate clamupdate 11794 Oct 22 10:30 porcupine.hsb
-rw-r–r-- 1 clamupdate clamupdate 170590 Oct 22 04:30 porcupine.ndb
-rw-r–r-- 1 clamupdate clamupdate 873016 Oct 4 07:22 rfxn.hdb
-rw-r–r-- 1 clamupdate clamupdate 454193 Oct 4 07:19 rfxn.ndb
-rw-r–r-- 1 clamupdate clamupdate 77582 Oct 22 08:11 rogue.hdb
-rw-r–r-- 1 clamupdate clamupdate 12598 Mar 12 2025 sanesecurity.ftm
-rw-r–r-- 1 clamupdate clamupdate 2002619 Oct 14 15:33 scam.ndb
-rw-r–r-- 1 clamupdate clamupdate 558 Mar 13 2025 sigwhitelist.ign2
-rw-r–r-- 1 clamupdate clamupdate 1391 Apr 28 2017 spamattach.hdb
-rw-r–r-- 1 clamupdate clamupdate 48018 Oct 22 13:34 spamimg.hdb
-rw-r–r-- 1 clamupdate clamupdate 2562282 Oct 15 13:20 twinclams.ldb
-rw-r–r-- 1 clamupdate clamupdate 2306 Oct 17 13:22 twinwave.ign2
-rw-r–r-- 1 clamupdate clamupdate 174370 Sep 13 2022 whitelist.fp
-rw-r–r-- 1 clamupdate clamupdate 64 Apr 20 2022 winnow.attachments.hdb
-rw-r–r-- 1 clamupdate clamupdate 66 Mar 5 2018 winnow_bad_cw.hdb
-rw-r–r-- 1 clamupdate clamupdate 65 Apr 20 2022 winnow_extended_malware.hdb
-rw-r–r-- 1 clamupdate clamupdate 65 Apr 20 2022 winnow_malware.hdb
-rw-r–r-- 1 clamupdate clamupdate 14709 Nov 26 2019 winnow_malware_links.ndb
-rw-r–r-- 1 clamupdate clamupdate 6505 Dec 10 2022 winnow_phish_complete_url.ndb
[root@bastion ~]#

Then I issues

chown -R clamupdate: /var/lib/clamav

which completed without output:

[root@bastion ~]# chown -R clamupdate: /var/lib/clamav
[root@bastion ~]#

Then I went into the console (all other work above done through putty) and found under services :

Please, review the following settings:

1. clamd@squidclamav : The service is either not running or not enabled
2. clamd@rspamd : The service is either not running or not enabled

Then I went into rspamd and got the following status:

* rspamd.service - rapid spam filtering system
   Loaded: loaded (/usr/lib/systemd/system/rspamd.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/rspamd.service.d
           `-nethserver.conf
   Active: active (running) since Wed 2025-10-22 21:19:11 BST; 6min ago
     Docs: https://rspamd.com/doc/
 Main PID: 25580 (rspamd)
   CGroup: /system.slice/rspamd.service
           |-25580 rspamd: main process; 0.1 msg/sec, 0.0 msg/sec spam, 0.0 msg/sec ham; 1.87s avg processing tim
           |-25587 rspamd: fuzzy process (localhost:11335)      
           |-25588 rspamd: rspamd_proxy process (/var/run/rspamd/worker-proxy mode=0770 owner=_rspamd group=mail
           |-25589 rspamd: controller process (127.0.0.1:11334) 
           `-25590 rspamd: hs_helper process                    

Oct 22 21:22:22 bastion.blake-online.net rspamd[25588]: <d65e17>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed
Oct 22 21:22:22 bastion.blake-online.net rspamd[25588]: <d65e17>; lua; common.lua:110: clamav: result - FAILED with error: "failed to scan and retransmits exceed - score: 0"
Oct 22 21:22:22 bastion.blake-online.net rspamd[25588]: <d65e17>; proxy; rspamd_add_passthrough_result: <AM7P189MB107658E3FB3FC3DFC0D2D5E6C9F3A@AM7P189MB1076.EURP189.PROD.OUTLOOK.COM>: set pre-result to 'soft reject' (no score): 'Cannot validate the message now. Try again later' from force_actions(0)
Oct 22 21:22:23 bastion.blake-online.net rspamd[25588]: <d65e17>; proxy; rspamd_task_write_log: id: <AM7P189MB107658E3FB3FC3DFC0D2D5E6C9F3A@AM7P189MB1076.EURP189.PROD.OUTLOOK.COM>, qid: <D635CC2B8A>, ip: 40.107.159.134, from: <jim.blake@netunity.co.uk>, (default: F (soft reject): [-0.88/20.00] [DKIM_REPUTATION(-0.60){-0.60970927806895;},R_PARTS_DIFFER(0.50){100.0%;},IP_REPUTATION_HAM(-0.26){asn: 8075(-0.26), country: US(-0.00), ip: 40.107.159.134(0.00);},R_DKIM_ALLOW(-0.20){phoenixopensystems.onmicrosoft.com:s=selector2-phoenixopensystems-onmicrosoft-com;},R_SPF_ALLOW(-0.20){+ip4:40.107.0.0/16:c;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},MX_GOOD(-0.01){},ASN(0.00){asn:8075, ipnet:40.104.0.0/14, country:US;},CLAM_VIRUS_FAIL(0.00){failed to scan and retransmits exceed;},DKIM_TRACE(0.00){phoenixopensystems.onmicrosoft.com:+;},DMARC_NA(0.00){netunity.co.uk;},FORCE_ACTION_CLAM_VIRUS_FAIL(0.00){soft reject;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_THREE(0.00){3;},RCVD_TLS_LAST(0.00){},RWL_MAILSPIKE_POSSIBLE(0.00){40.107.159.134:from;},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 10330, time: 212.743ms, dns req: 10, digest: <3e385ec3bad8871136e6413a1ae30318>, rcpts: <jim@blake-online.net>, mime_rcpts: <jim@blake-online.net>, forced: soft reject "Cannot validate the message now. Try again later"; score=nan (set by force_actions)
Oct 22 21:22:23 bastion.blake-online.net rspamd[25588]: <d65e17>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 172 regexps total, 61 regexps cached, 0B scanned using pcre, 3.36KiB scanned total
Oct 22 21:22:23 bastion.blake-online.net rspamd[25588]: <aca49d>; proxy; proxy_milter_finish_handler: finished milter connection
Oct 22 21:23:19 bastion.blake-online.net rspamd[25589]: <z8tg5x>; lua; bayes_expiry.lua:440: finished expiry step 14: 985 items checked, 358 significant (0 made persistent), 3 insignificant (0 ttls set), 1 common (0 discriminated), 623 infrequent (0 ttls set), 5 mean, 12 std
Oct 22 21:24:33 bastion.blake-online.net rspamd[25589]: <z8tg5x>; lua; bayes_expiry.lua:440: finished expiry step 15: 993 items checked, 220 significant (0 made persistent), 0 insignificant (0 ttls set), 0 common (0 discriminated), 773 infrequent (0 ttls set), 6 mean, 14 std
Oct 22 21:25:35 bastion.blake-online.net rspamd[25589]: <z8tg5x>; lua; bayes_expiry.lua:440: finished expiry step 16: 997 items checked, 232 significant (0 made persistent), 1 insignificant (0 ttls set), 1 common (0 discriminated), 763 infrequent (0 ttls set), 6 mean, 21 std
Oct 22 21:25:49 bastion.blake-online.net rspamd[25589]: <k4k3se>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for bl.score.senderscore.com while 'no records with this name' was expected when querying for '1.0.0.127.bl.score.senderscore.com'(likely DNS spoofing or BL internal issues)

Then I viewed the status and got this:

image3227×340 47 KB

I haven’t disabled yet, because I’m not sure thats what you meant, but within the console I couldn’t do exactly as you suggested because I couldn’t see the page you showed.

If all I need to do is hit “disable”, that’s fine I’m happy to run without protection for a while, there are no importatnt accounts on this server, and that should give me time to do a proper fix while not losing emails

I’m not sure if disabling the service (as shown in your screenshot) is working because rspamd still wants to check the mails and may fail.

I think it’s better to disable the scanning for mails in the mail filter settings.

Go to the mail app settings:

grafik2890×1418 344 KB

Go to the filter settings:

grafik2794×1662 174 KB

Disable antivirus and “Save”:

grafik1716×1412 143 KB

OK, I disabled as you suggested and I’m able to send and recieve as normal (….and breath again!)

Can I impose upon your knowledge and time to take this to the next step and find what went wrong?

Thanks…I owe you one!

Jim

Great that mailing is working again!

Sure, we can try to fix it tomorrow or the next days…

You’re welcome.