HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   HOWTO-Related Questions (http://www.howtoforge.com/forums/forumdisplay.php?f=2)
-   -   ClamAV Milter Issues - Virtual Hosting Howto With Virtualmin On CentOS 5.1 (http://www.howtoforge.com/forums/showthread.php?t=21043)

pheniks 6th March 2008 06:23

ClamAV Milter Issues - Virtual Hosting Howto With Virtualmin On CentOS 5.1
 
After following this How To, I ran into some problems with Postfix and the ClamAV Milter. I pm'ed topdog on the issues and thought that maybe someone might benefit from the exchange we have had so far and that we might solve the issue below is the communication thus far:

Quote:

Quote:

Originally Posted by pheniks
I am having issues with the clamav-milter setup as described in your how to. As almost every issue that I have come across has been my missing a detail, I am sure that this is what has occurred. However, I am unable to locate why I am getting the following messages in the mail log and am unable to test sending email via the telnet tests suggested.

Mail Log Messages
Code:

Mar 5 19:52:39 ares postfix/cleanup[8498]: 0B47FEB0319: milter-reject: CONNECT from localhost[127.0.0.1]: 4.7.1 Service unavailable - try again later; from=<root@pheniks.net> Mar 5 19:52:42 ares postfix/smtpd[8708]: NOQUEUE: milter-reject: MAIL from tx-67-76-233-45.sta.embarqhsd.net[67.76.233.45]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<me> Mar 5 19:52:52 ares postfix/smtpd[8708]: NOQUEUE: milter-reject: UNKNOWN from tx-67-76-233-45.sta.embarqhsd.net[67.76.233.45]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<me> Mar 5 19:52:55 ares postfix/smtpd[8708]: disconnect from tx-67-76-233-45.sta.embarqhsd.net[67.76.233.45] Mar 5 19:53:39 ares postfix/pickup[8494]: BC325EB0319: uid=0 from=<root> Mar 5 19:53:39 ares postfix/cleanup[8496]: warning: connect to Milter service unix:/var/clamav/clmilter.socket: Permission denied Mar 5 19:53:39 ares postfix/cleanup[8496]: BC325EB0319: milter-reject: CONNECT from localhost[127.0.0.1]: 4.7.1 Service unavailable - try again later; from=<root@pheniks.net>
I will get you any configuration information you request.
Thanks in advance,
Aaron
Hi Aaron,
This is usually a permissions problem with the socket file. It seems to be a problem with the startup of the milter, at times when started the socket delays in being created meaning the command that changes the sockets ownership to the mail user is run before the socket is created.

Please try restarting the milter. Please send me the output of
Code:

ls -l /var/clamav/clmilter.socket

Quote:

Output of ls -l /var/clamav/clmilter.socket:
Code:

srwxrwxr-x 1 clamav postfix 0 Mar 5 16:08 /var/clamav/clmilter.socket
Additionally, on service clamav-milter restart, I receive the following:
Code:

Stopping Clamav Milter Daemon: [ OK ] Starting Clamav Milter Daemon: Your LANG environment variable is set to 'en_US.UTF-8' This is known to cause problems for some clamav-milter installations. If you get failures with temporary files, please try again with LANG unset. Loaded ClamAV 0.92.1/6136/Wed Mar 5 03:32:22 2008 ClamAV: Protecting against 243377 viruses [ OK ]

Quote:


Quote:

Originally Posted by topdog
Does that fix the issue ? Yes you can go for that, i have noticed that it happens on startup. I will try look at the source to see if it can be patched to set the group on the socket file.
That did not solve the issue. Are the user and group correct on the socket file? Should the config files be using unix vs. local.

On Page 3 of your How To, there is a section of the config file /etc/postfix/main.cf that goes like this:
Code:

smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock non_smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
While on Page 5, the config file /etc/sysconfig/clamav-milter reads:
Code:

. . . SOCKET_ADDRESS="local:/var/clamav/clmilter.socket"
I changed both to the local: prefix and still have the issue. Should it be the unix: prefix?
Now, I have changed both to the unix: prefix and have not resolved the issue.

topdog 6th March 2008 06:50

Postfix and milter syntax are different so local: does not work within postfix

Try using tcp sockets.
Code:

SOCKET_ADDRESS="inet:3381@localhost"
and in postfix
Code:

smtpd_milters = inet:localhost:3381
non_smtpd_milters = inet:localhost:3381


pheniks 6th March 2008 07:24

Converting to inet:localhost:3381 / inet:3381@localhost seems to have solved the issue with clamav-milter. Now, I am getting the same issue with the spamass-milter. Would there be a similar fix for this and what port?

From Postfix Website:
Quote:

Milter error handling

The milter_default_action parameter specifies how Postfix handles Milter application errors. The default action is to respond with a temporary error status, so that the client will try again later. Specify "accept" if you want to receive mail as if the filter does not exist, and "reject" to reject mail with a permanent status.

/etc/postfix/main.cf:
# What to do in case of errors? Specify accept, reject, or tempfail.
milter_default_action = tempfail
I don't recommend using this on a production system. We install these milters for a reason and passing over them if they aren't cooperating may not be the best idea from the standpoint of knowing that there is an issue.

I tried this in the event that it might pass over the errors on the milter and let me know if postfix was operating properly without the failing milters. I still receive a 451 4.7.1 Service unavailable - try again later message from telnet-ing into the smtpd service.

topdog 6th March 2008 08:02

The spamass-milter cannot use tcp connections. can you modify your init script like this
Code:

start() {
        echo -n $"Starting $desc ($prog): "
        daemon $prog -p $SOCKET -f $EXTRA_FLAGS
        RETVAL=$?
        sleep 5
        echo
        chgrp postfix /var/run/spamass.sock
        chmod g+w /var/run/spamass.sock
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
        return $RETVAL
}


pheniks 7th March 2008 02:02

Sleep doesn't appear to have worked...
 
I am now getting the 451 4.7.1 Service unavailable - try again later earlier in the telnet session:

Code:

telnet mail.pheniks.net 25
Trying 67.76.233.45...
Connected to mail.pheniks.net (67.76.233.45).
Escape character is '^]'.
220 ares.pheniks.net ESMTP Postfix
helo me
250 ares.pheniks.net
mail from:root@pheniks.net
451 4.7.1 Service unavailable - try again later

This is now the output of ls -l /var/run/spamass.sock:

Code:

srwxrwxr-x 1 root postfix    0 Mar  6 18:43 spamass.sock
From /var/log/maillog:
Code:

Mar  6 18:47:39 ares postfix/smtpd[31808]: warning: connect to Milter service unix:/var/run/spamass.sock: Permission denied
Mar  6 18:47:39 ares postfix/smtpd[31808]: NOQUEUE: milter-reject: CONNECT from tx-67-76-233-45.sta.embarqhsd.net[67.76.233.45]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Mar  6 18:47:42 ares postfix/smtpd[31808]: NOQUEUE: milter-reject: HELO from tx-67-76-233-45.sta.embarqhsd.net[67.76.233.45]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Mar  6 18:48:01 ares postfix/smtpd[31808]: NOQUEUE: milter-reject: MAIL from tx-67-76-233-45.sta.embarqhsd.net[67.76.233.45]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<me>
Mar  6 18:48:42 ares postfix/smtpd[31808]: disconnect from tx-67-76-233-45.sta.embarqhsd.net[67.76.233.45]


topdog 7th March 2008 07:19

Are you sure you loaded the selinux policy ?

pheniks 7th March 2008 07:26

Errr... I'm pretty sure that I disabled SELinux. But, I think I wound up having to do it manually through a config file and then turn off the service.

topdog 7th March 2008 07:37

Selinux does not run as a service its loaded at boot time by the kernel
what is the output of
Code:

sestatus

pheniks 7th March 2008 07:41

Output of sestatus:
Code:

SELinux status:                enabled
SELinuxfs mount:                /selinux
Current mode:                  enforcing
Mode from config file:          disabled
Policy version:                21
Policy from config file:        targeted

I must note here that you are quite thorough and I appreciate all the help.

Thank you!

falko 7th March 2008 15:49

Please reboot your system and run
Code:

sestatus
again.


All times are GMT +2. The time now is 11:41.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.