docker-mailserver / docker-mailserver

Production-ready fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) running inside a container.
https://docker-mailserver.github.io/docker-mailserver/latest/
MIT License

bug report: rspamd -> clamav doesn't scan mails #4189

Open tekvsakdan opened 20 hours ago

tekvsakdan commented 20 hours ago

👀 What Happened?

ClamAV doesn't scan mail if rspamd is enabled and amavis is disabled by recommendation from the manual. Basically nothing happens. It does not show up in any of the logs. Whatever I put in antivirus.conf does not work. It works fine with amavis.

enabled = true;

ClamAV {
    type = "clamav";
    servers = "/var/run/clamav/clamd.ctl";
    action = "reject";
    message = '${SCANNER} FOUND VIRUS "${VIRUS}"';
    scan_mime_parts = false;
    symbol = "CLAM_VIRUS";
    log_clean = true;
    max_size = 25000000;
    timeout = 10;
    retransmits = 2;
}

👟 Reproduction Steps

  1. run docker command
  2. log file rspamd.log shows that the antivirus is enabled
  3. send EICAR.txt or EICAR.zip to my e-mail
  4. email was not scanned/rejected

🐋 DMS Version

v14.0.0

💻 Operating System and Architecture

Debian 12.7 / amd64

⚙️ Container configuration files

docker run -d \
    --restart=always \
    --net=host \
    --name=mailserver \
    --cap-add=NET_ADMIN \
    --dns=9.9.9.10 \
    --dns=149.112.112.10 \
    -e LOG_LEVEL=debug \
    -e ENABLE_RSPAMD=1 \
    -e ENABLE_CLAMAV=1 \
    -e ENABLE_OPENDKIM=0 \
    -e ENABLE_OPENDMARC=0 \
    -e ENABLE_POLICYD_SPF=0 \
    -e ENABLE_AMAVIS=0 \
    -e ENABLE_SPAMASSASSIN=0 \
    -e ENABLE_POSTGREY=0 \
    -e ENABLE_FAIL2BAN=1 \
    -e SPOOF_PROTECTION=1 \
    -e SSL_TYPE=letsencrypt \
    -e NETWORK_INTERFACE=eth0 \
    -e POSTFIX_MESSAGE_SIZE_LIMIT=25000000 \
    -v /srv/docker/dms/mail-data/:/var/mail/ \
    -v /srv/docker/dms/mail-state/:/var/mail-state/ \
    -v /srv/docker/dms/mail-logs/:/var/log/mail/ \
    -v /srv/docker/dms/config/:/tmp/docker-mailserver/ \
    -v /srv/docker/certbot/certs/:/etc/letsencrypt \
    -v /etc/localtime:/etc/localtime:ro \
    --hostname=mail.example.com \
    mailserver/docker-mailserver:latest

📜 Relevant log output

rspamd.log after startup

2024-09-21 10:14:05 #750(main) <pru76z>; lua; lua_redis.lua:603: use default Redis settings for antivirus
2024-09-21 10:14:05 #750(main) <pru76z>; lua; antivirus.lua:209: added antivirus engine ClamAV -> CLAM_VIRUS
2024-09-21 10:14:05 #750(main) <pru76z>; cfg; rspamd_init_lua_filters: init lua module antivirus from /usr/share/rspamd/plugins/antivirus.lua; digest: d0f8ebf97e

rspamd.log after sending mail

2024-09-21 10:40:51 #798(rspamd_proxy) <1e3913>; proxy; rspamd_task_write_log: id: <555497d6-660e-442a-a164-706617d198c7@example.com>, qid: <4A0209816BD>, ip: 1.2.3.4, user: mickey.mouse@example.com, from: <mickey.mouse@example.com>, (default: F (no action): [0.00/11.00] [DKIM_SIGNED(0.00){example.com:s=mail;}]), len: 1018, time: 48.959ms, dns req: 1, digest: <adbbf710cfb899809074ce1d616982d0>, rcpts: <admin@example.com>, mime_rcpts: <admin@example.com>, settings_id: authenticated
2024-09-21 10:40:51 #798(rspamd_proxy) <1e3913>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 0 regexps matched, 176 regexps total, 0 regexps cached, 0B scanned using pcre, 0B scanned total

georglauterbach commented 6 hours ago

Can you please put X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* into the body of the test e-mail to check whether it is rejected? :) This way, we can verify that ClamAV is actually working, but probably not configured for scanning attachments.

Our tests check whether this works, so I expect it to work for you. Checking attachments should nevertheless be done as well.

Then, please try this configuration:

enabled = true;

ClamAV {
    type = "clamav";
    servers = "/var/run/clamav/clamd.ctl";
    action = "reject";
    message = '${SCANNER} FOUND VIRUS "${VIRUS}"';
    scan_mime_parts = true;
    scan_text_mime = true;
    scan_image_mime = true;
    symbol = "CLAM_VIRUS";
    log_clean = true;
    max_size = 250000000;
    timeout = 20;
    retransmits = 2;
}
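
A small harness for the check suggested above (EICAR inline in the body versus as a MIME attachment) together with a parser for rspamd's task log line that tells whether the CLAM_VIRUS symbol fired. This is an added example written for this issue, not code from docker-mailserver; the SMTP host, port and credentials in the __main__ block are placeholders for your own submission endpoint.

```python
import re
import smtplib
from email.message import EmailMessage

# EICAR test string (quoted in the issue): harmless by design, flagged by every AV engine.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_test_message(sender, rcpt, as_attachment):
    """EICAR inline in the body, or as a MIME attachment (the case that needs
    scan_mime_parts = true in rspamd's antivirus.conf)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = "EICAR attachment test" if as_attachment else "EICAR body test"
    if as_attachment:
        msg.set_content("EICAR test file attached.")
        msg.add_attachment(EICAR.encode(), maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    else:
        msg.set_content(EICAR)
    return msg

def send_and_classify(host, port, user, password, msg):
    """Submit msg over STARTTLS; 'rejected (...)' when the MTA refuses it at end of
    DATA (where rspamd's action = reject is applied), else 'accepted'."""
    try:
        with smtplib.SMTP(host, port) as smtp:
            smtp.starttls()
            smtp.login(user, password)
            smtp.send_message(msg)
        return "accepted"
    except smtplib.SMTPDataError as exc:
        return f"rejected ({exc.smtp_code} {exc.smtp_error.decode(errors='replace')})"

# rspamd_task_write_log lists fired symbols as NAME(score){options}; map NAME -> score.
SYMBOL_RE = re.compile(r"\b([A-Z][A-Z0-9_]*)\(([-0-9.]+)\)")

def rspamd_symbols(line):
    return {name: float(score) for name, score in SYMBOL_RE.findall(line)}

def virus_symbol_present(line, symbol="CLAM_VIRUS"):
    """True if the antivirus symbol fired for the message logged on this line."""
    return symbol in rspamd_symbols(line)

# Verbatim fragment of the task line in the issue's rspamd.log: only DKIM_SIGNED fired.
ISSUE_LOG_LINE = "(default: F (no action): [0.00/11.00] [DKIM_SIGNED(0.00){example.com:s=mail;}])"

if __name__ == "__main__":
    for variant in (False, True):  # placeholder host and credentials, replace before use
        m = build_test_message("mickey.mouse@example.com", "admin@example.com", variant)
        print(m["Subject"], "->", send_and_classify("mail.example.com", 587, "user", "pass", m))
    print("CLAM_VIRUS fired in issue log line:", virus_symbol_present(ISSUE_LOG_LINE))
```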

georglauterbach commented 6 hours ago

Just FYI: GTube patterns are disabled by default, if you proceed with testing them next. You would need this too:

gtube_patterns = "all"