CentOS 5, Scalix 11.2 & ClamAV: Mapper Error

Mike_from_Newfoundland

Postby Mike_from_Newfoundland » Tue Nov 27, 2007 11:12 pm

Folks - I've just installed Scalix 11.2 on CentOS 5 and everything is working well EXCEPT that I cannot get the ClamAV antivirus working.

I've followed the directions at http://swifttide.com/scalix/Scalix_Setup.html and in the Scalix Administration Guide's Virus Protection chapter, scanned the Scalix Community Forums and Googled without any luck.

I've added clamav to the scalix group.
I've

Code:

# cp /opt/scalix/examples/general/omvscan.map /var/opt/scalix/MYSERVER/s/rules/
# chown root /var/opt/scalix/MYSERVER/s/rules/omvscan.map
# chmod 555 /var/opt/scalix/MYSERVER/s/rules/omvscan.map


I have the ALL-ROUTES.VIR file simply down to:

Code:

VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=!ndninfo.txt

and ndinfo.txt is simply

Code:

Rejected due to virus


The rules directory has the following permissions/owners/groups:

Code:

-rw-r--r--  1 root   root      54 Nov 27 23:01 ALL-ROUTES.VIR
-rw-r--r--  1 root   root      81 Nov 27 23:02 ndninfo.txt
-r-xr-xr-x  1 root   root   35809 Nov 27 23:02 omvscan.map


The error is:

Code:


ERROR                          Service Router(Service Router) 11.27.07 22:32:21
[OM 5181] Reply timed out or invalid - Mapper protocol problem.
Command sent: QUIT Please Close This Session
Reply received:


ERROR                          Service Router(Service Router) 11.27.07 22:32:21
[OM 5183] A Mapper error has been detected.
Current errno value: 4
        <- rsl_GetRuleValue
        -> rsl_GetRuleValue
        <- rsl_GetRuleValue
        -> rsl_GetRuleValue
        <- rsl_GetRuleValue
        -> rsl_GetRuleValue
        <- rsl_GetRuleValue
        <- rsl_GetRuleSet
        <- sr_CheckForVirusRule
        -> vs_ScanInit
        -> vs_ScanActive
        <- vs_ScanActive
        -> vs_omScanInit
        -> vs_GenericScanInit
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:244[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:398[100,5183]


SERIOUS ERROR                  Service Router(Service Router) 11.27.07 22:32:21
[OM 5183] A Mapper error has been detected.
        -> rsl_GetRuleValue
        <- rsl_GetRuleValue
        -> rsl_GetRuleValue
        <- rsl_GetRuleValue
        -> rsl_GetRuleValue
        <- rsl_GetRuleValue
        <- rsl_GetRuleSet
        <- sr_CheckForVirusRule
        -> vs_ScanInit
        -> vs_ScanActive
        <- vs_ScanActive
        -> vs_omScanInit
        -> vs_GenericScanInit
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:244[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:756[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:1454[100,5183]


ERROR                          Service Router(Service Router) 11.27.07 23:07:28
[OM 5181] Reply timed out or invalid - Mapper protocol problem.
Command sent: <none - expect greeting reply>
Reply received: 503 "ClamAV" cannot scan Scalix-owned file


ERROR                          Service Router(Service Router) 11.27.07 23:08:01
[OM 5181] Reply timed out or invalid - Mapper protocol problem.
Command sent: QUIT Please Close This Session
Reply received:


ERROR                          Service Router(Service Router) 11.27.07 23:08:01
[OM 5183] A Mapper error has been detected.
Current errno value: 4
        <- rsl_GetRuleValue
        -> rsl_GetRuleValue
        -> cvc_enhCnvString
        -> cvc_CnvStringTryIconv
        <- cvc_CnvStringTryIconv
        <- cvc_enhCnvString
        <- rsl_GetRuleValue
        <- rsl_GetRuleSet
        <- sr_CheckForVirusRule
        -> vs_ScanInit
        -> vs_ScanActive
        <- vs_ScanActive
        -> vs_omScanInit
        -> vs_GenericScanInit
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:244[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:398[100,5183]


SERIOUS ERROR                  Service Router(Service Router) 11.27.07 23:08:01
[OM 5183] A Mapper error has been detected.
        -> rsl_GetRuleValue
        -> cvc_enhCnvString
        -> cvc_CnvStringTryIconv
        <- cvc_CnvStringTryIconv
        <- cvc_enhCnvString
        <- rsl_GetRuleValue
        <- rsl_GetRuleSet
        <- sr_CheckForVirusRule
        -> vs_ScanInit
        -> vs_ScanActive
        <- vs_ScanActive
        -> vs_omScanInit
        -> vs_GenericScanInit
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:244[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:756[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:1454[100,5183]


ERROR                          Service Router(Service Router) 11.27.07 23:32:23
[OM 5181] Reply timed out or invalid - Mapper protocol problem.
Command sent: <none - expect greeting reply>
Reply received: 503 "ClamAV" cannot scan Scalix-owned file


ERROR                          Service Router(Service Router) 11.27.07 23:32:54
[OM 5181] Reply timed out or invalid - Mapper protocol problem.
Command sent: QUIT Please Close This Session
Reply received:


ERROR                          Service Router(Service Router) 11.27.07 23:32:54
[OM 5183] A Mapper error has been detected.
Current errno value: 4
        <- rsl_GetRuleValue
        -> rsl_GetRuleValue
        -> cvc_enhCnvString
        -> cvc_CnvStringTryIconv
        <- cvc_CnvStringTryIconv
        <- cvc_enhCnvString
        <- rsl_GetRuleValue
        <- rsl_GetRuleSet
        <- sr_CheckForVirusRule
        -> vs_ScanInit
        -> vs_ScanActive
        <- vs_ScanActive
        -> vs_omScanInit
        -> vs_GenericScanInit
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:244[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:398[100,5183]


SERIOUS ERROR                  Service Router(Service Router) 11.27.07 23:32:54
[OM 5183] A Mapper error has been detected.
        -> rsl_GetRuleValue
        -> cvc_enhCnvString
        -> cvc_CnvStringTryIconv
        <- cvc_CnvStringTryIconv
        <- cvc_enhCnvString
        <- rsl_GetRuleValue
        <- rsl_GetRuleSet
        <- sr_CheckForVirusRule
        -> vs_ScanInit
        -> vs_ScanActive
        <- vs_ScanActive
        -> vs_omScanInit
        -> vs_GenericScanInit
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:244[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:756[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:1454[100,5183]


ERROR                          Service Router(Service Router) 11.27.07 23:33:22
[OM 5181] Reply timed out or invalid - Mapper protocol problem.
Command sent: <none - expect greeting reply>
Reply received: 503 "ClamAV" cannot scan Scalix-owned file


ERROR                          Service Router(Service Router) 11.27.07 23:33:52
[OM 5181] Reply timed out or invalid - Mapper protocol problem.
Command sent: QUIT Please Close This Session
Reply received:


ERROR                          Service Router(Service Router) 11.27.07 23:33:52
[OM 5183] A Mapper error has been detected.
Current errno value: 4
        <- rsl_GetRuleValue
        -> rsl_GetRuleValue
        -> cvc_enhCnvString
        -> cvc_CnvStringTryIconv
        <- cvc_CnvStringTryIconv
        <- cvc_enhCnvString
        <- rsl_GetRuleValue
        <- rsl_GetRuleSet
        <- sr_CheckForVirusRule
        -> vs_ScanInit
        -> vs_ScanActive
        <- vs_ScanActive
        -> vs_omScanInit
        -> vs_GenericScanInit
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:244[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:398[100,5183]


SERIOUS ERROR                  Service Router(Service Router) 11.27.07 23:33:52
[OM 5183] A Mapper error has been detected.
        -> rsl_GetRuleValue
        -> cvc_enhCnvString
        -> cvc_CnvStringTryIconv
        <- cvc_CnvStringTryIconv
        <- cvc_enhCnvString
        <- rsl_GetRuleValue
        <- rsl_GetRuleSet
        <- sr_CheckForVirusRule
        -> vs_ScanInit
        -> vs_ScanActive
        <- vs_ScanActive
        -> vs_omScanInit
        -> vs_GenericScanInit
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:244[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:756[100,5183]
        <- /build/11.2.0/src/lib/rsl/rsl_match.c:1454[100,5183]


ERROR                          Service Router(Service Router) 11.27.07 23:35:08
[OM 5181] Reply timed out or invalid - Mapper protocol problem.
Command sent: <none - expect greeting reply>
Reply received: 503 "ClamAV" cannot scan Scalix-owned file



Any idea of how to fix this? I really hate to be running without antivirus. And I can't get SpamAssassin implemented until I get the antivirus issue resolved!

Thanks
Mike

Valerion

Postby Valerion » Wed Nov 28, 2007 6:55 am

Run clamdscan on one of the files in the data directory and see if that works.

Mike_from_Newfoundland

Postby Mike_from_Newfoundland » Wed Nov 28, 2007 7:34 pm

Here's the output:

Code:

[root@marconi 0000001]# clamdscan *
/var/opt/scalix/mi/s/data/0000001/000010g: OK
/var/opt/scalix/mi/s/data/0000001/000010i: OK
/var/opt/scalix/mi/s/data/0000001/000010j: OK
/var/opt/scalix/mi/s/data/0000001/000010k: OK
/var/opt/scalix/mi/s/data/0000001/000010l: OK
/var/opt/scalix/mi/s/data/0000001/000010m: OK
/var/opt/scalix/mi/s/data/0000001/000010n: OK
/var/opt/scalix/mi/s/data/0000001/000010o: OK
/var/opt/scalix/mi/s/data/0000001/000010p: OK
/var/opt/scalix/mi/s/data/0000001/000010q: OK
/var/opt/scalix/mi/s/data/0000001/000010r: OK
/var/opt/scalix/mi/s/data/0000001/000010t: OK
/var/opt/scalix/mi/s/data/0000001/000010u: OK
/var/opt/scalix/mi/s/data/0000001/000010v: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.849 sec (0 m 0 s)

Valerion

Postby Valerion » Thu Nov 29, 2007 4:49 am

Mm .... very funny. That looks correct. Could be that for some reason it can't be executed properly. Check the contents of the Scalix scripts you copied and make sure the path to clamdscan is correct, it may for some reason be different on your system.

Also, see what happens if you replace clamdscan with clamscan. It is a lot less picky about permissions, but will consume more resources and be slower. Good for testing where the problem is, though.

If that fails, turn up debugging in the scripts and see if that helps you figure it out - maybe clamdscan is encountering an error the script is not seeing properly. Remember to restart the Service Router every time after you make changes.

matzer

Postby matzer » Thu Nov 29, 2007 5:18 am

Yesterday we had a similar problem here while upgrading from openSUSE 10.1 to SLES 10 and from Scalix 11.1 to 11.2.

The solution here was just "to wait some time" till clamd was "really" running.

Look in your /var/log/mail log and search for "clam" -> If you see only a message like

"Reading databases from /var/lib/clamav"

you have to wait until you see a message like this

"Loaded 171567 signatures."
"Bound to address 127.0.0.1 on tcp port 3310"

You can also check via netstat whether clamd has bound to the correct port:

---snip---
netstat -anp |grep -i clam
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 11220/clamd
---snap---

After you see the above message in mail and after you checked that clamd has opened the port -> restart sendmail.

Maybe it will work for you too.

Regards,

Matthias
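
The startup wait described in the post above can be checked from the log instead of by eye. This is an added example, not code from the thread or from Scalix or ClamAV; the syslog prefix (`mailhost clamd[4242]:`) and the sample lines are constructed, and it assumes each clamd start logs the three messages quoted above.

```shell
#!/bin/sh
# Added example: decide from the mail log whether the most recent clamd start
# has finished loading, using the messages quoted in the post.

# Usage: clamd_start_state LOGFILE
# Prints "ready <signatures> <address>:<port>", "loading" or "no-start-seen".
# Returns 0 only for "ready".
clamd_start_state() {
    awk '
        # A new start resets everything learned from earlier starts.
        /clamd\[[0-9]+\]: Reading databases from/ { seen = 1; sigs = ""; bound = "" }
        /clamd\[[0-9]+\]: Loaded [0-9]+ signatures/ {
            for (i = 1; i <= NF; i++) if ($i == "Loaded") sigs = $(i + 1)
        }
        /clamd\[[0-9]+\]: Bound to address/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "address") addr = $(i + 1)
                if ($i == "port") port = $(i + 1)
            }
            bound = addr ":" port
        }
        END {
            if (!seen) { print "no-start-seen"; exit 2 }
            if (sigs != "" && bound != "") { print "ready", sigs, bound; exit 0 }
            print "loading"; exit 1
        }' "$1"
}

# Poll LOGFILE until clamd is ready or $2 attempts (one second apart) are used up.
wait_for_clamd() {
    tries=$2
    while [ "$tries" -gt 0 ]; do
        clamd_start_state "$1" >/dev/null && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep 1
    done
    return 1
}

# Constructed log: first only the "Reading databases" line, then the rest.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Nov 29 05:01:10 mailhost clamd[4242]: Reading databases from /var/lib/clamav
EOF
clamd_start_state "$demo_log" || true
cat >> "$demo_log" <<'EOF'
Nov 29 05:01:31 mailhost clamd[4242]: Loaded 171567 signatures.
Nov 29 05:01:31 mailhost clamd[4242]: Bound to address 127.0.0.1 on tcp port 3310
EOF
wait_for_clamd "$demo_log" 3 && echo "clamd is up; restart sendmail now"
rm -f "$demo_log"
```
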

les

Re: CentOS 5, Scalix 11.2 & ClamAV: Mapper Error

Postby les » Thu Nov 29, 2007 6:36 am

Mike_from_Newfoundland wrote:
ERROR Service Router(Service Router) 11.27.07 23:35:08
[OM 5181] Reply timed out or invalid - Mapper protocol problem.
Command sent: <none - expect greeting reply>
Reply received: 503 "ClamAV" cannot scan Scalix-owned file

Any idea of how to fix this? I really hate to be running without antivirus. And I can't get SpamAssassin implemented until I get the antivirus issue resolved!

Thanks
Mike


The above error suggests that clamav cannot scan a scalix owned file.

By default the clamav daemon runs under the "clamav" user. The clamav user needs to belong to the scalix group.

What user is your clamd running as? Check /etc/clamd.conf for "^User clamav"

Have you got clamav in the scalix group in /etc/group?

If you need to make changes, restart clamd and scalix.

P.S. It is also necessary to ensure that "AllowSupplementaryGroups yes" is set in the /etc/clamd.conf file.

These days I prefer to run clamav and spamassassin out of sendmail using clamav-milter and spamass-milter. But no need to change everything, the above will work.
Regards,

Les Stott
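
The three settings listed in the post above (the `User` directive, membership of that user in the scalix group, and `AllowSupplementaryGroups yes`) can be audited in one pass. This is an added example, not code from the thread or from Scalix or ClamAV; the function names and the sample files are constructed, and only supplementary membership in the group file is checked.

```shell
#!/bin/sh
# Added example: audit the clamd settings that let it read Scalix-owned files.

# Print the value of the first active (uncommented) directive $2 in clamd config $1.
conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Succeed if user $2 is a supplementary member of group $3 in group file $1.
# A primary-group membership (set in /etc/passwd) is not considered here.
user_in_group() {
    awk -F: -v user="$2" -v grp="$3" '
        $1 == grp {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == user) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Usage: check_scan_access CLAMD_CONF GROUP_FILE MAIL_GROUP
# Prints one line per check and returns the number of failed checks.
check_scan_access() {
    conf=$1; groupfile=$2; mailgroup=$3; failures=0
    user=$(conf_value "$conf" User)
    if [ -z "$user" ]; then
        echo "FAIL: no active 'User' directive in $conf"
        failures=$((failures + 1))
    elif user_in_group "$groupfile" "$user" "$mailgroup"; then
        echo "ok:   $user is a member of group $mailgroup"
    else
        echo "FAIL: $user is not a member of group $mailgroup"
        failures=$((failures + 1))
    fi
    if [ "$(conf_value "$conf" AllowSupplementaryGroups)" = "yes" ]; then
        echo "ok:   AllowSupplementaryGroups yes"
    else
        echo "FAIL: AllowSupplementaryGroups is not 'yes'; supplementary groups are not initialised"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample files: the group line is right, but the directive is still commented out.
demo_dir=$(mktemp -d)
printf '%s\n' '# Default: no' 'User clamav' '#AllowSupplementaryGroups yes' > "$demo_dir/clamd.conf"
printf '%s\n' 'scalix:x:101:clamav' 'clamav:x:102:' > "$demo_dir/group"
check_scan_access "$demo_dir/clamd.conf" "$demo_dir/group" scalix || echo "failed checks: $?"
rm -rf "$demo_dir"
```

On a live host the call would be `check_scan_access /etc/clamd.conf /etc/group scalix`, followed by the clamd and scalix restart the post mentions if anything was changed.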

Mike_from_Newfoundland

Postby Mike_from_Newfoundland » Thu Nov 29, 2007 6:27 pm

Here's my configuration:

Snippets from /etc/clamd

Code:

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes



From /etc/group

Code:

scalix:x:101:clamav
clamav:x:102:


Both clamav and scalix have been restarted (and I even rebooted the server...)

Mike_from_Newfoundland

Postby Mike_from_Newfoundland » Thu Nov 29, 2007 7:27 pm

The socket for Clamd seems to be open:

Code:

[root@marconi 0000001]# netstat -anp | grep -i clam
tcp        0      0 127.0.0.1:3310              0.0.0.0:*                   LISTEN      1854/clamd
unix  2      [ ACC ]     STREAM     LISTENING     6493   1854/clamd          /var/run/clamav/clamav-milter.sock
unix  2      [ ACC ]     STREAM     LISTENING     6958   2188/clamav-milter  /var/run/clamav/clamav-milter.sock
unix  2      [ ]         DGRAM                    6956   2188/clamav-milter


I've noticed in /var/log/maillog that there seems to be clamav-milter scanning (maybe...)

Code:

 Nov 29 19:43:11 marconi sendmail[3828]: lATNDAeK003828: Milter add: header: X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on marconi.pelleys.com
Nov 29 19:43:11 marconi sendmail[3828]: lATNDAeK003828: Milter add: header: X-Virus-Status: Clean
Nov 29 19:43:11 marconi sendmail[3827]: lATND1tT003827: to=<mike@pelleys.com>,<mpelley@pelleys.com>, delay=00:00:10, xdelay=00:00:01, mailer=relay, pri=65732, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (lATNDAeK003828 Message accepted for delivery)
Nov 29 19:43:13 marconi sendmail[3837]: lATNDAeK003828: to=<mpelley@pelleys.com>,<mike@pelleys.com>, delay=00:00:02, xdelay=00:00:01, mailer=scalix_mime, pri=155894, relay=marconi, dsn=2.0.0, stat=Sent (Ok)


However, as soon as I add SMTPFILTER=TRUE to /var/opt/scalix/xx/s/sys/smtpd.cfg the Service Router hangs at first. I can restart the Service Router and it *looks* like it keeps running but as soon as I look at the queue for Service Router the entries keep building until I remove the SMTPFILTER=TRUE from smtpd.cfg and restart scalix.

More suggestions are welcome!

Mike_from_Newfoundland

Postby Mike_from_Newfoundland » Thu Nov 29, 2007 9:43 pm

Okay - I just re-did everything again just changing the loglevel to 2 in /var/opt/scalix/mi/s/sys/omvscan.cfg and it seems now to be working - more-or-less.

If I send the ClamAV EICAR test I don't get the response of a virus infection going back to the sender but I can see in /var/log/maillog the following:

Code:

Nov 29 20:31:36 marconi sendmail[5561]: lAU01WY3005561: from=<mPelley@pelleys.com>, size=5975, class=0, nrcpts=1, msgid=<LF93CC0CBCA404d4dAE95DF0BC0CF7D57.1196380884.marconi.pelleys.com@MHS>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 29 20:31:36 marconi sendmail[5561]: lAU01WY3005561: Milter add: header: X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on marconi.pelleys.com
Nov 29 20:31:36 marconi sendmail[5561]: lAU01WY3005561: Milter add: header: X-Virus-Status: Infected with ClamAV-Test-File
Nov 29 20:31:36 marconi sendmail[5561]: lAU01WY3005561: Milter: data, discard
Nov 29 20:31:36 marconi sendmail[5561]: lAU01WY3005561: discarded


However, I'm not seeing the rejection messages other than in the logs (no e-mail).

AND I don't know what I changed to get this to work!!! (Any suggestions as to where to get the messages sent back to postmaster as well?)

Thanks!

les

Postby les » Fri Nov 30, 2007 3:51 am

Mike_from_Newfoundland wrote:
Okay - I just re-did everything again just changing the loglevel to 2 in /var/opt/scalix/mi/s/sys/omvscan.cfg and it seems now to be working - more-or-less.

If I send the ClamAV EICAR test I don't get the response of a virus infection going back to the sender but I can see in /var/log/maillog the following:

Code:

Nov 29 20:31:36 marconi sendmail[5561]: lAU01WY3005561: from=<mPelley@pelleys.com>, size=5975, class=0, nrcpts=1, msgid=<LF93CC0CBCA404d4dAE95DF0BC0CF7D57.1196380884.marconi.pelleys.com@MHS>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 29 20:31:36 marconi sendmail[5561]: lAU01WY3005561: Milter add: header: X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on marconi.pelleys.com
Nov 29 20:31:36 marconi sendmail[5561]: lAU01WY3005561: Milter add: header: X-Virus-Status: Infected with ClamAV-Test-File
Nov 29 20:31:36 marconi sendmail[5561]: lAU01WY3005561: Milter: data, discard
Nov 29 20:31:36 marconi sendmail[5561]: lAU01WY3005561: discarded


However, I'm not seeing the rejection messages other than in the logs (no e-mail).

AND I don't know what I changed to get this to work!!! (Any suggestions as to where to get the messages sent back to postmaster as well?)

Thanks!


Hmmm.......

Sounds like you are "doubling up" on scanning messages.

Adding SMTPFILTER=TRUE tells scalix to pass through sendmail.

Before that happens, the service router can be configured, using ALL-ROUTES.VIR, to filter via clamav.
If this is the way you want it then you should not see anything related to clamav scanning in /var/log/maillog because it's done by scalix's service router.

If on the other hand you use clamav-milter, integrated into sendmail via sendmail.mc, then you will see messages in /var/log/maillog.

This is one reason why I prefer it filtering outside of the service router, I get to see some useful log information.

You don't need ALL-ROUTES.VIR if using clamav-milter, but you still need SMTPFILTER=TRUE to funnel into sendmail for filtering.

To get notifications see /etc/sysconfig/clamav-milter and "man clamav-milter"
Regards,

Les Stott

