ClamAV email blocked by MailScanner

Discuss the ConfigServer MailScanner Front-End script
omgwalt
Junior Member
Posts: 2
Joined: 28 Aug 2015, 15:17

Post by omgwalt »

I have MailScanner set to check all inbound and outbound email using ClamAV.

I have ClamAV set up to send me an email each day informing me of any possible infections.

For about a week or two now, this email has failed to arrive.

My admins found the problem. ClamAV is apparently blocking itself via MailScanner.

From the maillog:

[root@server ~]# grep 1cqtVW-0002rF-UX /var/log/maillog
Mar 22 23:33:50 server MailScanner: Filename Checks: Allowing 1cqtVW-0002rF-UX clamav-2017-03-22.log (no rule matched)
Mar 22 23:33:51 server MailScanner: Filetype Checks: Allowing 1cqtVW-0002rF-UX clamav-2017-03-22.log
Mar 22 23:33:51 server MailScanner: Clamd::INFECTED:: YARA.r57shell_php_php.UNOFFICIAL :: ./1cqtVW-0002rF-UX/clamav-2017-03-22.log
Mar 22 23:33:51 server MailScanner: Infected message 1cqtVW-0002rF-UX came from 127.0.0.1
Mar 22 23:33:51 server MailScanner: 1cqtVW-0002rF-UX: Received for MailControl Database
Mar 22 23:33:51 server MailScanner: 1cqtVW-0002rF-UX: MailControl cannot insert row: %%C7RPN1O2FYP5LGSYVTBFOC2X10OGEDRXXIPRGRGJJJI5KDWFI8S

We tried whitelisting root@server or 127.0.0.1, but it didn't help.

Any ideas?
Sergio
Junior Member
Posts: 1740
Joined: 12 Dec 2006, 14:56

Re: ClamAV email blocked by MailScanner

Post by Sergio »

(Post modified with steps to fix this)

To fix this, do the following:
- Check where %rules-dir%/virus.scanning.rules is located.

Once in that folder, edit virus.scanning.rules and add the email address that you don't want to be checked for viruses, for example:

From: 127.0.0.1 and From: postmaster@server.domain.com no # postmaster

- Save the file and restart MailScanner.

That will fix the issue.

Sergio
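
Added example, not part of either post and not MailScanner's own code: a Python check that correlates the two maillog line types shown in the first post (`Clamd::INFECTED::` and `Infected message ... came from`) to list messages where a locally generated ClamAV report was itself flagged. The function name and the `clamav-*.log` filename pattern are assumptions taken from the attachment name in that log excerpt.

```python
import re
from collections import defaultdict

# Sample input: the first three lines come from the post; the last two are constructed.
SAMPLE_LOG = """\
Mar 22 23:33:50 server MailScanner: Filename Checks: Allowing 1cqtVW-0002rF-UX clamav-2017-03-22.log (no rule matched)
Mar 22 23:33:51 server MailScanner: Clamd::INFECTED:: YARA.r57shell_php_php.UNOFFICIAL :: ./1cqtVW-0002rF-UX/clamav-2017-03-22.log
Mar 22 23:33:51 server MailScanner: Infected message 1cqtVW-0002rF-UX came from 127.0.0.1
Mar 22 23:40:02 server MailScanner: Clamd::INFECTED:: Example.Test.Signature :: ./1cqtZZ-0000aa-AA/invoice.zip
Mar 22 23:40:02 server MailScanner: Infected message 1cqtZZ-0000aa-AA came from 203.0.113.7
"""

# "Clamd::INFECTED:: <signature> :: ./<message id>/<attachment>"
HIT = re.compile(
    r"MailScanner: Clamd::INFECTED:: (?P<sig>\S+) :: \./(?P<id>[^/\s]+)/(?P<file>\S+)")
# "Infected message <message id> came from <client ip>"
SRC = re.compile(r"MailScanner: Infected message (?P<id>\S+) came from (?P<ip>\S+)")
LOOPBACK = {"127.0.0.1", "::1"}


def self_flagged_reports(log_text, report_pattern=r"clamav-.*\.log$"):
    """Return hits on report-like attachments in mail submitted from loopback."""
    hits = defaultdict(list)   # message id -> [(signature, attachment), ...]
    source = {}                # message id -> client ip
    for line in log_text.splitlines():
        m = HIT.search(line)
        if m:
            hits[m["id"]].append((m["sig"], m["file"]))
            continue
        m = SRC.search(line)
        if m:
            source[m["id"]] = m["ip"]
    report = re.compile(report_pattern)  # assumed naming of the daily report
    found = []
    for msg_id, items in hits.items():
        if source.get(msg_id) not in LOOPBACK:
            continue  # detection on mail from another host: not a self-scan
        for sig, name in items:
            if report.search(name):
                found.append({"id": msg_id, "signature": sig, "attachment": name})
    return found


if __name__ == "__main__":
    for hit in self_flagged_reports(SAMPLE_LOG):
        print(hit["id"], hit["signature"], hit["attachment"])
```

A hit here means the scanner matched a signature inside its own report text rather than in inbound mail. The rule in the reply exempts only mail that matches both the loopback address and the report sender, so other locally submitted mail stays under virus scanning.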