postfix + clamav-milter

Hi,

I'm using postfix and clamav-milter on debian lenny. Unfortunately virus count is not working. I read in the changelog that clamav-milter is supported since 1.09. I'm using 1.14. Probably the clamav-milter only works with sendmail, right?

In mail-log there is following log:

Sep 16 21:54:37 server postfix/smtpd[6899]: connect from web.heise.de[193.99.144.71]
Sep 16 21:54:37 server postfix/smtpd[6899]: EB07C23F41: client=web.heise.de[193.99.144.71]
Sep 16 21:54:38 server postfix/cleanup[6903]: EB07C23F41: message-id=<E1Mo0aK-0000Yv-Ss.octo09@...>
Sep 16 21:54:38 server postfix/cleanup[6903]: EB07C23F41: milter-reject: END-OF-MESSAGE from web.heise.de[193.99.144.71]: 5.7.1 This eMail is infected by "Eicar-Test-Signature"; from=<emailcheck-robot@...> to=<floh@...> proto=ESMTP helo=<web.heise.de>
Sep 16 21:54:38 server postfix/smtpd[6899]: disconnect from web.heise.de[193.99.144.71]

I looked into perl script and found "clamav-milter" but in perl it checks if $prog=="clamav-milter" actually (if you look my pasted log) $prog == "cleanup". So I found in perlscript, where $prog == "cleanup". I added some lines there:

--- mailgraph 2009-09-17 10:01:26.000000000 +0200 +++ mailgraph-modified 2009-09-17 09:58:22.000000000 +0200
@@ -628,7 +628,12 @@ } } elsif($prog eq 'cleanup') { - if($text =~ /^[0-9A-Z]+: (?:reject|discard): /) { + if($text =~ /^(?:[0-9A-Z]+: )?milter-reject: /) { + if($text =~ /infected/) { + event($time, 'virus'); + } + } + elsif($text =~ /^[0-9A-Z]+: (?:reject|discard): /) { event($time, 'rejected'); } }

Now it works fine. But the following message is written by me in (/etc/clamav/clamav-milter.log in ) so this text is user-defined, so if($text =~ /infected/) only works if the custom log-text actually contains this word:

This eMail is infected by "Eicar-Test-Signature"

1. What is the best way to parse this virus report in mail.log to get virus-count working? Probably the custom-text must have some (generic) keywords, maybe like "milter-virusscan". I said generic since I don't want to "reply" (reject) virus-sender with information which virusscanner I'm using.

2. @devs: Could you fix mailgraph perlscript, so it works fine with clamav-milter+postfix in next version? If you need more information, let me know please and I'll provide this.

And... no... I don't know much about perl-programming. ( it was just my luck *cough* ;) )

cu
Floh

--
Unsubscribe mailto:mailgraph-request@...?subject=unsubscribe
Help mailto:mailgraph-request@...?subject=help
Archive http://lists.ee.ethz.ch/mailgraph
WebAdmin http://lists.ee.ethz.ch/lsg2.cgi
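
Review bot: the inner test `if($text =~ /infected/)` in the new milter-reject branch runs against the whole of $text, which in the pasted log line also contains the client name and the from=, to= and helo= fields, so a milter rejection for an unrelated reason is counted as 'virus' whenever one of those remote-supplied values contains "infected". Match the keyword only in the reply text between the client's "]: " and "; from=". The branch also drops milter-reject lines that lack the keyword without any event, because the elsif for reject|discard is skipped once the outer if matches; add an else that calls event($time, 'rejected') if those rejections should appear in the graph. The match is case-sensitive as written, so a reject text spelled "Infected" would not be counted either.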

Re: postfix + clamav-milter

On Thu, Sep 17, 2009 at 10:21:59 +0200, Florian Erfurth wrote:
> I looked into perl script and found "clamav-milter" but in perl it
> checks if $prog=="clamav-milter" actually (if you look my pasted log)
> $prog == "cleanup".

Can't you configure clamav-milter to write something to syslog?

Cheers
David

Re: postfix + clamav-milter

David Schweikert wrote:
> On Thu, Sep 17, 2009 at 10:21:59 +0200, Florian Erfurth wrote:
>
>> I looked into perl script and found "clamav-milter" but in perl it
>> checks if $prog=="clamav-milter" actually (if you look my pasted log)
>> $prog == "cleanup".
>
> Can't you configure clamav-milter to write something to syslog?

Yes I think it's possible. I have to look into configure-files and try it. I'll do that today evening when I'm home. I thought, mailgraph is only "looking" into mail.log.

By the way... every sent mail counts 1x sent (which is ok) and 1x received (today I sent to 3 recipients: 3x sent & 1x received. why???).

Thanx!
Floh

Re: postfix + clamav-milter

Florian Erfurth wrote:
> David Schweikert wrote:
>
>> Can't you configure clamav-milter to write something to syslog?
>
> Yes I think it's possible. I have to look into configure-files and try
> it. I'll do that today evening when I'm home.
> I thought, mailgraph is only "looking" into mail.log.

Ok, I enabled clamav-milter to write syslog. The perl-script mailgraph still needs 1 modification in order to get clamav-milter working. In mailgraph if $prog=="clamav-milter", then it looks for "Intercepted", but there is no "Intercepted" but "infected" from clamav-milter log. But ok, I can live with this.

> By the way...
> every sent mail counts 1x sent (which is ok) and 1x received (today I
> sent to 3 recipients: 3x sent & 1x received. why???).

Resolved. I enabled "ignore-localhost", now it looks good.

Only 1 thing goes wrong: If clamav-milter tells postfix to reject this mail (because of virus), mailgraph gets a count for virus *and* received. This is wrong because postfix didn't receive but rejected this mail. Why?

cu
Floh
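
A sketch of the cleanup-line classification discussed in this thread, as an added example that is not part of any post and not mailgraph's own code: it tests the keyword only against the milter's reply text, so the client name and envelope fields around it cannot trigger a virus count. The `classify_cleanup` helper, the keyword and the sample log lines are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the word configured in the milter's reject text
# ("infected" in the thread); matched case-insensitively here.
my $virus_re = qr/infected/i;

# Classify the message part of a postfix/cleanup log line.
# Returns 'virus', 'rejected', or nothing when the line is not a rejection.
sub classify_cleanup {
    my ($text) = @_;
    # [QUEUEID: ]milter-reject: STATE from CLIENT: REPLY; from=<...> to=<...> ...
    # Capture only REPLY: the client name before it and the envelope
    # fields after it are supplied by the remote side.
    if ($text =~ /^(?:[0-9A-Z]+: )?milter-reject: \S+ from \S+: (.*?); from=</) {
        my $reply = $1;
        return $reply =~ $virus_re ? 'virus' : 'rejected';
    }
    return 'rejected' if $text =~ /^[0-9A-Z]+: (?:reject|discard): /;
    return;
}

# The lines after __DATA__ are constructed samples (example.org, 192.0.2.10).
# The second one carries "infected" only in the envelope sender; a match on
# the whole line would count it as a virus, this classifier does not.
my %count = (virus => 0, rejected => 0);
while (my $line = <DATA>) {
    chomp $line;
    # Syslog prefix: "Mon DD HH:MM:SS host postfix/PROG[PID]: TEXT"
    next unless $line =~ m{^\w{3}\s+\d+ [\d:]+ \S+ postfix/([\w-]+)\[\d+\]: (.*)$};
    my ($prog, $text) = ($1, $2);
    next unless $prog eq 'cleanup';
    my $event = classify_cleanup($text);
    $count{$event}++ if defined $event;
}
printf "%s=%d\n", $_, $count{$_} for sort keys %count;

__DATA__
Sep 16 21:54:38 server postfix/cleanup[6903]: EB07C23F41: milter-reject: END-OF-MESSAGE from mx.example.org[192.0.2.10]: 5.7.1 This eMail is infected by "Eicar-Test-Signature"; from=<robot@example.org> to=<user@example.net> proto=ESMTP helo=<mx.example.org>
Sep 16 21:55:02 server postfix/cleanup[6903]: 1A2B3C4D5E: milter-reject: END-OF-MESSAGE from mx.example.org[192.0.2.10]: 4.7.1 Service unavailable - try again later; from=<infected-news@example.org> to=<user@example.net> proto=ESMTP helo=<mx.example.org>
Sep 16 21:55:40 server postfix/cleanup[6903]: 2B3C4D5E6F: reject: header Subject: test from mx.example.org[192.0.2.10]; from=<robot@example.org> to=<user@example.net> proto=ESMTP helo=<mx.example.org>: 5.7.1 message content rejected
Sep 16 21:55:41 server postfix/smtpd[6899]: disconnect from mx.example.org[192.0.2.10]
```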