ClamAV not called by Procmail

Hi guys,

Before I start, and to save people from trying to go through troubleshooting methods I’ve already done, ClamAV is installed. Freshclam has run and databases are up-to-date. The “scan email” option is enabled for both clam and postfix on every domain. There are no errors in procmail’s log. There are no errors in maillog.

Problem:
Spamc shows in the logs and works just fine. It is set to run as a service/server. ClamAV however doesn’t show on the logs anywhere, nor does it leave its imprint in the mail headers (i.e. X-Virus). ClamAV is enabled both for each domain and under the Email Messages > Spam and Virus Scanning settings page. ClamAV is also running in service/server mode, however for troubleshooting I tried switching it to stand-alone (single process) scanner. This had no effect that differed.

Running CentOS Linux 6.6

Procmail conf:

LOGFILE=/var/log/procmail.log
TRAP=/etc/webmin/virtual-server/procmail-logger.pl
:0wi
VIRTUALMIN=|/etc/webmin/virtual-server/lookup-domain.pl --exitcode 73 $LOGNAME
EXITCODE=$?
:0
* ?/usr/bin/test "$EXITCODE" = "73"
/dev/null
EXITCODE=0
:0
* ?/usr/bin/test "$VIRTUALMIN" != ""
{
INCLUDERC=/etc/webmin/virtual-server/procmail/$VIRTUALMIN
}
DEFAULT=$HOME/Maildir/
ORGMAIL=$HOME/Maildir/
DROPPRIVS=yes

Procmail Log (-tail)

    Subject: Cron my@box19 php -q /home/my/public_html/pipe/pop.php
    Folder: /home/my/Maildir/new/1429468922.30660_0.box19.g#######o 2384
    Time:1429468922 From:root@box19.g############ To:my@box19.g########## User:my Size:2448 Dest:/home/my/Maildir/new/1429468922.30660_0.box19.g########## Mode:None
    From root@box19.g################# Sun Apr 19 14:43:01 2015
    Subject: Cron my@box19 php -q /home/my/public_html/pipe/pop.php
    Folder: /home/my/Maildir/new/1429468982.30771_0.box19.g######### 2384
    Time:1429468982 From:root@box19.g################ To:my@box19.g############ User:my Size:2448 Dest:/home/my/Maildir/new/1429468982.30771_0.box19.g########### Mode:None

If anyone knows anything that can help get this solved, I would appreciate it. The only suspicion I have right now is maybe it's something to do with my perl setup as this is a fresh Virtualmin install – I’ve touched no configuration files yet, I have installed some perl modules. So just in case anyone knows of any conflicting perl modules here is what I have installed:

    rpm -qa | grep perl
    perl-IO-Socket-SSL-1.31-2.el6.noarch
    perl-XML-Simple-2.18-6.el6.noarch
    perl-DBD-Pg-2.15.1-4.el6_3.x86_64
    perl-Crypt-SSLeay-0.57-17.el6.x86_64
    perl-IO-Tty-1.08-4.el6.x86_64
    perl-Module-Pluggable-3.90-136.el6_6.1.x86_64
    perl-ExtUtils-ParseXS-2.2003.0-136.el6_6.1.x86_64
    perl-Test-Simple-0.92-136.el6_6.1.x86_64
    perl-DBI-1.609-4.el6.x86_64
    perl-Compress-Zlib-2.021-136.el6_6.1.x86_64
    perl-Digest-SHA-5.47-136.el6_6.1.x86_64
    perl-Socket6-0.23-4.el6.x86_64
    perl-Test-Mock-LWP-0.05-4.el6.noarch
    perl-Net-DNS-0.65-5.el6.x86_64
    perl-GDGraph-1.44-7.el6.noarch
    perl-HTML-Tagset-3.20-4.el6.noarch
    perl-MailTools-2.04-4.el6.noarch
    perl-Crypt-OpenSSL-RSA-0.25-10.1.el6.x86_64
    perl-version-0.77-136.el6_6.1.x86_64
    perl-Pod-Simple-3.13-136.el6_6.1.x86_64
    perl-5.10.1-136.el6_6.1.x86_64
    perl-Test-Harness-3.17-136.el6_6.1.x86_64
    perl-ExtUtils-MakeMaker-6.55-136.el6_6.1.x86_64
    perl-CGI-3.51-136.el6_6.1.x86_64
    perl-URI-1.40-2.el6.noarch
    perl-Compress-Raw-Zlib-2.021-136.el6_6.1.x86_64
    perl-IO-Compress-Zlib-2.021-136.el6_6.1.x86_64
    perl-IO-Zlib-1.09-136.el6_6.1.x86_64
    perl-Encode-Detect-1.01-2.el6.x86_64
    perl-Time-HiRes-1.9721-136.el6_6.1.x86_64
    perl-IO-Socket-INET6-2.56-4.el6.noarch
    perl-Digest-HMAC-1.01-22.el6.noarch
    perl-UNIVERSAL-isa-1.03-1.el6.noarch
    perl-HTML-Parser-3.64-2.el6.x86_64
    perl-XML-Parser-2.36-7.el6.x86_64
    perl-TimeDate-1.16-13.el6.noarch
    perl-Package-Constants-0.02-136.el6_6.1.x86_64
    perl-Net-LibIDN-0.12-3.el6.x86_64
    mod_perl-2.0.4-11.el6_5.x86_64
    perl-YAML-Syck-1.07-4.el6.x86_64
    perl-Mail-Sendmail-0.79-12.el6.noarch
    perl-GDTextUtil-0.86-15.el6.noarch
    perl-Net-SSLeay-1.35-9.el6.x86_64
    perl-Crypt-OpenSSL-Bignum-0.04-8.1.el6.x86_64
    perl-Mail-DKIM-0.37-2.el6.noarch
    perl-NetAddr-IP-4.027-7.el6.x86_64
    perl-Date-Manip-6.24-1.el6.noarch
    perl-Pod-Escapes-1.04-136.el6_6.1.x86_64
    perl-libs-5.10.1-136.el6_6.1.x86_64
    perl-devel-5.10.1-136.el6_6.1.x86_64
    perl-IO-Compress-Base-2.021-136.el6_6.1.x86_64
    perl-DBD-MySQL-4.013-3.el6.x86_64
    perl-UNIVERSAL-can-1.15-1.el6.noarch
    perl-Geo-IP-1.38-6.el6.x86_64
    perl-Digest-SHA1-2.12-2.el6.x86_64
    perl-GD-2.44-3.el6.x86_64
    perl-Test-MockObject-1.09-4.el6.noarch
    perl-libwww-perl-5.833-2.el6.noarch
    perl-Archive-Tar-1.58-136.el6_6.1.x86_64
    perl-Crypt-OpenSSL-Random-0.04-9.1.el6.x86_64
    perl-BSD-Resource-1.29.03-3.el6.x86_64

Thanks for any help you can provide.

PS: I can scan test files (eicars.txt) with clamscan and clamdscan without any issues (both commands identify the file as a virus). Also spamd is working fine as well. I’m seeing emails properly being flagged as spam and written to the .spam directories. The problem is there is no header indication that clam is scanning and if I use an eicars test site to send myself the test virus, it goes straight to my inbox. The maillog shows that spamd does process the email, but clamd never does.

    From eicar@aleph-tec.com Sun Apr 19 17:11:11 2015
    Subject: EICAR anti-virus test file:
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477871. 2526
    Time:1429477871 From:eicar@aleph-tec.com To:admin@a_domain_name.com User:a_user-a_domain_name.com Size:2577 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477871.29567_0.box19.a_host_name.com Mode:None
    From eicar@aleph-tec.com Sun Apr 19 17:11:10 2015
    Subject: EICAR anti-virus test file:
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477880. 4784
    Time:1429477880 From:eicar@aleph-tec.com To:admin@a_domain_name.com User:a_user-a_domain_name.com Size:4835 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477880.29532_0.box19.a_host_name.com Mode:None
    From root@box19.a_host_name.com Sun Apr 19 17:12:01 2015
    Subject: Cron php -q /home/user_dir_2/public_html/pipe/pop.php
    Folder: /home/user_dir_2/Maildir/new/1429477922.29668_0.box19.a_host_name 2384
    Time:1429477922 From:root@box19.a_host_name.com To:user_dir_2@box19.a_host_name.com User:user_dir_2 Size:2448 Dest:/home/user_dir_2/Maildir/new/1429477922.29668_0.box19.a_host_name.com Mode:None
    From root@box19.a_host_name.com Sun Apr 19 17:13:02 2015
    Subject: Cron php -q /home/user_dir_2/public_html/pipe/pop.php
    Folder: /home/user_dir_2/Maildir/new/1429477982.29795_0.box19.a_host_name 2384
    Time:1429477983 From:root@box19.a_host_name.com To:user_dir_2@box19.a_host_name.com User:user_dir_2 Size:2448 Dest:/home/user_dir_2/Maildir/new/1429477982.29795_0.box19.a_host_name.com Mode:None
    From server@box20.a_host_name.com Sun Apr 19 17:13:02 2015
    Subject: lfd on box20.a_host_name.com: Suspicious File Alert
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477983. 1209
    Time:1429477983 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1275 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477983.29811_0.box19.a_host_name.com Mode:None
    From server@box20.a_host_name.com Sun Apr 19 17:13:02 2015
    Subject: lfd on box20.a_host_name.com: Suspicious File Alert
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477983. 1193
    Time:1429477983 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1259 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477983.29827_0.box19.a_host_name.com Mode:None
    From server@box20.a_host_name.com Sun Apr 19 17:13:03 2015
    Subject: lfd on box20.a_host_name.com: Suspicious File Alert
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477983. 1194
    Time:1429477983 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1260 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477983.29879_0.box19.a_host_name.com Mode:None
    From server@box20.a_host_name.com Sun Apr 19 17:13:03 2015
    Subject: lfd on box20.a_host_name.com: Suspicious File Alert
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477983. 1193
    Time:1429477983 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1259 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477983.29894_0.box19.a_host_name.com Mode:None
    From server@box20.a_host_name.com Sun Apr 19 17:13:03 2015
    Subject: lfd on box20.a_host_name.com: Suspicious File Alert
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477983. 1193
    Time:1429477984 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1259 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477983.29930_0.box19.a_host_name.com Mode:None
    From server@box20.a_host_name.com Sun Apr 19 17:13:03 2015
    Subject: lfd on box20.a_host_name.com: Suspicious File Alert
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477984. 1209
    Time:1429477984 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1275 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477984.29943_0.box19.a_host_name.com Mode:None
    From server@box20.a_host_name.com Sun Apr 19 17:13:04 2015
    Subject: lfd on box20.a_host_name.com: Suspicious File Alert
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477984. 1209
    Time:1429477984 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1275 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477984.29978_0.box19.a_host_name.com Mode:None
    From server@box20.a_host_name.com Sun Apr 19 17:13:04 2015
    Subject: lfd on box20.a_host_name.com: Suspicious File Alert
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477984. 1193
    Time:1429477984 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1259 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477984.29991_0.box19.a_host_name.com Mode:None
    From server@box20.a_host_name.com Sun Apr 19 17:13:04 2015
    Subject: lfd on box20.a_host_name.com: Suspicious File Alert
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477984. 1193
    Time:1429477984 From:server@box20.a_host_name.com To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1259 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477984.30015_0.box19.a_host_name.com Mode:None
    From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:06 2015
    Subject: Email Security Check: Please confirm your registration
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477987. 8114
    Time:1429477987 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:8182 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477987.30054_0.box19.a_host_name.com Mode:None
    From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:16 2015
    Subject: Test mail 1/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477996. 1837
    Time:1429477996 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1905 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477996.30087_0.box19.a_host_name.com Mode:None
    procmail: Program failure (1) of "/etc/webmin/virtual-server/clam-wrapper.pl"
    From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:16 2015
    Subject: Test mail 2/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
    Folder: /dev/null 1869
    Time:1429477996 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1869 Dest:/dev/null Mode:Virus
    From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:16 2015
    Subject: [SPAM] Test mail 3/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
    Folder: /home/user_dir/homes/a_user/Maildir/.spam/new/14294 1998
    Time:1429477997 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:2066 Dest:/home/user_dir/homes/a_user/Maildir/.spam/new/1429477997.30128_0.box19.a_host_name.com Mode:Spam
    From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:16 2015
    Subject: Test mail 4/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477997. 1913
    Time:1429477997 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1981 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477997.30138_0.box19.a_host_name.com Mode:None
    From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:17 2015
    Subject: Test mail 6/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477998. 1842
    Time:1429477998 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1910 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477998.30188_0.box19.a_host_name.com Mode:None
    From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:18 2015
    Subject: Test mail 7/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477998. 1861
    Time:1429477998 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1929 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477998.30231_0.box19.a_host_name.com Mode:None
    From securitycheck@emailsecuritycheck.net Sun Apr 19 17:13:17 2015
    Subject: Test mail 5/7 (ID=htPL9B!!SyXxcd*Fx*Foyw==)
    Folder: /home/user_dir/homes/a_user/Maildir/new/1429477998. 1841
    Time:1429477998 From:securitycheck@emailsecuritycheck.net To:a_user@a_domain_name.com User:a_user-a_domain_name.com Size:1909 Dest:/home/user_dir/homes/a_user/Maildir/new/1429477998.30183_0.box19.a_host_name.com Mode:None

There you can see these test viruses passing right through procmail without any issue whatsoever.

Found the issue… If “Allow mailbox users to create mail filters?” is set to “YES”, it will stop all virus scanning for every domain.
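
A log check for the symptom described in this thread, as an added example that is not part of the original posts or of Virtualmin: it parses procmail-logger.pl summary lines in the layout quoted above, counts delivery modes and clam-wrapper.pl lines, and lists test messages (subject containing EICAR) that were not handled as Mode:Virus. The sample log, its addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the procmail-logger.pl layout shown in the post;
# addresses, host names and paths are placeholders.
SAMPLE_LOG = """\
From eicar@sender.example Sun Apr 19 17:11:11 2015
 Subject: EICAR anti-virus test file:
  Folder: /home/u/Maildir/new/1429477871. 2526
Time:1429477871 From:eicar@sender.example To:admin@dom.example User:u-dom.example Size:2577 Dest:/home/u/Maildir/new/1429477871.29567_0.mx Mode:None
procmail: Program failure (1) of "/etc/webmin/virtual-server/clam-wrapper.pl"
From check@sender.example Sun Apr 19 17:13:16 2015
 Subject: Test mail 2/7
  Folder: /dev/null 1869
Time:1429477996 From:check@sender.example To:u@dom.example User:u-dom.example Size:1869 Dest:/dev/null Mode:Virus
"""

SUMMARY = re.compile(
    r"Time:(?P<time>\d+) From:(?P<sender>\S*) To:(?P<rcpt>\S*) "
    r"User:(?P<user>\S*) Size:(?P<size>\d+) Dest:(?P<dest>\S*) Mode:(?P<mode>\S+)")
WRAPPER = "clam-wrapper.pl"  # wrapper name as it appears in the post's log

def parse(text):
    """Return (records, wrapper_lines); one record per 'Time:' summary line."""
    records, wrapper_lines, subject = [], 0, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Subject:"):
            subject = line[len("Subject:"):].strip()
        elif line.startswith("procmail:") and WRAPPER in line:
            wrapper_lines += 1
        elif (m := SUMMARY.match(line)):
            records.append({**m.groupdict(), "subject": subject})
            subject = ""  # a summary line closes the current message
    return records, wrapper_lines

def audit(text, test_subject="EICAR"):
    """Count delivery modes and list test messages not handled as Mode:Virus."""
    records, wrapper_lines = parse(text)
    missed = [r for r in records
              if test_subject.lower() in r["subject"].lower() and r["mode"] != "Virus"]
    return {"modes": Counter(r["mode"] for r in records),
            "wrapper_lines": wrapper_lines, "missed_tests": missed}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(dict(report["modes"]), report["wrapper_lines"], report["missed_tests"])
```

A log with no clam-wrapper.pl lines and no Mode:Virus entries, while a known test message is delivered with Mode:None, matches what the thread describes.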