amavis-user April 2014 archive
Main Archive Page > Month Archives  > amavis-user archives
amavis-user: Re: your mail

Re: your mail

From: Patrick Ben Koetter via amavis-users <amavis-users_at_nospam>
Date: Wed Apr 16 2014 - 17:33:09 GMT
To: amavis-users@amavis.org

Alexander,

* Alexander Dalloz via amavis-users <ad+lists@uni-x.org>:
> There had been a posting in January 2014 on this mailinglist about more or
> less the same problem situation:
>
> http://lists.amavis.org/pipermail/amavis-users/2014-January/002737.html
>
> Unfortunately it hadn't much response and in fact no solution.
>
> From what I have found and tested it feels to be more an amavisd-new issue
> than a Kaspersky software problem. Information about the Debian Wheezy
> amavisd-new version and its Perl helper modules, which I haven't added to
> the Kaspersky forum post, are these:
>
> Apr 15 14:18:06 ikes19 amavis[3125]: logging initialized, log level 2, syslog: amavis.mail
> Apr 15 14:18:06 ikes19 amavis[3125]: starting. /usr/sbin/amavisd-new at iskeg03.iske.net amavisd-new-2.7.1 (20120429), Unicode aware, LANG="en_GB.UTF-8"
> Apr 15 14:18:06 ikes19 amavis[3125]: perl=5.014002, user=, EUID: 106 (106); group=, EGID: 110 110 (110 110)
> Apr 15 14:18:07 ikes19 amavis[3125]: INFO: no optional modules: Unix::Getrusage
> Apr 15 14:18:07 ikes19 amavis[3125]: SpamControl: scanner SpamAssassin, module Amavis::SpamControl::SpamAssassin
> Apr 15 14:18:07 ikes19 amavis[3125]: INFO: SA version: 3.3.2, 3.003002, no optional modules: Net::CIDR::Lite Encode::Detect Razor2:: Client::Agent IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::BMP Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::MechMail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech:: Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::ModMail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMechMail::SPF::v1::Record Mail::SPF::v2::Record auto::NetAddr::IP::full6 auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::inet_n2adauto::NetAddr::IP::Util::inet_any2n auto::NetAddr::IP::Util::ipv6_aton
> Apr 15 14:18:07 ikes19 amavis[3125]: SpamControl: init_pre_chroot on > SpamAssassin done
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: Process Backgrounded
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: 2014/04/15-14:18:07 Amavis (type Net::Server::PreForkSimple) starting! pid(3174)
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: Binding to UNIX socket file "/var/lib/amavis/amavisd.sock"
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: Binding to TCP port 10022 on host 127.0.0.1 with IPv4
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1 with IPv4
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: Group Not Defined. Defaulting to EGID '110 110'
> Apr 15 14:18:07 ikes19 amavis[3174]: Net::Server: User Not Defined. Defaulting to EUID '106'
> Apr 15 14:18:07 ikes19 amavis[3174]: config files read: /usr/share/amavis/conf.d/10-debian_scripts, /usr/share/amavis/conf.d/20-package, /etc/amavis/conf.d/01-debian, /etc/amavis/conf.d/05-domain_id, /etc/amavis/conf.d/05-node_id, /etc/amavis/conf.d/15-av_scanners, /etc/amavis/conf.d/15-content_filter_mode, /etc/amavis/conf.d/20-debian_defaults, /etc/amavis/conf.d/25-amavis_helpers, /etc/amavis/ conf.d/30-template_localization, /etc/amavis/conf.d/50-user
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Amavis::Conf 2.303
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Archive::Zip 1.30
> Apr 15 14:18:07 ikes19 amavis[3174]: Module BerkeleyDB 0.51
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Compress::Zlib 2.033
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Convert::TNEF 0.17
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Convert::UUlib 1.4
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Crypt::OpenSSL::RSA 0.28
> Apr 15 14:18:07 ikes19 amavis[3174]: Module DB_File 1.821
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Digest::MD5 2.51
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Digest::SHA 5.61
> Apr 15 14:18:07 ikes19 amavis[3174]: Module File::Temp 0.22
> Apr 15 14:18:07 ikes19 amavis[3174]: Module IO::Socket::INET6 2.69
> Apr 15 14:18:07 ikes19 amavis[3174]: Module MIME::Entity 5.503
> Apr 15 14:18:07 ikes19 amavis[3174]: Module MIME::Parser 5.503
> Apr 15 14:18:07 ikes19 amavis[3174]: Module MIME::Tools 5.503
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Mail::DKIM::Signer 0.39
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Mail::DKIM::Verifier 0.39
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Mail::Header 2.09
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Mail::Internet 2.09
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Mail::SpamAssassin 3.003002
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Net::DNS 0.66
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Net::Server 2.006
> Apr 15 14:18:07 ikes19 amavis[3174]: Module NetAddr::IP 4.062
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Socket6 0.23
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Time::HiRes 1.972101
> Apr 15 14:18:07 ikes19 amavis[3174]: Module URI 1.60
> Apr 15 14:18:07 ikes19 amavis[3174]: Module Unix::Syslog 1.1
> Apr 15 14:18:07 ikes19 amavis[3174]: Amavis::DB code loaded
>
> Perl's Net::Server is a central component as much as I know and takes care
> for binding to the defined ports. Which part is responsible for the EGID
> und EUID used by the amavisd-new processes? It looks like there is a main
> issue. Why else would there be an error
>
> Apr 14 17:14:29 ikes19 amavis[4265]: (04265-01) (!)connect to
> /var/run/klms/rds_av failed, attempt #1: Can't connect to UNIX socket
> /var/run/klms/rds_av: Permission denied
> when the amavisd-new daemon runs as amavis:amavis (106:110) and the UNIX
> permissions for the Kaspersky socket including the complete path are as
> outlined in the forum post:
>
> # ls -ld / /var /var/run /var/run/klms
> drwxr-xr-x 24 root root 4096 Mar 27 16:24 /
> drwxr-xr-x 11 root root 4096 Mar 27 16:16 /var
> lrwxrwxrwx 1 root root 4 Mar 24 16:00 /var/run -> /run
> drwxrwx--- 2 kluser klusers 1980 Apr 14 18:25 /var/run/klms
> # ls -al /var/run/klms/rds_av
> srw-rw---- 1 kluser klusers 0 Apr 14 17:47 /var/run/klms/rds_av
>
> # getent group klusers
> klusers:x:111:kluser,amavis
>
> The amavis user part of the klusers group.

counter evidence: Have you tried to give 777 ogu access to the socket all the
way down just to prove the permissions are causing the problem?

> Regarding the other error situation where the on-demand Kaspersky scanner
> fails with "Can't connect to facade" seems to originate from the same
> permissions situation.

If both applications - amavis and kav - fail to connect the same path the
problem is like not in these applications. The first thing that comes to my
mind is some third component. But as you've already outlined you don't have
app-armor in place/production.

> # ls -al /var/run/klms/facade
> srwxr-xr-x 1 kluser klusers 0 Apr 14 17:47 /var/run/klms/facade

Can you strace the Kaspersky scanner?
Have you tried to run amavis at its highest log level? You need an extra disc
for that... ;)

> amavisd-new isn't setup to run chrooted, while Postfix is (as in Debian's
> default configuration).

amavis runs outside Postfix and is not affected by Postfix chroot.

p@rick

-- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein