Koozali.org: home of the SME Server

Help needed please: Cannot send or receive emails since update: ClamAV problem

Offline firefox2k2

Hi, I am fairly new to the world of SME so please go easy :-D
I updated the server the other day (we are running SME Server 7.5.1) and, upon rebooting, the server was unable to send or receive any emails. If I attempt to send an email via the web panel I get the message "There was an error sending your message: unable to send data".

I checked the qpsmtpd current log and get the following output.

@400000004db405f129fff9dc 8879 dispatching RCPT TO:<example@gmail.com>
@400000004db405f12a0f8654 8879 250 <example@gmail.com>, recipient ok
@400000004db405f12a165484 8879 dispatching DATA
@400000004db405f12a1a2514 8879 354 go ahead
@400000004db405f12a220c84 8879 spooling message to disk
@400000004db405f12ab53464 8879 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
@400000004db405f12ad510a4 8879 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1303643623:8879:0: lstat() failed: Permission denied. ERROR
@400000004db405f12ad5e394 8879 virus::clamav plugin (data_post): ClamAV error: /usr/bin/clamdscan --stdout  --config-file=/etc/clamd.conf --no-summary /var/spool/qpsmtpd/1303643623:8879:0 2>&1: 2
@400000004db405f12ad5ef4c
@400000004db405f12adb5dec 8879 logging::logterse plugin (deny): ` 127.0.0.1localhost       localhost    <unknown@whatever.co.uk>       <example@gmail.com>  virus::clamav   902             msg denied before queued
@400000004db405f12addc71c 8879 452 Message denied temporarily
@400000004db405f2277956cc 4979 cleaning up after 8879

Output of /var/log/clamd/current

@400000004db405f12ad18664 WARNING: lstat() failed on: /var/spool/qpsmtpd/1303643623:8879:0
@400000004db4098b1ac6d1fc No stats for Database check - forcing reload
@400000004db4098b2048176c Reading databases from /var/clamav
@400000004db409901e45793c Database correctly reloaded (950437 signatures)
@400000004db40990244dd4b4 Reading databases from /var/clamav
@400000004db4099523f475cc Database correctly reloaded (950437 signatures)

Looking at the log I could see it was a problem with Clam. I disabled virus scanning from the server-manager panel and can now send and receive emails, but obviously this is not ideal.

I have tried updating with "yum update clamav" and restarted the server but still have the same problem. There was a problem with duplicate databases, so I deleted the database and ran "freshclam -v".

It looks like a permissions problem and looking in the /var/clamav directory the file permissions are:

-rw-r--r--    1     clamav     402        464384        Apr 13 15:37         bytecode.cld
srw-rw-rw-  1     clamav     402        0                Apr 24 11:56          clamd.socket
-rw-r--r--    1     clamav     402        6638592       Apr 24 06:14         daily.cld
-rw-r--r--    1     clamav     402       26224310      Apr 24 12:28         main.cvd
-rw-------    1     clamav     clamav    2704           Apr 24 12:29         mirrors.dat

If anyone can offer any help I would really appreciate it.

Thank you for reading.

Offline mmccarn

Here's what I have for owners/permissions on my SME 7.5.1 system:
Code:
# ls -l /var/spool
total 384
drwxr-xr-x   2 root    root     4096 Aug  1  2006 anacron
drwx------   3 daemon  daemon   4096 Jan 31  2008 at
drwxr-xr-x   3 root    root     4096 Jun  9  2010 clamav
drwx------   2 root    root     4096 Mar 27  2010 cron
drwxr-xr-x   2 root    root     4096 Feb 21  2005 lpd
drwxrwxr-x   2 root    mail     4096 Jul 24  2010 mail
drwxr-s---  98 qpsmtpd clamav 344064 Apr 24 08:46 qpsmtpd
drwxr-xr-x   2 root    root     4096 Sep  7  2010 repackage
drwxrwxrwt   2 root    root     4096 Mar  2 21:23 samba
drwxr-s---   5 spamd   spamd    4096 Apr 19  2010 spamd
drwxr-x---  18 squid   squid    4096 Apr 24 02:16 squid
drwxrwxrwt   2 root    root     4096 Jun  1  2009 vbox

Code:
# ls -l /var/spool/qpsmtpd/ |more
total 481320
-rw-------  1 qpsmtpd clamav      106 Jul  8  2006 1152403129:10465:0
-rw-------  1 qpsmtpd clamav       51 Jul  8  2006 1152413712:16427:0
-rw-------  1 qpsmtpd clamav    24626 Jul  8  2006 1152417067:18348:0
-rw-------  1 qpsmtpd clamav    20520 Jul  9  2006 1152422321:21564:0
-rw-------  1 qpsmtpd clamav    41013 Jul  9  2006 1152444201:19127:0
-rw-------  1 qpsmtpd clamav       54 Jul  9  2006 1152453817:25183:0
-rw-------  1 qpsmtpd clamav       52 Jul  9  2006 1152457637:29853:0
-rw-------  1 qpsmtpd clamav    41012 Jul  9  2006 1152457688:29862:0
...
Code:
# ls -l /var/clamav
total 105624
-rw-r--r--  1 clamav clamav   464384 Apr 13 09:54 bytecode.cld
-rw-r--r--  1 clamav clamav   140872 Aug 16  2006 clamav-643e35b172c4572a
srw-rw-rw-  1 clamav clamav        0 Apr 13 20:38 clamd.socket
-rw-r--r--  1 clamav clamav  6638592 Apr 24 00:52 daily.cld
-rw-r--r--  1 clamav clamav   911975 Mar  2  2007 daily.cvd.rpmnew
drwxr-xr-x  2 clamav clamav     4096 May 11  2008 daily.inc
-rw-r--r--  1 clamav clamav 65422336 Dec 23 16:53 main.cld
-rw-r--r--  1 clamav clamav 26224310 Feb  8 04:42 main.cvd
-rw-r--r--  1 clamav clamav  8189490 Mar  2  2007 main.cvd.rpmnew
drwxr-xr-x  2 clamav clamav     4096 May 11  2008 main.inc
-rw-------  1 clamav clamav     3172 Apr 24 07:52 mirrors.dat

I think your only concrete problem is indicated in these two lines from your logs:
Code:
@400000004db405f12ab53464 8879 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
@400000004db405f12ad510a4 8879 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1303643623:8879:0: lstat() failed: Permission denied. ERROR

You can change owner & permissions on /var/spool/qpsmtpd to match mine using:
Code:
chown -R qpsmtpd:clamav /var/spool/qpsmtpd
chmod 2750 /var/spool/qpsmtpd
chmod 600 /var/spool/qpsmtpd/*

Unless you already know what happened, you should also be concerned about why your clamav configs belong to the group "402" - this would seem to indicate that something odd happened.  Perhaps you updated clam from a non-SME repository at some point (which might imply that other core components have been updated from non-SME sources)?

Offline firefox2k2

Hi mmccarn,

Thank you for the reply, it is very much appreciated. I have not long joined the company and SME has been running here a long time, so unfortunately I have no idea if it has ever been updated with a non-SME package, but I did think the permissions in the /var/clamav directory looked odd.

Output of ls -l /var/spool/

drwxr-xr-x     2 root    root         4096 Aug  1  2009    anacron
drwx------     3 daemon  daemon 4096 Sep 28  2009   at
drwxr-xr-x     3 root    root         4096 Jun  9  2010    clamav
drwx------     2 root    root         4096 Feb  6 16:20    cron
drwxr-xr-x     2 root    root        4096 Dec  6 12:04    lpd
drwxrwxr-x    2 root    mail        4096 Feb  2 07:39    mail
drwxr-s---     3 qpsmtpd clamav 4096 Apr 24 13:03    qpsmtpd
drwxr-xr-x     2 root    root        4096 Sep  7  2010    repackage
drwxrwxrwt   2 root    root        4096 Mar  3 02:23    samba
drwxr-s---     5 spamd   spamd  4096 Apr 19  2010    spamd
drwxr-x---    18 squid   squid    4096 Apr 24 11:09    squid
drwxrwxrwt   2 root    root        4096 Jun  1  2009     vbox

Here is the output of /var/spool/qpsmtpd/
total 2200
-rwxrwx---  1 qpsmtpd clamav   4733 Mar 30  2010 1269947966:30329:0
-rwxrwx---  1 qpsmtpd clamav  10186 Apr 21  2010 1271822407:2816:0
-rwxrwx---  1 qpsmtpd clamav 109126 Apr 21  2010 1271822708:2871:0
-rwxrwx---  1 qpsmtpd clamav  31216 Apr 21  2010 1271823010:2922:0
-rwxrwx---  1 qpsmtpd clamav   9945 Apr 21  2010 1271823311:3096:0
-rwxrwx---  1 qpsmtpd clamav 204052 Apr 21  2010 1271823612:3149:0
-rwxrwx---  1 qpsmtpd clamav  30365 Apr 21  2010 1271831724:8438:0
-rwxrwx---  1 qpsmtpd clamav 712740 Jun 10  2010 1276187620:5776:30
-rwxrwx---  1 qpsmtpd clamav 991268 Jun 10  2010 1276190711:7665:13
-rwxrwx---  1 qpsmtpd clamav  98340 Jun 10  2010 1276191337:7992:20
drwxrwx---  2 qpsmtpd clamav   4096 Apr 13  2010 msg-1271151320-23248-4

As you can see, the permissions for whatever reason are a lot more open than yours. If you would like to see the output of any logs then let me know. Thank you again for the help.

Offline mmccarn

Hmmm.

If your permissions were already correct then I'd recommend opening a bug in bugzilla (as soon as it's back online).  The next diagnostic steps involve uploading log files and command output that is pretty frustrating to deal with in the forums.

You mention that you just upgraded to v7.5.1 -- what were you upgrading from?

Do you know what yum repositories were involved in your update?  On my system, I have the following repositories enabled by default:
  base
  smeaddons
  smeextras
  smeos
  smeupdates
  updates

Does "clamav" show up in the output of /etc/e-smith/audittools/newrpms?

Is there any mention of clamd.conf in the output of /sbin/e-smith/audittools/templates?

Is there any evidence that your SME is using the Additional Signatures for clam?

I notice the following on my system - indicating that perhaps 402 is the correct group ID for clamav on SME, which poses the question - why isn't clamav still group 402 on your system?:
Code:
# grep clamav /etc/group
clamav:x:402:

# grep clamav /etc/passwd
clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin

If there's any chance you haven't done it yet, I would do the following:
Code:
signal-event post-upgrade; signal-event reboot

Offline firefox2k2

Hi mmccarn,

In the software Installer section of the server manager the following repositories are selected:

CentOS - os
Centos - updates
SME Server - addons
SME Server - extras
SME Server - os
SME Server - updates

Does "clamav" show up in the output of /etc/e-smith/audittools/newrpms?

I have no audittools directory under /etc/e-smith/

Is there any mention of clamd.conf in the output of /sbin/e-smith/audittools/templates?

#!/usr/bin/perl -w

#----------------------------------------------------------------------
# copyright (C) 2006 Gordon Rowell <gordonr@gormand.com.au>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
#----------------------------------------------------------------------

use strict;
use warnings;


Is there any evidence that your SME is using the Additional Signatures for clam?

No


# grep clamav /etc/group
clamav:x:452:

grep clamav /etc/passwd
clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
clamav:x:452:452:Clam Anti Virus Checker:/var/clamav:/sbin/nologin

# id clamav
uid=407(clamav) gid=402 groups=402

Something very wrong there, I think. I have already done a signal-event post-upgrade; signal-event reboot

Offline CharlieBrady

grep clamav /etc/passwd
clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
clamav:x:452:452:Clam Anti Virus Checker:/var/clamav:/sbin/nologin

This is quite likely to be due to a manual edit of /etc/passwd at some time in the past.

Offline firefox2k2

This is quite likely to be due to a manual edit of /etc/passwd at some time in the past.

Hi Charlie, Thank you for the reply, you think someone added this due to a previous permissions problem?

It was working fine until the software update. The first problem was duplicate databases detected; I fixed that by deleting and running freshclam, but we are still having this problem. We can still send and receive emails if antivirus is disabled.

Regards

Paul

Offline CharlieBrady

Hi Charlie, Thank you for the reply, you think someone added this due to a previous permissions problem?

I don't know why someone may have added it. I'm sure, however, that it does give some clue as to why your system is confused.

Show:

ls -l /etc/passwd*

To fix your problem, you will need to choose one of the passwd file entries, delete the other, and then reset any clamav file or directory ownerships which have the wrong uid/gid values. Then restarting the system (or at least freshclam, clamd and qpsmtpd) should give you back a working system.

Offline mmccarn

Quote
i have no audittools directory under /etc/e-smith/
Doh.  I meant /sbin/e-smith/audittools/newrpms

Quote
#!/usr/bin/perl -w

#----------------------------------------------------------------------
# copyright (C) 2006 Gordon Rowell <gordonr@gormand.com.au>
....
I wasn't looking for the contents of the file, but for the results you get when you run the program (same for "newrpms" above).

The above items may be irrelevant given the extra "clamav" account in /etc/passwd.

I'd recommend deleting the clamav line with userid/groupid "452" from your /etc/passwd (since my system says clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin).


Offline CharlieBrady

I'd recommend deleting the clamav line with userid/groupid "452" from your /etc/passwd (since my system says clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin).

I don't think that would be sufficient. The 452 gid in /etc/group also needs to be changed to 402. Then any files or directories with gid of 452 need to be chgrp'd to 402. Then services restarted (freshclam, clamd, and maybe qpsmtpd).
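A small audit script, added here as an example (it is not from the thread or from SME Server), that checks an account name for the two conditions Charlie describes, a duplicated /etc/passwd entry and a gid in /etc/group that disagrees with the account's primary gid, and prints the remediation steps for review instead of running them. It assumes constructed sample passwd/group files, names vipw/vigr as the editors, and relies on GNU find accepting a numeric gid for -group.

```shell
#!/bin/sh
# Added example, not from the thread or from SME Server: audit one account
# name for the symptoms seen above (two passwd entries, a group-file gid that
# disagrees with the account's primary gid) and print, not run, the fix.
# The passwd/group files below are constructed samples; a trap removes them.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
clamav:x:452:452:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
clamav:x:452:
EOF
# count_passwd_entries NAME FILE: how many passwd lines carry that login name
count_passwd_entries() {
    awk -F: -v n="$1" '$1 == n { c++ } END { print c + 0 }' "$2"
}
# primary_gid NAME FILE: gid of the first matching entry, the one id(1) reports
primary_gid() { awk -F: -v n="$1" '$1 == n { print $4; exit }' "$2"; }
# group_gid NAME FILE: gid the group file records under that group name
group_gid() { awk -F: -v n="$1" '$1 == n { print $3; exit }' "$2"; }
# audit_account NAME PASSWD_FILE GROUP_FILE: prints "ok" or the findings
audit_account() {
    findings=""
    n=$(count_passwd_entries "$1" "$2")
    [ "$n" -gt 1 ] && findings="$findings duplicate-passwd-entry"
    pg=$(primary_gid "$1" "$2")
    gg=$(group_gid "$1" "$3")
    [ "$pg" = "$gg" ] || findings="$findings gid-mismatch:passwd=$pg,group=$gg"
    [ -n "$findings" ] || findings=" ok"
    printf '%s\n' "${findings# }"
}
# remediation NAME PASSWD_FILE GROUP_FILE DIR: the steps from the thread,
# printed for review rather than executed on a live mail server
remediation() {
    pg=$(primary_gid "$1" "$2")
    gg=$(group_gid "$1" "$3")
    printf 'vipw   # keep the %s entry with gid %s, delete the other\n' "$1" "$pg"
    printf 'vigr   # change the %s group gid from %s to %s\n' "$1" "$gg" "$pg"
    printf 'find %s -xdev -group %s -exec chgrp -h %s {} +\n' "$4" "$gg" "$pg"
    printf '# then restart freshclam, clamd and qpsmtpd, or reboot\n'
}
audit_account clamav "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
remediation clamav "$SAMPLE_PASSWD" "$SAMPLE_GROUP" /var/clamav
```

Run the audit against the real /etc/passwd and /etc/group, and the find line against /var/spool/qpsmtpd as well as /var/clamav, since both directories in the thread carry the clamav group.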

Offline firefox2k2

Morning Guys,

# ls -l /etc/passwd*
-rw-r--r--  1 root root 9007 Apr 24 10:58 /etc/passwd
-rw-r--r--  1 root root 9007 Apr 24 10:58 /etc/passwd-
-rw-r--r--  1 root root 7970 Sep 17  2009 /etc/passwd_original

So if I remove the 452 clamav entry from /etc/passwd, change /etc/group to 402, then change all directories relating to GID 452 to 402 and restart the server, it should work?

I can't do this at the moment as it's being used, but will try later and report back. Thank you again for the help.