Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: firefox2k2 on April 24, 2011, 02:02:15 PM
-
Hi, I am fairly new to the world of SME so please go easy :-D
I updated the server the other day (we are running SME server 7.5.1) and upon rebooting the server was unable to send or receive any emails. If I attempt to send an email via the web panel I get the message There was an error sending your message: unable to send data
I checked the qpsmtpd current log and get the following output.
@400000004db405f129fff9dc 8879 dispatching RCPT TO:<example@gmail.com>
@400000004db405f12a0f8654 8879 250 <example@gmail.com>, recipient ok
@400000004db405f12a165484 8879 dispatching DATA
@400000004db405f12a1a2514 8879 354 go ahead
@400000004db405f12a220c84 8879 spooling message to disk
@400000004db405f12ab53464 8879 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
@400000004db405f12ad510a4 8879 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1303643623:8879:0: lstat() failed: Permission denied. ERROR
@400000004db405f12ad5e394 8879 virus::clamav plugin (data_post): ClamAV error: /usr/bin/clamdscan --stdout --config-file=/etc/clamd.conf --no-summary /var/spool/qpsmtpd/1303643623:8879:0 2>&1: 2
@400000004db405f12ad5ef4c
@400000004db405f12adb5dec 8879 logging::logterse plugin (deny): ` 127.0.0.1localhost localhost <unknown@whatever.co.uk> <example@gmail.com> virus::clamav 902 msg denied before queued
@400000004db405f12addc71c 8879 452 Message denied temporarily
@400000004db405f2277956cc 4979 cleaning up after 8879
Output of /var/log/clamd/current
@400000004db405f12ad18664 WARNING: lstat() failed on: /var/spool/qpsmtpd/1303643623:8879:0
@400000004db4098b1ac6d1fc No stats for Database check - forcing reload
@400000004db4098b2048176c Reading databases from /var/clamav
@400000004db409901e45793c Database correctly reloaded (950437 signatures)
@400000004db40990244dd4b4 Reading databases from /var/clamav
@400000004db4099523f475cc Database correctly reloaded (950437 signatures)
Looking at the log I could see it was a problem with Clam. I disabled virus scanning from the server-manager panel and can now send and receive emails; obviously this is not ideal.
I have tried updating with "yum update clamav" and restarted the server but still have the same problem. There was a problem with duplicate databases so I deleted the database and ran "freshclam -v"
It looks like a permissions problem and looking in the /var/clamav directory the file permissions are:
-rw-r--r-- 1 clamav 402 464384 Apr 13 15:37 bytecode.cld
srw-rw-rw- 1 clamav 402 0 Apr 24 11:56 clamd.socket
-rw-r--r-- 1 clamav 402 6638592 Apr 24 06:14 daily.cld
-rw-r--r-- 1 clamav 402 26224310 Apr 24 12:28 main.cvd
-rw------- 1 clamav clamav 2704 Apr 24 12:29 mirrors.dat
If anyone can offer any help I would really appreciate it.
Thank you for reading.
-
Here's what I have for owners/permissions on my SME 7.5.1 system:
# ls -l /var/spool
total 384
drwxr-xr-x 2 root root 4096 Aug 1 2006 anacron
drwx------ 3 daemon daemon 4096 Jan 31 2008 at
drwxr-xr-x 3 root root 4096 Jun 9 2010 clamav
drwx------ 2 root root 4096 Mar 27 2010 cron
drwxr-xr-x 2 root root 4096 Feb 21 2005 lpd
drwxrwxr-x 2 root mail 4096 Jul 24 2010 mail
drwxr-s--- 98 qpsmtpd clamav 344064 Apr 24 08:46 qpsmtpd
drwxr-xr-x 2 root root 4096 Sep 7 2010 repackage
drwxrwxrwt 2 root root 4096 Mar 2 21:23 samba
drwxr-s--- 5 spamd spamd 4096 Apr 19 2010 spamd
drwxr-x--- 18 squid squid 4096 Apr 24 02:16 squid
drwxrwxrwt 2 root root 4096 Jun 1 2009 vbox
# ls -l /var/spool/qpsmtpd/ |more
total 481320
-rw------- 1 qpsmtpd clamav 106 Jul 8 2006 1152403129:10465:0
-rw------- 1 qpsmtpd clamav 51 Jul 8 2006 1152413712:16427:0
-rw------- 1 qpsmtpd clamav 24626 Jul 8 2006 1152417067:18348:0
-rw------- 1 qpsmtpd clamav 20520 Jul 9 2006 1152422321:21564:0
-rw------- 1 qpsmtpd clamav 41013 Jul 9 2006 1152444201:19127:0
-rw------- 1 qpsmtpd clamav 54 Jul 9 2006 1152453817:25183:0
-rw------- 1 qpsmtpd clamav 52 Jul 9 2006 1152457637:29853:0
-rw------- 1 qpsmtpd clamav 41012 Jul 9 2006 1152457688:29862:0
...
# ls -l /var/clamav
total 105624
-rw-r--r-- 1 clamav clamav 464384 Apr 13 09:54 bytecode.cld
-rw-r--r-- 1 clamav clamav 140872 Aug 16 2006 clamav-643e35b172c4572a
srw-rw-rw- 1 clamav clamav 0 Apr 13 20:38 clamd.socket
-rw-r--r-- 1 clamav clamav 6638592 Apr 24 00:52 daily.cld
-rw-r--r-- 1 clamav clamav 911975 Mar 2 2007 daily.cvd.rpmnew
drwxr-xr-x 2 clamav clamav 4096 May 11 2008 daily.inc
-rw-r--r-- 1 clamav clamav 65422336 Dec 23 16:53 main.cld
-rw-r--r-- 1 clamav clamav 26224310 Feb 8 04:42 main.cvd
-rw-r--r-- 1 clamav clamav 8189490 Mar 2 2007 main.cvd.rpmnew
drwxr-xr-x 2 clamav clamav 4096 May 11 2008 main.inc
-rw------- 1 clamav clamav 3172 Apr 24 07:52 mirrors.dat
I think your only concrete problem is indicated in these two lines from your logs:
@400000004db405f12ab53464 8879 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
@400000004db405f12ad510a4 8879 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1303643623:8879:0: lstat() failed: Permission denied. ERROR
You can change owner & permissions on /var/spool/qpsmtpd to match mine using:
chown -R qpsmtpd:clamav /var/spool/qpsmtpd
chmod 2750 /var/spool/qpsmtpd
chmod 600 /var/spool/qpsmtpd/*
Unless you already know what happened, you should also be concerned about why your clamav configs belong to the group "402" - this would seem to indicate that something odd happened. Perhaps you updated clam from a non-SME repository at some point (which might imply that other core components have been updated from non-SME sources)?
-
Hi mmccarn,
Thank you for the reply, it is very much appreciated. I have not long joined the company and SME has been running here a long time, so unfortunately I have no idea if it has ever been updated with a non-SME package, but I did think the permissions in the /var/clamav directory looked odd.
Output of ls -l /var/spool/
drwxr-xr-x 2 root root 4096 Aug 1 2009 anacron
drwx------ 3 daemon daemon 4096 Sep 28 2009 at
drwxr-xr-x 3 root root 4096 Jun 9 2010 clamav
drwx------ 2 root root 4096 Feb 6 16:20 cron
drwxr-xr-x 2 root root 4096 Dec 6 12:04 lpd
drwxrwxr-x 2 root mail 4096 Feb 2 07:39 mail
drwxr-s--- 3 qpsmtpd clamav 4096 Apr 24 13:03 qpsmtpd
drwxr-xr-x 2 root root 4096 Sep 7 2010 repackage
drwxrwxrwt 2 root root 4096 Mar 3 02:23 samba
drwxr-s--- 5 spamd spamd 4096 Apr 19 2010 spamd
drwxr-x--- 18 squid squid 4096 Apr 24 11:09 squid
drwxrwxrwt 2 root root 4096 Jun 1 2009 vbox
Here is the output of /var/spool/qpsmtpd/
total 2200
-rwxrwx--- 1 qpsmtpd clamav 4733 Mar 30 2010 1269947966:30329:0
-rwxrwx--- 1 qpsmtpd clamav 10186 Apr 21 2010 1271822407:2816:0
-rwxrwx--- 1 qpsmtpd clamav 109126 Apr 21 2010 1271822708:2871:0
-rwxrwx--- 1 qpsmtpd clamav 31216 Apr 21 2010 1271823010:2922:0
-rwxrwx--- 1 qpsmtpd clamav 9945 Apr 21 2010 1271823311:3096:0
-rwxrwx--- 1 qpsmtpd clamav 204052 Apr 21 2010 1271823612:3149:0
-rwxrwx--- 1 qpsmtpd clamav 30365 Apr 21 2010 1271831724:8438:0
-rwxrwx--- 1 qpsmtpd clamav 712740 Jun 10 2010 1276187620:5776:30
-rwxrwx--- 1 qpsmtpd clamav 991268 Jun 10 2010 1276190711:7665:13
-rwxrwx--- 1 qpsmtpd clamav 98340 Jun 10 2010 1276191337:7992:20
drwxrwx--- 2 qpsmtpd clamav 4096 Apr 13 2010 msg-1271151320-23248-4
As you can see, the permissions for whatever reason are a lot more open than yours. If you would like to see the output of any logs then let me know. Thank you again for the help.
-
Hmmm.
If your permissions were already correct then I'd recommend opening a bug in bugzilla (as soon as it's back online). The next diagnostic steps involve uploading log files and command output that is pretty frustrating to deal with in the forums.
You mention that you just upgraded to v7.5.1 -- what were you upgrading from?
Do you know what yum repositories were involved in your update? On my system, I have the following repositories enabled by default:
base
smeaddons
smeextras
smeos
smeupdates
updates
Does "clamav" show up in the output of /etc/e-smith/audittools/newrpms?
Is there any mention of clamd.conf in the output of /sbin/e-smith/audittools/templates?
Is there any evidence that your SME is using the Additional Signatures (http://wiki.contribs.org/Virus:Additional_Signatures) for clam?
I notice the following on my system - indicating that perhaps 402 is the correct group ID for clamav on SME, which poses the question - why isn't clamav still group 402 on your system?:
# grep clamav /etc/group
clamav:x:402:
# grep clamav /etc/passwd
clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
If there's any chance you haven't done it yet, I would do the following:
signal-event post-upgrade; signal-event reboot
-
Hi mmccarn,
In the software Installer section of the server manager the following repositories are selected:
CentOS - os
Centos - updates
SME Server - addons
SME Server - extras
SME Server - os
SME Server - updates
Does "clamav" show up in the output of /etc/e-smith/audittools/newrpms?
I have no audittools directory under /etc/e-smith/
Is there any mention of clamd.conf in the output of /sbin/e-smith/audittools/templates?
#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 2006 Gordon Rowell <gordonr@gormand.com.au>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#----------------------------------------------------------------------
use strict;
use warnings;
Is there any evidence that your SME is using the Additional Signatures for clam?
No
# grep clamav /etc/group
clamav:x:452:
grep clamav /etc/passwd
clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
clamav:x:452:452:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
# id clamav
uid=407(clamav) gid=402 groups=402
Something very wrong there I think, I have already done a signal-event post-upgrade; signal-event reboot
-
grep clamav /etc/passwd
clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
clamav:x:452:452:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
This is quite likely to be due to a manual edit of /etc/passwd at some time in the past.
-
This is quite likely to be due to a manual edit of /etc/passwd at some time in the past.
Hi Charlie, Thank you for the reply, you think someone added this due to a previous permissions problem?
It was working fine until the software update. The first problem was duplicate databases detected; I fixed that by deleting and running freshclam, but we are still having this problem. We can still send and receive emails if antivirus is disabled.
Regards
Paul
-
Hi Charlie, Thank you for the reply, you think someone added this due to a previous permissions problem?
I don't know why someone may have added it. I'm sure, however, that it does give some clue as to why your system is confused.
Show:
ls -l /etc/passwd*
To fix your problem, you will need to choose one of the passwd file entries, delete the other, and then reset any clamav file or directory ownerships which have the wrong uid/gid values. Then restarting the system (or at least freshclam, clamd and qpsmtpd) should give you back a working system.
-
i have no audittools directory under /etc/e-smith/
Doh. I meant /sbin/e-smith/audittools/newrpms
#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 2006 Gordon Rowell <gordonr@gormand.com.au>
....
I wasn't looking for the contents of the file, but for the results you get when you run the program (same for "newrpms" above).
The above items may be irrelevant given the extra "clamav" account in /etc/passwd.
I'd recommend deleting the clamav line with userid/groupid "452" from your /etc/passwd (since my system says clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin).
-
This looks quite similar to:
http://bugs.contribs.org/show_bug.cgi?id=321
-
I'd recommend deleting the clamav line with userid/groupid "452" from your /etc/passwd (since my system says clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin).
I don't think that would be sufficient. The 452 gid in /etc/group also needs to be changed to 402. Then any files or directories with gid of 452 need to be chgrp'd to 402. Then services restarted (freshclam, clamd, and maybe qpsmtpd).
-
Morning Guys,
# ls -l /etc/passwd*
-rw-r--r-- 1 root root 9007 Apr 24 10:58 /etc/passwd
-rw-r--r-- 1 root root 9007 Apr 24 10:58 /etc/passwd-
-rw-r--r-- 1 root root 7970 Sep 17 2009 /etc/passwd_original
So if I remove the 452 clamav from the /etc/passwd and change the /etc/group to 402 then change all directories relating to GID 452 to 402 and restart the server it should work?
I can't do this at the moment as it's being used but will try later and report back. Thank you again for the help.
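-
Added example (not part of the original thread and not SME Server tooling): a shell check for the passwd/group inconsistency the posters found, run against constructed copies of the clamav lines posted above. The function name `audit_account` and the finding labels are made up for this illustration, and it assumes the account's primary group has the same name as the account, as on the reference system in the replies.

```shell
#!/bin/sh
# audit_account PASSWD_FILE GROUP_FILE NAME
# Prints one finding per line for account NAME; prints nothing when consistent.
# Assumption: the account's primary group has the same name as the account.
audit_account() {
    awk -F: -v name="$3" '
        FNR == NR {                       # first file: passwd
            if ($1 == name) { n++; uids[n] = $3; gids[n] = $4 }
            next
        }
        {                                 # second file: group
            gname[$3] = $1
            if ($1 == name) ggid = $3
        }
        END {
            if (n > 1) {                  # same login name defined twice
                list = uids[1]
                for (i = 2; i <= n; i++) list = list "," uids[i]
                print "DUPLICATE_USER " name " entries=" n " uids=" list
            }
            for (i = 1; i <= n; i++) {
                if (!(gids[i] in gname))  # primary gid has no /etc/group entry
                    print "ORPHAN_GID " name " uid=" uids[i] " gid=" gids[i]
                if (ggid != "" && gids[i] != ggid)
                    print "GROUP_MISMATCH " name " uid=" uids[i] " gid=" gids[i] " group_gid=" ggid
            }
        }
    ' "$1" "$2"
}

# Constructed sample files. "broken" copies the entries posted in the thread,
# "ok" copies the entries from the reference system shown in the replies.
sample_dir=$(mktemp -d)
entry_407='clamav:x:407:402:Clam Anti Virus Checker:/var/clamav:/sbin/nologin'
entry_452='clamav:x:452:452:Clam Anti Virus Checker:/var/clamav:/sbin/nologin'
printf '%s\n' "$entry_407" "$entry_452" > "$sample_dir/passwd.broken"
printf '%s\n' 'clamav:x:452:' > "$sample_dir/group.broken"
printf '%s\n' "$entry_407" > "$sample_dir/passwd.ok"
printf '%s\n' 'clamav:x:402:' > "$sample_dir/group.ok"

echo "== entries from the affected server =="
audit_account "$sample_dir/passwd.broken" "$sample_dir/group.broken" clamav
echo "== entries from the reference server =="
audit_account "$sample_dir/passwd.ok" "$sample_dir/group.ok" clamav
```

On a live system the call is `audit_account /etc/passwd /etc/group clamav`; `find /var/clamav /var/spool/qpsmtpd -nogroup` then lists files whose numeric gid has no group name.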