bonar wrote:
> Now I'm able to get the "Virus
> intercepted".
> It was great to know you. This is my /var/log/maillog :
>
> Jun 3 12:55:49 uetheta sendmail[8717]: j534t8CU008717:
> from=<[EMAIL PROTECTED]>, size=1482, class=0, nrcpts=1,
> msgid=<[EMAIL PROTECTED]>,
> proto=ESMTP, daemon=MTA, relay=uealpha [192.168.1.10]
> Jun 3 12:55:49 uetheta sendmail[8717]: j534t8CU008717: Milter add:
> header: X-Virus-Scanned: ClamAV version 0.85.1, clamav-milter version
> 0.85 on uetheta
> Jun 3 12:55:49 uetheta sendmail[8717]: j534t8CU008717: Milter add:
> header: X-Virus-Status: Infected with Eicar-Test-Signature
> Jun 3 12:56:10 uetheta sendmail[8759]: j534tnMO008759: from=clamav,
> size=1251, class=0, nrcpts=2,
> msgid=<[EMAIL PROTECTED]>,
> [EMAIL PROTECTED]

Here it looks like sendmail, which is being used to send the local message, is
taking the machine's name as localhost.localdomain. This could be defined in
/etc/hosts if one of the machine's names is exactly that; you can also see this
by running hostname or hostname with a parameter I don't recall that shows the
fully qualified name.

> Jun 3 12:56:10 uetheta sendmail[8770]: STARTTLS=server, relay=uetheta
> [192.168.1.1], version=TLSv1/SSLv3, verify=NO,
> cipher=DHE-RSA-AES256-SHA, bits=256/256
> Jun 3 12:56:10 uetheta sendmail[8759]: STARTTLS=client,
> relay=[192.168.1.1], version=TLSv1/SSLv3, verify=FAIL,
> cipher=DHE-RSA-AES256-SHA, bits=256/256
> Jun 3 12:56:30 uetheta sendmail[8770]: j534uA54008770:
> from=<[EMAIL PROTECTED]>, size=1486, class=0, nrcpts=2,
> msgid=<[EMAIL PROTECTED]>, proto=ESMTP,
> daemon=MTA, relay=uetheta [192.168.1.1]
[snip]
> And this is the email that I got,
>
>
>
> A message sent from <[EMAIL PROTECTED]> to
> <[EMAIL PROTECTED]>
> contained Eicar-Test-Signature and has not been delivered.
>
> The message in question has been quarantined as
> /usr/local/clamav-0.85.1/quarantine/050603/j534nVeE008497.Eicar-Test-Sig
> nature
>
> The message was received by mydomain.com from <[EMAIL PROTECTED]> via
> uealpha [192.168.1.10]
>
> For your information, the original message headers were:
>
> Received: from 192.168.1.10
> (SquirrelMail authenticated user bonar)
> by webmail. mydomain.com with HTTP;
> Fri, 3 Jun 2005 12:50:03 +0800 (MYT)
> Message-ID: <55890. [EMAIL PROTECTED]
> mydomain.com>
> Date: Fri, 3 Jun 2005 12:50:03 +0800 (MYT)
> Subject: [Fwd: test virus]
> From: "Bonar" <bonar@ mydomain.com>
-----------------------^
What's this space doing here?

[snip]
> But I still have this problem
> "ctladdr=<[EMAIL PROTECTED]> (501/501)". It's not been changed
> to [EMAIL PROTECTED]
>
> Still need your advice.

Just to check sendmail, run the following (you may need to add the full path to
sendmail):

    echo '$=R' | sendmail -bt -d0.10

This will show at the end sendmail's machine and domain name configuration;
let's see if "localdomain" does appear. If it does appear it could be a problem
with /etc/hosts like I said before or the configuration of sendmail.

Let's see if the names are OK or the problem shows.

-- 
René Berber

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
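
An added example, not part of the original thread: a check for the /etc/hosts problem suspected above, where the machine's short name sits on the loopback line and so resolves to localhost.localdomain. It assumes name lookups consult the hosts file first and return the first name on the matching line as the canonical name; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# canonical_name HOSTS_FILE NAME
# Prints the canonical name a hosts-file lookup gives for NAME:
# the first name on the first line that lists NAME.
canonical_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }              # strip comments
        NF < 2 { next }                 # need an address and at least one name
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print $2; exit }
        }' "$1"
}

# check_hosts HOSTS_FILE NAME
# Returns 0 if NAME maps to a qualified name, 1 if it maps to
# localhost / localhost.*, 2 if the result is unqualified or missing.
check_hosts() {
    cn=$(canonical_name "$1" "$2")
    case "$cn" in
        localhost|localhost.*) echo "BAD:  $2 -> $cn"; return 1 ;;
        *.*)                   echo "OK:   $2 -> $cn"; return 0 ;;
        *)                     echo "WARN: $2 -> '$cn' (unqualified or missing)"; return 2 ;;
    esac
}

# Constructed sample files (not taken from the poster's machine).
sample_bad=$(mktemp)
sample_good=$(mktemp)
printf '127.0.0.1 localhost.localdomain localhost uetheta\n' > "$sample_bad"
printf '127.0.0.1 localhost.localdomain localhost\n192.168.1.1 uetheta.mydomain.com uetheta\n' > "$sample_good"

check_hosts "$sample_bad" uetheta  || :   # short name on the loopback line
check_hosts "$sample_good" uetheta || :   # short name on its own address line
rm -f "$sample_bad" "$sample_good"
```

On a real system, call check_hosts /etc/hosts "$(hostname)" and compare the result with the names sendmail prints in the test above.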