On 11/4/2013 3:54 PM, Noel Jones wrote:
> On 11/4/2013 1:42 PM, inteq wrote:
>> Hello
>>
>> For some time now I was wondering why some of my pflogsumm emails were not
>> received.
>> Digging deeper into the problem today, I can see the emails are being
>> blocked by Postfix because it "contains" a virus.
>>
>> Nov 4 21:36:52 ns4 postfix/smtp[9383]: 338E14303B: to=<t...@example.com>,
>> relay=127.0.0.1[127.0.0.1]:10025, delay=0.14, delays=0.06/0/0.05/0.03,
>> dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
>> Nov 4 21:36:52 ns4 clamsmtpd: 100013: from=r...@ns4.example.com,
>> to=t...@example.com, status=VIRUS:Sanesecurity.Jurlbl.3425.UNOFFICIAL
>> Nov 4 21:36:52 ns4 postfix/qmgr[4676]: 338E14303B: removed
>>
>> I have the latest version (beta) 1.1.5 of pflogsumm and I have tried
>> everything I could find to make Postfix "play nice" and allow my log to be
>> delivered.
>> I am using additional ClamAV signatures, indeed.
>>
>> Any hints how to whitelist emails sent from r...@ns4.example.com, or bypass
>> somehow the virus checks for some addresses?
>
>
> Looks as if you're using the clamsmtp proxy. Arrange for your
> pflogsumm reports to be submitted to the postfix reinjection port
> after clamsmtp.
>
> One fairly tool to do this is with the simple mini_sendmail program.
You should contact the author of Sanesecurity.Jurlbl.3425.UNOFFICIAL. This script is not just badly written, but horribly broken. pflogsumm email output is a text only file, no binary attachment, so it obviously can't contain a virus payload. So this script is clearly matching hostnames and/or domains in the content section of the email, known to host viri/malware, and rejecting the email based solely on this, with a reason of "VIRUS". This concept, and the reason code, is simply wrong-headed. If you say you're rejecting the email because it contains a VIRUS it better well have a binary attachment that contains a virus. Simply matching suspect domains should add score to a spam filter, not outright reject an email, and especially not with a reason code of "VIRUS".

I don't use any of the CLAM software, but I'd guess "UNOFFICIAL" actually means something. Thus you can probably fix this by simply not using UNOFFICIAL Sanesecurity signatures.

-- 
Stan
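Noel's suggestion in the quoted message is to hand the pflogsumm report directly to the Postfix listener that sits behind clamsmtp, so the report never passes through the scanner at all. The following is an added example, not code from the thread, pflogsumm, Postfix or clamsmtp, that does the same job with Python's smtplib in place of mini_sendmail; it assumes the re-injection listener is on 127.0.0.1:10026 (the usual clamsmtp OutAddress, not stated in the thread) and uses constructed placeholder addresses because the ones in the log excerpt are truncated.

```python
"""Submit a pflogsumm report straight to the Postfix re-injection
listener behind clamsmtp.  Hypothetical helper written for this thread;
it is not part of pflogsumm, Postfix or clamsmtp."""
import smtplib
import subprocess
from email.message import EmailMessage

# Assumption: clamsmtp listens on 10025 (the relay in the log above) and
# hands clean mail back to Postfix on 10026, the usual clamsmtp OutAddress.
REINJECT_HOST = "127.0.0.1"
REINJECT_PORT = 10026


def build_report(sender, recipient, body, subject="Postfix log summary"):
    """Wrap the plain-text summary in a minimal message: text/plain only,
    no attachments, which is all pflogsumm ever produces."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def run_pflogsumm(logfile="/var/log/mail.log"):
    """Generate yesterday's summary; pflogsumm must be on PATH."""
    proc = subprocess.run(["pflogsumm", "-d", "yesterday", logfile],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def submit_report(msg, host=REINJECT_HOST, port=REINJECT_PORT,
                  smtp_factory=smtplib.SMTP):
    """Deliver via SMTP to the post-filter listener.  Mail entering there
    is not routed through content_filter again, so the signature match
    cannot discard it.  smtp_factory lets a test supply a fake server."""
    with smtp_factory(host, port) as conn:
        conn.send_message(msg)
    return host, port


if __name__ == "__main__":
    # Constructed placeholder addresses; the thread's addresses are
    # truncated in the log excerpt.
    report = build_report("pflogsumm@ns4.example.com",
                          "postmaster@example.com", run_pflogsumm())
    submit_report(report)
```

The listener on that port is the smtpd entry in master.cf that carries `-o content_filter=`, which is what keeps the report from being scanned again; it should stay bound to 127.0.0.1 so only local processes can submit mail that skips the filter.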