4

I am running postfix postfix-3.3.1_1,1 and clamav-milter clamav-milter-0.100.1_1 on FreeBSD 11.2. Postfix and the milter are set to communicate via a socket. I am not able to get the milter and postfix work together, I must be overlooking something.

In my maillog I get these messages:

xSep 21 11:33:57 mail2 postfix/smtpd[85759]: warning: connect to Milter service unix:/var/run/clamav/clmilter.sock: Permission denied

Postfix runs as user:group postfix:postfix. Clamav runs as clamav:clamav. (When I run clamav as postfix:postfix, the problem still persists.) User postfix is also member of the clamav group.

The permissions on the socket itself are:

srwxrwxrwx 1 clamav clamav 0B Sep 21 11:46:26 2018 /var/run/clamav/clmilter.sock

In clamav-milter.conf I run default values, changing the user to postfix did not work:

MilterSocket unix:/var/run/clamav/clmilter.sock

# MilterSocket unix:/var/spool/postfix/var/run/clamav/clmilter.sock
# MilterSocket inet:8890

# ClamdSocket unix:/var/run/clamav/clmilter.sock

#MilterSocket inet:7357

# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup postfix

# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
#MilterSocketMode 660

# Remove stale socket after unclean shutdown.
#
# Default: yes
FixStaleSocket yes

# Run as another user (clamav-milter must be started by root for this option to work)
#
# Default: unset (don't drop privileges)
User postfix

In rc.conf

clamav_milter_enable="YES"
clamav_milter_socket="/var/run/clamav/clmilter.sock"
clamav_milter_socket_user="postfix"
clamav_milter_socket_group="postfix"

In main.cf of postfix it is also quite standard:

smtpd_milters = unix:/var/run/clamav/clmilter.sock inet:127.0.0.1:8891
Lexib0y
  • 41
  • 1
  • 8
  • The socket's user & group is set in `rc.conf` (see the file `/usr/local/etc/rc.d/clamav-milter`), so if you change it in `clamav-milter.conf` - it's effectively ignored (but I think it should work with the defaults anyway). Are you sure that the unix socket is open? Use `sockstat` to see if it's listed. – Richard Smith Sep 21 '18 at 13:33
  • You are correct, and indeed I am using the default that is also in the rc.d/clamav-milter. But I do not see the one for milter mentioned with sockstat, only the one for clamd. – Lexib0y Sep 21 '18 at 14:19
  • Is the `clamav-milter` service actually running? Use `top` or `ps -aux`. – Richard Smith Sep 21 '18 at 14:34
  • It wasnt running anymore, but I fixed that by copying the sample config over the config. It is running. I still get: xSep 21 16:57:10 mail2 postfix/smtpd[2694]: warning: connect to Milter service unix:/var/run/clamav/clmilter.sock: Permission denied – Lexib0y Sep 21 '18 at 14:58
  • The connection refused is gone. – Lexib0y Sep 21 '18 at 14:59
  • And it appears in `sockstat` now? I haven't used Postfix with ClamAV, but my next step would be to set the socket's user and group to `postfix` by setting the appropriate variables in `/etc/rc.conf`. And maybe change the permissions of the `/var/run/clamav` directory. – Richard Smith Sep 21 '18 at 15:06
  • Yes it does appear in sockstat now. I will experiment some more now and let you know the results. – Lexib0y Sep 21 '18 at 20:11

2 Answers2

1

By default FreeBSD postfix runs chrooted to /var/spool/postfix. Change your smtpd_milters line so that that directory is your root. For example:

smtpd_milters = unix:/clamav/clamav-milter.ctl, ...
  • What will be the actual location of the socket? /var/spool/postfix/clamav/clmilter.sock ? – Lexib0y Sep 23 '18 at 22:21
  • Hi @Lexib0y. I believe it should be `/var/run/clamav/clamd.sock`, but I still remember when I was a FreeBSD user that this link is unsafe! so `/var/spool/postfix/clamav/clmilter.sock` should be fine. I have to check! –  Sep 23 '18 at 22:30
  • I have tried this, but to no avail yet. It is quite a nasty problem, because I have had different results on different attemps. I have had either 'cannot find' or 'no permission' and even both at the same time. I did not manage yet with "/var/spool/postfix/clamav/clmilter.sock" but will experiment some more. – Lexib0y Sep 23 '18 at 22:42
  • @Lexib0y I know it is indeed a nasty one. When I was FreeBSD user, I had to deal with this `problem` till I figure out the solution mentioned above. I hope things will work for you. Good luck! ;-) –  Sep 23 '18 at 22:55
  • 1
    Out of weeknes I changed to the inet socket, that seems to work now. But I do want to solve this problem, so going on tomorrow. – Lexib0y Sep 23 '18 at 22:59
0

I forgot about this question, but I have it working for some time now, so here is how I have it configured now.

Versions of Postfix and Clamav:

clamav-0.102.2,1 postfix-3.5.1,1

in /usr/local/etc/postfix/main.cf I have clamav-milter via inet on port 7357:

smtpd_milters = inet:127.0.0.1:7357 inet:127.0.0.1:8891
milter_default_action = accept

in /usr/local/etc/clamav-milter.conf:

MilterSocket inet:7357
FixStaleSocket yes
PidFile /var/run/clamav/clamav-milter.pid
ClamdSocket unix:/var/run/clamav/clamd.sock

in /usr/local/etc/clamd.conf:

PidFile /var/run/clamav/clamd.pid
LocalSocket /var/run/clamav/clamd.sock
User clamav

in /etc/rc.conf:

clamav_freshclam_enable="YES"
clamav_clamd_enable="YES"
clamav_milter_enable="YES"
clamav_milter_socket="inet:7357"
clamav_milter_socket_mode=777
Lexib0y
  • 41
  • 1
  • 8