Messages

i put 0.0.0.0 into listen address instead of the internal ip fw address.

same result:
tftp> status
Connected to <myintfwip>
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> get test
Transfer timed out.

/var/log/rspamd # cat rspamd.log | grep antivirus   shows nothing
/var/log/rspamd # cat rspamd.log | grep clamav
shows this single entry:
2022-12-10 09:25:07 #5307(normal) <0c1b62>; lua; clamav.lua:131: clamav: message or mime_part is clean

but the id <0c1b62> is not the id from the message/mail with the eicar attachment <48af5d>

thanks, I've created this directory and placed a file 'test' into it
IPaddr is the internal IP of my fw. service has started.

I logged into a rpi, which has an ip of the internal net.
follwing test:
tftp <ip_of_int_fw>
tftp> status
Connected to <ip_of_int_fw>
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> get test
Transfer timed out.
tftp> quit

in opnsense logfile:
tftpd: read(ack): Connection refused

fw rule: pls. see attachment

just installed TFTP plugin on OPNsense 22.7.9_3-amd64

listen addr: 127.0.0.1
enable
and save

service is not starting

logmsg:
Notice   root   /usr/local/etc/rc.d/tftpd: WARNING: failed to start tftpd

I did the change (uncomment) in /usr/local/opnsense/service/templates/OPNsense/Rspamd/antivirus.conf
reapply rspamd config in gui

send an email with eicar attachment, rspamd logs the entry, but no entry (message or mime_part is clean) in rspam log

just checked again, sending email with eicar attachment and observing on opnsense:

/var/log/clamav # tail -f clamd.log
...
Thu Dec  8 09:45:23 2022 -> SelfCheck: Database status OK.

no scan entry at all

eicar email is in my inbox

tail -f /var/log/rspamd/rspamd.log :

2022-12-08 10:01:46 #91594(rspamd_proxy) <39070b>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/milter.sock port 0
2022-12-08 10:01:46 #91594(rspamd_proxy) <39070b>; milter; rspamd_milter_process_command: got connection from 134.255.237.108:46794
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_worker_body_handler: accepted connection from /var/run/rspamd/normal.sock port 0, task ptr: 00000008087368A0
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_message_parse: loaded message; id: <20221208090145.E5515A07D4@mx.mycompany.com>; queue-id: <2BA002549F>; size: 1047; checksum: <b329334dcb0c7b0d8d4f1c6680c5468a>
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; ratelimit.lua:557: skip ratelimit for whitelisted recipient
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; spf.lua:160: use cached record for mycompany.com (0x1c03809a7b10fcaf) in LRU cache for 247 seconds
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 96; 200 required
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 87; 200 required
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; greylist.lua:331: Score too low - skip greylisting
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_stat_check_autolearn: <20221208090145.E5515A07D4@mx.mycompany.com>: autolearn ham for classifier 'bayes' as message's score is negative: -0.81
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; neural.lua:442: skip ham sample to keep spam/ham balance; probability 0.39834024896265563; 580 spam and 963 ham vectors stored
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_task_write_log: id: <20221208090145.E5515A07D4@mx.mycompany.com>, qid: <2BA002549F>, ip: 134.255.237.108, from: <postmaster@mycompany.com>, (default: F (no action): [-0.81/15.00] [DMARC_POLICY_ALLOW(-0.50){mycompany.com;none;},R_SPF_ALLOW(-0.20){+a:mx.mycompany.com:c;},MIME_GOOD(-0.10){multipart/mixed;text/plain;},MX_GOOD(-0.01){},ARC_NA(0.00){},ASN(0.00){asn:197071, ipnet:134.255.237.0/24, country:DE;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROMTLD(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_NA(0.00){},TO_DN_NONE(0.00){},TO_EQ_FROM(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1047, time: 441.904ms, dns req: 17, digest: <b329334dcb0c7b0d8d4f1c6680c5468a>, rcpts: <postmaster@mycompany.com>, mime_rcpts: <postmaster@mycompany.com>
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 172 regexps total, 78 regexps cached, 0B scanned using pcre, 710B scanned total
2022-12-08 10:01:46 #91594(rspamd_proxy) <d0edc5>; proxy; proxy_milter_finish_handler: finished milter connection

pls. see attachment. In Lobby, clamd service is marked with green triangle.

root@gatersv:/usr/local/etc/rspamd # sockstat -n | grep clam
106      clamd      76606 4  tcp4   127.0.0.1:3310        *:*
106      clamd      76606 5  stream /var/run/clamav/clamd.sock

/usr/local/etc/rspamd/local.d/antivirus.conf:
clamav {
    action = "reject";
    scan_mime_parts = true;
    # If `max_size` is set, messages > n bytes in size are not scanned
    max_size = 20000000;
    symbol = "CLAM_VIRUS";
    type = "clamav";
    #log_clean = true;
    servers = "/var/run/clamav/clamd.sock";
    whitelist = "/usr/local/etc/rspamd/local.d/antivirus.wl";
}

cat /var/log/clamav/clamd.log
...
Thu Dec  8 09:04:59 2022 -> +++ Started at Thu Dec  8 09:04:59 2022
Thu Dec  8 09:04:59 2022 -> Received 0 file descriptor(s) from systemd.
Thu Dec  8 09:04:59 2022 -> clamd daemon 1.0.0 (OS: FreeBSD, ARCH: amd64, CPU: amd64)
Thu Dec  8 09:04:59 2022 -> Log file size limited to 1048576 bytes.
Thu Dec  8 09:04:59 2022 -> Reading databases from /var/db/clamav
Thu Dec  8 09:04:59 2022 -> Not loading PUA signatures.
Thu Dec  8 09:04:59 2022 -> Bytecode: Security mode set to "TrustSigned".
Thu Dec  8 09:05:19 2022 -> Loaded 8650696 signatures.
Thu Dec  8 09:05:23 2022 -> TCP: Bound to [127.0.0.1]:3310
Thu Dec  8 09:05:23 2022 -> TCP: Setting connection queue length to 200
Thu Dec  8 09:05:23 2022 -> LOCAL: Unix socket file /var/run/clamav/clamd.sock
Thu Dec  8 09:05:23 2022 -> LOCAL: Setting connection queue length to 200
Thu Dec  8 09:05:23 2022 -> Limits: Global time limit set to 120000 milliseconds.
Thu Dec  8 09:05:23 2022 -> Limits: Global size limit set to 104857600 bytes.
Thu Dec  8 09:05:23 2022 -> Limits: File size limit set to 26214400 bytes.
Thu Dec  8 09:05:23 2022 -> Limits: Recursion level limit set to 16.
Thu Dec  8 09:05:23 2022 -> Limits: Files limit set to 10000.
Thu Dec  8 09:05:23 2022 -> Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Thu Dec  8 09:05:23 2022 -> Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Thu Dec  8 09:05:23 2022 -> Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Thu Dec  8 09:05:23 2022 -> Limits: MaxScriptNormalize limit set to 20971520 bytes.
Thu Dec  8 09:05:23 2022 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Thu Dec  8 09:05:23 2022 -> Limits: MaxPartitions limit set to 50.
Thu Dec  8 09:05:23 2022 -> Limits: MaxIconsPE limit set to 100.
Thu Dec  8 09:05:23 2022 -> Limits: MaxRecHWP3 limit set to 16.
Thu Dec  8 09:05:23 2022 -> Limits: PCREMatchLimit limit set to 100000.
Thu Dec  8 09:05:23 2022 -> Limits: PCRERecMatchLimit limit set to 2000.
Thu Dec  8 09:05:23 2022 -> Limits: PCREMaxFileSize limit set to 104857600.
Thu Dec  8 09:05:23 2022 -> Archive support enabled.
Thu Dec  8 09:05:23 2022 -> AlertExceedsMax heuristic detection disabled.
Thu Dec  8 09:05:23 2022 -> Heuristic alerts enabled.
Thu Dec  8 09:05:23 2022 -> Portable Executable support enabled.
Thu Dec  8 09:05:23 2022 -> ELF support enabled.
Thu Dec  8 09:05:23 2022 -> Mail files support enabled.
Thu Dec  8 09:05:23 2022 -> OLE2 support enabled.
Thu Dec  8 09:05:23 2022 -> PDF support enabled.
Thu Dec  8 09:05:23 2022 -> SWF support enabled.
Thu Dec  8 09:05:23 2022 -> HTML support enabled.
Thu Dec  8 09:05:23 2022 -> XMLDOCS support enabled.
Thu Dec  8 09:05:23 2022 -> HWP3 support enabled.
Thu Dec  8 09:05:23 2022 -> Self checking every 600 seconds.
Thu Dec  8 09:05:23 2022 -> Set stacksize to 2162688
Thu Dec  8 09:15:23 2022 -> SelfCheck: Database status OK.
Thu Dec  8 09:25:23 2022 -> SelfCheck: Database status OK.
Thu Dec  8 09:35:23 2022 -> SelfCheck: Database status OK.
Thu Dec  8 09:45:23 2022 -> SelfCheck: Database status OK.

my config is not checking/rejecting an email with eicar attachement

what should i enable in rspamd service to make clamav work?

has no one a suggestion?

Hello,
I have setup a mailgw on opnsense latest release according to https://docs.opnsense.org/manual/how-tos/mailgateway.html
sending an email with an attached file which includes the eicar virus pattern is not detected by my opnsense fw.

tail -f /var/log/postfix/latest.log will show me the incoming email.
tail -f /var/log/rspamd/rspamd.log show that rspamd is invoked, spf and dkim checks.

But there is no activation of clamav. no logfile entry of the check.
after enabling in /usr/local/etc/clamav-milter.conf
LogSyslog yes
LogFile /tmp/clamav-milter.log

restart clamv service
also no log entry at all.

It looks like that clamav will be not activated in this milter chain.

Hi,
just replaced my firewall from endian to opnsense. everything worked so far in my esxi environment.
I added a new debian vm. an ip4 dhcp was assigend, but this vm can not access the apt mirror (ip6).
Lookes like internal vm can not acces via ip6.
How can I solve it.

regards.

Thanx,
just disabled it.

Hello,

I use postfix and get the following warning:
Warning   postfix/smtpd   warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"

How can I set via Web UI this parameter in /usr/local/etc/postfix/main.cf ?
I can not set it directly, because webUI will overwrite it.
It would be neat, if Web UI would allow to place extra params in a text field

regards
rudi

Hi,
I have one public IP/domain name. I want to access multiple backend http(s) servers (upstreams).
I have it working with one backend http server (int ip 10.0.0.5).
https://myhost.mydom.com will show content of internal webserver

now I want to have 2 seperate internal webservers (int ip 10.0.0.5 and 10.0.0.6):
access from internet:
https://myhost.mydom.com/server1
https://myhost.mydom.com/server2

how to achive this?
I want to get rid of the server1 and server2 url part, which will reach the internal web servers.

Any ideas, working examples?

regards
rudi