Technical Support

How to test SpamAssassin To test the spam filter, it is necessary to send a Gtube test spam email using the command below (Replacing emailonserver@example.com with a real email account on the server). If the Anti-spam is working correctly you will see it listed in the maillog and in Warden log under Warden -> Logs -> Message Log. While testing, note that Gtube test email gives +1000 scores to spam. So, even if a mailbox is in the whitelist, mail still be detected as spam because whitelisted email gets -100 scores. Disable Greylisting: If greylisting is enabled then you must disable it on the recipient domain before running these tests. /usr/local/psa/bin/grey_listing --update-domain example.com -status off Centos/RHEL/CloudLinux/AlmaLinux: echo "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" | mail -S smtp=localhost -r sender@test.com -s "Spam test example" emailonserver@example.com Debian/Ubuntu: apt-get install s-nail echo "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" | s-nail -S smtp=localhost -r sender@test.com -s "Spam test example" emailonserver@example.com How to test ClamAV
To test the virus filter, it is necessary to download the eicar test virus email and send it using the command below (Replacing emailonserver@example.com with a real email account on the server). If the Anti-virus is working correctly you will see it get blocked and it will be listed in the maillog and in Warden -> Logs -> Message Log. Disable Greylisting: If greylisting is enabled then you must disable it on the recipient domain before running these tests. /usr/local/psa/bin/grey_listing --update-domain example.com -status off Centos/RHEL/CloudLinux/AlmaLinux: wget http://www.eicar.org/download/eicar.com.txt echo "TEST MESSAGE w/ ATTACHMENT" | mail -S smtp=localhost -r sender@test.com -s "A/V test example" -a eicar.com.txt emailonserver@example.com Debian/Ubuntu: apt-get install s-nail wget http://www.eicar.org/download/eicar.com.txt echo "TEST MESSAGE w/ ATTACHMENT" | s-nail -S smtp=localhost -r sender@test.com -s "A/V test example" -a eicar.com.txt emailonserver@example.com
View Full Article...

Check the Status of the ClamAV Daemon You can check the ClamAV daemon status under the Anti-virus line in the Services dashboard widget. It should be green and Active. You can click on the Active or Inactive in the status column to get more information. Check the Status of the ClamAV Daemon From the Command Line AlmaLinux/Centos/RockyLinux/RHEL/CloudLinux systemctl status clamd@scan Debian/Ubuntu systemctl status clamav-daemon Checking the Current Configuration From the Command Line You can view the current ClamAV configuration using the clamconf command: clamconf Viewing the ClamAV Daemon Logs You can view the ClamAV deamon logs under Warden -> Logs -> Anti-virus Logs. To view the logs on the command line:
AlmaLinux/Centos/RockyLinux/RHEL/CloudLinux tail -f /var/log/clamd.scan Debian/Ubuntu tail -f /var/log/clamav/clamav.log Monitoring the ClamAV Daemon Memory and CPU Usage Administrators can use the clamdtop command to monitor ClamAV daemon memory and CPU usage statistics from the command line: RHEL/Almalinux/CloudLinux/RockyLinux clamdtop --config-file=/etc/clamd.d/scan.conf Debian/Ubuntu clamdtop --config-file=/etc/clamav/clamd.conf High Server Load / CPU Usage Problems Normally high server load is caused by the clamscan binary when the ClamAV daemon is down. By default Amavis will fall back to the secondary clamscan binary when the ClamAV daemon is down or having problems. Note that the clamscan binary is NOT the same as clamd. Clamd is the highly efficient daemon version of ClamAV while clamscan is the inefficient non-demonized version. Clamscan is not suitable for scanning large amounts of mail because the ClamAV signatures have to be loaded into memory for every scan (This is what causes the high load on the server). Look below for how to disable the clamscan secondary fallback scanner if you don't want Amavis to fall back to it. How to Disable the Clamscan Fallback Scanner To disable the secondary fallback scanner go to Warden -> Settings -> Scanner Settings -> Scanner backup template -> set it to None. Then press the Update button to save the page. ClamAV Memory Problems The most common problem is not enough free memory for the ClamAV daemon. You can check the free memory of the server using the command: free -m: # free -m total used free shared buff/cache available Mem: 64049 30895 15313 3113 17840 29387 Swap: 15259 4333 10926 If the server is running low on free memory sometimes the out of memory killer (OOM Killer) will kill the ClamAV daemon. We recommend a minimum of at least 4 GB of server memory (sometimes more depending on how many services you have running): // AlmaLinux/Centos/RockyLinux/CloudLinux/RHEL zgrep "Out of memory" /var/log/messages* // Debian/Ubuntu zgrep "Out of memory" /var/log/syslog* Jun 19 19:35:21 el8p18 kernel: Out of memory: Killed process 1650121 (clamd) total-vm:3118856kB, anon-rss:2262988kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5888kB oom_score_adj:0 Jun 19 20:30:33 el8p18 kernel: Out of memory: Killed process 1992340 (clamd) total-vm:3072516kB, anon-rss:1895824kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5792kB oom_score_adj:0 Jun 19 21:22:52 el8p18 kernel: Out of memory: Killed process 2007089 (clamd) total-vm:3093760kB, anon-rss:1779240kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5816kB oom_score_adj:0 Create a Swap File if your VM Doesn't Have One
Some times service providers create a virtual machine without any swap file. If your virtual machine doesn't have a swap file then you should create one. You can check if your VM has a swap file using the command: # cat /proc/swaps Filename Type Size Used Priority /dev/dm-1 partition 2097148 735832 -2 Instructions for creating a swap file can be found here. Disable the Out of Memory Killer for ClamAV Edit the ClamAV service file: // RHEL/CloudLinux/AlmaLinux/RockyLinux systemctl edit --full clamd@scan // Debian/Ubuntu # systemctl edit --full clamav-daemon Add the option OOMScoreAdjust=-1000 to the [Service] section: Example (taken from Ubuntu 22.04): [Unit] Description=Clam AntiVirus userspace daemon Documentation=man:clamd(8) man:clamd.conf(5) https://docs.clamav.net/ # Check for database existence ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc} ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} [Service] ExecStart=/usr/sbin/clamd --foreground=true # Reload the database ExecReload=/bin/kill -USR2 $MAINPID StandardOutput=syslog TimeoutStartSec=420 OOMScoreAdjust=-1000 [Install] WantedBy=multi-user.target Restart ClamAV // RHEL/CloudLinux/AlmaLinux/RockyLinux systemctl restart clamd@scan // Debian/Ubuntu systemctl restart clamav-daemon Disable Concurrent Database Reloads to Free Up Memory
If the option ConcurrentDatabaseReload in enabled in ClamAV then during a database reload clamd will load the new DB first and then drop the old one. This concurrent database reload strategy allows it to keep scanning files while loading the new database. The drawback is that it requires twice as much memory as during normal operations. As a result the clamd process can keep getting killed. For servers with under 8 GB of memory we recommend that you disable this option. You can disable this under Warden -> Settings -> Anti-virus Settings -> Concurrent database reload (make sure it is unchecked). Adjusting How Much Memory Amavis Uses Admins can adjust how much free memory Amavis uses by lowering the Max servers option under Warden -> Settings -> Content Filter -> Filter Settings. See here for more information.
View Full Article...

Reject log In the Warden reject log you see the message: Service unavailable - try again later. In the /var/log/maillog Nov 6 02:57:42 el7p17 postfix/smtpd[18663]: 1934840B4BF3: milter-reject: DATA from localhost.localdomain[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; from=<sender@example.com> to=<test@example.com> proto=SMTP helo=<localhost.localdomain> Nov 6 02:57:44 el7p17 postfix/smtpd[18663]: A914C40B4BF3: milter-reject: DATA from localhost.localdomain[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; from=<sender@example.com> to=<test@example.com> proto=SMTP helo=<localhost.localdomain> This is normal behaviour when you have greylisting spam protection enabled. This option can be found under Tools & Settings -> Mail -> Spam Filter. What is Greylisting?
Greylisting is a powerful Anti-Spam technology that is used to detect if the sending server of a message is RFC compliant. This is done through temporarily blocking unknown senders and caching details of the initial message. Since a majority of SPAM Servers or SPAMBots are not, large volumes of unwanted emails can potentially be filtered during SMTP transmission. Compliant Sending Mailservers, however, will resend the message after a short delay and it will be permitted. How does Greylisting work?
When a message from an unknown sender arrives, it will be initially blocked by Greylisting. This block is in the form of a temporary 451 Error being returned to the Sending Server. This temporary error is considered by this server to be a "Delivery Delayed" notification and will resend the message after a period of time.
View Full Article...

ClamAV Problems First check and see that the ClamAV daemon is running properly. See: How can I check the status of ClamAV and fix any problems? Password Protected Archives Amavis will prepend to Subject (for local recipients only) if mail could not be decoded or checked entirely, e.g. due to password-protected archives. To Disable the UNCHECKED Header To disable this on Centos/RHEL edit the file /etc/amavisd/warden.conf or on Debian/Ubuntu edit the file /etc/amavis/conf.d/99-warden and add the line (before the last line 1;): $undecipherable_subject_tag = undef; After making the changes restart Amavis: // Centos/RHEL/CloudLinux/AlmaLinux systemctl restart amavisd // Debian/Ubuntu systemctl restart amavis
View Full Article...

As of ClamAV 0.103.2 the SafeBrowsing config option was deprecated. See here for more information. To fix the error edit the file freshclam.conf and comment out the SafeBrowsing line in the config file. You can use the command: Centos/RHEL/Cloudlinux/AlmaLinux sed -i -e "s/^SafeBrowsing /#SafeBrowsing /" /etc/freshclam.conf Debian/Ubuntu sed -i -e "s/^SafeBrowsing /#SafeBrowsing /" /etc/clamav/freshclam.conf This has been fixed in Warden 2.08-1 and Sentinel 1-14-1 which was published to the Plesk extension directory.
View Full Article...

When trying to start Amavis you see this in the mail log: Oct 02 03:20:15 condor3648 systemd[1]: Starting LSB: Starts amavisd-new mailfilter... Oct 02 03:20:16 condor3648 amavis[1697]: starting. /usr/sbin/amavisd-new at condor3648.startdedicated.com amavisd-new-2.11.0 (20160426), Unicode aware, LC_ALL="C", LANG="en_US.UTF-8" Oct 02 03:20:16 condor3648 amavis[1705]: (!)Net::Server: 2020/10/02-03:20:16 Can't connect to TCP port 10024 on ::1 [Cannot assign requested address]\n at line 64 in file /usr/share/perl5/Net/Server/Proto/TCP.pm Oct 02 03:20:16 condor3648 amavis[1690]: Starting amavisd: amavisd-new. Oct 02 03:20:16 condor3648 systemd[1]: Started LSB: Starts amavisd-new mailfilter. To fix this edit the file /etc/amavisd/warden.conf on Centos/RHEL/Cloudlinux/AlmaLinux or /etc/amavis/conf.d/99-warden on Debian/Ubuntu and add the following line: $inet_socket_bind = '127.0.0.1'; Now restart Amavis: Centos/RHEL/CloudLinux/AlmaLinux systemctl restart amavisd Debian/Ubuntu systemctl restart amavis    
View Full Article...

Bad Header Destiny By default mail with bad headers is quarantined for review but are still delivered to the users mailbox. If you would like to change this to discard or reject mail with bad headers you can change the setting under Warden -> Settings -> Filter Settings -> Final bad header destiny from pass to discard or reject. To disable all bad header tests: To disable all bad header tests on Centos/RHEL/CloudLinux/AlmaLinux edit the file /etc/amavisd/warden.conf or on Debian/Ubuntu edit the file /etc/amavis/conf.d/99-warden and search for the @bypass_header_checks_maps option. Change from: @bypass_header_checks_maps = (\%bypass_header_checks, \@bypass_header_checks_acl, \$bypass_header_checks_re); Change to: @bypass_header_checks_maps = [1]; After making these changes restart Amavis: // Centos/RHEL/CloudLinux/AlmaLinux systemctl restart amavisd // Debian/Ubuntu systemctl restart amavis To disable all bad header tests for a specific policy bank (outgoing email only): Go to Warden -> Settings -> Policy Banks and set the Disable bad header filter to Yes for the policy you want to disable it on. To disable specific bad header tests: There is an $allowed_header_tests option by which you can define what should be looked up during the bad-header checks, and the list is as follows: other catchall for everything else - normally not used mime Bad MIME (sub)headers or bad MIME structure 8bit Invalid non-encoded 8-bit characters in header control Invalid control characters in header (CR or NUL) empty Folded header field made up entirely of whitespace long Header line longer than RFC 2822 limit of 998 characters syntax Header field syntax error missing Missing required header field multiple Duplicate or multiple occurrence of a header field To disable certain tests on Centos/RHEL/CloudLinux/AlmaLinux edit the file /etc/amavisd/warden.conf or on Debian/Ubuntu edit the file /etc/amavis/conf.d/99-warden and search for the $allowed_header_tests option. Setting a test to 0 will disable that test: $allowed_header_tests{'multiple'} = 0; $allowed_header_tests{'missing'} = 0; After making these changes restart Amavis: // Centos/RHEL/CloudLinux/AlmaLinux systemctl restart amavisd // Debian/Ubuntu systemctl restart amavis  
View Full Article...

ClamAV refuses to start and when viewing the status you see ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} was not met. This error means that ClamAV wasn't able to download any anti-virus signatures. # systemctl status clamav-daemon ● clamav-daemon.service - Clam AntiVirus userspace daemon Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled) Drop-In: /etc/systemd/system/clamav-daemon.service.d └─extend.conf Active: inactive (dead) since Thu 2021-09-09 04:02:59 MDT; 16min ago Condition: start condition failed at Thu 2021-09-09 04:08:49 MDT; 11min ago └─ ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} was not met Docs: man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/ Common Problems Freshclam should only be run once per hour as ClamAV will rate limit you otherwise: # /usr/bin/freshclam -d --foreground=true Thu Sep 9 04:22:56 2021 -> ClamAV update process started at Thu Sep 9 04:22:56 2021 Thu Sep 9 04:22:57 2021 -> ^Can't download daily.cvd from https://database.clamav.net/daily.cvd Thu Sep 9 04:22:57 2021 -> ^FreshClam received error code 429 from the ClamAV Content Delivery Network (CDN). Thu Sep 9 04:22:57 2021 -> This means that you have been rate limited by the CDN. Thu Sep 9 04:22:57 2021 -> 1. Run FreshClam no more than once an hour to check for updates. Thu Sep 9 04:22:57 2021 -> FreshClam should check DNS first to see if an update is needed. Thu Sep 9 04:22:57 2021 -> 2. If you have more than 10 hosts on your network attempting to download, Thu Sep 9 04:22:57 2021 -> it is recommended that you set up a private mirror on your network using Thu Sep 9 04:22:57 2021 -> cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the Thu Sep 9 04:22:57 2021 -> CDN and your own network. Thu Sep 9 04:22:57 2021 -> 3. Please do not open a ticket asking for an exemption from the rate limit, Thu Sep 9 04:22:57 2021 -> it will not be granted. Thu Sep 9 04:22:57 2021 -> ^You are on cool-down until after: 2021-09-09 08:22:57 Thu Sep 9 04:22:57 2021 -> main database available for download (remote version: 61) You can try to download them manually and check for any errors: Centos/RHEL/CloudLinux/AlmaLinux // first stop the freshclam service (Centos/RHEL/CloudLinux/AlmaLinux 8 only) systemctl stop clamav-freshclam // run the freshclam command to try to download the signatures and check for any errors /usr/bin/freshclam -d --foreground=true // start up the freshclam service (Centos/RHEL/CloudLinux/AlmaLinux 8 only) systemctl start clamav-freshclam // try to start clamav systemctl restart clamd@scan Debian/Ubuntu // first stop the freshclam service systemctl stop clamav-freshclam // run the freshclam command to try to download the signatures and check for any errors /usr/bin/freshclam -d --foreground=true // start up the freshclam service systemctl start clamav-freshclam // try to start clamav systemctl restart clamav-daemon Manually Downloading Signatures As a last resort you can manually download ClamAV signatures from us to get ClamAV started: // Centos/RHEL/CloudLinux/AlmaLinux cd /var/lib/clamav/ wget https://www.danami.com/hotfix/clamav/main.cvd wget https://www.danami.com/hotfix/clamav/daily.cld chown clamupdate:clamupdate main.cvd chown clamupdate:clamupdate daily.cld systemctl restart clamd@scan // Debian/Ubuntu cd /var/lib/clamav/ wget https://www.danami.com/hotfix/clamav/main.cvd wget https://www.danami.com/hotfix/clamav/daily.cld chown clamav:clamav main.cvd chown clamav:clamav daily.cld systemctl restart clamav-daemon
View Full Article...