Not Receiving Email since uninstalling ClamAV


Hi, earlier today, due to other problems, I uninstalled ClamAV. I also manually removed all related files and the antivirus entry in exim.conf (sorry, can't remember the exact line now).

Since I did this, no domain appears to be receiving emails. They can send emails successfully, but when they are sent to a local domain, they never seem to arrive. Emails from the outside world are also not being delivered.

It looks like I might have found the undelivered messages.

They appear to be at /var/spool/virtual/snowweb.net(or whatever other affected domain)/ in a file called by the user's name.

I have tried all the usual things like restarting my VPS container, Exim, DA, etc. I have also switched to the default exim.conf and exim.pl files. I have also tried disabling SpamAssassin but it made no difference.

I tried reinstalling ClamAV too, but even that didn't resolve it, so I stripped it out again.

Please see the log entries below relating to the test email I tried to send from [email protected] to [email protected]:

Exim Mainlog:
2009-06-02 17:48:10 1MBQbK-0003gn-1z <= [email protected] H=(snow-laptop) [124.104.182.33] P=esmtpa A=plain:[email protected] S=3651 [email protected] T="test 11" from <[email protected]> for [email protected]
2009-06-02 17:48:10 1MBQbK-0003gn-1z => peter <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=3815

System Maillog
Jun 2 17:48:58 s1 dovecot[6040]: POP3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/7, size=543911

There was no reference to the test email in the Exim Rejectlog or Paniclog.

I have been working on this issue for the last 12 hours and I'm becoming very unpopular (not to mention, tired and hungry!). I have run out of things to check now.

Please, please can someone help me?
 
You're running Dovecot and the Maildir file system, but it appears that your exim.conf file only works with the old mbox file system.

The easy way to resolve this is to just convert your system to Dovecot; you can find threads here. Just do the entire conversion, following all the steps.

Jeff
 
Hi Jeff, boy am I glad to see you!!

Sorry for the delay here, we've had a lengthy power cut since I posted (what timing!).

I'm trying to convert now, I'm following the instructions here, but got this error,

[root@s1 ~]# cd /usr/local/directadmin/custombuild
[root@s1 custombuild]# ./build clean
There is wrong default PHP in /usr/local/directadmin/custombuild/options.conf set.
[root@s1 custombuild]#

Any ideas?

If anyone else has any ideas, please feel free to join in, as I think Jeff may be offline now and I'm really in trouble now as we're nearly 19 hours without email :(

Thanks,

pete
 
Please can someone help me. For almost 24 hours now we have had no email on any domain. Direct Admin support have not responded to my support request and I can't remember when I last ate or slept.

If somehow I've offended somebody, I apologize in all sincerity. If you PM me and explain how I've created offense, I'll apologize more completely.

Please, please help me.

Regards,

pete
 
It seems that this problem is caused by the fact that I have removed clamav but exim is still looking for it to scan the messages.

There are a lot of people with the same issue, I've found about 5 on this forum so far and only two appeared to be solved. Unfortunately, those two were both fixed by someone who logged in and did the job for the poster and the solution was never explained here.

At one point I typed exim start at the command line and it told me what line of exim.conf has an error (I can't make exim stop, start or restart now for some reason), but I fixed the line error anyway and next time I tried exim start the error was different. It was about not being able to open SMTP stream.

I checked Exim Mainlog again:

malware acl condition: unable to connect to sophie UNIX socket (/var/run/sophie). errno=2

I've done some research and sophie appears to be concerning antivirus, probably clamav.

So somewhere it would appear that ClamAV did not uninstall cleanly and Exim is still trying to use it. My question is how can I stop Exim from trying to do that please?
 
Is there some way I can search for 'sophie' or 'clam' inside every file on the server to try to locate any reference directing Exim to try to connect to clamav/sophie?

I've tried,

grep -r 'sophie' /*

It returns this:
grep: /dev/log: No such device or address
grep: /dev/vzfs: Permission denied

but it does not give me back a command prompt. Could it still be searching?
 
Hello,

Just a followup for a few of the issues relating to this thread (after logging in to check a few things)

1) The /etc/exim.conf wasn't patched for dovecot.
I used this guide to update the exim.conf and repatch it:
http://help.directadmin.com/item.php?id=51

2) Regarding the custombuild "default php" error, that was a bit strange, but simply deleting the options.conf and running "./build" forces it to generate a new one. The value appeared to be set correctly in the options.conf, so I wasn't sure what the issue was there. Regardless, it's fixed. The working build script would have fixed step 1, but I did it manually anyway. I think the previous build script was a bit older (didn't check exactly).

3) since mail was being delivered to /var/spool/virtual, I ran:
./build todovecot

which reconverted everything over. I renamed /var/spool/virtual to virtual.moved, just so that if you run it again, you don't get duplicates, and so that the original emails aren't deleted. (Delete that directory once you're satisfied everything is working ok.)

That should do the trick, the clamav stuff, you can attempt again. If you need to undo and start back to the default exim.conf again, use the guide mentioned above id=51 and don't forget to repatch for dovecot

John
 
I could kiss you!

Thanks John, you don't know how much you helped me. I really, really appreciate it.

I've just received about 50 emails that were caught up and I'm sure the other domains are all back on form now too.

I tried sending and that's working fine too.

I might try ClamAV again if I really can't find an alternative. Rest assured, if I do, I will back up all system files and config next time, before I start.

I'll check the guide you linked to also, so I can understand what you did.

Thanks again for all your help.

Regards,

pete
 
I've done some research and sophie appears to be concerning antivirus, probably clamav.

It is. Make sure the following are removed from exim.conf:

Code:
av_scanner = clamd:/var/run/clamav/clamd

Make sure that check_message: looks like:

Code:
check_message:
  accept

All the lines between check_message: and accept are used by ClamAV. Remove them and you should be good to go.
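
The check discussed above, as an added example that is not part of any post in this thread: a small shell audit that looks only at the Exim config, instead of grepping the whole filesystem, for active antivirus hooks whose scanner socket no longer exists. It relies on the fact that Exim's built-in av_scanner default is sophie:/var/run/sophie, which is why a leftover malware condition with no av_scanner line produces the "unable to connect to sophie UNIX socket" error; the function names and the sample config are constructed for illustration, and only UNIX-socket scanners are handled.

```shell
#!/bin/sh
# Audit an Exim config for antivirus hooks left behind after the scanner
# was uninstalled. Added example; names and sample data are constructed.

DEFAULT_SCANNER='sophie:/var/run/sophie'   # Exim's built-in av_scanner default

# List active (uncommented) lines that set av_scanner or use a malware condition.
av_refs() {
    grep -nE '^[[:space:]]*(av_scanner|!?[[:space:]]*malware)[[:space:]]*=' "$1"
}

# Effective scanner: the configured av_scanner value, else Exim's default.
effective_scanner() {
    v=$(sed -nE 's/^[[:space:]]*av_scanner[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    echo "${v:-$DEFAULT_SCANNER}"
}

# Print "ok" when no malware condition is active or its socket exists,
# otherwise "stale <socket path>" (mail will fail at the ACL stage).
audit_conf() {
    conf=$1
    if ! grep -qE '^[[:space:]]*!?[[:space:]]*malware[[:space:]]*=' "$conf"; then
        echo ok
        return 0
    fi
    sock=$(effective_scanner "$conf" | cut -d: -f2 | cut -d' ' -f1)
    if [ -S "$sock" ]; then echo ok; else echo "stale $sock"; fi
}

# Constructed sample: the av_scanner line was deleted, but the ACL still
# calls malware, so Exim falls back to the sophie default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
check_message:
  deny  message = This message contains a virus
        malware = *
  accept
EOF
av_refs "$sample"      # shows the leftover malware line with its line number
audit_conf "$sample"   # prints: stale /var/run/sophie
rm -f "$sample"
```

On a real server, source the functions and run `audit_conf /etc/exim.conf`; any "stale" result means the lines reported by `av_refs` still need to be removed or the scanner restored.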
 
I'm sorry I didn't get back to you earlier, and I'm happy that John was able to help you. We had unexpected thunderstorms all day yesterday and one of the power outages was jittery; it caused the (older) UPS protecting my office network (and connection to the 'net) to fail.

Rather than risk further damage I used my laptop to take care of customer emergency issues yesterday.

Today the sun is shining :).

I'm surprised I didn't catch earlier that when you uninstall clamav you need to make changes to exim.conf. Since we all make changes to exim.conf when we install clamav we should all remember to undo those changes when we remove it, but as I proved the other day, we don't always remember that.

The final release of SpamBlocker3 will include copious remarks on the subject (and on other subjects as well) and use the key word EDIT so you can search through it to find all the places where it needs to be edited.

As an added note, we don't usually get thunderstorms here on the edge of the So. California desert, but when we do, they're doozies. A lady was hit by lightning and killed about ten miles from here yesterday. Desert thunderstorms are nothing to take lightly.

Jeff
 
Hi Jeff,

It's ok, I understand completely, having also experienced 12 hours of blackout in the last 24! This is unfortunately not uncommon in the Philippines though.

I think between yourself and John, you've just about solved most of my mail problems now, just minor issues left to deal with now.

The new exim.conf sounds great. I'll be watching out for it.

I guess if ClamAV alters exim.conf, when it is installed; If I have just replaced exim.conf, I'm now missing the ClamAV entries. The odd thing is that I can't find those entries in the previous exim.conf I was using (which I made a copy of).

Do you know where I can find the alterations I need to make? Thanks.

Pete
 
It's ok, I understand completely, having also experienced 12 hours of blackout in the last 24! This is unfortunately not uncommon in the Philippines though.
A bunch of years ago I lived in Jacksonville Florida (one of the cities where our extended family has some roots; my uncle has his name on a lot of the municipal buildings there); it was at the time (and may still be) considered the lightning capital of the U.S. The office building where I had my office was the tallest downtown, and was hit by lightning generally at least once each major storm.
I guess if ClamAV alters exim.conf, when it is installed; If I have just replaced exim.conf, I'm now missing the ClamAV entries. The odd thing is that I can't find those entries in the previous exim.conf I was using (which I made a copy of).

Do you know where I can find the alterations I need to make?
The standard exim.conf file, found here, does not include entries for ClamAV; you have to make those entries when you follow the installation instructions for ClamAV.

My current distribution of the SpamBlocker exim.conf file, found on my site, here, does include the code, but it's commented out. While a work in progress, I consider it to be better overall than the one distributed by DirectAdmin. It's just not ready for mass distribution by them yet. If you decide to use it, then make sure you have the most recent exim.pl file downloaded from the same location, or perhaps a later one from the DirectAdmin download pages, if available. And be sure to look for those EDIT keywords and make changes as required.

(I have an even newer version, which changes often, as I continue to fine-tune, but I don't recommend it except for systems administrators with specific needs who are fully conversant in exim.conf and its modifications.)

Jeff
 
That's great. I think I'm about there now. I've found the ClamAV entries in your exim.conf 3.1beta and copied them over, also grabbed a few other snippets out of it too.

Think I'll wait for a few weeks after the release before I leap in with both feet though... I don't have the guts or the Unix experience to try out any betas on Linux! You know me, I'm always lucky if I can get a 'stable release' to work on Linux... You'll only end up fixing the mess I make for me!

Looks like it's all working great now though. My CPU usage and memory usage has nearly halved since I upgraded ClamAV to the latest version (which is what started this week of hell!), so at least some good came out of it. Not to mention, I learned a fair bit from those who helped.

Thanks to everyone. I'm planning to stick around and try to get to know this animal a bit better - who knows, maybe someday I might be able to help someone out someday!

pete
 
Hopefully you're also using the SpamBlocker features built into your version of exim.conf; they generally block about 90% of the email coming into the server, which really cuts down the use of resources.

Jeff
 
Hopefully you're also using the SpamBlocker features built into your version of exim.conf; they generally block about 90% of the email coming into the server, which really cuts down the use of resources.

Jeff

Yeah, I believe I am, there's not much left commented in it and I'm using all available DNSBLs as well as SpamAssassin. I'm planning to see what extra modules SpamAssassin can have added in, to enhance its efficiency too. I noticed somewhere, something about 'Autolearn', which might be useful.

However, I'm noticing a significant reduction in spam to our inboxes since we installed the new exim.conf and exim.pl. I think ClamAV also has an element of spam filtering built-in too, so possibly having just upgraded it, is having a limited effect too.

All in all, I'm gonna sleep better tonight!

pete
 
I suppose we should just backup the exim.conf file and append an extension such as .noclamav for a quick reversal should it be required. Yeah?
 