SoftPiXEL

We were getting this series of errors when running the qmail-scanner test script (/downloads/qmailrocks/qmail-scanner-1.25/contrib/test_installation.sh -doit):

spamd[18368]: spamd: connection from localhost.localdomain [127.0.0.1] at port 51721 
spamd[18368]: spamd: setuid to qscand succeeded 
spamd[18368]: spamd: creating default_prefs: /home/qscand/.spamassassin/user_prefs 
spamd[18368]: config: cannot write to /home/qscand/.spamassassin/user_prefs: Permission denied 
spamd[18368]: spamd: failed to create readable default_prefs: /home/qscand/.spamassassin/user_prefs 
spamd[18368]: spamd: checking message <20061020172304.21308.qmail@leikata.softpixel.com> for qscand:509 
spamd[18368]: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/auto-whitelist.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/auto-whitelist.lock: Permission denied 
spamd[18368]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/auto-whitelist.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/auto-whitelist.lock: Permission denied 
spamd[18368]: bayes: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/bayes.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/bayes.lock: Permission denied 
spamd[18368]: spamd: clean message (-0.0/5.0) for qscand:509 in 0.0 seconds, 327 bytes. 
spamd[18368]: spamd: result: . 0 - NO_RECEIVED,NO_RELAYS scantime=0.0, size=327,user=qscand,uid=509, required_score=5.0,rhost=localhost.localdomain, raddr=127.0.0.1, rport=51721,mid=< 20061020172304.21308.qmail@leikata.softpixel.com>, autolearn=failed 
spamd[18366]: prefork: child states: II 
qmail-scanner[21309]: Clear:RC:1(127.0.0.1):SA:0(0.0/5.0): 0.068512 327 <> postmaster@softpixel.com Qmail-Scanner_test_(1/4):_inoffensive_message <20061020172304.21308.qmail@leikata.softpixel.com> 1161364984.21311-0.leikata:68 orig-leikata116136498477521309:327 
X-Antivirus-MYDOMAIN-1.25-st-qms: [leikata116136498577521320] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2 

I had to manually create the .spamassassin directory for user spamd:

# cd /home/qscand
# mkdir .spamassassin
# chown qscand:qscand .spamassassin/
# chmod 700 .spamassassin/

This solved the first few errors.

We still got the qmail-scanner error, however:

spamd[21615]: spamd: connection from localhost.localdomain [127.0.0.1] at port 52795 
spamd[21615]: spamd: checking message <20061020174801.21726.qmail@leikata.softpixel.com> for root:510 
spamd[21615]: spamd: clean message (-0.0/5.0) for root:510 in 0.1 seconds, 327 bytes. 
spamd[21615]: spamd: result: . 0 - NO_RECEIVED,NO_RELAYS scantime=0.1,size=327,user=root,uid=510, required_score=5.0, rhost=localhost.localdomain, raddr=127.0.0.1,rport=52795, mid=< 20061020174801.21726.qmail@leikata.softpixel.com>, autolearn=ham 
spamd[21612]: prefork: child states: II 
qmail-scanner[21727]: Clear:RC:1(127.0.0.1):SA:0(0.0/5.0): 0.105559 327 <> postmaster@softpixel.com Qmail-Scanner_test_(1/4):_inoffensive_message < 20061020174801.21726.qmail@leikata.softpixel.com> orig-leikata116136648177521727:327 1161366481.21729-0.leikata:68 
X-Antivirus-MYDOMAIN-1.25-st-qms: [leikata116136648177521738] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2 

By turning on debugging in qmail-scanner.pl, I determined that this was a permissions issue: qmail-scanner was running clamd as user qscand, but user qscand didn’t have privileges to see the files qmail-scanner wanted it to scan.

Making qmail-scanner run as root by disabling the setuid line in /etc/clamd.conf…

# Run as a selected user (clamd must be started by root).
# Default: disabled
#User qscand

…causes it to work (and the qmail-scanner test script to execute successfully), but we really shouldn’t be doing this.

Instead we need to make qmail-scanner write the files to scan with appropriate permissions.

Here’s the path I took to install http://www.qmailrocks.org/ on fedora core 5 x86_64 running on an Athlon 64.

• pre-install
  • yum install php-imap
  • yum install php-mysql
  • cpan Digest::SHA1
  • cpan Digest::HMAC
  • cpan Net::DNS
  • cpan Time::HiRes
  • cpan HTML::Tagset
  • cpan HTML::Parser
• downloaded, compiled, etc. according to the qmailrocks redhat howto with the following exceptions:
  • skipped installing the autoresponder – we don’t want any autoresponder functionality.
  • installed vpopmail WITH mysql integration.
  • mysql integration failed with some compilation errors. It looks like this is a 64-bit compatibility issue – it seems to be trying to link against 32-bit libraries and the ld line is failing. I don’t have time to troubleshoot this now.
  • went back and installed autoresponder because it was required for another install. Sigh.
  • skipped vqadmin because it gave us inscrutable compile errors and wouldn’t install.
• tested SMTP with no problems
• Post-install add-ons
  • Clam Antivirus
    • Clam is not installing properly due to dependency conflicts. Upon further investigation, certain perl modules were missing. ran:
      • cpan Time::HiRes — for some reason this did an install when i ran it this time, although earlier it had said it was UTD.
      • cpan The Pod::Usage
      • cpan Parse::Syslog
      • cpan Statistics::Distributions
    • Clam is now not able to install because the qmailrocks RPMs won’t work on the 64-bit processor, so i’m yumming them.
      • yum install perl-suidperl
      • yum install clamav clamav-milter clamav-server clamav-update
    • ClamReadMe
      • [root@leikata etc]# mv /etc/clamd.conf /etc/clamd.d/softpixel.conf
      • [root@leikata etc]# ln -s /etc/clamd.d/softpixel.conf /etc/clamd.conf
      • replaced all “<SERVICE>” tags with “softpixel” (also removing brackets) in the clamd.conf file.
      • [root@leikata template]# mv clamd.logrotate /etc/logrotate.d
      • replaced all “<SERVICE>” tags with “softpixel” (also removing brackets) in the clamd.logrotate
      • [root@leikata clamd.d]# mkdir /var/log/clamav/
      • [root@leikata clamd.d]# touch /var/log/clamav/clamd.softpixel
      • [root@leikata clamd.d]# chgrp qscand /var/log/clamav/clamd.softpixel
      • [root@leikata clamd.d]# chmod 0620 /var/log/clamav/clamd.softpixel
    • Setting the updater:
      • [root@leikata clamav]# touch /var/log/clamav/clam-update.log
      • [root@leikata clamav]# chmod 775 /var/log/clamav/clam-update.log
      • [root@leikata clamav]# chown qscand:qscand /var/log/clamav/clam-update.log
      • [root@leikata log]# chown qscand:qscand -R /var/lib/clamav
      • [root@leikata log]# /usr/bin/freshclam -l /var/log/clamav/clam-update.log
      • it updated.
  • SpamAssasin
    • cpan Mail::SpamAssassin
    • /var/log/maillog qmail-scanner error and troubleshooting
  • Qmail Scanner
    • [root@leikata qlogtools-3.1]# vi /usr/local/qmailanalog/bin/zfailures <— replaced the “sort +2” pipe with “sort -n -r -k 2” – the version of sort included with fedora doesn’t support the “+2” syntax.
    • [root@leikata qlogtools-3.1]# vi /usr/local/qmailanalog/bin/zdeferrals <— replaced the “sort +2” pipe with “sort -n -r -k 2”

After this, we discovered clamd wasn’t starting properly at boot-time. SELinux was bitching:

Clamd started happily when we disabled SELinux protection for it:

• in system-config-securitylevel, under SELinux / Modify SELinux Policy, I checked:
  • Other / clamscan_disable_trans
  • SELinux Service Protection / Disable SELinux protection for clamd daemon

Of course, I first tried to create a new policy allowing exactly what clamd was needing (which would be way preferable to disabling SELinux), but I got the following error…

… and haven’t been able to figure this out yet.