[SOLVED] Clamav expiration notification

[artimus]

Several months ago I had quite a success migrating from CommuniGate Pro to Zimbra. We also have an exchange server that will be migrated to zimbra as well. So far we love it, and have very few complaints about it. Pretty much the only complaint I have is that it's not using regular Maildir.

Anyway, all was fine until this morning when zimbra stopped delivering mail. I didn't see anything in zimbra that would explain what was wrong, but I did find in the postfix logs that there was an issue connecting to clamav. The freshclam log file noted that my clamav engine was out of date.. I had to download the latest stable source from clam, compile install and reboot. The standard zmcontrol stop start didn't take to the change, and I didn't have time to poke around at it. When it came back up, everything was fine. I flushed the postfix queue and all the mail started delivering.

I happen to be very experienced unix admin, and this problem was pretty easy to resolve. But if I weren't, I could have been out of email for a full day trying to figure out how to fix this. Zimbra (as far as i know) doesn't have any method of telling me what the problem is, and how to fix it.

Feature Request:
When logging into the zimbra admin page, it should immediately show you if there are any critical problems. It would have been nice if I logged in and saw: CRITICAL: Your ClamAV engine is out of date. Run somescript to upgrade to the latest clamav.

Would be even nicer if there was a way to send a message to administrators before there is a problem too.

[mmorse]

what's your version?
(zmcontrol -v)

[jholder]

ClamAV updates their Engine like every 60 seconds (I'm being sarcastic )

Unless there's a huge vulnerability in your current ClamAV version, then it's not a big deal. They just like to panic users by saying DON'T PANIC!

Currently, we upgrade ClamAV with each maintenance release, so we try to keep the version up to date

[mmorse]

They really do call everything critical...

The last version that I see from your posts is on 8-27-07:

Quote:

Originally Posted by artimus

Using CentOS 5, with Zimbra 4.5.6_GA_1044.RHEL5-20070706174250

If you still are on 4.5.6, it would lead me to believe that you had hit the bug:
[SOLVED] Clamd.pid - no such file
Bug 18312 - ClamAV: clamd corrupt db

[artimus]

I suppose then that I am mostly to blame. Being held up entirely by other projects, I haven't kept my mail server up to date. Is there a yum repo for zimbra?

Release 4.5.6_GA_1044.RHEL5_20070706174250 CentOS5{i} FOSS edition


I know my signatures are kept up to date, but the clam software itself needs updating.. It would still be nice if zimbra told the admin in advance before this happens. Could also show when zimbra update packages are available, or had an option to force clam to run with an out of date engine. It wouldn't have been so bad, if it just used the old anti-virus. The problem was that it wouldn't attache amavisd to port 10024, so postfix had to defer the mail.


Anyway, if there are others who find themselves in a jam, and need a quick fix. I'll provide a clam upgrade script... Use it at your own risk, or better yet just use it for reference only!

Code:

#!/bin/bash
#
#
#   !!!!!! WARNING !!!!!!!!!!
#   This script is absolutely untested.  I wrote it after the fact
#   as reference, for the next time this happens.  I repeat I have
#   not actually tested to see if it even runs.  You probobly want
#   to just run through the steps manually to prevent harming your
#   system...  Again, this script took 2 minutes to write, and has
#   never been tested, and there absolutely no error checking.
#
#   Otherwise, if you really want to run it, uncomment the exit
#   satement.
#
#   Anonomous - 20071119
#
##################################################################
exit
NOW=date +%Y%m%d%H%M%S
BUILDDIR=${NOW}_clamav_build

ClamVer="clamav-0.91.2"
ClamURL="http://easynews.dl.sourceforge.net/sourceforge/clamav/clamav-0.91.2.tar.gz"

echo "Installing dependencies if nessesary"
yum -y install gcc glibc zlib-devel gmp-devel bzip2-devel


echo "Preparing Source"
mkdir ${BUILDDIR} && cd ${BUILDDIR}
wget ${ClamURL}



tar -zxvf ${ClamVer}.tar.gz
cd ${ClamVer}
echo "==== Building and Installing ClamAV ===="
./configure --prefix=/opt/zimbra/${ClamVer} --with-user=zimbra --with-group=zimbra

make && make check && make install


chown -R zimbra:zimbra /opt/zimbra/${ClamVer}

cd /opt/zimbra/${ClamVer}/etc
mv clamd.conf clamd.conf.orig
mv freshclam.conf freshclam.conf.orig

cp /opt/zimbra/conf/clamd.conf .
cp /opt/zimbra/conf/freshclam.conf .


sudo -u zmcontrol stop
cd /opt/zimbra
unlink clamav
ln -s ${ClamVer} clamav


echo "==== Freshen ========="
sudo -u zimbra /opt/zimbra/clamav/bin/freshclam


echo "===== Starting Zimbra ======="
echo " If it doesn't work, try a reboot"
sudo -u zimbra zmcontrol start

[jholder]

You're amazing
Send me your shipping info. I'm sending you some Zimbra Gear!

Yeah, 4.5.6 had a particularly bad Clam Bug that caused long startup times. I totally agree that we should have a notification. Please file it in our bugzilla. There is already a bug open to allow external updating of the ClamD core.

Once again, great job!

Extra points if you create a wiki page for this

[mmorse]

That deserves a spot here! Updating CLAMAV - Zimbra :: Wiki

[mmorse]

There's also: Bug 15137 - Breakout RPM packages for ClamAV, SpamAssassin and Others to allow out of cycle updates

[mmorse]

Quote:

Originally Posted by artimus

Feature Request:
When logging into the zimbra admin page, it should immediately show you if there are any critical problems. It would have been nice if I logged in and saw: CRITICAL: Your ClamAV engine is out of date. Run somescript to upgrade to the latest clamav.

Bug 7686 - immediate clamav update from admin console

Quote:

Originally Posted by artimus

Would be even nicer if there was a way to send a message to administrators before there is a problem too.

Could you open a RFE for the admin email notification?
Of course until the other two are solved we don't want to make the warning too harsh (as it's not as easy to update for some). Infact, I think having the daily email reports also include your clamav version (/kindly tell you if it's out of date) might be the way to go.