clamav problem?

[dcm]

I'm running Zimbra 3.1.4 with all components on the same Suse 10.1 (32-bit)server. The server is in a colocation site so we are not on the same network as the server. In addition to the Apache and MySQL that are installed with Zimbra, I have an additional Apache and MySQL install running, without any problems, off of a different network card. I installed zimbra a couple of weeks ago. It is working for the most part but I have a few questions. One is more of an issue than the others and will take some explaining so I'll just do that one in this post and cover the others in a separate post.

The most pressing issue is a problem, I think, with the anti-virus component. The server has twice stopped receiving mail. Any mail sent to the server never arrived in the inboxes and there was no evidence that I could find that it had even come into zimbra at all.

I checked the status from within the admin console and it said everything was running. When I did used zmcontrol to check the status, it showed that the antivirus was stopped. I refreshed the admin console and ran zmcontrol status again and got the same results.

I found this error in /opt/zimbra/log/freshclam.log: "ERROR: Clamd was NOT notified: Can't connect to clamd on 127.0.0.1:3310". This error matched the approximate times the server stopped receiving mail but was also in there a bunch of other times. After a little googling it seems that this might be a problem or it might not mean anything at all depending on how ClamAV is being used.

The first time, I just rebooted the server and everything was happy again. The second time, I tried to use zmcontrol to stop and start Zimbra. I tried it about three times but the antivirus component was still showing as being stopped. Mail seemed to be coming into the system at that point, though, so I just left it. When I checked the status again later, antivirus was back showing as running and, a week later, everything is still running fine.

Any ideas on what this might be or what log I should be looking at to diagnose the problem.

dcm

[jholder]

What does /var/log/zimbra.log say?

[dcm]

I don't see anything that stands out other than this:

Aug 18 15:18:03 mail zimbramon[21954]: 21954:info: 2006-08-18 15:18:01, STATUS: mail.somedomain.com: antispam: Running
Aug 18 15:18:03 mail zimbramon[21954]: 21954:info: 2006-08-18 15:18:01, STATUS: mail.somedomain.com: antivirus: Running
Aug 18 15:18:03 mail zimbramon[21954]: 21954:info: 2006-08-18 15:18:01, STATUS: mail.somedomain.com: ldap: Running
Aug 18 15:18:03 mail zimbramon[21954]: 21954:info: 2006-08-18 15:18:01, STATUS: mail.somedomain.com: logger: Running
Aug 18 15:18:03 mail zimbramon[21954]: 21954:info: 2006-08-18 15:18:01, STATUS: mail.somedomain.com: mailbox: Running
Aug 18 15:18:03 mail zimbramon[21954]: 21954:info: 2006-08-18 15:18:01, STATUS: mail.somedomain.com: mta: Running
Aug 18 15:18:03 mail zimbramon[21954]: 21954:info: 2006-08-18 15:18:01, STATUS: mail.somedomain.com: snmp: Running
Aug 18 15:18:03 mail zimbramon[21954]: 21954:info: 2006-08-18 15:18:01, STATUS: mail.somedomain.com: spell: Running

I don't know the exact time it went down and, to be honest, I didn't take good notes and am not even sure what time I brought it back up. During the period that I think it was down, it shows everything as being up and running. I'm not even sure that clamav has anything to do with the problem.

I think the thing to do on this issue is to wait until it happens again. If it does I'll try to nail down the time we stopped receiving email and go over all the logs really carefully (and maybe take better notes). Both instances happened within the first three days of being live and it has not repeated for more than a week now so hopefully it will not be a problem again.

dcm