Fixing problems with Exim4 and ClamAV after apt-get upgrade

So this was one of the weeks where I learned Linux configuration the hard way. I simply thought of getting my virtual server up to the most recent version. It was/is running a Debian 3.1 (Sarge), I guess. You’ll probably realize by now that I know a lot about my server…

Anyway, I simply ran
apt-get upgrade
which brought about 20+ packages to the most recent version. Including exim, my mail agent, and clamav, a virus-scanner that runs with mail agents. I guess because of a version change in either exim, or clamav, or both I was asked to do so configuration stuff which I followed to my best knowledge and guess. However, I ended up with bouncing mails to my server. After a while, I found out that clamav got a version change, but the configuration on the system didn’t go with it. The exim4 logfile /var/log/exim4/paniclog kept telling me malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd.ctl (Connection refused) While exim4 was already properly calling clamav, clamav refused to answer.

A little bit of search with that phrase revealed the following page http://koivi.com/exim4-config/ which was quite instructive to me to some degree. There was a problem with the access privileges to the clamav runtime files from exim4. So gave some privileges:
adduser clamav Debian-exim
which was already done before. I then checked that /etc/clamav/clamd.conf contains a line that reads:
AllowSupplementaryGroups
Done. Then I gave permissions for the /var/run/clamav directory to allow for the correct user to use it:
chown Debian-exim.Debian-exim /var/run/clamav
Since /var/run/clamav/ contained a file freshclam.pid I also ran
chown Debian-exim.Debian-exim /var/run/clamav/freshclam.pid
Now a restart with
/etc/init.d/clamav-daemon restart
gave me an error that AllowSupplementaryGroups in /etc/clamav/clamd.conf requires a BOOL value. Luckily Ping! from the ClarkConnect Forums pointed out that

In my /etc/clamd.conf file, there was an error in every line that required a BOOL value. I had to add “yes” or “1” to the followin options to get the clamd to succeed

I did that to each line of /etc/clamav/clamd.conf that had no argument next to it and the
/etc/init.d/clamav-daemon restart
succeeded. However, I still got bouncing mails and /var/run/clamav/clamd.ctl was still missing. It appears that clamav and exim4 just need the existence of that file, no specific content, plus proper access rights. A
touch /var/run/clamav/clamd.ctl
chown Debian-exim.Debian-exim /var/run/clamav/clamd.ctl
/etc/init.d/clamav-daemon restart

did the trick. Thanks to aioshin.

update Well… that didn’t help… therefore I did it the hard way:
apt-get --purge remove clamav clamav-base clamav-daemon clamav-freshclam libclamav1
apt-get -t sarge install clamav clamav-daemon
adduser clamav Debian-exim
reboot

Thanks to D.J.Fan. After the apt install, I told the setup to take the package maintainer’s version of the configuration file. A choice I made wrong earlier… grrr.

One thought on “Fixing problems with Exim4 and ClamAV after apt-get upgrade

  1. Hi Dirk,
    I see you have solved this issue a long time ago.

    However, it still seems to exist even with Debian Etch. So I tried to find out what is going on.

    My resolution is:
    * Make sure that Debian-exim user is in the clamav group and the clamav user is in the Debian-exim group (/etc/group)
    * Make sure that the group write permissions are set on /var/spool/exim/scan/ (where exim temporarily puts the file for clamav to scan) and on /var/run/clamav/ (where it tries to create the clamav.ctl socket file, but does not if it does not have access to /var/spool/exim/scan/.

    This message of clamav is rather misleading, as I believe the failign write access to /var/spool/exim/scan is the real culprit and this seems to be changed by upgrading exim or clamav (note sure which)

    Thanks for documenting your experiences

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s