hMailServer - conflict with Antivirus - wrong HELO-EHLO

LBPO
New user
Posts: 21
Joined: 2011-01-13 16:20

hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by LBPO » 2012-02-13 15:43

The problem is complex. I hope that I'll be able to explain it well enough to get help, but please remember that I'm not a native English speaker, so if anything is unclear I'll try to explain it better.

We are using hMailServer 5.3.3-B1879. The mail server is running on ports 110 (pop3), 143 (imap) and 587 (smtp). In the SMTP settings, the local hostname is set to mail.mydomain.com and the welcome banner is set to mail.mydomain.com ESMTP. DNS, rDNS and MX record are also set to mail.mydomain.com. I believe that these settings are correct.

Unfortunately there is a problem with sending mails to some recipients. They reject our mails and mark them as spam. I was able to figure out that it happens because our server doesn't send a proper FQDN in HELO/EHLO. Instead of sending mail.mydomain.com (FQDN) it sends only the local computer name - in this case just SB1A.

Furthermore, I found out that this is caused by some conflict between hMailServer and our antivirus. We are using Avast Pro Antivirus 6.0.1367. Avast is set to monitor ports 110, 143, 587 and 25 (we are not using it, but it has to be monitored in case some malicious software uses this port).

When I disable mail real time protection in Avast or disable port 25 monitoring (it doesn't matter if port 587 monitoring is on or off) everything seems to work fine - the FQDN is sent in HELO/EHLO.

I could leave it that way, but the machine on which hMailServer is running won't be fully protected.

I tried to set up hMailServer to use an external mail scanner in the hope that it may help, but it's not working properly, since it's not deleting any mails with the EICAR test file.


I used the following command line:
aswCmd.exe /a /c /t=A /_ C:\Program Files\Alwil Software\Avast6

In log file there is only this information:
CustomVirusScanner::Scan()

Nothing about deleting messages or detecting virus.

Am I doing something wrong? I'm not sure that setting up Avast properly to work with the hMailServer external scanner will solve my problem, but I think it's worth a try.

Please feel free to ask additional questions. Maybe I should do something completely different to deal with the problem?

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by ^DooM^ » 2012-02-13 15:56

This is an avast issue. It uses a transparent proxy to monitor ports in this case port 25 and breaks it.

Avast is not a server antivirus software and should not be used as such. Use a proper server antivirus like ClamAV.

If you must still persist and use Avast follow this doc http://www.hmailserver.com/documentatio ... eturnvalue

And exclude hmailserver Data Directory from realtime scanning.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
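
To see which name actually reaches the remote side once the proxy has handled the session, read it from the `Received:` header the receiving server stamps on a test message. The following is an added example, not part of the thread or of hMailServer; it assumes the common `from <EHLO name> (<rDNS name> [<IP>])` layout, and both headers (including 203.0.113.10 and mx.example.net) are constructed.

```python
import re

# Layout many MTAs use: "from <EHLO name> (<rDNS name> [<IP>])" (assumed here).
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE)
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True for a dotted host name with valid labels; a bare name like SB1A fails."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def check_received(header, expected):
    """Return findings for one Received header; an empty list means it is fine."""
    m = RECEIVED_RE.match(header.strip())
    if m is None:
        return ["unparsed"]
    helo = m.group("helo").rstrip(".").lower()
    rdns = m.group("rdns").rstrip(".").lower()
    want = expected.rstrip(".").lower()
    findings = []
    if not is_fqdn(helo):
        findings.append("helo-not-fqdn")   # what the rejecting recipients object to
    if helo != want:
        findings.append("helo-mismatch")   # announced name differs from configured one
    if rdns != want:
        findings.append("rdns-mismatch")   # reverse DNS differs from configured one
    return findings


# Constructed headers: the first mimics the session rewritten by the proxy,
# the second the session after the proxy stops touching hMailServer's traffic.
BROKEN = ("Received: from SB1A (mail.mydomain.com [203.0.113.10]) "
          "by mx.example.net with ESMTP; Mon, 13 Feb 2012 15:40:00 +0100")
FIXED = ("Received: from mail.mydomain.com (mail.mydomain.com [203.0.113.10]) "
         "by mx.example.net with ESMTP; Thu, 16 Feb 2012 14:10:00 +0100")

if __name__ == "__main__":
    for hdr in (BROKEN, FIXED):
        print(check_received(hdr, "mail.mydomain.com") or "ok")
```
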

LBPO
New user
Posts: 21
Joined: 2011-01-13 16:20

Re: hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by LBPO » 2012-02-14 13:42

I've set hMailServer like this:

Scanner executable:
"C:\Program Files\Alwil Software\Avast6\ashCmd.exe" /a /c /t=A /_ "%FILE%"

Return value:
1

I assume this is correct since mails with EICAR are deleted and the logs look like this:

"DEBUG"	2164	"2012-02-14 12:17:56.296"	"CustomVirusScanner::Scan() - "C:\Program Files\Alwil Software\Avast6\ashCmd.exe" /a /c /t=A /_ "C:\Program Files\hMailServer\Data\{8BEFED65-92BD-4922-B267-898A0236FD90}.eml" - Returned 1"
"DEBUG"	2164	"2012-02-14 12:17:56.296"	"CustomVirusScanner::~Scan()"
"DEBUG"	2164	"2012-02-14 12:17:56.296"	"SMTPVirusNotifier::CreateMessageDeletedNotification"
"DEBUG"	2164	"2012-02-14 12:17:56.296"	"Saving message: C:\Program Files\hMailServer\Data\{1B099E62-7D86-45B5-8294-7A79701389CB}.eml"
"DEBUG"	2164	"2012-02-14 12:17:56.296"	"Requesting SMTPDeliveryManager to start message delivery"
"DEBUG"	2152	"2012-02-14 12:17:56.296"	"Reading message from database"
"DEBUG"	2164	"2012-02-14 12:17:56.296"	"SMTPVirusNotifier::~CreateMessageDeletedNotification"
"DEBUG"	2168	"2012-02-14 12:17:56.296"	"Delivering message..."
"APPLICATION"	2164	"2012-02-14 12:17:56.312"	"SMTPDeliverer - Message 44710: Message deleted (contained virus)."

The hMailServer directory is excluded from realtime scanning.

Unfortunately it didn't change anything. Port 25 is still broken and our server sends its local name instead of the FQDN to other SMTP servers.

Any further advice, or is it just impossible to make it work and I have to completely disable monitoring on port 25 or use another antivirus?

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by ^DooM^ » 2012-02-14 13:49

Have you disabled the mail realtime protection? You don't need it on if you are using the custom command line scanner.

Also it is NOT the server that sends the broken helo it's AVAST.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

LBPO
New user
Posts: 21
Joined: 2011-01-13 16:20

Re: hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by LBPO » 2012-02-14 14:09

I'm aware it's Avast's fault, but I thought that it could be resolved by changing some config in hMailServer or Avast.

I didn't disable realtime protection, but I know that it will work when I do so.

The problem is that if this protection is off, port 25 is vulnerable and can be used by some kind of malicious software - for example a spam-sending bot.

Of course Avast should detect such a trojan, but you can't always be sure. We already had such a problem with our previous antivirus software. The trojan was not found, but the antivirus blocked sending spam messages when it detected that the computer was trying to send the same messages to many recipients in a short time.

mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by mattg » 2012-02-14 14:30

FWIW, I use Avast almost always, even on my servers

I never use AVAST line scanner, I always just use realtime mail protection.

I do also have ClamAV doing line scanning, and it rarely catches much. Most is picked up by Avast.
Even the EICAR test...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by ^DooM^ » 2012-02-14 14:35

Matt I don't use Avast so I am not familiar with it. Is there a setting somewhere to set the HELO message?
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

LBPO
New user
Posts: 21
Joined: 2011-01-13 16:20

Re: hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by LBPO » 2012-02-16 14:17

I solved the problem with help from Avast support:

http://forum.avast.com/index.php?topic=93380.0

Long story short - I configured the mail scanner to ignore connections established by hMailServer.

It's a good solution, because ports 25 and 587 are always monitored and mails received by hMailServer are still scanned thanks to the external scanner option.

If I may ask, please confirm that the command line for this option is set correctly:



Scanner executable:
"C:\Program Files\Alwil Software\Avast6\ashCmd.exe" /a /c /t=A /_ "%FILE%"

Return value:
1

/a - scan all files
/c - scan whole files
/t=A - scan all archives
/_ - all output data sent to STDOUT

I assume this is correct since mails with EICAR are deleted and the logs look like this:

"DEBUG"   2164   "2012-02-14 12:17:56.296"   "CustomVirusScanner::Scan() - "C:\Program Files\Alwil Software\Avast6\ashCmd.exe" /a /c /t=A /_ "C:\Program Files\hMailServer\Data\{8BEFED65-92BD-4922-B267-898A0236FD90}.eml" - Returned 1"
"DEBUG"   2164   "2012-02-14 12:17:56.296"   "CustomVirusScanner::~Scan()"
"DEBUG"   2164   "2012-02-14 12:17:56.296"   "SMTPVirusNotifier::CreateMessageDeletedNotification"
"DEBUG"   2164   "2012-02-14 12:17:56.296"   "Saving message: C:\Program Files\hMailServer\Data\{1B099E62-7D86-45B5-8294-7A79701389CB}.eml"
"DEBUG"   2164   "2012-02-14 12:17:56.296"   "Requesting SMTPDeliveryManager to start message delivery"
"DEBUG"   2152   "2012-02-14 12:17:56.296"   "Reading message from database"
"DEBUG"   2164   "2012-02-14 12:17:56.296"   "SMTPVirusNotifier::~CreateMessageDeletedNotification"
"DEBUG"   2168   "2012-02-14 12:17:56.296"   "Delivering message..."
"APPLICATION"   2164   "2012-02-14 12:17:56.312"   "SMTPDeliverer - Message 44710: Message deleted (contained virus)."

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by ^DooM^ » 2012-02-16 20:35

That external scanner string has nothing to do with hmail. All hmail does is send that command to avast and the path to the file. Avast then returns a number. Depending on that number hmail will either delete it or let it through. So what I am saying is we have no idea if your string is right or not. It looks ok to me, but I have never used Avast on a server, so your best bet would be to ask someone on Avast support if that is correct.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
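
The return-value mechanism described above can be checked against the debug log after an EICAR test: each scan that returned the configured value should be followed by a "Message deleted (contained virus)" event. This is an added example, not hMailServer code; it assumes the tab-separated layout shown in the thread, pairing a scan with a deletion by thread id is an assumption, and the `Returned 0` line is constructed.

```python
import re

SCAN_RE = re.compile(r'CustomVirusScanner::Scan\(\) - .*"([^"]+\.eml)" - Returned (-?\d+)$')
DELETE_RE = re.compile(r'SMTPDeliverer - Message (\d+): Message deleted \(contained virus\)')


def row(level, thread, ts, msg):
    """Build one tab-separated log line in the layout shown in the thread."""
    return "\t".join(['"%s"' % level, str(thread), '"%s"' % ts, '"%s"' % msg])


TS = "2012-02-14 12:17:56.296"
DATA = r"C:\Program Files\hMailServer\Data"
CMD = r'"C:\Program Files\Alwil Software\Avast6\ashCmd.exe" /a /c /t=A /_'
SAMPLE = [
    # Lines 1-3 and 5 reproduce the log posted in the thread.
    row("DEBUG", 2164, TS, 'CustomVirusScanner::Scan() - %s '
        '"%s\\{8BEFED65-92BD-4922-B267-898A0236FD90}.eml" - Returned 1' % (CMD, DATA)),
    row("DEBUG", 2164, TS, "CustomVirusScanner::~Scan()"),
    row("DEBUG", 2164, TS, "SMTPVirusNotifier::CreateMessageDeletedNotification"),
    # Constructed line: a clean message on another thread.
    row("DEBUG", 2170, TS, 'CustomVirusScanner::Scan() - %s '
        '"%s\\{00000000-0000-0000-0000-000000000000}.eml" - Returned 0' % (CMD, DATA)),
    row("APPLICATION", 2164, "2012-02-14 12:17:56.312",
        "SMTPDeliverer - Message 44710: Message deleted (contained virus)."),
]


def parse_line(line):
    """Split a log line into its four fields and drop the outer quotes."""
    parts = line.rstrip("\r\n").split("\t", 3)
    if len(parts) != 4:
        return None
    level, thread, ts, msg = (p[1:-1] if p[:1] == '"' == p[-1:] else p for p in parts)
    return {"level": level, "thread": thread, "ts": ts, "message": msg}


def audit(lines, infected_value=1):
    """List every scan with its return code and the deletion that followed, if any."""
    pending, results = {}, []   # pending: thread id -> flagged scan awaiting deletion
    for rec in filter(None, map(parse_line, lines)):
        scan, gone = SCAN_RE.search(rec["message"]), DELETE_RE.search(rec["message"])
        if scan:
            entry = {"file": scan.group(1), "returned": int(scan.group(2)),
                     "flagged": int(scan.group(2)) == infected_value, "deleted_id": None}
            results.append(entry)
            if entry["flagged"]:
                pending[rec["thread"]] = entry
        elif gone and rec["thread"] in pending:
            pending.pop(rec["thread"])["deleted_id"] = int(gone.group(1))
    return results
```

A flagged entry whose `deleted_id` stays `None`, or a scan of an EICAR message that is not flagged, points at a mismatch between the scanner's exit code and the configured return value.
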

LBPO
New user
Posts: 21
Joined: 2011-01-13 16:20

Re: hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by LBPO » 2012-02-17 09:07

The Avast string is ok, I have confirmation from Avast support.

I just had doubts about hMailServer, because of the doubled line CustomVirusScanner::~Scan () in the logs. So the main question is whether (according to the logs) hMailServer is configured properly.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: hMailServer - conflict with Antivirus - wrong HELO-EHLO

Post by ^DooM^ » 2012-02-17 13:53

It's just line wrapped, nothing to worry about.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
