From 816158db7dea0fc3b6653960c2dbc66b50c6320e Mon Sep 17 00:00:00 2001 From: Filip Hajny Date: Sat, 28 Sep 2019 09:50:37 +0200 Subject: [PATCH] Add information on how to whitelist ClamAV signatures --- docs/u_e-rspamd.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/u_e-rspamd.md b/docs/u_e-rspamd.md index a565cf8b0..6493b38f8 100644 --- a/docs/u_e-rspamd.md +++ b/docs/u_e-rspamd.md @@ -70,3 +70,19 @@ Simply add the line: Save the file and then restart the rspamd container. See [Rspamd documentation](https://rspamd.com/doc/index.html) + +## Whitelist specific ClamAV signatures + +You may find that legitimate (clean) mail is being blocked by ClamAV (Rspamd will flag the mail with `VIRUS_FOUND`). For instance, interactive PDF form attachments are blocked by default because the embedded Javascript code may be used for nefarious purposes. Confirm by looking at the clamd logs, e.g.: + +`docker-compose logs clamd-mailcow | grep FOUND` + +This line confirms that such was identified: + +`clamd-mailcow_1 | Sat Sep 28 07:43:24 2019 -> instream(local): PUA.Pdf.Trojan.EmbeddedJavaScript-1(e887d2ac324ce90750768b86b63d0749:363325) FOUND` + +To whitelist this particular signature (and enable sending this type of file attached), add it to the ClamAV signature whitelist file: + +`echo 'PUA.Pdf.Trojan.EmbeddedJavaScript-1' >> data/conf/clamav/whitelist.ign2` + +Then restart the clamd-mailcow service.
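Review bot: The whitelist step (`echo 'PUA.Pdf.Trojan.EmbeddedJavaScript-1' >> data/conf/clamav/whitelist.ign2`) disables that signature for every message ClamAV scans, but the new section frames it only as "enable sending this type of file attached". Since the same paragraph says the embedded JavaScript "may be used for nefarious purposes", please add a sentence stating that the entry applies to all mail, incoming as well as outgoing, and that only the exact signature name from the clamd log line should be added. Two smaller points in the same hunk: the `echo` uses a relative path, so the text should say it is run from the mailcow directory, and "Then restart the clamd-mailcow service" should show the command, as the log-checking step does. Style: "Javascript" should be "JavaScript", and "This line confirms that such was identified" would read better as a plain statement that the line shows which signature matched.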