SurgeMail List,

We recently noticed an influx of phishing emails with .doc and .pdf attachements along with a number of customer complaints.  After enabling g_virus_cmd_log, we discovered the following error message when running clamdscan. 

virus: stdout (ERROR: Could not connect to clamd on LocalSocket /var/run/clamd.mail/clamd.sock: No such file or directory

Further research determined that the path was valid but that the "mail" user did not have permissions to access this folder.  On CentOS 7, the users who are able to access this directory are controlled by membership in the "virusgroup" group.  The mail user was a member of this group but was still mysteriously unable to access the folder.

We recently upgraded SurgeMail to version 7.3i2-2.  Did a recent update perhaps cause SurgeMail to not include any supplementary groups when switching to the mail user on startup?

As an example, the test in the SurgeMail documentation (https://netwinsite.com/surgemail/help/virus_unix.htm) also fails because the supplementary groups are not loaded.

su mail -g mail
$ id
uid=8(mail) gid=12(mail) groups=12(mail)
clamdscan would fail because "virusgroup" IS NOT included in groups.

su mail
$ id
uid=8(mail) gid=12(mail) groups=12(mail),993(clamscan),994(virusgroup)
clamdscan works because "virusgroup" IS included in groups.

My suspicion is that SurgeMail is now doing something similar to the first example when it starts.

Any assistance would be appreciated.

Thank you,

Jim Lohiser
N2Net