Thanks Micah, now getting a different error:
Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to remove /var/run/clamd.scan/clamd.sock: Permission denied
Jul 16 10:59:23 storm clamav-milter[32079]: ERROR: Failed to create socket /var/run/clamd.scan/clamd.sock
Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to create listening socket on conn /var/run/clamd.scan/clamd.sock

ls -l /var/run/clamd.scan/clamd.sock
srw-rw-rw- 1 clamscan clamscan 0 Jul 16 10:57 /var/run/clamd.scan/clamd.sock

In the /etc/mail/clamav-milter.conf I have:
MilterSocket /var/run/clamd.scan/clamd.sock
ClamdSocket unix:/var/run/clamd.scan/clamd.sock

Clamd is running, note as the user clamscan:
ps -auwx | grep clam
clamupd+  2252  0.0  0.0  50740  3832 ?        Ss   Jul11   0:38 /usr/bin/freshclam -d -c 4
root     17462  0.0  0.0 119104  3264 ?        Ss   09:00   0:00 /bin/bash /usr/share/clamav/freshclam-sleep
clamscan 30407  0.0  4.6 1406020 1141612 ?     Ssl  10:57   0:00 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

The last few lines of /var/log/clamav-milter.log have:
Mon Jul 16 10:30:15 2018 -> Failed to establish a connection to clamd
Mon Jul 16 10:30:15 2018 -> Probe for slot 1 returned: failed
Mon Jul 16 10:30:15 2018 -> Failed to establish a connection to clamd
Mon Jul 16 10:30:15 2018 -> Probe for slot 2 returned: failed
Mon Jul 16 10:30:15 2018 -> Probe for slot 3 returned: success

You wrote: "You should use only 1 ( TCP _or_ Unix/Local ) socket for clamd"
But in the clamav-milter.conf it says:
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin
# fashion.

Anyways, seems to be a permission problem. Is clamav-milter trying to restart clamd based on the logs above?

On Fri, Jul 13, 2018 at 9:06 AM, Micah Snyder (micasnyd) <micasnyd@cisco.com> wrote:
It looks to me like you have 2 types of sockets set up in your milter config, and only 1 type of socket set up in your clamd config:


ClamdSocket tcp:localhost:3310
ClamdSocket unix:/var/run/clamd.scan/clamd.sock

Lines in /etc/clamd.d/scan.conf

TCPSocket 3310
TCPAddr 127.0.0.1

You should use only 1 ( TCP _or_ Unix/Local ) socket for clamd.  We recommend using Unix/Local sockets.

 
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Jul 10, 2018, at 5:12 PM, Robert Kudyba <rkudyba@fordham.edu> wrote:


ClamdSocket tcp:localhost:3310
ClamdSocket unix:/var/run/clamd.scan/clamd.sock

Lines in /etc/clamd.d/scan.conf

TCPSocket 3310
TCPAddr 127.0.0.1
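
Added example, not part of the original thread and not ClamAV code: a small consistency check over the two config files discussed above. In clamav-milter.conf, MilterSocket is the socket clamav-milter itself creates and listens on, while ClamdSocket is where it connects to clamd, so the check flags a MilterSocket path that is reused as a ClamdSocket and any ClamdSocket with no matching listener in the clamd config. The function names are hypothetical, the inputs are constructed from the directive lines quoted in the thread, and the LocalSocket line is an assumption.

```python
import re

def directives(text):
    """Parse 'Name value' config lines into {name: [values]}, ignoring comments."""
    out = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            out.setdefault(parts[0], []).append(parts[1].strip())
    return out

def unix_path(spec):
    """Filesystem path of a unix-socket spec, or None for tcp:/inet: specs."""
    m = re.match(r"(?:unix:|local:)?(/.*)$", spec)
    return m.group(1) if m else None

def check(milter_conf, clamd_conf):
    """Return findings for socket settings that cannot work together."""
    milter, clamd = directives(milter_conf), directives(clamd_conf)
    listen = [unix_path(v) for v in milter.get("MilterSocket", [])]
    findings = []
    for spec in milter.get("ClamdSocket", []):
        path = unix_path(spec)
        if path is not None:
            if path in listen:  # milter would try to replace clamd's socket
                findings.append(f"collision: MilterSocket and ClamdSocket both use {path}")
            elif path not in clamd.get("LocalSocket", []):
                findings.append(f"no LocalSocket in clamd config for {spec}")
        elif spec.startswith("tcp:"):
            if spec.rsplit(":", 1)[1] not in clamd.get("TCPSocket", []):
                findings.append(f"no TCPSocket in clamd config for {spec}")
    return findings

# Constructed inputs built from the directive lines quoted in the thread.
MILTER_JUL10 = "ClamdSocket tcp:localhost:3310\nClamdSocket unix:/var/run/clamd.scan/clamd.sock\n"
CLAMD_JUL10 = "TCPSocket 3310\nTCPAddr 127.0.0.1\n"
MILTER_JUL16 = ("MilterSocket /var/run/clamd.scan/clamd.sock\n"
                "ClamdSocket unix:/var/run/clamd.scan/clamd.sock\n")
# Assumption: clamd's LocalSocket is the path shown by ls in the thread.
CLAMD_JUL16 = "LocalSocket /var/run/clamd.scan/clamd.sock\n"

if __name__ == "__main__":
    for label, m, c in (("Jul 10", MILTER_JUL10, CLAMD_JUL10),
                        ("Jul 16", MILTER_JUL16, CLAMD_JUL16)):
        print(label, check(m, c))
```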



_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net