Discussion:
MCP announcements not forwarded
Peter Lemieux
2014-03-28 14:16:04 UTC
Permalink
I've been a happy MailScanner user for many years now, but I have
encountered a problem that has me stumped. We use MCP to scan outbound
mail and have had it working for quite some time. Messages that trip
the MCP rules are forwarded to the alias mcpmonitor at localhost which
redirects the messages to the relevant staff members for review.

Sometime in the past couple of months the forwarding stopped working.
The alias works properly since I can send a message to the alias from
the command prompt. MailScanner reports in the logs that suspect
messages are being forwarded:

Mar 23 18:21:12 mail MailScanner[15851]: MCP Actions: message
s2NMLCAK020553 actions are mcpmonitor at localhost,forward

However there are no other entries in the log with that message ID, nor
is the message sent to the alias. It appears in no queue nor in the
quarantine area. It simply disappears.

I wondered if there is some conflict among the Perl modules since some
of them might have been updated with versions from CenOS or rpmforge. I
upgraded from 4.84.3-1 to 4-84.6-1 and let the installer rebuild the
modules as always, but the problem persists.

The platform is CentOS 6.5 with sendmail 8.14.4. Any help on diagnosing
this would be greatly appreciated! The scanner also uses SpamAssassin
and clamd, but those work fine for all messages.

Thanks!

Peter
Peter Lemieux
2014-04-07 15:38:16 UTC
Permalink
I hate to be a nudge, but doesn't anyone have a suggestion for how I
could diagnose this problem? Maybe there aren't any other MCP users on
this list?

I'd really like to fix this problem so my client will be happy once again.

Peter


On 03/28/2014 10:16 AM, Peter Lemieux wrote:
> I've been a happy MailScanner user for many years now, but I have
> encountered a problem that has me stumped. We use MCP to scan outbound
> mail and have had it working for quite some time. Messages that trip
> the MCP rules are forwarded to the alias mcpmonitor at localhost which
> redirects the messages to the relevant staff members for review.
>
> Sometime in the past couple of months the forwarding stopped working.
> The alias works properly since I can send a message to the alias from
> the command prompt. MailScanner reports in the logs that suspect
> messages are being forwarded:
>
> Mar 23 18:21:12 mail MailScanner[15851]: MCP Actions: message
> s2NMLCAK020553 actions are mcpmonitor at localhost,forward
>
> However there are no other entries in the log with that message ID, nor
> is the message sent to the alias. It appears in no queue nor in the
> quarantine area. It simply disappears.
>
> I wondered if there is some conflict among the Perl modules since some
> of them might have been updated with versions from CenOS or rpmforge. I
> upgraded from 4.84.3-1 to 4-84.6-1 and let the installer rebuild the
> modules as always, but the problem persists.
>
> The platform is CentOS 6.5 with sendmail 8.14.4. Any help on diagnosing
> this would be greatly appreciated! The scanner also uses SpamAssassin
> and clamd, but those work fine for all messages.
>
> Thanks!
>
> Peter
>
Jeremy McSpadden
2014-04-07 15:51:39 UTC
Permalink
Which MTA ?

--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501<tel:850-250-5590;501> | Cell : 850-890-2543<tel:850-890-2543> | Fax : 850-254-2955<tel:850-254-2955>




On Mon, Apr 7, 2014 at 8:50 AM -0700, "Peter Lemieux" <mailscanner at replies.cyways.com<mailto:mailscanner at replies.cyways.com>> wrote:

I hate to be a nudge, but doesn't anyone have a suggestion for how I
could diagnose this problem? Maybe there aren't any other MCP users on
this list?

I'd really like to fix this problem so my client will be happy once again.

Peter


On 03/28/2014 10:16 AM, Peter Lemieux wrote:
> I've been a happy MailScanner user for many years now, but I have
> encountered a problem that has me stumped. We use MCP to scan outbound
> mail and have had it working for quite some time. Messages that trip
> the MCP rules are forwarded to the alias mcpmonitor at localhost which
> redirects the messages to the relevant staff members for review.
>
> Sometime in the past couple of months the forwarding stopped working.
> The alias works properly since I can send a message to the alias from
> the command prompt. MailScanner reports in the logs that suspect
> messages are being forwarded:
>
> Mar 23 18:21:12 mail MailScanner[15851]: MCP Actions: message
> s2NMLCAK020553 actions are mcpmonitor at localhost,forward
>
> However there are no other entries in the log with that message ID, nor
> is the message sent to the alias. It appears in no queue nor in the
> quarantine area. It simply disappears.
>
> I wondered if there is some conflict among the Perl modules since some
> of them might have been updated with versions from CenOS or rpmforge. I
> upgraded from 4.84.3-1 to 4-84.6-1 and let the installer rebuild the
> modules as always, but the problem persists.
>
> The platform is CentOS 6.5 with sendmail 8.14.4. Any help on diagnosing
> this would be greatly appreciated! The scanner also uses SpamAssassin
> and clamd, but those work fine for all messages.
>
> Thanks!
>
> Peter
>

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140407/6fad79a5/attachment.html
Richard Mealing
2014-04-07 16:18:42 UTC
Permalink
It looks like sendmail from the messageID...

Are you sure you have no script that deletes the emails, in the cron job or something like that?


From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jeremy McSpadden
Sent: 07 April 2014 16:52
To: MailScanner discussion
Subject: Re: MCP announcements not forwarded

Which MTA ?

--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501<tel:850-250-5590;501> | Cell : 850-890-2543<tel:850-890-2543> | Fax : 850-254-2955<tel:850-254-2955>



On Mon, Apr 7, 2014 at 8:50 AM -0700, "Peter Lemieux" <mailscanner at replies.cyways.com<mailto:mailscanner at replies.cyways.com>> wrote:
I hate to be a nudge, but doesn't anyone have a suggestion for how I
could diagnose this problem? Maybe there aren't any other MCP users on
this list?

I'd really like to fix this problem so my client will be happy once again.

Peter


On 03/28/2014 10:16 AM, Peter Lemieux wrote:
> I've been a happy MailScanner user for many years now, but I have
> encountered a problem that has me stumped. We use MCP to scan outbound
> mail and have had it working for quite some time. Messages that trip
> the MCP rules are forwarded to the alias mcpmonitor at localhost which
> redirects the messages to the relevant staff members for review.
>
> Sometime in the past couple of months the forwarding stopped working.
> The alias works properly since I can send a message to the alias from
> the command prompt. MailScanner reports in the logs that suspect
> messages are being forwarded:
>
> Mar 23 18:21:12 mail MailScanner[15851]: MCP Actions: message
> s2NMLCAK020553 actions are mcpmonitor at localhost,forward
>
> However there are no other entries in the log with that message ID, nor
> is the message sent to the alias. It appears in no queue nor in the
> quarantine area. It simply disappears.
>
> I wondered if there is some conflict among the Perl modules since some
> of them might have been updated with versions from CenOS or rpmforge. I
> upgraded from 4.84.3-1 to 4-84.6-1 and let the installer rebuild the
> modules as always, but the problem persists.
>
> The platform is CentOS 6.5 with sendmail 8.14.4. Any help on diagnosing
> this would be greatly appreciated! The scanner also uses SpamAssassin
> and clamd, but those work fine for all messages.
>
> Thanks!
>
> Peter
>

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140407/adc94a66/attachment.html
Peter Lemieux
2014-04-07 19:08:10 UTC
Permalink
> The platform is CentOS 6.5 with sendmail 8.14.4.

And, no there is no script that deletes the emails. When forwarding was
working correctly there would be additional entries in the log that
reported on the forward being handed to sendmail for delivery and the
consequent sendmail entries. Now, as I say, MailScanner reports in the
logs that it has forwarded the message, but that never actually happens.

MCP is set only to screen messages coming from the client's Exchange
server which relays all outbound mail to the gateway running MailScanner
for final delivery. The Exchange server, 10.10.1.5 below, is
whitelisted for spam scanning. So a complete log entry for a message
that trips the MCP filters looks like this:

Apr 7 14:18:10 mail MailScanner[21372]: Message s37II94R022529 from
10.10.1.5 () to xxxxx.com is MCP, MCP-Checker (score=10, required 5,
BODY_SBID5 10.00)
Apr 7 14:18:10 mail MailScanner[21372]: MCP Checks: Found 1 MCP messages
Apr 7 14:18:10 mail MailScanner[21372]: MCP Actions: message
s37II94R022529 actions are mcpmonitor at localhost,forward
Apr 7 14:18:10 mail MailScanner[21372]: MCP Checks completed at 324382
bytes per second
Apr 7 14:18:10 mail MailScanner[21372]: Spam Checks: Starting
Apr 7 14:18:10 mail MailScanner[21372]: Message s37II94R022529 from
10.10.1.5 () is whitelisted

Is it possible that being whitelisted for spam somehow interferes with
the MCP handling? It didn't seem to matter before. Also I have

First Check = MCP

in MailScanner.conf. I thought that meant that a message that trips on
MCP would not even make it to the spam filtering.

I've added "store-mcp" to the disposition options so a copy of these
messages should appear in the quarantine. We'll see.

Peter


On 04/07/2014 12:18 PM, Richard Mealing wrote:
> It looks like sendmail from the messageID?
>
> Are you sure you have no script that deletes the emails, in the cron job
> or something like that?
>
> *From:*mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of
> *Jeremy McSpadden
> *Sent:* 07 April 2014 16:52
> *To:* MailScanner discussion
> *Subject:* Re: MCP announcements not forwarded
>
> Which MTA ?
>
>
> --
> Jeremy McSpadden
> Flux Labs | http://www.fluxlabs.net | Endless Solutions
> Office : 850-250-5590x501 <tel:850-250-5590;501> | Cell : 850-890-2543
> <tel:850-890-2543> | Fax : 850-254-2955 <tel:850-254-2955>
>
>
>
> On Mon, Apr 7, 2014 at 8:50 AM -0700, "Peter Lemieux"
> <mailscanner at replies.cyways.com <mailto:mailscanner at replies.cyways.com>>
> wrote:
>
> I hate to be a nudge, but doesn't anyone have a suggestion for how I
> could diagnose this problem? Maybe there aren't any other MCP users on
> this list?
>
> I'd really like to fix this problem so my client will be happy once again.
>
> Peter
>
>
> On 03/28/2014 10:16 AM, Peter Lemieux wrote:
>> I've been a happy MailScanner user for many years now, but I have
>> encountered a problem that has me stumped. We use MCP to scan outbound
>> mail and have had it working for quite some time. Messages that trip
>> the MCP rules are forwarded to the alias mcpmonitor at localhost which
>> redirects the messages to the relevant staff members for review.
>>
>> Sometime in the past couple of months the forwarding stopped working.
>> The alias works properly since I can send a message to the alias from
>> the command prompt. MailScanner reports in the logs that suspect
>> messages are being forwarded:
>>
>> Mar 23 18:21:12 mail MailScanner[15851]: MCP Actions: message
>> s2NMLCAK020553 actions are mcpmonitor at localhost,forward
>>
>> However there are no other entries in the log with that message ID, nor
>> is the message sent to the alias. It appears in no queue nor in the
>> quarantine area. It simply disappears.
>>
>> I wondered if there is some conflict among the Perl modules since some
>> of them might have been updated with versions from CenOS or rpmforge. I
>> upgraded from 4.84.3-1 to 4-84.6-1 and let the installer rebuild the
>> modules as always, but the problem persists.
>>
>> The platform is CentOS 6.5 with sendmail 8.14.4. Any help on diagnosing
>> this would be greatly appreciated! The scanner also uses SpamAssassin
>> and clamd, but those work fine for all messages.
>>
>> Thanks!
>>
>> Peter
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> <mailto:mailscanner at lists.mailscanner.info>
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
>
Valentin Laskov
2014-04-08 07:49:21 UTC
Permalink
Hi Peter,

1. Please show forwarding rule
2. Check for these lines in MailScanner.conf
#
MTA = sendmail
Sendmail = /usr/lib/sendmail
#
and
3. Check is there executable or link to sendmail in /usr/lib/sendmail

I think your forwarding rule is wrong.
It must be something like
MCP Actions = forward mcpmonitor at localhost

Regards
Valentin Laskov
Peter Lemieux
2014-04-08 15:45:03 UTC
Permalink
Thanks, Valentin.

The MCP rules in /etc/MailScanner/MailScanner.conf read:


MCP Checks = /etc/MailScanner/rules/mcp_checks.rules

First Check = MCP

MCP Required SpamAssassin Score = 5
MCP High SpamAssassin Score = 9
MCP Error Score = 1
MCP Header = X-%org-name%-MailScanner-MCPCheck:

Non MCP Actions = deliver
MCP Actions = store-mcp forward mcpmonitor at localhost
High Scoring MCP Actions = store-mcp forward mcpmonitor at localhost
Bounce MCP As Attachment = no

MCP Modify Subject = start
MCP Subject Text = [HIPAA]

High Scoring MCP Modify Subject = start
High Scoring MCP Subject Text = [HIPAA]

Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = yes
Detailed MCP Report = yes
Include Scores In MCP Report = yes


I added "store-mcp" to the Actions list yesterday as I wrote before.
The rules in mcp_checks.rules apply MCP to all messages arriving from
the client's Exchange server IP but exempts a couple of specific sender
addresses like the admins.

As for sendmail, yes I have "MTA = sendmail" and of course the
application can find it. This gateway handles hundreds of messages each
day and works well for everything except MCP. The command "sendmail -bv
mcpmonitor at localhost" returns the correct list of aliased recipients.

I'll also reiterate that this configuration worked correctly for many
months but now no longer does. That's why I wondered in my original
post whether it had to do with the Perl modules being used.

Perhaps I should just remove all the Perl modules that MS creates and
run the installer again? It looks like the install.sh file for RedHat
flavors does not rebuild any modules it finds already existing on the
system. Is that correct?

Peter


On 04/08/2014 03:49 AM, Valentin Laskov wrote:
> Hi Peter,
>
> 1. Please show forwarding rule
> 2. Check for these lines in MailScanner.conf
> #
> MTA = sendmail
> Sendmail = /usr/lib/sendmail
> #
> and
> 3. Check is there executable or link to sendmail in /usr/lib/sendmail
>
> I think your forwarding rule is wrong.
> It must be something like
> MCP Actions = forward mcpmonitor at localhost
>
> Regards
> Valentin Laskov
>
Peter Lemieux
2014-04-08 19:48:01 UTC
Permalink
On 04/07/2014 03:08 PM, Peter Lemieux wrote:
> I've added "store-mcp" to the disposition options so a copy of these
> messages should appear in the quarantine. We'll see.

Test messages appear in the MCP quarantine but are not forwarded. I
expected that to be the case since the MCP scores are logged.

> Apr 8 15:31:20 mail MailScanner[3599]: Message s38JVJR6007899 from
> 10.10.1.93 (user at example.com) to somewhere.com is MCP, MCP-Checker
> (score=10, required 5, BODY_SSN1 10.00)

So now I'm trying to think of methods to trigger a notice to the admins
when a message appears in the quarantine. I'll take a shot at a cron
script as a work-around for the time being, but I'd sure like to fix the
problem for good.


Peter
Peter Lemieux
2014-04-10 14:37:09 UTC
Permalink
I've taken the cron script route. Thanks for the help!

Peter


On 04/08/2014 03:48 PM, Peter Lemieux wrote:
> So now I'm trying to think of methods to trigger a notice to the admins
> when a message appears in the quarantine. I'll take a shot at a cron
> script as a work-around for the time being, but I'd sure like to fix the
> problem for good.
Continue reading on narkive:
Loading...