Discussion:
Single email, multiple SpamAssassin attempts
Robert Lopez
2013-05-15 17:31:17 UTC
Do I have a MailScanner configuration problem or is this expected behavior?

MailScanner 4.84.5-3
Clamd 0.97.7-1
SpamAssassin 3.3.1
Perl 5.10.1
Postfix 2.10.0

A new email gateway is sending the much discussed "Problem Email"
messages. As far as I see there is not a problem with anything other
than the emails that are listed in the "Problem Email" messages.

However, I see a pattern that looks like this, where there are
apparently multiple attempts to scan of each email by SpamAssassin:

May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: hold: header
Received: from apn-37-7-144-188.dynamic.gprs.plus.pl (unknown
[5.174.118.246])??by mg08.cnm.edu (Postfix) with ESMTP id
780574C02AB??for <xxxxxxxx at cnm.edu>; Wed, 15 May 2013 10:18:06 -0600
(MDT) from unknown[5.174.118.246];
from=<wBlUzCw213 at apostolic-voice.org> to=<xxxxxxxx at cnm.edu>
proto=ESMTP helo=<apn-37-7-144-188.dynamic.gprs.plus.pl>
May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB: warning:
header Subject: I cant be the only one in this from
unknown[5.174.118.246]; from=<wBlUzCw213 at apostolic-voice.org>
to=<xxxxxxxx at cnm.edu> proto=ESMTP
helo=<apn-37-7-144-188.dynamic.gprs.plus.pl>
May 15 10:18:08 mg08 postfix/cleanup[7331]: 780574C02AB:
message-id=<9BAEEC48-4130-08D1-E84A-F0DF63F3D233 at apn-37-7-144-188.dynamic.gprs.plus.pl>
May 15 10:18:13 mg08 MailScanner[4633]: Message 780574C02AB.A2DEA from
5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam,
SpamAssassin (not cached, score=16.991, required 6,
autolearn=disabled, CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24,
RDNS_NONE 1.27, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM
1.70, URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66)
May 15 10:18:13 mg08 MailScanner[4633]: Non-delivery of spam: message
780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to
xxxxxxxx at cnm.edu with subject I cant be the only one in this
May 15 10:18:13 mg08 MailScanner[4633]: Spam Actions: message
780574C02AB.A2DEA actions are store
May 15 10:20:54 mg08 MailScanner[7342]: Making attempt 2 at processing
message 780574C02AB.A2DEA
May 15 10:20:54 mg08 MailScanner[7342]: SpamAssassin cache hit for
message 780574C02AB.A2DEA
May 15 10:20:54 mg08 MailScanner[7342]: Message 780574C02AB.A2DEA from
5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam,
SpamAssassin (cached, score=16.991, required 6, autolearn=disabled,
CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27,
URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70,
URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66)
May 15 10:20:54 mg08 MailScanner[7342]: Non-delivery of spam: message
780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to
xxxxxxxx at cnm.edu with subject I cant be the only one in this
May 15 10:20:54 mg08 MailScanner[7342]: Spam Actions: message
780574C02AB.A2DEA actions are store
May 15 10:25:16 mg08 MailScanner[4579]: Making attempt 3 at processing
message 780574C02AB.A2DEA
May 15 10:25:16 mg08 MailScanner[4579]: SpamAssassin cache hit for
message 780574C02AB.A2DEA
May 15 10:25:16 mg08 MailScanner[4579]: Message 780574C02AB.A2DEA from
5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam,
SpamAssassin (cached, score=16.991, required 6, autolearn=disabled,
CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27,
URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70,
URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66)
May 15 10:25:16 mg08 MailScanner[4579]: Non-delivery of spam: message
780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to
xxxxxxxx at cnm.edu with subject I cant be the only one in this
May 15 10:25:16 mg08 MailScanner[4579]: Spam Actions: message
780574C02AB.A2DEA actions are store
May 15 10:28:34 mg08 MailScanner[4746]: Making attempt 4 at processing
message 780574C02AB.A2DEA
May 15 10:28:34 mg08 MailScanner[4746]: SpamAssassin cache hit for
message 780574C02AB.A2DEA
May 15 10:28:34 mg08 MailScanner[4746]: Message 780574C02AB.A2DEA from
5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam,
SpamAssassin (cached, score=16.991, required 6, autolearn=disabled,
CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27,
URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70,
URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66)
May 15 10:28:34 mg08 MailScanner[4746]: Non-delivery of spam: message
780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to
xxxxxxxx at cnm.edu with subject I cant be the only one in this
May 15 10:28:34 mg08 MailScanner[4746]: Spam Actions: message
780574C02AB.A2DEA actions are store
May 15 10:30:38 mg08 MailScanner[7382]: Making attempt 5 at processing
message 780574C02AB.A2DEA
May 15 10:30:38 mg08 MailScanner[7382]: SpamAssassin cache hit for
message 780574C02AB.A2DEA
May 15 10:30:38 mg08 MailScanner[7382]: Message 780574C02AB.A2DEA from
5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam,
SpamAssassin (cached, score=16.991, required 6, autolearn=disabled,
CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27,
URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70,
URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66)
May 15 10:30:38 mg08 MailScanner[7382]: Non-delivery of spam: message
780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to
xxxxxxxx at cnm.edu with subject I cant be the only one in this
May 15 10:30:38 mg08 MailScanner[7382]: Spam Actions: message
780574C02AB.A2DEA actions are store
May 15 10:34:24 mg08 MailScanner[7439]: Making attempt 6 at processing
message 780574C02AB.A2DEA
May 15 10:34:24 mg08 MailScanner[7439]: SpamAssassin cache hit for
message 780574C02AB.A2DEA
May 15 10:34:24 mg08 MailScanner[7439]: Message 780574C02AB.A2DEA from
5.174.118.246 (wbluzcw213 at apostolic-voice.org) to cnm.edu is spam,
SpamAssassin (cached, score=16.991, required 6, autolearn=disabled,
CK_HELO_GENERIC 0.25, HELO_DYNAMIC_IPADDR 3.24, RDNS_NONE 1.27,
URIBL_AB_SURBL 4.50, URIBL_BLACK 1.77, URIBL_DBL_SPAM 1.70,
URIBL_JP_SURBL 1.95, URIBL_SBL 0.64, URIBL_WS_SURBL 1.66)
May 15 10:34:24 mg08 MailScanner[7439]: Non-delivery of spam: message
780574C02AB.A2DEA from wbluzcw213 at apostolic-voice.org to
xxxxxxxx at cnm.edu with subject I cant be the only one in this
May 15 10:34:24 mg08 MailScanner[7439]: Spam Actions: message
780574C02AB.A2DEA actions are store
May 15 10:34:24 mg08 MailScanner[7422]: Warning: skipping message
780574C02AB.A2DEA as it has been attempted too many times
May 15 10:34:24 mg08 MailScanner[7422]: Quarantined message
780574C02AB.A2DEA as it caused MailScanner to crash several times
May 15 10:34:24 mg08 MailScanner[7422]: Saved entire message to
/var/spool/MailScanner/quarantine/20130515/780574C02AB.A2DEA


Do I have a MailScanner configuration problem or is this expected behavior?


--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
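
The retry pattern in the log above, as an added example that is not part of the original post: a shell function that reads syslog lines and reports, per message, the highest "Making attempt N" seen, how many distinct MailScanner worker PIDs picked it up, and whether it ended in the "caused MailScanner to crash" quarantine. The function names, host name, PIDs and message IDs in the sample are constructed; the script assumes one log entry per line, as syslog writes them.

```shell
#!/usr/bin/env bash
# Added example: summarise MailScanner retry loops from syslog lines.

# Constructed sample (not from the thread): one message retried until it is
# quarantined, and one message that was retried once and then went quiet.
sample_log() {
  cat <<'EOF'
May 15 10:20:54 mx01 MailScanner[7001]: Making attempt 2 at processing message 1111111111A.A0001
May 15 10:21:10 mx01 MailScanner[7002]: Making attempt 2 at processing message 2222222222B.B0002
May 15 10:25:16 mx01 MailScanner[7003]: Making attempt 3 at processing message 1111111111A.A0001
May 15 10:25:16 mx01 MailScanner[7003]: SpamAssassin cache hit for message 1111111111A.A0001
May 15 10:28:34 mx01 MailScanner[7001]: Making attempt 4 at processing message 1111111111A.A0001
May 15 10:34:24 mx01 MailScanner[7005]: Warning: skipping message 1111111111A.A0001 as it has been attempted too many times
May 15 10:34:24 mx01 MailScanner[7005]: Quarantined message 1111111111A.A0001 as it caused MailScanner to crash several times
EOF
}

# Reads syslog on stdin (or from the files given as arguments) and prints
#   <message-id> attempts=<max N> worker_pids=<distinct PIDs> quarantined=<yes|no>
# for every message that was retried or quarantined, sorted by message id.
ms_retry_report() {
  awk '
    # "MailScanner[7342]:" -> "7342"
    function pid_of(tag,   s) {
      s = tag
      sub(/^MailScanner\[/, "", s)
      sub(/\]:$/, "", s)
      return s
    }
    # ... MailScanner[PID]: Making attempt N at processing message ID
    $5 ~ /^MailScanner\[[0-9]+\]:$/ && $6 == "Making" && $7 == "attempt" {
      id = $12
      n = $8 + 0
      if (n > max[id]) max[id] = n
      key = id SUBSEP pid_of($5)
      if (!(key in seen)) { seen[key] = 1; pids[id]++ }
    }
    # ... MailScanner[PID]: Quarantined message ID as it caused MailScanner to crash ...
    $5 ~ /^MailScanner\[[0-9]+\]:$/ && $6 == "Quarantined" && $7 == "message" && /caused MailScanner to crash/ {
      quar[$8] = 1
      if (!($8 in max)) max[$8] = 0
    }
    END {
      for (id in max)
        printf "%s attempts=%d worker_pids=%d quarantined=%s\n", id, max[id], pids[id] + 0, (id in quar) ? "yes" : "no"
    }
  ' "$@" | sort
}

# Stand-alone demonstration on the constructed sample.
sample_log | ms_retry_report
```

A message whose attempts are spread over several worker PIDs and that ends with `quarantined=yes` matches the pattern in the post, where each of the six attempts was logged by a different MailScanner PID.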
Martin Hepworth
2013-05-16 10:24:13 UTC
Not normal, but it's telling you what's happening, as it can't get a proper
scan out of the message. I'd check your permissions and the like are good
to start with,
then run the problem message through a debug session (logged in as postfix
user first so you get a proper look at any permissions issues).
--
Martin Hepworth, CISSP
Oxford, UK
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
Robert Lopez
2013-05-17 00:08:30 UTC
Post by Martin Hepworth
Not normal, but it's telling you what's happening, as it can't get a proper
scan out of the message. I'd check your permissions and the like are good
to start with,
then run the problem message through a debug session (logged in as postfix
user first so you get a proper look at any permissions issues).
You lost me on "logged in as postfix" ...

# grep postfix /etc/passwd
postfix:x:89:89::/var/spool/postfix:/sbin/nologin

The above is from the new RHEL gateway.

All our older Ubuntu gateways are ...
# grep postfix /etc/passwd
postfix:x:108:116::/var/spool/postfix:/bin/false

I never considered that

Run As User = postfix
Run As Group = postfix

actually required the postfix account to support being "logged into".

Do you mean sudo -u postfix MailScanner ... ?

If I do "sudo -u postfix MailScanner --lint" both this new and the older
gateways (which have been working for years) fail but fail differently
(different versions of MailScanner as well).

How do I "run the problem message through a debug session"?
In the man pages and in the book I have failed to see how to do that.


--
Robert Lopez
Richard Mealing
2013-05-17 15:53:21 UTC
Robert,

You need to change user to postfix, so - su postfix

For Ubuntu, I would normally 'su' to root first, then - su postfix
http://manpages.ubuntu.com/manpages/jaunty/man1/su.1.html


Thanks,



Jerry Benton
2013-05-17 16:52:19 UTC
Robert,

There are three primary things I check for when dealing with this problem:

1. Selinux. You know the drill for this one.
2. MailScanner Run As and directory ownership and permissions.
3. Making sure you add the -U option to MailScanner for the newer versions
of perl.

sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner


Jerry Benton
--
Jerry Benton
Mailborder Systems
www.mailborder.com
Robert Lopez
2013-05-17 19:08:35 UTC
On Fri, May 17, 2013 at 10:52 AM, Jerry Benton
Post by Richard Mealing
Robert,
1. Selinux. You know the drill for this one.
2. MailScanner Run As and directory ownership and permissions.
3. Making sure you add the -U option to MailScanner for the newer versions
of perl.
sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner
Jerry Benton
Jerry,

I really believe selinux is not an issue in this case.

/etc/MailScanner/MailScanner.conf: Run As User =
/etc/MailScanner/MailScanner.conf:Run As Group =
/etc/MailScanner/conf.d/CNM-MailScanner.conf:Run As User = postfix
/etc/MailScanner/conf.d/CNM-MailScanner.conf:Run As Group = postfix

I have seen you advise the -U many times in this discussion group.
I have always been hesitant to allow unsafe operations, favouring
fixing them if possible.

I do see something is changing group of /var/spool/MailScanner/incoming to:
drwxrwxr-x 9 postfix clamav 4096 May 17 12:50 /var/spool/MailScanner/incoming/

I have tried to change it to postfix postfix but it changes back to as above.
(To change I stop postfix, MailScanner, and clamd; make changes; start all)

Worse, I think, is I see this:
drwxr-x--- 2 postfix clamav 4096 May 17 12:45
/var/spool/MailScanner/incoming/17603/
drwxr-x--- 2 postfix clamav 4096 May 17 12:47
/var/spool/MailScanner/incoming/17637/
drwxr-x--- 2 postfix clamav 4096 May 17 12:50
/var/spool/MailScanner/incoming/17661/
...

Are you aware of any unsafe perl code that is involved in this
situation that if allowed to run would fix this problem?

Kind Regards

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
Robert Lopez
2013-05-17 19:20:48 UTC
Post by Robert Lopez
On Fri, May 17, 2013 at 10:52 AM, Jerry Benton
Post by Jerry Benton
sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner
[root at mg08 ~]# service clamd start
Starting Clam AntiVirus Daemon: [ OK ]
[root at mg08 ~]# service MailScanner start
Starting MailScanner and postfix:
postfix: [ OK ]
MailScanner: [ OK ]
[root at mg08 ~]# find /var/spool -group clamav
/var/spool/MailScanner/incoming
/var/spool/MailScanner/incoming/18338
/var/spool/MailScanner/incoming/18315
[root at mg08 ~]# find /var/spool -group clamav -exec chgrp postfix {} \;
[root at mg08 ~]# find /var/spool -group clamav
[root at mg08 ~]# sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g'
/usr/sbin/MailScanner
[root at mg08 ~]# head -1 /usr/sbin/MailScanner
#!/usr/bin/perl -U -I/usr/lib/MailScanner
[root at mg08 ~]# service clamd start
Starting Clam AntiVirus Daemon: [ OK ]
[root at mg08 ~]# service MailScanner start
Starting MailScanner and postfix:
postfix: [ OK ]
MailScanner: [ OK ]
[root at mg08 ~]# find /var/spool -group clamav
/var/spool/MailScanner/incoming
/var/spool/MailScanner/incoming/18589

--
Robert Lopez
Jerry Benton
2013-05-17 20:12:31 UTC
Does that mean they cleared?

I also use a third group called mtagroup for this. I add both postfix and
clamav to that group and in MailScanner.conf use the third group under Run
As Group. (With permission 0660) This allows both postfix and clamav to
access the files with no problem.
Jerry Benton
2013-05-17 20:14:49 UTC
Hit send on accident on the last email. Example using the group:

Incoming Work Group = mtagroup
Quarantine Group = mtagroup
Run As Group = mtagroup
Incoming Work Permissions = 0660
Quarantine Permissions = 0660




On Fri, May 17, 2013 at 10:12 PM, Jerry Benton
Post by Jerry Benton
Does that mean they cleared?
I also use a third group called mtagroup for this. I add both postfix and
clamav to that group and in MailScanner.conf use the third group under Run
As Group. (WIth permission 0660) This allows both postfix and clamav to
access the files with no problem.
Post by Jerry Benton
Post by Robert Lopez
On Fri, May 17, 2013 at 10:52 AM, Jerry Benton
Post by Jerry Benton
sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g'
/usr/sbin/MailScanner
[root at mg08 ~]# service clamd start
Starting Clam AntiVirus Daemon: [ OK ]
[root at mg08 ~]# service MailScanner start
postfix: [ OK ]
MailScanner: [ OK ]
[root at mg08 ~]# find /var/spool -group clamav
/var/spool/MailScanner/incoming
/var/spool/MailScanner/incoming/18338
/var/spool/MailScanner/incoming/18315
[root at mg08 ~]# find /var/spool -group clamav -exec chgrp postfix {} \;
[root at mg08 ~]# find /var/spool -group clamav
[root at mg08 ~]# sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g'
/usr/sbin/MailScanner
[root at mg08 ~]# head -1 /usr/sbin/MailScanner
#!/usr/bin/perl -U -I/usr/lib/MailScanner
[root at mg08 ~]# service clamd start
Starting Clam AntiVirus Daemon: [ OK ]
[root at mg08 ~]# service MailScanner start
postfix: [ OK ]
MailScanner: [ OK ]
[root at mg08 ~]# find /var/spool -group clamav
/var/spool/MailScanner/incoming
/var/spool/MailScanner/incoming/18589
--
Robert Lopez
--
--
Jerry Benton
Mailborder Systems
www.mailborder.com
Jerry Benton
2013-05-17 19:56:16 UTC
Permalink
As for Selinux, I wouldn't know without looking at the logs. I would of
course try putting it in permissive mode and testing. If it does turn out
to be Selinux, you can build your own policies from the logs.
From what I understand, the newer versions of Perl think some of the stuff
MailScanner does is unsafe and therefore does not allow it. Hence adding
the -U flag. Same program (MailScanner) as before, just a different version
of Perl that will not let it do things it did in previous versions.

I could of course be totally wrong.
On Fri, May 17, 2013 at 10:52 AM, Jerry Benton
Post by Richard Mealing
Robert,
There are three primary things I check for when dealing with this
1. Selinux. You know the drill for this one.
2. MailScanner Run As and directory ownership and permissions.
3. Making sure you add the -U option to MailScanner for the newer versions of perl.
sed -i 's:#!/usr/bin/perl -I:#!/usr/bin/perl -U -I:g' /usr/sbin/MailScanner
Jerry Benton
Jerry,
I really believe selinux is not an issue in this case.
/etc/MailScanner/MailScanner.conf: Run As User =
/etc/MailScanner/MailScanner.conf:Run As Group =
/etc/MailScanner/conf.d/CNM-MailScanner.conf:Run As User = postfix
/etc/MailScanner/conf.d/CNM-MailScanner.conf:Run As Group = postfix
I have seen you advise the -U many times in this discussion group.
I have always been hesitant to allow unsafe operations, favouring
fixing them if possible.
drwxrwxr-x 9 postfix clamav 4096 May 17 12:50 /var/spool/MailScanner/incoming/
I have tried to change it to postfix postfix but it changes back to as above.
(To change I stop postfix, MailScanner, and clamd; make changes; start all)
drwxr-x--- 2 postfix clamav 4096 May 17 12:45 /var/spool/MailScanner/incoming/17603/
drwxr-x--- 2 postfix clamav 4096 May 17 12:47 /var/spool/MailScanner/incoming/17637/
drwxr-x--- 2 postfix clamav 4096 May 17 12:50 /var/spool/MailScanner/incoming/17661/
...
Are you aware of any unsafe perl code that is involved in this
situation that if allowed to run would fix this problem?
Kind Regards
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
--
--
Jerry Benton
Mailborder Systems
www.mailborder.com
Robert Lopez
2013-05-17 22:53:14 UTC
Permalink
Jerry,

Acknowledge the selinux tips. Logs say no problem there.

Made the -U change. No effect on problem. Thanks.


--
Robert Lopez
Robert Lopez
2013-05-18 00:10:44 UTC
Permalink
Commented out
#Incoming Work Group = clamav
#Incoming Work Permissions = 0640
in /etc/MailScanner/conf.d/CNM-MailScanner.conf

The notes in MailScanner.conf still convince me I should leave those in.
However, just went past the hourly time to receive a Problem Email
report and there has been none.
Post by Robert Lopez
Jerry,
Acknowledge the selinux tips. Logs say no problem there.
Made the -U change. No effect on problem. Thanks.
--
Robert Lopez
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
Jerry Benton
2013-05-18 03:11:39 UTC
Permalink
If you don't define those in your custom config, it is using what is
defined in /etc/MailScanner/MailScanner.conf.
Post by Robert Lopez
Commented out
#Incoming Work Group = clamav
#Incoming Work Permissions = 0640
in /etc/MailScanner/conf.d/CNM-MailScanner.conf
The notes in MailScanner.conf still convince me I should leave those in.
However, just went past the hourly time to receive a Problem Email
report and there has been none.
On Fri, May 17, 2013 at 4:53 PM, Robert Lopez <rlopezcnm at gmail.com>
Post by Robert Lopez
Jerry,
Acknowledge the selinux tips. Logs say no problem there.
Made the -U change. No effect on problem. Thanks.
--
Robert Lopez
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
--
--
Jerry Benton
Mailborder Systems
www.mailborder.com
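
An added example, not part of the thread and not MailScanner's own code: a shell audit that reports which file supplies "Incoming Work Group" (a conf.d file overrides MailScanner.conf only when it defines the key, as the reply above says) and whether the spool directory's group agrees with it. The function names, the case- and spacing-insensitive key match, reading conf.d in glob order, and the sample files are assumptions of the example.

```shell
# Added example (not MailScanner code); the sample configs are constructed.

# Value of KEY in FILE. Lines starting with '#' are skipped; key matching
# ignores case and spacing (an assumption of this example).
setting_in_file() {     # KEY FILE
    awk -v want="$1" '
        function norm(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
        /^[ \t]*#/ { next }
        { eq = index($0, "="); if (eq == 0) next
          if (norm(substr($0, 1, eq - 1)) != norm(want)) next
          val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val); found = 1 }
        END { if (!found) exit 1; print val }' "$2"
}

# Main file first; a conf.d file overrides only if it defines the key.
effective_setting() {   # KEY MAIN_CONF CONFD_DIR -> "source|value"
    local f v out=
    for f in "$2" "$3"/*; do
        [ -f "$f" ] || continue
        if v=$(setting_in_file "$1" "$f"); then out="$f|$v"; fi
    done
    [ -n "$out" ] && printf '%s\n' "$out"
}

dir_group() { ls -ld "$1" | awk '{ print $4 }'; }

# Compare the directory's group with the effective "Incoming Work Group".
audit_incoming() {      # MAIN_CONF CONFD_DIR SPOOL_DIR
    local r want have
    r=$(effective_setting "Incoming Work Group" "$1" "$2") || r="none|"
    want=${r#*|}; have=$(dir_group "$3")
    if [ -z "$want" ]; then echo "UNSET group=$have (no group configured)"
    elif [ "$want" = "$have" ]; then echo "OK group=$have (set in ${r%%|*})"
    else echo "MISMATCH group=$have wanted=$want (set in ${r%%|*})"; return 1
    fi
}

# Constructed sample: main file leaves the keys empty, conf.d sets them.
make_sample() {         # DIR GROUP
    mkdir -p "$1/conf.d" "$1/incoming"
    printf 'Run As Group =\nIncoming Work Group =\n' > "$1/MailScanner.conf"
    printf 'Run As Group = postfix\nIncoming Work Group = %s\n' "$2" \
        > "$1/conf.d/CNM-MailScanner.conf"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_sample "$d" clamav
    audit_incoming "$d/MailScanner.conf" "$d/conf.d" "$d/incoming" || true; rm -rf "$d"
fi
```

On the gateway in the thread the arguments would be /etc/MailScanner/MailScanner.conf, /etc/MailScanner/conf.d and /var/spool/MailScanner/incoming.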