From MailScanner at ecs.soton.ac.uk Thu Dec 11 14:28:39 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu, 11 Dec 2008 14:28:39 +0000
Subject: MailScanner 4.74.6
Message-ID: <49412397.8040706@ecs.soton.ac.uk>

Please can you try this new version.
It includes solutions to all the known symlink attack vulnerabilities, which
would only have affected you if you let arbitrary users log on to your mail
server.

Please let me know what works and what doesn't.

Thanks!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jaearick at colby.edu Thu Dec 11 21:06:33 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu, 11 Dec 2008 16:06:33 -0500 (EST)
Subject: MailScanner 4.74.6
In-Reply-To: <49412397.8040706@ecs.soton.ac.uk>
References: <49412397.8040706@ecs.soton.ac.uk>

Julian,

Any chance that tnef 1.4.5 can be added to the next release?

Jeff Earickson
Colby College

On Thu, 11 Dec 2008, Julian Field wrote:

> Date: Thu, 11 Dec 2008 14:28:39 +0000
> From: Julian Field
> Reply-To: MailScanner Beta-testers
> To: MailScanner-Beta mailing list
> Subject: MailScanner 4.74.6
>
> Please can you try this new version.
> It includes solutions to all the known symlink attack vulnerabilities, which
> would only have affected you if you let arbitrary users log on to your mail
> server.
>
> Please let me know what works and what doesn't.
>
> Thanks!
>
> Jules
>
> --
> MailScanner-Beta mailing list
> mailscanner-beta at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner-beta
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From MailScanner at ecs.soton.ac.uk Sat Dec 13 19:07:11 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat, 13 Dec 2008 19:07:11 +0000
Subject: MailScanner 4.74.6
References: <49412397.8040706@ecs.soton.ac.uk>
Message-ID: <494407DF.9000901@ecs.soton.ac.uk>

It's in there now.

On 11/12/08 21:06, Jeff A. Earickson wrote:
> Julian,
>
> Any chance that tnef 1.4.5 can be added to the next release?
>
> Jeff Earickson
> Colby College
>
> On Thu, 11 Dec 2008, Julian Field wrote:
>
>> Date: Thu, 11 Dec 2008 14:28:39 +0000
>> From: Julian Field
>> Reply-To: MailScanner Beta-testers
>> To: MailScanner-Beta mailing list
>> Subject: MailScanner 4.74.6
>>
>> Please can you try this new version.
>> It includes solutions to all the known symlink attack
>> vulnerabilities, which would only have affected you if you let
>> arbitrary users log on to your mail server.
>>
>> Please let me know what works and what doesn't.
>>
>> Thanks!
>>
>> Jules

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From jaearick at colby.edu Wed Dec 17 14:57:14 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Wed, 17 Dec 2008 09:57:14 -0500 (EST)
Subject: 4.74.9-1 strangeness/bugs

Julian,

I attempted to go with 4.74.9-1 this morning, and got bit.
Here is my list of issues:

1) I noticed that "Lockfile Dir" is now
/var/spool/MailScanner/incoming/Locks instead of /tmp.
This directory didn't exist, but I notice that starting up
MailScanner created both this directory and a "locks" directory
there, and populated it with [antivirus]Busy.lock files.

At startup, I got the complaint:

-n Starting MailScanner...
sh: /usr/sbin/mailscanner_create_locks: not found
Error: Attempt to create locks in /var/spool/MailScanner/incoming/Locks failed!

These complaints are new.

2) I ran the update_virus_scanner, and got:

# /opt/MailScanner/bin/update_virus_scanners
Can't open /etc/MailScanner/MailScanner.conf: No such file or directory.
Can't open /etc/MailScanner/MailScanner.conf: No such file or directory.
Can't open /etc/MailScanner/MailScanner.conf: No such file or directory.

My MailScanner.conf lives in /opt/MailScanner/etc/MailScanner.conf, not
/etc/MailScanner. /etc/MailScanner only contains my customized rules/reports
files. Hmmm. I could create a symlink there but don't want to.

3) BUG: The permissions on /tmp got changed from 1777 to 700 on me
during my debug run of 4.74.9-1. Ouch!

My Setup: Solaris 10 sparc, install MS via tarball.

Jeff Earickson
Colby College

(BTW: Merry Christmas, I hope you find that liver that you need under
the tree.)

From MailScanner at ecs.soton.ac.uk Wed Dec 17 20:02:11 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed, 17 Dec 2008 20:02:11 +0000
Subject: 4.74.9-1 strangeness/bugs
Message-ID: <49495AC3.2040401@ecs.soton.ac.uk>

On 17/12/08 14:57, Jeff A. Earickson wrote:
> Julian,
>
> I attempted to go with 4.74.9-1 this morning, and got bit.
> Here is my list of issues:
>
> 1) I noticed that "Lockfile Dir" is now
> /var/spool/MailScanner/incoming/Locks instead of /tmp.
> This directory didn't exist, but I notice that starting up
> MailScanner created both this directory and a "locks" directory
> there, and populated it with [antivirus]Busy.lock files.

Correct.

>
> At startup, I got the complaint:
>
> -n Starting MailScanner...
> sh: /usr/sbin/mailscanner_create_locks: not found

Fixed.

> Error: Attempt to create locks in
> /var/spool/MailScanner/incoming/Locks failed!

Caused by the previous error.

>
> These complaints are new.
>
> 2) I ran the update_virus_scanner, and got:
>
> # /opt/MailScanner/bin/update_virus_scanners
> Can't open /etc/MailScanner/MailScanner.conf: No such file or directory.
> Can't open /etc/MailScanner/MailScanner.conf: No such file or directory.
> Can't open /etc/MailScanner/MailScanner.conf: No such file or directory.
>
> My MailScanner.conf lives in /opt/MailScanner/etc/MailScanner.conf, not
> /etc/MailScanner.
> /etc/MailScanner only contains my customized
> rules/reports
> files. Hmmm. I could create a symlink there but don't want to.

Fixed.

>
> 3) BUG: The permissions on /tmp got changed from 1777 to 700 on me
> during my debug run of 4.74.9-1. Ouch!

Fixed.

>
> My Setup: Solaris 10 sparc, install MS via tarball.

Many thanks for those reports. This is, after all, a beta, and it's exactly
these reports that I want to hear about.
I'll push out a new version in a minute.

>
> Jeff Earickson
> Colby College
>
> (BTW: Merry Christmas, I hope you find that liver that you need under
> the tree.)

That would be nice :-)

Jules

From jaearick at colby.edu Wed Dec 17 22:08:17 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Wed, 17 Dec 2008 17:08:17 -0500 (EST)
Subject: 4.74.9-1 strangeness/bugs
In-Reply-To: <49495AC3.2040401@ecs.soton.ac.uk>
References: <49495AC3.2040401@ecs.soton.ac.uk>

On Wed, 17 Dec 2008, Julian Field wrote:

> On 17/12/08 14:57, Jeff A. Earickson wrote:
>> Julian,
>>
>> I attempted to go with 4.74.9-1 this morning, and got bit.
>> Here is my list of issues:
>>
>> 1) I noticed that "Lockfile Dir" is now
>> /var/spool/MailScanner/incoming/Locks instead of /tmp.
>> This directory didn't exist, but I notice that starting up
>> MailScanner created both this directory and a "locks" directory
>> there, and populated it with [antivirus]Busy.lock files.
> Correct.
>>
>> At startup, I got the complaint:
>>
>> -n Starting MailScanner...
>> sh: /usr/sbin/mailscanner_create_locks: not found
> Fixed.
>> Error: Attempt to create locks in /var/spool/MailScanner/incoming/Locks
>> failed!
> Caused by the previous error.
>>
>> These complaints are new.
>>
>> 2) I ran the update_virus_scanner, and got:
>>
>> # /opt/MailScanner/bin/update_virus_scanners
>> Can't open /etc/MailScanner/MailScanner.conf: No such file or directory.
>> Can't open /etc/MailScanner/MailScanner.conf: No such file or directory.
>> Can't open /etc/MailScanner/MailScanner.conf: No such file or directory.
>>
>> My MailScanner.conf lives in /opt/MailScanner/etc/MailScanner.conf, not
>> /etc/MailScanner. /etc/MailScanner only contains my customized
>> rules/reports
>> files. Hmmm. I could create a symlink there but don't want to.
> Fixed.
>>
>> 3) BUG: The permissions on /tmp got changed from 1777 to 700 on me
>> during my debug run of 4.74.9-1. Ouch!
> Fixed.

Errr, not true. The other bugs above went away but this one remained
with MailScanner-4.74.10-1. I checked the status of /tmp (owner and
group = root, chmod 1777) before running a debug version of 4.74.10-1.
Bang! It chmoded /tmp to 700 right away, so I changed the permissions
by hand while the debug version was still churning. The test otherwise
finished normally. I repeated the whole process again to make sure I was
not dreaming. Same result.

Question: Does /var/spool/MailScanner/incoming/Locks and locks get
a lot of traffic, or just occasional use when anti-virus profiles are
updated? In previous versions, all of this lived in /tmp which is
ramdisk in Solaris -- fast. Will the change to "Lockfile Dir" slow
us down?

Jeff Earickson
Colby College

From MailScanner at ecs.soton.ac.uk Thu Dec 18 10:05:05 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu, 18 Dec 2008 10:05:05 +0000
Subject: 4.74.9-1 strangeness/bugs
References: <49495AC3.2040401@ecs.soton.ac.uk>
Message-ID: <494A2051.5070701@ecs.soton.ac.uk>

On 17/12/08 22:08, Jeff A. Earickson wrote:
> On Wed, 17 Dec 2008, Julian Field wrote:
>
>> On 17/12/08 14:57, Jeff A. Earickson wrote:
>>> Julian,
>>>
>>> I attempted to go with 4.74.9-1 this morning, and got bit.
>>> Here is my list of issues:
>>>
>>> 1) I noticed that "Lockfile Dir" is now
>>> /var/spool/MailScanner/incoming/Locks instead of /tmp.
>>> This directory didn't exist, but I notice that starting up
>>> MailScanner created both this directory and a "locks" directory
>>> there, and populated it with [antivirus]Busy.lock files.
>> Correct.
>>>
>>> At startup, I got the complaint:
>>>
>>> -n Starting MailScanner...
>>> sh: /usr/sbin/mailscanner_create_locks: not found
>> Fixed.
>>> Error: Attempt to create locks in
>>> /var/spool/MailScanner/incoming/Locks failed!
>> Caused by the previous error.
>>>
>>> These complaints are new.
>>>
>>> 2) I ran the update_virus_scanner, and got:
>>>
>>> # /opt/MailScanner/bin/update_virus_scanners
>>> Can't open /etc/MailScanner/MailScanner.conf: No such file or
>>> directory.
>>> Can't open /etc/MailScanner/MailScanner.conf: No such file or
>>> directory.
>>> Can't open /etc/MailScanner/MailScanner.conf: No such file or
>>> directory.
>>>
>>> My MailScanner.conf lives in /opt/MailScanner/etc/MailScanner.conf, not
>>> /etc/MailScanner. /etc/MailScanner only contains my customized
>>> rules/reports
>>> files. Hmmm. I could create a symlink there but don't want to.
>> Fixed.
>>>
>>> 3) BUG: The permissions on /tmp got changed from 1777 to 700 on me
>>> during my debug run of 4.74.9-1. Ouch!
>> Fixed.
>
> Errr, not true. The other bugs above went away but this one remained
> with MailScanner-4.74.10-1. I checked the status of /tmp (owner and
> group = root, chmod 1777) before running a debug version of 4.74.10-1.
> Bang! It chmoded /tmp to 700 right away, so I changed the permissions
> by hand while the debug version was still churning. The test
> otherwise finished normally. I repeated the whole process again to
> make sure I was
> not dreaming.
> Same result.

Okay, I'll take another look at that one.

>
> Question: Does /var/spool/MailScanner/incoming/Locks and locks get

There should just be Locks and not locks as well. Where is "locks" getting
created?

> a lot of traffic, or just occasional use when anti-virus profiles are
> updated? In previous versions, all of this lived in /tmp which is
> ramdisk in Solaris -- fast. Will the change to "Lockfile Dir" slow
> us down?

That's why I put it in /var/spool/MailScanner/incoming as that should also
be on tmpfs in any decently-configured system.

Jules

From jaearick at colby.edu Thu Dec 18 11:34:48 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu, 18 Dec 2008 06:34:48 -0500 (EST)
Subject: 4.74.9-1 strangeness/bugs
In-Reply-To: <494A2051.5070701@ecs.soton.ac.uk>
References: <49495AC3.2040401@ecs.soton.ac.uk> <494A2051.5070701@ecs.soton.ac.uk>

On Thu, 18 Dec 2008, Julian Field wrote:

>>>> 3) BUG: The permissions on /tmp got changed from 1777 to 700 on me
>>>> during my debug run of 4.74.9-1. Ouch!
>>> Fixed.
>>
>> Errr, not true. The other bugs above went away but this one remained
>> with MailScanner-4.74.10-1. I checked the status of /tmp (owner and
>> group = root, chmod 1777) before running a debug version of 4.74.10-1.
>> Bang! It chmoded /tmp to 700 right away, so I changed the permissions by
>> hand while the debug version was still churning. The test otherwise
>> finished normally. I repeated the whole process again to make sure I was
>> not dreaming. Same result.
> Okay, I'll take another look at that one.
>>
>> Question: Does /var/spool/MailScanner/incoming/Locks and locks get
> There should just be Locks and not locks as well. Where is "locks" getting
> created?
>> a lot of traffic, or just occasional use when anti-virus profiles are
>> updated? In previous versions, all of this lived in /tmp which is
>> ramdisk in Solaris -- fast. Will the change to "Lockfile Dir" slow
>> us down?
> That's why I put it in /var/spool/MailScanner/incoming as that should also be
> on tmpfs in any decently-configured system.

The only thing /var/spool/MailScanner/incoming had on my system before
playing with the beta version was SpamAssassin.cache.db. Both a "Locks"
and a "locks" dir appeared there after starting the beta versions, and
both dirs contain [av]Busy.lock files. In my case (Solaris) this
directory has always resided on real disk. /tmp and /var/run are the
only tmpfs filesystems in out-of-the-box Solaris 10. So maybe I
should be using a /var/run/MailScanner directory for Lockfile Dir?
Any other settings that should be scribbling to /var/run? Maybe comments
should be added to the MailScanner.conf file for settings saying "this file
can reside in tmpfs, not needed across reboots" or "this file is needed
across reboots, store on physical disk"?

Jeff Earickson
Colby College

From MailScanner at ecs.soton.ac.uk Thu Dec 18 14:33:31 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu, 18 Dec 2008 14:33:31 +0000
Subject: 4.74.9-1 strangeness/bugs
References: <49495AC3.2040401@ecs.soton.ac.uk> <494A2051.5070701@ecs.soton.ac.uk>
Message-ID: <494A5F3B.3080700@ecs.soton.ac.uk>

On 18/12/08 11:34, Jeff A. Earickson wrote:
> On Thu, 18 Dec 2008, Julian Field wrote:
>
>>>>> 3) BUG: The permissions on /tmp got changed from 1777 to 700 on me
>>>>> during my debug run of 4.74.9-1. Ouch!
>>>> Fixed.
>>>
>>> Errr, not true. The other bugs above went away but this one remained
>>> with MailScanner-4.74.10-1.
>>> I checked the status of /tmp (owner and
>>> group = root, chmod 1777) before running a debug version of 4.74.10-1.
>>> Bang! It chmoded /tmp to 700 right away, so I changed the
>>> permissions by hand while the debug version was still churning. The
>>> test otherwise finished normally. I repeated the whole process
>>> again to make sure I was
>>> not dreaming. Same result.
>> Okay, I'll take another look at that one.
>>>
>>> Question: Does /var/spool/MailScanner/incoming/Locks and locks get
>> There should just be Locks and not locks as well. Where is "locks"
>> getting created?
>>> a lot of traffic, or just occasional use when anti-virus profiles are
>>> updated? In previous versions, all of this lived in /tmp which is
>>> ramdisk in Solaris -- fast. Will the change to "Lockfile Dir" slow
>>> us down?
>> That's why I put it in /var/spool/MailScanner/incoming as that should
>> also be on tmpfs in any decently-configured system.
>
> The only thing /var/spool/MailScanner/incoming had on my system before
> playing with the beta version was SpamAssassin.cache.db. Both a "Locks"
> and a "locks" dir appeared there after starting the beta versions,

The .10 version should only have created a Locks and not a locks dirs there.
Please check with .11 after removing Locks and locks.

> and
> both dirs contain [av]Busy.lock files. In my case (Solaris) this
> directory has always resided on real disk. /tmp and /var/run are the
> only tmpfs filesystems in out-of-the-box Solaris 10. So maybe I
> should be using a /var/run/MailScanner directory for Lockfile Dir?

No, it's mentioned in plenty of the docs that
/var/spool/MailScanner/incoming can be on tmpfs.

> Any other settings
> that should be scribbling to /var/run?

No, you should be mounting /var/spool/MailScanner/incoming on tmpfs and
using the default paths.
> Maybe comments should be added
> to the MailScanner.conf file for settings saying "this file can reside
> in tmpfs, not needed across reboots" or "this file is needed across
> reboots, store on physical disk"?

This is already mentioned in the "Incoming Work Dir" setting, which is the
only place it is relevant. RTFM :-)

Jules
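
Added example (not part of the original thread and not MailScanner's own code): a Python sketch of the two precautions this thread turns on, keeping lock files in a dedicated private directory instead of a shared /tmp without following symlinks, and never changing the mode of a directory that already exists. The function names, the scratch paths and the lock name exampleBusy.lock are hypothetical.

```python
import os
import stat
import tempfile


def ensure_lock_dir(path):
    """Create path as a private 0700 directory, or vet an existing one."""
    try:
        os.mkdir(path, 0o700)   # fails if anything, even a symlink, is there
        return path
    except FileExistsError:
        st = os.lstat(path)     # lstat: do not follow a planted symlink
    # Existing path: inspect only, never chmod, so a shared /tmp keeps its mode.
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: not a real directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path}: writable by other users")
    return path


def open_lock_file(lock_dir, name):
    """Open or create lock_dir/name without following a symlink; returns an fd."""
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(os.path.join(lock_dir, name), flags, 0o600)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError(f"{name}: not a regular file")
    return fd


def refused(func, *args):
    """True if func(*args) raises OSError (PermissionError, ELOOP, ...)."""
    try:
        func(*args)
    except OSError:
        return True
    return False


def demo():
    """Constructed scenario in a scratch directory; returns what happened."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "tmp")        # stands in for /tmp
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        link = os.path.join(root, "Locks-link")   # symlink left by another user
        os.symlink(shared, link)
        out = {"shared_refused": refused(ensure_lock_dir, shared),
               "link_refused": refused(ensure_lock_dir, link),
               "shared_mode": oct(stat.S_IMODE(os.lstat(shared).st_mode))}
        locks = ensure_lock_dir(os.path.join(root, "Locks"))
        out["new_mode"] = oct(stat.S_IMODE(os.lstat(locks).st_mode))
        victim = os.path.join(root, "victim")
        os.symlink(victim, os.path.join(locks, "exampleBusy.lock"))
        out["lock_refused"] = refused(open_lock_file, locks, "exampleBusy.lock")
        out["victim_created"] = os.path.exists(victim)
        return out
```

Calling demo() builds the scenario in a temporary directory and returns the outcome of each check.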