[Fwd: mail delay and can't parse message]

Peter Valian valianp at SOUTHWESTERN.EDU
Wed Apr 3 22:13:26 IST 2002

Does anyone at all have a suggestion on this?

-------- Original Message --------
Subject: mail delay and can't parse message
Date: Mon, 01 Apr 2002 09:49:32 -0600
From: Peter Valian <valianp at southwestern.edu>
Organization: Southwestern University
CC: Peter Valian <valianp at southwestern.edu>

Hi all,

I'm having a heap of trouble with Mailscanner.  For the most part it
works fantastic.

However, I'm getting many calls from users claiming that some email is
delayed by several hours.  I have not personally witnessed this
phenomenon but it's more than just a couple users making this
claim... (they claim to receive mail as normal but then every now and
again get a message timestamped before several emails they have already
received).  I don't know if the problem is with Mailscanner/Sendmail or
with Qpopper (4.0.3).

Also, several warnings a day get sent to postmaster about 'could not
parse message xxx', e.g.
   Report: Could not parse message g313LlZ19901

I don't know if these messages just got dropped or went through or what.

Attached is my conf.  One thing that's special to our set up is that the
mail spools are NFS mounted...so perhaps some file locking issues?

I would appreciate any suggestions.


Peter Valian
Network & Systems Administrator
Southwestern University
Georgetown, Texas

Peter Valian
Network & Systems Administrator
Southwestern University
Georgetown, Texas
512.863.1586 office
512.863.1605 fax
-------------- next part --------------
# Configuration file for MailScanner E-Mail Virus Scanner
# This file assumes everything is in the default locations provided
# by the MailScanner and RedHat 6.2 and upwards.

# User to run as (provided for Exim users)
#Run As User = mail

# Group to run as (provided for Exim users)
#Run As Group = mail

# In every batch of virus-scanning, limit the maximum
# a) number of text-only messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of text-only messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Safe   Messages Per Scan = 500
Max Unsafe Messages Per Scan = 100
Max Safe   Bytes Per Scan = 100000000
Max Unsafe Bytes Per Scan = 50000000

# To avoid resource leaks, re-start periodically.
Restart Every = 14400 # 4 hours

# Name of this host, or just "the MailScanner" if you want to hide this info.
# It can be placed in the Help Desk note contained in virus warnings sent to users.
Host name          = the MailScanner

# Add this extra header to all mail as it is scanned.
# (this must *include* terminating colon).
Mail Header = X-MailScanner:

# Set the mail header to these values for clean/infected messages.
Clean Header       = Found to be clean
Infected Header    = Found to be infected
Disinfected Header = Disinfected

# Set where to unpack incoming messages before scanning them
Incoming Work Dir  = /var/spool/MailScanner/incoming

# Set where to store infected message attachments (if they are kept)
Quarantine Dir     = /var/spool/MailScanner/quarantine

# Set where to store the process id so you can easily stop the scanner
Pid File           = /usr/local/MailScanner/var/virus.pid

# Set where to find the attachment filename ruleset.
# The structure of this file is explained elsewhere, but it is used to
# accept or reject file attachments based on their name, regardless of
# whether they are infected or not.
Filename Rules     = /usr/local/MailScanner/etc/filename.rules.conf

# Set where to find the message text sent to users when one of their
# attachments has been quarantined.
Stored Virus Message Report  = /usr/local/MailScanner/etc/stored.virus.message.txt
Stored Bad Filename Message Report  = /usr/local/MailScanner/etc/stored.filename.message.txt

# Set where to find the message text sent to users when one of their
# attachments has been deleted.
Deleted Virus Message Report = /usr/local/MailScanner/etc/deleted.virus.message.txt
Deleted Bad Filename Message Report = /usr/local/MailScanner/etc/deleted.filename.message.txt

# Set where to find the message text sent to users explaining about the
# attached disinfected documents.
Disinfected Report = /usr/local/MailScanner/etc/disinfected.report.txt

# Set location of incoming mail queue
# and location of outgoing mail queue.
Incoming Queue Dir = /var/spool/MailScanner/mqueue.in
Outgoing Queue Dir = /var/spool/MailScanner/mqueue

# Set whether to use sendmail or exim (default is sendmail)
MTA                = sendmail

# Set how to invoke MTA when sending created message
# (e.g. to sender/recipient saying "found a virus in your message")
Sendmail           = /usr/sbin/sendmail

# Sendmail2 is provided for Exim users.
# It defaults to the value supplied for Sendmail.
# It is the command used to attempt delivery of outgoing
# (scanned/cleaned) messages.
# This is not usually required for sendmail.
#Sendmail2          = /usr/sbin/exim -C /etc/exim_send.conf

# Do you want to scan email for viruses?
# A few people have wanted to disable the entire virus scanning.
Virus Scanning     = yes

# Which Virus Scanning package to use:
# sophos    from www.sophos.com, or
# mcafee    from www.mcafee.com, or
# command   from www.command.co.uk, or
# kaspersky from www.kaspersky.com, or
# inoculate from www.cai.com/products/inoculateit.htm, or
# f-secure  from www.f-secure.com, or
# f-prot    from www.f-prot.com (which is *free* for Linux as of 1/1/2002)
# Note: If you want to use multiple virus scanners, then this should be a
# comma-separated list of virus scanners. For example:
# Virus Scanner      = sophos, f-prot
Virus Scanner      = mcafee

# Where the Virus scanner is installed. This is the command needed to run it.
# Note: If you want to use multiple virus scanners, then this should be a
# comma-separated list of commands, **in the same order** as they are listed
# in the "Virus Scanner" keyword just above. For example:
# Sweep = /usr/local/Sophos/bin/sophoswrapper, /usr/local/f-prot/f-protwrapper
Sweep = /usr/local/mcafee/mcafeewrapper

# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
Virus Scanner Timeout = 300

# Expand TNEF attachments using an external program?
# This should be "yes" except for Sophos (when it should be "no")
# as Sophos has the facility built-in.
Expand TNEF        = yes

# Where the MS-TNEF expander is installed.
# The new --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
TNEF Expander      = /usr/local/MailScanner/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout       = 120

# What should the attachments be called that replace virus-infected files?
Attachment Warning Filename = VirusWarning.txt

# Should we scan all messages, including plain-text messages which are normally
# harmless? This should be "yes" since the MyParty message appeared.
Scan All Messages = yes

# Once we have removed viruses from an email message and replaced them with
# VirusWarning.txt attachments, should we deliver the clean result to the
# original recipients (or just delete them if "no")?
Deliver To Recipients = yes

# Deliver messages with viruses removed to their original recipients
# if they came from a local address, or just delete them so no-one knows
# we have a virus outbreak on our site?
Deliver From Local Domains = yes

# Notify the senders of infected messages that they should check out
# their systems?
Notify Senders = yes

# Set where to find the message text sent to the senders of infected
# messages.
#Sender Report = /usr/local/MailScanner/etc/sender.report.txt
Sender Virus Report        = /usr/local/MailScanner/etc/sender.virus.report.txt
Sender Bad Filename Report = /usr/local/MailScanner/etc/sender.filename.report.txt
Sender Error Report        = /usr/local/MailScanner/etc/sender.error.report.txt

# Notify the local postmaster when any infections are found?
Notify Local Postmaster = yes

# Include the full headers of each message in the postmaster notification?
Postmaster Gets Full Headers = yes

# Set email address of who to notify about any infections found.
# Should put your full domain name here too,
#    e.g. postmaster at your.domain.com
Local Postmaster = virusalert at southwestern.edu

# Set what to do with infected attachments or messages.
# keep   ==> Store under the "Quarantine Dir"
# delete ==> Just delete them
#Action = delete
Action = keep

# Should I attempt to disinfect infected attachments and then deliver
# the clean ones
Deliver Disinfected Files = yes

# Local domain name, or filename containing a list of local domain names
# The file supports blank entries, '#' and ';' comment characters and
# uses the first word off each line. This should be compatible with all
# such lines in a sendmail or Exim configuration file.
#Local Domains = /usr/local/MailScanner/etc/localdomains.conf
Local Domains = southwestern.edu

# Mark infected messages in the message body.
# There can now be more than 1 of these configuration lines here, so you can
# break the warning message over multiple lines.
Mark Infected Messages = yes
Inline Text Warning = Warning: This message has had one or more attachments removed.
Inline Text Warning = Warning: Please read the "VirusWarning.txt" attachment(s) for more information.
Inline HTML Warning = <P><B><FONT SIZE="+1" COLOR="red">Warning: </FONT>This message has had one or more attachments removed. Please read the "VirusWarning.txt" attachment(s) for more information.</B><BR></P>

# Sign clean messages in the message body.
# There can be more than 1 of these configuration lines here, so you can
# break the signature message over multiple lines.
# Note that enabling this option will add to the overall system load as some
# major optimisations will no longer be possible!
Sign Clean Messages = no
Inline Text Signature = --
Inline Text Signature = This message has been scanned for viruses and
Inline Text Signature = dangerous content by MailScanner, and is
Inline Text Signature = believed to be clean.
Inline HTML Signature = <BR>--
Inline HTML Signature = <BR>This message has been scanned for viruses and
Inline HTML Signature = <BR>dangerous content by
Inline HTML Signature = <A HREF="http://www.mailscanner.info/"><B>MailScanner</B></A>,
Inline HTML Signature = and is<BR>believed to be clean.

# Spam Detection
# Should the anti-spam checks be done on all incoming messages?
Spam Checks = no

# Set the name of the extra header to add to all messages found to be
# likely spam.
Spam Header = X-MailScanner-SpamCheck:

# Do you want to put some text on the front of the subject line when
# we think it is spam?
Spam Modify Subject = yes

# What text do we want to put on the front (gets followed by a " ")
Spam Subject Text = {SPAM?}

# Do we have the SpamAssassin package installed?
# This is a very good, very clever heuristics-based spam checker.
# For more info and installation instructions, see http://spamassassin.taint.org/
Use SpamAssassin = no

# Set the maximum size of message which we will check with SpamAssassin
# Don't set this too large as your system load will get very high processing
# huge messages.
Max SpamAssassin Size = 100000

# Set the maximum time to allow SpamAssassin to process 1 message
SpamAssassin Timeout = 10

# Set the list of database names and their corresponding DNS domains.
# All of these databases work in a similar way, allowing the simple use
# of multiple databases.
# See www.ordb.org and www.mail-abuse.org for more information.
Spam List = ORDB-RBL, relays.ordb.org.
# MAPS now charge for their services, so you'll have to buy a contract before
# attempting to use the next 3 lines.
#Spam List = MAPS-RBL, blackholes.mail-abuse.org.
#Spam List = MAPS-DUL, dialups.mail-abuse.org.
#Spam List = MAPS-RSS, relays.mail-abuse.org.
# This next line works for JANET UK Academic sites only
#Spam List = MAPS-RBL+, rbl-plus.mail-abuse.ja.net.

# Define local networks from whom you should always accept mail, and
# never mark it as spam. This is useful in case your own mail servers
# are ever in the ORBS or MAPS lists.
#Accept Spam From = 152.78.
#Accept Spam From = 139.166.
Accept Spam From = 161.13.

# Define a list of email addresses and email domains from whom you should
# always accept mail, and never mark it as spam. This is useful in case
# someone you correspond with a lot has their mail servers in the ORBS or
# MAPS lists.
Spam White List = /usr/local/MailScanner/etc/spam.whitelist.conf

# Advanced Features
# =================
# Don't bother changing anything below this unless you really know what
# you are doing.

# Set Debug to 1 to stop it running as a daemon
# and produce more verbose output
Debug = 0

# Attempt immediate delivery of messages, or just place them in the outgoing
# queue for the MTA to deliver at a time of its own choosing?
# If attempting immediate delivery, do them one at a time,
#                                or do them in batches of 30 at a time?
Delivery Method = queue
# Delivery Method = individual
#Delivery Method = batch

# How to lock spool files.
# Don't set this unless you *know* you need to.
# For sendmail, it defaults to "flock".
# For Exim, it defaults to "posix".
# No other type is implemented.
#Lock Type          = flock

# Where to put the virus scanning engine lock files.
# These lock files are used between MailScanner and the virus signature
# "autoupdate" scripts, to ensure that they aren't both working at the
# same time (which could cause MailScanner to let a virus through).
Lock File Dir = /tmp

# What to do when you get several MailScanner headers in one message,
# from multiple MailScanner servers. Values are
# "append"  : Append the new data to the existing header
# "add"     : Add a new header
# "replace" : Replace the old data with the new data
# Default is "append"
Multiple Headers = append

# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
Deliver Unparsable TNEF = yes

# When attempting delivery of outgoing messages, should we do it in the
# background or wait for it to complete? The danger of doing it in the
# background is that the machine load goes ever upwards while all the
# slow sendmail processes run to completion. However, running it in the
# foreground may cause the mail server to run too slowly.
Deliver In Background = no

# Minimum acceptable code stability status -- if we come across code
# that's not at least as stable as this, we barf.
# This is currently only used to check that you don't end up using untested
# virus scanner support code without realising it.
# Levels used are:
# none          - there may not even be any code.
# unsupported   - code may be completely untested, a contributed dirty hack,
#                 anything, really.
# alpha         - code is pretty well untested. Don't assume it will work.
# beta          - code is tested a bit. It should work.
# supported     - code *should* be reliable.
# Don't even *think* about setting this to anything other than "beta" or
# "supported" on a system that receives real mail until you have tested it
# yourself and are happy that it is all working as you expect it to.
# Don't set it to anything other than "supported" on a system that could
# ever receive important mail.
Minimum Code Status = supported
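
The post raises NFS file locking as a possible factor, and the config's "Lock Type" comment gives the per-MTA defaults. The following is an added diagnostic sketch, not part of the original post or of MailScanner: it reads a config in this "Key = value" format, works out the lock type in effect, and reports which spool directories sit on an NFS mount. The mount table (including the host name "filer") is constructed sample data in /proc/mounts layout, and the function names are hypothetical.

```python
import os

# Defaults taken from the "Lock Type" comment in the posted config.
DEFAULT_LOCK = {"sendmail": "flock", "exim": "posix"}
NFS_TYPES = {"nfs", "nfs4"}
DIR_KEYS = ("incoming queue dir", "outgoing queue dir", "incoming work dir")

# Config lines copied from the post; the mount table is constructed.
SAMPLE_CONF = """\
MTA                = sendmail
#Lock Type          = flock
Incoming Work Dir  = /var/spool/MailScanner/incoming
Incoming Queue Dir = /var/spool/MailScanner/mqueue.in
Outgoing Queue Dir = /var/spool/MailScanner/mqueue
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
filer:/export/spool /var/spool nfs rw 0 0
/dev/sda3 /var/spool/MailScanner/incoming ext3 rw 0 0
"""

def parse_conf(text):
    """Parse 'Key = value' lines; '#' starts a comment; last value of a key wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[" ".join(key.lower().split())] = value.strip()
    return conf

def fs_type(path, mounts_text):
    """Return (mount point, fs type) for the deepest mount containing path."""
    best = ("", "unknown")
    for entry in mounts_text.splitlines():
        fields = entry.split()
        if len(fields) < 3:
            continue
        mnt, typ = fields[1], fields[2]
        inside = (path + "/").startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) >= len(best[0]):
            best = (mnt, typ)
    return best

def audit(conf_text, mounts_text):
    """Return (effective lock type, [(key, dir, mount, fstype)] for NFS dirs)."""
    conf = parse_conf(conf_text)
    lock = conf.get("lock type", DEFAULT_LOCK.get(conf.get("mta", "sendmail"), "unknown"))
    hits = []
    for key in DIR_KEYS:
        if key in conf:
            mnt, typ = fs_type(os.path.normpath(conf[key]), mounts_text)
            if typ in NFS_TYPES:
                hits.append((key, conf[key], mnt, typ))
    return lock, hits
```

On a live host, pass the contents of /proc/mounts and the real MailScanner config file to `audit()` instead of the samples.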
