Problem with MailScanner, postfix and corrupt mails

Julian Field MailScanner at ecs.soton.ac.uk
Mon Mar 7 16:46:50 GMT 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

In PFDiskStore.pm, around line 271, there is a chunk of code that looks
like this:

      # We have to tell the caller what the child's pid is in order to
      # reap it. Although IO::Pipe does this for us when it is told to
      # fork and exec, it unfortunately doesn't have a neat hook for us
      # to tell it the pid when we do the fork. Bah.
      $pipe->close();
      $Tf->flush(); # JKF 20050307
      waitpid $pid, 0;
    } else { # Child
      $pipe->writer();
      $entity->print_body($pipe)
        or MailScanner::Log::WarnLog("WriteMIMEBody to %s possibly
failed, %s",
                                     $tfile, $!);
      $pipe->close();
      $Tf->flush();


Move one line in it (the flush call), so it says this instead:

      # We have to tell the caller what the child's pid is in order to
      # reap it. Although IO::Pipe does this for us when it is told to
      # fork and exec, it unfortunately doesn't have a neat hook for us
      # to tell it the pid when we do the fork. Bah.
      $pipe->close();
      $Tf->flush(); # JKF 20050307 < ----- NEW LINE
      waitpid $pid, 0;
    } else { # Child
      $pipe->writer();
      $entity->print_body($pipe)
        or MailScanner::Log::WarnLog("WriteMIMEBody to %s possibly
failed, %s",
                                     $tfile, $!);
      $pipe->close();
      #$Tf->flush(); # JKF 20050307 <----- COMMENT OUT THIS

Let me know if this makes any difference. I am pretty sure it is a perl
problem, as what is happening is that a variable called $predata is
being written twice, regardless of the fact that there is only one
print($predata) call.

Also, does this only happen to messages where MailScanner has changed
the body of the message, or only ones where it hasn't, or both?



Julian Field wrote:

> I have seen this once before on a client's system. I have never been
> able to reliably reproduce the problem, which makes it pretty much
> impossible to fix. Even exactly the same message would behave properly
> most of the time, but occasionally not.
>
> How big are your mail batches (as picked up by MailScanner)?
> What version of MailScanner are you running? ("MailScanner -v" please)
>
> Robert Waldner wrote:
>
>> Hi!
>>
>> On two boxen, I constantly have mails which are, apparingly, damaged by
>> MailScanner so that postfix, after picking them up again, quarantines
>> them into its "corrupt"-folder.
>>
>> When I `postcat` such a damaged mail, I invariably see the same
>> pattern, which I think is best explained by an example:
>>
>> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>> message_size:            9158             317
>> 2               0
>> message_arrival_time: Mon Nov 15 22:28:40 2004
>> sender: sender at domain
>> named_attribute: client_name=mail.gmx.de
>> named_attribute: client_address=213.165.64.20
>> named_attribute: message_origin=mail.gmx.de[213.165.64.20]
>> named_attribute: helo_name=mail.gmx.net
>> named_attribute: protocol_name=SMTP
>> warning_message_time: Tue Nov 16 02:28:40 2004
>> original_recipient: user at domain
>> recipient: user at domain
>> *** MESSAGE CONTENTS 4C80A7375E ***
>> Received: from mail.gmx.net (mail.gmx.de [213.165.64.20])
>> ...
>> <Received:- and other headers>
>>
>> message_size:               0               0
>> 0               0
>> message_arrival_time: Mon Nov 15 22:28:40 2004
>> sender: sender at domain
>> named_attribute: client_name=mail.gmx.de
>> named_attribute: client_address=213.165.64.20
>> named_attribute: message_origin=mail.gmx.de[213.165.64.20]
>> original_recipient: user at domain
>> recipient: user at domain
>> *** MESSAGE CONTENTS 4C80A7375E ***
>> Received: from mail.gmx.net (mail.gmx.de [213.165.64.20])
>> ...
>> <all the various headers again, plus the actual message content this
>> time>
>>
>> X-host-MailScanner: Did not find any virus
>> X-host-MailScanner-SpamCheck: not spam,
>>        SpamAssassin (Wertung=0.108, benoetigt 5, AWL 0.00...)
>> X-MailScanner-From: sender at domain
>>
>> <message content (no headers), again>
>> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>>
>> So, the pattern is
>> postfix-headers
>> *** MESSAGE CONTENTS queue-id ***
>> normal mail-headers
>> postfix-headers
>> *** MESSAGE CONTENTS queue-id ***
>> normail mail-headers
>> mail content
>> MailScanner-headers
>> mail-contents again
>>
>> Both boxen are i386 and run Debian Sarge, MailScanner 4.38.10-1/
>> postfix 2.1.5-6 on one, 4.35.3-1/2.1.5-0 on the other. I don't see
>> this happening on another box, which runs 4.37.7-1/2.1.5-5, but on
>> sun4u instead of i386.
>>
>> Any hints? The only thing I could google up was filesystem corruption,
>> which I'm pretty sure I can rule out here. Judging from the position
>> of the MailScanner headers, I'd guess it's MailScanner screwing up
>> somehow, but since I don't know, I ask ;)
>>
>> cheers+TIA,
>> &rw
>> --
>> -- A sendmail / by any other name
>> -- Would still / HELO just.as.swe.et
>> --                            - Greg
>>
>>
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
> Buy the MailScanner book at www.MailScanner.info/store
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list