Mail disaster - semi-new system

Mike Kercher mike at vesol.com
Tue May 16 04:21:20 IST 2006


 

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of G. Armour Van Horn
> Sent: Monday, May 15, 2006 7:48 PM
> To: MailScanner discussion
> Subject: Re: Mail disaster - semi-new system
> 
> A new hint just arrived. One of my many test messages just 
> generated a bounce, here's a snip:
> 
>    ----- Transcript of session follows -----
> procmail: Couldn't create "/var/mail/vanhorn"
> procmail: Error while writing to "/var/log/maillog"
> <vanhorn at verbose.twistedhistory.com>... Deferred: local 
> mailer (/usr/bin/procmail) exited with EX_TEMPFAIL
> 
> 
> Suddenly I'm wondering what's with "/var/mail/vanhorn" as 
> mail on this machine gets written to /var/spool/mail as far as 
> I know. There is a /var/mail, but it's a link to 
> /var/spool/mail anyway. Privs on /var/spool/mail were 755 and 
> owned by root, I just did go+w on it to eliminate that 
> possibility, but it doesn't look like it actually changed anything.
> 
> Van

Personally, I'd turn selinux off and get your mail running again.  If
you want to tinker with selinux, I'd set another box up and tinker with
it offline and, as Jon suggested, set it to log violations and build
your own policy.  Seeing as your previous box was compromised, I think
it would behoove you to firewall that box up as tight as you can and
maybe run tripwire.  Chances are, they may look your IP up again to see
if you learned anything from the prior hack.

Mike
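
As an added example (not part of the original messages), this shell function classifies the mode of a spool directory such as the /var/spool/mail discussed above, following a symlink like /var/mail first. It assumes GNU stat; the function name audit_spool and the verdict words are made up for this example.

```shell
#!/bin/sh
# Added example: classify the mode of a mail spool directory.
# Verdicts (names chosen for this example):
#   restricted  only the owner can create files, e.g. root-owned 755
#   group       group-writable, e.g. 775 for a delivery agent running setgid mail
#   sticky      world-writable with the sticky bit, e.g. 1777
#   unsafe      world-writable without the sticky bit, e.g. 777 after "chmod go+w"
audit_spool() {
    # Follow a symlink such as /var/mail -> /var/spool/mail to the real directory.
    real=$(cd "$1" 2>/dev/null && pwd -P) || { echo missing; return 1; }
    mode=$(stat -c '%a' "$real") || return 1   # GNU stat: octal mode, e.g. 755 or 1777
    m=$(printf '%04d' "$mode")                 # pad to four digits: 755 -> 0755
    special=${m%???}                           # setuid/setgid/sticky digit
    rest=${m#??}; group=${rest%?}              # group permission digit
    other=${m#???}                             # other permission digit
    case $other in
        [2367])
            case $special in
                [1357]) echo sticky ;;
                *)      echo unsafe ;;
            esac ;;
        *)
            case $group in
                [2367]) echo group ;;
                *)      echo restricted ;;
            esac ;;
    esac
}

# Stand-alone use: sh audit_spool.sh /var/mail
if [ $# -gt 0 ]; then
    audit_spool "$1"
fi
```

A verdict of "unsafe" means any local account can delete or replace another user's mailbox file in that directory; "restricted" means a delivery agent that is not running as root cannot create a new mailbox there.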

