Ruleset for Quarantine Infections

Pascal Maes pascal.maes at elec.ucl.ac.be
Fri Dec 21 11:29:24 GMT 2007


On 21 Dec 07 at 09:48, Glenn Steen wrote:

> On 20/12/2007, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>>
>> On 20 Dec 07 at 14:34, Glenn Steen wrote:
>>
>>>> [...]
>>>> Hello,
>>>>
>>>>
>>>> I have followed the instructions from <http://www.mailscanner.info/postfix.html>
>>>> but we also have a before-queue filter (clamsmtp) that could explain
>>>> why the mail is coming from our server.
>>>>
>>>> I have changed the way that the message is re-injected into postfix
>>>> from clamsmtp.
>>>> Now we have:
>>>>
>>>> # postcat 98B581C5CE2
>>>> *** ENVELOPE RECORDS 98B581C5CE2 ***
>>>> message_size:            2970             545
>>>> 1               0            2970
>>>> message_arrival_time: Thu Dec 20 11:02:02 2007
>>>> create_time: Thu Dec 20 11:02:02 2007
>>>> named_attribute: rewrite_context=remote
>>>> sender:
>>>> named_attribute: log_client_address=212.35.125.182
>>>> named_attribute: log_message_origin=unknown[212.35.125.182]
>>>> named_attribute: log_helo_name=web3.e-zone.net
>>>> named_attribute: log_protocol_name=ESMTP
>>>> named_attribute: client_name=localhost.localdomain
>>>> named_attribute: reverse_client_name=localhost.localdomain
>>>> named_attribute: client_address=127.0.0.1
>>>> named_attribute: helo_name=smtp3.sgsi.ucl.ac.be
>>>> named_attribute: client_address_type=2
>>>> named_attribute: dsn_orig_rcpt=rfc822;pascal.maes at uclouvain.be
>>>> original_recipient: pascal.maes at uclouvain.be
>>>> recipient: pascal.maes at uclouvain.be
>>>> *** MESSAGE CONTENTS 98B581C5CE2 ***
>>>> [...]
>>>>
>>> Looking good so far:-).
>>>
>>>>
>>>> And the message is still put in quarantine !
>>>
>>> What reason is given? The same?
>>>
>>> If you try the setting with the MailScanner command, does it return
>>> the expected result?
>>> MailScanner --value=quarantineinfections --ip=212.35.125.182
>>> ... or similar, what do you get?
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> email: glenn < dot > steen < at > gmail < dot > com
>>> work: glenn < dot > steen < at > ap1 < dot > se
>>
>> That's what I get:
>>
>> ./MailScanner --value=quarantineinfections --ip=212.35.125.182
>> Looked up internal option name "quarantineinfections"
>> With sender =
>> Client IP = 212.35.125.182
>> Virus =
>> Result is "0"
>>
>> 0=No 1=Yes
>>
>>
>>
>> Seems good.
> Yep, so then it must be "something else" making it go into
> quarantine... What do the logs say (Do you use MailWatch? What do
> the details there look like?)?
> ... Or you have a genuine bug on your hands... You're not suffering
> from the recent MailTools or MIME-tools and rpmforge problems?
>
> Cheers
> -- 
> -- Glenn

We don't use mailwatch and all I can see in the logfile is that the
email is saved in quarantine.

When I made the upgrade to MailScanner-4.65.3-1, I also upgraded
all the Perl modules...
and then made a downgrade to MailTools-1.7.7

Below are the main perl packages installed

Package namespace         installed    latest  in CPAN file
Archive::Zip                   1.18      1.23
Compress::Zlib                2.004     2.008
DBD::SQLite                    1.13      1.14
File::Temp                     0.18      0.19
Filesys::Df                    0.90      0.92
Getopt::Long                   2.36      2.37
Mail::Address                  1.77      2.02
Test::Builder                  0.70      0.74
Test::Harness                  2.64      3.05
Time::HiRes                  1.9707    1.9711
MIME::Parser::Filer    (DONEILL/MIME-tools-5.425.tar.gz)

--
Pascal




