Ruleset for Quarantine Infections

Glenn Steen glenn.steen at gmail.com
Fri Dec 21 12:58:55 GMT 2007


On 21/12/2007, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
>
> Le 21-déc.-07 à 09:48, Glenn Steen a écrit :
>
> > On 20/12/2007, Pascal Maes <pascal.maes at elec.ucl.ac.be> wrote:
> >>
> >> Le 20-déc.-07 à 14:34, Glenn Steen a écrit :
> >>
> >>>> [...]
> >>>> Hello,
> >>>>
> >>>>
> >>>> I have followed the instructions from <http://www.mailscanner.info/postfix.html>
> >>>> but we also have a before-queue filter (clamsmtp) that could
> >>>> explain
> >>>> why the mail is coming from our server.
> >>>>
> >>>> I have changed the way that the message is re-injected into postfix
> >>>> from
> >>>> clamsmtp.
> >>>> Now we have :
> >>>>
> >>>> # postcat 98B581C5CE2
> >>>> *** ENVELOPE RECORDS 98B581C5CE2 ***
> >>>> message_size:            2970             545
> >>>> 1               0            2970
> >>>> message_arrival_time: Thu Dec 20 11:02:02 2007
> >>>> create_time: Thu Dec 20 11:02:02 2007
> >>>> named_attribute: rewrite_context=remote
> >>>> sender:
> >>>> named_attribute: log_client_address=212.35.125.182
> >>>> named_attribute: log_message_origin=unknown[212.35.125.182]
> >>>> named_attribute: log_helo_name=web3.e-zone.net
> >>>> named_attribute: log_protocol_name=ESMTP
> >>>> named_attribute: client_name=localhost.localdomain
> >>>> named_attribute: reverse_client_name=localhost.localdomain
> >>>> named_attribute: client_address=127.0.0.1
> >>>> named_attribute: helo_name=smtp3.sgsi.ucl.ac.be
> >>>> named_attribute: client_address_type=2
> >>>> named_attribute: dsn_orig_rcpt=rfc822;pascal.maes at uclouvain.be
> >>>> original_recipient: pascal.maes at uclouvain.be
> >>>> recipient: pascal.maes at uclouvain.be
> >>>> *** MESSAGE CONTENTS 98B581C5CE2 ***
> >>>> [...]
> >>>>
> >>> Looking good so far:-).
> >>>
> >>>>
> >>>> And the message is still put in quarantine !
> >>>
> >>> What reason is given? The same?
> >>>
> >>> If you try the setting with the MailScanner command, does it return
> >>> the expected result?
> >>> MailScanner --value=quarantineinfections --ip=212.35.125.182
> >>> ... or similar, what do you get?
> >>>
> >>> Cheers
> >>> --
> >>> -- Glenn
> >>> email: glenn < dot > steen < at > gmail < dot > com
> >>> work: glenn < dot > steen < at > ap1 < dot > se
> >>
> >> That's what I get :
> >>
> >> ./MailScanner --value=quarantineinfections --ip=212.35.125.182
> >> Looked up internal option name "quarantineinfections"
> >> With sender =
> >> Client IP = 212.35.125.182
> >> Virus =
> >> Result is "0"
> >>
> >> 0=No 1=Yes
> >>
> >>
> >>
> >> Seems good.
> > Yep, so then it must be "something else" making it go into
> > quarantine... What do the logs say (Do you use MailWatch? What do
> > the details there look like?)?
> > ... Or you have a genuine bug on your hands... You're not suffering
> > from the recent MailTools or MIME-tools and rpmforge problems?
> >
> > Cheers
> > --
> > -- Glenn
>
> We don't use mailwatch and all I can see in the logfile is that the
> email is saved in quarantine.
>
> When I made the upgrade to MailScanner-4.65.3-1, I have also upgraded
> all the Perl modules...
> and then made a downgrade to MailTools-1.7.7
>
> Below are the main perl packages installed
>
> Package namespace         installed    latest  in CPAN file
> Archive::Zip                   1.18      1.23
> Compress::Zlib                2.004     2.008
> DBD::SQLite                    1.13      1.14
> File::Temp                     0.18      0.19
> Filesys::Df                    0.90      0.92
> Getopt::Long                   2.36      2.37
> Mail::Address                  1.77      2.02
> Test::Builder                  0.70      0.74
> Test::Harness                  2.64      3.05
> Time::HiRes                  1.9707    1.9711
> MIME::Parser::Filer    (DONEILL/MIME-tools-5.425.tar.gz)
>
You could try downgrading MIME-tools to 5.420 and see what happens...
Is the one you've got built from CPAN?

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
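An added example, not code from the thread or from MailScanner/Postfix: a small parser for the ENVELOPE RECORDS section of `postcat` output, as quoted above, that reports the address Postfix saw on the re-injection connection (`client_address`) beside the original client address the before-queue filter passed through (`log_client_address`). It shows why an IP-keyed ruleset evaluated against the connection address sees 127.0.0.1 rather than the real sender after a clamsmtp re-injection; the sample is constructed, with the recipient replaced by a placeholder.

```python
# Added example: parse postcat envelope attributes and flag re-injected mail.
import re

# Constructed sample modelled on the postcat output quoted in the thread
# (recipient address replaced with a placeholder).
SAMPLE_POSTCAT = """*** ENVELOPE RECORDS 98B581C5CE2 ***
message_size:            2970             545
named_attribute: rewrite_context=remote
sender:
named_attribute: log_client_address=212.35.125.182
named_attribute: log_message_origin=unknown[212.35.125.182]
named_attribute: client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=smtp3.sgsi.ucl.ac.be
recipient: recipient@example.invalid
*** MESSAGE CONTENTS 98B581C5CE2 ***
Subject: test
"""

ATTR_RE = re.compile(r"^named_attribute:\s*([A-Za-z_]+)=(.*)$")


def parse_envelope(text):
    """Return named_attribute key/value pairs from the ENVELOPE section only."""
    attrs = {}
    in_envelope = False
    for line in text.splitlines():
        if line.startswith("*** ENVELOPE RECORDS"):
            in_envelope = True
            continue
        if line.startswith("*** MESSAGE CONTENTS"):
            break  # headers/body follow; stop before them
        if in_envelope:
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2).strip()
    return attrs


def reinjection_check(attrs):
    """Compare the connection address with the logged original client address.

    Returns (connection_ip, original_ip, reinjected); reinjected is True when
    a content filter handed the message back over a different (loopback) peer,
    so IP-based rules keyed on the connection address no longer see the sender.
    """
    conn = attrs.get("client_address", "")
    orig = attrs.get("log_client_address", conn)
    return conn, orig, conn != orig


if __name__ == "__main__":
    print(reinjection_check(parse_envelope(SAMPLE_POSTCAT)))
```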

