MailScanner + Sendmail = stuck mail?

Rich West Rich.West at wesmo.com
Thu Apr 10 18:42:43 IST 2008


Rich West wrote:
> Mike Kercher wrote:
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rich
>> West
>> Sent: Thursday, April 10, 2008 10:18 AM
>> To: MailScanner discussion
>> Subject: Re: MailScanner + Sendmail = stuck mail?
>>
>> Julian Field wrote:
>>> Rich West wrote:
>>>> Mike Kercher wrote:
>>>>>
>>>>> -----Original Message-----
>>>>> From: mailscanner-bounces at lists.mailscanner.info
>>>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of 
>>>>> Rich West
>>>>> Sent: Wednesday, April 09, 2008 12:44 PM
>>>>> To: mailscanner at lists.mailscanner.info
>>>>> Subject: MailScanner + Sendmail = "user unknown"
>>>>>
>>>>> I've inherited a MailScanner setup that is pretty questionable (from
>>>>> a security standpoint), and I'm rebuilding the box from scratch.
>>>>> I've gotten everything installed (CentOS, clamav, SA, MailScanner,
>>>>> Sendmail) to have the system act as a relay to an exchange backend.
>>>>>
>>>>> Oddly, it does not seem to be picking up the messages that are being
>>>>> left in /var/spool/mqueue.in.  I see the messages being deposited
>>>>> there, but they don't seem to be acted upon.  Is there, perhaps, a
>>>>> setting that I might have missed/glossed over that is obvious?
>>>>>
>>> Don't need to touch your sendmail config at all when installing 
>>> MailScanner.
>>
>> Ahh.. ok.. that's what I was looking for.
>>
>> Reverting the sendmail configuration back to a null client, it happily
>> sends email back to the exchange server farm.  From there, if I stop
>> sendmail and start up MailScanner (with it starting up sendmail), email
>> passes right through to the exchange server as if MailScanner never
>> touched it.
>>
>> Watching the MailScanner --debug output, all I see is:
>> /usr/sbin/MailScanner --debug
>> In Debugging mode, not forking...
>> Trying to setlogsock(unix)
>> SpamAssassin temp dir =
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> Building a message batch to scan...
>>
>> And /var/log/maillog shows:
>> root     24494     1  0 09:53 ?        00:00:00 sendmail: accepting
>> connections
>> smmsp    24500     1  0 09:53 ?        00:00:00 sendmail: Queue
>> runner at 00:15:00 for /var/spool/clientmqueue
>> root     24507     1  0 09:53 ?        00:00:00 sendmail: Queue
>> runner at 00:15:00 for /var/spool/mqueue
>> smmsp    25062 25058  0 11:01 ?        00:00:00 /usr/sbin/sendmail
>> -FCronDaemon -i -odi -oem -oi -t
>>
>> Interesting since my inbound queue is set to /var/spool/mqueue.in and
>> outbound queue is set to /var/spool/mqueue...
>>
>> -Rich
>> --
>>
>> This is the output of ps, not the maillog.  We need to see the maillog
>> to see what may or may not be happening.
>>
>> Mike
>
> Ooops.. it's here:
> Apr 10 11:26:30 mail-gw-new MailScanner[25608]: MailScanner E-Mail Virus
> Scanner version 4.68.8 starting...
> Apr 10 11:26:30 mail-gw-new MailScanner[25608]: Read 817 hostnames from
> the phishing whitelist
> Apr 10 11:26:31 mail-gw-new MailScanner[25608]: Read 6241 hostnames from
> the phishing blacklist
> Apr 10 11:26:31 mail-gw-new MailScanner[25608]: Config: calling custom
> init function SQLBlacklist
> Apr 10 11:26:31 mail-gw-new MailScanner[25608]: Starting up SQL Blacklist
> Apr 10 11:26:31 mail-gw-new MailScanner[25608]: Read 0 blacklist entries
> Apr 10 11:26:31 mail-gw-new MailScanner[25608]: Config: calling custom
> init function MailWatchLogging
> Apr 10 11:26:31 mail-gw-new MailScanner[25608]: Config: calling custom
> init function SQLWhitelist
> Apr 10 11:26:31 mail-gw-new MailScanner[25608]: Starting up SQL Whitelist
> Apr 10 11:26:31 mail-gw-new MailScanner[25608]: Read 0 whitelist entries
> Apr 10 11:26:31 mail-gw-new MailScanner[25608]: SpamAssassin temporary
> working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Apr 10 11:26:32 mail-gw-new MailScanner[25600]: Using locktype = posix
> Apr 10 11:26:33 mail-gw-new MailScanner[25608]: Using SpamAssassin
> results cache
> Apr 10 11:26:33 mail-gw-new MailScanner[25608]: Connected to
> SpamAssassin cache database
> Apr 10 11:26:33 mail-gw-new MailScanner[25608]: Enabling SpamAssassin
> auto-whitelist functionality...
> Apr 10 11:26:35 mail-gw-new MailScanner[25611]: MailScanner E-Mail Virus
> Scanner version 4.68.8 starting...
> Apr 10 11:26:35 mail-gw-new MailScanner[25611]: Read 817 hostnames from
> the phishing whitelist
> Apr 10 11:26:36 mail-gw-new MailScanner[25611]: Read 6241 hostnames from
> the phishing blacklist
> Apr 10 11:26:36 mail-gw-new MailScanner[25611]: Config: calling custom
> init function SQLBlacklist
> Apr 10 11:26:36 mail-gw-new MailScanner[25611]: Starting up SQL Blacklist
> Apr 10 11:26:36 mail-gw-new MailScanner[25611]: Read 0 blacklist entries
> Apr 10 11:26:36 mail-gw-new MailScanner[25611]: Config: calling custom
> init function MailWatchLogging
> Apr 10 11:26:36 mail-gw-new MailScanner[25611]: Config: calling custom
> init function SQLWhitelist
> Apr 10 11:26:36 mail-gw-new MailScanner[25611]: Starting up SQL Whitelist
> Apr 10 11:26:36 mail-gw-new MailScanner[25611]: Read 0 whitelist entries
> Apr 10 11:26:36 mail-gw-new MailScanner[25611]: SpamAssassin temporary
> working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Apr 10 11:26:37 mail-gw-new MailScanner[25608]: Using locktype = posix
> Apr 10 11:26:38 mail-gw-new MailScanner[25611]: Using SpamAssassin
> results cache
> Apr 10 11:26:38 mail-gw-new MailScanner[25611]: Connected to
> SpamAssassin cache database
> Apr 10 11:26:39 mail-gw-new MailScanner[25611]: Enabling SpamAssassin
> auto-whitelist functionality...
> Apr 10 11:26:43 mail-gw-new MailScanner[25611]: Using locktype = posix
> Apr 10 11:56:53 mail-gw-new sendmail[25677]: m3AFurMN025677: from=root,
> size=41, class=0, nrcpts=1,
> msgid=<200804101556.m3AFurMN025677 at mail-gw-new.mydomain.com>,
> relay=root at localhost
> Apr 10 11:56:53 mail-gw-new sendmail[25680]: m3AFurnW025680:
> from=<root at mail-gw-new.mydomain.com>, size=343, class=0, nrcpts=1,
> msgid=<200804101556.m3AFurMN025677 at mail-gw-new.mydomain.com>,
> proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
> Apr 10 11:56:54 mail-gw-new sendmail[25680]: m3AFurnW025680:
> to=<rwest at mydomain.com>, delay=00:00:01, xdelay=00:00:01, mailer=relay,
> pri=30343, relay=chadcex004.chahq.local. [192.168.8.34], dsn=2.0.0,
> stat=Sent ( <200804101556.m3AFurMN025677 at mail-gw-new.mydomain.com>
> Queued mail for delivery)
> Apr 10 11:56:54 mail-gw-new sendmail[25677]: m3AFurMN025677:
> to=rwest at mydomain.com, ctladdr=root (0/0), delay=00:00:01,
> xdelay=00:00:01, mailer=relay, pri=30041, relay=[127.0.0.1] [127.0.0.1],
> dsn=2.0.0, stat=Sent (m3AFurnW025680 Message accepted for delivery)
>

I just nuked the sendmail install and re-installed the CentOS RPM to see
if that made any difference. The only configuration change I made was to
update mailertable and relay-domains (in an attempt to keep it as
vanilla as possible).  Now, the messages just get dropped into the
mqueue.in directory and they sit there.  It doesn't look as if
MailScanner is even touching them..

Wait.. wait.. wait.. Stupidity alert.  The permissions on the spool
directory were good, but the individual spool items (as they were
getting created by the sendmail process) were owned and readable ONLY by
root, and since I had the "Run As User" set to "smmsp" in
MailScanner.conf, MailScanner couldn't read it.

Once I fixed that, email started flowing through. :)

I knew it was something simple (and stupid) that I must have been doing
incorrectly.


Thanks for all of the great input!

-Rich
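
A check for the condition described at the end of this message (queue files owned and readable only by root while "Run As User" is smmsp), as an added example that is not part of the original post. It assumes GNU find/stat as on CentOS, decides from owner, group and mode bits only (no ACLs, no root override), and the function and script names are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: find queue files that MailScanner's
# "Run As User" cannot read. Uses GNU find/stat and id, as shipped on CentOS.

# can_read USER "USER_GROUPS" OWNER GROUP MODE
# Succeeds if USER may read a file with that owner, group and octal mode.
# Exactly one permission class applies: owner, else group, else other.
can_read() {
    local user="$1" ugroups="$2" owner="$3" group="$4" g bit=0004
    local mode=$(( 0$5 ))            # leading 0: parse stat's %a as octal
    if [ "$user" = "$owner" ]; then
        bit=0400
    else
        for g in $ugroups; do
            if [ "$g" = "$group" ]; then bit=0040; fi
        done
    fi
    [ $(( $mode & $bit )) -ne 0 ]
}

# unreadable_queue_files USER DIR
# Prints "owner:group mode path" for each regular file in DIR that USER cannot
# read. Returns 0 if all are readable, 1 if any are not, 2 if USER is unknown.
unreadable_queue_files() {
    local user="$1" dir="$2" ugroups out owner group mode path
    ugroups=$(id -Gn "$user" 2>/dev/null) || return 2
    out=$(find "$dir" -maxdepth 1 -type f -exec stat -c '%U %G %a %n' {} + |
        while read -r owner group mode path; do
            can_read "$user" "$ugroups" "$owner" "$group" "$mode" ||
                printf '%s:%s %s %s\n' "$owner" "$group" "$mode" "$path"
        done)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Usage: sh check-queue.sh smmsp /var/spool/mqueue.in  (script name is made up)
if [ "$#" -eq 2 ]; then
    unreadable_queue_files "$1" "$2"
fi
```

Any line it prints is a queue file the scanner account will skip; the directory itself still needs to be traversable by that account.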

