Scan Messages = %rules-dir%/scan.messages.rules

Glenn Steen glenn.steen at gmail.com
Thu May 23 15:05:00 IST 2013


On 22 May 2013 23:42, Robert Lopez <rlopezcnm at gmail.com> wrote:
> On Wed, May 22, 2013 at 12:28 PM, Steve Campbell <campbell at cnpapers.com> wrote:
>> Perhaps you should send us the "Scan Messages" line from your
>> MailScanner.conf file and what you have in your file that is pointed to
>> by the line above.
>>
>> Have you restarted or reloaded MS since you changed the file?
>>
>> Depending on what you have in that line and file, you probably shouldn't
>> be seeing those lines in your mail log.
>>
>> steve campbell
>
> The situation I am trying to understand is email being scanned by
> SpamAssassin when I thought I had all the systems configured to not
> scan the email at all.
>
> Email generated by an office where the persons use Outlook to compose
> email goes to an Exchange server and it is then relayed to an email
> gateway. These email are from CNM_Official_Info at cnm.edu to
> students at cnm.edu. The email gateway relays the email to a Mailman ($
> postmap -q students /etc/postfix/virtualaliases -> students at listserv)
> server.
>
> Mailman then sends the message to all the students who are members of
> the students list.  So each student has a copy generated that is from
> students-bounces at cnm.edu to <individual-student>@cnm.edu which is sent
> back to the email gateways.
>
> A Postfix rewrite via a virtualaliases map sends each email from
> students-bounces at cnm.edu to <individual-student>@...gmail.com.
>
> MailScanner.conf and conf.d/CNM-MailScanner.conf (newest gateway)
> all have "Scan Messages = %rules-dir%/scan.messages.rules".
> I had put both 'From' in scan.messages.rules:
>
> From:  students-bounces at cnm.edu  no
> From:  cnm_official_info at cnm.edu no    #This is not a case match to original
>
> This directive and data file have been working for years.
> However yesterday I noticed the email in this case (students list)
> do get a SpamAssassin score and my thinking is this should not be happening.
>
> Each email has a line such as this example:
>
> May 20 12:55:08 mg04 MailScanner[11127]: Message 55370642025.7712B
> from 198.133.182.29 () to cnm.edu is not spam, SpamAssassin (not
> cached, score=-1.699, required 6, autolearn=disabled, CNM_EXCUSE 0.30,
> CNM_FROM -1.00, CNM_ITS -1.00, HTML_MESSAGE 0.00)
>
> There has been no recent change to any of these files. MailScanner is always
> restarted or reloaded whenever any configuration file is modified. In fact,
> the scripts to modify any component and copy them to the gateways do the
> force-reload and test ($?) to see the return status.

Hello Robert,

Two things come to mind:
1) Go look in the logs (on the MailScanner host) again... Track one of
the messages that shouldn't have been scanned to see the actual
envelope sender and recipient(s)... Do they match what you have there?
2) Use the eminent inbuilt ruleset checking capabilities of the
MailScanner command to check what will actually happen... Do
"MailScanner --help" to see the possible things you can do... Then do
something like:
MailScanner --value=scanmessages --from=students-bounces at cnm.edu
to see what the effect would be.

I use the Scan Messages setting to do a blanket whitelist for
releasing from localhost, so ... Here's an example (run as the postfix
user):
-bash-3.2$ /usr/sbin/MailScanner --value=scanmessages --from=tony.irving at nowhere.com --to=glenn.steen at ap1.se --ip=127.0.0.1
Looked up internal option name "scanmail"
With sender = tony.irving at nowhere.com
  recipient = glenn.steen at ap1.se
Client IP = 127.0.0.1
Virus =
Result is "0"

0=No 1=Yes
-bash-3.2$ /usr/sbin/MailScanner --value=scanmessages --from=tony.irving at nowhere.com --to=glenn.steen at ap1.se --ip=127.0.0.2
Looked up internal option name "scanmail"
With sender = tony.irving at nowhere.com
  recipient = glenn.steen at ap1.se
Client IP = 127.0.0.2
Virus =
Result is "1"

0=No 1=Yes
-bash-3.2$

You should probably do both the above suggestions:-).
Cheers!
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
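
The ruleset check from the message above, wrapped so that a list of expected outcomes can be replayed after each ruleset change. This is an added example, not part of the original post: the function names, the case-file format and the `MS_BIN` override are assumptions, and the sender, recipient and IP in each case should be the envelope values taken from the logs.

```shell
#!/usr/bin/env bash
# Added example (not from the post): replay expected "Scan Messages"
# decisions through the MailScanner --value check and flag mismatches.
# MS_BIN defaults to the path shown in the post; the override is an
# assumption made here so the script can be pointed at a stand-in.
MS_BIN="${MS_BIN:-/usr/sbin/MailScanner}"

# Pull the 0/1 out of a line such as:  Result is "0"
parse_result() {
  sed -n 's/^Result is "\([01]\)".*/\1/p' | head -n 1
}

# check_envelope EXPECTED FROM TO IP
# Returns 0 on match, 1 on mismatch, 2 if no Result line was printed.
check_envelope() {
  local expected from to ip out got
  expected=$1 from=$2 to=$3 ip=$4
  out=$("$MS_BIN" --value=scanmessages --from="$from" --to="$to" \
        --ip="$ip" 2>&1 </dev/null) || true
  got=$(printf '%s\n' "$out" | parse_result)
  if [ -z "$got" ]; then
    echo "ERROR    from=$from to=$to ip=$ip (no Result line)"
    return 2
  elif [ "$got" != "$expected" ]; then
    echo "MISMATCH from=$from to=$to ip=$ip expected=$expected got=$got"
    return 1
  fi
  echo "OK       from=$from to=$to ip=$ip result=$got"
}

# audit: read "EXPECTED FROM TO IP" lines from stdin (0 = not scanned,
# 1 = scanned); blank lines and #-comments are skipped.
# Returns 0 only if every case matched.
audit() {
  local bad=0 expected from to ip
  while read -r expected from to ip; do
    case $expected in ''|'#'*) continue ;; esac
    check_envelope "$expected" "$from" "$to" "$ip" || bad=1
  done
  return "$bad"
}

# When given a readable case file as the first argument, audit it.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
  audit < "$1"
fi
```

Run it as the same user as in the message above (the postfix user there), and treat a MISMATCH on a line expected to be 0 as the cue to compare the ruleset entry with the logged envelope sender.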

