From richard at fastnet.co.uk Tue Apr 1 13:35:13 2014 From: richard at fastnet.co.uk (Richard Mealing) Date: Tue, 1 Apr 2014 12:35:13 +0000 Subject: Log Non Spam Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EB7A098@BTN-EXCHANGE-V1.fastnet.local> Hi, Can this be turned into a ruleset? It would be really useful to me. Thanks, Rich -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140401/46a72880/attachment.html From jerry.benton at mailborder.com Tue Apr 1 14:21:34 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Tue, 1 Apr 2014 15:21:34 +0200 Subject: Log Non Spam In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EB7A098@BTN-EXCHANGE-V1.fastnet.local> References: <6EE47AF64C339A4F8F7F50507241B3795EB7A098@BTN-EXCHANGE-V1.fastnet.local> Message-ID: Rich, I'll talk to the team to see if it is possible. I do not know off hand. On Tue, Apr 1, 2014 at 2:35 PM, Richard Mealing wrote: > Hi, > > > > Can this be turned into a ruleset? It would be really useful to me. > > > > > > Thanks, > > Rich > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140401/9bea41ec/attachment.html From maxsec at gmail.com Tue Apr 1 15:54:32 2014 From: maxsec at gmail.com (Martin Hepworth) Date: Tue, 1 Apr 2014 15:54:32 +0100 Subject: Log Non Spam In-Reply-To: References: <6EE47AF64C339A4F8F7F50507241B3795EB7A098@BTN-EXCHANGE-V1.fastnet.local> Message-ID: What do you mean by 'log' ? drop the score info to the logs, do something like archive each message?? -- Martin Hepworth, CISSP Oxford, UK On 1 April 2014 14:21, Jerry Benton wrote: > Rich, > > I'll talk to the team to see if it is possible. I do not know off hand. > > > On Tue, Apr 1, 2014 at 2:35 PM, Richard Mealing wrote: > >> Hi, >> >> >> >> Can this be turned into a ruleset? It would be really useful to me. >> >> >> >> >> >> Thanks, >> >> Rich >> >> >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140401/91947a37/attachment.html From jerry.benton at mailborder.com Tue Apr 1 18:47:26 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Tue, 1 Apr 2014 19:47:26 +0200 Subject: Log Non Spam In-Reply-To: References: <6EE47AF64C339A4F8F7F50507241B3795EB7A098@BTN-EXCHANGE-V1.fastnet.local>

Message-ID: Martin, It is a MS setting. On Tue, Apr 1, 2014 at 4:54 PM, Martin Hepworth wrote: > What do you mean by 'log' ? drop the score info to the logs, do something > like archive each message?? > > -- > Martin Hepworth, CISSP > Oxford, UK > > > On 1 April 2014 14:21, Jerry Benton wrote: > >> Rich, >> >> I'll talk to the team to see if it is possible. I do not know off hand. >> >> >> On Tue, Apr 1, 2014 at 2:35 PM, Richard Mealing wrote: >> >>> Hi, >>> >>> >>> >>> Can this be turned into a ruleset? It would be really useful to me. >>> >>> >>> >>> >>> >>> Thanks, >>> >>> Rich >>> >>> >>> >>> -- >>> MailScanner mailing list >>> mailscanner at lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> >> >> -- >> >> -- >> Jerry Benton >> Mailborder Systems >> www.mailborder.com >> >> -- >> MailScanner mailing list >> mailscanner at lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140401/8e751eab/attachment.html From stef at aoc-uk.com Fri Apr 4 15:54:19 2014 From: stef at aoc-uk.com (Stef Morrell) Date: Fri, 4 Apr 2014 14:54:19 +0000 Subject: Pyzor not working within MS, fine from command line Message-ID: <92665C7597419742B19470DFA3D5BEA2091414BF@vonLipwig.aoc-uk.com> I wonder if any of you can shed any light on this: I've got: This is CentOS release 6.5 (Final) This is Perl version 5.010001 (5.10.1) This is MailScanner version 4.84.6 3.004000 Mail::SpamAssassin And Pyzor refuses work correctly, this output from running MS with both debug and debug SA turned on: 15:16:58 Apr 4 15:16:58.529 [3554] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC 15:16:58 Apr 4 15:16:58.531 [3554] dbg: pyzor: network tests on, attempting Pyzor 15:16:58 Apr 4 15:16:58.804 [3554] dbg: config: fixed relative path: /var/lib/spamassassin/3.004000/updates_spamassassin_org/25_pyzor.cf 15:16:58 Apr 4 15:16:58.804 [3554] dbg: config: using "/var/lib/spamassassin/3.004000/updates_spamassassin_org/25_pyzor.cf" for included file 15:16:58 Apr 4 15:16:58.804 [3554] dbg: config: read file /var/lib/spamassassin/3.004000/updates_spamassassin_org/25_pyzor.cf 15:17:00 Apr 4 15:17:00.409 [3554] dbg: pyzor: pyzor is available: /usr/bin/pyzor 15:17:00 Apr 4 15:17:00.410 [3554] dbg: pyzor: opening pipe: /usr/bin/pyzor --homedir /var/spool/postfix/.pyzor check < /var/spool/MailScanner/incoming/SpamAssassin-Temp/.spamassassin3554JjLLoPtmp 15:17:00 Apr 4 15:17:00.414 [3554] info: pyzor: [3574] error: exit 6 15:17:00 Apr 4 15:17:00.414 [3554] dbg: pyzor: check failed: no response 15:17:30 Apr 4 15:17:30.711 [3591] dbg: pyzor: pyzor is available: /usr/bin/pyzor 15:17:30 Apr 4 15:17:30.712 [3591] dbg: pyzor: opening pipe: /usr/bin/pyzor --homedir /var/spool/postfix/.pyzor check < /var/spool/MailScanner/incoming/SpamAssassin-Temp/.spamassassin3591ncweDTtmp 15:17:30 Apr 4 15:17:30.716 [3591] info: pyzor: [3594] error: exit 6 15:17:30 Apr 4 15:17:30.716 [3591] dbg: pyzor: check failed: no response Initially postfix couldn't pyzor ping, so I wondered about permissions and created a .pyzor in /var/spool/postfix and as you can see from the log above specified that path. Still no luck, though postfix can now run pyzor happily from command line. [root at fedecks mailscanner]# su - postfix -s /bin/bash -bash-4.1$ pyzor ping public.pyzor.org:24441 (200, 'OK') -bash-4.1$ cd /var/spool/postfix/hold/ -bash-4.1$ pyzor check < 4FCB5E0406 public.pyzor.org:24441 (200, 'OK') 0 0 -bash-4.1$ logout Which isn't ruling out permissions, but puts it beyond me :) Has anyone any bright ideas? From mark at msapiro.net Fri Apr 4 16:48:04 2014 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 04 Apr 2014 08:48:04 -0700 Subject: Pyzor not working within MS, fine from command line In-Reply-To: <92665C7597419742B19470DFA3D5BEA2091414BF@vonLipwig.aoc-uk.com> References: <92665C7597419742B19470DFA3D5BEA2091414BF@vonLipwig.aoc-uk.com> Message-ID: <533ED434.3040000@msapiro.net> On 04/04/2014 07:54 AM, Stef Morrell wrote: > > Initially postfix couldn't pyzor ping, so I wondered about permissions and created a .pyzor in /var/spool/postfix and as you can see from the log above specified that path. Still no luck, though postfix can now run pyzor happily from command line. Try cp -a ~postfix/.pyzor/* /var/spool/postfix/.pyzor/ -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From stef at aoc-uk.com Fri Apr 4 17:06:31 2014 From: stef at aoc-uk.com (Stef Morrell) Date: Fri, 4 Apr 2014 16:06:31 +0000 Subject: Pyzor not working within MS, fine from command line In-Reply-To: References: <92665C7597419742B19470DFA3D5BEA2091414BF@vonLipwig.aoc-uk.com> Message-ID: <92665C7597419742B19470DFA3D5BEA209141F13@vonLipwig.aoc-uk.com> On 04 April 2014 16:48 Mark Sapiro wrote: > On 04/04/2014 07:54 AM, Stef Morrell wrote: > > > > Initially postfix couldn't pyzor ping, so I wondered about permissions > and created a .pyzor in /var/spool/postfix and as you can see from the log > above specified that path. Still no luck, though postfix can now run pyzor > happily from command line. > > > Try > > cp -a ~postfix/.pyzor/* /var/spool/postfix/.pyzor/ Pointless as: postfix:x:89:89::/var/spool/postfix:/sbin/nologin ~postfix == /var/spool/postfix From dudi at kolcore.com Fri Apr 4 18:45:57 2014 From: dudi at kolcore.com (Dudi Goldenberg) Date: Fri, 4 Apr 2014 17:45:57 +0000 Subject: Pyzor not working within MS, fine from command line In-Reply-To: <92665C7597419742B19470DFA3D5BEA209141F13@vonLipwig.aoc-uk.com> References: <92665C7597419742B19470DFA3D5BEA2091414BF@vonLipwig.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209141F13@vonLipwig.aoc-uk.com> Message-ID: >> Try >> >> cp -a ~postfix/.pyzor/* /var/spool/postfix/.pyzor/ > >Pointless as: > >postfix:x:89:89::/var/spool/postfix:/sbin/nologin > >~postfix == /var/spool/postfix This is not pointless if postfix is chrooted. D. From mailscanner at replies.cyways.com Mon Apr 7 16:38:16 2014 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Mon, 07 Apr 2014 11:38:16 -0400 Subject: MCP announcements not forwarded In-Reply-To: <53358424.6060904@replies.cyways.com> References: <53358424.6060904@replies.cyways.com> Message-ID: <5342C668.9080506@replies.cyways.com> I hate to be a nudge, but doesn't anyone have a suggestion for how I could diagnose this problem? Maybe there aren't any other MCP users on this list? I'd really like to fix this problem so my client will be happy once again. Peter On 03/28/2014 10:16 AM, Peter Lemieux wrote: > I've been a happy MailScanner user for many years now, but I have > encountered a problem that has me stumped. We use MCP to scan outbound > mail and have had it working for quite some time. Messages that trip > the MCP rules are forwarded to the alias mcpmonitor at localhost which > redirects the messages to the relevant staff members for review. > > Sometime in the past couple of months the forwarding stopped working. > The alias works properly since I can send a message to the alias from > the command prompt. MailScanner reports in the logs that suspect > messages are being forwarded: > > Mar 23 18:21:12 mail MailScanner[15851]: MCP Actions: message > s2NMLCAK020553 actions are mcpmonitor at localhost,forward > > However there are no other entries in the log with that message ID, nor > is the message sent to the alias. It appears in no queue nor in the > quarantine area. It simply disappears. > > I wondered if there is some conflict among the Perl modules since some > of them might have been updated with versions from CenOS or rpmforge. I > upgraded from 4.84.3-1 to 4-84.6-1 and let the installer rebuild the > modules as always, but the problem persists. > > The platform is CentOS 6.5 with sendmail 8.14.4. Any help on diagnosing > this would be greatly appreciated! The scanner also uses SpamAssassin > and clamd, but those work fine for all messages. > > Thanks! > > Peter > From jeremy at fluxlabs.net Mon Apr 7 16:51:39 2014 From: jeremy at fluxlabs.net (Jeremy McSpadden) Date: Mon, 7 Apr 2014 15:51:39 +0000 Subject: MCP announcements not forwarded In-Reply-To: <5342C668.9080506@replies.cyways.com> References: <53358424.6060904@replies.cyways.com>, <5342C668.9080506@replies.cyways.com> Message-ID: <2EF71902367BF60B.B7F6A2BB-F3E5-4C85-AD86-BCA4DF9B644F@acompli.com> Which MTA ? -- Jeremy McSpadden Flux Labs | http://www.fluxlabs.net | Endless Solutions Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 On Mon, Apr 7, 2014 at 8:50 AM -0700, "Peter Lemieux" > wrote: I hate to be a nudge, but doesn't anyone have a suggestion for how I could diagnose this problem? Maybe there aren't any other MCP users on this list? I'd really like to fix this problem so my client will be happy once again. Peter On 03/28/2014 10:16 AM, Peter Lemieux wrote: > I've been a happy MailScanner user for many years now, but I have > encountered a problem that has me stumped. We use MCP to scan outbound > mail and have had it working for quite some time. Messages that trip > the MCP rules are forwarded to the alias mcpmonitor at localhost which > redirects the messages to the relevant staff members for review. > > Sometime in the past couple of months the forwarding stopped working. > The alias works properly since I can send a message to the alias from > the command prompt. MailScanner reports in the logs that suspect > messages are being forwarded: > > Mar 23 18:21:12 mail MailScanner[15851]: MCP Actions: message > s2NMLCAK020553 actions are mcpmonitor at localhost,forward > > However there are no other entries in the log with that message ID, nor > is the message sent to the alias. It appears in no queue nor in the > quarantine area. It simply disappears. > > I wondered if there is some conflict among the Perl modules since some > of them might have been updated with versions from CenOS or rpmforge. I > upgraded from 4.84.3-1 to 4-84.6-1 and let the installer rebuild the > modules as always, but the problem persists. > > The platform is CentOS 6.5 with sendmail 8.14.4. Any help on diagnosing > this would be greatly appreciated! The scanner also uses SpamAssassin > and clamd, but those work fine for all messages. > > Thanks! > > Peter > -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140407/6fad79a5/attachment.html From richard at fastnet.co.uk Mon Apr 7 17:18:42 2014 From: richard at fastnet.co.uk (Richard Mealing) Date: Mon, 7 Apr 2014 16:18:42 +0000 Subject: MCP announcements not forwarded In-Reply-To: <2EF71902367BF60B.B7F6A2BB-F3E5-4C85-AD86-BCA4DF9B644F@acompli.com> References: <53358424.6060904@replies.cyways.com>, <5342C668.9080506@replies.cyways.com> <2EF71902367BF60B.B7F6A2BB-F3E5-4C85-AD86-BCA4DF9B644F@acompli.com> Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EB8195C@BTN-EXCHANGE-V1.fastnet.local> It looks like sendmail from the messageID... Are you sure you have no script that deletes the emails, in the cron job or something like that? From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jeremy McSpadden Sent: 07 April 2014 16:52 To: MailScanner discussion Subject: Re: MCP announcements not forwarded Which MTA ? -- Jeremy McSpadden Flux Labs | http://www.fluxlabs.net | Endless Solutions Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955 On Mon, Apr 7, 2014 at 8:50 AM -0700, "Peter Lemieux" > wrote: I hate to be a nudge, but doesn't anyone have a suggestion for how I could diagnose this problem? Maybe there aren't any other MCP users on this list? I'd really like to fix this problem so my client will be happy once again. Peter On 03/28/2014 10:16 AM, Peter Lemieux wrote: > I've been a happy MailScanner user for many years now, but I have > encountered a problem that has me stumped. We use MCP to scan outbound > mail and have had it working for quite some time. Messages that trip > the MCP rules are forwarded to the alias mcpmonitor at localhost which > redirects the messages to the relevant staff members for review. > > Sometime in the past couple of months the forwarding stopped working. > The alias works properly since I can send a message to the alias from > the command prompt. MailScanner reports in the logs that suspect > messages are being forwarded: > > Mar 23 18:21:12 mail MailScanner[15851]: MCP Actions: message > s2NMLCAK020553 actions are mcpmonitor at localhost,forward > > However there are no other entries in the log with that message ID, nor > is the message sent to the alias. It appears in no queue nor in the > quarantine area. It simply disappears. > > I wondered if there is some conflict among the Perl modules since some > of them might have been updated with versions from CenOS or rpmforge. I > upgraded from 4.84.3-1 to 4-84.6-1 and let the installer rebuild the > modules as always, but the problem persists. > > The platform is CentOS 6.5 with sendmail 8.14.4. Any help on diagnosing > this would be greatly appreciated! The scanner also uses SpamAssassin > and clamd, but those work fine for all messages. > > Thanks! > > Peter > -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140407/adc94a66/attachment.html From mailscanner at replies.cyways.com Mon Apr 7 20:08:10 2014 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Mon, 07 Apr 2014 15:08:10 -0400 Subject: MCP announcements not forwarded In-Reply-To: <6EE47AF64C339A4F8F7F50507241B3795EB8195C@BTN-EXCHANGE-V1.fastnet.local> References: <53358424.6060904@replies.cyways.com>, <5342C668.9080506@replies.cyways.com> <2EF71902367BF60B.B7F6A2BB-F3E5-4C85-AD86-BCA4DF9B644F@acompli.com> <6EE47AF64C339A4F8F7F50507241B3795EB8195C@BTN-EXCHANGE-V1.fastnet.local> Message-ID: <5342F79A.5000402@replies.cyways.com> > The platform is CentOS 6.5 with sendmail 8.14.4. And, no there is no script that deletes the emails. When forwarding was working correctly there would be additional entries in the log that reported on the forward being handed to sendmail for delivery and the consequent sendmail entries. Now, as I say, MailScanner reports in the logs that it has forwarded the message, but that never actually happens. MCP is set only to screen messages coming from the client's Exchange server which relays all outbound mail to the gateway running MailScanner for final delivery. The Exchange server, 10.10.1.5 below, is whitelisted for spam scanning. So a complete log entry for a message that trips the MCP filters looks like this: Apr 7 14:18:10 mail MailScanner[21372]: Message s37II94R022529 from 10.10.1.5 () to xxxxx.com is MCP, MCP-Checker (score=10, required 5, BODY_SBID5 10.00) Apr 7 14:18:10 mail MailScanner[21372]: MCP Checks: Found 1 MCP messages Apr 7 14:18:10 mail MailScanner[21372]: MCP Actions: message s37II94R022529 actions are mcpmonitor at localhost,forward Apr 7 14:18:10 mail MailScanner[21372]: MCP Checks completed at 324382 bytes per second Apr 7 14:18:10 mail MailScanner[21372]: Spam Checks: Starting Apr 7 14:18:10 mail MailScanner[21372]: Message s37II94R022529 from 10.10.1.5 () is whitelisted Is it possible that being whitelisted for spam somehow interferes with the MCP handling? It didn't seem to matter before. Also I have First Check = MCP in MailScanner.conf. I thought that meant that a message that trips on MCP would not even make it to the spam filtering. I've added "store-mcp" to the disposition options so a copy of these messages should appear in the quarantine. We'll see. Peter On 04/07/2014 12:18 PM, Richard Mealing wrote: > It looks like sendmail from the messageID? > > Are you sure you have no script that deletes the emails, in the cron job > or something like that? > > *From:*mailscanner-bounces at lists.mailscanner.info > [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of > *Jeremy McSpadden > *Sent:* 07 April 2014 16:52 > *To:* MailScanner discussion > *Subject:* Re: MCP announcements not forwarded > > Which MTA ? > > > -- > Jeremy McSpadden > Flux Labs | http://www.fluxlabs.net | Endless Solutions > Office : 850-250-5590x501 | Cell : 850-890-2543 > | Fax : 850-254-2955 > > > > On Mon, Apr 7, 2014 at 8:50 AM -0700, "Peter Lemieux" > > > wrote: > > I hate to be a nudge, but doesn't anyone have a suggestion for how I > could diagnose this problem? Maybe there aren't any other MCP users on > this list? > > I'd really like to fix this problem so my client will be happy once again. > > Peter > > > On 03/28/2014 10:16 AM, Peter Lemieux wrote: >> I've been a happy MailScanner user for many years now, but I have >> encountered a problem that has me stumped. We use MCP to scan outbound >> mail and have had it working for quite some time. Messages that trip >> the MCP rules are forwarded to the alias mcpmonitor at localhost which >> redirects the messages to the relevant staff members for review. >> >> Sometime in the past couple of months the forwarding stopped working. >> The alias works properly since I can send a message to the alias from >> the command prompt. MailScanner reports in the logs that suspect >> messages are being forwarded: >> >> Mar 23 18:21:12 mail MailScanner[15851]: MCP Actions: message >> s2NMLCAK020553 actions are mcpmonitor at localhost,forward >> >> However there are no other entries in the log with that message ID, nor >> is the message sent to the alias. It appears in no queue nor in the >> quarantine area. It simply disappears. >> >> I wondered if there is some conflict among the Perl modules since some >> of them might have been updated with versions from CenOS or rpmforge. I >> upgraded from 4.84.3-1 to 4-84.6-1 and let the installer rebuild the >> modules as always, but the problem persists. >> >> The platform is CentOS 6.5 with sendmail 8.14.4. Any help on diagnosing >> this would be greatly appreciated! The scanner also uses SpamAssassin >> and clamd, but those work fine for all messages. >> >> Thanks! >> >> Peter >> > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > From it at festa.bg Tue Apr 8 08:49:21 2014 From: it at festa.bg (Valentin Laskov) Date: Tue, 8 Apr 2014 10:49:21 +0300 Subject: MCP announcements not forwarded References: <53358424.6060904@replies.cyways.com>, <5342C668.9080506@replies.cyways.com> <2EF71902367BF60B.B7F6A2BB-F3E5-4C85-AD86-BCA4DF9B644F@acompli.com><6EE47AF64C339A4F8F7F50507241B3795EB8195C@BTN-EXCHANGE-V1.fastnet.local> <5342F79A.5000402@replies.cyways.com> Message-ID: <2BDC5A67DFDA4B56A84B2E3FAD8CB33A@festa.bg> Hi Peter, 1. Please show forwarding rule 2. Check for these lines in MailScanner.conf # MTA = sendmail Sendmail = /usr/lib/sendmail # and 3. Check is there executable or link to sendmail in /usr/lib/sendmail I think your forwarding rule is wrong. It must be something like MCP Actions = forward mcpmonitor at localhost Regards Valentin Laskov From glenn.steen at gmail.com Tue Apr 8 10:22:28 2014 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue, 8 Apr 2014 11:22:28 +0200 Subject: Pyzor not working within MS, fine from command line In-Reply-To: References: <92665C7597419742B19470DFA3D5BEA2091414BF@vonLipwig.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209141F13@vonLipwig.aoc-uk.com> Message-ID: No Dudi, Stef is quite right... It'd expand to cp -a /var/spool/postfix/.pyzor /var/spool/postfix/.pyzor ...;-) So, to the problem... When you (Stef) do a discove/ping, does it take ... a long while? ISTR there being some settings in SA and/or MS for timeouts that are ... Very optimistic. Upping them significantly used to be a given (and still am!) for things like huge bayes files etc, so that they don't get ... rudely interrupted:-). The returncode might lead in that direction... Cheers! -- -- Glenn On 4 April 2014 19:45, Dudi Goldenberg wrote: > >> Try > >> > >> cp -a ~postfix/.pyzor/* /var/spool/postfix/.pyzor/ > > > >Pointless as: > > > >postfix:x:89:89::/var/spool/postfix:/sbin/nologin > > > >~postfix == /var/spool/postfix > > This is not pointless if postfix is chrooted. > > D. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140408/fa2adee7/attachment.html From stef at aoc-uk.com Tue Apr 8 11:25:17 2014 From: stef at aoc-uk.com (Stef Morrell) Date: Tue, 8 Apr 2014 10:25:17 +0000 Subject: Pyzor not working within MS, fine from command line In-Reply-To: <7c6e7668-2ea2-4ad3-860c-b403457e91f6@VONLIPWIG.aoc-uk.com> References: <92665C7597419742B19470DFA3D5BEA2091414BF@vonLipwig.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209141F13@vonLipwig.aoc-uk.com> <7c6e7668-2ea2-4ad3-860c-b403457e91f6@VONLIPWIG.aoc-uk.com> Message-ID: <92665C7597419742B19470DFA3D5BEA2091423B3@vonLipwig.aoc-uk.com> Hi Glenn, On 08 April 2014 10:22 Glenn Steen wrote: > So, to the problem... When you (Stef) do a discove/ping, does > it take ... a long while? ISTR there being some settings in > SA and/or MS for timeouts that are ... Very optimistic. > Upping them significantly used to be a given (and still am!) > for things like huge bayes files etc, so that they don't get > ... rudely interrupted:-). The returncode might lead in that > direction... No, from command line (as postfix, or indeed as root) it's pretty much instant. SA is reporting Pyzor as giving exit 6, however my Google-fu fails me on getting any useful information about that (or any!) return code. Also if you look at the log fragment I posted it's less than a second for it to fail when running MS with debug. 15:17:00 Apr 4 15:17:00.409 [3554] dbg: pyzor: pyzor is available: /usr/bin/pyzor 15:17:00 Apr 4 15:17:00.410 [3554] dbg: pyzor: opening pipe: /usr/bin/pyzor --homedir /var/spool/postfix/.pyzor check < /var/spool/MailScanner/incoming/SpamAssassin-Temp/.spamassassin3554JjLLoPtmp 15:17:00 Apr 4 15:17:00.414 [3554] info: pyzor: [3574] error: exit 6 15:17:00 Apr 4 15:17:00.414 [3554] dbg: pyzor: check failed: no response From jerry.benton at mailborder.com Tue Apr 8 12:22:02 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Tue, 8 Apr 2014 13:22:02 +0200 Subject: Critical OpenSSL Vulnerability Message-ID: A critical vulnerability (CVE-2014-0160) has been found in OpenSSL v1.0.1. The vulnerability can be used to reveal the content of encrypted traffic and can even expose primary and secondary keys. The fix is addressed in v1.0.1g and should now be available in most Linux distributions. For more information: Debian: http://www.debian.org/security/2014/dsa-2896 Ubuntu: http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl RedHat: https://access.redhat.com/security/cve/CVE-2014-0160 -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140408/a9dcb499/attachment.html From glenn.steen at gmail.com Tue Apr 8 14:10:46 2014 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue, 8 Apr 2014 15:10:46 +0200 Subject: Pyzor not working within MS, fine from command line In-Reply-To: <92665C7597419742B19470DFA3D5BEA2091423B3@vonLipwig.aoc-uk.com> References: <92665C7597419742B19470DFA3D5BEA2091414BF@vonLipwig.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209141F13@vonLipwig.aoc-uk.com> <7c6e7668-2ea2-4ad3-860c-b403457e91f6@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA2091423B3@vonLipwig.aoc-uk.com> Message-ID: True, it does look that way... I was more thinking the whole SA run, not the individual subcommand, but that'd likely look different... Return 6 in the OS sense is "no such device or address" ... And looking at the code for pyzor, that seems pretty much to be it (... Not the strongest python coder there is, so I might well be wrong.). Question then becomes why, when it works from a "su - postfix -s /bin/bash" (or similar). If the host was wrong, it'd be an exit code of 2, likely, if it was a stranght FW/routing problem, likely a normal timeout. Hmmm. Sorry, I'm out of ideas. -- -- Glenn On 8 April 2014 12:25, Stef Morrell wrote: > Hi Glenn, > > On 08 April 2014 10:22 Glenn Steen wrote: > > So, to the problem... When you (Stef) do a discove/ping, does > > it take ... a long while? ISTR there being some settings in > > SA and/or MS for timeouts that are ... Very optimistic. > > Upping them significantly used to be a given (and still am!) > > for things like huge bayes files etc, so that they don't get > > ... rudely interrupted:-). The returncode might lead in that > > direction... > > No, from command line (as postfix, or indeed as root) it's > pretty much instant. SA is reporting Pyzor as giving exit 6, > however my Google-fu fails me on getting any useful information > about that (or any!) return code. > > Also if you look at the log fragment I posted it's less than a > second for it to fail when running MS with debug. > > 15:17:00 Apr 4 15:17:00.409 [3554] dbg: pyzor: pyzor is available: > /usr/bin/pyzor > 15:17:00 Apr 4 15:17:00.410 [3554] dbg: pyzor: opening pipe: > /usr/bin/pyzor --homedir /var/spool/postfix/.pyzor check < > /var/spool/MailScanner/incoming/SpamAssassin-Temp/.spamassassin3554JjLLoPtmp > 15:17:00 Apr 4 15:17:00.414 [3554] info: pyzor: [3574] error: exit 6 > 15:17:00 Apr 4 15:17:00.414 [3554] dbg: pyzor: check failed: no response > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140408/f30aae25/attachment.html From mailscanner at replies.cyways.com Tue Apr 8 16:45:03 2014 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Tue, 08 Apr 2014 11:45:03 -0400 Subject: MCP announcements not forwarded In-Reply-To: <2BDC5A67DFDA4B56A84B2E3FAD8CB33A@festa.bg> References: <53358424.6060904@replies.cyways.com>, <5342C668.9080506@replies.cyways.com> <2EF71902367BF60B.B7F6A2BB-F3E5-4C85-AD86-BCA4DF9B644F@acompli.com><6EE47AF64C339A4F8F7F50507241B3795EB8195C@BTN-EXCHANGE-V1.fastnet.local> <5342F79A.5000402@replies.cyways.com> <2BDC5A67DFDA4B56A84B2E3FAD8CB33A@festa.bg> Message-ID: <5344197F.9030508@replies.cyways.com> Thanks, Valentin. The MCP rules in /etc/MailScanner/MailScanner.conf read: MCP Checks = /etc/MailScanner/rules/mcp_checks.rules First Check = MCP MCP Required SpamAssassin Score = 5 MCP High SpamAssassin Score = 9 MCP Error Score = 1 MCP Header = X-%org-name%-MailScanner-MCPCheck: Non MCP Actions = deliver MCP Actions = store-mcp forward mcpmonitor at localhost High Scoring MCP Actions = store-mcp forward mcpmonitor at localhost Bounce MCP As Attachment = no MCP Modify Subject = start MCP Subject Text = [HIPAA] High Scoring MCP Modify Subject = start High Scoring MCP Subject Text = [HIPAA] Is Definitely MCP = no Is Definitely Not MCP = no Definite MCP Is High Scoring = no Always Include MCP Report = yes Detailed MCP Report = yes Include Scores In MCP Report = yes I added "store-mcp" to the Actions list yesterday as I wrote before. The rules in mcp_checks.rules apply MCP to all messages arriving from the client's Exchange server IP but exempts a couple of specific sender addresses like the admins. As for sendmail, yes I have "MTA = sendmail" and of course the application can find it. This gateway handles hundreds of messages each day and works well for everything except MCP. The command "sendmail -bv mcpmonitor at localhost" returns the correct list of aliased recipients. I'll also reiterate that this configuration worked correctly for many months but now no longer does. That's why I wondered in my original post whether it had to do with the Perl modules being used. Perhaps I should just remove all the Perl modules that MS creates and run the installer again? It looks like the install.sh file for RedHat flavors does not rebuild any modules it finds already existing on the system. Is that correct? Peter On 04/08/2014 03:49 AM, Valentin Laskov wrote: > Hi Peter, > > 1. Please show forwarding rule > 2. Check for these lines in MailScanner.conf > # > MTA = sendmail > Sendmail = /usr/lib/sendmail > # > and > 3. Check is there executable or link to sendmail in /usr/lib/sendmail > > I think your forwarding rule is wrong. > It must be something like > MCP Actions = forward mcpmonitor at localhost > > Regards > Valentin Laskov > From pparsons at techeez.com Tue Apr 8 18:04:32 2014 From: pparsons at techeez.com (Philip Parsons) Date: Tue, 8 Apr 2014 17:04:32 +0000 Subject: Spamassassin 3.4.0 Message-ID: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> Does anyone have Spamassassin 3.4.0 running with Mailscanner 4.84.6-1 ? are there any issues or items one should look out for ? Thank you. Philip Parsons IT and Telecommunication Specialist Techeez IT Consulting 250-818-2879 Skype ID: techeez www.techeez.com "Making IT easy" IMPORTANT NOTICE This e-mail is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying and distribution or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and e-mail confirmation to the sender. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140408/843e877e/attachment.html From jaearick at colby.edu Tue Apr 8 18:25:46 2014 From: jaearick at colby.edu (Jeff Earickson) Date: Tue, 8 Apr 2014 13:25:46 -0400 Subject: Spamassassin 3.4.0 In-Reply-To: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> Message-ID: I just downloaded it and I am building/testing SA 3.4.0. Once it passes its tests, I plan to put it into production. This is a Redhat 6.5 system running sendmail 8.14.8 and MailScanner 4.84.6-1. ----------------------------------- Jeff A. Earickson, Ph.D Senior Server System Administrator Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842 207-859-4214 (fax 207-859-4186) Eastern Time Zone, USA ----------------------------------- On Tue, Apr 8, 2014 at 1:04 PM, Philip Parsons wrote: > Does anyone have Spamassassin 3.4.0 running with Mailscanner 4.84.6-1 ? > are there any issues or items one should look out for ? > > > > > > Thank you. > Philip Parsons > IT and Telecommunication Specialist > > Techeez IT Consulting > > 250-818-2879 > > Skype ID: techeez > www.techeez.com "Making IT easy" > > > > IMPORTANT NOTICE > This e-mail is confidential, may be legally privileged, and is for the > intended recipient only. Access, disclosure, copying and distribution or > reliance on any of it by anyone else is prohibited and may be a criminal > offence. Please delete if obtained in error and e-mail confirmation to the > sender. > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140408/1efb36cf/attachment.html From mark at msapiro.net Tue Apr 8 18:38:35 2014 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 08 Apr 2014 10:38:35 -0700 Subject: Spamassassin 3.4.0 In-Reply-To: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> Message-ID: <5344341B.1010607@msapiro.net> On 04/08/2014 10:04 AM, Philip Parsons wrote: > Does anyone have Spamassassin 3.4.0 running with Mailscanner 4.84.6-1 ? > are there any issues or items one should look out for ? I have Spamassassin 3.4.0 running with Mailscanner 4.84.6-1 and I have seen no problems. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From pparsons at techeez.com Tue Apr 8 19:39:04 2014 From: pparsons at techeez.com (Philip Parsons) Date: Tue, 8 Apr 2014 18:39:04 +0000 Subject: Spamassassin 3.4.0 In-Reply-To: <5344341B.1010607@msapiro.net> References: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> <5344341B.1010607@msapiro.net> Message-ID: <11D8E491D9562549A61FD3186F36342001D54E2825@exchange.techeez.com> Did you have to do the patches to Spamassassin to get MCP to work with 3.4 ? -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro Sent: April-08-14 10:39 AM To: mailscanner at lists.mailscanner.info Subject: Re: Spamassassin 3.4.0 On 04/08/2014 10:04 AM, Philip Parsons wrote: > Does anyone have Spamassassin 3.4.0 running with Mailscanner 4.84.6-1 ? > are there any issues or items one should look out for ? I have Spamassassin 3.4.0 running with Mailscanner 4.84.6-1 and I have seen no problems. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mark at msapiro.net Tue Apr 8 20:04:50 2014 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 08 Apr 2014 12:04:50 -0700 Subject: Spamassassin 3.4.0 In-Reply-To: <11D8E491D9562549A61FD3186F36342001D54E2825@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> <5344341B.1010607@msapiro.net> <11D8E491D9562549A61FD3186F36342001D54E2825@exchange.techeez.com> Message-ID: <53444852.2020400@msapiro.net> On 04/08/2014 11:39 AM, Philip Parsons wrote: > Did you have to do the patches to Spamassassin to get MCP to work with 3.4 ? I don't use MCP. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Tue Apr 8 20:35:38 2014 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 08 Apr 2014 12:35:38 -0700 Subject: Spamassassin 3.4.0 In-Reply-To: <53444852.2020400@msapiro.net> References: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> <5344341B.1010607@msapiro.net> <11D8E491D9562549A61FD3186F36342001D54E2825@exchange.techeez.com> <53444852.2020400@msapiro.net> Message-ID: <53444F8A.3070106@msapiro.net> On 04/08/2014 12:04 PM, Mark Sapiro wrote: > On 04/08/2014 11:39 AM, Philip Parsons wrote: >> Did you have to do the patches to Spamassassin to get MCP to work with 3.4 ? > > > I don't use MCP. > Also note from "Do not use MCP, "SpamAssassin Rule Actions" can do everything much faster." Also see and -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mailscanner at replies.cyways.com Tue Apr 8 20:48:01 2014 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Tue, 08 Apr 2014 15:48:01 -0400 Subject: MCP announcements not forwarded In-Reply-To: <5342F79A.5000402@replies.cyways.com> References: <53358424.6060904@replies.cyways.com>, <5342C668.9080506@replies.cyways.com> <2EF71902367BF60B.B7F6A2BB-F3E5-4C85-AD86-BCA4DF9B644F@acompli.com> <6EE47AF64C339A4F8F7F50507241B3795EB8195C@BTN-EXCHANGE-V1.fastnet.local> <5342F79A.5000402@replies.cyways.com> Message-ID: <53445271.5090700@replies.cyways.com> On 04/07/2014 03:08 PM, Peter Lemieux wrote: > I've added "store-mcp" to the disposition options so a copy of these > messages should appear in the quarantine. We'll see. Test messages appear in the MCP quarantine but are not forwarded. I expected that to be the case since the MCP scores are logged. > Apr 8 15:31:20 mail MailScanner[3599]: Message s38JVJR6007899 from > 10.10.1.93 (user at example.com) to somewhere.com is MCP, MCP-Checker > (score=10, required 5, BODY_SSN1 10.00) So now I'm trying to think of methods to trigger a notice to the admins when a message appears in the quarantine. I'll take a shot at a cron script as a work-around for the time being, but I'd sure like to fix the problem for good. Peter From brad at comstyle.com Tue Apr 8 20:50:31 2014 From: brad at comstyle.com (Brad Smith) Date: Tue, 08 Apr 2014 15:50:31 -0400 Subject: Spamassassin 3.4.0 In-Reply-To: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> Message-ID: <53445307.5050109@comstyle.com> On 08/04/14 1:04 PM, Philip Parsons wrote: > Does anyone have Spamassassin 3.4.0 running with Mailscanner 4.84.6-1 ? > are there any issues or items one should look out for ? The OpenBSD -current ports tree has had SA 3.4.0 for a bit under a month now and I have been running SA 3.4.0 with the latest MailScanner without any noticeable issues so far. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From pparsons at techeez.com Tue Apr 8 21:24:02 2014 From: pparsons at techeez.com (Philip Parsons) Date: Tue, 8 Apr 2014 20:24:02 +0000 Subject: Spamassassin 3.4.0 In-Reply-To: <53444852.2020400@msapiro.net> References: <11D8E491D9562549A61FD3186F36342001D54E23E2@exchange.techeez.com> <5344341B.1010607@msapiro.net> <11D8E491D9562549A61FD3186F36342001D54E2825@exchange.techeez.com> <53444852.2020400@msapiro.net> Message-ID: <11D8E491D9562549A61FD3186F36342001D54E2E69@exchange.techeez.com> Oh ok thanks hopefully someone else might be -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro Sent: April-08-14 12:05 PM To: mailscanner at lists.mailscanner.info Subject: Re: Spamassassin 3.4.0 On 04/08/2014 11:39 AM, Philip Parsons wrote: > Did you have to do the patches to Spamassassin to get MCP to work with 3.4 ? I don't use MCP. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From oliveiros at gmail.com Wed Apr 9 20:04:53 2014 From: oliveiros at gmail.com (Oliveiros Peixoto (Netinho)) Date: Wed, 09 Apr 2014 16:04:53 -0300 Subject: Zimbra MailScanner SpamAssassin Message-ID: <534599D5.70102@gmail.com> Hello! I have integrated MailScanner with zimbra, but the mailscanner don't found spamassassin installation. How can set spamassassin installation directory? Thanks! From chris at twinn.co.uk Wed Apr 9 21:05:08 2014 From: chris at twinn.co.uk (Chris Twinn) Date: Wed, 09 Apr 2014 21:05:08 +0100 Subject: Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185 Message-ID: <5345A7F4.6020202@twinn.co.uk> Hi, Fresh MailScanner 4.84.6 is failing to do pretty much anything with messages (except rewrite subject). I followed this old message:http://lists.mailscanner.info/pipermail/mailscanner/2006-May/061477.html [Quote] * Shutdown MailScanner and your MTA * Start only your incoming MTA. This is usually done by the command |service MailScanner startin| on Redhat. Other distros/OS may vary * Set ?Debug = yes? and ?Debug SpamAssassin = yes? in MailScanner.conf, then run ?check_MailScanner?. * Watch carefully the output for error messages and fix what you can fix. [/Quote] Which then fails with: 20:14:03 Building a message batch to scan... 20:14:03 Have a batch of 2 messages. 20:14:14 Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. Failed. maillog has maillog:Apr 9 20:14:14 centos65 MailScanner[14512]: Spam Checks: Found 1 spam messages maillog:Apr 9 20:14:14 centos65 MailScanner[14512]: Non-delivery of spam: message BEADFC1A94.AF100 from to abc at domain.uk with subject Be maillog:Apr 9 20:14:14 centos65 MailScanner[14512]: Spam Actions: message BEADFC1A94.AF100 actions are store MailScanner - v gives CentOS release 6.5 (Final) [Note this is a virgin at 6.5 install, not 6.x upgrade], Perl version 5.010001 (5.10.1), MailScanner version 4.84.6 I have SELinux enabled but disabling does not appear to make any difference. 20:50:47 Apr 9 20:50:47.345 [16515] dbg: locker: safe_unlock: unlocked /var/spo l/postfix/.spamassassin/bayes.mutex 20:50:47 Apr 9 20:50:47.345 [16515] dbg: learn: initializing learner 20:50:47 Insecure dependency in open while running with -T switch at /usr/lib64/ erl5/IO/File.pm line 185. Failed. Can anyone guide me where to look for a cure to "Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185." or which files would help? Many Thanks Chris From stef at aoc-uk.com Thu Apr 10 10:17:14 2014 From: stef at aoc-uk.com (Stef Morrell) Date: Thu, 10 Apr 2014 09:17:14 +0000 Subject: Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185 In-Reply-To: <41d442fd-1f56-484b-836a-6cef6bd5e743@VONLIPWIG.aoc-uk.com> References: <41d442fd-1f56-484b-836a-6cef6bd5e743@VONLIPWIG.aoc-uk.com> Message-ID: <92665C7597419742B19470DFA3D5BEA209150322@vonLipwig.aoc-uk.com> Hi Chris, On 09 April 2014 21:05 Chris Twinn wrote: > Fresh MailScanner 4.84.6 is failing to do pretty much anything with > messages (except rewrite subject). > > Which then fails with: > 20:14:03 Building a message batch to scan... > 20:14:03 Have a batch of 2 messages. > 20:14:14 Insecure dependency in open while running with -T switch at > /usr/lib64/perl5/IO/File.pm line 185. > Failed. Have you added a -U to the shebang line of the main mailscanner script? That's quite an old problem, see the archives for details. Stef From stef at aoc-uk.com Thu Apr 10 10:22:35 2014 From: stef at aoc-uk.com (Stef Morrell) Date: Thu, 10 Apr 2014 09:22:35 +0000 Subject: Pyzor not working within MS, fine from command line In-Reply-To: References: <92665C7597419742B19470DFA3D5BEA2091414BF@vonLipwig.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209141F13@vonLipwig.aoc-uk.com> <7c6e7668-2ea2-4ad3-860c-b403457e91f6@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA2091423B3@vonLipwig.aoc-uk.com> Message-ID: <92665C7597419742B19470DFA3D5BEA209152332@vonLipwig.aoc-uk.com> Thanks everyone who gave me ideas. It still apparently fails in a debug batch, but I found various instances of PYZOR_CHECK 1.39 and similar in the mail log. So is mysteriously working fine, except when I run a test. Very odd, but I guess I won't complain. From mailscanner at replies.cyways.com Thu Apr 10 15:37:09 2014 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Thu, 10 Apr 2014 10:37:09 -0400 Subject: MCP announcements not forwarded In-Reply-To: <53445271.5090700@replies.cyways.com> References: <53358424.6060904@replies.cyways.com>, <5342C668.9080506@replies.cyways.com> <2EF71902367BF60B.B7F6A2BB-F3E5-4C85-AD86-BCA4DF9B644F@acompli.com> <6EE47AF64C339A4F8F7F50507241B3795EB8195C@BTN-EXCHANGE-V1.fastnet.local> <5342F79A.5000402@replies.cyways.com> <53445271.5090700@replies.cyways.com> Message-ID: <5346AC95.2070702@replies.cyways.com> I've taken the cron script route. Thanks for the help! Peter On 04/08/2014 03:48 PM, Peter Lemieux wrote: > So now I'm trying to think of methods to trigger a notice to the admins > when a message appears in the quarantine. I'll take a shot at a cron > script as a work-around for the time being, but I'd sure like to fix the > problem for good. From chris at twinn.co.uk Thu Apr 10 21:20:26 2014 From: chris at twinn.co.uk (Chris Twinn) Date: Thu, 10 Apr 2014 21:20:26 +0100 Subject: Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185 In-Reply-To: <92665C7597419742B19470DFA3D5BEA209150322@vonLipwig.aoc-uk.com> References: <41d442fd-1f56-484b-836a-6cef6bd5e743@VONLIPWIG.aoc-uk.com> <92665C7597419742B19470DFA3D5BEA209150322@vonLipwig.aoc-uk.com> Message-ID: <5346FD0A.3070301@twinn.co.uk> Thanks Stef, worked a charm. On 10/04/2014 10:17, Stef Morrell wrote: > Hi Chris, > > On 09 April 2014 21:05 Chris Twinn wrote: >> Fresh MailScanner 4.84.6 is failing to do pretty much anything with >> messages (except rewrite subject). >> >> Which then fails with: >> 20:14:03 Building a message batch to scan... >> 20:14:03 Have a batch of 2 messages. >> 20:14:14 Insecure dependency in open while running with -T switch at >> /usr/lib64/perl5/IO/File.pm line 185. >> Failed. > Have you added a -U to the shebang line of the main mailscanner script? > > That's quite an old problem, see the archives for details. > > Stef From stef at aoc-uk.com Fri Apr 11 11:21:04 2014 From: stef at aoc-uk.com (Stef Morrell) Date: Fri, 11 Apr 2014 10:21:04 +0000 Subject: (not)spam.action.rules syntax Message-ID: <92665C7597419742B19470DFA3D5BEA2091558AC@vonLipwig.aoc-uk.com> Is the following valid to forward email from user to both user2 & user3? To: user at blah.com delete forward user2 at blah.com user3 at blah.com Should it be? To: user at blah.com delete forward user2 at blah.com forward user3 at blah.com or can't I do it? From jerry.benton at mailborder.com Fri Apr 11 13:17:13 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Fri, 11 Apr 2014 14:17:13 +0200 Subject: (not)spam.action.rules syntax In-Reply-To: <92665C7597419742B19470DFA3D5BEA2091558AC@vonLipwig.aoc-uk.com> References: <92665C7597419742B19470DFA3D5BEA2091558AC@vonLipwig.aoc-uk.com> Message-ID: I sent the answer to this out over Mailborder's technical advisories, but you unsubscribed! Ok, just kidding. I would suggest using your MTA to do this and not MailScanner. Jerry Benton www.mailborder.com On Fri, Apr 11, 2014 at 12:21 PM, Stef Morrell wrote: > Is the following valid to forward email from user to both user2 & user3? > > To: user at blah.com delete forward user2 at blah.com user3 at blah.com > > Should it be? > > To: user at blah.com delete forward user2 at blah.com forward user3 at blah.com > > or can't I do it? > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140411/02c28677/attachment.html From phil.randal at hoopleltd.co.uk Fri Apr 11 13:44:22 2014 From: phil.randal at hoopleltd.co.uk (Randal, Phil) Date: Fri, 11 Apr 2014 12:44:22 +0000 Subject: (not)spam.action.rules syntax In-Reply-To: References: <92665C7597419742B19470DFA3D5BEA2091558AC@vonLipwig.aoc-uk.com> Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B857E941E82@HC-EXMBX04.herefordshire.gov.uk> That is, alas, the only way. Only one email address allowed. Cheers, Phil -- Phil Randal Infrastructure Engineer Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT Tel: 01432 260415 | Email: phil.randal at hoopleltd.co.uk From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jerry Benton Sent: 11 April 2014 13:17 To: MailScanner discussion Subject: Re: (not)spam.action.rules syntax I sent the answer to this out over Mailborder's technical advisories, but you unsubscribed! Ok, just kidding. I would suggest using your MTA to do this and not MailScanner. Jerry Benton www.mailborder.com On Fri, Apr 11, 2014 at 12:21 PM, Stef Morrell > wrote: Is the following valid to forward email from user to both user2 & user3? To: user at blah.com delete forward user2 at blah.com user3 at blah.com Should it be? To: user at blah.com delete forward user2 at blah.com forward user3 at blah.com or can't I do it? -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- -- Jerry Benton Mailborder Systems www.mailborder.com Hoople Ltd, Registered in England and Wales No. 7556595 Registered office: Plough Lane, Hereford, HR4 0LE "Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it." -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140411/84963abb/attachment.html From stef at aoc-uk.com Fri Apr 11 13:57:07 2014 From: stef at aoc-uk.com (Stef Morrell) Date: Fri, 11 Apr 2014 12:57:07 +0000 Subject: (not)spam.action.rules syntax In-Reply-To: <1b4a130c-a4fa-4850-9526-5ce4ffbc6b1d@VONLIPWIG.aoc-uk.com> References: <92665C7597419742B19470DFA3D5BEA2091558AC@vonLipwig.aoc-uk.com> <1b4a130c-a4fa-4850-9526-5ce4ffbc6b1d@VONLIPWIG.aoc-uk.com> Message-ID: <92665C7597419742B19470DFA3D5BEA209156995@vonLipwig.aoc-uk.com> On 11 April 2014 13:17 Jerry Benton wrote: > I sent the answer to this out over Mailborder's technical advisories, but > you unsubscribed! Ok, just kidding. Well, being as I'm not using Mailborder - but thanks, I did a yum update yesterday ;) > I would suggest using your MTA to do this and not MailScanner. Yeah I've done that now. MS being so flexible, for some reason I tend to get a mental block on the other stages in the email flow. From phil.randal at hoopleltd.co.uk Fri Apr 11 14:39:25 2014 From: phil.randal at hoopleltd.co.uk (Randal, Phil) Date: Fri, 11 Apr 2014 13:39:25 +0000 Subject: (not)spam.action.rules syntax In-Reply-To: <92665C7597419742B19470DFA3D5BEA2091558AC@vonLipwig.aoc-uk.com> References: <92665C7597419742B19470DFA3D5BEA2091558AC@vonLipwig.aoc-uk.com> Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B857E942146@HC-EXMBX04.herefordshire.gov.uk> Looking at the code in Config.pm, To: user at blah.com delete forward user2 at blah.com forward user3 at blah.com might work. Cheers, Phil -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Stef Morrell Sent: 11 April 2014 11:21 To: mailscanner at lists.mailscanner.info Subject: (not)spam.action.rules syntax Is the following valid to forward email from user to both user2 & user3? To: user at blah.com delete forward user2 at blah.com user3 at blah.com Should it be? To: user at blah.com delete forward user2 at blah.com forward user3 at blah.com or can't I do it? -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Hoople Ltd, Registered in England and Wales No. 7556595 Registered office: Plough Lane, Hereford, HR4 0LE "Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it." From dudi at kolcore.com Fri Apr 11 20:50:26 2014 From: dudi at kolcore.com (Dudi Goldenberg) Date: Fri, 11 Apr 2014 19:50:26 +0000 Subject: (not)spam.action.rules syntax In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B857E942146@HC-EXMBX04.herefordshire.gov.uk> References: <92665C7597419742B19470DFA3D5BEA2091558AC@vonLipwig.aoc-uk.com> <7CA580B59C1ABD45B4614ED90D4C7B857E942146@HC-EXMBX04.herefordshire.gov.uk> Message-ID: <4e4124ccf6fd40b38d3fa4a436647d4c@DB4PR05MB333.eurprd05.prod.outlook.com> Easiest way would be to create an alias that targets the 2 users, then use the alias in the rule. D. -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Friday, April 11, 2014 16:39 To: MailScanner discussion Subject: RE: (not)spam.action.rules syntax Looking at the code in Config.pm, To: user at blah.com delete forward user2 at blah.com forward user3 at blah.com might work. Cheers, Phil -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Stef Morrell Sent: 11 April 2014 11:21 To: mailscanner at lists.mailscanner.info Subject: (not)spam.action.rules syntax Is the following valid to forward email from user to both user2 & user3? To: user at blah.com delete forward user2 at blah.com user3 at blah.com Should it be? To: user at blah.com delete forward user2 at blah.com forward user3 at blah.com or can't I do it? -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Hoople Ltd, Registered in England and Wales No. 7556595 Registered office: Plough Lane, Hereford, HR4 0LE "Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it." -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From goetz.reinicke at filmakademie.de Tue Apr 15 13:04:17 2014 From: goetz.reinicke at filmakademie.de (=?ISO-8859-15?Q?G=F6tz_Reinicke_-_IT_Koordinator?=) Date: Tue, 15 Apr 2014 14:04:17 +0200 Subject: Whitelisting an email sender and/or files Message-ID: <534D2041.9090606@filmakademie.de> Hi, we got a new server software, which sends messages for notifications. But it currently attaches some files, which are marked by the spam rules. I tried to whitemask/allow the files (in archives.filename.rules.conf) and the sender address (in spam.whitelist.rules), but both fails. I dont see why. Any help and/or suggestion for solving this is welcome. Thanks and regards . G?tz -- G?tz Reinicke IT-Koordinator Tel. +49 7141 969 82 420 E-Mail goetz.reinicke at filmakademie.de Filmakademie Baden-W?rttemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Eintragung Amtsgericht Stuttgart HRB 205016 Vorsitzender des Aufsichtsrats: J?rgen Walter MdL Staatssekret?r im Ministerium f?r Wissenschaft, Forschung und Kunst Baden-W?rttemberg Gesch?ftsf?hrer: Prof. Thomas Schadt -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5306 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140415/e86537f0/attachment.bin From richard at fastnet.co.uk Tue Apr 15 13:14:25 2014 From: richard at fastnet.co.uk (Richard Mealing) Date: Tue, 15 Apr 2014 12:14:25 +0000 Subject: Still Deliver Silent Viruses Message-ID: <6EE47AF64C339A4F8F7F50507241B3795EB8A557@BTN-EXCHANGE-V1.fastnet.local> Hi everyone, I was wondering if there is an option to "Still Deliver Silent Viruses" as attachments? At the moment the emails come through with a tagged virus header which I configured, but they are not being sent as an attachment like my default "Spam Actions" rule. I created a rule in my ruleset for still deliver silent viruses, with the following - To: default attachment deliver When I run a lint I get an error - Syntax error in line 23 of ruleset file /myrulesets/notify.recipients.of.viruses at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2811 Found syntax errors in /myrulesets /notify.recipients.of.viruses. at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2666 Thanks, Rich -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140415/dd84a94a/attachment.html From mailscanner at replies.cyways.com Tue Apr 15 16:12:38 2014 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Tue, 15 Apr 2014 11:12:38 -0400 Subject: Whitelisting an email sender and/or files In-Reply-To: <534D2041.9090606@filmakademie.de> References: <534D2041.9090606@filmakademie.de> Message-ID: <534D4C66.7000203@replies.cyways.com> How about whitelisting the server's IP, or would that permit too much? I'm running MS between the Internet and an Exchange server. We scan inbound mail for spam but exempt mail sent from Exchange with From: 10.10.10.10 yes in spam.whitelist.rules. Peter On 04/15/2014 08:04 AM, G?tz Reinicke - IT Koordinator wrote: > Hi, > > we got a new server software, which sends messages for notifications. > > But it currently attaches some files, which are marked by the spam rules. > > I tried to whitemask/allow the files (in archives.filename.rules.conf) > and the sender address (in spam.whitelist.rules), but both fails. > > I dont see why. > > Any help and/or suggestion for solving this is welcome. > > Thanks and regards . G?tz > > > From goetz.reinicke at filmakademie.de Tue Apr 22 09:55:46 2014 From: goetz.reinicke at filmakademie.de (=?ISO-8859-1?Q?G=F6tz_Reinicke_-_IT_Koordinator?=) Date: Tue, 22 Apr 2014 10:55:46 +0200 Subject: Whitelisting an email sender and/or files In-Reply-To: <534D4C66.7000203@replies.cyways.com> References: <534D2041.9090606@filmakademie.de> <534D4C66.7000203@replies.cyways.com> Message-ID: <53562E92.9070806@filmakademie.de> Hi, I whitelisted the servers IP, but still get the files send by it marked. MailScanner: Attempt to hide real filename extension (likes.like.png) ... Any idea or suggestion how to allow the file? Regards . G?tz Am 15.04.14 17:12, schrieb Peter Lemieux: > How about whitelisting the server's IP, or would that permit too much? > I'm running MS between the Internet and an Exchange server. We scan > inbound mail for spam but exempt mail sent from Exchange with > > From: 10.10.10.10 yes > > in spam.whitelist.rules. > > Peter > > > On 04/15/2014 08:04 AM, G?tz Reinicke - IT Koordinator wrote: >> Hi, >> >> we got a new server software, which sends messages for notifications. >> >> But it currently attaches some files, which are marked by the spam rules. >> >> I tried to whitemask/allow the files (in archives.filename.rules.conf) >> and the sender address (in spam.whitelist.rules), but both fails. >> >> I dont see why. >> >> Any help and/or suggestion for solving this is welcome. >> >> Thanks and regards . G?tz >> >> >> -- G?tz Reinicke IT-Koordinator Tel. +49 7141 969 82 420 E-Mail goetz.reinicke at filmakademie.de Filmakademie Baden-W?rttemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Eintragung Amtsgericht Stuttgart HRB 205016 Vorsitzender des Aufsichtsrats: J?rgen Walter MdL Staatssekret?r im Ministerium f?r Wissenschaft, Forschung und Kunst Baden-W?rttemberg Gesch?ftsf?hrer: Prof. Thomas Schadt -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5306 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140422/74c84f75/attachment.bin From Antony.Stone at mailscanner.open.source.it Tue Apr 22 10:42:11 2014 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Tue, 22 Apr 2014 10:42:11 +0100 Subject: Whitelisting an email sender and/or files In-Reply-To: <53562E92.9070806@filmakademie.de> References: <534D2041.9090606@filmakademie.de> <534D4C66.7000203@replies.cyways.com> <53562E92.9070806@filmakademie.de> Message-ID: <201404221042.11416.Antony.Stone@mailscanner.open.source.it> On Tuesday 22 April 2014 at 09:55, G?tz Reinicke - IT Koordinator wrote: > Hi, > > I whitelisted the servers IP What configuration parameter did you set to whitelist the IP? > but still get the files send by it marked. > > MailScanner: Attempt to hide real filename extension (likes.like.png) ... > > Any idea or suggestion how to allow the file? Make sure you're setting the rule for "filename extensions" when whitelisting the address. Regards, Antony. -- Normal people think "If it ain't broke, don't fix it". Engineers think "If it ain't broke, it doesn't have enough features yet". Please reply to the list; please don't CC me. From it at festa.bg Tue Apr 22 10:58:25 2014 From: it at festa.bg (Valentin Laskov) Date: Tue, 22 Apr 2014 12:58:25 +0300 Subject: MailScanner marks messages as DOS attact References: <7ea166175a9a76de86d4c5437a00c76a.squirrel@webmail.baladia.gov.kw><532DCDD9.5010700@msapiro.net> Message-ID: <3D0485A4762640AFB89EFEFE8A4AAD65@festa.bg> Hi, There are some timeouts configured in MailScanner.conf which you may increase. You can decrease MailScanner child processes too. Valentin ----- Original Message ----- From: "Chris Stone" To: "MailScanner discussion" Sent: Tuesday, March 25, 2014 8:15 PM Subject: Re: MailScanner marks messages as DOS attact |I had a similar issue on a server build on CentOS 6 and the latest | MailScanner. Never have found specific messages that cause the problem, but | typically 5-6 times a week, I'd get an alert from our Nagios installation | stating that there were zombie processes on the filtering server. I'd go | look and see MailScanner processing, crashing and looping on messages - | after 6 loops through, putting in the quarantine tagged as DoS message. | | So, I tried disabling the Processing Attempts Database by setting: | | Maximum Processing Attempts = 0 | | in MailScanner.conf. I no longer am seeing *any* problem - the crashes have | stopped, the looping has stopped (as expected with disabling), no messages | marked as DoS sources and none quarantined as a result. All appears to be | fine. | | So, it kind of looks like something with the Processing Attempts Database | code - although I do use that on a number of other CentOS 4 and CentOS 5 | servers without issue. | | | Chris | | | | On Sat, Mar 22, 2014 at 11:52 AM, Mark Sapiro wrote: | | > On 03/22/2014 10:12 AM, simon at kmun.gov.kw wrote: | > > | > > after more investigation i realized the following.. | > > | > > many of the users have subscribed to google groups .. | > > now when a email is received from a user who belongs to the same group as | > > our users belong maybe about 15 to 20 messages are marked clean .. | > > subsequent messages are being marked with RED and the details page shows | > > denial of service attack. | > > Also the System becomes very slow as MailScanner consumes the entire CPU | > > and also the outgoin email takes long time to reach the recipent. | > > | > > it remains in the incomming queue for a long time.. maybe 10 to 15 min at | > > times | > | > | > I'm not sure what the underlying issue is in this case, but looking at | > the code I think that the DOS attack is raised when one of your virus | > scanners times out on a message. You might try looking at logs to see if | > you can determine why this happens. | > | > As a workaround, you could establish a "Virus Scanning" ruleset to skip | > virus scanning for these messages. See | > >. | > | > -- | > Mark Sapiro The highway is for gamblers, | > San Francisco Bay Area, California better use your sense - B. Dylan | > -- | > MailScanner mailing list | > mailscanner at lists.mailscanner.info | > http://lists.mailscanner.info/mailman/listinfo/mailscanner | > | > Before posting, read http://wiki.mailscanner.info/posting | > | > Support MailScanner development - buy the book off the website! | > | | | | -- | Chris Stone | AxisInternet, Inc. | www.axint.net | -------------------------------------------------------------------------------- | -- | MailScanner mailing list | mailscanner at lists.mailscanner.info | http://lists.mailscanner.info/mailman/listinfo/mailscanner | | Before posting, read http://wiki.mailscanner.info/posting | | Support MailScanner development - buy the book off the website! | From it at festa.bg Tue Apr 22 11:24:32 2014 From: it at festa.bg (Valentin Laskov) Date: Tue, 22 Apr 2014 13:24:32 +0300 Subject: Centos Postfix no Notice Signature and exe's delivered References: <531F23CF.40804@twinn.co.uk> Message-ID: <8EDD386DA3624D5294702A0A183EE987@festa.bg> Hi Chris, If you want to block exe files check this: 1. Is there file command installed and where ? root at mail:~# which file /usr/bin/file 2. Is file works? root at ns:~# file /home/laskov/tmp/putty.exe /home/laskov/tmp/putty.exe: PE executable for MS Windows (GUI) Intel 80386 32-bit 3. Is there a line in MailScanner.conf File Command = /usr/bin/file 4. What is in %etc-dir%/filetype.rules.conf Cheers Valentin From goetz.reinicke at filmakademie.de Tue Apr 22 12:33:02 2014 From: goetz.reinicke at filmakademie.de (=?UTF-8?B?R8O2dHogUmVpbmlja2UgLSBJVCBLb29yZGluYXRvcg==?=) Date: Tue, 22 Apr 2014 13:33:02 +0200 Subject: Whitelisting an email sender and/or files In-Reply-To: <201404221042.11416.Antony.Stone@mailscanner.open.source.it> References: <534D2041.9090606@filmakademie.de> <534D4C66.7000203@replies.cyways.com> <53562E92.9070806@filmakademie.de> <201404221042.11416.Antony.Stone@mailscanner.open.source.it> Message-ID: <5356536E.1090002@filmakademie.de> Hi, Am 22.04.14 11:42, schrieb Antony Stone: > On Tuesday 22 April 2014 at 09:55, G?tz Reinicke - IT Koordinator wrote: > >> Hi, >> >> I whitelisted the servers IP > > What configuration parameter did you set to whitelist the IP? /etc/MailScanner/rules/spam.whitelist.rules From: 172.17.20.58 yes > >> but still get the files send by it marked. >> >> MailScanner: Attempt to hide real filename extension (likes.like.png) ... >> >> Any idea or suggestion how to allow the file? > > Make sure you're setting the rule for "filename extensions" when whitelisting > the address. hmm .. where/how do I set that? Thanks and regards . G?tz -- G?tz Reinicke IT-Koordinator Tel. +49 7141 969 82 420 E-Mail goetz.reinicke at filmakademie.de Filmakademie Baden-W?rttemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Eintragung Amtsgericht Stuttgart HRB 205016 Vorsitzender des Aufsichtsrats: J?rgen Walter MdL Staatssekret?r im Ministerium f?r Wissenschaft, Forschung und Kunst Baden-W?rttemberg Gesch?ftsf?hrer: Prof. Thomas Schadt -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5306 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140422/1a7977ef/attachment.bin From Antony.Stone at mailscanner.open.source.it Tue Apr 22 13:28:30 2014 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Tue, 22 Apr 2014 13:28:30 +0100 Subject: Whitelisting an email sender and/or files In-Reply-To: <5356536E.1090002@filmakademie.de> References: <534D2041.9090606@filmakademie.de> <201404221042.11416.Antony.Stone@mailscanner.open.source.it> <5356536E.1090002@filmakademie.de> Message-ID: <201404221328.30718.Antony.Stone@mailscanner.open.source.it> On Tuesday 22 April 2014 at 12:33, G?tz Reinicke - IT Koordinator wrote: > Am 22.04.14 11:42, schrieb Antony Stone: > > On Tuesday 22 April 2014 at 09:55, G?tz Reinicke - IT Koordinator wrote: > >> Hi, > >> > >> I whitelisted the servers IP > > > > What configuration parameter did you set to whitelist the IP? > > /etc/MailScanner/rules/spam.whitelist.rules > > From: 172.17.20.58 yes So, that defines what to do if the mail gets identified as spam. Blocked filenames are not the same as spam. > > Make sure you're setting the rule for "filename extensions" when > > whitelisting the address. > > hmm .. where/how do I set that? /etc/MailScanner/rules/filename.rules.conf Regards, Antony. -- You can spend the whole of your life trying to be popular, but at the end of the day the size of the crowd at your funeral will be largely dictated by the weather. - Frank Skinner Please reply to the list; please don't CC me. From goetz.reinicke at filmakademie.de Tue Apr 22 16:00:41 2014 From: goetz.reinicke at filmakademie.de (=?UTF-8?B?R8O2dHogUmVpbmlja2UgLSBJVCBLb29yZGluYXRvcg==?=) Date: Tue, 22 Apr 2014 17:00:41 +0200 Subject: Whitelisting an email sender and/or files In-Reply-To: <201404221328.30718.Antony.Stone@mailscanner.open.source.it> References: <534D2041.9090606@filmakademie.de> <201404221042.11416.Antony.Stone@mailscanner.open.source.it> <5356536E.1090002@filmakademie.de> <201404221328.30718.Antony.Stone@mailscanner.open.source.it> Message-ID: <53568419.4060507@filmakademie.de> Am 22.04.14 14:28, schrieb Antony Stone: > On Tuesday 22 April 2014 at 12:33, G?tz Reinicke - IT Koordinator wrote: > >> Am 22.04.14 11:42, schrieb Antony Stone: >>> On Tuesday 22 April 2014 at 09:55, G?tz Reinicke - IT Koordinator wrote: >>>> Hi, >>>> >>>> I whitelisted the servers IP >>> >>> What configuration parameter did you set to whitelist the IP? >> >> /etc/MailScanner/rules/spam.whitelist.rules >> >> From: 172.17.20.58 yes > > So, that defines what to do if the mail gets identified as spam. > > Blocked filenames are not the same as spam. > >>> Make sure you're setting the rule for "filename extensions" when >>> whitelisting the address. >> >> hmm .. where/how do I set that? > > /etc/MailScanner/rules/filename.rules.conf Thanks, at first I edited the wrong file :-/ ... now I'm in the right one: # f?r Confluence allow \likes.like.png$ - - allow \confluence.mail.templates.view.page.png$ - - But confluence.mail.templates.view.page.png is still catched as hiding real filename. Or is the syntax wrong? dose it has to have the regex \...$ ? Thanks onece moer & regards . G?tz -- G?tz Reinicke IT-Koordinator Tel. +49 7141 969 82 420 E-Mail goetz.reinicke at filmakademie.de Filmakademie Baden-W?rttemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Eintragung Amtsgericht Stuttgart HRB 205016 Vorsitzender des Aufsichtsrats: J?rgen Walter MdL Staatssekret?r im Ministerium f?r Wissenschaft, Forschung und Kunst Baden-W?rttemberg Gesch?ftsf?hrer: Prof. Thomas Schadt -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5306 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140422/74af1ced/attachment.bin From Antony.Stone at mailscanner.open.source.it Tue Apr 22 17:04:53 2014 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Tue, 22 Apr 2014 17:04:53 +0100 Subject: Whitelisting an email sender and/or files In-Reply-To: <53568419.4060507@filmakademie.de> References: <534D2041.9090606@filmakademie.de> <201404221328.30718.Antony.Stone@mailscanner.open.source.it> <53568419.4060507@filmakademie.de> Message-ID: <201404221704.53723.Antony.Stone@mailscanner.open.source.it> On Tuesday 22 April 2014 at 16:00, G?tz Reinicke - IT Koordinator wrote: > # f?r Confluence > allow \likes.like.png$ - - > allow \confluence.mail.templates.view.page.png$ - - > > But confluence.mail.templates.view.page.png is still catched as hiding > real filename. > > Or is the syntax wrong? dose it has to have the regex \...$ ? Do the above rules come before or after something more generic, which would also match the filename? As far as I recall, the rules in this file are processed in order, first match wins, so you'd need to make sure your rules for Confluence come before the rules for generic filenames. Regards, Antony. -- "640 kilobytes (of RAM) should be enough for anybody." - Bill Gates Please reply to the list; please don't CC me. From Denis.Beauchemin at usherbrooke.ca Tue Apr 22 19:08:41 2014 From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin) Date: Tue, 22 Apr 2014 18:08:41 +0000 Subject: Whitelisting an email sender and/or files In-Reply-To: <201404221704.53723.Antony.Stone@mailscanner.open.source.it> References: <534D2041.9090606@filmakademie.de> <201404221328.30718.Antony.Stone@mailscanner.open.source.it> <53568419.4060507@filmakademie.de> <201404221704.53723.Antony.Stone@mailscanner.open.source.it> Message-ID: Don't forget that there are 2 different mechanisms for checking the attachments: the first one checks the name of the attachment and the second one check the contents of the attachment with the "file" command. # Set where to find the attachment filename ruleset. # The structure of this file is explained elsewhere, but it is used to # accept or reject file attachments based on their name, regardless of # whether they are infected or not. # # This can also point to a ruleset, but the ruleset filename must end in # ".rules" so that MailScanner can determine if the filename given is # a ruleset or not! Filename Rules = %etc-dir%/filename.rules.conf # Where the "file" command is installed. # This is used for checking the content type of files, regardless of their # filename. # To disable Filetype checking, set this value to blank. File Command = /usr/bin/file # Set where to find the attachment filetype ruleset. # The structure of this file is explained elsewhere, but it is used to # accept or reject file attachments based on their content as determined # by the "file" command, regardless of whether they are infected or not. # # This can also point to a ruleset, but the ruleset filename must end in # ".rules" so that MailScanner can determine if the filename given is # a ruleset or not! # # To disable this feature, set this to just "Filetype Rules =" or set # the location of the file command to a blank string. Filetype Rules = %etc-dir%/filetype.rules.conf I also found this third mechanism: # Allow any attachment MIME types matching any of the patterns listed here. # If this setting is empty, it is ignored and no matches are made. # This can also be the filename of a ruleset. Allow File MIME Types = # Deny any attachment MIME types matching any of the patterns listed here. # If this setting is empty, it is ignored and no matches are made. # This can also be the filename of a ruleset. Deny File MIME Types = And don't forget the settings for files within archives! Denis -----Message d'origine----- De?: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] De la part de Antony Stone Envoy??: 22 avril 2014 12:13 ??: MailScanner discussion Objet?: Re: Whitelisting an email sender and/or files On Tuesday 22 April 2014 at 16:00, G?tz Reinicke - IT Koordinator wrote: > # f?r Confluence > allow \likes.like.png$ - - > allow \confluence.mail.templates.view.page.png$ - - > > But confluence.mail.templates.view.page.png is still catched as hiding > real filename. > > Or is the syntax wrong? dose it has to have the regex \...$ ? Do the above rules come before or after something more generic, which would also match the filename? As far as I recall, the rules in this file are processed in order, first match wins, so you'd need to make sure your rules for Confluence come before the rules for generic filenames. Regards, Antony. -- "640 kilobytes (of RAM) should be enough for anybody." - Bill Gates Please reply to the list; please don't CC me. -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From goetz.reinicke at filmakademie.de Wed Apr 23 08:21:40 2014 From: goetz.reinicke at filmakademie.de (=?UTF-8?B?R8O2dHogUmVpbmlja2UgLSBJVCBLb29yZGluYXRvcg==?=) Date: Wed, 23 Apr 2014 09:21:40 +0200 Subject: Whitelisting an email sender and/or files In-Reply-To: References: <534D2041.9090606@filmakademie.de> <201404221328.30718.Antony.Stone@mailscanner.open.source.it> <53568419.4060507@filmakademie.de> <201404221704.53723.Antony.Stone@mailscanner.open.source.it> Message-ID: <53576A04.4060209@filmakademie.de> Hi Thanks, I checked, all config files, but still get a warning, which is confusing to me: Confluence sends a message with a lot of pictures/icons: e.g. likes.like.png avatar_5aa2c6294a72d4e8d7c83ec33ae.png page-icon.png confluence.mail.templates.add.comment.png <- is allowed confluence.mail.templates.view.page.png <- is denied and I get the warning message in my filename.rules.conf I have at the top (first rules) with tabs - -. # f?r Confluence allow \likes.like.png$ - - allow \confluence.mail.templates.view.page.png$ - - and a bit later allow \.png$ - - Any more hints? Thanks and Regards . G?tz Am 22.04.14 20:08, schrieb Denis Beauchemin: > Don't forget that there are 2 different mechanisms for checking the attachments: the first one checks the name of the attachment and the second one check the contents of the attachment with the "file" command. <...> > > And don't forget the settings for files within archives! > > Denis -- G?tz Reinicke IT-Koordinator Tel. +49 7141 969 82 420 E-Mail goetz.reinicke at filmakademie.de Filmakademie Baden-W?rttemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Eintragung Amtsgericht Stuttgart HRB 205016 Vorsitzender des Aufsichtsrats: J?rgen Walter MdL Staatssekret?r im Ministerium f?r Wissenschaft, Forschung und Kunst Baden-W?rttemberg Gesch?ftsf?hrer: Prof. Thomas Schadt -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5306 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140423/7e1b9252/attachment.bin From jerry.benton at mailborder.com Wed Apr 23 09:08:12 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 23 Apr 2014 10:08:12 +0200 Subject: Whitelisting an email sender and/or files In-Reply-To: <53576A04.4060209@filmakademie.de> References: <534D2041.9090606@filmakademie.de> <201404221328.30718.Antony.Stone@mailscanner.open.source.it> <53568419.4060507@filmakademie.de> <201404221704.53723.Antony.Stone@mailscanner.open.source.it> <53576A04.4060209@filmakademie.de> Message-ID: Check filenames.rules.conf for the length of file names. It should be 150 by default. On Wed, Apr 23, 2014 at 9:21 AM, G?tz Reinicke - IT Koordinator < goetz.reinicke at filmakademie.de> wrote: > Hi Thanks, > > I checked, all config files, but still get a warning, which is confusing > to me: > > Confluence sends a message with a lot of pictures/icons: > > e.g. > > likes.like.png > avatar_5aa2c6294a72d4e8d7c83ec33ae.png > page-icon.png > > confluence.mail.templates.add.comment.png <- is allowed > > confluence.mail.templates.view.page.png <- is denied and I get the > warning message > > > > in my filename.rules.conf I have at the top (first rules) with tabs - -. > > # f?r Confluence > allow \likes.like.png$ - - > allow \confluence.mail.templates.view.page.png$ - - > > and a bit later > > allow \.png$ - - > > > Any more hints? > > Thanks and Regards . G?tz > > > > > Am 22.04.14 20:08, schrieb Denis Beauchemin: > > Don't forget that there are 2 different mechanisms for checking the > attachments: the first one checks the name of the attachment and the second > one check the contents of the attachment with the "file" command. > <...> > > > > And don't forget the settings for files within archives! > > > > Denis > > > -- > G?tz Reinicke > IT-Koordinator > > Tel. +49 7141 969 82 420 > E-Mail goetz.reinicke at filmakademie.de > > Filmakademie Baden-W?rttemberg GmbH > Akademiehof 10 > 71638 Ludwigsburg > www.filmakademie.de > > Eintragung Amtsgericht Stuttgart HRB 205016 > > Vorsitzender des Aufsichtsrats: J?rgen Walter MdL > Staatssekret?r im Ministerium f?r Wissenschaft, > Forschung und Kunst Baden-W?rttemberg > > Gesch?ftsf?hrer: Prof. Thomas Schadt > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140423/823c68dd/attachment.html From maxsec at gmail.com Wed Apr 23 09:13:37 2014 From: maxsec at gmail.com (Martin Hepworth) Date: Wed, 23 Apr 2014 09:13:37 +0100 Subject: Whitelisting an email sender and/or files In-Reply-To: <53576A04.4060209@filmakademie.de> References: <534D2041.9090606@filmakademie.de> <201404221328.30718.Antony.Stone@mailscanner.open.source.it> <53568419.4060507@filmakademie.de> <201404221704.53723.Antony.Stone@mailscanner.open.source.it> <53576A04.4060209@filmakademie.de> Message-ID: Can you not add the confluence ipaddress to the "do not scan" ruleset? If this is an internal system why are you pushing this through the scanner and not direct to the the email server? Martin On Wednesday, 23 April 2014, G?tz Reinicke - IT Koordinator < goetz.reinicke at filmakademie.de> wrote: > Hi Thanks, > > I checked, all config files, but still get a warning, which is confusing > to me: > > Confluence sends a message with a lot of pictures/icons: > > e.g. > > likes.like.png > avatar_5aa2c6294a72d4e8d7c83ec33ae.png > page-icon.png > > confluence.mail.templates.add.comment.png <- is allowed > > confluence.mail.templates.view.page.png <- is denied and I get the > warning message > > > > in my filename.rules.conf I have at the top (first rules) with tabs - -. > > # f?r Confluence > allow \likes.like.png$ - - > allow \confluence.mail.templates.view.page.png$ - - > > and a bit later > > allow \.png$ - - > > > Any more hints? > > Thanks and Regards . G?tz > > > > > Am 22.04.14 20:08, schrieb Denis Beauchemin: > > Don't forget that there are 2 different mechanisms for checking the > attachments: the first one checks the name of the attachment and the second > one check the contents of the attachment with the "file" command. > <...> > > > > And don't forget the settings for files within archives! > > > > Denis > > > -- > G?tz Reinicke > IT-Koordinator > > Tel. +49 7141 969 82 420 > E-Mail goetz.reinicke at filmakademie.de > > Filmakademie Baden-W?rttemberg GmbH > Akademiehof 10 > 71638 Ludwigsburg > www.filmakademie.de > > Eintragung Amtsgericht Stuttgart HRB 205016 > > Vorsitzender des Aufsichtsrats: J?rgen Walter MdL > Staatssekret?r im Ministerium f?r Wissenschaft, > Forschung und Kunst Baden-W?rttemberg > > Gesch?ftsf?hrer: Prof. Thomas Schadt > > -- -- Martin Hepworth, CISSP Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140423/036be698/attachment.html From goetz.reinicke at filmakademie.de Wed Apr 23 09:31:19 2014 From: goetz.reinicke at filmakademie.de (=?ISO-8859-1?Q?G=F6tz_Reinicke_-_IT_Koordinator?=) Date: Wed, 23 Apr 2014 10:31:19 +0200 Subject: Whitelisting an email sender and/or files In-Reply-To: References: <534D2041.9090606@filmakademie.de> <201404221328.30718.Antony.Stone@mailscanner.open.source.it> <53568419.4060507@filmakademie.de> <201404221704.53723.Antony.Stone@mailscanner.open.source.it> <53576A04.4060209@filmakademie.de> Message-ID: <53577A57.3070101@filmakademie.de> Hi, its still the 150 default value. /G?tz Am 23.04.14 10:08, schrieb Jerry Benton: > Check filenames.rules.conf for the length of file names. It should be > 150 by default. > > > On Wed, Apr 23, 2014 at 9:21 AM, G?tz Reinicke - IT Koordinator > > > wrote: > > Hi Thanks, > > I checked, all config files, but still get a warning, which is confusing > to me: > > Confluence sends a message with a lot of pictures/icons: > > e.g. > > likes.like.png > avatar_5aa2c6294a72d4e8d7c83ec33ae.png > page-icon.png > > confluence.mail.templates.add.comment.png <- is allowed > > confluence.mail.templates.view.page.png <- is denied and I > get the > warning message > > > > in my filename.rules.conf I have at the top (first rules) with tabs - -. > > # f?r Confluence > allow \likes.like.png$ - - > allow \confluence.mail.templates.view.page.png$ - - > > and a bit later > > allow \.png$ - - > > > Any more hints? > > Thanks and Regards . G?tz <..> -- G?tz Reinicke IT-Koordinator Tel. +49 7141 969 82 420 E-Mail goetz.reinicke at filmakademie.de Filmakademie Baden-W?rttemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Eintragung Amtsgericht Stuttgart HRB 205016 Vorsitzender des Aufsichtsrats: J?rgen Walter MdL Staatssekret?r im Ministerium f?r Wissenschaft, Forschung und Kunst Baden-W?rttemberg Gesch?ftsf?hrer: Prof. Thomas Schadt -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5306 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140423/e9cf52fc/attachment.bin From goetz.reinicke at filmakademie.de Wed Apr 23 09:39:24 2014 From: goetz.reinicke at filmakademie.de (=?ISO-8859-1?Q?G=F6tz_Reinicke_-_IT_Koordinator?=) Date: Wed, 23 Apr 2014 10:39:24 +0200 Subject: Whitelisting an email sender and/or files In-Reply-To: References: <534D2041.9090606@filmakademie.de> <201404221328.30718.Antony.Stone@mailscanner.open.source.it> <53568419.4060507@filmakademie.de> <201404221704.53723.Antony.Stone@mailscanner.open.source.it> <53576A04.4060209@filmakademie.de> Message-ID: <53577C3C.7020203@filmakademie.de> Hi, yes, I could whitelist the whole server; it is in rules/spam.whitelist.rules already, but the rule dose not catche ... From: 172.17.20.58 yes Is that the same as your "do not scan" ruleset ? Or wher is that? /G?tz Am 23.04.14 10:13, schrieb Martin Hepworth: > Can you not add the confluence ipaddress to the "do not scan" ruleset? > > If this is an internal system why are you pushing this through the > scanner and not direct to the the email server? > > Martin > > On Wednesday, 23 April 2014, G?tz Reinicke - IT Koordinator > > > wrote: > > Hi Thanks, > > I checked, all config files, but still get a warning, which is confusing > to me: > > Confluence sends a message with a lot of pictures/icons: > > e.g. > > likes.like.png > avatar_5aa2c6294a72d4e8d7c83ec33ae.png > page-icon.png > > confluence.mail.templates.add.comment.png <- is allowed > > confluence.mail.templates.view.page.png <- is denied and I > get the > warning message > > > > in my filename.rules.conf I have at the top (first rules) with tabs - -. > > # f?r Confluence > allow \likes.like.png$ - - > allow \confluence.mail.templates.view.page.png$ - - > > and a bit later > > allow \.png$ - - > > > Any more hints? > > Thanks and Regards . G?tz > > > > > Am 22.04.14 20:08, schrieb Denis Beauchemin: > > Don't forget that there are 2 different mechanisms for checking > the attachments: the first one checks the name of the attachment and > the second one check the contents of the attachment with the "file" > command. > <...> > > > > And don't forget the settings for files within archives! > > > > Denis > a > > -- > G?tz Reinicke > IT-Koordinator > > Tel. +49 7141 969 82 420 > E-Mail goetz.reinicke at filmakademie.de > > Filmakademie Baden-W?rttemberg GmbH > Akademiehof 10 > 71638 Ludwigsburg > www.filmakademie.de > > Eintragung Amtsgericht Stuttgart HRB 205016 > > Vorsitzender des Aufsichtsrats: J?rgen Walter MdL > Staatssekret?r im Ministerium f?r Wissenschaft, > Forschung und Kunst Baden-W?rttemberg > > Gesch?ftsf?hrer: Prof. Thomas Schadt > > > > -- > -- > Martin Hepworth, CISSP > Oxford, UK > > -- G?tz Reinicke IT-Koordinator Tel. +49 7141 969 82 420 E-Mail goetz.reinicke at filmakademie.de Filmakademie Baden-W?rttemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Eintragung Amtsgericht Stuttgart HRB 205016 Vorsitzender des Aufsichtsrats: J?rgen Walter MdL Staatssekret?r im Ministerium f?r Wissenschaft, Forschung und Kunst Baden-W?rttemberg Gesch?ftsf?hrer: Prof. Thomas Schadt -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5306 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140423/9c029b96/attachment.bin From maxsec at gmail.com Wed Apr 23 15:25:45 2014 From: maxsec at gmail.com (Martin Hepworth) Date: Wed, 23 Apr 2014 15:25:45 +0100 Subject: Whitelisting an email sender and/or files In-Reply-To: <53577C3C.7020203@filmakademie.de> References: <534D2041.9090606@filmakademie.de> <201404221328.30718.Antony.Stone@mailscanner.open.source.it> <53568419.4060507@filmakademie.de> <201404221704.53723.Antony.Stone@mailscanner.open.source.it> <53576A04.4060209@filmakademie.de> <53577C3C.7020203@filmakademie.de> Message-ID: Gotz this setting... http://www.mailscanner.info/MailScanner.conf.index.html#Scan%20Messages big on/off switch basically -- Martin Hepworth, CISSP Oxford, UK On 23 April 2014 09:39, G?tz Reinicke - IT Koordinator < goetz.reinicke at filmakademie.de> wrote: > Hi, > > yes, I could whitelist the whole server; it is in > rules/spam.whitelist.rules already, but the rule dose not catche ... > > From: 172.17.20.58 yes > > > Is that the same as your "do not scan" ruleset ? > Or wher is that? > > /G?tz > > Am 23.04.14 10:13, schrieb Martin Hepworth: > > Can you not add the confluence ipaddress to the "do not scan" ruleset? > > > > If this is an internal system why are you pushing this through the > > scanner and not direct to the the email server? > > > > Martin > > > > On Wednesday, 23 April 2014, G?tz Reinicke - IT Koordinator > > > > > wrote: > > > > Hi Thanks, > > > > I checked, all config files, but still get a warning, which is > confusing > > to me: > > > > Confluence sends a message with a lot of pictures/icons: > > > > e.g. > > > > likes.like.png > > avatar_5aa2c6294a72d4e8d7c83ec33ae.png > > page-icon.png > > > > confluence.mail.templates.add.comment.png <- is allowed > > > > confluence.mail.templates.view.page.png <- is denied and I > > get the > > warning message > > > > > > > > in my filename.rules.conf I have at the top (first rules) with tabs > - -. > > > > # f?r Confluence > > allow \likes.like.png$ - - > > allow \confluence.mail.templates.view.page.png$ - - > > > > and a bit later > > > > allow \.png$ - - > > > > > > Any more hints? > > > > Thanks and Regards . G?tz > > > > > > > > > > Am 22.04.14 20:08, schrieb Denis Beauchemin: > > > Don't forget that there are 2 different mechanisms for checking > > the attachments: the first one checks the name of the attachment and > > the second one check the contents of the attachment with the "file" > > command. > > <...> > > > > > > And don't forget the settings for files within archives! > > > > > > Denis > > a > > > > -- > > G?tz Reinicke > > IT-Koordinator > > > > Tel. +49 7141 969 82 420 > > E-Mail goetz.reinicke at filmakademie.de > > > > Filmakademie Baden-W?rttemberg GmbH > > Akademiehof 10 > > 71638 Ludwigsburg > > www.filmakademie.de > > > > Eintragung Amtsgericht Stuttgart HRB 205016 > > > > Vorsitzender des Aufsichtsrats: J?rgen Walter MdL > > Staatssekret?r im Ministerium f?r Wissenschaft, > > Forschung und Kunst Baden-W?rttemberg > > > > Gesch?ftsf?hrer: Prof. Thomas Schadt > > > > > > > > -- > > -- > > Martin Hepworth, CISSP > > Oxford, UK > > > > > > > -- > G?tz Reinicke > IT-Koordinator > > Tel. +49 7141 969 82 420 > E-Mail goetz.reinicke at filmakademie.de > > Filmakademie Baden-W?rttemberg GmbH > Akademiehof 10 > 71638 Ludwigsburg > www.filmakademie.de > > Eintragung Amtsgericht Stuttgart HRB 205016 > > Vorsitzender des Aufsichtsrats: J?rgen Walter MdL > Staatssekret?r im Ministerium f?r Wissenschaft, > Forschung und Kunst Baden-W?rttemberg > > Gesch?ftsf?hrer: Prof. Thomas Schadt > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140423/3e42ed34/attachment.html From ravennaita at gmail.com Mon Apr 28 15:56:25 2014 From: ravennaita at gmail.com (Ravenna Ita) Date: Mon, 28 Apr 2014 21:56:25 +0700 Subject: Rewritte Sender Address Message-ID: Hello forum members, is it possible to re-writte sender email address using mailscanner? i can do it in postfix (using sender canonical maps), but this is not what i am looking for. (because postfix re-writte the sender address before message is processed in mailscanner, where i was looking the opposite) appreciate suggestion/help rgds -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140428/503098e7/attachment.html From ravennaita at gmail.com Mon Apr 28 17:52:09 2014 From: ravennaita at gmail.com (Ravenna Ita) Date: Mon, 28 Apr 2014 23:52:09 +0700 Subject: [solved]: Rewritte Sender Address Message-ID: On Mon, Apr 28, 2014 at 9:56 PM, Ravenna Ita wrote: > Hello forum members, > > is it possible to re-writte sender email address using mailscanner? > > i can do it in postfix (using sender canonical maps), but this is not what > i am looking for. (because postfix re-writte the sender address before > message is processed in mailscanner, where i was looking the opposite) > > appreciate suggestion/help > > rgds > sorry for this dumb question, i didn't do my homework. i manage to get what i want using postfix (smtp_generic_maps = hash:/etc/postfix/generic). -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140428/8402f893/attachment.html From Kevin_Miller at ci.juneau.ak.us Mon Apr 28 19:21:35 2014 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon, 28 Apr 2014 10:21:35 -0800 Subject: Bayes scores Message-ID: I was reviewing my configs and noticed this in spam.assassin.prefs.conf: # Bump up SpamAssassin scores on the high and low end # score BAYES_00 -15.0 # score BAYES_05 -5.0 score BAYES_50 2.5 score BAYES_60 2.75 score BAYES_70 3.0 score BAYES_80 4.0 score BAYES_90 4.5 score BAYES_95 4.75 score BAYES_99 6.0 Given that spamassassin is constantly being tuned and updated, is is prudent to leave those uncommented or would one be better served by going with the spamassassin defaults? I'm sure Julian had a good reason to tweak them some years back, but given the ever shifting spam landscape I'm not sure if it's as applicable as it once was... ?...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 From Michael.Bradley at bakerbotts.com Mon Apr 28 19:33:06 2014 From: Michael.Bradley at bakerbotts.com (Michael.Bradley at bakerbotts.com) Date: Mon, 28 Apr 2014 18:33:06 +0000 Subject: Bayes scores In-Reply-To: References: Message-ID: <2878571D934E074B8C23482DECE586B7C8F21367@BBEXMBXN02.bakerbotts.net> +1 Great question and I've been wondering the same. MB -----Original Message----- From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin Miller Sent: Monday, April 28, 2014 1:22 PM To: MailScanner List (mailscanner at lists.mailscanner.info) Subject: Bayes scores I was reviewing my configs and noticed this in spam.assassin.prefs.conf: # Bump up SpamAssassin scores on the high and low end # score BAYES_00 -15.0 # score BAYES_05 -5.0 score BAYES_50 2.5 score BAYES_60 2.75 score BAYES_70 3.0 score BAYES_80 4.0 score BAYES_90 4.5 score BAYES_95 4.75 score BAYES_99 6.0 Given that spamassassin is constantly being tuned and updated, is is prudent to leave those uncommented or would one be better served by going with the spamassassin defaults? I'm sure Julian had a good reason to tweak them some years back, but given the ever shifting spam landscape I'm not sure if it's as applicable as it once was... ?...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Confidentiality Notice: The information contained in this email and any attachments is intended only for the recipient[s] listed above and may be privileged and confidential. Any dissemination, copying, or use of or reliance upon such information by or to anyone other than the recipient[s] listed above is prohibited. If you have received this message in error, please notify the sender immediately at the email address above and destroy any and all copies of this message. From jerry.benton at mailborder.com Mon Apr 28 21:45:03 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Mon, 28 Apr 2014 22:45:03 +0200 Subject: Bayes scores In-Reply-To: <2878571D934E074B8C23482DECE586B7C8F21367@BBEXMBXN02.bakerbotts.net> References: <2878571D934E074B8C23482DECE586B7C8F21367@BBEXMBXN02.bakerbotts.net> Message-ID: Those are commented out by default in the prefs file. You should only define them to override spamassassin defaults. See http://spamassassin.apache.org/tests_3_0_x.html Jerry Benton www.mailborder.com On Mon, Apr 28, 2014 at 8:33 PM, wrote: > +1 > > Great question and I've been wondering the same. > > MB > > -----Original Message----- > From: mailscanner-bounces at lists.mailscanner.info [mailto: > mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin Miller > Sent: Monday, April 28, 2014 1:22 PM > To: MailScanner List (mailscanner at lists.mailscanner.info) > Subject: Bayes scores > > I was reviewing my configs and noticed this in spam.assassin.prefs.conf: > > # Bump up SpamAssassin scores on the high and low end # score BAYES_00 > -15.0 # score BAYES_05 -5.0 score BAYES_50 2.5 score BAYES_60 2.75 score > BAYES_70 3.0 score BAYES_80 4.0 score BAYES_90 4.5 score BAYES_95 4.75 > score BAYES_99 6.0 > > Given that spamassassin is constantly being tuned and updated, is is > prudent to leave those uncommented or would one be better served by going > with the spamassassin defaults? I'm sure Julian had a good reason to tweak > them some years back, but given the ever shifting spam landscape I'm not > sure if it's as applicable as it once was... > > ...Kevin > -- > Kevin Miller > Network/email Administrator, CBJ MIS Dept. > 155 South Seward Street > Juneau, Alaska 99801 > Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Confidentiality Notice: The information contained in this email and any > attachments is intended only for the recipient[s] listed above and may be > privileged and confidential. Any dissemination, copying, or use of or > reliance upon such information by or to anyone other than the recipient[s] > listed above is prohibited. If you have received this message in error, > please notify the sender immediately at the email address above and destroy > any and all copies of this message. > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140428/4b169969/attachment.html From alvaro at hostalia.com Wed Apr 30 09:40:28 2014 From: alvaro at hostalia.com (=?ISO-8859-15?Q?Alvaro_Mar=EDn?=) Date: Wed, 30 Apr 2014 10:40:28 +0200 Subject: Postfix long queue IDs Message-ID: <5360B6FC.6000403@hostalia.com> Hi, I've found this thread: http://lists.mailscanner.info/pipermail/mailscanner/2013-March/100441.html about the long queue IDs in Postfix (>2.9). Is there any solution to this problem (MailScanner doesn't recognize the long Postfix queue IDs)? I've tried that solution but it doesn't work for me. Thanks! Regards, -- Alvaro Mar?n Illera Hostalia Internet www.hostalia.com From maillists at conactive.com Wed Apr 30 10:37:18 2014 From: maillists at conactive.com (Kai Schaetzl) Date: Wed, 30 Apr 2014 11:37:18 +0200 Subject: Bayes scores In-Reply-To: References: Message-ID: I would certainly *not* change the defaults of the middle Bayes values as given by SA, especially not Bayes_50. Only the values at both ends of the scale. Moderately. (e.g. I set _99 to 5. That's good enough. If you have other rules that constantly "tune down" the Bayes ruling too much for getting caught as spam then you should look at the other rules and why they do it and fix them (e.g. set to 0) as they don't seem to work very well in your environment (or in general). The FP risk is much too high for tuning middle values. And if Bayes runs smoothly you get > 90 for spam. Note, that latest SA introduced a new _999 that *adds* to the _99 score. (At least I think it does, there was some discussion about this on the SA list and I'm not sure about the final outcome.) It adds that little "extra" that you may need to overcome the down-ruling mentioned above. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From mailscanner at joolee.nl Wed Apr 30 10:56:03 2014 From: mailscanner at joolee.nl (Joolee) Date: Wed, 30 Apr 2014 11:56:03 +0200 Subject: Postfix long queue IDs In-Reply-To: <5360B6FC.6000403@hostalia.com> References: <5360B6FC.6000403@hostalia.com> Message-ID: Not the correct answer but you can disable long queue id's in postfix: http://www.postfix.org/postconf.5.html#enable_long_queue_ids On 30 April 2014 10:40, Alvaro Mar?n wrote: > Hi, > > I've found this thread: > > http://lists.mailscanner.info/pipermail/mailscanner/2013-March/100441.html > > about the long queue IDs in Postfix (>2.9). > Is there any solution to this problem (MailScanner doesn't recognize the > long Postfix queue IDs)? I've tried that solution but it doesn't work > for me. > > Thanks! > Regards, > > -- > Alvaro Mar?n Illera > Hostalia Internet > www.hostalia.com > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140430/d032aace/attachment.html From jerry.benton at mailborder.com Wed Apr 30 11:05:11 2014 From: jerry.benton at mailborder.com (Jerry Benton) Date: Wed, 30 Apr 2014 12:05:11 +0200 Subject: Postfix long queue IDs In-Reply-To: <5360B6FC.6000403@hostalia.com> References: <5360B6FC.6000403@hostalia.com> Message-ID: Are you running long queue ID's? If so, try disabling that in Postfix until we can get the source updated to handle the long format. http://www.postfix.org/postconf.5.html#enable_long_queue_ids On Wed, Apr 30, 2014 at 10:40 AM, Alvaro Mar?n wrote: > Hi, > > I've found this thread: > > http://lists.mailscanner.info/pipermail/mailscanner/2013-March/100441.html > > about the long queue IDs in Postfix (>2.9). > Is there any solution to this problem (MailScanner doesn't recognize the > long Postfix queue IDs)? I've tried that solution but it doesn't work > for me. > > Thanks! > Regards, > > -- > Alvaro Mar?n Illera > Hostalia Internet > www.hostalia.com > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Jerry Benton Mailborder Systems www.mailborder.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140430/5d7b7aa4/attachment.html From alvaro at hostalia.com Wed Apr 30 11:46:31 2014 From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=) Date: Wed, 30 Apr 2014 12:46:31 +0200 Subject: Postfix long queue IDs In-Reply-To: References: <5360B6FC.6000403@hostalia.com> Message-ID: <5360D487.9040609@hostalia.com> Yes, I know that it can be disabled, but I would prefer to use it (sometimes, Postfix IDs are repeated). Perhaps someone has a patch to can use it, if not, I'll try to do it. Thanks. Regards, On 30/04/14 12:05, Jerry Benton wrote: > Are you running long queue ID's? If so, try disabling that in Postfix > until we can get the source updated to handle the long format. > > http://www.postfix.org/postconf.5.html#enable_long_queue_ids > > > On Wed, Apr 30, 2014 at 10:40 AM, Alvaro Mar?n > wrote: > > Hi, > > I've found this thread: > > http://lists.mailscanner.info/pipermail/mailscanner/2013-March/100441.html > > about the long queue IDs in Postfix (>2.9). > Is there any solution to this problem (MailScanner doesn't recognize the > long Postfix queue IDs)? I've tried that solution but it doesn't work > for me. > > Thanks! > Regards, > > -- > Alvaro Mar?n Illera > Hostalia Internet > www.hostalia.com > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > > -- > Jerry Benton > Mailborder Systems > www.mailborder.com > > -- Alvaro Mar?n Illera Hostalia Internet www.hostalia.com