Difference in MailScanner behaviour between Ubuntu 10.04 LTS and 12.04 LTS

Mon Jun 16 00:17:58 IST 2014

I'm running tests for upgrading a system to a newer version of Ubuntu 
LTS, and during my tests I found a difference in behaviour between the 
MailScanner I have on 10.04 LTS and the one that's on 12.04 LTS.

The 12.04 LTS system is an upgraded install of a copy of the 10.04 LTS 
install. MailScanner version is: 4.84.5 from the apt.baruwa.org 
repository, both before and after the upgrade.

The MailScanner configuration between the two systems is completely 
identical. MailScanner --debug --lint shows no issues.

I've found two seperate issues:

Issue #1: The install on 10.04 doesn't send blocked filename 
notifications but the install on 12.04 does.

Deny Filenames list is configured as:
Deny Filenames = \.com$ \.exe$ \.msi$ \.pif$ \.bat$ \.cpl$ \.vbs$ \.vb$ 
\.scr$ \.dll$ \.reg$

And:
Notify Senders Of Blocked Filenames Or Filetypes = yes

On 10.04, when sending an eicar test file, the mail is considered to 
contain a virus and therefor deleted. No notification mail is sent, 
although the configuration would suggest it should. The logs say this:

New Batch: Scanning 1 messages, 1965 bytes
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./DECEF36C443.ACC6F/
Virus Scanning: Clamd found 1 infections
Infected message DECEF36C443.ACC6F came from 195.241.145.230
Virus Scanning: Found 1 viruses
Virus Scanning completed at 10980 bytes per second
Saved entire message to 
/var/spool/MailScanner/quarantine/20140616/DECEF36C443.ACC6F
Spam Checks: Starting
Message DECEF36C443.ACC6F from 195.241.145.230 (victim at testdomain.ext) 
to testdomain.ext is not spam, SpamAssassin (not cached, score=-3.228, 
required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL -0.33, BAYES_00 
-1.90)
Spam Checks completed at 271 bytes per second
Cleaned: Delivered 1 cleaned messages
Deleted 1 messages from processing-database
Batch completed at 264 bytes per second (1965 / 7)
Batch (1 message) processed in 7.42 seconds

After upgrading to 12.04, the difference in behaviour is that 
MailScanner now suddenly DOES sends a notification message to notify of 
a deleted attachment. The log now has this:

New Batch: Scanning 1 messages, 1841 bytes
Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./7CE27442AE.AFD34/
Virus Scanning: Clamd found 1 infections
Infected message 7CE27442AE.AFD34 came from 10.0.3.2
Virus Scanning: Found 1 viruses
Virus Scanning completed at 2784 bytes per second
Saved entire message to 
/var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
Saved infected "eicar.com" to 
/var/spool/MailScanner/quarantine/20140616/7CE27442AE.AFD34
Spam Checks: Starting
Expired 1 records from the SpamAssassin cache
Message 7CE27442AE.AFD34 from 10.0.3.2 (victim at testdomain.ext) to 
testdomain.ext is not spam, SpamAssassin (not cached, score=-0.879, 
required 3, autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.12)
Spam Checks completed at 209 bytes per second
Requeue: 7CE27442AE.AFD34 to 0BD61442B7
Cleaned: Delivered 1 cleaned messages
Virus Processing completed at 3872 bytes per second
Deleted 1 messages from processing-database
Batch completed at 185 bytes per second (1841 / 9)
Batch (1 message) processed in 9.92 seconds

Notice the "Filename Checks: Blocked Filename Detected (7CE27442AE.AFD34 
eicar.com)". This notice wasn't there on 10.04 LTS.

Question: does anyone know what the cause of this difference in 
behaviour is, as the MailScanner version and configuration are the same?

Issue #2:
So, notifications are sent on 12.04, but:
The option called "Notify Senders Of Blocked Filenames Or Filetypes" 
doesn't send a notification to the sender. It sends the notification to 
the _receiver_ of the message.

Questions: Is this expected behaviour and should all those options 
actually be called 'Notify Recipient *' or am I missing something here ;-)

Thanks,
- Martijn