Messages being disarmed

Jason Waters jason at geeknocity.com
Tue Dec 20 13:10:04 UTC 2016


Well, I thought it was fixed because I didn't get any for a while, but they
seem to be back.  That is what I don't get.  Why it works and then just
stops!  I also have some issues where it stops logging to SQL.  It still does
all the checks and it says it logs to SQL, but it doesn't.  I reboot and
then it starts again.  So here is some more information:

cat /var/log/mail.log |grep "died, status = 13" -B5 -A5

Dec 20 07:03:22 mailscanner MailScanner[12173]: Virus and Content Scanning: Starting
Dec 20 07:03:25 mailscanner postfix/smtpd[14291]: disconnect from ccm183.constantcontact.com[208.75.123.183] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec 20 07:03:28 mailscanner MailScanner[12173]: <A> tag found in message D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
Dec 20 07:03:28 mailscanner MailScanner[12173]: HTML Img tag found in message D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
Dec 20 07:03:44 mailscanner postfix/smtpd[14291]: connect from unknown[78.142.18.89]
Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:03:52 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
Dec 20 07:03:53 mailscanner MailScanner[12173]: Requeue: D45B4E0B1B.A2260 to 14619E0B20
Dec 20 07:03:53 mailscanner postfix/qmgr[1736]: 14619E0B20: from=<aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com>, size=19291, nrcpt=1 (queue active)
Dec 20 07:03:53 mailscanner MailScanner[12173]: Uninfected: Delivered 1 messages
Dec 20 07:03:53 mailscanner MailScanner[12173]: Deleted 1 messages from processing-database
--
Dec 20 07:16:22 mailscanner MailScanner[13973]: Deleted 1 messages from processing-database
Dec 20 07:16:22 mailscanner MailScanner[13973]: Logging message 2EDE1E0B20.ACEF5 to SQL
Dec 20 07:16:22 mailscanner MailScanner[13973]: New Batch: Found 2 messages waiting
Dec 20 07:16:22 mailscanner MailScanner[13973]: New Batch: Scanning 1 messages, 707697 bytes
Dec 20 07:16:23 mailscanner MailScanner[13973]: Virus and Content Scanning: Starting
Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:16:26 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D0DA1E0B21.A9AD3 from bo-b3aygrcbg7011zaut10bdcrjmm73vh at b.e.delta.com
Dec 20 07:16:27 mailscanner MailScanner[12173]: Requeue: D0DA1E0B21.A9AD3 to B6E49E0B20
Dec 20 07:16:27 mailscanner postfix/qmgr[1736]: B6E49E0B20: from=<bo-b3aygrcbg7011zaut10bdcrjmm73vh at b.e.delta.com>, size=52671, nrcpt=1 (queue active)
Dec 20 07:16:27 mailscanner MailScanner[12173]: Uninfected: Delivered 1 messages
Dec 20 07:16:27 mailscanner MailScanner[12173]: Deleted 1 messages from processing-database

I thought I had everything set up to run as postfix.

root at mailscanner:/etc/MailScanner# grep "= postfix" MailScanner.conf
#Run As User = postfix
Run As User = postfix
#Run As Group = postfix
Run As Group = postfix
MTA = postfix
Incoming Work User = postfix
Incoming Work Group = postfix
Quarantine User = postfix
Quarantine Group = postfix

Here is the entry for postfix in /etc/group
postfix:x:117:clamav,www-data,mail


Spool Permissions
root at mailscanner:/var/spool/MailScanner# ls -l *
-rw-------  1 postfix postfix   23 Nov 15 13:14 servers

archive:
total 0

incoming:
total 576
drwxrwx--- 2 postfix postfix   4096 Dec 13 14:49 11490
drwxrwx--- 2 postfix postfix   4096 Dec 20 07:43 12173
drwxrwx--- 2 postfix postfix   4096 Dec 18 01:10 15039
drwxrwx--- 2 postfix postfix   4096 Dec 20 08:08 1934
drwxrwx--- 2 postfix postfix   4096 Dec 20 08:08 1972
drwxrwx--- 2 postfix postfix   4096 Dec 20 08:05 2006
drwxrwx--- 2 postfix postfix   4096 Dec 20 08:02 2042
drwxrwx--- 2 postfix postfix   4096 Dec 20 08:03 2096
drwxrwx--- 2 postfix postfix   4096 Dec 14 11:24 21119
drwxrwx--- 2 postfix postfix   4096 Dec  9 07:18 25816
drwxrwx--- 2 postfix postfix   4096 Dec 12 01:31 26221
drwxrwx--- 2 postfix postfix   4096 Dec 19 11:03 2718
drwxrwx--- 3 postfix postfix   4096 Dec  8 11:14 27928
drwxrwx--- 2 postfix postfix   4096 Dec 19 16:01 5050
drwxrwx--- 2 postfix postfix   4096 Dec  7 09:08 5209
drwxr-xr-x 2 postfix postfix   4096 Dec 20 07:45 Locks
-rw-rw---- 1 postfix postfix  11264 Dec 20 08:08 Processing.db
-rw-rw---- 1 postfix postfix 502784 Dec 20 08:08 SpamAssassin.cache.db
drwxr-xr-x 2 postfix postfix   4096 Dec 20 08:08 SpamAssassin-Temp

quarantine:
total 128
drwxrwx---  4 postfix postfix 4096 Nov 19 00:05 20161119
drwxrwx---  4 postfix postfix 4096 Nov 20 00:35 20161120
drwxrwx---  6 postfix postfix 4096 Nov 21 17:20 20161121
drwxrwx---  9 postfix postfix 4096 Nov 22 17:48 20161122
drwxrwx---  5 postfix postfix 4096 Nov 23 08:21 20161123
drwxrwx---  5 postfix postfix 4096 Nov 24 08:12 20161124
drwxrwx---  6 postfix postfix 4096 Nov 25 00:55 20161125
drwxrwx---  4 postfix postfix 4096 Nov 26 01:00 20161126
drwxrwx---  4 postfix postfix 4096 Nov 27 01:38 20161127
drwxrwx---  4 postfix postfix 4096 Nov 28 00:01 20161128
drwxrwx---  7 postfix postfix 4096 Nov 29 09:41 20161129
drwxrwx---  7 postfix postfix 4096 Nov 30 22:28 20161130
drwxrwx---  6 postfix postfix 4096 Dec  1 20:15 20161201
drwxrwx---  9 postfix postfix 4096 Dec  2 10:15 20161202
drwxrwx---  4 postfix postfix 4096 Dec  3 01:33 20161203
drwxrwx---  4 postfix postfix 4096 Dec  4 01:05 20161204
drwxrwx---  6 postfix postfix 4096 Dec  5 21:56 20161205
drwxrwx---  8 postfix postfix 4096 Dec  6 22:40 20161206
drwxrwx---  5 postfix postfix 4096 Dec  7 19:16 20161207
drwxrwx--- 59 postfix postfix 4096 Dec  8 13:51 20161208
drwxrwx--- 14 postfix postfix 4096 Dec  9 19:05 20161209
drwxrwx---  5 postfix postfix 4096 Dec 10 07:18 20161210
drwxrwx---  6 postfix postfix 4096 Dec 11 13:35 20161211
drwxrwx---  9 postfix postfix 4096 Dec 12 20:51 20161212
drwxrwx---  7 postfix postfix 4096 Dec 13 15:11 20161213
drwxrwx--- 11 postfix postfix 4096 Dec 14 22:08 20161214
drwxrwx---  7 postfix postfix 4096 Dec 15 15:40 20161215
drwxrwx--- 10 postfix postfix 4096 Dec 16 16:11 20161216
drwxrwx---  6 postfix postfix 4096 Dec 17 15:11 20161217
drwxrwx---  7 postfix postfix 4096 Dec 18 15:10 20161218
drwxrwx--- 12 postfix postfix 4096 Dec 19 20:10 20161219
drwxrwx---  6 postfix postfix 4096 Dec 20 07:18 20161220

spamassassin:
total 28
-rwxrwx--- 1 postfix postfix     6 Nov  9 14:48 bayes.mutex
-rwxrwx--- 1 postfix postfix 12288 Nov  9 14:48 bayes_seen
-rwxrwx--- 1 postfix postfix 12288 Nov  9 14:48 bayes_toks



Any other thoughts or places to check?  Can I get more detail on the status
13?





On Thu, Dec 8, 2016 at 12:52 PM, Jason Waters <jason at geeknocity.com> wrote:

> Thanks for the help!  I'll grep the log file and see what I see!
>
> On Thu, Dec 8, 2016 at 12:08 PM, Mark Sapiro <mark at msapiro.net> wrote:
>
>> On 12/08/2016 08:41 AM, Jason Waters wrote:
>> > Great that seemed to fix it.  So does that mean any email that had those
>> > tags failed?  Because it didn't seem to be the case.  I would think the
>> > majority of the emails have html in them.  Thanks for your help!
>>
>>
>> I'm not sure what it was that triggered the issue. I think you'll just
>> have to wait and see if it recurs or not. If the test message was
>> flagged as {disarmed} by MailScanner or you see "Content Checks:
>> Detected and have disarmed xxx tags in HTML message" where xxx isn't
>> KILLED, you're probably OK.
>>
>> One thing you can check is if all such log messages said KILLED prior to
>> your changing the ownership and now they say other things and not
>> KILLED, I'm sure it's fixed.
>>
>> --
>> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>> San Francisco Bay Area, California    better use your sense - B. Dylan
>>
>
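
Added example, not part of the original thread: the check Mark Sapiro describes in the quoted reply (whether the "disarmed ... tags" log lines say KILLED or something else), written as a shell function that tallies disarm results per MailScanner worker PID. The function names, the sample log lines, their message IDs and sender, and the "web bug" tag name are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally MailScanner HTML-disarm results per worker PID.

# Constructed sample in the format of the log lines quoted in the thread.
# Message IDs, sender and the "web bug" tag name are made up.
sample_log() {
cat <<'EOF'
Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:03:52 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in AAAA000001.A0001 from sender@example.com
Dec 20 07:05:10 mailscanner MailScanner[13973]: Content Checks: Detected and have disarmed web bug tags in HTML message in AAAA000002.A0002 from sender@example.com
Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:16:26 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in AAAA000003.A0003 from sender@example.com
EOF
}

# Reads a mail log on stdin and prints one line per MailScanner PID.
# killed = disarm reports saying KILLED, other = reports naming real tags.
disarm_summary() {
    awk '
    !match($0, /MailScanner\[[0-9]+\]:/) { next }   # skip postfix etc.
    { pid = substr($0, RSTART + 12, RLENGTH - 14) }
    /HTML disarming died, status = / {
        seen[pid] = 1; died[pid]++
        st = $0; sub(/.*status = /, "", st); status[pid] = st
    }
    /have disarmed .* tags in HTML message/ {
        seen[pid] = 1
        tags = $0
        sub(/.*have disarmed /, "", tags)
        sub(/ tags in HTML message.*/, "", tags)
        if (tags == "KILLED") killed[pid]++; else other[pid]++
    }
    END {
        for (p in seen)
            printf "pid=%s died=%d last_status=%s killed=%d other=%d\n",
                p, died[p], ((p in status) ? status[p] : "-"),
                killed[p], other[p]
    }' | sort
}

sample_log | disarm_summary
```

On a live system, feed it the real log instead of the sample: disarm_summary < /var/log/mail.log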