Messages being disarmed

Shawn Iverson iversons at rushville.k12.in.us
Wed Dec 21 12:29:24 UTC 2016


Permissions and/or MAC (selinux, etc.) related.

On Wed, Dec 21, 2016 at 7:21 AM, Jason Waters <jason at geeknocity.com> wrote:

> Any ideas?  I seem to be getting this a lot.  I wouldn't care if I could
> still see the email, but the email is just gone!
>
> root at mailscanner:/var/log# cat /var/log/mail.log |grep "died, status = 13"
> Dec 19 10:31:05 mailscanner MailScanner[2718]: HTML disarming died, status = 13
> Dec 19 11:02:59 mailscanner MailScanner[2718]: HTML disarming died, status = 13
> Dec 19 14:33:51 mailscanner MailScanner[5050]: HTML disarming died, status = 13
> Dec 19 14:40:52 mailscanner MailScanner[5050]: HTML disarming died, status = 13
> Dec 19 14:54:22 mailscanner MailScanner[5050]: HTML disarming died, status = 13
> Dec 19 15:13:40 mailscanner MailScanner[5050]: HTML disarming died, status = 13
> Dec 19 15:32:42 mailscanner MailScanner[5050]: HTML disarming died, status = 13
> Dec 19 15:46:28 mailscanner MailScanner[5050]: HTML disarming died, status = 13
> Dec 19 16:01:04 mailscanner MailScanner[5050]: HTML disarming died, status = 13
> Dec 19 20:24:19 mailscanner MailScanner[6774]: HTML disarming died, status = 13
> Dec 20 06:27:09 mailscanner MailScanner[12173]: HTML disarming died, status = 13
> Dec 20 07:02:15 mailscanner MailScanner[12173]: HTML disarming died, status = 13
> Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
> Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died, status = 13
> Dec 20 18:47:15 mailscanner MailScanner[29724]: HTML disarming died, status = 13
> Dec 20 19:48:13 mailscanner MailScanner[29724]: HTML disarming died, status = 13
> Dec 20 20:01:14 mailscanner MailScanner[29724]: HTML disarming died, status = 13
> Dec 20 20:01:14 mailscanner MailScanner[29724]: HTML disarming died, status = 13
> Dec 20 20:02:16 mailscanner MailScanner[29724]: HTML disarming died, status = 13
> Dec 20 21:32:22 mailscanner MailScanner[29724]: HTML disarming died, status = 13
> Dec 21 06:28:23 mailscanner MailScanner[416]: HTML disarming died, status = 13
> Dec 21 06:31:59 mailscanner MailScanner[416]: HTML disarming died, status = 13
> Dec 21 06:35:14 mailscanner MailScanner[416]: HTML disarming died, status = 13
> Dec 21 06:54:42 mailscanner MailScanner[416]: HTML disarming died, status = 13
> Dec 21 07:01:20 mailscanner MailScanner[416]: HTML disarming died, status = 13
> Dec 21 07:02:34 mailscanner MailScanner[416]: HTML disarming died, status = 13
> Dec 21 07:07:01 mailscanner MailScanner[416]: HTML disarming died, status = 13
>
>
> On Tue, Dec 20, 2016 at 8:10 AM, Jason Waters <jason at geeknocity.com>
> wrote:
>
>> Well I thought it was fixed because I didn't get any for a while but they
>> seem to be back.  That is what I don't get.  Why it works and then just
>> stops!  I also have some issues where it stops logging to SQL.  Still does
>> all the checks and it says it logs to SQL, but it doesn't.  I reboot and
>> then it starts again.  So here is some more information:
>>
>> cat /var/log/mail.log |grep "died, status = 13" -B5 -A5
>>
>> Dec 20 07:03:22 mailscanner MailScanner[12173]: Virus and Content Scanning: Starting
>> Dec 20 07:03:25 mailscanner postfix/smtpd[14291]: disconnect from ccm183.constantcontact.com[208.75.123.183] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
>> Dec 20 07:03:28 mailscanner MailScanner[12173]: <A> tag found in message D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
>> Dec 20 07:03:28 mailscanner MailScanner[12173]: HTML Img tag found in message D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
>> Dec 20 07:03:44 mailscanner postfix/smtpd[14291]: connect from unknown[78.142.18.89]
>> Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
>> Dec 20 07:03:52 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
>> Dec 20 07:03:53 mailscanner MailScanner[12173]: Requeue: D45B4E0B1B.A2260 to 14619E0B20
>> Dec 20 07:03:53 mailscanner postfix/qmgr[1736]: 14619E0B20: from=<aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com>, size=19291, nrcpt=1 (queue active)
>> Dec 20 07:03:53 mailscanner MailScanner[12173]: Uninfected: Delivered 1 messages
>> Dec 20 07:03:53 mailscanner MailScanner[12173]: Deleted 1 messages from processing-database
>> --
>> Dec 20 07:16:22 mailscanner MailScanner[13973]: Deleted 1 messages from processing-database
>> Dec 20 07:16:22 mailscanner MailScanner[13973]: Logging message 2EDE1E0B20.ACEF5 to SQL
>> Dec 20 07:16:22 mailscanner MailScanner[13973]: New Batch: Found 2 messages waiting
>> Dec 20 07:16:22 mailscanner MailScanner[13973]: New Batch: Scanning 1 messages, 707697 bytes
>> Dec 20 07:16:23 mailscanner MailScanner[13973]: Virus and Content Scanning: Starting
>> Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died, status = 13
>> Dec 20 07:16:26 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D0DA1E0B21.A9AD3 from bo-b3aygrcbg7011zaut10bdcrjmm73vh at b.e.delta.com
>> Dec 20 07:16:27 mailscanner MailScanner[12173]: Requeue: D0DA1E0B21.A9AD3 to B6E49E0B20
>> Dec 20 07:16:27 mailscanner postfix/qmgr[1736]: B6E49E0B20: from=<bo-b3aygrcbg7011zaut10bdcrjmm73vh at b.e.delta.com>, size=52671, nrcpt=1 (queue active)
>> Dec 20 07:16:27 mailscanner MailScanner[12173]: Uninfected: Delivered 1 messages
>> Dec 20 07:16:27 mailscanner MailScanner[12173]: Deleted 1 messages from processing-database
>>
>> I thought I had everything set up to run as postfix..
>>
>> root at mailscanner:/etc/MailScanner# grep "= postfix" MailScanner.conf
>> #Run As User = postfix
>> Run As User = postfix
>> #Run As Group = postfix
>> Run As Group = postfix
>> MTA = postfix
>> Incoming Work User = postfix
>> Incoming Work Group = postfix
>> Quarantine User = postfix
>> Quarantine Group = postfix
>>
>> Here is the entry for postfix in /etc/group
>> postfix:x:117:clamav,www-data,mail
>>
>>
>> Spool Permissions
>> root at mailscanner:/var/spool/MailScanner# ls -l *
>> -rw-------  1 postfix postfix   23 Nov 15 13:14 servers
>>
>> archive:
>> total 0
>>
>> incoming:
>> total 576
>> drwxrwx--- 2 postfix postfix   4096 Dec 13 14:49 11490
>> drwxrwx--- 2 postfix postfix   4096 Dec 20 07:43 12173
>> drwxrwx--- 2 postfix postfix   4096 Dec 18 01:10 15039
>> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:08 1934
>> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:08 1972
>> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:05 2006
>> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:02 2042
>> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:03 2096
>> drwxrwx--- 2 postfix postfix   4096 Dec 14 11:24 21119
>> drwxrwx--- 2 postfix postfix   4096 Dec  9 07:18 25816
>> drwxrwx--- 2 postfix postfix   4096 Dec 12 01:31 26221
>> drwxrwx--- 2 postfix postfix   4096 Dec 19 11:03 2718
>> drwxrwx--- 3 postfix postfix   4096 Dec  8 11:14 27928
>> drwxrwx--- 2 postfix postfix   4096 Dec 19 16:01 5050
>> drwxrwx--- 2 postfix postfix   4096 Dec  7 09:08 5209
>> drwxr-xr-x 2 postfix postfix   4096 Dec 20 07:45 Locks
>> -rw-rw---- 1 postfix postfix  11264 Dec 20 08:08 Processing.db
>> -rw-rw---- 1 postfix postfix 502784 Dec 20 08:08 SpamAssassin.cache.db
>> drwxr-xr-x 2 postfix postfix   4096 Dec 20 08:08 SpamAssassin-Temp
>>
>> quarantine:
>> total 128
>> drwxrwx---  4 postfix postfix 4096 Nov 19 00:05 20161119
>> drwxrwx---  4 postfix postfix 4096 Nov 20 00:35 20161120
>> drwxrwx---  6 postfix postfix 4096 Nov 21 17:20 20161121
>> drwxrwx---  9 postfix postfix 4096 Nov 22 17:48 20161122
>> drwxrwx---  5 postfix postfix 4096 Nov 23 08:21 20161123
>> drwxrwx---  5 postfix postfix 4096 Nov 24 08:12 20161124
>> drwxrwx---  6 postfix postfix 4096 Nov 25 00:55 20161125
>> drwxrwx---  4 postfix postfix 4096 Nov 26 01:00 20161126
>> drwxrwx---  4 postfix postfix 4096 Nov 27 01:38 20161127
>> drwxrwx---  4 postfix postfix 4096 Nov 28 00:01 20161128
>> drwxrwx---  7 postfix postfix 4096 Nov 29 09:41 20161129
>> drwxrwx---  7 postfix postfix 4096 Nov 30 22:28 20161130
>> drwxrwx---  6 postfix postfix 4096 Dec  1 20:15 20161201
>> drwxrwx---  9 postfix postfix 4096 Dec  2 10:15 20161202
>> drwxrwx---  4 postfix postfix 4096 Dec  3 01:33 20161203
>> drwxrwx---  4 postfix postfix 4096 Dec  4 01:05 20161204
>> drwxrwx---  6 postfix postfix 4096 Dec  5 21:56 20161205
>> drwxrwx---  8 postfix postfix 4096 Dec  6 22:40 20161206
>> drwxrwx---  5 postfix postfix 4096 Dec  7 19:16 20161207
>> drwxrwx--- 59 postfix postfix 4096 Dec  8 13:51 20161208
>> drwxrwx--- 14 postfix postfix 4096 Dec  9 19:05 20161209
>> drwxrwx---  5 postfix postfix 4096 Dec 10 07:18 20161210
>> drwxrwx---  6 postfix postfix 4096 Dec 11 13:35 20161211
>> drwxrwx---  9 postfix postfix 4096 Dec 12 20:51 20161212
>> drwxrwx---  7 postfix postfix 4096 Dec 13 15:11 20161213
>> drwxrwx--- 11 postfix postfix 4096 Dec 14 22:08 20161214
>> drwxrwx---  7 postfix postfix 4096 Dec 15 15:40 20161215
>> drwxrwx--- 10 postfix postfix 4096 Dec 16 16:11 20161216
>> drwxrwx---  6 postfix postfix 4096 Dec 17 15:11 20161217
>> drwxrwx---  7 postfix postfix 4096 Dec 18 15:10 20161218
>> drwxrwx--- 12 postfix postfix 4096 Dec 19 20:10 20161219
>> drwxrwx---  6 postfix postfix 4096 Dec 20 07:18 20161220
>>
>> spamassassin:
>> total 28
>> -rwxrwx--- 1 postfix postfix     6 Nov  9 14:48 bayes.mutex
>> -rwxrwx--- 1 postfix postfix 12288 Nov  9 14:48 bayes_seen
>> -rwxrwx--- 1 postfix postfix 12288 Nov  9 14:48 bayes_toks
>>
>>
>>
>> Any other thoughts or places to check?  Can I get more detail on the
>> status 13?
>>
>>
>>
>>
>>
>> On Thu, Dec 8, 2016 at 12:52 PM, Jason Waters <jason at geeknocity.com>
>> wrote:
>>
>>> Thanks for the help!  I'll grep the log file and see what I see!
>>>
>>> On Thu, Dec 8, 2016 at 12:08 PM, Mark Sapiro <mark at msapiro.net> wrote:
>>>
>>>> On 12/08/2016 08:41 AM, Jason Waters wrote:
>>>> > Great that seemed to fix it.  So does that mean any email that had those
>>>> > tags failed?  Because it didn't seem to be the case.  I would think the
>>>> > majority of the emails have html in them.  Thanks for your help!
>>>>
>>>>
>>>> I'm not sure what it was that triggered the issue. I think you'll just
>>>> have to wait and see if it recurs or not. If the test message was
>>>> flagged as {disarmed} by MailScanner or you see "Content Checks:
>>>> Detected and have disarmed xxx tags in HTML message" where xxx isn't
>>>> KILLED, you're probably OK.
>>>>
>>>> One thing you can check is if all such log messages said KILLED prior to
>>>> your changing the ownership and now they say other things and not
>>>> KILLED, I'm sure it's fixed.
>>>>
>>>> --
>>>> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>>>> San Francisco Bay Area, California    better use your sense - B. Dylan
>>>>
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>>


-- 
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
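
The check Mark Sapiro describes in the quoted thread (do the "disarmed ... tags" lines still say KILLED, and on which days?), as an added example that is not part of the original messages. It counts disarm crashes per day and ties each one to the message it affected by MailScanner PID; `summarize` is a hypothetical helper, and the sample lines, queue IDs, senders and the "web bug" tag value are constructed in the log format shown above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (unwrapped syslog lines in the format quoted in the thread).
SAMPLE_LOG = """\
Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:03:52 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in AAAAAAAAAA.A0001 from sender1@example.com
Dec 20 07:16:22 mailscanner MailScanner[13973]: Logging message BBBBBBBBBB.B0002 to SQL
Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:16:26 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CCCCCCCCCC.C0003 from sender2@example.com
Dec 21 09:00:01 mailscanner MailScanner[416]: Content Checks: Detected and have disarmed web bug tags in HTML message in DDDDDDDDDD.D0004 from sender3@example.com
Dec 21 09:05:00 mailscanner MailScanner[416]: HTML disarming died, status = 13
"""

LINE = re.compile(r"^(?P<day>\w{3}\s+\d+) (?P<time>[\d:]+) \S+ MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DIED = re.compile(r"HTML disarming died, status = (\d+)")
DISARMED = re.compile(r"Content Checks: Detected and have disarmed (.+?) tags in HTML message in (\S+) from (\S+)")

def summarize(lines):
    """Return (per-day counters, KILLED messages, crashes never tied to a message)."""
    per_day = defaultdict(Counter)
    pending = {}   # pid -> exit status of a crash not yet matched to a message
    killed = []    # (day, time, pid, queue_id, sender, status)
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # postfix and other non-MailScanner lines
        day = " ".join(m["day"].split())  # normalise "Dec  9" to "Dec 9"
        pid, msg = m["pid"], m["msg"]
        died = DIED.search(msg)
        if died:
            per_day[day]["died"] += 1
            pending[pid] = died.group(1)
            continue
        hit = DISARMED.search(msg)
        if not hit:
            continue
        tags, queue_id, sender = hit.groups()
        if tags == "KILLED":  # the disarm child died; this message is the one affected
            per_day[day]["killed"] += 1
            killed.append((day, m["time"], pid, queue_id, sender, pending.pop(pid, None)))
        else:                 # any other tag name means disarming completed
            per_day[day]["disarmed_ok"] += 1
    return dict(per_day), killed, pending

if __name__ == "__main__":
    days, killed, unmatched = summarize(SAMPLE_LOG.splitlines())
    print(days, killed, unmatched, sep="\n")
```

Run against the real `/var/log/mail.log`, a day on which `killed` drops to zero while `disarmed_ok` keeps counting corresponds to the "probably OK" condition in the quoted advice.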