Messages being disarmed

Jason Waters jason at geeknocity.com
Wed Dec 21 12:37:02 UTC 2016


I would tend to agree...I just can't find where!  I have everything set as
postfix.  All the permissions seem to still be postfix.  Do I need to run
clamd or spamassassin as postfix? Can I turn the logging up so I can see
what is actually happening?  Thanks for the reply!

Jason

On Wed, Dec 21, 2016 at 7:29 AM, Shawn Iverson <iversons at rushville.k12.in.us> wrote:

> Permissions and/or MAC (selinux, etc.) related.
>
> On Wed, Dec 21, 2016 at 7:21 AM, Jason Waters <jason at geeknocity.com>
> wrote:
>
>> Any ideas?  I seem to be getting this a lot.  I wouldn't care if I could
>> still see the email, but the email is just gone!
>>
>> root at mailscanner:/var/log# cat /var/log/mail.log |grep "died, status =
>> 13"
>> Dec 19 10:31:05 mailscanner MailScanner[2718]: HTML disarming died,
>> status = 13
>> Dec 19 11:02:59 mailscanner MailScanner[2718]: HTML disarming died,
>> status = 13
>> Dec 19 14:33:51 mailscanner MailScanner[5050]: HTML disarming died,
>> status = 13
>> Dec 19 14:40:52 mailscanner MailScanner[5050]: HTML disarming died,
>> status = 13
>> Dec 19 14:54:22 mailscanner MailScanner[5050]: HTML disarming died,
>> status = 13
>> Dec 19 15:13:40 mailscanner MailScanner[5050]: HTML disarming died,
>> status = 13
>> Dec 19 15:32:42 mailscanner MailScanner[5050]: HTML disarming died,
>> status = 13
>> Dec 19 15:46:28 mailscanner MailScanner[5050]: HTML disarming died,
>> status = 13
>> Dec 19 16:01:04 mailscanner MailScanner[5050]: HTML disarming died,
>> status = 13
>> Dec 19 20:24:19 mailscanner MailScanner[6774]: HTML disarming died,
>> status = 13
>> Dec 20 06:27:09 mailscanner MailScanner[12173]: HTML disarming died,
>> status = 13
>> Dec 20 07:02:15 mailscanner MailScanner[12173]: HTML disarming died,
>> status = 13
>> Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died,
>> status = 13
>> Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died,
>> status = 13
>> Dec 20 18:47:15 mailscanner MailScanner[29724]: HTML disarming died,
>> status = 13
>> Dec 20 19:48:13 mailscanner MailScanner[29724]: HTML disarming died,
>> status = 13
>> Dec 20 20:01:14 mailscanner MailScanner[29724]: HTML disarming died,
>> status = 13
>> Dec 20 20:01:14 mailscanner MailScanner[29724]: HTML disarming died,
>> status = 13
>> Dec 20 20:02:16 mailscanner MailScanner[29724]: HTML disarming died,
>> status = 13
>> Dec 20 21:32:22 mailscanner MailScanner[29724]: HTML disarming died,
>> status = 13
>> Dec 21 06:28:23 mailscanner MailScanner[416]: HTML disarming died, status
>> = 13
>> Dec 21 06:31:59 mailscanner MailScanner[416]: HTML disarming died, status
>> = 13
>> Dec 21 06:35:14 mailscanner MailScanner[416]: HTML disarming died, status
>> = 13
>> Dec 21 06:54:42 mailscanner MailScanner[416]: HTML disarming died, status
>> = 13
>> Dec 21 07:01:20 mailscanner MailScanner[416]: HTML disarming died, status
>> = 13
>> Dec 21 07:02:34 mailscanner MailScanner[416]: HTML disarming died, status
>> = 13
>> Dec 21 07:07:01 mailscanner MailScanner[416]: HTML disarming died, status
>> = 13
>>
>>
>> On Tue, Dec 20, 2016 at 8:10 AM, Jason Waters <jason at geeknocity.com>
>> wrote:
>>
>>> Well I thought it was fixed because I didn't get any for a while but they
>>> seem to be back.  That is what I don't get.  Why it works and then just
>>> stops!  I also have some issues where it stops logging to SQL.  Still does
>>> all the checks and it says it logs to SQL, but it doesn't.  I reboot and
>>> then it starts again.  So here is some more information:
>>>
>>> cat /var/log/mail.log |grep "died, status = 13" -B5 -A5
>>>
>>> Dec 20 07:03:22 mailscanner MailScanner[12173]: Virus and Content
>>> Scanning: Starting
>>> Dec 20 07:03:25 mailscanner postfix/smtpd[14291]: disconnect from
>>> ccm183.constantcontact.com[208.75.123.183] ehlo=1 mail=1 rcpt=1 data=1
>>> quit=1 commands=5
>>> Dec 20 07:03:28 mailscanner MailScanner[12173]: <A> tag found in message
>>> D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103
>>> 817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
>>> Dec 20 07:03:28 mailscanner MailScanner[12173]: HTML Img tag found in
>>> message D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103
>>> 817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
>>> Dec 20 07:03:44 mailscanner postfix/smtpd[14291]: connect from
>>> unknown[78.142.18.89]
>>> Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died,
>>> status = 13
>>> Dec 20 07:03:52 mailscanner MailScanner[12173]: Content Checks: Detected
>>> and have disarmed KILLED tags in HTML message in D45B4E0B1B.A2260 from
>>> aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@
>>> in.constantcontact.com
>>> Dec 20 07:03:53 mailscanner MailScanner[12173]: Requeue:
>>> D45B4E0B1B.A2260 to 14619E0B20
>>> Dec 20 07:03:53 mailscanner postfix/qmgr[1736]: 14619E0B20:
>>> from=<aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@
>>> in.constantcontact.com>, size=19291, nrcpt=1 (queue active)
>>> Dec 20 07:03:53 mailscanner MailScanner[12173]: Uninfected: Delivered 1
>>> messages
>>> Dec 20 07:03:53 mailscanner MailScanner[12173]: Deleted 1 messages from
>>> processing-database
>>> --
>>> Dec 20 07:16:22 mailscanner MailScanner[13973]: Deleted 1 messages from
>>> processing-database
>>> Dec 20 07:16:22 mailscanner MailScanner[13973]: Logging message
>>> 2EDE1E0B20.ACEF5 to SQL
>>> Dec 20 07:16:22 mailscanner MailScanner[13973]: New Batch: Found 2
>>> messages waiting
>>> Dec 20 07:16:22 mailscanner MailScanner[13973]: New Batch: Scanning 1
>>> messages, 707697 bytes
>>> Dec 20 07:16:23 mailscanner MailScanner[13973]: Virus and Content
>>> Scanning: Starting
>>> Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died,
>>> status = 13
>>> Dec 20 07:16:26 mailscanner MailScanner[12173]: Content Checks: Detected
>>> and have disarmed KILLED tags in HTML message in D0DA1E0B21.A9AD3 from
>>> bo-b3aygrcbg7011zaut10bdcrjmm73vh at b.e.delta.com
>>> Dec 20 07:16:27 mailscanner MailScanner[12173]: Requeue:
>>> D0DA1E0B21.A9AD3 to B6E49E0B20
>>> Dec 20 07:16:27 mailscanner postfix/qmgr[1736]: B6E49E0B20: from=<
>>> bo-b3aygrcbg7011zaut10bdcrjmm73vh at b.e.delta.com>, size=52671, nrcpt=1
>>> (queue active)
>>> Dec 20 07:16:27 mailscanner MailScanner[12173]: Uninfected: Delivered 1
>>> messages
>>> Dec 20 07:16:27 mailscanner MailScanner[12173]: Deleted 1 messages from
>>> processing-database
>>>
>>> I thought I had everything set up to run as postfix..
>>>
>>> root at mailscanner:/etc/MailScanner# grep "= postfix" MailScanner.conf
>>> #Run As User = postfix
>>> Run As User = postfix
>>> #Run As Group = postfix
>>> Run As Group = postfix
>>> MTA = postfix
>>> Incoming Work User = postfix
>>> Incoming Work Group = postfix
>>> Quarantine User = postfix
>>> Quarantine Group = postfix
>>>
>>> Here is the entry for postfix in /etc/group
>>> postfix:x:117:clamav,www-data,mail
>>>
>>>
>>> Spool Permissions
>>> root at mailscanner:/var/spool/MailScanner# ls -l *
>>> -rw-------  1 postfix postfix   23 Nov 15 13:14 servers
>>>
>>> archive:
>>> total 0
>>>
>>> incoming:
>>> total 576
>>> drwxrwx--- 2 postfix postfix   4096 Dec 13 14:49 11490
>>> drwxrwx--- 2 postfix postfix   4096 Dec 20 07:43 12173
>>> drwxrwx--- 2 postfix postfix   4096 Dec 18 01:10 15039
>>> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:08 1934
>>> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:08 1972
>>> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:05 2006
>>> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:02 2042
>>> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:03 2096
>>> drwxrwx--- 2 postfix postfix   4096 Dec 14 11:24 21119
>>> drwxrwx--- 2 postfix postfix   4096 Dec  9 07:18 25816
>>> drwxrwx--- 2 postfix postfix   4096 Dec 12 01:31 26221
>>> drwxrwx--- 2 postfix postfix   4096 Dec 19 11:03 2718
>>> drwxrwx--- 3 postfix postfix   4096 Dec  8 11:14 27928
>>> drwxrwx--- 2 postfix postfix   4096 Dec 19 16:01 5050
>>> drwxrwx--- 2 postfix postfix   4096 Dec  7 09:08 5209
>>> drwxr-xr-x 2 postfix postfix   4096 Dec 20 07:45 Locks
>>> -rw-rw---- 1 postfix postfix  11264 Dec 20 08:08 Processing.db
>>> -rw-rw---- 1 postfix postfix 502784 Dec 20 08:08 SpamAssassin.cache.db
>>> drwxr-xr-x 2 postfix postfix   4096 Dec 20 08:08 SpamAssassin-Temp
>>>
>>> quarantine:
>>> total 128
>>> drwxrwx---  4 postfix postfix 4096 Nov 19 00:05 20161119
>>> drwxrwx---  4 postfix postfix 4096 Nov 20 00:35 20161120
>>> drwxrwx---  6 postfix postfix 4096 Nov 21 17:20 20161121
>>> drwxrwx---  9 postfix postfix 4096 Nov 22 17:48 20161122
>>> drwxrwx---  5 postfix postfix 4096 Nov 23 08:21 20161123
>>> drwxrwx---  5 postfix postfix 4096 Nov 24 08:12 20161124
>>> drwxrwx---  6 postfix postfix 4096 Nov 25 00:55 20161125
>>> drwxrwx---  4 postfix postfix 4096 Nov 26 01:00 20161126
>>> drwxrwx---  4 postfix postfix 4096 Nov 27 01:38 20161127
>>> drwxrwx---  4 postfix postfix 4096 Nov 28 00:01 20161128
>>> drwxrwx---  7 postfix postfix 4096 Nov 29 09:41 20161129
>>> drwxrwx---  7 postfix postfix 4096 Nov 30 22:28 20161130
>>> drwxrwx---  6 postfix postfix 4096 Dec  1 20:15 20161201
>>> drwxrwx---  9 postfix postfix 4096 Dec  2 10:15 20161202
>>> drwxrwx---  4 postfix postfix 4096 Dec  3 01:33 20161203
>>> drwxrwx---  4 postfix postfix 4096 Dec  4 01:05 20161204
>>> drwxrwx---  6 postfix postfix 4096 Dec  5 21:56 20161205
>>> drwxrwx---  8 postfix postfix 4096 Dec  6 22:40 20161206
>>> drwxrwx---  5 postfix postfix 4096 Dec  7 19:16 20161207
>>> drwxrwx--- 59 postfix postfix 4096 Dec  8 13:51 20161208
>>> drwxrwx--- 14 postfix postfix 4096 Dec  9 19:05 20161209
>>> drwxrwx---  5 postfix postfix 4096 Dec 10 07:18 20161210
>>> drwxrwx---  6 postfix postfix 4096 Dec 11 13:35 20161211
>>> drwxrwx---  9 postfix postfix 4096 Dec 12 20:51 20161212
>>> drwxrwx---  7 postfix postfix 4096 Dec 13 15:11 20161213
>>> drwxrwx--- 11 postfix postfix 4096 Dec 14 22:08 20161214
>>> drwxrwx---  7 postfix postfix 4096 Dec 15 15:40 20161215
>>> drwxrwx--- 10 postfix postfix 4096 Dec 16 16:11 20161216
>>> drwxrwx---  6 postfix postfix 4096 Dec 17 15:11 20161217
>>> drwxrwx---  7 postfix postfix 4096 Dec 18 15:10 20161218
>>> drwxrwx--- 12 postfix postfix 4096 Dec 19 20:10 20161219
>>> drwxrwx---  6 postfix postfix 4096 Dec 20 07:18 20161220
>>>
>>> spamassassin:
>>> total 28
>>> -rwxrwx--- 1 postfix postfix     6 Nov  9 14:48 bayes.mutex
>>> -rwxrwx--- 1 postfix postfix 12288 Nov  9 14:48 bayes_seen
>>> -rwxrwx--- 1 postfix postfix 12288 Nov  9 14:48 bayes_toks
>>>
>>>
>>>
>>> Any other thoughts or places to check?  Can I get more detail on the
>>> status 13?
>>>
>>>
>>>
>>>
>>>
>>> On Thu, Dec 8, 2016 at 12:52 PM, Jason Waters <jason at geeknocity.com>
>>> wrote:
>>>
>>>> Thanks for the help!  I'll grep the log file and see what I see!
>>>>
>>>> On Thu, Dec 8, 2016 at 12:08 PM, Mark Sapiro <mark at msapiro.net> wrote:
>>>>
>>>>> On 12/08/2016 08:41 AM, Jason Waters wrote:
>>>>> > Great that seemed to fix it.  So does that mean any email that had
>>>>> those
>>>>> > tags failed?  Because it didn't seem to be the case.  I would think
>>>>> the
>>>>> > majority of the emails have html in them.  Thanks for your help!
>>>>>
>>>>>
>>>>> I'm not sure what it was that triggered the issue. I think you'll just
>>>>> have to wait and see if it recurs or not. If the test message was
>>>>> flagged as {disarmed} by MailScanner or you see "Content Checks:
>>>>> Detected and have disarmed xxx tags in HTML message" where xxx isn't
>>>>> KILLED, you're probably OK.
>>>>>
>>>>> One thing you can check is if all such log messages said KILLED prior
>>>>> to
>>>>> your changing the ownership and now they say other things and not
>>>>> KILLED, I'm sure it's fixed.
>>>>>
>>>>> --
>>>>> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>>>>> San Francisco Bay Area, California    better use your sense - B. Dylan
>>>>>
>>>>>
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner at lists.mailscanner.info
>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>
>>>>>
>>>>
>>>
>>
>
>
> --
> Shawn Iverson
> Director of Technology
> Rush County Schools
> 765-932-3901 x271
> iversons at rushville.k12.in.us
>
>
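The check suggested in the thread (whether "disarmed ... tags" entries say KILLED or something else, before and after a change) can be automated by pairing each "HTML disarming died" entry with the next disarm entry from the same MailScanner PID. This is an added example, not code from the thread or from MailScanner; the sample lines are constructed in the mail.log format quoted above (placeholder senders, one constructed non-KILLED entry), and it assumes unwrapped one-line log entries.

```python
import re
from collections import Counter

# Constructed sample in the mail.log format quoted in the thread.
# Sender addresses are placeholders; the Dec 21 entry is invented for contrast.
SAMPLE = """\
Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:03:52 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D45B4E0B1B.A2260 from sender@example.com
Dec 20 07:16:23 mailscanner MailScanner[13973]: Virus and Content Scanning: Starting
Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:16:26 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D0DA1E0B21.A9AD3 from sender@example.net
Dec 21 09:00:01 mailscanner MailScanner[416]: Content Checks: Detected and have disarmed form tags in HTML message in 1A2B3C4D5E.A0001 from sender@example.org
""".splitlines()

ENTRY = re.compile(r"^(\w{3}\s+\d+) [\d:]{8} \S+ MailScanner\[(\d+)\]: (.*)$")
DIED = re.compile(r"HTML disarming died, status = (\d+)")
DISARMED = re.compile(r"disarmed (.+?) tags in HTML message in (\S+) from")

def correlate(lines):
    """Pair each 'died' entry with the next disarm entry from the same PID."""
    pending = {}    # pid -> status of a 'died' entry still waiting for its message ID
    failures = []   # (day, pid, status, message_id)
    per_day = {}    # day -> Counter of 'KILLED' vs 'ok' disarm results
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            continue  # not a MailScanner entry (postfix, clamd, ...)
        day, pid, text = m.groups()
        died = DIED.search(text)
        if died:
            pending[pid] = died.group(1)
            continue
        dis = DISARMED.search(text)
        if dis:
            tags, msg_id = dis.groups()
            kind = "KILLED" if tags == "KILLED" else "ok"
            per_day.setdefault(day, Counter())[kind] += 1
            if pid in pending:
                failures.append((day, pid, pending.pop(pid), msg_id))
    return failures, per_day

if __name__ == "__main__":
    failures, per_day = correlate(SAMPLE)
    for day, counts in per_day.items():
        print(day, dict(counts))
    for f in failures:
        print("disarm failed:", f)
```

Keying on the PID matters because several MailScanner children write to the same log, so entries from another child can fall between a "died" line and the message it belongs to.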