Denial Of Service attack
Jason Voorhees
jvoorhees1 at gmail.com
Tue Aug 8 18:30:05 UTC 2017
Hey guys, sorry to reopen this old thread. It's just that I
don't know what else to do. This problem started occurring a couple of
months ago under the same settings I always use for every MailScanner
installation.
This is my scenario:
OS: CentOS 7 x86_64
SELinux: Disabled
MailScanner: 5.0.3
MailServer: Zimbra 8.7.11
MailScanner settings:
- Run As User: postfix
- Run As Group: postfix
- Incoming Work Group = postfix
- Incoming Work Permissions = 0660
ClamAV settings:
- LocalSocketGroup postfix
- User postfix
- AllowSupplementaryGroups yes
User and group settings:
$ id postfix
uid=89(postfix) gid=89(postfix)
groups=89(postfix),12(mail),994(clamupdate),48(apache),993(clamscan),1000(mtagroup)
Directory permissions:
$ ls -ld /var/spool/MailScanner
drwxr-xr-x 5 root root 75 Jul 27 11:53 /var/spool/MailScanner/
$ ls -ld /var/run/clamd.scan/
drwx--x--- 2 postfix postfix 80 Aug 8 13:09 /var/run/clamd.scan/
$ ls -l /var/spool/MailScanner/
total 0
drwxrwxr-x 2 postfix postfix 6 Aug 14 2016 archive
drwxrwx--- 17 postfix postfix 380 Aug 8 13:23 incoming
lrwxrwxrwx 1 root root 28 Jul 27 11:53 quarantine -> /opt/MailScanner/quarantine/
drwxrwxr-x 4 postfix postfix 82 Jul 15 11:01 spamassassin
$ ls -l /var/run/clamd.scan/
total 4
-rw-rw-r-- 1 postfix postfix 6 Aug 8 13:09 clamd.pid
srw-rw-rw- 1 postfix postfix 0 Aug 8 13:09 clamd.sock
I've made a recursive chown + chmod command like this:
# chown -R postfix:postfix /var/spool/MailScanner/incoming
# chmod -R g+rw /var/spool/MailScanner/incoming
# chmod -R g+X /var/spool/MailScanner/incoming
This is how my processes are running with their effective UIDs and GIDs:
$ ps -eo user,group,comm | grep -iE "(mailscanner|clam|postfix|user)"
USER GROUP COMMAND
root root freshclam-sleep
postfix postfix smtpd
postfix postfix smtpd
postfix postfix pickup
postfix postfix smtpd
postfix postfix smtpd
postfix postfix postscreen
postfix postfix showq
postfix postfix smtpd
postfix postfix clamd
postfix postfix cleanup
postfix postfix lmtp
postfix postfix trivial-rewrite
postfix postfix MailScanner: ma
postfix postfix MailScanner: wa
postfix postfix MailScanner: wa
postfix postfix MailScanner: wa
postfix postfix MailScanner: wa
postfix postfix MailScanner: wa
postfix postfix MailWatch SQL
postfix postfix proxymap
postfix postfix qmgr
postfix postfix tlsmgr
postfix postfix anvil
As you can see, everything (MailScanner, postfix and ClamD) is running
as postfix user and postfix group.
What might be wrong?
How can I modify/patch some MailScanner code to show some debug lines
when this problem occurs? I even think this is not an SELinux,
ownership or permissions problem... :(
I hope someone can help me.
On Wed, Jan 25, 2017 at 10:41 AM, Glenn Steen <glenn.steen at gmail.com> wrote:
> You might have a problem with MailWatch as well, but I'd be interested to
> hear what your findings about the permission bits are.
> Also, check that you only have queue files in the postfix hold... If for
> example SpamAssassin puts files/directories in there, bad things will
> happen:).
>
> Looking at the MailWatch thing, have you verified that
> - Your database is up and running
> - You can connect to it with the credentials used in MailWatch.pm
> - You have no typos in the MailWatch.pm file (specifically the my($db,,,)
> settings? Note that these need to be in single quotes like so:
> my($db_name) = 'mailscanner';
> my($db_host) = 'localhost';
> my($db_user) = 'mailwatch';
> my($db_pass) = 'secretpassword';
>
> Cheers!
> --
> -- Glenn
>
> 2017-01-25 13:27 GMT+01:00 Marcelo Machado <mmgomess at gmail.com>:
>>
>> Hi everyone.
>>
>> I have not said that I use MailWatch and it seems that the problem is
>> related to it.
>>
>> See this. https://github.com/mailwatch/1.2.0/issues/430
>>
>> 2017-01-24 8:51 GMT-02:00 Glenn Steen <glenn.steen at gmail.com>:
>> > Marcelo,
>> >
>> > Could you please check the following:
>> >
>> > ps -ef |egrep "postfix|clamd"
>> >
>> > depending on the result, check the user running postfix and clamd with
>> > something like:
>> > id postfix
>> > id clamav
>> > change the users as needed/found in the ps listing.
>> >
>> > This will show what your MailScanner.conf settings need to be for both clamd
>> > and postfix to be able to access the incoming work directory. The theory
>> > is quite simple, just set the user to the one needed by the postfix
>> > processes, and the group to match the clamd one.
>> > Now, stop MailScanner the usual way, and use chown to change the actual
>> > ownership on the actual files & directories. Something like
>> > chown -R postfix.clamscan /var/spool/MailScanner/incoming
>> > (adjust as needed, of course)
>> > Start MailScanner the usual way, and try sending a message through...
>> > Other things to check:
>> > The permissions on the SpamAssassin directory (either you use the
>> > ~postfix/.spamassassin, or /var/spool/MailScanner/spamassassin ... or
>> > both... it all depends...:))
>> > Permissions on the quarantine directory
>> > Permissions on the configuration files (remember that MailScanner has to
>> > run as the postfix user, so all tests, like debugging and linting, need to
>> > be done as that user! "su - postfix -s /bin/bash" is your friend... You
>> > might need to do a "sudo -i" first;-)).
>> >
>> > Cheers!
>> > --
>> > -- Glenn
>> >
>> >
>> >
>> > 2017-01-23 10:43 GMT+01:00 Glenn Steen <glenn.steen at gmail.com>:
>> >>
>> >> Actually, unless the OP has done something to the user/group setup, this
>> >> is simply a case of misconfiguration...:-)
>> >>
>> >> Looking at my 16.04 install, postfix runs as user postfix with group
>> >> postfix, and I wouldn't even hazard a guess at what clamd is running
>> >> as... These things should be checked, and the MS config made to comply
>> >> (use ps to learn more:), and fix any errors with chown (with MS/postfix
>> >> shut down)... After that, things should start working;-)
>> >>
>> >> Cheers
>> >> --
>> >> -- Glenn
>> >>
>> >> Den 22 jan. 2017 7:40 em skrev "Mark Sapiro" <mark at msapiro.net>:
>> >>
>> >> On 01/22/2017 10:32 AM, Marcelo Machado wrote:
>> >> >
>> >> > I work with some Ubuntu servers with MailScanner installed and I
>> >> > noticed right now that this error does not occur in version 14.04,
>> >> > but
>> >> > only in version 16.04.
>> >>
>> >>
>> >> Which makes it likely that the issue is with apparmor.
>> >>
>> >> --
>> >> Mark Sapiro <mark at msapiro.net>
>> >> San Francisco Bay Area, California
>> >> The highway is for gamblers, better use your sense - B. Dylan
>> >>
>> >>
>> >> --
>> >> MailScanner mailing list
>> >> mailscanner at lists.mailscanner.info
>> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > -- Glenn
>> > email: glenn < dot > steen < at > gmail < dot > com
>> > work: glenn < dot > steen < at > ap1 < dot > se
>> >
>> >
>> >
>> >
>>
>>
>>
>
>
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>
>
>
>
>
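The "theory" in Glenn's quoted reply (user matched to the postfix processes, group matched to clamd, then chown the work directory) boils down to the POSIX access check the kernel applies to each path component. The script below is an added example, not MailScanner or ClamAV code: it models that check and runs it against the `ls -ld` and `id postfix` output from the post above, re-entered as constants. The `clamscan` principal (uid 990, sole group 993) is an assumed alternative layout where clamd runs as its own user, included to show why the work directory's group must match the scanner's group; the work-file path under `incoming/12345/` is likewise constructed.

```python
"""POSIX access check applied to the MailScanner/postfix/clamd layout.

Added example, not MailScanner's own code.  The entries below re-enter the
`ls -ld` and `id postfix` output from the post as constants; the 'clamscan'
principal is an ASSUMED alternative layout (clamd running as its own user,
uid/gid picked for the example) used to show why the work-directory group
must match the scanner's group, as suggested in the quoted replies.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o770


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: FrozenSet[int]  # primary plus supplementary groups


def bits_for(entry: Entry, who: Principal) -> int:
    """rwx triplet that applies to `who` on `entry`.

    The kernel picks exactly one class: owner if the uid matches, else group
    if any of the process's groups matches, else other.  Being the owner
    does not fall back to the group bits, so a file owned by postfix with
    mode 0070 is unreadable by postfix even though postfix is in that group.
    """
    if who.uid == entry.uid:
        return (entry.mode >> 6) & 7
    if entry.gid in who.gids:
        return (entry.mode >> 3) & 7
    return entry.mode & 7


def can_access(tree: Dict[str, Entry], path: str, who: Principal, want: int) -> bool:
    """True if `who` has every bit in `want` on `path` and search (x) on each
    ancestor directory present in `tree`.  uid 0 bypasses the check, which is
    why a test run as root proves nothing about what MailScanner sees."""
    if who.uid == 0:
        return True
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        parent = "/" + "/".join(parts[:i])
        if parent in tree and not bits_for(tree[parent], who) & X:
            return False
    return (bits_for(tree[path], who) & want) == want


def chown_recursive(tree: Dict[str, Entry], root: str,
                    uid: Optional[int] = None, gid: Optional[int] = None) -> Dict[str, Entry]:
    """Simulate `chown -R [uid]:[gid] root` and return the resulting tree."""
    out = {}
    for p, e in tree.items():
        if p == root or p.startswith(root + "/"):
            e = Entry(p, e.uid if uid is None else uid, e.gid if gid is None else gid, e.mode)
        out[p] = e
    return out


# Constructed from the listing in the post (uid/gid 89 = postfix, 0 = root).
WORK_FILE = "/var/spool/MailScanner/incoming/12345/msg.eml"   # constructed work file
SOCKET = "/var/run/clamd.scan/clamd.sock"
TREE = {e.path: e for e in [
    Entry("/var/spool/MailScanner", 0, 0, 0o755),
    Entry("/var/spool/MailScanner/incoming", 89, 89, 0o770),
    Entry("/var/spool/MailScanner/incoming/12345", 89, 89, 0o770),  # after chmod -R g+X
    Entry(WORK_FILE, 89, 89, 0o660),                              # Incoming Work Permissions = 0660
    Entry("/var/run/clamd.scan", 89, 89, 0o710),
    Entry(SOCKET, 89, 89, 0o666),
]}

POSTFIX = Principal(uid=89, gids=frozenset({89, 12, 994, 48, 993, 1000}))
# ASSUMED: clamd as a dedicated user whose only group is clamscan (gid 993).
CLAMSCAN = Principal(uid=990, gids=frozenset({993}))


def scanner_layout_ok(tree: Dict[str, Entry], mta: Principal, scanner: Principal) -> bool:
    """The two conditions the thread is about: the MailScanner process needs
    rw on its work files and the virus scanner needs at least r on them."""
    return can_access(tree, WORK_FILE, mta, R | W) and can_access(tree, WORK_FILE, scanner, R)


if __name__ == "__main__":
    print("post's layout, clamd as postfix     :", scanner_layout_ok(TREE, POSTFIX, POSTFIX))
    print("post's layout, clamd as clamscan    :", scanner_layout_ok(TREE, POSTFIX, CLAMSCAN))
    fixed = chown_recursive(TREE, "/var/spool/MailScanner/incoming", gid=993)
    print("after chown -R postfix:clamscan     :", scanner_layout_ok(fixed, POSTFIX, CLAMSCAN))
    print("clamscan can reach the clamd socket :", can_access(TREE, SOCKET, CLAMSCAN, R | W))
```

With everything running as postfix, as in the post, the model says the layout is fine, which matches Jason's own conclusion that ownership is probably not the cause. The same model shows the two traps the replies warn about: a scanner running as a different user is stopped at the 0770 `incoming` directory until the group is changed, and a 0666 socket is still unreachable to anyone outside group postfix because `/var/run/clamd.scan` is 0710. The live equivalent of this check is exactly the "su - postfix -s /bin/bash" advice above; anything tested as root bypasses the permission bits and tells you nothing.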