Denial Of Service attack

Jason Voorhees jvoorhees1 at gmail.com
Tue Aug 8 19:08:20 UTC 2017


At least, how can I completely disable HTML disarming at all? I've
tried these settings in the past without luck:

Allow IFrame Tags = yes
Allow Form Tags = yes
Allow Script Tags = yes
Allow Object Codebase Tags = yes



On Tue, Aug 8, 2017 at 1:30 PM, Jason Voorhees <jvoorhees1 at gmail.com> wrote:
> Hey guys, sorry if I try to reopen this old thread. It's just that I
> don't know what else to do. This problem started occurring a couple of
> months ago under the same settings I always do for every MailScanner
> installation.
>
> This is my scenario:
>
> OS: CentOS 7 x86_64
>
> SELinux: Disabled
>
> MailScanner: 5.0.3
>
> MailServer: Zimbra 8.7.11
>
> MailScanner settings:
> - Run As User: postfix
> - Run As Group: postfix
> - Incoming Work Group = postfix
> - Incoming Work Permissions = 0660
>
> ClamAV settings:
> - LocalSocketGroup postfix
> - User postfix
> - AllowSupplementaryGroups yes
>
> User and group settings:
>
> $ id postfix
> uid=89(postfix) gid=89(postfix) groups=89(postfix),12(mail),994(clamupdate),48(apache),993(clamscan),1000(mtagroup)
>
> Directory permissions:
>
> $ ls -ld /var/spool/MailScanner
> drwxr-xr-x 5 root root 75 Jul 27 11:53 /var/spool/MailScanner/
>
> $ ls -ld /var/run/clamd.scan/
> drwx--x--- 2 postfix postfix 80 Aug  8 13:09 /var/run/clamd.scan/
>
> $ ls -l /var/spool/MailScanner/
> total 0
> drwxrwxr-x  2 postfix postfix   6 Aug 14  2016 archive
> drwxrwx--- 17 postfix postfix 380 Aug  8 13:23 incoming
> lrwxrwxrwx  1 root    root     28 Jul 27 11:53 quarantine -> /opt/MailScanner/quarantine/
> drwxrwxr-x  4 postfix postfix  82 Jul 15 11:01 spamassassin
>
> $ ls -l /var/run/clamd.scan/
> total 4
> -rw-rw-r-- 1 postfix postfix 6 Aug  8 13:09 clamd.pid
> srw-rw-rw- 1 postfix postfix 0 Aug  8 13:09 clamd.sock
>
> I've made a recursive chown + chmod command like this:
>
> # chown -R postfix:postfix /var/spool/MailScanner/incoming
> # chmod -R g+rw /var/spool/MailScanner/incoming
> # chmod -R g+X /var/spool/MailScanner/incoming
>
> This is how my processes are running with their effective UIDs and GIDs:
>
> $ ps -eo user,group,comm | grep -iE "(mailscanner|clam|postfix|user)"
> USER     GROUP    COMMAND
> root     root     freshclam-sleep
> postfix  postfix  smtpd
> postfix  postfix  smtpd
> postfix  postfix  pickup
> postfix  postfix  smtpd
> postfix  postfix  smtpd
> postfix  postfix  postscreen
> postfix  postfix  showq
> postfix  postfix  smtpd
> postfix  postfix  clamd
> postfix  postfix  cleanup
> postfix  postfix  lmtp
> postfix  postfix  trivial-rewrite
> postfix  postfix  MailScanner: ma
> postfix  postfix  MailScanner: wa
> postfix  postfix  MailScanner: wa
> postfix  postfix  MailScanner: wa
> postfix  postfix  MailScanner: wa
> postfix  postfix  MailScanner: wa
> postfix  postfix  MailWatch SQL
> postfix  postfix  proxymap
> postfix  postfix  qmgr
> postfix  postfix  tlsmgr
> postfix  postfix  anvil
>
> As you can see, everything (MailScanner, postfix and ClamD) is running
> as postfix user and postfix group.
>
> What might be wrong?
>
> How can I modify/patch some MailScanner code to show some debug lines
> when this problem occurs? I even think this is not a SELinux,
> ownership nor permissions problem... :(
>
> I hope someone can help me.
>
> On Wed, Jan 25, 2017 at 10:41 AM, Glenn Steen <glenn.steen at gmail.com> wrote:
>> You might have a problem with MailWatch as well, but I'd be interested to
>> hear what your findings about the permission bits are.
>> Also, check that you only have queue files in the postfix hold... If for
>> example SpamAssassin puts files/directories in there, bad things will
>> happen:).
>>
>> Looking at the MailWatch thing, have you verified that
>> - Your database is up and running
>> - You can connect to it with the credentials used in MailWatch.pm
>> - You have no typos in MailWatch.pm file (specifically the my($db,,,)
>> settings)? Note that these need be in single quotes like so:
>> my($db_name) = 'mailscanner';
>> my($db_host) = 'localhost';
>> my($db_user) = 'mailwatch';
>> my($db_pass) = 'secretpassword';
>>
>> Cheers!
>> --
>> -- Glenn
>>
>> 2017-01-25 13:27 GMT+01:00 Marcelo Machado <mmgomess at gmail.com>:
>>>
>>> Hi everyone.
>>>
>>> I have not said that I use MailWatch and it seems that the problem is
>>> related to it.
>>>
>>> See this. https://github.com/mailwatch/1.2.0/issues/430
>>>
>>> 2017-01-24 8:51 GMT-02:00 Glenn Steen <glenn.steen at gmail.com>:
>>> > Marcelo,
>>> >
>>> > Could you please check the following:
>>> >
>>> > ps -ef |egrep "postfix|clamd"
>>> >
>>> > depending on the result, check the user running postfix and clamd with
>>> > something like:
>>> > id postfix
>>> > id clamav
>>> > change the users as needed/found in the ps listing.
>>> >
>>> > This will show what your MailScanner.conf settings need be for both clamd
>>> > and postfix to be able to access the incoming work directory. The theory is
>>> > quite simple, just set the user to the one needed by the postfix processes,
>>> > and the group to match the clamd one.
>>> > Now, stop Mailscanner the usual way, and use chown to change the actual
>>> > ownership on the actual files&directories. Something like
>>> > chown -R postfix.clamscan /var/spool/MailScanner/incoming
>>> > (adjust as needed, of course)
>>> > Start Mailscanner the usual way, and try sending a message through... Other
>>> > things to check:
>>> > The permissions on the SpamAssassin directory (either you use the
>>> > ~postfix/.spamassassin, or /var/spool/MailScanner/spamassassin ... or
>>> > both... it all depends...:))
>>> > Permissions on the quarantine directory
>>> > Permissions on the configuration files (remember that MailScanner has to run
>>> > as the postfix user, so all tests, like debugging and linting need be done
>>> > as that user! "su - postfix -s /bin/bash" is your friend... You might need
>>> > do a "sudo -i " first;-)).
>>> >
>>> > Cheers!
>>> > --
>>> > -- Glenn
>>> >
>>> >
>>> >
>>> > 2017-01-23 10:43 GMT+01:00 Glenn Steen <glenn.steen at gmail.com>:
>>> >>
>>> >> Actually, unless the OP has done something to the user/group setup, this
>>> >> is simply a case of malconfiguration...:-)
>>> >>
>>> >> Looking at my 16.04 install, postfix runs as user postfix with group
>>> >> postfix, and I wouldn't even hazard a guess at what clamd is running as...
>>> >> These things should be checked, and the MS config made to comply (use ps to
>>> >> learn more:), and fix any errors with chown (with MS/postfix shut down)...
>>> >> After that, things should start working;-)
>>> >>
>>> >> Cheers
>>> >> --
>>> >> -- Glenn
>>> >>
>>> >> On 22 Jan. 2017 7:40 PM, "Mark Sapiro" <mark at msapiro.net> wrote:
>>> >>
>>> >> On 01/22/2017 10:32 AM, Marcelo Machado wrote:
>>> >> >
>>> >> > I work with some Ubuntu servers with MailScanner installed and I
>>> >> > noticed right now that this error does not occur in version 14.04,
>>> >> > but
>>> >> > only in version 16.04.
>>> >>
>>> >>
>>> >> Which makes it likely that the issue is with apparmor.
>>> >>
>>> >> --
>>> >> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>>> >> San Francisco Bay Area, California    better use your sense - B. Dylan
>>> >>
>>> >>
>>> >> --
>>> >> MailScanner mailing list
>>> >> mailscanner at lists.mailscanner.info
>>> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > -- Glenn
>>> > email: glenn < dot > steen < at > gmail < dot > com
>>> > work: glenn < dot > steen < at > ap1 < dot > se
>>
>>
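
The ownership and mode checks discussed in this thread, as an added example that is not part of the original messages and is not MailScanner code: a POSIX shell function that walks a work directory and reports every entry that is not owned by the expected user and group, every file without group read/write, and every directory without group read/write/execute. The function name `audit_workdir` and the output format are assumptions made for this example.

```shell
#!/bin/sh
# audit_workdir DIR USER GROUP  (hypothetical helper, not shipped with MailScanner)
# USER and GROUP may be names or numeric ids; find accepts either.
# Prints one line per problem. Returns 0 if clean, 1 if problems, 2 if DIR is missing.
audit_workdir() {
    dir=$1; user=$2; group=$3; status=0

    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi

    # Entries whose owner or group differs from what the scanner and clamd expect
    # (the state "chown -R user:group DIR" is meant to establish).
    owner_hits=$(find "$dir" \( ! -user "$user" -o ! -group "$group" \) -print)

    # Files need group rw (060); directories need group rwx (070),
    # the state "chmod -R g+rw" plus "chmod -R g+X" is meant to establish.
    mode_hits=$(find "$dir" \( \( -type f ! -perm -060 \) -o \
                               \( -type d ! -perm -070 \) \) -print)

    if [ -n "$owner_hits" ]; then
        printf '%s\n' "$owner_hits" | sed 's/^/owner: /'
        status=1
    fi
    if [ -n "$mode_hits" ]; then
        printf '%s\n' "$mode_hits" | sed 's/^/mode:  /'
        status=1
    fi
    return $status
}

# Run only when called with arguments, e.g.:
#   sh audit.sh /var/spool/MailScanner/incoming postfix postfix
if [ "$#" -eq 3 ]; then
    audit_workdir "$@"
fi
```

Because batch subdirectories are created while mail is flowing, a clean result on a stopped system does not rule out new entries being created with a different group or umask later; rerunning it while the problem is occurring is more informative.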

