From dobril at stanga.net Mon Aug 6 10:56:52 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 13:56:52 +0300
Subject: MailScanner: Message attempted to kill MailScanner
Message-ID: <00c601d42d74$2effa870$8cfef950$@stanga.net>

Hello,

Please help me to debug the following issue:

All emails sent from my webmail to the same domain cannot be processed by MailScanner.

Aug 6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]
Aug 6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48: client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net
Aug 6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header Received: from mail.stanga.net (localhost [IPv6:::1])??by mail.stanga.net (Postfix) with ESMTPA id CE4AB62C48??for ; Mon, 6 Aug 2018 13:19:15 +0300 (EEST) from localhost[::1]; from= to= proto=ESMTP helo=
Aug 6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net>
Aug 6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field added (s=mail, d=stanga.net)
Aug 6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Aug 6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages, 3097 bytes
Aug 6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32
Aug 6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning: Starting
Aug 6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018 bytes per second
Aug 6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32
Aug 6 13:23:37 mail MailScanner[32582]: Making attempt 2 at processing message CE4AB62C48.A8F32
Aug 6 13:23:37 mail MailScanner[32582]: Saved archive copies of CE4AB62C48.A8F32
Aug 6 13:26:15 mail MailScanner[2138]: Making attempt 3 at processing message CE4AB62C48.A8F32
Aug 6 13:26:15 mail MailScanner[2138]: Saved archive copies of CE4AB62C48.A8F32
Aug 6 13:30:55 mail MailScanner[1659]: Making attempt 4 at processing message CE4AB62C48.A8F32
Aug 6 13:30:55 mail MailScanner[1659]: Saved archive copies of CE4AB62C48.A8F32
Aug 6 13:35:44 mail MailScanner[1736]: Making attempt 5 at processing message CE4AB62C48.A8F32
Aug 6 13:35:44 mail MailScanner[1736]: Saved archive copies of CE4AB62C48.A8F32
Aug 6 13:39:03 mail MailScanner[2946]: Making attempt 6 at processing message CE4AB62C48.A8F32
Aug 6 13:39:03 mail MailScanner[2946]: Saved archive copies of CE4AB62C48.A8F32
Aug 6 13:39:05 mail MailScanner[2589]: Warning: skipping message CE4AB62C48.A8F32 as it has been attempted too many times
Aug 6 13:39:05 mail MailScanner[2589]: Quarantined message CE4AB62C48.A8F32 as it caused MailScanner to crash several times
Aug 6 13:39:05 mail MailScanner[2589]: Saved entire message to /var/spool/MailScanner/quarantine/20180806/CE4AB62C48.A8F32
Aug 6 13:39:05 mail MailScanner[2589]: MailWatch: Logging message CE4AB62C48.A8F32 to SQL

Then I started it with the debug option.

Aug 6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]
Aug 6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48: client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net
Aug 6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header Received: from mail.stanga.net (localhost [IPv6:::1])??by mail.stanga.net (Postfix) with ESMTPA id CE4AB62C48??for ; Mon, 6 Aug 2018 13:19:15 +0300 (EEST) from localhost[::1]; from= to= proto=ESMTP helo=
Aug 6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net>
Aug 6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field added (s=mail, d=stanga.net)
Aug 6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Aug 6 13:19:18 mail MailScanner[31554]: New Batch: Found 4 messages waiting
Aug 6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages, 3097 bytes
Aug 6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32
Aug 6 13:19:18 mail MailScanner[31554]: Created attachment dirs for 1 messages
Aug 6 13:19:19 mail MailScanner[31554]: Completed checking by /usr/bin/file
Aug 6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning: Starting
Aug 6 13:19:19 mail MailScanner[31554]: Commencing scanning with clamd...
Aug 6 13:19:19 mail MailScanner[31726]: Debug Mode Is On
Aug 6 13:19:19 mail MailScanner[31726]: Use Threads : YES
Aug 6 13:19:19 mail MailScanner[31726]: Socket : /var/run/clamav/clamd.sock
Aug 6 13:19:19 mail MailScanner[31726]: IP : Using Sockets
Aug 6 13:19:19 mail MailScanner[31726]: Lock File : NOT USED
Aug 6 13:19:19 mail MailScanner[31726]: Time Out : 300
Aug 6 13:19:19 mail MailScanner[31726]: Scan Dir : /var/spool/MailScanner/incoming/31554
Aug 6 13:19:19 mail MailScanner[31726]: Clamd : Sending PING
Aug 6 13:19:19 mail MailScanner[31726]: Clamd : GOT 'PONG'
Aug 6 13:19:19 mail MailScanner[31726]: ClamD is running
Aug 6 13:19:19 mail MailScanner[31726]: SENT : MULTISCAN /var/spool/MailScanner/incoming/31554
Aug 6 13:19:19 mail MailScanner[31554]: Completed AV scan with clamd
Aug 6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018 bytes per second
Aug 6 13:19:19 mail root[31735]: MailScanner failed to start
Aug 6 13:19:19 mail root[31736]: Found a possible dead PID. Stopping all MailScanner rogue processes ...

How can I find out what causes this issue?

From iversons at rushville.k12.in.us Mon Aug 6 11:03:56 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 6 Aug 2018 07:03:56 -0400
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <00c601d42d74$2effa870$8cfef950$@stanga.net>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net>
Message-ID:

Very first thing I would check is whether you have enough memory to carry out virus scanning, and make sure that OOM is not occurring.

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
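
Added example, not part of the thread and not MailScanner code: a log triage script for the retry-and-quarantine pattern in the posted syslog, plus the OOM check suggested in the reply above. It assumes classic syslog lines, the year 2018 for timestamps, and message IDs of the form queue ID plus a five-character suffix as seen in the log; the function names are hypothetical and the kernel line is constructed.

```python
import re
from datetime import datetime

# Subset of the syslog lines posted in the thread (values as posted).
THREAD_LOG = """\
Aug 6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48: client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net
Aug 6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages, 3097 bytes
Aug 6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32
Aug 6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018 bytes per second
Aug 6 13:23:37 mail MailScanner[32582]: Making attempt 2 at processing message CE4AB62C48.A8F32
Aug 6 13:26:15 mail MailScanner[2138]: Making attempt 3 at processing message CE4AB62C48.A8F32
Aug 6 13:30:55 mail MailScanner[1659]: Making attempt 4 at processing message CE4AB62C48.A8F32
Aug 6 13:35:44 mail MailScanner[1736]: Making attempt 5 at processing message CE4AB62C48.A8F32
Aug 6 13:39:03 mail MailScanner[2946]: Making attempt 6 at processing message CE4AB62C48.A8F32
Aug 6 13:39:05 mail MailScanner[2589]: Warning: skipping message CE4AB62C48.A8F32 as it has been attempted too many times
Aug 6 13:39:05 mail MailScanner[2589]: Quarantined message CE4AB62C48.A8F32 as it caused MailScanner to crash several times
""".splitlines()

# Constructed kernel line (not from the thread) to exercise the OOM check.
CONSTRUCTED_KERNEL_LOG = [
    "Aug 6 13:39:04 mail kernel: Out of memory: Kill process 4242 (clamd) score 512 or sacrifice child",
]

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([^\[:\s]+)(?:\[(\d+)\])?: (.*)$")
CLIENT = re.compile(r"^([0-9A-F]+): client=([^,]+)(?:,.*\bsasl_username=(.+))?$")
MSG_ID = re.compile(r"\b([0-9A-F]{6,}\.[0-9A-F]{5})\b")  # assumed ID shape, as in the log
ATTEMPT = re.compile(r"Making attempt (\d+) at processing message")
CRASHED = re.compile(r"Quarantined message \S+ as it caused MailScanner to crash")
OOM = re.compile(r"Out of memory: Kill(?:ed)? process (\d+) \(([^)]+)\)")


def parse(line, year=2018):
    """Split one syslog line into (timestamp, program, pid, text), or None."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    ts, prog, pid, text = m.groups()
    # Syslog omits the year; 2018 is an assumption taken from the thread's dates.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), prog, pid, text


def crash_loops(lines, min_attempts=3, year=2018):
    """Report messages MailScanner retried repeatedly or quarantined as crashing."""
    senders, msgs = {}, {}
    for line in lines:
        rec = parse(line, year)
        if rec is None:
            continue
        when, prog, pid, text = rec
        if prog.startswith("postfix/"):
            m = CLIENT.match(text)
            if m:  # remember who submitted each Postfix queue ID
                senders[m.group(1)] = (m.group(2), m.group(3))
        elif prog == "MailScanner":
            m = MSG_ID.search(text)
            if not m:
                continue
            st = msgs.setdefault(m.group(1), {"attempts": 1, "pids": [],
                                              "first": when, "last": when,
                                              "quarantined": False})
            # min/max rather than line order: the posted log is not strictly sorted.
            st["first"], st["last"] = min(st["first"], when), max(st["last"], when)
            if pid not in st["pids"]:
                st["pids"].append(pid)  # a new PID per attempt: the worker was replaced
            a = ATTEMPT.search(text)
            if a:
                st["attempts"] = max(st["attempts"], int(a.group(1)))
            if CRASHED.search(text):
                st["quarantined"] = True
    findings = []
    for msg_id, st in msgs.items():
        if st["attempts"] >= min_attempts or st["quarantined"]:
            client, user = senders.get(msg_id.split(".")[0], (None, None))
            findings.append({"msg_id": msg_id, "attempts": st["attempts"],
                             "pids": st["pids"], "quarantined": st["quarantined"],
                             "seconds": int((st["last"] - st["first"]).total_seconds()),
                             "client": client, "sasl_username": user})
    return findings


def oom_kills(lines, year=2018):
    """Return (pid, process name) for each kernel OOM-killer line."""
    hits = []
    for line in lines:
        rec = parse(line, year)
        if rec and rec[1] == "kernel":
            m = OOM.search(rec[3])
            if m:
                hits.append((int(m.group(1)), m.group(2)))
    return hits


if __name__ == "__main__":
    for finding in crash_loops(THREAD_LOG):
        print(finding)
    print("OOM kills in thread log:", oom_kills(THREAD_LOG))
    print("OOM kills in constructed kernel log:", oom_kills(CONSTRUCTED_KERNEL_LOG))
```
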
From dobril at stanga.net Mon Aug 6 11:08:12 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 14:08:12 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To:
References: <00c601d42d74$2effa870$8cfef950$@stanga.net>
Message-ID: <00e001d42d75$c41fd0f0$4c5f72d0$@stanga.net>

The same thing after I disable virus scan, memory is enough. Something else causes the issue, and it happens only with email sent by webmail.

From dobril at stanga.net Mon Aug 6 11:55:36 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 14:55:36 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <00e001d42d75$c41fd0f0$4c5f72d0$@stanga.net>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net> <00e001d42d75$c41fd0f0$4c5f72d0$@stanga.net>
Message-ID: <00ee01d42d7c$636b7b90$2a4272b0$@stanga.net>

Some other ideas? Unfortunately, this is a live system and it's very critical.

Dobril Dobrilov
IT Manager
dobril at stanga.net
43, Cherni Vrah Blvd.
| 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69
Fax: +359 2 81 960 70
Mobile: +359 878 749 387
We shape Digital www.stanga.net
We re-invent Video www.bsbvision.com
We build Apps www.shanga.co
We support Start-Ups www.mysbar.net

From Antony.Stone at mailscanner.open.source.it Mon Aug 6 12:00:35 2018
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Mon, 6 Aug 2018 14:00:35 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <00ee01d42d7c$636b7b90$2a4272b0$@stanga.net>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net> <00e001d42d75$c41fd0f0$4c5f72d0$@stanga.net> <00ee01d42d7c$636b7b90$2a4272b0$@stanga.net>
Message-ID: <201808061400.35462.Antony.Stone@mailscanner.open.source.it>

On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:

> Some other ideas, because unfortunately this Live system and It's very
> critical ?

When did the problem start happening?

What changed on the MS server around that time?

Can you show us full headers of an example email from webmail (which MS can't process) and another one to and from the same addresses, but not from webmail (which MS processes okay)?

Antony
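The retry-and-quarantine sequence in the log posted at the top of this thread can be pulled out of a mail.log mechanically, together with the submission path of each affected message. The script below is an added example, not part of any message in this thread and not MailScanner's own code; the sample lines are constructed (the CE4AB62C48 lines follow the posted log with the address replaced by a placeholder, the second message is invented), and the names `triage` and `crash_loops` are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the CE4AB62C48 lines follow the log posted at the top of
# this thread (address replaced by a placeholder); 7D1F062C51 is invented.
SAMPLE_LOG = """\
Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48: client=localhost[::1], sasl_method=LOGIN, sasl_username=user@example.net
Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages, 3097 bytes
Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32
Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning: Starting
Aug  6 13:20:02 mail postfix/smtpd[31790]: 7D1F062C51: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=user@example.net
Aug  6 13:20:05 mail MailScanner[31801]: Saved archive copies of 7D1F062C51.A01B2
Aug  6 13:23:37 mail MailScanner[32582]: Making attempt 2 at processing message CE4AB62C48.A8F32
Aug  6 13:26:15 mail MailScanner[2138]: Making attempt 3 at processing message CE4AB62C48.A8F32
Aug  6 13:30:55 mail MailScanner[1659]: Making attempt 4 at processing message CE4AB62C48.A8F32
Aug  6 13:35:44 mail MailScanner[1736]: Making attempt 5 at processing message CE4AB62C48.A8F32
Aug  6 13:39:03 mail MailScanner[2946]: Making attempt 6 at processing message CE4AB62C48.A8F32
Aug  6 13:39:05 mail MailScanner[2589]: Warning: skipping message CE4AB62C48.A8F32 as it has been attempted too many times
Aug  6 13:39:05 mail MailScanner[2589]: Quarantined message CE4AB62C48.A8F32 as it caused MailScanner to crash several times
Aug  6 13:39:05 mail MailScanner[2589]: Saved entire message to /var/spool/MailScanner/quarantine/20180806/CE4AB62C48.A8F32
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+"
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
POSTFIX_QID = re.compile(r"^(?P<qid>[0-9A-F]{6,}):\s")
# MailScanner names a Postfix message <queue id>.<5 hex chars>, as in the posted log.
MS_MSGID = re.compile(r"\b(?P<qid>[0-9A-F]{6,})\.[0-9A-F]{5}\b")
ATTEMPT = re.compile(r"Making attempt (\d+) at processing message")
SAVED = re.compile(r"Saved entire message to (\S+)")


@dataclass
class MessageTrace:
    queue_id: str
    client: str = ""
    sasl_user: str = ""
    attempts: int = 0
    scanner_pids: set = field(default_factory=set)
    crashed_scanner: bool = False
    saved_to: str = ""
    first_seen: str = ""
    last_seen: str = ""


def triage(lines):
    """Group postfix and MailScanner log lines by Postfix queue ID."""
    traces = {}
    for raw in lines:
        m = SYSLOG.match(raw.strip())
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        if prog.startswith("postfix/"):
            hit = POSTFIX_QID.match(msg)
        elif prog == "MailScanner":
            hit = MS_MSGID.search(msg)
        else:
            continue
        if not hit:
            continue  # e.g. "New Batch" lines carry no message ID
        trace = traces.setdefault(hit["qid"], MessageTrace(hit["qid"]))
        ts = " ".join(m["ts"].split())
        trace.first_seen = trace.first_seen or ts
        trace.last_seen = ts
        if prog.startswith("postfix/"):
            client = re.search(r"client=([^,\s]+)", msg)
            user = re.search(r"sasl_username=([^,\s]+)", msg)
            trace.client = client[1] if client else trace.client
            trace.sasl_user = user[1] if user else trace.sasl_user
            continue
        # Each retry in the posted log comes from a different child PID.
        trace.scanner_pids.add(int(m["pid"]))
        attempt = ATTEMPT.search(msg)
        # The first pass has no "attempt" line, so any sighting counts as 1.
        trace.attempts = max(trace.attempts, int(attempt[1]) if attempt else 1)
        if "caused MailScanner to crash" in msg:
            trace.crashed_scanner = True
        saved = SAVED.search(msg)
        if saved:
            trace.saved_to = saved[1]
    return traces


def crash_loops(traces, min_attempts=3):
    """Queue IDs quarantined for crashing the scanner, or retried repeatedly."""
    return sorted(q for q, t in traces.items()
                  if t.crashed_scanner or t.attempts >= min_attempts)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for qid in crash_loops(report):
        t = report[qid]
        print(f"{qid}: {t.attempts} attempts by {len(t.scanner_pids)} scanner PIDs, "
              f"{t.first_seen} -> {t.last_seen}")
        print(f"  submitted via {t.client} as {t.sasl_user}; saved to {t.saved_to}")
```

Run against a real mail.log by passing the open file to `triage`; the flagged queue IDs identify which quarantined copies and which submission paths to compare.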
From dobril at stanga.net Mon Aug 6 12:13:03 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 15:13:03 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <201808061400.35462.Antony.Stone@mailscanner.open.source.it>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net>
    <00e001d42d75$c41fd0f0$4c5f72d0$@stanga.net>
    <00ee01d42d7c$636b7b90$2a4272b0$@stanga.net>
    <201808061400.35462.Antony.Stone@mailscanner.open.source.it>
Message-ID: <00ff01d42d7e$d3476df0$79d649d0$@stanga.net>

Until now the mail server was with an old Postfix and MailScanner 4.79. I migrated to a new server with MailScanner 5.0.7. The MS config is the same as before.

From webmail I can send messages out of my domain without problems.

Msg from webmail

Received: from mail.stanga.net (localhost [IPv6:::1])
    by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
    for ; Mon, 6 Aug 2018 14:33:37 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; s=mail;
    t=1533555217; bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
    h=Date:From:To:Subject;
    b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwYF
    YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
    EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
Date: Mon, 06 Aug 2018 14:33:37 +0300
From: Dobril Dobrilov
To: dobril at stanga.net
Subject: Test2
Organization: StangaOne1
Message-ID:
X-Sender: dobril at stanga.net
User-Agent: Roundcube Webmail/1.3.7

Msg from Mail Client

Received: from DL (unknown [192.168.0.222])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
    for ; Mon, 6 Aug 2018 15:11:28 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; s=mail;
    t=1533557488; bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
    h=From:To:Subject:Date;
    b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJpN
    FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
    rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
From: "DobriL Dobrilov"
To: "'DobriL Dobrilov'"
Subject: Test
Date: Mon, 6 Aug 2018 15:11:34 +0300
Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
Content-Language: bg
X-MS-TNEF-Correlator: 000000005234E38E73D4914094E5D7D34B79F6A564F78F00

Dobril Dobrilov
IT Manager
dobril at stanga.net

43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387

We shape Digital www.stanga.net
We re-invent Video www.bsbvision.com
We build Apps www.shanga.co
We support Start-Ups www.mysbar.net

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On Behalf Of Antony Stone
Sent: Monday, August 6, 2018 3:01 PM
To: MailScanner Discussion
Subject: Re: MailScanner: Message attempted to kill MailScanner

On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:

> Some other ideas, because unfortunately this Live system and It's very
> critical ?

When did the problem start happening?

What changed on the MS server around that time?

Can you show us full headers of an example email from webmail (which MS can't process) and another one to and from the same addresses, but not from webmail (which MS processes okay)?

Antony

> From: MailScanner
> Sent: Monday, August 6, 2018 2:08 PM
> To: 'MailScanner Discussion'
> Subject: RE: MailScanner: Message attempted to kill MailScanner
>
> The same thing after I disable Virus scan, memory is enough.
> Something else causes the issue, and it happens only with email sent by
> webmail
>
> From: MailScanner
> Sent: Monday, August 6, 2018 2:04 PM
> To: MailScanner Discussion
> Subject: Re: MailScanner: Message attempted to kill MailScanner
>
> Very first thing I would check is whether you have enough memory to
> carry out virus scanning, and make sure that OOM is not occurring.

From Antony.Stone at mailscanner.open.source.it Mon Aug 6 12:22:58 2018
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Mon, 6 Aug 2018 14:22:58 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <00ff01d42d7e$d3476df0$79d649d0$@stanga.net>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net>
    <201808061400.35462.Antony.Stone@mailscanner.open.source.it>
    <00ff01d42d7e$d3476df0$79d649d0$@stanga.net>
Message-ID: <201808061422.58793.Antony.Stone@mailscanner.open.source.it>

On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:

> Until now the Mail Server was with old postfix and MailScanner 4.79. I
> migrated to new server with MailScanner 5.0.7. MS config is same as
> before.

Maybe someone with more knowledge than me of any configuration differences between those versions can comment on just keeping the same configuration file...

> From webmail I can send messages out of my domain without problems.

So, what *does* cause the problem?

Your original email said "All emails sent from my webmail to same domain cannot be processes by mailscanner."

Is one of the above emails an example which causes the problem and the other an example which does not cause the problem (if so, which one is which)?

Or are both the above emails examples which do not cause the problem (in which case please send us the headers from one which does cause the problem)?

Regards,

Antony.

From belle at bazuin.nl Mon Aug 6 12:45:06 2018
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Mon, 6 Aug 2018 14:45:06 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <201808061422.58793.Antony.Stone@mailscanner.open.source.it>
References: <00ff01d42d7e$d3476df0$79d649d0$@stanga.net>
Message-ID:

Are you using Yara rules or other unofficial ClamAV databases?
Remove these, restart ClamAV and try again.

You might have a bad ClamAV database file.

Greetz,

Louis

From dobril at stanga.net Mon Aug 6 12:53:03 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 15:53:03 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To:
References: <00ff01d42d7e$d3476df0$79d649d0$@stanga.net>
Message-ID: <000201d42d84$69dd22a0$3d9767e0$@stanga.net>

AV scan is off, something else causes the issue.

From belle at bazuin.nl Mon Aug 6 13:22:25 2018
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Mon, 6 Aug 2018 15:22:25 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <000201d42d84$69dd22a0$3d9767e0$@stanga.net>
References:
Message-ID:

Hai,

What is the OS you're running? That might help me a bit.
Did you follow a site for this upgrade? Show me which one if you did.

Your group members are correct?
# (I'm running Debian 9) and I have these configured:

mtagroup:x:1001:clamav,Debian-exim,postfix,mail,www-data
clamav:x:119:postfix,www-data
opendkim:x:122:postfix

And can you post a more complete mail.log; if needed, PM it to me or anonymize it here if needed.
Preferred from the time frame when you try to send the message.

I still say it's your antivirus, if you did not remove the old messages from your queue.
And now it's not working because postfix/mailscanner tries to deliver to clamd and that's turned off.

If the AV is off then why is your log showing the AV scanner?

Your disk is not full?

I upgraded my Debian 7 + MailScanner 4.7x to Debian 9 + MailScanner.
I also reused my settings. I'll try to find out if I can see what I changed (if so); that was months ago.

Greetz,

Louis
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner

From dobril at stanga.net Mon Aug 6 14:14:39 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 17:14:39 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To:
References:
Message-ID: <000501d42d8f$d0358a50$70a09ef0$@stanga.net>

Definitely this is something related only to my webmail and only when I
send emails to the same domain. I can send the same message without any
issue if I'm using Outlook or another mail client.
I can send messages from Webmail to all external domains without problem.
All this means that the problem cannot be disk space, RAM or bad
permissions. echo Test | mail dobril at stanga.net, from the same server,
delivers messages without problem.

-----Original Message-----
From: MailScanner
[mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info]
On Behalf Of L.P.H. van Belle via MailScanner
Sent: Monday, August 6, 2018 4:22 PM
To: MailScanner Discussion
Cc: L.P.H. van Belle
Subject: RE: MailScanner: Message attempted to kill MailScanner

Hai,

What is the OS you're running?
That might help me a bit.

Did you follow a site for this upgrade, show me which one if you did.

Your group members are correct?
# *( I'm running Debian 9 ) and I have these configured.
mtagroup:x:1001:clamav,Debian-exim,postfix,mail,www-data
clamav:x:119:postfix,www-data
opendkim:x:122:postfix

And can you post a more complete mail.log, if needed, pm it to me or
anonymize it here if needed.
Preferred from the time frame when you try to send the message.

I still say it's your antivirus, if you did not remove the old messages
from your queue.
And now it's not working because postfix/mailscanner try to deliver to
clamd and that's turned off.

If the AV is off then why is your log showing the AV scanner?
Your disk is not full?

I upgraded my Debian 7 + MailScanner 4.7x to Debian 9 + MailScanner.
I also reused my settings.
I'll try to find if I can see what I changed ( if so ), that was months
ago..

Greetz,

Louis

> -----Original message-----
> From: DobriL Dobrilov [mailto:dobril at stanga.net]
> Sent: Monday 6 August 2018 14:53
> To: 'MailScanner Discussion'
> CC: 'L.P.H. van Belle'
> Subject: RE: MailScanner: Message attempted to kill MailScanner
>
> AV scan is off, something else causes the issue.
>
> Dobril Dobrilov
> IT Manager
> dobril at stanga.net
>
> 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> Mobile: +359 878 749 387
>
> We shape Digital www.stanga.net
> We re-invent Video www.bsbvision.com
> We build Apps www.shanga.co
> We support Start-Ups www.mysbar.net
>
> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info]
> On Behalf Of L.P.H. van Belle via MailScanner
> Sent: Monday, August 6, 2018 3:45 PM
> To: MailScanner Discussion
> Cc: L.P.H. van Belle
> Subject: RE: MailScanner: Message attempted to kill MailScanner
>
> Are you using Yara rules or other clamav unofficial databases?
> Remove these, restart clamav and try again.
>
> You might have a bad clamav database file.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: MailScanner
> > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info]
> > On behalf of Antony Stone
> > Sent: Monday 6 August 2018 14:23
> > To: MailScanner Discussion
> > Subject: Re: MailScanner: Message attempted to kill MailScanner
> >
> > On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> >
> > > Until now the Mail Server was with old postfix and MailScanner 4.79. I
> > > migrated to new server with MailScanner 5.0.7. MS config is same as
> > > before.
> >
> > Maybe someone with more knowledge than of any configuration
> > differences between those version can comment on just keeping the same
> > configuration file...
> >
> > > From webmail I can send messages out of my domain without problems.
> >
> > So, what *does* cause the problem?
> >
> > Your original email said "All emails sent from my webmail to same
> > domain cannot be processes by mailscanner."

From Antony.Stone at mailscanner.open.source.it Mon Aug 6 14:17:54 2018
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Mon, 6 Aug 2018 16:17:54 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <000501d42d8f$d0358a50$70a09ef0$@stanga.net>
References: <000501d42d8f$d0358a50$70a09ef0$@stanga.net>
Message-ID: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>

On Monday 06 August 2018 at 16:14:39, DobriL Dobrilov wrote:

> Definitely this is something related only to my webmail and only when I
> send emails to the same domain. I can send the same message without any
> issue if I'm using Outlook or another mail client.
> I can send messages from Webmail to all external domains without problem.
> All this means that the problem cannot be disk space, RAM or bad
> permissions. echo Test | mail dobril at stanga.net, from the same server,
> delivers messages without problem.

Can you show us full headers of an example email from webmail (which MS
can't process) and another one to and from the same addresses, but not from
webmail (which MS processes okay)?

Antony.

From dobril at stanga.net Mon Aug 6 14:43:40 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 17:43:40 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
References: <000501d42d8f$d0358a50$70a09ef0$@stanga.net> <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
Message-ID: <001d01d42d93$ddc896e0$9959c4a0$@stanga.net>

Webmail
------------
Received: from mail.stanga.net (localhost [IPv6:::1])
    by mail.stanga.net (Postfix) with ESMTPA id 5772D62C57
    for ; Mon, 6 Aug 2018 14:52:00 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; s=mail;
    t=1533556320; bh=4I/hR/SP5y+TSO6ckrsWbUfz/ulzfgg21OOLy4t7Qcw=;
    h=Date:From:To:Subject:Reply-To;
    b=LHHTCrdhwEuGskWyqw0sWd1Km3VgyVhuTGiQ+b00rQmMg5EoEvx0ro12ob/zWes9m
    jtgr30krr1OkHUcBPXOoYUyCDOzLU3VwKUjYO8mX2L1C3ZCZsvgFkbjtP7QbrIHzM6
    EsRQn070GPV/w75A43jCSxetrKKtM6se6osKZvaM=
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Date: Mon, 06 Aug 2018 14:52:00 +0300
From: Dobril Dobrilov
To: dobril at stanga.net
Subject: AAA
Organization: StangaOne1
Reply-To: dobril at stanga.net
Mail-Reply-To: dobril at stanga.net
Message-ID: <8e5ddc58218e715f2ec6286fe0b60f03 at stanga.net>
X-Sender: dobril at stanga.net
User-Agent: Roundcube Webmail/1.3.7

Outlook
------------
Return-Path:
X-Original-To: dobril at stanga.net
Delivered-To: dobril at stanga.net
Received: from DL (unknown [192.168.0.222])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.stanga.net (Postfix) with ESMTPSA id D6F6D62C8E
    for ; Mon, 6 Aug 2018 17:42:45 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; s=mail;
    t=1533566565; bh=1ooy+DYxraTnYWXxssyteq3EYaC5wdAbrolTC0mL5bA=;
    h=From:To:Subject:Date;
    b=XZzNLHycLcbdsjqXFtWJT96Q0lPhhtOS/+ZGIZpVWNfu68gw1nFHitcIUfV5zGCk2
    L419FGzTaLO9GiE1pAGnzruH5dh1BCHU+9AxLu3rB3oijr2BOEXeltH1TREFq4E0f+
    erOPUx3jdywpL6vJFLR2YixmUfIrdLScxOTcUKk0=
From: "DobriL Dobrilov"
To: "'DobriL Dobrilov'"
Subject: Test
Date: Mon, 6 Aug 2018 17:42:52 +0300
Message-ID: <001701d42d93$c0ff3460$42fd9d20$@stanga.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0018_01D42DAC.E64C6C60"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdQtk77S62N7R+6qQV66SqVGhFQY4A==
Content-Language: bg
X-MS-TNEF-Correlator: 000000005234E38E73D4914094E5D7D34B79F6A504FD8F00
X-Stanga-MailScanner-Information: Please contact the ISP for more information
X-Stanga-MailScanner-ID: D6F6D62C8E.AB5F9
X-Stanga-MailScanner: Not scanned: please contact your Internet E-Mail
    Service Provider for details
X-Stanga-MailScanner-SpamCheck: not spam (whitelisted),
    SpamAssassin (not cached, score=-99.887, required 5,
    ALL_TRUSTED -1.00, DKIM_SIGNED 0.10, DKIM_VALID -0.10,
    DKIM_VALID_AU -0.10, TVD_RCVD_SINGLE 1.21,
    USER_IN_WHITELIST -100.00)
X-Stanga-MailScanner-From: dobril at stanga.net
X-Spam-Status: No
X-EsetId: 37303A2960736C61677D6A

From belle at bazuin.nl Mon Aug 6 15:10:31 2018
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Mon, 6 Aug 2018 17:10:31 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <001d01d42d93$ddc896e0$9959c4a0$@stanga.net>
References: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
Message-ID:

Your webserver is not "localhost"...
Pointing to: from mail.stanga.net (localhost [IPv6:::1])

Choose...
By example.

cat /etc/hosts
127.0.0.1       localhost
194.124.193.23  mail.domain.tld
192.168.1.1     mail.internal.domain.tld mail

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Just beware when you change it, you might hit more, but if you fix that
you're all ok for the future.

Imo. Your resolving is giving the problems.
Greetz, Louis > -----Oorspronkelijk bericht----- > Van: MailScanner > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner. info] Namens DobriL Dobrilov > Verzonden: maandag 6 augustus 2018 16:44 > Aan: 'MailScanner Discussion' > Onderwerp: RE: MailScanner: Message attempted to kill MailScanner > > Webmail > ------------ > Received: from mail.stanga.net (localhost [IPv6:::1]) > by mail.stanga.net (Postfix) with ESMTPA id 5772D62C57 > for ; Mon, 6 Aug 2018 14:52:00 +0300 (EEST) > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; > d=stanga.net; s=mail; > t=1533556320; bh=4I/hR/SP5y+TSO6ckrsWbUfz/ulzfgg21OOLy4t7Qcw=; > h=Date:From:To:Subject:Reply-To; > > b=LHHTCrdhwEuGskWyqw0sWd1Km3VgyVhuTGiQ+b00rQmMg5EoEvx0ro12ob/zWes9m > > jtgr30krr1OkHUcBPXOoYUyCDOzLU3VwKUjYO8mX2L1C3ZCZsvgFkbjtP7QbrIHzM6 > EsRQn070GPV/w75A43jCSxetrKKtM6se6osKZvaM= > MIME-Version: 1.0 > Content-Type: text/plain; charset=US-ASCII; > format=flowed > Content-Transfer-Encoding: 7bit > Date: Mon, 06 Aug 2018 14:52:00 +0300 > From: Dobril Dobrilov > To: dobril at stanga.net > Subject: AAA > Organization: StangaOne1 > Reply-To: dobril at stanga.net > Mail-Reply-To: dobril at stanga.net > Message-ID: <8e5ddc58218e715f2ec6286fe0b60f03 at stanga.net> > X-Sender: dobril at stanga.net > User-Agent: Roundcube Webmail/1.3.7 > > > Outlook > ------------ > Return-Path: > X-Original-To: dobril at stanga.net > Delivered-To: dobril at stanga.net > Received: from DL (unknown [192.168.0.222]) > (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 > bits)) > (No client certificate requested) > by mail.stanga.net (Postfix) with ESMTPSA id D6F6D62C8E > for ; Mon, 6 Aug 2018 17:42:45 +0300 (EEST) > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; > d=stanga.net; s=mail; > t=1533566565; bh=1ooy+DYxraTnYWXxssyteq3EYaC5wdAbrolTC0mL5bA=; > h=From:To:Subject:Date; > > b=XZzNLHycLcbdsjqXFtWJT96Q0lPhhtOS/+ZGIZpVWNfu68gw1nFHitcIUfV5zGCk2 > > 
From dobril at stanga.net Mon Aug 6 15:16:57 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 18:16:57 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To:
References: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
Message-ID: <002401d42d98$842d57b0$8c880710$@stanga.net>

Thank you for the hint.
I found what exactly caused my issue with Webmail.
During the Webmail upgrade, $config['smtp_server'] = 'mail.stanga.net';
somehow disappeared from the config file...
I found it after installing a 2nd Webmail to test.....
Although it is very strange how the Webmail managed to send messages to
foreign hosts.

Sorry for disturbing all of you for this.

Dobril Dobrilov
IT Manager
dobril at stanga.net

43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387

We shape Digital www.stanga.net
We re-invent Video www.bsbvision.com
We build Apps www.shanga.co
We support Start-Ups www.mysbar.net
From iversons at rushville.k12.in.us Mon Aug 6 21:51:47 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 6 Aug 2018 17:51:47 -0400
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <002401d42d98$842d57b0$8c880710$@stanga.net>
References: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
 <002401d42d98$842d57b0$8c880710$@stanga.net>
Message-ID:

Was this the root cause of the issue? (sorry been a very busy day)

On Mon, Aug 6, 2018 at 11:16 AM, DobriL Dobrilov wrote:

> Thank you for the hint.
> I found what exactly caused my issue with Webmail.
> During the Webmail upgrade, $config['smtp_server'] = 'mail.stanga.net';
> somehow disappeared from the config file...
> I found it after installing a 2nd Webmail to test.....
> Although it is very strange how the Webmail managed to send messages to
> foreign hosts.
>
> Sorry for disturbing all of you for this.
> > > > > > > > > Greetz, > > > > > > Louis > > > > > > > -----Oorspronkelijk bericht----- > > > > Van: DobriL Dobrilov [mailto:dobril at stanga.net] > > > > Verzonden: maandag 6 augustus 2018 14:53 > > > > Aan: 'MailScanner Discussion' > > > > CC: 'L.P.H. van Belle' > > > > Onderwerp: RE: MailScanner: Message attempted to kill MailScanner > > > > > > > > AV scan is off , something else cause the issue. > > > > > > > > > > > > Dobril Dobrilov > > > > IT Manager > > > > dobril at stanga.net > > > > > > > > > > > > 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria > > > > Phone: +359 2 81 960 69 Fax: +359 2 81 960 70 > > > > Mobile: +359 878 749 387 > > > > > > > > > > > > We shape Digital www.stanga.net > > > > > > > > We re-invent Video www.bsbvision.com > > > > > > > > We build Apps www.shanga.co > > > > > > > > We support Start-Ups www.mysbar.net > > > > > > > > > > > > > > > > -----Original Message----- > > > > From: MailScanner > > > > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne > > > > r.info] On > > > > Behalf Of L.P.H. van Belle via MailScanner > > > > Sent: Monday, August 6, 2018 3:45 PM > > > > To: MailScanner Discussion > > > > Cc: L.P.H. van Belle > > > > Subject: RE: MailScanner: Message attempted to kill MailScanner > > > > > > > > Are you using Yara rules or other clamav unoffical databases. > > > > Remove these, restart clamav and try again. > > > > > > > > You might have a bad clamav database file. > > > > > > > > Greetz, > > > > > > > > Louis > > > > > > > > > -----Oorspronkelijk bericht----- > > > > > Van: MailScanner > > > > > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner. 
> > > > > info] Namens Antony Stone > > > > > Verzonden: maandag 6 augustus 2018 14:23 > > > > > Aan: MailScanner Discussion > > > > > Onderwerp: Re: MailScanner: Message attempted to kill > > MailScanner > > > > > > > > > > On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote: > > > > > > Until now the Mail Server was with old postfix and > > > > > > > > > > MailScanner 4.79. I > > > > > > > > > > > migrated to new server with MailScanner 5.0.7. MS config > > > > > > > > is same as > > > > > > > > > > before. > > > > > > > > > > Maybe someone with more knowledge than of any configuration > > > > > differences ebtween those version can comment on just > > > > > > > > keeping the same > > > > > > > > > configuration file... > > > > > > > > > > > From webmail I can send messages out of my domain without > > > > > > > > problems. > > > > > > > > > So, what *does* cause the problem? > > > > > > > > > > Your original email said "All emails sent from my > > webmail to same > > > > > domain cannot be processes by mailscanner." 
> > > > > > > > > > > Msg from webmail > > > > > > Received: from mail.stanga.net (localhost [IPv6:::1]) > > > > > > > > > > > > by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F > > > > > > for ; Mon, 6 Aug 2018 14:33:37 > > > > > > > > +0300 (EEST) > > > > > > > > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; > > > > > > > > > > d=stanga.net; s=mail; > > > > > > > > > > > t=1533555217; > > > > > > > > bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=; > > > > > > > > > > h=Date:From:To:Subject; > > > > > > > > > > > > b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwY > > > > > F > > > > > > > > > > > > YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz > > > > > > > > > > > EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE= > > > > > > > > > > > > MIME-Version: 1.0 > > > > > > Content-Type: multipart/alternative; > > > > > > boundary="=_75de8e069c6b4423276ecc8efe3eaa14" > > > > > > Date: Mon, 06 Aug 2018 14:33:37 +0300 > > > > > > From: Dobril Dobrilov > > > > > > To: dobril at stanga.net > > > > > > Subject: Test2 > > > > > > Organization: StangaOne1 > > > > > > Message-ID: > > > > > > X-Sender: dobril at stanga.net > > > > > > User-Agent: Roundcube Webmail/1.3.7 > > > > > > > > > > > > Msg from Mail Client > > > > > > Received: from DL (unknown [192.168.0.222]) > > > > > > > > > > > > (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 > > > > > > > > > > (256/256 bits)) > > > > > > > > > > > (No client certificate requested) > > > > > > by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84 > > > > > > for ; Mon, 6 Aug 2018 15:11:28 > > > > > > > > +0300 (EEST) > > > > > > > > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; > > > > > > > > > > d=stanga.net; s=mail; > > > > > > > > > > > t=1533557488; > > > > > > > > bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=; > > > > > > > > > > h=From:To:Subject:Date; > > > > > > > > > > > > b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJp > > > > > N > 
> > > > > > > > > > > FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a > > > > > > > > > > > rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k= > > > > > > > > > > > > From: "DobriL Dobrilov" > > > > > > To: "'DobriL Dobrilov'" > > > > > > Subject: Test > > > > > > Date: Mon, 6 Aug 2018 15:11:34 +0300 > > > > > > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net> > > > > > > MIME-Version: 1.0 > > > > > > Content-Type: multipart/mixed; > > > > > > > > > > > > boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0" > > > > > > > > > > > > X-Mailer: Microsoft Outlook 16.0 > > > > > > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ== > > > > > > Content-Language: bg > > > > > > > > > > > X-MS-TNEF-Correlator: > > > > > 000000005234E38E73D4914094E5D7D34B79F6A564F78F00 > > > > > > > > > > Is one of the above emails an example which causes the > > > > > > > > problem and the > > > > > > > > > other an example which does not cause the problem (if so, > > > > > > > > which one is > > > > > > > > > which)? > > > > > > > > > > Or are both the above emails examples which do not cause > > > > > > > > the problem > > > > > > > > > (in which case please send us the headers from one which does > > > > > cause the problem)? > > > > > > > > > > > > > > > Regards, > > > > > > > > > > > > > > > Antony. > > > > > > > > > > > -----Original Message----- > > > > > > From: MailScanner > > > > > > > > > > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne > > > > > r.info] On > > > > > > > > > > > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM > > > > > > To: MailScanner Discussion > > > > > > > > Subject: Re: MailScanner: Message attempted to kill > > MailScanner > > > > > > > > > > > > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote: > > > > > > > Some other ideas, because unfortunately this Live system > > > > > > > > > > and It's very > > > > > > > > > > > > critical ? > > > > > > > > > > > > When did the problem start happening? 
> > > > > > > > > > > > What changed on the MS server around that time? > > > > > > > > > > > > Can you show us full headers of an example email from > > > > > > > > > > webmail (which MS > > > > > > > > > > > can't process) and another one to and from the same > > > > > > > > > > addresses, but not > > > > > > > > > > > from webmail (which MS processes okay)? > > > > > > > > > > > > Antony > > > > > > > > > > -- > > > > > Neurotics build castles in the sky; Psychotics live in them; > > > > > Psychiatrists collect the rent. > > > > > > > > > > > > Please reply to > > > > > > > > > > the list; > > > > > > > > > > please *don't* CC me. > > > > > > > > > > > > > > > -- > > > > > MailScanner mailing list > > > > > mailscanner at lists.mailscanner.info > > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > > > -- > > > > MailScanner mailing list > > > > mailscanner at lists.mailscanner.info > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > -- > > > MailScanner mailing list > > > mailscanner at lists.mailscanner.info > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > > > -- > > MailScanner mailing list > > mailscanner at lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > -- Shawn Iverson, CETL Director of Technology Rush County Schools 765-932-3901 x1171 iversons at rushville.k12.in.us -------------- next part -------------- An HTML attachment was scrubbed... 
From dobril at stanga.net Tue Aug 7 05:27:59 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Tue, 7 Aug 2018 08:27:59 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To:
References: <201808061617.54939.Antony.Stone@mailscanner.open.source.it> <002401d42d98$842d57b0$8c880710$@stanga.net>
Message-ID: <002101d42e0f$6733c460$359b4d20$@stanga.net>

Yes, because everything else was fine? The tricky moment was that mails from Webmail to Internet was sent without any issue.
Without explicit definition in the Webmail for SMTP , it try to use localhost and this looks like cause issue only for mails sent in same domain.

From: MailScanner [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: Tuesday, August 7, 2018 12:52 AM
To: MailScanner Discussion
Subject: Re: MailScanner: Message attempted to kill MailScanner

Was this the root cause of the issue? (sorry been a very busy day)

From info at schroeffu.ch Tue Aug 7 10:03:32 2018
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Tue, 07 Aug 2018 10:03:32 +0000
Subject: Mailscanner milter to reject high score spam at MTA level
Message-ID: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>

Hi Mailscanner friends,

is there any progress to make MailScanner usable as a postfix milter? The most biggest problem I have is, SPAM is not possible to reject when reaching a high score at MTA level. For my understanding, connect via milter instead of queue ^HOLD would be the solution.

For the next decade we are still using MailScanner instead of others like Rspamd, because MailScanner is like a mail suite for mail security, but if there will never be the possibility to reject at MTA level the high score spam, we will also change in 1-3 years while replacing the OS beyond.

From djones at ena.com Tue Aug 7 14:51:54 2018
From: djones at ena.com (David Jones)
Date: Tue, 7 Aug 2018 09:51:54 -0500
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
Message-ID:

On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
>
> Hi Mailscanner friends,
>
> is there any progress to make MailScanner usable as a postfix milter?
> The most biggest problem I have is, SPAM is not possible to reject when
> reaching a high score at MTA level. For my understanding, connect via
> milter instead of queue ^HOLD would be the solution.
>
> For the next decade we are still using MailScanner instead of others
> like Rspamd, because MailScanner is like a mail suite for mail security,
> but if there will never be the possibility to reject at MTA level the
> high score spam, we will also change in 1-3 years while replacing the OS
> beyond.
>

One of MailScanner's strongest features is its batch mode processing that will allow it to handle a very high volume of mail flow. I doubt that MailScanner will ever be changed to run as a milter for this reason.

I tried rspamd and found it wasn't as good as the author claims so no reason to try to use that as a milter. It also wasn't as fast as it claims. I could not send high volumes of mail through it like I could with MailScanner.

If you want to block high scoring spam at the MTA level, I suggest using amavis or spamd with the same SA rulesets as MailScanner.
This will get you most of the power of MailScanner's blocking at the MTA.

https://wiki.apache.org/spamassassin/IntegratedInMta

If you use postscreen and postwhite at the Postfix MTA level, you can block most of the obvious spam with a tuned list of RBLs. See the SA users mailing list over the past year for details on this from me and a few others.

I suggest setting up a quick test VM with iRedmail to get a good example of how to do TLS and amavis integration well with Postfix.

--
David Jones

From dobril at stanga.net Wed Aug 8 15:39:44 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Wed, 8 Aug 2018 18:39:44 +0300
Subject: Message kill MailWatch SQL Loggin
Message-ID: <003901d42f2e$07fb5560$17f20020$@stanga.net>

I just saw there are no any processed emails for last 2 hours in MailWatch panel. In same there received messages emails and on each received I can see usual MailScanner[9303]: MailWatch: Logging message 804C46217E.A23FB to SQL:

Then I find this in the logs, after no more messages in Database.

Aug 8 16:32:08 mail MailScanner[5960]: Could not use Custom Function code MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed. Make sure the module is correct with perl -wc (Error: DBD::mysql::st execute failed: Incorrect string value: '\xF0\x9F\x92\xB2\xF0\x9F...' for column 'subject' at row 1 at /usr/share/MailScanner/perl/custom/MailWatch.pm line 221, line 7931.

MailScanner restart and it's working again, but somehow the some message kill it.

Dobril Dobrilov
IT Manager
dobril at stanga.net
43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387
We shape Digital www.stanga.net
We re-invent Video www.bsbvision.com
We build Apps www.shanga.co
We support Start-Ups www.mysbar.net

From iversons at rushville.k12.in.us Wed Aug 8 18:05:22 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 8 Aug 2018 14:05:22 -0400
Subject: Message kill MailWatch SQL Loggin
In-Reply-To: <003901d42f2e$07fb5560$17f20020$@stanga.net>
References: <003901d42f2e$07fb5560$17f20020$@stanga.net>
Message-ID:

This is a MailWatch issue, and probably is a result of the MailWatch DB/tables not set to use utf8mb4.

On Wed, Aug 8, 2018 at 11:39 AM, DobriL Dobrilov wrote:

> I just saw there are no any processed emails for last 2 hours in MailWatch panel. In same there received messages emails and on each received I can see usual MailScanner[9303]: MailWatch: Logging message 804C46217E.A23FB to SQL?
>
> Then I find this in the logs, after no more messages in Database.
>
> Aug 8 16:32:08 mail MailScanner[5960]: Could not use Custom Function code MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed. Make sure the module is correct with perl -wc (Error: DBD::mysql::st execute failed: Incorrect string value: '\xF0\x9F\x92\xB2\xF0\x9F...' for column 'subject' at row 1 at /usr/share/MailScanner/perl/custom/MailWatch.pm line 221, line 7931.
>
> MailScanner restart and it's working again , but somehow the some message kill it.
>
> *Dobril Dobrilov*
> IT Manager
> *dobril at stanga.net *
> [image: StangaOne1 unit fo STANGA AD]
> 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> Mobile: +359 878 749 387
> [image: StangaOne1]
> We shape Digital *www.stanga.net*
> [image: BSB]
> We re-invent Video *www.bsbvision.com*
> [image: Shanga]
> We build Apps *www.shanga.co*
> [image: S*Bar]
> We support Start-Ups *www.mysbar.net*
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From dobril at stanga.net Wed Aug 8 20:59:18 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Wed, 8 Aug 2018 23:59:18 +0300
Subject: Message kill MailWatch SQL Loggin
In-Reply-To:
References: <003901d42f2e$07fb5560$17f20020$@stanga.net>
Message-ID: <004f01d42f5a$ac7dba70$05792f50$@stanga.net>

Thank you Shawn, now I converted all columns from utf8 to utf8mb4.
Just I didn't know for those bug.

Dobril Dobrilov
IT Manager
dobril at stanga.net
43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387
We shape Digital www.stanga.net
We re-invent Video www.bsbvision.com
We build Apps www.shanga.co
We support Start-Ups www.mysbar.net

From: MailScanner [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: Wednesday, August 8, 2018 9:05 PM
To: MailScanner Discussion
Subject: Re: Message kill MailWatch SQL Loggin

This is a MailWatch issue, and probably is a result of the MailWatch DB/tables not set to use utf8mb4.

On Wed, Aug 8, 2018 at 11:39 AM, DobriL Dobrilov wrote:

I just saw there are no any processed emails for last 2 hours in MailWatch panel. In same there received messages emails and on each received I can see usual MailScanner[9303]: MailWatch: Logging message 804C46217E.A23FB to SQL?

Then I find this in the logs, after no more messages in Database.

Aug 8 16:32:08 mail MailScanner[5960]: Could not use Custom Function code MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed. Make sure the module is correct with perl -wc (Error: DBD::mysql::st execute failed: Incorrect string value: '\xF0\x9F\x92\xB2\xF0\x9F...' for column 'subject' at row 1 at /usr/share/MailScanner/perl/custom/MailWatch.pm line 221, line 7931.

MailScanner restart and it's working again , but somehow the some message kill it.

Dobril Dobrilov
IT Manager
dobril at stanga.net
43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387
We shape Digital www.stanga.net
We re-invent Video www.bsbvision.com
We build Apps www.shanga.co
We support Start-Ups www.mysbar.net

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From belle at bazuin.nl Fri Aug 10 08:50:41 2018
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 10 Aug 2018 10:50:41 +0200
Subject: Message kill MailWatch SQL Loggin
In-Reply-To: <003901d42f2e$07fb5560$17f20020$@stanga.net>
References: <003901d42f2e$07fb5560$17f20020$@stanga.net>
Message-ID:

hai,

You can try the following, Make a backup, test your backup. Now try the following.

set your mysql column's charset to utf8mb4 and Collation to utf8mb4_general_ci
set your connection string of charset to utf8mb4 like charset=utf8mb4

If there are emoji in the subject, then above might fix it.

Greetz,

Louis
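Added example, not part of the thread and not MailWatch code: the bytes quoted in the DBD::mysql error decode to U+1F4B2, a character that takes 4 bytes in UTF-8 and therefore cannot be stored in a MySQL `utf8` (3-byte) column. The Python below decodes that logged prefix, flags such characters in an RFC 2047 encoded subject, and builds a query listing columns still on 3-byte utf8; the sample subject and all function names are constructed for illustration.

```python
"""Why a 3-byte `utf8` subject column rejects the message in the log above."""
import re
from email.header import decode_header, make_header

# Byte prefix quoted in the DBD::mysql error on this page; the log truncates the rest.
LOGGED_ERROR_VALUE = r"\xF0\x9F\x92\xB2\xF0\x9F..."

# Constructed sample header (not from the thread): two U+1F4B2 followed by ASCII text.
SAMPLE_SUBJECT = "=?UTF-8?Q?=F0=9F=92=B2=F0=9F=92=B2_Cheap_loans?="


def unescape_mysql_value(text):
    """Convert the \\xNN escapes of an 'Incorrect string value' error to raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", text))


def decode_subject(raw_header):
    """Decode an RFC 2047 encoded Subject header into a Python str."""
    return str(make_header(decode_header(raw_header)))


def four_byte_chars(text):
    """Return (index, code point) for every character that needs 4 bytes in UTF-8.

    Anything above U+FFFF (emoji, many symbols) is 4 bytes in UTF-8. MySQL's
    legacy `utf8` charset (utf8mb3) stores at most 3 bytes per character, so a
    strict-mode INSERT of such a value fails; utf8mb4 accepts it.
    """
    return [(i, "U+%04X" % ord(ch)) for i, ch in enumerate(text) if ord(ch) > 0xFFFF]


def fits_utf8mb3(text):
    """True if every character can be stored in a 3-byte `utf8` column."""
    return not four_byte_chars(text)


def replace_for_utf8mb3(text, replacement="\ufffd"):
    """Stop-gap for a logger that must still write to an unconverted column."""
    return "".join(replacement if ord(ch) > 0xFFFF else ch for ch in text)


def audit_query():
    """SQL listing columns still on 3-byte utf8.

    The schema name is passed as the single bound parameter (%s is the
    placeholder style of the common Python MySQL drivers).
    """
    return (
        "SELECT TABLE_NAME, COLUMN_NAME, CHARACTER_SET_NAME, COLLATION_NAME "
        "FROM information_schema.COLUMNS "
        "WHERE TABLE_SCHEMA = %s AND CHARACTER_SET_NAME IN ('utf8', 'utf8mb3')"
    )


if __name__ == "__main__":
    # The logged value is cut off mid-character, so drop the incomplete tail.
    logged = unescape_mysql_value(LOGGED_ERROR_VALUE).decode("utf-8", errors="ignore")
    print("logged prefix contains:", four_byte_chars(logged))
    subject = decode_subject(SAMPLE_SUBJECT)
    print("sample subject fits utf8mb3:", fits_utf8mb3(subject))
    print("stop-gap value:", ascii(replace_for_utf8mb3(subject)))
    print(audit_query())
```

Running the audit query before and after the conversion shows whether any column was missed; the connection charset also has to be utf8mb4, as the reply above notes.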
From: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On behalf of DobriL Dobrilov
Sent: Wednesday, 8 August 2018 17:40
To: 'MailScanner Discussion'
Subject: Message kill MailWatch SQL Loggin

I just saw there are no any processed emails for last 2 hours in MailWatch panel. In same there received messages emails and on each received I can see usual MailScanner[9303]: MailWatch: Logging message 804C46217E.A23FB to SQL?

Then I find this in the logs, after no more messages in Database.

Aug 8 16:32:08 mail MailScanner[5960]: Could not use Custom Function code MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed. Make sure the module is correct with perl -wc (Error: DBD::mysql::st execute failed: Incorrect string value: '\xF0\x9F\x92\xB2\xF0\x9F...' for column 'subject' at row 1 at /usr/share/MailScanner/perl/custom/MailWatch.pm line 221, line 7931.

MailScanner restart and it's working again , but somehow the some message kill it.

Dobril Dobrilov
IT Manager
dobril at stanga.net
43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387
We shape Digital www.stanga.net
We re-invent Video www.bsbvision.com
We build Apps www.shanga.co
We support Start-Ups www.mysbar.net

From iversons at rushville.k12.in.us Sat Aug 11 13:15:08 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 11 Aug 2018 09:15:08 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
Message-ID:

I have been planning for a MailScanner milter for quite some time. I have been specifically studying rspamd's milter source for this purpose. Alas, lack of time and lack of money are always an issue, and I put a lot of hours in my day job. As Jerry would say, I like to eat and have a roof over my head :D

If I do find the time to build a milter, performance will definitely be impacted. The reason is that postfix will have to keep each session open for the duration of scanning, and each MailScanner child would have to issue a callback to postfix after scanning the spam so that postfix can respond to the connection appropriately (i.e. reject or accept). This will slow down mail processing considerably. If I do this, I am going to keep the HOLD queue around, so you would have to choose between speed or MTA level rejection functionality.

On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner <mailscanner at lists.mailscanner.info> wrote:

> On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
> > Hi Mailscanner friends,
> >
> > is there any progress to make MailScanner usable as a postfix milter? The most biggest problem I have is, SPAM is not possible to reject when reaching a high score at MTA level. For my understanding, connect via milter instead of queue ^HOLD would be the solution.
> >
> > For the next decade we are still using MailScanner instead of others like Rspamd, because MailScanner is like a mail suite for mail security, but if there will never be the possibility to reject at MTA level the high score spam, we will also change in 1-3 years while replacing the OS beyond.
>
> One of MailScanner's strongest features is it's batch mode processing that will allow it to handle a very high volume of mail flow. I doubt that MailScanner will ever be changed to run as a milter for this reason.
>
> I tried rspamd and found it wasn't as good as the author claims so no reason to try to use that as a milter. It also wasn't as fast as it claims. I could not send high volumes of mail through it like I could with MailScanner.
>
> If you want to block high scoring spam at the MTA level, I suggest using amavis or spamd with the same SA rulesets as MailScanner. This will get you most of the power of MailScanner's blocking at the MTA.
>
> https://wiki.apache.org/spamassassin/IntegratedInMta
>
> If you you use postscreen and postwhite at the Postfix MTA level, you can block most of the obvious spam with a tuned list of RBLs. See the SA users mailing list over the past year for details on this from me and a few others.
>
> I suggest setting up a quick test VM with iRedmail to get a good example of how to do TLS and amavis integration well with Postfix.
>
> --
> David Jones
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From djones at ena.com Sat Aug 11 13:38:54 2018
From: djones at ena.com (David Jones)
Date: Sat, 11 Aug 2018 08:38:54 -0500
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
Message-ID: <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>

On 08/11/2018 08:15 AM, Shawn Iverson wrote:
> I have been planning for a MailScanner milter for quite some time. I have been specifically studying rpamd's milter source for this purpose. Alas, lack of time and lack of money are always an issue, and I put a lot of hours in my day job. As Jerry would say, I like to eat and have a roof over my head :D
>
> If I do find the time to build a milter, performance will definitely be impacted. The reason is that postfix will have to keep each session open for the duration of scanning, and each MailScanner child would have to issue a callback to postfix after scanning the spam so that postfix can responds to the connection appropriately (i.e. reject or accept). This will slow down mail processing considerably. If I do this, I am going to keep the HOLD queue around, so you would have to choose between speed or MTA level rejection functionality.

My gut tells me that this is going to be so slow, that it's not going to be worth the time to put into it. If you want to reject at MTA time, throw in amavis-new or spamd (not rspamd) using the same SpamAssassin rules and Bayes DB to get most of the same features as MailScanner during the SMTP conversation. Then the mail that gets through can be filtered by MailScanner for its extra features that make it unique.

I understand there are different local legal requirements around the world that if email is accepted at MTA time then it has to be passed on to the end user's mailbox. If you are located in one of these countries, then this would be more of an issue.
But since I am in a country that doesn't have this legal requirement, I do block email post-MTA by MailScanner.

The majority of my spam is blocked at the MTA level already by highly tuned RBLs and postscreen's RBL weighting which is very, very good. Only a small percentage of spam that is zero-hour or from compromised accounts makes it to MailScanner.

I highly recommend the Invaluement RBL. It's very accurate -- only 1 or 2 false positives over the 5+ years. This RBL is very cost effective and has allowed me to disable all Spamhaus RBL checks in SpamAssassin saving thousands of dollars a year. (We have too high a volume to stay under the free usage limits of Spamhaus so we were having to pay for the RBL feed.)

> On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner wrote:
>
>     On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
>      > Hi Mailscanner friends,
>      >
>      > is there any progress to make MailScanner usable as a postfix milter? The most biggest problem I have is, SPAM is not possible to reject when reaching a high score at MTA level. For my understanding, connect via milter instead of queue ^HOLD would be the solution.
>      >
>      > For the next decade we are still using MailScanner instead of others like Rspamd, because MailScanner is like a mail suite for mail security, but if there will never be the possibility to reject at MTA level the high score spam, we will also change in 1-3 years while replacing the OS beyond.
>
>     One of MailScanner's strongest features is it's batch mode processing that will allow it to handle a very high volume of mail flow. I doubt that MailScanner will ever be changed to run as a milter for this reason.
>
>     I tried rspamd and found it wasn't as good as the author claims so no reason to try to use that as a milter. It also wasn't as fast as it claims. I could not send high volumes of mail through it like I could with MailScanner.
>
>     If you want to block high scoring spam at the MTA level, I suggest using amavis or spamd with the same SA rulesets as MailScanner. This will get you most of the power of MailScanner's blocking at the MTA.
>
>     https://wiki.apache.org/spamassassin/IntegratedInMta
>
>     If you you use postscreen and postwhite at the Postfix MTA level, you can block most of the obvious spam with a tuned list of RBLs. See the SA users mailing list over the past year for details on this from me and a few others.
>
>     I suggest setting up a quick test VM with iRedmail to get a good example of how to do TLS and amavis integration well with Postfix.
>
>     --
>     David Jones
>
>     --
>     MailScanner mailing list
>     mailscanner at lists.mailscanner.info
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us

--
David Jones

From iversons at rushville.k12.in.us Sat Aug 11 13:52:46 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 11 Aug 2018 09:52:46 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch> <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
Message-ID:

David,

I agree that this is true, and part of my lack of motivation to do it. One reason I wanted it as an option was to reconcile the ongoing conflict with the postfix community and return MailScanner to good standing to this community. Wietse has been very stern about MailScanner directly tapping the postfix queues.

Perhaps an alternative option would be to create a fast MailScanner milter that behaves more like the HOLD queue. Basically just a milter that immediately fires back accept to postfix and places all the messages in a MailScanner HOLD queue as opposed to a postfix HOLD queue.
Doing so would maintain speed, simplicity, and be more compliant with postfix. The code would also be very simple.

Then, as you say, if you need MTA level functionality for SA, use other software and methods.

On Sat, Aug 11, 2018 at 9:39 AM David Jones wrote:

> On 08/11/2018 08:15 AM, Shawn Iverson wrote:
> > I have been planning for a MailScanner milter for quite some time. I have been specifically studying rpamd's milter source for this purpose. Alas, lack of time and lack of money are always an issue, and I put a lot of hours in my day job. As Jerry would say, I like to eat and have a roof over my head :D
> >
> > If I do find the time to build a milter, performance will definitely be impacted. The reason is that postfix will have to keep each session open for the duration of scanning, and each MailScanner child would have to issue a callback to postfix after scanning the spam so that postfix can responds to the connection appropriately (i.e. reject or accept). This will slow down mail processing considerably. If I do this, I am going to keep the HOLD queue around, so you would have to choose between speed or MTA level rejection functionality.
>
> My gut tells me that this is going to be so slow, that it's not going to be worth the time to put into it. If you want to reject at MTA time, throw in amavis-new or spamd (not rspamd) using the same SpamAsssassin rules and Bayes DB to get most of the same features as MailScanner during the SMTP conversation. Then the mail that gets through can be filtered by MailScanner for it's extra features that make it unique.
>
> I understand there are different local legal requirements around the world that if email is accepted at MTA time then it has to be passed on to the end user's mailbox. If you are located in one of these countries, then this would be more of an issue. But since I am in a country that doesn't have this legal requirement, I do block email post-MTA by MailScanner.
>
> The majority of my spam is blocked at the MTA level already by highly tuned RBLs and postscreen's RBL weighting which is very, very good. Only a small percentage of spam that is zero-hour or from compromised accounts makes it to MailScanner.
>
> I highly recommend the Invaluement RBL. It's very accurate -- only 1 or 2 false positives over 5+ the years. This RBL is very cost effective and has allowed me to disable all Spamhaus RBL checks in SpamAssassin saving thousands of dollars a year. (We have too high a volume to stay under the free usage limits of Spamhaus so we were having to pay for the RBL feed.)
>
> > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner wrote:
> >
> >     On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
> >      > Hi Mailscanner friends,
> >      >
> >      > is there any progress to make MailScanner usable as a postfix milter? The most biggest problem I have is, SPAM is not possible to reject when reaching a high score at MTA level. For my understanding, connect via milter instead of queue ^HOLD would be the solution.
> >      >
> >      > For the next decade we are still using MailScanner instead of others like Rspamd, because MailScanner is like a mail suite for mail security, but if there will never be the possibility to reject at MTA level the high score spam, we will also change in 1-3 years while replacing the OS beyond.
> >
> >     One of MailScanner's strongest features is it's batch mode processing that will allow it to handle a very high volume of mail flow. I doubt that MailScanner will ever be changed to run as a milter for this reason.
> >
> >     I tried rspamd and found it wasn't as good as the author claims so no reason to try to use that as a milter. It also wasn't as fast as it claims.
> >     I could not send high volumes of mail through it like I could with MailScanner.
> >
> >     If you want to block high scoring spam at the MTA level, I suggest using amavis or spamd with the same SA rulesets as MailScanner. This will get you most of the power of MailScanner's blocking at the MTA.
> >
> >     https://wiki.apache.org/spamassassin/IntegratedInMta
> >
> >     If you you use postscreen and postwhite at the Postfix MTA level, you can block most of the obvious spam with a tuned list of RBLs. See the SA users mailing list over the past year for details on this from me and a few others.
> >
> >     I suggest setting up a quick test VM with iRedmail to get a good example of how to do TLS and amavis integration well with Postfix.
> >
> >     --
> >     David Jones
> >
> >     --
> >     MailScanner mailing list
> >     mailscanner at lists.mailscanner.info
> >     http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > --
> > Shawn Iverson, CETL
> > Director of Technology
> > Rush County Schools
> > 765-932-3901 x1171
> > iversons at rushville.k12.in.us
>
> --
> David Jones

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From djones at ena.com Sat Aug 11 13:58:02 2018
From: djones at ena.com (David Jones)
Date: Sat, 11 Aug 2018 08:58:02 -0500
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch> <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
Message-ID: <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>

On 08/11/2018 08:52 AM, Shawn Iverson wrote:
> David,
>
> I agree that this is true, and part of my lack of motivation to do it. One reason I wanted it as an option was to reconcile the ongoing conflict with the postfix community and return MailScanner to good standing to this community. Weitze has been very stern about MailScanner directly tapping the postfix queues.
>
> Perhaps an alternative option would be to create a fast MailScanner milter that behaves more like the HOLD queue. Basically just a milter that immediately fires back accept to postfix and places all the messages in a MailScanner HOLD queue as opposed to a postfix HOLD queue. Doing so would maintain speed, simplicity, and be more compliant with postfix. The code would also be very simple.
>
> Then, as you say, if you need MTA level functionality for SA, use other software and methods.

This light MS milter would make a lot of sense based on your goal to get compliant with Postfix and back "in" with the Postfix community. +1

> On Sat, Aug 11, 2018 at 9:39 AM David Jones wrote:
>
>     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>      > I have been planning for a MailScanner milter for quite some time. I have been specifically studying rpamd's milter source for this purpose. Alas, lack of time and lack of money are always an issue, and I put a lot of hours in my day job. As Jerry would say, I like to eat and have a roof over my head :D
>      >
>      > If I do find the time to build a milter, performance will definitely be impacted. The reason is that postfix will have to keep each session open for the duration of scanning, and each MailScanner child would have to issue a callback to postfix after scanning the spam so that postfix can responds to the connection appropriately (i.e. reject or accept). This will slow down mail processing considerably. If I do this, I am going to keep the HOLD queue around, so you would have to choose between speed or MTA level rejection functionality.
>
>     My gut tells me that this is going to be so slow, that it's not going to be worth the time to put into it. If you want to reject at MTA time, throw in amavis-new or spamd (not rspamd) using the same SpamAsssassin rules and Bayes DB to get most of the same features as MailScanner during the SMTP conversation. Then the mail that gets through can be filtered by MailScanner for it's extra features that make it unique.
>
>     I understand there are different local legal requirements around the world that if email is accepted at MTA time then it has to be passed on to the end user's mailbox. If you are located in one of these countries, then this would be more of an issue. But since I am in a country that doesn't have this legal requirement, I do block email post-MTA by MailScanner.
>
>     The majority of my spam is blocked at the MTA level already by highly tuned RBLs and postscreen's RBL weighting which is very, very good. Only a small percentage of spam that is zero-hour or from compromised accounts makes it to MailScanner.
>
>     I highly recommend the Invaluement RBL. It's very accurate -- only 1 or 2 false positives over 5+ the years. This RBL is very cost effective and has allowed me to disable all Spamhaus RBL checks in SpamAssassin saving thousands of dollars a year. (We have too high a volume to stay under the free usage limits of Spamhaus so we were having to pay for the RBL feed.)
>
>      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner wrote:
>      >
>      >     On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
>      >      > Hi Mailscanner friends,
>      >      >
>      >      > is there any progress to make MailScanner usable as a postfix milter? The most biggest problem I have is, SPAM is not possible to reject when reaching a high score at MTA level. For my understanding, connect via milter instead of queue ^HOLD would be the solution.
>      >      >
>      >      > For the next decade we are still using MailScanner instead of others like Rspamd, because MailScanner is like a mail suite for mail security, but if there will never be the possibility to reject at MTA level the high score spam, we will also change in 1-3 years while replacing the OS beyond.
>      >
>      >     One of MailScanner's strongest features is it's batch mode processing that will allow it to handle a very high volume of mail flow. I doubt that MailScanner will ever be changed to run as a milter for this reason.
>      >
>      >     I tried rspamd and found it wasn't as good as the author claims so no reason to try to use that as a milter. It also wasn't as fast as it claims. I could not send high volumes of mail through it like I could with MailScanner.
>      >
>      >     If you want to block high scoring spam at the MTA level, I suggest using amavis or spamd with the same SA rulesets as MailScanner. This will get you most of the power of MailScanner's blocking at the MTA.
>      >
>      >     https://wiki.apache.org/spamassassin/IntegratedInMta
>      >
>      >     If you you use postscreen and postwhite at the Postfix MTA level, you can block most of the obvious spam with a tuned list of RBLs. See the SA users mailing list over the past year for details on this from me and a few others.
>      >
>      >     I suggest setting up a quick test VM with iRedmail to get a good example of how to do TLS and amavis integration well with Postfix.
>      >
>      >     --
>      >     David Jones
>      >
>      >     --
>      >     MailScanner mailing list
>      >     mailscanner at lists.mailscanner.info
>      >     http://lists.mailscanner.info/mailman/listinfo/mailscanner
>      >
>      > --
>      > Shawn Iverson, CETL
>      > Director of Technology
>      > Rush County Schools
>      > 765-932-3901 x1171
>      > iversons at rushville.k12.in.us
>
>     --
>     David Jones
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us

--
David Jones

From belle at bazuin.nl Sat Aug 11 16:14:31 2018
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Sat, 11 Aug 2018 18:14:31 +0200
Subject: Mailscanner milter to reject high score spam at MTA level
Message-ID:

+1 Great idea.

> On 11 Aug 2018 at 15:58, David Jones via MailScanner wrote:
>
>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>> David,
>>
>> I agree that this is true, and part of my lack of motivation to do it. One reason I wanted it as an option was to reconcile the ongoing conflict with the postfix community and return MailScanner to good standing to this community. Weitze has been very stern about MailScanner directly tapping the postfix queues.
>>
>> Perhaps an alternative option would be to create a fast MailScanner milter that behaves more like the HOLD queue. Basically just a milter that immediately fires back accept to postfix and places all the messages in a MailScanner HOLD queue as opposed to a postfix HOLD queue. Doing so would maintain speed, simplicity, and be more compliant with postfix. The code would also be very simple.
>>
>> Then, as you say, if you need MTA level functionality for SA, use other software and methods.
>
> This light MS milter would make a lot of sense based on your goal to get compliant with Postfix and back "in" with the Postfix community. +1
>
>> On Sat, Aug 11, 2018 at 9:39 AM David Jones wrote:
>>
>>> On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>> I have been planning for a MailScanner milter for quite some time.
I >>> have been specifically studying rpamd's milter source for this >> purpose. >>> Alas, lack of time and lack of money are always an issue, and I >> put a >>> lot of hours in my day job. As Jerry would say, I like to eat >> and have >>> a roof over my head :D >>> >>> If I do find the time to build a milter, performance will >> definitely be >>> impacted. The reason is that postfix will have to keep each session >>> open for the duration of scanning, and each MailScanner child >> would have >>> to issue a callback to postfix after scanning the spam so that >> postfix >>> can responds to the connection appropriately (i.e. reject or >> accept). >>> This will slow down mail processing considerably. If I do this, >> I am >>> going to keep the HOLD queue around, so you would have to choose >> between >>> speed or MTA level rejection functionality. >>> >>> >>> >> >> My gut tells me that this is going to be so slow, that it's not >> going to >> be worth the time to put into it. If you want to reject at MTA time, >> throw in amavis-new or spamd (not rspamd) using the same SpamAsssassin >> rules and Bayes DB to get most of the same features as MailScanner >> during the SMTP conversation. Then the mail that gets through can be >> filtered by MailScanner for it's extra features that make it unique. >> >> I understand there are different local legal requirements around the >> world that if email is accepted at MTA time then it has to be passed on >> to the end user's mailbox. If you are located in one of these >> countries, then this would be more of an issue. But since I am in a >> country that doesn't have this legal requirement, I do block email >> post-MTA by MailScanner. >> >> The majority of my spam is blocked at the MTA level already by highly >> tuned RBLs and postscreen's RBL weighting which is very, very good. >> Only a small percentage of spam that is zero-hour or from compromised >> accounts makes it to MailScanner. >> >> I highly recommend the Invaluement RBL. 
It's very accurate -- only >> 1 or >> 2 false positives over 5+ the years. This RBL is very cost effective >> and has allowed me to disable all Spamhaus RBL checks in SpamAssassin >> saving thousands of dollars a year. (We have too high a volume to stay >> under the free usage limits of Spamhaus so we were having to pay for >> the >> RBL feed.) >> >>> >>> >>> >>> On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner >>> > >>> > >> wrote: >>> >>> On 08/07/2018 05:03 AM, info at schroeffu.ch >> > > >>> wrote: >>> > >>> > Hi Mailscanner friends, >>> > >>> > is there any progress to make MailScanner usable as a >> postfix milter? >>> > The most biggest problem I have is, SPAM is not possible to >>> reject when >>> > reaching a high score at MTA level. For my understanding, >> connect >>> via >>> > milter instead of queue ^HOLD would be the solution. >>> > >>> > For the next decade we are still using MailScanner instead >> of others >>> > like Rspamd, because MailScanner is like a mail suite for mail >>> security, >>> > but if there will never be the possibility to reject at >> MTA level >>> the >>> > high score spam, we will also change in 1-3 years while >> replacing >>> the OS >>> > beyond. >>> > >>> >>> One of MailScanner's strongest features is it's batch mode >> processing >>> that will allow it to handle a very high volume of mail >> flow. I doubt >>> that MailScanner will ever be changed to run as a milter for this >>> reason. >>> >>> I tried rspamd and found it wasn't as good as the author >> claims so no >>> reason to try to use that as a milter. It also wasn't as >> fast as it >>> claims. I could not send high volumes of mail through it >> like I could >>> with MailScanner. >>> >>> If you want to block high scoring spam at the MTA level, I >> suggest >>> using >>> amavis or spamd with the same SA rulesets as MailScanner. >> This will >>> get >>> you most of the power of MailScanner's blocking at the MTA. 
>>>
>>> https://wiki.apache.org/spamassassin/IntegratedInMta
>>>
>>> If you use postscreen and postwhite at the Postfix MTA
>> level, you
>>> can block most of the obvious spam with a tuned list of
>> RBLs. See the
>>> SA users mailing list over the past year for details on this
>> from me
>>> and
>>> a few others.
>>>
>>> I suggest setting up a quick test VM with iRedmail to get a good
>>> example
>>> of how to do TLS and amavis integration well with Postfix.
>>>
>>> --
>>> David Jones
>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>>
>>>
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>>
>>
>> --
>> David Jones
>>
>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>>
>
>
> --
> David Jones
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>

From pramod at mindspring.co.za Tue Aug 14 08:33:15 2018
From: pramod at mindspring.co.za (Pramod Daya)
Date: Tue, 14 Aug 2018 08:33:15 +0000
Subject: Phishing Whitelisting entries not working
In-Reply-To:
References:
Message-ID:

I upgraded to MailScanner 5.0.7-4 and unfortunately I'm seeing that whitelisted entries are still getting tagged with "Disarmed" tags.

On a different server with Centos 6.9 and mailscanner 4.84.6, the Phishing Whitelisting is working correctly. ..

From: MailScanner On Behalf Of Pramod Daya
Sent: Friday, 27 July 2018 11:03
To: MailScanner Discussion
Subject: RE: Phishing Whitelisting entries not working

Thank you, will give that a bash.

From: MailScanner On Behalf Of Shawn Iverson
Sent: Thursday, 26 July 2018 16:34
To: MailScanner Discussion
Subject: Re: Phishing Whitelisting entries not working

See this commit: https://github.com/MailScanner/v5/commit/7c121ba4934135e5ad4d4518aaf0e2e041dabee5

Please upgrade to version 5.0.7-4, there was an issue parsing the phishing whitelists and blacklists properly and let us know if you see a change.

On Thu, Jul 26, 2018 at 10:11 AM, Pramod Daya wrote:

Ver 5.0.3-7

From: MailScanner On Behalf Of Shawn Iverson
Sent: Thursday, 26 July 2018 15:47
To: MailScanner Discussion
Subject: Re: Phishing Whitelisting entries not working

Version of mailscanner?

On Thu, Jul 26, 2018, 3:03 AM Pramod Daya wrote:

Hi,

I'm using the latest version of ms-update-phishing to download phishing lists, and putting whitelisted sites into /etc/MailScanner/phishing.safe.sites.custom. They get merged with phishing.safe.sites.conf when ms-update-phishing runs.

However, email from sites that I whitelist still get a {Disarmed} tag.

I've tried adding user at site.com, .site.com, *.site.com, but I'm not winning.

Any pearls of wisdom, please ?

Tnx,
Pramod

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Tue Aug 14 14:56:59 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 14 Aug 2018 10:56:59 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

Dear MailScanner users:

I am officially working on creating a lightweight milter for MailScanner.

This milter will not provide MTA protocol rejection for postfix, due to the severe performance penalty it would cause. All mail will be intercepted, accepted, and silently dropped from the postfix queue and placed in a MailScanner queue.

I have a working prototype, and it is processing mail! It is in need of heavy refactoring and some bug squashing.

Currently it attempts to create a postfix formatted queue file (very ugly, who thought up this file format???!!!). I may instead create a new Milter Processor for MailScanner that reduces the overhead of doing this and can read the incoming email in a simple line-by-line format. This may also increase performance overall and reduce all the conversions happening.

The other side of the coin is what to do when MailScanner is done processing mail. Currently, it generates a postfix queue file and drops it into postfix incoming directory. It should not do this but instead drop the message into postfix using native postfix tools. That will be the next part I tackle as part of the Milter Processor.

Why am I doing this? I want to place MailScanner back in a good standing with Postfix folks (at least when the milter + postfix method is in use). I have no plans of removing the old method but rather provide a more supported path for postfix users.

Wish me luck.
I could be heard across the neighborhood when MailScanner processed an email from the Milter for the first time! :D

On Sat, Aug 11, 2018 at 9:58 AM David Jones wrote:

> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
> > David,
> >
> > I agree that this is true, and part of my lack of motivation to do it.
> > One reason I wanted it as an option was to reconcile the ongoing
> > conflict with the postfix community and return MailScanner to good
> > standing to this community. Wietse has been very stern about
> > MailScanner directly tapping the postfix queues.
> >
> > Perhaps an alternative option would be to create a fast MailScanner
> > milter that behaves more like the HOLD queue. Basically just a milter
> > that immediately fires back accept to postfix and places all the
> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
> > queue. Doing so would maintain speed, simplicity, and be more compliant
> > with postfix. The code would also be very simple.
> >
> > Then, as you say, if you need MTA level functionality for SA, use other
> > software and methods.
> >
> >
>
> This light MS milter would make a lot of sense based on your goal to get
> compliant with Postfix and back "in" with the Postfix community. +1
>
> >
> > On Sat, Aug 11, 2018 at 9:39 AM David Jones wrote:
> >
> > On 08/11/2018 08:15 AM, Shawn Iverson wrote:
> > > I have been planning for a MailScanner milter for quite some
> > time. I
> > > have been specifically studying rspamd's milter source for this
> > purpose.
> > > Alas, lack of time and lack of money are always an issue, and I
> > put a
> > > lot of hours in my day job. As Jerry would say, I like to eat
> > and have
> > > a roof over my head :D
> > >
> > > If I do find the time to build a milter, performance will
> > definitely be
> > > impacted. The reason is that postfix will have to keep each
> session
> > > open for the duration of scanning, and each MailScanner child
> > would have
> > > to issue a callback to postfix after scanning the spam so that
> > postfix
> > > can respond to the connection appropriately (i.e. reject or
> > accept).
> > > This will slow down mail processing considerably. If I do this,
> > I am
> > > going to keep the HOLD queue around, so you would have to choose
> > between
> > > speed or MTA level rejection functionality.
> > >
> > >
> > >
> >
> > My gut tells me that this is going to be so slow, that it's not
> > going to
> > be worth the time to put into it. If you want to reject at MTA time,
> > throw in amavis-new or spamd (not rspamd) using the same
> SpamAssassin
> > rules and Bayes DB to get most of the same features as MailScanner
> > during the SMTP conversation. Then the mail that gets through can be
> > filtered by MailScanner for its extra features that make it unique.
> >
> > I understand there are different local legal requirements around the
> > world that if email is accepted at MTA time then it has to be passed
> on
> > to the end user's mailbox. If you are located in one of these
> > countries, then this would be more of an issue. But since I am in a
> > country that doesn't have this legal requirement, I do block email
> > post-MTA by MailScanner.
> >
> > The majority of my spam is blocked at the MTA level already by highly
> > tuned RBLs and postscreen's RBL weighting which is very, very good.
> > Only a small percentage of spam that is zero-hour or from compromised
> > accounts makes it to MailScanner.
> >
> > I highly recommend the Invaluement RBL. It's very accurate -- only
> > 1 or
> > 2 false positives over 5+ the years. This RBL is very cost effective
> > and has allowed me to disable all Spamhaus RBL checks in SpamAssassin
> > saving thousands of dollars a year. (We have too high a volume to
> stay
> > under the free usage limits of Spamhaus so we were having to pay for
> > the
> > RBL feed.)
> >
> > >
> > >
> > >
> > > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
> > > wrote:
> > >
> > > On 08/07/2018 05:03 AM, info at schroeffu.ch
> > > wrote:
> > > >
> > > > Hi Mailscanner friends,
> > > >
> > > > is there any progress to make MailScanner usable as a
> > postfix milter?
> > > > The biggest problem I have is, SPAM is not possible to
> > > reject when
> > > > reaching a high score at MTA level. For my understanding,
> > connect
> > > via
> > > > milter instead of queue ^HOLD would be the solution.
> > > >
> > > > For the next decade we are still using MailScanner instead
> > of others
> > > > like Rspamd, because MailScanner is like a mail suite for
> mail
> > > security,
> > > > but if there will never be the possibility to reject at
> > MTA level
> > > the
> > > > high score spam, we will also change in 1-3 years while
> > replacing
> > > the OS
> > > > beyond.
> > > >
> > >
> > > One of MailScanner's strongest features is its batch mode
> > processing
> > > that will allow it to handle a very high volume of mail
> > flow. I doubt
> > > that MailScanner will ever be changed to run as a milter for
> this
> > > reason.
> > >
> > > I tried rspamd and found it wasn't as good as the author
> > claims so no
> > > reason to try to use that as a milter. It also wasn't as
> > fast as it
> > > claims. I could not send high volumes of mail through it
> > like I could
> > > with MailScanner.
> > >
> > > If you want to block high scoring spam at the MTA level, I
> > suggest
> > > using
> > > amavis or spamd with the same SA rulesets as MailScanner.
> > This will
> > > get
> > > you most of the power of MailScanner's blocking at the MTA.
> > >
> > > https://wiki.apache.org/spamassassin/IntegratedInMta
> > >
> > > If you use postscreen and postwhite at the Postfix MTA
> > level, you
> > > can block most of the obvious spam with a tuned list of
> > RBLs. See the
> > > SA users mailing list over the past year for details on this
> > from me
> > > and
> > > a few others.
> > >
> > > I suggest setting up a quick test VM with iRedmail to get a
> good
> > > example
> > > of how to do TLS and amavis integration well with Postfix.
> > >
> > > --
> > > David Jones
> > >
> > >
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >
> > >
> > >
> > > --
> > > Shawn Iverson, CETL
> > > Director of Technology
> > > Rush County Schools
> > > 765-932-3901 x1171
> > > iversons at rushville.k12.in.us
> > >
> > >
> >
> > --
> > David Jones
> >
> >
> >
> > --
> > Shawn Iverson, CETL
> > Director of Technology
> > Rush County Schools
> > 765-932-3901 x1171
> > iversons at rushville.k12.in.us
> >
> >
>
> --
> David Jones
>

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Tue Aug 14 14:58:40 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 14 Aug 2018 10:58:40 -0400
Subject: Phishing Whitelisting entries not working
In-Reply-To:
References:
Message-ID:

Thank you for the feedback. I will dive into the code deeper and see if I can pinpoint the issue.

On Tue, Aug 14, 2018 at 4:33 AM Pramod Daya wrote:

> I upgraded to MailScanner 5.0.7-4 and unfortunately I'm seeing that
> whitelisted entries are still getting tagged with "Disarmed" tags.
>
> On a different server with Centos 6.9 and mailscanner 4.84.6, the Phishing
> Whitelisting is working correctly. ..
>
> *From:* MailScanner <mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info> *On Behalf Of* Pramod Daya
> *Sent:* Friday, 27 July 2018 11:03
> *To:* MailScanner Discussion
> *Subject:* RE: Phishing Whitelisting entries not working
>
> Thank you, will give that a bash.
>
> *From:* MailScanner <mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info> *On Behalf Of* Shawn Iverson
> *Sent:* Thursday, 26 July 2018 16:34
> *To:* MailScanner Discussion
> *Subject:* Re: Phishing Whitelisting entries not working
>
> See this commit:
> https://github.com/MailScanner/v5/commit/7c121ba4934135e5ad4d4518aaf0e2e041dabee5
>
> Please upgrade to version 5.0.7-4, there was an issue parsing the phishing
> whitelists and blacklists properly and let us know if you see a change.
>
> On Thu, Jul 26, 2018 at 10:11 AM, Pramod Daya wrote:
>
> Ver 5.0.3-7
>
> *From:* MailScanner <mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info> *On Behalf Of* Shawn Iverson
> *Sent:* Thursday, 26 July 2018 15:47
> *To:* MailScanner Discussion
> *Subject:* Re: Phishing Whitelisting entries not working
>
> Version of mailscanner?
>
> On Thu, Jul 26, 2018, 3:03 AM Pramod Daya wrote:
>
> Hi,
>
> I'm using the latest version of ms-update-phishing to download phishing
> lists, and putting whitelisted sites into
> /etc/MailScanner/phishing.safe.sites.custom. They get merged with
> phishing.safe.sites.conf when ms-update-phishing runs.
>
> However, email from sites that I whitelist still get a {Disarmed} tag.
>
> I've tried adding user at site.com, .site.com, *.site.com, but I'm not
> winning.
>
> Any pearls of wisdom, please ?
>
> Tnx,
>
> Pramod
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From belle at bazuin.nl Tue Aug 14 15:05:43 2018
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 14 Aug 2018 17:05:43 +0200
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

Good luck Shawn,

Best of luck and keep us posted :-)

Greetz,

Louis

From: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: Tuesday, 14 August 2018 16:57
To: mailscanner at lists.mailscanner.info
Subject: Re: Mailscanner milter to reject high score spam at MTA level

Dear MailScanner users:

I am officially working on creating a lightweight milter for MailScanner.

This milter will not provide MTA protocol rejection for postfix, due to the severe performance penalty it would cause. All mail will be intercepted, accepted, and silently dropped from the postfix queue and placed in a MailScanner queue.

I have a working prototype, and it is processing mail! It is in need of heavy refactoring and some bug squashing.

Currently it attempts to create a postfix formatted queue file (very ugly, who thought up this file format???!!!). I may instead create a new Milter Processor for MailScanner that reduces the overhead of doing this and can read the incoming email in a simple line-by-line format. This may also increase performance overall and reduce all the conversions happening.

The other side of the coin is what to do when MailScanner is done processing mail. Currently, it generates a postfix queue file and drops it into postfix incoming directory. It should not do this but instead drop the message into postfix using native postfix tools. That will be the next part I tackle as part of the Milter Processor.

Why am I doing this? I want to place MailScanner back in a good standing with Postfix folks (at least when the milter + postfix method is in use). I have no plans of removing the old method but rather provide a more supported path for postfix users.

Wish me luck. I could be heard across the neighborhood when MailScanner processed an email from the Milter for the first time! :D

On Sat, Aug 11, 2018 at 9:58 AM David Jones wrote:

On 08/11/2018 08:52 AM, Shawn Iverson wrote:
> David,
>
> I agree that this is true, and part of my lack of motivation to do it.
> One reason I wanted it as an option was to reconcile the ongoing
> conflict with the postfix community and return MailScanner to good
> standing to this community. Weitze has been very stern about
> MailScanner directly tapping the postfix queues.
>
> Perhaps an alternative option would be to create a fast MailScanner
> milter that behaves more like the HOLD queue. Basically just a milter
> that immediately fires back accept to postfix and places all the
> messages in a MailScanner HOLD queue as opposed to a postfix HOLD
> queue. Doing so would maintain speed, simplicity, and be more compliant
> with postfix. The code would also be very simple.
>
> Then, as you say, if you need MTA level functionality for SA, use other
> software and methods.
>
>

This light MS milter would make a lot of sense based on your goal to get compliant with Postfix and back "in" with the Postfix community. +1

>
> On Sat, Aug 11, 2018 at 9:39 AM David Jones wrote:
>
>     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>      > I have been planning for a MailScanner milter for quite some
>     time.  I
>      > have been specifically studying rspamd's milter source for this
>     purpose.
>      > Alas, lack of time and lack of money are always an issue, and I
>     put a
>      > lot of hours in my day job.  As Jerry would say, I like to eat
>     and have
>      > a roof over my head :D
>      >
>      > If I do find the time to build a milter, performance will
>     definitely be
>      > impacted.  The reason is that postfix will have to keep each session
>      > open for the duration of scanning, and each MailScanner child
>     would have
>      > to issue a callback to postfix after scanning the spam so that
>     postfix
>      > can respond to the connection appropriately (i.e. reject or
>     accept).
>      > This will slow down mail processing considerably.  If I do this,
>     I am
>      > going to keep the HOLD queue around, so you would have to choose
>     between
>      > speed or MTA level rejection functionality.
>      >
>      >
>      >
>
>     My gut tells me that this is going to be so slow, that it's not
>     going to
>     be worth the time to put into it.  If you want to reject at MTA time,
>     throw in amavis-new or spamd (not rspamd) using the same SpamAssassin
>     rules and Bayes DB to get most of the same features as MailScanner
>     during the SMTP conversation.  Then the mail that gets through can be
>     filtered by MailScanner for its extra features that make it unique.
>
>     I understand there are different local legal requirements around the
>     world that if email is accepted at MTA time then it has to be passed on
>     to the end user's mailbox.  If you are located in one of these
>     countries, then this would be more of an issue.  But since I am in a
>     country that doesn't have this legal requirement, I do block email
>     post-MTA by MailScanner.
>
>     The majority of my spam is blocked at the MTA level already by highly
>     tuned RBLs and postscreen's RBL weighting which is very, very good.
>     Only a small percentage of spam that is zero-hour or from compromised
>     accounts makes it to MailScanner.
>
>     I highly recommend the Invaluement RBL.  It's very accurate -- only
>     1 or
>     2 false positives over 5+ the years.  This RBL is very cost effective
>     and has allowed me to disable all Spamhaus RBL checks in SpamAssassin
>     saving thousands of dollars a year.  (We have too high a volume to stay
>     under the free usage limits of Spamhaus so we were having to pay for
>     the
>     RBL feed.)
>
>      >
>      >
>      >
>      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>      > wrote:
>      >
>      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>      >     wrote:
>      >      >
>      >      > Hi Mailscanner friends,
>      >      >
>      >      > is there any progress to make MailScanner usable as a
>     postfix milter?
>      >      > The biggest problem I have is, SPAM is not possible to
>      >     reject when
>      >      > reaching a high score at MTA level. For my understanding,
>     connect
>      >     via
>      >      > milter instead of queue ^HOLD would be the solution.
>      >      >
>      >      > For the next decade we are still using MailScanner instead
>     of others
>      >      > like Rspamd, because MailScanner is like a mail suite for mail
>      >     security,
>      >      > but if there will never be the possibility to reject at
>     MTA level
>      >     the
>      >      > high score spam, we will also change in 1-3 years while
>     replacing
>      >     the OS
>      >      > beyond.
>      >      >
>      >
>      >     One of MailScanner's strongest features is its batch mode
>     processing
>      >     that will allow it to handle a very high volume of mail
>     flow.  I doubt
>      >     that MailScanner will ever be changed to run as a milter for this
>      >     reason.
>      >
>      >     I tried rspamd and found it wasn't as good as the author
>     claims so no
>      >     reason to try to use that as a milter.  It also wasn't as
>     fast as it
>      >     claims.  I could not send high volumes of mail through it
>     like I could
>      >     with MailScanner.
>      >
>      >     If you want to block high scoring spam at the MTA level, I
>     suggest
>      >     using
>      >     amavis or spamd with the same SA rulesets as MailScanner.
>     This will
>      >     get
>      >     you most of the power of MailScanner's blocking at the MTA.
>      >
>      > https://wiki.apache.org/spamassassin/IntegratedInMta
>      >
>      >     If you use postscreen and postwhite at the Postfix MTA
>     level, you
>      >     can block most of the obvious spam with a tuned list of
>     RBLs.  See the
>      >     SA users mailing list over the past year for details on this
>     from me
>      >     and
>      >     a few others.
>      >
>      >     I suggest setting up a quick test VM with iRedmail to get a good
>      >     example
>      >     of how to do TLS and amavis integration well with Postfix.
>      >
>      >     --
>      >     David Jones
>      >
>      >
>      >     --
>      >     MailScanner mailing list
>      > mailscanner at lists.mailscanner.info
>      > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>      >
>      >
>      >
>      > --
>      > Shawn Iverson, CETL
>      > Director of Technology
>      > Rush County Schools
>      > 765-932-3901 x1171
>      > iversons at rushville.k12.in.us
>      >
>      >
>
>     --
>     David Jones
>
>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>

--
David Jones

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From mark at msapiro.net Tue Aug 14 17:08:58 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 14 Aug 2018 10:08:58 -0700
Subject: Phishing Whitelisting entries not working
In-Reply-To:
References:
Message-ID: <8c5306da-1eec-1c22-95f8-0263c3d72c59@msapiro.net>

On 08/14/2018 01:33 AM, Pramod Daya wrote:
> I upgraded to MailScanner 5.0.7-4 and unfortunately I'm seeing that
> whitelisted entries are still getting tagged with "Disarmed" tags.
>
> On a different server with Centos 6.9 and mailscanner 4.84.6, the
> Phishing Whitelisting is working correctly. ..

Please see and confirm that the disarming you are seeing is "phishing fraud" and not some other disarming.

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

From pramod at mindspring.co.za Thu Aug 16 07:23:50 2018
From: pramod at mindspring.co.za (Pramod Daya)
Date: Thu, 16 Aug 2018 07:23:50 +0000
Subject: Phishing Whitelisting entries not working
In-Reply-To: <8c5306da-1eec-1c22-95f8-0263c3d72c59@msapiro.net>
References: <8c5306da-1eec-1c22-95f8-0263c3d72c59@msapiro.net>
Message-ID:

It's actually the reverse situation - entries that should be whitelisted are being marked as "Phishing".

-----Original Message-----
From: MailScanner On Behalf Of Mark Sapiro
Sent: Tuesday, 14 August 2018 19:09
To: mailscanner at lists.mailscanner.info
Subject: Re: Phishing Whitelisting entries not working

On 08/14/2018 01:33 AM, Pramod Daya wrote:
> I upgraded to MailScanner 5.0.7-4 and unfortunately I'm seeing that
> whitelisted entries are still getting tagged with "Disarmed" tags.
>
> On a different server with Centos 6.9 and mailscanner 4.84.6, the
> Phishing Whitelisting is working correctly. ..

Please see and confirm that the disarming you are seeing is "phishing fraud" and not some other disarming.

--
Mark Sapiro                             The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From iversons at rushville.k12.in.us Sun Aug 19 03:28:04 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 18 Aug 2018 23:28:04 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

MailScanner users:

The MailScanner Milter project is coming along nicely.

https://github.com/shawniverson/v5/commits/081118msmilter

I am currently running this on a split relay to test the milter without impacting production email.

The design is fairly simple, although development has taken about 40 hours of my time. I know more about MailScanner (and perl) than I ever have :D

The Milter is integrated into MailScanner and forks as a branch of the MailScanner process tree, keeping systemd happy.
The Milter process intercepts incoming email and tells postfix to DISCARD, which basically accepts the mail and silently drops it before entering the queue. At the same time, the Milter writes a raw email file to the /var/spool/MailScanner/milterin queue. MailScanner picks up the message batches in the milterin directory, processes them, and spits them out to /var/spool/MailScanner/milterout directory as raw email files. The MSMail Processor (new) relays the messages to postfix for further processing over port 25. A optional localhost rule in header_checks removes the local entry from the header before delivery. The benefits are that the postfix queue is not touched at all throughout this process, making the solution (hopefully) an acceptable one within the postfix community. It is also very fast, and the codebase for this method is smaller than even the Postfix Processor, and MailScanner gets its own queues, separate from postfix. One drawback to this method is there is no apparent way to extract the Envelope From address (at least not yet, perhaps I am missing a milter code), although it doesn't appear that MailScanner is all that concerned about it and doesn't go out of its way to capture it. I think it is important though, for spoof detection, so I will continue to research this. 
Anyone that is willing to get their feet wet and test can apply the
following files from my branch:

(In common)
/usr/sbin/MailScanner
/usr/share/MailScanner/perl/MailScanner/Milter.pm
/usr/share/MailScanner/perl/MailScanner/MSMail.pm
/usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
/usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm

Then create the following dirs:
mkdir -p /var/spool/MailScanner/milterin
chown postfix:mtagroup /var/spool/MailScanner/milterin
mkdir -p /var/spool/MailScanner/milterout
chown postfix:mtagroup /var/spool/MailScanner/milterout

Apply the following to /etc/MailScanner/MailScanner.conf:
Incoming Queue Dir = /var/spool/MailScanner/milterin
Outgoing Queue Dir = /var/spool/MailScanner/milterout
MTA = MSMail
MSMail Queue Type = short | long (pick one that matches your postfix setting)

I recommend doing this in a test or split relay environment that
blackholes email. Do not use in production yet ;)

Known issues at the moment:
MailWatch doesn't recognize MSMail as an 'MTA' so the queue stats do not appear
More validation and error handling is needed throughout. Weird emails abound!
Need to know the envelope from sender. Currently hidden from the milter,
but hopefully exposable via a callback code.

On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson wrote:

> Dear MailScanner users:
>
> I am officially working on creating a lightweight milter for MailScanner.
>
> This milter will not provide MTA protocol rejection for postfix, due to
> the severe performance penalty it would cause. All mail will be
> intercepted, accepted, and silently dropped from the postfix queue and
> placed in a MailScanner queue.
>
> I have a working prototype, and it is processing mail! It is in need of
> heavy refactoring and some bug squashing.
>
> Currently it attempts to create a postfix formatted queue file (very ugly,
> who thought up this file format???!!!).
> I may instead create a new Milter
> Processor for MailScanner that reduces the overhead of doing this and can
> read the incoming email in a simple line-by-line format. This may also
> increase performance overall and reduce all the conversions happening.
>
> The other side of the coin is what to do when MailScanner is done
> processing mail. Currently, it generates a postfix queue file and drops it
> into postfix incoming directory. It should not do this but instead drop
> the message into postfix using native postfix tools. That will be the next
> part I tackle as part of the Milter Processor.
>
> Why am I doing this? I want to place MailScanner back in a good standing
> with Postfix folks (at least when the milter + postfix method is in use).
>
> I have no plans of removing the old method but rather provide a more
> supported path for postfix users.
>
> Wish me luck. I could be heard across the neighborhood when MailScanner
> processed an email from the Milter for the first time! :D
>
> On Sat, Aug 11, 2018 at 9:58 AM David Jones wrote:
>
>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>> > David,
>> >
>> > I agree that this is true, and part of my lack of motivation to do it.
>> > One reason I wanted it as an option was to reconcile the ongoing
>> > conflict with the postfix community and return MailScanner to good
>> > standing to this community. Weitze has been very stern about
>> > MailScanner directly tapping the postfix queues.
>> >
>> > Perhaps an alternative option would be to create a fast MailScanner
>> > milter that behaves more like the HOLD queue. Basically just a milter
>> > that immediately fires back accept to postfix and places all the
>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
>> > queue. Doing so would maintain speed, simplicity, and be more compliant
>> > with postfix. The code would also be very simple.
>> >
>> > Then, as you say, if you need MTA level functionality for SA, use other
>> > software and methods.
>> >
>>
>> This light MS milter would make a lot of sense based on your goal to get
>> compliant with Postfix and back "in" with the Postfix community. +1
>>
>> >
>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones wrote:
>> >
>> > On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>> > > I have been planning for a MailScanner milter for quite some time. I
>> > > have been specifically studying rpamd's milter source for this purpose.
>> > > Alas, lack of time and lack of money are always an issue, and I put a
>> > > lot of hours in my day job. As Jerry would say, I like to eat and have
>> > > a roof over my head :D
>> > >
>> > > If I do find the time to build a milter, performance will definitely be
>> > > impacted. The reason is that postfix will have to keep each session
>> > > open for the duration of scanning, and each MailScanner child would have
>> > > to issue a callback to postfix after scanning the spam so that postfix
>> > > can responds to the connection appropriately (i.e. reject or accept).
>> > > This will slow down mail processing considerably. If I do this, I am
>> > > going to keep the HOLD queue around, so you would have to choose between
>> > > speed or MTA level rejection functionality.
>> > >
>> >
>> > My gut tells me that this is going to be so slow, that it's not going to
>> > be worth the time to put into it. If you want to reject at MTA time,
>> > throw in amavis-new or spamd (not rspamd) using the same SpamAsssassin
>> > rules and Bayes DB to get most of the same features as MailScanner
>> > during the SMTP conversation. Then the mail that gets through can be
>> > filtered by MailScanner for it's extra features that make it unique.
>> >
>> > I understand there are different local legal requirements around the
>> > world that if email is accepted at MTA time then it has to be passed on
>> > to the end user's mailbox. If you are located in one of these
>> > countries, then this would be more of an issue. But since I am in a
>> > country that doesn't have this legal requirement, I do block email
>> > post-MTA by MailScanner.
>> >
>> > The majority of my spam is blocked at the MTA level already by highly
>> > tuned RBLs and postscreen's RBL weighting which is very, very good.
>> > Only a small percentage of spam that is zero-hour or from compromised
>> > accounts makes it to MailScanner.
>> >
>> > I highly recommend the Invaluement RBL. It's very accurate -- only 1 or
>> > 2 false positives over 5+ the years. This RBL is very cost effective
>> > and has allowed me to disable all Spamhaus RBL checks in SpamAssassin
>> > saving thousands of dollars a year. (We have too high a volume to stay
>> > under the free usage limits of Spamhaus so we were having to pay for the
>> > RBL feed.)
>> >
>> > >
>> > > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner wrote:
>> > >
>> > > On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
>> > > >
>> > > > Hi Mailscanner friends,
>> > > >
>> > > > is there any progress to make MailScanner usable as a postfix milter?
>> > > > The most biggest problem I have is, SPAM is not possible to reject when
>> > > > reaching a high score at MTA level. For my understanding, connect via
>> > > > milter instead of queue ^HOLD would be the solution.
>> > > >
>> > > > For the next decade we are still using MailScanner instead of others
>> > > > like Rspamd, because MailScanner is like a mail suite for mail security,
>> > > > but if there will never be the possibility to reject at MTA level the
>> > > > high score spam, we will also change in 1-3 years while replacing the OS
>> > > > beyond.
>> > > >
>> > >
>> > > One of MailScanner's strongest features is it's batch mode processing
>> > > that will allow it to handle a very high volume of mail flow. I doubt
>> > > that MailScanner will ever be changed to run as a milter for this
>> > > reason.
>> > >
>> > > I tried rspamd and found it wasn't as good as the author claims so no
>> > > reason to try to use that as a milter. It also wasn't as fast as it
>> > > claims. I could not send high volumes of mail through it like I could
>> > > with MailScanner.
>> > >
>> > > If you want to block high scoring spam at the MTA level, I suggest using
>> > > amavis or spamd with the same SA rulesets as MailScanner. This will get
>> > > you most of the power of MailScanner's blocking at the MTA.
>> > >
>> > > https://wiki.apache.org/spamassassin/IntegratedInMta
>> > >
>> > > If you you use postscreen and postwhite at the Postfix MTA level, you
>> > > can block most of the obvious spam with a tuned list of RBLs. See the
>> > > SA users mailing list over the past year for details on this from me and
>> > > a few others.
>> > >
>> > > I suggest setting up a quick test VM with iRedmail to get a good example
>> > > of how to do TLS and amavis integration well with Postfix.
>> > >
>> > > --
>> > > David Jones
>> > >
>> > > --
>> > > MailScanner mailing list
>> > > mailscanner at lists.mailscanner.info
>> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> > >
>> > > --
>> > > Shawn Iverson, CETL
>> > > Director of Technology
>> > > Rush County Schools
>> > > 765-932-3901 x1171
>> > > iversons at rushville.k12.in.us
>> >
>> > --
>> > David Jones
>> >
>> > --
>> > Shawn Iverson, CETL
>> > Director of Technology
>> > Rush County Schools
>> > 765-932-3901 x1171
>> > iversons at rushville.k12.in.us
>>
>> --
>> David Jones
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From iversons at rushville.k12.in.us Sun Aug 19 13:30:24 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 19 Aug 2018 09:30:24 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

Oh yeah, here's the config for Postfix:

smtpd_milters = inet:127.0.0.1:33333
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map

/etc/postfix/smtpd_milter_map:
127.0.0.0/8 DISABLE
::/64 DISABLE

This allows scanned emails to pass the milter, as well as notifications
sent from the localhost. You do need at least Postfix version 3.2 I
believe to have milter map support.

On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson wrote:

> MailScanner users:
>
> The MailScanner Milter project is coming along nicely.

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From iversons at rushville.k12.in.us Sun Aug 19 20:04:29 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 19 Aug 2018 16:04:29 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

Another update

The latest commit to my branch includes more fixes and a new thing that
needs handled now that a Milter is in play.

When mail is submitted back to postfix, it needs to be processed by other
things that could reject the email (such as a blocked sender).
This is a problem because MailScanner does not know how to handle rejects
since it has always been part of the queue process interacting directly
with the queues, not before queue process.

During message delivery, if a reject is detected, I inject a special header
to the message and requeue it to MailScanner. MailScanner has a chance,
based on this special header, to flag the message, remove the special
header, add diagnostic info to the header about the relay, and quarantine
the message. The mail admin is happy knowing that the message didn't just
vanish and has an opportunity to resolve the issue and release it or know
the disposition of the email.

Another cool thing about this Milter Processor I discovered is you can
simply drop a message into /var/spool/MailScanner/milterin from
/var/spool/MailScanner/quarantine, and it will try to redeliver it :D

This new code is in Message.pm and only becomes active if the milter is
activated.

On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson wrote:

> Oh yeah, here's the config for Postfix:
>
> smtpd_milters = inet:127.0.0.1:33333
> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>
> /etc/postfix/smtpd_milter_map:
> 127.0.0.0/8 DISABLE
> ::/64 DISABLE
>
> This allows scanned emails to pass the milter, as well as notifications
> sent from the localhost. You do need at least Postfix version 3.2 I
> believe to have milter map support.
>
> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> MailScanner users:
>>
>> The MailScanner Milter project is coming along nicely.
>>
>> https://github.com/shawniverson/v5/commits/081118msmilter
>>
>> I am currently running this on a split relay to test the milter without
>> impacting production email.
>>
>> The design is fairly simple, although development has taken about 40
>> hours of my time.
I know more about MailScanner (and perl) than I ever >> have :D >> >> The Milter is integrated into MailScanner and forks as a branch of the >> MailScanner process tree, keeping systemd happy. >> >> The Milter process intercepts incoming email and tells postfix to >> DISCARD, which basically accepts the mail and silently drops it before >> entering the queue. At the same time, the Milter writes a raw email file >> to the /var/spool/MailScanner/milterin queue. >> >> MailScanner picks up the message batches in the milterin directory, >> processes them, and spits them out to /var/spool/MailScanner/milterout >> directory as raw email files. >> >> The MSMail Processor (new) relays the messages to postfix for further >> processing over port 25. A optional localhost rule in header_checks >> removes the local entry from the header before delivery. >> >> The benefits are that the postfix queue is not touched at all throughout >> this process, making the solution (hopefully) an acceptable one within the >> postfix community. It is also very fast, and the codebase for this method >> is smaller than even the Postfix Processor, and MailScanner gets its own >> queues, separate from postfix. >> >> One drawback to this method is there is no apparent way to extract the >> Envelope From address (at least not yet, perhaps I am missing a milter >> code), although it doesn't appear that MailScanner is all that concerned >> about it and doesn't go out of its way to capture it. I think it is >> important though, for spoof detection, so I will continue to research this. 
>> >> Anyone that is willing to get their feet wet and test can apply the >> following files from my branch: >> >> (In common) >> /usr/sbin/MailScanner >> /usr/share/MailScanner/perl/MailScanner/Milter.pm >> /usr/share/MailScanner/perl/MailScanner/MSMail.pm >> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm >> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm >> >> Then create the following dirs: >> mkdir -p /var/spool/MailScanner/milterin >> chown postfix:mtagroup /var/spool/MailScanner/milterin >> mkdir -p /var/spool/MailScanner/milterout >> chown postfix:mtagroup /var/spool/MailScanner/milterout >> >> Apply the following to /etc/MailScanner/MailScanner.conf: >> Incoming Queue Dir = /var/spool/MailScanner/milterin >> Outgoing Queue Dir = /var/spool/MailScanner/milterout >> MTA = MSMail >> MSMail Queue Type = short | long (pick one that matches your postfix >> setting) >> >> I recommend doing this in a test or split relay environment that >> blackholes email. Do not use in production yet ;) >> >> Known issues at the moment: >> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do not >> appear >> More validation and error handling is needed throughout. Weird emails >> abound! >> Need to know the envelope from sender. Currently hidden from the milter, >> but hopefully exposable via a callback code. >> >> >> >> >> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson < >> iversons at rushville.k12.in.us> wrote: >> >>> Dear MailScanner users: >>> >>> I am officially working on creating a lightweight milter for >>> MailScanner. >>> >>> This milter will not provide MTA protocol rejection for postfix, due to >>> the severe performance penalty it would cause. All mail will be >>> intercepted, accepted, and silently dropped from the postfix queue and >>> placed in a MailScanner queue. >>> >>> I have a working prototype, and it is processing mail! It is in need of >>> heavy refactoring and some bug squashing. 
>>> >>> Currently it attempts to create a postfix formatted queue file (very >>> ugly, who thought up this file format???!!!). I may instead create a new >>> Milter Processor for MailScanner that reduces the overhead of doing this >>> and can read the incoming email in a simple line-by-line format. This may >>> also increase performance overall and reduce all the conversions happening. >>> >>> The other side of the coin is what to do when MailScanner is done >>> processing mail. Currently, it generates a postfix queue file and drops it >>> into postfix incoming directory. It should not do this but instead drop >>> the message into postfix using native postfix tools. That will be the next >>> part I tackle as part of the Milter Processor. >>> >>> Why am I doing this? I want to place MailScanner back in a good >>> standing with Postfix folks (at least when the milter + postfix method is >>> in use). >>> >>> I have no plans of removing the old method but rather provide a more >>> supported path for postfix users. >>> >>> Wish me luck. I could be heard across the neighborhood when MailScanner >>> processed an email from the Milter for the first time! :D >>> >>> >>> >>> >>> On Sat, Aug 11, 2018 at 9:58 AM David Jones wrote: >>> >>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote: >>>> > David, >>>> > >>>> > I agree that this is true, and part of my lack of motivation to do >>>> it. >>>> > One reason I wanted it as an option was to reconcile the ongoing >>>> > conflict with the postfix community and return MailScanner to good >>>> > standing to this community. Weitze has been very stern about >>>> > MailScanner directly tapping the postfix queues. >>>> > >>>> > Perhaps an alternative option would be to create a fast MailScanner >>>> > milter that behaves more like the HOLD queue. Basically just a >>>> milter >>>> > that immediately fires back accept to postfix and places all the >>>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD >>>> > queue. 
Doing so would maintain speed, simplicity, and be more >>>> compliant >>>> > with postfix. The code would also be very simple. >>>> > >>>> > Then, as you say, if you need MTA level functionality for SA, use >>>> other >>>> > software and methods. >>>> > >>>> > >>>> >>>> This light MS milter would make a lot of sense based on your goal to >>>> get >>>> compliant with Postfix and back "in" with the Postfix community. +1 >>>> >>>> > >>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones >>> > > wrote: >>>> > >>>> > On 08/11/2018 08:15 AM, Shawn Iverson wrote: >>>> > > I have been planning for a MailScanner milter for quite some >>>> > time. I >>>> > > have been specifically studying rpamd's milter source for this >>>> > purpose. >>>> > > Alas, lack of time and lack of money are always an issue, and I >>>> > put a >>>> > > lot of hours in my day job. As Jerry would say, I like to eat >>>> > and have >>>> > > a roof over my head :D >>>> > > >>>> > > If I do find the time to build a milter, performance will >>>> > definitely be >>>> > > impacted. The reason is that postfix will have to keep each >>>> session >>>> > > open for the duration of scanning, and each MailScanner child >>>> > would have >>>> > > to issue a callback to postfix after scanning the spam so that >>>> > postfix >>>> > > can responds to the connection appropriately (i.e. reject or >>>> > accept). >>>> > > This will slow down mail processing considerably. If I do >>>> this, >>>> > I am >>>> > > going to keep the HOLD queue around, so you would have to >>>> choose >>>> > between >>>> > > speed or MTA level rejection functionality. >>>> > > >>>> > > >>>> > > >>>> > >>>> > My gut tells me that this is going to be so slow, that it's not >>>> > going to >>>> > be worth the time to put into it. 
If you want to reject at MTA >>>> time, >>>> > throw in amavis-new or spamd (not rspamd) using the same >>>> SpamAsssassin >>>> > rules and Bayes DB to get most of the same features as MailScanner >>>> > during the SMTP conversation. Then the mail that gets through >>>> can be >>>> > filtered by MailScanner for it's extra features that make it >>>> unique. >>>> > >>>> > I understand there are different local legal requirements around >>>> the >>>> > world that if email is accepted at MTA time then it has to be >>>> passed on >>>> > to the end user's mailbox. If you are located in one of these >>>> > countries, then this would be more of an issue. But since I am >>>> in a >>>> > country that doesn't have this legal requirement, I do block email >>>> > post-MTA by MailScanner. >>>> > >>>> > The majority of my spam is blocked at the MTA level already by >>>> highly >>>> > tuned RBLs and postscreen's RBL weighting which is very, very >>>> good. >>>> > Only a small percentage of spam that is zero-hour or from >>>> compromised >>>> > accounts makes it to MailScanner. >>>> > >>>> > I highly recommend the Invaluement RBL. It's very accurate -- >>>> only >>>> > 1 or >>>> > 2 false positives over 5+ the years. This RBL is very cost >>>> effective >>>> > and has allowed me to disable all Spamhaus RBL checks in >>>> SpamAssassin >>>> > saving thousands of dollars a year. (We have too high a volume >>>> to stay >>>> > under the free usage limits of Spamhaus so we were having to pay >>>> for >>>> > the >>>> > RBL feed.) >>>> > >>>> > > >>>> > > >>>> > > >>>> > > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner >>>> > > >>> > >>>> > > >>> > >> wrote: >>>> > > >>>> > > On 08/07/2018 05:03 AM, info at schroeffu.ch >>>> > >>> > > >>>> > > wrote: >>>> > > > >>>> > > > Hi Mailscanner friends, >>>> > > > >>>> > > > is there any progress to make MailScanner usable as a >>>> > postfix milter? 
>>>> > > > The most biggest problem I have is, SPAM is not >>>> possible to >>>> > > reject when >>>> > > > reaching a high score at MTA level. For my >>>> understanding, >>>> > connect >>>> > > via >>>> > > > milter instead of queue ^HOLD would be the solution. >>>> > > > >>>> > > > For the next decade we are still using MailScanner >>>> instead >>>> > of others >>>> > > > like Rspamd, because MailScanner is like a mail suite >>>> for mail >>>> > > security, >>>> > > > but if there will never be the possibility to reject at >>>> > MTA level >>>> > > the >>>> > > > high score spam, we will also change in 1-3 years while >>>> > replacing >>>> > > the OS >>>> > > > beyond. >>>> > > > >>>> > > >>>> > > One of MailScanner's strongest features is it's batch mode >>>> > processing >>>> > > that will allow it to handle a very high volume of mail >>>> > flow. I doubt >>>> > > that MailScanner will ever be changed to run as a milter >>>> for this >>>> > > reason. >>>> > > >>>> > > I tried rspamd and found it wasn't as good as the author >>>> > claims so no >>>> > > reason to try to use that as a milter. It also wasn't as >>>> > fast as it >>>> > > claims. I could not send high volumes of mail through it >>>> > like I could >>>> > > with MailScanner. >>>> > > >>>> > > If you want to block high scoring spam at the MTA level, I >>>> > suggest >>>> > > using >>>> > > amavis or spamd with the same SA rulesets as MailScanner. >>>> > This will >>>> > > get >>>> > > you most of the power of MailScanner's blocking at the MTA. >>>> > > >>>> > > https://wiki.apache.org/spamassassin/IntegratedInMta >>>> > > >>>> > > If you you use postscreen and postwhite at the Postfix MTA >>>> > level, you >>>> > > can block most of the obvious spam with a tuned list of >>>> > RBLs. See the >>>> > > SA users mailing list over the past year for details on >>>> this >>>> > from me >>>> > > and >>>> > > a few others. 
>>>> > >
>>>> > > I suggest setting up a quick test VM with iRedmail to get
>>>> a good
>>>> > > example
>>>> > > of how to do TLS and amavis integration well with Postfix.
>>>> > >
>>>> > > --
>>>> > > David Jones
>>>> > >
>>>> > > --
>>>> > > MailScanner mailing list
>>>> > > mailscanner at lists.mailscanner.info
>>>> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
From iversons at rushville.k12.in.us Sun Aug 19 20:26:11 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 19 Aug 2018 16:26:11 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch> <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com> <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

Found the callback code for MAIL FROM:

'M' SMFIC_MAIL MAIL FROM: information
Expected response: Accept/reject action

Time for some more coding :D

On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson wrote:

> Another update
>
> The latest commit to my branch includes more fixes and a new thing that
> needs handled now that a Milter is in play. When mail is submitted back to
> postfix, it needs to be processed by other things that could reject the
> email (such as a blocked sender). This is a problem because MailScanner
> does not know how to handle rejects since it has always been part of the
> queue process interacting directly with the queues, not before queue
> process.
>
> During message delivery, if a reject is detected, I inject a special
> header to the message and requeue it to MailScanner. MailScanner has a
> chance, based on this special header to flag the message, remove the
> special header, add diagnostic info to the header about the relay, and
> quarantine the message. The mail admin is happy knowing that the message
> didn't just vanish and has an opportunity to resolve the issue and release
> it or know the disposition of the email.
>
> Another cool thing about this Milter Processor I discovered is you can
> simply drop a message into /var/spool/MailScanner/milterin from
> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D
>
> This new code is in Message.pm and only becomes active if the milter is
> activated.
>
> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Oh yeah, here's the config for Postfix:
>>
>> smtpd_milters = inet:127.0.0.1:33333
>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>>
>> /etc/postfix/smtpd_milter_map:
>> 127.0.0.0/8 DISABLE
>> ::/64 DISABLE
>>
>> This allows scanned emails to pass the milter, as well as notifications
>> sent from the localhost. You do need at least Postfix version 3.2 I
>> believe to have milter map support.
>>
>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> MailScanner users:
>>>
>>> The MailScanner Milter project is coming along nicely.
>>>
>>> https://github.com/shawniverson/v5/commits/081118msmilter
>>>
>>> I am currently running this on a split relay to test the milter without
>>> impacting production email.
>>>
>>> The design is fairly simple, although development has taken about 40
>>> hours of my time. I know more about MailScanner (and perl) than I ever
>>> have :D
>>>
>>> The Milter is integrated into MailScanner and forks as a branch of the
>>> MailScanner process tree, keeping systemd happy.
>>>
>>> The Milter process intercepts incoming email and tells postfix to
>>> DISCARD, which basically accepts the mail and silently drops it before
>>> entering the queue. At the same time, the Milter writes a raw email file
>>> to the /var/spool/MailScanner/milterin queue.
>>>
>>> MailScanner picks up the message batches in the milterin directory,
>>> processes them, and spits them out to /var/spool/MailScanner/milterout
>>> directory as raw email files.
>>>
>>> The MSMail Processor (new) relays the messages to postfix for further
>>> processing over port 25. An optional localhost rule in header_checks
>>> removes the local entry from the header before delivery.
>>>
>>> The benefits are that the postfix queue is not touched at all throughout
>>> this process, making the solution (hopefully) an acceptable one within the
>>> postfix community. It is also very fast, and the codebase for this method
>>> is smaller than even the Postfix Processor, and MailScanner gets its own
>>> queues, separate from postfix.
>>>
>>> One drawback to this method is there is no apparent way to extract the
>>> Envelope From address (at least not yet, perhaps I am missing a milter
>>> code), although it doesn't appear that MailScanner is all that concerned
>>> about it and doesn't go out of its way to capture it. I think it is
>>> important though, for spoof detection, so I will continue to research this.
>>>
>>> Anyone that is willing to get their feet wet and test can apply the
>>> following files from my branch:
>>>
>>> (In common)
>>> /usr/sbin/MailScanner
>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>
>>> Then create the following dirs:
>>> mkdir -p /var/spool/MailScanner/milterin
>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>> mkdir -p /var/spool/MailScanner/milterout
>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>
>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>> MTA = MSMail
>>> MSMail Queue Type = short | long (pick one that matches your postfix
>>> setting)
>>>
>>> I recommend doing this in a test or split relay environment that
>>> blackholes email. Do not use in production yet ;)
>>>
>>> Known issues at the moment:
>>> MailWatch doesn't recognize MSMail as an 'MTA' so the queue stats do not
>>> appear
>>> More validation and error handling is needed throughout. Weird emails
>>> abound!
>>> Need to know the envelope from sender. Currently hidden from the >>> milter, but hopefully exposable via a callback code. >>> >>> >>> >>> >>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson < >>> iversons at rushville.k12.in.us> wrote: >>> >>>> Dear MailScanner users: >>>> >>>> I am officially working on creating a lightweight milter for >>>> MailScanner. >>>> >>>> This milter will not provide MTA protocol rejection for postfix, due to >>>> the severe performance penalty it would cause. All mail will be >>>> intercepted, accepted, and silently dropped from the postfix queue and >>>> placed in a MailScanner queue. >>>> >>>> I have a working prototype, and it is processing mail! It is in need >>>> of heavy refactoring and some bug squashing. >>>> >>>> Currently it attempts to create a postfix formatted queue file (very >>>> ugly, who thought up this file format???!!!). I may instead create a new >>>> Milter Processor for MailScanner that reduces the overhead of doing this >>>> and can read the incoming email in a simple line-by-line format. This may >>>> also increase performance overall and reduce all the conversions happening. >>>> >>>> The other side of the coin is what to do when MailScanner is done >>>> processing mail. Currently, it generates a postfix queue file and drops it >>>> into postfix incoming directory. It should not do this but instead drop >>>> the message into postfix using native postfix tools. That will be the next >>>> part I tackle as part of the Milter Processor. >>>> >>>> Why am I doing this? I want to place MailScanner back in a good >>>> standing with Postfix folks (at least when the milter + postfix method is >>>> in use). >>>> >>>> I have no plans of removing the old method but rather provide a more >>>> supported path for postfix users. >>>> >>>> Wish me luck. I could be heard across the neighborhood when >>>> MailScanner processed an email from the Milter for the first time! 
:D >>>> >>>> >>>> >>>> >>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones wrote: >>>> >>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote: >>>>> > David, >>>>> > >>>>> > I agree that this is true, and part of my lack of motivation to do >>>>> it. >>>>> > One reason I wanted it as an option was to reconcile the ongoing >>>>> > conflict with the postfix community and return MailScanner to good >>>>> > standing to this community. Weitze has been very stern about >>>>> > MailScanner directly tapping the postfix queues. >>>>> > >>>>> > Perhaps an alternative option would be to create a fast MailScanner >>>>> > milter that behaves more like the HOLD queue. Basically just a >>>>> milter >>>>> > that immediately fires back accept to postfix and places all the >>>>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD >>>>> > queue. Doing so would maintain speed, simplicity, and be more >>>>> compliant >>>>> > with postfix. The code would also be very simple. >>>>> > >>>>> > Then, as you say, if you need MTA level functionality for SA, use >>>>> other >>>>> > software and methods. >>>>> > >>>>> > >>>>> >>>>> This light MS milter would make a lot of sense based on your goal to >>>>> get >>>>> compliant with Postfix and back "in" with the Postfix community. +1 >>>>> >>>>> > >>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones >>>> > > wrote: >>>>> > >>>>> > On 08/11/2018 08:15 AM, Shawn Iverson wrote: >>>>> > > I have been planning for a MailScanner milter for quite some >>>>> > time. I >>>>> > > have been specifically studying rpamd's milter source for this >>>>> > purpose. >>>>> > > Alas, lack of time and lack of money are always an issue, and >>>>> I >>>>> > put a >>>>> > > lot of hours in my day job. As Jerry would say, I like to eat >>>>> > and have >>>>> > > a roof over my head :D >>>>> > > >>>>> > > If I do find the time to build a milter, performance will >>>>> > definitely be >>>>> > > impacted. 
The reason is that postfix will have to keep each >>>>> session >>>>> > > open for the duration of scanning, and each MailScanner child >>>>> > would have >>>>> > > to issue a callback to postfix after scanning the spam so that >>>>> > postfix >>>>> > > can responds to the connection appropriately (i.e. reject or >>>>> > accept). >>>>> > > This will slow down mail processing considerably. If I do >>>>> this, >>>>> > I am >>>>> > > going to keep the HOLD queue around, so you would have to >>>>> choose >>>>> > between >>>>> > > speed or MTA level rejection functionality. >>>>> > > >>>>> > > >>>>> > > >>>>> > >>>>> > My gut tells me that this is going to be so slow, that it's not >>>>> > going to >>>>> > be worth the time to put into it. If you want to reject at MTA >>>>> time, >>>>> > throw in amavis-new or spamd (not rspamd) using the same >>>>> SpamAsssassin >>>>> > rules and Bayes DB to get most of the same features as >>>>> MailScanner >>>>> > during the SMTP conversation. Then the mail that gets through >>>>> can be >>>>> > filtered by MailScanner for it's extra features that make it >>>>> unique. >>>>> > >>>>> > I understand there are different local legal requirements around >>>>> the >>>>> > world that if email is accepted at MTA time then it has to be >>>>> passed on >>>>> > to the end user's mailbox. If you are located in one of these >>>>> > countries, then this would be more of an issue. But since I am >>>>> in a >>>>> > country that doesn't have this legal requirement, I do block >>>>> email >>>>> > post-MTA by MailScanner. >>>>> > >>>>> > The majority of my spam is blocked at the MTA level already by >>>>> highly >>>>> > tuned RBLs and postscreen's RBL weighting which is very, very >>>>> good. >>>>> > Only a small percentage of spam that is zero-hour or from >>>>> compromised >>>>> > accounts makes it to MailScanner. >>>>> > >>>>> > I highly recommend the Invaluement RBL. 
It's very accurate -- >>>>> only >>>>> > 1 or >>>>> > 2 false positives over 5+ the years. This RBL is very cost >>>>> effective >>>>> > and has allowed me to disable all Spamhaus RBL checks in >>>>> SpamAssassin >>>>> > saving thousands of dollars a year. (We have too high a volume >>>>> to stay >>>>> > under the free usage limits of Spamhaus so we were having to pay >>>>> for >>>>> > the >>>>> > RBL feed.) >>>>> > >>>>> > > >>>>> > > >>>>> > > >>>>> > > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner >>>>> > > >>>> > >>>>> > > >>>> > >> wrote: >>>>> > > >>>>> > > On 08/07/2018 05:03 AM, info at schroeffu.ch >>>>> > >>>> > > >>>>> > > wrote: >>>>> > > > >>>>> > > > Hi Mailscanner friends, >>>>> > > > >>>>> > > > is there any progress to make MailScanner usable as a >>>>> > postfix milter? >>>>> > > > The most biggest problem I have is, SPAM is not >>>>> possible to >>>>> > > reject when >>>>> > > > reaching a high score at MTA level. For my >>>>> understanding, >>>>> > connect >>>>> > > via >>>>> > > > milter instead of queue ^HOLD would be the solution. >>>>> > > > >>>>> > > > For the next decade we are still using MailScanner >>>>> instead >>>>> > of others >>>>> > > > like Rspamd, because MailScanner is like a mail suite >>>>> for mail >>>>> > > security, >>>>> > > > but if there will never be the possibility to reject at >>>>> > MTA level >>>>> > > the >>>>> > > > high score spam, we will also change in 1-3 years while >>>>> > replacing >>>>> > > the OS >>>>> > > > beyond. >>>>> > > > >>>>> > > >>>>> > > One of MailScanner's strongest features is it's batch mode >>>>> > processing >>>>> > > that will allow it to handle a very high volume of mail >>>>> > flow. I doubt >>>>> > > that MailScanner will ever be changed to run as a milter >>>>> for this >>>>> > > reason. >>>>> > > >>>>> > > I tried rspamd and found it wasn't as good as the author >>>>> > claims so no >>>>> > > reason to try to use that as a milter. 
It also wasn't as >>>>> > fast as it >>>>> > > claims. I could not send high volumes of mail through it >>>>> > like I could >>>>> > > with MailScanner. >>>>> > > >>>>> > > If you want to block high scoring spam at the MTA level, I >>>>> > suggest >>>>> > > using >>>>> > > amavis or spamd with the same SA rulesets as MailScanner. >>>>> > This will >>>>> > > get >>>>> > > you most of the power of MailScanner's blocking at the >>>>> MTA. >>>>> > > >>>>> > > https://wiki.apache.org/spamassassin/IntegratedInMta >>>>> > > >>>>> > > If you you use postscreen and postwhite at the Postfix MTA >>>>> > level, you >>>>> > > can block most of the obvious spam with a tuned list of >>>>> > RBLs. See the >>>>> > > SA users mailing list over the past year for details on >>>>> this >>>>> > from me >>>>> > > and >>>>> > > a few others. >>>>> > > >>>>> > > I suggest setting up a quick test VM with iRedmail to get >>>>> a good >>>>> > > example >>>>> > > of how to do TLS and amavis integration well with Postfix. 
>>>>> > >
>>>>> > > --
>>>>> > > David Jones

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
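The MAIL FROM callback named in the message above, worked through as an added example (not code from the thread or from the MailScanner branch). It decodes SMFIC_MAIL packets as framed by the sendmail milter protocol, recovers the envelope sender, and compares its domain with the From: header; the function names, the MAX_FRAME cap and the sample addresses are assumptions made for this example.

```python
"""Decode a milter SMFIC_MAIL packet and recover the envelope sender."""
import struct
from email.utils import parseaddr

# One-byte codes from the sendmail milter wire protocol.
SMFIC_MAIL = b"M"       # MTA -> milter: MAIL FROM information
SMFIR_CONTINUE = b"c"   # milter -> MTA: accept this step, keep going
SMFIR_TEMPFAIL = b"t"   # milter -> MTA: answer with a temporary (4xx) failure

MAX_FRAME = 65536       # assumed sanity cap for this example


class MilterFrameError(ValueError):
    """Raised when bytes on the milter socket are not a valid packet."""


def encode_frame(cmd, payload=b""):
    """Packet = uint32 big-endian length (command byte + payload), command, payload."""
    return struct.pack("!I", len(payload) + 1) + cmd + payload


def split_frames(buf):
    """Split a receive buffer into complete (cmd, payload) packets.

    Returns (frames, remainder); remainder holds a trailing partial packet
    that the caller keeps until more bytes arrive.
    """
    frames, offset = [], 0
    while len(buf) - offset >= 4:
        (length,) = struct.unpack_from("!I", buf, offset)
        if length == 0 or length > MAX_FRAME:
            raise MilterFrameError("implausible packet length %d" % length)
        if len(buf) - offset - 4 < length:
            break  # packet not fully received yet
        start = offset + 4
        frames.append((buf[start:start + 1], buf[start + 1:start + length]))
        offset = start + length
    return frames, buf[offset:]


def parse_mail_from(payload):
    """Return (envelope_sender, esmtp_args) from an SMFIC_MAIL payload.

    The payload is a run of NUL-terminated strings: the reverse-path as the
    client sent it, then any ESMTP parameters. The null sender "<>" used by
    bounces comes back as "".
    """
    if not payload.endswith(b"\0"):
        raise MilterFrameError("SMFIC_MAIL payload is not NUL-terminated")
    fields = [f.decode("utf-8", "replace") for f in payload[:-1].split(b"\0")]
    sender = fields[0].strip()
    if sender.startswith("<") and sender.endswith(">"):
        sender = sender[1:-1]
    return sender, fields[1:]


def _domain(addr):
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_mismatch(envelope_sender, header_from):
    """True when the envelope domain differs from the From: header domain.

    A mismatch is only a signal for the scanner to weigh, since mailing lists
    and forwarders produce it legitimately. A null envelope sender gives
    nothing to compare, so it returns False.
    """
    if not envelope_sender:
        return False
    return _domain(envelope_sender) != _domain(parseaddr(header_from)[1])


def handle_stream(buf):
    """Answer each MAIL FROM packet; return (senders, replies, remainder)."""
    frames, remainder = split_frames(buf)
    senders, replies = [], b""
    for cmd, payload in frames:
        if cmd != SMFIC_MAIL:
            continue  # other commands are outside this example
        try:
            sender, _args = parse_mail_from(payload)
        except MilterFrameError:
            replies += encode_frame(SMFIR_TEMPFAIL)
            continue
        senders.append(sender)
        replies += encode_frame(SMFIR_CONTINUE)
    return senders, replies, remainder


if __name__ == "__main__":
    # Constructed sample traffic: one normal sender, one bounce, one partial packet.
    wire = (encode_frame(SMFIC_MAIL, b"<alice@example.org>\0SIZE=3097\0")
            + encode_frame(SMFIC_MAIL, b"<>\0")
            + b"\x00\x00\x00")
    print(handle_stream(wire))
    print(sender_mismatch("bounce@mailer.example.net", "CEO <ceo@example.org>"))
```

A milter that queues mail for later scanning, as this thread describes, would store the recovered sender alongside the raw message so the scanner can use it.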
From iversons at rushville.k12.in.us Sun Aug 19 21:14:47 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 19 Aug 2018 17:14:47 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch> <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com> <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

Latest commit

Spamassassin/MailScanner are now comparing envelope from and from properly :)

https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b

Todo:
Cleanup code
Add more options to mailscanner config, such as # of milter threads, etc.
Remove hard coded items where feasible
Honor placement of Header entries in header (top or bottom)
Test Test Test (anyone interested is welcome!)
Patches for MailWatch to handle new queues and process counts
Fix bug observed where mailscanner thinks processes are still running when stopping (but aren't, harmless, just weird)

Feedback is welcome.

On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson wrote:

> Found the callback code for MAIL FROM:
>
> 'M' SMFIC_MAIL MAIL FROM: information
> Expected response: Accept/reject action
>
> Time for some more coding :D
>
> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Another update
>>
>> The latest commit to my branch includes more fixes and a new thing that
>> needs handled now that a Milter is in play. When mail is submitted back to
>> postfix, it needs to be processed by other things that could reject the
>> email (such as a blocked sender). This is a problem because MailScanner
>> does not know how to handle rejects since it has always been part of the
>> queue process interacting directly with the queues, not before queue
>> process.
>>
>> During message delivery, if a reject is detected, I inject a special
>> header to the message and requeue it to MailScanner.
MailScanner has a >> chance, based on this special header to flag the message, remove the >> special header, add diagnostic info to the header about the relay, and >> quarantine the message. The mail admin is happy knowing that the message >> didn't just vanish and has an opportunity to resolve the issue and release >> it or know the disposition of the email. >> >> Another cool thing about this Milter Processor I discovered is you can >> simply drop a message into /var/spool/MailScanner/milterin from >> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D >> >> This new code is in Message.pm and only becomes active if the milter is >> activated. >> >> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson < >> iversons at rushville.k12.in.us> wrote: >> >>> Oh yeah, here's the config for Postfix: >>> >>> smtpd_milters = inet:127.0.0.1:33333 >>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map >>> >>> /etc/postfix/smtpd_milter_map: >>> 127.0.0.0/8 DISABLE >>> ::/64 DISABLE >>> >>> This allows scanned emails to pass the milter, as well as notifications >>> sent from the localhost. You do need at least Postfix version 3.2 I >>> believe to have milter map support. >>> >>> >>> >>> >>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson < >>> iversons at rushville.k12.in.us> wrote: >>> >>>> MailScanner users: >>>> >>>> The MailScanner Milter project is coming along nicely. >>>> >>>> https://github.com/shawniverson/v5/commits/081118msmilter >>>> >>>> I am currently running this on a split relay to test the milter without >>>> impacting production email. >>>> >>>> The design is fairly simple, although development has taken about 40 >>>> hours of my time. I know more about MailScanner (and perl) than I ever >>>> have :D >>>> >>>> The Milter is integrated into MailScanner and forks as a branch of the >>>> MailScanner process tree, keeping systemd happy. 
>>>> >>>> The Milter process intercepts incoming email and tells postfix to >>>> DISCARD, which basically accepts the mail and silently drops it before >>>> entering the queue. At the same time, the Milter writes a raw email file >>>> to the /var/spool/MailScanner/milterin queue. >>>> >>>> MailScanner picks up the message batches in the milterin directory, >>>> processes them, and spits them out to /var/spool/MailScanner/milterout >>>> directory as raw email files. >>>> >>>> The MSMail Processor (new) relays the messages to postfix for further >>>> processing over port 25. A optional localhost rule in header_checks >>>> removes the local entry from the header before delivery. >>>> >>>> The benefits are that the postfix queue is not touched at all >>>> throughout this process, making the solution (hopefully) an acceptable one >>>> within the postfix community. It is also very fast, and the codebase for >>>> this method is smaller than even the Postfix Processor, and MailScanner >>>> gets its own queues, separate from postfix. >>>> >>>> One drawback to this method is there is no apparent way to extract the >>>> Envelope From address (at least not yet, perhaps I am missing a milter >>>> code), although it doesn't appear that MailScanner is all that concerned >>>> about it and doesn't go out of its way to capture it. I think it is >>>> important though, for spoof detection, so I will continue to research this. 
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Mon Aug 20 15:49:14 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 20 Aug 2018 11:49:14 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch> <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com> <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

RFC 5321 support added.

Also reviewing RFC 822, particularly handling of delivery failure notices, with respect to the milter.

https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de351645321

Currently addressing a bug with the daemon forking new children. Seems to be caused by the Milter being a child process of MailScanner. If I cannot resolve, I plan to separate the Milter into its own daemon. This may be better anyway and allow both to be managed independently.

On Sun, Aug 19, 2018 at 5:14 PM Shawn Iverson wrote:

> Latest commit
>
> Spamassassin/MailScanner are now comparing envelope from and from properly
> :)
>
> https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b
>
> Todo:
>
> Cleanup code
> Add more options to mailscanner config, such as # of milter threads, etc.
> Remove hard coded items where feasible
> Honor placement of Header entries in header (top or bottom)
> Test Test Test (anyone interested is welcome!)
> Patches for MailWatch to handle new queues and process counts
> Fix bug observed where mailscanner thinks processes are still running when
> stopping (but aren't, harmless, just weird)
>
> Feedback is welcome.
>
> On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>
>> Found the callback code for MAIL FROM:
>>
>> 'M' SMFIC_MAIL MAIL FROM: information
>> Expected response: Accept/reject action
>>
>> Time for some more coding :D
>>
>> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>>
>>> Another update
>>>
>>> The latest commit to my branch includes more fixes and a new thing that
>>> needs handled now that a Milter is in play. When mail is submitted back to
>>> postfix, it needs to be processed by other things that could reject the
>>> email (such as a blocked sender). This is a problem because MailScanner
>>> does not know how to handle rejects since it has always been part of the
>>> queue process interacting directly with the queues, not before queue
>>> process.
>>>
>>> During message delivery, if a reject is detected, I inject a special
>>> header to the message and requeue it to MailScanner. MailScanner has a
>>> chance, based on this special header to flag the message, remove the
>>> special header, add diagnostic info to the header about the relay, and
>>> quarantine the message. The mail admin is happy knowing that the message
>>> didn't just vanish and has an opportunity to resolve the issue and release
>>> it or know the disposition of the email.
>>>
>>> Another cool thing about this Milter Processor I discovered is you can
>>> simply drop a message into /var/spool/MailScanner/milterin from
>>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D
>>>
>>> This new code is in Message.pm and only becomes active if the milter is
>>> activated.
>>>
>>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>>>
>>>> Oh yeah, here's the config for Postfix:
>>>>
>>>> smtpd_milters = inet:127.0.0.1:33333
>>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>>>>
>>>> /etc/postfix/smtpd_milter_map:
>>>> 127.0.0.0/8 DISABLE
>>>> ::/64 DISABLE
>>>>
>>>> This allows scanned emails to pass the milter, as well as notifications
>>>> sent from the localhost. You do need at least Postfix version 3.2 I
>>>> believe to have milter map support.
>>>>
>>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>>>>
>>>>> MailScanner users:
>>>>>
>>>>> The MailScanner Milter project is coming along nicely.
>>>>>
>>>>> https://github.com/shawniverson/v5/commits/081118msmilter
>>>>>
>>>>> I am currently running this on a split relay to test the milter
>>>>> without impacting production email.
>>>>>
>>>>> The design is fairly simple, although development has taken about 40
>>>>> hours of my time. I know more about MailScanner (and perl) than I ever
>>>>> have :D
>>>>>
>>>>> The Milter is integrated into MailScanner and forks as a branch of the
>>>>> MailScanner process tree, keeping systemd happy.
>>>>>
>>>>> The Milter process intercepts incoming email and tells postfix to
>>>>> DISCARD, which basically accepts the mail and silently drops it before
>>>>> entering the queue. At the same time, the Milter writes a raw email file
>>>>> to the /var/spool/MailScanner/milterin queue.
>>>>>
>>>>> MailScanner picks up the message batches in the milterin directory,
>>>>> processes them, and spits them out to /var/spool/MailScanner/milterout
>>>>> directory as raw email files.
>>>>>
>>>>> The MSMail Processor (new) relays the messages to postfix for further
>>>>> processing over port 25. An optional localhost rule in header_checks
>>>>> removes the local entry from the header before delivery.
>>>>>
>>>>> The benefits are that the postfix queue is not touched at all
>>>>> throughout this process, making the solution (hopefully) an acceptable one
>>>>> within the postfix community. It is also very fast, and the codebase for
>>>>> this method is smaller than even the Postfix Processor, and MailScanner
>>>>> gets its own queues, separate from postfix.
>>>>>
>>>>> One drawback to this method is there is no apparent way to extract the
>>>>> Envelope From address (at least not yet, perhaps I am missing a milter
>>>>> code), although it doesn't appear that MailScanner is all that concerned
>>>>> about it and doesn't go out of its way to capture it. I think it is
>>>>> important though, for spoof detection, so I will continue to research this.
>>>>>
>>>>> Anyone that is willing to get their feet wet and test can apply the
>>>>> following files from my branch:
>>>>>
>>>>> (In common)
>>>>> /usr/sbin/MailScanner
>>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>>>
>>>>> Then create the following dirs:
>>>>> mkdir -p /var/spool/MailScanner/milterin
>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>>>> mkdir -p /var/spool/MailScanner/milterout
>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>>>
>>>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>>>> MTA = MSMail
>>>>> MSMail Queue Type = short | long (pick one that matches your postfix
>>>>> setting)
>>>>>
>>>>> I recommend doing this in a test or split relay environment that
>>>>> blackholes email.
>>>>> Do not use in production yet ;)
>>>>>
>>>>> Known issues at the moment:
>>>>> MailWatch doesn't recognize MSMail as an 'MTA' so the queue stats do
>>>>> not appear
>>>>> More validation and error handling is needed throughout. Weird emails
>>>>> abound!
>>>>> Need to know the envelope from sender. Currently hidden from the
>>>>> milter, but hopefully exposable via a callback code.
>>>>>
>>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>>>>>
>>>>>> Dear MailScanner users:
>>>>>>
>>>>>> I am officially working on creating a lightweight milter for
>>>>>> MailScanner.
>>>>>>
>>>>>> This milter will not provide MTA protocol rejection for postfix, due
>>>>>> to the severe performance penalty it would cause. All mail will be
>>>>>> intercepted, accepted, and silently dropped from the postfix queue and
>>>>>> placed in a MailScanner queue.
>>>>>>
>>>>>> I have a working prototype, and it is processing mail! It is in need
>>>>>> of heavy refactoring and some bug squashing.
>>>>>>
>>>>>> Currently it attempts to create a postfix formatted queue file (very
>>>>>> ugly, who thought up this file format???!!!). I may instead create a new
>>>>>> Milter Processor for MailScanner that reduces the overhead of doing this
>>>>>> and can read the incoming email in a simple line-by-line format. This may
>>>>>> also increase performance overall and reduce all the conversions happening.
>>>>>>
>>>>>> The other side of the coin is what to do when MailScanner is done
>>>>>> processing mail. Currently, it generates a postfix queue file and drops it
>>>>>> into postfix incoming directory. It should not do this but instead drop
>>>>>> the message into postfix using native postfix tools. That will be the next
>>>>>> part I tackle as part of the Milter Processor.
>>>>>>
>>>>>> Why am I doing this?
>>>>>> I want to place MailScanner back in a good
>>>>>> standing with Postfix folks (at least when the milter + postfix method is
>>>>>> in use).
>>>>>>
>>>>>> I have no plans of removing the old method but rather provide a more
>>>>>> supported path for postfix users.
>>>>>>
>>>>>> Wish me luck. I could be heard across the neighborhood when
>>>>>> MailScanner processed an email from the Milter for the first time! :D
>>>>>>
>>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones wrote:
>>>>>>
>>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>>>>> > David,
>>>>>>> >
>>>>>>> > I agree that this is true, and part of my lack of motivation to do it.
>>>>>>> > One reason I wanted it as an option was to reconcile the ongoing
>>>>>>> > conflict with the postfix community and return MailScanner to good
>>>>>>> > standing to this community. Wietse has been very stern about
>>>>>>> > MailScanner directly tapping the postfix queues.
>>>>>>> >
>>>>>>> > Perhaps an alternative option would be to create a fast MailScanner
>>>>>>> > milter that behaves more like the HOLD queue. Basically just a milter
>>>>>>> > that immediately fires back accept to postfix and places all the
>>>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
>>>>>>> > queue. Doing so would maintain speed, simplicity, and be more compliant
>>>>>>> > with postfix. The code would also be very simple.
>>>>>>> >
>>>>>>> > Then, as you say, if you need MTA level functionality for SA, use other
>>>>>>> > software and methods.
>>>>>>> >
>>>>>>>
>>>>>>> This light MS milter would make a lot of sense based on your goal to get
>>>>>>> compliant with Postfix and back "in" with the Postfix community.
>>>>>>> +1
>>>>>>>
>>>>>>> >
>>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones wrote:
>>>>>>> >
>>>>>>> > On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>>>>> > > I have been planning for a MailScanner milter for quite some time. I
>>>>>>> > > have been specifically studying rspamd's milter source for this purpose.
>>>>>>> > > Alas, lack of time and lack of money are always an issue, and I put a
>>>>>>> > > lot of hours in my day job. As Jerry would say, I like to eat and have
>>>>>>> > > a roof over my head :D
>>>>>>> > >
>>>>>>> > > If I do find the time to build a milter, performance will definitely be
>>>>>>> > > impacted. The reason is that postfix will have to keep each session
>>>>>>> > > open for the duration of scanning, and each MailScanner child would have
>>>>>>> > > to issue a callback to postfix after scanning the spam so that postfix
>>>>>>> > > can respond to the connection appropriately (i.e. reject or accept).
>>>>>>> > > This will slow down mail processing considerably. If I do this, I am
>>>>>>> > > going to keep the HOLD queue around, so you would have to choose between
>>>>>>> > > speed or MTA level rejection functionality.
>>>>>>> > >
>>>>>>> >
>>>>>>> > My gut tells me that this is going to be so slow, that it's not going to
>>>>>>> > be worth the time to put into it. If you want to reject at MTA time,
>>>>>>> > throw in amavis-new or spamd (not rspamd) using the same SpamAssassin
>>>>>>> > rules and Bayes DB to get most of the same features as MailScanner
>>>>>>> > during the SMTP conversation. Then the mail that gets through can be
>>>>>>> > filtered by MailScanner for its extra features that make it unique.
>>>>>>> >
>>>>>>> > I understand there are different local legal requirements around the
>>>>>>> > world that if email is accepted at MTA time then it has to be passed on
>>>>>>> > to the end user's mailbox. If you are located in one of these
>>>>>>> > countries, then this would be more of an issue. But since I am in a
>>>>>>> > country that doesn't have this legal requirement, I do block email
>>>>>>> > post-MTA by MailScanner.
>>>>>>> >
>>>>>>> > The majority of my spam is blocked at the MTA level already by highly
>>>>>>> > tuned RBLs and postscreen's RBL weighting which is very, very good.
>>>>>>> > Only a small percentage of spam that is zero-hour or from compromised
>>>>>>> > accounts makes it to MailScanner.
>>>>>>> >
>>>>>>> > I highly recommend the Invaluement RBL. It's very accurate -- only 1 or
>>>>>>> > 2 false positives over 5+ the years. This RBL is very cost effective
>>>>>>> > and has allowed me to disable all Spamhaus RBL checks in SpamAssassin
>>>>>>> > saving thousands of dollars a year. (We have too high a volume to stay
>>>>>>> > under the free usage limits of Spamhaus so we were having to pay for the
>>>>>>> > RBL feed.)
>>>>>>> >
>>>>>>> > >
>>>>>>> > > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner wrote:
>>>>>>> > >
>>>>>>> > > On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
>>>>>>> > > >
>>>>>>> > > > Hi Mailscanner friends,
>>>>>>> > > >
>>>>>>> > > > is there any progress to make MailScanner usable as a postfix milter?
>>>>>>> > > > The biggest problem I have is, SPAM is not possible to reject when
>>>>>>> > > > reaching a high score at MTA level.
>>>>>>> > > > For my understanding, connect via
>>>>>>> > > > milter instead of queue ^HOLD would be the solution.
>>>>>>> > > >
>>>>>>> > > > For the next decade we are still using MailScanner instead of others
>>>>>>> > > > like Rspamd, because MailScanner is like a mail suite for mail security,
>>>>>>> > > > but if there will never be the possibility to reject at MTA level the
>>>>>>> > > > high score spam, we will also change in 1-3 years while replacing the OS
>>>>>>> > > > beyond.
>>>>>>> > > >
>>>>>>> > >
>>>>>>> > > One of MailScanner's strongest features is its batch mode processing
>>>>>>> > > that will allow it to handle a very high volume of mail flow. I doubt
>>>>>>> > > that MailScanner will ever be changed to run as a milter for this
>>>>>>> > > reason.
>>>>>>> > >
>>>>>>> > > I tried rspamd and found it wasn't as good as the author claims so no
>>>>>>> > > reason to try to use that as a milter. It also wasn't as fast as it
>>>>>>> > > claims. I could not send high volumes of mail through it like I could
>>>>>>> > > with MailScanner.
>>>>>>> > >
>>>>>>> > > If you want to block high scoring spam at the MTA level, I suggest using
>>>>>>> > > amavis or spamd with the same SA rulesets as MailScanner. This will get
>>>>>>> > > you most of the power of MailScanner's blocking at the MTA.
>>>>>>> > >
>>>>>>> > > https://wiki.apache.org/spamassassin/IntegratedInMta
>>>>>>> > >
>>>>>>> > > If you use postscreen and postwhite at the Postfix MTA level, you
>>>>>>> > > can block most of the obvious spam with a tuned list of RBLs.
>>>>>>> > > See the SA users mailing list over the past year for details on this from me
>>>>>>> > > and a few others.
>>>>>>> > >
>>>>>>> > > I suggest setting up a quick test VM with iRedmail to get a good example
>>>>>>> > > of how to do TLS and amavis integration well with Postfix.
>>>>>>> > >
>>>>>>> > > --
>>>>>>> > > David Jones
>>>>>>> > >
>>>>>>> > > --
>>>>>>> > > MailScanner mailing list
>>>>>>> > > mailscanner at lists.mailscanner.info
>>>>>>> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>> > >
>>>>>>> > > --
>>>>>>> > > Shawn Iverson, CETL
>>>>>>> > > Director of Technology
>>>>>>> > > Rush County Schools
>>>>>>> > > 765-932-3901 x1171
>>>>>>> > > iversons at rushville.k12.in.us
>>>>>>> > >
>>>>>>> >
>>>>>>> > --
>>>>>>> > David Jones
>>>>>>> >
>>>>>>> > --
>>>>>>> > Shawn Iverson, CETL
>>>>>>> > Director of Technology
>>>>>>> > Rush County Schools
>>>>>>> > 765-932-3901 x1171
>>>>>>> > iversons at rushville.k12.in.us
>>>>>>> >
>>>>>>>
>>>>>>> --
>>>>>>> David Jones
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Shawn Iverson, CETL
>>>>>> Director of Technology
>>>>>> Rush County Schools
>>>>>> 765-932-3901 x1171
>>>>>> iversons at rushville.k12.in.us
>>>>>>
>>>>>
>>>>> --
>>>>> Shawn Iverson, CETL
>>>>> Director of Technology
>>>>> Rush County Schools
>>>>> 765-932-3901 x1171
>>>>> iversons at rushville.k12.in.us
>>>>>
>>>>
>>>> --
>>>> Shawn Iverson, CETL
>>>> Director of Technology
>>>> Rush County Schools
>>>> 765-932-3901 x1171
>>>> iversons at rushville.k12.in.us
>>>>
>>>
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Mon Aug 20 15:49:46 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 20 Aug 2018 11:49:46 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch> <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com> <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

Corrected link

https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de35164

On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson wrote:

> RFC 5321 support added.
>
> Also reviewing RFC 822, particularly handling of delivery failure notices,
> with respect to the milter.
>
> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de351645321
>
> Currently addressing a bug with the daemon forking new children. Seems
> to be caused by the Milter being a child process of MailScanner. If I
> cannot resolve, I plan to separate the Milter into its own daemon. This
> may be better anyway and allow both to be managed independently.
>
> On Sun, Aug 19, 2018 at 5:14 PM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>
>> Latest commit
>>
>> Spamassassin/MailScanner are now comparing envelope from and from
>> properly :)
>>
>> https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b
>>
>> Todo:
>>
>> Cleanup code
>> Add more options to mailscanner config, such as # of milter threads, etc.
>> Remove hard coded items where feasible >> Honor placement of Header entries in header (top or bottom) >> Test Test Test (anyone interested is welcome!) >> Patches for MailWatch to handle new queues and process counts >> Fix bug observed where mailscanner thinks processes are still running >> when stopping (but aren't, harmless, just weird) >> >> Feedback is welcome. >> >> >> >> >> >> >> >> On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson < >> iversons at rushville.k12.in.us> wrote: >> >>> Found the callback code for MAIL FROM: >>> >>> 'M' SMFIC_MAIL MAIL FROM: information >>> Expected response: Accept/reject action >>> >>> Time for some more coding :D >>> >>> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson < >>> iversons at rushville.k12.in.us> wrote: >>> >>>> Another update >>>> >>>> The latest commit to my branch includes more fixes and a new thing that >>>> needs handled now that a Milter is in play. When mail is submitted back to >>>> postfix, it needs to be processed by other things that could reject the >>>> email (such as an blocked sender). This is a problem because MailScanner >>>> does not know how to handle rejects since it has always been part of the >>>> queue process interacting directly with the queues, not before queue >>>> process. >>>> >>>> During message delivery, if a reject is detected, I inject a special >>>> header to the message and requeue it to MailScanner. MailScanner has a >>>> chance, based on this special header to flag the message, remove the >>>> special header, add diagnostic info to the header about the relay, and >>>> quarantine the message. The mail admin is happy knowing that the message >>>> didn't just vanish and has an opportunity to resolve the issue and release >>>> it or know the disposition of the email. 
>>>> >>>> Another cool thing about this Milter Processor I discovered is you can >>>> simply drop a message into /var/spool/MailScanner/milterin from >>>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D >>>> >>>> This new code is in Message.pm and only becomes active if the milter is >>>> activated. >>>> >>>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson < >>>> iversons at rushville.k12.in.us> wrote: >>>> >>>>> Oh yeah, here's the config for Postfix: >>>>> >>>>> smtpd_milters = inet:127.0.0.1:33333 >>>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map >>>>> >>>>> /etc/postfix/smtpd_milter_map: >>>>> 127.0.0.0/8 DISABLE >>>>> ::/64 DISABLE >>>>> >>>>> This allows scanned emails to pass the milter, as well as >>>>> notifications sent from the localhost. You do need at least Postfix >>>>> version 3.2 I believe to have milter map support. >>>>> >>>>> >>>>> >>>>> >>>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson < >>>>> iversons at rushville.k12.in.us> wrote: >>>>> >>>>>> MailScanner users: >>>>>> >>>>>> The MailScanner Milter project is coming along nicely. >>>>>> >>>>>> https://github.com/shawniverson/v5/commits/081118msmilter >>>>>> >>>>>> I am currently running this on a split relay to test the milter >>>>>> without impacting production email. >>>>>> >>>>>> The design is fairly simple, although development has taken about 40 >>>>>> hours of my time. I know more about MailScanner (and perl) than I ever >>>>>> have :D >>>>>> >>>>>> The Milter is integrated into MailScanner and forks as a branch of >>>>>> the MailScanner process tree, keeping systemd happy. >>>>>> >>>>>> The Milter process intercepts incoming email and tells postfix to >>>>>> DISCARD, which basically accepts the mail and silently drops it before >>>>>> entering the queue. At the same time, the Milter writes a raw email file >>>>>> to the /var/spool/MailScanner/milterin queue. 
>>>>>>
>>>>>> MailScanner picks up the message batches in the milterin directory,
>>>>>> processes them, and spits them out to /var/spool/MailScanner/milterout
>>>>>> directory as raw email files.
>>>>>>
>>>>>> The MSMail Processor (new) relays the messages to postfix for further
>>>>>> processing over port 25. An optional localhost rule in header_checks
>>>>>> removes the local entry from the header before delivery.
>>>>>>
>>>>>> The benefits are that the postfix queue is not touched at all
>>>>>> throughout this process, making the solution (hopefully) an acceptable
>>>>>> one within the postfix community. It is also very fast, and the
>>>>>> codebase for this method is smaller than even the Postfix Processor,
>>>>>> and MailScanner gets its own queues, separate from postfix.
>>>>>>
>>>>>> One drawback to this method is there is no apparent way to extract
>>>>>> the Envelope From address (at least not yet, perhaps I am missing a
>>>>>> milter code), although it doesn't appear that MailScanner is all that
>>>>>> concerned about it and doesn't go out of its way to capture it. I
>>>>>> think it is important though, for spoof detection, so I will continue
>>>>>> to research this.
>>>>>>
>>>>>> Anyone that is willing to get their feet wet and test can apply the
>>>>>> following files from my branch:
>>>>>>
>>>>>> (In common)
>>>>>> /usr/sbin/MailScanner
>>>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>>>>
>>>>>> Then create the following dirs:
>>>>>> mkdir -p /var/spool/MailScanner/milterin
>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>>>>> mkdir -p /var/spool/MailScanner/milterout
>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>>>>
>>>>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>>>>> MTA = MSMail
>>>>>> MSMail Queue Type = short | long (pick one that matches your postfix
>>>>>> setting)
>>>>>>
>>>>>> I recommend doing this in a test or split relay environment that
>>>>>> blackholes email. Do not use in production yet ;)
>>>>>>
>>>>>> Known issues at the moment:
>>>>>> MailWatch doesn't recognize MSMail as an 'MTA' so the queue stats do
>>>>>> not appear
>>>>>> More validation and error handling is needed throughout. Weird
>>>>>> emails abound!
>>>>>> Need to know the envelope from sender. Currently hidden from the
>>>>>> milter, but hopefully exposable via a callback code.
>>>>>>
>>>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>>>>>>
>>>>>>> Dear MailScanner users:
>>>>>>>
>>>>>>> I am officially working on creating a lightweight milter for
>>>>>>> MailScanner.
>>>>>>>
>>>>>>> This milter will not provide MTA protocol rejection for postfix, due
>>>>>>> to the severe performance penalty it would cause.
>>>>>>> All mail will be intercepted, accepted, and silently dropped from the
>>>>>>> postfix queue and placed in a MailScanner queue.
>>>>>>>
>>>>>>> I have a working prototype, and it is processing mail! It is in
>>>>>>> need of heavy refactoring and some bug squashing.
>>>>>>>
>>>>>>> Currently it attempts to create a postfix formatted queue file (very
>>>>>>> ugly, who thought up this file format???!!!). I may instead create a
>>>>>>> new Milter Processor for MailScanner that reduces the overhead of
>>>>>>> doing this and can read the incoming email in a simple line-by-line
>>>>>>> format. This may also increase performance overall and reduce all the
>>>>>>> conversions happening.
>>>>>>>
>>>>>>> The other side of the coin is what to do when MailScanner is done
>>>>>>> processing mail. Currently, it generates a postfix queue file and
>>>>>>> drops it into postfix incoming directory. It should not do this but
>>>>>>> instead drop the message into postfix using native postfix tools.
>>>>>>> That will be the next part I tackle as part of the Milter Processor.
>>>>>>>
>>>>>>> Why am I doing this? I want to place MailScanner back in a good
>>>>>>> standing with Postfix folks (at least when the milter + postfix
>>>>>>> method is in use).
>>>>>>>
>>>>>>> I have no plans of removing the old method but rather provide a more
>>>>>>> supported path for postfix users.
>>>>>>>
>>>>>>> Wish me luck. I could be heard across the neighborhood when
>>>>>>> MailScanner processed an email from the Milter for the first time! :D
>>>>>>>
>>>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones wrote:
>>>>>>>
>>>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>>>>>> > David,
>>>>>>>> >
>>>>>>>> > I agree that this is true, and part of my lack of motivation to
>>>>>>>> > do it.
>>>>>>>> > One reason I wanted it as an option was to reconcile the ongoing
>>>>>>>> > conflict with the postfix community and return MailScanner to good
>>>>>>>> > standing to this community. Wietse has been very stern about
>>>>>>>> > MailScanner directly tapping the postfix queues.
>>>>>>>> >
>>>>>>>> > Perhaps an alternative option would be to create a fast MailScanner
>>>>>>>> > milter that behaves more like the HOLD queue. Basically just a
>>>>>>>> > milter that immediately fires back accept to postfix and places all
>>>>>>>> > the messages in a MailScanner HOLD queue as opposed to a postfix
>>>>>>>> > HOLD queue. Doing so would maintain speed, simplicity, and be more
>>>>>>>> > compliant with postfix. The code would also be very simple.
>>>>>>>> >
>>>>>>>> > Then, as you say, if you need MTA level functionality for SA, use
>>>>>>>> > other software and methods.
>>>>>>>> >
>>>>>>>>
>>>>>>>> This light MS milter would make a lot of sense based on your goal to
>>>>>>>> get compliant with Postfix and back "in" with the Postfix community. +1
>>>>>>>>
>>>>>>>> >
>>>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones wrote:
>>>>>>>> >
>>>>>>>> > On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>>>>>> > > I have been planning for a MailScanner milter for quite some
>>>>>>>> > > time. I have been specifically studying rspamd's milter source
>>>>>>>> > > for this purpose. Alas, lack of time and lack of money are always
>>>>>>>> > > an issue, and I put a lot of hours in my day job. As Jerry would
>>>>>>>> > > say, I like to eat and have a roof over my head :D
>>>>>>>> > >
>>>>>>>> > > If I do find the time to build a milter, performance will
>>>>>>>> > > definitely be impacted.
>>>>>>>> > > The reason is that postfix will have to keep each session
>>>>>>>> > > open for the duration of scanning, and each MailScanner child
>>>>>>>> > > would have to issue a callback to postfix after scanning the spam
>>>>>>>> > > so that postfix can respond to the connection appropriately (i.e.
>>>>>>>> > > reject or accept). This will slow down mail processing
>>>>>>>> > > considerably. If I do this, I am going to keep the HOLD queue
>>>>>>>> > > around, so you would have to choose between speed or MTA level
>>>>>>>> > > rejection functionality.
>>>>>>>> > >
>>>>>>>> >
>>>>>>>> > My gut tells me that this is going to be so slow, that it's not
>>>>>>>> > going to be worth the time to put into it. If you want to reject at
>>>>>>>> > MTA time, throw in amavis-new or spamd (not rspamd) using the same
>>>>>>>> > SpamAssassin rules and Bayes DB to get most of the same features as
>>>>>>>> > MailScanner during the SMTP conversation. Then the mail that gets
>>>>>>>> > through can be filtered by MailScanner for its extra features that
>>>>>>>> > make it unique.
>>>>>>>> >
>>>>>>>> > I understand there are different local legal requirements around
>>>>>>>> > the world that if email is accepted at MTA time then it has to be
>>>>>>>> > passed on to the end user's mailbox. If you are located in one of
>>>>>>>> > these countries, then this would be more of an issue. But since I
>>>>>>>> > am in a country that doesn't have this legal requirement, I do
>>>>>>>> > block email post-MTA by MailScanner.
>>>>>>>> >
>>>>>>>> > The majority of my spam is blocked at the MTA level already by
>>>>>>>> > highly tuned RBLs and postscreen's RBL weighting which is very,
>>>>>>>> > very good.
>>>>>>>> > Only a small percentage of spam that is zero-hour or from
>>>>>>>> > compromised accounts makes it to MailScanner.
>>>>>>>> >
>>>>>>>> > I highly recommend the Invaluement RBL. It's very accurate -- only
>>>>>>>> > 1 or 2 false positives over the 5+ years. This RBL is very cost
>>>>>>>> > effective and has allowed me to disable all Spamhaus RBL checks in
>>>>>>>> > SpamAssassin saving thousands of dollars a year. (We have too high
>>>>>>>> > a volume to stay under the free usage limits of Spamhaus so we were
>>>>>>>> > having to pay for the RBL feed.)
>>>>>>>> >
>>>>>>>> > >
>>>>>>>> > > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner wrote:
>>>>>>>> > >
>>>>>>>> > > On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
>>>>>>>> > > >
>>>>>>>> > > > Hi Mailscanner friends,
>>>>>>>> > > >
>>>>>>>> > > > is there any progress to make MailScanner usable as a postfix
>>>>>>>> > > > milter? The biggest problem I have is, SPAM is not possible to
>>>>>>>> > > > reject when reaching a high score at MTA level. For my
>>>>>>>> > > > understanding, connect via milter instead of queue ^HOLD would
>>>>>>>> > > > be the solution.
>>>>>>>> > > >
>>>>>>>> > > > For the next decade we are still using MailScanner instead of
>>>>>>>> > > > others like Rspamd, because MailScanner is like a mail suite
>>>>>>>> > > > for mail security, but if there will never be the possibility
>>>>>>>> > > > to reject at MTA level the high score spam, we will also change
>>>>>>>> > > > in 1-3 years while replacing the OS beyond.
>>>>>>>> > > >
>>>>>>>> > >
>>>>>>>> > > One of MailScanner's strongest features is its batch mode
>>>>>>>> > > processing that will allow it to handle a very high volume of
>>>>>>>> > > mail flow. I doubt that MailScanner will ever be changed to run
>>>>>>>> > > as a milter for this reason.
>>>>>>>> > >
>>>>>>>> > > I tried rspamd and found it wasn't as good as the author claims
>>>>>>>> > > so no reason to try to use that as a milter. It also wasn't as
>>>>>>>> > > fast as it claims. I could not send high volumes of mail through
>>>>>>>> > > it like I could with MailScanner.
>>>>>>>> > >
>>>>>>>> > > If you want to block high scoring spam at the MTA level, I
>>>>>>>> > > suggest using amavis or spamd with the same SA rulesets as
>>>>>>>> > > MailScanner. This will get you most of the power of MailScanner's
>>>>>>>> > > blocking at the MTA.
>>>>>>>> > >
>>>>>>>> > > https://wiki.apache.org/spamassassin/IntegratedInMta
>>>>>>>> > >
>>>>>>>> > > If you use postscreen and postwhite at the Postfix MTA level, you
>>>>>>>> > > can block most of the obvious spam with a tuned list of RBLs. See
>>>>>>>> > > the SA users mailing list over the past year for details on this
>>>>>>>> > > from me and a few others.
>>>>>>>> > >
>>>>>>>> > > I suggest setting up a quick test VM with iRedmail to get a good
>>>>>>>> > > example of how to do TLS and amavis integration well with
>>>>>>>> > > Postfix.
>>>>>>>> > >
>>>>>>>> > > --
>>>>>>>> > > David Jones
>>>>>>>> > >
>>>>>>>> > > --
>>>>>>>> > > MailScanner mailing list
>>>>>>>> > > mailscanner at lists.mailscanner.info
>>>>>>>> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>> > >
>>>>>>>> > > --
>>>>>>>> > > Shawn Iverson, CETL
>>>>>>>> > > Director of Technology
>>>>>>>> > > Rush County Schools
>>>>>>>> > > 765-932-3901 x1171
>>>>>>>> > > iversons at rushville.k12.in.us
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > David Jones
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > Shawn Iverson, CETL
>>>>>>>> > Director of Technology
>>>>>>>> > Rush County Schools
>>>>>>>> > 765-932-3901 x1171
>>>>>>>> > iversons at rushville.k12.in.us
>>>>>>>>
>>>>>>>> --
>>>>>>>> David Jones

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Mon Aug 20 22:33:16 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 20 Aug 2018 18:33:16 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch> <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com> <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

Daemonized the Milter

https://github.com/shawniverson/v5/commit/3614686575763cceac965c43212544f37f9f6a24

On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson wrote:

> Corrected link
>
> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de35164
>
> On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>
>> RFC 5321 support added.
>>
>> Also reviewing RFC 822, particularly handling of delivery failure
>> notices, with respect to the milter.
>>
>> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de351645321
>>
>> Currently addressing a bug with the daemon forking new children. Seems
>> to be caused by the Milter being a child process of MailScanner. If I
>> cannot resolve, I plan to separate the Milter into its own daemon. This
>> may be better anyway and allow both to be managed independently.
>> >> On Sun, Aug 19, 2018 at 5:14 PM Shawn Iverson < >> iversons at rushville.k12.in.us> wrote: >> >>> Latest commit >>> >>> Spamassassin/MailScanner are now comparing envelope from and from >>> properly :) >>> >>> >>> https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b >>> >>> Todo: >>> >>> Cleanup code >>> Add more options to mailscanner config, such as # of milter threads, etc. >>> Remove hard coded items where feasible >>> Honor placement of Header entries in header (top or bottom) >>> Test Test Test (anyone interested is welcome!) >>> Patches for MailWatch to handle new queues and process counts >>> Fix bug observed where mailscanner thinks processes are still running >>> when stopping (but aren't, harmless, just weird) >>> >>> Feedback is welcome. >>> >>> >>> >>> >>> >>> >>> >>> On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson < >>> iversons at rushville.k12.in.us> wrote: >>> >>>> Found the callback code for MAIL FROM: >>>> >>>> 'M' SMFIC_MAIL MAIL FROM: information >>>> Expected response: Accept/reject action >>>> >>>> Time for some more coding :D >>>> >>>> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson < >>>> iversons at rushville.k12.in.us> wrote: >>>> >>>>> Another update >>>>> >>>>> The latest commit to my branch includes more fixes and a new thing >>>>> that needs handled now that a Milter is in play. When mail is submitted >>>>> back to postfix, it needs to be processed by other things that could reject >>>>> the email (such as an blocked sender). This is a problem because >>>>> MailScanner does not know how to handle rejects since it has always been >>>>> part of the queue process interacting directly with the queues, not before >>>>> queue process. >>>>> >>>>> During message delivery, if a reject is detected, I inject a special >>>>> header to the message and requeue it to MailScanner. 
MailScanner has a >>>>> chance, based on this special header to flag the message, remove the >>>>> special header, add diagnostic info to the header about the relay, and >>>>> quarantine the message. The mail admin is happy knowing that the message >>>>> didn't just vanish and has an opportunity to resolve the issue and release >>>>> it or know the disposition of the email. >>>>> >>>>> Another cool thing about this Milter Processor I discovered is you can >>>>> simply drop a message into /var/spool/MailScanner/milterin from >>>>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D >>>>> >>>>> This new code is in Message.pm and only becomes active if the milter >>>>> is activated. >>>>> >>>>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson < >>>>> iversons at rushville.k12.in.us> wrote: >>>>> >>>>>> Oh yeah, here's the config for Postfix: >>>>>> >>>>>> smtpd_milters = inet:127.0.0.1:33333 >>>>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map >>>>>> >>>>>> /etc/postfix/smtpd_milter_map: >>>>>> 127.0.0.0/8 DISABLE >>>>>> ::/64 DISABLE >>>>>> >>>>>> This allows scanned emails to pass the milter, as well as >>>>>> notifications sent from the localhost. You do need at least Postfix >>>>>> version 3.2 I believe to have milter map support. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson < >>>>>> iversons at rushville.k12.in.us> wrote: >>>>>> >>>>>>> MailScanner users: >>>>>>> >>>>>>> The MailScanner Milter project is coming along nicely. >>>>>>> >>>>>>> https://github.com/shawniverson/v5/commits/081118msmilter >>>>>>> >>>>>>> I am currently running this on a split relay to test the milter >>>>>>> without impacting production email. >>>>>>> >>>>>>> The design is fairly simple, although development has taken about 40 >>>>>>> hours of my time. 
I know more about MailScanner (and perl) than I ever >>>>>>> have :D >>>>>>> >>>>>>> The Milter is integrated into MailScanner and forks as a branch of >>>>>>> the MailScanner process tree, keeping systemd happy. >>>>>>> >>>>>>> The Milter process intercepts incoming email and tells postfix to >>>>>>> DISCARD, which basically accepts the mail and silently drops it before >>>>>>> entering the queue. At the same time, the Milter writes a raw email file >>>>>>> to the /var/spool/MailScanner/milterin queue. >>>>>>> >>>>>>> MailScanner picks up the message batches in the milterin directory, >>>>>>> processes them, and spits them out to /var/spool/MailScanner/milterout >>>>>>> directory as raw email files. >>>>>>> >>>>>>> The MSMail Processor (new) relays the messages to postfix for >>>>>>> further processing over port 25. A optional localhost rule in >>>>>>> header_checks removes the local entry from the header before delivery. >>>>>>> >>>>>>> The benefits are that the postfix queue is not touched at all >>>>>>> throughout this process, making the solution (hopefully) an acceptable one >>>>>>> within the postfix community. It is also very fast, and the codebase for >>>>>>> this method is smaller than even the Postfix Processor, and MailScanner >>>>>>> gets its own queues, separate from postfix. >>>>>>> >>>>>>> One drawback to this method is there is no apparent way to extract >>>>>>> the Envelope From address (at least not yet, perhaps I am missing a milter >>>>>>> code), although it doesn't appear that MailScanner is all that concerned >>>>>>> about it and doesn't go out of its way to capture it. I think it is >>>>>>> important though, for spoof detection, so I will continue to research this. 
>>>>>>> >>>>>>> Anyone that is willing to get their feet wet and test can apply the >>>>>>> following files from my branch: >>>>>>> >>>>>>> (In common) >>>>>>> /usr/sbin/MailScanner >>>>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm >>>>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm >>>>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm >>>>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm >>>>>>> >>>>>>> Then create the following dirs: >>>>>>> mkdir -p /var/spool/MailScanner/milterin >>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin >>>>>>> mkdir -p /var/spool/MailScanner/milterout >>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout >>>>>>> >>>>>>> Apply the following to /etc/MailScanner/MailScanner.conf: >>>>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin >>>>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout >>>>>>> MTA = MSMail >>>>>>> MSMail Queue Type = short | long (pick one that matches your postfix >>>>>>> setting) >>>>>>> >>>>>>> I recommend doing this in a test or split relay environment that >>>>>>> blackholes email. Do not use in production yet ;) >>>>>>> >>>>>>> Known issues at the moment: >>>>>>> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do >>>>>>> not appear >>>>>>> More validation and error handling is needed throughout. Weird >>>>>>> emails abound! >>>>>>> Need to know the envelope from sender. Currently hidden from the >>>>>>> milter, but hopefully exposable via a callback code. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson < >>>>>>> iversons at rushville.k12.in.us> wrote: >>>>>>> >>>>>>>> Dear MailScanner users: >>>>>>>> >>>>>>>> I am officially working on creating a lightweight milter for >>>>>>>> MailScanner. >>>>>>>> >>>>>>>> This milter will not provide MTA protocol rejection for postfix, >>>>>>>> due to the severe performance penalty it would cause. 
All mail will be >>>>>>>> intercepted, accepted, and silently dropped from the postfix queue and >>>>>>>> placed in a MailScanner queue. >>>>>>>> >>>>>>>> I have a working prototype, and it is processing mail! It is in >>>>>>>> need of heavy refactoring and some bug squashing. >>>>>>>> >>>>>>>> Currently it attempts to create a postfix formatted queue file >>>>>>>> (very ugly, who thought up this file format???!!!). I may instead create a >>>>>>>> new Milter Processor for MailScanner that reduces the overhead of doing >>>>>>>> this and can read the incoming email in a simple line-by-line format. This >>>>>>>> may also increase performance overall and reduce all the conversions >>>>>>>> happening. >>>>>>>> >>>>>>>> The other side of the coin is what to do when MailScanner is done >>>>>>>> processing mail. Currently, it generates a postfix queue file and drops it >>>>>>>> into postfix incoming directory. It should not do this but instead drop >>>>>>>> the message into postfix using native postfix tools. That will be the next >>>>>>>> part I tackle as part of the Milter Processor. >>>>>>>> >>>>>>>> Why am I doing this? I want to place MailScanner back in a good >>>>>>>> standing with Postfix folks (at least when the milter + postfix method is >>>>>>>> in use). >>>>>>>> >>>>>>>> I have no plans of removing the old method but rather provide a >>>>>>>> more supported path for postfix users. >>>>>>>> >>>>>>>> Wish me luck. I could be heard across the neighborhood when >>>>>>>> MailScanner processed an email from the Milter for the first time! :D >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones wrote: >>>>>>>> >>>>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote: >>>>>>>>> > David, >>>>>>>>> > >>>>>>>>> > I agree that this is true, and part of my lack of motivation to >>>>>>>>> do it. 
>>>>>>>>> > One reason I wanted it as an option was to reconcile the ongoing >>>>>>>>> > conflict with the postfix community and return MailScanner to >>>>>>>>> good >>>>>>>>> > standing to this community. Weitze has been very stern about >>>>>>>>> > MailScanner directly tapping the postfix queues. >>>>>>>>> > >>>>>>>>> > Perhaps an alternative option would be to create a fast >>>>>>>>> MailScanner >>>>>>>>> > milter that behaves more like the HOLD queue. Basically just a >>>>>>>>> milter >>>>>>>>> > that immediately fires back accept to postfix and places all the >>>>>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix >>>>>>>>> HOLD >>>>>>>>> > queue. Doing so would maintain speed, simplicity, and be more >>>>>>>>> compliant >>>>>>>>> > with postfix. The code would also be very simple. >>>>>>>>> > >>>>>>>>> > Then, as you say, if you need MTA level functionality for SA, >>>>>>>>> use other >>>>>>>>> > software and methods. >>>>>>>>> > >>>>>>>>> > >>>>>>>>> >>>>>>>>> This light MS milter would make a lot of sense based on your goal >>>>>>>>> to get >>>>>>>>> compliant with Postfix and back "in" with the Postfix community. >>>>>>>>> +1 >>>>>>>>> >>>>>>>>> > >>>>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones >>>>>>>> > > wrote: >>>>>>>>> > >>>>>>>>> > On 08/11/2018 08:15 AM, Shawn Iverson wrote: >>>>>>>>> > > I have been planning for a MailScanner milter for quite >>>>>>>>> some >>>>>>>>> > time. I >>>>>>>>> > > have been specifically studying rpamd's milter source for >>>>>>>>> this >>>>>>>>> > purpose. >>>>>>>>> > > Alas, lack of time and lack of money are always an issue, >>>>>>>>> and I >>>>>>>>> > put a >>>>>>>>> > > lot of hours in my day job. As Jerry would say, I like >>>>>>>>> to eat >>>>>>>>> > and have >>>>>>>>> > > a roof over my head :D >>>>>>>>> > > >>>>>>>>> > > If I do find the time to build a milter, performance will >>>>>>>>> > definitely be >>>>>>>>> > > impacted. 
The reason is that postfix will have to keep >>>>>>>>> each session >>>>>>>>> > > open for the duration of scanning, and each MailScanner >>>>>>>>> child >>>>>>>>> > would have >>>>>>>>> > > to issue a callback to postfix after scanning the spam so >>>>>>>>> that >>>>>>>>> > postfix >>>>>>>>> > > can responds to the connection appropriately (i.e. >>>>>>>>> reject or >>>>>>>>> > accept). >>>>>>>>> > > This will slow down mail processing considerably. If I >>>>>>>>> do this, >>>>>>>>> > I am >>>>>>>>> > > going to keep the HOLD queue around, so you would have to >>>>>>>>> choose >>>>>>>>> > between >>>>>>>>> > > speed or MTA level rejection functionality. >>>>>>>>> > > >>>>>>>>> > > >>>>>>>>> > > >>>>>>>>> > >>>>>>>>> > My gut tells me that this is going to be so slow, that it's >>>>>>>>> not >>>>>>>>> > going to >>>>>>>>> > be worth the time to put into it. If you want to reject at >>>>>>>>> MTA time, >>>>>>>>> > throw in amavis-new or spamd (not rspamd) using the same >>>>>>>>> SpamAsssassin >>>>>>>>> > rules and Bayes DB to get most of the same features as >>>>>>>>> MailScanner >>>>>>>>> > during the SMTP conversation. Then the mail that gets >>>>>>>>> through can be >>>>>>>>> > filtered by MailScanner for it's extra features that make it >>>>>>>>> unique. >>>>>>>>> > >>>>>>>>> > I understand there are different local legal requirements >>>>>>>>> around the >>>>>>>>> > world that if email is accepted at MTA time then it has to >>>>>>>>> be passed on >>>>>>>>> > to the end user's mailbox. If you are located in one of >>>>>>>>> these >>>>>>>>> > countries, then this would be more of an issue. But since I >>>>>>>>> am in a >>>>>>>>> > country that doesn't have this legal requirement, I do block >>>>>>>>> email >>>>>>>>> > post-MTA by MailScanner. >>>>>>>>> > >>>>>>>>> > The majority of my spam is blocked at the MTA level already >>>>>>>>> by highly >>>>>>>>> > tuned RBLs and postscreen's RBL weighting which is very, >>>>>>>>> very good. 
>>>>>>>>> > Only a small percentage of spam that is zero-hour or from >>>>>>>>> compromised >>>>>>>>> > accounts makes it to MailScanner. >>>>>>>>> > >>>>>>>>> > I highly recommend the Invaluement RBL. It's very accurate >>>>>>>>> -- only >>>>>>>>> > 1 or >>>>>>>>> > 2 false positives over 5+ the years. This RBL is very cost >>>>>>>>> effective >>>>>>>>> > and has allowed me to disable all Spamhaus RBL checks in >>>>>>>>> SpamAssassin >>>>>>>>> > saving thousands of dollars a year. (We have too high a >>>>>>>>> volume to stay >>>>>>>>> > under the free usage limits of Spamhaus so we were having to >>>>>>>>> pay for >>>>>>>>> > the >>>>>>>>> > RBL feed.) >>>>>>>>> > >>>>>>>>> > > >>>>>>>>> > > >>>>>>>>> > > >>>>>>>>> > > On Tue, Aug 7, 2018 at 10:52 AM David Jones via >>>>>>>>> MailScanner >>>>>>>>> > > >>>>>>>> > >>>>>>>>> > > >>>>>>>> > >> wrote: >>>>>>>>> > > >>>>>>>>> > > On 08/07/2018 05:03 AM, info at schroeffu.ch >>>>>>>>> > >>>>>>>> > > >>>>>>>>> > > wrote: >>>>>>>>> > > > >>>>>>>>> > > > Hi Mailscanner friends, >>>>>>>>> > > > >>>>>>>>> > > > is there any progress to make MailScanner usable >>>>>>>>> as a >>>>>>>>> > postfix milter? >>>>>>>>> > > > The most biggest problem I have is, SPAM is not >>>>>>>>> possible to >>>>>>>>> > > reject when >>>>>>>>> > > > reaching a high score at MTA level. For my >>>>>>>>> understanding, >>>>>>>>> > connect >>>>>>>>> > > via >>>>>>>>> > > > milter instead of queue ^HOLD would be the >>>>>>>>> solution. >>>>>>>>> > > > >>>>>>>>> > > > For the next decade we are still using MailScanner >>>>>>>>> instead >>>>>>>>> > of others >>>>>>>>> > > > like Rspamd, because MailScanner is like a mail >>>>>>>>> suite for mail >>>>>>>>> > > security, >>>>>>>>> > > > but if there will never be the possibility to >>>>>>>>> reject at >>>>>>>>> > MTA level >>>>>>>>> > > the >>>>>>>>> > > > high score spam, we will also change in 1-3 years >>>>>>>>> while >>>>>>>>> > replacing >>>>>>>>> > > the OS >>>>>>>>> > > > beyond. 
>>>>>>>>> > > > >>>>>>>>> > > >>>>>>>>> > > One of MailScanner's strongest features is it's batch >>>>>>>>> mode >>>>>>>>> > processing >>>>>>>>> > > that will allow it to handle a very high volume of >>>>>>>>> mail >>>>>>>>> > flow. I doubt >>>>>>>>> > > that MailScanner will ever be changed to run as a >>>>>>>>> milter for this >>>>>>>>> > > reason. >>>>>>>>> > > >>>>>>>>> > > I tried rspamd and found it wasn't as good as the >>>>>>>>> author >>>>>>>>> > claims so no >>>>>>>>> > > reason to try to use that as a milter. It also >>>>>>>>> wasn't as >>>>>>>>> > fast as it >>>>>>>>> > > claims. I could not send high volumes of mail >>>>>>>>> through it >>>>>>>>> > like I could >>>>>>>>> > > with MailScanner. >>>>>>>>> > > >>>>>>>>> > > If you want to block high scoring spam at the MTA >>>>>>>>> level, I >>>>>>>>> > suggest >>>>>>>>> > > using >>>>>>>>> > > amavis or spamd with the same SA rulesets as >>>>>>>>> MailScanner. >>>>>>>>> > This will >>>>>>>>> > > get >>>>>>>>> > > you most of the power of MailScanner's blocking at >>>>>>>>> the MTA. >>>>>>>>> > > >>>>>>>>> > > https://wiki.apache.org/spamassassin/IntegratedInMta >>>>>>>>> > > >>>>>>>>> > > If you you use postscreen and postwhite at the >>>>>>>>> Postfix MTA >>>>>>>>> > level, you >>>>>>>>> > > can block most of the obvious spam with a tuned list >>>>>>>>> of >>>>>>>>> > RBLs. See the >>>>>>>>> > > SA users mailing list over the past year for details >>>>>>>>> on this >>>>>>>>> > from me >>>>>>>>> > > and >>>>>>>>> > > a few others. >>>>>>>>> > > >>>>>>>>> > > I suggest setting up a quick test VM with iRedmail to >>>>>>>>> get a good >>>>>>>>> > > example >>>>>>>>> > > of how to do TLS and amavis integration well with >>>>>>>>> Postfix. 
>>>>>>>>> > >
>>>>>>>>> > > --
>>>>>>>>> > > David Jones
>>>>>>>>> > >
>>>>>>>>> > > --
>>>>>>>>> > > MailScanner mailing list
>>>>>>>>> > > mailscanner at lists.mailscanner.info
>>>>>>>>> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>>> > >
>>>>>>>>> > > --
>>>>>>>>> > > Shawn Iverson, CETL
>>>>>>>>> > > Director of Technology
>>>>>>>>> > > Rush County Schools
>>>>>>>>> > > 765-932-3901 x1171
>>>>>>>>> > > iversons at rushville.k12.in.us
>>>>>>>>> >
>>>>>>>>> > --
>>>>>>>>> > David Jones
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> David Jones

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From mark at meelhuysen.com Tue Aug 21 07:19:24 2018
From: mark at meelhuysen.com (Mark Meelhuysen)
Date: Tue, 21 Aug 2018 07:19:24 +0000
Subject: RBL Check
Message-ID: <198cd95f133a4964ae9fabba945746d7@DC01.meelhuysen.com>

Hi All,

I got triggered by email received from Google (Gmail.com) being listed as spam.
MS states it is on the SORBS RBL (Komt voor in RBL: Y (SORBS)).
When checking the address directly at SORBS gives me: Not found in the database.

Can someone tell me what I should check?

Versions:
MailWatch Versie: 1.2.6
Operating System Version: CentOS Linux 7 (Core)
Postfix Versie: 2.10.1
MailScanner Versie: 5.0.6
ClamAV Versie: 0.100.1
SpamAssassin Versie: 3.4.0

(Yes, I know, I'm not running latest versions).

Thank you in advance.

Mark

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mark at meelhuysen.com Tue Aug 21 07:23:49 2018
From: mark at meelhuysen.com (Mark Meelhuysen)
Date: Tue, 21 Aug 2018 07:23:49 +0000
Subject: ClamAV logging
Message-ID:

Hi All,

Was just testing my system for AV response and concluded that in the maillog there are no entries for ClamAV. If I remember correctly this was the case in the past and I never noticed that it is not anymore. I think after installing a new MailScanner box.
Anyone can point me in the right direction of checking why logging is not added?

Mailscanner --lint gives me:

Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1500 hostnames from the phishing whitelist
Read 16729 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
MailWatch: Starting up MailWatch SQL Blacklist
MailWatch: Read 1 blacklist entries
Config: calling custom init function MailWatchLogging
MailWatch: Started MailWatch SQL Logging child
Config: calling custom init function SQLWhitelist
MailWatch: Starting up MailWatch SQL Whitelist
MailWatch: Read 4 whitelist entries

Checking version numbers...
Version number in MailScanner.conf (5.0.6) is correct.

Your envelope_sender_header in spamassassin.conf is correct.
MailScanner setting GID to (89)
MailScanner setting UID to (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them
./1/eicar.com: Eicar-Test-Signature FOUND

Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
MailWatch: Closing down MailWatch SQL Blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
MailWatch: Closing down MailWatch SQL Whitelist

Versions:
MailWatch Versie: 1.2.6
Operating System Version: CentOS Linux 7 (Core)
Postfix Versie: 2.10.1
MailScanner Versie: 5.0.6
ClamAV Versie: 0.100.1
SpamAssassin Versie: 3.4.0

(Yes, I know, I'm not running latest versions).

Thank you in advance.

Mark

From thom at vdb.nl Tue Aug 21 07:35:27 2018
From: thom at vdb.nl (Thom van der Boon)
Date: Tue, 21 Aug 2018 09:35:27 +0200 (CEST)
Subject: ClamAV logging
Message-ID:

An HTML attachment was scrubbed...
From mark at meelhuysen.com Tue Aug 21 07:49:34 2018
From: mark at meelhuysen.com (Mark Meelhuysen)
Date: Tue, 21 Aug 2018 07:49:34 +0000
Subject: ClamAV logging
In-Reply-To:
References:
Message-ID:

Hi Thom,

I noticed that indeed and removed the main.cvd, so now there are only *.cld files.
The --lint does not produce the error anymore, but still no logging.

Thanks.

Mark

From: MailScanner On Behalf Of Thom van der Boon
Sent: Tuesday, 21 August 2018 09:35
To: MailScanner Discussion
Subject: Re: ClamAV logging

Hi Mark,

Take a look at the error message in your MailScanner --lint output

"LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them"

Kind regards,
Best regards,

Thom van der Boon
E-Mail: thom at vdb.nl
=====
Thom.H. van der Boon b.v.
Transito 4
6909 DA Babberich
Tel.: +31 (0)88 4272727
Fax: +31 (0)88 4272789
Home Page: http://www.vdb.nl/

From belle at bazuin.nl Tue Aug 21 08:17:03 2018
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 21 Aug 2018 10:17:03 +0200
Subject: RBL Check
In-Reply-To: <198cd95f133a4964ae9fabba945746d7@DC01.meelhuysen.com>
References: <198cd95f133a4964ae9fabba945746d7@DC01.meelhuysen.com>
Message-ID:

Hai,

I see the following (from the mail headers):

ms.meelhuysen.com (unknown [IPv6:2001:985:d013:1:c0a8:7bde:718e:9c74])

So maybe Gmail blocked you because you did not set your PTR for your IPv6 record.

I did a small check.

MX ( dig mx )
meelhuysen.com.         788     IN      MX      10 mx01.meelhuysen.com.
meelhuysen.com.         788     IN      MX      20 mx02.meelhuysen.com.

( dig a )
mx01.meelhuysen.com.    776     IN      A       62.251.122.185
mx02.meelhuysen.com.    291     IN      A       83.162.255.45

( dig -x )
185.122.251.62.in-addr.arpa. 21453 IN   PTR     mx01.meelhuysen.com.
45.255.162.83.in-addr.arpa. 19414 IN    PTR     mx02.meelhuysen.com.

mx01.meelhuysen.com.    899     IN      AAAA    2001:985:d013:1:c0a8:7bde:718e:9c74
mx02.meelhuysen.com.    899     IN      AAAA    2001:985:d011::1

Both IPv6 addresses do not have a PTR, and you are sending from the server to the outside under the name ms.meelhuysen.com

ms.meelhuysen.com.      619     IN      A       62.251.122.185
ms.meelhuysen.com.      603     IN      AAAA    2001:985:d013:1:c0a8:7bde:718e:9c74

Your SPF looks OK, but first fix the missing PTR for your IPv6.

Greetz,

Louis

From iversons at rushville.k12.in.us Tue Aug 21 08:51:23 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 21 Aug 2018 04:51:23 -0400
Subject: ClamAV logging
In-Reply-To:
References:
Message-ID:

Mark,

Not sure when this behavior changed (a v5 change?), but I only see entries when a virus is detected.

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From mark at meelhuysen.com Tue Aug 21 08:54:04 2018
From: mark at meelhuysen.com (Mark Meelhuysen)
Date: Tue, 21 Aug 2018 08:54:04 +0000
Subject: RBL Check
In-Reply-To:
References: <198cd95f133a4964ae9fabba945746d7@DC01.meelhuysen.com>
Message-ID:

Hi Louis,

Thank you for your reply.
We recently changed ISP, and this ISP is actively using IPV6. It was not before. So, indeed, Gmail blocked us for IPV6 restraints. I adjusted my DNS and config for IPV6 and then mailflow from Google was ok. Before we received delay notices or NDR's.

But of course I will go and fix the things you mentioned.
I think first I will change the hostname of MS to mx01. After that I will check the PTR's.

From mark at meelhuysen.com Tue Aug 21 08:57:35 2018
From: mark at meelhuysen.com (Mark Meelhuysen)
Date: Tue, 21 Aug 2018 08:57:35 +0000
Subject: ClamAV logging
In-Reply-To:
References:
Message-ID: <7f409d1b7fd3434ea634e6159a6329b4@DC01.meelhuysen.com>

Hi Shawn,

That's why it triggered me. I did an online test and the mails were not delivered (good behaviour) but I could not see anything in the log, except that the connection was incoming and closing.

Mark

From belle at bazuin.nl Tue Aug 21 09:07:13 2018
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 21 Aug 2018 11:07:13 +0200
Subject: ClamAV logging
In-Reply-To: <7f409d1b7fd3434ea634e6159a6329b4@DC01.meelhuysen.com>
References:
Message-ID:

Now, I don't know CentOS much, but in Debian ClamAV is logging to its own logfile.
You could adjust the syslogger and make ClamAV log to mail.log.

You're using Postfix, and you see incoming connections and disconnects.
Spammers try to abuse your server, and if Postfix is set up OK, then it disconnects the session.
That is OK (most of the time, then).
And to analyse that I need much more info (and time). ;-)

As far as I see below, it looks OK to me.

Greetz,

Louis

From iversons at rushville.k12.in.us Wed Aug 22 12:51:41 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 22 Aug 2018 08:51:41 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch> <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com> <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID:

Getting closer to a 1.0 release of the milter and the next update to MailScanner:

RFC 821/1123 null sender support
RFC 822 unfolding support

https://github.com/shawniverson/v5/commit/9c9bb7fb344957be83477c40003aa1e1a64ec832

On Mon, Aug 20, 2018 at 6:33 PM Shawn Iverson wrote:

> Daemonized the Milter
>
> https://github.com/shawniverson/v5/commit/3614686575763cceac965c43212544f37f9f6a24
>
> On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>
>> Corrected link
>>
>> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de35164
>>
>> On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>>
>>> RFC 5321 support added.
>>>
>>> Also reviewing RFC 822, particularly handling of delivery failure
>>> notices, with respect to the milter.
>>>
>>> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de351645321
>>>
>>> Currently addressing a bug with the daemon forking new children. Seems
>>> to be caused by the Milter being a child process of MailScanner. If I
>>> cannot resolve, I plan to separate the Milter into its own daemon. This
>>> may be better anyway and allow both to be managed independently.
>>> >>> On Sun, Aug 19, 2018 at 5:14 PM Shawn Iverson < >>> iversons at rushville.k12.in.us> wrote: >>> >>>> Latest commit >>>> >>>> Spamassassin/MailScanner are now comparing envelope from and from >>>> properly :) >>>> >>>> >>>> https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b >>>> >>>> Todo: >>>> >>>> Cleanup code >>>> Add more options to mailscanner config, such as # of milter threads, >>>> etc. >>>> Remove hard coded items where feasible >>>> Honor placement of Header entries in header (top or bottom) >>>> Test Test Test (anyone interested is welcome!) >>>> Patches for MailWatch to handle new queues and process counts >>>> Fix bug observed where mailscanner thinks processes are still running >>>> when stopping (but aren't, harmless, just weird) >>>> >>>> Feedback is welcome. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson < >>>> iversons at rushville.k12.in.us> wrote: >>>> >>>>> Found the callback code for MAIL FROM: >>>>> >>>>> 'M' SMFIC_MAIL MAIL FROM: information >>>>> Expected response: Accept/reject action >>>>> >>>>> Time for some more coding :D >>>>> >>>>> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson < >>>>> iversons at rushville.k12.in.us> wrote: >>>>> >>>>>> Another update >>>>>> >>>>>> The latest commit to my branch includes more fixes and a new thing >>>>>> that needs handled now that a Milter is in play. When mail is submitted >>>>>> back to postfix, it needs to be processed by other things that could reject >>>>>> the email (such as an blocked sender). This is a problem because >>>>>> MailScanner does not know how to handle rejects since it has always been >>>>>> part of the queue process interacting directly with the queues, not before >>>>>> queue process. >>>>>> >>>>>> During message delivery, if a reject is detected, I inject a special >>>>>> header to the message and requeue it to MailScanner. 
MailScanner has a >>>>>> chance, based on this special header to flag the message, remove the >>>>>> special header, add diagnostic info to the header about the relay, and >>>>>> quarantine the message. The mail admin is happy knowing that the message >>>>>> didn't just vanish and has an opportunity to resolve the issue and release >>>>>> it or know the disposition of the email. >>>>>> >>>>>> Another cool thing about this Milter Processor I discovered is you >>>>>> can simply drop a message into /var/spool/MailScanner/milterin from >>>>>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D >>>>>> >>>>>> This new code is in Message.pm and only becomes active if the milter >>>>>> is activated. >>>>>> >>>>>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson < >>>>>> iversons at rushville.k12.in.us> wrote: >>>>>> >>>>>>> Oh yeah, here's the config for Postfix: >>>>>>> >>>>>>> smtpd_milters = inet:127.0.0.1:33333 >>>>>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map >>>>>>> >>>>>>> /etc/postfix/smtpd_milter_map: >>>>>>> 127.0.0.0/8 DISABLE >>>>>>> ::/64 DISABLE >>>>>>> >>>>>>> This allows scanned emails to pass the milter, as well as >>>>>>> notifications sent from the localhost. You do need at least Postfix >>>>>>> version 3.2 I believe to have milter map support. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson < >>>>>>> iversons at rushville.k12.in.us> wrote: >>>>>>> >>>>>>>> MailScanner users: >>>>>>>> >>>>>>>> The MailScanner Milter project is coming along nicely. >>>>>>>> >>>>>>>> https://github.com/shawniverson/v5/commits/081118msmilter >>>>>>>> >>>>>>>> I am currently running this on a split relay to test the milter >>>>>>>> without impacting production email. >>>>>>>> >>>>>>>> The design is fairly simple, although development has taken about >>>>>>>> 40 hours of my time. 
I know more about MailScanner (and perl) than I ever >>>>>>>> have :D >>>>>>>> >>>>>>>> The Milter is integrated into MailScanner and forks as a branch of >>>>>>>> the MailScanner process tree, keeping systemd happy. >>>>>>>> >>>>>>>> The Milter process intercepts incoming email and tells postfix to >>>>>>>> DISCARD, which basically accepts the mail and silently drops it before >>>>>>>> entering the queue. At the same time, the Milter writes a raw email file >>>>>>>> to the /var/spool/MailScanner/milterin queue. >>>>>>>> >>>>>>>> MailScanner picks up the message batches in the milterin directory, >>>>>>>> processes them, and spits them out to /var/spool/MailScanner/milterout >>>>>>>> directory as raw email files. >>>>>>>> >>>>>>>> The MSMail Processor (new) relays the messages to postfix for >>>>>>>> further processing over port 25. A optional localhost rule in >>>>>>>> header_checks removes the local entry from the header before delivery. >>>>>>>> >>>>>>>> The benefits are that the postfix queue is not touched at all >>>>>>>> throughout this process, making the solution (hopefully) an acceptable one >>>>>>>> within the postfix community. It is also very fast, and the codebase for >>>>>>>> this method is smaller than even the Postfix Processor, and MailScanner >>>>>>>> gets its own queues, separate from postfix. >>>>>>>> >>>>>>>> One drawback to this method is there is no apparent way to extract >>>>>>>> the Envelope From address (at least not yet, perhaps I am missing a milter >>>>>>>> code), although it doesn't appear that MailScanner is all that concerned >>>>>>>> about it and doesn't go out of its way to capture it. I think it is >>>>>>>> important though, for spoof detection, so I will continue to research this. 
>>>>>>>> >>>>>>>> Anyone that is willing to get their feet wet and test can apply the >>>>>>>> following files from my branch: >>>>>>>> >>>>>>>> (In common) >>>>>>>> /usr/sbin/MailScanner >>>>>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm >>>>>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm >>>>>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm >>>>>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm >>>>>>>> >>>>>>>> Then create the following dirs: >>>>>>>> mkdir -p /var/spool/MailScanner/milterin >>>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin >>>>>>>> mkdir -p /var/spool/MailScanner/milterout >>>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout >>>>>>>> >>>>>>>> Apply the following to /etc/MailScanner/MailScanner.conf: >>>>>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin >>>>>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout >>>>>>>> MTA = MSMail >>>>>>>> MSMail Queue Type = short | long (pick one that matches your >>>>>>>> postfix setting) >>>>>>>> >>>>>>>> I recommend doing this in a test or split relay environment that >>>>>>>> blackholes email. Do not use in production yet ;) >>>>>>>> >>>>>>>> Known issues at the moment: >>>>>>>> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do >>>>>>>> not appear >>>>>>>> More validation and error handling is needed throughout. Weird >>>>>>>> emails abound! >>>>>>>> Need to know the envelope from sender. Currently hidden from the >>>>>>>> milter, but hopefully exposable via a callback code. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson < >>>>>>>> iversons at rushville.k12.in.us> wrote: >>>>>>>> >>>>>>>>> Dear MailScanner users: >>>>>>>>> >>>>>>>>> I am officially working on creating a lightweight milter for >>>>>>>>> MailScanner. >>>>>>>>> >>>>>>>>> This milter will not provide MTA protocol rejection for postfix, >>>>>>>>> due to the severe performance penalty it would cause. 
All mail will be >>>>>>>>> intercepted, accepted, and silently dropped from the postfix queue and >>>>>>>>> placed in a MailScanner queue. >>>>>>>>> >>>>>>>>> I have a working prototype, and it is processing mail! It is in >>>>>>>>> need of heavy refactoring and some bug squashing. >>>>>>>>> >>>>>>>>> Currently it attempts to create a postfix formatted queue file >>>>>>>>> (very ugly, who thought up this file format???!!!). I may instead create a >>>>>>>>> new Milter Processor for MailScanner that reduces the overhead of doing >>>>>>>>> this and can read the incoming email in a simple line-by-line format. This >>>>>>>>> may also increase performance overall and reduce all the conversions >>>>>>>>> happening. >>>>>>>>> >>>>>>>>> The other side of the coin is what to do when MailScanner is done >>>>>>>>> processing mail. Currently, it generates a postfix queue file and drops it >>>>>>>>> into postfix incoming directory. It should not do this but instead drop >>>>>>>>> the message into postfix using native postfix tools. That will be the next >>>>>>>>> part I tackle as part of the Milter Processor. >>>>>>>>> >>>>>>>>> Why am I doing this? I want to place MailScanner back in a good >>>>>>>>> standing with Postfix folks (at least when the milter + postfix method is >>>>>>>>> in use). >>>>>>>>> >>>>>>>>> I have no plans of removing the old method but rather provide a >>>>>>>>> more supported path for postfix users. >>>>>>>>> >>>>>>>>> Wish me luck. I could be heard across the neighborhood when >>>>>>>>> MailScanner processed an email from the Milter for the first time! :D >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote: >>>>>>>>>> > David, >>>>>>>>>> > >>>>>>>>>> > I agree that this is true, and part of my lack of motivation to >>>>>>>>>> do it. 
>>>>>>>>>> > One reason I wanted it as an option was to reconcile the >>>>>>>>>> ongoing >>>>>>>>>> > conflict with the postfix community and return MailScanner to >>>>>>>>>> good >>>>>>>>>> > standing to this community. Weitze has been very stern about >>>>>>>>>> > MailScanner directly tapping the postfix queues. >>>>>>>>>> > >>>>>>>>>> > Perhaps an alternative option would be to create a fast >>>>>>>>>> MailScanner >>>>>>>>>> > milter that behaves more like the HOLD queue. Basically just a >>>>>>>>>> milter >>>>>>>>>> > that immediately fires back accept to postfix and places all >>>>>>>>>> the >>>>>>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix >>>>>>>>>> HOLD >>>>>>>>>> > queue. Doing so would maintain speed, simplicity, and be more >>>>>>>>>> compliant >>>>>>>>>> > with postfix. The code would also be very simple. >>>>>>>>>> > >>>>>>>>>> > Then, as you say, if you need MTA level functionality for SA, >>>>>>>>>> use other >>>>>>>>>> > software and methods. >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> >>>>>>>>>> This light MS milter would make a lot of sense based on your goal >>>>>>>>>> to get >>>>>>>>>> compliant with Postfix and back "in" with the Postfix community. >>>>>>>>>> +1 >>>>>>>>>> >>>>>>>>>> > >>>>>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones >>>>>>>>> > > wrote: >>>>>>>>>> > >>>>>>>>>> > On 08/11/2018 08:15 AM, Shawn Iverson wrote: >>>>>>>>>> > > I have been planning for a MailScanner milter for quite >>>>>>>>>> some >>>>>>>>>> > time. I >>>>>>>>>> > > have been specifically studying rpamd's milter source >>>>>>>>>> for this >>>>>>>>>> > purpose. >>>>>>>>>> > > Alas, lack of time and lack of money are always an >>>>>>>>>> issue, and I >>>>>>>>>> > put a >>>>>>>>>> > > lot of hours in my day job. 
As Jerry would say, I like >>>>>>>>>> to eat >>>>>>>>>> > and have >>>>>>>>>> > > a roof over my head :D >>>>>>>>>> > > >>>>>>>>>> > > If I do find the time to build a milter, performance will >>>>>>>>>> > definitely be >>>>>>>>>> > > impacted. The reason is that postfix will have to keep >>>>>>>>>> each session >>>>>>>>>> > > open for the duration of scanning, and each MailScanner >>>>>>>>>> child >>>>>>>>>> > would have >>>>>>>>>> > > to issue a callback to postfix after scanning the spam >>>>>>>>>> so that >>>>>>>>>> > postfix >>>>>>>>>> > > can responds to the connection appropriately (i.e. >>>>>>>>>> reject or >>>>>>>>>> > accept). >>>>>>>>>> > > This will slow down mail processing considerably. If I >>>>>>>>>> do this, >>>>>>>>>> > I am >>>>>>>>>> > > going to keep the HOLD queue around, so you would have >>>>>>>>>> to choose >>>>>>>>>> > between >>>>>>>>>> > > speed or MTA level rejection functionality. >>>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> > >>>>>>>>>> > My gut tells me that this is going to be so slow, that it's >>>>>>>>>> not >>>>>>>>>> > going to >>>>>>>>>> > be worth the time to put into it. If you want to reject at >>>>>>>>>> MTA time, >>>>>>>>>> > throw in amavis-new or spamd (not rspamd) using the same >>>>>>>>>> SpamAsssassin >>>>>>>>>> > rules and Bayes DB to get most of the same features as >>>>>>>>>> MailScanner >>>>>>>>>> > during the SMTP conversation. Then the mail that gets >>>>>>>>>> through can be >>>>>>>>>> > filtered by MailScanner for it's extra features that make >>>>>>>>>> it unique. >>>>>>>>>> > >>>>>>>>>> > I understand there are different local legal requirements >>>>>>>>>> around the >>>>>>>>>> > world that if email is accepted at MTA time then it has to >>>>>>>>>> be passed on >>>>>>>>>> > to the end user's mailbox. If you are located in one of >>>>>>>>>> these >>>>>>>>>> > countries, then this would be more of an issue. 
But since >>>>>>>>>> I am in a >>>>>>>>>> > country that doesn't have this legal requirement, I do >>>>>>>>>> block email >>>>>>>>>> > post-MTA by MailScanner. >>>>>>>>>> > >>>>>>>>>> > The majority of my spam is blocked at the MTA level already >>>>>>>>>> by highly >>>>>>>>>> > tuned RBLs and postscreen's RBL weighting which is very, >>>>>>>>>> very good. >>>>>>>>>> > Only a small percentage of spam that is zero-hour or from >>>>>>>>>> compromised >>>>>>>>>> > accounts makes it to MailScanner. >>>>>>>>>> > >>>>>>>>>> > I highly recommend the Invaluement RBL. It's very accurate >>>>>>>>>> -- only >>>>>>>>>> > 1 or >>>>>>>>>> > 2 false positives over 5+ the years. This RBL is very cost >>>>>>>>>> effective >>>>>>>>>> > and has allowed me to disable all Spamhaus RBL checks in >>>>>>>>>> SpamAssassin >>>>>>>>>> > saving thousands of dollars a year. (We have too high a >>>>>>>>>> volume to stay >>>>>>>>>> > under the free usage limits of Spamhaus so we were having >>>>>>>>>> to pay for >>>>>>>>>> > the >>>>>>>>>> > RBL feed.) >>>>>>>>>> > >>>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> > > On Tue, Aug 7, 2018 at 10:52 AM David Jones via >>>>>>>>>> MailScanner >>>>>>>>>> > > >>>>>>>>> > >>>>>>>>>> > > >>>>>>>>> > >> wrote: >>>>>>>>>> > > >>>>>>>>>> > > On 08/07/2018 05:03 AM, info at schroeffu.ch >>>>>>>>>> > >>>>>>>>> > > >>>>>>>>>> > > wrote: >>>>>>>>>> > > > >>>>>>>>>> > > > Hi Mailscanner friends, >>>>>>>>>> > > > >>>>>>>>>> > > > is there any progress to make MailScanner usable >>>>>>>>>> as a >>>>>>>>>> > postfix milter? >>>>>>>>>> > > > The most biggest problem I have is, SPAM is not >>>>>>>>>> possible to >>>>>>>>>> > > reject when >>>>>>>>>> > > > reaching a high score at MTA level. For my >>>>>>>>>> understanding, >>>>>>>>>> > connect >>>>>>>>>> > > via >>>>>>>>>> > > > milter instead of queue ^HOLD would be the >>>>>>>>>> solution. 
>>>>>>>>>> > > > >>>>>>>>>> > > > For the next decade we are still using >>>>>>>>>> MailScanner instead >>>>>>>>>> > of others >>>>>>>>>> > > > like Rspamd, because MailScanner is like a mail >>>>>>>>>> suite for mail >>>>>>>>>> > > security, >>>>>>>>>> > > > but if there will never be the possibility to >>>>>>>>>> reject at >>>>>>>>>> > MTA level >>>>>>>>>> > > the >>>>>>>>>> > > > high score spam, we will also change in 1-3 years >>>>>>>>>> while >>>>>>>>>> > replacing >>>>>>>>>> > > the OS >>>>>>>>>> > > > beyond. >>>>>>>>>> > > > >>>>>>>>>> > > >>>>>>>>>> > > One of MailScanner's strongest features is it's >>>>>>>>>> batch mode >>>>>>>>>> > processing >>>>>>>>>> > > that will allow it to handle a very high volume of >>>>>>>>>> mail >>>>>>>>>> > flow. I doubt >>>>>>>>>> > > that MailScanner will ever be changed to run as a >>>>>>>>>> milter for this >>>>>>>>>> > > reason. >>>>>>>>>> > > >>>>>>>>>> > > I tried rspamd and found it wasn't as good as the >>>>>>>>>> author >>>>>>>>>> > claims so no >>>>>>>>>> > > reason to try to use that as a milter. It also >>>>>>>>>> wasn't as >>>>>>>>>> > fast as it >>>>>>>>>> > > claims. I could not send high volumes of mail >>>>>>>>>> through it >>>>>>>>>> > like I could >>>>>>>>>> > > with MailScanner. >>>>>>>>>> > > >>>>>>>>>> > > If you want to block high scoring spam at the MTA >>>>>>>>>> level, I >>>>>>>>>> > suggest >>>>>>>>>> > > using >>>>>>>>>> > > amavis or spamd with the same SA rulesets as >>>>>>>>>> MailScanner. >>>>>>>>>> > This will >>>>>>>>>> > > get >>>>>>>>>> > > you most of the power of MailScanner's blocking at >>>>>>>>>> the MTA. >>>>>>>>>> > > >>>>>>>>>> > > https://wiki.apache.org/spamassassin/IntegratedInMta >>>>>>>>>> > > >>>>>>>>>> > > If you you use postscreen and postwhite at the >>>>>>>>>> Postfix MTA >>>>>>>>>> > level, you >>>>>>>>>> > > can block most of the obvious spam with a tuned list >>>>>>>>>> of >>>>>>>>>> > RBLs. 
See the >>>>>>>>>> > > SA users mailing list over the past year for details >>>>>>>>>> on this >>>>>>>>>> > from me >>>>>>>>>> > > and >>>>>>>>>> > > a few others. >>>>>>>>>> > > >>>>>>>>>> > > I suggest setting up a quick test VM with iRedmail >>>>>>>>>> to get a good >>>>>>>>>> > > example >>>>>>>>>> > > of how to do TLS and amavis integration well with >>>>>>>>>> Postfix. >>>>>>>>>> > > >>>>>>>>>> > > -- >>>>>>>>>> > > David Jones >>>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> > > -- >>>>>>>>>> > > MailScanner mailing list >>>>>>>>>> > > mailscanner at lists.mailscanner.info >>>>>>>>>> > >>>>>>>>>> > > >>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> > > -- >>>>>>>>>> > > Shawn Iverson, CETL >>>>>>>>>> > > Director of Technology >>>>>>>>>> > > Rush County Schools >>>>>>>>>> > > 765-932-3901 x1171 >>>>>>>>>> > > iversons at rushville.k12.in.us >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>> > >>>>>>>>>> > -- >>>>>>>>>> > David Jones >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > -- >>>>>>>>>> > Shawn Iverson, CETL >>>>>>>>>> > Director of Technology >>>>>>>>>> > Rush County Schools >>>>>>>>>> > 765-932-3901 x1171 >>>>>>>>>> > iversons at rushville.k12.in.us >>>>>>>>> iversons at rushville.k12.in.us> >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> David Jones >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Shawn Iverson, CETL >>>>>>>>> Director of Technology >>>>>>>>> Rush County Schools >>>>>>>>> 765-932-3901 x1171 >>>>>>>>> iversons at rushville.k12.in.us >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Shawn Iverson, CETL >>>>>>>> Director of Technology >>>>>>>> Rush County Schools >>>>>>>> 765-932-3901 x1171 >>>>>>>> iversons at rushville.k12.in.us >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Shawn Iverson, CETL >>>>>>> Director of Technology >>>>>>> Rush County Schools 
>>>>>>> 765-932-3901 x1171 >>>>>>> iversons at rushville.k12.in.us >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> Shawn Iverson, CETL >>>>>> Director of Technology >>>>>> Rush County Schools >>>>>> 765-932-3901 x1171 >>>>>> iversons at rushville.k12.in.us >>>>>> >>>>>> >>>>>> >>>>> >>>>> -- >>>>> Shawn Iverson, CETL >>>>> Director of Technology >>>>> Rush County Schools >>>>> 765-932-3901 x1171 >>>>> iversons at rushville.k12.in.us >>>>> >>>>> >>>>> >>>> >>>> -- >>>> Shawn Iverson, CETL >>>> Director of Technology >>>> Rush County Schools >>>> 765-932-3901 x1171 >>>> iversons at rushville.k12.in.us >>>> >>>> >>>> >>> >>> -- >>> Shawn Iverson, CETL >>> Director of Technology >>> Rush County Schools >>> 765-932-3901 x1171 >>> iversons at rushville.k12.in.us >>> >>> >>> >> >> -- >> Shawn Iverson, CETL >> Director of Technology >> Rush County Schools >> 765-932-3901 x1171 >> iversons at rushville.k12.in.us >> >> >> > > -- > Shawn Iverson, CETL > Director of Technology > Rush County Schools > 765-932-3901 x1171 > iversons at rushville.k12.in.us > > > -- Shawn Iverson, CETL Director of Technology Rush County Schools 765-932-3901 x1171 iversons at rushville.k12.in.us -------------- next part -------------- An HTML attachment was scrubbed... URL: From iversons at rushville.k12.in.us Sat Aug 25 02:56:43 2018 From: iversons at rushville.k12.in.us (Shawn Iverson) Date: Fri, 24 Aug 2018 22:56:43 -0400 Subject: Mailscanner milter to reject high score spam at MTA level In-Reply-To: References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch> <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com> <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com> Message-ID: New milestone...version 0.9 Milter now supports REJECT of blacklisted emails and IP addresses with a message of "554 5.7.1 Message Blacklisted" when the new Milter Scanner mode is activated. 

https://github.com/shawniverson/v5/commit/a6e22ebe51357e0d92bae534092074eee7162f24

This just made sense to do, since blacklist checking is very fast and can happen while the milter is active.

On Wed, Aug 22, 2018 at 8:51 AM Shawn Iverson wrote:

> Getting closer to a 1.0 release of the milter and the next update to
> MailScanner:
>
> RFC 821/1123 null sender support
> RFC 822 unfolding support
>
> https://github.com/shawniverson/v5/commit/9c9bb7fb344957be83477c40003aa1e1a64ec832
>
> On Mon, Aug 20, 2018 at 6:33 PM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Daemonized the Milter
>>
>> https://github.com/shawniverson/v5/commit/3614686575763cceac965c43212544f37f9f6a24
>>
>> On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> Corrected link
>>>
>>> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de35164
>>>
>>> On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <
>>> iversons at rushville.k12.in.us> wrote:
>>>
>>>> RFC 5321 support added.
>>>>
>>>> Also reviewing RFC 822, particularly handling of delivery failure
>>>> notices, with respect to the milter.
>>>>
>>>> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de351645321
>>>>
>>>> Currently addressing a bug with the daemon forking new children.
>>>> Seems to be caused by the Milter being a child process of MailScanner. If
>>>> I cannot resolve, I plan to separate the Milter into its own daemon. This
>>>> may be better anyway and allow both to be managed independently.
>>>>
>>>> On Sun, Aug 19, 2018 at 5:14 PM Shawn Iverson <
>>>> iversons at rushville.k12.in.us> wrote:
>>>>
>>>>> Latest commit
>>>>>
>>>>> Spamassassin/MailScanner are now comparing envelope from and from
>>>>> properly :)
>>>>>
>>>>> https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b
>>>>>
>>>>> Todo:
>>>>>
>>>>> Cleanup code
>>>>> Add more options to mailscanner config, such as # of milter threads,
>>>>> etc.
>>>>> Remove hard coded items where feasible
>>>>> Honor placement of Header entries in header (top or bottom)
>>>>> Test Test Test (anyone interested is welcome!)
>>>>> Patches for MailWatch to handle new queues and process counts
>>>>> Fix bug observed where mailscanner thinks processes are still running
>>>>> when stopping (but aren't, harmless, just weird)
>>>>>
>>>>> Feedback is welcome.
>>>>>
>>>>> On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson <
>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>
>>>>>> Found the callback code for MAIL FROM:
>>>>>>
>>>>>> 'M' SMFIC_MAIL MAIL FROM: information
>>>>>> Expected response: Accept/reject action
>>>>>>
>>>>>> Time for some more coding :D
>>>>>>
>>>>>> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson <
>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>
>>>>>>> Another update
>>>>>>>
>>>>>>> The latest commit to my branch includes more fixes and a new thing
>>>>>>> that needs handled now that a Milter is in play. When mail is submitted
>>>>>>> back to postfix, it needs to be processed by other things that could reject
>>>>>>> the email (such as a blocked sender). This is a problem because
>>>>>>> MailScanner does not know how to handle rejects since it has always been
>>>>>>> part of the queue process interacting directly with the queues, not before
>>>>>>> queue process.
>>>>>>>
>>>>>>> During message delivery, if a reject is detected, I inject a special
>>>>>>> header to the message and requeue it to MailScanner. MailScanner has a
>>>>>>> chance, based on this special header to flag the message, remove the
>>>>>>> special header, add diagnostic info to the header about the relay, and
>>>>>>> quarantine the message. The mail admin is happy knowing that the message
>>>>>>> didn't just vanish and has an opportunity to resolve the issue and release
>>>>>>> it or know the disposition of the email.
>>>>>>>
>>>>>>> Another cool thing about this Milter Processor I discovered is you
>>>>>>> can simply drop a message into /var/spool/MailScanner/milterin from
>>>>>>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D
>>>>>>>
>>>>>>> This new code is in Message.pm and only becomes active if the milter
>>>>>>> is activated.
>>>>>>>
>>>>>>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <
>>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>>
>>>>>>>> Oh yeah, here's the config for Postfix:
>>>>>>>>
>>>>>>>> smtpd_milters = inet:127.0.0.1:33333
>>>>>>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>>>>>>>>
>>>>>>>> /etc/postfix/smtpd_milter_map:
>>>>>>>> 127.0.0.0/8 DISABLE
>>>>>>>> ::/64 DISABLE
>>>>>>>>
>>>>>>>> This allows scanned emails to pass the milter, as well as
>>>>>>>> notifications sent from the localhost. You do need at least Postfix
>>>>>>>> version 3.2 I believe to have milter map support.
>>>>>>>>
>>>>>>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
>>>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>>>
>>>>>>>>> MailScanner users:
>>>>>>>>>
>>>>>>>>> The MailScanner Milter project is coming along nicely.
>>>>>>>>>
>>>>>>>>> https://github.com/shawniverson/v5/commits/081118msmilter
>>>>>>>>>
>>>>>>>>> I am currently running this on a split relay to test the milter
>>>>>>>>> without impacting production email.
>>>>>>>>>
>>>>>>>>> The design is fairly simple, although development has taken about
>>>>>>>>> 40 hours of my time. I know more about MailScanner (and perl) than I ever
>>>>>>>>> have :D
>>>>>>>>>
>>>>>>>>> The Milter is integrated into MailScanner and forks as a branch of
>>>>>>>>> the MailScanner process tree, keeping systemd happy.
>>>>>>>>>
>>>>>>>>> The Milter process intercepts incoming email and tells postfix to
>>>>>>>>> DISCARD, which basically accepts the mail and silently drops it before
>>>>>>>>> entering the queue. At the same time, the Milter writes a raw email file
>>>>>>>>> to the /var/spool/MailScanner/milterin queue.
>>>>>>>>>
>>>>>>>>> MailScanner picks up the message batches in the milterin
>>>>>>>>> directory, processes them, and spits them out to
>>>>>>>>> /var/spool/MailScanner/milterout directory as raw email files.
>>>>>>>>>
>>>>>>>>> The MSMail Processor (new) relays the messages to postfix for
>>>>>>>>> further processing over port 25. An optional localhost rule in
>>>>>>>>> header_checks removes the local entry from the header before delivery.
>>>>>>>>>
>>>>>>>>> The benefits are that the postfix queue is not touched at all
>>>>>>>>> throughout this process, making the solution (hopefully) an acceptable one
>>>>>>>>> within the postfix community. It is also very fast, and the codebase for
>>>>>>>>> this method is smaller than even the Postfix Processor, and MailScanner
>>>>>>>>> gets its own queues, separate from postfix.
>>>>>>>>>
>>>>>>>>> One drawback to this method is there is no apparent way to extract
>>>>>>>>> the Envelope From address (at least not yet, perhaps I am missing a milter
>>>>>>>>> code), although it doesn't appear that MailScanner is all that concerned
>>>>>>>>> about it and doesn't go out of its way to capture it. I think it is
>>>>>>>>> important though, for spoof detection, so I will continue to research this.
>>>>>>>>>
>>>>>>>>> Anyone that is willing to get their feet wet and test can apply
>>>>>>>>> the following files from my branch:
>>>>>>>>>
>>>>>>>>> (In common)
>>>>>>>>> /usr/sbin/MailScanner
>>>>>>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>>>>>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>>>>>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>>>>>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>>>>>>>
>>>>>>>>> Then create the following dirs:
>>>>>>>>> mkdir -p /var/spool/MailScanner/milterin
>>>>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>>>>>>>> mkdir -p /var/spool/MailScanner/milterout
>>>>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>>>>>>>
>>>>>>>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>>>>>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>>>>>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>>>>>>>> MTA = MSMail
>>>>>>>>> MSMail Queue Type = short | long (pick one that matches your
>>>>>>>>> postfix setting)
>>>>>>>>>
>>>>>>>>> I recommend doing this in a test or split relay environment that
>>>>>>>>> blackholes email. Do not use in production yet ;)
>>>>>>>>>
>>>>>>>>> Known issues at the moment:
>>>>>>>>> MailWatch doesn't recognize MSMail as an 'MTA' so the queue stats
>>>>>>>>> do not appear
>>>>>>>>> More validation and error handling is needed throughout. Weird
>>>>>>>>> emails abound!
>>>>>>>>> Need to know the envelope from sender. Currently hidden from the
>>>>>>>>> milter, but hopefully exposable via a callback code.
>>>>>>>>>
>>>>>>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <
>>>>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>>>>
>>>>>>>>>> Dear MailScanner users:
>>>>>>>>>>
>>>>>>>>>> I am officially working on creating a lightweight milter for
>>>>>>>>>> MailScanner.
>>>>>>>>>>
>>>>>>>>>> This milter will not provide MTA protocol rejection for postfix,
>>>>>>>>>> due to the severe performance penalty it would cause. All mail will be
>>>>>>>>>> intercepted, accepted, and silently dropped from the postfix queue and
>>>>>>>>>> placed in a MailScanner queue.
>>>>>>>>>>
>>>>>>>>>> I have a working prototype, and it is processing mail! It is in
>>>>>>>>>> need of heavy refactoring and some bug squashing.
>>>>>>>>>>
>>>>>>>>>> Currently it attempts to create a postfix formatted queue file
>>>>>>>>>> (very ugly, who thought up this file format???!!!). I may instead create a
>>>>>>>>>> new Milter Processor for MailScanner that reduces the overhead of doing
>>>>>>>>>> this and can read the incoming email in a simple line-by-line format. This
>>>>>>>>>> may also increase performance overall and reduce all the conversions
>>>>>>>>>> happening.
>>>>>>>>>>
>>>>>>>>>> The other side of the coin is what to do when MailScanner is done
>>>>>>>>>> processing mail. Currently, it generates a postfix queue file and drops it
>>>>>>>>>> into postfix incoming directory. It should not do this but instead drop
>>>>>>>>>> the message into postfix using native postfix tools. That will be the next
>>>>>>>>>> part I tackle as part of the Milter Processor.
>>>>>>>>>>
>>>>>>>>>> Why am I doing this? I want to place MailScanner back in a good
>>>>>>>>>> standing with Postfix folks (at least when the milter + postfix method is
>>>>>>>>>> in use).
>>>>>>>>>>
>>>>>>>>>> I have no plans of removing the old method but rather provide a
>>>>>>>>>> more supported path for postfix users.
>>>>>>>>>>
>>>>>>>>>> Wish me luck. I could be heard across the neighborhood when
>>>>>>>>>> MailScanner processed an email from the Milter for the first time! :D
>>>>>>>>>>
>>>>>>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones wrote:
>>>>>>>>>>
>>>>>>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>>>>>>>>> > David,
>>>>>>>>>>> >
>>>>>>>>>>> > I agree that this is true, and part of my lack of motivation to do it.
>>>>>>>>>>> > One reason I wanted it as an option was to reconcile the ongoing
>>>>>>>>>>> > conflict with the postfix community and return MailScanner to good
>>>>>>>>>>> > standing to this community. Wietse has been very stern about
>>>>>>>>>>> > MailScanner directly tapping the postfix queues.
>>>>>>>>>>> >
>>>>>>>>>>> > Perhaps an alternative option would be to create a fast MailScanner
>>>>>>>>>>> > milter that behaves more like the HOLD queue. Basically just a milter
>>>>>>>>>>> > that immediately fires back accept to postfix and places all the
>>>>>>>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
>>>>>>>>>>> > queue. Doing so would maintain speed, simplicity, and be more compliant
>>>>>>>>>>> > with postfix. The code would also be very simple.
>>>>>>>>>>> >
>>>>>>>>>>> > Then, as you say, if you need MTA level functionality for SA, use other
>>>>>>>>>>> > software and methods.
>>>>>>>>>>> >
>>>>>>>>>>>
>>>>>>>>>>> This light MS milter would make a lot of sense based on your goal to get
>>>>>>>>>>> compliant with Postfix and back "in" with the Postfix community. +1
>>>>>>>>>>>
>>>>>>>>>>> >
>>>>>>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones wrote:
>>>>>>>>>>> >
>>>>>>>>>>> > On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>>>>>>>>> > > I have been planning for a MailScanner milter for quite some time. I
>>>>>>>>>>> > > have been specifically studying rspamd's milter source for this purpose.
>>>>>>>>>>> > > Alas, lack of time and lack of money are always an issue, and I put a
>>>>>>>>>>> > > lot of hours in my day job. As Jerry would say, I like to eat and have
>>>>>>>>>>> > > a roof over my head :D
>>>>>>>>>>> > >
>>>>>>>>>>> > > If I do find the time to build a milter, performance will definitely be
>>>>>>>>>>> > > impacted. The reason is that postfix will have to keep each session
>>>>>>>>>>> > > open for the duration of scanning, and each MailScanner child would have
>>>>>>>>>>> > > to issue a callback to postfix after scanning the spam so that postfix
>>>>>>>>>>> > > can respond to the connection appropriately (i.e. reject or accept).
>>>>>>>>>>> > > This will slow down mail processing considerably. If I do this, I am
>>>>>>>>>>> > > going to keep the HOLD queue around, so you would have to choose between
>>>>>>>>>>> > > speed or MTA level rejection functionality.
>>>>>>>>>>> > >
>>>>>>>>>>> >
>>>>>>>>>>> > My gut tells me that this is going to be so slow, that it's not going to
>>>>>>>>>>> > be worth the time to put into it. If you want to reject at MTA time,
>>>>>>>>>>> > throw in amavis-new or spamd (not rspamd) using the same SpamAssassin
>>>>>>>>>>> > rules and Bayes DB to get most of the same features as MailScanner
>>>>>>>>>>> > during the SMTP conversation. Then the mail that gets through can be
>>>>>>>>>>> > filtered by MailScanner for its extra features that make it unique.
>>>>>>>>>>> >
>>>>>>>>>>> > I understand there are different local legal requirements around the
>>>>>>>>>>> > world that if email is accepted at MTA time then it has to be passed on
>>>>>>>>>>> > to the end user's mailbox. If you are located in one of these
>>>>>>>>>>> > countries, then this would be more of an issue. But since I am in a
>>>>>>>>>>> > country that doesn't have this legal requirement, I do block email
>>>>>>>>>>> > post-MTA by MailScanner.
>>>>>>>>>>> >
>>>>>>>>>>> > The majority of my spam is blocked at the MTA level already by highly
>>>>>>>>>>> > tuned RBLs and postscreen's RBL weighting which is very, very good.
>>>>>>>>>>> > Only a small percentage of spam that is zero-hour or from compromised
>>>>>>>>>>> > accounts makes it to MailScanner.
>>>>>>>>>>> >
>>>>>>>>>>> > I highly recommend the Invaluement RBL. It's very accurate -- only 1 or
>>>>>>>>>>> > 2 false positives over the 5+ years. This RBL is very cost effective
>>>>>>>>>>> > and has allowed me to disable all Spamhaus RBL checks in SpamAssassin
>>>>>>>>>>> > saving thousands of dollars a year. (We have too high a volume to stay
>>>>>>>>>>> > under the free usage limits of Spamhaus so we were having to pay for the
>>>>>>>>>>> > RBL feed.)
>>>>>>>>>>> >
>>>>>>>>>>> > >
>>>>>>>>>>> > > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner wrote:
>>>>>>>>>>> > >
>>>>>>>>>>> > > On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
>>>>>>>>>>> > > >
>>>>>>>>>>> > > > Hi Mailscanner friends,
>>>>>>>>>>> > > >
>>>>>>>>>>> > > > is there any progress to make MailScanner usable as a postfix milter?
>>>>>>>>>>> > > > The most biggest problem I have is, SPAM is not >>>>>>>>>>> possible to >>>>>>>>>>> > > reject when >>>>>>>>>>> > > > reaching a high score at MTA level. For my >>>>>>>>>>> understanding, >>>>>>>>>>> > connect >>>>>>>>>>> > > via >>>>>>>>>>> > > > milter instead of queue ^HOLD would be the >>>>>>>>>>> solution. >>>>>>>>>>> > > > >>>>>>>>>>> > > > For the next decade we are still using >>>>>>>>>>> MailScanner instead >>>>>>>>>>> > of others >>>>>>>>>>> > > > like Rspamd, because MailScanner is like a mail >>>>>>>>>>> suite for mail >>>>>>>>>>> > > security, >>>>>>>>>>> > > > but if there will never be the possibility to >>>>>>>>>>> reject at >>>>>>>>>>> > MTA level >>>>>>>>>>> > > the >>>>>>>>>>> > > > high score spam, we will also change in 1-3 >>>>>>>>>>> years while >>>>>>>>>>> > replacing >>>>>>>>>>> > > the OS >>>>>>>>>>> > > > beyond. >>>>>>>>>>> > > > >>>>>>>>>>> > > >>>>>>>>>>> > > One of MailScanner's strongest features is it's >>>>>>>>>>> batch mode >>>>>>>>>>> > processing >>>>>>>>>>> > > that will allow it to handle a very high volume of >>>>>>>>>>> mail >>>>>>>>>>> > flow. I doubt >>>>>>>>>>> > > that MailScanner will ever be changed to run as a >>>>>>>>>>> milter for this >>>>>>>>>>> > > reason. >>>>>>>>>>> > > >>>>>>>>>>> > > I tried rspamd and found it wasn't as good as the >>>>>>>>>>> author >>>>>>>>>>> > claims so no >>>>>>>>>>> > > reason to try to use that as a milter. It also >>>>>>>>>>> wasn't as >>>>>>>>>>> > fast as it >>>>>>>>>>> > > claims. I could not send high volumes of mail >>>>>>>>>>> through it >>>>>>>>>>> > like I could >>>>>>>>>>> > > with MailScanner. >>>>>>>>>>> > > >>>>>>>>>>> > > If you want to block high scoring spam at the MTA >>>>>>>>>>> level, I >>>>>>>>>>> > suggest >>>>>>>>>>> > > using >>>>>>>>>>> > > amavis or spamd with the same SA rulesets as >>>>>>>>>>> MailScanner. >>>>>>>>>>> > This will >>>>>>>>>>> > > get >>>>>>>>>>> > > you most of the power of MailScanner's blocking at >>>>>>>>>>> the MTA. 
>>>>>>>>>>> > > >>>>>>>>>>> > > https://wiki.apache.org/spamassassin/IntegratedInMta >>>>>>>>>>> > > >>>>>>>>>>> > > If you you use postscreen and postwhite at the >>>>>>>>>>> Postfix MTA >>>>>>>>>>> > level, you >>>>>>>>>>> > > can block most of the obvious spam with a tuned >>>>>>>>>>> list of >>>>>>>>>>> > RBLs. See the >>>>>>>>>>> > > SA users mailing list over the past year for >>>>>>>>>>> details on this >>>>>>>>>>> > from me >>>>>>>>>>> > > and >>>>>>>>>>> > > a few others. >>>>>>>>>>> > > >>>>>>>>>>> > > I suggest setting up a quick test VM with iRedmail >>>>>>>>>>> to get a good >>>>>>>>>>> > > example >>>>>>>>>>> > > of how to do TLS and amavis integration well with >>>>>>>>>>> Postfix. >>>>>>>>>>> > > >>>>>>>>>>> > > -- >>>>>>>>>>> > > David Jones >>>>>>>>>>> > > >>>>>>>>>>> > > >>>>>>>>>>> > > -- >>>>>>>>>>> > > MailScanner mailing list >>>>>>>>>>> > > mailscanner at lists.mailscanner.info >>>>>>>>>>> > >>>>>>>>>>> > > >>>>>>>>>> > > >>>>>>>>>>> > > >>>>>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>>>>>>> > > >>>>>>>>>>> > > >>>>>>>>>>> > > >>>>>>>>>>> > > -- >>>>>>>>>>> > > Shawn Iverson, CETL >>>>>>>>>>> > > Director of Technology >>>>>>>>>>> > > Rush County Schools >>>>>>>>>>> > > 765-932-3901 x1171 >>>>>>>>>>> > > iversons at rushville.k12.in.us >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>> > > >>>>>>>>>>> > > >>>>>>>>>>> > > >>>>>>>>>>> > >>>>>>>>>>> > -- >>>>>>>>>>> > David Jones >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > -- >>>>>>>>>>> > Shawn Iverson, CETL >>>>>>>>>>> > Director of Technology >>>>>>>>>>> > Rush County Schools >>>>>>>>>>> > 765-932-3901 x1171 >>>>>>>>>>> > iversons at rushville.k12.in.us >>>>>>>>>> iversons at rushville.k12.in.us> >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> David Jones >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Shawn Iverson, CETL >>>>>>>>>> Director of Technology >>>>>>>>>> Rush County Schools >>>>>>>>>> 765-932-3901 x1171 
>>>>>>>>>> iversons at rushville.k12.in.us

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From djones at ena.com Sat Aug 25 13:20:45 2018
From: djones at ena.com (David Jones)
Date: Sat, 25 Aug 2018 08:20:45 -0500
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To:
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch> <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com> <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID: <2574b09c-4df1-4c63-6d17-4bbb28230122@ena.com>

On 08/24/2018 09:56 PM, Shawn Iverson wrote:
> New milestone...version 0.9
>
> Milter now supports REJECT of blacklisted emails and IP addresses with a
> message of "554 5.7.1 Message Blacklisted" when the new Milter Scanner
> mode is activated.
>
> https://github.com/shawniverson/v5/commit/a6e22ebe51357e0d92bae534092074eee7162f24
>
> This just made sense to do, since blacklist checking is very fast and
> can happen while the milter is active.
>

Excellent work on this Shawn. That REJECT logic makes a lot of sense.

I don't use the MailScanner white/black lists since they are vulnerable to spoofing. I use the SA whitelist_auth, whitelist_spf, whitelist_dkim, and whitelist_from_rcvd (when no SPF) entries since they can limit the exposure to spoofing.

I don't know how you do this with all of the "back to school" work at your day job. You must really have things under control and well managed at your school district or you only sleep about 2 hours a night. :)

--
David Jones

From mailinglists at feedmebits.nl Thu Aug 23 21:11:51 2018
From: mailinglists at feedmebits.nl (Maarten)
Date: Thu, 23 Aug 2018 23:11:51 +0200
Subject: handling spam
Message-ID: <782f8c5a-1761-f706-3704-163dbfaa5b1e@feedmebits.nl>

I don't know much about dealing with spam, what's the best way to deal with spam messages like these coming through?
Make custom spamassassin rules or some other way?

Return-Path:
X-Original-To: mailinglists at feedmebits.nl
X-Spam-Status: No
X-FMB-MailScanner-From: owresyb at zimerton.biz.ua
X-FMB-MailScanner-SpamScore: s
X-FMB-MailScanner: Found to be clean
X-FMB-MailScanner-ID: D21F4308D3.A0A81
X-FMB-MailScanner-Information: Please contact hostmaster at feedmebits.nl for more information
X-Greylist: delayed 4233 seconds by postgrey-1.34 at supernova; Thu, 23 Aug 2018 01:54:33 CEST
DKIM-Filter: OpenDKIM Filter v2.11.0 a.mx.feedmebits.nl D21F4308D3
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=89.163.142.60; helo=mail.zimerton.biz.ua; envelope-from=owresyb at zimerton.biz.ua; receiver=mailinglists at feedmebits.nl
Received: from mail.zimerton.biz.ua (mail.zimerton.biz.ua [89.163.142.60])
    by a.mx.feedmebits.nl (Postfix) with ESMTP id D21F4308D3
    for ; Thu, 23 Aug 2018 01:54:33 +0200 (CEST)
Received: from zimerton.biz.ua (unknown [188.127.251.138])
    by mail.zimerton.biz.ua (Postfix) with ESMTPA id DFE7C71005C;
    Wed, 22 Aug 2018 23:20:22 +0300 (EEST)
Message-ID:
Reply-To: "BTC Investor"
From: "BTC Investor"
To:
Subject: Invest in a brighter future today
Date: Wed, 22 Aug 2018 23:20:31 +0300

What are good starting points to start reading up on when it comes to dealing and handling spam and what would be a good place to start reading? https://wiki.apache.org/spamassassin or other recommendations?

Regards,

Maarten

From iversons at rushville.k12.in.us Mon Aug 27 02:07:04 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 26 Aug 2018 22:07:04 -0400
Subject: handling spam
In-Reply-To: <782f8c5a-1761-f706-3704-163dbfaa5b1e@feedmebits.nl>
References: <782f8c5a-1761-f706-3704-163dbfaa5b1e@feedmebits.nl>
Message-ID:

Maarten,

RBLs are your friend...

http://multirbl.valli.org/lookup/89.163.142.60.html reveals that it is blacklisted on several RBLs

So you could leverage one or more of these RBLs, either in postfix or SA, to filter out this email.
Be sure to check the RBL for its terms and conditions, since some of them have limits and/or are paid services.

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us

From Denis.Beauchemin at usherbrooke.ca Mon Aug 27 13:30:08 2018
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Mon, 27 Aug 2018 13:30:08 +0000
Subject: What is causing this delay?
Message-ID:

Hello all,

After many years away from MailScanner I installed new MS servers a couple of weeks ago. I'm happy to see that MS has continued to thrive!

Now my problem: my 2 new servers are running into some timeout during messages scan as can be seen here:

[root at smtpi3 conf.d]# MailScanner --lint 2>&1 | while true; do read l; echo "$(date +%T): $l";done
08:01:56: Trying to setlogsock(unix)
08:01:56:
08:01:56: Reading configuration file /etc/MailScanner/MailScanner.conf
08:01:56: Reading configuration file /etc/MailScanner/conf.d/README
08:01:56: Reading configuration file /etc/MailScanner/conf.d/UdeS.conf
08:01:56: Read 1500 hostnames from the phishing whitelist
08:01:56: Read 17028 hostnames from the phishing blacklists
08:01:56:
08:01:56: Checking version numbers...
08:01:56: Version number in MailScanner.conf (5.0.7) is correct.
08:01:56:
08:01:56: Your envelope_sender_header in spamassassin.conf is correct.
08:01:56:
08:01:56: Checking for SpamAssassin errors (if you use it)...
08:01:56: Using SpamAssassin results cache
08:01:56: Connected to SpamAssassin cache database
08:02:14: SpamAssassin reported no errors.
08:02:14: Connected to Processing Attempts Database
08:02:14: Created Processing Attempts Database successfully
08:02:14: There is 1 message in the Processing Attempts Database
08:02:14: Using locktype = posix
08:02:14: MailScanner.conf says "Virus Scanners = clamd"
08:02:14: Found these virus scanners installed: clamd
08:02:14: ===========================================================================
08:02:14: Filename Checks: Windows/DOS Executable (1 eicar.com)
08:02:14: Other Checks: Found 1 problems
08:02:14: Virus and Content Scanning: Starting
08:02:14: Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
08:02:14: Virus Scanning: Clamd found 1 infections
08:02:14: Infected message 1 came from 10.1.1.1
08:02:14: Virus Scanning: Found 1 viruses
08:02:14: ===========================================================================
08:02:14: Virus Scanner test reports:
08:02:14: Clamd said "eicar.com was infected: Eicar-Test-Signature"
08:02:14:
08:02:14: If any of your virus scanners (clamd)
08:02:14: are not listed there, you should check that they are installed correctly
08:02:14: and that MailScanner is finding them correctly via its virus.scanners.conf.

If you look at the timestamps between "Connected to SpamAssassin cache database" and "SpamAssassin reported no errors", you'll see an 18-second delay, which seems excessive. I've redone this many times and it never goes lower than 10 seconds.

If I do a "MailScanner --debug-sa" I get the following delays:

In Debugging mode, not forking...
Trying to setlogsock(unix)
08:18:36 Aug 24 08:18:36.710 [10096] dbg: logger: adding facilities: all
...
08:18:37 Aug 24 08:18:37.643 [10096] dbg: rules: run_eval_tests - compiling eval code: 13, priority 0
08:18:37 Aug 24 08:18:37.644 [10096] dbg: dns: entering helper-app run mode
08:18:42 Aug 24 08:18:42.645 [10096] dbg: dns: leaving helper-app run mode
...
08:18:42 Building a message batch to scan...
08:19:36 Have a batch of 1 message.
08:19:36 Stopping now as you are debugging me.

I tried to look at the dns settings but couldn't figure out what might be off. I am not running a caching nameserver. My old MS servers are not either and do not show this delay.

Thanks for your help.

I'm running this version:

[root at smtpi3 conf.d]# MailScanner -v
Running on
Linux smtpi3.usherbrooke.ca 3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
This is Red Hat Enterprise Linux Server release 7.5 (Maipo)
This is Perl version 5.016003 (5.16.3)

This is MailScanner version 5.0.7
Module versions are:
1.01 AnyDBM_File 1.30 Archive::Zip 0.29 bignum 1.26 Carp 2.061 Compress::Zlib 1.119 Convert::BinHex
0.18 Convert::TNEF 2.145 Data::Dumper 2.30 Date::Parse 1.04 DirHandle 1.11 Fcntl 2.84 File::Basename
2.23 File::Copy 2.02 FileHandle 2.09 File::Path 0.2301 File::Temp 0.92 Filesys::Df 3.69 HTML::Entities
3.71 HTML::Parser 3.69 HTML::TokeParser 1.16 IO::File 1.15 IO::Pipe 2.12 Mail::Header 1.998 Math::BigInt
0.2603 Math::BigRat 3.13 MIME::Base64 5.509 MIME::Decoder 5.509 MIME::Decoder::UU 5.509 MIME::Head
5.509 MIME::Parser 3.13 MIME::QuotedPrint 5.509 MIME::Tools 0.18 Net::CIDR 1.26 Net::IP
0.19 OLE::Storage_Lite 1.04 Pod::Escapes 3.28 Pod::Simple 1.30 POSIX 1.27 Scalar::Util 2.010 Socket
2.45 Storable 1.5 Sys::Hostname::Long 0.33 Sys::Syslog 1.48 Test::Pod 1.302140 Test::Simple
1.9725 Time::HiRes 1.02 Time::localtime

Optional module versions are:
1.92 Archive::Tar 0.29 bignum 2.06 Business::ISBN 20120719.001 Business::ISBN::Data 1.22 Data::Dump
1.83 DB_File 1.39 DBD::SQLite 1.627 DBI 1.17 Digest 1.03 Digest::HMAC 2.52 Digest::MD5 2.13 Digest::SHA1
1.01 Encode::Detect 0.17020 Error 0.280206 ExtUtils::CBuilder 3.18 ExtUtils::ParseXS 2.4 Getopt::Long
0.53 Inline 1.08 IO::String 1.10 IO::Zlib 2.28 IP::Country missing Mail::ClamAV 3.004000 Mail::SpamAssassin
v2.008 Mail::SPF 1.999001 Mail::SPF::Query 0.4005 Module::Build 0.21 Net::CIDR::Lite 0.72 Net::DNS v0.003
Net::DNS::Resolver::Programmable 0.56 Net::LDAP 4.069 NetAddr::IP 1.967009 Parse::RecDescent missing SAVI
3.28 Test::Harness 1.23 Test::Manifest 2.02 Text::Balanced 1.60 URI 0.9907 version 0.84 YAML

Denis

From jerry.benton at mailborder.com Tue Aug 28 03:26:49 2018
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 27 Aug 2018 23:26:49 -0400
Subject: What is causing this delay?
In-Reply-To:
References:
Message-ID: <017b01d43e7e$f5708360$e0518a20$@mailborder.com>

Set up a caching DNS server on the same box and you should see those numbers drop from 10 seconds to about 2 seconds or less. Just finished testing this in the lab.

--
Jerry Benton
www.mailborder.com
+1 (843) 800-8605
+44 (020) 3883-8605

From Denis.Beauchemin at usherbrooke.ca Tue Aug 28 12:39:33 2018
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Tue, 28 Aug 2018 12:39:33 +0000
Subject: What is causing this delay?
In-Reply-To: <017b01d43e7e$f5708360$e0518a20$@mailborder.com>
References: <017b01d43e7e$f5708360$e0518a20$@mailborder.com>
Message-ID:

Hello Jerry,

Installed one but it didn't do any good:

08:35:02: Checking for SpamAssassin errors (if you use it)...
08:35:02: Using SpamAssassin results cache
08:35:02: Connected to SpamAssassin cache database
08:35:12: SpamAssassin reported no errors.
08:35:12: Connected to Processing Attempts Database

dig www.apache.org returns:

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 28 08:36:12 EDT 2018
;; MSG SIZE rcvd: 376

Any other suggestions?

Denis

-----Original Message-----
From: MailScanner On Behalf Of Jerry Benton
Sent: August 27, 2018 23:27
To: 'MailScanner Discussion'
Subject: RE: What is causing this delay?

Set up a caching DNS server on the same box and you should see those numbers drop from 10 seconds to about 2 seconds or less. Just finished testing this in the lab.

--
Jerry Benton
www.mailborder.com
+1 (843) 800-8605
+44 (020) 3883-8605

From djones at ena.com Tue Aug 28 12:44:16 2018
From: djones at ena.com (David Jones)
Date: Tue, 28 Aug 2018 12:44:16 +0000
Subject: What is causing this delay?
In-Reply-To:
References: <017b01d43e7e$f5708360$e0518a20$@mailborder.com>,
Message-ID:

Try finding any errors/delays in the output of:

spamassassin -D --lint > debug.log 2>&1

________________________________
From: MailScanner on behalf of Denis Beauchemin
Sent: Tuesday, August 28, 2018 7:39 AM
To: MailScanner Discussion
Subject: RE: What is causing this delay?

Hello Jerry,

Installed one but it didn't do any good:

08:35:02: Checking for SpamAssassin errors (if you use it)...
08:35:02: Using SpamAssassin results cache
08:35:02: Connected to SpamAssassin cache database
08:35:12: SpamAssassin reported no errors.
08:35:12: Connected to Processing Attempts Database

dig www.apache.org returns:

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 28 08:36:12 EDT 2018
;; MSG SIZE rcvd: 376

Any other suggestions?

Denis

-----Original Message-----
From: MailScanner On Behalf Of Jerry Benton
Sent: August 27, 2018 23:27
To: 'MailScanner Discussion'
Subject: RE: What is causing this delay?

Set up a caching DNS server on the same box and you should see those numbers drop from 10 seconds to about 2 seconds or less. Just finished testing this in the lab.

--
Jerry Benton
www.mailborder.com
+1 (843) 800-8605
+44 (020) 3883-8605

-----Original Message-----
From: MailScanner On Behalf Of Denis Beauchemin
Sent: Monday, August 27, 2018 09:30
To: mailscanner at lists.mailscanner.info
Subject: What is causing this delay?
Hello all, After many years away from MailScanner I installed new MS servers a couple of weeks ago. I?m happy to see that MS has continued to thrive! Now my problem: my 2 new servers are running into some timeout during messages scan as can be seen here: [root at smtpi3 conf.d]# MailScanner --lint 2>&1 | while true; do read l; echo "$(date +%T): $l";done 08:01:56: Trying to setlogsock(unix) 08:01:56: 08:01:56: Reading configuration file /etc/MailScanner/MailScanner.conf 08:01:56: Reading configuration file /etc/MailScanner/conf.d/README 08:01:56: Reading configuration file /etc/MailScanner/conf.d/UdeS.conf 08:01:56: Read 1500 hostnames from the phishing whitelist 08:01:56: Read 17028 hostnames from the phishing blacklists 08:01:56: 08:01:56: Checking version numbers... 08:01:56: Version number in MailScanner.conf (5.0.7) is correct. 08:01:56: 08:01:56: Your envelope_sender_header in spamassassin.conf is correct. 08:01:56: 08:01:56: Checking for SpamAssassin errors (if you use it)... 08:01:56: Using SpamAssassin results cache 08:01:56: Connected to SpamAssassin cache database 08:02:14: SpamAssassin reported no errors. 
08:02:14: Connected to Processing Attempts Database 08:02:14: Created Processing Attempts Database successfully 08:02:14: There is 1 message in the Processing Attempts Database 08:02:14: Using locktype = posix 08:02:14: MailScanner.conf says "Virus Scanners = clamd" 08:02:14: Found these virus scanners installed: clamd 08:02:14: =========================================================================== 08:02:14: Filename Checks: Windows/DOS Executable (1 eicar.com) 08:02:14: Other Checks: Found 1 problems 08:02:14: Virus and Content Scanning: Starting 08:02:14: Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com 08:02:14: Virus Scanning: Clamd found 1 infections 08:02:14: Infected message 1 came from 10.1.1.1 08:02:14: Virus Scanning: Found 1 viruses 08:02:14: =========================================================================== 08:02:14: Virus Scanner test reports: 08:02:14: Clamd said "eicar.com was infected: Eicar-Test-Signature" 08:02:14: 08:02:14: If any of your virus scanners (clamd) 08:02:14: are not listed there, you should check that they are installed correctly 08:02:14: and that MailScanner is finding them correctly via its virus.scanners.conf. If you look at the timestamps between "Connected to SpamAssassin cache database" and "SpamAssassin reported no errors", you'll see a 18 seconds delay, which seems excessive. I've redone this many times and it never goes lower than 10 seconds. If I do a "MailScanner --debug-sa" I get the following delays: In Debugging mode, not forking... Trying to setlogsock(unix) 08:18:36 Aug 24 08:18:36.710 [10096] dbg: logger: adding facilities: all ... 08:18:37 Aug 24 08:18:37.643 [10096] dbg: rules: run_eval_tests - compiling eval code: 13, priority 0 08:18:37 Aug 24 08:18:37.644 [10096] dbg: dns: entering helper-app run mode 08:18:42 Aug 24 08:18:42.645 [10096] dbg: dns: leaving helper-app run mode ... 08:18:42 Building a message batch to scan... 08:19:36 Have a batch of 1 message. 
08:19:36 Stopping now as you are debugging me. I tried to look at the dns settings but couldn't figure out what might be off. I am not running a caching nameserver. My old MS servers are not either and do not show this delay. Thanks for you help. I'm running this version: [root at smtpi3 conf.d]# MailScanner -v Running on Linux smtpi3.usherbrooke.ca 3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux This is Red Hat Enterprise Linux Server release 7.5 (Maipo) This is Perl version 5.016003 (5.16.3) This is MailScanner version 5.0.7 Module versions are: 1.01 AnyDBM_File 1.30 Archive::Zip 0.29 bignum 1.26 Carp 2.061 Compress::Zlib 1.119 Convert::BinHex 0.18 Convert::TNEF 2.145 Data::Dumper 2.30 Date::Parse 1.04 DirHandle 1.11 Fcntl 2.84 File::Basename 2.23 File::Copy 2.02 FileHandle 2.09 File::Path 0.2301 File::Temp 0.92 Filesys::Df 3.69 HTML::Entities 3.71 HTML::Parser 3.69 HTML::TokeParser 1.16 IO::File 1.15 IO::Pipe 2.12 Mail::Header 1.998 Math::BigInt 0.2603 Math::BigRat 3.13 MIME::Base64 5.509 MIME::Decoder 5.509 MIME::Decoder::UU 5.509 MIME::Head 5.509 MIME::Parser 3.13 MIME::QuotedPrint 5.509 MIME::Tools 0.18 Net::CIDR 1.26 Net::IP 0.19 OLE::Storage_Lite 1.04 Pod::Escapes 3.28 Pod::Simple 1.30 POSIX 1.27 Scalar::Util 2.010 Socket 2.45 Storable 1.5 Sys::Hostname::Long 0.33 Sys::Syslog 1.48 Test::Pod 1.302140 Test::Simple 1.9725 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.92 Archive::Tar 0.29 bignum 2.06 Business::ISBN 20120719.001 Business::ISBN::Data 1.22 Data::Dump 1.83 DB_File 1.39 DBD::SQLite 1.627 DBI 1.17 Digest 1.03 Digest::HMAC 2.52 Digest::MD5 2.13 Digest::SHA1 1.01 Encode::Detect 0.17020 Error 0.280206 ExtUtils::CBuilder 3.18 ExtUtils::ParseXS 2.4 Getopt::Long 0.53 Inline 1.08 IO::String 1.10 IO::Zlib 2.28 IP::Country missing Mail::ClamAV 3.004000 Mail::SpamAssassin v2.008 Mail::SPF 1.999001 Mail::SPF::Query 0.4005 Module::Build 0.21 Net::CIDR::Lite 0.72 Net::DNS v0.003 
Net::DNS::Resolver::Programmable 0.56 Net::LDAP 4.069 NetAddr::IP 1.967009 Parse::RecDescent missing SAVI 3.28 Test::Harness 1.23 Test::Manifest 2.02 Text::Balanced 1.60 URI 0.9907 version 0.84 YAML Denis -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -------------- next part -------------- An HTML attachment was scrubbed... URL: From Denis.Beauchemin at usherbrooke.ca Tue Aug 28 12:52:05 2018 From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin) Date: Tue, 28 Aug 2018 12:52:05 +0000 Subject: What is causing this delay? In-Reply-To: References: <017b01d43e7e$f5708360$e0518a20$@mailborder.com>, Message-ID: I think I found it. I just uncommented the following lines in /etc/mail/spamassassin/MailScanner.cf: use_razor2 0 use_pyzor 0 And now I get: 08:49:32: Checking for SpamAssassin errors (if you use it)... 08:49:32: Using SpamAssassin results cache 08:49:32: Connected to SpamAssassin cache database 08:49:33: SpamAssassin reported no errors. 08:49:33: Connected to Processing Attempts Database 08:49:33: Created Processing Attempts Database successfully :-) Thanks all for your suggestions. Denis De?: MailScanner De la part de David Jones via MailScanner Envoy??: 28 ao?t 2018 08:44 ??: MailScanner Discussion Cc?: David Jones Objet?: Re: What is causing this delay? Try finding any errors/delays in the output of: spamassassin -D --lint 2>&1 > debug.log ________________________________________ From: MailScanner on behalf of Denis Beauchemin Sent: Tuesday, August 28, 2018 7:39 AM To: MailScanner Discussion Subject: RE: What is causing this delay? ? Hello Jerry, Installed one but it didn't do any good: 08:35:02: Checking for SpamAssassin errors (if you use it)... 
08:35:02: Using SpamAssassin results cache 08:35:02: Connected to SpamAssassin cache database 08:35:12: SpamAssassin reported no errors. 08:35:12: Connected to Processing Attempts Database dig http://www.apache.org returns: ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Aug 28 08:36:12 EDT 2018 ;; MSG SIZE? rcvd: 376 Any other suggestions?? Denis -----Message d'origine----- De?: MailScanner De la part de Jerry Benton Envoy??: 27 ao?t 2018 23:27 ??: 'MailScanner Discussion' Objet?: RE: What is causing this delay? Setup a caching DNS server on the same box and you should see those numbers drop from 10 seconds to about 2 seconds or less. Just finished testing this in the lab. -- Jerry Benton http://www.mailborder.com +1?? (843) 800-8605 +44 (020) 3883-8605 -----Original Message----- From: MailScanner On Behalf Of Denis Beauchemin Sent: Monday, August 27, 2018 09:30 To: mailto:mailscanner at lists.mailscanner.info Subject: What is causing this delay? Hello all, After many years away from MailScanner I installed new MS servers a couple of weeks ago. I?m happy to see that MS has continued to thrive! Now my problem: my 2 new servers are running into some timeout during messages scan as can be seen here: [root at smtpi3 conf.d]# MailScanner --lint 2>&1 | while true; do read l; echo "$(date +%T): $l";done 08:01:56: Trying to setlogsock(unix) 08:01:56: 08:01:56: Reading configuration file /etc/MailScanner/MailScanner.conf 08:01:56: Reading configuration file /etc/MailScanner/conf.d/README 08:01:56: Reading configuration file /etc/MailScanner/conf.d/UdeS.conf 08:01:56: Read 1500 hostnames from the phishing whitelist 08:01:56: Read 17028 hostnames from the phishing blacklists 08:01:56: 08:01:56: Checking version numbers... 08:01:56: Version number in MailScanner.conf (5.0.7) is correct. 08:01:56: 08:01:56: Your envelope_sender_header in spamassassin.conf is correct. 08:01:56: 08:01:56: Checking for SpamAssassin errors (if you use it)... 
08:01:56: Using SpamAssassin results cache 08:01:56: Connected to SpamAssassin cache database 08:02:14: SpamAssassin reported no errors. 08:02:14: Connected to Processing Attempts Database 08:02:14: Created Processing Attempts Database successfully 08:02:14: There is 1 message in the Processing Attempts Database 08:02:14: Using locktype = posix 08:02:14: MailScanner.conf says "Virus Scanners = clamd" 08:02:14: Found these virus scanners installed: clamd 08:02:14: =========================================================================== 08:02:14: Filename Checks: Windows/DOS Executable (1 eicar.com) 08:02:14: Other Checks: Found 1 problems 08:02:14: Virus and Content Scanning: Starting 08:02:14: Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com 08:02:14: Virus Scanning: Clamd found 1 infections 08:02:14: Infected message 1 came from 10.1.1.1 08:02:14: Virus Scanning: Found 1 viruses 08:02:14: =========================================================================== 08:02:14: Virus Scanner test reports: 08:02:14: Clamd said "eicar.com was infected: Eicar-Test-Signature" 08:02:14: 08:02:14: If any of your virus scanners (clamd) 08:02:14: are not listed there, you should check that they are installed correctly 08:02:14: and that MailScanner is finding them correctly via its virus.scanners.conf. If you look at the timestamps between "Connected to SpamAssassin cache database" and "SpamAssassin reported no errors", you'll see a 18 seconds delay, which seems excessive. I've redone this many times and it never goes lower than 10 seconds. If I do a "MailScanner --debug-sa" I get the following delays: In Debugging mode, not forking... Trying to setlogsock(unix) 08:18:36 Aug 24 08:18:36.710 [10096] dbg: logger: adding facilities: all ... 
08:18:37 Aug 24 08:18:37.643 [10096] dbg: rules: run_eval_tests - compiling eval code: 13, priority 0 08:18:37 Aug 24 08:18:37.644 [10096] dbg: dns: entering helper-app run mode 08:18:42 Aug 24 08:18:42.645 [10096] dbg: dns: leaving helper-app run mode ... 08:18:42 Building a message batch to scan... 08:19:36 Have a batch of 1 message. 08:19:36 Stopping now as you are debugging me. I tried to look at the dns settings but couldn't figure out what might be off. I am not running a caching nameserver. My old MS servers are not either and do not show this delay. Thanks for you help. I'm running this version: [root at smtpi3 conf.d]# MailScanner -v Running on Linux smtpi3.usherbrooke.ca 3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux This is Red Hat Enterprise Linux Server release 7.5 (Maipo) This is Perl version 5.016003 (5.16.3) This is MailScanner version 5.0.7 Module versions are: 1.01??? AnyDBM_File 1.30??? Archive::Zip 0.29??? bignum 1.26??? Carp 2.061?? Compress::Zlib 1.119?? Convert::BinHex 0.18??? Convert::TNEF 2.145?? Data::Dumper 2.30??? Date::Parse 1.04??? DirHandle 1.11??? Fcntl 2.84??? File::Basename 2.23??? File::Copy 2.02??? FileHandle 2.09??? File::Path 0.2301? File::Temp 0.92??? Filesys::Df 3.69??? HTML::Entities 3.71??? HTML::Parser 3.69??? HTML::TokeParser 1.16??? IO::File 1.15??? IO::Pipe 2.12??? Mail::Header 1.998?? Math::BigInt 0.2603? Math::BigRat 3.13??? MIME::Base64 5.509?? MIME::Decoder 5.509?? MIME::Decoder::UU 5.509?? MIME::Head 5.509?? MIME::Parser 3.13??? MIME::QuotedPrint 5.509?? MIME::Tools 0.18??? Net::CIDR 1.26??? Net::IP 0.19??? OLE::Storage_Lite 1.04??? Pod::Escapes 3.28??? Pod::Simple 1.30??? POSIX 1.27??? Scalar::Util 2.010?? Socket 2.45??? Storable 1.5???? Sys::Hostname::Long 0.33??? Sys::Syslog 1.48??? Test::Pod 1.302140??????? Test::Simple 1.9725? Time::HiRes 1.02??? Time::localtime Optional module versions are: 1.92??? Archive::Tar 0.29??? bignum 2.06??? 
Business::ISBN 20120719.001??? Business::ISBN::Data 1.22??? Data::Dump 1.83??? DB_File 1.39??? DBD::SQLite 1.627?? DBI 1.17??? Digest 1.03??? Digest::HMAC 2.52??? Digest::MD5 2.13??? Digest::SHA1 1.01??? Encode::Detect 0.17020 Error 0.280206??????? ExtUtils::CBuilder 3.18??? ExtUtils::ParseXS 2.4???? Getopt::Long 0.53??? Inline 1.08??? IO::String 1.10??? IO::Zlib 2.28??? IP::Country missing Mail::ClamAV 3.004000??????? Mail::SpamAssassin v2.008? Mail::SPF 1.999001??????? Mail::SPF::Query 0.4005? Module::Build 0.21??? Net::CIDR::Lite 0.72??? Net::DNS v0.003? Net::DNS::Resolver::Programmable 0.56??? Net::LDAP ?4.069? NetAddr::IP 1.967009??????? Parse::RecDescent missing SAVI 3.28??? Test::Harness 1.23??? Test::Manifest 2.02??? Text::Balanced 1.60??? URI 0.9907? version 0.84??? YAML Denis -- MailScanner mailing list mailto:mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- MailScanner mailing list mailto:mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner From zephyr at flytonet.com Wed Aug 29 08:40:14 2018 From: zephyr at flytonet.com (=?big5?B?t0ypTaq6rbc=?=) Date: Wed, 29 Aug 2018 16:40:14 +0800 Subject: Help~Setup MailScanner v5.0.7-4 error Message-ID: <000001d43f73$e7ff8aa0$b7fe9fe0$@flytonet.com> Hi, I use CentOS v7(1804),and download MailScanner 5.0.7 from https://s3.amazonaws.com/msv5/release/MailScanner-5.0.7-4.rhel.tar.gz. But I got some problem. I try some commands to slove them,but it?s not working. ================================================== mkdir /var/spool/MailScanner/spamassassin chown postfix.postfix /var/spool/MailScanner/spamassassin chown -R postfix.postfix /var/spool/MailScanner/incoming chown -R postfix.postfix /var/spool/MailScanner/quarantine ==================================================== Could someone help me ? Thanks a lot. 
zephyr

file path ==>/var/log/maillog

Aug 29 11:31:09 ftp MailScanner[18173]: MailScanner Email Processor version 5.0.7 starting...
Aug 29 11:31:09 ftp MailScanner[18173]: Reading configuration file /etc/MailScanner/MailScanner.conf
Aug 29 11:31:09 ftp MailScanner[18173]: Reading configuration file /etc/MailScanner/conf.d/README
Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory /var/spool/MailScanner/incoming
Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line 200, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)
Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory /var/spool/MailScanner/incoming/Locks
Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line 3069, directory /var/spool/MailScanner/incoming/Locks for lockfiledir does not exist (or is not readable)
Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory /var/spool/postfix/incoming
Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line 190, directory /var/spool/postfix/incoming for outqueuedir does not exist (or is not readable)
Aug 29 11:31:09 ftp MailScanner[18173]: File containing list of incoming queue dirs (/var/spool/postfix/hold) does not exist
Aug 29 11:31:09 ftp MailScanner[18173]: Read 1500 hostnames from the phishing whitelist
Aug 29 11:31:10 ftp MailScanner[18173]: Read 15767 hostnames from the phishing blacklists
Aug 29 11:31:10 ftp MailScanner[18173]: Using SpamAssassin results cache
Aug 29 11:31:10 ftp MailScanner[18173]: Could not create SpamAssassin cache database /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Aug 29 11:31:10 ftp MailScanner[18173]: Enabling SpamAssassin auto-whitelist functionality...

file path ==>/etc/MailScanner/MailScanner.conf

MTA = postfix
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir =/var/spool/postfix/incoming
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Deliver Unparsable TNEF = yes

From mailinglists at feedmebits.nl Wed Aug 29 16:04:46 2018
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 29 Aug 2018 18:04:46 +0200
Subject: Help~Setup MailScanner v5.0.7-4 error
In-Reply-To: <000001d43f73$e7ff8aa0$b7fe9fe0$@flytonet.com>
References: <000001d43f73$e7ff8aa0$b7fe9fe0$@flytonet.com>
Message-ID:

Hello Zephyr,

My guess would be that it's selinux the problem, try setenforce 0 and try restarting mailscanner. If it works like that you need to configure selinux so that it allows the creation of those directories.

From jerry.benton at mailborder.com Wed Aug 29 16:06:27 2018
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 29 Aug 2018 12:06:27 -0400
Subject: Help~Setup MailScanner v5.0.7-4 error
In-Reply-To:
References: <000001d43f73$e7ff8aa0$b7fe9fe0$@flytonet.com>
Message-ID: <009b01d43fb2$3e0c0250$ba2406f0$@mailborder.com>

Also: postfix:mtagroup not postfix:postfix

--
Jerry Benton
www.mailborder.com
+1 (843) 800-8605
+44 (020) 3883-8605

From zephyr at flytonet.com Fri Aug 31 00:26:44 2018
From: zephyr at flytonet.com (=?big5?B?t0ypTaq6rbc=?=)
Date: Fri, 31 Aug 2018 08:26:44 +0800
Subject: Help~Setup MailScanner v5.0.7-4 error
Message-ID: <000601d440c1$4c2d4cd0$e487e670$@flytonet.com>

The problem is solved. Thanks to Maarten and Jerry Benton.

/var/log/maillog

Aug 31 08:20:00 ftp MailScanner[16310]: MailScanner Email Processor version 5.0.7 starting...
Aug 31 08:20:00 ftp MailScanner[16310]: Reading configuration file /etc/MailScanner/MailScanner.conf
Aug 31 08:20:00 ftp MailScanner[16310]: Reading configuration file /etc/MailScanner/conf.d/README
Aug 31 08:20:00 ftp MailScanner[16310]: Read 1500 hostnames from the phishing whitelist
Aug 31 08:20:00 ftp MailScanner[16310]: Read 16138 hostnames from the phishing blacklists
Aug 31 08:20:00 ftp MailScanner[16310]: Using SpamAssassin results cache
Aug 31 08:20:00 ftp MailScanner[16310]: Connected to SpamAssassin cache database
Aug 31 08:20:00 ftp MailScanner[16310]: Enabling SpamAssassin auto-whitelist functionality...
Aug 31 08:20:05 ftp MailScanner[16421]: MailScanner Email Processor version 5.0.7 starting...
Aug 31 08:20:05 ftp MailScanner[16421]: Reading configuration file /etc/MailScanner/MailScanner.conf
Aug 31 08:20:05 ftp MailScanner[16421]: Reading configuration file /etc/MailScanner/conf.d/README
Aug 31 08:20:05 ftp MailScanner[16421]: Read 1500 hostnames from the phishing whitelist
Aug 31 08:20:05 ftp MailScanner[16421]: Read 16138 hostnames from the phishing blacklists
Aug 31 08:20:05 ftp MailScanner[16421]: Using SpamAssassin results cache
Aug 31 08:20:05 ftp MailScanner[16421]: Connected to SpamAssassin cache database
Aug 31 08:20:05 ftp MailScanner[16421]: Enabling SpamAssassin auto-whitelist functionality...
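For the setup errors in the thread above, an added example (not from any poster and not MailScanner's own code) that pulls the directories named in the "does not exist (or is not readable)" log lines and walks each path to show which component blocks access and who owns it. The sample log is constructed from the lines quoted in the thread, `failing_dirs` and `explain_path` are hypothetical helper names, and the script is assumed to run as the MailScanner "Run As User" so the permission tests reflect what MailScanner sees.

```shell
#!/bin/sh
# Constructed sample: error lines in the format quoted in the thread.
sample_maillog() {
cat <<'EOF'
Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory /var/spool/MailScanner/incoming
Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line 200, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)
Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line 3069, directory /var/spool/MailScanner/incoming/Locks for lockfiledir does not exist (or is not readable)
Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line 190, directory /var/spool/postfix/incoming for outqueuedir does not exist (or is not readable)
EOF
}

# failing_dirs (hypothetical helper): read maillog lines on stdin and print
# "<setting> <directory>" for each directory reported missing or unreadable.
failing_dirs() {
    sed -n 's|.*directory \(/[^ ]*\) for \([a-z]*\) does not exist (or is not readable).*|\2 \1|p'
}

# explain_path DIR (hypothetical helper): walk from / down to DIR as the current
# user. Print the first component that blocks access, or DIR's owner, group and
# mode when none does. The body is a subshell, so the IFS and globbing changes
# stay local and "exit" only sets the function's return status.
explain_path() (
    case "$1" in /*) ;; *) echo "not an absolute path: $1"; exit 2 ;; esac
    set -f
    IFS=/
    current=""
    for part in $1; do
        [ -n "$part" ] || continue
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "missing: $current"; exit 1
        elif [ ! -d "$current" ]; then
            echo "not a directory: $current"; exit 1
        elif [ ! -x "$current" ]; then
            echo "no search permission: $current"; exit 1
        fi
    done
    current="${current:-/}"
    if [ ! -r "$current" ] || [ ! -w "$current" ]; then
        echo "not readable and writable: $current"; exit 1
    fi
    echo "ok: $current $(ls -ld "$current" | awk '{ print $3 ":" $4, $1 }')"
)

# Check every directory the sample log complains about.
sample_maillog | failing_dirs | while read -r setting dir; do
    printf '%s: %s\n' "$setting" "$(explain_path "$dir")"
done
```

If every component reports ok as the run-as user and MailScanner still logs the error, file ownership and mode are not what is blocking it, which is the case the SELinux suggestion in the thread covers.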
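For the "What is causing this delay?" thread earlier on this page, an added example (not Denis's code) that timestamps a command's output and reports every gap between consecutive lines at or above a threshold, so the stalled step is named rather than found by eye. `stamp`, `find_gaps` and the two sample functions are hypothetical names, and the sample lines are constructed from the `--lint` and `--debug-sa` output quoted in the thread.

```shell
#!/bin/sh
# stamp (hypothetical helper): prefix each stdin line with the wall-clock time.
# The loop ends at end of input.
stamp() {
    while IFS= read -r line; do
        printf '%s: %s\n' "$(date +%T)" "$line"
    done
}

# find_gaps [SECONDS] (hypothetical helper): read lines that start with HH:MM:SS
# and report each pair of consecutive lines whose timestamps differ by SECONDS
# or more (default 5), naming the line after which the output went quiet.
find_gaps() {
    awk -v limit="${1:-5}" '
    function secs(t,    p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ {
        now = secs(substr($0, 1, 8))
        text = substr($0, 9)
        sub(/^:? */, "", text)             # drop the separator after the stamp
        if (seen) {
            delta = now - prev
            if (delta < 0) delta += 86400  # the run crossed midnight
            if (delta >= limit)
                printf "%ds stall after \"%s\"\n", delta, prev_text
        }
        prev = now; prev_text = text; seen = 1
    }'
}

# Constructed sample: timestamped lint lines as quoted in the thread.
sample_lint() {
cat <<'EOF'
08:01:56: Checking for SpamAssassin errors (if you use it)...
08:01:56: Using SpamAssassin results cache
08:01:56: Connected to SpamAssassin cache database
08:02:14: SpamAssassin reported no errors.
08:02:14: Connected to Processing Attempts Database
EOF
}

# Constructed sample: --debug-sa lines as quoted in the thread.
sample_debug_sa() {
cat <<'EOF'
08:18:37 Aug 24 08:18:37.643 [10096] dbg: rules: run_eval_tests - compiling eval code: 13, priority 0
08:18:37 Aug 24 08:18:37.644 [10096] dbg: dns: entering helper-app run mode
08:18:42 Aug 24 08:18:42.645 [10096] dbg: dns: leaving helper-app run mode
08:18:42 Building a message batch to scan...
EOF
}

sample_lint | find_gaps 10
sample_debug_sa | find_gaps 5
# Live use: MailScanner --lint 2>&1 | stamp | find_gaps 10
```

On the samples this names the SpamAssassin initialisation step in the lint run and the "dns: entering helper-app run mode" step in the debug run, the two places the thread identified by reading timestamps.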