From dobril at stanga.net  Mon Aug  6 10:56:52 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 13:56:52 +0300
Subject: MailScanner: Message attempted to kill MailScanner
Message-ID: <00c601d42d74$2effa870$8cfef950$@stanga.net>

Hello,

 

Please help me to debug follow issue:

All emails sent from my webmail to same domain cannot be processes by
mailscanner.

 

Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]

Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48:
client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header
Received: from mail.stanga.net (localhost [IPv6:::1])??by mail.stanga.net
(Postfix) with ESMTPA id CE4AB62C48??for <dob

ril at stanga.net>; Mon,  6 Aug 2018 13:19:15 +0300 (EEST) from localhost[::1];
from=<dobril at stanga.net> to=<dobril at stanga.net> proto=ESMTP
helo=<mail.stanga.net>

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48:
message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net>

Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field added
(s=mail, d=stanga.net)

Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1]
ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6

Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages,
3097 bytes

Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
CE4AB62C48.A8F32

Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning:
Starting

Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018
bytes per second

Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
CE4AB62C48.A8F32

Aug  6 13:23:37 mail MailScanner[32582]: Making attempt 2 at processing
message CE4AB62C48.A8F32

Aug  6 13:23:37 mail MailScanner[32582]: Saved archive copies of
CE4AB62C48.A8F32

Aug  6 13:26:15 mail MailScanner[2138]: Making attempt 3 at processing
message CE4AB62C48.A8F32

Aug  6 13:26:15 mail MailScanner[2138]: Saved archive copies of
CE4AB62C48.A8F32

Aug  6 13:30:55 mail MailScanner[1659]: Making attempt 4 at processing
message CE4AB62C48.A8F32

Aug  6 13:30:55 mail MailScanner[1659]: Saved archive copies of
CE4AB62C48.A8F32

Aug  6 13:35:44 mail MailScanner[1736]: Making attempt 5 at processing
message CE4AB62C48.A8F32

Aug  6 13:35:44 mail MailScanner[1736]: Saved archive copies of
CE4AB62C48.A8F32

Aug  6 13:39:03 mail MailScanner[2946]: Making attempt 6 at processing
message CE4AB62C48.A8F32

Aug  6 13:39:03 mail MailScanner[2946]: Saved archive copies of
CE4AB62C48.A8F32

Aug  6 13:39:05 mail MailScanner[2589]: Warning: skipping message
CE4AB62C48.A8F32 as it has been attempted too many times

Aug  6 13:39:05 mail MailScanner[2589]: Quarantined message CE4AB62C48.A8F32
as it caused MailScanner to crash several times

Aug  6 13:39:05 mail MailScanner[2589]: Saved entire message to
/var/spool/MailScanner/quarantine/20180806/CE4AB62C48.A8F32

Aug  6 13:39:05 mail MailScanner[2589]: MailWatch: Logging message
CE4AB62C48.A8F32 to SQL

 

 

Then I started in  with debug option.

Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]

Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48:
client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header
Received: from mail.stanga.net (localhost [IPv6:::1])??by mail.stanga.net
(Postfix) with ESMTPA id CE4AB62C48??for <dobril at stanga.net>; Mon,  6 Aug
2018 13:19:15 +0300 (EEST) from localhost[::1]; from=<dobril at stanga.net>
to=<dobril at stanga.net> proto=ESMTP helo=<mail.stanga.net>

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48:
message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net>

Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field added
(s=mail, d=stanga.net)

Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1]
ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6

Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Found 4 messages waiting

Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages,
3097 bytes

Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
CE4AB62C48.A8F32

Aug  6 13:19:18 mail MailScanner[31554]: Created attachment dirs for 1
messages

Aug  6 13:19:19 mail MailScanner[31554]: Completed checking by /usr/bin/file

Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning:
Starting

Aug  6 13:19:19 mail MailScanner[31554]: Commencing scanning with clamd...

Aug  6 13:19:19 mail MailScanner[31726]: Debug Mode Is On

Aug  6 13:19:19 mail MailScanner[31726]: Use Threads : YES

Aug  6 13:19:19 mail MailScanner[31726]: Socket    :
/var/run/clamav/clamd.sock

Aug  6 13:19:19 mail MailScanner[31726]: IP        : Using Sockets

Aug  6 13:19:19 mail MailScanner[31726]: Lock File : NOT USED

Aug  6 13:19:19 mail MailScanner[31726]: Time Out  : 300

Aug  6 13:19:19 mail MailScanner[31726]: Scan Dir  :
/var/spool/MailScanner/incoming/31554

Aug  6 13:19:19 mail MailScanner[31726]: Clamd : Sending PING

Aug  6 13:19:19 mail MailScanner[31726]: Clamd : GOT 'PONG'

Aug  6 13:19:19 mail MailScanner[31726]: ClamD is running

Aug  6 13:19:19 mail MailScanner[31726]: SENT : MULTISCAN
/var/spool/MailScanner/incoming/31554

Aug  6 13:19:19 mail MailScanner[31554]: Completed AV scan with clamd

Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018
bytes per second

Aug  6 13:19:19 mail root[31735]: MailScanner failed to start

Aug  6 13:19:19 mail root[31736]: Found a possible dead PID. Stopping all
MailScanner rogue processes ...

 

 

How I can find out what cause this issue.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180806/b391969d/attachment.html>

From iversons at rushville.k12.in.us  Mon Aug  6 11:03:56 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 6 Aug 2018 07:03:56 -0400
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <00c601d42d74$2effa870$8cfef950$@stanga.net>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net>
Message-ID: <CABu_8z+D994DtW5Yh6mhVj97QoWYXQK9hnbN+ZsxmpQX5y_RMA@mail.gmail.com>

Very first thing I would check is whether you have enough memory to carry
out virus scanning, and make sure that OOM is not occurring.



On Mon, Aug 6, 2018 at 6:56 AM, DobriL Dobrilov <dobril at stanga.net> wrote:

> Hello,
>
>
>
> Please help me to debug follow issue:
>
> All emails sent from my webmail to same domain cannot be processes by
> mailscanner.
>
>
>
> Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]
>
> Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48:
> client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net
>
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header
> Received: from mail.stanga.net (localhost [IPv6:::1])??by mail.stanga.net
> (Postfix) with ESMTPA id CE4AB62C48??for <dob
>
> ril at stanga.net>; Mon,  6 Aug 2018 13:19:15 +0300 (EEST) from
> localhost[::1]; from=<dobril at stanga.net> to=<dobril at stanga.net>
> proto=ESMTP helo=<mail.stanga.net>
>
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: message-id=<
> 0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net>
>
> Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field
> added (s=mail, d=stanga.net)
>
> Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1]
> ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
>
> Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages,
> 3097 bytes
>
> Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
> CE4AB62C48.A8F32
>
> Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning:
> Starting
>
> Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018
> bytes per second
>
> Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
> CE4AB62C48.A8F32
>
> Aug  6 13:23:37 mail MailScanner[32582]: Making attempt 2 at processing
> message CE4AB62C48.A8F32
>
> Aug  6 13:23:37 mail MailScanner[32582]: Saved archive copies of
> CE4AB62C48.A8F32
>
> Aug  6 13:26:15 mail MailScanner[2138]: Making attempt 3 at processing
> message CE4AB62C48.A8F32
>
> Aug  6 13:26:15 mail MailScanner[2138]: Saved archive copies of
> CE4AB62C48.A8F32
>
> Aug  6 13:30:55 mail MailScanner[1659]: Making attempt 4 at processing
> message CE4AB62C48.A8F32
>
> Aug  6 13:30:55 mail MailScanner[1659]: Saved archive copies of
> CE4AB62C48.A8F32
>
> Aug  6 13:35:44 mail MailScanner[1736]: Making attempt 5 at processing
> message CE4AB62C48.A8F32
>
> Aug  6 13:35:44 mail MailScanner[1736]: Saved archive copies of
> CE4AB62C48.A8F32
>
> Aug  6 13:39:03 mail MailScanner[2946]: Making attempt 6 at processing
> message CE4AB62C48.A8F32
>
> Aug  6 13:39:03 mail MailScanner[2946]: Saved archive copies of
> CE4AB62C48.A8F32
>
> Aug  6 13:39:05 mail MailScanner[2589]: Warning: skipping message
> CE4AB62C48.A8F32 as it has been attempted too many times
>
> Aug  6 13:39:05 mail MailScanner[2589]: Quarantined message
> CE4AB62C48.A8F32 as it caused MailScanner to crash several times
>
> Aug  6 13:39:05 mail MailScanner[2589]: Saved entire message to
> /var/spool/MailScanner/quarantine/20180806/CE4AB62C48.A8F32
>
> Aug  6 13:39:05 mail MailScanner[2589]: MailWatch: Logging message
> CE4AB62C48.A8F32 to SQL
>
>
>
>
>
> Then I started in  with debug option.
>
> Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]
>
> Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48:
> client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net
>
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header
> Received: from mail.stanga.net (localhost [IPv6:::1])??by mail.stanga.net
> (Postfix) with ESMTPA id CE4AB62C48??for <dobril at stanga.net>; Mon,  6 Aug
> 2018 13:19:15 +0300 (EEST) from localhost[::1]; from=<dobril at stanga.net>
> to=<dobril at stanga.net> proto=ESMTP helo=<mail.stanga.net>
>
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: message-id=<
> 0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net>
>
> Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field
> added (s=mail, d=stanga.net)
>
> Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1]
> ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
>
> Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Found 4 messages
> waiting
>
> Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages,
> 3097 bytes
>
> Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
> CE4AB62C48.A8F32
>
> Aug  6 13:19:18 mail MailScanner[31554]: Created attachment dirs for 1
> messages
>
> Aug  6 13:19:19 mail MailScanner[31554]: Completed checking by
> /usr/bin/file
>
> Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning:
> Starting
>
> Aug  6 13:19:19 mail MailScanner[31554]: Commencing scanning with clamd...
>
> Aug  6 13:19:19 mail MailScanner[31726]: Debug Mode Is On
>
> Aug  6 13:19:19 mail MailScanner[31726]: Use Threads : YES
>
> Aug  6 13:19:19 mail MailScanner[31726]: Socket    :
> /var/run/clamav/clamd.sock
>
> Aug  6 13:19:19 mail MailScanner[31726]: IP        : Using Sockets
>
> Aug  6 13:19:19 mail MailScanner[31726]: Lock File : NOT USED
>
> Aug  6 13:19:19 mail MailScanner[31726]: Time Out  : 300
>
> Aug  6 13:19:19 mail MailScanner[31726]: Scan Dir  :
> /var/spool/MailScanner/incoming/31554
>
> Aug  6 13:19:19 mail MailScanner[31726]: Clamd : Sending PING
>
> Aug  6 13:19:19 mail MailScanner[31726]: Clamd : GOT 'PONG'
>
> Aug  6 13:19:19 mail MailScanner[31726]: ClamD is running
>
> Aug  6 13:19:19 mail MailScanner[31726]: SENT : MULTISCAN
> /var/spool/MailScanner/incoming/31554
>
> Aug  6 13:19:19 mail MailScanner[31554]: Completed AV scan with clamd
>
> Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018
> bytes per second
>
> Aug  6 13:19:19 mail root[31735]: MailScanner failed to start
>
> Aug  6 13:19:19 mail root[31736]: Found a possible dead PID. Stopping all
> MailScanner rogue processes ...
>
>
>
>
>
> How I can find out what cause this issue.
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>


-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180806/7d5399ae/attachment.html>

From dobril at stanga.net  Mon Aug  6 11:08:12 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 14:08:12 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <CABu_8z+D994DtW5Yh6mhVj97QoWYXQK9hnbN+ZsxmpQX5y_RMA@mail.gmail.com>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net>
 <CABu_8z+D994DtW5Yh6mhVj97QoWYXQK9hnbN+ZsxmpQX5y_RMA@mail.gmail.com>
Message-ID: <00e001d42d75$c41fd0f0$4c5f72d0$@stanga.net>

The same thing after I disable Virus scan , memory is enough. Something else cause the issue , and happen only with email send by webmail

 

 

From: MailScanner [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: Monday, August 6, 2018 2:04 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: MailScanner: Message attempted to kill MailScanner

 

Very first thing I would check is whether you have enough memory to carry out virus scanning, and make sure that OOM is not occurring.

 

 

 

On Mon, Aug 6, 2018 at 6:56 AM, DobriL Dobrilov <dobril at stanga.net <mailto:dobril at stanga.net> > wrote:

Hello,

 

Please help me to debug follow issue:

All emails sent from my webmail to same domain cannot be processes by mailscanner.

 

Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]

Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48: client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net <mailto:dobril at stanga.net> 

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header Received: from mail.stanga.net <http://mail.stanga.net>  (localhost [IPv6:::1])??by mail.stanga.net <http://mail.stanga.net>  (Postfix) with ESMTPA id CE4AB62C48??for <dob

ril at stanga.net <mailto:ril at stanga.net> >; Mon,  6 Aug 2018 13:19:15 +0300 (EEST) from localhost[::1]; from=<dobril at stanga.net <mailto:dobril at stanga.net> > to=<dobril at stanga.net <mailto:dobril at stanga.net> > proto=ESMTP helo=<mail.stanga.net <http://mail.stanga.net> >

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net <mailto:0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net> >

Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field added (s=mail, d=stanga.net <http://stanga.net> )

Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6

Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages, 3097 bytes

Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning: Starting

Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018 bytes per second

Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:23:37 mail MailScanner[32582]: Making attempt 2 at processing message CE4AB62C48.A8F32

Aug  6 13:23:37 mail MailScanner[32582]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:26:15 mail MailScanner[2138]: Making attempt 3 at processing message CE4AB62C48.A8F32

Aug  6 13:26:15 mail MailScanner[2138]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:30:55 mail MailScanner[1659]: Making attempt 4 at processing message CE4AB62C48.A8F32

Aug  6 13:30:55 mail MailScanner[1659]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:35:44 mail MailScanner[1736]: Making attempt 5 at processing message CE4AB62C48.A8F32

Aug  6 13:35:44 mail MailScanner[1736]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:39:03 mail MailScanner[2946]: Making attempt 6 at processing message CE4AB62C48.A8F32

Aug  6 13:39:03 mail MailScanner[2946]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:39:05 mail MailScanner[2589]: Warning: skipping message CE4AB62C48.A8F32 as it has been attempted too many times

Aug  6 13:39:05 mail MailScanner[2589]: Quarantined message CE4AB62C48.A8F32 as it caused MailScanner to crash several times

Aug  6 13:39:05 mail MailScanner[2589]: Saved entire message to /var/spool/MailScanner/quarantine/20180806/CE4AB62C48.A8F32

Aug  6 13:39:05 mail MailScanner[2589]: MailWatch: Logging message CE4AB62C48.A8F32 to SQL

 

 

Then I started in  with debug option.

Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]

Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48: client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net <mailto:dobril at stanga.net> 

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header Received: from mail.stanga.net <http://mail.stanga.net>  (localhost [IPv6:::1])??by mail.stanga.net <http://mail.stanga.net>  (Postfix) with ESMTPA id CE4AB62C48??for <dobril at stanga.net <mailto:dobril at stanga.net> >; Mon,  6 Aug 2018 13:19:15 +0300 (EEST) from localhost[::1]; from=<dobril at stanga.net <mailto:dobril at stanga.net> > to=<dobril at stanga.net <mailto:dobril at stanga.net> > proto=ESMTP helo=<mail.stanga.net <http://mail.stanga.net> >

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net <mailto:0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net> >

Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field added (s=mail, d=stanga.net <http://stanga.net> )

Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6

Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Found 4 messages waiting

Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages, 3097 bytes

Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:19:18 mail MailScanner[31554]: Created attachment dirs for 1 messages

Aug  6 13:19:19 mail MailScanner[31554]: Completed checking by /usr/bin/file

Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning: Starting

Aug  6 13:19:19 mail MailScanner[31554]: Commencing scanning with clamd...

Aug  6 13:19:19 mail MailScanner[31726]: Debug Mode Is On

Aug  6 13:19:19 mail MailScanner[31726]: Use Threads : YES

Aug  6 13:19:19 mail MailScanner[31726]: Socket    : /var/run/clamav/clamd.sock

Aug  6 13:19:19 mail MailScanner[31726]: IP        : Using Sockets

Aug  6 13:19:19 mail MailScanner[31726]: Lock File : NOT USED

Aug  6 13:19:19 mail MailScanner[31726]: Time Out  : 300

Aug  6 13:19:19 mail MailScanner[31726]: Scan Dir  : /var/spool/MailScanner/incoming/31554

Aug  6 13:19:19 mail MailScanner[31726]: Clamd : Sending PING

Aug  6 13:19:19 mail MailScanner[31726]: Clamd : GOT 'PONG'

Aug  6 13:19:19 mail MailScanner[31726]: ClamD is running

Aug  6 13:19:19 mail MailScanner[31726]: SENT : MULTISCAN /var/spool/MailScanner/incoming/31554

Aug  6 13:19:19 mail MailScanner[31554]: Completed AV scan with clamd

Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018 bytes per second

Aug  6 13:19:19 mail root[31735]: MailScanner failed to start

Aug  6 13:19:19 mail root[31736]: Found a possible dead PID. Stopping all MailScanner rogue processes ...

 

 

How I can find out what cause this issue.




-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
http://lists.mailscanner.info/mailman/listinfo/mailscanner







 

-- 

Shawn Iverson, CETL

Director of Technology

Rush County Schools

765-932-3901 x1171

iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us> 

 

  <https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_cy1OZFNIZ0drYVU&revid=0Bw5iD0ToYvs_UitIcHVIWkJVVTl2VGpxVUE0d0FQcHBIRXk4PQ>   <https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_Zkh4eEs3R01yWXc&revid=0Bw5iD0ToYvs_QWpBK2Y2ajJtYjhOMDRFekZwK2xOamk5Q3Y0PQ> 

  <https://docs.google.com/uc?export=download&id=1aBrlQou4gjB04FY-twHN_0Dn3GHVNxqa&revid=0Bw5iD0ToYvs_RnQ0eDhHcm95WHBFdkNRbXhQRXpoYkR6SEEwPQ> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180806/6d349b3c/attachment.html>

From dobril at stanga.net  Mon Aug  6 11:55:36 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 14:55:36 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <00e001d42d75$c41fd0f0$4c5f72d0$@stanga.net>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net>
 <CABu_8z+D994DtW5Yh6mhVj97QoWYXQK9hnbN+ZsxmpQX5y_RMA@mail.gmail.com>
 <00e001d42d75$c41fd0f0$4c5f72d0$@stanga.net>
Message-ID: <00ee01d42d7c$636b7b90$2a4272b0$@stanga.net>

Some other ideas, because unfortunately this Live system and It?s very critical ? L

 

 



Dobril Dobrilov


IT Manager


 <mailto:dobril at stanga.net> dobril at stanga.net






43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387

 




We shape Digital  <http://www.stanga.net> www.stanga.net




We re-invent Video  <http://www.bsbvision.com> www.bsbvision.com




We build Apps  <http://www.shanga.co> www.shanga.co




We support Start-Ups  <http://www.mysbar.net> www.mysbar.net

 

 

From: MailScanner [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On Behalf Of DobriL Dobrilov
Sent: Monday, August 6, 2018 2:08 PM
To: 'MailScanner Discussion' <mailscanner at lists.mailscanner.info>
Subject: RE: MailScanner: Message attempted to kill MailScanner

 

The same thing after I disable Virus scan , memory is enough. Something else cause the issue , and happen only with email send by webmail

 

 

From: MailScanner [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: Monday, August 6, 2018 2:04 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> >
Subject: Re: MailScanner: Message attempted to kill MailScanner

 

Very first thing I would check is whether you have enough memory to carry out virus scanning, and make sure that OOM is not occurring.

 

 

 

On Mon, Aug 6, 2018 at 6:56 AM, DobriL Dobrilov <dobril at stanga.net <mailto:dobril at stanga.net> > wrote:

Hello,

 

Please help me to debug follow issue:

All emails sent from my webmail to same domain cannot be processes by mailscanner.

 

Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]

Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48: client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net <mailto:dobril at stanga.net> 

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header Received: from mail.stanga.net <http://mail.stanga.net>  (localhost [IPv6:::1])??by mail.stanga.net <http://mail.stanga.net>  (Postfix) with ESMTPA id CE4AB62C48??for <dob

ril at stanga.net <mailto:ril at stanga.net> >; Mon,  6 Aug 2018 13:19:15 +0300 (EEST) from localhost[::1]; from=<dobril at stanga.net <mailto:dobril at stanga.net> > to=<dobril at stanga.net <mailto:dobril at stanga.net> > proto=ESMTP helo=<mail.stanga.net <http://mail.stanga.net> >

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net <mailto:0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net> >

Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field added (s=mail, d=stanga.net <http://stanga.net> )

Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6

Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages, 3097 bytes

Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning: Starting

Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018 bytes per second

Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:23:37 mail MailScanner[32582]: Making attempt 2 at processing message CE4AB62C48.A8F32

Aug  6 13:23:37 mail MailScanner[32582]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:26:15 mail MailScanner[2138]: Making attempt 3 at processing message CE4AB62C48.A8F32

Aug  6 13:26:15 mail MailScanner[2138]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:30:55 mail MailScanner[1659]: Making attempt 4 at processing message CE4AB62C48.A8F32

Aug  6 13:30:55 mail MailScanner[1659]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:35:44 mail MailScanner[1736]: Making attempt 5 at processing message CE4AB62C48.A8F32

Aug  6 13:35:44 mail MailScanner[1736]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:39:03 mail MailScanner[2946]: Making attempt 6 at processing message CE4AB62C48.A8F32

Aug  6 13:39:03 mail MailScanner[2946]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:39:05 mail MailScanner[2589]: Warning: skipping message CE4AB62C48.A8F32 as it has been attempted too many times

Aug  6 13:39:05 mail MailScanner[2589]: Quarantined message CE4AB62C48.A8F32 as it caused MailScanner to crash several times

Aug  6 13:39:05 mail MailScanner[2589]: Saved entire message to /var/spool/MailScanner/quarantine/20180806/CE4AB62C48.A8F32

Aug  6 13:39:05 mail MailScanner[2589]: MailWatch: Logging message CE4AB62C48.A8F32 to SQL

 

 

Then I started in  with debug option.

Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]

Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48: client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net <mailto:dobril at stanga.net> 

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header Received: from mail.stanga.net <http://mail.stanga.net>  (localhost [IPv6:::1])??by mail.stanga.net <http://mail.stanga.net>  (Postfix) with ESMTPA id CE4AB62C48??for <dobril at stanga.net <mailto:dobril at stanga.net> >; Mon,  6 Aug 2018 13:19:15 +0300 (EEST) from localhost[::1]; from=<dobril at stanga.net <mailto:dobril at stanga.net> > to=<dobril at stanga.net <mailto:dobril at stanga.net> > proto=ESMTP helo=<mail.stanga.net <http://mail.stanga.net> >

Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net <mailto:0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net> >

Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field added (s=mail, d=stanga.net <http://stanga.net> )

Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6

Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Found 4 messages waiting

Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages, 3097 bytes

Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of CE4AB62C48.A8F32

Aug  6 13:19:18 mail MailScanner[31554]: Created attachment dirs for 1 messages

Aug  6 13:19:19 mail MailScanner[31554]: Completed checking by /usr/bin/file

Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning: Starting

Aug  6 13:19:19 mail MailScanner[31554]: Commencing scanning with clamd...

Aug  6 13:19:19 mail MailScanner[31726]: Debug Mode Is On

Aug  6 13:19:19 mail MailScanner[31726]: Use Threads : YES

Aug  6 13:19:19 mail MailScanner[31726]: Socket    : /var/run/clamav/clamd.sock

Aug  6 13:19:19 mail MailScanner[31726]: IP        : Using Sockets

Aug  6 13:19:19 mail MailScanner[31726]: Lock File : NOT USED

Aug  6 13:19:19 mail MailScanner[31726]: Time Out  : 300

Aug  6 13:19:19 mail MailScanner[31726]: Scan Dir  : /var/spool/MailScanner/incoming/31554

Aug  6 13:19:19 mail MailScanner[31726]: Clamd : Sending PING

Aug  6 13:19:19 mail MailScanner[31726]: Clamd : GOT 'PONG'

Aug  6 13:19:19 mail MailScanner[31726]: ClamD is running

Aug  6 13:19:19 mail MailScanner[31726]: SENT : MULTISCAN /var/spool/MailScanner/incoming/31554

Aug  6 13:19:19 mail MailScanner[31554]: Completed AV scan with clamd

Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018 bytes per second

Aug  6 13:19:19 mail root[31735]: MailScanner failed to start

Aug  6 13:19:19 mail root[31736]: Found a possible dead PID. Stopping all MailScanner rogue processes ...

 

 

How I can find out what cause this issue.




-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
http://lists.mailscanner.info/mailman/listinfo/mailscanner





 

-- 

Shawn Iverson, CETL

Director of Technology

Rush County Schools

765-932-3901 x1171

iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us> 

 

  <https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_cy1OZFNIZ0drYVU&revid=0Bw5iD0ToYvs_UitIcHVIWkJVVTl2VGpxVUE0d0FQcHBIRXk4PQ>   <https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_Zkh4eEs3R01yWXc&revid=0Bw5iD0ToYvs_QWpBK2Y2ajJtYjhOMDRFekZwK2xOamk5Q3Y0PQ> 

  <https://docs.google.com/uc?export=download&id=1aBrlQou4gjB04FY-twHN_0Dn3GHVNxqa&revid=0Bw5iD0ToYvs_RnQ0eDhHcm95WHBFdkNRbXhQRXpoYkR6SEEwPQ> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180806/11e3a09d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3762 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180806/11e3a09d/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 1151 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180806/11e3a09d/attachment-0004.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 853 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180806/11e3a09d/attachment-0005.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.jpg
Type: image/jpeg
Size: 1286 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180806/11e3a09d/attachment-0006.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.jpg
Type: image/jpeg
Size: 930 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180806/11e3a09d/attachment-0007.jpg>

From Antony.Stone at mailscanner.open.source.it  Mon Aug  6 12:00:35 2018
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Mon, 6 Aug 2018 14:00:35 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <00ee01d42d7c$636b7b90$2a4272b0$@stanga.net>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net>
 <00e001d42d75$c41fd0f0$4c5f72d0$@stanga.net>
 <00ee01d42d7c$636b7b90$2a4272b0$@stanga.net>
Message-ID: <201808061400.35462.Antony.Stone@mailscanner.open.source.it>

On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:

> Some other ideas, because unfortunately this Live system and It?s very
> critical ?

When did the problem start happening?

What changed on the MS server around that time?

Can you show us full headers of an example email from webmail (which MS can't 
process) and another one to and from the same addresses, but not from webmail 
(which MS processes okay)?

Antony

> From: MailScanner
> Sent: Monday, August 6, 2018 2:08 PM
> To: 'MailScanner Discussion' <mailscanner at lists.mailscanner.info>
> Subject: RE: MailScanner: Message attempted to kill MailScanner
> 
> The same thing after I disable Virus scan , memory is enough. Something
> else cause the issue , and happen only with email send by webmail
> 
> 
> From: MailScanner
> Sent: Monday, August 6, 2018 2:04 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: MailScanner:
> Message attempted to kill MailScanner
> 
> Very first thing I would check is whether you have enough memory to carry
> out virus scanning, and make sure that OOM is not occurring.
> 
> On Mon, Aug 6, 2018 at 6:56 AM, DobriL Dobrilov wrote:
> 
> Hello,
> 
> 
> Please help me to debug follow issue:
> 
> All emails sent from my webmail to same domain cannot be processes by
> mailscanner.
> 
> 
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48:
> client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net
> <mailto:dobril at stanga.net>
> 
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header
> Received: from mail.stanga.net <http://mail.stanga.net>  (localhost
> [IPv6:::1])??by mail.stanga.net <http://mail.stanga.net>  (Postfix) with
> ESMTPA id CE4AB62C48??for <dob
> 
> ril at stanga.net <mailto:ril at stanga.net> >; Mon,  6 Aug 2018 13:19:15 +0300
> (EEST) from localhost[::1]; from=<dobril at stanga.net
> <mailto:dobril at stanga.net> > to=<dobril at stanga.net
> <mailto:dobril at stanga.net> > proto=ESMTP helo=<mail.stanga.net
> <http://mail.stanga.net> >
> 
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48:
> message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net
> <mailto:0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net> >
> 
> Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field added
> (s=mail, d=stanga.net <http://stanga.net> )
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1]
> ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
> 
> Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages,
> 3097 bytes
> 
> Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning:
> Starting
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018
> bytes per second
> 
> Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:23:37 mail MailScanner[32582]: Making attempt 2 at processing
> message CE4AB62C48.A8F32
> 
> Aug  6 13:23:37 mail MailScanner[32582]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:26:15 mail MailScanner[2138]: Making attempt 3 at processing
> message CE4AB62C48.A8F32
> 
> Aug  6 13:26:15 mail MailScanner[2138]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:30:55 mail MailScanner[1659]: Making attempt 4 at processing
> message CE4AB62C48.A8F32
> 
> Aug  6 13:30:55 mail MailScanner[1659]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:35:44 mail MailScanner[1736]: Making attempt 5 at processing
> message CE4AB62C48.A8F32
> 
> Aug  6 13:35:44 mail MailScanner[1736]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:39:03 mail MailScanner[2946]: Making attempt 6 at processing
> message CE4AB62C48.A8F32
> 
> Aug  6 13:39:03 mail MailScanner[2946]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:39:05 mail MailScanner[2589]: Warning: skipping message
> CE4AB62C48.A8F32 as it has been attempted too many times
> 
> Aug  6 13:39:05 mail MailScanner[2589]: Quarantined message
> CE4AB62C48.A8F32 as it caused MailScanner to crash several times
> 
> Aug  6 13:39:05 mail MailScanner[2589]: Saved entire message to
> /var/spool/MailScanner/quarantine/20180806/CE4AB62C48.A8F32
> 
> Aug  6 13:39:05 mail MailScanner[2589]: MailWatch: Logging message
> CE4AB62C48.A8F32 to SQL
> 
> 
> 
> 
> 
> Then I started in  with debug option.
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48:
> client=localhost[::1], sasl_method=LOGIN, sasl_username=dobril at stanga.net
> <mailto:dobril at stanga.net>
> 
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header
> Received: from mail.stanga.net <http://mail.stanga.net>  (localhost
> [IPv6:::1])??by mail.stanga.net <http://mail.stanga.net>  (Postfix) with
> ESMTPA id CE4AB62C48??for <dobril at stanga.net <mailto:dobril at stanga.net> >;
> Mon,  6 Aug 2018 13:19:15 +0300 (EEST) from localhost[::1];
> from=<dobril at stanga.net <mailto:dobril at stanga.net> > to=<dobril at stanga.net
> <mailto:dobril at stanga.net> > proto=ESMTP helo=<mail.stanga.net
> <http://mail.stanga.net> >
> 
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48:
> message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net
> <mailto:0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net> >
> 
> Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field added
> (s=mail, d=stanga.net <http://stanga.net> )
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from localhost[::1]
> ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
> 
> Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Found 4 messages
> waiting
> 
> Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 messages,
> 3097 bytes
> 
> Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:19:18 mail MailScanner[31554]: Created attachment dirs for 1
> messages
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Completed checking by
> /usr/bin/file
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning:
> Starting
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Commencing scanning with clamd...
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Debug Mode Is On
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Use Threads : YES
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Socket    :
> /var/run/clamav/clamd.sock
> 
> Aug  6 13:19:19 mail MailScanner[31726]: IP        : Using Sockets
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Lock File : NOT USED
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Time Out  : 300
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Scan Dir  :
> /var/spool/MailScanner/incoming/31554
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Clamd : Sending PING
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Clamd : GOT 'PONG'
> 
> Aug  6 13:19:19 mail MailScanner[31726]: ClamD is running
> 
> Aug  6 13:19:19 mail MailScanner[31726]: SENT : MULTISCAN
> /var/spool/MailScanner/incoming/31554
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Completed AV scan with clamd
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 24018
> bytes per second
> 
> Aug  6 13:19:19 mail root[31735]: MailScanner failed to start
> 
> Aug  6 13:19:19 mail root[31736]: Found a possible dead PID. Stopping all
> MailScanner rogue processes ...
> 
> 
> 
> 
> 
> How I can find out what cause this issue.

-- 
When you find yourself arguing with an idiot,
you should first of all make sure that the other person isn't doing the same 
thing.

                                                   Please reply to the list;
                                                         please *don't* CC me.

From dobril at stanga.net  Mon Aug  6 12:13:03 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 15:13:03 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <201808061400.35462.Antony.Stone@mailscanner.open.source.it>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net>
 <00e001d42d75$c41fd0f0$4c5f72d0$@stanga.net>
 <00ee01d42d7c$636b7b90$2a4272b0$@stanga.net>
 <201808061400.35462.Antony.Stone@mailscanner.open.source.it>
Message-ID: <00ff01d42d7e$d3476df0$79d649d0$@stanga.net>

Until now the Mail Server was with old postfix and MailScanner 4.79. I migrated to new server with MailScanner 5.0.7. MS config is same as before.
>From webmail I can send messages out of my domain without problems.

Msg from webmail
Received: from mail.stanga.net (localhost [IPv6:::1])
     by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
     for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; s=mail;
     t=1533555217; bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
     h=Date:From:To:Subject;
     b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwYF
      YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
      EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
Date: Mon, 06 Aug 2018 14:33:37 +0300
From: Dobril Dobrilov <dobril at stanga.net>
To: dobril at stanga.net
Subject: Test2
Organization: StangaOne1
Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
X-Sender: dobril at stanga.net
User-Agent: Roundcube Webmail/1.3.7

Msg from Mail Client
Received: from DL (unknown [192.168.0.222])
     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
     (No client certificate requested)
     by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
     for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; s=mail;
     t=1533557488; bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
     h=From:To:Subject:Date;
     b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJpN
      FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
      rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
From: "DobriL Dobrilov" <dobril at stanga.net>
To: "'DobriL Dobrilov'" <dobril at stanga.net>
Subject: Test
Date: Mon, 6 Aug 2018 15:11:34 +0300
Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
     boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
Content-Language: bg
X-MS-TNEF-Correlator: 000000005234E38E73D4914094E5D7D34B79F6A564F78F00


Dobril Dobrilov
IT Manager
dobril at stanga.net


43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387


We shape Digital www.stanga.net

We re-invent Video www.bsbvision.com

We build Apps www.shanga.co

We support Start-Ups www.mysbar.net




-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On Behalf Of Antony Stone
Sent: Monday, August 6, 2018 3:01 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: MailScanner: Message attempted to kill MailScanner

On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:

> Some other ideas, because unfortunately this Live system and It?s very 
> critical ?

When did the problem start happening?

What changed on the MS server around that time?

Can you show us full headers of an example email from webmail (which MS can't
process) and another one to and from the same addresses, but not from webmail (which MS processes okay)?

Antony

> From: MailScanner
> Sent: Monday, August 6, 2018 2:08 PM
> To: 'MailScanner Discussion' <mailscanner at lists.mailscanner.info>
> Subject: RE: MailScanner: Message attempted to kill MailScanner
> 
> The same thing after I disable Virus scan , memory is enough. 
> Something else cause the issue , and happen only with email send by 
> webmail
> 
> 
> From: MailScanner
> Sent: Monday, August 6, 2018 2:04 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: MailScanner:
> Message attempted to kill MailScanner
> 
> Very first thing I would check is whether you have enough memory to 
> carry out virus scanning, and make sure that OOM is not occurring.
> 
> On Mon, Aug 6, 2018 at 6:56 AM, DobriL Dobrilov wrote:
> 
> Hello,
> 
> 
> Please help me to debug follow issue:
> 
> All emails sent from my webmail to same domain cannot be processes by 
> mailscanner.
> 
> 
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48:
> client=localhost[::1], sasl_method=LOGIN, 
> sasl_username=dobril at stanga.net <mailto:dobril at stanga.net>
> 
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header
> Received: from mail.stanga.net <http://mail.stanga.net>  (localhost 
> [IPv6:::1])??by mail.stanga.net <http://mail.stanga.net>  (Postfix) 
> with ESMTPA id CE4AB62C48??for <dob
> 
> ril at stanga.net <mailto:ril at stanga.net> >; Mon,  6 Aug 2018 13:19:15 
> +0300
> (EEST) from localhost[::1]; from=<dobril at stanga.net 
> <mailto:dobril at stanga.net> > to=<dobril at stanga.net 
> <mailto:dobril at stanga.net> > proto=ESMTP helo=<mail.stanga.net 
> <http://mail.stanga.net> >
> 
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48:
> message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net
> <mailto:0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net> >
> 
> Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field 
> added (s=mail, d=stanga.net <http://stanga.net> )
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from 
> localhost[::1]
> ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
> 
> Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 
> messages,
> 3097 bytes
> 
> Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning:
> Starting
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 
> 24018 bytes per second
> 
> Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:23:37 mail MailScanner[32582]: Making attempt 2 at 
> processing message CE4AB62C48.A8F32
> 
> Aug  6 13:23:37 mail MailScanner[32582]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:26:15 mail MailScanner[2138]: Making attempt 3 at processing 
> message CE4AB62C48.A8F32
> 
> Aug  6 13:26:15 mail MailScanner[2138]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:30:55 mail MailScanner[1659]: Making attempt 4 at processing 
> message CE4AB62C48.A8F32
> 
> Aug  6 13:30:55 mail MailScanner[1659]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:35:44 mail MailScanner[1736]: Making attempt 5 at processing 
> message CE4AB62C48.A8F32
> 
> Aug  6 13:35:44 mail MailScanner[1736]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:39:03 mail MailScanner[2946]: Making attempt 6 at processing 
> message CE4AB62C48.A8F32
> 
> Aug  6 13:39:03 mail MailScanner[2946]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:39:05 mail MailScanner[2589]: Warning: skipping message
> CE4AB62C48.A8F32 as it has been attempted too many times
> 
> Aug  6 13:39:05 mail MailScanner[2589]: Quarantined message
> CE4AB62C48.A8F32 as it caused MailScanner to crash several times
> 
> Aug  6 13:39:05 mail MailScanner[2589]: Saved entire message to
> /var/spool/MailScanner/quarantine/20180806/CE4AB62C48.A8F32
> 
> Aug  6 13:39:05 mail MailScanner[2589]: MailWatch: Logging message
> CE4AB62C48.A8F32 to SQL
> 
> 
> 
> 
> 
> Then I started in  with debug option.
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: connect from localhost[::1]
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: CE4AB62C48:
> client=localhost[::1], sasl_method=LOGIN, 
> sasl_username=dobril at stanga.net <mailto:dobril at stanga.net>
> 
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48: hold: header
> Received: from mail.stanga.net <http://mail.stanga.net>  (localhost 
> [IPv6:::1])??by mail.stanga.net <http://mail.stanga.net>  (Postfix) 
> with ESMTPA id CE4AB62C48??for <dobril at stanga.net 
> <mailto:dobril at stanga.net> >; Mon,  6 Aug 2018 13:19:15 +0300 (EEST) 
> from localhost[::1]; from=<dobril at stanga.net 
> <mailto:dobril at stanga.net> > to=<dobril at stanga.net 
> <mailto:dobril at stanga.net> > proto=ESMTP helo=<mail.stanga.net 
> <http://mail.stanga.net> >
> 
> Aug  6 13:19:15 mail postfix/cleanup[31703]: CE4AB62C48:
> message-id=<0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net
> <mailto:0a5acc9eeddaa3cd9256ba112f5270d5 at stanga.net> >
> 
> Aug  6 13:19:15 mail opendkim[3326]: CE4AB62C48: DKIM-Signature field 
> added (s=mail, d=stanga.net <http://stanga.net> )
> 
> Aug  6 13:19:15 mail postfix/smtpd[31702]: disconnect from 
> localhost[::1]
> ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
> 
> Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Found 4 messages 
> waiting
> 
> Aug  6 13:19:18 mail MailScanner[31554]: New Batch: Scanning 1 
> messages,
> 3097 bytes
> 
> Aug  6 13:19:18 mail MailScanner[31554]: Saved archive copies of
> CE4AB62C48.A8F32
> 
> Aug  6 13:19:18 mail MailScanner[31554]: Created attachment dirs for 1 
> messages
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Completed checking by 
> /usr/bin/file
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Virus and Content Scanning:
> Starting
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Commencing scanning with clamd...
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Debug Mode Is On
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Use Threads : YES
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Socket    :
> /var/run/clamav/clamd.sock
> 
> Aug  6 13:19:19 mail MailScanner[31726]: IP        : Using Sockets
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Lock File : NOT USED
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Time Out  : 300
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Scan Dir  :
> /var/spool/MailScanner/incoming/31554
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Clamd : Sending PING
> 
> Aug  6 13:19:19 mail MailScanner[31726]: Clamd : GOT 'PONG'
> 
> Aug  6 13:19:19 mail MailScanner[31726]: ClamD is running
> 
> Aug  6 13:19:19 mail MailScanner[31726]: SENT : MULTISCAN
> /var/spool/MailScanner/incoming/31554
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Completed AV scan with clamd
> 
> Aug  6 13:19:19 mail MailScanner[31554]: Virus Scanning completed at 
> 24018 bytes per second
> 
> Aug  6 13:19:19 mail root[31735]: MailScanner failed to start
> 
> Aug  6 13:19:19 mail root[31736]: Found a possible dead PID. Stopping 
> all MailScanner rogue processes ...
> 
> 
> 
> 
> 
> How I can find out what cause this issue.

--
When you find yourself arguing with an idiot, you should first of all make sure that the other person isn't doing the same thing.

                                                   Please reply to the list;
                                                         please *don't* CC me.


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner



From Antony.Stone at mailscanner.open.source.it  Mon Aug  6 12:22:58 2018
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Mon, 6 Aug 2018 14:22:58 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <00ff01d42d7e$d3476df0$79d649d0$@stanga.net>
References: <00c601d42d74$2effa870$8cfef950$@stanga.net>
 <201808061400.35462.Antony.Stone@mailscanner.open.source.it>
 <00ff01d42d7e$d3476df0$79d649d0$@stanga.net>
Message-ID: <201808061422.58793.Antony.Stone@mailscanner.open.source.it>

On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:

> Until now the Mail Server was with old postfix and MailScanner 4.79. I
> migrated to new server with MailScanner 5.0.7. MS config is same as
> before.

Maybe someone with more knowledge than of any configuration differences ebtween 
those version can comment on just keeping the same configuration file...

> From webmail I can send messages out of my domain without problems.

So, what *does* cause the problem?

Your original email said "All emails sent from my webmail to same domain 
cannot be processes by mailscanner."

> Msg from webmail
> Received: from mail.stanga.net (localhost [IPv6:::1])
>      by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
>      for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37 +0300 (EEST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; s=mail;
>      t=1533555217; bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
>      h=Date:From:To:Subject;
>      b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwYF
>       YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
>       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> Date: Mon, 06 Aug 2018 14:33:37 +0300
> From: Dobril Dobrilov <dobril at stanga.net>
> To: dobril at stanga.net
> Subject: Test2
> Organization: StangaOne1
> Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
> X-Sender: dobril at stanga.net
> User-Agent: Roundcube Webmail/1.3.7
> 
> Msg from Mail Client
> Received: from DL (unknown [192.168.0.222])
>      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>      (No client certificate requested)
>      by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
>      for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28 +0300 (EEST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; s=mail;
>      t=1533557488; bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
>      h=From:To:Subject:Date;
>      b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJpN
>       FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
>       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> From: "DobriL Dobrilov" <dobril at stanga.net>
> To: "'DobriL Dobrilov'" <dobril at stanga.net>
> Subject: Test
> Date: Mon, 6 Aug 2018 15:11:34 +0300
> Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> X-Mailer: Microsoft Outlook 16.0
> Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> Content-Language: bg
> X-MS-TNEF-Correlator: 000000005234E38E73D4914094E5D7D34B79F6A564F78F00

Is one of the above emails an example which causes the problem and the other 
an example which does not cause the problem (if so, which one is which)?

Or are both the above emails examples which do not cause the problem (in which 
case please send us the headers from one which does cause the problem)?


Regards,


Antony.

> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On
> Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: MailScanner: Message attempted to kill MailScanner
> 
> On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > Some other ideas, because unfortunately this Live system and It?s very
> > critical ?
> 
> When did the problem start happening?
> 
> What changed on the MS server around that time?
> 
> Can you show us full headers of an example email from webmail (which MS
> can't process) and another one to and from the same addresses, but not
> from webmail (which MS processes okay)?
> 
> Antony

-- 
Neurotics build castles in the sky;
Psychotics live in them;
Psychiatrists collect the rent.


                                                   Please reply to the list;
                                                         please *don't* CC me.

From belle at bazuin.nl  Mon Aug  6 12:45:06 2018
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Mon, 6 Aug 2018 14:45:06 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <201808061422.58793.Antony.Stone@mailscanner.open.source.it>
References: <00ff01d42d7e$d3476df0$79d649d0$@stanga.net>
Message-ID: <vmime.5b6842d2.3a82.133d67be2465eaf2@ms249-lin-003.rotterdam.bazuin.nl>

Are you using Yara rules or other clamav unoffical databases.
Remove these, restart clamav and try again. 

You might have a bad clamav database file. 

Greetz, 

Louis

 

> -----Oorspronkelijk bericht-----
> Van: MailScanner 
> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> info] Namens Antony Stone
> Verzonden: maandag 6 augustus 2018 14:23
> Aan: MailScanner Discussion
> Onderwerp: Re: MailScanner: Message attempted to kill MailScanner
> 
> On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> 
> > Until now the Mail Server was with old postfix and 
> MailScanner 4.79. I
> > migrated to new server with MailScanner 5.0.7. MS config is same as
> > before.
> 
> Maybe someone with more knowledge than of any configuration 
> differences ebtween 
> those version can comment on just keeping the same 
> configuration file...
> 
> > From webmail I can send messages out of my domain without problems.
> 
> So, what *does* cause the problem?
> 
> Your original email said "All emails sent from my webmail to 
> same domain 
> cannot be processes by mailscanner."
> 
> > Msg from webmail
> > Received: from mail.stanga.net (localhost [IPv6:::1])
> >      by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
> >      for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37 +0300 (EEST)
> > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; 
> d=stanga.net; s=mail;
> >      t=1533555217; bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
> >      h=Date:From:To:Subject;
> >      
> b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwYF
> >       
> YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
> >       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative;
> > boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> > Date: Mon, 06 Aug 2018 14:33:37 +0300
> > From: Dobril Dobrilov <dobril at stanga.net>
> > To: dobril at stanga.net
> > Subject: Test2
> > Organization: StangaOne1
> > Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
> > X-Sender: dobril at stanga.net
> > User-Agent: Roundcube Webmail/1.3.7
> > 
> > Msg from Mail Client
> > Received: from DL (unknown [192.168.0.222])
> >      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
> (256/256 bits))
> >      (No client certificate requested)
> >      by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
> >      for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28 +0300 (EEST)
> > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; 
> d=stanga.net; s=mail;
> >      t=1533557488; bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
> >      h=From:To:Subject:Date;
> >      
> b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJpN
> >       
> FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
> >       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> > From: "DobriL Dobrilov" <dobril at stanga.net>
> > To: "'DobriL Dobrilov'" <dobril at stanga.net>
> > Subject: Test
> > Date: Mon, 6 Aug 2018 15:11:34 +0300
> > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> >      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> > X-Mailer: Microsoft Outlook 16.0
> > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> > Content-Language: bg
> > X-MS-TNEF-Correlator: 
> 000000005234E38E73D4914094E5D7D34B79F6A564F78F00
> 
> Is one of the above emails an example which causes the 
> problem and the other 
> an example which does not cause the problem (if so, which one 
> is which)?
> 
> Or are both the above emails examples which do not cause the 
> problem (in which 
> case please send us the headers from one which does cause the 
> problem)?
> 
> 
> Regards,
> 
> 
> Antony.
> 
> > -----Original Message-----
> > From: MailScanner
> > 
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> r.info] On
> > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > Subject: Re: MailScanner: Message attempted to kill MailScanner
> > 
> > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > > Some other ideas, because unfortunately this Live system 
> and It?s very
> > > critical ?
> > 
> > When did the problem start happening?
> > 
> > What changed on the MS server around that time?
> > 
> > Can you show us full headers of an example email from 
> webmail (which MS
> > can't process) and another one to and from the same 
> addresses, but not
> > from webmail (which MS processes okay)?
> > 
> > Antony
> 
> -- 
> Neurotics build castles in the sky;
> Psychotics live in them;
> Psychiatrists collect the rent.
> 
> 
>                                                    Please 
> reply to the list;
>                                                          
> please *don't* CC me.
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 


From dobril at stanga.net  Mon Aug  6 12:53:03 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 15:53:03 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <vmime.5b6842d2.3a82.133d67be2465eaf2@ms249-lin-003.rotterdam.bazuin.nl>
References: <00ff01d42d7e$d3476df0$79d649d0$@stanga.net>
 <vmime.5b6842d2.3a82.133d67be2465eaf2@ms249-lin-003.rotterdam.bazuin.nl>
Message-ID: <000201d42d84$69dd22a0$3d9767e0$@stanga.net>

AV scan is off , something else cause the issue.


Dobril Dobrilov
IT Manager
dobril at stanga.net


43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387


We shape Digital?www.stanga.net

We re-invent Video?www.bsbvision.com

We build Apps?www.shanga.co

We support Start-Ups?www.mysbar.net



-----Original Message-----
From: MailScanner
[mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On
Behalf Of L.P.H. van Belle via MailScanner
Sent: Monday, August 6, 2018 3:45 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: L.P.H. van Belle <belle at bazuin.nl>
Subject: RE: MailScanner: Message attempted to kill MailScanner

Are you using Yara rules or other clamav unoffical databases.
Remove these, restart clamav and try again. 

You might have a bad clamav database file. 

Greetz, 

Louis

 

> -----Oorspronkelijk bericht-----
> Van: MailScanner
> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> info] Namens Antony Stone
> Verzonden: maandag 6 augustus 2018 14:23
> Aan: MailScanner Discussion
> Onderwerp: Re: MailScanner: Message attempted to kill MailScanner
> 
> On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> 
> > Until now the Mail Server was with old postfix and
> MailScanner 4.79. I
> > migrated to new server with MailScanner 5.0.7. MS config is same as 
> > before.
> 
> Maybe someone with more knowledge than of any configuration 
> differences ebtween those version can comment on just keeping the same 
> configuration file...
> 
> > From webmail I can send messages out of my domain without problems.
> 
> So, what *does* cause the problem?
> 
> Your original email said "All emails sent from my webmail to same 
> domain cannot be processes by mailscanner."
> 
> > Msg from webmail
> > Received: from mail.stanga.net (localhost [IPv6:::1])
> >      by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
> >      for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37 +0300 (EEST)
> > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> d=stanga.net; s=mail;
> >      t=1533555217; bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
> >      h=Date:From:To:Subject;
> >      
> b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwYF
> >       
> YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
> >       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> > MIME-Version: 1.0
> > Content-Type: multipart/alternative; 
> > boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> > Date: Mon, 06 Aug 2018 14:33:37 +0300
> > From: Dobril Dobrilov <dobril at stanga.net>
> > To: dobril at stanga.net
> > Subject: Test2
> > Organization: StangaOne1
> > Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
> > X-Sender: dobril at stanga.net
> > User-Agent: Roundcube Webmail/1.3.7
> > 
> > Msg from Mail Client
> > Received: from DL (unknown [192.168.0.222])
> >      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> (256/256 bits))
> >      (No client certificate requested)
> >      by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
> >      for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28 +0300 (EEST)
> > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> d=stanga.net; s=mail;
> >      t=1533557488; bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
> >      h=From:To:Subject:Date;
> >      
> b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJpN
> >       
> FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
> >       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> > From: "DobriL Dobrilov" <dobril at stanga.net>
> > To: "'DobriL Dobrilov'" <dobril at stanga.net>
> > Subject: Test
> > Date: Mon, 6 Aug 2018 15:11:34 +0300
> > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> >      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> > X-Mailer: Microsoft Outlook 16.0
> > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> > Content-Language: bg
> > X-MS-TNEF-Correlator: 
> 000000005234E38E73D4914094E5D7D34B79F6A564F78F00
> 
> Is one of the above emails an example which causes the problem and the 
> other an example which does not cause the problem (if so, which one is 
> which)?
> 
> Or are both the above emails examples which do not cause the problem 
> (in which case please send us the headers from one which does cause 
> the problem)?
> 
> 
> Regards,
> 
> 
> Antony.
> 
> > -----Original Message-----
> > From: MailScanner
> > 
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> r.info] On
> > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > Subject: Re: MailScanner: Message attempted to kill MailScanner
> > 
> > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > > Some other ideas, because unfortunately this Live system 
> and It's very
> > > critical ?
> > 
> > When did the problem start happening?
> > 
> > What changed on the MS server around that time?
> > 
> > Can you show us full headers of an example email from 
> webmail (which MS
> > can't process) and another one to and from the same 
> addresses, but not
> > from webmail (which MS processes okay)?
> > 
> > Antony
> 
> -- 
> Neurotics build castles in the sky;
> Psychotics live in them;
> Psychiatrists collect the rent.
> 
> 
>                                                    Please 
> reply to the list;
>                                                          
> please *don't* CC me.
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 



-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner


From belle at bazuin.nl  Mon Aug  6 13:22:25 2018
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Mon, 6 Aug 2018 15:22:25 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <000201d42d84$69dd22a0$3d9767e0$@stanga.net>
References: <vmime.5b6842d2.3a82.133d67be2465eaf2@ms249-lin-003.rotterdam.bazuin.nl>
Message-ID: <vmime.5b684b91.51e0.2818eaf77be9fe21@ms249-lin-003.rotterdam.bazuin.nl>

Hai, 

What is the os your running? 
That might help me a bit. 

Did you follow a site for this upgrade, show me which one if you did. 

Your group members are correct ? 
# *( im running debian 9 ) an i have these configured. 
mtagroup:x:1001:clamav,Debian-exim,postfix,mail,www-data
clamav:x:119:postfix,www-data
opendkim:x:122:postfix


And can you post a more complete mail.log, if needed, pm it to me or anonimize it here needed. 
Preffered from the time frame, when you try to send your the message. 

I still say its your antivirus, if you did not remove the old messages from your queue.
And now its not working because postfix/mailscanner try to deliver to clamd and thats turned of. 

If the AV is off then why is you log showing the av scanner? 
Your disk it not full?  

If upgrade my debian 7 + mailscanner 4.7x to debian 9 + mailscanner. 
I also reused my settings. 
I'll try to find if i can seen what i changed ( if so ), that was months ago.. 


Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: DobriL Dobrilov [mailto:dobril at stanga.net] 
> Verzonden: maandag 6 augustus 2018 14:53
> Aan: 'MailScanner Discussion'
> CC: 'L.P.H. van Belle'
> Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> 
> AV scan is off , something else cause the issue.
> 
> 
> Dobril Dobrilov
> IT Manager
> dobril at stanga.net
> 
> 
> 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> Mobile: +359 878 749 387
> 
> 
> We shape Digital?www.stanga.net
> 
> We re-invent Video?www.bsbvision.com
> 
> We build Apps?www.shanga.co
> 
> We support Start-Ups?www.mysbar.net
> 
> 
> 
> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> r.info] On
> Behalf Of L.P.H. van Belle via MailScanner
> Sent: Monday, August 6, 2018 3:45 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Cc: L.P.H. van Belle <belle at bazuin.nl>
> Subject: RE: MailScanner: Message attempted to kill MailScanner
> 
> Are you using Yara rules or other clamav unoffical databases.
> Remove these, restart clamav and try again. 
> 
> You might have a bad clamav database file. 
> 
> Greetz, 
> 
> Louis
> 
>  
> 
> > -----Oorspronkelijk bericht-----
> > Van: MailScanner
> > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> > info] Namens Antony Stone
> > Verzonden: maandag 6 augustus 2018 14:23
> > Aan: MailScanner Discussion
> > Onderwerp: Re: MailScanner: Message attempted to kill MailScanner
> > 
> > On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> > 
> > > Until now the Mail Server was with old postfix and
> > MailScanner 4.79. I
> > > migrated to new server with MailScanner 5.0.7. MS config 
> is same as 
> > > before.
> > 
> > Maybe someone with more knowledge than of any configuration 
> > differences ebtween those version can comment on just 
> keeping the same 
> > configuration file...
> > 
> > > From webmail I can send messages out of my domain without 
> problems.
> > 
> > So, what *does* cause the problem?
> > 
> > Your original email said "All emails sent from my webmail to same 
> > domain cannot be processes by mailscanner."
> > 
> > > Msg from webmail
> > > Received: from mail.stanga.net (localhost [IPv6:::1])
> > >      by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
> > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37 
> +0300 (EEST)
> > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > d=stanga.net; s=mail;
> > >      t=1533555217; 
> bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
> > >      h=Date:From:To:Subject;
> > >      
> > b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwYF
> > >       
> > YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
> > >       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> > > MIME-Version: 1.0
> > > Content-Type: multipart/alternative; 
> > > boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> > > Date: Mon, 06 Aug 2018 14:33:37 +0300
> > > From: Dobril Dobrilov <dobril at stanga.net>
> > > To: dobril at stanga.net
> > > Subject: Test2
> > > Organization: StangaOne1
> > > Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
> > > X-Sender: dobril at stanga.net
> > > User-Agent: Roundcube Webmail/1.3.7
> > > 
> > > Msg from Mail Client
> > > Received: from DL (unknown [192.168.0.222])
> > >      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> > (256/256 bits))
> > >      (No client certificate requested)
> > >      by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
> > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28 
> +0300 (EEST)
> > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > d=stanga.net; s=mail;
> > >      t=1533557488; 
> bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
> > >      h=From:To:Subject:Date;
> > >      
> > b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJpN
> > >       
> > FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
> > >       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> > > From: "DobriL Dobrilov" <dobril at stanga.net>
> > > To: "'DobriL Dobrilov'" <dobril at stanga.net>
> > > Subject: Test
> > > Date: Mon, 6 Aug 2018 15:11:34 +0300
> > > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
> > > MIME-Version: 1.0
> > > Content-Type: multipart/mixed;
> > >      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> > > X-Mailer: Microsoft Outlook 16.0
> > > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> > > Content-Language: bg
> > > X-MS-TNEF-Correlator: 
> > 000000005234E38E73D4914094E5D7D34B79F6A564F78F00
> > 
> > Is one of the above emails an example which causes the 
> problem and the 
> > other an example which does not cause the problem (if so, 
> which one is 
> > which)?
> > 
> > Or are both the above emails examples which do not cause 
> the problem 
> > (in which case please send us the headers from one which does cause 
> > the problem)?
> > 
> > 
> > Regards,
> > 
> > 
> > Antony.
> > 
> > > -----Original Message-----
> > > From: MailScanner
> > > 
> > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > r.info] On
> > > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> > > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > > Subject: Re: MailScanner: Message attempted to kill MailScanner
> > > 
> > > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > > > Some other ideas, because unfortunately this Live system 
> > and It's very
> > > > critical ?
> > > 
> > > When did the problem start happening?
> > > 
> > > What changed on the MS server around that time?
> > > 
> > > Can you show us full headers of an example email from 
> > webmail (which MS
> > > can't process) and another one to and from the same 
> > addresses, but not
> > > from webmail (which MS processes okay)?
> > > 
> > > Antony
> > 
> > -- 
> > Neurotics build castles in the sky;
> > Psychotics live in them;
> > Psychiatrists collect the rent.
> > 
> > 
> >                                                    Please 
> > reply to the list;
> >                                                          
> > please *don't* CC me.
> > 
> > 
> > -- 
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > 
> > 
> 
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 


From dobril at stanga.net  Mon Aug  6 14:14:39 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 17:14:39 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <vmime.5b684b91.51e0.2818eaf77be9fe21@ms249-lin-003.rotterdam.bazuin.nl>
References: <vmime.5b6842d2.3a82.133d67be2465eaf2@ms249-lin-003.rotterdam.bazuin.nl>
 <vmime.5b684b91.51e0.2818eaf77be9fe21@ms249-lin-003.rotterdam.bazuin.nl>
Message-ID: <000501d42d8f$d0358a50$70a09ef0$@stanga.net>

Definitely this is something related only to my webmail and only when I send
emails to the same domain. I can send same message without any issue if I'm
using outlook or other mail client.
I can send messages from Webmail to all external domain without problem. All
thing mean that the problem cannot be disk space , ram or bad permissions.
echo Test |mail dobril at stanga.net , from the same server deliver messages
without problem.


-----Original Message-----
From: MailScanner
[mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On
Behalf Of L.P.H. van Belle via MailScanner
Sent: Monday, August 6, 2018 4:22 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: L.P.H. van Belle <belle at bazuin.nl>
Subject: RE: MailScanner: Message attempted to kill MailScanner

Hai, 

What is the os your running? 
That might help me a bit. 

Did you follow a site for this upgrade, show me which one if you did. 

Your group members are correct ? 
# *( im running debian 9 ) an i have these configured. 
mtagroup:x:1001:clamav,Debian-exim,postfix,mail,www-data
clamav:x:119:postfix,www-data
opendkim:x:122:postfix


And can you post a more complete mail.log, if needed, pm it to me or
anonimize it here needed. 
Preffered from the time frame, when you try to send your the message. 

I still say its your antivirus, if you did not remove the old messages from
your queue.
And now its not working because postfix/mailscanner try to deliver to clamd
and thats turned of. 

If the AV is off then why is you log showing the av scanner? 
Your disk it not full?  

If upgrade my debian 7 + mailscanner 4.7x to debian 9 + mailscanner. 
I also reused my settings. 
I'll try to find if i can seen what i changed ( if so ), that was months
ago.. 


Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: DobriL Dobrilov [mailto:dobril at stanga.net]
> Verzonden: maandag 6 augustus 2018 14:53
> Aan: 'MailScanner Discussion'
> CC: 'L.P.H. van Belle'
> Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> 
> AV scan is off , something else cause the issue.
> 
> 
> Dobril Dobrilov
> IT Manager
> dobril at stanga.net
> 
> 
> 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> Mobile: +359 878 749 387
> 
> 
> We shape Digital?www.stanga.net
> 
> We re-invent Video?www.bsbvision.com
> 
> We build Apps?www.shanga.co
> 
> We support Start-Ups?www.mysbar.net
> 
> 
> 
> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> r.info] On
> Behalf Of L.P.H. van Belle via MailScanner
> Sent: Monday, August 6, 2018 3:45 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Cc: L.P.H. van Belle <belle at bazuin.nl>
> Subject: RE: MailScanner: Message attempted to kill MailScanner
> 
> Are you using Yara rules or other clamav unoffical databases.
> Remove these, restart clamav and try again. 
> 
> You might have a bad clamav database file. 
> 
> Greetz,
> 
> Louis
> 
>  
> 
> > -----Oorspronkelijk bericht-----
> > Van: MailScanner
> > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> > info] Namens Antony Stone
> > Verzonden: maandag 6 augustus 2018 14:23
> > Aan: MailScanner Discussion
> > Onderwerp: Re: MailScanner: Message attempted to kill MailScanner
> > 
> > On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> > 
> > > Until now the Mail Server was with old postfix and
> > MailScanner 4.79. I
> > > migrated to new server with MailScanner 5.0.7. MS config
> is same as
> > > before.
> > 
> > Maybe someone with more knowledge than of any configuration 
> > differences ebtween those version can comment on just
> keeping the same
> > configuration file...
> > 
> > > From webmail I can send messages out of my domain without
> problems.
> > 
> > So, what *does* cause the problem?
> > 
> > Your original email said "All emails sent from my webmail to same 
> > domain cannot be processes by mailscanner."
> > 
> > > Msg from webmail
> > > Received: from mail.stanga.net (localhost [IPv6:::1])
> > >      by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
> > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37
> +0300 (EEST)
> > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > d=stanga.net; s=mail;
> > >      t=1533555217;
> bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
> > >      h=Date:From:To:Subject;
> > >      
> > b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwYF
> > >       
> > YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
> > >       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> > > MIME-Version: 1.0
> > > Content-Type: multipart/alternative; 
> > > boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> > > Date: Mon, 06 Aug 2018 14:33:37 +0300
> > > From: Dobril Dobrilov <dobril at stanga.net>
> > > To: dobril at stanga.net
> > > Subject: Test2
> > > Organization: StangaOne1
> > > Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
> > > X-Sender: dobril at stanga.net
> > > User-Agent: Roundcube Webmail/1.3.7
> > > 
> > > Msg from Mail Client
> > > Received: from DL (unknown [192.168.0.222])
> > >      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> > (256/256 bits))
> > >      (No client certificate requested)
> > >      by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
> > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28
> +0300 (EEST)
> > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > d=stanga.net; s=mail;
> > >      t=1533557488;
> bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
> > >      h=From:To:Subject:Date;
> > >      
> > b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJpN
> > >       
> > FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
> > >       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> > > From: "DobriL Dobrilov" <dobril at stanga.net>
> > > To: "'DobriL Dobrilov'" <dobril at stanga.net>
> > > Subject: Test
> > > Date: Mon, 6 Aug 2018 15:11:34 +0300
> > > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
> > > MIME-Version: 1.0
> > > Content-Type: multipart/mixed;
> > >      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> > > X-Mailer: Microsoft Outlook 16.0
> > > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> > > Content-Language: bg
> > > X-MS-TNEF-Correlator: 
> > 000000005234E38E73D4914094E5D7D34B79F6A564F78F00
> > 
> > Is one of the above emails an example which causes the
> problem and the
> > other an example which does not cause the problem (if so,
> which one is
> > which)?
> > 
> > Or are both the above emails examples which do not cause
> the problem
> > (in which case please send us the headers from one which does cause 
> > the problem)?
> > 
> > 
> > Regards,
> > 
> > 
> > Antony.
> > 
> > > -----Original Message-----
> > > From: MailScanner
> > > 
> > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > r.info] On
> > > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> > > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > > Subject: Re: MailScanner: Message attempted to kill MailScanner
> > > 
> > > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > > > Some other ideas, because unfortunately this Live system
> > and It's very
> > > > critical ?
> > > 
> > > When did the problem start happening?
> > > 
> > > What changed on the MS server around that time?
> > > 
> > > Can you show us full headers of an example email from
> > webmail (which MS
> > > can't process) and another one to and from the same
> > addresses, but not
> > > from webmail (which MS processes okay)?
> > > 
> > > Antony
> > 
> > --
> > Neurotics build castles in the sky;
> > Psychotics live in them;
> > Psychiatrists collect the rent.
> > 
> > 
> >                                                    Please reply to 
> > the list;
> >                                                          
> > please *don't* CC me.
> > 
> > 
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > 
> > 
> 
> 
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 



--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner


From Antony.Stone at mailscanner.open.source.it  Mon Aug  6 14:17:54 2018
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Mon, 6 Aug 2018 16:17:54 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <000501d42d8f$d0358a50$70a09ef0$@stanga.net>
References: <vmime.5b6842d2.3a82.133d67be2465eaf2@ms249-lin-003.rotterdam.bazuin.nl>
 <vmime.5b684b91.51e0.2818eaf77be9fe21@ms249-lin-003.rotterdam.bazuin.nl>
 <000501d42d8f$d0358a50$70a09ef0$@stanga.net>
Message-ID: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>

On Monday 06 August 2018 at 16:14:39, DobriL Dobrilov wrote:

> Definitely this is something related only to my webmail and only when I
> send emails to the same domain. I can send same message without any issue
> if I'm using outlook or other mail client.
> I can send messages from Webmail to all external domain without problem.
> All thing mean that the problem cannot be disk space , ram or bad
> permissions. echo Test |mail dobril at stanga.net , from the same server
> deliver messages without problem.

Can you show us full headers of an example email from webmail (which MS can't 
process) and another one to and from the same addresses, but not from webmail 
(which MS processes okay)?

Antony.

> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On
> Behalf Of L.P.H. van Belle via MailScanner
> Sent: Monday, August 6, 2018 4:22 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Cc: L.P.H. van Belle <belle at bazuin.nl>
> Subject: RE: MailScanner: Message attempted to kill MailScanner
> 
> Hai,
> 
> What is the os your running?
> That might help me a bit.
> 
> Did you follow a site for this upgrade, show me which one if you did.
> 
> Your group members are correct ?
> # *( im running debian 9 ) an i have these configured.
> mtagroup:x:1001:clamav,Debian-exim,postfix,mail,www-data
> clamav:x:119:postfix,www-data
> opendkim:x:122:postfix
> 
> 
> And can you post a more complete mail.log, if needed, pm it to me or
> anonimize it here needed.
> Preffered from the time frame, when you try to send your the message.
> 
> I still say its your antivirus, if you did not remove the old messages from
> your queue.
> And now its not working because postfix/mailscanner try to deliver to clamd
> and thats turned of.
> 
> If the AV is off then why is you log showing the av scanner?
> Your disk it not full?
> 
> If upgrade my debian 7 + mailscanner 4.7x to debian 9 + mailscanner.
> I also reused my settings.
> I'll try to find if i can seen what i changed ( if so ), that was months
> ago..
> 
> 
> Greetz,
> 
> Louis
> 
> > -----Oorspronkelijk bericht-----
> > Van: DobriL Dobrilov [mailto:dobril at stanga.net]
> > Verzonden: maandag 6 augustus 2018 14:53
> > Aan: 'MailScanner Discussion'
> > CC: 'L.P.H. van Belle'
> > Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> > 
> > AV scan is off , something else cause the issue.
> > 
> > 
> > Dobril Dobrilov
> > IT Manager
> > dobril at stanga.net
> > 
> > 
> > 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> > Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> > Mobile: +359 878 749 387
> > 
> > 
> > We shape Digital www.stanga.net
> > 
> > We re-invent Video www.bsbvision.com
> > 
> > We build Apps www.shanga.co
> > 
> > We support Start-Ups www.mysbar.net
> > 
> > 
> > 
> > -----Original Message-----
> > From: MailScanner
> > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > r.info] On
> > Behalf Of L.P.H. van Belle via MailScanner
> > Sent: Monday, August 6, 2018 3:45 PM
> > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > Cc: L.P.H. van Belle <belle at bazuin.nl>
> > Subject: RE: MailScanner: Message attempted to kill MailScanner
> > 
> > Are you using Yara rules or other clamav unoffical databases.
> > Remove these, restart clamav and try again.
> > 
> > You might have a bad clamav database file.
> > 
> > Greetz,
> > 
> > Louis
> > 
> > > -----Oorspronkelijk bericht-----
> > > Van: MailScanner
> > > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> > > info] Namens Antony Stone
> > > Verzonden: maandag 6 augustus 2018 14:23
> > > Aan: MailScanner Discussion
> > > Onderwerp: Re: MailScanner: Message attempted to kill MailScanner
> > > 
> > > On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> > > > Until now the Mail Server was with old postfix and
> > > 
> > > MailScanner 4.79. I
> > > 
> > > > migrated to new server with MailScanner 5.0.7. MS config
> > 
> > is same as
> > 
> > > > before.
> > > 
> > > Maybe someone with more knowledge than of any configuration
> > > differences ebtween those version can comment on just
> > 
> > keeping the same
> > 
> > > configuration file...
> > > 
> > > > From webmail I can send messages out of my domain without
> > 
> > problems.
> > 
> > > So, what *does* cause the problem?
> > > 
> > > Your original email said "All emails sent from my webmail to same
> > > domain cannot be processes by mailscanner."
> > > 
> > > > Msg from webmail
> > > > Received: from mail.stanga.net (localhost [IPv6:::1])
> > > > 
> > > >      by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
> > > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37
> > 
> > +0300 (EEST)
> > 
> > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > 
> > > d=stanga.net; s=mail;
> > > 
> > > >      t=1533555217;
> > 
> > bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
> > 
> > > >      h=Date:From:To:Subject;
> > > 
> > > b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwYF
> > > 
> > > YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
> > > 
> > > >       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> > > > 
> > > > MIME-Version: 1.0
> > > > Content-Type: multipart/alternative;
> > > > boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> > > > Date: Mon, 06 Aug 2018 14:33:37 +0300
> > > > From: Dobril Dobrilov <dobril at stanga.net>
> > > > To: dobril at stanga.net
> > > > Subject: Test2
> > > > Organization: StangaOne1
> > > > Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
> > > > X-Sender: dobril at stanga.net
> > > > User-Agent: Roundcube Webmail/1.3.7
> > > > 
> > > > Msg from Mail Client
> > > > Received: from DL (unknown [192.168.0.222])
> > > > 
> > > >      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> > > 
> > > (256/256 bits))
> > > 
> > > >      (No client certificate requested)
> > > >      by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
> > > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28
> > 
> > +0300 (EEST)
> > 
> > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > 
> > > d=stanga.net; s=mail;
> > > 
> > > >      t=1533557488;
> > 
> > bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
> > 
> > > >      h=From:To:Subject:Date;
> > > 
> > > b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJpN
> > > 
> > > FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
> > > 
> > > >       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> > > > 
> > > > From: "DobriL Dobrilov" <dobril at stanga.net>
> > > > To: "'DobriL Dobrilov'" <dobril at stanga.net>
> > > > Subject: Test
> > > > Date: Mon, 6 Aug 2018 15:11:34 +0300
> > > > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
> > > > MIME-Version: 1.0
> > > > Content-Type: multipart/mixed;
> > > > 
> > > >      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> > > > 
> > > > X-Mailer: Microsoft Outlook 16.0
> > > > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> > > > Content-Language: bg
> > > 
> > > > X-MS-TNEF-Correlator:
> > > 000000005234E38E73D4914094E5D7D34B79F6A564F78F00
> > > 
> > > Is one of the above emails an example which causes the
> > 
> > problem and the
> > 
> > > other an example which does not cause the problem (if so,
> > 
> > which one is
> > 
> > > which)?
> > > 
> > > Or are both the above emails examples which do not cause
> > 
> > the problem
> > 
> > > (in which case please send us the headers from one which does cause
> > > the problem)?
> > > 
> > > 
> > > Regards,
> > > 
> > > 
> > > Antony.
> > > 
> > > > -----Original Message-----
> > > > From: MailScanner
> > > 
> > > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > > r.info] On
> > > 
> > > > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> > > > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > > > Subject: Re: MailScanner: Message attempted to kill MailScanner
> > > > 
> > > > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > > > > Some other ideas, because unfortunately this Live system
> > > 
> > > and It's very
> > > 
> > > > > critical ?
> > > > 
> > > > When did the problem start happening?
> > > > 
> > > > What changed on the MS server around that time?
> > > > 
> > > > Can you show us full headers of an example email from
> > > 
> > > webmail (which MS
> > > 
> > > > can't process) and another one to and from the same
> > > 
> > > addresses, but not
> > > 
> > > > from webmail (which MS processes okay)?
> > > > 
> > > > Antony
> > > 
> > > --
> > > Neurotics build castles in the sky;
> > > Psychotics live in them;
> > > Psychiatrists collect the rent.
> > > 
> > >                                                    Please reply to
> > > 
> > > the list;
> > > 
> > > please *don't* CC me.
> > > 
> > > 
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > 
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner

From dobril at stanga.net  Mon Aug  6 14:43:40 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 17:43:40 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
References: <vmime.5b6842d2.3a82.133d67be2465eaf2@ms249-lin-003.rotterdam.bazuin.nl>
 <vmime.5b684b91.51e0.2818eaf77be9fe21@ms249-lin-003.rotterdam.bazuin.nl>
 <000501d42d8f$d0358a50$70a09ef0$@stanga.net>
 <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
Message-ID: <001d01d42d93$ddc896e0$9959c4a0$@stanga.net>

Webmail
------------
Received: from mail.stanga.net (localhost [IPv6:::1])
	by mail.stanga.net (Postfix) with ESMTPA id 5772D62C57
	for <dobril at stanga.net>; Mon,  6 Aug 2018 14:52:00 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; s=mail;
	t=1533556320; bh=4I/hR/SP5y+TSO6ckrsWbUfz/ulzfgg21OOLy4t7Qcw=;
	h=Date:From:To:Subject:Reply-To;
	b=LHHTCrdhwEuGskWyqw0sWd1Km3VgyVhuTGiQ+b00rQmMg5EoEvx0ro12ob/zWes9m
	 jtgr30krr1OkHUcBPXOoYUyCDOzLU3VwKUjYO8mX2L1C3ZCZsvgFkbjtP7QbrIHzM6
	 EsRQn070GPV/w75A43jCSxetrKKtM6se6osKZvaM=
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Mon, 06 Aug 2018 14:52:00 +0300
From: Dobril Dobrilov <dobril at stanga.net>
To: dobril at stanga.net
Subject: AAA
Organization: StangaOne1
Reply-To: dobril at stanga.net
Mail-Reply-To: dobril at stanga.net
Message-ID: <8e5ddc58218e715f2ec6286fe0b60f03 at stanga.net>
X-Sender: dobril at stanga.net
User-Agent: Roundcube Webmail/1.3.7


Outlook
------------
Return-Path: <dobril at stanga.net>
X-Original-To: dobril at stanga.net
Delivered-To: dobril at stanga.net
Received: from DL (unknown [192.168.0.222])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
bits))
	(No client certificate requested)
	by mail.stanga.net (Postfix) with ESMTPSA id D6F6D62C8E
	for <dobril at stanga.net>; Mon,  6 Aug 2018 17:42:45 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; s=mail;
	t=1533566565; bh=1ooy+DYxraTnYWXxssyteq3EYaC5wdAbrolTC0mL5bA=;
	h=From:To:Subject:Date;
	b=XZzNLHycLcbdsjqXFtWJT96Q0lPhhtOS/+ZGIZpVWNfu68gw1nFHitcIUfV5zGCk2
	 L419FGzTaLO9GiE1pAGnzruH5dh1BCHU+9AxLu3rB3oijr2BOEXeltH1TREFq4E0f+
	 erOPUx3jdywpL6vJFLR2YixmUfIrdLScxOTcUKk0=
From: "DobriL Dobrilov" <dobril at stanga.net>
To: "'DobriL Dobrilov'" <dobril at stanga.net>
Subject: Test
Date: Mon, 6 Aug 2018 17:42:52 +0300
Message-ID: <001701d42d93$c0ff3460$42fd9d20$@stanga.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0018_01D42DAC.E64C6C60"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdQtk77S62N7R+6qQV66SqVGhFQY4A==
Content-Language: bg
X-MS-TNEF-Correlator: 000000005234E38E73D4914094E5D7D34B79F6A504FD8F00
X-Stanga-MailScanner-Information: Please contact the ISP for more
information
X-Stanga-MailScanner-ID: D6F6D62C8E.AB5F9
X-Stanga-MailScanner: Not scanned: please contact your Internet E-Mail
Service Provider for details
X-Stanga-MailScanner-SpamCheck: not spam (whitelisted),
	SpamAssassin (not cached, score=-99.887, required 5,
	ALL_TRUSTED -1.00, DKIM_SIGNED 0.10, DKIM_VALID -0.10,
	DKIM_VALID_AU -0.10, TVD_RCVD_SINGLE 1.21,
	USER_IN_WHITELIST -100.00)
X-Stanga-MailScanner-From: dobril at stanga.net
X-Spam-Status: No
X-EsetId: 37303A2960736C61677D6A


-----Original Message-----
From: MailScanner
[mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On
Behalf Of Antony Stone
Sent: Monday, August 6, 2018 5:18 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: MailScanner: Message attempted to kill MailScanner

On Monday 06 August 2018 at 16:14:39, DobriL Dobrilov wrote:

> Definitely this is something related only to my webmail and only when 
> I send emails to the same domain. I can send same message without any 
> issue if I'm using outlook or other mail client.
> I can send messages from Webmail to all external domain without problem.
> All thing mean that the problem cannot be disk space , ram or bad 
> permissions. echo Test |mail dobril at stanga.net , from the same server 
> deliver messages without problem.

Can you show us full headers of an example email from webmail (which MS
can't
process) and another one to and from the same addresses, but not from
webmail (which MS processes okay)?

Antony.

> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] 
> On Behalf Of L.P.H. van Belle via MailScanner
> Sent: Monday, August 6, 2018 4:22 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Cc: L.P.H. van Belle <belle at bazuin.nl>
> Subject: RE: MailScanner: Message attempted to kill MailScanner
> 
> Hai,
> 
> What is the os your running?
> That might help me a bit.
> 
> Did you follow a site for this upgrade, show me which one if you did.
> 
> Your group members are correct ?
> # *( im running debian 9 ) an i have these configured.
> mtagroup:x:1001:clamav,Debian-exim,postfix,mail,www-data
> clamav:x:119:postfix,www-data
> opendkim:x:122:postfix
> 
> 
> And can you post a more complete mail.log, if needed, pm it to me or 
> anonimize it here needed.
> Preffered from the time frame, when you try to send your the message.
> 
> I still say its your antivirus, if you did not remove the old messages 
> from your queue.
> And now its not working because postfix/mailscanner try to deliver to 
> clamd and thats turned of.
> 
> If the AV is off then why is you log showing the av scanner?
> Your disk it not full?
> 
> If upgrade my debian 7 + mailscanner 4.7x to debian 9 + mailscanner.
> I also reused my settings.
> I'll try to find if i can seen what i changed ( if so ), that was 
> months ago..
> 
> 
> Greetz,
> 
> Louis
> 
> > -----Oorspronkelijk bericht-----
> > Van: DobriL Dobrilov [mailto:dobril at stanga.net]
> > Verzonden: maandag 6 augustus 2018 14:53
> > Aan: 'MailScanner Discussion'
> > CC: 'L.P.H. van Belle'
> > Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> > 
> > AV scan is off , something else cause the issue.
> > 
> > 
> > Dobril Dobrilov
> > IT Manager
> > dobril at stanga.net
> > 
> > 
> > 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> > Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> > Mobile: +359 878 749 387
> > 
> > 
> > We shape Digital www.stanga.net
> > 
> > We re-invent Video www.bsbvision.com
> > 
> > We build Apps www.shanga.co
> > 
> > We support Start-Ups www.mysbar.net
> > 
> > 
> > 
> > -----Original Message-----
> > From: MailScanner
> > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > r.info] On
> > Behalf Of L.P.H. van Belle via MailScanner
> > Sent: Monday, August 6, 2018 3:45 PM
> > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > Cc: L.P.H. van Belle <belle at bazuin.nl>
> > Subject: RE: MailScanner: Message attempted to kill MailScanner
> > 
> > Are you using Yara rules or other clamav unoffical databases.
> > Remove these, restart clamav and try again.
> > 
> > You might have a bad clamav database file.
> > 
> > Greetz,
> > 
> > Louis
> > 
> > > -----Oorspronkelijk bericht-----
> > > Van: MailScanner
> > > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> > > info] Namens Antony Stone
> > > Verzonden: maandag 6 augustus 2018 14:23
> > > Aan: MailScanner Discussion
> > > Onderwerp: Re: MailScanner: Message attempted to kill MailScanner
> > > 
> > > On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> > > > Until now the Mail Server was with old postfix and
> > > 
> > > MailScanner 4.79. I
> > > 
> > > > migrated to new server with MailScanner 5.0.7. MS config
> > 
> > is same as
> > 
> > > > before.
> > > 
> > > Maybe someone with more knowledge than of any configuration 
> > > differences ebtween those version can comment on just
> > 
> > keeping the same
> > 
> > > configuration file...
> > > 
> > > > From webmail I can send messages out of my domain without
> > 
> > problems.
> > 
> > > So, what *does* cause the problem?
> > > 
> > > Your original email said "All emails sent from my webmail to same 
> > > domain cannot be processes by mailscanner."
> > > 
> > > > Msg from webmail
> > > > Received: from mail.stanga.net (localhost [IPv6:::1])
> > > > 
> > > >      by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
> > > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37
> > 
> > +0300 (EEST)
> > 
> > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > 
> > > d=stanga.net; s=mail;
> > > 
> > > >      t=1533555217;
> > 
> > bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
> > 
> > > >      h=Date:From:To:Subject;
> > > 
> > > b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwY
> > > F
> > > 
> > > YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
> > > 
> > > >       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> > > > 
> > > > MIME-Version: 1.0
> > > > Content-Type: multipart/alternative; 
> > > > boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> > > > Date: Mon, 06 Aug 2018 14:33:37 +0300
> > > > From: Dobril Dobrilov <dobril at stanga.net>
> > > > To: dobril at stanga.net
> > > > Subject: Test2
> > > > Organization: StangaOne1
> > > > Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
> > > > X-Sender: dobril at stanga.net
> > > > User-Agent: Roundcube Webmail/1.3.7
> > > > 
> > > > Msg from Mail Client
> > > > Received: from DL (unknown [192.168.0.222])
> > > > 
> > > >      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> > > 
> > > (256/256 bits))
> > > 
> > > >      (No client certificate requested)
> > > >      by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
> > > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28
> > 
> > +0300 (EEST)
> > 
> > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > 
> > > d=stanga.net; s=mail;
> > > 
> > > >      t=1533557488;
> > 
> > bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
> > 
> > > >      h=From:To:Subject:Date;
> > > 
> > > b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJp
> > > N
> > > 
> > > FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
> > > 
> > > >       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> > > > 
> > > > From: "DobriL Dobrilov" <dobril at stanga.net>
> > > > To: "'DobriL Dobrilov'" <dobril at stanga.net>
> > > > Subject: Test
> > > > Date: Mon, 6 Aug 2018 15:11:34 +0300
> > > > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
> > > > MIME-Version: 1.0
> > > > Content-Type: multipart/mixed;
> > > > 
> > > >      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> > > > 
> > > > X-Mailer: Microsoft Outlook 16.0
> > > > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> > > > Content-Language: bg
> > > 
> > > > X-MS-TNEF-Correlator:
> > > 000000005234E38E73D4914094E5D7D34B79F6A564F78F00
> > > 
> > > Is one of the above emails an example which causes the
> > 
> > problem and the
> > 
> > > other an example which does not cause the problem (if so,
> > 
> > which one is
> > 
> > > which)?
> > > 
> > > Or are both the above emails examples which do not cause
> > 
> > the problem
> > 
> > > (in which case please send us the headers from one which does 
> > > cause the problem)?
> > > 
> > > 
> > > Regards,
> > > 
> > > 
> > > Antony.
> > > 
> > > > -----Original Message-----
> > > > From: MailScanner
> > > 
> > > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > > r.info] On
> > > 
> > > > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> > > > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > > > Subject: Re: MailScanner: Message attempted to kill MailScanner
> > > > 
> > > > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > > > > Some other ideas, because unfortunately this Live system
> > > 
> > > and It's very
> > > 
> > > > > critical ?
> > > > 
> > > > When did the problem start happening?
> > > > 
> > > > What changed on the MS server around that time?
> > > > 
> > > > Can you show us full headers of an example email from
> > > 
> > > webmail (which MS
> > > 
> > > > can't process) and another one to and from the same
> > > 
> > > addresses, but not
> > > 
> > > > from webmail (which MS processes okay)?
> > > > 
> > > > Antony
> > > 
> > > --
> > > Neurotics build castles in the sky; Psychotics live in them; 
> > > Psychiatrists collect the rent.
> > > 
> > >                                                    Please reply to
> > > 
> > > the list;
> > > 
> > > please *don't* CC me.
> > > 
> > > 
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > 
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner


From belle at bazuin.nl  Mon Aug  6 15:10:31 2018
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Mon, 6 Aug 2018 17:10:31 +0200
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <001d01d42d93$ddc896e0$9959c4a0$@stanga.net>
References: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
Message-ID: <vmime.5b6864e7.696.697185129bd6dd7@ms249-lin-003.rotterdam.bazuin.nl>

You webserver is not "localhost"... Pointing to : from mail.stanga.net (localhost [IPv6:::1]) 
Choose... 

By example. cat /etc/hosts 
127.0.0.1      localhost
194.124.193.23 mail.domain.tld
192.168.1.1	   mail.internal.domain.tld mail


# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Just beware when you change it, you might hit more, but if you fix  that all your ok for the futere. 
Imo. Your resolving is giving the problems. 


Greetz, 

Louis

 

> -----Oorspronkelijk bericht-----
> Van: MailScanner 
> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
info] Namens DobriL Dobrilov
> Verzonden: maandag 6 augustus 2018 16:44
> Aan: 'MailScanner Discussion'
> Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> 
> Webmail
> ------------
> Received: from mail.stanga.net (localhost [IPv6:::1])
> 	by mail.stanga.net (Postfix) with ESMTPA id 5772D62C57
> 	for <dobril at stanga.net>; Mon,  6 Aug 2018 14:52:00 +0300 (EEST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; 
> d=stanga.net; s=mail;
> 	t=1533556320; bh=4I/hR/SP5y+TSO6ckrsWbUfz/ulzfgg21OOLy4t7Qcw=;
> 	h=Date:From:To:Subject:Reply-To;
> 	
> b=LHHTCrdhwEuGskWyqw0sWd1Km3VgyVhuTGiQ+b00rQmMg5EoEvx0ro12ob/zWes9m
> 	 
> jtgr30krr1OkHUcBPXOoYUyCDOzLU3VwKUjYO8mX2L1C3ZCZsvgFkbjtP7QbrIHzM6
> 	 EsRQn070GPV/w75A43jCSxetrKKtM6se6osKZvaM=
> MIME-Version: 1.0
> Content-Type: text/plain; charset=US-ASCII;
>  format=flowed
> Content-Transfer-Encoding: 7bit
> Date: Mon, 06 Aug 2018 14:52:00 +0300
> From: Dobril Dobrilov <dobril at stanga.net>
> To: dobril at stanga.net
> Subject: AAA
> Organization: StangaOne1
> Reply-To: dobril at stanga.net
> Mail-Reply-To: dobril at stanga.net
> Message-ID: <8e5ddc58218e715f2ec6286fe0b60f03 at stanga.net>
> X-Sender: dobril at stanga.net
> User-Agent: Roundcube Webmail/1.3.7
> 
> 
> Outlook
> ------------
> Return-Path: <dobril at stanga.net>
> X-Original-To: dobril at stanga.net
> Delivered-To: dobril at stanga.net
> Received: from DL (unknown [192.168.0.222])
> 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
> bits))
> 	(No client certificate requested)
> 	by mail.stanga.net (Postfix) with ESMTPSA id D6F6D62C8E
> 	for <dobril at stanga.net>; Mon,  6 Aug 2018 17:42:45 +0300 (EEST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; 
> d=stanga.net; s=mail;
> 	t=1533566565; bh=1ooy+DYxraTnYWXxssyteq3EYaC5wdAbrolTC0mL5bA=;
> 	h=From:To:Subject:Date;
> 	
> b=XZzNLHycLcbdsjqXFtWJT96Q0lPhhtOS/+ZGIZpVWNfu68gw1nFHitcIUfV5zGCk2
> 	 
> L419FGzTaLO9GiE1pAGnzruH5dh1BCHU+9AxLu3rB3oijr2BOEXeltH1TREFq4E0f+
> 	 erOPUx3jdywpL6vJFLR2YixmUfIrdLScxOTcUKk0=
> From: "DobriL Dobrilov" <dobril at stanga.net>
> To: "'DobriL Dobrilov'" <dobril at stanga.net>
> Subject: Test
> Date: Mon, 6 Aug 2018 17:42:52 +0300
> Message-ID: <001701d42d93$c0ff3460$42fd9d20$@stanga.net>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> 	boundary="----=_NextPart_000_0018_01D42DAC.E64C6C60"
> X-Mailer: Microsoft Outlook 16.0
> Thread-Index: AdQtk77S62N7R+6qQV66SqVGhFQY4A==
> Content-Language: bg
> X-MS-TNEF-Correlator: 000000005234E38E73D4914094E5D7D34B79F6A504FD8F00
> X-Stanga-MailScanner-Information: Please contact the ISP for more
> information
> X-Stanga-MailScanner-ID: D6F6D62C8E.AB5F9
> X-Stanga-MailScanner: Not scanned: please contact your Internet E-Mail
> Service Provider for details
> X-Stanga-MailScanner-SpamCheck: not spam (whitelisted),
> 	SpamAssassin (not cached, score=-99.887, required 5,
> 	ALL_TRUSTED -1.00, DKIM_SIGNED 0.10, DKIM_VALID -0.10,
> 	DKIM_VALID_AU -0.10, TVD_RCVD_SINGLE 1.21,
> 	USER_IN_WHITELIST -100.00)
> X-Stanga-MailScanner-From: dobril at stanga.net
> X-Spam-Status: No
> X-EsetId: 37303A2960736C61677D6A
> 
> 
> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
r.info] On
> Behalf Of Antony Stone
> Sent: Monday, August 6, 2018 5:18 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: MailScanner: Message attempted to kill MailScanner
> 
> On Monday 06 August 2018 at 16:14:39, DobriL Dobrilov wrote:
> 
> > Definitely this is something related only to my webmail and 
> only when 
> > I send emails to the same domain. I can send same message 
> without any 
> > issue if I'm using outlook or other mail client.
> > I can send messages from Webmail to all external domain 
> without problem.
> > All thing mean that the problem cannot be disk space , ram or bad 
> > permissions. echo Test |mail dobril at stanga.net , from the 
> same server 
> > deliver messages without problem.
> 
> Can you show us full headers of an example email from webmail 
> (which MS
> can't
> process) and another one to and from the same addresses, but not from
> webmail (which MS processes okay)?
> 
> Antony.
> 
> > -----Original Message-----
> > From: MailScanner
> > 
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] 
> > On Behalf Of L.P.H. van Belle via MailScanner
> > Sent: Monday, August 6, 2018 4:22 PM
> > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > Cc: L.P.H. van Belle <belle at bazuin.nl>
> > Subject: RE: MailScanner: Message attempted to kill MailScanner
> > 
> > Hai,
> > 
> > What is the os your running?
> > That might help me a bit.
> > 
> > Did you follow a site for this upgrade, show me which one 
> if you did.
> > 
> > Your group members are correct ?
> > # *( im running debian 9 ) an i have these configured.
> > mtagroup:x:1001:clamav,Debian-exim,postfix,mail,www-data
> > clamav:x:119:postfix,www-data
> > opendkim:x:122:postfix
> > 
> > 
> > And can you post a more complete mail.log, if needed, pm it 
> to me or 
> > anonimize it here needed.
> > Preffered from the time frame, when you try to send your 
> the message.
> > 
> > I still say its your antivirus, if you did not remove the 
> old messages 
> > from your queue.
> > And now its not working because postfix/mailscanner try to 
> deliver to 
> > clamd and thats turned of.
> > 
> > If the AV is off then why is you log showing the av scanner?
> > Your disk it not full?
> > 
> > If upgrade my debian 7 + mailscanner 4.7x to debian 9 + mailscanner.
> > I also reused my settings.
> > I'll try to find if i can seen what i changed ( if so ), that was 
> > months ago..
> > 
> > 
> > Greetz,
> > 
> > Louis
> > 
> > > -----Oorspronkelijk bericht-----
> > > Van: DobriL Dobrilov [mailto:dobril at stanga.net]
> > > Verzonden: maandag 6 augustus 2018 14:53
> > > Aan: 'MailScanner Discussion'
> > > CC: 'L.P.H. van Belle'
> > > Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> > > 
> > > AV scan is off , something else cause the issue.
> > > 
> > > 
> > > Dobril Dobrilov
> > > IT Manager
> > > dobril at stanga.net
> > > 
> > > 
> > > 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> > > Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> > > Mobile: +359 878 749 387
> > > 
> > > 
> > > We shape Digital www.stanga.net
> > > 
> > > We re-invent Video www.bsbvision.com
> > > 
> > > We build Apps www.shanga.co
> > > 
> > > We support Start-Ups www.mysbar.net
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: MailScanner
> > > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > > r.info] On
> > > Behalf Of L.P.H. van Belle via MailScanner
> > > Sent: Monday, August 6, 2018 3:45 PM
> > > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > > Cc: L.P.H. van Belle <belle at bazuin.nl>
> > > Subject: RE: MailScanner: Message attempted to kill MailScanner
> > > 
> > > Are you using Yara rules or other clamav unoffical databases.
> > > Remove these, restart clamav and try again.
> > > 
> > > You might have a bad clamav database file.
> > > 
> > > Greetz,
> > > 
> > > Louis
> > > 
> > > > -----Oorspronkelijk bericht-----
> > > > Van: MailScanner
> > > > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> > > > info] Namens Antony Stone
> > > > Verzonden: maandag 6 augustus 2018 14:23
> > > > Aan: MailScanner Discussion
> > > > Onderwerp: Re: MailScanner: Message attempted to kill 
> MailScanner
> > > > 
> > > > On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> > > > > Until now the Mail Server was with old postfix and
> > > > 
> > > > MailScanner 4.79. I
> > > > 
> > > > > migrated to new server with MailScanner 5.0.7. MS config
> > > 
> > > is same as
> > > 
> > > > > before.
> > > > 
> > > > Maybe someone with more knowledge than of any configuration 
> > > > differences ebtween those version can comment on just
> > > 
> > > keeping the same
> > > 
> > > > configuration file...
> > > > 
> > > > > From webmail I can send messages out of my domain without
> > > 
> > > problems.
> > > 
> > > > So, what *does* cause the problem?
> > > > 
> > > > Your original email said "All emails sent from my 
> webmail to same 
> > > > domain cannot be processes by mailscanner."
> > > > 
> > > > > Msg from webmail
> > > > > Received: from mail.stanga.net (localhost [IPv6:::1])
> > > > > 
> > > > >      by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
> > > > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37
> > > 
> > > +0300 (EEST)
> > > 
> > > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > > 
> > > > d=stanga.net; s=mail;
> > > > 
> > > > >      t=1533555217;
> > > 
> > > bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
> > > 
> > > > >      h=Date:From:To:Subject;
> > > > 
> > > > 
> b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwY
> > > > F
> > > > 
> > > > 
> YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
> > > > 
> > > > >       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> > > > > 
> > > > > MIME-Version: 1.0
> > > > > Content-Type: multipart/alternative; 
> > > > > boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> > > > > Date: Mon, 06 Aug 2018 14:33:37 +0300
> > > > > From: Dobril Dobrilov <dobril at stanga.net>
> > > > > To: dobril at stanga.net
> > > > > Subject: Test2
> > > > > Organization: StangaOne1
> > > > > Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
> > > > > X-Sender: dobril at stanga.net
> > > > > User-Agent: Roundcube Webmail/1.3.7
> > > > > 
> > > > > Msg from Mail Client
> > > > > Received: from DL (unknown [192.168.0.222])
> > > > > 
> > > > >      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> > > > 
> > > > (256/256 bits))
> > > > 
> > > > >      (No client certificate requested)
> > > > >      by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
> > > > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28
> > > 
> > > +0300 (EEST)
> > > 
> > > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > > 
> > > > d=stanga.net; s=mail;
> > > > 
> > > > >      t=1533557488;
> > > 
> > > bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
> > > 
> > > > >      h=From:To:Subject:Date;
> > > > 
> > > > 
> b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJp
> > > > N
> > > > 
> > > > 
> FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
> > > > 
> > > > >       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> > > > > 
> > > > > From: "DobriL Dobrilov" <dobril at stanga.net>
> > > > > To: "'DobriL Dobrilov'" <dobril at stanga.net>
> > > > > Subject: Test
> > > > > Date: Mon, 6 Aug 2018 15:11:34 +0300
> > > > > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
> > > > > MIME-Version: 1.0
> > > > > Content-Type: multipart/mixed;
> > > > > 
> > > > >      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> > > > > 
> > > > > X-Mailer: Microsoft Outlook 16.0
> > > > > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> > > > > Content-Language: bg
> > > > 
> > > > > X-MS-TNEF-Correlator:
> > > > 000000005234E38E73D4914094E5D7D34B79F6A564F78F00
> > > > 
> > > > Is one of the above emails an example which causes the
> > > 
> > > problem and the
> > > 
> > > > other an example which does not cause the problem (if so,
> > > 
> > > which one is
> > > 
> > > > which)?
> > > > 
> > > > Or are both the above emails examples which do not cause
> > > 
> > > the problem
> > > 
> > > > (in which case please send us the headers from one which does 
> > > > cause the problem)?
> > > > 
> > > > 
> > > > Regards,
> > > > 
> > > > 
> > > > Antony.
> > > > 
> > > > > -----Original Message-----
> > > > > From: MailScanner
> > > > 
> > > > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > > > r.info] On
> > > > 
> > > > > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> > > > > To: MailScanner Discussion 
> <mailscanner at lists.mailscanner.info>
> > > > > Subject: Re: MailScanner: Message attempted to kill 
> MailScanner
> > > > > 
> > > > > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > > > > > Some other ideas, because unfortunately this Live system
> > > > 
> > > > and It's very
> > > > 
> > > > > > critical ?
> > > > > 
> > > > > When did the problem start happening?
> > > > > 
> > > > > What changed on the MS server around that time?
> > > > > 
> > > > > Can you show us full headers of an example email from
> > > > 
> > > > webmail (which MS
> > > > 
> > > > > can't process) and another one to and from the same
> > > > 
> > > > addresses, but not
> > > > 
> > > > > from webmail (which MS processes okay)?
> > > > > 
> > > > > Antony
> > > > 
> > > > --
> > > > Neurotics build castles in the sky; Psychotics live in them; 
> > > > Psychiatrists collect the rent.
> > > > 
> > > >                                                    
> Please reply to
> > > > 
> > > > the list;
> > > > 
> > > > please *don't* CC me.
> > > > 
> > > > 
> > > > --
> > > > MailScanner mailing list
> > > > mailscanner at lists.mailscanner.info
> > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > > 
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > 
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 


From dobril at stanga.net  Mon Aug  6 15:16:57 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Mon, 6 Aug 2018 18:16:57 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <vmime.5b6864e7.696.697185129bd6dd7@ms249-lin-003.rotterdam.bazuin.nl>
References: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
 <vmime.5b6864e7.696.697185129bd6dd7@ms249-lin-003.rotterdam.bazuin.nl>
Message-ID: <002401d42d98$842d57b0$8c880710$@stanga.net>

Thank you for the hint.
I find what exactly cause my issue with Webmail.
During the Webmail upgrade , somehow disappeared $config['smtp_server'] =
'mail.stanga.net'; from the config file...
I found it after install 2nd Webmail to test.....
Although is very strange how the Webmail managed to send messages to foreign
hosts.

Sorry for disturbing all of you for this.



Dobril Dobrilov
IT Manager
dobril at stanga.net


43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387


We shape Digital?www.stanga.net

We re-invent Video?www.bsbvision.com

We build Apps?www.shanga.co

We support Start-Ups?www.mysbar.net




-----Original Message-----
From: MailScanner
[mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On
Behalf Of L.P.H. van Belle via MailScanner
Sent: Monday, August 6, 2018 6:11 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc: L.P.H. van Belle <belle at bazuin.nl>
Subject: RE: MailScanner: Message attempted to kill MailScanner

You webserver is not "localhost"... Pointing to : from mail.stanga.net
(localhost [IPv6:::1]) Choose... 

By example. cat /etc/hosts 
127.0.0.1      localhost
194.124.193.23 mail.domain.tld
192.168.1.1	   mail.internal.domain.tld mail


# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Just beware when you change it, you might hit more, but if you fix  that all
your ok for the futere. 
Imo. Your resolving is giving the problems. 


Greetz, 

Louis

 

> -----Oorspronkelijk bericht-----
> Van: MailScanner
> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
info] Namens DobriL Dobrilov
> Verzonden: maandag 6 augustus 2018 16:44
> Aan: 'MailScanner Discussion'
> Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> 
> Webmail
> ------------
> Received: from mail.stanga.net (localhost [IPv6:::1])
> 	by mail.stanga.net (Postfix) with ESMTPA id 5772D62C57
> 	for <dobril at stanga.net>; Mon,  6 Aug 2018 14:52:00 +0300 (EEST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; 
> s=mail;
> 	t=1533556320; bh=4I/hR/SP5y+TSO6ckrsWbUfz/ulzfgg21OOLy4t7Qcw=;
> 	h=Date:From:To:Subject:Reply-To;
> 	
> b=LHHTCrdhwEuGskWyqw0sWd1Km3VgyVhuTGiQ+b00rQmMg5EoEvx0ro12ob/zWes9m
> 	 
> jtgr30krr1OkHUcBPXOoYUyCDOzLU3VwKUjYO8mX2L1C3ZCZsvgFkbjtP7QbrIHzM6
> 	 EsRQn070GPV/w75A43jCSxetrKKtM6se6osKZvaM=
> MIME-Version: 1.0
> Content-Type: text/plain; charset=US-ASCII;  format=flowed
> Content-Transfer-Encoding: 7bit
> Date: Mon, 06 Aug 2018 14:52:00 +0300
> From: Dobril Dobrilov <dobril at stanga.net>
> To: dobril at stanga.net
> Subject: AAA
> Organization: StangaOne1
> Reply-To: dobril at stanga.net
> Mail-Reply-To: dobril at stanga.net
> Message-ID: <8e5ddc58218e715f2ec6286fe0b60f03 at stanga.net>
> X-Sender: dobril at stanga.net
> User-Agent: Roundcube Webmail/1.3.7
> 
> 
> Outlook
> ------------
> Return-Path: <dobril at stanga.net>
> X-Original-To: dobril at stanga.net
> Delivered-To: dobril at stanga.net
> Received: from DL (unknown [192.168.0.222])
> 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
> bits))
> 	(No client certificate requested)
> 	by mail.stanga.net (Postfix) with ESMTPSA id D6F6D62C8E
> 	for <dobril at stanga.net>; Mon,  6 Aug 2018 17:42:45 +0300 (EEST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net; 
> s=mail;
> 	t=1533566565; bh=1ooy+DYxraTnYWXxssyteq3EYaC5wdAbrolTC0mL5bA=;
> 	h=From:To:Subject:Date;
> 	
> b=XZzNLHycLcbdsjqXFtWJT96Q0lPhhtOS/+ZGIZpVWNfu68gw1nFHitcIUfV5zGCk2
> 	 
> L419FGzTaLO9GiE1pAGnzruH5dh1BCHU+9AxLu3rB3oijr2BOEXeltH1TREFq4E0f+
> 	 erOPUx3jdywpL6vJFLR2YixmUfIrdLScxOTcUKk0=
> From: "DobriL Dobrilov" <dobril at stanga.net>
> To: "'DobriL Dobrilov'" <dobril at stanga.net>
> Subject: Test
> Date: Mon, 6 Aug 2018 17:42:52 +0300
> Message-ID: <001701d42d93$c0ff3460$42fd9d20$@stanga.net>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> 	boundary="----=_NextPart_000_0018_01D42DAC.E64C6C60"
> X-Mailer: Microsoft Outlook 16.0
> Thread-Index: AdQtk77S62N7R+6qQV66SqVGhFQY4A==
> Content-Language: bg
> X-MS-TNEF-Correlator: 000000005234E38E73D4914094E5D7D34B79F6A504FD8F00
> X-Stanga-MailScanner-Information: Please contact the ISP for more 
> information
> X-Stanga-MailScanner-ID: D6F6D62C8E.AB5F9
> X-Stanga-MailScanner: Not scanned: please contact your Internet E-Mail 
> Service Provider for details
> X-Stanga-MailScanner-SpamCheck: not spam (whitelisted),
> 	SpamAssassin (not cached, score=-99.887, required 5,
> 	ALL_TRUSTED -1.00, DKIM_SIGNED 0.10, DKIM_VALID -0.10,
> 	DKIM_VALID_AU -0.10, TVD_RCVD_SINGLE 1.21,
> 	USER_IN_WHITELIST -100.00)
> X-Stanga-MailScanner-From: dobril at stanga.net
> X-Spam-Status: No
> X-EsetId: 37303A2960736C61677D6A
> 
> 
> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
r.info] On
> Behalf Of Antony Stone
> Sent: Monday, August 6, 2018 5:18 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: MailScanner: Message attempted to kill MailScanner
> 
> On Monday 06 August 2018 at 16:14:39, DobriL Dobrilov wrote:
> 
> > Definitely this is something related only to my webmail and
> only when
> > I send emails to the same domain. I can send same message
> without any
> > issue if I'm using outlook or other mail client.
> > I can send messages from Webmail to all external domain
> without problem.
> > All thing mean that the problem cannot be disk space , ram or bad 
> > permissions. echo Test |mail dobril at stanga.net , from the
> same server
> > deliver messages without problem.
> 
> Can you show us full headers of an example email from webmail (which 
> MS can't
> process) and another one to and from the same addresses, but not from 
> webmail (which MS processes okay)?
> 
> Antony.
> 
> > -----Original Message-----
> > From: MailScanner
> > 
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info]
> > On Behalf Of L.P.H. van Belle via MailScanner
> > Sent: Monday, August 6, 2018 4:22 PM
> > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > Cc: L.P.H. van Belle <belle at bazuin.nl>
> > Subject: RE: MailScanner: Message attempted to kill MailScanner
> > 
> > Hai,
> > 
> > What is the os your running?
> > That might help me a bit.
> > 
> > Did you follow a site for this upgrade, show me which one
> if you did.
> > 
> > Your group members are correct ?
> > # *( im running debian 9 ) an i have these configured.
> > mtagroup:x:1001:clamav,Debian-exim,postfix,mail,www-data
> > clamav:x:119:postfix,www-data
> > opendkim:x:122:postfix
> > 
> > 
> > And can you post a more complete mail.log, if needed, pm it
> to me or
> > anonimize it here needed.
> > Preffered from the time frame, when you try to send your
> the message.
> > 
> > I still say its your antivirus, if you did not remove the
> old messages
> > from your queue.
> > And now its not working because postfix/mailscanner try to
> deliver to
> > clamd and thats turned of.
> > 
> > If the AV is off then why is you log showing the av scanner?
> > Your disk it not full?
> > 
> > If upgrade my debian 7 + mailscanner 4.7x to debian 9 + mailscanner.
> > I also reused my settings.
> > I'll try to find if i can seen what i changed ( if so ), that was 
> > months ago..
> > 
> > 
> > Greetz,
> > 
> > Louis
> > 
> > > -----Oorspronkelijk bericht-----
> > > Van: DobriL Dobrilov [mailto:dobril at stanga.net]
> > > Verzonden: maandag 6 augustus 2018 14:53
> > > Aan: 'MailScanner Discussion'
> > > CC: 'L.P.H. van Belle'
> > > Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> > > 
> > > AV scan is off , something else cause the issue.
> > > 
> > > 
> > > Dobril Dobrilov
> > > IT Manager
> > > dobril at stanga.net
> > > 
> > > 
> > > 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> > > Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> > > Mobile: +359 878 749 387
> > > 
> > > 
> > > We shape Digital www.stanga.net
> > > 
> > > We re-invent Video www.bsbvision.com
> > > 
> > > We build Apps www.shanga.co
> > > 
> > > We support Start-Ups www.mysbar.net
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: MailScanner
> > > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > > r.info] On
> > > Behalf Of L.P.H. van Belle via MailScanner
> > > Sent: Monday, August 6, 2018 3:45 PM
> > > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > > Cc: L.P.H. van Belle <belle at bazuin.nl>
> > > Subject: RE: MailScanner: Message attempted to kill MailScanner
> > > 
> > > Are you using Yara rules or other clamav unoffical databases.
> > > Remove these, restart clamav and try again.
> > > 
> > > You might have a bad clamav database file.
> > > 
> > > Greetz,
> > > 
> > > Louis
> > > 
> > > > -----Oorspronkelijk bericht-----
> > > > Van: MailScanner
> > > > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> > > > info] Namens Antony Stone
> > > > Verzonden: maandag 6 augustus 2018 14:23
> > > > Aan: MailScanner Discussion
> > > > Onderwerp: Re: MailScanner: Message attempted to kill
> MailScanner
> > > > 
> > > > On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> > > > > Until now the Mail Server was with old postfix and
> > > > 
> > > > MailScanner 4.79. I
> > > > 
> > > > > migrated to new server with MailScanner 5.0.7. MS config
> > > 
> > > is same as
> > > 
> > > > > before.
> > > > 
> > > > Maybe someone with more knowledge than of any configuration 
> > > > differences ebtween those version can comment on just
> > > 
> > > keeping the same
> > > 
> > > > configuration file...
> > > > 
> > > > > From webmail I can send messages out of my domain without
> > > 
> > > problems.
> > > 
> > > > So, what *does* cause the problem?
> > > > 
> > > > Your original email said "All emails sent from my
> webmail to same
> > > > domain cannot be processes by mailscanner."
> > > > 
> > > > > Msg from webmail
> > > > > Received: from mail.stanga.net (localhost [IPv6:::1])
> > > > > 
> > > > >      by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
> > > > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37
> > > 
> > > +0300 (EEST)
> > > 
> > > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > > 
> > > > d=stanga.net; s=mail;
> > > > 
> > > > >      t=1533555217;
> > > 
> > > bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
> > > 
> > > > >      h=Date:From:To:Subject;
> > > > 
> > > > 
> b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwY
> > > > F
> > > > 
> > > > 
> YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
> > > > 
> > > > >       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> > > > > 
> > > > > MIME-Version: 1.0
> > > > > Content-Type: multipart/alternative; 
> > > > > boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> > > > > Date: Mon, 06 Aug 2018 14:33:37 +0300
> > > > > From: Dobril Dobrilov <dobril at stanga.net>
> > > > > To: dobril at stanga.net
> > > > > Subject: Test2
> > > > > Organization: StangaOne1
> > > > > Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
> > > > > X-Sender: dobril at stanga.net
> > > > > User-Agent: Roundcube Webmail/1.3.7
> > > > > 
> > > > > Msg from Mail Client
> > > > > Received: from DL (unknown [192.168.0.222])
> > > > > 
> > > > >      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> > > > 
> > > > (256/256 bits))
> > > > 
> > > > >      (No client certificate requested)
> > > > >      by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
> > > > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28
> > > 
> > > +0300 (EEST)
> > > 
> > > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > > 
> > > > d=stanga.net; s=mail;
> > > > 
> > > > >      t=1533557488;
> > > 
> > > bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
> > > 
> > > > >      h=From:To:Subject:Date;
> > > > 
> > > > 
> b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJp
> > > > N
> > > > 
> > > > 
> FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
> > > > 
> > > > >       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> > > > > 
> > > > > From: "DobriL Dobrilov" <dobril at stanga.net>
> > > > > To: "'DobriL Dobrilov'" <dobril at stanga.net>
> > > > > Subject: Test
> > > > > Date: Mon, 6 Aug 2018 15:11:34 +0300
> > > > > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
> > > > > MIME-Version: 1.0
> > > > > Content-Type: multipart/mixed;
> > > > > 
> > > > >      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> > > > > 
> > > > > X-Mailer: Microsoft Outlook 16.0
> > > > > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> > > > > Content-Language: bg
> > > > 
> > > > > X-MS-TNEF-Correlator:
> > > > 000000005234E38E73D4914094E5D7D34B79F6A564F78F00
> > > > 
> > > > Is one of the above emails an example which causes the
> > > 
> > > problem and the
> > > 
> > > > other an example which does not cause the problem (if so,
> > > 
> > > which one is
> > > 
> > > > which)?
> > > > 
> > > > Or are both the above emails examples which do not cause
> > > 
> > > the problem
> > > 
> > > > (in which case please send us the headers from one which does 
> > > > cause the problem)?
> > > > 
> > > > 
> > > > Regards,
> > > > 
> > > > 
> > > > Antony.
> > > > 
> > > > > -----Original Message-----
> > > > > From: MailScanner
> > > > 
> > > > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > > > r.info] On
> > > > 
> > > > > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> > > > > To: MailScanner Discussion
> <mailscanner at lists.mailscanner.info>
> > > > > Subject: Re: MailScanner: Message attempted to kill
> MailScanner
> > > > > 
> > > > > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > > > > > Some other ideas, because unfortunately this Live system
> > > > 
> > > > and It's very
> > > > 
> > > > > > critical ?
> > > > > 
> > > > > When did the problem start happening?
> > > > > 
> > > > > What changed on the MS server around that time?
> > > > > 
> > > > > Can you show us full headers of an example email from
> > > > 
> > > > webmail (which MS
> > > > 
> > > > > can't process) and another one to and from the same
> > > > 
> > > > addresses, but not
> > > > 
> > > > > from webmail (which MS processes okay)?
> > > > > 
> > > > > Antony
> > > > 
> > > > --
> > > > Neurotics build castles in the sky; Psychotics live in them; 
> > > > Psychiatrists collect the rent.
> > > > 
> > > >                                                    
> Please reply to
> > > > 
> > > > the list;
> > > > 
> > > > please *don't* CC me.
> > > > 
> > > > 
> > > > --
> > > > MailScanner mailing list
> > > > mailscanner at lists.mailscanner.info
> > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > > 
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > 
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 



--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner


From iversons at rushville.k12.in.us  Mon Aug  6 21:51:47 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 6 Aug 2018 17:51:47 -0400
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <002401d42d98$842d57b0$8c880710$@stanga.net>
References: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
 <vmime.5b6864e7.696.697185129bd6dd7@ms249-lin-003.rotterdam.bazuin.nl>
 <002401d42d98$842d57b0$8c880710$@stanga.net>
Message-ID: <CABu_8zL6+QJGFHHcBYkDw27vnWuriGi9gKky5Ungq1S+SG0DYQ@mail.gmail.com>

Was this the root cause of the issue?

(sorry been a very busy day)

On Mon, Aug 6, 2018 at 11:16 AM, DobriL Dobrilov <dobril at stanga.net> wrote:

> Thank you for the hint.
> I find what exactly cause my issue with Webmail.
> During the Webmail upgrade , somehow disappeared $config['smtp_server'] =
> 'mail.stanga.net'; from the config file...
> I found it after install 2nd Webmail to test.....
> Although is very strange how the Webmail managed to send messages to
> foreign
> hosts.
>
> Sorry for disturbing all of you for this.
>
>
>
> Dobril Dobrilov
> IT Manager
> dobril at stanga.net
>
>
> 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> Mobile: +359 878 749 387
>
>
> We shape Digital www.stanga.net
>
> We re-invent Video www.bsbvision.com
>
> We build Apps www.shanga.co
>
> We support Start-Ups www.mysbar.net
>
>
>
>
> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On
> Behalf Of L.P.H. van Belle via MailScanner
> Sent: Monday, August 6, 2018 6:11 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Cc: L.P.H. van Belle <belle at bazuin.nl>
> Subject: RE: MailScanner: Message attempted to kill MailScanner
>
> You webserver is not "localhost"... Pointing to : from mail.stanga.net
> (localhost [IPv6:::1]) Choose...
>
> By example. cat /etc/hosts
> 127.0.0.1      localhost
> 194.124.193.23 mail.domain.tld
> 192.168.1.1        mail.internal.domain.tld mail
>
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> Just beware when you change it, you might hit more, but if you fix  that
> all
> your ok for the futere.
> Imo. Your resolving is giving the problems.
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: MailScanner
> > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> info] Namens DobriL Dobrilov
> > Verzonden: maandag 6 augustus 2018 16:44
> > Aan: 'MailScanner Discussion'
> > Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> >
> > Webmail
> > ------------
> > Received: from mail.stanga.net (localhost [IPv6:::1])
> >       by mail.stanga.net (Postfix) with ESMTPA id 5772D62C57
> >       for <dobril at stanga.net>; Mon,  6 Aug 2018 14:52:00 +0300 (EEST)
> > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net;
> > s=mail;
> >       t=1533556320; bh=4I/hR/SP5y+TSO6ckrsWbUfz/ulzfgg21OOLy4t7Qcw=;
> >       h=Date:From:To:Subject:Reply-To;
> >
> > b=LHHTCrdhwEuGskWyqw0sWd1Km3VgyVhuTGiQ+b00rQmMg5EoEvx0ro12ob/zWes9m
> >
> > jtgr30krr1OkHUcBPXOoYUyCDOzLU3VwKUjYO8mX2L1C3ZCZsvgFkbjtP7QbrIHzM6
> >        EsRQn070GPV/w75A43jCSxetrKKtM6se6osKZvaM=
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset=US-ASCII;  format=flowed
> > Content-Transfer-Encoding: 7bit
> > Date: Mon, 06 Aug 2018 14:52:00 +0300
> > From: Dobril Dobrilov <dobril at stanga.net>
> > To: dobril at stanga.net
> > Subject: AAA
> > Organization: StangaOne1
> > Reply-To: dobril at stanga.net
> > Mail-Reply-To: dobril at stanga.net
> > Message-ID: <8e5ddc58218e715f2ec6286fe0b60f03 at stanga.net>
> > X-Sender: dobril at stanga.net
> > User-Agent: Roundcube Webmail/1.3.7
> >
> >
> > Outlook
> > ------------
> > Return-Path: <dobril at stanga.net>
> > X-Original-To: dobril at stanga.net
> > Delivered-To: dobril at stanga.net
> > Received: from DL (unknown [192.168.0.222])
> >       (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
> > bits))
> >       (No client certificate requested)
> >       by mail.stanga.net (Postfix) with ESMTPSA id D6F6D62C8E
> >       for <dobril at stanga.net>; Mon,  6 Aug 2018 17:42:45 +0300 (EEST)
> > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net;
> > s=mail;
> >       t=1533566565; bh=1ooy+DYxraTnYWXxssyteq3EYaC5wdAbrolTC0mL5bA=;
> >       h=From:To:Subject:Date;
> >
> > b=XZzNLHycLcbdsjqXFtWJT96Q0lPhhtOS/+ZGIZpVWNfu68gw1nFHitcIUfV5zGCk2
> >
> > L419FGzTaLO9GiE1pAGnzruH5dh1BCHU+9AxLu3rB3oijr2BOEXeltH1TREFq4E0f+
> >        erOPUx3jdywpL6vJFLR2YixmUfIrdLScxOTcUKk0=
> > From: "DobriL Dobrilov" <dobril at stanga.net>
> > To: "'DobriL Dobrilov'" <dobril at stanga.net>
> > Subject: Test
> > Date: Mon, 6 Aug 2018 17:42:52 +0300
> > Message-ID: <001701d42d93$c0ff3460$42fd9d20$@stanga.net>
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> >       boundary="----=_NextPart_000_0018_01D42DAC.E64C6C60"
> > X-Mailer: Microsoft Outlook 16.0
> > Thread-Index: AdQtk77S62N7R+6qQV66SqVGhFQY4A==
> > Content-Language: bg
> > X-MS-TNEF-Correlator: 000000005234E38E73D4914094E5D7D34B79F6A504FD8F00
> > X-Stanga-MailScanner-Information: Please contact the ISP for more
> > information
> > X-Stanga-MailScanner-ID: D6F6D62C8E.AB5F9
> > X-Stanga-MailScanner: Not scanned: please contact your Internet E-Mail
> > Service Provider for details
> > X-Stanga-MailScanner-SpamCheck: not spam (whitelisted),
> >       SpamAssassin (not cached, score=-99.887, required 5,
> >       ALL_TRUSTED -1.00, DKIM_SIGNED 0.10, DKIM_VALID -0.10,
> >       DKIM_VALID_AU -0.10, TVD_RCVD_SINGLE 1.21,
> >       USER_IN_WHITELIST -100.00)
> > X-Stanga-MailScanner-From: dobril at stanga.net
> > X-Spam-Status: No
> > X-EsetId: 37303A2960736C61677D6A
> >
> >
> > -----Original Message-----
> > From: MailScanner
> > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> r.info] On
> > Behalf Of Antony Stone
> > Sent: Monday, August 6, 2018 5:18 PM
> > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > Subject: Re: MailScanner: Message attempted to kill MailScanner
> >
> > On Monday 06 August 2018 at 16:14:39, DobriL Dobrilov wrote:
> >
> > > Definitely this is something related only to my webmail and
> > only when
> > > I send emails to the same domain. I can send same message
> > without any
> > > issue if I'm using outlook or other mail client.
> > > I can send messages from Webmail to all external domain
> > without problem.
> > > All thing mean that the problem cannot be disk space , ram or bad
> > > permissions. echo Test |mail dobril at stanga.net , from the
> > same server
> > > deliver messages without problem.
> >
> > Can you show us full headers of an example email from webmail (which
> > MS can't
> > process) and another one to and from the same addresses, but not from
> > webmail (which MS processes okay)?
> >
> > Antony.
> >
> > > -----Original Message-----
> > > From: MailScanner
> > >
> > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info]
> > > On Behalf Of L.P.H. van Belle via MailScanner
> > > Sent: Monday, August 6, 2018 4:22 PM
> > > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > > Cc: L.P.H. van Belle <belle at bazuin.nl>
> > > Subject: RE: MailScanner: Message attempted to kill MailScanner
> > >
> > > Hai,
> > >
> > > What is the os your running?
> > > That might help me a bit.
> > >
> > > Did you follow a site for this upgrade, show me which one
> > if you did.
> > >
> > > Your group members are correct ?
> > > # *( im running debian 9 ) an i have these configured.
> > > mtagroup:x:1001:clamav,Debian-exim,postfix,mail,www-data
> > > clamav:x:119:postfix,www-data
> > > opendkim:x:122:postfix
> > >
> > >
> > > And can you post a more complete mail.log, if needed, pm it
> > to me or
> > > anonimize it here needed.
> > > Preffered from the time frame, when you try to send your
> > the message.
> > >
> > > I still say its your antivirus, if you did not remove the
> > old messages
> > > from your queue.
> > > And now its not working because postfix/mailscanner try to
> > deliver to
> > > clamd and thats turned of.
> > >
> > > If the AV is off then why is you log showing the av scanner?
> > > Your disk it not full?
> > >
> > > If upgrade my debian 7 + mailscanner 4.7x to debian 9 + mailscanner.
> > > I also reused my settings.
> > > I'll try to find if i can seen what i changed ( if so ), that was
> > > months ago..
> > >
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > > > -----Oorspronkelijk bericht-----
> > > > Van: DobriL Dobrilov [mailto:dobril at stanga.net]
> > > > Verzonden: maandag 6 augustus 2018 14:53
> > > > Aan: 'MailScanner Discussion'
> > > > CC: 'L.P.H. van Belle'
> > > > Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> > > >
> > > > AV scan is off , something else cause the issue.
> > > >
> > > >
> > > > Dobril Dobrilov
> > > > IT Manager
> > > > dobril at stanga.net
> > > >
> > > >
> > > > 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> > > > Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> > > > Mobile: +359 878 749 387
> > > >
> > > >
> > > > We shape Digital www.stanga.net
> > > >
> > > > We re-invent Video www.bsbvision.com
> > > >
> > > > We build Apps www.shanga.co
> > > >
> > > > We support Start-Ups www.mysbar.net
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: MailScanner
> > > > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > > > r.info] On
> > > > Behalf Of L.P.H. van Belle via MailScanner
> > > > Sent: Monday, August 6, 2018 3:45 PM
> > > > To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> > > > Cc: L.P.H. van Belle <belle at bazuin.nl>
> > > > Subject: RE: MailScanner: Message attempted to kill MailScanner
> > > >
> > > > Are you using Yara rules or other clamav unoffical databases.
> > > > Remove these, restart clamav and try again.
> > > >
> > > > You might have a bad clamav database file.
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > > > -----Oorspronkelijk bericht-----
> > > > > Van: MailScanner
> > > > > [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
> > > > > info] Namens Antony Stone
> > > > > Verzonden: maandag 6 augustus 2018 14:23
> > > > > Aan: MailScanner Discussion
> > > > > Onderwerp: Re: MailScanner: Message attempted to kill
> > MailScanner
> > > > >
> > > > > On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> > > > > > Until now the Mail Server was with old postfix and
> > > > >
> > > > > MailScanner 4.79. I
> > > > >
> > > > > > migrated to new server with MailScanner 5.0.7. MS config
> > > >
> > > > is same as
> > > >
> > > > > > before.
> > > > >
> > > > > Maybe someone with more knowledge than of any configuration
> > > > > differences ebtween those version can comment on just
> > > >
> > > > keeping the same
> > > >
> > > > > configuration file...
> > > > >
> > > > > > From webmail I can send messages out of my domain without
> > > >
> > > > problems.
> > > >
> > > > > So, what *does* cause the problem?
> > > > >
> > > > > Your original email said "All emails sent from my
> > webmail to same
> > > > > domain cannot be processes by mailscanner."
> > > > >
> > > > > > Msg from webmail
> > > > > > Received: from mail.stanga.net (localhost [IPv6:::1])
> > > > > >
> > > > > >      by mail.stanga.net (Postfix) with ESMTPA id 8990B62C7F
> > > > > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 14:33:37
> > > >
> > > > +0300 (EEST)
> > > >
> > > > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > > >
> > > > > d=stanga.net; s=mail;
> > > > >
> > > > > >      t=1533555217;
> > > >
> > > > bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
> > > >
> > > > > >      h=Date:From:To:Subject;
> > > > >
> > > > >
> > b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwY
> > > > > F
> > > > >
> > > > >
> > YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
> > > > >
> > > > > >       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> > > > > >
> > > > > > MIME-Version: 1.0
> > > > > > Content-Type: multipart/alternative;
> > > > > > boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> > > > > > Date: Mon, 06 Aug 2018 14:33:37 +0300
> > > > > > From: Dobril Dobrilov <dobril at stanga.net>
> > > > > > To: dobril at stanga.net
> > > > > > Subject: Test2
> > > > > > Organization: StangaOne1
> > > > > > Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net>
> > > > > > X-Sender: dobril at stanga.net
> > > > > > User-Agent: Roundcube Webmail/1.3.7
> > > > > >
> > > > > > Msg from Mail Client
> > > > > > Received: from DL (unknown [192.168.0.222])
> > > > > >
> > > > > >      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> > > > >
> > > > > (256/256 bits))
> > > > >
> > > > > >      (No client certificate requested)
> > > > > >      by mail.stanga.net (Postfix) with ESMTPSA id CB1BD62C84
> > > > > >      for <dobril at stanga.net>; Mon, 6 Aug 2018 15:11:28
> > > >
> > > > +0300 (EEST)
> > > >
> > > > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > > >
> > > > > d=stanga.net; s=mail;
> > > > >
> > > > > >      t=1533557488;
> > > >
> > > > bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
> > > >
> > > > > >      h=From:To:Subject:Date;
> > > > >
> > > > >
> > b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJp
> > > > > N
> > > > >
> > > > >
> > FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
> > > > >
> > > > > >       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> > > > > >
> > > > > > From: "DobriL Dobrilov" <dobril at stanga.net>
> > > > > > To: "'DobriL Dobrilov'" <dobril at stanga.net>
> > > > > > Subject: Test
> > > > > > Date: Mon, 6 Aug 2018 15:11:34 +0300
> > > > > > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net>
> > > > > > MIME-Version: 1.0
> > > > > > Content-Type: multipart/mixed;
> > > > > >
> > > > > >      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> > > > > >
> > > > > > X-Mailer: Microsoft Outlook 16.0
> > > > > > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> > > > > > Content-Language: bg
> > > > >
> > > > > > X-MS-TNEF-Correlator:
> > > > > 000000005234E38E73D4914094E5D7D34B79F6A564F78F00
> > > > >
> > > > > Is one of the above emails an example which causes the
> > > >
> > > > problem and the
> > > >
> > > > > other an example which does not cause the problem (if so,
> > > >
> > > > which one is
> > > >
> > > > > which)?
> > > > >
> > > > > Or are both the above emails examples which do not cause
> > > >
> > > > the problem
> > > >
> > > > > (in which case please send us the headers from one which does
> > > > > cause the problem)?
> > > > >
> > > > >
> > > > > Regards,
> > > > >
> > > > >
> > > > > Antony.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: MailScanner
> > > > >
> > > > > [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanne
> > > > > r.info] On
> > > > >
> > > > > > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> > > > > > To: MailScanner Discussion
> > <mailscanner at lists.mailscanner.info>
> > > > > > Subject: Re: MailScanner: Message attempted to kill
> > MailScanner
> > > > > >
> > > > > > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > > > > > > Some other ideas, because unfortunately this Live system
> > > > >
> > > > > and It's very
> > > > >
> > > > > > > critical ?
> > > > > >
> > > > > > When did the problem start happening?
> > > > > >
> > > > > > What changed on the MS server around that time?
> > > > > >
> > > > > > Can you show us full headers of an example email from
> > > > >
> > > > > webmail (which MS
> > > > >
> > > > > > can't process) and another one to and from the same
> > > > >
> > > > > addresses, but not
> > > > >
> > > > > > from webmail (which MS processes okay)?
> > > > > >
> > > > > > Antony
> > > > >
> > > > > --
> > > > > Neurotics build castles in the sky; Psychotics live in them;
> > > > > Psychiatrists collect the rent.
> > > > >
> > > > >
> > Please reply to
> > > > >
> > > > > the list;
> > > > >
> > > > > please *don't* CC me.
> > > > >
> > > > >
> > > > > --
> > > > > MailScanner mailing list
> > > > > mailscanner at lists.mailscanner.info
> > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > > >
> > > > --
> > > > MailScanner mailing list
> > > > mailscanner at lists.mailscanner.info
> > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> >
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> >
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>


-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180806/e47e0347/attachment.html>

From dobril at stanga.net  Tue Aug  7 05:27:59 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Tue, 7 Aug 2018 08:27:59 +0300
Subject: MailScanner: Message attempted to kill MailScanner
In-Reply-To: <CABu_8zL6+QJGFHHcBYkDw27vnWuriGi9gKky5Ungq1S+SG0DYQ@mail.gmail.com>
References: <201808061617.54939.Antony.Stone@mailscanner.open.source.it>
 <vmime.5b6864e7.696.697185129bd6dd7@ms249-lin-003.rotterdam.bazuin.nl>
 <002401d42d98$842d57b0$8c880710$@stanga.net>
 <CABu_8zL6+QJGFHHcBYkDw27vnWuriGi9gKky5Ungq1S+SG0DYQ@mail.gmail.com>
Message-ID: <002101d42e0f$6733c460$359b4d20$@stanga.net>

Yes, because everything else was fine? The tricky moment was that mails from Webmail to Internet was sent without any issue.

Without explicit definition in the Webmail for SMTP , it try to use localhost and this looks like cause issue only for mails sent in same domain.

 

From: MailScanner [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: Tuesday, August 7, 2018 12:52 AM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: MailScanner: Message attempted to kill MailScanner

 

Was this the root cause of the issue?

 

(sorry been a very busy day)

 

On Mon, Aug 6, 2018 at 11:16 AM, DobriL Dobrilov <dobril at stanga.net <mailto:dobril at stanga.net> > wrote:

Thank you for the hint.
I find what exactly cause my issue with Webmail.
During the Webmail upgrade , somehow disappeared $config['smtp_server'] =
'mail.stanga.net <http://mail.stanga.net> '; from the config file...
I found it after install 2nd Webmail to test.....
Although is very strange how the Webmail managed to send messages to foreign
hosts.

Sorry for disturbing all of you for this.



Dobril Dobrilov
IT Manager
dobril at stanga.net <mailto:dobril at stanga.net> 


43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387


We shape Digital www.stanga.net <http://www.stanga.net> 

We re-invent Video www.bsbvision.com <http://www.bsbvision.com> 

We build Apps www.shanga.co <http://www.shanga.co> 

We support Start-Ups www.mysbar.net <http://www.mysbar.net> 




-----Original Message-----
From: MailScanner
[mailto:mailscanner-bounces+dobril <mailto:mailscanner-bounces%2Bdobril> =stanga.net at lists.mailscanner.info <mailto:stanga.net at lists.mailscanner.info> ] On
Behalf Of L.P.H. van Belle via MailScanner
Sent: Monday, August 6, 2018 6:11 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> >
Cc: L.P.H. van Belle <belle at bazuin.nl <mailto:belle at bazuin.nl> >
Subject: RE: MailScanner: Message attempted to kill MailScanner

You webserver is not "localhost"... Pointing to : from mail.stanga.net <http://mail.stanga.net> 
(localhost [IPv6:::1]) Choose... 

By example. cat /etc/hosts 
127.0.0.1      localhost
194.124.193.23 mail.domain.tld
192.168.1.1        mail.internal.domain.tld mail


# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Just beware when you change it, you might hit more, but if you fix  that all
your ok for the futere. 
Imo. Your resolving is giving the problems. 


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: MailScanner
> [mailto:mailscanner-bounces+belle <mailto:mailscanner-bounces%2Bbelle> =bazuin.nl at lists.mailscanner.
info] Namens DobriL Dobrilov
> Verzonden: maandag 6 augustus 2018 16:44
> Aan: 'MailScanner Discussion'
> Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> 
> Webmail
> ------------
> Received: from mail.stanga.net <http://mail.stanga.net>  (localhost [IPv6:::1])
>       by mail.stanga.net <http://mail.stanga.net>  (Postfix) with ESMTPA id 5772D62C57
>       for <dobril at stanga.net <mailto:dobril at stanga.net> >; Mon,  6 Aug 2018 14:52:00 +0300 (EEST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net <http://stanga.net> ; 
> s=mail;
>       t=1533556320; bh=4I/hR/SP5y+TSO6ckrsWbUfz/ulzfgg21OOLy4t7Qcw=;
>       h=Date:From:To:Subject:Reply-To;
>       
> b=LHHTCrdhwEuGskWyqw0sWd1Km3VgyVhuTGiQ+b00rQmMg5EoEvx0ro12ob/zWes9m
>        
> jtgr30krr1OkHUcBPXOoYUyCDOzLU3VwKUjYO8mX2L1C3ZCZsvgFkbjtP7QbrIHzM6
>        EsRQn070GPV/w75A43jCSxetrKKtM6se6osKZvaM=
> MIME-Version: 1.0
> Content-Type: text/plain; charset=US-ASCII;  format=flowed
> Content-Transfer-Encoding: 7bit
> Date: Mon, 06 Aug 2018 14:52:00 +0300
> From: Dobril Dobrilov <dobril at stanga.net <mailto:dobril at stanga.net> >
> To: dobril at stanga.net <mailto:dobril at stanga.net> 
> Subject: AAA
> Organization: StangaOne1
> Reply-To: dobril at stanga.net <mailto:dobril at stanga.net> 
> Mail-Reply-To: dobril at stanga.net <mailto:dobril at stanga.net> 
> Message-ID: <8e5ddc58218e715f2ec6286fe0b60f03 at stanga.net <mailto:8e5ddc58218e715f2ec6286fe0b60f03 at stanga.net> >
> X-Sender: dobril at stanga.net <mailto:dobril at stanga.net> 
> User-Agent: Roundcube Webmail/1.3.7
> 
> 
> Outlook
> ------------
> Return-Path: <dobril at stanga.net <mailto:dobril at stanga.net> >
> X-Original-To: dobril at stanga.net <mailto:dobril at stanga.net> 
> Delivered-To: dobril at stanga.net <mailto:dobril at stanga.net> 
> Received: from DL (unknown [192.168.0.222])
>       (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
> bits))
>       (No client certificate requested)
>       by mail.stanga.net <http://mail.stanga.net>  (Postfix) with ESMTPSA id D6F6D62C8E
>       for <dobril at stanga.net <mailto:dobril at stanga.net> >; Mon,  6 Aug 2018 17:42:45 +0300 (EEST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=stanga.net <http://stanga.net> ; 
> s=mail;
>       t=1533566565; bh=1ooy+DYxraTnYWXxssyteq3EYaC5wdAbrolTC0mL5bA=;
>       h=From:To:Subject:Date;
>       
> b=XZzNLHycLcbdsjqXFtWJT96Q0lPhhtOS/+ZGIZpVWNfu68gw1nFHitcIUfV5zGCk2
>        
> L419FGzTaLO9GiE1pAGnzruH5dh1BCHU+9AxLu3rB3oijr2BOEXeltH1TREFq4E0f+
>        erOPUx3jdywpL6vJFLR2YixmUfIrdLScxOTcUKk0=
> From: "DobriL Dobrilov" <dobril at stanga.net <mailto:dobril at stanga.net> >
> To: "'DobriL Dobrilov'" <dobril at stanga.net <mailto:dobril at stanga.net> >
> Subject: Test
> Date: Mon, 6 Aug 2018 17:42:52 +0300
> Message-ID: <001701d42d93$c0ff3460$42fd9d20$@stanga.net <http://stanga.net> >
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>       boundary="----=_NextPart_000_0018_01D42DAC.E64C6C60"
> X-Mailer: Microsoft Outlook 16.0
> Thread-Index: AdQtk77S62N7R+6qQV66SqVGhFQY4A==
> Content-Language: bg
> X-MS-TNEF-Correlator: 000000005234E38E73D4914094E5D7D34B79F6A504FD8F00
> X-Stanga-MailScanner-Information: Please contact the ISP for more 
> information
> X-Stanga-MailScanner-ID: D6F6D62C8E.AB5F9
> X-Stanga-MailScanner: Not scanned: please contact your Internet E-Mail 
> Service Provider for details
> X-Stanga-MailScanner-SpamCheck: not spam (whitelisted),
>       SpamAssassin (not cached, score=-99.887, required 5,
>       ALL_TRUSTED -1.00, DKIM_SIGNED 0.10, DKIM_VALID -0.10,
>       DKIM_VALID_AU -0.10, TVD_RCVD_SINGLE 1.21,
>       USER_IN_WHITELIST -100.00)
> X-Stanga-MailScanner-From: dobril at stanga.net <mailto:dobril at stanga.net> 
> X-Spam-Status: No
> X-EsetId: 37303A2960736C61677D6A
> 
> 
> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+dobril <mailto:mailscanner-bounces%2Bdobril> =stanga.net at lists.mailscanne
r.info <http://r.info> ] On
> Behalf Of Antony Stone
> Sent: Monday, August 6, 2018 5:18 PM
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> >
> Subject: Re: MailScanner: Message attempted to kill MailScanner
> 
> On Monday 06 August 2018 at 16:14:39, DobriL Dobrilov wrote:
> 
> > Definitely this is something related only to my webmail and
> only when
> > I send emails to the same domain. I can send same message
> without any
> > issue if I'm using outlook or other mail client.
> > I can send messages from Webmail to all external domain
> without problem.
> > All thing mean that the problem cannot be disk space , ram or bad 
> > permissions. echo Test |mail dobril at stanga.net <mailto:dobril at stanga.net>  , from the
> same server
> > deliver messages without problem.
> 
> Can you show us full headers of an example email from webmail (which 
> MS can't
> process) and another one to and from the same addresses, but not from 
> webmail (which MS processes okay)?
> 
> Antony.
> 
> > -----Original Message-----
> > From: MailScanner
> > 
> [mailto:mailscanner-bounces+dobril <mailto:mailscanner-bounces%2Bdobril> =stanga.net at lists.mailscanner.info <mailto:stanga.net at lists.mailscanner.info> ]
> > On Behalf Of L.P.H. van Belle via MailScanner
> > Sent: Monday, August 6, 2018 4:22 PM
> > To: MailScanner Discussion <mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> >
> > Cc: L.P.H. van Belle <belle at bazuin.nl <mailto:belle at bazuin.nl> >
> > Subject: RE: MailScanner: Message attempted to kill MailScanner
> > 
> > Hai,
> > 
> > What is the os your running?
> > That might help me a bit.
> > 
> > Did you follow a site for this upgrade, show me which one
> if you did.
> > 
> > Your group members are correct ?
> > # *( im running debian 9 ) an i have these configured.
> > mtagroup:x:1001:clamav,Debian-exim,postfix,mail,www-data
> > clamav:x:119:postfix,www-data
> > opendkim:x:122:postfix
> > 
> > 
> > And can you post a more complete mail.log, if needed, pm it
> to me or
> > anonimize it here needed.
> > Preffered from the time frame, when you try to send your
> the message.
> > 
> > I still say its your antivirus, if you did not remove the
> old messages
> > from your queue.
> > And now its not working because postfix/mailscanner try to
> deliver to
> > clamd and thats turned of.
> > 
> > If the AV is off then why is you log showing the av scanner?
> > Your disk it not full?
> > 
> > If upgrade my debian 7 + mailscanner 4.7x to debian 9 + mailscanner.
> > I also reused my settings.
> > I'll try to find if i can seen what i changed ( if so ), that was 
> > months ago..
> > 
> > 
> > Greetz,
> > 
> > Louis
> > 
> > > -----Oorspronkelijk bericht-----
> > > Van: DobriL Dobrilov [mailto:dobril at stanga.net <mailto:dobril at stanga.net> ]
> > > Verzonden: maandag 6 augustus 2018 14:53
> > > Aan: 'MailScanner Discussion'
> > > CC: 'L.P.H. van Belle'
> > > Onderwerp: RE: MailScanner: Message attempted to kill MailScanner
> > > 
> > > AV scan is off , something else cause the issue.
> > > 
> > > 
> > > Dobril Dobrilov
> > > IT Manager
> > > dobril at stanga.net <mailto:dobril at stanga.net> 
> > > 
> > > 
> > > 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> > > Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> > > Mobile: +359 878 749 387
> > > 
> > > 
> > > We shape Digital www.stanga.net <http://www.stanga.net> 
> > > 
> > > We re-invent Video www.bsbvision.com <http://www.bsbvision.com> 
> > > 
> > > We build Apps www.shanga.co <http://www.shanga.co> 
> > > 
> > > We support Start-Ups www.mysbar.net <http://www.mysbar.net> 
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: MailScanner
> > > [mailto:mailscanner-bounces+dobril <mailto:mailscanner-bounces%2Bdobril> =stanga.net at lists.mailscanne
> > > r.info <http://r.info> ] On
> > > Behalf Of L.P.H. van Belle via MailScanner
> > > Sent: Monday, August 6, 2018 3:45 PM
> > > To: MailScanner Discussion <mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> >
> > > Cc: L.P.H. van Belle <belle at bazuin.nl <mailto:belle at bazuin.nl> >
> > > Subject: RE: MailScanner: Message attempted to kill MailScanner
> > > 
> > > Are you using Yara rules or other clamav unoffical databases.
> > > Remove these, restart clamav and try again.
> > > 
> > > You might have a bad clamav database file.
> > > 
> > > Greetz,
> > > 
> > > Louis
> > > 
> > > > -----Oorspronkelijk bericht-----
> > > > Van: MailScanner
> > > > [mailto:mailscanner-bounces+belle <mailto:mailscanner-bounces%2Bbelle> =bazuin.nl at lists.mailscanner.
> > > > info] Namens Antony Stone
> > > > Verzonden: maandag 6 augustus 2018 14:23
> > > > Aan: MailScanner Discussion
> > > > Onderwerp: Re: MailScanner: Message attempted to kill
> MailScanner
> > > > 
> > > > On Monday 06 August 2018 at 14:13:03, DobriL Dobrilov wrote:
> > > > > Until now the Mail Server was with old postfix and
> > > > 
> > > > MailScanner 4.79. I
> > > > 
> > > > > migrated to new server with MailScanner 5.0.7. MS config
> > > 
> > > is same as
> > > 
> > > > > before.
> > > > 
> > > > Maybe someone with more knowledge than of any configuration 
> > > > differences ebtween those version can comment on just
> > > 
> > > keeping the same
> > > 
> > > > configuration file...
> > > > 
> > > > > From webmail I can send messages out of my domain without
> > > 
> > > problems.
> > > 
> > > > So, what *does* cause the problem?
> > > > 
> > > > Your original email said "All emails sent from my
> webmail to same
> > > > domain cannot be processes by mailscanner."
> > > > 
> > > > > Msg from webmail
> > > > > Received: from mail.stanga.net <http://mail.stanga.net>  (localhost [IPv6:::1])
> > > > > 
> > > > >      by mail.stanga.net <http://mail.stanga.net>  (Postfix) with ESMTPA id 8990B62C7F
> > > > >      for <dobril at stanga.net <mailto:dobril at stanga.net> >; Mon, 6 Aug 2018 14:33:37
> > > 
> > > +0300 (EEST)
> > > 
> > > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > > 
> > > > d=stanga.net <http://stanga.net> ; s=mail;
> > > > 
> > > > >      t=1533555217;
> > > 
> > > bh=mZ+uaN6Z/8N6WGVqk2wnIiNbWhm5wweetthyGV+rcTs=;
> > > 
> > > > >      h=Date:From:To:Subject;
> > > > 
> > > > 
> b=ex87f2OAPGbMz0sU6XWbhYCD03Et+mEjtKr925BfRPT5HgYLDlL8HqB+ZrCXHJwY
> > > > F
> > > > 
> > > > 
> YeklCaEhAz5eGuRaDcJThrwidzLyqdC8pAErnLbc49SmF0HIafTMMmnqxkhRqYefqz
> > > > 
> > > > >       EKNjrsrHGMMqNKqMUApcumMBXGt8zKEXw/S9HlrE=
> > > > > 
> > > > > MIME-Version: 1.0
> > > > > Content-Type: multipart/alternative; 
> > > > > boundary="=_75de8e069c6b4423276ecc8efe3eaa14"
> > > > > Date: Mon, 06 Aug 2018 14:33:37 +0300
> > > > > From: Dobril Dobrilov <dobril at stanga.net <mailto:dobril at stanga.net> >
> > > > > To: dobril at stanga.net <mailto:dobril at stanga.net> 
> > > > > Subject: Test2
> > > > > Organization: StangaOne1
> > > > > Message-ID: <e836f2d9d2be88a49da5da675eba919e at stanga.net <mailto:e836f2d9d2be88a49da5da675eba919e at stanga.net> >
> > > > > X-Sender: dobril at stanga.net <mailto:dobril at stanga.net> 
> > > > > User-Agent: Roundcube Webmail/1.3.7
> > > > > 
> > > > > Msg from Mail Client
> > > > > Received: from DL (unknown [192.168.0.222])
> > > > > 
> > > > >      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> > > > 
> > > > (256/256 bits))
> > > > 
> > > > >      (No client certificate requested)
> > > > >      by mail.stanga.net <http://mail.stanga.net>  (Postfix) with ESMTPSA id CB1BD62C84
> > > > >      for <dobril at stanga.net <mailto:dobril at stanga.net> >; Mon, 6 Aug 2018 15:11:28
> > > 
> > > +0300 (EEST)
> > > 
> > > > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
> > > > 
> > > > d=stanga.net <http://stanga.net> ; s=mail;
> > > > 
> > > > >      t=1533557488;
> > > 
> > > bh=PuTju5S6EPeO7sbRMZ/5jISvR+vw7+9AwwsxuKLvTZ8=;
> > > 
> > > > >      h=From:To:Subject:Date;
> > > > 
> > > > 
> b=IcMCXoZ3cdkehwkEMYfCytEDcgduiWi8Bats1ypadvf6hD/Mq/I0s7k6Lc3lBzJp
> > > > N
> > > > 
> > > > 
> FNopdMhbJ7HQ1irLN8fyHRvMPFzyCAE3rPZjIDm1Olf23G4E510mYtRvE1A/i1Dt0a
> > > > 
> > > > >       rHJVnjxltdYZ6+aaENwzE/oXaaO1XSW1zaSciN6k=
> > > > > 
> > > > > From: "DobriL Dobrilov" <dobril at stanga.net <mailto:dobril at stanga.net> >
> > > > > To: "'DobriL Dobrilov'" <dobril at stanga.net <mailto:dobril at stanga.net> >
> > > > > Subject: Test
> > > > > Date: Mon, 6 Aug 2018 15:11:34 +0300
> > > > > Message-ID: <00f901d42d7e$9e87dbe0$db9793a0$@stanga.net <http://stanga.net> >
> > > > > MIME-Version: 1.0
> > > > > Content-Type: multipart/mixed;
> > > > > 
> > > > >      boundary="----=_NextPart_000_00FA_01D42D97.C3D513E0"
> > > > > 
> > > > > X-Mailer: Microsoft Outlook 16.0
> > > > > Thread-Index: AdQtfptmFdgLS/d8QKixvWPS7nKlOQ==
> > > > > Content-Language: bg
> > > > 
> > > > > X-MS-TNEF-Correlator:
> > > > 000000005234E38E73D4914094E5D7D34B79F6A564F78F00
> > > > 
> > > > Is one of the above emails an example which causes the
> > > 
> > > problem and the
> > > 
> > > > other an example which does not cause the problem (if so,
> > > 
> > > which one is
> > > 
> > > > which)?
> > > > 
> > > > Or are both the above emails examples which do not cause
> > > 
> > > the problem
> > > 
> > > > (in which case please send us the headers from one which does 
> > > > cause the problem)?
> > > > 
> > > > 
> > > > Regards,
> > > > 
> > > > 
> > > > Antony.
> > > > 
> > > > > -----Original Message-----
> > > > > From: MailScanner
> > > > 
> > > > [mailto:mailscanner-bounces+dobril <mailto:mailscanner-bounces%2Bdobril> =stanga.net at lists.mailscanne
> > > > r.info <http://r.info> ] On
> > > > 
> > > > > Behalf Of Antony Stone Sent: Monday, August 6, 2018 3:01 PM
> > > > > To: MailScanner Discussion
> <mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> >
> > > > > Subject: Re: MailScanner: Message attempted to kill
> MailScanner
> > > > > 
> > > > > On Monday 06 August 2018 at 13:55:36, DobriL Dobrilov wrote:
> > > > > > Some other ideas, because unfortunately this Live system
> > > > 
> > > > and It's very
> > > > 
> > > > > > critical ?
> > > > > 
> > > > > When did the problem start happening?
> > > > > 
> > > > > What changed on the MS server around that time?
> > > > > 
> > > > > Can you show us full headers of an example email from
> > > > 
> > > > webmail (which MS
> > > > 
> > > > > can't process) and another one to and from the same
> > > > 
> > > > addresses, but not
> > > > 
> > > > > from webmail (which MS processes okay)?
> > > > > 
> > > > > Antony
> > > > 
> > > > --
> > > > Neurotics build castles in the sky; Psychotics live in them; 
> > > > Psychiatrists collect the rent.
> > > > 
> > > >                                                    
> Please reply to
> > > > 
> > > > the list;
> > > > 
> > > > please *don't* CC me.
> > > > 
> > > > 
> > > > --
> > > > MailScanner mailing list
> > > > mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
> > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > > 
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > 
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 



--
MailScanner mailing list
mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
http://lists.mailscanner.info/mailman/listinfo/mailscanner



-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
http://lists.mailscanner.info/mailman/listinfo/mailscanner





 

-- 

Shawn Iverson, CETL

Director of Technology

Rush County Schools

765-932-3901 x1171

iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us> 

 

  <https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_cy1OZFNIZ0drYVU&revid=0Bw5iD0ToYvs_UitIcHVIWkJVVTl2VGpxVUE0d0FQcHBIRXk4PQ>   <https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_Zkh4eEs3R01yWXc&revid=0Bw5iD0ToYvs_QWpBK2Y2ajJtYjhOMDRFekZwK2xOamk5Q3Y0PQ> 

  <https://docs.google.com/uc?export=download&id=1aBrlQou4gjB04FY-twHN_0Dn3GHVNxqa&revid=0Bw5iD0ToYvs_RnQ0eDhHcm95WHBFdkNRbXhQRXpoYkR6SEEwPQ> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180807/c24c1313/attachment-0001.html>

From info at schroeffu.ch  Tue Aug  7 10:03:32 2018
From: info at schroeffu.ch (info at schroeffu.ch)
Date: Tue, 07 Aug 2018 10:03:32 +0000
Subject: Mailscanner milter to reject high score spam at MTA level
Message-ID: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>

Hi Mailscanner friends,

is there any progress to make MailScanner usable as a postfix milter?
The most biggest problem I have is, SPAM is not possible to reject when reaching a high score at MTA level. For my understanding, connect via milter instead of queue ^HOLD would be the solution.

For the next decade we are still using MailScanner instead of others like Rspamd, because MailScanner is like a mail suite for mail security, but if there will never be the possibility to reject at MTA level the high score spam, we will also change in 1-3 years while replacing the OS beyond.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180807/555f353d/attachment.html>

From djones at ena.com  Tue Aug  7 14:51:54 2018
From: djones at ena.com (David Jones)
Date: Tue, 7 Aug 2018 09:51:54 -0500
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
Message-ID: <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>

On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
> 
> Hi Mailscanner friends,
> 
> is there any progress to make MailScanner usable as a postfix milter?
> The most biggest problem I have is, SPAM is not possible to reject when 
> reaching a high score at MTA level. For my understanding, connect via 
> milter instead of queue ^HOLD would be the solution.
> 
> For the next decade we are still using MailScanner instead of others 
> like Rspamd, because MailScanner is like a mail suite for mail security, 
> but if there will never be the possibility to reject at MTA level the 
> high score spam, we will also change in 1-3 years while replacing the OS 
> beyond.
> 

One of MailScanner's strongest features is it's batch mode processing 
that will allow it to handle a very high volume of mail flow.  I doubt 
that MailScanner will ever be changed to run as a milter for this reason.

I tried rspamd and found it wasn't as good as the author claims so no 
reason to try to use that as a milter.  It also wasn't as fast as it 
claims.  I could not send high volumes of mail through it like I could 
with MailScanner.

If you want to block high scoring spam at the MTA level, I suggest using 
amavis or spamd with the same SA rulesets as MailScanner.  This will get 
you most of the power of MailScanner's blocking at the MTA.

https://wiki.apache.org/spamassassin/IntegratedInMta

If you you use postscreen and postwhite at the Postfix MTA level, you 
can block most of the obvious spam with a tuned list of RBLs.  See the 
SA users mailing list over the past year for details on this from me and 
a few others.

I suggest setting up a quick test VM with iRedmail to get a good example 
of how to do TLS and amavis integration well with Postfix.

-- 
David Jones

From dobril at stanga.net  Wed Aug  8 15:39:44 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Wed, 8 Aug 2018 18:39:44 +0300
Subject: Message kill MailWatch SQL Loggin
Message-ID: <003901d42f2e$07fb5560$17f20020$@stanga.net>

I just saw there are no any processed emails for last 2 hours in MailWatch
panel. In same there received messages emails and on each received I can see
usual MailScanner[9303]: MailWatch: Logging message 804C46217E.A23FB to SQL:

 

Then I find this in the logs, after no more messages in Database.

 

Aug  8 16:32:08 mail MailScanner[5960]: Could not use Custom Function code
MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed.
Make sure the module is correct with perl -wc (Error: DBD::mysql::st execute
failed: Incorrect string value: '\xF0\x9F\x92\xB2\xF0\x9F...' for column
'subject' at row 1 at /usr/share/MailScanner/perl/custom/MailWatch.pm line
221, <CLIENT> line 7931.

 

MailScanner restart and it's working again , but somehow the some message
kill it.

 

 



Dobril Dobrilov


IT Manager


 <mailto:dobril at stanga.net> dobril at stanga.net






43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387

 




We shape Digital  <http://www.stanga.net> www.stanga.net




We re-invent Video  <http://www.bsbvision.com> www.bsbvision.com




We build Apps  <http://www.shanga.co> www.shanga.co




We support Start-Ups  <http://www.mysbar.net> www.mysbar.net

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/19771ff7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3762 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/19771ff7/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 1151 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/19771ff7/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 853 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/19771ff7/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.jpg
Type: image/jpeg
Size: 1286 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/19771ff7/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.jpg
Type: image/jpeg
Size: 930 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/19771ff7/attachment-0003.jpg>

From iversons at rushville.k12.in.us  Wed Aug  8 18:05:22 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 8 Aug 2018 14:05:22 -0400
Subject: Message kill MailWatch SQL Loggin
In-Reply-To: <003901d42f2e$07fb5560$17f20020$@stanga.net>
References: <003901d42f2e$07fb5560$17f20020$@stanga.net>
Message-ID: <CABu_8zLSs58zreS0Z_C6drOgOFBuZYPdBa0t5UN8diR=6qH9MQ@mail.gmail.com>

This is a MailWatch issue, and probably is a result of the MailWatch
DB/tables not set to use utf8mb4.

On Wed, Aug 8, 2018 at 11:39 AM, DobriL Dobrilov <dobril at stanga.net> wrote:

> I just saw there are no any processed emails for last 2 hours in MailWatch
> panel. In same there received messages emails and on each received I can
> see usual MailScanner[9303]: MailWatch: Logging message 804C46217E.A23FB to
> SQL?
>
>
>
> Then I find this in the logs, after no more messages in Database.
>
>
>
> Aug  8 16:32:08 mail MailScanner[5960]: Could not use Custom Function code
> MailScanner::CustomConfig::InitMailWatchLogging, it could not be
> "eval"ed. Make sure the module is correct with perl -wc (Error:
> DBD::mysql::st execute failed: Incorrect string value:
> '\xF0\x9F\x92\xB2\xF0\x9F...' for column 'subject' at row 1 at
> /usr/share/MailScanner/perl/custom/MailWatch.pm line 221, <CLIENT> line
> 7931.
>
>
>
> MailScanner restart and it?s working again , but somehow the some message
> kill it.
>
>
>
>
>
> *Dobril Dobrilov*
>
> IT Manager
>
> *dobril at stanga.net <dobril at stanga.net>*
>
> [image: StangaOne1 unit fo STANGA AD]
>
> 43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
> Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
> Mobile: +359 878 749 387
>
>
>
> [image: StangaOne1]
>
> We shape Digital *www.stanga.net* <http://www.stanga.net>
>
> [image: BSB]
>
> We re-invent Video *www.bsbvision.com* <http://www.bsbvision.com>
>
> [image: Shanga]
>
> We build Apps *www.shanga.co* <http://www.shanga.co>
>
> [image: S*Bar]
>
> We support Start-Ups *www.mysbar.net* <http://www.mysbar.net>
>
>
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>


-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/129d7063/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3762 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/129d7063/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 1151 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/129d7063/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 853 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/129d7063/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.jpg
Type: image/jpeg
Size: 930 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/129d7063/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.jpg
Type: image/jpeg
Size: 1286 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/129d7063/attachment-0003.jpg>

From dobril at stanga.net  Wed Aug  8 20:59:18 2018
From: dobril at stanga.net (DobriL Dobrilov)
Date: Wed, 8 Aug 2018 23:59:18 +0300
Subject: Message kill MailWatch SQL Loggin
In-Reply-To: <CABu_8zLSs58zreS0Z_C6drOgOFBuZYPdBa0t5UN8diR=6qH9MQ@mail.gmail.com>
References: <003901d42f2e$07fb5560$17f20020$@stanga.net>
 <CABu_8zLSs58zreS0Z_C6drOgOFBuZYPdBa0t5UN8diR=6qH9MQ@mail.gmail.com>
Message-ID: <004f01d42f5a$ac7dba70$05792f50$@stanga.net>

Thank you Shawn, now I converted all columns from utf8 to utf8mb4. Just I didn?t know for those bug.

 

 



Dobril Dobrilov


IT Manager


 <mailto:dobril at stanga.net> dobril at stanga.net






43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387

 




We shape Digital  <http://www.stanga.net> www.stanga.net




We re-invent Video  <http://www.bsbvision.com> www.bsbvision.com




We build Apps  <http://www.shanga.co> www.shanga.co




We support Start-Ups  <http://www.mysbar.net> www.mysbar.net

 

 

From: MailScanner [mailto:mailscanner-bounces+dobril=stanga.net at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: Wednesday, August 8, 2018 9:05 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: Message kill MailWatch SQL Loggin

 

This is a MailWatch issue, and probably is a result of the MailWatch DB/tables not set to use utf8mb4.

 

On Wed, Aug 8, 2018 at 11:39 AM, DobriL Dobrilov <dobril at stanga.net <mailto:dobril at stanga.net> > wrote:

I just saw there are no any processed emails for last 2 hours in MailWatch panel. In same there received messages emails and on each received I can see usual MailScanner[9303]: MailWatch: Logging message 804C46217E.A23FB to SQL?

 

Then I find this in the logs, after no more messages in Database.

 

Aug  8 16:32:08 mail MailScanner[5960]: Could not use Custom Function code MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed. Make sure the module is correct with perl -wc (Error: DBD::mysql::st execute failed: Incorrect string value: '\xF0\x9F\x92\xB2\xF0\x9F...' for column 'subject' at row 1 at /usr/share/MailScanner/perl/custom/MailWatch.pm line 221, <CLIENT> line 7931.

 

MailScanner restart and it?s working again , but somehow the some message kill it.

 

 



Dobril Dobrilov


IT Manager


 <mailto:dobril at stanga.net> dobril at stanga.net






43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387

 




We shape Digital  <http://www.stanga.net> www.stanga.net




We re-invent Video  <http://www.bsbvision.com> www.bsbvision.com




We build Apps  <http://www.shanga.co> www.shanga.co




We support Start-Ups  <http://www.mysbar.net> www.mysbar.net

 

 




-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
http://lists.mailscanner.info/mailman/listinfo/mailscanner







 

-- 

Shawn Iverson, CETL

Director of Technology

Rush County Schools

765-932-3901 x1171

iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us> 

 

  <https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_cy1OZFNIZ0drYVU&revid=0Bw5iD0ToYvs_UitIcHVIWkJVVTl2VGpxVUE0d0FQcHBIRXk4PQ>   <https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_Zkh4eEs3R01yWXc&revid=0Bw5iD0ToYvs_QWpBK2Y2ajJtYjhOMDRFekZwK2xOamk5Q3Y0PQ> 

  <https://docs.google.com/uc?export=download&id=1aBrlQou4gjB04FY-twHN_0Dn3GHVNxqa&revid=0Bw5iD0ToYvs_RnQ0eDhHcm95WHBFdkNRbXhQRXpoYkR6SEEwPQ> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/d9d15b1b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3762 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/d9d15b1b/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 1151 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/d9d15b1b/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 853 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/d9d15b1b/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.jpg
Type: image/jpeg
Size: 1286 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/d9d15b1b/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.jpg
Type: image/jpeg
Size: 930 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180808/d9d15b1b/attachment-0003.jpg>

From belle at bazuin.nl  Fri Aug 10 08:50:41 2018
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Fri, 10 Aug 2018 10:50:41 +0200
Subject: Message kill MailWatch SQL Loggin
In-Reply-To: <003901d42f2e$07fb5560$17f20020$@stanga.net>
References: <003901d42f2e$07fb5560$17f20020$@stanga.net>
Message-ID: <vmime.5b6d51e1.648c.119b9f8765811@ms249-lin-003.rotterdam.bazuin.nl>

hai, 
?
You can try the following,
Make a backup, test your backup. 
Now try the following. 
?
set your mysql column's charset to utf8mb4 and Collation to utf8mb4_general_ci
set your connection string of charset to utf8mb4 like charset=utf8mb4
?
If there are emoije in the subject, then above might fix it. 
?
?
Greetz, 
?
Louis
?
?

Van: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] Namens DobriL Dobrilov
Verzonden: woensdag 8 augustus 2018 17:40
Aan: 'MailScanner Discussion'
Onderwerp: Message kill MailWatch SQL Loggin




I just saw there are no any processed emails for last 2 hours in MailWatch panel. In same there received messages emails and on each received I can see usual MailScanner[9303]: MailWatch: Logging message 804C46217E.A23FB to SQL?

?

Then I find this in the logs, after no more messages in Database.

?

Aug? 8 16:32:08 mail MailScanner[5960]: Could not use Custom Function code MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed. Make sure the module is correct with perl -wc (Error: DBD::mysql::st execute failed: Incorrect string value: '\xF0\x9F\x92\xB2\xF0\x9F...' for column 'subject' at row 1 at /usr/share/MailScanner/perl/custom/MailWatch.pm line 221, <CLIENT> line 7931.

?

MailScanner restart and it?s working again , but somehow the some message kill it.

?

?

Dobril Dobrilov

IT Manager

dobril at stanga.net



43, Cherni Vrah Blvd. | 1407 Sofia - Bulgaria
Phone: +359 2 81 960 69 Fax: +359 2 81 960 70
Mobile: +359 878 749 387

?


	
We shape Digital?www.stanga.net


	
We re-invent Video?www.bsbvision.com


	
We build Apps?www.shanga.co


	
We support Start-Ups?www.mysbar.net



?

?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180810/9ccb5495/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3762 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180810/9ccb5495/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 1151 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180810/9ccb5495/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 853 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180810/9ccb5495/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.jpg
Type: image/jpeg
Size: 1286 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180810/9ccb5495/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.jpg
Type: image/jpeg
Size: 930 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180810/9ccb5495/attachment-0003.jpg>

From iversons at rushville.k12.in.us  Sat Aug 11 13:15:08 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 11 Aug 2018 09:15:08 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
Message-ID: <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>

I have been planning for a MailScanner milter for quite some time.  I have
been specifically studying rpamd's milter source for this purpose.  Alas,
lack of time and lack of money are always an issue, and I put a lot of
hours in my day job.  As Jerry would say, I like to eat and have a roof
over my head :D

If I do find the time to build a milter, performance will definitely be
impacted.  The reason is that postfix will have to keep each session open
for the duration of scanning, and each MailScanner child would have to
issue a callback to postfix after scanning the spam so that postfix can
responds to the connection appropriately  (i.e. reject or accept).  This
will slow down mail processing considerably.  If I do this, I am going to
keep the HOLD queue around, so you would have to choose between speed or
MTA level rejection functionality.






On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner <
mailscanner at lists.mailscanner.info> wrote:

> On 08/07/2018 05:03 AM, info at schroeffu.ch wrote:
> >
> > Hi Mailscanner friends,
> >
> > is there any progress to make MailScanner usable as a postfix milter?
> > The most biggest problem I have is, SPAM is not possible to reject when
> > reaching a high score at MTA level. For my understanding, connect via
> > milter instead of queue ^HOLD would be the solution.
> >
> > For the next decade we are still using MailScanner instead of others
> > like Rspamd, because MailScanner is like a mail suite for mail security,
> > but if there will never be the possibility to reject at MTA level the
> > high score spam, we will also change in 1-3 years while replacing the OS
> > beyond.
> >
>
> One of MailScanner's strongest features is it's batch mode processing
> that will allow it to handle a very high volume of mail flow.  I doubt
> that MailScanner will ever be changed to run as a milter for this reason.
>
> I tried rspamd and found it wasn't as good as the author claims so no
> reason to try to use that as a milter.  It also wasn't as fast as it
> claims.  I could not send high volumes of mail through it like I could
> with MailScanner.
>
> If you want to block high scoring spam at the MTA level, I suggest using
> amavis or spamd with the same SA rulesets as MailScanner.  This will get
> you most of the power of MailScanner's blocking at the MTA.
>
> https://wiki.apache.org/spamassassin/IntegratedInMta
>
> If you you use postscreen and postwhite at the Postfix MTA level, you
> can block most of the obvious spam with a tuned list of RBLs.  See the
> SA users mailing list over the past year for details on this from me and
> a few others.
>
> I suggest setting up a quick test VM with iRedmail to get a good example
> of how to do TLS and amavis integration well with Postfix.
>
> --
> David Jones
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180811/ad7cedb7/attachment.html>

From djones at ena.com  Sat Aug 11 13:38:54 2018
From: djones at ena.com (David Jones)
Date: Sat, 11 Aug 2018 08:38:54 -0500
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
Message-ID: <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>

On 08/11/2018 08:15 AM, Shawn Iverson wrote:
> I have been planning for a MailScanner milter for quite some time.? I 
> have been specifically studying rpamd's milter source for this purpose.  
> Alas, lack of time and lack of money are always an issue, and I put a 
> lot of hours in my day job.? As Jerry would say, I like to eat and have 
> a roof over my head :D
> 
> If I do find the time to build a milter, performance will definitely be 
> impacted.? The reason is that postfix will have to keep each session 
> open for the duration of scanning, and each MailScanner child would have 
> to issue a callback to postfix after scanning the spam so that postfix 
> can responds to the connection appropriately? (i.e. reject or accept).  
> This will slow down mail processing considerably.? If I do this, I am 
> going to keep the HOLD queue around, so you would have to choose between 
> speed or MTA level rejection functionality.
> 
> 
> 

My gut tells me that this is going to be so slow, that it's not going to 
be worth the time to put into it.  If you want to reject at MTA time, 
throw in amavis-new or spamd (not rspamd) using the same SpamAsssassin 
rules and Bayes DB to get most of the same features as MailScanner 
during the SMTP conversation.  Then the mail that gets through can be 
filtered by MailScanner for it's extra features that make it unique.

I understand there are different local legal requirements around the 
world that if email is accepted at MTA time then it has to be passed on 
to the end user's mailbox.  If you are located in one of these 
countries, then this would be more of an issue.  But since I am in a 
country that doesn't have this legal requirement, I do block email 
post-MTA by MailScanner.

The majority of my spam is blocked at the MTA level already by highly 
tuned RBLs and postscreen's RBL weighting which is very, very good. 
Only a small percentage of spam that is zero-hour or from compromised 
accounts makes it to MailScanner.

I highly recommend the Invaluement RBL.  It's very accurate -- only 1 or 
2 false positives over 5+ the years.  This RBL is very cost effective 
and has allowed me to disable all Spamhaus RBL checks in SpamAssassin 
saving thousands of dollars a year.  (We have too high a volume to stay 
under the free usage limits of Spamhaus so we were having to pay for the 
RBL feed.)

> 
> 
> 
> On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner 
> <mailscanner at lists.mailscanner.info 
> <mailto:mailscanner at lists.mailscanner.info>> wrote:
> 
>     On 08/07/2018 05:03 AM, info at schroeffu.ch <mailto:info at schroeffu.ch>
>     wrote:
>      >
>      > Hi Mailscanner friends,
>      >
>      > is there any progress to make MailScanner usable as a postfix milter?
>      > The most biggest problem I have is, SPAM is not possible to
>     reject when
>      > reaching a high score at MTA level. For my understanding, connect
>     via
>      > milter instead of queue ^HOLD would be the solution.
>      >
>      > For the next decade we are still using MailScanner instead of others
>      > like Rspamd, because MailScanner is like a mail suite for mail
>     security,
>      > but if there will never be the possibility to reject at MTA level
>     the
>      > high score spam, we will also change in 1-3 years while replacing
>     the OS
>      > beyond.
>      >
> 
>     One of MailScanner's strongest features is it's batch mode processing
>     that will allow it to handle a very high volume of mail flow.? I doubt
>     that MailScanner will ever be changed to run as a milter for this
>     reason.
> 
>     I tried rspamd and found it wasn't as good as the author claims so no
>     reason to try to use that as a milter.? It also wasn't as fast as it
>     claims.? I could not send high volumes of mail through it like I could
>     with MailScanner.
> 
>     If you want to block high scoring spam at the MTA level, I suggest
>     using
>     amavis or spamd with the same SA rulesets as MailScanner.? This will
>     get
>     you most of the power of MailScanner's blocking at the MTA.
> 
>     https://wiki.apache.org/spamassassin/IntegratedInMta
> 
>     If you you use postscreen and postwhite at the Postfix MTA level, you
>     can block most of the obvious spam with a tuned list of RBLs.? See the
>     SA users mailing list over the past year for details on this from me
>     and
>     a few others.
> 
>     I suggest setting up a quick test VM with iRedmail to get a good
>     example
>     of how to do TLS and amavis integration well with Postfix.
> 
>     -- 
>     David Jones
> 
> 
>     -- 
>     MailScanner mailing list
>     mailscanner at lists.mailscanner.info
>     <mailto:mailscanner at lists.mailscanner.info>
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> 
> 
> -- 
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
> 
> 

-- 
David Jones

From iversons at rushville.k12.in.us  Sat Aug 11 13:52:46 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 11 Aug 2018 09:52:46 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
Message-ID: <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>

David,

I agree that this is true, and part of my lack of motivation to do it.  One
reason I wanted it as an option was to reconcile the ongoing conflict with
the postfix community and return MailScanner to good standing to this
community.  Weitze has been very stern about MailScanner directly tapping
the postfix queues.

Perhaps an alternative option would be to create a fast MailScanner milter
that behaves more like the HOLD queue.  Basically just a milter that
immediately fires back accept to postfix and places all the messages in a
MailScanner HOLD queue as opposed to a postfix HOLD queue.  Doing so would
maintain speed, simplicity, and be more compliant with postfix. The code
would also be very simple.

Then, as you say, if you need MTA level functionality for SA, use other
software and methods.



On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com> wrote:

> On 08/11/2018 08:15 AM, Shawn Iverson wrote:
> > I have been planning for a MailScanner milter for quite some time.  I
> > have been specifically studying rpamd's milter source for this purpose.
> > Alas, lack of time and lack of money are always an issue, and I put a
> > lot of hours in my day job.  As Jerry would say, I like to eat and have
> > a roof over my head :D
> >
> > If I do find the time to build a milter, performance will definitely be
> > impacted.  The reason is that postfix will have to keep each session
> > open for the duration of scanning, and each MailScanner child would have
> > to issue a callback to postfix after scanning the spam so that postfix
> > can responds to the connection appropriately  (i.e. reject or accept).
> > This will slow down mail processing considerably.  If I do this, I am
> > going to keep the HOLD queue around, so you would have to choose between
> > speed or MTA level rejection functionality.
> >
> >
> >
>
> My gut tells me that this is going to be so slow, that it's not going to
> be worth the time to put into it.  If you want to reject at MTA time,
> throw in amavis-new or spamd (not rspamd) using the same SpamAsssassin
> rules and Bayes DB to get most of the same features as MailScanner
> during the SMTP conversation.  Then the mail that gets through can be
> filtered by MailScanner for it's extra features that make it unique.
>
> I understand there are different local legal requirements around the
> world that if email is accepted at MTA time then it has to be passed on
> to the end user's mailbox.  If you are located in one of these
> countries, then this would be more of an issue.  But since I am in a
> country that doesn't have this legal requirement, I do block email
> post-MTA by MailScanner.
>
> The majority of my spam is blocked at the MTA level already by highly
> tuned RBLs and postscreen's RBL weighting which is very, very good.
> Only a small percentage of spam that is zero-hour or from compromised
> accounts makes it to MailScanner.
>
> I highly recommend the Invaluement RBL.  It's very accurate -- only 1 or
> 2 false positives over 5+ the years.  This RBL is very cost effective
> and has allowed me to disable all Spamhaus RBL checks in SpamAssassin
> saving thousands of dollars a year.  (We have too high a volume to stay
> under the free usage limits of Spamhaus so we were having to pay for the
> RBL feed.)
>
> >
> >
> >
> > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
> > <mailscanner at lists.mailscanner.info
> > <mailto:mailscanner at lists.mailscanner.info>> wrote:
> >
> >     On 08/07/2018 05:03 AM, info at schroeffu.ch <mailto:info at schroeffu.ch>
> >     wrote:
> >      >
> >      > Hi Mailscanner friends,
> >      >
> >      > is there any progress to make MailScanner usable as a postfix
> milter?
> >      > The most biggest problem I have is, SPAM is not possible to
> >     reject when
> >      > reaching a high score at MTA level. For my understanding, connect
> >     via
> >      > milter instead of queue ^HOLD would be the solution.
> >      >
> >      > For the next decade we are still using MailScanner instead of
> others
> >      > like Rspamd, because MailScanner is like a mail suite for mail
> >     security,
> >      > but if there will never be the possibility to reject at MTA level
> >     the
> >      > high score spam, we will also change in 1-3 years while replacing
> >     the OS
> >      > beyond.
> >      >
> >
> >     One of MailScanner's strongest features is it's batch mode processing
> >     that will allow it to handle a very high volume of mail flow.  I
> doubt
> >     that MailScanner will ever be changed to run as a milter for this
> >     reason.
> >
> >     I tried rspamd and found it wasn't as good as the author claims so no
> >     reason to try to use that as a milter.  It also wasn't as fast as it
> >     claims.  I could not send high volumes of mail through it like I
> could
> >     with MailScanner.
> >
> >     If you want to block high scoring spam at the MTA level, I suggest
> >     using
> >     amavis or spamd with the same SA rulesets as MailScanner.  This will
> >     get
> >     you most of the power of MailScanner's blocking at the MTA.
> >
> >     https://wiki.apache.org/spamassassin/IntegratedInMta
> >
> >     If you you use postscreen and postwhite at the Postfix MTA level, you
> >     can block most of the obvious spam with a tuned list of RBLs.  See
> the
> >     SA users mailing list over the past year for details on this from me
> >     and
> >     a few others.
> >
> >     I suggest setting up a quick test VM with iRedmail to get a good
> >     example
> >     of how to do TLS and amavis integration well with Postfix.
> >
> >     --
> >     David Jones
> >
> >
> >     --
> >     MailScanner mailing list
> >     mailscanner at lists.mailscanner.info
> >     <mailto:mailscanner at lists.mailscanner.info>
> >     http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> >
> >
> > --
> > Shawn Iverson, CETL
> > Director of Technology
> > Rush County Schools
> > 765-932-3901 x1171
> > iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
> >
> >
>
> --
> David Jones
>


-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180811/43b08d25/attachment.html>

From djones at ena.com  Sat Aug 11 13:58:02 2018
From: djones at ena.com (David Jones)
Date: Sat, 11 Aug 2018 08:58:02 -0500
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
Message-ID: <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>

On 08/11/2018 08:52 AM, Shawn Iverson wrote:
> David,
> 
> I agree that this is true, and part of my lack of motivation to do it.  
> One reason I wanted it as an option was to reconcile the ongoing 
> conflict with the postfix community and return MailScanner to good 
> standing to this community.? Weitze has been very stern about 
> MailScanner directly tapping the postfix queues.
> 
> Perhaps an alternative option would be to create a fast MailScanner 
> milter that behaves more like the HOLD queue.? Basically just a milter 
> that immediately fires back accept to postfix and places all the 
> messages in a MailScanner HOLD queue as opposed to a postfix HOLD 
> queue.? Doing so would maintain speed, simplicity, and be more compliant 
> with postfix. The code would also be very simple.
> 
> Then, as you say, if you need MTA level functionality for SA, use other 
> software and methods.
> 
> 

This light MS milter would make a lot of sense based on your goal to get 
compliant with Postfix and back "in" with the Postfix community.  +1

> 
> On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com 
> <mailto:djones at ena.com>> wrote:
> 
>     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>      > I have been planning for a MailScanner milter for quite some
>     time.? I
>      > have been specifically studying rpamd's milter source for this
>     purpose.
>      > Alas, lack of time and lack of money are always an issue, and I
>     put a
>      > lot of hours in my day job.? As Jerry would say, I like to eat
>     and have
>      > a roof over my head :D
>      >
>      > If I do find the time to build a milter, performance will
>     definitely be
>      > impacted.? The reason is that postfix will have to keep each session
>      > open for the duration of scanning, and each MailScanner child
>     would have
>      > to issue a callback to postfix after scanning the spam so that
>     postfix
>      > can responds to the connection appropriately? (i.e. reject or
>     accept).
>      > This will slow down mail processing considerably.? If I do this,
>     I am
>      > going to keep the HOLD queue around, so you would have to choose
>     between
>      > speed or MTA level rejection functionality.
>      >
>      >
>      >
> 
>     My gut tells me that this is going to be so slow, that it's not
>     going to
>     be worth the time to put into it.? If you want to reject at MTA time,
>     throw in amavis-new or spamd (not rspamd) using the same SpamAsssassin
>     rules and Bayes DB to get most of the same features as MailScanner
>     during the SMTP conversation.? Then the mail that gets through can be
>     filtered by MailScanner for it's extra features that make it unique.
> 
>     I understand there are different local legal requirements around the
>     world that if email is accepted at MTA time then it has to be passed on
>     to the end user's mailbox.? If you are located in one of these
>     countries, then this would be more of an issue.? But since I am in a
>     country that doesn't have this legal requirement, I do block email
>     post-MTA by MailScanner.
> 
>     The majority of my spam is blocked at the MTA level already by highly
>     tuned RBLs and postscreen's RBL weighting which is very, very good.
>     Only a small percentage of spam that is zero-hour or from compromised
>     accounts makes it to MailScanner.
> 
>     I highly recommend the Invaluement RBL.? It's very accurate -- only
>     1 or
>     2 false positives over 5+ the years.? This RBL is very cost effective
>     and has allowed me to disable all Spamhaus RBL checks in SpamAssassin
>     saving thousands of dollars a year.? (We have too high a volume to stay
>     under the free usage limits of Spamhaus so we were having to pay for
>     the
>     RBL feed.)
> 
>      >
>      >
>      >
>      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>      > <mailscanner at lists.mailscanner.info
>     <mailto:mailscanner at lists.mailscanner.info>
>      > <mailto:mailscanner at lists.mailscanner.info
>     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>      >
>      >? ? ?On 08/07/2018 05:03 AM, info at schroeffu.ch
>     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>     <mailto:info at schroeffu.ch>>
>      >? ? ?wrote:
>      >? ? ? >
>      >? ? ? > Hi Mailscanner friends,
>      >? ? ? >
>      >? ? ? > is there any progress to make MailScanner usable as a
>     postfix milter?
>      >? ? ? > The most biggest problem I have is, SPAM is not possible to
>      >? ? ?reject when
>      >? ? ? > reaching a high score at MTA level. For my understanding,
>     connect
>      >? ? ?via
>      >? ? ? > milter instead of queue ^HOLD would be the solution.
>      >? ? ? >
>      >? ? ? > For the next decade we are still using MailScanner instead
>     of others
>      >? ? ? > like Rspamd, because MailScanner is like a mail suite for mail
>      >? ? ?security,
>      >? ? ? > but if there will never be the possibility to reject at
>     MTA level
>      >? ? ?the
>      >? ? ? > high score spam, we will also change in 1-3 years while
>     replacing
>      >? ? ?the OS
>      >? ? ? > beyond.
>      >? ? ? >
>      >
>      >? ? ?One of MailScanner's strongest features is it's batch mode
>     processing
>      >? ? ?that will allow it to handle a very high volume of mail
>     flow.? I doubt
>      >? ? ?that MailScanner will ever be changed to run as a milter for this
>      >? ? ?reason.
>      >
>      >? ? ?I tried rspamd and found it wasn't as good as the author
>     claims so no
>      >? ? ?reason to try to use that as a milter.? It also wasn't as
>     fast as it
>      >? ? ?claims.? I could not send high volumes of mail through it
>     like I could
>      >? ? ?with MailScanner.
>      >
>      >? ? ?If you want to block high scoring spam at the MTA level, I
>     suggest
>      >? ? ?using
>      >? ? ?amavis or spamd with the same SA rulesets as MailScanner. 
>     This will
>      >? ? ?get
>      >? ? ?you most of the power of MailScanner's blocking at the MTA.
>      >
>      > https://wiki.apache.org/spamassassin/IntegratedInMta
>      >
>      >? ? ?If you you use postscreen and postwhite at the Postfix MTA
>     level, you
>      >? ? ?can block most of the obvious spam with a tuned list of
>     RBLs.? See the
>      >? ? ?SA users mailing list over the past year for details on this
>     from me
>      >? ? ?and
>      >? ? ?a few others.
>      >
>      >? ? ?I suggest setting up a quick test VM with iRedmail to get a good
>      >? ? ?example
>      >? ? ?of how to do TLS and amavis integration well with Postfix.
>      >
>      >? ? ?--
>      >? ? ?David Jones
>      >
>      >
>      >? ? ?--
>      >? ? ?MailScanner mailing list
>      > mailscanner at lists.mailscanner.info
>     <mailto:mailscanner at lists.mailscanner.info>
>      >? ? ?<mailto:mailscanner at lists.mailscanner.info
>     <mailto:mailscanner at lists.mailscanner.info>>
>      > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>      >
>      >
>      >
>      > --
>      > Shawn Iverson, CETL
>      > Director of Technology
>      > Rush County Schools
>      > 765-932-3901 x1171
>      > iversons at rushville.k12.in.us
>     <mailto:iversons at rushville.k12.in.us>
>     <mailto:iversons at rushville.k12.in.us
>     <mailto:iversons at rushville.k12.in.us>>
>      >
>      >
> 
>     -- 
>     David Jones
> 
> 
> 
> -- 
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
> 
> 


-- 
David Jones

From belle at bazuin.nl  Sat Aug 11 16:14:31 2018
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Sat, 11 Aug 2018 18:14:31 +0200
Subject: Mailscanner milter to reject high score spam at MTA level
Message-ID: <vmime.5b6f0b67.6bd5.587ea5d162b83c57@ms249-lin-003.rotterdam.bazuin.nl>

+1 

Great idea.


> Op 11 aug. 2018 om 15:58 heeft David Jones via MailScanner <mailscanner at lists.mailscanner.info> het volgende geschreven:
> 
>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>> David,
>> 
>> I agree that this is true, and part of my lack of motivation to do it.  
>> One reason I wanted it as an option was to reconcile the ongoing 
>> conflict with the postfix community and return MailScanner to good 
>> standing to this community.  Weitze has been very stern about 
>> MailScanner directly tapping the postfix queues.
>> 
>> Perhaps an alternative option would be to create a fast MailScanner 
>> milter that behaves more like the HOLD queue.  Basically just a milter 
>> that immediately fires back accept to postfix and places all the 
>> messages in a MailScanner HOLD queue as opposed to a postfix HOLD 
>> queue.  Doing so would maintain speed, simplicity, and be more compliant 
>> with postfix. The code would also be very simple.
>> 
>> Then, as you say, if you need MTA level functionality for SA, use other 
>> software and methods.
>> 
>> 
> 
> This light MS milter would make a lot of sense based on your goal to get 
> compliant with Postfix and back "in" with the Postfix community.  +1
> 
>> 
>> On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com 
>> <mailto:djones at ena.com>> wrote:
>> 
>>>    On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>> I have been planning for a MailScanner milter for quite some
>>    time.  I
>>> have been specifically studying rpamd's milter source for this
>>    purpose.
>>> Alas, lack of time and lack of money are always an issue, and I
>>    put a
>>> lot of hours in my day job.  As Jerry would say, I like to eat
>>    and have
>>> a roof over my head :D
>>> 
>>> If I do find the time to build a milter, performance will
>>    definitely be
>>> impacted.  The reason is that postfix will have to keep each session
>>> open for the duration of scanning, and each MailScanner child
>>    would have
>>> to issue a callback to postfix after scanning the spam so that
>>    postfix
>>> can responds to the connection appropriately  (i.e. reject or
>>    accept).
>>> This will slow down mail processing considerably.  If I do this,
>>    I am
>>> going to keep the HOLD queue around, so you would have to choose
>>    between
>>> speed or MTA level rejection functionality.
>>> 
>>> 
>>> 
>> 
>>    My gut tells me that this is going to be so slow, that it's not
>>    going to
>>    be worth the time to put into it.  If you want to reject at MTA time,
>>    throw in amavis-new or spamd (not rspamd) using the same SpamAsssassin
>>    rules and Bayes DB to get most of the same features as MailScanner
>>    during the SMTP conversation.  Then the mail that gets through can be
>>    filtered by MailScanner for it's extra features that make it unique.
>> 
>>    I understand there are different local legal requirements around the
>>    world that if email is accepted at MTA time then it has to be passed on
>>    to the end user's mailbox.  If you are located in one of these
>>    countries, then this would be more of an issue.  But since I am in a
>>    country that doesn't have this legal requirement, I do block email
>>    post-MTA by MailScanner.
>> 
>>    The majority of my spam is blocked at the MTA level already by highly
>>    tuned RBLs and postscreen's RBL weighting which is very, very good.
>>    Only a small percentage of spam that is zero-hour or from compromised
>>    accounts makes it to MailScanner.
>> 
>>    I highly recommend the Invaluement RBL.  It's very accurate -- only
>>    1 or
>>    2 false positives over 5+ the years.  This RBL is very cost effective
>>    and has allowed me to disable all Spamhaus RBL checks in SpamAssassin
>>    saving thousands of dollars a year.  (We have too high a volume to stay
>>    under the free usage limits of Spamhaus so we were having to pay for
>>    the
>>    RBL feed.)
>> 
>>> 
>>> 
>>> 
>>> On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>>> <mailscanner at lists.mailscanner.info
>>    <mailto:mailscanner at lists.mailscanner.info>
>>> <mailto:mailscanner at lists.mailscanner.info
>>    <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>>> 
>>>      On 08/07/2018 05:03 AM, info at schroeffu.ch
>>    <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>>    <mailto:info at schroeffu.ch>>
>>>      wrote:
>>>       >
>>>       > Hi Mailscanner friends,
>>>       >
>>>       > is there any progress to make MailScanner usable as a
>>    postfix milter?
>>>       > The most biggest problem I have is, SPAM is not possible to
>>>      reject when
>>>       > reaching a high score at MTA level. For my understanding,
>>    connect
>>>      via
>>>       > milter instead of queue ^HOLD would be the solution.
>>>       >
>>>       > For the next decade we are still using MailScanner instead
>>    of others
>>>       > like Rspamd, because MailScanner is like a mail suite for mail
>>>      security,
>>>       > but if there will never be the possibility to reject at
>>    MTA level
>>>      the
>>>       > high score spam, we will also change in 1-3 years while
>>    replacing
>>>      the OS
>>>       > beyond.
>>>       >
>>> 
>>>      One of MailScanner's strongest features is it's batch mode
>>    processing
>>>      that will allow it to handle a very high volume of mail
>>    flow.  I doubt
>>>      that MailScanner will ever be changed to run as a milter for this
>>>      reason.
>>> 
>>>      I tried rspamd and found it wasn't as good as the author
>>    claims so no
>>>      reason to try to use that as a milter.  It also wasn't as
>>    fast as it
>>>      claims.  I could not send high volumes of mail through it
>>    like I could
>>>      with MailScanner.
>>> 
>>>      If you want to block high scoring spam at the MTA level, I
>>    suggest
>>>      using
>>>      amavis or spamd with the same SA rulesets as MailScanner. 
>>    This will
>>>      get
>>>      you most of the power of MailScanner's blocking at the MTA.
>>> 
>>> https://wiki.apache.org/spamassassin/IntegratedInMta
>>> 
>>>      If you you use postscreen and postwhite at the Postfix MTA
>>    level, you
>>>      can block most of the obvious spam with a tuned list of
>>    RBLs.  See the
>>>      SA users mailing list over the past year for details on this
>>    from me
>>>      and
>>>      a few others.
>>> 
>>>      I suggest setting up a quick test VM with iRedmail to get a good
>>>      example
>>>      of how to do TLS and amavis integration well with Postfix.
>>> 
>>>      --
>>>      David Jones
>>> 
>>> 
>>>      --
>>>      MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>    <mailto:mailscanner at lists.mailscanner.info>
>>>      <mailto:mailscanner at lists.mailscanner.info
>>    <mailto:mailscanner at lists.mailscanner.info>>
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>> 
>>> 
>>> 
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>    <mailto:iversons at rushville.k12.in.us>
>>    <mailto:iversons at rushville.k12.in.us
>>    <mailto:iversons at rushville.k12.in.us>>
>>> 
>>> 
>> 
>>    -- 
>>    David Jones
>> 
>> 
>> 
>> -- 
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
>> 
>> 
> 
> 
> -- 
> David Jones
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 


From pramod at mindspring.co.za  Tue Aug 14 08:33:15 2018
From: pramod at mindspring.co.za (Pramod Daya)
Date: Tue, 14 Aug 2018 08:33:15 +0000
Subject: Phishing Whitelisting entries not working
In-Reply-To: <DB3PR0402MB383682C8FF151A5D90E06397F72A0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
References: <DB3PR0402MB38366B6BB9F0AF68C4CADB26F72B0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <CABu_8zJA9o8dMfDjZtQrCdAZ0sAYpoLG1Fpjr=w97Ks-s+KH3A@mail.gmail.com>
 <DB3PR0402MB3836F78FC5E8AE7EDCB50435F72B0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <CABu_8zJ+hmcSyL_OKVH518HqQGdOTeo4KKmZgqZS380ioXa_=Q@mail.gmail.com>
 <DB3PR0402MB383682C8FF151A5D90E06397F72A0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
Message-ID: <DB3PR0402MB3836C430CA3DFBB6A02DC798F7380@DB3PR0402MB3836.eurprd04.prod.outlook.com>

I upgraded to MailScanner 5.0.7-4 and unfortunately I?m seeing that whitelisted entries are still getting tagged with ?Disarmed? tags.  

 

On a different server with Centos 6.9 and mailscanner 4.84.6, the Phishing Whitelisting is working correctly. ..

 

From: MailScanner <mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info> On Behalf Of Pramod Daya
Sent: Friday, 27 July 2018 11:03
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: RE: Phishing Whitelisting entries not working

 

Thank you, will give that a bash. 

 

From: MailScanner <mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info> On Behalf Of Shawn Iverson
Sent: Thursday, 26 July 2018 16:34
To: MailScanner Discussion <mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> >
Subject: Re: Phishing Whitelisting entries not working

 

See this commit: https://github.com/MailScanner/v5/commit/7c121ba4934135e5ad4d4518aaf0e2e041dabee5

 

Please upgrade to version 5.0.7-4, there was an issue parsing the phishing whitelists and blacklists properly and let us know if you see a change.

 

On Thu, Jul 26, 2018 at 10:11 AM, Pramod Daya <pramod at mindspring.co.za <mailto:pramod at mindspring.co.za> > wrote:

Ver 5.0.3-7

 

From: MailScanner <mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info <mailto:mindspring.co.za at lists.mailscanner.info> > On Behalf Of Shawn Iverson
Sent: Thursday, 26 July 2018 15:47
To: MailScanner Discussion <mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> >
Subject: Re: Phishing Whitelisting entries not working

 

Version of mailscanner?

 

On Thu, Jul 26, 2018, 3:03 AM Pramod Daya <pramod at mindspring.co.za <mailto:pramod at mindspring.co.za> > wrote:

Hi,

 

I?m using the latest version of ms-update-phishing to download phishing lists, and putting whitelisted sites into /etc/MailScanner/phishing.safe.sites.custom.   They get merged with phishing.safe.sites.conf when ms-update-phishing runs. 

 

However, email from sites that I whitelist still get a {Disarmed} tag. 

 

I?ve tried adding user at site.com <mailto:user at site.com> , .site.com <http://site.com> , *.site.com <http://site.com> , but I?m not winning. 

 

Any pearls of wisdom, please ? 

 

Tnx,

Pramod 

 



-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
http://lists.mailscanner.info/mailman/listinfo/mailscanner




-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info> 
http://lists.mailscanner.info/mailman/listinfo/mailscanner





 

-- 

Shawn Iverson, CETL

Director of Technology

Rush County Schools

765-932-3901 x1171

iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us> 

 

  <https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_cy1OZFNIZ0drYVU&revid=0Bw5iD0ToYvs_UitIcHVIWkJVVTl2VGpxVUE0d0FQcHBIRXk4PQ>   <https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_Zkh4eEs3R01yWXc&revid=0Bw5iD0ToYvs_QWpBK2Y2ajJtYjhOMDRFekZwK2xOamk5Q3Y0PQ> 

  <https://docs.google.com/uc?export=download&id=1aBrlQou4gjB04FY-twHN_0Dn3GHVNxqa&revid=0Bw5iD0ToYvs_RnQ0eDhHcm95WHBFdkNRbXhQRXpoYkR6SEEwPQ> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180814/8defd42e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5538 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180814/8defd42e/attachment.bin>

From iversons at rushville.k12.in.us  Tue Aug 14 14:56:59 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 14 Aug 2018 10:56:59 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID: <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>

Dear MailScanner users:

I am officially working on creating a lightweight milter for MailScanner.

This milter will not provide MTA protocol rejection for postfix, due to the
severe performance penalty it would cause.  All mail will be intercepted,
accepted, and silently dropped from the postfix queue and placed in a
MailScanner queue.

I have a working prototype, and it is processing mail!  It is in need of
heavy refactoring and some bug squashing.

Currently it attempts to create a postfix formatted queue file (very ugly,
who thought up this file format???!!!).  I may instead create a new Milter
Processor for MailScanner that reduces the overhead of doing this and can
read the incoming email in a simple line-by-line format.  This may also
increase performance overall and reduce all the conversions happening.

The other side of the coin is what to do when MailScanner is done
processing mail.  Currently, it generates a postfix queue file and drops it
into postfix incoming directory.  It should not do this but instead drop
the message into postfix using native postfix tools.  That will be the next
part I tackle as part of the Milter Processor.

Why am I doing this?  I want to place MailScanner back in a good standing
with Postfix folks (at least when the milter + postfix method is in use).

I have no plans of removing the old method but rather provide a more
supported path for postfix users.

Wish me luck.  I could be heard across the neighborhood when MailScanner
processed an email from the Milter for the first time! :D




On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com> wrote:

> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
> > David,
> >
> > I agree that this is true, and part of my lack of motivation to do it.
> > One reason I wanted it as an option was to reconcile the ongoing
> > conflict with the postfix community and return MailScanner to good
> > standing to this community.  Weitze has been very stern about
> > MailScanner directly tapping the postfix queues.
> >
> > Perhaps an alternative option would be to create a fast MailScanner
> > milter that behaves more like the HOLD queue.  Basically just a milter
> > that immediately fires back accept to postfix and places all the
> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
> > queue.  Doing so would maintain speed, simplicity, and be more compliant
> > with postfix. The code would also be very simple.
> >
> > Then, as you say, if you need MTA level functionality for SA, use other
> > software and methods.
> >
> >
>
> This light MS milter would make a lot of sense based on your goal to get
> compliant with Postfix and back "in" with the Postfix community.  +1
>
> >
> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
> > <mailto:djones at ena.com>> wrote:
> >
> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
> >      > I have been planning for a MailScanner milter for quite some
> >     time.  I
> >      > have been specifically studying rpamd's milter source for this
> >     purpose.
> >      > Alas, lack of time and lack of money are always an issue, and I
> >     put a
> >      > lot of hours in my day job.  As Jerry would say, I like to eat
> >     and have
> >      > a roof over my head :D
> >      >
> >      > If I do find the time to build a milter, performance will
> >     definitely be
> >      > impacted.  The reason is that postfix will have to keep each
> session
> >      > open for the duration of scanning, and each MailScanner child
> >     would have
> >      > to issue a callback to postfix after scanning the spam so that
> >     postfix
> >      > can responds to the connection appropriately  (i.e. reject or
> >     accept).
> >      > This will slow down mail processing considerably.  If I do this,
> >     I am
> >      > going to keep the HOLD queue around, so you would have to choose
> >     between
> >      > speed or MTA level rejection functionality.
> >      >
> >      >
> >      >
> >
> >     My gut tells me that this is going to be so slow, that it's not
> >     going to
> >     be worth the time to put into it.  If you want to reject at MTA time,
> >     throw in amavis-new or spamd (not rspamd) using the same
> SpamAsssassin
> >     rules and Bayes DB to get most of the same features as MailScanner
> >     during the SMTP conversation.  Then the mail that gets through can be
> >     filtered by MailScanner for it's extra features that make it unique.
> >
> >     I understand there are different local legal requirements around the
> >     world that if email is accepted at MTA time then it has to be passed
> on
> >     to the end user's mailbox.  If you are located in one of these
> >     countries, then this would be more of an issue.  But since I am in a
> >     country that doesn't have this legal requirement, I do block email
> >     post-MTA by MailScanner.
> >
> >     The majority of my spam is blocked at the MTA level already by highly
> >     tuned RBLs and postscreen's RBL weighting which is very, very good.
> >     Only a small percentage of spam that is zero-hour or from compromised
> >     accounts makes it to MailScanner.
> >
> >     I highly recommend the Invaluement RBL.  It's very accurate -- only
> >     1 or
> >     2 false positives over 5+ the years.  This RBL is very cost effective
> >     and has allowed me to disable all Spamhaus RBL checks in SpamAssassin
> >     saving thousands of dollars a year.  (We have too high a volume to
> stay
> >     under the free usage limits of Spamhaus so we were having to pay for
> >     the
> >     RBL feed.)
> >
> >      >
> >      >
> >      >
> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
> >      > <mailscanner at lists.mailscanner.info
> >     <mailto:mailscanner at lists.mailscanner.info>
> >      > <mailto:mailscanner at lists.mailscanner.info
> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
> >      >
> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
> >     <mailto:info at schroeffu.ch>>
> >      >     wrote:
> >      >      >
> >      >      > Hi Mailscanner friends,
> >      >      >
> >      >      > is there any progress to make MailScanner usable as a
> >     postfix milter?
> >      >      > The most biggest problem I have is, SPAM is not possible to
> >      >     reject when
> >      >      > reaching a high score at MTA level. For my understanding,
> >     connect
> >      >     via
> >      >      > milter instead of queue ^HOLD would be the solution.
> >      >      >
> >      >      > For the next decade we are still using MailScanner instead
> >     of others
> >      >      > like Rspamd, because MailScanner is like a mail suite for
> mail
> >      >     security,
> >      >      > but if there will never be the possibility to reject at
> >     MTA level
> >      >     the
> >      >      > high score spam, we will also change in 1-3 years while
> >     replacing
> >      >     the OS
> >      >      > beyond.
> >      >      >
> >      >
> >      >     One of MailScanner's strongest features is it's batch mode
> >     processing
> >      >     that will allow it to handle a very high volume of mail
> >     flow.  I doubt
> >      >     that MailScanner will ever be changed to run as a milter for
> this
> >      >     reason.
> >      >
> >      >     I tried rspamd and found it wasn't as good as the author
> >     claims so no
> >      >     reason to try to use that as a milter.  It also wasn't as
> >     fast as it
> >      >     claims.  I could not send high volumes of mail through it
> >     like I could
> >      >     with MailScanner.
> >      >
> >      >     If you want to block high scoring spam at the MTA level, I
> >     suggest
> >      >     using
> >      >     amavis or spamd with the same SA rulesets as MailScanner.
> >     This will
> >      >     get
> >      >     you most of the power of MailScanner's blocking at the MTA.
> >      >
> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
> >      >
> >      >     If you you use postscreen and postwhite at the Postfix MTA
> >     level, you
> >      >     can block most of the obvious spam with a tuned list of
> >     RBLs.  See the
> >      >     SA users mailing list over the past year for details on this
> >     from me
> >      >     and
> >      >     a few others.
> >      >
> >      >     I suggest setting up a quick test VM with iRedmail to get a
> good
> >      >     example
> >      >     of how to do TLS and amavis integration well with Postfix.
> >      >
> >      >     --
> >      >     David Jones
> >      >
> >      >
> >      >     --
> >      >     MailScanner mailing list
> >      > mailscanner at lists.mailscanner.info
> >     <mailto:mailscanner at lists.mailscanner.info>
> >      >     <mailto:mailscanner at lists.mailscanner.info
> >     <mailto:mailscanner at lists.mailscanner.info>>
> >      > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >      >
> >      >
> >      >
> >      > --
> >      > Shawn Iverson, CETL
> >      > Director of Technology
> >      > Rush County Schools
> >      > 765-932-3901 x1171
> >      > iversons at rushville.k12.in.us
> >     <mailto:iversons at rushville.k12.in.us>
> >     <mailto:iversons at rushville.k12.in.us
> >     <mailto:iversons at rushville.k12.in.us>>
> >      >
> >      >
> >
> >     --
> >     David Jones
> >
> >
> >
> > --
> > Shawn Iverson, CETL
> > Director of Technology
> > Rush County Schools
> > 765-932-3901 x1171
> > iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
> >
> >
>
>
> --
> David Jones
>


-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180814/1134da86/attachment.html>

From iversons at rushville.k12.in.us  Tue Aug 14 14:58:40 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 14 Aug 2018 10:58:40 -0400
Subject: Phishing Whitelisting entries not working
In-Reply-To: <DB3PR0402MB3836C430CA3DFBB6A02DC798F7380@DB3PR0402MB3836.eurprd04.prod.outlook.com>
References: <DB3PR0402MB38366B6BB9F0AF68C4CADB26F72B0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <CABu_8zJA9o8dMfDjZtQrCdAZ0sAYpoLG1Fpjr=w97Ks-s+KH3A@mail.gmail.com>
 <DB3PR0402MB3836F78FC5E8AE7EDCB50435F72B0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <CABu_8zJ+hmcSyL_OKVH518HqQGdOTeo4KKmZgqZS380ioXa_=Q@mail.gmail.com>
 <DB3PR0402MB383682C8FF151A5D90E06397F72A0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <DB3PR0402MB3836C430CA3DFBB6A02DC798F7380@DB3PR0402MB3836.eurprd04.prod.outlook.com>
Message-ID: <CABu_8z+aQ2Q-7+w_UM0cXBeAXnjDkfxjgSu-EgTKfrhm5ue92A@mail.gmail.com>

Thank you for the feedback.  I will dive into the code deeper and see if I
can pinpoint the issue.

On Tue, Aug 14, 2018 at 4:33 AM Pramod Daya <pramod at mindspring.co.za> wrote:

> I upgraded to MailScanner 5.0.7-4 and unfortunately I?m seeing that
> whitelisted entries are still getting tagged with ?Disarmed? tags.
>
>
>
> On a different server with Centos 6.9 and mailscanner 4.84.6, the Phishing
> Whitelisting is working correctly. ..
>
>
>
> *From:* MailScanner <mailscanner-bounces+pramod=
> mindspring.co.za at lists.mailscanner.info> *On Behalf Of *Pramod Daya
> *Sent:* Friday, 27 July 2018 11:03
> *To:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
> *Subject:* RE: Phishing Whitelisting entries not working
>
>
>
> Thank you, will give that a bash.
>
>
>
> *From:* MailScanner <
> mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info> *On
> Behalf Of *Shawn Iverson
> *Sent:* Thursday, 26 July 2018 16:34
> *To:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
> *Subject:* Re: Phishing Whitelisting entries not working
>
>
>
> See this commit:
> https://github.com/MailScanner/v5/commit/7c121ba4934135e5ad4d4518aaf0e2e041dabee5
>
>
>
> Please upgrade to version 5.0.7-4, there was an issue parsing the phishing
> whitelists and blacklists properly and let us know if you see a change.
>
>
>
> On Thu, Jul 26, 2018 at 10:11 AM, Pramod Daya <pramod at mindspring.co.za>
> wrote:
>
> Ver 5.0.3-7
>
>
>
> *From:* MailScanner <mailscanner-bounces+pramod=
> mindspring.co.za at lists.mailscanner.info> *On Behalf Of *Shawn Iverson
> *Sent:* Thursday, 26 July 2018 15:47
> *To:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
> *Subject:* Re: Phishing Whitelisting entries not working
>
>
>
> Version of mailscanner?
>
>
>
> On Thu, Jul 26, 2018, 3:03 AM Pramod Daya <pramod at mindspring.co.za> wrote:
>
> Hi,
>
>
>
> I?m using the latest version of ms-update-phishing to download phishing
> lists, and putting whitelisted sites into
> /etc/MailScanner/phishing.safe.sites.custom.   They get merged with
> phishing.safe.sites.conf when ms-update-phishing runs.
>
>
>
> However, email from sites that I whitelist still get a {Disarmed} tag.
>
>
>
> I?ve tried adding user at site.com, .site.com, *.site.com, but I?m not
> winning.
>
>
>
> Any pearls of wisdom, please ?
>
>
>
> Tnx,
>
> Pramod
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
>
>
>
> --
>
> Shawn Iverson, CETL
>
> Director of Technology
>
> Rush County Schools
>
> 765-932-3901 x1171
>
> iversons at rushville.k12.in.us
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180814/062d3b80/attachment.html>

From belle at bazuin.nl  Tue Aug 14 15:05:43 2018
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Tue, 14 Aug 2018 17:05:43 +0200
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
References: <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
Message-ID: <vmime.5b72efc7.75f.2657a47143ecf6b7@ms249-lin-003.rotterdam.bazuin.nl>

Good luck Shawn, 
?
Best of luck and keep us posted :-) 
?
Greetz, 
?
Louis
?

Van: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] Namens Shawn Iverson
Verzonden: dinsdag 14 augustus 2018 16:57
Aan: mailscanner at lists.mailscanner.info
Onderwerp: Re: Mailscanner milter to reject high score spam at MTA level



Dear MailScanner users: 

I am officially working on creating a lightweight milter for MailScanner.??


This milter will not provide MTA protocol rejection for postfix, due to the severe performance penalty it would cause.? All mail will be intercepted, accepted, and silently dropped from the postfix queue and placed in a MailScanner queue.



I have a working prototype, and it is processing mail!? It is in need of heavy refactoring and some bug squashing.


Currently it attempts to create a postfix formatted queue file (very ugly, who thought up this file format???!!!).? I may instead create a new Milter Processor for MailScanner that reduces the overhead of doing this and can read the incoming email in a simple line-by-line format.? This may also increase performance overall and reduce all the conversions happening.


The other side of the coin is what to do when MailScanner is done processing mail.? Currently, it generates a postfix queue file and drops it into postfix incoming directory.? It should not do this but instead drop the message into postfix using native postfix tools.? That will be the next part I tackle as part of the Milter Processor.


Why am I doing this?? I want to place MailScanner back in a good standing with Postfix folks (at least when the milter + postfix method is in use).?


I have no plans of removing the old method but rather provide a more supported path for postfix users.


Wish me luck.? I could be heard across the neighborhood when MailScanner processed an email from the Milter for the first time! :D








On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com> wrote:

On 08/11/2018 08:52 AM, Shawn Iverson wrote:
> David,
> 
> I agree that this is true, and part of my lack of motivation to do it.? 
> One reason I wanted it as an option was to reconcile the ongoing 
> conflict with the postfix community and return MailScanner to good 
> standing to this community.? Weitze has been very stern about 
> MailScanner directly tapping the postfix queues.
> 
> Perhaps an alternative option would be to create a fast MailScanner 
> milter that behaves more like the HOLD queue.? Basically just a milter 
> that immediately fires back accept to postfix and places all the 
> messages in a MailScanner HOLD queue as opposed to a postfix HOLD 
> queue.? Doing so would maintain speed, simplicity, and be more compliant 
> with postfix. The code would also be very simple.
> 
> Then, as you say, if you need MTA level functionality for SA, use other 
> software and methods.
> 
> 

This light MS milter would make a lot of sense based on your goal to get 
compliant with Postfix and back "in" with the Postfix community.? +1

> 
> On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com 
> <mailto:djones at ena.com>> wrote:
> 
>? ? ?On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>? ? ? > I have been planning for a MailScanner milter for quite some
>? ? ?time.? I
>? ? ? > have been specifically studying rpamd's milter source for this
>? ? ?purpose.
>? ? ? > Alas, lack of time and lack of money are always an issue, and I
>? ? ?put a
>? ? ? > lot of hours in my day job.? As Jerry would say, I like to eat
>? ? ?and have
>? ? ? > a roof over my head :D
>? ? ? >
>? ? ? > If I do find the time to build a milter, performance will
>? ? ?definitely be
>? ? ? > impacted.? The reason is that postfix will have to keep each session
>? ? ? > open for the duration of scanning, and each MailScanner child
>? ? ?would have
>? ? ? > to issue a callback to postfix after scanning the spam so that
>? ? ?postfix
>? ? ? > can responds to the connection appropriately? (i.e. reject or
>? ? ?accept).
>? ? ? > This will slow down mail processing considerably.? If I do this,
>? ? ?I am
>? ? ? > going to keep the HOLD queue around, so you would have to choose
>? ? ?between
>? ? ? > speed or MTA level rejection functionality.
>? ? ? >
>? ? ? >
>? ? ? >
> 
>? ? ?My gut tells me that this is going to be so slow, that it's not
>? ? ?going to
>? ? ?be worth the time to put into it.? If you want to reject at MTA time,
>? ? ?throw in amavis-new or spamd (not rspamd) using the same SpamAsssassin
>? ? ?rules and Bayes DB to get most of the same features as MailScanner
>? ? ?during the SMTP conversation.? Then the mail that gets through can be
>? ? ?filtered by MailScanner for it's extra features that make it unique.
> 
>? ? ?I understand there are different local legal requirements around the
>? ? ?world that if email is accepted at MTA time then it has to be passed on
>? ? ?to the end user's mailbox.? If you are located in one of these
>? ? ?countries, then this would be more of an issue.? But since I am in a
>? ? ?country that doesn't have this legal requirement, I do block email
>? ? ?post-MTA by MailScanner.
> 
>? ? ?The majority of my spam is blocked at the MTA level already by highly
>? ? ?tuned RBLs and postscreen's RBL weighting which is very, very good.
>? ? ?Only a small percentage of spam that is zero-hour or from compromised
>? ? ?accounts makes it to MailScanner.
> 
>? ? ?I highly recommend the Invaluement RBL.? It's very accurate -- only
>? ? ?1 or
>? ? ?2 false positives over 5+ the years.? This RBL is very cost effective
>? ? ?and has allowed me to disable all Spamhaus RBL checks in SpamAssassin
>? ? ?saving thousands of dollars a year.? (We have too high a volume to stay
>? ? ?under the free usage limits of Spamhaus so we were having to pay for
>? ? ?the
>? ? ?RBL feed.)
> 
>? ? ? >
>? ? ? >
>? ? ? >
>? ? ? > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>? ? ? > <mailscanner at lists.mailscanner.info
>? ? ?<mailto:mailscanner at lists.mailscanner.info>
>? ? ? > <mailto:mailscanner at lists.mailscanner.info
>? ? ?<mailto:mailscanner at lists.mailscanner.info>>> wrote:
>? ? ? >
>? ? ? >? ? ?On 08/07/2018 05:03 AM, info at schroeffu.ch
>? ? ?<mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>? ? ?<mailto:info at schroeffu.ch>>
>? ? ? >? ? ?wrote:
>? ? ? >? ? ? >
>? ? ? >? ? ? > Hi Mailscanner friends,
>? ? ? >? ? ? >
>? ? ? >? ? ? > is there any progress to make MailScanner usable as a
>? ? ?postfix milter?
>? ? ? >? ? ? > The most biggest problem I have is, SPAM is not possible to
>? ? ? >? ? ?reject when
>? ? ? >? ? ? > reaching a high score at MTA level. For my understanding,
>? ? ?connect
>? ? ? >? ? ?via
>? ? ? >? ? ? > milter instead of queue ^HOLD would be the solution.
>? ? ? >? ? ? >
>? ? ? >? ? ? > For the next decade we are still using MailScanner instead
>? ? ?of others
>? ? ? >? ? ? > like Rspamd, because MailScanner is like a mail suite for mail
>? ? ? >? ? ?security,
>? ? ? >? ? ? > but if there will never be the possibility to reject at
>? ? ?MTA level
>? ? ? >? ? ?the
>? ? ? >? ? ? > high score spam, we will also change in 1-3 years while
>? ? ?replacing
>? ? ? >? ? ?the OS
>? ? ? >? ? ? > beyond.
>? ? ? >? ? ? >
>? ? ? >
>? ? ? >? ? ?One of MailScanner's strongest features is it's batch mode
>? ? ?processing
>? ? ? >? ? ?that will allow it to handle a very high volume of mail
>? ? ?flow.? I doubt
>? ? ? >? ? ?that MailScanner will ever be changed to run as a milter for this
>? ? ? >? ? ?reason.
>? ? ? >
>? ? ? >? ? ?I tried rspamd and found it wasn't as good as the author
>? ? ?claims so no
>? ? ? >? ? ?reason to try to use that as a milter.? It also wasn't as
>? ? ?fast as it
>? ? ? >? ? ?claims.? I could not send high volumes of mail through it
>? ? ?like I could
>? ? ? >? ? ?with MailScanner.
>? ? ? >
>? ? ? >? ? ?If you want to block high scoring spam at the MTA level, I
>? ? ?suggest
>? ? ? >? ? ?using
>? ? ? >? ? ?amavis or spamd with the same SA rulesets as MailScanner. 
>? ? ?This will
>? ? ? >? ? ?get
>? ? ? >? ? ?you most of the power of MailScanner's blocking at the MTA.
>? ? ? >
>? ? ? > https://wiki.apache.org/spamassassin/IntegratedInMta
>? ? ? >
>? ? ? >? ? ?If you you use postscreen and postwhite at the Postfix MTA
>? ? ?level, you
>? ? ? >? ? ?can block most of the obvious spam with a tuned list of
>? ? ?RBLs.? See the
>? ? ? >? ? ?SA users mailing list over the past year for details on this
>? ? ?from me
>? ? ? >? ? ?and
>? ? ? >? ? ?a few others.
>? ? ? >
>? ? ? >? ? ?I suggest setting up a quick test VM with iRedmail to get a good
>? ? ? >? ? ?example
>? ? ? >? ? ?of how to do TLS and amavis integration well with Postfix.
>? ? ? >
>? ? ? >? ? ?--
>? ? ? >? ? ?David Jones
>? ? ? >
>? ? ? >
>? ? ? >? ? ?--
>? ? ? >? ? ?MailScanner mailing list
>? ? ? > mailscanner at lists.mailscanner.info
>? ? ?<mailto:mailscanner at lists.mailscanner.info>
>? ? ? >? ? ?<mailto:mailscanner at lists.mailscanner.info
>? ? ?<mailto:mailscanner at lists.mailscanner.info>>
>? ? ? > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>? ? ? >
>? ? ? >
>? ? ? >
>? ? ? > --
>? ? ? > Shawn Iverson, CETL
>? ? ? > Director of Technology
>? ? ? > Rush County Schools
>? ? ? > 765-932-3901 x1171
>? ? ? > iversons at rushville.k12.in.us
>? ? ?<mailto:iversons at rushville.k12.in.us>
>? ? ?<mailto:iversons at rushville.k12.in.us
>? ? ?<mailto:iversons at rushville.k12.in.us>>
>? ? ? >
>? ? ? >
> 
>? ? ?-- 
>? ? ?David Jones
> 
> 
> 
> -- 
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
> 
> 


-- 
David Jones




-- 
Shawn Iverson, CETL Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us





















-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180814/3e2719a7/attachment.html>

From mark at msapiro.net  Tue Aug 14 17:08:58 2018
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 14 Aug 2018 10:08:58 -0700
Subject: Phishing Whitelisting entries not working
In-Reply-To: <DB3PR0402MB3836C430CA3DFBB6A02DC798F7380@DB3PR0402MB3836.eurprd04.prod.outlook.com>
References: <DB3PR0402MB38366B6BB9F0AF68C4CADB26F72B0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <CABu_8zJA9o8dMfDjZtQrCdAZ0sAYpoLG1Fpjr=w97Ks-s+KH3A@mail.gmail.com>
 <DB3PR0402MB3836F78FC5E8AE7EDCB50435F72B0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <CABu_8zJ+hmcSyL_OKVH518HqQGdOTeo4KKmZgqZS380ioXa_=Q@mail.gmail.com>
 <DB3PR0402MB383682C8FF151A5D90E06397F72A0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <DB3PR0402MB3836C430CA3DFBB6A02DC798F7380@DB3PR0402MB3836.eurprd04.prod.outlook.com>
Message-ID: <8c5306da-1eec-1c22-95f8-0263c3d72c59@msapiro.net>

On 08/14/2018 01:33 AM, Pramod Daya wrote:
> I upgraded to MailScanner 5.0.7-4 and unfortunately I?m seeing that
> whitelisted entries are still getting tagged with ?Disarmed? tags.?
> 
> On a different server with Centos 6.9 and mailscanner 4.84.6, the
> Phishing Whitelisting is working correctly. ..


Please see
<http://lists.mailscanner.info/pipermail/mailscanner/2018-July/105254.html>
and confirm that the disarming you are seeing is "phishing fraud" and
not some other disarming.


-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From pramod at mindspring.co.za  Thu Aug 16 07:23:50 2018
From: pramod at mindspring.co.za (Pramod Daya)
Date: Thu, 16 Aug 2018 07:23:50 +0000
Subject: Phishing Whitelisting entries not working
In-Reply-To: <8c5306da-1eec-1c22-95f8-0263c3d72c59@msapiro.net>
References: <DB3PR0402MB38366B6BB9F0AF68C4CADB26F72B0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <CABu_8zJA9o8dMfDjZtQrCdAZ0sAYpoLG1Fpjr=w97Ks-s+KH3A@mail.gmail.com>
 <DB3PR0402MB3836F78FC5E8AE7EDCB50435F72B0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <CABu_8zJ+hmcSyL_OKVH518HqQGdOTeo4KKmZgqZS380ioXa_=Q@mail.gmail.com>
 <DB3PR0402MB383682C8FF151A5D90E06397F72A0@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <DB3PR0402MB3836C430CA3DFBB6A02DC798F7380@DB3PR0402MB3836.eurprd04.prod.outlook.com>
 <8c5306da-1eec-1c22-95f8-0263c3d72c59@msapiro.net>
Message-ID: <DB3PR0402MB38362ED7A7A0B9435D3B7BD6F73E0@DB3PR0402MB3836.eurprd04.prod.outlook.com>

It's actually the reverse situation - entries that should be whitelisted are being marked as "Phishing". 

-----Original Message-----
From: MailScanner <mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info> On Behalf Of Mark Sapiro
Sent: Tuesday, 14 August 2018 19:09
To: mailscanner at lists.mailscanner.info
Subject: Re: Phishing Whitelisting entries not working

On 08/14/2018 01:33 AM, Pramod Daya wrote:
> I upgraded to MailScanner 5.0.7-4 and unfortunately I?m seeing that 
> whitelisted entries are still getting tagged with ?Disarmed? tags.
> 
> On a different server with Centos 6.9 and mailscanner 4.84.6, the 
> Phishing Whitelisting is working correctly. ..


Please see
<http://lists.mailscanner.info/pipermail/mailscanner/2018-July/105254.html>
and confirm that the disarming you are seeing is "phishing fraud" and not some other disarming.


-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5538 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180816/17c045ce/attachment.bin>

From iversons at rushville.k12.in.us  Sun Aug 19 03:28:04 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sat, 18 Aug 2018 23:28:04 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
Message-ID: <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>

MailScanner users:

The MailScanner Milter project is coming along nicely.

https://github.com/shawniverson/v5/commits/081118msmilter

I am currently running this on a split relay to test the milter without
impacting production email.

The design is fairly simple, although development has taken about 40 hours
of my time.  I know more about MailScanner (and perl) than I ever have :D

The Milter is integrated into MailScanner and forks as a branch of the
MailScanner process tree, keeping systemd happy.

The Milter process intercepts incoming email and tells postfix to DISCARD,
which basically accepts the mail and silently drops it before entering the
queue.  At the same time, the Milter writes a raw email file to the
/var/spool/MailScanner/milterin queue.

MailScanner picks up the message batches in the milterin directory,
processes them, and spits them out to /var/spool/MailScanner/milterout
directory as raw email files.

The MSMail Processor (new) relays the messages to postfix for further
processing over port 25.  A optional localhost rule in header_checks
removes the local entry from the header before delivery.

The benefits are that the postfix queue is not touched at all throughout
this process, making the solution (hopefully) an acceptable one within the
postfix community.  It is also very fast, and the codebase for this method
is smaller than even the Postfix Processor, and MailScanner gets its own
queues, separate from postfix.

One drawback to this method is there is no apparent way to extract the
Envelope From address (at least not yet, perhaps I am missing a milter
code), although it doesn't appear that MailScanner is all that concerned
about it and doesn't go out of its way to capture it.  I think it is
important though, for spoof detection, so I will continue to research this.

Anyone that is willing to get their feet wet and test can apply the
following files from my branch:

(In common)
/usr/sbin/MailScanner
/usr/share/MailScanner/perl/MailScanner/Milter.pm
/usr/share/MailScanner/perl/MailScanner/MSMail.pm
/usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
/usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm

Then create the following dirs:
mkdir -p /var/spool/MailScanner/milterin
chown postfix:mtagroup /var/spool/MailScanner/milterin
mkdir -p /var/spool/MailScanner/milterout
chown postfix:mtagroup /var/spool/MailScanner/milterout

Apply the following to /etc/MailScanner/MailScanner.conf:
Incoming Queue Dir = /var/spool/MailScanner/milterin
Outgoing Queue Dir = /var/spool/MailScanner/milterout
MTA = MSMail
MSMail Queue Type = short | long (pick one that matches your postfix
setting)

I recommend doing this in a test or split relay environment that blackholes
email.  Do not use in production yet ;)

Known issues at the moment:
MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do not
appear
More validation and error handling is needed throughout.  Weird emails
abound!
Need to know the envelope from sender.  Currently hidden from the milter,
but hopefully exposable via a callback code.




On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> Dear MailScanner users:
>
> I am officially working on creating a lightweight milter for MailScanner.
>
> This milter will not provide MTA protocol rejection for postfix, due to
> the severe performance penalty it would cause.  All mail will be
> intercepted, accepted, and silently dropped from the postfix queue and
> placed in a MailScanner queue.
>
> I have a working prototype, and it is processing mail!  It is in need of
> heavy refactoring and some bug squashing.
>
> Currently it attempts to create a postfix formatted queue file (very ugly,
> who thought up this file format???!!!).  I may instead create a new Milter
> Processor for MailScanner that reduces the overhead of doing this and can
> read the incoming email in a simple line-by-line format.  This may also
> increase performance overall and reduce all the conversions happening.
>
> The other side of the coin is what to do when MailScanner is done
> processing mail.  Currently, it generates a postfix queue file and drops it
> into postfix incoming directory.  It should not do this but instead drop
> the message into postfix using native postfix tools.  That will be the next
> part I tackle as part of the Milter Processor.
>
> Why am I doing this?  I want to place MailScanner back in a good standing
> with Postfix folks (at least when the milter + postfix method is in use).
>
> I have no plans of removing the old method but rather provide a more
> supported path for postfix users.
>
> Wish me luck.  I could be heard across the neighborhood when MailScanner
> processed an email from the Milter for the first time! :D
>
>
>
>
> On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com> wrote:
>
>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>> > David,
>> >
>> > I agree that this is true, and part of my lack of motivation to do it.
>> > One reason I wanted it as an option was to reconcile the ongoing
>> > conflict with the postfix community and return MailScanner to good
>> > standing to this community.  Weitze has been very stern about
>> > MailScanner directly tapping the postfix queues.
>> >
>> > Perhaps an alternative option would be to create a fast MailScanner
>> > milter that behaves more like the HOLD queue.  Basically just a milter
>> > that immediately fires back accept to postfix and places all the
>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
>> > queue.  Doing so would maintain speed, simplicity, and be more
>> compliant
>> > with postfix. The code would also be very simple.
>> >
>> > Then, as you say, if you need MTA level functionality for SA, use other
>> > software and methods.
>> >
>> >
>>
>> This light MS milter would make a lot of sense based on your goal to get
>> compliant with Postfix and back "in" with the Postfix community.  +1
>>
>> >
>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
>> > <mailto:djones at ena.com>> wrote:
>> >
>> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>> >      > I have been planning for a MailScanner milter for quite some
>> >     time.  I
>> >      > have been specifically studying rpamd's milter source for this
>> >     purpose.
>> >      > Alas, lack of time and lack of money are always an issue, and I
>> >     put a
>> >      > lot of hours in my day job.  As Jerry would say, I like to eat
>> >     and have
>> >      > a roof over my head :D
>> >      >
>> >      > If I do find the time to build a milter, performance will
>> >     definitely be
>> >      > impacted.  The reason is that postfix will have to keep each
>> session
>> >      > open for the duration of scanning, and each MailScanner child
>> >     would have
>> >      > to issue a callback to postfix after scanning the spam so that
>> >     postfix
>> >      > can responds to the connection appropriately  (i.e. reject or
>> >     accept).
>> >      > This will slow down mail processing considerably.  If I do this,
>> >     I am
>> >      > going to keep the HOLD queue around, so you would have to choose
>> >     between
>> >      > speed or MTA level rejection functionality.
>> >      >
>> >      >
>> >      >
>> >
>> >     My gut tells me that this is going to be so slow, that it's not
>> >     going to
>> >     be worth the time to put into it.  If you want to reject at MTA
>> time,
>> >     throw in amavis-new or spamd (not rspamd) using the same
>> SpamAsssassin
>> >     rules and Bayes DB to get most of the same features as MailScanner
>> >     during the SMTP conversation.  Then the mail that gets through can
>> be
>> >     filtered by MailScanner for it's extra features that make it unique.
>> >
>> >     I understand there are different local legal requirements around the
>> >     world that if email is accepted at MTA time then it has to be
>> passed on
>> >     to the end user's mailbox.  If you are located in one of these
>> >     countries, then this would be more of an issue.  But since I am in a
>> >     country that doesn't have this legal requirement, I do block email
>> >     post-MTA by MailScanner.
>> >
>> >     The majority of my spam is blocked at the MTA level already by
>> highly
>> >     tuned RBLs and postscreen's RBL weighting which is very, very good.
>> >     Only a small percentage of spam that is zero-hour or from
>> compromised
>> >     accounts makes it to MailScanner.
>> >
>> >     I highly recommend the Invaluement RBL.  It's very accurate -- only
>> >     1 or
>> >     2 false positives over 5+ the years.  This RBL is very cost
>> effective
>> >     and has allowed me to disable all Spamhaus RBL checks in
>> SpamAssassin
>> >     saving thousands of dollars a year.  (We have too high a volume to
>> stay
>> >     under the free usage limits of Spamhaus so we were having to pay for
>> >     the
>> >     RBL feed.)
>> >
>> >      >
>> >      >
>> >      >
>> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>> >      > <mailscanner at lists.mailscanner.info
>> >     <mailto:mailscanner at lists.mailscanner.info>
>> >      > <mailto:mailscanner at lists.mailscanner.info
>> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>> >      >
>> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>> >     <mailto:info at schroeffu.ch>>
>> >      >     wrote:
>> >      >      >
>> >      >      > Hi Mailscanner friends,
>> >      >      >
>> >      >      > is there any progress to make MailScanner usable as a
>> >     postfix milter?
>> >      >      > The most biggest problem I have is, SPAM is not possible
>> to
>> >      >     reject when
>> >      >      > reaching a high score at MTA level. For my understanding,
>> >     connect
>> >      >     via
>> >      >      > milter instead of queue ^HOLD would be the solution.
>> >      >      >
>> >      >      > For the next decade we are still using MailScanner instead
>> >     of others
>> >      >      > like Rspamd, because MailScanner is like a mail suite for
>> mail
>> >      >     security,
>> >      >      > but if there will never be the possibility to reject at
>> >     MTA level
>> >      >     the
>> >      >      > high score spam, we will also change in 1-3 years while
>> >     replacing
>> >      >     the OS
>> >      >      > beyond.
>> >      >      >
>> >      >
>> >      >     One of MailScanner's strongest features is it's batch mode
>> >     processing
>> >      >     that will allow it to handle a very high volume of mail
>> >     flow.  I doubt
>> >      >     that MailScanner will ever be changed to run as a milter for
>> this
>> >      >     reason.
>> >      >
>> >      >     I tried rspamd and found it wasn't as good as the author
>> >     claims so no
>> >      >     reason to try to use that as a milter.  It also wasn't as
>> >     fast as it
>> >      >     claims.  I could not send high volumes of mail through it
>> >     like I could
>> >      >     with MailScanner.
>> >      >
>> >      >     If you want to block high scoring spam at the MTA level, I
>> >     suggest
>> >      >     using
>> >      >     amavis or spamd with the same SA rulesets as MailScanner.
>> >     This will
>> >      >     get
>> >      >     you most of the power of MailScanner's blocking at the MTA.
>> >      >
>> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
>> >      >
>> >      >     If you you use postscreen and postwhite at the Postfix MTA
>> >     level, you
>> >      >     can block most of the obvious spam with a tuned list of
>> >     RBLs.  See the
>> >      >     SA users mailing list over the past year for details on this
>> >     from me
>> >      >     and
>> >      >     a few others.
>> >      >
>> >      >     I suggest setting up a quick test VM with iRedmail to get a
>> good
>> >      >     example
>> >      >     of how to do TLS and amavis integration well with Postfix.
>> >      >
>> >      >     --
>> >      >     David Jones
>> >      >
>> >      >
>> >      >     --
>> >      >     MailScanner mailing list
>> >      > mailscanner at lists.mailscanner.info
>> >     <mailto:mailscanner at lists.mailscanner.info>
>> >      >     <mailto:mailscanner at lists.mailscanner.info
>> >     <mailto:mailscanner at lists.mailscanner.info>>
>> >      > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >      >
>> >      >
>> >      >
>> >      > --
>> >      > Shawn Iverson, CETL
>> >      > Director of Technology
>> >      > Rush County Schools
>> >      > 765-932-3901 x1171
>> >      > iversons at rushville.k12.in.us
>> >     <mailto:iversons at rushville.k12.in.us>
>> >     <mailto:iversons at rushville.k12.in.us
>> >     <mailto:iversons at rushville.k12.in.us>>
>> >      >
>> >      >
>> >
>> >     --
>> >     David Jones
>> >
>> >
>> >
>> > --
>> > Shawn Iverson, CETL
>> > Director of Technology
>> > Rush County Schools
>> > 765-932-3901 x1171
>> > iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
>> >
>> >
>>
>>
>> --
>> David Jones
>>
>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180818/15203dff/attachment.html>

From iversons at rushville.k12.in.us  Sun Aug 19 13:30:24 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 19 Aug 2018 09:30:24 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
 <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
Message-ID: <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>

Oh yeah, here's the config for Postfix:

smtpd_milters = inet:127.0.0.1:33333
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map

/etc/postfix/smtpd_milter_map:
127.0.0.0/8 DISABLE
::/64 DISABLE

This allows scanned emails to pass the milter, as well as notifications
sent from the localhost.  You do need at least Postfix version 3.2 I
believe to have milter map support.




On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> MailScanner users:
>
> The MailScanner Milter project is coming along nicely.
>
> https://github.com/shawniverson/v5/commits/081118msmilter
>
> I am currently running this on a split relay to test the milter without
> impacting production email.
>
> The design is fairly simple, although development has taken about 40 hours
> of my time.  I know more about MailScanner (and perl) than I ever have :D
>
> The Milter is integrated into MailScanner and forks as a branch of the
> MailScanner process tree, keeping systemd happy.
>
> The Milter process intercepts incoming email and tells postfix to DISCARD,
> which basically accepts the mail and silently drops it before entering the
> queue.  At the same time, the Milter writes a raw email file to the
> /var/spool/MailScanner/milterin queue.
>
> MailScanner picks up the message batches in the milterin directory,
> processes them, and spits them out to /var/spool/MailScanner/milterout
> directory as raw email files.
>
> The MSMail Processor (new) relays the messages to postfix for further
> processing over port 25.  A optional localhost rule in header_checks
> removes the local entry from the header before delivery.
>
> The benefits are that the postfix queue is not touched at all throughout
> this process, making the solution (hopefully) an acceptable one within the
> postfix community.  It is also very fast, and the codebase for this method
> is smaller than even the Postfix Processor, and MailScanner gets its own
> queues, separate from postfix.
>
> One drawback to this method is there is no apparent way to extract the
> Envelope From address (at least not yet, perhaps I am missing a milter
> code), although it doesn't appear that MailScanner is all that concerned
> about it and doesn't go out of its way to capture it.  I think it is
> important though, for spoof detection, so I will continue to research this.
>
> Anyone that is willing to get their feet wet and test can apply the
> following files from my branch:
>
> (In common)
> /usr/sbin/MailScanner
> /usr/share/MailScanner/perl/MailScanner/Milter.pm
> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>
> Then create the following dirs:
> mkdir -p /var/spool/MailScanner/milterin
> chown postfix:mtagroup /var/spool/MailScanner/milterin
> mkdir -p /var/spool/MailScanner/milterout
> chown postfix:mtagroup /var/spool/MailScanner/milterout
>
> Apply the following to /etc/MailScanner/MailScanner.conf:
> Incoming Queue Dir = /var/spool/MailScanner/milterin
> Outgoing Queue Dir = /var/spool/MailScanner/milterout
> MTA = MSMail
> MSMail Queue Type = short | long (pick one that matches your postfix
> setting)
>
> I recommend doing this in a test or split relay environment that
> blackholes email.  Do not use in production yet ;)
>
> Known issues at the moment:
> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do not
> appear
> More validation and error handling is needed throughout.  Weird emails
> abound!
> Need to know the envelope from sender.  Currently hidden from the milter,
> but hopefully exposable via a callback code.
>
>
>
>
> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Dear MailScanner users:
>>
>> I am officially working on creating a lightweight milter for
>> MailScanner.
>>
>> This milter will not provide MTA protocol rejection for postfix, due to
>> the severe performance penalty it would cause.  All mail will be
>> intercepted, accepted, and silently dropped from the postfix queue and
>> placed in a MailScanner queue.
>>
>> I have a working prototype, and it is processing mail!  It is in need of
>> heavy refactoring and some bug squashing.
>>
>> Currently it attempts to create a postfix formatted queue file (very
>> ugly, who thought up this file format???!!!).  I may instead create a new
>> Milter Processor for MailScanner that reduces the overhead of doing this
>> and can read the incoming email in a simple line-by-line format.  This may
>> also increase performance overall and reduce all the conversions happening.
>>
>> The other side of the coin is what to do when MailScanner is done
>> processing mail.  Currently, it generates a postfix queue file and drops it
>> into postfix incoming directory.  It should not do this but instead drop
>> the message into postfix using native postfix tools.  That will be the next
>> part I tackle as part of the Milter Processor.
>>
>> Why am I doing this?  I want to place MailScanner back in a good standing
>> with Postfix folks (at least when the milter + postfix method is in use).
>>
>> I have no plans of removing the old method but rather provide a more
>> supported path for postfix users.
>>
>> Wish me luck.  I could be heard across the neighborhood when MailScanner
>> processed an email from the Milter for the first time! :D
>>
>>
>>
>>
>> On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com> wrote:
>>
>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>> > David,
>>> >
>>> > I agree that this is true, and part of my lack of motivation to do
>>> it.
>>> > One reason I wanted it as an option was to reconcile the ongoing
>>> > conflict with the postfix community and return MailScanner to good
>>> > standing to this community.  Weitze has been very stern about
>>> > MailScanner directly tapping the postfix queues.
>>> >
>>> > Perhaps an alternative option would be to create a fast MailScanner
>>> > milter that behaves more like the HOLD queue.  Basically just a milter
>>> > that immediately fires back accept to postfix and places all the
>>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
>>> > queue.  Doing so would maintain speed, simplicity, and be more
>>> compliant
>>> > with postfix. The code would also be very simple.
>>> >
>>> > Then, as you say, if you need MTA level functionality for SA, use
>>> other
>>> > software and methods.
>>> >
>>> >
>>>
>>> This light MS milter would make a lot of sense based on your goal to get
>>> compliant with Postfix and back "in" with the Postfix community.  +1
>>>
>>> >
>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
>>> > <mailto:djones at ena.com>> wrote:
>>> >
>>> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>> >      > I have been planning for a MailScanner milter for quite some
>>> >     time.  I
>>> >      > have been specifically studying rpamd's milter source for this
>>> >     purpose.
>>> >      > Alas, lack of time and lack of money are always an issue, and I
>>> >     put a
>>> >      > lot of hours in my day job.  As Jerry would say, I like to eat
>>> >     and have
>>> >      > a roof over my head :D
>>> >      >
>>> >      > If I do find the time to build a milter, performance will
>>> >     definitely be
>>> >      > impacted.  The reason is that postfix will have to keep each
>>> session
>>> >      > open for the duration of scanning, and each MailScanner child
>>> >     would have
>>> >      > to issue a callback to postfix after scanning the spam so that
>>> >     postfix
>>> >      > can responds to the connection appropriately  (i.e. reject or
>>> >     accept).
>>> >      > This will slow down mail processing considerably.  If I do this,
>>> >     I am
>>> >      > going to keep the HOLD queue around, so you would have to choose
>>> >     between
>>> >      > speed or MTA level rejection functionality.
>>> >      >
>>> >      >
>>> >      >
>>> >
>>> >     My gut tells me that this is going to be so slow, that it's not
>>> >     going to
>>> >     be worth the time to put into it.  If you want to reject at MTA
>>> time,
>>> >     throw in amavis-new or spamd (not rspamd) using the same
>>> SpamAsssassin
>>> >     rules and Bayes DB to get most of the same features as MailScanner
>>> >     during the SMTP conversation.  Then the mail that gets through can
>>> be
>>> >     filtered by MailScanner for it's extra features that make it
>>> unique.
>>> >
>>> >     I understand there are different local legal requirements around
>>> the
>>> >     world that if email is accepted at MTA time then it has to be
>>> passed on
>>> >     to the end user's mailbox.  If you are located in one of these
>>> >     countries, then this would be more of an issue.  But since I am in
>>> a
>>> >     country that doesn't have this legal requirement, I do block email
>>> >     post-MTA by MailScanner.
>>> >
>>> >     The majority of my spam is blocked at the MTA level already by
>>> highly
>>> >     tuned RBLs and postscreen's RBL weighting which is very, very good.
>>> >     Only a small percentage of spam that is zero-hour or from
>>> compromised
>>> >     accounts makes it to MailScanner.
>>> >
>>> >     I highly recommend the Invaluement RBL.  It's very accurate -- only
>>> >     1 or
>>> >     2 false positives over 5+ the years.  This RBL is very cost
>>> effective
>>> >     and has allowed me to disable all Spamhaus RBL checks in
>>> SpamAssassin
>>> >     saving thousands of dollars a year.  (We have too high a volume to
>>> stay
>>> >     under the free usage limits of Spamhaus so we were having to pay
>>> for
>>> >     the
>>> >     RBL feed.)
>>> >
>>> >      >
>>> >      >
>>> >      >
>>> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>>> >      > <mailscanner at lists.mailscanner.info
>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>> >      > <mailto:mailscanner at lists.mailscanner.info
>>> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>>> >      >
>>> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>>> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>>> >     <mailto:info at schroeffu.ch>>
>>> >      >     wrote:
>>> >      >      >
>>> >      >      > Hi Mailscanner friends,
>>> >      >      >
>>> >      >      > is there any progress to make MailScanner usable as a
>>> >     postfix milter?
>>> >      >      > The most biggest problem I have is, SPAM is not possible
>>> to
>>> >      >     reject when
>>> >      >      > reaching a high score at MTA level. For my understanding,
>>> >     connect
>>> >      >     via
>>> >      >      > milter instead of queue ^HOLD would be the solution.
>>> >      >      >
>>> >      >      > For the next decade we are still using MailScanner
>>> instead
>>> >     of others
>>> >      >      > like Rspamd, because MailScanner is like a mail suite
>>> for mail
>>> >      >     security,
>>> >      >      > but if there will never be the possibility to reject at
>>> >     MTA level
>>> >      >     the
>>> >      >      > high score spam, we will also change in 1-3 years while
>>> >     replacing
>>> >      >     the OS
>>> >      >      > beyond.
>>> >      >      >
>>> >      >
>>> >      >     One of MailScanner's strongest features is it's batch mode
>>> >     processing
>>> >      >     that will allow it to handle a very high volume of mail
>>> >     flow.  I doubt
>>> >      >     that MailScanner will ever be changed to run as a milter
>>> for this
>>> >      >     reason.
>>> >      >
>>> >      >     I tried rspamd and found it wasn't as good as the author
>>> >     claims so no
>>> >      >     reason to try to use that as a milter.  It also wasn't as
>>> >     fast as it
>>> >      >     claims.  I could not send high volumes of mail through it
>>> >     like I could
>>> >      >     with MailScanner.
>>> >      >
>>> >      >     If you want to block high scoring spam at the MTA level, I
>>> >     suggest
>>> >      >     using
>>> >      >     amavis or spamd with the same SA rulesets as MailScanner.
>>> >     This will
>>> >      >     get
>>> >      >     you most of the power of MailScanner's blocking at the MTA.
>>> >      >
>>> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
>>> >      >
>>> >      >     If you you use postscreen and postwhite at the Postfix MTA
>>> >     level, you
>>> >      >     can block most of the obvious spam with a tuned list of
>>> >     RBLs.  See the
>>> >      >     SA users mailing list over the past year for details on this
>>> >     from me
>>> >      >     and
>>> >      >     a few others.
>>> >      >
>>> >      >     I suggest setting up a quick test VM with iRedmail to get a
>>> good
>>> >      >     example
>>> >      >     of how to do TLS and amavis integration well with Postfix.
>>> >      >
>>> >      >     --
>>> >      >     David Jones
>>> >      >
>>> >      >
>>> >      >     --
>>> >      >     MailScanner mailing list
>>> >      > mailscanner at lists.mailscanner.info
>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>> >      >     <mailto:mailscanner at lists.mailscanner.info
>>> >     <mailto:mailscanner at lists.mailscanner.info>>
>>> >      > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>> >      >
>>> >      >
>>> >      >
>>> >      > --
>>> >      > Shawn Iverson, CETL
>>> >      > Director of Technology
>>> >      > Rush County Schools
>>> >      > 765-932-3901 x1171
>>> >      > iversons at rushville.k12.in.us
>>> >     <mailto:iversons at rushville.k12.in.us>
>>> >     <mailto:iversons at rushville.k12.in.us
>>> >     <mailto:iversons at rushville.k12.in.us>>
>>> >      >
>>> >      >
>>> >
>>> >     --
>>> >     David Jones
>>> >
>>> >
>>> >
>>> > --
>>> > Shawn Iverson, CETL
>>> > Director of Technology
>>> > Rush County Schools
>>> > 765-932-3901 x1171
>>> > iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
>>> >
>>> >
>>>
>>>
>>> --
>>> David Jones
>>>
>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180819/d4db6f48/attachment.html>

From iversons at rushville.k12.in.us  Sun Aug 19 20:04:29 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 19 Aug 2018 16:04:29 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
 <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
 <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>
Message-ID: <CABu_8zLdNnFqmvUesCGqObmeb7gS+ZDyyirC-Fzra80H02EFHw@mail.gmail.com>

Another update

The latest commit to my branch includes more fixes and a new thing that
needs handled now that a Milter is in play.  When mail is submitted back to
postfix, it needs to be processed by other things that could reject the
email (such as an blocked sender).  This is a problem because MailScanner
does not know how to handle rejects since it has always been part of the
queue process interacting directly with the queues, not before queue
process.

During message delivery, if a reject is detected, I inject a special header
to the message and requeue it to MailScanner.  MailScanner has a chance,
based on this special header to flag the message, remove the special
header, add diagnostic info to the header about the relay, and quarantine
the message.  The mail admin is happy knowing that the message didn't just
vanish and has an opportunity to resolve the issue and release it or know
the disposition of the email.

Another cool thing about this Milter Processor I discovered is you can
simply drop a message into /var/spool/MailScanner/milterin from
/var/spool/MailScanner/quarantine, and it will try to redeliver it :D

This new code is in Message.pm and only becomes active if the milter is
activated.

On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> Oh yeah, here's the config for Postfix:
>
> smtpd_milters = inet:127.0.0.1:33333
> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>
> /etc/postfix/smtpd_milter_map:
> 127.0.0.0/8 DISABLE
> ::/64 DISABLE
>
> This allows scanned emails to pass the milter, as well as notifications
> sent from the localhost.  You do need at least Postfix version 3.2 I
> believe to have milter map support.
>
>
>
>
> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> MailScanner users:
>>
>> The MailScanner Milter project is coming along nicely.
>>
>> https://github.com/shawniverson/v5/commits/081118msmilter
>>
>> I am currently running this on a split relay to test the milter without
>> impacting production email.
>>
>> The design is fairly simple, although development has taken about 40
>> hours of my time.  I know more about MailScanner (and perl) than I ever
>> have :D
>>
>> The Milter is integrated into MailScanner and forks as a branch of the
>> MailScanner process tree, keeping systemd happy.
>>
>> The Milter process intercepts incoming email and tells postfix to
>> DISCARD, which basically accepts the mail and silently drops it before
>> entering the queue.  At the same time, the Milter writes a raw email file
>> to the /var/spool/MailScanner/milterin queue.
>>
>> MailScanner picks up the message batches in the milterin directory,
>> processes them, and spits them out to /var/spool/MailScanner/milterout
>> directory as raw email files.
>>
>> The MSMail Processor (new) relays the messages to postfix for further
>> processing over port 25.  A optional localhost rule in header_checks
>> removes the local entry from the header before delivery.
>>
>> The benefits are that the postfix queue is not touched at all throughout
>> this process, making the solution (hopefully) an acceptable one within the
>> postfix community.  It is also very fast, and the codebase for this method
>> is smaller than even the Postfix Processor, and MailScanner gets its own
>> queues, separate from postfix.
>>
>> One drawback to this method is there is no apparent way to extract the
>> Envelope From address (at least not yet, perhaps I am missing a milter
>> code), although it doesn't appear that MailScanner is all that concerned
>> about it and doesn't go out of its way to capture it.  I think it is
>> important though, for spoof detection, so I will continue to research this.
>>
>> Anyone that is willing to get their feet wet and test can apply the
>> following files from my branch:
>>
>> (In common)
>> /usr/sbin/MailScanner
>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>
>> Then create the following dirs:
>> mkdir -p /var/spool/MailScanner/milterin
>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>> mkdir -p /var/spool/MailScanner/milterout
>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>
>> Apply the following to /etc/MailScanner/MailScanner.conf:
>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>> MTA = MSMail
>> MSMail Queue Type = short | long (pick one that matches your postfix
>> setting)
>>
>> I recommend doing this in a test or split relay environment that
>> blackholes email.  Do not use in production yet ;)
>>
>> Known issues at the moment:
>> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do not
>> appear
>> More validation and error handling is needed throughout.  Weird emails
>> abound!
>> Need to know the envelope from sender.  Currently hidden from the milter,
>> but hopefully exposable via a callback code.
>>
>>
>>
>>
>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> Dear MailScanner users:
>>>
>>> I am officially working on creating a lightweight milter for
>>> MailScanner.
>>>
>>> This milter will not provide MTA protocol rejection for postfix, due to
>>> the severe performance penalty it would cause.  All mail will be
>>> intercepted, accepted, and silently dropped from the postfix queue and
>>> placed in a MailScanner queue.
>>>
>>> I have a working prototype, and it is processing mail!  It is in need of
>>> heavy refactoring and some bug squashing.
>>>
>>> Currently it attempts to create a postfix formatted queue file (very
>>> ugly, who thought up this file format???!!!).  I may instead create a new
>>> Milter Processor for MailScanner that reduces the overhead of doing this
>>> and can read the incoming email in a simple line-by-line format.  This may
>>> also increase performance overall and reduce all the conversions happening.
>>>
>>> The other side of the coin is what to do when MailScanner is done
>>> processing mail.  Currently, it generates a postfix queue file and drops it
>>> into postfix incoming directory.  It should not do this but instead drop
>>> the message into postfix using native postfix tools.  That will be the next
>>> part I tackle as part of the Milter Processor.
>>>
>>> Why am I doing this?  I want to place MailScanner back in a good
>>> standing with Postfix folks (at least when the milter + postfix method is
>>> in use).
>>>
>>> I have no plans of removing the old method but rather provide a more
>>> supported path for postfix users.
>>>
>>> Wish me luck.  I could be heard across the neighborhood when MailScanner
>>> processed an email from the Milter for the first time! :D
>>>
>>>
>>>
>>>
>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com> wrote:
>>>
>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>> > David,
>>>> >
>>>> > I agree that this is true, and part of my lack of motivation to do
>>>> it.
>>>> > One reason I wanted it as an option was to reconcile the ongoing
>>>> > conflict with the postfix community and return MailScanner to good
>>>> > standing to this community.  Weitze has been very stern about
>>>> > MailScanner directly tapping the postfix queues.
>>>> >
>>>> > Perhaps an alternative option would be to create a fast MailScanner
>>>> > milter that behaves more like the HOLD queue.  Basically just a
>>>> milter
>>>> > that immediately fires back accept to postfix and places all the
>>>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
>>>> > queue.  Doing so would maintain speed, simplicity, and be more
>>>> compliant
>>>> > with postfix. The code would also be very simple.
>>>> >
>>>> > Then, as you say, if you need MTA level functionality for SA, use
>>>> other
>>>> > software and methods.
>>>> >
>>>> >
>>>>
>>>> This light MS milter would make a lot of sense based on your goal to
>>>> get
>>>> compliant with Postfix and back "in" with the Postfix community.  +1
>>>>
>>>> >
>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
>>>> > <mailto:djones at ena.com>> wrote:
>>>> >
>>>> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>> >      > I have been planning for a MailScanner milter for quite some
>>>> >     time.  I
>>>> >      > have been specifically studying rpamd's milter source for this
>>>> >     purpose.
>>>> >      > Alas, lack of time and lack of money are always an issue, and I
>>>> >     put a
>>>> >      > lot of hours in my day job.  As Jerry would say, I like to eat
>>>> >     and have
>>>> >      > a roof over my head :D
>>>> >      >
>>>> >      > If I do find the time to build a milter, performance will
>>>> >     definitely be
>>>> >      > impacted.  The reason is that postfix will have to keep each
>>>> session
>>>> >      > open for the duration of scanning, and each MailScanner child
>>>> >     would have
>>>> >      > to issue a callback to postfix after scanning the spam so that
>>>> >     postfix
>>>> >      > can responds to the connection appropriately  (i.e. reject or
>>>> >     accept).
>>>> >      > This will slow down mail processing considerably.  If I do
>>>> this,
>>>> >     I am
>>>> >      > going to keep the HOLD queue around, so you would have to
>>>> choose
>>>> >     between
>>>> >      > speed or MTA level rejection functionality.
>>>> >      >
>>>> >      >
>>>> >      >
>>>> >
>>>> >     My gut tells me that this is going to be so slow, that it's not
>>>> >     going to
>>>> >     be worth the time to put into it.  If you want to reject at MTA
>>>> time,
>>>> >     throw in amavis-new or spamd (not rspamd) using the same
>>>> SpamAsssassin
>>>> >     rules and Bayes DB to get most of the same features as MailScanner
>>>> >     during the SMTP conversation.  Then the mail that gets through
>>>> can be
>>>> >     filtered by MailScanner for it's extra features that make it
>>>> unique.
>>>> >
>>>> >     I understand there are different local legal requirements around
>>>> the
>>>> >     world that if email is accepted at MTA time then it has to be
>>>> passed on
>>>> >     to the end user's mailbox.  If you are located in one of these
>>>> >     countries, then this would be more of an issue.  But since I am
>>>> in a
>>>> >     country that doesn't have this legal requirement, I do block email
>>>> >     post-MTA by MailScanner.
>>>> >
>>>> >     The majority of my spam is blocked at the MTA level already by
>>>> highly
>>>> >     tuned RBLs and postscreen's RBL weighting which is very, very
>>>> good.
>>>> >     Only a small percentage of spam that is zero-hour or from
>>>> compromised
>>>> >     accounts makes it to MailScanner.
>>>> >
>>>> >     I highly recommend the Invaluement RBL.  It's very accurate --
>>>> only
>>>> >     1 or
>>>> >     2 false positives over 5+ the years.  This RBL is very cost
>>>> effective
>>>> >     and has allowed me to disable all Spamhaus RBL checks in
>>>> SpamAssassin
>>>> >     saving thousands of dollars a year.  (We have too high a volume
>>>> to stay
>>>> >     under the free usage limits of Spamhaus so we were having to pay
>>>> for
>>>> >     the
>>>> >     RBL feed.)
>>>> >
>>>> >      >
>>>> >      >
>>>> >      >
>>>> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>>>> >      > <mailscanner at lists.mailscanner.info
>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>> >      > <mailto:mailscanner at lists.mailscanner.info
>>>> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>>>> >      >
>>>> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>>>> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>>>> >     <mailto:info at schroeffu.ch>>
>>>> >      >     wrote:
>>>> >      >      >
>>>> >      >      > Hi Mailscanner friends,
>>>> >      >      >
>>>> >      >      > is there any progress to make MailScanner usable as a
>>>> >     postfix milter?
>>>> >      >      > The most biggest problem I have is, SPAM is not
>>>> possible to
>>>> >      >     reject when
>>>> >      >      > reaching a high score at MTA level. For my
>>>> understanding,
>>>> >     connect
>>>> >      >     via
>>>> >      >      > milter instead of queue ^HOLD would be the solution.
>>>> >      >      >
>>>> >      >      > For the next decade we are still using MailScanner
>>>> instead
>>>> >     of others
>>>> >      >      > like Rspamd, because MailScanner is like a mail suite
>>>> for mail
>>>> >      >     security,
>>>> >      >      > but if there will never be the possibility to reject at
>>>> >     MTA level
>>>> >      >     the
>>>> >      >      > high score spam, we will also change in 1-3 years while
>>>> >     replacing
>>>> >      >     the OS
>>>> >      >      > beyond.
>>>> >      >      >
>>>> >      >
>>>> >      >     One of MailScanner's strongest features is it's batch mode
>>>> >     processing
>>>> >      >     that will allow it to handle a very high volume of mail
>>>> >     flow.  I doubt
>>>> >      >     that MailScanner will ever be changed to run as a milter
>>>> for this
>>>> >      >     reason.
>>>> >      >
>>>> >      >     I tried rspamd and found it wasn't as good as the author
>>>> >     claims so no
>>>> >      >     reason to try to use that as a milter.  It also wasn't as
>>>> >     fast as it
>>>> >      >     claims.  I could not send high volumes of mail through it
>>>> >     like I could
>>>> >      >     with MailScanner.
>>>> >      >
>>>> >      >     If you want to block high scoring spam at the MTA level, I
>>>> >     suggest
>>>> >      >     using
>>>> >      >     amavis or spamd with the same SA rulesets as MailScanner.
>>>> >     This will
>>>> >      >     get
>>>> >      >     you most of the power of MailScanner's blocking at the MTA.
>>>> >      >
>>>> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
>>>> >      >
>>>> >      >     If you you use postscreen and postwhite at the Postfix MTA
>>>> >     level, you
>>>> >      >     can block most of the obvious spam with a tuned list of
>>>> >     RBLs.  See the
>>>> >      >     SA users mailing list over the past year for details on
>>>> this
>>>> >     from me
>>>> >      >     and
>>>> >      >     a few others.
>>>> >      >
>>>> >      >     I suggest setting up a quick test VM with iRedmail to get
>>>> a good
>>>> >      >     example
>>>> >      >     of how to do TLS and amavis integration well with Postfix.
>>>> >      >
>>>> >      >     --
>>>> >      >     David Jones
>>>> >      >
>>>> >      >
>>>> >      >     --
>>>> >      >     MailScanner mailing list
>>>> >      > mailscanner at lists.mailscanner.info
>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>> >      >     <mailto:mailscanner at lists.mailscanner.info
>>>> >     <mailto:mailscanner at lists.mailscanner.info>>
>>>> >      > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>> >      >
>>>> >      >
>>>> >      >
>>>> >      > --
>>>> >      > Shawn Iverson, CETL
>>>> >      > Director of Technology
>>>> >      > Rush County Schools
>>>> >      > 765-932-3901 x1171
>>>> >      > iversons at rushville.k12.in.us
>>>> >     <mailto:iversons at rushville.k12.in.us>
>>>> >     <mailto:iversons at rushville.k12.in.us
>>>> >     <mailto:iversons at rushville.k12.in.us>>
>>>> >      >
>>>> >      >
>>>> >
>>>> >     --
>>>> >     David Jones
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Shawn Iverson, CETL
>>>> > Director of Technology
>>>> > Rush County Schools
>>>> > 765-932-3901 x1171
>>>> > iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
>>>> >
>>>> >
>>>>
>>>>
>>>> --
>>>> David Jones
>>>>
>>>
>>>
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>>
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180819/fae9acfb/attachment.html>

From iversons at rushville.k12.in.us  Sun Aug 19 20:26:11 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 19 Aug 2018 16:26:11 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zLdNnFqmvUesCGqObmeb7gS+ZDyyirC-Fzra80H02EFHw@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
 <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
 <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>
 <CABu_8zLdNnFqmvUesCGqObmeb7gS+ZDyyirC-Fzra80H02EFHw@mail.gmail.com>
Message-ID: <CABu_8zJQ4ZioeuKfHJzfdDVSfJuj1zF2N7YZT7sHsb=r3mmJFw@mail.gmail.com>

Found the callback code for MAIL FROM:

'M'     SMFIC_MAIL      MAIL FROM: information
                        Expected response:  Accept/reject action

Time for some more coding :D

On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> Another update
>
> The latest commit to my branch includes more fixes and a new thing that
> needs handled now that a Milter is in play.  When mail is submitted back to
> postfix, it needs to be processed by other things that could reject the
> email (such as an blocked sender).  This is a problem because MailScanner
> does not know how to handle rejects since it has always been part of the
> queue process interacting directly with the queues, not before queue
> process.
>
> During message delivery, if a reject is detected, I inject a special
> header to the message and requeue it to MailScanner.  MailScanner has a
> chance, based on this special header to flag the message, remove the
> special header, add diagnostic info to the header about the relay, and
> quarantine the message.  The mail admin is happy knowing that the message
> didn't just vanish and has an opportunity to resolve the issue and release
> it or know the disposition of the email.
>
> Another cool thing about this Milter Processor I discovered is you can
> simply drop a message into /var/spool/MailScanner/milterin from
> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D
>
> This new code is in Message.pm and only becomes active if the milter is
> activated.
>
> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Oh yeah, here's the config for Postfix:
>>
>> smtpd_milters = inet:127.0.0.1:33333
>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>>
>> /etc/postfix/smtpd_milter_map:
>> 127.0.0.0/8 DISABLE
>> ::/64 DISABLE
>>
>> This allows scanned emails to pass the milter, as well as notifications
>> sent from the localhost.  You do need at least Postfix version 3.2 I
>> believe to have milter map support.
>>
>>
>>
>>
>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> MailScanner users:
>>>
>>> The MailScanner Milter project is coming along nicely.
>>>
>>> https://github.com/shawniverson/v5/commits/081118msmilter
>>>
>>> I am currently running this on a split relay to test the milter without
>>> impacting production email.
>>>
>>> The design is fairly simple, although development has taken about 40
>>> hours of my time.  I know more about MailScanner (and perl) than I ever
>>> have :D
>>>
>>> The Milter is integrated into MailScanner and forks as a branch of the
>>> MailScanner process tree, keeping systemd happy.
>>>
>>> The Milter process intercepts incoming email and tells postfix to
>>> DISCARD, which basically accepts the mail and silently drops it before
>>> entering the queue.  At the same time, the Milter writes a raw email file
>>> to the /var/spool/MailScanner/milterin queue.
>>>
>>> MailScanner picks up the message batches in the milterin directory,
>>> processes them, and spits them out to /var/spool/MailScanner/milterout
>>> directory as raw email files.
>>>
>>> The MSMail Processor (new) relays the messages to postfix for further
>>> processing over port 25.  A optional localhost rule in header_checks
>>> removes the local entry from the header before delivery.
>>>
>>> The benefits are that the postfix queue is not touched at all throughout
>>> this process, making the solution (hopefully) an acceptable one within the
>>> postfix community.  It is also very fast, and the codebase for this method
>>> is smaller than even the Postfix Processor, and MailScanner gets its own
>>> queues, separate from postfix.
>>>
>>> One drawback to this method is there is no apparent way to extract the
>>> Envelope From address (at least not yet, perhaps I am missing a milter
>>> code), although it doesn't appear that MailScanner is all that concerned
>>> about it and doesn't go out of its way to capture it.  I think it is
>>> important though, for spoof detection, so I will continue to research this.
>>>
>>> Anyone that is willing to get their feet wet and test can apply the
>>> following files from my branch:
>>>
>>> (In common)
>>> /usr/sbin/MailScanner
>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>
>>> Then create the following dirs:
>>> mkdir -p /var/spool/MailScanner/milterin
>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>> mkdir -p /var/spool/MailScanner/milterout
>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>
>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>> MTA = MSMail
>>> MSMail Queue Type = short | long (pick one that matches your postfix
>>> setting)
>>>
>>> I recommend doing this in a test or split relay environment that
>>> blackholes email.  Do not use in production yet ;)
>>>
>>> Known issues at the moment:
>>> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do not
>>> appear
>>> More validation and error handling is needed throughout.  Weird emails
>>> abound!
>>> Need to know the envelope from sender.  Currently hidden from the
>>> milter, but hopefully exposable via a callback code.
>>>
>>>
>>>
>>>
>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <
>>> iversons at rushville.k12.in.us> wrote:
>>>
>>>> Dear MailScanner users:
>>>>
>>>> I am officially working on creating a lightweight milter for
>>>> MailScanner.
>>>>
>>>> This milter will not provide MTA protocol rejection for postfix, due to
>>>> the severe performance penalty it would cause.  All mail will be
>>>> intercepted, accepted, and silently dropped from the postfix queue and
>>>> placed in a MailScanner queue.
>>>>
>>>> I have a working prototype, and it is processing mail!  It is in need
>>>> of heavy refactoring and some bug squashing.
>>>>
>>>> Currently it attempts to create a postfix formatted queue file (very
>>>> ugly, who thought up this file format???!!!).  I may instead create a new
>>>> Milter Processor for MailScanner that reduces the overhead of doing this
>>>> and can read the incoming email in a simple line-by-line format.  This may
>>>> also increase performance overall and reduce all the conversions happening.
>>>>
>>>> The other side of the coin is what to do when MailScanner is done
>>>> processing mail.  Currently, it generates a postfix queue file and drops it
>>>> into postfix incoming directory.  It should not do this but instead drop
>>>> the message into postfix using native postfix tools.  That will be the next
>>>> part I tackle as part of the Milter Processor.
>>>>
>>>> Why am I doing this?  I want to place MailScanner back in a good
>>>> standing with Postfix folks (at least when the milter + postfix method is
>>>> in use).
>>>>
>>>> I have no plans of removing the old method but rather provide a more
>>>> supported path for postfix users.
>>>>
>>>> Wish me luck.  I could be heard across the neighborhood when
>>>> MailScanner processed an email from the Milter for the first time! :D
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com> wrote:
>>>>
>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>>> > David,
>>>>> >
>>>>> > I agree that this is true, and part of my lack of motivation to do
>>>>> it.
>>>>> > One reason I wanted it as an option was to reconcile the ongoing
>>>>> > conflict with the postfix community and return MailScanner to good
>>>>> > standing to this community.  Weitze has been very stern about
>>>>> > MailScanner directly tapping the postfix queues.
>>>>> >
>>>>> > Perhaps an alternative option would be to create a fast MailScanner
>>>>> > milter that behaves more like the HOLD queue.  Basically just a
>>>>> milter
>>>>> > that immediately fires back accept to postfix and places all the
>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
>>>>> > queue.  Doing so would maintain speed, simplicity, and be more
>>>>> compliant
>>>>> > with postfix. The code would also be very simple.
>>>>> >
>>>>> > Then, as you say, if you need MTA level functionality for SA, use
>>>>> other
>>>>> > software and methods.
>>>>> >
>>>>> >
>>>>>
>>>>> This light MS milter would make a lot of sense based on your goal to
>>>>> get
>>>>> compliant with Postfix and back "in" with the Postfix community.  +1
>>>>>
>>>>> >
>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
>>>>> > <mailto:djones at ena.com>> wrote:
>>>>> >
>>>>> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>>> >      > I have been planning for a MailScanner milter for quite some
>>>>> >     time.  I
>>>>> >      > have been specifically studying rpamd's milter source for this
>>>>> >     purpose.
>>>>> >      > Alas, lack of time and lack of money are always an issue, and
>>>>> I
>>>>> >     put a
>>>>> >      > lot of hours in my day job.  As Jerry would say, I like to eat
>>>>> >     and have
>>>>> >      > a roof over my head :D
>>>>> >      >
>>>>> >      > If I do find the time to build a milter, performance will
>>>>> >     definitely be
>>>>> >      > impacted.  The reason is that postfix will have to keep each
>>>>> session
>>>>> >      > open for the duration of scanning, and each MailScanner child
>>>>> >     would have
>>>>> >      > to issue a callback to postfix after scanning the spam so that
>>>>> >     postfix
>>>>> >      > can responds to the connection appropriately  (i.e. reject or
>>>>> >     accept).
>>>>> >      > This will slow down mail processing considerably.  If I do
>>>>> this,
>>>>> >     I am
>>>>> >      > going to keep the HOLD queue around, so you would have to
>>>>> choose
>>>>> >     between
>>>>> >      > speed or MTA level rejection functionality.
>>>>> >      >
>>>>> >      >
>>>>> >      >
>>>>> >
>>>>> >     My gut tells me that this is going to be so slow, that it's not
>>>>> >     going to
>>>>> >     be worth the time to put into it.  If you want to reject at MTA
>>>>> time,
>>>>> >     throw in amavis-new or spamd (not rspamd) using the same
>>>>> SpamAsssassin
>>>>> >     rules and Bayes DB to get most of the same features as
>>>>> MailScanner
>>>>> >     during the SMTP conversation.  Then the mail that gets through
>>>>> can be
>>>>> >     filtered by MailScanner for it's extra features that make it
>>>>> unique.
>>>>> >
>>>>> >     I understand there are different local legal requirements around
>>>>> the
>>>>> >     world that if email is accepted at MTA time then it has to be
>>>>> passed on
>>>>> >     to the end user's mailbox.  If you are located in one of these
>>>>> >     countries, then this would be more of an issue.  But since I am
>>>>> in a
>>>>> >     country that doesn't have this legal requirement, I do block
>>>>> email
>>>>> >     post-MTA by MailScanner.
>>>>> >
>>>>> >     The majority of my spam is blocked at the MTA level already by
>>>>> highly
>>>>> >     tuned RBLs and postscreen's RBL weighting which is very, very
>>>>> good.
>>>>> >     Only a small percentage of spam that is zero-hour or from
>>>>> compromised
>>>>> >     accounts makes it to MailScanner.
>>>>> >
>>>>> >     I highly recommend the Invaluement RBL.  It's very accurate --
>>>>> only
>>>>> >     1 or
>>>>> >     2 false positives over 5+ the years.  This RBL is very cost
>>>>> effective
>>>>> >     and has allowed me to disable all Spamhaus RBL checks in
>>>>> SpamAssassin
>>>>> >     saving thousands of dollars a year.  (We have too high a volume
>>>>> to stay
>>>>> >     under the free usage limits of Spamhaus so we were having to pay
>>>>> for
>>>>> >     the
>>>>> >     RBL feed.)
>>>>> >
>>>>> >      >
>>>>> >      >
>>>>> >      >
>>>>> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>>>>> >      > <mailscanner at lists.mailscanner.info
>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>> >      > <mailto:mailscanner at lists.mailscanner.info
>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>>>>> >      >
>>>>> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>>>>> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>>>>> >     <mailto:info at schroeffu.ch>>
>>>>> >      >     wrote:
>>>>> >      >      >
>>>>> >      >      > Hi Mailscanner friends,
>>>>> >      >      >
>>>>> >      >      > is there any progress to make MailScanner usable as a
>>>>> >     postfix milter?
>>>>> >      >      > The most biggest problem I have is, SPAM is not
>>>>> possible to
>>>>> >      >     reject when
>>>>> >      >      > reaching a high score at MTA level. For my
>>>>> understanding,
>>>>> >     connect
>>>>> >      >     via
>>>>> >      >      > milter instead of queue ^HOLD would be the solution.
>>>>> >      >      >
>>>>> >      >      > For the next decade we are still using MailScanner
>>>>> instead
>>>>> >     of others
>>>>> >      >      > like Rspamd, because MailScanner is like a mail suite
>>>>> for mail
>>>>> >      >     security,
>>>>> >      >      > but if there will never be the possibility to reject at
>>>>> >     MTA level
>>>>> >      >     the
>>>>> >      >      > high score spam, we will also change in 1-3 years while
>>>>> >     replacing
>>>>> >      >     the OS
>>>>> >      >      > beyond.
>>>>> >      >      >
>>>>> >      >
>>>>> >      >     One of MailScanner's strongest features is it's batch mode
>>>>> >     processing
>>>>> >      >     that will allow it to handle a very high volume of mail
>>>>> >     flow.  I doubt
>>>>> >      >     that MailScanner will ever be changed to run as a milter
>>>>> for this
>>>>> >      >     reason.
>>>>> >      >
>>>>> >      >     I tried rspamd and found it wasn't as good as the author
>>>>> >     claims so no
>>>>> >      >     reason to try to use that as a milter.  It also wasn't as
>>>>> >     fast as it
>>>>> >      >     claims.  I could not send high volumes of mail through it
>>>>> >     like I could
>>>>> >      >     with MailScanner.
>>>>> >      >
>>>>> >      >     If you want to block high scoring spam at the MTA level, I
>>>>> >     suggest
>>>>> >      >     using
>>>>> >      >     amavis or spamd with the same SA rulesets as MailScanner.
>>>>> >     This will
>>>>> >      >     get
>>>>> >      >     you most of the power of MailScanner's blocking at the
>>>>> MTA.
>>>>> >      >
>>>>> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
>>>>> >      >
>>>>> >      >     If you you use postscreen and postwhite at the Postfix MTA
>>>>> >     level, you
>>>>> >      >     can block most of the obvious spam with a tuned list of
>>>>> >     RBLs.  See the
>>>>> >      >     SA users mailing list over the past year for details on
>>>>> this
>>>>> >     from me
>>>>> >      >     and
>>>>> >      >     a few others.
>>>>> >      >
>>>>> >      >     I suggest setting up a quick test VM with iRedmail to get
>>>>> a good
>>>>> >      >     example
>>>>> >      >     of how to do TLS and amavis integration well with Postfix.
>>>>> >      >
>>>>> >      >     --
>>>>> >      >     David Jones
>>>>> >      >
>>>>> >      >
>>>>> >      >     --
>>>>> >      >     MailScanner mailing list
>>>>> >      > mailscanner at lists.mailscanner.info
>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>> >      >     <mailto:mailscanner at lists.mailscanner.info
>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>
>>>>> >      > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>> >      >
>>>>> >      >
>>>>> >      >
>>>>> >      > --
>>>>> >      > Shawn Iverson, CETL
>>>>> >      > Director of Technology
>>>>> >      > Rush County Schools
>>>>> >      > 765-932-3901 x1171
>>>>> >      > iversons at rushville.k12.in.us
>>>>> >     <mailto:iversons at rushville.k12.in.us>
>>>>> >     <mailto:iversons at rushville.k12.in.us
>>>>> >     <mailto:iversons at rushville.k12.in.us>>
>>>>> >      >
>>>>> >      >
>>>>> >
>>>>> >     --
>>>>> >     David Jones
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Shawn Iverson, CETL
>>>>> > Director of Technology
>>>>> > Rush County Schools
>>>>> > 765-932-3901 x1171
>>>>> > iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
>>>>> >
>>>>> >
>>>>>
>>>>>
>>>>> --
>>>>> David Jones
>>>>>
>>>>
>>>>
>>>> --
>>>> Shawn Iverson, CETL
>>>> Director of Technology
>>>> Rush County Schools
>>>> 765-932-3901 x1171
>>>> iversons at rushville.k12.in.us
>>>>
>>>>
>>>>
>>>
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>>
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180819/74af0df2/attachment-0001.html>

From iversons at rushville.k12.in.us  Sun Aug 19 21:14:47 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 19 Aug 2018 17:14:47 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zJQ4ZioeuKfHJzfdDVSfJuj1zF2N7YZT7sHsb=r3mmJFw@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
 <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
 <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>
 <CABu_8zLdNnFqmvUesCGqObmeb7gS+ZDyyirC-Fzra80H02EFHw@mail.gmail.com>
 <CABu_8zJQ4ZioeuKfHJzfdDVSfJuj1zF2N7YZT7sHsb=r3mmJFw@mail.gmail.com>
Message-ID: <CABu_8zLdP0tROOL4Vc8WbJzjyVDCKZhJtuP-ZNd8RTYQqWGh3A@mail.gmail.com>

Latest commit

Spamassassin/MailScanner are now comparing envelope from and from properly
:)

https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b

Todo:

Cleanup code
Add more options to mailscanner config, such as # of milter threads, etc.
Remove hard coded items where feasible
Honor placement of Header entries in header (top or bottom)
Test Test Test (anyone interested is welcome!)
Patches for MailWatch to handle new queues and process counts
Fix bug observed where mailscanner thinks processes are still running when
stopping (but aren't, harmless, just weird)

Feedback is welcome.







On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> Found the callback code for MAIL FROM:
>
> 'M'     SMFIC_MAIL      MAIL FROM: information
>                         Expected response:  Accept/reject action
>
> Time for some more coding :D
>
> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Another update
>>
>> The latest commit to my branch includes more fixes and a new thing that
>> needs handled now that a Milter is in play.  When mail is submitted back to
>> postfix, it needs to be processed by other things that could reject the
>> email (such as an blocked sender).  This is a problem because MailScanner
>> does not know how to handle rejects since it has always been part of the
>> queue process interacting directly with the queues, not before queue
>> process.
>>
>> During message delivery, if a reject is detected, I inject a special
>> header to the message and requeue it to MailScanner.  MailScanner has a
>> chance, based on this special header to flag the message, remove the
>> special header, add diagnostic info to the header about the relay, and
>> quarantine the message.  The mail admin is happy knowing that the message
>> didn't just vanish and has an opportunity to resolve the issue and release
>> it or know the disposition of the email.
>>
>> Another cool thing about this Milter Processor I discovered is you can
>> simply drop a message into /var/spool/MailScanner/milterin from
>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D
>>
>> This new code is in Message.pm and only becomes active if the milter is
>> activated.
>>
>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> Oh yeah, here's the config for Postfix:
>>>
>>> smtpd_milters = inet:127.0.0.1:33333
>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>>>
>>> /etc/postfix/smtpd_milter_map:
>>> 127.0.0.0/8 DISABLE
>>> ::/64 DISABLE
>>>
>>> This allows scanned emails to pass the milter, as well as notifications
>>> sent from the localhost.  You do need at least Postfix version 3.2 I
>>> believe to have milter map support.
>>>
>>>
>>>
>>>
>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
>>> iversons at rushville.k12.in.us> wrote:
>>>
>>>> MailScanner users:
>>>>
>>>> The MailScanner Milter project is coming along nicely.
>>>>
>>>> https://github.com/shawniverson/v5/commits/081118msmilter
>>>>
>>>> I am currently running this on a split relay to test the milter without
>>>> impacting production email.
>>>>
>>>> The design is fairly simple, although development has taken about 40
>>>> hours of my time.  I know more about MailScanner (and perl) than I ever
>>>> have :D
>>>>
>>>> The Milter is integrated into MailScanner and forks as a branch of the
>>>> MailScanner process tree, keeping systemd happy.
>>>>
>>>> The Milter process intercepts incoming email and tells postfix to
>>>> DISCARD, which basically accepts the mail and silently drops it before
>>>> entering the queue.  At the same time, the Milter writes a raw email file
>>>> to the /var/spool/MailScanner/milterin queue.
>>>>
>>>> MailScanner picks up the message batches in the milterin directory,
>>>> processes them, and spits them out to /var/spool/MailScanner/milterout
>>>> directory as raw email files.
>>>>
>>>> The MSMail Processor (new) relays the messages to postfix for further
>>>> processing over port 25.  A optional localhost rule in header_checks
>>>> removes the local entry from the header before delivery.
>>>>
>>>> The benefits are that the postfix queue is not touched at all
>>>> throughout this process, making the solution (hopefully) an acceptable one
>>>> within the postfix community.  It is also very fast, and the codebase for
>>>> this method is smaller than even the Postfix Processor, and MailScanner
>>>> gets its own queues, separate from postfix.
>>>>
>>>> One drawback to this method is there is no apparent way to extract the
>>>> Envelope From address (at least not yet, perhaps I am missing a milter
>>>> code), although it doesn't appear that MailScanner is all that concerned
>>>> about it and doesn't go out of its way to capture it.  I think it is
>>>> important though, for spoof detection, so I will continue to research this.
>>>>
>>>> Anyone that is willing to get their feet wet and test can apply the
>>>> following files from my branch:
>>>>
>>>> (In common)
>>>> /usr/sbin/MailScanner
>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>>
>>>> Then create the following dirs:
>>>> mkdir -p /var/spool/MailScanner/milterin
>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>>> mkdir -p /var/spool/MailScanner/milterout
>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>>
>>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>>> MTA = MSMail
>>>> MSMail Queue Type = short | long (pick one that matches your postfix
>>>> setting)
>>>>
>>>> I recommend doing this in a test or split relay environment that
>>>> blackholes email.  Do not use in production yet ;)
>>>>
>>>> Known issues at the moment:
>>>> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do not
>>>> appear
>>>> More validation and error handling is needed throughout.  Weird emails
>>>> abound!
>>>> Need to know the envelope from sender.  Currently hidden from the
>>>> milter, but hopefully exposable via a callback code.
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <
>>>> iversons at rushville.k12.in.us> wrote:
>>>>
>>>>> Dear MailScanner users:
>>>>>
>>>>> I am officially working on creating a lightweight milter for
>>>>> MailScanner.
>>>>>
>>>>> This milter will not provide MTA protocol rejection for postfix, due
>>>>> to the severe performance penalty it would cause.  All mail will be
>>>>> intercepted, accepted, and silently dropped from the postfix queue and
>>>>> placed in a MailScanner queue.
>>>>>
>>>>> I have a working prototype, and it is processing mail!  It is in need
>>>>> of heavy refactoring and some bug squashing.
>>>>>
>>>>> Currently it attempts to create a postfix formatted queue file (very
>>>>> ugly, who thought up this file format???!!!).  I may instead create a new
>>>>> Milter Processor for MailScanner that reduces the overhead of doing this
>>>>> and can read the incoming email in a simple line-by-line format.  This may
>>>>> also increase performance overall and reduce all the conversions happening.
>>>>>
>>>>> The other side of the coin is what to do when MailScanner is done
>>>>> processing mail.  Currently, it generates a postfix queue file and drops it
>>>>> into postfix incoming directory.  It should not do this but instead drop
>>>>> the message into postfix using native postfix tools.  That will be the next
>>>>> part I tackle as part of the Milter Processor.
>>>>>
>>>>> Why am I doing this?  I want to place MailScanner back in a good
>>>>> standing with Postfix folks (at least when the milter + postfix method is
>>>>> in use).
>>>>>
>>>>> I have no plans of removing the old method but rather provide a more
>>>>> supported path for postfix users.
>>>>>
>>>>> Wish me luck.  I could be heard across the neighborhood when
>>>>> MailScanner processed an email from the Milter for the first time! :D
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com> wrote:
>>>>>
>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>>>> > David,
>>>>>> >
>>>>>> > I agree that this is true, and part of my lack of motivation to do
>>>>>> it.
>>>>>> > One reason I wanted it as an option was to reconcile the ongoing
>>>>>> > conflict with the postfix community and return MailScanner to good
>>>>>> > standing to this community.  Weitze has been very stern about
>>>>>> > MailScanner directly tapping the postfix queues.
>>>>>> >
>>>>>> > Perhaps an alternative option would be to create a fast MailScanner
>>>>>> > milter that behaves more like the HOLD queue.  Basically just a
>>>>>> milter
>>>>>> > that immediately fires back accept to postfix and places all the
>>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
>>>>>> > queue.  Doing so would maintain speed, simplicity, and be more
>>>>>> compliant
>>>>>> > with postfix. The code would also be very simple.
>>>>>> >
>>>>>> > Then, as you say, if you need MTA level functionality for SA, use
>>>>>> other
>>>>>> > software and methods.
>>>>>> >
>>>>>> >
>>>>>>
>>>>>> This light MS milter would make a lot of sense based on your goal to
>>>>>> get
>>>>>> compliant with Postfix and back "in" with the Postfix community.  +1
>>>>>>
>>>>>> >
>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
>>>>>> > <mailto:djones at ena.com>> wrote:
>>>>>> >
>>>>>> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>>>> >      > I have been planning for a MailScanner milter for quite some
>>>>>> >     time.  I
>>>>>> >      > have been specifically studying rpamd's milter source for
>>>>>> this
>>>>>> >     purpose.
>>>>>> >      > Alas, lack of time and lack of money are always an issue,
>>>>>> and I
>>>>>> >     put a
>>>>>> >      > lot of hours in my day job.  As Jerry would say, I like to
>>>>>> eat
>>>>>> >     and have
>>>>>> >      > a roof over my head :D
>>>>>> >      >
>>>>>> >      > If I do find the time to build a milter, performance will
>>>>>> >     definitely be
>>>>>> >      > impacted.  The reason is that postfix will have to keep each
>>>>>> session
>>>>>> >      > open for the duration of scanning, and each MailScanner child
>>>>>> >     would have
>>>>>> >      > to issue a callback to postfix after scanning the spam so
>>>>>> that
>>>>>> >     postfix
>>>>>> >      > can responds to the connection appropriately  (i.e. reject or
>>>>>> >     accept).
>>>>>> >      > This will slow down mail processing considerably.  If I do
>>>>>> this,
>>>>>> >     I am
>>>>>> >      > going to keep the HOLD queue around, so you would have to
>>>>>> choose
>>>>>> >     between
>>>>>> >      > speed or MTA level rejection functionality.
>>>>>> >      >
>>>>>> >      >
>>>>>> >      >
>>>>>> >
>>>>>> >     My gut tells me that this is going to be so slow, that it's not
>>>>>> >     going to
>>>>>> >     be worth the time to put into it.  If you want to reject at MTA
>>>>>> time,
>>>>>> >     throw in amavis-new or spamd (not rspamd) using the same
>>>>>> SpamAsssassin
>>>>>> >     rules and Bayes DB to get most of the same features as
>>>>>> MailScanner
>>>>>> >     during the SMTP conversation.  Then the mail that gets through
>>>>>> can be
>>>>>> >     filtered by MailScanner for it's extra features that make it
>>>>>> unique.
>>>>>> >
>>>>>> >     I understand there are different local legal requirements
>>>>>> around the
>>>>>> >     world that if email is accepted at MTA time then it has to be
>>>>>> passed on
>>>>>> >     to the end user's mailbox.  If you are located in one of these
>>>>>> >     countries, then this would be more of an issue.  But since I am
>>>>>> in a
>>>>>> >     country that doesn't have this legal requirement, I do block
>>>>>> email
>>>>>> >     post-MTA by MailScanner.
>>>>>> >
>>>>>> >     The majority of my spam is blocked at the MTA level already by
>>>>>> highly
>>>>>> >     tuned RBLs and postscreen's RBL weighting which is very, very
>>>>>> good.
>>>>>> >     Only a small percentage of spam that is zero-hour or from
>>>>>> compromised
>>>>>> >     accounts makes it to MailScanner.
>>>>>> >
>>>>>> >     I highly recommend the Invaluement RBL.  It's very accurate --
>>>>>> only
>>>>>> >     1 or
>>>>>> >     2 false positives over 5+ the years.  This RBL is very cost
>>>>>> effective
>>>>>> >     and has allowed me to disable all Spamhaus RBL checks in
>>>>>> SpamAssassin
>>>>>> >     saving thousands of dollars a year.  (We have too high a volume
>>>>>> to stay
>>>>>> >     under the free usage limits of Spamhaus so we were having to
>>>>>> pay for
>>>>>> >     the
>>>>>> >     RBL feed.)
>>>>>> >
>>>>>> >      >
>>>>>> >      >
>>>>>> >      >
>>>>>> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>>>>>> >      > <mailscanner at lists.mailscanner.info
>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>> >      > <mailto:mailscanner at lists.mailscanner.info
>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>>>>>> >      >
>>>>>> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>>>>>> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>>>>>> >     <mailto:info at schroeffu.ch>>
>>>>>> >      >     wrote:
>>>>>> >      >      >
>>>>>> >      >      > Hi Mailscanner friends,
>>>>>> >      >      >
>>>>>> >      >      > is there any progress to make MailScanner usable as a
>>>>>> >     postfix milter?
>>>>>> >      >      > The most biggest problem I have is, SPAM is not
>>>>>> possible to
>>>>>> >      >     reject when
>>>>>> >      >      > reaching a high score at MTA level. For my
>>>>>> understanding,
>>>>>> >     connect
>>>>>> >      >     via
>>>>>> >      >      > milter instead of queue ^HOLD would be the solution.
>>>>>> >      >      >
>>>>>> >      >      > For the next decade we are still using MailScanner
>>>>>> instead
>>>>>> >     of others
>>>>>> >      >      > like Rspamd, because MailScanner is like a mail suite
>>>>>> for mail
>>>>>> >      >     security,
>>>>>> >      >      > but if there will never be the possibility to reject
>>>>>> at
>>>>>> >     MTA level
>>>>>> >      >     the
>>>>>> >      >      > high score spam, we will also change in 1-3 years
>>>>>> while
>>>>>> >     replacing
>>>>>> >      >     the OS
>>>>>> >      >      > beyond.
>>>>>> >      >      >
>>>>>> >      >
>>>>>> >      >     One of MailScanner's strongest features is it's batch
>>>>>> mode
>>>>>> >     processing
>>>>>> >      >     that will allow it to handle a very high volume of mail
>>>>>> >     flow.  I doubt
>>>>>> >      >     that MailScanner will ever be changed to run as a milter
>>>>>> for this
>>>>>> >      >     reason.
>>>>>> >      >
>>>>>> >      >     I tried rspamd and found it wasn't as good as the author
>>>>>> >     claims so no
>>>>>> >      >     reason to try to use that as a milter.  It also wasn't as
>>>>>> >     fast as it
>>>>>> >      >     claims.  I could not send high volumes of mail through it
>>>>>> >     like I could
>>>>>> >      >     with MailScanner.
>>>>>> >      >
>>>>>> >      >     If you want to block high scoring spam at the MTA level,
>>>>>> I
>>>>>> >     suggest
>>>>>> >      >     using
>>>>>> >      >     amavis or spamd with the same SA rulesets as
>>>>>> MailScanner.
>>>>>> >     This will
>>>>>> >      >     get
>>>>>> >      >     you most of the power of MailScanner's blocking at the
>>>>>> MTA.
>>>>>> >      >
>>>>>> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
>>>>>> >      >
>>>>>> >      >     If you you use postscreen and postwhite at the Postfix
>>>>>> MTA
>>>>>> >     level, you
>>>>>> >      >     can block most of the obvious spam with a tuned list of
>>>>>> >     RBLs.  See the
>>>>>> >      >     SA users mailing list over the past year for details on
>>>>>> this
>>>>>> >     from me
>>>>>> >      >     and
>>>>>> >      >     a few others.
>>>>>> >      >
>>>>>> >      >     I suggest setting up a quick test VM with iRedmail to
>>>>>> get a good
>>>>>> >      >     example
>>>>>> >      >     of how to do TLS and amavis integration well with
>>>>>> Postfix.
>>>>>> >      >
>>>>>> >      >     --
>>>>>> >      >     David Jones
>>>>>> >      >
>>>>>> >      >
>>>>>> >      >     --
>>>>>> >      >     MailScanner mailing list
>>>>>> >      > mailscanner at lists.mailscanner.info
>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>> >      >     <mailto:mailscanner at lists.mailscanner.info
>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>
>>>>>> >      > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>> >      >
>>>>>> >      >
>>>>>> >      >
>>>>>> >      > --
>>>>>> >      > Shawn Iverson, CETL
>>>>>> >      > Director of Technology
>>>>>> >      > Rush County Schools
>>>>>> >      > 765-932-3901 x1171
>>>>>> >      > iversons at rushville.k12.in.us
>>>>>> >     <mailto:iversons at rushville.k12.in.us>
>>>>>> >     <mailto:iversons at rushville.k12.in.us
>>>>>> >     <mailto:iversons at rushville.k12.in.us>>
>>>>>> >      >
>>>>>> >      >
>>>>>> >
>>>>>> >     --
>>>>>> >     David Jones
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > --
>>>>>> > Shawn Iverson, CETL
>>>>>> > Director of Technology
>>>>>> > Rush County Schools
>>>>>> > 765-932-3901 x1171
>>>>>> > iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
>>>>>> >
>>>>>> >
>>>>>>
>>>>>>
>>>>>> --
>>>>>> David Jones
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Shawn Iverson, CETL
>>>>> Director of Technology
>>>>> Rush County Schools
>>>>> 765-932-3901 x1171
>>>>> iversons at rushville.k12.in.us
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Shawn Iverson, CETL
>>>> Director of Technology
>>>> Rush County Schools
>>>> 765-932-3901 x1171
>>>> iversons at rushville.k12.in.us
>>>>
>>>>
>>>>
>>>
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>>
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180819/009b0684/attachment.html>

From iversons at rushville.k12.in.us  Mon Aug 20 15:49:14 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 20 Aug 2018 11:49:14 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zLdP0tROOL4Vc8WbJzjyVDCKZhJtuP-ZNd8RTYQqWGh3A@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
 <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
 <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>
 <CABu_8zLdNnFqmvUesCGqObmeb7gS+ZDyyirC-Fzra80H02EFHw@mail.gmail.com>
 <CABu_8zJQ4ZioeuKfHJzfdDVSfJuj1zF2N7YZT7sHsb=r3mmJFw@mail.gmail.com>
 <CABu_8zLdP0tROOL4Vc8WbJzjyVDCKZhJtuP-ZNd8RTYQqWGh3A@mail.gmail.com>
Message-ID: <CABu_8z+rc6iQ2FJytkfWuebBAQRK8=sXqzpFSnZP=LQky=0UFQ@mail.gmail.com>

RFC 5321 support added.

Also reviewing RFC 822, particularly handling of delivery failure notices,
with respect to the milter.

https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de351645321


Currently addressing a bug with the daemon forking new children.   Seems to
be caused by the Milter being a child process of MailScanner.  If I cannot
resolve, I plan to separate the Milter into its own daemon.  This may be
better anyway and allow both to be managed independently.

On Sun, Aug 19, 2018 at 5:14 PM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> Latest commit
>
> Spamassassin/MailScanner are now comparing envelope from and from properly
> :)
>
>
> https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b
>
> Todo:
>
> Cleanup code
> Add more options to mailscanner config, such as # of milter threads, etc.
> Remove hard coded items where feasible
> Honor placement of Header entries in header (top or bottom)
> Test Test Test (anyone interested is welcome!)
> Patches for MailWatch to handle new queues and process counts
> Fix bug observed where mailscanner thinks processes are still running when
> stopping (but aren't, harmless, just weird)
>
> Feedback is welcome.
>
>
>
>
>
>
>
> On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Found the callback code for MAIL FROM:
>>
>> 'M'     SMFIC_MAIL      MAIL FROM: information
>>                         Expected response:  Accept/reject action
>>
>> Time for some more coding :D
>>
>> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> Another update
>>>
>>> The latest commit to my branch includes more fixes and a new thing that
>>> needs handled now that a Milter is in play.  When mail is submitted back to
>>> postfix, it needs to be processed by other things that could reject the
>>> email (such as an blocked sender).  This is a problem because MailScanner
>>> does not know how to handle rejects since it has always been part of the
>>> queue process interacting directly with the queues, not before queue
>>> process.
>>>
>>> During message delivery, if a reject is detected, I inject a special
>>> header to the message and requeue it to MailScanner.  MailScanner has a
>>> chance, based on this special header to flag the message, remove the
>>> special header, add diagnostic info to the header about the relay, and
>>> quarantine the message.  The mail admin is happy knowing that the message
>>> didn't just vanish and has an opportunity to resolve the issue and release
>>> it or know the disposition of the email.
>>>
>>> Another cool thing about this Milter Processor I discovered is you can
>>> simply drop a message into /var/spool/MailScanner/milterin from
>>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D
>>>
>>> This new code is in Message.pm and only becomes active if the milter is
>>> activated.
>>>
>>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <
>>> iversons at rushville.k12.in.us> wrote:
>>>
>>>> Oh yeah, here's the config for Postfix:
>>>>
>>>> smtpd_milters = inet:127.0.0.1:33333
>>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>>>>
>>>> /etc/postfix/smtpd_milter_map:
>>>> 127.0.0.0/8 DISABLE
>>>> ::/64 DISABLE
>>>>
>>>> This allows scanned emails to pass the milter, as well as notifications
>>>> sent from the localhost.  You do need at least Postfix version 3.2 I
>>>> believe to have milter map support.
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
>>>> iversons at rushville.k12.in.us> wrote:
>>>>
>>>>> MailScanner users:
>>>>>
>>>>> The MailScanner Milter project is coming along nicely.
>>>>>
>>>>> https://github.com/shawniverson/v5/commits/081118msmilter
>>>>>
>>>>> I am currently running this on a split relay to test the milter
>>>>> without impacting production email.
>>>>>
>>>>> The design is fairly simple, although development has taken about 40
>>>>> hours of my time.  I know more about MailScanner (and perl) than I ever
>>>>> have :D
>>>>>
>>>>> The Milter is integrated into MailScanner and forks as a branch of the
>>>>> MailScanner process tree, keeping systemd happy.
>>>>>
>>>>> The Milter process intercepts incoming email and tells postfix to
>>>>> DISCARD, which basically accepts the mail and silently drops it before
>>>>> entering the queue.  At the same time, the Milter writes a raw email file
>>>>> to the /var/spool/MailScanner/milterin queue.
>>>>>
>>>>> MailScanner picks up the message batches in the milterin directory,
>>>>> processes them, and spits them out to /var/spool/MailScanner/milterout
>>>>> directory as raw email files.
>>>>>
>>>>> The MSMail Processor (new) relays the messages to postfix for further
>>>>> processing over port 25.  A optional localhost rule in header_checks
>>>>> removes the local entry from the header before delivery.
>>>>>
>>>>> The benefits are that the postfix queue is not touched at all
>>>>> throughout this process, making the solution (hopefully) an acceptable one
>>>>> within the postfix community.  It is also very fast, and the codebase for
>>>>> this method is smaller than even the Postfix Processor, and MailScanner
>>>>> gets its own queues, separate from postfix.
>>>>>
>>>>> One drawback to this method is there is no apparent way to extract the
>>>>> Envelope From address (at least not yet, perhaps I am missing a milter
>>>>> code), although it doesn't appear that MailScanner is all that concerned
>>>>> about it and doesn't go out of its way to capture it.  I think it is
>>>>> important though, for spoof detection, so I will continue to research this.
>>>>>
>>>>> Anyone that is willing to get their feet wet and test can apply the
>>>>> following files from my branch:
>>>>>
>>>>> (In common)
>>>>> /usr/sbin/MailScanner
>>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>>>
>>>>> Then create the following dirs:
>>>>> mkdir -p /var/spool/MailScanner/milterin
>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>>>> mkdir -p /var/spool/MailScanner/milterout
>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>>>
>>>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>>>> MTA = MSMail
>>>>> MSMail Queue Type = short | long (pick one that matches your postfix
>>>>> setting)
>>>>>
>>>>> I recommend doing this in a test or split relay environment that
>>>>> blackholes email.  Do not use in production yet ;)
>>>>>
>>>>> Known issues at the moment:
>>>>> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do
>>>>> not appear
>>>>> More validation and error handling is needed throughout.  Weird emails
>>>>> abound!
>>>>> Need to know the envelope from sender.  Currently hidden from the
>>>>> milter, but hopefully exposable via a callback code.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <
>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>
>>>>>> Dear MailScanner users:
>>>>>>
>>>>>> I am officially working on creating a lightweight milter for
>>>>>> MailScanner.
>>>>>>
>>>>>> This milter will not provide MTA protocol rejection for postfix, due
>>>>>> to the severe performance penalty it would cause.  All mail will be
>>>>>> intercepted, accepted, and silently dropped from the postfix queue and
>>>>>> placed in a MailScanner queue.
>>>>>>
>>>>>> I have a working prototype, and it is processing mail!  It is in need
>>>>>> of heavy refactoring and some bug squashing.
>>>>>>
>>>>>> Currently it attempts to create a postfix formatted queue file (very
>>>>>> ugly, who thought up this file format???!!!).  I may instead create a new
>>>>>> Milter Processor for MailScanner that reduces the overhead of doing this
>>>>>> and can read the incoming email in a simple line-by-line format.  This may
>>>>>> also increase performance overall and reduce all the conversions happening.
>>>>>>
>>>>>> The other side of the coin is what to do when MailScanner is done
>>>>>> processing mail.  Currently, it generates a postfix queue file and drops it
>>>>>> into postfix incoming directory.  It should not do this but instead drop
>>>>>> the message into postfix using native postfix tools.  That will be the next
>>>>>> part I tackle as part of the Milter Processor.
>>>>>>
>>>>>> Why am I doing this?  I want to place MailScanner back in a good
>>>>>> standing with Postfix folks (at least when the milter + postfix method is
>>>>>> in use).
>>>>>>
>>>>>> I have no plans of removing the old method but rather provide a more
>>>>>> supported path for postfix users.
>>>>>>
>>>>>> Wish me luck.  I could be heard across the neighborhood when
>>>>>> MailScanner processed an email from the Milter for the first time! :D
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com> wrote:
>>>>>>
>>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>>>>> > David,
>>>>>>> >
>>>>>>> > I agree that this is true, and part of my lack of motivation to do
>>>>>>> it.
>>>>>>> > One reason I wanted it as an option was to reconcile the ongoing
>>>>>>> > conflict with the postfix community and return MailScanner to good
>>>>>>> > standing to this community.  Weitze has been very stern about
>>>>>>> > MailScanner directly tapping the postfix queues.
>>>>>>> >
>>>>>>> > Perhaps an alternative option would be to create a fast
>>>>>>> MailScanner
>>>>>>> > milter that behaves more like the HOLD queue.  Basically just a
>>>>>>> milter
>>>>>>> > that immediately fires back accept to postfix and places all the
>>>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
>>>>>>> > queue.  Doing so would maintain speed, simplicity, and be more
>>>>>>> compliant
>>>>>>> > with postfix. The code would also be very simple.
>>>>>>> >
>>>>>>> > Then, as you say, if you need MTA level functionality for SA, use
>>>>>>> other
>>>>>>> > software and methods.
>>>>>>> >
>>>>>>> >
>>>>>>>
>>>>>>> This light MS milter would make a lot of sense based on your goal to
>>>>>>> get
>>>>>>> compliant with Postfix and back "in" with the Postfix community.  +1
>>>>>>>
>>>>>>> >
>>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
>>>>>>> > <mailto:djones at ena.com>> wrote:
>>>>>>> >
>>>>>>> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>>>>> >      > I have been planning for a MailScanner milter for quite some
>>>>>>> >     time.  I
>>>>>>> >      > have been specifically studying rpamd's milter source for
>>>>>>> this
>>>>>>> >     purpose.
>>>>>>> >      > Alas, lack of time and lack of money are always an issue,
>>>>>>> and I
>>>>>>> >     put a
>>>>>>> >      > lot of hours in my day job.  As Jerry would say, I like to
>>>>>>> eat
>>>>>>> >     and have
>>>>>>> >      > a roof over my head :D
>>>>>>> >      >
>>>>>>> >      > If I do find the time to build a milter, performance will
>>>>>>> >     definitely be
>>>>>>> >      > impacted.  The reason is that postfix will have to keep
>>>>>>> each session
>>>>>>> >      > open for the duration of scanning, and each MailScanner
>>>>>>> child
>>>>>>> >     would have
>>>>>>> >      > to issue a callback to postfix after scanning the spam so
>>>>>>> that
>>>>>>> >     postfix
>>>>>>> >      > can responds to the connection appropriately  (i.e. reject
>>>>>>> or
>>>>>>> >     accept).
>>>>>>> >      > This will slow down mail processing considerably.  If I do
>>>>>>> this,
>>>>>>> >     I am
>>>>>>> >      > going to keep the HOLD queue around, so you would have to
>>>>>>> choose
>>>>>>> >     between
>>>>>>> >      > speed or MTA level rejection functionality.
>>>>>>> >      >
>>>>>>> >      >
>>>>>>> >      >
>>>>>>> >
>>>>>>> >     My gut tells me that this is going to be so slow, that it's not
>>>>>>> >     going to
>>>>>>> >     be worth the time to put into it.  If you want to reject at
>>>>>>> MTA time,
>>>>>>> >     throw in amavis-new or spamd (not rspamd) using the same
>>>>>>> SpamAsssassin
>>>>>>> >     rules and Bayes DB to get most of the same features as
>>>>>>> MailScanner
>>>>>>> >     during the SMTP conversation.  Then the mail that gets through
>>>>>>> can be
>>>>>>> >     filtered by MailScanner for it's extra features that make it
>>>>>>> unique.
>>>>>>> >
>>>>>>> >     I understand there are different local legal requirements
>>>>>>> around the
>>>>>>> >     world that if email is accepted at MTA time then it has to be
>>>>>>> passed on
>>>>>>> >     to the end user's mailbox.  If you are located in one of these
>>>>>>> >     countries, then this would be more of an issue.  But since I
>>>>>>> am in a
>>>>>>> >     country that doesn't have this legal requirement, I do block
>>>>>>> email
>>>>>>> >     post-MTA by MailScanner.
>>>>>>> >
>>>>>>> >     The majority of my spam is blocked at the MTA level already by
>>>>>>> highly
>>>>>>> >     tuned RBLs and postscreen's RBL weighting which is very, very
>>>>>>> good.
>>>>>>> >     Only a small percentage of spam that is zero-hour or from
>>>>>>> compromised
>>>>>>> >     accounts makes it to MailScanner.
>>>>>>> >
>>>>>>> >     I highly recommend the Invaluement RBL.  It's very accurate --
>>>>>>> only
>>>>>>> >     1 or
>>>>>>> >     2 false positives over 5+ the years.  This RBL is very cost
>>>>>>> effective
>>>>>>> >     and has allowed me to disable all Spamhaus RBL checks in
>>>>>>> SpamAssassin
>>>>>>> >     saving thousands of dollars a year.  (We have too high a
>>>>>>> volume to stay
>>>>>>> >     under the free usage limits of Spamhaus so we were having to
>>>>>>> pay for
>>>>>>> >     the
>>>>>>> >     RBL feed.)
>>>>>>> >
>>>>>>> >      >
>>>>>>> >      >
>>>>>>> >      >
>>>>>>> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>>>>>>> >      > <mailscanner at lists.mailscanner.info
>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>>> >      > <mailto:mailscanner at lists.mailscanner.info
>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>>>>>>> >      >
>>>>>>> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>>>>>>> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>>>>>>> >     <mailto:info at schroeffu.ch>>
>>>>>>> >      >     wrote:
>>>>>>> >      >      >
>>>>>>> >      >      > Hi Mailscanner friends,
>>>>>>> >      >      >
>>>>>>> >      >      > is there any progress to make MailScanner usable as a
>>>>>>> >     postfix milter?
>>>>>>> >      >      > The most biggest problem I have is, SPAM is not
>>>>>>> possible to
>>>>>>> >      >     reject when
>>>>>>> >      >      > reaching a high score at MTA level. For my
>>>>>>> understanding,
>>>>>>> >     connect
>>>>>>> >      >     via
>>>>>>> >      >      > milter instead of queue ^HOLD would be the solution.
>>>>>>> >      >      >
>>>>>>> >      >      > For the next decade we are still using MailScanner
>>>>>>> instead
>>>>>>> >     of others
>>>>>>> >      >      > like Rspamd, because MailScanner is like a mail
>>>>>>> suite for mail
>>>>>>> >      >     security,
>>>>>>> >      >      > but if there will never be the possibility to reject
>>>>>>> at
>>>>>>> >     MTA level
>>>>>>> >      >     the
>>>>>>> >      >      > high score spam, we will also change in 1-3 years
>>>>>>> while
>>>>>>> >     replacing
>>>>>>> >      >     the OS
>>>>>>> >      >      > beyond.
>>>>>>> >      >      >
>>>>>>> >      >
>>>>>>> >      >     One of MailScanner's strongest features is it's batch
>>>>>>> mode
>>>>>>> >     processing
>>>>>>> >      >     that will allow it to handle a very high volume of mail
>>>>>>> >     flow.  I doubt
>>>>>>> >      >     that MailScanner will ever be changed to run as a
>>>>>>> milter for this
>>>>>>> >      >     reason.
>>>>>>> >      >
>>>>>>> >      >     I tried rspamd and found it wasn't as good as the author
>>>>>>> >     claims so no
>>>>>>> >      >     reason to try to use that as a milter.  It also wasn't
>>>>>>> as
>>>>>>> >     fast as it
>>>>>>> >      >     claims.  I could not send high volumes of mail through
>>>>>>> it
>>>>>>> >     like I could
>>>>>>> >      >     with MailScanner.
>>>>>>> >      >
>>>>>>> >      >     If you want to block high scoring spam at the MTA
>>>>>>> level, I
>>>>>>> >     suggest
>>>>>>> >      >     using
>>>>>>> >      >     amavis or spamd with the same SA rulesets as
>>>>>>> MailScanner.
>>>>>>> >     This will
>>>>>>> >      >     get
>>>>>>> >      >     you most of the power of MailScanner's blocking at the
>>>>>>> MTA.
>>>>>>> >      >
>>>>>>> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
>>>>>>> >      >
>>>>>>> >      >     If you you use postscreen and postwhite at the Postfix
>>>>>>> MTA
>>>>>>> >     level, you
>>>>>>> >      >     can block most of the obvious spam with a tuned list of
>>>>>>> >     RBLs.  See the
>>>>>>> >      >     SA users mailing list over the past year for details on
>>>>>>> this
>>>>>>> >     from me
>>>>>>> >      >     and
>>>>>>> >      >     a few others.
>>>>>>> >      >
>>>>>>> >      >     I suggest setting up a quick test VM with iRedmail to
>>>>>>> get a good
>>>>>>> >      >     example
>>>>>>> >      >     of how to do TLS and amavis integration well with
>>>>>>> Postfix.
>>>>>>> >      >
>>>>>>> >      >     --
>>>>>>> >      >     David Jones
>>>>>>> >      >
>>>>>>> >      >
>>>>>>> >      >     --
>>>>>>> >      >     MailScanner mailing list
>>>>>>> >      > mailscanner at lists.mailscanner.info
>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>>> >      >     <mailto:mailscanner at lists.mailscanner.info
>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>
>>>>>>> >      > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>> >      >
>>>>>>> >      >
>>>>>>> >      >
>>>>>>> >      > --
>>>>>>> >      > Shawn Iverson, CETL
>>>>>>> >      > Director of Technology
>>>>>>> >      > Rush County Schools
>>>>>>> >      > 765-932-3901 x1171
>>>>>>> >      > iversons at rushville.k12.in.us
>>>>>>> >     <mailto:iversons at rushville.k12.in.us>
>>>>>>> >     <mailto:iversons at rushville.k12.in.us
>>>>>>> >     <mailto:iversons at rushville.k12.in.us>>
>>>>>>> >      >
>>>>>>> >      >
>>>>>>> >
>>>>>>> >     --
>>>>>>> >     David Jones
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > --
>>>>>>> > Shawn Iverson, CETL
>>>>>>> > Director of Technology
>>>>>>> > Rush County Schools
>>>>>>> > 765-932-3901 x1171
>>>>>>> > iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us>
>>>>>>> >
>>>>>>> >
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> David Jones
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Shawn Iverson, CETL
>>>>>> Director of Technology
>>>>>> Rush County Schools
>>>>>> 765-932-3901 x1171
>>>>>> iversons at rushville.k12.in.us
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Shawn Iverson, CETL
>>>>> Director of Technology
>>>>> Rush County Schools
>>>>> 765-932-3901 x1171
>>>>> iversons at rushville.k12.in.us
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Shawn Iverson, CETL
>>>> Director of Technology
>>>> Rush County Schools
>>>> 765-932-3901 x1171
>>>> iversons at rushville.k12.in.us
>>>>
>>>>
>>>>
>>>
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>>
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180820/fc6a8545/attachment.html>

From iversons at rushville.k12.in.us  Mon Aug 20 15:49:46 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 20 Aug 2018 11:49:46 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8z+rc6iQ2FJytkfWuebBAQRK8=sXqzpFSnZP=LQky=0UFQ@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
 <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
 <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>
 <CABu_8zLdNnFqmvUesCGqObmeb7gS+ZDyyirC-Fzra80H02EFHw@mail.gmail.com>
 <CABu_8zJQ4ZioeuKfHJzfdDVSfJuj1zF2N7YZT7sHsb=r3mmJFw@mail.gmail.com>
 <CABu_8zLdP0tROOL4Vc8WbJzjyVDCKZhJtuP-ZNd8RTYQqWGh3A@mail.gmail.com>
 <CABu_8z+rc6iQ2FJytkfWuebBAQRK8=sXqzpFSnZP=LQky=0UFQ@mail.gmail.com>
Message-ID: <CABu_8zKDNp-4LiPK3YmH9oAPGqBE2D8iL-EcqpK0fQBtp9DtSg@mail.gmail.com>

Corrected link

https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de35164

On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> RFC 5321 support added.
>
> Also reviewing RFC 822, particularly handling of delivery failure notices,
> with respect to the milter.
>
>
> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de351645321
>
>
> Currently addressing a bug with the daemon forking new children.   Seems
> to be caused by the Milter being a child process of MailScanner.  If I
> cannot resolve, I plan to separate the Milter into its own daemon.  This
> may be better anyway and allow both to be managed independently.
>
> On Sun, Aug 19, 2018 at 5:14 PM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Latest commit
>>
>> Spamassassin/MailScanner are now comparing envelope from and from
>> properly :)
>>
>>
>> https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b
>>
>> Todo:
>>
>> Cleanup code
>> Add more options to mailscanner config, such as # of milter threads, etc.
>> Remove hard coded items where feasible
>> Honor placement of Header entries in header (top or bottom)
>> Test Test Test (anyone interested is welcome!)
>> Patches for MailWatch to handle new queues and process counts
>> Fix bug observed where mailscanner thinks processes are still running
>> when stopping (but aren't, harmless, just weird)
>>
>> Feedback is welcome.
>>
>>
>>
>>
>>
>>
>>
>> On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> Found the callback code for MAIL FROM:
>>>
>>> 'M'     SMFIC_MAIL      MAIL FROM: information
>>>                         Expected response:  Accept/reject action
>>>
>>> Time for some more coding :D
>>>
>>> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson <
>>> iversons at rushville.k12.in.us> wrote:
>>>
>>>> Another update
>>>>
>>>> The latest commit to my branch includes more fixes and a new thing that
>>>> needs handled now that a Milter is in play.  When mail is submitted back to
>>>> postfix, it needs to be processed by other things that could reject the
>>>> email (such as an blocked sender).  This is a problem because MailScanner
>>>> does not know how to handle rejects since it has always been part of the
>>>> queue process interacting directly with the queues, not before queue
>>>> process.
>>>>
>>>> During message delivery, if a reject is detected, I inject a special
>>>> header to the message and requeue it to MailScanner.  MailScanner has a
>>>> chance, based on this special header to flag the message, remove the
>>>> special header, add diagnostic info to the header about the relay, and
>>>> quarantine the message.  The mail admin is happy knowing that the message
>>>> didn't just vanish and has an opportunity to resolve the issue and release
>>>> it or know the disposition of the email.
>>>>
>>>> Another cool thing about this Milter Processor I discovered is you can
>>>> simply drop a message into /var/spool/MailScanner/milterin from
>>>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D
>>>>
>>>> This new code is in Message.pm and only becomes active if the milter is
>>>> activated.
>>>>
>>>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <
>>>> iversons at rushville.k12.in.us> wrote:
>>>>
>>>>> Oh yeah, here's the config for Postfix:
>>>>>
>>>>> smtpd_milters = inet:127.0.0.1:33333
>>>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>>>>>
>>>>> /etc/postfix/smtpd_milter_map:
>>>>> 127.0.0.0/8 DISABLE
>>>>> ::/64 DISABLE
>>>>>
>>>>> This allows scanned emails to pass the milter, as well as
>>>>> notifications sent from the localhost.  You do need at least Postfix
>>>>> version 3.2 I believe to have milter map support.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>
>>>>>> MailScanner users:
>>>>>>
>>>>>> The MailScanner Milter project is coming along nicely.
>>>>>>
>>>>>> https://github.com/shawniverson/v5/commits/081118msmilter
>>>>>>
>>>>>> I am currently running this on a split relay to test the milter
>>>>>> without impacting production email.
>>>>>>
>>>>>> The design is fairly simple, although development has taken about 40
>>>>>> hours of my time.  I know more about MailScanner (and perl) than I ever
>>>>>> have :D
>>>>>>
>>>>>> The Milter is integrated into MailScanner and forks as a branch of
>>>>>> the MailScanner process tree, keeping systemd happy.
>>>>>>
>>>>>> The Milter process intercepts incoming email and tells postfix to
>>>>>> DISCARD, which basically accepts the mail and silently drops it before
>>>>>> entering the queue.  At the same time, the Milter writes a raw email file
>>>>>> to the /var/spool/MailScanner/milterin queue.
>>>>>>
>>>>>> MailScanner picks up the message batches in the milterin directory,
>>>>>> processes them, and spits them out to /var/spool/MailScanner/milterout
>>>>>> directory as raw email files.
>>>>>>
>>>>>> The MSMail Processor (new) relays the messages to postfix for further
>>>>>> processing over port 25.  A optional localhost rule in header_checks
>>>>>> removes the local entry from the header before delivery.
>>>>>>
>>>>>> The benefits are that the postfix queue is not touched at all
>>>>>> throughout this process, making the solution (hopefully) an acceptable one
>>>>>> within the postfix community.  It is also very fast, and the codebase for
>>>>>> this method is smaller than even the Postfix Processor, and MailScanner
>>>>>> gets its own queues, separate from postfix.
>>>>>>
>>>>>> One drawback to this method is there is no apparent way to extract
>>>>>> the Envelope From address (at least not yet, perhaps I am missing a milter
>>>>>> code), although it doesn't appear that MailScanner is all that concerned
>>>>>> about it and doesn't go out of its way to capture it.  I think it is
>>>>>> important though, for spoof detection, so I will continue to research this.
>>>>>>
>>>>>> Anyone that is willing to get their feet wet and test can apply the
>>>>>> following files from my branch:
>>>>>>
>>>>>> (In common)
>>>>>> /usr/sbin/MailScanner
>>>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>>>>
>>>>>> Then create the following dirs:
>>>>>> mkdir -p /var/spool/MailScanner/milterin
>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>>>>> mkdir -p /var/spool/MailScanner/milterout
>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>>>>
>>>>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>>>>> MTA = MSMail
>>>>>> MSMail Queue Type = short | long (pick one that matches your postfix
>>>>>> setting)
>>>>>>
>>>>>> I recommend doing this in a test or split relay environment that
>>>>>> blackholes email.  Do not use in production yet ;)
>>>>>>
>>>>>> Known issues at the moment:
>>>>>> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do
>>>>>> not appear
>>>>>> More validation and error handling is needed throughout.  Weird
>>>>>> emails abound!
>>>>>> Need to know the envelope from sender.  Currently hidden from the
>>>>>> milter, but hopefully exposable via a callback code.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <
>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>
>>>>>>> Dear MailScanner users:
>>>>>>>
>>>>>>> I am officially working on creating a lightweight milter for
>>>>>>> MailScanner.
>>>>>>>
>>>>>>> This milter will not provide MTA protocol rejection for postfix, due
>>>>>>> to the severe performance penalty it would cause.  All mail will be
>>>>>>> intercepted, accepted, and silently dropped from the postfix queue and
>>>>>>> placed in a MailScanner queue.
>>>>>>>
>>>>>>> I have a working prototype, and it is processing mail!  It is in
>>>>>>> need of heavy refactoring and some bug squashing.
>>>>>>>
>>>>>>> Currently it attempts to create a postfix formatted queue file (very
>>>>>>> ugly, who thought up this file format???!!!).  I may instead create a new
>>>>>>> Milter Processor for MailScanner that reduces the overhead of doing this
>>>>>>> and can read the incoming email in a simple line-by-line format.  This may
>>>>>>> also increase performance overall and reduce all the conversions happening.
>>>>>>>
>>>>>>> The other side of the coin is what to do when MailScanner is done
>>>>>>> processing mail.  Currently, it generates a postfix queue file and drops it
>>>>>>> into postfix incoming directory.  It should not do this but instead drop
>>>>>>> the message into postfix using native postfix tools.  That will be the next
>>>>>>> part I tackle as part of the Milter Processor.
>>>>>>>
>>>>>>> Why am I doing this?  I want to place MailScanner back in a good
>>>>>>> standing with Postfix folks (at least when the milter + postfix method is
>>>>>>> in use).
>>>>>>>
>>>>>>> I have no plans of removing the old method but rather provide a more
>>>>>>> supported path for postfix users.
>>>>>>>
>>>>>>> Wish me luck.  I could be heard across the neighborhood when
>>>>>>> MailScanner processed an email from the Milter for the first time! :D
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com> wrote:
>>>>>>>
>>>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>>>>>> > David,
>>>>>>>> >
>>>>>>>> > I agree that this is true, and part of my lack of motivation to
>>>>>>>> do it.
>>>>>>>> > One reason I wanted it as an option was to reconcile the ongoing
>>>>>>>> > conflict with the postfix community and return MailScanner to
>>>>>>>> good
>>>>>>>> > standing to this community.  Weitze has been very stern about
>>>>>>>> > MailScanner directly tapping the postfix queues.
>>>>>>>> >
>>>>>>>> > Perhaps an alternative option would be to create a fast
>>>>>>>> MailScanner
>>>>>>>> > milter that behaves more like the HOLD queue.  Basically just a
>>>>>>>> milter
>>>>>>>> > that immediately fires back accept to postfix and places all the
>>>>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix HOLD
>>>>>>>> > queue.  Doing so would maintain speed, simplicity, and be more
>>>>>>>> compliant
>>>>>>>> > with postfix. The code would also be very simple.
>>>>>>>> >
>>>>>>>> > Then, as you say, if you need MTA level functionality for SA, use
>>>>>>>> other
>>>>>>>> > software and methods.
>>>>>>>> >
>>>>>>>> >
>>>>>>>>
>>>>>>>> This light MS milter would make a lot of sense based on your goal
>>>>>>>> to get
>>>>>>>> compliant with Postfix and back "in" with the Postfix community.  +1
>>>>>>>>
>>>>>>>> >
>>>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
>>>>>>>> > <mailto:djones at ena.com>> wrote:
>>>>>>>> >
>>>>>>>> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>>>>>> >      > I have been planning for a MailScanner milter for quite
>>>>>>>> some
>>>>>>>> >     time.  I
>>>>>>>> >      > have been specifically studying rpamd's milter source for
>>>>>>>> this
>>>>>>>> >     purpose.
>>>>>>>> >      > Alas, lack of time and lack of money are always an issue,
>>>>>>>> and I
>>>>>>>> >     put a
>>>>>>>> >      > lot of hours in my day job.  As Jerry would say, I like to
>>>>>>>> eat
>>>>>>>> >     and have
>>>>>>>> >      > a roof over my head :D
>>>>>>>> >      >
>>>>>>>> >      > If I do find the time to build a milter, performance will
>>>>>>>> >     definitely be
>>>>>>>> >      > impacted.  The reason is that postfix will have to keep
>>>>>>>> each session
>>>>>>>> >      > open for the duration of scanning, and each MailScanner
>>>>>>>> child
>>>>>>>> >     would have
>>>>>>>> >      > to issue a callback to postfix after scanning the spam so
>>>>>>>> that
>>>>>>>> >     postfix
>>>>>>>> >      > can responds to the connection appropriately  (i.e. reject
>>>>>>>> or
>>>>>>>> >     accept).
>>>>>>>> >      > This will slow down mail processing considerably.  If I do
>>>>>>>> this,
>>>>>>>> >     I am
>>>>>>>> >      > going to keep the HOLD queue around, so you would have to
>>>>>>>> choose
>>>>>>>> >     between
>>>>>>>> >      > speed or MTA level rejection functionality.
>>>>>>>> >      >
>>>>>>>> >      >
>>>>>>>> >      >
>>>>>>>> >
>>>>>>>> >     My gut tells me that this is going to be so slow, that it's
>>>>>>>> not
>>>>>>>> >     going to
>>>>>>>> >     be worth the time to put into it.  If you want to reject at
>>>>>>>> MTA time,
>>>>>>>> >     throw in amavis-new or spamd (not rspamd) using the same
>>>>>>>> SpamAsssassin
>>>>>>>> >     rules and Bayes DB to get most of the same features as
>>>>>>>> MailScanner
>>>>>>>> >     during the SMTP conversation.  Then the mail that gets
>>>>>>>> through can be
>>>>>>>> >     filtered by MailScanner for it's extra features that make it
>>>>>>>> unique.
>>>>>>>> >
>>>>>>>> >     I understand there are different local legal requirements
>>>>>>>> around the
>>>>>>>> >     world that if email is accepted at MTA time then it has to be
>>>>>>>> passed on
>>>>>>>> >     to the end user's mailbox.  If you are located in one of these
>>>>>>>> >     countries, then this would be more of an issue.  But since I
>>>>>>>> am in a
>>>>>>>> >     country that doesn't have this legal requirement, I do block
>>>>>>>> email
>>>>>>>> >     post-MTA by MailScanner.
>>>>>>>> >
>>>>>>>> >     The majority of my spam is blocked at the MTA level already
>>>>>>>> by highly
>>>>>>>> >     tuned RBLs and postscreen's RBL weighting which is very, very
>>>>>>>> good.
>>>>>>>> >     Only a small percentage of spam that is zero-hour or from
>>>>>>>> compromised
>>>>>>>> >     accounts makes it to MailScanner.
>>>>>>>> >
>>>>>>>> >     I highly recommend the Invaluement RBL.  It's very accurate
>>>>>>>> -- only
>>>>>>>> >     1 or
>>>>>>>> >     2 false positives over 5+ the years.  This RBL is very cost
>>>>>>>> effective
>>>>>>>> >     and has allowed me to disable all Spamhaus RBL checks in
>>>>>>>> SpamAssassin
>>>>>>>> >     saving thousands of dollars a year.  (We have too high a
>>>>>>>> volume to stay
>>>>>>>> >     under the free usage limits of Spamhaus so we were having to
>>>>>>>> pay for
>>>>>>>> >     the
>>>>>>>> >     RBL feed.)
>>>>>>>> >
>>>>>>>> >      >
>>>>>>>> >      >
>>>>>>>> >      >
>>>>>>>> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via MailScanner
>>>>>>>> >      > <mailscanner at lists.mailscanner.info
>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>>>> >      > <mailto:mailscanner at lists.mailscanner.info
>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>>>>>>>> >      >
>>>>>>>> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>>>>>>>> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>>>>>>>> >     <mailto:info at schroeffu.ch>>
>>>>>>>> >      >     wrote:
>>>>>>>> >      >      >
>>>>>>>> >      >      > Hi Mailscanner friends,
>>>>>>>> >      >      >
>>>>>>>> >      >      > is there any progress to make MailScanner usable as
>>>>>>>> a
>>>>>>>> >     postfix milter?
>>>>>>>> >      >      > The most biggest problem I have is, SPAM is not
>>>>>>>> possible to
>>>>>>>> >      >     reject when
>>>>>>>> >      >      > reaching a high score at MTA level. For my
>>>>>>>> understanding,
>>>>>>>> >     connect
>>>>>>>> >      >     via
>>>>>>>> >      >      > milter instead of queue ^HOLD would be the solution.
>>>>>>>> >      >      >
>>>>>>>> >      >      > For the next decade we are still using MailScanner
>>>>>>>> instead
>>>>>>>> >     of others
>>>>>>>> >      >      > like Rspamd, because MailScanner is like a mail
>>>>>>>> suite for mail
>>>>>>>> >      >     security,
>>>>>>>> >      >      > but if there will never be the possibility to
>>>>>>>> reject at
>>>>>>>> >     MTA level
>>>>>>>> >      >     the
>>>>>>>> >      >      > high score spam, we will also change in 1-3 years
>>>>>>>> while
>>>>>>>> >     replacing
>>>>>>>> >      >     the OS
>>>>>>>> >      >      > beyond.
>>>>>>>> >      >      >
>>>>>>>> >      >
>>>>>>>> >      >     One of MailScanner's strongest features is it's batch
>>>>>>>> mode
>>>>>>>> >     processing
>>>>>>>> >      >     that will allow it to handle a very high volume of mail
>>>>>>>> >     flow.  I doubt
>>>>>>>> >      >     that MailScanner will ever be changed to run as a
>>>>>>>> milter for this
>>>>>>>> >      >     reason.
>>>>>>>> >      >
>>>>>>>> >      >     I tried rspamd and found it wasn't as good as the
>>>>>>>> author
>>>>>>>> >     claims so no
>>>>>>>> >      >     reason to try to use that as a milter.  It also wasn't
>>>>>>>> as
>>>>>>>> >     fast as it
>>>>>>>> >      >     claims.  I could not send high volumes of mail through
>>>>>>>> it
>>>>>>>> >     like I could
>>>>>>>> >      >     with MailScanner.
>>>>>>>> >      >
>>>>>>>> >      >     If you want to block high scoring spam at the MTA
>>>>>>>> level, I
>>>>>>>> >     suggest
>>>>>>>> >      >     using
>>>>>>>> >      >     amavis or spamd with the same SA rulesets as
>>>>>>>> MailScanner.
>>>>>>>> >     This will
>>>>>>>> >      >     get
>>>>>>>> >      >     you most of the power of MailScanner's blocking at the
>>>>>>>> MTA.
>>>>>>>> >      >
>>>>>>>> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
>>>>>>>> >      >
>>>>>>>> >      >     If you you use postscreen and postwhite at the Postfix
>>>>>>>> MTA
>>>>>>>> >     level, you
>>>>>>>> >      >     can block most of the obvious spam with a tuned list of
>>>>>>>> >     RBLs.  See the
>>>>>>>> >      >     SA users mailing list over the past year for details
>>>>>>>> on this
>>>>>>>> >     from me
>>>>>>>> >      >     and
>>>>>>>> >      >     a few others.
>>>>>>>> >      >
>>>>>>>> >      >     I suggest setting up a quick test VM with iRedmail to
>>>>>>>> get a good
>>>>>>>> >      >     example
>>>>>>>> >      >     of how to do TLS and amavis integration well with
>>>>>>>> Postfix.
>>>>>>>> >      >
>>>>>>>> >      >     --
>>>>>>>> >      >     David Jones
>>>>>>>> >      >
>>>>>>>> >      >
>>>>>>>> >      >     --
>>>>>>>> >      >     MailScanner mailing list
>>>>>>>> >      > mailscanner at lists.mailscanner.info
>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>>>> >      >     <mailto:mailscanner at lists.mailscanner.info
>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>
>>>>>>>> >      > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>> >      >
>>>>>>>> >      >
>>>>>>>> >      >
>>>>>>>> >      > --
>>>>>>>> >      > Shawn Iverson, CETL
>>>>>>>> >      > Director of Technology
>>>>>>>> >      > Rush County Schools
>>>>>>>> >      > 765-932-3901 x1171
>>>>>>>> >      > iversons at rushville.k12.in.us
>>>>>>>> >     <mailto:iversons at rushville.k12.in.us>
>>>>>>>> >     <mailto:iversons at rushville.k12.in.us
>>>>>>>> >     <mailto:iversons at rushville.k12.in.us>>
>>>>>>>> >      >
>>>>>>>> >      >
>>>>>>>> >
>>>>>>>> >     --
>>>>>>>> >     David Jones
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > Shawn Iverson, CETL
>>>>>>>> > Director of Technology
>>>>>>>> > Rush County Schools
>>>>>>>> > 765-932-3901 x1171
>>>>>>>> > iversons at rushville.k12.in.us <mailto:iversons at rushville.k12.in.us
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> David Jones
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Shawn Iverson, CETL
>>>>>>> Director of Technology
>>>>>>> Rush County Schools
>>>>>>> 765-932-3901 x1171
>>>>>>> iversons at rushville.k12.in.us
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Shawn Iverson, CETL
>>>>>> Director of Technology
>>>>>> Rush County Schools
>>>>>> 765-932-3901 x1171
>>>>>> iversons at rushville.k12.in.us
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Shawn Iverson, CETL
>>>>> Director of Technology
>>>>> Rush County Schools
>>>>> 765-932-3901 x1171
>>>>> iversons at rushville.k12.in.us
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Shawn Iverson, CETL
>>>> Director of Technology
>>>> Rush County Schools
>>>> 765-932-3901 x1171
>>>> iversons at rushville.k12.in.us
>>>>
>>>>
>>>>
>>>
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>>
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180820/9fcb465f/attachment-0001.html>

From iversons at rushville.k12.in.us  Mon Aug 20 22:33:16 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 20 Aug 2018 18:33:16 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zKDNp-4LiPK3YmH9oAPGqBE2D8iL-EcqpK0fQBtp9DtSg@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
 <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
 <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>
 <CABu_8zLdNnFqmvUesCGqObmeb7gS+ZDyyirC-Fzra80H02EFHw@mail.gmail.com>
 <CABu_8zJQ4ZioeuKfHJzfdDVSfJuj1zF2N7YZT7sHsb=r3mmJFw@mail.gmail.com>
 <CABu_8zLdP0tROOL4Vc8WbJzjyVDCKZhJtuP-ZNd8RTYQqWGh3A@mail.gmail.com>
 <CABu_8z+rc6iQ2FJytkfWuebBAQRK8=sXqzpFSnZP=LQky=0UFQ@mail.gmail.com>
 <CABu_8zKDNp-4LiPK3YmH9oAPGqBE2D8iL-EcqpK0fQBtp9DtSg@mail.gmail.com>
Message-ID: <CABu_8zLv_X3QkK=Jmrso4WksEaBS3kh8qXsbEOFkVkG7UT39=g@mail.gmail.com>

Daemonized the Milter

https://github.com/shawniverson/v5/commit/3614686575763cceac965c43212544f37f9f6a24

On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> Corrected link
>
>
> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de35164
>
> On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> RFC 5321 support added.
>>
>> Also reviewing RFC 822, particularly handling of delivery failure
>> notices, with respect to the milter.
>>
>>
>> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de351645321
>>
>>
>> Currently addressing a bug with the daemon forking new children.   Seems
>> to be caused by the Milter being a child process of MailScanner.  If I
>> cannot resolve, I plan to separate the Milter into its own daemon.  This
>> may be better anyway and allow both to be managed independently.
>>
>> On Sun, Aug 19, 2018 at 5:14 PM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> Latest commit
>>>
>>> Spamassassin/MailScanner are now comparing envelope from and from
>>> properly :)
>>>
>>>
>>> https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b
>>>
>>> Todo:
>>>
>>> Cleanup code
>>> Add more options to mailscanner config, such as # of milter threads, etc.
>>> Remove hard coded items where feasible
>>> Honor placement of Header entries in header (top or bottom)
>>> Test Test Test (anyone interested is welcome!)
>>> Patches for MailWatch to handle new queues and process counts
>>> Fix bug observed where mailscanner thinks processes are still running
>>> when stopping (but aren't, harmless, just weird)
>>>
>>> Feedback is welcome.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson <
>>> iversons at rushville.k12.in.us> wrote:
>>>
>>>> Found the callback code for MAIL FROM:
>>>>
>>>> 'M'     SMFIC_MAIL      MAIL FROM: information
>>>>                         Expected response:  Accept/reject action
>>>>
>>>> Time for some more coding :D
>>>>
>>>> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson <
>>>> iversons at rushville.k12.in.us> wrote:
>>>>
>>>>> Another update
>>>>>
>>>>> The latest commit to my branch includes more fixes and a new thing
>>>>> that needs handled now that a Milter is in play.  When mail is submitted
>>>>> back to postfix, it needs to be processed by other things that could reject
>>>>> the email (such as an blocked sender).  This is a problem because
>>>>> MailScanner does not know how to handle rejects since it has always been
>>>>> part of the queue process interacting directly with the queues, not before
>>>>> queue process.
>>>>>
>>>>> During message delivery, if a reject is detected, I inject a special
>>>>> header to the message and requeue it to MailScanner.  MailScanner has a
>>>>> chance, based on this special header to flag the message, remove the
>>>>> special header, add diagnostic info to the header about the relay, and
>>>>> quarantine the message.  The mail admin is happy knowing that the message
>>>>> didn't just vanish and has an opportunity to resolve the issue and release
>>>>> it or know the disposition of the email.
>>>>>
>>>>> Another cool thing about this Milter Processor I discovered is you can
>>>>> simply drop a message into /var/spool/MailScanner/milterin from
>>>>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D
>>>>>
>>>>> This new code is in Message.pm and only becomes active if the milter
>>>>> is activated.
>>>>>
>>>>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <
>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>
>>>>>> Oh yeah, here's the config for Postfix:
>>>>>>
>>>>>> smtpd_milters = inet:127.0.0.1:33333
>>>>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>>>>>>
>>>>>> /etc/postfix/smtpd_milter_map:
>>>>>> 127.0.0.0/8 DISABLE
>>>>>> ::/64 DISABLE
>>>>>>
>>>>>> This allows scanned emails to pass the milter, as well as
>>>>>> notifications sent from the localhost.  You do need at least Postfix
>>>>>> version 3.2 I believe to have milter map support.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>
>>>>>>> MailScanner users:
>>>>>>>
>>>>>>> The MailScanner Milter project is coming along nicely.
>>>>>>>
>>>>>>> https://github.com/shawniverson/v5/commits/081118msmilter
>>>>>>>
>>>>>>> I am currently running this on a split relay to test the milter
>>>>>>> without impacting production email.
>>>>>>>
>>>>>>> The design is fairly simple, although development has taken about 40
>>>>>>> hours of my time.  I know more about MailScanner (and perl) than I ever
>>>>>>> have :D
>>>>>>>
>>>>>>> The Milter is integrated into MailScanner and forks as a branch of
>>>>>>> the MailScanner process tree, keeping systemd happy.
>>>>>>>
>>>>>>> The Milter process intercepts incoming email and tells postfix to
>>>>>>> DISCARD, which basically accepts the mail and silently drops it before
>>>>>>> entering the queue.  At the same time, the Milter writes a raw email file
>>>>>>> to the /var/spool/MailScanner/milterin queue.
>>>>>>>
>>>>>>> MailScanner picks up the message batches in the milterin directory,
>>>>>>> processes them, and spits them out to /var/spool/MailScanner/milterout
>>>>>>> directory as raw email files.
>>>>>>>
>>>>>>> The MSMail Processor (new) relays the messages to postfix for
>>>>>>> further processing over port 25.  A optional localhost rule in
>>>>>>> header_checks removes the local entry from the header before delivery.
>>>>>>>
>>>>>>> The benefits are that the postfix queue is not touched at all
>>>>>>> throughout this process, making the solution (hopefully) an acceptable one
>>>>>>> within the postfix community.  It is also very fast, and the codebase for
>>>>>>> this method is smaller than even the Postfix Processor, and MailScanner
>>>>>>> gets its own queues, separate from postfix.
>>>>>>>
>>>>>>> One drawback to this method is there is no apparent way to extract
>>>>>>> the Envelope From address (at least not yet, perhaps I am missing a milter
>>>>>>> code), although it doesn't appear that MailScanner is all that concerned
>>>>>>> about it and doesn't go out of its way to capture it.  I think it is
>>>>>>> important though, for spoof detection, so I will continue to research this.
>>>>>>>
>>>>>>> Anyone that is willing to get their feet wet and test can apply the
>>>>>>> following files from my branch:
>>>>>>>
>>>>>>> (In common)
>>>>>>> /usr/sbin/MailScanner
>>>>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>>>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>>>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>>>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>>>>>
>>>>>>> Then create the following dirs:
>>>>>>> mkdir -p /var/spool/MailScanner/milterin
>>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>>>>>> mkdir -p /var/spool/MailScanner/milterout
>>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>>>>>
>>>>>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>>>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>>>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>>>>>> MTA = MSMail
>>>>>>> MSMail Queue Type = short | long (pick one that matches your postfix
>>>>>>> setting)
>>>>>>>
>>>>>>> I recommend doing this in a test or split relay environment that
>>>>>>> blackholes email.  Do not use in production yet ;)
>>>>>>>
>>>>>>> Known issues at the moment:
>>>>>>> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do
>>>>>>> not appear
>>>>>>> More validation and error handling is needed throughout.  Weird
>>>>>>> emails abound!
>>>>>>> Need to know the envelope from sender.  Currently hidden from the
>>>>>>> milter, but hopefully exposable via a callback code.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <
>>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>>
>>>>>>>> Dear MailScanner users:
>>>>>>>>
>>>>>>>> I am officially working on creating a lightweight milter for
>>>>>>>> MailScanner.
>>>>>>>>
>>>>>>>> This milter will not provide MTA protocol rejection for postfix,
>>>>>>>> due to the severe performance penalty it would cause.  All mail will be
>>>>>>>> intercepted, accepted, and silently dropped from the postfix queue and
>>>>>>>> placed in a MailScanner queue.
>>>>>>>>
>>>>>>>> I have a working prototype, and it is processing mail!  It is in
>>>>>>>> need of heavy refactoring and some bug squashing.
>>>>>>>>
>>>>>>>> Currently it attempts to create a postfix formatted queue file
>>>>>>>> (very ugly, who thought up this file format???!!!).  I may instead create a
>>>>>>>> new Milter Processor for MailScanner that reduces the overhead of doing
>>>>>>>> this and can read the incoming email in a simple line-by-line format.  This
>>>>>>>> may also increase performance overall and reduce all the conversions
>>>>>>>> happening.
>>>>>>>>
>>>>>>>> The other side of the coin is what to do when MailScanner is done
>>>>>>>> processing mail.  Currently, it generates a postfix queue file and drops it
>>>>>>>> into postfix incoming directory.  It should not do this but instead drop
>>>>>>>> the message into postfix using native postfix tools.  That will be the next
>>>>>>>> part I tackle as part of the Milter Processor.
>>>>>>>>
>>>>>>>> Why am I doing this?  I want to place MailScanner back in a good
>>>>>>>> standing with Postfix folks (at least when the milter + postfix method is
>>>>>>>> in use).
>>>>>>>>
>>>>>>>> I have no plans of removing the old method but rather provide a
>>>>>>>> more supported path for postfix users.
>>>>>>>>
>>>>>>>> Wish me luck.  I could be heard across the neighborhood when
>>>>>>>> MailScanner processed an email from the Milter for the first time! :D
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com> wrote:
>>>>>>>>
>>>>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>>>>>>> > David,
>>>>>>>>> >
>>>>>>>>> > I agree that this is true, and part of my lack of motivation to
>>>>>>>>> do it.
>>>>>>>>> > One reason I wanted it as an option was to reconcile the ongoing
>>>>>>>>> > conflict with the postfix community and return MailScanner to
>>>>>>>>> good
>>>>>>>>> > standing to this community.  Weitze has been very stern about
>>>>>>>>> > MailScanner directly tapping the postfix queues.
>>>>>>>>> >
>>>>>>>>> > Perhaps an alternative option would be to create a fast
>>>>>>>>> MailScanner
>>>>>>>>> > milter that behaves more like the HOLD queue.  Basically just a
>>>>>>>>> milter
>>>>>>>>> > that immediately fires back accept to postfix and places all the
>>>>>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix
>>>>>>>>> HOLD
>>>>>>>>> > queue.  Doing so would maintain speed, simplicity, and be more
>>>>>>>>> compliant
>>>>>>>>> > with postfix. The code would also be very simple.
>>>>>>>>> >
>>>>>>>>> > Then, as you say, if you need MTA level functionality for SA,
>>>>>>>>> use other
>>>>>>>>> > software and methods.
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>>
>>>>>>>>> This light MS milter would make a lot of sense based on your goal
>>>>>>>>> to get
>>>>>>>>> compliant with Postfix and back "in" with the Postfix community.
>>>>>>>>> +1
>>>>>>>>>
>>>>>>>>> >
>>>>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
>>>>>>>>> > <mailto:djones at ena.com>> wrote:
>>>>>>>>> >
>>>>>>>>> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>>>>>>> >      > I have been planning for a MailScanner milter for quite
>>>>>>>>> some
>>>>>>>>> >     time.  I
>>>>>>>>> >      > have been specifically studying rpamd's milter source for
>>>>>>>>> this
>>>>>>>>> >     purpose.
>>>>>>>>> >      > Alas, lack of time and lack of money are always an issue,
>>>>>>>>> and I
>>>>>>>>> >     put a
>>>>>>>>> >      > lot of hours in my day job.  As Jerry would say, I like
>>>>>>>>> to eat
>>>>>>>>> >     and have
>>>>>>>>> >      > a roof over my head :D
>>>>>>>>> >      >
>>>>>>>>> >      > If I do find the time to build a milter, performance will
>>>>>>>>> >     definitely be
>>>>>>>>> >      > impacted.  The reason is that postfix will have to keep
>>>>>>>>> each session
>>>>>>>>> >      > open for the duration of scanning, and each MailScanner
>>>>>>>>> child
>>>>>>>>> >     would have
>>>>>>>>> >      > to issue a callback to postfix after scanning the spam so
>>>>>>>>> that
>>>>>>>>> >     postfix
>>>>>>>>> >      > can responds to the connection appropriately  (i.e.
>>>>>>>>> reject or
>>>>>>>>> >     accept).
>>>>>>>>> >      > This will slow down mail processing considerably.  If I
>>>>>>>>> do this,
>>>>>>>>> >     I am
>>>>>>>>> >      > going to keep the HOLD queue around, so you would have to
>>>>>>>>> choose
>>>>>>>>> >     between
>>>>>>>>> >      > speed or MTA level rejection functionality.
>>>>>>>>> >      >
>>>>>>>>> >      >
>>>>>>>>> >      >
>>>>>>>>> >
>>>>>>>>> >     My gut tells me that this is going to be so slow, that it's
>>>>>>>>> not
>>>>>>>>> >     going to
>>>>>>>>> >     be worth the time to put into it.  If you want to reject at
>>>>>>>>> MTA time,
>>>>>>>>> >     throw in amavis-new or spamd (not rspamd) using the same
>>>>>>>>> SpamAsssassin
>>>>>>>>> >     rules and Bayes DB to get most of the same features as
>>>>>>>>> MailScanner
>>>>>>>>> >     during the SMTP conversation.  Then the mail that gets
>>>>>>>>> through can be
>>>>>>>>> >     filtered by MailScanner for it's extra features that make it
>>>>>>>>> unique.
>>>>>>>>> >
>>>>>>>>> >     I understand there are different local legal requirements
>>>>>>>>> around the
>>>>>>>>> >     world that if email is accepted at MTA time then it has to
>>>>>>>>> be passed on
>>>>>>>>> >     to the end user's mailbox.  If you are located in one of
>>>>>>>>> these
>>>>>>>>> >     countries, then this would be more of an issue.  But since I
>>>>>>>>> am in a
>>>>>>>>> >     country that doesn't have this legal requirement, I do block
>>>>>>>>> email
>>>>>>>>> >     post-MTA by MailScanner.
>>>>>>>>> >
>>>>>>>>> >     The majority of my spam is blocked at the MTA level already
>>>>>>>>> by highly
>>>>>>>>> >     tuned RBLs and postscreen's RBL weighting which is very,
>>>>>>>>> very good.
>>>>>>>>> >     Only a small percentage of spam that is zero-hour or from
>>>>>>>>> compromised
>>>>>>>>> >     accounts makes it to MailScanner.
>>>>>>>>> >
>>>>>>>>> >     I highly recommend the Invaluement RBL.  It's very accurate
>>>>>>>>> -- only
>>>>>>>>> >     1 or
>>>>>>>>> >     2 false positives over 5+ the years.  This RBL is very cost
>>>>>>>>> effective
>>>>>>>>> >     and has allowed me to disable all Spamhaus RBL checks in
>>>>>>>>> SpamAssassin
>>>>>>>>> >     saving thousands of dollars a year.  (We have too high a
>>>>>>>>> volume to stay
>>>>>>>>> >     under the free usage limits of Spamhaus so we were having to
>>>>>>>>> pay for
>>>>>>>>> >     the
>>>>>>>>> >     RBL feed.)
>>>>>>>>> >
>>>>>>>>> >      >
>>>>>>>>> >      >
>>>>>>>>> >      >
>>>>>>>>> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via
>>>>>>>>> MailScanner
>>>>>>>>> >      > <mailscanner at lists.mailscanner.info
>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>>>>> >      > <mailto:mailscanner at lists.mailscanner.info
>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>>>>>>>>> >      >
>>>>>>>>> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>>>>>>>>> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>>>>>>>>> >     <mailto:info at schroeffu.ch>>
>>>>>>>>> >      >     wrote:
>>>>>>>>> >      >      >
>>>>>>>>> >      >      > Hi Mailscanner friends,
>>>>>>>>> >      >      >
>>>>>>>>> >      >      > is there any progress to make MailScanner usable
>>>>>>>>> as a
>>>>>>>>> >     postfix milter?
>>>>>>>>> >      >      > The most biggest problem I have is, SPAM is not
>>>>>>>>> possible to
>>>>>>>>> >      >     reject when
>>>>>>>>> >      >      > reaching a high score at MTA level. For my
>>>>>>>>> understanding,
>>>>>>>>> >     connect
>>>>>>>>> >      >     via
>>>>>>>>> >      >      > milter instead of queue ^HOLD would be the
>>>>>>>>> solution.
>>>>>>>>> >      >      >
>>>>>>>>> >      >      > For the next decade we are still using MailScanner
>>>>>>>>> instead
>>>>>>>>> >     of others
>>>>>>>>> >      >      > like Rspamd, because MailScanner is like a mail
>>>>>>>>> suite for mail
>>>>>>>>> >      >     security,
>>>>>>>>> >      >      > but if there will never be the possibility to
>>>>>>>>> reject at
>>>>>>>>> >     MTA level
>>>>>>>>> >      >     the
>>>>>>>>> >      >      > high score spam, we will also change in 1-3 years
>>>>>>>>> while
>>>>>>>>> >     replacing
>>>>>>>>> >      >     the OS
>>>>>>>>> >      >      > beyond.
>>>>>>>>> >      >      >
>>>>>>>>> >      >
>>>>>>>>> >      >     One of MailScanner's strongest features is it's batch
>>>>>>>>> mode
>>>>>>>>> >     processing
>>>>>>>>> >      >     that will allow it to handle a very high volume of
>>>>>>>>> mail
>>>>>>>>> >     flow.  I doubt
>>>>>>>>> >      >     that MailScanner will ever be changed to run as a
>>>>>>>>> milter for this
>>>>>>>>> >      >     reason.
>>>>>>>>> >      >
>>>>>>>>> >      >     I tried rspamd and found it wasn't as good as the
>>>>>>>>> author
>>>>>>>>> >     claims so no
>>>>>>>>> >      >     reason to try to use that as a milter.  It also
>>>>>>>>> wasn't as
>>>>>>>>> >     fast as it
>>>>>>>>> >      >     claims.  I could not send high volumes of mail
>>>>>>>>> through it
>>>>>>>>> >     like I could
>>>>>>>>> >      >     with MailScanner.
>>>>>>>>> >      >
>>>>>>>>> >      >     If you want to block high scoring spam at the MTA
>>>>>>>>> level, I
>>>>>>>>> >     suggest
>>>>>>>>> >      >     using
>>>>>>>>> >      >     amavis or spamd with the same SA rulesets as
>>>>>>>>> MailScanner.
>>>>>>>>> >     This will
>>>>>>>>> >      >     get
>>>>>>>>> >      >     you most of the power of MailScanner's blocking at
>>>>>>>>> the MTA.
>>>>>>>>> >      >
>>>>>>>>> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
>>>>>>>>> >      >
>>>>>>>>> >      >     If you you use postscreen and postwhite at the
>>>>>>>>> Postfix MTA
>>>>>>>>> >     level, you
>>>>>>>>> >      >     can block most of the obvious spam with a tuned list
>>>>>>>>> of
>>>>>>>>> >     RBLs.  See the
>>>>>>>>> >      >     SA users mailing list over the past year for details
>>>>>>>>> on this
>>>>>>>>> >     from me
>>>>>>>>> >      >     and
>>>>>>>>> >      >     a few others.
>>>>>>>>> >      >
>>>>>>>>> >      >     I suggest setting up a quick test VM with iRedmail to
>>>>>>>>> get a good
>>>>>>>>> >      >     example
>>>>>>>>> >      >     of how to do TLS and amavis integration well with
>>>>>>>>> Postfix.
>>>>>>>>> >      >
>>>>>>>>> >      >     --
>>>>>>>>> >      >     David Jones
>>>>>>>>> >      >
>>>>>>>>> >      >
>>>>>>>>> >      >     --
>>>>>>>>> >      >     MailScanner mailing list
>>>>>>>>> >      > mailscanner at lists.mailscanner.info
>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>>>>> >      >     <mailto:mailscanner at lists.mailscanner.info
>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>
>>>>>>>>> >      >
>>>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>>> >      >
>>>>>>>>> >      >
>>>>>>>>> >      >
>>>>>>>>> >      > --
>>>>>>>>> >      > Shawn Iverson, CETL
>>>>>>>>> >      > Director of Technology
>>>>>>>>> >      > Rush County Schools
>>>>>>>>> >      > 765-932-3901 x1171
>>>>>>>>> >      > iversons at rushville.k12.in.us
>>>>>>>>> >     <mailto:iversons at rushville.k12.in.us>
>>>>>>>>> >     <mailto:iversons at rushville.k12.in.us
>>>>>>>>> >     <mailto:iversons at rushville.k12.in.us>>
>>>>>>>>> >      >
>>>>>>>>> >      >
>>>>>>>>> >
>>>>>>>>> >     --
>>>>>>>>> >     David Jones
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>> > --
>>>>>>>>> > Shawn Iverson, CETL
>>>>>>>>> > Director of Technology
>>>>>>>>> > Rush County Schools
>>>>>>>>> > 765-932-3901 x1171
>>>>>>>>> > iversons at rushville.k12.in.us <mailto:
>>>>>>>>> iversons at rushville.k12.in.us>
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> David Jones
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Shawn Iverson, CETL
>>>>>>>> Director of Technology
>>>>>>>> Rush County Schools
>>>>>>>> 765-932-3901 x1171
>>>>>>>> iversons at rushville.k12.in.us
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Shawn Iverson, CETL
>>>>>>> Director of Technology
>>>>>>> Rush County Schools
>>>>>>> 765-932-3901 x1171
>>>>>>> iversons at rushville.k12.in.us
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Shawn Iverson, CETL
>>>>>> Director of Technology
>>>>>> Rush County Schools
>>>>>> 765-932-3901 x1171
>>>>>> iversons at rushville.k12.in.us
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Shawn Iverson, CETL
>>>>> Director of Technology
>>>>> Rush County Schools
>>>>> 765-932-3901 x1171
>>>>> iversons at rushville.k12.in.us
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Shawn Iverson, CETL
>>>> Director of Technology
>>>> Rush County Schools
>>>> 765-932-3901 x1171
>>>> iversons at rushville.k12.in.us
>>>>
>>>>
>>>>
>>>
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>>
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180820/745ab218/attachment.html>

From mark at meelhuysen.com  Tue Aug 21 07:19:24 2018
From: mark at meelhuysen.com (Mark Meelhuysen)
Date: Tue, 21 Aug 2018 07:19:24 +0000
Subject: RBL Check
Message-ID: <198cd95f133a4964ae9fabba945746d7@DC01.meelhuysen.com>

Hi All,

I got triggerd by email received from Google (Gmail.com) being listed as spam. MS states it is on the SORBS RBL (Komt voor in RBL:  Y  (SORBS)). When checking the adress directly at sorbs gives me :  Not found in the database.

Can someone tell me what i should check?

Versions:
MailWatch Versie: 1.2.6
Operating System Version: CentOS Linux 7 (Core)
Postfix Versie: 2.10.1
MailScanner Versie: 5.0.6
ClamAV Versie: 0.100.1
SpamAssassin Versie: 3.4.0

(Yes, I know, i?m not running latest versions).

Thank you in advance.

Mark

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180821/67f49ad3/attachment.html>

From mark at meelhuysen.com  Tue Aug 21 07:23:49 2018
From: mark at meelhuysen.com (Mark Meelhuysen)
Date: Tue, 21 Aug 2018 07:23:49 +0000
Subject: ClamAV logging
Message-ID: <a9d28bd14d094c579817d78891ebb925@DC01.meelhuysen.com>

Hi All,

Was just testing my system for AV response and concluded that in the maillog there are no entries for ClamAV. If I remember correctly this was the case in the past and i never noticed that it is not anymore. I think after installing a new MailScanner box.
Anyone can point me in the right direction of checking why logging is not added?

Mailscanner ? lint gives me:


Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1500 hostnames from the phishing whitelist
Read 16729 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
MailWatch: Starting up MailWatch SQL Blacklist
MailWatch: Read 1 blacklist entries
Config: calling custom init function MailWatchLogging
MailWatch: Started MailWatch SQL Logging child
Config: calling custom init function SQLWhitelist
MailWatch: Starting up MailWatch SQL Whitelist
MailWatch: Read 4 whitelist entries

Checking version numbers...
Version number in MailScanner.conf (5.0.6) is correct.

Your envelope_sender_header in spamassassin.conf is correct.
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them
./1/eicar.com: Eicar-Test-Signature FOUND

Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
MailWatch: Closing down MailWatch SQL Blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
MailWatch: Closing down MailWatch SQL Whitelist


Versions:
MailWatch Versie: 1.2.6
Operating System Version: CentOS Linux 7 (Core)
Postfix Versie: 2.10.1
MailScanner Versie: 5.0.6
ClamAV Versie: 0.100.1
SpamAssassin Versie: 3.4.0

(Yes, I know, i?m not running latest versions).

Thank you in advance.

Mark


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180821/615f1438/attachment.html>

From thom at vdb.nl  Tue Aug 21 07:35:27 2018
From: thom at vdb.nl (Thom van der Boon)
Date: Tue, 21 Aug 2018 09:35:27 +0200 (CEST)
Subject: ClamAV logging
Message-ID: <c7048dcf-669b-4cbb-b7aa-12f005ce9f4a@email.android.com>

An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180821/f1d3cdc4/attachment-0001.html>

From mark at meelhuysen.com  Tue Aug 21 07:49:34 2018
From: mark at meelhuysen.com (Mark Meelhuysen)
Date: Tue, 21 Aug 2018 07:49:34 +0000
Subject: ClamAV logging
In-Reply-To: <c7048dcf-669b-4cbb-b7aa-12f005ce9f4a@email.android.com>
References: <c7048dcf-669b-4cbb-b7aa-12f005ce9f4a@email.android.com>
Message-ID: <b605cfaddb2342f08eafdb7bf9efb448@DC01.meelhuysen.com>

Hi Thom,

I noticed that indeed and removed the main.cvd, so now there are only *.cld files.
The ?lint does not produce the error anymore, but stil no logging.

Thanks.

Mark

Van: MailScanner <mailscanner-bounces+mark=meelhuysen.com at lists.mailscanner.info> Namens Thom van der Boon
Verzonden: dinsdag 21 augustus 2018 09:35
Aan: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Onderwerp: Re: ClamAV logging

Hi Mark,

Take a look at the error message in you MailScanner --lint output


LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them"


Met vriendelijke groet, Best regards,



Thom van der Boon
E-Mail: thom at vdb.nl<mailto:thom at vdb.nl>




=====




Thom.H. van der Boon b.v.
Transito 4

6909 DA  Babberich
Tel.: +31 (0)88 4272727
Fax: +31 (0)88 4272789
Home Page: http://www.vdb.nl/

Op 21 aug. 2018 09:24 schreef Mark Meelhuysen <mark at meelhuysen.com<mailto:mark at meelhuysen.com>>:

Hi All,



Was just testing my system for AV response and concluded that in the maillog there are no entries for ClamAV. If I remember correctly this was the case in the past and i never noticed that it is not anymore. I think after installing a new MailScanner box.

Anyone can point me in the right direction of checking why logging is not added?



Mailscanner ? lint gives me:





Trying to setlogsock(unix)



Reading configuration file /etc/MailScanner/MailScanner.conf

Reading configuration file /etc/MailScanner/conf.d/README

Read 1500 hostnames from the phishing whitelist

Read 16729 hostnames from the phishing blacklists

Config: calling custom init function SQLBlacklist

MailWatch: Starting up MailWatch SQL Blacklist

MailWatch: Read 1 blacklist entries

Config: calling custom init function MailWatchLogging

MailWatch: Started MailWatch SQL Logging child

Config: calling custom init function SQLWhitelist

MailWatch: Starting up MailWatch SQL Whitelist

MailWatch: Read 4 whitelist entries



Checking version numbers...

Version number in MailScanner.conf (5.0.6) is correct.



Your envelope_sender_header in spamassassin.conf is correct.

MailScanner setting GID to  (89)

MailScanner setting UID to  (89)



Checking for SpamAssassin errors (if you use it)...

Using SpamAssassin results cache

Connected to SpamAssassin cache database

SpamAssassin reported no errors.

Connected to Processing Attempts Database

Created Processing Attempts Database successfully

There are 0 messages in the Processing Attempts Database

Using locktype = posix

MailScanner.conf says "Virus Scanners = clamav"

Found these virus scanners installed: clamav

===========================================================================

Filename Checks: Windows/DOS Executable (1 eicar.com)

Other Checks: Found 1 problems

Virus and Content Scanning: Starting

LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them

./1/eicar.com: Eicar-Test-Signature FOUND



Virus Scanning: ClamAV found 2 infections

Infected message 1 came from 10.1.1.1

Virus Scanning: Found 2 viruses

===========================================================================

Virus Scanner test reports:

ClamAV said "eicar.com contains Eicar-Test-Signature"



If any of your virus scanners (clamav)

are not listed there, you should check that they are installed correctly

and that MailScanner is finding them correctly via its virus.scanners.conf.

Config: calling custom end function SQLBlacklist

MailWatch: Closing down MailWatch SQL Blacklist

Config: calling custom end function MailWatchLogging

Config: calling custom end function SQLWhitelist

MailWatch: Closing down MailWatch SQL Whitelist





Versions:

MailWatch Versie: 1.2.6

Operating System Version: CentOS Linux 7 (Core)

Postfix Versie: 2.10.1

MailScanner Versie: 5.0.6

ClamAV Versie: 0.100.1

SpamAssassin Versie: 3.4.0



(Yes, I know, i?m not running latest versions).



Thank you in advance.



Mark



--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.


--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180821/d82aeabc/attachment.html>

From belle at bazuin.nl  Tue Aug 21 08:17:03 2018
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Tue, 21 Aug 2018 10:17:03 +0200
Subject: RBL Check
In-Reply-To: <198cd95f133a4964ae9fabba945746d7@DC01.meelhuysen.com>
References: <198cd95f133a4964ae9fabba945746d7@DC01.meelhuysen.com>
Message-ID: <vmime.5b7bca7f.2d55.17234f79f3690ef@ms249-lin-003.rotterdam.bazuin.nl>

Hai, 
?
i see the following.? ( from the mail headers ) 
ms.meelhuysen.com (unknown??[IPv6:2001:985:d013:1:c0a8:7bde:718e:9c74])

So maybe gmail blocked you because you did not set your PTR for your IPv6 record. 
?
I did a small check. 
MX? ( dig mx ) 
meelhuysen.com.???????? 788???? IN????? MX????? 10 mx01.meelhuysen.com.
meelhuysen.com.???????? 788???? IN????? MX????? 20 mx02.meelhuysen.com.

( dig a )
mx01.meelhuysen.com.??? 776???? IN????? A?????? 62.251.122.185
mx02.meelhuysen.com.??? 291???? IN????? A?????? 83.162.255.45

( dig -x ) 
185.122.251.62.in-addr.arpa. 21453 IN?? PTR???? mx01.meelhuysen.com.
45.255.162.83.in-addr.arpa. 19414 IN??? PTR???? mx02.meelhuysen.com.
?
mx01.meelhuysen.com.??? 899???? IN????? AAAA??? 2001:985:d013:1:c0a8:7bde:718e:9c74
mx02.meelhuysen.com.??? 899???? IN????? AAAA??? 2001:985:d011::1

both ipv6 does not have a PTR and you sending from server outside through name ms.meelhuysen.com
?
ms.meelhuysen.com.????? 619???? IN????? A?????? 62.251.122.185
ms.meelhuysen.com.????? 603???? IN????? AAAA??? 2001:985:d013:1:c0a8:7bde:718e:9c74

Your SPF looks ok? but fix the first then missing PTR for you ipv6. 
?
?
Greetz, 
?
Louis
?
?
?
?

Van: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] Namens Mark Meelhuysen
Verzonden: dinsdag 21 augustus 2018 9:19
Aan: MailScanner Discussion
Onderwerp: RBL Check




Hi All,

?

I got triggerd by email received from Google (Gmail.com) being listed as spam. MS states it is on the SORBS RBL (Komt voor in RBL:? Y? (SORBS)). When checking the adress directly at sorbs gives me : ?Not found in the database.

?

Can someone tell me what i should check?

?

Versions:

MailWatch Versie: 1.2.6

Operating System Version: CentOS Linux 7 (Core)

Postfix Versie: 2.10.1 

MailScanner Versie: 5.0.6

ClamAV Versie: 0.100.1 

SpamAssassin Versie: 3.4.0

?

(Yes, I know, i?m not running latest versions).

?

Thank you in advance.

?

Mark


-- 
This message has been scanned for viruses and 
dangerous content by MailScanner, and is 
believed to be clean. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180821/96896879/attachment.html>

From iversons at rushville.k12.in.us  Tue Aug 21 08:51:23 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 21 Aug 2018 04:51:23 -0400
Subject: ClamAV logging
In-Reply-To: <a9d28bd14d094c579817d78891ebb925@DC01.meelhuysen.com>
References: <a9d28bd14d094c579817d78891ebb925@DC01.meelhuysen.com>
Message-ID: <CABu_8zLxiwDsZ1EFKgu8L1ghV=1OJ97qWyRD_LKksRthLEq=8Q@mail.gmail.com>

Mark,

Not sure when this behavior changed (a v5 change?), but I only see entries
when a virus is detected.

On Tue, Aug 21, 2018 at 3:24 AM Mark Meelhuysen <mark at meelhuysen.com> wrote:

> Hi All,
>
>
>
> Was just testing my system for AV response and concluded that in the
> maillog there are no entries for ClamAV. If I remember correctly this was
> the case in the past and i never noticed that it is not anymore. I think
> after installing a new MailScanner box.
>
> Anyone can point me in the right direction of checking why logging is not
> added?
>
>
>
> Mailscanner ? lint gives me:
>
>
>
>
>
> Trying to setlogsock(unix)
>
>
>
> Reading configuration file /etc/MailScanner/MailScanner.conf
>
> Reading configuration file /etc/MailScanner/conf.d/README
>
> Read 1500 hostnames from the phishing whitelist
>
> Read 16729 hostnames from the phishing blacklists
>
> Config: calling custom init function SQLBlacklist
>
> MailWatch: Starting up MailWatch SQL Blacklist
>
> MailWatch: Read 1 blacklist entries
>
> Config: calling custom init function MailWatchLogging
>
> MailWatch: Started MailWatch SQL Logging child
>
> Config: calling custom init function SQLWhitelist
>
> MailWatch: Starting up MailWatch SQL Whitelist
>
> MailWatch: Read 4 whitelist entries
>
>
>
> Checking version numbers...
>
> Version number in MailScanner.conf (5.0.6) is correct.
>
>
>
> Your envelope_sender_header in spamassassin.conf is correct.
>
> MailScanner setting GID to  (89)
>
> MailScanner setting UID to  (89)
>
>
>
> Checking for SpamAssassin errors (if you use it)...
>
> Using SpamAssassin results cache
>
> Connected to SpamAssassin cache database
>
> SpamAssassin reported no errors.
>
> Connected to Processing Attempts Database
>
> Created Processing Attempts Database successfully
>
> There are 0 messages in the Processing Attempts Database
>
> Using locktype = posix
>
> MailScanner.conf says "Virus Scanners = clamav"
>
> Found these virus scanners installed: clamav
>
> ===========================================================================
>
> Filename Checks: Windows/DOS Executable (1 eicar.com)
>
> Other Checks: Found 1 problems
>
> Virus and Content Scanning: Starting
>
> LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd
> and /var/lib/clamav/main.cld, please manually remove one of them
>
> ./1/eicar.com: Eicar-Test-Signature FOUND
>
>
>
> Virus Scanning: ClamAV found 2 infections
>
> Infected message 1 came from 10.1.1.1
>
> Virus Scanning: Found 2 viruses
>
> ===========================================================================
>
> Virus Scanner test reports:
>
> ClamAV said "eicar.com contains Eicar-Test-Signature"
>
>
>
> If any of your virus scanners (clamav)
>
> are not listed there, you should check that they are installed correctly
>
> and that MailScanner is finding them correctly via its virus.scanners.conf.
>
> Config: calling custom end function SQLBlacklist
>
> MailWatch: Closing down MailWatch SQL Blacklist
>
> Config: calling custom end function MailWatchLogging
>
> Config: calling custom end function SQLWhitelist
>
> MailWatch: Closing down MailWatch SQL Whitelist
>
>
>
>
>
> Versions:
>
> MailWatch Versie: 1.2.6
>
> Operating System Version: CentOS Linux 7 (Core)
>
> Postfix Versie: 2.10.1
>
> MailScanner Versie: 5.0.6
>
> ClamAV Versie: 0.100.1
>
> SpamAssassin Versie: 3.4.0
>
>
>
> (Yes, I know, i?m not running latest versions).
>
>
>
> Thank you in advance.
>
>
>
> Mark
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180821/2bb50918/attachment.html>

From mark at meelhuysen.com  Tue Aug 21 08:54:04 2018
From: mark at meelhuysen.com (Mark Meelhuysen)
Date: Tue, 21 Aug 2018 08:54:04 +0000
Subject: RBL Check
In-Reply-To: <vmime.5b7bca7f.2d55.17234f79f3690ef@ms249-lin-003.rotterdam.bazuin.nl>
References: <198cd95f133a4964ae9fabba945746d7@DC01.meelhuysen.com>
 <vmime.5b7bca7f.2d55.17234f79f3690ef@ms249-lin-003.rotterdam.bazuin.nl>
Message-ID: <dc498eec7c4c45788026ca36c47aa050@DC01.meelhuysen.com>

Hi Louis,

Thank you for your reply. We recently changed ISP, and this ISP is actively using IPV6. It was not before. So, indeed, Gmail blocked us for IPV6 restraints. I adjusted my DNS and config for IPV6 and then mailflow from Google was ok. Before we received delay notices or NDR?s.
But offcourse i will go and fix the things you mentioned ?. I think first I will change the hostname of MS to mx01.
After that i will check the PTR?s.

Van: MailScanner <mailscanner-bounces+mark=meelhuysen.com at lists.mailscanner.info> Namens L.P.H. van Belle via MailScanner
Verzonden: dinsdag 21 augustus 2018 10:17
Aan: MailScanner Discussion <mailscanner at lists.mailscanner.info>
CC: L.P.H. van Belle <belle at bazuin.nl>
Onderwerp: RE: RBL Check

Hai,

i see the following.  ( from the mail headers )
ms.meelhuysen.com (unknown  [IPv6:2001:985:d013:1:c0a8:7bde:718e:9c74])

So maybe gmail blocked you because you did not set your PTR for your IPv6 record.

I did a small check.
MX  ( dig mx )
meelhuysen.com.         788     IN      MX      10 mx01.meelhuysen.com.
meelhuysen.com.         788     IN      MX      20 mx02.meelhuysen.com.
( dig a )
mx01.meelhuysen.com.    776     IN      A       62.251.122.185
mx02.meelhuysen.com.    291     IN      A       83.162.255.45
( dig -x )
185.122.251.62.in-addr.arpa. 21453 IN   PTR     mx01.meelhuysen.com.
45.255.162.83.in-addr.arpa. 19414 IN    PTR     mx02.meelhuysen.com.

mx01.meelhuysen.com.    899     IN      AAAA    2001:985:d013:1:c0a8:7bde:718e:9c74
mx02.meelhuysen.com.    899     IN      AAAA    2001:985:d011::1
both ipv6 does not have a PTR and you sending from server outside through name ms.meelhuysen.com

ms.meelhuysen.com.      619     IN      A       62.251.122.185
ms.meelhuysen.com.      603     IN      AAAA    2001:985:d013:1:c0a8:7bde:718e:9c74
Your SPF looks ok  but fix the first then missing PTR for you ipv6.


Greetz,

Louis





________________________________
Van: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] Namens Mark Meelhuysen
Verzonden: dinsdag 21 augustus 2018 9:19
Aan: MailScanner Discussion
Onderwerp: RBL Check
Hi All,

I got triggerd by email received from Google (Gmail.com) being listed as spam. MS states it is on the SORBS RBL (Komt voor in RBL:  Y  (SORBS)). When checking the adress directly at sorbs gives me :  Not found in the database.

Can someone tell me what i should check?

Versions:
MailWatch Versie: 1.2.6
Operating System Version: CentOS Linux 7 (Core)
Postfix Versie: 2.10.1
MailScanner Versie: 5.0.6
ClamAV Versie: 0.100.1
SpamAssassin Versie: 3.4.0

(Yes, I know, i?m not running latest versions).

Thank you in advance.

Mark

--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.

--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180821/cdc1cdf1/attachment.html>

From mark at meelhuysen.com  Tue Aug 21 08:57:35 2018
From: mark at meelhuysen.com (Mark Meelhuysen)
Date: Tue, 21 Aug 2018 08:57:35 +0000
Subject: ClamAV logging
In-Reply-To: <CABu_8zLxiwDsZ1EFKgu8L1ghV=1OJ97qWyRD_LKksRthLEq=8Q@mail.gmail.com>
References: <a9d28bd14d094c579817d78891ebb925@DC01.meelhuysen.com>
 <CABu_8zLxiwDsZ1EFKgu8L1ghV=1OJ97qWyRD_LKksRthLEq=8Q@mail.gmail.com>
Message-ID: <7f409d1b7fd3434ea634e6159a6329b4@DC01.meelhuysen.com>

Hi Shawn,

Thats why it triggered me. I di dan online test and the mails were not delivered (good behaviour) but i could not see anything in the log, accept that the connection was incoming and closing.

Mark

Van: MailScanner <mailscanner-bounces+mark=meelhuysen.com at lists.mailscanner.info> Namens Shawn Iverson
Verzonden: dinsdag 21 augustus 2018 10:51
Aan: mailscanner at lists.mailscanner.info
Onderwerp: Re: ClamAV logging

Mark,

Not sure when this behavior changed (a v5 change?), but I only see entries when a virus is detected.

On Tue, Aug 21, 2018 at 3:24 AM Mark Meelhuysen <mark at meelhuysen.com<mailto:mark at meelhuysen.com>> wrote:
Hi All,

Was just testing my system for AV response and concluded that in the maillog there are no entries for ClamAV. If I remember correctly this was the case in the past and i never noticed that it is not anymore. I think after installing a new MailScanner box.
Anyone can point me in the right direction of checking why logging is not added?

Mailscanner ? lint gives me:


Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1500 hostnames from the phishing whitelist
Read 16729 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
MailWatch: Starting up MailWatch SQL Blacklist
MailWatch: Read 1 blacklist entries
Config: calling custom init function MailWatchLogging
MailWatch: Started MailWatch SQL Logging child
Config: calling custom init function SQLWhitelist
MailWatch: Starting up MailWatch SQL Whitelist
MailWatch: Read 4 whitelist entries

Checking version numbers...
Version number in MailScanner.conf (5.0.6) is correct.

Your envelope_sender_header in spamassassin.conf is correct.
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com<http://eicar.com>)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them
./1/eicar.com<http://eicar.com>: Eicar-Test-Signature FOUND

Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com<http://eicar.com> contains Eicar-Test-Signature"

If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
MailWatch: Closing down MailWatch SQL Blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
MailWatch: Closing down MailWatch SQL Whitelist


Versions:
MailWatch Versie: 1.2.6
Operating System Version: CentOS Linux 7 (Core)
Postfix Versie: 2.10.1
MailScanner Versie: 5.0.6
ClamAV Versie: 0.100.1
SpamAssassin Versie: 3.4.0

(Yes, I know, i?m not running latest versions).

Thank you in advance.

Mark


--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.


--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner


--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us<mailto:iversons at rushville.k12.in.us>

[https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_cy1OZFNIZ0drYVU&revid=0Bw5iD0ToYvs_UitIcHVIWkJVVTl2VGpxVUE0d0FQcHBIRXk4PQ][https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_Zkh4eEs3R01yWXc&revid=0Bw5iD0ToYvs_QWpBK2Y2ajJtYjhOMDRFekZwK2xOamk5Q3Y0PQ]
[https://docs.google.com/uc?export=download&id=1aBrlQou4gjB04FY-twHN_0Dn3GHVNxqa&revid=0Bw5iD0ToYvs_RnQ0eDhHcm95WHBFdkNRbXhQRXpoYkR6SEEwPQ]

--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180821/8648ea9f/attachment-0001.html>

From belle at bazuin.nl  Tue Aug 21 09:07:13 2018
From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=)
Date: Tue, 21 Aug 2018 11:07:13 +0200
Subject: ClamAV logging
In-Reply-To: <7f409d1b7fd3434ea634e6159a6329b4@DC01.meelhuysen.com>
References: <CABu_8zLxiwDsZ1EFKgu8L1ghV=1OJ97qWyRD_LKksRthLEq=8Q@mail.gmail.com>
Message-ID: <vmime.5b7bd641.64fc.5c0d95c77fe43bd1@ms249-lin-003.rotterdam.bazuin.nl>

Now, im dont know centos much but clamav is in debian logging to its own logfile. 
You could adjust the syslogger and make clamav log to mail.log 
?
Your using postfix, and you see an incoming and disconnects. 
Spammers try to abuse your server and if postfix is setup ok, then its disconnect the session. 

That is OK.? ( most of the time then ) 
And?to analyse that i need much more info. ( and time. )? ;-) 
?
As far i see below, looks ok to me. 
?
Greetz, 
?
Louis
?
?
?


Van: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] Namens Mark Meelhuysen
Verzonden: dinsdag 21 augustus 2018 10:58
Aan: MailScanner Discussion
Onderwerp: RE: ClamAV logging




Hi Shawn,

?

Thats why it triggered me. I di dan online test and the mails were not delivered (good behaviour) but i could not see anything in the log, accept that the connection was incoming and closing.

?

Mark

?

Van: MailScanner <mailscanner-bounces+mark=meelhuysen.com at lists.mailscanner.info> Namens Shawn Iverson
Verzonden: dinsdag 21 augustus 2018 10:51
Aan: mailscanner at lists.mailscanner.info
Onderwerp: Re: ClamAV logging

?

Mark,

?


Not sure when this behavior changed (a v5 change?), but I only see entries when a virus is detected.



?

On Tue, Aug 21, 2018 at 3:24 AM Mark Meelhuysen <mark at meelhuysen.com> wrote:


Hi All,

?

Was just testing my system for AV response and concluded that in the maillog there are no entries for ClamAV. If I remember correctly this was the case in the past and i never noticed that it is not anymore. I think after installing a new MailScanner box.

Anyone can point me in the right direction of checking why logging is not added?

?

Mailscanner ? lint gives me:

?


?

Trying to setlogsock(unix)

?

Reading configuration file /etc/MailScanner/MailScanner.conf

Reading configuration file /etc/MailScanner/conf.d/README

Read 1500 hostnames from the phishing whitelist

Read 16729 hostnames from the phishing blacklists

Config: calling custom init function SQLBlacklist

MailWatch: Starting up MailWatch SQL Blacklist

MailWatch: Read 1 blacklist entries

Config: calling custom init function MailWatchLogging

MailWatch: Started MailWatch SQL Logging child

Config: calling custom init function SQLWhitelist

MailWatch: Starting up MailWatch SQL Whitelist

MailWatch: Read 4 whitelist entries

?

Checking version numbers...

Version number in MailScanner.conf (5.0.6) is correct.

?

Your envelope_sender_header in spamassassin.conf is correct.

MailScanner setting GID to? (89)

MailScanner setting UID to? (89)

?

Checking for SpamAssassin errors (if you use it)...

Using SpamAssassin results cache

Connected to SpamAssassin cache database

SpamAssassin reported no errors.

Connected to Processing Attempts Database

Created Processing Attempts Database successfully

There are 0 messages in the Processing Attempts Database

Using locktype = posix

MailScanner.conf says "Virus Scanners = clamav"

Found these virus scanners installed: clamav

===========================================================================

Filename Checks: Windows/DOS Executable (1 eicar.com)

Other Checks: Found 1 problems

Virus and Content Scanning: Starting

LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them

./1/eicar.com: Eicar-Test-Signature FOUND

?

Virus Scanning: ClamAV found 2 infections

Infected message 1 came from 10.1.1.1

Virus Scanning: Found 2 viruses

===========================================================================

Virus Scanner test reports:

ClamAV said "eicar.com contains Eicar-Test-Signature"

?

If any of your virus scanners (clamav)

are not listed there, you should check that they are installed correctly

and that MailScanner is finding them correctly via its virus.scanners.conf.

Config: calling custom end function SQLBlacklist

MailWatch: Closing down MailWatch SQL Blacklist

Config: calling custom end function MailWatchLogging

Config: calling custom end function SQLWhitelist

MailWatch: Closing down MailWatch SQL Whitelist

?


?

Versions:

MailWatch Versie: 1.2.6

Operating System Version: CentOS Linux 7 (Core)

Postfix Versie: 2.10.1 

MailScanner Versie: 5.0.6

ClamAV Versie: 0.100.1 

SpamAssassin Versie: 3.4.0

?

(Yes, I know, i?m not running latest versions).

?

Thank you in advance.

?

Mark

?



-- 
This message has been scanned for viruses and 
dangerous content by MailScanner, and is 
believed to be clean. 




-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner





?


-- 

Shawn Iverson, CETL

Director of Technology


Rush County Schools


765-932-3901 x1171


iversons at rushville.k12.in.us


?

























-- 
This message has been scanned for viruses and 
dangerous content by MailScanner, and is 
believed to be clean. 


-- 
This message has been scanned for viruses and 
dangerous content by MailScanner, and is 
believed to be clean. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180821/37a79abb/attachment.html>

From iversons at rushville.k12.in.us  Wed Aug 22 12:51:41 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Wed, 22 Aug 2018 08:51:41 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zLv_X3QkK=Jmrso4WksEaBS3kh8qXsbEOFkVkG7UT39=g@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
 <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
 <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>
 <CABu_8zLdNnFqmvUesCGqObmeb7gS+ZDyyirC-Fzra80H02EFHw@mail.gmail.com>
 <CABu_8zJQ4ZioeuKfHJzfdDVSfJuj1zF2N7YZT7sHsb=r3mmJFw@mail.gmail.com>
 <CABu_8zLdP0tROOL4Vc8WbJzjyVDCKZhJtuP-ZNd8RTYQqWGh3A@mail.gmail.com>
 <CABu_8z+rc6iQ2FJytkfWuebBAQRK8=sXqzpFSnZP=LQky=0UFQ@mail.gmail.com>
 <CABu_8zKDNp-4LiPK3YmH9oAPGqBE2D8iL-EcqpK0fQBtp9DtSg@mail.gmail.com>
 <CABu_8zLv_X3QkK=Jmrso4WksEaBS3kh8qXsbEOFkVkG7UT39=g@mail.gmail.com>
Message-ID: <CABu_8zJrF5Eof3sFKvgNbduo6FdXt+K-Dd_C-FNoDKN4r-sKYw@mail.gmail.com>

Getting closer to a 1.0 release of the milter and the next update to
MailScanner:

RFC 821/1123 null sender support
RFC 822 unfolding support

https://github.com/shawniverson/v5/commit/9c9bb7fb344957be83477c40003aa1e1a64ec832



On Mon, Aug 20, 2018 at 6:33 PM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> Daemonized the Milter
>
>
> https://github.com/shawniverson/v5/commit/3614686575763cceac965c43212544f37f9f6a24
>
> On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Corrected link
>>
>>
>> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de35164
>>
>> On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> RFC 5321 support added.
>>>
>>> Also reviewing RFC 822, particularly handling of delivery failure
>>> notices, with respect to the milter.
>>>
>>>
>>> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de351645321
>>>
>>>
>>> Currently addressing a bug with the daemon forking new children.   Seems
>>> to be caused by the Milter being a child process of MailScanner.  If I
>>> cannot resolve, I plan to separate the Milter into its own daemon.  This
>>> may be better anyway and allow both to be managed independently.
>>>
>>> On Sun, Aug 19, 2018 at 5:14 PM Shawn Iverson <
>>> iversons at rushville.k12.in.us> wrote:
>>>
>>>> Latest commit
>>>>
>>>> Spamassassin/MailScanner are now comparing envelope from and from
>>>> properly :)
>>>>
>>>>
>>>> https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b
>>>>
>>>> Todo:
>>>>
>>>> Cleanup code
>>>> Add more options to mailscanner config, such as # of milter threads,
>>>> etc.
>>>> Remove hard coded items where feasible
>>>> Honor placement of Header entries in header (top or bottom)
>>>> Test Test Test (anyone interested is welcome!)
>>>> Patches for MailWatch to handle new queues and process counts
>>>> Fix bug observed where mailscanner thinks processes are still running
>>>> when stopping (but aren't, harmless, just weird)
>>>>
>>>> Feedback is welcome.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson <
>>>> iversons at rushville.k12.in.us> wrote:
>>>>
>>>>> Found the callback code for MAIL FROM:
>>>>>
>>>>> 'M'     SMFIC_MAIL      MAIL FROM: information
>>>>>                         Expected response:  Accept/reject action
>>>>>
>>>>> Time for some more coding :D
>>>>>
>>>>> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson <
>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>
>>>>>> Another update
>>>>>>
>>>>>> The latest commit to my branch includes more fixes and a new thing
>>>>>> that needs handled now that a Milter is in play.  When mail is submitted
>>>>>> back to postfix, it needs to be processed by other things that could reject
>>>>>> the email (such as an blocked sender).  This is a problem because
>>>>>> MailScanner does not know how to handle rejects since it has always been
>>>>>> part of the queue process interacting directly with the queues, not before
>>>>>> queue process.
>>>>>>
>>>>>> During message delivery, if a reject is detected, I inject a special
>>>>>> header to the message and requeue it to MailScanner.  MailScanner has a
>>>>>> chance, based on this special header to flag the message, remove the
>>>>>> special header, add diagnostic info to the header about the relay, and
>>>>>> quarantine the message.  The mail admin is happy knowing that the message
>>>>>> didn't just vanish and has an opportunity to resolve the issue and release
>>>>>> it or know the disposition of the email.
>>>>>>
>>>>>> Another cool thing about this Milter Processor I discovered is you
>>>>>> can simply drop a message into /var/spool/MailScanner/milterin from
>>>>>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D
>>>>>>
>>>>>> This new code is in Message.pm and only becomes active if the milter
>>>>>> is activated.
>>>>>>
>>>>>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <
>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>
>>>>>>> Oh yeah, here's the config for Postfix:
>>>>>>>
>>>>>>> smtpd_milters = inet:127.0.0.1:33333
>>>>>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>>>>>>>
>>>>>>> /etc/postfix/smtpd_milter_map:
>>>>>>> 127.0.0.0/8 DISABLE
>>>>>>> ::/64 DISABLE
>>>>>>>
>>>>>>> This allows scanned emails to pass the milter, as well as
>>>>>>> notifications sent from the localhost.  You do need at least Postfix
>>>>>>> version 3.2 I believe to have milter map support.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
>>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>>
>>>>>>>> MailScanner users:
>>>>>>>>
>>>>>>>> The MailScanner Milter project is coming along nicely.
>>>>>>>>
>>>>>>>> https://github.com/shawniverson/v5/commits/081118msmilter
>>>>>>>>
>>>>>>>> I am currently running this on a split relay to test the milter
>>>>>>>> without impacting production email.
>>>>>>>>
>>>>>>>> The design is fairly simple, although development has taken about
>>>>>>>> 40 hours of my time.  I know more about MailScanner (and perl) than I ever
>>>>>>>> have :D
>>>>>>>>
>>>>>>>> The Milter is integrated into MailScanner and forks as a branch of
>>>>>>>> the MailScanner process tree, keeping systemd happy.
>>>>>>>>
>>>>>>>> The Milter process intercepts incoming email and tells postfix to
>>>>>>>> DISCARD, which basically accepts the mail and silently drops it before
>>>>>>>> entering the queue.  At the same time, the Milter writes a raw email file
>>>>>>>> to the /var/spool/MailScanner/milterin queue.
>>>>>>>>
>>>>>>>> MailScanner picks up the message batches in the milterin directory,
>>>>>>>> processes them, and spits them out to /var/spool/MailScanner/milterout
>>>>>>>> directory as raw email files.
>>>>>>>>
>>>>>>>> The MSMail Processor (new) relays the messages to postfix for
>>>>>>>> further processing over port 25.  A optional localhost rule in
>>>>>>>> header_checks removes the local entry from the header before delivery.
>>>>>>>>
>>>>>>>> The benefits are that the postfix queue is not touched at all
>>>>>>>> throughout this process, making the solution (hopefully) an acceptable one
>>>>>>>> within the postfix community.  It is also very fast, and the codebase for
>>>>>>>> this method is smaller than even the Postfix Processor, and MailScanner
>>>>>>>> gets its own queues, separate from postfix.
>>>>>>>>
>>>>>>>> One drawback to this method is there is no apparent way to extract
>>>>>>>> the Envelope From address (at least not yet, perhaps I am missing a milter
>>>>>>>> code), although it doesn't appear that MailScanner is all that concerned
>>>>>>>> about it and doesn't go out of its way to capture it.  I think it is
>>>>>>>> important though, for spoof detection, so I will continue to research this.
>>>>>>>>
>>>>>>>> Anyone that is willing to get their feet wet and test can apply the
>>>>>>>> following files from my branch:
>>>>>>>>
>>>>>>>> (In common)
>>>>>>>> /usr/sbin/MailScanner
>>>>>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>>>>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>>>>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>>>>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>>>>>>
>>>>>>>> Then create the following dirs:
>>>>>>>> mkdir -p /var/spool/MailScanner/milterin
>>>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>>>>>>> mkdir -p /var/spool/MailScanner/milterout
>>>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>>>>>>
>>>>>>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>>>>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>>>>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>>>>>>> MTA = MSMail
>>>>>>>> MSMail Queue Type = short | long (pick one that matches your
>>>>>>>> postfix setting)
>>>>>>>>
>>>>>>>> I recommend doing this in a test or split relay environment that
>>>>>>>> blackholes email.  Do not use in production yet ;)
>>>>>>>>
>>>>>>>> Known issues at the moment:
>>>>>>>> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats do
>>>>>>>> not appear
>>>>>>>> More validation and error handling is needed throughout.  Weird
>>>>>>>> emails abound!
>>>>>>>> Need to know the envelope from sender.  Currently hidden from the
>>>>>>>> milter, but hopefully exposable via a callback code.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <
>>>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>>>
>>>>>>>>> Dear MailScanner users:
>>>>>>>>>
>>>>>>>>> I am officially working on creating a lightweight milter for
>>>>>>>>> MailScanner.
>>>>>>>>>
>>>>>>>>> This milter will not provide MTA protocol rejection for postfix,
>>>>>>>>> due to the severe performance penalty it would cause.  All mail will be
>>>>>>>>> intercepted, accepted, and silently dropped from the postfix queue and
>>>>>>>>> placed in a MailScanner queue.
>>>>>>>>>
>>>>>>>>> I have a working prototype, and it is processing mail!  It is in
>>>>>>>>> need of heavy refactoring and some bug squashing.
>>>>>>>>>
>>>>>>>>> Currently it attempts to create a postfix formatted queue file
>>>>>>>>> (very ugly, who thought up this file format???!!!).  I may instead create a
>>>>>>>>> new Milter Processor for MailScanner that reduces the overhead of doing
>>>>>>>>> this and can read the incoming email in a simple line-by-line format.  This
>>>>>>>>> may also increase performance overall and reduce all the conversions
>>>>>>>>> happening.
>>>>>>>>>
>>>>>>>>> The other side of the coin is what to do when MailScanner is done
>>>>>>>>> processing mail.  Currently, it generates a postfix queue file and drops it
>>>>>>>>> into postfix incoming directory.  It should not do this but instead drop
>>>>>>>>> the message into postfix using native postfix tools.  That will be the next
>>>>>>>>> part I tackle as part of the Milter Processor.
>>>>>>>>>
>>>>>>>>> Why am I doing this?  I want to place MailScanner back in a good
>>>>>>>>> standing with Postfix folks (at least when the milter + postfix method is
>>>>>>>>> in use).
>>>>>>>>>
>>>>>>>>> I have no plans of removing the old method but rather provide a
>>>>>>>>> more supported path for postfix users.
>>>>>>>>>
>>>>>>>>> Wish me luck.  I could be heard across the neighborhood when
>>>>>>>>> MailScanner processed an email from the Milter for the first time! :D
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>>>>>>>> > David,
>>>>>>>>>> >
>>>>>>>>>> > I agree that this is true, and part of my lack of motivation to
>>>>>>>>>> do it.
>>>>>>>>>> > One reason I wanted it as an option was to reconcile the
>>>>>>>>>> ongoing
>>>>>>>>>> > conflict with the postfix community and return MailScanner to
>>>>>>>>>> good
>>>>>>>>>> > standing to this community.  Weitze has been very stern about
>>>>>>>>>> > MailScanner directly tapping the postfix queues.
>>>>>>>>>> >
>>>>>>>>>> > Perhaps an alternative option would be to create a fast
>>>>>>>>>> MailScanner
>>>>>>>>>> > milter that behaves more like the HOLD queue.  Basically just a
>>>>>>>>>> milter
>>>>>>>>>> > that immediately fires back accept to postfix and places all
>>>>>>>>>> the
>>>>>>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix
>>>>>>>>>> HOLD
>>>>>>>>>> > queue.  Doing so would maintain speed, simplicity, and be more
>>>>>>>>>> compliant
>>>>>>>>>> > with postfix. The code would also be very simple.
>>>>>>>>>> >
>>>>>>>>>> > Then, as you say, if you need MTA level functionality for SA,
>>>>>>>>>> use other
>>>>>>>>>> > software and methods.
>>>>>>>>>> >
>>>>>>>>>> >
>>>>>>>>>>
>>>>>>>>>> This light MS milter would make a lot of sense based on your goal
>>>>>>>>>> to get
>>>>>>>>>> compliant with Postfix and back "in" with the Postfix community.
>>>>>>>>>> +1
>>>>>>>>>>
>>>>>>>>>> >
>>>>>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
>>>>>>>>>> > <mailto:djones at ena.com>> wrote:
>>>>>>>>>> >
>>>>>>>>>> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>>>>>>>> >      > I have been planning for a MailScanner milter for quite
>>>>>>>>>> some
>>>>>>>>>> >     time.  I
>>>>>>>>>> >      > have been specifically studying rpamd's milter source
>>>>>>>>>> for this
>>>>>>>>>> >     purpose.
>>>>>>>>>> >      > Alas, lack of time and lack of money are always an
>>>>>>>>>> issue, and I
>>>>>>>>>> >     put a
>>>>>>>>>> >      > lot of hours in my day job.  As Jerry would say, I like
>>>>>>>>>> to eat
>>>>>>>>>> >     and have
>>>>>>>>>> >      > a roof over my head :D
>>>>>>>>>> >      >
>>>>>>>>>> >      > If I do find the time to build a milter, performance will
>>>>>>>>>> >     definitely be
>>>>>>>>>> >      > impacted.  The reason is that postfix will have to keep
>>>>>>>>>> each session
>>>>>>>>>> >      > open for the duration of scanning, and each MailScanner
>>>>>>>>>> child
>>>>>>>>>> >     would have
>>>>>>>>>> >      > to issue a callback to postfix after scanning the spam
>>>>>>>>>> so that
>>>>>>>>>> >     postfix
>>>>>>>>>> >      > can responds to the connection appropriately  (i.e.
>>>>>>>>>> reject or
>>>>>>>>>> >     accept).
>>>>>>>>>> >      > This will slow down mail processing considerably.  If I
>>>>>>>>>> do this,
>>>>>>>>>> >     I am
>>>>>>>>>> >      > going to keep the HOLD queue around, so you would have
>>>>>>>>>> to choose
>>>>>>>>>> >     between
>>>>>>>>>> >      > speed or MTA level rejection functionality.
>>>>>>>>>> >      >
>>>>>>>>>> >      >
>>>>>>>>>> >      >
>>>>>>>>>> >
>>>>>>>>>> >     My gut tells me that this is going to be so slow, that it's
>>>>>>>>>> not
>>>>>>>>>> >     going to
>>>>>>>>>> >     be worth the time to put into it.  If you want to reject at
>>>>>>>>>> MTA time,
>>>>>>>>>> >     throw in amavis-new or spamd (not rspamd) using the same
>>>>>>>>>> SpamAsssassin
>>>>>>>>>> >     rules and Bayes DB to get most of the same features as
>>>>>>>>>> MailScanner
>>>>>>>>>> >     during the SMTP conversation.  Then the mail that gets
>>>>>>>>>> through can be
>>>>>>>>>> >     filtered by MailScanner for it's extra features that make
>>>>>>>>>> it unique.
>>>>>>>>>> >
>>>>>>>>>> >     I understand there are different local legal requirements
>>>>>>>>>> around the
>>>>>>>>>> >     world that if email is accepted at MTA time then it has to
>>>>>>>>>> be passed on
>>>>>>>>>> >     to the end user's mailbox.  If you are located in one of
>>>>>>>>>> these
>>>>>>>>>> >     countries, then this would be more of an issue.  But since
>>>>>>>>>> I am in a
>>>>>>>>>> >     country that doesn't have this legal requirement, I do
>>>>>>>>>> block email
>>>>>>>>>> >     post-MTA by MailScanner.
>>>>>>>>>> >
>>>>>>>>>> >     The majority of my spam is blocked at the MTA level already
>>>>>>>>>> by highly
>>>>>>>>>> >     tuned RBLs and postscreen's RBL weighting which is very,
>>>>>>>>>> very good.
>>>>>>>>>> >     Only a small percentage of spam that is zero-hour or from
>>>>>>>>>> compromised
>>>>>>>>>> >     accounts makes it to MailScanner.
>>>>>>>>>> >
>>>>>>>>>> >     I highly recommend the Invaluement RBL.  It's very accurate
>>>>>>>>>> -- only
>>>>>>>>>> >     1 or
>>>>>>>>>> >     2 false positives over 5+ the years.  This RBL is very cost
>>>>>>>>>> effective
>>>>>>>>>> >     and has allowed me to disable all Spamhaus RBL checks in
>>>>>>>>>> SpamAssassin
>>>>>>>>>> >     saving thousands of dollars a year.  (We have too high a
>>>>>>>>>> volume to stay
>>>>>>>>>> >     under the free usage limits of Spamhaus so we were having
>>>>>>>>>> to pay for
>>>>>>>>>> >     the
>>>>>>>>>> >     RBL feed.)
>>>>>>>>>> >
>>>>>>>>>> >      >
>>>>>>>>>> >      >
>>>>>>>>>> >      >
>>>>>>>>>> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via
>>>>>>>>>> MailScanner
>>>>>>>>>> >      > <mailscanner at lists.mailscanner.info
>>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>>>>>> >      > <mailto:mailscanner at lists.mailscanner.info
>>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>>>>>>>>>> >      >
>>>>>>>>>> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>>>>>>>>>> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>>>>>>>>>> >     <mailto:info at schroeffu.ch>>
>>>>>>>>>> >      >     wrote:
>>>>>>>>>> >      >      >
>>>>>>>>>> >      >      > Hi Mailscanner friends,
>>>>>>>>>> >      >      >
>>>>>>>>>> >      >      > is there any progress to make MailScanner usable
>>>>>>>>>> as a
>>>>>>>>>> >     postfix milter?
>>>>>>>>>> >      >      > The most biggest problem I have is, SPAM is not
>>>>>>>>>> possible to
>>>>>>>>>> >      >     reject when
>>>>>>>>>> >      >      > reaching a high score at MTA level. For my
>>>>>>>>>> understanding,
>>>>>>>>>> >     connect
>>>>>>>>>> >      >     via
>>>>>>>>>> >      >      > milter instead of queue ^HOLD would be the
>>>>>>>>>> solution.
>>>>>>>>>> >      >      >
>>>>>>>>>> >      >      > For the next decade we are still using
>>>>>>>>>> MailScanner instead
>>>>>>>>>> >     of others
>>>>>>>>>> >      >      > like Rspamd, because MailScanner is like a mail
>>>>>>>>>> suite for mail
>>>>>>>>>> >      >     security,
>>>>>>>>>> >      >      > but if there will never be the possibility to
>>>>>>>>>> reject at
>>>>>>>>>> >     MTA level
>>>>>>>>>> >      >     the
>>>>>>>>>> >      >      > high score spam, we will also change in 1-3 years
>>>>>>>>>> while
>>>>>>>>>> >     replacing
>>>>>>>>>> >      >     the OS
>>>>>>>>>> >      >      > beyond.
>>>>>>>>>> >      >      >
>>>>>>>>>> >      >
>>>>>>>>>> >      >     One of MailScanner's strongest features is it's
>>>>>>>>>> batch mode
>>>>>>>>>> >     processing
>>>>>>>>>> >      >     that will allow it to handle a very high volume of
>>>>>>>>>> mail
>>>>>>>>>> >     flow.  I doubt
>>>>>>>>>> >      >     that MailScanner will ever be changed to run as a
>>>>>>>>>> milter for this
>>>>>>>>>> >      >     reason.
>>>>>>>>>> >      >
>>>>>>>>>> >      >     I tried rspamd and found it wasn't as good as the
>>>>>>>>>> author
>>>>>>>>>> >     claims so no
>>>>>>>>>> >      >     reason to try to use that as a milter.  It also
>>>>>>>>>> wasn't as
>>>>>>>>>> >     fast as it
>>>>>>>>>> >      >     claims.  I could not send high volumes of mail
>>>>>>>>>> through it
>>>>>>>>>> >     like I could
>>>>>>>>>> >      >     with MailScanner.
>>>>>>>>>> >      >
>>>>>>>>>> >      >     If you want to block high scoring spam at the MTA
>>>>>>>>>> level, I
>>>>>>>>>> >     suggest
>>>>>>>>>> >      >     using
>>>>>>>>>> >      >     amavis or spamd with the same SA rulesets as
>>>>>>>>>> MailScanner.
>>>>>>>>>> >     This will
>>>>>>>>>> >      >     get
>>>>>>>>>> >      >     you most of the power of MailScanner's blocking at
>>>>>>>>>> the MTA.
>>>>>>>>>> >      >
>>>>>>>>>> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
>>>>>>>>>> >      >
>>>>>>>>>> >      >     If you you use postscreen and postwhite at the
>>>>>>>>>> Postfix MTA
>>>>>>>>>> >     level, you
>>>>>>>>>> >      >     can block most of the obvious spam with a tuned list
>>>>>>>>>> of
>>>>>>>>>> >     RBLs.  See the
>>>>>>>>>> >      >     SA users mailing list over the past year for details
>>>>>>>>>> on this
>>>>>>>>>> >     from me
>>>>>>>>>> >      >     and
>>>>>>>>>> >      >     a few others.
>>>>>>>>>> >      >
>>>>>>>>>> >      >     I suggest setting up a quick test VM with iRedmail
>>>>>>>>>> to get a good
>>>>>>>>>> >      >     example
>>>>>>>>>> >      >     of how to do TLS and amavis integration well with
>>>>>>>>>> Postfix.
>>>>>>>>>> >      >
>>>>>>>>>> >      >     --
>>>>>>>>>> >      >     David Jones
>>>>>>>>>> >      >
>>>>>>>>>> >      >
>>>>>>>>>> >      >     --
>>>>>>>>>> >      >     MailScanner mailing list
>>>>>>>>>> >      > mailscanner at lists.mailscanner.info
>>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>>>>>> >      >     <mailto:mailscanner at lists.mailscanner.info
>>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>
>>>>>>>>>> >      >
>>>>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>>>> >      >
>>>>>>>>>> >      >
>>>>>>>>>> >      >
>>>>>>>>>> >      > --
>>>>>>>>>> >      > Shawn Iverson, CETL
>>>>>>>>>> >      > Director of Technology
>>>>>>>>>> >      > Rush County Schools
>>>>>>>>>> >      > 765-932-3901 x1171
>>>>>>>>>> >      > iversons at rushville.k12.in.us
>>>>>>>>>> >     <mailto:iversons at rushville.k12.in.us>
>>>>>>>>>> >     <mailto:iversons at rushville.k12.in.us
>>>>>>>>>> >     <mailto:iversons at rushville.k12.in.us>>
>>>>>>>>>> >      >
>>>>>>>>>> >      >
>>>>>>>>>> >
>>>>>>>>>> >     --
>>>>>>>>>> >     David Jones
>>>>>>>>>> >
>>>>>>>>>> >
>>>>>>>>>> >
>>>>>>>>>> > --
>>>>>>>>>> > Shawn Iverson, CETL
>>>>>>>>>> > Director of Technology
>>>>>>>>>> > Rush County Schools
>>>>>>>>>> > 765-932-3901 x1171
>>>>>>>>>> > iversons at rushville.k12.in.us <mailto:
>>>>>>>>>> iversons at rushville.k12.in.us>
>>>>>>>>>> >
>>>>>>>>>> >
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> David Jones
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Shawn Iverson, CETL
>>>>>>>>> Director of Technology
>>>>>>>>> Rush County Schools
>>>>>>>>> 765-932-3901 x1171
>>>>>>>>> iversons at rushville.k12.in.us
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Shawn Iverson, CETL
>>>>>>>> Director of Technology
>>>>>>>> Rush County Schools
>>>>>>>> 765-932-3901 x1171
>>>>>>>> iversons at rushville.k12.in.us
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Shawn Iverson, CETL
>>>>>>> Director of Technology
>>>>>>> Rush County Schools
>>>>>>> 765-932-3901 x1171
>>>>>>> iversons at rushville.k12.in.us
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Shawn Iverson, CETL
>>>>>> Director of Technology
>>>>>> Rush County Schools
>>>>>> 765-932-3901 x1171
>>>>>> iversons at rushville.k12.in.us
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Shawn Iverson, CETL
>>>>> Director of Technology
>>>>> Rush County Schools
>>>>> 765-932-3901 x1171
>>>>> iversons at rushville.k12.in.us
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Shawn Iverson, CETL
>>>> Director of Technology
>>>> Rush County Schools
>>>> 765-932-3901 x1171
>>>> iversons at rushville.k12.in.us
>>>>
>>>>
>>>>
>>>
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>>
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180822/f06a43b6/attachment.html>

From iversons at rushville.k12.in.us  Sat Aug 25 02:56:43 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 24 Aug 2018 22:56:43 -0400
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8zJrF5Eof3sFKvgNbduo6FdXt+K-Dd_C-FNoDKN4r-sKYw@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <f2c32b79-22c2-3ca9-f596-2d4f9354306d@ena.com>
 <CABu_8zKAtewGDa1O11dHG3e4fvu3D3wO+7KE2HMFit=MAF7x1g@mail.gmail.com>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
 <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
 <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>
 <CABu_8zLdNnFqmvUesCGqObmeb7gS+ZDyyirC-Fzra80H02EFHw@mail.gmail.com>
 <CABu_8zJQ4ZioeuKfHJzfdDVSfJuj1zF2N7YZT7sHsb=r3mmJFw@mail.gmail.com>
 <CABu_8zLdP0tROOL4Vc8WbJzjyVDCKZhJtuP-ZNd8RTYQqWGh3A@mail.gmail.com>
 <CABu_8z+rc6iQ2FJytkfWuebBAQRK8=sXqzpFSnZP=LQky=0UFQ@mail.gmail.com>
 <CABu_8zKDNp-4LiPK3YmH9oAPGqBE2D8iL-EcqpK0fQBtp9DtSg@mail.gmail.com>
 <CABu_8zLv_X3QkK=Jmrso4WksEaBS3kh8qXsbEOFkVkG7UT39=g@mail.gmail.com>
 <CABu_8zJrF5Eof3sFKvgNbduo6FdXt+K-Dd_C-FNoDKN4r-sKYw@mail.gmail.com>
Message-ID: <CABu_8z+OWZ5j5E8qd69Xembw6XEX+PjoB4N3S0pmFBVBQWBVsw@mail.gmail.com>

New milestone...version 0.9

Milter now supports REJECT of blacklisted emails and IP addresses with a
message of "554 5.7.1 Message Blacklisted" when the new Milter Scanner mode
is activated.

https://github.com/shawniverson/v5/commit/a6e22ebe51357e0d92bae534092074eee7162f24

This just made sense to do, since blacklist checking is very fast and can
happen while the milter is active.

On Wed, Aug 22, 2018 at 8:51 AM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> Getting closer to a 1.0 release of the milter and the next update to
> MailScanner:
>
> RFC 821/1123 null sender support
> RFC 822 unfolding support
>
>
> https://github.com/shawniverson/v5/commit/9c9bb7fb344957be83477c40003aa1e1a64ec832
>
>
>
> On Mon, Aug 20, 2018 at 6:33 PM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> Daemonized the Milter
>>
>>
>> https://github.com/shawniverson/v5/commit/3614686575763cceac965c43212544f37f9f6a24
>>
>> On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <
>> iversons at rushville.k12.in.us> wrote:
>>
>>> Corrected link
>>>
>>>
>>> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de35164
>>>
>>> On Mon, Aug 20, 2018 at 11:49 AM Shawn Iverson <
>>> iversons at rushville.k12.in.us> wrote:
>>>
>>>> RFC 5321 support added.
>>>>
>>>> Also reviewing RFC 822, particularly handling of delivery failure
>>>> notices, with respect to the milter.
>>>>
>>>>
>>>> https://github.com/shawniverson/v5/commit/6eef93cb3cbc49f72cdca656e8a2bf655de351645321
>>>>
>>>>
>>>> Currently addressing a bug with the daemon forking new children.
>>>>  Seems to be caused by the Milter being a child process of MailScanner.  If
>>>> I cannot resolve, I plan to separate the Milter into its own daemon.  This
>>>> may be better anyway and allow both to be managed independently.
>>>>
>>>> On Sun, Aug 19, 2018 at 5:14 PM Shawn Iverson <
>>>> iversons at rushville.k12.in.us> wrote:
>>>>
>>>>> Latest commit
>>>>>
>>>>> Spamassassin/MailScanner are now comparing envelope from and from
>>>>> properly :)
>>>>>
>>>>>
>>>>> https://github.com/shawniverson/v5/commit/625040caedc93b2c4e78edf305b69ac8a82bc25b
>>>>>
>>>>> Todo:
>>>>>
>>>>> Cleanup code
>>>>> Add more options to mailscanner config, such as # of milter threads,
>>>>> etc.
>>>>> Remove hard coded items where feasible
>>>>> Honor placement of Header entries in header (top or bottom)
>>>>> Test Test Test (anyone interested is welcome!)
>>>>> Patches for MailWatch to handle new queues and process counts
>>>>> Fix bug observed where mailscanner thinks processes are still running
>>>>> when stopping (but aren't, harmless, just weird)
>>>>>
>>>>> Feedback is welcome.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Aug 19, 2018 at 4:26 PM Shawn Iverson <
>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>
>>>>>> Found the callback code for MAIL FROM:
>>>>>>
>>>>>> 'M'     SMFIC_MAIL      MAIL FROM: information
>>>>>>                         Expected response:  Accept/reject action
>>>>>>
>>>>>> Time for some more coding :D
>>>>>>
>>>>>> On Sun, Aug 19, 2018 at 4:04 PM Shawn Iverson <
>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>
>>>>>>> Another update
>>>>>>>
>>>>>>> The latest commit to my branch includes more fixes and a new thing
>>>>>>> that needs handled now that a Milter is in play.  When mail is submitted
>>>>>>> back to postfix, it needs to be processed by other things that could reject
>>>>>>> the email (such as an blocked sender).  This is a problem because
>>>>>>> MailScanner does not know how to handle rejects since it has always been
>>>>>>> part of the queue process interacting directly with the queues, not before
>>>>>>> queue process.
>>>>>>>
>>>>>>> During message delivery, if a reject is detected, I inject a special
>>>>>>> header to the message and requeue it to MailScanner.  MailScanner has a
>>>>>>> chance, based on this special header to flag the message, remove the
>>>>>>> special header, add diagnostic info to the header about the relay, and
>>>>>>> quarantine the message.  The mail admin is happy knowing that the message
>>>>>>> didn't just vanish and has an opportunity to resolve the issue and release
>>>>>>> it or know the disposition of the email.
>>>>>>>
>>>>>>> Another cool thing about this Milter Processor I discovered is you
>>>>>>> can simply drop a message into /var/spool/MailScanner/milterin from
>>>>>>> /var/spool/MailScanner/quarantine, and it will try to redeliver it :D
>>>>>>>
>>>>>>> This new code is in Message.pm and only becomes active if the milter
>>>>>>> is activated.
>>>>>>>
>>>>>>> On Sun, Aug 19, 2018 at 9:30 AM Shawn Iverson <
>>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>>
>>>>>>>> Oh yeah, here's the config for Postfix:
>>>>>>>>
>>>>>>>> smtpd_milters = inet:127.0.0.1:33333
>>>>>>>> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
>>>>>>>>
>>>>>>>> /etc/postfix/smtpd_milter_map:
>>>>>>>> 127.0.0.0/8 DISABLE
>>>>>>>> ::/64 DISABLE
>>>>>>>>
>>>>>>>> This allows scanned emails to pass the milter, as well as
>>>>>>>> notifications sent from the localhost.  You do need at least Postfix
>>>>>>>> version 3.2 I believe to have milter map support.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, Aug 18, 2018 at 11:28 PM Shawn Iverson <
>>>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>>>
>>>>>>>>> MailScanner users:
>>>>>>>>>
>>>>>>>>> The MailScanner Milter project is coming along nicely.
>>>>>>>>>
>>>>>>>>> https://github.com/shawniverson/v5/commits/081118msmilter
>>>>>>>>>
>>>>>>>>> I am currently running this on a split relay to test the milter
>>>>>>>>> without impacting production email.
>>>>>>>>>
>>>>>>>>> The design is fairly simple, although development has taken about
>>>>>>>>> 40 hours of my time.  I know more about MailScanner (and perl) than I ever
>>>>>>>>> have :D
>>>>>>>>>
>>>>>>>>> The Milter is integrated into MailScanner and forks as a branch of
>>>>>>>>> the MailScanner process tree, keeping systemd happy.
>>>>>>>>>
>>>>>>>>> The Milter process intercepts incoming email and tells postfix to
>>>>>>>>> DISCARD, which basically accepts the mail and silently drops it before
>>>>>>>>> entering the queue.  At the same time, the Milter writes a raw email file
>>>>>>>>> to the /var/spool/MailScanner/milterin queue.
>>>>>>>>>
>>>>>>>>> MailScanner picks up the message batches in the milterin
>>>>>>>>> directory, processes them, and spits them out to
>>>>>>>>> /var/spool/MailScanner/milterout directory as raw email files.
>>>>>>>>>
>>>>>>>>> The MSMail Processor (new) relays the messages to postfix for
>>>>>>>>> further processing over port 25.  A optional localhost rule in
>>>>>>>>> header_checks removes the local entry from the header before delivery.
>>>>>>>>>
>>>>>>>>> The benefits are that the postfix queue is not touched at all
>>>>>>>>> throughout this process, making the solution (hopefully) an acceptable one
>>>>>>>>> within the postfix community.  It is also very fast, and the codebase for
>>>>>>>>> this method is smaller than even the Postfix Processor, and MailScanner
>>>>>>>>> gets its own queues, separate from postfix.
>>>>>>>>>
>>>>>>>>> One drawback to this method is there is no apparent way to extract
>>>>>>>>> the Envelope From address (at least not yet, perhaps I am missing a milter
>>>>>>>>> code), although it doesn't appear that MailScanner is all that concerned
>>>>>>>>> about it and doesn't go out of its way to capture it.  I think it is
>>>>>>>>> important though, for spoof detection, so I will continue to research this.
>>>>>>>>>
>>>>>>>>> Anyone that is willing to get their feet wet and test can apply
>>>>>>>>> the following files from my branch:
>>>>>>>>>
>>>>>>>>> (In common)
>>>>>>>>> /usr/sbin/MailScanner
>>>>>>>>> /usr/share/MailScanner/perl/MailScanner/Milter.pm
>>>>>>>>> /usr/share/MailScanner/perl/MailScanner/MSMail.pm
>>>>>>>>> /usr/share/MailScanner/perl/MailScanner/MSDiskStore.pm
>>>>>>>>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pm
>>>>>>>>>
>>>>>>>>> Then create the following dirs:
>>>>>>>>> mkdir -p /var/spool/MailScanner/milterin
>>>>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterin
>>>>>>>>> mkdir -p /var/spool/MailScanner/milterout
>>>>>>>>> chown postfix:mtagroup /var/spool/MailScanner/milterout
>>>>>>>>>
>>>>>>>>> Apply the following to /etc/MailScanner/MailScanner.conf:
>>>>>>>>> Incoming Queue Dir = /var/spool/MailScanner/milterin
>>>>>>>>> Outgoing Queue Dir = /var/spool/MailScanner/milterout
>>>>>>>>> MTA = MSMail
>>>>>>>>> MSMail Queue Type = short | long (pick one that matches your
>>>>>>>>> postfix setting)
>>>>>>>>>
>>>>>>>>> I recommend doing this in a test or split relay environment that
>>>>>>>>> blackholes email.  Do not use in production yet ;)
>>>>>>>>>
>>>>>>>>> Known issues at the moment:
>>>>>>>>> MailWatch doesn't recogize MSMail as an 'MTA' so the queue stats
>>>>>>>>> do not appear
>>>>>>>>> More validation and error handling is needed throughout.  Weird
>>>>>>>>> emails abound!
>>>>>>>>> Need to know the envelope from sender.  Currently hidden from the
>>>>>>>>> milter, but hopefully exposable via a callback code.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Aug 14, 2018 at 10:56 AM Shawn Iverson <
>>>>>>>>> iversons at rushville.k12.in.us> wrote:
>>>>>>>>>
>>>>>>>>>> Dear MailScanner users:
>>>>>>>>>>
>>>>>>>>>> I am officially working on creating a lightweight milter for
>>>>>>>>>> MailScanner.
>>>>>>>>>>
>>>>>>>>>> This milter will not provide MTA protocol rejection for postfix,
>>>>>>>>>> due to the severe performance penalty it would cause.  All mail will be
>>>>>>>>>> intercepted, accepted, and silently dropped from the postfix queue and
>>>>>>>>>> placed in a MailScanner queue.
>>>>>>>>>>
>>>>>>>>>> I have a working prototype, and it is processing mail!  It is in
>>>>>>>>>> need of heavy refactoring and some bug squashing.
>>>>>>>>>>
>>>>>>>>>> Currently it attempts to create a postfix formatted queue file
>>>>>>>>>> (very ugly, who thought up this file format???!!!).  I may instead create a
>>>>>>>>>> new Milter Processor for MailScanner that reduces the overhead of doing
>>>>>>>>>> this and can read the incoming email in a simple line-by-line format.  This
>>>>>>>>>> may also increase performance overall and reduce all the conversions
>>>>>>>>>> happening.
>>>>>>>>>>
>>>>>>>>>> The other side of the coin is what to do when MailScanner is done
>>>>>>>>>> processing mail.  Currently, it generates a postfix queue file and drops it
>>>>>>>>>> into postfix incoming directory.  It should not do this but instead drop
>>>>>>>>>> the message into postfix using native postfix tools.  That will be the next
>>>>>>>>>> part I tackle as part of the Milter Processor.
>>>>>>>>>>
>>>>>>>>>> Why am I doing this?  I want to place MailScanner back in a good
>>>>>>>>>> standing with Postfix folks (at least when the milter + postfix method is
>>>>>>>>>> in use).
>>>>>>>>>>
>>>>>>>>>> I have no plans of removing the old method but rather provide a
>>>>>>>>>> more supported path for postfix users.
>>>>>>>>>>
>>>>>>>>>> Wish me luck.  I could be heard across the neighborhood when
>>>>>>>>>> MailScanner processed an email from the Milter for the first time! :D
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Sat, Aug 11, 2018 at 9:58 AM David Jones <djones at ena.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> On 08/11/2018 08:52 AM, Shawn Iverson wrote:
>>>>>>>>>>> > David,
>>>>>>>>>>> >
>>>>>>>>>>> > I agree that this is true, and part of my lack of motivation
>>>>>>>>>>> to do it.
>>>>>>>>>>> > One reason I wanted it as an option was to reconcile the
>>>>>>>>>>> ongoing
>>>>>>>>>>> > conflict with the postfix community and return MailScanner to
>>>>>>>>>>> good
>>>>>>>>>>> > standing to this community.  Weitze has been very stern about
>>>>>>>>>>> > MailScanner directly tapping the postfix queues.
>>>>>>>>>>> >
>>>>>>>>>>> > Perhaps an alternative option would be to create a fast
>>>>>>>>>>> MailScanner
>>>>>>>>>>> > milter that behaves more like the HOLD queue.  Basically just
>>>>>>>>>>> a milter
>>>>>>>>>>> > that immediately fires back accept to postfix and places all
>>>>>>>>>>> the
>>>>>>>>>>> > messages in a MailScanner HOLD queue as opposed to a postfix
>>>>>>>>>>> HOLD
>>>>>>>>>>> > queue.  Doing so would maintain speed, simplicity, and be more
>>>>>>>>>>> compliant
>>>>>>>>>>> > with postfix. The code would also be very simple.
>>>>>>>>>>> >
>>>>>>>>>>> > Then, as you say, if you need MTA level functionality for SA,
>>>>>>>>>>> use other
>>>>>>>>>>> > software and methods.
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>>
>>>>>>>>>>> This light MS milter would make a lot of sense based on your
>>>>>>>>>>> goal to get
>>>>>>>>>>> compliant with Postfix and back "in" with the Postfix
>>>>>>>>>>> community.  +1
>>>>>>>>>>>
>>>>>>>>>>> >
>>>>>>>>>>> > On Sat, Aug 11, 2018 at 9:39 AM David Jones <djones at ena.com
>>>>>>>>>>> > <mailto:djones at ena.com>> wrote:
>>>>>>>>>>> >
>>>>>>>>>>> >     On 08/11/2018 08:15 AM, Shawn Iverson wrote:
>>>>>>>>>>> >      > I have been planning for a MailScanner milter for quite
>>>>>>>>>>> some
>>>>>>>>>>> >     time.  I
>>>>>>>>>>> >      > have been specifically studying rpamd's milter source
>>>>>>>>>>> for this
>>>>>>>>>>> >     purpose.
>>>>>>>>>>> >      > Alas, lack of time and lack of money are always an
>>>>>>>>>>> issue, and I
>>>>>>>>>>> >     put a
>>>>>>>>>>> >      > lot of hours in my day job.  As Jerry would say, I like
>>>>>>>>>>> to eat
>>>>>>>>>>> >     and have
>>>>>>>>>>> >      > a roof over my head :D
>>>>>>>>>>> >      >
>>>>>>>>>>> >      > If I do find the time to build a milter, performance
>>>>>>>>>>> will
>>>>>>>>>>> >     definitely be
>>>>>>>>>>> >      > impacted.  The reason is that postfix will have to keep
>>>>>>>>>>> each session
>>>>>>>>>>> >      > open for the duration of scanning, and each MailScanner
>>>>>>>>>>> child
>>>>>>>>>>> >     would have
>>>>>>>>>>> >      > to issue a callback to postfix after scanning the spam
>>>>>>>>>>> so that
>>>>>>>>>>> >     postfix
>>>>>>>>>>> >      > can responds to the connection appropriately  (i.e.
>>>>>>>>>>> reject or
>>>>>>>>>>> >     accept).
>>>>>>>>>>> >      > This will slow down mail processing considerably.  If I
>>>>>>>>>>> do this,
>>>>>>>>>>> >     I am
>>>>>>>>>>> >      > going to keep the HOLD queue around, so you would have
>>>>>>>>>>> to choose
>>>>>>>>>>> >     between
>>>>>>>>>>> >      > speed or MTA level rejection functionality.
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >
>>>>>>>>>>> >
>>>>>>>>>>> >     My gut tells me that this is going to be so slow, that
>>>>>>>>>>> it's not
>>>>>>>>>>> >     going to
>>>>>>>>>>> >     be worth the time to put into it.  If you want to reject
>>>>>>>>>>> at MTA time,
>>>>>>>>>>> >     throw in amavis-new or spamd (not rspamd) using the same
>>>>>>>>>>> SpamAsssassin
>>>>>>>>>>> >     rules and Bayes DB to get most of the same features as
>>>>>>>>>>> MailScanner
>>>>>>>>>>> >     during the SMTP conversation.  Then the mail that gets
>>>>>>>>>>> through can be
>>>>>>>>>>> >     filtered by MailScanner for it's extra features that make
>>>>>>>>>>> it unique.
>>>>>>>>>>> >
>>>>>>>>>>> >     I understand there are different local legal requirements
>>>>>>>>>>> around the
>>>>>>>>>>> >     world that if email is accepted at MTA time then it has to
>>>>>>>>>>> be passed on
>>>>>>>>>>> >     to the end user's mailbox.  If you are located in one of
>>>>>>>>>>> these
>>>>>>>>>>> >     countries, then this would be more of an issue.  But since
>>>>>>>>>>> I am in a
>>>>>>>>>>> >     country that doesn't have this legal requirement, I do
>>>>>>>>>>> block email
>>>>>>>>>>> >     post-MTA by MailScanner.
>>>>>>>>>>> >
>>>>>>>>>>> >     The majority of my spam is blocked at the MTA level
>>>>>>>>>>> already by highly
>>>>>>>>>>> >     tuned RBLs and postscreen's RBL weighting which is very,
>>>>>>>>>>> very good.
>>>>>>>>>>> >     Only a small percentage of spam that is zero-hour or from
>>>>>>>>>>> compromised
>>>>>>>>>>> >     accounts makes it to MailScanner.
>>>>>>>>>>> >
>>>>>>>>>>> >     I highly recommend the Invaluement RBL.  It's very
>>>>>>>>>>> accurate -- only
>>>>>>>>>>> >     1 or
>>>>>>>>>>> >     2 false positives over 5+ the years.  This RBL is very
>>>>>>>>>>> cost effective
>>>>>>>>>>> >     and has allowed me to disable all Spamhaus RBL checks in
>>>>>>>>>>> SpamAssassin
>>>>>>>>>>> >     saving thousands of dollars a year.  (We have too high a
>>>>>>>>>>> volume to stay
>>>>>>>>>>> >     under the free usage limits of Spamhaus so we were having
>>>>>>>>>>> to pay for
>>>>>>>>>>> >     the
>>>>>>>>>>> >     RBL feed.)
>>>>>>>>>>> >
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >
>>>>>>>>>>> >      > On Tue, Aug 7, 2018 at 10:52 AM David Jones via
>>>>>>>>>>> MailScanner
>>>>>>>>>>> >      > <mailscanner at lists.mailscanner.info
>>>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>>>>>>> >      > <mailto:mailscanner at lists.mailscanner.info
>>>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>> wrote:
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >     On 08/07/2018 05:03 AM, info at schroeffu.ch
>>>>>>>>>>> >     <mailto:info at schroeffu.ch> <mailto:info at schroeffu.ch
>>>>>>>>>>> >     <mailto:info at schroeffu.ch>>
>>>>>>>>>>> >      >     wrote:
>>>>>>>>>>> >      >      >
>>>>>>>>>>> >      >      > Hi Mailscanner friends,
>>>>>>>>>>> >      >      >
>>>>>>>>>>> >      >      > is there any progress to make MailScanner usable
>>>>>>>>>>> as a
>>>>>>>>>>> >     postfix milter?
>>>>>>>>>>> >      >      > The most biggest problem I have is, SPAM is not
>>>>>>>>>>> possible to
>>>>>>>>>>> >      >     reject when
>>>>>>>>>>> >      >      > reaching a high score at MTA level. For my
>>>>>>>>>>> understanding,
>>>>>>>>>>> >     connect
>>>>>>>>>>> >      >     via
>>>>>>>>>>> >      >      > milter instead of queue ^HOLD would be the
>>>>>>>>>>> solution.
>>>>>>>>>>> >      >      >
>>>>>>>>>>> >      >      > For the next decade we are still using
>>>>>>>>>>> MailScanner instead
>>>>>>>>>>> >     of others
>>>>>>>>>>> >      >      > like Rspamd, because MailScanner is like a mail
>>>>>>>>>>> suite for mail
>>>>>>>>>>> >      >     security,
>>>>>>>>>>> >      >      > but if there will never be the possibility to
>>>>>>>>>>> reject at
>>>>>>>>>>> >     MTA level
>>>>>>>>>>> >      >     the
>>>>>>>>>>> >      >      > high score spam, we will also change in 1-3
>>>>>>>>>>> years while
>>>>>>>>>>> >     replacing
>>>>>>>>>>> >      >     the OS
>>>>>>>>>>> >      >      > beyond.
>>>>>>>>>>> >      >      >
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >     One of MailScanner's strongest features is it's
>>>>>>>>>>> batch mode
>>>>>>>>>>> >     processing
>>>>>>>>>>> >      >     that will allow it to handle a very high volume of
>>>>>>>>>>> mail
>>>>>>>>>>> >     flow.  I doubt
>>>>>>>>>>> >      >     that MailScanner will ever be changed to run as a
>>>>>>>>>>> milter for this
>>>>>>>>>>> >      >     reason.
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >     I tried rspamd and found it wasn't as good as the
>>>>>>>>>>> author
>>>>>>>>>>> >     claims so no
>>>>>>>>>>> >      >     reason to try to use that as a milter.  It also
>>>>>>>>>>> wasn't as
>>>>>>>>>>> >     fast as it
>>>>>>>>>>> >      >     claims.  I could not send high volumes of mail
>>>>>>>>>>> through it
>>>>>>>>>>> >     like I could
>>>>>>>>>>> >      >     with MailScanner.
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >     If you want to block high scoring spam at the MTA
>>>>>>>>>>> level, I
>>>>>>>>>>> >     suggest
>>>>>>>>>>> >      >     using
>>>>>>>>>>> >      >     amavis or spamd with the same SA rulesets as
>>>>>>>>>>> MailScanner.
>>>>>>>>>>> >     This will
>>>>>>>>>>> >      >     get
>>>>>>>>>>> >      >     you most of the power of MailScanner's blocking at
>>>>>>>>>>> the MTA.
>>>>>>>>>>> >      >
>>>>>>>>>>> >      > https://wiki.apache.org/spamassassin/IntegratedInMta
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >     If you you use postscreen and postwhite at the
>>>>>>>>>>> Postfix MTA
>>>>>>>>>>> >     level, you
>>>>>>>>>>> >      >     can block most of the obvious spam with a tuned
>>>>>>>>>>> list of
>>>>>>>>>>> >     RBLs.  See the
>>>>>>>>>>> >      >     SA users mailing list over the past year for
>>>>>>>>>>> details on this
>>>>>>>>>>> >     from me
>>>>>>>>>>> >      >     and
>>>>>>>>>>> >      >     a few others.
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >     I suggest setting up a quick test VM with iRedmail
>>>>>>>>>>> to get a good
>>>>>>>>>>> >      >     example
>>>>>>>>>>> >      >     of how to do TLS and amavis integration well with
>>>>>>>>>>> Postfix.
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >     --
>>>>>>>>>>> >      >     David Jones
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >     --
>>>>>>>>>>> >      >     MailScanner mailing list
>>>>>>>>>>> >      > mailscanner at lists.mailscanner.info
>>>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>
>>>>>>>>>>> >      >     <mailto:mailscanner at lists.mailscanner.info
>>>>>>>>>>> >     <mailto:mailscanner at lists.mailscanner.info>>
>>>>>>>>>>> >      >
>>>>>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >
>>>>>>>>>>> >      > --
>>>>>>>>>>> >      > Shawn Iverson, CETL
>>>>>>>>>>> >      > Director of Technology
>>>>>>>>>>> >      > Rush County Schools
>>>>>>>>>>> >      > 765-932-3901 x1171
>>>>>>>>>>> >      > iversons at rushville.k12.in.us
>>>>>>>>>>> >     <mailto:iversons at rushville.k12.in.us>
>>>>>>>>>>> >     <mailto:iversons at rushville.k12.in.us
>>>>>>>>>>> >     <mailto:iversons at rushville.k12.in.us>>
>>>>>>>>>>> >      >
>>>>>>>>>>> >      >
>>>>>>>>>>> >
>>>>>>>>>>> >     --
>>>>>>>>>>> >     David Jones
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>> > --
>>>>>>>>>>> > Shawn Iverson, CETL
>>>>>>>>>>> > Director of Technology
>>>>>>>>>>> > Rush County Schools
>>>>>>>>>>> > 765-932-3901 x1171
>>>>>>>>>>> > iversons at rushville.k12.in.us <mailto:
>>>>>>>>>>> iversons at rushville.k12.in.us>
>>>>>>>>>>> >
>>>>>>>>>>> >
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> David Jones
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Shawn Iverson, CETL
>>>>>>>>>> Director of Technology
>>>>>>>>>> Rush County Schools
>>>>>>>>>> 765-932-3901 x1171
>>>>>>>>>> iversons at rushville.k12.in.us
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Shawn Iverson, CETL
>>>>>>>>> Director of Technology
>>>>>>>>> Rush County Schools
>>>>>>>>> 765-932-3901 x1171
>>>>>>>>> iversons at rushville.k12.in.us
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Shawn Iverson, CETL
>>>>>>>> Director of Technology
>>>>>>>> Rush County Schools
>>>>>>>> 765-932-3901 x1171
>>>>>>>> iversons at rushville.k12.in.us
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Shawn Iverson, CETL
>>>>>>> Director of Technology
>>>>>>> Rush County Schools
>>>>>>> 765-932-3901 x1171
>>>>>>> iversons at rushville.k12.in.us
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Shawn Iverson, CETL
>>>>>> Director of Technology
>>>>>> Rush County Schools
>>>>>> 765-932-3901 x1171
>>>>>> iversons at rushville.k12.in.us
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Shawn Iverson, CETL
>>>>> Director of Technology
>>>>> Rush County Schools
>>>>> 765-932-3901 x1171
>>>>> iversons at rushville.k12.in.us
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Shawn Iverson, CETL
>>>> Director of Technology
>>>> Rush County Schools
>>>> 765-932-3901 x1171
>>>> iversons at rushville.k12.in.us
>>>>
>>>>
>>>>
>>>
>>> --
>>> Shawn Iverson, CETL
>>> Director of Technology
>>> Rush County Schools
>>> 765-932-3901 x1171
>>> iversons at rushville.k12.in.us
>>>
>>>
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x1171
>> iversons at rushville.k12.in.us
>>
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 x1171
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180824/4497a036/attachment.html>

From djones at ena.com  Sat Aug 25 13:20:45 2018
From: djones at ena.com (David Jones)
Date: Sat, 25 Aug 2018 08:20:45 -0500
Subject: Mailscanner milter to reject high score spam at MTA level
In-Reply-To: <CABu_8z+OWZ5j5E8qd69Xembw6XEX+PjoB4N3S0pmFBVBQWBVsw@mail.gmail.com>
References: <2025b748bdc246c5f880b03b527f84c4@schroeffu.ch>
 <00f32287-42b9-90c8-9293-6eb492480b8a@ena.com>
 <CABu_8zKtdTWSyFQ6iLBkK-Wg7TVQ7Szw13EXhx7BzrG6RuZ0Zg@mail.gmail.com>
 <793fcdc6-e7eb-5d4f-e767-335f90c397cf@ena.com>
 <CABu_8zLyd+NhG38SGCMPtJEHdxwnZbGEZE5xzSgpMtr+9sH1mQ@mail.gmail.com>
 <CABu_8zJt7gBO0zyx15hLMV1Tuq4pia6XhsPFgQ_dLCKH7qX5dg@mail.gmail.com>
 <CABu_8zLWpk=SRxHK_g+O+5uYBsYCxeay4dyV-88MVPLC9wQ+5A@mail.gmail.com>
 <CABu_8zLdNnFqmvUesCGqObmeb7gS+ZDyyirC-Fzra80H02EFHw@mail.gmail.com>
 <CABu_8zJQ4ZioeuKfHJzfdDVSfJuj1zF2N7YZT7sHsb=r3mmJFw@mail.gmail.com>
 <CABu_8zLdP0tROOL4Vc8WbJzjyVDCKZhJtuP-ZNd8RTYQqWGh3A@mail.gmail.com>
 <CABu_8z+rc6iQ2FJytkfWuebBAQRK8=sXqzpFSnZP=LQky=0UFQ@mail.gmail.com>
 <CABu_8zKDNp-4LiPK3YmH9oAPGqBE2D8iL-EcqpK0fQBtp9DtSg@mail.gmail.com>
 <CABu_8zLv_X3QkK=Jmrso4WksEaBS3kh8qXsbEOFkVkG7UT39=g@mail.gmail.com>
 <CABu_8zJrF5Eof3sFKvgNbduo6FdXt+K-Dd_C-FNoDKN4r-sKYw@mail.gmail.com>
 <CABu_8z+OWZ5j5E8qd69Xembw6XEX+PjoB4N3S0pmFBVBQWBVsw@mail.gmail.com>
Message-ID: <2574b09c-4df1-4c63-6d17-4bbb28230122@ena.com>

On 08/24/2018 09:56 PM, Shawn Iverson wrote:
> New milestone...version 0.9
> 
> Milter now supports REJECT of blacklisted emails and IP addresses with a 
> message of "554 5.7.1 Message Blacklisted" when the new Milter Scanner 
> mode is activated.
> 
> https://github.com/shawniverson/v5/commit/a6e22ebe51357e0d92bae534092074eee7162f24
> 
> This just made sense to do, since blacklist checking is very fast and 
> can happen while the milter is active.
> 

Excellent work on this Shawn.  That REJECT logic makes a lot of sense.

I don't use the MailScanner white/black lists since they are vulnerable 
to spoofing.  I use the SA whitelist_auth, whitelist_spf, 
whitelist_dkim, and whitelist_from_rcvd (when no SPF) entries since they 
can limit the exposure to spoofing.

I don't know how you do this with all of the "back to school" work at 
your day job.  You must really have things under control and well 
managed at your school district or you only sleep about 2 hours a night.  :)

-- 
David Jones

From mailinglists at feedmebits.nl  Thu Aug 23 21:11:51 2018
From: mailinglists at feedmebits.nl (Maarten)
Date: Thu, 23 Aug 2018 23:11:51 +0200
Subject: handling spam
Message-ID: <782f8c5a-1761-f706-3704-163dbfaa5b1e@feedmebits.nl>

I don't know much about dealing with spam, what's the best way to deal with spam messages like these coming through?
Make custom spamassassin rules or some other way?

Return-Path: <owresyb at zimerton.biz.ua>
X-Original-To: mailinglists at feedmebits.nl
X-Spam-Status: No
X-FMB-MailScanner-From: owresyb at zimerton.biz.ua
X-FMB-MailScanner-SpamScore: s
X-FMB-MailScanner: Found to be clean
X-FMB-MailScanner-ID: D21F4308D3.A0A81
X-FMB-MailScanner-Information: Please contact hostmaster at feedmebits.nl for more information
X-Greylist: delayed 4233 seconds by postgrey-1.34 at supernova; Thu, 23 Aug 2018 01:54:33 CEST
DKIM-Filter: OpenDKIM Filter v2.11.0 a.mx.feedmebits.nl D21F4308D3
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=89.163.142.60; helo=mail.zimerton.biz.ua; envelope-from=owresyb at zimerton.biz.ua; receiver=mailinglists at feedmebits.nl
Received: from mail.zimerton.biz.ua (mail.zimerton.biz.ua [89.163.142.60])
	by a.mx.feedmebits.nl (Postfix) with ESMTP id D21F4308D3
	for <mailinglists at feedmebits.nl>; Thu, 23 Aug 2018 01:54:33 +0200 (CEST)
Received: from zimerton.biz.ua (unknown [188.127.251.138])
	by mail.zimerton.biz.ua (Postfix) with ESMTPA id DFE7C71005C;
	Wed, 22 Aug 2018 23:20:22 +0300 (EEST)
Message-ID: <owresyb45741880.41288061 at mail.zimerton.biz.ua>
Reply-To: "BTC Investor" <owresyb at zimerton.biz.ua>
From: "BTC Investor" <owresyb at zimerton.biz.ua>
To: <mailinglists at feedmebits.nl>
Subject: Invest in a brighter future today
Date: Wed, 22 Aug 2018 23:20:31 +0300

What are good starting points to start reading up on when it comes
to dealing and handling spam and what would be a good place to start
reading?  https://wiki.apache.org/spamassassin or other recommendations?

Regards,

Maarten




From iversons at rushville.k12.in.us  Mon Aug 27 02:07:04 2018
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Sun, 26 Aug 2018 22:07:04 -0400
Subject: handling spam
In-Reply-To: <782f8c5a-1761-f706-3704-163dbfaa5b1e@feedmebits.nl>
References: <782f8c5a-1761-f706-3704-163dbfaa5b1e@feedmebits.nl>
Message-ID: <CABu_8zK_ogkefKwvWf8h0nNq+b=thYJqNMkx635w31xzZqR9AQ@mail.gmail.com>

Maarten,

RBLs are your friend...

http://multirbl.valli.org/lookup/89.163.142.60.html
reveals that it is blacklisted on several RBLs

So you could leverage one or more of these RBLs, either in postfix or SA,
to filter out this email.  Be sure to check the RBL for its terms and
conditions, since some of them have limits and/or are paid services.


On Sun, Aug 26, 2018 at 9:11 PM Maarten <mailinglists at feedmebits.nl> wrote:

> I don't know much about dealing with spam, what's the best way to deal
> with spam messages like these coming through?
> Make custom spamassassin rules or some other way?
>
> Return-Path: <owresyb at zimerton.biz.ua>
> X-Original-To: mailinglists at feedmebits.nl
> X-Spam-Status: No
> X-FMB-MailScanner-From: owresyb at zimerton.biz.ua
> X-FMB-MailScanner-SpamScore: s
> X-FMB-MailScanner: Found to be clean
> X-FMB-MailScanner-ID: D21F4308D3.A0A81
> X-FMB-MailScanner-Information: Please contact hostmaster at feedmebits.nl
> for more information
> X-Greylist: delayed 4233 seconds by postgrey-1.34 at supernova; Thu, 23
> Aug 2018 01:54:33 CEST
> DKIM-Filter: OpenDKIM Filter v2.11.0 a.mx.feedmebits.nl D21F4308D3
> Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
> client-ip=89.163.142.60; helo=mail.zimerton.biz.ua; envelope-from=
> owresyb at zimerton.biz.ua; receiver=mailinglists at feedmebits.nl
> Received: from mail.zimerton.biz.ua (mail.zimerton.biz.ua [89.163.142.60])
>         by a.mx.feedmebits.nl (Postfix) with ESMTP id D21F4308D3
>         for <mailinglists at feedmebits.nl>; Thu, 23 Aug 2018 01:54:33 +0200
> (CEST)
> Received: from zimerton.biz.ua (unknown [188.127.251.138])
>         by mail.zimerton.biz.ua (Postfix) with ESMTPA id DFE7C71005C;
>         Wed, 22 Aug 2018 23:20:22 +0300 (EEST)
> Message-ID: <owresyb45741880.41288061 at mail.zimerton.biz.ua>
> Reply-To: "BTC Investor" <owresyb at zimerton.biz.ua>
> From: "BTC Investor" <owresyb at zimerton.biz.ua>
> To: <mailinglists at feedmebits.nl>
> Subject: Invest in a brighter future today
> Date: Wed, 22 Aug 2018 23:20:31 +0300
>
> What are good starting points to start reading up on when it comes
> to dealing and handling spam and what would be a good place to start
> reading?  https://wiki.apache.org/spamassassin or other recommendations?
>
> Regards,
>
> Maarten
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 x1171
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180826/0e82aaa1/attachment.html>

From Denis.Beauchemin at usherbrooke.ca  Mon Aug 27 13:30:08 2018
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Mon, 27 Aug 2018 13:30:08 +0000
Subject: What is causing this delay?
Message-ID: <YQBPR0101MB2084CD53B57093D67C3A3F0EFD0B0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>

Hello all,

After many years away from MailScanner I installed new MS servers a couple of weeks ago. I?m happy to see that MS has continued to thrive!

Now my problem: my 2 new servers are running into some timeout during messages scan as can be seen here:
[root at smtpi3 conf.d]# MailScanner --lint 2>&1 | while true; do read l; echo "$(date +%T): $l";done
08:01:56: Trying to setlogsock(unix)
08:01:56:
08:01:56: Reading configuration file /etc/MailScanner/MailScanner.conf
08:01:56: Reading configuration file /etc/MailScanner/conf.d/README
08:01:56: Reading configuration file /etc/MailScanner/conf.d/UdeS.conf
08:01:56: Read 1500 hostnames from the phishing whitelist
08:01:56: Read 17028 hostnames from the phishing blacklists
08:01:56:
08:01:56: Checking version numbers...
08:01:56: Version number in MailScanner.conf (5.0.7) is correct.
08:01:56:
08:01:56: Your envelope_sender_header in spamassassin.conf is correct.
08:01:56:
08:01:56: Checking for SpamAssassin errors (if you use it)...
08:01:56: Using SpamAssassin results cache
08:01:56: Connected to SpamAssassin cache database
08:02:14: SpamAssassin reported no errors.
08:02:14: Connected to Processing Attempts Database
08:02:14: Created Processing Attempts Database successfully
08:02:14: There is 1 message in the Processing Attempts Database
08:02:14: Using locktype = posix
08:02:14: MailScanner.conf says "Virus Scanners = clamd"
08:02:14: Found these virus scanners installed: clamd
08:02:14: ===========================================================================
08:02:14: Filename Checks: Windows/DOS Executable (1 eicar.com)
08:02:14: Other Checks: Found 1 problems
08:02:14: Virus and Content Scanning: Starting
08:02:14: Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
08:02:14: Virus Scanning: Clamd found 1 infections
08:02:14: Infected message 1 came from 10.1.1.1
08:02:14: Virus Scanning: Found 1 viruses
08:02:14: ===========================================================================
08:02:14: Virus Scanner test reports:
08:02:14: Clamd said "eicar.com was infected: Eicar-Test-Signature"
08:02:14:
08:02:14: If any of your virus scanners (clamd)
08:02:14: are not listed there, you should check that they are installed correctly
08:02:14: and that MailScanner is finding them correctly via its virus.scanners.conf.

If you look at the timestamps between "Connected to SpamAssassin cache database" and "SpamAssassin reported no errors", you'll see a 18 seconds delay, which seems excessive. I've redone this many times and it never goes lower than 10 seconds.

If I do a "MailScanner --debug-sa" I get the following delays:
In Debugging mode, not forking...
Trying to setlogsock(unix)
08:18:36 Aug 24 08:18:36.710 [10096] dbg: logger: adding facilities: all ...
08:18:37 Aug 24 08:18:37.643 [10096] dbg: rules: run_eval_tests - compiling eval code: 13, priority 0
08:18:37 Aug 24 08:18:37.644 [10096] dbg: dns: entering helper-app run mode
08:18:42 Aug 24 08:18:42.645 [10096] dbg: dns: leaving helper-app run mode ...
08:18:42 Building a message batch to scan...
08:19:36 Have a batch of 1 message.
08:19:36 Stopping now as you are debugging me.

I tried to look at the dns settings but couldn't figure out what might be off. I am not running a caching nameserver. My old MS servers are not either and do not show this delay.

Thanks for you help.

I'm running this version:
[root at smtpi3 conf.d]# MailScanner -v
Running on
Linux smtpi3.usherbrooke.ca 3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux This is Red Hat Enterprise Linux Server release 7.5 (Maipo) This is Perl version 5.016003 (5.16.3)

This is MailScanner version 5.0.7
Module versions are:
1.01    AnyDBM_File
1.30    Archive::Zip
0.29    bignum
1.26    Carp
2.061   Compress::Zlib
1.119   Convert::BinHex
0.18    Convert::TNEF
2.145   Data::Dumper
2.30    Date::Parse
1.04    DirHandle
1.11    Fcntl
2.84    File::Basename
2.23    File::Copy
2.02    FileHandle
2.09    File::Path
0.2301  File::Temp
0.92    Filesys::Df
3.69    HTML::Entities
3.71    HTML::Parser
3.69    HTML::TokeParser
1.16    IO::File
1.15    IO::Pipe
2.12    Mail::Header
1.998   Math::BigInt
0.2603  Math::BigRat
3.13    MIME::Base64
5.509   MIME::Decoder
5.509   MIME::Decoder::UU
5.509   MIME::Head
5.509   MIME::Parser
3.13    MIME::QuotedPrint
5.509   MIME::Tools
0.18    Net::CIDR
1.26    Net::IP
0.19    OLE::Storage_Lite
1.04    Pod::Escapes
3.28    Pod::Simple
1.30    POSIX
1.27    Scalar::Util
2.010   Socket
2.45    Storable
1.5     Sys::Hostname::Long
0.33    Sys::Syslog
1.48    Test::Pod
1.302140        Test::Simple
1.9725  Time::HiRes
1.02    Time::localtime

Optional module versions are:
1.92    Archive::Tar
0.29    bignum
2.06    Business::ISBN
20120719.001    Business::ISBN::Data
1.22    Data::Dump
1.83    DB_File
1.39    DBD::SQLite
1.627   DBI
1.17    Digest
1.03    Digest::HMAC
2.52    Digest::MD5
2.13    Digest::SHA1
1.01    Encode::Detect
0.17020 Error
0.280206        ExtUtils::CBuilder
3.18    ExtUtils::ParseXS
2.4     Getopt::Long
0.53    Inline
1.08    IO::String
1.10    IO::Zlib
2.28    IP::Country
missing Mail::ClamAV
3.004000        Mail::SpamAssassin
v2.008  Mail::SPF
1.999001        Mail::SPF::Query
0.4005  Module::Build
0.21    Net::CIDR::Lite
0.72    Net::DNS
v0.003  Net::DNS::Resolver::Programmable
0.56    Net::LDAP
 4.069  NetAddr::IP
1.967009        Parse::RecDescent
missing SAVI
3.28    Test::Harness
1.23    Test::Manifest
2.02    Text::Balanced
1.60    URI
0.9907  version
0.84    YAML

Denis

From jerry.benton at mailborder.com  Tue Aug 28 03:26:49 2018
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Mon, 27 Aug 2018 23:26:49 -0400
Subject: What is causing this delay?
In-Reply-To: <YQBPR0101MB2084CD53B57093D67C3A3F0EFD0B0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>
References: <YQBPR0101MB2084CD53B57093D67C3A3F0EFD0B0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>
Message-ID: <017b01d43e7e$f5708360$e0518a20$@mailborder.com>

Setup a caching DNS server on the same box and you should see those numbers drop from 10 seconds to about 2 seconds or less. Just finished testing this in the lab. 


--
Jerry Benton
www.mailborder.com
+1   (843) 800-8605
+44 (020) 3883-8605


-----Original Message-----
From: MailScanner <mailscanner-bounces+jerry.benton=mailborder.com at lists.mailscanner.info> On Behalf Of Denis Beauchemin
Sent: Monday, August 27, 2018 09:30
To: mailscanner at lists.mailscanner.info
Subject: What is causing this delay?

Hello all,

After many years away from MailScanner I installed new MS servers a couple of weeks ago. I?m happy to see that MS has continued to thrive!

Now my problem: my 2 new servers are running into some timeout during messages scan as can be seen here:
[root at smtpi3 conf.d]# MailScanner --lint 2>&1 | while true; do read l; echo "$(date +%T): $l";done
08:01:56: Trying to setlogsock(unix)
08:01:56:
08:01:56: Reading configuration file /etc/MailScanner/MailScanner.conf
08:01:56: Reading configuration file /etc/MailScanner/conf.d/README
08:01:56: Reading configuration file /etc/MailScanner/conf.d/UdeS.conf
08:01:56: Read 1500 hostnames from the phishing whitelist
08:01:56: Read 17028 hostnames from the phishing blacklists
08:01:56:
08:01:56: Checking version numbers...
08:01:56: Version number in MailScanner.conf (5.0.7) is correct.
08:01:56:
08:01:56: Your envelope_sender_header in spamassassin.conf is correct.
08:01:56:
08:01:56: Checking for SpamAssassin errors (if you use it)...
08:01:56: Using SpamAssassin results cache
08:01:56: Connected to SpamAssassin cache database
08:02:14: SpamAssassin reported no errors.
08:02:14: Connected to Processing Attempts Database
08:02:14: Created Processing Attempts Database successfully
08:02:14: There is 1 message in the Processing Attempts Database
08:02:14: Using locktype = posix
08:02:14: MailScanner.conf says "Virus Scanners = clamd"
08:02:14: Found these virus scanners installed: clamd
08:02:14: ===========================================================================
08:02:14: Filename Checks: Windows/DOS Executable (1 eicar.com)
08:02:14: Other Checks: Found 1 problems
08:02:14: Virus and Content Scanning: Starting
08:02:14: Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
08:02:14: Virus Scanning: Clamd found 1 infections
08:02:14: Infected message 1 came from 10.1.1.1
08:02:14: Virus Scanning: Found 1 viruses
08:02:14: ===========================================================================
08:02:14: Virus Scanner test reports:
08:02:14: Clamd said "eicar.com was infected: Eicar-Test-Signature"
08:02:14:
08:02:14: If any of your virus scanners (clamd)
08:02:14: are not listed there, you should check that they are installed correctly
08:02:14: and that MailScanner is finding them correctly via its virus.scanners.conf.

If you look at the timestamps between "Connected to SpamAssassin cache database" and "SpamAssassin reported no errors", you'll see a 18 seconds delay, which seems excessive. I've redone this many times and it never goes lower than 10 seconds.

If I do a "MailScanner --debug-sa" I get the following delays:
In Debugging mode, not forking...
Trying to setlogsock(unix)
08:18:36 Aug 24 08:18:36.710 [10096] dbg: logger: adding facilities: all ...
08:18:37 Aug 24 08:18:37.643 [10096] dbg: rules: run_eval_tests - compiling eval code: 13, priority 0
08:18:37 Aug 24 08:18:37.644 [10096] dbg: dns: entering helper-app run mode
08:18:42 Aug 24 08:18:42.645 [10096] dbg: dns: leaving helper-app run mode ...
08:18:42 Building a message batch to scan...
08:19:36 Have a batch of 1 message.
08:19:36 Stopping now as you are debugging me.

I tried to look at the dns settings but couldn't figure out what might be off. I am not running a caching nameserver. My old MS servers are not either and do not show this delay.

Thanks for you help.

I'm running this version:
[root at smtpi3 conf.d]# MailScanner -v
Running on
Linux smtpi3.usherbrooke.ca 3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux This is Red Hat Enterprise Linux Server release 7.5 (Maipo) This is Perl version 5.016003 (5.16.3)

This is MailScanner version 5.0.7
Module versions are:
1.01    AnyDBM_File
1.30    Archive::Zip
0.29    bignum
1.26    Carp
2.061   Compress::Zlib
1.119   Convert::BinHex
0.18    Convert::TNEF
2.145   Data::Dumper
2.30    Date::Parse
1.04    DirHandle
1.11    Fcntl
2.84    File::Basename
2.23    File::Copy
2.02    FileHandle
2.09    File::Path
0.2301  File::Temp
0.92    Filesys::Df
3.69    HTML::Entities
3.71    HTML::Parser
3.69    HTML::TokeParser
1.16    IO::File
1.15    IO::Pipe
2.12    Mail::Header
1.998   Math::BigInt
0.2603  Math::BigRat
3.13    MIME::Base64
5.509   MIME::Decoder
5.509   MIME::Decoder::UU
5.509   MIME::Head
5.509   MIME::Parser
3.13    MIME::QuotedPrint
5.509   MIME::Tools
0.18    Net::CIDR
1.26    Net::IP
0.19    OLE::Storage_Lite
1.04    Pod::Escapes
3.28    Pod::Simple
1.30    POSIX
1.27    Scalar::Util
2.010   Socket
2.45    Storable
1.5     Sys::Hostname::Long
0.33    Sys::Syslog
1.48    Test::Pod
1.302140        Test::Simple
1.9725  Time::HiRes
1.02    Time::localtime

Optional module versions are:
1.92    Archive::Tar
0.29    bignum
2.06    Business::ISBN
20120719.001    Business::ISBN::Data
1.22    Data::Dump
1.83    DB_File
1.39    DBD::SQLite
1.627   DBI
1.17    Digest
1.03    Digest::HMAC
2.52    Digest::MD5
2.13    Digest::SHA1
1.01    Encode::Detect
0.17020 Error
0.280206        ExtUtils::CBuilder
3.18    ExtUtils::ParseXS
2.4     Getopt::Long
0.53    Inline
1.08    IO::String
1.10    IO::Zlib
2.28    IP::Country
missing Mail::ClamAV
3.004000        Mail::SpamAssassin
v2.008  Mail::SPF
1.999001        Mail::SPF::Query
0.4005  Module::Build
0.21    Net::CIDR::Lite
0.72    Net::DNS
v0.003  Net::DNS::Resolver::Programmable
0.56    Net::LDAP
 4.069  NetAddr::IP
1.967009        Parse::RecDescent
missing SAVI
3.28    Test::Harness
1.23    Test::Manifest
2.02    Text::Balanced
1.60    URI
0.9907  version
0.84    YAML

Denis


-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5530 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180827/eeab5b1e/attachment.bin>

From Denis.Beauchemin at usherbrooke.ca  Tue Aug 28 12:39:33 2018
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Tue, 28 Aug 2018 12:39:33 +0000
Subject: What is causing this delay?
In-Reply-To: <017b01d43e7e$f5708360$e0518a20$@mailborder.com>
References: <YQBPR0101MB2084CD53B57093D67C3A3F0EFD0B0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>
 <017b01d43e7e$f5708360$e0518a20$@mailborder.com>
Message-ID: <YQBPR0101MB2084CA2727D81CDDE453BE01FD0A0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>

Hello Jerry,

Installed one but it didn't do any good:
08:35:02: Checking for SpamAssassin errors (if you use it)...
08:35:02: Using SpamAssassin results cache
08:35:02: Connected to SpamAssassin cache database
08:35:12: SpamAssassin reported no errors.
08:35:12: Connected to Processing Attempts Database

dig www.apache.org returns:
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 28 08:36:12 EDT 2018
;; MSG SIZE  rcvd: 376

Any other suggestions??

Denis

-----Message d'origine-----
De?: MailScanner <mailscanner-bounces+denis.beauchemin=usherbrooke.ca at lists.mailscanner.info> De la part de Jerry Benton
Envoy??: 27 ao?t 2018 23:27
??: 'MailScanner Discussion' <mailscanner at lists.mailscanner.info>
Objet?: RE: What is causing this delay?

Setup a caching DNS server on the same box and you should see those numbers drop from 10 seconds to about 2 seconds or less. Just finished testing this in the lab. 


--
Jerry Benton
www.mailborder.com
+1   (843) 800-8605
+44 (020) 3883-8605


-----Original Message-----
From: MailScanner <mailscanner-bounces+jerry.benton=mailborder.com at lists.mailscanner.info> On Behalf Of Denis Beauchemin
Sent: Monday, August 27, 2018 09:30
To: mailscanner at lists.mailscanner.info
Subject: What is causing this delay?

Hello all,

After many years away from MailScanner I installed new MS servers a couple of weeks ago. I?m happy to see that MS has continued to thrive!

Now my problem: my 2 new servers are running into some timeout during messages scan as can be seen here:
[root at smtpi3 conf.d]# MailScanner --lint 2>&1 | while true; do read l; echo "$(date +%T): $l";done
08:01:56: Trying to setlogsock(unix)
08:01:56:
08:01:56: Reading configuration file /etc/MailScanner/MailScanner.conf
08:01:56: Reading configuration file /etc/MailScanner/conf.d/README
08:01:56: Reading configuration file /etc/MailScanner/conf.d/UdeS.conf
08:01:56: Read 1500 hostnames from the phishing whitelist
08:01:56: Read 17028 hostnames from the phishing blacklists
08:01:56:
08:01:56: Checking version numbers...
08:01:56: Version number in MailScanner.conf (5.0.7) is correct.
08:01:56:
08:01:56: Your envelope_sender_header in spamassassin.conf is correct.
08:01:56:
08:01:56: Checking for SpamAssassin errors (if you use it)...
08:01:56: Using SpamAssassin results cache
08:01:56: Connected to SpamAssassin cache database
08:02:14: SpamAssassin reported no errors.
08:02:14: Connected to Processing Attempts Database
08:02:14: Created Processing Attempts Database successfully
08:02:14: There is 1 message in the Processing Attempts Database
08:02:14: Using locktype = posix
08:02:14: MailScanner.conf says "Virus Scanners = clamd"
08:02:14: Found these virus scanners installed: clamd
08:02:14: ===========================================================================
08:02:14: Filename Checks: Windows/DOS Executable (1 eicar.com)
08:02:14: Other Checks: Found 1 problems
08:02:14: Virus and Content Scanning: Starting
08:02:14: Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
08:02:14: Virus Scanning: Clamd found 1 infections
08:02:14: Infected message 1 came from 10.1.1.1
08:02:14: Virus Scanning: Found 1 viruses
08:02:14: ===========================================================================
08:02:14: Virus Scanner test reports:
08:02:14: Clamd said "eicar.com was infected: Eicar-Test-Signature"
08:02:14:
08:02:14: If any of your virus scanners (clamd)
08:02:14: are not listed there, you should check that they are installed correctly
08:02:14: and that MailScanner is finding them correctly via its virus.scanners.conf.

If you look at the timestamps between "Connected to SpamAssassin cache database" and "SpamAssassin reported no errors", you'll see a 18 seconds delay, which seems excessive. I've redone this many times and it never goes lower than 10 seconds.

If I do a "MailScanner --debug-sa" I get the following delays:
In Debugging mode, not forking...
Trying to setlogsock(unix)
08:18:36 Aug 24 08:18:36.710 [10096] dbg: logger: adding facilities: all ...
08:18:37 Aug 24 08:18:37.643 [10096] dbg: rules: run_eval_tests - compiling eval code: 13, priority 0
08:18:37 Aug 24 08:18:37.644 [10096] dbg: dns: entering helper-app run mode
08:18:42 Aug 24 08:18:42.645 [10096] dbg: dns: leaving helper-app run mode ...
08:18:42 Building a message batch to scan...
08:19:36 Have a batch of 1 message.
08:19:36 Stopping now as you are debugging me.

I tried to look at the dns settings but couldn't figure out what might be off. I am not running a caching nameserver. My old MS servers are not either and do not show this delay.

Thanks for you help.

I'm running this version:
[root at smtpi3 conf.d]# MailScanner -v
Running on
Linux smtpi3.usherbrooke.ca 3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux This is Red Hat Enterprise Linux Server release 7.5 (Maipo) This is Perl version 5.016003 (5.16.3)

This is MailScanner version 5.0.7
Module versions are:
1.01    AnyDBM_File
1.30    Archive::Zip
0.29    bignum
1.26    Carp
2.061   Compress::Zlib
1.119   Convert::BinHex
0.18    Convert::TNEF
2.145   Data::Dumper
2.30    Date::Parse
1.04    DirHandle
1.11    Fcntl
2.84    File::Basename
2.23    File::Copy
2.02    FileHandle
2.09    File::Path
0.2301  File::Temp
0.92    Filesys::Df
3.69    HTML::Entities
3.71    HTML::Parser
3.69    HTML::TokeParser
1.16    IO::File
1.15    IO::Pipe
2.12    Mail::Header
1.998   Math::BigInt
0.2603  Math::BigRat
3.13    MIME::Base64
5.509   MIME::Decoder
5.509   MIME::Decoder::UU
5.509   MIME::Head
5.509   MIME::Parser
3.13    MIME::QuotedPrint
5.509   MIME::Tools
0.18    Net::CIDR
1.26    Net::IP
0.19    OLE::Storage_Lite
1.04    Pod::Escapes
3.28    Pod::Simple
1.30    POSIX
1.27    Scalar::Util
2.010   Socket
2.45    Storable
1.5     Sys::Hostname::Long
0.33    Sys::Syslog
1.48    Test::Pod
1.302140        Test::Simple
1.9725  Time::HiRes
1.02    Time::localtime

Optional module versions are:
1.92    Archive::Tar
0.29    bignum
2.06    Business::ISBN
20120719.001    Business::ISBN::Data
1.22    Data::Dump
1.83    DB_File
1.39    DBD::SQLite
1.627   DBI
1.17    Digest
1.03    Digest::HMAC
2.52    Digest::MD5
2.13    Digest::SHA1
1.01    Encode::Detect
0.17020 Error
0.280206        ExtUtils::CBuilder
3.18    ExtUtils::ParseXS
2.4     Getopt::Long
0.53    Inline
1.08    IO::String
1.10    IO::Zlib
2.28    IP::Country
missing Mail::ClamAV
3.004000        Mail::SpamAssassin
v2.008  Mail::SPF
1.999001        Mail::SPF::Query
0.4005  Module::Build
0.21    Net::CIDR::Lite
0.72    Net::DNS
v0.003  Net::DNS::Resolver::Programmable
0.56    Net::LDAP
 4.069  NetAddr::IP
1.967009        Parse::RecDescent
missing SAVI
3.28    Test::Harness
1.23    Test::Manifest
2.02    Text::Balanced
1.60    URI
0.9907  version
0.84    YAML

Denis


-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner


From djones at ena.com  Tue Aug 28 12:44:16 2018
From: djones at ena.com (David Jones)
Date: Tue, 28 Aug 2018 12:44:16 +0000
Subject: What is causing this delay?
In-Reply-To: <YQBPR0101MB2084CA2727D81CDDE453BE01FD0A0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>
References: <YQBPR0101MB2084CD53B57093D67C3A3F0EFD0B0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>
 <017b01d43e7e$f5708360$e0518a20$@mailborder.com>,
 <YQBPR0101MB2084CA2727D81CDDE453BE01FD0A0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>
Message-ID: <SN6PR02MB39361D3372A1DF79E044E078C60A0@SN6PR02MB3936.namprd02.prod.outlook.com>

Try finding any errors/delays in the output of:


spamassassin -D --lint 2>&1 > debug.log

________________________________
From: MailScanner <mailscanner-bounces+djones=ena.com at lists.mailscanner.info> on behalf of Denis Beauchemin <Denis.Beauchemin at usherbrooke.ca>
Sent: Tuesday, August 28, 2018 7:39 AM
To: MailScanner Discussion
Subject: RE: What is causing this delay?

Hello Jerry,

Installed one but it didn't do any good:
08:35:02: Checking for SpamAssassin errors (if you use it)...
08:35:02: Using SpamAssassin results cache
08:35:02: Connected to SpamAssassin cache database
08:35:12: SpamAssassin reported no errors.
08:35:12: Connected to Processing Attempts Database

dig www.apache.org<http://www.apache.org> returns:
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 28 08:36:12 EDT 2018
;; MSG SIZE  rcvd: 376

Any other suggestions ?

Denis

-----Message d'origine-----
De : MailScanner <mailscanner-bounces+denis.beauchemin=usherbrooke.ca at lists.mailscanner.info> De la part de Jerry Benton
Envoy? : 27 ao?t 2018 23:27
? : 'MailScanner Discussion' <mailscanner at lists.mailscanner.info>
Objet : RE: What is causing this delay?

Setup a caching DNS server on the same box and you should see those numbers drop from 10 seconds to about 2 seconds or less. Just finished testing this in the lab.


--
Jerry Benton
www.mailborder.com<http://www.mailborder.com>
+1   (843) 800-8605
+44 (020) 3883-8605


-----Original Message-----
From: MailScanner <mailscanner-bounces+jerry.benton=mailborder.com at lists.mailscanner.info> On Behalf Of Denis Beauchemin
Sent: Monday, August 27, 2018 09:30
To: mailscanner at lists.mailscanner.info
Subject: What is causing this delay?

Hello all,

After many years away from MailScanner I installed new MS servers a couple of weeks ago. I?m happy to see that MS has continued to thrive!

Now my problem: my 2 new servers are running into some timeout during messages scan as can be seen here:
[root at smtpi3 conf.d]# MailScanner --lint 2>&1 | while true; do read l; echo "$(date +%T): $l";done
08:01:56: Trying to setlogsock(unix)
08:01:56:
08:01:56: Reading configuration file /etc/MailScanner/MailScanner.conf
08:01:56: Reading configuration file /etc/MailScanner/conf.d/README
08:01:56: Reading configuration file /etc/MailScanner/conf.d/UdeS.conf
08:01:56: Read 1500 hostnames from the phishing whitelist
08:01:56: Read 17028 hostnames from the phishing blacklists
08:01:56:
08:01:56: Checking version numbers...
08:01:56: Version number in MailScanner.conf (5.0.7) is correct.
08:01:56:
08:01:56: Your envelope_sender_header in spamassassin.conf is correct.
08:01:56:
08:01:56: Checking for SpamAssassin errors (if you use it)...
08:01:56: Using SpamAssassin results cache
08:01:56: Connected to SpamAssassin cache database
08:02:14: SpamAssassin reported no errors.
08:02:14: Connected to Processing Attempts Database
08:02:14: Created Processing Attempts Database successfully
08:02:14: There is 1 message in the Processing Attempts Database
08:02:14: Using locktype = posix
08:02:14: MailScanner.conf says "Virus Scanners = clamd"
08:02:14: Found these virus scanners installed: clamd
08:02:14: ===========================================================================
08:02:14: Filename Checks: Windows/DOS Executable (1 eicar.com)
08:02:14: Other Checks: Found 1 problems
08:02:14: Virus and Content Scanning: Starting
08:02:14: Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
08:02:14: Virus Scanning: Clamd found 1 infections
08:02:14: Infected message 1 came from 10.1.1.1
08:02:14: Virus Scanning: Found 1 viruses
08:02:14: ===========================================================================
08:02:14: Virus Scanner test reports:
08:02:14: Clamd said "eicar.com was infected: Eicar-Test-Signature"
08:02:14:
08:02:14: If any of your virus scanners (clamd)
08:02:14: are not listed there, you should check that they are installed correctly
08:02:14: and that MailScanner is finding them correctly via its virus.scanners.conf.

If you look at the timestamps between "Connected to SpamAssassin cache database" and "SpamAssassin reported no errors", you'll see a 18 seconds delay, which seems excessive. I've redone this many times and it never goes lower than 10 seconds.

If I do a "MailScanner --debug-sa" I get the following delays:
In Debugging mode, not forking...
Trying to setlogsock(unix)
08:18:36 Aug 24 08:18:36.710 [10096] dbg: logger: adding facilities: all ...
08:18:37 Aug 24 08:18:37.643 [10096] dbg: rules: run_eval_tests - compiling eval code: 13, priority 0
08:18:37 Aug 24 08:18:37.644 [10096] dbg: dns: entering helper-app run mode
08:18:42 Aug 24 08:18:42.645 [10096] dbg: dns: leaving helper-app run mode ...
08:18:42 Building a message batch to scan...
08:19:36 Have a batch of 1 message.
08:19:36 Stopping now as you are debugging me.

I tried to look at the dns settings but couldn't figure out what might be off. I am not running a caching nameserver. My old MS servers are not either and do not show this delay.

Thanks for you help.

I'm running this version:
[root at smtpi3 conf.d]# MailScanner -v
Running on
Linux smtpi3.usherbrooke.ca 3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux This is Red Hat Enterprise Linux Server release 7.5 (Maipo) This is Perl version 5.016003 (5.16.3)

This is MailScanner version 5.0.7
Module versions are:
1.01    AnyDBM_File
1.30    Archive::Zip
0.29    bignum
1.26    Carp
2.061   Compress::Zlib
1.119   Convert::BinHex
0.18    Convert::TNEF
2.145   Data::Dumper
2.30    Date::Parse
1.04    DirHandle
1.11    Fcntl
2.84    File::Basename
2.23    File::Copy
2.02    FileHandle
2.09    File::Path
0.2301  File::Temp
0.92    Filesys::Df
3.69    HTML::Entities
3.71    HTML::Parser
3.69    HTML::TokeParser
1.16    IO::File
1.15    IO::Pipe
2.12    Mail::Header
1.998   Math::BigInt
0.2603  Math::BigRat
3.13    MIME::Base64
5.509   MIME::Decoder
5.509   MIME::Decoder::UU
5.509   MIME::Head
5.509   MIME::Parser
3.13    MIME::QuotedPrint
5.509   MIME::Tools
0.18    Net::CIDR
1.26    Net::IP
0.19    OLE::Storage_Lite
1.04    Pod::Escapes
3.28    Pod::Simple
1.30    POSIX
1.27    Scalar::Util
2.010   Socket
2.45    Storable
1.5     Sys::Hostname::Long
0.33    Sys::Syslog
1.48    Test::Pod
1.302140        Test::Simple
1.9725  Time::HiRes
1.02    Time::localtime

Optional module versions are:
1.92    Archive::Tar
0.29    bignum
2.06    Business::ISBN
20120719.001    Business::ISBN::Data
1.22    Data::Dump
1.83    DB_File
1.39    DBD::SQLite
1.627   DBI
1.17    Digest
1.03    Digest::HMAC
2.52    Digest::MD5
2.13    Digest::SHA1
1.01    Encode::Detect
0.17020 Error
0.280206        ExtUtils::CBuilder
3.18    ExtUtils::ParseXS
2.4     Getopt::Long
0.53    Inline
1.08    IO::String
1.10    IO::Zlib
2.28    IP::Country
missing Mail::ClamAV
3.004000        Mail::SpamAssassin
v2.008  Mail::SPF
1.999001        Mail::SPF::Query
0.4005  Module::Build
0.21    Net::CIDR::Lite
0.72    Net::DNS
v0.003  Net::DNS::Resolver::Programmable
0.56    Net::LDAP
 4.069  NetAddr::IP
1.967009        Parse::RecDescent
missing SAVI
3.28    Test::Harness
1.23    Test::Manifest
2.02    Text::Balanced
1.60    URI
0.9907  version
0.84    YAML

Denis


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner



--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180828/2167e35d/attachment.html>

From Denis.Beauchemin at usherbrooke.ca  Tue Aug 28 12:52:05 2018
From: Denis.Beauchemin at usherbrooke.ca (Denis Beauchemin)
Date: Tue, 28 Aug 2018 12:52:05 +0000
Subject: What is causing this delay?
In-Reply-To: <SN6PR02MB39361D3372A1DF79E044E078C60A0@SN6PR02MB3936.namprd02.prod.outlook.com>
References: <YQBPR0101MB2084CD53B57093D67C3A3F0EFD0B0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>
 <017b01d43e7e$f5708360$e0518a20$@mailborder.com>,
 <YQBPR0101MB2084CA2727D81CDDE453BE01FD0A0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>
 <SN6PR02MB39361D3372A1DF79E044E078C60A0@SN6PR02MB3936.namprd02.prod.outlook.com>
Message-ID: <YQBPR0101MB2084411398E1E74E251533E5FD0A0@YQBPR0101MB2084.CANPRD01.PROD.OUTLOOK.COM>

I think I found it. I just uncommented the following lines in /etc/mail/spamassassin/MailScanner.cf:
use_razor2              0
use_pyzor       0

And now I get:
08:49:32: Checking for SpamAssassin errors (if you use it)...
08:49:32: Using SpamAssassin results cache
08:49:32: Connected to SpamAssassin cache database
08:49:33: SpamAssassin reported no errors.
08:49:33: Connected to Processing Attempts Database
08:49:33: Created Processing Attempts Database successfully

:-)

Thanks all for your suggestions.

Denis


De?: MailScanner <mailscanner-bounces+denis.beauchemin=usherbrooke.ca at lists.mailscanner.info> De la part de David Jones via MailScanner
Envoy??: 28 ao?t 2018 08:44
??: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Cc?: David Jones <djones at ena.com>
Objet?: Re: What is causing this delay?

Try finding any errors/delays in the output of:

spamassassin -D --lint 2>&1 > debug.log

________________________________________
From: MailScanner <mailto:mailscanner-bounces+djones=ena.com at lists.mailscanner.info> on behalf of Denis Beauchemin <mailto:Denis.Beauchemin at usherbrooke.ca>
Sent: Tuesday, August 28, 2018 7:39 AM
To: MailScanner Discussion
Subject: RE: What is causing this delay? 
?
Hello Jerry,

Installed one but it didn't do any good:
08:35:02: Checking for SpamAssassin errors (if you use it)...
08:35:02: Using SpamAssassin results cache
08:35:02: Connected to SpamAssassin cache database
08:35:12: SpamAssassin reported no errors.
08:35:12: Connected to Processing Attempts Database

dig http://www.apache.org returns:
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 28 08:36:12 EDT 2018
;; MSG SIZE? rcvd: 376

Any other suggestions??

Denis

-----Message d'origine-----
De?: MailScanner <mailto:mailscanner-bounces+denis.beauchemin=usherbrooke.ca at lists.mailscanner.info> De la part de Jerry Benton
Envoy??: 27 ao?t 2018 23:27
??: 'MailScanner Discussion' <mailto:mailscanner at lists.mailscanner.info>
Objet?: RE: What is causing this delay?

Setup a caching DNS server on the same box and you should see those numbers drop from 10 seconds to about 2 seconds or less. Just finished testing this in the lab. 


--
Jerry Benton
http://www.mailborder.com
+1?? (843) 800-8605
+44 (020) 3883-8605


-----Original Message-----
From: MailScanner <mailto:mailscanner-bounces+jerry.benton=mailborder.com at lists.mailscanner.info> On Behalf Of Denis Beauchemin
Sent: Monday, August 27, 2018 09:30
To: mailto:mailscanner at lists.mailscanner.info
Subject: What is causing this delay?

Hello all,

After many years away from MailScanner I installed new MS servers a couple of weeks ago. I?m happy to see that MS has continued to thrive!

Now my problem: my 2 new servers are running into some timeout during messages scan as can be seen here:
[root at smtpi3 conf.d]# MailScanner --lint 2>&1 | while true; do read l; echo "$(date +%T): $l";done
08:01:56: Trying to setlogsock(unix)
08:01:56:
08:01:56: Reading configuration file /etc/MailScanner/MailScanner.conf
08:01:56: Reading configuration file /etc/MailScanner/conf.d/README
08:01:56: Reading configuration file /etc/MailScanner/conf.d/UdeS.conf
08:01:56: Read 1500 hostnames from the phishing whitelist
08:01:56: Read 17028 hostnames from the phishing blacklists
08:01:56:
08:01:56: Checking version numbers...
08:01:56: Version number in MailScanner.conf (5.0.7) is correct.
08:01:56:
08:01:56: Your envelope_sender_header in spamassassin.conf is correct.
08:01:56:
08:01:56: Checking for SpamAssassin errors (if you use it)...
08:01:56: Using SpamAssassin results cache
08:01:56: Connected to SpamAssassin cache database
08:02:14: SpamAssassin reported no errors.
08:02:14: Connected to Processing Attempts Database
08:02:14: Created Processing Attempts Database successfully
08:02:14: There is 1 message in the Processing Attempts Database
08:02:14: Using locktype = posix
08:02:14: MailScanner.conf says "Virus Scanners = clamd"
08:02:14: Found these virus scanners installed: clamd
08:02:14: ===========================================================================
08:02:14: Filename Checks: Windows/DOS Executable (1 eicar.com)
08:02:14: Other Checks: Found 1 problems
08:02:14: Virus and Content Scanning: Starting
08:02:14: Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
08:02:14: Virus Scanning: Clamd found 1 infections
08:02:14: Infected message 1 came from 10.1.1.1
08:02:14: Virus Scanning: Found 1 viruses
08:02:14: ===========================================================================
08:02:14: Virus Scanner test reports:
08:02:14: Clamd said "eicar.com was infected: Eicar-Test-Signature"
08:02:14:
08:02:14: If any of your virus scanners (clamd)
08:02:14: are not listed there, you should check that they are installed correctly
08:02:14: and that MailScanner is finding them correctly via its virus.scanners.conf.

If you look at the timestamps between "Connected to SpamAssassin cache database" and "SpamAssassin reported no errors", you'll see a 18 seconds delay, which seems excessive. I've redone this many times and it never goes lower than 10 seconds.

If I do a "MailScanner --debug-sa" I get the following delays:
In Debugging mode, not forking...
Trying to setlogsock(unix)
08:18:36 Aug 24 08:18:36.710 [10096] dbg: logger: adding facilities: all ...
08:18:37 Aug 24 08:18:37.643 [10096] dbg: rules: run_eval_tests - compiling eval code: 13, priority 0
08:18:37 Aug 24 08:18:37.644 [10096] dbg: dns: entering helper-app run mode
08:18:42 Aug 24 08:18:42.645 [10096] dbg: dns: leaving helper-app run mode ...
08:18:42 Building a message batch to scan...
08:19:36 Have a batch of 1 message.
08:19:36 Stopping now as you are debugging me.

I tried to look at the dns settings but couldn't figure out what might be off. I am not running a caching nameserver. My old MS servers are not either and do not show this delay.

Thanks for you help.

I'm running this version:
[root at smtpi3 conf.d]# MailScanner -v
Running on
Linux smtpi3.usherbrooke.ca 3.10.0-862.11.6.el7.x86_64 #1 SMP Fri Aug 10 16:55:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux This is Red Hat Enterprise Linux Server release 7.5 (Maipo) This is Perl version 5.016003 (5.16.3)

This is MailScanner version 5.0.7
Module versions are:
1.01??? AnyDBM_File
1.30??? Archive::Zip
0.29??? bignum
1.26??? Carp
2.061?? Compress::Zlib
1.119?? Convert::BinHex
0.18??? Convert::TNEF
2.145?? Data::Dumper
2.30??? Date::Parse
1.04??? DirHandle
1.11??? Fcntl
2.84??? File::Basename
2.23??? File::Copy
2.02??? FileHandle
2.09??? File::Path
0.2301? File::Temp
0.92??? Filesys::Df
3.69??? HTML::Entities
3.71??? HTML::Parser
3.69??? HTML::TokeParser
1.16??? IO::File
1.15??? IO::Pipe
2.12??? Mail::Header
1.998?? Math::BigInt
0.2603? Math::BigRat
3.13??? MIME::Base64
5.509?? MIME::Decoder
5.509?? MIME::Decoder::UU
5.509?? MIME::Head
5.509?? MIME::Parser
3.13??? MIME::QuotedPrint
5.509?? MIME::Tools
0.18??? Net::CIDR
1.26??? Net::IP
0.19??? OLE::Storage_Lite
1.04??? Pod::Escapes
3.28??? Pod::Simple
1.30??? POSIX
1.27??? Scalar::Util
2.010?? Socket
2.45??? Storable
1.5???? Sys::Hostname::Long
0.33??? Sys::Syslog
1.48??? Test::Pod
1.302140??????? Test::Simple
1.9725? Time::HiRes
1.02??? Time::localtime

Optional module versions are:
1.92??? Archive::Tar
0.29??? bignum
2.06??? Business::ISBN
20120719.001??? Business::ISBN::Data
1.22??? Data::Dump
1.83??? DB_File
1.39??? DBD::SQLite
1.627?? DBI
1.17??? Digest
1.03??? Digest::HMAC
2.52??? Digest::MD5
2.13??? Digest::SHA1
1.01??? Encode::Detect
0.17020 Error
0.280206??????? ExtUtils::CBuilder
3.18??? ExtUtils::ParseXS
2.4???? Getopt::Long
0.53??? Inline
1.08??? IO::String
1.10??? IO::Zlib
2.28??? IP::Country
missing Mail::ClamAV
3.004000??????? Mail::SpamAssassin
v2.008? Mail::SPF
1.999001??????? Mail::SPF::Query
0.4005? Module::Build
0.21??? Net::CIDR::Lite
0.72??? Net::DNS
v0.003? Net::DNS::Resolver::Programmable
0.56??? Net::LDAP
?4.069? NetAddr::IP
1.967009??????? Parse::RecDescent
missing SAVI
3.28??? Test::Harness
1.23??? Test::Manifest
2.02??? Text::Balanced
1.60??? URI
0.9907? version
0.84??? YAML

Denis


-- 
MailScanner mailing list
mailto:mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner



-- 
MailScanner mailing list
mailto:mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From zephyr at flytonet.com  Wed Aug 29 08:40:14 2018
From: zephyr at flytonet.com (=?big5?B?t0ypTaq6rbc=?=)
Date: Wed, 29 Aug 2018 16:40:14 +0800
Subject: Help~Setup MailScanner v5.0.7-4  error
Message-ID: <000001d43f73$e7ff8aa0$b7fe9fe0$@flytonet.com>

Hi,

 

I use CentOS v7(1804),and download MailScanner 5.0.7 from
https://s3.amazonaws.com/msv5/release/MailScanner-5.0.7-4.rhel.tar.gz.

 

But I got some problem. I try some commands to slove them,but it?s not
working.

==================================================

mkdir /var/spool/MailScanner/spamassassin

chown postfix.postfix /var/spool/MailScanner/spamassassin

chown -R postfix.postfix /var/spool/MailScanner/incoming

chown -R postfix.postfix /var/spool/MailScanner/quarantine

====================================================

Could someone help me ? Thanks a lot.

 

 

zephyr

 

file path ==>/var/log/maillog

Aug 29 11:31:09 ftp MailScanner[18173]: MailScanner Email Processor version
5.0.7 starting...

Aug 29 11:31:09 ftp MailScanner[18173]: Reading configuration file
/etc/MailScanner/MailScanner.conf

Aug 29 11:31:09 ftp MailScanner[18173]: Reading configuration file
/etc/MailScanner/conf.d/README

Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory
/var/spool/MailScanner/incoming

Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line
200, directory /var/spool/MailScanner/incoming for incomingworkdir does not
exist (or is not readable)

Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory
/var/spool/MailScanner/incoming/Locks

Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line
3069, directory /var/spool/MailScanner/incoming/Locks for lockfiledir does
not exist (or is not readable)

Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory
/var/spool/postfix/incoming

Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line
190, directory /var/spool/postfix/incoming for outqueuedir does not exist
(or is not readable)

Aug 29 11:31:09 ftp MailScanner[18173]: File containing list of incoming
queue dirs (/var/spool/postfix/hold) does not exist

Aug 29 11:31:09 ftp MailScanner[18173]: Read 1500 hostnames from the
phishing whitelist

Aug 29 11:31:10 ftp MailScanner[18173]: Read 15767 hostnames from the
phishing blacklists

Aug 29 11:31:10 ftp MailScanner[18173]: Using SpamAssassin results cache

Aug 29 11:31:10 ftp MailScanner[18173]: Could not create SpamAssassin cache
database /var/spool/MailScanner/incoming/SpamAssassin.cache.db

Aug 29 11:31:10 ftp MailScanner[18173]: Enabling SpamAssassin auto-whitelist
functionality...

 

 

file path ==>/etc/MailScanner/MailScanner.conf

MTA = postfix

Run As User = postfix

Run As Group = postfix

Incoming Queue Dir = /var/spool/postfix/hold

Outgoing Queue Dir =/var/spool/postfix/incoming

SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

Deliver Unparsable TNEF = yes

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180829/a5fd8fdf/attachment.html>

From mailinglists at feedmebits.nl  Wed Aug 29 16:04:46 2018
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 29 Aug 2018 18:04:46 +0200
Subject: Help~Setup MailScanner v5.0.7-4 error
In-Reply-To: <000001d43f73$e7ff8aa0$b7fe9fe0$@flytonet.com>
References: <000001d43f73$e7ff8aa0$b7fe9fe0$@flytonet.com>
Message-ID: <e0872240-0b5f-108d-5c16-b61258aad63c@feedmebits.nl>

Hello Zephyr,

My guess would be that it's selinux the problem, try? setenforce 0

and try restarting mailscanner. If it works like that you need

to configure selinux so that it allows the creation of those

directories.


On 29-08-18 10:40, ???? wrote:
>
> Hi,
>
> I use CentOS v7(1804),and download MailScanner 5.0.7 from 
> https://s3.amazonaws.com/msv5/release/MailScanner-5.0.7-4.rhel.tar.gz.
>
> But I got some problem. I try some commands to slove them,but it?s not 
> working.
>
> ==================================================
>
> mkdir /var/spool/MailScanner/spamassassin
>
> chown postfix.postfix /var/spool/MailScanner/spamassassin
>
> chown -R postfix.postfix /var/spool/MailScanner/incoming
>
> chown -R postfix.postfix /var/spool/MailScanner/quarantine
>
> ====================================================
>
> Could someone help me ? Thanks a lot.
>
> zephyr
>
> file path ?/var/log/maillog
>
> Aug 29 11:31:09 ftp MailScanner[18173]: MailScanner Email Processor 
> version 5.0.7 starting...
>
> Aug 29 11:31:09 ftp MailScanner[18173]: Reading configuration file 
> /etc/MailScanner/MailScanner.conf
>
> Aug 29 11:31:09 ftp MailScanner[18173]: Reading configuration file 
> /etc/MailScanner/conf.d/README
>
> Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory 
> /var/spool/MailScanner/incoming
>
> *Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file 
> line 200, directory /var/spool/MailScanner/incoming for 
> incomingworkdir does not exist (or is not readable)*
>
> *Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory 
> /var/spool/MailScanner/incoming/Locks*
>
> *Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file 
> line 3069, directory /var/spool/MailScanner/incoming/Locks for 
> lockfiledir does not exist (or is not readable)*
>
> Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory 
> /var/spool/postfix/incoming
>
> *Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file 
> line 190, directory /var/spool/postfix/incoming for outqueuedir does 
> not exist (or is not readable)*
>
> Aug 29 11:31:09 ftp MailScanner[18173]: File containing list of 
> incoming queue dirs (/var/spool/postfix/hold) does not exist
>
> Aug 29 11:31:09 ftp MailScanner[18173]: Read 1500 hostnames from the 
> phishing whitelist
>
> Aug 29 11:31:10 ftp MailScanner[18173]: Read 15767 hostnames from the 
> phishing blacklists
>
> Aug 29 11:31:10 ftp MailScanner[18173]: Using SpamAssassin results cache
>
> *Aug 29 11:31:10 ftp MailScanner[18173]: Could not create SpamAssassin 
> cache database /var/spool/MailScanner/incoming/SpamAssassin.cache.db*
>
> Aug 29 11:31:10 ftp MailScanner[18173]: Enabling SpamAssassin 
> auto-whitelist functionality...
>
> file path ?/etc/MailScanner/MailScanner.conf
>
> MTA = postfix
>
> Run As User = postfix
>
> Run As Group = postfix
>
> Incoming Queue Dir = /var/spool/postfix/hold
>
> Outgoing Queue Dir =/var/spool/postfix/incoming
>
> SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
>
> Deliver Unparsable TNEF = yes
>
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180829/637edae9/attachment.html>

From jerry.benton at mailborder.com  Wed Aug 29 16:06:27 2018
From: jerry.benton at mailborder.com (Jerry Benton)
Date: Wed, 29 Aug 2018 12:06:27 -0400
Subject: Help~Setup MailScanner v5.0.7-4 error
In-Reply-To: <e0872240-0b5f-108d-5c16-b61258aad63c@feedmebits.nl>
References: <000001d43f73$e7ff8aa0$b7fe9fe0$@flytonet.com>
 <e0872240-0b5f-108d-5c16-b61258aad63c@feedmebits.nl>
Message-ID: <009b01d43fb2$3e0c0250$ba2406f0$@mailborder.com>

Also:
 
postfix:mtagroup
 
not 
 
postfix:postfix
 
 
 
 
--
Jerry Benton
 <http://www.mailborder.com/> www.mailborder.com
+1   (843) 800-8605
+44 (020) 3883-8605


 
From: MailScanner <mailscanner-bounces+jerry.benton=mailborder.com at lists.mailscanner.info> On Behalf Of Maarten
Sent: Wednesday, August 29, 2018 12:05
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: Help~Setup MailScanner v5.0.7-4 error
 
Hello Zephyr,
My guess would be that it's selinux the problem, try  setenforce 0
and try restarting mailscanner. If it works like that you need
to configure selinux so that it allows the creation of those
directories.
 
On 29-08-18 10:40, ???? wrote:
Hi,
 
I use CentOS v7(1804),and download MailScanner 5.0.7 from https://s3.amazonaws.com/msv5/release/MailScanner-5.0.7-4.rhel.tar.gz.
 
But I got some problem. I try some commands to slove them,but it?s not working.
==================================================
mkdir /var/spool/MailScanner/spamassassin
chown postfix.postfix /var/spool/MailScanner/spamassassin
chown -R postfix.postfix /var/spool/MailScanner/incoming
chown -R postfix.postfix /var/spool/MailScanner/quarantine
====================================================
Could someone help me ? Thanks a lot.
 
 
zephyr
 
file path ==>/var/log/maillog
Aug 29 11:31:09 ftp MailScanner[18173]: MailScanner Email Processor version 5.0.7 starting...
Aug 29 11:31:09 ftp MailScanner[18173]: Reading configuration file /etc/MailScanner/MailScanner.conf
Aug 29 11:31:09 ftp MailScanner[18173]: Reading configuration file /etc/MailScanner/conf.d/README
Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory /var/spool/MailScanner/incoming
Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line 200, directory /var/spool/MailScanner/incoming for incomingworkdir does not exist (or is not readable)
Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory /var/spool/MailScanner/incoming/Locks
Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line 3069, directory /var/spool/MailScanner/incoming/Locks for lockfiledir does not exist (or is not readable)
Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory /var/spool/postfix/incoming
Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line 190, directory /var/spool/postfix/incoming for outqueuedir does not exist (or is not readable)
Aug 29 11:31:09 ftp MailScanner[18173]: File containing list of incoming queue dirs (/var/spool/postfix/hold) does not exist
Aug 29 11:31:09 ftp MailScanner[18173]: Read 1500 hostnames from the phishing whitelist
Aug 29 11:31:10 ftp MailScanner[18173]: Read 15767 hostnames from the phishing blacklists
Aug 29 11:31:10 ftp MailScanner[18173]: Using SpamAssassin results cache
Aug 29 11:31:10 ftp MailScanner[18173]: Could not create SpamAssassin cache database /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Aug 29 11:31:10 ftp MailScanner[18173]: Enabling SpamAssassin auto-whitelist functionality...
 
 
file path ==>/etc/MailScanner/MailScanner.conf
MTA = postfix
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir =/var/spool/postfix/incoming
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Deliver Unparsable TNEF = yes




 
 
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180829/7fceb319/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5530 bytes
Desc: not available
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180829/7fceb319/attachment.bin>

From zephyr at flytonet.com  Fri Aug 31 00:26:44 2018
From: zephyr at flytonet.com (=?big5?B?t0ypTaq6rbc=?=)
Date: Fri, 31 Aug 2018 08:26:44 +0800
Subject: Help~Setup MailScanner v5.0.7-4 error
Message-ID: <000601d440c1$4c2d4cd0$e487e670$@flytonet.com>

The problem is solved. Thanks for Maarten and Jerry Benton.

 

/var/log/maillog

Aug 31 08:20:00 ftp MailScanner[16310]: MailScanner Email Processor version
5.0.7 starting...

Aug 31 08:20:00 ftp MailScanner[16310]: Reading configuration file
/etc/MailScanner/MailScanner.conf

Aug 31 08:20:00 ftp MailScanner[16310]: Reading configuration file
/etc/MailScanner/conf.d/README

Aug 31 08:20:00 ftp MailScanner[16310]: Read 1500 hostnames from the
phishing whitelist

Aug 31 08:20:00 ftp MailScanner[16310]: Read 16138 hostnames from the
phishing blacklists

Aug 31 08:20:00 ftp MailScanner[16310]: Using SpamAssassin results cache

Aug 31 08:20:00 ftp MailScanner[16310]: Connected to SpamAssassin cache
database

Aug 31 08:20:00 ftp MailScanner[16310]: Enabling SpamAssassin auto-whitelist
functionality...

Aug 31 08:20:05 ftp MailScanner[16421]: MailScanner Email Processor version
5.0.7 starting...

Aug 31 08:20:05 ftp MailScanner[16421]: Reading configuration file
/etc/MailScanner/MailScanner.conf

Aug 31 08:20:05 ftp MailScanner[16421]: Reading configuration file
/etc/MailScanner/conf.d/README

Aug 31 08:20:05 ftp MailScanner[16421]: Read 1500 hostnames from the
phishing whitelist

Aug 31 08:20:05 ftp MailScanner[16421]: Read 16138 hostnames from the
phishing blacklists

Aug 31 08:20:05 ftp MailScanner[16421]: Using SpamAssassin results cache

Aug 31 08:20:05 ftp MailScanner[16421]: Connected to SpamAssassin cache
database

Aug 31 08:20:05 ftp MailScanner[16421]: Enabling SpamAssassin auto-whitelist
functionality...

 

Message: 1

Date: Wed, 29 Aug 2018 16:40:14 +0800

From: ???? <zephyr at flytonet.com <mailto:zephyr at flytonet.com> >

To: <mailscanner at lists.mailscanner.info
<mailto:mailscanner at lists.mailscanner.info> >

Subject: Help~Setup MailScanner v5.0.7-4  error

Message-ID: <000001d43f73$e7ff8aa0$b7fe9fe0$@flytonet.com
<mailto:000001d43f73$e7ff8aa0$b7fe9fe0$@flytonet.com> >

Content-Type: text/plain; charset="big5"

 

Hi,

 

I use CentOS v7(1804),and download MailScanner 5.0.7 from
https://s3.amazonaws.com/msv5/release/MailScanner-5.0.7-4.rhel.tar.gz.

But I got some problem. I try some commands to slove them,but it?s not
working.

 

==================================================

 

mkdir /var/spool/MailScanner/spamassassin

 

chown postfix.postfix /var/spool/MailScanner/spamassassin

 

chown -R postfix.postfix /var/spool/MailScanner/incoming

 

chown -R postfix.postfix /var/spool/MailScanner/quarantine

 

====================================================

 

Could someone help me ? Thanks a lot.

 

zephyr

 

 

file path ==>/var/log/maillog

 

Aug 29 11:31:09 ftp MailScanner[18173]: MailScanner Email Processor version

5.0.7 starting...

 

Aug 29 11:31:09 ftp MailScanner[18173]: Reading configuration file
/etc/MailScanner/MailScanner.conf

 

Aug 29 11:31:09 ftp MailScanner[18173]: Reading configuration file
/etc/MailScanner/conf.d/README

 

Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory
/var/spool/MailScanner/incoming

 

Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line
200, directory /var/spool/MailScanner/incoming for incomingworkdir does not
exist (or is not readable)

 

Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory
/var/spool/MailScanner/incoming/Locks

 

Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line
3069, directory /var/spool/MailScanner/incoming/Locks for lockfiledir does
not exist (or is not readable)

 

Aug 29 11:31:09 ftp MailScanner[18173]: Could not read directory
/var/spool/postfix/incoming

 

Aug 29 11:31:09 ftp MailScanner[18173]: Error in configuration file line
190, directory /var/spool/postfix/incoming for outqueuedir does not exist
(or is not readable)

 

Aug 29 11:31:09 ftp MailScanner[18173]: File containing list of incoming
queue dirs (/var/spool/postfix/hold) does not exist

 

Aug 29 11:31:09 ftp MailScanner[18173]: Read 1500 hostnames from the
phishing whitelist

 

Aug 29 11:31:10 ftp MailScanner[18173]: Read 15767 hostnames from the
phishing blacklists

 

Aug 29 11:31:10 ftp MailScanner[18173]: Using SpamAssassin results cache

 

Aug 29 11:31:10 ftp MailScanner[18173]: Could not create SpamAssassin cache
database /var/spool/MailScanner/incoming/SpamAssassin.cache.db

 

Aug 29 11:31:10 ftp MailScanner[18173]: Enabling SpamAssassin auto-whitelist
functionality...

 

 

 

file path ==>/etc/MailScanner/MailScanner.conf

 

MTA = postfix

 

Run As User = postfix

 

Run As Group = postfix

 

Incoming Queue Dir = /var/spool/postfix/hold

 

Outgoing Queue Dir =/var/spool/postfix/incoming

 

SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

 

Deliver Unparsable TNEF = yes

 

-------------- next part --------------

An HTML attachment was scrubbed...

URL:
<http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180829/a5
fd8fdf/attachment-0001.html>

 

------------------------------

 

Message: 2

Date: Wed, 29 Aug 2018 18:04:46 +0200

From: Maarten <mailinglists at feedmebits.nl
<mailto:mailinglists at feedmebits.nl> >

To: MailScanner Discussion <mailscanner at lists.mailscanner.info
<mailto:mailscanner at lists.mailscanner.info> >

Subject: Re: Help~Setup MailScanner v5.0.7-4 error

Message-ID: <e0872240-0b5f-108d-5c16-b61258aad63c at feedmebits.nl
<mailto:e0872240-0b5f-108d-5c16-b61258aad63c at feedmebits.nl> >

Content-Type: text/plain; charset="utf-8"; Format="flowed"

 

Hello Zephyr,

 

My guess would be that it's selinux the problem, try? setenforce 0

 

and try restarting mailscanner. If it works like that you need

 

to configure selinux so that it allows the creation of those

 

directories.

 

 

Message: 3

Date: Wed, 29 Aug 2018 12:06:27 -0400

From: "Jerry Benton" <jerry.benton at mailborder.com
<mailto:jerry.benton at mailborder.com> >

To: "'MailScanner Discussion'" <mailscanner at lists.mailscanner.info
<mailto:mailscanner at lists.mailscanner.info> >

Subject: RE: Help~Setup MailScanner v5.0.7-4 error

Message-ID: <009b01d43fb2$3e0c0250$ba2406f0$@mailborder.com
<mailto:009b01d43fb2$3e0c0250$ba2406f0$@mailborder.com> >

Content-Type: text/plain; charset="utf-8"

 

Also:

postfix:mtagroup

not 

 

postfix:postfix

  

--

Jerry Benton

<http://www.mailborder.com/> www.mailborder.com <http://www.mailborder.com> 

+1   (843) 800-8605

+44 (020) 3883-8605

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20180831/952c9781/attachment.html>