From danita at caledonia.net Fri Feb 1 09:46:04 2019
From: danita at caledonia.net (Danita Zanre)
Date: Fri, 1 Feb 2019 10:46:04 +0100
Subject: Oddly missing emails
In-Reply-To:
References: <42b0e1f3-7975-14c0-c3b6-a1d6969b2b6b@caledonia.net> <78a83a19-4b46-b57b-04b8-69d1515fba09@caledonia.net>
Message-ID: <4a6b2549-b7ad-ab5d-ac23-380dde7c2a61@caledonia.net>

I'm beginning to think it's the sending server. Now I'm receiving them sporadically on Gmail! I guess I'll have to hunt down their admin ;-)

Thanks for the moral support!

Danita

Danita Zanre wrote on 1/31/19 7:26 PM:
> Possible. I'll scout the firewall rule for port 25 blocks. I have so
> few rules.
>
> *--*
> *Danita Zanre*, /Move Out of the Office/
> I love my job, and you can too!
> Tel: (720) 319-7530 - Caledonia.Net LLC
> Tel: (720) 319-8240 - Move Out of the Office
> On 31 Jan 2019, 19:15 +0100, Mark Sapiro wrote:
>> On 1/31/19 5:54 AM, Danita Zanre wrote:
>>> Nope - and this particular message actually was received. Today I've
>>> received about 3 messages and they and only they even appear in the log.
>>>
>>> Shawn Iverson via MailScanner wrote on 1/31/19 2:48 PM:
>>>> That log says that the message was written to HOLD queue. Have
>>>> anything in there, by chance?
>>
>> writing to the HOLD queue is the normal way messages are queued from
>> Postfix to MailScanner if not using the milter method.
>>
>> If there is nothing in the mail_log at all for the missing messages,
>> they are not getting to Postfix in the first place.
>>
>> As Alex suggests in another reply, they are probably sending from
>> multiple servers and this one gets through, but others are blocked by
>> some firewall rule.
>>
>> --
>> Mark Sapiro                           The highway is for gamblers,
>> San Francisco Bay Area, California    better use your sense - B.
Dylan
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by Iris MailScanner, and is
>> believed to be clean.
>>
>
> --
> This message has been scanned for viruses and
> dangerous content by *Iris MailScanner*, and is
> believed to be clean.
>

--
*Danita Zanre*, /Move Out of the Office/
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

From glenn.steen at gmail.com Wed Feb 6 14:17:51 2019
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed, 6 Feb 2019 15:17:51 +0100
Subject: Oddly missing emails
In-Reply-To:
References: <42b0e1f3-7975-14c0-c3b6-a1d6969b2b6b@caledonia.net> <78a83a19-4b46-b57b-04b8-69d1515fba09@caledonia.net>
Message-ID:

Mark is (as usual) correct in his guidance... You may have your mailscanner/postfix logs split into separate files (yes, that is unusual, but has happened in the past :-)), so be sure to find your Postfix rejections etc in the maillog, so to be sure you get all the possible NOQUEUE: things.
I've been running pflogsum for years, to get some readable stats on all that, even posted a few scripts for presentation purposes back in the days... Something like that may make your searches easier (well, grep is pretty easy :-)).

But it is likely their system that is acting up...

Cheers!
--
-- Glenn

On Thu, 31 Jan 2019 at 19:08, Mark Sapiro wrote:

> On 1/31/19 5:54 AM, Danita Zanre wrote:
> > Nope - and this particular message actually was received. Today I've
> > received about 3 messages and they and only they even appear in the log.
> >
> > Shawn Iverson via MailScanner wrote on 1/31/19 2:48 PM:
> >> That log says that the message was written to HOLD queue. Have
> >> anything in there, by chance?
>
> writing to the HOLD queue is the normal way messages are queued from
> Postfix to MailScanner if not using the milter method.
>
> If there is nothing in the mail_log at all for the missing messages,
> they are not getting to Postfix in the first place.
>
> As Alex suggests in another reply, they are probably sending from
> multiple servers and this one gets through, but others are blocked by
> some firewall rule.
>
> --
> Mark Sapiro                           The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From belle at bazuin.nl Wed Feb 6 14:25:02 2019
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 6 Feb 2019 15:25:02 +0100
Subject: Oddly missing emails
In-Reply-To:
References:
Message-ID:

hmm, i missed this thread, but agree here.

cat /var/log/mail.log|egrep "reject|NOQUEUE"

If you know the source domain its sending server server_ipnumbers, then search for these in maillog and firewall log.
I do that often these days, due to users are more using SPF/DKIM/DMARC and mail not arriving,
They are not using SRS https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

Most of the time the problem is at an antispam service not using SRS. ( at least in my case )

Greetz,

Louis

From: MailScanner [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On behalf of Glenn Steen
Sent: Wednesday 6 February 2019 15:18
To: MailScanner Discussion
Subject: Re: Oddly missing emails

Mark is (as usual) correct in his guidance...
You may have your mailscanner/postfix logs split into separate files (yes, that is unusual, but has happened in the past :-)), so be sure to find your Postfix rejections etc in the maillog, so to be sure you get all the possible NOQUEUE: things.
I've been running pflogsum for years, to get some readable stats on all that, even posted a few scripts for presentation purposes back in the days... Something like that may make your searches easier (well, grep is pretty easy :-)).

But it is likely their system that is acting up...

Cheers!
--
-- Glenn

On Thu, 31 Jan 2019 at 19:08, Mark Sapiro wrote:

On 1/31/19 5:54 AM, Danita Zanre wrote:
> Nope - and this particular message actually was received. Today I've
> received about 3 messages and they and only they even appear in the log.
>
> Shawn Iverson via MailScanner wrote on 1/31/19 2:48 PM:
>> That log says that the message was written to HOLD queue. Have
>> anything in there, by chance?

writing to the HOLD queue is the normal way messages are queued from Postfix to MailScanner if not using the milter method.

If there is nothing in the mail_log at all for the missing messages, they are not getting to Postfix in the first place.

As Alex suggests in another reply, they are probably sending from multiple servers and this one gets through, but others are blocked by some firewall rule.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From danita at caledonia.net Wed Feb 6 14:34:08 2019
From: danita at caledonia.net (Danita Zanre)
Date: Wed, 6 Feb 2019 15:34:08 +0100
Subject: Oddly missing emails
In-Reply-To:
References:
Message-ID: <39ebef22-2643-5b68-6667-fbc62dd21689@caledonia.net>

They seem to have fixed whatever was up apparently at the sending site, because yesterday the mail started flowing again. There were no "old" messages, so who knows what they did - but hey - things are back together and I don't believe it was mailscanner at all.

Danita

L.P.H. van Belle via MailScanner wrote on 2/6/19 3:25 PM:
> hmm, i missed this thread, but agree here.
> cat /var/log/mail.log|egrep "reject|NOQUEUE"
> If you know the source domain its sending server server_ipnumbers,
> then search for these in maillog and firewall log.
> I do that often these days, due to users are more using SPF/DKIM/DMARC
> and mail not arriving,
> They are not using SRS
> https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme
> Most of the time the problem is at an antispam service not using SRS. (
> at least in my case )
> Greetz,
> Louis
>
> ------------------------------------------------------------------------
> *From:* MailScanner
> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info]
> *On behalf of* Glenn Steen
> *Sent:* Wednesday 6 February 2019 15:18
> *To:* MailScanner Discussion
> *Subject:* Re: Oddly missing emails
>
> Mark is (as usual) correct in his guidance... You may have your
> mailscanner/postfix logs split into separate files (yes, that is
> unusual, but has happened in the past :-)), so be sure to find your
> Postfix rejections etc in the maillog, so to be sure you get all
> the possible NOQUEUE: things.
> I've been running pflogsum for years, to get some readable stats on
> all that, even posted a few scripts for presentation purposes back
> in the days... Something like that may make your searches easier
> (well, grep is pretty easy :-)).
>
> But it is likely their system that is acting up...
>
> Cheers!
> --
> -- Glenn
>
> On Thu, 31 Jan 2019 at 19:08, Mark Sapiro wrote:
>
> On 1/31/19 5:54 AM, Danita Zanre wrote:
> > Nope - and this particular message actually was received. Today I've
> > received about 3 messages and they and only they even appear in the log.
> >
> > Shawn Iverson via MailScanner wrote on 1/31/19 2:48 PM:
> >> That log says that the message was written to HOLD queue. Have
> >> anything in there, by chance?
>
> writing to the HOLD queue is the normal way messages are queued from
> Postfix to MailScanner if not using the milter method.
>
> If there is nothing in the mail_log at all for the missing messages,
> they are not getting to Postfix in the first place.
>
> As Alex suggests in another reply, they are probably sending from
> multiple servers and this one gets through, but others are blocked by
> some firewall rule.
>
> --
> Mark Sapiro                           The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>

--
*Danita Zanre*, /Move Out of the Office/
I love my job, and you can too!
Tel: (720) 319-7530 - Caledonia.Net LLC
Tel: (720) 319-8240 - Move Out of the Office

From mmgomess at gmail.com Tue Feb 19 14:04:39 2019
From: mmgomess at gmail.com (Marcelo Machado)
Date: Tue, 19 Feb 2019 11:04:39 -0300
Subject: Denial of Service attack message
Message-ID:

Hello everyone.

I'm receiving e-mails with warning messages like this below, instead of the originals.

"MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report."

My server is a Ubuntu 16.04.5 LTS with MailScanner 5.1.2, Mailwatch 1.2.12 and MariaDB 10.3.

Anyone can help me?

Marcelo Gomes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_message.jpeg
Type: image/jpeg
Size: 50519 bytes
Desc: not available
URL:

From admin at tsys3.com Tue Feb 19 14:16:04 2019
From: admin at tsys3.com (admin)
Date: Tue, 19 Feb 2019 09:16:04 -0500
Subject: Denial of Service attack message
In-Reply-To:
References:
Message-ID:

Good Morning,

I am getting the same thing. I tried increasing the memory, disabling apparmor but have not had any luck in resolving it. I think this might be something to do with the html parser but not sure.

On 02/19/19 9:04 AM, Marcelo Machado wrote:
> Hello everyone.
>
> I'm receiving e-mails with warning messages like this below, instead
> of the originals.
>
> "MailScanner was attacked by a Denial Of Service attack, and has therefore
> deleted this part of the message. Please contact your e-mail providers for
> more information if you need it, giving them the whole of this report."
>
> My server is a Ubuntu 16.04.5 LTS with MailScanner 5.1.2, Mailwatch
> 1.2.12 and MariaDB 10.3.
>
> Anyone can help me?
>
> Marcelo Gomes
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner*, and is
> believed to be clean.
>
From peter.farrow at togethia.net Tue Feb 19 14:17:01 2019
From: peter.farrow at togethia.net (Peter Farrow)
Date: Tue, 19 Feb 2019 14:17:01 +0000
Subject: Denial of Service attack message
In-Reply-To:
References:
Message-ID:

This is an ongoing issue, and Shawn Iverson and I originally thought it was an Ubuntu 18.04 LTS Kernel issue, but your post discounts that theory.

The latest version on MailScanner (released very recently) has an option to disable this message and send the original email through.

Pete

On 19/02/2019 14:04, Marcelo Machado wrote:
> Hello everyone.
>
> I'm receiving e-mails with warning messages like this below, instead
> of the originals.
>
> "MailScanner was attacked by a Denial Of Service attack, and has therefore
> deleted this part of the message. Please contact your e-mail providers for
> more information if you need it, giving them the whole of this report."
>
> My server is a Ubuntu 16.04.5 LTS with MailScanner 5.1.2, Mailwatch
> 1.2.12 and MariaDB 10.3.
>
> Anyone can help me?
>
> Marcelo Gomes
>
> --
> This message has been scanned for viruses and
> dangerous content by the *Togethia MailScanner*,
> and is believed to be clean.
>

From mmgomess at gmail.com Tue Feb 19 14:26:50 2019
From: mmgomess at gmail.com (Marcelo Machado)
Date: Tue, 19 Feb 2019 11:26:50 -0300
Subject: Denial of Service attack message
In-Reply-To:
References:
Message-ID:

Thank you Peter for your answer.

Which is this option?

Marcelo

On Tue, 19 Feb 2019 at 11:17, Peter Farrow wrote:

> This is an ongoing issue, and Shawn Iverson and I originally thought it
> was an Ubuntu 18.04 LTS Kernel issue, but your post discounts that theory.
>
> The latest version on MailScanner (released very recently) has an option
> to disable this message and send the original email through.
>
> Pete
> On 19/02/2019 14:04, Marcelo Machado wrote:
>
> Hello everyone.
>
> I'm receiving e-mails with warning messages like this below, instead of
> the originals.
>
> "MailScanner was attacked by a Denial Of Service attack, and has therefore
> deleted this part of the message. Please contact your e-mail providers for
> more information if you need it, giving them the whole of this report."
>
> My server is a Ubuntu 16.04.5 LTS with MailScanner 5.1.2, Mailwatch 1.2.12
> and MariaDB 10.3.
>
> Anyone can help me?
>
> Marcelo Gomes
>

From iversons at rushville.k12.in.us Tue Feb 19 15:36:15 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 19 Feb 2019 10:36:15 -0500
Subject: Denial of Service attack message
In-Reply-To:
References:
Message-ID:

I have the option in a PR I am about to upload... I'll work on this this evening.

On Tue, Feb 19, 2019, 9:27 AM Marcelo Machado wrote:

> Thank you Peter for your answer.
>
> Which is this option?
>
> Marcelo
>
> On Tue, 19 Feb 2019 at 11:17, Peter Farrow <peter.farrow at togethia.net> wrote:
>
>> This is an ongoing issue, and Shawn Iverson and I originally thought it
>> was an Ubuntu 18.04 LTS Kernel issue, but your post discounts that theory.
>>
>> The latest version on MailScanner (released very recently) has an
>> option to disable this message and send the original email through.
>>
>> Pete
>> On 19/02/2019 14:04, Marcelo Machado wrote:
>>
>> Hello everyone.
>>
>> I'm receiving e-mails with warning messages like this below, instead of
>> the originals.
>>
>> "MailScanner was attacked by a Denial Of Service attack, and has therefore
>> deleted this part of the message. Please contact your e-mail providers for
>> more information if you need it, giving them the whole of this report."
>>
>> My server is a Ubuntu 16.04.5 LTS with MailScanner 5.1.2, Mailwatch
>> 1.2.12 and MariaDB 10.3.
>>
>> Anyone can help me?
>>
>> Marcelo Gomes
>>

From iversons at rushville.k12.in.us Wed Feb 20 00:36:12 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 19 Feb 2019 19:36:12 -0500
Subject: Denial of Service attack message
In-Reply-To:
References:
Message-ID:

Here is the PR...

https://github.com/MailScanner/v5/pull/367

On Tue, Feb 19, 2019 at 10:36 AM Shawn Iverson wrote:

> I have the option in a PR I am about to upload... I'll work on this this
> evening.
>
> On Tue, Feb 19, 2019, 9:27 AM Marcelo Machado wrote:
>
>> Thank you Peter for your answer.
>>
>> Which is this option?
>>
>> Marcelo
>>
>> On Tue, 19 Feb 2019 at 11:17, Peter Farrow <peter.farrow at togethia.net> wrote:
>>
>>> This is an ongoing issue, and Shawn Iverson and I originally thought it
>>> was an Ubuntu 18.04 LTS Kernel issue, but your post discounts that theory.
>>>
>>> The latest version on MailScanner (released very recently) has an
>>> option to disable this message and send the original email through.
>>>
>>> Pete
>>> On 19/02/2019 14:04, Marcelo Machado wrote:
>>>
>>> Hello everyone.
>>>
>>> I'm receiving e-mails with warning messages like this below, instead of
>>> the originals.
>>>
>>> "MailScanner was attacked by a Denial Of Service attack, and has
>>> therefore
>>> deleted this part of the message. Please contact your e-mail providers
>>> for
>>> more information if you need it, giving them the whole of this report."
>>>
>>> My server is a Ubuntu 16.04.5 LTS with MailScanner 5.1.2, Mailwatch
>>> 1.2.12 and MariaDB 10.3.
>>>
>>> Anyone can help me?
>>>
>>> Marcelo Gomes
>>>

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
From mmgomess at gmail.com Wed Feb 20 11:30:17 2019
From: mmgomess at gmail.com (Marcelo Machado)
Date: Wed, 20 Feb 2019 08:30:17 -0300
Subject: Denial of Service attack message
In-Reply-To:
References:
Message-ID:

Thank you Shawn.

I will apply and observe.

Marcelo

On Tue, 19 Feb 2019 at 21:37, Shawn Iverson via MailScanner <mailscanner at lists.mailscanner.info> wrote:

> Here is the PR...
>
> https://github.com/MailScanner/v5/pull/367
>
> On Tue, Feb 19, 2019 at 10:36 AM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>
>> I have the option in a PR I am about to upload... I'll work on this this
>> evening.
>>
>> On Tue, Feb 19, 2019, 9:27 AM Marcelo Machado wrote:
>>
>>> Thank you Peter for your answer.
>>>
>>> Which is this option?
>>>
>>> Marcelo
>>>
>>> On Tue, 19 Feb 2019 at 11:17, Peter Farrow <peter.farrow at togethia.net> wrote:
>>>
>>>> This is an ongoing issue, and Shawn Iverson and I originally thought it
>>>> was an Ubuntu 18.04 LTS Kernel issue, but your post discounts that theory.
>>>>
>>>> The latest version on MailScanner (released very recently) has an
>>>> option to disable this message and send the original email through.
>>>>
>>>> Pete
>>>> On 19/02/2019 14:04, Marcelo Machado wrote:
>>>>
>>>> Hello everyone.
>>>>
>>>> I'm receiving e-mails with warning messages like this below, instead of
>>>> the originals.
>>>>
>>>> "MailScanner was attacked by a Denial Of Service attack, and has
>>>> therefore
>>>> deleted this part of the message. Please contact your e-mail providers
>>>> for
>>>> more information if you need it, giving them the whole of this report."
>>>>
>>>> My server is a Ubuntu 16.04.5 LTS with MailScanner 5.1.2, Mailwatch
>>>> 1.2.12 and MariaDB 10.3.
>>>>
>>>> Anyone can help me?
>>>>
>>>> Marcelo Gomes
>>>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 option 7
> iversons at rushville.k12.in.us
>

From mmgomess at gmail.com Thu Feb 21 13:47:19 2019
From: mmgomess at gmail.com (Marcelo Machado)
Date: Thu, 21 Feb 2019 10:47:19 -0300
Subject: Denial of Service attack message
In-Reply-To:
References:
Message-ID:

Hello Shawn

Looks like it worked.

Thank you

On Wed, 20 Feb 2019 at 08:30, Marcelo Machado wrote:

> Thank you Shawn.
>
> I will apply and observe.
>
> Marcelo
>
> On Tue, 19 Feb 2019 at 21:37, Shawn Iverson via MailScanner <mailscanner at lists.mailscanner.info> wrote:
>
>> Here is the PR...
>>
>> https://github.com/MailScanner/v5/pull/367
>>
>> On Tue, Feb 19, 2019 at 10:36 AM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>>
>>> I have the option in a PR I am about to upload... I'll work on this this
>>> evening.
>>>
>>> On Tue, Feb 19, 2019, 9:27 AM Marcelo Machado wrote:
>>>
>>>> Thank you Peter for your answer.
>>>>
>>>> Which is this option?
>>>>
>>>> Marcelo
>>>>
>>>> On Tue, 19 Feb 2019 at 11:17, Peter Farrow <peter.farrow at togethia.net> wrote:
>>>>
>>>>> This is an ongoing issue, and Shawn Iverson and I originally thought
>>>>> it was an Ubuntu 18.04 LTS Kernel issue, but your post discounts that theory.
>>>>>
>>>>> The latest version on MailScanner (released very recently) has an
>>>>> option to disable this message and send the original email through.
>>>>>
>>>>> Pete
>>>>> On 19/02/2019 14:04, Marcelo Machado wrote:
>>>>>
>>>>> Hello everyone.
>>>>>
>>>>> I'm receiving e-mails with warning messages like this below, instead
>>>>> of the originals.
>>>>>
>>>>> "MailScanner was attacked by a Denial Of Service attack, and has
>>>>> therefore
>>>>> deleted this part of the message. Please contact your e-mail providers
>>>>> for
>>>>> more information if you need it, giving them the whole of this report."
>>>>>
>>>>> My server is a Ubuntu 16.04.5 LTS with MailScanner 5.1.2, Mailwatch
>>>>> 1.2.12 and MariaDB 10.3.
>>>>>
>>>>> Anyone can help me?
>>>>>
>>>>> Marcelo Gomes
>>>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 option 7
>> iversons at rushville.k12.in.us
>>
From kevin.miller at juneau.org Thu Feb 21 22:41:08 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Thu, 21 Feb 2019 22:41:08 +0000
Subject: Couple of issues...
Message-ID:

I noticed a couple of issues on my MailScanner boxes:

1: Old directories in /var/spool/MailScanner/Incoming:

root at mx2:/var/spool/MailScanner/incoming# l
total 252
drwxrwx--- 2 postfix mtagroup 40 Jun 22 2018 10064
drwxrwx--- 2 postfix mtagroup 40 Jan 23 04:41 10983
drwxrwx--- 2 postfix mtagroup 40 Oct 5 15:17 11738
drwxrwx--- 2 postfix mtagroup 40 Dec 16 09:35 1221
drwxrwx--- 2 postfix mtagroup 40 Aug 16 2018 1259
drwxrwx--- 2 postfix mtagroup 40 Dec 14 06:25 1267
drwxrwx--- 2 postfix mtagroup 40 Jun 1 2018 13123
drwxrwx--- 2 postfix mtagroup 40 Sep 27 13:50 14581
drwxrwx--- 2 postfix mtagroup 40 Sep 25 14:53 1504
drwxrwx--- 2 postfix mtagroup 40 Jan 23 06:26 15182
drwxrwx--- 2 postfix mtagroup 40 Nov 7 06:25 15247
drwxrwx--- 2 postfix mtagroup 40 Dec 14 16:50 15342
drwxrwx--- 2 postfix mtagroup 40 Jan 21 14:56 15377
drwxrwx--- 2 postfix mtagroup 40 Sep 25 14:55 1561
...snip...

Shouldn't these be auto-deleted? I presume I can manually delete them if they're empty, yes?

2: I just ran MailScanner --lint which output the following:

MailScanner.conf says "Virus Scanners = sophos clamd"
mktemp: failed to create directory via template '/var/spool/MailScanner/incoming/clamav-tmp/tmp.XXXXXXXXXX': Permission denied
Found these virus scanners installed: clamd, sophos
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
>>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/27249/1/neicar.com
Virus Scanning: Sophos found 1 infections
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
Infected message 1 came from 10.1.1.1
Infected message var came from
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

It seems that clam-av is catching the infection, despite the clamav-tmp directory being inaccessible but I suspect there could be some other issues that could arise that I'm not seeing in a simple lint test.

Also, this is puzzling:
Other Checks: Found 1 problems
What other check and what's the problem?

I'm running both Sophos and clamav (clamd).
Permissions on /var/spool/MailScanner/incoming/clamav-tmp are:
drwxr-xr-x 2 www-data www-data 40 Aug 10 2018 clamav-tmp

What should the owner.group and perms be on that directory?

---
Environment details:
MailWatch Version: 1.2.12
Operating System Version: Debian GNU/Linux 9 (stretch)
Postfix Version: 3.1.9
MailScanner Version: 5.0.7
ClamAV Version: 0.100.2
SpamAssassin Version: 3.4.2
PHP Version: 7.0.33-0+deb9u1
MySQL Version: 10.1.37-MariaDB-0+deb9u1
GeoIP Database Version: GeoLite2 Country database 2019-02-05 05:36:24

Incoming Work User = postfix
Incoming Work Group = mtagroup

/etc/group:
mtagroup:x:1002:clamav,postfix,mail,www-data

I'm also running Mailwatch

Thanks...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From kevin.miller at juneau.org Fri Feb 22 01:02:53 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 22 Feb 2019 01:02:53 +0000
Subject: More antivirus fun...
Message-ID: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local>

Re: my previous message, I changed the owner/group of /var/spool/MailScanner/incoming/clamav-tmp to postfix:mtagroup and it cleaned up the permissions error I had noted.

In my further testing, I configured MailScanner to only use Sophos rather than it and clamav. It detects messages as viral, but doesn't quarantine them (using clamd does).

>From my mail.log:
Feb 21 15:50:07 mxt MailScanner[3122]: Virus and Content Scanning: Starting
Feb 21 15:50:15 mxt MailScanner[3122]: >>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/3122/836C01002EF.AD186/nmsg-3122-1.txt
Feb 21 15:50:15 mxt MailScanner[3122]: Virus Scanning: Sophos found 1 infections
Feb 21 15:50:15 mxt MailScanner[3122]: Infected message var came from
Feb 21 15:50:15 mxt MailScanner[3122]: Virus Scanning: Found 1 viruses
Feb 21 15:50:36 mxt MailScanner[3122]: Requeue: 836C01002EF.AD186 to E6FF31005DD
Feb 21 15:50:36 mxt MailScanner[3122]: Uninfected: Delivered 1 messages

There's several oddities such as "var/pool" rather than "/var/spool".
Lines 3 - 5 clearly note the infection but the message is requeued and sent through as if it was clean. Really odd.

Testing the wrapper from the CLI I got the following output which seems pretty much what one would expect:
===================================
root at mxt:/opt/sophos-av/bin# /usr/lib/MailScanner/wrapper/sophos-wrapper /opt/sophos-av/ /tmp
SAVScan virus detection utility
Version 5.53.0 [Linux/AMD64]
Virus data version 5.60, February 2019
Includes detection for 30926993 viruses, Trojans and worms
Copyright (c) 1989-2019 Sophos Limited. All rights reserved.

System time 15:46:59, System date 21 February 2019

IDE directory is: /opt/sophos-av/lib/sav

Using IDE file tofse-cl.ide
...dozens of similar lines snipped...
Using IDE file docd-rwe.ide

Quick Scanning

0 files scanned in 8 seconds.
No viruses were discovered.
End of Scan.
===================================

MailScanner --lint gave the following:
MailScanner.conf says "Virus Scanners = sophos"
Found these virus scanners installed: sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
>>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/5033/1/neicar.com
Virus Scanning: Sophos found 1 infections
Infected message var came from
Virus Scanning: Found 1 viruses

There seems to be some piece of the puzzle that apparently has a typo in it, leading to the "var/pool" error and probably the reason the message is delivered even though noted as a virus.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From iversons at rushville.k12.in.us Fri Feb 22 05:17:12 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 22 Feb 2019 00:17:12 -0500
Subject: Couple of issues...
In-Reply-To:
References:
Message-ID:

You can delete those older directories safely while MailScanner is idle and running (stopping MailScanner may sync the ramdisk, which means they will come back when MailScanner is started back up). If you are paranoid, you can get the current PIDs of all current MailScanner processes, just to be safe, and skip those directories, if present.

They normally auto-delete, but I have seen cases where they do not, such as a system crash, MailScanner crash, or permissions issue.

On Thu, Feb 21, 2019 at 5:41 PM Kevin Miller wrote:

> I noticed a couple of issues on my MailScanner boxes:
> 1: Old directories in /var/spool/MailScanner/Incoming:
>
> root at mx2:/var/spool/MailScanner/incoming# l
> total 252
> drwxrwx--- 2 postfix mtagroup 40 Jun 22 2018 10064
> drwxrwx--- 2 postfix mtagroup 40 Jan 23 04:41 10983
> drwxrwx--- 2 postfix mtagroup 40 Oct 5 15:17 11738
> drwxrwx--- 2 postfix mtagroup 40 Dec 16 09:35 1221
> drwxrwx--- 2 postfix mtagroup 40 Aug 16 2018 1259
> drwxrwx--- 2 postfix mtagroup 40 Dec 14 06:25 1267
> drwxrwx--- 2 postfix mtagroup 40 Jun 1 2018 13123
> drwxrwx--- 2 postfix mtagroup 40 Sep 27 13:50 14581
> drwxrwx--- 2 postfix mtagroup 40 Sep 25 14:53 1504
> drwxrwx--- 2 postfix mtagroup 40 Jan 23 06:26 15182
> drwxrwx--- 2 postfix mtagroup 40 Nov 7 06:25 15247
> drwxrwx--- 2 postfix mtagroup 40 Dec 14 16:50 15342
> drwxrwx--- 2 postfix mtagroup 40 Jan 21 14:56 15377
> drwxrwx--- 2 postfix mtagroup 40 Sep 25 14:55 1561
> ...snip...
>
> Shouldn't these be auto-deleted? I presume I can manually delete them if they're empty, yes?
>
> 2: I just ran MailScanner --lint which output the following:
> MailScanner.conf says "Virus Scanners = sophos clamd"
> mktemp: failed to create directory via template '/var/spool/MailScanner/incoming/clamav-tmp/tmp.XXXXXXXXXX': Permission denied
> Found these virus scanners installed: clamd, sophos
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> >>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/27249/1/neicar.com
> Virus Scanning: Sophos found 1 infections
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 1 infections
> Infected message 1 came from 10.1.1.1
> Infected message var came from
> Virus Scanning: Found 2 viruses
> ===========================================================================
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>
> It seems that clam-av is catching the infection, despite the clamav-tmp directory being inaccessible but I suspect there could be some other issues that could arise that I'm not seeing in a simple lint test.
>
> Also, this is puzzling:
> Other Checks: Found 1 problems
> What other check and what's the problem?
>
> I'm running both Sophos and clamav (clamd).
> Permission on /var/spool/MailScanner/incoming/clamav-tmp are:
> drwxr-xr-x 2 www-data www-data 40 Aug 10 2018 clamav-tmp
>
> What should the owner.group and perms be on that directory?
>
> ---
> Environment details:
> MailWatch Version: 1.2.12
> Operating System Version: Debian GNU/Linux 9 (stretch)
> Postfix Version: 3.1.9
> MailScanner Version: 5.0.7
> ClamAV Version: 0.100.2
> SpamAssassin Version: 3.4.2
> PHP Version: 7.0.33-0+deb9u1
> MySQL Version: 10.1.37-MariaDB-0+deb9u1
> GeoIP Database Version: GeoLite2 Country database 2019-02-05 05:36:24
>
> Incoming Work User = postfix
> Incoming Work Group = mtagroup
> /etc/group: mtagroup:x:1002:clamav,postfix,mail,www-data
> I'm also running Mailwatch
>
> Thanks...
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From iversons at rushville.k12.in.us Fri Feb 22 05:18:23 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 22 Feb 2019 00:18:23 -0500
Subject: More antivirus fun...
In-Reply-To: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local>
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local>
Message-ID:

Kevin,

https://github.com/MailScanner/v5/pull/353

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From kevin.miller at juneau.org Fri Feb 22 17:56:39 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 22 Feb 2019 17:56:39 +0000
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local>
Message-ID: <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local>

Thanks - I've always used the zip files so am clueless regarding git. Can I just download rep_viruses.php and drop it in place? I really should better myself and learn more about it, but I need to get the issue fixed before science projects.
I do have a github account which was created to report issues some years back, but I've never played w/it beyond that.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From mark at msapiro.net Fri Feb 22 18:17:41 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 22 Feb 2019 10:17:41 -0800
Subject: More antivirus fun...
In-Reply-To: <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local>
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local>
Message-ID: <93370047-4996-6b34-fa0b-96157284422c@msapiro.net>

On 2/22/19 9:56 AM, Kevin Miller wrote:
> Thanks - I've always used the zip files so am clueless regarding git.
> Can I just download rep_viruses.php and drop it in place?

...

> Shawn wrote:
>
> https://github.com/MailScanner/v5/pull/353

I don't use MailWatch and have no idea about the current state of rep_viruses.php, but Shawn's referenced PR just changes the MailScanner file usr/share/MailScanner/perl/MailScanner/SweepViruses.pm.

If you go to https://github.com/MailScanner/v5/pull/353/files you will see the diff which just replaces lines 1512-1515 in that file with a single line. You can either just edit your file or you can download the whole file at or you can download a patch at https://github.com/MailScanner/v5/pull/353.diff.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B.
Dylan

From kevin.miller at juneau.org Fri Feb 22 18:31:43 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 22 Feb 2019 18:31:43 +0000
Subject: More antivirus fun...
In-Reply-To: <93370047-4996-6b34-fa0b-96157284422c@msapiro.net>
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net>
Message-ID:

Perfect. I'll make a quick edit and test.

Do you know if this patch is in the latest stable release? I'm on 5.0.7 and notice MailScanner v5.1.3-2 is available...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From kevin.miller at juneau.org Fri Feb 22 18:41:19 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 22 Feb 2019 18:41:19 +0000
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net>
Message-ID:

Looks like it's time to upgrade regardless. My SweepViruses.pm doesn't remotely match so the diff is not applicable.

Thanks all for the feedback none-the-less...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From mark at msapiro.net Fri Feb 22 18:43:23 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 22 Feb 2019 10:43:23 -0800
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net>
Message-ID:

On 2/22/19 10:31 AM, Kevin Miller wrote:
> Perfect. I'll make a quick edit and test.
>
> Do you know if this patch is in the latest stable release? I'm on 5.0.7 and notice MailScanner v5.1.3-2 is available...

Yes, the patch is in 5.1.3-2 as are some others related to Sophos. See .

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From kevin.miller at juneau.org Fri Feb 22 19:31:45 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 22 Feb 2019 19:31:45 +0000
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net>
Message-ID:

Sweet. Just upgraded on my test box. It's sure getting painless to do so!

One quick question. The upgrade process asked "Do you wish to install the Sendmail::Milter interface? [yes]" I said yes as that was the default, but wasn't really sure what the implications of that are. I'm running Postfix, but don't yet want to convert from the old way of using MailScanner with Postfix to the milter just yet. I presume that using the default was the appropriate selection in this case, correct?

root at mxt:~# dpkg -l | grep -i milter
ii libmilter1.0.1:amd64 8.15.2-8 amd64 Sendmail Mail Filter API (Milter)

Best...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From iversons at rushville.k12.in.us Fri Feb 22 19:32:37 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 22 Feb 2019 14:32:37 -0500
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net>
Message-ID:

Yes

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From mark at msapiro.net Fri Feb 22 21:23:09 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Fri, 22 Feb 2019 13:23:09 -0800
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net>
Message-ID: <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net>

On 2/22/19 11:31 AM, Kevin Miller wrote:
>
> One quick question. The upgrade process asked "Do you wish to install the Sendmail::Milter interface? [yes]" I said yes as that was the default, but wasn't really sure what the implications of that are.

The implication is should you now choose to configure the Postfix milter option in MailScanner, you have the necessary pieces.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From kevin.miller at juneau.org Fri Feb 22 23:15:23 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 22 Feb 2019 23:15:23 +0000
Subject: More antivirus fun...
In-Reply-To: <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net>
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net>
Message-ID: <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local>

I should have said ramifications. But you're quite right.
Good to know all the pieces are in place.

I keep a test virtual Mailscanner/MailWatch/Postbox on hand for such purposes. Since I can create snapshots, it's easy to start over if I totally bollix it up.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From iversons at rushville.k12.in.us Fri Feb 22 23:45:02 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Fri, 22 Feb 2019 18:45:02 -0500
Subject: More antivirus fun...
In-Reply-To: <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local>
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local>
Message-ID:

Kevin,

You are in good hands :)

My MailScanner test environment has grown to four physical hosts in a cluster running various distributions of MailScanner and upgrade paths :D I have (not kidding) about a dozen virtual machines with snapshots and now some LXC containers. The goal: blow it up here first before releasing it.

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From kevin.miller at juneau.org Sat Feb 23 01:36:13 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Sat, 23 Feb 2019 01:36:13 +0000
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local>
Message-ID:

Thanks - it's much appreciated!

I have my boxes upgraded to MailScanner version: 5.1.3, and Sophos is working just jiffy on them. On two (of five) however, clamd is now acting sort of goofy. MailScanner --lint reports this:

Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::ERROR:: Can't open file or directory ERROR :: ./1/neicar.com
Virus Scanning: Clamd found 2 infections
>>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/2642/1/eicar.com
Virus Scanning: Sophos found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 3 viruses

It's catching viruses, but note line three - for some reason it "Can't open file or directory ERROR :: ./1/neicar.com"

The config is (or should be) the same on all the boxes. I'm stumped.
Not going to worry about it until Monday (it's quitting time) and clamd seems to be catching the viruses so I guess it's safe to ignore for a couple days.

Have a great weekend all...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From kevin.chege at gmail.com Sat Feb 23 14:48:36 2019
From: kevin.chege at gmail.com (Kevin G. Chege)
Date: Sat, 23 Feb 2019 17:48:36 +0300
Subject: Milter not starting
Message-ID:

Hi,

I would like to test the Milter feature on MailScanner but it does not seem to start. I have looked at other configs and tried to adapt to a FreeBSD 12 setup. Here is what I have:

Milter Max Children = 10
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/MailScanner/milterin
Outgoing Queue Dir = /var/spool/MailScanner/milterout
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Milter PID File = /var/run/MSMilter.pid
Restart Every = 7200
MTA = MSMail
MSMail Queue Type = short
Milter Scanner = yes
Milter Port = 33333
Milter Bind = 127.0.1.25

The pid file (/var/run/MSMilter.pid) is not created and there is nothing on port 33333. No errors in the log either and I don't see anything off when I run "MailScanner --lint"

What am I missing?

Thanks
Kevin
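The two symptoms reported in the message above (no PID file, nothing on the milter port), turned into a repeatable check; this is an added Python example, not part of the original post and not MailScanner code. It reads the `Milter PID File`, `Milter Bind` and `Milter Port` settings in the `Key = value` form quoted there; the function names and verdict strings are hypothetical.

```python
"""Triage for a MailScanner milter that is configured but not answering.

Added example: function names and verdict strings are hypothetical; the
sample settings are the milter-related lines from the message above.
"""
import os
import socket

# Milter-related settings as posted in the message.
POSTED_CONF = """\
Milter PID File = /var/run/MSMilter.pid
Milter Scanner = yes
Milter Port = 33333
Milter Bind = 127.0.1.25
"""


def parse_conf(text):
    """Parse 'Key = value' lines into a dict.

    Keys are lower-cased with runs of whitespace collapsed, so
    'Milter  PID file' and 'milter pid file' are the same key.
    Text after '#' is treated as a comment.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[" ".join(key.lower().split())] = value.strip()
    return conf


def pid_state(pid_file):
    """Return 'missing', 'unreadable', 'stale' or 'running'."""
    try:
        with open(pid_file) as fh:
            pid = int(fh.read().strip())
    except FileNotFoundError:
        return "missing"
    except (OSError, ValueError):
        return "unreadable"
    if pid <= 0:
        return "unreadable"  # 0 and negatives address process groups
    try:
        os.kill(pid, 0)  # signal 0 delivers nothing; it only tests existence
    except ProcessLookupError:
        return "stale"   # PID file left behind by a process that is gone
    except PermissionError:
        pass             # process exists but belongs to another user
    return "running"


def is_listening(host, port, timeout=1.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(conf_text):
    """Combine the PID-file and socket checks into one verdict."""
    conf = parse_conf(conf_text)
    missing = [k for k in ("milter pid file", "milter bind", "milter port")
               if k not in conf]
    if missing:
        return {"verdict": "config-incomplete", "missing": missing}
    pid = pid_state(conf["milter pid file"])
    listening = is_listening(conf["milter bind"], int(conf["milter port"]))
    if listening and pid == "running":
        verdict = "ok"
    elif listening:
        verdict = "listening-but-pid-" + pid
    elif pid == "missing":
        verdict = "not-started"            # the case reported in the message
    elif pid == "stale":
        verdict = "died"                   # started once, then exited
    elif pid == "running":
        verdict = "running-not-listening"  # compare Milter Bind / Milter Port
    else:
        verdict = "pid-file-unreadable"
    return {"verdict": verdict, "pid": pid, "listening": listening}


if __name__ == "__main__":
    print(triage(POSTED_CONF))
```

A `not-started` verdict separates "the milter process was never launched" from a bind or port mismatch, which shows up as `running-not-listening`.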
From mark at msapiro.net Sat Feb 23 19:54:53 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Sat, 23 Feb 2019 11:54:53 -0800
Subject: Milter not starting
In-Reply-To:
References:
Message-ID: <511a11a8-e32d-bafa-47a1-02f58a3ff2fe@msapiro.net>

On 2/23/19 6:48 AM, Kevin G. Chege wrote:
> Hi,
>
> I would like to test the Milter feature on MailScanner but it does not seem to start....
> What am I missing?

The milter doesn't start itself. If you use systemd, try

systemctl enable msmilter

Otherwise, there is an init script at /usr/lib/MailScanner/init/msmilter-init and a systemd script at /usr/lib/MailScanner/systemd/ms-milter.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From kevin.miller at juneau.org Mon Feb 25 20:30:11 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Mon, 25 Feb 2019 20:30:11 +0000
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local>
Message-ID:

Following up on last week's upgrades. To wit, on a couple of my hosts clamd is working as advertised. On a couple others, it's only partially working.

I ran MailScanner --lint on a fully working box, mxt, and a partially working box, mx1 and compared the /var/log/clamav/clamav.log files.

mxt:
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1/neicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND

mx1:
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1/neicar.com: Can't open file or directory ERROR

So it appears that for whatever reason "neicar.com" isn't found on mx1, the partially working box. The directory is available, as evidenced by the first log entry.

I did a "locate neicar.com" on both hosts and neither returned a location for that filename, but perhaps it's created on the fly by the lint process?

Permissions match on both hosts.

It's a puzzler...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Kevin Miller
Sent: Friday, February 22, 2019 4:36 PM
To: 'MailScanner Discussion'
Subject: RE: More antivirus fun...

Thanks - it's much appreciated!

I have my boxes upgraded to MailScanner version: 5.1.3, and Sophos is working just jiffy on them.
On two (of five) however, clamd is now acting sort of goofy. MailScanner --lint reports this:

Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::ERROR:: Can't open file or directory ERROR :: ./1/neicar.com
Virus Scanning: Clamd found 2 infections
>>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/2642/1/eicar.com
Virus Scanning: Sophos found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 3 viruses

It's catching viruses, but note line three - for some reason it "Can't open file or directory ERROR :: ./1/neicar.com"

The config is (or should be) the same on all the boxes. I'm stumped. Not going to worry about it until Monday (it's quitting time) and clamd seems to be catching the viruses so I guess it's safe to ignore for a couple days.

Have a great weekend all...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Shawn Iverson via MailScanner
Sent: Friday, February 22, 2019 2:45 PM
To: MailScanner Discussion
Cc: Shawn Iverson
Subject: Re: More antivirus fun...

Kevin,

You are in good hands :)

My MailScanner test environment has grown to four physical hosts in a cluster running various distributions of MailScanner and upgrade paths :D I have (not kidding) about a dozen virtual machines with snapshots and now some LXC containers. The goal: blow it up here first before releasing it.

On Fri, Feb 22, 2019 at 6:15 PM Kevin Miller wrote:
I should have said ramifications. But you're quite right. Good to know all the pieces are in place.

I keep a test virtual Mailscanner/MailWatch/Postbox on hand for such purposes. Since I can create snapshots, it's easy to start over if I totally bollix it up.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Friday, February 22, 2019 12:23 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: More antivirus fun...

On 2/22/19 11:31 AM, Kevin Miller wrote:
>
> One quick question. The upgrade process asked "Do you wish to install the Sendmail::Milter interface? [yes]" I said yes as that was the default, but wasn't really sure what the implications of that are.

The implication is should you now choose to configure the Postfix milter option in MailScanner, you have the necessary pieces.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

From iversons at rushville.k12.in.us Mon Feb 25 20:33:43 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 25 Feb 2019 15:33:43 -0500
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local>
Message-ID:

Is the clam user in the mtagroup on all hosts?

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
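
The group question above matters because clamd is handed file paths and opens them as its own account, so every directory from the spool root down has to grant that account search permission and the file itself has to grant read. The following is an added example, not part of the thread or of MailScanner: it walks a path and reports the first component a given uid and group set cannot pass, using classic mode bits only (ACLs and MAC policy such as SELinux or AppArmor are not evaluated); the tree, modes and ids in demo() are constructed.

```python
"""Added example: mode-bit walk for a scanner account over a constructed
spool tree. Paths, modes and ids below are constructed, not taken from the
hosts discussed in the thread."""
import os
import pwd
import shutil
import stat
import tempfile

_BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
         "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}


def allowed(st, uid, gids, want):
    """Classic Unix rule: exactly one class (owner, group, other) applies.
    `want` is "x" to search a directory or "r" to read a file."""
    if uid == 0:
        return True                      # root is not limited by mode bits
    owner, group, other = _BITS[want]
    if st.st_uid == uid:
        return bool(st.st_mode & owner)
    if st.st_gid in gids:
        return bool(st.st_mode & group)
    return bool(st.st_mode & other)


def first_blocked(base, target, uid, gids):
    """Walk from base down to target. Return (path, reason) for the first
    component the account cannot pass, or None when the chain is open."""
    base, target = os.path.abspath(base), os.path.abspath(target)
    parts = os.path.relpath(target, base).split(os.sep)
    if parts[0] == os.pardir:
        raise ValueError("target is not below base")
    chain = [base]
    for part in parts:
        if part != os.curdir:
            chain.append(os.path.join(chain[-1], part))
    for path in chain:
        try:
            st = os.stat(path)           # run as root so the walk itself is not blocked
        except FileNotFoundError:
            return (path, "missing")     # e.g. work files already cleaned up
        want = "x" if stat.S_ISDIR(st.st_mode) else "r"
        if not allowed(st, uid, gids, want):
            return (path, "no " + want)
    return None


def ids_for(user):
    """uid and configured group ids of a local account, e.g. ids_for("clamav")."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))


def demo():
    """Build a constructed tree shaped like the spool path in the thread and
    evaluate it for a hypothetical scanner account."""
    base = tempfile.mkdtemp()
    incoming = os.path.join(base, "incoming")
    batch = os.path.join(incoming, "13106")
    sub = os.path.join(batch, "1")
    os.makedirs(sub)
    msg = os.path.join(batch, "1.message")
    att = os.path.join(sub, "neicar.com")
    for name in (msg, att):
        with open(name, "w") as fh:
            fh.write("constructed placeholder\n")
    for path, mode in ((base, 0o755), (incoming, 0o750), (batch, 0o750),
                       (sub, 0o700),     # constructed fault: no group access
                       (msg, 0o640), (att, 0o640)):
        os.chmod(path, mode)
    st = os.stat(sub)
    uid = st.st_uid + 1                  # hypothetical account, not the owner
    member = {st.st_gid}                 # hypothetical: in the spool's group
    out = {
        "message": first_blocked(base, msg, uid, member),
        "attachment": first_blocked(base, att, uid, member),
        "not_in_group": first_blocked(base, att, uid, set()),
    }
    os.chmod(sub, 0o750)                 # grant the group search permission
    out["after_fix"] = first_blocked(base, att, uid, member)
    out["cleaned_up"] = first_blocked(base, att + ".gone", uid, member)
    shutil.rmtree(base)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "open")
```

For a running daemon, take the uid and groups from the process itself (the Uid: and Groups: lines of /proc/<pid>/status on Linux) rather than from /etc/group, because supplementary groups are fixed when the process starts and a membership added afterwards does not apply until clamd is restarted.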

From kevin.miller at juneau.org Mon Feb 25 20:42:31 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Mon, 25 Feb 2019 20:42:31 +0000
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local>
Message-ID:

Yup:

root@mx1:/var/spool/MailScanner/incoming# grep mtagroup /etc/group
mtagroup:x:1002:clamav,postfix,mail,www-data,sophosav

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From iversons at rushville.k12.in.us Mon Feb 25 23:00:38 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Mon, 25 Feb 2019 18:00:38 -0500
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local>
Message-ID:

The error message is pretty generic... could be it is not parsing properly, or can't write the file after parsing, or can't open the directory, or can't access the file... also add in the fact that MailScanner keeps the files very briefly and dumps them after scanning...

The neicar.com is created as an attachment to the test message during MailScanner lint testing and subsequently parsed as a regular message. The n is just a prefix added as part of the disarming process.

Are the versions of MIME::Parser the same on all the hosts?

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From kevin.miller at juneau.org Mon Feb 25 23:49:56 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Mon, 25 Feb 2019 23:49:56 +0000
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local>
Message-ID: <0b26154bb2e44d37b07b7d08b332456f@City-Exch-DB2.cbj.local>

They are the same: 5.509 MIME::Parser

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357 From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Shawn Iverson via MailScanner Sent: Monday, February 25, 2019 2:01 PM To: MailScanner Discussion Cc: Shawn Iverson Subject: Re: More antivirus fun... The error message is pretty generic....could be it is not parsing properly, or can't write the file after parsing, or can't open the directory, or can't access the file...also add in the fact that MailScanner keeps the files very briefly and dumps them after scanning... The neicar.com is created as an attachment to the test message during MailScanner lint testing and subsequently parsed as a regular message. The n is just a prefix added as part of the disarming process. Are the versions of MIME::Parser the same on all the hosts? On Mon, Feb 25, 2019 at 3:33 PM Shawn Iverson > wrote: Is the clam user in the mtagroup on all hosts? On Mon, Feb 25, 2019 at 3:30 PM Kevin Miller > wrote: Following up on last weeks upgrades. To wit, on a couple of my hosts clamd is working as advertised. On a couple others, it's only partially working. I ran MailScanner --lint on a fully working box, mxt, and a partially working box, mx1 and compared the /var/log/clamav/clamav.log files. 
mxt: Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1/neicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND mx1: Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1/neicar.com: Can't open file or directory ERROR So it appears that for whatever reason "neicar.com" isn't found on mx1, the partially working box. The directory is available, as evidenced by the fist log entry. I did a "locate neicar.com" on both hosts and neither returned a location for that filename, but perhaps it's created on the fly by the lint process? Permissions match on both hosts. It's a puzzler... ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357 -----Original Message----- From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Kevin Miller Sent: Friday, February 22, 2019 4:36 PM To: 'MailScanner Discussion' Subject: RE: More antivirus fun... Thanks ? it?s much appreciated! I have my boxes upgraded to MailScanner version: 5.1.3, and Sophos is working just jiffy on them. On two (of five) however, clamd is now acting sort of goofy. 
MailScanner ?lint report this: Virus and Content Scanning: Starting Clamd::INFECTED::Eicar-Test-Signature :: ./1/ Clamd::ERROR:: Can't open file or directory ERROR :: ./1/neicar.com Virus Scanning: Clamd found 2 infections >>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/2642/1/eicar.com Virus Scanning: Sophos found 1 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 3 viruses It's catching viruses, but note line three - for some reason it "Can't open file or directory ERROR :: ./1/neicar.com" The config is (or should be) the same on all the boxes. I'm stumped. Not going to worry about it until Monday (it's quitting time) and clamd seems to be catching the viruses so I guess it's safe to ignore for a couple days. Have a great weekend all... ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357 From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Shawn Iverson via MailScanner Sent: Friday, February 22, 2019 2:45 PM To: MailScanner Discussion Cc: Shawn Iverson Subject: Re: More antivirus fun... Kevin, You are in good hands :) My MailScanner test environment has grown to four physical hosts in a cluster running various distributions of MailScanner and upgrade paths :D I have (not kidding) about a dozen virtual machines with snapshots and now some LXC containers. The goal: blow it up here first before releasing it. On Fri, Feb 22, 2019 at 6:15 PM Kevin Miller > wrote: I should have said ramifications. But you're quite right. Good to know all the pieces are in place. I keep a test virtual Mailscanner/MailWatch/Postbox on hand for such purposes. Since I can create snapshots, it's easy to start over if I totally bollix it up. ...Kevin -- Kevin Miller Network/email Administrator, CBJ MIS Dept. 
155 South Seward Street Juneau, Alaska 99801 Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357 -----Original Message----- From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Mark Sapiro Sent: Friday, February 22, 2019 12:23 PM To: mailscanner at lists.mailscanner.info Subject: Re: More antivirus fun... On 2/22/19 11:31 AM, Kevin Miller wrote: > > One quick question. The upgrade process asked "Do you wish to install the Sendmail::Milter interface? [yes]" I said yes as that was the default, but wasn't really sure what the implications of that are. The implication is should you now choose to configure the Postfix milter option in MailScanner, you have the necessary pieces. -- Mark Sapiro > The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- Shawn Iverson, CETL Director of Technology Rush County Schools 765-932-3901 option 7 iversons at rushville.k12.in.us -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- MailScanner mailing list mailscanner at lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner -- Shawn Iverson, CETL Director of Technology Rush County Schools 765-932-3901 option 7 iversons at rushville.k12.in.us [https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_cy1OZFNIZ0drYVU&revid=0Bw5iD0ToYvs_UitIcHVIWkJVVTl2VGpxVUE0d0FQcHBIRXk4PQ][https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_Zkh4eEs3R01yWXc&revid=0Bw5iD0ToYvs_QWpBK2Y2ajJtYjhOMDRFekZwK2xOamk5Q3Y0PQ] 
[https://docs.google.com/uc?export=download&id=1aBrlQou4gjB04FY-twHN_0Dn3GHVNxqa&revid=0Bw5iD0ToYvs_RnQ0eDhHcm95WHBFdkNRbXhQRXpoYkR6SEEwPQ] -- Shawn Iverson, CETL Director of Technology Rush County Schools 765-932-3901 option 7 iversons at rushville.k12.in.us [https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_cy1OZFNIZ0drYVU&revid=0Bw5iD0ToYvs_UitIcHVIWkJVVTl2VGpxVUE0d0FQcHBIRXk4PQ][https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_Zkh4eEs3R01yWXc&revid=0Bw5iD0ToYvs_QWpBK2Y2ajJtYjhOMDRFekZwK2xOamk5Q3Y0PQ] [https://docs.google.com/uc?export=download&id=1aBrlQou4gjB04FY-twHN_0Dn3GHVNxqa&revid=0Bw5iD0ToYvs_RnQ0eDhHcm95WHBFdkNRbXhQRXpoYkR6SEEwPQ] -------------- next part -------------- An HTML attachment was scrubbed... URL: From iversons at rushville.k12.in.us Mon Feb 25 23:53:19 2019 From: iversons at rushville.k12.in.us (Shawn Iverson) Date: Mon, 25 Feb 2019 18:53:19 -0500 Subject: More antivirus fun... In-Reply-To: <0b26154bb2e44d37b07b7d08b332456f@City-Exch-DB2.cbj.local> References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local> <0b26154bb2e44d37b07b7d08b332456f@City-Exch-DB2.cbj.local> Message-ID: Are the permissions the same alone the entire directory tree? from /var all the way down? On Mon, Feb 25, 2019 at 6:50 PM Kevin Miller wrote: > They are the same: 5.509 MIME::Parser > > > > > > ...Kevin > > -- > > Kevin Miller > > Network/email Administrator, CBJ MIS Dept. 
> > 155 South Seward Street > > Juneau, Alaska 99801 > > Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357 > > > > *From:* MailScanner [mailto:mailscanner-bounces+kevin.miller= > juneau.org at lists.mailscanner.info] *On Behalf Of *Shawn Iverson via > MailScanner > *Sent:* Monday, February 25, 2019 2:01 PM > *To:* MailScanner Discussion > *Cc:* Shawn Iverson > *Subject:* Re: More antivirus fun... > > > > The error message is pretty generic....could be it is not parsing > properly, or can't write the file after parsing, or can't open the > directory, or can't access the file...also add in the fact that MailScanner > keeps the files very briefly and dumps them after scanning... > > > > The neicar.com is created as an attachment to the test message during > MailScanner lint testing and subsequently parsed as a regular message. The > n is just a prefix added as part of the disarming process. > > > > Are the versions of MIME::Parser the same on all the hosts? > > > > On Mon, Feb 25, 2019 at 3:33 PM Shawn Iverson < > iversons at rushville.k12.in.us> wrote: > > Is the clam user in the mtagroup on all hosts? > > > > On Mon, Feb 25, 2019 at 3:30 PM Kevin Miller > wrote: > > Following up on last weeks upgrades. > > To wit, on a couple of my hosts clamd is working as advertised. On a > couple others, it's only partially working. I ran MailScanner --lint on a > fully working box, mxt, and a partially working box, mx1 and compared the > /var/log/clamav/clamav.log files. 
> > mxt: > Mon Feb 25 10:47:48 2019 -> > /var/spool/MailScanner/incoming/65439/1.message: > Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND > Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1/ > neicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) > FOUND > > mx1: > Mon Feb 25 10:31:20 2019 -> > /var/spool/MailScanner/incoming/13106/1.message: > Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND > Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1/ > neicar.com: Can't open file or directory ERROR > > So it appears that for whatever reason "neicar.com" isn't found on mx1, > the partially working box. The directory is available, as evidenced by the > fist log entry. > > I did a "locate neicar.com" on both hosts and neither returned a location > for that filename, but perhaps it's created on the fly by the lint process? > > Permissions match on both hosts. > > It's a puzzler... > > ...Kevin > -- > Kevin Miller > Network/email Administrator, CBJ MIS Dept. > 155 South Seward Street > Juneau, Alaska 99801 > Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357 > > > -----Original Message----- > From: MailScanner [mailto:mailscanner-bounces+kevin.miller= > juneau.org at lists.mailscanner.info] On Behalf Of Kevin Miller > Sent: Friday, February 22, 2019 4:36 PM > To: 'MailScanner Discussion' > Subject: RE: More antivirus fun... > > Thanks ? it?s much appreciated! > > I have my boxes upgraded to MailScanner version: 5.1.3, and Sophos is > working just jiffy on them. > On two (of five) however, clamd is now acting sort of goofy. 
> MailScanner --lint reports this:
>
> Virus and Content Scanning: Starting
> Clamd::INFECTED::Eicar-Test-Signature :: ./1/
> Clamd::ERROR:: Can't open file or directory ERROR :: ./1/neicar.com
> Virus Scanning: Clamd found 2 infections
> >>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/2642/1/eicar.com
> Virus Scanning: Sophos found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 3 viruses
>
> It's catching viruses, but note line three - for some reason it "Can't open file or directory ERROR :: ./1/neicar.com"
>
> The config is (or should be) the same on all the boxes. I'm stumped. Not going to worry about it until Monday (it's quitting time) and clamd seems to be catching the viruses so I guess it's safe to ignore for a couple days.
>
> Have a great weekend all...
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
> From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Shawn Iverson via MailScanner
> Sent: Friday, February 22, 2019 2:45 PM
> To: MailScanner Discussion
> Cc: Shawn Iverson
> Subject: Re: More antivirus fun...
>
> Kevin,
>
> You are in good hands :)
>
> My MailScanner test environment has grown to four physical hosts in a cluster running various distributions of MailScanner and upgrade paths :D
> I have (not kidding) about a dozen virtual machines with snapshots and now some LXC containers. The goal: blow it up here first before releasing it.
>
> On Fri, Feb 22, 2019 at 6:15 PM Kevin Miller wrote:
> I should have said ramifications. But you're quite right. Good to know all the pieces are in place.
>
> I keep a test virtual Mailscanner/MailWatch/Postbox on hand for such purposes. Since I can create snapshots, it's easy to start over if I totally bollix it up.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Mark Sapiro
> Sent: Friday, February 22, 2019 12:23 PM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: More antivirus fun...
>
> On 2/22/19 11:31 AM, Kevin Miller wrote:
> >
> > One quick question. The upgrade process asked "Do you wish to install the Sendmail::Milter interface? [yes]" I said yes as that was the default, but wasn't really sure what the implications of that are.
>
> The implication is should you now choose to configure the Postfix milter option in MailScanner, you have the necessary pieces.
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 option 7
> iversons at rushville.k12.in.us
--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From mark at msapiro.net Tue Feb 26 00:05:40 2019
From: mark at msapiro.net (Mark Sapiro)
Date: Mon, 25 Feb 2019 16:05:40 -0800
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local> <0b26154bb2e44d37b07b7d08b332456f@City-Exch-DB2.cbj.local>
Message-ID: <2eedf3e4-ee58-5fce-ea8e-fd5e68b63840@msapiro.net>

On 2/25/19 3:53 PM, Shawn Iverson via MailScanner wrote:
> Are the permissions the same along the entire directory tree? from /var
> all the way down?

And if so, could this possibly be some kind of SELinux or apparmor issue?

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From kevin.miller at juneau.org Tue Feb 26 01:04:39 2019
From: kevin.miller at juneau.org (Kevin Miller)
Date: Tue, 26 Feb 2019 01:04:39 +0000
Subject: More antivirus fun...
In-Reply-To:
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local> <0b26154bb2e44d37b07b7d08b332456f@City-Exch-DB2.cbj.local>
Message-ID: <52ea6fd73d974914803fac1d50e8d4cf@City-Exch-DB2.cbj.local>

Yeah - right on down the line.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Shawn Iverson via MailScanner
Sent: Monday, February 25, 2019 2:53 PM
To: MailScanner Discussion
Cc: Shawn Iverson
Subject: Re: More antivirus fun...

Are the permissions the same along the entire directory tree? from /var all the way down?

From iversons at rushville.k12.in.us Tue Feb 26 18:24:54 2019
From: iversons at rushville.k12.in.us (Shawn Iverson)
Date: Tue, 26 Feb 2019 13:24:54 -0500
Subject: More antivirus fun...
In-Reply-To: <52ea6fd73d974914803fac1d50e8d4cf@City-Exch-DB2.cbj.local>
References: <057e05c68f344649aed7b541cea4e1c4@City-Exch-DB2.cbj.local> <48299224a6c3484db04f30e94010c72a@City-Exch-DB2.cbj.local> <93370047-4996-6b34-fa0b-96157284422c@msapiro.net> <41128c53-bfab-affa-4c03-7e2fd4cf22a0@msapiro.net> <4dec1ed82b434ab685d84d4b21025535@City-Exch-DB2.cbj.local> <0b26154bb2e44d37b07b7d08b332456f@City-Exch-DB2.cbj.local> <52ea6fd73d974914803fac1d50e8d4cf@City-Exch-DB2.cbj.local>
Message-ID:

Kevin,

If you're game, I would like to help you add some debugging code so we can see what is happening in greater detail.

On Mon, Feb 25, 2019 at 8:04 PM Kevin Miller wrote:

> Yeah - right on down the line.
>
> ...Kevin
>
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
> *From:* MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] *On Behalf Of* Shawn Iverson via MailScanner
> *Sent:* Monday, February 25, 2019 2:53 PM
> *To:* MailScanner Discussion
> *Cc:* Shawn Iverson
> *Subject:* Re: More antivirus fun...
>
> Are the permissions the same along the entire directory tree? from /var all the way down?

--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us

From kevin.chege at gmail.com Wed Feb 27 10:07:12 2019
From: kevin.chege at gmail.com (Kevin G. Chege)
Date: Wed, 27 Feb 2019 13:07:12 +0300
Subject: Milter not starting
In-Reply-To: <511a11a8-e32d-bafa-47a1-02f58a3ff2fe@msapiro.net>
References: <511a11a8-e32d-bafa-47a1-02f58a3ff2fe@msapiro.net>
Message-ID:

Thank you Mark. I got it to start and am testing it out.

My environment is FreeBSD and the path is:
/usr/local/lib/MailScanner/init/msmilter-init

I also had to edit that file and change the "DAEMON" path to
DAEMON=/usr/local/sbin/MSMilter

Continuing to test now.

Kevin

On Sat, Feb 23, 2019 at 10:55 PM Mark Sapiro wrote:

> On 2/23/19 6:48 AM, Kevin G. Chege wrote:
> > Hi,
> >
> > I would like to test the Milter feature on MailScanner but it does not
> > seem to start....
> > What am I missing?
>
> The milter doesn't start itself. If you use systemd, try
>
> systemctl enable msmilter
>
> Otherwise, there is an init script at
> /usr/lib/MailScanner/init/msmilter-init and a systemd script at
> /usr/lib/MailScanner/systemd/ms-milter.
>
> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
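
The two checks raised in the "More antivirus fun..." thread above (is the clam user in mtagroup, and do permissions match from /var all the way down) can be run the same way on every host. The Python below is an added example, not code from the thread or from MailScanner; the account name `clamav` and the default path are assumptions, and it evaluates classic mode bits only, so POSIX ACLs and SELinux or AppArmor policy are outside what it sees.

```python
import grp, os, pwd, stat, sys

def ids_for(user):
    """uid and full gid set (primary + supplementary) for a local account."""
    pw = pwd.getpwnam(user)
    extra = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, {pw.pw_gid} | extra

def applicable_bits(st, uid, gids):
    """rwx triplet the DAC check uses: owner class, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(target, uid, gids, start="/var"):
    """Walk start -> target. Return (path, octal mode) of the first component
    whose mode bits stop this uid/gids, (path, "missing") if it does not
    exist, or None when the whole chain is passable."""
    start, target = os.path.abspath(start), os.path.abspath(target)
    rel = os.path.relpath(target, start)
    if rel.split(os.sep)[0] == os.pardir:
        raise ValueError("target is not below start")
    chain = [start]
    for part in ([] if rel == os.curdir else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    for i, path in enumerate(chain):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            return path, "missing"
        last = i == len(chain) - 1
        if stat.S_ISDIR(st.st_mode):
            need = 0o5 if last else 0o1   # list+search the target dir, search parents
        else:
            need = 0o4                    # read the file being scanned
        if applicable_bits(st, uid, gids) & need != need:
            return path, "%04o" % stat.S_IMODE(st.st_mode)
    return None

if __name__ == "__main__":
    # Assumed defaults: account "clamav", MailScanner's incoming spool.
    user = sys.argv[1] if len(sys.argv) > 1 else "clamav"
    path = sys.argv[2] if len(sys.argv) > 2 else "/var/spool/MailScanner/incoming"
    print(first_blocker(path, *ids_for(user)))
```

Run as root so every component can be stat'ed, and point it at the incoming directory rather than a per-message file, since MailScanner removes those right after scanning. A host that prints `None` here while clamd still logs "Can't open file or directory" leaves ACLs or a mandatory access control policy as the remaining suspects.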