MailScanner and Postfix restart issue

Vitaliy T vitaliy.tokarev at gmail.com
Thu Jul 25 18:23:26 UTC 2019 

I have checked permissions on postfix start/stop via auditd:
1. service auditd start
2. auditctl -w /var/spool/postfix/hold -k postfix_hold
3. ausearch -k postfix_hold | aureport -f -i

Result:
1. The postfix restart does nothing on system where no mail traffic.
2. THe postfix restart calls fchmod syscall by postsuper process. The
output is below. The restart was completed on 1 and 2 points.

1. 07/25/2019 21:01:13 /var/spool/postfix/hold open yes /bin/find tvv 160
2. 07/25/2019 21:01:13 hold open yes /usr/sbin/postsuper tvv 159
3. 07/25/2019 21:01:44 hold open yes /usr/libexec/postfix/showq tvv 171
4. 07/25/2019 21:01:54 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
173
5. 07/25/2019 21:01:54 hold/5CEBB60FD5 rename yes
/usr/libexec/postfix/cleanup tvv 172
6. 07/25/2019 21:01:58 hold/F3C3E60FD5 rename yes
/usr/libexec/postfix/cleanup tvv 174
7. 07/25/2019 21:01:58 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
175
8. 07/25/2019 21:02:12 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
197
9. 07/25/2019 21:02:12 hold/2A37060FD5 rename yes
/usr/libexec/postfix/cleanup tvv 196
10. 07/25/2019 21:02:16 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
206
11. 07/25/2019 21:02:16 hold open yes /usr/libexec/postfix/showq tvv 204
12. 07/25/2019 21:02:16 hold/9232E60FD5 rename yes
/usr/libexec/postfix/cleanup tvv 205
13. 07/25/2019 21:02:47 hold open yes /usr/libexec/postfix/showq tvv 227
14. 07/25/2019 21:03:04 hold/76AA860FD5 rename yes
/usr/libexec/postfix/cleanup tvv 244
15. 07/25/2019 21:03:04 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
245
16. 07/25/2019 21:03:16 hold/7DB5B60FD5 rename yes
/usr/libexec/postfix/cleanup tvv 246
17. 07/25/2019 21:03:16 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
247
18. 07/25/2019 21:03:18 hold/DB76560FD6 rename yes
/usr/libexec/postfix/cleanup tvv 248
19. 07/25/2019 21:03:20 hold/7DB5B60FD5 open yes /usr/libexec/postfix/showq
tvv 251
20. 07/25/2019 21:03:20 hold/DB76560FD6 open yes /usr/libexec/postfix/showq
tvv 252
21. 07/25/2019 21:03:18 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
249
22. 07/25/2019 21:03:20 hold open yes /usr/libexec/postfix/showq tvv 250

I have to note that I have encountered with this issue on one of
installations with very high mail traffic (20k mails per day).
I see no this problem on another installations with much less traffic (less
than 5k/day).

I will keep enabled auditd to catch this error again and I will send a
message about details.

Shawn, I think it is a bad idea to disable auditd on CentOS 6 (EFA 3.0.2.6)
installation by default. I have noticed this right now, when I have needed
to check permissions on /var/spool/postfix/hold.
I understand that you are working on EFA 4 now, but please keep auditd
enabled by default on at least in EFA 4. Yes, it could produce lots of
logs, but there is logrotate to keep the log size within reasonable limits
I am saying this as a system administrator with about 10 years experience.

Thank you!


On Thu, Jul 25, 2019 at 8:10 PM Shawn Iverson via MailScanner <
mailscanner at lists.mailscanner.info> wrote:

> Check the permissions on /var/spool/postfix/hold before and after
> reloading postfix.  Are the permissions resetting on this directory?
>
> On Wed, Jul 24, 2019 at 12:46 PM Vitaliy T <vitaliy.tokarev at gmail.com>
> wrote:
>
>> Hello,
>>
>> Sorry, if the question below was already asked. Quick googling gives no
>> answers.
>>
>> I have encountered with the issue when the mailscanner just stop
>> processing any mail after the postfix's restart. There were no 100% CPU
>> usage, just mailscanner processes do nothing.
>>
>> I need to restart postfix to update its configuration (hash databases to
>> be clear). This is done by cron automatically.
>>
>> Is it possible that restarting postfix has affect on work of the
>> mailscanner process? I mean, is MailScanner is using socket connections to
>> postfix, may be file locks/checks or something similar?
>>
>> Are there recommendations about this case?
>>
>> Thank you!
>>
>> Rig:
>> EFA 3.0.2.6 installation
>> CentOS 6 x86_64
>> postfix-3.1.3-1.efa.el6.x86_64
>> MailScanner-5.0.7-1.noarch
>>
>> --
>> With Best Regards,
>> Vitaliy V. Tokarev
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 option 7
> iversons at rushville.k12.in.us
>
> [image: Cybersecurity]
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

-- 
With Best Regards,
Vitaliy V. Tokarev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20190725/b628aa00/attachment.html>

More information about the MailScanner mailing list