MailScanner and Postfix restart issue

Shawn Iverson iversons at rushville.k12.in.us
Thu Jul 25 18:28:08 UTC 2019 

Auditd is enabled on v4.

On Thu, Jul 25, 2019, 2:24 PM Vitaliy T <vitaliy.tokarev at gmail.com wrote:

> I have checked permissions on postfix start/stop via auditd:
> 1. service auditd start
> 2. auditctl -w /var/spool/postfix/hold -k postfix_hold
> 3. ausearch -k postfix_hold | aureport -f -i
>
> Result:
> 1. The postfix restart does nothing on system where no mail traffic.
> 2. THe postfix restart calls fchmod syscall by postsuper process. The
> output is below. The restart was completed on 1 and 2 points.
>
> 1. 07/25/2019 21:01:13 /var/spool/postfix/hold open yes /bin/find tvv 160
> 2. 07/25/2019 21:01:13 hold open yes /usr/sbin/postsuper tvv 159
> 3. 07/25/2019 21:01:44 hold open yes /usr/libexec/postfix/showq tvv 171
> 4. 07/25/2019 21:01:54 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
> 173
> 5. 07/25/2019 21:01:54 hold/5CEBB60FD5 rename yes
> /usr/libexec/postfix/cleanup tvv 172
> 6. 07/25/2019 21:01:58 hold/F3C3E60FD5 rename yes
> /usr/libexec/postfix/cleanup tvv 174
> 7. 07/25/2019 21:01:58 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
> 175
> 8. 07/25/2019 21:02:12 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
> 197
> 9. 07/25/2019 21:02:12 hold/2A37060FD5 rename yes
> /usr/libexec/postfix/cleanup tvv 196
> 10. 07/25/2019 21:02:16 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
> 206
> 11. 07/25/2019 21:02:16 hold open yes /usr/libexec/postfix/showq tvv 204
> 12. 07/25/2019 21:02:16 hold/9232E60FD5 rename yes
> /usr/libexec/postfix/cleanup tvv 205
> 13. 07/25/2019 21:02:47 hold open yes /usr/libexec/postfix/showq tvv 227
> 14. 07/25/2019 21:03:04 hold/76AA860FD5 rename yes
> /usr/libexec/postfix/cleanup tvv 244
> 15. 07/25/2019 21:03:04 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
> 245
> 16. 07/25/2019 21:03:16 hold/7DB5B60FD5 rename yes
> /usr/libexec/postfix/cleanup tvv 246
> 17. 07/25/2019 21:03:16 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
> 247
> 18. 07/25/2019 21:03:18 hold/DB76560FD6 rename yes
> /usr/libexec/postfix/cleanup tvv 248
> 19. 07/25/2019 21:03:20 hold/7DB5B60FD5 open yes
> /usr/libexec/postfix/showq tvv 251
> 20. 07/25/2019 21:03:20 hold/DB76560FD6 open yes
> /usr/libexec/postfix/showq tvv 252
> 21. 07/25/2019 21:03:18 (null) fchmod yes /usr/libexec/postfix/cleanup tvv
> 249
> 22. 07/25/2019 21:03:20 hold open yes /usr/libexec/postfix/showq tvv 250
>
> I have to note that I have encountered with this issue on one of
> installations with very high mail traffic (20k mails per day).
> I see no this problem on another installations with much less traffic
> (less than 5k/day).
>
> I will keep enabled auditd to catch this error again and I will send a
> message about details.
>
> Shawn, I think it is a bad idea to disable auditd on CentOS 6 (EFA
> 3.0.2.6) installation by default. I have noticed this right now, when I
> have needed to check permissions on /var/spool/postfix/hold.
> I understand that you are working on EFA 4 now, but please keep auditd
> enabled by default on at least in EFA 4. Yes, it could produce lots of
> logs, but there is logrotate to keep the log size within reasonable limits
> I am saying this as a system administrator with about 10 years experience.
>
> Thank you!
>
>
> On Thu, Jul 25, 2019 at 8:10 PM Shawn Iverson via MailScanner <
> mailscanner at lists.mailscanner.info> wrote:
>
>> Check the permissions on /var/spool/postfix/hold before and after
>> reloading postfix.  Are the permissions resetting on this directory?
>>
>> On Wed, Jul 24, 2019 at 12:46 PM Vitaliy T <vitaliy.tokarev at gmail.com>
>> wrote:
>>
>>> Hello,
>>>
>>> Sorry, if the question below was already asked. Quick googling gives no
>>> answers.
>>>
>>> I have encountered with the issue when the mailscanner just stop
>>> processing any mail after the postfix's restart. There were no 100% CPU
>>> usage, just mailscanner processes do nothing.
>>>
>>> I need to restart postfix to update its configuration (hash databases to
>>> be clear). This is done by cron automatically.
>>>
>>> Is it possible that restarting postfix has affect on work of the
>>> mailscanner process? I mean, is MailScanner is using socket connections to
>>> postfix, may be file locks/checks or something similar?
>>>
>>> Are there recommendations about this case?
>>>
>>> Thank you!
>>>
>>> Rig:
>>> EFA 3.0.2.6 installation
>>> CentOS 6 x86_64
>>> postfix-3.1.3-1.efa.el6.x86_64
>>> MailScanner-5.0.7-1.noarch
>>>
>>> --
>>> With Best Regards,
>>> Vitaliy V. Tokarev
>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 option 7
>> iversons at rushville.k12.in.us
>>
>> [image: Cybersecurity]
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>
>
> --
> With Best Regards,
> Vitaliy V. Tokarev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20190725/e88ef63b/attachment.html>

More information about the MailScanner mailing list