MailScanner: Suspected QP DOS

Wed Nov 25 16:50:21 UTC 2020

Thank you for the information, your permissions look good.

I think I see the problem.  There is step on the MIME parsing in this 
check that assumes that the email contains a regular body. This is not 
always true.

I will prepare a patch.

On 11/25/20 11:21 AM, Chaminda Indrajith wrote:
>
> Thanks Shawn, for the reply.
>
> This happened after the upgrade from 5.0.3 to the latest. OS is CentOS 
> 7. So, the directory permission remains unchanged. SELINUX is in 
> permissive mode. MailScanner runs as user postfix. By the way, Is 
> there a way of disabling QP DOC Checking? For your information, here 
> it shows the permissions of /var/spool/MailScanner
>
> [root at dot ~]# cd /var/spool/MailScanner/
>
> [root at dot MailScanner]# ls -la
>
> total 4
>
> drwxr-xr-x.  9 root    root 122 Nov 24 14:40 .
>
> drwxr-xr-x. 17 root    root 215 Apr 11  2018 ..
>
> drwxrwxr-x.  2 root    mtagroup 6 Nov  4 22:21 archive
>
> drwxrwx---.  9 postfix mtagroup 220 Nov 25 21:41 incoming
>
> drwxrwxr-x.  2 postfix mtagroup 6 Nov  4 22:21 milterin
>
> drwxrwxr-x.  2 postfix mtagroup 6 Nov  4 22:21 milterout
>
> drwxrwxr-x. 26 postfix apache 4096 Nov 25 00:00 quarantine
>
> drwxrwx---.  5 postfix mtagroup 107 Nov 24 14:33 ramdisk_store
>
> drwxrwsr-x.  2 postfix apache 58 Sep 30 08:15 spamassassin
>
> [root at dot MailScanner]# cd incoming
>
> [root at dot incoming]# ls -la
>
> total 308
>
> drwxrwx---. 9 postfix mtagroup 220 Nov 25 21:45 .
>
> drwxr-xr-x. 9 root    root 122 Nov 24 14:40 ..
>
> drwxrwx---. 2 postfix mtagroup 40 Nov 25 21:44 3063
>
> drwxrwx---. 2 postfix mtagroup 40 Nov 25 21:44 3225
>
> drwxrwx---. 2 postfix mtagroup 40 Nov 25 21:42 3325
>
> drwxrwx---. 4 postfix mtagroup 160 Nov 25 21:45 3489
>
> drwxrwx---. 2 postfix mtagroup 40 Nov 25 21:41 3526
>
> drwxr-xr-x. 2 root    postfix 200 Nov 25 18:31 Locks
>
> -rw-------. 1 postfix postfix 4096 Nov 25 21:45 Processing.db
>
> -rw-------. 1 postfix postfix 310272 Nov 25 21:45 SpamAssassin.cache.db
>
> drwxr-xr-x. 2 postfix root 100 Nov 25 21:45 SpamAssassin-Temp
>
> [root at dot incoming]# cd ../quarantine/
>
> [root at dot quarantine]# ls -la
>
> total 8
>
> drwxrwxr-x. 26 postfix apache 4096 Nov 25 00:00 .
>
> drwxr-xr-x.  9 root    root    122 Nov 24 14:40 ..
>
> drwxrwx---.  4 postfix apache   31 Nov  2 23:13 20201102
>
> drwxrwx---. 12 postfix apache  215 Nov  3 15:05 20201103
>
> drwxrwx---.  6 postfix apache   77 Nov  4 08:00 20201104
>
> drwxrwx---. 10 postfix apache  169 Nov  5 20:31 20201105
>
> drwxrwx---. 14 postfix apache  261 Nov  6 18:00 20201106
>
> drwxrwx---.  5 postfix apache   54 Nov  7 01:27 20201107
>
> drwxrwx---.  6 postfix apache   77 Nov  8 10:45 20201108
>
> drwxrwx---.  8 postfix apache  123 Nov  9 15:37 20201109
>
> [root at dot quarantine]# groups postfix
>
> postfix : postfix mail mtagroup
>
> [root at dot quarantine]# groups clamav
>
> groups: clamav: no such user
>
> [root at dot quarantine]# groups clamscan
>
> clamscan : clamscan virusgroup mtagroup
>
> Regards
>
> Chaminda Indrajith
>
> *From:* MailScanner 
> <mailscanner-bounces+indrajith=sltidc.lk at lists.mailscanner.info> *On 
> Behalf Of *Shawn Iverson via MailScanner
> *Sent:* Wednesday, November 25, 2020 9:24 PM
> *To:* mailscanner at lists.mailscanner.info
> *Cc:* Shawn Iverson <shawniverson at summitgrid.com>
> *Subject:* Re: MailScanner: Suspected QP DOS
>
> "could not read file" seems to indicate some form of permissions or 
> access control problem.  Have you double checked permissions on key 
> folders such as those within /var/spool/MailScanner?
>
> On 11/25/20 3:11 AM, Chaminda Indrajith wrote:
>
>     Hi,
>
>     After upgraded to the latest MailScanner (5.3.4), some of the read
>     receipts are blocked by MailScanner.
>
>     It shows the below message in the MailWatch. Let me know how to
>     allow these read receipts.
>
>     MailScanner: Suspected QP DOS
>     checks failed
>     could not read file
>
>     Thanks
>
>     Chaminda Indrajith
>
>
>
> -- 
>
> Shawn Iverson
> shawniverson at summitgrid.com <mailto:shawniverson at summitgrid.com>
>
-- 

Shawn Iverson
shawniverson at summitgrid.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20201125/566fe759/attachment.html>