From shawniverson at summitgrid.com Mon Mar 1 17:53:49 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 1 Mar 2021 12:53:49 -0500
Subject: URGENT - SILENT VIRUSES EXCEPTIONS
References: <3eef3284-6fab-de72-1f9c-04841f2b439b@gmail.com>
Message-ID: <1c666248-8dab-1749-5764-7717d3883edc@summitgrid.com>

I haven't had a chance to dig into this yet, but I have it noted to look when I can. Wouldn't be the first time something in the config says it works but doesn't in reality...

On 2/27/21 1:06 PM, aris fesarlis wrote:
>
>> "Notify Senders" must also be set to yes for this to work, so you
>> probably need this as well.
>
> Thank you for both replies.
>
> 1. Notify Senders is *yes*.
>
> 2. Changing the order does not make any difference.
>
> 3. I have noticed that the only way to achieve this is by setting
> "Silent Viruses" to Null. But obviously this cannot be done. However
> the author states that *'Silent Viruses' can also be a ruleset* (the
> ruleset in my first post is about this). But it does not work. So I
> wonder if indeed a ruleset can be applied and what is its syntax.
>
> Thanks again

From zephyr at flytonet.com Fri Mar 12 09:12:14 2021
From: zephyr at flytonet.com (zephyr)
Date: Fri, 12 Mar 2021 17:12:14 +0800
Subject: The issue of checking filename from mailscanner
Message-ID: <003101d7171f$cbf2f000$63d8d000$@flytonet.com>

I use filename.rules.conf to detect unallowed filenames, and set a parameter such as "deny \.iso$" to quarantine the email message that contains the illegal file type.

After checking it, I can release the original message to the user (cp -p $quarantined_file /var/spool/postfix/incoming/$mailname).

But this command still sends the mail to the receiver, but without the quarantined file, before I release the email.
I am wondering if there is a command that can quarantine this mail and stop sending it to the user, until I have checked it and allowed it to the recipient?

From shawniverson at summitgrid.com Sun Mar 14 14:02:44 2021
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Sun, 14 Mar 2021 10:02:44 -0400
Subject: The issue of checking filename from mailscanner
In-Reply-To: <003101d7171f$cbf2f000$63d8d000$@flytonet.com>
References: <003101d7171f$cbf2f000$63d8d000$@flytonet.com>
Message-ID: <0a733130-eade-3a9c-2eb5-7f1af2a580aa@summitgrid.com>

Are you wanting to quarantine the whole message if a file is blocked?

On 3/12/21 4:12 AM, zephyr wrote:
>
> I use filename.rules.conf to detect unallowed filenames, and set a
> parameter such as "deny \.iso$" to quarantine the email message that
> contains the illegal file type.
>
> After checking it, I can release the original message to the user (cp -p
> $quarantined_file /var/spool/postfix/incoming/$mailname)
>
> But this command still sends the mail to the receiver, but without the
> quarantined file, before I release the email.
>
> I am wondering if there is a command that can quarantine this mail and stop
> sending it to the user, until I have checked it and allowed it to the recipient?

From zephyr at flytonet.com Wed Mar 17 01:45:30 2021
From: zephyr at flytonet.com (zephyr)
Date: Wed, 17 Mar 2021 09:45:30 +0800
Subject: The issue of checking filename from mailscanner
Message-ID: <000001d71acf$37417c70$a5c47550$@flytonet.com>

Thanks for your reply. Yes, I want to know how to quarantine the whole message if a file is blocked. I can forward email to my blacklist account to achieve my goal. But I cannot release the original message as before.
Any idea?

From mark at msapiro.net Wed Mar 17 02:16:56 2021
From: mark at msapiro.net (Mark Sapiro)
Date: Tue, 16 Mar 2021 19:16:56 -0700
Subject: The issue of checking filename from mailscanner
In-Reply-To: <000001d71acf$37417c70$a5c47550$@flytonet.com>
References: <000001d71acf$37417c70$a5c47550$@flytonet.com>
Message-ID: <4a83a3cf-5a45-0e29-650c-4f909ced8d23@msapiro.net>

On 3/16/21 6:45 PM, zephyr via MailScanner wrote:
> Thanks for your reply. Yes, I want to know how to quarantine the whole message
> if a file is blocked.

If you set Quarantine Whole Message = Yes, does that do it?
--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From fesarlis at gmail.com Wed Mar 17 07:04:29 2021
From: fesarlis at gmail.com (aris fesarlis)
Date: Wed, 17 Mar 2021 09:04:29 +0200
Subject: URGENT - SILENT VIRUSES EXCEPTIONS
In-Reply-To: <1c666248-8dab-1749-5764-7717d3883edc@summitgrid.com>
References: <3eef3284-6fab-de72-1f9c-04841f2b439b@gmail.com> <1c666248-8dab-1749-5764-7717d3883edc@summitgrid.com>

An HTML attachment was scrubbed...

From v.andrews at noc.ac.uk Wed Mar 17 08:48:27 2021
From: v.andrews at noc.ac.uk (Andrews, Vincent)
Date: Wed, 17 Mar 2021 08:48:27 +0000
Subject: Moving an existing Mail Relay from one VM to another.
Message-ID: <140EA446-F3F5-4462-83D7-F88F7DC695F3@noc.ac.uk>

Hello,

Our existing mail relay is in need of an OS change; we have created a new one based around CentOS 7 and MailScanner V5.3.4. Everything seems to check out: "--lint" passes without error. Because the new system is not a legitimate mail relay, we cannot do any further testing until we move the IP address over.

We moved the IP Address from the existing VM to the new one, changed /etc/hostname and rebooted. Mail started to be accepted and was processed as we would expect: MailScanner was identifying Spam and passing everything as normal. The messages were passed to sendmail for processing.

We then noticed that mail was being delayed by two key 365 domains. We left it like that for about 40 minutes and then reverted to the existing server. After which mail was processed correctly. The messages in /var/spool/mqueue were moved to the existing system and within 10 minutes everything was cleared.

Has anyone had a similar experience? Could it be that the new VM, having a different MAC address, was being flagged as an illegal mail relay?

Thank you for your help, and sorry about the essay.

Vincent Andrews.

This email and any attachments are intended solely for the use of the named recipients.
If you are not the intended recipient you must not use, disclose, copy or distribute this email or any of its attachments and should notify the sender immediately and delete this email from your system. The National Oceanography Centre (NOC) has taken every reasonable precaution to minimise risk of this email or any attachments containing viruses or malware but the recipient should carry out its own virus and malware checks before opening the attachments. NOC does not accept any liability for any losses or damages which the recipient may sustain due to presence of any viruses. Opinions, conclusions or other information in this message and attachments that are not related directly to NOC business are solely those of the author and do not represent the views of NOC.

From mark at msapiro.net Wed Mar 17 17:51:26 2021
From: mark at msapiro.net (Mark Sapiro)
Date: Wed, 17 Mar 2021 10:51:26 -0700
Subject: Moving an existing Mail Relay from one VM to another.
In-Reply-To: <140EA446-F3F5-4462-83D7-F88F7DC695F3@noc.ac.uk>
References: <140EA446-F3F5-4462-83D7-F88F7DC695F3@noc.ac.uk>
Message-ID: <6f1f082e-7d6b-ec21-5f67-b4ff94f576ae@msapiro.net>

On 3/17/21 1:48 AM, Andrews, Vincent wrote:
>
> We moved the IP Address from the existing VM to the new and changed
> /etc/hostname and rebooted.
...
> We then noticed that mail was being delayed by two key 365 domains. We
> left it like that for about 40 minutes and then reverted to the existing
> server. After which mail was processed correctly. The messages in
> /var/spool/mqueue were moved to the existing system and within 10
> minutes everything was cleared.
>
> Has anyone had a similar experience?

There are always issues with new mail servers whose IP address has not yet developed a reputation, but IIUC, from the remote's point of view, the IP hasn't changed.

> Could it be that the new VM, having a different MAC address, was being
> flagged as an illegal mail relay?

And how would the remote SMTPD server determine the MAC of the sending server? I don't think that's possible.

I don't know why there would be an issue if the IP didn't change. What is the content of the 4xx responses from the remote?

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From zephyr at flytonet.com Thu Mar 18 01:41:25 2021
From: zephyr at flytonet.com (zephyr)
Date: Thu, 18 Mar 2021 09:41:25 +0800
Subject: The issue of checking filename from mailscanner
Message-ID: <002701d71b97$d03a91f0$70afb5d0$@flytonet.com>

Thanks Mark. The following are my settings~

=================================================
< MailScanner.conf >
Quarantine Whole Message = yes
Filename Subject Text = {***File Quarantine***}
=================================================

=================================================
< filename.rules.conf >
deny	\.zip$	-	-
=================================================

=================================================
< release_Quarantine.sh >
#!/bin/sh
# Release a whole-message quarantine copy back into the Postfix incoming queue.
# Argument: the quarantined queue ID, e.g. 5B604228086.932F0 (case sensitive).
if [ -z "$1" ]; then
    echo "Syntax: release_Quarantine.sh <queue-id>, e.g. 5B604228086.932F0 (case sensitive)"
    exit 1
fi

# Keep only the part of the ID before the first dot; that is the queue file name.
mailname=$(echo "$1" | cut -d . -f 1)

# Locate the quarantined copy of the message.
quarantined_file=$(find /var/spool/MailScanner/quarantine/ -name "$mailname")
if [ -z "$quarantined_file" ]; then
    echo "No quarantined file named $mailname found" >&2
    exit 1
fi

# Postfix uses the owner execute bit on a queue file as its "file is complete"
# marker, and the queue file must belong to the postfix user.
chmod u+x "$quarantined_file"
chown postfix:postfix "$quarantined_file"

echo "source file name: $quarantined_file"
# -p keeps the mode and ownership just set.
cp -p "$quarantined_file" /var/spool/postfix/incoming/"$mailname"
=================================================

If a customer sends an email to my user with a zip attachment, MailScanner will Quarantine Whole Message into "/var/spool/MailScanner/quarantine/" and add "***File Quarantine***" to the subject.
I can release the original email when I review it as safe (using release_Quarantine.sh). This is good for me, but the process of MailScanner is spam test --> virus test --> attachment test, so I cannot use specific words to block emails when this email has a low spam score. The user will still receive the email without the attachment.

If I change the setting of filename.rules.conf to "blacklist at domain.com \.zip$ - -", the email will be forwarded to blacklist at domain.com if a file has been blocked, and then I can just use an email client to forward the message to the user when I review it later. This is not the original information of the email, so it's inconvenient for me. Is there a better way?
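As an added example (not MailScanner's own code and not the script posted above), a small Python evaluator for the filename.rules.conf format this thread turns on: one rule per line, tab-separated action, regex, log text and user text, first matching rule wins, case-insensitive match, and the action may be an e-mail address that forwards the whole message instead of blocking it, as described in the post. The sample rules and the address blacklist@example.invalid are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in filename.rules.conf form: action <TAB> regex <TAB>
# log text <TAB> user text; "-" means no text; comments and blank lines are
# ignored. The first field may be an e-mail address (constructed here), which
# forwards the whole message there instead of blocking the attachment.
SAMPLE_RULES = """\
# comment lines and blank lines are ignored
allow\t\\.pdf$\t-\t-
deny+delete\t\\.(exe|scr)$\tExecutable attachment\tExecutables are not accepted
blacklist@example.invalid\t\\.zip$\t-\t-
deny\t\\.iso$\tDisk image\tDisk images are quarantined for review
"""


@dataclass
class Rule:
    action: str            # allow | deny | deny+delete | e-mail address
    pattern: re.Pattern    # regex matched against the attachment filename
    log_text: str
    user_text: str


@dataclass
class Verdict:
    action: str                  # allow | deny | deny+delete | forward
    rule: Optional[Rule]         # None when no rule matched
    forward_to: Optional[str] = None

    def is_blocked(self) -> bool:
        return self.action != "allow"


def parse_rules(text: str) -> List[Rule]:
    """Parse rules in file order; order matters because the first match wins."""
    rules: List[Rule] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least an action and a regex")
        action, regex = fields[0].strip(), fields[1].strip()
        log_text = fields[2].strip() if len(fields) > 2 else "-"
        user_text = fields[3].strip() if len(fields) > 3 else "-"
        # Filenames are matched case-insensitively, so "\.zip$" also hits ".ZIP".
        rules.append(Rule(action, re.compile(regex, re.IGNORECASE), log_text, user_text))
    return rules


def evaluate(filename: str, rules: List[Rule]) -> Verdict:
    """Return the verdict of the first matching rule.

    No match falls through to allow here; in a real rules file end with an
    explicit catch-all rule rather than relying on that default.
    """
    for rule in rules:
        if rule.pattern.search(filename):
            if "@" in rule.action:
                return Verdict("forward", rule, forward_to=rule.action)
            return Verdict(rule.action, rule)
    return Verdict("allow", None)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for name in ("report.pdf", "Invoice.PDF.exe", "archive.ZIP", "image.iso", "notes.txt"):
        v = evaluate(name, parsed)
        print(f"{name:16} -> {v.action:12} {v.forward_to or v.rule.log_text if v.rule else '(no rule)'}")
```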
From adrian at pa0rda.nl Thu Mar 18 20:34:39 2021
From: adrian at pa0rda.nl (Adrian van Bloois)
Date: Thu, 18 Mar 2021 21:34:39 +0100
Subject: Dating of changelog
Message-ID: <20210318203439.GA10432@pa0rda.nl>

Hi,

It seems the changelog of the recent beta version begins last year. Typo? Or dementia light. Can happen to anyone.

Adrian

--
Adri P. van Bloois
"The greatest threat to our planet is the belief that someone else will save it." Robert Swan.

From v.andrews at noc.ac.uk Tue Mar 23 08:19:13 2021
From: v.andrews at noc.ac.uk (Andrews, Vincent)
Date: Tue, 23 Mar 2021 08:19:13 +0000
Subject: Moving an existing Mail Relay from one VM to another.
In-Reply-To: <6f1f082e-7d6b-ec21-5f67-b4ff94f576ae@msapiro.net>
References: <140EA446-F3F5-4462-83D7-F88F7DC695F3@noc.ac.uk> <6f1f082e-7d6b-ec21-5f67-b4ff94f576ae@msapiro.net>
Message-ID: <43AE028C-4D11-4BD3-B5CD-004DD4682C3A@noc.ac.uk>

Thanks for your comments. I have just successfully moved the system over to a new VM. It turned out that the issue was to do with Network Manager and how I had moved the ifcfg file for the network port.
$ mv ifcfg-eno323232 ifcfg-eno323232.as-X
$ mv as-Y-ifcfg-eno323232 ifcfg-eno323232
$ reboot

Network Manager attempted to load the new ifcfg but found a conflict with the renamed one. Even though it accepted the new IP address (from the retired system) and I could log on, sendmail was having none of it and failed to forward on mail that MailScanner had passed. This error only produced a warning message in the messages file.

Vince.

On 17/03/2021, 17:51, "MailScanner on behalf of Mark Sapiro" wrote:

    On 3/17/21 1:48 AM, Andrews, Vincent wrote:
    >
    > We moved the IP Address from the existing VM to the new and changed
    > /etc/hostname and rebooted.
    ...
    > We then noticed that mail was being delayed by two key 365 domains. We
    > left it like that for about 40 minutes and then reverted to the existing
    > server. After which mail was processed correctly. The messages in
    > /var/spool/mqueue were moved to the existing system and within 10
    > minutes everything was cleared.
    >
    > Has anyone had a similar experience?

    There are always issues with new mail servers whose IP address has not yet developed a reputation, but IIUC, from the remote's point of view, the IP hasn't changed.

    > Could it be that the new VM, having a different MAC address, was being
    > flagged as an illegal mail relay?

    And how would the remote SMTPD server determine the MAC of the sending server? I don't think that's possible.

    I don't know why there would be an issue if the IP didn't change. What is the content of the 4xx responses from the remote?

    --
    Mark Sapiro                           The highway is for gamblers,
    San Francisco Bay Area, California    better use your sense - B. Dylan

    --
    MailScanner mailing list
    mailscanner at lists.mailscanner.info
    http://lists.mailscanner.info/mailman/listinfo/mailscanner

From v.andrews at noc.ac.uk Wed Mar 31 13:42:16 2021
From: v.andrews at noc.ac.uk (Andrews, Vincent)
Date: Wed, 31 Mar 2021 13:42:16 +0000
Subject: MailScanner 5.3.4 clamd does not appear to be participating.

Hello,

We have a new MailScanner V5.3.4 on a CentOS 7 system. Running the --lint command proves that it can use both Sophos and clamd, however it is only Sophos that appears to be catching viruses.

Clamd is installed via the OS route; the version is 0.103.0-3.

MailScanner.conf has 'Virus Scanners = auto'; it was 'Virus Scanners = clamd, sophos'.

The Virus.scanners.conf entry for clamd is /bin/false, but as I cannot see a specific wrapper I assume that is Ok.

I am loath to cut out Sophos from the list and see what happens.

Do I need to do anything else?

Thanks.

Vince.
From grenier at cgsecurity.org Wed Mar 31 14:17:24 2021
From: grenier at cgsecurity.org (Christophe GRENIER)
Date: Wed, 31 Mar 2021 16:17:24 +0200 (CEST)
Subject: MailScanner 5.3.4 clamd does not appear to be participating.

On Wed, 31 Mar 2021, Andrews, Vincent wrote:

> Hello,
>
> We have a new MailScanner V5.3.4 on a CentOS 7 system. Running the --lint command proves that it can use both Sophos and clamd, however it is only Sophos that appears to be catching
> viruses.
>
> Clamd is installed via the OS route; the version is 0.103.0-3.
>
> MailScanner.conf has 'Virus Scanners = auto'; it was 'Virus Scanners = clamd, sophos'.
>
> The Virus.scanners.conf entry for clamd is /bin/false, but as I cannot see a specific wrapper I assume that is Ok.
>
> I am loath to cut out Sophos from the list and see what happens.
>
> Do I need to do anything else?

Hello

A good start is to check your clamd configuration.
On my CentOS servers, I am using /etc/clamd.d/mailscanner.conf:

MaxThreads 50
FixStaleSocket true
LocalSocket /var/run/clamd.mailscanner/clamd.sock
User postfix
LogFile /var/log/clamd.mailscanner
LogFileMaxSize 0
LogVerbose yes
LogClean no
Debug no
LogTime yes
TemporaryDirectory /var/tmp

Check the daemon with

systemctl status clamd@mailscanner.service

If it's OK, use clamdscan (not clamscan) to check a file that can be read by everyone (i.e. /etc/hosts):

clamdscan -c /etc/clamd.d/mailscanner.conf /etc/hosts
/etc/hosts: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.002 sec (0 m 0 s)
Start Date: 2021:03:31 16:13:29
End Date:   2021:03:31 16:13:29

Regards, Christophe

--
Christophe GRENIER
grenier at cgsecurity.org
TestDisk & PhotoRec
Data Recovery
https://www.cgsecurity.org

From mailinglists at feedmebits.nl Wed Mar 31 14:33:22 2021
From: mailinglists at feedmebits.nl (Maarten)
Date: Wed, 31 Mar 2021 16:33:22 +0200
Subject: latest release mailscanner?
Message-ID: <9f6d82fa-5357-e4ae-177b-5e07f0b5bef1@feedmebits.nl>

Hello Everyone,

On the website (mailscanner.info) it says that v5.3.3-1 is the latest stable and on the github page it says that v5.3.4-3 is the latest release. So which of the two is it, or is the advised version always the one on the mailscanner.info download page?

Regards,

Maarten