<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-IE" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’m being bitten by the below, and after trawling through the mailing list the consensus seems to be that this is a permissions issue, but there’s not really a clear root cause or fix. I don’t have apparmor
or SELinux running, and I’m pretty sure all permissions are healthy. Furthermore, when I take the quarantined message, and send it again through the system (from a remote machine through SMTP, just to be sure it follows the same path), the message goes through
just fine, which I find somewhat baffling.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16 11:09:12 nb postfix/smtpd[29310]: disconnect from mta-2-019.ml.wish.com[144.2.145.19] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16 11:09:13 nb MailScanner[10436]: New Batch: Scanning 1 messages, 26430 bytes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16 11:09:13 nb MailScanner[10436]: Virus and Content Scanning: Starting<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16 11:09:13 nb MailScanner[10436]: Expired 1 records from the SpamAssassin cache<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16 11:09:19 nb MailScanner[10436]:
<b>HTML disarming died, status = 13<o:p></o:p></b></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16 11:09:19 nb MailScanner[10436]: Content Checks: Detected and have disarmed web bug, denialofservice tags in HTML message in 1C8987C093A.AEDFB from bounces+vn1vl9d7nxin2gjpxuh8ibeiyxqfzeq92@mail.wish.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16 11:09:19 nb MailScanner[10436]: Quarantined message 1C8987C093A.AEDFB as it caused MailScanner to crash several times<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16 11:09:19 nb MailScanner[10436]: Saved entire message to /var/spool/MailScanner/quarantine/20200616/1C8987C093A.AEDFB<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’m running a fairly standard setup, with just clamav and spamassassin, latest version from MailScanner-5.3.3-1.noarch.deb, on a relatively fresh Ubuntu 18.04LTS VPS.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This comes back clean as well:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">root@nb:/usr/src# MailScanner --lint<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Trying to setlogsock(unix)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Reading configuration file /etc/MailScanner/MailScanner.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Reading configuration file /etc/MailScanner/conf.d/README<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Read 1500 hostnames from the phishing whitelist<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Read 7181 hostnames from the phishing blacklists<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Config: calling custom init function MailWatchLogging<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Started SQL Logging child<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Checking version numbers...<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Version number in MailScanner.conf (5.3.3) is correct.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Your envelope_sender_header in spamassassin.conf is correct.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">MailScanner setting GID to (1000)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">MailScanner setting UID to (108)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Checking for SpamAssassin errors (if you use it)...<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Using SpamAssassin results cache<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Connected to SpamAssassin cache database<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">SpamAssassin reported no errors.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Auto: Found virus scanners: clamd<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Connected to Processing Attempts Database<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Created Processing Attempts Database successfully<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">There are 0 messages in the Processing Attempts Database<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Using locktype = posix<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">MailScanner.conf says "Virus Scanners = auto"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Found these virus scanners installed: clamd<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">===========================================================================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Filename Checks: Windows/DOS Executable (1 eicar.com)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Other Checks: Found 1 problems<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Virus and Content Scanning: Starting<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Clamd::INFECTED:: Win.Test.EICAR_HDB-1 :: ./1/eicar.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Virus Scanning: Clamd found 2 infections<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Infected message 1 came from 10.1.1.1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Virus Scanning: Found 2 viruses<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">===========================================================================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Virus Scanner test reports:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Clamd said "eicar.com was infected: Win.Test.EICAR_HDB-1"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">If any of your virus scanners (clamd)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">are not listed there, you should check that they are installed correctly<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">and that MailScanner is finding them correctly via its virus.scanners.conf.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Config: calling custom end function MailWatchLogging<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">It’s a very quiet server hosting a couple of private domains (throughput is just over 100 emails/day), and the VPS has 4 cores and 8GB available to it (guaranteed no memory issues here), and ample SSD space:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> total used free shared buff/cache available<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Mem: 7.8G 1.4G 6.1G 9.1M 347M 6.2G<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Swap: 2.0G 0B 2.0G<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">root@nb:/usr/src# df -h<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Filesystem Size Used Avail Use% Mounted on<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">udev 3.9G 0 3.9G 0% /dev<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs 798M 3.7M 795M 1% /run<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">/dev/sda2 195G 7.5G 178G 5% /<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs 3.9G 0 3.9G 0% /dev/shm<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs 5.0M 0 5.0M 0% /run/lock<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">/dev/sda1 922M 109M 750M 13% /boot<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs 1.0G 84K 1.0G 1% /var/spool/MailScanner/incoming<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs 798M 0 798M 0% /run/user/0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">(I’ve also tried without the tmpfs for incoming, no difference as far as I can remember)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I would like to request some assistance or guidance on how to start looking for the root cause please.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Kind Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Ferry van Aesch.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">PS I’ve been using older versions of MailScanner for as long as I can remember on a different VPS, without ever giving me any issues.<o:p></o:p></span></p>
</div>
</body>
</html>