<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>This message is by design, as long as you are not caught in a
loop and it is not happening with every message. There's
something in the HTML that killed the child spawned to perform the
disarming. Depending on the scenario, a sample of the email
(sanitized) might be helpful to isolate what is going on here and
improve the HTML Disarming code.<br>
</p>
<p>Shawn<br>
</p>
<div class="moz-cite-prefix">On 6/16/20 6:39 AM, Ferry van Aesch via
MailScanner wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20200616172420.B333F121968@ms1.mailscanner.info">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’m being
bitten by the below, and after trawling through the mailing
list the consensus seems to be that this is a permissions
issue, but there’s not really a clear root cause or fix. I
don’t have apparmor or SELinux running, and I’m pretty sure
all permissions are healthy. Furthermore, when I take the
quarantined message, and send it again through the system
(from a remote machine through SMTP, just to be sure it
follows the same path), the message goes through just fine,
which I find somewhat baffling.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16
11:09:12 nb postfix/smtpd[29310]: disconnect from
mta-2-019.ml.wish.com[144.2.145.19] ehlo=2 starttls=1 mail=1
rcpt=1 data=1 quit=1 commands=7<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16
11:09:13 nb MailScanner[10436]: New Batch: Scanning 1
messages, 26430 bytes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16
11:09:13 nb MailScanner[10436]: Virus and Content Scanning:
Starting<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16
11:09:13 nb MailScanner[10436]: Expired 1 records from the
SpamAssassin cache<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16
11:09:19 nb MailScanner[10436]:
<b>HTML disarming died, status = 13<o:p></o:p></b></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16
11:09:19 nb MailScanner[10436]: Content Checks: Detected and
have disarmed web bug, denialofservice tags in HTML message
in 1C8987C093A.AEDFB from
<a class="moz-txt-link-abbreviated" href="mailto:bounces+vn1vl9d7nxin2gjpxuh8ibeiyxqfzeq92@mail.wish.com">bounces+vn1vl9d7nxin2gjpxuh8ibeiyxqfzeq92@mail.wish.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16
11:09:19 nb MailScanner[10436]: Quarantined message
1C8987C093A.AEDFB as it caused MailScanner to crash several
times<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 16
11:09:19 nb MailScanner[10436]: Saved entire message to
/var/spool/MailScanner/quarantine/20200616/1C8987C093A.AEDFB<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’m running
a fairly standard setup, with just clamav and spamassassin,
latest version from MailScanner-5.3.3-1.noarch.deb, on a
relatively fresh Ubuntu 18.04LTS VPS.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This comes
back clean as well:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">root@nb:/usr/src#
MailScanner --lint<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Trying to
setlogsock(unix)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Reading
configuration file /etc/MailScanner/MailScanner.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Reading
configuration file /etc/MailScanner/conf.d/README<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Read 1500
hostnames from the phishing whitelist<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Read 7181
hostnames from the phishing blacklists<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Config:
calling custom init function MailWatchLogging<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Started SQL
Logging child<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Checking
version numbers...<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Version
number in MailScanner.conf (5.3.3) is correct.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Your
envelope_sender_header in spamassassin.conf is correct.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">MailScanner
setting GID to (1000)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">MailScanner
setting UID to (108)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Checking for
SpamAssassin errors (if you use it)...<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Using
SpamAssassin results cache<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Connected to
SpamAssassin cache database<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">SpamAssassin
reported no errors.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Auto: Found
virus scanners: clamd<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Connected to
Processing Attempts Database<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Created
Processing Attempts Database successfully<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">There are 0
messages in the Processing Attempts Database<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Using
locktype = posix<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">MailScanner.conf
says "Virus Scanners = auto"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Found these
virus scanners installed: clamd<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">===========================================================================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Filename
Checks: Windows/DOS Executable (1 eicar.com)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Other
Checks: Found 1 problems<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Virus and
Content Scanning: Starting<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Clamd::INFECTED::
Win.Test.EICAR_HDB-1 :: ./1/eicar.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Virus
Scanning: Clamd found 2 infections<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Infected
message 1 came from 10.1.1.1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Virus
Scanning: Found 2 viruses<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">===========================================================================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Virus
Scanner test reports:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Clamd said
"eicar.com was infected: Win.Test.EICAR_HDB-1"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">If any of
your virus scanners (clamd)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">are not
listed there, you should check that they are installed
correctly<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">and that
MailScanner is finding them correctly via its
virus.scanners.conf.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Config:
calling custom end function MailWatchLogging<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">It’s a very
quiet server hosting a couple of private domains (throughput
is just over 100 emails/day), and the VPS has 4 cores and
8GB available to it (guaranteed no memory issues here), and
ample SSD space:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
total used free shared buff/cache
available<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Mem:
7.8G 1.4G 6.1G 9.1M 347M
6.2G<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Swap:
2.0G 0B 2.0G<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">root@nb:/usr/src#
df -h<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Filesystem
Size Used Avail Use% Mounted on<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">udev
3.9G 0 3.9G 0% /dev<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs
798M 3.7M 795M 1% /run<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">/dev/sda2
195G 7.5G 178G 5% /<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs
3.9G 0 3.9G 0% /dev/shm<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs
5.0M 0 5.0M 0% /run/lock<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs
3.9G 0 3.9G 0% /sys/fs/cgroup<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">/dev/sda1
922M 109M 750M 13% /boot<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs
1.0G 84K 1.0G 1% /var/spool/MailScanner/incoming<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">tmpfs
798M 0 798M 0% /run/user/0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">(I’ve also
tried without the tmpfs for incoming, no difference as far
as I can remember)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I would like
to request some assistance or guidance on how to start
looking for the root cause please.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Kind
Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Ferry van
Aesch.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">PS I’ve been
using older versions of MailScanner for as long as I can
remember on a different VPS, without ever giving me any
issues.<o:p></o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">
</pre>
</blockquote>
<div class="moz-signature">-- <br>
<img src="http://mailserver.summitgrid.org/logo_text_sig.png"><br>
Shawn Iverson<br>
<a class="moz-txt-link-abbreviated" href="mailto:shawniverson@summitgrid.com">shawniverson@summitgrid.com</a><br>
</div>
</body>
</html>