Troy Ayers wrote:
Are you using dspam as daemon? Restart the dspam daemon only, not the
whole server.
Fair point, although the server restart is only a few seconds so that
isn't the problem, its stopping it happening in the first place!
Otherwise:
Enable debug logging.
Silly question, but where do I enable this?
I'm pretty sure that debugging isn't enabled in the Ubuntu/Debian builds
(how do I check?). I do have (and always have had) SystemLog and UserLog
enabled.
Check for the missing emails on the root account (or it's alias) if
applicable.
Check for the missing email on the account specified to receive
double-bounces (IE postmaster)
Where would I check where these are going?
The domain I am particularly concerned about locating missing mail from
was set as a catch-all which redirected to a single address elsewhere,
ie postmaster@ would have gone to the same place as the other emails.
Other domains which drop to POP3 boxes on my server do not, it turns
out, have postmaster aliases set up (something I need to fix).
Where would any root alias be set?
Would postfix have logged any failure to find a suitable root/postmaster
mailbox, and if so what should I look for in the logs?
I thought that dspam quarantine doesn't delete the message from the
mbox until after a successful exit code from whatever delivery agent
was specified. Could somebody confirm?
Looking at the Perl code I'm not convinced it is very careful, but I
really don't know much Perl at all. I've appended what I think is the
relevant subroutine below, but it looks to me like it extracts messages,
retrains on them (which I think leaves dspam to resend the message?),
then afterwards just deletes selected messages from the quarantine (via
Quarantine_DeleteSpam). There doesn't seem to be much attempt to avoid
deleting messages that couldn't be sent for some reason.
Sounds like the message are not getting to postfix though. Postfix
logs a "connect from <hostname>[ipaddress]..." Please confirm that
postfix is listening in on the same ip/port as what you have specified
in your dspam.conf deliveryhost/deliveryport.
Based on my comments above, I think you're right; maybe postfix has died
for some reason (on the port 10026 configured for dspam to send via),
and the web interface simply ignores that fact and deletes the messages.
Looking in the logs there are plenty of connections from
localhost.localdomain, but that's to be expected as the server is
usually working.
Does dspam log any failure to connect to the mailserver? I can't see it
having happened anywhere.
Next time it fails I will release something from the quarantine and
watch what goes into mail.log (and dspam's system.log).
[I assume that if I release a spam from the quarantine then retrain that
spam as spam then I get back to where I started? There's no point
releasing ham from the quarantine when I know its going to go missing!]
Thanks for your help Troy, it is very much appreciated.
Perl code from dspam.cgi follows:
sub ProcessFalsePositive {
my(@buffer, %head, $found);
if ($FORM{'signatureID'} eq "") {
&error("No Message ID Specified");
}
open(FILE, "<$MAILBOX");
while(<FILE>) {
s/\r?\n$//;
push(@buffer, $_);
}
close(FILE);
while($#buffer>=0) {
my($buff, $mode, @temp);
$mode = 0;
@temp = ();
while(($buff !~ /^From /) && ($#buffer>=0)) {
$buff = $buffer[0];
if ($buff =~ /^From /) {
if ($mode == 0) { $mode = 1; }
else { next; }
}
$buff = shift(@buffer);
if ($buff !~ /^From /) {
push(@temp, $buff);
}
next;
}
foreach(@temp) {
last if ($_ eq "");
my($key, $val) = split(/\: ?/, $_, 2);
$head{$key} = $val;
}
if ($head{'X-DSPAM-Signature'} eq $FORM{'signatureID'}) {
$found = 1;
open(PIPE, "|$CONFIG{'DSPAM'} $CONFIG{'DSPAM_ARGS'} >$TMPFILE
2>&1") || &error($!);
foreach(@temp) {
print PIPE "$_\n";
}
close(PIPE);
}
}
# Couldn't find the message, so just retrain on signature
if (!$found) {
system("$CONFIG{'DSPAM'} --source=error --class=innocent
--signature=" . quotemeta($FORM{'signatureID'}) . " --user " .
quotemeta("$CURRENT_USER"));
}
if ($?) {
my(@log);
open(LOG, "<$TMPFILE");
@log = <LOG>;
close(LOG);
unlink("$TMPFILE");
&error("<PRE>".join('', @log)."</PRE>");
}
unlink("$TMPFILE");
$FORM{$FORM{'signatureID'}} = "on";
&Quarantine_DeleteSpam();
return;
}
--
Mark Rogers // More Solutions Ltd (Peterborough Office) // 0845 45 89 555
Registered in England (0456 0902) at 13 Clarke Rd, Milton Keynes, MK1 1LG
!DSPAM:1011,48748205150925650348932!
