On Sat, 2004-09-11 at 18:54, Jason Haar wrote:
> On Sat, Sep 11, 2004 at 02:43:43PM -0700, Jay Tortorelli wrote:
> > Now whenever I try and send mail using qmail-scanner I get the following
> > error:
> > 451 qq crashed (#4.3.0)
> 
> OK - then the error should either be logged in qmail-queue.log (assuming you
> left "--debug 1" enabled for Qmail-Scanner), or in qmails logging itself
> (could be syslog or maillog - depends on your config).
Yup, debug is set to 1.  I get logging information when I set the
QMAILQUEUE variable in tcp.smtp during relaying.  I have been able to
send a couple of messages through (although I don't know why they went
through, nothing changed.  Success is sporadic at best.)
Here is an example of when I telnetted in to port 25 and did 2 messages
back to back.

[EMAIL PROTECTED] jayt]# telnet mail.whydevelop.com 25
Trying 64.221.249.47...
Connected to mail.whydevelop.com.
Escape character is '^]'.
220 mail.whydevelop.com ESMTP
helo whydevelop.com
250 mail.whydevelop.com
mail to: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
250 ok
data
354 go ahead
testing
.
250 ok 1094981532 qp 7716
quit
221 mail.whydevelop.com
Connection closed by foreign host.
[EMAIL PROTECTED] jayt]# telnet mail.whydevelop.com 25
Trying 64.221.249.47...
Connected to mail.whydevelop.com.
Escape character is '^]'.
220 mail.whydevelop.com ESMTP
helo whydevelop.com
250 mail.whydevelop.com
mail to: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
250 ok
data
354 go ahead
testing
.
451 qq crashed (#4.3.0)
quit
221 mail.whydevelop.com
Connection closed by foreign host.




> So Qmail-Scanner works fine for relayed (i.e. SMTP-based mail), but not
> "when I login to send mail"??? Unless you set QMAILQUEUE in /etc/profile or
> the likes, Q-S isn't called normally.
"When I login to send mail" meaning, when I use Evolution, or Outlook,
or any other mail client to send mail using SMTP.  Right now I have
QMAILQUEUE only set for my IP address in tcp.smtp for testing so my
clients can at least send mail.

> Well then you must have disabled debugging - as you said in the first
> paragraph that Q-S works fine for relayed email.
Nope, debugging is set to 1.  That is why I was questioning whether or
not it is qmail-scanner related.  When it fails... nothing; when
it is successful, the information shows up in qmail-queue.log.

> Sounds like it is Q-S somehow. But you've got to see the logging to tell...
Here is the logging information that is produced when it is successful. 
Although I don't see anything out of the ordinary.  And the information
that would actually help when it crashes isn't produced.

[EMAIL PROTECTED] qmailscan]# cat /var/spool/qmailscan/qmail-queue.log
Sun, 12 Sep 2004 02:09:51 PDT:31873: +++ starting debugging for process
31873 by uid=89
Sun, 12 Sep 2004 02:09:51 PDT:31873: setting UID to EUID so subprocesses
can access files generated by this script
Sun, 12 Sep 2004 02:09:51 PDT:31873: program name is
qmail-scanner-queue.pl, version 1.23
Sun, 12 Sep 2004 02:09:51 PDT:31873: incoming SMTP connection from via
SMTP from 24.17.227.20
Sun, 12 Sep 2004 02:09:51 PDT:31873: w_c: mkdir
/var/spool/qmailscan/tmp/mail.whydevelop.com109498019148231873
Sun, 12 Sep 2004 02:09:51 PDT:31873: w_c: start dumping incoming msg
into
/var/spool/qmailscan/working/tmp/mail.whydevelop.com109498019148231873
[0.000986]
Sun, 12 Sep 2004 02:09:51 PDT:31873: w_c: primary Content-Type of
text/plain found
Sun, 12 Sep 2004 02:09:51 PDT:31873: w_c: rename new msg from
/var/spool/qmailscan/working/tmp/mail.whydevelop.com109498019148231873
to
/var/spool/qmailscan/working/new/mail.whydevelop.com109498019148231873
[0.027088]
Sun, 12 Sep 2004 02:09:51 PDT:31873: d_m: starting
/usr/local/bin/reformime 
-x/var/spool/qmailscan/tmp/mail.whydevelop.com109498019148231873/
</var/spool/qmailscan/working/new/mail.whydevelop.com109498019148231873
[0.000279]
Sun, 12 Sep 2004 02:09:51 PDT:31873: d_m: finished
/usr/local/bin/reformime 
-x/var/spool/qmailscan/tmp/mail.whydevelop.com109498019148231873/
[0.081425]Sun, 12 Sep 2004 02:09:51 PDT:31873: d_m: Checking all
attachments to see if they're MS-TNEF
Sun, 12 Sep 2004 02:09:51 PDT:31873: d_m: is
/var/spool/qmailscan/tmp/mail.whydevelop.com109498019148231873/1094980191.31875-0.mail.whydevelop.com
 is a TNEF file?: 256 [0.007479]
Sun, 12 Sep 2004 02:09:51 PDT:31873: d_m: Check for zip files...
Sun, 12 Sep 2004 02:09:51 PDT:31873: d_m: unpacking message took
0.089252 seconds
Sun, 12 Sep 2004 02:09:51 PDT:31873: unsetting QMAILQUEUE env var
Sun, 12 Sep 2004 02:09:51 PDT:31873: g_e_h: return-path is
"[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
Sun, 12 Sep 2004 02:09:51 PDT:31873: from=Jay Tortorelli
<[EMAIL PROTECTED]>,subj=testing 2,
x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via SMTP from 24.17.227.20
Sun, 12 Sep 2004 02:09:51 PDT:31873: This is a PLAIN text message
(because it's either not mime, or is text/plain), skip virus scanners -
but not SA
Sun, 12 Sep 2004 02:09:51 PDT:31873: ini_sc: start scanning
Sun, 12 Sep 2004 02:09:51 PDT:31873: ini_sc: recursively scan the
directory
/var/spool/qmailscan/tmp/mail.whydevelop.com109498019148231873/
Sun, 12 Sep 2004 02:09:51 PDT:31873: scanloop: starting scan of
directory
"/var/spool/qmailscan/tmp/mail.whydevelop.com109498019148231873"...
Sun, 12 Sep 2004 02:09:51 PDT:31873: scanloop:
scanner=clamdscan_scanner,plain_text_msg=1
Sun, 12 Sep 2004 02:09:51 PDT:31873: scanloop: finished scan of
"/var/spool/qmailscan/tmp/mail.whydevelop.com109498019148231873"...
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s: starting scan of directory
"/var/spool/qmailscan/tmp/mail.whydevelop.com109498019148231873"...
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  '81:ILOVEYOU' =
'Virus-subject' = 'Love Letter Virus/Trojan'
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  type is a header!
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  checking for objects
containing subject: ILOVEYOU
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  '82:message/partial.*' =
'Virus-content-type' = 'Message/partial MIME attachments blocked by
policy'
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  type is a header!
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  checking for objects
containing content-type: message/partial.*
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  '85:.{100,}' = 'Virus-date' =
'MIME Header Buffer Overflow'
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  type is a header!
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  checking for objects
containing date: .{100,}
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  '86:.{100,}' =
'Virus-mime-version' = 'MIME Header Buffer Overflow '
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  type is a header!
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  checking for objects
containing mime-version: .{100,}
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  '87:.{100,}' =
'Virus-resent-date' = 'MIME Header Buffer Overflow'
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  type is a header!
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  checking for objects
containing resent-date: .{100,}
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s: 
'90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]' = 
'Virus-to' = 'BadTrans Trojan exploit!'
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  type is a header!
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  checking for objects
containing to:
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  'eicar.com' = '69' = 'EICAR
Test Virus'
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s: type is a size!
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  'happy99.exe' = '10000' =
'Happy99 Trojan'
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s: type is a size!
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  'zipped_files.exe' = '120495'
= 'W32/ExploreZip.worm.pak virus'
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s: type is a size!
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s: skipping auto-generated file
1094980191.31875-0.mail.whydevelop.com
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s: skipping auto-generated file
orig-mail.whydevelop.com109498019148231873
Sun, 12 Sep 2004 02:09:51 PDT:31873: p_s:  finished scan of dir
"/var/spool/qmailscan/tmp/mail.whydevelop.com109498019148231873" in
0.007244 secs
Sun, 12 Sep 2004 02:09:51 PDT:31873: ini_sc: scanning message took
0.007638 seconds
Sun, 12 Sep 2004 02:09:51 PDT:31873: q_r: fork off child into
/var/qmail/bin/qmail-queue...
Sun, 12 Sep 2004 02:09:51 PDT:31878: q_r: xstatus=0
Sun, 12 Sep 2004 02:09:51 PDT:31873: qmail-scanner[31873]:
Clear:RC:1(24.17.227.20): 0.125805 452 [EMAIL PROTECTED]
[EMAIL PROTECTED] testing_2
<[EMAIL PROTECTED]>
1094980191.31875-0.mail.whydevelop.com:2
orig-mail.whydevelop.com109498019148231873:452
Sun, 12 Sep 2004 02:09:51 PDT:31873: cleanup: /bin/rm -rf
/var/spool/qmailscan/tmp/mail.whydevelop.com109498019148231873/
/var/spool/qmailscan/working/new/mail.whydevelop.com109498019148231873
Sun, 12 Sep 2004 02:09:51 PDT:31873: all finished. Total of 0.169172
secs
Sun, 12 Sep 2004 02:32:09 PDT:7716: +++ starting debugging for process
7716 by uid=89
Sun, 12 Sep 2004 02:32:09 PDT:7716: setting UID to EUID so subprocesses
can access files generated by this script
Sun, 12 Sep 2004 02:32:09 PDT:7716: program name is
qmail-scanner-queue.pl, version 1.23
Sun, 12 Sep 2004 02:32:09 PDT:7716: incoming SMTP connection from via
SMTP from 24.17.227.20
Sun, 12 Sep 2004 02:32:09 PDT:7716: w_c: mkdir
/var/spool/qmailscan/tmp/mail.whydevelop.com10949815294827716
Sun, 12 Sep 2004 02:32:09 PDT:7716: w_c: start dumping incoming msg into
/var/spool/qmailscan/working/tmp/mail.whydevelop.com10949815294827716
[0.000868]Sun, 12 Sep 2004 02:32:12 PDT:7716: w_c: rename new msg from
/var/spool/qmailscan/working/tmp/mail.whydevelop.com10949815294827716 to
/var/spool/qmailscan/working/new/mail.whydevelop.com10949815294827716
[2.7628]
Sun, 12 Sep 2004 02:32:12 PDT:7716: d_m: starting
/usr/local/bin/reformime 
-x/var/spool/qmailscan/tmp/mail.whydevelop.com10949815294827716/
</var/spool/qmailscan/working/new/mail.whydevelop.com10949815294827716
[0.000342]
Sun, 12 Sep 2004 02:32:12 PDT:7716: d_m: finished
/usr/local/bin/reformime 
-x/var/spool/qmailscan/tmp/mail.whydevelop.com10949815294827716/
[0.007569]
Sun, 12 Sep 2004 02:32:12 PDT:7716: d_m: Checking all attachments to see
if they're MS-TNEF
Sun, 12 Sep 2004 02:32:12 PDT:7716: d_m: is
/var/spool/qmailscan/tmp/mail.whydevelop.com10949815294827716/1094981532.7756-0.mail.whydevelop.com
 is a TNEF file?: 256 [0.003491]
Sun, 12 Sep 2004 02:32:12 PDT:7716: d_m: Check for zip files...
Sun, 12 Sep 2004 02:32:12 PDT:7716: d_m: unpacking message took 0.011487
seconds
Sun, 12 Sep 2004 02:32:12 PDT:7716: unsetting QMAILQUEUE env var
Sun, 12 Sep 2004 02:32:12 PDT:7716: g_e_h: return-path is
"[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
Sun, 12 Sep 2004 02:32:12 PDT:7716: from=,subj=,
x-qmail-scanner-message-id= via SMTP from 24.17.227.20
Sun, 12 Sep 2004 02:32:12 PDT:7716: This is a PLAIN text message
(because it's either not mime, or is text/plain), skip virus scanners -
but not SA
Sun, 12 Sep 2004 02:32:12 PDT:7716: ini_sc: start scanning
Sun, 12 Sep 2004 02:32:12 PDT:7716: ini_sc: recursively scan the
directory /var/spool/qmailscan/tmp/mail.whydevelop.com10949815294827716/
Sun, 12 Sep 2004 02:32:12 PDT:7716: scanloop: starting scan of directory
"/var/spool/qmailscan/tmp/mail.whydevelop.com10949815294827716"...
Sun, 12 Sep 2004 02:32:12 PDT:7716: scanloop:
scanner=clamdscan_scanner,plain_text_msg=1
Sun, 12 Sep 2004 02:32:12 PDT:7716: scanloop: finished scan of
"/var/spool/qmailscan/tmp/mail.whydevelop.com10949815294827716"...
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s: starting scan of directory
"/var/spool/qmailscan/tmp/mail.whydevelop.com10949815294827716"...
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  '81:ILOVEYOU' =
'Virus-subject' = 'Love Letter Virus/Trojan'
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  type is a header!
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  checking for objects
containing subject: ILOVEYOU
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  '82:message/partial.*' =
'Virus-content-type' = 'Message/partial MIME attachments blocked by
policy'
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  type is a header!
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  checking for objects
containing content-type: message/partial.*
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  '85:.{100,}' = 'Virus-date' =
'MIME Header Buffer Overflow'
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  type is a header!
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  checking for objects
containing date: .{100,}
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  '86:.{100,}' =
'Virus-mime-version' = 'MIME Header Buffer Overflow '
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  type is a header!
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  checking for objects
containing mime-version: .{100,}
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  '87:.{100,}' =
'Virus-resent-date' = 'MIME Header Buffer Overflow'
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  type is a header!
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  checking for objects
containing resent-date: .{100,}
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s: 
'90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]' = 
'Virus-to' = 'BadTrans Trojan exploit!'
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  type is a header!
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  checking for objects
containing to:
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  'eicar.com' = '69' = 'EICAR
Test Virus'
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s: type is a size!
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  'happy99.exe' = '10000' =
'Happy99 Trojan'
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s: type is a size!
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  'zipped_files.exe' = '120495'
= 'W32/ExploreZip.worm.pak virus'
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s: type is a size!
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s: skipping auto-generated file
1094981532.7756-0.mail.whydevelop.com
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s: skipping auto-generated file
orig-mail.whydevelop.com10949815294827716
Sun, 12 Sep 2004 02:32:12 PDT:7716: p_s:  finished scan of dir
"/var/spool/qmailscan/tmp/mail.whydevelop.com10949815294827716" in
0.007369 secs
Sun, 12 Sep 2004 02:32:12 PDT:7716: ini_sc: scanning message took
0.007766 seconds
Sun, 12 Sep 2004 02:32:12 PDT:7716: q_r: fork off child into
/var/qmail/bin/qmail-queue...
Sun, 12 Sep 2004 02:32:12 PDT:7759: q_r: xstatus=0
Sun, 12 Sep 2004 02:32:12 PDT:7716: qmail-scanner[7716]:
Clear:RC:0(24.17.227.20): 2.783829 131 [EMAIL PROTECTED]
[EMAIL PROTECTED] <> <> 1094981532.7756-0.mail.whydevelop.com:0
orig-mail.whydevelop.com10949815294827716:131
Sun, 12 Sep 2004 02:32:12 PDT:7716: cleanup: /bin/rm -rf
/var/spool/qmailscan/tmp/mail.whydevelop.com10949815294827716/
/var/spool/qmailscan/working/new/mail.whydevelop.com10949815294827716
Sun, 12 Sep 2004 02:32:12 PDT:7716: all finished. Total of 2.809184 secs



Thank you very much for your help,
Jay Tortorelli
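
The comparison done by eye in this message, as an added example (not part of the original message or of Qmail-Scanner): it rejoins the mail-wrapped records of qmail-queue.log, groups them by PID, and reports which runs reached "all finished" and whether each `qp` PID from a `250 ok` reply has a complete run. The sample log and SMTP lines are constructed in the format shown above, and the function names are hypothetical.

```python
import re

# Record prefix in qmail-queue.log: "<date> <time> <TZ>:<pid>: <message>".
# A lookahead split is used (not line anchors) because mail clients wrap long
# records and can fuse the next record onto the end of the previous one.
PREFIX = r"[A-Z][a-z]{2}, \d{1,2} [A-Z][a-z]{2} \d{4} \d\d:\d\d:\d\d \w+:\d+: "
FIELDS = re.compile(r"(.+? \d\d:\d\d:\d\d \w+):(\d+): (.*)", re.S)

def sessions(text):
    """Return {pid: [(timestamp, message), ...]} with wrapped lines rejoined."""
    out = {}
    for chunk in re.split("(?=" + PREFIX + ")", text):
        m = FIELDS.match(chunk)
        if m:
            ts, pid, msg = m.groups()
            out.setdefault(pid, []).append((ts, " ".join(msg.split())))
    return out

def summarize(text):
    """One entry per Qmail-Scanner run; 'complete' means 'all finished' was logged."""
    report = {}
    for pid, recs in sessions(text).items():
        msgs = [m for _, m in recs]
        if not any(m.startswith("+++ starting debugging") for m in msgs):
            continue  # record written by a forked child (the q_r xstatus line)
        done = [x for x in (re.search(r"all finished\. Total of ([\d.]+)", m)
                            for m in msgs) if x]
        report[pid] = {"start": recs[0][0], "complete": bool(done),
                       "secs": float(done[0].group(1)) if done else None,
                       "last": msgs[-1]}
    return report

def accepted_without_log(smtp_transcript, report):
    """PIDs from '250 ok <time> qp <pid>' replies that have no complete run."""
    qps = re.findall(r"^250 ok \d+ qp (\d+)", smtp_transcript, re.M)
    return [p for p in qps if not report.get(p, {}).get("complete")]

# Constructed sample in the page's log format: one complete run (7716), a
# child's record (7759), and one run (9001) that stops before "all finished".
SAMPLE_LOG = """\
Sun, 12 Sep 2004 02:32:09 PDT:7716: +++ starting debugging for process
7716 by uid=89
Sun, 12 Sep 2004 02:32:12 PDT:7759: q_r: xstatus=0
Sun, 12 Sep 2004 02:32:12 PDT:7716: all finished. Total of 2.809184 secs
Sun, 12 Sep 2004 02:40:00 PDT:9001: +++ starting debugging for process
9001 by uid=89
Sun, 12 Sep 2004 02:40:00 PDT:9001: w_c: start dumping incoming msg into
/var/spool/qmailscan/working/tmp/sample [0.000868]Sun, 12 Sep 2004 02:40:01 PDT:9001: ini_sc: start scanning
"""
SAMPLE_SMTP = "250 ok 1094981532 qp 7716\n451 qq crashed (#4.3.0)\n"
```

A run that appears with `complete` false shows the last step logged before it stopped; a failed delivery with no run at all for its time window means no debug record was written for it.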


