Re: [Mimedefang] [resend] Specfile bug: disables service on update
David F. Skoll wrote:

Off topic: I hate RPM! Does anyone have a *good* document where all this stuff is documented? Half the stuff in .spec files seems to be undocumented magic.

Sorry.. I know most of my RPM via just working on them over and over and over again. I read Maximum RPM a long time ago, and am trying to dig through the new Red Hat RPM Guide, and by working at RH for 4 years ;). I can try to help on these issues.. now that I have my off-work website working a bit more.

Regards,
David.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

--
Stephen John Smoogen [EMAIL PROTECTED]
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S
Los Alamos, NM 87545
Re: [Mimedefang] MIMEDefang 2.45-BETA-3 is available
David F. Skoll wrote:

Hi,

MIMEDefang 2.45-BETA-3 is available at http://www.mimedefang.org/node.php?id=1

I would like this to be the last beta before the 2.45 Final release. Full changelog going back to 2.44 follows.

Regards,
David.

How long of a test period do you want? I am running BETA2 on a small site at the moment without too many issues {all of the issues have been me being silly... except the sa-mimedefang overwritten one}. Also, could you update the tarballs of recommended CPAN items to use if there have been any changes to what you would consider golden versus dead?

I see that the DAG repository now has RPMs for mimedefang and such.. so you probably don't need my spec files now that I finally got the time to do them :(.

2004-08-23 David F. Skoll <[EMAIL PROTECTED]>

* Version 2.45-BETA-3 released.
* Makefile.in: Prevent sa-mimedefang.cf from being overwritten.
* mimedefang.filter.5.in: Correct some documentation errors.
* mimedefang.pl.in: Added and documented read_commands_file function so that you can initialize certain global variables in filter_sender and filter_recipient. Code contributed by Jan Pieter Cornet.
* mimedefang-multiplexor.c: Log UNIX error code if problem communicating with a slave.
* mimedefang-multiplexor.c: Implement new commands "help", "slaves", and "slaveinfo".
* watch-mimedefang: added -command, -interval, -10s, -1m, -5m, -10m and -title command-line options.
* mimedefang.pl.in(message_contains_virus_clamd): Time out if clamd doesn't respond in 8 seconds. Based on a patch from Chris Myers.
* mimedefang-spec.in: Fix error in %preun script.
* watch-mimedefang.in: Many bug fixes.

--
Stephen John Smoogen [EMAIL PROTECTED]
Los Alamos National Lab CCN-5 | PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S
Los Alamos, NM 87545
Re: [Mimedefang] mimedefang -> tcp/ip -> clamav
Muhammad Talha wrote:

Is there a possibility to run clamd over a tcp socket?

Even if there is, it still needs file system access to the /var/spool/MIMEDefang directory, so it has to run on the local host.

What if we mount /var/spool/MIMEdefang on remote machine through NFS?

I think (but am probably wrong) the socket file has to be on the machine that you are running clamav and mimedefang on. It can't just be mounted via NFS. However even if I am wrong, you would find your slowdown even worse... as you are now dealing with multiple network bottlenecks.

As it is, /var/spool/MIMEdefang should be on the FASTEST available 'drive', be it a memory drive, a hardware memory drive, or worst case the only drive on a dedicated SCSI bus in the fastest PCI slot you got. /var/spool/mqueue/xf/ should also be in a similar state.

Take some time and try to analyze the box a bit. What is using the most memory, what is using the most interrupts on the bus, what is using the most CPU, etc. Move that to dedicated hardware where possible. Spread your mqueues over multiple hard-drives and disk buses. My bet is that the problem is the DCC-server/spamassassin. If you have multiple machines that you can do this with.. spread the load with multiple Mailrelays acting as your MX record or worse yet, set up one box that just does clamav and that sends all its email to the box that does spamassassin/DCC.

--
Stephen John Smoogen [EMAIL PROTECTED]
Los Alamos National Lab CCN-5 | PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S
Los Alamos, NM 87545
Re: [Mimedefang] Danger of .vcs files?
Jim McCullars wrote:

On Thu, 30 Sep 2004, Jim Hatfield wrote:

I see that .vcs is listed in filter_bad_filename.

I think David got those extensions from a list that Microsoft published at one time. At my site, I pared the list down considerably, to a list of about 10 or so that are commonly used to send mail bombs. .vcf isn't one of them.

Which 10?

--
Stephen John Smoogen | CCN-5 Security Team
LANL SIRT Team Leader | SMTP: [EMAIL PROTECTED]
Los Alamos National Laboratory | Voice: 505.664.0645
Ta-03 SM-1498 MS: B255 DP 10S | FAX: 505.665.7793
Los Alamos, NM 87545 |
Re: OT: Re: [Mimedefang] Fedora to replace sendmail with Exim as default MTA?
On Mon, 28 Feb 2005 14:44:40 -0500 (EST), David F. Skoll <[EMAIL PROTECTED]> wrote:
> On Mon, 28 Feb 2005, Nels Lindquist wrote:
>
> > > Huh. I've already become so fed up with Red Hat that I'm switching to
> > > Debian anyway. (Exim is the default on Debian, but it's easy to
> > > replace it with Sendmail.)
>
> > Are you fed up with RedHat due to their packaging choices, or their
> > pricing/licensing?
>
> Packaging choices, mostly. I also don't like the way SELinux breaks
> almost everything useful. :-(
>

Can you give me some tips on where you are seeing this. I think if all goes well I will be the Fedora packager for mimedefang... and want to get it into place in a happy way.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
Re: [Mimedefang] Ad / Announcement: CanIt is free for small organizations
On Tue, 01 Mar 2005 12:24:09 -0500, G. Roderick Singleton <[EMAIL PROTECTED]> wrote:
> On Mon, 2005-02-28 at 16:32 -0500, David F. Skoll wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi,
> >
> > I hope you don't consider this an abuse of the MIMEDefang list, but...
> >
>
> I do not and thanks for the opportunity. All I hope for is that the
> Fedora1 release works under RH7.3

No, a Fedora 1 would work with a RH9 pretty ok... but the changes in threading models and other changes between 8 and 9 pretty much break any chance of stuff working in 7.3.

> --
> G. Roderick Singleton <[EMAIL PROTECTED]>
> PATH tech
>

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
Re: OT: Re: [Mimedefang] Fedora to replace sendmail with Exim as default MTA?
On Tue, 1 Mar 2005 14:39:47 -0500 (EST), David F. Skoll <[EMAIL PROTECTED]> wrote:
> On Tue, 1 Mar 2005, Stephen J. Smoogen wrote:
>
> > Can you give me some tips on where you are seeing this. I think if all
> > goes well I will be the Fedora packager for mimedefang... and want to
> > get it into place in a happy way.
>
> Well, it only affects CanIt. Under Fedora's SELinux settings, Apache is
> not allowed to open a UNIX-domain socket. Since the default for PostgreSQL
> is to use a UNIX-domain socket if the client is on the same host, it
> kind of breaks our software.
>
> I'm not familiar enough with SELinux configuration to know how to allow
> Apache to open a UNIX-domain socket.
>

I will look at it. It will affect some web socket stuff for other database driven items I am looking to package (drupal). That would mean getting that working correctly.

> Regards,
>
> David.
>

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
Re: [Mimedefang] [OT] clamd doesn't recognize virus
On 9/21/05, Marco Berizzi <[EMAIL PROTECTED]> wrote:
> Hello everybody.
> I'm using clam 0.87 with mimedefang 2.51.
> This morning a virus has slipped through MD.
> This is the output from clamdscan:
> /tmp/photo.zip: OK
> Clearly clamd doesn't recognize it as a virus
> and MD accepts the message.
> Hints?

Drop all zips until clamav gets a working signature?

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
Re: [Mimedefang] learning database
On 10/15/05, Matevz <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am pretty new to mimedefang, so I have a question regarding learning.
> When I use sa-learn command as root it stores data in /root/.spamassassin/ ?
>
> So I add these lines to sa-mimedefang.cf
>
> use_bayes 1
> use_bayes_rules 1
> bayes_path /root/.spamassassin/
> bayes_auto_learn 1
> bayes_learn_to_journal 1
> bayes_auto_expire 0
> Is this OK?
>

You need to have the database in a way that mimedefang can read and write. I am running Fedora Core 3 with mimedefang and spamassassin. mimedefang runs as the user defang and uses /etc/mail/spamassassin for its database area. How I set things up is the following:

gather 100+ yam and 100+ spam messages for the broth.

    cp yam spam /tmp
    chmod 0444 /tmp/yam /tmp/spam
    su - root
    chown defang:defang /etc/mail/spamassassin
    chmod 0755 /etc/mail/spamassassin
    su -s /bin/bash - defang
    sa-learn --ham --mbox --dbpath /etc/mail/spamassassin/ /tmp/yam
    sa-learn --spam --mbox --dbpath /etc/mail/spamassassin/ /tmp/spam
    exit
    rm /tmp/yam /tmp/spam
    exit

That's about it. I am a small site with 4 email addresses so this works well. I have heard that for larger sites you will want to extend this with individual spamassassin databases as one man's spam is another man's yam.

> Because I think spamassassin does not use this database, how can I test
> this if it works?
Well you should also make sure the lines in /etc/mail/mimedefang-filter are turned on:

    if ($Features{"SpamAssassin"}) {
        # Load and compile the SpamAssassin rules once, at filter start-up
        spam_assassin_init()->compile_now(1) if defined(spam_assassin_init());

        if (defined($SASpamTester)) {
            # Enable the auto-whitelist backed by a DB file
            use Mail::SpamAssassin::DBBasedAddrList;
            my $awl = Mail::SpamAssassin::DBBasedAddrList->new();
            $SASpamTester->set_persistent_address_list_factory($awl) if defined($awl);
        }
    }

and

    sub filter_end ($) {
        my($entity) = @_;

        return if message_rejected();

        if ($Features{"SpamAssassin"}) {
            # Only messages smaller than 100 KB are passed to SpamAssassin
            if (-s "./INPUTMSG" < 100*1024) {
                my($hits, $req, $names, $report) = spam_assassin_check();
                my($score);
                # One star per point, capped at 40 stars
                if ($hits < 40) {
                    $score = "*" x int($hits);
                } else {
                    $score = "*" x 40;
                }
                if ($hits >= $req) {
                    action_change_header("X-Spam-Score", "$hits ($score) $names");
                    md_graphdefang_log('spam', $hits, $RelayAddr);
                } else {
                }
            }
        }
        md_graphdefang_log('mail_in');
    }

If these are turned on you should see "X-Spam-Score" being added to your messages.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
[Mimedefang] Re: [Clamav-users] Once again a Newbe question
On 11/20/05, Darryl Baker <[EMAIL PROTECTED]> wrote:
> I'm building a new system with Sendmail 8.13.5, ClamAV 0.87.1, and
> MIMEDefang 2.49. I'm tearing out what little hair I have left trying
> to get everyone to play together. First it was sock permission
> problems for the MIMEDefang socket. Then it was finding the Clamd
> socket. Now MIMEDefang can't talk to Clamd on the socket. Anyone have
> a simple cheat sheet with who owns what and the mode they should be
> so everything just works as advertised and I can get on with tuning
> the rules?
>

The general way I have seen mimedefang+clamav has been with mimedefang calling the clam process versus using clamd. In any case, all the items that you are wanting to talk should run in the same ownership mode. Normally this is the defang user.

> I had these working on my old system and I don't remember having this
> level of trouble.
>
> Darryl Baker
> [EMAIL PROTECTED]
>
>
>
> ___________
> http://lurker.clamav.net/list/clamav-users.html
>

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
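The "same ownership" advice in the reply above, and the chown/chmod steps in the earlier "learning database" post, can be checked mechanically. The script below is an added example, not code from the thread or from the MIMEDefang project: the function names are hypothetical, it relies on GNU stat, and the account, paths and modes in the sample manifest are assumptions except the /etc/mail/spamassassin line (owner defang, mode 0755), which the earlier post gives.

```shell
#!/bin/sh
# Added example, not from the thread. Account name, paths and modes in the
# manifest are assumptions: substitute the ones your install uses.

# audit_path PATH OWNER MODE
# Prints one finding per problem; returns 0 when the path passes.
audit_path() {
    path=$1; want_owner=$2; want_mode=$3
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    owner=$(stat -c %U "$path")   # GNU stat: owner name
    mode=$(stat -c %a "$path")    # GNU stat: octal permission bits
    bad=0
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER    $path is $owner, expected $want_owner"
        bad=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE     $path is $mode, expected $want_mode"
        bad=1
    fi
    # World-writable spool dirs or sockets let any local user interfere.
    if [ $(( 0$mode & 2 )) -ne 0 ]; then
        echo "WORLD-W  $path is writable by everyone"
        bad=1
    fi
    return "$bad"
}

# audit_manifest: reads "PATH OWNER MODE" lines on stdin, skips blank lines
# and comments, and returns the number of paths that failed.
audit_manifest() {
    fails=0
    while read -r p o m; do
        case $p in ''|'#'*) continue ;; esac
        audit_path "$p" "$o" "$m" || fails=$((fails + 1))
    done
    return "$fails"
}

# Typical call on a mail host (the spool mode is an assumption):
#   audit_manifest <<'EOF'
#   /var/spool/MIMEDefang     defang 750
#   /etc/mail/spamassassin    defang 755
#   EOF
```

Add the MIMEDefang and clamd socket paths from your own configuration to the manifest; a non-zero return is the count of entries that need fixing.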
Re: [Mimedefang] spams slipping by, because they bigger than the SA size cutoff
On 2/1/06, Gary Funck <[EMAIL PROTECTED]> wrote:
>
>
> I've had a couple of spams drop in my inbox recently,
> and at first, I couldn't see how they made it past SA.
> I looked at the headers, and to my surprise, the message
> hadn't been scanned by Spamassassin(!). Why? How?
> I looked further, and noticed that one message was 800K
> bytes, and the other 140K. The first had an attached
> .wmv file (hopefully not one of _those_ .wmv files, but
> I didn't click on it to find out).
>

Well depending on how patched your system is.. and what application you are using for email you do not have to click on the wmv file. Just having some clients process the email can cause problems (according to one write up about WMV). I would recommend that you put wmv on the extensions block list and your problem is solved. I would also recommend a grey-list or other mechanism.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator