Re: [AMaViS-user] Delivery Failures From Banned Emails to Sender
Carlos,

On 8/5/2009 7:15 AM, Carlos Williams wrote:
> I checked and the settings appear to be coming from
> "20-debian_default" as follows:
>
> $final_virus_destiny = D_DISCARD; # (data not lost, see virus
> quarantine)
> $final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA
> $final_spam_destiny = D_BOUNCE;
> $final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
>
> Should I set both "D_BOUNCE" to "D_DISCARD" or just the "$final_spam_destiny"?

I set my $final_banned_destiny to D_DISCARD (goes to quarantine), so that I have a shot at releasing potential FPs. This has happened on several occasions.

>
>>> Second issue is when the sender receives a notification that their
>>> message was rejected, the message is sent from
>>> rather than just
>>> .
>>
>> The domain name in the $hdrfrom_notify_sender defaults to $myhostname.
>> Either change the $myhostname, or assign $hdrfrom_notify_sender directly:
>
> I checked the file "05-domain_id" and I can't seem to find where
> Amavisd-new is reading the $myhostname parameter from. When I edit
> "20-debian_defaults" I see:

From the released amavisd.conf-default, one discovers:

# $myhostname = ... predefined default from uname(3), must be a FQDN
# $mydomain = ... no useful default, should be set if used in expressions

You can set $myhostname and $mydomain manually; sometimes it's safer/clearer/easier to be explicit. Consider grabbing a copy of the source, so that you have both the amavisd.conf-default and amavisd.conf-sample files for reference.

>
> $virus_admin = "postmast...@$mydomain"; # due to D_DISCARD default
>
> # Set to empty ("") to add no header
> $X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
>
> Should I simply just change that to "postmas...@iamghost.com? I am
> just making sure I am making the right change in the right section of
> the right file.
>
> Thanks for your assistance!
>
> - Carlos
>

___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/

Re: [AMaViS-user] trying to track down an am:boost=5
On 8/5/2009 8:18 AM, Michael Scheidell wrote:
> on a system without pen pals, bouncekiller or anything that I can think
> of that would do this,
>
> I keep getting an AMBOOST:5 on emails from cdpublications.
> from:Community Health Funding Report

^^^

Search "offers" below:

/etc/amavisd.conf:

# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed
  new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
    [qr'^(your_friend|greatoffers)@'i=> 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i=> 5.0],
  ),

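To find which soft-blacklist row is behind an AM:BOOST value, the table from the excerpt above can be run against an envelope sender. This is an added example, not amavisd-new code and not part of the original message; the sender addresses are constructed, the function name is hypothetical, and it assumes the first matching row of a regexp table decides the result.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The soft-blacklist rows from the amavisd.conf excerpt above: [pattern => score].
my @soft_blacklist = (
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i          => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i => 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i => 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i    => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i   => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                 => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                     => 5.0],
);

# Return (score, pattern) for the first row that matches the envelope
# sender, or nothing when no row matches. "First match wins" is an
# assumption about how the regexp lookup table is evaluated.
sub boost_for_sender {
    my ($sender, $table) = @_;
    for my $row (@$table) {
        my ($re, $score) = @$row;
        return ($score, "$re") if $sender =~ $re;
    }
    return;
}

# Constructed envelope senders: the patterns look only at the local part,
# are anchored at its start, and ignore case.
my @samples = (
    'offers@sender.example',          # exact local part
    'Offers@sender.example',          # case-insensitive match
    'inkjetplanet42@sender.example',  # trailing digits allowed by \d*
    'weekly-offers@sender.example',   # not anchored at "offers": no match
    'newsletter@sender.example',      # no row applies
);

for my $sender (@samples) {
    my ($score, $re) = boost_for_sender($sender, \@soft_blacklist);
    printf "%-32s %s\n", $sender,
        defined $score ? sprintf('boost %+.1f via %s', $score, $re)
                       : 'no boost';
}
```

Run it with the envelope sender (MAIL FROM) of the message in question, not the From: header, since the table in the excerpt is an envelope sender lookup.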
Re: [AMaViS-user] Configuration Question
Jeff,

On 7/27/2009 1:32 PM, Jeff Grossman wrote:
> I am running Postfix 2.6.2 and Amavis 2.6.4 together. Everything is
> running smoothly except for one problem. When a user connects remotely and
> sends a message, I get the following line in my amavis-logwatch output:
>
> 1 *Warning: Security risk
> -
> 1 Open relay? Nonlocal recips but not originating: recip1
>
> I have asked about this on the Logwatcher mailing list, but I was told it
> was an Amavis configuration problem. What setting do I either have
> incorrect or not have at all to remove this error from the amavis-logwatch
> output?
>

I saw your post, but had believed it was answered to your satisfaction, so didn't contribute anything.

Here's the basic idea, as others have mentioned. You want something similar to the submission service listed below in postfix's master.cf file (note the content_filter setting and port number of 10026):

master.cf:

submission inet n - n - - smtpd
    -o content_filter=lmtp-amavis:[127.0.0.1]:10026
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes
    -o broken_sasl_auth_clients=yes
    -o receive_override_options=no_header_body_checks,no_address_mappings
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

Now, in amavis's configuration file amavisd.conf, you'd want a matching policy bank entry with listener (note the additional 10026 listening port in $inet_socket_port):

amavisd.conf:

# listen on multiple TCP ports
$inet_socket_port = [10024,10026];

$interface_policy{'10026'} = 'ORIGINATING';

# mail supposedly originating from our users
$policy_bank{'ORIGINATING'} = {
  # declare that mail was submitted by our smtp client
  originating => 1,
  # enables disclaimer insertion if available
  # allow_disclaimers => 1,
  # avoids loading MYNETS policy unnecessarily
  mynetworks_maps => [],
  # don't spam scan
  bypass_spam_checks_maps => [1],
  # allow sending any file names and types
  bypass_banned_checks_maps => [1],
  # don't check headers
  bypass_header_checks_maps => [1],
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusale...@$mydomain"],
  spam_admin_maps => ["virusale...@$mydomain"],
  warnbadhsender => 1,
  # don't remove NOTIFY=SUCCESS option
  terminate_dsn_on_notify_success => 0,
  # don't query p0f
  os_fingerprint_method => undef,
};

With these settings, the mail submitted by your users will traverse one route while your general service takes the existing route. The 'originating' flag will be set, and amavis will consider mail from your local users as local mail.

Tailor to suit your needs. See also:

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex

Mike

> Thanks for any help you can offer me.
>
> Jeff
>

Re: [AMaViS-user] interpretation of log entries
Stefan,

On 7/8/2009 7:54 AM, Stefan Palme wrote:
> Hi all,
>
> I have a question concerning the log entries created by amavisd-new:
>
> Passed SPAM, [209.85.23.242] [77.61.136.43] ->...
>
> What is the meaning of the two IP addresses?
>

See: http://marc.info/?l=amavis-user&m=117941930332341&w=2

> Every log line of this type always contains two such IP addresses,
> sometimes they are the same, sometimes not.
>
> Thanks for any hint
> Regards
> -stefan-

Re: [AMaViS-user] Spam score of 2.168+5?
>>> From a spam message:
>>
>> X-Spam-Status: Yes, score=2.168+5 tag=5.9 tag2=6.4 kill=6.9
>> tests=[AM:BOOST=5,
>> AWL=0.495, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001,
>> MIME_HTML_ONLY=1.672, SPF_PASS=-0.001] autolearn=no
>>
>> 2.168+5? 216800? Why the scientific notation?
>>

No sci-no, simple per-recipient addition:

amavisd-new-2.6.2 release notes

- insert "AM:BOOST=boost_scores_list" into a list of triggered spam tests to make visible the internally generated per-recipient spam score boosts (like from: pen pals, soft white/black-listing, bounce killer) in the log and in the X-Spam-Status header field. The 'tests' list in X-Spam-Status or in the log (macro %T) can now look like:

    tests=[AM:BOOST=+1.3+0.51-1.1, BAYES_99=3.6, ...]

  Multiple summands appear in multi-recipient messages where boost scores differ between recipients (the list is squashed, only unique values are shown). Apparent mismatch in score addition pointed out by John Beranek.

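The arithmetic behind "score=2.168+5" can be checked mechanically. The following is an added example, not amavisd-new code and not part of the original message: it parses the header quoted above, confirms that the SpamAssassin tests add up to the first number, and applies each AM:BOOST summand separately (one per recipient group, as the release notes describe) against the tag/tag2/kill levels. Function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: the X-Spam-Status value quoted above, still folded.
my $sample = <<'EOF';
Yes, score=2.168+5 tag=5.9 tag2=6.4 kill=6.9
 tests=[AM:BOOST=5,
 AWL=0.495, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001,
 MIME_HTML_ONLY=1.672, SPF_PASS=-0.001] autolearn=no
EOF

my $NUM = qr/\d+(?:\.\d+)?/;

sub parse_spam_status {
    my ($value) = @_;
    $value =~ s/\s+/ /g;    # undo header folding

    # "score=x" means SpamAssassin was not called. Otherwise the first
    # number is the SpamAssassin score; what follows it is the boost.
    my ($base) = $value =~ /\bscore=(x|-?$NUM)/ or return;
    my %r = (
        sa_score => ($base eq 'x' ? undef : $base + 0),
        levels   => {},    # tag / tag2 / kill thresholds
        tests    => {},    # SpamAssassin tests and their scores
        boosts   => [],    # distinct per-recipient boosts from AM:BOOST
    );
    while ($value =~ /\b(tag2?|kill)=(-?$NUM)/g) {
        $r{levels}{$1} = $2 + 0;
    }
    if (my ($list) = $value =~ /\btests=\[([^\]]*)\]/) {
        for my $item (split /\s*,\s*/, $list) {
            my ($name, $val) = split /=/, $item, 2;
            next unless defined $val && length $val;
            if ($name eq 'AM:BOOST') {
                push @{ $r{boosts} }, map { $_ + 0 } $val =~ /[-+]?$NUM/g;
            }
            elsif ($val =~ /^-?$NUM$/) {
                $r{tests}{$name} = $val + 0;
            }
        }
    }
    return \%r;
}

# Sum of the SpamAssassin tests, which should equal the score before "+".
sub tests_sum {
    my ($r) = @_;
    my $sum = 0;
    $sum += $_ for values %{ $r->{tests} };
    return sprintf '%.3f', $sum;
}

# One line per distinct boost: the summands are alternatives that apply to
# different recipients, so each is added to the SA score on its own.
sub verdicts {
    my ($r) = @_;
    return () unless defined $r->{sa_score};
    my $l      = $r->{levels};
    my @boosts = @{ $r->{boosts} } ? @{ $r->{boosts} } : (0);
    my @out;
    for my $boost (@boosts) {
        my $total = $r->{sa_score} + $boost;
        my $verdict =
              defined $l->{kill} && $total >= $l->{kill} ? 'at or above kill'
            : defined $l->{tag2} && $total >= $l->{tag2} ? 'at or above tag2'
            : defined $l->{tag}  && $total >= $l->{tag}  ? 'at or above tag'
            :                                              'below tag';
        push @out, sprintf '%.3f %+g = %.3f (%s)',
            $r->{sa_score}, $boost, $total, $verdict;
    }
    return @out;
}

my $r = parse_spam_status($sample) or die "no score= field found\n";
printf "tests sum to %s, header score is %.3f\n", tests_sum($r), $r->{sa_score};
print "$_\n" for verdicts($r);
```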
Re: [AMaViS-user] Useless use of hash element in void context at /usr/sbin/amavisd-nanny , line 61.
On 5/21/2009 5:50 AM, Zhang Huangbin wrote:
> MrC wrote:
>>
>> What is the value of your AMAVISD_DB_HOME environment variable?
>>
>> # echo AMAVISD_DB_HOME
>
> Perhaps you mean 'echo $AMAVISD_DB_HOME', right? It's empty.
>
>
> Mark Martinec wrote:
>> Perhaps you changed the line 60:
>> my($db_home) = # DB databases directory
>> and left the expression in the continuation line 61 dangling
>> without an assignment.
>
> not changed.

Actually, it *is changed*. Compare yours with the original, at line 60:

>
> # grep -i 'db_home' /etc/amavisd.conf
> $db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D
>
> # grep -i 'db_home' /usr/sbin/amavisd-nanny
> my($db_home) = "/var/amavis/db";

^ this is line 60

> defined $ENV{'AMAVISD_DB_HOME'} ? $ENV{'AMAVISD_DB_HOME'} :
> '/var/amavis/db';

2 lines above are dangling, useless expressions.

Your version is:

$ cat /tmp/foo
#!/usr/bin/perl -w
my($db_home) = "/var/amavis/db";
defined $ENV{'AMAVISD_DB_HOME'} ? $ENV{'AMAVISD_DB_HOME'} :
'/var/amavis/db';
print "DB: $db_home\n";

$ /tmp/foo
Useless use of hash element in void context at /tmp/foo line 4.
Useless use of a constant in void context at /tmp/foo line 4.
DB: /var/amavis/db

Original version is:

$ cat /tmp/foo
#!/usr/bin/perl -w
my($db_home) = # DB databases directory
defined $ENV{'AMAVISD_DB_HOME'} ? $ENV{'AMAVISD_DB_HOME'} :
'/var/amavis/db';
print "DB: $db_home\n";

$ /tmp/foo
DB: /var/amavis/db

> @dbstat = stat("$db_home/$dbfile");
> $errn==0 || $errn==ENOENT or die "stat $db_home/$dbfile: $!";
> printf STDERR ("Reopening nanny database %s/%s\n", $db_home,$dbfile);
> -Home => $db_home, -Flags => DB_INIT_CDB | DB_INIT_MPOOL,
> $db_home,$dbfile);
>
> My amavisd-new is 2.6.2.
>
> Thanks for your replies. :)
>

Re: [AMaViS-user] Useless use of hash element in void context at /usr/sbin/amavisd-nanny , line 61.
Zhang,

On 5/19/09 10:21 PM, Zhang Huangbin wrote:
> Hi, list
>
> When running amavisd-nanny, i got below msg, however the execution
> of amavisd-nanny appears to be correct. Configure error or whatever?
>
>
> # amavisd-nanny
> Useless use of hash element in void context at /usr/sbin/amavisd-nanny
> line 61.
> Useless use of a constant in void context at /usr/sbin/amavisd-nanny
> line 61.
> process-id task-id elapsed inelapsed-bar (dots indicate idle)
> or state idle or busy

What is the value of your AMAVISD_DB_HOME environment variable?

# echo AMAVISD_DB_HOME

>
> PID 05431: 1:27:52 .:.:.:.
> PID 05432: 1:27:52 .:.:.:.
>
>
> Thanks :)
>

Re: [AMaViS-user] DKIM problem with long domain names?
On 3/10/2009 3:26 PM, Bill Landry wrote:
> Patrick Wong wrote:
>> Yes Bill, I can confirm that 0.33 is available from CPAN cause I just
>> did it this morning after reading Mark's notes.
> Not for me. Just now tried again:
>
> cpan[1]> install Mail::DKIM
> CPAN: Storable loaded ok (v2.18)
> Going to read /root/.cpan/Metadata
>Database was generated on Tue, 10 Mar 2009 11:26:55 GMT
> CPAN: YAML loaded ok (v0.68)
> Going to read 72 yaml files from /root/.cpan/build/
> CPAN: Time::HiRes loaded ok (v1.9711)
> DONE
> Restored the state of 3 (in 1.3195 secs)
> Mail::DKIM is up to date (0.32).
>

The CPAN mirror currently used by your system is not up to date. See:

http://search.cpan.org/~jaslong/Mail-DKIM-0.33/lib/Mail/DKIM.pm

for the latest.

Re: [AMaViS-user] about amavis-sanesecurity_v2.cf
Nigel Horne wrote:
>> The AV:Phishing.Heuristics.Email.SpoofedDomain is a ClamAv heuristically
>> determined spoofed domain. It is fairly prone to false positives, so it
>> might not be a good idea to place it in the meta-group L_AV_Phish, which
>> are signature-based.
>
>
> If you find any problems with ClamAV's heuristic checking for phish that
> lead to problems such as false positives,
> please post them to bugs.clamav.net. Thanks.
>
> -Nigel

Nigel,

One problem with posting some of the FP Spoofed Domain email is that they often contain encoded personal information, and sanitizing takes time, or isn't obvious. I see many from the NRA (nra-ila_ale...@www.ilaalerts.org), Wachovia (customerserv...@wachoviapossibilities.com, http://dls-email.bfi0.com), etc. I'm not sure what is safe to sanitize, strip, remove.

I'm happy to post my FPs, but not those of my email users.

MrC

Re: [AMaViS-user] about amavis-sanesecurity_v2.cf
> On 1/15/09, Eddy Beliveau wrote:
>> Hi! Networkers,
>>
>> We are using, with success, amavisd-new + clamav
>>
>> We are using http://www200.pair.com/mecham/spam/amavis-sanesecurity_v2.cf
>> for scoring based on clamav analysis.
>>
>> Lately, we notice, in our logs, that some email hits the rule
>> AV:Phishing.Heuristics.Email.SpoofedDomain
>> which score as 0.1, but amavis-sanesecurity_v2.cf does not hits the
>> rule L_AV_Phish

The AV:Phishing.Heuristics.Email.SpoofedDomain is a ClamAv heuristically determined spoofed domain. It is fairly prone to false positives, so it might not be a good idea to place it in the meta-group L_AV_Phish, which are signature-based. Heuristic checks should have low scores so that a false positive doesn't count too much against the spam score. See:

https://wiki.clamav.net/Main/MalwareNaming

>>
>> So I edit that cf file with the following difference:
>>
>> @@ -1,4 +1,4 @@ >> -header L_AV_Phish X-Amavis-AV-Status =~ >> m{\bAV:(Email|HTML)\.Phishing\.}i >> +header L_AV_Phish X-Amavis-AV-Status =~ >> m{\bAV:(|(Email|HTML)\.)Phishing\.}i >>

You can consider creating a separate rule if you just want to increase the score of heuristic spoofed domain checks.

>> Cheers,
>> Eddy

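Review bot: the empty alternative in the "+" line, (|(Email|HTML)\.), makes L_AV_Phish match every name beginning AV:Phishing., so AV:Phishing.Heuristics.Email.SpoofedDomain is folded into a rule that previously matched only the AV:Email.Phishing. and AV:HTML.Phishing. names, and a heuristic hit then counts the same as those. Leave the original pattern in place and add a separate header rule matching \bAV:Phishing\.Heuristics\. with its own low score. If the optional prefix is kept anyway, (?:(?:Email|HTML)\.)? expresses it without the empty branch and the unused capture groups.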
Re: [AMaViS-user] MSRBL signature change
Henrik K wrote:
> FYI, you should replace..
>
> header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images/}
>
> ->
>
> header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bAV:MSRBL-Images\b}
>

... as well any @virus_name_to_spam_score_maps rules referencing MSRBL-Images that includes a slash separator, such as those mentioned in the recent thread:

[AMaViS-user] SaneSecurity - new signature format.

In:

@virus_name_to_spam_score_maps = ...
  [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)'=> 0.1 ],
...

change to:

...
  [ qr'^(MSRBL-(Images|SPAM)\.)' => 0.1 ],
...

or to:

...
  [ qr'^(MSRBL-Images\.|MSRBL-SPAM\.)' => 0.1 ],
...

Re: [AMaViS-user] Discard of spams
Eduardo,

Eduardo Júnior wrote:
> On Thu, Aug 21, 2008 at 7:25 PM, Mark Martinec
> <[EMAIL PROTECTED]<[EMAIL PROTECTED]>
>> wrote:
>>
>>> Ok, but what I want is that mail from the Internet to be discarded when a
>>> certain score is achieved, defined by *$sa_kill_level_deflt = 15.0*;
>> It should be according to your settings, unless you have some
>> other higher-cannon settings telling otherwise (*spam_lovers*,
>> @spam_kill_level_maps, %final_destiny_by_ccat, %lovers_maps_by_ccat).
>
> I don't have this configured.
>
>>> There is a kind of debug to recipients?
>>> Something like [EMAIL PROTECTED]
>> No, there isn't. But as about every 8 or 9 messages out of 10
>> are spam nowadays, just rise log level to 5 and leave amavisd
>> running for a minute or two, and you should have enough evidence.
>> Pick a representative case from the log and grep the log
>> for the log_id, collecting all log entries belonging to the
>> same task, e.g.:
>> $ fgrep '(58163-09)' /var/log/amavisd.log
>
>
>
> Here, when I putted the policy @debug_sender_maps =
> (["[EMAIL PROTECTED]"]);
>
> any messages from this address not generated logs more detailed.
> I putted this in the end of file /etc/amavis/amavisd.conf

With all the attempts you have made, and nothing seeming to stick, one might believe that your amavisd.conf file being edited is not the file being used. What does your amavisd startup script look like (in /etc/init.d or /etc/rc.d I presume, but this is distro-dependent, or how you actually start amavisd may be custom)?

Do any of the settings below work, or have you had luck when changing other values from the below config file?

I also notice

$sa_local_tests_only = 1; # (default: false)

Is this what you really want?

> I read [1], like recommended by MrC, adjusting the configs, but not worked.
> I don't know if I was clear but i want discard messages with score/hits >
> "x"

A score of x (score=x) means SA was not called. This will occur when messages are larger than $sa_mail_body_size_limit, for example. So you want to discard all messages for which SA has not been called?!

MrC

> Version of the amavis: 2.4.2-5
>
> my amavisd.conf:
>
> use strict;
>
> $MYHOME = '/var/lib/amavis'; # (default is '/var/amavis')
> $mydomain = 'conset.com.br'; # (no useful default)
> $daemon_user = 'amavis'; # (no default (undef))
> $daemon_group = 'amavis'; # (no default (undef))
> $TEMPBASE = $MYHOME; # (must be set if other config vars use is)
> $pid_file = "/var/run/amavis/amavisd.pid"; # (default:
> "$MYHOME/amavisd.pid")
> $lock_file = "/var/run/amavis/amavisd.lock"; # (default:
> "$MYHOME/amavisd.lock")
> $ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory
> $forward_method = 'smtp:127.0.0.1:10025';
> $notify_method = $forward_method;
> $max_servers = 4; # number of pre-forked children (default 2)
> $max_requests = 10; # retire a child after that many accepts (default 10)
> $child_timeout=10*60; # abort child if it does not complete each task in n
> sec
> # (default: 8*60 seconds)
> @local_domains_acl = ( ".$mydomain" );
> $relayhost_is_client = 0;
> $insert_received_line = 1;
> $unix_socketname = undef;
> $inet_socket_port = 10024;
> $inet_socket_bind = '127.0.0.1';
> @inet_acl = qw( 127.0.0.1 );
> $DO_SYSLOG = 1;
> $LOGFILE = "/var/log/amavis.log";
> $log_level = 4;
>
> $log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type
> (%F)]|INFECTED (%V)], #
> [?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits:
> %c';
>
> read_l10n_templates('en_US', '/etc/amavis');
>
> $final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
> $final_banned_destiny = D_DISCARD; # (defaults to D_BOUNCE)
> $final_spam_destiny = D_DISCARD; # (defaults to D_REJECT)
> $final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE
> suggested
>
> $viruses_that_fake_sender_re = new_RE(
> qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
> qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
> qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
>
> qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
> qr'@mm|@MM',# mass mailing viruses as labeled by f-prot and uvscan
> qr'Worm'i,

[AMaViS-user] [Fwd: [Clamav-users] Sanesecurity Changes]
FYI...

This change affects @virus_name_to_spam_score_maps, used to turn Sanesecurity ClamAV hits into spam scores. Note the new naming scheme:

Eg:

@virus_name_to_spam_score_maps = (new_RE(
  # [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
  [ qr'^Sanesecurity\.Malware\.' => undef ],
  [ qr'^Sanesecurity\.
       (Hdr|Img|ImgO|Junk|Doc|ScamL|Scam4|
        Job|Stk|Loan|Spam|Porn|Bou|Dipl|Cred)\.'x => 10.1 ],
  [ qr'^(MSRBL-Images/)' => 2.1 ],
  [ qr'^(MSRBL-SPAM\.)'=> 5.1 ],
));

Mike

Original Message
Subject: [Clamav-users] Sanesecurity Changes
Date: Mon, 6 Oct 2008 13:37:48 +0100 (BST)
From: Steve Basford
Reply-To: ClamAV users ML <[EMAIL PROTECTED]>
To: ClamAV users ML <[EMAIL PROTECTED]>

Hi All,

There are a few changes to the Sanesecurity signature names and database names (including updated download scripts).

Please read the following, as it contains all the information on the new changes:

http://www.sanesecurity.co.uk/clamav/changes.pdf

Cheers,

Steve
Sanesecurity

Re: [AMaViS-user] Another secondary virus scanner
Rocco Scappatura wrote:
> Hello,
>
> due to high load of my Postfix+Amavisd-new+MySQL boxes, I have had to
> disable the primary virus scanner (UVSCAN). I found that UVSCAN is very

I have found that ClamAV detects as much or more than uvscan. Can you place uvscan as a backup scanner?

> CPU expensive so I had no other choice other then disable it. So

Do you have the v5.30 engine? It is significantly faster than the v5.20 or v5.10 engines. See related thread:

http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/290df7dc7b1fcb39/1cf69cf9691e083f?lnk=gst&q=uvscan+MrC#1cf69cf9691e083f

> Amavisd-new at the moment is using only CLAMAV. If it crash or stops
> working for some reason, my mail gateway doesn't deliver email at all.
> Since I find CLAMAV an effective virus scanner, I would like a similar
> tool (demonized, open source, active project) that I can use as
> secondary virus scanner for my Postfix+Amavisd-new+MySQL platform.

> rocsca
>

Re: [AMaViS-user] Another secondary virus scanner
Rocco Scappatura wrote:
>>> due to high load of my Postfix+Amavisd-new+MySQL boxes, I have had
> to
>>> disable the primary virus scanner (UVSCAN). I found that UVSCAN is
>> very
>>
>> I have found that ClamAV detects as much or more than uvscan. Can you
>> place uvscan as a backup scanner?
>>
>>> CPU expensive so I had no other choice other then disable it. So
>
> How do I have to configure amavisd-new?

Comment out the primary scanner entry for uvscan in

  @av_scanners = ( ... )

and add it to

  @av_scanners_backup = ( ... )

You may ultimately not need to do this, if the updated scanner engine is fast enough for your environment. See below.

>
>> Do you have the v5.30 engine? It is significantly faster than the
>> v5.20
>> or v5.10 engines. See related thread:
>>
>
> # uvscan --version
> Virus Scan for Linux v4.40.0
>
> :-(

Frown indeed - that's ancient, and I believe EOL'd. See the trial version of 5.30 McAfee VirusScan Command Line Scanner for Linux here:

https://secure.nai.com/apps/downloads/free_evaluations/default.asp?region=us&segment=small

>
>> http://groups.google.com/group/mailing.unix.amavis-
>>
> user/browse_thread/thread/290df7dc7b1fcb39/1cf69cf9691e083f?lnk=gst&q=u
>> vscan+MrC#1cf69cf9691e083f
>
> Thanks,
>
> rocsca

Re: [AMaViS-user] Trouble with /usr/bin/file
Clemens von Musil wrote:
> Hi,
>
> the day before yesterday, my amavis started to fail with following log
> line per scanned email:
>
>
> 451 4.5.0 Error in processing, id=18143-02, decoding2-get-file-types
> FAILED: 'file' utility (/usr/bin/file) failed, status=1 (256 ) at
> /usr/sbin/amavisd-new line 3853. (in reply to end of DATA command))
>
>
> I did not update anything at the time. If executed manually,
> /usr/bin/file seems to work as usual. I reinstalled file and amavisd-new
> from repository with no success.
>
> I really don't know where to search any error.

Perhaps the file utility is failing on the particular decoded part of the MIME encoded email. You may still have a directory in your amavis tmp directory (/var/amavis/tmp perhaps?) that ends with 18143. There will be an "email.txt" file and a "parts" sub-directory. Try running file on each component and checking the exit status of each.

>
> I run amavisd-new 20030616 on a debian sarge machine. Do I have to
> upgrade amavis?
>
> Thanks for any suggestion!
> Clemente
>

Re: [AMaViS-user] Discard of spams
Eduardo Júnior wrote:
> I read and made the following changes:
>
> $sa_tag_level_deflt = 'undef';
> $sa_tag2_level_deflt = 6.3;
> $sa_kill_level_deflt = 15.0;
> $sa_dsn_cutoff_level = 15.0;
>
>
> $final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
> $final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
> $final_spam_destiny = D_DISCARD; # (defaults to D_REJECT)
> $final_bad_header_destiny = D_PASS;
>
>
> $virus_quarantine_to = 'undef';
> $spam_quarantine_to = 'undef';
> $banned_quarantine_to = 'undef';
> $bad_header_quarantine_to = 'undef';
>
> but with spam score greater than 15.0 is being delivered and copies being
> made for quarantine.
>
> Part of the log:
>
> (00959-01) Passed SPAM, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,
> quarantine:
> spam-HX9hsQgGx+rU.gz, Message-ID: <
> [EMAIL PROTECTED]>, mail_id:
> HX9hsQgGx+rU, Hits: 1001.442, queued_as: 626F3439AB2, 1480 ms
>
>
> Any suggestions?
>

Unquote your 'undef' values. undef is not a string.

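Why the quotes matter, as an added example that is not amavisd-new code and not part of the original message: to Perl, 'undef' in quotes is an ordinary defined, true string that evaluates to 0 as a number, so any code that checks whether a setting is defined sees it as set. The script shows that and then flags such assignments in a config text; the sample is built from the settings quoted above plus one corrected line, and the function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: settings quoted in the message above, plus one
# corrected line for comparison.
my $conf = <<'EOF';
$sa_tag_level_deflt = 'undef';
$sa_tag2_level_deflt = 6.3;
$sa_kill_level_deflt = 15.0;
$virus_quarantine_to = 'undef';
$spam_quarantine_to = 'undef';
$banned_quarantine_to = undef;   # corrected form
EOF

# Return [line number, variable] for every assignment of a quoted "undef".
sub quoted_undef_settings {
    my ($text) = @_;
    my (@hits, $n);
    for my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /^\s*#/;    # skip comment lines
        push @hits, [$n, $1]
            if $line =~ /^\s*([\$\@%]\w+)\s*=\s*(['"])undef\2\s*;/;
    }
    return @hits;
}

# What Perl makes of a value: the quoted word is a defined, true string.
sub describe {
    my ($v) = @_;
    return 'undefined' unless defined $v;
    no warnings 'numeric';    # "undef" is not numeric; Perl evaluates it as 0
    return sprintf 'defined, true=%s, as a number=%g',
        ($v ? 'yes' : 'no'), $v + 0;
}

printf "'undef' -> %s\n", describe('undef');
printf " undef  -> %s\n", describe(undef);
printf "line %d: %s is set to the string 'undef'\n", @$_
    for quoted_undef_settings($conf);
```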
Re: [AMaViS-user] Getting Amavisd-new To Use Clamav
Carlos,

Carlos Williams wrote:
> I am assuming based on my headers from received emails that
> Amavisd-new is running however I don't have anything running that
> Amavisd-new can use like Clamav. I am really trying to get Clamav
> (clamd) to run on my Postfix email server / Debian 4.0 (Etch) and
> can't find any guides that were written in the last 5 years. They all
> appear very outdated and am looking for someone to help me get Clamav
> working on my email server.
>
> First is to make sure Amavisd-new is installed = check
> Next is to make sure Amavisd-new is running = check
> Make sure Postfix can use Amavisd-new = check (maybe)
>
> ===
>
> Return-Path: [EMAIL PROTECTED]
> X-Original-To: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: from localhost (localhost [127.0.0.1])
> by email.example.net (Postfix) with ESMTP id D9B33211C140
> for <[EMAIL PROTECTED]>; Sun, 17 Aug 2008 16:42:45 -0400 (EDT)
> Received: from email.example.net ([127.0.0.1])
> by localhost (email.example.net [127.0.0.1]) (amavisd-new, port 10024)
> with ESMTP id Ll-O6he+Nkrg for <[EMAIL PROTECTED]>;
> Sun, 17 Aug 2008 16:42:45 -0400 (EDT)
> Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.231])
> by email.example.net (Postfix) with ESMTP id A198A211C109
> for <[EMAIL PROTECTED]>; Sun, 17 Aug 2008 16:42:45 -0400 (EDT)
>
>
> ===
>
> I see "amavisd-new, port 10024 in the headers so I can only then
> assume Amavisd-new is working, right? Lets hope so and now I have
> installed the latest version of Clamav on my Debian server and it is
> running but I have no idea how to make this work with Postfix /
> Amavisd-new. Does anyone have any suggestions and or assistance? I
> checked the site and did a Google search and could not find anything
> that was not extremely old and did not apply or did not apply to Exim4
> MTA rather than Postfix MTA.
>
> Thanks for any help.
>
>

GaryV's documents here are all very good and thorough:

http://www200.pair.com/mecham/spam/

MrC

Re: [AMaViS-user] Discard of spams
Eduardo Júnior wrote:
> I want my amavis discard messages with score above 10, for example, that
> delivered the messages with scores below that.
>
> Thus, the score that set to be classified as spam was 7.
> So anything above 10 should be discarded and between 7 and 10 delivered.
>
> I saw that in amavis has the following directives:
> $sa_tag_level_deflt
> $sa_tag2_level_deflt
> $sa_kill_level_deflt
> $sa_dsn_cutoff_level
>
> They are in these directives should I move?
> How to adjust them

This document is worth reading. It should clarify the settings for you, and explain each:

http://www200.pair.com/mecham/spam/amavisd-settings.html

Discarding mail with scores starting at 10 might be a little aggressive, and prone to losing mail. You might want to quarantine for a while at 10 and discard at 20.
Re: [AMaViS-user] amavisd-new and mcafee's uvscan for unix questions
jonathan wrote:
> as a relevant point, the newest unix (Solaris) command-line uvscan is
> almost twice as fast as the previous one - upgrading this is making a
> massive performance difference.

Agreed. I updated my NetBSD system from the 5.2 engine to 5.3. The claimed performance gains from 5.1 -> 5.2 have finally been realized in 5.3. I'm seeing minimally a 30% reduction in scan times with the 5.3 uvscan vs. 5.2 or 5.1.

While clamdscan is faster for smaller mail messages (due to not reading in defs files each run), uvscan destroys clamdscan on larger archives:

#
# 4.2K small mail file
#
$ time uvscan -rv --noboot --summary --secure --mime virus-4byRQjj1YPAt
Scanning virus-4byRQjj1YPAt
Scanning file virus-4byRQjj1YPAt
Scanning file virus-4byRQjj1YPAt/04dc.EML

Summary report on virus-4byRQjj1YPAt
File(s)
    Total files: ... 2
    Clean: . 2
    Possibly Infected: . 0

real 0m2.845s
user 0m2.474s
sys  0m0.370s

$ time clamdscan --verbose virus-4byRQjj1YPAt
virus-4byRQjj1YPAt: Email.Malware.Sanesecurity.08081003.StormNews.CnnGen FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.071 sec (0 m 0 s)

real 0m0.074s
user 0m0.002s
sys  0m0.002s

#
# 2.2M gzipped tar archive
#
$ time uvscan -rv --noboot --summary --secure --mime \
    gallery-1.5.7.tar.gz

Summary report on gallery-1.5.7.tar.gz
File(s)
    Total files: ...1169
    Clean: .1169
    Possibly Infected: . 0

real 0m7.642s
user 0m7.130s
sys  0m0.482s

$ time clamdscan --verbose gallery-1.5.7.tar.gz
gallery-1.5.7.tar.gz: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 18.697 sec (0 m 18 s)

real 0m18.700s
user 0m0.001s
sys  0m0.002s
Re: [AMaViS-user] amavisd-new and mcafee's uvscan for unix questions
jonathan wrote:
> aha: I'm not seeing the directory name in my ps list due to the
> command-line printout cutoff, which conveniently chops off right after
> /var/amavis/tmp/. Increasing my amavis loglevel shows the correct
> directory being scanned.
>
> I'm still not sure why I don't see a corresponding increase in the
> number of uvscan processes if I increase my number of amavisd processes
> by a factor of 2 or 3. I have servers that are getting a queue backlog,
> yet are only showing 40% cpu utilization and lots of free memory, which
> seems strange.
>
>

Have you run amavis-nanny to see if all amavis processes are actually in use?
Re: [AMaViS-user] amavisd-new and mcafee's uvscan for unix questions
jonathan wrote:
> My amavisd.conf is using a standard configuration for uvscan:
>
> ### http://www.nai.com/
> ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
>   '--secure -rv --mime --summary --noboot - {}', [0], [13],
>   qr/(?x) Found (?:
>       \ the\ (.+)\ (?:virus|trojan) |
>       \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
>       :\ (.+)\ NOT\ a\ virus)/,
> # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
> # sub {delete $ENV{LD_PRELOAD}},
> ],
>
> I'm running many instances of amavisd, yet I never seem to see much more
> than a dozen uvscan processes, no matter how many amavisd processes are
> running. Furthermore, it seems like every uvscan process is scanning
> the entire contents of /var/amavisd/tmp?:
>
> amavisd 6265 6112 1 15:57:36 ? 0:07
> /usr/local/bin/uvscan --secure -rv --mime --summary --noboot -
> /var/amavis/tmp/
>
> Shouldn't each uvscan process be shown as acting on a single
> subdirectory (message) in amavisd/tmp? I'm seeing really high times for
> virus scanning.

Yes, it should be a per-mail message, which gets decoded into a specific folder in the amavis tmp directory. I'm seeing:

  /bin/sh /usr/local/bin/uvscan --secure -rv --mime --summary \
      --noboot - /var/spool/amavis/tmp/amavis-20080813T135331-1

>
> Any insight here greatly appreciated.
Re: [AMaViS-user] Config File Missing in Debian Linux
Carlos Williams wrote:
> Do you mean read my Amavisd logs or Postfix logs? I checked /var/log/
> and Amavisd does not appear to store logs there unless I don't have it
> properly installed / running.
>
> mail:/var/log# ls
> apt           debug       dpkg.log.1  mail.err     messages.0   syslog.4.gz
> auth.log      debug.0     faillog     mail.info    news         syslog.5.gz
> auth.log.0    dmesg       fsck        mail.info.0  ntpstats     user.log
> boot          dmesg.0     installer   mail.log     syslog       user.log.0
> btmp          dmesg.1.gz  kern.log    mail.log.0   syslog.0     wtmp
> btmp.1        dmesg.2.gz  kern.log.0  mail.warn    syslog.1.gz  wtmp.1
> daemon.log    dmesg.3.gz  lastlog     mail.warn.0  syslog.2.gz
> daemon.log.0  dpkg.log    lpr.log     messages     syslog.3.gz
>
> I checked messages, mail.log, mail.err, & mail.warn and could not find
> anything related to Amavisd. I think I am missing something.
>

I don't know what Debian defaults to. Amavis default is:

  # $DO_SYSLOG = undef;            # same as 0
  # $syslog_ident = 'amavis';
  # $syslog_facility = 'mail';     # after-default, derived from $SYSLOG_LEVEL
  # $syslog_priority = 'debug';    # after-default, derived from $SYSLOG_LEVEL
  # $SYSLOG_LEVEL = 'mail.debug';  # obsolete variable

Be sure to set:

  $DO_SYSLOG = 1;   # log via syslogd (preferred)

This will place log entries in the location specified in syslog.conf for mail.debug and higher priorities.

Here is an alternative method:

http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/ff7c62b6d598bc22/39d6015dc32ae56a?lnk=gst&q=DO_SYSLOG+syslog_facility#39d6015dc32ae56a

MrC
Re: [AMaViS-user] Log Subject
> Luis Daniel Lucio Quiroz wrote:
>> Hi
>>
>> is it possible to log subject with amavis? I know that it is a weird
>> question.
>
> Amavisd-new doesn't do this by default, but you can hack the
> code if you really need it logged by amavisd-new.

and yet another alternative is to uncomment:

  #[? [:header_field|Subject] ||, Subject: \
  [:dquote|[:header_field|Subject]]]#

in the default Passed and Blocked $log_templ.

Examine the $log_templ in amavisd.conf-sample. You can copy/paste the entire variable setting into your amavisd.conf, uncomment the Subject portion in each of the Passed and Blocked templates, and restart amavis. Your logs will then show the Subject in your Passed and Blocked log lines.
Re: [AMaViS-user] ot: perl modules missing?
Voytek Eymont wrote:
> On Sat, July 19, 2008 9:00 pm, Voytek Eymont wrote:
>
> now I noticed in mailq there are things with 'failed seek ... File::Temp'
> I've reinstalled File::Temp, reloaded amavisd, flush and requeued queue

reinstalled from what source ?

See:

http://www.webservertalk.com/archive390-2007-11-2191734.html

>
>
> 1245AB44868 1534 Sat Jul 19 21:38:27 [EMAIL PROTECTED]
> (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing,
> id=18252-03, mime_decode-1 FAILED: Can't locate object method "seek" via
> package "File::Temp" at /usr/lib/perl5/site_perl/5.8.5/MIME/Parser.pm line
> 816, line 65. (in reply to end of DATA command))
>
>
Re: [AMaViS-user] ot: perl modules missing?
Voytek Eymont wrote:
> On Sat, July 19, 2008 5:32 pm, MrC wrote:
>> Voytek Eymont wrote:
>
> # service amavisd start
> Starting Mail Virus Scanner (amavisd): [ OK ]
> #
>
> thanks !
>

Good news, you're welcome.

>> In general, it is a bad idea to mix-n-match CPAN with your distro
>> packages, unless you understand the interdependencies of the parallel
>> module trees that get created under site_perl and vendor_perl.
>
> I see...
> nope, not only I don't understand, I don't even have a clue...
>
> so what do you think went wrong ?
> (I think I should keep better records, too...)

Well, this is a tough call. You're using a distro with a stability policy, but CPAN is all about latest and greatest. So, if you need stability, stay with your distro's packages and just update for security issues. If you want more recent software, that's manageable, but you have to take on the responsibility of managing the interdependencies, and in the case of perl modules, this requires getting to know the perl modules trees.

I'll suggest that before any perl software updates, since this is an area that has presented troubles for you in the past, make a (tar) backup of the entire lib/perl5 directory, so that should something go wrong, you can just move the broken directory out of the way, and restore from your backup. Then, you can examine the differences and changes without the stress of your server being down.

[ even more off topic - cpan and distro packages ]

The various Zlib modules cause issues when mixing CPAN modules with a distro's packages or modules. To understand why this occurs, you need to understand how perl modules are located and where they are installed. Your distro's perl modules are placed in one directory tree, and CPAN's are placed into another. So, you can end up with conflicting sets of modules, and this is particularly problematic when a module requires compiled objects.

Take a look at your perl INC path:

  perl -e '$"="\n"; print "@INC\n"'

Mine looks like:

  /usr/pkg/lib/perl5/site_perl/5.8.0/i386-netbsd-thread-multi
  /usr/pkg/lib/perl5/site_perl/5.8.0
  /usr/pkg/lib/perl5/site_perl
  /usr/pkg/lib/perl5/vendor_perl/5.8.0/i386-netbsd-thread-multi
  /usr/pkg/lib/perl5/vendor_perl/5.8.0
  /usr/pkg/lib/perl5/vendor_perl
  /usr/pkg/lib/perl5/5.8.0/i386-netbsd-thread-multi
  /usr/pkg/lib/perl5/5.8.0

Some things to notice here:

1) site_perl contains modules I've installed independent of my distro. CPAN modules go here.
2) vendor_perl contains modules installed by my vendor; packages such as RPM, pkgsrc, etc. go here.
3) the non-{vendor_perl,site_perl} directories are included with Perl itself.
4) the *-thread-multi directories contain compiled objects.
5) each of the site_perl, vendor_perl, *-thread-multi, base Perl directories are essentially.
6) directories are searched for modules in the order listed in INC, as shown ordered above.

This makes essentially three trees of modules (it's even a bit more complicated, I'm simplifying), which can all appear somewhat (and may be) identical. Further complicating this is that the *-thread-multi directories will contain module components that may be companions to those in the corresponding non *-thread-multi directory.

One final detail - there is a directory named "auto" in the *-thread-multi directories. This is where the compiled module components are located, again, in the now familiar tree structure. A module may have two implementations, one binary version compiled for performance, and another pure-perl fall back.

This is a good time for you to go examine those trees, and discover which of the multiple versions are actually being used (this was a question you had back in March on the mailing list). The INC list output on your system will help you see which modules are no longer in use because they've been superseded by newer CPAN versions.

When you use CPAN to install a module, your CPAN modules are found and used first because your INC path is set to do so (site_perl before vendor_perl). Any dependencies this module has are also found using the same INC path. But the dependency list in the CPAN build instructions does not perfectly match the actual dependencies that the code requires. In the case of Compress::Zlib, it depends upon the module Scalar::Util, but the software when running actually not only requires Scalar::Util the module, but a particular variable (dualvar) within that module:

  use Scalar::Util qw(dualvar);

So while the build dependencies are satisfied, due to the partial dual implementation of Scalar::Util, the build succeeds, but running the software fails. The fix? Manually update Scalar::Util.

If you want more gory details of this particular issue, see:

http://forums.whirlpool.net.au/forum-replies-archive.cfm/843943.htm
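
The search-order rule described in the message above (the first match along @INC wins, so a site_perl copy hides the vendor_perl and core copies), as an added example that is not part of the original post: a shell function that walks library directories in order and reports which copy of a module is active and which are shadowed. The function names and the sample tree are hypothetical and constructed for illustration (only the Compress::Zlib 2.012 version number comes from the thread); on a real host, pass the directories printed by the `perl -e` command quoted above.

```shell
#!/bin/sh
# Added example: which copy of a Perl module wins along an @INC-style path.
# All paths and version numbers used by the demo tree are constructed.

# inc_shadow_report MODULE DIR...
#   MODULE  Perl module name, e.g. Scalar::Util
#   DIR...  library directories in search order (the order perl prints @INC)
# Prints one line per copy found: "<ACTIVE|SHADOWED> <version> <path>".
# Only the first copy is ever loaded; the rest are never reached.
inc_shadow_report() {
    module=$1
    shift
    relpath=$(printf '%s' "$module" | sed 's|::|/|g').pm   # Scalar::Util -> Scalar/Util.pm
    status=ACTIVE
    for dir in "$@"; do
        file=$dir/$relpath
        [ -f "$file" ] || continue
        # First uncommented "$VERSION = <number>" assignment; "?" if none.
        version=$(sed -n 's/^[^#]*\$VERSION[[:space:]]*=[[:space:]]*["'\'']\{0,1\}\([0-9][0-9._]*\).*/\1/p' "$file" | head -n 1)
        printf '%s %s %s\n' "$status" "${version:-?}" "$file"
        status=SHADOWED
    done
    return 0
}

# count_shadowed MODULE DIR...: number of copies that are never loaded.
count_shadowed() {
    inc_shadow_report "$@" | grep -c '^SHADOWED ' || true
}

# make_demo_tree: build a constructed site_perl / vendor_perl / core layout
# under a fresh temporary directory and print its root.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site_perl/5.8.5/Scalar" "$root/site_perl/5.8.5/Compress" \
             "$root/vendor_perl/5.8.5/Compress" "$root/5.8.5/Scalar"
    printf '%s\n' 'package Scalar::Util;' '$VERSION = "1.19";' \
        > "$root/site_perl/5.8.5/Scalar/Util.pm"
    printf '%s\n' 'package Scalar::Util;' 'our $VERSION = 1.14;' \
        > "$root/5.8.5/Scalar/Util.pm"
    printf '%s\n' 'package Compress::Zlib;' "\$VERSION = '2.012';" \
        > "$root/site_perl/5.8.5/Compress/Zlib.pm"
    printf '%s\n' 'package Compress::Zlib;' '# $VERSION = 9.99;' '$VERSION = "1.42";' \
        > "$root/vendor_perl/5.8.5/Compress/Zlib.pm"
    printf '%s\n' "$root"
}

# Demo run over the constructed tree, searched site_perl, vendor_perl, core.
demo_root=$(make_demo_tree)
set -- "$demo_root/site_perl/5.8.5" "$demo_root/vendor_perl/5.8.5" "$demo_root/5.8.5"
inc_shadow_report Scalar::Util "$@"
inc_shadow_report Compress::Zlib "$@"
rm -rf "$demo_root"
```

A SHADOWED line under vendor_perl or the core tree marks a module where a CPAN install has overridden the copy the distro's packages were built against, which is the mix described in the message.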
Re: [AMaViS-user] ot: perl modules missing?
Peter Huetmannsberger wrote:
>> In general, it is a bad idea to mix-n-match CPAN with your distro
>> packages, unless you understand the interdependencies of the
>> parallel module trees that get created under site_perl and vendor_perl.
>>
>> MrC
>
> If you are using rpm-based distros, there is a great tool called
> cpan2rpm which does just that. Using this tool you keep control over the
> packages you install even from CPAN.
>
> just my 2cents
> .peter

I haven't used cpan2rpm in ages, and when I used it several times in the past, it never fully satisfied dependencies or worked for me properly. At that stage, I dumped the entire RPM concept and went back to what I know best - building software from the source.

If it works for others, that's excellent. But if/when it fails, what's the next step for the OP ?
Re: [AMaViS-user] ot: perl modules missing?
Voytek Eymont wrote:
> On Sat, July 19, 2008 2:37 pm, MrC wrote:
>> Voytek Eymont wrote:
>
>>> then it fails
>>> what went wrong with my perl ?
>
>> I think this has occurred for you not too long ago. Have you looked
>> through the past threads here:
>>
>> http://marc.info/?l=amavis-user&w=2&r=1&s=%22Compress%3A%3AZlib%22&q=b
>
>> What is the output of:
>
>> perl -e 'use Compress::Zlib;'
>
> # perl -e 'use Compress::Zlib;'
> is only avaliable with the XS version at
> /usr/lib/perl5/site_perl/5.8.5/Compress/Zlib.pm line 9

You'll find at line 9 of that file, there is a

  use Scalar::Util qw(dualvar);

line. It is that module that is failing to be included. Since you've updated via CPAN, you can update Scalar::Util as well. In cpan:

  force install Scalar::Util

this will force update the required utilities into CPAN. Then you can try the command I had you try earlier.

In general, it is a bad idea to mix-n-match CPAN with your distro packages, unless you understand the interdependencies of the parallel module trees that get created under site_perl and vendor_perl.

MrC

> BEGIN failed--compilation aborted at
> /usr/lib/perl5/site_perl/5.8.5/Compress/Zlib.pm line 9.
> Compilation failed in require at -e line 1.
> BEGIN failed--compilation aborted at -e line 1.
>
> thanks, Mr C
> yes...
> but I wasn't really touching anything... unless, there was some auto
> update that affected this...??
>
>
Re: [AMaViS-user] ot: perl modules missing?
Voytek Eymont wrote:
> I have amavisd on Centos 4x, it all (used to) work fine;
>
> this morning I noticed amavisd not running, mail queuing up
>
> # service amavisd start
> Starting Mail Virus Scanner (amavisd): ERROR: MISSING REQUIRED BASIC MODULES:
> Compress::Zlib
> BEGIN failed--compilation aborted at /usr/sbin/amavisd line 171.
> [FAILED]
>
>
> attemping to install Compress::Zlib with perl -MCPAN -e shell
> says other things missing:
>
> Unsatisfied dependencies detected during
> [P/PM/PMQS/Compress-Zlib-2.012.tar.gz] -
> IO::Uncompress::Gunzip
> IO::Compress::Gzip
> IO::Uncompress::Base
> IO::Compress::Gzip::Constants
> IO::Compress::Base
> IO::Compress::Base::Common
> Shall I follow them and prepend them to the queue
>
> then it fails
>
> what went wrong with my perl ?
>

I think this has occurred for you not too long ago. Have you looked through the past threads here:

http://marc.info/?l=amavis-user&w=2&r=1&s=%22Compress%3A%3AZlib%22&q=b

What is the output of:

  perl -e 'use Compress::Zlib;'

MrC
Re: [AMaViS-user] memory recomendations
Benedict White wrote:
> >>>> MrC <[EMAIL PROTECTED]> 07/16/08 04:46pm >>>
> Benedict White wrote:
>> Hello!
>>
>> I have had a bit of trouble with the following message:
>>
>> (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=07140-17,
>> parts_decode_ext FAILED:
>> file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork
>> at
>> /usr/lib/perl5/core_perl/IO/File.pm line 188, line 59. at
>> /usr/sbin/amavisd line 2873,
>> line 59. (in reply to end of DATA command))
>>
>> Which seems to come about as memory runs out. I am not sure if this is a
>> leak.
>>
>> I am using Amavisd-new 2.6.1, Spamassassin and clamav with postfix.
>>
>> The machine it runs in has 512MB of RAM and I did have it running 10 servers
>> max.
>
> At min of 50-60MB/server, you'd have amavis consume all of your RAM!
>
> Yes, though it used to work fine. That said obviously Spamassassin is
> consuming more RAM.
>

Your system must have thrashed like crazy at times; that poor disk.

>
>> I have now dropped that to 5 and am monitoring.
>
> That is still 250-300MB. Perhaps 2 is about your max. Get more RAM if
> you have this much traffic that you need more a few clients.
>
>
>
> Seems to be fine at the moment.
>> Is there a rough and ready recommendation for how much memory each child
>> needs?
>
> Certain SpamAssassin add-on rule sets, they can increase memory
> requirements significantly. Choose wisely. Disable them, look at the
> RSS (resident set size) of an amavis process without the rules, and the
> enable, restart amavis and check again. This will give you a good
> approximation of how much RAM they consume.
>
> How do I tell the resident set size that Amavis is using?

ps will show it to you, but there are so many ps variants, I'm not sure which command will work for yours. Check your man page.

Or use top, and look at the RES column. Type u and then the amavis username to select only amavis processes.

>
>
> Kind regards
>
>
> Benedict White
>
Re: [AMaViS-user] memory recomendations
Benedict White wrote:
> Hello!
>
> I have had a bit of trouble with the following message:
>
> (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=07140-17,
> parts_decode_ext FAILED:
> file(1) utility (/usr/bin/file) error: run_command (open pipe): Can't fork at
> /usr/lib/perl5/core_perl/IO/File.pm line 188, line 59. at
> /usr/sbin/amavisd line 2873,
> line 59. (in reply to end of DATA command))
>
> Which seems to come about as memory runs out. I am not sure if this is a leak.
>
> I am using Amavisd-new 2.6.1, Spamassassin and clamav with postfix.
>
> The machine it runs in has 512MB of RAM and I did have it running 10 servers
> max.

At min of 50-60MB/server, you'd have amavis consume all of your RAM!

>
> I have now dropped that to 5 and am monitoring.

That is still 250-300MB. Perhaps 2 is about your max. Get more RAM if you have this much traffic that you need more than a few clients.

>
> Is there a rough and ready recommendation for how much memory each child needs?

Certain SpamAssassin add-on rule sets, they can increase memory requirements significantly. Choose wisely. Disable them, look at the RSS (resident set size) of an amavis process without the rules, and then enable, restart amavis and check again. This will give you a good approximation of how much RAM they consume.

>
> What tools do people use for hunting memory leaks?

First get your house in order!

>
> Kind regards
>
> Benedict White

Mike
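
The measurement suggested in the two replies above (take the RSS of the amavisd processes without the add-on rule sets, enable them, restart, measure again, then compare the per-child figure with the RAM available), as an added example that is not part of the original posts. The function names, the 256 MB set aside for everything other than amavisd, and the sample `ps` lines are assumptions constructed for illustration; the input format is `RSS_KiB COMMAND`, which `ps -u amavis -o rss=,args=` prints on many systems, but the flags vary between ps variants.

```shell
#!/bin/sh
# Added example: per-child memory cost of amavisd before and after enabling
# extra SpamAssassin rule sets. Input lines are "RSS_KiB COMMAND...".

# avg_rss_kib: read ps lines on stdin and print the integer average RSS (KiB)
# of the amavisd processes; exit status 1 when no amavisd line is present.
avg_rss_kib() {
    awk '$1 ~ /^[0-9]+$/ && /amavisd/ { sum += $1; n++ }
         END { if (n == 0) exit 1; printf "%d\n", sum / n }'
}

# max_children RAM_MB RESERVE_MB AVG_KIB: how many children of AVG_KIB each
# fit in RAM_MB once RESERVE_MB is kept back for the OS, the MTA, the virus
# scanner daemon and so on. Prints 0 when nothing fits.
max_children() {
    awk -v ram="$1" -v reserve="$2" -v avg="$3" 'BEGIN {
        if (avg <= 0 || ram <= reserve) { print 0; exit }
        printf "%d\n", int((ram - reserve) * 1024 / avg)
    }'
}

# rules_cost_report RAM_MB RESERVE_MB AVG_BEFORE_KIB AVG_AFTER_KIB
# One line: average per child before/after, the difference attributable to
# the rule sets, and how many children fit in each case.
rules_cost_report() {
    printf 'avg_before_mb=%d avg_after_mb=%d rules_cost_mb=%d fit_before=%d fit_after=%d\n' \
        $(( $3 / 1024 )) $(( $4 / 1024 )) $(( ($4 - $3) / 1024 )) \
        "$(max_children "$1" "$2" "$3")" "$(max_children "$1" "$2" "$4")"
}

# Constructed snapshot taken with the add-on rule sets disabled:
# three amavisd processes plus one unrelated process that must be ignored.
sample_before() {
    cat <<'EOF'
40960 /usr/sbin/amavisd
43008 /usr/sbin/amavisd
38912 /usr/sbin/amavisd
98304 /usr/sbin/clamd
EOF
}

# Constructed snapshot taken after enabling the rule sets and restarting.
sample_after() {
    cat <<'EOF'
61440 /usr/sbin/amavisd
59392 /usr/sbin/amavisd
63488 /usr/sbin/amavisd
98304 /usr/sbin/clamd
EOF
}

# Demo: the 512 MB machine from the thread, 256 MB reserved (assumption).
rules_cost_report 512 256 "$(sample_before | avg_rss_kib)" "$(sample_after | avg_rss_kib)"
```

RSS counts pages shared between the forked children once per process, so the sum overstates real use somewhat; the result is a conservative ceiling for the number of amavisd children to configure.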
[AMaViS-user] Empty _Warn:
I found two empty _WARN: messages in my logs yesterday:

Jul 12 08:25:33 glacier amavis[20148]: (20148-01) Checking: cNMHslFYu3bd MYNETS [127.0.0.1] <> -> <[EMAIL PROTECTED]>
Jul 12 08:25:33 glacier amavis[20148]: (20148-01) _WARN:
Jul 12 08:25:33 glacier amavis[20148]: (20148-01) _WARN:
Jul 12 08:25:33 glacier amavis[20148]: (20148-01) p003 1 Content-Type: multipart/report
Jul 12 08:25:33 glacier amavis[20148]: (20148-01) p001 1/1 Content-Type: text/plain, size: 172 B, name:
Jul 12 08:25:33 glacier amavis[20148]: (20148-01) p002 1/2 Content-Type: message/disposition-notification, size: 298 B, name:
Jul 12 08:25:36 glacier amavis[20148]: (20148-01) bounce unverifiable, originating, <> -> <[EMAIL PROTECTED]>

I suppose I'm being warned about something, and not just once, but twice. Oh, the mystery - I wonder what it could be!

Amavis 2.6.1

-Mike
Re: [AMaViS-user] Perl module permission errors when starting amavisd-new from home directory
Juan Miscaro wrote:
> I've seen a thread [0] on this but it was inconclusive. Is this being
> looked at? I'm using 2.6.0.
>
> When starting amavisd-new from my home directory I get this kind of stuff:
>
> fetch_modules: error loading optional module IP/Country/Fast.pm:
> Requiring lib/IP/Country/Fast.pm, file is inaccessible: Permission denied,
> fetch_modules: error loading optional module Image/Info.pm:
> Requiring lib/Image/Info.pm, file is inaccessible: Permission denied,
> fetch_modules: error loading optional module Image/Info/GIF.pm:
> Requiring lib/Image/Info/GIF.pm, file is inaccessible: Permission denied,
>

Perhaps this:

http://www.ijs.si/software/amavisd/release-notes.txt

  June 27, 2008
  amavisd-new-2.6.1 release notes

  OTHER

  - until the issue is better understood, revert the use of 'my_require'
    and go back to the standard but less informative 'require'; some people
    were reporting problems with my_require (loading of some Perl modules
    can fail, apparently depending on a current directory where amavisd is
    started from); reports by Tuomo Soini, Max Matslofva, Bill Landry;

> /juan
>
> [0]
> http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/d31539b7df49a013?fwc=1
Re: [AMaViS-user] generating p0f stats
Juan Miscaro wrote:
>> MrC wrote:
>> Are there p0f stats in your logs ?
>>
>> If so, and they have sufficient data, they might be a candidate for
>> inclusion in amavis-logwatch. I don't use it, so have no data to base
>> implementation on.
>
> As stated,
>
> My mail log shows
>
> amavis[9890]: (09890-01) OS_fingerprint: 72.0.206.213 -1 OpenBSD
> 3.0-3.9 (up: 4670 hrs), (distance 8, link: unknown-1464)

I've updated amavis-logwatch to show basic breakdown of p0f stats, by contents category type, OS, and then IP:

  2008-06-24 (version: 1.49.07)
  - New: Added p0f (passive fingerprinting) hits by contents type, OS,
    and IP address in Detail section. Controlled by level limiter
    variable 'p0f', which is set to level 2 by default (this shows OS
    genre, but suppresses further by-IP address breakdown); increase to
    level 3 for per-IP breakdown. This section may be moved into a
    supplemental report later.

Let me know how this works for your situation.

Mike
Re: [AMaViS-user] Amavis bottleneck?
Leo Baltus wrote:
> On 23/06/2008 at 21:38:17 -0700, MrC wrote:
>> Christian Purnomo wrote:
>>> Our bayes DB is a berkeley db on a filesystem:
>>>
>>> [EMAIL PROTECTED] ~amavis/.spamassassin # ls -la bayes_*
>>> -rw--- 1 amavis amavis 8376 2008-06-24 14:05 bayes_journal
>>> -rw--- 1 amavis amavis 670367744 2008-06-24 14:05 bayes_seen
>>> -rw--- 1 amavis amavis 20455424 2008-06-24 14:05 bayes_toks
>>>
>>> is our bayes_seen too large? we haven't looked at the option of using
>> 670meg is pretty large. Mine is a stingy 20meg. Have you expired old
>> entries?
>
> How do you do that?
>

I keep a little bash function handy for manual labor, but the command inside the function is what you want:

  function sa-expire {
      su amavis -c 'sa-learn --force-expire --showdots'
  }

Change the user after -u to your amavis user id. Setup a cron job to force periodic expiration.

See similar threads:

http://groups.google.com/group/mailing.unix.amavis-user/search?group=mailing.unix.amavis-user&q=%27force-expire%27&qt_g=Search+this+group

MrC
Re: [AMaViS-user] Amavis bottleneck?
Christian Purnomo wrote:
> Spot on - CPU has been relatively high when the delay happens. As per
> your guess, the swap is hardly used based on the following vmstat
> output:
>
> [EMAIL PROTECTED] /etc/postfix # vmstat 5
> procs ---memory-- ---swap-- -io --system--
> cpu
> r b swpd free buff cache si sobibo incs us sy
> id wa
> 2 1 10880 78580 289760 6304560013 2 1214 23 8
> 51 18
> 0 1 10880 76012 289776 6305760022 958 392 583 48 11
> 17 25
> 1 0 10880 77816 289784 6307720019 1003 398 586 52 11
> 8 28
> 3 1 10880 76888 289788 6307000010 687 336 453 28 6
> 39 27
> 4 0 10880 77152 289804 6307520010 858 382 613 60 14
> 4 22
>

The above does not indicate an overly taxed system. About 25% of the time is in I/O wait, there's idle time, and your blocks in/out are not high.

>
> We are still using amavisd-new 2.3.3-3 (from Ubuntu 6.0.6 LTS package),
> I noticed TimeElapsedDecoding below doesn't exist in our amavisd-agent.
> I have attached an output from amavisd-agent, could you please help with
> parsing the report? I tried to look for some manual about the parameters
> but wasn't able to find one on the net.
>
> Our bayes DB is a berkeley db on a filesystem:
>
> [EMAIL PROTECTED] ~amavis/.spamassassin # ls -la bayes_*
> -rw--- 1 amavis amavis 8376 2008-06-24 14:05 bayes_journal
> -rw--- 1 amavis amavis 670367744 2008-06-24 14:05 bayes_seen
> -rw--- 1 amavis amavis 20455424 2008-06-24 14:05 bayes_toks
>
> is our bayes_seen too large? we haven't looked at the option of using

670meg is pretty large. Mine is a stingy 20meg. Have you expired old entries?

> the bayes into database (i.e. mysql) in the past as this would add a
> complexity to the mail system; we prefer to keep it simple as much as
> possible but if this is a time for us to change, I would be able to
> propose a project to investigate the use of database for the bayes db.

Have you looked at the TIMING log entries (log_level=2) ?

btw. I think you might not have included your amavis-agent report - it didn't come through on my end.

MrC
Re: [AMaViS-user] Amavis bottleneck?
Christian Purnomo wrote:
> : Are your queues filled with bounce messages because you are accepting
> : mail to unknown recipients? Are you rejecting unknown recipients at the
> : first postfix instance.
>
> HI MrC
>
> Yes, more than 50% of the emails in the queue are Non-delivery type
> email. This mail server is one of our mail gateway which primary job is
> to relay email to our Exchange server, hence the server simply receives
> all the incoming emails and relay through to our internal exchange
> server.

Solve the problem by exporting a list of valid recipients, and importing it into the gateway postfix. Not having recipient validation today is asking for the trouble you face now.

>
> Our postfix has the following configuration:
>
> smtpd_recipient_restrictions =
> permit_mynetworks,
> reject_unknown_recipient_domain,
> check_recipient_access hash:/etc/postfix/recipient_access,
> reject_unauth_destination,
> permit_auth_destination
>

Move reject_unauth_pipelining to smtpd_data_restrictions; it serves no purpose in smtpd_recipient_restrictions.

There are some additional cheap checks you can perform too. Consider these:

    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_recipient

and possibly:

    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    reject_invalid_helo_hostname

and finally, zen is very useful:

    reject_rbl_client zen.spamhaus.org

Here are some stats showing reject effectiveness in my current settings (note, these will change as restrictions are added/removed/moved). As you can see, rejecting bad HELOs, unknown users, and RBL(zen) catches 90% :

      179   5xx Reject relay denied               0.93%
     6889   5xx Reject HELO/EHLO                 35.85%
     3605   5xx Reject unknown user              18.76%
      123   5xx Reject recipient address          0.64%
       57   5xx Reject sender address             0.30%
       24   5xx Reject client host                0.12%
     1076   5xx Reject unverified client host     5.60%
     7133   5xx Reject RBL                       37.12%
       77   5xx Reject header                     0.40%
       51   5xx Reject body                       0.27%
        1   5xx Reject VRFY                       0.01%
    19215   Total 5xx Rejects                   100.00%
Re: [AMaViS-user] Amavis bottleneck?
>> We are running Postfix + amavisd-new-2.3.3-3 in our linux mail gateway.
>> We have been hit hard lately with SPAM and our mail queue has been
>> growing significantly to 10,000+ mails and it takes a few hours for the
>> queue to go down. We received 1.6million spam messages last month and I
>> believe this number is growing at around 5-10% monthly.
>>
>> We were hit with 65k spam messages between the 6 hours between 00:00am
>> 06:00am this morning, by the time business starts, the mail queue was
>> already soaring up to around 19k around 9am. I was watching the mail
>> queue growth, the throughput of incoming mail -> postfix -> amavis
>> (spamassassin only) -> postfix -> relay to internal hosts, was only 1-2
>> messages per second.
>>
>> Our configuration in postfix and amavisd are as follow, the server has
>> 1.5G memory with SCSI disks (Raid 5) and 2 x 2.x Xeon processor - we
>> feel the server has a decent profile and *should* cope with the
>> requirement.
>>
>> We fiddled with the max proc for smtp-amavis below from 25, 50, 100
>> (and
>> also change max_servers variable in amavisd.conf accordingly) but the
>> rate/second throughput hardly changed during these periods.
>>
>> Would anyone be able to share some lights on our issue? please let us
>> know if you require more information from our settings.
>>
>> Thanks
>>
>> CP

Are your queues filled with bounce messages because you are accepting mail to unknown recipients? Are you rejecting unknown recipients at the first postfix instance?
Re: [AMaViS-user] OT: amavis-logwatch doubts
Luis,

Luis Hernán Otegui wrote:
> Hi, this message is really destined to Mike Capella, but I decided to
> shoot it here, since many of the users in this list use
> amavis-logwatch.

There's a website and a mailing list for amavis-logwatch and postfix-logwatch:

http://www.mikecappella.com/logwatch
http://lists.mikecappella.com/mailman/listinfo/logreporters

but I can explain here as well.

>
> I can't seem to find a logic in the way amavis-logwatch presents the
> results regarding viruses or malware. In the summary at the top of

Please test against the latest (devel) version first. Send me your report with comments, and I'll explain. Send the log also, if possible, or portions of it that describe the issue.

> the mail it sends, it declares a number of malwares found, while in
> the detailed report which follows it tells a different one. Besides
> that, I'm running extra virus signatures (downloaded via the

I use extra signatures as well - they are counted correctly.

> sanesecurity scripts, plus some of my own hacks), and it looks like
> amavis-logwatch isn't counting some of the malwares identified by
> those signatures.
> I would like to know how could I correlate the numbers in the summary
> and the ones in the detailed report.
> OTOH, I'll do some more research on the subject, and if Mike is OK
> with it, I'll mail him some examples of logs which weren't caught.
>
> Thanks for the hard and good work, both to Mike and Mark!
>
> Best regards,
>
> Luis
Re: [AMaViS-user] Error starting amavisd-new on Mac OS 10.4.11 (not Server)
MrC wrote:
> James Brown wrote:
>> I'm trying to install amavisd-new on my mail server, a Mac Mini
>> (Intel) running the non-Server version of OS X 10.4.11.
>>
>> When I try to start up amavisd I get a setrgid error:
>>
>> sudo /usr/local/sbin/amavisd -u amavisd debug
>> setrgid() not implemented at /usr/local/sbin/amavisd line 12353.
>>
>
> Which amavisd version is this? I don't find setrgid in either 2.6 or
> 2.5.3, so I suppose updating to newer versions will avoid the missing
> function. setrgid() is a BSD libc library call, dropped in 4.4 BSD.

Never mind my response. I can see this issue is more complex, and there are a number of postings regarding missing setrgid() call on Mac OS X. Mark will probably have the answer for you.

Sorry for the noise.

>
>> I used amavisd not amavis as the user as this user was already set up
>> by Apple. I changed /etc/amavisd.conf to say:
>>
>> $daemon_user = 'amavisd';
>> $daemon_group = 'amavisd';
>>
>> Can anyone suggest what I'm doing wrong?
>>
>> Does anyone know of a 'how-to' for amavisd-new on desktop version of
>> OS X? I can only find ones for OS X Server.
>>
>> Thanks,
>>
>> James.
>
Re: [AMaViS-user] Error starting amavisd-new on Mac OS 10.4.11 (not Server)
James Brown wrote:
> I'm trying to install amavisd-new on my mail server, a Mac Mini
> (Intel) running the non-Server version of OS X 10.4.11.
>
> When I try to start up amavisd I get a setrgid error:
>
> sudo /usr/local/sbin/amavisd -u amavisd debug
> setrgid() not implemented at /usr/local/sbin/amavisd line 12353.
>

Which amavisd version is this? I don't find setrgid in either 2.6 or 2.5.3, so I suppose updating to newer versions will avoid the missing function. setrgid() is a BSD libc library call, dropped in 4.4 BSD.

> I used amavisd not amavis as the user as this user was already set up
> by Apple. I changed /etc/amavisd.conf to say:
>
> $daemon_user = 'amavisd';
> $daemon_group = 'amavisd';
>
> Can anyone suggest what I'm doing wrong?
>
> Does anyone know of a 'how-to' for amavisd-new on desktop version of
> OS X? I can only find ones for OS X Server.
>
> Thanks,
>
> James.
Re: [AMaViS-user] Incorrect @local_domains_maps example
Hannes Erven wrote:
> MrC wrote:
>> ... and the user must be considered a local user, so check your
>> @local_domains_maps.
>
> Thanks Mike (again ;-]) for the hint -- this really was the reason. I
> rechecked, and noticed that the *last* domain in my @local_domains_maps
> list *did* trigger the SPAM-TAG, but not any other domain listed in the
> map. Since on one box the major messaging domain was actually listed
> last, it appeared that it worked "better" than on the other box ;-)
>
>
> My setting actually follows one of the examples in the amavis.conf file:
>
> My setting:
> @local_domains_maps = ([ qw( dom1.tld, dom2.tld, dom3.tld ) ]);
>

There's a subtlety here. When using qw() - quote words - you do not use commas to separate entities. Eg:

    qw(a b c)    # Correct
    qw(a,b,c)    # Incorrect

Note the examples in the amavisd.conf-sample page (like the line below)

> amavis.conf.sample:
> # @local_domains_maps = # similar, split list elements on whitespace
> # ( [qw( .example.com !host.sub.example.net .sub.example.net )] );

no commas

>
> ... which won't work, because there is one level of nesting too much. I
> took out the [] around the qw and now it works as expected:
>
> @local_domains_maps = ( qw( dom1.tld, dom2.tld, dom3.tld ) );

you have commas

>
>
> I checked with the released 2.6.0 and 2.5.4 versions of amavisd-new,
> both amavisd.conf.sample files contain this incorrect example. Should I
> open an issue somewhere (where?) to get this corrected?
>
>
> Thank you folks,
> Best regards,
>
> -hannes
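The qw() pitfall from this message, as an added Perl example that is not part of the original thread or of amavisd-new. is_local() is a hypothetical, simplified stand-in for a domain-list lookup (exact match only), and the dom*.tld names are the placeholders used in the post; it shows why only the last listed domain matched.

```perl
#!/usr/bin/perl
# Added illustration: not code from amavisd-new.
use strict;
use warnings;

# The list as posted. qw() splits on whitespace only, so each comma stays
# attached to the word in front of it.
my @with_commas;
{
    # With warnings enabled Perl reports "Possible attempt to separate words
    # with commas" for this line; silenced here to keep the output clean.
    no warnings 'qw';
    @with_commas = qw( dom1.tld, dom2.tld, dom3.tld );
}

# The corrected list: whitespace-separated, no commas.
my @no_commas = qw( dom1.tld dom2.tld dom3.tld );

# Hypothetical stand-in for a domain-list lookup: exact, case-insensitive
# comparison of the recipient's domain against each list element.
sub is_local {
    my ($rcpt, $list) = @_;
    my ($domain) = $rcpt =~ /\@([^\@\s]+)\z/;
    return 0 unless defined $domain;
    return (grep { lc($_) eq lc($domain) } @$list) ? 1 : 0;
}

for my $case ( [ 'qw() with commas',    \@with_commas ],
               [ 'qw() without commas', \@no_commas   ] ) {
    my ($label, $list) = @$case;

    # Quote each element so a trailing comma is visible in the output.
    print "$label: ", join(' ', map { "'$_'" } @$list), "\n";

    # Constructed recipients, one per listed domain.
    for my $rcpt (qw( user@dom1.tld user@dom2.tld user@dom3.tld )) {
        printf "  %-14s %s\n", $rcpt,
            is_local($rcpt, $list) ? 'local' : 'NOT local';
    }
}
```

Running `perl -wc` on a configuration file surfaces the same warning before the daemon is restarted.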
Re: [AMaViS-user] What suppresses SPAM-TAG log lines?
Hannes Erven wrote:
> I have two separate amavis installations at customer's sites. The
> /etc/amavisd.conf file as well as /usr/sbin/amavisd are identical
> (despite the site-specific changes in amavisd.conf).
>
> At one site, amavis logs SPAM-TAG lines for every message, at the other
> it doesn't. I'm sure that I looked at the right files, since changes in
> the config always go live with amavisd restart.
>
> I'd like to have these lines since amavis-logwatch uses them to
> calculate SA rules hit statistics.
> I checked the amavis binary, the amavis config file, the syslog settings
> - everything is identical.
>
> As far as I found out, the only relevant settings are:
> $log_level = 2;
> $sa_tag_level_deflt = undef;
>
> # @spam_tag_level_maps is commented out

... and the user must be considered a local user, so check your @local_domains_maps.
Re: [AMaViS-user] get-file-type2 - about 1/3 of total processing time
>> Would it be useful to show the number of hits for each test in the
>> Timings reports, as in (the parenthesis below):
>> ...
>> 1544 Total messages scanned
>> ...
>>
>> ===
>> Scan Time Percentiles    % Time   Total (s)      10%      90%     100%
>> ---
>> SA check (1386)          51.79%    4986.828    0.928   16.028   45.704
>> AV-scan-2 (1536)         39.19%    3772.945    2.223    3.237    5.202
>> SMTP DATA (1544)          3.21%     308.638    0.188    0.199    1.206
>> AV-scan-1 (1536)          2.73%     262.969    0.021    0.180   22.635
>> ...
>> get-file-type2 (325)      0.11%      10.436    0.018    0.049    0.631
>>
>> I could place them in a column, or just after the test name as above and
>> in other reports.
>>
>> Suggestions?

Stefan Förster wrote:
> I'd go for the solution you showed above.

Mark Martinec wrote:
> Sounds useful.
> I don't have particular opinion regarding the placement of the counter,
> the above looks fine to me.

I've updated amavis-logwatch (version 1.49.06) to include the hit totals. This version also introduces a SpamAssassin Timings percentiles report (requires Amavis 2.6 and SpamAssassin 3.3).

Changes:

2008-06-18 (version: 1.49.06)
- New: Include hit counts after each key name in Timings report.
- New: SpamAssassin timings percentiles report. Options: sa_timings, sa_timings_percentiles. Requires amavis version 2.6+ and SpamAssassin 3.3+.
- Change: Scan Times percentiles report units have been changed to milliseconds rather than seconds.
- Change: Removed the "Hypothetical" row from timings reports; it was not very meaningful.

Example reports:

    Scan Timing Percentiles   % Time   Total (ms)        0%       50%      100%
    AV-scan-2 (3)             69.23%      7209.00   2392.00   2407.00   2410.00
    SA check (2)              19.74%      2056.00    942.00   1028.00   1114.00
    SMTP DATA (3)              5.49%       572.00    189.00    191.00    192.00
    AV-scan-1 (3)              0.82%        85.00     11.00     27.00     47.00
    ...
    Total                                10413.00   2771.00   3732.00   3910.00

    SA Timing Percentiles     % Time   Total (ms)        0%       50%      100%
    tests_pri_0 (1)           97.17%      5323.00   5323.00   5323.00   5323.00
    check_razor2 (1)          91.68%      5022.00   5022.00   5022.00   5022.00
    check_dcc (1)              3.50%       192.00    192.00    192.00    192.00
    learn (1)                  0.66%        36.00     36.00     36.00     36.00
    tests_pri_-1000 (1)        0.46%        25.00     25.00     25.00     25.00
    ...
    Total                                 5478.00   5478.00   5478.00   5478.00

Mike
Re: [AMaViS-user] get-file-type2 - about 1/3 of total processing time
Stefan Förster wrote:
> * Mark Martinec wrote:
>>> Is the ratio (one third of all computing time consumed by it)
>>> a normal one ("to be expected") or is this indicating some serious
>>> misconfiguration on my part?
>> It is not normal. It typically takes a couple of dozens of milliseconds.
>
> it turns out it was a good idea to check those data twice: SA check
> was only called for about one in twenty messages processed by the
> filter - which is intended behaviour.
>
> If I divide all the time get-file-part(n) calls took and divide it by
> the total time consumed, I get 156,772ms as result. Pretty normal.
>
> Sorry, I had forgotten that a lot of mails are simply passed without
> any filtering.
>
> Ciao
> Stefan

Exactly. Each mail has different timings reported. The report basically says, "of all the time amavis spends scanning email, where is it spending its time, and how much time is it spending in each of those areas".

Would it be useful to show the number of hits for each test in the Timings reports, as in (the parenthesis below):

    ...
    1544 Total messages scanned
    ...

    ===
    Scan Time Percentiles    % Time   Total (s)      10%      90%     100%
    ---
    SA check (1386)          51.79%    4986.828    0.928   16.028   45.704
    AV-scan-2 (1536)         39.19%    3772.945    2.223    3.237    5.202
    SMTP DATA (1544)          3.21%     308.638    0.188    0.199    1.206
    AV-scan-1 (1536)          2.73%     262.969    0.021    0.180   22.635
    ...
    get-file-type2 (325)      0.11%      10.436    0.018    0.049    0.631

I could place them in a column, or just after the test name as above and in other reports.

Suggestions?

Mike
Re: [AMaViS-user] question about banned_files
Leonardo Rodrigues Magalhães wrote:
>
> MrC wrote:
>> Leonardo Rodrigues Magalhães wrote:
>>
>>> Hello,
>>>
>>> I have banned some file/MIME types in amavisd-2.6.0 using the 'old'
>>> way of doing this, the $banned_filename_re.
>>>
>>> The banned file admin and user notifications, which i enabled,
>>> brings me something like:
>>>
>>> Banned name: multipart/mixed |
>>> application/vnd.ms-powerpoint,.doc,Chaplin.pps
>>> Content type: Banned
>>> Internal reference code for the message is 24067-22/NWynDBsexbaI
>>>
>>>
>>> It's clearly a powerpoint file, because of its extension (.pps) as
>>> well as its mime type 'application/vnd.ms-powerpoint'.
>>>
>>> What i'm trying to understand is where that '.doc' comes from !!!
>>>
>>>
>> What type of document does the file(1) utility indicate?
>> What version of file is on your system?
>>
>
> I'm running on a Fedora 8 system, with:
>
> [EMAIL PROTECTED] ~]# rpm -qi file
> Name: file Relocations: (not relocatable)
> Version : 4.21 Vendor: Fedora Project
> Release : 5.fc8 Build Date: Tue 29 Jan 2008
> 06:58:26 AM BRST
>
> which is the latest file package from F8 repositories.
>
> on this system, file returns for .doc and .ppt documents:
>
> [EMAIL PROTECTED] user]# file Defesa.doc
> Defesa.doc: Microsoft Office Document
> [EMAIL PROTECTED] user]# file Projeto\ Final\ II\ VPN\ -\ última.ppt
> Projeto Final II VPN - última.ppt: Microsoft Office Document
> [EMAIL PROTECTED] user]#
>
> hm .. seems file returns only 'Microsoft Office Document' .
>

In the past several versions, the file(1) utility has changed its opinion many times regarding how to treat PPT documents:

    $ file -v
    file-4.21
    magic file from /usr/share/file/magic
    $ file test.ppt
    test.ppt: Microsoft Installer
    $ file -i test.ppt
    test.ppt: \012- application/msword

    ---

    $ file -v
    file-4.24
    magic file from /usr/local/share/file/magic
    $ file ~/test.ppt
    /home/cappella/test.ppt: Microsoft Office Document
    $ file -i ~/test.ppt
    /home/cappella/test.ppt: application/octet-stream

Amavis uses a mapping of full type names to short names, which are then later referenced in the $banned_filename_re maps. You can see in the latest amavisd that Microsoft Office Document is mapped to short name type "doc". This is where ".doc" comes from.

    $map_full_type_to_short_type_re = [
      ...
      [qr/^Rich Text Format data\b/ => 'rtf'],
      [qr/^Microsoft Office Document\b/i => 'doc'],   # OLE2: doc, ppt,
                                                      # xls, ...

It is likely that the file formats for PPT, XLS, DOC, etc. have not been reverse engineered to uniquely distinguish them from each other, and instead they are all mapped to Microsoft Office Document (in more recent file versions). The file formats became much more complex with later versions of Office.

Previous versions of file(1), like 4.21, were very broken in terms of identification, and there were many false identifications:

    $ file -v
    file-4.21
    magic file from /usr/share/file/magic
    $ file -i test.xls
    test.xls: \012- application/msword
    $ file test.xls
    test.xls: Microsoft Installer

Clearly, this Excel spreadsheet is not a Word document.

Fedora adds its own patches to the file utility, of which yours is based on 4.21. Since your PPT is identified as Microsoft Office Document, it is clear that Fedora has updated the magic database used for file identification bringing in line with the more recent 4.24/4.25 releases of file.

Yet the problem still remains - file types from more recent Office packages are identified generically as Microsoft Office Document, and not Excel, PowerPoint, etc. Given that, I'm not sure what more you can do to distinguish the types.

Here's a thread which discusses some of the file(1) issues a while ago:

http://groups.google.com/group/mailing.unix.amavis-user/browse_thread/thread/7147b0a90573690c/04ca5171867925c1?lnk=gst&q=powerpoint+file#04ca5171867925c1

MrC
Re: [AMaViS-user] question about banned_files
Leonardo Rodrigues Magalhães wrote:
> Hello,
>
> I have banned some file/MIME types in amavisd-2.6.0 using the 'old'
> way of doing this, the $banned_filename_re.
>
> The banned file admin and user notifications, which i enabled,
> brings me something like:
>
> Banned name: multipart/mixed | application/vnd.ms-powerpoint,.doc,Chaplin.pps
> Content type: Banned
> Internal reference code for the message is 24067-22/NWynDBsexbaI
>
>
> It's clearly a powerpoint file, because of its extension (.pps) as
> well as its mime type 'application/vnd.ms-powerpoint'.
>
> What i'm trying to understand is where that '.doc' comes from !!!
>

What type of document does the file(1) utility indicate?
What version of file is on your system?

> This .doc on powerpoint blocking message is making some users think
> i'm blocking .doc (word) documents, which is not true .
>
> is it possible to remove this .doc thing or at least change it for
> '.presentation' ???
>
Re: [AMaViS-user] Allowing Only Selective Extension Types
Manish Kathuria wrote:
> Hello Everyone,
>
> Is there a way to block all kinds of attachments and then selectively
> allow 2-3 types of extensions only (in addition to plain text) instead
> of the existing mechanism where all the extensions to be blocked are
> specified ?
>
> Thanks,
>

I believe the existing mechanism should be sufficient. You'd want to first specify which file types you accept, followed by a catchall rule that rejects everything else. Something like this abbreviated version of $banned_filename_re:

    $banned_filename_re = new_RE(
      ### type you allow
      # [ qr'^\.(gz|bz2)$'=> 0 ],   # allow gzip or bzip2
      qr'^\..*$',                   # ban everything else
    );

The order is important - first match wins, so you'd place specific entries first. Note the grouping for the gzip/bzip2 rule, and that it maps to 0; this means to *allow* this type. Mappings without a value default to 1, which would mean *disallow*.

You may want to consider including the appropriate MIME types (eg. application/x-msdos-program) for rejection as well. Look at the default and sample $banned_filename_re rules in amavisd.conf-default and amavisd.conf-sample to determine your needs.

MrC
Re: [AMaViS-user] 8bit conversion
Luc MAIGNAN wrote:
> Hi,
>
> How can I enforce mails to be sent in a 7bit MIME format instead of 8
> bits while using a Amavis system ?
>
> BR

Search 8BITMIME in :

http://www.ijs.si/software/amavisd/amavisd-new-docs.html
Re: [AMaViS-user] full email reports - possible ???
Leonardo Rodrigues Magalhães wrote:
> Hello Guys,
>
> i have a postfix box with amavis. ALL messages passes through
> amavis, there's no exception for content_filter setting on postfix.
>
> i would like to have a full email report, which, intentionally,
> would give me for each message:
>
> 1) sender
> 2) recipient or recipients in case of CCs
> 3) subject
> 4) message size
> 5) name and mime-type of attachments, if present
>

The default Passed/Blocked template ($log_templ) includes your 1, 2, and 4. You can customize $log_templ to include additional fields. The default will look like:

    ...(28512-01) Passed CLEAN, [10.0.0.1] [10.0.0.1] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: HaFyQiWxVGg, Hits: -2.78, size: 2047, queued_as: BC2B13664F3, 4055 ms

But by including the subject header field in $log_templ, you can turn your Passed/Blocked line into :

    ...(28512-01) Passed CLEAN, [10.0.0.1] [10.0.0.1] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: HaFyQiWxVGg, Hits: -2.78, size: 2047, queued_as: BC2B13664F3, Subject: "A SUB TEST", 4055 ms

So, we have covered your 1 - 4, but not 5. I don't know that the mime info can be included in log_templ, but it is available in the log just before the Passed/Blocked line. Basically, you can match the amavis process ID of your Passed/Blocked line with the level 2 output pNNN lines:

    ... (28512-01) p001 1/1/1 Content-Type: text/plain, size: 2749 B, name:

Note that these process IDs are reused, so you have to limit your search.

See the amavis.conf-sample log file for an example of $log_templ.

MrC

>
> i have tried getting this from postfix logs, but i couldnt. i can
> have some header/body checks with WARNING and logs somethings, but my
> tries were completely wasted on trying to get all that information together.
>
> Question is
>
> i know amavisd have all this informations, some of them even easier
> than postfix, like name and mime-type of attachments, which can be seen
> on logs with log_level=2.
>
> would it be possible to have all these informations parsed from
> amavisd logs and presented in a easy way ? It can be a comma-delimited
> or tab-delimited text, no problem. I can convert it to HTML, the raw
> information would be enough.
>
> no problem if some log_level tweaking would be needed to achieve
> this goal.
>
> Thanks.
>
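One way to do the correlation described in this reply, as an added Perl example that is not code from amavisd-new or amavis-logwatch. The log lines under __DATA__ are constructed in the shape shown in the message (with Subject added to $log_templ as the last field before the timing); the syslog prefix, the addresses and the comma-separated form of multiple recipients are assumptions.

```perl
#!/usr/bin/perl
# Added illustration: not code from amavisd-new or amavis-logwatch.
use strict;
use warnings;

# Subject and attachment names are sender-controlled: replace control
# characters so they cannot break the tab-delimited report.
sub clean {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/[[:cntrl:]]+/ /g;
    return $text;
}

my %parts;    # amavis id "PID-seq" => MIME parts logged so far for that id

print join("\t", qw(result sender recipients subject size parts)), "\n";

while (my $line = <DATA>) {
    chomp $line;

    # Each amavisd entry carries its id in parentheses, e.g. (28512-01).
    next unless $line =~ /\((\d+-\d+)\) (.*)\z/;
    my ($id, $rest) = ($1, $2);

    # log_level=2 part line: pNNN <position> Content-Type: T, size: N B, name: F
    if ($rest =~ /^p\d+ \S+ Content-Type: ([^,]+), size: (\d+) B, name: ?(.*)\z/) {
        push @{ $parts{$id} }, { type => $1, bytes => $2, name => $3 };
        next;
    }

    # Final Passed/Blocked line for the message.
    next unless $rest =~
        /^(Passed|Blocked) ([^,]+), .*?<([^>]*)> -> (<[^>]*>(?:,<[^>]*>)*)/;
    my ($action, $category, $sender, $rcpts) = ($1, $2, $3, $4);
    $rcpts =~ tr/<>//d;

    my ($size)    = $rest =~ /\bsize: (\d+)/;
    # Greedy match up to the trailing timing, so quotes inside a subject survive.
    my ($subject) = $rest =~ /\bSubject: "(.*)", \d+ ms\z/;

    # Ids are reused over time: take the collected parts and forget them,
    # so a later message with the same id starts from an empty list.
    my $found = delete($parts{$id}) || [];
    my @described = map {
        my $name = length($_->{name}) ? clean($_->{name}) : '-';
        "$name ($_->{type}, $_->{bytes} B)";
    } @$found;

    print join("\t",
        "$action $category",
        clean($sender),
        clean($rcpts),
        clean($subject),
        (defined($size) ? $size : ''),
        join('; ', @described),
    ), "\n";
}

__DATA__
Jun 24 14:05:01 mx amavis[28512]: (28512-01) p001 1/1 Content-Type: text/plain, size: 2749 B, name:
Jun 24 14:05:01 mx amavis[28512]: (28512-01) p002 1/2 Content-Type: application/pdf, size: 48213 B, name: report.pdf
Jun 24 14:05:05 mx amavis[28512]: (28512-01) Passed CLEAN, [10.0.0.1] [10.0.0.1] <alice@example.org> -> <bob@example.com>,<carol@example.com>, Message-ID: <1@example.org>, mail_id: HaFyQiWxVGg, Hits: -2.78, size: 52047, queued_as: BC2B13664F3, Subject: "A SUB TEST", 4055 ms
Jun 24 14:05:06 mx amavis[28513]: (28513-07) p001 1/1/1 Content-Type: text/plain, size: 310 B, name:
Jun 24 14:05:07 mx amavis[28513]: (28513-07) Blocked SPAM, [192.0.2.7] [192.0.2.7] <x@example.net> -> <bob@example.com>, Message-ID: <2@example.net>, mail_id: Qq3xK9pLm2Zd, Hits: 17.40, size: 1290, Subject: "cheap meds", 812 ms
```

To run it against a real log, replace the DATA handle with STDIN and feed it only the time window of interest, since the ids repeat.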
[AMaViS-user] Amavis 2.6.0 and $feedback_type
Hi Mark,

In amavis 2.6.0, it appears the $feedback_type is hardcoded as 'abuse' for request type 'report' and 'miscategorized' for 'release' and 'requeue' :

    sub process_policy_request() {
    ...
      : $req =~ /^(?:release|requeue|report)\z/
          ? dispatch_from_quarantine($conn,$msginfo,$req,
              $req eq 'report' ? 'abuse' : 'miscategorized')

Is it expected that a future release of amavis will allow $feedback_type to be configurable to use any of the other valid ARF draft types (eg. not-spam, etc.)?

Thanks,
Mike
Re: [AMaViS-user] [Fwd: Re: postfix-2.5.1 - smtpd logging ":unknown" on client lines]
Robert Brooks wrote: MrC wrote: Rob, I have not seen the ":unknown" port in my logs nor had others report this, so I suppose it is the less common pre-queue setup that is the difference. I always was the wierdo :) I'm about to update postfix-logwatch with some other fixes/features. If this is still an issue for you, I can provide a fix for this. it is, it appears with postfix-2.5 and amavis earlier than 2.6 that this information doesn't make it across in the xforward data (after 2.6 you get a port number) my unmatched entries look like this: 1 Mar 19 05:14:25 ops postfix/smtpd[9421]: B1C4B18292: client=mailer3.dailycandy.com[206.252.143.118]:unknown 1 Mar 19 04:35:39 ops postfix/smtpd[9232]: Anonymous TLS connection established from mxpool12.ebay.com[66.135.197.18]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits) Thanks. Patch to 1.36.13pre7 attached. It will also be included in the next (pre8) release. MrC btw. I just updated amavis-logwatch as well. excellent, thanks, I will pick that up. Regards, Rob --- postfix-logwatch.orig 2008-03-20 09:40:28.0 -0700 +++ postfix-logwatch2008-03-20 09:41:51.0 -0700 @@ -1896,6 +1896,7 @@ } elsif ($p2 =~ /^client=(([^ ]*)\[([^ ]*)\](?::\d+)?)(?:, (.*))?$/o) { + elsif ($p2 =~ /^client=(([^ ]*)\[([^ ]*)\](?::(?:\d+|unknown))?)(?:, (.*))?$/o) { my ($hip,$host,$hostip,$p3) = ($1,$2,$3,$4); # Increment accepted when the client connection is made and smtpd has a QID. - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/___ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
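Review bot: As shown, the hunk header (-1896,6 +1896,7) and the lack of any removed line mean the new "elsif" with "(?::(?:\d+|unknown))?" is added directly after the original "} elsif ($p2 =~ /^client=...(?::\d+)?..." line instead of replacing it, which leaves the old branch opening straight into another elsif and will not compile; the old line should be deleted so only the widened pattern remains. Note also that $1 (assigned to $hip) still includes the optional suffix, so the same client can appear as "host[ip]", "host[ip]:<port>" and "host[ip]:unknown"; if $hip is used as a grouping key in the report, strip the suffix before counting.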
Re: [AMaViS-user] [Fwd: Re: postfix-2.5.1 - smtpd logging ":unknown" on client lines]
Robert Brooks wrote:
> Mark,
>
> any views on this?
>
> Regards,
> Rob
>

Rob,

I have not seen the ":unknown" port in my logs nor had others report this, so I suppose it is the less common pre-queue setup that is the difference.

I'm about to update postfix-logwatch with some other fixes/features. If this is still an issue for you, I can provide a fix for this.

btw. I just updated amavis-logwatch as well.

MrC

> Original Message
> Subject: Re: postfix-2.5.1 - smtpd logging ":unknown" on client lines
> Date: Thu, 6 Mar 2008 00:18:32 -0500
> From: Victor Duchovni
>
> On Wed, Mar 05, 2008 at 12:00:27PM +, Robert Brooks wrote:
>
>> is the ":unknown" here correct (2nd log line)
>>
>> Mar 5 08:51:19 mailhost postfix/smtpd[13095]: connect from
>> localhost.localdomain[127.0.0.1]
>> Mar 5 08:51:19 mailhost postfix/smtpd[13095]: 24A9318146:
>> client=mxpool12.ebay.com[66.135.197.18]:unknown
>>
>> this is comes where a message comes back from a pre-queue amavis
>> instance. I suspect it relates to the way xforward commands interact
>> with postfix-2.5. I've looked at my logs from postfix-2.4.6 and this
>> doesn't seem to be the case.
>>
>> It seems to cause postfix-logwatch not to be able to parse the entries,
>> not sure if this is a postfix-logwatch problem or something postfix is
>> missing. What should be after the colon?
>
> A source-port number. Amavis should ideally just proxy the XFORWARD
> data transparently letting Postfix talk to Postfix.
>
Re: [AMaViS-user] still strugling with zlib issue
Voytek Eymont wrote:
> thanks, everyone, I've tried all suggestions, some, several times;
> I've reinstalled all Perl "::" things (fwiw, all the MIME needed force
> options);
> I've reinstalled amavisd, first from Dag rpm, then, from source tgz from
> here;
>
> but, I'm still:
>
> # amavisd --version
> ERROR: MISSING REQUIRED BASIC MODULES:
> Compress::Zlib
> BEGIN failed--compilation aborted at /usr/sbin/amavisd line 171.
>

What is returned from the following command:

    perl -e 'use Compress::Zlib;'

MrC

> # locate Zlib.pm
> /root/.cpan/build/Compress-Zlib-2.008/lib/Compress/Zlib.pm
> /root/.cpan/build/Compress-Zlib-2.008/blib/lib/Compress/Zlib.pm
> /usr/lib/perl5/site_perl/5.8.5/IO/Zlib.pm
> /usr/lib/perl5/site_perl/5.8.5/IO/Zlib.pmorg
> /usr/lib/perl5/site_perl/5.8.5/Compress/Zlib.pm
> /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/Compress/Raw/Zlib.pm
> /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/Compress/Raw/Zlib.pmorg
> /usr/lib/perl5/vendor_perl/5.8.5/IO/Zlib.pm
> /usr/lib/perl5/vendor_perl/5.8.5/IO/Zlib.pmorg
> /usr/lib/perl5/vendor_perl/5.8.5/Compress/Zlib.pm
> /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Compress/Raw/Zlib.pm
> /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Compress/Raw/Zlib.pmorg
> /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/Compress/Zlib.pm
>
> are all these Zlib.pm supposed to be SAME ??
> do I need all of them ?
>
> (they were NOT same size/date, I've overwritten 'backdate' ones so, now,
> all are same, did NOT help)
Re: [AMaViS-user] can not restart with zlib error
Voytek,

Voytek Eymont wrote:
> On Thu, March 13, 2008 12:18 pm, Voytek Eymont wrote:
>
> I've tried updating zlib as follows, but, no luck:
>
> # rpm -Uvh perl-Compress-Raw-Zlib-2.008-1.el4.rf.i386.rpm
> Preparing...### [100%]
>    1:perl-Compress-Raw-Zlib ### [100%]
> # amavisd --debug
> ERROR: MISSING REQUIRED BASIC MODULES:
> Compress::Zlib
> BEGIN failed--compilation aborted at /usr/sbin/amavisd line 171.
> # amavisd --version
> ERROR: MISSING REQUIRED BASIC MODULES:
> Compress::Zlib
> BEGIN failed--compilation aborted at /usr/sbin/amavisd line 171.
>
> uname -a
> Linux 2.6.9-55.0.9.EL #1 Thu Sep 27 18:10:45 EDT 2007 i686 i686

Make sure to also update perl-Scalar-List-Utils or its equivalent on your distro.

MrC
Re: [AMaViS-user] Unmatched Entries in logwatch
Leon Kolchinsky wrote:
> Hello Mike,
>
> Below is info on "Unmatched Entries" I get in Logwatch report:
>
> **Unmatched Entries**
> 1 (21112-20) DEFANGING MAIL: WARNING: bad headers - Improper use
> of control character (char 0D hex): To:
> <[EMAIL PROTECTED]>,\\n\\t<[EMAIL PROTECTED]
> 1 (21112-20) mangling YES: 1 (orig: 1), discl_allowed=0,
> <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
> 1 (21112-20) mangling by built-in defanger: 1,
> <[EMAIL PROTECTED]>
>
>
> Thanks,
> Leon Kolchinsky

Leon,

Thanks. I'll have an update shortly, which includes new sections for Defanged and DefangError. The messages above are handled.

I've CC'd this reply to the logreporters mailing list for future reference.

Mike
Re: [AMaViS-user] Forged 'X-Virus-Scanned' header bypasses Amavis-new scanning
Christopher J Shaker wrote:
> Feb 18 15:07:33 linux amavis[17984]: (17984-09) Passed CLEAN,
> [121.27.33.247] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,
> Message-ID: <[EMAIL PROTECTED]>, mail_id:
> If831cHwmATq, Hits: -222.952, size: 3510, queued_as: 7C4FA404B4, 20009 ms
>
>
> Looks to me like it is getting a '-300' score from some rule that I
> can't find. The email comes
> in forged to look as if I had sent it, from '[EMAIL PROTECTED]'.
> That email address is *not*
> in the whitelist in /etc/mail/spamassassin/local.cf

When you run the messages through spamassassin only, amavis-specific score adjustments will not occur, so the scores will differ.

Increase amavis' $log_level to 3, and look for the tests and scores in the log lines:

    ... tests=

See which tests and scores are present.

MrC

>
> When I run the leaking email message through spamassassin manually, it
> comes up with a score
> of 58.4, quite different from what amavis-new reported above!
>
> Subject: *SPAM* February 73% OFF
> Date: Mon, 18 Feb 2008 15:07:11 -0800 (PST)
> Message-Id: <[EMAIL PROTECTED]>
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
> linux.shaker-net.com
> X-Spam-Level: **
> X-Spam-Status: Yes, hits=58.4 required=5.0 tests=AWL,BAYES_95,FAKE_MSN,GIF,
> HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,OFF,PERCENT,
> RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RDNS_NONE,UNKNOWN,URIBL_AB_SURBL,
> URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
> URIBL_WS_SURBL,VIRUS_CLEAN autolearn=unavailable version=3.2.4
Re: [AMaViS-user] MYNETS problem
Jo Rhett wrote:
>> RJ45 wrote:
>>> thanks,
>>> but I meant is there a way to do it with sendmail ?
>
> On Feb 13, 2008, at 9:12 AM, MrC wrote:
>> Sendmail just drops a queue file; it does not use SMTP. So you must
>> configure the service that handles the queue file, which is pickup.
>
> MrC, I think he is using Eric Allman's Sendmail MTA, not the "sendmail"

Noel Jones wrote:
> I believe OP is stating he uses sendmail(TM), and not
> referring to the postfix sendmail compatibility program.

I re-read, and see that now. Thanks for the corrections Jo and Noel. Sorry RJ45.

> program provided by postfix. The page you referred him to has
> instructions for Postfix when using the sendmail-lookalike command line
> program provided by postfix.
>
> RJ45, are you using amavisd-milter? If not, how is sendmail talking to
> amavisd?
Re: [AMaViS-user] MYNETS problem
RJ45 wrote:
>
>
> On Wed, 13 Feb 2008, MrC wrote:
>
>>
>> Setup submission service in postfix, and have its content_filter port
>> 10026 (for example):
>>
>> ...
>> -o content_filter=smtp-amavis:[127.0.0.1]:10026
>>
>> and in amavisd.conf, create a policy bank and listener port:
>>
> thanks,
> but I meant is there a way to do it with sendmail ?
>

Sendmail just drops a queue file; it does not use SMTP. So you must configure the service that handles the queue file, which is pickup.

> thanks
>
> Rick
Re: [AMaViS-user] MYNETS problem
RJ45 wrote:
> Hello,
> I am using amavisd-new 2.5.3 on RHEL5
>
> the problem is that I would like internal clients to be into a bypass
> policy bank so that virus checks are bypassed.

Hmmm... maybe a bad idea to skip A/V checks? Spam checks ok, but A/V checks? You're not worried about infected systems?

> I tried with default MYNETS policy bank.
> This does not work because I am using sendmail (And I need sendmail not
> postfix) and sendmail does not support XFORWARD extension.

But sendmail is serviced via pickup. See:

http://groups.google.com/group/list.postfix.users/browse_thread/thread/bb328f33d6eac7cb/c9f70efe1393c8be?lnk=gst&q=pickup+content_filter#c9f70efe1393c8be

This allows you to configure another amavis listener port, which can be the policy bank you desire (eg. TRUSTED).

> Is there a ways to bypass SMTP_AUTH users or internal network users to
> being virus checked by default ?.

Sure:

Setup submission service in postfix, and have its content_filter port 10026 (for example):

    ...
    -o content_filter=smtp-amavis:[127.0.0.1]:10026

and in amavisd.conf, create a policy bank and listener port:

    $inet_socket_port = [10024,10026];  # listen on multiple TCP ports
    $interface_policy{'10026'} = 'SASLAUTH';
    $policy_bank{'SASLAUTH'} = {  # mail originating from SASL users
      originating => 1,  # mail was submitted by our smtp client
      bypass_spam_checks_maps => [1],   # don't spam scan
      bypass_virus_checks_maps => [1],  # don't virus scan
      ...
    };

As above, you can set your MYNETS policy bank to avoid what scanning you desire as well. These will skip checks for your networks and sasl-auth'd.

This should get you rolling...

MrC

>
> thank you
>
> Rick
Re: [AMaViS-user] Wits End - Backlogs - High CPU - Long SA Checks
Bill Martin wrote:
> About 6 months ago, I inherited a number of servers and process and do
> not have the time to really focus on the true ins and out of what was
> given to me. Given that I'm really hoping someone can point me in the
> right direction...
>
> About every 3-5 weeks, we get hammered to the point where out gateways
> are backlogging over 10,000 across 3, sometimes 4 servers. This includes
> one server in which BIND is running (wanted to determine some time back
> if the issue was DNS).
>
> SA times are high on most e-mails.

How high? What are some of the amavis TIMING results during the backlogs ?

> No local logging is taking place due
> to the disk IO which we thought might have been the issue. We have had
> this issue regardless of the version of Amavisd we have run, regardless
> of the version of SA, ClamAV and Postfix we have used. We have over time
> changed the max_server to try and address and this simply consumes more CPU.
>
> The only items that I see which have been consistent it the general
> process, DNS and out pipe the net.

How have you measured this? What results do you see ?

>
> Now before someone suggest I refer to the docs to address performance
> issues, I have, on various occasions . . . also Goggle, bought books,
> etc...

Well, I'm going to still ask if you've evaluated the tips in:

http://www.ijs.si/software/amavisd/README.performance.txt

>
> If someone could eyeball the config below and let me know if you see any
> concerns or areas that might need to be reconsidered, I would greatly
> appreciate it

Not much to comment on...

>
> 1. Running and various versions of RHEL (4 and 5)

ok.

> 2. Blocking nearly 5000 hosts and class C and B via IPtables

That's a lot of if/then/else's per packet.

> 3. Various postfix header, sender, and body restrictions (not problem is not
> at the PF level from what I can determine)

ok.

> 4. All processes run in a chroot environment

not relevant most likely

> 5. Although some of the processes are older, we have had this issue
> regardless of versions (we will be upgrading in the next few days,
> Amavisd, PF, SA, and ClamAV).
>
> I can send a copy of the amavisd.conf if needed...

I think more important than the conf is data from which to draw some conclusions or inferences. Let's see some real measurements and data.

MrC

>
> Once again, any help would be greatly appreciated
> -bill-
Re: [AMaViS-user] bad-header
Andrea Bencini wrote:
>>>> The sub check_header_validity implements the following checks:
>>> What is check_header_validity ? I don't found in amavisd.conf file!!
>> Mark is indicating that the following checks are performed by amavis:
> I was looking for amavisd.conf, but I didn't found them!!
> Andrea

It is a subroutine in amavisd:

    $ grep -A5 'sub check_header_validity' /usr/local/sbin/amavisd
    sub check_header_validity($$) {
      my($conn, $msginfo) = @_;
      local($1,$2,$3); my($curr_head); my(@bad); my($minor_badh_category) = 0;
      my(%field_head_counts);
      my($allowed_tests) = cr('allowed_header_tests');
      my(%t) = !ref($allowed_tests) ? () : %$allowed_tests;
    ...

MrC
Re: [AMaViS-user] score
Andrea Bencini wrote:
>> Andrea Bencini wrote:
>>> I installed postfix-2.4.5-2.fc8, amavisd-new-2.5.2-2.fc8 and
>>> spamassassin-3.2.3-2.fc8.
>>> They are running.
>>> I would like to test spam changing "score" in local.cf.
>>> My local.cf is:
>>> score FREE_PORN 1000
>>> score LIVE_PORN 1100
>>>
>>> Now I send an e-mail where there are the words "porno" and "sex" in the
>>> message body.
>>>
>>>
>>> Why there aren't FREE_PORN and LIVE_PORN scores?
>>>
>> Did you restart amavis ?
> Yes I did.
> Andrea

So two things come to mind:

a) the FREE_PORN pattern hits only when porn is preceded by "free "

    /\bfree (?:porn|xxx|adult)/i

The LIVE_PORN likewise requires "live " followed by 0 or 9 characters, followed by "sex" (or other). See the patterns in 20_porn.cf, wherever that may reside on your system.

b) the local.cf is not in the correct location. Use amavis debug-sa to see which local.cf spamassassin/amavis is using.

MrC
Re: [AMaViS-user] score
Andrea Bencini wrote:
> I installed postfix-2.4.5-2.fc8, amavisd-new-2.5.2-2.fc8 and
> spamassassin-3.2.3-2.fc8.
> They are running.
> I would like to test spam changing "score" in local.cf.
> My local.cf is:
>
> report_safe 0
> use_bayes 1
> use_bayes_rules 1
> skip_rbl_checks 0
> bayes_path /var/spool/amavisd/.spamassassin/bayes
> score FREE_PORN 1000
> score LIVE_PORN 1100
>
> Now I send an e-mail where there are the words "porno" and "sex" in the
> message body.
>
> I receive the e-mail via postfix/amavisd and in the message header there are
> X-Spam-Flag: NO
> X-Spam-Score: 3.181
> X-Spam-Level: ***
> X-Spam-Status: No, score=3.181 tagged_above=0 required=5 tests=[AWL=-0.320,
> BAYES_99=3.5, STOX_REPLY_TYPE=0.001]
>
> Why there aren't FREE_PORN and LIVE_PORN scores?
>

Did you restart amavis ?

> Thanks
> Andrea
Re: [AMaViS-user] bad-header
Andrea Bencini wrote:
>>> How can I test BAD_HEADER?
>> Perhaps ... by sending a message with a bad header.
> Yes...by sending a message with a bad header, but how can I prepare a
> message with a bad header?
>

You can telnet to your mailhost and create a mail message with a duplicate header, for example:

    $ telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.mydomain.com ESMTP Postfix
    EHLO mydomain.com
    250-mail.mydomain.com
    250-PIPELINING
    250-SIZE 3024
    250-ETRN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    MAIL FROM:<[EMAIL PROTECTED]>
    250 2.1.0 Ok
    RCPT TO:<[EMAIL PROTECTED]>
    250 2.1.5 Ok
    DATA
    354 End data with .
    Subject: Hello
    Subject: second subject header
    .
    250 2.0.0 Ok: queued as 9F59F36639D
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

from maillog:

    Feb 7 10:22:16 glacier amavis[29310]: (29310-02) check_header: 8, Duplicate header field: "Subject"
    Feb 7 10:22:17 glacier postfix/smtpd[29084]: disconnect from localhost[127.0.0.1]
    Feb 7 10:22:17 glacier amavis[29310]: (29310-02) local delivery: <> -> , mbx=/var/amavis/quarantine/badh-NV3KV9bVKk

Now, see quarantined mail indicated in mbx above.

>> The sub check_header_validity implements the following checks:
> What is check_header_validity ? I don't found in amavisd.conf file!!

Mark is indicating that the following checks are performed by amavis:

>
>> - bad mime header section or bad mime structure
>> - invalid 8-bit characters in header section
>> - invalid control characters in header section
>> - folded header field made up entirely of whitespace
>> - header line longer than rfc2822 limit of 998 characters
>> - header field syntax error
>> - missing required header field
>> - duplicate header field
>>

You can decide how you want to handle them (quarantine, ignore, etc).

MrC

>> In addition, syntax errors in MIME structure as reported
>> by MIME::Parser are included in this category.
>
> Light me the solution!!
> Thanks
> Andrea
Re: [AMaViS-user] TROUBLE in process_request: Can't create directory
Christian,

[EMAIL PROTECTED] wrote:
> We have been running Postfix Spamassassin Amavisd on RedHat 9 as a
> front-end mail filter/server for many years.
> Since last friday, mail is stacking up in the Postfix queue with the
> message:
> delivery temporarily suspended: lost connection with
> 127.0.0.1[127.0.0.1] while sending RCP TO
>
> An amavisd.log revealed these errors:
> Jan 28 13:14:04 sspam1.uqat.ca /usr/local/sbin/amavisd[5208]: (05208-01)
> (!!)TROUBLE in process_request: Can't create directory
> /var/amavis/tmp/amavis-20080128T131404-05208: Too many links at
> /usr/local/sbin/amavisd line 4780.Too many links at (eval 36) line 95,
> line 2.
>

The "Too many links" (EMLINK) occurs during an attempt to create a new hard link (file, directory) in a file system whose maximum link count has been reached. Simply put, there are too many files and/or directories in the file system that contains /var/amavis/tmp.

Amavis will leave tmp directories when there has been some failure during decoding or scanning, so that you may examine the evidence manually. Normally, amavis will remove these temporary directories, so you should examine why they remain. Check your logs for errors, using the temporary file name as a key to help you trace back.

One possibility is that you are not doing recipient validation and a wave of malware is hitting your server, malware that happens to cause some decoder/unpacker to fail. Be sure you are doing proper recipient validation.

In any case, you can always remove older temporary directories, for example, using a cron job to remove anything older than say a couple of days.

MrC

> In a post I found that emptying the /tmp directory would fix the problem
> but I don't want to lose any e-mail...
>
> I'm kind of lost since I've been searching all week-end and found
> nothing that could help me.
>
> Any help would be appreciated.
>
> Christian Pepin
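One way to do the cleanup suggested in the reply above, as an added example that is not part of the original message and not part of amavisd: a script for cron that counts the preserved work directories and removes those older than a cut-off. The `/var/amavis/tmp` path and the `amavis-...` directory name shape come from the log line quoted in the thread; the script itself, its option names and the two-day default are assumptions of this example.

```perl
#!/usr/bin/perl
# Added illustration, not part of amavisd: prune preserved work directories
# under the amavisd tmp directory. Meant to be run from cron as the user
# that owns the directory.
use strict;
use warnings;
use File::Path qw(remove_tree);
use Getopt::Long;

my $tmpdir  = '/var/amavis/tmp';   # path taken from the log line in the thread
my $max_age = 2;                   # days; an assumption of this example
my $dry_run = 0;
GetOptions(
    'dir=s'   => \$tmpdir,
    'days=i'  => \$max_age,
    'dry-run' => \$dry_run,
) or die "usage: $0 [--dir DIR] [--days N] [--dry-run]\n";

# Return (number of amavis-* work directories, list of those older than
# $days). Only names shaped like amavis-20080128T131404-05208 are considered,
# and lstat is used so that a symlink sitting in the directory is never
# treated as a work directory.
sub scan_workdirs {
    my ($dir, $days, $now) = @_;
    opendir(my $dh, $dir) or die "cannot open $dir: $!\n";
    my ($total, @stale) = (0);
    for my $entry (sort readdir $dh) {
        next unless $entry =~ /\Aamavis-\d{8}T\d{6}-\d+\z/;
        my $path = "$dir/$entry";
        my @st = lstat($path) or next;      # already removed by amavisd
        next unless -d _;                   # real directories only
        $total++;
        push @stale, $path if $now - $st[9] > $days * 86400;   # [9] = mtime
    }
    closedir $dh;
    return ($total, @stale);
}

my ($total, @stale) = scan_workdirs($tmpdir, $max_age, time);
printf "%s: %d work directories, %d older than %d day(s)\n",
    $tmpdir, $total, scalar(@stale), $max_age;

for my $path (@stale) {
    if ($dry_run) {
        print "would remove $path\n";
        next;
    }
    remove_tree($path, { safe => 1, error => \my $errors });
    if ($errors && @$errors) {
        for my $e (@$errors) {
            my ($file, $msg) = %$e;         # one { file => message } pair each
            warn "failed on " . ($file eq '' ? $path : $file) . ": $msg\n";
        }
    } else {
        print "removed $path\n";
    }
}
```

Run it with `--dry-run` first: the directories it lists are the preserved evidence the reply says to trace back through the logs, so look at a few before deleting them.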
Re: [AMaViS-user] Subject line oddities...
Mike Cisar wrote:
> Have had a few messages getting through lately that should have been tagged
> as spam but appear not to have the subject line tagged.
>

Is the recipient considered local by amavis? This is a requirement for spam tagging. See "No spam-related headers inserted?" here:

http://www.ijs.si/software/amavisd/#faq-gen

MrC

> I check the headers and see (some headers removed)...
>
> X-Spam-Flag: YES
> X-Spam-Score: 9.498
> X-Spam-Level: *
> X-Spam-Status: Yes, score=9.498 tagged_above=2 required=5
> tests=[BAYES_99=3.5,
> GOOG_PAGES=5, NO_RECEIVED=-0.001, NO_RELAYS=-0.001, URIBL_GREY=1]
> Subject: :: 86% Cheaper than Original Price: aRolex, Cartier, Omega, Chanel,
> Tag Heuer, Breitling & ... qfbvvqgron
> Subject: [SPAM -> 9.498]
>
> So when the email is viewed in Outlook (only reader I've tried so far) the
> original subject line is shown without spam tag.
>
> S... what's the trick that's making Amavisd create a new subject line
> instead of adding it to theirs? Is there a way to fix so the tagging
> happens properly? Running amavisd-new 2.4.4
>
> Cheers,
> >>>>> Mike <<<<<
Re: [AMaViS-user] amavisd-release error
Joe Demeny wrote:
> On Saturday 26 January 2008 12:55:34 pm you wrote:
>> Joe Demeny wrote:
>>> I'm trying to release a piece of banned mail, and I get this error:
>>>
>>> Can't connect to UNIX socket /var/amavis/home/amavisd.sock: No such file
>>> or directory at /usr/local/sbin/amavisd-release line 202.
>> What is the value of socketname in /usr/local/sbin/amavisd-release?
>>
>> MrC
>
> Oh, I see...
>
> It is:
>
> $socketname = '/var/amavis/home/amavisd.sock';
>
> I have changed it - works perfectly!
>
> Thank you...
>
> Just wondering: why was it set to /var/amavis/home/amavisd.sock by default? I
> don't think I ever edited /usr/local/sbin/amavisd-release before.
>

The FreeBSD port of amavisd-new changes the socket in the port Makefile:

    post-patch:
    .for f in amavisd.conf amavisd.conf-sample amavisd amavisd-agent amavisd-nanny amavisd-release
      @${REINPLACE_CMD} "s@'zoo'[EMAIL PROTECTED]'zoo','unzoo'] ]@" ${WRKSRC}/${f}
    .endfor
    .for i in amavisd.conf amavisd.conf-sample
      @${REINPLACE_CMD} -e "s|$daemon_user = \'vscan\';|$daemon_user = \'${AMAVISUSER}\';|" \
        -e "s|$daemon_group = \'vscan\';|$daemon_group = \'${AMAVISGROUP}\';|" \
        -e "s|/var/amavis|${AMAVISDIR}|" \
        -e "s|/var/lib/amavis|${AMAVISDIR}|" \
        -e 's|$$log_level = 2;|$$log_level = 0;|' \
        -e "s|/var/virusmails|${AMAVISQUARANTINE}|" \
        ${WRKSRC}/${i}
    .endfor
      @${REINPLACE_CMD} "s|/var/amavis/db|${AMAVISDIR}/db|" ${WRKSRC}/amavisd-agent
      @${REINPLACE_CMD} "s|/var/amavis/db|${AMAVISDIR}/db|" ${WRKSRC}/amavisd-nanny
      @${REINPLACE_CMD} "s|/var/amavis/amavisd.sock|${AMAVISDIR}/amavisd.sock|" \
        ${WRKSRC}/amavisd-release

MrC
Re: [AMaViS-user] amavisd-release error
Joe Demeny wrote:
> I'm trying to release a piece of banned mail, and I get this error:
>
> Can't connect to UNIX socket /var/amavis/home/amavisd.sock: No such file or
> directory at /usr/local/sbin/amavisd-release line 202.
>

What is the value of socketname in /usr/local/sbin/amavisd-release?

MrC

> In /usr/local/etc/amavisd.conf I have:
>
> $MYHOME = '/var/amavis';
> $interface_policy{'SOCK'} = 'AM.PDP-SOCK';
> $policy_bank{'AM.PDP-SOCK'} = {
> protocol => 'AM.PDP',
> auth_required_release => 0, # do not require secret_id for amavisd-release
> };
> $unix_socketname = "$MYHOME/amavisd.sock";
>
> and:
>
> # ls -al /var/amavis/amavisd.sock
> srwxr-x--- 1 vscan vscan 0 Jan 26 06:27 /var/amavis/amavisd.sock
>
> Do I have a configuration error? Why is amavisd looking
> for /var/amavis/home/amavisd.sock instead of /var/amavis/amavisd.sock?
>
> The system is FreeBSD 6.3-PRERELEASE, postfix-2.4.1,1 and amavisd-new-2.5.1,1
Re: [AMaViS-user] strange winmail.dat problem
Jo Rhett wrote:
> MrC wrote:
>> This is *not* a mail server issue. The mail server is not converting
>> the attachments; rather, the MUA is displaying the attachment
>> differently for user 1 & 2 vs. 3.
>
> Um, not it's not, sorry. Outlook will send in different formats based
> on the recipient settings in the address book. It's the originating
> e-mail sender's address book setting. Really.

I followed up my reply with my omission; my intent was that the focus should be on the MUA and not MTA.

MrC
Re: [AMaViS-user] strange winmail.dat problem
MrC wrote:
> Miguel wrote:
>> Gary V wrote:
>>> On 1/24/08, Miguel wrote:
>>> ...
>
> Have you installed the TNEF plugin, and is it enabled for user 3?
>
> http://www.squirrelmail.org/plugin_view.php?id=62
>
> This is *not* a mail server issue. The mail server is not converting
> the attachments; rather, the MUA is displaying the attachment
> differently for user 1 & 2 vs. 3.
>

Gary V wrote:
> Interesting. If it were me, I would start with two things. I would see
> if this is repeatable and I would compare the body of the three
> messages to see if all three are identical or not. I also might
> rearrange the order of the addresses and have all three users open the
> new message using the same client software.
>

Right. I should have also indicated that the MUA's address book may contain entries that specify different preferred mail format types for the recipients. (Consider Outlook's Plaintext, HTML, and RTF). The MIME headers in each recipient's message will yield the clues.

The salient point is that the MUA is doing the encode/decode.

MrC
Re: [AMaViS-user] strange winmail.dat problem
Miguel wrote:
> Gary V wrote:
>> On 1/24/08, Miguel wrote:
>>
>>> Hi to all, im facing a really strange problem, i have a contact that
>>> sends emails with several images attached to the email, the email has
>>> several copies to the same domain, so for so good.
>>> Lets say he sends a email to [EMAIL PROTECTED], [EMAIL PROTECTED], and
>>> [EMAIL PROTECTED], user1 and user2 receive the email without any issue,
>>> all attahments (several images) and text is there, user3 doesnt receive
>>> all attachments, just a winmail.dat file attached to the email, the text
>>> is ok,
>>> what should i check?
>>> Thanks in advance
>>> ---
>>> Miguel
>>>
>> One possibility is user3 is not using Outlook.
>> http://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format
>>
>>
> Hi, i have check that and user3 is using outlook, but the problem is not
> in the MUA, its in the server itself, i have squirrelmail installed in
> the server and if i enter using user1 credential, i see every file, if i
> enter using server3 credential, i see only winmail.dat file, the same as
> in outlook,
> miguel

Have you installed the TNEF plugin, and is it enabled for user 3?

http://www.squirrelmail.org/plugin_view.php?id=62

This is *not* a mail server issue. The mail server is not converting the attachments; rather, the MUA is displaying the attachment differently for user 1 & 2 vs. 3.

MrC
Re: [AMaViS-user] Large attachment compressed file can not sent
上海ロココ 許 wrote:
> Thank you very much!
> I add [EMAIL PROTECTED], [EMAIL PROTECTED] in
> virtual mailbox tables ,then problem resolved.
>
> In amavisd.conf I set [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],
> # allow any within these archives
> But when send with .exe file in RAR attachment, It also blocked.
> What can I do for allow .exe file within RAR or zip archives ?
>

The order in which the mappings appear in the table is important, as the first match wins. Where is this entry relative to the entries that block .exe? Eg: these two definitions produce different results:

Correct:

    $banned_filename_re = new_RE(
      [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow within archives
      qr'.\.(exe|vbs|pif|scr|cpl)$'i,         # banned extension - basic
    );

Incorrect:

    $banned_filename_re = new_RE(
      qr'.\.(exe|vbs|pif|scr|cpl)$'i,         # banned extension - basic
      [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow within archives
    );

The first should do what you want, while the second will not. If this isn't clear, show your $banned_filename_re map.

MrC
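The ordering rule in the reply above, as an added example that is not part of the original message and is not amavisd's own code: a simplified first-match-wins lookup run against both rule orderings. The helper `lookup_first_match`, the sample parts and the assumption that a part is checked together with the short type and name of the archive containing it are constructed for this illustration; only the two regular expressions are taken from the message.

```perl
#!/usr/bin/perl
# Added illustration, not amavisd code: a simplified model of a
# first-match-wins lookup over an ordered rule table.
use strict;
use warnings;

# The two rules from the message, written as in amavisd.conf.
# A bare regex means "banned on match"; [ regex => 0 ] means "allow on match".
my $allow_in_archives = [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ];
my $ban_executables   = qr'.\.(exe|vbs|pif|scr|cpl)$'i;

my @tables = (
    [ 'archive rule first (correct)',      [ $allow_in_archives, $ban_executables ] ],
    [ 'executable rule first (incorrect)', [ $ban_executables, $allow_in_archives ] ],
);

# Constructed sample parts. Assumption of this model: each part is looked up
# with the short types and names of its enclosing archives as well as its own.
my @parts = (
    [ 'setup.exe inside tools.rar',   [ '.rar', 'tools.rar', '.exe', 'setup.exe' ] ],
    [ 'setup.exe attached directly',  [ '.exe', 'setup.exe' ] ],
    [ 'report.pdf attached directly', [ '.pdf', 'report.pdf' ] ],
);

# Walk the rules in table order; the first rule that matches any of the
# names decides the result and no later rule is consulted.
# Returns (result, matching regex), or (undef, undef) when nothing matched.
sub lookup_first_match {
    my ($rules, @names) = @_;
    for my $rule (@$rules) {
        my ($re, $result) = ref($rule) eq 'ARRAY' ? @$rule : ($rule, 1);
        for my $name (@names) {
            return ($result, "$re") if $name =~ $re;
        }
    }
    return (undef, undef);
}

for my $table (@tables) {
    my ($label, $rules) = @$table;
    print "$label\n";
    for my $part (@parts) {
        my ($what, $names) = @$part;
        my ($result, $matched) = lookup_first_match($rules, @$names);
        my $verdict = !defined $result ? 'allowed (no rule matched)'
                    : $result          ? "BANNED by $matched"
                    :                    "allowed by $matched";
        printf "  %-30s %s\n", $what, $verdict;
    }
    print "\n";
}
```

With the archive rule first, the allow entry ends the lookup for anything inside a matching archive, so an .exe in a .rar is no longer subject to the banned-name check at all, while the directly attached .exe is still banned under either ordering.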
Re: [AMaViS-user] Large attachment compressed file can not sent
Rococo Leo wrote:
> Hello everyone!
>
> When I send Email with attachment bigger than 2M in RAR Format, it can’t be
> sent
> Why ?

The log lines below indicate two problems. The first is that the users [EMAIL PROTECTED], [EMAIL PROTECTED], and [EMAIL PROTECTED] do not exist in your virtual mailbox tables. Fix this first. Show the output of postconf -n.

The second problem indicates that gzip is failing to decompress part 14 of an archive, and evidence is preserved in the file:

  /var/amavis/tmp/amavis-20080124T000250-91425

You indicate the attachment was a RAR file, but amavis is calling gzip via do_uncompress(). Have you configured amavis to attempt to use gzip for rar decoding ? By default, it would use rar or unrar. Examine the files in the parts subdirectory, and test gzip -d on part 14 (p014).

You can increase amavis' log level to 2 to see the parts that are decoded. Example:

  ... p006 1 Content-Type: multipart/mixed
  ... p001 1/1 Content-Type: text/plain, size: 148 B, name:
  ... p007 1/2 Content-Type: message/rfc822
  ... p008 1/2/1 Content-Type: multipart/mixed
  ... p009 1/2/1/1 Content-Type: multipart/related
  ... p010 1/2/1/1/1 Content-Type: multipart/alternative
  ... p002 1/2/1/1/1/1 Content-Type: text/plain, size: 383 B, name:
  ... p003 1/2/1/1/1/2 Content-Type: text/html, size: 7961 B, name:
  ... p004 1/2/1/1/2 Content-Type: image/gif, size: 36179 B, name: foo.gif
  ... p005 1/2/1/2 Content-Type: video/x-ms-wmv, size: 5307250 B, name: test.wmv

>
> I'm not sure if we can set amavisd-new to have limits for the size of
> attachments as opposed to the size of the mail. Either ways, virus
> mails sent by infected machines will never be that big.
> Where to set?

There is nothing below that indicates this is a size limitation; rather the decompressor is failing. I'm not aware of any per-attachment type size limit settings.

MrC

>
> My maillog list:
>
> Jan 24 10:27:23 fbsd postfix/smtpd[1798]: connect from
> localhost.metaworks.com.cn[127.0.0.1]
> Jan 24 10:27:23 fbsd postfix/smtpd[1798]: NOQUEUE: reject: RCPT from
> localhost.metaworks.com.cn[127.0.0.1]: 550 5.1.1 <[EMAIL PROTECTED]>:
> Recipient address rejected: User unknown in virtual mailbox table; from=<>
> to=<[EMAIL PROTECTED]> proto=ESMTP helo=
> Jan 24 10:27:23 fbsd amavis[1772]: (01772-01) Negative SMTP resp to DATA:
> 554 5.5.1 Error: no valid recipients
> Jan 24 10:27:23 fbsd postfix/smtpd[1798]: disconnect from
> localhost.metaworks.com.cn[127.0.0.1]
> Jan 24 10:27:23 fbsd amavis[1772]: (01772-01) (!)SEND via SMTP: <> ->
> <[EMAIL PROTECTED]>,[EMAIL PROTECTED]
> ks.com.cn BODY=7BIT 550 5.6.0 Failed, id=01772-01, from
> MTA([127.0.0.1]:10025): 550 5.1.1 Failed, id=01772-01, from MTA([127.0.0.1]:
> 10025): 550 5.1.1 <[EMAIL PROTECTED]>: Recipient address rejected: User
> unknown in virtual mailbox table
> Jan 24 10:27:23 fbsd amavis[1772]: (01772-01) (!!)TROUBLE in check_mail:
> quar+notif FAILED: Can not quarantine: 550 5.1.1 Failed, id=01772-01, from
> MTA([127.0.0.1]:10025): 550 5.1.1 <[EMAIL PROTECTED]>: Recipient
> address rejected: User unknown in virtual mailbox table at
> /usr/local/sbin/amavisd line 10355, line 36322.
> Jan 24 10:27:23 fbsd amavis[1772]: (01772-01) (!)PRESERVING EVIDENCE in
> /var/amavis/tmp/amavis-20080124T102645-01772
> Jan 24 10:27:23 fbsd postfix/smtp[1785]: 01F1DA94466:
> to=<[EMAIL PROTECTED]>, relay=localhost[127.0.0.1]:10024, delay=62475,
> delays=62430/6/0.02/38, dsn=4.5.0, status=deferred (host
> localhost[127.0.0.1] said: 451 4.5.0 Error in processing, id=01772-01,
> quar+notif FAILED: Can not quarantine: 550 5.1.1 Failed, id=01772-01, from
> MTA([127.0.0.1]:10025): 550 5.1.1 <[EMAIL PROTECTED]>: Recipient
> address rejected: User unknown in virtual mailbox table at
> /usr/local/sbin/amavisd line 10355, line 36322. (in reply to end of
> DATA command))
> Jan 24 10:27:24 fbsd postfix/smtpd[1798]: connect from
> localhost.metaworks.com.cn[127.0.0.1]
>
> Jan 24 00:02:51 fbsd amavis[91425]: (91425-01) (!)SEND via SMTP: <> ->
> <[EMAIL PROTECTED]>,[EMAIL PROTECTED]
> s.com.cn BODY=7BIT 550 5.6.0 Failed, id=91425-01, from
> MTA([127.0.0.1]:10025): 550 5.1.1 Failed, id=91425-01, from MTA([127.0.0.1]:
> 10025): 550 5.1.1 <[EMAIL PROTECTED]>: Recipient address rejected: User
> unknown in virtual mailbox table
> Jan 24 00:02:51 fbsd amavis[91425]: (91425-01) (!!)TROUBLE in check_mail:
> quar+notif FAILED: Can not quarantine: 550 5.1.1 Failed, id=91425-01, from
> MTA([127.0.0.1]:10025): 550 5.1.1 <[EMAIL PROTECTED]>: Recipient address
> rejected: User unknown in virtual mailbox table at /usr/local/sbin/amavisd
> line 10355, line 5986.
> Jan 24 00:02:51 fbsd amavis[91425]: (91425-01) (!)PRESERVING EVIDENCE in
> /var/a
Re: [AMaViS-user] Can't start amavisd
Mark,

>> After updating perl on my netbsd system, I encountered the same issue
>> with amavis indicating that Compress::Zlib was missing. The error
>> message is somewhat misleading. The module exists, it just fails to load.
>
> Right. I encountered such problems in the past. My simple attempt
> to produce a more informative diagnostics resulted in two lines
> in sub fetch_modules:
>
> printf STDERR ("fetch_modules: error loading module %s :\n%s\n", $_,
> join("\n", map {"> $_"} split(/\n/,$eval_stat)));
>
> (or its variants) which I had to comment out, as it was either
> too chatty or failed to report relevant problem, like a module file
> being too strongly protected, so it was useless.
>
> The original sin is in a perl's "require", which treats inaccessible
> files the same as missing files.
>
> To do it right, a better alternative to 'require' is needed.
>
> So here it is - a patch to amavisd (2.5.2) to produce a more
> meaningful diagnostics in case of compile errors in modules,
> or module files not being accessible. I'd be interested in a
> feedback if this is a viable solution for half-screwed systems -
> - for example in case of having two instances of a module in
> an @INC path and one of them is broken, my solution produces a
> proper diagnostics, while originally the broken module is ignored.

FYI: I finally had a chance to install and try the patch (into 2.5.3 rather than 2.5.2). The error messages I encountered were:

  fetch_modules: error loading required module Compress/Zlib.pm:
  Error in file /usr/pkg/lib/perl5/vendor_perl/5.8.0/Compress/Zlib.pm:
  is only avaliable with the XS version at /usr/pkg/lib/perl5/vendor_perl/5.8.0/Compress/Zlib.pm line 9
  BEGIN failed--compilation aborted at /usr/pkg/lib/perl5/vendor_perl/5.8.0/Compress/Zlib.pm line 9.
  ERROR: MISSING REQUIRED BASIC MODULES:
  Compress::Zlib
  BEGIN failed--compilation aborted at /usr/local/sbin/amavisd line 216.

However the actual problem is on line 9 of Compress/Zlib.pm, which happens to be:

  use Scalar::Util qw(dualvar);

It was Scalar::Util that needed to be rebuilt. Once rebuilt, amavis started successfully.

Mike

>
>
> Mark
Re: [AMaViS-user] Release candidate amavisd-new-2.5.3-rc1
Leon Kolchinsky wrote:
>> Leon Kolchinsky wrote:
>>>>> Does this release solve the issue I have (As seen in my logwatch
>>>> summary)?:
>>>>> 150 Extra code modules loaded at runtime
>>>>>
>>>>>50 unicore/lib/gc_sc/Digit.pl
>>>>>50 unicore/lib/gc_sc/SpacePer.pl
>>>>>50 unicore/lib/gc_sc/Word.pl
>> Mark Martinec wrote:
>>>> No, it doesn't get away with these particular reports
>>>> for .pl files under unicore/lib. It is not a bug and
>>>> there is nothing I can do (except to suppress logging it).
>>>> Files under perl.../unicore/lib are not true perl modules,
>>>> and can not be loaded once and for all, perl wants
>>>> to be able to read them as needed.
>>>>
>> Perhaps I should just have amavis-logwatch ignore these...?
>>
>> MrC
>
> Right,
>
> May be for now it is a good idea for amavis-logwatch to ignore these.
>
> Leon
>

I've updated amavis-logwatch to version 1.48.26, which resolves this issue, and includes a number of additional changes and fixes. See the Changes file.

http://www.mikecappella.com/logwatch

MrC
Re: [AMaViS-user] Content-based rejection notice: is it possible?
Luis Hernán Otegui wrote:
> Hi, everybody, I was wondering if it would be possible to send a
> rejection notice based on the content of the message (we're rejecting
> mp3's, avi's, and every multimedia format here). Since amavis is the
> one doing the trick, I figured out it should be amavis the one doing
> the notify.
>
> Could it be done? how?

If Amavis is being used after the message has been accepted, it is too late to reject, since your MSA/MTA has already accepted the message and the SMTP dialog is complete. Your only option here is to bounce, or configure your MSA/MTA to reject.

If Amavis is used in a before-queue fashion, you can reject.

What is your setup ?

MrC

>
> Thanks in advance,
>
>
> Luis
Re: [AMaViS-user] Release candidate amavisd-new-2.5.3-rc1
Leon Kolchinsky wrote:
>>> Does this release solve the issue I have (As seen in my logwatch
>> summary)?:
>>> 150 Extra code modules loaded at runtime
>>>
>>>50 unicore/lib/gc_sc/Digit.pl
>>>50 unicore/lib/gc_sc/SpacePer.pl
>>>50 unicore/lib/gc_sc/Word.pl

Mark Martinec wrote:
>> No, it doesn't get away with these particular reports
>> for .pl files under unicore/lib. It is not a bug and
>> there is nothing I can do (except to suppress logging it).
>> Files under perl.../unicore/lib are not true perl modules,
>> and can not be loaded once and for all, perl wants
>> to be able to read them as needed.
>>

Perhaps I should just have amavis-logwatch ignore these...?

MrC
Re: [AMaViS-user] Release candidate amavisd-new-2.5.3-rc1
Mark Martinec wrote:
> There were some recent reports that a mail message with large
> and mangled header could cause perl regular expressions used in
> parsing a header to exceed available memory due to deep recursion,
> and cause amavisd process to crash, letting such messages to stay
> stuck in a MTA queue, reporting unsightly 'process went away'
> by amavisd-nanny, and leaving behind temporary directories.
>
> It is not a security threat, but is annoying nevertheless,
> so I decided to release a last maintenance release of 2.5,
> collecting all bug fixes that have accumulated by now, and
> leave all new features to 2.6 (to be pre-released soon).
>
> amavisd-new-2.5.3-rc1 release candidate is available at:
>
> http://www.ijs.si/software/amavisd/amavisd-new-2.5.3-rc1.tar.gz
>
> Please try it out - I plan to release it in two or three days.
> There are no compatibility issues with 2.5.2.

No issues seen thus far.

MrC
Re: [AMaViS-user] SA rules summary for ham not logged?
Dave McGuire wrote:
> On Dec 6, 2007, at 12:39 PM, MrC wrote:
>>>Hey folks. It looks to me like amavisd-new isn't logging the
>>> SpamAssassin rules summary for messages that *don't* get tagged
>>> as spam. I can't believe I've never noticed this before, but
>>> sitting here staring at a log file, this seems to be the case.
>> Lower the value of $sa_tag_level_deflt, as in :
>>
>> $sa_tag_level_deflt = undef; # add spam info headers if at, or
>> above that level
>
>It's already set to undef...I'm not talking about the addition of
> headers to messages, I'm talking about the logging (to syslog, in my
> case) of each message as amavisd processes it.
>

What is your $log_level setting ? SPAM-TAG entries will be added at $log_level=2. See also "syslog priorities are now dynamically derived" in the RELEASE_NOTES file for dynamic priorities. I have a little blurb also in the README file for amavis-logwatch.

  Dec 6 10:07:24 mailhost amavis[22519]: (22519-05) SPAM-TAG, -> , No, score=-0.528 required=6.29 tests=[AWL=-0.901, BAYES_05=-1.11, DNS_FROM_RFC_BOGUSMX=1.482, HTML_MESSAGE=0.001]

MrC

> -Dave
Re: [AMaViS-user] SA rules summary for ham not logged?
Dave McGuire wrote:
>Hey folks. It looks to me like amavisd-new isn't logging the
> SpamAssassin rules summary for messages that *don't* get tagged as
> spam. I can't believe I've never noticed this before, but sitting
> here staring at a log file, this seems to be the case.
>

Lower the value of $sa_tag_level_deflt, as in :

  $sa_tag_level_deflt = undef; # add spam info headers if at, or above that level

MrC

>Basically I have a spam message that made it through the filters,
> and according to the logs it scored a few points under my
> threshold...and I'd like to know which rules DID get hit.
>
>Is there a configuration option for this? Am I missing something
> silly here?
>
>Oh yes, this is amavisd-new v2.4.5. I've not yet upgraded due to
> difficulty in taking this system down for any length of time...I'll
> do so when 2.5.3 is released.
>
> Thanks,
> -Dave
>
Re: [AMaViS-user] Problem compiling arj-3.10.22
Peter Sørensen wrote:
> OK
>
> Platform is RHAS9
>
> The last part of the output after doing make is:
> .
> .
> Creating archive : ./linux-gnu/en/rs/help.arj
> Adding./resource/en/arjl.txt 37.2%
> Adding./resource/en/arjs.txt 47.3%
> Testing arjl.txtOK
> Testing arjs.txtOK
> 2 file(s)
> ./linux-gnu/en/rs/tools/join ./linux-gnu/en/rs/arj/arj
> ./linux-gnu/en/rs/help.arj
> JOIN v 1.30 [26/04/2003] Not a part of any binary package!
>
> Copying . done!
> ./linux-gnu/en/rs/tools/postproc linux-gnu/en/rs/arj/arj
> POSTPROC v 1.30 [17/01/2003] Not a part of any binary package!
>
> Patch not found
> make[1]: *** [linux-gnu/en/rs/arj/arj] Error 3
> make[1]: Leaving directory `/usr/local/src/arj-3.10.22'
> make: *** [all] Error 2
>
> Regards
>

The arj build system is very non-standard. Ignore the "error" above, and look in linux-gnu/en/rs/arj. You should find arj built and ready for install.

MrC
Re: [AMaViS-user] Blacklist question...
Rob Morin wrote:
> SO the blacklist, how do i enter in an originator's email address to be
> blocked only to a certain destination address?
>
> I mean let say i have [EMAIL PROTECTED], i want to block any emails from
> this address going to [EMAIL PROTECTED] on my server, but i want to make
> sure that [EMAIL PROTECTED] can send to other hosted domains on my server
>
> I have not used the blacklist yet

For hard black/white listing, take a look at:

  ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT

in the amavisd.conf-sample file.

Alternatively, you can use per-recipient soft white/black listing:

  @score_sender_maps = ({ # a by-recipient hash lookup table,
                          # results from all matching recipient tables are summed
    ## per-recipient tables (NOTE: positive: black, negative: white)
    '[EMAIL PROTECTED]' => [{'[EMAIL PROTECTED]' => 10.0}],
  });

MrC

>
> Thanks to all
>
> Have a great day!
>
Re: [AMaViS-user] Problem compiling arj-3.10.22
Peter Sørensen wrote:
> Hi,
>
> I am in the process of migrating my amavisd-new installation
> I found a source package for the arj program (arj-3.10.22).
> I have some problems compiling this. Any hints on this here?
>

Share your secrets. What error messages are produced? Which platform?

MrC

> Regards
>
>
> Kind regards
>
> Peter Sørensen
Re: [AMaViS-user] Real eBay mails get quarantined
koffiejunkie wrote:
> Hi guys,
>
> Pretty much what the subject says. Amavisd-new (through ClamAV) is
> identifying legitimate mails from eBay as HTML.Phishing.Auction-113.
> The notification I get looks like this (Subject and e-mail address
> changed for privacy, of course):
>
>
> A virus was found: HTML.Phishing.Auction-113
>
> Scanner detecting a virus: ClamAV-clamd

This is a ClamAV (not amavis) issue. The false positive is due to the anti-phishing signatures in ClamAV. This is currently a hot topic on the clamav list.

You can disable the phishing heuristics in your /etc/clamd.conf file, which default to:

  # With this option enabled ClamAV will try to detect phishing attempts by using
  # signatures.
  # Default: yes
  #PhishingSignatures yes

  # Scan URLs found in mails for phishing attempts using heuristics.
  # Default: yes
  #PhishingScanURLs yes

You can also soft-whitelist senders (if you are able to determine them) via @score_sender_maps in amavisd, and also have amavis map phishing pseudo-viruses into spam scores instead of treating them like viruses:

  @virus_name_to_spam_score_maps = (new_RE(
    [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 6.0 ],
  ));

This will treat clamav's phishing hits as spam hits, boosting the score by 6.00 (set the values as you see fit). See the amavisd.conf file and documentation.

MrC

>
> Content type: Virus (9,0)
> Internal reference code for the message is 29147-19/PLfqqUg3n0u6
> ...
>
> Virus scanner output:
>p002: HTML.Phishing.Auction-113 FOUND
>
>
> What is triggering this? Any way to prevent it?
>
> Thanks
>
Re: [AMaViS-user] Can't start amavisd
Gary V wrote:
> On 11/15/07, Bob Mortimer wrote:
>> On Thursday 15 November 2007 16:03:08 Gary V wrote:
>>
>>> Was the rpm perl-Compress-Zlib ?
>> Thanks for the reply Gary.
>>
>> Yep, used urpmi but have also tried CPAN which is trying to install a newer
>> (I
>> think) version but failing with loads of errors.
>
> It might be useful to see those errors.
>

After updating perl on my netbsd system, I encountered the same issue with amavis indicating that Compress::Zlib was missing. The error message is somewhat misleading. The module exists, it just fails to load.

This turned out to be a requirement to recompile some of the perl modules such as Compress::Raw::Zlib. Compress::Zlib was failing to load because the required .so files were not compatible with the updated perl binary.

Mark had a post some time ago on the list about the necessity to recompile when perl is upgraded.

MrC

>>> Run 'perl -V' to determine the version of Perl:
>>>
>>> # perl -V
>> I get:
>> Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
>> ...
>> @INC:
>>/usr/lib/perl5/5.8.8/i386-linux
>>/usr/lib/perl5/5.8.8
>>/usr/lib/perl5/site_perl/5.8.8/i386-linux
>>/usr/lib/perl5/site_perl/5.8.8
>>/usr/lib/perl5/site_perl
>>/usr/lib/perl5/vendor_perl/5.8.8/i386-linux
>>/usr/lib/perl5/vendor_perl/5.8.8
>>/usr/lib/perl5/vendor_perl/5.8.7
>>/usr/lib/perl5/vendor_perl/5.8.7/i386-linux
>>/usr/lib/perl5/vendor_perl/5.8.6
>>/usr/lib/perl5/vendor_perl
>>
>>
>>> Then run amavisd debug, and see what version amavisd-new sees (I'm
>>> trying to see if you Perl installed in two locations):
>> This doesn't get far enough to report the perl version:
>> [EMAIL PROTECTED] ~]# amavisd debug
>> ERROR: MISSING REQUIRED BASIC MODULES:
>> Compress::Zlib
>> BEGIN failed--compilation aborted at /usr/local/sbin/amavisd line 171.
>>
>>> # find / -type f -name perl
>> [EMAIL PROTECTED] ~]# find / -type f -name perl
>> /usr/share/apps/kdevappwizard/imports/perl
>> /usr/share/games/fortunes/perl
>>
>> Still confused ...
>>
>
> How about:
> # which perl
>
> If Mandriva uses the locate command,
> # updatedb
> # locate Compress/Zlib.pm
>
> (or)
> # find / -type f -name Zlib.pm
>
Re: [AMaViS-user] Amavis timings on a new server
Leon Kolchinsky wrote:
> Hello All,
>
> I'm installing a new mail server on Gentoo (moving from SLES9),
>
> When I send some test mails I can see that most of processing time is spent
> on:
> SMTP DATA: 37 (34%)38
> fwd-connect: 17 (15%)77
>
> Is there a way to improve these timings or is it OK?

As Gary indicates, those seem fine. Here's what I have from last night; SMTP DATA and fwd-connect are 20.9ms and 13.3ms respectively:

  ======================================================================
  Timing Percentiles        % Time   Total (s)      0%     90%    100%
  ----------------------------------------------------------------------
  SA check                  57.52%     184.599   0.637   3.174   4.545
  AV-scan-2                 28.27%      90.731   0.790   0.867   1.228
  SMTP DATA                  6.74%      21.631   0.185   0.197   0.209
  AV-scan-1                  2.49%       7.989   0.011   0.120   1.442
  mime_decode                0.83%       2.652   0.011   0.034   0.061
  get-file-type1             0.70%       2.241   0.013   0.027   0.077
  main_log_entry             0.54%       1.742   0.009   0.020   0.026
  fwd-connect                0.53%       1.693   0.007   0.018   0.133
  update_cache               0.34%       1.079   0.001   0.014   0.023
  fwd-end-chkpnt             0.24%       0.774   0.003   0.017   0.040
  SA parse                   0.21%       0.680   0.004   0.009   0.032
  decompose_part             0.19%       0.594   0.002   0.010   0.038
  unlink-2-files             0.17%       0.541   0.001   0.011   0.035
  fwd-mail-pip               0.15%       0.485   0.003   0.006   0.020
  SMTP pre-DATA-flush        0.11%       0.362   0.003   0.004   0.012
  spam-wb-list               0.11%       0.337   0.003   0.004   0.006
  check_header               0.10%       0.312   0.001   0.004   0.007
  update_snmp                0.09%       0.275   0.002   0.004   0.007
  SMTP greeting              0.09%       0.274   0.002   0.003   0.007
  prepare-dsn                0.08%       0.258   0.001   0.003   0.022
  get-file-type2             0.07%       0.235   0.016   0.087   0.107
  decide_mail_destiny        0.07%       0.213   0.001   0.002   0.003
  write-header               0.06%       0.203   0.001   0.003   0.004
  rundown                    0.04%       0.132   0.001   0.002   0.006
  gen_mail_id                0.04%       0.121   0.001   0.001   0.006
  SMTP pre-response          0.04%       0.116   0.001   0.001   0.002
  SMTP LHLO                  0.04%       0.113   0.001   0.001   0.002
  check_init                 0.04%       0.113   0.001   0.001   0.002
  digest_hdr                 0.03%       0.104   0.000   0.001   0.002
  SMTP pre-MAIL              0.03%       0.101   0.000   0.001   0.002
  SMTP response              0.02%       0.072   0.000   0.001   0.012
  get-file-type3             0.01%       0.034   0.034   0.034   0.034
  fwd-rcpt-pip               0.01%       0.030   0.000   0.001   0.001
  open-mbx                   0.01%       0.028   0.007   0.007   0.007
  unlink-3-files             0.01%       0.024   0.002   0.009   0.010
  unlink-1-files             0.01%       0.018   0.002   0.011   0.013
  fwd-data-contents          0.00%       0.014   0.000   0.000   0.004
  mkdir tempdir              0.00%       0.012   0.002   0.002   0.002
  mkdir parts                0.00%       0.012   0.002   0.002   0.002
  create email.txt           0.00%       0.006   0.001   0.001   0.001
  digest_body                0.00%       0.003   0.000   0.000   0.001
  unlink-4-files             0.00%       0.003   0.003   0.003   0.003
  parts_decode               0.00%       0.001   0.000   0.000   0.001
  fwd-data-chkpnt            0.00%       0.000   0.000   0.000   0.000
  save-to-local-mailbox      0.00%       0.000   0.000   0.000   0.000
  ======================================================================
  Scan Time: Actual        100.00%     320.952   0.286   4.604   6.021
  Scan Time: Hypothetical  100.00%     320.957   1.765   4.717   8.197

>
> Log snippet:
> ---
> Nov 4 11:24:14 mail2 amavis[9998]: (09998-04) TIMING [total 108 ms] - SMTP
> greeting: 2 (2%)2, SMTP EHLO: 0 (0%)2, SMTP pre-MAIL: 0 (0%)2, SMTP
> pre-DATA-flush: 2 (2%)4, SMTP DATA: 36 (33%)37, check_init: 1 (1%)38,
> digest_hdr: 0 (0%)38, digest_body: 0 (0%)38, gen_mail_id: 1 (1%)39,
> mime_decode: 10 (9%)47, get-file-type2: 8 (8%)55, decompose_part: 1 (1%)56,
> parts_decode: 0 (0%)56, AV-scan-1: 4 (4%)60, update_cache: 1 (1%)61,
> decide_mail_destiny: 1 (1%)61, fwd-connect: 17 (15%)77, fwd-mail-pip: 3
> (2%)79, fwd-rcpt-pip: 0 (0%)79, fwd-data-chkpnt: 0 (0%)79, write-header: 1
> (1%)80, fwd-data-contents: 0 (0%)80, fwd-end-chkpnt: 12 (11%)91,
> prepare-dsn: 1 (1%)91, main_log_entry: 7 (6%)98, update_snmp: 1 (1%)99, SMTP
> pre-response: 0 (0%)99, SMTP response: 0 (0%)99, unlink-2-files: 1 (1%)100,
> rundown: 0 (0%)100
> Nov 4 11:24:14 mail2 postfix/smtpd[19527]: disconnect
> from leon.mydomain.com[192.168.41.33]
> Nov 4
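How the TIMING entry quoted in the message above breaks down, as an added Python example that is not part of the thread and not amavisd or amavis-logwatch code. It reads each section as `name: ms (percent%)cumulative-percent`, an interpretation inferred from the quoted numbers; the function names and the second log line are constructed.

```python
import re

# The TIMING entry quoted above, with the mail client's line wraps removed.
PAGE_LINE = (
    "Nov  4 11:24:14 mail2 amavis[9998]: (09998-04) TIMING [total 108 ms] - "
    "SMTP greeting: 2 (2%)2, SMTP EHLO: 0 (0%)2, SMTP pre-MAIL: 0 (0%)2, "
    "SMTP pre-DATA-flush: 2 (2%)4, SMTP DATA: 36 (33%)37, check_init: 1 (1%)38, "
    "digest_hdr: 0 (0%)38, digest_body: 0 (0%)38, gen_mail_id: 1 (1%)39, "
    "mime_decode: 10 (9%)47, get-file-type2: 8 (8%)55, decompose_part: 1 (1%)56, "
    "parts_decode: 0 (0%)56, AV-scan-1: 4 (4%)60, update_cache: 1 (1%)61, "
    "decide_mail_destiny: 1 (1%)61, fwd-connect: 17 (15%)77, fwd-mail-pip: 3 (2%)79, "
    "fwd-rcpt-pip: 0 (0%)79, fwd-data-chkpnt: 0 (0%)79, write-header: 1 (1%)80, "
    "fwd-data-contents: 0 (0%)80, fwd-end-chkpnt: 12 (11%)91, prepare-dsn: 1 (1%)91, "
    "main_log_entry: 7 (6%)98, update_snmp: 1 (1%)99, SMTP pre-response: 0 (0%)99, "
    "SMTP response: 0 (0%)99, unlink-2-files: 1 (1%)100, rundown: 0 (0%)100"
)
# Constructed second entry, used only to show aggregation over several mails.
CONSTRUCTED_LINE = (
    "Nov  4 11:25:02 mail2 amavis[9998]: (09998-05) TIMING [total 50 ms] - "
    "SMTP greeting: 1 (2%)2, SMTP DATA: 30 (60%)62, fwd-connect: 19 (38%)100"
)

HEADER_RE = re.compile(
    r'\((?P<id>\d+-\d+(?:-\d+)?)\) TIMING \[total (?P<total>\d+) ms\] - (?P<body>.+)$')
SECTION_RE = re.compile(r'^(?P<name>.+?): (?P<ms>\d+) \((?P<pct>\d+)%\)(?P<cum>\d+)$')


def parse_timing(line):
    """Parse one TIMING log line; return None for any other line."""
    header = HEADER_RE.search(line.strip())
    if not header:
        return None
    sections = []
    for chunk in header['body'].split(', '):
        m = SECTION_RE.match(chunk.strip())
        if m:  # silently skip a chunk cut off by log truncation
            sections.append({'name': m['name'], 'ms': int(m['ms']),
                             'pct': int(m['pct']), 'cum': int(m['cum'])})
    return {'id': header['id'], 'total_ms': int(header['total']),
            'sections': sections}


def slowest(entry, n=3):
    """The n most expensive sections of one message as (name, ms, pct)."""
    ranked = sorted(entry['sections'], key=lambda s: -s['ms'])
    return [(s['name'], s['ms'], s['pct']) for s in ranked[:n]]


def aggregate(lines):
    """Sum section times over many log lines: [(name, total_ms, share_pct)]."""
    totals = {}
    for line in lines:
        entry = parse_timing(line)
        for s in (entry['sections'] if entry else []):
            totals[s['name']] = totals.get(s['name'], 0) + s['ms']
    grand = sum(totals.values()) or 1
    return sorted(((name, ms, round(100.0 * ms / grand, 1))
                   for name, ms in totals.items()), key=lambda row: -row[1])


if __name__ == '__main__':
    print(slowest(parse_timing(PAGE_LINE)))
    for name, ms, share in aggregate([PAGE_LINE, CONSTRUCTED_LINE])[:5]:
        print(f'{name:20} {ms:5d} ms {share:5.1f}%')
```

The per-section milliseconds are rounded in the log, so their sum (110 here) can differ slightly from the reported total of 108 ms.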
Re: [AMaViS-user] Changing timezone on log entries and headers
Alvaro Uría wrote:
> Hi all!
>
> I've been looking how to change the default amavisd-new date format (UTC)
> on log entries and headers of emails, but I haven't found it.
>
> I've seen the code on the amavisd perl script, and I've read the
> README.customize, but I don't know how to apply the change for using
> date_rfc2822_local (or %d).
>
> Thanks in advance :-)
>
> Best regards,
> Alvaro.
>
> PS: BTW, I'm using amavisd-new 2.4.4

At the end of amavisd, there are templates (search beginning with "This text section"). These templates are what you customize, by replacing, for example %d, with the desired time macro.

Search "%d" downward after you are at the first template, and you'll find a line that starts with

  Date: %d

This should get you started.

MrC
Re: [AMaViS-user] Log file analyser recomendations
Robert Brooks wrote:
> Mark Martinec wrote:
> I mean something like this...
> Spam Score -5 0 3 5 10 15
> Percentile 5.89% 12.59% 19.43% 24.81% 35.02% 50.37%
>> Seems like you want a frequency distribution: divide a score range
>> into arbitrary buckets, fill them by counts of messages falling into
>> each bucket, then at the end convert absolute counts to percents.
>
> that would work too :)

This feature is now available in the pre-release of amavis-logwatch, along with some other changes and additions. See the Changes file, and sign up on the mailing list if you want to receive update announcements.

http://www.mikecappella.com/logwatch

Mike
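The bucket-and-percent calculation discussed in this message, as an added Python example that is not part of the thread and not amavis-logwatch's code. The log lines are constructed in the style of amavisd's Passed/Blocked entries, the thresholds are the ones in the quoted table, and reading the "Percentile" row as the share of messages at or below each score is an assumption.

```python
import re
from bisect import bisect_left, bisect_right

# Constructed log lines (documentation addresses); one has no score ("Hits: -").
TEMPLATE = ("Oct  5 09:01:06 mailhost amavis[25870]: (25870-{n:02d}) {action}, "
            "[192.0.2.10] <sender@example.com> -> <rcpt@example.net>, "
            "mail_id: CONSTRUCTED{n:02d}, Hits: {hits}, size: 719, 1187 ms")
SAMPLE_HITS = ['-6.1', '-0.5', '1.2', '3.0', '-', '4.4', '7.9', '12.5', '20.862']
LOG = [TEMPLATE.format(n=i, hits=h,
                       action='Passed CLEAN' if h == '-' or float(h) < 5
                       else 'Blocked SPAM')
       for i, h in enumerate(SAMPLE_HITS, 1)]

HITS_RE = re.compile(r'\b(?:Passed|Blocked) [A-Z-]+,.*?\bHits: (-?\d+(?:\.\d+)?|-)')
THRESHOLDS = [-5, 0, 3, 5, 10, 15]


def extract_scores(lines):
    """Spam scores from Passed/Blocked entries; unscored mail ('-') is skipped."""
    scores = []
    for line in lines:
        m = HITS_RE.search(line)
        if m and m.group(1) != '-':
            scores.append(float(m.group(1)))
    return scores


def bucket_percent(scores, edges):
    """Frequency distribution: percent of messages in (-inf, e0], (e0, e1],
    ..., (e_last, +inf). Returns len(edges) + 1 percentages."""
    counts = [0] * (len(edges) + 1)
    for s in scores:
        counts[bisect_left(edges, s)] += 1
    total = len(scores) or 1
    return [round(100.0 * c / total, 2) for c in counts]


def cumulative_percent(scores, thresholds):
    """Percent of messages scoring at or below each threshold."""
    ordered = sorted(scores)
    total = len(ordered) or 1
    return [(t, round(100.0 * bisect_right(ordered, t) / total, 2))
            for t in thresholds]


if __name__ == '__main__':
    scores = extract_scores(LOG)
    print('Spam Score', *(f'{t:>7}' for t in THRESHOLDS))
    print('Percentile', *(f'{p:>6.2f}%' for _, p in
                          cumulative_percent(scores, THRESHOLDS)))
    print('Buckets   ', bucket_percent(scores, THRESHOLDS))
```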
Re: [AMaViS-user] amavis OK, but amavislogsumm not giving any results
Voytek Eymont wrote:
> On Mon, October 15, 2007 5:55 pm, Jordi Espasa Clofent wrote:
>> I didn't know amavislogsumm, but I can see in the changelog that the
>> last version is dated on feb-2004. It seems an old and out-of-date
>> project. Do you know amavis-logwatch [1]? It's developed by Mike Capella,
>> an active member of the present list; the project is active and Mike is
>> very receptive to any feedback. I use it daily and I'm very happy with
>> it.
>

Thanks Jordi.

> Jordi, thanks
>
> yes, as I was searching for answers I came across Mike's announcement
> post, and, installed both of his utilities already,
>

Great, let me know how they work for you. I just posted the pre-releases for evaluation to those interested (see Changes for a change list). I also created a mailing list for announcements and feedback, etc. See the site.

> dumb Q:
>
> amavis-logwatch /var/log/maillog
>
> snip
>
> 536 Spam passed --
> 138 [EMAIL PROTECTED]
>
> snip
>

All numbers on the left column are counts of that row's hits. So, 138 is the number of times that email address was passed and considered spam. And there were a total of 536 spams passed to recipients.

>
> does above mean...
>
> 138 identified SPAMs passed to mb@ as mb is in spam_lover ?
> and, 536 identified SPAMS in total were passed as in recipient is spam_lover?
>

You'll have to examine your configuration to know the exact reason for why they were passed. It could be spam lovers, it could be a policy bank (such as MYNETS), or other reasons.

MrC
Re: [AMaViS-user] Antivirus programs?
Anders Norrbring wrote:
> *bump*
>
> Anders Norrbring wrote:
>> Hiya all!
>> I'm just curious about what you guys and girls has to say about AV
>> application for use with amavis-new?
>> Which ones do you like and dislike, and why?
>>
>> I use Kaspersky, NOD32 and F-Secure myself at this time, but I think I'll
>> drop NOD32 purely because the hefty price tag. Apart from that, I feel it's
>> incredibly fast and good, but the price is just too high..
>>
>> Anders

Anders,

My primary scanner is clamav, secondary is McAfee's command line scanner (uvscan, v5.2). With the sanesecurity and securiteinfo sigs, not much gets past; uvscan rarely finds something not found by clamav.

uvscan is a bit slow (like clamscan, it has to load sigs upon startup), and there is no daemonized version. Price was reasonable enough for my needs. It does have a very large signature database.

  $ uvscan --version
  Virus Scan for Linux v5.20.0
  Copyright (c) 1992-2007 McAfee, Inc. All rights reserved.
  (408) 988-3832 LICENSED COPY - Jun 5 2007

  Scan engine v5.2.00 for Linux.
  Virus data file v5136 created Oct 08 2007
  Scanning for 330105 viruses, trojans and variants.

MrC
Re: [AMaViS-user] Log file analyser recomendations
Robert Brooks wrote:
> MrC wrote:
>> Robert Brooks wrote:
>
> [..] (discussing postfix-logwatch log analyser)
>
>>> whilst I'm being a pain the Postfix reject figures don't show
>>> rejections from before-queue amavis. Unfortunately Postfix doesn't
>>> seem to log this well :(
>>
>> I don't use a before-queue setup, and don't know what log entries you
>> have. Feel free to send them my way if you think there is any useful
>> information there. I can only report on information present in the log.
>
> Postfix picks up the connection:
>
> Oct 5 09:00:54 mailhost postfix/smtpd[16844]: connect from
> unknown[84.79.70.165]
> Oct 5 09:00:55 mailhost postfix/smtpd[16844]: NOQUEUE:
> client=unknown[84.79.70.165]
>
> amavis rejects the email:
>
> Oct 5 09:01:06 mailhost amavis[25870]: (25870-17) Blocked SPAM,
> [84.79.70.165] [84.79.70.165] <[EMAIL PROTECTED]> ->
> <[EMAIL PROTECTED]>, mail_id: HFW3sN8D+u30, Hits: 20.862, size: 719,
> 11887 ms
>
> postfix logs the client disconnecting:
>
> Oct 5 09:01:07 mailhost postfix/smtpd[16844]: disconnect from
> unknown[84.79.70.165]

This is what I expected.

> A line from Postfix along the lines of:
>
> Oct 5 10:58:09 mailhost postfix/smtpd[17968]: NOQUEUE: reject: RCPT
> from pool-72-79-133-202.sctnpa.east.verizon.net[72.79.133.202]: Proxy
> filter said "554 5.7.0 Reject, id=25870-18-2 - SPAM"
>
> would be perfect, I'm not sure how likely a wish it is.

Doubtful. This would probably require changing postfix internals to log the fiction that it was smtpd that did the rejecting.

> Other than that you'd have to infer from the amavis log line and some
> indication to postfix-logwatch of amavis's role.

Without data in the log that supports such an inference, there's nothing that can be concluded. Neither utility is aware of the other and neither tries to piece together the relationship between past log entries to construct a chain of events.

MrC

> I'm tempted to cross-post to postfix-users, however that's bad form. I
> hope cc'ing Wietse won't incur too much wrath.
>
> Regards,
>
> Rob
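The inference Rob describes in the message above can be sketched outside either logwatch utility. This is an added example, not code from the thread or from postfix-logwatch/amavis-logwatch; it assumes a single chronologically ordered syslog file and that amavis logs the original client IP, and the function name `correlate` and the sample lines are constructed for illustration.

```python
import re

# Constructed sample (documentation addresses), modelled on the lines quoted above.
# Assumes one chronologically ordered syslog file holding both postfix and amavis.
SAMPLE_LOG = """\
Oct 5 09:00:54 mailhost postfix/smtpd[16844]: connect from unknown[192.0.2.165]
Oct 5 09:00:55 mailhost postfix/smtpd[16844]: NOQUEUE: client=unknown[192.0.2.165]
Oct 5 09:01:06 mailhost amavis[25870]: (25870-17) Blocked SPAM, [192.0.2.165] [192.0.2.165] <a@example.com> -> <u@example.org>, mail_id: x1, Hits: 20.862, size: 719, 11887 ms
Oct 5 09:01:07 mailhost postfix/smtpd[16844]: disconnect from unknown[192.0.2.165]
Oct 5 09:05:00 mailhost amavis[25870]: (25870-18) Blocked SPAM, [198.51.100.7] [198.51.100.7] <b@example.com> -> <u@example.org>, mail_id: x2, Hits: 9.1, size: 500, 900 ms
Oct 5 09:06:00 mailhost postfix/smtpd[17001]: connect from unknown[203.0.113.9]
Oct 5 09:06:01 mailhost postfix/smtpd[17002]: connect from unknown[203.0.113.9]
Oct 5 09:06:09 mailhost amavis[25871]: (25871-01) Blocked SPAM, [203.0.113.9] [203.0.113.9] <c@example.com> -> <u@example.org>, mail_id: x3, Hits: 12.0, size: 800, 700 ms
"""

PREFIX = r"^\w{3} +\d+ [\d:]{8} \S+ "
SMTPD_RE = re.compile(PREFIX + r"postfix/smtpd\[(\d+)\]: (connect|disconnect) from \S*\[([^\]]+)\]")
AMAVIS_RE = re.compile(PREFIX + r"amavis\[\d+\]: \(([\w-]+)\) Blocked ([^,]+), \[([^\]]+)\]")

def correlate(log_text):
    """Pair each amavis 'Blocked' line with the smtpd session open for that client IP.

    Returns (matched, unmatched). A block is matched only when exactly one smtpd
    session from the same IP is open at that point in the log; zero or several
    candidates are reported as unmatched rather than guessed.
    """
    open_sessions = {}            # smtpd pid -> client IP
    matched, unmatched = [], []
    for line in log_text.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            pid, event, ip = m.groups()
            if event == "connect":
                open_sessions[pid] = ip
            else:
                open_sessions.pop(pid, None)
            continue
        m = AMAVIS_RE.match(line)
        if m:
            am_id, verdict, ip = m.groups()
            pids = [p for p, sip in open_sessions.items() if sip == ip]
            record = {"amavis_id": am_id, "verdict": verdict, "client": ip}
            if len(pids) == 1:
                matched.append(dict(record, smtpd_pid=pids[0]))
            else:
                unmatched.append(dict(record, candidates=len(pids)))
    return matched, unmatched
```

The two unmatched cases in the sample (no open session, and two concurrent sessions from one address) are where the log carries no data to support the inference.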
Re: [AMaViS-user] Log file analyser recomendations
Robert Brooks wrote:
> MrC wrote:
>>> Mark Martinec wrote:
>>>>>>> I mean something like this...
>>>>>>> Spam Score   -5      0       3       5       10      15
>>>>>>> Percentile   5.89%   12.59%  19.43%  24.81%  35.02%  50.37%
>>>> Seems like you want a frequency distribution: divide a score range
>>>> into arbitrary buckets, fill them by counts of messages falling into
>>>> each bucket, then at the end convert absolute counts to percents.
>>>
>>
>> Exactly.
>>
>> Robert Brooks wrote:
>> > that would work too :)
>>
>> I'll implement over the next couple of days - I'm currently swamped
>> right now. Thanks for the continued feedback.
>
> whilst I'm being a pain the Postfix reject figures don't show rejections
> from before-queue amavis. Unfortunately Postfix doesn't seem to log this
> well :(

I don't use a before-queue setup, and don't know what log entries you have. Feel free to send them my way if you think there is any useful information there. I can only report on information present in the log.

Regards,
MrC
Re: [AMaViS-user] Log file analyser recomendations
> Mark Martinec wrote:
>>>>> I mean something like this...
>>>>> Spam Score   -5      0       3       5       10      15
>>>>> Percentile   5.89%   12.59%  19.43%  24.81%  35.02%  50.37%
>> Seems like you want a frequency distribution: divide a score range
>> into arbitrary buckets, fill them by counts of messages falling into
>> each bucket, then at the end convert absolute counts to percents.
>

Exactly.

Robert Brooks wrote:
> that would work too :)

I'll implement over the next couple of days - I'm currently swamped right now. Thanks for the continued feedback.

Mike
Re: [AMaViS-user] Log file analyser recomendations
Robert Brooks wrote:
> MrC wrote:
>> Robert Brooks wrote:
>>> MrC wrote:
>
> I mean something like this...
>
> Spam Score   -5      0       3       5       10      15
> Percentile   5.89%   12.59%  19.43%  24.81%  35.02%  50.37%
>
> just a thought. I'm normally thinking about what % of my mail hits a
> certain score (in that I'm worried about high scoring ham or low scoring
> spam).
>
> Regards,
> Rob

Ah, got it... you like nice, integer spam scores, and interpolated percentages.

However, just so we're on the same page, your percentile chart does not answer your question "what % of my mail hits a certain score"... that's not the definition of percentile. The spam score 5 in your chart maps to percentile 24.81, which means that 24.81 percent of the values were *lower than score 5*, which of course is not the same as saying score 5 was hit 24.81% of the time.

MrC
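The distinction drawn in the message above, and the frequency distribution Mark Martinec describes elsewhere in this thread, worked through on amavis `Hits:` values. This is an added example, not amavis-logwatch code; the log lines are constructed and the function names are hypothetical.

```python
import math
import re
from bisect import bisect_left, bisect_right

# Constructed sample input, shaped like the amavis line quoted in this thread.
_LINE = ("Oct 5 09:01:06 mailhost amavis[25870]: (25870-17) {0}, [192.0.2.10] "
         "<a@example.com> -> <u@example.org>, mail_id: x, Hits: {1}, size: 719, 118 ms")
SAMPLE_LOG = "\n".join(_LINE.format(v, h) for v, h in [
    ("Passed CLEAN", "-2.6"), ("Passed CLEAN", "-0.5"), ("Passed CLEAN", "0"),
    ("Passed CLEAN", "1.4"), ("Passed CLEAN", "3.2"), ("Passed CLEAN", "4.8"),
    ("Passed SPAM", "5"), ("Passed SPAM", "5.0"), ("Blocked SPAM", "15"),
    ("Blocked SPAM", "20.862"),
    ("Passed CLEAN", "-"),  # constructed line with no numeric score: skipped
])

HITS_RE = re.compile(r"amavis\[\d+\]: .*\bHits: (-?\d+(?:\.\d+)?)")

def parse_scores(log_text):
    """Sorted spam scores from amavis lines; lines without a numeric score are ignored."""
    return sorted(float(m.group(1)) for m in HITS_RE.finditer(log_text))

def frequency_distribution(scores, edges):
    """Percent of messages per bucket: below edges[0], each [edges[i], edges[i+1]),
    and at or above edges[-1]. Answers 'what % of my mail hits this score range'."""
    counts = [0] * (len(edges) + 1)
    for s in scores:
        counts[bisect_right(edges, s)] += 1
    return [100.0 * c / max(len(scores), 1) for c in counts]

def percent_below(scores, threshold):
    """Percentile rank: percent of messages scoring strictly below threshold."""
    return 100.0 * bisect_left(scores, threshold) / max(len(scores), 1)

def score_at_percentile(scores, pct):
    """The inverse view: score at a given percentile (nearest-rank method)."""
    if not scores:
        return None
    return scores[max(1, math.ceil(pct / 100.0 * len(scores))) - 1]

if __name__ == "__main__":
    scores = parse_scores(SAMPLE_LOG)
    print("bucket %:", frequency_distribution(scores, [-5, 0, 3, 5, 10, 15]))
    print("% below 5:", percent_below(scores, 5))
    print("median score:", score_at_percentile(scores, 50))
```

On the sample, 60% of messages score below 5 while only 20% fall in the 5-to-10 bucket, which is the gap between the two readings of the chart.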
Re: [AMaViS-user] Log file analyser recomendations
Robert Brooks wrote:
> MrC wrote:
>> I see. It's easy enough to implement. I had originally not seen much
>> value in those numbers, but will be happy to add the feature if it is
>> useful.
>
> seeing the overall performance of amavis is useful to me, especially as
> I use amavis before-queue.

Ok, check out version 1.48.26 posted today.

> also, spam score percentiles. It might be useful to get percentiles
> against scores, had you thought of doing it this way round instead?

I'm not sure what you mean. Can you show an example? Currently, you have something like:

  Spam Score Percentiles       0%      50%      90%      95%      98%     100%
  Score                   -10.898   -2.599    1.437    4.816   15.028   30.376
  ========

MrC

> Regards,
>
> Rob
Re: [AMaViS-user] Log file analyser recomendations
Robert Brooks wrote:
> MrC wrote:
>> Hi Rob,
>>
>> Is your request different from the timings percentiles report that
>> currently exists? Example at the end of:
>>
>>    http://www.mikecappella.com/logwatch/example-amavis-detail10
>>
>> It is obtained with detail level >= 5.
>
> this is what I'm thinking about, but as well as the times for different
> components of amavis performance I'd like to be able to see the total times
> at different percentiles (in the row "Total Time" would make sense).

I see. It's easy enough to implement. I had originally not seen much value in those numbers, but will be happy to add the feature if it is useful.

MrC
Re: [AMaViS-user] outgoing problem
Curtis Maurand wrote:
> Hello,
> I've been having trouble where outgoing mail from authenticated users
> is not only being checked, but rejected as spam. For example I wrote up
> a set of instructions for a customer, attached screenshots and sent it.
> It got 12 hits including Fuzzyocr and I know that this was not spam.
> How can I get mail from authenticated senders to bypass spam checks
> outgoing. I'm running Postfix,Amavisd-new,spamassassin,razor2,dcc on
> Ubuntu 6.10
>
> Curtis

Use a policy bank. In amavisd.conf, something like:

  $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

  $interface_policy{'10026'} = 'SASLAUTH';

  $policy_bank{'SASLAUTH'} = {  # mail originating from SASL users
    originating => 1,  # i.e. mail was submitted by our smtp client
    bypass_spam_checks_maps   => [1],  # don't spam scan
    bypass_banned_checks_maps => [1],  # allow sending any file names and types
    bypass_header_checks_maps => [1],  # don't check headers
    # allow_disclaimers => 1,  # enables disclaimer insertion if available
    # notify administrator of locally originating malware
    virus_admin_maps => ["[EMAIL PROTECTED]"],
    spam_admin_maps  => ["[EMAIL PROTECTED]"],
    warnbadhsender   => 1,
    # forward to a smtpd service providing DKIM signing service
    #forward_method => 'smtp:[127.0.0.1]:10027',
    # force MTA conversion to 7-bit (e.g. before DKIM signing)
    #smtpd_discard_ehlo_keywords => ['8BITMIME'],
    terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
  };

and in postfix's master.cf:

  submission inet n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes
    -o broken_sasl_auth_clients=yes
    -o receive_override_options=no_header_body_checks,no_address_mappings
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10026

MrC
Re: [AMaViS-user] Log file analyser recomendations
Robert Brooks wrote:
> MrC wrote:
>> Benedict - feel free to drop me a line if you have questions or
>> improvement requests. I have just made some recent experimental
>> changes in the summary presentation, and am looking for feedback on
>> that in particular.
>
> one thing I'd like to see is the percentiles for total time amavis takes
> to process emails.
>
> Regards,
>
> Rob

Hi Rob,

Is your request different from the timings percentiles report that currently exists? Example at the end of:

   http://www.mikecappella.com/logwatch/example-amavis-detail10

It is obtained with detail level >= 5.

MrC
Re: [AMaViS-user] best way to include a file?
Dave Augustus wrote:
> I maintain a number of mail servers. The configuration of those are all
> the same except for a few lines. If I put a file containing these
> exceptions in /etc, how would I tell amavisd to include it?
>
> Thanks,
> Dave

Either by starting amavisd with multiple -c command line options, as in:

  /usr/local/sbin/amavisd \
    -c /etc/amavisd.conf \
    -c /etc/amavisd-custom.conf

or by appending the line:

  include_config_files('/etc/amavisd-custom.conf');

in your primary amavisd.conf file.

From the RELEASE_NOTES:

- provide two new subroutines available for calling from config files:
  include_config_files() and include_optional_config_files(), each take
  a list of filenames as arguments, and reads & evaluates them just like
  normal configuration files specified on a command line (option -c or
  a default amavisd.conf). This provides a simplified and uniform mechanism
  for 'including' additional configuration files, which formerly could be
  invoked through a perl do() function. The only difference between
  include_config_files and include_optional_config_files is that the former
  aborts if some specified file does not exist, while the latter silently
  ignores specified but missing files. Both/each subroutine may be called
  multiple times, recursion is allowed (but some sanity limit to recursion
  is provided); based on a suggestion by Gary V.

  Example line in amavisd.conf:
    include_config_files('/etc/amavisd-custom.conf');