Re: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-18 Thread Dennis Peterson
Christopher X. Candreva said:
> On Tue, 17 Aug 2004, Damian Menscher wrote:
>
>> If user A emails user B and the email doesn't go through in under 2
>> minutes, there will be complaints.  Tempfail is just too dangerous.
>> Yes, nothing will be lost.  But you have to admit it's pretty bad for
>> email to be down.  A few viruses leaking through is minor compared to
>> that.  At least, that's how we run our shop.  Things may be different
>
> Have to disagree.
>
> With so many of the major providers having multiple-HOUR delays through
> their system as standard, a delay of one queue interval for a single
> message won't be noticed. (Comcast comes to mind)
>

As always, mileage varies. I recently implemented gray listing on a
sendmail server farm because of unusually heavy distributed spam runs -
just a 10 minute delay caused all kinds of grief. The end users have come
to believe that Internet mail should be as quick as inter-office mail.
Unrealistic, yes, but as the sys admin I'm outgunned. My best practices
response is a minor delay is far better than allowing viruses to enter the
system. The problem, then, is to educate the mail users about the
realities of email in the spam age.

BTW, the gray listing worked perfectly and the spam runs were handled
cleanly, leading me to believe they were from infected Windows drones.
There were no retries.

dp



---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-18 Thread Christopher X. Candreva
On Tue, 17 Aug 2004, Damian Menscher wrote:

> If user A emails user B and the email doesn't go through in under 2
> minutes, there will be complaints.  Tempfail is just too dangerous.
> Yes, nothing will be lost.  But you have to admit it's pretty bad for
> email to be down.  A few viruses leaking through is minor compared to
> that.  At least, that's how we run our shop.  Things may be different

Have to disagree.

With so many of the major providers having multiple-HOUR delays through
their system as standard, a delay of one queue interval for a single message 
won't be noticed. (Comcast comes to mind)

Further, the damage from a virus getting into your network, if it spreads,
can be very expensive in terms of support, cleaning, etc.  

The other solution, if mail is that important, is multiple MX servers, each 
with their own clam-av.  One fails, the other should be tried immediately. 
Odds are slim that BOTH will be down at the same time.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/




Re: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-18 Thread Joe Maimon

Damian Menscher wrote:
> On Mon, 16 Aug 2004, Richard A Nelson wrote:
> > On Mon, 16 Aug 2004, Todd Lyons wrote:
> >
> > > >It shouldn't, however change if a virus is accepted - since sendmail
> > > >should be tempfailing mail until the milters are functioning.
> > >
> > > Incorrect, depending on how you define your milter call for sendmail.
> >
> > Yes, I guess one can't legislate sanity, can one :(
> > But spamassassin and clamav should default to tempfail !
> >
> > ...still can't believe that
> > people aren't recommending a safe, by default setup.
>
> We are.  ;)  For most mailserver admins, the danger of losing our jobs
> is much greater if we tempfail all incoming mail due to a clamav crash
> than is the danger of losing our jobs due to a couple of viruses leaking
> through.  Where email is concerned, message delivery is critical.
> Virus and spam filtering are features.
>
> Damian Menscher

Hear Hear. Precisely right in any service situation I have seen. More
important to get email than to get clean email. At least these days, for
whatever reasons. Especially when customers may/should have their own
line of defense.

Also why limiting sendmail connections/rate limiting or attachment sizes
in response to clamav limits is not the way to go, as I have advocated
in the past.

I advocate running a second line virus scanner with quarantine and
notifying site postmaster/administrator to catch the ones that slip
through for whatever reason, and actually keep them around for diagnostics.

Amavisd-new works well for this, on sendmail.
One can get rid of the ones clamav recognizes by running:
#!/bin/bash
# Delete quarantined messages that clamd itself now detects.
AMAVIS_QDIR="/var/lib/amavis/virusmails"
for msg in "$AMAVIS_QDIR"/*; do
   [ -f "$msg" ] || continue   # skip subdirectories and an unmatched glob
   echo "$msg"
   # clamdscan exits 1 when a virus is found (0 = clean, 2 = error)
   clamdscan --disable-summary - < "$msg"
   if (( $? == 1 )); then
      rm -- "$msg"
   fi
done




RE: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-17 Thread Samuel Benzaquen

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
>
>
> Damian Menscher wrote:
> > For most mailserver admins, the danger of losing our jobs
> > is much greater if we tempfail all incoming mail due to a clamav crash
> > than is the danger of losing our jobs due to a couple of viruses leaking
> > through.
>
> s/most/some/;
>
> Spoken as one who has never gotten burned by a virus.  Many
> organizations have their strongest anti-virus protection at the
> perimeter.  Once through ClamAV, viruses can spread like wildfire.
>

True for organizations/companies where you can have a downtime because of
'security reasons'.
But for ISPs, mail has to be _always_ up, no matter if virus/spam blocking
is active or not.

-Samuel





Re: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-17 Thread Damian Menscher
On Tue, 17 Aug 2004, Richard A Nelson wrote:
> On Tue, 17 Aug 2004, Damian Menscher wrote:
> > On Mon, 16 Aug 2004, Richard A Nelson wrote:
> > >
> > > Yes, I guess one can't legislate sanity, can one :(
> > > But spamassassin and clamav should default to tempfail !
> > >
> > > ...still can't believe that
> > > people aren't recommending a safe, by default setup.
> >
> > We are.  ;)  For most mailserver admins, the danger of losing our jobs
> > is much greater if we tempfail all incoming mail due to a clamav crash
> > than is the danger of losing our jobs due to a couple of viruses leaking
> > through.  Where email is concerned, message delivery is critical.
> > Virus and spam filtering are features.
>
> Ah, what's the problem with tempfail ?  This isn't a 5xx rejection -
> the mail will be retried (unless of course, your milter is down longer
> than the remote hosts retry interval*tries)...

If user A emails user B and the email doesn't go through in under 2
minutes, there will be complaints.  Tempfail is just too dangerous.
Yes, nothing will be lost.  But you have to admit it's pretty bad for
email to be down.  A few viruses leaking through is minor compared to
that.  At least, that's how we run our shop.  Things may be different
for you, depending on the intelligence of your users.  (For us, it's
more an annoyance to receive viruses than a real fear that someone will
be stupid enough to run the attachments.)

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-




Re: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-17 Thread Richard A Nelson
On Tue, 17 Aug 2004, Damian Menscher wrote:

> On Mon, 16 Aug 2004, Richard A Nelson wrote:
> >
> > Yes, I guess one can't legislate sanity, can one :(
> > But spamassassin and clamav should default to tempfail !
> >
> > ...still can't believe that
> > people aren't recommending a safe, by default setup.
>
> We are.  ;)  For most mailserver admins, the danger of losing our jobs
> is much greater if we tempfail all incoming mail due to a clamav crash
> than is the danger of losing our jobs due to a couple of viruses leaking
> through.  Where email is concerned, message delivery is critical.
> Virus and spam filtering are features.

Ah, what's the problem with tempfail ?  This isn't a 5xx rejection -
the mail will be retried (unless of course, your milter is down longer
than the remote hosts retry interval*tries)...

-- 
Rick Nelson
Life'll kill ya -- Warren Zevon
Then you'll be dead -- Life'll kill ya





RE: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-17 Thread Matthew.van.Eerde
Damian Menscher wrote:
> For most mailserver admins, the danger of losing our jobs
> is much greater if we tempfail all incoming mail due to a clamav crash
> than is the danger of losing our jobs due to a couple of viruses leaking
> through.

s/most/some/;

Spoken as one who has never gotten burned by a virus.  Many organizations have their 
strongest anti-virus protection at the perimeter.  Once through ClamAV, viruses can 
spread like wildfire.

[EMAIL PROTECTED]  805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"




Re: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-17 Thread Damian Menscher
On Mon, 16 Aug 2004, Richard A Nelson wrote:
> On Mon, 16 Aug 2004, Todd Lyons wrote:
>
> > >It shouldn't, however change if a virus is accepted - since sendmail
> > >should be tempfailing mail until the milters are functioning.
> >
> > Incorrect, depending on how you define your milter call for sendmail.
>
> Yes, I guess one can't legislate sanity, can one :(
> But spamassassin and clamav should default to tempfail !
>
> ...still can't believe that
> people aren't recommending a safe, by default setup.

We are.  ;)  For most mailserver admins, the danger of losing our jobs
is much greater if we tempfail all incoming mail due to a clamav crash
than is the danger of losing our jobs due to a couple of viruses leaking
through.  Where email is concerned, message delivery is critical.
Virus and spam filtering are features.

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-




Re: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-16 Thread Richard A Nelson
On Mon, 16 Aug 2004, Todd Lyons wrote:

> >It shouldn't, however change if a virus is accepted - since sendmail
> >should be tempfailing mail until the milters are functioning.
>
> Incorrect, depending on how you define your milter call for sendmail.

Yes, I guess one can't legislate sanity, can one :(

> The following is the default recommended line for sendmail.mc in the
> clamav documentation (one long line):
>
> INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clmilter.sock,
> F=, T=S:4m;R:4m')dnl

That is poor planning on their part ! Why would you *NOT* want to
tempfail a late (or failing milter)... Ok, I can see some milters
wanting to pass through (maybe a Reverse MX checker).

But spamassassin and clamav should default to tempfail !

My setup is:
INPUT_MAIL_FILTER(`mimedefang',
`S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T,T=S:1m;R:1m')dnl
dnl INPUT_MAIL_FILTER(`spamassassin',
dnl `S=local:/var/run/sendmail/spamass.sock, F=T,T=S:4m;R:4m;E:10m')dnl
dnl INPUT_MAIL_FILTER(`clamav',
dnl `S=local:/var/run/clamav/clamav-milter.ctl, F=T, T=S:4m;R:4m')dnl

ie, I've dropped spamass-milter and clamav-milter for mimedefang - but
I've got F=T on the lot of them...  Kept meaning to investigate the
time outs, but never got a round tuit.

> In the libmilter documentation, it defines the F flag as:
>
>   The current flags (F=) are:
> R   Reject connection if filter unavailable
> T   Temporary fail connection if filter unavailable
>   If neither F=R nor F=T is specified, the message is passed through
>   sendmail in case of filter errors as if the failing filters were not
>   present.

Read that once, seems like eons ago... but still can't believe that
people aren't recommending a safe, by default setup.

-- 
Rick Nelson
Life'll kill ya -- Warren Zevon
Then you'll be dead -- Life'll kill ya





Re: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-16 Thread Damian Menscher
On Mon, 16 Aug 2004, Todd Lyons wrote:

> >It shouldn't, however change if a virus is accepted - since sendmail
> >should be tempfailing mail until the milters are functioning.
>
> Incorrect, depending on how you define your milter call for sendmail.
>
> So by not specifying an F=T setting, you're telling it to pass it
> through in the event of clamav-milter failure.  I'm not sure what the
> case would be if clamav-milter was still fully functional, but clamd
> failed.

It does bad things, by default (tempfailing the mail, as I recall).  The
fix is to give the --dont-scan-on-error option to your clamav-milter.

My full set of clamav-milter flags are:
CLAMAV_FLAGS="--quiet --headers --noxheader --dont-log-clean
--dont-scan-on-error --max-children=10
local:/var/run/clamav/clmilter.sock"

I'd encourage the developers to make this the recommended default, since
anything else is just plain silly.  ;)

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-




Re: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-16 Thread Todd Lyons
Richard A Nelson wanted us to know:

>> The sample init scripts (for RedHat) start clamd and clamav-milter at
>> sequence numbers 90 and 91.  The RH default sendmail starts at sequence
>> number 80.  I'd ignored this when setting things up before, since I
>Good plan, I did that for Debian - made sendmail start After the
>milters, and end Before them...  It has helped reduce the clutter in
>/var/mail/mail.log.

In mine, I had to do the same.

>It shouldn't, however change if a virus is accepted - since sendmail
>should be tempfailing mail until the milters are functioning.

Incorrect, depending on how you define your milter call for sendmail.

The following is the default recommended line for sendmail.mc in the
clamav documentation (one long line):

INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clmilter.sock,
F=, T=S:4m;R:4m')dnl

In the libmilter documentation, it defines the F flag as:

  The current flags (F=) are:
R   Reject connection if filter unavailable
T   Temporary fail connection if filter unavailable
  If neither F=R nor F=T is specified, the message is passed through
  sendmail in case of filter errors as if the failing filters were not
  present.

So by not specifying an F=T setting, you're telling it to pass it
through in the event of clamav-milter failure.  I'm not sure what the
case would be if clamav-milter was still fully functional, but clamd
failed.
-- 
Regards...  Todd
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.   --Benjamin Franklin
Linux kernel 2.6.3-15mdkenterprise   2 users,  load average: 0.02, 0.02, 0.00
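
The F= behaviour quoted in the message above, as an added example that is not part of the original posts or of the sendmail/ClamAV projects: a small audit that reads INPUT_MAIL_FILTER lines from a sendmail.mc and reports what happens to mail when each filter is unavailable. The sample input is constructed from lines quoted in this thread plus one made-up F=R entry (`example-reject`); all function names are hypothetical.

```python
import re

# Constructed sample sendmail.mc fragment. The clmilter and mimedefang
# entries and the dnl-commented spamassassin entry are lines quoted in this
# thread; the "example-reject" entry is made up to show F=R.
SAMPLE_MC = """\
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clmilter.sock,
F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`mimedefang',
`S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T,T=S:1m;R:1m')dnl
dnl INPUT_MAIL_FILTER(`spamassassin',
dnl `S=local:/var/run/sendmail/spamass.sock, F=T,T=S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`example-reject',`S=local:/var/run/example.sock, F=R')dnl
"""

# INPUT_MAIL_FILTER(`name', `equates'); m4 quotes are ` ... ' and the
# equates string may be wrapped across lines.
FILTER_RE = re.compile(r"INPUT_MAIL_FILTER\(\s*`([^']*)'\s*,\s*`([^']*)'\s*\)")


def strip_dnl_lines(mc_text):
    """Drop lines that begin with dnl, i.e. filters that are commented out."""
    return "\n".join(line for line in mc_text.splitlines()
                     if not re.match(r"\s*dnl(\s|$)", line))


def parse_equates(spec):
    """Split 'S=..., F=T, T=S:4m;R:4m' into {'S': ..., 'F': 'T', 'T': ...}."""
    equates = {}
    for part in spec.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            equates[key.strip()] = value.strip()
    return equates


def failure_policy(flags):
    """Map the F= flags to what sendmail does when the filter is unavailable."""
    # Both flags set is not covered by the quoted documentation; this
    # example reports that case as tempfail (an assumption).
    if "T" in flags:
        return "tempfail"
    if "R" in flags:
        return "reject"
    return "pass-through"   # neither flag: mail is accepted unscanned


def audit(mc_text):
    """Return [(filter name, policy)] for every active INPUT_MAIL_FILTER."""
    active = strip_dnl_lines(mc_text)
    return [(name, failure_policy(parse_equates(spec).get("F", "")))
            for name, spec in FILTER_RE.findall(active)]


def fail_open(mc_text):
    """Names of filters whose outage lets mail through unscanned."""
    return [name for name, policy in audit(mc_text) if policy == "pass-through"]


if __name__ == "__main__":
    for name, policy in audit(SAMPLE_MC):
        print(f"{name:16} {policy}")
```
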




Re: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-16 Thread Richard A Nelson
On Mon, 16 Aug 2004, Damian Menscher wrote:

> The sample init scripts (for RedHat) start clamd and clamav-milter at
> sequence numbers 90 and 91.  The RH default sendmail starts at sequence
> number 80.  I'd ignored this when setting things up before, since I
> figured being vulnerable to viruses for a few seconds at boot time was
> acceptable.  But this is probably something that should be fixed... I
> saw today that 9 messages came in during the two seconds that sendmail
> was up and clamav-milter was not.  Lowering those numbers (presumably to
> 78 and 79) would be a better default.

Good plan, I did that for Debian - made sendmail start After the
milters, and end Before them...  It has helped reduce the clutter in
/var/mail/mail.log.

It shouldn't, however change if a virus is accepted - since sendmail
should be tempfailing mail until the milters are functioning.

-- 
Rick Nelson
Life'll kill ya -- Warren Zevon
Then you'll be dead -- Life'll kill ya





[Clamav-users] contrib/init/RedHat suggested patch

2004-08-16 Thread Damian Menscher
The sample init scripts (for RedHat) start clamd and clamav-milter at
sequence numbers 90 and 91.  The RH default sendmail starts at sequence
number 80.  I'd ignored this when setting things up before, since I
figured being vulnerable to viruses for a few seconds at boot time was
acceptable.  But this is probably something that should be fixed... I
saw today that 9 messages came in during the two seconds that sendmail
was up and clamav-milter was not.  Lowering those numbers (presumably to
78 and 79) would be a better default.

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
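
The start-order gap described in the message above, together with the stop-order point raised in the replies, as an added example that is not part of the original posts or of the ClamAV contrib scripts: it reads the `# chkconfig:` header of each init script and flags any scanner that starts after, or stops before, the MTA. The script bodies are constructed; only the start priorities 80, 90, 91, 78 and 79 come from the thread, and every stop priority and function name is an assumption.

```python
import re

# "# chkconfig: <runlevels> <start priority> <stop priority>" header line
CHKCONFIG_RE = re.compile(r"^#\s*chkconfig:\s*(\S+)\s+(\d+)\s+(\d+)\s*$", re.M)

# Constructed init-script headers. Start priorities 80, 90 and 91 are the
# ones reported in the thread; every stop priority is made up.
AS_SHIPPED = {
    "sendmail":      "#!/bin/sh\n# chkconfig: 2345 80 30\n",
    "clamd":         "#!/bin/sh\n# chkconfig: 2345 90 10\n",
    "clamav-milter": "#!/bin/sh\n# chkconfig: 2345 91 09\n",
}
# Start priorities 78 and 79 are the values proposed in the thread.
AS_PROPOSED = {
    "sendmail":      "#!/bin/sh\n# chkconfig: 2345 80 30\n",
    "clamd":         "#!/bin/sh\n# chkconfig: 2345 78 32\n",
    "clamav-milter": "#!/bin/sh\n# chkconfig: 2345 79 31\n",
}


def priorities(script_text):
    """Return (start, stop) from the chkconfig header, or None if absent."""
    m = CHKCONFIG_RE.search(script_text)
    return (int(m.group(2)), int(m.group(3))) if m else None


def ordering_problems(scripts, mta="sendmail",
                      scanners=("clamd", "clamav-milter")):
    """List (scanner, issue) pairs where the MTA can run without the scanner.

    S links run in ascending order at boot and K links in ascending order at
    shutdown, so a scanner needs a lower start and a higher stop priority
    than the MTA. Equal numbers are flagged too, because ties then depend on
    script names.
    """
    mta_prio = priorities(scripts[mta])
    if mta_prio is None:
        return [(mta, "no chkconfig header")]
    problems = []
    for name in scanners:
        prio = priorities(scripts.get(name, ""))
        if prio is None:
            problems.append((name, "no chkconfig header"))
            continue
        if prio[0] >= mta_prio[0]:
            problems.append((name, "starts after MTA"))
        if prio[1] <= mta_prio[1]:
            problems.append((name, "stops before MTA"))
    return problems


if __name__ == "__main__":
    print("as shipped: ", ordering_problems(AS_SHIPPED))
    print("as proposed:", ordering_problems(AS_PROPOSED))
```
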

