Re: [Mimedefang] netsky.c passing MD-2.40 with clamav+uvscan
Lucas Albers wrote:
You need these switches for uvscan/clamscan:
($Features{'Virus:NAI'} . " --noboot --mime --secure --allole $path
($Features{'Virus:CLAMAV'} . " -r --stdout --disable-summary --infected
You need these options in clamd if you are running clamd to catch newer
encrypted virus's.
ScanMail
ScanArchive
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ScanRAR
MaxDirectoryRecursion 3
StreamSaveToDisk
I run uvscan 2.4.20 and clamscan .65 or .67.
You should run .67 or some virus's will slip by, as per maintainer.
I was looking in the wrong place for the switches. My default mimedefang.pl
included all of those except '-r'
I added ScanMail, ScanArchive and ScanRAR to my clamav.cf. MaxDirectoryRecursion is 15
by default. I left that as-is.
These changes didn't seem to help much though.
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] netsky.c passing MD-2.40 with clamav+uvscan
Lucas Albers wrote: I'm still running 4.2.40, as I can't find how to get the upgrade. Our central IT store won't get back to me. a. You can download it from https://secure.nai.com/us/forms/downloads/upgrades/login.asp, but it is a licensed product. You'll need to enter a Grant Number with proper permissions to get it. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Errors from the MultiPlexor
Hi, I have been runnig Mimedefang for a while now and it was all working fine until I decided to rebuild my mail server. I am running RH 9 with Sendmail-8.12.11 build from a tar ball. I am also running Spamassassin-2.63 installed as a perl module and finally MIMEDefang-2.41 built from a tar ball. I have included my site.conf.m4 file: define(`confMAPDEF', `-DMAP_REGEX') define(`confENVDEF', `-DPICKY_QF_NAME_CHECK -DXDEBUG=0') define(`confCC', `gcc') define(`confOPTIMIZE', `-O3 -march=i686 -funroll-loops -fomit-frame-pointer') define(`confNO_HELPFILE_INSTALL') define(`confMAPDEF', `-DMAP_REGEX') define(`confENVDEF', `-DPICK_OFNAME_CHECK -DXDEBUG=0') define(`confSTDIO_TYPE', `portable') APPENDDEF(`confENVDEF', `-DSFIO') APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS') APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto') dnl Milter APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER') APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE') I added the lines to the init file for Sendmail and the programs start and run. Now the error that is showing up in my maillog is: Mar 16 04:31:50 hailee sendmail[2241]: i2GBQl13002241: Milter (mimedefang): timeout before data read Mar 16 04:31:50 hailee sendmail[2241]: i2GBQl13002241: Milter (mimedefang): to error state Mar 16 04:31:51 hailee sendmail[2245]: i2GBQl13002241: to=<[EMAIL PROTECTED]>, delay=00:05:01, xdelay=00:00:01, mailer=local, pri=140351, dsn=2.0.0, stat=Sent Mar 16 04:36:50 hailee mimedefang-multiplexor: Killing busy slave 0 (pid 2235): Busy timeout Mar 16 04:36:50 hailee mimedefang[745]: Error from multiplexor: ERR Filter timed out - check filter rules or system load . . Mar 16 04:45:32 hailee sendmail[2248]: i2GBeTrC002248: Milter (mimedefang): timeout before data read Mar 16 04:45:32 hailee sendmail[2248]: i2GBeTrC002248: Milter (mimedefang): to error state . . Mar 16 21:23:07 hailee sendmail[5651]: i2H4N7rE005651: Milter (mimedefang): local socket name /var/spool/MIMEDefang/mimedefang.sock unsafe Mar 16 21:23:07 hailee sendmail[5651]: i2H4N7rE005651: Milter (mimedefang): to error state Mar 16 21:23:08 hailee sendmail[5651]: i2H4N7rE005651: . . I have searched through the archives and found 31 other messages along the same line. I have tried all their fixes, but to no avail. I know I must of misconfiurged something somewhere but I don't know what it is. TIA Trevor ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Getting started with MIMEDefang
This is the same here again, however 2.41 is released now, it's easy to install over your current setup. (since you installed the ports version of MD 2.39, you can install the source version of 2.41 and everything will work fine) You didn't mention your perl version? I installed 5.6.1 (hearing of many of my favorite programs requiring this or newer). Right now, just using the default version of Perl that comes with FreeBSD...Perl 5 I believe. Being only 2 weeks into this project, I seem to understand clamd is a daemon version of clamav. With 2.4x of MIMEDefang, it uses multiple virus scanners if they are installed, but does this apply to clamav & clamd? Will it use one if the other fails? Hopefully someone else can clear this bit up for both of us. Right. Exactly what I was looking for. I wasn't sure exactly how MIMEDefang calls the AV scanner. For instance, does MIMEDefang call it on its own, or do you need to have CLAMD running already and then MIMEDefang uses the already running DAEMON to do its bidding...I'm unclear on that part. Also, in regards to the mimedefang-filter file, is it necessary to edit the sections where the virus scanners are located? For example, do I need to rearrange the order of the scanners listed in order for MIMEDefang to use them correctly. The configuring of the AV scanner has me some what confused, but once I understand the process, it should be pretty smooth sailing. Once im comfortable with that, i'll move on to SpamAssassin. I appreciate the help. Jason ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Errors from the MultiPlexor
> I added the lines to the init file for Sendmail and the programs start > and run. Now the error that is showing up in my maillog is: What lines to the init file for Sendmail? Perhaps you really need to install the MIMEDefang RH init file? > I have been runnig Mimedefang for a while now and it was all working > fine until I decided to rebuild my mail server. I am running RH 9 with > Sendmail-8.12.11 build from a tar ball. I am also running > Spamassassin-2.63 installed as a perl module and finally MIMEDefang-2.41 > built from a tar ball. Holy Smokes Batman, that seems like a highly optimized site.config.m4 file. You might want to start with something simpler and then optimize the sendmail compilation AFTER you get things working. You are also using FFR features of sendmail specifically with the milter. FFR stands for For Future Release. I know they recommend the MILTER_ROOT_UNSAFE but perhaps this points to a problem where you are running your milter as root instead of as a user defang for example. Judging by the compiler switches I believe you have added, you should have no problems extrapolating the sendmail and MIMEDefang installs I've written at http://www.pccc.com/downloads/ You might also want to triple make sure you removed the RH sendmail and the source obj files so that you aren't linking against the wrong lib for sendmail and the milter. Regards, KAM ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Errors from the MultiPlexor
Trevor wrote: Hi, I have been runnig Mimedefang for a while now and it was all working fine until I decided to rebuild my mail server. I am running RH 9 with Sendmail-8.12.11 build from a tar ball. I am also running Spamassassin-2.63 installed as a perl module and finally MIMEDefang-2.41 built from a tar ball. On the off chance - did you rebuild your milter library, and possibly relink mimedefang? (I'm not sure about shared, personally I use static libs for this stuff). I thought this was necessary if going between certain versions.. Not sure though ;-) Tim ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Errors from the MultiPlexor
Hi, I have been runnig Mimedefang for a while now and it was all working fine until I decided to rebuild my mail server. I am running RH 9 with Sendmail-8.12.11 build from a tar ball. I am also running Spamassassin-2.63 installed as a perl module and finally MIMEDefang-2.41 built from a tar ball. I have included my site.conf.m4 file: define(`confMAPDEF', `-DMAP_REGEX') define(`confENVDEF', `-DPICKY_QF_NAME_CHECK -DXDEBUG=0') define(`confCC', `gcc') define(`confOPTIMIZE', `-O3 -march=i686 -funroll-loops -fomit-frame-pointer') define(`confNO_HELPFILE_INSTALL') define(`confMAPDEF', `-DMAP_REGEX') define(`confENVDEF', `-DPICK_OFNAME_CHECK -DXDEBUG=0') define(`confSTDIO_TYPE', `portable') APPENDDEF(`confENVDEF', `-DSFIO') APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS') APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto') dnl Milter APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER') APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE') I added the lines to the init file for Sendmail and the programs start and run. Now the error that is showing up in my maillog is: Mar 16 04:31:50 hailee sendmail[2241]: i2GBQl13002241: Milter (mimedefang): timeout before data read Mar 16 04:31:50 hailee sendmail[2241]: i2GBQl13002241: Milter (mimedefang): to error state Mar 16 04:31:51 hailee sendmail[2245]: i2GBQl13002241: to=<[EMAIL PROTECTED]>, delay=00:05:01, xdelay=00:00:01, mailer=local, pri=140351, dsn=2.0.0, stat=Sent Mar 16 04:36:50 hailee mimedefang-multiplexor: Killing busy slave 0 (pid 2235): Busy timeout Mar 16 04:36:50 hailee mimedefang[745]: Error from multiplexor: ERR Filter timed out - check filter rules or system load . . Mar 16 04:45:32 hailee sendmail[2248]: i2GBeTrC002248: Milter (mimedefang): timeout before data read Mar 16 04:45:32 hailee sendmail[2248]: i2GBeTrC002248: Milter (mimedefang): to error state . . Mar 16 21:23:07 hailee sendmail[5651]: i2H4N7rE005651: Milter (mimedefang): local socket name /var/spool/MIMEDefang/mimedefang.sock unsafe Mar 16 21:23:07 hailee sendmail[5651]: i2H4N7rE005651: Milter (mimedefang): to error state Mar 16 21:23:08 hailee sendmail[5651]: i2H4N7rE005651: . . I have searched through the archives and found 31 other messages along the same line. I have tried all their fixes, but to no avail. I know I must of misconfiurged something somewhere but I don't know what it is. TIA Trevor ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Quoted material
On Wed, 17 Mar 2004, Cahya Wirawan wrote: > :> ... > yes I agree with you :) You jokers will be BANNED, you hear??? :-) Cahya figured out how to get around the filter, as you can see. Time to sharpen up the filter... Regards, David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Quoted material
On Wed, Mar 17, 2004 at 12:22:11PM -0600, Aaron Paetznick wrote: :> :> I suggest increasing the quoted material limit for this list. I :> understand the need for such a feature, but the benefit versus :> inconvenience ratio is too low IMHO. :> :> :> --Aaron yes I agree with you :) cahya ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Errors from the MultiPlexor
Hi, I have been runnig Mimedefang for a while now and it was all working fine until I decided to rebuild my mail server. I am running RH 9 with Sendmail-8.12.11 build from a tar ball. I am also running Spamassassin-2.63 installed as a perl module and finally MIMEDefang-2.41 built from a tar ball. I have included my site.conf.m4 file: define(`confMAPDEF', `-DMAP_REGEX') define(`confENVDEF', `-DPICKY_QF_NAME_CHECK -DXDEBUG=0') define(`confCC', `gcc') define(`confOPTIMIZE', `-O3 -march=i686 -funroll-loops -fomit-frame-pointer') define(`confNO_HELPFILE_INSTALL') define(`confMAPDEF', `-DMAP_REGEX') define(`confENVDEF', `-DPICK_OFNAME_CHECK -DXDEBUG=0') define(`confSTDIO_TYPE', `portable') APPENDDEF(`confENVDEF', `-DSFIO') APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS') APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto') dnl Milter APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER') APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE') I added the lines to the init file for Sendmail and the programs start and run. Now the error that is showing up in my maillog is: Mar 16 04:31:50 hailee sendmail[2241]: i2GBQl13002241: Milter (mimedefang): timeout before data read Mar 16 04:31:50 hailee sendmail[2241]: i2GBQl13002241: Milter (mimedefang): to error state Mar 16 04:31:51 hailee sendmail[2245]: i2GBQl13002241: to=<[EMAIL PROTECTED]>, delay=00:05:01, xdelay=00:00:01, mailer=local, pri=140351, dsn=2.0.0, stat=Sent Mar 16 04:36:50 hailee mimedefang-multiplexor: Killing busy slave 0 (pid 2235): Busy timeout Mar 16 04:36:50 hailee mimedefang[745]: Error from multiplexor: ERR Filter timed out - check filter rules or system load . . Mar 16 04:45:32 hailee sendmail[2248]: i2GBeTrC002248: Milter (mimedefang): timeout before data read Mar 16 04:45:32 hailee sendmail[2248]: i2GBeTrC002248: Milter (mimedefang): to error state . . Mar 16 21:23:07 hailee sendmail[5651]: i2H4N7rE005651: Milter (mimedefang): local socket name /var/spool/MIMEDefang/mimedefang.sock unsafe Mar 16 21:23:07 hailee sendmail[5651]: i2H4N7rE005651: Milter (mimedefang): to error state Mar 16 21:23:08 hailee sendmail[5651]: i2H4N7rE005651: . . I have searched through the archives and found 31 other messages along the same line. I have tried all their fixes, but to no avail. I know I must of misconfiurged something somewhere but I don't know what it is. TIA Trevor ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
Jason Granat wrote:
> Michael,
>
> Ok. So as this is very deep for me, how can I quit calling
> SpamAssassin the second time, yet be able to rewrite the headers?
> Should I do the rewrite in sub defang_warning after INPUTMSG?
No, just change filter_end. Take all of these lines:
--
action_change_header("Subject", "*SPAM* $Subject");
action_add_header("X-Orig-Rcpts", join(", ", @Recipients));
foreach $recip (@Recipients) {
delete_recipient($recip);
}
add_recipient('spambucket at mydomain.com');
--
And put them inside the ($hits >= $req) block, so it looks like this:
--
if ($hits >= $req) {
action_change_header("X-Spam-Score", "$hits ($score) $names");
md_graphdefang_log('spam', $hits, $RelayAddr);
# Change Subject: header
action_change_header("Subject", "*SPAM* $Subject");
# Add a header with original recipients, just for info
action_add_header("X-Orig-Rcpts", join(", ", @Recipients));
# Remove original recipients
foreach $recip (@Recipients) {
delete_recipient($recip);
}
# Send to spam address
add_recipient('spambucket at mydomain.com');
# If you find the SA report useful, add it, I guess...
action_add_part($entity, "text/plain", "-suggest",
"$report\n", "SpamAssassinReport.txt", "inline");
} else {
# Delete any existing X-Spam-Score header?
action_delete_header("X-Spam-Score");
}
--
Then delete the two blocks you have that check spam_assassin_is_spam(). It
looks to me that it will do exactly what you were doing, except that it will
only call SpamAssassin once, and it won't call it at all on messages larger
than 100k...
___
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648 Pager: (901)769-3722
___
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
Michael, Ok. So as this is very deep for me, how can I quit calling SpamAssassin the second time, yet be able to rewrite the headers? Should I do the rewrite in sub defang_warning after INPUTMSG? Thanks a ton! Jason ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
Jason Granat wrote:
> Here it is Michael.
I think I see your problem. Here:
> # Spam checks if SpamAssassin is installed
> if ($Features{"SpamAssassin"}) {
> if (-s "./INPUTMSG" < 100*1024) {
[snip]
> }
> }
>
> # Do Spam Header and Redirect
> if (spam_assassin_is_spam()) {
> # Change Subject: header
> action_change_header("Subject", "*SPAM* $Subject");
> }
>
> if (spam_assassin_is_spam()) {
[snip]
You have the standard size check on INPUTMSG, but then you are later calling
spam_assassin_is_spam() outside of that check. That sub calls
spam_assassin_check() internally, and you are calling it on ALL messages
that make it to filter_end() without being rejected for some other reason.
This means that you are running SpamAssassin on your 17MB messages, which
could easily cause the slave to timeout. Additionally, I don't believe that
spam_assassin_check() does any kind of caching of its results, so when you
call spam_assassin_is_spam() twice, you are scanning the message twice,
which needless to say isn't very efficient. (Someone correct me if I'm wrong
about that.)
It would be better to move all of the code you have to change headers and
add recipients inside the original block that runs the spam assassin check,
so that you only run the check once, and you avoid running it at all on
messages that are over 100k.
___
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648 Pager: (901)769-3722
___
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang crashing regularly
I will do that, thanks for the help. --Aaron Cormack, Ken wrote: With that understanding, you'll then have the information you need to properly scale and tune your box. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Pleasetry again later'
Thanks! Kris Deugau wrote: Jason Granat wrote: One thing I noticed. Small root messages get through fine. It looks like it's only erroring on large messages. The culprit messages are ~17M. I know there was a place for setting max mail message size, but I can't remember or find where. Can someone point me in the right direction? For a 10M limit, add: define(`confMAX_MESSAGE_SIZE',`10485760')dnl to your sendmail.mc -kgd ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
Here it is Michael.
# -*- Perl -*-
#***
#
# mimedefang-filter
#
# Suggested minimum-protection filter for Microsoft Windows clients, plus
# SpamAssassin checks if SpamAssassin is installed.
#
# Copyright (C) 2002 Roaring Penguin Software Inc.
#
# This program may be distributed under the terms of the GNU General
# Public License, Version 2, or (at your option) any later version.
#
# $Id: suggested-minimum-filter-for-windows-clients,v 1.79 2004/03/04
01:23:11 dfs Exp $
#***
#***
# Set administrator's e-mail address here. The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy. A good example would be '[EMAIL PROTECTED]'
#***
$AdminAddress = '[EMAIL PROTECTED]';
$AdminName = "MIMEDefang Admin";
#***
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come. A good example would be
# '[EMAIL PROTECTED]'. Make sure to have an alias for this
# address if you want replies to it to work.
#***
$DaemonAddress = '[EMAIL PROTECTED]';
#***
# If you set $AddWarningsInline to 1, then MIMEDefang tries *very* hard
# to add warnings directly in the message body (text or html) rather
# than adding a separate "WARNING.TXT" MIME part. If the message
# has no text or html part, then a separate MIME part is still used.
#***
$AddWarningsInline = 0;
#***
# To enable syslogging of virus and spam activity, add the following
# to the filter:
# md_graphdefang_log_enable();
# You may optionally provide a syslogging facility by passing an
# argument such as: md_graphdefang_log_enable('local4'); If you do
this, be
# sure to setup the new syslog facility (probably in /etc/syslog.conf).
# An optional second argument causes a line of output to be produced
# for each recipient (if it is 1), or only a single summary line
# for all recipients (if it is 0.) The default is 1.
# Comment this line out to disable logging.
#***
md_graphdefang_log_enable('mail', 1);
#***
# Uncomment this to block messages with more than 50 parts. This will
# *NOT* work unless you're using Roaring Penguin's patched version
# of MIME tools, version MIME-tools-5.411a-RP-Patched-02 or later.
#
# WARNING: DO NOT SET THIS VARIABLE unless you're using at least
# MIME-tools-5.411a-RP-Patched-02; otherwise, your filter will fail.
#***
# $MaxMIMEParts = 50;
#***
# Set various stupid things your mail client does below.
#***
# Set the next one if your mail client cannot handle nested multipart
# messages. DO NOT set this lightly; it will cause action_add_part to
# work rather strangely. Leave it at zero, even for MS Outlook, unless
# you have serious problems.
$Stupidity{"flatten"} = 0;
# Set the next one if your mail client cannot handle multiple "inline"
# parts.
$Stupidity{"NoMultipleInlines"} = 0;
# The next lines force SpamAssassin modules to be loaded and rules
# to be compiled immediately. This may improve performance on busy
# mail servers. Comment the lines out if you don't like them.
if ($Features{"SpamAssassin"}) {
spam_assassin_init()->compile_now(1) if defined(spam_assassin_init());
# If you want to use auto-whitelisting:
# if (defined($SASpamTester)) {
# use Mail::SpamAssassin::DBBasedAddrList;
# my $awl = Mail::SpamAssassin::DBBasedAddrList->new();
# $SASpamTester->set_persistent_address_list_factory($awl) if
defined($awl);
# }
}
# This procedure returns true for entities with bad filenames.
sub filter_bad_filename ($) {
my($entity) = @_;
my($bad_exts, $re);
# Bad extensions
$bad_exts =
'(ade|adp|app|asd|asf|asx|bas|chm|cmd|com|cpl|crt|dll|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|prg|reg|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
# Do not allow:
# - CLSIDs {foobarbaz}
# - bad extensions (possibly with trailing dots) at end
$re = '\.' . $bad_exts . '\.*$';
return 1 if (re_match($entity, $re));
# Look inside ZIP files
if (re_match($entity, '\.zip$') and
$Features{"Archiv
RE: [Mimedefang] MIMEDefang crashing regularly
Aaron, This is exactly the type of output I was hoping to see. Now, since you were perhaps unaware of the existance of "mailstats", I will assume that these numbers are a running total since "day 1". What you need to do, in order to see your daily average mail flow, is find the statistics file, and then truncate it. You can find it this way: # grep statistics sendmail.cf O StatusFile=/etc/mail/statistics Next, truncate the file to reset the counters to zero: # cd /etc/mail > statistics Finally, run mailstats again, in 24 hours. That will show you the traffic flow since the last time the statistics file was truncated. set up a cron task to nightly run the mailstats command and email you the output. Immediately after the crontask emails the output, have the cron task truncate the file. Do this every day for a week and then average the numbers. You'll then be able to accurately determine exactly what your mail volume is (both the number of messages, and the total size of those messages). In other words, you'll know if you're seeing one million messages 100-bytes each, or one hundred messages 1,000,000-bytes each. You'll be able to calculate average message size, and so on. With that understanding, you'll then have the information you need to properly scale and tune your box. KEN CORMACK, RHCE Sr. UNIX Systems Analyst, Open Systems Group Sr. Software Analyst, TSG Midrange Systems Group AFFILIATED COMPUTER SERVICES, INC. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Aaron Paetznick Sent: Wednesday, March 17, 2004 1:43 PM To: [EMAIL PROTECTED] Subject: Re: [Mimedefang] MIMEDefang crashing regularly Does this help? [EMAIL PROTECTED] root]# mailstats Statistics from Tue Mar 2 05:32:10 2004 M msgsfr bytes_from msgstobytes_to msgsrej msgsdis Mailer 10 0K 175508 777613K0 0 *file* 3 518588 13242775K 1027762 19261080K19576 18788 cyrusv2 6 4054979 33506488K 236854 10013590K 109432 2968311 esmtp = T 4573567 46749263K 1440124 30052283K 129008 2987099 C 3906342 1908910 3116107 --Aaron Cormack, Ken wrote: > Very quickly, run a "mailstats" command. Assuming you have > statistics-keeping configured into your sendmail, and the statiscs file > actually exists, you should be able to see output that (among other things) > will show you exactly what kind of traffic you process. If you truncate the > statistics file nightly (truncate, not delete), then you can get daily > totals every day. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang crashing regularly
Does this help? [EMAIL PROTECTED] root]# mailstats Statistics from Tue Mar 2 05:32:10 2004 M msgsfr bytes_from msgstobytes_to msgsrej msgsdis Mailer 10 0K 175508 777613K0 0 *file* 3 518588 13242775K 1027762 19261080K19576 18788 cyrusv2 6 4054979 33506488K 236854 10013590K 109432 2968311 esmtp = T 4573567 46749263K 1440124 30052283K 129008 2987099 C 3906342 1908910 3116107 --Aaron Cormack, Ken wrote: Very quickly, run a "mailstats" command. Assuming you have statistics-keeping configured into your sendmail, and the statiscs file actually exists, you should be able to see output that (among other things) will show you exactly what kind of traffic you process. If you truncate the statistics file nightly (truncate, not delete), then you can get daily totals every day. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] MIMEDefang crashing regularly
Very quickly, run a "mailstats" command. Assuming you have statistics-keeping configured into your sendmail, and the statiscs file actually exists, you should be able to see output that (among other things) will show you exactly what kind of traffic you process. If you truncate the statistics file nightly (truncate, not delete), then you can get daily totals every day. Ken -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Aaron Paetznick Sent: Wednesday, March 17, 2004 1:25 PM To: [EMAIL PROTECTED] Subject: Re: [Mimedefang] MIMEDefang crashing regularly I have to use these settings as my volume is just that high. I don't know how many emails it processes per day as I haven't installed a stats package yet, but it's a dual Xeon with 4GB RAM, and it's pretty much consumed. It handles mail for some 10,000 mailboxes. --Aaron Kevin A. McGrail wrote: > 77 slaves? How much memory do you have on this machine? > > I'd estimate a guess on the order of 3GB minimum needed to make this work, > maybe more. > > I think you need to look at lowering your sendmail processes and your > mimedefang mins/max to much more reasonable levels. > > How many emails are you doing per day approximately and how much RAM do you > have in this box? > ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Pleasetry again later'
Jason Granat wrote: > One thing I noticed. Small root messages get through fine. It looks > like it's only erroring on large messages. The culprit messages are > ~17M. I know there was a place for setting max mail message size, > but I can't remember or find where. Can someone point me in the > right direction? For a 10M limit, add: define(`confMAX_MESSAGE_SIZE',`10485760')dnl to your sendmail.mc -kgd -- "Sendmail administration is not black magic. There are legitimate technical reasons why it requires the sacrificing of a live chicken." - Unknown ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] ramdisks on Linux
I think it would protect you fine if your kernel crashes. I don't think it would be a tmpfs. It would be more like a solid state 1GB HD formatted with EXT3 I would imagine. KAM > Doesn't protect you if your kernel crashes?? > What mail volume does this performance improvement really matter at? > Over 1 million messages per day? > > battery protected ramdisk card like those from Rocketcard. They are > > about $500 for a one gig card, $1,200 for a four gig. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang crashing regularly
I have to use these settings as my volume is just that high. I don't know how many emails it processes per day as I haven't installed a stats package yet, but it's a dual Xeon with 4GB RAM, and it's pretty much consumed. It handles mail for some 10,000 mailboxes. --Aaron Kevin A. McGrail wrote: 77 slaves? How much memory do you have on this machine? I'd estimate a guess on the order of 3GB minimum needed to make this work, maybe more. I think you need to look at lowering your sendmail processes and your mimedefang mins/max to much more reasonable levels. How many emails are you doing per day approximately and how much RAM do you have in this box? ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] Quoted material
I suggest increasing the quoted material limit for this list. I understand the need for such a feature, but the benefit versus inconvenience ratio is too low IMHO. --Aaron ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang crashing regularly
Am am getting a lot of bayes locking errors as well. Probably related. Should the configuration options listed below help with bayes locking issues in a high-volume situation? --Aaron Lucas Albers wrote: It might be baye-learning is making mimedenfag make too many slaves. I encountered this situation, but in my case it just stopped spawning slaves. #http://mail.stalker.com/Lists/CGatePro/Message/52889.html bayes_learn_to_journal 1 bayes_journal_max_size 512 SA will get a lock then Mimedefang will spawn a new slave, which can't get a lock, which spawns a new slave,etc. Aaron Paetznick said: MIMEDefang has been crashing on me fairly regularly and it's driving me bonkers. Basically it goes "to error state" and doesn't recover. I have a script watching the logfile, and when there is a problem MD gets automatically restarted, but when this happens it won't start up again until I manually remove the /var/lock/subsys/mimedefang file. Here's a clip from /var/log/maillog from when this last happened. I would consider increasing the children, except my MX_MAXIMUM is already set to 80. I just now increased the MX_REQUESTS to 500, but I'm not confident that that will help too much. Any ideas? This is MD v2.41, SA v2.63 + the usual suspects on RHEL 3.0 with perl v5.8.3. Thanks. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang crashing regularly
It might be baye-learning is making mimedenfag make too many slaves. I encountered this situation, but in my case it just stopped spawning slaves. #http://mail.stalker.com/Lists/CGatePro/Message/52889.html bayes_learn_to_journal 1 bayes_journal_max_size 512 SA will get a lock then Mimedefang will spawn a new slave, which can't get a lock, which spawns a new slave,etc. Aaron Paetznick said: > > MIMEDefang has been crashing on me fairly regularly and it's driving me > bonkers. Basically it goes "to error state" and doesn't recover. I > have a script watching the logfile, and when there is a problem MD gets > automatically restarted, but when this happens it won't start up again > until I manually remove the /var/lock/subsys/mimedefang file. Here's a > clip from /var/log/maillog from when this last happened. I would > consider increasing the children, except my MX_MAXIMUM is already set to > 80. I just now increased the MX_REQUESTS to 500, but I'm not confident > that that will help too much. Any ideas? This is MD v2.41, SA v2.63 + > the usual suspects on RHEL 3.0 with perl v5.8.3. Thanks. > -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] ramdisks on Linux
Doesn't protect you if your kernel crashes?? What mail volume does this performance improvement really matter at? Over 1 million messages per day? John Scully said: > You can get a huge performance boost by moving the mqueue to a ramdisk, > but to avoid the risk of messages being lost due to a reset add a > battery protected ramdisk card like those from Rocketcard. They are > about $500 for a one gig card, $1,200 for a four gig. > > If you want to test the performance gain before buying a card, and have > enough ram to spare try moving the mqueue to a normal linux ramdisk for > a day. > -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
- Original Message - From: "Jason Granat" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 17, 2004 11:04 AM Subject: Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later' > One thing I noticed. Small root messages get through fine. It looks > like it's only erroring on large messages. The culprit messages are > ~17M. I know there was a place for setting max mail message size, but I > can't remember or find where. Can someone point me in the right direction? Is there any chance that you're running SpamAssassin on those large messages? That could cause the problems you're seeing. *** You can set the maximum mail message size in the sendmail configuration file. The variable you need to define is confMAX_MESSAGE_SIZE. confMAX_MESSAGE_SIZE MaxMessageSize [infinite] The maximum size of messages that will be accepted (in bytes). The exact line you would put in your sendmail.mc file is: define(`confMAX_MESSAGE_SIZE', `1000')dnl How you turn your .mc file into a .cf file is system dependent. I leave that as an exercise for the reader. Chris Myers Networks By Design ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
No AV installed yet. Not a zip, just plain text (from a long cron job). John Mason wrote: -Original Message- From: Jason Granat [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 17, 2004 12:05 PM To: [EMAIL PROTECTED] Subject: Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later' One thing I noticed. Small root messages get through fine. It looks like it's only erroring on large messages. The culprit messages are ~17M. I know there was a place for setting max mail message size, but I can't remember or find where. Can someone point me in the right direction? Thanks, Jason Are they getting scanned by antivirus, or a zip being opened and scanned John ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Mimedefang and DSPAM
Everything I've read about dspam, suggest it is a pain to configure. Bogofilter is much easier to setup as an addition, and you can set it to train off of SA. In a sense you are using mimedefang as a glorified procmail script to call bogofilter after or before SA. Their are plenty of examples of using bogofilter via procmail. You might be better off waiting until SA 3.0 comes out with plugin support. You will spend some time training DSPAM and bogofilter. James Miller said: > Hi All, > > Has anyone come up with an example of adding DSPAM checking into > Mimedefang? > I 'goggled' for it and didn't find anything useful. > > > Thanks, > Jim > > ___ > Visit http://www.mimedefang.org and http://www.canit.ca > MIMEDefang mailing list > [EMAIL PROTECTED] > http://lists.roaringpenguin.com/mailman/listinfo/mimedefang > -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] netsky.c passing MD-2.40 with clamav+uvscan
I'm still running 4.2.40, as I can't find how to get the upgrade. Our central IT store won't get back to me. a. Kevin A. McGrail said: > I also highly recommend you upgrade to vlnx432 released in December. > > Regards, > KAM > >> >> What version of mcafee/clam are you using? >> > vlnx 4.24.0 > > ___ > Visit http://www.mimedefang.org and http://www.canit.ca > MIMEDefang mailing list > [EMAIL PROTECTED] > http://lists.roaringpenguin.com/mailman/listinfo/mimedefang > -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
I have found that it appears to only happen when processing a large message. I had 2 messages in /var/spool/clientmqueue ~17M each. These were killing the milter. After clearing those out the system was able to processes root messages from localhost no problem. I thought there was a place to set max message size, but for the life of me I can't find where... Any help? David F. Skoll wrote: On Wed, 17 Mar 2004, Stephen Smoogen wrote: I would try 2.41 and see if the problem still occurs. If it does, I would look at turning on more debugging to help David figure out what/where/why it is happening. If you can-not get it to work within 24 hours, fall back to 2.38 or so. The C code has changed very little from 2.39 - 2.41. There is not enough info to determine the problem; it could be load, or it could be a filter problem. Regards, David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
> -Original Message- > From: Jason Granat [mailto:[EMAIL PROTECTED] > Sent: Wednesday, March 17, 2004 12:05 PM > To: [EMAIL PROTECTED] > Subject: Re: [Mimedefang]Localhost Messages Cause 'reject=451 > 4.7.1 Please try again later' > > > One thing I noticed. Small root messages get through fine. It looks > like it's only erroring on large messages. The culprit messages are > ~17M. I know there was a place for setting max mail message > size, but I > can't remember or find where. Can someone point me in the > right direction? > > Thanks, > > Jason > Are they getting scanned by antivirus, or a zip being opened and scanned John ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
On Wed, 17 Mar 2004, Stephen Smoogen wrote: > I would try 2.41 and see if the problem still occurs. If it does, I > would look at turning on more debugging to help David figure out > what/where/why it is happening. If you can-not get it to work within 24 > hours, fall back to 2.38 or so. The C code has changed very little from 2.39 - 2.41. There is not enough info to determine the problem; it could be load, or it could be a filter problem. Regards, David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang crashing regularly
On Wed, 17 Mar 2004, Aaron Paetznick wrote: > MIMEDefang has been crashing on me fairly regularly and it's driving me > bonkers. libmilter has a "feature" that I've complained bitterly about to Claus Assman. If pthread_create() fails too many times in a row, libmilter calls exit(), and basically you're dead in the water. I've observed this on a very busy mail server. I sent a patch to sendmail.org to fix this; no word yet if it's been accepted. My solution, like yours, was to have a script that runs once a minute to verify that mimedefang and mimedefang-multiplexor are still running, and restart if something goes wrong. I don't watch the logfile, though; I just "kill -0 `cat /var/spool/MIMEDefang/mimedefang.pid`" (similarly for the multiplexor) and restart everything if either kill fails. -- David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang crashing regularly
77 slaves? How much memory do you have on this machine? I'd estimate a guess on the order of 3GB minimum needed to make this work, maybe more. I think you need to look at lowering your sendmail processes and your mimedefang mins/max to much more reasonable levels. How many emails are you doing per day approximately and how much RAM do you have in this box? Regards, KAM > MIMEDefang has been crashing on me fairly regularly and it's driving me > bonkers. Basically it goes "to error state" and doesn't recover. I > have a script watching the logfile, and when there is a problem MD gets > automatically restarted, but when this happens it won't start up again > until I manually remove the /var/lock/subsys/mimedefang file. Here's a > clip from /var/log/maillog from when this last happened. I would > consider increasing the children, except my MX_MAXIMUM is already set to > 80. I just now increased the MX_REQUESTS to 500, but I'm not confident > that that will help too much. Any ideas? This is MD v2.41, SA v2.63 + > the usual suspects on RHEL 3.0 with perl v5.8.3. Thanks. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
One thing I noticed. Small root messages get through fine. It looks like it's only erroring on large messages. The culprit messages are ~17M. I know there was a place for setting max mail message size, but I can't remember or find where. Can someone point me in the right direction? Thanks, Jason Stephen Smoogen wrote: On Wed, 2004-03-17 at 09:17, Jason Granat wrote: I am using 2.40. Should I upgrade to 2.41 or fall back to 2.35? I would try 2.41 and see if the problem still occurs. If it does, I would look at turning on more debugging to help David figure out what/where/why it is happening. If you can-not get it to work within 24 hours, fall back to 2.38 or so. Jason Stephen Smoogen wrote: What version of mimedefang are you running? I am seeing this quite a bit with 2.40, but havent yet with 2.41 (not a long run though). I have also not seen it with 2.35 which is what I am still running in production. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] mount noatime (was: ramdisks on Linux)
At 07:20 AM 3/17/2004, Chris Myers wrote: Mount /tmp as ramdisk, noatime Unless you're using tmpwatch to clear out old files in /tmp. You can set it to decide based on mtime instead of atime, but atime is the default. Kelson Vibber SpeedGate Communications ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] MIMEDefang crashing regularly
MIMEDefang has been crashing on me fairly regularly and it's driving me bonkers. Basically it goes "to error state" and doesn't recover. I have a script watching the logfile, and when there is a problem MD gets automatically restarted, but when this happens it won't start up again until I manually remove the /var/lock/subsys/mimedefang file. Here's a clip from /var/log/maillog from when this last happened. I would consider increasing the children, except my MX_MAXIMUM is already set to 80. I just now increased the MX_REQUESTS to 500, but I'm not confident that that will help too much. Any ideas? This is MD v2.41, SA v2.63 + the usual suspects on RHEL 3.0 with perl v5.8.3. Thanks. --Aaron Log clip: Mar 17 05:59:56 elrond sendmail[9880]: i2HBxsic009880: Milter: data, discard Mar 17 05:59:56 elrond sendmail[9880]: i2HBxsic009880: discarded Mar 17 05:59:56 elrond mimedefang.pl[5421]: filter: i2HBxtnl009903: discard=1 Mar 17 05:59:56 elrond mimedefang[24034]: i2HBxtnl009903: Discarding because filter instructed us to Mar 17 05:59:56 elrond sendmail[9903]: i2HBxtnl009903: Milter: data, discard Mar 17 05:59:56 elrond sendmail[9903]: i2HBxtnl009903: discarded Mar 17 05:59:56 elrond mimedefang-multiplexor: Slave 77 (pid 28149) taking too long to exit; sending SIGTERM Mar 17 05:59:56 elrond sendmail[8316]: i2HBwQqf008316: <[EMAIL PROTECTED]>... User unknown Mar 17 05:59:56 elrond mimedefang[24034]: Error from multiplexor: error: No free slaves Mar 17 05:59:56 elrond last message repeated 2 times Mar 17 05:59:56 elrond mimedefang[24034]: mfconnect: No free slaves Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjB4Z027427: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjB4Z027427: Discarding because filter instructed us to Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjFKj027731: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjFKj027731: Discarding because filter instructed us to Mar 17 05:59:56 elrond mimedefang[24034]: mfconnect: No free slaves Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjBPR027478: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: Error from multiplexor: error: No free slaves Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjFhK027792: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjAW0027383: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjAW0027383: Discarding because filter instructed us to Mar 17 05:59:56 elrond mimedefang-multiplexor: Reap: Killed slave 77 (pid 28149) exited due to SIGTERM/SIGKILL as expected. Mar 17 05:59:56 elrond mimedefang[24034]: mfconnect: No free slaves Mar 17 05:59:56 elrond mimedefang-multiplexor: Slave 77 resource usage: req=500, scans=99, user=14.070, sys=2.830, nswap=0, majflt=44338, minflt=351313, maxrss=0, bi=0, bo=0 Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjEbQ027679: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjDha027617: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjDha027617: Discarding because filter instructed us to Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjCfY027513: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjESv027698: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjCfY027513: smfi_addheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjDKR027586: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjCEK027496: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjDKR027586: smfi_addheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjBPR027478: smfi_addheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjCEK027496: smfi_addheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjAlu027403: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjFhK027792: smfi_addheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjEbQ027679: smfi_addheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjEKu027625: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjESv027698: smfi_addheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjFou027733: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjDKh027595: smfi_chgheader returned MI_FAILURE Mar 17 05:59:56 elrond mimedefang[24034]: i2HBjAlu027403: smfi_addheader returned MI_FAILURE Mar 17 05:59:56 elrond sendmail[9858]: i2HBxqtt009858: milter_read(mimedefang): cmd read returned 0, expecting 5 Mar 17 05:59:56 elrond sendmail[9858]: i2HBxqtt009858: Milter (mimedefang): to error state Mar 17 05:59:56 elrond sendmail[9858]: i2HBxqtt009858: Milter: data, reject=451 4.7.1 Plea
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
On Wed, 2004-03-17 at 09:17, Jason Granat wrote: > I am using 2.40. Should I upgrade to 2.41 or fall back to 2.35? > I would try 2.41 and see if the problem still occurs. If it does, I would look at turning on more debugging to help David figure out what/where/why it is happening. If you can-not get it to work within 24 hours, fall back to 2.38 or so. > Jason > > Stephen Smoogen wrote: > > >What version of mimedefang are you running? I am seeing this quite a bit > >with 2.40, but havent yet with 2.41 (not a long run though). I have also > >not seen it with 2.35 which is what I am still running in production. > > > > > > > >> > > ___ > Visit http://www.mimedefang.org and http://www.canit.ca > MIMEDefang mailing list > [EMAIL PROTECTED] > http://lists.roaringpenguin.com/mailman/listinfo/mimedefang -- Stephen John Smoogen[EMAIL PROTECTED] Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645 Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545 -- So shines a good deed in a weary world. = Willy Wonka -- ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
I am using 2.40. Should I upgrade to 2.41 or fall back to 2.35? Jason Stephen Smoogen wrote: What version of mimedefang are you running? I am seeing this quite a bit with 2.40, but havent yet with 2.41 (not a long run though). I have also not seen it with 2.35 which is what I am still running in production. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang 2.41 is released
On Wednesday 17 March 2004 16:39, David F. Skoll wrote: > I will add this as an option; it's expensive to copy (rather than just > hard-link) the file. and did you determine that copying is a performance bottleneck here? It is done for spamassassin anyway .. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] ramdisks on Linux
Mark Wiater wrote: > > Thanks John. > > When you were there, did you measure performance when using a command > line scanner? Do you know if the performance benefit warrants the three > issues? > > 1. could be worth the effort depending on your findings above? > > 2. I'm using both trend command line and mcafee command line, > > 3. I've already got a script pulling the sigs from a central machine, > shouldn't be a problem to drop them on the ramdisk too. > > Really curious about your findings, > > Thanks > > Mark > Mark, We found that for uvscan, using RAMDISK cut the scan time by anywhere from 1/2 to 2/3 the scan time of using sigs on HDD. No difference was found for clamd. The tests were run on a Sparc w/ 2GB RAM, with a LA around 3, and a context change rate around 3K to 4K/sec, and a page rate of next to zero. I suspect that if you try this on a system with any degree of paging, that your results will not be as good. Hope this helps! Jon -- Jon R. Kibler Chief Technical Officer A.S.E.T., Inc. Charleston, SC USA (843) 849-8214 == Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] ramdisks on Linux
Thanks John. When you were there, did you measure performance when using a command line scanner? Do you know if the performance benefit warrants the three issues? 1. could be worth the effort depending on your findings above? 2. I'm using both trend command line and mcafee command line, 3. I've already got a script pulling the sigs from a central machine, shouldn't be a problem to drop them on the ramdisk too. Really curious about your findings, Thanks Mark On Wed, 2004-03-17 at 10:04, Jon R. Kibler wrote: > > Been there, done that -- but three issues: > 1) You have to mod mimedefang.pl to find the files in the > correct location. > 2) Only provide performance improvements where virus scanners > have to reread files for every scan (e.g., helps with > uvscan, no help for clamd/clamdscan). > 3) You have to provide scripts that update both the RAMDISK > and master copies of the sigs, plus load the sigs when > system startup occurs. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang 2.41 is released
On Wed, 17 Mar 2004, Dirk Mueller wrote: > this patch again didn't make it: > open(I, " open(O, ">Work/COMPLETE_MSG_WITH_FROM"); I will add this as an option; it's expensive to copy (rather than just hard-link) the file. Regards, David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] mount noatime
Chris Myers wrote: - Original Message - From: "Kenneth Porter" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 17, 2004 3:09 AM Subject: [Mimedefang] mount noatime (was: ramdisks on Linux) CPU is important, but not as important as you might think. A single P4 2.0GHz can handle more than 100K messages/day if the rest of the system is balanced. Don't go for that quad-processor 3.2GHz Xeon system with 4MB on-die cache with 8 SCSI disks in a RAID 0+1 array, 32GB RAM and dual gig-Ethernet NICs unless you're trying to figure out how to push a million messages/day through one box. Frankly it'll be cheaper to have a dozen 1u P4 2.8GHz 40GB IDE systems than it would be to buy that one monster box ... AND you'll have better reliability with a dozen expendable boxes. Greylisting becomes slightly more interesting over a dozen boxes, you better know (or learn) to use a real database system at that point. Forget about xeons :) Opteron has better marhitecture (64bit,numa ..etc) and bandwidth http://aceshardware.com/read.jsp?id=6275 http://www.linuxhardware.org/article.pl?sid=03/12/17/189239&mode=thread ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] mount noatime (was: ramdisks on Linux)
- Original Message - From: "Kenneth Porter" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 17, 2004 3:09 AM Subject: [Mimedefang] mount noatime (was: ramdisks on Linux) > --On Tuesday, March 16, 2004 5:09 PM -0600 Chris Myers > <[EMAIL PROTECTED]> wrote: > > > Mount your disks with the "noatime" option to cut down on largely useless > > disk writes. > > Good idea on a highly-loaded mail-only server. > > This does have the drawback that you can't easily see when your spools have > been popped, and you have to resort to parsing your POP server's logs for > that. I've been using "ls -lut" to see which users don't collect their > mail, usually a sign of someone leaving the company and HR forgetting to > tell me about it. Good point. So, summarizing some of the previous messages... If you looking for all reasonable ways to maximize system performance: Mount / as noatime Mount /etc/mail as ramdisk, noatime [restore backup at boot time] Mount /tmp as ramdisk, noatime Mount /var as noatime Mount /var/spool/MIMEDefang as ramdisk, noatime. Mount /var/spool/mqueue/qf as noatime [on disk 1] Mount /var/spool/mqueue/df as noatime [on disk 2] Mount /var/spool/mqueue/xf as ramdisk, noatime [only if you split the qdir's] Mount /var/mail normally Remember to make periodic backups of /etc/mail so you have something to restore after a crash or reboot. SCSI disks are notably faster than IDE disks. Striping is notably faster than not striping. Higher RPM disks are faster than lower RPM disks (but 2x the RPM does not mean 2x the actual performance). Hardware RAID is faster than software RAID. IDE RAID is a low-cost option, and there are 10K RPM IDE disks now. IDE is fine until you're trying to push >>100K messages/day or really big surges. Between MIMEDefang and all of these ramdisks, you'll need a lot of memory. At least 2GB of RAM. If you start paging and swapping, performance will drop considerably (keep in mind that disk is something like 1000x slower than RAM!). Set MX_REQUESTS to something like 500 and use embedded Perl if it works under your O/S version. As seen in the recommended filter, don't run SpamAssassin on messages larger than 100K. Use greylisting. If your e-mail correspondents don't use Novell Groupwise, Communigate Pro or Symantec Raptor firewalls you can use the MUCH more efficient "tempfail after RCPT TO" form of greylisting. Otherwise take note that the message is greylisted and then tempfail the message at the top of filter_begin. IMPORTANT NOTE: action_tempfail just makes a note to tempfail the message, it doesn't happen right then so you _should_ do "return if message_rejected();" at the top of filter, filter_multipart and filter_end. Drop executable attachments, don't bother to virus-scan them ... just drop them. Use daemonized virus scanners. I've seen clamd scan a message in about 10% of the CPU time it took clamscan to scan a message. Don't bother to scan a message you know will be rejected. Validate all input (HELO, MAIL FROM, RCPT TO) as much as possible. Read all the various threads over the last couple months that cover what constitutes "too much validation". These tests may let you reject 10-15% of incoming mail as spam without ever receiving the message body (a _big_ win). Run a local caching nameserver on your filter. That will get rid of a lot of network traffic to the DNSBL's and generally improve performance a bit. Use dccifd instead of dccproc, you'll save on an exec() for every scanned message. Consider running a DCC server locally, the public servers are always overloaded. Consider dropping messages that exceed a predetermined SpamAssassin score (10-20 is a good range, it depends on your environment). If you don't deliver the message, that's just one less CPU/memory/disk hit. CPU is important, but not as important as you might think. A single P4 2.0GHz can handle more than 100K messages/day if the rest of the system is balanced. Don't go for that quad-processor 3.2GHz Xeon system with 4MB on-die cache with 8 SCSI disks in a RAID 0+1 array, 32GB RAM and dual gig-Ethernet NICs unless you're trying to figure out how to push a million messages/day through one box. Frankly it'll be cheaper to have a dozen 1u P4 2.8GHz 40GB IDE systems than it would be to buy that one monster box ... AND you'll have better reliability with a dozen expendable boxes. Greylisting becomes slightly more interesting over a dozen boxes, you better know (or learn) to use a real database system at that point. Should we make "how to make a system running MIMEDefang go faster?" a FAQ entry? Chris Myers Networks By Design ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
On Tue, 2004-03-16 at 21:32, Jason Granat wrote: > Unfortunately it's happening every few minutes... > What version of mimedefang are you running? I am seeing this quite a bit with 2.40, but havent yet with 2.41 (not a long run though). I have also not seen it with 2.35 which is what I am still running in production. > Paul wrote: > > >>Watching /var/log/maillog I see everytime a message comes to > >>[EMAIL PROTECTED] with relay 127.0.0.1 there is an error: 'reject=451 > >>4.7.1 Please try again later' and MIMEDeFang times out. What causes > >>this and how do I fix it? > >> > >> > > > >Check your maillog (/var/log/maillog in my case on FreeBSD) I get them now and > >then, mostly it means MD has crashed. Stopping it and sendmail, waiting a minute > >and restarting them generally solves the problem. Not quiet sure what causes the > >crash, but it's not very often on my box. Generally seems to happen when some ^#%#% > >tries to deliver a spam that may have very screwed up headers. Haven't been able to > >intercept one of those though... > > > >Hope this helps > > > > > >Paul > > > >___ > >Visit http://www.mimedefang.org and http://www.canit.ca > >MIMEDefang mailing list > >[EMAIL PROTECTED] > >http://lists.roaringpenguin.com/mailman/listinfo/mimedefang > > > > > > __ > ___ > Visit http://www.mimedefang.org and http://www.canit.ca > MIMEDefang mailing list > [EMAIL PROTECTED] > http://lists.roaringpenguin.com/mailman/listinfo/mimedefang -- Stephen John Smoogen[EMAIL PROTECTED] Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645 Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545 -- So shines a good deed in a weary world. = Willy Wonka -- ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] ramdisks on Linux
[EMAIL PROTECTED] wrote: > > Has anybody given thought to moving the virus scanners and > their pattern files to a ramdisk? Been there, done that -- but three issues: 1) You have to mod mimedefang.pl to find the files in the correct location. 2) Only provide performance improvements where virus scanners have to reread files for every scan (e.g., helps with uvscan, no help for clamd/clamdscan). 3) You have to provide scripts that update both the RAMDISK and master copies of the sigs, plus load the sigs when system startup occurs. Jon -- Jon R. Kibler Chief Technical Officer A.S.E.T., Inc. Charleston, SC USA (843) 849-8214 == Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang]Localhost Messages Cause 'reject=451 4.7.1 Please try again later'
Jason Granat wrote: >>> Watching /var/log/maillog I see everytime a message comes to >>> [EMAIL PROTECTED] with relay 127.0.0.1 there is an error: >>> 'reject=451 >>> 4.7.1 Please try again later' and MIMEDeFang times out. What >>> causes this and how do I fix it? Can you post a link to your current mimedefang-filter? ___ Michael Sims Project Analyst - Information Technology Crye-Leike Realtors Office: (901)758-5648 Pager: (901)769-3722 ___ ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] MD I/O intensive?
David F. Skoll wrote:
> If you accumulate more than a few hundred files in your quarantine
> directory, it's time to turn off quarantining. :-)
Which reminds me. Any chance future versions of MD could use
mkpath() from File::Path to create multi-level quarantine directories.
I do that, plus this hack in mimedefang-filter:
...
# Construct a multi-level quarantine dir
sub my_time_str {
# gloss over the details
return "a/multi/level/directory/based/on/a/timestamp";
}
*time_str = *my_time_str;
...
but I get twitchy every time I see that code.
N
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] MIMEDefang 2.41 is released
On Tuesday 16 March 2004 17:35, David F. Skoll wrote: > This is a pure bug-fix release; changelog follows. this patch again didn't make it: open(I, "Work/COMPLETE_MSG_WITH_FROM"); print O "From foo Sun Jan 1 01:01:01 2004\n"; print O ; close(I);close(O); it is necessary to give the virus scanner an idea that the given file is indeed a mail message (so that it has to do the mime decoding). Otherwise they don't detect it and ignore it as nonexecutable file. Dirk ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] netsky.c passing MD-2.40 with clamav+uvscan
I also highly recommend you upgrade to vlnx432 released in December. Regards, KAM > >> What version of mcafee/clam are you using? > > vlnx 4.24.0 ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] mount noatime (was: ramdisks on Linux)
--On Tuesday, March 16, 2004 5:09 PM -0600 Chris Myers <[EMAIL PROTECTED]> wrote: Mount your disks with the "noatime" option to cut down on largely useless disk writes. Good idea on a highly-loaded mail-only server. This does have the drawback that you can't easily see when your spools have been popped, and you have to resort to parsing your POP server's logs for that. I've been using "ls -lut" to see which users don't collect their mail, usually a sign of someone leaving the company and HR forgetting to tell me about it. OTOH, I do remount my disks noatime when verifying my backup tapes, to keep from losing the info about which users aren't popping their mail. There are of course other cases where it's nice to know when files aren't being read. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] unsubscribre
unsubscribre ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
