Re: [Mimedefang] Tracking down file descriptors
On Thu, 11 Nov 2004, Kelson wrote:

> I've searched through my filter, and every single open call is inside a
> function. Despite this, I still get the "Something in your Perl filter
> appears to have opened a file descriptor outside of any function"
> warning in my logs.

Are you running Solaris, by any chance? I've seen this on a Solaris machine. Something opens a file called /var/run/name_service_door and seems to leave it open. It's probably something deep in the guts of Sun's C library. It seems to be harmless, though.

If you're *not* running Solaris, then I'm at a loss.

Regards,

David.

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

[Mimedefang] Re: Original-Content-Type in header
On Wed, 10 Nov 2004 08:28:08 -0500, "Kevin A. McGrail" <[EMAIL PROTECTED]> wrote:

>Tim,
>
>Your emails come through what looks to me like an NNTP to SMTP conversion
>system. Is that possibly munging your headers?
>
>Regards,
>KAM
>

Shouldn't be - it's straight Sendmail Switch. No nntp around.

--
Tim Boyer
[EMAIL PROTECTED]

Re: Timeout settings (was Re: [Mimedefang] tmpfs on Linux)
Quoting "David F. Skoll" <[EMAIL PROTECTED]> Date: Thu, 11 Nov 2004 17:06:13

> On Thu, 11 Nov 2004, Greg Miller wrote:
>
> > During my investigations I noticed that many of my sendmail processes
> > hang around for quite some time, presumably because the host on the
> > other end is slow. I stumbled across a recommendation that the sendmail
> > default timeouts be tuned as follows: Anyone else doing this?
>
> Some of those numbers are way too short. In particular, a confTO_DATAFINAL
> of 5 minutes is definitely too low. RFC 2821 says that one SHOULD be
> at least 10 minutes, and I would be conservative and make it 30 minutes.

I'd leave that one at Sendmail's default one hour. Setting it too low may result in bandwidth waste and multiple copies of email delivered.

I've seen ClamAV + MIMEDefang taking some 10-15 minutes to complete when scanning emails with huge compressed attachments (on reasonably fast machine). If receiving side has some more milters, or is simply overloaded because it got several large emails to process at the same time, it could easily take even longer.

If somebody is going to DOS you, even timeout set to as short as one minute would be more than enough to allow for DOS attack. And you would need to be the one connecting to attacker's server (that's what this timeout controls). So really there's no point in lowering this. If you already transferred the email, give the other side as much time as it needs to do whatever it needs to do before accepting that email.

--
Aleksandar Milivojevic <[EMAIL PROTECTED]>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

[Mimedefang] Tracking down file descriptors
OK, this is bugging the heck out of me.

I just upgraded to MD 2.48 from 2.44, well aware of the need to move anything that opened a file into filter_initialize, and I got the dreaded warning about opening file descriptors anyway.

I have several places where I open a descriptor, read/write, then close it. Some are in filter_begin, etc., others are in custom functions that get called by these. As far as I can tell, these should cause no problems, because the descriptor is always closed by the end of the function.

I've searched through my filter, and every single open call is inside a function. Despite this, I still get the "Something in your Perl filter appears to have opened a file descriptor outside of any function" warning in my logs.

I looked at embperl.c, and if I understand correctly, it seems to be counting the number of open descriptors before and after parsing the filter. So *something* is opening a descriptor somewhere and not closing it.

So I looked at use statements:

use Mail::SPF::Query
use Text::Wrap
use strict

Text::Wrap seemed unlikely, but I commented out Mail::SPF::Query and the code that uses it, and that didn't make a difference.

Our filter is split across three files for organization, using require(). I don't think this should leave file descriptors hanging around, but just to try it, I combined all three files into one. Same thing.

Any suggestions as to where else I should look?

--
Kelson Vibber
SpeedGate Communications

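One way to narrow this down, shown as an added example that is not part of the original post or of the MIMEDefang sources: compare the set of open descriptors before and after each suspect step, in the same spirit as the before/after count the post describes. The probe list and the use of /proc/self/fd for naming descriptors are assumptions; where /proc is absent the script falls back to device and inode numbers.

```perl
#!/usr/bin/perl
# Added example, not MIMEDefang code: find out which step leaves a file
# descriptor open by comparing the open-descriptor set before and after it.
use strict;
use warnings;
use POSIX ();

# Return { fd => description } for every descriptor open in this process.
sub open_fds {
    my $max = POSIX::sysconf(&POSIX::_SC_OPEN_MAX) || 1024;
    $max = 4096 if $max > 4096;               # keep the probe cheap
    my %fds;
    for my $fd (0 .. $max - 1) {
        my @st = POSIX::fstat($fd);           # empty list if $fd is not open
        next unless @st;
        my $name = readlink("/proc/self/fd/$fd");   # undef where unsupported
        $fds{$fd} = defined $name ? $name : "dev=$st[0] ino=$st[1]";
    }
    return \%fds;
}

# Run $code and return the descriptors that are new or changed afterwards.
sub fds_opened_by {
    my ($code) = @_;
    my $before = open_fds();
    $code->();
    my $after = open_fds();
    return map  { "fd $_ -> $after->{$_}" }
           grep { !exists $before->{$_} || $before->{$_} ne $after->{$_} }
           sort { $a <=> $b } keys %$after;
}

# Probes (assumed list): the modules named in the post, plus a libc
# name-service lookup, which is where the Solaris reply in this thread
# suspects the descriptor comes from. Add the filter's own require()d
# files in the same way.
my @probes = (
    [ 'require Mail::SPF::Query' => sub { eval { require Mail::SPF::Query } } ],
    [ 'require Text::Wrap'       => sub { eval { require Text::Wrap } } ],
    [ 'getpwuid (libc lookup)'   => sub { my @pw = getpwuid($<) } ],
);

for my $probe (@probes) {
    my ($label, $code) = @$probe;
    my @new = fds_opened_by($code);
    printf "%-26s %s\n", $label, @new ? join(', ', @new) : 'no new descriptors';
}
```

Run it as the same user and on the same host as the multiplexor, since name-service configuration and module versions decide what gets opened.
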
Timeout settings (was Re: [Mimedefang] tmpfs on Linux)
On Thu, 11 Nov 2004, Greg Miller wrote:

> During my investigations I noticed that many of my sendmail processes
> hang around for quite some time, presumably because the host on the
> other end is slow. I stumbled across a recommendation that the sendmail
> default timeouts be tuned as follows: Anyone else doing this?

Some of those numbers are way too short. In particular, a confTO_DATAFINAL of 5 minutes is definitely too low. RFC 2821 says that one SHOULD be at least 10 minutes, and I would be conservative and make it 30 minutes.

See http://www.ietf.org/rfc/rfc2821.txt Section 4.5.3.2 for recommended minimum values.

Regards,

David.

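The comparison this reply points to, as an added example that is not part of the thread: parse confTO_* defines from a sendmail.mc fragment and list the ones that fall below the RFC 2821 section 4.5.3.2 minimums. The embedded fragment is a subset of the values proposed in this thread; the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example: compare confTO_* values in a sendmail.mc fragment with the
# per-command minimums recommended in RFC 2821 section 4.5.3.2.
use strict;
use warnings;

# RFC 2821 4.5.3.2 recommended minimum timeouts, in seconds.
my %rfc_min = (
    confTO_INITIAL   => 300,   # initial 220 greeting: 5 minutes
    confTO_MAIL      => 300,   # MAIL command: 5 minutes
    confTO_RCPT      => 300,   # RCPT command: 5 minutes
    confTO_DATAINIT  => 120,   # DATA initiation: 2 minutes
    confTO_DATABLOCK => 180,   # data block: 3 minutes
    confTO_DATAFINAL => 600,   # DATA termination: 10 minutes
);

my %unit = (s => 1, m => 60, h => 3600, d => 86400, w => 604800);

# Convert an interval such as "30s", "5m" or "1h30m" to seconds.
sub to_seconds {
    my ($text) = @_;
    my $total = 0;
    $total += $1 * $unit{$2} while $text =~ /(\d+)([smhdw])/g;
    return $total;
}

# Return [option, configured seconds, minimum seconds] for each value
# that is below the RFC minimum.
sub below_rfc_minimum {
    my ($mc) = @_;
    my @short;
    while ($mc =~ /define\(`(confTO_\w+)',\s*`([^']*)'\)/g) {
        my ($opt, $value) = ($1, $2);
        next unless exists $rfc_min{$opt};
        my $secs = to_seconds($value);
        push @short, [$opt, $secs, $rfc_min{$opt}] if $secs < $rfc_min{$opt};
    }
    return @short;
}

# Subset of the values proposed in this thread.
my $proposed = <<'MC';
define(`confTO_INITIAL', `30s')
define(`confTO_MAIL', `2m')
define(`confTO_RCPT', `2m')
define(`confTO_DATAINIT', `2m')
define(`confTO_DATABLOCK', `2m')
define(`confTO_DATAFINAL', `5m')
MC

for my $row (below_rfc_minimum($proposed)) {
    printf "%-17s %4ds  (RFC 2821 minimum %ds)\n", @$row;
}
```
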
Re: [Mimedefang] tmpfs on Linux
Thanks to everyone who helped with my performance problems. In the end, I doubled the amount of RAM to 2GB. This prevented swapping and allowed my 50 sendmail processes and 15 mimedefang slaves to run with sufficient memory. In the process, I learned a lot about sendmail performance tuning, mostly that I need to learn more. :)

During my investigations I noticed that many of my sendmail processes hang around for quite some time, presumably because the host on the other end is slow. I stumbled across a recommendation that the sendmail default timeouts be tuned as follows: Anyone else doing this?

define(`confTO_INITIAL', `30s')
define(`confTO_CONNECT', `30s')
define(`confTO_ICONNECT', `30s')
define(`confTO_HELO', `1m')
define(`confTO_MAIL', `2m')
define(`confTO_RCPT', `2m')
define(`confTO_DATAINIT', `2m')
define(`confTO_DATABLOCK', `2m')
define(`confTO_DATAFINAL', `5m')
define(`confTO_RESET', `1m')
define(`confTO_QUIT', `1m')
define(`confTO_MISC', `2m')
define(`confTO_COMMAND', `1m')
define(`confTO_IDENT', `0s')
define(`confTO_FILEOPEN', `1m')
define(`confTO_CONTROL', `1m')
define(`confTO_HOSTSTATUS', `5m')

--
Greg Miller, RHCE, CCNA, MCSE
Senior Network Specialist
University of Richmond
[EMAIL PROTECTED]
(804) 289-8546

On Thu, 2004-11-11 at 09:13 -0500, Kevin A. McGrail wrote:
> > How would you suggest I do this? I have tried setting MaxDaemonChildren
> > to 20, but those quickly get eaten up and I just end up refusing lots of
> > mail. What is the recommended course of action in this case?
>
> Well, it just sounds like you need more RAM first which I think you agree
> on.
>
> Second, you may need to lower the amount of time your MIMEDefang spends on
> messages. Have you considered turning off the SpamAssassin Network-Based
> tests?
>
> Third, you need to look at your mail volume. Do you know how many messages
> per day/per hour you are getting? You might just simply need a more
> powerful machine or a cluster of machines to share the load.
>
> Fourth, are you having any issues with dictionary attacks or email
> harvesting? Is this machine the mail destination or just a gateway to
> another mail server?
>
>
> > True. Maybe we should just stop this email business. It's just a fad,
> > right? :)
>
> I'd laugh if I didn't have a customer once argue this with me.
>
>
> Regards,
> KAM

Re: [Mimedefang] filter_recipient
On 11 Nov 2004 at 11:39, Kevin A. McGrail wrote:

> define(`confMILTER_MACROS_ENVFROM', `rcpt_host, rcpt_mailer, rcpt_addr')dnl
>
> This is just a starting point, untested, etc. but I am 99% certain this is
> the right path.

This seems to be the default for the m4 config in current sendmail versions if you have any INPUT_MAIL_FILTER lines.

--
Jeff Rife         |
SPAM bait:        | http://www.nabs.net/Cartoons/Pickles/Adoration.gif
[EMAIL PROTECTED] |
[EMAIL PROTECTED] |

Re: [Mimedefang] filter_recipient
I can't speak to the "mimedefang -a" part of your post, but something I recently learned the hard way:

On Thu, Nov 11, 2004 at 11:39:33AM -0500, Kevin A. McGrail wrote:
> define(`confMILTER_MACROS_ENVFROM', `rcpt_host, rcpt_mailer, rcpt_addr')dnl

Setting that overwrites the default set of milter macros, which is quite long, so doing that may eliminate one you need. A post on Usenet I found recommends this form:

define(`confMILTER_MACROS_FOO', confMILTER_MACROS_FOO`, bar')dnl

where "bar" is what you want to add... that apparently "appends" to the list of milter macros rather than overwriting it. The Sendmail cf README documents the default set for each milter macro conf. option.

--
Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN
Other contact information: http://kepler.its.bethel.edu/~bjn/contact.html

[Mimedefang] Custom Configuration
Hi all,

I'm using amavisd-new and Maia as the web interface so that users can easily manage their w/b lists and spam/virus/attachment settings.

However, I would still like to use MIMEDefang for

1. Envelope/header checking in filter_recipient(): reject anyone who claims to be sending from the internal domain.
2. LDAP lookup on RCPT TO: verify valid mailbox before accepting data.

but not anything else, because I want amavisd-new to handle spam and virus checking. Is this possible? And how should I go about it?

Many thanks,
Yang

Re: [Mimedefang] filter_recipient
Steve,

Those 3 values for the filter_recipient are defined with info from Sendmail Macros. I've never used them before but my educated starting point is that you have to change your mimedefang to run with these parameters

"-a rcpt_host -a rcpt_mailer -a rcpt_addr"

and edit / recompile your sendmail.mc with a line like this

define(`confMILTER_MACROS_ENVFROM', `rcpt_host, rcpt_mailer, rcpt_addr')dnl

This is just a starting point, untested, etc. but I am 99% certain this is the right path.

Regards,
KAM

> I wrote a subroutine using filter_recipient to whitelist. It reads
> /etc/mail/access, looks for OK or RELAY, and whitelists those entries. It
> works for $sender and $recipient but not for $rcpt_host. Using md_syslog I found
> that while I am getting values for $recipient, $sender, $ip, $hostname,
> $first, and $helo, I am not getting values for $rcpt_mailer $rcpt_host or
> $rcpt_address.

Re: [Mimedefang] MIME Virus Issue?
Quoting Chris Masters <[EMAIL PROTECTED]> Date: Thu, 11 Nov 2004 06:21:16

> Hi All,
>
> We've just had an incident where 2 or more viruses
> have got through our scanners. The virus was
> [EMAIL PROTECTED] and was packaged with the following
> Content-Type header:
>
>Content-Type: multipart/mixed; boundary=""
>
> We're using mimedefang-2.43 and *old*
> MIME-tools-5.411a-RP-Patched-02.

There was a bug in old versions of MIME-tools. If boundary was empty string (as in your case), mail was not parsed correctly. It was fixed in version 5.415.

It might be a good idea to upgrade MIMEDefang to current 2.48, since there were a couple of small bugs fixed there too (although not as important as the bug in MIME-tools).

--
Aleksandar Milivojevic <[EMAIL PROTECTED]>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

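A header-level check for the condition discussed in this reply, as an added example that is not MIMEDefang or MIME-tools code: it flags a multipart message whose boundary parameter is missing, empty, or never used in the body, independently of whether the MIME parser splits the message into parts. The function names and the sample message are constructed for illustration; how the raw message text reaches the function is left to the caller.

```perl
#!/usr/bin/perl
# Added example, not MIMEDefang or MIME-tools code: flag multipart messages
# whose boundary parameter is missing, empty, or never used in the body.
use strict;
use warnings;

# Return a reason string if the multipart framing is suspect, or undef if
# it looks well formed (or the message is not multipart at all).
sub suspect_multipart {
    my ($raw) = @_;
    my ($head, $body) = split /\r?\n\r?\n/, $raw, 2;
    $body = '' unless defined $body;
    $head =~ s/\r?\n[ \t]+/ /g;                  # unfold continuation lines
    my ($ctype) = $head =~ /^Content-Type:[ \t]*(.*)$/mi;
    return unless defined $ctype && $ctype =~ m{^multipart/}i;

    # The boundary may be a quoted string (possibly empty) or a bare token.
    my ($quoted, $bare) =
        $ctype =~ /;\s*boundary\s*=\s*(?:"([^"]*)"|([^\s;"]+))/i;
    my $boundary = defined $quoted ? $quoted : $bare;
    return 'multipart without a boundary parameter' unless defined $boundary;
    return 'multipart with an empty boundary'       if $boundary eq '';
    return 'boundary never appears in the body'
        unless $body =~ /^--\Q$boundary\E(?:--)?[ \t]*\r?$/m;
    return;
}

# Constructed sample built around the headers quoted in the thread.
sub sample_message {
    my ($bnd) = @_;
    return join "\r\n",
        'MIME-Version: 1.0',
        qq{Content-Type: multipart/mixed; boundary="$bnd"},
        '',
        "--$bnd",
        'Content-Type: application/x-zip-compressed; name="jenifer.zip"',
        'Content-Transfer-Encoding: base64',
        '',
        '(payload omitted)',
        "--$bnd--",
        '';
}

for my $bnd ('', 'b1') {
    my $reason = suspect_multipart(sample_message($bnd));
    printf "boundary=\"%s\": %s\n", $bnd,
        defined $reason ? "SUSPECT ($reason)" : 'ok';
}
```

A filter can treat a defined result as grounds to quarantine or reject the whole message, since per-part scanning cannot be relied on when the parser yields no parts.
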
[Mimedefang] filter_recipient
I wrote a subroutine using filter_recipient to whitelist. It reads /etc/mail/access, looks for OK or RELAY, and whitelists those entries. It works for $sender and $recipient but not for $rcpt_host. Using md_syslog I found that while I am getting values for $recipient, $sender, $ip, $hostname, $first, and $helo, I am not getting values for $rcpt_mailer $rcpt_host or $rcpt_address.

Nov 11 08:45:55 open1 mimedefang.pl[29791]: $rcpt_host is ?
Nov 11 08:45:55 open1 mimedefang.pl[29791]: $rcpt_addr is ?
Nov 11 08:45:55 open1 mimedefang.pl[29791]: $rcpt_mailer is ?

I was wondering why this could be? I am assigning the variables just like the mimedefang-filter suggests:

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

Thanks for the help,
Steve Cohen

Re: [Mimedefang] MIME Virus Issue?
On Thu, 11 Nov 2004, Chris Masters wrote:

> We're using mimedefang-2.43 and *old*
> MIME-tools-5.411a-RP-Patched-02.

Upgrade to MIME-tools-5.415 ASAP.

> Is this an issue because we're using an old
> MIME::Tools?

Yes.

--
David.

[Mimedefang] MIME Virus Issue?
Hi All,

We've just had an incident where 2 or more viruses have got through our scanners. The virus was [EMAIL PROTECTED] and was packaged with the following Content-Type header:

Content-Type: multipart/mixed; boundary=""

We're using mimedefang-2.43 and *old* MIME-tools-5.411a-RP-Patched-02.

Although the email contained the following zip file, 'filter' was never called.

Content-Type: application/x-zip-compressed; name="jenifer.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="jenifer.zip"

We currently scan the whole message from 'filter_begin' and if positive each entity from 'filter' (for removal/cleaning). So, the whole message was scanned with 3 virus scanners but each entity was not scanned because filter was never called.

So, a couple of questions:

Is this an issue because we're using an old MIME::Tools?

Could this be a MIME package exploit of some kind?

We have the full intact message in a msg format, but I'm guessing that this has been reformatted (from the original raw format of the message as it went through the scanner) by the outlook client. We have other details (logs etc) if this should be taken off-line.

Thanks for your help on this.

Chris

Re: [Mimedefang] tmpfs on Linux
> How would you suggest I do this? I have tried setting MaxDaemonChildren
> to 20, but those quickly get eaten up and I just end up refusing lots of
> mail. What is the recommended course of action in this case?

Well, it just sounds like you need more RAM first which I think you agree on.

Second, you may need to lower the amount of time your MIMEDefang spends on messages. Have you considered turning off the SpamAssassin Network-Based tests?

Third, you need to look at your mail volume. Do you know how many messages per day/per hour you are getting? You might just simply need a more powerful machine or a cluster of machines to share the load.

Fourth, are you having any issues with dictionary attacks or email harvesting? Is this machine the mail destination or just a gateway to another mail server?

> True. Maybe we should just stop this email business. It's just a fad,
> right? :)

I'd laugh if I didn't have a customer once argue this with me.

Regards,
KAM

[Mimedefang] file descriptor warning only on fresh boot
Hello all,

Recently I noticed that when my server reboots the following appears in my log:

Nov 10 06:50:05 vir mimedefang-multiplexor[543]: WARNING: Something in your Perl filter appears to have opened a file descriptor outside of any function. With embedded Perl, you should move any code that opens a file descriptor into filter_initialize. DON'T BLAME MIMEDEFANG IF YOUR FILTER FAILS IN MYSTERIOUS AND UNPREDICTABLE WAYS.

Later, after the first message I get:

Nov 10 08:51:47 vir mimedefang-multiplexor[543]: Slave 0 stderr: Warning: unable to close filehandle LOGF properly.

When this occurs RBL checks in spamassassin no longer seem to occur. If I restart mimedefang I do not see these errors.

I understand the warning is in place because global file descriptors are not supported and will automatically be closed. However, as you can see from the attached file my filter is pretty standard and does not do anything wacky with files.

The system is running FreeBSD 5.3 RC2 with the following relevant ports:

mimedefang-2.48
p5-Convert-BinHex-1.119
p5-Digest-HMAC-1.01
p5-Digest-SHA1-2.10
p5-HTML-Parser-3.36
p5-HTML-Tagset-3.03
p5-IO-stringy-2.108
p5-MIME-Base64-3.05
p5-MIME-Tools-5.415,2
p5-Mail-SpamAssassin-3.0.1_1
p5-Mail-Tools-1.64
p5-Net-DNS-0.48
p5-URI-1.34
perl-5.8.5
razor-agents-2.61_3
clamav-0.80

The MIMEDefang spool directory is mounted off a swap-backed memory device:

Filesystem    Size    Used   Avail Capacity  Mounted on
/dev/md10     186M    8.0K    171M     0%    /var/spool/MIMEDefang

Any ideas what is going on? Am I doing something wrong? Any help is greatly appreciated. Thanks.

- Ben

(I am not on the list so please keep me CC'd)

mimedefang_config.tar.gz
Description: GNU Zip compressed data