[qmailtoaster] Re: qtp-newmodel ioctl problem

2012-12-14 Thread Eric Shubert

I presume you have selinux disabled?

I'm guessing that your sandbox may be corrupt (or more specifically, 
something in your sandbox). This might have happened if qtp-newmodel was 
interrupted for some reason, but I'm still just guessing about that.


There are 2 parts to the overlay sandbox, /mnt/qtp-sandbox/ and 
/opt/qtp-overlay/.


To clean things up, please
.) reboot the QMT host
.) # rm -rf /mnt/qtp-sandbox /opt/qtp-overlay

Then try qtp-newmodel once more.

Thanks.

--
-Eric 'shubes'
On 12/14/2012 05:34 PM, Jesús Arnáiz wrote:

Hi, is this info enough, or should I send more?

I tried a few more times but I always get the same error. Is there any
solution or workaround that I could try?

Thanks again.

El 12/12/2012 15:47, Jesús Arnáiz escribió:

Hi:

/mnt # umount disco2
# rmdir disco2
# ls
qtp-sandbox

I move (I can't delete it) this directory in order to start with a clean
sandbox:
root@mars /mnt # mv qtp-sandbox basura

I run qtp-newmodel again, same error:
-
qtp-newmodel
qtp-newmodel v0.3.18 starting Wed Dec 12 14:07:43 CET 2012
qtp-whatami v0.3.8 Wed Dec 12 14:07:43 CET 2012
REAL_DIST=CentOS
DISTRO=CentOS
OSVER=5.8
QTARCH=i686
QTKERN=2.6.18-164.11.1.el5PAE
BUILD_DIST=cnt50
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested

Let's get on with it!

The following packages have already been selected:
vpopmail-toaster-5.4.33-1.4.0.src.rpm
qmail-toaster-1.03-1.3.22.src.rpm
courier-authlib-toaster-0.59.2-1.3.10.src.rpm
courier-imap-toaster-4.1.2-1.3.10.src.rpm
autorespond-toaster-2.0.5-1.4.0.src.rpm
control-panel-toaster-0.5-1.4.0.src.rpm
qmailadmin-toaster-1.2.16-1.4.0.src.rpm
qmailmrtg-toaster-4.2-1.3.7.src.rpm
spamassassin-toaster-3.3.2-1.4.3.src.rpm
clamav-toaster-0.97.6-1.4.2.src.rpm
simscan-toaster-1.4.0-1.4.0.src.rpm
vqadmin-toaster-2.3.7-1.4.1.src.rpm

Do you want to process this selection?
Shall we continue? (yes, no|skip, batch, quit) [y] / n|s / b / q : y

Getting source packages ...(this may take a while)
vpopmail-toaster-5.4.33-1.4.0.src.rpm is already downloaded, bypassed
qmail-toaster-1.03-1.3.22.src.rpm is already downloaded, bypassed
courier-authlib-toaster-0.59.2-1.3.10.src.rpm is already downloaded,
bypassed
courier-imap-toaster-4.1.2-1.3.10.src.rpm is already downloaded, bypassed
autorespond-toaster-2.0.5-1.4.0.src.rpm is already downloaded, bypassed
control-panel-toaster-0.5-1.4.0.src.rpm is already downloaded, bypassed
qmailadmin-toaster-1.2.16-1.4.0.src.rpm is already downloaded, bypassed
qmailmrtg-toaster-4.2-1.3.7.src.rpm is already downloaded, bypassed
spamassassin-toaster-3.3.2-1.4.3.src.rpm is already downloaded, bypassed
clamav-toaster-0.97.6-1.4.2.src.rpm is already downloaded, bypassed
simscan-toaster-1.4.0-1.4.0.src.rpm is already downloaded, bypassed
vqadmin-toaster-2.3.7-1.4.1.src.rpm is already downloaded, bypassed
qtp-dependencies v0.3.2
qtp-install-rpmforge v0.4.0 - getting latest version of rpmforge-release
...
qtp-install-rpmforge - installed package rpmforge-release-0.5.2-2.el5.rf
is the latest - nothing done.

qtp-dependencies - installing  compat-libf2c compat-libgcc
compat-libsdc++-33 ...
Loaded plugins: allowdowngrade, fastestmirror, replace, security
Loading mirror speeds from cached hostfile
  * base: ftp.plusline.de
  * epel: ftp-stud.hs-esslingen.de
  * extras: ftp.plusline.de
  * ius: ftp.rediris.es
  * updates: ftp.plusline.de
http://nodejs.tchol.org/stable/el5/i386/repodata/repomd.xml: [Errno 4]
IOError: 
Trying other mirror.
Setting up Install Process
No package compat-libf2c available.
No package compat-libgcc available.
No package compat-libsdc++-33 available.
Nothing to do

qtp-dependencies - updating toaster (mostly spamassassin) dependencies
...
Loaded plugins: allowdowngrade, fastestmirror, replace, security
Loading mirror speeds from cached hostfile
  * base: ftp.plusline.de
  * epel: ftp-stud.hs-esslingen.de
  * extras: ftp.plusline.de
  * ius: ftp.rediris.es
  * rpmforge: mirror1.hs-esslingen.de
  * updates: ftp.plusline.de
http://nodejs.tchol.org/stable/el5/i386/repodata/repomd.xml: [Errno 4]
IOError: 
Trying other mirror.
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update

Would you like a unionfs/overlay sandbox? (recommended) [y]/n: y

Using FUSE union filesystem ...
qtp-mount-sandbox v0.3.3
qtp-mount-sandbox - updating dependencies ...
Loaded plugins: allowdowngrade, fastestmirror, replace, security
Loading mirror speeds from cached hostfile
  * base: ftp.plusline.de
  * epel: ftp-stud.hs-esslingen.de
  * extras: ftp.plusline.de
  * ius: ftp.rediris.es
  * rpmforge: mirror1.hs-esslingen.de
  * updates: ftp.plusline.de
http://nodejs.tchol.org/stable/el5/i386/repodata/repomd.xml: [Errno 4]
IOError: 
Trying other mirror.
qtp-CentOS  |  951 B
00:00
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update
qtp-mount-sandbox: sandbox mounted successfully

Starting to build the binary rpms ...(pizza an

[qmailtoaster] Re: Disabling ClamAV heuristic phishing checks

2012-12-14 Thread Eric Shubert

On 12/14/2012 11:19 AM, Brent Gardner wrote:

On 12/14/2012 10:23 AM, Eric Shubert wrote:

On 12/13/2012 02:33 PM, Brent Gardner wrote:

On 12/12/2012 04:53 PM, Eric Shubert wrote:

On 12/12/2012 11:18 AM, Brent Gardner wrote:

We were getting false positives caused by a heuristic anti-phishing
check in ClamAV.  We'd see log messages like:

2012-12-10 09:20:05.648516500
simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.63:healt030201212100700560763005840.amex.m...@welcome.aexp.com:u...@example.com





In the last month, all but one hit on this signature were for legitimate
messages coming from American Express.

Going off of info found here:
http://lurker.clamav.net/message/20101130.100352.010692f7.en.html,  I
disabled phishing URL checks in ClamAV by restarting clamd after putting
this line in /etc/clamd.conf:

 PhishingScanURLs no


This also disables the following ClamAV checks, which we weren't getting
any hits on:

 Heuristics.Phishing.Email
 Heuristics.Phishing.Email.Cloaked.Null
 Heuristics.Phishing.Email.Cloaked.NumericIP
 Heuristics.Phishing.Email.Cloaked.Username
 Heuristics.Phishing.Email.SpoofedDomain
 Heuristics.Phishing.Email.SSL-Spoof
 Heuristics.Phishing.URL.Blacklisted


fyi


Brent Gardner



-


I had a similar problem with Chase and sane security. Instead of
defeating the checks though, I set up entries in the tcp.smtp file for
Chase's servers, which don't do scanning at all, like this:
151.151.65.96-126:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"


There are 14 tcp.smtp records in all. I hope they don't change their
outbound servers around very often. ;)


Yeah, I considered doing that but I couldn't find a list of AMEX's
outbound servers.  Too bad you can't put FQDNs in tcp.smtp.  Plus, it
appears that the now-disabled check was producing false positives 95% of
the time.


Brent Gardner





-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




FWIW, I garnered Chase's IPs from their SPF record. ;)


Clever ;)

-


Yeah, I thought so.

So today my wife informs me that our latest AMEX statement was rejected. 
(Sounds familiar, I think to myself).


I just checked the AMEX SPF record, and here's what I came up with for 
addition to my tcp.smtp file:

# these are American Express email senders
12.10.219.:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
203.19.215.67:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
192.102.253.34-36:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
193.32.34.9:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
193.32.34.30:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
193.32.34.73-74:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
# end of aexp.com senders

These entries effectively bypass scanning (both SA and clamav), but 
don't allow relaying to external domains.


You might be able to get all of them with a single rule such as:
=>.aexp.com:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
It's not terribly difficult to forge an rDNS name though, so I'm a 
little leery about using the hostname format in the tcp.smtp file. In 
fact, the man tcprules page suggests using the -p option for tcpserver 
when using TCPHOSTNAME rules, but I don't think that's practical.


If anyone is interested in the senders for jpmchase.com, I can post what 
I have for them too.


Thanks Brent.

--
-Eric 'shubes'
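
Turning a sender's SPF record into tcp.smtp entries like the ones in the message above, as an added example that is not part of the original post or of QMT. The SPF record is constructed from documentation address ranges, the function names are hypothetical, and `include:` and other non-`ip4` terms are only listed for manual review, not resolved.

```python
import ipaddress
import re

# Per-connection settings copied from the tcp.smtp entries quoted above.
NOSCAN_SETTINGS = (
    'allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",'
    'CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",'
    'NOP0FCHECK="1"'
)

# Constructed SPF record (documentation address ranges, not a real sender).
SAMPLE_SPF = (
    "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.34/31 ip4:203.0.113.67 "
    "ip4:198.51.100.128/25 include:_spf.example.net ~all"
)


def parse_spf(record):
    """Split an SPF record into ip4 CIDR strings and terms needing review."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    cidrs, unresolved = [], []
    for term in terms[1:]:
        if term[0] in "-~?":
            continue  # fail/softfail/neutral terms never justify an allow rule
        body = term.lstrip("+")
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name == "all":
            # "+all" authorizes the whole Internet; a scan bypass must not follow it.
            raise ValueError("record passes every sender; refusing to whitelist")
        if name == "ip4" and ":" in body:
            cidrs.append(body.split(":", 1)[1])
        else:
            unresolved.append(term)  # include:, a, mx, ip6, redirect=, ...
    return cidrs, unresolved


def cidr_to_pattern(cidr):
    """Express one IPv4 network as a single tcprules address pattern."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen < 8:
        raise ValueError(f"{cidr}: too broad for a scan-bypass rule")
    if net.prefixlen == 32:
        return str(net.network_address)
    first = net.network_address.packed
    last = net.broadcast_address.packed
    idx = net.prefixlen // 8  # first octet not fully fixed by the prefix
    pattern = ".".join(str(b) for b in first[:idx]) + "."
    if net.prefixlen % 8 == 0:
        return pattern  # e.g. 192.0.2.0/24 -> "192.0.2."
    # tcprules range shorthand on the partially fixed octet, e.g. "34-35".
    pattern += f"{first[idx]}-{last[idx]}"
    return pattern if idx == 3 else pattern + "."


def spf_to_tcprules(record, label):
    """Return tcp.smtp lines for the record's ip4 terms, plus review comments."""
    cidrs, unresolved = parse_spf(record)
    lines = [f"# these are {label} email senders"]
    lines += [f"{cidr_to_pattern(c)}:{NOSCAN_SETTINGS}" for c in cidrs]
    lines += [f"# not expanded, review by hand: {t}" for t in unresolved]
    lines.append(f"# end of {label} senders")
    return lines


if __name__ == "__main__":
    print("\n".join(spf_to_tcprules(SAMPLE_SPF, "example.com")))
```

Because every generated rule bypasses scanning for the matched addresses, the script refuses networks wider than /8 and records that pass all senders.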




Re: [qmailtoaster] Re: qtp-newmodel ioctl problem

2012-12-14 Thread Jesús Arnáiz

Hi, is this info enough, or should I send more?

I tried a few more times but I always get the same error. Is there any 
solution or workaround that I could try?


Thanks again.

El 12/12/2012 15:47, Jesús Arnáiz escribió:

Hi:

/mnt # umount disco2
# rmdir disco2
# ls
qtp-sandbox

I move (I can't delete it) this directory in order to start with a clean
sandbox:
root@mars /mnt # mv qtp-sandbox basura

I run qtp-newmodel again, same error:
-
qtp-newmodel
qtp-newmodel v0.3.18 starting Wed Dec 12 14:07:43 CET 2012
qtp-whatami v0.3.8 Wed Dec 12 14:07:43 CET 2012
REAL_DIST=CentOS
DISTRO=CentOS
OSVER=5.8
QTARCH=i686
QTKERN=2.6.18-164.11.1.el5PAE
BUILD_DIST=cnt50
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested

Let's get on with it!

The following packages have already been selected:
vpopmail-toaster-5.4.33-1.4.0.src.rpm
qmail-toaster-1.03-1.3.22.src.rpm
courier-authlib-toaster-0.59.2-1.3.10.src.rpm
courier-imap-toaster-4.1.2-1.3.10.src.rpm
autorespond-toaster-2.0.5-1.4.0.src.rpm
control-panel-toaster-0.5-1.4.0.src.rpm
qmailadmin-toaster-1.2.16-1.4.0.src.rpm
qmailmrtg-toaster-4.2-1.3.7.src.rpm
spamassassin-toaster-3.3.2-1.4.3.src.rpm
clamav-toaster-0.97.6-1.4.2.src.rpm
simscan-toaster-1.4.0-1.4.0.src.rpm
vqadmin-toaster-2.3.7-1.4.1.src.rpm

Do you want to process this selection?
Shall we continue? (yes, no|skip, batch, quit) [y] / n|s / b / q : y

Getting source packages ...(this may take a while)
vpopmail-toaster-5.4.33-1.4.0.src.rpm is already downloaded, bypassed
qmail-toaster-1.03-1.3.22.src.rpm is already downloaded, bypassed
courier-authlib-toaster-0.59.2-1.3.10.src.rpm is already downloaded,
bypassed
courier-imap-toaster-4.1.2-1.3.10.src.rpm is already downloaded, bypassed
autorespond-toaster-2.0.5-1.4.0.src.rpm is already downloaded, bypassed
control-panel-toaster-0.5-1.4.0.src.rpm is already downloaded, bypassed
qmailadmin-toaster-1.2.16-1.4.0.src.rpm is already downloaded, bypassed
qmailmrtg-toaster-4.2-1.3.7.src.rpm is already downloaded, bypassed
spamassassin-toaster-3.3.2-1.4.3.src.rpm is already downloaded, bypassed
clamav-toaster-0.97.6-1.4.2.src.rpm is already downloaded, bypassed
simscan-toaster-1.4.0-1.4.0.src.rpm is already downloaded, bypassed
vqadmin-toaster-2.3.7-1.4.1.src.rpm is already downloaded, bypassed
qtp-dependencies v0.3.2
qtp-install-rpmforge v0.4.0 - getting latest version of rpmforge-release
...
qtp-install-rpmforge - installed package rpmforge-release-0.5.2-2.el5.rf
is the latest - nothing done.

qtp-dependencies - installing  compat-libf2c compat-libgcc
compat-libsdc++-33 ...
Loaded plugins: allowdowngrade, fastestmirror, replace, security
Loading mirror speeds from cached hostfile
  * base: ftp.plusline.de
  * epel: ftp-stud.hs-esslingen.de
  * extras: ftp.plusline.de
  * ius: ftp.rediris.es
  * updates: ftp.plusline.de
http://nodejs.tchol.org/stable/el5/i386/repodata/repomd.xml: [Errno 4]
IOError: 
Trying other mirror.
Setting up Install Process
No package compat-libf2c available.
No package compat-libgcc available.
No package compat-libsdc++-33 available.
Nothing to do

qtp-dependencies - updating toaster (mostly spamassassin) dependencies ...
Loaded plugins: allowdowngrade, fastestmirror, replace, security
Loading mirror speeds from cached hostfile
  * base: ftp.plusline.de
  * epel: ftp-stud.hs-esslingen.de
  * extras: ftp.plusline.de
  * ius: ftp.rediris.es
  * rpmforge: mirror1.hs-esslingen.de
  * updates: ftp.plusline.de
http://nodejs.tchol.org/stable/el5/i386/repodata/repomd.xml: [Errno 4]
IOError: 
Trying other mirror.
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update

Would you like a unionfs/overlay sandbox? (recommended) [y]/n: y

Using FUSE union filesystem ...
qtp-mount-sandbox v0.3.3
qtp-mount-sandbox - updating dependencies ...
Loaded plugins: allowdowngrade, fastestmirror, replace, security
Loading mirror speeds from cached hostfile
  * base: ftp.plusline.de
  * epel: ftp-stud.hs-esslingen.de
  * extras: ftp.plusline.de
  * ius: ftp.rediris.es
  * rpmforge: mirror1.hs-esslingen.de
  * updates: ftp.plusline.de
http://nodejs.tchol.org/stable/el5/i386/repodata/repomd.xml: [Errno 4]
IOError: 
Trying other mirror.
qtp-CentOS  |  951 B 00:00
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update
qtp-mount-sandbox: sandbox mounted successfully

Starting to build the binary rpms ...(pizza anyone?)

If you want to view compile messages, you can open another terminal and:
# tail -f /mnt/qtp-sandbox/usr/src/qtp-upgrade/log/build-recent.log

qtp-build-rpms v0.3.7
qtp-remove-pkgs v0.3.1
REMOVED control-panel-toaster from sandbox (not for real)
Building vpopmail-toaster-5.4.33-1.4.0 ...
Installing vpopmail-toaster-5.4.33-1.4.0 in the sandbox ...
Building qmail-toaster-1.03-1.3.22 ...
Installing qmail-toaster-1.03-1.3.22 in the sandbox ...
Building courier-authlib-toaster-0.59.2-1.3.10 ...
Installing courier-authlib-toaster

Re: [qmailtoaster] Re: Disabling ClamAV heuristic phishing checks

2012-12-14 Thread Brent Gardner

On 12/14/2012 10:23 AM, Eric Shubert wrote:

On 12/13/2012 02:33 PM, Brent Gardner wrote:

On 12/12/2012 04:53 PM, Eric Shubert wrote:

On 12/12/2012 11:18 AM, Brent Gardner wrote:

We were getting false positives caused by a heuristic anti-phishing
check in ClamAV.  We'd see log messages like:

2012-12-10 09:20:05.648516500
simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.63:healt030201212100700560763005840.amex.m...@welcome.aexp.com:u...@example.com 






In the last month, all but one hit on this signature were for legitimate
messages coming from American Express.

Going off of info found here:
http://lurker.clamav.net/message/20101130.100352.010692f7.en.html,  I
disabled phishing URL checks in ClamAV by restarting clamd after putting
this line in /etc/clamd.conf:

 PhishingScanURLs no


This also disables the following ClamAV checks, which we weren't getting
any hits on:

 Heuristics.Phishing.Email
 Heuristics.Phishing.Email.Cloaked.Null
 Heuristics.Phishing.Email.Cloaked.NumericIP
 Heuristics.Phishing.Email.Cloaked.Username
 Heuristics.Phishing.Email.SpoofedDomain
 Heuristics.Phishing.Email.SSL-Spoof
 Heuristics.Phishing.URL.Blacklisted


fyi


Brent Gardner



-


I had a similar problem with Chase and sane security. Instead of
defeating the checks though, I set up entries in the tcp.smtp file for
Chase's servers, which don't do scanning at all, like this:
151.151.65.96-126:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1" 



There are 14 tcp.smtp records in all. I hope they don't change their
outbound servers around very often. ;)


Yeah, I considered doing that but I couldn't find a list of AMEX's
outbound servers.  Too bad you can't put FQDNs in tcp.smtp.  Plus, it
appears that the now-disabled check was producing false positives 95% of
the time.


Brent Gardner









FWIW, I garnered Chase's IPs from their SPF record. ;)


Clever ;)






[qmailtoaster] Re: Problem sending mail to comcast.net

2012-12-14 Thread Eric Shubert
I would think it would start working as soon as it's active (service is 
running) and you have 127.0.0.1 listed first in your /etc/resolv.conf. 
Anyway, glad to hear it's working now.


--
-Eric 'shubes'

On 12/14/2012 06:19 AM, Rvaught wrote:

By late afternoon emails to Comcast.net started going out . The only change
was installing pdns-recursor earlier in the day .
Does pdns-recursor take awhile to start working ?

Much thanks for everyone's help.

Rick

-Original Message-
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Thursday, December 13, 2012 10:15 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Problem sending mail to comcast.net

When I dig comcast.net using pdns, the reply is much smaller than when using
bind. Bind returns very close to 512 bytes, while pdns is just under 100
bytes. This is true when using "-t MX" as well (which is what I expect qmail
is doing).

Replies from pdns are *much* smaller, so it appears that pdns is running ok.

I'm not seeing any cname records. Can you poke around and see what might be
causing a cname lookup of some sort?









[qmailtoaster] Re: info my qmailtoaster

2012-12-14 Thread Eric Shubert

You can simply run the qtp-install-spamdyke script.
You should probably check that your qmailtoaster-plus package is up to 
date first:

# yum update qmailtoaster-plus

If you haven't installed QTP yet, see http://qtp.qmailtoaster.com/ for 
directions.


On 12/14/2012 01:24 AM, Giuseppe Perna wrote:

Thanks Eric for your reply.
Must I first upgrade something, or can I install spamdyke directly?
thanks


2012/12/14 Eric Shubert :

http://wiki.qmailtoaster.com/index.php/Spamdyke
Spamdyke will be part of the "stock" QMT in the future.
In the meantime, the qtp-install-spamdyke script gets you going.

IMO, spamdyke is the best anti-spam program available. If I had to choose
only one, spamdyke would be it (over spamassassin even).

--
-Eric 'shubes'


On 12/13/2012 09:38 AM, Giuseppe Perna wrote:


Hi all,
I would like to know what kind of server I'm using qmailtoaster.
Let me try to understand why I get so much spam and if my server is
an open relay
I plugged in \ var \ qmail \ control \ blacklist "-r zen.spamhaus.org"
but it has no effect, I do not see "rblsmtpd: 197.7.58.229 pid 12666:
451 http://www.spamhaus.org/query/ bl? ip = 197.7.58.229 "

thanks

i have this output:

   rpm -qa |grep qmail

qmail-toaster-1.03-1.3.15
qmailadmin-toaster-1.2.11-1.3.4
qmailtoaster-plus-0.3.0-1.4.4
qmail-pop3d-toaster-1.03-1.3.15
qmailmrtg-toaster-4.2-1.3.3


cat /etc/tcprules.d/tcp.smtp

127.:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1"
10.72.:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1"
212.xx.xx.x:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1"
85.x.x.xx:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1"

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="600",CHKUSER_WRONGRCPTLIMIT="600",QMAILQUEUE="/var/qmail/bin/simscan",NOP0FCHECK="1"

qmailctl stat

authlib: up (pid 23868) 2296 seconds
clamd: up (pid 23869) 2296 seconds
imap4: up (pid 23916) 2296 seconds
imap4-ssl: up (pid 23871) 2296 seconds
pop3: up (pid 23855) 2297 seconds
pop3-ssl: up (pid 23888) 2296 seconds
send: up (pid 23889) 2296 seconds
smtp: up (pid 23854) 2296 seconds
spamd: up (pid 23890) 2296 seconds
submission: up (pid 23899) 2296 seconds
authlib/log: up (pid 23862) 2297 seconds
clamd/log: up (pid 23870) 2296 seconds
imap4/log: up (pid 23917) 2296 seconds
imap4-ssl/log: up (pid 23872) 2296 seconds
pop3/log: up (pid 23853) 2297 seconds
pop3-ssl/log: up (pid 23882) 2296 seconds
send/log: up (pid 23895) 2296 seconds
smtp/log: up (pid 23867) 2296 seconds
spamd/log: up (pid 23877) 2296 seconds
submission/log: up (pid 23887) 2296 seconds






--
-Eric 'shubes'




[qmailtoaster] Re: Disabling ClamAV heuristic phishing checks

2012-12-14 Thread Eric Shubert

On 12/13/2012 02:33 PM, Brent Gardner wrote:

On 12/12/2012 04:53 PM, Eric Shubert wrote:

On 12/12/2012 11:18 AM, Brent Gardner wrote:

We were getting false positives caused by a heuristic anti-phishing
check in ClamAV.  We'd see log messages like:

2012-12-10 09:20:05.648516500
simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.63:healt030201212100700560763005840.amex.m...@welcome.aexp.com:u...@example.com




In the last month, all but one hit on this signature were for legitimate
messages coming from American Express.

Going off of info found here:
http://lurker.clamav.net/message/20101130.100352.010692f7.en.html,  I
disabled phishing URL checks in ClamAV by restarting clamd after putting
this line in /etc/clamd.conf:

 PhishingScanURLs no


This also disables the following ClamAV checks, which we weren't getting
any hits on:

 Heuristics.Phishing.Email
 Heuristics.Phishing.Email.Cloaked.Null
 Heuristics.Phishing.Email.Cloaked.NumericIP
 Heuristics.Phishing.Email.Cloaked.Username
 Heuristics.Phishing.Email.SpoofedDomain
 Heuristics.Phishing.Email.SSL-Spoof
 Heuristics.Phishing.URL.Blacklisted


fyi


Brent Gardner



-


I had a similar problem with Chase and sane security. Instead of
defeating the checks though, I set up entries in the tcp.smtp file for
Chase's servers, which don't do scanning at all, like this:
151.151.65.96-126:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"

There are 14 tcp.smtp records in all. I hope they don't change their
outbound servers around very often. ;)


Yeah, I considered doing that but I couldn't find a list of AMEX's
outbound servers.  Too bad you can't put FQDNs in tcp.smtp.  Plus, it
appears that the now-disabled check was producing false positives 95% of
the time.


Brent Gardner









FWIW, I garnered Chase's IPs from their SPF record. ;)

--
-Eric 'shubes'




[qmailtoaster] Re: DMARC, anyone?

2012-12-14 Thread Eric Shubert

On 12/13/2012 12:53 PM, Casey James Price wrote:

Recently came across an interesting sounding approach for combating spam
and forged senders. Just wanted to see if anyone else has heard about
this, tried deploying it, or if it is something Qmailtoaster is capable
of doing.

Domain-based Message Authentication, Reporting & Conformance

http://dmarc.org/overview.html

--
/*Casey James Price*/
Operations/Technical Support

Smile Global
www.smileglobal.com 




Looks interesting. QMT's not presently capable of doing this. We need to 
get DKIM integrated with the stock QMT first.


I'd like to see this incorporated into QMT at some point. If anyone 
would like to work on it, they're more than welcome to. I'd be 
interested to see if anyone's developed a patch for qmail for this.


--
-Eric 'shubes'




RE: [qmailtoaster] Re: Problem sending mail to comcast.net

2012-12-14 Thread Rvaught
By late afternoon emails to Comcast.net started going out . The only change
was installing pdns-recursor earlier in the day .
Does pdns-recursor take awhile to start working ?

Much thanks for everyone's help.

Rick  

-Original Message-
From: Eric Shubert [mailto:e...@shubes.net] 
Sent: Thursday, December 13, 2012 10:15 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Problem sending mail to comcast.net

When I dig comcast.net using pdns, the reply is much smaller than when using
bind. Bind returns very close to 512 bytes, while pdns is just under 100
bytes. This is true when using "-t MX" as well (which is what I expect qmail
is doing).

Replies from pdns are *much* smaller, so it appears that pdns is running ok.

I'm not seeing any cname records. Can you poke around and see what might be
causing a cname lookup of some sort?


-- 
-Eric 'shubes'

On 12/13/2012 09:46 AM, rvau...@libertycasting.com wrote:
> This is what I get when I dig comcast.net
>
> [root@mail1 pdns-recursor]# dig  comcast.net
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.5 <<>> comcast.net
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15929
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;comcast.net. IN  A
>
> ;; ANSWER SECTION:
> comcast.net. 2530IN A   207.223.8.109
> comcast.net. 2530IN A   76.96.39.101
> comcast.net. 2530IN A   207.223.8.110
> comcast.net. 2530IN A   76.96.39.102
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Dec 13 11:39:38 2012
> ;; MSG SIZE  rcvd: 93
>
>  > Have you done any DNS testing to see if comcast.net resolves?
>  >
>  > On 12/13/2012 04:53 AM, Rvaught wrote:
>  >
>  > My resolv.conf has :
>  >
>  > Search libertycasting.com
>  >
>  > Nameserver 192.168.120.20 ( this local a network dns forwarder)
>  >
>  > I still have bind installed . I think on my old server I was running the
>  > tinydns.
>  >
>  > I installed pdns-recursor package
>  >
>  > Still have same problem
>  >
>  > -Original Message-
>  > From: Eric Shubert [mailto:e...@shubes.net]
>  > Sent: Wednesday, December 12, 2012 1:17 PM
>  > To: qmailtoaster-list@qmailtoaster.com
>  > Subject: [qmailtoaster] Re: Problem sending mail to comcast.net
>  >
>  > On 12/12/2012 11:00 AM, Rvaught wrote:
>  >
>  > Since I have set up my new QMT server I am having trouble sending mail
>  > to this domain. This is the error I receive:
>  >
>  > <chlevi...@comcast.net>:
>  >
>  > CNAME lookup failed temporarily. (#4.4.3) I'm not going to try again;
>  > this message has been in the queue too long.
>  >
>  > Not sure about what I need to adjust.
>  >
>  > I also like to thank everyone for help on previous problems.
>  >
>  > Rick
>  >
>  > Liberty Casting
>  >
>  > What are you using for a DNS resolver? (cat /etc/resolv.conf)
>  >
>  > I recommend using the pdns-recursor package. It's available via yum from
>  > the centos repos.
>  >
>  > --
>  > -Eric 'shubes'
>  >
>





Re: [qmailtoaster] Re: info my qmailtoaster

2012-12-14 Thread Giuseppe Perna
Thanks Eric for your reply.
Must I first upgrade something, or can I install spamdyke directly?
thanks


2012/12/14 Eric Shubert :
> http://wiki.qmailtoaster.com/index.php/Spamdyke
> Spamdyke will be part of the "stock" QMT in the future.
> In the meantime, the qtp-install-spamdyke script gets you going.
>
> IMO, spamdyke is the best anti-spam program available. If I had to choose
> only one, spamdyke would be it (over spamassassin even).
>
> --
> -Eric 'shubes'
>
>
> On 12/13/2012 09:38 AM, Giuseppe Perna wrote:
>>
>> Hi all,
>> I would like to know what kind of server I'm using qmailtoaster.
>> Let me try to understand why I get so much spam and if my server is
>> an open relay
>> I plugged in \ var \ qmail \ control \ blacklist "-r zen.spamhaus.org"
>> but it has no effect, I do not see "rblsmtpd: 197.7.58.229 pid 12666:
>> 451 http://www.spamhaus.org/query/ bl? ip = 197.7.58.229 "
>>
>> thanks
>>
>> i have this output:
>>
>>   rpm -qa |grep qmail
>>
>> qmail-toaster-1.03-1.3.15
>> qmailadmin-toaster-1.2.11-1.3.4
>> qmailtoaster-plus-0.3.0-1.4.4
>> qmail-pop3d-toaster-1.03-1.3.15
>> qmailmrtg-toaster-4.2-1.3.3
>>
>>
>> cat /etc/tcprules.d/tcp.smtp
>>
>> 127.:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1"
>> 10.72.:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1"
>> 212.xx.xx.x:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1"
>> 85.x.x.xx:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1"
>>
>> :allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="600",CHKUSER_WRONGRCPTLIMIT="600",QMAILQUEUE="/var/qmail/bin/simscan",NOP0FCHECK="1"
>>
>> qmailctl stat
>>
>> authlib: up (pid 23868) 2296 seconds
>> clamd: up (pid 23869) 2296 seconds
>> imap4: up (pid 23916) 2296 seconds
>> imap4-ssl: up (pid 23871) 2296 seconds
>> pop3: up (pid 23855) 2297 seconds
>> pop3-ssl: up (pid 23888) 2296 seconds
>> send: up (pid 23889) 2296 seconds
>> smtp: up (pid 23854) 2296 seconds
>> spamd: up (pid 23890) 2296 seconds
>> submission: up (pid 23899) 2296 seconds
>> authlib/log: up (pid 23862) 2297 seconds
>> clamd/log: up (pid 23870) 2296 seconds
>> imap4/log: up (pid 23917) 2296 seconds
>> imap4-ssl/log: up (pid 23872) 2296 seconds
>> pop3/log: up (pid 23853) 2297 seconds
>> pop3-ssl/log: up (pid 23882) 2296 seconds
>> send/log: up (pid 23895) 2296 seconds
>> smtp/log: up (pid 23867) 2296 seconds
>> spamd/log: up (pid 23877) 2296 seconds
>> submission/log: up (pid 23887) 2296 seconds
>>
>>
>>
>
>
>
>
