Any amavisd-milter help out there?
Hope for some insight into what I'm looking at...

Brand new install Scalix/SuSE11.1/Amavis/Amavisd1.4/SA/ClamAV, following the How To published on the Scalix Wiki at
http://www.scalix.com/wiki/index.php?title=Scalix/Sendmail_%26_Amavisd-New_HOWTO

All seemed to be working except when I attempted to install the amavisd-milter initialization scripts at
http://www.scalix.com/wiki/index.php?title=Scalix/Sendmail_%26_Amavisd-New_HOWTO#Initscripts.2FSysconfig_files_for_amavisd-milter

The resulting errors complain about missing LSB tags and overrides for 4 service components (relating to the tomcat webserver and postgres database).

Was able to locate an old forum thread which references an amavisd-milter config file at /etc/sysconfig, but it doesn't exist on my machine. I've re-run and re-inspected the output for the amavisd-milter package when running ./configure, make and make install but don't see anything that should place a file in /etc/sysconfig.

Does anyone familiar with amavisd-milter know whether such a file should be created and installed in a default unpackaging of amavisd-milter?

TIA,
Tony
Re: FCrDNS and localhost
Matus UHLAR - fantomas wrote: 181.188.252.222.in-addr.arpa domain name pointer localhost. That is why FcRDNS is being used everywhere... localhost has address 127.0.0.1 = fail. On 03.06.09 19:31, Adam Katz wrote: Actually, localhost doesn't resolve via DNS; it has no A record, nor any other record type. It resolves locally without using DNS; see your /etc/hosts file. Similarly, 1.0.0.127.in-addr.arpa. has no PTR record indicating it should be called localhost. actually, many recursive DNS servers have configured zone for localhost by default and for 0.0.127.in-addr.arpa or 127.in-addr.arpa. However if anything doesn't resolve, MTA should not accept/use it. if anyone uses reverse DNS name without forward-confirming it, it's their own fault and they can take all consequences from such stupid setup. afaik some reverse-checking services are more strict about invalid than about nonexisting hostnames. And I recommend to behave like that. SA (usually) uses hostname passed by MTA, so if an MTA is affected by this bug, blame MTA, not SA. And I'm not sure if the hostname is used by any checks that would cause positive (or lower negative) score. Sadly, too many servers are set up improperly in this context, so I doubt I'm in the minority when I say that I don't use this metric to single-handedly block mail. I was only talking that SA does not resolve IPs but hostnames are taken from Received: headers (there was an exception for MTA that does not resolve DNS) so the MTA not the SA should be blamed if the hostnames are not correct (forward confirmed). Maybe SPF, I expect someone to comment on this... Same problem as above: localhost is not actually a domain. $ host -t TXT localhost. I was not talking about localhost, but about SPF resolution. The TXT must be of course taken from DNS, but if the record contains A: etc, it can be compared to resolved hostname in Received: header. And by the sentence above I meant that someone who understands the SPF should comment this issue.
-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I wonder how much deeper the ocean would be without sponges.
Re: Question on add-to-blacklist
On 3-Jun-2009, at 14:02, Jari Fredriksson wrote: `ip` varchar(10) NOT NULL DEFAULT '', On 03.06.09 17:48, LuKreme wrote: 10? 7 could be enough for now, afaik AWL only stores /16 prefix... PostgreSQL has a IPv4 type btw -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Honk if you love peace and quiet.
Re: Custome Plugin and Variables
On 04.06.09 00:44, Vahriç Muhtaryan wrote: We would like to create our own plugin . I red custom plugin section but maybe I do not understand, I would like to find out how spamassasin can provide me header of mail , body of mail because I would like to play on body and header. Could somebody show me the way for from where can I find out this informations. are you sure using custom rules isn't enough for you? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Despite the cost of living, have you noticed how popular it remains?
Re: Question on add-to-blacklist
LuKreme wrote: `ip` varchar(10) NOT NULL DEFAULT '', 10?

I'm missing some of the context here, but usually if someone is storing an ip in 10 characters it's because they're storing the ip number rather than the ip address.

r...@haven:~# perl -e 'print length(256*256*256*256)."\n";'
10
r...@haven:~#

Still, if you were doing that, you'd want to use an integer rather than a varchar preferably.

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226)
http://cardwellit.com/
Re: Question on add-to-blacklist
On 3-Jun-2009, at 14:02, Jari Fredriksson wrote: `ip` varchar(10) NOT NULL DEFAULT '', 10? It's on wiki http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadmeAwl?highlight=%28awl%29%7C%28sql%29
Re: FW: SpamAssassin error Interrupted system call
John Hardin wrote: On Wed, 3 Jun 2009, Luis campo wrote: this is an example of var / log / qmail / spamd 2009-06-03 12:00:16.531889500 [19168] info: prefork: child states: BB 2009-06-03 12:00:16.531949500 [19168] info: prefork: server reached --max-children setting, consider raising it There is a problem. You're overloaded. I don't know if spamd being overloaded would result in spamc reporting interrupted system calls, but that would explain the behaviour you are seeing: snip You may want to add memory and increase the number of child processes. Are you using any DNSBLs to reduce load within qmail at SMTP time, before the messages get passed off to SA for scoring? If his server is having memory problems, I would suggest the first step would be to REDUCE the number of child processes. If that helps, then he can work on adding more memory if he needs the extra children for higher throughput. When you are hitting memory limits, decreasing the number of child processes will let them run more efficiently and lower the time spent on each message. This will actually *increase* throughput. Of course, we are all still waiting for the output of 'free' that was requested previously. -- Bowie
spamc not defaulting to my user
I just spent the better part of the last month trying to figure out why my Bayesian filtering was not working on a new mail server setup. I noticed yesterday, after adding the following header,

add_header all Bayes bayes=_BAYES_ tokens=_TOKENSUMMARY_ new=_BAYESTC_ seen=_BAYESTCLEARNED_ spammy=_BAYESTCSPAMMY_ hammy=_BAYESTCHAMMY_

that tokens was always being set to Bayes not run. But there was no indication anywhere (that I could find) why it was not being run. Most of the list traffic associated with this particular problem seemed to be associated with people using mysql as their data store, not something that I am doing.

I had verified that sa-learn was working properly and updating my database and that the database version was good, and that I had enough of both ham and spam in the database, etc. spamassassin -D --lint all looked good when run from the command line.

Today on a whim I decided to add -u username to the spamc command line in my procmail filter and bayes started working.

This is how my daemon is running,

/openpkg/bin/spamd --daemonize --siteconfigpath=/openpkg/etc/spamassassin --pidfile=/openpkg/var/spamassassin/spamassassin.pid --syslog=/openpkg/var/spamassassin/spamassassin.log --listen-ip=127.0.0.1 --port=783 -A 127. --local

I discovered in the syslog the following difference before and after the change,

Thu Jun 4 07:40:03 2009 [29789] info: spamd: setuid to openpkg-r succeeded
Thu Jun 4 08:15:02 2009 [29789] info: spamd: setuid to steeve succeeded

so it's now obvious that it was running as user openpkg-r, rather than my own user name, which is the user under which spamd is running. Now the man page states that it is using the Effective UID of the caller, which I had assumed was my user name.

-u username, --username=username
    To have spamd use per-user-config files, run spamc as the user whose config files spamd should load; by default the effective user-ID is sent to spamd. If you're running spamc as some other user, though, (eg. root, mail, nobody, cyrus, etc.) then you may use this flag to override the default.

spamc -h is a little less ambiguous,

-u, --username username
    User for spamd to process this message under. [default: current user]

The mystery for me is why spamd was doing setuid to its own uid rather than my uid, unless I forced it with the -u switch. I know that procmail is not running as user openpkg-r which just adds to the mystery.

Any ideas?

--
Steeve McCauley ste...@oneguycoding.com :wq
http://oneguycoding.com
I like a man who grins when he fights. - Winston Churchill
Re: spamc not defaulting to my user
On Thu, 2009-06-04 at 11:29 -0400, Steeve McCauley wrote: I just spent the better part of the last month trying to figure out why my baysian filtering was not working on a new mail server setup. [...] Today on a whim I decided to add -u username to the spamc command line in my procmail filter and bayes started working. I discovered in the syslog the following difference before and after the change, Thu Jun 4 07:40:03 2009 [29789] info: spamd: setuid to openpkg-r succeeded Thu Jun 4 08:15:02 2009 [29789] info: spamd: setuid to steeve succeeded so it's now obvious that it was running as user openpkg-r, rather than my user own user name, which is the user under which spamd is I believe this is wrong. spamd appears to be running as root. Otherwise, it would not have setuid'ed to the user in the first place. running. Now the man page states that it is using the Effective UID of the caller, which I had assumed was my user name. spamc -h is a little less ambiguous, -u, --username username User for spamd to process this message under. [default: current user] The mystery for me is why spamd was doing setuid to it's own uid rather than my uid, unless I forced it with the -u switch. I know that procmail is not running as user openpkg-r which just adds to the mystery. My guess is, this assumption is wrong. :) At least at the point in the procmail recipe where spamc is being called, procmail appears to run as the openpkg-r user. spamc tells the user it is running as by default. Any ideas? Just to verify, try adding something like this to your procmailrc, right before the recipe that filters through spamc. Then check the log. (Note, linebreak intended.) LOG = Hello, I am ${LOGNAME}. If the spamc filter is part of the system-wide procmailrc, the fix probably is to have DROPPRIVS before the filter, so it will be run on behalf of the recipient. See man procmailrc. You shouldn't need the -u switch after that. 
guenther -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
FW: SpamAssassin error Interrupted system call
we have made with the configuration option-x

./configure --enable-clamav=y --enable-clamdscan=/usr/local/bin/clamdscan --enable-dropmsg=y --enable-custom-smtp-reject=n --enable-per-domain=y --enable-attach=y --enable-spam=y --enable-ripmime=/usr/local/bin/ripmime --enable-received=y --enable-spam-hits=5.0 --enable-spamc=/usr/bin/spamc --enable-spamc-args=-x -d 172.16.10.9 --enable-spamc-user=y --enable-regex=y --with-pcre-include=/usr/local/include

memory before the crash SA

             total       used       free     shared    buffers     cached
Mem:       1033468    1012956      20512          0      71440     270720
-/+ buffers/cache:     670796     362672
Swap:      2031608          0    2031608

works for a few minutes then stops again

@40004a27f6b60c9922c4 simscan:[26843]:CLEAN (0.00/3.00):112.9283s::
@40004a27f6b60ea04d04 simscan:[23571]:CLEAN (0.00/3.00):221.3648s::
@40004a27f6b61000ac0c simscan:[23679]:CLEAN (0.00/3.00):218.1913s::
@40004a27f6b6291b8d4c simscan:[22930]:CLEAN (0.00/3.00):242.5665s::
@40004a27f6b62c46770c simscan:[28731]:CLEAN (0.00/3.00):30.6124s::

memory after the fall SA

             total       used       free     shared    buffers     cached
Mem:       1033468     531860     501608          0      26700     147200
-/+ buffers/cache:     357960     675508
Swap:      2031608      13684    2017924

Date: Wed, 3 Jun 2009 15:57:08 -0700
From: jhar...@impsec.org
To: lcr_2...@hotmail.com
CC: users@spamassassin.apache.org
Subject: Re: FW: SpamAssassin error Interrupted system call

On Wed, 3 Jun 2009, Luis campo wrote:

this is an example of var / log / qmail / spamd

2009-06-03 12:00:16.531889500 [19168] info: prefork: child states: BB
2009-06-03 12:00:16.531949500 [19168] info: prefork: server reached --max-children setting, consider raising it

There is a problem. You're overloaded. I don't know if spamd being overloaded would result in spamc reporting interrupted system calls, but that would explain the behaviour you are seeing:

The problem is that spam works a few minutes then let it pass all messages giving a score of 0.00 in the log

From the spamc man page:

-t timeout, --timeout=timeout
    Set the timeout for spamc-to-spamd communications (default: 600, 0 disables). If spamd takes longer than this many seconds to reply to a message, spamc will abort the connection and treat this as a failure to connect; in other words the message will be returned unprocessed.

unprocessed == score of zero.

You might try using spamc's -x option, which will tell qmail that spamd is overloaded rather than skipping the scan. I don't know how simscan will respond, but it's likely the messages would be queued for retry. Messages would take longer to be delivered, but they would all be scanned.

you said we have 3 mx with each SA, which work well only 2 and 3 is where the error comes, If influence on our server reaches around 75,000 emails received daily.

You may want to add memory and increase the number of child processes. Are you using any DNSBLs to reduce load within qmail at SMTP time, before the messages get passed off to SA for scoring?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Our government should bear in mind the fact that the American Revolution was touched off by the then-current government attempting to confiscate firearms from the people.
---
3 days until the 65th anniversary of D-Day
Re: Any amavisd-milter help out there?
Tony, Hope for some insight into what I'm looking at... Brand new install Scalix/SuSE11.1/Amavis/Amavisd1.4/SA/ClamAV Following How To published on the Scalix Wiki at http://www.scalix.com/wiki/index.php?title=Scalix/Sendmail_%26_Amavisd-New_ HOWTO All seemed to be working except when I attempted to install the amavisd-milter initialization scripts at http://www.scalix.com/wiki/index.php?title=Scalix/Sendmail_%26_Amavisd-New_ HOWTO#Initscripts.2FSysconfig_files_for_amavisd-milter The resulting errors complain about missing LSB tags and overrides fo 4 service components (relating to the tomcat webserver and postgres database). Was able to locate an old forum threadwhich references an amavisd-milter config file at /etc/sysconfig but doesn't exist on my machine. I've re-run and re-inspected the output for the amavisd-milter package when running ./configure, make and make install but don't see anything that should place a file in /etc/sysconfig. Can anyone familiar with amavisd-milter know whether such a file should be created and installed in a default unpackaging of amavisd-milter? For help on Petr Rehor's amavisd-milter the best place to ask questions is on the amavisd-milter-users mailing list: https://lists.sourceforge.net/lists/listinfo/amavisd-milter-users although the /etc/sysconfig seems to be specific to your OS, not to amavisd-milter. Mark
Re: spamc not defaulting to my user
On Thu, Jun 04, 2009 at 06:28:18PM +0200, Karsten Bräckelmann wrote: On Thu, 2009-06-04 at 11:29 -0400, Steeve McCauley wrote: I just spent the better part of the last month trying to figure out why my baysian filtering was not working on a new mail server setup. [...] Today on a whim I decided to add -u username to the spamc command line in my procmail filter and bayes started working. I discovered in the syslog the following difference before and after the change, Thu Jun 4 07:40:03 2009 [29789] info: spamd: setuid to openpkg-r succeeded Thu Jun 4 08:15:02 2009 [29789] info: spamd: setuid to steeve succeeded so it's now obvious that it was running as user openpkg-r, rather than my user own user name, which is the user under which spamd is I believe this is wrong. spamd appears to be running as root. Otherwise, it would not have setuid'ed to the user in the first place. spamd is running as root, but it does a setuid to openpkg-r when recieving from spamc, unless I use -u steeve. of the caller, which I had assumed was my user name. spamc -h is a little less ambiguous, -u, --username username User for spamd to process this message under. [default: current user] The mystery for me is why spamd was doing setuid to it's own uid rather than my uid, unless I forced it with the -u switch. I know that procmail is not running as user openpkg-r which just adds to the mystery. My guess is, this assumption is wrong. :) At least at the point in the procmail recipe where spamc is being called, procmail appears to run as the openpkg-r user. spamc tells the user it is running as by default. Any ideas? Just to verify, try adding something like this to your procmailrc, right before the recipe that filters through spamc. Then check the log. (Note, linebreak intended.) LOG = Hello, I am ${LOGNAME}. Procmail is running as steeve, Hello, I am steeve. 
From medicalhairrestoration...@hairproonline.com Thu Jun 4 14:05:08 2009
 Subject: [SPAM 4.6] RE: Hair news : Free DVD
  Folder: /var/mail/steeve 341674

It would have been incredibly perplexing if procmail were running as an openpkg user since it's not an openpkg package. Something is weird here between spamc and spamd.

Thanks for the reply,
steeve

--
Steeve McCauley ste...@oneguycoding.com :wq
http://oneguycoding.com
The mistake you make is in trying to figure it out. - Tennessee Williams
Re: spamc not defaulting to my user
On Thu, 2009-06-04 at 15:15 -0400, Steeve McCauley wrote: On Thu, Jun 04, 2009 at 06:28:18PM +0200, Karsten Bräckelmann wrote: Today on a whim I decided to add -u username to the spamc command line in my procmail filter and bayes started working. I discovered in the syslog the following difference before and after the change, Thu Jun 4 07:40:03 2009 [29789] info: spamd: setuid to openpkg-r succeeded Thu Jun 4 08:15:02 2009 [29789] info: spamd: setuid to steeve succeeded so it's now obvious that it was running as user openpkg-r, rather than my user own user name, which is the user under which spamd is I believe this is wrong. spamd appears to be running as root. Otherwise, it would not have setuid'ed to the user in the first place. spamd is running as root, but it does a setuid to openpkg-r when recieving from spamc, unless I use -u steeve. Yep, spamd will setuid to the user it scans the mail for, as told by spamc. The -u option is just a way to override it. By default, spamc tells spamd which user it (that is spamc) is running as. So I still believe spamc at that point does not run as your user, for some reason. The mystery for me is why spamd was doing setuid to it's own uid rather than my uid, unless I forced it with the -u switch. I know that procmail is not running as user openpkg-r which just adds to the mystery. My guess is, this assumption is wrong. :) At least at the point in the procmail recipe where spamc is being called, procmail appears to run as the openpkg-r user. spamc tells the user it is running as by default. Any ideas? Just to verify, try adding something like this to your procmailrc, right before the recipe that filters through spamc. Then check the log. (Note, linebreak intended.) LOG = Hello, I am ${LOGNAME}. Procmail is running as steeve, Hello, I am steeve. Weird. :) Honestly, I quickly pulled LOGNAME out of the man page. I'm not entirely sure this really reflects the UID. 
I guess I'd alter that debugging log line, to dump some other information, to track this down. BTW, is this a site-wide procmailrc or a user one? Did you DROPPRIVS before that, in case of site-wide? From medicalhairrestoration...@hairproonline.com Thu Jun 4 14:05:08 2009 Subject: [SPAM 4.6] RE: Hair news : Free DVD Folder: /var/mail/steeve 341674 It woudl have been incredbily perplexing if procmail were running as an openpkg user since it's not an openpkg package. But spamc is. Not that that really should matter, but there's a link. Any chance it's a setuid executable? Can you try to have a glimpse at the user spamc is running as, as called by procmail? That requires some fairly good timing. :) Or faking a spamd by using 'nc' and checking the User header... Something is weird here between spamc and spamd. Thanks for the reply, guenther -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: spamc not defaulting to my user
On Thu, Jun 04, 2009 at 09:41:48PM +0200, Karsten Bräckelmann wrote:

Any ideas? Just to verify, try adding something like this to your procmailrc, right before the recipe that filters through spamc. Then check the log. (Note, linebreak intended.) LOG = Hello, I am ${LOGNAME}.

Procmail is running as steeve, Hello, I am steeve.

Weird. :) Honestly, I quickly pulled LOGNAME out of the man page. I'm not entirely sure this really reflects the UID. I guess I'd alter that debugging log line, to dump some other information, to track this down. BTW, is this a site-wide procmailrc or a user one? Did you DROPPRIVS before that, in case of site-wide?

It's my user .procmailrc.

From medicalhairrestoration...@hairproonline.com Thu Jun 4 14:05:08 2009
 Subject: [SPAM 4.6] RE: Hair news : Free DVD
  Folder: /var/mail/steeve 341674

It would have been incredibly perplexing if procmail were running as an openpkg user since it's not an openpkg package.

But spamc is. Not that that really should matter, but there's a link. Any chance it's a setuid executable?

That's it, mystery solved :)

[ste...@oneguycoding .procmail]$ ls -l /openpkg/bin/spamc
-rwsr-xr-x 1 openpkg-r openpkg 393128 Apr 23 12:27 /openpkg/bin/spamc

Thanks for your help, I was pulling my hair out for a while on this one.

Cheers,
steeve

--
Steeve McCauley ste...@oneguycoding.com :wq
http://oneguycoding.com
What this country needs is a good five cent microcomputer.
Re: spamc not defaulting to my user
On Thu, 2009-06-04 at 21:41 +0200, Karsten Bräckelmann wrote: On Thu, 2009-06-04 at 15:15 -0400, Steeve McCauley wrote: Procmail is running as steeve, Hello, I am steeve. Weird. :) Honestly, I quickly pulled LOGNAME out of the man page. I'm not entirely sure this really reflects the UID. I guess I'd alter that Err, scratch that. It really should. :) It woudl have been incredbily perplexing if procmail were running as an openpkg user since it's not an openpkg package. But spamc is. Not that that really should matter, but there's a link. Any chance it's a setuid executable? Can you try to have a glimpse at the user spamc is running as, as called by procmail? That requires some fairly good timing. :) Or faking a spamd by using 'nc' and checking the User header... So procmail is running as your user, but spamc isn't... -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: spamc not defaulting to my user
On Thu, 2009-06-04 at 15:54 -0400, Steeve McCauley wrote: On Thu, Jun 04, 2009 at 09:41:48PM +0200, Karsten Bräckelmann wrote: It woudl have been incredbily perplexing if procmail were running as an openpkg user since it's not an openpkg package. But spamc is. Not that that really should matter, but there's a link. Any chance it's a setuid executable? That's it, mystery solved :) Yay! [ste...@oneguycoding .procmail]$ ls -l /openpkg/bin/spamc -rwsr-xr-x 1 openpkg-r openpkg 393128 Apr 23 12:27 /openpkg/bin/spamc Thanks for your help, I was pulling my hair out for a while on this one. No problem. :) And please blame your packager, this is not default. ;) -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: FCrDNS and localhost
John Hardin wrote: I think what Matus was saying is: 181.188.252.222.in-addr.arpa - localhost - 127.0.0.1 = FAIL. And what I'm saying is that the second step of that: localhost - 127.0.0.1 doesn't work since localhost has no A record. So it should actually go: 181.188.252.222.in-addr.arpa - localhost - FAIL and I'm not sure if that result nulls the equation or if it actually outputs an FCrDNS failure. My guess is that it does. YMMV by MTA. Matus UHLAR - fantomas then wrote: actually, many recursive DNS servers have configured zone for localhost by default and for 0.0.127.in-addr.arpa or 127.in-addr.arpa. That's what I was musing at the end of my email, complete with SPF. However if anything doesn't resolve, MTA should not accept/use it. I've already responded to this. As you quoted me: Sadly, too many servers are set up improperly in this context, so I doubt I'm in the minority when I say that I don't use this metric to single-handedly block mail. The custom SA rules I included in my email do indeed rely upon the MTA's ability to measure FCrDNS and HELO FCrDNS. As referenced in my email, sendmail performs FCrDNS checking out of the box, tacking a (may be forged) to the end of the Received: header for FCrDNS failures. You can also set PICKY_HELO_CHECK if you want your logs littered with myriads of FCrDNS warnings. I'd love to also get sendmail (or SA) to resolve the HELO domain. Sure, it's nice to see IP - domain - IP, and then compare the HELO to that domain (KHOP_HELO_FCRDNS, IP - domain == HELO), but how do I check HELO - IP? I can make a regular expression to do what I want (for sendmail's headers, as documented at http://tinyurl.com/pb8vje section 10.7.2), but I can't use this in SA because I have no way of performing it only on the firsttrusted relay (the first hit in X-Spam-Relays-Untrusted). 
The solution is to name my relay, so if it's mx.example.com, I'd have: Received =~ /from (\S+) \((?!\1)\S+\.\w{2,6} \[[0-9.]{7,15}(?: \(may be forged\))?\) by mx\.example\.com[ (]/ Developers: I'd /love/ to be able to use trusted_networks and internal_networks as regex variables like: trusted_networks example.com 1.2.3.4 header TEST1 Received =~ /from .* by $trusted_networks[ (]/ # which translates to: #header TEST1 Received =~ /from .* by (?:example.com|1\.2\.3\.4)[ (]/ (or perhaps use mx example.com 1.2.3.4 and $mx becomes that regex.) I'd also (or even alternatively) love to see X-Spam-Received-[type] (where type is one of Trusted, Untrusted, Internal, External) which is merely a bracket-bounded collection of properly ordered Received tags, as presented by the parsing relay. This would let me parse those things manually without getting the order wrong (since SA rules are not capable of understanding order). I was only talking that SA does not resolve IPs but hostnames are taken from Received: headers (there was an exception for MTA that does not resolve DNS) so the MTA not the SA should be blamed if the hostnames are not correct (forward confirmed). I see nothing wrong with assuming the MTA did its job correctly. Maybe SPF, I expect someone to comment on this... Same problem as above: localhost is not actually a domain. $ host -t TXT localhost. I was not talking about localhost, but about SPF resolution. Sorry, I thought that you were trying to apply SPF to localhost, since that was the issue we were discussing. The TXT must be of course taken from DNS, but if the record contains A: etc, it can be compared to resolved hostname in Received: header. And by the sentence above I meant that someone who understands the SPF should comment this issue. I've got a pretty good understanding of SPF, thank you. All I'm missing is an understanding of what you want to do with it. You appear to be trying to parse the SPF record manually. 
SPF records can contain a: or ip4: or several other things. What kind of comparison are you trying to do? Comparing an a: entry to the resolved hostname (rDNS) is exactly what SPF does ... there are no bidirectional requirements for within SPF records. Perhaps that's what you were trying to get to? You think SPF a: records must pass FCrDNS? That won't work for a domain example.com that uses a round-robin A record in its SPF declaration, for example: $ host -t TXT example.com example.com descriptive text v=spf1 a:spf.example.com ~all $ host -t A spf.example.com spf.example.com has address 1.2.3.4 spf.example.com has address 1.3.4.5 spf.example.com has address 1.4.5.6 $ host -t PTR 1.2.3.4 4.3.2.1.in-addr.arpa domain name pointer mx1.example.com. FCrDNS is a decent metric by which to measure spamminess because it is required by the SMTP RFC. SPF requires neither FCrDNS nor even rDNS.
Re: spamc not defaulting to my user
On Thu, Jun 04, 2009 at 10:04:46PM +0200, Karsten Bräckelmann wrote: On Thu, 2009-06-04 at 15:54 -0400, Steeve McCauley wrote: On Thu, Jun 04, 2009 at 09:41:48PM +0200, Karsten Bräckelmann wrote: It woudl have been incredbily perplexing if procmail were running as an openpkg user since it's not an openpkg package. But spamc is. Not that that really should matter, but there's a link. Any chance it's a setuid executable? That's it, mystery solved :) Yay! [ste...@oneguycoding .procmail]$ ls -l /openpkg/bin/spamc -rwsr-xr-x 1 openpkg-r openpkg 393128 Apr 23 12:27 /openpkg/bin/spamc Thanks for your help, I was pulling my hair out for a while on this one. No problem. :) And please blame your packager, this is not default. ;) Done. -- Steeve McCauley ste...@oneguycoding.com :wq http://oneguycoding.com A gift of flower will soon be made to you.
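Added example, not part of any message in this thread: a POSIX shell check for the condition found above, a setuid client binary whose owner becomes the effective UID that spamc sends to spamd by default. The function names are made up for this sketch, /openpkg/bin/spamc is the path from the thread, and the check assumes the filesystem is not mounted nosuid.

```sh
#!/bin/sh
# Added example, not code from the thread or from SpamAssassin.
# Function names are hypothetical; /openpkg/bin/spamc is the path quoted above.

# suid_owner FILE
# Print the numeric owner UID if FILE is a regular file with the setuid bit
# set (the "s" in -rwsr-xr-x); print nothing otherwise.
suid_owner() {
    if [ -f "$1" ] && [ -u "$1" ]; then
        ls -ldn -- "$1" | awk '{ print $3 }'
    fi
}

# effective_uid_for FILE CALLER_UID
# Print the effective UID a process gets when CALLER_UID executes FILE:
# the file owner for a setuid binary, the caller's own UID otherwise.
# Assumption: the filesystem is not mounted nosuid (the bit is ignored there).
effective_uid_for() {
    owner=$(suid_owner "$1")
    if [ -n "$owner" ]; then
        echo "$owner"
    else
        echo "$2"
    fi
}

# spamc_identity_report FILE [CALLER_UID]
# One-line verdict. CALLER_UID defaults to the invoking user; pass the UID
# your delivery agent (procmail in the thread) runs as to check that account.
spamc_identity_report() {
    file=$1
    caller=${2:-$(id -u)}
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 0
    fi
    eff=$(effective_uid_for "$file" "$caller")
    if [ "$eff" = "$caller" ]; then
        echo "ok: $file runs with caller uid $caller"
    else
        echo "mismatch: $file is setuid, euid $eff replaces caller uid $caller; spamd is told the wrong user unless -u is given"
    fi
}

spamc_identity_report "${1:-/openpkg/bin/spamc}"
```

A "mismatch" result corresponds to the log line "setuid to openpkg-r succeeded" seen before -u was added.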
Re: FCrDNS and localhost
On Thu, 4 Jun 2009, Adam Katz wrote: John Hardin wrote: I think what Matus was saying is: 181.188.252.222.in-addr.arpa - localhost - 127.0.0.1 = FAIL. And what I'm saying is that the second step of that: localhost - 127.0.0.1 doesn't work since localhost has no A record. So that data comes from /etc/hosts. How does that materially affect the FCrDNS sanity test? So it should actually go: 181.188.252.222.in-addr.arpa - localhost - FAIL and I'm not sure if that result nulls the equation or if it actually outputs an FCrDNS failure. My guess is that it does. YMMV by MTA. You're treating localhost as a special case of FCrDNS. While that's reasonable, you shouldn't have to do that. If you don't have localhost in the /etc/hosts file on a production machine you shouldn't be an admin... (-- sweeping generalization, I know.) -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- When I say I don't want the government to do X, do not automatically assume that means I don't want X to happen. --- 2 days until the 65th anniversary of D-Day
Re: FCrDNS and localhost
John Hardin wrote:
> So that data comes from /etc/hosts. How does that materially affect the FCrDNS sanity test?
By definition, FCrDNS uses DNS lookups. Unless you're using dnsmasq, the entries in /etc/hosts are ignored during DNS lookups. Unless I'm mistaken, no FCrDNS implementation ever queries /etc/hosts (nor should it). This means FCrDNS will conclude that localhost does not resolve and that 127.0.0.1 has no rDNS (excepting cases where the admins have manually placed such entries into the local DNS).
Re: FCrDNS and localhost
On Thu, 4 Jun 2009, Adam Katz wrote:
> John Hardin wrote:
>> So that data comes from /etc/hosts. How does that materially affect the FCrDNS sanity test?
> By definition, FCrDNS uses DNS lookups. Unless you're using dnsmasq, the entries in /etc/hosts are ignored during DNS lookups. Unless I'm mistaken, no FCrDNS implementation ever queries /etc/hosts (nor should it). This means FCrDNS will conclude that localhost does not resolve and that 127.0.0.1 has no rDNS (excepting cases where the admins have manually placed such entries into the local DNS).
Okay, I'll buy that. I guess I usually think in terms of gethostbyname() and related functions, rather than a pure DNS query. Apologies.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Our government wants to do everything it can for the children, except sparing them crushing tax burdens.
---
2 days until the 65th anniversary of D-Day
Re: FW: SpamAssassin error Interrupted system call
On Thu, 2009-06-04 at 17:18 +, Luis campo wrote:
>              total       used       free     shared    buffers     cached
> Mem:       1033468    1012956      20512          0      71440     270720
> -/+ buffers/cache:     670796     362672
> Swap:      2031608          0    2031608
OK, no swap usage initially.
> works for a few minutes then stops again
A few minutes. When originally reporting the issue, you mentioned 20 minutes. So, did the operational time decrease, since you doubled the spamd children to 20?
> @40004a27f6b60c9922c4 simscan:[26843]:CLEAN (0.00/3.00):112.9283s::
> @40004a27f6b60ea04d04 simscan:[23571]:CLEAN (0.00/3.00):221.3648s::
That's *much* more time than you reported before. Both might hint you actually are hitting swap.
>              total       used       free     shared    buffers     cached
> Mem:       1033468     531860     501608          0      26700     147200
> -/+ buffers/cache:     357960     675508
> Swap:      2031608      13684    2017924
Hmm, these after figures are slightly odd. I take it you got that after killing spamd? Yeah, there you are using swap. Not much, but then again lots of your physical memory has been freed, too. So that probably could just be a timing issue -- numbers /while/ spamd turns unresponsive would be more revealing. Anyway, yes -- I agree it looks like a swap problem. Bringing up 10 additional spamd children with a Gig of memory seriously didn't help at all. I'd try as Bowie suggested.
Also, some questions remain un-answered. (a) Do you scan *all* messages, regardless of their size? Don't do that, but skip scanning for messages larger than about 500 kByte. Scanning large messages consumes lots of RAM, and will amplify your problem. (b) Do you have any third-party rule-sets or plugins enabled?
--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: FCrDNS and localhost
On Thu, Jun 4, 2009 at 13:57, Adam Katz antis...@khopis.com wrote:
> John Hardin wrote:
>> So that data comes from /etc/hosts. How does that materially affect the FCrDNS sanity test?
> By definition, FCrDNS uses DNS lookups. Unless you're using dnsmasq, the entries in /etc/hosts are ignored during DNS lookups. Unless I'm mistaken, no FCrDNS implementation ever queries /etc/hosts (nor should it). This means FCrDNS will conclude that localhost does not resolve and that 127.0.0.1 has no rDNS (excepting cases where the admins have manually placed such entries into the local DNS).
That seems to be an important distinction for strict/rigorous/theoretical discussions of what is full circle reverse DNS, and things along those lines... but I'm not sure if it really is an important distinction for the practical matter of how you handle tests in SA.
some IP -> in-addr lookup -> localhost -> FAIL (because localhost isn't in DNS, and thus the test failed because the name listed in the PTR record doesn't resolve to an A record)
vs
some IP -> in-addr lookup -> localhost -> FAIL (because localhost is a forbidden result)
vs
some IP -> in-addr lookup -> localhost -> 127.0.0.1 -> FAIL (because locally we do have localhost in DNS, and 127.0.0.1 isn't the IP address we started with)
vs
some IP -> in-addr lookup -> localhost -> 127.0.0.1 -> FAIL (because locally we do have localhost in DNS, and 127.0.0.1 is a forbidden result)
All four of these are, practically speaking, the same, regardless of whether or not you're saying that the first one is strictly speaking a full circle reverse DNS check.
Re: how to know what blacklists i'm checking against
John Hardin wrote:
> On Wed, 3 Jun 2009, Lists wrote:
>> I am trying to troubleshoot why a particular server cannot send into our email system. There is no reference in the logs to this server ever trying to connect.
> Are users of that system getting reject notifications? Have them forward one such to an address that you have access to that's not served by the MTA you're troubleshooting. The error message they are seeing will be helpful in figuring out what is going on.
No they weren't getting reject messages - the server admin of the ms exchange server they were coming from said that they were getting a 400 4.4.7 Message Delayed error. They felt it was due to greylisting - however nowhere in the maillog was there any reference to the domain the emails were coming from. I also checked the postgrey logs against the maillog and there was nothing there either. They resolved it by routing their email to us through a smart host (another one of their mail servers). I was just concerned that we were stopping the connection and that I couldn't see that we were.
I never got WrongMx working and have no idea why.
In my /etc/mail/spamassassin, I have two files, wrongmx.cf and wrongmx.pm
The cf file looks like this:
loadplugin WrongMX wrongmx.pm
header WRONGMX eval:wrongmx()
describe WRONGMX Sent to lower pref MX when higher pref MX was up.
tflags WRONGMX net
score WRONGMX 1.0
My dns MX record looks like this:
;; ANSWER SECTION:
syslang.net. 9738 IN MX 100 mx2.zoneedit.com.
syslang.net. 9738 IN MX 0 syslang.net.
The following file came in and we can see that it did not work. The mail came through mx2.zoneedit.com
Received: from mx2.zoneedit.com (mx2.zoneedit.com [66.135.59.138]) by saturn.syslang.net (8.14.3/8.14.3) with ESMTP id n51MPA9e012266 for xxx; Mon, 1 Jun 2009 18:25:12 -0400
Received: from imo-m19.mx.aol.com (imo-m19.mx.aol.com [64.12.137.11]) by mx2.zoneedit.com (Postfix) with ESMTP id 811B35AD575 for fram...@syslang.net; Mon, 1 Jun 2009 18:25:05 -0400 (EDT)
Received: from imo-ma04.mx.aol.com (imo-ma04.mx.aol.com [64.12.78.139]) by imo-m19.mx.aol.com (v107.10) with ESMTP id RELAYIN1-24a2454fbc9; Mon, 01 Jun 2009 18:24:05 -0400
Received: from yyy by imo-ma04.mx.aol.com (mail_out_v40_r1.5.) id 4.cf2.57fe20ff (30740) for xxx; Mon, 1 Jun 2009 18:23:52 -0400 (EDT)
From: yyy
Message-ID: cf2.57fe20ff.3755a...@aol.com
Date: Mon, 1 Jun 2009 18:23:52 EDT
Subject: Twin Maple Farm in Saxonville and other dairies.
To: xxx
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=-1243895032
X-Mailer: 9.0 Security Edition for Windows sub 5378
X-AOL-IP: 64.12.78.139
X-Virus-Scanned: ClamAV 0.94.2/9411/Mon Jun 1 10:35:19 2009 on saturn.syslang.net
X-Virus-Status: Clean
X-Spam-Status: No, score=-98.8 required=5.0 tests=AWL,BAYES_00, FROM_LOCAL_NOVOWEL,HTML_MESSAGE,USER_IN_WHITELIST autolearn=no version=3.2.5 country=US US US
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on saturn.syslang.net
The pm file is the latest. This trap has never fired and I'm about to give up on it and shut it off. I just have to think that I must be doing something wrong. Anyone?
--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
Re: Identifying Source of False Positives
On Mon, 1 Jun 2009, Bowie Bailey wrote:
> The empty body problem is a more difficult problem. Have procmail save a copy of the raw message somewhere and take a look at it. Make sure there is a blank line between the headers and the body.
Bowie, et al.: Progress is being made. I discovered that the local.cf was for sa-1.3 or so, and there was a local.cf.new in the same directory. I saved the old version and made the .new one the working copy. Many fewer rules. On a real spam that was saved for my examination I see that the EMPTY_BODY check was not triggered. I'll watch this a couple of days and see if that continues to hold true. In the meantime, I'm retraining SA on the false positives to teach it that they are ham rather than spam. When my log summary reports start appearing in my INBOX and the other false positives from the mail lists (such as this one), stop appearing in the spam hold mailbox, I'll relax. Thank you all for the very helpful suggestions. I'll update the status over the next days. Rich
--
Richard B. Shepard, Ph.D. | Integrity Credibility
Applied Ecosystem Services, Inc. | Innovation
http://www.appl-ecosys.com Voice: 503-667-4517 Fax: 503-667-8863
Re: Controlling spamd logging from spamc
From: Martin Gregorie mar...@gregorie.org
Date: Tue, 02 Jun 2009 16:54:11 +0100
> How difficult would it be to let spamc control spamd's logging output on a per-message basis? My reason for asking is this: I maintain a body of spam that I use to develop and regression test local rules and, during rule development, use spamc to pass the test messages through my only copy of spamd. This is useful because I can keep the test messages in a normal user on a different host from the one running spamd and avoid local configuration ambiguities. However, as part of my logwatch environment I run a perl program to collect the day's spam stats. I find that the stats are meaningless any day I develop and/or regression test rules because, of course, spamd is logging these as well as actual mail. I should add that, since my ISP introduced greylisting, the 'spam' logged during regression testing is at least 12 times the volume of genuine spam received that day, so the day's stats are meaningless and so are any stats generated by scanning the whole of /var/log/maillog* It would be useful for me to be able to disable spamd logging during rule testing.
Wouldn't it be easier to run another spamd on a different machine for rule development and testing? Or perhaps just running as a different 'test' user, and then ignore log messages for that user in the statistics.
> Would anybody else find this a useful feature too?
I've sometimes wanted the other way - eg get more debugging output for a particular message.
-jeff
FW: SpamAssassin error Interrupted system call
yes, we have configured the SA to 20 children
/usr/bin/spamd -v -u vpopmail -m 20 -x -q -s stderr -r /var/run/spamd/spamd.pid \
  -i 172.16.10.9 -A 172.16.10.0/24 2>&1 | \
  /usr/local/bin/setuidgid qmaill \
  /usr/local/bin/multilog t !spamdappend /var/log/qmail/spamd
echo spamd started
;;
memory rises after the spamd stopped working
Subject: Re: FW: SpamAssassin error Interrupted system call
From: guent...@rudersport.de
To: users@spamassassin.apache.org
Date: Thu, 4 Jun 2009 23:50:10 +0200
On Thu, 2009-06-04 at 17:18 +, Luis campo wrote:
>              total       used       free     shared    buffers     cached
> Mem:       1033468    1012956      20512          0      71440     270720
> -/+ buffers/cache:     670796     362672
> Swap:      2031608          0    2031608
OK, no swap usage initially.
> works for a few minutes then stops again
A few minutes. When originally reporting the issue, you mentioned 20 minutes. So, did the operational time decrease, since you doubled the spamd children to 20?
> @40004a27f6b60c9922c4 simscan:[26843]:CLEAN (0.00/3.00):112.9283s::
> @40004a27f6b60ea04d04 simscan:[23571]:CLEAN (0.00/3.00):221.3648s::
That's *much* more time than you reported before. Both might hint you actually are hitting swap.
>              total       used       free     shared    buffers     cached
> Mem:       1033468     531860     501608          0      26700     147200
> -/+ buffers/cache:     357960     675508
> Swap:      2031608      13684    2017924
Hmm, these after figures are slightly odd. I take it you got that after killing spamd? Yeah, there you are using swap. Not much, but then again lots of your physical memory has been freed, too. So that probably could just be a timing issue -- numbers /while/ spamd turns unresponsive would be more revealing. Anyway, yes -- I agree it looks like a swap problem. Bringing up 10 additional spamd children with a Gig of memory seriously didn't help at all. I'd try as Bowie suggested.
Also, some questions remain un-answered. (a) Do you scan *all* messages, regardless of their size? Don't do that, but skip scanning for messages larger than about 500 kByte. Scanning large messages consumes lots of RAM, and will amplify your problem. (b) Do you have any third-party rule-sets or plugins enabled?
--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: FCrDNS and localhost
John Rudd wrote:
> That seems to be an important distinction for strict/rigorous/theoretical discussions of what is full circle reverse DNS, and things along those lines... but I'm not sure if it really is an important distinction for the practical matter of how you handle tests in SA.
I think FCrDNS stands for Forward-confirmed reverse DNS as noted at http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS :-)
To clarify your four examples (as I understand them):
IP = 222.252.188.181
1: IP -> rDNS: localhost -> DNS: [none] -> FAIL* (DNS is missing)
2: IP -> rDNS: localhost --> ~FAIL (rDNS result is forbidden)
3: IP -> rDNS: localhost -> DNS: 127.0.0.1 -> FAIL (mismatch)
4: IP -> rDNS: localhost -> DNS: 127.0.0.1 -> ~FAIL (DNS is forbidden)
I don't think we ever discussed #2 or #4, which state that entering localhost as a domain or 127.0.0.1 as an IP is explicitly forbidden. As a matter of fact, there is nothing stopping a domain from resolving to 127.0.0.1 (or 127.0.0.1 from resolving to a domain, regardless of whether or not it is localhost) and no reason for SMTP to complain about it, so those aren't always automatic failures.
> All four of these are, practically speaking, the same, regardless of whether or not you're saying that the first one is strictly speaking a full circle reverse DNS check.
We were discussing #1 and #3. My argument is that #1 is what happens in this case, which is significant because FCrDNS's failure to close the loop can result in ambiguous data (mu) (thus my quotes); as with SPF, which does nothing if there is no SPF record by which to compare, some FCrDNS mechanisms will ignore (or pass) entrants that lack one of the components. SENDMAIL HAS THIS AMBIGUITY. It only places the (may be forged) marker on servers that have existing but invalid rDNS, as judged by the rDNS domain resolving to IP(s) that do not include the server, so sendmail correctly fails #5 (same as #3) but NOT #6, and I'm not sure about #7 (same as #1) in the following. Note that 1,3,5,6,7 are FCrDNS failures while 2,4 are not (and 3 requires local DNS entries).
5. IP -> rDNS: Domain -> DNS: IP2 -> FAIL (mismatch)
6. IP -> rDNS: [none] --> FAIL (no rDNS, doesn't fail in sendmail)
7. IP -> rDNS: Domain -> DNS: [none] -> FAIL (no DNS, sendmail=?)
Within SpamAssassin, RDNS_NONE catches #6, my KHOP_MAYBE_FORGED catches #5 (on sendmail servers), and I think #7 goes uncaught. The other rule I described, KHOP_HELO_FCRDNS, catches #8, which isn't technically FCrDNS:
8. IP -> rDNS: Domain != HELO -> ~FAIL (mismatch)
The other reason I took the argument was to answer Matus's SPF question; SPF depends on actual DNS records, and there is no authoritative name server for the TLD-lacking localhost or localhost.localdomain, so an SPF record for those would require a custom entry on the local caching DNS server (a local/LAN caching DNS server is essential for SpamAssassin implementations using DNSEval and URIDNSBL, which IMHO should be all SpamAssassin implementations given their high effectiveness).
--
Adam Katz khopesh on irc://irc.freenode.net/#spamassassin http://khopesh.com/Anti-spam
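The numbered cases in the message above, worked through as an added example (not code from the thread, sendmail or SpamAssassin). The lookup callables, the policy sets and the 192.0.2.x / example.* zone data are constructed for illustration; only the 222.252.188.181 -> localhost PTR comes from the thread.

```python
import ipaddress
from enum import Enum

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


class Outcome(Enum):
    PASS = "forward-confirmed"
    NO_RDNS = "no PTR record (case 6)"
    NO_FORWARD = "PTR name has no address record (cases 1, 7)"
    MISMATCH = "forward addresses exclude the client (cases 3, 5)"
    FORBIDDEN = "loopback name or address (cases 2, 4: policy, not FCrDNS)"


def lookup_in(table):
    """Offline stand-in for a DNS query: returns [] when the zone has no record."""
    return lambda key: table.get(key, [])


def fcrdns(ip, ptr_lookup, addr_lookup, forbid_loopback=False):
    """Classify a client IP. Both lookups must be pure DNS queries: a call such
    as socket.gethostbyname() goes through the system resolver, which may also
    consult /etc/hosts, and would turn case 1 into case 3."""
    client = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return Outcome.NO_RDNS
    forward = []
    for name in names:
        forward += [ipaddress.ip_address(a) for a in addr_lookup(name)]
    if forbid_loopback and (LOOPBACK_NAMES & set(names)
                            or any(a.is_loopback for a in forward)):
        return Outcome.FORBIDDEN
    if not forward:
        return Outcome.NO_FORWARD
    return Outcome.PASS if client in forward else Outcome.MISMATCH


# Policies: which outcomes count as a failure.
STRICT = {Outcome.NO_RDNS, Outcome.NO_FORWARD, Outcome.MISMATCH}
# Models only what the message says about sendmail: existing-but-wrong rDNS is
# marked, missing rDNS is not. The message leaves case 7 open, so it is left out.
MISMATCH_ONLY = {Outcome.MISMATCH}


def fails(outcome, policy):
    return outcome in policy


# Constructed zone data (see lead-in).
PTR = {
    "222.252.188.181": ["localhost."],
    "192.0.2.10": ["mail.example.net."],
    "192.0.2.20": ["mx.example.org."],
    "192.0.2.40": ["gone.example.com."],
}
A_PUBLIC = {"mail.example.net": ["192.0.2.10"], "mx.example.org": ["198.51.100.7"]}
A_LOCAL_ZONE = dict(A_PUBLIC, localhost=["127.0.0.1"])  # resolver with a localhost zone


def classify_all(addr_table, **kw):
    ptr, addr = lookup_in(PTR), lookup_in(addr_table)
    ips = list(PTR) + ["192.0.2.30"]  # 192.0.2.30 has no PTR at all
    return {ip: fcrdns(ip, ptr, addr, **kw) for ip in ips}


if __name__ == "__main__":
    for ip, outcome in classify_all(A_PUBLIC).items():
        print(f"{ip:16} {outcome.name:10} strict={fails(outcome, STRICT)} "
              f"mismatch_only={fails(outcome, MISMATCH_ONLY)}")
```

Swapping `A_PUBLIC` for `A_LOCAL_ZONE` shows the same client moving from case 1 to case 3, which is the distinction the thread argues over.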
Re: I never got WrongMx working and have no idea why.
On Thu, 4 Jun 2009 18:04:35 -0400 (EDT) Steven W. Orr ste...@syslang.net wrote:
> My dns MX record looks like this:
> ;; ANSWER SECTION:
> syslang.net. 9738 IN MX 100 mx2.zoneedit.com.
> syslang.net. 9738 IN MX 0 syslang.net.
> ...
> The pm file is the latest. This trap has never fired and I'm about to give up on it and shut it off. I just have to think that I must be doing something wrong. Anyone?
I can't really see the point of your using this plugin. All you need is a one-line custom rule looking for mx2.zoneedit.com in received headers. Presumably the advantage of the plugin is that it automatically detects that a server is a backup. You already know what your backup is called, and presumably you control your mx settings.
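The check suggested in the reply above, as an added example (not code from the thread or from the WrongMX plugin): it looks only at the Received header written by the receiving host, because headers below it arrived with the message. The function names are hypothetical, it assumes saturn.syslang.net is the last hop that adds a Received header, the first sample is abridged from the post and the second is constructed.

```python
import email
import re

# "from HELO (rDNS [IP]) by HOST", the layout of the sendmail and Postfix
# headers quoted in the post. Other layouts simply do not match.
HOP_RE = re.compile(
    r"from\s+\S+\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")


def backup_hosts(mx_records):
    """Every MX host that is not at the best (lowest) preference."""
    best = min(pref for pref, _ in mx_records)
    return {host.rstrip(".").lower() for pref, host in mx_records if pref > best}


def via_backup_mx(raw_message, our_host, mx_records):
    """True if the hop recorded by our own MTA came from a backup MX.

    Only the topmost Received header is trusted, and only if our_host wrote
    it. Lower headers were supplied by earlier hops and may be forged.
    """
    received = email.message_from_string(raw_message).get_all("Received", [])
    if not received:
        return False
    hop = HOP_RE.search(received[0])
    if not hop or hop.group("by").lower() != our_host.lower():
        return False
    return hop.group("rdns").lower() in backup_hosts(mx_records)


# MX set from the post: preference 0 is the primary, 100 the backup.
MX = [(100, "mx2.zoneedit.com."), (0, "syslang.net.")]

# Abridged from the headers in the post.
VIA_BACKUP = """\
Received: from mx2.zoneedit.com (mx2.zoneedit.com [66.135.59.138])
\tby saturn.syslang.net (8.14.3/8.14.3) with ESMTP id n51MPA9e012266
\tfor xxx; Mon, 1 Jun 2009 18:25:12 -0400
Received: from imo-m19.mx.aol.com (imo-m19.mx.aol.com [64.12.137.11])
\tby mx2.zoneedit.com (Postfix) with ESMTP id 811B35AD575;
\tMon, 1 Jun 2009 18:25:05 -0400 (EDT)
Subject: sample

body
"""

# Constructed: direct delivery whose sender pre-inserted a fake backup-MX hop.
FORGED_LOWER = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby saturn.syslang.net (8.14.3/8.14.3) with ESMTP id CONSTRUCTED1
\tfor xxx; Mon, 1 Jun 2009 18:30:00 -0400
Received: from mx2.zoneedit.com (mx2.zoneedit.com [66.135.59.138])
\tby saturn.syslang.net (8.14.3/8.14.3) with ESMTP id CONSTRUCTED2
Subject: sample

body
"""

if __name__ == "__main__":
    for label, raw in (("via backup", VIA_BACKUP), ("forged lower hop", FORGED_LOWER)):
        print(label, via_backup_mx(raw, "saturn.syslang.net", MX))
```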
Re: FW: SpamAssassin error Interrupted system call
On Thu, 4 Jun 2009, Karsten Bräckelmann wrote:
> (a) Do you scan *all* messages, regardless of their size? Don't do that, but skip scanning for messages larger than about 500 kByte.
If I remember his spamc options correctly, it was limited to 200kB.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It is not the place of government to make right every tragedy and woe that befalls every resident of the nation.
---
2 days until the 65th anniversary of D-Day
Re: how to know what blacklists i'm checking against
On Fri, 5 Jun 2009, Lists wrote:
> John Hardin wrote:
>> On Wed, 3 Jun 2009, Lists wrote:
>>> I am trying to troubleshoot why a particular server cannot send into our email system. There is no reference in the logs to this server ever trying to connect.
>> Are users of that system getting reject notifications? Have them forward one such to an address that you have access to that's not served by the MTA you're troubleshooting. The error message they are seeing will be helpful in figuring out what is going on.
> No they weren't getting reject messages - the server admin of the ms exchange server they were coming from
Say no more. :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It is not the place of government to make right every tragedy and woe that befalls every resident of the nation.
---
2 days until the 65th anniversary of D-Day
Re: FW: SpamAssassin error Interrupted system call
On Thu, 4 Jun 2009, Luis campo wrote:
> yes, we have configured the SA to 20 children
Try setting it to 5.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It is not the place of government to make right every tragedy and woe that befalls every resident of the nation.
---
2 days until the 65th anniversary of D-Day
Re: FW: SpamAssassin error Interrupted system call
On Thu, 2009-06-04 at 17:34 -0700, John Hardin wrote:
> On Thu, 4 Jun 2009, Karsten Bräckelmann wrote:
>> (a) Do you scan *all* messages, regardless of their size? Don't do that, but skip scanning for messages larger than about 500 kByte.
> If I remember his spamc options correctly, it was limited to 200kB.
Ah, good point. :) Not according to his last simscan configure paste, which doesn't show any max-size argument for spamc. However, the fact that it actually *is* using spamc means, the usual defaults apply. So this answers that question, no messages larger than 500 kB are scanned.
--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: I never got WrongMx working and have no idea why.
On Thursday, Jun 4th 2009 at 19:47 -, quoth RW:
> On Thu, 4 Jun 2009 18:04:35 -0400 (EDT) Steven W. Orr ste...@syslang.net wrote:
>> My dns MX record looks like this:
>> ;; ANSWER SECTION:
>> syslang.net. 9738 IN MX 100 mx2.zoneedit.com.
>> syslang.net. 9738 IN MX 0 syslang.net.
>> ...
>> The pm file is the latest. This trap has never fired and I'm about to give up on it and shut it off. I just have to think that I must be doing something wrong. Anyone?
> I can't really see the point of your using this plugin. All you need is a one-line custom rule looking for mx2.zoneedit.com in received headers. Presumably the advantage of the plugin is that it automatically detects that a server is a backup. You already know what your backup is called, and presumably you control your mx settings.
That's probably true. But I was thinking that it would be nice to be able to use something that someone else had already written. Is anyone using this plugin and getting any use out of it? I'd just like to know if I'm doing something wrong or if it's just plain broken.
--
steveo at syslang dot net TMMP1 http://frambors.syslang.net/
Do you have neighbors who are not frambors? Steven W. Orr