Hello HTF guys!! Let's get this out right now... I'm a newbie in the Linux world, so the problem here is probably simple to you guys. Anyway, I have followed the step-by-steps on building the perfect SpamSnake on Ubuntu 8.04 (which kicks the snot out of our Barracuda for capabilities). But when I went active, all messages that came in got a spam score of 0.00, so it's letting everything through. When I run the SpamAssassin lint test, everything is cool and it gets a progressive score in the test of like 5 or so, so I'm a bit stumped as to where to look on this one. All help is greatly appreciated. Tom Powers
Hey Tom, Glad to hear another user is working with the SpamSnake! I'd be more than happy to help you out. First, are you using Sendmail or Postfix? Do you see the mails in the MailWatch interface? Finally, post the output of mail.log. Rocky
Good to hear back from you!! We are using Postfix. I see the emails in MailWatch just fine. Here's the last 100 lines of the mail log. At the top you'll see some of the messages coming in. Then towards the bottom, you'll see a complete reload of Postfix after we added a couple of domains, to hopefully try again once we get an idea of where to go here.

```
Jun 4 12:00:42 spam postfix/smtpd[20039]: connect from unknown[189.180.17.7]
Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]: 554 5.7.1 Service unavailable; Client host [76.124.12.154] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.124.12.154; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<c-76-124-12-154.hsd1.nj.comcast.net>
Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]: 554 5.7.1 Service unavailable; Client host [76.124.12.154] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.124.12.154; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<c-76-124-12-154.hsd1.nj.comcast.net>
Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]: 554 5.7.1 Service unavailable; Client host [76.124.12.154] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.124.12.154; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<c-76-124-12-154.hsd1.nj.comcast.net>
Jun 4 12:00:43 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from a104.sub64.net78.udm.net[78.85.64.104]: 504 5.5.2 <fb979068bcb74f4>: Helo command rejected: need fully-qualified hostname; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<fb979068bcb74f4>
Jun 4 12:00:43 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from a104.sub64.net78.udm.net[78.85.64.104]: 504 5.5.2 <fb979068bcb74f4>: Helo command rejected: need fully-qualified hostname; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<fb979068bcb74f4>
Jun 4 12:00:43 spam postfix/smtpd[20051]: lost connection after DATA (0 bytes) from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]
Jun 4 12:00:43 spam postfix/smtpd[20051]: disconnect from c-76-124-12-154.hsd1.nj.comcast.net[76.124.12.154]
Jun 4 12:00:44 spam postfix/smtpd[20201]: lost connection after DATA (0 bytes) from a104.sub64.net78.udm.net[78.85.64.104]
Jun 4 12:00:44 spam postfix/smtpd[20201]: disconnect from a104.sub64.net78.udm.net[78.85.64.104]
Jun 4 12:00:44 spam postfix/smtpd[20039]: NOQUEUE: reject: RCPT from unknown[189.180.17.7]: 554 5.7.1 Service unavailable; Client host [189.180.17.7] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=189.180.17.7; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<dsl-189-180-17-7.prod-infinitum.com.mx>
Jun 4 12:00:45 spam postfix/smtpd[20039]: lost connection after DATA (0 bytes) from unknown[189.180.17.7]
Jun 4 12:00:45 spam postfix/smtpd[20039]: disconnect from unknown[189.180.17.7]
Jun 4 12:00:45 spam postfix/smtpd[20041]: connect from unknown[88.235.36.128]
Jun 4 12:00:47 spam postfix/smtpd[20059]: warning: 91.134.11.192: hostname 91-134-11-192.niskar.multimedia-bg.net verification failed: Name or service not known
Jun 4 12:00:47 spam postfix/smtpd[20059]: connect from unknown[91.134.11.192]
Jun 4 12:00:48 spam postfix/smtpd[20059]: NOQUEUE: reject: RCPT from unknown[91.134.11.192]: 554 5.7.1 Service unavailable; Client host [91.134.11.192] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=91.134.11.192; from=<[email protected]> to=<lawrence|[email protected]> proto=ESMTP helo=<91-134-11-192.niskar.multimedia-bg.net>
Jun 4 12:00:48 spam postfix/smtpd[20059]: disconnect from unknown[91.134.11.192]
Jun 4 12:00:48 spam postfix/smtpd[20041]: NOQUEUE: reject: RCPT from unknown[88.235.36.128]: 554 5.7.1 Service unavailable; Client host [88.235.36.128] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=88.235.36.128; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<dsldevice.lan>
Jun 4 12:00:48 spam postfix/smtpd[20051]: connect from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]
Jun 4 12:00:48 spam postfix/smtpd[20041]: lost connection after DATA (0 bytes) from unknown[88.235.36.128]
Jun 4 12:00:48 spam postfix/smtpd[20041]: disconnect from unknown[88.235.36.128]
Jun 4 12:00:48 spam postfix/smtpd[20045]: connect from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]
Jun 4 12:00:48 spam postfix/smtpd[20278]: warning: 64.199.3.161: address not listed for hostname mail.iabusa.com
Jun 4 12:00:48 spam postfix/smtpd[20278]: connect from unknown[64.199.3.161]
Jun 4 12:00:49 spam postfix/smtpd[20201]: connect from a32-176.adsl.paltel.net[213.6.32.176]
Jun 4 12:00:49 spam postfix/smtpd[20045]: NOQUEUE: reject: RCPT from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]: 554 5.7.1 Service unavailable; Client host [82.136.126.158] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=82.136.126.158; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<medion.dzcmts001cpe001.datazug.ch>
Jun 4 12:00:50 spam postfix/smtpd[20045]: lost connection after RCPT from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]
Jun 4 12:00:50 spam postfix/smtpd[20045]: disconnect from pub082136126158.dh-hfc.datazug.ch[82.136.126.158]
Jun 4 12:00:50 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from a32-176.adsl.paltel.net[213.6.32.176]: 554 5.7.1 Service unavailable; Client host [213.6.32.176] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=213.6.32.176; from=<[email protected]> to=<caldwell|[email protected]> proto=ESMTP helo=<a32-176.adsl.paltel.net>
Jun 4 12:00:50 spam postfix/smtpd[20042]: warning: 88.233.113.253: hostname dsl88-233-29181.ttnet.net.tr verification failed: Name or service not known
Jun 4 12:00:50 spam postfix/smtpd[20042]: connect from unknown[88.233.113.253]
Jun 4 12:00:50 spam postfix/smtpd[20277]: connect from unknown[88.235.54.251]
Jun 4 12:00:50 spam postfix/smtpd[20201]: disconnect from a32-176.adsl.paltel.net[213.6.32.176]
Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<e4ef43843a9b4a7>
Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<e4ef43843a9b4a7>
Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<e4ef43843a9b4a7>
Jun 4 12:00:51 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]: 504 5.5.2 <e4ef43843a9b4a7>: Helo command rejected: need fully-qualified hostname; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<e4ef43843a9b4a7>
Jun 4 12:05:28 spam postfix/smtpd[20052]: SSL_accept error from 66-194-50-2.static.twtelecom.net[66.194.50.2]: -1
Jun 4 12:05:28 spam postfix/smtpd[20052]: lost connection after STARTTLS from 66-194-50-2.static.twtelecom.net[66.194.50.2]
Jun 4 12:05:28 spam postfix/smtpd[20052]: disconnect from 66-194-50-2.static.twtelecom.net[66.194.50.2]
Jun 4 12:05:49 spam postfix/smtpd[20278]: timeout after EHLO from unknown[64.199.3.161]
Jun 4 12:05:49 spam postfix/smtpd[20278]: disconnect from unknown[64.199.3.161]
Jun 4 12:05:50 spam postfix/smtpd[20042]: timeout after CONNECT from unknown[88.233.113.253]
Jun 4 12:05:50 spam postfix/smtpd[20042]: disconnect from unknown[88.233.113.253]
Jun 4 12:05:50 spam postfix/smtpd[20277]: timeout after CONNECT from unknown[88.235.54.251]
Jun 4 12:05:50 spam postfix/smtpd[20277]: disconnect from unknown[88.235.54.251]
Jun 4 12:05:51 spam postfix/smtpd[20051]: timeout after DATA (0 bytes) from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]
Jun 4 12:05:51 spam postfix/smtpd[20051]: disconnect from ppp78-36-130-123.pppoe.novgorod.dslavangard.ru[78.36.130.123]
Jun 4 12:07:24 spam postfix/qmgr[20005]: 9B648394093: from=<>, size=6061, nrcpt=1 (queue active)
Jun 4 12:07:25 spam postfix/smtp[20422]: 9B648394093: to=<[email protected]>, relay=mx4.eline.com[204.16.159.164]:25, delay=498, delays=498/0.01/0.21/0.48, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4EA7CA4033)
Jun 4 12:07:25 spam postfix/qmgr[20005]: 9B648394093: removed
Jun 4 12:07:27 spam postfix/anvil[20043]: statistics: max connection rate 8/60s for (smtp:87.21.72.54) at Jun 4 11:59:34
Jun 4 12:07:27 spam postfix/anvil[20043]: statistics: max connection count 4 for (smtp:122.162.83.111) at Jun 4 12:00:07
Jun 4 12:07:27 spam postfix/anvil[20043]: statistics: max cache size 60 at Jun 4 12:00:36
Jun 4 12:15:19 spam MailScanner[20493]: MailScanner E-Mail Virus Scanner version 4.68.8 starting...
Jun 4 12:15:20 spam MailScanner[20493]: Read 817 hostnames from the phishing whitelist
Jun 4 12:15:20 spam MailScanner[20493]: Read 5141 hostnames from the phishing blacklist
Jun 4 12:15:20 spam MailScanner[20493]: Config: calling custom init function MailWatchLogging
Jun 4 12:15:21 spam MailScanner[20493]: Started SQL Logging child
Jun 4 12:15:21 spam MailScanner[20493]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Jun 4 12:15:21 spam MailScanner[20493]: Using SpamAssassin results cache
Jun 4 12:15:22 spam MailScanner[20493]: Connected to SpamAssassin cache database
Jun 4 12:15:22 spam MailScanner[20493]: Enabling SpamAssassin auto-whitelist functionality...
Jun 4 12:15:25 spam MailScanner[20493]: ClamAV scanner using unrar command /usr/bin/unrar
Jun 4 12:15:26 spam MailScanner[20493]: Using locktype = flock
Jun 4 12:16:00 spam MailScanner[20527]: MailScanner E-Mail Virus Scanner version 4.68.8 starting...
Jun 4 12:16:00 spam MailScanner[20527]: Read 817 hostnames from the phishing whitelist
Jun 4 12:16:01 spam MailScanner[20527]: Read 5141 hostnames from the phishing blacklist
Jun 4 12:16:01 spam MailScanner[20527]: Config: calling custom init function MailWatchLogging
Jun 4 12:16:01 spam MailScanner[20527]: Started SQL Logging child
Jun 4 12:16:01 spam MailScanner[20527]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Jun 4 12:16:02 spam MailScanner[20527]: Using SpamAssassin results cache
Jun 4 12:16:02 spam MailScanner[20527]: Connected to SpamAssassin cache database
Jun 4 12:16:02 spam MailScanner[20527]: Enabling SpamAssassin auto-whitelist functionality...
Jun 4 12:16:06 spam MailScanner[20527]: ClamAV scanner using unrar command /usr/bin/unrar
Jun 4 12:16:06 spam MailScanner[20527]: Using locktype = flock
Jun 4 12:48:03 spam postfix/smtpd[21389]: warning: database /etc/postfix/sender_access.db is older than source file /etc/postfix/sender_access
Jun 4 12:48:03 spam postfix/smtpd[21389]: connect from laptop1.ssi.private[10.0.0.44]
Jun 4 12:48:03 spam postfix/smtpd[21389]: lost connection after CONNECT from laptop1.ssi.private[10.0.0.44]
Jun 4 12:48:03 spam postfix/smtpd[21389]: disconnect from laptop1.ssi.private[10.0.0.44]
Jun 4 12:51:23 spam postfix/anvil[21390]: statistics: max connection rate 1/60s for (smtp:10.0.0.44) at Jun 4 12:48:03
Jun 4 12:51:23 spam postfix/anvil[21390]: statistics: max connection count 1 for (smtp:10.0.0.44) at Jun 4 12:48:03
Jun 4 12:51:23 spam postfix/anvil[21390]: statistics: max cache size 1 at Jun 4 12:48:03
Jun 4 14:12:24 spam postfix/smtpd[23678]: warning: database /etc/postfix/sender_access.db is older than source file /etc/postfix/sender_access
Jun 4 14:12:24 spam postfix/smtpd[23678]: connect from laptop1.ssi.private[10.0.0.44]
Jun 4 14:12:24 spam postfix/smtpd[23678]: lost connection after CONNECT from laptop1.ssi.private[10.0.0.44]
Jun 4 14:12:24 spam postfix/smtpd[23678]: disconnect from laptop1.ssi.private[10.0.0.44]
Jun 4 14:15:44 spam postfix/anvil[23679]: statistics: max connection rate 1/60s for (smtp:10.0.0.44) at Jun 4 14:12:24
Jun 4 14:15:44 spam postfix/anvil[23679]: statistics: max connection count 1 for (smtp:10.0.0.44) at Jun 4 14:12:24
Jun 4 14:15:44 spam postfix/anvil[23679]: statistics: max cache size 1 at Jun 4 14:12:24
```
You're getting the following error:

```
warning: database /etc/postfix/sender_access.db
```

You need to postmap it using the following command:

```
postmap /etc/postfix/sender_access
```

Then:

```
postfix reload
```

Also, make sure you have the following set in your MailScanner.conf file:

```
Use SpamAssassin = yes
```
Error in postmap

OK... I ran the first postmap command and got this reply:

```
postmap: warning: /etc/postfix/sender_access.db, line 0: expected format: key whitespace value
```

And I confirmed that the Use SpamAssassin entry is in the MailScanner.conf file. Ideas? TP
Getting closer

Well... it took that command and the postfix reload. I pointed the traffic back at the system, and we are still seeing the system letting everything through and all SA scores are 0.00; however, it did catch a virus out of one of these... so at least we have a functioning viruswall!! Next step would be....? I greatly appreciate your time and help in this. TomP
Mail forwarding appears to be using DNS

I looked through the mail log and I see that one of the domains we are filtering and forwarding for (this is a small ISP) seems to be grabbing MX records for relaying out instead of using the SMTP entry in /etc/postfix/main.cf and in /etc/postfix/transport. The log shows that when forwarding the received email, the warning is that the host replied with our own name...

```
Jun 4 15:52:40 spam postfix/smtpd[26546]: connect from unknown[10.0.0.101]
Jun 4 15:52:40 spam postfix/smtp[26422]: warning: host mail.ksfuel.com[65.211.156.114]:25 greeted me with my own hostname spam.klinktech.net
Jun 4 15:52:40 spam postfix/smtp[26422]: warning: host mail.ksfuel.com[65.211.156.114]:25 replied to HELO/EHLO with my own hostname spam.klinktech.net
Jun 4 15:52:40 spam postfix/smtpd[26440]: connect from unknown[10.0.0.101]
Jun 4 15:52:40 spam postfix/smtp[26560]: warning: host mail.ksfuel.com[65.211.156.114]:25 greeted me with my own hostname spam.klinktech.net
Jun 4 15:52:40 spam postfix/smtp[26560]: warning: host mail.ksfuel.com[65.211.156.114]:25 replied to HELO/EHLO with my own hostname spam.klinktech.net
Jun 4 15:52:40 spam postfix/smtp[26422]: 69048394095: to=<[email protected]>, relay=mail.ksfuel.com[65.211.156.114]:25, delay=12, delays=12/0/0.01/0, dsn=5.4.6, status=bounced (mail for ksfuel.com loops back to myself)
Jun 4 15:52:40 spam postfix/smtpd[26546]: disconnect from unknown[10.0.0.101]
Jun 4 15:52:40 spam postfix/smtp[26560]: D3A59394092: to=<[email protected]>, relay=mail.ksfuel.com[65.211.156.114]:25, delay=13, delays=13/0.01/0/0, dsn=5.4.6, status=bounced (mail for ksfuel.com loops back to myself)
Jun 4 15:52:40 spam postfix/smtpd[26440]: disconnect from unknown[10.0.0.101]
```

So... when relaying for these domains, it appears to be looking up MX records (mail.ksfuel.com) and getting our outside IP address of 65.211.156.114 instead of the entry I have in the transport file of:

```
ksfuel.com smtp:[24.197.231.70]
```
Could be????

Now is it possible I have the actions hosed up? I look in the logs and see stuff being blocked, entries such as:

```
Jun 4 16:39:47 spam postfix/smtpd[27616]: NOQUEUE: reject: RCPT from unknown[85.104.12.29]: 554 5.7.1 Service unavailable; Client host [85.104.12.29] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=85.104.12.29; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<dsl85-104-3101.ttnet.net.tr>
Jun 4 16:39:47 spam postfix/smtpd[27417]: connect from unknown[200.127.131.151]
Jun 4 16:39:47 spam postfix/smtpd[27616]: disconnect from unknown[85.104.12.29]
Jun 4 16:39:48 spam postfix/smtp[27448]: 3526F394094: to=<[email protected]>, relay=smtp.secureserver.net[208.109.80.149]:25, delay=3.6, delays=0.02/0/3.5/0.09, dsn=5.0.0, status=bounced (host smtp.secureserver.net[208.109.80.149] said: 553 sorry, relaying denied from your location [65.211.156.114] (#5.7.1) (in reply to RCPT TO command))
Jun 4 16:39:48 spam postfix/qmgr[27394]: 3526F394094: removed
Jun 4 16:39:48 spam postfix/smtpd[27412]: connect from unknown[190.41.36.129]
Jun 4 16:39:49 spam postfix/smtpd[27409]: NOQUEUE: reject: RCPT from static-72-87-113-34.prvdri.fios.verizon.net[72.87.113.34]: 554 5.7.1 Service unavailable; Client host [72.87.113.34] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=72.87.113.34; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<static-72-87-113-34.prvdri.fios.verizon.net>
Jun 4 16:39:49 spam postfix/smtpd[27409]: lost connection after DATA (0 bytes) from static-72-87-113-34.prvdri.fios.verizon.net[72.87.113.34]
Jun 4 16:39:49 spam postfix/smtpd[27409]: disconnect from static-72-87-113-34.prvdri.fios.verizon.net[72.87.113.34]
Jun 4 16:39:49 spam postfix/smtpd[27413]: connect from host86-149-182-199.range86-149.btcentralplus.com[86.149.182.199]
Jun 4 16:39:49 spam postfix/smtpd[27417]: NOQUEUE: reject: RCPT from unknown[200.127.131.151]: 554 5.7.1 Service unavailable; Client host [200.127.131.151] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=200.127.131.151; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<200-127-140-34.dsl.prima.net.ar>
Jun 4 16:39:50 spam postfix/smtpd[27416]: connect from host121-211-dynamic.10-87-r.retail.telecomitalia.it[87.10.211.121]
Jun 4 16:39:50 spam postfix/smtpd[27413]: NOQUEUE: reject: RCPT from host86-149-182-199.range86-149.btcentralplus.com[86.149.182.199]: 554 5.7.1 Service unavailable; Client host [86.149.182.199] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.149.182.199; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<host86-149-182-199.range86-149.btcentralplus.com>
Jun 4 16:39:50 spam postfix/smtpd[27413]: disconnect from host86-149-182-199.range86-149.btcentralplus.com[86.149.182.199]
Jun 4 16:39:50 spam postfix/smtpd[27412]: NOQUEUE: reject: RCPT from unknown[190.41.36.129]: 554 5.7.1 Service unavailable; Client host [190.41.36.129] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=190.41.36.129; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[190.41.36.129]>
Jun 4 16:39:50 spam postfix/smtpd[27412]: NOQUEUE: reject: RCPT from unknown[190.41.36.129]: 554 5.7.1 Service unavailable; Client host [190.41.36.129] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=190.41.36.129; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[190.41.36.129]>
```

So I notice it's blocking using zen.spamhaus, but I have told it to use the spamcop stuff... see configuration below. It's like I didn't get a setting to commit somewhere, eh? And the stuff that it is blocking is not showing up in the MailWatch window.
MailScanner Configuration

```
%org-name% = Keylink Technologies
%org-long-name% = Keylink Technologies
%web-site% = www.klinktech.net
%etc-dir% = /etc/MailScanner
%report-dir% = /etc/MailScanner/reports/en
%rules-dir% = /etc/MailScanner/rules
%mcp-dir% = /etc/MailScanner/mcp
Max Children = 1
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 6
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner/MailScanner.pid
Restart Every = 7200
MTA = postfix
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail -DOUTGOING
Incoming Work Permissions = 0600
Quarantine User = root
Quarantine Group = www-data
Quarantine Permissions = 0660
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Scan Messages = yes
Reject Message = no
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File Command = /usr/bin/file
File Timeout = 20
Gunzip Command = /bin/gunzip
Gunzip Timeout = 50
Unrar Command = /usr/bin/unrar
Unrar Timeout = 50
Find UU-Encoded Files = no
Maximum Message Size = /etc/MailScanner/rules/max.message.size.rules
Maximum Attachment Size = -1
Minimum Attachment Size = -1
Maximum Archive Depth = 2
Find Archives By Content = yes
Zip Attachments = no
Attachments Zip Filename = MessageAttachments.zip
Attachments Min Total Size To Zip = 100k
Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
Virus Scanning = yes
Virus Scanners = clamav
Virus Scanner Timeout = 300
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Block Encrypted Messages = no
Block Unencrypted Messages = no
Allow Password-Protected Archives = no
Check Filenames In Password-Protected Archives = yes
Sophos IDE Dir = /opt/sophos-av/lib/sav
Sophos Lib Dir = /opt/sophos-av/lib
Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide
Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
ClamAVmodule Maximum Recursion Level = 8
ClamAVmodule Maximum Files = 1000
ClamAVmodule Maximum File Size = 10000000
ClamAVmodule Maximum Compression Ratio = 250
Clamd Port = 3310
Clamd Socket = /var/run/clamav/clamd.ctl
Clamd Lock File = /var/run/clamav/clamd.pid
Clamd Use Threads = no
ClamAV Full Message Scan = yes
Fpscand Port = 10200
Dangerous Content Scanning = yes
Allow Partial Messages = no
Allow External Message Bodies = no
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Phishing Safe Sites File = /etc/MailScanner/phishing.safe.sites.conf
Phishing Bad Sites File = /etc/MailScanner/phishing.bad.sites.conf
Country Sub-Domains List = /etc/MailScanner/country.domains.conf
Allow IFrame Tags = disarm
Allow Form Tags = disarm
Allow Script Tags = disarm
Allow WebBugs = disarm
Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap shim
Known Web Bug Servers = msgtag.com
Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif
Allow Object Codebase Tags = disarm
Convert Dangerous HTML To Text = no
Convert HTML To Text = no
Filename Rules = /etc/MailScanner/filename.rules.conf
Filetype Rules = /etc/MailScanner/filetype.rules.conf
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no
Keep Spam And MCP Archive Clean = no
Language Strings = /etc/MailScanner/reports/en/languages.conf
Rejection Report = /etc/MailScanner/reports/en/rejection.report.txt
Deleted Bad Content Message Report = /etc/MailScanner/reports/en/deleted.content.message.txt
Deleted Bad Filename Message Report = /etc/MailScanner/reports/en/deleted.filename.message.txt
Deleted Virus Message Report = /etc/MailScanner/reports/en/deleted.virus.message.txt
Deleted Size Message Report = /etc/MailScanner/reports/en/deleted.size.message.txt
Stored Bad Content Message Report = /etc/MailScanner/reports/en/stored.content.message.txt
Stored Bad Filename Message Report = /etc/MailScanner/reports/en/stored.filename.message.txt
Stored Virus Message Report = /etc/MailScanner/reports/en/stored.virus.message.txt
Stored Size Message Report = /etc/MailScanner/reports/en/stored.size.message.txt
Disinfected Report = /etc/MailScanner/reports/en/disinfected.report.txt
Inline HTML Signature = /etc/MailScanner/reports/en/inline.sig.html
Inline Text Signature = /etc/MailScanner/reports/en/inline.sig.txt
Signature Image Filename = /etc/MailScanner/reports/en/sig.jpg
Signature Image Filename = signature.jpg
Inline HTML Warning = /etc/MailScanner/reports/en/inline.warning.html
Inline Text Warning = /etc/MailScanner/reports/en/inline.warning.txt
Sender Content Report = /etc/MailScanner/reports/en/sender.content.report.txt
Sender Error Report = /etc/MailScanner/reports/en/sender.error.report.txt
Sender Bad Filename Report = /etc/MailScanner/reports/en/sender.filename.report.txt
Sender Virus Report = /etc/MailScanner/reports/en/sender.virus.report.txt
Sender Size Report = /etc/MailScanner/reports/en/sender.size.report.txt
Hide Incoming Work Dir = yes
Include Scanner Name In Reports = yes
Mail Header = X-Keylink Technologies-MailScanner:
Spam Header = X-Keylink Technologies-MailScanner-SpamCheck:
Spam Score Header = X-Keylink Technologies-MailScanner-SpamScore:
Add Envelope From Header = yes
Add Envelope To Header = no
Envelope From Header = X-Keylink Technologies-MailScanner-From:
Envelope To Header = X-Keylink Technologies-MailScanner-To:
Spam Score Character = s
SpamScore Number Instead Of Stars = no
Minimum Stars If On Spam List = 0
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
Information Header Value = Please contact the ISP for more information
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = no
Multiple Headers = append
Hostname = the Keylink Technologies ($HOSTNAME) MailScanner
Sign Messages Already Processed = no
Sign Clean Messages = yes
Attach Image To Signature = no
Attach Image To HTML Message Only = yes
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:
Deliver Cleaned Messages = yes
Notify Senders = no
Notify Senders Of Viruses = no
Notify Senders Of Blocked Filenames Or Filetypes = yes
Notify Senders Of Blocked Size Attachments = no
Notify Senders Of Other Blocked Content = yes
Never Notify Senders Of Precedence = list bulk
Scanned Modify Subject = no
Scanned Subject Text = {Scanned}
Virus Modify Subject = start
Virus Subject Text = {Virus?}
Filename Modify Subject = start
Filename Subject Text = {Filename?}
Content Modify Subject = start
Content Subject Text = {Dangerous Content?}
Size Modify Subject = start
Size Subject Text = {Size}
Disarmed Modify Subject = start
Disarmed Subject Text = {Disarmed}
Phishing Modify Subject = no
Phishing Subject Text = {Fraud?}
Spam Modify Subject = start
Spam Subject Text = {Spam?}
High Scoring Spam Modify Subject = start
High Scoring Spam Subject Text = {Spam?}
Warning Is Attachment = yes
Attachment Warning Filename = Keylink Technologies-Attachment-Warning.txt
Attachment Encoding Charset = ISO-8859-1
Send Notices = yes
Notices Include Full Headers = yes
Hide Incoming Work Dir in Notices = no
Notice Signature = -- MailScanner Email Virus Scanner www.mailscanner.info
Notices From = MailScanner
Notices To = postmaster
Local Postmaster = postmaster
Spam List Definitions = /etc/MailScanner/spam.lists.conf
Virus Scanner Definitions = /etc/MailScanner/virus.scanners.conf
Spam Checks = yes
Spam List = spamcop.net SBL+XBL
Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 3
Spam List Timeout = 10
Max Spam List Timeouts = 7
Spam List Timeouts History = 10
Is Definitely Not Spam = @SQLWhitelist
Is Definitely Spam = @SQLBlacklist
Definite Spam Is High Scoring = no
Ignore Spam Whitelist If Recipients Exceed = 20
Max Spam Check Size = 200k
Use Watermarking = no
Add Watermark = yes
Check Watermarks With No Sender = yes
Treat Invalid Watermarks With No Sender as Spam = nothing
Check Watermarks To Skip Spam Checks = yes
Watermark Secret = Keylink Technologies-Secret
Watermark Lifetime = 604800
Watermark Header = X-Keylink Technologies-MailScanner-Watermark:
Use SpamAssassin = yes
Max SpamAssassin Size = 200k
Required SpamAssassin Score = 6
High SpamAssassin Score = 10
SpamAssassin Auto Whitelist = yes
SpamAssassin Timeout = 75
Max SpamAssassin Timeouts = 10
SpamAssassin Timeouts History = 30
Check SpamAssassin If On Spam List = yes
Include Binary Attachments In SpamAssassin = no
Spam Score = yes
Cache SpamAssassin Results = yes
SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Rebuild Bayes Every = 0
Wait During Bayes Rebuild = no
Use Custom Spam Scanner = no
Max Custom Spam Scanner Size = 20k
Custom Spam Scanner Timeout = 20
Max Custom Spam Scanner Timeouts = 10
Custom Spam Scanner Timeout History = 20
Spam Actions = store deliver header "X-Spam-Status: Yes"
High Scoring Spam Actions = store
Non Spam Actions = store deliver header "X-Spam-Status: No"
Sender Spam Report = /etc/MailScanner/reports/en/sender.spam.report.txt
Sender Spam List Report = /etc/MailScanner/reports/en/sender.spam.rbl.report.txt
Sender SpamAssassin Report = /etc/MailScanner/reports/en/sender.spam.sa.report.txt
Inline Spam Warning = /etc/MailScanner/reports/en/inline.spam.warning.txt
Recipient Spam Report = /etc/MailScanner/reports/en/recipient.spam.report.txt
Enable Spam Bounce = /etc/MailScanner/rules/bounce.rules
Bounce Spam As Attachment = no
Syslog Facility = mail
Log Speed = no
Log Spam = no
Log Non Spam = no
Log Permitted Filenames = no
Log Permitted Filetypes = no
Log Permitted File MIME Types = no
Log Silent Viruses = no
Log Dangerous HTML Tags = no
Log SpamAssassin Rule Actions = no
SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
SpamAssassin Site Rules Dir = /etc/mail/spamassassin
MCP Checks = no
First Check = spam
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1
MCP Header = X-Keylink Technologies-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = deliver
Bounce MCP As Attachment = no
MCP Modify Subject = start
MCP Subject Text = {MCP?}
High Scoring MCP Modify Subject = start
High Scoring MCP Subject Text = {MCP?}
Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = no
Detailed MCP Report = yes
Include Scores In MCP Report = no
Log MCP = no
MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100k
MCP SpamAssassin Timeout = 10
MCP SpamAssassin Prefs File = /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf
MCP SpamAssassin Local Rules Dir = /etc/MailScanner/mcp
MCP SpamAssassin Default Rules Dir = /etc/MailScanner/mcp
MCP SpamAssassin Install Prefix = /etc/MailScanner/mcp
Recipient MCP Report = /etc/MailScanner/reports/en/recipient.mcp.report.txt
Sender MCP Report = /etc/MailScanner/reports/en/sender.mcp.report.txt
Use Default Rules With Multiple Recipients = no
Spam Score Number Format = %d
MailScanner Version Number = 4.68.8
SpamAssassin Cache Timings = 1800,300,10800,172800,600
Debug = no
Debug SpamAssassin = no
Run In Foreground = no
Always Looked Up Last = &MailWatchLogging
Always Looked Up Last After Batch = no
Deliver In Background = yes
Delivery Method = batch
Split Exim Spool = no
Lockfile Dir = /var/lock/subsys/MailScanner
Custom Functions Dir = /etc/MailScanner/CustomFunctions
Automatic Syntax Check = yes
Minimum Code Status = supported
```
Probably something config'd wrong for the actions

OK.... as I look through the last 1000 lines of the mail.log, I searched for the word "blocked" and found like 100 hits. All blocked by Spamhaus. Yet... MailWatch shows none of the blocked messages. SO...

1. Why would this thing be using mail.ksfuel.com and its MX records to forward to the client server rather than using its transport entry (which was postmapped)... yet it forwards to other domains just fine (like our internal one)?
2. Blocked stuff doesn't appear in MailWatch.
3. Why would it be using zen.spamhaus instead of the spamcop.net entry in the docs, which shows in the config?

All good questions.... that a simple noob has his head swimming over!! Thanks TP
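As an added example (not from the thread or from SpamSnake), the following Python script runs the three problems Tom is chasing over a mail.log excerpt: the "NOQUEUE: reject ... blocked using" lines, the "database ... is older than source file" warnings, and the "loops back to myself" bounces. The sample lines are constructed in the same syslog layout as the log above; their hostnames, addresses and queue IDs are placeholders. The key point it encodes: every "NOQUEUE: reject" comes from postfix/smtpd, which refuses the client at SMTP time before anything is queued, so MailScanner never processes those messages and MailWatch never logs them, and the RBL named in them is set by Postfix's smtpd restrictions, not by MailScanner's "Spam List" setting.

```python
import re
from collections import Counter

# Constructed sample in the syslog layout of the mail.log pasted above; the
# hostnames, addresses and queue IDs are placeholders, not the thread's values.
SAMPLE_LOG = """\
Jun 4 12:00:43 spam postfix/smtpd[20051]: NOQUEUE: reject: RCPT from host.example.net[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=192.0.2.10; from=<a@example.org> to=<b@example.com> proto=ESMTP helo=<host.example.net>
Jun 4 12:00:43 spam postfix/smtpd[20201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <fb979068bcb74f4>: Helo command rejected: need fully-qualified hostname; from=<c@example.org> to=<d@example.com> proto=ESMTP helo=<fb979068bcb74f4>
Jun 4 12:48:03 spam postfix/smtpd[21389]: warning: database /etc/postfix/sender_access.db is older than source file /etc/postfix/sender_access
Jun 4 15:52:40 spam postfix/smtp[26422]: warning: host mail.example.com[203.0.113.5]:25 greeted me with my own hostname spam.example.net
Jun 4 15:52:40 spam postfix/smtp[26422]: 69048394095: to=<e@example.com>, relay=mail.example.com[203.0.113.5]:25, delay=12, delays=12/0/0.01/0, dsn=5.4.6, status=bounced (mail for example.com loops back to myself)
Jun 4 16:39:48 spam postfix/smtp[27448]: 3526F394094: to=<f@example.org>, relay=smtp.example.net[203.0.113.9]:25, delay=3.6, delays=0.02/0/3.5/0.09, dsn=5.0.0, status=bounced (host smtp.example.net[203.0.113.9] said: 553 sorry, relaying denied from your location [203.0.113.1] (#5.7.1) (in reply to RCPT TO command))
Jun 4 12:07:25 spam postfix/smtp[20422]: 9B648394093: to=<g@example.net>, relay=mx.example.net[203.0.113.20]:25, delay=498, delays=498/0.01/0.21/0.48, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4EA7CA4033)
"""

# syslog prefix: "Mon  d HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')

# Ordered: the first pattern that matches decides the category.
CATEGORIES = [
    # smtpd refused the client at RCPT time (reject_rbl_client in main.cf);
    # nothing was queued, so MailScanner and MailWatch never see the message.
    ("rbl_reject",   re.compile(r'NOQUEUE: reject: .*blocked using (?P<rbl>[\w.-]+);')),
    ("helo_reject",  re.compile(r'NOQUEUE: reject: .*Helo command rejected')),
    # The .db is older than its source: postmap was not re-run after editing.
    ("stale_map",    re.compile(r'warning: database (?P<db>\S+) is older than source file (?P<src>\S+)')),
    # The relay answered with our own hostname: delivery for that domain is
    # pointing back at this box instead of at the transport destination.
    ("own_hostname", re.compile(r'with my own hostname (?P<me>\S+)')),
    ("loop_bounce",  re.compile(r'status=bounced \(mail for (?P<domain>\S+) loops back to myself\)')),
    ("relay_denied", re.compile(r'status=bounced \(.*relaying denied')),
    ("sent",         re.compile(r'status=sent ')),
]

def classify(msg):
    """Return (category, match) for a log message, or ("other", None)."""
    for name, pattern in CATEGORIES:
        m = pattern.search(msg)
        if m:
            return name, m
    return "other", None

def triage(log_text):
    """Summarise a mail.log excerpt: counts per category plus the details an
    admin needs to act on (which RBL, which map file, which domain loops)."""
    report = {"counts": Counter(), "rbls": Counter(),
              "stale_maps": set(), "loop_domains": set(), "unparsed": 0}
    for line in log_text.splitlines():
        parsed = LINE_RE.match(line)
        if not parsed:
            report["unparsed"] += 1
            continue
        category, m = classify(parsed.group("msg"))
        report["counts"][category] += 1
        if category == "rbl_reject":
            report["rbls"][m.group("rbl")] += 1
        elif category == "stale_map":
            report["stale_maps"].add(m.group("src"))
        elif category == "loop_bounce":
            report["loop_domains"].add(m.group("domain"))
    return report

def actions(report):
    """Turn the report into the concrete follow-ups this thread arrives at."""
    todo = []
    for src in sorted(report["stale_maps"]):
        todo.append(f"postmap {src} && postfix reload")
    for dom in sorted(report["loop_domains"]):
        todo.append(f"check the transport entry for {dom} (postmap -q {dom} hash:/etc/postfix/transport)")
    if report["rbls"]:
        todo.append("RBL rejects come from Postfix smtpd restrictions, not MailScanner's Spam List")
    return todo

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print(dict(rep["counts"]), dict(rep["rbls"]))
    for item in actions(rep):
        print("-", item)
```

Pointing `triage()` at a real mail.log (read the file and pass its text) gives the same per-category counts, which is a quicker check than grepping for "blocked".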
Tom, I went through your settings and found the following needs to be set as they are below:

Code:
SpamScore Number Instead Of Stars yes
Is Definitely Not Spam &SQLWhitelist
Is Definitely Spam &SQLBlacklist
Spam Actions deliver store
High Scoring Spam Actions delete store
Non Spam Actions deliver store

Make sure to reboot after making the changes. Let me know how it turns out.
We're rollin' now - couple issues yet...

OK... scores are showing up now just fine and it's blocking. I still see in the logs these errors:

Jun 5 10:14:02 spam postfix/smtp[5224]: warning: host mail.ksfuel.com[65.211.156.114]:25 greeted me with my own hostname spam.klinktech.net
Jun 5 10:14:02 spam postfix/smtp[5224]: warning: host mail.ksfuel.com[65.211.156.114]:25 replied to HELO/EHLO with my own hostname spam.klinktech.net

ksfuel.com is one of the domains we filter for at this ISP and then forward to their mail server in their office. I have the domain defined in the transport file and postmapped, yet it still seems to be using DNS to try to get an MX record to forward this mail to. So... how does one stop this and get it to actually use that transport file? We're so close I can taste it!! Thanks TP
Tom,

Create /etc/postfix/helo_access so that it looks like the below:

Code:
#Helo Access
65.211.156.114 OK
spam.klinktech.net OK
mail.ksfuel.com OK

Then run:

Code:
postmap /etc/postfix/helo_access

If you've created a /etc/postfix/sender_access, add the following to it like this:

Code:
#Sender Access
65.211.156.114 OK
spam.klinktech.net OK
mail.ksfuel.com OK

Then run:

Code:
postmap /etc/postfix/sender_access

Make sure to edit /etc/postfix/main.cf and verify that the following settings are correct:

Code:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname, permit
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain, permit

Finally, run:

Code:
postfix reload

Let me know how that turns out.
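To see what the helo_access table and the smtpd_helo_restrictions chain above actually do to a given connection, here is an added simulation that is not part of the thread or of Postfix itself. It parses an access table in the same layout as the post's helo_access, applies the lookup order described in Postfix's access(5) manual (exact hostname, then parent domains; an IPv4 address, then successively shorter prefixes), and walks the restriction list from the post in order. The mynetworks ranges and the sample table are constructed values; treating any action other than OK or REJECT as "continue to the next restriction" is a simplification of this example, not Postfix behaviour.

```python
import ipaddress
import re

# Constructed sample table using the same entries as the post's helo_access.
HELO_ACCESS_TEXT = """\
#Helo Access (constructed sample)
65.211.156.114 OK
spam.klinktech.net OK
mail.ksfuel.com OK
"""

# Constructed stand-in for main.cf's mynetworks (assumption, not the thread's value).
MYNETWORKS = ['127.0.0.0/8', '192.168.10.0/24']

# Syntax check used by reject_invalid_hostname: labels of letters, digits and
# hyphens (no leading/trailing hyphen), or an address literal such as [1.2.3.4].
HOSTNAME_RE = re.compile(
    r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$')


def parse_access_table(text):
    """Read a Postfix access table source file: 'key action' per line, '#' comments."""
    table = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        parts = raw.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    return table


def candidate_keys(key):
    """Lookup keys in the order access(5) tries them for a hostname or IPv4 address."""
    key = key.lower().strip('[]')          # HELO address literals arrive as [a.b.c.d]
    try:
        ipaddress.IPv4Address(key)
        octets = key.split('.')
        return ['.'.join(octets[:n]) for n in range(4, 0, -1)]   # a.b.c.d, a.b.c, a.b, a
    except ValueError:
        pass
    labels = key.split('.')
    keys = [key]
    for i in range(1, len(labels)):
        parent = '.'.join(labels[i:])
        keys.append(parent)        # 'domain.tld' also matches subdomains (default
        keys.append('.' + parent)  # parent_domain_matches_subdomains); '.domain.tld' form
    return keys


def access_lookup(table, key):
    """Return (matched_key, action) or (None, None) if nothing in the table applies."""
    for cand in candidate_keys(key):
        if cand in table:
            return cand, table[cand]
    return None, None


def helo_syntax_ok(helo):
    h = helo.strip()
    if h.startswith('[') and h.endswith(']'):
        try:
            ipaddress.IPv4Address(h[1:-1])
            return True
        except ValueError:
            return False
    return bool(HOSTNAME_RE.match(h))


def in_mynetworks(client_ip, nets=MYNETWORKS):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def evaluate_helo_restrictions(client_ip, helo, table, nets=MYNETWORKS):
    """Walk 'permit_mynetworks, check_helo_access, reject_invalid_hostname, permit'.

    Returns (decision, restriction that decided). Note that an OK entry in the
    access table ends evaluation, so later checks never see that client.
    """
    if in_mynetworks(client_ip, nets):
        return 'permit', 'permit_mynetworks'
    matched, action = access_lookup(table, helo)
    if action:
        verb = action.split()[0].upper()
        if verb == 'OK':
            return 'permit', 'check_helo_access ' + matched
        if verb == 'REJECT':
            return 'reject', 'check_helo_access ' + matched
        # other actions (DUNNO, numeric codes, ...) fall through in this simplified model
    if not helo_syntax_ok(helo):
        return 'reject', 'reject_invalid_hostname'
    return 'permit', 'permit'


if __name__ == '__main__':
    table = parse_access_table(HELO_ACCESS_TEXT)
    for ip, helo in [('65.211.156.114', 'mail.ksfuel.com'),
                     ('203.0.113.5', 'bad_host!'),
                     ('203.0.113.5', 'fb979068bcb74f4')]:
        print(ip, helo, '->', evaluate_helo_restrictions(ip, helo, table))
```

One thing the walk makes visible: reject_invalid_hostname is purely a syntax check, so a single-label HELO such as the ones in the earlier log excerpt passes it; the "need fully-qualified hostname" rejections in that log come from a different restriction than the one listed here.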
Wow....

OK... I'll start typing. I did find in the main.cf of postfix where I had typed tansport_maps = hash:/etc/postfix/transport instead of transport_maps, so on one hand I'm an idiot for mistyping (too many years of clicking the mouse in Microsoft) but on the other hand I'm glad I actually found that. TP
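A misspelled parameter name like the one above is silently ignored by Postfix's configuration parser, which is why the transport map never took effect while everything else kept working. Recent Postfix releases make postconf -n warn about unused main.cf parameters; as an added illustration (not code from the thread or from Postfix), the following stand-alone check parses a constructed main.cf excerpt with the same typo, flags parameter names it does not recognise, and suggests the closest known name. The KNOWN_PARAMETERS set is a small, assumed subset; on a real host the full list would come from postconf -d.

```python
import difflib
import re

# Assumed partial set of main.cf parameter names; a real check would load the
# complete list from `postconf -d` on the host being audited.
KNOWN_PARAMETERS = {
    'myhostname', 'mydomain', 'myorigin', 'mydestination', 'mynetworks',
    'relay_domains', 'relayhost', 'transport_maps', 'inet_interfaces',
    'smtpd_delay_reject', 'smtpd_helo_required', 'smtpd_helo_restrictions',
    'smtpd_sender_restrictions', 'smtpd_recipient_restrictions',
    'smtpd_client_restrictions', 'relay_recipient_maps', 'header_checks',
    'message_size_limit', 'mailbox_size_limit', 'alias_maps', 'alias_database',
}

# Constructed excerpt reproducing the typo reported in the thread.
MAIN_CF_SAMPLE = """\
# constructed main.cf excerpt
myhostname = spam.klinktech.net
tansport_maps = hash:/etc/postfix/transport
relay_domains = hash:/etc/postfix/relay_domains
smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_invalid_hostname, permit
"""

PARAM_RE = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*(.*)$')


def parse_main_cf(text):
    """Parse 'name = value' lines; lines starting with whitespace continue the previous value."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and last is not None:
            params[last] += ' ' + raw.strip()
            continue
        m = PARAM_RE.match(raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params


def find_unknown_parameters(params, known=KNOWN_PARAMETERS):
    """Return [(unknown_name, suggested_name_or_None), ...] for names not in `known`."""
    findings = []
    for name in params:
        if name in known:
            continue
        close = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.8)
        findings.append((name, close[0] if close else None))
    return findings


if __name__ == '__main__':
    for name, suggestion in find_unknown_parameters(parse_main_cf(MAIN_CF_SAMPLE)):
        hint = f' (did you mean {suggestion}?)' if suggestion else ''
        print(f'unknown parameter: {name}{hint}')
```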
Better....

Seems to be getting there. 3 questions though. (Regret reading this post yet?)

1. How does one change the disclaimer at the bottom of the emails that Mailscanner lets through? Right now the default is "This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean." and we need to add to that.
2. When I go in and try to release an email in Mailwatch that has been blocked I get...

Result
Release: error (unable to add recipient [[email protected]]: Invalid response code received from server)
Close Window

and finally

3. Is it possible to create a script that reads recipient addresses from an Exchange server and loads them into the recipient list rather than having to do it manually? We right now have the @domainname.com wide open for the domains, so we're not filtering by valid recipient. I ask because on the inside, we have around 1500 addresses that I would rather not type in, and the people here will never be able to update them themselves. The point-and-click Exchange server is beyond them; this would kill 'em!! TP
Hey Tom,

Glad to hear things are getting better.

1. Inline signature reports can be found in /etc/MailScanner/en. Edit to customize to your liking.
2. Edit the below line in /var/www/mailscanner/conf.php and make sure you've entered the full email address, including the domain name:

Code:
define(QUARANTINE_FROM_ADDR, '[email protected]');

3. Chapter 12 explains how to pull out the email addresses automatically.

Let me know how it turns out.
Uh...??

Cool... got #1 and found the inline signature HTML to change.
#2 has been put in and we're rebooting now.
#3 Chapter 12? Chapter 12 of what doc? TP
Chapter 12 of The Perfect Spamsnake tutorial found here http://howtoforge.org/the-perfect-spamsnake-ubuntu-8.04.
Duh!!!

OK... I'm an idiot. You mean section 12 of the online docs... when you mentioned chapter 12, I was thinking of a book somewhere. The changing of the email address in line 2 did the job, but releasing a message now gives the error:

Fatal error: Allowed memory size of 16777216 bytes exhausted (tried to allocate 5239334 bytes) in /var/www/mailscanner/pear/Mail/mimePart.php on line 232

Ideas? TP
Tom,

Try changing the memory_limit in /etc/php5/apache/php.ini to something higher than 16M. Default value:

Code:
memory_limit = 16M