Paul Welsh | 23 Sep 01:01 2014

ESET File Security

Just to share my findings of ESET File Security with MailScanner 4.84.5 in case anyone's interested in using it.

I got hold of a 30 day trial from http://www.eset.co.uk/Trial/Business?Product=LFS and have only installed it tonight so early days but was a breeze to install and appears to work fine.

It appears to be licensed per server for £83 per year with a good discount for 2 and 3 year licences - see https://shop.eset.co.uk/Store/File-Security

Installed it by downloading the software and manual from http://www.eset.co.uk/Download/Software/Product/LFS 

Installation on my CentOS 6.5 x64 box was simply a case of:
sh ./esets.x86_64.rpm.bin
then registering it with the licence file they sent:
/opt/eset/esets/sbin/esets_lic --import /home/admin/NOD32.lic
and editing the file /etc/opt/eset/esets/esets.cfg to add my username and password:
av_update_username =
av_update_password = 

At this point I could scan a directory:
/opt/eset/esets/sbin/esets_scan /root

I manually updated it, though not needed as it happened:
/opt/eset/esets/sbin/esets_update

The /etc/MailScanner/virus.scanners.conf file needed a small tweak:
esets           /usr/lib/MailScanner/esets-wrapper      /opt/eset/esets/sbin

I then tested without a problem:
/usr/lib/MailScanner/esets-wrapper /opt/eset/esets/sbin /root

I scanned another directory and got the following results.  Very quick:
Scan started at:   Mon 22 Sep 2014 10:32:17 PM BST
Scan completed at: Mon 22 Sep 2014 10:32:17 PM BST
Scan time:         0 sec (0:00:00)
Total:             files - 39, objects 39
Infected:          files - 0, objects 0
Cleaned:           files - 0, objects 0

Bitdefender took 25 seconds.  OK, no daemon with bitdefender but a startling difference.  Clamscan with clamd running took 7.5 seconds, f-prot took 1.25 seconds.

I sent the eicar test file within the body of a message and eset captured it.  The message wasn't delivered and instead the recipient got the text file with:
esets: Found virus Eicar test file in msg-2635-1.txt

I tried MailScanner.conf with the following and it worked each time:
Virus Scanners = esets
Virus Scanners = esets f-prot-6
Virus Scanners = esets f-prot-6 clamd

MailScanner's esets updater seems to work:
Sep 22 23:09:32 mail update.virus.scanners: Found esets installed
Sep 22 23:09:32 mail update.virus.scanners: Running autoupdate for esets
Sep 22 23:09:55 mail esets-autoupdate[4734]: esets updated

As per previous messages, I've found that the clamd daemon starts falling over after a few weeks with only a reboot resetting it.  Memory leak?

AVG, I found, looks like it works but delivers infected messages.

I've 30 days to see if eset is more reliable.  

Oh, one other thing.  ESET has 2 daemons:
# ps -C esets_daemon
  PID TTY          TIME CMD
  669 ?        00:00:00 esets_daemon
  671 ?        00:01:04 esets_daemon

--

-- 
MailScanner mailing list
mailscanner <at> lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
Paul Welsh | 21 Sep 23:40 2014

Re: Clamd error messages since last week

Following on from my issues with clamd, I rebooted the server and the errors stopped for several weeks, then came back again.  I rebooted again today.

I restart the daemon each time it fails but once it starts failing, restarts don't have any long lasting effect.  When I say long lasting, the errors start again within the hour.

Anyone else getting this?  I'm running version 0.98.4.

On 30 August 2014 12:00, <mailscanner-request <at> lists.mailscanner.info> wrote:

---------- Forwarded message ----------
From: Paul Welsh <paul <at> welshfamily.com>
To: MailScanner discussion <mailscanner <at> lists.mailscanner.info>
Cc: 
Date: Fri, 29 Aug 2014 19:13:31 +0100
Subject: Re: Clamd error messages since last week
If the clamd daemon is local to the mailscanner machine I would recommend switching to a unix socket instead of tcp. Set it in your clamd.conf and then mirror the path and filename in the MailScanner.config such as
Clamd Socket = /tmp/clamd
 
Also I attached a small Perl script that will check clamd and make sure it's both up and running and capable of responding (the PING/PONG).
Anything you can use to monitor program result codes can use this, as it returns 0 for OK and 1 for any issues. You can also have it log to mail|info if you want to use a log file analyzer and just call it from cron every min or so; there is very, very little overhead.
 
Rick Cooper


Thanks for responding, Rick.  Seems to be setup that way already though:

# grep 'Clamd Socket' /etc/MailScanner/MailScanner.conf
Clamd Socket = /var/run/clamav/clamd.sock

# grep LocalSocket /etc/clamd.conf
LocalSocket /var/run/clamav/clamd.sock

Suppose a reboot is the next step.  Upgrading to ClamAV 0.98.4 made no difference.

--
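A liveness probe of the kind Rick's reply describes (PING/PONG over the local socket, exit status 0 for OK and 1 for any problem), written in Python as an added example; it is not Rick's Perl script, which is not reproduced on this page. The socket path is the one from the configuration quoted in this thread, and the function name `clamd_ping` is made up for the example.

```python
#!/usr/bin/env python3
"""clamd liveness probe: exit 0 if clamd answers PING with PONG, else 1."""
import socket
import sys

# Socket path as shown in the clamd.conf / MailScanner.conf excerpts in this thread.
DEFAULT_SOCKET = "/var/run/clamav/clamd.sock"


def clamd_ping(path=DEFAULT_SOCKET, timeout=5.0):
    """Return (ok, detail); ok is True only if clamd replies PONG within timeout."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            # The "n" prefix selects the newline-delimited form of a clamd command.
            s.sendall(b"nPING\n")
            reply = b""
            while not reply.endswith(b"\n") and len(reply) < 64:
                chunk = s.recv(64)
                if not chunk:
                    break
                reply += chunk
    except socket.timeout:
        # Socket exists and accepts connections, but the daemon never answers.
        return False, f"timeout: no reply within {timeout}s"
    except OSError as exc:
        # Missing socket file, permission problem, connection refused, ...
        return False, f"connect/io error: {exc}"
    if reply.strip() == b"PONG":
        return True, "PONG"
    return False, f"unexpected reply: {reply!r}"


def main(argv):
    path = argv[1] if len(argv) > 1 else DEFAULT_SOCKET
    ok, detail = clamd_ping(path)
    print(f"clamd {'OK' if ok else 'FAIL'} ({path}): {detail}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run from cron or a monitoring agent, the non-zero exit status separates "daemon gone" from "daemon hung", both of which a plain process check would miss or conflate.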

Paul Welsh | 21 Sep 23:07 2014

Re: Antivirus performance, AVG

Hi Michael

Thanks for the info about AVG you provided back in May.

I didn't get any luck with this.  When I run avg with f-prot6 or clamd it appears to work.  I get this in maillog:
Clamd::INFECTED::Eicar-Test-Signature
Avg: Virus identified EICAR_Test; deleted in msg-9254-1.txt

and I get this in the attachment-warning.txt in the received message:
Clamd: msg-9254-1.txt was infected: Eicar-Test-Signature
Avg: Found virus deleted in file msg-9254-1.txt

So looks promising.

However, if I use AVG on its own I see this in the log:
Avg: Virus identified EICAR_Test; deleted in msg-12519-1.txt
Virus Scanning: Avg found 1 infections
Virus Scanning: Found 1 viruses
Delivery of nonspam

The message is delivered intact.

To test I'm including the eicar text in the body of a message.  Using MailScanner 4.84.5.





On 23 May 2014 12:00, <mailscanner-request <at> lists.mailscanner.info> wrote:
---------- Forwarded message ----------
From: Michael Huntley <michael <at> huntley.net>
To: MailScanner discussion <mailscanner <at> lists.mailscanner.info>
Cc: 
Date: Thu, 22 May 2014 23:00:28 -0700
Subject: Re: Antivirus performance, AVG
I got AVG to work.

I changed this line in virus.scanners.conf:
avg             /usr/lib/MailScanner/avg-wrapper        /opt/avg/av

Save a copy just-in-case someone blows the dust off this project and releases an update......

Then I edited the wrapper:
/usr/lib/MailScanner/avg-wrapper:

#Add the t option to delete infected object.  MailScanner doesn't remove it otherwise...
#probably a code issue.  Don't care, throw the beastie away.
ScanOptions="-at"
PackageDir=$1
shift
Prog=avgscan

if [ "x$1" = "x-IsItInstalled" ]; then
  [ -x ${PackageDir}/bin/$Prog ] && exit 0
  exit 1
fi

# Force output into English
LANG=EN
export LANG
# update AVGs library reference

#Needed For Proper Use Of New AVG
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/avg/av/lib
export AVGINSTDIR=/opt/avg/av
export HOME=/opt/avg/av

exec $PackageDir/bin/$Prog $ScanOptions "$@" 2>&1
exit 1

...

Save a backup of the wrapper in case (highly UNLIKELY at this time) MailScanner has an update.  HA!

Cheers!

mph
--

Edward Dam | 17 Sep 22:28 2014

Moving Servers

Hi All,

I spent the day setting up a new MailScanner server as the old one's days were numbered from a hardware perspective.

I've got the new server up and running, and MailScanner installed and working.

What I *can't* get working, is the custom rules I have, specifically a file called deliver.rules that contains a bunch of forwards.

First off, new server info.

CentOS 6.5
MailScanner Version = 4.84.6
PHP Version = 5.3.3

MailScanner.conf applicable lines:

%rules-dir% = /etc/MailScanner/rules

Non Spam Actions = %rules-dir%/deliver.rules


So in /etc/MailScanner/rules I have my deliver.rules file, copied from the old working system.

For some reason, MailScanner completely ignores the file. I've been banging my head against the desk for a couple hours now - and this is the last "issue" left before pushing this into production.

Any thoughts?



--

Mahirrudin Alkhoir | 17 Sep 11:34 2014

Custom header for whitelist message

Hello,

I have a question about tagging messages. In the MailScanner configuration there are settings for blacklist and whitelist rules per domain.

Is Definitely Not Spam = &ByDomainSpamWhitelist
Is Definitely Spam = &ByDomainSpamBlacklist

For the blacklist (spam messages), I can customize the header or subject using a spam action.

Spam Actions = deliver header "X-Spam-Status: Yes"
Non Spam Actions = deliver header "X-Spam-Status: No"

If I use that configuration, all clean messages, including whitelisted messages, have the same "X-Spam-Status" header.
Is there another way to modify the email header for whitelist rules only?

X-Spam-Status: Whitelist


Best Regards,

mahirrudin

When there's a Will there's a Smith
http://blog.mahirrudin.com
--

Jorge Barosa | 15 Sep 11:11 2014

pfSense virtualized with mailscanner doesn't run

Hello,

I'm new to your list, can someone please help me?

I've got a pfSense in a virtualized system (VMware vSphere Hypervisor 5.5 ESXi). Everything works just fine except the mailscanner!! It gives these errors:

mailscanner: Process did not exit cleanly, returned 2 with signal 0
root: /usr/pbi/mailscanner-amd64/etc/rc.d/mailscanner: WARNING: failed to start mailscanner

Can someone give me a hint?

best regards,
Jorge Barosa

--

Philip Parsons | 9 Sep 19:12 2014

Is anyone else seeing a bunch of Portuguese spam coming from US hosted servers?

Has anyone found a way to block them?

 

 

Thank you.
Philip Parsons
IT and Telecommunication Specialist

Techeez IT Consulting

250-818-2879

Skype ID: techeez
www.techeez.com "Making IT easy"

 


--

ja@conviator.com | 2 Sep 14:19 2014

ot a bit: sendmail and TO mx not found

hi
 
It's a bit OT but I hope it's OK anyway. We are also using Mailscanner as outbound scanner and see a problem that I cannot figure out - probably some setting I'm missing.

Sometimes "we" send emails to a domain where the primary MX record does not resolve. I would have expected that sendmail would just try the next but instead it resolves to mxrecord.name.OURDOMAIN.COM (I think) - it seems it appends our domain and then tries this server and this server says "no thanks" so the delivery fails.

I tried to look up the MX myself using the same nameserver as the mailscanner server is using - this fails, so it's not the DNS server that appends something to make it resolvable or gives out a standard IP.

I also checked the resolve file to check that there is no search setting that would make it search our domain for a valid IP/lookup.

How can I stop this behavior and make it try the next MX in line?
 
best regards
Jan
 
--

Lev Nagdimunov | 28 Aug 08:32 2014

Mailscanner changes line-length in base64 encoded email

Hello,

I've noticed that Mailscanner will change the length of encoded (at least base64 encoded) email on anything greater than 60 characters down to 60 characters in the spool file (-D). For any DKIM signed email, this will break the body hash. Normally it's not a problem since it's already been processed by the MTA at that point, but if you do a blind forward afterward then it is a problem.

MTA: Exim version 4.82 #2

Thank you.
--
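Why the re-folding Lev describes invalidates a DKIM signature, shown as an added example (not code from the original post): the decoded content is unchanged, but the bh= body hash differs under both RFC 6376 body canonicalizations, because neither one normalises line breaks. The payload is constructed, the function names are hypothetical, and the 76-column width of the signed original is an assumption; the post only states the 60-column result.

```python
import base64
import hashlib
import re


def rewrap_base64(body: bytes, width: int) -> bytes:
    """Re-fold a base64 body to `width` columns (stand-in for the spool rewrite)."""
    data = b"".join(body.split())
    return b"".join(data[i:i + width] + b"\r\n" for i in range(0, len(data), width))


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 "simple" body: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 "relaxed" body: collapse runs of WSP, strip line-end WSP,
    drop trailing empty lines. Line breaks themselves are NOT normalised."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()


def compare(payload: bytes, new_width: int = 60) -> dict:
    # Assumption: the signer emitted 76-column base64 (what encodebytes produces).
    signed = base64.encodebytes(payload).replace(b"\n", b"\r\n")
    spooled = rewrap_base64(signed, new_width)
    return {
        "same_content": base64.b64decode(signed) == base64.b64decode(spooled),
        "simple_bh_match": body_hash(signed, canon_simple) == body_hash(spooled, canon_simple),
        "relaxed_bh_match": body_hash(signed, canon_relaxed) == body_hash(spooled, canon_relaxed),
    }


if __name__ == "__main__":
    # Constructed payload: 200 arbitrary bytes standing in for an attachment.
    print(compare(bytes(range(200))))
    print(compare(b"short"))  # a single line under 60 columns: nothing to re-fold
```

A body whose encoded lines already fit in 60 columns hashes identically before and after, which is why only some forwarded messages fail verification.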

Paul Welsh | 26 Aug 22:57 2014

Clamd error messages since last week

Running MailScanner 4.84.5 on CentOS 6.5 with ClamAV 0.98.3/19312/Tue Aug 26 15:54:25 2014.

Starting Aug 22 15:30 I started getting these type of messages in maillog:
MailScanner[6035]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .

Seeing this kind of thing in maillog:
Aug 26 18:59:18 mail MailScanner[16465]: New Batch: Scanning 1 messages, 15192 bytes
Aug 26 18:59:19 mail MailScanner[16465]: Virus and Content Scanning: Starting
Aug 26 18:59:19 mail MailScanner[16465]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Aug 26 18:59:19 mail MailScanner[16465]: Virus Scanning: Clamd found 1 infections
Aug 26 18:59:20 mail MailScanner[16465]: Virus Scanning: Found 1 viruses
Aug 26 18:59:20 mail MailScanner[16465]: Spam Checks: Starting

The "found 1 infections" is a false alarm.

Not happening all the time but when the server is busier, eg, few or no errors over the weekend.

I'm checking the maillog hourly and restarting it with:
/etc/init.d/clamd start

Anyone else come across this problem?

Some settings from clamd.conf:
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
TCPSocket 3310
MaxThreads 50

Likewise from MailScanner.conf:
Clamd Port = 3310
Clamd Socket = /var/run/clamav/clamd.sock
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = yes

Might the Use Threads setting be worth changing?



--

Kevin Miller | 19 Aug 20:55 2014

Upgrading spamassassin

Historically I've used Jules' prepackaged spamassassin tarballs to install/upgrade.  Those seem to have
fallen by the wayside now however.  I'm on spamassassin 3.3.1.  What's the best way to get current?  

The OS varies by email host:
	CentOS 5.10
	CentOS 6.5
	SLES 10.4 & 11.2

Any caveats to just downloading from spamassassin.org and installing?  RPMs are so much more convenient,
but they seem to be stagnant an awful lot of the time.  My test server has both epel and rpmforge repos added
but they're "stale" as well.

TIA...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 

--
