LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   amavisd / clamav, spamassassin problem (https://www.linuxquestions.org/questions/linux-server-73/amavisd-clamav-spamassassin-problem-569849/)

70mas 07-16-2007 12:32 PM
amavisd / clamav, spamassassin problem
 
I have setup a mail filter for my postfix mail server according to:

http://www.howtoforge.com/virtual_us...debian_etch_p4

And everything is ok except that ALL of my messages get deleted because filtered

Some info I get:

Undelivered mail report:
Code:
The message WAS NOT relayed to:
 <tomas@*******.com>:
  554 5.7.0 Reject, id=25583-03 - CLEAN

This nondelivery report was generated by the program amavisd-new at host
proserverhost.com. Our internal reference code for your message is
25583-03/bsqH3VULiiGg

Return-Path: <tomas.****@gmail.com>
Message-ID: <fdd19ded0707160943xce1d293x5fe92f93cfef65fc@mail.gmail.com>
Subject: skuska


Original-Recipient: rfc822;tomas@******.com
Final-Recipient: rfc822;tomas@******.com
Action: failed
Status: 5.7.0
Diagnostic-Code: smtp; 554 5.7.0 Reject, id=25583-03 - CLEAN
Last-Attempt-Date: Mon, 16 Jul 2007 18:44:03 +0200 (CEST)
Final-Log-ID: 25583-03/bsqH3VULiiGg
I think the most stupid thing about that is: 554 5.7.0 Reject, id=25583-03 - CLEAN

It says that it is CLEAN and through it removes it.

Some extract of my /var/log/mail/mail.log

Code:
Jul 16 18:44:02 websrv02 postfix/smtpd[26706]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jul 16 18:44:02 websrv02 postfix/smtpd[26706]: connect from ug-out-1314.google.com[66.249.92.174]
Jul 16 18:44:03 websrv02 postfix/smtpd[26706]: 16E2621C050: client=ug-out-1314.google.com[66.249.92.174]
Jul 16 18:44:03 websrv02 postfix/cleanup[26714]: 16E2621C050: message-id=<fdd19ded0707160943xce1d293x5fe92f93cfef65fc@mail.gmail.com>
Jul 16 18:44:03 websrv02 postfix/qmgr[23873]: 16E2621C050: from=<tomas.****@gmail.com>, size=2104, nrcpt=1 (queue active)
Jul 16 18:44:04 websrv02 postfix/smtpd[26719]: connect from unknown[127.0.0.1]
Jul 16 16:44:04 websrv02 postfix/smtpd[26719]: 1D66321C054: client=unknown[127.0.0.1]
Jul 16 18:44:04 websrv02 postfix/cleanup[26714]: 1D66321C054: message-id=<DSNbsqH3VULiiGg@proserverhost.com>
Jul 16 18:44:04 websrv02 postfix/qmgr[23873]: 1D66321C054: from=<>, size=3775, nrcpt=1 (queue active)
Jul 16 18:44:04 websrv02 amavis[25583]: (25583-03) Blocked OTHER, [66.249.92.174] [66.249.92.174] <tomas.****@gmail.com> -> <tomas@******.com>, Message-ID: <fdd19ded0707160943xce1d293x5fe92f93cfef65fc@mail.gmail.com>, mail_id: bsqH3VULiiGg, Hits: 0.001, size: 2101, 965 ms
Jul 16 18:44:04 websrv02 postfix/smtp[26715]: 16E2621C050: to=<tomas@******.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.14/0.01/0/0.97, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=25583-03, BOUNCE)
It gets Hits: 0.001 and is deleted... Strange..

Can u please help me?

Thanx in advance.

PS. Is it possible for the mail filter to not delete the messages but place them in IMAP Junk folder for example? Thanx.

gani 07-17-2007 07:58 AM
Quote:
Jul 16 18:44:04 websrv02 postfix/smtp[26715]: 16E2621C050: to=<tomas@******.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.14/0.01/0/0.97, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=25583-03, BOUNCE)
Could you post further your logs beyond this line? This could provide further hints that we need.

Mails identified as junks by amavisd are usually sent in /var/virusmails and are not deleted and would just stay there until the admin wipe them all.

-----------

70mas 07-17-2007 04:45 PM
Further it goes as follows:

Code:
Jul 16 16:44:04 websrv02 postfix/smtpd[26719]: disconnect from unknown[127.0.0.1]
Jul 16 18:44:04 websrv02 postfix/qmgr[23873]: 16E2621C050: removed
Jul 16 18:44:04 websrv02 postfix/smtp[26721]: 1D66321C054: to=<tomas.****@gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.129.27]:25, delay=0.46, delays=0.02/0.06/0.06/0.32, dsn=2.0.0, status=sent (250 2.0.0 OK 1184604238 31si10793761fkt)
Jul 16 18:44:04 websrv02 postfix/qmgr[23873]: 1D66321C054: removed
Jul 16 18:44:33 websrv02 postfix/smtpd[26706]: disconnect from ug-out-1314.google.com[66.249.92.174]
It just disconnects and sends an undeliverable mail report that i mentioned before.

gani 07-17-2007 11:02 PM
I followed through your logs and it looks, as the amavisd DSN report also showed, that the message that was sent from gmail that were intended for tomas@*******.com did not reach the user's inbox or it might have bounced as the continuation of your logs has shown as well.

This looks like a bounce-back notification sent by your MTA that I'm sure the gmail sender has received.

Code:
Jul 16 18:44:04 websrv02 postfix/smtp[26721]: 1D66321C054: to=<tomas.****@gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.129.27]:25, delay=0.46, delays=0.02/0.06/0.06/0.32, dsn=2.0.0, status=sent (250 2.0.0 OK 1184604238 31si10793761fkt)
Jul 16 18:44:04 websrv02 postfix/qmgr[23873]: 1D66321C054: removed
Quote:
The message WAS NOT relayed to:
<tomas@*******.com>:
554 5.7.0 Reject, id=25583-03 - CLEAN

This nondelivery report was generated by the program amavisd-new at host
proserverhost.com. Our internal reference code for your message is
25583-03/bsqH3VULiiGg

Return-Path: <tomas.****@gmail.com>
Message-ID: <fdd19ded0707160943xce1d293x5fe92f93cfef65fc@mail.gmail.com>
Subject: skuska
In your case, it appears that it has something to do with local mail delivery or the way your postfix mailbox delivery has been configured. Just my idea and the way I'm sensing it.

Here is to show you a normal incoming mail transaction that I hope you can follow:

Code:
Jul 18 05:45:05 webmaster postfix/smtpd[3046]: connect from sql2.linuxquestions.org[64.179.4.149]
Jul 18 05:45:06 webmaster postfix/smtpd[3046]: setting up TLS connection from sql2.linuxquestions.org[64.179.4.149]
Jul 18 05:45:07 webmaster postfix/smtpd[3046]: TLS connection established from sql2.linuxquestions.org[64.179.4.149]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 18 05:45:08 webmaster postfix/smtpd[3046]: DB5FB1AFD: client=sql2.linuxquestions.org[64.179.4.149]
Jul 18 05:45:09 webmaster postfix/cleanup[3058]: DB5FB1AFD: message-id=<200707172107.79d120636826@www.linuxquestions.org>
Jul 18 05:45:09 webmaster postfix/qmgr[1312]: DB5FB1AFD: from=<*****@linuxquestions.org>, size=2455, nrcpt=1 (queue active)
Jul 18 05:45:09 webmaster postfix/smtpd[3046]: disconnect from sql2.linuxquestions.org[64.179.4.149]
Jul 18 05:45:15 webmaster postfix/cleanup[3058]: 019711B17: message-id=<200707172107.79d120636826@www.linuxquestions.org>
Jul 18 05:45:15 webmaster postfix/qmgr[1312]: 019711B17: from=<*****@linuxquestions.org>, size=2964, nrcpt=1 (queue active)
Jul 18 05:45:15 webmaster amavis[1328]: (01328-15) Passed CLEAN, ORIGINATING [64.179.4.149] [64.179.4.149] <*****@linuxquestions.org> -> <gani@********.com.ph>, Message-ID: <200707172107.79d120636826@www.linuxquestions.org>, mail_id: xXRF4JsAsUDr, Hits: -0.039, size: 2462, queued_as: 019711B17, 5467 ms
The 'Passed CLEAN' message report produced by amavis is indicative of a good message that must be delivered to the user's inbox and not to the quarantine area.

--------------

70mas 07-18-2007 09:02 AM
Instead of Passed CLEAN i get Blocked OTHER.

I ran amavisd debug according to what I googled about it...

Here are the suspicious lines of the output (the whole couldnt fit into LQ's post, note: it is another mail message because the previous wasnt debugged)

Code:
...
Jul 18 14:58:24 proserverhost.com /usr/sbin/amavisd[24035]: (24035-02) lookup (banned_filename), 1 matches for "tomas@******.com", results: "(constant:DEFAULT)"=>"DEFAULT"
...
Jul 18 14:58:27 proserverhost.com /usr/sbin/amavisd[24035]: (24035-02) lookup: (scalar) matches, result="-100"
Jul 18 14:58:27 proserverhost.com /usr/sbin/amavisd[24035]: (24035-02) lookup (spam_tag_level) => true,  "tomas@******.com" matches, result="-100", matching_key="(constant:-100)"
Jul 18 14:58:27 proserverhost.com /usr/sbin/amavisd[24035]: (24035-02) lookup: (scalar) matches, result="5"
Jul 18 14:58:27 proserverhost.com /usr/sbin/amavisd[24035]: (24035-02) lookup (spam_tag2_level) => true,  "tomas@******.com" matches, result="5", matching_key="(constant:5)"
Jul 18 14:58:27 proserverhost.com /usr/sbin/amavisd[24035]: (24035-02) lookup (spam_tag3_level) => undef, "tomas@******.com" does not match
Jul 18 14:58:27 proserverhost.com /usr/sbin/amavisd[24035]: (24035-02) lookup: (scalar) matches, result="5"
Jul 18 14:58:27 proserverhost.com /usr/sbin/amavisd[24035]: (24035-02) lookup (spam_kill_level) => true,  "tomas@******.com" matches, result="5", matching_key="(constant:5)"
...
Jul 18 14:58:27 proserverhost.com /usr/sbin/amavisd[24035]: (24035-02) blocking ccat=0, SMTP response: 554 5.7.0 Reject, id=24035-02 - CLEAN
i also tried manually test the message source:
Code:
#cat mail.txt | spamassassin
X-Spam-Checker-Version: SpamAssassin 3.2.1-gr1 (2007-05-02) on
        websrv02.primeinteractive.net
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=5.0 tests=NO_RECEIVED,NO_RELAYS
        autolearn=ham version=3.2.1-gr1
Message-ID: <469E0F4E.000001.07049@kamasutra>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: Text/Plain
From: sevas tavas <sevas@post.sk>
To: <tomas@******.com>
Subject: skuska
X-Priority: 3
Date: 18 Jul 2007 15:02:06 +0200 (CEST)
X-Mailer: StringData

toto je skuska


__________
Svetova kniznica SME - literarne klenoty 20. storocia - http://knihy.sme.sk/
I have no idea why it is behaving like this...
Please help me.

gani 07-19-2007 08:42 PM
Quote:
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=5.0
SA never sees it as SPAM.

But it looks that amavis is suspicious about this. For the purpose of isolation, deactivate first amavis in your main.cf by commenting out this line:

content_filter = smtp-amavis:[127.0.0.1]:10024

and reload postfix.

Or use another Subject line like "TEST" and a message content of "TEST" also.

If you would download the amavisd-new source tar ball, unpack in your homedir and cd to it and "less README_FILES/README.postfix", you would find instructions on configuring amavis and testing it. Or maybe this same readme is as well available (that I haven't check yet) as HTML in amavisd-new website.

Please also check amavis quarantine for quarantined messages that from a standard installation, it is supposed to be in /var/virusmails.

----------


All times are GMT -5. The time now is 01:49 AM.