What happened after I released an email?

Posted: 25 Jan 2019 20:01
by iglooo
I've just finished setting up eFa in Hyper-V to work with our Exchange 2013 server and ran into something a little odd.

The automated system emails from root@mydomain got flagged by the Exchange Sender ID filter (before I disabled it), so I tried releasing one of them, and what followed was a flood of that email sent from my email to my email, which never even made it to Exchange.

There were about 100 of those emails before I deleted the offending message from the Postfix queue. What happened? And is there a way to clean up the Recent Messages page?

Thanks.

Re: What happened after I released an email?

Posted: 29 Jan 2019 20:20
by iglooo
Anyone? It's really bugging me and I can't figure it out.

Re: What happened after I released an email?

Posted: 29 Jan 2019 21:37
by henk
Looks strange; I've never had to release whitelisted mail.

I do not use Exchange or the Exchange Sender ID filter. It seems the message was blocked, so look in /var/log/maillog.

My 2 cents:
root is not the best user to receive mail ;)

1. /etc/aliases

# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
..
...
# Person who should get root's mail
#root: marc, henk or someone who cares
root: <<valid adminuser>>@<<your domain.XX>>

Remember to exec:

newaliases

2. In the GUI -> Black and White Lists
-> whitelist these users (should match the alias user and domain)

You can also whitelist postmaster@<YourDomain> and root@efa-FQDN. Check the From address in the messages.

3. /etc/EFA-Config
Should contain this entry:
POSTMASTEREMAIL:<<valid adminuser>>@<<your domain.XX>>

4. /var/www/html/mailscanner/conf.php

// This is required if you use a remote SMTP server to send MailWatch emails (reports etc).
define('MAILWATCH_SMTP_HOSTNAME', gethostname());
// Change with a fully qualified email address
define('MAILWATCH_FROM_ADDR', '<<valid adminuser>>@<<your domain.XX>>');
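The four steps in the post above all aim the appliance's own system mail at one mailbox that somebody reads. The script below is an added example, not eFa's or MailWatch's own code, that checks the alias side of that: it parses /etc/aliases-style text, follows the chain for root, postmaster and mailer-daemon with loop detection, reports any chain that still ends in a local mailbox on the appliance, and compares the result with the address found in EFA-Config-style and conf.php-style text. The file fragments, the appliance hostname efa.example and the address admin@mydomain.example are all constructed.

```python
"""Check where the appliance's root/postmaster mail ends up.

Added example, not eFa's own code. Parses aliases(5)-style text, follows
alias chains with loop detection, and compares the result with the admin
address configured for EFA-Config and MailWatch. All inputs are constructed.
"""
import re

APPLIANCE_DOMAIN = "efa.example"  # assumed hostname of the appliance (constructed)

# Constructed: the stock aliases file, with the root line still commented out.
ALIASES_BEFORE = """\
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
# Person who should get root's mail
#root: marc
"""

# Constructed: the same file after step 1 of the post.
ALIASES_AFTER = ALIASES_BEFORE + "root: admin@mydomain.example\n"

# Constructed fragments of /etc/EFA-Config and mailscanner/conf.php.
EFA_CONFIG = "POSTMASTEREMAIL:admin@mydomain.example\n"
CONF_PHP = "define('MAILWATCH_FROM_ADDR', 'admin@mydomain.example');\n"


def parse_aliases(text):
    """Return {name: [targets]} from aliases(5) lines; comments are dropped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rhs = line.split(":", 1)
        table[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table


def resolve(table, name, _path=()):
    """Follow the alias chain for `name` to its final addresses.

    Unaliased local names become name@APPLIANCE_DOMAIN, i.e. a mailbox on the
    appliance that nobody reads. A name that reappears in its own chain is an
    alias loop and raises ValueError.
    """
    cur = name.lower()
    if cur in _path:
        raise ValueError("alias loop: " + " -> ".join(_path + (cur,)))
    if "@" in cur:
        return {cur}
    if cur not in table:
        return {f"{cur}@{APPLIANCE_DOMAIN}"}
    final = set()
    for target in table[cur]:
        final |= resolve(table, target, _path + (cur,))
    return final


def local_deliveries(table, names=("root", "postmaster", "mailer-daemon")):
    """Map each system name to the final addresses that stay on the appliance."""
    return {n: sorted(a for a in resolve(table, n) if a.endswith("@" + APPLIANCE_DOMAIN))
            for n in names}


def configured_admin_addresses(efa_config, conf_php):
    """Pull POSTMASTEREMAIL and MAILWATCH_FROM_ADDR out of the two file fragments."""
    found = {}
    m = re.search(r"^POSTMASTEREMAIL:\s*(\S+)", efa_config, re.M)
    if m:
        found["EFA-Config"] = m.group(1).lower()
    m = re.search(r"define\('MAILWATCH_FROM_ADDR',\s*'([^']+)'\)", conf_php)
    if m:
        found["conf.php"] = m.group(1).lower()
    return found


def audit(aliases_text, efa_config, conf_php):
    """Return a list of findings; an empty list means root's mail leaves the box."""
    table = parse_aliases(aliases_text)
    findings = []
    for name, local in local_deliveries(table).items():
        if local:
            findings.append(f"{name} still delivers locally to {', '.join(local)}")
    admin = configured_admin_addresses(efa_config, conf_php)
    root_final = resolve(table, "root")
    for where, addr in admin.items():
        if addr not in root_final:
            findings.append(f"{where} uses {addr}, but root resolves to {sorted(root_final)}")
    return findings


if __name__ == "__main__":
    print("before:", audit(ALIASES_BEFORE, EFA_CONFIG, CONF_PHP))
    print("after: ", audit(ALIASES_AFTER, EFA_CONFIG, CONF_PHP))
```

Run as-is it reports five findings for the stock file (all three system names end in root@efa.example, and both configured addresses disagree with that) and none once the root line is in place; point `ALIASES_BEFORE` at the real /etc/aliases to check an appliance, remembering that Postfix reads the compiled aliases.db, so `newaliases` still has to be run after editing.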

Re: What happened after I released an email?

Posted: 31 Jan 2019 17:16
by iglooo
henk wrote (29 Jan 2019 21:37): Looks strange, I never had to release whitelisted mail..
...
Hey Henk! Appreciate your reply. I didn't NEED to release whitelisted mail; I just tried it because the initial email got blocked by Exchange and I wanted to resend it. Any idea why it wouldn't resend it but instead created a flood of those messages which never even reached Exchange? (picture attached)

The maillog doesn't contain anything with my email address or even root@efa. Aliases, EFA-Config and mailscanner/conf.php all include my personal email address and otherwise look good.

My only whitelist entry is this:

From:        To:
127.0.0.1    default

Is this something I should change?

Thanks for your help!

Re: What happened after I released an email?

Posted: 31 Jan 2019 19:43
by henk
iglooo wrote: which never even reached exchange

As the Exchange Sender ID filter is about to block mail, and there is a regular pattern of about 5 secs, are you sure eFa is generating these messages?
Can you show the details of one message?
Or can you have a look at your Exchange server to see what is blocked, or whatever?

Exchange will not accept the same message twice: viewtopic.php?p=4308

Re: What happened after I released an email?

Posted: 01 Feb 2019 19:37
by iglooo
Henk, here's a screenshot of the message:

It's the same thing over and over again, as you can see by the long scroll bar.

Thanks for all your help!

Re: What happened after I released an email?

Posted: 01 Feb 2019 22:57
by shawniverson
It appears to be sending to and receiving from 127.0.0.1, which is causing an endless loop :o

For some reason Postfix is favoring your appliance over the final destination and delivering to itself.

Do you have a transport/relayhost defined for your domain, and is it a hostname or an IP?

If it is a hostname, does the hostname resolve to the IP of your final destination?
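The two questions above boil down to one check: for every next hop Postfix has for the domain, does the name resolve to the Exchange server or back to the appliance? The script below is an added example, not eFa's or Postfix's own code, that parses transport(5)-style lines and a relayhost value, resolves each next hop, and flags hops that land on loopback or on one of the appliance's own addresses. DNS is replaced by a constructed lookup table so it runs offline; the hostnames and 192.0.2.x addresses are constructed. A real run would swap `FAKE_DNS` for `socket.gethostbyname` and, for unbracketed hosts, an MX lookup as well, since Postfix uses MX records unless the host is in square brackets.

```python
"""Flag Postfix next hops that point back at the appliance.

Added example, not eFa's own code. Parses transport(5)-style lines and a
relayhost setting, resolves each next hop through a table that stands in for
DNS, and reports hops that land on the appliance itself, which is what
produces a 127.0.0.1 -> 127.0.0.1 delivery loop. All inputs are constructed.
"""
import ipaddress
import re

# Constructed stand-in for DNS (A records only; a real check would also look up MX).
FAKE_DNS = {
    "mail.mydomain.example": "192.0.2.25",    # the Exchange server
    "efaserv.mydomain.example": "192.0.2.10",  # the appliance itself
    "mydomain.example": "192.0.2.10",          # bare domain A record points at the appliance
}
# Addresses the appliance answers on (constructed).
APPLIANCE_IPS = {"127.0.0.1", "::1", "192.0.2.10"}

# Constructed transport maps: one correct, two that route the domain back to this box.
TRANSPORT_OK = "mydomain.example    smtp:[mail.mydomain.example]\n"
TRANSPORT_LOOP = "mydomain.example    smtp:[efaserv.mydomain.example]:25\n"
TRANSPORT_BARE = "mydomain.example    smtp:mydomain.example\n"

# nexthop forms: host, [host], host:port, [host]:port
NEXTHOP_RE = re.compile(r"^(?:\[(?P<bracket>[^\]]+)\]|(?P<bare>[^:\[\]]+))(?::(?P<port>\d+))?$")


def nexthop_host(nexthop):
    """Strip brackets and port from a Postfix next hop; '' if it has no host."""
    m = NEXTHOP_RE.match(nexthop.strip())
    if not m:
        return ""
    return m.group("bracket") or m.group("bare")


def parse_transport(text):
    """Yield (pattern, transport, host) for each non-comment transport(5) line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        pattern, result = parts
        transport, _, nexthop = result.partition(":")
        yield pattern, transport, nexthop_host(nexthop)


def resolve_host(host, dns=FAKE_DNS):
    """Return the IP for a next hop: literal IPs pass through, names use the table."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return dns.get(host.lower())


def points_at_self(ip, local_ips=APPLIANCE_IPS):
    """True if the resolved IP is loopback or one of this appliance's addresses."""
    return ip in local_ips or ipaddress.ip_address(ip).is_loopback


def audit_routing(transport_text, relayhost="", dns=FAKE_DNS, local_ips=APPLIANCE_IPS):
    """Return findings for transport entries or a relayhost that loop back or don't resolve."""
    findings = []
    entries = list(parse_transport(transport_text))
    if relayhost:
        entries.append(("relayhost", "smtp", nexthop_host(relayhost)))
    for pattern, transport, host in entries:
        if not host:
            continue  # e.g. "local:" or an entry with no next hop
        ip = resolve_host(host, dns)
        if ip is None:
            findings.append(f"{pattern}: next hop {host} does not resolve")
        elif points_at_self(ip, local_ips):
            findings.append(f"{pattern}: next hop {host} resolves to {ip}, "
                            f"which is this appliance (mail loop)")
    return findings


if __name__ == "__main__":
    for label, text in (("ok", TRANSPORT_OK), ("loop", TRANSPORT_LOOP), ("bare", TRANSPORT_BARE)):
        print(label, audit_routing(text))
    print("relayhost", audit_routing("", relayhost="[127.0.0.1]:25"))
```

The bare-host case is the one that is easy to miss: `smtp:mydomain.example` with no brackets looks reasonable, but if the domain's own records point at the filter rather than at Exchange, the filter hands the message to itself. Bracketing the real destination, `smtp:[mail.mydomain.example]`, removes both the MX lookup and the ambiguity.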

Re: What happened after I released an email?

Posted: 04 Feb 2019 16:09
by iglooo
Appreciate you chiming in, Shawn! That makes sense. I've uploaded my transport settings, and I don't have an outbound relay (is that what you're talking about?) set up.

Should I be adding localhost to the transport settings too?

Re: What happened after I released an email?

Posted: 05 Feb 2019 17:33
by iglooo
So I checked the maillog again, and somehow I missed this, but there are countless log entries pertaining to the message loop:

Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: Found 1 viruses
Jan 25 13:01:29 efaserv MailScanner[9710]: Spam Checks: Starting
Jan 25 13:01:29 efaserv MailScanner[9710]: Deleted 1 messages from processing-database
Jan 25 13:01:29 efaserv MailScanner[9710]: MailWatch: Logging message 252FC100061.A0789 to SQL
Jan 25 13:01:29 efaserv MailScanner[9710]: New Batch: Scanning 1 messages, 958 bytes
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus and Content Scanning: Starting
Jan 25 13:01:29 efaserv MailScanner[9710]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: Clamd found 1 infections
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: No virus scanners worked, so message batch was abandoned and retried!

There are a few posts on this forum about the same issue (I found a fix which I've yet to implement: viewtopic.php?t=3128), and I'm wondering what's the deal? What are YARA rules, why are they broken on a fresh Hyper-V install, and what are the drawbacks of disabling them?

Thanks community!

Edit: And if I try to restart clamd, this is what I get:

Starting Clam AntiVirus Daemon: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.
LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them
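The lines quoted above form a cycle: clamd cannot be reached, MailScanner abandons and retries the batch, and the same message id is logged to MailWatch again on every pass, which is one way a single message turns into many rows on the Recent Messages page. The script below is an added example, not eFa's, MailScanner's or ClamAV's own code, that runs that detection over a constructed log sample modelled on the lines above: it counts clamd connection failures and batch retries per MailScanner child, lists message ids that were re-logged while clamd was down, and parses the LibClamAV yyerror() lines from the clamd start so the failing rule file, line numbers and undefined identifier are reported in one place. The timestamps, the 5-second spacing and the repeated message id are constructed.

```python
"""Spot a stuck MailScanner batch and broken YARA rules in the log.

Added example, not eFa's or MailScanner's own code. Scans maillog lines for
the clamd-unreachable / batch-retried cycle and counts how many times each
message is re-logged to MailWatch, then parses LibClamAV yyerror() lines
from a clamd start. Sample lines are constructed to mirror the post.
"""
import re
from collections import Counter, defaultdict

# Constructed maillog excerpt: the same batch retried three times, 5 s apart.
MAILLOG = """\
Jan 25 13:01:29 efaserv MailScanner[9710]: MailWatch: Logging message 252FC100061.A0789 to SQL
Jan 25 13:01:29 efaserv MailScanner[9710]: New Batch: Scanning 1 messages, 958 bytes
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus and Content Scanning: Starting
Jan 25 13:01:29 efaserv MailScanner[9710]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: Clamd found 1 infections
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: No virus scanners worked, so message batch was abandoned and retried!
Jan 25 13:01:34 efaserv MailScanner[9710]: MailWatch: Logging message 252FC100061.A0789 to SQL
Jan 25 13:01:34 efaserv MailScanner[9710]: New Batch: Scanning 1 messages, 958 bytes
Jan 25 13:01:34 efaserv MailScanner[9710]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jan 25 13:01:34 efaserv MailScanner[9710]: Virus Scanning: No virus scanners worked, so message batch was abandoned and retried!
Jan 25 13:01:39 efaserv MailScanner[9710]: MailWatch: Logging message 252FC100061.A0789 to SQL
Jan 25 13:01:39 efaserv MailScanner[9710]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jan 25 13:01:39 efaserv MailScanner[9710]: Virus Scanning: No virus scanners worked, so message batch was abandoned and retried!
"""

# Constructed clamd start output (two of the yyerror lines plus the summary).
CLAMD_START = """\
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.
LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LOGGED_RE = re.compile(r"MailWatch: Logging message (?P<id>\S+) to SQL")
YARA_ERR_RE = re.compile(r'yyerror\(\): (?P<file>\S+) line (?P<line>\d+) undefined identifier "(?P<ident>[^"]+)"')
YARA_SUM_RE = re.compile(r"failed to parse or load (?P<bad>\d+) yara rules from file (?P<file>\S+), successfully loaded (?P<ok>\d+) rules")


def parse_maillog(text):
    """Yield (pid, message) for MailScanner syslog lines; other lines are skipped."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.group("pid"), m.group("msg")


def scanner_health(text):
    """Per child PID: clamd connect failures, batch retries and SQL logs per message id."""
    stats = defaultdict(lambda: {"clamd_unreachable": 0, "batch_retried": 0, "logged": Counter()})
    for pid, msg in parse_maillog(text):
        s = stats[pid]
        if "COULD NOT CONNECT TO CLAMD" in msg:
            s["clamd_unreachable"] += 1
        if "message batch was abandoned and retried" in msg:
            s["batch_retried"] += 1
        m = LOGGED_RE.search(msg)
        if m:
            s["logged"][m.group("id")] += 1
    return dict(stats)


def stuck_messages(text, min_retries=2):
    """Message ids logged to MailWatch at least `min_retries` times by a child that had clamd down."""
    stuck = {}
    for s in scanner_health(text).values():
        if s["clamd_unreachable"] and s["batch_retried"]:
            for msg_id, n in s["logged"].items():
                if n >= min_retries:
                    stuck[msg_id] = n
    return stuck


def yara_load_errors(text):
    """Per rule file: the (line, identifier) pairs clamd rejected plus the load summary."""
    report = defaultdict(lambda: {"errors": [], "failed": None, "loaded": None})
    for line in text.splitlines():
        m = YARA_ERR_RE.search(line)
        if m:
            report[m.group("file")]["errors"].append((int(m.group("line")), m.group("ident")))
        m = YARA_SUM_RE.search(line)
        if m:
            report[m.group("file")]["failed"] = int(m.group("bad"))
            report[m.group("file")]["loaded"] = int(m.group("ok"))
    return dict(report)


if __name__ == "__main__":
    print("stuck:", stuck_messages(MAILLOG))
    print("yara:", yara_load_errors(CLAMD_START))
```

Feed it the real /var/log/maillog and the output of a clamd restart and the two reports answer the two questions separately: which messages are being rescanned in a loop (and so need clearing from the queue and from MailWatch), and which rule file clamd refuses to load so it never comes up.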

Re: What happened after I released an email?

Posted: 05 Feb 2019 18:21
by henk
Besides the post you already found, there are several posts on this topic: viewtopic.php?t=2928
iglooo wrote: I'm wondering what's the deal? What are yara rules, why are they broken on a fresh hyperv install, and what are the drawbacks of disabling them?
You could take some time to find answers to these questions yourself, as there are some basic rules on how to use a forum to prevent duplicate questions on topics already solved: viewtopic.php?f=5&t=2974

Did you notice there is a brand new eFa 4 being tested at the moment? It doesn't make sense to me to install eFa 3 (fresh Hyper-V install) when it's EOL. :drool:

Re: What happened after I released an email?

Posted: 05 Feb 2019 18:43
by iglooo
eFa 4 is still in testing, right? Not a great idea to put something that's not final into production. Any idea when it's coming out?

And I did search for YARA, but nothing comprehensive came up.

Re: What happened after I released an email?

Posted: 05 Feb 2019 21:05
by henk
The testing status: viewtopic.php?f=19&t=3306

See the 4.x Testing section for more news.

A few current known issues. The new release version is just around the corner.
iglooo wrote: And I did search for yara but nothing comprehensive came up
How did you search for YARA?