Email Loop

General eFa discussion
Post Reply
greenieofdubbo
Posts: 4
Joined: 08 Mar 2015 02:32

Email Loop

Post by greenieofdubbo »

Hi Everyone

I have an EFA 3.0.0.7 virtual machine exposed to the internet. Forwarding email to an Exchange 2013 server.

As soon the first email hits the queue, the email loops as seen in the attached screenshot and never makes it to exchange. It continues to do so until i flush the queue from the console.

I've tried
- Rebuild of EFA.
- Shutting down Exchange (to confirm its not something Exchange related)

Has anyone seen this?
test.png
test.png (86.48 KiB) Viewed 7487 times
User avatar
darky83
Site Admin
Posts: 540
Joined: 30 Sep 2012 11:03
Location: eFa
Contact:

Re: Email Loop

Post by darky83 »

If you look at the looping mails.. what does it show as the source ip?

Also is it possible to show the last part of the /var/log/mail.log log file?
Version eFa 4.x now available!
greenieofdubbo
Posts: 4
Joined: 08 Mar 2015 02:32

Re: Email Loop

Post by greenieofdubbo »

Thanks for the reply. Where do you see the source IP?

Last lines from maillog (while the email is looping)

Code: Select all

Mar  8 22:57:20 efa MailScanner[18634]: Reading configuration file /etc/MailScanner/MailScanner.conf
Mar  8 22:57:20 efa MailScanner[18634]: Reading configuration file /etc/MailScanner/conf.d/README
Mar  8 22:57:20 efa MailScanner[18634]: Read 1873 hostnames from the phishing whitelist
Mar  8 22:57:21 efa MailScanner[18634]: Read 17282 hostnames from the phishing blacklists
Mar  8 22:57:21 efa MailScanner[18634]: Config: calling custom init function SQLBlacklist
Mar  8 22:57:21 efa MailScanner[18634]: Starting up SQL Blacklist
Mar  8 22:57:21 efa MailScanner[18634]: Read 0 blacklist entries
Mar  8 22:57:21 efa MailScanner[18634]: Config: calling custom init function MailWatchLogging
Mar  8 22:57:21 efa MailScanner[18634]: Started SQL Logging child
Mar  8 22:57:21 efa MailScanner[18634]: Config: calling custom init function SQLWhitelist
Mar  8 22:57:21 efa MailScanner[18634]: Starting up SQL Whitelist
Mar  8 22:57:21 efa MailScanner[18634]: Read 1 whitelist entries
Mar  8 22:57:21 efa MailScanner[18634]: Using SpamAssassin results cache
Mar  8 22:57:21 efa MailScanner[18634]: Connected to SpamAssassin cache database
Mar  8 22:57:21 efa MailScanner[18634]: Enabling SpamAssassin auto-whitelist functionality...
Mar  8 22:57:24 efa MailScanner[18634]: Using locktype = flock
Mar  8 22:57:25 efa MailScanner[18634]: New Batch: Scanning 1 messages, 783 bytes
Mar  8 22:57:25 efa MailScanner[18634]: File checker failed with real error: Can't fork at /usr/lib/MailScanner/MailScanner/SweepOther.pm line 450.
Mar  8 22:57:25 efa MailScanner[18567]: Virus Scanning: Found 1 viruses
Mar  8 22:57:25 efa MailScanner[18567]: Spam Checks: Starting
Mar  8 22:57:25 efa MailScanner[18567]: Logging message A60C512004F.AC6E0 to SQL
Mar  8 22:57:25 efa MailScanner[17612]: A60C512004F.AC6E0: Logged to MailWatch SQL
Mar  8 22:57:25 efa MailScanner[18567]: New Batch: Scanning 1 messages, 783 bytes
Mar  8 22:57:25 efa MailScanner[18567]: Virus and Content Scanning: Starting
Mar  8 22:57:25 efa MailScanner[18645]: Cannot find Socket (/var/run/clamav/clamd.sock) Exiting!
Mar  8 22:57:25 efa MailScanner[18567]: Virus Scanning: No virus scanners worked, so message batch was abandoned and re-tried!
Mar  8 22:57:25 efa MailScanner[18646]: MailScanner E-Mail Virus Scanner version 4.84.6 starting...
Mar  8 22:57:25 efa MailScanner[18646]: Reading configuration file /etc/MailScanner/MailScanner.conf
Mar  8 22:57:25 efa MailScanner[18646]: Reading configuration file /etc/MailScanner/conf.d/README
Mar  8 22:57:25 efa MailScanner[18646]: Read 1873 hostnames from the phishing whitelist
Mar  8 22:57:26 efa MailScanner[18646]: Read 17282 hostnames from the phishing blacklists
Mar  8 22:57:26 efa MailScanner[18646]: Config: calling custom init function SQLBlacklist
Mar  8 22:57:26 efa MailScanner[18646]: Starting up SQL Blacklist
Mar  8 22:57:26 efa MailScanner[18646]: Read 0 blacklist entries
Mar  8 22:57:26 efa MailScanner[18646]: Config: calling custom init function MailWatchLogging
Mar  8 22:57:26 efa MailScanner[18646]: Started SQL Logging child
Mar  8 22:57:26 efa MailScanner[18646]: Config: calling custom init function SQLWhitelist
Mar  8 22:57:26 efa MailScanner[18646]: Starting up SQL Whitelist
Mar  8 22:57:26 efa MailScanner[18646]: Read 1 whitelist entries
Mar  8 22:57:26 efa MailScanner[18646]: Using SpamAssassin results cache
Mar  8 22:57:26 efa MailScanner[18646]: Connected to SpamAssassin cache database
Mar  8 22:57:26 efa MailScanner[18646]: Enabling SpamAssassin auto-whitelist functionality...
Mar  8 22:57:30 efa MailScanner[18646]: Using locktype = flock
Mar  8 22:57:30 efa MailScanner[18646]: New Batch: Scanning 1 messages, 783 bytes
Mar  8 22:57:30 efa MailScanner[18646]: File checker failed with real error: Can't fork at /usr/lib/MailScanner/MailScanner/SweepOther.pm line 450.
Mar  8 22:57:30 efa MailScanner[18656]: MailScanner E-Mail Virus Scanner version 4.84.6 starting...
Mar  8 22:57:30 efa MailScanner[18656]: Reading configuration file /etc/MailScanner/MailScanner.conf
Mar  8 22:57:30 efa MailScanner[18656]: Reading configuration file /etc/MailScanner/conf.d/README
Mar  8 22:57:31 efa MailScanner[18656]: Read 1873 hostnames from the phishing whitelist
Mar  8 22:57:31 efa MailScanner[18656]: Read 17282 hostnames from the phishing blacklists
Mar  8 22:57:31 efa MailScanner[18656]: Config: calling custom init function SQLBlacklist
Mar  8 22:57:31 efa MailScanner[18656]: Starting up SQL Blacklist
Mar  8 22:57:31 efa MailScanner[18656]: Read 0 blacklist entries
Mar  8 22:57:31 efa MailScanner[18656]: Config: calling custom init function MailWatchLogging
Mar  8 22:57:31 efa MailScanner[18656]: Started SQL Logging child
Mar  8 22:57:31 efa MailScanner[18656]: Config: calling custom init function SQLWhitelist
Mar  8 22:57:31 efa MailScanner[18656]: Starting up SQL Whitelist
Mar  8 22:57:31 efa MailScanner[18656]: Read 1 whitelist entries
Mar  8 22:57:31 efa MailScanner[18656]: Using SpamAssassin results cache
Mar  8 22:57:31 efa MailScanner[18656]: Connected to SpamAssassin cache database
Mar  8 22:57:31 efa MailScanner[18656]: Enabling SpamAssassin auto-whitelist functionality...
User avatar
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Email Loop

Post by shawniverson »

Something is wrong with clamav....

Which build of EFA are you using? VMWare, Hyper-V, or a homebrew?
greenieofdubbo
Posts: 4
Joined: 08 Mar 2015 02:32

Re: Email Loop

Post by greenieofdubbo »

Hyper-V 2012 (non R2)
User avatar
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Email Loop

Post by shawniverson »

How much memory do you have allocated? (Increase it to 4GB)
User avatar
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Email Loop

Post by shawniverson »

I am installing the Hyper-V version just to be sure there isn't something up with it...
greenieofdubbo
Posts: 4
Joined: 08 Mar 2015 02:32

Re: Email Loop

Post by greenieofdubbo »

Increased memory from 512MB to 4GB and rebuilt the VM just incase. That seems to have fixed it.

Error on my part, i should have read the documentation. To be honest, i'm not sure I ever would have guessed that. Low memory = email loops :doh:

Thanks for your help. Looks like a great product so far.
brandonp
Posts: 1
Joined: 07 Sep 2018 13:25

Re: Email Loop

Post by brandonp »

I am having a simular issue four years later. I download eFa as the OVF template. I have the standard 1 Socket, 2 Core CPU configuration and 8GB of RAM, all other VM setting are the template default. This was efa version 3.0.2.5.

Setup went very well per the setup guide. Once I had everything configured, I did the efa-update update command and brought the VM up to date with the community. Once the system rebooted, I got an email from efa via my Exchange Server, so mail flow is working. The day before placing eFa into production, I notice an email looping with the subject of "Cron <clam@efa> [ -x /usr/bin/clamav-unofficial-sigs.sh ] && /bin/bash /usr/bin/clamav-unofficial-sigs.sh > /dev/null" My research found that CLAM AV is using module 'pe' that it could not load. I commented out the module in clamav-unofficial-sigs/conf/master.comf and re ran the script. This cleared the issue and eFa sent out several Alterts to my mail box. Everything looked good at this point.

The following day, the system still looked ready. We moved our SMTP port to the eFa server, and the first few emails passed with no issue. Then the loop returned. I was able to run the clamav-unofficla.sigs.sh script. It downloaded some update files, restarted clamav, and email started flowing for a few mintues. Then the loop returned.

If I attempted to stop the clamd service, it Fails. If I attempt a restart, the shutdown failes, but the service is restarted. I believe I am on the right track that the issue is CLAM AV, but I am not an expert in linux. Any thoughts or idea's for this issue?
User avatar
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Email Loop

Post by shawniverson »

Did you remove the yara rules previously downloaded from /var/lib/clamav ?
Post Reply