What happened after I released an email?
I've just finished setting up efa in hyperv to work with our exchange 2013 server and ran into something a little odd..
The automated system emails from root@mydomain got flagged by exchange sender ID filter (before I disabled it) so I tried releasing one of them, and what followed was a flood of that email sent from my email to my email, which never even made it to exchange.
There were about 100 of those emails before I deleted the offending message from the postfix queue. What happened? And is there a way to clean up the recent messages page?
Thanks.
Attachment: Capture.PNG
Re: What happened after I released an email?
Anyone? It's really bugging me and I can't figure out
Re: What happened after I released an email?
Looks strange, I never had to release whitelisted mail..
I do not use exchange / exchange sender ID filter. It seems the message was blocked, so look in /var/log/maillog.
My 2 cents
As root is not the best user to receive mail:
1. /etc/aliases
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
...
# Person who should get root's mail
#root: marc, henk or someone who cares
root: <<valid adminuser>>@<<your domain.XX>>
Remember to exec:
newaliases
2. In the GUI -> Black and white Lists
-> whitelist these users (should match the alias user and domain)
You can add/whitelist postmaster@<YourDomain> and root@efa-FQDN also. Check the from-address in the messages.
3. /etc/EFA-Config
Should contain this entry:
POSTMASTEREMAIL:<<valid adminuser>>@<<your domain.XX>>
4. /var/www/html/mailscanner/conf.php
// This is required if you use a remote SMTP server to send MailWatch emails (reports etc).
define('MAILWATCH_SMTP_HOSTNAME', gethostname());
// Change with a fully qualified email address
define('MAILWATCH_FROM_ADDR', '<<valid adminuser>>@<<your domain.XX>>');
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
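The alias step above is the one that decides whether root's mail stays on the appliance or reaches a real admin. The following is an added example, not code from the post or from the EFA project: it parses an aliases(5)-style table, follows the chain (mailer-daemon -> postmaster -> root -> ...) to the final recipients, detects alias loops, and reports whether root's mail ends up off-box. SAMPLE_ALIASES is constructed to mirror the snippet in the post, and admin@example.com is a placeholder.

```python
"""Resolve /etc/aliases chains and check where root's mail finally lands.

Added example; it is not code from the original post or from the EFA project.
SAMPLE_ALIASES is constructed to mirror the post's snippet; on a real box use
open('/etc/aliases').read() instead. 'admin@example.com' is a placeholder.
"""

# Constructed sample, modelled on the aliases snippet in the post.
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
# Person who should get root's mail
#root: marc, henk or someone who cares
root: admin@example.com
"""


def parse_aliases(text):
    """Parse aliases(5)-style text into {alias_name: [targets]}.

    Comments ('#' to end of line) and blank lines are skipped; a target list is
    comma-separated. Names are lower-cased because local-part lookups are
    case-insensitive in practice.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or ':' not in line:
            continue
        name, targets = line.split(':', 1)
        table[name.strip().lower()] = [t.strip() for t in targets.split(',') if t.strip()]
    return table


def resolve(name, table):
    """Follow an alias chain to its final recipients.

    Returns (sorted final recipients, loop_detected). A target that is not itself
    an alias is final: either a remote address ('user@domain') or a local mailbox
    such as 'root', which is exactly the case the post says to avoid.
    """
    final, loop = set(), False
    stack = [(name.lower(), ())]          # (current name, names already on this path)
    while stack:
        current, path = stack.pop()
        if current in path:               # e.g. root: postmaster / postmaster: root
            loop = True
            continue
        targets = table.get(current)
        if targets is None:
            final.add(current)
            continue
        for target in targets:
            stack.append((target.lower(), path + (current,)))
    return sorted(final), loop


def root_delivered_offbox(table):
    """True when root's mail resolves only to remote addresses, with no alias loop."""
    recipients, loop = resolve('root', table)
    return not loop and bool(recipients) and all('@' in r for r in recipients)


if __name__ == '__main__':
    aliases = parse_aliases(SAMPLE_ALIASES)
    for alias in ('mailer-daemon', 'postmaster', 'root'):
        print(alias, '->', resolve(alias, table=aliases))
    print('root delivered off-box:', root_delivered_offbox(aliases))
```

With the stock table (no root: line) the chain ends at the local mailbox root, which is what the post warns against; after editing the file, run newaliases as the post says so the change takes effect.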
Re: What happened after I released an email?
Hey Henk! Appreciate your reply. I didn't NEED to release whitelisted mail, I just tried it because the initial email got blocked by exchange and I wanted to resend it. Any idea why it wouldn't resend it but instead create a flood of those messages which never even reached exchange? (pic. attached)
Maillog doesn't contain anything with my email address or even root@efa. Aliases, EFA-Config and mailscanner/conf.php all include my personal email address and otherwise look good.
My only whitelist entry is this:
From: 127.0.0.1    To: default
Is this something I should change?
Thanks for your help!
Attachment: Capture.PNG
Re: What happened after I released an email?
Quoting "which never even reached exchange": as the exchange sender ID filter is about to block mail, and there is a regular pattern of about 5 secs, are you sure efa is generating these messages?
Can you show the details from one message?
Or can you have a look at your exchange server to see what is blocked or whatever?
exchange will not accept the same message twice. viewtopic.php?p=4308
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Re: What happened after I released an email?
Henk, here's a screenshot of the message:
It's the same thing over and over again, as you can see by the long scroll bar
Thanks for all your help!
Attachment: Untitled.png
- shawniverson
Re: What happened after I released an email?
It appears to be sending and receiving 127.0.0.1, which is causing an endless loop
For some reason postfix is favoring your appliance over the final destination and delivering to itself.
Do you have a transport/relayhost defined for your domain and is it a hostname or ip?
If it is a hostname does the hostname resolve to the ip of your final destination?
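The check Shawn describes, whether the transport or relayhost nexthop resolves to the appliance itself, is easy to automate. The following is an added example, not code from the thread, Postfix or the EFA project: it parses transport-map lines of the form "domain transport:[nexthop]:port" plus an optional relayhost, resolves each nexthop, and flags any route whose destination is one of this host's own addresses. The transport lines, LOCAL_IPS and the FAKE_DNS answers are constructed so the script runs offline; on a real appliance you would feed it /etc/postfix/transport, the output of postconf -h relayhost, the host's own addresses, and socket.gethostbyname_ex as the resolver.

```python
"""Check whether a Postfix transport map or relayhost routes mail back to this host.

Added example; not code from the original thread or the EFA project. The transport
lines, LOCAL_IPS and FAKE_DNS below are constructed so it runs offline. On a real
appliance feed it /etc/postfix/transport, the output of `postconf -h relayhost`,
the host's own addresses, and socket.gethostbyname_ex as the resolver.
"""
import ipaddress
import re

# Constructed sample transport map (domain  transport:[nexthop]:port).
SAMPLE_TRANSPORT = """\
# domain            transport:[nexthop]:port
example.com         smtp:[mail.example.com]:25
internal.example    smtp:[10.0.0.25]
looped.example      smtp:[efa.example.com]
"""
LOCAL_IPS = {"127.0.0.1", "10.0.0.10"}                  # addresses of the appliance itself
FAKE_DNS = {"mail.example.com": ["10.0.0.25"],          # stands in for real DNS answers
            "efa.example.com": ["10.0.0.10"]}


def fake_resolve(host):
    """Offline stand-in for a resolver returning a list of A records."""
    return FAKE_DNS.get(host, [])


def parse_nexthop(spec):
    """Split 'smtp:[host]:25' into (transport, host, port).

    A bare transport ('smtp') has no nexthop; Postfix then uses the recipient
    domain's MX. Bracketed IPv6 literals are not handled by this example.
    """
    transport, _, rest = spec.partition(':')
    if not rest:
        return transport, None, None
    m = re.fullmatch(r'\[?([^\]:]+)\]?(?::(\d+))?', rest)
    if not m:
        raise ValueError(f"cannot parse nexthop {spec!r}")
    return transport, m.group(1), int(m.group(2)) if m.group(2) else None


def resolve_ips(host, resolver):
    """An IP literal is its own answer; anything else goes through the resolver."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return list(resolver(host))


def find_loops(transport_text, local_ips, resolver=fake_resolve, relayhost=""):
    """Return [(domain, nexthop_host, resolved_ips, loops_to_self)] for every route.

    A route 'loops' when its nexthop resolves to one of this host's own addresses:
    Postfix would hand the message back to itself, which is the 127.0.0.1 loop
    described in the thread.
    """
    routes = []
    for raw in transport_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            routes.append(tuple(parts))
    if relayhost:                                       # relayhost has no transport prefix
        routes.append(("*relayhost*", "smtp:" + relayhost))
    report = []
    for domain, spec in routes:
        _, host, _ = parse_nexthop(spec)
        ips = resolve_ips(host, resolver) if host else []
        report.append((domain, host, ips, any(ip in local_ips for ip in ips)))
    return report


if __name__ == '__main__':
    for domain, host, ips, loops in find_loops(SAMPLE_TRANSPORT, LOCAL_IPS):
        print(f"{domain:20} -> {host} {ips} {'LOOP' if loops else 'ok'}")
```

A hostname nexthop is checked after resolution on purpose: a transport entry can look correct and still point at the appliance when DNS (or /etc/hosts) maps that name to the appliance's own IP, which is the case Shawn asks about.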
Re: What happened after I released an email?
Appreciate you chiming in Shawn! That makes sense. I've uploaded my transport settings and I don't have an outbound relay (is that what you're talking about?) set up.
Should I be adding localhost to transport settings too?
Attachment: transport.PNG
Re: What happened after I released an email?
So I checked maillog again and somehow I missed this, but there are countless log entries pertaining to the message loop:
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: Found 1 viruses
Jan 25 13:01:29 efaserv MailScanner[9710]: Spam Checks: Starting
Jan 25 13:01:29 efaserv MailScanner[9710]: Deleted 1 messages from processing-database
Jan 25 13:01:29 efaserv MailScanner[9710]: MailWatch: Logging message 252FC100061.A0789 to SQL
Jan 25 13:01:29 efaserv MailScanner[9710]: New Batch: Scanning 1 messages, 958 bytes
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus and Content Scanning: Starting
Jan 25 13:01:29 efaserv MailScanner[9710]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: Clamd found 1 infections
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: No virus scanners worked, so message batch was abandoned and retried!
There are a few posts on this forum about the same issue (I found a fix which I've yet to implement viewtopic.php?t=3128 ) and I'm wondering what's the deal? What are yara rules, why are they broken on a fresh hyperv install, and what are the drawbacks of disabling them?
Thanks community!
Edit: And if I try to restart clamd, this is what I get:
Starting Clam AntiVirus Daemon: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.
LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them
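The two outputs in the post above carry the actual diagnosis: MailScanner cannot reach clamd, so every batch is "abandoned and retried" and the same message keeps coming round, while clamd itself fails to start cleanly because seven YARA rules reference the identifier pe (ClamAV's YARA support does not provide YARA modules such as pe, so rules that use pe.* do not parse). The following is an added example, not code from the thread, MailScanner, ClamAV or the EFA project: it runs detection logic over both outputs, counting scanner retries and clamd connection errors per maillog excerpt, and extracting which rule file, lines and identifiers clamd rejected plus any duplicate-database warning. SAMPLE_MAILLOG is a constructed excerpt modelled on the post's maillog lines (with the second batch five seconds later, as Henk observed), and SAMPLE_CLAMD_START reproduces the start-up output shown in the post.

```python
"""Classify the MailScanner and LibClamAV output from the post.

Added example; not code from the original thread, MailScanner, ClamAV or the EFA
project. SAMPLE_MAILLOG is a constructed excerpt modelled on the maillog lines in
the post and SAMPLE_CLAMD_START on the clamd start-up output; on the appliance
read /var/log/maillog and the clamd start-up output instead.
"""
import re
from collections import Counter

SAMPLE_MAILLOG = """\
Jan 25 13:01:29 efaserv MailScanner[9710]: New Batch: Scanning 1 messages, 958 bytes
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus and Content Scanning: Starting
Jan 25 13:01:29 efaserv MailScanner[9710]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: Clamd found 1 infections
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: No virus scanners worked, so message batch was abandoned and retried!
Jan 25 13:01:29 efaserv MailScanner[9710]: MailWatch: Logging message 252FC100061.A0789 to SQL
Jan 25 13:01:34 efaserv MailScanner[9710]: New Batch: Scanning 1 messages, 958 bytes
Jan 25 13:01:34 efaserv MailScanner[9710]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jan 25 13:01:34 efaserv MailScanner[9710]: Virus Scanning: No virus scanners worked, so message batch was abandoned and retried!
"""

SAMPLE_CLAMD_START = """\
Starting Clam AntiVirus Daemon: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.
LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them
"""

RETRY_RE = re.compile(r'No virus scanners worked, so message batch was abandoned and retried')
CLAMD_DOWN_RE = re.compile(r'Clamd::ERROR:: COULD NOT CONNECT TO CLAMD')
MSGID_RE = re.compile(r'MailWatch: Logging message (\S+) to SQL')
YARA_ERR_RE = re.compile(r'yyerror\(\): (\S+) line (\d+) undefined identifier "(\w+)"')
YARA_SUM_RE = re.compile(r'failed to parse or load (\d+) yara rules from file (\S+), successfully loaded (\d+) rules')
DUP_DB_RE = re.compile(r'Detected duplicate databases (\S+) and (\S+),')


def analyse_maillog(text):
    """Count scanner-failure retries and clamd connection errors in a maillog excerpt.

    'scanner_retry_loop' flags the pattern in the post: clamd unreachable, so every
    batch is abandoned and retried, and the same message keeps coming round.
    """
    retries = clamd_down = 0
    ids = Counter()
    for line in text.splitlines():
        if RETRY_RE.search(line):
            retries += 1
        if CLAMD_DOWN_RE.search(line):
            clamd_down += 1
        m = MSGID_RE.search(line)
        if m:
            ids[m.group(1)] += 1
    return {"retries": retries, "clamd_errors": clamd_down, "messages": dict(ids),
            "scanner_retry_loop": retries > 1 and clamd_down > 0}


def analyse_clamd_start(text):
    """Extract which YARA rules clamd refused and why, plus duplicate-database warnings."""
    lines = text.splitlines()
    bad_lines = [(m.group(1), int(m.group(2)), m.group(3))
                 for m in map(YARA_ERR_RE.search, lines) if m]
    summary = YARA_SUM_RE.search(text)
    return {
        "bad_lines": bad_lines,
        "unsupported_identifiers": dict(Counter(ident for _, _, ident in bad_lines)),
        "failed": int(summary.group(1)) if summary else 0,
        "loaded": int(summary.group(3)) if summary else 0,
        "duplicate_databases": [(m.group(1), m.group(2)) for m in map(DUP_DB_RE.search, lines) if m],
    }


if __name__ == '__main__':
    print(analyse_maillog(SAMPLE_MAILLOG))
    print(analyse_clamd_start(SAMPLE_CLAMD_START))
```

Running it on the appliance's real /var/log/maillog gives a retry count per message ID rather than a wall of identical lines, and the bad_lines list says exactly which rule file and line numbers to look at before deciding whether to disable that rule set.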
Re: What happened after I released an email?
Besides the post you already found, there are several posts on this topic viewtopic.php?t=2928
Did you notice there is a brand new efa4 being tested at the moment? It doesn't make sense to me installing efa 3 (fresh hyperv install) where it's EOL.
Quoting "I'm wondering what's the deal? What are yara rules, why are they broken on a fresh hyperv install, and what are the drawbacks of disabling them?": you could take some time to find answers on these questions yourself, as there are some basic rules on how to use a forum to prevent duplicate questions on topics already solved. viewtopic.php?f=5&t=2974
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Re: What happened after I released an email?
efa4 is still in testing, right? Not a great idea to put something that's not final into production. Any idea when it's coming out?
And I did search for yara but nothing comprehensive came up
Re: What happened after I released an email?
The testing status viewtopic.php?f=19&t=3306
See the 4.x Testing section for more news.
A few current known issues. The new release version is just around the corner.
Quoting "And I did search for yara but nothing comprehensive came up": how did you search for yara?
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams