What happened after I released an email?

General eFa discussion
Post Reply
iglooo
Posts: 32
Joined: 25 Jan 2019 19:52

What happened after I released an email?

Post by iglooo »

I've just finished setting up efa in hyperv to work with our exchange 2013 server and ran into something a little odd..

The automated system emails from root@mydomain got flagged by exchange sender ID filter (before I disabled it) so I tried releasing one of them, and what followed was a flood of that email sent from my email to my email, which never even made it to exchange.

There were about a 100 of those emails before I deleted the offending message from postfix queue. What happened? And is there a way to clean up the recent messages page?

Thanks.
Attachments
Capture.PNG
Capture.PNG (79.94 KiB) Viewed 5998 times
iglooo
Posts: 32
Joined: 25 Jan 2019 19:52

Re: What happened after I released an email?

Post by iglooo »

Anyone? It's really bugging me and I can't figure out
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: What happened after I released an email?

Post by henk »

Looks strange, I never had to release whitelisted mail..

I do not use exchange / exchange sender ID filter. I seems the message was blocked, so look in the /var/log/maillog.

My 2cents
As root is not the best user to receive mail ;)
1.

Code: Select all

etc/aliases
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
..
...
# Person who should get root's mail
#root: marc, henk or someone who cares
root: <<valid adminuser>>@<<your domain.XX>>

remember to exec:

Code: Select all

newaliases
2. In the Gui -> Black and white Lists
-> whitelist these users ( should match the alias user en domain)

You can add-whitelist- postmaster@ < YourDomain> and root@efa-FQDN also. Check the from-address in the messages.

3.

Code: Select all

/etc/EFA-Config
Should contain this entry:
POSTMASTEREMAIL:<valid adminuser>>@<<your domain.XX>>

4.

Code: Select all

/var/www/html/mailscanner/conf.php
// This is required if you use a remote SMTP server to send MailWatch emails (reports etc).
define('MAILWATCH_SMTP_HOSTNAME', gethostname());
// Change with a fully qualified email address
define('MAILWATCH_FROM_ADDR', '<valid adminuser>>@<<your domain.XX>>');
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
iglooo
Posts: 32
Joined: 25 Jan 2019 19:52

Re: What happened after I released an email?

Post by iglooo »

henk wrote: 29 Jan 2019 21:37 Looks strange, I never had to release whitelisted mail..
...
Hey Henk! Appreciate your reply. I didn't NEED to release white listed mail, I just tried it because the initial email got blocked by exchange and I wanted to resend it. Any idea why it wouldn't resend it but instead create a flood of those messages which never even reached exchange? (pic. attached)

Maillog doesn't contain anything with my email address or even root@efa. Aliases, EFA-Config and mailscanner/conf.php all include my personal email address and otherwise look good.

My only whitelist is this:

From: To:
127.0.0.1 default

Is this something I should change?

Thanks for your help!
Attachments
Capture.PNG
Capture.PNG (132.14 KiB) Viewed 5953 times
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: What happened after I released an email?

Post by henk »

which never even reached exchange
As exchange sender ID filter is about to block mail, and there is a regular patern about 5 secs. Are you sure efa is generating these messages?
Can you show the details from one message?
Or can you have a look at your exchange server to see what is blocked or whatever?

exchange will not accept the same message twice. viewtopic.php?p=4308
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
iglooo
Posts: 32
Joined: 25 Jan 2019 19:52

Re: What happened after I released an email?

Post by iglooo »

Henk, here's a screenshot of the message:

It's the same thing over and over again, as you can see by the long scroll bar

Thanks for all your help!
Attachments
Untitled.png
Untitled.png (132.93 KiB) Viewed 5934 times
User avatar
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: What happened after I released an email?

Post by shawniverson »

It appears to be sending and receiving 127.0.0.1, which is causing an endless loop :o

For some reason postfix is favoring your appliance over the final destination and delivering to itself.

Do you have a transport/relayhost defined for your domain and is it a hostname or ip?

If it is a hostname does the hostname resolve to the ip of your final destination?
iglooo
Posts: 32
Joined: 25 Jan 2019 19:52

Re: What happened after I released an email?

Post by iglooo »

Appreciate you chiming in Shawn! That makes sense. I've uploaded my transport settings and I don't have an outbound relay (is that what you're talking about?) set-up.

Should I be adding localhost to transport settings too?
Attachments
transport.PNG
transport.PNG (24 KiB) Viewed 5895 times
iglooo
Posts: 32
Joined: 25 Jan 2019 19:52

Re: What happened after I released an email?

Post by iglooo »

So I checked maillog again and somehow I missed this but there's countless log entries pertaining to the message loop:

Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: Found 1 viruses
Jan 25 13:01:29 efaserv MailScanner[9710]: Spam Checks: Starting
Jan 25 13:01:29 efaserv MailScanner[9710]: Deleted 1 messages from processing-database
Jan 25 13:01:29 efaserv MailScanner[9710]: MailWatch: Logging message 252FC100061.A0789 to SQL
Jan 25 13:01:29 efaserv MailScanner[9710]: New Batch: Scanning 1 messages, 958 bytes
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus and Content Scanning: Starting
Jan 25 13:01:29 efaserv MailScanner[9710]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: Clamd found 1 infections
Jan 25 13:01:29 efaserv MailScanner[9710]: Virus Scanning: No virus scanners worked, so message batch was abandoned and retried!

There's a few posts on this forum about the same issue (I found a fix which I've yet to implement viewtopic.php?t=3128 ) and I'm wondering what's the deal? What are yara rules, why are they broken on a fresh hyperv install, and what are the drawbacks of disabling them?

Thanks community!

Edit: And if I try to restart clamd, this is what I get:

Starting Clam AntiVirus Daemon: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.
LibClamAV Warning: Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: What happened after I released an email?

Post by henk »

Besides the post you already found, there are several posts on this topic viewtopic.php?t=2928
I'm wondering what's the deal? What are yara rules, why are they broken on a fresh hyperv install, and what are the drawbacks of disabling them?
You could take some time to find answers on these questions yourself as there are some basic rules how to use a forum to prevent duplicate questions on topics aleady solved. viewtopic.php?f=5&t=2974

Did you notice there is a brand new efa4 being tested at the moment? It doesn't make sense to me installing efa 3 (fresh hyperv install) where it's EOL. :drool:
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
iglooo
Posts: 32
Joined: 25 Jan 2019 19:52

Re: What happened after I released an email?

Post by iglooo »

efa4 is still in testing right? Not a great idea to put something that's not final into production. Any idea when it's coming out?

And I did search for yara but nothing comprehensive came up
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: What happened after I released an email?

Post by henk »

The testing status viewtopic.php?f=19&t=3306

See the 4.x Testing section for more news.

A few Current known issues. The new release version is just around the corner.
And I did search for yara but nothing comprehensive came up
how did you search for yara ?
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Post Reply