Michael Hall wrote:
> On Tue, Jul 26, 2005 at 10:53:32AM -0400, Joel Nimety wrote:
>
>
>>Hello -- I've just upgraded to amavis-2.3.2. I'm using LDAP lookups for
>>per domain/user maps. I have a user who has BypassBannedChecks=TRUE set
>>in LDAP yet he still is having attachments blocked. I've turned up
>>logging for myself using $debug_sender_acl and I've sent the user an
>>.exe file. Here's the log. Notice that amavis successfully looks up
>>BypassBannedChecks=TRUE but still performs the banned blocking. Is this
>>a bug? Please let me know if more information is required. Thanks.
>
>
> The logs below are incomplete, I don't see anything like:
>
> Jul 2 12:15:18 ukiah amavis[10649]: (10649-01) Checking for banned types and filenames
> Jul 2 12:15:18 ukiah amavis[10649]: (10649-01) lookup_ldap_attr(amavisbypassbannedchecks) "[EMAIL PROTECTED]" result=(1)
> ...

Here are the complete logs, using grep 32392-04 /var/log/maillog.1. I
still don't see lookup_ldap_attr(amavisbypassbannedchecks)... Does this
have something to do with the MYUSERS policy bank not being defined?

[EMAIL PROTECTED] amavisd-new-2.2.0]# grep 32392-04 /var/log/maillog.1
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) DEBUG_ONESHOT: TURNED ON
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) LMTP< MAIL
FROM:<[EMAIL PROTECTED]> SIZE=1685477\r\n
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) LMTP> 250 2.1.0 Sender
[EMAIL PROTECTED] OK
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) idle_proc, 6: was busy,
3.2 ms, total idle 54.198 s, busy 47.448 s
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) idle_proc, 5: was idle,
0.3 ms, total idle 54.198 s, busy 47.448 s
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) prolong_timer after
reading SMTP command: remaining time = 300 s
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) LMTP< RCPT
TO:<[EMAIL PROTECTED]>\r\n
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) query_keys:
[EMAIL PROTECTED], rcpt@, rcptpdomain.com, .rcptpdomain.com, .com, .
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04)
lookup_hash([EMAIL PROTECTED]), no matches
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup (local_domains)
=> undef, "[EMAIL PROTECTED]" does not match
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) query_keys:
[EMAIL PROTECTED], @rcptpdomain.com, @.rcptpdomain.com, @.com, @.
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap
"[EMAIL PROTECTED]", query keys: "[EMAIL PROTECTED]",
"@rcptpdomain.com", "@.rcptpdomain.com", "@.com", "@.", base: o=na,
filter: (&(objectclass=amavisaccount)(cybalternatedomain=%m))
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) ldap begin_work
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: searching
base="o=na", scope="sub",
filter="(&(objectclass=amavisaccount)(|([EMAIL PROTECTED])([EMAIL
PROTECTED])([EMAIL PROTECTED])([EMAIL PROTECTED])([EMAIL PROTECTED])))"
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisviruslover" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisspamlover" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbannedfileslover" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbadheaderlover" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbypassviruschecks" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbypassspamchecks" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbypassbannedchecks" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbypassheaderchecks" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisspamtaglevel" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisspamtag2level" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisspamkilllevel" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisspammodifiessubj" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisvirusquarantineto" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisspamquarantineto" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbannedquarantineto" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbadheaderquarantineto" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisblacklistsender" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amaviswhitelistsender" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavislocal" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavismessagesizelimit" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amaviswarnvirusrecip" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amaviswarnbannedrecip" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amaviswarnbadheaderrecip" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisvirusadmin" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisnewvirusadmin" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisspamadmin" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbannedadmin" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbadheaderadmin" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "amavisbannedrulenames" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup_ldap: reading
attribute "cybalternatedomain" from object
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04)
lookup_ldap([EMAIL PROTECTED]) matches,
result=(cybalternatedomain=>"@rcptpdomain.com",
amavisbypassbannedchecks=>"TRUE", amavisbypassspamchecks=>"TRUE",
amavisspamlover=>"TRUE", amavisbypassviruschecks=>"TRUE")
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04)
lookup_ldap_attr(amavismessagesizelimit), no attribute,
"[EMAIL PROTECTED]" result=undef
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup
(message_size_limit) => undef, "[EMAIL PROTECTED]" does not match
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) LMTP> 250 2.1.5
Recipient [EMAIL PROTECTED] OK
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) idle_proc, 6: was busy,
23.7 ms, total idle 54.198 s, busy 47.472 s
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) idle_proc, 5: was idle,
0.3 ms, total idle 54.198 s, busy 47.472 s
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) prolong_timer after
reading SMTP command: remaining time = 300 s
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) LMTP< DATA\r\n
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) prolong_timer after
DATA received - timer reset: remaining time = 300 s
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) LMTP::10026
/var/amavis/tmp/amavis-20050726T102756-32392: <[EMAIL PROTECTED]>
-> <[EMAIL PROTECTED]> Received: SIZE=1685477 from
mail06.perimeterco.com ([127.0.0.1]) by localhost
(mail06.perimeterco.com [127.0.0.1]) (amavisd-new, port 10026) with LMTP
id 32392-04 for <[EMAIL PROTECTED]>; Tue, 26 Jul 2005 10:29:38 -0400
(EDT)
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) LMTP> 354 End data with
<CR><LF>.<CR><LF>
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) LMTP< .\r\n
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) body hash:
ec85091d8ab8639faa9ce2e620569132
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) Original mail size:
1685477; quota set to: 314572800 bytes
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) Checking: EPI2-DPhWQFz
CF/MYNETS [63.76.208.2] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04)
lookup_ldap_attr(amavisbypassviruschecks) "[EMAIL PROTECTED]" result=(1)
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) lookup
(bypass_virus_checks) => true, "[EMAIL PROTECTED]" matches,
result="1", matching_key="/cached/"
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) Extracting mime components
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04) Issued a new file name:
p001
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Issued a new file name:
p002
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) mime_decode_preamble: 1
lines
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Issued a new pseudo
part: p003
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) p003 1 Content-Type:
multipart/mixed
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Charging 62 bytes to
remaining quota 314572800 (out of 314572800, (0%)) - by mime_decode
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) p001 1/1 Content-Type:
text/plain, size: 62 B, name:
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) reparenting p001 from
p000 to p003
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Charging 1229056 bytes
to remaining quota 314572738 (out of 314572800, (0%)) - by mime_decode
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) p002 1/2 Content-Type:
application/x-ms-dos-executable, size: 1229056 B, name: dcom98.exe
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) reparenting p002 from
p000 to p003
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
mime_decode-1: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) decode_parts: level=1,
#parts=3 : p001, p002, p003
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) run_command: [893]
/usr/local/bin/file p001 p002 </dev/null 2>&1
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) result line from
file(1): p001: ASCII text
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup_re("ASCII text")
matches key "(?i-xsm:^(ASCII|text)\b)", result="asc"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup
(map_full_type_to_short_type) => true, "ASCII text" matches,
result="asc", matching_key="(?i-xsm:^(ASCII|text)\\b)"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) File-type of p001:
ASCII text; (asc)
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) result line from
file(1): p002: MS Windows PE 32-bit Intel 80386 GUI executable not
relocatable
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup_re("MS Windows
PE 32-bit Intel 80386 GUI executable not relocatable") matches key
"(?-xism:^MS Windows\b.*\bexecutable\b)", result=["exe","exe-ms"]
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup
(map_full_type_to_short_type) => true, "MS Windows PE 32-bit Intel
80386 GUI executable not relocatable" matches, result=["exe","exe-ms"],
matching_key="(?-xism:^MS Windows\\b.*\\bexecutable\\b)"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) File-type of p002: MS
Windows PE 32-bit Intel 80386 GUI executable not relocatable; (exe, exe-ms)
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) do_ascii: Decoding part
p001
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) do_ascii: Decoding part
p001 (0 items), uulib V0.5pl20
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) decompose_part: p001 -
atomic
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Check whether p002 is a
self-extracting archive
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Unzipping p002
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) do_unzip: not a zip:
AZ_FORMAT_ERROR (3)
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Attempting to expand
RAR archive p002
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Expanding RAR archive p002
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) run_command: [898]
/usr/bin/unrar v -c- -p- -av- -idp --
/var/amavis/tmp/amavis-20050726T102756-32392/parts/p002 </dev/null 2>&1
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) do_unrar:
/var/amavis/tmp/amavis-20050726T102756-32392/parts/p002 is not RAR archive\n
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Attempting to expand
LHA archive p002
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) run_command: [900]
/usr/bin/lha lq
/var/amavis/tmp/amavis-20050726T102756-32392/parts/p002.exe </dev/null 2>&1
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Expanding LHA archive
p002.exe
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) run_command: [901]
/usr/bin/lha lq
/var/amavis/tmp/amavis-20050726T102756-32392/parts/p002.exe </dev/null
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) do_lha: skip: [unknown]
16776960 0.0% Nov 30 1979
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) do_lha: no archive
members, or not an archive at all
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) decompose_part: p002 -
source retained
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
parts_decode: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_ldap_attr(amavisbypassheaderchecks), no attribute,
"[EMAIL PROTECTED]" result=undef
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) query_keys:
[EMAIL PROTECTED], rcpt@, rcptpdomain.com, .rcptpdomain.com, .com, .
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_hash([EMAIL PROTECTED]), no matches
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup
(bypass_header_checks) => undef, "[EMAIL PROTECTED]" does not match
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) check_header: OK
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Checking for banned
types and filenames
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup: (scalar)
matches, result="1"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup => true,
"[EMAIL PROTECTED]" matches, result="1", matching_key="(constant:1)"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) starting banned checks
- traversing message structure tree
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) check_for_banned
(p003,p001) multipart/mixed | text/plain,.asc
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_re("P=p003\tL=1\tM=multipart/mixed\nP=p001\tL=1/1\tM=text/plain\tT=asc"),
no matches
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup
(banned_namepath_re) => undef,
"P=p003\tL=1\tM=multipart/mixed\nP=p001\tL=1/1\tM=text/plain\tT=asc"
does not match
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) p.path
[EMAIL PROTECTED]: "P=p003,L=1,M=multipart/mixed |
P=p001,L=1/1,M=text/plain,T=asc"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) check_for_banned
(p003,p002) multipart/mixed |
application/x-ms-dos-executable,.exe,.exe-ms,dcom98.exe
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_re("P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/x-ms-dos-executable\tT=exe\tT=exe-ms\tN=dcom98.exe")
matches key "(?mix-s:(?# BLOCK COMMON NAME EXENSIONS )\n ^ (.*\t)?
N= [^\t\n]* .
(pif|exe|cpl|swf|vbs|bat|cmd|com|dll|hta|js|jse|lnk|msi|ocx|reg|shs|vb|vbe|wsf|scr)
(\t.*)? $)", result="1"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup
(banned_namepath_re) => true,
"P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/x-ms-dos-executable\tT=exe\tT=exe-ms\tN=dcom98.exe"
matches, result="1", matching_key="(?mix-s:(?# BLOCK COMMON NAME
EXENSIONS )\n ^ (.*\\t)? N= [^\\t\\n]* \\.
(pif|exe|cpl|swf|vbs|bat|cmd|com|dll|hta|js|jse|lnk|msi|ocx|reg|shs|vb|vbe|wsf|scr)
(\\t.*)? $)"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) p.path BANNED:1
[EMAIL PROTECTED]: "P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/x-ms-dos-executable,T=exe,T=exe-ms,N=dcom98.exe",
matching_key="(?mix-s:(?# BLOCK COMMON NAME EXENSIONS )\n ^ (.*\t)?
N= [^\t\n]* \\.
(pif|exe|cpl|swf|vbs|bat|cmd|com|dll|hta|js|jse|lnk|msi|ocx|reg|shs|vb|vbe|wsf|scr)
(\t.*)? $)"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) banned check: any=1,
all=Y (1)
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) bypassing of virus
checks requested
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) banned contents,
skipping spam_scan
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_ldap_attr(amavisbannedfileslover), no attribute,
"[EMAIL PROTECTED]" result=undef
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) query_keys:
[EMAIL PROTECTED], rcpt@, rcptpdomain.com, .rcptpdomain.com, .com, .
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_hash([EMAIL PROTECTED]), no matches
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup
(banned_files_lovers) => undef, "[EMAIL PROTECTED]" does not match
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) do_virus: looking for
per-recipient quarantine and admins
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_ldap_attr(amavisbannedquarantineto), no attribute,
"[EMAIL PROTECTED]" result=undef
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup
(banned_quarantine_to) => undef, "[EMAIL PROTECTED]" does not match
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_ldap_attr(amavisbannedadmin), no attribute,
"[EMAIL PROTECTED]" result=undef
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_acl([EMAIL PROTECTED]), no match
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup (banned_admin)
=> undef, "[EMAIL PROTECTED]" does not match
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Skip admin
notification, no administrators
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_ldap_attr(amavislocal), no attribute, "[EMAIL PROTECTED]" result=1
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup (local_domains)
=> true, "[EMAIL PROTECTED]" matches, result="1",
matching_key="/cached/"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
lookup_ldap_attr(amaviswarnbannedrecip), no attribute,
"[EMAIL PROTECTED]" result=undef
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup: (scalar)
matches, result="1"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup
(warnbannedrecip) => true, "[EMAIL PROTECTED]" matches, result="1",
matching_key="(constant:1)"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) string_to_mime_entity
Date: Tue, 26 Jul 2005 10:29:38 -0400 (EDT)
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) string_to_mime_entity
From: Perimeter Virus Defense <[EMAIL PROTECTED]>
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) string_to_mime_entity
Subject: Virus or Banned Attachment Blocked
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) string_to_mime_entity
To: <[EMAIL PROTECTED]>
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) string_to_mime_entity
Message-ID: <[EMAIL PROTECTED]>
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) (about to connect to
[127.0.0.1]:10225) SEND via SMTP: <[EMAIL PROTECTED]> ->
<[EMAIL PROTECTED]>
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Remote host presents
itself as: mail06.perimeterco.com
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-connect: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) AUTH not needed,
user='', MTA offers 'PLAIN LOGIN'
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-mail-from: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) response to RCPT TO for
<[EMAIL PROTECTED]>: "250 Ok"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-rcpt-to: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) response to DATA: "354
End data with <CR><LF>.<CR><LF>"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-data: remaining time = 300 s
Jul 26 10:29:39 mail06 postfix/cleanup[785]: 83BFC3A84A3:
message-id=<[EMAIL PROTECTED]>
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-data-end: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) response to data end:
"250 Ok: queued as 83BFC3A84A3"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-rundown-1: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) SEND via SMTP:
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, 250 2.6.0 Ok,
id=32392-04, from MTA([127.0.0.1]:10225): 250 Ok: queued as 83BFC3A84A3
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) one_response_for_all
<[EMAIL PROTECTED]>: success, r=0,b=0,d=0, dsn_needed=0, '250
2.6.0 Ok, id=32392-04, from MTA([127.0.0.1]:10225): 250 Ok: queued as
83BFC3A84A3'
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) DO_VIRUS - DONE
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
checking_sender_ip: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) one_response_for_all
<[EMAIL PROTECTED]>: mixed, r=0,b=1,d=0, dsn_needed=1, '250 2.5.0
Ok, id=32392-04, BOUNCE'
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) warnsender_with_pass=
(,1,,), dsn_needed=1, cnt=, exit=0, 250 2.5.0 Ok, id=32392-04, BOUNCE
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) notification chosen:
OutDsnBannedMsgs, SCALAR(0x86285a4)
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) string_to_mime_entity
From: Perimeter Virus Defense <[EMAIL PROTECTED]>
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) string_to_mime_entity
Subject: Virus or Banned Attachment Blocked
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) string_to_mime_entity
Message-ID: <[EMAIL PROTECTED]>
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) (about to connect to
[127.0.0.1]:10225) SEND via SMTP: <> -> <[EMAIL PROTECTED]>
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Remote host presents
itself as: mail06.perimeterco.com
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-connect: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) AUTH not needed,
user='', MTA offers 'PLAIN LOGIN'
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-mail-from: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) response to RCPT TO for
<[EMAIL PROTECTED]>: "250 Ok"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-rcpt-to: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) response to DATA: "354
End data with <CR><LF>.<CR><LF>"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-data: remaining time = 300 s
Jul 26 10:29:39 mail06 postfix/cleanup[774]: AE64A3A84AF:
message-id=<[EMAIL PROTECTED]>
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-data-end: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) response to data end:
"250 Ok: queued as AE64A3A84AF"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
fwd-rundown-1: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) SEND via SMTP: <> ->
<[EMAIL PROTECTED]>, 250 2.6.0 Ok, id=32392-04, from
MTA([127.0.0.1]:10225): 250 Ok: queued as AE64A3A84AF
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) one_response_for_all
<>: success, r=0,b=0,d=0, dsn_needed=0, '250 2.6.0 Ok, id=32392-04, from
MTA([127.0.0.1]:10225): 250 Ok: queued as AE64A3A84AF'
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) prolong_timer after
delivery-notification: remaining time = 300 s
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup_ip_acl
(mynetworks): key="63.76.208.2" matches "63.76.208.0/24", result=1
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: from =
[10.45.0.11] (unknown [63.76.208.2])\t/[10.45.0.11]/unknown/63.76.208.2
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: by =
mail06.perimeterco.com /mail06.perimeterco.com//
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: with =
ESMTP /ESMTP //
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: id =
C75993A8246\t/C75993A8246\t//
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: for =
<[EMAIL PROTECTED]>/<[EMAIL PROTECTED]>//
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: ; =
Tue, 26 Jul 2005 10:29:34 -0400 (EDT)/Tue, 26 Jul 2005 10:29:34 -0400
(EDT)//
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
fish_out_ip_from_received: 63.76.208.2, [10.45.0.11] (unknown
[63.76.208.2])\t
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup_ip_acl:
key="63.76.208.2" matches "[::FFFF:0:0]/96", result=1
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) best_try_originator_ip:
63.76.208.2
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: from =
[10.45.0.11] (unknown [63.76.208.2])\t/[10.45.0.11]/unknown/63.76.208.2
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: by =
mail06.perimeterco.com /mail06.perimeterco.com//
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: with =
ESMTP /ESMTP //
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: id =
C75993A8246\t/C75993A8246\t//
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: for =
<[EMAIL PROTECTED]>/<[EMAIL PROTECTED]>//
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) parse_received: ; =
Tue, 26 Jul 2005 10:29:34 -0400 (EDT)/Tue, 26 Jul 2005 10:29:34 -0400
(EDT)//
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04)
fish_out_ip_from_received: 63.76.208.2, [10.45.0.11] (unknown
[63.76.208.2])\t
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup_ip_acl:
key="63.76.208.2" matches "[::FFFF:0:0]/96", result=1
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) best_try_originator_ip:
63.76.208.2
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Blocked BANNED
(P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/x-ms-dos-executable,T=exe,T=exe-ms,N=dcom98.exe),
CF/MYNETS LOCAL [63.76.208.2] [63.76.208.2] <[EMAIL PROTECTED]>
-> <[EMAIL PROTECTED]>, Message-ID:
<[EMAIL PROTECTED]>, mail_id: EPI2-DPhWQFz, Hits: -, 1490 ms
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) updating snmp variables
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) DEBUG_ONESHOT CAUSES
EVIDENCE TO BE PRESERVED
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) sending LMTP response
for <[EMAIL PROTECTED]>: "250 2.5.0 Ok [EMAIL PROTECTED], DSN sent
(550 5.7.1 Message content rejected, id=32392-04 - BANNED:
P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/x-ms-dos-executable,T=exe,T=exe-ms...)"Jul 26
10:29:39 mail06 amavis[32392]: (32392-04) timer stopped after DATA end
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) PRESERVING EVIDENCE in
/var/amavis/tmp/amavis-20050726T102756-32392
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) TIMING [total 1497 ms]
- SMTP LHLO: 4 (0%)0, SMTP pre-MAIL: 1 (0%)0, lookup_ldap: 26 (2%)2,
SMTP pre-DATA-flush: 3 (0%)2, SMTP DATA: 376 (25%)27, body_hash: 28
(2%)29, gen_mail_id: 6 (0%)30, mime_decode: 368 (25%)54, get-file-type2:
43 (3%)57, decompose_part: 2 (0%)57, decompose_part: 139 (9%)67,
parts_decode: 0 (0%)67, update_cache: 42 (3%)70, fwd-connect: 31 (2%)72,
fwd-mail-from: 9 (1%)72, fwd-rcpt-to: 14 (1%)73, write-header: 6 (0%)74,
fwd-data: 8 (1%)74, fwd-data-end: 94 (6%)80, fwd-rundown: 5 (0%)81,
deal_with_mail_size: 2 (0%)81, fwd-connect: 51 (3%)84, fwd-mail-from: 1
(0%)84, fwd-rcpt-to: 9 (1%)85, write-header: 5 (0%)85, fwd-data: 24
(2%)87, fwd-data-end: 100 (7%)93, fwd-rundown: 4 (0%)94, main_log_entry:
88 (6%)100, update_snmp: 3 (0%)100, rundown: 3 (0%)100
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) LMTP> 250 2.5.0 Ok
[EMAIL PROTECTED], DSN sent (550 5.7.1 Message content rejected,
id=32392-04 - BANNED: P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/x-ms-dos-executable,T=exe,T=exe-ms...)
Jul 26 10:29:39 mail06 postfix/lmtp[644]: C75993A8246:
to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1], delay=5,
status=sent (250 2.5.0 Ok [EMAIL PROTECTED], DSN sent (550 5.7.1
Message content rejected, id=32392-04 - BANNED:
P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/x-ms-dos-executable,T=exe,T=exe-ms...))
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) idle_proc, 6: was busy,
1465.6 ms, total idle 54.198 s, busy 48.937 s
Jul 26 10:29:40 mail06 postfix/smtp[852]: 83BFC3A84A3:
to=<[EMAIL PROTECTED]>, relay=10.8.5.1[10.8.5.1], delay=1,
status=sent (250 2.6.0 <[EMAIL PROTECTED]> Queued mail
for delivery)
Jul 26 10:29:41 mail06 amavis[32392]: (32392-04) idle_proc, 5: was idle,
1563.8 ms, total idle 55.762 s, busy 48.937 s
Jul 26 10:29:41 mail06 amavis[32392]: (32392-04) prolong_timer after
reading SMTP command: remaining time = 0 s
Jul 26 10:29:41 mail06 amavis[32392]: (32392-04) LMTP< QUIT\r\n
Jul 26 10:29:41 mail06 amavis[32392]: (32392-04) LMTP> 221 2.0.0
[127.0.0.1] amavisd-new closing transmission channel
Jul 26 10:29:41 mail06 amavis[32392]: (32392-04) DEBUG_ONESHOT: TURNED OFF
[EMAIL PROTECTED] amavisd-new-2.2.0]#
>
> --
>
> Mike Hall,
> System Admin - Rock Island Communications <[EMAIL PROTECTED]>
> System Admin - riverside.org, ssdd.org <[EMAIL PROTECTED]>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> AMaViS-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/
--
Joel Nimety
Perimeter Internetworking Corp.
203.541.3416
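
The symptom discussed in this thread (LDAP returns amavisbypassbannedchecks=>"TRUE", yet no lookup_ldap_attr(amavisbypassbannedchecks) is logged before the banned check and the message ends as Blocked BANNED) can be checked mechanically over a debug log. The following is an added example, not part of the original messages and not amavisd-new code; the function names `unwrap` and `audit_bypass` are hypothetical, and `SAMPLE` is constructed by abridging log lines quoted in this thread.

```python
import re
from collections import defaultdict

# Start of an amavisd syslog record: timestamp, host, amavis[pid]:, (task-id), text.
RECORD = re.compile(
    r'^[A-Z][a-z]{2}\s+\d+\s[\d:]{8}\s\S+\samavis\[\d+\]:\s\((\d+-\d+)\)\s?(.*)$')
# Start of a record from any daemon (e.g. postfix); it terminates an amavis record.
ANY_SYSLOG = re.compile(r'^[A-Z][a-z]{2}\s+\d+\s[\d:]{8}\s\S+\s\S+\[\d+\]:')

# Constructed sample: abridged from the log lines quoted in this thread,
# including the mail-client line wrapping and "> " quote markers.
SAMPLE = r'''
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04)
lookup_ldap([EMAIL PROTECTED]) matches,
result=(cybalternatedomain=>"@rcptpdomain.com",
amavisbypassbannedchecks=>"TRUE", amavisbypassspamchecks=>"TRUE",
amavisspamlover=>"TRUE", amavisbypassviruschecks=>"TRUE")
Jul 26 10:29:38 mail06 amavis[32392]: (32392-04)
lookup_ldap_attr(amavisbypassviruschecks) "[EMAIL PROTECTED]" result=(1)
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Checking for banned
types and filenames
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) lookup => true,
"[EMAIL PROTECTED]" matches, result="1", matching_key="(constant:1)"
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) starting banned checks
- traversing message structure tree
Jul 26 10:29:39 mail06 amavis[32392]: (32392-04) Blocked BANNED
(P=p003,L=1,M=multipart/mixed |
P=p002,L=1/2,M=application/x-ms-dos-executable,T=exe,T=exe-ms,N=dcom98.exe)
Jul 26 10:29:39 mail06 postfix/lmtp[644]: C75993A8246: status=sent
> Jul 2 12:15:18 ukiah amavis[10649]: (10649-01) Checking for banned types and
> fi
> lenames
> Jul 2 12:15:18 ukiah amavis[10649]: (10649-01)
> lookup_ldap_attr(amavisbypassban
> nedchecks) "[EMAIL PROTECTED]" result=(1)
'''


def unwrap(text):
    """Re-join records that a mail client wrapped; yield (task_id, message)."""
    current = None
    for raw in text.splitlines():
        line = raw.lstrip('> ').rstrip()      # drop quote markers and padding
        m = RECORD.match(line)
        if m or ANY_SYSLOG.match(line):       # a new record closes the previous one
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2)] if m else None
        elif current and line:                # continuation of a wrapped record
            current[1] += ' ' + line
    if current:
        yield tuple(current)


def audit_bypass(text, attr='amavisbypassbannedchecks'):
    """Return {task_id: verdict} describing how the bypass attribute was used."""
    tasks = defaultdict(lambda: dict(ldap_true=False, consulted=False,
                                     banned_check=False, blocked=False))
    for task, msg in unwrap(text):
        # Wrapping can split a record mid-word, so match on whitespace-free text.
        c = re.sub(r'\s+', '', msg)
        t = tasks[task]
        if c.startswith('lookup_ldap(') and f'{attr}=>"TRUE"' in c:
            t['ldap_true'] = True             # directory says: bypass
        elif c.startswith(f'lookup_ldap_attr({attr})'):
            t['consulted'] = True             # amavisd actually read the attribute
        elif c.startswith('Checkingforbannedtypesandfilenames'):
            t['banned_check'] = True
        elif c.startswith('BlockedBANNED'):
            t['blocked'] = True
    verdicts = {}
    for task, t in tasks.items():
        if t['consulted']:
            verdicts[task] = 'bypass-consulted'
        elif t['ldap_true'] and t['banned_check'] and t['blocked']:
            verdicts[task] = 'bypass-ignored'  # the case reported in this thread
        else:
            verdicts[task] = 'no-bypass-evidence'
    return verdicts


if __name__ == '__main__':
    for task, verdict in audit_bypass(SAMPLE).items():
        print(task, verdict)
```
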