Jeremy,

> > As you have indicated, a likely culprit is the C code for parsing HTML:
> > Razor2-Preproc-deHTMLxs/_deHTMLxs.c, or maybe the glue in deHTMLxs.c .
>
> Just to follow up on this issue (from some time ago), upgrading to the
> latest Razor solved one problem.

Good to know. I hope it's not just a lucky outcome.

> The other problem turned out to be a
> bug in Sophos SAVI in its handling of PDF files.  Sophos put in a fix
> in the March release.  The bug appears to be in allocating memory
> based on a PDF object's meta-data rather than its actual size, leading
> to a classic buffer overrun, with the side-effect of leaving the
> message in the pre-scan postfix queue, as well as leaving a rather
> large temporary file - and eventually filling up the filesystem.  We
> had 4 different emails triggering the problem in a few months, leading
> to a denial-of-service on each occasion.  Improvements in monitoring
> (checking the age of AMaViS temp files) mean that we are now able to
> detect a problem before it starts to affect mail.  Thanks very much
> for your assistance in resolving these problems.

Are we talking about an external av scanner (like sophie, savdi, clamd),
or a linked-in internal scanner like Mail::ClamAV and SAVI-Perl).

In case of the former (external), this shouldn't be happening, as long
as you have at least one still-working av scanner. A crashing external
scanner should not be able to bring down amavisd.

I advise against using a scanner like Mail::ClamAV and SAVI-Perl
running in the context of the same process as amavisd. A bug in such
scanner will crash the amavisd process, resulting in tempfailed
mail messages and a pile-up of leftover temporary files.

> I still don't quite understand why AMaViS can't do something about
> handling a scanner that fails in this way, including not being able to
> report a problem.  Can you explain why?  Is it because AMaViS
> pre-forks its children and the master can no longer detect when they
> die ungracefully?  Is this something that the "nanny" utility can help
> me detect?

A crashing amavisd process is detectable through amavisd-nanny,
or through SNMP monitoring as introduced with amavisd-new-2.6.4
(AMAVIS-MIB.txt) :

procGone OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
      "Number of registered amavisd child processes that were
       abnormally terminated (crashed or killed) since the last
       start of amavisd-snmp-subagent."
    ::= { amavisProc 1 1 }

A crashing process leaves its trace in the nanny.db. The event is
not logged by the child process (which no longer exists and can't log it),
nor by its parent unfortunately, as we have no control over Net::Server
master process.

> Would it perhaps be possible for a child to wrap a fork/exec around
> its call to the scanner, and if the eval() fails, log the failure, or
> preferably send an appropriate SMTP response code?

Yes, that is currently possible for calling SpamAssassin
($sa_spawned=1), but the price is doubling the virtual memory in use,
so it is not particularly popular, except as a temporary measure
while investigating some instability in SpamAssassin.

Similar mechanism is not available for calling integrated AV scanners,
as there are plenty of other effective external scanners available,
so there is no real need for such a workaround - the downsides
just overweight the benefits.

  Mark

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 

Reply via email to