Re: [AMaViS-user] Mysql 5.1 + Partitioning Storage Schema / Cleanup
    ALTER TABLE quarantine PARTITION BY LIST (partition_tag) (
      PARTITION p0 VALUES IN (1,5,9,13,17,21,25,29,33,37,41,45,49),
      PARTITION p1 VALUES IN (2,6,10,14,18,22,26,30,34,38,42,46,50),
      PARTITION p2 VALUES IN (3,7,11,15,19,23,27,31,35,39,43,47,51),
      PARTITION p3 VALUES IN (4,8,12,16,20,24,28,32,36,40,44,48,52));

Not to forget that some years have 53 weeks (1..53).

  Mark

--
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
Please visit http://www.ijs.si/software/amavisd/ regularly
For administrativa requests please send email to rainer at openantivirus dot org

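A check for the 53-week point above, as an added example (not code from the thread or from amavisd): it parses a LIST partition definition and reports which partition_tag values in 1..53 no partition lists, since MySQL rejects an insert whose value is in none of the lists. The statement in the script is constructed, modelled on the layout above, and the function names are hypothetical.

```python
import re

# Constructed input, modelled on the four-partition layout in the message above.
ALTER_SQL = """
ALTER TABLE quarantine PARTITION BY LIST (partition_tag) (
  PARTITION p0 VALUES IN (1,5,9,13,17,21,25,29,33,37,41,45,49),
  PARTITION p1 VALUES IN (2,6,10,14,18,22,26,30,34,38,42,46,50),
  PARTITION p2 VALUES IN (3,7,11,15,19,23,27,31,35,39,43,47,51),
  PARTITION p3 VALUES IN (4,8,12,16,20,24,28,32,36,40,44,48,52));
"""

PART_RE = re.compile(r"PARTITION\s+(\w+)\s+VALUES\s+IN\s*\(([^)]*)\)", re.I)


def parse_partitions(sql):
    """Return {partition_name: [integer list values]} in declaration order."""
    return {name: [int(v) for v in values.split(",") if v.strip()]
            for name, values in PART_RE.findall(sql)}


def coverage_report(sql, lo=1, hi=53):
    """Return (tags in lo..hi that no partition lists, tags listed twice)."""
    owner, duplicated = {}, {}
    for name, values in parse_partitions(sql).items():
        for v in values:
            if v in owner:
                duplicated.setdefault(v, [owner[v]]).append(name)
            else:
                owner[v] = name
    missing = [v for v in range(lo, hi + 1) if v not in owner]
    return missing, duplicated


def round_robin_sql(table, n_parts, lo=1, hi=53):
    """Build a LIST layout that spreads every tag in lo..hi over n_parts."""
    clauses = []
    for p in range(n_parts):
        tags = [str(v) for v in range(lo, hi + 1) if (v - lo) % n_parts == p]
        clauses.append(f"  PARTITION p{p} VALUES IN ({','.join(tags)})")
    return (f"ALTER TABLE {table} PARTITION BY LIST (partition_tag) (\n"
            + ",\n".join(clauses) + ");")


if __name__ == "__main__":
    missing, duplicated = coverage_report(ALTER_SQL)
    print("tags with no partition:", missing)
    print("tags listed twice:", duplicated)
    print(round_robin_sql("quarantine", 4))
```
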
Re: [AMaViS-user] Configuring Sophos with amavisd-new
Ashish,

> I deployed amavisd-new (with Clam-AV and spamassassin) with my postfix installation referring to this: http://wiki.centos.org/HowTos/Amavisd
> Now because of business requirement changes I need to use Sophos instead of Clam-AV with my installed amavisd-new. Can anybody reply with a good 'how to' or reference for this.

Since version amavisd-new-2.7.0(-pre*) it is possible to use a native Sophos protocol SSSP to connect amavisd to their daemon savdid. Just start it with 'savdid -d' and configure it to listen on some socket such as /var/run/savdi/sssp.sock, or an INET socket, then add the following to the @av_scanners list in amavisd.conf and restart amavisd:

    ['Sophos-SSSP',
      \&ask_daemon, ["{}", 'sssp:/var/run/savdi/sssp.sock'],
              # or: ["{}", 'sssp:[127.0.0.1]:4010'],
      qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],

With earlier versions of amavisd the only choice to use a daemonized Sophos scanner is through a Sophie daemon:

    ['Sophie',
      \&ask_daemon, ["{}/\n", 'sophie:/var/run/sophie'],
      qr/(?x)^ 0+ ( : | [\000\r\n]* $)/,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
      qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],

Actually savdid daemon can also emulate a Sophie protocol so it should be usable with amavisd 2.6.4 and earlier, but I never tried this combination.

Make sure amavisd has r/w access to a savdid socket, and that savdid has read access to amavisd work area ($TEMPBASE, typically /var/amavis/tmp). Running both under the same UID makes this easier, but is not a requirement, the same can be accomplished by adding a sophos UID to amavis group.

  Mark

Re: [AMaViS-user] spamassassin per user/email
Stefan,

> I am using Amavisd-new in a virtualUser Setup via LDAP. I would like to call SpamAssassin per user/email. Is there any way to do this or do I need to use SpamAssassin via another solution?

Depends on what you have in mind. As amavisd calls SpamAssassin once per message (not once per recipient), it makes no sense to use per-recipient preferences or rules directly in SpamAssassin (e.g. through its SQL or LDAP or user-prefs mechanisms). So, features like per-recipient rules are not possible.

Still, the more common per-recipient features are available through amavisd lookups (SQL, LDAP or static), such as per-recipient spam thresholds, white/black-listing, tagging, ...

  Mark

Re: [AMaViS-user] severe performance degredation by amavisd 2.6.4 under load
Andy,

> I saw a suggestion from Matt Reimer back in April regarding ditching db41 for db42 to resolve a strange performance issue with Amavisd on FreeBSD 8.
>
> Yeah. That was it. I ditched db41 for db42 and wow what a difference.

Thanks for a thorough investigation and a resolution!

> That box is now doing over 16k messages per hour (was maxing around 6k before), has no problem with 25 max_servers (several of those sit idle so I wonder just how high I could push the messages per hour if I configured the load balancing to send that much of a load to this box) AND this is while I'm doing a make buildworld. Nice.
>
>     InMsgs                   2044     16774/h   100.0 % (InMsgs)
>     TimeElapsedDecoding       412 s   0.196 s/msg (InMsgs)
>     TimeElapsedPenPals         28 s   0.013 s/msg (InMsgs)
>     TimeElapsedReceiving      378 s   0.180 s/msg (InMsgs)
>     TimeElapsedSending        146 s   0.069 s/msg (InMsgs)
>     TimeElapsedSpamCheck     4372 s   2.079 s/msg (InMsgs)
>     TimeElapsedTotal         6815 s   3.241 s/msg (InMsgs)
>     TimeElapsedVirusCheck     690 s   0.328 s/msg (InMsgs)
>
> Matt Reimer you rock. Marc, perhaps this needs to be mentioned in the release notes or something? It definitely solved a huge problem that I've been chasing all day now.

Not sure that it belongs to release notes, but I've added a note to the amavisd web page, near other reasons for staying away from db41 and older.

  Mark

Re: [AMaViS-user] Current p0f rules?
Andy,

> Are the sample rules in the release notes still the preferred p0f ruleset for SA?

Yes, still valid. It's pretty much what I'm using at our site. The IP distance (hop count) rules may need tweaking if your site is close to poorly policed ISPs, but it works well in our academic networks topology. The BOTNET* rules may need replacing an old DKIM_VERIFIED rule with a DKIM_VALID, reflecting the change of a rule name with SpamAssassin 3.3.0.

> Does anybody have any comments or experiences? We're in the process of upgrading amavisd-new, and want to take this opportunity to utilize this additional tool. Every little bit helps in fighting spam.

P0f is quite effective in distinguishing Windows-based botnets from the rest. It is also quite useful with reducing numerous false positives of a Botnet plugin, if using it.

  Mark

Re: [AMaViS-user] UTF8 in fields subject and from_addr in msgs table
Miguel,

> I'm having some trouble reading the fields subject and from_addr from msgs table, they are in latin1 encoding, I need them in UTF8. The only way I'm able to do this is to issue an update to the msgs table preceded by a set names utf8:
>
>     $conn_h->execute("set names utf8");
>     $conn_h->execute($upd_msg2, $from, $subj, $mail_id);
>     $conn_h->execute("set names latin1");
>
> I've tested this code, and works fine with my web gui. $upd_msg2 only updates the 2 fields I want. Is there another way to do this?

Perhaps declaring a character set on these two columns would achieve what you need:

    from_addr  varchar(255) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '',
    subject    varchar(255) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '',

Amavisd does a MIME charset conversion to UTF-8 when storing From and Subject header fields to table msgs, so it should be safe to declare them as utf8 in SQL, i.e. the result should be a valid UTF-8 string, as guaranteed by Perl.

> $upd_msg2 only updates the 2 fields I want. Will this break amavis?

No, amavisd only writes these two fields, and never reads them back.

> Should I create 2 new fields to store the utf8 version of these two fields?

There is probably no need for this.

  Mark

Re: [AMaViS-user] virus_check_*_ttl
>     $virus_check_negative_ttl= 3*60;  # time to cache contents as not infected
>     $virus_check_positive_ttl= 30*60; # time to cache contents as infected
>
> Are these seconds or minutes?
>
> I know. Note the lack of time units. I was going by the time to live in seconds part.

I try to stick to SI units ( http://en.wikipedia.org/wiki/SI ), unless boldly noted otherwise.

> I suppose you could set it to zero and test.
>
> That works by the way.

Yes, 0 TTL effectively disables results caching. It is not an exception, just a zero time interval, which fits nicely into semantics.

> Nuclear option would be to disable caching
>
>     $enable_global_cache = 0;
>
> What does this affect? virus scanning, spam scanning, and ...?
>
> AFAIK only spam/virus scanning results.

Right.

  Mark

Re: [AMaViS-user] getting policy fired on email from SQL
Jernej,

> I was wondering whether there is a way to find out with SQL query from amavis database, which emails were sent through SA and which were not. I know that it depends on the policy, but is there a way to combine policy with msgs table?
>
> I am looking for emails that were sent through spam scanner in amavis (SA), not just amavis. This means that I need to find out which emails were spam scanned and which weren't (by setting bypass_spam in policy). I could analyze logs for this, but it would be way more appropriate using SQL, but I don't know whether this information is actually stored in SQL or not.

This information is currently not stored in msgs or msgrcpt tables. There is a msgs.policy (a policy bank path), but this is not what you are asking for.

If you look in 'sub save_info_final' in a call to $conn_h->execute($ins_rcp, there is a commented-out argument: untaint($r->user_policy_id), which may help your needs. Uncommenting it, along with adding another '?' dummy arg and a field name to %sql_clause 'ins_rcp' may provide that information, but only if bypass_spam setting is coming from an SQL lookup. Other than that, a hack would be required.

  Mark

Re: [AMaViS-user] Amavis sometimes looses e-mails
d h,

> We are using FreeBSD 7, Postfix 2.5.1, Amavis 2.6.1
>
>     May 4 18:11:14 amavis[54714]: (54714-08-2) smtp resp to NOOP (idle 113.5 s): 220 you.got.mail ESMTP Postfix
>     May 4 18:11:14 amavis[54714]: (54714-08-2) Negative SMTP resp. to DATA: 250 2.1.5 Ok
>     May 4 18:11:14 amavis[54714]: (54714-08-2) FWD via SMTP:exter...@mailaddress.com - inter...@mailaddress.com, 250 2.1.0 Ok, id=54714-08-2, from MTA([127.0.0.1]:10025): 250 2.1.0 Ok

Trouble!

Noel Jones writes:
> That looks as if the SMTP conversation has gotten out of sync.

Indeed.

> While that /shouldn't/ lead to data loss, I guess it's possible. Maybe disabling connection caching in both amavisd-new and postfix will help?
>
> I would suggest upgrading your amavisd-new and your postfix to the latest versions, and then examine the configuration carefully to make sure it isn't borked somewhere.

I agree. While I don't think the exactly same problem with 2.6.1 has been reported yet, there was work in fixing some related issues with SMTP session caching in later versions of amavisd, along with hardening code in this area, so switching to 2.6.4 would be strongly recommended.

If that doesn't fix the problem, I'd certainly want to know about it - your last log was exactly what I'd want to see if trouble persists.

  Mark

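A detector for the out-of-sync pattern in the log above, as an added example (not amavisd code and not from the thread): it flags sessions in which the logged reply does not fit the command it is attributed to. It assumes the MTA is Postfix with its stock reply texts; the fourth log line and all names in the script are constructed.

```python
import re
from collections import defaultdict

# The first three lines are the ones quoted in the report above; the last
# one (session 54714-09) is constructed to show a forward that looks healthy.
SAMPLE_LOG = """\
May 4 18:11:14 amavis[54714]: (54714-08-2) smtp resp to NOOP (idle 113.5 s): 220 you.got.mail ESMTP Postfix
May 4 18:11:14 amavis[54714]: (54714-08-2) Negative SMTP resp. to DATA: 250 2.1.5 Ok
May 4 18:11:14 amavis[54714]: (54714-08-2) FWD via SMTP:exter...@mailaddress.com - inter...@mailaddress.com, 250 2.1.0 Ok, id=54714-08-2, from MTA([127.0.0.1]:10025): 250 2.1.0 Ok
May 4 18:12:02 amavis[54714]: (54714-09) FWD via SMTP:a@example.com - b@example.com, 250 2.0.0 Ok, id=54714-09, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0000000000
"""

# Basic reply code each command should receive (RFC 5321).
EXPECTED = {"NOOP": "250", "DATA": "354"}
# Assumption, not stated in the thread: the MTA is Postfix with its stock
# replies, "250 2.1.0 Ok" to MAIL FROM and "250 2.1.5 Ok" to RCPT TO.
BELONGS_TO = {"220": "connection greeting", "2.1.0": "MAIL FROM reply",
              "2.1.5": "RCPT TO reply"}

SESSION = r"\((\d+(?:-\d+)+)\) "
REPLY = r"(\d{3})(?: (\d\.\d+\.\d+))?"
RESP_RE = re.compile(SESSION + r"(?:Negative SMTP resp\.|smtp resp) to (\w+)[^:]*: " + REPLY)
FWD_RE = re.compile(SESSION + r"FWD via SMTP:.*from MTA\([^)]*\): " + REPLY)


def find_desync(log_text):
    """Return {session id: [findings]} for replies that do not fit the step."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = RESP_RE.search(line)
        if m:
            sid, cmd, code, enh = m.groups()
            want = EXPECTED.get(cmd)
            if want and code != want:
                origin = BELONGS_TO.get(enh or code, "unexpected reply")
                findings[sid].append(f"{cmd}: got {code}, want {want} ({origin})")
            continue
        m = FWD_RE.search(line)
        if m and m.group(3) in BELONGS_TO:
            # The reply logged as final acceptance carries the status of an
            # earlier command, so it does not confirm the MTA queued the mail.
            sid, code, enh = m.groups()
            findings[sid].append(f"end of data: got {code} {enh} ({BELONGS_TO[enh]})")
    return dict(findings)


if __name__ == "__main__":
    for sid, problems in find_desync(SAMPLE_LOG).items():
        print(sid, problems)
```
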
Re: [AMaViS-user] forward SPAM for few domains
Lampa,

> is there some way how to setup forwarding mails marked as SPAM for some domains to one user (spam for domains @example.com, @example2.com, @example3.com, ... forward to s...@example.com) ?

If I understand correctly, you'd want to whitelist senders @example.com, @example2.com, @example3.com, but just for a recipient s...@example.com. This can be accomplished with @score_sender_maps :

    @score_sender_maps = ({  # a by-recipient hash lookup table
      's...@example.com' => [{  # a by-sender hash lookup table
        '.example.com'  => -999,
        '.example2.com' => -999,
        '.example3.com' => -999,
      }],
    });

  Mark

Re: [AMaViS-user] ban files only for AM.PDP-SOCK
David,

> I want to block pps file and other file only for policy bank AM.PDP-SOCK
> this the policy bank config
>
>     $policy_bank{'AM.PDP-SOCK'} = {
>       protocol => 'AM.PDP',
>       notify_method => 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}',
>       auth_required_release => 0,
>       bypass_banned_checks_maps => [0],
>       banned_filename_re => new_RE(\qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl|pps|doc)$'i),
>     };
>
> but this is not working, see logs below,

It doesn't work because banned_filename_re is not a member of policy banks and is ignored. You'd need to give a banning policy a name and use @banned_filename_maps, e.g.:

    %banned_rules = (
      'NO-VIDEO' => new_RE(
        qr'^\.movie$',
        qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i,
      ),
      'NO-MOVIES' => new_RE(
        qr'^\.movie$',
        qr'.\.(mpg|avi|mov)$'i,
      ),
      'NO-PPS' => new_RE(\qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl|pps|doc)$'i),
      'DEFAULT' => $banned_filename_re,
    );

    $policy_bank{'AM.PDP-SOCK'} = {
      protocol => 'AM.PDP',
      ...
      banned_filename_maps => ['NO-PPS'],
    };

  Mark

Re: [AMaViS-user] forward SPAM for few domains
2010/5/19 Mark Martinec <mark.martinec+ama...@ijs.si>:
> If I understand correctly, you'd want to whitelist senders @example.com, @example2.com, @example3.com, but just for a recipient s...@example.com. This can be accomplished with @score_sender_maps :
>
>     @score_sender_maps = ({  # a by-recipient hash lookup table
>       's...@example.com' => [{  # a by-sender hash lookup table
>         '.example.com'  => -999,
>         '.example2.com' => -999,
>         '.example3.com' => -999,
>       }],
>     });

No. I want to forward spam for domains @example.com, @example2.com, @example3.com to one user on one of these domains (s...@example.com).

Default rule is quarantine, some users have overridden quarantine using

    @spam_kill_level_maps = (
      {'u...@somedomain.com' => 99.0},
      #'.example.net' => 8.0,
      #'.example.org' => 10.0 },
      \$sa_kill_level_deflt,  # catchall default
    );

Something like

    @virus_admin_maps = ({
      '.example.com' => 'postmas...@example.com',
      '.example.net' => 'postmas...@example.net',
      '.'            => 'postmas...@example.com',
    });

not send virus/banned/spam warning to listed admin for listed domains but forward whole virus/banned/spam message to user, e.g.:

    @spam_user_maps = ({
      'example1.com' => 's...@example1.com',
      'example2.com' => 's...@example1.com',
      'example3.com' => 's...@example1.com',
    });

Explained clearly?

--
Lampa

[AMaViS-user] anyone getting sql-enter FAILED: find_or_save_addr: failed to insert addr
If you DON'T get this, no need to tell me, if we do have a couple people getting this, then we can try to see why.

I am looking for people running latest amavisd, with mysql 5.1.x and getting these errors in your maillogs:

    May 19 16:16:01 mx1 postfix/lmtp[57047]: 51EB9B0D6E9: to=ssny...@domain.com, orig_to=she...@domain.com, relay=127.0.0.1[127.0.0.1]:10024, conn_use=8, delay=7.4, delays=0.71/6.6/0/0.1, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=56659-12-8, sql-enter FAILED: find_or_save_addr: failed to insert addrbounce-use=m=9235490230=echo4=6c598b5b6be991623d80732a3deaf...@returnpath.bluehornet.com: sql exec: err=1062, 23000, DBD::mysql::st execute failed: Duplicate entry '428247251-201020' for key 'PRIMARY' at (eval 100) line 166,GEN278 line 24. at (eval 101) line 109,GEN278 line 24. (in reply to end of DATA command))

with max_servers at 5, sometimes I see 6 different maddr addresses (different addresses) trying to use the same maddr id. (which, can't happen!)

    Duplicate entry '428247251-201020'

if I am the ONLY one getting this, then I'll need to figure out why. my assumptions are it has to do with innodb locks and partitioned tables.

run this and see if you get a hit, (assumes you have rotated logs using gzip)

    zgrep 'sql-enter FAILED: find_or_save_addr: failed to insert addr' /var/log/maillog | tail

If you are getting these, then maybe we can narrow it down.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation

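A way to take the zgrep above one step further, as an added example (not part of the original post and not amavisd code): it groups the err=1062 failures by the duplicated key and keeps the keys that were claimed for more than one address, together with the amavisd child processes involved. The log lines are constructed in the format of the report; it assumes the first number in id= is the child process id, and all names in the script are hypothetical.

```python
import re
from collections import defaultdict

# Constructed maillog lines in the format of the report above. Addresses,
# queue ids and the second key are made up; the first key is the one quoted.
SAMPLE_LOG = """\
May 19 16:16:01 mx1 postfix/lmtp[57047]: AAAA000001: to=<u1@example.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=56659-12-8, sql-enter FAILED: find_or_save_addr: failed to insert addr <bounce-1@list.example.net>: sql exec: err=1062, 23000, DBD::mysql::st execute failed: Duplicate entry '428247251-201020' for key 'PRIMARY' at (eval 100) line 166. (in reply to end of DATA command))
May 19 16:16:01 mx1 postfix/lmtp[57051]: AAAA000002: to=<u2@example.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=56660-03, sql-enter FAILED: find_or_save_addr: failed to insert addr <news@shop.example.org>: sql exec: err=1062, 23000, DBD::mysql::st execute failed: Duplicate entry '428247251-201020' for key 'PRIMARY' at (eval 100) line 166. (in reply to end of DATA command))
May 19 16:16:02 mx1 postfix/lmtp[57047]: AAAA000003: to=<u3@example.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=56659-12-9, sql-enter FAILED: find_or_save_addr: failed to insert addr <alice@example.com>: sql exec: err=1062, 23000, DBD::mysql::st execute failed: Duplicate entry '428247251-201020' for key 'PRIMARY' at (eval 100) line 166. (in reply to end of DATA command))
May 19 16:20:40 mx1 postfix/lmtp[57060]: AAAA000004: to=<u4@example.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=56661-01, sql-enter FAILED: find_or_save_addr: failed to insert addr <bob@example.com>: sql exec: err=1062, 23000, DBD::mysql::st execute failed: Duplicate entry '428247300-201020' for key 'PRIMARY' at (eval 100) line 166. (in reply to end of DATA command))
"""

FAIL_RE = re.compile(
    r"id=(?P<pid>\d+)-[\d-]+, sql-enter FAILED: find_or_save_addr: "
    r"failed to insert addr\s*<?(?P<addr>[^>\s]+?)>?: sql exec: err=1062\b.*?"
    r"Duplicate entry '(?P<key>[^']+)' for key '(?P<index>[^']+)'")


def colliding_keys(log_text):
    """Group err=1062 failures by duplicated key; keep keys hit by >1 address."""
    groups = defaultdict(lambda: {"addresses": set(), "children": set(), "failures": 0})
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        g = groups[m["key"]]
        g["addresses"].add(m["addr"].lower())
        g["children"].add(int(m["pid"]))  # assumption: id=<child pid>-...
        g["failures"] += 1
    return {key: {"addresses": sorted(g["addresses"]),
                  "children": sorted(g["children"]),
                  "failures": g["failures"]}
            for key, g in groups.items() if len(g["addresses"]) > 1}


if __name__ == "__main__":
    for key, info in colliding_keys(SAMPLE_LOG).items():
        print(key, info)
```

A key that shows several addresses and more than one child process is the pattern the post describes; a key with a single address is left out of the result.
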