[Mimedefang] My MD install went wacko

Justin Shore listuser at numbnuts.net
Sun Jun 8 11:24:01 EDT 2003


Howdy.  I was AFK all week and came home to find that Sendmail was temp 
failing all my mail.  A day or two before going AFK I set up the primary 
MX at my ISP to forward a copy of all mail scoring >= 10 in SpamAssassin 
to a spamtrap on my box.  I didn't have the spamtrap auto-reporting.  I 
wanted to verify that all the forwarded mail was in fact spam (since the 
remote MX is running a very old copy of SA).  During the temp failing 
period the remote MX queued up many thousand messages for my spamtrap.  I 
arrived home just as some of them were starting to get bounced with the 
final failure.  A quick restart of MD and Sendmail (one or the other 
wouldn't fix it.  I had to do both) fixed the problem.  The fix was only 
temporary though as it happened again a short time later.  I ultimately 
removed all mail queued up for my spamtrap from the remote queue.

This is a RH 7.3 box running Sendmail 8.12.9, MD 2.34b4, and SA 2.60 from
CVS.  I have SA's local checks enabled and have added numerous DNSBLs to
the mix.  I haven't had any problems with this installation up until now.  
The box handles a fairly low volume of mail.  The only mail it receives is
my personal mail and mailing list mail.  That's around 2000 a day.  With 
the spam being forwarded from the remote host we're probably talking 
under 10,000 total, give or take 5-10k (probably give).  For an SMP box 
with lots of RAM, it's a very low volume of mail.  I'm running F-Prot and 
ClamAV checks on the mail with MD as well.

The problem appears to have started at 07:59 on June 2.  The pertinent log
excerpts from that time period follow:


Jun  2 07:59:34 bubba sm-mta[17864]: h52CxX0T017864: from=<root at oak.MUNGED.net>, size=7402, class=0, nrcpts=1, msgid=<SERVEROE9QyAujLaPEw0000f7e0 at server.tafko.or.kr>, proto=ESMTP, daemon=MTA, relay=oak.MUNGED.net [aa.bb.cc.dd]

Jun  2 07:59:37 bubba mimedefang.pl[13527]: MDLOG,h52CxX0T017864,spam,33.067,aa.bb.cc.dd,<root at oak.MUNGED.net>,<spamhole at numbnuts.net>,***SPAM*** jowen, Best Mortgage Rates

Jun  2 07:59:37 bubba mimedefang[17867]: h52CxX0T017864: Bouncing because filter instructed us to

Jun  2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: Milter (mimedefang): timeout before data read

Jun  2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: Milter (mimedefang): to error state

Jun  2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: Milter: data, reject=451 4.7.1 Please try again later

Jun  2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: to=<spamhole at numbnuts.net>, delay=00:01:04, pri=33850, stat=Please try again later


MD truly goes wacko after that.


Jun  2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter (mimedefang): timeout before data read
Jun  2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter (mimedefang): to error state
Jun  2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter (mimedefang): init failed to open
Jun  2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter (mimedefang): to error state
Jun  2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter: initialization failed, temp failing commands
Jun  2 08:01:01 bubba sm-mta[18049]: h52D010T018049: SMTP MAIL command (<spamhole at bubba.numbnuts.net> SIZE=333) from localhost.localdomain [127.0.0.1] tempfailed (due to previous checks)


To be honest I really have no idea where to start diagnosing this problem.  
I lowered MX_REQUESTS to 50 with the hopes of restarting the MD processes
often enough to eliminate the problem.  That didn't work though.  I've 
seen a number of weird things in the maillog that may or may not be 
pertinent.  The most prevalent was numerous "Unknown command 'u' in 
RESULTS file" errors repeating on the same message (the unknown command 
letter varied each time).  Or where Sendmail would claim a "possible 
attack" on part of the X-Spam-Score lines like this one:

Jun  7 09:20:27 bubba sm-mta[10849]: h57EK8Gq010849: POSSIBLE ATTACK from oak.MUNGED.net: newline in string " \t-------------------- Start SpamAssassin results ---------------------- \tThis message header has ha...68.146 listed in dnsbl.sorbs.net] \t 1.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only "

Occasionally I'd see one of these:

Jun  7 09:17:59 bubba mimedefang[20587]: h57Dx0PG020347: Could not open /var/mail/MIMEDefang/mdefang-h57Dx0PG020347/NEWBODY for reading: No such file or directory

I also just noticed a number of these:

Jun  4 18:17:38 bubba sm-mta[21354]: h54NCc0T021354: Milter (mimedefang): error connecting to filter: Connection timed out with /var/mail/MIMEDefang/mimedefang.sock


I'm at a loss on this one.  I'm not sure what parts of the config are
pertinent.  If anyone wants a larger portion of the maillog or my slightly 
altered mimedefang-filter (nothing major), email me off list.

Please CC any replies to listuser at numbnuts.net.  I may have been
auto-kicked from the list during the temp failing period.

Many thanks 
 Justin
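
Added example, not part of the original post: a small maillog triage script that groups the sm-mta Milter failure messages quoted above by queue ID, separating messages where the filter stopped answering from messages where Sendmail could not reach the filter at all, and reports when the failures began. The sample lines are constructed in the same format, and the script assumes one unwrapped log record per line.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the maillog format quoted in the post; host name,
# PIDs, queue IDs and addresses are made up. One record per line (unwrapped).
SAMPLE = """\
Jun  2 07:59:34 mx sm-mta[100]: h52AAAA000100: from=<a@example.net>, size=7402, nrcpts=1
Jun  2 08:00:37 mx sm-mta[100]: h52AAAA000100: Milter (mimedefang): timeout before data read
Jun  2 08:00:37 mx sm-mta[100]: h52AAAA000100: Milter (mimedefang): to error state
Jun  2 08:00:37 mx sm-mta[100]: h52AAAA000100: Milter: data, reject=451 4.7.1 Please try again later
Jun  2 08:01:01 mx sm-mta[101]: h52BBBB000101: Milter (mimedefang): timeout before data read
Jun  2 08:01:01 mx sm-mta[101]: h52BBBB000101: Milter (mimedefang): init failed to open
Jun  2 08:01:01 mx sm-mta[101]: h52BBBB000101: Milter: initialization failed, temp failing commands
Jun  4 18:17:38 mx sm-mta[102]: h54CCCC000102: Milter (mimedefang): error connecting to filter: Connection timed out with /var/mail/MIMEDefang/mimedefang.sock
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sm-mta\[\d+\]: (\w+): (.*)$")
# Message fragments taken from the log lines in the post, grouped by meaning.
PATTERNS = [
    ("read_timeout", "timeout before data read"),     # no reply from the filter in time
    ("connect_failed", "init failed to open"),        # could not reach the filter
    ("connect_failed", "error connecting to filter"),
    ("tempfail", "reject=451"),                       # what the sending host saw
    ("tempfail", "temp failing commands"),
]

def summarize(lines):
    """Group Milter failures by queue ID; return onset time and counts."""
    per_msg = defaultdict(set)
    onset = None
    for line in lines:
        m = LINE.match(line)
        if not m or "Milter" not in m.group(3):
            continue
        ts, qid, text = m.groups()
        for kind, needle in PATTERNS:
            if needle in text:
                per_msg[qid].add(kind)
                onset = onset or ts  # log is chronological: first hit is onset
    by_kind = Counter(k for kinds in per_msg.values() for k in kinds)
    return {"onset": onset, "messages": len(per_msg), "by_kind": dict(by_kind)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A rising connect_failed count after an initial read_timeout matches the sequence in the post, where the first message timed out and later connections failed at Milter initialization.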



