[Mimedefang] My MD install went wacko
Justin Shore
listuser at numbnuts.net
Sun Jun 8 11:24:01 EDT 2003
Howdy. I was AFK all week and came home to find that Sendmail was temp
failing all my mail. A day or two before going AFK I set up the primary
MX at my ISP to forward a copy of all mail scoring >= 10 in SpamAssassin
to a spamtrap on my box. I didn't have the spamtrap auto-reporting. I
wanted to verify that all the forwarded mail was in fact spam (since the
remote MX is running a very old copy of SA). During the temp failing
period the remote MX queued up many thousand messages for my spamtrap. I
arrived home just as some of them were starting to get bounced with the
final failure. A quick restart of MD and Sendmail (one or the other
wouldn't fix it. I had to do both) fixed the problem. The fix was only
temporary though as it happened again a short time later. I ultimately
removed all mail queued up for my spamtrap from the remote queue.

This is a RH 7.3 box running Sendmail 8.12.9, MD 2.34b4, and SA 2.60 from
CVS. I have SA's local checks enabled and have added numerous DNSBLs to
the mix. I haven't had any problems with this installation up until now.
The box handles a fairly low volume of mail. The only mail it receives is
my personal mail and mailing list mail. That's around 2000 a day. With
the spam being forwarded from the remote host we're probably talking
under 10,000 total, give or take 5-10k (probably give). For an SMP box
with lots of RAM, it's a very low volume of mail. I'm running F-Prot and
ClamAV checks on the mail with MD as well.

The problem appears to have started at 07:59 on June 2. The pertinent log
excerpts from that time period follow:

Jun 2 07:59:34 bubba sm-mta[17864]: h52CxX0T017864: from=<root at oak.MUNGED.net>, size=7402, class=0, nrcpts=1, msgid=<SERVEROE9QyAujLaPEw0000f7e0 at server.tafko.or.kr>, proto=ESMTP, daemon=MTA, relay=oak.MUNGED.net [aa.bb.cc.dd]
Jun 2 07:59:37 bubba mimedefang.pl[13527]: MDLOG,h52CxX0T017864,spam,33.067,aa.bb.cc.dd,<root at oak.MUNGED.net>,<spamhole at numbnuts.net>,***SPAM*** jowen, Best Mortgage Rates
Jun 2 07:59:37 bubba mimedefang[17867]: h52CxX0T017864: Bouncing because filter instructed us to
Jun 2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: Milter (mimedefang): timeout before data read
Jun 2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: Milter (mimedefang): to error state
Jun 2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: Milter: data, reject=451 4.7.1 Please try again later
Jun 2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: to=<spamhole at numbnuts.net>, delay=00:01:04, pri=33850, stat=Please try again later

MD truly goes wacko after that.

Jun 2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter (mimedefang): timeout before data read
Jun 2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter (mimedefang): to error state
Jun 2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter (mimedefang): init failed to open
Jun 2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter (mimedefang): to error state
Jun 2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter: initialization failed, temp failing commands
Jun 2 08:01:01 bubba sm-mta[18049]: h52D010T018049: SMTP MAIL command (<spamhole at bubba.numbnuts.net> SIZE=333) from localhost.localdomain [127.0.0.1] tempfailed (due to previous checks)

To be honest I really have no idea where to start diagnosing this problem.
I lowered MX_REQUESTS to 50 with the hopes of restarting the MD processes
often enough to eliminate the problem. That didn't work though. I've
seen a number of weird things in the maillog that may or may not be
pertinent. The most prevalent was numerous "Unknown command 'u' in
RESULTS file" errors repeating on the same message (the unknown command
letter varied each time). Or where Sendmail would claim a "possible
attack" on part of the X-Spam-Score lines like this one:

Jun 7 09:20:27 bubba sm-mta[10849]: h57EK8Gq010849: POSSIBLE ATTACK from oak.MUNGED.net: newline in string " \t----------
---------- Start SpamAssassin results ---------------------- \tThis message header has ha...68.146 listed in dnsbl.sorbs.net] \t 1.0 FORGED_OUTLOOK_HTML Outlook can't send HTML message only "

Occasionally I'd see one of these:

Jun 7 09:17:59 bubba mimedefang[20587]: h57Dx0PG020347: Could not open /var/mail/MIMEDefang/mdefang-h57Dx0PG020347/NEWBODY for reading: No such file or directory

I also just noticed a number of these:

Jun 4 18:17:38 bubba sm-mta[21354]: h54NCc0T021354: Milter (mimedefang): error connecting to filter: Connection timed out with /var/mail/MIMEDefang/mimedefang.sock

I'm at a loss on this one. I'm not sure what parts of the config are
pertinent. If anyone wants a larger portion of the maillog or my slightly
altered mimedefang-filter (nothing major), email me off list.
Please CC any replies to listuser at numbnuts.net. I may have been
auto-kicked from the list during the temp failing period.
Many thanks
Justin
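
Added example, not part of the original post and not MIMEDefang or Sendmail code: one way to triage a maillog like the one quoted above, grouping sm-mta milter errors by queue ID to separate messages where the filter stalled mid-message from those where it could not be reached at all. The stage labels and function name are this example's own; the sample input is the post's log lines rejoined to one entry per line.

```python
import re
from collections import Counter

# Log lines quoted in the post, rejoined to one syslog entry per line.
SAMPLE_LOG = """\
Jun 2 07:59:37 bubba mimedefang[17867]: h52CxX0T017864: Bouncing because filter instructed us to
Jun 2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: Milter (mimedefang): timeout before data read
Jun 2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: Milter (mimedefang): to error state
Jun 2 08:00:37 bubba sm-mta[17864]: h52CxX0T017864: Milter: data, reject=451 4.7.1 Please try again later
Jun 2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter (mimedefang): timeout before data read
Jun 2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter (mimedefang): init failed to open
Jun 2 08:01:01 bubba sm-mta[18049]: h52D010T018049: Milter: initialization failed, temp failing commands
Jun 4 18:17:38 bubba sm-mta[21354]: h54NCc0T021354: Milter (mimedefang): error connecting to filter: Connection timed out with /var/mail/MIMEDefang/mimedefang.sock
"""

# sm-mta milter entries: timestamp, host, sm-mta[pid], queue ID, message text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssm-mta\[\d+\]:\s(?P<qid>\w+):\s"
    r"Milter(?:\s\([^)]+\))?:\s(?P<msg>.*)$")

# Labels are this example's own; the substrings are the ones seen in the post.
PATTERNS = [
    ("read_timeout", "timeout before data read"),
    ("init_failed", "init failed to open"),
    ("connect_failed", "error connecting to filter"),
    ("tempfail", "reject=451"),
    ("tempfail", "temp failing commands"),
]

def triage(log_text):
    """Return ({queue_id: stage}, {label: first timestamp seen})."""
    per_qid, first_seen = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sm-mta milter entry
        for label, needle in PATTERNS:
            if needle in m["msg"]:
                per_qid.setdefault(m["qid"], Counter())[label] += 1
                first_seen.setdefault(label, m["ts"])
    stages = {}
    for qid, seen in per_qid.items():
        if seen["init_failed"] or seen["connect_failed"]:
            stages[qid] = "unreachable"          # no usable filter connection
        elif seen["read_timeout"]:
            stages[qid] = "stalled_mid_message"  # filter was talking, then went quiet
        else:
            stages[qid] = "tempfail_only"
    return stages, first_seen
```

The earliest "stalled_mid_message" queue ID marks where to start reading the mimedefang side of the log; later "unreachable" entries are the knock-on failures.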