[Mimedefang] Parser: can't flush: No space left on device and big files in /tmp

Bill Cole mdlist-20140424 at billmail.scconsult.com
Wed Oct 28 20:32:12 EDT 2015 

On 28 Oct 2015, at 16:48, Tom Knutson wrote:

> Lately we are seeing this error in the maillog several times a day:
>
> Oct 28 15:10:03 mail mimedefang-multiplexor[37348]: Slave 1 stderr:
> MIME::Parser: can't flush: No space left on device at
> /usr/local/lib/perl5/site_perl/5.8.9/MIME/Parser.pm line 815, <FILE>
> line 2700428.
>
> The /var drive has plenty of room. The /tmp drive is nearly full with
> 5 large files owned by mailnull:
>
> -rw-------  1 mailnull  wheel     167779519 Oct 28 12:39 qhNzfFSRG3
>
> If I delete one of these large files in /tmp, they reappear after a 
> few minutes.

Any Perl module using File::Temp with default parameters (which can 
include MIME::Parser, via MIME::Tools) will create temp files with 
10-character random-alphanumeric names in /tmp  and if the calling 
process is running as mailnull (the default for anything hooked into 
sendmail on FreeBSD) they will be owned by mailnull.


> This started about a week ago on a system that has been running OK for
> quite a while.
>
> FreeBSD 7.1
> Mimedefang 2.64_1
> clamav 0.97.6
> spamassassin 3.3.2
> perl 5.8.9

So you're a fan of 2008? :)

I sincerely hope that machine is well-guarded externally, hardened 
internally, poorly publicized, and carefully watched. Note that beyond 
the obvious issue of security, those versions of clamav and spamassassin 
are substantially disabled by their age.

> I have tried restarting mimedefang.
>
> Are these big files being created by mimedefang?

Probably so, indirectly. MIME::Parser can create files like that and 
will die as you've seen if /tmp fills while it needs to write one. And 
to quote from mimedefang.pl itself:

    use MIME::Parser;


> I didn't think it
> used /tmp by default.

Not directly and implicitly, but indeed it does and so will a lot of 
other common Unix gadgets (e.g. mailx, cron, etc.) so if you have a 
chronic issue of /tmp filling you will have a chronically and diversely 
dysfunctional system.

> Could this problem be caused by cleverly crafted
> spam?

Possibly. Also possible: very large messages or messages that innocently 
catch on one of ~3 dozen bugs fixed in the MIME-Tools suite since the 
last version you are likely to have installed, in such a fashion that it 
goes insane and fills its temp files to the point of filling /tmp.

> Suggestions on how to troubleshoot this would be appreciated.

I'm torn ethically on offering deep "troubleshooting" suggestions 
because I don't think it is in your interest to try to keep that system 
running in its antiquated and intrinsically non-securable state. But 
here are some vague suggestions, with the caveat that I hope you start 
with the last one...

It may be that all you need to do is to configure your MTA to advertise 
a sane maximum mail size limit so people stop trying to mail you CD 
images. Using mail to transport objects >160MB is not sane. But then, 
neither is handling modern Internet mail on a system that hasn't been 
updated in 7 years...

Of course, you could also try slapping an extra GB into /tmp to give 
MIME::Parser room to blow up even worse OR handle the giant messages. 
You could also fiddle with how MD is being launched to put 
TMPDIR=/var/tmp into its environment, which should make these beasts go 
there (and maybe fill /var for you, breaking so much more)

If you're actually receiving messages that are >160MB intentionally, you 
can make them bypass MD content scanning in mimedefang-filter, but I'm 
not actually sure if that works for the basic MIME parsing step.

Adding logging code in mimedefang-filter can help nail down which 
messages are the cause of the giant files filling /tmp.

Ultimately, you should update to a maintainable OS version (i.e. FreeBSD 
9.3 at least) and current versions of all of the other software 
involved.

More information about the MIMEDefang mailing list