Frequently Asked Questions

27th October 2002

This list is now rather out of date. You should read The Most Asked Questions (MAQ).

Contents

  1. My syslog doesn't show anything
  2. Clean (virus-free) messages have no message body
  3. Where can I get help on configuring sendmail
  4. Where can I get help on configuring exim
  5. Is there a mailing list for MailScanner
  6. I'm getting lots of locking messages in my maillog
  7. There seem to be long delays
  8. I get a Bad File Descriptor error when updating Sophos
  9. My test messages are not being scanned
  10. There is a huge delay in message delivery
  11. I am running a very high-volume mailserver
  12. Alternative settings for a high-volume mailserver
  13. What happens when my disk fills up?
  14. I am getting errors about "does not meet configured acceptable stability"
  15. Qmail support
  16. Can I use MailScanner with my Microsoft Windows mail server?
  17. Installing MailScanner on a Cobalt/Sun RAQ system
  18. Updating virus scanner definitions/patterns
  19. Installing SpamAssassin 2.30
  20. Where should I run my RBL test (Real time Blackhole List)?
  21. I want to browse my stored spam in a mail program (e.g. pine)
  22. Why doesn't MailScanner support virus scanning daemons?
  23. My virus scanner (e.g. Sophos) is consuming lots of CPU and scanning very slowly
  24. I am using F-Prot and the F-Prot installation failed
  25. Why can't I get MailScanner to process some SpamAssassin options?
  26. I have a RaQ and cannot install MailScanner version 4
  27. I am trying to use Trend VirusWall

1. My syslog doesn't show anything

On Linux systems you need to add "-r" to the command-line options to syslog. Take a look in the file /etc/rc.d/init.d/syslog which is what starts it. On RedHat Linux 7.0 (or later) systems, you need to add the option to the SYSLOGD_OPTIONS line in /etc/sysconfig/syslog. On RedHat Linux 6.2 systems, you need to add the "-r" to /etc/rc.d/init.d/syslog. On FreeBSD, you need to remove the "-s" flag from the init script that starts syslogd.

If you are running Solaris and are having this problem, remove the "-t" from your /etc/init.d/syslog script and restart syslogd.

You should also make sure that you have scripts (and a cron job) in place to roll your maillog on a regular basis, as this log can get very large on a busy system and you don't want to fill the partition.

2. Clean (virus-free) messages have no message body

The incoming and outgoing mail queues, /var/spool/mqueue.in and /var/spool/mqueue (or whatever you have called them) need to be on the same filesystem. This dramatically cuts the system load, as messages can be linked from one queue to the other once they are known to be clean.

3. Where can I get help on configuring sendmail

Sendmail's web site at www.sendmail.org has lots of useful information.

4. Where can I get help on configuring exim

Exim's web site at www.exim.org has lots of useful information.

5. Is there a mailing list for MailScanner

Yes. Visit http://lists.mailscanner.info/mailman/listinfo/mailscanner and http://lists.mailscanner.info/mailman/listinfo/mailscanner-announce to join the list or edit your subscription details.

To search the lists, go to the links above and follow the "MailScanner Archives" link in the first section of the page.

6. I'm getting lots of locking messages in my maillog

Version 2.40 and upwards log the file locking they are doing. This is done at syslog priority debug so getting rid of them is just a matter of configuring your /etc/syslog.conf file to not log debug information into your maillog. Read the man page for syslog.conf for more information.

7. There seem to be long delays

These are most likely happening when it is attempting delivery of messages. In "batch" or "individual" mode, MailScanner makes one delivery attempt of every message it has scanned/cleaned. If you are scanning email leaving your site, it is likely some of the messages are being sent to slow/unresponsive mail servers and this is how the delay is caused.

There are several solutions to this: if you are not worried about a longer delay through your MailScanner for most messages, then you can operate in "queue" mode and ensure that your outgoing sendmail process runs through the queue regularly (use "-q10m" or something similar).

Otherwise, you need to ensure that MailScanner is delivering to a fast, responsive mail server. So either put in another system that only receives mail from your MailScanner (hint: use sendmail's "smarthost" setting to force the mail to the new server) which delivers it to the outside world for you, or else achieve the same effect with another copy of sendmail hosted on the same machine, but on a virtual IP address.

Sorry there aren't any quick and simple solutions to this problem, but I am unwilling to write an entire outgoing queue handler as sendmail already does this job very effectively.

Addendum: There is now a "Deliver In Background" configuration option which you can set to yes which will make it run all sendmail processes in the background so you don't have to wait for their completion. Many sites are reporting great success with this option, but your mileage may vary.

8. I get a Bad File Descriptor error when updating Sophos

If you get an error like this:

    Fetching latest IDE virus identities from www.sophos.com
    Unzip failed with error return 16777215
    , Bad file descriptor at /usr/local/Sophos/bin/autoupdate line 81.
then you have not installed unzip on your system.

9. My test messages are not being scanned

Two things:

  1. When using sendmail, MailScanner only scans mail coming in via port 25 (SMTP); it cannot scan messages created by you invoking sendmail directly on the MailScanner server. If you use something like pine, you can set it to talk SMTP to localhost rather than invoking sendmail directly to deliver the message.
  2. Under test conditions, you may see up to a 30 second delay before MailScanner picks up the message and processes it. Once you are running on a live (busy) server, you won't see this delay any more.

10. There is a huge delay in message delivery

If you are checking for spam, please ensure that your machine can resolve DNS properly and quickly, as it has to do a DNS lookup for every message. If it cannot resolve DNS properly, you may be waiting for a DNS timeout for every message that is processed.

11. I am running a very high-volume mailserver

Note: This is only really relevant to version 3. Version 4 should not require any of these settings and is best left in "batch" mode.
This is contributed by a user:

It is highly preferable to use "Delivery Method = queue" instead of batch, because when you have an unresolvable DNS recipient, messages accumulate in the queue and things go very slowly. It is also preferable to use "Deliver In Background = yes" to speed up the outgoing mail process. Also recommend using "sendmail -q1m" instead of the normal "sendmail -q15m" so that sendmail picks up new messages much more quickly.

12. Alternative settings for a high-volume mailserver

Note: This is only really relevant to version 3. Version 4 should not require any of these settings and is best left in "batch" mode.
This is contributed by a user:

  • Delivery method = queue (like FAQ 11)
  • Deliver in Background = yes (like FAQ 11)
  • sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
    (launched via sendmail boottime start script)
  • sendmail -q15m, also launched via boottime start script
  • crontab job for local recipients only every minute (my wrinkle)
    The crontab entry looks like:
    0-59 * * * * /usr/sbin/sendmail -qR@colby.edu
    Replace colby.edu with your own domain name

The idea here is to get email bound for local recipients in my domain ("colby.edu") delivered fast by processing *only* the local recipient stuff once a minute. Anything outbound to a remote site can wait for the 15 minute queue started with the boot script.

The "sendmail -q1m" suggestion of FAQ 11 does not work, because email bound for local recipients is mixed in with remote sites that may not DNS resolve. So "sendmail -q1m" does not distinguish between messages that can be resolved quickly (ie, domains you have DNS control over) and those that can't. One bad remote DNS resolve hoses up the whole queue. My crontab keeps the local stuff moving, and leaves the poky remote stuff for the queue that runs less often.

13. What happens when my disk fills up?

You need to have your incoming and outgoing queues on the same disk partition for MailScanner to work properly in the first place. However, it is also a good idea to put your quarantine and work areas on this partition too. The result is that your MTA (sendmail or Exim) will manage the disk space situation for you, automatically refusing to accept new mail when the partition fills up and it runs out of disk space.

14. I am getting errors about "does not meet configured acceptable stability"

There is a new Minimum Code Status configuration variable introduced in version 3.00 that is causing some confusion. For a quick guide of what to set it to for the various scanners, read this.

15. Qmail support

MailScanner does not directly support Qmail. I wish it did, but there are only 24 hours in a day and I have a lot of other things to do except write MailScanner. I also have 1500 real users to support, as well as 40,000 MailScanner users. So sorry, it doesn't. And it won't very soon either.

However, read the next FAQ as it will definitely help you!

16. Can I use MailScanner with my Microsoft Windows mail server?

Yes, provided you have a firewall or some other form of packet filtering to make sure you cannot reach the SMTP port on your Windows mail server from the outside world. This will work not only with Microsoft Windows, but also any other OS or mail system that I don't support, e.g. Exchange, Postfix, Qmail, NTMail.

You do it like this: you set up a proxy mail server running Unix/Linux and MailScanner. You make this accessible to the outside world, through your firewall. This machine is listed in your DNS as the secondary MX (give it a priority of 20). The only thing you need to configure on this host is that it is running sendmail/Exim and will relay mail for your domain(s). If you are configuring sendmail from an mc file, then use the "FEATURE(access_db)" command in the mc file. Otherwise, you may find you already have /etc/mail/relay-domains or /etc/mail/access, in which case you can add a line

	your.domain.com		RELAY

You then set up your firewall so that the SMTP port of your Windows mail server can only be reached from within your network. You list this machine as your primary MX in your DNS records (give it a priority of 10).

That's it!

What happens is this: a foreign mail server trying to send a message to you will attempt to contact your Windows mail server as it is your primary MX. It will fail due to your firewall stopping it. It will then back off and attempt to contact your Unix/Linux MailScanner host, your secondary MX. It will succeed and deliver the message to your secondary MX, at which point it will be scanned by MailScanner. By default, one of the things a secondary MX does (out of the box) is forward all incoming mail to a better (lower number) MX if there is one, which there is. So it sends the message on to your Windows mail server ready to be accessed by your users. But because it went through your Unix/Linux MailScanner host, it will have been virus-scanned and spam-tagged.

If you want to scan outgoing mail as well, just tell your Windows mail server to pass all outgoing mail to your Unix/Linux MailScanner host.
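
The whole arrangement depends on the firewall: if the primary MX answers on port 25 from outside, senders deliver to it directly and nothing is scanned. The following check is an added example, not part of the original FAQ or of MailScanner; the hostnames are placeholders, and it assumes the lowest-preference MX is the internal server and every other MX is a MailScanner host.

```python
import socket


def smtp_port_open(host, port=25, timeout=5.0):
    """True if a TCP connection to host:port succeeds from where this runs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_mx_layout(mx_records, probe=smtp_port_open):
    """Check published MX records against the layout in this FAQ.

    mx_records: list of (preference, hostname). Assumption: the lowest
    preference is the internal mail server and every other record is a
    MailScanner host. Returns a list of findings; empty means it matches.
    """
    ordered = sorted(mx_records)
    if len(ordered) < 2:
        return ["need an internal primary MX and a MailScanner secondary MX"]
    findings = []
    pref, host = ordered[0]
    if probe(host):
        findings.append("%s (MX %d) accepts SMTP from here: senders can "
                        "deliver to it directly, unscanned" % (host, pref))
    for pref, host in ordered[1:]:
        if not probe(host):
            findings.append("%s (MX %d) is unreachable: inbound mail has "
                            "nowhere to go" % (host, pref))
    return findings


# Constructed sample records; the hostnames are placeholders.
SAMPLE_MX = [(20, "scanner.example.com"), (10, "winmail.example.com")]

if __name__ == "__main__":
    # Run from a host outside the firewall, or the result means nothing.
    for line in audit_mx_layout(SAMPLE_MX) or ["layout matches"]:
        print(line)
```

The probe is passed in as a parameter so the logic can be exercised without touching the network; by default it makes a real TCP connection.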

17. Installing MailScanner on a Cobalt/Sun RAQ system

Start by reading and following the RAQFAQ article on the subject. If you are using a RAQ3, then that is probably all you need. However, if you are using a RAQ4, then I would advise the following steps as well:

  1. Edit /etc/mail/sendmail.cf
    Search for "QueueDirectory" and change the line to
    O QueueDirectory=/var/spool/mqueue
  2. Edit /usr/local/MailScanner/mailscanner.conf
    Search for "Outgoing Queue Dir" and change the line to
    Outgoing Queue Dir = /var/spool/mqueue
  3. Move any remaining queue files into the updated queue directory
    mv /var/spool/mqueue/q*/* /var/spool/mqueue
  4. Delete the old queue subdirectories
    rmdir /var/spool/mqueue/q*
  5. Kill sendmail
    /etc/rc.d/init.d/mailscanner stop
    (this will kill all the sendmail processes if you happen to have more than 1 running!)
  6. Kill MailScanner and restart it
    /usr/local/MailScanner/bin/check_mailscanner
    (Then kill the process whose number it prints)
    /etc/rc.d/init.d/mailscanner start
  7. Check it's all okay:
    ps ax | grep mail
    should produce output like this:
     1680 ?        S      0:00 sendmail: accepting connections
     1682 ?        S      0:00 /usr/sbin/sendmail -q15m
     1692 ?        S      0:00 perl /usr/local/MailScanner/bin/mailscanner /usr/loca
    

18. Updating virus scanner definitions/patterns

If you look in the directory for your virus scanner (either in the tar file or else in /usr/local) you may well find an "autoupdate" script. If you set up a cron job to run this regularly (once or twice per day) then your virus definitions will be updated for you automatically.

If you are using the RPM distribution and Sophos, then the cron job will already have been set up for you, and will fetch new updates once per day.

19. Installing SpamAssassin 2.30

Install: Installing 2.30 was a bit messier than it should have been. You need to install Time-HiRes from CPAN first

       perl -MCPAN -e shell
       install Time-HiRes (or was it Time::HiRes?)
and if you are using gcc on Solaris then you'll need to remove all the "-xO3 -xdepend" from all the Makefiles as you go.

make test: It couldn't start spamd even when I tried shutting down MailScanner first, so I don't know what's wrong there. You can skip the spamd tests by doing

       cd t
       rm spamd*
       cd ..
before you "make test". You can quite safely skip spamd altogether as MailScanner doesn't use it anyway.

In Use: SpamAssassin keeps spitting out "sh: dccproc: not found" errors as I don't have the DCC system installed. But according to the SpamAssassin README, it's optional anyway. These can be stopped by adding

       score DCC_CHECK 0.0
to the spam.assassin.prefs.conf file.

Summary: The good news is that once I got it installed happily, it seems to be working just fine.

20. Where should I run my RBL test (Real time Blackhole List)?

You can perform RBL lookups at 3 different levels, each with its own characteristics:

  1. MTA (Sendmail,...): This is the most aggressive option. If the sender is RBL'ed, the email will be refused and never reach its recipient. This approach often penalizes more innocents than spammers, and you may receive complaints from your users. But it also reduces spam processing down the pipeline;
  2. MailScanner: If the sender is RBL'ed, MailScanner gives you the choice (per-user or per-domain) to deliver it (tagged as spam), delete it, or archive it.
  3. SpamAssassin: This option allows for the most control, since the RBL test will count towards the total SpamAssassin score. You can fine-tune the scoring system to match your users' needs. If the final SpamAssassin score is high enough, the message will be tagged. This option is also the most resource-intensive, since RBL'ed spam makes it all the way through the pipeline.

21. I want to browse my stored spam in a mail program (e.g. pine)

Sendmail

All the quarantined spam is stored as just the "qf" and "df" files straight out of the mail queue. It is obviously quite hard to browse these in an email program such as pine or Eudora. So, for sendmail users, I have written a little df2mbox shell script which will convert your qf and df files into "mbox"-format files which can be used directly as mailboxes by many Unix mail programs and some Windows ones (e.g. pine and Eudora).

An example of how to run it would go like this:

    cd /var/spool/MailScanner/quarantine
    /opt/mailscanner/bin/df2mbox *
and you will get a whole series of "spam.*" files, one for each sub-directory. If you set /var/spool/MailScanner/quarantine as a "mail folders location" in pine, then it will see each of these files as a mailbox.

Exim

The instructions are pretty much the same, but the script is called d2mbox instead.

22. Why doesn't MailScanner support virus scanning daemons?

I haven't supported them so far for 3 reasons:

  1. If they die or leak resources, something needs to be watching them to make sure they get restarted. If they leak resources, eventually your mail server will run out and probably get into a nasty state. MailScanner completely re-runs itself every 4 hours (by default) in order to ensure that no resource leaks last more than a few hours.
  2. The daemonized scanners would offer much better performance were I invoking the command-line scanner once for each message. However, that isn't how MailScanner works (but it is how things like Amavis work). MailScanner handles messages in batches and only invokes the scanner once for each entire batch. The busier the server, the larger the batches will be, and therefore the less the overhead (per message) of running the command-line scanner.
  3. I have very recently speed tested one (sorry, but I'm not going to get in a flame war by telling you which one) of the very big commercial virus scanners, who provide a daemon and a command-line scanner. Obviously the only time the speed difference between the 2 matters is when the message batch size has grown quite large (i.e. when the server is battling to keep up).
    I ran with a test set of 10,000 messages. The command-line approach took 11 seconds (processing in batches of about 50-100), whereas the daemon took 39 seconds. The difference is mostly down to the communication overhead in talking to the daemon. You have to generate an HTTP GET request for each individual file, sending that to a socket. The daemon then scans the file and sends back XML saying whether the file was infected, again communicating via the socket.
    All that communication overhead is much slower than starting up the command-line scanner a few times.
  4. What happens to these daemons when they are attacked with a Denial Of Service attack such as the now notorious "Zip Of Death"? If you haven't come across it, it is a 42kbytes zip file which expands to 1 million files with a total of 49,000 Tbytes. Throw any normal virus scanner at this and it will either crash or (more likely) just never return, as it desperately tries to unpack the zip file. If the virus scanner is a daemon over which MailScanner has no control, then all your incoming mail will be blocked. This is what happens with virtually all email virus scanners and daemonized file scanners. However, MailScanner recognises denial of service attacks like this, handles them tidily and quickly and disinfects the email message successfully. It can only do this as it has complete control over the virus scanner process.

I hope that explains the reasoning behind my decision. Daemons are very much a mixed blessing, and I don't feel it's worth it, particularly if you take into account the "busier server implies bigger batches implies lower overhead" argument.
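
Two defences against the archive denial of service in point 4, as an added example that is not MailScanner's code and does not claim to show how MailScanner does it: judge a zip from its directory listing before anything is unpacked, and run the scanner as a child process that is killed when it overruns. The limits, function names and sample archives are assumptions made for this example.

```python
import io
import subprocess
import sys
import zipfile

# Illustrative limits (assumptions for this example, not MailScanner settings).
MAX_ENTRIES = 1000
MAX_UNPACKED = 100 * 1024 * 1024   # bytes
MAX_RATIO = 100                    # unpacked : packed


def archive_verdict(data, max_entries=MAX_ENTRIES, max_unpacked=MAX_UNPACKED,
                    max_ratio=MAX_RATIO):
    """Judge a zip from its central directory only; nothing is decompressed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "reject: not a readable zip"
    with zf:
        infos = zf.infolist()
    if len(infos) > max_entries:
        return "reject: too many entries"
    # These sizes are what the archive declares, so a forged header can
    # understate them; the process timeout below is the backstop.
    unpacked = sum(i.file_size for i in infos)
    packed = sum(i.compress_size for i in infos)
    if unpacked > max_unpacked:
        return "reject: unpacked size over limit"
    if unpacked > max_ratio * max(packed, 1):
        return "reject: compression ratio over limit"
    return "ok"


def run_scanner(argv, timeout):
    """Run a command-line scanner as a child we own; kill it if it hangs."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"   # subprocess.run has already killed the child
    return proc.returncode


def make_zip(members):
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: an ordinary attachment and a small, dense archive.
PLAIN = make_zip({"note.txt": b"Quarterly figures attached.\r\n"})
DENSE = make_zip({"f%d.bin" % n: bytes(1024 * 1024) for n in range(4)})

if __name__ == "__main__":
    print(archive_verdict(PLAIN))
    print(archive_verdict(DENSE))
    # Stand-in for a scanner that never returns.
    hang = [sys.executable, "-c", "import time; time.sleep(30)"]
    print(run_scanner(hang, timeout=1))
```

A daemon shared by all mail offers no equivalent of the timeout path: one stuck scan there blocks every message behind it, which is the situation point 4 describes.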

23. My virus scanner (e.g. Sophos) is consuming lots of CPU and scanning very slowly

Take a look in your "incoming" directory, defined by the "Incoming Work Dir" in your mailscanner.conf file. If there is a core file in there, delete it.

24. I am using F-Prot and the F-Prot installation failed

If you find the F-Prot installation didn't work, then install F-Prot before installing MailScanner (you can uninstall MailScanner with a "rpm -e mailscanner" command). Installing F-Prot first will make the soft-link from /usr/local/f-prot to the relevant directory for your version. Then MailScanner will install into the current F-Prot version-specific directory okay.

25. Why can't I get MailScanner to process some SpamAssassin options?

MailScanner only uses 3 pieces of information returned from SpamAssassin:
  1. The number of hits scored
  2. The threshold above which a message is deemed to be spam
  3. The list of matching rule names

So changing SpamAssassin items like the report style (use_terse_report) will have no effect as everything else is discarded.

This was coded by design to reduce the number of headers MailScanner has to parse.

26. I have a RaQ and cannot install MailScanner version 4

If you are having trouble making it install, first check that you only have 1 version of Perl installed. The one that came supplied is in /usr/bin/perl, but you may also have /usr/local/bin/perl. If you have both, I strongly advise you get rid of any traces of perl under /usr/local.

    rm /usr/local/bin/*perl*
    rm /usr/local/bin/pod*
    rm -r /usr/local/lib/perl5
    rm /usr/local/man/man1/perl*

After this, install MailScanner and then, if you want to use it, re-install SpamAssassin. When you type the "make" command, you may get "pod2text not found" errors. If so, do

    ln -s pod2html /usr/bin/pod2text
I would personally not use the CPAN shell to do this, it is far too keen to upgrade your entire copy of Perl which usually isn't what you want to do.

If you get errors about "TokeParser" or the installation of the perl module HTML::Parser fails, then you will need to create 4 dummy files to keep Perl happy. You should do this:

    cd /usr/lib/perl5/5.00503/i386-linux/CORE
    touch opnames.h
    touch perlapi.h
    touch utf8.h
    touch warnings.h
Then run my install.sh script again and HTML-Parser should install properly.

27. I am trying to use Trend VirusWall

The Trend VirusWall support has been entirely contributed by Martin Lorensen, so please direct questions/problems to him, but do please let me know of all bug-fixes and improvements that can be made.

Trend / MailScanner installation instructions.

Copyright 2006 © Julian Field/Mailscanner