Koozali.org: home of the SME Server

Anacron Error Email

devtay
Anacron Error Email
« on: January 30, 2018, 03:02:47 PM »
I received this after an sa update:

Code:
/etc/cron.daily/sa_update:

rules: failed to run FORGED_GMAIL_RCVD test, skipping:
(Can't locate object method "check_for_forged_gmail_received_headers" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 1314) line 227.
)
channel: lint check of update failed, channel failed

Googling shows a bug already started with SA.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7540

Thought I'd pass it along in case others have the same issue.
You can't stop what's coming. It ain't all waiting on you.

SchulzStefan
Re: Anacron Error Email
« Reply #1 on: January 31, 2018, 06:40:38 PM »
Is this error related?

freshclam: Update failed

2018-01-31 09:01:44.193753500 ClamAV update process started at Wed Jan 31 09:01:44 2018
2018-01-31 09:01:44.193924500 WARNING: Your ClamAV installation is OUTDATED!
2018-01-31 09:01:44.193924500 WARNING: Local version: 0.99.2 Recommended version: 0.99.3
2018-01-31 09:01:44.193925500 DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
2018-01-31 09:01:44.193926500 Connecting via 192.168.42.1
2018-01-31 09:01:44.193926500 main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
2018-01-31 09:01:44.193927500 Connecting via 192.168.42.1
2018-01-31 09:01:44.453444500 ERROR: getfile: Unknown response from database.clamav.net
2018-01-31 09:01:44.453512500 ERROR: Can't download daily.cvd from database.clamav.net
2018-01-31 09:01:44.453801500 Giving up on database.clamav.net...
2018-01-31 09:01:44.453817500 Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Jean-Philippe Pialasse
Re: Anacron Error Email
« Reply #2 on: January 31, 2018, 07:01:08 PM »
> Is this error related?
>
> freshclam: Update failed
>
> 2018-01-31 09:01:44.193753500 ClamAV update process started at Wed Jan 31 09:01:44 2018
> 2018-01-31 09:01:44.193924500 WARNING: Your ClamAV installation is OUTDATED!
> 2018-01-31 09:01:44.193924500 WARNING: Local version: 0.99.2 Recommended version: 0.99.3
> 2018-01-31 09:01:44.193925500 DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
> 2018-01-31 09:01:44.193926500 Connecting via 192.168.42.1
> 2018-01-31 09:01:44.193926500 main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> 2018-01-31 09:01:44.193927500 Connecting via 192.168.42.1
> 2018-01-31 09:01:44.453444500 ERROR: getfile: Unknown response from database.clamav.net
> 2018-01-31 09:01:44.453512500 ERROR: Can't download daily.cvd from database.clamav.net
> 2018-01-31 09:01:44.453801500 Giving up on database.clamav.net...
> 2018-01-31 09:01:44.453817500 Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
>
> regards,
> stefan

Likely no: this thread is about spamassassin, your log is about clamav.

That said, clamav-0.99.3-1.el6.sme is available for testing in the smeupdates-testing repo. If you plan to test, please report on https://bugs.contribs.org/show_bug.cgi?id=10499

SchulzStefan
Re: Anacron Error Email
« Reply #3 on: February 01, 2018, 09:22:18 AM »
Jean-Philippe,

thank you for the info.

I read the bug and I'll give the testing a try in my production environment. I'll report.

stefan

ReetP
Re: Anacron Error Email
« Reply #4 on: February 01, 2018, 10:05:17 AM »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

SchulzStefan
Re: Anacron Error Email
« Reply #5 on: February 01, 2018, 11:18:46 PM »
> I read the bug and I'll give the testing a try in my production environment. I'll report.

I'm not quite sure what to report, because my servers are behind a firewall. I defined the proxy and the port, and everything used to work as expected.

For a few days now I have been getting errors while updating freshclam, and I still do. It might be related to clamav. All I can see is that if I define *allow all* as the last rule on the LAN interface of my firewall, /usr/bin/refreshclam works up to this point:

# /usr/bin/refreshclam
Current working dir is /var/clamav
Max retries == 6
ClamAV update process started at Thu Feb  1 23:14:13 2018
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 500
Software version from DNS: 0.99.3
Connecting via 192.168.42.1
Retrieving http://db.local.clamav.net/main.cvd
Trying to download http://db.local.clamav.net/main.cvd
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 4566249 signatures from new main.cvd
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Querying main.58.84.1.0.C0A82A01.ping.clamav.net
Connecting via 192.168.42.1
Retrieving http://db.local.clamav.net/daily.cvd
Trying to download http://db.local.clamav.net/daily.cvd
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 1841770 signatures from new daily.cvd
daily.cvd updated (version: 24276, sigs: 1841672, f-level: 63, builder: neo)
Querying daily.24276.84.1.0.C0A82A01.ping.clamav.net
Connecting via 192.168.42.1
Retrieving http://db.local.clamav.net/bytecode.cvd
Trying to download http://db.local.clamav.net/bytecode.cvd
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
Properly loaded 75 signatures from new bytecode.cvd
bytecode.cvd updated (version: 319, sigs: 75, f-level: 63, builder: neo)
Querying bytecode.319.84.1.0.C0A82A01.ping.clamav.net
Database updated (6407996 signatures) from db.local.clamav.net
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/clamav/clamd.socket: No such file or directory

and:

# freshclam -v
Current working dir is /var/clamav
Max retries == 6
ClamAV update process started at Thu Feb  1 23:17:17 2018
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 316
Software version from DNS: 0.99.3
main.cvd version from DNS: 58
Connecting via 192.168.42.1
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cvd version from DNS: 24276
Connecting via 192.168.42.1
daily.cvd is up to date (version: 24276, sigs: 1841672, f-level: 63, builder: neo)
bytecode.cvd version from DNS: 319
Connecting via 192.168.42.1
bytecode.cvd is up to date (version: 319, sigs: 75, f-level: 63, builder: neo)

I've no idea at all.

Sorry if I'm OT.

regards,
stefan

SchulzStefan
Re: Anacron Error Email
« Reply #6 on: February 01, 2018, 11:44:27 PM »
Now this happens if I run sa-update -v:

[root@saturn ~]# sa-update -v
Update available for channel updates.spamassassin.org: 1822491 -> 1822856
http: (curl) GET http://sa-update.verein-clean.net/1822856.tar.gz, success
http: (curl) GET http://sa-update.verein-clean.net/1822856.tar.gz.sha1, success
http: (curl) GET http://sa-update.verein-clean.net/1822856.tar.gz.asc, success
Update was available, and was downloaded and installed successfully
[root@saturn ~]# ssh root@192.168.42.15
root@192.168.42.15's password:
Last login: Thu Feb  1 22:38:19 2018 from pc-00010.affaivb.local
************ Welcome to SME Server 9.2 *************

Before editing configuration files, familiarise
yourself with the automated events and templates
systems.

Please take the time to read the documentation
http://wiki.contribs.org/Main_Page

Remember that SME Server is free to download
and use, but it is not free to build

Please help the project :
http://wiki.contribs.org/Donate

****************************************************
[root@orion ~]# sa-update -v
Update available for channel updates.spamassassin.org: 1822491 -> 1822856
http: (curl) GET http://sa-update.ena.com/1822856.tar.gz, success
http: (curl) GET http://sa-update.ena.com/1822856.tar.gz.sha1, success
http: (curl) GET http://sa-update.ena.com/1822856.tar.gz.asc, success
Update was available, and was downloaded and installed successfully

Two servers - in the same LAN. I ran the command on both servers within 30 seconds. This seemed to work.

Too late now, I'll report tomorrow.

regards,
stefan

ReetP
Re: Anacron Error Email
« Reply #7 on: February 02, 2018, 12:01:28 AM »
> I'm not quite sure what to report, because my servers are behind a firewall. I defined the Proxy and the port and everything used to work as expected.
>
> Sorry if I'm OT.

It is... note the subject of this thread and the first post, which is for spamassassin.

If you had a look, there are threads on the clamav error which would tell you there has been an upstream error (not an SME error).

Your log shows nothing wrong. The only point you might wonder about is:

"WARNING: Clamd was NOT notified: Can't connect to clamd through /var/clamav/clamd.socket: No such file or directory"

A search on the forums, wiki and bugs will reveal the answer to that.

Note your proxy has nothing to do with it.

ReetP
Re: Anacron Error Email
« Reply #8 on: February 02, 2018, 12:04:14 AM »
> Now this happens if I run sa-update -v:

So this is for spamassassin, but what relevance is it to the problem I originally reported?

What is in your logs that makes you think something is wrong (because there doesn't appear to be)?

Have you checked what versions are installed and against the SME bug above and the upstream one reported?

SchulzStefan
Re: Anacron Error Email
« Reply #9 on: February 03, 2018, 11:09:39 AM »
I reverted back to

# rpm -q clamav
clamav-0.99.2-1.el6.sme.i386

As I tested in a real environment and my users started to complain about not receiving emails from some customers/suppliers, I decided to roll back.

I checked the logs qpsmtpd, qmail, spamd.

I.e. I found this:

2018-02-02 08:49:10.192461500 10481 Accepted connection 0/40 from 217.9.102.11 / mail.sixt.de
2018-02-02 08:49:10.193214500 10481 Connection from mail.sixt.de [217.9.102.11]
2018-02-02 08:49:12.134825500 10481 dispatching EHLO mail-in1.sixt.de
2018-02-02 08:49:12.138264500 10481 250-saturn.ivbonline.de Hi mail.sixt.de [217.9.102.11]
2018-02-02 08:49:12.490391500 10481 dispatching EHLO mail-in1.sixt.de
2018-02-02 08:49:12.493210500 10481 250-saturn.ivbonline.de Hi mail.sixt.de [217.9.102.11]
2018-02-02 08:49:12.539402500 10481 dispatching MAIL FROM:<neuwagenservice@sixt.de> SIZE=52195
2018-02-02 08:49:12.874712500 10481 (mail) resolvable_fromhost: pass, sixt.de has MX at sixt-de.mail.protection.outlook.com
2018-02-02 08:49:14.582405500 10481 (mail) sender_permitted_from: pass, sixt.de: 217.9.102.11 is authorized to use 'neuwagenservice@sixt.de' in 'mfrom' identity (mechanism 'ip4:217.9.102.11' matched)
2018-02-02 08:49:14.598189500 10481 (deny) logging::logterse: ` 217.9.102.11   mail.sixt.de   mail-in1.sixt.de         naughty   901   (dnsbl) IP 217.9.102.11 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=217.9.102.11   msg denied before queued
2018-02-02 08:49:14.599640500 10481 deny mail from <neuwagenservice@sixt.de> ((dnsbl) IP 217.9.102.11 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=217.9.102.11)

The reason for that might be the ubllist settings. In the whitelist of the server-manager I added *sixt.de. I assume that emails from *sixt.de will pass now.

# config show qpsmtpd
qpsmtpd=service
    BadCountries=AC,AD,AE,AF,AG,AI,AL,AM,AN,AO,AQ,AP,AR,AS,AU,AW,AX,AZ,BA,BB,BD,BE,BF,BG,BH,BI,BJ,BL,BM,BN,BO,BQ,BR,BS,BT,BV,BW,BY,BZ,CA,CC,CD,CF,CG,CI,CK,CL,CM,CN,CO,CR,CU,CV,CW,CX,CY,CZ,DJ,DM,DO,DZ,EC,EDU,EE,EG,EH,ER,ES,ET,FI,FJ,FK,FM,FO,GA,GB,GD,GE,GF,GG,GH,GI,GL,GM,GN,GP,GQ,GR,GS,GT,GU,GW,GY,HK,HM,HN,HR,HT,HU,ID,IE,IL,IM,IN,IO,IQ,IR,IS,IT,JE,JM,JO,JP,KE,KG,KH,KI,KM,KN,KP,KR,KW,KY,KZ,LA,LB,LC,LI,LK,LR,LS,LT,LU,LV,LY,MA,MC,MD,ME,MF,MG,MH,MIL,MK,ML,MM,MN,MO,MP,MQ,MR,MS,MT,MU,MV,MW,MX,MY,MZ,NA,NAME,NC,NE,NF,NG,NI,NO,NP,NR,NU,NZ,OM,PA,PE,PF,PG,PH,PK,PM,PN,PR,PS,PT,PW,PY,QA,RE,RO,RS,RU,RW,SA,SB,SC,SD,SE,SG,SH,SI,SJ,SK,SL,SM,SN,SO,SR,SS,ST,SU,SV,SX,SY,SZ,TC,TD,TF,TG,TH,TJ,TK,TL,TM,TN,TO,TP,TR,TT,TV,TW,TZ,UA,UG,UK,UM,UY,UZ,VA,VC,VE,VG,VI,VN,VU,WF,WS,XXX,YE,YT,ZA,ZM,ZW
    Bcc=enabled
    BccMode=bcc
    BccUser=maillog
    DKIMSigning=enabled
    DMARCReject=disabled
    DMARCReporting=disabled
    DNSBL=enabled
    GeoIP=enabled
    Karma=disabled
    LogLevel=6
    MaxScannerSize=15000000
    RBLList=bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org
    RHSBL=enabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
    SPFRejectPolicy=0
    TlsBeforeAuth=1
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=enabled
    access=public
    qplogsumm=disabled
    status=enabled

But unfortunately in the logs other emails did not show up. One of our suppliers sent the error back, which was:

Subject:         Mail delivery failed: returning message to sender
Date:         Fri, 02 Feb 2018 10:00:59 +0100
From:         Mail Delivery System <Mailer-Daemon@dedi1422.your-server.de>
To:         xyz@foo.de


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  abc@foobar.de
    host mail.foobar.de [87.140.117.154]
    SMTP error from remote mail server after RCPT TO:<abc@foobar.de>:
    550 Relaying denied (#5.7.1)

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 152723 characters long; only the first
------ 24576 or so are included here.

Return-path: <xyz@foo.de>
Received: from [87.140.87.168] (helo=[192.168.0.125])
        by dedi1422.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-SHA:256)
        (Exim 4.85_2)
        (envelope-from <xyz@foo.de>)
        id 1ehXDL-0004tz-D4
        for abc@foobar.de; Fri, 02 Feb 2018 10:00:56 +0100
To: abc@foobar.de
Subject: Auftragsbestaetigung Nr.12345
From: x y <xyz@foo.de>
Message-ID: <ef534d9e-64c5-87d7-d632-4947e9e1419e@foo.de>
Date: Fri, 2 Feb 2018 10:00:54 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="------------980972077F439AB852439D23"
Content-Language: de-DE
X-Antivirus: Avast (VPS 180202-2, 02.02.2018), Outbound message
X-Antivirus-Status: Clean
X-Authenticated-Sender: xyz@foo.de
X-Virus-Scanned: Clear (ClamAV 0.99.3/24277/Fri Feb  2 02:23:13 2018)

This is a multi-part message in MIME format.
--------------980972077F439AB852439D23
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

In the past I didn't have the error *550 Relaying denied (#5.7.1)*. All emails from the foo.de sender have been received. Maybe the install of ClamAV 0.99.3 also requires 0.99.3 clamd and clamav-db? I didn't check if the rpms had been installed as dependencies. Maybe clamav changed some behaviour? I don't know...

Therefore I reverted back to clamav-0.99.2-1. During the next week I will keep an eye on this.

regards,
stefan

ReetP
Re: Anacron Error Email
« Reply #10 on: February 03, 2018, 12:19:14 PM »
Stefan,

You are too busy jumping to conclusions rather than checking the errors.

Your latest has nothing to do with spamassassin, which is what this thread is about, nor with clamav.

Your rollback was unnecessary.

Read properly and check this

deny mail from <neuwagenservice@sixt.de> ((dnsbl) IP 217.9.102.11 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=217.9.102.11)

Blocked as the address is blacklisted.

Then:
SMTP error from remote mail server after RCPT TO:<abc@foobar.de>:
    550 Relaying denied (#5.7.1)

Blocked because relaying is denied.

Neither has anything to do with clamav or spamassassin.

Please check the errors in the forums/wiki for help and open a new thread if you still have issues. You are just confusing this thread.

SchulzStefan
Re: Anacron Error Email
« Reply #11 on: February 03, 2018, 02:46:24 PM »
I know, therefore I wrote this:

> The reason for that might be the ubllist settings. In the whitelist of the server-manager I added *sixt.de. I assume that emails from *sixt.de will pass now.

The only thing I changed was to install clamav from the testing repo, and this results in the relaying denied error. Most emails went through, just a few did not, without the 550 Relaying denied (#5.7.1) showing in the logs. In fact, if the supplier hadn't called us, we wouldn't know anything about the emails we didn't receive. I asked for the error message which was sent back from our server. They were kind enough to send me this email to another server and account.

If you say it's got nothing to do with clamav, which was the only thing I changed, so be it. It's beyond my knowledge and understanding. I'll stop here, I don't want to confuse or be OT.

regards,
stefan

ReetP
Re: Anacron Error Email
« Reply #12 on: February 03, 2018, 03:53:54 PM »
It would help if you read before jumping to conclusions.

There was a specific error for clamav covered elsewhere in the forums.

There was a specific error for spamassassin covered here.

If you check your errors you will understand that neither is related to clamav or spamassassin. You are trying to add 5+3 to make 4.

The errors you are now experiencing are related to qpsmtpd and your spam blocking.

Regarding your issues...

For the blacklisted address, tell the sender to find out why their IP was listed and get it delisted if possible. Adding them to the whitelist bypasses your server checks but will let you receive it.

Relaying denied means the sender is sending from a domain that is not permitted on your server. Check the sender's settings and your own.

Please search the forums and wiki for more information and if you are still stuck then open a new relevant topic, don't hijack an unrelated one.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
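
Added example, not part of the thread and not SME Server code: a small triage of the two rejections discussed in the reply above, run on the qpsmtpd deny line, the bounce excerpt and the RBLList value posted in Reply #9. The regular expressions assume the log and bounce layouts shown in this thread and the function names are hypothetical; the DNSBL query names (reversed octets plus zone) are only built, no lookup is performed.

```python
import ipaddress
import re

# Sample input copied from Reply #9: one qpsmtpd deny line and the bounce excerpt.
QPSMTPD_LINE = (
    "2018-02-02 08:49:14.599640500 10481 deny mail from <neuwagenservice@sixt.de> "
    "((dnsbl) IP 217.9.102.11 is UCEPROTECT-Level 1 listed. "
    "See http://www.uceprotect.net/rblcheck.php?ipr=217.9.102.11)"
)
BOUNCE = """\
  abc@foobar.de
    host mail.foobar.de [87.140.117.154]
    SMTP error from remote mail server after RCPT TO:<abc@foobar.de>:
    550 Relaying denied (#5.7.1)
"""
# RBLList value from the posted `config show qpsmtpd` output.
RBLLIST = ("bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,"
           "psbl.surriel.com,zen.spamhaus.org")

# Assumed layout: "<date> <time> <pid> deny mail from <sender> ((plugin) reason)"
DENY_RE = re.compile(r"^\S+ \S+ \d+ deny mail from <(?P<sender>[^>]*)> "
                     r"\(\((?P<plugin>\w+)\) (?P<reason>.*)\)$")
IP_RE = re.compile(r"\bIP (\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"host (?P<host>\S+) \[(?P<ip>[\d.]+)\]")
STAGE_RE = re.compile(r"after (?P<stage>[A-Z]+(?: [A-Z]+)?):<(?P<rcpt>[^>]+)>")
REPLY_RE = re.compile(r"^[ \t]*(?P<code>[45]\d\d) (?P<text>.*?)"
                      r"(?: \(#(?P<enh>\d\.\d+\.\d+)\))?[ \t]*$", re.MULTILINE)


def dnsbl_query_names(ip, zones):
    """DNS names a DNSBL check looks up: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on a bad address
    reversed_ip = ".".join(reversed(octets))
    return [f"{reversed_ip}.{zone.strip()}" for zone in zones.split(",") if zone.strip()]


def triage_qpsmtpd(line):
    """Local rejection: which qpsmtpd plugin denied the mail, for which client IP."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    ip = IP_RE.search(m["reason"])
    return {"plugin": m["plugin"], "sender": m["sender"],
            "client_ip": ip.group(1) if ip else None}


def triage_bounce(text):
    """Bounce excerpt: which host refused, at which SMTP stage, with which reply."""
    host, stage, reply = HOST_RE.search(text), STAGE_RE.search(text), REPLY_RE.search(text)
    if not (host and stage and reply):
        return None
    return {"refused_by": host["host"], "stage": stage["stage"],
            "code": int(reply["code"]), "enhanced": reply["enh"],
            # MAIL FROM and RCPT TO precede DATA: no message body had been sent,
            # so the refusing host's content scanner never saw this message.
            "before_data": stage["stage"] in ("MAIL FROM", "RCPT TO")}


if __name__ == "__main__":
    print(triage_qpsmtpd(QPSMTPD_LINE))
    print(dnsbl_query_names("217.9.102.11", RBLLIST))
    print(triage_bounce(BOUNCE))
```
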