I am attaching the tail-f capture. Because the /^Received:/ HOLD sends them to the queue, but as the spamassassins and MailScanner takes to scan and there are accumulating mail in the queue of postfix and not forwarded to the exchange.

Dec 28 12:00:38 xxx MailScanner[22438]: Enabling SpamAssassin auto-whitelist functionality…
Dec 28 12:00:39 xxx MailScanner[22438]: Connected to Processing Attempts Database
Dec 28 12:00:39 xxx MailScanner[22438]: Found 108 messages in the Processing Attempts Database
Dec 28 12:00:39 xxx MailScanner[22438]: Using locktype = flock
Dec 28 12:00:39 xxx MailScanner[22438]: Warning: skipping message 83DBA8D460.AF3C0 as it has been attempted too many times
Dec 28 12:00:39 xxx MailScanner[22438]: Quarantined message 83DBA8D460.AF3C0 as it caused MailScanner to crash several times
Dec 28 12:00:43 xxx MailScanner[22439]: MailScanner E-Mail Virus Scanner version 4.84.3 starting…
Dec 28 12:00:43 xxx MailScanner[22439]: Reading configuration file /opt/MailScanner/etc/MailScanner.conf
Dec 28 12:00:43 xxx MailScanner[22439]: Reading configuration file /opt/MailScanner/etc/conf.d/README
Dec 28 12:00:43 xxx MailScanner[22439]: Read 869 hostnames from the phishing whitelist
Dec 28 12:00:43 xxx MailScanner[22439]: Read 3544 hostnames from the phishing blacklists

“83DBA8D460 mail is safe”

Dec 28 11:00:29 XXX postfix/pickup[21244]: 8DF748D8B6: uid=103 from= orig_id=076D48D885
Dec 28 11:00:29 XXX postfix/cleanup[21305]: 8DF748D8B6: message-id=
Dec 28 11:00:29 XXX postfix/qmgr[21245]: 8DF748D8B6: from=, size=1576, nrcpt=1 (queue active)

I have created in the directory /etc/postfix file “header_checks” with the single line: /^Received: / HOLD
if the comment before I left with # the mail in the queue, the problem you grow doubtful or spam mail.Thanks again

1. I think this is default behavior with notifying sender, but sending the whole content to admin I don’t know how to do it, try with activating notifications and chech this link http://www.mailscanner.info/man/MailScanner.conf.5.html#Notifications%20back%20to%20the%20senders%20of%20blocked%20messages

2. If you check http://www.mailscanner.info/man/MailScanner.conf.5.html you will find that you have 2 possible settings, Maximum Message Size and Maximum Attachment Size where you can specify size in bytes to limit message

I was able to solve the above problems, but now I have the following:
1) I want to send copies of the emails in quarantine and also a notice of rejection (at least who is the sender and the receiver?) To an admin account or log to check.
2) I want to limit the size of attachments, but can not find in mailscanner.conf or rules for editing. Thanks

Regards

line 2213–MailScanner::Log::WarnLog(“Syntax error(s) in configuration file:”);
#print STDERR “Syntax error(s) in configuration file:\n”;
foreach $leftover (sort @leftovers) {
MailScanner::Log::WarnLog(“Unrecognised keyword \”%s\” at line %d”,
ItoE($leftover), $LineNos{$leftover});
#print STDERR “Unrecognised keyword \”" . ItoE($leftover) .
# “\” at line ” . $LineNos{$leftover} . “\n”;
}
MailScanner::Log::WarnLog(“Warning: syntax errors in %s.”,
line 2222 $filename);
line 3132 #print STDERR “Config: $keyword has a ruleset $isrules\n”;
if (!$RulesAllowed) {
MailScanner::Log::WarnLog(“Value of %s cannot be a ruleset, only a ” .
“simple value”, $keyword);
line 3136 }

Thanks for your time and sorry for my lack of knowledge of the subject and errors to the problem as well talk to you about my bad ingles.

Logs should be available in /opt/Mailscanner and eventual bounce messages should return to senders.

I commented that add the line “> / dev / null 2​​> & 1″ at the end of the crontab file and mail Mailscanner.conf and I keep coming, but in the case of modification of MailScanner gives me an error when I restart the service :

root@xxxx:~# root@xxx:~# service mailscanner restart
* Restarting mail spam/virus scanner MailScanner
Syntax error(s) in configuration file: at /opt/MailScanner/lib/MailScanner/Config.pm line 2213
Unrecognised keyword “optmailscannerbin” at line 3132 at /opt/MailScanner/lib/MailScanner/Config.pm line 2216
Warning: syntax errors in /opt/MailScanner/etc/MailScanner.conf. at /opt/MailScanner/lib/MailScanner/Config.pm line 2221

So I had to undo the last change to service MailScanner start.
Finally the last question I want to add the following, where seconfigura mail notifications to the administrator’s mail in quarantine or are bounced by spam or where you can view these log (would need the commands) Thanks again and sorry for my bad English

I commented that add the line “> / dev / null 2​​> & 1″ at the end of the crontab file and mail Mailscanner.conf and I keep coming, but in the case of modification of MailScanner gives me an error when I restart the service :

root@PMCSpam:~# root@xxx:~# service mailscanner restart
* Restarting mail spam/virus scanner MailScanner
Syntax error(s) in configuration file: at /opt/MailScanner/lib/MailScanner/Config.pm line 2213
Unrecognised keyword “optmailscannerbin” at line 3132 at /opt/MailScanner/lib/MailScanner/Config.pm line 2216
Warning: syntax errors in /opt/MailScanner/etc/MailScanner.conf. at /opt/MailScanner/lib/MailScanner/Config.pm line 2221

So I had to undo the last change to service MailScanner start.
Finally the last question I want to add the following, where seconfigura mail notifications to the administrator’s mail in quarantine or are bounced by spam or where you can view these log (would need the commands) Thanks again and sorry for my bad English

Now regarding cron you have set it to update itself from cron, so you can edit crontab and add >/dev/null 2>&1 at the end of the mailscanner line so it won’t send you e-mail and it will update itself.

Answer to the second question is pretty simple, try to send yourself copy of some spam mail, or mail that contains .exe file, spamassasing should put it to quarantine and you would receive mail that attachment has been removed.

Also when you check mail headers you should see spamasassin score in the header.

All very good first scenario is the tutorial.mi the firewall nat all that comes to port 25 to an X port you configure in the postfix (Intal from your tutorial), he analyzes the mail and forwards it to me to exchange 2010 up here ok.Mi question is this: first I get mail sent by the cron (attached) and the other is how to update and how do I verify the basis of MailScanner, ClamAV and SpamAssassin?

Attached:
from:From: Cron Daemon
To:
Subject: Cron /opt/MailScanner/bin/check_mailscanner
Message:MailScanner running with pid 1261 1262 1431 1432 1433 1434
Message:Failed to retrieve valid current details Reading status from /var/spool/MailScanner/quarantine/phishingupdate/status
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2011-493 exists… ok Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2011-493.32 exists… ok

Cheers

I’m looking through the snort.conf now and things seem to be a bit different. Once again thanks for your time and patience..

Reason for moderation is that akismet spam filter is down sometimes and then I got loads of spam idiots with replicas of watches, viagra, you name it which I block manually, but all comments from real people are approved directly, good and bad ones.

Glad that you find blog helpful.

Regards
Amar

Regarding your comments about moderation it’s not moderation that’s issue, it’s spam.

http://www.postfix.org/SMTPD_ACCESS_README.html

Tnx for highlighting type error, I will fix it in the post.

Thanks a lot man.

I want to use it on production, so can we harden it for more spams filtering ?
I tried to send using aaaa@aaaa.com and it works, and don’t want it to work for this kind of emails.
Can you help on this please.

Thanks again.

This configuration seems ok, but I would say that you have problem with transport file or master.cf so check them if they are correct.

Master.cf can be pain in the ass, spaces and dashes matters there.

Kindly, could you review it please.
Thanks.

Actually there isn’t any configuration for exchange, because linux is acting as a gateway so it intercepts mail and deliver it to next hop, which is exchange.

Check which ip addresses you have for test domain, and it’s mx records, it could be a dns problem, because as I can see it from your logs postfix is not sending it further, it’s stopping them because it’s not able to reach domain.

I am asking this question because I am getting these logs:

Dec 5 17:41:19 smtp1 postfix/smtpd[4234]: connect from test-host[192.168.1.10]
Dec 5 17:41:19 smtp1 postfix/smtpd[4234]: 8316424600C7: client=test-host[192.168.1.10]
Dec 5 17:41:19 smtp1 postfix/cleanup[4238]: 8316424600C7: hold: header Received: from monitor-test.office.com (test-host [192.168.1.10])??by smtp1.office.com (Postfix) with ESMTPS id 8316424600C7??for ; Mon, 5 Dec from test-host[192.168.1.10]; from= to= proto=ESMTP helo=
Dec 5 17:41:19 smtp1 postfix/cleanup[4238]: 8316424600C7: message-id=
Dec 5 17:41:19 smtp1 postfix/smtpd[4234]: disconnect from test-host[192.168.1.10]
Dec 5 17:41:39 smtp1 postfix/qmgr[3725]: 34D0B24600A2: from=, size=908, nrcpt=1 (queue active)
Dec 5 17:41:39 smtp1 postfix/qmgr[3725]: warning: connect to transport private/smtp [192.168.2.20]: No such file or directory
Dec 5 17:41:39 smtp1 postfix/qmgr[3725]: 4BBBB24600A8: from=, size=908, nrcpt=1 (queue active)
Dec 5 17:41:39 smtp1 postfix/error[4240]: 34D0B24600A2: to=, relay=none, delay=8826, delays=8826/0/0/0, dsn=4.3.0, status=deferred (mail transport unavailable)
Dec 5 17:41:39 smtp1 postfix/error[4241]: 4BBBB24600A8: to=, relay=none, delay=8798, delays=8798/0.01/0/0, dsn=4.3.0, status=deferred (mail transport unavailable)
Dec 5 17:42:01 smtp1 update.virus.scanners: Found clamav installed
Dec 5 17:42:01 smtp1 update.virus.scanners: Running autoupdate for clamav
Dec 5 17:42:01 smtp1 ClamAV-autoupdate[4305]: ClamAV updater /usr/local/bin/freshclam cannot be run
Dec 5 17:42:01 smtp1 update.virus.scanners: Found generic installed
Dec 5 17:42:01 smtp1 update.virus.scanners: Running autoupdate for generic

Client sending email is 192.168.1.10 (root@monitor-test.office.com) and destination email address is test-user@office.com and exchange server is 192.168.2.20

Thanks for your help.

I am consistently receiving this error even though I am the only person logged onto the machine and have checked & stop/started the Task Scheduler services on all nodes.

This is not made easier by having an existing 2n cluster (A/P) to which a third node (A) is being added to run a second instance (because the business wants to piggyback an application on an existing cluster rather than set up its own).

output alert_syslog: host=10.1.1.254:514, LOG_AUTH LOG_ALERT
output alert_fast : alerts.ids

I am using AlertMail and interneting thing is Test Messge works but it doesnt send realtime so something needs to be activated.
Below is the service paramerters I am running:

Snort is currently configured to run as a Windows service using the following
command-line parameters:

-c C:\Snort\etc\snort.conf -l C:\Snort\log -s -k all -i3

Please advice if I am missing anything.
Many thanks

You have enabled client authentication for relaying somewhere. You need to add internal ip addresses to config as permitted ones which are not requiring client authentication.

to=, relay=192.168.105.31[192.168.105.31]:25, delay=11, delays=5.9/0/0/5, dsn=5.7.1, status=bounced (host 192.168.105.31[192.168.105.31] said: 530 5.7.1 Client was not authenticated (in reply to MAIL FROM command)
why is so ?

I didn’t try to set it up on Windows so I’m not of big help there but I would try to run it with -v (verbose) to see what does it say and on what part of system is it complaining.

Also check if you can set it somehow to create debug log, usually there are several types of logging, informational, warn, debug, etc. where debug is the one that gives the most informations about everything.

Try something like this and let me know if I can “help” you more.

Kind regards
Amar

Thanks for the *very* comprehensive write-up on SpamAssassin for Windows.

I am trying to get SpamAssassin working on an SBS2003 server.

I have followed the instructions of David Stephens at:

http://www.davidstephens.co.uk/category/windows/

However, he makes no mention of installing ActivePerl, or compilation.

My SpamAssassin does appear to be partly working, but I am getting errors in the logs such as:

10/16/2011 12:01:35 AM: SpamAssassin: C:\ESA\SPAMC-SPAMD.BAT -d 127.0.0.1 -u spamd “C:\ESA\NEW\msg111016000135_95EEA.out”
10/16/2011 12:01:35 AM: SpamAssassin result: 64
10/16/2011 12:01:35 AM: Checking for PERL in Path…
10/16/2011 12:01:35 AM: *** ERROR – OUT File is blank: C:\ESA\NEW\msg111016000135_95EEA.out
10/16/2011 12:01:35 AM: *** ERROR – Logging Major Error: ’32′. Err: 53 – OUT File is blank

However, I note that there is at least one spam message in C:\ESA\Spam:

msg111016164107_D7C10.out

Inspection shows it to be spam.

Where am I going wrong? I apologise for bothering you, as you must be very busy.

Any help greatfully received.

Yours sincerely,

John Langley.

anything please

David

Try to start command prompt as administrator, then you will have more privileges.

You can try to start snort from command prompt just to see if it is capturing anything with command snort -v. In case of error with winpcap you will see directly which error you have. Also you can try running snort -W if you have more than one network interface and then if that is the case run snort with snort -v -i number_of_interface_that_you_got_with_command_before.

There are also command switches to start snort from command prompt and to display everything on console so you can check if it is working in real time.

For example you will have different kind of entries but with priority 1, 2 or 3, where that mean high, moderate or informational priority.

When you detect something with high priority then you can with that software do actions based on alert, I’m using Manage Engine Log Analyzer (which is free up to 5 servers) to manage actions based on log entries.

P.S. After installation you will need to download the latest ruleset for Snort and to apply them as well.