Postfix virus filtering (SOLVED)

I've set up a postfix/dovecot email server, and what I really want to make is virus scanning for postfix.
I've tried the clamsmtp package from AUR; it did not work.
I'm open to any ideas.
It has been solved for a week. I will make a wiki page if somebody can point out to me how to make it.
Last edited by scar (2010-05-31 21:03:59)

Aug 11 11:52:25 hanna postfix/smtpd[13463]: fatal: incorrect version of Berkeley DB: compiled against 4.3.29, run-time linked against 4.4.20
The error is within that line. It was due to the fact that some libraries and such had been updated whilst postfix-mysql hadn't been recompiled to meet these new dependencies or whatever you want to call them. Simple as that, I just got the pkgbuild file for postfix-mysql and remade the package and voila, it works like a charm!

Similar Messages

  • Clamav running even though virus filtering is disabled

    greetings all,
    I am running an OS X Server 10.4.8 machine. I have virus filtering turned off, and with good reason - when it is on, there is a big performance hit. However, this afternoon clamav randomly clicked on, even though virus filtering is still disabled. I wasn't even working on the server - I only noticed because my monitoring software alerted me to the increased CPU usage. Any ideas as to what could have caused this behavior, and what I can do to reverse it?

    OK. This is due to how Apple's default configuration is set up.
    amavisd is the content filter and as such responsible for passing mail to spamassassin and/or clamav. On a standard installation, if you turn off virus scanning it will basically only turn off virus database updates, but amavisd will still call clamscan (without reporting anything back or taking any action).
    You have several options.
    1. Turn off content filtering altogether. Not a good idea as you would be buried in spam.
    2. Edit /etc/amavisd.conf and comment out (put a "#" in front of the lines)
    ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
    ['ClamAV-clamscan', 'clamscan',
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
    (May look slightly different on your system.)
    Restart after doing this.
    3. Re-enable virus scanning and find out why it is so heavy on your resources. A properly configured system shouldn't have any major issues (unless you have 100'000 mails a day on underpowered hardware). Make sure you have postfix reject as much rogue mail as possible, before it even hits the content filter.
    (There are plenty of threads on this around).
    Alex

  • [solved] Postfix smtp filtered to the outside world

    Hi,
    I set up postfix+dovecot successfully except postfix smtp. I can't connect to smtp from a remote network. nmap shows:
    25/tcp filtered smtp
    When I connect to VPN on the same VPS running postfix, everything works. What could be behind this other than iptables? (I don't have any rules relevant to this set)
    Last edited by Nezmer (2010-01-02 14:32:21)

    Fixed running smtps.

  • Win8 mac address filtering solved

    It seemed extreme torture to find out my Yoga MAC address with Win8, so I am posting the link that got me to it. It is a basic type of security filtering needed for some of us to connect to a wifi router, and I couldn't find it on this forum.
    http://wintelguy.com/2009/20090215_find_mac.html#LWindows8

    dumbth wrote:
    I knew number 3 but couldn't get Win 8 to give a cmd prompt without the explicit directions I posted. Number 2 didn't seem to work when there was no wifi connection to query, but maybe that was because I come from a one mouse button world. Someone who buys a Yoga tablet may have no Windows background, and getting past a MAC filter is the most basic obstacle which should be printed boldly in the get started guide.
    An easy way to get a command prompt is to right-click the lower left corner of the screen in desktop mode. The pop-up menu has options for regular and admin command prompts.
    Hope this helps.

  • Php & postfix mail problem [solved]

    Was having a battle with php mail() and it not wanting to send with postfix.
    Struggle ensued, and just as I thought I was beaten, a dancing sandwich showed me the light!
    this was in my php.ini file..
    sendmail_path = /usr/sbin/sendmail
    for postfix, this is what you need
    sendmail_path = /usr/sbin/sendmail -t -i
    And there was much rejoicing in the land.


  • Server Alerts reports "Virus Detected in inbound email" for spam

    I receive hundreds of emails every day saying that a virus was detected in inbound email. When checking the contents of /Library/Server/Mail/Data/scanner/quarantine these messages are only spam messages, not viruses. Virus infected messages seem to get placed in /Library/Server/Mail/Data/scanner/virusmails
    I am running on Mavericks Server 3.1.2 (1354517)
    serveradmin -v = Version 10.8 ($revision: 1.13 $ -- May 13 2014)
    Does anyone know how to tune the Server Alerting to properly handle the files in /Library/Server/Mail/Data/scanner so that virusmails are reported as viruses but quarantine is not reported?
    I have searched high and low, and cannot find where this is controlled.  With Mavericks, I no longer see Virus Alerts under the alerts management menu of Server.app
    I checked amavisd configs, as well as many other files under /Library/Server for any references to "quarantine" text, to no avail.
    I dumped all of serveradmin settings, and do not see anything that references quarantine except for the quarantine recipient addresses for spam and viruses.
    Is anyone else experiencing this, or does anyone know how to solve this?
    Thanks in advance.

    I received over 200 spam messages yesterday that got reported as viruses to me, and out of frustration, I discovered a workaround. I don't know if this is the result of a past update, or the steps I used trying to reset the server, but I performed the following and was able to suppress the email alerts. At the time of my original posting, the Alerts section of the Server.app did not offer any option for disabling the alerts for virus.
    1) Launch Server.app
    2) Select Mail in left pane
    3) Turn off Virus filtering
    4) stop/start Mail server
    5) Turn on Virus filtering
    6) stop/start Mail server
    7) Turn off Spam filtering
    8) stop/start Mail server
    9) Turn on Spam filtering
    10) stop/start Mail server
    11) Select Alerts in left pane
    12) clear all active alerts
    13) Under notifications tab, I now saw "Mail" as an option
    13.1) Turn off the alerts for Mail
    Now I don't get spammed with Virus alerts for spam messages. This is not a fix for the configuration error in the alerting service, but it does stop the admin mailboxes from being flooded with virus alerts for all spam messages. I cannot confirm if it was the enable/disable of the filtering that added the Mail entry under alert notifications or if it was an update, as I did not check the alerts notifications at the time. I was frustrated, and desperate for a fix, so I did the first thing that came to mind. But now my Mail system alerts can be enabled/disabled through server.app so I am happy. Let's just hope for a classification fix in the Yosemite update coming this fall.

  • Latest Server 2.2.2 Upgrade breaks Postfix config

    After installing Server 2.2.2, my SMTP stopped working.
    Looking at the SMTP log, I saw a series of:
    Oct  4 21:15:45 vanroodewierda.rna.nl postfix/master[29047]: fatal: bind 127.0.0.1 port 10025: Address already in use
    At port 25 there was no SMTP daemon listening.
    I looked at master.cf. I got the old one from my backup and ran a diff:
    bash-3.2# diff master.cf ~/Desktop/master.cf
    44c44
    <   -o content_filter=
    >   -o content_filter=smtp-amavis:[127.0.0.1]:10024
    Then, when I clicked "Edit Filtering Settings" and got out of that panel without changing anything, the same diff resulted in the files being reported identical (hey Apple, if I hit Cancel I expect nothing to change...)
    Anyway, after that, it works again.
    Does not make a very robust impression.

    The only way I could get my SMTP server to function after updating to Server 2.2.2 was to disable both virus filtering and spam filtering for my email. This seems like a big step backward. Has anyone had any luck getting SMTP to run with Amavis still part of the functioning email chain?

  • Norton anti-virus slows down the start up time in Windows Vista

    Hi,
    Please help, I am being driven to distraction by the slow start up time of my laptop.
    I've only had it for a few weeks and don't use it for anything beyond producing Word documents etc.
    It has gradually been getting slower on startup and I suspect it has something to do with the Norton anti-virus software on it and the updates for Norton that I have downloaded (thinking that this was the right thing to do).
    Looking at the problems and solutions log on the computer, the date that it really started to slow down coincides with downloading a Norton update, which I have been unable to uninstall to check if this really is the problem.
    Further, I have tried doing a System Restore, which my laptop was not able to complete.
    I am stuck on the DOS screen for 10 mins with the message:
    PXE-E32 FTFP open timeout
    I have no idea what this means but the Problems and Solutions log says something about a system hang?
    I have looked on the web for other anti-virus software and they all seem to have one problem or another and slow computers down on startup.
    Does anyone know of a solution or do I just have to make a cup of tea when I switch my computer on and lace it with vodka till it has booted up completely!
    I am a novice when it comes to using computers so would welcome any non-technical advice.
    thanks
    laura

    Hi guys
    I would like to add some words about my experience using the Symantec Norton Antivirus software.
    I have used this software for 3 years. It was great because it supports one of the best virus filtering options BUT it really slows down the operating system.
    I didn't use it on a notebook with Vista preinstalled but on Win XP, and I have to say that the notebook boot process was halted for about 30 sec to 1 min until all parts of the Norton Antivirus software had started. It was very annoying.
    However, I switched to AntiVir. This is software described by marina4000 and I'm really happy because the boot performance increased.
    So finally I would also recommend removing this Symantec Norton Antivirus software and switching to the other free AntiVir software ;)
    Bye

  • How come pc's get viruses and not macs?

    I'm thinking of either getting a MacBook or MacBook Pro, and moving away from PC (finallllyyyyy!!).
    And I was just wondering if someone could tell me how Macs don't seem to get viruses (as Apple claims) and PCs do.
    also what software does mac use for firewall, anti-virus and spyware? does it all come in pre-installed and ready to work?
    thanks.

    There are many reasons Macs don't get viruses, ranging from the kernel design to the user authentication required to install something. Ultimately, Mac OS X is a far more difficult target, not to mention Mac OS X also makes it very difficult to propagate viruses, which is just as important as the virus itself.
    also what software does mac use for firewall, anti-virus and spyware?
    The firewall is included and just needs activation. I don't personally use any anti-virus although I do have virus filtering on my mail server. If I did want anti-virus I'd use ClamAV. As for anti-spyware, don't need that.

  • Adobe flash virus?

    Yesterday morning I installed the Adobe Flash player thinking it was a routine update. I have done this many times before and I thought it was a safe site. Now my computer is saying it may have viruses and/or spyware. How can I remove the viruses or solve this issue? Can anyone offer me any advice?

    You may have installed one or more of the common types of ad-injection malware. Follow the instructions on this Apple Support page to remove it. It's been reported that some variants of the "VSearch" malware block access to the page. If that happens, start in safe mode by holding down the shift key at the startup chime, then try again.
    Back up all data before making any changes.
    One of the steps in the article is to remove malicious Safari extensions. Do the equivalent in the Chrome and Firefox browsers, if you use either of those. If Safari crashes on launch, skip that step and come back to it after you've done everything else.
    If you don't find any of the files or extensions listed, or if removing them doesn't stop the ad injection, ask for further instructions.
    Make sure you don't repeat the mistake that led you to install the malware. It may have come from an Internet cesspit such as "Softonic" or "CNET Download." Never visit either of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad would probably have included a large green button labeled "Download" or "Download Now" in white letters. The button is designed to confuse people who intend to download something else on the same page. If you ever download a file that isn't obviously what you expected, delete it immediately.
    Malware is also found on websites that traffic in pirated content such as video. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.
    In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere  should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
    Still in System Preferences, open the App Store or Software Update pane and check the box marked
              Install system data files and security updates (OS X 10.10 or later)
    or
              Download updates automatically (OS X 10.9 or earlier)
    if it's not already checked.

  • Want to use OSX server as virus/spam filter for existing mail server.

    I have communigate pro completely configured and running on an iMac. hundreds of accounts, all working perfectly. The bummer is that the spam/virus filtering of Communigate Pro is weak, and I'd like to try the one built into my Xserve.
    Right now I have the domain company.com, with two A records for mail.company.com (the communigate pro server) and xserve.company.com (the xserve). And right now the MX record for company.com points to mail.company.com.
    I'd like to switch the MX record for company.com so that it points to xserve.company.com (which I know how to do). The xserve would then reject/delete/catch the spam/viruses and then forward on the remaining "good" messages to mail.company.com. The company.com clients would still get their mail from mail.company.com via Pop/Imap/Webmail.
    Any and all help is truly appreciated!!!

    imho... you may be over-complicating your system and adding additional points of failure to your architecture if you go this route.
    Communigate Pro allows you to run both SpamAssassin 3 and Clamd (the main antivirus/antispam tools provided in OSX Server) very easily on your CGPro box.
    MPP Free gives you a nice gui for configuring them.
    http://www.versiontracker.com/dyn/moreinfo/macosx/26139
    Here's install directions I used to get it all working:
    http://www.triksys.com/clamav.htm
    hth,
    b.

  • Postfix sacl_check

    I am testing mail service on a Lion Server, and am currently seeing several entries related to sacl_check in mail.log.
    More specifically, if I send a message to an external email address (ie:  "[email protected]"), I see the following entries:
    Aug  5 12:23:26 testserver postfix/smtpd[56752]: sacl_check: mbr_user_name_to_uuid(foo) failed: No such file or directory
    Aug  5 12:23:26 testserver postfix/smtpd[56752]: sacl_check: mbr_user_name_to_uuid(@me.com) failed: No such file or directory
    Aug  5 12:23:26 testserver postfix/smtpd[56752]: sacl_check: mbr_user_name_to_uuid(foo) failed: No such file or directory
    Aug  5 12:23:26 testserver postfix/cleanup[56756]: sacl_check: mbr_user_name_to_uuid(foo) failed: No such file or directory
    Aug  5 12:23:26 testserver postfix/cleanup[56756]: sacl_check: mbr_user_name_to_uuid(@me.com) failed: No such file or directory
    Aug  5 12:23:27 testserver postfix/cleanup[56756]: sacl_check: mbr_user_name_to_uuid(foo) failed: No such file or directory
    Aug  5 12:23:27 testserver postfix/cleanup[56756]: sacl_check: mbr_user_name_to_uuid(@me.com.com) failed: No such file or directory
    The messages are being delivered successfully, but I don't understand these sacl_check messages from smtpd and cleanup. I've not seen them in versions of OS X server prior to Lion.
    Can anyone help?

    Thanks to those for giving the info above. It helped me find out what was going on. To add a bit to general knowledge on what I understand about postfix and mail addresses/users:
    Postfix uses at certain stages the $myorigin variable to add to addresses that have no @domain part attached. [1]. If you run a postfix server on a ML Server, that will normally work, because the default value for $myorigin is $myhostname and that $myhostname is normally where your network users (and local users) live (at least when you follow the default setup by Apple)
    But if you have configured postfix to use an alias when talking to the outside world, e.g. (default pattern by Apple Server.app setup)
    Your domain is server.foo.com
    Your server is called server.foo.com
    But your server uses an alias mail.foo.com ($myhostname) when talking to the outside world. As a result a name like bar will become [email protected] inside postfix at certain points.
    Your server, however, can only recognize the name without the @domain part or with the name of the server, so, for user bar, your server server.foo.com recognizes
    bar
    [email protected]
    but it does not recognize
    [email protected]
    and that leads to the sacl_check() error. (check with "dsmemberutil getuuid -U <user>") as explained by ckillian above
    When you empty $local_alias_maps, you in fact tell postfix it should not check if a local user exists at all, as this will be done downstream. That works to prevent the sacl_check() error, but it also stops postfix from filtering a lot of mail (spam) that is directed at non-existing users.
    So, the only true solution for the local part (I haven't looked into anything with aliases that translate to an external address yet) seems to be to set $myorigin to the hostname of the server (but beware!, see below)
    sudo serveradmin settings mail:postfix:myorigin = server.foo.com
    Note: if you set up ML Server and you choose a domain name, this becomes both the name of the machine and the name of the domain. E.g.
    Your domain is server.foo.com
    Your server is called server.foo.com
    I prefer to have those separated, so I have set up my domain as foo.com. That means that after ML setup is complete I need to change the machine name to server.foo.com. That affects the validity of your setup, so you have to run the following command after having done the basic setup:
    sudo changeip 192.168.x.x 192.168.x.x foo.com server.foo.com
    Where 192.168.x.x should be replaced by the IP address of your server (a local address, assuming your server is behind a NAT router). That leads to:
    Your domain is foo.com (also in DNS, you cover all of the foo.com domain in your own DNS)
    Your server is called server.foo.com
    That means that using $mydomain for $myorigin does not work anymore, because the server does not recognize [email protected], it only recognizes bar and [email protected]. So, you set the $myorigin to server.foo.com.
    BUT THERE IS A NASTY CATCH: if bar is rewritten to [email protected], postfix does not know yet that server.foo.com is a local destination. So, it happily sends the mail for [email protected] to your outside relay (if you're lucky to have one) or to your own mail server, creating an endless loop (if your luck runs out). The solution is to add $myorigin to $mydestinations.
    serveradmin won't let you change $mydestinations. Even with a simple argument it crashes:
    $ sudo serveradmin settings mail:postfix:mydestination = 'localhost'
    2013-04-06 12:50:47.913 serveradmin[22575:707] -[__NSCFString objectEnumerator]: unrecognized selector sent to instance 0x7fb92a41e3b0
    2013-04-06 12:50:47.914 serveradmin[22575:707] Exception in doCommand for module servermgr_mail on thread 0x7fb92a40c700: -[__NSCFString objectEnumerator]: unrecognized selector sent to instance 0x7fb92a41e3b0
    (seems a bug) so you need to edit /Library/Server/Mail/Config/postfix/main.cf by hand and make sure $myorigin is added to $mydestinations.
    [1] If you use canonical names, e.g. user jonsmith inside becomes [email protected] on the outside, you also have aliases that do the reverse: [email protected] becomes jonsmith. But that latter name may get $myorigin added by postfix. If your aliases are all FQDNs in the form of [email protected] this will not happen, but that is a bad solution (you won't catch all uses and it is hard to keep consistent).
    [2] http://www.postfix.org/LOCAL_RECIPIENT_README.html
    PS. I haven't tested a solution where you make $myorigin empty. It can work, but you need to have a canonical for all users, another consistency nightmare. The easiest solution would be if my Open Directory domain server.foo.com would accept mail.foo.com as an alias for password checking, uuid.
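
A check for the catch described in the post above, added here as an example and not part of the original thread: it parses a main.cf, expands `$name` references, and reports whether the expanded `myorigin` is listed in `mydestination`. The sample file is constructed from the post's server.foo.com / mail.foo.com names; lookup-table entries in `mydestination` are reported but not resolved, and the `mydomain` fallback is an approximation of Postfix's default.

```python
import re
import socket

# Postfix's documented built-in defaults for the two parameters checked here.
DEFAULTS = {
    "myorigin": "$myhostname",
    "mydestination": "$myhostname, localhost.$mydomain, localhost",
}

# Constructed sample, not taken from the thread: the server answers to the
# outside world as mail.foo.com, and myorigin was changed to server.foo.com.
SAMPLE_MAIN_CF = """\
# constructed sample main.cf
myhostname = mail.foo.com
mydomain = foo.com
myorigin = server.foo.com
mydestination = $myhostname, localhost.$mydomain,
    localhost
"""

# Same file with the post's fix appended; a later definition overrides an
# earlier one.
FIXED_MAIN_CF = SAMPLE_MAIN_CF + (
    "mydestination = $myhostname, localhost.$mydomain, localhost, $myorigin\n"
)

# $name, ${name} and $(name) references; conditional forms are not handled.
_VAR = re.compile(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))")


def parse_main_cf(text):
    """Return {name: raw value}; lines starting with whitespace continue
    the previous parameter, '#' lines and blank lines are ignored."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Recursively substitute parameter references in value."""
    if depth > 20:
        raise ValueError("parameter references nest too deeply (loop?)")

    def repl(match):
        name = match.group(1) or match.group(2) or match.group(3)
        return expand(params.get(name, ""), params, depth + 1)

    return _VAR.sub(repl, value)


def check_origin_is_local(text):
    """Return (origin, domains, tables, ok); ok is True when the expanded
    myorigin appears among the literal domains in mydestination."""
    params = {**DEFAULTS, **parse_main_cf(text)}
    params.setdefault("myhostname", socket.getfqdn())
    host = expand(params["myhostname"], params)
    # Assumption: approximate the default mydomain as the hostname minus
    # its first label.
    params.setdefault("mydomain", host.partition(".")[2] or host)
    origin = expand(params["myorigin"], params).lower()
    expanded = expand(params["mydestination"], params)
    entries = [e for e in re.split(r"[,\s]+", expanded) if e]
    # type:table and /file/name entries need a lookup; list them separately.
    tables = [e for e in entries if ":" in e or e.startswith("/")]
    domains = [e.lower() for e in entries if e not in tables]
    return origin, domains, tables, origin in domains


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_MAIN_CF), ("after", FIXED_MAIN_CF)):
        origin, domains, tables, ok = check_origin_is_local(text)
        print(f"{label}: myorigin={origin} in mydestination: {ok} {domains}")
```

A False result on a live main.cf means mail rewritten to the `myorigin` domain is treated as non-local, which is the relay or loop case the post warns about.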

  • How do I stop the "virus has been detected" emails?

    I am running OS X Server 10.8.2. The Mail Server frequently sends me "A virus has been detected" emails. I want to stop these emails entirely, because the emails are being screened out by my spam filter anyway.
    I turned off mail virus filtering in the Server app, but that hasn't changed this; I still get the alert emails.
    How do I stop my OS X Server from sending me these virus alert emails?

    In the Server app go to the Delivery tab in the Alerts section. Under settings you can turn off the Virus detected alerts.

  • Can you give me an example of using blacklist from in mail settings to block unwanted mail?

    I want to use serveradmin settings mail command line to set a list of domains/servers I do not want to receive emails from. Can you give me an example on how to set this in ML server?
    I managed to set the domains using the command line serveradmin but it is not working. This is a list of domains I have set so far:
    mail:postfix:blacklist_from:_array_index:0 = "bounces.servidordeenvio.com"
    mail:postfix:blacklist_from:_array_index:1 = "reiserver50.info"
    mail:postfix:blacklist_from:_array_index:2 = "vps5.central-adworks.com.br"
    mail:postfix:blacklist_from:_array_index:3 = "emailTrocar.com.br"
    mail:postfix:blacklist_from:_array_index:4 = "geeklemail21.com.br"
    mail:postfix:blacklist_from:_array_index:5 = "produtosnotaveis.org"
    But I still keep receiving emails from those domains with virus (which are intercepted by the virus filtering) and receiving alert messages from the server app suggesting me to include these domains in a blacklist.
    Thanks for your help..

    Thank you.
    I tried it out and it did not work either, but I finally found a way to add multiple entries. I read on the serveradmin man page that if you have multiple values you would be better off using a file for input.
    I did create a plain file with as many as needed entries:
    mail:postfix:blacklist_from:_array_index:0 = "*@xxx.com"
    mail:postfix:blacklist_from:_array_index:1 = "*@xxxx.com"
    saved as blacklist then I issued the command:
    sudo serveradmin settings < blacklist
    This solved the setting of multiple values. I will monitor if it will really block the spam from the locations.
    Thanks again for your help and interest.

  • How much CPU resource takes ClamAV ?

    I deal with an interesting issue on a newly set up xServe G5 2.0 GHz, 1 GB RAM:
    When enabling virus filtering, the CPU performance goes down, or should I better say "up" to a usage rate between typically 70 % and 90+%.
    Running the command "top" at the terminal reveals that it is the ClamAV process taking all those resources.
    I cannot imagine that this is normal behavior. So maybe someone has advice how I can keep enable virus checking but not dealing with performance issues (there is currently just one single testing website and low web traffic only).
    My first idea was that unless SpamAssassin filters mails more accurate (it is currently learning - we run it now effectively since about one day), all incoming mail gets checked against viruses.
    But in my mind even this should not take over 80% of the CPU. On our old server we had around 500 incoming mails per day, where 90 % were considered spam.

    > (1) "mails intended for one our domains we host"
    > (2) "mails that going to one of our domains, but to an non-existing inbox"
    > (3) "mail abusers trying to use the SMTP as a open relay"
    > I sometimes feel that the virus checks are done for each mail type, also for (2) and (3).
    You are correct. On a default installation all mail will be checked.
    This can be optimized, but requires command line interaction.
    For example:
    (2) can be avoided by using postfix style virtual aliases and following my tutorial about rejecting mail for unknown users before the content filter (http://osx.topicdesk.com/downloads/)
    (3) can be optimized by adding better smtpd_client_restrictions and smtpd_recipient_restrictions (see: http://www.postfix.org/postconf.5.html)
    > So for example my mail queue is full of entries that have recipients never on my server (domains/e-mail addresses).
    If these are in your queue and you are not an open relay then your server or a client have been compromised from the inside. Either by a script or code injection or whatever... Could even have happened before you "locked down" your server. If you delete your queue and it happens again, you have an "internal" problem.
    > However since my "open-smtp-relay" tests I performed on various websites found on the Web lead me that my server isn't an open SMTP relay. You may try it for yourself - sent mails via starenterprise.com or its IP 194.77.100.91 - it hopefully should decline
    Yes, your server is not an open relay. Which still doesn't mean that a script or compromised client from inside your network can't send rogue mail.
    > What are your experiences ? How does ClamAV perform
    ClamAV performs very well. On a high volume system I'd use clamd, otherwise clamscan is fine.
    To give you an idea. One of my clients runs a mail server on a PowerMac G4 500MHz DP with 1GB of RAM. Not particularly fancy software. Today it processed 18'000 emails, rejected 7000 spam mails, rejected 1000 virus mails, and about 1000 unknown recipients. Once a week they send a newsletter to their subscribers, where the server averages about 3000 messages/minute. Still, the CPU is bored stiff.
    As a general word of advice and no offense meant: You seem to be tackling too many things at once. Try and solve your issues step by step. Next think about your priorities and do one change after the other.
    HTH,
    Alex
