Sonic photolog

Friday, April 21

CentOS 7 with MailScanner failed to use Sophos SAVI

CentOS 7 with MailScanner failed to use Sophos SAVI.

My MailScanner doesn't work with SAVI mode (use less CPU resource), just work with Sophos mode (user more CPU resource).

I have complied the SAVI-Perl-0.30 and the after "make" the SAVI.so has been deployed to /usr/local/lib64/perl5/auto/SAVI/SAVI.so.

I set "Virus Scanners = sophossavi" in MailScanner.conf, let it make use SAVI module.
However I got the following error in maillog, keep saying "SAVI Perl module not found"

Apr 20 15:07:56 myserver MailScanner[5266]: MailScanner E-Mail Virus Scanner version 4.85.2 starting...
Apr 20 15:07:56 myserver MailScanner[5266]: Reading configuration file /etc/MailScanner/MailScanner.conf
Apr 20 15:07:56 myserver MailScanner[5266]: Reading configuration file /etc/MailScanner/conf.d/README
Apr 20 15:07:56 myserver MailScanner[5266]: Using SpamAssassin results cache
Apr 20 15:07:56 myserver MailScanner[5266]: Connected to SpamAssassin cache database
Apr 20 15:07:56 myserver MailScanner[5266]: Enabling SpamAssassin auto-whitelist functionality...
Apr 20 15:07:58 myserver MailScanner[5266]: SAVI Perl module not found, did you install it?

If I set "Virus Scanners = sophos" in MailScanner.conf, it works, but use a lot of CPU and performance is not good.

In the MailScanner.conf, seems no conf to tell the MailScanner where is the SAVI.so file.

Software:
CentOS 7.3 x64
sendmail 8.14 (build-in)
MailScanner 4.85.2
Sophos Antivirus for Linux 9.12.3
SAVI-Perl-0.30

Sophos related settings in MailScanner.conf
Virus Scanners = sophossavi
Sophos IDE Dir = /opt/sophos-av/lib/sav
Sophos Lib Dir = /opt/sophos-av/lib64
Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide

Solution:
It is because the service startup script don't have library path.

Edit /etc/sysconfig/MailScanner and add the following line will fix the issue.
export LD_LIBRARY_PATH=/opt/sophos-av/lib64

Wednesday, January 11

CentOS/RHEL 7, SELinux prevents MailScanner stop sendmail processes

I configured MailScanner work on Sendmail on CentOS 7, it work's fine with SELinux disabled.
SELinux prevented it work normally.
I used "cat /var/log/audit/audit.log | audit2allow -M fixfile" method to make it work with SELinux enabled.

However, with SELinux enabled I still got a little problem. When I stop the MailScanner service, the "sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue" process will keep running, until I kill it. With SELinux disabled/permissive, no problem, all sendmail process will stop when I stop MailScanner.
I tried to repeat the audit2allow method a few time, but still can't make the MailScanner kill all sendmail process while service stop.

[root@mta3 ~]# getenforce
Enforcing
[root@mta3 ~]# ps -ef|grep -i mail
root 5743 1 0 15:46 ? 00:00:00 sendmail: accepting connections
smmsp 5747 1 0 15:46 ? 00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
root 5751 1 0 15:46 ? 00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
root 5771 1 0 15:46 ? 00:00:00 MailScanner: master waiting for children, sleeping
root 5772 5771 4 15:46 ? 00:00:01 MailScanner: waiting for messages
root 5821 5771 6 15:46 ? 00:00:01 MailScanner: waiting for messages
root 5868 5771 7 15:46 ? 00:00:01 MailScanner: waiting for messages
root 5916 5771 11 15:47 ? 00:00:01 MailScanner: waiting for messages
root 5963 5771 20 15:47 ? 00:00:01 MailScanner: waiting for messages

[root@mta3 ~]# systemctl status MailScanner
● MailScanner.service - SYSV: MailScanner is an open-source E-Mail Gateway Virus Scanner.
Loaded: loaded (/etc/rc.d/init.d/MailScanner; bad; vendor preset: disabled)
Drop-In: /etc/systemd/system/MailScanner.service.d
└─custom_script.conf
Active: active (running) since Thu 2017-01-05 15:46:47 HKT; 13s ago
Docs: man:systemd-sysv-generator(8)
Process: 5697 ExecStop=/etc/rc.d/init.d/MailScanner stop (code=exited, status=0/SUCCESS)
Process: 5728 ExecStart=/etc/rc.d/init.d/MailScanner start (code=exited, status=0/SUCCESS)
Main PID: 5771 (MailScanner: st)
CGroup: /system.slice/MailScanner.service
├─5743 sendmail: accepting connections
├─5747 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
├─5751 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
├─5771 MailScanner: starting children
├─5772 MailScanner: waiting for messages
├─5821 MailScanner: waiting for messages
└─5868 MailScanner: waiting for messages

[root@mta3 ~]# systemctl stop MailScanner

[root@mta3 ~]# systemctl status MailScanner
● MailScanner.service - SYSV: MailScanner is an open-source E-Mail Gateway Virus Scanner.
Loaded: loaded (/etc/rc.d/init.d/MailScanner; bad; vendor preset: disabled)
Drop-In: /etc/systemd/system/MailScanner.service.d
└─custom_script.conf
Active: inactive (dead) since Thu 2017-01-05 15:47:44 HKT; 2min 45s ago
Docs: man:systemd-sysv-generator(8)
Process: 6018 ExecStop=/etc/rc.d/init.d/MailScanner stop (code=exited, status=0/SUCCESS)
Process: 5728 ExecStart=/etc/rc.d/init.d/MailScanner start (code=exited, status=0/SUCCESS)
Main PID: 5771 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/MailScanner.service
└─5747 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue

[root@mta3 ~]# ps -ef|grep -i mail
smmsp 5747 1 0 15:46 ? 00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue

Solution:
I located the issue finally.

In the stop section of /etc/init.d/MailScanner, it kills the process base on the PID in /var/run/*.pid.
The I found /var/run/sm-client.pid is blank if SELinux is enforced.

Then I checked the start section of /etc/init.d/MailScanner, it starts sm-client with the following commands:

touch /var/run/sm-client.pidchown smmsp:smmsp /var/run/sm-client.pid/usr/sbin/sendmail -L sm-msp-queue -Ac -q15m -OPidFile=/var/run/sm-client.pid

Open in new window

SELinux prevented the sendmail process to write the /var/run/sm-client.pid, I don't know why audit2allow can't fix this.
Then, I edit the /etc/init.d/MailScanner, added "restorecon /var/run/sm-client.pid" right after the chown command to fix correct the permission before sm-client start.

It works now.

Finally working codes in /etc/init.d/MailScanner:

touch /var/run/sm-client.pid
chown $MSPUSER:$MSPGROUP /var/run/sm-client.pid 2>/dev/null
restorecon $SMPID
$SENDMAIL -L sm-msp-queue -Ac -q15m -OPidFile=$SMPID 2>/dev/null

Friday, March 18

CentOS/RHEL 7 Mailscanner + sendmail, prevent systemd stop sendmail with stopms option

In CentOS 6 and previous versions, running "/etc/init.d/MailScanner stopms" will terminate MailScanner processes only, without stopping the sendmail processes.

However on CentOS 7, init was replaced by systemd. systemd would treat the MailScanner and sendmail process at one service, if you stopms or kill MailScanner, systemd will run "/etc/init.d/MailScanner stop" to stop the sendmail processes too.

Make the following changes to overcome this issue:
# mkdir /etc/systemd/system/MailScanner.service.d
create custom_script.conf with followings:
[Service]
RemainAfterExit=yes

# systemctl daemon-reload

Reference:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Managing_Services_with_systemd-Unit_Files.html#brid-Managing_Services_with_systemd-Overriding_Unit_Mod
http://www.unix.com/man-page/centos/5/systemd.service/

RemainAfterExit=
Takes a boolean value that specifies whether the service shall be considered active even when all its processes exited. Defaults to no.

Wednesday, January 20

銅鑼鵝頸

Monday, September 28

同好

Wednesday, September 23

從網絡審判行私刊，到網絡實名制

聯興行一事，從來法治精神，只有法律才可以去制裁罪犯。
你們認為法律無法去制裁犯罪的人，就自己躲在電腦後面對人家執行私刑。
女事主犯錯，你們也犯了跟她一樣的錯。同樣以為自己有權去審判和懲罰別人。

你們跟死亡筆記裡面個夜神月有什麼分別？自以為自己為了公義替天行道。
認為只要制裁犯罪的人，就能創造沒有犯罪的理想社會。實在是挑戰社會的法治精神。

香港有今日，真是可怕。濫用言論自由，於有一日會被收回。
韓國已經因為這樣，要推行網絡實名制(要用身份證登記網站)，看來香港都不遠已。
到時大家都要自我河蟹。

有關韓國網絡實名制：
http://www.google.com.hk/search?hl=zh-TW&safe=active&q=%E9%9F%93%E5%9C%8B+%E7%B6%B2%