Friday, April 21

CentOS 7 with MailScanner failed to use Sophos SAVI

My MailScanner does not work in SAVI mode (which uses less CPU), only in Sophos mode (which uses more CPU).

I compiled SAVI-Perl-0.30, and after "make" the SAVI.so was deployed to /usr/local/lib64/perl5/auto/SAVI/SAVI.so.

I set "Virus Scanners = sophossavi" in MailScanner.conf so that it uses the SAVI module.
However, I got the following error in maillog, which keeps saying "SAVI Perl module not found":

Apr 20 15:07:56 myserver MailScanner[5266]: MailScanner E-Mail Virus Scanner version 4.85.2 starting...
Apr 20 15:07:56 myserver MailScanner[5266]: Reading configuration file /etc/MailScanner/MailScanner.conf
Apr 20 15:07:56 myserver MailScanner[5266]: Reading configuration file /etc/MailScanner/conf.d/README
Apr 20 15:07:56 myserver MailScanner[5266]: Using SpamAssassin results cache
Apr 20 15:07:56 myserver MailScanner[5266]: Connected to SpamAssassin cache database
Apr 20 15:07:56 myserver MailScanner[5266]: Enabling SpamAssassin auto-whitelist functionality...
Apr 20 15:07:58 myserver MailScanner[5266]: SAVI Perl module not found, did you install it?

If I set "Virus Scanners = sophos" in MailScanner.conf it works, but it uses a lot of CPU and performance is poor.

In MailScanner.conf there seems to be no setting that tells MailScanner where the SAVI.so file is.

Software:
CentOS 7.3 x64
sendmail 8.14 (built-in)
MailScanner 4.85.2
Sophos Antivirus for Linux 9.12.3
SAVI-Perl-0.30

Sophos-related settings in MailScanner.conf:
Virus Scanners = sophossavi
Sophos IDE Dir = /opt/sophos-av/lib/sav
Sophos Lib Dir = /opt/sophos-av/lib64
Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide

Solution:
The cause is that the service startup script does not set the library path, so the SAVI module cannot find the Sophos libraries it links against.

Editing /etc/sysconfig/MailScanner and adding the following line fixes the issue:
export LD_LIBRARY_PATH=/opt/sophos-av/lib64
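As an added diagnostic (not from the original post), the shell functions below run ldd on the module with and without the Sophos library directory on LD_LIBRARY_PATH and list the dependencies that fail to resolve, which is the condition behind the "SAVI Perl module not found" message. The SAVI.so and /opt/sophos-av/lib64 paths are the ones from this post; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: diagnose why a Perl XS module such as
# SAVI.so fails to load. Perl reports the module as missing when the shared
# library it links against is not on the dynamic linker's search path.

# unresolved_libs: read `ldd` output on stdin and print each library the
# dynamic linker could not find (one per line). Prints nothing if all resolve.
unresolved_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# check_module_libs SO_FILE LIB_DIR
#   Runs ldd on SO_FILE twice, without and with LIB_DIR prepended to
#   LD_LIBRARY_PATH, and reports what the extra path fixes.
#   Returns 0 when every dependency resolves with LIB_DIR, 1 otherwise.
check_module_libs() {
    so=$1; libdir=$2
    before=$(ldd "$so" | unresolved_libs)
    after=$(LD_LIBRARY_PATH="$libdir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ldd "$so" | unresolved_libs)
    if [ -n "$before" ]; then
        echo "missing without LD_LIBRARY_PATH: $(echo "$before" | tr '\n' ' ')"
    fi
    if [ -n "$after" ]; then
        echo "still missing with LD_LIBRARY_PATH=$libdir: $(echo "$after" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "all dependencies of $so resolve with LD_LIBRARY_PATH=$libdir"
}

# Paths from the post; run on the MailScanner host:
#   check_module_libs /usr/local/lib64/perl5/auto/SAVI/SAVI.so /opt/sophos-av/lib64
```

If the second run still lists missing libraries, the exported LD_LIBRARY_PATH is pointing at the wrong directory; if the first run lists none, the failure is elsewhere (Perl @INC, for example).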

Wednesday, January 11

CentOS/RHEL 7, SELinux prevents MailScanner stop sendmail processes

I configured MailScanner to work with Sendmail on CentOS 7; it works fine with SELinux disabled.
With SELinux enforcing, it did not work normally.
I used the "cat /var/log/audit/audit.log | audit2allow -M fixfile" method to make it work with SELinux enabled.

However, with SELinux enabled I still had a small problem. When I stop the MailScanner service, the "sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue" process keeps running until I kill it. With SELinux disabled or permissive there is no problem: all sendmail processes stop when I stop MailScanner.
I repeated the audit2allow method a few times, but still could not make MailScanner kill all sendmail processes on service stop.

[root@mta3 ~]# getenforce
Enforcing
[root@mta3 ~]# ps -ef|grep -i mail
root      5743     1  0 15:46 ?        00:00:00 sendmail: accepting connections
smmsp     5747     1  0 15:46 ?        00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
root      5751     1  0 15:46 ?        00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
root      5771     1  0 15:46 ?        00:00:00 MailScanner: master waiting for children, sleeping
root      5772  5771  4 15:46 ?        00:00:01 MailScanner: waiting for messages
root      5821  5771  6 15:46 ?        00:00:01 MailScanner: waiting for messages
root      5868  5771  7 15:46 ?        00:00:01 MailScanner: waiting for messages
root      5916  5771 11 15:47 ?        00:00:01 MailScanner: waiting for messages
root      5963  5771 20 15:47 ?        00:00:01 MailScanner: waiting for messages

[root@mta3 ~]# systemctl status MailScanner
● MailScanner.service - SYSV: MailScanner is an open-source E-Mail Gateway Virus Scanner.
   Loaded: loaded (/etc/rc.d/init.d/MailScanner; bad; vendor preset: disabled)
  Drop-In: /etc/systemd/system/MailScanner.service.d
           └─custom_script.conf
   Active: active (running) since Thu 2017-01-05 15:46:47 HKT; 13s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 5697 ExecStop=/etc/rc.d/init.d/MailScanner stop (code=exited, status=0/SUCCESS)
  Process: 5728 ExecStart=/etc/rc.d/init.d/MailScanner start (code=exited, status=0/SUCCESS)
 Main PID: 5771 (MailScanner: st)
   CGroup: /system.slice/MailScanner.service
           ├─5743 sendmail: accepting connections
           ├─5747 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
           ├─5751 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
           ├─5771 MailScanner: starting children
           ├─5772 MailScanner: waiting for messages
           ├─5821 MailScanner: waiting for messages
           └─5868 MailScanner: waiting for messages

[root@mta3 ~]# systemctl stop MailScanner

[root@mta3 ~]# systemctl status MailScanner
● MailScanner.service - SYSV: MailScanner is an open-source E-Mail Gateway Virus Scanner.
   Loaded: loaded (/etc/rc.d/init.d/MailScanner; bad; vendor preset: disabled)
  Drop-In: /etc/systemd/system/MailScanner.service.d
           └─custom_script.conf
   Active: inactive (dead) since Thu 2017-01-05 15:47:44 HKT; 2min 45s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 6018 ExecStop=/etc/rc.d/init.d/MailScanner stop (code=exited, status=0/SUCCESS)
  Process: 5728 ExecStart=/etc/rc.d/init.d/MailScanner start (code=exited, status=0/SUCCESS)
 Main PID: 5771 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/MailScanner.service
           └─5747 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue

[root@mta3 ~]# ps -ef|grep -i mail
smmsp     5747     1  0 15:46 ?        00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue

Solution:
I finally located the issue.

In the stop section of /etc/init.d/MailScanner, processes are killed based on the PIDs in /var/run/*.pid.
I found that /var/run/sm-client.pid is blank when SELinux is enforcing.

Then I checked the start section of /etc/init.d/MailScanner; it starts sm-client with the following commands:

touch /var/run/sm-client.pid
chown smmsp:smmsp /var/run/sm-client.pid
/usr/sbin/sendmail -L sm-msp-queue -Ac -q15m -OPidFile=/var/run/sm-client.pid

SELinux prevented the sendmail process from writing /var/run/sm-client.pid; I don't know why audit2allow couldn't fix this.
So I edited /etc/init.d/MailScanner and added "restorecon /var/run/sm-client.pid" right after the chown command, to correct the file's SELinux context before sm-client starts.

It works now.

Finally, the working code in /etc/init.d/MailScanner:
touch /var/run/sm-client.pid
chown $MSPUSER:$MSPGROUP /var/run/sm-client.pid 2>/dev/null
restorecon $SMPID
$SENDMAIL -L sm-msp-queue -Ac -q15m -OPidFile=$SMPID 2>/dev/null
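Added example, not part of the post or the MailScanner init script: a small pid-file validator that an init script's stop section can call, so that a blank /var/run/sm-client.pid (the symptom above) is reported as an error instead of silently leaving the queue runner alive. Function names and return codes are my own assumptions; the pid-file path is the one from the post.

```shell
#!/bin/sh
# Added example (not from the post or the MailScanner init script):
# validate a /var/run/*.pid file before a stop section acts on it.
# The failure above was a blank /var/run/sm-client.pid under SELinux
# enforcing, which the stop section silently ignored.

# pid_from_file FILE
#   Prints the PID on stdout and returns 0 when FILE holds the PID of a
#   running process; otherwise prints a diagnostic on stderr and returns:
#     1  file missing   2  file blank or not numeric   3  no such process
pid_from_file() {
    pidfile=$1
    [ -f "$pidfile" ] || { echo "$pidfile: missing" >&2; return 1; }
    pid=$(tr -d ' \n\r\t' < "$pidfile")
    case $pid in
        ''|*[!0-9]*)
            echo "$pidfile: blank or not a PID (write denied by SELinux?)" >&2
            return 2 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "$pidfile: PID $pid not running" >&2; return 3; }
    echo "$pid"
}

# stop_by_pidfile FILE [SIGNAL]
#   Sends SIGNAL (default TERM) to the validated PID and propagates the
#   validation code, so the caller sees the blank-pidfile case rather
#   than a silent no-op.
stop_by_pidfile() {
    pid=$(pid_from_file "$1") || return $?
    kill -"${2:-TERM}" "$pid"
}

# Usage in a stop section (path from the post):
#   stop_by_pidfile /var/run/sm-client.pid || echo "sm-client not stopped" >&2
```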