Most Asked Questions

Welcome to MailScanner’s Most Asked Questions.

This is the the most concentrated source of information about MailScanner and its related applications. See the Table of Contents on the right for quick access. You can also use the search tool; it does work .

You are strongly encouraged to read it until the end, whether you are a beginner or an advanced user. You will learn, that is sure.

I’ll keep this page up to date as much as I can, but since e-mail, spam, and viruses are evolving topics, you should keep on eye on the MailScanner Mailing List. You should at least subscribe to the announce list.

Being a MailScanner admin isn’t easy and you will have to read a lot to be able to understand how it works and how it can be used intelligently. It starts with being a good sysadmin and a good mail server admin, and then getting the knowledge about MailScanner. Reading this page is a good start. There are also some interesting links (the MailScanner Manual, in particular) on FSL’s site. By reading the Manual and this page, you have answers to 90% of the questions you’ll ever have about MailScanner, and you have tips you’d never thought of! Oh, and Buy the book – Americas or Europe – to support MailScanner’s development.

Thanks,

— Ugo Bellavance 2006/09/13 20:11

Use a ruleset. Here is a ruleset tutorial and a whole section dedicated to that in the faqs:

A Dual Xeon with 2 GB of RAM and 15K SCSI disks can process up to 1,4 million of messages/day (with optimizations). See the bottom of this page for a list of actual examples of configurations and respective throughput.

1. You should already be familiar with the task of setting up a mail server.
2. Take a look at this page for documentation/help.
3. Install and configure your MTA (Sendmail, Exim, Postfix, Qmail) correctly.
4. If you want a gateway, see docs regarding the mailertable or transport.
5. Telnet to it and see if you get the result you want.
6. Take a look at your MTA’s logs, if you’re not familiar with them already.
7. Download the MailScanner installation file and signature (url).
8. Test the file’s integrity with the signature.
   1. Get Julian’s key (only the first time):

      gpg --recv-keys --keyserver pgp.mit.edu 1415B654

   2. Verify the integrity:

      gpg --verify signature_file mailscanner_archive

9. Subscribe to MailScanner’s mailing list (if not already a subscriber). You can ask question to the list at any time, but I suggest you keep on reading this MAQ page until the end before doing so.

This is a quick & dirty guide to a standard, functional, but not optimized e-mail filtering server.

1. See guides on this site (depends on your setup/OS).
2. If RedHat 9 first see $LANG settings page. (Hopefully you are not using something this old)
3. Install anti-viruses and set MailScanner.conf accordingly: Virus Scanners = .
4. Install SpamAssassin.
5. In your /etc/MailScanner/MailScanner.conf, set Use SpamAssassin = yes and Debug SpamAssassin = yes.
6. Telnet into it to see if it works.
7. Look at your logs, start getting familiar with messages from MailScanner. By default, it logs to the mail facility.

Now your server should accept, process, and route messages properly. Time to set back and relax? Nah, not yet...

1. Read carefully the config file (MailScanner.conf) and define what settings you need to change to comply with your needs.
2. Test for spam and viruses.
3. Make sure everything is installed and configured to your best knowledge before testing.
4. Test mailscanner in debug mode frequently.
5. You can test Spamassassin using the command

   spamassassin -D --lint -p /path/to/your/prefs/file

   Newer MailScanner puts a symlink to the prefs, so you should be fine with doing

   spamassassin -D --lint

6. To test spam, make a gtube go through MailScanner.
7. To test the anti-virus, make the eicar test virus go through MailScanner.
8. To test your whole mail setup try GFI Email Security Testing Zone.
9. Determine which SpamAssassin plugins you want to install and install them.
10. See optimization tips below.
11. See FSL's support page, you’ll find many tools to help you.
12. Read the MailScanner Manual or, even better, buy the book – Americas or Europe – and support MailScanner’s development.
13. Ask questions on the mailing list if needed.

If you need to load-test your MailScanner server, a few ideas and scripts have been exchanged on the list. You can search the archives for “MailScanner load testing advice”, or ask Julian.

• Make a backup copy of your current MailScanner (Linux):

cp -a /etc/MailScanner /etc/MailScanner.$(date +%Y%m%d)
cp -a /usr/lib/MailScanner /usr/lib/MailScanner.$(date +%Y%m%d)
cp -a /usr/sbin/MailScanner /usr/sbin/MailScanner.$(date +%Y%m%d)

• Download the latest version
• Check the integrity (#9)
• untar the archive (tar xzf) X/
• cd into the created directory
• run the install script (./install)
• inspect the output for errors
• manage the .rmpnew files
• if everything went fine, run the command

upgrade_MailScanner_conf

and

upgrade_language_conf

It will explain you what to do.

Don’t forget to upgrade other components periodically as well (SA, DCC, Pyzor, Razor)

• Check for errors in your maillog after restarting (check_mailscanner to restart)

(Linux):

tail -f /var/log/maillog | grep MailScanner

• For downgrade (a backup as stated earlier is needed):

rpm -Uvh --oldpackage --replacefiles --replacepkgs mailscanner-<older-version>.rpm

Sometimes one wants to return to a known good version, which is actually quite simple to do... Provided you made a backup as shown above. Start by halting MailScanner (ex: service MailScanner stop), then

rm -rf /etc/MailScanner /usr/lib/MailScanner /usr/sbin/MailScanner
mv /etc/MailScanner.<the_date_you_backed_it_up> /etc/MailScanner
mv /usr/lib/MailScanner.<the_date_you_backed_it_up> /usr/lib/MailScanner
mv /usr/sbin/MailScanner.<the_date_you_backed_it_up> /usr/sbin/MailScanner

( Please Note: you have to type those commands, since they aren’t cut’n’pastable examples, in contrast to the backup above!)

When you’re done, just start MailScanner again (ex: service MailScanner start) and you should be fine. Note that this method doesn’t backup/restore some files in the mailscanner package (rpm), but they mainly doesn’t matter ... Either they do not change between versions (or not often, like the init script, or the check_MailScanner symlink), or they simply do not matter for the normal operation (upgrade_MailScanner_conf etc are only meaningful when moving to another version, and then a new one will be created for you).

Here is a complete backup and restore solution;

#!/bin/bash


# Fix the next few lines to point to the proper locations for your system
# and the date format you prefer
DATE=`date +%Y%m%d`
MSDIR=/etc/MailScanner
LIBDIR=/usr/lib/MailScanner
MSBIN=/usr/sbin/MailScanner
# Where to put the restore and cleanup scripts.
# Make sure it exists first.
USERDIR=/root
# Name the prefix of the scripts. They will be prefix-date.sh
REST_SCR=msrestore
DEL_SCR=msdelback

#------You shouldn't need to edit below here ------------

# Copy config, lib and binary 
cp -a $MSDIR $MSDIR.$DATE
cp -a $LIBDIR $LIBDIR.$DATE
cp -a $MSBIN $MSBIN.$DATE

# Create restore script and make executable
echo cp -a --remove-destination $MSDIR.$DATE $MSDIR > $USERDIR/$REST_SCR-$DATE.sh
echo cp -a --remove-destination $LIBDIR.$DATE $LIBDIR >> $USERDIR/$REST_SCR-$DATE.sh
echo cp -a --remove-destination $MSBIN.$DATE $MSBIN >> $USERDIR/$REST_SCR-$DATE.sh
chmod +x /root/$REST_SCR-$DATE.sh

# Create matching cleanup script for old backups and make it executable
# Cleanup script also removes itself and restore script
echo rm -fr $MSDIR.$DATE > $USERDIR/$DEL_SCR-$DATE.sh
echo rm -fr $LIBDIR.$DATE >> $USERDIR/$DEL_SCR-$DATE.sh
echo rm -fr $MSBIN.$DATE >> $USERDIR/$DEL_SCR-$DATE.sh
echo rm -fr $USERDIR/msrestore-$DATE.sh  >> $USERDIR/$DEL_SCR-$DATE.sh
echo rm -fr $USERDIR/msdelback-$DATE.sh  >> $USERDIR/$DEL_SCR-$DATE.sh


chmod +x $USERDIR/$DEL_SCR-$DATE.sh 

• Create a directory under /opt called mailscanner-installs and change to it

mkdir -p /opt/mailscanner-installs
cd /opt/mailscanner-installs

• Download the latest version to this new directory with something like wget

wget -c http://www.mailscanner.info/files/4/tar/MailScanner-install-4.70.7-1.tar.gz

• Check the integrity (#9)
• disable the check_mailscanner command in crontab with #. It should look something like this after changing it:

#3,23,43 * * * * /opt/MailScanner/bin/check_mailscanner

• Stop all running MailScanner processes by using the MailScanner init script or kill them manually (if you feel lucky):

service MailScanner stop

or

killall -9 MailScanner

• Make a backup copy of your current MailScanner (Linux) by moving the softlink in /opt like this (assuming your old version is 4.70.6-1):

mv /opt/MailScanner /opt/MailScanner_4.70.6-1

( Please Note: The reason for making a backup like this is if your break something, its quick to fix and get the old version back up and running in no time. Also note that the softlink has a _ (underscore) and not a - (hyphen) in the filename. You will see later why.!)

• untar the archive

tar -zxf MailScanner-install-4.70.7-1.tar.gz

• cd into the created directory

cd MailScanner-install-4.70.7

• run the install script (./install.sh)
• inspect the output for errors
• change directory to /opt/MailScanner/etc

cd /opt/MailScanner/etc

• upgrade your MailScanner.conf file by running the following command

../bin/upgrade_MailScanner_conf /opt/MailScanner_4.70.6-1/etc/MailScanner.conf /opt/MailScanner/etc/MailScanner.conf > MailScanner.new

• Verify that all the setting have sucessfully been migrated to the new MailScanner.conf file and configure any new features that have been added

vi MailScanner.new

• backup the original MailScanner.conf file so that you have something to reference back to if you break something

mv MailScanner.conf MailScanner.old

• move the MailScanner.new into place as MailScanner.conf

mv MailScanner.new MailScanner.conf

• change directory to reports/en (if your language is English)

cd /opt/MailScanner/etc/reports/en

• upgrade your languages.conf file by running the following command

../../../bin/upgrade_languages_conf /opt/MailScanner_4.70.6-1/etc/reports/en/languages.conf /opt/MailScanner/etc/reports/en/languages.conf > languages.new

• backup the original languages.conf file so that you have something to reference back to if you break something

mv languages.conf languages.old

• move the languages.new into place as languages.conf

mv languages.new languages.conf

• copy your customised .txt and .html files to the new installation

cp /opt/MailScanner_4.70.6-1/etc/reports/en/*.txt /opt/MailScanner/etc/reports/en/
cp /opt/MailScanner_4.70.6-1/etc/reports/en/*.html /opt/MailScanner/etc/reports/en/

• If using MailWatch, copy the SQLBlackWhiteList.pm and MailWatch.pm files to the new install like this:

cp /opt/MailScanner_4.70.6-1/lib/MailScanner/CustomFunctions/SQLBlackWhiteList.pm /opt/MailScanner/lib/MailScanner/CustomFunctions/
cp /opt/MailScanner_4.70.6-1/lib/MailScanner/CustomFunctions/MailWatch.pm /opt/MailScanner/lib/MailScanner/CustomFunctions/

• verify if there are any differences between your old spam.assassin.prefs.conf and the new one and update accordingly

diff /opt/MailScanner_4.70.6-1/etc/spam.assassin.prefs.conf /opt/MailScanner/etc/spam.assassin.prefs.conf

( Please Note: The original file will have the prefix < and the new file will have the prefix of >.!)

• That should be about all, then you can run the following command and monitor the log file for any errors:

/opt/MailScanner/bin/check_mailscanner; tail -f /var/log/maillog

• re-enable the cronjob if there are no errors in the log. An active MailScanner cronjob looks like this

3,23,43 * * * * /opt/MailScanner/bin/check_mailscanner

• If something breaks and you can’t find the problem, re-enabling the old system is as easy as executing the following commands (remember to kill all running MailScanner instances as described above before executing these commands)

cd /opt
mv MailScanner MailScanner_4.70.7-1
mv MailScanner_4.70.6-1 MailScanner

• now start the old system as usual.

— Craig Retief 2008/07/21 14:44

You can use MailScanner in a gateway mode that will accept e-mails from the internet, scan it for virus/spam, and then send it to your “unsupported” mail server, like Exchange, Domino, Groupwise.

For MailScanner + Sendmail in gateway mode: see here:

For MailScanner + Postfix in gateway mode: see here:

For MailScanner + Exim in gateway mode: see here:

Mail gateways (relay-only systems) are more effective when they can reject INVALID or UNKNOWN USERS at the MTA level instead of accepting the message. This way, MailScanner will not have to process them at all. There are several ways to make an MTA aware of INVALID USERS. Here are some clues, please let me know if you have more:

See these articles to learn hot to access LDAP or other directories to block e-mails to unknown/invalid recipients/users.

- Exchange + Sendmail? See that as well to accept mail only for valid Exchange users.

- Postfix with Exchange or Domino? See this (thanks to Pete).

It is a program that analyses e-mails to determine if they are spam or not. It works in 3 ways: 1- Header analysis 2- Text (body) analysis 3- Black lists (lists of mail servers known for sending spam) 4- (new) URL analysis in the body

It increases significantly the quantity of spam detected by MailScanner, when used. It uses some resources, but it is more than worth it. See this page for more details and tips.

Razor, Pyzor and DCC are the plugins for SpamAssassin

Simply said, they compute checksums/signatures of a message, and determine how many times this checksum (message) has been seen. If a message has been seen around 10,000 times, it is very likely to be a mass-mailing. They increase the SpamAssassin score accordingly.

See the documentation section,plugins or just the readme file inside the tarballs. Once you’ve installed them, SpamAssassin will detect their presence automatically and start using them. See the SpamAssassin troubleshooting section as well. debug

Don’t forget to set a cronjob that updates the server list.

 
Commands to update servers
Pyzor: pyzor discover (This command is less than desirable, as the default pyzor server usually times out.)
A better option for pyzor is to use the alternate pyzor server located at 82.94.255.100:24441 and not run pyzor discover.
Razor: razor-admin -discover
DCC: /var/dcc/libexec/updatedcc (updates the software as well) 
A weekly cronjob is usually often enough.

You may write SA rules for your needs. See this article for details. You can put additionnal rules in “/etc/spam.assassin.prefs.conf’ SpamAssassin rules writing How-To, or you can define a local rules directory in MailScanner.conf and put all your rules there. Don’t forget to test SpamAsssasin every time you add a rule. There is no need to restart MailScanner to tell it to use a new rule. New rules are effective the next time MailScanner scans a message batch.

Stop right there. MailScanner does not use spamd, spamc, or the spamassassin script directly. It calls the installed perl modules directly. Any spamassassin-related configuration is done in /etc/MailScanner/spam.assassin.prefs.conf, and only certain options are recognized. See here.

You should install Spamassassin from source or CPAN to avoid this kind of problems. Julian’s all in one tarball for Clam-AV and spamassassin is great for this! http://www.mailscanner.info/downloads.html

Bayes is a system included with SpamAssassin that learns as it sees messages go through it. If you set it on, it will learn automatically and start giving results when it has seen 200 spams and 200 hams (not-spams). You can also manually train it (see here ). The purpose is to have a spam filter that is customized for your organization.

Problem with bayes lock files? Read this. Bayes databases growing out of control? Read this.

The module bundled starting with MailScanner 4.50.4, could not be compiled successfully under the Solaris O.S. due to a lack in linking the rt library needed for symbol fdatasync.

If you have errors like this from “make test”

DBD-SQLite-1.11/blib/arch/auto/DBD/SQLite/SQLite.so: symbol fdatasync: referenced symbol not found at /opt/perl/lib/5.8.0/sun4-solaris/DynaLoader.pm line 229.

Then you should add “-lrt” to two lines in the generated Makefile for the package (perl Makefile.PL), as below (as an example)

LDDLFLAGS = -G -L/usr/local/lib -L/opt/gnu/lib -lrt

LDFLAGS = -L/usr/local/lib -L/opt/gnu/lib -lrt

then redo make and make test and finally, make install.

These special lists can be used for people to force MailScanner/Spamassassin to treat some messages as spam (Blacklist) or not spam (Whitelist).

• For whitelist: edit the spam.whitelist.rules from the rules directory following the format shown in the file.
• For blacklist: edit MailScanner.conf’s setting called: “Is Definitely Spam = " and set it to a file; create and edit this file following the usual format (see the ruleset tutorial if needed).
• Lists’ application precedence: whitelist wins against blacklist.

If you’re using sendmail 8.13, many new features are availabe to help control spam and prevent Denial of Service (DOS) Attacks. Please see:

http://www.technoids.org/dossed.html

This site’s contents:

1. Limiting the Rate of Incoming Connections

• The ratecontrol Feature
• The Connection Rate Throttle

2. Limiting Simultaneous Connections with the conncontrol Feature 3. Thwarting Dictionary Attacks

• Limiting the Number of Recipients per Message
• Reacting to “Bad” Recipients

4. Blocking Slammers with the greet_pause Feature

5. Other Ways to Protect Your Sendmail Server

6. Afterword

• Use RBL checks at different points. See this page.
  • RBL: a comprehensive list
  • RBL: a comparison of the lists
  • RBL: checking addresses against multiple lists
• Use Bayes
• Use special SpamAssassin rules, like the Rules Du Jour.
• (For gateway mode only) Configure your MTA to accept only messages for valid users on your Exchange/Domino/Name_It server. Guides
• Use MCP

There are many factors that define the quality level of an anti-virus, so it is hard to give one single answer:

• Time to create signatures when a new virus comes out. (Kaspersky is usually at the top of the list)

• Stability

• New features (Ex.: Kaspersky were once working on an OCR engine to see passwords in JPEG files).

• Number of viruses it can catch

• Performance (CPU hog?)

• Its price

Most of the people recommend using at least ClamAV and BitDefender, as they’re free, and one commercial engine. If you have a site licensed commercial scanner, you may be entitled to the commandline version also. Check your license agreement.

Note:
BitDefender is no longer free for any commercial use, but the last freeware version (7.1) can still be found if you search for it.
(Can you say Google?)
It is somewhat resource intensive, and who knows how long the new signatures will work with this version.

The benefit of having more than one AV engine, is that when one misses, there are still chances that the other will catch it.

This is done hourly by the script update_virus_scanners. Depending on your anti-virus. No need to do it yourself. Just check the update logs and test once in a while.

Make sure your work directory is pointing to the real path, not a symlink.

• Make sure you have enough ram (use the commands free, vmstat and top to see if you use swap or not. MailScanner can slow down terribly if it begins using swap.) Take into consideration the fact that RAM is probably the least of the concerns of Julian, he is more concerned in accuracy and performance. A process usually uses between 20 and 60 MB of RAM, but can use much more with additional spamassassin rules. Julian has recommended 1 GB per CPU core.
• Use a ramdisk (tmpfs) for MailScanner’s working directory.

There are a few quick steps that may be taken to improve performance.
These specific instructions are for Linux distributions only, but similar techniques may be used on other operations systems.
Using a tmpfs files system: MailScanner “unpacks” messages for scanning on /var/spool/MailScanner/incoming.
If your system has sufficient memory, mounting this directory on a tmpfs (in memory) file system will improve performance.
To setup this tmpfs, modify /etc/fstab to add the line:
none /var/spool/MailScanner/incoming tmpfs defaults 0 0
Be sure to add this line in the /etc/fstab below the point at which all of the other disk partitions are mounted and available.
Then as root, issue the command:

mount -a
Issuing the command:

mount
Should show that /var/spool/MailScanner/incoming is now mounted on the tmpfs.
No email will be lost if the system crashes. MailScanner never removes a message from the incoming mail
queue until it is fully written to the outgoing mail queue. If the system crashes, when MailScanner
restarts, it will find the “lost” messages in the incoming mail queue and process these messages normally.

* Solaris *
Add this line to /etc/vfstab:

swap    -       /var/spool/MailScanner/incoming    tmpfs   -       yes     -

It will be mounted during boot but you can mount it manually with "mount /var/spool/MailScanner/incoming" (or mount -a).

• Set the noatime flag on your spool and log partitions.
• Use a local DNS caching nameserver (On RedHat, you can usually just install the package named caching-nameserver and change your /etc/resolv.conf file accordingly (use 127.0.0.1 as primary DNS server).
• No syncs on logs
  • edit your syslog.conf file

     #mail.*   /var/log/maillog (commented out)
     mail.*   -/var/log/maillog (new line)

• Use DCC as a daemon:

The general MTA interface dccifd should usually be started before the mail transfer agent or MTA.
It should be enabled by setting DCCIFD_ENABLE=on in dcc_conf. It is also usually necessary to change
an /etc/rc script or configuration file to start and stop the daemon with the system.
The script /var/dcc/libexec/rcDCC should be installed, best with a symbolic link.
The daemon can be started manually with

        rcDCC start

• Tweak your # of max child processes. If you are low on ram, make sure you use the minimum # of child process. You don’t want your server to end up swapping, ever.
• For very, very large sites, you may think of running your own copy of RBLs, and servers for DCC, Pyzor and Razor.
• Consider dropping unknown recipient emails on the inbound MailScanner MTA with these techniques, this can drop the amount of inbound emails you are processing by dramatic amounts (66% or more).

• Run sa-update regularly

• think about running the compiled rules with re2c and sa-compile

• only run a couple of the RBL’s in SA, by default it runs everything and this can easily result in timeouts or FPs.

• 1GB ram per real CPU core (not hyperthreading) on the scanning machine (preferably dedicated to email scanning)

• local caching DNS server on the scanning machine (yes even if your DNS forwarder is 2ms away this still helps a lot for 99.9% of people).

• having a spam and ham area for people to drop corrections into for bayes (share imap area, forwarding won’t help as this breaks the headers).

• adding in DCC (it is free if you are not re-selling the service, but not enabled by default for this reason).

• Adding in iXhash plugin can provide improvements in spam detection as can the Sought ruleset.

• If running the bayes database in a file (DB_File) consider adding “bayes_learn_to_journal 1” to spam.assassin.prefs.conf to help with lock contention. This can really help with busy systems. If you are worried you might lose some bayes data, you can add a ‘sa-learn –sync’ to cron every hour or so to flush the journal to the DB.

• running bayes in SDBM format http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:bayes:sdbm&s=bayes is much faster normally

• Always add the SA info into email headers to see what the score and rule hits are ( helps with debug), in MailScanner.conf make sure the follow are set thus:

Spam Score Number Format = %5.2f

Detailed Spam Report = yes

Include Scores In SpamAssassin Report = yes

Always Include SpamAssassin Report = yes

Spam Score Number Format = %5.2f

See this section of the documentation section.

In short - MailScanner can’t. If a message is sent to multiple recipients and you want to accurately enforce MailScanner rules, i.e White and Black lists, for each recipent, you must split the message into individual messages, one for each recipient at the MTA level, before the message is inserted into MailScanner’s incoming mail queue.

IMPORTANT NOTE: Using this feature may increase load on your server by 10% to 30% since MailScanner must process more messages.

Currently this is documented for: Sendmail, Postfix

If you quarantine as queue files:

See release_quarantined_mail

1. Navigate to the directory of the offending message
2. Copy the qf- and df- file pair into the outgoing queue (usually /var/spool/mqueue)
3. Run mailq to make sure you’ve put your files into the correct directory (your outgoing queue)
4. If you see your message listed it’s time to tell sendmail to recheck the outgoing queue and send any messages that are there by typing sendmail -q

Here’s an example:

# cd /var/spool/MailScanner/quarantine/<date>/<message>
# cp * /var/spool/mqueue
# mailq
                /var/spool/mqueue (1 request)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
l7SN2mOP015471  1025684 Tue Aug 28 16:02 <sender@domain.com>
                                         <recipient1@domain.com>
                                         <recipient2@domain.com>
                Total requests: 1
# sendmail -q
# mailq
/var/spool/mqueue is empty
                Total requests: 0

If you don’t quarantine as queue files:

• Sendmail : sendmail -toi user@domain < messagefile

Check /etc/cron.daily/clean.quarantine OR /opt/Mailscanner/bin/cron/clean.quarantine.cron

set $disabled = 1; to $disabled = 0;

and set the $days_to_keep variable according to your needs.

There is something similar for the MailWatch database: trimming_db

Please search the related project’s mailing list before posting on the MailScanner’s mailing list. MailWatch has one, Vispan has a forum...

According to the Postfix developers, yes. However there are always two sides to any story. Before making your mind up, read the other side to the Postfix politics

• Regular tcp SMTP port (25) (of course...)
• Razor2 tcp ports 2703 and 7 (outgoing)
• Pyzor udp port 24441 (outgoing)
• DCC udp port 6277 (outgoing)
• Of course, DNS ports (outgoing)

This is normal if you are using more than one child process. The explanation is that when a MailScanner process scans the queue, it reports messages waiting in the queue. However, this number includes messages already being processed by other MailScanner processes. Here is a log sample: Mar 9 10:25:29 server MailScanner[16892]: New Batch: Found 2 messages waiting Mar 9 10:25:30 server MailScanner[16892]: New Batch: Scanning 1 messages, 20111 bytes Mar 9 10:25:30 server MailScanner[16892]: Spam Checks: Starting

What that means is that when this process scanned the queue, one message was already taken care of by another process. Messages always stay in the incoming queue until MailScanner’s process is completed. The message is copied to the working directory and deleted from the incoming queue only when it is in the outgoing queue. This way, no message is lost.

As stated by Julian: “It (double-scanning a message) actually causes only a very slight extra load, certainly nothing compared to extracting all the attachments from the messages in the first place. Remember that MailScanner only runs the virus scanners once for each batch of messages, not once per message.”

By the same token, you cannot use rulesets for virus scanners; it’s all or nothing.

Anything which is not delivered or forwarded is not virus scanned. Pretty simple, instead of not delivering, do a store to an alias pointing to /dev/null. Thanks to Phil and Kai :).

Current versions of MailScanner now have a setting to take care of this;
Set "Keep Spam And MCP Archive Clean = yes" in the MailScanner.conf file.

1. The easiest things first: RBL tests (basically just DNS lookups, hence the importance of a local caching nameserver)
2. Spamassassin tests (no need to extract attachments yet)
3. Now, more demanding tests: Virus testing is not very demanding by itself, once all the attachments are extracted and the virus scanner is loaded in memory, but it still has to do it (that is why MailScanner processes messages in batches). Please note that anything that is not delivered is not virus-scanned. This is also why MailScanner always scans a message with all configured virus scanners. The processing time needed to determine if a message is already considered as infected is longer than making it go through the next virus scanner.
4. More demanding: Attachment (file name/types) and HTML tests.

Added Dec 1st, 2005 (Taken from julian’s post to the list:

This old chestnut...

What is most of your mail? Spam. So what should you reject first? Spam.
Rejecting viruses first only reduces your mail by about 2%, leaving  
98% to be spam checked. Which makes virtually no difference to your  
load whatsoever.
Rejecting spam first reduces your mail by about 70%, leaving only 30%  
to be virus checked and all the other tests. Which makes considerably  
more difference.

That's all there is to it. Do tests in decreasing order of effect.

See this for thorough guidelines on help requests: How To Ask Questions The Smart Way

1. Do your homework: Search the archives, search the faq, search google before asking a question.

» Search archives here.

• Put all the details of the problems , not just “It doesn’t work”. Please include log samples if possible.
• Put all the details of your setup, unless completely unrelevant, including : OS, Hardware, installed software, mode (gateway or not), network setup.
• Tell us what you tried, what you tested, what you searched, and the results. This way, we won’t end up telling you “read the MailScanner.conf” file if you have already done so.
• Use a meaningful subject. If you change topics in a thread, change the subject line so that people who view the list as threads can better follow the ideas.
• Trim the post to the absolute minimum when you reply, and avoid top-posting.
• New topic? Use a new message. Don’t start from an existing thread and do a reply, it breaks threads.
• When your problem is solved and it has taken many posts to get an answer, please make a final post explaining clearly your problem and how it was solved. Put “SOLVED” in the subject.
• Put “OT:” if your message is off-topic.
• Please do not post in HTML, use plain-text only. –Set the “reply” to address to the list, not to yourself.
• Please do not include large attachments; it is better to post a link to your website so people can download it if they choose.
• You think you found something that can be useful for everyone? - Write a FAQ entry about it.

Why all those rules? Because everyone on the list is very busy and they deserve to not waste time with questions that could have been answered with a little effort of the asker. It helps them resolve your hid lights problem a lot faster as well. In my name and in every person who supports MailScanner through the Mailing list, I thank you for putting the effort of respecting those simple rules.

Please send comments on the list or at maq@mailscanner.info

Some basic steps to troubleshoot a problem. It should help you to give a more accurate report to the mailinglist in case the issue is not resolved with the steps below.

1. See if your MTA (exim, postfix, sendmail, ...) is running with “ps -ax”.
2. See if your MTA is listening on port 25 with “netstat -na”.
3. Check the logs of your MTA for any errors or odd lines.
4. Check your MTA configuration.
5. Check your MailScanner configuration.
   1. Are you using the configured MTA?
   2. Did you start the MTA from MailScanner and not stand-alone?
6. Check firewall rules and firewall logging.
   1. Run a packet capture “tcpdump -l port 25”
7. Check incoming queue. (Hold area for postfix)

1. See if your MailScanner is running.
2. Check the logs of MailScanner.
3. Check the MailScanner configuration.
4. Run “MailScanner --lint” and “MailScanner -V” and check the outputs for errors.
5. Check to see you have only one perl version.
6. Check to make sure all required perl modules are installed and available to perl in the proper paths.
7. Try to avoid RPM and CPAN installation of perl modules. It may work now but will cause you trouble if you upgrade your system.

1. See if your MTA is running.
2. Check the logs of your MTA.
3. Check your MTA configuration.
4. Check firewall rules and firewall logging

Hardware: Dual Opteron, 4Gb RAM, SCSI disk

Software: RedHat Enterprise Linux 4

Configuration: MailScanner 4.50 default setup with clamavmodule virus scanner, SpamAssassin, Razor, DCC, Sendmail

Hardware: 1 X Pentium II, 233MMX, 256 MB RAM, 4.3 SCSI HDD.

Software: Fedora Core 1, Sendmail+SPF-milter, Gateway mode, Spamassassin, Pyzor, DCC, Razor, MailWatch, Vispan, Mailscanner-MRTG

RBLs: None in MTA, None in MailScanner, All in SpamAssassin

Virus Scanners: ClamAV + BitDefender

Hardware : PIII 1.4GHZ, 1 GB Ram, Dual 80GB Raid 0 IDE

Software : FreeBSD 4.9, Sendmail, MailScanner, SpamAssassin, ClamAV

RBLs : SBL+XBL (MailScanner), SpamCop (SpamAssassin)

Virus Scanners: ClamAV

Average Load: Around 1-2

Hardware: 1 x P4-2.0Ghz, 1G RAM, 80G IDE

Software: RHES 3, Sendmail 8.12.x, SA, Razor, Pyzor, DCC

RBLs: MTA = spamcop, ordb, sbl-xbl.spamhaus

Virus Scanners: ClamAVmodule SophosSAVI

Average Load: Around 2-4

Hardware: 1 X Pentium, 200, 256 MB RAM, 4.3 SCSI HDD.

Software: Red Hat 9, Postfix 2.0.16, Gateway mode - All Mail forwarded to Lotus Domino, Spamassassin, Pyzor, DCC, MailWatch, Vispan, Mailscanner-MRTG, Caching Named,

RBLs: None in MTA, None in MailScanner, All in SpamAssassin

Virus Scanners: ClamAV

Hardware: 2 X Pentium, 200, 256 MB RAM, 4.3 SCSI HDD.

Software: Red Hat 9, Postfix 2.0.16, Gateway mode - All Mail forwarded to Lotus Domino, Spamassassin, Pyzor, DCC, MailWatch, Vispan, Mailscanner-MRTG, Caching Named

RBLs: None in MTA, None in MailScanner, All in SpamAssassin

Virus Scanners: ClamAV

Hardware: 1 X Pentium IV, 800MHz, 1G RAM, 40G miniIDE (Blade server)

Software: Mandrake 9.1, Sendmail using ‘LDAP routing’ to filter invalid

addresses so they don’t hit exchange, Spamassassin + bigevil, chickenpox etc.,

Pyzor, DCC, Razor, Vispan, Mailscanner-MRTG

RBLs: None in MTA, None in MailScanner, All in SpamAssassin; Also filtering some know virus subjects by name at MTA level

Virus Scanners: ClamAV

Average Load: Usually 0.5

Hardware: Sun Fire V210, 1 X UltraSPARC IIIi 1 GHz, 1 GB RAM, 2 X 36 GB U160 SCSI HDD (SVM mirror)

Software: Sun Solaris 9, Sendmail, Spamassassin, DCC, Vispan

RBLs: None in MTA, None in MailScanner, All in SpamAssassin

Virus Scanners: ClamAV

Hardware: 2x Dual Xeon 2.4Ghz, 1Gb Ram, 2x 36Gb U3 SCSI

3 x P3 1Ghz, 512Mb Ram, 2 x 36gb EIDE (fall back gateways)

Software: Redhat 9, Exim, Gateway mode, Spamassassin, Pyzor, DCC, Razor, MailWatch, Mailscanner-MRTG

RBLs: XBL+SBL and JANET MAPS+ in MTA, None in MailScanner, All in SpamAssassin

Average Load: Tops around 1.8, usually around 0.6-1

Hardware: 2 X Pentium III 933Mhz, 1.5 GB RAM, 2x 18 GB SCSI

Software: Tao Linux 1.0, Postfix 2.0.18, SpamAssassin 3.02, Razor, DCC

RBLs: XBL + SBL in MTA

Virus Scanners: ClamAV, Sophos

Average Load: around 0.7 to 1

Hardware: Dual Xeon P4 3Ghz, 1.5 GB RAM, 2 36GB SCSI Raid1

Software: RHEL AS V3, Sendmail, Spamassassin, DCC, MailScanner-MRTG

RBLs: All in MailScanner

Virus Scanners: F-Prot, McAfee, and ClamAV.

Average Load: Around 2.5

Hardware: Dual Xeon P4 2Ghz, 1.5 GB RAM, 2 36GB SCSI Raid1

Software: RHEL AS V3, Sendmail, Spamassassin, DCC, MailScanner-MRTG

RBLs: All in MailScanner

Virus Scanners: F-Prot, McAfee, and ClamAV.

Average Load: Around 4

Hardware: Dual Xeon P3 1.4Ghz, 1.25 GB RAM, 2 36GB SCSI Raid1

Software: RHEL AS V3, Sendmail, Spamassassin, DCC, MailScanner-MRTG

RBLs: All in MailScanner

Virus Scanners: F-Prot, McAfee, and ClamAV

Hardware: Sun E-4500, 8x 400 MHz, 2 GB RAM, 2×18 GB drives

Software: Solaris 9, Sendmail, Spamassassin, DCC, FireRBL (DNS solution for RBL’s)

RBLs: 11 in MTA, None in MailScanner

Virus Scanners: ClamAV and McAfee

Average Load: ~4

Average Load: Average of 12

Hardware: Dual Xeon 3.2Ghz, 2 GB RAM, 4x 18 GB RAID-1 (using an HP DL380 G3)

Software: Tao Linux 1.0, Postfix 2.0.18, SpamAssassin 3.02, Razor, DCC

RBLs: XBL + SBL in MailScanner

Virus Scanners: ClamAV, Sophos, BitDefender

Notes: This performance was achieved in the lab, using random message sizes between 1 and 100 Kb. Please see the List archives for 'System capacity'.

Hardware: Intel(R) Xeon(TM) CPU 3.06GHz x2, 6094.84 bogomips, 2 GB RAM

Software: Zmailer, Spamassassin, Rbldnsd

Virus Scanners: ClamAV