Amavis filtering stops when logs stop?

Viewing 9 posts - 1 through 9 (of 9 total)
  • #367739
    wpd7
    Participant

    Since I am not getting anywhere on trying to find out what’s going on, here’s a call for help:

    We find that logging stops at 3.15AM daily as expected. Logging does not resume unless we stop/start the mail service or reboot. However, when logging stops, any filtering stops with it. Meaning I can see a flurry of SPAM coming in at the 3.15AM mark until I get in the morning and restart the service or reboot depending on my mood. 😥

    I have been told by a lot of people that if amavis goes down, mail is queued and will not be delivered. I find this not to be the case as mail is still being delivered, but upon log reset at 3.15AM, the new log is not started and amavis does not filter anything.

    As a stopgap measure, does anyone know how to schedule reboots, say at 3.20AM daily?

    Has anyone encountered the same issue where upon a log reset at 3.15AM, amavis gets neutered and stops looking at the messages? I know it’s still running since mail does not queue up.

    Any help is greatly appreciated. Due to this issue, we are getting on quite a few blacklists and it is very troublesome to get delisted.

    This is due to 2 issues:

    A lot of our users are forwarding all their emails from our domain address to their personal accounts (Yahoo, etc). This is fine if amavis is running correctly as SPAM is mitigated, but when it’s not, there’s trouble.

    A possible open relay situation, but I cannot find a hole anywhere that I know of.

    Help:!:

    #367745
    wpd7
    Participant

    I’ve added an additional script to run daily per:

    https://www.afp548.com/forum/viewtopic.php?forum=4&showtopic=10127

    Hopefully this will keep the logs running and I can see the issue.

    MacTroll, this issue happens daily, not weekly as it should if it were due to the rolling logs. Also, this only happens to the Junk Mail/Virus Scanning logs; all the other logs continue on as normal (IMAP, POP, etc).

    #367764
    TvE
    Participant

    [QUOTE][u]Quote by: MacTroll[/u]

    Happening daily at 3:15 is quite bizarre. You check your cron tab and the periodic scripts to see if something has been added?

    [/QUOTE]
    I have recently ALSO seen this behavior on several 10.4.x servers.

    E.g. one of the servers (running 10.4.7, also on November 26th) shows this:
    [code]-rw-r----- 1 clamav admin 0 Nov 26 03:15 amavis.log
    -rw-r----- 1 clamav admin 127513 Nov 26 02:47 amavis.log.0.gz
    -rw-r----- 1 clamav admin 71688 Nov 12 03:12 amavis.log.1.gz
    -rw-r----- 1 clamav admin 243525 Oct 22 03:15 amavis.log.2.gz
    -rw-r----- 1 clamav admin 3831502 Oct 8 03:15 amavis.log.3.gz
    -rw-r----- 1 clamav admin 2653546 Aug 27 03:14 amavis.log.4.gz[/code]

    So I think the problem was introduced with the 10.4.7 update.

    I have not yet applied the latest Security Update (that updates amavis) or 10.4.8… Those might change the problem!

    I also

    #367769
    wpd7
    Participant

    TvE- I was beginning to think that I’m the only one here…

    Unfortunately your theory about 10.4.8 is inaccurate- I am currently running 10.4.8! 😕

    I have been rebooting the machine daily as I come in – I find that’s the best way to get everything up and running again- stopping and starting the mail service is not reliable as most of the time it will not start up all the services correctly.

    #367770
    TvE
    Participant

    [QUOTE][u]Quote by: wpd7[/u]

    TvE- I was beginning to think that I’m the only one here…

    Unfortunately your theory about 10.4.8 is inaccurate- I am currently running 10.4.8! 😕 [/QUOTE]
    Theory not quite, but possibility yes 😉
    [QUOTE]I have been rebooting the machine daily as I come in – I find that’s the best way to get everything up and running again- stopping and starting the mail service is not reliable as most of the time it will not start up all the services correctly.

    [/QUOTE]
    Hmm – to me that indicates other problems that I (so far) have not seen at all on “my” servers.
    I would be digging my logs to see WHY I would be unable to have all the mailservice relaunched.
    What you’re doing at the moment is just massaging the symptoms, not trying to find (and eliminate) the cause of the problem…

    #367771
    wpd7
    Participant

    What I mean by not all services are restarting completely is that amavis is troublesome. Sometimes upon restarting the mail service, it will work flawlessly. Other times it may take several stop/starts to resolve half issues such as queueing due to amavis not restarted, slow mail delivery, slow DNS lookups for domain checks through amavis, etc.

    I find that a reboot is the best way as it will make sure everything comes back up and working as it should.

    Of course, tomorrow at 3.15AM, the same thing happens and amavis gets neutered again.

    I’m trying to find a relevant cause to the amavis issue since if I can remove what is stopping logging/neutering amavis at 3.15AM daily, the whole issue is pretty much resolved.

    Unfortunately, I am not very well versed in the underlying Mac OS under the GUI.

    Maybe you can answer this question for me. In the periodic/daily scripts, what does the number in front of the filename mean? I’m assuming these are times? If so, I am contemplating putting in a 320.daily-reboot file with a restart script for the time being to reduce our blacklist placement (due to SPAMS being forwarded) and also reduce our SPAM overall.

    If you can point out to me where I should be looking for possible malicious software or code, that would be greatly appreciated! :mrgreen:

    #367772
    TvE
    Participant

    [QUOTE][u]Quote by: wpd7[/u]

    In the periodic/daily scripts, what does the number in front of the filename mean? I’m assuming these are times? If so, I am contemplating putting in a 320.daily-reboot file with a restart script for the time being to reduce our blacklist placement (due to SPAMS being forwarded) and also reduce our SPAM overall.[/QUOTE]

    I doubt that it will be times, the time is controlled by CRON (or perhaps it’s now launchd) – I’d think that it’s there to generate the *order* that the scripts are executed in.
    Take a look at man periodic and you’ll see:

    “The periodic program will run each executable file in the directory or directories specified. If a file does not have the executable bit set, it is silently ignored”

    I think that (for the daily scripts) first the 100.… is executed, then the 500.…
    AND if you make your 320.x it’ll be executed in between the two

    [code]TvE-iMac24:~ tve$ ls -l /etc/periodic/daily/
    total 16
    -r-xr-xr-x 1 root wheel 1389 Jul 2 02:15 100.clean-logs
    -r-xr-xr-x 1 root wheel 3964 Jul 2 02:15 500.daily[/code]

    [QUOTE]If you can point out to me where I should be looking for possible malicious software or code, that would be greatly appreciated! :mrgreen:

    [/QUOTE]

    Hmm – take a look at http://FilthyCodersFilthyWebsiteWithBadCode.gone
    (or do you mean on your local drive ;-P)
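
An added example, not part of TvE's post or of Apple's scripts: a shell check of the behaviour quoted from man periodic above. It lists a periodic directory in execution order, marks files that would be silently skipped for lacking the executable bit, and flags scripts that group or other users can modify. The function name audit_periodic and its output labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a periodic directory such as /etc/periodic/daily.
# audit_periodic is a hypothetical helper name, not part of periodic itself.

# The body runs in a subshell so LC_ALL and the variables do not leak out.
audit_periodic() (
    LC_ALL=C; export LC_ALL      # plain byte order, so 100.* < 320.* < 500.*
    dir=$1
    # Glob results are sorted by name; the numeric prefix sets the sequence,
    # it is not a time of day.
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        if [ ! -x "$path" ]; then
            # A file without the executable bit is ignored without any message.
            echo "SKIPPED  $name (no executable bit, periodic ignores it silently)"
        elif [ -n "$(find "$path" \( -perm -020 -o -perm -002 \) -print)" ]; then
            # Group- or world-writable script in a directory that is run as root.
            echo "WRITABLE $name (group/other can modify a script that runs as root)"
        else
            echo "RUN      $name"
        fi
    done
)

# Optional stand-alone use: sh audit.sh /etc/periodic/daily
if [ "$#" -gt 0 ]; then
    audit_periodic "$1"
fi
```

A file reported as SKIPPED explains a script that never seems to run; a file reported as WRITABLE, or one that does not belong in the listing, is where to start when checking whether something has been added.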

    #367778
    TvE
    Participant

    As written from you on the OS X Server mailing list on November 30th:
    [quote]All in all, it’s a strange problem. I’ll see if the script I added to daily
    to restart the syslogd works to continue the logging then perhaps we can see
    what is affecting amavis.[/quote]

    What was the result of this?

    😉 TvE

    #367799
    twlynch
    Participant

    See these posts:

    https://www.afp548.com/index.php?topic=tips&page=4

    and this

    http://members.cox.net/18james/anacron-tiger.html

    There are a couple of errors in Apple’s scripts that cause problems.
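
An added example, not part of the thread: a shell check for the symptom in the amavis.log listing earlier on this page, where the live log stays empty or unwritten after the 03:15 rotation while mail keeps flowing. The function name log_stalled, its threshold argument and its exit codes are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report when a filter log has gone silent after rotation.
# log_stalled, its arguments and its exit codes are hypothetical.
#   exit 0 = log is being written, 1 = stalled, 2 = log file missing

log_stalled() {
    log=$1        # live log file, e.g. the amavis.log from the listing
    max_min=$2    # minutes of silence tolerated on a busy mail server

    if [ ! -e "$log" ]; then
        echo "MISSING $log"
        return 2
    fi

    # find prints the path only if the last write is older than the threshold.
    if [ -n "$(find "$log" -mmin +"$max_min" -print)" ]; then
        if [ ! -s "$log" ]; then
            # Zero bytes and old: rotation created the file, nothing wrote to it.
            echo "STALLED $log (empty for more than $max_min min)"
        else
            echo "STALLED $log (no writes for more than $max_min min)"
        fi
        return 1
    fi

    echo "OK $log"
    return 0
}

# Optional stand-alone use: sh logcheck.sh /path/to/amavis.log 30
if [ "$#" -eq 2 ]; then
    log_stalled "$1" "$2"
fi
```

Run from cron a while after the rotation time, a non-zero exit gives an alert that filtering has gone quiet instead of leaving it to be noticed from the spam that arrives overnight.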
