Hi,

When investigating our mail queue it seems we have quite a lot of mails which are stuck in transit...

What's happening is we're accepting the mail as the primary MX for the domain, but the user has set up forwarding to another account at another ISP, and they have an antivirus service on that other account. So we get the mail, spool it and try to forward it, but then we get a "550 Error: Suspected W32/MyDoom@MM virus" after DATA and our server freezes the mail.

Surely this is an incorrect way to do this, as there will be lots of similar MXs like ours backing this mail up? They should accept the mail and then bounce it?

Thoughts?

Steve
Stephen J. Wilcox [2/3/2004 7:28 PM] :
> What's happening is we're accepting the mail as the primary MX for the domain, but the user has set up forwarding to another account at another ISP, and they have an antivirus service on that other account. So we get the mail, spool it and try to forward it, but then we get a "550 Error: Suspected W32/MyDoom@MM virus" after DATA and our server freezes the mail.
> Surely this is an incorrect way to do this, as there will be lots of similar MXs like ours backing this mail up? They should accept the mail and then bounce it?

Don't bounce. Reject with 5xx during the SMTP transaction (immediately after the DATA stage). If you accept the mail and detect a virus later, trash it instead of generating a bounce.

If you don't want to set up antivirus, at least set up Exim (preferably with exiscan-acl) to reject mail with suspicious attachments.

You might want to try the exim-users list for some more on this.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
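The reject-at-DATA approach Suresh recommends, as an added Exim 4 / exiscan-acl configuration fragment (written for this page, not taken from the thread or from any participant's setup). The clamd socket path and the attachment extension list are assumptions; a forwarding MX configured this way never accepts the infected message, so there is nothing left over to freeze or bounce.

```exim
# Main section: scanner used by the "malware" ACL condition.
# Assumed local clamd socket; adjust to the real path.
av_scanner = clamd:/var/run/clamav/clamd.ctl

# Run this ACL after the client sends the message body (DATA stage).
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Infected message: "deny" answers with a permanent 5xx (550 by default),
  # so the sending MTA keeps responsibility and no bounce is created here.
  deny  message = This message contains malware ($malware_name)
        malware = *

  # Suspicious attachment types (assumed list): reject even without a
  # signature match, as exiscan-acl's demime condition allows.
  deny  message = Attachment type not accepted: $demime_reason
        demime  = exe:com:vbs:bat:pif:scr

  # Everything else is accepted and queued for delivery as normal.
  accept
```

The `deny` verdicts only apply while the SMTP session is still open; a message that is accepted and found infected afterwards should be discarded, as the post says, never returned to the envelope sender.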
On Tue, 3 Feb 2004, Suresh Ramasubramanian wrote:
> Stephen J. Wilcox [2/3/2004 7:28 PM] :
>> What's happening is we're accepting the mail as the primary MX for the domain, but the user has set up forwarding to another account at another ISP, and they have an antivirus service on that other account. So we get the mail, spool it and try to forward it, but then we get a "550 Error: Suspected W32/MyDoom@MM virus" after DATA and our server freezes the mail.
>> Surely this is an incorrect way to do this, as there will be lots of similar MXs like ours backing this mail up? They should accept the mail and then bounce it?
> Don't bounce. Reject with 5xx during the SMTP transaction (immediately after the DATA stage). If you accept the mail and detect a virus later, trash it instead of generating a bounce.

Ok, I just realised what I'm doing here: 550 is a permanent fail, and at this point, as I am holding the mail on my server, I should decide to return it to the sender. This isn't actually what's filling my queue; the reason I have some of these with 550 codes in the queue log is because they are bounces, which means we handle them differently to normal mails and don't immediately fail them.

I'd mixed up permanent and temporary, but thanks to RFC 821 I've resolved my confusion!

Steve

> If you don't want to set up antivirus, at least set up Exim (preferably with exiscan-acl) to reject mail with suspicious attachments.
> You might want to try the exim-users list for some more on this.
Stephen J. Wilcox [2/3/2004 8:13 PM] :
> Ok, I just realised what I'm doing here: 550 is a permanent fail, and at this point, as I am holding the mail on my server, I should decide to return it to the sender. This isn't actually what's filling my queue; the reason I have some of these with 550 codes in the queue log is because they are bounces, which means we handle them differently to normal mails and don't immediately fail them.
> I'd mixed up permanent and temporary, but thanks to RFC 821 I've resolved my confusion!

To clean out all the frozen mail ...

exim -bpru|grep frozen|awk {'print $3'}|xargs exim -Mr

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
"Suresh" == Suresh Ramasubramanian <suresh@outblaze.com> writes:
Suresh> exim -bpru|grep frozen|awk {'print $3'}|xargs exim -Mr

Woops, missed an "m" at the end.

# exim -bpru|grep frozen|awk {'print $3'}|xargs exim -Mrm

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
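Steve's observation that the frozen entries are bounces, and Suresh's one-liner for clearing them, combined into an added triage script (written for this page, not posted by either of them). It reads an `exim -bpru` listing, separates frozen bounces (empty sender `<>`) from frozen ordinary mail, and prints the operator commands instead of running them; the queue listing, message IDs and addresses are constructed.

```sh
#!/bin/sh
# Constructed sample of `exim -bpru` output (not a real queue): one line per
# message with age, size, ID and sender, then indented recipient lines.
# Frozen messages carry "*** frozen ***" after the sender.
SAMPLE_QUEUE=' 3h  1.2K 1AoXk1-0002Aa-Qw <> *** frozen ***
          user@example.net

25m   812 1AoXk2-0002Ab-Rx <sender@example.org>
          forward@example.com

 9h   54K 1AoXk3-0002Ac-Sy <other@example.org> *** frozen ***
          forward@example.com
'

# Read a queue listing on stdin and print the IDs of frozen messages.
# $1 selects "bounce" (sender <>), "mail" (a real sender) or "all".
frozen_ids() {
    awk -v kind="$1" '
        /\*\*\* frozen \*\*\*/ {
            if (kind == "all") print $3
            else if (kind == "bounce" && $4 == "<>") print $3
            else if (kind == "mail" && $4 != "<>") print $3
        }'
}

# Dry run: emit the commands as text. Frozen bounces cannot be returned to
# anyone, so they are removed (-Mrm); frozen real mail is thawed (-Mt) so the
# next queue run retries it once the operator has looked at why it froze.
plan() {
    printf '%s\n' "$SAMPLE_QUEUE" | frozen_ids bounce | sed 's/^/exim -Mrm /'
    printf '%s\n' "$SAMPLE_QUEUE" | frozen_ids mail   | sed 's/^/exim -Mt /'
}

plan
```

On a live system replace the sample with `exim -bpru | frozen_ids bounce` and drop the `sed` once the list looks right.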
Stephen J. Wilcox wrote:
> Hi, When investigating our mail queue it seems we have quite a lot of mails which are stuck in transit...
> What's happening is we're accepting the mail as the primary MX for the domain, but the user has set up forwarding to another account at another ISP, and they have an antivirus service on that other account. So we get the mail, spool it and try to forward it, but then we get a "550 Error: Suspected W32/MyDoom@MM virus" after DATA and our server freezes the mail.
> Surely this is an incorrect way to do this, as there will be lots of similar MXs like ours backing this mail up? They should accept the mail and then bounce it?

That's what I just wrote a patch into Postfix to do.... ( http://www.isux.com/projects/ if anyone is interested, uses libclamav )

This is the only way I can see the virus-laden mails should be dealt with - you certainly cannot return it to the sender, that is _most_ annoying, causes no end of users to call the support desk about being virus-laden when they haven't actually been infected etc...

/ Mat