[TriLUG] Strange postfix issue
    Douglas Ward
    binaryflow at gmail.com
    Tue Jan 10 14:02:34 EST 2006

I am trying to track down virus messages that are slipping through our
Mandrake/Postfix/MailScanner gateway server.  These messages are being
caught by our av scanner (GFI MailSecurity) that scans our Exchange
information store internally.  If I look at one of the lines in
/var/log/mail/info I see the following:

Jan 10 02:56:07 incoming postfix/smtpd[7835]: NOQUEUE: reject: RCPT from adsl-221-107-112.rmo.bellsouth.net[68.221.107.112]: 554 Service unavailable; Client host [68.221.107.112] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=68.221.107.112; from=<webmaster at nccumc.org> to=<dward at nccumc.org> proto=ESMTP helo=<nccumc.org>

Postfix says that it rejected the message and I do not see it being queued
for MailScanner to look at.  Regardless of what Postfix says it is doing, the
message still slips through.  It would appear that postfix is circumventing
the MailScanner queue as clamav/bitdefender do not catch it as a virus.  It
transmits to the Exchange server as a live virus.  All of the files in
question seem to have .htm, .html and .zip extensions.  I have blocked all
three extensions using mime-header-checks and verified that these file types
do not make it past the servers.  I can duplicate this with at least 50
messages spread across our end users.  I am hesitant to block this IP
address at the firewall as I am unsure of what it is.  I cannot, for example,
block a major Bellsouth e-mail gateway server.  Has anyone seen this
behavior with Postfix before?  Is this something new?  Any suggestions that
you could offer would be most appreciated.  Thanks!
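An added example (not part of Douglas's post) for the check the log line invites: a "NOQUEUE: reject: RCPT" entry means smtpd refused the recipient before anything was queued, so the question is whether the gateway ever assigned a queue id to mail from that client at all. The regexes, function names and the non-post sample lines below are my own; the first sample line is the one quoted above with the archive's " at " mask restored to "@".

```python
import re
from collections import defaultdict

# Layout of the "NOQUEUE: reject: RCPT from" line smtpd writes when it refuses a
# recipient before anything is queued (the line quoted in the post).
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=\S+ helo=<(?P<helo>[^>]*)>"
)
# Line smtpd writes when it does accept a message and assigns it a queue id.
ACCEPT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]{6,}): client=(?P<host>\S+)\[(?P<ip>[\d.]+)\]"
)

# Constructed sample: the first line is the one from the post (archive's " at "
# mask restored to "@"); the second is made up to show the accepted case.
SAMPLE_LOG = [
    "Jan 10 02:56:07 incoming postfix/smtpd[7835]: NOQUEUE: reject: RCPT from "
    "adsl-221-107-112.rmo.bellsouth.net[68.221.107.112]: 554 Service unavailable; "
    "Client host [68.221.107.112] blocked using sbl-xbl.spamhaus.org; "
    "http://www.spamhaus.org/query/bl?ip=68.221.107.112; from=<webmaster@nccumc.org> "
    "to=<dward@nccumc.org> proto=ESMTP helo=<nccumc.org>",
    "Jan 10 03:12:44 incoming postfix/smtpd[7902]: 8B1C3D4E5F: "
    "client=mail.example.net[192.0.2.10]",
]

def classify(lines):
    """Group smtpd activity by client IP: pre-queue rejects vs. accepted queue ids."""
    by_ip = defaultdict(lambda: {"rejects": [], "queued": []})
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            by_ip[m["ip"]]["rejects"].append(
                (m["code"], m["sender"], m["rcpt"], m["helo"]))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            by_ip[m["ip"]]["queued"].append(m["qid"])
    return dict(by_ip)

def queued_from(lines, ip):
    """Queue ids smtpd actually accepted from `ip`; empty means the gateway never
    handed that client's mail to the queue, and so never to MailScanner."""
    return classify(lines).get(ip, {}).get("queued", [])

if __name__ == "__main__":
    for ip, info in classify(SAMPLE_LOG).items():
        print(ip, "rejects:", len(info["rejects"]), "queued:", info["queued"])
```

Run over the real /var/log/mail/info: if the rejecting client shows only rejects and no queue ids, the gateway did not pass that message, so the copy reaching Exchange arrived by some other route (another MX host or a direct connection to the Exchange server) and that is where to look next.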