spamd failed email messages

[binkatl]

I'm receiving an email message about every 5 minutes from my server, indicating that spamd failed and a restart was attempted.

I have spamd turned off in the Service Manager, and Spamassasin turned off in the Tweak Settings menu. Why am I still receiving this message? I've tried restarting cPanel, also, but it hasn't helped.

Any ideas... thanks!

[dalem]

restart exim

[binkatl]

I was very hopeful that this would work, but it hasn't. I've already received 2 more emails since I restarted Exim... the problem still exists.

Any other thoughts?

[chirpy]

/bin/rm -fv /var/run/chkservd/spamd
/etc/init.d/chkservd restart

That should do it

[binkatl]

Thanks, Chirpy! That did the trick.

[station]

I've been having the same problem as binkatl, and before I dissable spamd and spamAssasin, I was hopeing someone might shed some light on this subject.
My questions are: is this over kill? have I duplicated a function here somewhere? With this setup what would be the most effective exim config? Should I deactivate something?
My objective is for all spam to die at the front door, and virus to bounce with a warning, plus leave the option of individual users to create their own black and white lists if desired.

Your suggestion chirpy to turn spamd off makes me wonder, what does it do? Is it integrated into spamassassin? I think there's alot of crossover dependences here and if I turn one off how does it effect the other pieces?

The following is my server set up for email:
WHM 9.9.9
Cpanel 9.9.9-S15
Fedora i686

Exim
Exiscan + Clam
Clamav
Clamd
spamd
spamAssasin

cpanel addon Modules:
pro- Version: 1.0rc8
spamdconf - Version: 0.3
clamavconnector - Version: 0.80-1.0RC1.2

cpanel config:
service manager, - spamd = enabled
tweak settings, - mail catch-all = fail
- spamassassin = enabled
- track origin = enabled

RSkin's Spam+Virus Protection for cPanel server using
Exim+Exiscan+ Clamav+RBL+ Spamassassin+SARE+ Razor+DCC anti spam tut

Vipul's Razor razor.sourceforge.net/ razor-agents-2.67 and razor-agents-sdk-2.03

Distributed Checksum Clearinghouse ( DCC )www.rhyolite.com/anti-spam/dcc/

SpamAssassin Rules Emporium (SARE) rulesemporium.com/

RulesDuJour www.exit0.us/index.php?pagename=RulesDuJour

Quote:

a bash script intended to automatically download new versions of SpamAssassin rules

For added info to anyone reading and trying to do the same, my whm/exim config /System filter file is: /usr/local/cpanel/base/eximacl/antivirusandspam.exim
and my whm/exim config editor/ advanced mode/ top window is:

Code:

av_scanner = clamd:/var/clamd

acl_smtp_connect = acl_check_host

acl_smtp_mail = acl_check_sender

domainlist rv_rbl_receiver_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_rbl_receiver_domain_whitelist
  
hostlist rv_rbl_server_ip_whitelist = net-iplsearch;/usr/local/cpanel/base/eximacl/rv_rbl_server_ip_whitelist
  
addresslist rv_rbl_sender_address_whitelist= lsearch*@;/usr/local/cpanel/base/eximacl/rv_rbl_sender_address_whitelist
  
addresslist rv_spam_sender_address_whitelist= lsearch*@;/usr/local/cpanel/base/eximacl/rv_spam_sender_address_whitelist

log_selector = +address_rewrite+all_parents+arguments+connection_reject+delay_delivery+delivery_size+
dnslist_defer+incoming_interface+incoming_port+lost_incoming_connection+queue_run+rec
eived_sender+received_recipients+retry_defer+sender_on_delivery+size_reject+skip_deliver
y+smtp_confirmation+smtp_connection+smtp_protocol_error+smtp_syntax_error+subject+tl
s_cipher+tls_peerdn

The log selector list gives me a complete readout when using the command tail -f /var/log/exim_mainlog

and begin acl window 1 is:

Code:

#!!# This ACL is used at the start of an incoming connection.
#!!# The tests are run in order until the connection is
#!!# either accepted or denied.
acl_check_host:

##
# Reject email sent from mail server IP listed in the blacklist
##
deny message = Host $sender_host_address is blocked
hosts = /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist
delay = 20s

accept

#!!# This ACL is used for the MAIL FROM: command in an
#!!# incoming SMTP transaction. The tests are run in order until the
#!!# sender address is either accepted or denied.
acl_check_sender:

##
# Reject email sent from sender listed in the blacklist
## 
deny message = Sender $sender_address is blocked
senders = /usr/local/cpanel/base/eximacl/rv_sender_address_blacklist
delay = 20s

accept

and window 2 is: (see next post)

If anyone adept at reading exim config files sees a blatant error or suggestions to improve the functionality of all this setup I'm all ears. in fact Im not so sure that I have this set up as well as I might like.

TIA , and have a great day!

[station]

Code:

#!!# ACL that is used after the RCPT command
check_recipient:
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :
# Always accept mail to postmaster & abuse for any local domain 

accept domains = +local_domains 
local_parts = postmaster:abuse 

### Reject email sent from server listed in DNS blacklists. ### 
deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text
!hosts = +relay_hosts
!authenticated = *
# RBL Bypass Local Domain List
!domains = +rv_rbl_receiver_domain_whitelist
# RBL Whitelist Incoming hosts
!hosts = +rv_rbl_server_ip_whitelist
# RBL Bypass Sender Domain List
!senders = +rv_rbl_sender_address_whitelist
# The following is a list of RBL to check for spam.
dnslists = bl.spamcop.net :\
           list.dsbl.org : \
           malaysia.blackholes.us  :\
           singapore.blackholes.us :\
           porn.rhs.mailpolice.com 
           #combined.njabl.org :\
message = your mail server $sender_host_address is in a black list \
                 at $dnslist_domain ($dnslist_text) 


  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}

  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}


  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                {yes}{no}}

  #if it gets here it isn't mailman
  
#### Dictionary attacks  
  drop hosts = /etc/exim_deny 
        message = Connection denied after dictionary attack 
        log_message = Connection denied from $sender_host_address after dictionary attack 

  drop message = Appears to be a dictionary attack 
        log_message = Dictionary attack (after $rcpt_fail_count failures) 
        condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}} 
        condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}} 
        !verify = recipient 
                                                                                                                                         
  #sender verifications are required for all messages that are not sent to lists
                                                                                                                                           
  require verify = sender
  accept  domains = +local_domains
  endpass
                                                                                                                                           
  #recipient verifications are required for all messages that are not sent to the local machine
  #this was done at multiple users requests
                                                                                                                                           
  message = "The recipient cannot be verified.  Please check all recipients of this message to verify they are valid."
  verify = recipient
                                                                                                                                           
  accept  domains = +relay_domains

  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
        hosts = +relay_hosts
  accept  hosts = +relay_hosts
                                                                                
  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
        condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.
          authenticated = *

  deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.


#!!# ACL that is used after the DATA command
check_message:
  require verify = header_sender
##### clamav ACL, reject virus infected        mails with proper error 

deny message = This message contains malformed MIME ($demime_reason). 
demime = * 
condition = ${if >{$demime_errorlevel}{2}{1}{0}} 

deny message = This message contains a virus or other harmful content \ 
($malware_name) 
demime = * 
malware = * 

deny message = Potentially executable content. If you meant to send this file \ 
then please package it up as a zip file and resend it. 
demime =        ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc 

# Add X-Scanned Header 

warn message = X-Antivirus-Scanner: Basically clean mail though you should still use an Antivirus 

##### end clamav ACL 

  accept

[chirpy]

Looks OK (of course, I prefer the MailScanner solution). You should put the dictionary attack stuff from my ACL at the top of the middle box, just after:

accept hosts = :

There's no point in going through the overhead of RBL lookups if you're going to deny the connection anyway because of a RCPT check failure, which is much quicker.

[station]

Quote:

Originally Posted by chirpy

There's no point in going through the overhead of RBL lookups if you're going to deny the connection anyway because of a RCPT check failure, which is much quicker.

Thanx for the suggestion chirpy, that's just the sort of thinhg that I was wondering about. How to cut down on the overhead. Ideally a tool which could control all these spam, virus concerns on the server would be great. I can't imagine the work required to stay on top of hundreds of boxes....
Meanwhile my spamd is still failing to load/boot and I would like to find the cause.

[chirpy]

WRT spamd, have you tried:

/etc/init.d/chkservd restart

If that doesn't work, try:
/scripts/fixspamassassinfailedupdate

[station]

Quote:

Originally Posted by chirpy

WRT spamd, have you tried:
/etc/init.d/chkservd restart
If that doesn't work, try:
/scripts/fixspamassassinfailedupdate

Ya, Hi chirpy, thanx again, I had restarted the chkservd a couple of times,

the fixspamassassinfailedupdate is a really cool name for a script. Talk about spelling it out,
I guess I should spend more time in my script dir,
unfortunately,my result is:

Code:

# ./fixspamassassinfailedupdate
Spamassassin Update Failed, reinstalling!
File/Spec/Unix.pm did not return a true value at /usr/lib/perl5/5.8.6/i686-linux/File/Spec.pm line 21.
Compilation failed in require at /scripts/realperlinstaller line 14.
BEGIN failed--compilation aborted at /scripts/realperlinstaller line 14.

and line 14 of realperlinstaller says

Code:

use File::Spec;

So, what's missing in my perl5...file/Spec.pm? it says at line 21

Code:

require "File/Spec/$module.pm";

and my /usr/lib/perl5/5.8.6/i686-linux/File/Spec dir has the following :etc.
-r--r--r-- 1 root root 1808 Jan 22 04:57 Cygwin.pm
-r--r--r-- 1 root root 1531 Jan 22 04:57 Epoc.pm
-r--r--r-- 1 root root 1855 Jan 22 04:57 Functions.pm
-r--r--r-- 1 root root 11708 Jan 22 04:57 Unix.pm
so the Unix.pm is not returning atrue value, so what does fixspamassassinfailedupdate consider to be a true value to be recieving from Unix.pm? this is starting to get complicated for a mear gumby as myself.

[chirpy]

You might want to try:

/scripts/perlinstaller Tie::Hash File::Spec HTML::Parser

Then try running that fix script again.

[station]

Well, chirpy, This is becoming embarassing, as I feel as if you're acting as my private consultant, I'm going to start having to pay for your help.
/scripts/perlinstaller Tie::Hash File::Spec HTML::Parser has the same results as the previous command /scripts/fixspamassassinfailedupdate
I'm sure that in most cases the /scripts/fixspamassassinfailedupdate would fix the spamd failed to load problem but I seam to have an irregular perl installation. Perhaps I should update , or reinstall perl. However, I think that would be abit extream.
So I'm doing a rebuild RPM database in whm/software,
now reinstall RPM specpro,
now reinstall RPM file:

Code:

# /scripts/fixspamassassinfailedupdate
Spamassassin Update Failed, reinstalling!
File/Spec/Unix.pm did not return a true value at /usr/lib/perl5/5.8.6/i686-linux/File/Spec.pm line 21.
Compilation failed in require at /scripts/realperlinstaller line 14.
BEGIN failed--compilation aborted at /scripts/realperlinstaller line 14.

trying:check repair perl script:/usr/lib/perl5/5.8.6/i686-linux/File/Spec.pm
I'm obviously taking stabs in the dark, so far with no success. I'm still getting the same results.

[station]

Well, I do seam to have a misconfigured perl.
I've just entered:/usr/local/cpanel/whostmgr/docroot/cgi/diskusage.cgi as a test, and I get the same type of errors.
Although a basic hello-world.cgi in a domain does work. that obviously doesn't require any libs.
So I guess I need to reinstall perl. Now it's off to find out how I do that.
first I'll go to whm/software/update system software, ... everything fine down to:
make[2]: Leaving directory `/home/cpgdbuild/gd-2.0.33'
make[1]: Leaving directory `/home/cpgdbuild/gd-2.0.33'
GD install failed and I'm stuck here. So, I'll search around and see if I can find a solution. I believe the main problem was a manual perl update to 5.8.6 which I problably should not have done. ( especially as I am a gumby )

[station]

Dear reader, I know that my posts tend to be a bit long winded, but i find it frustrating when looking for a solution to find someone has had the same problem and they end their post with

Quote:

never mind, I've fixed it

without explaining how. Or they skip a couple of steps in the solution.

ok, I've found the thread pathtools error which mr. chirpy seams to have been providing solutions, and reading through I decided to look in my /usr/bin where I have the dirs perl, perl5.8.3, and perl 5.8.6

My symlink is:
/usr/local/bin/perl -> /usr/bin/perl
the suggestion

Quote:

The other things to check are that these two binaries are identical:
/usr/bin/perl
/usr/bin/perl5.8.4

would maybe apply to me with my 5.8.6 but I doen't know how to do that check.

My /usr/lib/perl5 has the following:
drwxr-xr-x 3 root root 4096 Mar 24 2004 5.8.0/
drwxr-xr-x 3 root root 4096 Mar 24 2004 5.8.1/
drwxr-xr-x 3 root root 4096 Mar 24 2004 5.8.2/
drwxr-xr-x 43 root root 4096 Jan 23 23:19 5.8.3/
drwxr-xr-x 45 root root 4096 Jan 24 00:31 5.8.6/
drwxr-xr-x 7 root root 4096 Jan 24 00:31 site_perl/
drwxr-xr-x 6 root root 4096 Mar 24 2004 vendor_perl/

also suggested was if you upgrade perl use these commands:
/scripts/rpmup
/scripts/sysup
the first one:
Using RPM Backend: RPM version 4.2.1
busy updateing aton of stuff, ends with GD install failed, I guess that would be gd 2.0.33
and half way through the install there is the following error

Code:

yum is up to date
File/Spec/Unix.pm did not return a true value at /usr/lib/perl5/5.8.6/i686-linux/File/Spec.pm line 21.
Compilation failed in require at /scripts/realperlinstaller line 14.
BEGIN failed--compilation aborted at /scripts/realperlinstaller line 14.
Using RPM Backend: RPM version 4.2.1
installed: freetype-2.1.4-5
installed: freetype-devel-2.1.4-5
unknown package perl-CPAN (ok)
installed: libpng-devel-1.2.5-7
installed: libjpeg-devel-6b-29
installed: XFree86-devel-4.3.0-55
unknown package iconv (ok)
unknown package jpeg (ok)
unknown package xpm (ok)
unknown package png (ok)
unknown package linuxthreads (ok)
Building GD..........
......
Done
GD status [0]
gd-2.0.33.tar.gz

so I'm not going to run the second script:/scripts/sysup untill I find what's wrong with the first install, any comments welcome