Procmail WARNING

21 posts / 0 new
Last post
#1 Fri, 02/27/2009 - 13:25
mdtiberi

Procmail WARNING

I am seeing this frequently in my log. I have seen the bug report from 2006 but I assume that this particular issue has been fixed since then. Nonetheless, it's still cropping up.

WARNING: System limit for file size is lower than maxfilesize or maxscansize

AND

procmail: Program failure (1) of "/etc/webmin/virtual-server/clam-wrapper.pl"

Two different problems?

Thanks

Fri, 02/27/2009 - 14:38
andreychek

Yeah, there's a brand new bug report for that here it looks like:

https://bugzilla.redhat.com/show_bug.cgi?id=484742

Which distro are you using?

In the clamav init script in /etc/init.d, do you see a ulimit setting? If so, I'm curious what it's set to.
-Eric

Mon, 03/02/2009 - 12:31 (Reply to #2)
Joe
Joe's picture

The <i>program failure</i> message is a little misleading - it doesn't mean that anything has actually failed, but rather than Virtualmin's clamav wrapper has detected a virus. The way it sets up the procmail rules, a non-zero exit status from that clam-wrapper.pl script is used to tell the next rule to send the email to /dev/null .

This only happens for viruses, so spam or regular email will not generate a <i>program failure</i> message.

--

Check out the forum guidelines!

Fri, 02/27/2009 - 14:49
mdtiberi

Linux 2.6.27.7-9.art.x86_64 on x86_64, updated from CentOS 5.2

I changed the Spam and Virus Scanning from standalone to server(clamdscan). Error messages are now gone. I left spamassassin at standalone.

I don't have clamav in /etc/rc.d/init.d but there is clamd and there is no ulimit setting in the script.

Fri, 02/27/2009 - 14:58 (Reply to #4)
andreychek

Aha!

Indeed, in most circumstances, the Clam server is the better option anyhow.

Standalone is only desirable on very low-memory systems.
-Eric

Fri, 02/27/2009 - 15:50
mdtiberi

Spoke too soon. The procmail error is popping up again.

Bummer, thought I had it licked. At least the WARNING System Limit is gone.

Fri, 02/27/2009 - 15:53 (Reply to #6)
andreychek

Can you clarify exactly what error you're seeing now?
-Eric

Fri, 02/27/2009 - 15:53
mdtiberi

Can't seem to edit, keeps crashing.

It is now only the following error that is appearing im my logs:

procmail: Program failure (1) of &quot;/etc/webmin/virtual-server/clam-wrapper.pl&quot;

Fri, 02/27/2009 - 16:02
mdtiberi

It occurs after each procmail entry in the log most of the time. Haven't figured out whether its only obvious junk rather than legitimate mail. I would think that a program failure would be bad in any case.

Fri, 02/27/2009 - 16:09 (Reply to #9)
andreychek

Yeah, that definitely shouldn't be happening regardless of the kind of email.

A few questions for you:

* What distro/version are you using

* What Virtualmin version do you have installed

* Can you verify that the clam daemon is running?

* If you look in the mail log (/var/log/maillog or /var/log/mail.log), do you see any procmail or procmail-wrapper related errors showing up in there (I'm assuming that the error you showed above was in the procmail.log)?

Fri, 02/27/2009 - 16:57
mdtiberi

I'll have to check tomorrow AM for some of the answers to your questions. But I can tell you:

-clamd is running
-Webmin 1.450 (just did fresh installed two weeks ago)
-don't know the exact version of procmail
-I'll have to check the logs

BTW, the error message says something about wrappers. Is this possibly a TCP Wrappers issue?

Thanks

Fri, 02/27/2009 - 17:13 (Reply to #11)
andreychek

The &quot;wrapper&quot; you're seeing is probably the &quot;procmail-wrapper&quot; program.

I wait to hear some more details tomorrow -- have a good evening,
-Eric

Sat, 02/28/2009 - 07:44
mdtiberi

Yes, the failure entry is from the procmail log

rpm -qa procmail*

procmail-3.22-17.1.el5.centos
procmail-wrapper-1.0-1.vm

Last part of a procmail entry in maillog shows:

relay=local, delay=0.84, delays=0.42/0/0/0.42, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

Sat, 02/28/2009 - 11:53
mdtiberi

Notice these two emails from the procmail log. One fails and the other doesn't. They are both spam from the same sender but within 2 seconds of each other. Is there a clue here?

From perkinsjd@calasparrajovenesflamencos.com Sat Feb 28 12:16:29 2009
Subject: [SPAM] Bags and wallets
Folder: /dev/null 4262
Time:1235852190 From:perkinsjd@calasparrajovenesflamencos.com To:jj@xxxxx.com User:jjp.xxxxx Size:4262 Dest:/dev/null Mode:Spam

From perkinsjd@calasparrajovenesflamencos.com Sat Feb 28 12:16:27 2009
Subject: [SPAM] Bags and wallets
Folder: /dev/null 4262
Time:1235852190 From:perkinsjd@calasparrajovenesflamencos.com To:jj@xxxxx.com User:jjp.xxxxx Size:4262 Dest:/dev/null Mode:Spam
procmail: Program failure (1) of &quot;/etc/webmin/virtual-server/clam-wrapper.pl&quot;

Sat, 02/28/2009 - 12:12
mdtiberi

I have also seen other entries with same spam sender (different from last example). Where the first entry there is no procmail failure but the second one fails. Time stamp in the above case is equal.

Almost seems like there coming in to fast to handle.

Mon, 03/02/2009 - 09:55
mdtiberi

So I am thinking that this is a problem with clam-wrapper.pl

procmail manual states:

Program failure (nnn) of &quot;x&quot;
Program that was started by proc-
mail returned nnn instead of EX-
IT_SUCCESS (=0); if nnn is nega-
tive, then this is the signal the
program died on.

Do I need to examine clam-wrapper.pl to find the problem if I even can?

Mon, 03/02/2009 - 10:22
mdtiberi

In the absence of a reply, perhaps you guys can give me a simple yes or no.

procmail: Program failure (1) is not really an error, it is just mislabeled I guess. clam-wrapper.pl returns an exit(1) when a virus is found (according to the script). Procmail is interpreting the return code as a program failure when it is really exiting normally.

If this is true then it should be corrected somewhere so folks like me don't think it is a problem. I take &quot;failure&quot; quite literally.

Mon, 03/02/2009 - 11:56 (Reply to #17)
Joe
Joe's picture

Would an &quot;I don't know&quot; work? :-)

I don't recall seeing failures in our maillogs, but I don't pay much attention when things are working correctly. I'll ask Jamie to have a look at this thread.

--

Check out the forum guidelines!

Mon, 03/02/2009 - 13:46
mdtiberi

Thanks for the replies.

I actually think &quot;Program Failure&quot; is more than just a little misleading. It is actually a successful operation of the script and as you mention trashes the virus infected email to /dev/null/.

This should be put on the list of &quot;minor things to do&quot; when you get around to procmail changes.

Thanks again

Mon, 03/02/2009 - 14:11 (Reply to #19)
Joe
Joe's picture

Are you seeing a case where a program failure caused a non-virus email to be sent to /dev/null ? *That* would be a more serious problem..

--

Check out the forum guidelines!

Mon, 03/02/2009 - 14:51
mdtiberi

No, but now that you mention it I'll keep a look out.