Re: [Exim] Odd Bounce - AGAIN

Author: Andreas J Mueller
Date:  
To: Dan Egli
CC: exim-users
Subject: Re: [Exim] Odd Bounce - AGAIN
Hi Dan!

> I keep getting these. I'm confused. I have looked through the mainlog and
> found nothing of note. I'll attach any log segments from the time this
> message was delivered below. Anyone know why this keeps happening?


I don't have any experience with amavis, but I'll try to at least make
some sense of your Exim log file. Lines have been reordered.

> 2003-07-06 14:11:41 19ZFqm-0007dT-62 <= pgp-keyserver-folk-return-3230-dan=shortcircuit.dyndns.org@??? H=kechara-p.flame.org
> (kechara.flame.org) [204.152.186.129] P=smtp S=112471
> 2003-07-06 14:11:42 19ZFqm-0007dT-62 => dan <dan@???> R=amavis_router T=amavis
> 2003-07-06 14:11:42 19ZFqm-0007dT-62 Completed


This is the original message, from a mailing list. It is routed to
amavis for virus checking. The actual destination (dan) in the log is
irrelevant here; the message will be handled by amavis. Now, this
mail appears to be virus infected, and amavis generates two alerts:

> 2003-07-06 14:11:42 19ZFrK-0007eB-0M <= postmaster@??? U=amavis P=scanned-ok S=2043
> 2003-07-06 14:11:44 19ZFrK-0007eB-0M => pgp-keyserver-folk-return-3230-dan=shortcircuit.dyndns.org@??? R=dnslookup T=remote_smtp
> H=mail.flame.org [204.152.184.79]
> 2003-07-06 14:11:44 19ZFrK-0007eB-0M Completed


This is the first virus alert. It is sent back to the mailing list
manager (the return-path of the original message).

> 2003-07-06 14:11:42 19ZFrK-0007eD-1H <= postmaster@??? U=amavis P=scanned-ok S=2890
> 2003-07-06 14:11:43 19ZFrK-0007eD-1H => dan <virusalert@???> R=procmail_director T=procmail_transport
> 2003-07-06 14:11:43 19ZFrK-0007eD-1H Completed


This is the second virus alert. It is sent to virusalert@... and
delivered to procmail for dan's mailbox.

> 2003-07-06 14:11:42 19ZFrK-0007eK-Hq <= <> H=localhost.localdomain (shortcircuit.dyndns.org) [127.0.0.1] P=esmtp S=4488
> id=1057522302.29407.TMDA@???
> 2003-07-06 14:11:43 19ZFrK-0007eK-Hq => postmaster <postmaster@???> R=amavis_router T=amavis
> 2003-07-06 14:11:43 19ZFrK-0007eK-Hq Completed


This totally confuses me. It is a locally generated error message,
submitted via SMTP to localhost for postmaster@???
It is also routed to amavis for virus checking. Again, the actual
destination (postmaster) from the log file is irrelevant.

Does procmail create error messages, and submit them via local SMTP?
Or do you have other tools that do? Maybe that's your culprit; at
least it relates somehow to the second virus alert, being sent to the
return-path postmaster@???.

> 2003-07-06 14:11:43 19ZFrL-0007eT-2H <= <> U=amavis P=scanned-ok S=4692 id=1057522302.29407.TMDA@???
> 2003-07-06 14:11:43 19ZFrL-0007eT-2H => dan <postmaster@???> R=procmail_director T=procmail_transport
> 2003-07-06 14:11:43 19ZFrL-0007eT-2H Completed


This is the same error message as above, resubmitted by amavis
for delivery to postmaster@???, and finally (via
procmail) to dan's mailbox.

So far, so good. I don't know what created the locally generated
error message (19ZFrK-0007eK-Hq) above. If it was indeed procmail
(the message-id 1057522302.29407.TMDA@??? may give
you a hint), you should look in your procmail config.

> Note: postmaster and virusalert are both defined in /etc/aliases to be
> dan@???


That may be true, but isn't procmail able to make some sense of the
envelope-to header, which does not change during aliasing? Maybe
someone familiar with procmail can help you here.

Andy
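
The manual reading in this message (regrouping mainlog lines by queue ID, spotting the `<>` arrival submitted through 127.0.0.1, and matching the two entries that share an `id=` value) can be scripted. The following is an added example, not part of the original message; the function names are hypothetical and the sample is abridged from the log lines quoted in the thread.

```python
import re
from collections import defaultdict

# Sample abridged from the log quoted in the thread; "???" is kept as it appears on the page.
SAMPLE_LOG = """\
2003-07-06 14:11:41 19ZFqm-0007dT-62 <= pgp-keyserver-folk-return-3230-dan=shortcircuit.dyndns.org@??? H=kechara-p.flame.org (kechara.flame.org) [204.152.186.129] P=smtp S=112471
2003-07-06 14:11:42 19ZFqm-0007dT-62 => dan <dan@???> R=amavis_router T=amavis
2003-07-06 14:11:42 19ZFrK-0007eB-0M <= postmaster@??? U=amavis P=scanned-ok S=2043
2003-07-06 14:11:44 19ZFrK-0007eB-0M => pgp-keyserver-folk-return-3230-dan=shortcircuit.dyndns.org@??? R=dnslookup T=remote_smtp H=mail.flame.org [204.152.184.79]
2003-07-06 14:11:42 19ZFrK-0007eD-1H <= postmaster@??? U=amavis P=scanned-ok S=2890
2003-07-06 14:11:43 19ZFrK-0007eD-1H => dan <virusalert@???> R=procmail_director T=procmail_transport
2003-07-06 14:11:42 19ZFrK-0007eK-Hq <= <> H=localhost.localdomain (shortcircuit.dyndns.org) [127.0.0.1] P=esmtp S=4488 id=1057522302.29407.TMDA@???
2003-07-06 14:11:43 19ZFrK-0007eK-Hq => postmaster <postmaster@???> R=amavis_router T=amavis
2003-07-06 14:11:43 19ZFrL-0007eT-2H <= <> U=amavis P=scanned-ok S=4692 id=1057522302.29407.TMDA@???
2003-07-06 14:11:43 19ZFrL-0007eT-2H => dan <postmaster@???> R=procmail_director T=procmail_transport
"""

LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\S+) (<=|=>) (\S+)(.*)$")
FIELD_RE = re.compile(r"(?<=\s)(H|U|P|S|R|T|id)=(\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")

def parse_mainlog(text):
    """Group arrival (<=) and delivery (=>) lines by Exim queue ID."""
    msgs = defaultdict(lambda: {"arrival": None, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Completed" and other line types are not needed here
        qid, flag, addr, rest = m.groups()
        rec = {"addr": addr, **dict(FIELD_RE.findall(rest))}
        ip = IP_RE.search(rest)
        rec["ip"] = ip.group(1) if ip else None
        if flag == "<=":
            msgs[qid]["arrival"] = rec
        else:
            msgs[qid]["deliveries"].append(rec)
    return dict(msgs)

def null_sender_arrivals(msgs):
    """Queue IDs whose envelope sender is <> (bounces and other error mail)."""
    return [q for q, m in msgs.items() if m["arrival"] and m["arrival"]["addr"] == "<>"]

def same_header_id(msgs):
    """Map each id= value seen on more than one queue ID to those queue IDs."""
    by_id = defaultdict(list)
    for q, m in msgs.items():
        if m["arrival"] and "id" in m["arrival"]:
            by_id[m["arrival"]["id"]].append(q)
    return {k: v for k, v in by_id.items() if len(v) > 1}
```

On the sample, `null_sender_arrivals` returns the two `<>` messages and `same_header_id` ties them together as one message passing through amavis twice; the first of the pair has `ip` 127.0.0.1 and `P=esmtp`, the local SMTP submission the message asks about.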