Amavis disposing of attachments

Discussion in 'Server Operation' started by julianmartin, Aug 13, 2010.

  1. julianmartin

    julianmartin New Member

    Hi, recently, amavis has started spooning out over some headers and munging attachments on emails. It's very random, sometimes happens and sometimes doesn't even if we send the attachment 5 times. It's impossible to accurately replicate.

    Here is an example of the headers on a suspect email

    Code:
    From - Thu Aug 12 18:27:38 2010
    X-Account-Key: account2
    X-UIDL: UID2524-1268054582
    X-Mozilla-Status: 0003
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:                                                                                 
    Return-Path: <[email protected]>
    Received: from localhost (localhost [127.0.0.1])
    	by server1.xxxxxxx (Postfix) with ESMTP id 1C1C7A075;
    	Thu, 12 Aug 2010 18:26:49 +0100 (BST)
    X-Virus-Scanned: Debian amavisd-new at server1.xxxxxxxx.co.uk
    [B]X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with
    	expected boundary[/B]
    Received: from server1.xxxxxx.co.uk ([127.0.0.1])
    	by localhost (server1.xxxxxx.co.uk [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id sEiMepIFWeMU; Thu, 12 Aug 2010 18:26:48 +0100 (BST)
    Received: by server1.xxxxxxx.co.uk (Postfix, from userid 108)
    	id 95476A1B6; Thu, 12 Aug 2010 18:26:48 +0100 (BST)
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=g-q-r.com; s=dkim_2;
    	t=1281634008; bh=6a9fN4hpcj/nqTz5xg3/nt8vs+qcI5xb8m8uJpQ+LpA=;
    	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=d
    	n/tZ0oBwNmaloeTTfmFj+F71D6fHb2OCdDSGuE72dgDGqQ1XQW5tQXqB3Am6wJRUR3p
    	rvrT6dcgb451WhPpVMMTshOxVk1L+uPcExUExwJUrByE/o8P6Fe9gV2y01hd8slxKJl
    	4HHZTEZTSrNV8nkpENtXaTpl8VjTStKuskSM=
    Received: from WKSta08 (unknown [212.36.58.162])
    	(Authenticated sender: [email protected])
    	by server1.sm-technologies.co.uk (Postfix) with ESMTPA id 5EB31A075;
    	Thu, 12 Aug 2010 18:26:47 +0100 (BST)
    From: "xxxxxxxx" <[email protected]>
    To: <[email protected]>
    Cc: <[email protected]>
    Subject: FW: prep - as attachment
    Date: Thu, 12 Aug 2010 18:28:33 +0100
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    	boundary="----=_NextPart_000_02D7_01CB3A4C.2C25C770"
    X-Mailer: Microsoft Office Outlook 12.0
    Thread-Index: Acs6KFzlgsPc2gujT5Gl4FFPdEZu3wAAaapwAANfLdA=
    Content-Language: en-gb
    X-Antivirus: avast! (VPS 100812-0, 12/08/2010), Inbound message
    X-Antivirus-Status: Clean
    
    I've had to chop out the email addresses for privacy, hope that's OK.

    Anyway the error from Amavis is in bold.

    I've tried stopping the header scanning in two ways, selective TLDs and turning off on everything, like so in /etc/amavis/conf.d/50-user :

    Code:
    @bypass_header_checks_maps = ([1]);
    
    and
    Code:
    @bypass_header_checks_maps = (['.tld1.com', '.tld2.com']);
    
    However this seems to make no difference.

    I'm really stuck here and I've got a client balling down my neck about this and can't understand why this has happened all of a sudden. We recently updated the client machines that run Outlook 2007 to SP2 and it seems a bit coincidental with that, but I really need this to stop scanning headers first so I can get normal email resumed before I look into the cause.

    Any help would be REALLY appreciated.

    It's a fairly low power VPS running Debian 5.0 according to the HowtoForge perfect server instructions.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Any errors in your mail log?

    Does this happen with all types of email clients (Thunderbird, Outlook, Evolution, etc.), or just with Outlook?
     
  3. julianmartin

    julianmartin New Member

    It's confirmed in Thunderbird and Outlook as recipients. The senders so far have just been Outlook. As I say, the cause is not the first worry, I just need to restore normal service by stopping amavis interfering.

    I will look at the mail logs first thing in the morning. Thank you.
     
  4. julianmartin

    julianmartin New Member

    Okay this is the log from postfix from one of the caught emails:

    Code:
    Aug 13 17:09:39 server1 postfix/smtpd[23397]: 8457FA1B5: client=localhost[127.0.0.1]
    Aug 13 17:09:39 server1 postfix/cleanup[23334]: 8457FA1B5: message-id=<[email protected]t.net>
    Aug 13 17:09:39 server1 postfix/smtpd[23397]: disconnect from localhost[127.0.0.1]
    Aug 13 17:09:39 server1 postfix/qmgr[23215]: 8457FA1B5: from=<[email protected]>, size=12174, nrcpt=1 (queue active)
    Aug 13 17:09:39 server1 amavis[22887]: (22887-05) Passed BAD-HEADER, [195.245.230.115] [130.32.42.40] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]t.net>, $
    Aug 13 17:09:39 server1 postfix/pipe[23353]: 8457FA1B5: to=<[email protected]>, relay=maildrop, delay=0.04, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
    Aug 13 17:09:39 server1 postfix/qmgr[23215]: 8457FA1B5: removed

    I can't say this tells me anything new though, is there another log I should be looking at?
     
  5. julianmartin

    julianmartin New Member

    Okay I'm now led to believe that the MIME headers on these emails are getting scrambled somewhere on my server.

    My understanding is that postfix is not capable of doing this, and it's not likely to be amavis either.

    What modules on the Debian perfect server could fiddle with a MIME header making an attachment unreadable for a mail client?
     
  6. falko

    falko Super Moderator ISPConfig Developer

    I'm not sure, but maybe the email client is doing this?
     
  7. julianmartin

    julianmartin New Member

    Well see this is the strange thing, we had an incoming email from 2 different offices and mail servers that had a missing attachment too, which had my client's Hotmail address CC'd, and the attachments arrived in his Hotmail.

    So in addition, another email sent from within the office that my VPS serves wasn't visible on my computer, which runs Thunderbird, not Outlook, so it's a different client...

    Weird, huh?
     
  8. julianmartin

    julianmartin New Member

    Hi, okay I've found someone else with the same problem and the exact same circumstances to me, here is a link to his description:

    http://www.zimbra.com/forums/administrators/40733-bug-handling-encoded-decoded-mail-messages.html

    So I think it's a bug in postfix that's munching these double full stop lines and thus effectively disposing of the rest of the email.

    Only I just don't know where to go from here, I don't really want to tear apart postfix, I'm a competent user but not that competent!
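
Added example, not part of the original thread: the "double full stop" theory in the last post concerns SMTP dot-stuffing (RFC 5321, section 4.5.2). This Python sketch uses a constructed message and hypothetical helper names to show how a hop that skips the stuffing step truncates the message at a lone "." line, and how checking for the closing MIME boundary, the condition behind a "part did not end with expected boundary" alert, detects the truncation. It does not establish which component was at fault on this server.

```python
import re

# Constructed sample: one text part whose body contains a line that is just "."
MESSAGE = (
    b"From: sender@example.test\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed;\r\n"
    b'\tboundary="----=_NextPart_TEST"\r\n'
    b"\r\n"
    b"------=_NextPart_TEST\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"first line\r\n"
    b".\r\n"
    b"..last line\r\n"
    b"------=_NextPart_TEST--\r\n"
)

def dot_stuff(msg: bytes) -> bytes:
    """Sender side: prefix an extra dot to every line that starts with one."""
    return b"\r\n".join(b"." + l if l.startswith(b".") else l
                        for l in msg.split(b"\r\n"))

def receive_data(wire: bytes) -> bytes:
    """Receiver side: stop at the lone '.' line, strip one leading dot per line."""
    out = []
    for line in wire.split(b"\r\n"):
        if line == b".":
            break
        out.append(line[1:] if line.startswith(b".") else line)
    return b"\r\n".join(out) + b"\r\n"

def closing_boundary_present(raw: bytes) -> bool:
    """True if the top-level multipart body contains its '--boundary--' line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head)  # unfold continuation lines
    m = re.search(rb'(?im)^content-type:\s*multipart/[^\r\n]*?boundary="?([^";\r\n]+)', head)
    if not m:
        raise ValueError("not a multipart message")
    return b"--" + m.group(1) + b"--" in body.split(b"\r\n")

def relay(msg: bytes, stuff: bool) -> bytes:
    """Send msg through one DATA phase, with or without dot-stuffing."""
    return receive_data((dot_stuff(msg) if stuff else msg) + b".\r\n")

if __name__ == "__main__":
    for stuff in (True, False):
        got = relay(MESSAGE, stuff)
        print(f"stuffed={stuff}: {len(got)}/{len(MESSAGE)} bytes, "
              f"closing boundary present: {closing_boundary_present(got)}")
```

Running the same boundary check on the raw message file at each hop (before and after the content filter) shows where the body first loses its closing delimiter.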
     
