hMailServer forum

agatha

Yes, obviously I did not search the topics good enough. Mea maxima culpa.

OK, then it is by design and for this purpose not usable.

Thank you!

agatha

Hello together, I noticed a strange behaviour when using Windows Defender as external scanner. When I use this command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "%FILE%" -disableremediation" and "return value" 2 it generally works fine. Malware is detected, it is...

agatha

Well, it is a question of the design. When the signatures are already loaded in the RAM, it is fast. Especially when lots of Mails have to be scanned.

agatha

ClamAV works quite good. And yes, it needs some RAM as it loads the signatures into the RAM. So it is fast, when Mails are scanned.

In my setting, it uses about 1,2 GB RAM. But so what? RAM is cheap and for little money you buy a lot of performance.

agatha

There is no difference between "send to a local mirror and pop it from an external account" and "send directly to an external account" regarding the number of copies. When you pop from the mirror account, there will be no loop. Let´s make it precisely: 1. You send or receive an e-mail. -> One mail o...

agatha

OK, the log helped (though it was quite large in debug mode). First the external scanner is used and if this one found no malware clamav runs. Thanks for this hint.

agatha

Hello, I use clamav and for a few weeks now an additional external scanner (Avast). My question: Are both scanners used one after another? And which one first? And what happens, when the first one recognizes a virus, ist the second one still used? And one more issue: HM deletes attachements when a v...

agatha

But ashcmd.exe is not (anymore?) included in the free version.

To be honest, I do not know any free comand line scanner (except clamav).

agatha

Could it be an anti virus issue? The mail folder should be excluded from an on-access-scan.

agatha

Where did you get your references from? securite FAQ: What is the best configuration for clamd.conf ? To achieve maximum detection rates, we recommend modifying the following lines in your clamd.conf : WARNING : These changes suggest that you have at least 8GB of RAM DetectPUA yes IncludePUA Spy In...

agatha

sanesecurity.ftm sigwhitelist.ign2 rogue.hdb junk.ndb foxhole_filename.cdb foxhole_generic.cdb foxhole_all.cdb foxhole_all.ndb foxhole_js.cdb foxhole_js.ndb phish.ndb badmacro.ndb jurlbl.ndb scam.ndb mbl.ndb winnow_malware.hdb winnow_extended_malware.hdb crdfam.clamav.hdb This is quite strict, as i...

agatha

You have prodded my curiosity now.

How large is your ClamAV database folder? Mine is 666 (!) MB.

And good luck with Joel Esler - the signatures are not worthless - but not very reliable.

agatha

Is that immediately after a clamav service restart?

Depends, how you define "immediately". After the service is restarted, it takes a few seconds (about 5 maybe) until this the RAM is filled.

agatha

Hm. To be honest, I just copied the recommendations.

But I have just tested it with 45M each - the same RAM usage.

agatha

I am not sure. Probably the clamd.conf is the reason. I use the recommendation from securite.info and they suggest at least 8 GB RAM for this. DetectPUA yes IncludePUA Spy IncludePUA Spyware IncludePUA Game IncludePUA Keylogger IncludePUA Spam IncludePUA Trojan IncludePUA NetTool IncludePUA Win MaxS...

agatha

I've now removed the securiteinfo signatures and instead implemented the SaneSecurity signatures, and will monitor the performance for a couple of days. I use those signatures for years and have no problems at all. The memory usage is about 1.3 GB. But what about the message "invalid argument"? May...

agatha

peak RAM usage by SA

about 500 MB. I restart the service daily as there seems to be a memory leak.

what is your average SMTP volume

About 2000 messages per day.

agatha

WinSock errorcode 10054 is the error you get when spamd is unavailable, most likely: right in the middle of the restarting process (stop service, update database, start service) First I thought so. But the timestamps in the logs did not match to the time, the service is reloaded. Not one single tim...

agatha

It seems to be a RAM issue. Since I upgraded my RAM from 4 to 8 GB, this message did not occur anymore.

agatha

and X-hMailServer-LoopCount < 1

Do you need a loop-count, when using recipient list?

agatha

Should the sigupdate.log be also updated when using the task schedule? Yes. And also the *.hdb and *.cdb files in your clamav database folder get a new time stamp. My batch looks like: @echo off cd /d d:\clamav set log=D:\Logs\sanesecurity.log set db=D:\ClamAV\db set CYGWIN=nontsec echo %date%-%tim...

agatha

@mattg @jimimaseye That is in deed interesting. Thank you. CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures I guess, this is a result of the CLAMAV plugin for spamassassin? That means - as you mentioned before - I can use the malware definitions I want as definitions for spamassassin? And we...

agatha

But in Germany there are rules for eMails which may not be archived like "application mails" etc. That is not true. Only the period, you are allowed to store those mails is shorter (max. 3 month) and you should store them for several reasons. So it is better, when you delete those mails from the ar...

agatha

Why not.....

OK, good idea.

I did not know, that I can have a different header for the case a mail is marked as spam because of a match of the clamav definitions.
That could be nice.

Thanks.

agatha

Do you want to inspect the malware or delete it? Well, it is a balance between effort and benefit. The first target is, that users do not get infected mails. The second target is, that I do not have to inspect hundreds of spam mails per day. Of course, your setup works. When you invest the time to ...

agatha

But that's my point But how do you differentiate between spam and malware? Or do you say: spam and malware is both unwanted an so it is treated the same way? That is consequent but it leads to the following problem: - when you have a low score for spam, you will get a lot of mails (and a lot of fal...

agatha

Then set your spam mark score low enough to be useful, and your delete mark extremely high I have done this - but I want handle spam an infected mails in a different way. People should be able to read mails, that are marked as spam by themselves (because it is a lot of spam) - but infected mails sh...

agatha

Very convoluted and unnecessarily so IMO. I use Clam, have viruses stripped, and the resultant email sent to trash, and at the end of the day I know how many. How? Well, see my first post. I guess you misunderstood it. The mirroring applies to all mails. It is meant to archive all mails. It has not...

agatha

Thanks for the replies! Try X-hMailServer-LoopCount with the value "less than 1" I tried this. In this case no mail is forwarded. just add a rule criteria that says Recipient List does not include <mirroraddress.domain.com> Thanks for this hint. This creates still a loop but when the address to whic...

agatha

Hello together! I would like to forward all mails (or count them at least) that contained malware. So I can easily see, if there is a peak in such mails. My setup regarding this issue seams to be a bit problematic: - All mails are mirrored to a certain address (Settings->Advanced->Mirror) - Mails, t...

agatha

OK, SMTP only. Thank you.

agatha

In my opinion you should only use clamav running as a service. That is the fastest way to scan your mails. And take a look at the signatures from sanesecurity. To update clamav stop the service, override the files and start the service again. That should work in most cases. If it does not, remove an...

agatha

Perhaps you have a similar option. Hm, not really. There is not only a catch all account on the remote server but above this several accounts that are downloaded. And within the hmail logs, I only have an ID (and of course a time stamp) to identify the relevant mail. I can not see, how I could find...

agatha

As it is a very rare error, I am not worry. I just do not like unsolved problems ...

But thanks for the hints.

If I find something out, I will tell. Maybe logging SMTP and POP3 will help.

agatha

No SMPT logging yet. But I already activated it for the next time.

And yes, I download mails via POP3 froman external server.

The forwarding rules are like:
From -> Not contains [mail address to which is forwarded] -> Forward email

agatha

No scipts but indeed some forwarding rules. The problem is, that it happens so unfrequently. 10000 Mails are processed without this error. I tried to find the mentioned file within the data file system but (of course it is a sended message) it does not appear. So I do not know, which rule might be a...

agatha

Hello, I need some hint where I have to look for this issue: Sometimes - about once a week - the following error occurs: "ERROR" 4904 "2016-10-25 08:17:05.777" "Severity: 3 (Medium), Code: HM5007, Source: SMTPDeliverer::DeliverMessage(), Description: Message 781666 could not be delivered. No remaini...

agatha

Reloading the database was my first thought.

The spamd service is reloaded three times a day (stop service, update database, start service), but the timestamps of the errors do not match those reloads.

The service itself runs fine, so I do not think, abnormal terminations are the reason.

agatha

When using SpamAssassin with HM I get sometimes (once, twice a day) this error: "ERROR" 3368 "2016-09-14 06:00:11.876" "Severity: 3 (Medium), Code: HM5157, Source: SpamAssassinClient::OnReadError, Description: There was a communication error with SpamAssassin. hMailServer tried to retrieve data from...

agatha

I am unsure how a message with a known virus as an attachment could possibly be a false positive.

That depends on the signatures. Especially when heuristic is used.
Im my case, I use ClamAV with signatures from sanesecurity and from securite.

agatha

When a virus is found, HMS either deletes the e-mail or only the attachment.

But it would be helpful - especially in case of a false positive - when the e-mail or the attachment is not deleted but moved to a special folder.

agatha

The problem is that the diagnostics don't work if you set the outgoing port to 465 in SMTP relayer.

Indeed. That´s the problem.

Thank you for the explanation!

agatha

In SMTP relayer under delivery of email, what do you have set for the 'remote host name', 'remote TCP/IP port' and the 'connection security' I use hMS as a local mailserver, that pulls and sends mails from/to a provider. Therefor the remote host name is the smtp address of this provider. Port is 46...

agatha

I did both: I left the default value as well as I used a custom one.
None of them worked.

It is strange in so far, as everything works fine (pop, imap, smtp, http). It seems, hmail just failes to create the output form.

agatha

Well, I am quite sure, that I did not change any permissions. And Apache works fine too. I read "https://www.hmailserver.com/forum/viewtopic.php?t=27567#p170518", but as far as I see, my configuration is OK. Especially the service has no problems with windows permissions. So I think it might be more...

agatha

No, I do not use SSL within hMail and i do not have any certificates on this server. Settings->Advanced->SSL certificates: No entries Settings->Advanced->SSL/TLS: "Verify remote ..." is unchecked, "Versions" are all checked. And thanks for the google link - I searched "800403E9" within the forum and...

agatha

Hello, when I run "Diagnostics" in hMail Admin, I receive an error: ExceptionType: COMException HelpLine: Message: Exception from HRESULT: 0x800403E9 Source: Interop.hMailServer StackTrace: at hMailServer.DiagnosticsClass.PerformTests() at hMailServer.Administrator.ucDiagnostics.buttonPerformTests_C...

agatha

That was exactly what I was looking for.

Thank you very much.

agatha

Hello together, in webadmin, I would like to remove some tabs for administration level "user". E.g. all users with administration level "0" shall not be able to change their signature. For this behalf I could either remove the whole tab or I could disable the accordant field. I already removed the "...

Search found 49 matches