[bug] Mailscanner crashes when an org. has an IP subnet in relay settings

[rmoesbergen]

When I add an entire IP subnet under Organization -> Add relay settings, for example: 10.0.0.0/8, Mailscanner starts crashing:

MailScanner: Process did not exit cleanly, returned 255 with signal 0

I did a manual debug trace when this configuration was active, the logging is as follows:

..... 09:59:50 Jul 20 09:59:50.783 [17819] dbg: dcc: DCC learning not enabled by dcc_learn_score 09:59:50 Jul 20 09:59:50.783 [17819] dbg: check: is spam? score=5.278 required=5 09:59:50 Jul 20 09:59:50.783 [17819] dbg: check: tests=DCC_CHECK,MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS 09:59:50 Jul 20 09:59:50.783 [17819] dbg: check: subtests=BODY_TEXT_LINE,DKIM_DEPENDABLE,EMPTY_BODY,__GATED_THROUGH_RCVD_REMOVER,HAS_FROM,HAS_MESSAGE_ID,HAS_MSGID,KAM_DROPBOX2,__KAM_FAKEDELIVER12,KAM_FAKEDELIVER4,KAM_FAKEDELIVER6,__KAM_FAKEDELIVER8,KAM_GOOGLE2_2,KAM_HARP3,__KAM_HAS_0_URIS,KAM_JURY3,KAM_MULTIPLE_FROM,KAM_PAYPAL3B,KAM_UPS2,__KHOP_NO_FULL_NAME,MISSING_REF,MISSING_REPLY,MSGID_OK_DIGITS,MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,NONEMPTY_BODY,NOT_SPOOFED,__SANE_MSGID,SUBJ_SHORT,TO_NO_ARROWS_R,__UNUSABLE_MSGID,ZMISOBER_P_MSGID 09:59:50 Jul 20 09:59:50.784 [17819] dbg: check: tagrun - tag LASTEXTERNALIP is still blocking action 1 09:59:50 Jul 20 09:59:50.784 [17819] dbg: check: tagrun - tag SENDERDOMAIN is still blocking action 0 09:59:50 Jul 20 09:59:50.784 [17819] dbg: check: tagrun - tag DKIMDOMAIN is still blocking action 2 09:59:50 Jul 20 09:59:50.784 [17819] dbg: plugin: Mail::SpamAssassin::Plugin::Bayes=HASH(0x62a7790) implements 'learner_close', priority 0 09:59:50 Jul 20 09:59:50.785 [17819] dbg: plugin: Mail::SpamAssassin::Plugin::TxRep=HASH(0x64e4ff8) implements 'learner_close', priority 0 09:59:50 Jul 20 09:59:50.786 [17819] dbg: TxRep: learner_close 09:59:50 Jul 20 09:59:50.786 [17819] dbg: TxRep: learner_close 09:59:50 Jul 20 09:59:50.786 [17819] dbg: plugin: Mail::SpamAssassin::Plugin::Shortcircuit=HASH(0x629b168) implements 'compile_now_finish', priority 0 09:59:50 Building a message batch to scan... 09:59:50 Have a batch of 11 messages. 09:59:57 Invalid netblock: 10.255.255.255-42.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0 at /usr/share/MailScanner/MailScanner/Config.pm line 621 Failed.

This is quite a nasty one, since we're not able to relay outbound unless we specify every IP separately. Not an option with 1000+ servers.

[rmoesbergen]

This seems related: http://lists.mailscanner.info/pipermail/mailscanner/2016-March/103240.html

So looks like it only borks when mail was received from an IPv6 address, which is then compared to an IPv4 subnet, which Net::CIDR::cidrlookup can't handle.

[akissa]

I cannot replicate this, the relay settings are not even used in mailscanner. I think you have input an incorrect value else where.

[rmoesbergen]

Strange, because I can replicate this in seconds, by just adding 10.0.0.0/8 in the relay settings and sending a mail from the 'outside' using an IPV6 address. Removing the relay setting also fixes the crash... But beware: it only crashes when the mail was sent via IPv6!

This is where it crashes:

/usr/share/MailScanner/MailScanner/Config.pm:

    elsif ( $direction =~ /f/ ) {

        # Can only check these with From:, not To: addresses
        # Match against the SMTP Client IP address
        my (@cidr) = split( ',', $regexp2 );

        #print STDERR "Matching IP " . $msg->{clientip} .
        #             " against " . join(',',@cidr) . "\n";
        **return $value if Net::CIDR::cidrlookup( $msg->{clientip}, @cidr );**
    }

So where does the @cidr come from?

[akissa]

That is matching a ruleset, it is a bug. But it is not caused by the relay settings. I suspect it is from the approved senders or banned senders, i am releasing a fix which should hit the mirrors in a few minutes.

[rmoesbergen]

That doesn't make sense to me... When the only change I make is the relay setting and it clearly makes the crash appear / go away, how can it not be the relay settings? Oh well, I'll check if the fix works, please let me know when it's there.

[akissa]

The updates have hit the mirrors.

[rmoesbergen]

Ok, I tested mailscanner-4.85.5-23.el6.noarch, but it does not fix the crash. Output is slightly different though:

12:05:20 Jul 20 12:05:20.940 [9125] dbg: learn: auto-learn? ham=0.1, spam=12, body-points=0.001, head-points=0.27, learned-points=-2 12:05:20 Jul 20 12:05:20.941 [9125] dbg: learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam 12:05:20 Jul 20 12:05:20.953 [9125] dbg: netset: cache trusted_networks hits/attempts: 15/16, 93.8 % 12:05:20 SpamAssassin failed with real error: Invalid netblock: 10.255.255.255-38.7.248.176.64.1.12.11.0.0.0.0.0.0.231.36979 at /usr/share/MailScanner/MailScanner/Config.pm line 622 12:05:20 at /usr/share/MailScanner/MailScanner/SA.pm line 1203 Failed.

The SA.pm is new...

[akissa]

Please email us the queue files.

[akissa]

Ping ?

[rmoesbergen]

I sent them just now.

[akissa]

I cannot replicate the issue using those files and a relay setting of 10.0.0.0/8 As previously stated i think you have some other non default configuration causing the issue.

What is the output of

fgrep -rn '10.0.0' /etc/MailScanner/

[rmoesbergen]

$ fgrep -r '10.0.0' /etc/MailScanner/ /etc/MailScanner/baruwa/rules/highspam.score.rules:From: 10.0.0.0/8 20.0 /etc/MailScanner/baruwa/rules/highspam.actions.rules:From: 10.0.0.0/8 deliver /etc/MailScanner/baruwa/rules/spam.score.rules:From: 10.0.0.0/8 10.0 /etc/MailScanner/baruwa/rules/spam.actions.rules:From: 10.0.0.0/8 deliver

[rmoesbergen]

setting the spamscores to something other than 0.0 is the trick... If I leave those at 0.0, the entries above are not created and things keep working.

[akissa]

Got it.

[akissa]

It should be fixed now.

[rmoesbergen]

Yes, it works now, even with spam scores set! Thanks!