Question for ya Matt -- as I understand it, here's how the system should work for blocking virus senders -- and here's the problem I'm seeing, along with a proposed solution.
How it should be:
mail comes in, goes to a processing location
qmail-scanner runs on it -- if it finds it's virus-laden, it drops delivering it, and puts the mail in a quarantine folder --
then comes along toaster-watcher -- run every 5 minutes from cron
if qs_quarantine_process & qs_block_virus_senders are enabled in toaster-watcher.conf then
it'll come in, parse those emails that are in the quarantine folder, get the IPs, and add them to the ~vpopmail/etc/tcp.smtp file...
and send me a notification email that it dealt with a virus saying: "found 1 infected files"
*** then tcprules (either directly, or through qmailctl cdb) must be run on tcp.smtp to turn it into tcp.smtp.cdb ***
then the smtpd comes along, reads tcp.smtp.cdb at each run (defined in the service/run file for smtpd), and it'll stop our toaster from accepting any further emails for 24 hours from that sending host; so that they hopefully resolve their virus issue.
This will stop me from getting more notification emails about the same host for at least 24 hours.
What I am seeing:
I get an email every time the host tries to resend the email --
smtpd is not blocking hosts
tcp.smtp IS updated; tcp.smtp.cdb is NOT updated.
Reading the code -- it seems toaster-watcher.pl --
=item Qmail-Scanner Quarantine Processing
should be turning tcp.smtp into tcp.smtp.cdb after it successfully executes the UpdateVirusBlocks routine.
Back me up, Matt, am I totally off base? Is there some other outside solution I'm missing? Should I just be running tcprules from cron (or qmailctl cdb) separately from toaster-watcher?
Thanks for the help.
and somewhere in there ---
-- I upgraded to MySQL 4.1, so I had to recompile things, reinstalled a bunch of the toaster stuff -- and now it works -- tracked down the tcp.smtp.cdb updating as coming from the runs of /usr/vpopmail/bin/clearopensmtp
-- which was in my crontab before -- not sure WHY it wasn't working before and suddenly is now
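The step the post says should follow UpdateVirusBlocks, as an added example that is not toaster-watcher's, qmailctl's or clearopensmtp's code: a cron-safe script that compiles tcp.smtp into tcp.smtp.cdb with tcprules only when the cdb is missing or older than its source, so the "tcp.smtp IS updated; tcp.smtp.cdb is NOT updated" state is both detected and repaired. The TCPRULES hook and the function names are assumptions of this example; the paths are the vpopmail defaults named in the post.

```shell
#!/bin/sh
# Added example, not toaster-watcher's or qmailctl's own code. It does the
# step the post finds missing after UpdateVirusBlocks: compile tcp.smtp into
# tcp.smtp.cdb with the same tcprules call "qmailctl cdb" uses, but only when
# the cdb is older than its source. Paths are the vpopmail defaults from the
# post; TCPRULES is an assumed hook so a test can substitute a stub binary.
TCPRULES="${TCPRULES:-tcprules}"

# cdb_is_stale SRC CDB: true (0) when CDB is missing or older than SRC, the
# state in which smtpd keeps accepting mail from hosts already in tcp.smtp.
cdb_is_stale() {
    [ -f "$1" ] || return 1          # nothing to compile from
    [ -f "$2" ] || return 0          # no cdb at all
    [ "$1" -nt "$2" ]
}

# count_deny SRC: number of ":deny" rules, i.e. hosts UpdateVirusBlocks added.
count_deny() {
    grep -c ':deny' "$1" 2>/dev/null || :
}

# rebuild_cdb SRC CDB: tcprules writes CDB.tmp and renames it over CDB, so a
# qmail-smtpd starting at that moment never opens a half-written cdb.
rebuild_cdb() {
    "$TCPRULES" "$2" "$2.tmp" < "$1" || return 1
    chmod 644 "$2"
}

# refresh_cdb SRC CDB: idempotent, so it can run from cron every minute in
# between toaster-watcher runs; prints one status line for the cron mail.
refresh_cdb() {
    if ! cdb_is_stale "$1" "$2"; then
        echo current
        return 0
    fi
    if rebuild_cdb "$1" "$2"; then
        echo "rebuilt, $(count_deny "$1") deny rules"
    else
        echo "tcprules failed"
        return 1
    fi
}

# Stand-alone use:
#   sh refresh-tcp-smtp.sh /usr/vpopmail/etc/tcp.smtp /usr/vpopmail/etc/tcp.smtp.cdb
if [ $# -eq 2 ]; then
    refresh_cdb "$1" "$2"
fi
```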