[Avcheck] kavkeeper + "User unknown"

George Chelidze wrath@geo.net.ge
Tue, 22 Apr 2003 19:10:21 +0500


Hello,

I am using KAV as AV software + kavkeeper. The MTA is sendmail-8.12.9. 
Lately I have noticed (didn't pay attention to this before) the 
following problem:

say geo.net.ge is local domain.

without main injection mechanism activated, issuing

RCPT TO: userdoesnotexsist@geo.net.ge

I get:

550 5.1.1 userdoesnotexsist@geo.net.ge... User unknown

after enabling injection mechanism I get:

250 2.1.5 userdoesnotexsist@geo.net.ge... Recipient ok

At this level the message is collected. Only the LDA (procmail in my case) 
rejects it with "User unknown". As a result many useless messages are 
wasting my bandwidth.

I have looked at my sendmail.cf file to find out why this happens. The 
things added to the configuration regarding kavkeeper follow:

...
C{KAG}${KAV}
...
SLOCAL_RULE_0
R$* @ $+ . ${KAV}		$1 < @ $2 . ${KAV} >
R$* < @ $+ . $~{KAG} . >	$#kavkeeper $@ $2 . $3 . ${KAV} $: $1 @ $2 . $3 . ${KAV}
R$* < @ $* . ${KAV} >		$1 < @ $2 . >


###   KAVKEEPER Mailer specification  ###
		A=kavkeeper -s $f -r $u -x $h -m sendmail -p ${KAV} -c /var/spool/avp/kavkeeper/keeper.ini

The first rule involves the kavkeeper mailer if the address doesn't end 
with the ${KAG} string, which checks the message for infection and then 
reinjects it back to sendmail. The next rule strips the suffix.

as Ruleset 0 contains

Sparse=0

R$*			$: $>Parse0 $1		initial parsing
R<@>			$#local $: <@>		special case error msgs
R$*			$: $>ParseLocal $1	handle local hacks
R$*			$: $>Parse1 $1		final parsing

we can see that the LOCAL_RULE_0 ruleset executes before final parsing. The 
only thing I can't understand is why I get the above result. As the second 
rule of LOCAL_RULE_0 stripped the ${KAV} suffix, the address should be the 
same as it was before adding this suffix (obviously I am wrong, as the 
above-mentioned problem is present). All this long story has nothing in common 
with this list. There are 2 reasons why I have posted this message here:

1. Many list members are experienced people spending a lot of time 
maintaining e-mail systems. I hope someone can explain this problem.

2. (The main one) I have a doubt that the problem is caused by 
kavkeeper, not the injection mechanism, so if someone using sendmail with 
avcheck instead of kavkeeper can tell me if he/she is experiencing the 
same problems with avcheck or not, I will be able to narrow the set of 
possible reasons and hope to solve the problem.

Thank you in advance for any suggestions/answers


Best Regards,

--
George Chelidze
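
A simplified model of the behaviour described above, added here as an example; it is not part of the original post and not kavkeeper or sendmail code. It shows why the RCPT reply changes: a rule whose right-hand side starts with `$#` ends ruleset 0, so an address handed to the kavkeeper mailer never resolves to the local mailer, which is where the mailbox name is checked. `KAV_SUFFIX`, `LOCAL_USERS` and all function names are assumptions, and the sketch models control flow only, not sendmail's token matcher.

```python
# Simplified model of recipient resolution at RCPT time (added example).
# KAV_SUFFIX and LOCAL_USERS are constructed placeholders; the real ${KAV}
# value and the kavkeeper mailer flags are not shown in the post.
KAV_SUFFIX = "kavmark"                  # stands in for ${KAV}
LOCAL_DOMAIN = "geo.net.ge"
LOCAL_USERS = {"wrath", "postmaster"}   # constructed sample accounts


def local_rule_0(user, domain, injection):
    """Return (mailer, user, domain); mailer is None when no $# was reached."""
    if not injection:
        return None, user, domain
    if domain.endswith("." + KAV_SUFFIX):
        # Suffix-stripping rule: drop the marker, fall through to final parsing.
        return None, user, domain[: -len(KAV_SUFFIX) - 1]
    # "$#kavkeeper ..." selects a mailer, which ends ruleset 0 immediately.
    return "kavkeeper", user, domain + "." + KAV_SUFFIX


def ruleset_0(address, injection):
    """Resolve an address to (mailer, user, host), Parse0..Parse1 in outline."""
    user, _, domain = address.partition("@")
    domain = domain.lower().rstrip(".")
    mailer, user, domain = local_rule_0(user, domain, injection)
    if mailer is None:                  # Parse1 is only reached without a $#
        mailer = "local" if domain == LOCAL_DOMAIN else "esmtp"
    return mailer, user, domain


def rcpt_to(address, injection):
    """SMTP reply to RCPT TO under this model."""
    mailer, user, _ = ruleset_0(address, injection)
    # Assumption: only the local mailer validates the mailbox name here.
    if mailer == "local" and user not in LOCAL_USERS:
        return f"550 5.1.1 {address}... User unknown"
    return f"250 2.1.5 {address}... Recipient ok"


if __name__ == "__main__":
    probe = "userdoesnotexsist@" + LOCAL_DOMAIN
    print(rcpt_to(probe, injection=False))                    # rejected
    print(rcpt_to(probe, injection=True))                     # accepted
    print(rcpt_to(probe + "." + KAV_SUFFIX, injection=True))  # reinjected
```

In this model the unknown mailbox is only detected once the address carries the marker suffix, that is, after the message body has already been accepted and scanned.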