Patch provided by MAINTAINER, Julian Dunn in PR 35578.
---------------------------------------------------------------------------
January 30, 2007
amavisd-new-2.4.5 release notes
SECURITY
- Recommended version of Convert::UUlib is 1.08 or higher
to avoid processing of uninitialized data containing 'random' garbage.
Note that a security hole in uulib which comes with Convert::UUlib 1.04
and older is now (as of 2006-12-05) known to be exploitable:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349
credits to Jean-Sebastien Guay-Leroux;
- p0f-analyzer.pl will no longer reply to queries coming from low-numbered
UDP ports below 1024 or from nfsd port 2049, and will ignore queries
with nonce longer than 1024 character or containing characters outside
of \040-\177 range to limit its usefulness as a potential reflector
for an attacker from internal networks.
INCOMPATIBLE CHANGE WITH 2.4.4
- p0f-analyzer.pl now only binds to a loopback interface by default, instead
of to all interfaces; change $bind_addr in p0f-analyzer.pl to '0.0.0.0'
if p0f-analyzer.pl is running on a different host from amavisd or from
other querying clients; suggested by Shaun T. Erickson and Mario Liehr;
BUG FIXES
- let p0f-analyzer.pl exit when a pipe on stdin is closed (e.g. when p0f
is killed or crashes), instead of entering a tight loop; reported by
Justin Piszcz and Henrik Krohns;
- hard-blacklisting no longer skips quarantining when
$spam_quarantine_cutoff_level is undefined (or is an empty string);
- restart timer after Sophie times out; previously the next attempt
would run with no time limit; reported by Nick Leverton and
Nicklas Bondesson;
- fixed AM.PDP code to always provide smtp-quoted form in angle brackets
in delrcpt and addrcpt attributes of a response, i.e. in the same form
as was received in sender and recipient attributes;
- fix error reporting in open_on_specific_fd when POSIX::dup2 fails;
thanks to Chris (decoder);
- fix signal handling in read_snmp_variables() and register_proc(),
a signal could previously get lost (not re-signaled) if it occurred
within these subroutines;
- fixed get_body_digest which incorrectly determined 7- or 8-bitness
of mail header and body, setting body_type incorrectly (with only
cosmetic ill-effects);
- AM.PDP protocol: ensure proper address form is used in server response
attributes 'delrcpt' and 'addrcpt': the same form should be used as
in 'sender' and 'recipient' attributes. The attribute value syntax is
specified in RFC 2821 as 'Reverse-path' (i.e. smtp-quoted form, enclosed
in <>); previously enclosing angle brackets were missing in a server reply;
- documentation - amavisd.conf-default incorrectly stated that a default
value for $prepend_header_fields_hdridx is 1; actually the default is 0
as correctly indicated in release notes; reported by Jo Rhett;
OTHER
- qmail interfacing notice:
MTA timeout for waiting on results from amavisd should be longer than
$child_timeout (8 minutes by default) with some margin, setting MTA timeout
to 15 or 20 minutes is usual. With qmail however the QMQP code in qmail
has hard-coded timeouts set, 10 seconds for connect and 60 seconds for
read/write. If amavisd processing takes longer than 60 seconds, the MTA
drops connection and retries later, yet amavisd continues processing
and eventually delivers a mail (with each MTA retry), causing repeated
deliveries of the same message. The following patch by Eric Huss on
the www.qmail.org page: http://www.ehuss.org/qmail/qmqpc-timeout.tar.gz
should be applied to qmail when interfacing it to a post-queue content
filter. Problem researched by Nicklas Bondesson;
- better timeout handling in interface code to daemonized virus scanners
like clamd, Sophie, Trophie: allow short time (10 s) for connect and
for sending a request, then allow normal (long) time to collect results;
keep evidence of the initial deadline on retries;
- prefer '7bit' as Content-Transfer-Encoding when attaching original message
or its headers (message/rfc822 or text/rfc822-headers) to DSN or to a
defanged mail, and only specify '8bit' when necessary;
- remove protecting the $ and @ characters in second argument
of a regexp selector macro, it is unnecessary and confusing;
- sanitize Message-ID and Resent-Message-ID header field bodies in
macros %m, %r and header_field by providing angle brackets if missing
to facilitate log parsing (angle brackets are RFC 2822 required syntax
and are semantically not part of a message id);
- updated $map_full_type_to_short_type_re to avoid mapping file(1) result
'MS-DOS executable (built-in)' to types 'exe-ms' and 'exe'; the file(1)
utility generously declares any text file starting with LZ to be a
'MS-DOS executable (built-in)'; thanks to Noel Jones, Jakob Curdes
and Clifton Royston for troubleshooting;
- add X-Spam-* header fields to quarantined mail if spam score is at or
above tag_level. Previously message needed to be recognized as spammy
or spam (tag2 or kill level) in order to receive spam header fields
in quarantined copy. This also makes it more consistent with adding
such header fields to passed mail; suggested by Michael Gaskins;
- add X-Amavis-OS-Fingerprint header field to quarantined mail;
- header field X-Spam-Score in a passed or quarantined mail now reflects
score boost even when SA score is unknown (e.g. when SA was not called),
and reflects white and blacklisting by pushing score to 0 or 64, to
make it consistent with a bar size in X-Spam-Level header field;
- resignal "timed out" after (almost) every eval {} which has no subsequent
call to prolong_timer() to ensure we do not continue running with
disabled timer. Exceptions are DESTROY and END handlers, and code which
handles timer in some other way (e.g. by keeping evidence of a deadline);
- for the purpose of looking up client IP address in @mynetworks_maps,
treat unknown/unavailable IP address as 0.0.0.0; this allows treating
directly submitted mail on the MTA host (not submitted through SMTP) as
coming from IP address 0.0.0.0 (i.e. "This" Network - according to RFC 1700);
Note that this is indistinguishable from other reasons when IP address
is not made available to amavisd, e.g. when smtp_send_xforward_command
option in Postfix smtp service is not enabled, which is why the default
setting of @mynetworks does not include a 0.0.0.0/8 network to prevent
falsely loading a MYNETS policy bank.
One should add 0.0.0.0/8 to a @mynetworks list only when XFORWARD is known
to work and if some software on the MTA host is submitting its mail to MTA
directly, e.g. through a sendmail command, and MYNETS policy bank loading
is needed for proper processing of such mail;
- report a more informative message when a file(1) utility fails to produce
useful results: joins exit status with a parsing report into one message;
thanks to Andres, whose file(1) utility was crashing with SEGV;
- consistency: rearrange implicitly adding $X_HEADER_TAG to a hash
%allowed_added_header_fields so that it is possible to turn off
insertion of $X_HEADER_TAG header field by turning off associated key in
%allowed_added_header_fields even when $X_HEADER_TAG is explicitly defined;
- let %allowed_added_header_fields also control insertion of header fields
into quarantined message;
- amavisd-nanny now displays a title line indicating the semantics of columns;
- Courier patch: ensure the information is stored to newly introduced
recip_addr_smtp and sender_smtp object attributes, which are needed
to preserve pristine address forms for DSN and ORCPT use and for logging;
a patch by Martin Orr;
- qmqpqq (qmail): ensure the information is stored to newly introduced
recip_addr_smtp and sender_smtp object attributes;
- qmail patch now activates line-by-line sending to qmail to avoid qmail bug
('bare LF' reported when CR and LF are separated by a TCP packet boundary);
- tighten a regexp on matching a p0f fingerprint for Windows XP to avoid
matching 'Windows XP SP1+, 2000 SP3'; suggested by Michael Scheidell;
- updated AV entry for CentralCommand Vexira (vascan):
removed hard-coded option '--vdb'; by Brian Wong;
- internal: move code dealing with a SA call to a dedicated
subroutine call_spamassassin;
- internal: provide new routines to collect scalar and structured results
from a subprocess (collect_results, collect_results_structured) and
take advantage of them in decoding, in AV and in dspam interface routines,
unifying code and providing results size sanity limit and consistent
killing of runaway external programs;
- experimental: taking advantage of the above, make it possible to run SA in
a spawned process, requested by setting a new config variable $sa_spawned
to true (it is off by default); benefits are that a mainstream child process
can not be brought down by potential processing problems in SA or its
external modules, and timeouts are handled cleanly by a calling process;
downside is an increase of process count (worst case: doubled), with
corresponding increase in memory footprint, plus about 20 .. 30 ms
of additional processing time for each call to SA;
- added a tuning tip on buffer sizes to README.sql for MySQL with InnoDB,
by Wayne Smith;
- updated URL of Sophie AV scanner;
---------------------------------------------------------------------------
June 27, 2006
amavisd-new-2.4.2 release notes
SUMMARY OF CHANGES:
- new feature: "pen pals soft-whitelisting" lowers spam score of received
replies to a message previously sent by a local user to this address;
- new feature: added command line options to override certain configuration
settings from a config file, see below;
- documentation bug fixes, especially on the use of SQL data type TIMESTAMP;
- zoo decoder interface routine can now use utility unzoo(1) or zoo(1);
---------------------------------------------------------------------------
May 8, 2006
amavisd-new-2.4.1 release notes
INCOMPATIBLE CHANGE WITH 2.4.0:
- notification templates incompatibility with 2.4.0 (but not with versions
2.3.3 or older): major contents category numbers are renumbered due to a
newly inserted category CC_SPAMMY; it affects the use of macro ccat_maj
in templates (one field added), and only affect users which provide
non-default templates based on 2.4.0 templates; older templates (2.3.3
or earlier) are unaffected as they do not use macro ccat_maj;
---------------------------------------------------------------------------
April 3, 2006
amavisd-new-2.4.0 release notes
The most important changes since 2.3.3 at a glance:
Delivery status notifications (DSN) are now supported, both as a SMTP
protocol extension and in notifications. Header fields like X-Amavis
and X-Spam are now prepended to mail header for DomainKeys compatibility.
Configuration variables can be chosen based on mail contents category,
which is now represented explicitly. A built-in macro expander is enhanced,
providing new macros and call types. Added support for passive operating
system fingerprinting with the use of p0f, supplying collected information
as a header field to SpamAssassin. Provide compatibility with Net::Server
0.91 and later.
since they always need a C compiler, even when the source code is
completely in C++.
For some other packages, stated in the comment that a C compiler is
really not needed.
patch provided by eggert at macvaerk dot dtu dot dk
in PR 31127
changes:
Version 2.3.3 is a maintenance release over 2.3.2. Besides fixing known
problems and providing some optimizations, no new features were added.
If using SpamAssassin older than 3.1, an upgrade of either SA to 3.1,
or an upgrade of amavisd-new to 2.3.3 is recommended.
- privacy: add a safety fuse / workaround around calls to SA to detect
SA's failure (in SA versions before 3.1) to catch a failed exec() in a
forked process, which could produce runaway process clones. See SA bug
report #4370. An incident of a mail copy being delivered to unrelated
recipient reported by Joel Nimety;
- privacy: turn warning into a fatal error when a quarantine ID of a message
requested for a quarantine release does not match the requested mail_id;
- security: require minimal version 1.35 of Compress::Zlib to avoid
vulnerability in the zlib compression library;
- the dsn_cutoff_level should have been ignored if undefined according to
documentation, but was not, causing DSN to be suppressed regardless of
spam level; discovered by Gary V;
- ensure the banned check is not performed if all recipients agree
it is not needed, even in presence of $banned_namepath_re;
undesired behaviour (not strictly incorrect) reported by Joel Nimety;
- missing import of lookup_ip_acl in module Amavis::In::AMCL caused
failure in sendmail milter setup when using the new AM.PDP protocol;
reported by Mic And;
- document and explicitly define handling of syntactically invalid IP address
in lookup_ip_acl: it matches a zero-length-mask net, a constant lookup table,
or a hash entry with an undef key, but no other entries in IP lookup tables;
syntactically invalid IP addresses are now logged;
- fix parsing if IPv6 address in $notify_method and $forward_method in case
of dynamic destination override (the use of '*' in method fields);
- check during startup that $myhostname is a fully qualified domain name
(or 'localhost', if you must), and abort if it isn't, otherwise a non-FQDN
can end up in places where RFC 2822 does not allow it; if uname(3) does not
provide a FQDN, then an assignment to $myhostname must be done explicitly
in amavisd.conf;
- when quarantining to a single file in mbox format the 'From ...' line
needs an English date, regardless of current locale; fixed by globally
setting locale LC_TIME to "C";
- pass on the parameter BODY=8BITMIME on MAIL FROM when submitting to MTA
when original message reception indicated it is needed (RFC 1652).
Note that mail forwarding may now fail if the feeding MTA requests
BODY=8BITMIME SMTP service extension (or just passes data with msb set),
but the MTA on the output side does not allow the use of the BODY parameter
in SMTP. In case of Postfix this may only happen when receiving service
on port 10025 is misconfigured and does not announce ESMTP capability
and support for the SMTP service extension 8BITMIME;
- RFC 2554 requires auth_param to be xtext-encoded addr-spec (no angle
brackets) or "<>", not the xtext-encoded addr-spec enclosed in angle
brackets (when specifying submitter during authentication); fixed;
- apply some sanity limit on collected bad-header samples to ensure that
a grossly broken mail does not unnecessarily fill up memory;
- when sending recipient warnings for viruses, banned files, or bad headers,
recipient address must not be rfc2822-quoted twice; fixed;
- fix interpretation of $defang_all to really imply all; previously it only
affected clean messages;
- in quarantined mail the reported spam score in X-Spam-Status header field
now includes maximum of all by-recipient score boosts (less surprising
when soft-whitelisting through @score_sender_maps is in use); suggested
by Mike Cappella and Gary V;
- when a policy delegation protocol attribute "request" is not "AM.PDP"
(perhaps it is a Postfix policy delegation request) don't attempt to find
and open a mail file;
- do_ascii and do_unarj: set environment variable TMPDIR or a command line
temporary directory option to "$tempdir/parts" instead of $TEMPBASE
to minimize possible pollution of top level directory;
- don't abort even if amavisd.conf returns undef as a final value,
as long as there are no errors reading or interpreting it;
- if during 'amavisd stop' or 'amavisd reload' the old running daemon does
not go away for one minute after sending it a SIGTERM, use a bigger
hammer and send it a SIGKILL; suggested by Sven Riedel;
- extend LDAP lookups to allow multiple search attributes (multiple
occurrences of %m in a query); a patch by Michael Hall (and a similar
one by Matthias Bandemer);
- LDAP lookup on an empty envelope address (e.g. a null return path)
adds another lookup key "<>", as it is difficult if not impossible
to have LDAP attributes with empty string as a value; by Michael Hall;
- LDAP.schema: drop "MUST ( mail )" from objectclass 'amavisAccount';
suggested by Michael Hall;
- updated comments and documentation, most notably the README.chroot;
- contributed file Macintosh.tar.gz updated by Dale Walsh;
COMPATIBILITY
- replaced 'hits=' with 'score=' in inserted X-Spam-Status header field
(and in some internal log entries) for compatibility with a changed
default in SpamAssassin 3.1;
- insert X-Spam-Score header field for compatibility with SA (previously
insertion of this header field was commented-out because the information
is redundant, as the score already appears in X-Spam-Status);
OPTIMIZATION
- speed up sending a mail header or full defanged (rewritten) mail over SMTP
back to MTA by a factor of 4 by buffering header fields into large chunks
to avoid bottleneck in Net::Cmd::datasend, which has lots of overhead for
line-by-line writes. Previously slow writes mostly affected mail messages
with extreme header lengths (such as results of a broken mail loop), or
when delivering defanged messages, particularly at sites with large MTA
mail size limits, sometimes to a point of exceeding timeout limits;
reported by Dominik Weber and Ralf Hildebrandt;
- move subroutine lookup_ip_acl() and associated ip_to_vec() into its own
dedicated new package Amavis::Lookup::IP; provide a constructor to pre-parse
IP lookup tables to speed up IP lookups in lookup_ip_acl; prepare pre-parsed
commonly used IP lookup tables (@mynetworks_maps, @publicnetworks_maps,
@inet_acl);
- optimized reading loop in SMTP DATA state, receiving data is now about
35% faster when mail size limit is not enforced (which is a default);
no speedup when mail size limit _is_ enforced;
- cache results of evaluated macros during a single call to expand(),
as macro calls often come in pairs, like: [?%e||\[%e\] ]
or [? %#T ||, Tests: [%T|,]]; together with the above optimization in
pre-parsed IP lookups it shaves off 25% of time in preparing main log entry;
- set locale LC_TIME to "C" globally, avoid changing and restoring locale
for every log write and when generating RFC2822 timestamps;
- added an optimization note in README.sql about indexes and about
SELECT count(*) in MySQL with InnoDB; investigation by Paolo Cravero;
---------------------------------------------------------------------------
June 29, 2005
amavisd-new-2.3.2 release notes
INCOMPATIBILITY with 2.3.1 and earlier versions:
If running amavisd daemon in chroot please note:
Each child process now opens its own syslog connection or a file descriptor
to a log file, and no longer inherits a connection from its parent.
When running in chroot jail and logging to syslog, the syslog client
routines need syslogd socket to be present in the chroot subtree to be
able to establish a connection with syslogd, otherwise logging output
may be lost. Additional syslogd sockets (to be made available in the
jail) may be requested from the syslogd daemon, see its documentation.
This requirement is equivalent to the requirement of chrooted Postfix
services (see Postfix documentation file BASIC_CONFIGURATION_README).
BUG FIXES since 2.3.1:
- do not enforce $MAXFILES limit during top-level MIME decoding to avoid
tempfailing mail; MIME parts are still counted, so a limit exceeded may
still be reported during subsequent decoding, but this is handled more
gracefully and does not cause preserved temporary directories to be left
behind; reported by Marcin Lemanski; suggested by Stephane Lentz and
Robert LeBlanc (noted in the 2.0 release notes);
- use recv() instead of read() to get results from daemonized virus scanners
in an attempt to avoid a bogus Perl I/O status on some Linux installations
(reported by Sander Steffann); we now get a meaningful status codes like
ECONNRESET instead of a bogus EBADF (Bad file descriptor);
- ignore status ECONNRESET when reading results of a daemonized virus scanner
from a socket, specific to some Linux versions; thanks to Sander Steffann
for the initial report and extensive help in debugging the Perl problem;
- run_av and other similar code sections: replace line-by-line reads by
block-by-block reads wherever possible to avoid inappropriate status report
EBADF (Bad file descriptor) caused by Perl I/O bug when last line is not
terminated by a newline. The problem was affecting reading response from
some command line virus checkers; reported by Sander Steffann;
- ignore status EAGAIN when reading results on a pipe from a forked process;
the status EAGAIN seems to be an artifact of Perl I/O on some installations;
reported by several people to cause problems on FreeBSD with Perl 5.8.7
(but Perl 5.8.6 is fine); thanks to Bart Matterne for testing and feedback;
- allow one level of indirection when collecting %needed_protocols;
global setting $protocol='COURIER' did not work, a workaround was needed
with previous version, e.g.: $policy_bank{'QMQPqq'}={protocol=>'QMQPqq'};
reported by Nicklas Bondesson and Martin Orr;
- fix a bug (introduced with 2.3.0) in Courier and QMQPqq setups, where global
information about processed message wasn't always reset and could leak
into processing of a subsequent message; reported by Nicklas Bondesson;
- SQL: fix arguments in calls to last_insert_id(), failing under PostgreSQL
(MySQL didn't mind); pointed out by Henrik Krohns;
- if module SAVI is loaded, insist it is version 0.30 or later;
incompatibility with earlier versions reported by Andrzej Kukula;
- make use of the new Net::Server 0.88 hook run_n_children_hook() to
reload SAVI database; removes a need to apply SAVI patch to Net::Server;
the Net::Server hook was suggested by Paul B. Henson and others,
and incorporated into Net::Server 0.88 by Paul Seamons;
- reopen log file or syslog connection in each child process to make it use
its own file descriptor; also minimizes transients when syslogd is restarted
and its socket re-created, as reported by Les Ault. When running in chroot
please make sure a syslogd socket is also available in the chroot jail,
see README.chroot for syslogd options (and BASIC_CONFIGURATION_README
in Postfix documentation for the Postfix equivalent);
- close log file or syslog in forked process before exec, just to play nicely;
- do_lha: fix extracting archive member filename in case of broken archive
or empty name (avoid interpreting creation date as a file name);
do not increment OpsDecByLha counter for empty archives, which are
most likely not lha archives at all;
- obey $final_bad_header_destiny D_DISCARD or D_REJECT even for messages
with bad headers from mailing lists or with a null envelope sender (DSN);
previously such messages were passed; undesired behaviour reported
by Cami Sardinha.
Such messages are still let through with $final_bad_header_destiny set to
D_BOUNCE, as otherwise they will be lost because a bounce is suppressed
for null sender messages and for mail from mailing list. This behaviour
is retained for backwards compatibility, but may need to be reconsidered.
- fix regexp for extracting am_id from amavis-milter helper program requests;
- if fork/exec fails, try to commit suicide in forked process with
POSIX::_exit(1) first, before trying kill('KILL',$$) as a last resort;
- updated $log_templ example in amavisd.conf-sample to match the default;
pointed out by Gary V;
- further reduce a couple of more frequent Perl warnings about the use of
uninitialized values in expressions;
- pre-load additional Perl modules required by SA 3.1 plugins;
- require minimal versions of modules: Time::HiRes 1.49, Archive::Zip 1.14;
- replaced nonexistent variable @sa_spam_modifies_subj_maps by
@spam_modifies_subj_maps in commented-out example in amavisd.conf-sample;
noticed by Joachim Schoenberg;
LDAP CHANGES by Michael Hall:
All the LDAP changes are transparent to the user.
- rewritten some of the code similar to the restructuring of the SQL code
in version amavisd-new-2.3.0. A new package Amavisd::LDAP::Connection was
added which is a LDAP connection object, and the old connection-related code
in Amavis::Lookup::LDAP has been moved to the new package. Amavisd-new will
now try to reconnect (once) while processing a message, similar to SQL;
- added the ability to specify a '%d' (domain) token in the LDAP base DN;
based on idea from Alexander Wittig;
- updated default LDAP port based on whether SSL/TLS is being used or not;
based on idea from Timo Veith;
- updated the search code to query for multiple records and return the results
sorted in 'make_query_keys' order versus doing a query for each key.
As a result performance is enhanced, and the tweaks 'ldap_get_all', and
'use_query_keys' (recently added) are no longer applicable or needed
and have been removed;
- improved LDAP error reporting and misc changes to multivalued attributes;
- documentation changes (amavisd.conf-default, README.lookups);
MINOR IMPROVEMENTS:
- macro %c (commonly used in a log template) reports spam score no longer
as a single number, but as an explicit sum of a SA score and a by-sender
boost score (from @score_sender_maps) when boost score is nonzero;
suggested by Ed Walker;
- enhancement to amavisd-release: if its only command line argument is '-',
then read arguments from stdin, one release request per line, ignoring empty
lines; input lines have the same format as command line arguments, i.e.:
mail_file
mail_file secret_id
mail_file secret_id alt_recip1 alt_recip2 ...
- better handle cases where a persistent temporary file email.txt
as prepared by the SMTP server module gets replaced as a result
of some user program modification (e.g. when invoking altermime);
problems reported by Dinesh Shah and Leonardo Rodrigues;
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
Here's an excerpt from the rather long RELEASE_NOTES included in the
distribution:
QUICK OVERVIEW:
Provides more flexible configuration of decoders. Allows recipients to have
individual banning rules. Assigns a long-term unique id to each message,
reducing clashes and facilitating retrieval of information. The daemon can
store information to a SQL database for logging, reporting and quarantine
retrieval, optionally storing entire message to a SQL database. File-based
quarantine can disperse files to 62 subdirectories. Provides a quarantine
release mechanism. Reconnects to SQL if connection is broken. Can skip
quarantining high-score spam. Compatibility with IPv6-enabled Postfix
is improved.
SECURITY:
- require minimal version 1.05 of Convert::UUlib to avoid a known security
problem in the underlying uulib (likely to be exploitable);
around at either build-time or at run-time is:
USE_TOOLS+= perl # build-time
USE_TOOLS+= perl:run # run-time
Also remove some places where perl5/buildlink3.mk was being included
by a package Makefile, but all that the package wanted was the Perl
executable.
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
Release notes:
December 22, 2004
amavisd-new-2.2.1 release notes
SECURITY:
- add support for the pax(1) archive decoder, which can handle tar/cpio/pax
archives (including legacy format variants). Due to limitations in cpio
(and in Archive::Tar), for security reasons it is preferred to decode
such archives with pax and no longer with cpio; please add a line:
$pax = 'pax';
to amavisd.conf and verify that the program pax is installed on the system
(and in the jail if running in chroot);
- perform additional tests at startup time on the proper protection
of the configuration file;
- add file name extensions wmf, emf and grp to the example list of
banned extension, according to recent Microsoft security bulletins;
suggested by Stephane Lentz;
- introduces 'clean but inconclusive' av scanner result to avoid a specialized
or quick partial av scanner like jpeg checker to claim mail is clean
when all other general purpose av scanners fail (see below);
INCOMPATIBILITY:
- removed some legacy $*_ldap variables, as they are no longer needed;
These variables were still declared but ignored in 2.2.0 for compatibility
with older amavisd.conf files. Such variables need to be removed from
the amavisd.conf if they are still present there from older versions,
otherwise Perl will complain with 'Global symbol ... requires explicit
package name";
OTHER FIXES:
- files_to_scan and decompose_mail are now able to remove unexpected
directories which may have been left behind by some failed decoding
and were causing temporary failures and mail delivery retries;
error recovery problem after failed unarj reported by Ralf Hildebrandt;
- error recovery code in files_to_scan and rmdir_recursively now tries to
change protection on directories and files, and retry if the first attempt
to access them fails because of denied permission;
- pre-load some additional Perl modules needed by SA when running in chroot;
- add module Net::LDAP::Search to a list of pre-fetched modules;
omission pointed out by Paul Jacobson;
- when quarantining is disabled by keeping $QUARANTINEDIR undefined,
the log entry and administrator notification message inappropriately
suggested that mail was quarantined, which in fact (appropriately)
it was not. Setting $QUARANTINEDIR='' did work as expected.
Reported by Sascha Lucas;
- avoid the use of Encode::is_utf8 due to a Perl bug (still present in 5.8.5)
where Encode::is_utf8 on tainted utf8 character string produces false;
- modify safe_encode() to guarantee the result is a string of octets,
not a string of UTF-8 characters; it saves some unnecessary work in
further processing and keeps MIME::Entity from UTF swamp when running
in chroot; problem pointed out by Branko F. Gracnar;
- avoid braindead Perl default where an empty regexp implies the last
successfully matched regexp, which (if not being very careful) brings in
some completely unrelated last-executed regular expression;
- change kill 'TERM' into kill 'KILL' when a forked process within run_command
and run_command_consumer gets into deep trouble, to avoid exit handlers
being invoked in the subprocess (which could lead to two processes trying
to clean the same set of temporary files);
- in an old sendmail setup using the amavis(.c) helper program without
LDA arguments, avoid inappropriate warning:
"WARN: no recips left (forgot to set $forward_method=undef using milter?)
and return status 0 instead of 99 when message is to be blocked, as the
helper program amavis(.c) does not recognize status 99 in this situation
and inappropriately passed it on to sendmail; reported by The Mindflayer;
- the @bypass_header_checks_maps is now able to also bypass the bad header
checks as provided by MIME::Parser; inconsitency reported by CRivera;
- avoid some Perl warning messages; thanks to Bill Landry;
CHANGES AND MINOR NEW FEATURES:
- add configuration variable @newvirus_admin_maps (and $newvirus_admin,
along with corresponding SQL field 'newvirus_admin') which works like
the existing @virus_admin_maps (and $virus_admin), except that it sends
virus administrator notification to specified e-mail address only for newly
encountered viruses which have not yet been encountered since the amavisd
startup. It makes use of by-virusname counters in the SNMP counters
database. If more than one child process starts working on infected
message containing a not-yet-accounted-for virus, there might be more
than one 'first time' notification, this is not a malfunction. Both
the @newvirus_admin_maps and the @virus_admin_maps may be enabled,
each (possibly both) would receive their notifications as appropriate.
A useful setting is to globally enable only the new virus notifications,
and additionally enable _all_ administrator notifications for internally
originating mail only (by the use of policy banks);
- provide separate configuration variables @banned_admin_maps and
@bad_header_admin_maps, along with corresponding SQL fields
'banned_admin' and 'bad_header_admin'; their function was previously
covered by @virus_admin_maps, which now only still controls administrator
notifications in case of viruses;
- introduces 'clean but inconclusive' av scanner result to avoid a specialized
or quick partial av scanner like jpeg checker to claim mail is clean
when all other general purpose av scanners fail:
in av scanner entries (lists @av_scanners and @av_scanners_backup) give
an extended meaning to undefined fourth argument (the 'match for clean'
list or regexp). The interpretation of the fourth argument is now:
4. an array ref of av scanner exit status values, or a regexp (to be
matched against scanner output), indicating NO VIRUSES found;
a special case is a value undef, which does not claim file to be clean
(i.e. it never matches, similar to []), but suppresses a failure warning;
to be used when the result is inconclusive (useful for specialized and
quick partial scanners such as jpeg checker);
Also modified example jpeg checker entry in amavisd.conf accordingly.
- NOD32 av scanner: changed @av_scanners entry to match the new version
of the scanner; thanks to Nejc Skoberne;
- added @av_scanners entry for File::Scan;
- when preparing a SQL SELECT clause for white/blacklisting lookup,
take into account a relative position of ? and %k in the
$sql_select_white_black_list template to improve flexibility
of specifying the clause; suggested by Matt Petteys;
- reduce the log level of some more common and harmless log messages;
- macro %p and the log entry now reports full policy bank path,
not just the last loaded policy bank name;
- added LDAP attributes amavisWarnVirusRecip, amavisWarnBannedRecip,
and amavisWarnBadHeaderRecip; by Joel Nimety and Michael Hall;
- renamed LDAP attribute name amavisSpamModifiesSubject to
amavisSpamModifiesSubj in order to match the documented LDAP schema;
noticed by Kees Bos, patch by Michael Hall;
- add support for ripOLE decoder, which attempt to extract embedded documents
from MS OLE documents (MS Office) (http://www.pldaniels.com/ripole/,
by Paul L Daniels)); ripOLE is still experimental/alpha code;
To be make amavisd-new find the installed program 'ripole', add the:
$ripole = 'ripole';
to the amavisd.conf; suggested by David Wilson and Noel Jones;
- allow multiple occurrences of command line option: -c config_file
and execute the provided configuration files one after the other;
based on a subset of functionality provided as a patch by Davor Ocelic;
- a slight improvement (in default $map_full_type_to_short_type_re)
in classifying mpeg and some other multimedia files;
- several minor code cleanups;
- add a recommendation by Daniel J McDonald to a documentation file INSTALL:
If different UID is preferred for an AV scanner, a solution for
ClamAV is to add user clamav to the amavis group, and then add
AllowSupplementaryGroups to clamd.conf;
- enclosed a simple demonstrational Perl program amavis.pl, which is
functionally much like the amavis.c helper program, but talks the new
AM.PDP protocol with the amavisd daemon. See README.protocol for the
description of AM.PDP protocol. To be placed in amavisd.conf:
$protocol='AM.PDP'; $unix_socketname='/var/amavis/amavisd.sock';
Usage: amavis.pl sender recip1 recip2 ... < message.txt
- documentation updates;
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
New in 2.2.0:
MIME traversal now includes MIME container parts (e.g. multipart/*,
message/*), making them visible to banned rules. This version
preserves original zip archives for virus scanners if the archive
contains any zero-length members. New short types 'dll' and 'empty'
makes blocking recent viruses more flexible, including their
unsuccessful propagation attempts. It recognizes standard Unix
archives and unpacks Debian binary packages. The LDAP modules were
rewritten. The handling of double errors was improved. This version
supports mail size limits and Mail::ClamAV 0.12. A new AV entry
'check-jpeg' can test JPEG images for validity.
New in 2.1.2:
This release fixes (hard) blacklisting and whitelisting on static
lookup tables, which was failing to match any sender. The 'neutral'
sender notification, which was joining the Subject and the Message-ID
header fields in some situations, has been fixed. The signal and
error handling in code sections holding BDB locks is now more
thorough. A new %e macro is provided that evaluates to a best guess
of the originator IP address collected from the Received trace.
New in 2.1.1:
The default use of $banned_filename_re, which was lost in 2.1.0,
was added back. A fix was made for inappropriate log entry in SQL
whitelisting, complaining about unexpected wb field value. Missing
import of &ca was added to the amavisd-new-courier.patch. A default
directory is now provided with delivery method "bsmtp", if not
specified. The Mail::SpamAssassin::Plugin::Hashcash module is
pre-loaded with SA 3.0.0, and Mail::SpamAssassin::SpamCopURI with
URI::* is loaded for older SA versions. Small enhancements were
made to amavisd-nanny.
New in 2.1.0:
The use of BerkeleyDB is now optional. The configuration files were
cleaned up, and a small new amavisd-nanny utility that shows the
status of all child processes and checks for vanished or stale
processes was included. Two important bugfixes were made in the
ACL and SQL lookup code along with numerous other fixes and small
improvements. Users of 2.0 should upgrade to this release.
into the bsd.options.mk framework. Instead of appending to
${PKG_OPTIONS_VAR}, it appends to PKG_DEFAULT_OPTIONS. This causes
the default options to be the union of PKG_DEFAULT_OPTIONS and any
old USE_* and FOO_USE_* settings.
This fixes PR pkg/26590.
amavisd-new is an interface between message transfer agent (MTA) and
one or more content checkers, e.g. virus scanners, SpamAssassin, etc.
It is a performance-enhanced and feature-enriched version of amavisd
(which in turn is a daemonized version of AMaViS or amavis-perl).
amavisd-new is normally positioned at or near a central mailer, not
necessarily where user's mailboxes and final delivery takes place. If
you are looking for fully per-user configurable and/or low-message-rate
solution to be placed at the final stage of mail delivery (e.g. called
from procmail), there may be other solutions more appropriate for your
needs.
Package created and maintained by Julian Dunn in pkgsrc-wip.
