@@ -1,14471 +0,0 @@
----------------------------------------------------------------------------
- June 30, 2012
-amavisd-new-2.7.2 release notes
-
-BUG FIXES
-
-- a generated Received header field was missing the 'IPv6:' prefix
- in the TCP-info component of a 'by' subfield (as required by RFC 5321,
- section 4.1.3) when amavisd received a message over an IPv6 protocol;
- (btw, the TCP-info component of a 'from' subfield was correct);
-
-- changed data type of a SNMP variable LogRetries from C32 to C64
- for consistency with the MIB;
-
-- updated AV entry 'AVG Anti-Virus' to consider status-403 continuation
- lines when searching for a virus name; suggested by Ralf Hildebrandt;
-
-
-OTHER
-
-- reduce a log level to 5 on a log message:
- Amavis::IO::RW: Error flushing on close: ...
- to avoid an innocent but sinister-looking warning when a pipe
- to a virus scanner is broken and needs to be re-established;
- reported by Stefan Jakobs;
-
-- updated an AV entry for 'F-Secure Linux Security' to version 9.14;
- options updated by Mika Ilmaranta, a patch by Tuomo Soini;
-
-- fix a Unix socket compatibility issue with Net::Server versions 2.000,
- 2.001 and 2.002, where a method NS_unix_path no longer exists.
- This method was re-introduced for compatibility reasons in 2.003.
- Reported by Paul MacKenzie;
-
-
----------------------------------------------------------------------------
- April 29, 2012
-amavisd-new-2.7.1 release notes
-
-BUG FIXES
-
-- prevent rmdir() from failing with 'Invalid argument' on Solaris 10 when
- deleting a temporary directory: current working directory must not be
- within a directory which is about to be deleted; reported and diagnosed
- by Maciej Uhlig;
-
-- forwarding or quarantining through a 'pipe:' method failed with
- "Insecure dependency in exec while running with -T switch" when a
- sendmail command-line option -N was needed; reported by Andreas Schulze;
-
-- when multiple sockets are specified (e.g. in $forward_method) as a
- redundancy/failover mechanism, and SMTP session caching is enabled,
- a failed forwarding session does not clear a cached session, so all
- further attempts are stuck with the failed server, instead of picking
- a different server from the list; discovered by Michael Storz;
-
-- on establishing a SMTP session when multiple sockets are specified
- (e.g. in $forward_method) as a redundancy/failover mechanism, the
- random choice never picked the last socket in a list;
- discovered by Michael Storz;
-
-- fix defanging by mimedefang, it was failing with perl 5.10 or later
- due to an unhandled "Insecure dependency in sprintf" while logging the
- result if the $log_level was 2 or higher, or when debugging was enabled;
- thanks to Steve Scotter for a problem report;
-
-- fix defanging by Anomy::Sanitizer, it was failing with an error message:
- "mangling by anomy failed: replacement size 0, mail will pass unmodified";
-
-- fix the 'xz' entry in a default @decoders list (in files amavisd.conf,
- amavisd.conf-default and amavisd); the first two variants ('xzdec' and
- 'xz') were glued together, so the xz decoder was only available if found
- under names 'unxz' or 'xzcat';
-
-- provide a workaround for a bug [rt.cpan.org #64642] in a perl module
- Encode, which gratuitously untaints a string when encoding or decoding it:
- https://rt.cpan.org/Public/Bug/Display.html?id=64642
- (still unfixed in Encode 2.44, perl 5.14.2);
- A module Scalar::Util is now required, which should not be a compatibility
- problem, as this module is a Perl core module since perl 5.8.0.
-
-- avoid the use of Encode::is_utf8 due to a bug in a perl module Encode
- as bundled with versions of Perl 5.8.0 to 5.8.8 (fixed in March 2007):
-
- Perl bug tracking: #32687:
- Encode::is_utf8 on tainted UTF8 string returns false
- https://rt.perl.org/rt3/Public/Bug/Display.html?id=32687
- also referenced by #37170:
- https://rt.perl.org/rt3/Public/Bug/Display.html?id=37170
-
- This is a re-manifestation of the same problem we had back in 2004,
- with a workaround provided by amavisd-new-2.2.1. Forgot that people
- are still using Perl 5.8 :) Reported by Peter Dieth;
-
-- fix a warning: _WARN: Invalid conversion in sprintf: "%a"
-
-- write informational messages during a stop/start/restart to stdout,
- instead of to stderr, avoiding unnecessary cron job messages;
- thanks to Cristian Seres, Sandro Janke and John Griffiths;
- also: https://bugzilla.redhat.com/show_bug.cgi?id=561389
-
-- fix a syntactically incorrect 'Avira SAVAPI' av entry (missing
- closing bracket) in a sample configuration file amavisd.conf;
-
-- minor: get_body_digest incorrectly logged 8-bit body as 8-bit header;
-
-- no longer insist on a minimal version 2.22 of a module Digest::MD5,
- the 'clone' method is no longer needed since amavisd-new-2.7.0;
-
-- do not call $parser->max_parts($MAXFILES) with some old versions
- of MIME::Parser which did not yet provide this method;
-
-- pre-load a module File::Glob even with perl 5.8.0, otherwise
- autowhitelisting in SpamAssasssin may fail with "Insecure dependency";
-
-- documentation: (files README.sql-mysql and README.sql-pg):
- fixed a field name "policy.unchecked_lover", previously incorrectly
- specified as "policy.unchecked_lovers_maps"; reported by TimH;
-
-- documentation: fixed the two SELECT examples in files README.sql-pg and
- README.sql-mysql, the field 'select' needs to be qualified with a table
- name: 'msgrcpt.content' to avoid ambiguity; reported by Gary V;
-
-- documentation bug in amavisd.conf-default: 'ESMTP' is not a valid
- setting for $protocol, just use 'SMTP' instead; reported by Pascal Volk;
-
-
-COMPATIBILITY
-
-- commented out the LHA entry in the default @decoders list and in
- do_executable(). The program seems to be unmaintained, was seen crashing
- and as such it may pose a security risk; pointed out by Thomas Jarosch;
-
-- due to popular demand, bring the 'spam-tag:' log line back to log level 2
- (version 2.7.0 dropped it to log level 3) to retain compatibility with
- some log analyzers. Caveat: 'spam-tag' string is now entirely in lowercase.
- Suggested by Stefan Jakobs;
-
-
-OTHER
-
-- if a message is quarantined to more than one location using different
- quarantine methods, the SQL field msgs.quar_type indicates only the
- type of the last one. When archival quarantining is enabled this choice
- is unfortunate, as the primary quarantine type is more interesting
- than the permanent archival quarantine type. This is now reversed,
- the msgs.quar_type field now reflects the first quarantine type.
- Suggested by Patrick Ben Koetter.
-
-- SMTP session caching now no longer re-uses old sessions which are
- in use for more than a minute since their establishment; suggested
- by Michael Storz;
-
-- having the archive quarantine enabled should not be a sufficient reason
- to store information to SQL when $sql_store_info_for_all_msgs is off;
- Suggested by Patrick Ben Koetter.
-
-- ClamAV-clamd and ClamAV-clamd-stream av scanners: changed socket name
- in a sample configuration file amavisd.conf to /var/run/clamav/clamd.sock
- (previously the socket name was /var/run/clamav/clamd); this makes it
- compatible with a default socket name under several Linux distributions
- and under FreeBSD; suggested by Oliver Schinagl;
-
-- documentation updates;
-
-
----------------------------------------------------------------------------
- July 1, 2011
-amavisd-new-2.7.0 release notes
-
-Contents:
- NEW FEATURES SUMMARY
- GENERAL
- COMPATIBILITY WITH 2.6.4 / 2.6.5 / 2.6.6
- BUG FIXES SINCE 2.6.6
- BUG FIXES SINCE 2.6.5
- BUG FIXES SINCE 2.6.4
- NEW FEATURES
- OPTIMIZATIONS
- OTHER
- CLEANING
-
-
-NEW FEATURES SUMMARY
-
-- significant improvements affecting a pre-queue content filtering setup
- (time limiting, warm/flying restart, ...) - requires Postfix 2.7.0 and
- SpamAssassin 3.3.0, or later;
-
-- new daemon amavisd-signer makes it possible to sign mail with DKIM
- signatures without requiring amavisd process to have access to private
- signing keys;
-
-- added support for the Sophos-SSSP, Avira SAVAPI and ClamAV clamd streaming
- protocols allows amavisd to communicate with these antivirus solutions;
-
-- allow specifying multiple (fail-over) back-end mailers for resubmission
- of messages from amavisd back to MTA;
-
|
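Review bot: The header "@@ -1,14471 +0,0 @@" deletes the release notes wholesale instead of changing them in place, so nothing in this hunk shows whether the 2.7.2, 2.7.1 and 2.7.0 entries survive unchanged in the replacement file. That history includes security-relevant entries, such as the 2.7.1 COMPATIBILITY item that comments out the LHA decoder because it "may pose a security risk", and the workaround for the Encode module untainting strings. Please regenerate the diff as an in-place modification (check for a line-ending or encoding change that makes every line differ) so that only the 2.8.0 additions show up and the older sections can be confirmed intact.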
@@ -0,0 +1,15113 @@
+---------------------------------------------------------------------------
+ June 30, 2012
+amavisd-new-2.8.0 release notes
+
+Contents:
+ COMPATIBILITY
+ BUG FIXES
+ NEW FEATURES SUMMARY
+ NEW FEATURES - 0MQ
+ NEW FEATURES - OTHER
+ OTHER
+
+
+COMPATIBILITY
+
+- removed an old compatibility measure: default value of @banned_admin_maps
+ was changed from:
+ @banned_admin_maps = (\$banned_admin, \%virus_admin, \$virus_admin);
+ to a more consistent:
+ @banned_admin_maps = (\$banned_admin);
+ The previous default value of @banned_admin_maps tried to maintain
+ compatibility with versions before the setting was separated from
+ its companion @virus_admin_maps. Now this compatibility is no longer
+ considered necessary and contributes to some confusion, so it was dropped.
+ See 2.4.0 and 2.2.1 release notes for previous changes to this setting.
+
+- quarantining to an mbox format file used to include a local time in an
+ mbox separator line, which differs from RFC 4155 and common practices
+ of using an UTC timestamp; a time zone of a timestamp in separator lines
+ is now changed to UTC;
+
+
+BUG FIXES
+
+- fixed initial evaluation of dynamic (i.e. per policy bank) values of
+ $enable_dkim_verification, $enable_dkim_signing and $bypass_decode_parts
+ across all declared policy banks; these policy bank entries may be scalars
+ of references to such;
+
+- finely adjust a message size for de-stuffed dots according to a size
+ definition in RFC 1870; avoids occasional message size mismatch when
+ using an antispam interface module SpamdClient (implementing client-side
+ of a spamc/spamd protocol);
+
+- updated LDAP.ldif to match LDAP.schema; provided by Quanah Gibson-Mount;
+
+- updated AMAVIS-MIB.txt and amavisd-snmp-subagent: changed type of
+ SNMP variables *MsgsSize* in the group amavisStats 7 from Counter32
+ to Counter64 for consistency with other *MsgsSize* variables in groups
+ amavisStats 3 and amavisStats 9;
+
+See also the bug fixes section of 2.7.1 and 2.7.2 release notes.
+All fixes applied to 2.7.1 and 2.7.2 are incorporated in the 2.8.0 code.
+
+
+NEW FEATURES SUMMARY
+
+- For monitoring and statistics gathering purposes a new set of utilities
+ and service processes is available based on a message passing paradigm,
+ using a 0MQ (a.k.a. ZMQ, ZeroMQ, or Crossroads I/O) library. This
+ replaces a functionally similar set of utilities based on a shared
+ BerkeleyDB database, with a benefit of avoiding lock contention
+ altogether. This can bring sigificant speedups, most pronounced on
+ a host with many busy amavisd child processes.
+
+- Applied numerous fine-grained optimizations based on a NYTProf profiler
+ results. Optimizations include a reduction in a number of generated
+ Perl opcodes and similar micro-optimizations. This accounts for a large
+ amount of small changes in the code.
+
+- Our current statistics (Q4 2011) shows that 80 % of messages are below
+ 30.000 bytes, and 90 % of mail messages are below 100.000 bytes in
+ size. As an optimization, messages below 100 KiB in size are now kept
+ and processed in memory, including passing them more optimally to
+ SpamAssassin 3.4.0. Some file activity is still there, but is much
+ reduced. If $TEMPBASE also resides on an SSD disk (or a RAM disk),
+ observed speedup between 2.7.2 and 2.8.0 was 3 to 8 percent on a
+ busy host (with monitoring disabled, so as not to skew a measurement).
+
+- Use a module IO::Socket::IP if available, instead of dealing directly
+ with low-level modules IO::Socket::INET and IO::Socket::INET6;
+
+- choose more appropriate defaults if running on an IPv6-only host
+ (like connecting to ::1 instead of 127.0.0.1 which may not exist);
+
+- amavisd-release now also supports connecting to amavisd over IPv6;
+
+- as a debugging aid it is now possible that a late event triggers full
+ logging of earlier events that occurred during processing of a current
+ mail message;
+
+- $enable_ldap setting is now dynamic, i.e. can be changed by a policy
+ bank, which makes it possible to selectively disable LDAP lookups
+ per policy bank;
+
+- optionally avoid persistent connections to SQL and LDAP servers;
+
+- it is now possible to disable calling an external file(1) utility
+ but still have MIME parts decoding enabled;
+
+- added support in Amavis::SpamControl::ExtProg for an external spam scanner
+ Bogofilter;
+
+- added locking options to @spam_scanners entries, to be used with external
+ scanners which need but do not implement locking of their resources
+ by themselves;
+
+- added a global configuration setting $sa_userprefs_file, which is passed
+ on to SpamAssassin as a 'userprefs_filename' parameter at initialization;
+
+- added a subroutine iso8601_weekday(), potentially useful with partitioning;
+
+- added several new macros available to logging and notification templates;
+
+
+NEW FEATURES - 0MQ
+
+- added support for monitoring and auxilliary services, communicating
+ with amavisd and among themselves through 0MQ sockets (also called ZMQ
+ or ZeroMQ, or Crossroads I/O or XS). This method offers similar features
+ as current services amavisd-nanny, amavisd-agent and amavisd-snmp-subagent,
+ but use message passing paradigm instead of communicating through a shared
+ Berkeley database. This avoids locking contention, so the gain can be
+ significant for a busy amavisd setup with lots of child processes.
+
+ New files in the package are:
+
+ - amavis-mc is a master supervisor process ( master of ceremonies :),
+ to be started at boot time as root, or as a user vscan/amavis.
+ Currently its only function is to spawn three instances of
+ amavis-services processes with dropped privileges, to monitor
+ and restart them in case they fail, and to terminate them when
+ itself if being terminated. Preferably this process should be
+ started before amavisd and before amavisd-snmp-subagent-zmq,
+ although things would eventually catch up even if this is not
+ the case. This process must run on the same host as amavis-service
+ processes.
+
+ - amavis-mc_init.sh is an example FreeBSD-style startup/shutdown shell
+ script for starting/stopping the amavis-mc process;
+
+ - amavis-service implements three services, chosen by a command line
+ argument. It should be running as user vscan/amavis (not as root!).
+ All its instances are typically started/stopped automatically by
+ the amavis-mc process with dropped privileges. A note for manual
+ testing (started from a command line, not by an amavis-mc process):
+ make sure to run amavis-service under the same UID as the amavisd is
+ running. If 0MQ cannot write to a socket due to privilege violation,
+ messages are silently dropped. Service processes as implemented by
+ amavis-service must run on the same host as amavis-service for two
+ reasons: they communicate with amavisd child processes through a
+ Unix socket, and at least some of these services need visibility
+ of amavisd processes through signals (kill). At least the forwarding
+ service must be running when amavisd is operational with $enable_zmq
+ at true, otherwise amavisd processing might eventually stall when
+ their message queue fills up. Preferably amavis-service processes
+ should be started before amavisd is started, although things would
+ eventually catch up even if started late or restarted during operation.
+
+ - amavis-status is a user utility program, similar to amavisd-nanny,
+ which connects to amavis-service 0MQ socket and displays a status
+ of running amavisd child processes. This program communicates
+ with amavis-service processes through an inet socket and can
+ in principle run on a different host (in which case sockets must
+ not be bound to a loopback interface). The program can be started and
+ stopped at any time, and may run in multiple instances if necessary.
+
+ - amavisd-snmp-subagent-zmq is a SNMP AgentX program, functionally
+ equivalent to amavisd-snmp-subagent. It collects information from
+ amavis-service processes and passes it as a MIB to a SNMP daemon.
+ This process communicates with amavis-service processes through an
+ inet socket and can in principle run on a different host (in which
+ case sockets must not be bound to a loopback interface). In principle
+ there could be more than one instance of amavisd-snmp-subagent-zmq
+ running at the same time, although this hardly serves any practical
+ purpose.
+
+ The amavisd-agent utility does not currently have a 0MQ equivalent,
+ use snmpbulkwalk with net-snmp and amavisd-snmp-subagent-zmq for similar
+ functionality.
+
+ Please see comments in amavis-service for details and configuration
+ of sockets.
+
+ To enable amavisd child processes to start sending their status and
+ statistics information to the amavis-service services, please set
+ a configuration variable $enable_zmq to true in amavisd.conf:
+ $enable_zmq = 1;
+
+ Optionally a 0MQ socket can be changed, it defaults to:
+ @zmq_sockets = ( "ipc://$MYHOME/amavisd-zmq.sock" );
+
+ Both the 0MQ-based ($enable_zmq=1) and the BerkeleyDB-based ($enable_db=1)
+ monitoring implementations can coexist: use one or the other, or both
+ at the same time, or turn off both.
+
+ Required Perl modules are either:
+ ZeroMQ, which interfaces with a version 2 of a zmq library
+ (in case of FreeBSD that would be ports net/p5-ZeroMQ and devel/zmq),
|
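Review bot: In the amavis-service entry under NEW FEATURES - 0MQ, the sentence "Service processes as implemented by amavis-service must run on the same host as amavis-service" is circular; the reasons that follow (a Unix socket to amavisd child processes, signals to amavisd processes) indicate that the host meant is the one running amavisd, so suggest "on the same host as amavisd". The same section names the program both "amavis-services" and "amavis-service"; pick one spelling. Two operational points deserve a sentence each: the amavis-status and amavisd-snmp-subagent-zmq entries say the inet sockets "must not be bound to a loopback interface" for remote use but say nothing about restricting who may connect to them, and the remark that messages are "silently dropped" on a privilege violation gives no hint of how an operator would notice it. Typos to fix while here: "scalars of references" (probably "or"), "sigificant", "auxilliary", and "itself if being terminated".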