@@ -1,5 +1,5 @@
---- amavisd.conf.orig 2008-07-10 06:50:12.000000000 +0200
-+++ amavisd.conf 2008-07-12 23:50:14.000000000 +0200
+--- amavisd.conf.orig 2009-01-18 13:49:48.000000000 +0100
++++ amavisd.conf 2009-01-18 13:51:34.000000000 +0100
@@ -58,8 +58,12 @@
$unix_socketname = "$MYHOME/amavisd.sock"; # amavisd-release or amavis-milter
# option(s) -p overrides $inet_socket_port and $unix_socketname
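Review bot: the only change in this hunk is the pair of timestamps in the inner patch's `---`/`+++` header, and a timestamp says nothing about which upstream amavisd.conf the patch was re-based against; since the accompanying notes describe 2.6.2 changing the default virus scanner entries, record the target version either in the header line (for example `--- amavisd.conf.orig (amavisd-new-2.6.2)`) or in the patch description, so whoever applies it next can tell whether the offsets in `@@ -58,8 +58,12 @@` still hold.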
@@ -60,16 +60,16 @@
-# ['ClamAV-clamd',
-# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
-# qr/\bOK$/, qr/\bFOUND$/,
--# qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+-# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-# # NOTE: run clamd under the same user as amavisd, or run it under its own
-# # uid such as clamav, add user clamav to the amavis group, and then add
-# # AllowSupplementaryGroups to clamd.conf;
-# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
-# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
+['ClamAV-clamd',
-+ \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
-+ qr/\bOK$/, qr/\bFOUND$/,
-+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
++ \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
++ qr/\bOK$/, qr/\bFOUND$/,
++ qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+# NOTE: run clamd under the same user as amavisd, or run it under its own
+# uid such as clamav, add user clamav to the amavis group, and then add
+# AllowSupplementaryGroups to clamd.conf;
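Review bot: the `/m` flag is appended to the virus-name regexp (the entry's 6th element) in both the commented-out template and the active `['ClamAV-clamd', ...]` entry, but nothing in the hunk records why; add a one-line comment next to the active entry, e.g. `# /m: let ^ and $ match per line of a multi-line CONTSCAN reply (perl 5.10)`, so the flag survives the next time someone copies an entry from a template. The `qr/\bOK$/` and `qr/\bFOUND$/` match/no-match regexps are left without `/m`, which is consistent with the change being limited to the name-extraction regexp, so nothing to do there. The NOTE lines kept at the end of the hunk (clamd under the same uid as amavisd, or user clamav in the amavis group plus AllowSupplementaryGroups) are the part that lets clamd read the files amavisd hands it over `/var/run/clamav/clamd`; confirm the deployed clamd.conf matches them and that its LocalSocket is the same path as in this entry.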
@@ -0,0 +1,11569 @@
+---------------------------------------------------------------------------
+ December 15, 2008
+amavisd-new-2.6.2 release notes
+
+MAIN NEW FEATURES SUMMARY
+
+- bounce killer: improved detection of nonstandard bounces;
+- bounces to be killed no longer waste SpamAssassin time;
+- tool to convert dkim-filter keysfile into amavisd configuration;
+- compatibility with SpamAssassin 3.3 (CVS head) regained;
+- rewritten and expanded documentation section on DKIM signing and
+ verification in amavisd-new-docs.html;
+
+
+COMPATIBILITY WITH 2.6.1
+
+- apart from small differences in logging and notifications, the
+ version 2.6.2 is compatible with 2.6.1, with its configuration file
+ and its environment;
+
+- virus scanner entries were updated (as described below, most notably by
+ adding a regexp flag m), so be sure to update existing configuration file;
+ updated virus scanner entries can be used with 2.6.1 too;
+
+- the %sql_clause default has changed in detail (see below), if its value
+ is overridden in a configuration file the setting may need updating;
+
+
+BUG FIXES
+
+- when feeding a message by SMTP back to MTA and MTA rejects a recipient as
+ invalid and a smtp connection cache is enabled, the SMTP protocol can get
+ out of step, rejecting the next message in the same connection with a
+ "503 5.5.1 Error: nested MAIL command"; this only affects (hopefully) rare
+ sites where recipient validation is performed after content filtering
+ instead of before content filtering; reported by Richard Smits;
+
+- logging routines reporting warnings failed to include a diagnostics message
+ in a log, instead only a dry '_WARN:' or '_DIE:' with no explanation was
+ logged; a bug was introduced in 2.6.1; reported by Mike Cappella;
+
+- amavisd-release: add a 'partition_tag' attribute to a release request if
+ a specified quarantine name ends up in a partition tag string in square
+ brackets; this feature was announced in 2.6.1 release notes, but never
+ made it into a distribution;
+
+- amavisd-report failed on reading a message from SQL quarantine:
+ dispatch_from_quarantine failed: read: sql select failed,
+ DBD::Pg::st fetchrow_arrayref failed: no statement executing
+ reported by Achraf Tangui;
+
+- while evaluating compiled regular expressions (qr), perl 5.10.0 ignores
+ flag m when present in the final expression but not in the qr itself,
+ causing messages containing multiple viruses not to report any virus
+ names (mail is still considered infected, but list of names is empty).
+ Changed regular expressions in virus entries by appending a /m flag
+ to regular expressions in the 6th element of each entry. According to
+ Perl maintainers this was a bug in 5.8.x and earlier, and the behaviour
+ of perl 5.10.0 is now according to specs; reported by Martin Huber;
+
+- envelope sender address for administrator- and recipient notifications
+ ($mailfrom_notify_admin, $mailfrom_notify_spamadmin, $mailfrom_notify_recip,
+ %mailfrom_notify_admin_by_ccat, %mailfrom_notify_recip_by_ccat) was
+ not expanded when their value is left unspecified in a configuration
+ file and defaults to parsing of $hdrfrom_notify_* settings. This leads
+ to MTA rejecting a notification from 'postmaster@${myhostname}' by a
+ '501 5.1.7 Bad sender address syntax'. Reported by Aleksey Chudov,
+ Jonas Jacobsson, Durk Strooisma, and Adam;
+
+- remove unintentionally hard-coded SSL certificate and key file locations
+ stored in variables $smtpd_tls_key_file and $smtpd_tls_cert_file, they
+ are now configurable through a configuration file as intended;
+
+- a macro 'rfc2822_sender' now returns a Sender address in a quoted form,
+ just like its cousin 'rfc2822_from';
+
+- when stopping or restarting amavisd, check a PID file for being stale
+ _before_ testing whether a process exists, not the other way around;
+ previously an unlucky starting amavisd process could hit a:
+ Can't send SIG 0 to process [nnnn]: Operation not permitted
+ which prevented its startup when a stale PID was reused by an unrelated
+ process; reported by Zhang Huangbin;
+
+- error reporting improvement: localize variables $@ and $! in all DESTROY
+ methods, thus preventing these variables from being clobbered behind
+ the scenes (e.g. by calling eval or system routines from DESTROY),
+ which could cause a surprising empty (or unrelated) error message
+ being reported by surrounding eval blocks;
+
+- avoid problematic perl constructs open('|-') and open('-|') which fail
+ to catch certain fork errors, or waits indefinitely when resources
+ are tight; just explicitly create a pipe and call fork in subroutines
+ run_command, run_command_consumer and in run_as_subprocess. The change
+ possibly also solves some mystery cases where amavisd would appear
+ to hang when resources are tight (running out of swap space or near a
+ maxprocesses limit) instead of reporting a fork failure. Problem with
+ fork failing without giving a reason for failure reported by Uwe Kiewel;
+
+- amavisd.conf-default: definition of %sql_clause default was out of date;
+ reported by Roland;
+
+- releasing a non-existent message from a SQL quarantine produced an
+ inappropriate error message about a subsequent failure, instead of
+ reporting a missing record; reported by Rick (rn). Also let SQL treat
+ a NULL in mail_text.partition_tag as 0 by using coalesce() - changed
+ a $sql_clause{'sel_quar'} from:
+ SELECT mail_text FROM quarantine
+ WHERE partition_tag=? AND mail_id=?
+ ORDER BY chunk_ind
+ into:
+ SELECT mail_text FROM quarantine
+ WHERE coalesce(partition_tag,0)=coalesce(?,0) AND mail_id=?
+ ORDER BY chunk_ind
+ to facilitate transition from not having a partition_tag defined
+ (resulting in NULL partition_tag fields in SQL) into using it as a
+ numeric value (e.g. a week-of-the-year number);
+
+- modified AV entry for a grisoft.com virus scanner by adding a regexp
+ flag /m to let ^ match at any line beginning of a possibly multi-line
+ response from a virus scanner; problem reported by John Beranek;
+
+- recognize any 'ERROR:' result from a file(1) utility - not just an
+ 'ERROR: Corrupted', and do not treat its exit status 1 as fatal,
+ but just log a warning;
+
+- protect logging from being recursively re-entered when an error occurs
+ during writing of a log entry;
+
+
+NEW FEATURES:
+
+- bounce killer: improved parsing of nonstandard bounce messages (from
+ qmail, spamarrest.com and similar) yields more effective protection
+ against third-party bounces, including those without a Message-ID.
+
+ An analysis of 1000 previously passed bounces showed that 2/3 of those
+ are now recognized and blocked, bringing a bounce killer rate to 94 % of
+ all received bounces (with about 4 % of passed unverifiable bounces not
+ carrying an original mail header, and a tiny trickle of true bounces),
+ while still ensuring that bounces (in response to our genuine outbound
+ mail) and message disposition notifications (MDN, RFC 3798) are still
+ received reliably.
+
+ As a reminder: bounce killer is enabled by setting $bounce_killer_score
+ to a large value, e.g. 100. A pre-requisite for proper operation of
+ a bounce killer is a working SQL logging database (pen pals), or that
+ outbound DSN messages have a Message-ID with a fully qualified domain
+ name matching the @local_domains_maps list of lookup tables.
+ Parts decoding must also not be disabled ($bypass_decode_parts=0), which
+ is a default. Conditions are easily met when all mail from local users
+ is submitted through a domain's official mailer, which goes hand in hand
+ with the requirement for DKIM signing and for other similar anti-spoofing
+ techniques (SPF, whitelisting by IP address in Received trace, ...).
+
+ The $bounce_killer_score should not be enabled when not all outgoing
+ mail can be identified either by a local domain name in Message-ID or by
+ being registered in pen pals SQL database, otherwise genuine bounces and
+ returning MDN messages will be considered spam.
+
+- to facilitate transition of DKIM signing from dkim-milter to amavisd-new,
+ a new command-line tool is available (the extra utility code is not
+ loaded during normal operation), taking a file name as its argument,
+ e.g.:
+
+ # amavisd convert_keysfile /var/db/dkim/keysfile.txt
+
+ and writing to stdout a set of lines that may be directly included into
+ amavisd.conf configurations file, matching semantics of a dkim-filter
+ keys file. It can be useful during transition, or for those who prefer
+ to specify signing keys and sender-to-key mappings as a file in a
+ syntax compatible with options -K -k of dkim-filter, and can live with
+ limitations of such syntax. See dkim-filter(8) man page for details
+ on the syntax.
+
+ The produced output consists of signing key declarations (calls to a
+ procedure dkim_key), where each call normally corresponds to exactly
+ one DNS resource record publishing a corresponding DKIM public key.
+ When necessary output also produces an assignment to a list of lookup
+ tables @dkim_signature_options_bysender_maps, which supplies non-default
+ mappings of sender domains to signing keys, e.g. when third-party
+ signatures are desired.
+
+ From the dkim-filter man page: The keyfile should contain a set of lines
+ of the form sender-pattern:signing-domain:keypath where sender-pattern
+ is a pattern to match against message senders (with a special character
+ "*" interpreted as "zero or more characters"), signing-domain is the
+ domain to announce as the signing domain when generating signatures
+ (or a '*', implying author's domain), and keypath is a path to the
+ PEM-formatted private key to be used for signing messages which match
+ the sender-pattern. The selector used in the signature will be the
+ filename portion of keypath. A line starting with "/" is interpreted as
+ a root directory for keys, meaning the keypath values after that line
+ in the file are taken relative to that path. If a file referenced by
+ keypath cannot be opened, the filter will try again by appending ".pem"
+ and then ".private". '#'-delimited comments and blank lines are ignored.
+
+- DKIM verification now logs a note (at log level 2) when a signature
+ timestamp is in future;
+
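Review bot: the COMPATIBILITY section says virus scanner entries were updated by adding a regexp flag m and that existing configuration files must be updated, yet the amavisd.conf patch above only touches the ClamAV-clamd entry; check the local configuration for other active AV entries (the notes call out the grisoft.com entry explicitly) and add `/m` to each entry's 6th-element regexp, otherwise, as the BUG FIXES section describes, a message carrying several viruses is still blocked but with an empty virus-name list under perl 5.10.0. Two further items deserve a check against the local configuration: $smtpd_tls_key_file and $smtpd_tls_cert_file were previously hard-coded, so verify that the values now taken from amavisd.conf point at the intended key and certificate, and if %sql_clause is overridden locally, carry over the new `coalesce(partition_tag,0)=coalesce(?,0)` form of sel_quar. Finally, the bounce killer text warns that $bounce_killer_score must stay disabled unless every outgoing message is identifiable by a local-domain Message-ID or by the pen pals SQL database; that caveat belongs in a comment next to the setting in amavisd.conf, not only in the release notes.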