Changed: amavisd-new.spec
Deleted: amavisd-new-conf-qmail.patchold
@@ -1,80 +0,0 @@
---- amavisd.conf.orig 2009-01-18 13:49:48.000000000 +0100
-+++ amavisd.conf 2009-01-18 13:51:34.000000000 +0100
-@@ -58,8 +58,12 @@
- $unix_socketname = "$MYHOME/amavisd.sock"; # amavisd-release or amavis-milter
- # option(s) -p overrides $inet_socket_port and $unix_socketname
-
--$protocol = 'QMQPqq'; # suggested protocol to use on all input sockets
--$inet_socket_port = 10628; # accept connections on this local TCP port(s)
-+$protocol = 'QMQPqq'; # suggested protocol to use on all input sockets
-+$inet_socket_port = [10024, 10628]; # accept connections on this local TCP port(s)
-+#$inet_qmqpqq_port = 10628; # accept QMQPqq on this local TCP port
-+#$inet_smtp_port = 10024; # accept SMTP/LMTP on this local TCP port
-+$inet_socket_bind = '127.10.10.10'; # limit socket bind to loopback interface
-+@inet_acl = qw( 127.10.10.10 ); # allow SMTP access only from localhost IP
-
- $policy_bank{'MYNETS'} = { # mail originating from @mynetworks
- originating => 1, # is true in MYNETS by default, but let's make it explicit
-@@ -94,9 +98,9 @@
- auth_required_release => 0, # do not require secret_id for amavisd-release
- };
-
--$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
--$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level
--$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)
-+$sa_tag_level_deflt = undef; # add spam info headers if at, or above that level
-+$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
-+$sa_kill_level_deflt = 99; # triggers spam evasive actions (e.g. blocks mail)
- $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
- $sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
- # $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
-@@ -149,16 +153,16 @@
-
- # OTHER MORE COMMON SETTINGS (defaults may suffice):
-
--# $myhostname = 'host.example.com'; # must be a fully-qualified domain name!
-+$myhostname = 'host.example.com'; # must be a fully-qualified domain name!
-
--# $notify_method = 'smtp:[127.0.0.1]:10025';
--# $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
-+$notify_method = 'smtp:127.10.10.10:10025';
-+$forward_method = 'smtp:127.10.10.10:10025'; # set to undef with milter!
-
--# $final_virus_destiny = D_DISCARD;
--# $final_banned_destiny = D_BOUNCE;
--# $final_spam_destiny = D_BOUNCE;
--# $final_bad_header_destiny = D_PASS;
--# $bad_header_quarantine_method = undef;
-+$final_virus_destiny = D_DISCARD;
-+$final_banned_destiny = D_BOUNCE;
-+$final_spam_destiny = D_PASS;
-+$final_bad_header_destiny = D_PASS;
-+$bad_header_quarantine_method = undef;
-
- # $os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl
-
-@@ -360,15 +364,15 @@
- # ['Sophos SAVI', \&sophos_savi ],
-
- # ### http://www.clamav.net/
--# ['ClamAV-clamd',
--# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
--# qr/\bOK$/, qr/\bFOUND$/,
--# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
--# # NOTE: run clamd under the same user as amavisd, or run it under its own
--# # uid such as clamav, add user clamav to the amavis group, and then add
--# # AllowSupplementaryGroups to clamd.conf;
--# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
--# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
-+['ClamAV-clamd',
-+ \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
-+ qr/\bOK$/, qr/\bFOUND$/,
-+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-+# NOTE: run clamd under the same user as amavisd, or run it under its own
-+# uid such as clamav, add user clamav to the amavis group, and then add
-+# AllowSupplementaryGroups to clamd.conf;
-+# NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
-+# this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
-
- # ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred)
- # # note that Mail::ClamAV requires perl to be build with threading!
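Review bot: The `+` lines of the removed amavisd.conf patch are the only place on this page where the listener is pinned to a loopback address (`$inet_socket_bind = '127.10.10.10';` and `@inet_acl = qw( 127.10.10.10 );` for ports 10024 and 10628), so deleting the file without a visible successor leaves it open whether the package still applies them. The amavisd-new.spec change is not shown here; please confirm there that a replacement patch carries both lines and the uncommented ClamAV-clamd entry. If a successor is carried, two of the old settings deserve a second look rather than a straight copy: `$myhostname = 'host.example.com';` is a placeholder hostname, and `$sa_kill_level_deflt = 99;` together with `$final_spam_destiny = D_PASS;` means spam is only tagged at 5.0 and never blocked, which should be a documented decision.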
Deleted: RELEASE_NOTES.2.6.1
@@ -1,11080 +0,0 @@
----------------------------------------------------------------------------
- June 29, 2008
-amavisd-new-2.6.1 release notes
-
-
-BUG FIXES
-
-- avoid a bounce-killer's false positive when a message is multipart/mixed
- with an attached message/rfc822 (looking like a qmail or a MSN bounce)
- and having attached a message with a foreign Message-ID - by restricting
- the check to messages with an empty sender address or a 'postmaster' or
- 'MAILER-DAEMON' author address;
-
-- privileges were dropped too early when chrooting, causing chroot to fail
- (a workaround was to specify a jail directory through a command line
- option -R); reported by Helmut Schneider;
-
-- fix unwarranted 'run_av error: Exceeded allowed time' error when using
- a virus scanned Mail::ClamAV; reported by Chaminda Indrajith;
-
-- fix a bug in helper-progs/amavis-milter.c where atoi could be reading
- from a non-null terminated string which could result in wrong milter
- return status, or even cause a read-access violation;
- reported by Shin-ichi Nagamura;
-
-- dsn_cutoff_level was ignored if SpamAssassin was not invoked (e.g. on
- large messages) even if recip_score_boost was nonzero, causing a DSN
- not to be suppressed for internally generated large score values;
- reported by Bernd Probst;
-
-- add back the 'Ok, id=..., from MTA(...):' prefix to a MTA status responses
- on forwarded mail when generating own SMTP status response (it was lost
- in code transition from 2.5.4 to 2.6.0); reported by Thomas Gelf;
-
-- replaced '-ErrFile=>*STDOUT' with '-ErrFile=>\*STDOUT' in a call to
- BerkeleyDB::Env::new in amavisd-nanny and amavisd-agent; seems it
- was failing in some setups (even though it was in accordance with
- a BerkeleyDB module documentation); reported by Leo Baltus;
-
-- README.sql-mysql: fixed a SQL data type mismatch between maddr.id (used as
- a foreign key) and msgs.sid & msgrcpt.rid; they all should be of the same
- type, either integer unsigned or bigint unsigned; a schema as published
- in README.sql-mysql could not be built because of a conflict in a data
- type; reported by Leonardo Rodrigues Magalhães and Zhang Huangbin;
-
-
-NEW FEATURES
-
-- recognize an additional place-holder %P in a template used to build
- a file name in file-based quarantining, for example:
-
- $spam_quarantine_method = 'local:Week%P/spam/%m.gz';
-
- A %P is replaced by a current partition tag, which makes it easier to
- better organize a file-based quarantine by including a partition tag
- (e.g. an ISO week number) in a file name or a file path.
-
- For the record, here is a complete list of place-holders currently
- recognized in filename templates:
- %P => $msginfo->partition_tag
- %b => $msginfo->body_digest
- %m => $msginfo->mail_id
- %n => $msginfo->log_id
- %i => iso8601 timestamp of a message reception time by amavisd
- %% => %
-
- The following example organizes spam quarantine into weekly subdirectories:
- cd /var/virusmails
- mkdir -p W23/spam W24/spam W25/spam ... (weeks 01..53)
- chown -R vscan:vscan W23 W24 W25 ... (weeks 01..53)
- amavisd.conf:
- $spam_quarantine_method = 'local:W%P/spam/%m.gz';
- $sql_partition_tag =
- sub { my($msginfo)=@_; sprintf("%02d",iso8601_week($msginfo->rx_time)) };
-
-- add a macro %P as a synonym for a macro 'partition_tag', mainly for
- completeness with the added place-holder %P in a file name template;
-
-
-OTHER
-
-- disabled a do_ascii decoder in the default @decoders list:
- # ['asc', \&Amavis::Unpackers::do_ascii],
- # ['uue', \&Amavis::Unpackers::do_ascii],
- # ['hqx', \&Amavis::Unpackers::do_ascii],
- # ['ync', \&Amavis::Unpackers::do_ascii],
- The do_ascii is invoking a module Convert::UUlib which in turn calls
- a troublesome library uulib, which has a history of security problems
- and on occasion misinterprets a text file as some encoded text, causing
- false positives (e.g. making it look like an executable);
- recent false positive on base64-decoding reported by Jeffrey Arbuckle;
- recent DoS (looping in uulib) reported by Thomas Ritterbach;
-
-- added a rule into $map_full_type_to_short_type_re to cope with another
- example of misclassification by a file(1) utility, where a plain text
- file is considered a DOS executable:
- [qr/^DOS executable \(COM\)/ => 'asc'], # misclassified?
- An example was provided by Leonardo Rodrigues Magalhães;
-
-- until the issue is better understood, revert the use of 'my_require'
- and go back to the standard but less informative 'require'; some people
- were reporting problems with my_require (loading of some Perl modules can
- fail, apparently depending on a current directory where amavisd is started
- from); reports by Tuomo Soini, Max Matslofva, Bill Landry;
-
-- use the $myproduct_name value in generated Received header field
- instead of a hard-wired 'amavisd-new'; suggested by Thomas Gelf;
-
-- added missing required header fields to some test mail messages in a
- directory test-messages to quench down a complaint about a bad header;
-
-- changed SQL default clauses in %sql_clause (upd_msg, sel_quar, sel_penpals)
- to always join tables using both the partition_tag and the mail_id fields,
- previously just the mail_id field was used in a join. The change has no
- particular effect (and is not really necessary) on existing 2.6.0 databases
- where a primary key is mail_id (it is just a redundant extra condition),
- but saves a day when a primary key is a composite: (partition_tag,mail_id),
- which may be a requirement of a SQL partitioning mechanism.
- Thanks to Thomas Gelf for his testing of MySQL partitioning, reporting
- deficiency in amavisd SQL schema (primary keys) which did not meet MySQL
- requirements for partitioning, and suggestions;
-
-- an AM.PDP release request can specify an additional optional attribute:
- partition_tag=xx
- where a requester can supply a partition_tag value of a message to be
- released. This helps to uniquely identify a message in case where an SQL
- database did not enforce a mail_id field to be unique (as may be necessary
- with some partitioning schemes).
-
- If a partition_tag information is readily available to a requester, it
- is advised that the attribute is included in a request even if mail_id
- is known to be unique. This may expedite a search and provide a double
- check to a validity of a request. For backwards compatibility amavisd
- performs a query on msgs.mail_id for a partition_tag value if it is
- missing form a request, the query uses an SQL clause in a new entry
- $sql_clause{'sel_msg'}. If exactly one record matches, then everything
- is fine, and releasing may proceed. If multiple records with the same
- mail_id exist the release request is aborted with a message asking user
- to supply a disambiguating partition_tag=xx attribute;
-
-- a quarantine id for an SQL-quarantined message as logged in a main
- log entry is changed from:
- quarantine: aX3C4f6btXgX
- to:
- quarantine: aX3C4f6btXgX[25]
- i.e. a partition_tag in brackets is appended to mail_id.
-
- Correspondingly the amavisd-release is also changed to be able to parse
- 'aX3C4f6btXgX[25]', splitting it into mail_id and partition_tag, and
- providing each as a separate attribute in an AM.PDP release request;
-
-- README.sql-mysql: changed SQL datatype VARCHAR into VARBINARY for
- data fields mail_id, secret_id and quar_loc, and CHAR into BINARY for
- msgs.content and msgs.quar_type to preserve case sensitivity on string
- comparison operators; suggested by Thomas Gelf;
-
- The same change should eventually be done on README.sql-pg too, but as
- PostgreSQL is more picky than MySQL on matching a field data type to a
- supplied data value, the change of a data type would need to be reflected
- in SQL calls in amavisd. This will have to wait until some future version
- of amavisd-new, having to undergo more testing than I have available
- before the 2.6.1 release.
-
-
-Background information on UNIQUE constraint in table SQL msgs
-
-Amavisd does not know and need not be aware of what is a primary
-key or what are UNIQUE constraints in SQL table msgs. When generating
-a mail_id for a message being processed, amavisd tries to INSERT
-a record with a randomly generated mail_id into table msgs (using
-SQL clause in $sql_clause{'ins_msg'}). If the operation fails,
-another mail_id is generated and attempt repeated, until it eventually
-succeeds. Thus it depends entirely on SQL's decision whether a
-particular record is allowed or would break some UNIQUE constraint.
-So, by only changing a declaration on table msgs (PRIMARY KEY or
-adding a CONSTRAINT), it changes what keys amavisd will be allowed
-to insert and what kind of duplicates would be allowed.
-
-Classically the msgs.mail_id is a PRIMARY KEY and as such it is unique.
-This was a requirement for versions of amavisd up to and including 2.6.0.
-Starting with 2.6.1 the JOINs have been tightened to include a
-partition_tag besides mail_id in a relation, which makes it possible
-to loosen a unique requirement on msgs.mail_id and only require a
-pair (partition_tag,mail_id) to be unique. In other words, this way
-the mail_id is only needed to be unique within each partition tag value.
-
-This change allows a partitioning scheme to meet requirements on
-MySQL partitioning. For non-partitioned databases the change shouldn't
-make any difference, and one is free to choose between having mail_id
-unique across the entire table or just within each partition_tag value.
-
-Changing a primary key to (partition_tag,mail_id) brings consequences
-to quarantining, in particular to releasing from a SQL quarantine,
-where it no longer suffices to specify mail_id=xxx in AM.PDP request,
-but may be necessary to specify also a partition_tag=xx to distinguish
-between SQL-quarantined messages which happen to have the same mail_id.
-
-
----------------------------------------------------------------------------
Deleted: RELEASE_NOTES.2.6.2
@@ -1,11569 +0,0 @@
----------------------------------------------------------------------------
- December 15, 2008
-amavisd-new-2.6.2 release notes
-
-MAIN NEW FEATURES SUMMARY
-
-- bounce killer: improved detection of nonstandard bounces;
-- bounces to be killed no longer waste SpamAssassin time;
-- tool to convert dkim-filter keysfile into amavisd configuration;
-- compatibility with SpamAssassin 3.3 (CVS head) regained;
-- rewritten and expanded documentation section on DKIM signing and
- verification in amavisd-new-docs.html;
-
-
-COMPATIBILITY WITH 2.6.1
-
-- apart from small differences in logging and notifications, the
- version 2.6.2 is compatible with 2.6.1, with its configuration file
- and its environment;
-
-- virus scanner entries were updated (as described below, most notably by
- adding a regexp flag m), so be sure to update existing configuration file;
- updated virus scanner entries can be used with 2.6.1 too;
-
-- the %sql_clause default has changed in detail (see below), if its value
- is overridden in a configuration file the setting may need updating;
-
-
-BUG FIXES
-
-- when feeding a message by SMTP back to MTA and MTA rejects a recipient as
- invalid and a smtp connection cache is enabled, the SMTP protocol can get
- out of step, rejecting the next message in the same connection with a
- "503 5.5.1 Error: nested MAIL command"; this only affects (hopefully) rare
- sites where recipient validation is performed after content filtering
- instead of before content filtering; reported by Richard Smits;
-
-- logging routines reporting warnings failed to include a diagnostics message
- in a log, instead only a dry '_WARN:' or '_DIE:' with no explanation was
- logged; a bug was introduced in 2.6.1; reported by Mike Cappella;
-
-- amavisd-release: add a 'partition_tag' attribute to a release request if
- a specified quarantine name ends up in a partition tag string in square
- brackets; this feature was announced in 2.6.1 release notes, but never
- made it into a distribution;
-
-- amavisd-report failed on reading a message from SQL quarantine:
- dispatch_from_quarantine failed: read: sql select failed,
- DBD::Pg::st fetchrow_arrayref failed: no statement executing
- reported by Achraf Tangui;
-
-- while evaluating compiled regular expressions (qr), perl 5.10.0 ignores
- flag m when present in the final expression but not in the qr itself,
- causing messages containing multiple viruses not to report any virus
- names (mail is still considered infected, but list of names is empty).
- Changed regular expressions in virus entries by appending a /m flag
- to regular expressions in the 6th element of each entry. According to
- Perl maintainers this was a bug in 5.8.x and earlier, and the behaviour
- of perl 5.10.0 is now according to specs; reported by Martin Huber;
-
-- envelope sender address for administrator- and recipient notifications
- ($mailfrom_notify_admin, $mailfrom_notify_spamadmin, $mailfrom_notify_recip,
- %mailfrom_notify_admin_by_ccat, %mailfrom_notify_recip_by_ccat) was
- not expanded when their value is left unspecified in a configuration
- file and defaults to parsing of $hdrfrom_notify_* settings. This leads
- to MTA rejecting a notification from 'postmaster@${myhostname}' by a
- '501 5.1.7 Bad sender address syntax'. Reported by Aleksey Chudov,
- Jonas Jacobsson, Durk Strooisma, and Adam;
-
-- remove unintentionally hard-coded SSL certificate and key file locations
- stored in variables $smtpd_tls_key_file and $smtpd_tls_cert_file, they
- are now configurable through a configuration file as intended;
-
-- a macro 'rfc2822_sender' now returns a Sender address in a quoted form,
- just like its cousin 'rfc2822_from';
-
-- when stopping or restarting amavisd, check a PID file for being stale
- _before_ testing whether a process exists, not the other way around;
- previously an unlucky starting amavisd process could hit a:
- Can't send SIG 0 to process [nnnn]: Operation not permitted
- which prevented its startup when a stale PID was reused by an unrelated
- process; reported by Zhang Huangbin;
-
-- error reporting improvement: localize variables $@ and $! in all DESTROY
- methods, thus preventing these variables from being clobbered behind
- the scenes (e.g. by calling eval or system routines from DESTROY),
- which could cause a surprising empty (or unrelated) error message
- being reported by surrounding eval blocks;
-
-- avoid problematic perl constructs open('|-') and open('-|') which fail
- to catch certain fork errors, or waits indefinitely when resources
- are tight; just explicitly create a pipe and call fork in subroutines
- run_command, run_command_consumer and in run_as_subprocess. The change
- possibly also solves some mystery cases where amavisd would appear
- to hang when resources are tight (running out of swap space or near a
- maxprocesses limit) instead of reporting a fork failure. Problem with
- fork failing without giving a reason for failure reported by Uwe Kiewel;
-
-- amavisd.conf-default: definition of %sql_clause default was out of date;
- reported by Roland;
-
-- releasing a non-existent message from a SQL quarantine produced an
- inappropriate error message about a subsequent failure, instead of
- reporting a missing record; reported by Rick (rn). Also let SQL treat
- a NULL in mail_text.partition_tag as 0 by using coalesce() - changed
- a $sql_clause{'sel_quar'} from:
- SELECT mail_text FROM quarantine
- WHERE partition_tag=? AND mail_id=?
- ORDER BY chunk_ind
- into:
- SELECT mail_text FROM quarantine
- WHERE coalesce(partition_tag,0)=coalesce(?,0) AND mail_id=?
- ORDER BY chunk_ind
- to facilitate transition from not having a partition_tag defined
- (resulting in NULL partition_tag fields in SQL) into using it as a
- numeric value (e.g. a week-of-the-year number);
-
-- modified AV entry for a grisoft.com virus scanner by adding a regexp
- flag /m to let ^ match at any line beginning of a possibly multi-line
- response from a virus scanner; problem reported by John Beranek;
-
-- recognize any 'ERROR:' result from a file(1) utility - not just an
- 'ERROR: Corrupted', and do not treat its exit status 1 as fatal,
- but just log a warning;
-
-- protect logging from being recursively re-entered when an error occurs
- during writing of a log entry;
-
-
-NEW FEATURES:
-
-- bounce killer: improved parsing of nonstandard bounce messages (from
- qmail, spamarrest.com and similar) yields more effective protection
- against third-party bounces, including those without a Message-ID.
-
- An analysis of 1000 previously passed bounces showed that 2/3 of those
- are now recognized and blocked, bringing a bounce killer rate to 94 % of
- all received bounces (with about 4 % of passed unverifiable bounces not
- carrying an original mail header, and a tiny trickle of true bounces),
- while still ensuring that bounces (in response to our genuine outbound
- mail) and message disposition notifications (MDN, RFC 3798) are still
- received reliably.
-
- As a reminder: bounce killer is enabled by setting $bounce_killer_score
- to a large value, e.g. 100. A pre-requisite for proper operation of
- a bounce killer is a working SQL logging database (pen pals), or that
- outbound DSN messages have a Message-ID with a fully qualified domain
- name matching the @local_domains_maps list of lookup tables.
- Parts decoding must also not be disabled ($bypass_decode_parts=0), which
- is a default. Conditions are easily met when all mail from local users
- is submitted through a domain's official mailer, which goes hand in hand
- with the requirement for DKIM signing and for other similar anti-spoofing
- techniques (SPF, whitelisting by IP address in Received trace, ...).
-
- The $bounce_killer_score should not be enabled when not all outgoing
- mail can be identified either by a local domain name in Message-ID or by
- being registered in pen pals SQL database, otherwise genuine bounces and
- returning MDN messages will be considered spam.
-
-- to facilitate transition of DKIM signing from dkim-milter to amavisd-new,
- a new command-line tool is available (the extra utility code is not
- loaded during normal operation), taking a file name as its argument,
- e.g.:
-
- # amavisd convert_keysfile /var/db/dkim/keysfile.txt
-
- and writing to stdout a set of lines that may be directly included into
- amavisd.conf configurations file, matching semantics of a dkim-filter
- keys file. It can be useful during transition, or for those who prefer
- to specify signing keys and sender-to-key mappings as a file in a
- syntax compatible with options -K -k of dkim-filter, and can live with
- limitations of such syntax. See dkim-filter(8) man page for details
- on the syntax.
-
- The produced output consists of signing key declarations (calls to a
- procedure dkim_key), where each call normally corresponds to exactly
- one DNS resource record publishing a corresponding DKIM public key.
- When necessary output also produces an assignment to a list of lookup
- tables @dkim_signature_options_bysender_maps, which supplies non-default
- mappings of sender domains to signing keys, e.g. when third-party
- signatures are desired.
-
- From the dkim-filter man page: The keyfile should contain a set of lines
- of the form sender-pattern:signing-domain:keypath where sender-pattern
- is a pattern to match against message senders (with a special character
- "*" interpreted as "zero or more characters"), signing-domain is the
- domain to announce as the signing domain when generating signatures
- (or a '*', implying author's domain), and keypath is a path to the
- PEM-formatted private key to be used for signing messages which match
- the sender-pattern. The selector used in the signature will be the
- filename portion of keypath. A line starting with "/" is interpreted as
- a root directory for keys, meaning the keypath values after that line
- in the file are taken relative to that path. If a file referenced by
- keypath cannot be opened, the filter will try again by appending ".pem"
- and then ".private". '#'-delimited comments and blank lines are ignored.
-
-- DKIM verification now logs a note (at log level 2) when a signature
- timestamp is in future;
-
Deleted: RELEASE_NOTES.2.6.3
@@ -1,11919 +0,0 @@
----------------------------------------------------------------------------
- April 22, 2009
-amavisd-new-2.6.3 release notes
-
-
-COMPATIBILITY WITH 2.6.2
-
-- support for DSPAM has been removed from Amavis::SpamControl::SpamAssassin
- module, merging DSPAM scores into SpamAssassin and DSPAM autolearning
- is no longer available. Nevertheless, it is now possible to use DSPAM
- instead of SpamAssassin, or by adding results from each. See description
- below for @spam_scanners;
-
-- there are no other known incompatibilities with 2.6.2;
-
-
-BUG FIXES
-
-- when logging to SQL (pen pals), the msgs.message_id field always received
- a value '1' instead of a Message-Id, thus making pen pals less effective
- (only matching on sender/recipient pairs worked, not on message threads)
- and letting some bounces bypass a bounce killer; bug was introduced with
- version 2.6.2; reported by Michael Scheidell;
-
-- timer was not reset after a persistent failure to connect to a daemonized
- virus scanner, so a subsequent call to a backup scanner only had 10 seconds
- available before it was aborted, which was often too short for a command
- line backup scanner like clamscan; reported by Bill Landry;
-
-- if a virus scanner interface did not find a name of a virus in the output
- of a virus scanner (despite noticing infection), the infection was ignored;
- reported by Thomas Mueller;
-
-- added missing /m flags to regular expressions in AV entries
- (a bug is revealed with Perl 5.10.0; previous versions of Perl happened
- to work, unintentionally accepting a /m flag if added late during a regexp
- evaluation); reported by Rafael;
-
-- $banned_namepath_re setting only worked globally, but was not usable in
- policy banks; reported by Danny Richter;
-
-- do_uncompress: signal run_command_copy() errors, instead of returning a
- status, thus allowing decompose_part() to detect 'Exceeded storage quota'
- or 'Maximum number of files exceeded', and flag mail as CC_UNCHECKED;
-
-- if $mailfrom_notify_admin was not specified in a configuration file but
- defaulted to an e-mail address in $hdrfrom_notify_admin, the following
- was reported (due to missing angle brackets) on an attempt to submit
- a notification:
- (!)SEND via SMTP: virusalert@example.com -> <virusalert@example.com>...
- 501 5.1.7 Bad sender address syntax
- (!)FAILED to notify admin: 501 5.1.7 Failed, id=40690-23,
- from MTA([::1]:10027): 501 5.1.7 Bad sender address syntax
- Notification was not sent, the rest of the processing was unaffected;
- reported by Peter Pechnik, Thomas Mueller, and Stefan Förster;
-
-- fetch_modules: only suppress the "Can't locate ... in @INC" diagnostics
- if exactly the requested module is missing, but do show the error if some
- subordinate module is missing and preventing the requested module to be
- loaded;
-
-- do_unrar: recognize an information line with a '<->';
-
-- fixed a syntax error in LDAP.ldif; by Quanah Gibson-Mount
-
-- fixed a bug in SpamdClient; reported by Filip Valder
-
-
-NEW FEATURES
-
-- added a configuration variable @client_ipaddr_policy, which maps smtp
- client's IP address lookup lists to a policy bank name. This allows for
- loading a policy bank based on a client IP address, and generalizes a
- formerly hard-wired mapping of @mynetworks_maps into 'MYNETS'.
- The list is traversed in order, the first matching networks list stops
- the search and its associated policy name is used. Suggested by Jo Rhett.
-
- The default setting retains backwards compatibility:
- @client_ipaddr_policy = map { $_ => 'MYNETS' } @mynetworks_maps;
-
- Example:
- @client_ipaddr_policy = (
- [qw( 0.0.0.0/8 127.0.0.1/8 [::] [::1] )] => 'LOCALHOST',
- [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
- [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )] => 'PARTNER',
- \@some_other_networks => 'OTHER',
- \@mynetworks => 'MYNETS',
- );
-
-- large messages beyond $sa_mail_body_size_limit are now partially passed
- to SpamAssassin and other spam scanners for checking: a copy passed to
- a spam scanner is truncated near or slightly past the indicated limit.
- Large messages are no longer given an almost free passage through spam
- checks.
-
- Note that message truncation can invalidate a DKIM or DK signature.
- If using (non-default) SpamAssassin rules to assign score points to mail
- with no valid signatures from authors which are expected to always provide
- a valid signature, the message truncation can cause false positives on
- these rules. As a workaround, to a truncated message passed to spam
- scanners, amavisd inserts a header field:
- X-Amavis-MessageSize: mmmmm, TRUNCATED to nnnnn
- which can be captured by SpamAssassin rules, e.g.:
- header __TRUNCATED X-Amavis-MessageSize =~ m{\A[^\n]*TRUNCATED}m
- and used in rules like NOTVALID_EBAY to prevent them from triggering.
-
- Starting with version 3.3.0 of SpamAssassin, its DKIM plugin understands
- the issue and receives undamaged DKIM signature objects directly from
- amavisd, so the above workaround is not needed. Also, a hit on a __TRUNCATED
- rule is automatically generated (explicit header rule is not necessary),
- just in case it might be useful for some purpose.
-
-- supports passing an extra argument suppl_attrib to $spamassassin->parse,
- as recognized by SpamAssassin 3.3.0, passing a set of DKIM signature
- objects to a SpamAssassin's plugin DKIM, which saves having to do the
- same signature verification operation again within a plugin, and provides
- uncrippled signatures to SpamAssassin even when a large message is
- truncated by amavisd and only partially submitted to spam analysis;
-
-- add global variables $sa_configpath and $sa_siteconfigpath (undef by
- default), which are passed to SpamAssassin as options 'rules_filename'
- and 'site_rules_filename' during its initialization call; this makes
- it easier to run multiple instances of amavisd, each with a different
- SpamAssassin configuration, using the same amavisd configurations file
- by taking advantage of option -i; suggested by Noah Baker;
-
-- report process resource usage at log level 2 by calling getrusage(1)
- if a perl module Unix::Getrusage is available;
-
-- a configuration variable @spam_scanners is added, along with a module
- Amavis::SpamControl::ExtProg (which is only loaded if needed).
- This is similar in concept to @av_scanners list, and allows using
- amavisd with different spam scanners, not just with SpamAssassin.
- The default setting is backwards compatible:
-
- @spam_scanners = (
- ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'],
- );
-
- The first element of each tuple is a scanner name, the second is a module
- name to be invoked, it must implement a method new(). Remaining arguments
- are passed to a module as arguments in a call to its new(). The exact
- syntax and semantics of these arguments is module-specific and may change
- in future versions as more experience is gained.
-
- Currently supported spam scanners are:
-
- - SpamAssassin: backwards compatible, uses the module Mail::SpamAssassin
- directly as before;
-
- - SpamdClient: a client to spamd, equivalent to a spamc usage; the main
- reason for existence of this module is to allow amavisd to serve as
- a test client for exercising spamd; not envisaged for production use;
-
- - CRM114: spawns an external program 'crm'. A well trained crm114 system
- gives good results (even with a global database). An alternative is to
- use a CRM114 plugin to SpamAssassin, with a benefit of autolearning
- and combining its results with other rules, but at some processing cost;
-
- - DSPAM: spawns an external program 'dspam';
-
- Spam score and test results from all spam scanners are added together,
- currently it makes most sense to only have one of these entries enabled
- at a time. A possible (artificial, not particularly useful) configuration
- with multiple entries is illustrated by the following setting:
-
- @spam_scanners = (
- ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin' ],
-
- ['SpamdClient', 'Amavis::SpamControl::SpamdClient' ],
-
- ['CRM114', 'Amavis::SpamControl::ExtProg', 'crm',
- [ qw(-u /var/amavis/home/.crm114 mailreaver.crm
- --dontstore --report_only --stats_only
- --good_threshold=8 --spam_threshold=-8) ],
- mail_body_size_limit => 64000, score_factor => -0.20,
- ],
-
- ['DSPAM', 'Amavis::SpamControl::ExtProg', $dspam,
- [ qw(--stdout --classify --deliver=innocent,spam
- --mode=tum --tokenizer=chained,noise
- --user), $daemon_user ],
- # use option --feature instead of --tokenizer with dspam < 3.8.0
- mail_body_size_limit => 64000, score_factor => 1,
- ],
- );
-
- A module Amavis::SpamControl::ExtProg implements an interface to external
- spawned programs. These are expected to receive a mail message on their
- stdin, and produce a result on their stdout (and errors on stderr). The
- result typically consists of some header fields the spawned spam scanner
- wishes to report to a caller, but can also be a complete rewritten header
- section or a complete rewritten mail message. The ExtProg module just
- collects the information it needs from the output of a scanner and discards
- the rest (i.e. an external scanner can not rewrite a message), so to avoid
- unnecessary processing, it is best to configure an external scanner to
- only return what is needed.
-
- Currently some post-processing of CRM114 and DSPAM results is hard-wired
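Review bot: the removed block starting at "a configuration variable @spam_scanners is added" carries two caveats that operators rely on, and nothing visible in this change replaces them: that "Spam score and test results from all spam scanners are added together", and that Amavis::SpamControl::ExtProg discards everything except the fields it collects ("an external scanner can not rewrite a message"). Before dropping this file, confirm the release notes shipped from the new tarball still document the @spam_scanners tuple format and these caveats, or keep a pointer to them in the package documentation.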
|
|
Deleted |
RELEASE_NOTES.2.6.4
^
|
@@ -1,12240 +0,0 @@
----------------------------------------------------------------------------
- June 25, 2009
-amavisd-new-2.6.4 release notes
-
-
-NOTE: When upgrading Perl to version 5.10 or planning to do so, please do
-not forget to add a missing /m flag to regular expressions in your existing
-AV entries (if you haven't already done so with a 2.6.3 upgrade), as
-suggested in an example file amavisd.conf in a package. Perl 5.8 does
-not mind missing /m flags, but with perl 5.10 the results from a virus
-scanner may no longer be properly recognized. See the BUG FIXES section
-in 2.6.3 release notes.
-
-
-COMPATIBILITY WITH 2.6.3
-
-The output of amavisd-agent and contents of a database snmp.db has changed
-according to the now published MIB. Several new SNMP counters were added, a
-few retired, and some renamed. If you are parsing the output of amavisd-agent
-or accessing snmp.db directly, please review AMAVIS-MIB.txt, and perhaps
-switch to using the new amavisd-snmp-subagent.
-
-
-BUG FIXES
-
-- amavisd failed to start when spam scanning was disabled either
- by @bypass_spam_checks_maps=(1) or by @spam_scanners=(), giving:
- Can't locate object method "new" via package "Amavis::SpamControl"
- As a workaround one could use a @spam_scanners=(undef) to disable spam
- scanning; reported by Steve;
-
-- several decoders failed to propagate "Exceeded storage quota" exception,
- so the protection of AV scanners against mail bombs was ineffective;
- reported by Jorgen Lundman;
-
-- milter usage (AM.PDP): verbatim header edits inserted a header body of "1"
- instead of the correct string, for example: "Authentication-Results: 1";
-
-- updated AV entry for BitDefender's bdscan to recognize tabs around a colon
- in its output; contributed by Steve;
-
-- fix parsing of a combined result from DSPAM (option --classify), as
- earlier versions of DSPAM did not include a signature with a combined
- result line; problem reported by Marijan Vidmar;
-
-
-NEW FEATURES SUMMARY
-
-- provide a true SNMP agent and a MIB, facilitating monitoring the health
- of a content filtering system, its performance and mail characteristics;
-
-- a new AV interface to SMTP-based antivirus scanners;
-
-- allow customizing SMTP-status response reason text for blocked messages;
-
-- prevent inserting fake copies of certain important mail header fields
- without breaking a DKIM signature;
-
-
-NEW FEATURES
-
-- newly supplied with the package is a program amavisd-snmp-subagent,
- acting as a SNMP AgentX, exporting amavisd statistical counters database
- (snmp.db) as well as a child process status database (nanny.db) to a
- SNMP daemon supporting the AgentX protocol (RFC 2741), such a NET-SNMP.
-
- It is similar to combined existing utility programs amavisd-agent
- and amavisd-nanny, but instead of writing results as text to stdout,
- it exports data to a SNMP server running on a host (same or remote),
- making them available to SNMP clients (such a Cacti or mrtg) for
- monitoring or alerting purposes.
-
- The amavisd program does not have any additional requirements, but
- to run amavisd-snmp-subagent the following Perl modules are required:
- NetSNMP::OID, NetSNMP::ASN, NetSNMP::agent, NetSNMP::default_store.
- All of these come with a Net-SNMP package (previously known as "ucd-snmp"),
- home at http://net-snmp.sourceforge.net/, FreeBSD ports: net-mgmt/net-snmp.
-
- Also, a snmpd daemon must be running on a host. It can be a snmpd from
- a Net-SNMP package or some other SNMP server supporting AgentX protocol.
- When using snmpd from Net-SNMP, just add the following to its snmpd.conf:
- master agentx
- agentXSocket tcp:127.0.0.1:705
- so that amavisd-snmp-subagent will be allowed to connect to it.
-
- The setup was tested with Net-SNMP versions 5.4.2.1 and 5.3.2.3. If you
- experience wild numbers served in Counter64 variables on a 64-bit platform,
- the following patch (at the server side) solves the problem:
- http://www.mail-archive.com/
- net-snmp-users@lists.sourceforge.net/msg19502.html
- The patch seems to already be incorporated into version 5.3.3 of Net-SNMP,
- but not yet in 5.4.2.
-
- A MIB module (SNMP Management information base) is provided in a file
- AMAVIS-MIB.txt. It is not necessary to make it available to a SNMP server,
- and not even necessary for SNMP clients, but making it available to clients
- allows them to display data with names of variables, not just their OIDs.
- A query example with no MIB modules:
- snmpbulkwalk -v2c -c xxx host.example.com .1.3.6.1.4.1.15312.2.1
- A query example when a file AMAVIS-MIB.txt is in a subdirectory ./mibs/ :
- snmpbulkwalk -m+AMAVIS-MIB -M-mibs -OQ -v2c -c xxx host.example.com amavis
-
- The amavisd-snmp-subagent can be started at any time, either before or
- after amavisd, and either before or after snmpd. It can also be restarted
- at any time. Also, amavisd can be restarted without having to restart
- amavisd-snmp-subagent, as it will automatically notice a database
- change and connect to a new database. Similarly, a snmpd daemon can be
- restarted at any time and amavisd-snmp-subagent will reconnect to it
- if necessary. A natural starting order is: snmpd first, then amavisd
- and then amavisd-snmp-subagent.
-
- Restarting amavisd will reset its counters. A SNMP client typically
- interprets a decremented value of a counter variable as a wraparound,
- which results in a large spike when graphing data. There are two common
- solutions to the problem: a reasonable upper limit can be provided to
- a client, so that a spike will be treated as invalid data and ignored,
- or else a AMAVIS-MIB::sysUpTime variable can be monitored, and if its
- value is smaller than on a previous reading, this indicates that counters
- were reset (i.e. amavisd was restarted) and values of counters should not
- be treated as wrapped on maxint. Consult your SNMP client documentation.
-
- The amavisd-snmp-subagent should have access to databases snmp,db and
- nanny.db in a $db_home directory (environment variable AMAVISD_DB_HOME,
- defaults to /var/amavis/db) and have rights to connect to a snmpd daemon.
- It is safe to run it as root, although perhaps not necessary.
-
- For testing purposes start amavisd-snmp-subagent from a command line
- using a command line option -f to let it stay in foreground, and
- optionally increase debug level, e.g:
- amavisd-snmp-subagent -f -d 5
- If everything goes well, start it without -f and let it daemonize.
-
- Supplying a filename with an option -P tells a daemonized agent to write
- its PID to that file, and remove the file on shutdown (on receiving a
- signal TERM or INT):
- amavisd-snmp-subagent -P /var/run/amavisd-snmp-subagent.pid
-
- Some suggested sets of OIDs making up interesting diagrams
- (e.g. for displaying by Cacti):
-
- counters:
- * inMsgsStatusRelayed, inMsgsStatusDiscarded,
- inMsgsStatusNoBounce, inMsgsStatusBounced, inMsgsStatusRejected
- * inMsgs, inMsgsOriginating
- * inMsgsSize, inMsgsSizeOriginating
- * inMsgsSize, outMsgsSizeSubmitQuar, outMsgsSizeRelay
- * inMsgs, outMsgsRelay, outMsgsSubmitQuar,
- outMsgsSubmitDsn, outMsgsSubmitNotif
- * contentCleanMsgs, contentCleanMsgsOriginating
- * inMsgs, contentSpamMsgs, contentBannedMsgs, contentVirusMsgs
- * contentSpamMsgsOriginating, contentBannedMsgsOriginating,
- contentVirusMsgsOriginating
- * timeElapsedTotal, timeElapsedDecoding,
- timeElapsedVirusCheck, timeElapsedSpamCheck
- * procGone
-
- gauges:
- * procBusy, procAll
- * procBusy, procBusyTransfer, procBusyDecode, procBusyVirus, procBusySpam
- * procBusy0, procBusy1s, procBusy2s, procBusy4s, procBusy8s
- * procBusy15s, procBusy30s, procBusy1m, procBusy2m, procBusy4m
- * mtaQueueEntriesIncoming, mtaQueueEntriesActive, mtaQueueEntriesDeferred
-
- Note that even frequent or extensive SNMP queries do not burden amavisd
- processes. The amavisd-snmp-subagent process keeps a cache of current
- variable values. It queries one or the other berkeley database as needed,
- i.e. when cached data is stale and there was an actual SNMP query for a
- variable in one or the other database. When a berkeley database needs to be
- accessed, all its data is fetched in one quick sweep by using a database
- cursor with a read lock, so that data is consistent. No more than one
- database sweep in 4 seconds is performed, and less often when queries are
- less frequent and preferably batched in groups. If some time has passed
- since the last SNMP query (more than 4 seconds currently), resulting values
- are always fresh as collected from a database at the time of a SNMP query.
-
- There is one additional experimental feature - experimental in a sense
- that it may change or be dropped in future versions. If running Postfix
- on the same host as amavisd-snmp-subagent, a count of files (mail messages)
- in each of the Postfix queue directories is provided as Gauge32 variables
- in the MIB under .1.3.6.1.4.1.15312.2.1.3, i.e. under amavisMta subtree.
- The following SNMP variables are available: mtaQueueEntriesMaildrop,
- mtaQueueEntriesIncoming, mtaQueueEntriesActive, mtaQueueEntriesDeferred.
-
- Although semantically outside the scope of amavisd, it provides a quick
- insight into health of a MTA, and indirectly into health of amavisd.
- Data is made available only if a command 'postconf -h queue_directory' is
- successful at amavisd-snmp-subagent startup time and provides a sensible
- result. Like with the other two real databases, MTA directories are only
- scanned if and when actually queried by a SNMP client (again, subject to
- caching). As a safety measure for times when MTA queue grows huge, there
- is a time limit for scanning each directory subtree (currently 5 seconds,
- which is about how much a typical SNMP client is willing to wait for a
- response). Also, a long scan time automatically increases cache validity
- time (time-to-live) of that measurement.
-
-
-- a new experimental interface to SMTP-based antivirus scanners is provided;
- an @av_scanners entry may look like the following:
-
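Review bot: the header "@@ -1,12240 +0,0 @@" removes the whole RELEASE_NOTES.2.6.4 file, including the upgrade NOTE about adding the missing /m flag to AV entry regular expressions for Perl 5.10 ("the results from a virus scanner may no longer be properly recognized") and the BUG FIXES entry on decoders not propagating "Exceeded storage quota". The only release-notes file added in this change is 19 lines long and contains neither. Suggest installing the full upstream release notes from the 2.6.6 tarball instead of deleting this file outright, or at least carrying the Perl 5.10 /m note forward, since anyone upgrading from a release older than 2.6.3 would otherwise lose the warning that affects virus detection. The snmpd.conf guidance in the same file (agentXSocket tcp:127.0.0.1:705, and the remark that the subagent is "safe to run as root, although perhaps not necessary") would also disappear from the package docs.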
|
|
Added |
RELEASE_NOTES.2.6.6
^
|
@@ -0,0 +1,19 @@
+BUG FIXES SINCE 2.6.6
+
+- take a more cautious approach on keeping evidence on an SMTP session
+ transaction state when feeding a message back to MTA. Under certain
+ abnormal circumstances an MTA could respond to end-of-data with a temporary
+ failure but retain an active transaction state, while amavisd would assume
+ the transaction was closed, leading to a 'MAIL transaction in progress'
+ failure on the next message using the same cached SMTP session.
+ Now amavisd considers a transaction state to be unknown when there is any
+ doubt and closes a session instead of caching it, unless the transaction
+ is reliably known to be closed. Problem reported by Ralf Hildebrandt.
+
+
+BUG FIXES SINCE 2.6.5
+
+All bug fixes that were developed during a 2.7.0 developement cycle
+have been backported to the 2.6 branch and released as 2.6.6.
+They are all documented in release notes of the 2.6.6 release.
+
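Review bot: the new file is named RELEASE_NOTES.2.6.6, yet its first heading is "BUG FIXES SINCE 2.6.6" and the second section says the backported fixes "are all documented in release notes of the 2.6.6 release", so the file points at itself and holds none of the actual 2.6.6 notes. This text reads like the opening of a later release's notes; please check which upstream file it was taken from and either rename it to match or replace it with the RELEASE_NOTES from the amavisd-new-2.6.6 tarball. The SMTP session-caching fix described in the first entry is worth keeping, but it should be attributed to the release that actually contains it. Minor: "developement" in the second section should read "development" if this text is maintained locally.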
|
|
Deleted |
amavisd-new-2.6.2.tar.bz2
^
|
|
Deleted |
amavisd-new-2.6.3.tar.bz2
^
|
|
Deleted |
amavisd-new-2.6.4.tar.bz2
^
|
|
Changed |
amavisd-new-2.6.6.tar.bz2
^
|