diff -pruN 1:2.6.4-4/amavisd 1:2.6.5-0ubuntu3/amavisd --- 1:2.6.4-4/amavisd 2009-06-25 12:39:01.000000000 +0000 +++ 1:2.6.5-0ubuntu3/amavisd 2011-04-07 18:21:49.000000000 +0000 @@ -10,7 +10,7 @@ # on amavisd-snapshot-20020300). # # All work since amavisd-snapshot-20020300: -# Copyright (C) 2002-2009 Mark Martinec, +# Copyright (C) 2002-2011 Mark Martinec, # All Rights Reserved. # with contributions from the amavis-user mailing list and individuals, # as acknowledged in the release notes. @@ -273,7 +273,7 @@ sub CC_VIRUS () { 9 } BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); %EXPORT_TAGS = ( 'dynamic_confvars' => # per- policy bank settings @@ -597,7 +597,7 @@ sub dkim_key($$$;@) { use vars qw($read_config_files_depth @actual_config_files); BEGIN { # init_primary: version, $unicode_aware, base policy bank $myproduct_name = 'amavisd-new'; - $myversion_id = '2.6.4'; $myversion_date = '20090625'; + $myversion_id = '2.6.5'; $myversion_date = '20110407'; $myversion = "$myproduct_name-$myversion_id ($myversion_date)"; $myversion_id_numeric = # x.yyyzzz, allows numerical compare, like Perl $] @@ -1303,7 +1303,7 @@ BEGIN { [qr/^LHa.*\barchive\b/i => 'lha'], # (also known as .lzh) [qr/^ARC archive\b/i => 'arc'], [qr/^ARJ archive\b/i => 'arj'], - [qr/^Zoo archive\b/i => ['zoo','unzoo'] ], + [qr/^Zoo archive\b/i => 'zoo'], [qr/^(\S+\s+)?tar archive\b/i => 'tar'], [qr/^(\S+\s+)?cpio archive\b/i => 'cpio'], [qr/^StuffIt Archive\b/i => 'sit'], @@ -1492,6 +1492,7 @@ BEGIN { CC_BANNED, sub { c('final_banned_destiny') }, CC_SPAM, sub { c('final_spam_destiny') }, CC_BADH, sub { c('final_bad_header_destiny') }, + CC_MTA.',2', D_REJECT, CC_OVERSIZED, D_BOUNCE, CC_CATCHALL, D_PASS, ); @@ -1709,8 +1710,8 @@ use vars qw(%defang_by_ccat); @virus_name_to_spam_score_maps = (new_RE( # the order matters! - [ qr'^Phishing\.' => 0.1 ], [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ], + [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ], [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ], [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected [ qr'^Sanesecurity\.' => 0.1 ], @@ -1725,6 +1726,9 @@ use vars qw(%defang_by_ccat); [ qr'^Safebrowsing\.' => 0.1 ], [ qr'^winnow\.(phish|spam)\.' => 0.1 ], [ qr'^INetMsg\.SpamDomain' => 0.1 ], + [ qr'^Doppelstern\.(Scam4|Phishing)' => 0.1 ], + [ qr'^ScamNailer\.' => 0.1 ], + [ qr'^HTML/Bankish' => 0.1 ], # F-Prot [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected [ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ], # false positives [ qr'^MBL_' => undef ], # keep as infected @@ -1891,7 +1895,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&init &collect_log_stats &log_to_stderr &log_fd &write_log &open_log &close_log); @@ -1958,8 +1962,8 @@ sub open_log() { my($syslog_facility_num) = eval("LOG_\U$fac"); $syslog_facility_num =~ /^\d+\z/ or die "Unknown syslog facility name: $fac"; - openlog($id, LOG_PID | LOG_NDELAY, $syslog_facility_num); $current_syslog_ident = $id; $current_syslog_facility = $fac; + openlog($current_syslog_ident, LOG_PID | LOG_NDELAY, $syslog_facility_num); } elsif ($logfile ne '') { $loghandle = IO::File->new; $loghandle->open($logfile, O_CREAT|O_APPEND|O_WRONLY, 0640) @@ -2070,7 +2074,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&init §ion_time &report &get_time_so_far); } @@ -2154,7 +2158,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&untaint &min &max &unique_list &unique_ref &safe_encode &safe_decode &q_encode @@ -2849,7 +2853,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&exit_status_str &proc_status_ok &kill_proc &cloexec &run_command &run_command_consumer &run_as_subprocess @@ -3363,7 +3367,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT = qw( &rfc2822_timestamp &iso8601_timestamp &iso8601_utc_timestamp &iso8601_week @@ -4255,7 +4259,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Util qw(ll do_log fmt_struct); } @@ -4374,7 +4378,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&lookup_ip_acl); import Amavis::Util qw(ll do_log); @@ -4649,7 +4653,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&lookup &lookup2 &lookup_hash &lookup_acl); import Amavis::Util qw(ll do_log fmt_struct); @@ -4913,7 +4917,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&expand &tokenize); import Amavis::Util qw(ll do_log); @@ -5204,7 +5208,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform :confvars); import Amavis::Timing qw(section_time); @@ -5439,12 +5443,19 @@ sub check { if ($errn) { die "Inaccessible $dir/$f: $!"; } elsif (-f _) { - if ($f ne 'email.txt') { die "Unexpected file $dir/$f" } + warn "Unexpected file $dir/$f" if $f ne 'email.txt'; + } elsif (-l _) { + die "Unexpected link $dir/$f"; } elsif (-d _) { + my($nlink) = $stat_list[3]; if ($f ne 'parts') { die "Unexpected directory $dir/$f"; - } elsif ($stat_list[3] > 2) { # number of hard links - die "Directory $dir/$f has subdirectories: ".($stat_list[3]-2); + } elsif ($nlink > 2) { # number of hard links + # when a directory's link count is > 2, it has "n-2" sub-directories; + # this does not apply to file systems like AFS, FAT, ISO-9660, + # but it also seems it does not apply to Mac OS 10 (Leopard) + do_log(5, "TempDir::check: directory %s has %d subdirectories", + $dir, $nlink-2); } } else { die "Unexpected non-regular file $dir/$f"; @@ -5683,7 +5694,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); } use Errno qw(EIO); @@ -5813,7 +5824,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); } @@ -5844,7 +5855,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform); import Amavis::Util qw(setting_by_given_contents_category_all @@ -6017,7 +6028,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform); import Amavis::rfc2821_2822_Tools qw(rfc2822_timestamp quote_rfc2821_local @@ -6315,7 +6326,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&hdr); import Amavis::Conf qw(:platform c cr ca); @@ -6575,7 +6586,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT = qw(&mail_dispatch); import Amavis::Conf qw(:platform :confvars c cr ca $relayhost_is_client); @@ -6649,7 +6660,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&parse_ip_address_from_received &best_try_originator &first_received_from); @@ -6753,7 +6764,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&consumed_bytes); import Amavis::Conf qw(c cr ca @@ -6839,7 +6850,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Util qw(ll do_log); } @@ -6925,7 +6936,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter MIME::Parser::Filer); # subclass of MIME::Parser::Filer } # This package will be used by mime_decode(). @@ -6966,10 +6977,10 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&check_header_validity &check_for_banned_names); - import Amavis::Util qw(ll do_log min max sanitize_str); + import Amavis::Util qw(ll do_log min max untaint sanitize_str); import Amavis::Conf qw(:platform %banned_rules c cr ca); import Amavis::Lookup qw(lookup lookup2); } @@ -6994,29 +7005,31 @@ sub check_header_validity($$) { $pre = ''; $mid = ''; $post = $curr_head; $minor_badh_category = max(6, $minor_badh_category); } - } elsif ($t{'empty'} && $curr_head =~ /^(.*?)^([ \t]+)(?=\n|\z)/gms) { + } elsif ($t{'empty'} && $curr_head =~ /^([ \t]+)(?=\n|\z)/gms) { $msg1 ="Improper folded header field made up entirely of whitespace"; - $pre = $1; $mid = $2; $post = substr($curr_head,pos($curr_head)); + $mid = $1; # note: using //g and pos to avoid deep recursion in regexp $minor_badh_category = max(4, $minor_badh_category); } elsif ($t{'long'} && - $curr_head =~ /^(.*?)^([^\n]{999,})(?=\n|\z)/gms) { + $curr_head =~ /^([^\n]{999,})(?=\n|\z)/gms) { $msg1 = "Header line longer than 998 characters"; - $pre = $1; $mid = $2; $post = substr($curr_head,pos($curr_head)); + $mid = $1; $minor_badh_category = max(5, $minor_badh_category); - } elsif ($t{'control'} && $curr_head =~ /^(.*?)([\000\015])/gs) { + } elsif ($t{'control'} && $curr_head =~ /([\000\015])/gs) { $msg1 = "Improper use of control character"; - $pre = $1; $mid = $2; $post = substr($curr_head,pos($curr_head)); + $mid = $1; $minor_badh_category = max(3, $minor_badh_category); - } elsif ($t{'8bit'} && $curr_head =~ /^(.*?)([\200-\377])/gs) { + } elsif ($t{'8bit'} && $curr_head =~ /([\200-\377])/gs) { $msg1 = "Non-encoded 8-bit data"; - $pre = $1; $mid = $2; $post = substr($curr_head,pos($curr_head)); + $mid = $1; $minor_badh_category = max(2, $minor_badh_category); - } elsif ($t{'8bit'} && $curr_head =~ /^(.*?)([^\000-\377])/gs) { + } elsif ($t{'8bit'} && $curr_head =~ /([^\000-\377])/gs) { $msg1 = "Non-encoded Unicode character"; # should not happen - $pre = $1; $mid = $2; $post = substr($curr_head,pos($curr_head)); + $mid = $1; $minor_badh_category = max(2, $minor_badh_category); } + $pre = substr($curr_head,0,pos($curr_head)-length($mid)) if !defined $pre; + $post = substr($curr_head,pos($curr_head)) if !defined $post; if (defined $msg1) { chomp($post); if (length($mid) > 20) { $mid = substr($mid, 0,15) . "..." } @@ -7192,7 +7205,13 @@ sub check_for_banned_names($) { } if (ref $bnpre && grep {!$_->{result}} @recip_tables) { # any non-true? # try new style: banned_namepath_re; it is global, not per-recipient - my($result,$matchingkey) = lookup2(0, join("\n",@descr), [$bnpre], + my $descr_str = join("\n",@descr); + if ($] < 5.012003) { + # avoid a [perl #62048] bug in lookup_re(): + # Unwarranted "Malformed UTF-8 character" on tainted variable + $descr_str = untaint($descr_str); + } + my($result,$matchingkey) = lookup2(0, $descr_str, [$bnpre], Label=>'banned_namepath_re'); if (defined $result) { for my $e (@recip_tables) { @@ -7252,12 +7271,13 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&mime_decode); import Amavis::Conf qw(:platform c cr ca $MAXFILES); import Amavis::Timing qw(section_time); - import Amavis::Util qw(snmp_count untaint ll do_log); + import Amavis::Util qw(snmp_count untaint ll do_log + safe_decode safe_encode); import Amavis::Unpackers::NewFilename qw(consumed_bytes); } use subs @EXPORT_OK; @@ -7354,22 +7374,33 @@ sub mime_traverse($$$$$) { $part->attributes_add('U','C') if $mt =~ m{/encrypted}i || $et =~ m{/encrypted}i; my(@rn); # recommended file names, both raw and RFC 2047 decoded - my($val, $val_decoded); - $val = $head->mime_attr('content-disposition.filename'); - if ($val ne '') { - push(@rn, $val); - $val_decoded = MIME::Words::decode_mimewords($val); - push(@rn, $val_decoded) if $val_decoded ne $val; - } - $val = $head->mime_attr('content-type.name'); - if (defined($val) && $val ne '') { - $val_decoded = MIME::Words::decode_mimewords($val); - push(@rn, $val_decoded) if !grep { $_ eq $val_decoded } @rn; - push(@rn, $val) if !grep { $_ eq $val } @rn; + my %rn_seen; + for my $attr_name ('content-disposition.filename', 'content-type.name') { + my $val_raw = $head->mime_attr($attr_name); + next if !defined $val_raw || $val_raw eq ''; + my $val_dec = ''; # decoded, represented as native Perl characters + eval { + my(@chunks) = MIME::Words::decode_mimewords($val_raw); + for my $pair (@chunks) { + my($data,$encoding) = @$pair; + $encoding = 'ISO-8859-1' if !defined $encoding || $encoding eq ''; + $encoding =~ s/\*[^*]*\z//; # strip RFC 2231 language suffix + $val_dec .= safe_decode($encoding,$data); + } + }; + if ($val_dec ne '' && !$rn_seen{$val_dec}) { + push(@rn,$val_dec); $rn_seen{$val_dec} = 1; + } + if (!$rn_seen{$val_raw}) { + push(@rn,$val_raw); $rn_seen{$val_raw} = 1; + } } $part->name_declared(@rn==1 ? $rn[0] : \@rn) if @rn; - $val = $head->mime_attr('content-type.report-type'); - $part->report_type($val) if $val ne ''; + my $val = $head->mime_attr('content-type.report-type'); + if (defined $val && $val ne '') { + # $val = safe_encode('UTF-8',$val) if Encode::is_utf8($val); + $part->report_type($val); + } } mime_decode_pre_epi('epilogue', $entity->epilogue, $tempdir, $parent_obj, $placement); @@ -7439,7 +7470,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter MIME::Body); # subclass of MIME::Body import Amavis::Util qw(ll do_log); } @@ -7503,7 +7534,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&delivery_status_notification &delivery_short_report &build_mime_entity &defanged_mime_entity @@ -8414,7 +8445,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.2071'; + $VERSION = '2.2081'; @ISA = qw(Exporter); import Amavis::Util qw(ll do_log freeze thaw); } @@ -8467,7 +8498,7 @@ use re 'taint'; BEGIN { use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; import Amavis::Conf qw(:platform :sa :confvars c cr ca); import Amavis::Util qw(untaint min max unique_list unique_ref ll do_log sanitize_str debug_oneshot @@ -9211,13 +9242,14 @@ sub load_policy_bank($) { my($new_bank_ref) = $policy_bank{$policy_bank_name}; my($do_log5) = ll(5); for my $k (keys %$new_bank_ref) { - do_log(-1,'loading policy bank "%s": unknown field "%s"', - $policy_bank_name,$k) if !exists $current_policy_bank{$k}; - if (ref($new_bank_ref->{$k}) ne 'HASH' || + if (!exists $current_policy_bank{$k}) { + do_log(-1,'loading policy bank "%s": unknown field "%s"', + $policy_bank_name,$k); + } elsif (ref($new_bank_ref->{$k}) ne 'HASH' || ref($current_policy_bank{$k}) ne 'HASH') { $current_policy_bank{$k} = $new_bank_ref->{$k}; } else { # new hash to be merged into an existing hash - if ($new_bank_ref->{REPLACE}) { # replace the entire hash + if ($new_bank_ref->{$k}{REPLACE}) { # replace the entire hash $current_policy_bank{$k} = { %{$new_bank_ref->{$k}} }; # copy of new do_log(5,"loading policy bank %s, curr{%s} hash replaced", $policy_bank_name, $k) if $do_log5; @@ -10714,11 +10746,17 @@ sub check_mail($$$) { if (!$bounce_header_fields_ref) { # not a bounce } elsif ($msginfo->originating) { - # rescued by originating - } elsif (defined($bounce_msgid) && $bounce_msgid =~ /(\@[^\@>]+)>?\z/ && + # will be rescued from bounce killing by the originating flag + } elsif (defined($bounce_msgid) && + $bounce_msgid =~ /(\@[^\@>() \t][^\@>]*?)[ \t]*>?\z/ && lookup2(0,$1, ca('local_domains_maps'))) { - # rescued by a local domain in referenced Message-ID + # will be rescued from bounce killing by a local domain + # in referenced Message-ID + } elsif (!defined($sql_storage) || + c('penpals_bonus_score') <= 0 || c('penpals_halflife') <= 0) { + # will be rescued from bounce killing by pen pals disabled } elsif (c('bounce_killer_score') > 20) { + # is a bounce and is eligible to bounce killing, no need for spam scan $bypass_spam_checks_by_bounce_killer = 1; } @@ -11314,6 +11352,32 @@ sub check_mail($$$) { $msginfo->add_contents_category(CC_MTA,$min_ccat); my($blocking_ccat) = sprintf("%d,%d", CC_MTA,$min_ccat); $r->blocking_ccat($blocking_ccat) if !defined($r->blocking_ccat); + my($final_destiny) = + $r->setting_by_contents_category(cr('final_destiny_by_ccat')); + if ($final_destiny == D_PASS) { + $final_destiny = D_REJECT; # impossible to pass, change to reject + } + local($1,$2); + $r->recip_destiny($final_destiny); + if ($final_destiny == D_DISCARD && $smtp_resp =~ /^5/) { + $smtp_resp =~ s{^5(\d\d) 5(\.\d\.\d)}{250 2$2}; # 5xx -> 250 + } + my($smtp_reason) = # get the custom smtp response reason text + $r->setting_by_contents_category(cr('smtp_reason_by_ccat')); + $smtp_reason = '' if !defined $smtp_reason; + if ($smtp_reason ne '') { + my(%mybuiltins) = %builtins; # make a local copy + $smtp_reason = expand(\$smtp_reason, \%mybuiltins); + $smtp_reason = !ref($smtp_reason) ? '' : $$smtp_reason; + chomp($smtp_reason); $smtp_reason = sanitize_str($smtp_reason,1); + $smtp_reason = substr($smtp_reason,0,100) . "..." + if length($smtp_reason) > 100+3; + } + $smtp_resp =~ /^(\d\d\d(?: \d\.\d\.\d)?)\s*(.*)\z/; + my($dis) = $final_destiny == D_DISCARD ? ' Discarded' : ''; + $r->recip_smtp_response("$1$dis $smtp_reason, $2"); + $r->recip_done(1); # fake a delivery (confirm delivery to a bit bucket) + # note that 5xx status rejects may later be converted to bounces $msginfo->blocking_ccat($blocking_ccat) if !defined($msginfo->blocking_ccat); } @@ -11722,14 +11786,25 @@ sub inspect_a_bounce_message($) { $t[2] eq 'message/feedback-report' ) && #shafranovich-feedback-report $t[2] eq 'message/'.lc($parts[0]->report_type) && ( $t[3] eq 'text/rfc822-headers' || $t[3] eq 'message/rfc822' || - $t[3] eq 'message/rfc822-headers' ) # nonstandard + $t[3] eq 'message/rfc822-headers' || # nonstandard + $t[3] eq 'message/partial' ) # nonstandard ) { # standard DSN or MDN or feedback-report $bounce_type = $t[2] eq 'message/disposition-notification' ? 'MDN' : $t[2] eq 'message/global-disposition-notification' ? 'MDN' : $t[2] eq 'message/feedback-report' ? 'ARF' : 'DSN'; $structure_type = 'standard ' . $bounce_type; - $fname_ind = 3; $is_true_bounce = 1; + $fname_ind = $#parts; $is_true_bounce = 1; + + } elsif ( @parts == 5 && + $t[0] eq 'multipart/report' && + $t[-2] eq 'message/delivery-status' && + $t[-2] eq 'message/'.lc($parts[0]->report_type) && + ( $t[-1] eq 'text/rfc822-headers' || $t[-1] eq 'message/rfc822' ) + ) { # almost standard DSN, has two leading plain text parts + $bounce_type = 'DSN'; # BorderWare Security Platform + $structure_type = 'standard ' . $bounce_type; + $fname_ind = $#parts; $is_true_bounce = 1; } elsif ( @parts >= 2 && @parts <= 4 && $t[0] eq 'multipart/report' && $t[2] eq 'message/delivery-status' && @@ -11749,41 +11824,31 @@ sub inspect_a_bounce_message($) { $t[0] eq 'multipart/mixed' && ( $t[-1] eq 'text/rfc822-headers' || $t[-1] eq 'message/rfc822' || $t[-1] eq 'message/rfc822-headers') && # nonstandard - Gordano M.S. - ( $msginfo->is_auto || $msginfo->is_mlist || + ( $rfc2822_from[0] =~ /^MAILER-DAEMON(?:\@|\z)/si || $msginfo->get_header_field_body('subject') =~ - /\bDelivery Failure Notification\b/ - # || $sender =~ /^postmaster(?:\@|\z)/si - # || $rfc2822_from[0] =~ /^postmaster(?:\@|\z)/si + /\b(?:Delivery Failure Notification|failure notice)\b/ ) ) { # qmail, msn?, mailman, C/R $fname_ind = -1; $structure_type = 'multipart/mixed(' . $msginfo->is_bulk . ')'; - } elsif (@parts == 3 && - $t[0] eq 'multipart/mixed' && - $t[-1] eq 'application/octet-stream' && - $parts[-1]->name_declared =~ /\.eml\z/) { - # MDaemon + } elsif ( $msginfo->is_auto && $sender eq '' && + # notify@yahoogroups.com notify@yahoogroupes.fr + $rfc2822_from[0] =~ /^notify\@yahoo/si && + @parts >= 3 && @parts <= 5 && + $t[0] eq 'multipart/mixed' && + ( $t[-1] eq 'text/rfc822-headers' || $t[-1] eq 'message/rfc822' ) + ) { $fname_ind = -1; - $structure_type = 'multipart/mixed with binary .eml'; - } elsif ( @parts == 1 && $t[0] ne 'multipart/report' && - ( $msginfo->is_auto || - $rfc2822_from[0] =~ /^postmaster(?:\@|\z)/si ) ) { + $structure_type = 'multipart/mixed(yahoogroups)'; + } elsif ( $msginfo->is_auto && $sender eq '' && + @parts == 1 && $t[0] ne 'multipart/report' && + $rfc2822_from[0] =~ /^(?:MAILER-DAEMON|postmaster)(?:\@|\z)/si + ) { # nonstructured, possibly a non-standard bounce (qmail, gmail.com, ...) $fname_ind = 0; $plaintext = 1; $structure_type = 'nonstructured(' . $msginfo->is_auto . ')'; - } elsif ( $msginfo->is_auto && @parts == 2 && - $t[0] eq 'multipart/mixed' && $t[1] eq 'text/plain' ) { - # nonstructured, possibly a broken bounce - $fname_ind = 1; $plaintext = 1; - $structure_type = $t[0] .' with '. $t[1] .'(' . $msginfo->is_auto .')'; - } elsif ( $msginfo->is_auto && @parts == 3 && - $t[0] eq 'multipart/alternative' && - $t[1] eq 'text/plain' && $t[2] eq 'text/html' ) { - # text/plain+text/html, possibly a challenge CR message - $fname_ind = 1; $plaintext = 1; - $structure_type = $t[0] .' with '. $t[1] .'(' . $msginfo->is_auto .')'; } - if (defined $fname_ind) { + if (defined $fname_ind && defined $parts[$fname_ind]) { # we probably have a header section from original mail, scan it $fname_ind = $#parts if $fname_ind == -1; my($fname) = $parts[$fname_ind]->full_name; @@ -11809,7 +11874,7 @@ sub inspect_a_bounce_message($) { if (!defined($ln)) { $eof = 1; $ln = "\n"; $!==0 or # returning EBADF at EOF is a perl bug - $!==EBADF ? do_log(0,"Error reading mail header section: $!") + $!==EBADF ? do_log(1,"Error reading mail header section: $!") : die "Error reading mail header section: $!"; } } @@ -13897,14 +13962,27 @@ eval { die "PID file $pidf is not a regular file\n"; } else { # determine PID of the currently running amavisd daemon, validate it my($mtime) = $stat_list[9]; my($ln); my($pidf_h) = IO::File->new; + my($lcnt) = 0; $pidf_h->open($pidf,'<') or die "Can't open PID file $pidf: $!"; - for ($! = 0; defined($ln=$pidf_h->getline); $! = 0) - { chomp($ln); $amavisd_pid = $ln if $ln ne '' && !defined $amavisd_pid } + for ($! = 0; defined($ln=$pidf_h->getline); $! = 0) { + chomp($ln); $lcnt++; last if $lcnt > 100; + $amavisd_pid = $ln if $lcnt == 1 && $ln =~ /^\d{1,10}\z/; + } defined $ln || $!==0 or die "Error reading from file $pidf: $!"; $pidf_h->close or die "Error closing file $pidf: $!"; - defined($amavisd_pid) or die "Missing process ID in file $pidf"; - $amavisd_pid =~ /^\d{1,10}\z/ && $amavisd_pid > 1 && $amavisd_pid != $$ - or die "Invalid process ID in file $pidf: [$amavisd_pid]"; + if ($lcnt <= 1 && !defined $amavisd_pid) { + # treat empty or junk one-line pid file the same as nonexisting pid file + die "The amavisd daemon is apparently not running, empty PID file $pidf\n" + if $cmd =~ /^(?:reload|restart|stop)\z/; + # prevent Net::Server from seeing this crippled file + do_log(-1, "removing empty or crippled PID file %s", $pidf); + unlink($pidf) or die "Can't remove PID file $pidf: $!"; + undef $amavisd_pid; + } else { + $lcnt <= 1 or die "More than one line in file $pidf"; + defined $amavisd_pid or die "Missing process ID in file $pidf"; + $amavisd_pid > 1 or die "Invalid PID in file $pidf: [$amavisd_pid]"; + } if (defined $amavisd_pid && defined $mtime) { # got a PID from a file # Is pid file older than system uptime? If so, it should be disregarded, # it must not prevent starting up amavisd after unclean shutdown. @@ -14048,7 +14126,7 @@ do_log(1, "user=%s, EUID: %s (%s); grou do_log(0, "Perl version %s", $]); # insist on a FQDN in $myhostname my($myhn) = c('myhostname'); -$myhn =~ /[^.]\.[a-zA-Z0-9]+\z/s || lc($myhn) eq 'localhost' +$myhn =~ /[^.]\.[a-zA-Z0-9-]+\z/s || lc($myhn) eq 'localhost' or die <<"EOD"; The value of variable \$myhostname is \"$myhn\", but should have been a fully qualified domain name; perhaps uname(3) did not provide such. @@ -14127,7 +14205,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform $myversion $myhostname $snmp_contact $snmp_location $nanny_details_level); @@ -14383,7 +14461,7 @@ use warnings FATAL => 'utf8'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw($db_home $daemon_chroot_dir); import Amavis::Util qw(untaint ll do_log); @@ -14464,7 +14542,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.2072'; + $VERSION = '2.2082'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform); import Amavis::Util qw(ll do_log freeze thaw); @@ -14612,7 +14690,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Util qw(ll do_log); import Amavis::Conf qw($trim_trailing_space_in_lookup_result_fields); @@ -14711,7 +14789,7 @@ use warnings FATAL => 'utf8'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform :confvars c cr ca); import Amavis::Timing qw(section_time); @@ -14910,7 +14988,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION $ldap_sys_default); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform :confvars c cr ca); import Amavis::Util qw(ll do_log); @@ -15021,7 +15099,7 @@ sub disconnect_from_ldap { sub do_search { my($self,$base,$scope,$filter) = @_; - my($result); + my($result,$error_name); $self->ldap or die "do_search: ldap not available"; do_log(5,"lookup_ldap: searching base=\"%s\", scope=\"%s\", filter=\"%s\"", $base, $scope, $filter); @@ -15031,15 +15109,26 @@ sub do_search { filter => $filter, deref => $self->{deref}, ); - if ($result->code) { die $result->error_name, "\n"; } + if ($result->code) { + $error_name = $result->error_name; + if ($error_name eq 'LDAP_NO_SUCH_OBJECT') { + # probably alright, e.g. a foreign %d + do_log(4, 'do_search failed in "%s": %s', $base, $error_name); + } else { + die $error_name."\n"; + } + } 1; } or do { my($err) = $@ ne '' ? $@ : "errno=$!"; chomp $err; die $err if $err =~ /^timed out\b/; # resignal timeout if ($err !~ /^LDAP_/) { die "do_search: $err"; - } else { # LDAP related error - do_log(0, "NOTICE: do_search: trying again: %s", $err); + } elsif ($error_name !~ /^LDAP_(?:BUSY|UNAVAILABLE|UNWILLING_TO_PERFORM| + TIMEOUT|SERVER_DOWN|CONNECT_ERROR|OTHER)\z/x) { + die "do_search: failed: $error_name\n"; + } else { # LDAP related error, worth retrying + do_log(0, "NOTICE: do_search: trying again: %s", $error_name); $self->disconnect_from_ldap; $self->connect_to_ldap; $self->ldap or die "do_search: reconnect failed"; @@ -15075,7 +15164,7 @@ use re 'taint'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Util qw(ll do_log); import Amavis::Conf qw($trim_trailing_space_in_lookup_result_fields); @@ -15170,7 +15259,7 @@ BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION $ldap_sys_default @ldap_attrs @mv_ldap_attrs); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform :confvars c cr ca); import Amavis::Timing qw(section_time); @@ -15303,8 +15392,9 @@ sub lookup_ldap($$$%) { $conn_h->begin_work; # (re)connect if not connected eval { snmp_count('OpsLDAPSearch'); - my($result) = $conn_h->do_search($base, $self->{scope}, $filter); - my(@entry) = $result->entries; + my(@entry); + my($search_obj) = $conn_h->do_search($base, $self->{scope}, $filter); + @entry = $search_obj->entries if $search_obj && !$search_obj->code; my(%mv_ldap_attrs) = map { (lc($_), 1) } @mv_ldap_attrs; for my $entry (@entry) { my($match) = {}; @@ -15375,7 +15465,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform :confvars c cr ca); import Amavis::Util qw(ll do_log debug_oneshot snmp_counters_init @@ -16047,7 +16137,7 @@ use warnings FATAL => 'utf8'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform :confvars c cr ca); import Amavis::Util qw(ll do_log untaint am_id new_am_id snmp_counters_init @@ -17055,7 +17145,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform); import Amavis::Util qw(ll do_log min max); @@ -17094,7 +17184,7 @@ sub new { $blocking = 0 if defined $arg{Blocking} && !$arg{Blocking}; my($socketname) = $peeraddress; my($is_inet) = $socketname=~m{^/} ? 0 : 1; # simpleminded: unix vs. inet - my($is_inet4) = $is_inet && $socketname=~/^\d+.\d+.\d+.\d+\z/ ? 1 : 0; + my($is_inet4) = $is_inet && $socketname=~/^\d+\.\d+\.\d+\.\d+\z/ ? 1 : 0; my($sock); if ($is_inet && ($is_inet4 || !$have_inet6)) { # inet socket (IPv4) do_log(3,"smtp creating socket by IO::Socket::INET to [%s]:%s", @@ -17431,7 +17521,7 @@ use warnings FATAL => 'utf8'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&rundown_stale_sessions); import Amavis::Conf qw(:platform c cr ca $smtp_connection_cache_enable); @@ -17708,7 +17798,7 @@ use warnings FATAL => 'utf8'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT = qw(&mail_via_smtp); import Amavis::Conf qw(:platform c cr ca $smtp_connection_cache_enable); @@ -17774,23 +17864,21 @@ sub mail_via_smtp(@) { # sub enhance_smtp_response($$$$$) { my($smtp_resp,$am_id,$mta_id,$dflt_enhcode,$cmd_name) = @_; - local($1,$2,$3); my($resp_shortmsg,$resp_msg); + local($1,$2,$3); my($resp_msg); my($resp_code,$resp_enhcode) = ('451', '4.5.0'); if (!defined($smtp_resp) || $smtp_resp eq '') { - $resp_shortmsg = 'No resp. to '.$cmd_name; + $smtp_resp = sprintf('No resp. to %s', $cmd_name); } elsif ($smtp_resp !~ /^[245]\d{2}/) { - $resp_shortmsg = 'Bad resp. to '.$cmd_name; + $smtp_resp = sprintf('Bad resp. to %s: %s', $cmd_name,$smtp_resp); } elsif ($smtp_resp =~ /^ (\d{3}) [ \t]+ ([245] \. \d{1,3} \. \d{1,3})? \s* (.*) \z/xs) { ($resp_code, $resp_enhcode, $resp_msg) = ($1, $2, $3); my($c) = substr($resp_code,0,1); if ($resp_enhcode eq '' && $resp_code =~ /^[245]/) { $resp_enhcode = $dflt_enhcode; $resp_enhcode =~ s/^\d*/$c/ } - $resp_shortmsg = $c eq '2' ? 'Ok' : $c eq '4' ? 'TempFailed' : 'Failed'; } - sprintf("%s %s %s, id=%s, from MTA(%s): %s", - $resp_code, $resp_enhcode, $resp_shortmsg, - $am_id, $mta_id, $smtp_resp); + sprintf("%s %s from MTA(%s): %s", + $resp_code, $resp_enhcode, $mta_id, $smtp_resp); } # Send mail using SMTP - single transaction @@ -18342,7 +18430,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT = qw(&mail_via_pipe); import Amavis::Conf qw(:platform c cr ca); @@ -18521,7 +18609,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT = qw(&mail_via_bsmtp); import Amavis::Conf qw(:platform $QUARANTINEDIR c cr ca); @@ -18705,7 +18793,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&mail_to_local_mailbox); import Amavis::Conf qw(:platform $quarantine_subdir_levels c cr ca); @@ -19022,7 +19110,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Util qw(ll do_log); } @@ -19175,7 +19263,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform c cr ca); import Amavis::Util qw(ll do_log); @@ -19409,6 +19497,7 @@ sub connect_to_sql { $dbh->{'RaiseError'} = 1; # $dbh->{mysql_auto_reconnect} = 1; # questionable benefit # $dbh->func(30000,'busy_timeout'); # milliseconds (SQLite) + $dbh->do("SET NAMES 'utf8'"); section_time('sql-connect'); $self; } @@ -19435,7 +19524,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform c cr ca $QUARANTINEDIR $timestamp_fmt_mysql $sql_allow_8bit_address); @@ -19824,7 +19913,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Util qw(ll do_log untaint min max); } @@ -20118,7 +20207,7 @@ use warnings FATAL => 'utf8'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT = qw(&mail_via_sql); import Amavis::Conf qw(:platform c cr ca $sql_quarantine_chunksize_max); @@ -20246,7 +20335,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform :confvars c cr ca); import Amavis::Util qw(ll untaint min max unique_list do_log add_entropy @@ -20549,8 +20638,10 @@ sub ask_daemon_internal { 10, $remaining_time); @$sockets >= 1 or die "no sockets specified!?"; # sanity $socketname = $sockets->[0]; # try the first one in the current list + $socketname =~ s/^([a-z][a-z0-9.+-]*)?://si; # strip protocol name $is_inet = $socketname =~ m{^/} ? 0 : 1; # simpleminded: unix vs. inet sock - my($is_inet4) = $is_inet && $socketname=~/^\d+.\d+.\d+.\d+\z/ ? 1 : 0; + my($is_inet4) = + $is_inet && $socketname=~/^\d+\.\d+\.\d+\.\d+(?:\z|:)/ ? 1 : 0; my($eval_stat); eval { if (!$st_socket_created{$socketname}) { @@ -21040,7 +21131,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform c cr ca); import Amavis::Util qw(ll do_log untaint unique_list); @@ -21341,7 +21432,7 @@ use warnings FATAL => 'utf8'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform :confvars :sa c cr ca); import Amavis::Util qw(ll do_log sanitize_str min max prolong_timer); @@ -21698,7 +21789,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform :confvars :sa c cr ca); import Amavis::Util qw(ll do_log sanitize_str); @@ -21845,7 +21936,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); # let a 'require' understand that this module is already loaded: $INC{'Mail/SpamAssassin/Logger/Amavislog.pm'} = 'amavisd'; @@ -21881,7 +21972,7 @@ use warnings FATAL => 'utf8'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); import Amavis::Conf qw(:platform :confvars :sa $daemon_user c cr ca); import Amavis::Util qw(ll do_log sanitize_str prolong_timer add_entropy @@ -21916,7 +22007,7 @@ sub getCommonSAModules { Net::DNS::RR::A Net::DNS::RR::AAAA Net::DNS::RR::PTR Net::DNS::RR::CNAME Net::DNS::RR::TXT Net::DNS::RR::SPF Net::CIDR::Lite - Sys::Hostname::Long DBD::mysql + Sys::Hostname::Long URI URI::Escape URI::Heuristic URI::QueryParam URI::Split URI::URL URI::WithBase URI::_foreign URI::_generic URI::_ldap URI::_login URI::_query URI::_segment URI::_server URI::_userpass URI::data URI::ftp @@ -21929,7 +22020,7 @@ sub getCommonSAModules { # Mail::SpamAssassin::BayesStore::SQL # Mail::SpamAssassin::SQLBasedAddrList # ??? ArchiveIterator Reporter Getopt::Long Sys::Syslog lib - # Net::Ping + # Net::Ping DBD::mysql @modules; } @@ -22227,6 +22318,7 @@ sub call_spamassassin($$$$) { my(%suppl_attrib) = ( 'return_path' => $msginfo->sender_smtp, 'recipients' => [ qquote_rfc2821_local(@{$msginfo->recips}) ], + 'originating' => $msginfo->originating ? 1 : 0, 'message_size' => $msginfo->msg_size, !$enable_dkim_verification ? () : ('dkim_signatures' => $msginfo->dkim_signatures_all), @@ -22432,7 +22524,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&init &decompose_part &determine_file_types); import Amavis::Util qw(untaint min max ll do_log snmp_count @@ -22887,8 +22979,8 @@ sub do_ascii($$) { sub do_unzip($$;$$) { my($part, $tempdir, $archiver_dummy, $testing_for_sfx) = @_; ll(4) && do_log(4, "Unzipping %s", $part->base_name); - # avoid DoS vulnerability in < 2.017 - Compress::Raw::Zlib->VERSION(2.017); # required minimal version, or die + # avoid DoS vulnerability in < 2.017, CVE-2009-1391 + # Compress::Raw::Zlib->VERSION(2.017); # module not loaded snmp_count('OpsDecByArZipAttempt'); my($zip) = Archive::Zip->new; my(@err_nm) = qw(AZ_OK AZ_STREAM_END AZ_ERROR AZ_FORMAT_ERROR AZ_IO_ERROR); @@ -24083,7 +24175,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&dkim_key_postprocess &generate_authentication_results &dkim_make_signatures &adjust_score_by_signer_reputation); @@ -24643,7 +24735,7 @@ no warnings 'uninitialized'; BEGIN { require Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); - $VERSION = '2.207'; + $VERSION = '2.208'; @ISA = qw(Exporter); @EXPORT_OK = qw(&show_or_test_dkim_public_keys &generate_dkim_private_key &convert_dkim_keys_file); @@ -24931,7 +25023,7 @@ UNCHECKED|BANNED (%F)|INFECTED (%V)]# , size: %z# [? [:partition_tag] ||, pt: [:partition_tag]]# [~[:remote_mta_smtp_response]|["^$"]||[", queued_as: "]]\ -[remote_mta_smtp_response|[~%x|["queued as ([0-9A-Z]+)$"]|["%1"]|["%0"]]|/]# +[remote_mta_smtp_response|[~%x|["queued as ([0-9A-Za-z]+)$"]|["%1"]|["%0"]]|/]# #[? [:header_field|Subject]||, Subject: [:dquote|[:header_field|Subject|100]]]# #[? [:header_field|From] ||, From: [:uquote|[:header_field|From|100]]\ #[? [:dkim|author] || (dkim:AUTHOR)]]# @@ -24991,7 +25083,7 @@ UNCHECKED|BANNED (%F)|INFECTED (%V)]# , %s -> [%D|,], Hits: %c# , tag=[:tag_level], tag2=[:tag2_level], kill=[:kill_level]# [~[:remote_mta_smtp_response]|["^$"]||\ -["queued as ([0-9A-Z]+)"]|[", queued_as: %1"]|[", fwd: %0"]]# +["queued as ([0-9A-Za-z]+)"]|[", queued_as: %1"]|[", fwd: %0"]]# , %0/%1/%2/%k# ] [?%#O|#|Blocked # diff -pruN 1:2.6.4-4/amavisd.conf 1:2.6.5-0ubuntu3/amavisd.conf --- 1:2.6.4-4/amavisd.conf 2009-06-25 12:38:47.000000000 +0000 +++ 1:2.6.5-0ubuntu3/amavisd.conf 2011-04-02 00:22:15.000000000 +0000 @@ -204,7 +204,7 @@ $banned_filename_re = new_RE( ### BLOCKED ANYWHERE # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary -# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types +# qr'^\.(exe|lha|cab|dll)$', # banned file(1) types ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: # [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 @@ -227,7 +227,7 @@ $banned_filename_re = new_RE( # qr'^\.wmf$', # Windows Metafile file(1) type # block certain double extensions in filenames - qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, + qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, # qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict # qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose diff -pruN 1:2.6.4-4/amavisd.conf-default 1:2.6.5-0ubuntu3/amavisd.conf-default --- 1:2.6.4-4/amavisd.conf-default 2009-06-25 12:38:32.000000000 +0000 +++ 1:2.6.5-0ubuntu3/amavisd.conf-default 2011-04-02 00:22:06.000000000 +0000 @@ -5,7 +5,7 @@ use strict; ## This software is licensed under the GNU General Public License (GPL). ## See comments at the start of file amavisd for the whole license text. -## Copyright (C) 2002-2009 Mark Martinec, All Rights Reserved. +## Copyright (C) 2002-2011 Mark Martinec, All Rights Reserved. ## See file amavisd.conf-sample for explanations and examples. @@ -355,8 +355,8 @@ use strict; # @viruses_that_fake_sender_maps = (\$viruses_that_fake_sender_re, 1); # @virus_name_to_spam_score_maps = # (new_RE( # the order matters! -# [ qr'^Phishing\.' => 0.1 ], # [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ], +# [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ], # [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ], # [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep infected # [ qr'^Sanesecurity\.' => 0.1 ], @@ -371,6 +371,9 @@ use strict; # [ qr'^Safebrowsing\.' => 0.1 ], # [ qr'^winnow\.(phish|spam)\.' => 0.1 ], # [ qr'^INetMsg\.SpamDomain' => 0.1 ], +# [ qr'^Doppelstern\.(Scam4|Phishing)' => 0.1 ], +# [ qr'^ScamNailer\.' => 0.1 ], +# [ qr'^HTML/Bankish' => 0.1 ], # F-Prot # [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected # [ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ], # false positives # [ qr'^MBL_' => undef ], # keep as infected @@ -546,10 +549,13 @@ $reputation_factor = 0.33; # CC_BANNED, sub { c('final_banned_destiny') }, # CC_SPAM, sub { c('final_spam_destiny') }, # CC_BADH, sub { c('final_bad_header_destiny') }, +# CC_MTA.',2', D_REJECT, # CC_OVERSIZED, D_BOUNCE, # CC_CATCHALL, D_PASS, # ); # %smtp_reason_by_ccat = ( +# # currently only used for blocked messages only, status 5xx +# # a multiline message will produce a valid multiline SMTP response # CC_VIRUS, "id=%n - INFECTED: %V", # CC_BANNED, "id=%n - BANNED: %F", # CC_UNCHECKED, "id=%n - UNCHECKED", diff -pruN 1:2.6.4-4/amavisd-new-courier.patch 1:2.6.5-0ubuntu3/amavisd-new-courier.patch --- 1:2.6.4-4/amavisd-new-courier.patch 2009-06-25 12:36:51.000000000 +0000 +++ 1:2.6.5-0ubuntu3/amavisd-new-courier.patch 2011-04-02 00:20:29.000000000 +0000 @@ -1,5 +1,5 @@ ---- amavisd.ori 2009-06-25 14:36:06.000000000 +0200 -+++ amavisd 2009-06-25 14:36:14.000000000 +0200 +--- amavisd.ori 2011-04-02 02:19:15.198032427 +0200 ++++ amavisd 2011-04-02 02:19:40.068808511 +0200 @@ -98,5 +98,5 @@ # Amavis::In::AMCL # Amavis::In::SMTP @@ -14,14 +14,14 @@ + IO::Handle IO::File IO::Select IO::Socket IO::Socket::UNIX IO::Socket::INET IO::Stringy Digest::MD5 Unix::Syslog File::Basename Compress::Zlib MIME::Base64 MIME::QuotedPrint MIME::Words -@@ -9249,5 +9249,5 @@ +@@ -9281,5 +9281,5 @@ ### but before binding to sockets sub post_configure_hook { -# umask(0007); # affect protection of Unix sockets created by Net::Server + umask(0007); # affect protection of Unix sockets created by Net::Server } -@@ -9260,4 +9260,34 @@ +@@ -9292,4 +9292,34 @@ ### Net::Server hook +### This hook takes place immediately after the "->run()" method is called. @@ -56,7 +56,7 @@ +### Net::Server hook ### This hook occurs in the parent (master) process after chroot, ### after change of user, and change of group has occured. -@@ -9312,4 +9342,15 @@ +@@ -9344,4 +9374,15 @@ } $spamcontrol_obj->init_pre_fork if $spamcontrol_obj; + if ($courierfilter_shutdown) { @@ -72,7 +72,7 @@ + } my(@modules_extra) = grep {!exists $modules_basic{$_}} keys %INC; if (@modules_extra) { -@@ -9674,5 +9715,7 @@ +@@ -9706,5 +9747,7 @@ $amcl_in_obj->process_policy_request($sock, $conn, \&check_mail, 0); } elsif ($suggested_protocol eq 'COURIER') { - die "unavailable support for protocol: $suggested_protocol"; @@ -81,7 +81,7 @@ + $courier_in_obj->process_courier_request($sock, $conn, \&check_mail); } elsif ($suggested_protocol eq 'QMQPqq') { die "unavailable support for protocol: $suggested_protocol"; -@@ -9752,4 +9795,24 @@ +@@ -9784,4 +9827,24 @@ } +### Net::Server hook @@ -106,7 +106,7 @@ + ### Child is about to be terminated ### user customizable Net::Server hook -@@ -13614,4 +13677,9 @@ +@@ -13679,4 +13742,9 @@ Amavis::Conf::supply_after_defaults(); +# courierfilter shutdown needs can_read_hook, added in Net::Server 0.90 @@ -116,14 +116,14 @@ + if (defined $desired_user && $daemon_user ne '') { local($1); -@@ -14083,4 +14151,6 @@ +@@ -14161,4 +14229,6 @@ : $inet_socket_bind), listen => defined $listen_queue_size ? $listen_queue_size : undef, + # need to set multi_port for can_read_hook + multi_port => $courierfilter_shutdown ? 1 : undef, max_servers => $max_servers, # number of pre-forked children !defined($min_servers) ? () -@@ -17041,5 +17111,424 @@ +@@ -17131,5 +17201,424 @@ no warnings 'uninitialized'; -BEGIN { die "Code not available for module Amavis::In::Courier" } @@ -549,8 +549,8 @@ +} 1; ---- amavisd.conf-sample.ori 2009-06-25 14:35:59.000000000 +0200 -+++ amavisd.conf-sample 2009-06-25 14:36:14.000000000 +0200 +--- amavisd.conf-sample.ori 2011-04-02 02:19:32.928601729 +0200 ++++ amavisd.conf-sample 2011-04-02 02:19:40.068808511 +0200 @@ -148,4 +148,11 @@ #$notify_method = $forward_method; diff -pruN 1:2.6.4-4/amavisd-new-qmqpqq.patch 1:2.6.5-0ubuntu3/amavisd-new-qmqpqq.patch --- 1:2.6.4-4/amavisd-new-qmqpqq.patch 2009-06-25 12:38:22.000000000 +0000 +++ 1:2.6.5-0ubuntu3/amavisd-new-qmqpqq.patch 2011-04-02 00:21:57.000000000 +0000 @@ -1,36 +1,36 @@ ---- amavisd.ori 2009-06-25 14:36:06.000000000 +0200 -+++ amavisd 2009-06-25 14:37:27.000000000 +0200 +--- amavisd.ori 2011-04-02 02:19:15.198032427 +0200 ++++ amavisd 2011-04-02 02:21:04.852776572 +0200 @@ -99,4 +99,5 @@ # Amavis::In::SMTP #( Amavis::In::Courier ) +# Amavis::In::QMQPqq # Amavis::Out::SMTP::Protocol # Amavis::Out::SMTP::Session -@@ -3509,4 +3510,5 @@ +@@ -3513,4 +3514,5 @@ $myproduct_name, $conn->socket_port eq '' ? 'unix socket' : "port ".$conn->socket_port); + # must not use proto name QMQPqq in 'with' $s .= "\n with $smtp_proto" if $smtp_proto=~/^(ES|S|L)MTPS?A?\z/i; # rfc3848 $s .= "\n id $id" if $id ne ''; -@@ -8516,4 +8518,5 @@ +@@ -8547,4 +8549,5 @@ $extra_code_sql_lookup $extra_code_ldap $extra_code_in_amcl $extra_code_in_smtp $extra_code_in_courier + $extra_code_in_qmqpqq $extra_code_out_smtp $extra_code_out_pipe $extra_code_out_bsmtp $extra_code_out_local $extra_code_p0f -@@ -8544,4 +8547,5 @@ +@@ -8575,4 +8578,5 @@ # Amavis::In::AMCL, Amavis::In::SMTP and In::Courier objects use vars qw($amcl_in_obj $smtp_in_obj $courier_in_obj); +use vars qw($qmqpqq_in_obj); # Amavis::In::QMQPqq object use vars qw($sql_dataset_conn_lookups); # Amavis::Out::SQL::Connection object -@@ -9172,4 +9176,5 @@ +@@ -9203,4 +9207,5 @@ do_log(0,"SMTP-in proto code %s loaded", $extra_code_in_smtp ?'':" NOT"); do_log(0,"Courier proto code %s loaded", $extra_code_in_courier ?'':" NOT"); + do_log(0,"QMQPqq-in proto code %s loaded", $extra_code_in_qmqpqq ?'':" NOT"); do_log(0,"SMTP-out proto code %s loaded", $extra_code_out_smtp ?'':" NOT"); do_log(0,"Pipe-out proto code %s loaded", $extra_code_out_pipe ?'':" NOT"); -@@ -9676,5 +9681,9 @@ +@@ -9708,5 +9713,9 @@ die "unavailable support for protocol: $suggested_protocol"; } elsif ($suggested_protocol eq 'QMQPqq') { - die "unavailable support for protocol: $suggested_protocol"; @@ -41,25 +41,25 @@ + $qmqpqq_in_obj->process_qmqpqq_request($sock,$conn,\&check_mail); } elsif ($suggested_protocol eq 'TCP-LOOKUP') { #postfix maps, experimental process_tcp_lookup_request($sock, $conn); -@@ -9769,4 +9778,5 @@ +@@ -9801,4 +9810,5 @@ do_log(5,"child_finish_hook: invoking DESTROY methods"); undef $smtp_in_obj; undef $amcl_in_obj; undef $courier_in_obj; + undef $qmqpqq_in_obj; undef $sql_storage; undef $sql_wblist; undef $sql_policy; undef $ldap_policy; undef $sql_dataset_conn_lookups; undef $sql_dataset_conn_storage; -@@ -9779,4 +9789,5 @@ +@@ -9811,4 +9821,5 @@ # do_log(5,"at the END handler: invoking DESTROY methods"); undef $smtp_in_obj; undef $amcl_in_obj; undef $courier_in_obj; + undef $qmqpqq_in_obj; undef $sql_storage; undef $sql_wblist; undef $sql_policy; undef $ldap_policy; undef $sql_dataset_conn_lookups; undef $sql_dataset_conn_storage; -@@ -13447,4 +13458,5 @@ +@@ -13512,4 +13523,5 @@ $extra_code_sql_lookup, $extra_code_ldap, $extra_code_in_amcl, $extra_code_in_smtp, $extra_code_in_courier, + $extra_code_in_qmqpqq, $extra_code_out_smtp, $extra_code_out_pipe, $extra_code_out_bsmtp, $extra_code_out_local, $extra_code_p0f, -@@ -13741,5 +13753,10 @@ +@@ -13806,5 +13818,10 @@ undef $extra_code_in_courier; } - if ($needed_protocols_in{'QMQPqq'}) { die "In::QMQPqq code not available" } @@ -71,7 +71,7 @@ + } } -@@ -17047,4 +17064,276 @@ +@@ -17137,4 +17154,276 @@ __DATA__ # +package Amavis::In::QMQPqq; @@ -348,8 +348,8 @@ +# package Amavis::Out::SMTP::Protocol; use strict; ---- amavisd.conf.ori 2009-06-25 14:35:47.000000000 +0200 -+++ amavisd.conf 2009-06-25 14:37:27.000000000 +0200 +--- amavisd.conf.ori 2011-04-02 02:19:19.998172566 +0200 ++++ amavisd.conf 2011-04-02 02:21:04.852776572 +0200 @@ -59,6 +59,6 @@ # option(s) -p overrides $inet_socket_port and $unix_socketname @@ -359,8 +359,8 @@ +$inet_socket_port = 10628; # accept connections on this local TCP port(s) $policy_bank{'MYNETS'} = { # mail originating from @mynetworks ---- amavisd.conf-sample.ori 2009-06-25 14:35:59.000000000 +0200 -+++ amavisd.conf-sample 2009-06-25 14:37:27.000000000 +0200 +--- amavisd.conf-sample.ori 2011-04-02 02:19:32.928601729 +0200 ++++ amavisd.conf-sample 2011-04-02 02:21:04.852776572 +0200 @@ -231,8 +231,11 @@ # SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...) # (used when MTA is configured to pass mail to amavisd via SMTP or LMTP) diff -pruN 1:2.6.4-4/amavisd-release 1:2.6.5-0ubuntu3/amavisd-release --- 1:2.6.4-4/amavisd-release 2008-08-05 16:49:30.000000000 +0000 +++ 1:2.6.5-0ubuntu3/amavisd-release 2011-03-31 17:56:42.000000000 +0000 @@ -32,7 +32,7 @@ # using socket protection (unix socket) or @inet_acl (for inet socket). # # Author: Mark Martinec -# Copyright (C) 2005-2008 Mark Martinec, All Rights Reserved. +# Copyright (C) 2005-2011 Mark Martinec, All Rights Reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: @@ -74,7 +74,7 @@ use re 'taint'; use IO::Socket; use Time::HiRes (); -use vars qw($VERSION); $VERSION = 1.500; +use vars qw($VERSION); $VERSION = 1.501; use vars qw($log_level $socketname); $log_level = 1; @@ -156,15 +156,13 @@ sub release_file($$$@) { usage("Invalid quarantine ID: $mail_file"); } my($quar_type) = - $fn_suffix eq '.gz' ? 'Z' - : $fn_path eq '' && $mail_id eq $mail_file ? 'Q' : 'F'; + $fn_suffix eq '.gz' ? 'Z' : $fn_path ne '' ? 'F' : ''; my($request_type) = $0 =~ /\breport\z/i ? 'report' : $0 =~ /\brequeue\z/i ? 'requeue' : 'release'; - my(@query) = ( - "request=$request_type", - "quar_type=$quar_type", - "mail_id=$mail_id", - ); + my(@query); + push(@query, "request=$request_type"); + push(@query, "mail_id=$mail_id"); + push(@query, "quar_type=$quar_type") if $quar_type ne ''; push(@query, "secret_id=$secret_id") if $secret_id ne ''; push(@query, "mail_file=$mail_file") if $quar_type =~ /^[FZB]\z/; push(@query, "partition_tag=$part_tag") if $part_tag ne ''; diff -pruN 1:2.6.4-4/AMAVIS-MIB.txt 1:2.6.5-0ubuntu3/AMAVIS-MIB.txt --- 1:2.6.4-4/AMAVIS-MIB.txt 2009-06-23 07:23:08.000000000 +0000 +++ 1:2.6.5-0ubuntu3/AMAVIS-MIB.txt 2011-04-02 00:00:28.000000000 +0000 @@ -13,7 +13,7 @@ IMPORTS FROM SNMPv2-CONF; amavis MODULE-IDENTITY - LAST-UPDATED "200906010000Z" + LAST-UPDATED "201104020000Z" ORGANIZATION "Institut Jozef Stefan" CONTACT-INFO "Mark Martinec @@ -29,6 +29,11 @@ amavis MODULE-IDENTITY REVISION "200906010000Z" DESCRIPTION "The original version of this MIB." + + REVISION "201104020000Z" + DESCRIPTION + "Fixed some English article usage in descriptions." + ::= { enterprises 15312 2 1 } -- 1.3.6.1.4.1.15312 enterprises . Jozef Stefan Institute @@ -200,7 +205,7 @@ inMsgsStatusAccepted OBJECT-TYPE DESCRIPTION "Number of mail messages received by amavisd and accepted with a success status code (D_PASS, 2xx), but their forwarding remained - the responsibility of a MTA (null delivery_method, typical for + the responsibility of an MTA (null delivery_method, typical for a milter setup)." ::= { amavisStats 2 7 } @@ -275,7 +280,7 @@ inMsgsStatusTempFailed OBJECT-TYPE "Number of mail messages whose reception resulted in a temporary failure status code (4xx) being send by amavisd back to MTA. A message was not forwarded by amavisd, and no delivery status - notification was sent. A message stayed in a MTA queue for future + notification was sent. A message stayed in an MTA queue for future attempts at delivery." ::= { amavisStats 2 13 } @@ -580,7 +585,7 @@ outMsgsProtoSMTP OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of mail messages transmitted by amavisd to a MTA using a + "Number of mail messages transmitted by amavisd to an MTA using a SMTP protocol. This includes relayed mail messages as well as messages generated by amavisd, such as notifications." ::= { amavisStats 6 12 } @@ -591,7 +596,7 @@ outMsgsProtoSMTPRelay OBJECT-TYPE STATUS current DESCRIPTION "Number of relayed (fordarded, passed) mail messages transmitted by - amavisd to a MTA using a SMTP protocol." + amavisd to an MTA using an SMTP protocol." ::= { amavisStats 6 13 } outMsgsProtoSMTPSubmit OBJECT-TYPE @@ -599,7 +604,7 @@ outMsgsProtoSMTPSubmit OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of mail messages transmitted by amavisd to a MTA using a + "Number of mail messages transmitted by amavisd to an MTA using a SMTP protocol and generated by amavisd, such as notifications." ::= { amavisStats 6 14 } @@ -608,7 +613,7 @@ outMsgsProtoLMTP OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of mail messages transmitted by amavisd to a MTA using a + "Number of mail messages transmitted by amavisd to an MTA using a LMTP protocol. This includes relayed mail messages as well as messages generated by amavisd, such as notifications." ::= { amavisStats 6 15 } @@ -619,7 +624,7 @@ outMsgsProtoLMTPRelay OBJECT-TYPE STATUS current DESCRIPTION "Number of relayed (forwarded, passed) mail messages transmitted by - amavisd to a MTA using a LMTP protocol." + amavisd to an MTA using an LMTP protocol." ::= { amavisStats 6 16 } outMsgsProtoLMTPSubmit OBJECT-TYPE @@ -627,7 +632,7 @@ outMsgsProtoLMTPSubmit OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of mail messages transmitted by amavisd to a MTA using a + "Number of mail messages transmitted by amavisd to an MTA using a LMTP protocol and generated by amavisd, such as notifications." ::= { amavisStats 6 17 } @@ -636,7 +641,7 @@ outMsgsProtoBSMTP OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of mail messages transmitted by amavisd to a MTA using a + "Number of mail messages transmitted by amavisd to an MTA using a BSMTP protocol. This includes relayed mail messages as well as messages generated by amavisd, such as notifications." ::= { amavisStats 6 18 } @@ -647,7 +652,7 @@ outMsgsProtoBSMTPRelay OBJECT-TYPE STATUS current DESCRIPTION "Number of relayed (forwarded, passed) mail messages transmitted by - amavisd to a MTA using a BSMTP protocol." + amavisd to an MTA using a BSMTP protocol." ::= { amavisStats 6 19 } outMsgsProtoBSMTPSubmit OBJECT-TYPE @@ -655,7 +660,7 @@ outMsgsProtoBSMTPSubmit OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of mail messages transmitted by amavisd to a MTA using a + "Number of mail messages transmitted by amavisd to an MTA using a BSMTP protocol and generated by amavisd, such as notifications." ::= { amavisStats 6 20 } @@ -664,7 +669,7 @@ outMsgsProtoPipe OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of mail messages transmitted by amavisd to a MTA using a + "Number of mail messages transmitted by amavisd to an MTA using a pipe to an external program. This includes relayed mail messages as well as messages generated by amavisd, such as notifications." ::= { amavisStats 6 21 } @@ -675,7 +680,7 @@ outMsgsProtoPipeRelay OBJECT-TYPE STATUS current DESCRIPTION "Number of relayed (forwarded, passed) mail messages transmitted by - amavisd to a MTA using a pipe to an external program." + amavisd to an MTA using a pipe to an external program." ::= { amavisStats 6 22 } outMsgsProtoPipeSubmit OBJECT-TYPE @@ -683,7 +688,7 @@ outMsgsProtoPipeSubmit OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of mail messages transmitted by amavisd to a MTA using a + "Number of mail messages transmitted by amavisd to an MTA using a pipe to an external program and generated by amavisd, such as notifications." ::= { amavisStats 6 23 } @@ -861,7 +866,7 @@ outMsgsSizeProtoSMTP OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of octets in messages transmitted by amavisd to a MTA using + "Number of octets in messages transmitted by amavisd to an MTA using SMTP protocol. This includes relayed (passed) messages, as well as notifications generated by amavisd and messages quarantined to an e-mail address when using this method. The number may not be exact, @@ -874,7 +879,7 @@ outMsgsSizeProtoSMTPRelay OBJECT-TYPE STATUS current DESCRIPTION "Number of relayed (fordarded, passed) mail messages transmitted by - amavisd to a MTA using a SMTP protocol." + amavisd to an MTA using an SMTP protocol." ::= { amavisStats 7 13 } outMsgsSizeProtoSMTPSubmit OBJECT-TYPE @@ -882,7 +887,7 @@ outMsgsSizeProtoSMTPSubmit OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of mail messages transmitted by amavisd to a MTA using a + "Number of mail messages transmitted by amavisd to an MTA using a SMTP protocol and generated by amavisd, such as notifications." ::= { amavisStats 7 14 } @@ -891,7 +896,7 @@ outMsgsSizeProtoLMTP OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of octets in messages transmitted by amavisd to a MTA using + "Number of octets in messages transmitted by amavisd to an MTA using LMTP protocol. This includes relayed (passed) messages, as well as notifications generated by amavisd and messages quarantined to an e-mail address when using this method. The number may not be exact, @@ -904,7 +909,7 @@ outMsgsSizeProtoLMTPRelay OBJECT-TYPE STATUS current DESCRIPTION "Number of octets in relayed (forwarded, passed) mail messages - transmitted by amavisd to a MTA using a LMTP protocol." + transmitted by amavisd to an MTA using an LMTP protocol." ::= { amavisStats 7 16 } outMsgsSizeProtoLMTPSubmit OBJECT-TYPE @@ -912,8 +917,8 @@ outMsgsSizeProtoLMTPSubmit OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of octets in mail messages transmitted by amavisd to a MTA - using a LMTP protocol and generated by amavisd, such as notifications." + "Number of octets in mail messages transmitted by amavisd to an MTA + using an LMTP protocol and generated by amavisd, such as notifications." ::= { amavisStats 7 17 } outMsgsSizeProtoBSMTP OBJECT-TYPE @@ -921,7 +926,7 @@ outMsgsSizeProtoBSMTP OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of octets in messages transmitted by amavisd to a MTA using + "Number of octets in messages transmitted by amavisd to an MTA using BSMTP protocol. This includes relayed (passed) messages, as well as notifications generated by amavisd and messages quarantined through BSMTP. The number may not be exact, as it currently does not account @@ -934,7 +939,7 @@ outMsgsSizeProtoBSMTPRelay OBJECT-TYPE STATUS current DESCRIPTION "Number of octets in relayed (forwarded, passed) mail messages - transmitted by amavisd to a MTA using a BSMTP protocol." + transmitted by amavisd to an MTA using a BSMTP protocol." ::= { amavisStats 7 19 } outMsgsSizeProtoBSMTPSubmit OBJECT-TYPE @@ -942,7 +947,7 @@ outMsgsSizeProtoBSMTPSubmit OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of octets in mail messages transmitted by amavisd to a MTA + "Number of octets in mail messages transmitted by amavisd to an MTA using a BSMTP protocol and generated by amavisd, such as quarantined messages and notifications." ::= { amavisStats 7 20 } @@ -965,7 +970,7 @@ outMsgsSizeProtoPipeRelay OBJECT-TYPE STATUS current DESCRIPTION "Number of octets in relayed (forwarded, passed) mail messages - transmitted by amavisd to a MTA using a pipe to an external program." + transmitted by amavisd to an MTA using a pipe to an external program." ::= { amavisStats 7 22 } outMsgsSizeProtoPipeSubmit OBJECT-TYPE @@ -973,7 +978,7 @@ outMsgsSizeProtoPipeSubmit OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of octets in mail messages transmitted by amavisd to a MTA + "Number of octets in mail messages transmitted by amavisd to an MTA using a pipe to an external program and generated by amavisd, such as quarantined messages and notifications." ::= { amavisStats 7 23 } @@ -1039,7 +1044,7 @@ quarMtaFailedMsgs OBJECT-TYPE STATUS current DESCRIPTION "Number of clean-contents messages quarantined because of a failure - to feed a message back to a MTA. Should be zero at all times, + to feed a message back to an MTA. Should be zero at all times, quarantining is not supposed to be enabled for MTA failures." ::= { amavisStats 8 4 } @@ -1154,7 +1159,7 @@ quarMtaFailedMsgsSize OBJECT-TYPE STATUS current DESCRIPTION "Number of octets in clean-contents messages quarantined because of - a failure to feed a message back to a MTA." + a failure to feed a message back to an MTA." ::= { amavisStats 9 4 } quarOversizedMsgsSize OBJECT-TYPE @@ -1744,7 +1749,7 @@ outConnNew OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of new (SMTP or LMTP) TCP session establishments to a MTA." + "Number of new (SMTP or LMTP) TCP session establishments to an MTA." ::= { amavisStats 11 6 } outConnQuit OBJECT-TYPE @@ -1752,7 +1757,7 @@ outConnQuit OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of (SMTP or LMTP) TCP sessions to a MTA closed down by + "Number of (SMTP or LMTP) TCP sessions to an MTA closed down by sending a QUIT command." ::= { amavisStats 11 7 } @@ -1761,7 +1766,7 @@ outConnTransact OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of transactions to a MTA. The SMTP or LMTP protocol allows + "Number of transactions to an MTA. The SMTP or LMTP protocol allows transferring more than one mail message during the same session. Each MAIL FROM command begins a new SMTP or LMTP transaction." ::= { amavisStats 11 8 } @@ -1771,7 +1776,7 @@ outConnReuseFail OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Amavisd tries to reuse open SMTP or LMTP sessions to a MTA to send + "Amavisd tries to reuse open SMTP or LMTP sessions to an MTA to send additional mail messages without having to tear down and re-establish a session. Before attempting to reuse an open session which hasn't been used for some time, amavisd sends a NOOP command to test if @@ -1785,7 +1790,7 @@ outConnReuseRecent OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Amavisd tries to reuse open SMTP or LMTP sessions to a MTA to send + "Amavisd tries to reuse open SMTP or LMTP sessions to an MTA to send additional mail messages without having to tear down and re-establish a session. The outConnReuseRecent corresponds to the number of times an already open and recently used session could be reused." @@ -1796,7 +1801,7 @@ outConnReuseRefreshed OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Amavisd tries to reuse open SMTP or LMTP sessions to a MTA to send + "Amavisd tries to reuse open SMTP or LMTP sessions to an MTA to send additional mail messages without having to tear down and re-establish a session. Before attempting to reuse an open session which hasn't been used for some time, amavisd sends a NOOP command to test if @@ -2245,7 +2250,7 @@ procBusyTransfer OBJECT-TYPE STATUS current DESCRIPTION "Number of currently registered and busy amavisd child processes - transferring data from or to a MTA." + transferring data from or to an MTA." ::= { amavisProc 1 5 } procBusyDecode OBJECT-TYPE @@ -2492,7 +2497,7 @@ mtaQueueEntriesMaildrop OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of files under a MTA directory $queue_directory/maildrop." + "Number of files under an MTA directory $queue_directory/maildrop." ::= { amavisMta 1 1 } mtaQueueEntriesIncoming OBJECT-TYPE @@ -2500,7 +2505,7 @@ mtaQueueEntriesIncoming OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of files under a MTA directory $queue_directory/incoming" + "Number of files under an MTA directory $queue_directory/incoming" ::= { amavisMta 1 2 } mtaQueueEntriesActive OBJECT-TYPE @@ -2508,7 +2513,7 @@ mtaQueueEntriesActive OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of files under a MTA directory $queue_directory/active" + "Number of files under an MTA directory $queue_directory/active" ::= { amavisMta 1 3 } mtaQueueEntriesDeferred OBJECT-TYPE @@ -2516,7 +2521,7 @@ mtaQueueEntriesDeferred OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of files under a MTA directory $queue_directory/deferred" + "Number of files under an MTA directory $queue_directory/deferred" ::= { amavisMta 1 4 } END diff -pruN 1:2.6.4-4/debian/22-amavisd-new-postfix 1:2.6.5-0ubuntu3/debian/22-amavisd-new-postfix --- 1:2.6.4-4/debian/22-amavisd-new-postfix 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/22-amavisd-new-postfix 2011-08-24 17:50:20.000000000 +0000 @@ -0,0 +1,13 @@ +# Enable AntiVirus mode +@bypass_virus_checks_maps = ( + \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); + +# Enable AntiSpam mode +@bypass_spam_checks_maps = ( + \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); + +# Store Viruses in quarantine +$virus_quarantine_to = 'virus-quarantine'; + +# Enable Auto Whitelist +$sa_auto_whitelist = 1; diff -pruN 1:2.6.4-4/debian/amavisd-new-postfix.dirs 1:2.6.5-0ubuntu3/debian/amavisd-new-postfix.dirs --- 1:2.6.4-4/debian/amavisd-new-postfix.dirs 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/amavisd-new-postfix.dirs 2011-08-24 17:50:20.000000000 +0000 @@ -0,0 +1,3 @@ +var/backups +var/backups/amavisd-new-postfix +etc/amavis/conf.d diff -pruN 1:2.6.4-4/debian/amavisd-new-postfix.postinst 1:2.6.5-0ubuntu3/debian/amavisd-new-postfix.postinst --- 1:2.6.4-4/debian/amavisd-new-postfix.postinst 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/amavisd-new-postfix.postinst 2011-08-24 17:50:20.000000000 +0000 @@ -0,0 +1,93 @@ +#! /bin/sh +# postinst script for amavisd-new-postfix + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# post-installation script, and should be protected with a conditional +# so that unnecessary prompting doesn't happen if a package's +# installation fails and the `postinst' is called with `abort-upgrade', +# `abort-remove' or `abort-deconfigure'. + +POSTFIX_BCKFILE="/var/backups/amavisd-new-postfix/main.cf-backup" +POSTFIX_MASTER_BCKFILE="/var/backups/amavisd-new-postfix/master.cf-backup" + +set_postfix_option() { + opt="$1" + # Backup the existion value of the option + postconf $(echo ${opt} | cut -d= -f1) >> ${POSTFIX_BCKFILE} || true + # Set the new value of the option + postconf -e "${opt}" +} + +case "$1" in + configure) + if [ -f "/etc/postfix/main.cf" ]; then + if [ -z "$2" -o ! -e "$POSTFIX_BCKFILE" ]; then + if which postconf >/dev/null; then + # Setup postfix + set_postfix_option "content_filter = smtp-amavis:[localhost]:10024" + set_postfix_option "spf-policyd_time_limit = 3600s" + SMTPD_RECIP_RESTR=`postconf smtpd_recipient_restrictions` + set_postfix_option "$SMTPD_RECIP_RESTR, check_policy_service unix:private/policy-spf" + fi + cp /etc/postfix/master.cf $POSTFIX_MASTER_BCKFILE + postfix-add-policy policy-spf nobody /usr/bin/policyd-spf + postfix-add-filter smtp-amavis 10025 + fi + else + echo "" + echo "Postfix not configured. Run" + echo "sudo dpkg-reconfigure postfix and choose" + echo "the type of mail server. Then run" + echo "sudo dpkg-reconfigure amavisd-new-postfix to" + echo "finish amavisd-new-postfix installation." + echo "" + fi + if [ -x "/etc/init.d/postfix" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d postfix restart + else + /etc/init.d/postfix restart + fi + fi + if [ -x "/etc/init.d/amavis" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d amavis restart + else + /etc/init.d/amavis restart + fi + fi + + + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + diff -pruN 1:2.6.4-4/debian/amavisd-new-postfix.postrm 1:2.6.5-0ubuntu3/debian/amavisd-new-postfix.postrm --- 1:2.6.4-4/debian/amavisd-new-postfix.postrm 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/amavisd-new-postfix.postrm 2011-08-24 17:50:20.000000000 +0000 @@ -0,0 +1,20 @@ +#!/bin/sh +set -e + +POSTFIX_BCKFILE="/var/backups/amavisd-new-postfix/main.cf-backup" + +if [ "$1" = "remove" ]; then + if which postconf >/dev/null && [ -f "${POSTFIX_BCKFILE}" ]; then + while read line; do + postconf -e "$line" + done < "${POSTFIX_BCKFILE}" + rm -f "${POSTFIX_BCKFILE}" + fi + if [ -x "/etc/init.d/postfix" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d postfix reload + else + /etc/init.d/postfix reload + fi + fi +fi diff -pruN 1:2.6.4-4/debian/amavisd-new.postinst 1:2.6.5-0ubuntu3/debian/amavisd-new.postinst --- 1:2.6.4-4/debian/amavisd-new.postinst 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/amavisd-new.postinst 2011-08-24 17:50:20.000000000 +0000 @@ -138,7 +138,7 @@ case "$1" in # Work around dpkg not deleting removed conffiles # (template directories (with files) removed in 1:2.3.3-2) - if dpkg --compare-versions "1:2.3.3-2" gt-nl "$2" ; then + if dpkg --compare-versions "1:2.3.3-2" gt-nl "$1" ; then for i in pt_BR fr it_IT de_DE ; do if [ -e "/etc/amavis/$i" ] ; then echo "Moving outdated l10n template to /etc/amavis/${i}.outdated_for_2.3.3-2" >&2 diff -pruN 1:2.6.4-4/debian/changelog 1:2.6.5-0ubuntu3/debian/changelog --- 1:2.6.4-4/debian/changelog 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/changelog 2011-08-24 17:50:20.000000000 +0000 @@ -1,15 +1,35 @@ -amavisd-new (1:2.6.4-4) unstable; urgency=low +amavisd-new (1:2.6.5-0ubuntu3) oneiric; urgency=low - [ Alexander Wirt ] - * Fix ESET CLI virus scanner definition. - Thanks to Thomas Liske (Closes: #622848) - * Really apply 90_do_not_send_dsn_if_D_REJECT.dpatch (Closes: #607746) - * Fix dpkg --compare-versions in amavisd-new.postinst (Closes: #629457) - * Do not mention nagios in README.source (Closes: #607745) - * Add danish debconf translation. - Thanks to Joe Dalton (Closes: #597761) + * debian/patches/00patch-opts: "-U" option to patch is obsolete, replaced + with --reject-format=unified. - -- Alexander Wirt Tue, 07 Jun 2011 21:05:26 +0200 + -- Steve Langasek Tue, 16 Aug 2011 23:24:31 -0700 + +amavisd-new (1:2.6.5-0ubuntu2) natty; urgency=low + + * Fix amavisd-new-postfix to be arch all since it has no arch specific + content + + -- Scott Kitterman Thu, 07 Apr 2011 18:46:45 -0400 + +amavisd-new (1:2.6.5-0ubuntu1) natty; urgency=low + + * New upstream bugfix release + - Update 65_fixtldcheck.dpatch to match upstream changes + - Remove 90_do_not_send_dsn_if_D_REJECT.dpatch, was cherrypicked, included + upstream + * Merge from Debian unstable. Remaining Ubuntu changes: + - amavisd-new-postfix configuration for anti-spam/virus + - Add and enable hardened build for PIE + - Add information in README.Debian about Ubuntu specific changes + - Ubuntu configuration changes in 21-ubuntu_defaults + - Reduce email responses for virus/blocked mail so as not to be a + backscatter source by default + - Enable DKIM checking by default + - Include policy-bank of known good domains for DKIM whitelisting + in 40-policy_banks + + -- Scott Kitterman Thu, 07 Apr 2011 16:23:22 -0400 amavisd-new (1:2.6.4-3) unstable; urgency=low @@ -38,6 +58,59 @@ amavisd-new (1:2.6.4-2) unstable; urgenc -- Alexander Wirt Tue, 26 Jan 2010 11:31:00 +0100 +amavisd-new (1:2.6.4-1ubuntu6) maverick; urgency=low + + * Initial amavisd-new-postfix configuration: + - AntiSpam: Amavis, Spamassassin, SPF + - AntiVirus: Amavis, ClamAV + + -- Ante Karamatic Mon, 02 Aug 2010 21:24:32 +0200 + +amavisd-new (1:2.6.4-1ubuntu5) lucid; urgency=low + + * debian/amavisd-new.cron.daily: Fail gracefully if package has been removed + (LP: #428814) + + -- Thierry Carrez Mon, 29 Mar 2010 12:05:32 +0200 + +amavisd-new (1:2.6.4-1ubuntu4) lucid; urgency=low + + * rebuild rest of main for armel armv7/thumb2 optimization; + UbuntuSpec:mobile-lucid-arm-gcc-v7-thumb2 + + -- Alexander Sack Fri, 05 Mar 2010 03:09:16 +0100 + +amavisd-new (1:2.6.4-1ubuntu3) karmic; urgency=low + + * debian/{control,rules}: add and enable hardened build for PIE + (Debian bug 542722). + + -- Kees Cook Thu, 20 Aug 2009 17:23:07 -0700 + +amavisd-new (1:2.6.4-1ubuntu2) karmic; urgency=low + + * Add libcompress-raw-zlib-perl (> 2.020) to Recommends so zip files can be + extracted + + -- Scott Kitterman Thu, 09 Jul 2009 09:39:44 -0400 + +amavisd-new (1:2.6.4-1ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - Add information in README.Debian about Ubuntu specific changes + - Ubuntu configuration changes in 21-ubuntu_defaults + - Reduce email responses for virus/blocked mail so as not to be a + backscatter source by default + - Enable DKIM checking by default + - Include policy-bank of known good domains for DKIM whitelisting + in 40-policy_banks + - Bump required version of libconvert-uulib-perl to (>= 1.0.8) + - Version depends on libmail-dkim-perl to (>= 0.31) and do not also + suggest it + - Retain depends on libcompress-zlib-perl for backports + + -- Scott Kitterman Thu, 09 Jul 2009 01:29:14 -0400 + amavisd-new (1:2.6.4-1) unstable; urgency=low * New upstream release @@ -55,6 +128,22 @@ amavisd-new (1:2.6.4-1) unstable; urgenc -- Alexander Wirt Fri, 03 Jul 2009 15:50:52 +0200 +amavisd-new (1:2.6.3-3ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: LP: #379979 + - Add information in README.Debian about Ubuntu specific changes + - Ubuntu configuration changes in 21-ubuntu_defaults + - Reduce email responses for virus/blocked mail so as not to be a + backscatter source by default + - Enable DKIM checking by default + - libmail-dkim-perl (>= 0.31) recommends instead of suggests + - Include policy-bank of known good domains for DKIM whitelisting + in 40-policy_banks + - Add missing ; to default hostname option in debian/etc/conf.d/05-node_id + - Bump required version of libconvert-uulib-perl to (>= 1.0.8) + + -- Bhavani Shankar Mon, 25 May 2009 19:01:04 +0530 + amavisd-new (1:2.6.3-3) unstable; urgency=low * Fix socketpath for clamav in 15-avscanners @@ -70,6 +159,22 @@ amavisd-new (1:2.6.3-2) unstable; urgenc -- Alexander Wirt Sat, 23 May 2009 11:34:09 +0200 +amavisd-new (1:2.6.3-1ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - Add information in README.Debian about Ubuntu specific changes + - Ubuntu configuration changes in 21-ubuntu_defaults + - Reduce email responses for virus/blocked mail so as not to be a + backscatter source by default + - Enable DKIM checking by default + - libmail-dkim-perl (>= 0.31) recommends instead of suggests + - Include policy-bank of known good domains for DKIM whitelisting + in 40-policy_banks + - Add missing ; to default hostname option in debian/etc/conf.d/05-node_id + - Bump required version of libconvert-uulib-perl to (>= 1.0.8) + + -- Scott Kitterman Fri, 01 May 2009 01:17:03 -0400 + amavisd-new (1:2.6.3-1) unstable; urgency=low * New upstream version (Closes: #525375) @@ -82,6 +187,31 @@ amavisd-new (1:2.6.3-1) unstable; urgenc -- Alexander Wirt Fri, 24 Apr 2009 09:40:23 +0200 +amavisd-new (1:2.6.2-2ubuntu2) jaunty; urgency=low + + * fix default config to not send bounce mail to sender for + banned filenames in mail (LP: #360689) + - debian/etc/conf.d/21-ubuntu_defaults + + -- Imre Gergely Mon, 13 Apr 2009 23:02:24 +0300 + +amavisd-new (1:2.6.2-2ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - Add information in README.Debian about Ubuntu specific changes + - Ubuntu configuration changes in 21-ubuntu_defaults + - Reduce email responses for virus/blocked mail so as not to be a + backscatter source by default + - Enable DKIM checking by default + - libmail-dkim-perl (>= 0.31) recommends instead of suggests + - Include policy-bank of known good domains for DKIM whitelisting + in 40-policy_banks + - Add missing ; to default hostname option in debian/etc/conf.d/05-node_id + - Add ${misc:Depends} for amavisd-new and amavisd-new-milter + - Bump required version of libconvert-uulib-perl to (>= 1.0.8) + + -- Scott Kitterman Tue, 10 Mar 2009 10:30:03 -0400 + amavisd-new (1:2.6.2-2) unstable; urgency=medium * Update antivirusscanner definitions. This is security relevant since @@ -113,6 +243,43 @@ amavisd-new (1:2.6.2-1) unstable; urgenc -- Alexander Wirt Mon, 02 Mar 2009 22:20:39 +0100 +amavisd-new (1:2.6.2-0ubuntu1) jaunty; urgency=low + + * New upstream release + - Tarball no longer needs to be repackaged because non-free IETF RFC has + been removed by upstream + * Add ${misc:Depends} for amavisd-new and amavisd-new-milter + + -- Scott Kitterman Mon, 15 Dec 2008 10:21:14 -0500 + +amavisd-new (1:2.6.2~rc2.dfsg-0ubuntu1) jaunty; urgency=low + + * New upstream RC release + - Bump required version of libconvert-uulib-perl to (>= 1.0.8~) + * Drop $warnbannedsender and $warnbadhsender from Ubuntu specific config + - They are unset by default and should be left that way to keep the + default configuration from being a backscatter source + + -- Scott Kitterman Sat, 06 Dec 2008 00:55:44 -0500 + +amavisd-new (1:2.6.1.dfsg-2ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - Add information in README.Debian about Ubuntu specific changes + - libmail-dkim-perl (>= 0.31) recommends instead of suggests and + enable DKIM checking by default + - Include policy-bank of known good domains for DKIM whitelisting + in 40-policy_banks + - Add unrar-free to 01-debian config so it will be used if intstalled and + also add it as an alternate suggests to unrar + - Updated logcheck/ignore.d.server/amavisd-new + * Consolidate Ubuntu configuration changes in 21-ubuntu_defaults + - Reduce email responses for virus/blocked mail so as not to be a + backscatter source by default + * Add missing ; to default hostname option in debian/etc/conf.d/05-node_id + + -- Scott Kitterman Fri, 10 Oct 2008 23:58:30 -0400 + amavisd-new (1:2.6.1.dfsg-2) unstable; urgency=low [ Christian Perrier ] @@ -123,6 +290,29 @@ amavisd-new (1:2.6.1.dfsg-2) unstable; u -- Alexander Wirt Sat, 27 Sep 2008 09:27:55 +0200 +amavisd-new (1:2.6.1.dfsg-1ubuntu2) intrepid; urgency=low + + * Fix all the comments in debian/etc/conf.d/40-policy_banks so they + are actually comments (LP: #255251) + * Add information in README.Debian about Ubuntu specific changes + + -- Scott Kitterman Wed, 06 Aug 2008 22:39:06 -0400 + +amavisd-new (1:2.6.1.dfsg-1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - libmail-dkim-perl (>= 0.31) recommends instead of suggests and + enable DKIM checking by default + - Include policy-bank of known good domains for DKIM whitelisting + in 40-policy_banks instead of 20-debian_defaults (previous Ubuntu + location) to minimize user prompts during upgrades + - Add unrar-free to 01-debian config so it will be used if intstalled and + also add it as an alternate suggests to unrar + - Updated logcheck/ignore.d.server/amavisd-new + * Other Ubuntu changes incorporated by Debian + + -- Scott Kitterman Fri, 01 Aug 2008 22:34:17 -0400 + amavisd-new (1:2.6.1.dfsg-1) unstable; urgency=low * New upstream release @@ -133,6 +323,32 @@ amavisd-new (1:2.6.1.dfsg-1) unstable; u -- Alexander Wirt Thu, 24 Jul 2008 20:56:32 +0200 +amavisd-new (1:2.6.0.dfsg-2ubuntu1) intrepid; urgency=low + + * Merge from Debian unstable. Remaining Ubuntu changes: + - Updated logcheck/ignore.d.server/amavisd-new (LP: #188754) + - Add libmail-dkim-perl (>= 0.31) to recommends for new DKIM based + whitelisting + - Added 81_fqdn-warning.dpatch so that correct config file path for + Debian/Ubuntu is displayed if it needs to be set manually + - Renumbered from 71 to put it after the new Debian patch + - Added patch description + - Add commented out $myhostname definition to debian/etc/conf.d05-node_id + so that it will be easier for people who don't know Perl syntax to set + - Updated debian/patches/40_fix_paths.dpatch to use the new path + (/var/lib) for amavis-release + - Modify Maintainer value to match the DebianMaintainerField + specification. + * Drop previous Ubuntu changes in debian/control and debian/rules to remove + amavisd-new-milter package for transition to Main + - No longer needed now that libmilter is in Main + * Added unrar-free to 01-debian config so it will be used if intstalled + (Closes: #442010) + * Enable DKIM verification by default along with policy-bank whitelist + of good domains recommended in upstream documentation + + -- Scott Kitterman Thu, 03 Jul 2008 01:56:39 -0400 + amavisd-new (1:2.6.0.dfsg-2) unstable; urgency=low * Remove rfc4871 from upstream tarball (Closes: #484881) @@ -141,6 +357,27 @@ amavisd-new (1:2.6.0.dfsg-2) unstable; u -- Alexander Wirt Wed, 02 Jul 2008 22:30:43 +0200 +amavisd-new (1:2.6.0-1ubuntu1) intrepid; urgency=low + + * Merge from Debian unstable. Remaining Ubuntu changes: + - Updated logcheck/ignore.d.server/amavisd-new (LP: #188754) + - Add libmail-dkim-perl (>= 0.31) to recommends for new DKIM based + whitelisting + - Added 81_fqdn-warning.dpatch so that correct config file path for + Debian/Ubuntu is displayed if it needs to be set manually + - Renumbered from 71 to put it after the new Debian patch + - Added patch description + - Add commented out $myhostname definition to debian/etc/conf.d05-node_id + so that it will be easier for people who don't know Perl syntax to set + - Updated debian/patches/40_fix_paths.dpatch to use the new path + (/var/lib) for amavis-release + - Remove amavisd-new-milter package for transition to Main + - Remove libmilter-dev from build-dep + - Comment out debian/rules related to amavisd-new-milter + - Change maintainer to Ubuntu Core Developers + + -- Scott Kitterman Wed, 11 Jun 2008 21:07:08 -0400 + amavisd-new (1:2.6.0-1) unstable; urgency=low * New upstream version @@ -154,6 +391,34 @@ amavisd-new (1:2.6.0-1) unstable; urgenc -- Alexander Wirt Tue, 20 May 2008 18:57:16 +0200 +amavisd-new (1:2.5.3-1ubuntu3) hardy; urgency=low + + * Update debian/patches/40_fix_paths.dpatch to use the new path (/var/lib) + for amavis-release (LP: #199124) + + -- Scott Kitterman Tue, 11 Mar 2008 00:13:51 -0400 + +amavisd-new (1:2.5.3-1ubuntu2) hardy; urgency=low + + * Remove amavisd-new-milter package for transition to Main + * Remove libmilter-dev from build-dep + * Comment out debian/rules related to amavisd-new-milter + * Change maintainer to Ubuntu Core Developers + + -- Scott Kitterman Fri, 08 Feb 2008 07:41:52 -0500 + +amavisd-new (1:2.5.3-1ubuntu1) hardy; urgency=low + + + * Merge from debian unstable, remaining changes: + - Added 71_fqdn-warning.dpatch so that correct config file path for + Debian/Ubuntu is displayed if it needs to be set manually. + - Add commented out $myhostname definition to debian/etc/conf.d05-node_id + so that it will be easier for people who don't know Perl syntax to set + - Change maintainer to MOTU + + -- Scott Kitterman Tue, 15 Jan 2008 14:14:32 -0500 + amavisd-new (1:2.5.3-1) unstable; urgency=low * Enable quarantine hashing (Closes: #447240) @@ -163,6 +428,16 @@ amavisd-new (1:2.5.3-1) unstable; urgenc -- Alexander Wirt Thu, 20 Dec 2007 13:54:21 +0100 +amavisd-new (1:2.5.2-2ubuntu1) hardy; urgency=low + + * Merge from Debian Unstable. Remaining Ubuntu changes: + - Freshend and renumbered 71_fqdn-warning.dpatch + - Add commented out $myhostname definition to debian/etc/conf.d05-node_id + so that it will be easier for people who don't know Perl syntax to set + - Change maintainer to MOTU + + -- Scott Kitterman Sun, 04 Nov 2007 01:18:46 -0400 + amavisd-new (1:2.5.2-2) unstable; urgency=low * Make milter tempdir group writeable (Closes: #442372) @@ -230,6 +505,22 @@ amavisd-new (1:2.4.3-1) unstable; urgenc -- Henrique de Moraes Holschuh Sat, 4 Nov 2006 01:40:27 -0300 +amavisd-new (1:2.4.2-6.2ubuntu1) gutsy; urgency=low + + * Add dpatch to debian/rules, add build-dep on dpatch, add debian/patches, + and add debian/patches/00list + * Add 01fqdn-warning.dpatch so that correct config file path for Debian/ + Ubuntu is displayed if it needs to be set manually. + * Change default MTA to Postfix in debian/control + * Add commented out $myhostname definition to debian/etc/conf.d05-node_id + so that it will be easier for people who don't know Perl syntax to set + * Change maintainer to MOTU + * Add debian/compat and bump to 5, adjust debhelper version in build-dep + * Add [ ! -f Makefile ] || to clean in debian/rules to avoid trapping all + errors. + + -- Scott Kitterman Thu, 04 Oct 2007 14:57:45 -0400 + amavisd-new (1:2.4.2-1.1) unstable; urgency=medium * Non-maintainer upload. diff -pruN 1:2.6.4-4/debian/control 1:2.6.5-0ubuntu3/debian/control --- 1:2.6.4-4/debian/control 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/control 2011-08-24 17:50:20.000000000 +0000 @@ -1,9 +1,10 @@ Source: amavisd-new Section: mail Priority: extra -Maintainer: Brian May +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Brian May Uploaders: Henrique de Moraes Holschuh , Alexander Wirt -Build-Depends: debhelper (>= 5), po-debconf, dpatch (>= 2), patch (>= 2.5.9-3bpo1), dpkg-dev (>= 1.13.19) +Build-Depends: debhelper (>= 5), po-debconf, dpatch (>= 2), patch (>= 2.5.9-3bpo1), dpkg-dev (>= 1.13.19), autoconf2.13, hardening-wrapper Standards-Version: 3.8.3 Package: amavisd-new @@ -26,3 +27,22 @@ Description: Interface between MTA and v filter mode than using the AMaViS pipe client. It supports sendmail milter through the amavisd-new-milter package. +Package: amavisd-new-postfix +Architecture: all +Depends: ${shlibs:Depends}, amavisd-new (= ${source:Version}), ${misc:Depends}, postfix, postfix-policyd-spf-python, spamassassin +Recommends: clamav-daemon, clamav-freshclam, zoo, unzip, unarj, bzip2 +Description: part of Ubuntu mail stack provided by Ubuntu server team + AMaViSd-new is a script that interfaces a mail transport agent (MTA) with + zero or more virus scanners, and spamassassin (optional). + . + It supports all common virus scanners (more than 20 different AVs), with + direct talk-to-daemon support for ClamAV, OpenAntiVirus, Trophie, AVG, + f-prot, and Sophos AVs. + . + AMaViSd-new supports all MTAs through its generic SMTP/LMTP filter mode + (ideal for postfix and exim). It is faster and safer to use the SMTP/LMTP + filter mode than using the AMaViS pipe client. It supports sendmail milter + through this package. + . + This package contains configuration files for amavis and alters postfix + configuration to utilize amavisd-new. diff -pruN 1:2.6.4-4/debian/copyright 1:2.6.5-0ubuntu3/debian/copyright --- 1:2.6.4-4/debian/copyright 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/copyright 2011-08-24 17:50:20.000000000 +0000 @@ -1,6 +1,6 @@ $Id: copyright 740 2005-12-26 16:59:50Z hmh $ -This package was debianized by Brian May on +This package was debianized by Brian May on Fri, 8 Mar 2002 15:31:24 +1100. The Debian packaging of amavisd-new is: diff -pruN 1:2.6.4-4/debian/etc/conf.d/15-av_scanners 1:2.6.5-0ubuntu3/debian/etc/conf.d/15-av_scanners --- 1:2.6.4-4/debian/etc/conf.d/15-av_scanners 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/etc/conf.d/15-av_scanners 2011-08-24 17:50:20.000000000 +0000 @@ -231,7 +231,7 @@ use strict; ### http://www.eset.com/, version 3.0 ['ESET Software ESETS Command Line Interface', ['/usr/bin/esets_cli', 'esets_cli'], - '--subdir {}', [0], [2,3], + '--subdir {}', [0], [1,2,3], qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ], ## http://www.nod32.com/, NOD32LFS version 2.5 and above diff -pruN 1:2.6.4-4/debian/etc/conf.d/21-ubuntu_defaults 1:2.6.5-0ubuntu3/debian/etc/conf.d/21-ubuntu_defaults --- 1:2.6.4-4/debian/etc/conf.d/21-ubuntu_defaults 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/etc/conf.d/21-ubuntu_defaults 2011-08-24 17:50:20.000000000 +0000 @@ -0,0 +1,19 @@ +use strict; + +# +# These are Ubuntu specific defaults for amavisd-new configuration +# +# DOMAIN KEYS IDENTIFIED MAIL (DKIM) +$enable_dkim_verification = 1; +# Don't be verbose about sending mail: +@whitelist_sender_acl = qw( .$mydomain ); +$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE) +$final_banned_destiny = D_DISCARD; # (defaults to D_BOUNCE) +$final_spam_destiny = D_DISCARD; # (defaults to D_REJECT) +$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested + +$virus_admin = undef; +$spam_admin = undef; + +#------------ Do not modify anything below this line ------------- +1; # insure a defined return diff -pruN 1:2.6.4-4/debian/etc/conf.d/40-policy_banks 1:2.6.5-0ubuntu3/debian/etc/conf.d/40-policy_banks --- 1:2.6.4-4/debian/etc/conf.d/40-policy_banks 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/etc/conf.d/40-policy_banks 2011-08-24 17:50:20.000000000 +0000 @@ -0,0 +1,33 @@ +# DKIM signing domain whitelist. The domain to use is the domain after +# d= in the DKIM header. + +@author_to_policy_bank_maps = ( { + # 'friends.example.net' => 'WHITELIST,NOBANNEDCHECK', + # 'user1@cust.example.net' => 'WHITELIST,NOBANNEDCHECK', + '.ebay.com' => 'WHITELIST', + '.ebay.co.uk' => 'WHITELIST', + 'ebay.at' => 'WHITELIST', + 'ebay.ca' => 'WHITELIST', + 'ebay.de' => 'WHITELIST', + 'ebay.fr' => 'WHITELIST', + '.paypal.co.uk' => 'WHITELIST', + '.paypal.com' => 'WHITELIST', # author signatures + './@paypal.com' => 'WHITELIST', # 3rd-party sign. by paypal.com + 'alert.bankofamerica.com' => 'WHITELIST', + 'amazon.com' => 'WHITELIST', + 'cisco.com' => 'WHITELIST', + '.cnn.com' => 'WHITELIST', + 'skype.net' => 'WHITELIST', + 'welcome.skype.com' => 'WHITELIST', + 'cc.yahoo-inc.com' => 'WHITELIST', + 'cc.yahoo-inc.com/@yahoo-inc.com' => 'WHITELIST', + # 'google.com' => 'MILD_WHITELIST', + # 'googlemail.com' => 'MILD_WHITELIST', + # './@googlegroups.com' => 'MILD_WHITELIST', + # './@yahoogroups.com' => 'MILD_WHITELIST', + # './@yahoogroups.co.uk' => 'MILD_WHITELIST', + # './@yahoogroupes.fr' => 'MILD_WHITELIST', + # 'yousendit.com' => 'MILD_WHITELIST', + # 'meetup.com' => 'MILD_WHITELIST', + # 'dailyhoroscope@astrology.com' => 'MILD_WHITELIST', + } ); diff -pruN 1:2.6.4-4/debian/patches/00list 1:2.6.5-0ubuntu3/debian/patches/00list --- 1:2.6.4-4/debian/patches/00list 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/patches/00list 2011-08-24 17:50:20.000000000 +0000 @@ -8,4 +8,3 @@ 65_fixtldcheck.dpatch 70_fix_milter_permissions.dpatch 85-clarify_fqdn_error.dpatch -90_do_not_send_dsn_if_D_REJECT.dpatch diff -pruN 1:2.6.4-4/debian/patches/00patch-opts 1:2.6.5-0ubuntu3/debian/patches/00patch-opts --- 1:2.6.4-4/debian/patches/00patch-opts 1970-01-01 00:00:00.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/patches/00patch-opts 2011-08-24 17:50:20.000000000 +0000 @@ -0,0 +1 @@ +patch_opts="-g0 -f --no-backup-if-mismatch -F0 --reject-format=unified ${workdir:+-d ${workdir}}" diff -pruN 1:2.6.4-4/debian/patches/65_fixtldcheck.dpatch 1:2.6.5-0ubuntu3/debian/patches/65_fixtldcheck.dpatch --- 1:2.6.4-4/debian/patches/65_fixtldcheck.dpatch 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/patches/65_fixtldcheck.dpatch 2011-08-24 17:50:20.000000000 +0000 @@ -5,14 +5,14 @@ ## DP: Accept hostnames according to rfc2181 @DPATCH@ -diff -urNad pkg-amavisd~/amavisd pkg-amavisd/amavisd ---- pkg-amavisd~/amavisd 2008-06-29 02:37:58.000000000 +0200 -+++ pkg-amavisd/amavisd 2008-07-24 20:34:28.000000000 +0200 -@@ -12957,7 +12957,7 @@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' amavisd-new-2.6.5~/amavisd amavisd-new-2.6.5/amavisd +--- amavisd-new-2.6.5~/amavisd 2011-04-07 16:39:47.077795817 -0400 ++++ amavisd-new-2.6.5/amavisd 2011-04-07 16:42:11.173795825 -0400 +@@ -14152,7 +14152,7 @@ do_log(0, "Perl version %s", $]); # insist on a FQDN in $myhostname my($myhn) = c('myhostname'); --$myhn =~ /[^.]\.[a-zA-Z0-9]+\z/s || lc($myhn) eq 'localhost' +-$myhn =~ /[^.]\.[a-zA-Z0-9-]+\z/s || lc($myhn) eq 'localhost' +$myhn =~ /[^.]\..+\z/s || lc($myhn) eq 'localhost' or die <<"EOD"; The value of variable \$myhostname is \"$myhn\", but should have been diff -pruN 1:2.6.4-4/debian/patches/90_do_not_send_dsn_if_D_REJECT.dpatch 1:2.6.5-0ubuntu3/debian/patches/90_do_not_send_dsn_if_D_REJECT.dpatch --- 1:2.6.4-4/debian/patches/90_do_not_send_dsn_if_D_REJECT.dpatch 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/patches/90_do_not_send_dsn_if_D_REJECT.dpatch 1970-01-01 00:00:00.000000000 +0000 @@ -1,78 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 90_do_not_send_dsn_if_D_REJECT.dpatch by Alexander Wirt -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: ported from trunk (http://marc.info/?l=amavis-user&m=124725226106875&w=2) - -@DPATCH@ -diff -urNad pkg-amavisd-new~/amavisd pkg-amavisd-new/amavisd ---- pkg-amavisd-new~/amavisd 2009-02-26 20:39:17.000000000 +0100 -+++ pkg-amavisd-new/amavisd 2009-07-11 20:07:27.000000000 +0200 -@@ -1425,6 +1425,7 @@ - CC_BANNED, sub { c('final_banned_destiny') }, - CC_SPAM, sub { c('final_spam_destiny') }, - CC_BADH, sub { c('final_bad_header_destiny') }, -+ CC_MTA.',2', D_REJECT, - CC_OVERSIZED, D_BOUNCE, - CC_CATCHALL, D_PASS, - ); -@@ -11021,6 +11022,32 @@ - $r->blocking_ccat($blocking_ccat) if !defined($r->blocking_ccat); - $msginfo->blocking_ccat($blocking_ccat) - if !defined($msginfo->blocking_ccat); -+ my($final_destiny) = -+ $r->setting_by_contents_category(cr('final_destiny_by_ccat')); -+ if ($final_destiny == D_PASS) { -+ $final_destiny = D_REJECT; # impossible to pass, change to reject -+ } -+ local($1,$2); -+ $r->recip_destiny($final_destiny); -+ if ($final_destiny == D_DISCARD && $smtp_resp =~ /^5/) { -+ $smtp_resp =~ s{^5(\d\d) 5(\.\d\.\d)}{250 2$2}; # 5xx -> 250 -+ } -+ my($smtp_reason) = # get the custom smtp response reason text -+ $r->setting_by_contents_category(cr('smtp_reason_by_ccat')); -+ $smtp_reason = '' if !defined $smtp_reason; -+ if ($smtp_reason ne '') { -+ my(%mybuiltins) = %builtins; # make a local copy -+ $smtp_reason = expand(\$smtp_reason, \%mybuiltins); -+ $smtp_reason = !ref($smtp_reason) ? '' : $$smtp_reason; -+ chomp($smtp_reason); $smtp_reason = sanitize_str($smtp_reason,1); -+ $smtp_reason = substr($smtp_reason,0,100) . "..." -+ if length($smtp_reason) > 100+3; -+ } -+ $smtp_resp =~ /^(\d\d\d(?: \d\.\d\.\d)?)\s*(.*)\z/; -+ my($dis) = $final_destiny == D_DISCARD ? ' Discarded' : ''; -+ $r->recip_smtp_response("$1$dis $smtp_reason, $2"); -+ $r->recip_done(1); # fake a delivery (confirm delivery to a bit bucket) -+ # note that 5xx status rejects may later be converted to bounces - } - $msginfo->header_edits($hdr_edits); # restore original edits just in case - $elapsed{'TimeElapsedForwarding'} = Time::HiRes::time - $t0_sect; -@@ -17270,23 +17297,21 @@ - # - sub enhance_smtp_response($$$$$) { - my($smtp_resp,$am_id,$mta_id,$dflt_enhcode,$cmd_name) = @_; -- local($1,$2,$3); my($resp_shortmsg,$resp_msg); -+ local($1,$2,$3); my($resp_msg); - my($resp_code,$resp_enhcode) = ('451', '4.5.0'); - if (!defined($smtp_resp) || $smtp_resp eq '') { -- $resp_shortmsg = 'No resp. to '.$cmd_name; -+ $smtp_resp = sprintf('No resp. to %s', $cmd_name); - } elsif ($smtp_resp !~ /^[245]\d{2}/) { -- $resp_shortmsg = 'Bad resp. to '.$cmd_name; -+ $smtp_resp = sprintf('Bad resp. to %s: %s', $cmd_name,$smtp_resp); - } elsif ($smtp_resp =~ /^ (\d{3}) [ \t]+ ([245] \. \d{1,3} \. \d{1,3})? - \s* (.*) \z/xs) { - ($resp_code, $resp_enhcode, $resp_msg) = ($1, $2, $3); - my($c) = substr($resp_code,0,1); - if ($resp_enhcode eq '' && $resp_code =~ /^[245]/) - { $resp_enhcode = $dflt_enhcode; $resp_enhcode =~ s/^\d*/$c/ } -- $resp_shortmsg = $c eq '2' ? 'Ok' : $c eq '4' ? 'TempFailed' : 'Failed'; - } -- sprintf("%s %s %s, id=%s, from MTA(%s): %s", -- $resp_code, $resp_enhcode, $resp_shortmsg, -- $am_id, $mta_id, $smtp_resp); -+ sprintf("%s %s from MTA(%s): %s", -+ $resp_code, $resp_enhcode, $mta_id, $smtp_resp); - } diff -pruN 1:2.6.4-4/debian/po/da.po 1:2.6.5-0ubuntu3/debian/po/da.po --- 1:2.6.4-4/debian/po/da.po 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/po/da.po 1970-01-01 00:00:00.000000000 +0000 @@ -1,87 +0,0 @@ -# Danish translation amavisd-new. -# Copyright (C) 2010 amavisd-new & nedenstÃ¥ende oversættere. -# This file is distributed under the same license as the amavisd-new package. -# Joe Hansen , 2010. -# -msgid "" -msgstr "" -"Project-Id-Version: amavisd-new\n" -"Report-Msgid-Bugs-To: bam@debian.org\n" -"POT-Creation-Date: 2006-08-10 11:09-0300\n" -"PO-Revision-Date: 2010-09-22 17:30+01:00\n" -"Last-Translator: Joe Hansen \n" -"Language-Team: Danish \n" -"Language: \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: note -#. Description -#: ../amavisd-new.templates:1001 -msgid "Incompatible configuration file layout detected" -msgstr "Inkompatibel layout for konfigurationsfil detekteret" - -#. Type: note -#. Description -#: ../amavisd-new.templates:1001 -msgid "" -"The Debian packages have changed the way they handle configuration files for " -"amavisd-new to a better system, which uses multiple files instead of a " -"single, monolithic file." -msgstr "" -"Debianpakkerne har ændret den mÃ¥de de hÃ¥ndterer konfigurationsfiler for " -"amavisd-new til et bedre system, som bruger flere filer i steden for en " -"enkel, monolitisk fil." - -#. Type: note -#. Description -#: ../amavisd-new.templates:1001 -msgid "" -"The old amavisd-new configuration files that are still present in your " -"system (named either /etc/amavisd.conf or /etc/amavis/amavisd.conf) are " -"incompatible with this new config file layout." -msgstr "" -"De gamle konfigurationsfiler til amavisd-new, som stadig er til stede i dit " -"system (navngivet enten /etc/amavisd.conf eller /etc/amavis/amavisd.conf), " -"er inkompatible med dette nye layout for konfigurationsfilen." - -#. Type: note -#. Description -#: ../amavisd-new.templates:1001 -msgid "" -"You should read /usr/share/doc/amavisd-new/README.Debian to understand the " -"new configuration layout, and after that you should port your configuration " -"to the new layout." -msgstr "" -"Du bør læse /usr/share/doc/amavisd-new/README.Debian for at forstÃ¥ det nye " -"konfigurationslayout, og derefter bør du omdanne din konfiguration til det " -"nye layout." - -#. Type: note -#. Description -#: ../amavisd-new.templates:1001 -msgid "" -"For your safety, the old configuration files in your system have been " -"disabled, and a \".disabled\" postfix was added to their file names. The " -"amavisd-new service will refuse to start until you remove (or rename) these " -"\".disabled\" files." -msgstr "" -"For en sikkerheds skyld er de gamle konfigurationsfiler i dit system blevet " -"deaktiveret, og et præfiks ».disabled« er blevet tilføjet deres filnavne. " -"Tjenesten amavisd-new vil nægte at starte indtil du fjerner (eller omdøber) " -"disse ».disabled-filer«." - -#. Type: note -#. Description -#: ../amavisd-new.templates:1001 -msgid "" -"This safety is in place to avoid starting an unconfigured amavisd-new in " -"place of your previously configured one. Do not remove the \".disabled\" " -"files until you have read the /usr/share/doc/amavisd-new/README.Debian file " -"and ported your old configuration to the new layout." -msgstr "" -"Denne sikkerhed er indført for at undgÃ¥ start af en amavisd-new, som ikke er " -"konfigureret fremfor din tidligere konfigurerede. Fjern ikke filerne »." -"disabled« før du har læst filen /usr/share/doc/amavisd-new/README.Debian og " -"omdannet din gamle konfiguration til det nye layout." diff -pruN 1:2.6.4-4/debian/README.Debian 1:2.6.5-0ubuntu3/debian/README.Debian --- 1:2.6.4-4/debian/README.Debian 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/README.Debian 2011-08-24 17:50:20.000000000 +0000 @@ -24,6 +24,8 @@ Read-write conffiles: /etc/amavis/conf.d 15-av_scanners: AV scanner interface configuration 15-content_filter_mode: Use this to re-enable spamassassin/av checks 20-debian_defaults: Commonly modified settings + 21-ubuntu_defaults: Additional Ubuntu specific changes + 40-policy_banks: DKIM whitelist 50-user: Place your overrides here, if you want If the package detects legacy config files, it renames them adding a @@ -97,3 +99,18 @@ or -- Your amavisd-new maintainers (and contributors) + +Ubuntu Changes +-------------- + +The Ubuntu variant of this package is generally very similar to the standard +Debian package. The major difference is that we enable DKIM verification by +default and provide an additional config file, 40-policy_banks, to for easy +DKIM based whitelisting. Domains recommended by upstream are whitelisted by +default. You can over-ride DKIM verification in 50-user if you don't want it. + +At any given moment there may be bug fixes applied in the Ubuntu package, but +not yet in Debian. It is the goal of Ubuntu to feed these back to Debian. + + + -- Scott Kitterman diff -pruN 1:2.6.4-4/debian/README.source 1:2.6.5-0ubuntu3/debian/README.source --- 1:2.6.4-4/debian/README.source 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/README.source 2011-08-24 17:50:20.000000000 +0000 @@ -1,3 +1,3 @@ -We use dpatch for patch handling inside our amavisd-new packages. Please see +We use dpatch for patch handling inside our nagios packages. Please see /usr/share/doc/dpatch/README.source.gz (if you have installed dpatch) for documentation about dpatch. diff -pruN 1:2.6.4-4/debian/rules 1:2.6.5-0ubuntu3/debian/rules --- 1:2.6.4-4/debian/rules 2011-08-24 17:50:20.000000000 +0000 +++ 1:2.6.5-0ubuntu3/debian/rules 2011-08-24 17:50:20.000000000 +0000 @@ -6,6 +6,7 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 +export DEB_BUILD_HARDENING=1 export DH_ALWAYS_EXCLUDE=CVS @@ -100,7 +101,6 @@ install: build dh_movefiles - # Build architecture-independent files here. binary-indep: build install dh_testdir diff -pruN 1:2.6.4-4/README_FILES/amavisd-new-docs.html 1:2.6.5-0ubuntu3/README_FILES/amavisd-new-docs.html --- 1:2.6.4-4/README_FILES/amavisd-new-docs.html 2009-03-10 18:07:24.000000000 +0000 +++ 1:2.6.5-0ubuntu3/README_FILES/amavisd-new-docs.html 2011-04-01 00:57:11.000000000 +0000 @@ -302,18 +302,20 @@ of the recipient and his LDA and MUA.

Quarantine

Mail quarantining is attempted when enabled for a given contents category, -which usually includes infected or banned or spam mail with score for +which usually includes infected, or banned, or spam mail with score for at least one of its recipients at or above his kill level. It is also possible to enable quarantining of clean messages for archiving or troubleshooting purposes. The *quarantine_to for each recipient -(when nonempty), along with a global corresponding *_quarantine_method, +(when nonempty), along with a corresponding global *_quarantine_method, determines where the quarantine location should be.

+

quarantine_method

+

The *_quarantine_method can be considered a static and a site-wide setting, generally controlling a format and location of the quarantine on the system. The *quarantine_to can be considered a dynamic part of the quarantine location, possibly affected by per-recipient settings -and the class of malware (contents category). It serves to fully specify +and the type of malware (contents category). It serves to fully specify the final location, e.g. a file or a mailbox.

Depending on mail contents category (type of malware), the following @@ -341,10 +343,31 @@ variables. A nonempty string should foll usual methods for quarantining. The smtp: or lmtp: methods are only useful for quarantining if quarantine location is some dedicated mailbox instead of a local file or directory. The smtp:, lmtp: -and pipe: methods are more often used for forwarding and notifications. -The following features became available with version 2.5.0: the lmtp: -method, support for IPv6, and specifying a Unix socket to a smtp: or -lmtp: method.

+and pipe: methods are more often used for forwarding and notifications, +and only rarely for quarantining. The following features became available with +version 2.5.0: the lmtp: method, support for IPv6, and specifying a +Unix socket to a smtp: or lmtp: method.

+ +

When quarantine method starts with local:, the rest of the +string is a filename-template, which serves to specify a file name +to store a quarantined message. The template may contain placeholders +which are composed of a percent character, followed by exactly one +character. The following expansions are recognized:

+ +
    +
  • %b is replaced by $msginfo->body_digest
    • +
  • %P is replaced by $msginfo->partition_tag
    • +
  • %m is replaced by $msginfo->mail_id
    • +
  • %n is replaced by $msginfo->log_id
    • +
  • %i is replaced by ISO 8601 timestamp of a mail reception time
    • +
  • %% is replaced by a single %
    • +
+ +

If a filename-template ends up in .gz, the resulting +file will be gzip-compressed.

+ + +

quarantine_to

Depending on the method specified (local/bsmtp/smtp/sql) a per-recipient setting *quarantine_to adopts different semantics and syntax, @@ -428,11 +451,6 @@ possibly modified by the configuration v anything (nonempty) anything stored into SQL database specified by @storage_sql_dsn - - sql: - empty or undef - anything - not quarantined

The *quarantine_to is currently quite limited in functionality, @@ -1241,13 +1259,12 @@ content_filter=amavisfeed:[127.0.0.1]:10 # note that permit_mynetworks only checks for key presence and ignores rhs mynetworks = cidr:/etc/postfix/mynetworks-filter.cidr -smtpd_recipient_restrictions = - reject_unauth_pipelining, reject_non_fqdn_recipient, reject_non_fqdn_sender, - reject_unknown_recipient_domain, reject_unknown_sender_domain, - check_client_access cidr:/etc/postfix/mynetworks-filter.cidr, - permit_mynetworks, - permit_sasl_authenticated, permit_tls_clientcerts, - reject_unauth_destination, +smtpd_sender_restrictions = + ... the usual rejects if any ... + check_client_access cidr:/etc/postfix/mynetworks-filter.cidr + permit_mynetworks + permit_sasl_authenticated + permit_tls_clientcerts check_sender_access regexp:/etc/postfix/filter-catchall.regexp @@ -1942,14 +1959,9 @@ sending addresses, and bounces to possib More information on the 'sender_credible' attribute can be found in release notes. -

Currently the ADSP (Author Domain Signing Practices, formerly SSP) draft -is not implemented, neither by amavisd, nor by SpamAssassin's plugin DKIM. -Until it settles and comes into wider use one needs to resort to SpamAssassin -rules to block fake mail with no valid signature from domains which are known -to be signing all their mail, such as PayPal, eBay, alert.bankofamerica.com, -and others. In essence, the ADSP information (usually inferred, or actually -published (quite rare today)) from such domains needs to be encoded into -SpamAssassin rules.

+

Currently the ADSP (RFC 5617, Author Domain Signing Practices, formerly SSP) +is not implemented by amavisd, but is implemented in the SpamAssassin's plugin +DKIM as of version 3.3.0.

Setting up DKIM signing in amavisd

@@ -2365,16 +2377,25 @@ frequent clients.

mm -
Last updated: 2009-03-10 +
Last updated: 2010-10-20

diff -pruN 1:2.6.4-4/README_FILES/README.chroot 1:2.6.5-0ubuntu3/README_FILES/README.chroot --- 1:2.6.4-4/README_FILES/README.chroot 2008-12-06 00:16:26.000000000 +0000 +++ 1:2.6.5-0ubuntu3/README_FILES/README.chroot 2010-01-04 19:05:17.000000000 +0000 @@ -55,7 +55,7 @@ mknod dev/urandom c 1 9 # Linux? mknod dev/urandom c 45 2 # OpenBSD ? mknod dev/random c 2 3 # FreeBSD ? mknod dev/random c 244 0 # FreeBSD5.4 -ln -s random dev/urandom # FreeBSD +ln -s dev/random dev/urandom # FreeBSD # some external programs may need these: mknod dev/zero c 2 12 # FreeBSD, OpenBSD @@ -68,7 +68,7 @@ mknod dev/stderr c 22 2 # FreeBSD?, O # make a symbolic link so that chrooted processes can refer to the -# home directory as /var/amavis (same as not-chrooted), and do not have +# home directory as /var/amavis (same as not-chrooted), and need not have # to handle it differently (i.e. referring to it as / ) ln -s / var/amavis # actually, the following is more general: d=`pwd`; ln -s / $d$d @@ -83,7 +83,7 @@ for j in \ /usr/local/bin/zoo /usr/local/bin/lha /usr/local/bin/tnef \ /usr/local/bin/lzop /usr/local/bin/freeze \ /usr/local/bin/rpm2cpio /usr/local/bin/ripole /usr/local/bin/cabextract \ - /usr/local/bin/clamscan /usr/local/bin/sweep /usr/local/sbin/sophie + /usr/local/bin/clamscan /usr/local/bin/sweep /usr/local/sbin/sophie \ /usr/local/bin/dccproc /usr/local/bin/pyzor do cp -p $j usr/bin/; done @@ -116,10 +116,10 @@ ln -s usr/libexec . #FreeBSD: for j in \ /usr/lib/libc.so* /usr/lib/libc_r.so* /usr/lib/libm.so* \ - /usr/lib/libpthread.so.1 /usr/lib/libstdc++.so* \ + /usr/lib/libthr.so* /usr/lib/libstdc++.so* \ /usr/lib/libz.so* /usr/lib/libz2.so* \ /usr/lib/libmagic.so* /usr/local/lib/libsavi.so* \ - /usr/local/lib/libclamav.so.1 /usr/local/lib/libgmp.so.6 + /usr/local/lib/libclamav.so.* /usr/local/lib/libgmp.so.* do cp -p $j usr/lib/; done cp -p /usr/libexec/ld-elf.so.1 usr/libexec/ @@ -133,7 +133,7 @@ for j in \ do cp -p $j lib/; done # UTF8 data files needed by Perl Unicode support: -cp -pR /usr/local/lib/perl5/5.8.7/unicore usr/local/lib/perl5/site_perl/ +cp -pR /usr/local/lib/perl5/5.10.1/unicore usr/local/lib/perl5/site_perl/ # # on OpenBSD 3.8 that would be something like: # cp -pR /usr/libdata/perl5/unicore/ usr/libdata/perl5/ @@ -141,7 +141,7 @@ cp -pR /usr/local/lib/perl5/5.8.7/unicor # needed by SpamAssassin: -cp -p /etc/mail/spamassassin/{init.pre,v310.pre,*.cf} etc/mail/spamassassin/ +cp -p /etc/mail/spamassassin/{*.pre,*.cf} etc/mail/spamassassin/ cp -pR /usr/local/share/spamassassin usr/share/ # FreeBSD cp -pR /usr/share/spamassassin usr/share/ # Linux @@ -157,9 +157,8 @@ cp -p /usr/share/misc/magic* usr/share cp -p /usr/share/magic usr/share/ # needed by AV scanners (ClamAV) -mkdir -p usr/local/share/clamav var/db/clamav -cp -pR /usr/local/share/clamav usr/local/share/ # is it in /usr/local/share ? -cp -pR /var/db/clamav var/db/ # or is it in /var/db/ ? +mkdir -p var/db/clamav +cp -pR /var/db/clamav var/db/ cp /usr/local/bin/freshclam /usr/local/sbin/clamd usr/bin/ cp /usr/local/etc/clamd.conf etc/ # Start clamd and freshclam: @@ -253,6 +252,13 @@ to the list, such as: auto::POSIX::setgid auto::POSIX::setuid +As SpamAssassin loads its rules files only after chrooting, these need +to be made available in the jail. A common procedure is to tell sa-update +the directory that needs updating: + # sa-update --updatedir /var/amavis/var/lib/spamassassin/3.003000 +and periodically refresh them. + + NOTE: OpenBSD chroot specifics are described in the document http://www.flakshack.com/anti-spam, by Scott Vintinner. diff -pruN 1:2.6.4-4/README_FILES/README.customize 1:2.6.5-0ubuntu3/README_FILES/README.customize --- 1:2.6.4-4/README_FILES/README.customize 2008-12-06 00:31:08.000000000 +0000 +++ 1:2.6.5-0ubuntu3/README_FILES/README.customize 2011-04-01 01:04:10.000000000 +0000 @@ -362,7 +362,7 @@ The substitution text for the following ccat_name display name of the c.cat, takes into account per-recip bypass_* remote_mta MTA to which a message was forwarded remote_mta_smtp_response MTA's SMTP response on accepting forwarded message - smtp_response either a MTA's SMTP response for forwarded mail, or + smtp_response either an MTA's SMTP response for forwarded mail, or internally generated SMTP response for mail that was not forwarded score_boost internally generated score points to be added to a SA score @@ -580,5 +580,5 @@ body string should be quoted in [" ... " %0, %1, %2, ... %9 as formal arguments. These will be substituted with actual arguments (or empty strings for missing arguments) at the time of a call. In most respects these dynamically defined macros behave just like other -pre-defined macros. One distinction is that they can only result in a scalar -string, it can not produce an array. +pre-defined macros. One distinction is that they can only produce a scalar +string, they can not produce an array. diff -pruN 1:2.6.4-4/README_FILES/README.ldap 1:2.6.5-0ubuntu3/README_FILES/README.ldap --- 1:2.6.4-4/README_FILES/README.ldap 2006-01-27 00:46:18.000000000 +0000 +++ 1:2.6.5-0ubuntu3/README_FILES/README.ldap 2011-04-02 00:09:43.000000000 +0000 @@ -53,15 +53,15 @@ $default_ldap = { hostname => [ 'localhost', 'ldap2.example.com' ], timeout => 5, tls => 0, - base => ou=People,dc=example,dc=com, + base => 'ou=People,dc=example,dc=com', query_filter => '(&(objectClass=amavisAccount)(mail=%m))', }; The amavisd-new LDAP schema is available in file LDAP.schema of the distribution, and at http://www.ijs.si/software/amavisd/LDAP.schema -LDAP 'search' requests all available fields from the specified directory -and the result is cached (just for this mail message processing). +LDAP 'search' requests all available fields from the specified directory and +the result is cached (just for the duration of this mail message processing). Individual attributes can be extracted one at a time from this cache very quickly, so there is no penalty in using several calls to lookup for different attributes (for the same key) in different parts of the @@ -70,8 +70,10 @@ program. lookup_ldap() performs a lookup for an e-mail address in an LDAP directory. If a match is found it returns whatever the map returns (a reference to a hash containing values of requested attributes), -otherwise returns undef. Given an address the following lookups are -done by default: +otherwise returns undef. Given an e-mail address the following lookups +are done by default: + +with $ldap_lookups_no_at_means_domain = 0 (default): - lookup for user+foo@example.com - lookup for user@example.com (only if $recipient_delimiter is '+') @@ -82,13 +84,24 @@ done by default: - lookup for @.com - lookup for @. (catchall) +With $ldap_lookups_no_at_means_domain = 1 : + + - lookup for user+foo@example.com + - lookup for user@example.com (only if $recipient_delimiter is '+') + - lookup for user+foo@ (only if domain part is local) + - lookup for user@ (only local; only if $recipient_delimiter is '+') + - lookup for example.com + - lookup for .example.com + - lookup for .com + - lookup for . (catchall) + NOTE: a null reverse path e-mail address used by MTA for delivery status notifications (DSN) has empty local part and empty domain. As far as the lookup is concerned (which uses raw, i.e. non-quoted and non-bracketed address form), this address is @, i.e. a single character "@". The LDAP lookup for null address goes through the following sequence -of keys: "", "@", "@." (double quotes added for clarity, they are not part -of the key). +of keys: "", "@", "@." (double quotes added for clarity, they are not +part of the query key). lookup_ldap_attr() also performs a lookup for an e-mail address against a LDAP directory. It first calls lookup_ldap() if it hasn't been called @@ -134,7 +147,7 @@ Special handling of optional LDAP attrib --------------------------------------------------------- A special shorthand is provided when LDAP lookups are used: when a match -for recipient address (or domain) is found in LDAP tables (regardless of +for a recipient address (or domain) is found in LDAP tables (regardless of attribute values), the recipient is considered local, regardless of static @local_domains_acl or %local_domains lookup tables. This simplifies life when a large number of dynamically changing domains is hosted. diff -pruN 1:2.6.4-4/README_FILES/README.lookups 1:2.6.5-0ubuntu3/README_FILES/README.lookups --- 1:2.6.4-4/README_FILES/README.lookups 2007-03-01 19:03:50.000000000 +0000 +++ 1:2.6.5-0ubuntu3/README_FILES/README.lookups 2011-04-01 01:07:07.000000000 +0000 @@ -3,7 +3,8 @@ LOOKUP MAPS (hash, SQL) AND ACCESS LISTS Updated: 2002-04, 2002-06, 2002-11, 2002-12, 2003-03, 2003-05, 2003-06, 2003-09, 2003-12, 2004-01, 2004-03, 2004-12, - 2005-01, 2005-03, 2005-05, 2005-08 + 2005-01, 2005-03, 2005-05, 2005-08, + 2010-10 Mark Martinec (applies to the semantics of amavisd.conf variables such as: @@ -299,8 +300,6 @@ if by calling provided routines read_arr or: @mynetworks_maps = (read_hash('/etc/amavisd-mynetworks'), \@mynetworks); -More examples at amavisd.conf-sample. - REGULAR EXPRESSION LOOKUPS @@ -391,22 +390,22 @@ no attempts to use SQL for lookups will will be loaded or compiled (if @storage_sql_dsn is empty as well). For arguments to subroutine lookup() of type Amavis::Lookup::SQLfield -(objects), the object is passed to method lookup_sql_field, which does -a lookup into a SQL table by using Perl module DBI. +(objects), the object is passed to a method lookup_sql_field, which does +a lookup into an SQL table by using Perl module DBI. -SQL 'select' requests all available fields from the specified tables, +An SQL 'select' requests all available fields from the specified tables, and the result is cached (just for this mail message processing). Individual fields can be extracted one at a time from this cache very quickly, so there is no penalty in using several calls to lookup for different fields (for the same key) in different parts of the program. -lookup_sql() performs a lookup for an e-mail address against a SQL map. +lookup_sql() performs a lookup for an e-mail address against an SQL map. If a match is found it returns whatever the map returns (a reference to a hash containing values of requested fields), otherwise returns undef. A match aborts further fetching sequence. lookup_sql_field() also performs a lookup for an e-mail address against -a SQL map. It first calls lookup_sql() if it hasn't been called yet for +an SQL map. It first calls lookup_sql() if it hasn't been called yet for this key, requesting it to return all matching records. Instead of returning the whole record as lookup_sql does, it returns just a value of one particular table field, the first one with a defined (non-NULL) value from the list @@ -415,11 +414,14 @@ of matching records (or undef if there a The lookup_sql_field() is the subroutine that gets called from lookup() for arguments (objects) of type Amavis::Lookup::SQLfield. -The field value NULL is translated to Perl undef, which according -to lookup rules implies that the next lookup table (if there are more) -is to be tried. In plain words, NULL means "this table does not know -the answer, try the next one". Further searching in this table -(e.g. for more general defaults) is terminated. +A field value NULL is translated to a Perl undef, and is treated the same +as a nonexistent field of the specified name. For any field (apart from +the only exception field 'local') a record with a NULL/undef/nonexistent +field is skipped and search continues with the next, more general, +matching record until a defined value is found or all matching records are +checked. The only exception is a field named 'local', where a nonexistent +field on an otherwise matching record implies a value true - see section +"Special handling of optional SQL field 'users.local'" further down. Boolean fields are usually represented as a single character (instead of an integer) to minimize storage. Characters N,n,F,f,0,NUL and SPACE @@ -429,30 +431,35 @@ are ignored. It is customary to use Y fo SQL lookups (e.g. for user+foo@example.com) are performed in order which is usually specified by 'ORDER BY...DESC' in the SELECT statement; otherwise the order is unspecified, which is only useful if just specific -entries exist in a database (e.g. full address always, not only domain part -or mailbox part). +entries exist in a database (e.g. full address always, not domain part only +or mailbox parts only). The following order (implemented by sorting on the 'priority' field in DESCending order, zero is low priority) is recommended, to follow -the same specific-to-general principle as in other lookup tables: - - - lookup for user+foo@example.com - - lookup for user@example.com (only if $recipient_delimiter is '+') - - lookup for user+foo (only if domain part is local) - - lookup for user (only local; only if $recipient_delimiter is '+') - - lookup for @example.com - - lookup for @.example.com - - lookup for @.com - - lookup for @. (catchall) +the same specific-to-general principle as in other lookup tables; +the first column is a suggested priority (the exact value does not matter +as long as the order is maintained): + +9 - lookup for user+foo@sub.example.com +8 - lookup for user@sub.example.com (only if $recipient_delimiter is '+') +7 - lookup for user+foo (only if domain part is local) +6 - lookup for user (only local; only if $recipient_delimiter is '+') +5 - lookup for @sub.example.com +3 - lookup for @.sub.example.com +2 - lookup for @.example.com +1 - lookup for @.com +0 - lookup for @. (catchall) NOTE: this is different from hash and ACL lookups in two important aspects: - - key without '@' implies mailbox name, not domain name; - - a naked mailbox name lookups (without '@', e.g. 'user') are only + - key without '@' implies a mailbox name, not a domain name; + - naked mailbox name lookups (without an '@', e.g. 'user') are only performed when the mail address matches local_domains lookups. The domain part is always lowercased when constructing a key, the localpart is not lowercased when $localpart_is_case_sensitive is true. +With SQL datatypes CHAR and VARCHAR this does not matter anyway, as such +fields are matched case-insensitively. NOTE: a null reverse path e-mail address used by MTA for delivery status notifications (DSN) has empty local part and empty domain. As far as the diff -pruN 1:2.6.4-4/README_FILES/README.milter 1:2.6.5-0ubuntu3/README_FILES/README.milter --- 1:2.6.4-4/README_FILES/README.milter 2006-12-04 13:58:33.000000000 +0000 +++ 1:2.6.5-0ubuntu3/README_FILES/README.milter 2009-10-07 18:12:05.000000000 +0000 @@ -15,7 +15,7 @@ NOTE1: in amavisd.conf, and adjust the $notify_method. Also, the $final_*_destiny may use D_REJECT if desired. -NITE2: +NOTE2: a rewrite by Petr Rehor of the helper program amavis-milter.c to use the new AM.PDP protocol (README.protocol) is available as a separate project, see: http://sourceforge.net/projects/amavisd-milter/ diff -pruN 1:2.6.4-4/README_FILES/README.protocol 1:2.6.5-0ubuntu3/README_FILES/README.protocol --- 1:2.6.4-4/README_FILES/README.protocol 2008-06-21 00:17:21.000000000 +0000 +++ 1:2.6.5-0ubuntu3/README_FILES/README.protocol 2011-04-01 01:13:01.000000000 +0000 @@ -49,7 +49,7 @@ protocol: by exactly one non-encoded space. Spaces within a field must be encoded like any other restricted character (see below). -The protocol may be spoken over a Unix STREAM socket, or over a +The protocol may be spoken over a Unix STREAM socket, or over an inet tcp socket. The client request is a sequence of name=value attributes, each terminated @@ -61,8 +61,8 @@ the server should not close the socket u Only under special circumstances is the server allowed to close the session, e.g. in response to a timeout or fatal error condition. -The order of attributes does not matter (except for the 'request' -attribute which must appear the first in the client request). +The order of attributes does not matter, except for the 'request' +attribute which must appear first in the client request. The policy client as well as the policy server should ignore any attributes that it does not care about. @@ -84,7 +84,7 @@ truncate unreasonably long lines to a se Neither the client nor the server must make any assumptions that certain characters will not be used in the attribute name or values. E.g. a presence -of encoded null or newline other special character in the attribute name +of encoded null or newline or other special character in the attribute name or value must be safely and appropriately handled. If such a character does not comply with the expected syntax, the case should be handled to the best of client or server understanding and capability, @@ -96,10 +96,10 @@ The following example Perl expression ma s/%([0-9a-fA-F]{2})/pack("C",hex($1))/eg to encode attribute name: - s/[^0-9a-zA-Z_-]/sprintf("%%%02x",ord($&))/eg; + s/([^0-9a-zA-Z_-])/sprintf("%%%02x",ord($1))/eg; to encode attribute values (each space-separated field individually): - s/[^\041-\044\046-\176]/sprintf("%%%02x",ord($&))/eg; + s/([^\041-\044\046-\176])/sprintf("%%%02x",ord($1))/eg; Attributes in the client request are: @@ -116,7 +116,7 @@ sender= recipient= specifies the envelope recipient address. The attribute appears once - for each recipient address, the order or addresses must be preserved + for each recipient address, the order of addresses must be preserved and might be significant for some setups or functions. The attribute value syntax is specified in rfc2821 as 'Forward-path'. @@ -124,8 +124,10 @@ tempdir=/var/amavis/amavis-milter-MWZmu9 Specifies a temporary work directory to be used for mail unpacking, typically also containing the original mail file - see attribute 'mail_file' below. This attribute should be present exactly once. - The server is allowed to use the specified directory to create - additional temporary files if it chooses so. + The server is allowed to use the specified directory to create additional + temporary files if it chooses so. As a security precaution, currently + amavisd restricts the temporary directory path, which must be a + subdirectory under $TEMPBASE or $MYHOME. tempdir_removed_by=client Specifies the client will be responsible for removing the temporary diff -pruN 1:2.6.4-4/RELEASE_NOTES 1:2.6.5-0ubuntu3/RELEASE_NOTES --- 1:2.6.4-4/RELEASE_NOTES 2009-06-25 17:56:55.000000000 +0000 +++ 1:2.6.5-0ubuntu3/RELEASE_NOTES 2011-04-07 18:21:30.000000000 +0000 @@ -1,4 +1,121 @@ --------------------------------------------------------------------------- + April 7, 2011 +amavisd-new-2.6.5 release notes + +This version is strictly a maintenance release, it incorporates bug fixes +backported from 2.7.0-pre* series and/or posted as patches to the mailing +list. + + +BUG FIXES + +- when a back-end MTA rejected a message, amavisd would send a non-delivery + status notification, but also propagate the reject status back, which is + wrong, only one or the other response would be appropriate. A fix also + allows choosing either a D_REJECT, D_BOUNCE or D_DISCARD response for + such a case, configurable through %final_destiny_by_ccat at a CC_MTA + entry, defaulting to D_REJECT; reported by Peer Heinlein; + +- checking header section syntax could take excessive amounts of time + in some degenerate cases of a very long header section, now fixed; + +- do not bypass spam checking of a bounce message when its referenced domain + in Message-ID is non-local but pen pals are disabled; reported by Stefan; + +- removed some of the guesswork in bounce killer to prevent false + positives in certain cases of forwarding a mail message as an attachment, + at the expense of passing through some undesired but nonstandard bounces; + (also, deal with non-delivery notifications from yahoogroups.com, + and fixed one particular case of a false-positive in bounce killer + (mixed/multipart with an attached full message, sent through a mailing + list); + +- fixed a 'Zoo archive' entry in the $map_full_type_to_short_type_re list; + +- fixed a test for $myhostname being a FQDN to allow IDN domains (with a dash); + +- fixed a REPLACE hack (feature introduced in 2.6.2) on loading a policy bank; + +- fixed choosing the module IO::Socket::INET in ask_daemon_internal() to + avoid versions of IO::Socket::INET6 older than 2.55 (2.56?) failing with + "Address family not supported by protocol family" + when an IPv4 address with a port number is specified for connections + to a virus scanner; based on a patch by Phil Pearl (Lobbes); + +- do_unzip: avoid testing version of Compress::Raw::Zlib, the module may + not be loaded at all and the test would fail, resulting in inoperative + zip unpacking; reported by Tuomo Soini; + +- when logging or quarantining to SQL, execute a clause: SET NAMES 'utf8' + after connecting to a database, to ensure the decoded Subject and From + header fields are correctly interpreted by a SQL server as UTF-8 encoded + strings. It seems the module DBD::mysql does not observe a MySQL setting + for 'character_set_client' and needs an explicit SET NAMES. The problem + did not affect PostgreSQL. Reported by Zhang Huangbin; + +- avoid LDAP lookups aborting the scan when a %d placeholder is used in + a $default_ldap{base} setting and the resulting base do not exist in + an LDAP schema; reported by Zhang Huangbin; + +- the amavisd-new 2.6.3 relaxed semantics of a number of hard links on a + directory in TempDir::prepare(_dir), but left out an equivalent change + necessary in TempDir::check, which is now fixed; the change only affects + certain file system (like the one used on Mac OSX); + +- treat an empty PID file or a junk one-liner file the same as a nonexistent + PID file; previously an empty PID file (e.g. after an unclean shutdown) + would prevent amavisd from starting; problem reported by Michael Scheidell; + +- changed amavisd-release to only provide a 'quar_type' attribute in its + request when it is reasonably sure of its appropriate value, otherwise + leave the decision to the amavisd daemon; this solves releasing from a + file-based quarantine when compression is not used and all files are at + the top directory; reported by Voytek Eymont; + +- provide a workaround for a [perl #62048] bug affecting versions of perl + older than (approx) 5.12.3, when a banning check is using rules in + $banned_namepath_re and a lookup_re() could abort with an: + Unwarranted "Malformed UTF-8 character" + on certain tainted mail part names (with a valid UTF-8 representation); + reported by Jakob Curdes; + +- provide a workaround for logging to syslog using an old version of + Unix::Syslog which didn't prepare and keep its own copy of the 'ident' + argument on a call to openlog(3); thanks to Bill Landry; + + +OTHER + +- ensure compatibility with a new version 5.500 of MIME-Tools, which changed + the way mime attributes content-disposition.filename and content-type.name + are decoded, now properly respecting their declared encodings (character + set). As a result, the declared (recommended) file names of MIME parts are + now represented as native Perl character strings (Unicode), and as such + may also end up in reported names of banned parts. Regular expressions + in @banned_filename_maps, $banned_filename_re and $banned_namepath_re + may also see these strings as native Perl characters, as well as in their + MIME-encoded form. The change also affects interpretation of names with + earlier versions of MIME-Tools, making them behave more like the 5.500. + +- amavisd.conf: exclude names starting with 'cid:' from matching the + double extensions banning rule, avoiding false positives; + +- support Postfix 2.9 long queue IDs (enable_long_queue_ids=yes) as + available since postfix-20110321 by adjusting a default value of + a $log_templ template; + +- a small update to a default @virus_name_to_spam_score_maps; + +- the 'originating' flag is now passed on to SpamAssassin through its + %suppl_attrib argument - potentially useful with current trunk version + of SpamAssassin (treats originating mail submission as a MSA submission), + and ignored by older versions; + +- some documentation updates; + the RELEASE_NOTES file is now encoded as UTF-8, instead of ISO-8859-1; + + +--------------------------------------------------------------------------- June 25, 2009 amavisd-new-2.6.4 release notes @@ -60,13 +177,13 @@ NEW FEATURES SUMMARY NEW FEATURES - newly supplied with the package is a program amavisd-snmp-subagent, - acting as a SNMP AgentX, exporting amavisd statistical counters database + acting as an SNMP AgentX, exporting amavisd statistical counters database (snmp.db) as well as a child process status database (nanny.db) to a SNMP daemon supporting the AgentX protocol (RFC 2741), such a NET-SNMP. It is similar to combined existing utility programs amavisd-agent and amavisd-nanny, but instead of writing results as text to stdout, - it exports data to a SNMP server running on a host (same or remote), + it exports data to an SNMP server running on a host (same or remote), making them available to SNMP clients (such a Cacti or mrtg) for monitoring or alerting purposes. @@ -76,23 +193,23 @@ NEW FEATURES All of these come with a Net-SNMP package (previously known as "ucd-snmp"), home at http://net-snmp.sourceforge.net/, FreeBSD ports: net-mgmt/net-snmp. - Also, a snmpd daemon must be running on a host. It can be a snmpd from + Also, an snmpd daemon must be running on a host. It can be an snmpd from a Net-SNMP package or some other SNMP server supporting AgentX protocol. When using snmpd from Net-SNMP, just add the following to its snmpd.conf: master agentx agentXSocket tcp:127.0.0.1:705 so that amavisd-snmp-subagent will be allowed to connect to it. - The setup was tested with Net-SNMP versions 5.4.2.1 and 5.3.2.3. If you - experience wild numbers served in Counter64 variables on a 64-bit platform, - the following patch (at the server side) solves the problem: + The setup was tested with Net-SNMP versions 5.3.2.3, 5.4.2.1 and 5.2.0. + If you experience wild numbers served in Counter64 variables on a 64-bit + platform, the following patch (at the server side) solves the problem: http://www.mail-archive.com/ net-snmp-users@lists.sourceforge.net/msg19502.html The patch seems to already be incorporated into version 5.3.3 of Net-SNMP, - but not yet in 5.4.2. + and into 5.5 (but not in 5.4.2, nor in 5.2.0). A MIB module (SNMP Management information base) is provided in a file - AMAVIS-MIB.txt. It is not necessary to make it available to a SNMP server, + AMAVIS-MIB.txt. It is not necessary to make it available to an SNMP server, and not even necessary for SNMP clients, but making it available to clients allows them to display data with names of variables, not just their OIDs. A query example with no MIB modules: @@ -104,12 +221,12 @@ NEW FEATURES after amavisd, and either before or after snmpd. It can also be restarted at any time. Also, amavisd can be restarted without having to restart amavisd-snmp-subagent, as it will automatically notice a database - change and connect to a new database. Similarly, a snmpd daemon can be + change and connect to a new database. Similarly, an snmpd daemon can be restarted at any time and amavisd-snmp-subagent will reconnect to it if necessary. A natural starting order is: snmpd first, then amavisd and then amavisd-snmp-subagent. - Restarting amavisd will reset its counters. A SNMP client typically + Restarting amavisd will reset its counters. An SNMP client typically interprets a decremented value of a counter variable as a wraparound, which results in a large spike when graphing data. There are two common solutions to the problem: a reasonable upper limit can be provided to @@ -121,7 +238,7 @@ NEW FEATURES The amavisd-snmp-subagent should have access to databases snmp,db and nanny.db in a $db_home directory (environment variable AMAVISD_DB_HOME, - defaults to /var/amavis/db) and have rights to connect to a snmpd daemon. + defaults to /var/amavis/db) and have rights to connect to an snmpd daemon. It is safe to run it as root, although perhaps not necessary. For testing purposes start amavisd-snmp-subagent from a command line @@ -171,7 +288,7 @@ NEW FEATURES database sweep in 4 seconds is performed, and less often when queries are less frequent and preferably batched in groups. If some time has passed since the last SNMP query (more than 4 seconds currently), resulting values - are always fresh as collected from a database at the time of a SNMP query. + are always fresh as collected from a database at the time of an SNMP query. There is one additional experimental feature - experimental in a sense that it may change or be dropped in future versions. If running Postfix @@ -182,11 +299,11 @@ NEW FEATURES mtaQueueEntriesIncoming, mtaQueueEntriesActive, mtaQueueEntriesDeferred. Although semantically outside the scope of amavisd, it provides a quick - insight into health of a MTA, and indirectly into health of amavisd. + insight into health of an MTA, and indirectly into health of amavisd. Data is made available only if a command 'postconf -h queue_directory' is successful at amavisd-snmp-subagent startup time and provides a sensible result. Like with the other two real databases, MTA directories are only - scanned if and when actually queried by a SNMP client (again, subject to + scanned if and when actually queried by an SNMP client (again, subject to caching). As a safety measure for times when MTA queue grows huge, there is a time limit for scanning each directory subtree (currently 5 seconds, which is about how much a typical SNMP client is willing to wait for a @@ -208,7 +325,7 @@ NEW FEATURES using the original envelope sender address and a given address as a single recipient (defaults to 'dummy@localhost'). It is expected that a virus scanner will accept a clean message (2xx) and reject an infected message - (status 5xx). A SMTP response is parsed as usual for any output from a + (status 5xx). An SMTP response is parsed as usual for any output from a virus scanner, typically considering a response starting with 2 as clean, a response starting by 5 as infected, and anything else as a scanner failure. The SMTP-based virus scanner should be configured not to deliver @@ -240,7 +357,7 @@ NEW FEATURES $signed_header_fields{'content-type'} = 2; Please restrict values used in %signed_header_fields to 0, 1, or 2, - consider other values reserved for future compatibility. + consider other values reserved for future use. By default the following header fields are protected from duplicates by a DKIM signature generated by amavisd: From, Date, Subject, Content-Type. @@ -363,7 +480,7 @@ BUG FIXES (!)FAILED to notify admin: 501 5.1.7 Failed, id=40690-23, from MTA([::1]:10027): 501 5.1.7 Bad sender address syntax Notification was not sent, the rest of the processing was unaffected; - reported by Peter Pechnik, Thomas Mueller, and Stefan Förster; + reported by Peter Pechnik, Thomas Mueller, and Stefan Förster; - fetch_modules: only suppress the "Can't locate ... in @INC" diagnostics if exactly the requested module is missing, but do show the error if some @@ -546,7 +663,7 @@ NEW FEATURES OTHER - supports a SpamAssassin plugin CRM114, thanks to Jules M, and to - Martin Schütte for his CRM114 plugin for SpamAssassin; + Martin Schütte for his CRM114 plugin for SpamAssassin; - updated AV virus scanner entry for ESET Software ESETS Command Line Interface to version 3.0, commenting out entries for old versions 2.7 and 2.71.12; @@ -638,7 +755,7 @@ OTHER has been removed and now produces an 'Incorrect command line' error; - log (at log level 2) a list of loaded SpamAssassin plugins during startup; - suggested by Giuseppe Ghibò; + suggested by Giuseppe Ghibò; - convert_keysfile: do not print @dkim_signature_options_bysender_maps assignment when a list of options is empty and thus redundant; @@ -689,7 +806,7 @@ COMPATIBILITY WITH 2.6.1 BUG FIXES - when feeding a message by SMTP back to MTA and MTA rejects a recipient as - invalid and a smtp connection cache is enabled, the SMTP protocol can get + invalid and an smtp connection cache is enabled, the SMTP protocol can get out of step, rejecting the next message in the same connection with a "503 5.5.1 Error: nested MAIL command"; this only affects (hopefully) rare sites where recipient validation is performed after content filtering @@ -930,7 +1047,7 @@ NEW FEATURES %final_destiny_by_ccat entirely, leaving only a key CC_CATCHALL there: $policy_bank{'DITCH'} = { - final_destiny_by_ccat => { REPLACE=>1, (CC_CATCHALL) => D_DISCARD }, + final_destiny_by_ccat => { REPLACE=>1, CC_CATCHALL() => D_DISCARD }, }; Without specifying a REPLACE=>1 remaining key/value pairs in a hash @@ -938,11 +1055,11 @@ NEW FEATURES key/value pair would be replaced by a new setting (which may not be desirable): $policy_bank{'DITCH'} = { - final_destiny_by_ccat => { REPLACE=>0, (CC_CATCHALL) => D_DISCARD }, + final_destiny_by_ccat => { REPLACE=>0, CC_CATCHALL() => D_DISCARD }, }; or equivalently: $policy_bank{'DITCH'} = { - final_destiny_by_ccat => { (CC_CATCHALL) => D_DISCARD }, + final_destiny_by_ccat => { CC_CATCHALL() => D_DISCARD }, }; - rewritten and expanded documentation section on DKIM signing and @@ -989,7 +1106,7 @@ OTHER multipart/mixed | application/octet-stream,.exe,.exe-ms,videos.exe F: rule #9:application/octet-stream,.exe,.exe-ms,videos.exe - Likewise a SMTP response (with D_REJECT) would match a macro F as + Likewise an SMTP response (with D_REJECT) would match a macro F as before and would yield: 554 5.7.0 Reject, id=42721-01 - BANNED: rule #9:application/octet\ @@ -1156,7 +1273,7 @@ BUG FIXES not to be suppressed for internally generated large score values; reported by Bernd Probst; -- add back the 'Ok, id=..., from MTA(...):' prefix to a MTA status responses +- add back the 'Ok, id=..., from MTA(...):' prefix to an MTA status responses on forwarded mail when generating own SMTP status response (it was lost in code transition from 2.5.4 to 2.6.0); reported by Thomas Gelf; @@ -1169,7 +1286,7 @@ BUG FIXES a foreign key) and msgs.sid & msgrcpt.rid; they all should be of the same type, either integer unsigned or bigint unsigned; a schema as published in README.sql-mysql could not be built because of a conflict in a data - type; reported by Leonardo Rodrigues Magalhães and Zhang Huangbin; + type; reported by Leonardo Rodrigues Magalhães and Zhang Huangbin; NEW FEATURES @@ -1194,8 +1311,8 @@ NEW FEATURES The following example organizes spam quarantine into weekly subdirectories: cd /var/virusmails - mkdir -p W23/spam W24/spam W25/spam ... (weeks 01..53) - chown -R vscan:vscan W23 W24 W25 ... (weeks 01..53) + mkdir -p W01/spam W02/spam ... W53/spam (weeks 01..53) + chown -R vscan:vscan W01 W02 ... W53 (weeks 01..53) amavisd.conf: $spam_quarantine_method = 'local:W%P/spam/%m.gz'; $sql_partition_tag = @@ -1223,7 +1340,7 @@ OTHER example of misclassification by a file(1) utility, where a plain text file is considered a DOS executable: [qr/^DOS executable \(COM\)/ => 'asc'], # misclassified? - An example was provided by Leonardo Rodrigues Magalhães; + An example was provided by Leonardo Rodrigues Magalhães; - until the issue is better understood, revert the use of 'my_require' and go back to the standard but less informative 'require'; some people @@ -1342,7 +1459,7 @@ MAIN NEW FEATURES SUMMARY - releasing from a quarantine can push a released message to an attachment; - new experimental code for abuse reporting using formats: ARF/attach/plain; - TLS support on the SMTP client and server side; -- connection caching by a SMTP client; +- connection caching by an SMTP client; - amavisd-nanny and amavisd-agent now re-open a database on amavisd restarts; - amavisd-nanny and amavisd-agent new command line option: -c count; - updated p0f-analyzer.pl to support source port number in queries; @@ -1482,8 +1599,9 @@ NEW FEATURES $sql_partition_tag = sub { my($msginfo)=@_; iso8601_week($msginfo->rx_time) }; - yields an ISO 8601 week number (1..53) corresponding to a mail reception - timestamp in a local time zone. + yields an ISO 8601 (EN 28601) week number (1..53) corresponding to a mail + reception timestamp in a local time zone. This week number definition is + equivalent to PostgreSQL extract(week from ...), and MySQL week(date,3). Another possible use of 'partition_tag' field is to let a policy bank set its specific value (a fixed value or a subroutine) for $sql_partition_tag. @@ -1683,8 +1801,8 @@ NEW FEATURES - a new configuration variable @author_to_policy_bank_maps (also a member of policy banks) is a list of lookup tables (typically only a hash-type lookup table is used), which maps author addresses(es) (each address in - a 'From:' header field - typically only one) in a mail header section - to one or more policy bank names (a comma-separated list of names). + a 'From:' header field - typically only one) to one or more policy bank + names (a comma-separated list of names). A match can only occur if a valid DKIM author domain signature or a valid DKIM third-party signature is found, so in as much as one can trust the @@ -1701,8 +1819,9 @@ NEW FEATURES author address and the usual lookup rules apply (README.lookups - hash lookups). - When a valid third-party signature is found, a lookup key is extended - by a '/@' and a lowercased signing domain, as shown in the example below. + When a valid third-party signature is found, a lookup key (author address) + is extended by a '/@' and a lowercased signing domain, as shown in the + example below. The semantics is very similar to a whitelist_from_dkim feature in SpamAssassin, but is more flexible as is allows any dynamic amavisd @@ -1739,37 +1858,42 @@ NEW FEATURES SA: whitelist_from_dkim *@* example.com am: './@example.com' => 'WHITELIST', - Here is a complete example to be included in amavisd.conf: + Here is a complete example that can be included in amavisd.conf: @author_to_policy_bank_maps = ( { - # 'friends.example.net' => 'WHITELIST,NOBANNEDCHECK', - # 'user1@cust.example.net' => 'WHITELIST,NOBANNEDCHECK', - '.ebay.com' => 'WHITELIST', - '.ebay.co.uk' => 'WHITELIST', - 'ebay.at' => 'WHITELIST', - 'ebay.ca' => 'WHITELIST', - 'ebay.de' => 'WHITELIST', - 'ebay.fr' => 'WHITELIST', - '.paypal.co.uk' => 'WHITELIST', - '.paypal.com' => 'WHITELIST', # author domain signatures - './@paypal.com' => 'WHITELIST', # 3rd-party sign. by paypal.com - 'alert.bankofamerica.com' => 'WHITELIST', - 'amazon.com' => 'WHITELIST', - 'cisco.com' => 'WHITELIST', - '.cnn.com' => 'WHITELIST', - 'skype.net' => 'WHITELIST', - 'welcome.skype.com' => 'WHITELIST', - 'cc.yahoo-inc.com' => 'WHITELIST', + # 'friends.example.net' => 'WHITELIST,NOBANNEDCHECK', + # 'user1@cust.example.net' => 'WHITELIST,NOBANNEDCHECK', + '.ebay.com' => 'WHITELIST', + '.ebay.co.uk' => 'WHITELIST', + 'members.ebay.co.uk/@ebay.co.uk' => 'WHITELIST', + 'ebay.at' => 'WHITELIST', + 'ebay.ca' => 'WHITELIST', + 'ebay.fr' => 'WHITELIST', + 'ebay.de' => 'WHITELIST', + 'members.ebay.de/@ebay.de' => 'WHITELIST', + '.paypal.co.uk' => 'WHITELIST', + '.paypal.com' => 'WHITELIST', # author domain signatures + './@paypal.com' => 'WHITELIST', # 3rd-party sign. by paypal.com + 'alert.bankofamerica.com' => 'WHITELIST', + 'ealerts.bankofamerica.com'=> 'WHITELIST', + 'amazon.com' => 'WHITELIST', + 'amazon.de' => 'WHITELIST', + 'amazon.co.uk' => 'WHITELIST', + 'cisco.com' => 'WHITELIST', + '.cnn.com' => 'WHITELIST', + 'skype.net' => 'WHITELIST', + 'welcome.skype.com' => 'WHITELIST', + 'cc.yahoo-inc.com' => 'WHITELIST', 'cc.yahoo-inc.com/@yahoo-inc.com' => 'WHITELIST', - '.linkedin.com' => 'MILD_WHITELIST', - 'google.com' => 'MILD_WHITELIST', - 'googlemail.com' => 'MILD_WHITELIST', - './@googlegroups.com' => 'MILD_WHITELIST', - './@yahoogroups.com' => 'MILD_WHITELIST', - './@yahoogroups.co.uk' => 'MILD_WHITELIST', - './@yahoogroupes.fr' => 'MILD_WHITELIST', - 'yousendit.com' => 'MILD_WHITELIST', - 'meetup.com' => 'MILD_WHITELIST', + '.linkedin.com' => 'MILD_WHITELIST', + 'google.com' => 'MILD_WHITELIST', + 'googlemail.com' => 'MILD_WHITELIST', + './@googlegroups.com' => 'MILD_WHITELIST', + './@yahoogroups.com' => 'MILD_WHITELIST', + './@yahoogroups.co.uk' => 'MILD_WHITELIST', + './@yahoogroupes.fr' => 'MILD_WHITELIST', + 'yousendit.com' => 'MILD_WHITELIST', + 'meetup.com' => 'MILD_WHITELIST', 'dailyhoroscope@astrology.com' => 'MILD_WHITELIST', } ); @@ -1792,7 +1916,7 @@ NEW FEATURES - smtp client connection caching is a new feature which allows smtp client - code in amavisd to keep a SMTP session to MTA open after forwarding a + code in amavisd to keep an SMTP session to MTA open after forwarding a message or a notification, so that a next mail message that needs to be sent by this child process can avoid re-establishing a session and the initial greeting/EHLO (and TLS) handshake. @@ -2371,7 +2495,7 @@ NEW FEATURES A workaround for a small SOMAXCONN default on Solaris is provided by Net::Server 0.98 (?). -- in the absence of a smtp client's IP address (normally received by XFORWARD +- in the absence of an smtp client's IP address (normally received by XFORWARD smtp command from Postfix, or in the 'client_address' attribute of AM.PDP), parse the topmost one or two Received header fields and use the first valid IP address found there; based on a suggestion by Richard Bishop; @@ -2386,7 +2510,7 @@ NEW FEATURES opt-out-list, virus, other - 'rfc2822_from' an e-mail address from a From header field; - 'rfc2822_sender' an e-mail address from a Sender header field, or empty; - - 'tls_in' returns TLS ciphers in use by a SMTP session if mail came + - 'tls_in' returns TLS ciphers in use by an SMTP session if mail came to amavisd through a TLS-encrypted session, otherwise empty - 'limit' takes two arguments: a string size limit and some string, returning the string from the second argument unchanged @@ -2493,9 +2617,9 @@ OTHER %T and %C; - when defanging mail body no longer insert our own Sender header - field on a pretense that it helps with DKIM resigning - according - to ADSP (ex SSP) drafts the DKIM/ADSP does not care for the Sender - header field (unlike a historical DomainKeys); + field on a pretense that it helps with DKIM resigning - according to + ADSP (ex SSP) the DKIM/ADSP does not care for the Sender header field + (unlike a historical DomainKeys); - always provide X-Amavis-PolicyBank header field in a copy of a mail as submitted to SpamAssassin, even if a policy bank path is empty - this @@ -2597,13 +2721,13 @@ Benefits configuration variable @author_to_policy_bank_maps earlier in this release notes. -- To each message passed to local recipients amavisd inserts a header field - Authentication-Results (according to draft-kucherawy-sender-auth-header, - now RFC 5451) for each signature found in a message, reporting a - corresponding verification result. These header fields can reliably tell - a recipient or his MUA what domains claimed responsibility for a message, - or can be used for troubleshooting DKIM signing, verification and tracking - mail transformations. +- To each message passed to local recipients (matching the @local_domains_maps) + amavisd inserts a header field Authentication-Results (according to + draft-kucherawy-sender-auth-header, now RFC 5451) for each signature + found in a message, reporting a corresponding verification result. + These header fields can reliably tell a recipient or his MUA what domains + claimed responsibility for a message, or can be used for troubleshooting + DKIM signing, verification and tracking of mail transformations. - Can adjust spam score based on some metrics on a signing domain's reputation for valid signatures found in a message. A useful reputation metric is @@ -2636,6 +2760,8 @@ no valid signature from domains which ar such as PayPal, eBay, alert.bankofamerica.com, and others. In essence, the ADSP information (usually inferred, or actually published (quite rare today)) from such domains needs to be encoded into SpamAssassin rules. +(A note from the future: ADSP is now RFC 5617, SpamAssassin's DKIM plugin +does implement ADSP starting with version 3.3.0.) A QUICK START TO DKIM SIGNING @@ -2666,10 +2792,17 @@ A QUICK START TO DKIM SIGNING Amavisd already ensures the generated files are only readable by owner, but a manual procedure may require explicitly setting file permissions. Private keys must be protected from unauthorized access, only the - signing software such as amavisd should have access. Amavisd loads - these files on startup before dropping privileges, so if amavisd is - started as root it is not necessary that these key files are readable - by uid under which amavisd is running. + signing software such as amavisd should have read access. + + On a fresh program start the amavisd daemon loads these files before + dropping privileges, so if amavisd is started as root these key files + are readable regardless of their file access permission. Note however + that starting with version 2.7.0 amavisd is also capable of a warm reload, + where the daemon restarts with existing UID, so it does not have elevated + privileges to read files with private keys. Therefore it is recommended + that the file is owned by a group under which amavisd runs and UID root, + and the file access permission allows read access for a group, e.g.: + -rw-r----- 1 root vscan ... /var/db/dkim/xxx.key.pem 2. Add commands to amavisd.conf to load private keys, associate them with signing domains and selectors, and describe constraints (tags) to be @@ -2840,7 +2973,7 @@ amavisd-new-2.5.4 release notes BUG FIXES - simplify regular expressions in parse_quoted_rfc2821() to avoid perl crashing - on a long degenerated e-mail address; reported by Sébastien Aveline; + on a long degenerated e-mail address; reported by Sébastien Aveline; - further simplify (split in two) regular expressions in parse_address_list() to avoid perl crashing on long degenerated e-mail addresses in From, To, @@ -2904,8 +3037,8 @@ amavisd-new-2.5.3 release notes BUG FIXES -- fix parsing a SMTP status response from MTA when releasing from a - quarantine, when a MTA response did not include an enhanced status +- fix parsing an SMTP status response from MTA when releasing from a + quarantine, when an MTA response did not include an enhanced status code (RFC 3463) (such as with old versions of Postfix); a parsing failure resulted in attribute "setreply=450 4.5.0 Unexpected:..." in an AM.PDP protocol response, even though a release was successful; @@ -2915,7 +3048,7 @@ BUG FIXES - change parsing of addresses in From, To, and Cc header fields, avoiding complex Perl regular expressions which could crash a process on certain degenerate cases of these header fields; thanks for detailed problem - reports to Carsten Lührs and Attila Nagy; + reports to Carsten Lührs and Attila Nagy; - completely rewritten parsing of Received header field to work around a Perl regular expression problem which could crash a process on certain @@ -3043,7 +3176,7 @@ OTHER interface (nod32cli): added a status 3 (e.g. corrupted archive) back to the list of clean statuses; the 3 was removed in 2.5.1 as the entry was substituted with the one from a NOD32 documentation; reported by - Tamás Gregorics; + Tamás Gregorics; - updated AV entry for 'F-Secure Antivirus for Linux servers' to cope with version 5.5 and later; a new entry provided by Peter Bieringer; @@ -3165,7 +3298,7 @@ BUG FIXES - fixed quarantining to a SQL database of messages with a null envelope sender address (broken in 2.5.0, causing such messages to tempfail); - reported by Markus Edholm, Vahur Jõesalu and Michael Scheidell; + reported by Markus Edholm, Vahur Jõesalu and Michael Scheidell; - fixed parsing of certain broken 'From' header fields, which would result in a temporary failure and the following logged error: @@ -3203,7 +3336,7 @@ BUG FIXES it didn't reflect reality, it was always reported together with the: INFO: unfolded 1 illegal all-whitespace continuation lines -- when a SMTP option BODY=8BITMIME (RFC 1652) is not given on mail +- when an SMTP option BODY=8BITMIME (RFC 1652) is not given on mail reception, avoid turning it on while forwarding, even if mail body contains 8-bit characters; following a garbage-in-garbage-out principle, this doesn't break anything that isn't already broken, @@ -3249,7 +3382,7 @@ OTHER with each mail task, where actually missing modules were only loaded once within each child process; -- avoid reporting 'BOUNCE' in a SMTP response text when a bounce (i.e. +- avoid reporting 'BOUNCE' in an SMTP response text when a bounce (i.e. a nondelivery status notification) was actually suppressed, such as is usually the case with infected mail or when spam score exceeds spam_dsn_cutoff_level. Previously the SMTP response text only reflected @@ -3733,9 +3866,9 @@ NEW FEATURES http://www.goldmark.org/jeff/stupid-disclaimers/ -- as mentioned above, the new SMTP/LMTP client code now supports a LMTP - protocol too. This allows amavisd-new to act as a LMTP-to-LMTP content - filter, possibly being inserted between MTA and a LMTP-based mail delivery +- as mentioned above, the new SMTP/LMTP client code now supports an LMTP + protocol too. This allows amavisd-new to act as an LMTP-to-LMTP content + filter, possibly being inserted between MTA and an LMTP-based mail delivery agent such as Cyrus (if checking of outgoing mail is not needed). LMTP is selected when the first field of a $*_method (such as $forward_method, $notify_method, $resend_method, $release_method, $*_quarantine_method) @@ -3755,7 +3888,7 @@ NEW FEATURES same (or less) than $max_servers, or limit the maxproc field in master.cf such as: 'lmtp unix - - n - 15 lmtp' . - Note that invoking amavisd as a LMTP delivery agent has a disadvantage + Note that invoking amavisd as an LMTP delivery agent has a disadvantage that outgoing mail is not being checked, so infected internal hosts are able to pollute the world. Also the pen pals feature is no longer useful, as it requires the information on previous outgoing mail to be present @@ -3837,7 +3970,7 @@ NEW FEATURES virus_admin_maps => ["virusalert\@$mydomain"], spam_admin_maps => ["virusalert\@$mydomain"], warnbadhsender => 1, - # forward to a smtpd service providing DKIM signing service + # forward to an smtpd service providing DKIM signing service forward_method => 'smtp:[127.0.0.1]:10027', # force MTA conversion to 7-bit (e.g. before DKIM signing) smtpd_discard_ehlo_keywords => ['8BITMIME'], @@ -3916,6 +4049,7 @@ NEW FEATURES m{\b(Email|Html)\.(Img|ImgO)(\.[^., ]*)*\.Sanesecurity\.}m header L_AV_MSRBL_Img X-Amavis-AV-Status =~ m{\bMSRBL-Images/}m header L_AV_MSRBL_Spam X-Amavis-AV-Status =~ m{\bMSRBL-SPAM\.}m + header L_AV_Scam X-Amavis-AV-Status =~ m{\bScamNailer\.}i score L_AV_Phish 14 score L_AV_SS_Phish -3 @@ -3925,6 +4059,7 @@ NEW FEATURES score L_AV_SS_Img 3.5 score L_AV_MSRBL_Img 3.5 score L_AV_MSRBL_Spam 6 + score L_AV_Scam 8 - added a new concept of a 'blocking contents category', which in most cases @@ -4224,7 +4359,7 @@ SECURITY Note that a security hole in uulib which comes with Convert::UUlib 1.04 and older is now (as of 2006-12-05) known to be exploitable: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349 - credits to Jean-Sébastien Guay-Leroux; + credits to Jean-Sébastien Guay-Leroux; - p0f-analyzer.pl will no longer reply to queries coming from low-numbered UDP ports below 1024 or from nfsd port 2049, and will ignore queries @@ -4265,7 +4400,7 @@ BUG FIXES of mail header and body, setting body_type incorrectly (with only cosmetic ill-effects); -- fixed AM.PDP code to always provide a smtp-quoted form in angle brackets +- fixed AM.PDP code to always provide an smtp-quoted form in angle brackets in 'delrcpt' and 'addrcpt' attributes of a response, i.e. in the same form as was received in 'sender' and 'recipient' attributes. The attribute value syntax is specified in RFC 2821 as 'Reverse-Path' (i.e. smtp-quoted form, @@ -4695,7 +4830,7 @@ COMPATIBILITY WITH 2.4.2 BUG FIXES AND WORKAROUNDS - fixed a bug (introduced with amavisd-new-2.4.0): when receiving mail - from MTA through a LMTP protocol (not SMTP) and with D_BOUNCE as a + from MTA through an LMTP protocol (not SMTP) and with D_BOUNCE as a final*destiny setting, a suppressed non-delivery notification (e.g. spam above cutoff_level) did not turn LMTP status into a success, so an undesired bounce was generated by MTA in a post-queue filtering @@ -4731,7 +4866,7 @@ BUG FIXES AND WORKAROUNDS our own Sender field (configurable by %hdrfrom_notify_recip_by_ccat); - explicitly set PerlIO layer to ":bytes" on a temporary file handle for - email.txt (just in case); based on a problem report by Alexander Schäfer; + email.txt (just in case); based on a problem report by Alexander Schäfer; - in a string produced by a macro %c remove a decimal dot if score happens to be an integer; @@ -4762,6 +4897,11 @@ BUG FIXES AND WORKAROUNDS $xx{(CC_SPAM)} and similar; a more obvious &CC_SPAM is avoided because it prevents subroutine call inlining optimization in Perl; + Note that the '+' trick does not prevent implicit quoting with the + '=>' operator, so this is wrong: %h = (+CC_SPAM => 1); use '&' or + a '()', e.g. %h = ( CC_SPAM() => 1 ); or %h = ( &CC_SPAM => 1 ); + or avoid the '=>' operator and use a comma: %h = ( CC_SPAM, 1 ); + - qmail: update amavisd-new-qmqpqq.patch to be compatible with Net::Server version 0.91 or later; thanks to mr from DBA Lab S.p.A.; @@ -4930,7 +5070,7 @@ OTHER CHANGES AND SMALL FEATURES: users such as amavis! - added a global config variable $enforce_smtpd_message_size_limit_64kb_min, - true by default; when true a rfc2822 requirement that a limit on mail size + true by default; when true an rfc2822 requirement that a limit on mail size must not be below 64 kB is enforced, so that any specified limit below 64 kB is treated as 64 kB; setting this variable to false disables this check, so mail size restrictions below 64 kB can be used and are effective; @@ -5122,7 +5262,7 @@ OTHER CHANGES AND SMALL FEATURES: # to avoid later conversions which could destroy signature: smtpd_discard_ehlo_keywords => ['8BITMIME'], - # forward to a smtpd service providing DKIM/DomainKeys signing service: + # forward to an smtpd service providing DKIM/DomainKeys signing service: forward_method => 'smtp:[127.0.0.1]:10027', # other special treatment of locally originating mail, e.g.: @@ -5144,7 +5284,7 @@ OTHER CHANGES AND SMALL FEATURES: Note that the same effect (making Postfix convert outgoing mail to 7-bits before DKIM signing) could be achieved by a Postfix setting - smtp_discard_ehlo_keywords=8bitmime on a smtp service feeding mail + smtp_discard_ehlo_keywords=8bitmime on an smtp service feeding mail to be signed to amavisd, but this would require setting up two such services, one with the option and one without. @@ -5287,7 +5427,7 @@ BUG FIXES AND CHANGES since 2.4.1: - zoo sucks, unzoo (v4.4) sucks more: considered, but decided against changing zoo entry in @decoders to ['unzoo','zoo'] in amavisd.conf, as was suggested - by Gábor Kövesdán. It would not necessarily be an improvement (see previous + by Gábor Kövesdán. It would not necessarily be an improvement (see previous item, misses extracting members from my test cases), so feel free to choose between the two poor choices, I still prefer zoo(1), partly also because it covers cases which clamd decoding misses; @@ -5307,7 +5447,7 @@ NEW FEATURES: - new feature: added command line options which override some configuration settings from a config file (an option to override pid_file suggested by - Paul Murphy and Gábor Kövesdán): + Paul Murphy and Gábor Kövesdán): -d log_level ... overrides $log_level -m max_servers ... overrides $max_servers @@ -5571,10 +5711,10 @@ OTHER CHANGES: as permitted by RFC 2442; - apply the concept of separate timers $child_timeout and $smtpd_timeout - as used in a SMTP session to AM.PDP and AM.CL protocols; + as used in an SMTP session to AM.PDP and AM.CL protocols; - apply the concept of separate timers $child_timeout and $smtpd_timeout - as used in a SMTP session to Courier patch; by Martin Orr; + as used in an SMTP session to Courier patch; by Martin Orr; - new macros: remote_mta, smtp_response, remote_mta_smtp_response and score_boost available to log templates and notification templates; @@ -5595,7 +5735,7 @@ OTHER CHANGES: - make use of the new macro remote_mta_smtp_response and add it to a default $log_templ, so that a Postfix queue-id of a forwarded message shows up like 'queued_as: DCF2A17B9E4' in the main log entry, - facilitating search for a related log entry in a MTA log. + facilitating search for a related log entry in an MTA log. In case of a mail split, all the MTA responses would now be shown, e.g.: queued_as: F3DBD17B847/F3DBD17B847/F3DBD17B847 (customizable by the use of macros in $log_templ); @@ -5614,7 +5754,7 @@ amavisd-new-2.4.0 release notes The most important changes since 2.3.3 at a glance: - Delivery status notifications (DSN) are now supported, both as a SMTP + Delivery status notifications (DSN) are now supported, both as an SMTP protocol extension and in notifications. Header fields like X-Amavis and X-Spam are now prepended to mail header for DomainKeys compatibility. Configuration variables can be chosen based on mail contents category, @@ -5810,7 +5950,7 @@ OTHER CHANGES: field of comma-separated names. The included LDAP.schema and documentation files are fixed accordingly. Also moved the LDAP stuff out of README.lookups into its own README.ldap and updated it accordingly for the banned - rules stuff. Fixed by Michael Hall; problem reported by Jérôme Schell, + rules stuff. Fixed by Michael Hall; problem reported by Jérôme Schell, Aury Fink Filho and Brian Wong; thanks also to Jack Stewart and Willi Gruber; - bug fix: properly disconnect SMTP session with 421 response if it times out; @@ -6063,7 +6203,7 @@ OTHER CHANGES: header L_P0F_Unix X-Amavis-OS-Fingerprint =~ /\A((Free|Open|Net)BSD|Solaris|HP-UX|Tru64|AIX)/m score L_P0F_Unix -1.0 - describe L_P0F_Unix Remote system is running Linux + describe L_P0F_Linux Remote system is running Linux header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /\ALinux/m score L_P0F_Linux -0.1 @@ -6093,14 +6233,13 @@ OTHER CHANGES: # tame a Botnet plugin, reducing its false positives score BOTNET 0.1 - meta BOTNET_W !DKIM_VERIFIED && (L_P0F_WXP || L_P0F_W) && BOTNET + meta BOTNET_W !DKIM_VALID && (L_P0F_WXP || L_P0F_W) && BOTNET score BOTNET_W 2.8 - meta BOTNET_WU !DKIM_VERIFIED && L_P0F_UNKN && BOTNET + meta BOTNET_WU !DKIM_VALID && L_P0F_UNKN && BOTNET score BOTNET_WU 2.0 meta BOTNET_OTHER !BOTNET_W && !BOTNET_WU && BOTNET score BOTNET_OTHER 0.5 - * make sure the @mynetworks is configured correctly, otherwise you will be inappropriately penalizing mail from internal hosts running Windows! Other methods to turn off fingerprinting for our own SMTP client hosts @@ -6360,7 +6499,7 @@ OTHER CHANGES: classified, e.g. it can be both a CC_VIRUS and a CC_BANNED. Supporting subroutines are: add_contents_category, main_contents_category, is_in_contents_category, setting_by_contents_category; - thanks for suggestions and feedback to Gérald Macinenti; + thanks for suggestions and feedback to Gérald Macinenti; The contents_category list is a sorted list of strings, each of the form "major" or "major,minor", where major and minor are numbers, representing @@ -6841,7 +6980,7 @@ SECURITY: a security problem in the underlying uulib: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349 which is now known to be exploitable (2006-12-05), credits to - Jean-Sébastien Guay-Leroux; + Jean-Sébastien Guay-Leroux; INCOMPATIBILITY with 2.2.1 and older versions: @@ -6918,7 +7057,7 @@ BUG FIXES or missing functionality: - at last: when mail is received through LMTP protocol, gracefully handle a temporary failure 4xx reply from MTA to a RCPT TO command and pass it - back to a LMTP client for tempfailed recipients only, instead of returning + back to an LMTP client for tempfailed recipients only, instead of returning 450 for _all_ recipients (needed the sending routine to be aware of the receiving side capabilities, which was previously not available); @@ -7007,35 +7146,37 @@ NEW FEATURES: uniqueness property and can be used for the purpose of uniquely identifying a quarantined mail, or for other uses. The mail_id is a 12-character string consisting of characters [A-Za-z0-9+-] (like base64, except for a '/' being - substituted by a '+'), guaranteed to start and to end with an alphanumeric - character (i.e. not with '+' or '-'). It is derived by cryptographically - strong method (MD5), cumulatively collecting entropy during the life of - child processes, folding-in entropy from processed mail and other cheaply - accessible sources, collected when an opportunity arises (e.g. file system - file-IDs, SA results etc), without placing a burden on system sources of - randomness (see RFC 4086). Note that MD5 has been demonstrated to have some - weaknesses, but we are not talking about cryptographic attacks here, but - rather about spreading messages which have no inherent intention of causing + substituted by a '+') [a note from the future: since amavisd-new-2.7.0 the + character set is [A-Za-z0-9-_] and follows rfc4648 base64url, derived from + base64 by substituting '+' -> '-' and '/' -> '_'], guaranteed to start and + to end with an alphanumeric character (i.e. not with '+' or '-' or '_'). + It is derived by a cryptographically strong method (MD5), cumulatively + collecting entropy during the life of child processes, folding-in entropy + from processed mail and other inexpensively accessible sources, collected + when an opportunity arises (e.g. file system file-IDs, SA results etc), + without placing a burden on system sources of randomness (see RFC 4086). + Note that MD5 has been demonstrated to have some weaknesses, but we are + not talking about cryptographic attacks here, but rather about spreading + message identity codes which have no inherent intention of causing collisions. - The mail_id carries 71.9 bits of information (subject to the quality of - sources). For a high-end system that keeps a year's worth of mail messages + The mail_id carries 71.9 bits of information (subject to quality of sources + of entropy). For a high-end system that keeps a year's worth of mail messages in evidence (e.g. in quarantine) and receives 10e6 messages each day (20..200 TB of yearly mail contents), the probability of a mail_id collision happening during one year (while gradually displacing an entire collection with a new set of IDs) is n^2/m = 0.3 % (10e6 * 365)^2 / (62 * (64^(12-2)) * 62) = (10e6 * 365)^2 / 2^71.9 = 0.003 - Eventual clash is still possible and needs to be detected, but a re-tried - mail delivery attempt is acceptable if its probability is low, as each mail - processing rolls a dice again. On a smallish system receiving 10.000 mail - messages daily an 8-character mail_id would suffice, but the savings are - not worth the trouble of providing configuration flexibility. + Eventual clash is still possible and needs to be detected by testing each + generated code against the set of message IDs currently kept in a database. + On a smallish system receiving 10.000 mail messages daily an 8-character + mail_id would suffice, but savings are not worth the trouble of providing + a configuration flexibility. Paired with a mail_id there is its companion secret_id generated for each message, such that mail_id can be derived from secret_id and pairing checked, - but not the other way around. The purpose of secret_id is not yet fully - developed, but can serve as a 'ticket', granting user a right to release - a quarantined message addressed to him. + but not the other way around. The secret_id can serve as a 'ticket', + granting user a right to release a quarantined message addressed to him. - SQL: can store information about every processed mail to SQL; the information is similar to level 0 log entries, but more detailed; a SQL database can be @@ -7748,7 +7889,7 @@ OTHER CHANGES SINCE 2.1.2: - document the localization template directory contents (in file amavisd.conf-sample) when read_l10n_templates is used; - thanks to Joël Brogniart; + thanks to Joël Brogniart; - includes file Macintosh.tar.gz, which contains auto-startup scripts and installation instructions for Mac OS X, contributed by Dale Walsh @@ -8287,7 +8428,7 @@ MAJOR NEW FEATURES A word of caution: the syntax of entries within a policy bank hash is slightly different from assignments to configuration variables. - This is because entries within policy bank are not asssignments, but + This is because entries within policy bank are not assignments, but key=>value pairs as in any Perl hash. And these pairs are delimited by commas, unlike statements, which are delimited by semicolons. Value is separated from its key by '=>' (or by a comma), whereas the @@ -8550,7 +8691,7 @@ SQL, LDAP LOOKUPS - added LDAP attributes for completeness: amavisBadHeaderLover, amavisBypassBannedChecks, amavisBypassHeaderChecks, amavisVirusQuarantineTo, - amavisBannedQuarantineTo, amavisBadHeaderQuarantineTo; by Jérôme Schell; + amavisBannedQuarantineTo, amavisBadHeaderQuarantineTo; by Jérôme Schell; DECODING / DEARCHIVING @@ -9529,9 +9670,10 @@ Patch: amavisd-new-20030616-p6 - fix parsing of unrar info lines; -- consistency with other virus/banned logic: don't send recipient notification - (reporting banned name) if mail contains both a virus and a banned name, - but $warnvirusrecip is false; reported by Nathan G. Grennan and Urska Brinar; +- consistency with other virus/banned logic: don't send recipient + notification (reporting banned name) if mail contains both a virus + and a banned name, but $warnvirusrecip is false; + reported by Nathan G. Grennan and UrÅ¡ka (Brinar) Mlakar; - check for possible I/O errors when reading from SMTP socket, and distinguish error condition from normal TCP session teardown; @@ -10060,7 +10202,7 @@ NEW FEATURES Enables checking headers of each mail for invalid (non-encoded) 8-bit characters, and produces a bounce (non-delivery status notification, - or a SMTP REJECT if desired) with the full explanation of the problem, + or an SMTP REJECT if desired) with the full explanation of the problem, with offending header fields trimmed, sanitized and included in the text. New setting $final_bad_header_destiny, defaults to D_PASS for backwards @@ -10245,7 +10387,7 @@ Patch: amavisd-new-20030314-p1 not applied by default), which, when applied (with patch(1) utility) to amavisd-new, makes it check headers of each mail for invalid (non-encoded) 8-bit characters, and produces a bounce (non-delivery - status notification, or a SMTP REJECT if desired) with the full + status notification, or an SMTP REJECT if desired) with the full explanation of the problem, with offending header fields trimmed, sanitized and included in the text. @@ -10339,7 +10481,7 @@ BUG FIXES into cache as clean. This could cause tests to be bypassed for subsequent message with the same body but different recipients with different bypass* settings, but only within a lifetime of a child process (10 messages - by default). Noticed by Jürgen Louis Fluk, thanks! + by default). Noticed by Jürgen Louis Fluk, thanks! - changed caching of SQL lookups to match the documented behaviour, i.e. SQL lookup result is cached (for the benefit of field lookups)