Recommended update for amavisd-new

Knowledgebase

(Last modified: 19NOV2007)

solutions Recommended update for amavisd-new SuSE Linux Maintenance Web (23ece00fb79c79d52546748410990eb6)

Applies to

Package: amavisd-new
Product(s): SUSE CORE 9 for x86
SUSE CORE 9 for Itanium Processor Family
SUSE CORE 9 for IBM POWER
SUSE CORE 9 for IBM S/390 31bit
SUSE CORE 9 for IBM zSeries 64bit
SUSE CORE 9 for AMD64 and Intel EM64T
Open Enterprise Server
Patch: patch-11767
Release: 20071119
Obsoletes: none

Indications

Everyone should update.

Contraindications

None.

Problem description

This updates Amavis to version 2.4.3.
Bug fixes and workarounds

fixed a bug (introduced with amavisd-new-2.4.0): when receiving mail from MTA through a LMTP protocol (not SMTP) and with D_BOUNCE as a final*destiny setting, a suppressed non-delivery notification (e.g. spam above cutoff_level) did not turn LMTP status into a success, so an undesired bounce was generated by MTA in a post-queue filtering setup, contributing to excessive bounce backscatter; reported by Michael Scheidell, thanks to Gary V for analysis;
bug fix to amavisd-release: a regexp needs to be relaxed to allow quarantine names like Y/spam-Y5y7A3J5r2Ax.gz, reported by Rob Chanter;
fix a bug in LDAP lookups which could lead to an infinite loop while expanding %m in the filter; reported by Petr Vokac;
add "LOCAL_STATE_DIR => '/var/lib'" to the SA object initialization for versions of SA 3.1.4 or older, so that SpamAssassin would see additional rules provided by sa-update and placed to its default location; the SA 3.1.5 provides its own default so this becomes unnecessary;
bug fix: don't reject mail when mail size restriction is in force, the limit is exceeded, and $final_destiny_by_ccat{+CC_OVERSIZED} is not D_REJECT;
treat blacklisting like high spam score when considering suppressing quarantining (@spam_quarantine_cutoff_level_maps) or suppressing sending a DSN (@spam_dsn_cutoff_level_maps);
calling do_quarantine() multiple times on the same message would accumulate header edits from each invocation, fixed; (such situation can only happen with a modified program);
when defanging mail or releasing mail from a quarantine, with a goal of not breaking DKIM Sender Signing Policy and DomainKeys policy, do not copy existing Sender header field to a new header, and insert our own Sender field (configurable by %hdrfrom_notify_recip_by_ccat); Note that dk-milter-0.4.1 (dk-filter) incorrectly signs mail released by amavisd from a quarantine - presence of X-Spam-* header fields preceded and followed by Received header fields makes dk-filter inappropriately reorder headers fields before signing. The dkim-milter works correctly. The bug has been reported, but has not yet been resolved at this time.
explicitly set PerlIO layer to ":bytes" on a temporary file handle for email.txt (just in case); based on a problem report by Alexander Sch�fer;
in a string produced by a macro %c remove a decimal dot if score happens to be an integer;
reduce $sa_mail_body_size_limit from 512 kB to 400 kB in amavisd.conf and amavisd.conf-sample for the time being, while the SA folks work on http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5041 (MS Outlook Express seems to be chopping long mail in approx 500 kB chunks);
another workaround for Perl taint bug: IO::Handle::_open_mode_string taints the $1 when mode string to IO::File::open is '+<', use O_RDWR instead; thanks to Ryan Frantz;
abort if a specified syslog facility name is unknown, instead of switching to LOG_DAEMON as before;
change the code which selects defanging so that defanging is triggered if any applicable contents category of a message chooses defanging; counterintuitive behaviour reported by Tapani Tarvainen;
fix example in amavisd.conf-sample to use +CC_SPAM instead of CC_SPAM as a key to a hash, e.g. $final_destiny_by_ccat{+CC_SPAM}, otherwise Perl would implicitly turn CC_SPAM into a string when used in such a context. Note that any Perl expression syntax would do, as long as the argument does not look like a plain variable which receives implicit quoting; possibilities include $xx{&CC_SPAM}, $xx{+CC_SPAM}, $xx{CC_SPAM()}, $xx{(CC_SPAM)} and similar; a more obvious &CC_SPAM is avoided because it prevents subroutine call inlining optimization in Perl;
qmail: update amavisd-new-qmqpqq.patch to be compatible with Net::Server version 0.91 or later; thanks to mr from DBA Lab S.p.A.;
AM.PDP protocol: change the order of attributes returned in an reply: delete and edit header fields before adding new header fields; problem of deleting just-inserted header fields in a sendmail milter setup reported by Petr Rehor;
AM.PDP protocol change - with version 2 of the protocol the following changes to the protocol were made:
- "version_server=2" is provided in a server response as the first attribute, older versions did not provide such attribute (assumed version on the server side was 1);
- delheader and chgheader now stand in a response before insheader and addheader, assuming that milter MTA will execute these in the same order;
- new attribute: "insheader=hdridx hdr_head hdr_body" (where hdridx as used by amavisd will always be 0 for now), making it possible to prepend header fields in a sendmail milter setup (instead of appending them, breaking compatibility with DomainKeys); problem noted by Adam Gibson and Petr Rehor;
- new attribute: "quarantine=reason" place message on hold or to a quarantine maintained by MTA, and supply a reason text (e.g. client may call smfi_quarantine milter routine); For future use - it is currently (2.4.3 or earlier) never used.
new feature: "pen pals soft-whitelisting" lowers spam score of received replies to a message previously sent by a local user to this address;
new feature: added command line options to override certain configuration settings from a config file, see below;
documentation bug fixes, especially on the use of SQL data type TIMESTAMP;
zoo decoder interface routine can now use utility unzoo(1) or zoo(1);
new feature: "pen pals soft-whitelisting" lowers spam score of received replies to a message previously sent by a local user to this address;
new feature: added command line options to override certain configuration settings from a config file, see below;
documentation bug fixes, especially on the use of SQL data type TIMESTAMP;
zoo decoder interface routine can now use utility unzoo(1) or zoo(1);
LDAP.schema: add missing LDAP attribute amavisSpamQuarantineCutoffLevel to the list of allowed attributes in objectclass amavisAccount; pointed out by Paolo Cravero;
Delivery status notifications (DSN) are now supported, both as a SMTP protocol extension and in notifications. Header fields like X-Amavis and X-Spam are now prepended to mail header for DomainKeys compatibility. Configuration variables can be chosen based on mail contents category, which is now represented explicitly. A built-in macro expander is enhanced, providing new macros and call types. Added support for passive operating system fingerprinting with the use of p0f, supplying collected information as a header field to SpamAssassin. Provide compatibility with Net::Server 0.91 and later.
fix insufficient sender address sanitation when storing quarantined or forwarded files as BSMTP files _and_ having a %s in the corresponding *_method template; potential security vulnerability (with limited scope) in versions of amavisd-new 2.3.1, 2.3.2 and 2.3.3 discovered by Thomas Jarosch;
recognize result "ms-windows metafile" (or "ms-windows metafont") from a file(1) utility and provide short type 'wmf' for it; added two example rules to amavisd.conf (and amavisd.conf-sample) to block files containing Windows Metafiles, based on US-CERT Alert TA05-362A;

Solution

Please install the updates provided at the location noted below.

Installation notes

This update is provided as an RPM package that can easily be installed onto a running system by using this command:


rpm -Fhv amavisd-new.rpm

links to download packages

Download Source Packages

Download the source code of the patches for maintained products.

Disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.

Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.