Enhancement #2093
amavisd-new 2.8.0 from EPEL
Status: | CLOSED | Start date: | 08/19/2013 | |
---|---|---|---|---|
Priority: | Normal | Due date: | 08/20/2013 | |
Assignee: | - | % Done: | 100% | |
Category: | nethserver-mail-filter | |||
Target version: | v6.4-beta2 | |||
Resolution: | NEEDINFO: | No |
Description
There's a recent amavisd-new
package from EPEL that can replace the current one from RepoForge.
Related issues
Associated revisions
*.spec.in: require amavisd-new >= 2.8.0-4. Refs #2093
/etc/amavisd.conf template: adjusted pid file and home dir paths. Refs #2093
nethserver-mail-filter-conf action: fix amavis home dir permissions to allow clamd to scan attachments. Refs #2093
*.spec.in: add archive formats support for amavis (EPEL) Refs #2093
postfix DB defaults: ConnectionsLimit ConnectionsLimitPerIp prop set to "0" to avoid template expansion warnings. Refs #2093
*.spec.in: additional archive format support is now an optional. Refs #2093
nethserver-mail group: ripole, lha, unrar packages are optionals. Refs #2093
History
#1 Updated by Davide Principi almost 8 years ago
- Description updated (diff)
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#2 Updated by Davide Principi almost 8 years ago
- Due date set to 08/20/2013
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- Start date set to 08/19/2013
- % Done changed from 20 to 30
- Estimated time set to 6.00
#3 Updated by Davide Principi almost 8 years ago
Enabled EPEL repository:
# yum update amavisd-new [...] ============================================================================================== Package Arch Version Repository Size ============================================================================================== Updating: amavisd-new noarch 2.8.0-4.el6 epel 797 k Installing for dependencies: lrzip x86_64 0.614-1.el6 epel 185 k p7zip-plugins x86_64 9.20.1-2.el6 epel 892 k perl-DBD-SQLite x86_64 1.27-3.el6 centos-base1 83 k perl-Razor-Agent x86_64 2.85-6.el6 epel 119 k unzoo x86_64 4.4-7.el6 epel 21 k Updating for dependencies: clamav x86_64 0.97.8-1.el6 epel 10 M clamav-db x86_64 0.97.8-1.el6 epel 56 M clamd x86_64 0.97.8-1.el6 epel 132 k Transaction Summary ============================================================================================== Install 5 Package(s) Upgrade 4 Package(s)
#4 Updated by Davide Principi almost 8 years ago
Some archive decoders are not defined as requirements in package from EPEL:
Added- lha
- unrar
- ripole
The sample-virus-nested
test fails if they are not installed.
# smtptest --from davide.principi@nethesis.it --hello nethesis.it --to postmaster@vboxnet0.tld --addr 1.2.3.4 --input sample-virus-nested.txt
#5 Updated by Davide Principi almost 8 years ago
Test case 1 / fresh install
# yum install @nethserver-mail # grep -F '|Status' /var/log/messages # see in /var/log/messages if any action exits non-zero # id amavis && id vmail && id clam # check users & groups uid=496(amavis) gid=496(amavis) groups=496(amavis) uid=495(vmail) gid=495(vmail) groups=495(vmail),496(amavis) uid=497(clam) gid=497(clam) groups=497(clam),496(amavis) # # check running daemons # for D in amavisd clamd master dovecot; do ps -C $D &>/dev/null && echo "$D OK"; done (master here is postfix) amavisd OK clamd OK master OK dovecot OK # yum install nethserver-mail-dev # perl -pe 's/./chr(ord($&)^255)/sge' </usr/share/doc/amavisd-new-2.8.0/test-messages/sample.tar.gz.compl | zcat | tar xvf - sample-42-mail-bomb.txt sample-badh.txt sample-executable.txt sample-nonspam.txt sample-spam-GTUBE-junk.txt sample-spam-GTUBE-nojunk.txt sample-spam.txt sample-virus-executable.txt sample-virus-nested.txt sample-virus-simple.txt # for TEST in sample-*.txt; do echo -e "\n\nTESTING $TEST:"; smtptest --from me@example.com --to postmaster@testdomain.tld --addr 4.4.4.4 --input $TEST; done ...
Executable and virus tests should be rejected. Spam messages should be accepted with default spam kill threshold (6.9).
#6 Updated by Davide Principi almost 8 years ago
Upgrading from amavisd-new-2.6.6-3.el6.rf
- After
yum update
kill amavisd and clamd daemons - Change amavis user home directory:
# usermod -d /var/spool/amavisd amavis
- Move bayes rules into new amavisd home directory:
# mv /var/amavis/.spamassassin /var/spool/amavisd/
- Change clamd log and pid files owner:
# chown clam.clam /var/log/clamav/* /var/run/clamav/clamd.pid
- Clean up old dirs:
# rm -rvf /var/clamav/ /var/amavis/
- Delete old clamav user and group:
# userdel clamav
- re-run
nethserver-mail-filter-update
event:# signal-event nethserver-mail-filter-update
#7 Updated by Davide Principi almost 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
Test case 2 / upgraded installation
Apply test case 1, considering that nethserver-antivirus-update
event may had failed during package updates.
QA NOTE
Verification of this issue applies also to #2062
#8 Updated by Davide Principi almost 8 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
Davide Principi) - % Done changed from 60 to 70
In nethserver-testing:nethserver-antivirus-1.0.4-4.0gitb4e2ef2d.ns6.noarch.rpm updated from #2109
nethserver-mail-filter-1.1.1-2.0git151cfb82.ns6.noarch.rpm
nethserver-mail-common-1.3.0-3.0git4bf4bb76.ns6.noarch.rpm
Added also dependencies:
altermime-0.3.10-3.el6.x86_64.rpm
amavisd-new-2.8.0-4.el6.noarch.rpm
clamav-0.97.8-1.el6.x86_64.rpm
clamav-db-0.97.8-1.el6.x86_64.rpm
clamd-0.97.8-1.el6.x86_64.rpm
lrzip-0.614-1.el6.x86_64.rpm
p7zip-plugins-9.20.1-2.el6.x86_64.rpm
perl-DBD-SQLite-1.27-3.el6.x86_64.rpm
perl-Razor-Agent-2.85-6.el6.x86_64.rpm
unzoo-4.4-7.el6.x86_64.rpm
#9 Updated by Filippo Carletti almost 8 years ago
- lha
Could be dropped, old archive format, not widely used today.
- unrar
Needed, since epel clamav has no rar support.
But I doubt it will add a lot of "security".
- ripole
Do we really want to look inside MS documents?
#10 Updated by Davide Principi almost 8 years ago
Filippo Carletti wrote:
lha: Could be dropped, old archive format, not widely used today.
Seems that "windows lha support" is present in a lot of widely used archiving software. Even if the format is old, it can be still used to hide malicious/unwanted contents.
unrar: Needed, since epel clamav has no rar support.
But I doubt it will add a lot of "security".
Same as above.
Pros:ripole: Do we really want to look inside MS documents?
- build an aggressive policy for blocking specific file types
- old project (still supported)
- not EPEL
- performance (AV should block an infected .doc anyway)
We can drop lha and ripole, or document/mark it as "optional". Only sample-virus-nested
test case fails if unrar and lha are missing.
#11 Updated by Davide Principi almost 8 years ago
Updated in nethserver-testing from #2109:nethserver-antivirus-1.0.4-6.0gitebd0b9a5.ns6.noarch.rpm
nethserver-antivirus-1.0.4-7.0git75c4a2c6.ns6.noarch.rpm
#12 Updated by Giacomo Sanchietti almost 8 years ago
- Assignee set to Giacomo Sanchietti
#13 Updated by Giacomo Sanchietti almost 8 years ago
- nethserver-mail-filter-1.1.1-2.0git151cfb82.ns6.noarch
- nethserver-antivirus-1.0.4-7.0git75c4a2c6.ns6.noarch
- nethserver-mail-common-1.3.0-4.0gitf6f5b2c6.ns6.noarch
- nethserver-mail-server-1.4.5-2.0git2461f47b.ns6.noarch
- amavisd-new-2.8.0-4.el6.noarch
- users and groups are ok
- all services are running
- tests with smtptest are ok
On update:
Aug 29 16:32:12 localhost esmith::event[16494]: Starting Clam AntiVirus Daemon: ERROR: Can't initialize the internal logger Aug 29 16:32:12 localhost esmith::event[16494]: ERROR: Can't open /var/log/clamav/clamd.log in append mode (check permissions!). Aug 29 16:32:13 localhost esmith::event[16494]: [FAILED]#015
All previous tests are ok.
Also found this warning:
Aug 29 16:36:26 localhost esmith::event[17101]: WARNING in /etc/e-smith/templates//etc/postfix/master.cf/30amavisd-before-queue: Argument "" isn't numeric in int at /etc/e-smith/templates//etc/postfix/master.cf/30amavisd-before-queue line 11. Aug 29 16:36:26 localhost esmith::event[17101]: WARNING in /etc/e-smith/templates//etc/postfix/master.cf/30amavisd-before-queue: Argument "" isn't numeric in int at /etc/e-smith/templates//etc/postfix/master.cf/30amavisd-before-queue line 12. Aug 29 16:36:26 localhost esmith::event[17101]: WARNING: Template processing succeeded for //etc/postfix/master.cf: 2 fragments generated warnings
Before release, set defaults values for ConnectionsLimit
and ConnectionsLimitPerIp
to 0.
#14 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 70 to 90
Marking as VERIFIED.
#15 Updated by Davide Principi almost 8 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-mail-common-1.3.1-1.ns6.noarch.rpm
nethserver-mail-filter-1.1.2-1.ns6.src.rpm
nethserver-mail-server-1.4.6-1.ns6.noarch.rpm
nethserver-antivirus-1.0.5-1.ns6.noarch.rpm
Dependencies:
unzoo-4.4-7.el6.x86_64.rpm
altermime-0.3.10-3.el6.x86_64.rpm
amavisd-new-2.8.0-4.el6.noarch.rpm
clamav-db-0.97.8-1.el6.x86_64.rpm
clamav-0.97.8-1.el6.x86_64.rpm
clamd-0.97.8-1.el6.x86_64.rpm
lrzip-0.614-1.el6.x86_64.rpm
p7zip-plugins-9.20.1-2.el6.x86_64.rpm
perl-DBD-SQLite-1.27-3.el6.x86_64.rpm
perl-Razor-Agent-2.85-6.el6.x86_64.rpm