Enhancement #2093

amavisd-new 2.8.0 from EPEL

Added by Davide Principi about 8 years ago. Updated almost 8 years ago.

Status: CLOSED
Start date: 08/19/2013
Priority: Normal
Due date: 08/20/2013
Assignee: -
% Done: 100%
Category: nethserver-mail-filter
Target version: v6.4-beta2
Resolution:
NEEDINFO: No

Description

There's a recent amavisd-new package from EPEL that can replace the current one from RepoForge.


Related issues

Related to NethServer 6 - Enhancement #2062: Upgrade ClamAV to 0.97.8 CLOSED 08/19/2013 08/20/2013
Related to NethServer 6 - Bug #2108: SMTP temporary error on non-existing recipients CLOSED 08/21/2013 08/21/2013
Related to NethServer 6 - Enhancement #2109: Antivirus: disable syslog messages CLOSED 08/22/2013 08/22/2013

Associated revisions

Revision c6be27f2
Added by Davide Principi almost 8 years ago

*.spec.in: require amavisd-new >= 2.8.0-4. Refs #2093

Revision 4bf4bb76
Added by Davide Principi almost 8 years ago

/etc/amavisd.conf template: adjusted pid file and home dir paths. Refs #2093

Revision 1f54ab3f
Added by Davide Principi almost 8 years ago

nethserver-mail-filter-conf action: fix amavis home dir permissions to allow clamd to scan attachments. Refs #2093

Revision 151cfb82
Added by Davide Principi almost 8 years ago

*.spec.in: add archive formats support for amavis (EPEL) Refs #2093

Revision f3821221
Added by Davide Principi almost 8 years ago

postfix DB defaults: ConnectionsLimit ConnectionsLimitPerIp prop set to "0" to avoid template expansion warnings. Refs #2093

Revision 667b20e4
Added by Davide Principi almost 8 years ago

*.spec.in: additional archive format support is now optional. Refs #2093

Revision af341aba
Added by Davide Principi almost 8 years ago

nethserver-mail group: ripole, lha, unrar packages are optional. Refs #2093

History

#1 Updated by Davide Principi almost 8 years ago

  • Description updated
  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#2 Updated by Davide Principi almost 8 years ago

  • Due date set to 08/20/2013
  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • Start date set to 08/19/2013
  • % Done changed from 20 to 30
  • Estimated time set to 6.00

#3 Updated by Davide Principi almost 8 years ago

Enabled EPEL repository:

    # yum update amavisd-new

[...]

==============================================================================================
 Package                   Arch            Version                Repository             Size
==============================================================================================
Updating:
 amavisd-new               noarch          2.8.0-4.el6            epel                  797 k
Installing for dependencies:
 lrzip                     x86_64          0.614-1.el6            epel                  185 k
 p7zip-plugins             x86_64          9.20.1-2.el6           epel                  892 k
 perl-DBD-SQLite           x86_64          1.27-3.el6             centos-base1           83 k
 perl-Razor-Agent          x86_64          2.85-6.el6             epel                  119 k
 unzoo                     x86_64          4.4-7.el6              epel                   21 k
Updating for dependencies:
 clamav                    x86_64          0.97.8-1.el6           epel                   10 M
 clamav-db                 x86_64          0.97.8-1.el6           epel                   56 M
 clamd                     x86_64          0.97.8-1.el6           epel                  132 k

Transaction Summary
==============================================================================================
Install       5 Package(s)
Upgrade       4 Package(s)

#4 Updated by Davide Principi almost 8 years ago

Some archive decoders are not defined as requirements in the package from EPEL:

Added
  • lha
  • unrar
  • ripole

The sample-virus-nested test fails if they are not installed.

  # smtptest --from davide.principi@nethesis.it --hello nethesis.it --to postmaster@vboxnet0.tld --addr 1.2.3.4 --input sample-virus-nested.txt

#5 Updated by Davide Principi almost 8 years ago

Test case 1 / fresh install

   # yum install @nethserver-mail

   # grep -F '|Status' /var/log/messages             # see in /var/log/messages if any action exits non-zero

   # id amavis && id vmail && id clam                # check users & groups
uid=496(amavis) gid=496(amavis) groups=496(amavis)
uid=495(vmail) gid=495(vmail) groups=495(vmail),496(amavis)
uid=497(clam) gid=497(clam) groups=497(clam),496(amavis)

   #                                                 # check running daemons (master here is postfix)
   # for D in amavisd clamd master dovecot; do ps -C $D &>/dev/null && echo "$D OK"; done
amavisd OK
clamd OK
master OK
dovecot OK

   # yum install nethserver-mail-dev                 
   # perl -pe 's/./chr(ord($&)^255)/sge' </usr/share/doc/amavisd-new-2.8.0/test-messages/sample.tar.gz.compl | zcat | tar xvf -
sample-42-mail-bomb.txt
sample-badh.txt
sample-executable.txt
sample-nonspam.txt
sample-spam-GTUBE-junk.txt
sample-spam-GTUBE-nojunk.txt
sample-spam.txt
sample-virus-executable.txt
sample-virus-nested.txt
sample-virus-simple.txt
   # for TEST in sample-*.txt; do echo -e "\n\nTESTING $TEST:"; smtptest --from me@example.com --to postmaster@testdomain.tld --addr 4.4.4.4 --input $TEST; done
...

Executable and virus tests should be rejected. Spam messages should be accepted with the default spam kill threshold (6.9).

#6 Updated by Davide Principi almost 8 years ago

Upgrading from amavisd-new-2.6.6-3.el6.rf

  • After yum update, kill the amavisd and clamd daemons
  • Change amavis user home directory:
        # usermod -d /var/spool/amavisd amavis
    
  • Move bayes rules into new amavisd home directory:
        #  mv /var/amavis/.spamassassin /var/spool/amavisd/
    
  • Change clamd log and pid files owner:
        # chown clam.clam /var/log/clamav/* /var/run/clamav/clamd.pid
    
  • Clean up old dirs:
        # rm -rvf /var/clamav/ /var/amavis/
    
  • Delete old clamav user and group:
        # userdel clamav
    
  • Re-run nethserver-mail-filter-update event:
        # signal-event nethserver-mail-filter-update
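
The account and group state that these upgrade steps should leave behind can be checked mechanically. The script below is an added example, not part of the original comment or of NethServer: the function names and the sample passwd/group entries are constructed, while the user names and the /var/amavis, /var/clamav and /var/spool/amavisd paths come from this issue.

```shell
#!/bin/sh
# Added example: account checks for the amavisd-new 2.8.0 (EPEL) layout.
# Works on passwd/group-format files so it can run against constructed samples.

# Succeed if user $1 has an entry in passwd-format file $2.
user_exists() {
    awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' "$2"
}

# Print the home directory of user $1 from passwd-format file $2.
passwd_home() {
    awk -F: -v u="$1" '$1 == u { print $6 }' "$2"
}

# Succeed if user $2 is listed as a member of group $1 in group-format file $3.
# Only supplementary memberships are visible here, not a user's primary gid.
group_has_member() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 }
        END { exit !f }' "$3"
}

# Print one line per problem; print nothing when the accounts match the new layout.
check_accounts() {
    home=$(passwd_home amavis "$1")
    [ "$home" = /var/spool/amavisd ] || echo "amavis home is '$home', not /var/spool/amavisd"
    for u in clam vmail; do
        # clamd (user clam) needs group access to amavis' work files to scan attachments
        group_has_member amavis "$u" "$2" || echo "$u is not in group amavis"
    done
    if user_exists clamav "$1"; then echo "old clamav user still present"; fi
    return 0
}

# Constructed sample: a half-finished upgrade (old home dir, old clamav user,
# clam not yet in group amavis). Home dirs of vmail and clam are made up.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
amavis:x:496:496::/var/amavis:/bin/sh
vmail:x:495:495::/home/vmail:/sbin/nologin
clam:x:497:497::/home/clam:/sbin/nologin
clamav:x:498:498::/var/clamav:/sbin/nologin
EOF
cat > "$SAMPLE/group" <<'EOF'
amavis:x:496:vmail
clam:x:497:
EOF
check_accounts "$SAMPLE/passwd" "$SAMPLE/group"
```

On a real host, call `check_accounts /etc/passwd /etc/group` after the update event has run; empty output means the accounts match the layout shown in test case 1.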
    

#7 Updated by Davide Principi almost 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

Test case 2 / upgraded installation

Apply test case 1, considering that nethserver-antivirus-update event may have failed during package updates.

QA NOTE
Verification of this issue applies also to #2062

#8 Updated by Davide Principi almost 8 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Davide Principi)
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-antivirus-1.0.4-4.0gitb4e2ef2d.ns6.noarch.rpm updated from #2109
nethserver-mail-filter-1.1.1-2.0git151cfb82.ns6.noarch.rpm
nethserver-mail-common-1.3.0-3.0git4bf4bb76.ns6.noarch.rpm

Added also dependencies:
altermime-0.3.10-3.el6.x86_64.rpm
amavisd-new-2.8.0-4.el6.noarch.rpm
clamav-0.97.8-1.el6.x86_64.rpm
clamav-db-0.97.8-1.el6.x86_64.rpm
clamd-0.97.8-1.el6.x86_64.rpm
lrzip-0.614-1.el6.x86_64.rpm
p7zip-plugins-9.20.1-2.el6.x86_64.rpm
perl-DBD-SQLite-1.27-3.el6.x86_64.rpm
perl-Razor-Agent-2.85-6.el6.x86_64.rpm
unzoo-4.4-7.el6.x86_64.rpm

#9 Updated by Filippo Carletti almost 8 years ago

  • lha

Could be dropped, old archive format, not widely used today.

  • unrar

Needed, since epel clamav has no rar support.
But I doubt it will add a lot of "security".

  • ripole

Do we really want to look inside MS documents?

#10 Updated by Davide Principi almost 8 years ago

Filippo Carletti wrote:

lha: Could be dropped, old archive format, not widely used today.

Seems that "windows lha support" is present in a lot of widely used archiving software. Even if the format is old, it can be still used to hide malicious/unwanted contents.

unrar: Needed, since epel clamav has no rar support.
But I doubt it will add a lot of "security".

Same as above.

ripole: Do we really want to look inside MS documents?

Pros:
  • build an aggressive policy for blocking specific file types
Cons:
  • old project (still supported)
  • not EPEL
  • performance (AV should block an infected .doc anyway)

We can drop lha and ripole, or document/mark it as "optional". Only sample-virus-nested test case fails if unrar and lha are missing.

#11 Updated by Davide Principi almost 8 years ago

Updated in nethserver-testing from #2109:
nethserver-antivirus-1.0.4-6.0gitebd0b9a5.ns6.noarch.rpm
nethserver-antivirus-1.0.4-7.0git75c4a2c6.ns6.noarch.rpm

#12 Updated by Giacomo Sanchietti almost 8 years ago

  • Assignee set to Giacomo Sanchietti

#13 Updated by Giacomo Sanchietti almost 8 years ago

Tested with:
  • nethserver-mail-filter-1.1.1-2.0git151cfb82.ns6.noarch
  • nethserver-antivirus-1.0.4-7.0git75c4a2c6.ns6.noarch
  • nethserver-mail-common-1.3.0-4.0gitf6f5b2c6.ns6.noarch
  • nethserver-mail-server-1.4.5-2.0git2461f47b.ns6.noarch
  • amavisd-new-2.8.0-4.el6.noarch
On a fresh install:
  • users and groups are ok
  • all services are running
  • tests with smtptest are ok

On update:

Aug 29 16:32:12 localhost esmith::event[16494]: Starting Clam AntiVirus Daemon: ERROR: Can't initialize the internal logger
Aug 29 16:32:12 localhost esmith::event[16494]: ERROR: Can't open /var/log/clamav/clamd.log in append mode (check permissions!).
Aug 29 16:32:13 localhost esmith::event[16494]: [FAILED]#015

All previous tests are ok.

Also found this warning:

Aug 29 16:36:26 localhost esmith::event[17101]: WARNING in /etc/e-smith/templates//etc/postfix/master.cf/30amavisd-before-queue: Argument "" isn't numeric in int at /etc/e-smith/templates//etc/postfix/master.cf/30amavisd-before-queue line 11.
Aug 29 16:36:26 localhost esmith::event[17101]: WARNING in /etc/e-smith/templates//etc/postfix/master.cf/30amavisd-before-queue: Argument "" isn't numeric in int at /etc/e-smith/templates//etc/postfix/master.cf/30amavisd-before-queue line 12.
Aug 29 16:36:26 localhost esmith::event[17101]: WARNING: Template processing succeeded for //etc/postfix/master.cf: 2 fragments generated warnings

Before release, set default values for ConnectionsLimit and ConnectionsLimitPerIp to 0.

#14 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

Marking as VERIFIED.

#15 Updated by Davide Principi almost 8 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-mail-common-1.3.1-1.ns6.noarch.rpm
nethserver-mail-filter-1.1.2-1.ns6.src.rpm
nethserver-mail-server-1.4.6-1.ns6.noarch.rpm
nethserver-antivirus-1.0.5-1.ns6.noarch.rpm

Dependencies:
unzoo-4.4-7.el6.x86_64.rpm
altermime-0.3.10-3.el6.x86_64.rpm
amavisd-new-2.8.0-4.el6.noarch.rpm
clamav-db-0.97.8-1.el6.x86_64.rpm
clamav-0.97.8-1.el6.x86_64.rpm
clamd-0.97.8-1.el6.x86_64.rpm
lrzip-0.614-1.el6.x86_64.rpm
p7zip-plugins-9.20.1-2.el6.x86_64.rpm
perl-DBD-SQLite-1.27-3.el6.x86_64.rpm
perl-Razor-Agent-2.85-6.el6.x86_64.rpm
