-------------------------------------------------------------------

Sun Oct 14 06:59:01 UTC 2018 - wr@rosenauer.org

​

- update to version 2.11.1

  * removed a trailing dot element from @INC, as a workaround for a perl

    vulnerability CVE-2016-1238

  * amavis-services: bumping up syslog level from LOG_NOTICE to LOG_ERR

    for a message "PID <pid> went away", and removed redundant newlines

    from some log messages

  * safe_decode() and safe_decode_utf8(): avoid warning messages

    "Use of uninitialized value in subroutine entry"

    in Encode::MIME::Header when the $check argument is undefined

  * @sa_userconf_maps has been extended to allow loading of per-recipient

    (or per-policy bank, or global) SpamAssassin configuration set from

    LDAP. For consistency with SQL a @sa_userconf_maps entry prefixed with

    'ldap:' will load SpamAssassin configuration set using the

    load_scoreonly_ldap() method;  a patch by Atanas Karashenski

  * add some Sanesecurity.Foxhole false positives to the default

    list @virus_name_to_spam_score_maps

  * updated some comments

- update amavis-milter to version 2.6.1

  * Fixed bug when creating amavisd-new policy bank names

​

-------------------------------------------------------------------

Thu Mar 15 13:59:13 UTC 2018 - varkoly@suse.com

​

- bsc#1072122 amavisd-new should use unar instead of unrar

​

-------------------------------------------------------------------

Wed Mar 14 09:15:49 UTC 2018 - varkoly@suse.com

​

- bsc#1071932 - YaST2 Mail Server Configuration - throws Error for

  starting service amavis.

  amavisd-new should require spamassassin

​

-------------------------------------------------------------------

Sun Jan 14 14:56:08 UTC 2018 - varkoly@suse.com

​

- bnc#1007149 Amavisd-milter fails to start when started via systemd

  Use fillup_only with -n amavis

​

-------------------------------------------------------------------

Thu Nov 23 13:42:57 UTC 2017 - rbrown@suse.com

​

- Replace references to /var/adm/fillup-templates with new

  %_fillupdir macro (boo#1069468)

​

-------------------------------------------------------------------

Wed Feb 22 22:25:51 UTC 2017 - wr@rosenauer.org

​

- fixed DKIM signing by recognizing ORIGINATING

  (regression in 2.11.0) (dkim-signing.diff)

  (https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html)

​

-------------------------------------------------------------------

Mon Feb 20 15:14:45 CET 2017 - kukuk@suse.de

​

- Don't require insserv if we don't need it.

​

-------------------------------------------------------------------

Fri May 27 10:59:00 UTC 2016 - jcnengel@gmail.com

​

- Update to version 2.11.0

  + Bugfixes

    * delivery method was undefined when always_bcc was used;

      reported by Marieke Janssen;

    * avoid warnings issued by perl 5.21.7 and later:

      Negative repeat count does nothing at ./amavisd line 16408

      and similarly in amavisd-status;

    * releasing from an SQL quarantine failed to provide the original

      envelope sender address to a released message;

      reported, and a fix suggested by Tom Johnson and Tobias;

    * remove a stale database file __db.nanny.db on a reload or restart,

      as it can prevent a successful start when a previous start failed

      for some reason; a patch by Trent Lloyd;

  + Compatibility

    * During startup more detailed testing is performed for taint bugs of

      a module Encode and the function utf8::is_utf8(), which may produce

      warnings on old versions of perl with its old core module Encode,

      or may exit on detecting more sinister bugs in these modules.

      Note that the module Encode may be upgraded independently of perl,

      if desired;

    * with MySQL: changed character set 'utf8' to 'utf8mb4' for fields

      msgs.subject and msgs.from_addr, as previously some of the UTF-8

      characters could not be stored in a database;

    * when logging to stderr a timestamp prefix to each message is only

      still inserted if $DEBUG is true.  When $DEBUG is false each message

      is prefixed with a syslog log level in angle brackets, and a timestamp

      is omitted (for compatibility with systemd);

    * a perl module Digest::SHA is now a required module. It is a perl core

      module since perl 5.10, so it shouldn't introduce a new dependency,

      and it was a de-facto required module even previously, as it was needed

      for DKIM processing;

  + New features

    * Polished rough corners to facilitate running amavisd as a non-daemonized

      supervised process

    * A log template macro 'report_json' can now take arguments, which can

      include or exclude fields (key/values) from the JSON report object.

      Arguments to a macro are either field names (keys) to be included

      in a report, or are field names to be excluded, each prefixed with

      an exclamation mark, to produce a report with all but excluded fields.

    * Two new configuration settings are added: %smtpd_tls_server_options

      and %smtp_tls_client_options. These two associative arrays are passed

      to IO::Socket::SSL->start_SSL when establishing a server-side or a

      client-side TLS session with an MTA, and provide more control over

      a TLS session - like providing certificates and restricting ciphers.

      See documentation of a perl module IO::Socket::SSL for a list of

      all options with their descriptions and their defaults.

    * Supports receiving SMTP/LMTP connections through a HAProxy,

      recognizing 'PROXY protocol Version 1' data on the first line read,

      after a connection from HAProxy to amavisd has been established.

      Connection data (IP addresses and ports) received via this protocol

      end up replacing such data in the the Amavis::In::Connection object

      ($conn).  Set configuration variable $haproxy_target_enabled (also

      a member of policy banks) to true in order to enable this protocol.

    * redis: allow a scoped / link-local IP address specification

      (avoiding current limitation in IO::Socket::IP [rt.cpan.org #89608]);

    * the Amavis::Unpackers::Part::digest method now holds a digest (SHA1,

      hex) of a decoded (base64 or quoted-printable) MIME part contents,

      followed by a colon and a lowercased Content-Type of the MIME part.

      Canonical line endings CRLF in decoded textual parts are normalized

      to a native newline (\n) before feeding them to a digest algorithm.

    * Policy bank names in a @client_ipaddr_policy setting can now accept

      a comma-separated list of policy names to be loaded on a match

      (for loading of policy banks based on an IP address of a SMTP client).

      Whitespace around each policy name is allowed and is stripped.

      Previously only a single policy bank name was allowed in each entry

      of @client_ipaddr_policy.

    * Experimental feature: IP lookups (as implemented by lookup_ip_acl()

      and used by @client_ipaddr_policy) can now also do DNS-based lookups,

      in addition to array- and hash-based lookups.

​

-------------------------------------------------------------------

Thu Jan 21 13:43:53 UTC 2016 - aj@ajaissle.de

​

- Add amavisd-new-2.10.1-myhostname.patch:

  $myhostname is set using POSIX::uname, but expects a FQDN. This

  patch changes this behaviour to use Net::Domain::hostfqdn instead

​

-------------------------------------------------------------------

Wed Aug 12 14:35:24 UTC 2015 - wr@rosenauer.org

​

- require perl-Convert-BinHex as otherwise startup fails with

  default installation

- file based requirement does not work

  -> changed to package requirement util-linux-systemd

​

-------------------------------------------------------------------

Tue Dec 16 20:26:10 UTC 2014 - p.drouand@gmail.com

​

- Update to version 2.10.1

  + fixed a missing import of mail_addr_idn_to_ascii() and idn_to_utf8()

    when SQL is in use

  + void warnings issued by perl 5.21.5:

- Changes from version 2.10

COMPATIBILITY

- New requirement: perl module Net::LibIDN needs to be installed.

- Uses a perl module File::LibMagic if installed, instead of spawning

  a file(1) utility.

- Support for international email relies heavily on perl to do the

  right thing in its support of Unicode, so using a reasonably recent

  version of perl is recommended. Amavisd was tested with perl 5.18

  and 5.20.1. Versions of perl older than 5.12 may cause problems

  with handling, encoding, and decoding of Unicode characters.

  It is reasonable to expect that versions 5.14 and 5.16 are fine too,

  but have not been tested extensively.

- Default log templates and notification templates have changed

  in details (like in decoding of international e-mail addresses), so

  if locally customized templates are in use these will benefit from

  updating - otherwise expect some mojibake in log and notifications.

- International domain names (IDN) encoded in ASCII-compatible encoding

  found in e-mail addresses and in Message-ID header field will be decoded

  to Unicode for presentation purposes (syslog, JSON structured log,

  notifications). This decoding does not affect a mail message itself.

- Logging via syslog expects that syslogd (or equivalent) will not

  clobber UTF-8 octets. It may be necessary to tell syslogd to accept

  C1 control characters unchanged, e.g. by adding a command line option

  "-8" to syslogd. Failing to do so may leave logged entries (like

  sender and recipient address, From, Subject) in international mail

  garbled or poorly readable in syslog.

  On FreeBSD one should add:  syslogd_flags="-8"  to /etc/rc.conf.

- Third party log parsers may need updating to accept logs with Unicode

  characters in UTF-8 encoding.

- A SMTP response to an EHLO command will now announce SMTPUTF8 capability

  by default.

​

BUG FIXES

- releasing a message from an SQL quarantine was broken in version 2.9.1

  due to introduction of parent_mail_id(); patches provided by Stef Simoens

  and Gionatan Danti;

- if checking of a message was aborted prematurely (like due to a timeout

  or some fatal error), JSON log could receive a copy of a previous

  log entry;

- prevent non-ASCII non-UTF-8 octets from reaching a JSON log/report

  (which produced an invalid JSON object and Elasticsearch complaining);

- allow SMTP commands MAIL FROM and RCPT TO to accept options without

  values, as allowed by the RFC 5321 syntax;

- in delivery status notification (DSN) the field Received-From-MTA

  specified 'smtp' as mta-name-type, instead of a 'dns' as prescribed

  in RFC 3464;

- releasing from a quarantine left envelope sender address as '<>'

  instead of using the address found in a Return-Path header field

  of a quarantined message, while also logging a warning:

    Quarantine release $QID: missing X-Envelope-From or Return-Path

  reported by Pascal Volk;

- avoid failure in os_fingerprint or in smtp forwarding in certain cases

  where the $os_fingerprint_method or $forward_method or $notify_method

  uses an asterisk in place of a host IP address or port number.

  The reported error in os_fingerprint (reported by -ben) was:

    os_fingerprint FAILED: Insecure dependency in socket

      while running with -T switch

      at /usr/lib/perl/5.18/IO/Socket.pm line 80

  and in SMTP forwarding or notification (reported by Dennis Boone):

    (!)connect to *:10025 attempt #1:

      Insecure dependency in socket while running with -T switch

      at /usr/lib/perl/5.18/IO/Socket.pm line 80.

- files LDAP.ldif and LDAP.schema: added a missing attribute

  amavisDisclaimerOptions to objectClass; reported by Quanah Gibson-Mount;

​

NEW FEATURES

- added support for Internationalized Email:

  * RFC 6530 - Overview and Framework for Internationalized Email

  * RFC 6531 - SMTP Extension for Internationalized Email (SMTPUTF8)

  * RFC 6532 - Internationalized Email Headers

  * RFC 6533 - Internationalized Delivery Status Notifications

  This supports UTF-8 (EAI) in SMTP/LMTP sender addresses, recipient

  addresses, and message header section. Feature parity with Postfix

  version 2.12 (support introduced in development snapshot 20140715).

  The SMTPUTF8 extension is supported by Gmail since 2014-08-05:

    http://googleblog.blogspot.com/2014/08/a-first-step-toward-more-global-email.html

- added support for Internationalized Domain Names (IDN) according

  to IDNA (RFC 5890, RFC 5891; RFC 3490);

  * A-labels in ASCII-compatible encoding of domain names are converted

    to U-labels for presentation/logging purposed;

  * U-labels are converted to A-labels when feeding a mail message

    to an MTA which does not announce support for SMTPUTF8 extension

    (instead of rejecting them as invalid mail address);

  * For lookup purposes an international domain name is converted to

    ASCII-compatible encoding when used as a query key in DNS lookups

    and in lookups into hash, list, SQL and LDAP lookup tables (but not

    in regexp table lookups). These tables are expected to contain domain

    names in their ASCII representation (ACE). For convenience of config

    files subroutines idn_to_ascii() and mail_idn_to_ascii() are available,

    which encode a Unicode domain name to ACE (like ToASCII in RFC 3490);

  * Many configuration settings may have their domain names in UTF-8.

    These will be converted to ACE automatically where necessary

    (e.g. when creating a Received and Authentication-Results header

    fields, DKIM signatures, mail addresses in notifications, ...).

    These settings include:

      $myhostname, $localhost_name, $myauthservid, $mydomain,

      notification sender and recipient mail addresses

        ($mailfrom_notify_*, $hdrfrom_notify_*, @*_admin_maps),

      domain names and selectors in DKIM signing keys (in calls

        to dkim_key() );

- delivery notifications and admin notifications now show the following

  information encoded as UTF-8 (which is a default $bdy_encoding) in the

  plain text part of the message: IDN domain names in sender and recipient

  mail addresses and Message-ID are first decoded to Unicode, Subject and

  author display names are MIME-decoded;

- 'amavisd showkeys' and 'amavisd testkeys' can now deal with IDN

  (international domain names): domain names in DNS zone comments

  end up as UTF-8, DNS labels are in ASCII (A-labels); domain names in

  calls to dkim_key() may be specified either as UTF-8 or in ASCII (ACE);

- new macro 'mail_addr_decode' takes an e-mail address as a string of

  octets, where a local part may be encoded as UTF-8, and the domain part

  may be an international domain name (IDN) consisting either of U-labels

  or A-labels or NR-LDH labels. Decodes A-labels to U-labels in domain

  name. Returns a string of logical characters (Unicode), suitable for

  notification templates. If the mail address is not a valid UTF-8 string,

  it is interpreted as ISO-8859-1 (Latin-1).

- new macro 'mail_addr_decode_octets' is like 'mail_addr_decode', except

  that the result is a string of octets, only valid as UTF-8 if the

  provided address was a valid UTF-8 (garbage-in/garbage-out);

- new macro 'header_field_octets' is like 'header_field', except that

  a result is a string of octets in UTF-8 encoding, suitable for a log

  template;

- new macro 'ip_proto_trace_all' expands into a list of information

  items from a Received header trace; each item consists of a protocol

  name (the WITH clause) and an IP address, optionally followed by a

  source port number if known;

  Example:

    ESMTP://[2001:db8::143:1]:39141 < ESMTP://2001:db8::25 <

      esmtps://203.0.113.172 < ESMTPSA://192.168.9.9

  or:

    UTF8SMTP://[203.0.113.172]:51208 < UTF8SMTPSA://192.168.9.9

- new macro 'ip_proto_trace_public' is like ip_proto_trace_all, except

  that entries with non-public IP address are excluded from the list;

  'Received' trace information in $log_verbose_templ and in notifications

  now include results from this macro call;

- new macro 'protocol' evaluates to a protocol name by which a message

  was received by amavisd, according to RFC 3848 ("Transmission Types

  Registration") and "Mail Transmission Types" / "WITH protocol types"

  IANA registration

    http://www.iana.org/assignments/mail-parameters/mail-parameters.xhtml

  e.g.: SMTP, ESMTP, ESMTPA, ESMTPS, ESMTPSA, LMTP, LMTPA, LMTPS, LMTPSA,

        UTF8SMTP, UTF8SMTPA, UTF8SMTPS, UTF8SMTPSA,

        UTF8LMTP, UTF8LMTPA, UTF8LMTPS, UTF8LMTPSA, ...

- new macro 'client_protocol' expands into a protocol name by which

  a message was received from a client by MTA; the information is passed

  from MTA to amavisd through XFORWARD PROTO SMTP protocol extension or

  through AM.PDP (milter); typical values are 'ESMTP' or 'SMTP';

- use a perl module File::LibMagic when available, instead of spawning

  a file(1) utility for classifying contents of mail parts.

  By using a direct interface to a libmagic library the startup cost

  of spawning an external process is avoided. Benchmarking shows that

  using libmagic is significantly faster especially for checking a small

  number of files - takes 4 ms for checking one file with libmagic

  vs. 27 ms with a spawned file(1); based on a patch by Markus Benning;

​

​

OTHER

- RFC 6533: recognize a MIME type 'message/global' as similar

  to 'message/rfc822', and 'message/global-headers' as similar

  to 'text/rfc822-headers' where appropriate (e.g. in bounce killer);

​

- header validity check now distinguishes 'non-ASCII and invalid UTF-8'

  from 'non-ASCII but valid UTF-8' characters in a mail header section.

  By default valid UTF-8 strings in a mail header section are not treated

  as error even if mail is not flagged as international mail (SMTPUTF8),

  as these are quite common in practice. To treat non- MIME-encoded UTF-8

  in a header section as error the test can be enabled by:

    $allowed_header_tests{'utf8'} = 1;

- ORCPT attribute in SMTP 'RCPT TO' command now accepts the original

  recipient mail address in any of these encodings: utf-8-address,

  utf-8-addr-unitext, utf-8-addr-xtext, or as a legacy xtext,

  as required by RFC 6533;

- updated do_cabextract (extraction of Microsoft cabinet .cab archives)

  to recognize a slightly changed output of cabextract version 1.2;

  patch by Thomas Jarosch;

- adjusted some timeouts to leave more reserve for later stages of

  mail processing and forwarding;

- prefer sanitizing/protecting control characters as hex code (like \x7F)

  instead of octal (like \177) (e.g. in logging and DSN);

- Use dowload Url as source

- Add a requirement on perl-Net-LibIDN; new upstream dependency

-------------------------------------------------------------------

Sun Nov 09 00:46:00 UTC 2014 - Led <ledest@gmail.com>

​

- fix bashism in post script

- remove '-e' option of 'echo' command that may be unsupported in some

  POSIX-complete shells

​

-------------------------------------------------------------------

Sat Aug 16 10:31:29 CEST 2014 - ro@suse.de

​

- add /bin/logger as prereq (util-linux split)

​

-------------------------------------------------------------------

Sun Jul 27 15:35:21 UTC 2014 - wr@rosenauer.org

​

- update to version 2.9.1

  COMPATIBILITY

  There are no known incompatibilities between versions 2.9.0 and 2.9.1.

​

  Additional bugfixes and also:

  - updated decoding of RAR archives to recognize a changed format in output

    of 'unrar' utility version 5; based on a patch by amavis17(at)iotti.biz

  - avoid tempfailing a message if a redis server is down, just log the

    error and carry on;

  - some minor logging changes to facilitate troubleshooting;

- changes in 2.9

  COMPATIBILITY

  This version drops dependency on a Perl module Redis, and makes

  dependencies on modules Convert::TNEF and Convert::UUlib truly optional.

  The following change may affect third-party log parsers:

  To facilitate forensic log analysis and troubleshooting, log entries

  'FWD from' and 'SEND from' at level 1 now carry one additional

  prefixed information field which is the unique internal mail_id of

  the message, possibly followed by a parent_mail_id in parenthesis,

  No other incompatibilities with a previous version 2.8.1 are expected.

​

  NEW FEATURES SUMMARY

  - structured log/reporting to a Redis server in JSON format;

  - IP address reputation (uses a Redis server);

  - added two minor content categories to the major ccat CC_UNCHECKED

    (encrypted (=1) and over-limits/mail-bomb (=2) );

  - introduced a by-recipient setting %final_destiny_maps_by_ccat.

- update amavisd-milter to 1.6.0

  * New features:

    Added new amavisd-milter option -B which passes value of

    {daemon_name} milter macro as amavisd-new policy bank name.

  * Bug and compatibility fixes:

    Added amavisd-milter.spec for compilation with rpmbuild.

    Fixed typo which prevents using LDFLAGS on Debian.

    Fixed missing definition of true and false in libmilter/mfapi.h.

- upstream packages as tar.xz -> added xz as BuildRequires to

  support building for older dists

​

-------------------------------------------------------------------

Wed Jan  1 13:17:13 UTC 2014 - wr@rosenauer.org

​

- add some recommended decoders (bnc#754852)

- fixed amavisd-milter invocation (bnc#809969)

- correctly set clamd socket to (/var/run/clamav/clamd-socket)

  (bnc#844575)

- some spec file cleanup including using optflags for native code

​

-------------------------------------------------------------------

Tue Nov 12 13:40:03 UTC 2013 - wr@rosenauer.org

​

- Add real systemd support; add required macros in %post/postun sections

  and drop sysvinit support on openSUSE >= 12.3

​

-------------------------------------------------------------------

Tue Oct 22 15:51:56 UTC 2013 - varkoly@suse.com

​

- bnc#844575 - amavis received a change where /var/run was replaced

   with /run still /var/run is present

​

-------------------------------------------------------------------

Thu Oct  3 15:56:34 UTC 2013 - opensuse@cboltz.de

​

- fix clamd socket location (bnc#809580)

​

-------------------------------------------------------------------

Wed Sep 25 09:10:34 UTC 2013 - varkoly@suse.com

​

- bnc#831556 - naming mismatch for amavis and systemd

​

-------------------------------------------------------------------

Sat Sep 14 18:40:10 UTC 2013 - wr@rosenauer.org

​

- update to version 2.8.1

  COMPATIBILITY

  when 0MQ (a.k.a. ZeroMQ) is used between Amavis components as an

  internal messaging protocol, make sure to replace all 0MQ-enabled

  Amavis components on upgrading amavisd, as the internal protocol

  has changed slightly, taking advantage of 0MQ multi-part messages

  for better performance. Affected programs are: amavis-services,

  amavisd-status, amavisd-snmp-subagent-zmq, and amavisd.

​

  NOTE: The Crossroads I/O project (libxs) ceased development on

    July 2012, to be replaced by nanomsg eventually by the same author.

​

    The 0MQ library (libzmq) is currently (2013) the best choice,

    the preferred library version is 3.2.2 or later along with

    the ZMQ::LibZMQ3 Perl interface module and ZMQ::Constants.

    The older version 2 of the library, along with an older perl

    module ZeroMQ, should be fine too, but lacks support for IPv6.

​

  amavisd is compatible with perl 5.18.0 and with SpamAssassin 3.4.0

​

  NEW FEATURES SUMMARY

  * new Redis storage for the "pen pals" feature;

  * improved IPv6 support;

  * support for p0f v3;

  * new macros ip_trace_all and ip_trace_public;

  * amavisd-status now shows a bar graph display

    of the number of active processes;

  * the timing report log entry can show CPU usage

    at log level 2 if a module Unix::Getrusage is available;

​

-------------------------------------------------------------------

Wed May 29 20:03:41 UTC 2013 - crrodriguez@opensuse.org

​

- Fix multiple bugs in systemd unit, syslog.target should

  not be used and Wants must be used instead of requires in most

  cases.

​

-------------------------------------------------------------------

Thu May  2 07:45:54 UTC 2013 - meissner@suse.com

​

- use %defattr correctly to make /var/spool/amavis not worldreadable.

​

-------------------------------------------------------------------

Mon Feb 25 08:09:22 UTC 2013 - mlin@suse.com

​

- Install amavisd.service accordingly (/usr/lib/systemd for 12.3

  and up or /lib/systemd for older versions).

​

-------------------------------------------------------------------

Wed Feb  6 08:52:23 UTC 2013 - aj@ajaissle.de

​

- update to version 2.8.0

​

- COMPATIBILITY 2.8.0

  * removed an old compatibility measure: default value of @banned_admin_maps

    was changed from:

      @banned_admin_maps = (\$banned_admin, \%virus_admin, \$virus_admin);

    to a more consistent:

      @banned_admin_maps = (\$banned_admin);

    The previous default value of @banned_admin_maps tried to maintain

    compatibility with versions before the setting was separated from

    its companion @virus_admin_maps. Now this compatibility is no longer

    considered necessary and contributes to some confusion, so it was dropped.

    See 2.4.0 and 2.2.1 release notes for previous changes to this setting.

  * quarantining to an mbox format file used to include a local time in an

    mbox separator line, which differs from RFC 4155 and common practices

    of using an UTC timestamp; a time zone of a timestamp in separator lines

    is now changed to UTC;

​

- BUG FIXES 2.8.0

  * fixed initial evaluation of dynamic (i.e. per policy bank) values of

    $enable_dkim_verification, $enable_dkim_signing and $bypass_decode_parts

    across all declared policy banks; these policy bank entries may be scalars

    of references to such;

  * finely adjust a message size for de-stuffed dots according to a size

    definition in RFC 1870; avoids occasional message size mismatch when

    using an antispam interface module SpamdClient (implementing client-side

    of a spamc/spamd protocol);

  * updated LDAP.ldif to match LDAP.schema; provided by Quanah Gibson-Mount;

  * updated AMAVIS-MIB.txt and amavisd-snmp-subagent: changed type of

    SNMP variables *MsgsSize* in the group amavisStats 7 from Counter32

    to Counter64 for consistency with other *MsgsSize* variables in groups

    amavisStats 3 and amavisStats 9;

​

- NEW FEATURES SUMMARY 2.8.0

  * For monitoring and statistics gathering purposes a new set of utilities

    and service processes is available based on a message passing paradigm,

    using a 0MQ (a.k.a. ZMQ, ZeroMQ, or Crossroads I/O) library. This

    replaces a functionally similar set of utilities based on a shared

    BerkeleyDB database, with a benefit of avoiding lock contention

    altogether. This can bring sigificant speedups, most pronounced on

    a host with many busy amavisd child processes.

  * Applied numerous fine-grained optimizations based on a NYTProf profiler

    results. Optimizations include a reduction in a number of generated

    Perl opcodes and similar micro-optimizations. This accounts for a large

    amount of small changes in the code.

  * Our current statistics (Q4 2011) shows that 80 % of messages are below

    30.000 bytes, and 90 % of mail messages are below 100.000 bytes in

    size. As an optimization, messages below 100 KiB in size are now kept

    and processed in memory, including passing them more optimally to

    SpamAssassin 3.4.0. Some file activity is still there, but is much

    reduced. If $TEMPBASE also resides on an SSD disk (or a RAM disk),

    observed speedup between 2.7.2 and 2.8.0 was 3 to 8 percent on a

    busy host (with monitoring disabled, so as not to skew a measurement).

  * Use a module IO::Socket::IP if available, instead of dealing directly

    with low-level modules IO::Socket::INET and IO::Socket::INET6;

  * choose more appropriate defaults if running on an IPv6-only host

    (like connecting to ::1 instead of 127.0.0.1 which may not exist);

  * amavisd-release now also supports connecting to amavisd over IPv6;

  * as a debugging aid it is now possible that a late event triggers full

    logging of earlier events that occurred during processing of a current

    mail message;

  * $enable_ldap setting is now dynamic, i.e. can be changed by a policy

    bank, which makes it possible to selectively disable LDAP lookups

    per policy bank;

  * optionally avoid persistent connections to SQL and LDAP servers;

  * it is now possible to disable calling an external file(1) utility

    but still have MIME parts decoding enabled;

  * added support in Amavis::SpamControl::ExtProg for an external spam scanner

    Bogofilter;

  * added locking options to @spam_scanners entries, to be used with external

    scanners which need but do not implement locking of their resources

    by themselves;

  * added a global configuration setting $sa_userprefs_file, which is passed

    on to SpamAssassin as a 'userprefs_filename' parameter at initialization;

  * added a subroutine iso8601_weekday(), potentially useful with partitioning;

  * added several new macros available to logging and notification templates;

​

​

-------------------------------------------------------------------

Thu Dec 27 23:29:51 UTC 2012 - wr@rosenauer.org

​

- update to version 2.7.2

  * a generated Received header field was missing the 'IPv6:' prefix

    in the TCP-info component of a 'by' subfield (as required by RFC 5321,

    section 4.1.3) when amavisd received a message over an IPv6 protocol;

    (btw, the TCP-info component of a 'from' subfield was correct);

  * changed data type of an SNMP variable LogRetries from C32 to C64

    for consistency with the MIB;

  * updated AV entry 'AVG Anti-Virus' to consider status 403 continuation

    lines when searching for a virus name; suggested by Ralf Hildebrandt;

  * reduce a log level to 5 on a log message:

    Amavis::IO::RW: Error flushing on close: ...

    to avoid an innocent but sinister-looking warning when a pipe

    to a virus scanner is broken and needs to be re-established;

    reported by Stefan Jakobs

  * updated an AV entry for 'F-Secure Linux Security' to version 9.14;

    options updated by Mika Ilmaranta, a patch by Tuomo Soini;

  * fix a Unix socket compatibility issue with Net::Server versions 2.000,

    2.001 and 2.002, where a method NS_unix_path no longer exists.

    This method was re-introduced for compatibility reasons in 2.003.

    Reported by Paul MacKenzie;

​

-------------------------------------------------------------------

Mon Aug 27 09:14:08 UTC 2012 - dmueller@suse.com

​

- unarj was dropped from Factory, remove dependency to it

​

-------------------------------------------------------------------

Mon Jun 25 10:36:36 UTC 2012 - varkoly@suse.com

​

- fix the systemd service file 

​

-------------------------------------------------------------------

Thu Apr 26 21:11:48 UTC 2012 - chris@computersalat.de

​

- fix build for < 1210

​

-------------------------------------------------------------------

Wed Jan  4 14:47:42 UTC 2012 - varkoly@suse.com

​

- bnc#706257 - amavis failed to start during boot, however it is active

​

-------------------------------------------------------------------

Fri Nov  4 06:23:56 UTC 2011 - varkoly@suse.com

​

- Add systemd scripts 

​

-------------------------------------------------------------------

Wed Nov  2 10:05:41 UTC 2011 - varkoly@suse.com

​

- Fix amavisd-milter binary name 

​

-------------------------------------------------------------------

Wed Oct 26 08:58:10 UTC 2011 - wr@rosenauer.org

​

- obsolete amavisd-milter package

​

-------------------------------------------------------------------

Thu Oct 13 13:11:20 UTC 2011 - varkoly@suse.com

​

- Integrate amavisd-milter 

​

-------------------------------------------------------------------

Tue Oct 11 14:22:57 UTC 2011 - varkoly@suse.com

​

- bnc#718025 - amavisd-new 2.7.0 fails to start 

​

-------------------------------------------------------------------

Sat Sep 17 11:02:03 UTC 2011 - jengelh@medozas.de

​

- Remove redundant tags/sections from specfile

​

-------------------------------------------------------------------

Tue Sep 13 13:24:37 UTC 2011 - varkoly@suse.com

​

- update to 2.7.0 With a synergy of four solutions, using amavisd-new

  in a pre-queue filtering setup became a sensible / better behaved solution:

​

  - old helper programs amavis.c and amavis-milter.c are no longer distributed

    with the package, along with the whole helper-progs subdirectory.

    As a milter client please use the more modern 'amavisd-milter' package by

    Petr Rehor, available at http://sourceforge.net/projects/amavisd-milter/

​

  - the "smtpd_proxy_options=speed_adjust" Postfix option, available since

    Postfix 2.7.0 (20091101), improves decoupling between SMTP clients

    and a content filter in a proxy setup, reducing the number of content

    filtering processes needed for the same mail load. With this option

    turned on, a Postfix SMTP server receives the entire message before

    connecting to a before-queue content filter;

  - a master_deadline option and its API equivalent, available in SpamAssassin

    since version 3.3.0, allows for time limiting on lengthy rules checking,

    while still providing results when a time limit is exceeded; this makes

    it more suitable for time-sensitive setups like a pre-queue filtering setup;

  - reworked sub-task time limiting in amavisd, along with its counterpart

    solution in SpamAssassin, makes it better suited to a real-time nature

    of pre-queue filtering setups, where one has no control over how long

    SMTP clients are willing to wait at the data-end stage;

  - a re-purposed command line option 'reload' now does a warm restart,

    keeping sockets available to an MTA client at all times, thus reducing

    a chance that an MTA would even notice a content filter's warm restart.

​

-------------------------------------------------------------------

Tue Aug 30 15:22:40 UTC 2011 - varkoly@suse.com

​

- bnc#710289 - amavisd-new: fails rpmlint check non-ghost-in-var-run 

​

-------------------------------------------------------------------

Tue Jul 12 16:02:45 UTC 2011 - varkoly@novell.com

​

- Enable clamav as integrated scanner

- Enable Avira Antivir personal

​

-------------------------------------------------------------------

Tue May 24 08:02:50 UTC 2011 - varkoly@suse.de

​

- update to 2.6.6

 - amavisd-release was not sending a 'mail_file' attribute when a quarantined

  message was a non-compressed file in a single-level directory quarantine

​

- quarantining to SQL was sporadically failing, reporting some unrelated

  random error (like 'not available' or 'OpenSSL error: header too long');

​

- avoid a warning "_WARN: Use of uninitialized value in string eq at ...

  line 275." when an SQL-based white/black-listing is used;

​

- wrap the sql clause  SET NAMES 'utf8'  so that only a warning at

  a log level 2 is issued if an SQL server does not understand the

  command (SQLite, old versions of MySQL) instead of aborting;

- when a back-end MTA rejected a message, amavisd would send a non-delivery

  status notification, but also propagate the reject status back, which is

  wrong, only one or the other response would be appropriate. A fix also

  allows choosing either a D_REJECT, D_BOUNCE or D_DISCARD response for

  such a case, configurable through %final_destiny_by_ccat at a CC_MTA

  entry, defaulting to D_REJECT;

​

-------------------------------------------------------------------

Mon Feb 21 18:57:25 UTC 2011 - varkoly@novell.com

​

- bnc#663726 - amavisd-new: group of /var/spool/amavis conflicts with av programms 

​

-------------------------------------------------------------------

Sun Feb 20 10:41:40 UTC 2011 - coolo@novell.com

​

- unrar should not be required (non-free software now)

​

-------------------------------------------------------------------

Thu Jun 24 10:18:46 UTC 2010 - varkoly@novell.com

​

- bnc#614316 - amavisd-new: amavisd-new/README.SuSE does not match /etc/amavisd.conf

​

-------------------------------------------------------------------

Mon May 10 10:49:10 UTC 2010 - varkoly@novell.com

​

- bnc#600409 - amavisd not starting after system crash because of stale pid file

​

-------------------------------------------------------------------

Mon Jul 20 14:52:09 CEST 2009 - varkoly@suse.de

​

- bnc#521366 - Amavisd-new sends bounces when it isn't allowed to do so (backscatter!)

- update to 2.6.4

BUG FIXES

​

- amavisd failed to start when spam scanning was disabled either

  by @bypass_spam_checks_maps=(1) or by @spam_scanners=(), giving:

    Can't locate object method "new" via package "Amavis::SpamControl"

- several decoders failed to propagate "Exceeded storage quota" exception,

  so the protection of AV scanners against mail bombs was ineffective;

- milter usage (AM.PDP): verbatim header edits inserted a header body of "1"

  instead of the correct string, for example: "Authentication-Results: 1";

- updated AV entry for BitDefender's bdscan to recognize tabs around a colon

  in its output; contributed by Steve;

- fix parsing of a combined result from DSPAM (option --classify), as

  earlier versions of DSPAM did not include a signature with a combined

  result line;

- when logging to SQL (pen pals), the msgs.message_id field always received

  a value '1' instead of a Message-Id, thus making pen pals less effective

  (only matching on sender/recipient pairs worked, not on message threads)

  and letting some bounces bypass a bounce killer; bug was introduced with

  version 2.6.2;

- timer was not reset after a persistent failure to connect to a daemonized

  virus scanner, so a subsequent call to a backup scanner only had 10 seconds

  available before it was aborted, which was often too short for a command

  line backup scanner like clamscan;

- if a virus scanner interface did not find a name of a virus in the output

  of a virus scanner (despite noticing infection), the infection was ignored;

- added missing /m flags to regular expressions in AV entries

  (a bug is revealed with Perl 5.10.0; previous versions of Perl happened

  to work, unintentionally accepting a /m flag if added late during a regexp

  evaluation);

- $banned_namepath_re setting only worked globally, but was not usable in

  policy banks;

- do_uncompress: signal run_command_copy() errors, instead of returning a

  status, thus allowing decompose_part() to detect 'Exceeded storage quota'

  or 'Maximum number of files exceeded', and flag mail as CC_UNCHECKED;

- if $mailfrom_notify_admin was not specified in a configuration file but

  defaulted to an e-mail address in $hdrfrom_notify_admin, the following

  was reported (due to missing angle brackets) on an attempt to submit

  a notification:

    (!)SEND via SMTP: virusalert@example.com -> <virusalert@example.com>...

        501 5.1.7 Bad sender address syntax

    (!)FAILED to notify admin: 501 5.1.7 Failed, id=40690-23,

      from MTA([::1]:10027): 501 5.1.7 Bad sender address syntax

  Notification was not sent, the rest of the processing was unaffected;

- fetch_modules: only suppress the "Can't locate ... in @INC" diagnostics

  if exactly the requested module is missing, but do show the error if some

  subordinate module is missing and preventing the requested module to be

  loaded;

- do_unrar: recognize an information line with a '<->';

- fixed a syntax error in LDAP.ldif;

- fixed a bug in SpamdClient;

​

NEW FEATURES SUMMARY

- provide a true SNMP agent and a MIB, facilitating monitoring the health

  of a content filtering system, its performance and mail characteristics;

- a new AV interface to SMTP-based antivirus scanners;

- allow customizing SMTP-status response reason text for blocked messages;

- prevent inserting fake copies of certain important mail header fields

  without breaking a DKIM signature;

- added a configuration variable @client_ipaddr_policy, which maps smtp

  client's IP address lookup lists to a policy bank name. This allows for

  loading a policy bank based on a client IP address, and generalizes a

  formerly hard-wired mapping of @mynetworks_maps into 'MYNETS'.

- large messages beyond $sa_mail_body_size_limit are now partially passed

  to SpamAssassin and other spam scanners for checking: a copy passed to

  a spam scanner is truncated near or slightly past the indicated limit.

  Large messages are no longer given an almost free passage through spam

  checks.

- supports passing an extra argument suppl_attrib to $spamassassin->parse,

  as recognized by SpamAssassin 3.3.0, passing a set of DKIM signature

  objects to a SpamAssassin's plugin DKIM, which saves having to do the

  same signature verification operation again within a plugin, and provides

  uncrippled signatures to SpamAssassin even when a large message is

  truncated by amavisd and only partially submitted to spam analysis;

- add global variables $sa_configpath and $sa_siteconfigpath (undef by

  default), which are passed to SpamAssassin as options 'rules_filename'

  and 'site_rules_filename' during its initialization call; this makes

  it easier to run multiple instances of amavisd, each with a different

  SpamAssassin configuration, using the same amavisd configurations file

  by taking advantage of option -i;  suggested by Noah Baker;

- report process resource usage at log level 2 by calling getrusage(1)

  if a perl module Unix::Getrusage is available;

​

-------------------------------------------------------------------

Wed Jan 21 17:58:19 CET 2009 - ro@suse.de

​

- drop requires for lha for post 11.1 (dropped package) 

​

-------------------------------------------------------------------

Mon Dec 29 12:27:56 CET 2008 - lrupp@suse.de

​

- update to 2.6.2:

  + bounce killer: improved detection of nonstandard bounces

  + bounces to be killed no longer waste SpamAssassin time

  + tool to convert dkim-filter keysfile into amavisd configuration

  + compatibility with SpamAssassin 3.3 (CVS head) regained

  + rewritten and expanded documentation section on DKIM signing and

    verification in amavisd-new-docs.html

  + the %sql_clause default has changed in detail, if its value

    is overridden in a configuration file the setting may need 

    updating

- don't patch it: use a regexp in the specfile to get rid of

  amavisd-new-suse.{dif,patch}

- package p0f-analyzer.pl

  (a program to interface amavisd with a p0f utility)

- remove outdated Obsoletes

- dont enable clamd per default - its a user decision

- added probe option to init script

- compress the Release-Notes

- Recommend clamav perl-spamassassin perl-ldap perl-Authen-SASL 

  perl-DBI and perl-Mail-ClamAV - they are needed just in 

  special cases

- use package names in PreReq

- split up amavisd-new-docs subpackage and package additional files

- dont create the vscan user in the build system (not needed)

- added amavisd-new-rpmlintrc

​

-------------------------------------------------------------------

Tue Oct 28 15:10:21 CET 2008 - varkoly@suse.de

​

- Require perl-Mail-DKIM

- (bnc#439292) - amavisd.conf comes with wrong path to clamd socket 

​

-------------------------------------------------------------------

Mon Sep  1 11:59:23 CEST 2008 - kukuk@suse.de

​

- Don't require unace, amavis does not know about it.

​

-------------------------------------------------------------------

Tue Aug 12 23:37:46 CEST 2008 - crrodriguez@suse.de

​

- fix init scripts 

​

-------------------------------------------------------------------

Tue Jul  1 08:27:11 CEST 2008 - varkoly@suse.de

​

- update to version 2.6.1

  BUG FIXES

  - avoid a bounce-killer's false positive when a message is multipart/mixed

    with an attached message/rfc822 (looking like a qmail or a MSN bounce)

    and having attached a message with a foreign Message-ID - by restricting

    the check to messages with an empty sender address or a 'postmaster' or

    'MAILER-DAEMON' author address;

  - privileges were dropped too early when chrooting, causing chroot to fail

  - fix unwarranted 'run_av error: Exceeded allowed time' error when using

    a virus scanned Mail::ClamAV;

  - fix a bug in helper-progs/amavis-milter.c where atoi could be reading

    from a non-null terminated string which could result in wrong milter

    return status, or even cause a read-access violation;

  - dsn_cutoff_level was ignored if SpamAssassin was not invoked (e.g. on

    large messages) even if recip_score_boost was nonzero, causing a DSN

    not to be suppressed for internally generated large score values;

  - add back the 'Ok, id=..., from MTA(...):' prefix to a MTA status responses

    on forwarded mail when generating own SMTP status response

  - replaced '-ErrFile=>*STDOUT' with '-ErrFile=>\*STDOUT' in a call to

    BerkeleyDB::Env::new in amavisd-nanny and amavisd-agent;

  NEW FEATURES

  - recognize an additional place-holder %P in a template used to build

    a file name in file-based quarantining.

​

-------------------------------------------------------------------

Fri Jun 27 16:26:11 CEST 2008 - varkoly@suse.de

​

- openldap do not contains /etc/openldap anymore

​

-------------------------------------------------------------------

Wed Jun 25 12:42:02 CEST 2008 - varkoly@suse.de

​

- update to version 2.6.0

  - integrated DKIM signing and verification

  - loading of policy banks based on valid DKIM-signed author's address

    can be used for reliable whitelisting, for bypassing banned checks, etc.

  - bounce killer feature: uses a pen pals SQL lookup to check inbound DSN;

  - SQL logging and quarantining tables have a new field 'partition_tag';

  - captures SpamAssassin logging, more flexibility specifying SA log areas;

  - collects and logs SpamAssassin timing breakdown report (requires SA 3.3);

  - releasing from a quarantine can push a released message to an attachment;

  - new experimental code for abuse reporting using formats: ARF/attach/plain;

  - TLS support on the SMTP client and server side;

  - connection caching by a SMTP client;

  - amavisd-nanny and amavisd-agent now re-open a database on amavisd restarts;

  - amavisd-nanny and amavisd-agent new command line option: -c count;

  - updated p0f-analyzer.pl to support source port number in queries;

  - amavisd can send queries either to p0f-analyzer.pl or directly to p0f;

​

-------------------------------------------------------------------

Thu Jun 21 10:10:24 CEST 2007 - varkoly@suse.de

​

- Bug 230822  Amavisd-release Misconfiguration

​

- update to version 2.5.1

​

SECURITY

​

- provides checking the number of archive members against $MAXFILES quota

  even when just listing an archive directory, providing some additional

  protection (besides a time limit) against runaway dearchivers

  (such as a recent Zoo archiver DoS);

​

- please use the most recent versions of file(1) utility (currently 4.21)

  and recent versions of external dearchivers/decoders to avoid known

  security vulnerabilities in them;

​

​

NEW FEATURES

​

- introduced a variation of a message release from a quarantine, allowing

  a releaser to choose between forwarding a message to the back-end MTA

  port as usual (avoiding re-checking of a message), or to send it to MTA

  on its incoming port (normally 25) and let the message be rescanned,

  which might be useful after adjusting spam rules or antivirus database.

​

  It is implemented by:

​

    * adding a configuration variable $requeue_method (also a member

      of policy banks), with a default value: 'smtp:[127.0.0.1]:25'

​

    * extending the AM.PDP protocol with a 'request=requeue' attribute

      which can be used in place of a 'request=release',

​

    * enhancing the 'amavisd-release' utility program to choose between

      sending 'request=release' and 'request=requeue' based on its

      program name, i.e. by making a soft or hard link to amavisd-release

      (or its copy) named 'amavisd-requeue', the utility will send

      a 'request=requeue' in place of the usual 'request=release', e.g.:

        # ln -s amavisd-release amavisd-requeue

        $ amavisd-requeue spam/k/kg2P0rP9Lpu3.gz

​

    * enhancing amavisd daemon to choose between forwarding a released

      message either to $release_method or to $requeue_method destination

      based on a 'request' attribute value in an AM.PDP request;

​

- new AV entry: ArcaVir for Linux and Unix, see below for links;

​

- a new macro 'supplementary_info' gives access to some additional information

  provided by content scanners, such as a provided by SpamAssassin API

  routine get_tag. The macro takes two arguments, the first is a tag name

  (a name of some attribute which is expected to provide an associated

  value), the second argument is a sprintf format string and is optional,

  if missing a %s is assumed. Currently the only available attributes are

  AUTOLEARN, SC, SCRULE, SCTYPE, and RELAYCOUNTRY. These are nonempty only

  when an associated SpamAssassin plugin or function is enabled.

​

BUG FIXES

​

- fixed quarantining to a SQL database of messages with a null envelope

  sender address (broken in 2.5.0, causing such messages to tempfail);

  reported by Markus Edholm, Vahur Jõlu and Michael Scheidell;

​

- fixed parsing of certain broken 'From' header fields, which would

  result in a temporary failure and the following logged error:

    check_init2 FAILED: parse_address_list PANIC1 53

      at /usr/local/sbin/amavisd line 3292

  reported by Michael Scheidell;

​

- avoid encoding nonprintable characters in X-Envelope-From and X-Envelope-To

  header fields in a quarantined message even if envelope mail addresses

  contain such invalid characters, so that a quarantine release is possible;

  (RFC 2047 allows encoding of a 'phrase' in From, To, and similar headers,

  as well as in comments, but not in the address specification);

​

- avoid unnecessarily RFC 2047 -encoding of 8-bit characters in those

  lines of inserted X-Spam-Report (and similar) multiline header fields

  which only contain ASCII characters; also avoid encoding of newlines;

  reported by Anant Nitya;

​

- properly recognize PostgreSQL error code 'S8006' and reconnect to

  a disconnected server right away; thanks to Brian Wong;

​

- call $mail_obj->finish after a SA call to allow for garbage collection

  and removal of SA temporary files;  see:

    http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5444

​

- avoid nonstandard SMTP status code 254 on discarded malware;

  on discarding turn status 554 into a 250 instead;  violation

  of a SHOULD in RFC 2822 pointed out by Alexander Bergolth;

​

- an informational log message was reported inappropriately:

    INFO: truncated ... header line(s) longer than 998 characters

  it didn't reflect reality, it was always reported together with the:

    INFO: unfolded 1 illegal all-whitespace continuation lines

​

- when a SMTP option BODY=8BITMIME (RFC 1652) is not given on mail

  reception, avoid turning it on while forwarding even if mail body

  contains 8-bit characters;  following a garbage-in-garbage-out

  principle, this doesn't break anything that isn't already broken,

  but might prevent later conversion to 7-bit quoted-printable MIME

  by some downstream MTA, possibly preventing signature invalidations

  (DKIM, S/MIME, PGP, ...) - at a risk that some overzealous firewall

  might block a mail transfer;

​

- fixed a couple of documentation typos/bugs in README.customize

  amavisd-new-2.5.0 release notes

​

COMPATIBILITY WITH 2.4.5

​

  The 2.5.0 is upwards compatible with 2.4.* versions. 

  Nevertheless, default notification and logging templates are

  enhanced to take advantage of new macros and new concepts,

  so it is prudent to update templates if defaults are overridden,

  e.g. $log_templ, $notify_*_admin_templ, ...

NEW FEATURES AT A GLANCE

​

- new concept: blocking contents category; 

- true per-recipient defanging/sanitation of a mail body (previously

  a true per-recipient handling was available for mail header edits,

  but not for mail body modifications);

- added interface code to invoke Anomy Sanitizer or the 'altermime' program

  allows defanging or adding disclaimers by external utilities on a

  per-recipient basis;

​

- rewritten SMTP client code: get rid of the troublesome module Net::SMTP;

  new code now supports pipelining, client-side LMTP, IPv6, Unix sockets,

  more reliable error handling, passes on ORCPT parameter, passes on ENVID

  parameter unmangled, is bare-CR-clean, tidier code (no workarounds for

  rough corners in Net::SMTP), fewer context switches (handshake handovers)

  due to pipelining if pipelining is offered by MTA (which usually is);

- makes available pedantically parsed addresses from a mail header:

  From, Sender, To, Cc.  Addresses from mail header may be needed for

  deciding on inserting disclaimers, signing mail (DKIM), custom hooks

  (like 'vacation'-type applications), and other future applications.

  Get rid of inexact parsing by module Mail::Address, provide own parser;

- phishing fraud as returned by ClamAV is now treated as spam, no longer

  as a virus;

- compatible with SpamAssassin 3.2.0;

- enhancements to amavisd-nanny: shows more detailed states of processes;

​

- enhancements to amavisd-agent: shows average processing times per message;

- extended AM.PDP protocol with an attribute 'policy_bank' which may be used

  in a client's request to require loading additional policy banks;

- add support for 7-Zip archives if external utility 7z is available;

​

- custom hooks allow custom code to be called at few strategic places;

- penpals can now also match replies which reference previous outgoing mail

  by its MessageID (taking into account References or In-Reply-To header

  field); 

​

- new key 'originating' in policy banks generalizes a MYNETS policy bank;

- a documentation rewrite for setting up amavisd-new with Postfix

  by Patrick Ben Koetter (one of the two authors of The Book of Postfix).

  Previous documentation has been renamed to README.postfix.old and will be

  removed in the next version; the new documentation is README.postfix.html,

  and its automatically converted plain text version is README.postfix.

​

BUG FIXES

​

- if a sender is both white- and black-listed at the same time, then

  inserted X-Spam-* header fields were inconsistent, e.g. X-Spam-Level,

  X-Spam-Flag and X-Spam-Status reflected a whitelisted status (no asterisks,

  not a spam), while X-Spam-Score showed 64 points; now whitelisting prevails

  in all X-Spam-* header fields;

​

- relax argument parsing in amavisd-release to allow releasing of

  quarantine id containing a body hash in a name (%b in template);

  reported by Ron Rademaker;

​

- skip a SQL-logging database operation if an associated clause in %sql_clause

  is disabled, e.g. set to undef or '';  this allows for example to selectively

  disable SQL logging based on a policy bank; thanks to Riaan Kok;

​

- let LHA decoder (do_lha) recognize also other listing formats, e.g. MS-DOS,

  symlinks, not just plain Unix archives; problem reported by Ryuhei Funatsu;

​

-------------------------------------------------------------------

Thu Mar  8 14:58:24 CET 2007 - varkoly@suse.de

​

- update to version 2.4.5

​

SECURITY

​

- Recommended version of Convert::UUlib is 1.08 or higher

  to avoid processing of uninitialized data containing 'random' garbage.

​

  Note that a security hole in uulib which comes with Convert::UUlib 1.04

  and older is now (as of 2006-12-05) known to be exploitable:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349

  credits to Jean-Sébastien Guay-Leroux;

​

- p0f-analyzer.pl will no longer reply to queries coming from low-numbered

  UDP ports below 1024 or from nfsd port 2049, and will ignore queries

  with nonce longer than 1024 character or containing characters outside

  of \040-\177 range to limit its usefulness as a potential reflector

  for an attacker from internal networks.

​

​

INCOMPATIBLE CHANGE WITH 2.4.4

​

- p0f-analyzer.pl now only binds to a loopback interface by default, instead

  of to all interfaces;  change $bind_addr in p0f-analyzer.pl to '0.0.0.0'

  if p0f-analyzer.pl is running on a different host from amavisd or from

  other querying clients; suggested by Shaun T. Erickson and Mario Liehr;

​

​

BUG FIXES

​

- let p0f-analyzer.pl exit when a pipe on stdin is closed (e.g. when p0f

  is killed or crashes), instead of entering a tight loop; reported by

  Justin Piszcz and Henrik Krohns;

​

- hard-blacklisting no longer skips quarantining when

  $spam_quarantine_cutoff_level is undefined (or is an empty string);

​

- restart timer after Sophie times out; previously the next attempt

  would run with no time limit; reported by Nick Leverton and

  Nicklas Bondesson;

​

- fixed AM.PDP code to always provide smtp-quoted form in angle brackets

  in delrcpt and addrcpt attributes of a response, i.e. in the same form

  as was received in sender and recipient attributes;

​

- fix error reporting in open_on_specific_fd when POSIX::dup2 fails;

  thanks to Chris (decoder);

​

- fix signal handling in read_snmp_variables() and register_proc(),

  a signal could previously get lost (not re-signaled) if it occurred

  within these subroutines;

​

- fixed get_body_digest which incorrectly determined 7- or 8-bitness

  of mail header and body, setting body_type incorrectly (with only

  cosmetic ill-effects);

​

- AM.PDP protocol: ensure proper address form is used in server response

  attributes 'delrcpt' and 'addrcpt': the same form should be used as

  in 'sender' and 'recipient' attributes. The attribute value syntax is

  specified in RFC 2821 as 'Reverse-path' (i.e. smtp-quoted form, enclosed

  in <>); previously enclosing angle brackets were missing in a server reply;

​

- documentation - amavisd.conf-default incorrectly stated that a default

  value for $prepend_header_fields_hdridx is 1;  actually the default is 0

  as correctly indicated in release notes; reported by Jo Rhett;

​

-------------------------------------------------------------------

Mon Nov 20 11:47:16 CET 2006 - varkoly@suse.de

​

- fixing bug 218230 - amavisd crashes on start 

​

-------------------------------------------------------------------

Fri Oct 20 11:13:22 CEST 2006 - varkoly@suse.de

​

- update to version 2.4.3 

​

BUG FIXES AND WORKAROUNDS

​

- fixed a bug (introduced with amavisd-new-2.4.0): when receiving mail

  from MTA through a LMTP protocol (not SMTP) and with D_BOUNCE as a

  final*destiny setting, a suppressed non-delivery notification (e.g.

  spam above cutoff_level) did not turn LMTP status into a success,

  so an undesired bounce was generated by MTA in a post-queue filtering

  setup, contributing to excessive bounce backscatter; reported by

  Michael Scheidell, thanks to Gary V for analysis;

​

- bug fix to amavisd-release: a regexp needs to be relaxed to allow

  quarantine names like Y/spam-Y5y7A3J5r2Ax.gz, reported by Rob Chanter;

​

- fix a bug in LDAP lookups which could lead to an infinite loop while

  expanding %m in the filter; reported by Petr Vokac;

​

- add "LOCAL_STATE_DIR => '/var/lib'" to the SA object initialization

  for versions of SA 3.1.4 or older, so that SpamAssassin would see

  additional rules provided by sa-update and placed to its default location;

  the SA 3.1.5 provides its own default so this becomes unnecessary;

​

- bug fix: don't reject mail when mail size restriction is in force,

  the limit is exceeded, and $final_destiny_by_ccat{+CC_OVERSIZED}

  is not D_REJECT;

​

- treat blacklisting like high spam score when considering suppressing

  quarantining (@spam_quarantine_cutoff_level_maps) or suppressing sending

  a DSN (@spam_dsn_cutoff_level_maps);

​

- calling do_quarantine() multiple times on the same message would accumulate

  header edits from each invocation, fixed;  (such situation can only happen

  with a modified program);

​

- when defanging mail or releasing mail from a quarantine, with a goal

  of not breaking DKIM Sender Signing Policy and DomainKeys policy,

  do not copy existing Sender header field to a new header, and insert

  our own Sender field (configurable by %hdrfrom_notify_recip_by_ccat);

​

  Note that dk-milter-0.4.1 (dk-filter) incorrectly signs mail released by

  amavisd from a quarantine - presence of X-Spam-* header fields preceded

  and followed by Received header fields makes dk-filter inappropriately

  reorder headers fields before signing. The dkim-milter works correctly.

  The bug has been reported, but has not yet been resolved at this time.

​

- explicitly set PerlIO layer to ":bytes" on a temporary file handle for

  email.txt (just in case); based on a problem report by Alexander Schäfer;

​

- in a string produced by a macro %c remove a decimal dot if score happens

  to be an integer;

​

- reduce $sa_mail_body_size_limit from 512 kB to 400 kB in amavisd.conf

  and amavisd.conf-sample for the time being, while the SA folks work

  on http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5041

  (MS Outlook Express seems to be chopping long mail in approx 500 kB chunks);

​

- another workaround for Perl taint bug: IO::Handle::_open_mode_string

  taints the $1 when mode string to IO::File::open is '+<', use O_RDWR

  instead; thanks to Ryan Frantz;

​

- abort if a specified syslog facility name is unknown, instead of

  switching to LOG_DAEMON as before;

​

- change the code which selects defanging so that defanging is triggered

  if any applicable contents category of a message chooses defanging;

  counterintuitive behaviour reported by Tapani Tarvainen;

​

- fix example in amavisd.conf-sample to use +CC_SPAM instead of CC_SPAM

  as a key to a hash, e.g. $final_destiny_by_ccat{+CC_SPAM}, otherwise Perl

  would implicitly turn CC_SPAM into a string when used in such a context.

​

  Note that any Perl expression syntax would do, as long as the argument

  does not look like a plain variable which receives implicit quoting;

  possibilities include $xx{&CC_SPAM}, $xx{+CC_SPAM}, $xx{CC_SPAM()},

  $xx{(CC_SPAM)} and similar; a more obvious &CC_SPAM is avoided because

  it prevents subroutine call inlining optimization in Perl;

​

- qmail: update amavisd-new-qmqpqq.patch to be compatible with Net::Server

  version 0.91 or later; thanks to mr from DBA Lab S.p.A.;

​

- AM.PDP protocol: change the order of attributes returned in an reply:

  delete and edit header fields before adding new header fields;

  problem of deleting just-inserted header fields in a sendmail milter

  setup reported by Petr Rehor;

​

- AM.PDP protocol change - with version 2 of the protocol the following

  changes to the protocol were made:

  * "version_server=2" is provided in a server response as the

    first attribute, older versions did not provide such attribute

    (assumed version on the server side was 1);

  * delheader and chgheader now stand in a response before insheader

    and addheader, assuming that milter MTA will execute these

    in the same order;

  * new attribute: "insheader=hdridx hdr_head hdr_body"

    (where hdridx as used by amavisd will always be 0 for now), making

    it possible to prepend header fields in a sendmail milter setup

    (instead of appending them, breaking compatibility with DomainKeys);

    problem noted by Adam Gibson and Petr Rehor;

  * new attribute: "quarantine=reason"

    place message on hold or to a quarantine maintained by MTA, and supply

    a reason text (e.g. client may call smfi_quarantine milter routine);

    For future use - it is currently (2.4.3 or earlier) never used.

​

- new feature: "pen pals soft-whitelisting" lowers spam score of received

  replies to a message previously sent by a local user to this address;

- new feature: added command line options to override certain configuration

  settings from a config file, see below;

- documentation bug fixes, especially on the use of SQL data type TIMESTAMP;

- zoo decoder interface routine can now use utility unzoo(1) or zoo(1);

​

- LDAP.schema: add missing LDAP attribute amavisSpamQuarantineCutoffLevel

  to the list of allowed attributes in objectclass amavisAccount;

  pointed out by Paolo Cravero;

​

​

-  Delivery status notifications (DSN) are now supported, both as a SMTP

  protocol extension and in notifications. Header fields like X-Amavis

  and X-Spam are now prepended to mail header for DomainKeys compatibility.

  Configuration variables can be chosen based on mail contents category,

  which is now represented explicitly. A built-in macro expander is enhanced,

  providing new macros and call types. Added support for passive operating

  system fingerprinting with the use of p0f, supplying collected information

  as a header field to SpamAssassin. Provide compatibility with Net::Server

  0.91 and later.

​

- fix insufficient sender address sanitation when storing quarantined or

  forwarded files as BSMTP files _and_ having a %s in the corresponding

  *_method template; potential security vulnerability (with limited scope)

  in versions of amavisd-new 2.3.1, 2.3.2 and 2.3.3 discovered by Thomas

  Jarosch;

​

- recognize result "ms-windows metafile" (or "ms-windows metafont") from a

  file(1) utility and provide short type 'wmf' for it; added two example

  rules to amavisd.conf (and amavisd.conf-sample) to block files containing

  Windows Metafiles, based on US-CERT Alert TA05-362A;

​

​

-------------------------------------------------------------------

Wed Jan 25 21:34:13 CET 2006 - mls@suse.de

​

- converted neededforbuild to BuildRequires

​

-------------------------------------------------------------------

Mon Aug 29 12:01:07 CEST 2005 - choeger@suse.de

​

- change clamav default setting from unix socket to tcp to be

  compliant with the default settings of the clamav package 

​

-------------------------------------------------------------------

Fri Aug 26 15:09:48 CEST 2005 - choeger@suse.de

​

- amavisd does not behave LSB conform with it's return codes of start and stop,

  so work around it in start and stop section of init script

- version 2.3.3 now requires uname(2) to return an FQHN, which isn't

  the case with SUSE Linux; work around it in %post

​

-------------------------------------------------------------------

Mon Aug 22 10:07:30 CEST 2005 - choeger@suse.de

​

- update to version 2.3.3

​

-------------------------------------------------------------------

Mon Jul  4 17:11:42 CEST 2005 - choeger@suse.de

​

- use RPM_OPT_FLAGS

​

-------------------------------------------------------------------

Wed Jun 29 14:38:08 CEST 2005 - choeger@suse.de

​

- update to version 2.3.2

​

-------------------------------------------------------------------

Tue May 10 09:40:43 CEST 2005 - choeger@suse.de

​

- update to version 2.3.1

​

-------------------------------------------------------------------

Mon Apr 25 09:35:49 CEST 2005 - choeger@suse.de

​

- update to version 2.3.0

​

-------------------------------------------------------------------

Thu Feb  3 10:02:55 CET 2005 - choeger@suse.de

​

- s/X-UnitedLinux-Should-Start/Should-Start/

​

-------------------------------------------------------------------

Mon Jan 24 12:35:58 CET 2005 - ro@suse.de

​

- removed arc dependency (deleted package) 

​

-------------------------------------------------------------------

Fri Jan 21 17:05:55 CET 2005 - choeger@suse.de

​

- update to version 2.2.1

​

-------------------------------------------------------------------

Wed Nov 24 10:27:23 CET 2004 - choeger@suse.de

​

- update to version 2.2.0

​

-------------------------------------------------------------------

Tue Oct  5 09:47:15 CEST 2004 - choeger@suse.de

​

- bugfix: untainting filename in unlink() in function

  files_to_scan(). Without untaint() amavisd-new will

  e.g. fail in case of a message with an attachment that

  has more than $MAXFILES files in it.

​

-------------------------------------------------------------------

Thu Sep 23 11:59:41 CEST 2004 - choeger@suse.de

​

- setting "$final_spam_destiny = D_PASS;" again

- changing /var/run/clamav/clamd to /var/lib/clamav/clamd-socket

​

-------------------------------------------------------------------

Wed Sep 15 18:21:48 CEST 2004 - choeger@suse.de

​

- HUPing no longer possible in version 2.1, using

  amavisd reload instead

​

-------------------------------------------------------------------

Tue Sep  7 10:50:57 CEST 2004 - choeger@suse.de

​

- update to minor maintenance release 2.1.2

  - fixed (hard)black- and white-listing on static lookup tables

    which failed to match any sender; reported by Derck Floor;

  - use $hdrfrom_notify_recip address in the From: field for recipient

    notifications, instead of $hdrfrom_notify_admin; inconsistency pointed out

    by Ekkehard Burkon;

  - the 'neutral' sender notification template was joining the Subject and the

    Message-ID header fields into one longer Subject when it was reporting some

    nondelivery other than the 'invalid characters in header'.  Likewise the

    first body line of this same DSN was eaten up: "This nondelivery report was

    generated by the amavisd-new program" (the problem was introduced in

    amavisd-new-20030616 and never reported);

  - in amavisd-agent, amavisd-nanny, amavisd: extend the signal and error

    handling in code sections holding bdb locks from just ignoring the SIGINT,

    to controlled catching and re-signaling several signals and error

    conditions; problem reported by Tom Mulder;

  - provide new macro %e which evaluates to our best guess of the originator IP

    address collected from the Received trace, complementing similar macros

    %t, %a and %g; suggested by Gregor Weiss;

  - add the result of macro %e to the default 0-level log entry;

​

​

-------------------------------------------------------------------

Thu Aug 26 14:08:32 CEST 2004 - choeger@suse.de

​

- uncomment $unix_socketname in amavisd.conf to be able to

  pipe into /usr/sbin/amavis, which needs to connect to

  $unix_socketname

​

-------------------------------------------------------------------

Thu Aug 26 11:06:43 CEST 2004 - choeger@suse.de

​

- Bugfix: amavisd 2.1.1 still announces itself as 2.1.0

​

-------------------------------------------------------------------

Wed Aug 25 16:58:10 CEST 2004 - choeger@suse.de

​

- update to latest version 2.1.1

- fixed specfile (now needs to additional directories %{avspool}/tmp

  and %{avspool}/db

- fixed hardcoded berkeleydb home path to /var/spool/amavis/db in

  amavisd-agent and amavisd-nanny 

- added perl-BerkeleyDB to Requires

​

-------------------------------------------------------------------

Tue Aug 17 17:39:39 CEST 2004 - choeger@suse.de

​

- update to latest version 2.1.0 (20040815)

​

-------------------------------------------------------------------

Mon Jun 28 10:36:00 CEST 2004 - choeger@suse.de

​

- Bugfix ID#42381 - amavisd-new reload/restart kills service

  chown logfile to $daemon_user when using file logging instead

  of syslog

- Bugfix ID#42223 - amavis-new spams mail.warn

  do not enable amavisd-new per default in sysconfig.amavis

​

-------------------------------------------------------------------

Mon Jun  7 15:12:33 CEST 2004 - choeger@suse.de

​

- added clamd to X-UnitedLinux-Should-Start in init-script

  (related to Bugzilla ID#41722)

​

-------------------------------------------------------------------

Fri Apr 23 13:54:27 CEST 2004 - choeger@suse.de

​

- Bugfix Bugzilla ID#39293, amavisd-new + bind9 cache

  When using rbl checks etc. in amavisd-new (/etc/amavsid.conf:

  $sa_local_tests_only = 0;   # (default: false)) amavis seems to check for a