Date: Mon, 19 Feb 2001 23:44:29 +0200 (IST)
From: Roman Shterenzon <roman@xpert.com>
To: Lars Hecking <lhecking@nmrc.ie>
Cc: <freebsd-security@freebsd.org>
Subject: Re: Announcement draft for amavisd
Message-ID: <Pine.LNX.4.30.0102192342380.17586-100000@jamus.xpert.com>
In-Reply-To: <20010219211540.A23910@nmrc.ie>
I hope that you don't mind if I forward it to the FreeBSD security list,
perhaps people will give it a try.
Unfortunately I don't have time for it now.

P.S. For those that don't know amavis - it's an antivirus program for SMTP
gateways. http://www.amavis.org/

On Mon, 19 Feb 2001, Lars Hecking wrote:

>
> Check this out before I throw it to the pack. Is anyone except Geoff
> and myself actually running amavisd?
>
> This will go to amavis-user, and a few selected newsgroups/mailing lists.
>
> >>
>
> We are looking for beta testers for amavis-perl before the next release.
>
> amavis-perl-11 represents the first major break in amavis development
> since amavis-perl was branched off: it now runs as a daemon process, and
> communicates with the MTA by means of a small client program, written
> in C. The daemonisation was performed by Geoff Winkless, who also wrote
> the sendmail milter interface for amavis-perl.
>
> This version is not a drop-in replacement for scanmails or amavis-perl.
> There are known issues (see below), and it would be ideal if the
> people testing it don't mind hacking a line of code or two if necessary.
> Familiarity with amavis-perl is also a big plus.
>
> As the documentation hasn't been updated yet, this post is the only
> available document on how to set up and configure amavisd. It is
> probably incomplete. Nevertheless, read all of it, especially the known
> bugs section, before proceeding!
>
> Feedback should go to amavis-dev@amavis.org.
>
> getting it
> ----------
>
> Anonymous CVS
>
>   cvs -d:pserver:anonymous@cvs.amavis.sourceforge.net:/cvsroot/amavis login
>
> When prompted for a password for anonymous, simply press the Enter key.
>
>   cvs -z3 -d:pserver:anonymous@cvs.amavis.sourceforge.net:/cvsroot/amavis \
>     co -r amavisd amavis
>
> If people have problems with cvs, I could be talked into producing a
> snapshot archive.
>
> configure and build it
> ----------------------
>
> See ./configure --help for available configure options. A brief description
> of these options is in INSTALL (which is up to date, incidentally).
>
> To allow testing under a non-privileged user id, I recommend something like
> --with-runtime-dir=/tmp/amavis. The directory must exist before you run
> amavis. I also recommend --disable-syslog to avoid cluttering the system
> logs while testing.
>
> For sendmail milter, you need --enable-milter. See README.milter, too.
> NB: There are two client programs, one for milter (amavis-milter), and
> one for all other configs (amavis).
>
> For the config file to install under /etc, use --sysconfdir=/etc.
>
> When configure is finished, inspect the configure report to see whether
> the software was configured the way you want. After that, a simple
> "make" should do.
>
> DISCLAIMER:
> Don't run the software on a production machine before you've tested it.
> You risk loss of email, floods, mud slides, nuclear war. The Shrike may
> appear and stick all PHB's on the Tree of Pain (you wish ...).
>
> install it (not strictly required for testing)
> ----------
>
> amavisd and amavis (or amavis-milter) live in /usr/sbin. The daemon config
> file is /etc/amavisd.conf.
>
> The "real" runtime-dir (/var/amavis by default) must exist before running
> amavis. It should be chmod'd 0700 and chown'd by the user id amavis daemon
> and client run as.
>
> "make install" should take care of setting up everything correctly, but
> it must be run as root (chown stuff), which is not required for testing.
>
> post-install configuration
> --------------------------
>
> Ideally, it should not be necessary to make any changes in the daemon
> (except for testing, see below).
>
> IMPORTANT: the MTA now interfaces with the client instead of amavisd.
> Client synopsis:
>
>   amavis sender recipient [recipient ...] [-- lda [lda-args]]
>
> This is where the documentation is not up to date: your MTA configuration
> must be changed to match the above!
>
> The lda part is only relevant if you use sendmail and replace Mlocal
> with amavis. In this configuration, the A equate changes to
>   A=amavis $f $u -- /bin/mail.local -d $u
> I have no idea whether this works properly with "m" in the F equate
> (it could :)
>
> For postfix (master.cf entry)
>   ... user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
> ie. drop the -f before $sender if present.
>
> For exim, drop the -f/-d flags.
>
> testing
> -------
>
> amavis-perl-11 sports vastly improved debugging and logging facilities.
> The do_debug function is gone, it was integrated into do_log.
>
> - all runtime files are generated under the same directory (the one
>   configured with --with-runtime-dir=DIR): socket, log file, temporary
>   scan directories
> - logging goes to syslog or to DIR/amavis.log; if $DEBUG is yes, logging
>   goes to stdout!
> - the amount of information logged is controlled by $log_level in the
>   config file
>
> The test suite is disabled; I haven't found a good way yet to make it
> work. Some simple tests can be run out of the source directory without
> actually installing the software.
>
> Edit amavisd and set $DEBUG and $TESTING to yes. Set the path to the
> config file to Source_Dir/amavis/amavisd.conf. Edit this config file
> and set $log_level to 5.
>
> Now you can run some simple tests. For convenient viewing, daemon and
> client should be running in separate windows/vc's.
>
> - start the daemon; it should print a startup message and some lines
>   about socket setup
> - run the client:
>
>   amavis sender recipient <test-message
>
>   and a bunch of logging messages should appear in the daemon window.
>
> known bugs
> ----------
>
> o qmail is not supported by the client; patches are welcome (I _think_
>   all that is needed is code to read sender and recipients from stdout)
> o the test suite is disabled
> o the documentation is not up to date
> o daemon issues:
>   - it doesn't detach itself from the terminal (yet)
>   - it doesn't clean up on exit (doesn't remove the socket)
>   - it needs a SIGHUP handler to re-read the config file (the one I wrote
>     kills the daemon, flat ...)
>   - on some systems, notably Solaris, /usr/include/sys/socket.h:SOMAXCONN
>     is awfully small. If the mail logs show a lot of deferrals ("failed to
>     connect()"), you may need to replace SOMAXCONN in amavisd with a higher
>     value; but you still should remain within the limits set by the OS
>     (I'm not terribly sure, but I think on Solaris the max values are:
>     ndd /dev/tcp tcp_conn_req_max_q and tcp_conn_req_max_q0).
>     HP-UX may be another candidate. DU/Tru64, Irix, Linux, the *BSDs
>     should be OK.
>
> new features (relative to amavis-perl-10)
> ------------
>
> o support for sendmail milter (by Geoff Winkless)
> o support for Command AntiVirus (CSAV) for Linux (by Jeffrey C. Ollie)
> o many small bug fixes and improvements; a big Thanks! to all who
>   contributed via amavis-user and our web pages at SourceForge.
> o performance :-)
>   - it is slightly faster than amavis-perl-10 (on my test machine, up
>     to 30%)
>   - memory usage is reduced significantly, especially if many mails are
>     scanned in parallel
>   - not really a useful metric, but I have observed that cpu load is
>     reduced by up to 67%, again for the case of many parallel scans
>
>

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
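
Added example, not part of the original message or of the amavis distribution: a preflight check for the runtime-directory requirement quoted above (exists, mode 0700, owned by the uid the daemon and client run as), plus a listing of sockets left behind by the cleanup bug in the known-bugs list. The function names and the account name "amavis" are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the amavisd runtime directory.
# From the announcement: the directory must exist before the daemon starts,
# be mode 0700, and be owned by the uid that daemon and client run as.

# check_runtime_dir DIR UID -> returns 0 if DIR meets the requirement.
# Each problem is reported on stderr.
check_runtime_dir() {
    dir=$1 want_uid=$2 rc=0
    if [ -L "$dir" ]; then
        echo "$dir: is a symbolic link, not a real directory" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: missing; create it before starting amavisd" >&2
        return 1
    fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
    # Only the first 10 characters are kept so an ACL marker is ignored.
    info=$(ls -ldn "$dir" | awk '{ print substr($1, 1, 10), $3 }')
    mode=${info% *}
    uid=${info#* }
    if [ "$mode" != "drwx------" ]; then
        echo "$dir: mode $mode, expected drwx------ (chmod 0700)" >&2
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owner uid $uid, expected $want_uid (chown)" >&2
        rc=1
    fi
    return "$rc"
}

# leftover_sockets DIR -> prints any socket files found under DIR.
# The known-bugs list says the daemon does not remove its socket on exit,
# so a socket present while no daemon is running is stale.
leftover_sockets() {
    find "$1" -type s -print 2>/dev/null
}

# Typical call; the account name "amavis" is an assumption:
#   check_runtime_dir /var/amavis "$(id -u amavis)" && leftover_sockets /var/amavis
```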