
amavisd-new

amavisd-new is a high-performance interface between a mailer (MTA) and content checkers: virus scanners, and/or SpamAssassin. It is written in Perl for maintainability, without paying a significant price in speed. It talks to the MTA via (E)SMTP or LMTP, or by using helper programs. Best with Postfix, fine with a dual-sendmail setup and Exim v4, works with sendmail/milter, or with any MTA as an SMTP relay. For Courier and qmail MTA integration there is a patch in the distributed package.

Introduction

amavisd-new is a high-performance and reliable interface between a mailer (MTA) and one or more content checkers: virus scanners, and/or the Mail::SpamAssassin Perl module. It is written in Perl, ensuring high reliability, portability and maintainability. It talks to the MTA via (E)SMTP or LMTP protocols, or by using helper programs. The design has no timing gaps that could cause mail loss.

It is normally positioned at or near a central mailer, not necessarily where users' mailboxes are and final delivery takes place. If looking for a per-user, low-message-rate solution to be placed at the final stage of mail delivery (e.g. called from procmail or in place of a local delivery agent), other solutions may be more appropriate.

When calling Mail::SpamAssassin (SA) is enabled, amavisd-new calls SA only once per message regardless of the number of recipients, and tries very hard to correctly honour per-recipient preferences, such as pass/reject, check/nocheck, spam levels, and inserting spam-related mail header fields.

amavisd-new benefits from the use of the Perl module Net::Server, which offers fast pre-forked multi-child process control. amavisd-new provides an rfc2821-compliant SMTP server and client, an rfc2033-compliant LMTP server and client, and generates rfc3462/rfc3464-compliant (formerly rfc1892/rfc1894) delivery (and non-delivery) status notifications.

This makes it suitable for mail anti-virus and/or anti-spam checking on busy mail gateways that care about reliability and standards compliance.

amavisd-new grew out of amavisd(-snapshot) (which in turn is a daemonized version of amavis-perl), but through five years of development turned into a separate product, hardly resembling its origin. The code is several times the size of its predecessor, yet faster in throughput, richer in features and compliant with standards; it includes optional support for spam detection, and makes virus scanning optional and easier to adjust or extend. Compatibility with helper programs from amavisd(-snapshot) is retained.

All modifications since the original amavisd were done by Mark Martinec, with contributions of ideas, patches and reports from the amavis-users mailing list community and individuals.

News

2014-09-29: amavisd-new-2.10.0-rc1.tar.xz release

Old News

2014-06-27: amavisd-new-2.9.1.tar.xz release

2014-05-09: amavisd-new-2.9.0.tar.xz release

2014-05-07: amavisd-new-2.9.0-rc2.tar.bz2 release candidate

2013-09-04: amavisd-new-2.8.2-rc1.tar.bz2 release candidate (never released)

2013-06-28: amavisd-new-2.8.1.tar.gz released

2013-04-27: amavisd-new-2.8.1-rc1.tar.gz release candidate

2012-06-30: amavisd-new-2.8.0.tar.gz has been released

2012-06-30: amavisd-new-2.7.2.tar.gz has been released, it is a bug-fix update over 2.7.1

2012-05-22: amavisd-new-2.8.0-pre7.tar.gz is a preview of the next release

2012-04-29: amavisd-new-2.7.1.tar.gz has been released, it is a bug-fix update over 2.7.0

2012-04-29: amavisd-new-2.8.0-pre6.tar.gz is a preview of the next release

2012-04-10: amavisd-new-2.7.1-rc1.tar.gz is a release candidate for a bug-fix update on 2.7

2012-03-09: amavisd-new-2.8.0-pre4.tar.gz is a preview of the next release

2011-07-01: amavisd-new-2.7.0.tar.gz is a long-awaited features release

2011-05-19: amavisd-new-2.6.6.tar.gz is a maintenance update of a 2.6 branch, backporting all bug fixes from the 2.7.0-pre* development cycle

2011-05-18: amavisd-new-2.7.0-rc1.tar.gz pre-release

2011-03-07: The mailing list has been moved from SourceForge to amavis.org. The new posting address is amavis-users@amavis.org. Only posts from subscribed members are accepted, as before. The announcement is archived at http://lists.amavis.org/pipermail/amavis-users/2011-March/000005.html. The MARC archive of the previous mailing list continues to follow the new list; other third-party archives are no longer being updated.

2011-05-13: amavisd-new-2.6.6-rc1.tar.gz is a maintenance update of a 2.6 branch, backporting all bug fixes from the 2.7.0-pre* development cycle

2011-04-12: amavisd-new-2.7.0-pre15.tar.gz pre-release

2011-04-07: amavisd-new-2.6.5.tar.gz is a maintenance update of a 2.6 branch, backporting all bug fixes from the 2.7.0-pre* development cycle

2011-04-02: amavisd-new-2.6.5-rc2.tar.gz release candidate

2011-03-31: amavisd-new-2.6.5-rc1.tar.gz release candidate

2011-02-03: amavisd-new-2.7.0-pre14.tar.gz pre-release

2011-01-25: amavisd-new-2.7.0-pre13.tar.gz pre-release

2010-12-24: amavisd-new-2.7.0-pre12.tar.gz pre-release

2010-12-18: amavisd-new-2.7.0-pre11.tar.bz2 pre-release

2010-11-15: amavisd-new-2.7.0-pre9.tar.gz pre-release

2010-10-28: amavisd-new-2.7.0-pre8.tar.gz pre-release

2010-08-31: amavisd-new-2.7.0-pre7.tar.gz pre-release

2010-06-03: amavisd-new-2.7.0-pre5.tar.gz pre-release

2010-04-25: amavisd-new-2.7.0-pre4.tar.gz pre-release

2009-06-25: amavisd-new-2.6.4.tar.gz released

2009-06-19: amavisd-new-2.6.4-rc2.tar.gz release candidate

2009-06-12: amavisd-new-2.6.4-rc1.tar.gz release candidate

2009-04-22: amavisd-new-2.6.3.tar.gz released

2009-04-18: amavisd-new-2.6.3-rc2.tar.gz release candidate

2009-04-15: amavisd-new-2.6.3-rc1.tar.gz release candidate

2008-12-15: amavisd-new-2.6.2.tar.gz released

2008-12-06: amavisd-new-2.6.2-rc2.tar.gz release candidate

2008-11-20: amavisd-new-2.6.2-rc1.tar.gz release candidate

2008-11-14: amavisd-new-2.6.2-pre1.tar.gz pre-release

2008-06-29: amavisd-new-2.6.1.tar.gz released

2008-06-24: amavisd-new-2.6.1-rc1.tar.gz release candidate

2008-04-23: amavisd-new-2.6.0.tar.gz has been released

2008-04-19: amavisd-new-2.6.0-rc2.tar.gz release candidate

2008-03-19: amavisd-new-2.6.0-rc1.tar.gz release candidate

2008-03-12: amavisd-new-2.5.4.tar.gz maintenance version

2007-12-30: amavisd-new-2.6.0-pre3.tar.gz pre-release

2007-12-12: amavisd-new-2.5.3.tar.gz maintenance version

2007-06-27: amavisd-new-2.5.2.tar.gz

2007-05-31: amavisd-new-2.5.1.tar.gz

2007-05-23: A security vulnerability in the file(1) utility version 4.20 has been found. Note that this is not the same issue as CVE-2007-1536. The problem is fixed in version 4.21. This program is used by amavisd-new even when virus scanning is disabled, so it is heartily recommended to use the most recent version (currently 4.21), available from ftp://ftp.astron.com/pub/file.

See the FreeBSD-SA-07:04 security advisory which applies to a file(1) utility distributed with the operating system.

2007-04-23: amavisd-new-2.5.0.tar.gz

2007-03-22: An exploitable security problem in the file(1) utility version 4.19 and older has been found by Jean-Sébastien Guay-Leroux. The problem is fixed in version 4.21 (partly fixed in 4.20). This program is used by amavisd-new even when virus scanning is disabled, so it is heartily recommended to use the most recent version (currently 4.21), available from ftp://ftp.astron.com/pub/file.

2005-06-24: MailZu is a quarantine management interface for amavisd-new, created by Samuel Tran and Brian Wong (beware, the domain MailZu.net no longer belongs to the project!)

Security warning

amavisd-new uses several external programs and Perl modules for its operation. If there are security vulnerabilities in them, the whole setup might be affected. The possible damage is limited to what a non-privileged UID can accomplish in normal setups, and can be further limited using a chroot setup. Please see the Security considerations section below for additional information.

It is always a good idea to use fairly recent versions of external programs and external Perl modules. Some of the noteworthy known security problems are:

utility program file(1):
An exploitable security problem in version 4.19 and older has been found by Jean-Sébastien Guay-Leroux, and a similar security problem in 4.20 was found by Colin Percival. The problem is fixed in file(1) version 4.21. This program is used by amavisd-new even when virus scanning is disabled, so it is heartily recommended to use the most recent version (currently 4.21), available from ftp://ftp.astron.com/pub/file.
uulib:
An exploitable integer overflow leading to a buffer overflow was discovered in versions of uulib as distributed with Perl module Convert::UUlib older than version 1.05. Please use the most recent version of this module, which at the time of writing is 1.06. CVE-2005-1349
LHa dearchiver:
LHa buffer overflow and directory traversal problems were described on the [Full-Disclosure] mailing list. Please use the patched version, or the latest version if available for your OS.
zoo:
Stack-based exploitable buffer overflow in the fullpath function in misc.c for Zoo 2.10 and earlier: CVE-2006-0855
Zoo file decompression infinite loop DoS (zoo 2.10, unzoo.c): CVE-2007-1669, CVE-2007-1673, zoo advisory 2007-05-04

The use of each external decoding program can be disabled in file amavisd.conf by removing entries from the list @decoders, or in older versions of amavisd-new by removing the assignment to the corresponding variable (e.g. $lha, $unarj, $unrar, $zoo, ...) or setting it to undef, or simply by not having the named external program present in the $path.

Download

Home web site in Slovenia (at J. Stefan Institute):
=> http://www.ijs.si/software/amavisd/
Mirror web site in Denmark (courtesy of catpipe Systems ApS):
=> http://mirrors.catpipe.net/amavisd-new/
Mirror web site in Sweden (courtesy of Mainloop, Stockholm):
=> http://mirror.mainloop.se/amavisd/
Mirror web site in France/Paris (courtesy of Cádrat Net):
=> http://mirror.cedratnet.com/amavisd-new/
Mirror web site in the Netherlands/Hilversum (courtesy of Publieke Omroep Internet Services):
=> http://mirror.omroep.nl/amavisd-new/
Mirror web site in Germany (courtesy of German Postfix Community):
=> http://amavisd.de.postfix.org/

Most recent versions

amavisd-new-2.10.0-rc1.tar.xz (tar.xz md5)
A release candidate for the coming version, please see RELEASE NOTES
amavisd-new-2.9.1.tar.xz (tar.xz md5); or bz2
Most recent stable major release, please see RELEASE NOTES
amavisd-new-2.8.1.tar.gz (gz md5 sum); or xz, bz2
Previous release
amavisd-new-2.8.0.tar.gz or amavisd-new-2.8.0.tar.xz (gz md5 sum).
Old major release
amavisd-new-2.7.2.tar.gz or amavisd-new-2.7.2.tar.xz (gz md5 sum).
Old major release
amavisd-new-2.6.6.tar.gz (md5 sum).
Old major release

The most recent stable version is also accessible through a soft link at: http://www.ijs.si/software/amavisd/amavisd-new.tar.gz

Announcements about new releases are posted on the amavis-users mailing list, and on the Freshmeat project page, which also accepts subscriptions to announcements.

All versions

For a web-browsable Mercurial repository of all the past versions of amavisd, reaching all the way back to the origins of the project (AMaViS, amavis-perl, amavisd-snapshot, amavisd-new), please see http://mirrors.catpipe.net/amavisd-new/hgweb/, maintained by Phil Regnauld (of catpipe.net).

amavisd-new-2.8.1.tar.gz or amavisd-new-2.8.1.tar.xz (also known as amavisd-new-20130628) (gz md5 sum).
amavisd-new-2.8.0.tar.gz or amavisd-new-2.8.0.tar.xz (also known as amavisd-new-20120630) (gz md5 sum).
amavisd-new-2.7.2.tar.gz or amavisd-new-2.7.2.tar.xz (also known as amavisd-new-20120629) (gz md5 sum).
amavisd-new-2.7.1.tar.gz or amavisd-new-2.7.1.tar.xz (also known as amavisd-new-20120429) (gz md5 sum).
amavisd-new-2.7.0.tar.gz or amavisd-new-2.7.0.tar.xz (also known as amavisd-new-20110701) (gz md5 sum)
amavisd-new-2.6.6.tar.gz (also known as amavisd-new-20110518) (md5 sum)
amavisd-new-2.6.5.tar.gz (also known as amavisd-new-20110407) (md5 sum)
amavisd-new-2.6.4.tar.gz (also known as amavisd-new-20090625) (md5 sum)
amavisd-new-2.6.3.tar.gz (also known as amavisd-new-20090422) (md5 sum)
amavisd-new-2.6.2.tar.gz (also known as amavisd-new-20081215) (md5 sum)
amavisd-new-2.6.1.tar.gz (also known as amavisd-new-20080629) (md5 sum)
amavisd-new-2.6.0.tar.gz (also known as amavisd-new-20080423) (md5 sum)
amavisd-new-2.5.4.tar.gz (also known as amavisd-new-20080312) (md5 sum)
amavisd-new-2.5.3.tar.gz (also known as amavisd-new-20071212) (md5 sum)
amavisd-new-2.5.2.tar.gz (also known as amavisd-new-20070627) (md5 sum)
amavisd-new-2.5.1.tar.gz (also known as amavisd-new-20070531) (md5 sum)
amavisd-new-2.5.0.tar.gz (also known as amavisd-new-20070423) (md5 sum)
amavisd-new-2.4.5.tar.gz (also known as amavisd-new-20070130) (md5 sum)
amavisd-new-2.4.4.tar.gz (also known as amavisd-new-20061120) (md5 sum)
amavisd-new-2.4.3.tar.gz (also known as amavisd-new-20060930) (md5 sum)
amavisd-new-2.4.2.tar.gz (also known as amavisd-new-20060627) (md5 sum)
amavisd-new-2.4.1.tar.gz (also known as amavisd-new-20060508) (md5 sum)
amavisd-new-2.4.0.tar.gz (also known as amavisd-new-20060402) (md5 sum)
amavisd-new-2.3.3.tar.gz (also known as amavisd-new-20050822) (md5 sum)
amavisd-new-2.3.2.tar.gz (also known as amavisd-new-20050629) (md5 sum)
amavisd-new-2.3.1.tar.gz (also known as amavisd-new-20050509) (md5 sum)
amavisd-new-2.3.0.tar.gz (also known as amavisd-new-20050424) (md5 sum)
amavisd-new-2.2.1.tar.gz (also known as amavisd-new-20041222) (md5 sum)
amavisd-new-2.2.0.tar.gz (also known as amavisd-new-20041102) (md5 sum)
amavisd-new-2.1.2.tar.gz (also known as amavisd-new-20040906) (md5 sum)
amavisd-new-2.1.1.tar.gz (also known as amavisd-new-20040824) (md5 sum)
amavisd-new-2.1.0.tar.gz (also known as amavisd-new-20040815) (md5 sum)
amavisd-new-20040701.tar.gz (also known as amavisd-new-2.0) (md5 sum)
amavisd-new-20030616-p10.tar.gz (md5 sum)
amavisd-new-20030314-p2.tar.gz (md5 sum)
amavisd-new-20021227-p2.tar.gz (md5 sum)
amavisd-new-20021116.tar.gz (md5 sum)
(a new features release, its mandatory patches: p1, p2, p3, p4, p5)
amavisd-new-20020630.tar.gz (md5 sum)
(mostly a development and new features release)
amavisd-new-20020517.tar.gz (md5 sum)
(first version with SpamAssassin (optional) support)

Ports and Packages

There are some packaged versions available, provided and supported only by their respective authors/maintainers. Some are recent and updated frequently, others are pretty much out of date.

FreeBSD port
in the System security software ports section (/usr/ports/security/amavisd-new), maintained by Michael Scheidell and Gábor Kövesdán. The latest port is based on amavisd-new-2.7.0;
NetBSD port
wip/amavisd-new has been moved to pkgsrc as security/amavisd-new, maintained by Julian C. Dunn, based on amavisd-new-2.7.0;
OpenBSD port
in the mail software ports section (/usr/ports/mail/amavisd-new), maintained by Giovanni Bechis. The latest port is based on amavisd-new-2.7.0;
OpenPKG RPM
cross-platform RPM-based Unix software packaging; current: ftp://ftp.openpkg.org/current/SRC/ is based on amavisd-new-2.6.4, CVS directory: http://cvs.openpkg.org/dir?d=openpkg-src/amavisd
Solaris CSW package
by Ihsan Dogan, available at http://www.opencsw.org/packages/amavisd_new is based on 2.6.4
Linux: Red Hat/Fedora Apt RPM packages amavisd-new
by Dag Wieërs, available at http://dag.wieers.com/packages/amavisd-new/; based on 2.6.6
Linux: Fedora RPMS/SRPMS amavisd-new
by Lukasz Trabinski, available at ftp://ftp.wsisiz.edu.pl/pub/Linux/rpms/Fedora-9/amavisd-new/; based on 2.6.1
Linux: SuSE RPM
available at ftp://ftp.norrbring.com/pub/linux/inst-source/, provided by Anders Norrbring, Norrbring Consulting; based on version 2.5.2
Linux: Gentoo ebuild
in the net-mail category (/usr/portage/net-mail/amavisd-new). The latest 'unstable' ebuild is maintained by Christian Zoffoli, Sune Kloppenborg Jeppesen and other contributors;
Linux: Debian package amavisd-new
maintained by Henrique de Moraes Holschuh and Brian May, available at: http://packages.debian.org/sid/amavisd-new; based on 2.6.4;
Linux: Mandriva Linux
by Giuseppe Ghibò, available at Mandriva Linux SRPMS as amavisd-new-*mdk.src.rpm; see also http://www.joeghi.com/amavisd-new/; based on 2.6.3

There may be other packaged versions around; please let me know.

Note that packaged versions may not be based on the most recent version of amavisd-new.

Documentation

Besides this web page at http://www.ijs.si/software/amavisd/ (or mirrors), and the assorted bits and pieces of new documentation, the following files comprise the amavisd-new documentation. The web page documents may be more recent than the documentation distributed with the program.

How-to

Support

Check the amavis-users mailing list. Its archives are at http://lists.amavis.org/pipermail/amavis-users, and at the MARC archive: http://marc.theaimsgroup.com/?l=amavis-user. Other third-party archives are no longer updated: http://groups.google.com/group/mailing.unix.amavis-user/topics?lnk=srg

For questions about packaged versions please contact their maintainers and/or their bug-tracking mechanisms.

Contributed and related software

amavisd-milter (by Petr Rehor)
is a sendmail milter for amavisd-new version 2.2.0 and above, which uses the new AM.PDP protocol;
policyd v2 (by Nigel Kukard)
version 2 of policyd allows integration with amavisd-new by overriding policy banks just before processing, and allows finer-grained control of the policy banks;
MailZu (by Samuel Tran, Brian Wong, and others)
is a simple and intuitive quarantine management interface for amavisd-new; (beware, the domain MailZu.net no longer belongs to the project!) at SourceForge;
Artica for Postfix (by David Touzeau)
a full Postfix Management console;
Modoboa (formerly named MailNG), by Antoine Nguyen
web-based interface and management system for virtual domains hosting, with a module to handle amavisd-new SQL quarantine;
Zentyal (formerly eBox Platform)
a Linux Small Business Server that integrates Amavisd-new in the mailfilter module;
wblist (by James Bourne)
is a web based interface to the amavisd-new SQL-based policy database, allowing users to edit their white-/black- list;
myAmavis (by Stefan Palme)
is a web frontend for the SQL database that can be used by amavisd-new for policy lookup and storage;
Maia Mailguard (by Robert LeBlanc)
is a web-based interface and management system for amavisd-new. Written in Perl and PHP, Maia Mailguard gives end-users control over how their mail is processed by virus scanners and spam filters, while giving mail administrators the power to configure site-wide defaults and limits;
Horde SAM (by Max Kalika)
is a per-user SpamAssassin, whitelist and blacklist manager which now has native support for amavisd-new policies and attributes stored in an SQL server;
AmavisNewSQL is a SquirrelMail Plugin project (by Jared Watkins)
It lets users change a pre-defined set of SpamAssassin settings when those settings are stored in a SQL database rather than a config file. It also allows you to use a quarantine database for questionable email messages. It was designed with enterprise use in mind, and differs from already existing plugins in that it works with amavisd-new rather than SpamAssassin directly.
WebAvis (by Jérôme Schell)
is a Web frontend to amavisd-new written in PHP. It allows owners of a mail account to manage their amavisd-new parameters, like spam scores, white/black lists and filter behavior;
PostVis Admin (by Roger Smith)
is an easy to use administration tool written in PHP for amavisd-new and Postfix. The main backend is MySQL for quarantine and user management;
OpenVISP Admin (by Xavier Beaudouin)
is a fork of Postfix Admin (PHP-based) that handles some amavisd-new options and greylisting through SQL database;
ClamAV webmin module
includes an interface to the amavis quarantine to search/view/delete/re-inject virus infected and spam-tagged mail;
quarReminder (by BJ Dierkes)
is a small PHP program that queries an amavisd-new SQL database and sends a list of messages in quarantine to email users;
process_bsmtp.pl (by Peter Collinson)
feeds quarantined messages (in BSMTP format) to SQL database;
logwatch modules (by Mike Cappella)
parses amavisd-new and Postfix logs, producing reports;
amavis-stats (originally written by Mark Lawrence, since 0.1.14 c/o Dale Walsh)
is a simple statistics generator based on rrdtool. It produces graphs of infections from amavisd-new log entries broken down by virus. The RRD files are created and updated by a perl script, graphs are generated by a php script.
amavis-blocked (by Uwe S. Fuerst)
a log file parser for amavisd-new 2.x, written in Perl
mailgraph (David Schweikert and others)
collects data (into RRD) and plots virus and spam blocked by amavisd-new;
OpenVISPStats (a.k.a. OVS) (by Xavier Beaudouin)
is a fork of MailGraph and Couriergraph; collects data (into RRD) and plots charts;
amavistat-new (by Marcus Schopen)
is a modification of AmaviStats (by Heath Robinson) to work with amavisd-new.
amavislogsumm (by Stefan Jakobs, updated version of amavislogsumm based on earlier work by Matt Egan, originally by Sascha Hüdepohl)
analyse amavisd-new logfiles
PheTail (apparently no longer available on-line, here is the phetail-0.1.tar.gz), (by Jesper Nøhr)
continuously parses amavisd-new log file (tail) and feeds information about encountered viruses and spam into SQL database
ClamAV
Clam AntiVirus - an open source AV scanner
Sophie (by Vanja Hrustic, maintained by Richard Baldry)
daemonised Sophos virus engine

Features

-- general

-- performance

-- interfaces to MTA

-- user individuality, quarantine

-- anti-virus

-- anti-spam

-- other

Tips and FAQ

Tips and FAQ -- troubleshooting and reporting problems

Tips and FAQ -- general

Tips and FAQ -- mail transfer agents (MTA)

Tips and FAQ -- virus scanners

Tips and FAQ -- spam scanners (Mail::SpamAssassin)

Tips and FAQ -- Net::Server

Security considerations

Security considerations for the host running amavisd-new

amavisd-new accepts mail from the MTA, may call external Perl modules and may fork external programs to decompress and decode the message and classify its content; the checked mail is then either passed to the MTA for delivery, or rejected and quarantined.

Any component of a program that comes in contact with unpredictable and possibly malicious mail/document content must be careful not to let the content have any uncontrolled effect on the operation of the program, or its environment.

amavisd-new is written entirely in Perl, with Perl taint mode checking enabled. This in itself is a strong argument that the processing within amavisd-new (and the Perl modules it calls) is not likely to be subject to buffer overruns, stack smashing, and other problems that are a common source of security problems in programs written in languages like C.

Information coming from the external world, like SMTP envelope information, mail header and body contents, suggested MIME file names, etc., is only used by amavisd-new for operations that do not influence the program environment. For example, names of created temporary files are internally generated and do not depend on file names suggested in MIME headers. Mail addresses or other tainted information are never passed through a shell to an external program.

The external Perl modules called by amavisd-new have not been thoroughly screened for possible security implications. They still benefit from the Perl environment, and the Perl taint mode checking is not turned off even when other Perl modules are executing, including SpamAssassin if enabled (which is a relatively complex piece of software). Perl modules that deal with decoding and checking of mail contents may be targets of malicious mail content, especially if they include code written in C, like decoding and uncompressing libraries, e.g. zlib and uulib/uudeview (Convert::UUlib).

External programs that get forked from amavisd-new to perform some decoding/uncompressing or classifying task are the greatest potential threat to the safe operation of the host running amavisd-new. Some of the programs used to decode certain archive formats are quite complex, old or poorly maintained, and/or written by less security conscious authors. E.g. a vulnerability is present in the Unix utility file(1) version 3.41 or older. Generally it is advised that external programs be kept up-to-date and that crashes of such programs be reported immediately to their maintainers (after first verifying that the version is recent).

There is a tradeoff in deciding whether to call some external decoder: calling it may open a vulnerability at the host running amavisd-new; not calling it (and not decoding certain types of document) may cause the virus checker to miss malicious mail contents, increasing the danger for the mail recipient while reducing the risk for the host running the checks.

While it may be true that only a powered-down computer, locked in a basement and disconnected from the network, is a completely secure computer, that is not practical for getting any job done. Besides choosing a content filtering program written in Perl and using taint mode checks, there are other things one may do to reduce security threats to the computer running the content filter:

Security considerations for mail clients being protected

Running a virus checking content filter for each mail before it reaches the mail reader is an important line of defense against virus outbreaks and in protecting the (possibly not security conscious) recipients, or their mail reader programs or computer environment.

Not all malware arrives by e-mail. Several viruses or worms use multiple mechanisms to propagate, including the WWW, shared disks, peer-to-peer 'contents' sharing and social engineering; even a memory key or a CD brought in in a pocket, or distributed by magazines and software publishing houses, may bring in a virus.

A content filtering mailer cannot protect internal hosts unless incoming SMTP (TCP dst port 25) is restricted at the firewall to official mailers only. Similarly, the external world deserves protection from possibly infected internal hosts, so outgoing SMTP (TCP dst port 25 again, outgoing this time) needs to be restricted to official mailers. (Use the standard TCP port 587 for mail submission from roaming users.)

Similarly, if mail readers can fetch mail from external mailboxes (POP3, IMAP), the SMTP mail gateway cannot protect them. One solution is to provide a centralized fetchmail service to users who need access to external mailboxes, and feed such mail to the regular content filtering mailer, while blocking other unofficial access to external POP3 and IMAP servers at a firewall.

Even in e-mail, malware may be carried in encrypted or scrambled form, or simply as plain text, using social engineering techniques to persuade the recipient to fetch or activate the malware.

It is not possible to prevent a user from shooting himself in the foot, or to prevent a determined person from transferring malware. There is a tradeoff between keeping e-mail useful and protecting against threats.

The first line of defense (mail content filtering, firewall) must be complemented by defense mechanisms at the local user's desktop computer. This includes virus scanners run on PCs, keeping software up-to-date, doing backups, and educating users.

Malware does not have to play by the rules. Nothing prevents malware from generating syntactically incorrect mail, sending it directly to some host while ignoring MX and A records, supplying forged SMTP information or a forged mail header, poisoning DNS, or perhaps even using a forged source IP address.

A content filter with a virus scanner tries to decide whether the mail under consideration will, or can, cause any bad effects on the recipient's computer, often without knowing what mail reading software or what computer the recipients use. This implies that while some mail may be decoded (by adhering to standards) into harmless text, it might be decoded by some broken MUA or archiver into a virus or exploit, or trigger a MUA bug or vulnerability during decoding or while displaying a message. External archivers/unpackers called by amavisd-new may be relatively easy to trick into not extracting certain archive members, thus hiding malicious code. See the Malformed email project, the Bypassing content filtering whitepaper, Declude's list of vulnerabilities, NISCC Vulnerability Advisory 380375/MIME, and CAN-2003-1015.

Solving this problem would require a content filter with a virus scanner to emulate all known (and unknown?!) mail readers in the way they respond to malformed mail. While amavisd-new and other content filters try to anticipate some common problems, especially the ones practiced by currently active viruses, there is no guarantee that this approach is always successful.

Even now there are combinations of viruses and virus scanners (e.g. Yaha.K + Sophos) where the virus fails to be detected due to a malformed MIME header, which gets decoded one way (correctly, considering the standards!) by MIME::Parser, yet certain mail readers decode it differently, forming a virus. It often helps to use more than one virus scanner (e.g. clamd along with some commercial virus scanner).

RFC 2046 defines a way to split one document across several e-mail messages, which can then be reassembled (automatically or manually) by the MUA. The Content-Type value to look for is message/partial (and similarly: message/external-body). Checking mail fragments individually for viruses cannot reliably detect viruses, which only get reassembled into a recognizable form by the recipient's mail reader. Most virus scanners at the MTA level (including amavisd-new and all other variants of AMaViS*) check each mail independently of other messages, so the only protections against this threat are to ban these MIME content types (see the $banned_filename_re setting in amavisd.conf), to disable auto-reassembly at mail readers, or to run a virus checker tightly associated with the MUA.

Blocking the MIME content type message/external-body may sound useful, although the mechanism is not much different from letting users freely browse the web or fully interpret HTML mail messages, so if the latter is allowed, it probably does not make sense to treat message/external-body differently.
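As an added Python example (not amavisd-new's own code) of two points from this page: the Security considerations rule that temporary file names are generated internally rather than taken from suggested MIME file names, and the ban on the RFC 2046 fragment types message/partial and message/external-body described above. The sample message, the work directory, the regex list and the function names are constructed for this illustration.

```python
import email
import os
import re
import tempfile
from email import policy
from email.message import EmailMessage

# Patterns in the spirit of $banned_filename_re entries for the RFC 2046
# fragment types the text discusses; this list is constructed for the example.
BANNED_CONTENT_TYPE_RE = [
    re.compile(r"^message/partial$", re.I),
    re.compile(r"^message/external-body$", re.I),
]

# Constructed sample: one message/partial fragment plus an attachment whose
# suggested filename tries to climb out of the work directory.
SAMPLE_MAIL = """\
From: sender@example.invalid
To: rcpt@example.invalid
Subject: quarterly report (1/2)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

First half attached.
--b1
Content-Type: message/partial; id="frag@example.invalid"; number=1; total=2

Message-ID: <frag@example.invalid>
Content-Type: application/octet-stream

QUJD
--b1
Content-Type: application/octet-stream; name="../../outside.bin"
Content-Disposition: attachment; filename="../../outside.bin"
Content-Transfer-Encoding: base64

AAEC
--b1--
"""


def is_banned(part: EmailMessage) -> bool:
    return any(rx.match(part.get_content_type()) for rx in BANNED_CONTENT_TYPE_RE)


def banned_reasons(msg: EmailMessage) -> list:
    """One reason per MIME part, at any nesting level, with a banned Content-Type."""
    return ["banned content type " + part.get_content_type()
            for part in msg.walk() if is_banned(part)]


def store_attachments(msg: EmailMessage, workdir: str) -> list:
    """Write each attachment under workdir using a name generated here, not by the sender.

    The suggested MIME filename is kept only as a label for logging: it never takes
    part in building the path and is never handed to a shell, so '../' sequences or
    shell metacharacters in it cannot influence where data lands or what runs.
    """
    stored = []
    for part in msg.iter_attachments():
        if is_banned(part):
            continue  # reported by banned_reasons(), never unpacked
        suggested = part.get_filename() or "(none)"
        fd, path = tempfile.mkstemp(prefix="p", dir=workdir)  # internally generated
        with os.fdopen(fd, "wb") as fh:
            fh.write(part.get_payload(decode=True) or b"")
        stored.append((suggested, path))
    return stored


def run_demo() -> dict:
    """Parse the constructed sample and report what the filter decided."""
    msg = email.message_from_string(SAMPLE_MAIL, policy=policy.default)
    workdir = tempfile.mkdtemp(prefix="amavis-demo-")
    stored = store_attachments(msg, workdir)
    return {
        "reasons": banned_reasons(msg),
        "suggested": [name for name, _ in stored],
        "all_inside_workdir": all(os.path.dirname(p) == workdir for _, p in stored),
        "sizes": [os.path.getsize(p) for _, p in stored],
    }


if __name__ == "__main__":
    print(run_demo())
```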

Protection against denial-of-service (DoS) attacks

Because amavisd-new tries to recursively unpack and decode each mail as deeply as possible, this may be abused by malware. The so-called mail bomb, e.g. 42.zip or a bzip2 bomb, is an example of such malware. Such a mail message, when fully decoded, can exceed the available disk size several times over, or consume a lot of time for decoding. Unless decoding is stopped at an earlier stage, it could cause the message checking to be retried over and over again, each time either hitting the disk-full condition or exceeding the allowed time limit. Note that mail bombs target mail content filters and are normally not a threat to mail clients (MUA), unless they carry a virus as well.

amavisd-new has several configurable mechanisms for limiting the amount of space consumed during decoding; see the resource limits in file amavisd.conf. When message decoding exceeds the storage quota, decoding stops and virus scanning is skipped (to protect the virus scanner), but a header field is inserted, telling the MTA that it may place the message 'on hold', reject it, or just pass it; the action depends on MTA configuration. This works well with Postfix, but may not be configurable with some other mailers.

Since amavisd-new-20030616-p8 a string '***UNCHECKED***' is inserted into Subject. Since amavisd-new-2.0 such passed mail is also wrapped into a MIME wrapper (defanged), prepended by a warning message.

See also the AERAsec advisory on decompression bomb vulnerabilities.
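The limits the paragraphs above describe (a decoded-size quota, a nesting limit, a member count and a time budget, with scanning skipped and the Subject tagged '***UNCHECKED***' when one is hit), as an added Python example that is not amavisd-new's own code; the limit values, the in-memory zip fixtures and the function names are constructed for this illustration and are not amavisd.conf settings.

```python
import io
import time
import zipfile

# Limits of the kinds the text describes (nesting depth, member count, decoded
# size quota, time budget); the values are constructed for this example and are
# not amavisd.conf defaults.
LIMITS = {
    "max_levels": 3,
    "max_files": 50,
    "quota_bytes": 256 * 1024,
    "time_budget_s": 2.0,
}


class DecodeAborted(Exception):
    """Raised as soon as a limit is hit; the message becomes the log/header reason."""


def unpack(blob: bytes, limits: dict, state: dict = None, level: int = 0) -> dict:
    """Recursively unpack zip data, charging every decoded byte to one shared quota."""
    if state is None:
        state = {"bytes": 0, "files": 0,
                 "deadline": time.monotonic() + limits["time_budget_s"]}
    if level > limits["max_levels"]:
        raise DecodeAborted("nesting deeper than %d levels" % limits["max_levels"])
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            state["files"] += 1
            if state["files"] > limits["max_files"]:
                raise DecodeAborted("more than %d archive members" % limits["max_files"])
            # Stream the member in chunks and count what actually comes out, instead
            # of trusting the uncompressed size the archive's own headers claim.
            buf = io.BytesIO()
            with zf.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    state["bytes"] += len(chunk)
                    if state["bytes"] > limits["quota_bytes"]:
                        raise DecodeAborted("decoded size exceeds quota of %d bytes"
                                            % limits["quota_bytes"])
                    if time.monotonic() > state["deadline"]:
                        raise DecodeAborted("time budget exhausted")
                    buf.write(chunk)
            data = buf.getvalue()
            if zipfile.is_zipfile(io.BytesIO(data)):  # archive inside an archive
                unpack(data, limits, state, level + 1)
    return state


def check_message(attachment: bytes, subject: str, limits: dict = LIMITS) -> dict:
    """Decode under the limits; when one is hit, skip scanning and tag the Subject."""
    try:
        state = unpack(attachment, limits)
        return {"scanned": True, "subject": subject,
                "decoded_bytes": state["bytes"], "reason": None}
    except DecodeAborted as exc:
        # Scanning is skipped to protect the scanner; the tag mirrors the
        # '***UNCHECKED***' Subject marker the text describes.
        return {"scanned": False, "subject": "***UNCHECKED*** " + subject,
                "decoded_bytes": None, "reason": str(exc)}


def make_zip(members: dict) -> bytes:
    """Constructed fixture helper: build an in-memory zip from {name: bytes}."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return out.getvalue()


def demo() -> dict:
    """A benign attachment and a small nested one that expands past the quota."""
    benign = make_zip({"report.txt": b"quarterly figures\n" * 100})
    # Highly compressible data nested one level down: a couple of kilobytes on
    # the wire, well over the 256 KiB quota once fully expanded.
    inner = make_zip({"zeros.bin": b"\0" * (512 * 1024)})
    nested = make_zip({"a.zip": inner, "b.zip": inner, "c.zip": inner})
    return {"benign": check_message(benign, "report"),
            "nested": check_message(nested, "invoice")}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```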

Protection against mail loss

When a content filter is positioned in relation to MTA as a mail relay (or proxy), accepting mail from MTA, and passing all checked mail to MTA for final delivery (e.g. Postfix, or dual-sendmail setup), there are only two possible approaches that can prevent mail loss when unpredictable things happen:

amavisd-new chooses the second approach. Some alternative mail content filtering solutions based on Perl module Net::Server::SMTP can not guarantee not losing mail under certain circumstances, because they confirm mail reception before being in a position to ensure a mail delivery or bounce.

Besides taking care not to lose mail, it is important that the mail contents are not unintentionally changed, as could happen for example when a disk is full, or when communication or I/O errors occur. amavisd-new is thorough in always checking the status of operations, e.g. all I/O operations, creating/deleting/writing to files, calling external programs, checking all SMTP response codes, etc. When a problem occurs, amavisd-new tries to produce an error report in its log file that is as informative as practical. When the situation can not be corrected, a temporary failure (EX_TEMPFAIL, or a 450 SMTP response) is generated, telling the MTA to try again later, in the hope that the postmaster will notice stuck mail if the problem keeps recurring.

The amavisd-new policy is to either deliver the mail, or to make sure the sender gets a non-delivery notification. It is possible to configure amavisd-new to disobey this policy for certain unwanted contents, e.g. only to quarantine spam and not generate bounces. See README.policy-on-notifications and choose your policy. Since amavisd-new-2.0 the default policy for viruses is to discard them after quarantining. Configurable options are provided to reduce undesired bounces on spam: @spam_dsn_cutoff_level_maps (with $sa_dsn_cutoff_level) and @spam_dsn_cutoff_level_bysender_maps.


mm
Last updated: 2014-09-29