Bug 167354 - Review Request: amavisd-new
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review
rawhide
All Linux
medium Severity medium
Assigned To: Tom "spot" Callaway
David Lawrence
http://www.ijs.si/software/amavisd/
Depends On: 167471 174099
Blocks: FE-ACCEPT
Reported: 2005-09-01 16:44 EDT by Steven Pritchard
Modified: 2014-03-10 08:52 EDT

Doc Type: Bug Fix
Last Closed: 2006-02-02 22:30:14 EST
limburgher: fedora‑cvs+


Attachments
Correct the db directory for amavisd-agent and amavisd-nanny (1018 bytes, patch)
2005-09-19 09:40 EDT, Julien Tognazzi
Description Steven Pritchard 2005-09-01 16:44:25 EDT
Spec Name or Url: http://ftp.kspei.com/pub/steve/rpms/amavisd-new/amavisd-new.spec
SRPM Name or Url: http://ftp.kspei.com/pub/steve/rpms/amavisd-new-2.3.2-10.src.rpm
Description:
amavisd-new is a high-performance and reliable interface between mailer
(MTA) and one or more content checkers: virus scanners, and/or
Mail::SpamAssassin Perl module. It is written in Perl, assuring high
reliability, portability and maintainability. It talks to MTA via (E)SMTP
or LMTP, or by using helper programs. No timing gaps exist in the design,
which could cause a mail loss.
Comment 1 Steven Pritchard 2005-09-01 16:52:30 EDT
Must remember to check these things *before* I submit a package...

SRPM URL: http://ftp.kspei.com/pub/steve/rpms/amavisd-new-2.3.3-1.src.rpm

* Thu Sep 01 2005 Steven Pritchard <steve@kspei.com> 2.3.3-1
- Update to 2.3.3
- Remove explicit dependencies on core perl modules
Comment 2 Steven Pritchard 2005-09-02 17:57:03 EDT
I need to bump the perl(Compress::Zlib) requirement to >= 1.35, or remove the
check from the code so we can use it on FC-[34] without an update to
perl-Compress-Zlib.

*sigh*
Comment 3 Steven Pritchard 2005-09-16 17:25:27 EDT
An update to Compress::Zlib was pushed to Core some time ago, so please review.

http://ftp.kspei.com/pub/steve/rpms/amavisd-new-2.3.3-2.src.rpm

* Fri Sep 02 2005 Steven Pritchard <steve@kspei.com> 2.3.3-2
- Requires: perl(Compress::Zlib) >= 1.35
Comment 4 Julien Tognazzi 2005-09-19 09:37:26 EDT
The demo programs amavisd-{agent,nanny} need a patch to look for the db in the
proper directory (/var/spool/amavisd/db).

I'll attach it.
Comment 5 Julien Tognazzi 2005-09-19 09:40:36 EDT
Created attachment 118977
Correct the db directory for amavisd-agent and amavisd-nanny
Comment 6 Steven Pritchard 2005-09-19 10:39:06 EDT
I've applied the patch.  Thanks.

http://ftp.kspei.com/pub/steve/rpms/amavisd-new-2.3.3-3.src.rpm
Comment 7 Julien Tognazzi 2005-09-20 09:55:27 EDT
And what about adding the amavisd-release program?
It allows resending quarantined mail; the author explains how to use it,
cf.
http://groups.google.com/group/mailing.unix.amavis-user/browse_frm/thread/50640aa9c5f182bb/a12b4488cba1cd8d#a12b4488cba1cd8d
(I hope the link will work...)
Comment 8 Nicolas Mailhot 2005-09-20 10:07:20 EDT
Even if it's included enabling quarantine is probably a bad idea for Fedora. Tag
suspicious mail, ask sender to retry if you've got a doubt, and dump everything
else.

Quarantine is IMHO inadequate for small systems. Big organisations can justify
quarantine management and will enable it in the conf file but the Fedora default
should be off.
Comment 9 James Wilkinson 2005-09-21 09:42:14 EDT
Thank you very much for this package. I've been testing it (on x86-64, FWIW) and
it works well.

I note that /etc/amavisd/amavisd.conf mentions:
#   see amavisd.conf-default for a list of all variables with their defaults;
#   see amavisd.conf-sample for a traditional-style commented file;

These files are provided in the tar.gz in the src.rpm, but are not included in
the RPM.

Personally, I'd prefer to see them in the RPM (they do provide worthwhile
documentation), but some sort of consistency might be nice.

Thanks,

James.
Comment 10 Nicolas Mailhot 2005-09-21 09:55:55 EDT
BTW I've been testing with selinux disabled (for other reasons). Is this package
selinux-safe? Has anyone tested it with the new security rules which landed in
rawhide recently?
Comment 11 Steven Pritchard 2005-09-21 12:36:32 EDT
http://ftp.kspei.com/pub/steve/rpms/amavisd-new-2.3.3-4.src.rpm has a couple of
extra %doc entries (TODO and amavisd.conf-*).

As for selinux, I have no idea.  It has been broken enough in FC4 that I am
running all my servers either in permissive mode or with selinux disabled
entirely, unfortunately.
Comment 12 Nicolas Mailhot 2005-09-21 13:23:46 EDT
That's why I asked about this. I fear no one is testing it and people will need
it to work later.

Unfortunately, one of the things that stops me from going into enforcing mode is
I haven't figured yet how to authorize the fact my postfix listens on port 24,
so if I go into enforcing mode postfix goes down (and I can't test amavis)
Comment 13 manuel wolfshant 2005-09-22 04:13:06 EDT
I think that the kind guys from fedora-selinux list may assist you on modifying
the policy so as to allow running postfix on port 24.
Comment 14 Paul Howarth 2005-09-22 05:37:35 EDT
If you have selinux-policy-targeted-sources installed, try adding a line to
/etc/selinux/targeted/src/policy/net_contexts

portcon tcp 24 system_u:object_r:smtp_port_t

and then do:

make -C /etc/selinux/targeted/src/policy load

Comment 15 Nicolas Mailhot 2005-09-22 07:29:27 EDT
Thanks for the tip.
However I fear I may have other selinux problems lurking (squirrelmail) so I
won't touch it before I have the time to put everything right.

Also, I'd rather understand the system before meddling with the security policies ;)
Comment 16 James Wilkinson 2005-09-22 08:20:55 EDT
I'm running a pretty unmodified (but "yum update"d) FC4 with current (FC4)
SELinux enabled in enforcing targeted mode. I haven't configured Postfix beyond
installing amavisd and changing some of the main.cf parameters.

As I say, it's all working well for me.
Comment 17 Nicolas Mailhot 2005-09-22 18:23:08 EDT
Well I switched postfix from port 24 to 587 which is more traditional and
victory it's in the default redhat selinux policy

*HOWEVER* selinux still blocked postfix this time when it tried to bind on the
port used to talk to amavis (port 10026 on my box, dunno if your current package
makes the same choice)

So it seems amavisd is not selinux safe in fedora devel
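
The port-labeling check discussed in comments 14 and 17, as an added example that is not part of the original thread or of any Fedora policy tooling: it parses `portcon` lines in the format quoted in comment 14 and reports which of the ports mentioned in the thread lack the wanted type. The sample policy text, the type `example_port_t` and the function names are constructed for illustration; treating `smtp_port_t` as the type the MTA may bind is an assumption taken from comment 14's suggestion.

```python
import re

# Constructed sample in the style of the net_contexts line quoted in comment 14;
# not a copy of any shipped Fedora policy. example_port_t is a made-up type.
SAMPLE_NET_CONTEXTS = """\
# protocol  port(s)  context
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
portcon tcp 587 system_u:object_r:smtp_port_t
portcon tcp 10024-10025 system_u:object_r:example_port_t
"""

PORTCON = re.compile(r"^portcon\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(\S+)$")

def parse_portcon(text):
    """Return (proto, low, high, type) for every portcon statement in text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = PORTCON.match(line)
        if not m:
            continue  # blank lines and other statement kinds are out of scope
        proto, low, high, context = m.groups()
        low, high = int(low), int(high or low)  # a single port is a 1-wide range
        if not (0 < low <= high <= 65535):
            raise ValueError(f"bad port range in: {raw!r}")
        # The SELinux type is the third field of user:role:type
        rules.append((proto, low, high, context.split(":")[2]))
    return rules

def port_type(rules, proto, port):
    """Type of the first rule covering proto/port (file order: sketch assumption)."""
    for r_proto, low, high, setype in rules:
        if r_proto == proto and low <= port <= high:
            return setype
    return None

def unlabeled(rules, ports, wanted="smtp_port_t", proto="tcp"):
    """Map each port not labeled `wanted` to the type it has (None = no rule)."""
    found = {p: port_type(rules, proto, p) for p in ports}
    return {p: t for p, t in found.items() if t != wanted}

if __name__ == "__main__":
    rules = parse_portcon(SAMPLE_NET_CONTEXTS)
    # Ports named in the thread: 24 and 587 (comments 12 and 17), 10026 (comment 17)
    for port, found in unlabeled(rules, [24, 587, 10026]).items():
        print(f"tcp/{port}: labeled {found}, wanted smtp_port_t")
```

Run against the constructed sample, it reports tcp/24 and tcp/10026 as having no label; appending the line from comment 14 clears the first of the two.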
Comment 18 Paul Howarth 2005-09-23 04:33:31 EDT
(In reply to comment #17)
> Well I switched postfix from port 24 to 587 which is more traditional and
> victory it's in the default redhat selinux policy
> 
> *HOWEVER* selinux still blocked postfix this time when it tried to bind on the
> port used to talk to amavis (port 10026 on my box, dunno if your current package
> makes the same choice)
> 
> So it seems amavisd is not selinux safe in fedora devel

You need to take this to fedora-selinux-list now. Dan Walsh hangs out there and
will probably work with you to get the Fedora SELinux policy fixed so that this
works. That's how I got SELinux support for my Extras pptp package included in
Fedora Core.

Comment 19 James Wilkinson 2005-09-24 04:35:13 EDT
I've just applied the latest selinux-policy-targeted-1.27.1-2.1 from FC4
updates. And it's broken my amavisd install...
Comment 20 Nicolas Mailhot 2005-10-31 05:11:14 EST
Selinux problems are fixed in Raw Hide. Package works very well for me so far.
Are there no perl gurus available to approve it ?
Comment 21 Rahul Sundaram 2005-10-31 14:38:32 EST
(In reply to comment #19)
> I've just applied the latest selinux-policy-targeted-1.27.1-2.1 from FC4
> updates. And it's broken my amavisd install...


It's fixed in rawhide. Report this to bugzilla and request a policy update.
Comment 22 Dennis Gilmore 2005-11-14 18:24:45 EST
Starting amavisd: Problem in the Amavis::Unpackers code: Archive::Zip version
1.14 required--this is only version 1.12 at (eval 46) line 20.
BEGIN failed--compilation aborted at (eval 46) line 20.

Just as a start; I haven't done a full check on the package yet.
Comment 23 James Wilkinson 2005-12-01 07:24:20 EST
Latest selinux-policy-targeted-1.27.1-2.14.noarch fixes it: thanks.
Comment 24 Nicolas Mailhot 2006-01-08 07:51:03 EST
A new perl-Net-Server will be pushed to FE soonish. Please test
Comment 25 Nicolas Mailhot 2006-01-16 18:17:14 EST
And while I'm at it, I've updated perl-Convert-UUlib too

(still happily running Steve's original package 24h/24 7j/j since last september
at least without any hitch - can't anyone approve this?)
Comment 26 Tom "spot" Callaway 2006-01-16 23:21:29 EST
Since there are no obvious showstoppers in this bug ticket, I'll review this:

Good:

- rpmlint checks return:
E: amavisd-new non-standard-uid /var/spool/amavisd/db amavis
E: amavisd-new non-standard-gid /var/spool/amavisd/db amavis
E: amavisd-new non-standard-dir-perm /var/spool/amavisd/db 0700
W: amavisd-new dangling-relative-symlink /usr/sbin/clamd.amavisd clamd
E: amavisd-new non-standard-uid /var/spool/amavisd amavis
E: amavisd-new non-standard-gid /var/spool/amavisd amavis
E: amavisd-new non-standard-dir-perm /var/spool/amavisd 0700
E: amavisd-new non-standard-uid /var/run/amavisd amavis
E: amavisd-new non-standard-gid /var/run/amavisd amavis
E: amavisd-new non-standard-uid /var/spool/amavisd/tmp amavis
E: amavisd-new non-standard-gid /var/spool/amavisd/tmp amavis
E: amavisd-new non-standard-dir-perm /var/spool/amavisd/tmp 0700
E: amavisd-new init-script-name-with-dot /etc/rc.d/init.d/clamd.amavisd
E: amavisd-new no-status-entry /etc/rc.d/init.d/clamd.amavisd
W: amavisd-new no-reload-entry /etc/rc.d/init.d/clamd.amavisd
E: amavisd-new subsys-not-used /etc/rc.d/init.d/clamd.amavisd
E: amavisd-new incoherent-subsys /etc/rc.d/init.d/amavisd ${prog_base}

I think all of these are safe to ignore.

- package meets naming guidelines
- package meets packaging guidelines
- license (GPL) OK, text in %doc, matches source
- spec file legible, in am. english
- source matches upstream
- package compiles on devel (x86)
- no missing BR
- no unnecessary BR
- no locales
- not relocatable
- owns all directories that it creates
- no duplicate files
- permissions ok
- %clean ok
- macro use consistent
- code, not content
- no need for -docs
- nothing in %doc affects runtime
- no need for .desktop file

APPROVED.
Comment 27 Ville Skyttä 2006-01-17 01:35:19 EST
(In reply to comment #25)
> (still happily running Steve's original package 24h/24 7j/j since last september
> at least without any hitch - can't anyone approve this?)

You know you could have done that yourself, right?
Comment 28 Nicolas Mailhot 2006-01-17 03:25:00 EST
Thanks Tom.

Ville: I'm not going to approve a perl package which processes insecure data. At
least not before taking a few perl tutorials/courses first. You can call me
paranoid if you like, but perl is very low in my trust scale, and I don't know
it enough to do an educated evaluation.

(and yes I'm ready to trust my own data to a package I wouldn't approve - but
then I've been running rawhide for more years than I care to remember now)
Comment 29 Paul Wouters 2006-01-20 01:54:15 EST
when updating from your first to your last rpm, I noticed amavisd is restarted
twice:

[root@cdc ~]# rpm -Uhv /usr/src/redhat/RPMS/noarch/amavisd-new-2.3.3-4.noarch.rpm
Preparing...                ########################################### [100%]
   1:amavisd-new            warning: /etc/amavisd/amavisd.conf created as /etc/amavisd/amavisd.conf.rpmnew
########################################### [100%]
Shutting down amavisd: Can't SIGTERM amavisd[1337]: No such process at /usr/sbin/amavisd line 8983., can't stop the process
[FAILED]

Starting amavisd: Pid_file "/var/run/amavisd/amavisd.pid" already exists. Overwriting!
[  OK  ]

Stopping clamd.amavisd: [  OK  ]
Starting clamd.amavisd: [  OK  ]
[root@cdc ~]#

More importantly, amavisd never starts for me. It goes through a lot of good
messages and then ends with an error:
Jan 20 01:54:19 cdc amavis[1588]: Found decoder for    .zoo  at /usr/bin/zoo
Jan 20 01:54:19 cdc amavis[1588]: Found decoder for    .lha  at /usr/bin/lha
Jan 20 01:54:19 cdc amavis[1588]: Found decoder for    .cab  at /usr/bin/cabextract
Jan 20 01:54:19 cdc amavis[1588]: No decoder for       .tnef tried: tnef
Jan 20 01:54:19 cdc amavis[1588]: Internal decoder for .tnef
Jan 20 01:54:19 cdc amavis[1588]: Found decoder for    .exe  at /usr/bin/unrar; /usr/bin/lha; /usr/bin/unarj
Jan 20 01:54:19 cdc amavis[1588]: Using internal av scanner code for (primary) ClamAV-clamd
Jan 20 01:54:19 cdc amavis[1588]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Jan 20 01:54:19 cdc amavis[1588]: TROUBLE in pre_loop_hook: db_init: BDB bad db env. at /var/spool/amavisd/db: Invalid argument, . at (eval 37) line 244.

[root@cdc amavisd]# ls -al /var/spool/amavisd/db/
total 8
drwx------  2 amavis amavis 4096 Jan 20 01:48 .
drwx------  5 amavis amavis 4096 Jan 20 01:49 ..

This is a FC4-updated machine.

[root@cdc amavisd]# rpm -V amavisd-new
[root@cdc amavisd]# rpm -q amavisd-new
amavisd-new-2.3.3-4
Comment 30 Steven Pritchard 2006-01-20 10:35:29 EST
I haven't seen that error before.  Had you been using the old rpm, or did you
just have it installed?

For that matter, do you know which old rpm you were using?
Comment 31 Nicolas Mailhot 2006-01-20 13:52:17 EST
How about pushing the current version to FE so everyone can use the same
reference package ? Then we can forget about the pre-inclusion versions
Comment 32 Paul Wouters 2006-01-20 14:03:15 EST
I used the first rpm you put up, had that error and then found your latest rpm,
and did a rpm -U.

An strace ends with problems for BDB and "Destroy". But I did install the FE
BerkeleyDB rpm as well.

My guess was this could be some missing perl dependency, but I cannot figure out
the package that would be missing.
Comment 33 Paul Wouters 2006-01-20 14:21:33 EST
One additional note, I don't think it should matter, but this is within a xen2
FC4 xenu
Comment 34 Paul Wouters 2006-01-24 22:11:08 EST
I'm still trying to debug this and get amavisd-new running. Looking a bit
further into my db error, I noticed:

 ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );

However, there is no 'sql' directory included with amavisd-new in the rpm.
Perhaps either the sqlite dependency needs to be dropped, or this file needs to
be included?
Comment 35 Paul Wouters 2006-01-24 22:12:55 EST
also, there is a note saying: 

#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

However, $MYHOME/var is not created by the rpm.
Comment 36 Paul Wouters 2006-01-24 22:22:12 EST
I finally found the reason for my failure, which is the following line:

$enable_db = 1 

checking the build shipped config file shows:

[root@cdc amavisd]# grep enable_db /usr/src/redhat/BUILD/amavisd-new-2.3.3/amavisd.conf*
/usr/src/redhat/BUILD/amavisd-new-2.3.3/amavisd.conf:$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
/usr/src/redhat/BUILD/amavisd-new-2.3.3/amavisd.conf:$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
/usr/src/redhat/BUILD/amavisd-new-2.3.3/amavisd.conf-default:# $enable_db = 0;
/usr/src/redhat/BUILD/amavisd-new-2.3.3/amavisd.conf-sample:$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
/usr/src/redhat/BUILD/amavisd-new-2.3.3/amavisd.conf-sample:$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

So I believe it did ship with $enable_db=1

So either this functionality is broken, or more likely, something else needs to
happen that I have not yet done, but which was already done on the server of the
rpm builder.
Comment 37 Steven Pritchard 2006-02-02 22:30:14 EST
Please open a new bug if you can reproduce the problem with 2.3.3-5 when it
comes out of the build system.
Comment 38 Juan Orti 2014-02-11 16:45:10 EST
Package Change Request
======================
Package Name: amavisd-new
New Branches: 
Owners: jorti steve kanarip
InitialCC: perl-sig

steve is unresponsive, so I want to take over the package. See:
https://lists.fedoraproject.org/pipermail/devel/2014-February/195318.html
https://lists.fedoraproject.org/pipermail/devel/2014-January/194940.html
Comment 39 Jon Ciesla 2014-02-12 07:59:24 EST
Git done (by process-git-requests).
Comment 40 Juan Orti 2014-03-10 08:34:50 EDT
Package Change Request
======================
Package Name: amavisd-new
New Branches: f20 f19 el5 el6 epel7
Owners: jorti steve kanarip
InitialCC: perl-sig

I already have the ownership of the devel branch, I ask to take the ownership of the remaining branches. In epel, the user janfrode has commit rights, please, keep them.
https://fedorahosted.org/fesco/ticket/1233
Comment 41 Jon Ciesla 2014-03-10 08:52:54 EDT
Git done (by process-git-requests).
