Bug#346083: may be in next MailScanner upstream release

2006-01-07 Thread Dominik Schramm
This bug is unfixed in the latest MailScanner upstream package. 
I informed Julian Field about it and he says the changes will be
incorporated into the next MailScanner release.  

dominik


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#346212: may be in next MailScanner upstream release

2006-01-07 Thread Dominik Schramm
This bug is unfixed in the latest MailScanner upstream package. 
I informed Julian Field about it and he says the changes will be
incorporated into the next MailScanner release.  

dominik





Bug#346212: mailscanner: Exim spool format error: one_time option treatment

2006-01-06 Thread Dominik Schramm
Package: mailscanner
Version: 4.41.3-2
Severity: important

*** Please type your report below this line ***
Error description
*****************
The (-H) spool file format has changed with Exim version 4.10 --
Debian stable Exim version is 4.50-8 -- and this change is not
reflected in lib/MailScanner/Exim.pm (sub ReadQf). 

If the one_time option is in effect, the corresponding address line
after the non-recipients tree looks like this:

top-level address errors_to address length,parent number#flag bits

(see here:
 http://www.exim.org/exim-html-4.50/doc/html/spec_52.html#SECT52.1 )

The Exim.pm code is based on the pre-v4.10 format:

top-level address flags number,parent number,0

This may actually be a MailScanner bug not specific to Debian.


Resulting problem
*****************

lib/MailScanner/Exim.pm, sub ReadQf, line 415:

# Add recipient to message data
# but deal with special lines first
# (when one_time option is being used)
$line =~ s/ \d+,\d+,\d+$//;
push @{$message->{to}}, $line;

The regexp replacement actually does nothing, so that an invalid
e-mail address is pushed onto the $message->{to} array if one_time
is in effect; something like:

  [EMAIL PROTECTED] [EMAIL PROTECTED] 17,1#01
or
  [EMAIL PROTECTED]  0,1#01


Solution suggestion
*******************

Replace the regexp used to strip away the special data:

If addresses in spool files were guaranteed not to contain spaces,
then the following would work:

# drop everything from the first space to the end of the line
$line =~ s/ .*$//;

Unfortunately, RFC2822 seems to suggest that addresses whose local
and domain parts contain spaces must at least be parsed (though I
neither read nor understood this RFC completely).

So here's another suggestion (attached as diff):

# strips old special content
$line =~ s/ \d+,\d+,\d+$//;
# strips new special content
$line =~ s/ (\d+),\d+#01$//;
if ($1) {
  $line = substr($line, 0, length($line)-$1-1);
}

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mailscanner depends on:
ii  debconf                      1.4.30.13      Debian configuration management sy
ii  exim4                        4.50-8         metapackage to ease exim MTA (v4)
ii  exim4-daemon-light [mail-tr  4.50-8         lightweight exim MTA (v4) daemon
ii  libarchive-zip-perl          1.14-1         Module for manipulation of ZIP arc
ii  libcompress-zlib-perl        1.34-1         Perl module for creation and manip
ii  libconvert-binhex-perl       1.119-2        Perl5 module for extracting data f
ii  libconvert-tnef-perl         0.17-4         Perl module to read TNEF files
ii  libhtml-parser-perl          3.45-2         A collection of modules that parse
ii  libmime-perl                 5.417-1        Perl5 modules for MIME-compliant m
ii  libnet-cidr-perl             0.10-1         Manipulate IPv4/IPv6 netblocks in
ii  ncftp                        2:3.1.8-1      A user-friendly and well-featured
ii  perl                         5.8.4-8        Larry Wall's Practical Extraction
ii  spamassassin                 3.0.3-2        Perl-based spam filter using text
ii  ucf                          1.17           Update Configuration File: preserv
ii  unzip                        5.52-1sarge2   De-archiver for .zip files
ii  wget                         1.9.1-12       retrieves files from the web

--- mailscanner-4.41.3.orig/lib/MailScanner/Exim.pm 2005-03-27 
19:37:10.0 +0200
+++ mailscanner-4.41.3.corrected/lib/MailScanner/Exim.pm2006-01-06 
13:48:33.0 +0100
@@ -415,7 +415,15 @@
   # Add recipient to message data
   # but deal with special lines first
   # (when one_time option is being used)
+
+  # strips old special content ( v4.10)
   $line =~ s/ \d+,\d+,\d+$//;
+  # strips new special content (= v4.10)
+  $line =~ s/ (\d+),\d+#01$//;
+  if ($1) {
+$line = substr($line, 0, length($line)-$1-1);
+  }
+
   push @{$message-{to}}, $line;
 }
   }
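
Review bot: the added `if ($1)` test is false when the captured errors_to length is 0, so for a line ending in ` 0,1#01` the truncation is skipped and the separator space left behind by the substitution stays on the address that gets pushed. Make the truncation conditional on the substitution itself, e.g. `if ($line =~ s/ (\d+),\d+#01$//) { ... }`, so a zero length is handled like any other.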


Bug#346212: diff contains error

2006-01-06 Thread Dominik Schramm
The part

$line =~ s/ (\d+),\d+#01//;
if ($1) {
  $line = substr($line, 0, length($line)-$1-1);
}

should actually be:

$line =~ s/ (\d+),\d+#01//;
if (defined $1) {
  $line = substr($line, 0, length($line)-$1-1);
}

Otherwise length 0 for errors_to address is not handled correctly. 

--- mailscanner-4.41.3.orig/lib/MailScanner/Exim.pm 2005-03-27 
19:37:10.0 +0200
+++ mailscanner-4.41.3.corrected/lib/MailScanner/Exim.pm2006-01-06 
13:48:33.0 +0100
@@ -415,7 +415,15 @@
   # Add recipient to message data
   # but deal with special lines first
   # (when one_time option is being used)
+
+  # strips old special content ( v4.10)
   $line =~ s/ \d+,\d+,\d+$//;
+  # strips new special content (= v4.10)
+  $line =~ s/ (\d+),\d+#01$//;
+  if (defined $1) {
+$line = substr($line, 0, length($line)-$1-1);
+  }
+
   push @{$message-{to}}, $line;
 }
   }
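
Review bot: `defined $1` in the added block is evaluated even when the `#01` substitution did not match, and Perl then leaves `$1` as set by an earlier successful match, so an ordinary recipient line may be cut by a stale length. Wrap the substr in `if ($line =~ s/ (\d+),\d+#01$//)`, and before truncating check that `$1 + 1` is smaller than `length($line)`, since the length is read from the spool file and a too-large value makes the substr length negative.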

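An added example, not part of the original report or of MailScanner's code: a stand-alone Perl routine that strips both one_time trailers described in the report, tests the substitution result instead of `$1`, and rejects a line whose stated errors_to length does not fit. The function name, the sample addresses and accepting any digits as flag bits (the report only shows 01) are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the bare recipient address from one recipient line of an Exim -H
# spool file, or nothing if the one_time trailer is inconsistent with the line.
sub recipient_from_spool_line {
    my ($line) = @_;

    # Pre-4.10 one_time trailer, as matched by the existing Exim.pm code.
    return $line if $line =~ s/ \d+,\d+,\d+$//;

    # 4.10+ trailer " length,parent#flags". Test the substitution itself:
    # after a failed match $1 would still hold an older capture.
    # Assumption of this example: flag bits may be any digits, not only 01.
    if ($line =~ s/ (\d+),\d+#\d+$//) {
        my $len = $1;    # stated length of the errors_to address

        # What remains must be: address, one space, errors_to ($len chars).
        return if length($line) < $len + 2;
        return if substr($line, -($len + 1), 1) ne ' ';
        return substr($line, 0, length($line) - $len - 1);
    }

    return $line;        # ordinary recipient line, nothing to strip
}

# Constructed sample lines; example.org and example.net are placeholders.
my @samples = (
    'user@example.org',                                   # plain recipient
    'user@example.org 1,2,0',                             # old trailer
    'user@example.org bounce@example.net 18,1#01',        # new trailer
    'user@example.org  0,1#01',                           # empty errors_to
    '"john doe"@example.org bounce@example.net 18,1#01',  # space in local part
    'user@example.org bounce@example.net 99,1#01',        # length does not fit
);

for my $sample (@samples) {
    my $addr = recipient_from_spool_line($sample);
    printf "%-52s -> %s\n", "[$sample]",
        defined $addr ? "[$addr]" : 'REJECTED';
}
```

The length-based cut is what lets an address containing spaces survive; the two consistency checks keep a corrupted length from truncating the address at an arbitrary point.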

Bug#346083: Solution

2006-01-06 Thread Dominik Schramm
The following diff fixes this issue.

The problem was in fact that $msg->{to} is empty in 
MailScanner/Config.pm (around line 446):

if ($direction =~ /t/) {
  # Match against every To address
  if (defined $tooverride) {
    push @matches, split(" ",$value) if $tooverride =~ /$regexp/;
  } else {
    foreach $to (@{$msg->{to}}) {
      push @matches, split(" ",$value) if $to =~ /$regexp/;
    }
  }
}

The reason is that Config (MailScanner/Config.pm) is called from
MailScanner/Quarantine.pm with the wrong message argument: 
$this instead of $message. 

--- mailscanner-4.41.3.orig/lib/MailScanner/Quarantine.pm   2005-03-20 
13:50:57.0 +0100
+++ mailscanner-4.41.3.corrected/lib/MailScanner/Quarantine.pm  2006-01-06 
15:34:41.0 +0100
@@ -191,7 +191,7 @@
   # messages, not just infections.
   umask $this-{fileumask};
   if ($message-{allreports}{} ||
-  MailScanner::Config::Value('quarantinewholemessage',$this) =~ /1/) {
+  MailScanner::Config::Value('quarantinewholemessage',$message) =~ /1/) {
 #print STDERR Saving entire message to $msgdir\n;
 MailScanner::Log::InfoLog(Saved entire message to $msgdir);
 $message-{store}-CopyEntireMessage($message, $msgdir, 'message',
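
Review bot: the changed condition still tests the setting with `=~ /1/`, which is true for any returned string that merely contains a 1; for a yes/no option an exact comparison or a plain truth test is tighter and cannot be switched on by an unexpected return value. Since `$this` in this function is the quarantine object (the `umask` line above uses it that way), the other `MailScanner::Config::Value` calls in this file are worth checking for the same wrong argument.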


Bug#346083: mailscanner: Ruleset for Quarantine Whole Message not evaluated correctly

2006-01-05 Thread Dominik Schramm
Package: mailscanner
Version: 4.41.3-2
Severity: normal

*** Please type your report below this line ***
Main problem

The problem occurs on a production mail server (so running in debug
mode is not easily feasible):

In /etc/MailScanner/MailScanner.conf:

  Quarantine Whole Message = yes
  
works.

  Quarantine Whole Message = %rules%/quarantine.whole.message.rules
  
also works *IF* it contains "XY: default yes" (XY = From, To, or
FromOrTo). 

If the default given in the rules file is "no", then 
no matter what the "yes" rules look like, the message is 
not quarantined whole.

I specifically tested this by sending a message containing an EICAR
attachment to [EMAIL PROTECTED], while the rules file contains:

  To: [EMAIL PROTECTED] yes
  
and

  To: /[EMAIL PROTECTED]/ yes
  To: /^(?i-xsm:[EMAIL PROTECTED])$/ yes
  
and other -- simpler -- possibilities like:

  To: /myusername/ yes
  To: [EMAIL PROTECTED] yes

If the default line is "no":

  From: default no

or:
  
  FromOrTo: default no

then the message is not quarantined whole. 

Other MailScanner options referring to rulesets work the way 
they are expected to.


Log file excerpts
*****************

/var/log/mail.log says:
Jan  5 12:39:56 dmx001 MailScanner[32025]: Virus and Content Scanning: Starting
Jan  5 12:39:56 dmx001 MailScanner[32025]: /1EuTTH-0008Ly-JB/eicar.txt Found: EICAR test file NOT a virus.
Jan  5 12:39:56 dmx001 MailScanner[32025]: Virus Scanning: McAfee found 1 infections
Jan  5 12:39:56 dmx001 MailScanner[32025]: Infected message 1EuTTH-0008Ly-JB came from ***.***.***.***
Jan  5 12:39:56 dmx001 MailScanner[32025]: Virus Scanning: Found 1 viruses
Jan  5 12:39:56 dmx001 MailScanner[32025]: Saved infected eicar.txt to /var/spool/MailScanner/quarantine/20060105/1EuTTH-0008Ly-JB
Jan  5 12:39:56 dmx001 MailScanner[32025]: Uninfected: Delivered 1 messages
Jan  5 12:39:56 dmx001 MailScanner[32025]: Silent: Delivered 1 messages containing silent viruses
Jan  5 12:39:56 dmx001 MailScanner[32025]: Notices: Warned about 1 messages

/var/log/mail.info contains the same, /var/log/mail.warn and
/var/log/mail.err are empty.


/var/log/exim4/mainlog says:

2006-01-05 12:39:55 1EuTTH-0008Ly-JB <= [EMAIL PROTECTED] H= [***.***.***.***] P=smtp S=851
2006-01-05 12:39:56 1EuTTI-0008N7-KY <= [EMAIL PROTECTED] U=Debian-exim P=local S=1562
2006-01-05 12:39:57 1EuTTH-0008Ly-JB => [EMAIL PROTECTED] R=smarthost_102mx T=remote_smtp H=10.16.24.9 [10.16.24.9]
2006-01-05 12:39:57 1EuTTH-0008Ly-JB Completed
2006-01-05 12:39:57 1EuTTI-0008N7-KY => [EMAIL PROTECTED] R=smarthost_102mx T=remote_smtp H=10.16.24.9 [10.16.24.9]
2006-01-05 12:39:57 1EuTTI-0008N7-KY Completed


Additional information
**********************

Notify Senders is no for the To address I am testing with
(ruleset -- works: I -- the sender -- am not notified of the virus).

Silent Viruses contains AllViruses.

Still Deliver Silent Viruses is yes for the To address 
I am testing with (ruleset -- works: I do receive the message without
the virus infected attachment).

Notices To contains the same address that I am testing with,
i.e. [EMAIL PROTECTED]. (ruleset -- works: I do get a virus
report). 

Quarantine Message As Queue Files is no at the moment,
but with yes the behavior is the same as described above.

Virus Scanning is on.
Spam Detection is off.


Possible problem location
*************************

I have had a look at the source code, and here is my very
humble opinion about where the problem might be located
-- please take it with a grain of salt:

The problem seems to be somewhere around the AllMatchesValue
sub in MailScanner/Config.pm: quarantinewholemessage is of 
category all and of type yesno. 

The block responsible for finding matches should be
(around line 446):

if ($direction =~ /t/) {
  # Match against every To address
  if (defined $tooverride) {
    push @matches, split(" ",$value) if $tooverride =~ /$regexp/;
  } else {
    foreach $to (@{$msg->{to}}) {
      push @matches, split(" ",$value) if $to =~ /$regexp/;
    }
  }
}

For messages with one recipient only, it looks like $msg->{to} 
is empty -- $tooverride is undefined.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mailscanner depends on:
ii  debconf                      1.4.30.13      Debian configuration management sy
ii  exim4                        4.50-8         metapackage to ease exim MTA (v4)
ii  exim4-daemon-light [mail-tr  4.50-8         lightweight exim MTA (v4) daemon
ii  libarchive-zip-perl          1.14-1         Module for manipulation of ZIP arc
ii  libcompress-zlib-perl        1.34-1         Perl module for creation and manip
ii  libconvert-binhex-perl       1.119-2        Perl5 module for extracting data f
ii  libconvert-tnef-perl         0.17-4         Perl module to read TNEF files
ii  libhtml-parser-perl          3.45-2         A collection of modules that parse
ii  libmime-perl