Bug#346083: may be in next MailScanner upstream release
This bug is unfixed in the latest MailScanner upstream package. I informed Julian Field about it and he says the changes will be incorporated into the next MailScanner release.

dominik
Bug#346212: may be in next MailScanner upstream release
This bug is unfixed in the latest MailScanner upstream package. I informed Julian Field about it and he says the changes will be incorporated into the next MailScanner release.

dominik
Bug#346212: mailscanner: Exim spool format error: one_time option treatment
Package: mailscanner
Version: 4.41.3-2
Severity: important

*** Please type your report below this line ***

Error description
*****************

The (-H) spool file format has changed with Exim version 4.10 -- Debian stable Exim version is 4.50-8 -- and this change is not reflected in lib/MailScanner/Exim.pm (sub ReadQf). If the one_time option is in effect, the corresponding address line after the non-recipients tree looks like this:

    top-level address errors_to address length,parent number#flag bits

(see here: http://www.exim.org/exim-html-4.50/doc/html/spec_52.html#SECT52.1 )

The Exim.pm code is based on the pre-v4.10 format:

    top-level address flags number,parent number,0

This may actually be a MailScanner bug not specific to Debian.

Resulting problem
*****************

lib/MailScanner/Exim.pm, sub ReadQf, line 415:

    # Add recipient to message data
    # but deal with special lines first
    # (when one_time option is being used)
    $line =~ s/ \d+,\d+,\d+$//;
    push @{$message->{to}}, $line;

The regexp replacement actually does nothing, so that an invalid e-mail address is pushed onto the $message->{to} array if one_time is in effect; something like:

    [EMAIL PROTECTED] [EMAIL PROTECTED] 17,1#01

or

    [EMAIL PROTECTED] 0,1#01

Solution suggestion
*******************

Replace the regexp used to strip away the special data:

If addresses in spool files were guaranteed not to contain spaces, then the following would work:

    $line =~ s/ *$//;

Unfortunately, RFC2822 seems to suggest that addresses whose local and domain parts contain spaces must at least be parsed (though I neither read nor understood this RFC completely).
So here's another suggestion (attached as diff):

    # strips old special content
    $line =~ s/ \d+,\d+,\d+$//;
    # strips new special content
    $line =~ s/ (\d+),\d+#01$//;
    if ($1) {
      $line = substr($line, 0, length($line)-$1-1);
    }

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mailscanner depends on:
ii  debconf                     1.4.30.13      Debian configuration management sy
ii  exim4                       4.50-8         metapackage to ease exim MTA (v4)
ii  exim4-daemon-light [mail-tr 4.50-8         lightweight exim MTA (v4) daemon
ii  libarchive-zip-perl         1.14-1         Module for manipulation of ZIP arc
ii  libcompress-zlib-perl       1.34-1         Perl module for creation and manip
ii  libconvert-binhex-perl      1.119-2        Perl5 module for extracting data f
ii  libconvert-tnef-perl        0.17-4         Perl module to read TNEF files
ii  libhtml-parser-perl         3.45-2         A collection of modules that parse
ii  libmime-perl                5.417-1        Perl5 modules for MIME-compliant m
ii  libnet-cidr-perl            0.10-1         Manipulate IPv4/IPv6 netblocks in
ii  ncftp                       2:3.1.8-1      A user-friendly and well-featured
ii  perl                        5.8.4-8        Larry Wall's Practical Extraction
ii  spamassassin                3.0.3-2        Perl-based spam filter using text
ii  ucf                         1.17           Update Configuration File: preserv
ii  unzip                       5.52-1sarge2   De-archiver for .zip files
ii  wget                        1.9.1-12       retrieves files from the web

--- mailscanner-4.41.3.orig/lib/MailScanner/Exim.pm 2005-03-27 19:37:10.0 +0200 +++ mailscanner-4.41.3.corrected/lib/MailScanner/Exim.pm2006-01-06 13:48:33.0 +0100 @@ -415,7 +415,15 @@ # Add recipient to message data # but deal with special lines first # (when one_time option is being used) + + # strips old special content ( v4.10) $line =~ s/ \d+,\d+,\d+$//; + # strips new special content (= v4.10) + $line =~ s/ (\d+),\d+#01$//; + if ($1) { +$line = substr($line, 0, length($line)-$1-1); + } + push @{$message-{to}}, $line; } }
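Review bot: the added substitution `s/ (\d+),\d+#01$//` hard-codes the flag bits as `01`, while the report describes the trailing field as `#flag bits`. A recipient line carrying any other flag value would match neither regexp and the raw line would still be pushed onto the `to` list, which is the failure this patch is meant to remove. Matching the field generically, for example `#\d+$`, would avoid that.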
Bug#346212: diff contains error
The part

    $line =~ s/ (\d+),\d+#01//;
    if ($1) {
      $line = substr($line, 0, length($line)-$1-1);
    }

should actually be:

    $line =~ s/ (\d+),\d+#01//;
    if (defined $1) {
      $line = substr($line, 0, length($line)-$1-1);
    }

Otherwise length 0 for errors_to address is not handled correctly.

--- mailscanner-4.41.3.orig/lib/MailScanner/Exim.pm 2005-03-27 19:37:10.0 +0200 +++ mailscanner-4.41.3.corrected/lib/MailScanner/Exim.pm2006-01-06 13:48:33.0 +0100 @@ -415,7 +415,15 @@ # Add recipient to message data # but deal with special lines first # (when one_time option is being used) + + # strips old special content ( v4.10) $line =~ s/ \d+,\d+,\d+$//; + # strips new special content (= v4.10) + $line =~ s/ (\d+),\d+#01$//; + if (defined $1) { +$line = substr($line, 0, length($line)-$1-1); + } + push @{$message-{to}}, $line; } }
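Review bot: the added `if (defined $1)` reads `$1` without checking that the preceding `s/ (\d+),\d+#01$//` actually matched. Perl leaves the capture variables unchanged when a match fails, so on a plain recipient line `$1` can still hold a number captured by an earlier successful match in the enclosing scope, and the `substr` would then cut characters off a valid address. Branch on the substitution itself instead: `if ($line =~ s/ (\d+),\d+#01$//) { ... }`.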
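The recipient-line handling discussed in the two messages above, as an added stand-alone example; it is not MailScanner's code and not the patch submitted in this report. The helper name `strip_one_time_data` is hypothetical, the sample lines are constructed, and the flag bits are assumed to be decimal digits. It branches on the match rather than on `$1`, and uses the length field so that an address containing spaces is kept intact.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not MailScanner's ReadQf: return the bare recipient
# address from one recipient line of an Exim -H spool file.
sub strip_one_time_data {
    my ($line) = @_;

    # Pre-4.10 trailer, as matched by the existing Exim.pm regexp.
    return $line if $line =~ s/ \d+,\d+,\d+$//;

    # 4.10+ trailer: " errors_to length,parent#flags".
    # Branch on the match itself: after a failed match $1 still holds
    # whatever an earlier successful match captured.
    if ($line =~ / (\d+),\d+#\d+$/) {    # assumption: flag bits are digits
        my ($len, $trailer_at) = ($1, $-[0]);
        # Offset of the space that separates the address from errors_to.
        my $cut = $trailer_at - $len - 1;
        # Trust the length field only if it really points at that space.
        return substr($line, 0, $cut)
            if $cut > 0 && substr($line, $cut, 1) eq ' ';
        warn "inconsistent one_time data: $line\n";
        return;
    }
    return $line;    # plain recipient line, nothing to strip
}

# Constructed sample lines, not taken from a real spool file.
my @samples = (
    'rcpt@example.org',                                   # no one_time data
    'rcpt@example.org 1,2,0',                             # pre-4.10 trailer
    'rcpt@example.org bounce@example.net 18,1#01',        # errors_to, 18 chars
    'rcpt@example.org  0,1#01',                           # empty errors_to
    '"john doe"@example.org bounce@example.net 18,1#01',  # space in address
    'rcpt@example.org bounce@example.net 99,1#01',        # bad length field
);
for my $s (@samples) {
    my $addr = strip_one_time_data($s);
    printf "%-52s => %s\n", $s, defined $addr ? $addr : '(rejected)';
}
```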
Bug#346083: Solution
The following diff fixes this issue. The problem was in fact that $msg->{to} is empty in MailScanner/Config.pm (around line 446):

    if ($direction =~ /t/) {
      # Match against every To address
      if (defined $tooverride) {
        push @matches, split(" ",$value) if $tooverride =~ /$regexp/;
      } else {
        foreach $to (@{$msg->{to}}) {
          push @matches, split(" ",$value) if $to =~ /$regexp/;
        }
      }
    }

The reason is that Config (MailScanner/Config.pm) is called from MailScanner/Quarantine.pm with the wrong message argument: $this instead of $message.

--- mailscanner-4.41.3.orig/lib/MailScanner/Quarantine.pm 2005-03-20 13:50:57.0 +0100 +++ mailscanner-4.41.3.corrected/lib/MailScanner/Quarantine.pm 2006-01-06 15:34:41.0 +0100 @@ -191,7 +191,7 @@ # messages, not just infections. umask $this-{fileumask}; if ($message-{allreports}{} || - MailScanner::Config::Value('quarantinewholemessage',$this) =~ /1/) { + MailScanner::Config::Value('quarantinewholemessage',$message) =~ /1/) { #print STDERR Saving entire message to $msgdir\n; MailScanner::Log::InfoLog(Saved entire message to $msgdir); $message-{store}-CopyEntireMessage($message, $msgdir, 'message',
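Review bot: the corrected condition still tests the result with the unanchored `=~ /1/`, which accepts any value that merely contains a 1; if this option only ever yields 0 or 1, an exact comparison would be tighter. Separately, since `Config::Value` took `$this` here without any error, it would be worth checking the other `MailScanner::Config::Value(...)` calls in Quarantine.pm for the same argument mix-up before this goes upstream.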
Bug#346083: mailscanner: Ruleset for Quarantine Whole Message not evaluated correctly
Package: mailscanner
Version: 4.41.3-2
Severity: normal

*** Please type your report below this line ***

Main problem
************

The problem occurs on a production mail server (so running in debug mode is not easily feasible):

In /etc/MailScanner/MailScanner.conf:

    Quarantine Whole Message = yes

works.

    Quarantine Whole Message = %rules%/quarantine.whole.message.rules

also works *IF* it contains

    XY: default yes

(XY = From, To, or FromOrTo). If the default given in the rules file is no, then no matter what the yes rules look like, the message is not quarantined whole.

I specifically tested this by sending a message containing an EICAR attachment to [EMAIL PROTECTED], while the rules file contains:

    To: [EMAIL PROTECTED] yes

and

    To: /[EMAIL PROTECTED]/ yes
    To: /^(?i-xsm:[EMAIL PROTECTED])$/ yes

and other -- simpler -- possibilities like:

    To: /myusername/ yes
    To: [EMAIL PROTECTED] yes

If the default line is no:

    From: default no

or:

    FromOrTo: default no

then the message is not quarantined whole. Other MailScanner options referring to rulesets work the way they are expected to.

Log file excerpts
*****************

/var/log/mail.log says:

Jan 5 12:39:56 dmx001 MailScanner[32025]: Virus and Content Scanning: Starting
Jan 5 12:39:56 dmx001 MailScanner[32025]: /1EuTTH-0008Ly-JB/eicar.txt Found: EICAR test file NOT a virus.
Jan 5 12:39:56 dmx001 MailScanner[32025]: Virus Scanning: McAfee found 1 infections
Jan 5 12:39:56 dmx001 MailScanner[32025]: Infected message 1EuTTH-0008Ly-JB came from ***.***.***.***
Jan 5 12:39:56 dmx001 MailScanner[32025]: Virus Scanning: Found 1 viruses
Jan 5 12:39:56 dmx001 MailScanner[32025]: Saved infected eicar.txt to /var/spool/MailScanner/quarantine/20060105/1EuTTH-0008Ly-JB
Jan 5 12:39:56 dmx001 MailScanner[32025]: Uninfected: Delivered 1 messages
Jan 5 12:39:56 dmx001 MailScanner[32025]: Silent: Delivered 1 messages containing silent viruses
Jan 5 12:39:56 dmx001 MailScanner[32025]: Notices: Warned about 1 messages

/var/log/mail.info contains the same, /var/log/mail.warn and /var/log/mail.err are empty.

/var/log/exim4/mainlog says:

2006-01-05 12:39:55 1EuTTH-0008Ly-JB = [EMAIL PROTECTED] H= [***.***.***.***] P=smtp S=851
2006-01-05 12:39:56 1EuTTI-0008N7-KY = [EMAIL PROTECTED] U=Debian-exim P=local S=1562
2006-01-05 12:39:57 1EuTTH-0008Ly-JB = [EMAIL PROTECTED] R=smarthost_102mx T=remote_smtp H=10.16.24.9 [10.16.24.9]
2006-01-05 12:39:57 1EuTTH-0008Ly-JB Completed
2006-01-05 12:39:57 1EuTTI-0008N7-KY = [EMAIL PROTECTED] R=smarthost_102mx T=remote_smtp H=10.16.24.9 [10.16.24.9]
2006-01-05 12:39:57 1EuTTI-0008N7-KY Completed

Additional information
**********************

Notify Senders is no for the To address I am testing with (ruleset -- works: I -- the sender -- am not notified of the virus).
Silent Viruses contains AllViruses.
Still Deliver Silent Viruses is yes for the To address I am testing with (ruleset -- works: I do receive the message without the virus infected attachment).
Notices To contains the same address that I am testing with, i.e. [EMAIL PROTECTED]. (ruleset -- works: I do get a virus report).
Quarantine Message As Queue Files is no at the moment, but with yes the behavior is the same as described above.
Virus Scanning is on.
Spam Detection is off.
Possible problem location
*************************

I have had a look at the source code, and here is my very humble opinion about where the problem might be located -- please take it with a grain of salt:

The problem seems to be somewhere around the AllMatchesValue sub in MailScanner/Config.pm: quarantinewholemessage is of category all and of type yesno. The block responsible for finding matches should be (around line 446):

    if ($direction =~ /t/) {
      # Match against every To address
      if (defined $tooverride) {
        push @matches, split(" ",$value) if $tooverride =~ /$regexp/;
      } else {
        foreach $to (@{$msg->{to}}) {
          push @matches, split(" ",$value) if $to =~ /$regexp/;
        }
      }
    }

For messages with one recipient only, it looks like $msg->{to} is empty -- $tooverride is undefined.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mailscanner depends on:
ii  debconf                     1.4.30.13      Debian configuration management sy
ii  exim4                       4.50-8         metapackage to ease exim MTA (v4)
ii  exim4-daemon-light [mail-tr 4.50-8         lightweight exim MTA (v4) daemon
ii  libarchive-zip-perl         1.14-1         Module for manipulation of ZIP arc
ii  libcompress-zlib-perl       1.34-1         Perl module for creation and manip
ii  libconvert-binhex-perl      1.119-2        Perl5 module for extracting data f
ii  libconvert-tnef-perl        0.17-4         Perl module to read TNEF files
ii  libhtml-parser-perl         3.45-2         A collection of modules that parse
ii  libmime-perl