amavisd-new, redhat linux 9, sendmail and AVG virus scanner

I have installed the AVG virus scanner daemon on Redhat Linux 9, hooked up Dazuko, and also (I think) configured amavisd-new so that it uses the AVG scanner (when I run the amavisd-new daemon in debug mode it apparently starts up fine and connects to the AVG scanner).

However, I'm now having trouble hooking amavisd-new up to sendmail. I added the following lines to sendmail.mc and regenerated sendmail.cf:

dnl
dnl Change Mlocal to use AMaViS-Perl
define(`AMAVIS_LOCAL_MAILER_ARGS', `-d $u')
define(`LOCAL_MAILER_ARGS',`amavis $f $u' LOCAL_MAILER_PATH AMAVIS_LOCAL_MAILER_ARGS)dnl
define(`LOCAL_MAILER_PATH', `/usr/sbin/amavis')dnl
dnl please set the path to your procmail accordingly!
dnl the following works only with sendmail 8.10.x or above
MODIFY_MAILER_FLAGS(`LOCAL', `-m-f-r')dnl

I then restarted sendmail, and sent myself a test message. This got bounced with an error 255. The error log shows the following

Mar 27 10:59:36 garcia sendmail[4995]: starting daemon (8.12.8): SMTP+queueing@01:00:00
Mar 27 10:59:36 garcia sm-msp-queue[5004]: starting daemon (8.12.8): queueing@01:00:00
Mar 27 11:00:43 garcia sendmail[5017]: i2RB0fDD005017: from=<drjohnbrooke@hotmail.com>, size=830, class=0, nrcpts=1, msgid=<Sea2-F41iCMI2q5Knp50002bd4e@hotmail.com>, proto=ESMTP, daemon=MTA, relay=sea2-f41.sea2.hotmail.com [207.68.165.41]
Mar 27 11:00:43 garcia amavisd[5019]: starting.  amavis 0.3.12 Tue Jan 27 18:30:14 GMT 2004
Mar 27 11:00:44 garcia amavisd[5022]: mail forwarding failed, retry: Insecure dependency in exec while running with -T switch at /usr/sbin/amavis line 581, <GEN0> line 26. (message-id=<Sea2-F41iCMI2q5Knp50002bd4e@hotmail.com>)
Mar 27 11:00:44 garcia amavisd[5022]: do_exit:481 - ending execution with 75
Mar 27 11:00:44 garcia amavisd[5019]: do_exit:594 - ending execution with 255
Mar 27 11:00:44 garcia sendmail[5018]: i2RB0fDD005017: to=<drjohn@contingent-solutions.com>, delay=00:00:02, xdelay=00:00:01, mailer=local, pri=31044, dsn=5.3.0, stat=unknown mailer error 255
Mar 27 11:00:44 garcia sendmail[5018]: i2RB0fDD005017: i2RB0iDD005018: DSN: unknown mailer error 255
Mar 27 11:00:45 garcia sendmail[5018]: i2RB0iDD005018: to=<drjohnbrooke@hotmail.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32068, relay=mx4.hotmail.com. [65.54.167.230], dsn=2.0.0, stat=Sent ( <200403271100.i2RB0iDD005018@localhost.localdomain> Queued mail for delivery)

So what am I doing wrong here?

John
Karl Heinz Kremer Commented:
It looks like Amavis has a problem with the Perl -T flag ('tainted') - or the other way around. I found one report (even though for RH 8) that describes this symptom: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107532
- unfortunately without a solution.

You could try to upgrade to a newer version of Amavis.
You could also try to remove the -T from the first line of the /usr/sbin/amavis script - BUT THIS MAY OPEN YOUR SYSTEM TO SECURITY PROBLEMS.
 
JohnBrookeContingent (Author) Commented:
I'm using amavisd-new-200030616 - is there something newer than this?

I went back to the README files for amavisd-new and the configuration change they recommend is to put in

MODIFY_MAILER_FLAGS(`LOCAL',`-r')dnl
define(`LOCAL_MAILER_ARGS',`amavis $f $u --' LOCAL_MAILER_PATH `-d $u')dnl
define(`LOCAL_MAILER_PATH',`/usr/local/sbin/amavis')dnl

However, this still doesn't work. The message doesn't get bounced this time, it gets deferred....

Mar 27 12:15:14 garcia sendmail[5614]: i2RCFDR8005614: from=<drjohnbrooke@hotmail.com>, size=819, class=0, nrcpts=1, msgid=<Sea2-F20AODDD3OaiPZ0002c108@hotmail.com>, proto=ESMTP, daemon=MTA, relay=sea2-f20.sea2.hotmail.com [207.68.165.20]
Mar 27 12:15:14 garcia amavisd[5616]: starting.  amavis 0.3.12 Tue Jan 27 18:30:14 GMT 2004
Mar 27 12:15:15 garcia amavisd[5619]: mail forwarding failed, retry: Insecure dependency in exec while running with -T switch at /usr/local/sbin/amavis line 581, <GEN0> line 25. (message-id=<Sea2-F20AODDD3OaiPZ0002c108@hotmail.com>)
Mar 27 12:15:15 garcia amavisd[5619]: do_exit:481 - ending execution with 75
Mar 27 12:15:15 garcia amavisd[5616]: do_exit:594 - ending execution with 75
Mar 27 12:15:15 garcia sendmail[5615]: i2RCFDR8005614: to=<drjohn@contingent-solutions.com>, delay=00:00:02, xdelay=00:00:01, mailer=local, pri=31033, dsn=4.0.0, stat=Deferred: local mailer (/usr/local/sbin/amavis) exited with EX_TEMPFAIL

The problem still seems to be the -T switch.

What exactly is the security issue? I don't want to open security holes, I'm trying to close them!!

 
Karl Heinz Kremer Commented:
The -T switch makes Perl scripts more secure. You can find more about this in this FAQ: http://gunther.web66.com/FAQS/taintmode.html

 
Karl Heinz Kremer Commented:
What exactly is line 581 in the amavis script? Which version of Perl are you running?
 
JohnBrookeContingent (Author) Commented:
The section of the amavis script in question is

        # sending mail, sendmail version
        # For sendmail, we call the "real" local delivery agent
                                                                               
        open(MAIL, "|-") || exec($LDA, @LDAARGS);
        while (<$fh>) {
                next if ($seen_xheader == 0 && m/^$X_HEADER_TAG:/o);
                if ($seen_xheader == 0 && m/\A\r?\n\Z/) {
                        print MAIL "$X_HEADER_TAG: $X_HEADER_LINE\n";
                        $seen_xheader = 1;
                }
                print MAIL $_;
        }
                                                                               
        close(MAIL);

Line 581 is the "open (MAIL, "|-") || exec($LDA, @LDAARGS);"

I seem to be running Perl v5.8.0.
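
What taint mode enforces at a call like the exec quoted above, as an added example that is not taken from the amavis script or from this thread: data arriving from outside the program (here the command line) is marked tainted, and only a regex capture clears the mark. `/bin/echo` stands in for the real local delivery agent and `untaint_recipient` is a hypothetical helper.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

$| = 1;    # flush our diagnostics before exec replaces the process

# Child processes get a fixed environment instead of the inherited (tainted) one.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

# Assumption: /bin/echo is a harmless stand-in for the delivery agent ($LDA).
my $lda = '/bin/echo';

# Return an untainted copy of a recipient, or undef if it fails the allow-list.
# The leading [A-Za-z0-9] also stops a value such as "-f" being read as an option.
sub untaint_recipient {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9][A-Za-z0-9._+-]*(?:\@[A-Za-z0-9.-]+)?)\z/
        ? $1
        : undef;
}

my $raw = shift @ARGV;
die "usage: perl -T $0 recipient\n" unless defined $raw;
printf "from argv: tainted=%d\n", tainted($raw) ? 1 : 0;

my $rcpt = untaint_recipient($raw);
unless (defined $rcpt) {
    warn "rejected recipient, deferring\n";
    exit 75;    # EX_TEMPFAIL, the status sendmail reports in the log above
}
printf "validated: tainted=%d\n", tainted($rcpt) ? 1 : 0;

# List form: no shell is involved, and every argument has passed validation.
exec($lda, '-d', $rcpt) or die "exec $lda failed: $!\n";
```

Run it as `perl -T taint_demo.pl someone@example.com` (the file name is arbitrary); perl refuses to start a script that has -T on the #! line unless -T is also given on the command line.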
 
Karl Heinz Kremer Commented:
I'm also using Perl v5.8.0, my Amavis version is 0.3.12pre8 (Mar 17 2003), and it does not have this line (and I also don't have this problem). Maybe the solution is not to install a newer version, but an older version of Amavis.
 
JohnBrookeContingent (Author) Commented:
Well, I tried running the Amavis script without the -T switch on Perl, and it didn't fall over but any messages went into some sort of black hole somewhere and never re-emerged. I'll investigate going backwards to an older version of Amavis, though at the moment I can't find the particular version you're running.
 
JohnBrookeContingent (Author) Commented:
In the end I switched from Sendmail to Postfix - it was a lot easier to configure amavisd to work with it....
 
modulo Commented:
PAQed, with points refunded (125)

modulo
Community Support Moderator