• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1010
  • Last Modified:

amavisd-new, redhat linux 9, sendmail and AVG virus scanner

I have installed the AVG virus scanner daemon on Redhat Linux 9, hooked up Dazuko, and also (I think) configured amavisd-new so that it uses the AVG scanner (when I run the amavisd-new daemon in debug mode it apparently starts up fine and conencts it to the avg scanner).

However, I'm now having trouble hooking amavisd-new up to sendmail. amavisd. I added the following lines to sendmail.mc and regenerated sendmail.cf

dnl Change Mlocal to use AMaViS-Perl
define(`AMAVIS_LOCAL_MAILER_ARGS', `-d $u')
define(`LOCAL_MAILER_PATH', `/usr/sbin/amavis')dnl
dnl please set the path to your procmail accordingly!
dnl the following works only with sendmail 8.10.x or above

I then restarted sendmail, and sent myself a test message. This got bounced with an error 255. The error log shows the following

Mar 27 10:59:36 garcia sendmail[4995]: starting daemon (8.12.8): SMTP+queueing@01:00:00
Mar 27 10:59:36 garcia sm-msp-queue[5004]: starting daemon (8.12.8): queueing@01:00:00
Mar 27 11:00:43 garcia sendmail[5017]: i2RB0fDD005017: from=<drjohnbrooke@hotmail.com>, size=830, class=0, nrcpts=1, msgid=<Sea2-F41iCMI2q5Knp50002bd4e@hotmail.com>, proto=ESMTP, daemon=MTA, relay=sea2-f41.sea2.hotmail.com []
Mar 27 11:00:43 garcia amavisd[5019]: starting.  amavis 0.3.12 Tue Jan 27 18:30:14 GMT 2004
Mar 27 11:00:44 garcia amavisd[5022]: mail forwarding failed, retry: Insecure dependency in exec while running with -T switch at /usr/sbin/amavis line 581, <GEN0> line 26. (message-id=<Sea2-F41iCMI2q5Knp50002bd4e@hotmail.com>)
Mar 27 11:00:44 garcia amavisd[5022]: do_exit:481 - ending execution with 75
Mar 27 11:00:44 garcia amavisd[5019]: do_exit:594 - ending execution with 255
Mar 27 11:00:44 garcia sendmail[5018]: i2RB0fDD005017: to=<drjohn@contingent-solutions.com>, delay=00:00:02, xdelay=00:00:01, mailer=local, pri=31044, dsn=5.3.0, stat=unknown mailer error 255
Mar 27 11:00:44 garcia sendmail[5018]: i2RB0fDD005017: i2RB0iDD005018: DSN: unknown mailer error 255
Mar 27 11:00:45 garcia sendmail[5018]: i2RB0iDD005018: to=<drjohnbrooke@hotmail.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32068, relay=mx4.hotmail.com. [], dsn=2.0.0, stat=Sent ( <200403271100.i2RB0iDD005018@localhost.localdomain> Queued mail for delivery)

So what am I doing wrong here?

  • 4
  • 4
1 Solution
Karl Heinz KremerCommented:
It looks like Amavis has a problem with the Perl -T flag ('tainted') - or the other way around. I found one report (even though for RH 8) that describes this symptom: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107532
- unfortunately without a solution.

You could try to upgrade to a newer version of Amavis.
You could also try to remove the -T from the first line of the /usr/sbin/amavis script - BUT THIS MAY OPEN YOUR SYSTEM TO SECURITY PROBLEMS.
JohnBrookeContingentAuthor Commented:
I'm using amavisd-new-200030616 - is there something newer than this?

I went back to the README files for amavisd-new and the configuration change they recommend is to put in

define(`LOCAL_MAILER_ARGS',`amavis $f $u --' LOCAL_MAILER_PATH `-d $u')dnl

However, this still doesn't work. The message doesn't get bounced this time, it gets deferred....

Mar 27 12:15:14 garcia sendmail[5614]: i2RCFDR8005614: from=<drjohnbrooke@hotmail.com>, size=819, class=0, nrcpts=1, msgid=<Sea2-F20AODDD3OaiPZ0002c108@hotmail.com>, proto=ESMTP, daemon=MTA, relay=sea2-f20.sea2.hotmail.com []
Mar 27 12:15:14 garcia amavisd[5616]: starting.  amavis 0.3.12 Tue Jan 27 18:30:14 GMT 2004
Mar 27 12:15:15 garcia amavisd[5619]: mail forwarding failed, retry: Insecure dependency in exec while running with -T switch at /usr/local/sbin/amavis line 581, <GEN0> line 25. (message-id=<Sea2-F20AODDD3OaiPZ0002c108@hotmail.com>)
Mar 27 12:15:15 garcia amavisd[5619]: do_exit:481 - ending execution with 75
Mar 27 12:15:15 garcia amavisd[5616]: do_exit:594 - ending execution with 75
Mar 27 12:15:15 garcia sendmail[5615]: i2RCFDR8005614: to=<drjohn@contingent-solutions.com>, delay=00:00:02, xdelay=00:00:01, mailer=local, pri=31033, dsn=4.0.0, stat=Deferred: local mailer (/usr/local/sbin/amavis) exited with EX_TEMPFAIL

The problem still seems to be the -T switch.

What exactly is the security issue? I don't want to open security holes, I'm trying to close them!!

Karl Heinz KremerCommented:
The -T switch makes Perl scripts more secure. You can find more about this in this FAQ: http://gunther.web66.com/FAQS/taintmode.html

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Karl Heinz KremerCommented:
What exactly is line 581 in the amavis script? Which version of Perl are you running?
JohnBrookeContingentAuthor Commented:
The section of the amavis script in question is

        # sending mail, sendmail version
        # For sendmail, we call the "real" local delivery agent
        open(MAIL, "|-") || exec($LDA, @LDAARGS);
        while (<$fh>) {
                next if ($seen_xheader == 0 && m/^$X_HEADER_TAG:/o);
                if ($seen_xheader == 0 && m/\A\r?\n\Z/) {
                        print MAIL "$X_HEADER_TAG: $X_HEADER_LINE\n";
                        $seen_xheader = 1;
                print MAIL $_;

Line 581 is the "open (MAIL, "|-") || exec($LDA, @LDAARGS);"

I seem to be running Perl v5.8.0.
Karl Heinz KremerCommented:
I'm also using Perl v5.8.0, my Amavis version is 0.3.12pre8 (Mar 17 2003), and it does not have this line (and I also don't have this problem). Maybe the solution is not to install a newer version, but an older version of Amavis.
JohnBrookeContingentAuthor Commented:
Well, I tried running the Amavis script without the -T switch on Perl, and it didn't fall over but any messages went into some sort of black hole somewhere and never re-emerged. I'll investigate going backwards to an older version of Amavis, though at the moment I can't find the particular version you're running.
JohnBrookeContingentAuthor Commented:
In the end I switched from Sendmail to Postfix - it was a lot easier to configure amavisd to work with it....
PAQed, with points refunded (125)

Community Support Moderator
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now