Upgrade amavisd-new

Home

So, you would like to upgrade your Debian Sarge box from amavisd-new version 20030616-p10 to amavisd-new 2.2.1. Amavisd-new 2.2.1 has many more configuration options available making it a more flexible yet more complex system. I have to admit, there are many configuration options I do not understand. The main reason I wanted to upgrade is because it is now possible to send email containing banned files or bad headers to quarantine areas that are no longer common to the virus quarantine area. This new version of amavisd-new also has better integration with SpamAssassin, better support on the mailing list, adds new features and is more secure.

There are innumerable ways to approach this upgrade. The method I have chosen will use the very verbose, but very informative amavisd.conf-sample file as a basis for the new configuration. While this new version will likely run on a completely unmodified 20030616-p10 configuration file, doing so will likely mask problems (like quarantining banned files to a local file instead of sending them to a mailbox). There are a few new settings that will have to be added to our new configuration file to make amavisd-new work properly and some old configuration settings will get replaced with new 2.2.1 style settings because they work better. Upgrading this way will introduce us to many of the new features and familiarize us with the syntax of 2.2.1. If you use Maia Mailguard, this upgrade will of course kill it. This upgrade assumes you are not using LDAP or SQL for data tables. If you are, you will need to figure out if there are new configuration syntaxes for those. It also assumes you built your spamfilter using the instructions at http://verchick.com/mecham/public_html/spam/spamfilter20041003.html. Read the disclaimer in the parent document.

Here is a general overview of the process:

1. Start with a fully configured and working 20030616-p10 installation.

2. Download the source code for version 2.2.1.

3. Make backup copies of /etc/amavis/amavisd.conf and /usr/sbin/amavisd-new.

4. Create a scratch copy of our current amavisd.conf with all the comments removed to make it easier to read.

5. Insure all of the external modules amavisd-new uses are up to date.

6. Modify a copy of amavisd.conf-sample (amavisd.conf-2.2.1) as needed by comparing it to our scratch file side-by-side.

7. Stop amavisd-new

8. Replace /etc/amavis/amavisd.conf and /usr/sbin/amavisd-new with the new files.

9. Start amavisd.new.

10. If it crashes, stop amavisd-new, restore from backup, start amavisd-new.

Make sure we are prepared for some of the new features:

mkdir /var/lib/amavis/tmp
mkdir /var/lib/amavis/db
mkdir /var/lib/amavis/var
ln -s /etc/amavis/amavisd.conf /etc/amavisd.conf
chown -R amavis:amavis /var/lib/amavis
chmod -R 750 /var/lib/amavis

In this section, we download source, make multiple backup copies of our 20030616-p10 files and create a copy of amavisd.conf-sample which is the configuration file we will work with until we are ready to actually do the upgrade:

cd /usr/local/src
wget http://www.ijs.si/software/amavisd/amavisd-new-2.2.1.tar.gz
tar xzvf amavisd-new-2.2.1.tar.gz
rm amavisd-new-2.2.1.tar.gz
cp /usr/local/src/amavisd-new-2.2.1/amavisd /usr/sbin/amavisd-new-2.2.1
cp /usr/local/src/amavisd-new-2.2.1/amavisd.conf-sample /etc/amavis/amavisd.conf-2.2.1
cp /etc/amavis/amavisd.conf /etc/amavis/amavisd.conf-20030616
cp /etc/amavis/amavisd.conf /etc/amavis/amavisd.conf-20030616-extra-backup
cp /usr/sbin/amavisd-new /usr/sbin/amavisd-new-20030616
cp /usr/sbin/amavisd-new /usr/sbin/amavisd-new-20030616-extra-backup
grep -vE "^$|^#" /etc/amavis/amavisd.conf > /etc/amavis/amavisd.conf-20030616-short

It's a good idea to make sure all of the external modules amavisd-new requires are up to date. You should exercise caution here because in order to solve dependencies, apt-get may upgrade Perl. This is at times a bad thing, but I personally have had no problem when it does. You may possibly need to reinstall any Perl modules you installed via CPAN if apt-get upgrades Perl. I strongly suggest you have a good backup of your hard drive before you continue.

apt-get update

apt-get install file libarchive-tar-perl libarchive-zip-perl libcompress-zlib-perl
 libconvert-tnef-perl libconvert-uulib-perl libberkeleydb-perl
  libmailtools-perl libdb4.3-dev libmime-perl libnet-perl libnet-dns-perl libconvert-binhex-perl 
  libnet-server-perl libunix-syslog-perl arj nomarch unrar pax

If Perl was upgraded when you installed the programs above, Perl may not be able to find programs you installed via CPAN (I personally have not had this problem, but others claim to). I suggest looking in your /root/.cpan/build directory for a list of files you installed. Rather than using CPAN to reinstall the programs, use apt-get as much as possible. I found 4 files in my /root/.cpan/build directory: Bit-Vector (Bit::Vector), Carp-Clan (Carp::Clan), Date-Calc (Date::Calc) and File-MMagic (File::MMagic). I then installed the equivalent Debian packages libbit-vector-perl, libcarp-clan-perl, libdate-calc-perl and libfile-mmagic-perl to replace them. I find http://packages.debian.org/testing/allpackages useful for finding package names. Note that if you have a Perl program installed in more than one directory that the first one found in the path will be used. This means that just because we install a Debian version does not guarantee that it will be used. In fact, from my experience, if a CPAN version exists, it will be used.

I suggest you read the amavisd-new RELEASE_NOTES, most notably the release notes for amavisd-new-20040701 which was the first of the 2.0 versions. This section will illustrate the most important changes since 20030616-p10 and will explain most of the new features of the 2.0 variants.

If you are a Windows user like me, this upgrade will go much easier by using WordPad (or Notepad) to display the old amavisd.conf file, and the WinSCP editor to edit /etc/amavis/amavisd.conf-2.2.1. Open up WinSCP and edit /etc/amavis/amavisd.conf-20030616-short. Select the all the text and copy it to the clipboard, then close the editor. Open up WordPad and paste the entire contents into it. You may optionally save the document. Size the WordPad window so it fills the left hand side of your screen. Size the WinSCP window so it fills the right hand side of your screen. Now open up /etc/amavis/amavisd.conf-2.2.1 and size it to also fit the right hand side of your screen. So, obviously the idea is to transfer settings from the old file on the left hand to the new file on the right hand. Below is step-by-step notation of the parameters that were changed in my amavisd.conf-2.2.1 file during this process, yours may/will be different:


$MYHOME

$mydomain

$daemon_user

$daemon_group

$pid_file

$lock_file



$enable_db (new setting)

$enable_global_cache (new setting)

Note: If you get errors when you first start your 2.2.1 program up, the first thing I would do is disable those two new settings. However, if you leave these settings disabled you will loose some new features of 2.x.x (like amavisd-nanny). It is also a known problem that on a busy server, BerkeleyDB may run out of locker entries and as a result amavisd-new will begin refusing mail, causing mail to back up in the Postfix deferred queue.





$max_servers

$max_requests

Instead of the old @local_domains_acl, I used the new @local_domains_maps in the form:


@local_domains_maps = ( [ '.domain1.com', '.domain2.com', '.domain3.com' ] );



$relayhost_is_client (had to add this)

$insert_received_line

$unix_socketname

$inet_socket_port

$inet_socket_bind

Use the new default for @inet_acl, not the old one

 

Uncomment @mynetworks

(and the line below it) and change the IP addresses to match "mynetworks" in your Postfix main.cf (postconf mynetworks)




$LOGFILE



$log_level

is your choice, but in this version, set it to 2 to get useful log files unless you are a busy site and need to reduce the size of the log files or simply don't need the extra information. In that case, set to 0. I set mine to 0.








You most likely will not want to be annoyed by every message amavisd-new Blocks,


so edit this file using vi or the WinSCP editor:

vi /etc/logcheck/ignore.d.server/amavisd-new



At the bottom, you will find the text:

amavis\[[0-9]+\]: +(\([-0-9]+\) +)?(SPAM|Not-Delivered|Passed|BANNED|INFECTED)



Change this to:

amavis\[[0-9]+\]: +(\([-0-9]+\) +)?(Blocked|SPAM|Not-Delivered|Passed|BANNED|INFECTED)








There is a new $log_templ

You have your choice of the new style or the old style. If you want to use the old style, uncomment the entries below "# log template compatible with amavisd-new-20030616-p10:". You can also modify the new style by uncommenting it, modifying it as you wish, and commenting out the old style. This is important: If you use the new style, remove not only the #, but also the one space character that follows it. There is no need to copy and paste the $log_templ section from your old config file.


read_l10n_templates

The Debian package maintainers created notification templates in different languages in subdirectories in /etc/amavis. If you would like to continue to use these templates, copy over the read_l10n_templates parameter from your old config. If you choose not to use them, amavisd-new will use the default (English) templates at the bottom the amavisd-new source code.



$final_virus_destiny

$final_banned_destiny

$final_spam_destiny

$final_bad_header_destiny



Rather that use the old $viruses_that_fake_sender_re, use the new @viruses_that_fake_sender_maps provided.



$virus_admin (and possibly $spam_admin)

$mailfrom_notify_admin

$mailfrom_notify_recip

$mailfrom_notify_spamadmin

$hdrfrom_notify_sender

$QUARANTINEDIR

$virus_quarantine_to



$banned_quarantine_to (new setting)

$bad_header_quarantine_to (new setting)

These new parameters must be configured. I suggest creating a new mailbox to send messages containing banned attachments to, "banned\@$mydomain", and treat them in a similar manner to spam messages. You can use the same mailbox for bad headers. Messages with bad headers do not get quarantined on my system because I have $final_bad_header_destiny = D_PASS; Set your 'banned' email client's SMTP server to your final destination server (your Exchange server) so when you forward mail out of this mailbox, it will not pass through the spamfilter again. If you have not done so already, you may wish to also have a separate mailbox for viruses (virii).


$spam_quarantine_to

$X_HEADER_LINE


$defang_virus (new setting)

$defang_banned (new setting)

These will wrap up the message into an attachment and give the recipient a warning about opening the attachment. It does not make the attachment safe to open. I personally do not defang, because I quarantine these messages and personally review them. Messages that end up in a quarantine do not get defanged.


Use the new @keep_decoded_original_maps instead of the old $keep_decoded_original_re



$banned_filename_re

has changed quite a bit. Add or remove items to meet your needs. Now is a good time to review what it is you ban. It is suggested to add wmf, emf and grp if not already present.

There is an entire new section called $banned_namepath_re. The syntax for configuring this is a little more complex and not as obvious as $banned_filename_re. I suggest you leave this alone for now and research it later if you desire. You can use $banned_filename_re or $banned_namepath_re, but not both. You will notice that at the end of $banned_namepath_re, the new style is disabled.

If you have virus_lovers or spam_lovers, you may wish to use the new @virus_lovers_maps and @spam_lovers_maps - read the examples for details.
Read about the new syntax of bypass_virus and bypass_spam.
You may need to set @bypass_virus_checks_maps = (1); if you wish to disable virus scanning.





$recipient_delimiter

$replace_existing_extension


$blacklist_sender_re and $whitelist_sender have been replaced with @score_sender_maps.

This new method uses "soft" white or black listing by modifying the SpamAssassin score by the numbers shown in the example. I suggest increasing the -3.0 negative scores (to something like -15.0) to insure mail from these senders is received. If you have customized this section, remember to add your senders here.

You may wish to comment out the @blacklist_sender_maps section as it is somewhat redundant but will definitely insure these senders are blacklisted.



Some of our most important settings:


$sa_local_tests_only

$sa_tag_level_deflt

$sa_tag2_level_deflt

$sa_kill_level_deflt

$sa_dsn_cutoff_level

You may wish to uncomment "#$first_infected_stops_scan = 1;"

In the @av_scanners section, configure AV scanners as you did in the old file. If you use ClamAV, make sure you edit the value after CONTSCAN so it matches your old config. I personally delete all the virus scanners I don't use. I keep ClamAV and BitDefender and delete or comment out all the rest. The only reason I do this is because it lessens the amount of data displayed when running amavisd-new debug. Remember that you must leave at least one backup scanner uncommented, whether it is used or not.

OK, save your file, then let's give it a try:

amavisd-new stop
cp /usr/sbin/amavisd-new-2.2.1 /usr/sbin/amavisd-new
cp /etc/amavis/amavisd.conf-2.2.1 /etc/amavis/amavisd.conf
amavisd-new debug

Watch for errors - send test mail through as usual.
If everything looks great, Ctrl+c then amavisd-new start
Enjoy.

If things don't go well, you will want to revert to 20030616-p10 until your problems are solved:

amavisd-new stop
cp /usr/sbin/amavisd-new-20030616 /usr/sbin/amavisd-new
cp /etc/amavis/amavisd.conf-20030616 /etc/amavis/amavisd.conf
amavisd-new start

If all goes well, make a backup copy of our new configuration file:

cp /etc/amavis/amavisd.conf /etc/amavis/amavisd.conf-2.2.1-backup

Since running apt-get upgrade or apt-get install amavisd-new will clobber our new installation, either don't do either of these, or revert back to 20030616-p10 during the upgrade, or use the instructions below to prevent amavisd-new from upgrading. Either way, just make sure you keep backup copies of each version of amavisd.conf and amavisd-new. If you used my amavisd-new hack for deleting high scoring spam, then you will need to use that document as a reference for modifying version 2.2.1.

To prevent the old version of amavisd-new from installing over our new one, place the package on hold:
echo "amavisd-new hold" | dpkg --set-selections

If in the future, you would like to take amavisd-new off hold:
echo "amavisd-new install" | dpkg --set-selections

Last updated 5/7/2005