[Avcheck] Announce: avcheck-0.6 and a website

Michael Tokarev mjt@tls.msk.ru
Sat, 10 Nov 2001 18:27:35 +0300 

Karsten Dambekalns wrote:
> 
[]
> Sounds good, but what version of postfix do you need for that? I have
> postfix-20010228-pl06 installed, but it says
> 
> postfix/pipe[5053]: fatal: unknown flag: q (ignored)

Doh!...  I suspected this but not checked...  Oh, ma... :(
This flag is available only in postfix snapshots.  Why
Wietse still not added it into stable code?  Well, Ok.
Please recompile avcheck with:

  rm -f avcheck
  make CFLAGS="-O -DQUOTEADDR"

(use appropriate -Oetc flags for your compiler, default is
"-O2 -Wall" for gcc).  This will restore back old pre-0.6
functionality, and there will be no need to use flags=q.

The fix will effectively be reverted back.

Ok, so some more words about the fix and the problem.

Some forms of addresses should be quoted in order to
be understood correctly by all standard mail software.
Example is "foo bar"@example.com - this exact form should
be used.

Postfix's pipe(8) agent will not do such quoting without
`flags=q', and will pass bare or raw address into avcheck
(and any other external program it configured to execute),
i.e. foo bar@example.com, in a single argument.  This is
a defect in postfix: raw address can't be accepted by any
postfix's injection software (sendmail or smtpd).

Avcheck will happily check the mail (it ignores address
syntax and the like) and will then try to reinject the
mail back into postfix.

When sendmail wrapper used for reinjection, it will
translate such an address (correctly passed as *one*
argument) into *two* addresses, making foo@$myorigin
and bar@example.com.  This is what Sendmail does --
a bizzare behaviour, but there is nothing we can do
against this -- Postfix's sendmail fllows Sendmail's
sendmail closely.  Obviously, this is not what we
want -- both addresses may be non-existent and shurely
not the original destinations.

When reinjecting using smtp, with strict_rfc822_envelopes=yes,
postfix's smtpd will reject such address in RCPT TO
command:
  RCPT TO:<foo bar@example.com>
the syntax is incorrect, it should be written as
  RCPT TO:<"foo bar"@example.com>
or
  RCPT TO:<foo\ bar@example.com>

Avcheck has had a workaround for this problem, by
unconditionnaly quoting any addresses when passing
them away.  This is incorrect too -- for example,
if avcheck called from Sendmail, it will see already
quoted addresses, so double quoting will result in
again incorrect address.  This is not an issue with
postfix, but it prevents avcheck to run properly with
other mailers.

But there is still an issue possible with postfix too,
having in mind infected mail handler.  When avcheck
detects an infected email, it calls it's `infected'
helper, passing *unquoted* addresses into it.  This
is intentional -- the same avcheck may be called from
within `infected' script to deliver virus notifications
via SMTP, and at this stage it will quote addresses.

But when `infected' script uses other means to send
a mail, it will use unquoted addresses too.  For example,
when sendmail wrapper used to (re)inject good mails or
notifications, `infected' script will call /usr/sbin/sendmail,
with unquoted addresses.

Let's draw a picture:

Quoting, using smtp:
 pipe =>rawaddr=> avcheck =>quotedaddr=> smtp

Quoting, using sendmail:
 pipe =>rawaddr=> avcheck =>quotedaddr=> sendmail

Quoting, using smtp, infected:
 pipe =>rawaddr=> avcheck =>rawaddr=> infected \
  =>rawaddr=> avcheck =>quotedaddr=> smtp

Quoting, using sendmail, infected:
 pipe =>rawaddr=> avcheck =>rawaddr=> infected \
  =>rawaddr=> sendmail
(in this case, avcheck isn't used for reinjection).
And sendmail will see raw unquoted addresses, this
is wrong.

If I'll change avcheck to quote addresses when passing
them into `infected' helper, smtp path will break,
since addresses will be quoted twice.

Note that the situation is very rare when smtp path
used for reinjection (with sendmail path, it is far
more possible): you should have *infected* email sent
from or to an address that needs quoting.

The real solution is to drop any attempts to quote
any addresses and always use one "external" format.
This is how the fix should work.  But that postfix
defect still here, and not allows us to really fix
the problem.

Well, an ugly and temporary workaround I see is to
add a flag, say, -q, to avcheck commandline, that
will indicate that addresses should or should not
be quoted.  Avcheck should expect *quoted* addresses
(i.e. no need to quote) *by default*, and -q flag
should tell that all addresses are "raw" and should
be quoted by avcheck.  That is, -q will mean to
enable a workaround for Postfix's defect, and when
postfix will be finally corrected, one will need
to add flags=q into pipe commandline and remove -q
from avcheck's commandline.  But note the twice
incompatibility - now all users with postfix's
release will need to add -q flag, and later them
will need to remove -q and add flags=q...  Bizzare...
But I see no real solution.  Any is ugly.  I'll
perhaps choose one that looks less ugly but breaks
compatibility -- i.e. described above.  Or should
I add more ugliness? ;)

Comments?

Well, expect version 0.6a soon...  But a workaround
(recompiling) described at the top will work now.

I'm sorry for inconsistence.

Regards,
 Michael.