[exim-cvs] cvs commit: exim/exim-doc/doc-docbook spec.xfpt …

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Phil Pennock
Date:  
À: exim-cvs
Sujet: [exim-cvs] cvs commit: exim/exim-doc/doc-docbook spec.xfpt exim/exim-doc/doc-txt ChangeLog NewStuff exim/exim-src/src EDITME config.h.defaults demime.c exim.c functions.h malware.c receive.c regex.c
pdp 2010/06/05 12:13:31 BST

  Modified files:
    exim-doc/doc-docbook spec.xfpt 
    exim-doc/doc-txt     ChangeLog NewStuff 
    exim-src/src         EDITME config.h.defaults demime.c exim.c 
                         functions.h malware.c receive.c regex.c 
                         spam.c spool_mbox.c 
  Log:
  ClamAV INSTREAM scanning by default, unless built with WITH_OLD_CLAMAV_STREAM.
  New command-line option, -bmalware (restricted to admin_user).
  Fixes: #926


  Revision  Changes    Path
  1.77      +31 -1     exim/exim-doc/doc-docbook/spec.xfpt
  1.621     +4 -0      exim/exim-doc/doc-txt/ChangeLog
  1.168     +17 -0     exim/exim-doc/doc-txt/NewStuff
  1.25      +9 -0      exim/exim-src/src/EDITME
  1.19      +1 -0      exim/exim-src/src/config.h.defaults
  1.10      +1 -1      exim/exim-src/src/demime.c
  1.66      +35 -2     exim/exim-src/src/exim.c
  1.49      +1 -1      exim/exim-src/src/functions.h
  1.19      +427 -177  exim/exim-src/src/malware.c
  1.55      +1 -1      exim/exim-src/src/receive.c
  1.8       +1 -1      exim/exim-src/src/regex.c
  1.18      +1 -1      exim/exim-src/src/spam.c
  1.15      +22 -10    exim/exim-src/src/spool_mbox.c


  Index: spec.xfpt
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-docbook/spec.xfpt,v
  retrieving revision 1.76
  retrieving revision 1.77
  diff -u -r1.76 -r1.77
  --- spec.xfpt    5 Jun 2010 10:04:43 -0000    1.76
  +++ spec.xfpt    5 Jun 2010 11:13:29 -0000    1.77
  @@ -1,4 +1,4 @@
  -. $Cambridge: exim/exim-doc/doc-docbook/spec.xfpt,v 1.76 2010/06/05 10:04:43 pdp Exp $
  +. $Cambridge: exim/exim-doc/doc-docbook/spec.xfpt,v 1.77 2010/06/05 11:13:29 pdp Exp $
   .
   . /////////////////////////////////////////////////////////////////////////////
   . This is the primary source of the Exim Manual. It is an xfpt document that is
  @@ -3169,6 +3169,17 @@
   Exim behaves in exactly the same way as it does when receiving a message via
   the listening daemon.


+.vitem &%-bmalware%&&~<&'filename'&>
+.oindex "&%-bmalware%&"
+.cindex "testing", "malware"
+.cindex "malware scan test"
+This debugging option causes Exim to scan the given file,
+using the malware scanning framework. The option of av_scanner influences
+this option, so if av_scanner's value is dependent upon an expansion then
+the expansion should have defaults which apply to this invocation. Exim will
+have changed working directory before resolving the filename, so using fully
+qualified pathnames is advisable. This option requires admin privileges.
+
.vitem &%-bt%&
.oindex "&%-bt%&"
.cindex "testing" "addresses"
@@ -13952,6 +13963,14 @@
the generic transport option &%message_size_limit%&, which limits the size of
message that an individual transport can process.

+If you use a virus-scanner and set this option to to a value larger than the
+maximum size that your virus-scanner is configured to support, you may get
+failures triggered by large mails. The right size to configure for the
+virus-scanner depends upon what data is passed and the options in use but it's
+probably safest to just set it to a little larger than this value. Eg, with a
+default Exim message size of 50M and a default ClamAV StreamMaxLength of 10M,
+some problems may result.
+

.option move_frozen_messages main boolean false
.cindex "frozen messages" "moving"
@@ -27884,8 +27903,16 @@
number, and a port, separated by space, as in the second of these examples:
.code
av_scanner = clamd:/opt/clamd/socket
-av_scanner = clamd:192.168.2.100 1234
+av_scanner = clamd:192.0.2.3 1234
+av_scanner = clamd:192.0.2.3 1234:local
.endd
+If the value of av_scanner points to a UNIX socket file or contains the local
+keyword, then the ClamAV interface will pass a filename containing the data
+to be scanned, which will should normally result in less I/O happening and be
+more efficient. Normally in the TCP case, the data is streamed to ClamAV as
+Exim does not assume that there is a common filesystem with the remote host.
+There is an option WITH_OLD_CLAMAV_STREAM in &_src/EDITME_& available, should
+you be running a version of ClamAV prior to 0.95.
If the option is unset, the default is &_/tmp/clamd_&. Thanks to David Saez for
contributing the code for this scanner.

@@ -28025,6 +28052,9 @@
use the &%demime%& condition (see section &<<SECTdemimecond>>&) before the
&%malware%& condition.

+Beware the interaction of Exim's &%message_size_limit%& with any size limits
+imposed by your anti-virus scanner.
+
Here is a very simple scanning example:
.code
deny message = This message contains malware ($malware_name)

  Index: ChangeLog
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
  retrieving revision 1.620
  retrieving revision 1.621
  diff -u -r1.620 -r1.621
  --- ChangeLog    5 Jun 2010 10:34:29 -0000    1.620
  +++ ChangeLog    5 Jun 2010 11:13:29 -0000    1.621
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.620 2010/06/05 10:34:29 pdp Exp $
  +$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.621 2010/06/05 11:13:29 pdp Exp $


   Change log file for Exim from version 4.21
   -------------------------------------------
  @@ -27,6 +27,10 @@
         an assumption that peers always have certificates.  Be a little more
         paranoid.  Problem reported by Martin Tscholak.


  +PP/08 Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content
  +      filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes
  +      NB: ClamAV planning to remove STREAM in "middle of 2010".
  +


Exim version 4.72
-----------------

  Index: NewStuff
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/NewStuff,v
  retrieving revision 1.167
  retrieving revision 1.168
  diff -u -r1.167 -r1.168
  --- NewStuff    5 Jun 2010 10:04:43 -0000    1.167
  +++ NewStuff    5 Jun 2010 11:13:29 -0000    1.168
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.167 2010/06/05 10:04:43 pdp Exp $
  +$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.168 2010/06/05 11:13:29 pdp Exp $


   New Features in Exim
   --------------------
  @@ -26,6 +26,23 @@
       so that safety mechanism would have to be overriden for this option to
       be able to take effect.


  + 3. ClamAV 0.95 is now required for ClamAV support in Exim, unless
  +    Local/Makefile sets: WITH_OLD_CLAMAV_STREAM=yes
  +    Note that this switches Exim to use a new API ("INSTREAM") and a future
  +    release of ClamAV will remove support for the old API ("STREAM").
  +
  +    The av_scanner option, when set to "clamd", now takes an optional third
  +    part, "local", which causes Exim to pass a filename to ClamAV instead of
  +    the file content.  This is the same behaviour as when clamd is pointed at
  +    a Unix-domain socket.  For example:
  +
  +      av_scanner = clamd:192.0.2.3 1234:local
  +
  + 4. There is now a -bmalware option, restricted to admin users.  This option
  +    takes one parameter, a filename, and scans that file with Exim's
  +    malware-scanning framework.  This is intended purely as a debugging aid
  +    to ensure that Exim's scanning is working, not to replace other tools.
  +


Version 4.72
------------

  Index: EDITME
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/EDITME,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- EDITME    3 Jun 2010 15:20:41 -0000    1.24
  +++ EDITME    5 Jun 2010 11:13:29 -0000    1.25
  @@ -1,4 +1,4 @@
  -# $Cambridge: exim/exim-src/src/EDITME,v 1.24 2010/06/03 15:20:41 jetmore Exp $
  +# $Cambridge: exim/exim-src/src/EDITME,v 1.25 2010/06/05 11:13:29 pdp Exp $


   ##################################################
   #          The Exim mail transport agent         #
  @@ -352,6 +352,15 @@


# WITH_OLD_DEMIME=yes

+# If you're using ClamAV and are backporting fixes to an old version, instead
+# of staying current (which is the more usual approach) then you may need to
+# use an older API which uses a STREAM command, now deprecated, instead of
+# zINSTREAM. If you need to set this, please let the Exim developers know, as
+# if nobody reports a need for it, we'll remove this option and clean up the
+# code. zINSTREAM was introduced with ClamAV 0.95.
+#
+# WITH_OLD_CLAMAV_STREAM=yes
+
#------------------------------------------------------------------------------
# By default Exim includes code to support DKIM (DomainKeys Identified
# Mail, RFC4871) signing and verification. Verification of signatures is

  Index: config.h.defaults
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/config.h.defaults,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- config.h.defaults    16 Nov 2009 19:50:36 -0000    1.18
  +++ config.h.defaults    5 Jun 2010 11:13:29 -0000    1.19
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/config.h.defaults,v 1.18 2009/11/16 19:50:36 nm4 Exp $ */
  +/* $Cambridge: exim/exim-src/src/config.h.defaults,v 1.19 2010/06/05 11:13:29 pdp Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -146,6 +146,7 @@


#define WITH_CONTENT_SCAN
#define WITH_OLD_DEMIME
+#define WITH_OLD_CLAMAV_STREAM

/* EXPERIMENTAL features */
#define EXPERIMENTAL_SPF

  Index: demime.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/demime.c,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- demime.c    22 Feb 2006 14:46:44 -0000    1.9
  +++ demime.c    5 Jun 2010 11:13:29 -0000    1.10
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/demime.c,v 1.9 2006/02/22 14:46:44 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/demime.c,v 1.10 2010/06/05 11:13:29 pdp Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -47,7 +47,7 @@
     };


     /* make sure the eml mbox file is spooled up */
  -  mbox_file = spool_mbox(&mbox_size);
  +  mbox_file = spool_mbox(&mbox_size, NULL);


     if (mbox_file == NULL) {
       /* error while spooling */


  Index: exim.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/exim.c,v
  retrieving revision 1.65
  retrieving revision 1.66
  diff -u -r1.65 -r1.66
  --- exim.c    16 Nov 2009 19:50:36 -0000    1.65
  +++ exim.c    5 Jun 2010 11:13:29 -0000    1.66
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/exim.c,v 1.65 2009/11/16 19:50:36 nm4 Exp $ */
  +/* $Cambridge: exim/exim-src/src/exim.c,v 1.66 2010/06/05 11:13:29 pdp Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -1355,6 +1355,7 @@
   uschar *ftest_localpart = NULL;
   uschar *ftest_prefix = NULL;
   uschar *ftest_suffix = NULL;
  +uschar *malware_test_file = NULL;
   uschar *real_sender_address;
   uschar *originator_home = US"/";
   void *reset_point;
  @@ -1821,6 +1822,14 @@


       else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;


  +    /* -bmalware: test the filename given for malware */
  +
  +    else if (Ustrcmp(argrest, "malware") == 0)
  +      {
  +      if (++i >= argc) { badarg = TRUE; break; }
  +      malware_test_file = argv[i];
  +      }
  +
       /* -bnq: For locally originating messages, do not qualify unqualified
       addresses. In the envelope, this causes errors; in header lines they
       just get left. */
  @@ -3592,12 +3601,13 @@
   user may request that a message be returned to its sender forthwith. Only an
   admin user may specify a debug level greater than D_v (because it might show
   passwords, etc. in lookup queries). Only an admin user may request a queue
  -count. */
  +count. Only an admin user can use the test interface to scan for email
  +(because Exim will be in the spool dir and able to look at mails). */


   if (!admin_user)
     {
     BOOL debugset = (debug_selector & ~D_v) != 0;
  -  if (deliver_give_up || daemon_listen ||
  +  if (deliver_give_up || daemon_listen || malware_test_file ||
        (count_queue && queue_list_requires_admin) ||
        (list_queue && queue_list_requires_admin) ||
        (queue_interval >= 0 && prod_requires_admin) ||
  @@ -3748,6 +3758,29 @@


else setgid(exim_gid);

  +/* Handle a request to scan a file for malware */
  +if (malware_test_file)
  +  {
  +  int result;
  +  set_process_info("scanning file for malware");
  +  result = malware_in_file(malware_test_file);
  +  if (result == FAIL)
  +    {
  +    printf("No malware found.\n");
  +    exit(EXIT_SUCCESS);
  +    }
  +  if (result != OK)
  +    {
  +    printf("Malware lookup returned non-okay/fail: %d\n", result);
  +    exit(EXIT_FAILURE);
  +    }
  +  if (malware_name)
  +    printf("Malware found: %s\n", malware_name);
  +  else
  +    printf("Malware scan detected malware of unknown name.\n");
  +  exit(EXIT_FAILURE);
  +  }
  +
   /* Handle a request to list the delivery queue */


if (list_queue)

  Index: functions.h
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/functions.h,v
  retrieving revision 1.48
  retrieving revision 1.49
  diff -u -r1.48 -r1.49
  --- functions.h    5 Jun 2010 09:10:10 -0000    1.48
  +++ functions.h    5 Jun 2010 11:13:30 -0000    1.49
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/functions.h,v 1.48 2010/06/05 09:10:10 pdp Exp $ */
  +/* $Cambridge: exim/exim-src/src/functions.h,v 1.49 2010/06/05 11:13:30 pdp Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -297,7 +297,7 @@
   extern int     smtp_write_command(smtp_outblock *, BOOL, char *, ...);
   #ifdef WITH_CONTENT_SCAN
   extern int     spam(uschar **);
  -extern FILE   *spool_mbox(unsigned long *);
  +extern FILE   *spool_mbox(unsigned long *, uschar *);
   #endif
   extern BOOL    spool_move_message(uschar *, uschar *, uschar *, uschar *);
   extern BOOL    spool_open_datafile(uschar *);


  Index: malware.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/malware.c,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- malware.c    11 Nov 2009 10:08:01 -0000    1.18
  +++ malware.c    5 Jun 2010 11:13:30 -0000    1.19
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/malware.c,v 1.18 2009/11/11 10:08:01 nm4 Exp $ */
  +/* $Cambridge: exim/exim-src/src/malware.c,v 1.19 2010/06/05 11:13:30 pdp Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -13,7 +13,8 @@
   #ifdef WITH_CONTENT_SCAN


/* declaration of private routines */
-int mksd_scan_packed(int sock);
+static int mksd_scan_packed(int sock, uschar *scan_filename);
+static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking);

/* SHUT_WR seems to be undefined on Unixware? */
#ifndef SHUT_WR
@@ -48,7 +49,104 @@
uschar malware_name_buffer[256];
int malware_ok = 0;

  +/* Gross hacks for the -bmalware option; perhaps we should just create
  +the scan directory normally for that case, but look into rigging up the
  +needed header variables if not already set on the command-line? */
  +extern int spool_mbox_ok;
  +extern uschar spooled_message_id[17];
  +
  +/*************************************************
  +*          Scan an email for malware             *
  +*************************************************/
  +
  +/* This is the normal interface for scanning an email, which doesn't need a
  +filename; it's a wrapper around the malware_file function.
  +
  +Arguments:
  +  listptr     the list of options to the "malware = ..." ACL condition
  +
  +Returns:      Exim message processing code (OK, FAIL, DEFER, ...)
  +              where true means malware was found (condition applies)
  +*/
   int malware(uschar **listptr) {
  +  uschar scan_filename[1024];
  +  BOOL fits;
  +
  +  fits = string_format(scan_filename, sizeof(scan_filename),
  +      CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
  +  if (!fits)
  +    {
  +    log_write(0, LOG_MAIN|LOG_PANIC,
  +        "malware filename does not fit in buffer [malware()]");
  +    return DEFER;
  +  }
  +
  +  return malware_internal(listptr, scan_filename, FALSE);
  +}
  +
  +
  +/*************************************************
  +*          Scan a file for malware               *
  +*************************************************/
  +
  +/* This is a test wrapper for scanning an email, which is not used in
  +normal processing.  Scan any file, using the Exim scanning interface.
  +This function tampers with various global variables so is unsafe to use
  +in any other context.
  +
  +Arguments:
  +  eml_filename  a file holding the message to be scanned
  +
  +Returns:        Exim message processing code (OK, FAIL, DEFER, ...)
  +                where true means malware was found (condition applies)
  +*/
  +int malware_in_file(uschar *eml_filename) {
  +  uschar *scan_options[2];
  +  uschar message_id_buf[64];
  +  int ret;
  +
  +  scan_options[0] = "*";
  +  scan_options[1] = NULL;
  +
  +  /* spool_mbox() assumes various parameters exist, when creating
  +  the relevant directory and the email within */
  +  (void) string_format(message_id_buf, sizeof(message_id_buf),
  +      US"dummy-%d", pseudo_random_number(INT_MAX));
  +  message_id = message_id_buf;
  +  sender_address = "malware-sender@???";
  +  return_path = "";
  +  recipients_list = NULL;
  +  receive_add_recipient("malware-victim@???", -1);
  +  enable_dollar_recipients = TRUE;
  +
  +  ret = malware_internal(scan_options, eml_filename, TRUE);
  +
  +  strncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
  +  spool_mbox_ok = 1;
  +  /* don't set no_mbox_unspool; at present, there's no way for it to become
  +  set, but if that changes, then it should apply to these tests too */
  +  unspool_mbox();
  +
  +  return ret;
  +}
  +
  +
  +/*************************************************
  +*          Scan content for malware              *
  +*************************************************/
  +
  +/* This is an internal interface for scanning an email; the normal interface
  +is via malware(), or there's malware_in_file() used for testing/debugging.
  +
  +Arguments:
  +  listptr       the list of options to the "malware = ..." ACL condition
  +  eml_filename  the file holding the email to be scanned
  +  faking        whether or not we're faking this up for the -bmalware test
  +
  +Returns:        Exim message processing code (OK, FAIL, DEFER, ...)
  +                where true means malware was found (condition applies)
  +*/
  +static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) {
     int sep = 0;
     uschar *list = *listptr;
     uschar *av_scanner_work = av_scanner;
  @@ -64,7 +162,7 @@
     const uschar *rerror;


     /* make sure the eml mbox file is spooled up */
  -  mbox_file = spool_mbox(&mbox_size);
  +  mbox_file = spool_mbox(&mbox_size, faking ? eml_filename : NULL);
     if (mbox_file == NULL) {
       /* error while spooling */
       log_write(0, LOG_MAIN|LOG_PANIC,
  @@ -202,8 +300,8 @@
         return DEFER;
       }


  -    (void)string_format(scanrequest, 1024, CS"GET %s/scan/%s/%s.eml",
  -          spool_directory, message_id, message_id);
  +    DEBUG(D_acl) debug_printf("Malware scan: issuing %s GET\n", scanner_name);
  +    (void)string_format(scanrequest, 1024, CS"GET %s", eml_filename);


       while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
         fp_scan_option_buffer, sizeof(fp_scan_option_buffer))) != NULL) {
  @@ -257,7 +355,6 @@
       int sock, result, ovector[30];
       unsigned int port, fsize;
       uschar tmpbuf[1024], *drweb_fbuf;
  -    uschar scanrequest[1024];
       uschar drweb_match_string[128];
       int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
           drweb_vnum, drweb_slen, drweb_fin = 0x0000;
  @@ -310,16 +407,14 @@
         /* prepare variables */
         drweb_cmd = htonl(DRWEBD_SCAN_CMD);
         drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
  -      (void)string_format(scanrequest, 1024,CS"%s/scan/%s/%s.eml",
  -            spool_directory, message_id, message_id);


         /* calc file size */
  -      drweb_fd = open(CS scanrequest, O_RDONLY);
  +      drweb_fd = open(CS eml_filename, O_RDONLY);
         if (drweb_fd == -1) {
           (void)close(sock);
           log_write(0, LOG_MAIN|LOG_PANIC,
             "malware acl condition: drweb: can't open spool file %s: %s",
  -          scanrequest, strerror(errno));
  +          eml_filename, strerror(errno));
           return DEFER;
         }
         fsize = lseek(drweb_fd, 0, SEEK_END);
  @@ -328,12 +423,15 @@
           (void)close(drweb_fd);
           log_write(0, LOG_MAIN|LOG_PANIC,
             "malware acl condition: drweb: can't seek spool file %s: %s",
  -          scanrequest, strerror(errno));
  +          eml_filename, strerror(errno));
           return DEFER;
         }
         drweb_slen = htonl(fsize);
         lseek(drweb_fd, 0, SEEK_SET);


  +      DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s %u]\n",
  +          scanner_name, hostname, port);
  +
         /* send scan request */
         if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
             (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
  @@ -352,7 +450,7 @@
           (void)close(drweb_fd);
           log_write(0, LOG_MAIN|LOG_PANIC,
             "malware acl condition: drweb: unable to allocate memory %u for file (%s)",
  -          fsize, scanrequest);
  +          fsize, eml_filename);
           return DEFER;
         }


  @@ -363,7 +461,7 @@
           free(drweb_fbuf);
           log_write(0, LOG_MAIN|LOG_PANIC,
             "malware acl condition: drweb: can't read spool file %s: %s",
  -          scanrequest, strerror(errno));
  +          eml_filename, strerror(errno));
           return DEFER;
         }
         (void)close(drweb_fd);
  @@ -398,14 +496,16 @@
         /* prepare variables */
         drweb_cmd = htonl(DRWEBD_SCAN_CMD);
         drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
  -      (void)string_format(scanrequest, 1024,CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
  -      drweb_slen = htonl(Ustrlen(scanrequest));
  +      drweb_slen = htonl(Ustrlen(eml_filename));
  +
  +      DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n",
  +          scanner_name, drweb_options);


         /* send scan request */
         if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
             (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
             (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
  -          (send(sock, scanrequest, Ustrlen(scanrequest), 0) < 0) ||
  +          (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
             (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0)) {
           (void)close(sock);
           log_write(0, LOG_MAIN|LOG_PANIC,
  @@ -557,7 +657,9 @@
         };


         /* prepare our command */
  -      (void)string_format(buf, 32768, "SCAN bPQRSTUW %s/scan/%s/%s.eml\r\n", spool_directory, message_id, message_id);
  +      (void)string_format(buf, 32768, "SCAN bPQRSTUW %s\r\n", eml_filename);
  +
  +      DEBUG(D_acl) debug_printf("Malware scan: issuing %s SCAN\n", scanner_name);


         /* and send it */
         if (send(sock, buf, Ustrlen(buf), 0) < 0) {
  @@ -577,8 +679,8 @@
     } else if (buf[0] == '5') {
             /* aveserver is having problems */
             log_write(0, LOG_MAIN|LOG_PANIC,
  -             "malware acl condition: unable to scan file %s/scan/%s/%s.eml (Responded: %s).",
  -       spool_directory, message_id, message_id, buf);
  +             "malware acl condition: unable to scan file %s (Responded: %s).",
  +       eml_filename, buf);
             result = DEFER;
       break;
     } else if (Ustrncmp(buf,"322",3) == 0) {
  @@ -656,6 +758,9 @@
           return DEFER;
         }


  +      DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
  +          scanner_name, fsecure_options);
  +
         /* pass options */
         memset(av_buffer, 0, sizeof(av_buffer));
         for (i=0; i != 4; i++) {
  @@ -682,7 +787,7 @@
         };


         /* pass the mailfile to fsecure */
  -      (void)string_format(file_name,1024,"SCAN\t%s/scan/%s/%s.eml\n", spool_directory, message_id, message_id);
  +      (void)string_format(file_name,1024,"SCAN\t%s\n", eml_filename);
         /* debug_printf("send scan %s",file_name); */
         if (write(sock, file_name, Ustrlen(file_name)) < 0) {
           (void)close(sock);
  @@ -745,6 +850,8 @@
         int kav_rc;
         unsigned long kav_reportlen, bread;
         pcre *kav_re;
  +      uschar *p;
  +      int fits;


         if ((kav_options = string_nextinlist(&av_scanner_work, &sep,
                                              kav_options_buffer,
  @@ -771,8 +878,24 @@


         /* get current date and time, build scan request */
         time(&t);
  -      strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s/scan/%%s", localtime(&t));
  -      (void)string_format(scanrequest, 1024,CS tmpbuf, spool_directory, message_id);
  +      /* pdp note: before the eml_filename parameter, this scanned the
  +      directory; not finding documentation, so we'll strip off the directory.
  +      The side-effect is that the test framework scanning may end up in
  +      scanning more than was requested, but for the normal interface, this is
  +      fine. */
  +      strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s", localtime(&t));
  +      fits = string_format(scanrequest, 1024,CS tmpbuf, eml_filename);
  +      if (!fits) {
  +        (void)close(sock);
  +        log_write(0, LOG_MAIN|LOG_PANIC,
  +            "malware filename does not fit in buffer [malware_internal() kavdaemon]");
  +      }
  +      p = strrchr(scanrequest, '/');
  +      if (p)
  +        *p = '\0';
  +
  +      DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
  +          scanner_name, kav_options);


         /* send scan request */
         if (send(sock, scanrequest, Ustrlen(scanrequest)+1, 0) < 0) {
  @@ -917,6 +1040,8 @@
         int trigger = 0;
         int result;
         int ovector[30];
  +      uschar *p;
  +      BOOL fits;


         /* find scanner command line */
         if ((cmdline_scanner = string_nextinlist(&av_scanner_work, &sep,
  @@ -964,12 +1089,36 @@
           return DEFER;
         };


  -      /* prepare scanner call */
  -      (void)string_format(file_name,1024,"%s/scan/%s", spool_directory, message_id);
  -      (void)string_format(commandline,1024, CS cmdline_scanner,file_name);
  +      /* prepare scanner call; despite the naming, file_name holds a directory
  +      name which is documented as the value given to %s. */
  +      if (Ustrlen(eml_filename) > sizeof(file_name) - 1)
  +        {
  +        log_write(0, LOG_MAIN|LOG_PANIC,
  +            "malware filename does not fit in buffer [malware_internal() cmdline]");
  +        return DEFER;
  +        }
  +      p = strrchr(eml_filename, '/');
  +      if (p)
  +        *p = '\0';
  +      fits = string_format(commandline, sizeof(commandline), CS cmdline_scanner, file_name);
  +      if (!fits)
  +        {
  +        log_write(0, LOG_MAIN|LOG_PANIC,
  +            "cmdline scanner command-line does not fit in buffer");
  +        return DEFER;
  +        }
  +
         /* redirect STDERR too */
  +      if (Ustrlen(commandline) + 5 > sizeof(commandline))
  +        {
  +        log_write(0, LOG_MAIN|LOG_PANIC,
  +            "cmdline scanner command-line does not fit in buffer (STDERR redirect)");
  +        return DEFER;
  +        }
         Ustrcat(commandline," 2>&1");


  +      DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", scanner_name, commandline);
  +
         /* store exims signal handlers */
         eximsigchld = signal(SIGCHLD,SIG_DFL);
         eximsigpipe = signal(SIGPIPE,SIG_DFL);
  @@ -1047,7 +1196,9 @@
         uschar sophie_options_default[] = "/var/run/sophie";
         int bread = 0;
         struct sockaddr_un server;
  -      int sock;
  +      int sock, len;
  +      uschar *p;
  +      BOOL fits;
         uschar file_name[1024];
         uschar av_buffer[1024];


  @@ -1075,7 +1226,22 @@
         }


         /* pass the scan directory to sophie */
  -      (void)string_format(file_name,1024,"%s/scan/%s", spool_directory, message_id);
  +      len = Ustrlen(eml_filename) + 1;
  +      if (len > sizeof(file_name))
  +        {
  +        (void)close(sock);
  +        log_write(0, LOG_MAIN|LOG_PANIC,
  +            "malware filename does not fit in buffer [malware_internal() sophie]");
  +        return DEFER;
  +        }
  +      memcpy(file_name, eml_filename, len);
  +      p = strrchr(file_name, '/');
  +      if (p)
  +        *p = '\0';
  +
  +      DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
  +          scanner_name, sophie_options);
  +
         if (write(sock, file_name, Ustrlen(file_name)) < 0) {
           (void)close(sock);
           log_write(0, LOG_MAIN|LOG_PANIC,
  @@ -1116,7 +1282,17 @@



       /* "clamd" scanner type ------------------------------------------------- */
  -    /* This code was contributed by David Saez */
  +    /* This code was originally contributed by David Saez */
  +    /* There are three scanning methods available to us:
  +     *  (1) Use the SCAN command, pointing to a file in the filesystem
  +     *  (2) Use the STREAM command, send the data on a separate port
  +     *  (3) Use the zINSTREAM command, send the data inline
  +     * The zINSTREAM command was introduced with ClamAV 0.95, which marked
  +     * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
  +     * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
  +     * the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless
  +     * WITH_OLD_CLAMAV_STREAM is defined.
  +     * See Exim bug 926 for details.  */
       else if (strcmpic(scanner_name,US"clamd") == 0) {
         uschar *clamd_options;
         uschar clamd_options_buffer[1024];
  @@ -1133,11 +1309,16 @@
         uschar *clamd_options2;
         uschar clamd_options2_buffer[1024];
         uschar clamd_options2_default[] = "";
  -      uschar av_buffer2[1024];
         uschar *clamav_fbuf;
         uschar scanrequest[1024];
         int sockData, clam_fd, result;
         unsigned int fsize;
  +      BOOL use_scan_command, fits;
  +#ifdef WITH_OLD_CLAMAV_STREAM
  +      uschar av_buffer2[1024];
  +#else
  +      uint32_t send_size, send_final_zeroblock;
  +#endif


         if ((clamd_options = string_nextinlist(&av_scanner_work, &sep,
                                                clamd_options_buffer,
  @@ -1151,9 +1332,18 @@
           clamd_options2 = clamd_options2_default;
         }


  +      if ((*clamd_options == '/') || (strcmpic(clamd_options2,US"local") == 0))
  +        use_scan_command = TRUE;
  +      else
  +        use_scan_command = FALSE;
  +
         /* socket does not start with '/' -> network socket */
         if (*clamd_options != '/') {


  +        /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
  +         * only supports AF_INET, but we should probably be looking to the
  +         * future and rewriting this to be protocol-independent anyway. */
  +
           /* extract host and port part */
           if( sscanf(CS clamd_options, "%s %u", hostname, &port) != 2 ) {
             log_write(0, LOG_MAIN|LOG_PANIC,
  @@ -1186,166 +1376,225 @@
             return DEFER;
           }


  -        if (strcmpic(clamd_options2,US"local") == 0) {
  -
  -      /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
  -
  -          (void)string_format(file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id);
  +      } else {
  +        /* open the local socket */
  +        if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +                    "malware acl condition: clamd: unable to acquire socket (%s)",
  +                    strerror(errno));
  +          return DEFER;
  +        }


  -          if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
  -            (void)close(sock);
  -            log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
  -                  strerror(errno));
  -            return DEFER;
  -          }
  -        } else {
  +        server.sun_family = AF_UNIX;
  +        Ustrcpy(server.sun_path, clamd_options);


  -      /* Pass the string to ClamAV (7 = "STREAM\n") */
  +        if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
  +          (void)close(sock);
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +                    "malware acl condition: clamd: unable to connect to UNIX socket %s (%s)",
  +                    clamd_options, strerror(errno) );
  +          return DEFER;
  +        }
  +      }


  -          if (send(sock, "STREAM\n", 7, 0) < 0) {
  -            (void)close(sock);
  -            log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
  -                  strerror(errno));
  -            return DEFER;
  -          }
  -          memset(av_buffer2, 0, sizeof(av_buffer2));
  -          bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), MALWARE_TIMEOUT);
  +      /* have socket in variable "sock"; command to use is semi-independent of
  +       * the socket protocol.  We use SCAN if is local (either Unix/local
  +       * domain socket, or explicitly told local) else we stream the data.
  +       * How we stream the data depends upon how we were built.  */
  +
  +      if (!use_scan_command) {
  +
  +#ifdef WITH_OLD_CLAMAV_STREAM
  +        /* "STREAM\n" command, get back a "PORT <N>\n" response, send data to
  +         * that port on a second connection; then in the scan-method-neutral
  +         * part, read the response back on the original connection. */
  +
  +        DEBUG(D_acl) debug_printf("Malware scan: issuing %s old-style remote scan (PORT)\n",
  +            scanner_name);
  +
  +        /* Pass the string to ClamAV (7 = "STREAM\n") */
  +        if (send(sock, "STREAM\n", 7, 0) < 0) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
  +                strerror(errno));
  +          (void)close(sock);
  +          return DEFER;
  +        }
  +        memset(av_buffer2, 0, sizeof(av_buffer2));
  +        bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), MALWARE_TIMEOUT);


  -          if (bread < 0) {
  -            log_write(0, LOG_MAIN|LOG_PANIC,
  -                  "malware acl condition: clamd: unable to read PORT from socket (%s)",
  -                  strerror(errno));
  -            return DEFER;
  -          }
  +        if (bread < 0) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +                "malware acl condition: clamd: unable to read PORT from socket (%s)",
  +                strerror(errno));
  +          (void)close(sock);
  +          return DEFER;
  +        }


  -          if (bread == sizeof(av_buffer)) {
  -            log_write(0, LOG_MAIN|LOG_PANIC,
  -                  "malware acl condition: clamd: buffer too small");
  -            return DEFER;
  -          }
  +        if (bread == sizeof(av_buffer)) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +                "malware acl condition: clamd: buffer too small");
  +          (void)close(sock);
  +          return DEFER;
  +        }


  -          if (!(*av_buffer2)) {
  -            log_write(0, LOG_MAIN|LOG_PANIC,
  -                  "malware acl condition: clamd: ClamAV returned null");
  -            return DEFER;
  -          }
  +        if (!(*av_buffer2)) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +                "malware acl condition: clamd: ClamAV returned null");
  +          (void)close(sock);
  +          return DEFER;
  +        }


  -          av_buffer2[bread] = '\0';
  -          if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 ) {
  -            log_write(0, LOG_MAIN|LOG_PANIC,
  -                    "malware acl condition: clamd: Expected port information from clamd, got '%s'", av_buffer2);
  -            return DEFER;
  -          };
  +        av_buffer2[bread] = '\0';
  +        if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 ) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +                  "malware acl condition: clamd: Expected port information from clamd, got '%s'", av_buffer2);
  +          (void)close(sock);
  +          return DEFER;
  +        };


  -          if ( (sockData = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
  -            log_write(0, LOG_MAIN|LOG_PANIC,
  -                    "malware acl condition: clamd: unable to acquire socket (%s)",
  -                    strerror(errno));
  -            return DEFER;
  -          }
  +        if ( (sockData = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +                  "malware acl condition: clamd: unable to acquire socket (%s)",
  +                  strerror(errno));
  +          (void)close(sock);
  +          return DEFER;
  +        }


  -          if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
  -            (void)close(sockData);
  -            log_write(0, LOG_MAIN|LOG_PANIC,
  -                    "malware acl condition: clamd: connection to %s, port %u failed (%s)",
  -                    inet_ntoa(in), port, strerror(errno));
  -            return DEFER;
  -          }
  +        if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +                  "malware acl condition: clamd: connection to %s, port %u failed (%s)",
  +                  inet_ntoa(in), port, strerror(errno));
  +          (void)close(sockData); (void)close(sock);
  +          return DEFER;
  +        }


  -      (void)string_format(scanrequest, 1024,CS"%s/scan/%s/%s.eml",
  -      spool_directory, message_id, message_id);
  +#define CLOSE_SOCKDATA (void)close(sockData)
  +#else /* WITH_OLD_CLAMAV_STREAM not defined */
  +        /* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
  +        chunks, <n> a 4-byte number (network order), terminated by a zero-length
  +        chunk. */


  -    /* calc file size */
  -    clam_fd = open(CS scanrequest, O_RDONLY);
  -    if (clam_fd == -1) {
  -      log_write(0, LOG_MAIN|LOG_PANIC,
  -        "malware acl condition: clamd: can't open spool file %s: %s",
  -        scanrequest, strerror(errno));
  -      return DEFER;
  -    }
  -    fsize = lseek(clam_fd, 0, SEEK_END);
  -    if (fsize == -1) {
  -      log_write(0, LOG_MAIN|LOG_PANIC,
  -        "malware acl condition: clamd: can't seek spool file %s: %s",
  -        scanrequest, strerror(errno));
  -      return DEFER;
  -    }
  -    lseek(clam_fd, 0, SEEK_SET);
  +        DEBUG(D_acl) debug_printf("Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
  +            scanner_name);


  -    clamav_fbuf = (uschar *) malloc (fsize);
  -    if (!clamav_fbuf) {
  -      (void)close(sockData);
  -      (void)close(clam_fd);
  -      log_write(0, LOG_MAIN|LOG_PANIC,
  -        "malware acl condition: clamd: unable to allocate memory %u for file (%s)",
  -        fsize, scanrequest);
  -      return DEFER;
  -    }
  +        /* Pass the string to ClamAV (10 = "zINSTREAM\0") */
  +        if (send(sock, "zINSTREAM", 10, 0) < 0) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +              "malware acl condition: clamd: unable to send zINSTREAM to socket (%s)",
  +              strerror(errno));
  +          (void)close(sock);
  +          return DEFER;
  +        }


  -    result = read (clam_fd, clamav_fbuf, fsize);
  -    if (result == -1) {
  -      (void)close(sockData);
  -      (void)close(clam_fd);
  -      free(clamav_fbuf);
  -      log_write(0, LOG_MAIN|LOG_PANIC,
  -        "malware acl condition: clamd: can't read spool file %s: %s",
  -        scanrequest, strerror(errno));
  -      return DEFER;
  -    }
  -    (void)close(clam_fd);
  +#define CLOSE_SOCKDATA /**/
  +#endif


  -    /* send file body to socket */
  -    if (send(sockData, clamav_fbuf, fsize, 0) < 0) {
  -      (void)close(sockData);
  -      free(clamav_fbuf);
  -      log_write(0, LOG_MAIN|LOG_PANIC,
  -        "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port);
  -      return DEFER;
  -    }
  -    free(clamav_fbuf);
  -          (void)close(sockData);
  +        /* calc file size */
  +        clam_fd = open(CS eml_filename, O_RDONLY);
  +        if (clam_fd == -1) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +            "malware acl condition: clamd: can't open spool file %s: %s",
  +            eml_filename, strerror(errno));
  +          CLOSE_SOCKDATA; (void)close(sock);
  +          return DEFER;
           }
  -      }
  -      else {
  -        /* open the local socket */
  -        if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
  +        fsize = lseek(clam_fd, 0, SEEK_END);
  +        if (fsize == -1) {
             log_write(0, LOG_MAIN|LOG_PANIC,
  -                    "malware acl condition: clamd: unable to acquire socket (%s)",
  -                    strerror(errno));
  +            "malware acl condition: clamd: can't seek spool file %s: %s",
  +            eml_filename, strerror(errno));
  +          CLOSE_SOCKDATA; (void)close(sock);
             return DEFER;
           }
  +        lseek(clam_fd, 0, SEEK_SET);


  -        server.sun_family = AF_UNIX;
  -        Ustrcpy(server.sun_path, clamd_options);
  +        clamav_fbuf = (uschar *) malloc (fsize);
  +        if (!clamav_fbuf) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +            "malware acl condition: clamd: unable to allocate memory %u for file (%s)",
  +            fsize, eml_filename);
  +          CLOSE_SOCKDATA; (void)close(sock); (void)close(clam_fd);
  +          return DEFER;
  +        }


  -        if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
  -          (void)close(sock);
  +        result = read (clam_fd, clamav_fbuf, fsize);
  +        if (result == -1) {
             log_write(0, LOG_MAIN|LOG_PANIC,
  -                    "malware acl condition: clamd: unable to connect to UNIX socket %s (%s)",
  -                    clamd_options, strerror(errno) );
  +            "malware acl condition: clamd: can't read spool file %s: %s",
  +            eml_filename, strerror(errno));
  +          CLOSE_SOCKDATA; (void)close(sock); (void)close(clam_fd);
  +          free(clamav_fbuf);
             return DEFER;
           }
  -      }
  +        (void)close(clam_fd);


  -      /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
  +        /* send file body to socket */
  +#ifdef WITH_OLD_CLAMAV_STREAM
  +        if (send(sockData, clamav_fbuf, fsize, 0) < 0) {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +            "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port);
  +          CLOSE_SOCKDATA; (void)close(sock);
  +          free(clamav_fbuf);
  +          return DEFER;
  +        }
  +#else
  +        send_size = htonl(fsize);
  +        send_final_zeroblock = 0;
  +        if ((send(sock, &send_size, sizeof(send_size), 0) < 0) ||
  +            (send(sock, clamav_fbuf, fsize, 0) < 0) ||
  +            (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
  +          {
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +            "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port);
  +          (void)close(sock);
  +          free(clamav_fbuf);
  +          return DEFER;
  +          }
  +#endif


  -      (void)string_format(file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id);
  +        free(clamav_fbuf);


  -      if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
  -        (void)close(sock);
  -        log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
  -                  strerror(errno));
  -        return DEFER;
  -      }
  +        CLOSE_SOCKDATA;
  +#undef CLOSE_SOCKDATA


  -      /*
  -        We're done sending, close socket for writing.
  +      } else { /* use scan command */
  +        /* Send a SCAN command pointing to a filename; then in the then in the
  +         * scan-method-neutral part, read the response back */
  +
  +/* ================================================================= */
  +
  +        /* Prior to the reworking post-Exim-4.72, this scanned a directory,
  +        which dates to when ClamAV needed us to break apart the email into the
  +        MIME parts (eg, with the now deprecated demime condition coming first).
  +        Some time back, ClamAV gained the ability to deconstruct the emails, so
  +        doing this would actually have resulted in the mail attachments being
  +        scanned twice, in the broken out files and from the original .eml.
  +        Since ClamAV now handles emails (and has for quite some time) we can
  +        just use the email file itself. */
  +        /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
  +        fits = string_format(file_name, sizeof(file_name), "SCAN %s\n",
  +            eml_filename);
  +        if (!fits) {
  +          (void)close(sock);
  +          log_write(0, LOG_MAIN|LOG_PANIC,
  +              "malware filename does not fit in buffer [malware_internal() clamd]");
  +        }


  -        One user reported that clamd 0.70 does not like this any more ...
  +        DEBUG(D_acl) debug_printf("Malware scan: issuing %s local-path scan [%s]\n",
  +            scanner_name, clamd_options);


  -      */
  +        if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
  +          (void)close(sock);
  +          log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
  +                    strerror(errno));
  +          return DEFER;
  +        }


  -      /* shutdown(sock, SHUT_WR); */
  +        /* Do not shut down the socket for writing; a user report noted that
  +         * clamd 0.70 does not react well to this. */
  +      }
  +      /* Commands have been sent, no matter which scan method or connection
  +       * type we're using; now just read the result, independent of method. */


         /* Read the result */
         memset(av_buffer, 0, sizeof(av_buffer));
  @@ -1368,7 +1617,7 @@
         /* Check the result. ClamAV Returns
            infected: -> "<filename>: <virusname> FOUND"
            not-infected: -> "<filename>: OK"
  -    error: -> "<filename>: <errcode> ERROR */
  +         error: -> "<filename>: <errcode> ERROR */


         if (!(*av_buffer)) {
           log_write(0, LOG_MAIN|LOG_PANIC,
  @@ -1376,10 +1625,12 @@
           return DEFER;
         }


  -      /* strip newline at the end */
  +      /* strip newline at the end (won't be present for zINSTREAM) */
         p = av_buffer + Ustrlen(av_buffer) - 1;
         if( *p == '\n' ) *p = '\0';


  +      DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer);
  +
         /* colon in returned output? */
         if((p = Ustrrchr(av_buffer,':')) == NULL) {
           log_write(0, LOG_MAIN|LOG_PANIC,
  @@ -1398,6 +1649,7 @@
              for (;*vname==32;vname++);
              Ustrcpy(malware_name_buffer,vname);
              malware_name = malware_name_buffer;
  +           DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name);
         }
         else {
              if (Ustrstr(vname, "ERROR")!=NULL) {
  @@ -1413,6 +1665,7 @@
              else {
                 /* Everything should be OK */
                 malware_name = NULL;
  +              DEBUG(D_acl) debug_printf("Malware not found\n");
              }
         }
       }
  @@ -1459,7 +1712,9 @@


         malware_name = NULL;


  -      retval = mksd_scan_packed(sock);
  +      DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name);
  +
  +      retval = mksd_scan_packed(sock, eml_filename);


         if (retval != OK)
           return retval;
  @@ -1481,6 +1736,7 @@
     /* match virus name against pattern (caseless ------->----------v) */
     if ( (malware_name != NULL) &&
          (regex_match_and_setup(re, malware_name, 0, -1)) ) {
  +    DEBUG(D_acl) debug_printf("Matched regex to malware [%s] [%s]\n", malware_regex, malware_name);
       return OK;
     }
     else {
  @@ -1510,7 +1766,7 @@


#include <sys/uio.h>

  -int mksd_writev (int sock, struct iovec *iov, int iovcnt)
  +static int mksd_writev (int sock, struct iovec *iov, int iovcnt)
   {
     int i;


  @@ -1539,7 +1795,7 @@
     }
   }


  -int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size)
  +static int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size)
   {
     int offset = 0;
     int i;
  @@ -1566,7 +1822,7 @@
     return offset;
   }


  -int mksd_parse_line (char *line)
  +static int mksd_parse_line (char *line)
   {
     char *p;


  @@ -1600,26 +1856,20 @@
     }
   }


  -int mksd_scan_packed (int sock)
  +static int mksd_scan_packed(int sock, uschar *scan_filename)
   {
  -  struct iovec iov[7];
  -  char *cmd = "MSQ/scan/.eml\n";
  +  struct iovec iov[3];
  +  char *cmd = "MSQ\n";
     uschar av_buffer[1024];


     iov[0].iov_base = cmd;
     iov[0].iov_len = 3;
  -  iov[1].iov_base = CS spool_directory;
  -  iov[1].iov_len = Ustrlen (spool_directory);
  +  iov[1].iov_base = CS scan_filename;
  +  iov[1].iov_len = Ustrlen(scan_filename);
     iov[2].iov_base = cmd + 3;
  -  iov[2].iov_len = 6;
  -  iov[3].iov_base = iov[5].iov_base = CS message_id;
  -  iov[3].iov_len = iov[5].iov_len = Ustrlen (message_id);
  -  iov[4].iov_base = cmd + 3;
  -  iov[4].iov_len = 1;
  -  iov[6].iov_base = cmd + 9;
  -  iov[6].iov_len = 5;
  +  iov[2].iov_len = 1;


  -  if (mksd_writev (sock, iov, 7) < 0)
  +  if (mksd_writev (sock, iov, 3) < 0)
       return DEFER;


     if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer)) < 0)


  Index: receive.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/receive.c,v
  retrieving revision 1.54
  retrieving revision 1.55
  diff -u -r1.54 -r1.55
  --- receive.c    3 Jun 2010 05:40:27 -0000    1.54
  +++ receive.c    5 Jun 2010 11:13:30 -0000    1.55
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/receive.c,v 1.54 2010/06/03 05:40:27 pdp Exp $ */
  +/* $Cambridge: exim/exim-src/src/receive.c,v 1.55 2010/06/05 11:13:30 pdp Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -1094,7 +1094,7 @@


   DO_MIME_ACL:
   /* make sure the eml mbox file is spooled up */
  -mbox_file = spool_mbox(&mbox_size);
  +mbox_file = spool_mbox(&mbox_size, NULL);
   if (mbox_file == NULL) {
     /* error while spooling */
     log_write(0, LOG_MAIN|LOG_PANIC,


  Index: regex.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/regex.c,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- regex.c    1 Jul 2005 10:49:02 -0000    1.7
  +++ regex.c    5 Jun 2010 11:13:30 -0000    1.8
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/regex.c,v 1.7 2005/07/01 10:49:02 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/regex.c,v 1.8 2010/06/05 11:13:30 pdp Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -47,7 +47,7 @@


     if (mime_stream == NULL) {
       /* We are in the DATA ACL */
  -    mbox_file = spool_mbox(&mbox_size);
  +    mbox_file = spool_mbox(&mbox_size, NULL);
       if (mbox_file == NULL) {
         /* error while spooling */
         log_write(0, LOG_MAIN|LOG_PANIC,


  Index: spam.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/spam.c,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- spam.c    18 Jul 2008 17:55:42 -0000    1.17
  +++ spam.c    5 Jun 2010 11:13:30 -0000    1.18
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/spam.c,v 1.17 2008/07/18 17:55:42 fanf2 Exp $ */
  +/* $Cambridge: exim/exim-src/src/spam.c,v 1.18 2010/06/05 11:13:30 pdp Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -80,7 +80,7 @@
     };


     /* make sure the eml mbox file is spooled up */
  -  mbox_file = spool_mbox(&mbox_size);
  +  mbox_file = spool_mbox(&mbox_size, NULL);


     if (mbox_file == NULL) {
       /* error while spooling */


  Index: spool_mbox.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/spool_mbox.c,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- spool_mbox.c    16 Jan 2008 09:56:55 -0000    1.14
  +++ spool_mbox.c    5 Jun 2010 11:13:30 -0000    1.15
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/spool_mbox.c,v 1.14 2008/01/16 09:56:55 tom Exp $ */
  +/* $Cambridge: exim/exim-src/src/spool_mbox.c,v 1.15 2010/06/05 11:13:30 pdp Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -25,9 +25,10 @@
   int spool_mbox_ok = 0;
   uschar spooled_message_id[17];


-/* returns a pointer to the FILE, and puts the size in bytes into mbox_file_size */
+/* returns a pointer to the FILE, and puts the size in bytes into mbox_file_size
+ * normally, source_file_override is NULL */

  -FILE *spool_mbox(unsigned long *mbox_file_size) {
  +FILE *spool_mbox(unsigned long *mbox_file_size, uschar *source_file_override) {
     uschar message_subdir[2];
     uschar buffer[16384];
     uschar *temp_string;
  @@ -100,13 +101,17 @@
       (void)fwrite("\n", 1, 1, mbox_file);


       /* copy body file */
  -    message_subdir[1] = '\0';
  -    for (i = 0; i < 2; i++) {
  -      message_subdir[0] = (split_spool_directory == (i == 0))? message_id[5] : 0;
  -      temp_string = string_sprintf("%s/input/%s/%s-D", spool_directory,
  -        message_subdir, message_id);
  -      data_file = Ufopen(temp_string, "rb");
  -      if (data_file != NULL) break;
  +    if (source_file_override == NULL) {
  +      message_subdir[1] = '\0';
  +      for (i = 0; i < 2; i++) {
  +        message_subdir[0] = (split_spool_directory == (i == 0))? message_id[5] : 0;
  +        temp_string = string_sprintf("%s/input/%s/%s-D", spool_directory,
  +          message_subdir, message_id);
  +        data_file = Ufopen(temp_string, "rb");
  +        if (data_file != NULL) break;
  +      };
  +    } else {
  +      data_file = Ufopen(source_file_override, "rb");
       };


       if (data_file == NULL) {
  @@ -125,7 +130,8 @@
        * explicitly, because the one in the file is parted of the locked area.
        */


  -    (void)fseek(data_file, SPOOL_DATA_START_OFFSET, SEEK_SET);
  +    if (!source_file_override)
  +      (void)fseek(data_file, SPOOL_DATA_START_OFFSET, SEEK_SET);


       do {
         j = fread(buffer, 1, sizeof(buffer), data_file);
  @@ -188,6 +194,12 @@
       mbox_path = string_sprintf("%s/scan/%s", spool_directory, spooled_message_id);


       tempdir = opendir(CS mbox_path);
  +    if (!tempdir) {
  +      debug_printf("Unable to opendir(%s): %s\n", mbox_path, strerror(errno));
  +      /* Just in case we still can: */
  +      rmdir(CS mbox_path);
  +      return;
  +    }
       /* loop thru dir & delete entries */
       while((entry = readdir(tempdir)) != NULL) {
         uschar *name = US entry->d_name;