SA rule updates with sha1 checksums to stop on March 1, 2020

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 505
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition
Contact:

SA rule updates with sha1 checksums to stop on March 1, 2020

Postby JDunphy » Sat Feb 01, 2020 7:28 pm

If you are running spamassassin 3.4.1 or older, new rule updates will fail on March 1, 2020 when the rule checksums will no longer be hashed as sha1. You will require a /opt/zimbra/common/bin/sa-update with sha256/sha512 support to pull updated and new rules.
What does this mean? No further rule upgrades and your sa-update will fail nightly. Latest spamassasin (SA) is 3.4.4 at this posting which also has numerous bug and security fixes. SA 3.4.2 and newer would not have this problem.

Run this with your version of Zimbra to see if this could be a problem after March 1, 2020 for your installation. Here is an example that will fail after March 1, 2020.

Code: Select all

# su - zimbra
% spamassassin --version
SpamAssassin version 3.4.1
  running on Perl version 5.10.1

There are a few workarounds...
1) upgrade to a later version of spamassassin. I have a zimbra wiki showing that process.
2) patch /opt/zimbra/common/bin/sa-update to understand sha256/sha512

There is an sa-update patched (from RHEL) to include sha256 and sha512 and am testing this now. Here is how to patch your sa-update that handles sha256/sha512.

Code: Select all

# su - zimbra
% cd /tmp
% wget 'https://bugzilla.redhat.com/attachment.cgi?id=1652727' -O sha256.patch
% cp /opt/zimbra/common/bin/sa-update sa-update.raw
% patch < sha256.patch

If everything looks good ... do the following as root:

Code: Select all

# su -
# cd /opt/zimbra/common/bin
# mv sa-update sa-update.bak
# mv /tmp/sa-update.raw sa-update
# chmod 555 sa-update

You can test this manually via this process:

Code: Select all

# su - zimbra
% /opt/zimbra/common/bin/sa-update -D -v --allowplugins --refreshmirrors

Normally, this is called via cron nightly... see this entry: /opt/zimbra/libexec/zmsaupdate
If it fails, your original as shipped with zimbra is sa-update.bak and you can put it back without further issues.

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1787382

Note: I do not have extensive testing at this time with this patched sa-update.

Can anyone verify which version of SA is being shipped with the various 8.8+ versions? Hopefully something more modern than spamassassin 3.4.1 :-)

Jim


User avatar
L. Mark Stone
Elite member
Elite member
Posts: 2138
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition
Contact:

Re: SA rule updates with sha1 checksums to stop on March 1, 2020

Postby L. Mark Stone » Sat Feb 01, 2020 8:56 pm

Hi Jim,

Thanks very much for this.

8.8.15 Patch 4 ships with SpamAssassin 3.4.1.

Are you running Network Edition and if so can you open a support case with Zimbra?

Let me know?

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 505
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition
Contact:

Re: SA rule updates with sha1 checksums to stop on March 1, 2020

Postby JDunphy » Sat Feb 01, 2020 10:53 pm

L. Mark Stone wrote:Hi Jim,

Thanks very much for this.

8.8.15 Patch 4 ships with SpamAssassin 3.4.1.

Are you running Network Edition and if so can you open a support case with Zimbra?

Hi Mark,

Yes I am. Ticket has been opened with them.

Given this seems to be a problem across all platforms, upgrading SA can be done via this formula also.

https://wiki.zimbra.com/wiki/JDunphy-SA-Upgrade

Jim
User avatar
zimico
Advanced member
Advanced member
Posts: 174
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3
Contact:

Re: SA rule updates with sha1 checksums to stop on March 1, 2020

Postby zimico » Sun Feb 16, 2020 1:57 am

Dear,
I have just updated to OSS 8.8.15 P7 on Centos 7. Spamassassin is still version 3.4.1. I followed Jim's wiki to update to 3.4.2 successfully.
Best regards,
Minh.

Return to “Administrators”

Who is online

Users browsing this forum: Google [Bot] and 6 guests