[Mimedefang] Upgrading from old version (2.28)

Kris Deugau kdeugau at vianet.ca
Thu Sep 23 12:49:25 EDT 2004


mimedefang wrote:
> I'm running Mimedefang 2.28 and SpamAssassin 2.43

Ouch.  I think there was a security fix in a more recent version of MD,
and SA2.4x is just plain outdated.  Certainly there have been bugfixes
related to how virus scanners are called in more recent versions of MD.

> under RedHat 8 and would
> like to upgrade to Mimedefang 2.45 and SpamAssassin 3.0.

You probably won't be able to make this jump all at once.  Both SA and
MD have changed fairly significantly since the versions you're running.

>  The problem is
> that I need to do this on an in-use production server and can't have
> downtime more than a couple minutes

Not gonna happen;  you'll likely spend more than a few minutes just
installing the new versions of SA and MD- to say nothing of the task of
going through the configuration for each and setting the new versions to
behave as much like the old as possible.  Expect to spend several days
AT LEAST for the whole process.

> and no lost mails.

This shouldn't be an issue.

>  I also have
> somewhat of a customized Mimedefang script although I could probably
> just start again from the default.

You should set up a test box with the new version of MD, and manually
compare with your current mimedefang-filter.  You could just start with
the provided filter, and modify to taste;  I found having the old filter
as a reference helped make the changes to the new filter.

I would make the change in several steps, testing on an experimental
system before doing it live:

1)  Upgrade SA to 2.64.  You may be able to do this live without
trouble;  SA's Perl interfaces haven't changed up to this point.  You
WILL have to check on some non-rule settings in
/etc/mail/spamassassin/*.cf;  if you're calling SA from MD you may be
able to get away with ignoring these changes.  You also don't have to
worry about Bayes incompatibilities since SA2.4x didn't have Bayes
support.  You may want to just leave it disabled and activate Bayes once
you jump to SA 3.0.

Rulesets in /etc/mail/spamassassin should be OK to leave as-is, although
you may want to score them down due to changes in "internal" rules
between 2.43 and 2.64.  You'll have to compare non-rule configuration
settings between versions, and watch for changes in which options do
what and what they're called.

2)  Upgrade MD to 2.45.  You WILL want to do this on an experimental
system first, so you can get mimedefang-filter set up the way you want
it.  As with SA, there ARE configuration differences and
incompatibilities.

3)  Upgrade to SA 3.0.  You may want to do this on an experimental box
as, once again, there are some configuration changes.  Again, calling SA
direct from MD eliminates quite a few of these gotchas.

> Am I just running versions too old to do a smooth upgrade?

In terms of just "rpm -Uvh mimedefang-2.45-1.i386.rpm
spamassassin*3.0-1.i386.rpm", yes.  I generally find it advisable to NOT
keep running truly ancient (ie, more than a year and a half old <g>)
versions of SA, and while MD doesn't change quite as quickly there ARE
nice new features and abilities - and (rarely) security fixes - that
make it useful to try to keep up to date.

>  What
> upgrade process do I need to follow?  Any pointers to a detailed FAQ
> or other guide would be welcome.

See above.  <g>  If you decide to upgrade, I STRONGLY suggest you do it
in at least the three rough stages I listed above, on an experimental
box FIRST so you can see what breaks.

It may prove to be far easier to just build a whole new box- I've found
this to be the case once or twice.  Since you're on RedHat, I'd suggest
upgrading the OS to one of the RHEL clones as well as the SA and MD
upgrades.

> As a side note, is this a case where "if it's not broken don't fix it"
> shouldn't apply?

Ah...   Yes.  <g>  Your SA is so old it's likely missing ~50% or more of
today's spam, and at the very least 2.43 has some nasty holes in the
negative-scoring rules that spammers have used to sneak messages
through.  I checked back through the changelog for MD, and the last
security-tagged fix was for 2.23...  but if you want to go to SA3.0,
you'll probably have to upgrade as SA's Perl module API has changed.

>  Do most users upgrade to each new release?

Some people upgrade EVERY release - including RC releases.  I only
upgrade if there's a security issue, or if I want to use some capability
only available in newer versions.  I try to keep at least somewhat up to
date;  it makes future upgrades easier.

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!
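
For the "compare non-rule configuration settings between versions" step in the message above, one way to list what needs manual review. This is an added example, not part of the original post or of SpamAssassin; the function names and both sample configs are constructed, and the rule-directive list is an assumption covering the common test-definition keywords.

```python
import re

# Directives that define or tune individual tests (assumed list); anything
# else is treated here as a non-rule setting that needs manual review.
RULE_DIRECTIVES = {"header", "body", "rawbody", "full", "uri", "meta",
                   "score", "describe", "tflags", "test"}

def non_rule_settings(cf_text):
    """Map each non-rule directive in a .cf file to its list of values."""
    settings = {}
    for raw in cf_text.splitlines():
        line = re.sub(r"(?<!\\)#.*$", "", raw).strip()  # drop comments
        tokens = line.split(None, 1)
        if tokens and tokens[0] == "lang":  # "lang xx describe ..." prefix
            tokens = tokens[1].split(None, 2)[1:] if len(tokens) > 1 else []
        if not tokens or tokens[0] in RULE_DIRECTIVES:
            continue
        value = tokens[1].strip() if len(tokens) > 1 else ""
        settings.setdefault(tokens[0], []).append(value)
    return settings

def compare_settings(old_text, new_text):
    """Report settings that exist on one side only or whose values differ."""
    old, new = non_rule_settings(old_text), non_rule_settings(new_text)
    return {
        "only_old": sorted(set(old) - set(new)),
        "only_new": sorted(set(new) - set(old)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }

# Constructed sample: an old-style site config with one local rule.
OLD_CF = """\
# local settings
required_hits 5
rewrite_subject 1
subject_tag *****SPAM*****
whitelist_from *@example.com
header LOCAL_MEDS Subject =~ /cheap meds/i
score LOCAL_MEDS 2.0
"""
# Constructed sample: the same site config rewritten for a newer release.
NEW_CF = """\
required_score 5
rewrite_header Subject *****SPAM*****
whitelist_from *@example.com *@example.org
"""

if __name__ == "__main__":
    for kind, names in compare_settings(OLD_CF, NEW_CF).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Settings listed under `only_old` are the ones to look up in the new version's documentation, since they may have been renamed or dropped.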
