Amavisd installation

Postfix config

Add to main.cf (this hands every incoming message to amavisd on the loopback interface, port 10024, before it is queued for delivery):
content_filter=smtp-amavis:[127.0.0.1]:10024
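The main.cf line above only names the filter; the two master.cf services that make the loop work are not on this page, so here they are as an added example (my own, not the page author's setup). The service name smtp-amavis, port 10024 and the return port 10025 are taken from the page and from $forward_method in the amavisd config below; the option set is the standard one from amavisd-new's README.postfix. The two security-relevant points are `-o content_filter=` on the 10025 listener (without it every scanned message is resubmitted to amavisd, an endless loop) and restricting that listener to loopback so nothing else can inject unscanned mail through it.

```conf
# master.cf additions for the amavisd content-filter loop (added example).
# Postfix -> amavisd on 127.0.0.1:10024, amavisd -> Postfix on 127.0.0.1:10025.

# Outbound leg. 'Max procs' (2) should equal $max_servers in amavisd.conf,
# max_use (20) equals $max_requests, and smtp_send_xforward_command=yes is what
# gives amavisd the original client IP for its @mynetworks check.
smtp-amavis unix -      -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

# Return leg. content_filter is cleared here to stop the loop; only loopback
# may connect; helo/sender/recipient policy is empty because it already ran on
# the public smtpd and would otherwise be applied a second time.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
```

receive_override_options needs Postfix 2.1 or later; on older releases drop that line. After `postfix reload`, a test message should arrive with a Received: line from 127.0.0.1 port 10025 and the X-Virus-Scanned header that $X_HEADER_LINE sets; if it is missing, the 10025 listener or the content_filter line is not in effect.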
Amavisd Config
Download the latest version: http://www.ijs.si/software/amavisd/#download

The supplied sample config is fairly self-explanatory. Keep the file root-owned and not writable by the amavis user: it is Perl code that the daemon executes.

My config:
use strict;

# Sample configuration file for amavisd-new (traditional style, chatty,
# you may prefer to start with the more concise supplied amavisd.conf)
#
# See amavisd.conf-default for a list of all variables with their defaults;
# for more details see documentation in INSTALL, README_FILES/*
# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html

# This software is licensed under the GNU General Public License (GPL).
# See comments at the start of amavisd-new for the whole license text.

#Sections:
# Section I    - Essential daemon and MTA settings
# Section II   - MTA specific
# Section III  - Logging
# Section IV   - Notifications/DSN, bounce/reject/discard/pass, quarantine
# Section V    - Per-recipient and per-sender handling, whitelisting, etc.
# Section VI   - Resource limits
# Section VII  - External programs, virus scanners, SpamAssassin
# Section VIII - Debugging
# Section IX   - Policy banks (dynamic policy switching)

#GENERAL NOTES:
#   This file is a normal Perl code, interpreted by Perl itself.
#   - make sure this file (or directory where it resides) is NOT WRITABLE
#     by mere mortals (not even vscan/amavis; best to make it owned by root),
#     otherwise it can represent a severe security risk!
#   - for values which are interpreted as booleans, it is recommended
#     to use 1 for true, and 0 or undef or '' for false.
#     THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "no" also meant false,
#     now it means true, like any nonempty string does!
#   - Perl syntax applies. Most notably: strings in "" may include variables
#     (which start with $ or @); to include characters $ and @ and \ in double
#     quoted strings precede them by a backslash; in single-quoted strings
#     the $ and @ lose their special meaning, so it is usually easier to use
#     single quoted strings (or qw operator) for e-mail addresses.
#     In both types of quoting a backslash should be doubled.
#   - variables with names starting with a '@' are lists, the values assigned
#     to them should be lists too, e.g. ('one@foo', $mydomain, "three");
#     note the comma-separation and parenthesis. If strings in the list
#     do not contain spaces nor variables, a Perl operator qw() may be used
#     as a shorthand to split its argument on whitespace and produce a list
#     of strings, e.g. qw( one@foo example.com three ); Note that the argument
#     to qw is quoted implicitly and no variable interpretation is done within
#     (no '$' variable evaluations). The #-initiated comments can NOT be used
#     within a string. In other words, $ and # lose their special meaning
#     within a qw argument, just like within '...' strings.
#   - all e-mail addresses in this file and as used internally by the daemon
#     are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.
#     Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com
#     and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'.
#   - the term 'default value' in examples below refers to the value of a
#     variable pre-assigned to it by the program; any explicit assignment
#     to a variable in this configuration file overrides the default value;

#
# Section I - Essential daemon and MTA settings
#

# $MYHOME serves as a quick default for some other configuration settings.
# More refined control is available with each individual setting further down.
# $MYHOME is not used directly by the program. No trailing slash!
$MYHOME = '/var/amavis';          # (default is '/var/amavis')

# $mydomain serves as a quick default for some other configuration settings.
# More refined control is available with each individual setting further down.
# $mydomain is never used directly by the program.
$mydomain = 'frotmail.nl';        # (no useful default)

$myhostname = 'mail.frotmail.nl'; # fqdn of this host, default by uname(3)

# Set the user and group to which the daemon will change if started as root
# (otherwise just keeps the UID unchanged, and these settings have no effect):
$daemon_user  = 'amavis';   # (no default;  customary: vscan or amavis)
$daemon_group = 'amavis';   # (no default;  customary: vscan or amavis or sweep)

# Runtime working directory (cwd), and a place where
# temporary directories for unpacking mail are created.
# (no trailing slash, may be a scratch file system)
#$TEMPBASE = $MYHOME;          # (must be set if other config vars use it)
$TEMPBASE = "$MYHOME/tmp";     # prefer to keep home dir /var/amavis clean?

$db_home = "$MYHOME/db";       # DB databases directory, default "$MYHOME/db"

# $helpers_home sets environment variable HOME, and is passed as option
# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory
# on a normal persistent file system, not a scratch or temporary file system
$helpers_home = $MYHOME;       # (defaults to $MYHOME)

# Run the daemon in the specified chroot jail if nonempty:
#$daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot)

$pid_file  = "$MYHOME/amavisd.pid";  # (default is "$MYHOME/amavisd.pid")
$lock_file = "$MYHOME/amavisd.lock"; # (default is "$MYHOME/amavisd.lock")

# set environment variables if you want (no defaults):
$ENV{TMPDIR} = $TEMPBASE;      # wise to set TMPDIR, but not obligatory
#...

$enable_db = 1;                # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;      # enable use of libdb-based cache if $enable_db=1

# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,
# both $forward_method and $notify_method default to 'smtp:[127.0.0.1]:10025'

# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
# (set host and port number as required; host can be specified
# as an IP address or a DNS name (A or CNAME, but MX is ignored)
$forward_method = 'smtp:[127.0.0.1]:10025';  # where to forward checked mail
$notify_method = $forward_method;            # where to submit notifications

# To make it possible for several hosts to share one content checking daemon,
# the IP address and/or the port number in $forward_method and $notify_method
# may be specified as an asterisk. An asterisk in the colon-separated
# second field (host) will be replaced by the SMTP client peer address,
# An asterisk in the third field (tcp port) will be replaced by the incoming
# SMTP/LMTP session port number plus one. This obsoletes the previously used
# less flexible configuration parameter $relayhost_is_client. An example:
#   $forward_method = 'smtp:*:*'; $notify_method = 'smtp:*:10587';

# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
# uncomment the appropriate settings below if using other setups!

# SENDMAIL MILTER, using amavis-milter.c helper program:
#$forward_method = undef;  # no explicit forwarding, sendmail does it by itself
# milter; option -odd is needed to avoid deadlocks
#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
# just a thought: can we use use -Am instead of -odd ?

# SENDMAIL (old non-milter setup, as relay, deprecated):
#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';
#$notify_method = $forward_method;

# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent, deprecated):
#$forward_method = undef;  # no explicit forwarding, amavis.c will call LDA
#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';

# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';
#$notify_method = $forward_method;

# prefer to collect mail for forwarding as BSMTP files?
#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";
#$notify_method = $forward_method;

# Net::Server pre-forking settings
# The $max_servers should match the width of your MTA pipe
# feeding amavisd, e.g. with Postfix the 'Max procs' field in the
# master.cf file, like the '2' in the:  smtp-amavis unix - - n - 2 smtp
#
$max_servers  =  2;   # number of pre-forked children          (default 2)
$max_requests = 20;   # retire a child after that many accepts (default 10)

$child_timeout=5*60;  # abort child if it does not complete each task in
                      # approximately n sec (default: 8*60 seconds)

# Here is a QUICK WAY to completely DISABLE some sections of code
# that WE DO NOT WANT (it won't even be compiled-in).
# For more refined controls leave the following two lines commented out,
# and see further down what these two lookup lists really mean.
#
# @bypass_virus_checks_maps = (1);  # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code
#
# Any setting can be changed with a new assignment, so make sure
# you do not unintentionally override these settings further down!

# Check also the settings of @av_scanners at the end if you want to use
# virus scanners. If not, you may want to delete the whole long assignment
# to the variable @av_scanners and @av_scanners_backup, which will also
# remove the virus checking code (e.g. if you only want to do spam scanning).

# Lookup list of local domains (see README.lookups for syntax details)
#
# @local_domains_maps list of lookup tables are used in deciding whether a
# recipient is local or not, or in other words, if the message is outgoing
# or not. This affects inserting spam-related headers for local recipients,
# limiting recipient virus notifications (if enabled) to local recipients,
# in deciding if address extension may be appended, and in SQL lookups
# for non-fqdn addresses. Set it up correctly if you need features
# that rely on this setting (or just leave empty otherwise).
#
# With Postfix (2.0) a quick hint on what local domains normally are:
# a union of domains specified in: mydestination, virtual_alias_domains,
# virtual_mailbox_domains, and relay_domains.

@local_domains_maps = ( [".$mydomain"] );  # $mydomain and its subdomains

# @local_domains_maps = ();  # default is empty list, no recip. considered local
# @local_domains_maps =      # using ACL lookup table
#   ( [ ".$mydomain", 'sub.example.net', '.example.com' ] );
# @local_domains_maps =      # similar, split list elements on whitespace
#   ( [qw( .example.com !host.sub.example.net .sub.example.net )] );
# @local_domains_maps = ( new_RE( qr'[@.]example\.com$'i ) );  # using regexp
# @local_domains_maps = ( read_hash("$MYHOME/local_domains") ); # using hash
#   perhaps combined with Postfix: mydestination = /var/amavis/local_domains
# for debugging purposes: dump_hash($local_domains_maps[0]);

#
# Section II - MTA specific (defaults should be ok)
#

#$insert_received_line = 1;    # behave like MTA: insert 'Received:' header
                               # (does not apply to sendmail/milter)
                               # (default is true)

# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)
#   (used with amavis helper clients like amavis-milter.c and amavis.c,
#   NOT needed for Postfix or Exim or dual-sendmail - keep it undefined.
$unix_socketname = "$MYHOME/amavisd.sock";  # amavis helper protocol socket
#$unix_socketname = undef;     # disable listening on a unix socket
                               # (default is undef, i.e. disabled)
                               # (usual setting is $MYHOME/amavisd.sock)

# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
#   (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
$inet_socket_port = 10024;     # accept SMTP on this local TCP port
                               # (default is undef, i.e. disabled)
# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];

# SMTP SERVER (INPUT) access control
# - do not allow free access to the amavisd SMTP port !!!
#
# when MTA is at the same host, use the following (one or the other or both):
#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
                                  # (default is '127.0.0.1')
@inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP
                                  # (default is qw(127.0.0.1 [::1]) )

# when MTA (one or more) is on a different host, use the following:
#@inet_acl = qw(127.0.0.0/8 [::1] 10.1.0.1 10.1.0.2); # adjust list as needed
#$inet_socket_bind = undef;       # bind to all IP interfaces if undef
#
# Example1:
# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
#   permit only SMTP access from loopback and rfc1918 private address space
#
# Example2:
# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
#                 127.0.0.1 10/8 172.16/12 192.168/16 );
#   matches loopback and rfc1918 private address space except host 192.168.1.12
#   and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
#
# Example3:
# @inet_acl = qw( 127/8
#                 !172.16.3.0 !172.16.3.127 172.16.3.0/25
#                 !172.16.3.128 !172.16.3.255 172.16.3.128/25 );
#   matches loopback and both halves of the 172.16.3/24 C-class,
#   split into two subnets, except all four broadcast addresses
#   for these subnets
#
# @mynetworks is an IP access list which determines if the original SMTP client
# IP address belongs to our internal networks, i.e. mail is coming from inside.
# It is much like the Postfix parameter 'mynetworks' in semantics and similar
# in syntax, and its value should normally match the Postfix counterpart.
# It only affects the value of a macro %l (=sender-is-local),
# and the loading of policy 'MYNETS' if present (see below).
# Note that '-o smtp_send_xforward_command=yes' (or its lmtp counterpart)
# must be enabled in the Postfix service that feeds amavisd, otherwise
# client IP address is not available to amavisd-new.
#
# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
#                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );  # default
#
# A list of networks can also be read from a file, either as an IP acl in
# CIDR notation, one address per line (comments and empty lines are allowed):
#   @mynetworks_maps = (read_array('/etc/amavisd-mynetworks'), \@mynetworks);
#
# or less flexibly (but provides faster lookups for large lists) by reading
# into a hash lookup table, which only allows for full addresses or classful
# IPv4 subnets with truncated octets, such as 127, 10, 192.168, 10.11.12.13,
# one address per line (comments and empty lines are allowed):
#   @mynetworks_maps = (read_hash('/etc/amavisd-mynetworks'), \@mynetworks);
#
# See README.lookups for details on specifying access control lists.

#
# Section III - Logging
#

# true (e.g. 1) => syslog; false (e.g. 0) => logging to file
$DO_SYSLOG = 1;                # (defaults to 0)
#$SYSLOG_LEVEL = 'user.info';  # (facility.priority, default 'mail.info')

# Log file (if not using syslog)
$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)

#NOTE: levels are not strictly observed and are somewhat arbitrary
# 0: startup/exit/failure messages, viruses detected
# 1: args passed from client, some more interesting messages
# 2: virus scanner output, timing
# 3: server, client
# 4: decompose parts
# 5: more debug details
$log_level = 2;                # (defaults to 0)

# Customizable template for the most interesting log file entry (e.g. with
# $log_level=0) (take care to properly quote Perl special characters like '\')
# For a list of available macros see README.customize .

# $log_templ = undef;       # undef disables by-message level-0 log entries
$log_recip_templ = undef;   # undef disables by-recipient level-0 log entries

# log both infected and noninfected messages (new default):
# (remove the leading '#' and a space in the following lines to activate)
# $log_templ = '
# [?%#D|#|Passed #
#   [? [?%#V|1] |INFECTED (%V)|#
#   [? [?%#F|1] |BANNED (%F)|#
#   [? [? %2|1] |SPAM|#
#   [? [?%#X|1] |BAD-HEADER|CLEAN]]]]#
# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]<%o> -> [%D|,]#
# [? %q ||, quarantine: %q]#
# [? %Q ||, Queue-ID: %Q]#
# [? %m ||, Message-ID: %m]#
# [? %r ||, Resent-Message-ID: %r]#
# , mail_id: %i#
# , Hits: %c#
# #, size: %z#
# #[? %j ||, Subject: "%j"]#
# #[? %#T ||, Tests: \,\]#
# , %y ms#
# ]
# [?%#O|#|Blocked #
#   [? [?%#V|1] |INFECTED (%V)|#
#   [? [?%#F|1] |BANNED (%F)|#
#   [? [? %2|1] |SPAM|#
#   [? [?%#X|1] |BAD-HEADER|CLEAN]]]]#
# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]<%o> -> [%O|,]#
# [? %q ||, quarantine: %q]#
# [? %Q ||, Queue-ID: %Q]#
# [? %m ||, Message-ID: %m]#
# [? %r ||, Resent-Message-ID: %r]#
# , mail_id: %i#
# , Hits: %c#
# #, size: %z#
# #[? %j ||, Subject: "%j"]#
# #[? %#T ||, Tests: \,\]#
# , %y ms#
# ]';

# log template compatible with amavisd-new-20030616-p10:
# $log_recip_templ = undef;
# $log_templ = '
# [? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)],
# #
# <%o> -> [<%R>|,][? %q ||, quarantine %q], Message-ID: %m, Hits: %c';

#
# Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine
#

# Select notifications text encoding when Unicode-aware Perl is converting
# text from internal character representation to external encoding (charset
# in MIME terminology). Used as argument to Perl Encode::encode subroutine.
#
# to be used in RFC 2047-encoded header field bodies, e.g. in Subject:
#$hdr_encoding = 'iso-8859-1';  # MIME charset (default: 'iso-8859-1')
#$hdr_encoding_qb = 'Q';        # MIME encoding: quoted-printable (default)
#$hdr_encoding_qb = 'B';        # MIME encoding: base64
#
# to be used in notification body text: its encoding and Content-type.charset
#$bdy_encoding = 'iso-8859-1';  # (default: 'iso-8859-1')

# Default template texts for notifications may be overruled by directly
# assigning new text to template variables, or by reading template text
# from files. A second argument may be specified in a call to read_text(),
# specifying character encoding layer to be used when reading from the
# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.
# Text will be converted to internal character representation by Perl 5.8.0
# or later; second argument is ignored otherwise. See PerlIO::encoding,
# Encode::PerlIO and perluniintro man pages.
#
# $notify_sender_templ      = read_text("$MYHOME/notify_sender.txt");
# $notify_virus_sender_templ= read_text("$MYHOME/notify_virus_sender.txt");
# $notify_virus_admin_templ = read_text("$MYHOME/notify_virus_admin.txt");
# $notify_virus_recips_templ= read_text("$MYHOME/notify_virus_recips.txt");
# $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt");
# $notify_spam_admin_templ  = read_text("$MYHOME/notify_spam_admin.txt");

# If notification template files are collectively available in some directory,
# one may call read_l10n_templates which invokes read_text for each known
# template. This is primarily a Debian-specific feature, but was incorporated
# into base code to facilitate porting.
#
# read_l10n_templates('/etc/amavis/en_US');
#
# If read_l10n_templates is called, a localization template directory must
# contain the following files:
#   charset                      this file should contain a one-line name
#                                of the character set used in the template
#                                files (e.g. utf8, iso-8859-2, ...) and is
#                                passed as the second argument to read_text;
#   template-dsn.txt             content fills the $notify_sender_templ
#   template-virus-sender.txt    content fills the $notify_virus_sender_templ
#   template-virus-admin.txt     content fills the $notify_virus_admin_templ
#   template-virus-recipient.txt content fills the $notify_virus_recips_templ
#   template-spam-sender.txt     content fills the $notify_spam_sender_templ
#   template-spam-admin.txt      content fills the $notify_spam_admin_templ

# Here is an overall picture (sequence of events) of how pieces fit together
#
#   bypass_virus_checks set for all recipients? ==> PASS
#   no viruses?   ==> PASS
#   log virus     if $log_templ is nonempty
#   quarantine    if $virus_quarantine_to is nonempty
#   notify admin  if $virus_admin (lookup) nonempty
#   notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
#   add address extensions for local recipients (when enabled)
#   send (non-)delivery notifications
#      to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS))
#   virus_lovers or final_destiny==D_PASS  ==> PASS
#   DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
#
# Equivalent flow diagram applies for spam checks.
# If a virus is detected, spam checking is skipped entirely.

# The following symbolic constants can be used in *_destiny settings:
#
# D_PASS     mail will pass to recipients, regardless of bad contents;
#
# D_DISCARD  mail will not be delivered to its recipients, sender will NOT be
#            notified. Effectively we lose mail (but will be quarantined
#            unless disabled). Losing mail is not decent for a mailer,
#            but might be desired.
#
# D_BOUNCE   mail will not be delivered to its recipients, a non-delivery
#            notification (bounce) will be sent to the sender by amavisd-new;
#            Exception: bounce (DSN) will not be sent if a virus name matches
#            $viruses_that_fake_sender_re, or to messages from mailing lists
#            (Precedence: bulk|list|junk), or for spam level that exceeds
#            the $sa_dsn_cutoff_level.
#
# D_REJECT   mail will not be delivered to its recipients, sender should
#            preferably get a reject, e.g. SMTP permanent reject response
#            (e.g. with milter), or non-delivery notification from MTA
#            (e.g. Postfix). If this is not possible (e.g. different recipients
#            have different tolerances to bad mail contents and not using LMTP)
#            amavisd-new sends a bounce by itself (same as D_BOUNCE).
#            Not to be used with Postfix or dual-MTA setups!
#
# Notes:
#   D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
#            for informing the sender about non-delivery, and how informative
#            the notification can be (amavisd-new knows more than MTA);
#   With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
#            notification, colloquially called 'bounce') - depending on MTA;
#            Best suited for sendmail milter, especially for spam.
#   With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
#            reason for mail non-delivery or even suppress DSN, but unable
#            to reject the original SMTP session). Best suited to reporting
#            viruses, and for Postfix and other dual-MTA setups, which can't
#            reject original client SMTP session, as the mail has already
#            been enqueued.

$final_virus_destiny      = D_DISCARD; # (defaults to D_DISCARD)
$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_PASS;    # (defaults to D_BOUNCE)
$final_bad_header_destiny = D_PASS;    # (defaults to D_PASS), D_BOUNCE suggested

# Alternatives to consider for spam:
# - use D_PASS if clients will do filtering based on inserted
#   mail headers or added address extensions ('plus-addressing');
# - use D_DISCARD, if kill_level is set comfortably high;
#
# D_BOUNCE is preferred for viruses, but consider:
# - use D_PASS (or virus_lovers) to deliver viruses;
# - use D_REJECT instead of D_BOUNCE if using milter and under heavy
#   virus storm;
#
# Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped
# to D_BOUNCE.
#
# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD
# and D_PASS made settings $warnvirussender and $warnspamsender only still
# marginally useful with D_PASS.

# The following $warn*sender settings are ONLY used when mail is
# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).
# Bounces or rejects produce non-delivery status notification regardless.

# Notify virus sender?
#$warnvirussender = 1;  # (defaults to false (undef))

# Notify spam sender?
#$warnspamsender = 1;   # (defaults to false (undef))

# Notify sender of banned files?
$warnbannedsender = 1;  # (defaults to false (undef))

# Notify sender of syntactically invalid header containing non-ASCII characters?
#$warnbadhsender = 1;   # (defaults to false (undef))

# Notify virus (or banned files or bad headers) RECIPIENT?
#  (not very useful, but some policies demand it)
$warnvirusrecip = 1;    # (defaults to false (undef))
$warnbannedrecip = 1;   # (defaults to false (undef))
#$warnbadhrecip = 1;    # (defaults to false (undef))

# Notify also non-local virus/banned recipients if $warn*recip is true?
#  (including those not matching local_domains*)
$warn_offsite = 1;      # (defaults to false (undef), i.e. only notify locals)

@viruses_that_fake_sender_maps = (new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan
  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc
  [qr/^/ => 1],   # true by default  (remove or comment-out if undesired)
));

$mailfrom_notify_admin     = "virusalert\@$mydomain";
$mailfrom_notify_recip     = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
$mailfrom_to_quarantine = '';  # override sender address with null return path

$QUARANTINEDIR = '/var/amavis';
#$quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine

$virus_quarantine_method        = 'local:virus-%m';    # default
$spam_quarantine_method         = 'local:spam-%m.gz';  # default
$banned_files_quarantine_method = 'local:banned-%m';   # default
$bad_header_quarantine_method   = 'local:badh-%m';     # default

# Separate quarantine subdirectories virus, spam, banned and badh within
# the directory $QUARANTINEDIR may be specified by the following settings
# (the subdirectories need to exist - must be created manually):
$virus_quarantine_method        = 'local:virus/virus-%m';
#$spam_quarantine_method        = 'local:spam/spam-%m.gz';
$banned_files_quarantine_method = 'local:banned/banned-%m';
#$bad_header_quarantine_method  = 'local:badh/badh-%m';

$virus_quarantine_to = 'virus-quarantine';  # traditional local quarantine
#$virus_quarantine_to = 'infected@';        # forward to MTA for delivery
#$virus_quarantine_to = "virus-quarantine\@$mydomain";   # similar
#$virus_quarantine_to = 'virus-quarantine@example.com';  # similar
#$virus_quarantine_to = undef;              # no quarantine
#
#   lookup key is envelope recipient address:
#@virus_quarantine_to_maps = (  # per-recip multiple quarantines
#  new_RE( [qr'^user@example\.com$'i => 'infected@'],
#          [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],
#          [qr'^(.*)(@[^@])?$'i      => 'virus-${1}${2}'] ),
#  $virus_quarantine_to,          # the usual default
#);

# similar for banned names and bad headers and spam (set to undef to disable)
$banned_quarantine_to     = 'banned-quarantine';  # local quarantine
$bad_header_quarantine_to = undef;   # local quarantine
$spam_quarantine_to       = undef;   # local quarantine
# or to a mailbox:
#$spam_quarantine_to = "spam-quarantine\@$mydomain";
#
#@spam_quarantine_to_maps = (  # per-recip multiple quarantines
#  new_RE( [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'] ),
#  $spam_quarantine_to,           # the usual default
#);

# In addition to per-recip quarantine, a by-sender lookup is possible.
# It is similar to $spam_quarantine_to, but the lookup key is the
# envelope sender address:
#$spam_quarantine_bysender_to = undef;  # dflt: no by-sender spam quarantine

# Add X-Virus-Scanned header field to mail?
$X_HEADER_TAG = 'X-Virus-Scanned';  # (default: 'X-Virus-Scanned')
# Set to empty to add no header field  # (dflt "$myproduct_name at $mydomain")
# $X_HEADER_LINE = "$myproduct_name at $mydomain";
$X_HEADER_LINE = "by $myproduct_name using ClamAV at $mydomain";
# $X_HEADER_LINE = "$myproduct_name $myversion_id ($myversion_date) at $mydomain";

# a string to prepend to Subject (for local recipients only) if mail could
# not be decoded or checked entirely, e.g. due to password-protected archives
$undecipherable_subject_tag = '*UNCHECKED* ';  # undef disables it

# MIME defanging wraps the entire original mail in a MIME container of type
# 'Content-type: multipart/mixed', where the first part is a text/plain with
# a short explanation, and the second part is a complete original mail,
# enclosed in a 'Content-type: message/rfc822' MIME part.
# Defanging is only done when enabled (selectively by malware type),
# and mail is considered malware (virus/spam/...), and the malware is allowed
# to pass (*_lovers or *_destiny=D_PASS)
# $defang_virus  = 1;          # default is false: don't modify mail body
$defang_banned = 1;            # default is false: don't modify mail body
# $defang_bad_header = 1;      # default is false: don't modify mail body
# $defang_undecipherable = 1;  # default is false: don't modify mail body
$defang_spam = 1;              # default is false: don't modify mail body

$remove_existing_x_scanned_headers = 1;  # remove existing X-Virus-Scanned headers
                                         # (1 = remove, 0 = leave them alone;
                                         # defaults to false)
#$remove_existing_x_scanned_headers= 1;  # remove existing headers
#$remove_existing_spam_headers = 0;      # leave existing X-Spam* headers alone
$remove_existing_spam_headers  = 1;      # remove existing spam headers if
                                         # spam scanning is enabled (default)

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

$banned_filename_re = new_RE(
  # block certain double extensions anywhere in the base name
  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
  [ qr'^\.(Z|gz|bz2)$'            => 0 ],  # allow any in Unix-compressed
  [ qr'^\.(rpm|cpio|tar)$'        => 0 ],  # allow any in Unix-type archives
  [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives
);

# new-style of banned lookup table
$banned_namepath_re = new_RE(
#
# within traditional Unix compressions allow any name and type
  [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2) (\t.*)? $'xmi => 0 ],  # allow
# within traditional Unix archives allow any name and type
  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio|rar|zip) (\t.*)? $'xmi => 0 ],  # allow
# block certain double extensions in filenames
  qr'(?# BLOCK DOUBLE-EXTENSIONS ) ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \. (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,
);
$banned_namepath_re = undef;  # to disable new-style

$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting

$localpart_is_case_sensitive = 0;  # (default is false)

@score_sender_maps = ({ # a by-recipient hash lookup table
  # site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost
   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),
#  read_hash("/var/amavis/sender_scores_sitewide"),
   { # a hash-type lookup table (associative array)
     'nobody@cert.org'                        => -3.0,
     'cert-advisory@us-cert.gov'              => -3.0,
     'owner-alert@iss.net'                    => -3.0,
     'slashdot@slashdot.org'                  => -3.0,
     'bugtraq@securityfocus.com'              => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     'security-alerts@linuxsecurity.com'      => -3.0,
     'mailman-announce-admin@python.org'      => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'notification-return@lists.sophos.com'   => -3.0,
     'owner-postfix-users@postfix.org'        => -3.0,
     'owner-postfix-announce@postfix.org'     => -3.0,
     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org'                => -3.0,
     'ca+envelope@sendmail.org'               => -3.0,
     'noreply@freshmeat.net'                  => -3.0,
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

     # soft-blacklisting (positive score)
     'sender@example.net'                     =>  3.0,
     '.example.net'                           =>  1.0,
   },
  ],  # end of site-wide tables
});

@blacklist_sender_maps = ( new_RE(
    qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
    qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
    qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
    qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
    qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
    qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
));

# Maximum recursion level for extraction/decoding (0 or undef disables limit)
$MAXLEVELS = 14;                # (default is undef, no limit)

# Maximum number of extracted files (0 or undef disables the limit)
$MAXFILES = 1500;               # (default is undef, no limit)

# $MIN_EXPANSION_QUOTA = 100*1024;    # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$MIN_EXPANSION_FACTOR =   5;  # times original mail size  (default is 5)
$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (default is 500)

# expiration time of cached results: time to live in seconds
# (how long the result of a virus/spam test remains valid)
$virus_check_negative_ttl=  3*60;  # time to remember that mail was not infected
$virus_check_positive_ttl= 30*60;  # time to remember that mail was infected
$spam_check_negative_ttl = 30*60;  # time to remember that mail was not spam
$spam_check_positive_ttl = 30*60;  # time to remember that mail was spam

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file  = 'file';   # file(1) utility; use 3.41 or later to avoid vulnerability
$dspam = 'dspam';

@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_gunzip],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_tar],
  ['deb',  \&do_ar,         'ar'],
# ['a',    \&do_ar,         'ar'],  # unpacking .a seems an overkill
  ['zip',  \&do_unzip],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,        'zoo'],
  ['lha',  \&do_lha,        'lha'],
# ['doc',  \&do_ole,        'ripole'],
  ['cab',  \&do_cabextract, 'cabextract'],
  ['tnef', \&do_tnef_ext,   'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);

# SpamAssassin settings

# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
# of the option local_tests_only. See Mail::SpamAssassin man page.
# If set to 1, no SA tests that require internet access will be performed.
#
$sa_local_tests_only = 0;    # (default: false)
$sa_auto_whitelist = 1;      # turn on AWL in SA 2.63 or older (irrelevant
                             # for SA 3.0, its cf option is use_auto_whitelist)

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
                                     # (less than 1% of spam is > 64k)
                                     # default: undef, no limitations

# default values, customarily used in the @spam_*_level_maps as the last entry
$sa_tag_level_deflt  = -999.0; # add spam info headers if at, or above that level;
                               # undef is interpreted as lower than any spam level
$sa_tag2_level_deflt = 3.31;   # add 'spam detected' headers at that level to
                               # passed mail (e.g. when $final_spam_destiny=D_PASS
                               # or for spam_lovers or when below kill_level)
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
                               # at or above that level: bounce/reject/drop,
                               # quarantine, and adding mail address extension
$sa_dsn_cutoff_level = undef;  # spam level beyond which a DSN is not sent,
                               # effectively turning D_BOUNCE into D_DISCARD;
                               # undef disables this feature and is a default;

# a quick reference:
#   tag_level  controls adding the X-Spam-Status and X-Spam-Level headers,
#   tag2_level controls adding 'X-Spam-Flag: YES', editing (tagging) Subject,
#              and adding address extensions,
#   kill_level controls 'evasive actions' (reject, quarantine);
#   it only makes sense to maintain the relationship:
#   tag_level <= tag2_level <= kill_level < dsn_cutoff_level

# string to prepend to Subject header field when message exceeds tag2 level
$sa_spam_subject_tag = '*SPAM* ';  # (defaults to undef, disabled)
                                   # (only seen when spam is passed and recipient is
                                   # in local_domains*)
$sa_spam_modifies_subj = 1;  # in @spam_modifies_subj_maps, default is true

# Example: modify Subject for all local recipients except user@example.com
#@spam_modifies_subj_maps = ( [qw( !user@example.com . )] );

#$sa_spam_level_char = '*'; # char for X-Spam-Level bar, defaults to '*';
                            # undef or empty disables inserting X-Spam-Level
$sa_spam_report_header = 1; # insert X-Spam-Report header field? default false

# stop anti-virus scanning when the first scanner detects a virus?
#$first_infected_stops_scan = 1; # default is false, all scanners in a section # are called @av_scanners = ( ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], # NOTE: the easiest is to run clamd under the same user as amavisd; match the # socket name (LocalSocket) in clamav.conf to the socket name in this entry # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"], ### http://www.kaspersky.com/ (in the 'file server version') ['KasperskyLab AVP - aveclient', ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', '/opt/kav/bin/aveclient','aveclient'], '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/, qr/(?:INFECTED|SUSPICION) (.+)/, ], ### http://www.kaspersky.com/ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? qr/infected: (.+)/, sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], ### The kavdaemon and AVPDaemonClient have been removed from Kasperky ### products and replaced by aveserver and aveclient ['KasperskyLab AVPDaemonClient' , [ '/opt/AVP/kavdaemon', 'kavdaemon', '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', '/opt/AVP/AvpTeamDream', 'AvpTeamDream', '/opt/AVP/avpdc', 'avpdc' ], "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ], # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" ### http://www.centralcommand.com/ ['CentralCommand Vexira (new) vascan', ['vascan','/usr/lib/Vexira/vascan'], "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". "--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}", [0,3], [1,2,5], qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ], # Adjust the path of the binary and the virus database as needed. 
# 'vascan' does not allow to have the temp directory to be the same as # the quarantine directory, and the quarantine option can not be disabled. # If $QUARANTINEDIR is not used, then another directory must be specified # to appease 'vascan'. Move status 3 to the second list if password # protected files are to be considered infected. ### http://www.hbedv.com/ ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus', ['antivir','vexira'], '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/, qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ], # NOTE: if you only have a demo version, remove -z and add 214, as in: # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, ### http://www.commandsoftware.com/ ['Command AntiVirus for Linux', 'csav', '-all -archive -packed {}', [50], [51,52,53], qr/Infection: (.+)/ ], ### http://www.symantec.com/ ['Symantec CarrierScan via Symantec CommandLineScanner', 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', qr/^Files Infected:\s+0$/, qr/^Infected\b/, qr/^(?:Info|Virus Name):\s+(.+)/ ], ### http://www.symantec.com/ ['Symantec AntiVirus Scan Engine', 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', [0], qr/^Infected\b/, qr/^(?:Info|Virus Name):\s+(.+)/ ], # NOTE: check options and patterns to see which entry better applies ### http://www.f-secure.com/products/anti-virus/ ['F-Secure Antivirus', 'fsav', '--dumb --mime --archive {}', [0], [3,8], qr/(?:infection|Infected|Suspected): (.+)/ ], ['CAI InoculateIT', 'inocucmd', # retired product '-sec -nex {}', [0], [100], qr/was infected by virus (.+)/ ], # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) ['CAI eTrust Antivirus', 'etrust-wrapper', '-arc -nex -spm h {}', [0], [101], qr/is infected by virus: (.+)/ ], # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer # see 
http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 ### http://mks.com.pl/english.html ['MkS_Vir for Linux (beta)', ['mks32','mks'], '-s {}/*', [0], [1,2], qr/--[ \t]*(.+)/ ], ### http://mks.com.pl/english.html ['MkS_Vir daemon', 'mksscan', '-s -q {}', [0], [1..7], qr/^... (\S+)/ ], ### http://www.nod32.com/ ['ESET Software NOD32', 'nod32', '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ], # with old versions use: # '-all -subdir+ {}', [0], [1,2], # qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ], ### http://www.nod32.com/ ['ESET Software NOD32 - Client/Server Version', 'nod32cli', '-a -r -d recurse --heur standard {}', [0], [10,11], qr/^\S+\s+infected:\s+(.+)/ ], ### http://www.norman.com/products_nvc.shtml ['Norman Virus Control v5 / Linux', 'nvcc', '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], qr/(?i).* virus in .* -> \'(.+)\'/ ], ### http://www.pandasoftware.com/ ['Panda Antivirus for Linux', ['pavcl'], '-aut -aex -heu -cmp -nbr -nor -nso -eng {}', qr/Number of files infected[ .]*: 0+(?!\d)/, qr/Number of files infected[ .]*: 0*[1-9]/, qr/Found virus :\s*(\S+)/ ], ### http://www.nai.com/ ['NAI McAfee AntiVirus (uvscan)', 'uvscan', '--secure -rv --mime --summary --noboot - {}', [0], [13], qr/(?x) Found (?: \ the\ (.+)\ (?:virus|trojan) | \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | :\ (.+)\ NOT\ a\ virus)/, # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, # sub {delete $ENV{LD_PRELOAD}}, ], ### http://www.virusbuster.hu/en/ ['VirusBuster', ['vbuster', 'vbengcl'], "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], qr/: '(.*)' - Virus/ ], ### http://www.cyber.com/ ['CyberSoft VFind', 'vfind', '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/, # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, ], ### http://www.ikarus-software.com/ ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40], qr/Signature (.+) found/ ], ### http://www.bitdefender.com/ ['BitDefender', 'bdc', '--all --arc --mail {}', qr/^Infected files *:0+(?!\d)/, 
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, qr/(?:suspected|infected): (.*)(?:\033|$)/ ], ); @av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ### http://www.f-prot.com/ - backs up F-Prot Daemon ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], qr/Infection: (.+)|\s+contains\s+(.+)$/ ], ### http://www.trendmicro.com/ - backs up Trophie ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD ['drweb - DrWeb Antivirus', ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'], '-i1 -xp {}', [0,10,15], [5,20,21,25], qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ , sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], ); 1; # insure a defined return
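The spam threshold ladder documented in the config above (tag_level <= tag2_level <= kill_level < dsn_cutoff_level), applied to a SpamAssassin score with the values set in this config. This is an added example, not amavisd code; which outcome hangs on which level follows the "quick reference" comment, and the exact header text amavisd emits is not reproduced.

```python
from typing import Optional

# Values as set in the config above ("undef" becomes None).
SA_TAG_LEVEL = -999.0
SA_TAG2_LEVEL = 3.31
SA_KILL_LEVEL = SA_TAG2_LEVEL      # kill == tag2: every flagged mail is also "killed"
SA_DSN_CUTOFF = None               # undef: DSN suppression disabled
SA_SPAM_SUBJECT_TAG = "*SPAM* "

def levels_consistent(tag: Optional[float], tag2: float, kill: float,
                      dsn_cutoff: Optional[float]) -> bool:
    """Check tag <= tag2 <= kill < dsn_cutoff as the config recommends.
    An undef tag is lower than any score, an undef cutoff never limits."""
    tag = float("-inf") if tag is None else tag
    ordered = tag <= tag2 <= kill
    return ordered and (dsn_cutoff is None or kill < dsn_cutoff)

def spam_actions(score: float, subject: str, tag=SA_TAG_LEVEL, tag2=SA_TAG2_LEVEL,
                 kill=SA_KILL_LEVEL, dsn_cutoff=SA_DSN_CUTOFF) -> dict:
    """Map a score to the outcomes each level controls (per the config's
    quick reference). Evasive action, not the Subject tag, is what the
    recipient sees at or above kill_level unless spam is passed anyway."""
    acts = {
        "status_headers": tag is None or score >= tag,   # X-Spam-Status, X-Spam-Level
        "flag_yes": score >= tag2,                       # X-Spam-Flag: YES, Subject tag
        "evasive_action": score >= kill,                 # bounce/reject/drop/quarantine
        "dsn_suppressed": dsn_cutoff is not None and score >= dsn_cutoff,
    }
    acts["subject"] = (SA_SPAM_SUBJECT_TAG + subject) if acts["flag_yes"] else subject
    return acts

if __name__ == "__main__":
    print(levels_consistent(SA_TAG_LEVEL, SA_TAG2_LEVEL, SA_KILL_LEVEL, SA_DSN_CUTOFF))
    print(spam_actions(1.2, "weekly report"))   # headers only, Subject unchanged
    print(spam_actions(3.31, "cheap offers"))   # flagged, tagged and killed
```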
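How the last three fields of an @av_scanners entry (clean test, infected test, virus-name regex) turn a scanner run into a verdict, shown with the ClamAV-clamd and F-Prot entries from this config. This is an added example, not amavisd's own code: the scanner outputs are constructed, and giving an infected match precedence over a clean match is my assumption.

```python
import re
from dataclasses import dataclass

@dataclass
class ScannerEntry:
    name: str
    clean: object       # list of exit codes, or compiled regex on the output
    infected: object    # list of exit codes, or compiled regex on the output
    virus_name: re.Pattern

def _hit(test, status, output: str) -> bool:
    """A list names exit codes for this outcome; a regex is run on the output."""
    if isinstance(test, re.Pattern):
        return test.search(output) is not None
    return status in test

def classify(entry: ScannerEntry, status, output: str):
    """Return (verdict, virus names). 'error' means neither test matched:
    that is a scanner failure, not a clean result, which is what the
    @av_scanners_backup list above exists for."""
    if _hit(entry.infected, status, output):       # assumption: infected wins
        names = []
        for m in entry.virus_name.finditer(output):
            names.extend(g for g in m.groups() if g)  # skip unused alternatives
        return "infected", names
    if _hit(entry.clean, status, output):
        return "clean", []
    return "error", []

# Two entries transcribed from this config (Perl qr// written as Python re;
# re.M so ^ and $ anchor per output line).
CLAMD = ScannerEntry("ClamAV-clamd", re.compile(r"\bOK$", re.M),
                     re.compile(r"\bFOUND$", re.M),
                     re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M))
FPROT = ScannerEntry("FRISK F-Prot Antivirus", [0, 8], [3, 6],
                     re.compile(r"Infection: (.+)|\s+contains\s+(.+)$", re.M))

# Constructed sample results, not captured scanner output.
CLAMD_HIT = "/var/amavis/tmp/parts/p002: Eicar-Test-Signature FOUND\n"
CLAMD_OK = "/var/amavis/tmp/parts/p001: OK\n"
FPROT_HIT = "p001  Infection: EICAR_Test_File\n"

if __name__ == "__main__":
    print(classify(CLAMD, None, CLAMD_HIT))      # ('infected', ['Eicar-Test-Signature'])
    print(classify(CLAMD, None, CLAMD_OK))       # ('clean', [])
    print(classify(FPROT, 3, FPROT_HIT))         # ('infected', ['EICAR_Test_File'])
    print(classify(FPROT, 2, "scan aborted\n"))  # ('error', [])
```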