Installatie Amavisd

From Frotmail Projects
Revision as of 09:18, 5 April 2022 by Eric (talk | contribs) (Created page with "=postfix config= voeg toe: content_filter=smtp-amavis:[127.0.0.1]:10024 =Amavisd Config= Download laatste versie: http://www.ijs.si/software/amavisd/#download De standaard voorbeeld config is redelijk duidelijk. mijn config: ---- use strict; # Sample configuration file for amavisd-new (traditional style, chatty, # you may prefer to start with the more concise supplied amavisd.conf) # # See amavisd.conf-default for a list of all variables with their defaul...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

postfix config

voeg toe:

content_filter=smtp-amavis:[127.0.0.1]:10024

Amavisd Config

Download laatste versie: http://www.ijs.si/software/amavisd/#download

De standaard voorbeeld config is redelijk duidelijk.

mijn config:


use strict;

# Sample configuration file for amavisd-new (traditional style, chatty,
# you may prefer to start with the more concise supplied amavisd.conf)
#
# See amavisd.conf-default for a list of all variables with their defaults;
# for more details see documentation in INSTALL, README_FILES/*
# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html

# This software is licensed under the GNU General Public License (GPL).
# See comments at the start of amavisd-new for the whole license text.

#Sections:
# Section I    - Essential daemon and MTA settings
# Section II   - MTA specific
# Section III  - Logging
# Section IV   - Notifications/DSN, bounce/reject/discard/pass, quarantine
# Section V    - Per-recipient and per-sender handling, whitelisting, etc.
# Section VI   - Resource limits
# Section VII  - External programs, virus scanners, SpamAssassin
# Section VIII - Debugging
# Section IX   - Policy banks (dynamic policy switching)

#GENERAL NOTES:
#  This file is a normal Perl code, interpreted by Perl itself.
#  - make sure this file (or directory where it resides) is NOT WRITABLE
#    by mere mortals (not even vscan/amavis; best to make it owned by root),
#    otherwise it can represent a severe security risk!
#  - for values which are interpreted as booleans, it is recommended
#    to use 1 for true, and 0 or undef or  for false.
#    THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "no" also meant false,
#    now it means true, like any nonempty string does!
#  - Perl syntax applies. Most notably: strings in "" may include variables
#    (which start with $ or @); to include characters $ and @ and \ in double
#    quoted strings precede them by a backslash; in single-quoted strings
#    the $ and @ lose their special meaning, so it is usually easier to use
#    single quoted strings (or qw operator) for e-mail addresses.
#    In both types of quoting a backslash should to be doubled.
#  - variables with names starting with a '@' are lists, the values assigned
#    to them should be lists too, e.g. ('one@foo', $mydomain, "three");
#    note the comma-separation and parenthesis. If strings in the list
#    do not contain spaces nor variables, a Perl operator qw() may be used
#    as a shorthand to split its argument on whitespace and produce a list
#    of strings, e.g. qw( one@foo example.com three );  Note that the argument
#    to qw is quoted implicitly and no variable interpretation is done within
#    (no '$' variable evaluations). The #-initiated comments can NOT be used
#    within a string. In other words, $ and # lose their special meaning
#    within a qw argument, just like within '...' strings.
#  - all e-mail addresses in this file and as used internally by the daemon
#    are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.
#    Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com
#    and not <"Bob \"Funny\" Dude"@example.com>; also:  and not '<>'.
#  - the term 'default value' in examples below refers to the value of a
#    variable pre-assigned to it by the program; any explicit assignment
#    to a variable in this configuration file overrides the default value;
 

#
# Section I - Essential daemon and MTA settings
#

# $MYHOME serves as a quick default for some other configuration settings.
# More refined control is available with each individual setting further down.
# $MYHOME is not used directly by the program. No trailing slash!
$MYHOME = '/var/amavis';   # (default is '/var/amavis')

# $mydomain serves as a quick default for some other configuration settings.
# More refined control is available with each individual setting further down.
# $mydomain is never used directly by the program.
$mydomain = 'frotmail.nl';      # (no useful default)

$myhostname = 'mail.frotmail.nl';  # fqdn of this host, default by uname(3)

# Set the user and group to which the daemon will change if started as root
# (otherwise just keeps the UID unchanged, and these settings have no effect):
$daemon_user  = 'amavis';   # (no default;  customary: vscan or amavis)
$daemon_group = 'amavis';   # (no default;  customary: vscan or amavis or sweep)

# Runtime working directory (cwd), and a place where
# temporary directories for unpacking mail are created.
# (no trailing slash, may be a scratch file system)
#$TEMPBASE = $MYHOME;	        # (must be set if other config vars use is)
$TEMPBASE = "$MYHOME/tmp";     # prefer to keep home dir /var/amavis clean?

$db_home = "$MYHOME/db";	# DB databases directory, default "$MYHOME/db"

# $helpers_home sets environment variable HOME, and is passed as option
# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory
# on a normal persistent file system, not a scratch or temporary file system
$helpers_home = $MYHOME;	# (defaults to $MYHOME)

# Run the daemon in the specified chroot jail if nonempty:
#$daemon_chroot_dir = $MYHOME;  # (default is undef, meaning: do not chroot)

$pid_file  = "$MYHOME/amavisd.pid";  # (default is "$MYHOME/amavisd.pid")
$lock_file = "$MYHOME/amavisd.lock"; # (default is "$MYHOME/amavisd.lock")

# set environment variables if you want (no defaults):
$ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory
#...

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,
# both $forward_method and $notify_method default to 'smtp:[127.0.0.1]:10025'

# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
# (set host and port number as required; host can be specified
# as an IP address or a DNS name (A or CNAME, but MX is ignored)
$forward_method = 'smtp:[127.0.0.1]:10025';  # where to forward checked mail
$notify_method = $forward_method;            # where to submit notifications

# To make it possible for several hosts to share one content checking daemon,
# the IP address and/or the port number in $forward_method and $notify_method
# may be spacified as an asterisk. An asterisk in the colon-separated
# second field (host) will be replaced by the SMTP client peer address,
# An asterisk in the third field (tcp port) will be replaced by the incoming
# SMTP/LMTP session port number plus one. This obsoletes the previously used
# less flexible configuration parameter $relayhost_is_client. An example:
#   $forward_method = 'smtp:*:*'; $notify_method = 'smtp:*:10587';


# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
#       uncomment the appropriate settings below if using other setups!

# SENDMAIL MILTER, using amavis-milter.c helper program:
#$forward_method = undef;  # no explicit forwarding, sendmail does it by itself
# milter; option -odd is needed to avoid deadlocks
#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
# just a thought: can we use use -Am instead of -odd ?  

# SENDMAIL (old non-milter setup, as relay, deprecated):
#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';
#$notify_method = $forward_method;

# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent, deprecated):
#$forward_method = undef;  # no explicit forwarding, amavis.c will call LDA
#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';

# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';
#$notify_method = $forward_method;

# prefer to collect mail for forwarding as BSMTP files?
#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";
#$notify_method = $forward_method;


# Net::Server pre-forking settings
# The $max_servers should match the width of your MTA pipe
# feeding amavisd, e.g. with Postfix the 'Max procs' field in the
# master.cf file, like the '2' in the:  smtp-amavis unix - - n - 2 smtp
#
$max_servers  =  2;   # number of pre-forked children          (default 2)
$max_requests = 20;   # retire a child after that many accepts (default 10)

$child_timeout=5*60;  # abort child if it does not complete each task in
                      # approximately n sec (default: 8*60 seconds)

# Here is a QUICK WAY to completely DISABLE some sections of code
# that WE DO NOT WANT (it won't even be compiled-in).
# For more refined controls leave the following two lines commented out,
# and see further down what these two lookup lists really mean.
#
# @bypass_virus_checks_maps = (1);  # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code
#
# Any setting can be changed with a new assignment, so make sure
# you do not unintentionally override these settings further down!

# Check also the settings of @av_scanners at the end if you want to use
# virus scanners. If not, you may want to delete the whole long assignment
# to the variable @av_scanners and @av_scanners_backup, which will also
# remove the virus checking code (e.g. if you only want to do spam scanning).


# Lookup list of local domains (see README.lookups for syntax details)
#
# @local_domains_maps list of lookup tables are used in deciding whether a
# recipient is local or not, or in other words, if the message is outgoing
# or not. This affects inserting spam-related headers for local recipients,
# limiting recipient virus notifications (if enabled) to local recipients,
# in deciding if address extension may be appended, and in SQL lookups
# for non-fqdn addresses. Set it up correctly if you need features
# that rely on this setting (or just leave empty otherwise).
#
# With Postfix (2.0) a quick hint on what local domains normally are:
# a union of domains specified in: mydestination, virtual_alias_domains,
# virtual_mailbox_domains, and relay_domains. 

@local_domains_maps = ( [".$mydomain"] );  # $mydomain and its subdomains
# @local_domains_maps = (); # default is empty list, no recip. considered local
# @local_domains_maps =  # using ACL lookup table
#   ( [ ".$mydomain", 'sub.example.net', '.example.com' ] );
# @local_domains_maps =  # similar, split list elements on whitespace
#   ( [qw( .example.com !host.sub.example.net .sub.example.net )] );
# @local_domains_maps = ( new_RE( qr'[@.]example\.com$'i ) );   # using regexp
# @local_domains_maps = ( read_hash("$MYHOME/local_domains") ); # using hash
#   perhaps combined with Postfix: mydestination = /var/amavis/local_domains
# for debugging purposes: dump_hash($local_domains_maps[0]);
#
# Section II - MTA specific (defaults should be ok)
#

#$insert_received_line = 1;       # behave like MTA: insert 'Received:' header
			          # (does not apply to sendmail/milter)
			          # (default is true)

# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)
#   (used with amavis helper clients like amavis-milter.c and amavis.c,
#   NOT needed for Postfix or Exim or dual-sendmail - keep it undefined.
$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
#$unix_socketname = undef;        # disable listening on a unix socket
                                  # (default is undef, i.e. disabled)
                                  # (usual setting is $MYHOME/amavisd.sock)

# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
#   (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
$inet_socket_port = 10024;        # accept SMTP on this local TCP port
                                  # (default is undef, i.e. disabled)
# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];

# SMTP SERVER (INPUT) access control
# - do not allow free access to the amavisd SMTP port !!!
#
# when MTA is at the same host, use the following (one or the other or both):
#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
                                  # (default is '127.0.0.1')
@inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP
                                  # (default is qw(127.0.0.1 [::1]) )

# when MTA (one or more) is on a different host, use the following:
#@inet_acl = qw(127.0.0.0/8 [::1] 10.1.0.1 10.1.0.2);  # adjust list as needed
#$inet_socket_bind = undef;       # bind to all IP interfaces if undef

#
# Example1:
# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
# permit only SMTP access from loopback and rfc1918 private address space
#
# Example2:
# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
#		  127.0.0.1 10/8 172.16/12 192.168/16 );
# matches loopback and rfc1918 private address space except host 192.168.1.12
# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
#
# Example3:
# @inet_acl = qw( 127/8
#		  !172.16.3.0   !172.16.3.127 172.16.3.0/25
#		  !172.16.3.128 !172.16.3.255 172.16.3.128/25 );
# matches loopback and both halves of the 172.16.3/24 C-class,
# split into two subnets, except all four broadcast addresses
# for these subnets


# @mynetworks is an IP access list which determines if the original SMTP client
# IP address belongs to our internal networks, i.e. mail is coming from inside.
# It is much like the Postfix parameter 'mynetworks' in semantics and similar
# in syntax, and its value should normally match the Postfix counterpart.
# It only affects the value of a macro %l (=sender-is-local),
# and the loading of policy 'MYNETS' if present (see below).
# Note that '-o smtp_send_xforward_command=yes' (or its lmtp counterpart)
# must be enabled in the Postfix service that feeds amavisd, otherwise
# client IP address is not available to amavisd-new.
#
# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
#                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );  # default
#
# A list of networks can also be read from a file, either as an IP acl in
# CIDR notation, one address per line (comments and empty lines are allowed):
#   @mynetworks_maps = (read_array('/etc/amavisd-mynetworks'), \@mynetworks);
#
# or less flexibly (but provides faster lookups for large lists) by reading
# into a hash lookup table, which only allows for full addresses or classful
# IPv4 subnets with truncated octets, such as 127, 10, 192.168, 10.11.12.13,
# one address per line (comments and empty lines are allowed):
#   @mynetworks_maps = (read_hash('/etc/amavisd-mynetworks'), \@mynetworks);

# See README.lookups for details on specifying access control lists.


#
# Section III - Logging
#

# true (e.g. 1) => syslog;  false (e.g. 0) => logging to file
$DO_SYSLOG = 1;                   # (defaults to 0)
#$SYSLOG_LEVEL = 'user.info';     # (facility.priority, default 'mail.info')

# Log file (if not using syslog)
$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)

#NOTE: levels are not strictly observed and are somewhat arbitrary
# 0: startup/exit/failure messages, viruses detected
# 1: args passed from client, some more interesting messages
# 2: virus scanner output, timing
# 3: server, client
# 4: decompose parts
# 5: more debug details
$log_level = 2;		  # (defaults to 0)

# Customizable template for the most interesting log file entry (e.g. with
# $log_level=0) (take care to properly quote Perl special characters like '\')
# For a list of available macros see README.customize .

# $log_templ = undef;      # undef disables by-message level-0 log entries
$log_recip_templ = undef;  # undef disables by-recipient level-0 log entries


# log both infected and noninfected messages (new default):
# (remove the leading '#' and a space in the following lines to activate)

# $log_templ = '
# [?%#D|#|Passed #
# [? [?%#V|1] |INFECTED (%V)|#
# [? [?%#F|1] |BANNED (%F)|#
# [? [? %2|1] |SPAM|#
# [? [?%#X|1] |BAD-HEADER|CLEAN]]]]#
# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]<%o> -> [%D|,]#
# [? %q ||, quarantine: %q]#
# [? %Q ||, Queue-ID: %Q]#
# [? %m ||, Message-ID: %m]#
# [? %r ||, Resent-Message-ID: %r]#
# , mail_id: %i#
# , Hits: %c#
# #, size: %z#
# #[? %j ||, Subject: "%j"]#
# #[? %#T ||, Tests: \,\]#
# , %y ms#
# ]
# [?%#O|#|Blocked #
# [? [?%#V|1] |INFECTED (%V)|#
# [? [?%#F|1] |BANNED (%F)|#
# [? [? %2|1] |SPAM|#
# [? [?%#X|1] |BAD-HEADER|CLEAN]]]]#
# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]<%o> -> [%O|,]#
# [? %q ||, quarantine: %q]#
# [? %Q ||, Queue-ID: %Q]#
# [? %m ||, Message-ID: %m]#
# [? %r ||, Resent-Message-ID: %r]#
# , mail_id: %i#
# , Hits: %c#
# #, size: %z#
# #[? %j ||, Subject: "%j"]#
# #[? %#T ||, Tests: \,\]#
# , %y ms#
# ]';

# log template compatible with amavisd-new-20030616-p10:
# $log_recip_templ = undef;
# $log_templ = '
# [? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
# <%o> -> [<%R>|,][? %q ||, quarantine %q], Message-ID: %m, Hits: %c';


#
# Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine
#

# Select notifications text encoding when Unicode-aware Perl is converting
# text from internal character representation to external encoding (charset
# in MIME terminology). Used as argument to Perl Encode::encode subroutine.
#
#   to be used in RFC 2047-encoded header field bodies, e.g. in Subject:
#$hdr_encoding = 'iso-8859-1';  # MIME charset (default: 'iso-8859-1')
#$hdr_encoding_qb = 'Q';        # MIME encoding: quoted-printable (default)
#$hdr_encoding_qb = 'B';        # MIME encoding: base64
#
#   to be used in notification body text: its encoding and Content-type.charset
#$bdy_encoding = 'iso-8859-1';  # (default: 'iso-8859-1')

# Default template texts for notifications may be overruled by directly
# assigning new text to template variables, or by reading template text
# from files. A second argument may be specified in a call to read_text(),
# specifying character encoding layer to be used when reading from the
# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.
# Text will be converted to internal character representation by Perl 5.8.0
# or later; second argument is ignored otherwise. See PerlIO::encoding,
# Encode::PerlIO and perluniintro man pages.
#
# $notify_sender_templ      = read_text("$MYHOME/notify_sender.txt");
# $notify_virus_sender_templ= read_text("$MYHOME/notify_virus_sender.txt");
# $notify_virus_admin_templ = read_text("$MYHOME/notify_virus_admin.txt");
# $notify_virus_recips_templ= read_text("$MYHOME/notify_virus_recips.txt");
# $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt");
# $notify_spam_admin_templ  = read_text("$MYHOME/notify_spam_admin.txt");

# If notification template files are collectively available in some directory,
# one may call read_l10n_templates which invokes read_text for each known
# template. This is primarily a Debian-specific feature, but was incorporated
# into base code to facilitate porting.
#
#   read_l10n_templates('/etc/amavis/en_US');
#
# If read_l10n_templates is called, a localization template directory must
# contain the following files:
#   charset                       this file should contain a one-line name
#                                 of the character set used in the template
#                                 files (e.g. utf8, iso-8859-2, ...) and is
#                                 passed as the second argument to read_text;
#   template-dsn.txt              content fills the $notify_sender_templ
#   template-virus-sender.txt     content fills the $notify_virus_sender_templ
#   template-virus-admin.txt      content fills the $notify_virus_admin_templ
#   template-virus-recipient.txt  content fills the $notify_virus_recips_templ
#   template-spam-sender.txt      content fills the $notify_spam_sender_templ
#   template-spam-admin.txt       content fills the $notify_spam_admin_templ

# Here is an overall picture (sequence of events) of how pieces fit together
#
#   bypass_virus_checks set for all recipients? ==> PASS
#   no viruses?   ==> PASS
#   log virus     if $log_templ is nonempty
#   quarantine    if $virus_quarantine_to is nonempty
#   notify admin  if $virus_admin (lookup) nonempty
#   notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
#   add address extensions for local recipients (when enabled)
#   send (non-)delivery notifications
#      to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS))
#   virus_lovers or final_destiny==D_PASS  ==> PASS
#   DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
#
# Equivalent flow diagram applies for spam checks.
# If a virus is detected, spam checking is skipped entirely.

# The following symbolic constants can be used in *_destiny settings:
#
# D_PASS     mail will pass to recipients, regardless of bad contents;
#
# D_DISCARD  mail will not be delivered to its recipients, sender will NOT be
#            notified. Effectively we lose mail (but will be quarantined
#            unless disabled). Losing mail is not decent for a mailer,
#            but might be desired.
#
# D_BOUNCE   mail will not be delivered to its recipients, a non-delivery
#            notification (bounce) will be sent to the sender by amavisd-new;
#            Exception: bounce (DSN) will not be sent if a virus name matches
#            $viruses_that_fake_sender_re, or to messages from mailing lists
#            (Precedence: bulk|list|junk), or for spam level that exceeds
#            the $sa_dsn_cutoff_level.
#
# D_REJECT   mail will not be delivered to its recipients, sender should
#            preferably get a reject, e.g. SMTP permanent reject response
#            (e.g. with milter), or non-delivery notification from MTA
#            (e.g. Postfix). If this is not possible (e.g. different recipients
#            have different tolerances to bad mail contents and not using LMTP)
#            amavisd-new sends a bounce by itself (same as D_BOUNCE).
#            Not to be used with Postfix or dual-MTA setups!
#
# Notes:
#   D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
#            for informing the sender about non-delivery, and how informative
#            the notification can be (amavisd-new knows more than MTA);
#   With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
#            notification, colloquially called 'bounce') - depending on MTA;
#            Best suited for sendmail milter, especially for spam.
#   With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
#            reason for mail non-delivery or even suppress DSN, but unable
#            to reject the original SMTP session). Best suited to reporting
#            viruses, and for Postfix and other dual-MTA setups, which can't
#            reject original client SMTP session, as the mail has already
#            been enqueued. 

$final_virus_destiny      = D_DISCARD;  # (defaults to D_DISCARD)
$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_PASS;  # (defaults to D_BOUNCE)
$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested 

# Alternatives to consider for spam:
# - use D_PASS if clients will do filtering based on inserted
#   mail headers or added address extensions ('plus-addressing');
# - use D_DISCARD, if kill_level is set comfortably high;
#
# D_BOUNCE is preferred for viruses, but consider:
# - use D_PASS (or virus_lovers) to deliver viruses;
# - use D_REJECT instead of D_BOUNCE if using milter and under heavy
#   virus storm;
#
# Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped
# to D_BOUNCE.
#
# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD
# and D_PASS made settings $warnvirussender and $warnspamsender only still
# marginally useful with D_PASS. 

# The following $warn*sender settings are ONLY used when mail is
# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).
# Bounces or rejects produce non-delivery status notification regardless. 

# Notify virus sender?
#$warnvirussender = 1;	# (defaults to false (undef)) 

# Notify spam sender?
#$warnspamsender = 1;	# (defaults to false (undef)) 

# Notify sender of banned files?
$warnbannedsender = 1;	# (defaults to false (undef)) 

# Notify sender of syntactically invalid header containing non-ASCII characters?
#$warnbadhsender = 1;	# (defaults to false (undef)) 

# Notify virus (or banned files or bad headers) RECIPIENT?
#  (not very useful, but some policies demand it)
$warnvirusrecip = 1;	# (defaults to false (undef))
$warnbannedrecip = 1;	# (defaults to false (undef))
#$warnbadhrecip = 1;	# (defaults to false (undef)) 

# Notify also non-local virus/banned recipients if $warn*recip is true?
#  (including those not matching local_domains*)
$warn_offsite = 1;	# (defaults to false (undef), i.e. only notify locals) 
   

@viruses_that_fake_sender_maps = (new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan
  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc
  [qr/^/ => 1],   # true by default  (remove or comment-out if undesired)
)); 


$mailfrom_notify_admin     = "virusalert\@$mydomain";
$mailfrom_notify_recip     = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; 


$mailfrom_to_quarantine = ;   # override sender address with null return path


$QUARANTINEDIR = '/var/amavis';

#$quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine

$virus_quarantine_method          = 'local:virus-%m';     # default
$spam_quarantine_method           = ;   # default
$banned_files_quarantine_method   = 'local:banned-%m';    # default
$bad_header_quarantine_method     = ;      # default

# Separate quarantine subdirectories virus, spam, banned and badh within
# the directory $QUARANTINEDIR may be specified by the following settings
# (the subdirectories need to exist - must be created manually):
$virus_quarantine_method          = 'local:virus/virus-%m';
#$spam_quarantine_method           = 'local:spam/spam-%m.gz';
$banned_files_quarantine_method   = 'local:banned/banned-%m';
#$bad_header_quarantine_method     = 'local:badh/badh-%m';


$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine
#$virus_quarantine_to = 'infected@';           # forward to MTA for delivery
#$virus_quarantine_to = "virus-quarantine\@$mydomain";   # similar
#$virus_quarantine_to = 'virus-quarantine@example.com';  # similar
#$virus_quarantine_to = undef;                 # no quarantine
#
# lookup key is envelope recipient address:
#@virus_quarantine_to_maps = (   # per-recip multiple quarantines
#  new_RE( [qr'^user@example\.com$'i => 'infected@'],
#          [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],
#          [qr'^(.*)(@[^@])?$'i      => 'virus-${1}${2}'] ),
#  $virus_quarantine_to,  # the usual default
#);

# similar for banned names and bad headers and spam (set to undef to disable)
$banned_quarantine_to     = 'banned-quarantine';     # local quarantine
$bad_header_quarantine_to = undef; # local quarantine
$spam_quarantine_to       = undef;       # local quarantine

# or to a mailbox:
#$spam_quarantine_to = "spam-quarantine\@$mydomain";
#
#@spam_quarantine_to_maps = (    # per-recip multiple quarantines
#  new_RE( [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'] ),
#  $spam_quarantine_to,  # the usual default
#);


# In addition to per-recip quarantine, a by-sender lookup is possible.
# It is similar to $spam_quarantine_to, but the lookup key is the
# envelope sender address:
#$spam_quarantine_bysender_to = undef;   # dflt: no by-sender spam quarantine


# Add X-Virus-Scanned header field to mail?
$X_HEADER_TAG = 'X-Virus-Scanned';	# (default: 'X-Virus-Scanned')

# Set to empty to add no header field	# (dflt "$myproduct_name at $mydomain")
# $X_HEADER_LINE = "$myproduct_name at $mydomain";
$X_HEADER_LINE = "by $myproduct_name using ClamAV at $mydomain";
# $X_HEADER_LINE = "$myproduct_name $myversion_id ($myversion_date) at $mydomain";

# a string to prepend to Subject (for local recipients only) if mail could
# not be decoded or checked entirely, e.g. due to password-protected archives
$undecipherable_subject_tag = '*UNCHECKED* ';  # undef disables it

# MIME defanging wraps the entire original mail in a MIME container of type
# 'Content-type: multipart/mixed', where the first part is a text/plain with
# a short explanation, and the second part is a complete original mail,
# enclosed in a 'Content-type: message/rfc822' MIME part.
# Defanging is only done when enabled (selectively by malware type),
# and mail is considered malware (virus/spam/...), and the malware is allowed
# to pass (*_lovers or *_destiny=D_PASS)
#
$defang_virus  = 1;  # default is false: don't modify mail body
$defang_banned = 1;  # default is false: don't modify mail body
# $defang_bad_header     = 1;  # default is false: don't modify mail body
# $defang_undecipherable = 1;  # default is false: don't modify mail body
$defang_spam = 1;  # default is false: don't modify mail body

$remove_existing_x_scanned_headers = 1; # leave existing X-Virus-Scanned alone
#$remove_existing_x_scanned_headers= 1; # remove existing headers
					# (defaults to false)
#$remove_existing_spam_headers = 0;     # leave existing X-Spam* headers alone
$remove_existing_spam_headers  = 1;     # remove existing spam headers if
					# spam scanning is enabled (default)

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

$banned_filename_re = new_RE(

  # block certain double extensions anywhere in the base name
   qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,  

  [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
  [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives  

);




# new-style of banned lookup table
$banned_namepath_re = new_RE( 
# # within traditional Unix compressions allow any name and type
  [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2)     (\t.*)? $'xmi => 0 ],  # allow

  # within traditional Unix archives allow any name and type
  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio|rar|zip) (\t.*)? $'xmi => 0 ],  # allow

  # block certain double extensions in filenames
  qr'(?# BLOCK DOUBLE-EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.
                  (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi, 


);

  $banned_namepath_re = undef;  # to disable new-style


$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting

$localpart_is_case_sensitive = 0;	# (default is false)


@score_sender_maps = ({  # a by-recipient hash lookup table

  # site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost 

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)
     'nobody@cert.org'                        => -3.0,
     'cert-advisory@us-cert.gov'              => -3.0,
     'owner-alert@iss.net'                    => -3.0,
     'slashdot@slashdot.org'                  => -3.0,
     'bugtraq@securityfocus.com'              => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     'security-alerts@linuxsecurity.com'      => -3.0,
     'mailman-announce-admin@python.org'      => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'notification-return@lists.sophos.com'   => -3.0,
     'owner-postfix-users@postfix.org'        => -3.0,
     'owner-postfix-announce@postfix.org'     => -3.0,
     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org'                => -3.0,
     'ca+envelope@sendmail.org'               => -3.0,
     'noreply@freshmeat.net'                  => -3.0,
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

     # soft-blacklisting (positive score)
     'sender@example.net'                     =>  3.0,
     '.example.net'                           =>  1.0, 

   },
  ],  # end of site-wide tables
});

@blacklist_sender_maps = ( new_RE(
    qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
    qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
    qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
    qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
    qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
    qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
)); 


# Maximum recursion level for extraction/decoding (0 or undef disables limit)
$MAXLEVELS = 14;		# (default is undef, no limit)

# Maximum number of extracted files (0 or undef disables the limit)
$MAXFILES = 1500;		# (default is undef, no limit)

#
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$MIN_EXPANSION_FACTOR =   5;  # times original mail size  (default is 5)
$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (default is 500)

# expiration time of cached results: time to live in seconds
#   (how long the result of a virus/spam test remains valid)
$virus_check_negative_ttl=  3*60; # time to remember that mail was not infected
$virus_check_positive_ttl= 30*60; # time to remember that mail was infected
$spam_check_negative_ttl = 30*60; # time to remember that mail was not spam
$spam_check_positive_ttl = 30*60; # time to remember that mail was spam

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

$file   = 'file';   # file(1) utility; use 3.41 or later to avoid vulnerability
$dspam  = 'dspam';

@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_gunzip],
  ['gz',   \&do_uncompress,  'gzip -d'],
  ['bz2',  \&do_uncompress,  'bzip2 -d'],
  ['lzo',  \&do_uncompress,  'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_tar],
  ['deb',  \&do_ar,          'ar'],
# ['a',    \&do_ar,          'ar'],  # unpacking .a seems an overkill
  ['zip',  \&do_unzip],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,         'zoo'],
  ['lha',  \&do_lha,         'lha'],
# ['doc',  \&do_ole,         'ripole'],
  ['cab',  \&do_cabextract,  'cabextract'],
  ['tnef', \&do_tnef_ext,    'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);


# SpamAssassin settings

# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
# of the option local_tests_only. See Mail::SpamAssassin man page.
# If set to 1, no SA tests that require internet access will be performed.
#
$sa_local_tests_only = 0;   # (default: false)
$sa_auto_whitelist = 1;    # turn on AWL in SA 2.63 or older (irrelevant
                            # for SA 3.0, its cf option is use_auto_whitelist)

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
			    # (less than 1% of spam is > 64k)
			    # default: undef, no limitations

# default values, customarily used in the @spam_*_level_maps as the last entry
$sa_tag_level_deflt  = -999.0; # add spam info headers if at, or above that level;
			    # undef is interpreted as lower than any spam level
$sa_tag2_level_deflt = 3.31;# add 'spam detected' headers at that level to
                            # passed mail (e.g. when $final_spam_destiny=D_PASS
                            # or for spam_lovers or when below kill_level)
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
			    # at or above that level: bounce/reject/drop,
			    # quarantine, and adding mail address extension
$sa_dsn_cutoff_level = undef;   # spam level beyond which a DSN is not sent,
                            # effectively turning D_BOUNCE into D_DISCARD;
                            # undef disables this feature and is a default;  
   

# a quick reference:
#   tag_level  controls adding the X-Spam-Status and X-Spam-Level headers,
#   tag2_level controls adding 'X-Spam-Flag: YES', editing (tagging) Subject,
#                       and adding address extensions,
#   kill_level controls 'evasive actions' (reject, quarantine);
# it only makes sense to maintain the relationship:
# tag_level <= tag2_level <= kill_level < dsn_cutoff_level

# string to prepend to Subject header field when message exceeds tag2 level
$sa_spam_subject_tag = '*SPAM* ';	# (defaults to undef, disabled)
			     # (only seen when spam is passed and recipient is
                             # in local_domains*)

$sa_spam_modifies_subj = 1; # in @spam_modifies_subj_maps, default is true

# Example: modify Subject for all local recipients except user@example.com
#@spam_modifies_subj_maps = ( [qw( !user@example.com . )] ); 

#$sa_spam_level_char = '*';  # char for X-Spam-Level bar, defaults to '*';
			     # undef or empty disables inserting X-Spam-Level
$sa_spam_report_header = 1; # insert X-Spam-Report header field? default false 

# stop anti-virus scanning when the first scanner detects a virus?
#$first_infected_stops_scan = 1;  # default is false, all scanners in a section
                                  # are called 
   

@av_scanners = ( 
 

### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: the easiest is to run clamd under the same user as amavisd; match the
# socket name (LocalSocket) in clamav.conf to the socket name in this entry
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

  ### http://www.kaspersky.com/  (in the 'file server version')
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
    qr/(?:INFECTED|SUSPICION) (.+)/,
  ],

  ### http://www.kaspersky.com/
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
    qr/infected: (.+)/,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],

  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
  ### products and replaced by aveserver and aveclient 
  ['KasperskyLab AVPDaemonClient' ,
    [ '/opt/AVP/kavdaemon',      'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],

    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"

  ### http://www.centralcommand.com/
  ['CentralCommand Vexira (new) vascan',
    ['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],
    # Adjust the path of the binary and the virus database as needed.
    # 'vascan' does not allow to have the temp directory to be the same as
    # the quarantine directory, and the quarantine option can not be disabled.
    # If $QUARANTINEDIR is not used, then another directory must be specified
    # to appease 'vascan'. Move status 3 to the second list if password
    # protected files are to be considered infected.

  ### http://www.hbedv.com/
  ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus',
    ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
    # NOTE: if you only have a demo version, remove -z and add 214, as in:
    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

  ### http://www.commandsoftware.com/
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/ ],

  ### http://www.symantec.com/
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/, qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],

  ### http://www.symantec.com/
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
    # NOTE: check options and patterns to see which entry better applies

  ### http://www.f-secure.com/products/anti-virus/
  ['F-Secure Antivirus', 'fsav',
    '--dumb --mime --archive {}', [0], [3,8],
    qr/(?:infection|Infected|Suspected): (.+)/ ],

  ['CAI InoculateIT', 'inocucmd',  # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/ ],
  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html

  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/ ],
    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783

  ### http://mks.com.pl/english.html
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/ ],

  ### http://mks.com.pl/english.html
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/ ],

  ### http://www.nod32.com/
  ['ESET Software NOD32', 'nod32',
    '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],
  # with old versions use:
  #   '-all -subdir+ {}', [0], [1,2],
  #   qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],

  ### http://www.nod32.com/
  ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
    '-a -r -d recurse --heur standard {}', [0], [10,11],
    qr/^\S+\s+infected:\s+(.+)/ ],


  ### http://www.norman.com/products_nvc.shtml
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/ ],

  ### http://www.pandasoftware.com/
  ['Panda Antivirus for Linux', ['pavcl'],
    '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/,
    qr/Number of files infected[ .]*: 0*[1-9]/,
    qr/Found virus :\s*(\S+)/ ],

  ### http://www.nai.com/
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan)  |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
        :\ (.+)\ NOT\ a\ virus)/,
  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
  # sub {delete $ENV{LD_PRELOAD}},
  ],

  ### http://www.virusbuster.hu/en/
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/ ],


  ### http://www.cyber.com/
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
  ],

  ### http://www.ikarus-software.com/
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/ ],

  ### http://www.bitdefender.com/
  ['BitDefender', 'bdc',
    '--all --arc --mail {}', qr/^Infected files *:0+(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],


);




@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

  ### http://www.f-prot.com/   - backs up F-Prot Daemon
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],
    qr/Infection: (.+)|\s+contains\s+(.+)$/ ],

  ### http://www.trendmicro.com/   - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
  ['drweb - DrWeb Antivirus',
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],

  ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
    '-i1 -xp {}', [0,10,15], [5,20,21,25],
    qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],



);

1;  # insure a defined return