Subject: problem interfacing clamav and postfix...

thierry_b:

Hello,

I use a postfix, courier-imap, maildrop, mysql setup that works well. I wanted to add clamav, and now everything that gets sent is refused :-( I receive this:

Reporting-MTA: dns; linux.bouhnik.eu.org
X-Postfix-Queue-ID: 94A9C521F8
X-Postfix-Sender: rfc822; thierry@bouhnik.biz
Arrival-Date: Sun, 29 Aug 2004 11:22:29 +0200 (CEST)

Final-Recipient: rfc822; thierry@linux.bouhnik.eu.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "thierry"

Here is my config:

PS: I should point out that this must be coming from amavis & clamav, because everything was working fine before lol

Thanks a lot.

See you.

Log of postfix & courier-imap

/var/log/mail.log
---------------------------------------------------------------------------------------
Aug 29 11:19:55 papa amavis[344]: starting. amavisd-new at papa amavisd-new-20030616-p10, Unicode aware
Aug 29 11:19:55 papa amavis[344]: Perl version 5.008004
Aug 29 11:19:55 papa amavis[344]: Module Amavis::Conf 1.15
Aug 29 11:19:55 papa amavis[344]: Module Archive::Tar 1.08
Aug 29 11:19:55 papa amavis[344]: Module Archive::Zip 1.12
Aug 29 11:19:55 papa amavis[344]: Module Compress::Zlib 1.33
Aug 29 11:19:55 papa amavis[344]: Module Convert::TNEF 0.17
Aug 29 11:19:55 papa amavis[344]: Module Convert::UUlib 1.01
Aug 29 11:19:55 papa amavis[344]: Module MIME::Entity 5.404
Aug 29 11:19:55 papa amavis[344]: Module MIME::Parser 5.406
Aug 29 11:19:55 papa amavis[344]: Module MIME::Tools 5.411
Aug 29 11:19:55 papa amavis[344]: Module Mail::Header 1.62
Aug 29 11:19:55 papa amavis[344]: Module Mail::Internet 1.62
Aug 29 11:19:55 papa amavis[344]: Module Net::Cmd 2.26
Aug 29 11:19:55 papa amavis[344]: Module Net::SMTP 2.29
Aug 29 11:19:55 papa amavis[344]: Module Net::Server 0.85
Aug 29 11:19:55 papa amavis[344]: Module Time::HiRes 1.59
Aug 29 11:19:55 papa amavis[344]: Module Unix::Syslog 0.100
Aug 29 11:19:55 papa amavis[345]: Found $file at /usr/bin/file
Aug 29 11:19:55 papa amavis[345]: No $arc, not using it
Aug 29 11:19:55 papa amavis[345]: Found $gzip at /bin/gzip
Aug 29 11:19:55 papa amavis[345]: Found $bzip2 at /usr/bin/bzip2
Aug 29 11:19:55 papa amavis[345]: No $lzop, not using it
Aug 29 11:19:55 papa amavis[345]: No $lha, not using it
Aug 29 11:19:55 papa amavis[345]: No $unarj, not using it
Aug 29 11:19:55 papa amavis[345]: Found $uncompress at /bin/uncompress
Aug 29 11:19:55 papa amavis[345]: No $unfreeze, not using it
Aug 29 11:19:55 papa amavis[345]: No $unrar, not using it
Aug 29 11:19:55 papa amavis[345]: No $zoo, not using it
Aug 29 11:19:55 papa amavis[345]: Found $cpio at /bin/cpio
Aug 29 11:19:55 papa amavis[345]: Using internal av scanner code for (primary) Clam Antivirus-clamd
Aug 29 11:19:55 papa amavis[345]: Found secondary av scanner Clam Antivirus - clamscan at /usr/bin/clamscan
Aug 29 11:19:55 papa authdaemond.mysql: modules="authmysql authpam", daemons=5
Aug 29 11:19:58 papa postfix/postfix-script: starting the Postfix mail system
Aug 29 11:19:58 papa postfix/master[543]: daemon started -- version 2.1.3
Aug 29 11:22:21 papa postfix/smtpd[644]: connect from bouhnik.biz[192.168.0.3]
Aug 29 11:22:21 papa postfix/trivial-rewrite[645]: warning: do not list domain linux.bouhnik.eu.org in BOTH mydestination and virtual_mailbox_domains
Aug 29 11:22:21 papa postfix/smtpd[644]: 9C619521F4: client=bouhnik.biz[192.168.0.3]
Aug 29 11:22:21 papa postfix/cleanup[654]: 9C619521F4: message-id=<4131A01F.7070809@bouhnik.biz>
Aug 29 11:22:21 papa postfix/smtpd[644]: disconnect from bouhnik.biz[192.168.0.3]
Aug 29 11:22:21 papa postfix/qmgr[549]: 9C619521F4: from=<thierry@bouhnik.biz>, size=1201, nrcpt=1 (queue active)
Aug 29 11:22:22 papa amavis[350]: (00350-01) Clam Antivirus-clamd: Can't connect to UNIX socket /tmp/clamd.sock: No such file or directory, retrying (2)
Aug 29 11:22:28 papa amavis[350]: (00350-01) Clam Antivirus-clamd av-scanner FAILED: Too many retries to talk to /tmp/clamd.sock (Can't connect to UNIX socket /tmp/clamd.sock: No such file or directory) at (eval 38) line 180.
Aug 29 11:22:28 papa amavis[350]: (00350-01) WARN: all primary virus scanners failed, considering backups
Aug 29 11:22:29 papa postfix/smtpd[659]: connect from localhost[127.0.0.1]
Aug 29 11:22:29 papa postfix/trivial-rewrite[645]: warning: do not list domain linux.bouhnik.eu.org in BOTH mydestination and virtual_mailbox_domains
Aug 29 11:22:29 papa postfix/smtpd[659]: 94A9C521F8: client=localhost[127.0.0.1]
Aug 29 11:22:29 papa postfix/cleanup[654]: 94A9C521F8: message-id=<4131A01F.7070809@bouhnik.biz>
Aug 29 11:22:29 papa postfix/qmgr[549]: 94A9C521F8: from=<thierry@bouhnik.biz>, size=1680, nrcpt=1 (queue active)
Aug 29 11:22:29 papa postfix/trivial-rewrite[645]: warning: do not list domain linux.bouhnik.eu.org in BOTH mydestination and virtual_mailbox_domains
Aug 29 11:22:29 papa amavis[350]: (00350-01) Passed, <thierry@bouhnik.biz> -> <thierry@linux.bouhnik.eu.org>, Message-ID: <4131A01F.7070809@bouhnik.biz>, Hits: -
Aug 29 11:22:29 papa postfix/lmtp[656]: 9C619521F4: to=<thierry@linux.bouhnik.eu.org>, relay=127.0.0.1[127.0.0.1], delay=8, status=sent (250 2.6.0 Ok, id=00350-01, from MTA: 250 Ok: queued as 94A9C521F8)
Aug 29 11:22:29 papa postfix/qmgr[549]: 9C619521F4: removed
Aug 29 11:22:29 papa postfix/smtpd[659]: disconnect from localhost[127.0.0.1]
Aug 29 11:22:29 papa postfix/local[661]: 94A9C521F8: to=<thierry@linux.bouhnik.eu.org>, relay=local, delay=0, status=bounced (unknown user: "thierry" )
Aug 29 11:22:29 papa postfix/cleanup[654]: AC505521F4: message-id=<20040829092229.AC505521F4@linux.bouhnik.eu.org>
Aug 29 11:22:29 papa postfix/qmgr[549]: AC505521F4: from=<>, size=3379, nrcpt=1 (queue active)
Aug 29 11:22:29 papa postfix/qmgr[549]: 94A9C521F8: removed
Aug 29 11:22:30 papa postfix/smtp[665]: AC505521F4: to=<thierry@bouhnik.biz>, relay=mail.bouhnik.biz[82.224.47.63], delay=1, status=sent (250 Ok, message enregistr? <Message-ID: <20040829092229.AC505521F4@linux.bouhnik.eu.org>> )
Aug 29 11:22:30 papa postfix/qmgr[549]: AC505521F4: removed
----------------------------------------------------------------------------------------

master.cf
-------------------------------------------------------------------------
#
# Postfix master process configuration file. Each logical line
# describes how a Postfix daemon program should be run.
#
# A logical line starts with non-whitespace, non-comment text.
# Empty lines and whitespace-only lines are ignored, as are comment
# lines whose first non-whitespace character is a `#'.
# A line that starts with whitespace continues a logical line.
#
# The fields that make up each line are described below. A "-" field
# value requests that a default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next field). With INET transports, a service is specified as
# host:port. The host part (and colon) may be omitted. Either host
# or port may be given in symbolic form or in numeric form. Examples
# for the SMTP server: localhost:smtp receives mail via the loopback
# interface only; 10025 receives mail on port 10025.
#
# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
# sockets, "fifo" for named pipes.
#
# Private: whether or not access is restricted to the mail system.
# Default is private service. Internet (inet) sockets can't be private.
#
# Unprivileged: whether the service runs with root privileges or as
# the owner of the Postfix system (the owner name is controlled by the
# mail_owner configuration variable in the main.cf file). Only the
# pipe, virtual and local delivery daemons require privileges.
#
# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The proxymap server can run chrooted, but doing so defeats most of
# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
# Wakeup time: automatically wake up the named service after the
# specified number of seconds. A ? at the end of the wakeup time
# field requests that wake up events be sent only to services that
# are actually being used. Specify 0 for no wakeup. Presently, only
# the pickup, queue manager and flush daemons need a wakeup timer.
#
# Max procs: the maximum number of processes that may execute this
# service simultaneously. Default is to use a globally configurable
# limit (the default_process_limit configuration parameter in main.cf).
# Specify 0 for no process count limit.
#
# Command + args: the command to be executed. The command name is
# relative to the Postfix program directory (pathname is controlled by
# the daemon_directory configuration variable). Adding one or more
# -v options turns on verbose logging for that service; adding a -D
# option enables symbolic debugging (see the debugger_command variable
# in the main.cf configuration file). See individual command man pages
# for specific command-line options, if any.
#
# General main.cf options can be overridden for specific services.
# To override one or more main.cf options, specify them as arguments
# below, preceding each option by "-o". There must be no whitespace
# in the option itself (separate multiple values for an option by
# commas).
#
# In order to use the "uucp" message tranport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
smtp-amavis unix -      -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
#submission inet n      -       -       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=R user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
# only used by postfix-tls
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
#smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#587      inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
--------------------------------------------------------------------------------------------

main.cf
--------------------------------------------------------------------------------------------
myhostname = linux.bouhnik.eu.org
mydomain = linux.bouhnik.eu.org
mydestination = $myhostname
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-recipient.cf,reject_unauth_destination,permit
#smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-client.cf
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
transport_maps = mysql:/etc/postfix/mysql-transport.cf
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual-uid.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual-gid.cf
#OPTIONAL PART
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_etrn_restrictions = reject
content_filter=smtp-amavis:[127.0.0.1]:10024
----------------------------------------------------------------------------------------------

amavisd.conf
----------------------------------------------------------------------------------------------------
use strict;

# Configuration file for amavisd-new
# Defaults modified for the Debian amavisd-new package
# $Id: amavisd.conf,v 1.26 2004/07/05 15:15:02 hmh Exp $
#
# This software is licensed under the GNU General Public License (GPL).
# See comments at the start of amavisd-new for the whole license text.

#Sections:
# Section I - Essential daemon and MTA settings
# Section II - MTA specific
# Section III - Logging
# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
# Section V - Per-recipient and per-sender handling, whitelisting, etc.
# Section VI - Resource limits
# Section VII - External programs, virus scanners, SpamAssassin
# Section VIII - Debugging

#GENERAL NOTES:
# This file is a normal Perl code, interpreted by Perl itself.
# - make sure this file (or directory where it resides) is NOT WRITABLE
# by mere mortals (not even vscan/amavis; best to make it owned by root),
# otherwise it represents a severe security risk!
# - for values which are interpreted as booleans, it is recommended
# to use 1 for true, and 0 or undef or '' for false.
# THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "no" also meant false,
# now it means true, like any nonempty string does!
# - Perl syntax applies. Most notably: strings in "" may include variables
# (which start with $ or @); to include characters @ and $ in double
# quoted strings, precede them by a backslash; in single-quoted strings
# the $ and @ lose their special meaning, so it is usually easier to use
# single quoted strings (or qw operator) for e-mail addresses.
# Still, in both cases a backslash needs to be doubled.
# - variables with names starting with a '@' are lists, the values assigned
# to them should be lists as well, e.g. ('one@foo', $mydomain, "three" );
# note the comma-separation and parenthesis. If strings in the list
# do not contain spaces nor variables, a Perl operator qw() may be used
# as a shorthand to split its argument on whitespace and produce a list
# of strings, e.g. qw( one@foo example.com three ); Note that the argument
# to qw is quoted implicitly and no variable interpretation is done within
# (no '$' variable evaluations). The #-initiated comments can NOT be used
# within a string. In other words, $ and # lose their special meaning
# within a qw argument, just like within '...' strings.
# - all e-mail addresses in this file and as used internally by the daemon
# are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.
# Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com
# and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'.
# - the term 'default value' in examples below refers to the value of a
# variable pre-assigned to it by the program; any explicit assignment
# to a variable in this configuration file overrides the default value;

#
# Section I - Essential daemon and MTA settings
#

# $MYHOME serves as a quick default for some other configuration settings.
# More refined control is available with each individual setting further down.
# $MYHOME is not used directly by the program. No trailing slash!
$MYHOME = '/var/lib/amavis'; # (default is '/var/amavis')

# $mydomain serves as a quick default for some other configuration settings.
# More refined control is available with each individual setting further down.
# $mydomain is never used directly by the program.
$mydomain = 'linux.bouhnik.eu.org'; # (no useful default)

# $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3)

# Set the user and group to which the daemon will change if started as root
# (otherwise just keeps the UID unchanged, and these settings have no effect):
$daemon_user = 'amavis'; # (no default (undef))
$daemon_group = 'amavis'; # (no default (undef))

# Runtime working directory (cwd), and a place where
# temporary directories for unpacking mail are created.
# if you change this, you might want to modify the cleanup()
# function in /etc/init.d/amavisd-new
# (no trailing slash, may be a scratch file system)
$TEMPBASE = $MYHOME; # (must be set if other config vars use is)
#$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?

# $helpers_home sets environment variable HOME, and is passed as option
# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory
# on a normal persistent file system, not a scratch or temporary file system
#$helpers_home = $MYHOME; # (defaults to $MYHOME)

# Run the daemon in the specified chroot jail if nonempty:
#$daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot)

$pid_file = "/var/run/amavis/amavisd.pid"; # (default: "$MYHOME/amavisd.pid" )
$lock_file = "/var/run/amavis/amavisd.lock"; # (default: "$MYHOME/amavisd.lock" )

# set environment variables if you want (no defaults):
$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory
#...

# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,
# both $forward_method and $notify_method default to 'smtp:127.0.0.1:10025'

# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
# (set host and port number as required; host can be specified
# as IP address or DNS name (A or CNAME, but MX is ignored)
#$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
#$notify_method = $forward_method; # where to submit notifications

# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
# uncomment the appropriate settings below if using other setups!

# SENDMAIL MILTER, using amavis-milter.c helper program:
# SEE amavisd-new-milter package docs FOR DEBIAN INSTRUCTIONS
#$forward_method = undef; # no explicit forwarding, sendmail does it by itself
# milter; option -odd is needed to avoid deadlocks
#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
# just a thought: can we use use -Am instead of -odd ?

# SENDMAIL (old non-milter setup, as relay):
#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';
#$notify_method = $forward_method;

# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent):
#$forward_method = undef; # no explicit forwarding, amavis.c will call LDA
#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';

# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';
#$notify_method = $forward_method;

# prefer to collect mail for forwarding as BSMTP files?
#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";
#$notify_method = $forward_method;

# Net::Server pre-forking settings
# You may want $max_servers to match the width of your MTA pipe
# feeding amavisd, e.g. with Postfix the 'Max procs' field in the
# master.cf file, like the '2' in the: smtp-amavis unix - - n - 2 smtp
#
$max_servers = 2; # number of pre-forked children (default 2)
$max_requests = 10; # retire a child after that many accepts (default 10)

$child_timeout=5*60; # abort child if it does not complete each task in n sec
# (default: 8*60 seconds)

# Check also the settings of @av_scanners at the end if you want to use
# virus scanners. If not, you may want to delete the whole long assignment
# to the variable @av_scanners, which will also remove the virus checking
# code (e.g. if you only want to do spam scanning).

# Here is a QUICK WAY to completely DISABLE some sections of code
# that WE DO NOT WANT (it won't even be compiled-in).
# For more refined controls leave the following two lines commented out,
# and see further down what these two lookup lists really mean.
#
# @bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_acl = qw( . ); # uncomment to DISABLE anti-spam code
#
# Any setting can be changed with a new assignment, so make sure
# you do not unintentionally override these settings further down!
@bypass_spam_checks_acl = qw( . ); # No default dependency on spamassassin

# Lookup list of local domains (see README.lookups for syntax details)
#
# NOTE:
# For backwards compatibility the variable names @local_domains (old) and
# @local_domains_acl (new) are synonyms. For consistency with other lookups
# the name @local_domains_acl is now preferred. It also makes it more
# obviously distinct from the new %local_domains hash lookup table.
#
# local_domains* lookup tables are used in deciding whether a recipient
# is local or not, or in other words, if the message is outgoing or not.
# This affects inserting spam-related headers for local recipients,
# limiting recipient virus notifications (if enabled) to local recipients,
# in deciding if address extension may be appended, and in SQL lookups
# for non-fqdn addresses. Set it up correctly if you need features
# that rely on this setting (or just leave empty otherwise).
#
# With Postfix (2.0) a quick reminder on what local domains normally are:
# a union of domains specified in: $mydestination, $virtual_alias_domains,
# $virtual_mailbox_domains, and $relay_domains.
#
@local_domains_acl = ( ".$mydomain" ); # $mydomain and its subdomains
# @local_domains_acl = ( ".$mydomain", "my.other.domain" );
# @local_domains_acl = qw(); # default is empty, no recipient treated as local
# @local_domains_acl = qw( .example.com );
# @local_domains_acl = qw( .example.com !host.sub.example.net .sub.example.net );

# or alternatively(A), using a Perl hash lookup table, which may be assigned
# directly, or read from a file, one domain per line; comments and empty lines
# are ignored, a dot before a domain name implies its subdomains:
#
#read_hash(\%local_domains, '/etc/amavis/local_domains');

#or alternatively(B), using a list of regular expressions:
# $local_domains_re = new_RE( qr'[@.]example\.com$'i );
#
# see README.lookups for syntax and semantics

#
# Section II - MTA specific (defaults should be ok)
#

# if $relayhost_is_client is true, the IP address in $notify_method and
# $forward_method is dynamically overridden with SMTP client peer address
# (if available), which makes it possible for several hosts to share one
# daemon. The static port number is also overridden, and is dynamically
# calculated as being one above the incoming SMTP/LMTP session port number.
#
# These are logged at level 3, so enable logging until you know you got it
# right.
$relayhost_is_client = 0; # (defaults to false)

$insert_received_line = 1; # behave like MTA: insert 'Received:' header
# (does not apply to sendmail/milter)
# (default is true (1) )

# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)
# (used with amavis helper clients like amavis-milter.c and amavis.c,
# NOT needed for Postfix and Exim or dual-sendmail - keep it undefined.)
#$unix_socketname = "/var/lib/amavis/amavisd.sock"; # amavis helper protocol socket
$unix_socketname = undef; # disable listening on a unix socket
# (default is undef, i.e. disabled)

# Do we receive quoted or raw addresses from the helper program?
# (does not apply to SMTP; defaults to true)
#$gets_addr_in_quoted_form = 1; # "Bob \"Funny\" Dude"@example.com
#$gets_addr_in_quoted_form = 0; # Bob "Funny" Dude@example.com

# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
$inet_socket_port = 10024; # accept SMTP on this local TCP port
# (default is undef, i.e. disabled)
# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];

# SMTP SERVER (INPUT) access control
# - do not allow free access to the amavisd SMTP port !!!
#
# when MTA is at the same host, use the following (one or the other or both):
$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
# (default is '127.0.0.1')
@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
# (default is qw( 127.0.0.1 ) )

# when MTA (one or more) is on a different host, use the following:
# @inet_acl = qw(127/8 10.1.0.1 10.1.0.2); # adjust the list as appropriate
# $inet_socket_bind = undef; # bind to all IP interfaces if undef
#
# Example1:
# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
# permit only SMTP access from loopback and rfc1918 private address space
#
# Example2:
# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
# 127.0.0.1 10/8 172.16/12 192.168/16 );
# matches loopback and rfc1918 private address space except host 192.168.1.12
# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
#
# Example3:
# @inet_acl = qw( 127/8
# !172.16.3.0 !172.16.3.127 172.16.3.0/25
# !172.16.3.128 !172.16.3.255 172.16.3.128/25 );
# matches loopback and both halves of the 172.16.3/24 C-class,
# split into two subnets, except all four broadcast addresses
# for these subnets
#
# See README.lookups for details on specifying access control lists.

#
# Section III - Logging
#

# true (e.g. 1) => syslog; false (e.g. 0) => logging to file
$DO_SYSLOG = 1; # (defaults to false)
#$SYSLOG_LEVEL = 'user.info'; # (facility.priority, default 'mail.info')

# Log file (if not using syslog)
$LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log)

#NOTE: levels are not strictly observed and are somewhat arbitrary
# 0: startup/exit/failure messages, viruses detected
# 1: args passed from client, some more interesting messages
# 2: virus scanner output, timing
# 3: server, client
# 4: decompose parts
# 5: more debug details
#$log_level = 2; # (defaults to 0)

# Customizable template for the most interesting log file entry (e.g. with
# $log_level=0) (take care to properly quote Perl special characters like '\')
# For a list of available macros see README.customize .

# only log infected messages (useful with log level 0):
# $log_templ = '[? %#V |[? %#F ||banned filename ([%F|,])]|infected ([%V|,])]#
# [? %#V |[? %#F ||, from=[?%o|(?)|<%o>], to=[<%R>|,][? %i ||, quarantine %i]]#
# |, from=[?%o|(?)|<%o>], to=[<%R>|,][? %i ||, quarantine %i]]';

# log both infected and noninfected messages (default):
$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
[?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';

#
# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
#

# Select notifications text encoding when Unicode-aware Perl is converting
# text from internal character representation to external encoding (charset
# in MIME terminology). Used as argument to Perl Encode::encode subroutine.
#
# to be used in RFC 2047-encoded header field bodies, e.g. in Subject:
#$hdr_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
#
# to be used in notification body text: its encoding and Content-type.charset
#$bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')

# Default template texts for notifications may be overruled by directly
# assigning new text to template variables, or by reading template text
# from files. A second argument may be specified in a call to read_text(),
# specifying character encoding layer to be used when reading from the
# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.
# Text will be converted to internal character representation by Perl 5.8.0
# or later; second argument is ignored otherwise. See PerlIO::encoding,
# Encode::PerlIO and perluniintro man pages.
#
# $notify_sender_templ = read_text('/var/amavis/notify_sender.txt');
# $notify_virus_sender_templ= read_text('/var/amavis/notify_virus_sender.txt');
# $notify_virus_admin_templ = read_text('/var/amavis/notify_virus_admin.txt');
# $notify_virus_recips_templ= read_text('/var/amavis/notify_virus_recips.txt');
# $notify_spam_sender_templ = read_text('/var/amavis/notify_spam_sender.txt');
# $notify_spam_admin_templ = read_text('/var/amavis/notify_spam_admin.txt');

# If notification template files are collectively available in some directory,
# use read_l10n_templates which calls read_text for each known template.
#
# read_l10n_templates('/etc/amavis/en_US');
#
# Debian available locales: en_US, pt_BR
read_l10n_templates('en_US', '/etc/amavis');

# Here is an overall picture (sequence of events) of how pieces fit together
# (only virus controls are shown, spam controls work the same way):
#
#   bypass_virus_checks? ==> PASS
#   no viruses? ==> PASS
#   log virus if $log_templ is nonempty
#   quarantine if $virus_quarantine_to is nonempty
#   notify admin if $virus_admin (lookup) nonempty
#   notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
#   add address extensions if adding extensions is enabled and virus will pass
#   send (non-)delivery notifications
#     to sender if DSN needed (BOUNCE or ($warn_virus_sender and D_PASS))
#   virus_lovers or final_destiny==D_PASS ==> PASS
#   DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
#
# Equivalent flow diagram applies for spam checks.
# If a virus is detected, spam checking is skipped entirely.

# The following symbolic constants can be used in *destiny settings:
#
# D_PASS mail will pass to recipients, regardless of bad contents;
#
# D_DISCARD mail will not be delivered to its recipients, sender will NOT be
# notified. Effectively we lose mail (but will be quarantined
# unless disabled). Losing mail is not decent for a mailer,
# but might be desired.
#
# D_BOUNCE mail will not be delivered to its recipients, a non-delivery
# notification (bounce) will be sent to the sender by amavisd-new;
# Exception: bounce (DSN) will not be sent if a virus name matches
# $viruses_that_fake_sender_re, or to messages from mailing lists
# (Precedence: bulk|list|junk);
#
# D_REJECT mail will not be delivered to its recipients, sender should
# preferably get a reject, e.g. SMTP permanent reject response
# (e.g. with milter), or non-delivery notification from MTA
# (e.g. Postfix). If this is not possible (e.g. different recipients
# have different tolerances to bad mail contents and not using LMTP)
# amavisd-new sends a bounce by itself (same as D_BOUNCE).
#
# Notes:
# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
# for informing the sender about non-delivery, and how informative
# the notification can be (amavisd-new knows more than MTA);
# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
# notification, colloquially called 'bounce') - depending on MTA;
# Best suited for sendmail milter, especially for spam.
# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
# reason for mail non-delivery, but unable to reject the original
# SMTP session). Best suited to reporting viruses, and for Postfix
# and other dual-MTA setups, which can't reject original client SMTP
# session, as the mail has already been enqueued.
$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_REJECT; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested

# Alternatives to consider for spam:
# - use D_PASS if clients will do filtering based on inserted mail headers;
# - use D_DISCARD, if kill_level is set safely high;
# - use D_BOUNCE instead of D_REJECT if not using milter;
#
# D_BOUNCE is preferred for viruses, but consider:
# - use D_DISCARD to avoid bothering the rest of the network, it is hopeless
#   to try to keep up with the viruses that fake the envelope sender anyway,
#   and bouncing only increases the network cost of viruses for everyone
# - use D_PASS (or virus_lovers) and $warnvirussender=1 to deliver viruses;
# - use D_REJECT instead of D_BOUNCE if using milter and under heavy
#   virus storm;
#
# Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped
# to D_BOUNCE.
#
# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD
# and D_PASS made settings $warnvirussender and $warnspamsender only still
# useful with D_PASS.

# The following $warn*sender settings are ONLY used when mail is
# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).
# Bounces or rejects produce non-delivery status notification anyway.

# Notify virus sender?
#$warnvirussender = 1; # (defaults to false (undef))

# Notify spam sender?
#$warnspamsender = 1; # (defaults to false (undef))

# Notify sender of banned files?
#$warnbannedsender = 1; # (defaults to false (undef))

# Notify sender of syntactically invalid header containing non-ASCII characters?
#$warnbadhsender = 1; # (defaults to false (undef))

# Notify virus (or banned files) RECIPIENT?
# (not very useful, but some policies demand it)
#$warnvirusrecip = 1; # (defaults to false (undef))
#$warnbannedrecip = 1; # (defaults to false (undef))

# Notify also non-local virus/banned recipients if $warn*recip is true?
# (including those not matching local_domains*)
#$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals)

# Treat envelope sender address as unreliable and don't send sender
# notification / bounces if name(s) of detected virus(es) match the list.
# Note that virus names are supplied by external virus scanner(s) and are
# not standardized, so virus names may need to be adjusted.
# See README.lookups for syntax, check also README.policy-on-notifications
#
$viruses_that_fake_sender_re = new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
  qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
  [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
  [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
  [qr/.*/ => 1], # true by default (remove or comment-out if undesired)
);

# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)
# - the administrator address may be a simple fixed e-mail address (a scalar),
#   or may depend on the SENDER address (e.g. its domain), in which case
#   a ref to a hash table can be specified (specify lower-cased keys,
#   dot is a catchall, see README.lookups).
#
# Empty or undef lookup disables virus admin notifications.

# $virus_admin = undef; # do not send virus admin notifications (default)
# $virus_admin = {'not.example.com' => '', '.' => 'virusalert@example.com'};
# $virus_admin = 'virus-admin@example.com';
$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default

# equivalent to $virus_admin, but for spam admin notifications:
# $spam_admin = "spamalert\@$mydomain";
# $spam_admin = undef; # do not send spam admin notifications (default)
# $spam_admin = {'not.example.com' => '', '.' => 'spamalert@example.com'};

#advanced example, using a hash lookup table:
#$virus_admin = {
# 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com',
# '.sub1.example.com' => 'virusalert@sub1.example.com',
# '.sub2.example.com' => '', # don't send admin notifications
# 'a.sub3.example.com' => 'abuse@sub3.example.com',
# '.sub3.example.com' => 'virusalert@sub3.example.com',
# '.example.com' => 'noc@example.com', # catchall for our virus senders
# '.' => 'virusalert@hq.example.com', # catchall for the rest
#};

# whom notification reports are sent from (ENVELOPE SENDER);
# may be a null reverse path, or a fully qualified address:
# (admin and recip sender addresses default to $mailfrom
# for compatibility, which in turn defaults to undef (empty) )
# If using strings in double quotes, don't forget to quote @, i.e. \@
#
#$mailfrom_notify_admin = "postmaster\@$mydomain";
#$mailfrom_notify_recip = "postmaster\@$mydomain";
#$mailfrom_notify_spamadmin = "postmaster\@$mydomain";

# 'From' HEADER FIELD for sender and admin notifications.
# This should be a replyable address, see rfc1894. Not to be confused
# with $mailfrom_notify_sender, which is the envelope return address
# and should be empty (null reverse path) according to rfc2821.
#
# The syntax of the 'From' header field is specified in rfc2822, section
# '3.4. Address Specification'. Note in particular that display-name must be
# a quoted-string if it contains any special characters like spaces and dots.
#
# $hdrfrom_notify_sender = "amavisd-new <postmaster\@$mydomain>";
# $hdrfrom_notify_sender = 'amavisd-new <postmaster@example.com>';
# $hdrfrom_notify_sender = '"Content-Filter Master" <postmaster@example.com>';
# (defaults to: "amavisd-new <postmaster\@$myhostname>" )
# $hdrfrom_notify_admin = $mailfrom_notify_admin;
# (defaults to: $mailfrom_notify_admin)
# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;
# (defaults to: $mailfrom_notify_spamadmin)

# whom quarantined messages appear to be sent from (envelope sender);
# keeps original sender if undef, or set it explicitly, default is undef
$mailfrom_to_quarantine = ''; # override sender address with null return path

# Location to put infected mail into: (applies to 'local:' quarantine method)
# empty for not quarantining, may be a file (mailbox),
# or a directory (no trailing slash)
# (the default value is undef, meaning no quarantine)
#
$QUARANTINEDIR = '/var/lib/amavis/virusmails';

#$virus_quarantine_method = "local:virus-%i-%n"; # default
#$spam_quarantine_method = "local:spam-%b-%i-%n"; # default
#
#use the new 'bsmtp:' method as an alternative to the default 'local:'
#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%i-%n.bsmtp";
#$spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%b-%i-%n.bsmtp";

# When using the 'local:' quarantine method (default), the following applies:
#
# A finer control of quarantining is available through variable
# $virus_quarantine_to/$spam_quarantine_to. It may be a simple scalar string,
# or a ref to a hash lookup table, or a regexp lookup table object,
# which makes possible to set up per-recipient quarantine addresses.
#
# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a
# per-recipient lookup result from the hash table %$virus_quarantine_to)
# is/are interpreted as follows:
#
# VARIANT 1:
#   empty or undef disables quarantine;
#
# VARIANT 2:
#   a string NOT containing an '@';
#   amavisd will behave as a local delivery agent (LDA) and will quarantine
#   viruses to local files according to hash %local_delivery_aliases (pseudo
#   aliases map) - see subroutine mail_to_local_mailbox() for details.
#   Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'.
#   Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:
#
#   * if $QUARANTINEDIR is a directory, each quarantined virus will go
#     to a separate file in the $QUARANTINEDIR directory (traditional
#     amavis style, similar to maildir mailbox format);
#
#   * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style
#     mailbox. All quarantined messages will be appended to this file.
#     Amavisd child process must obtain an exclusive lock on the file during
#     delivery, so this may be less efficient than using individual files
#     or forwarding to MTA, and it may not work across NFS or other non-local
#     file systems (but may be handy for pickup of quarantined files via IMAP
#     for example);
#
# VARIANT 3:
#   any email address (must contain '@').
#   The e-mail messages to be quarantined will be handed to MTA
#   for delivery to the specified address. If a recipient address local to MTA
#   is desired, you may leave the domain part empty, e.g. 'infected@', but the
#   '@' character must nevertheless be included to distinguish it from variant 2.
#
#   This method enables more refined delivery control made available by MTA
#   (e.g. its aliases file, other local delivery agents, dealing with
#   privileges and file locking when delivering to user's mailbox, nonlocal
#   delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined
#   will not be handed back to amavisd for checking, as this will cause a loop
#   (hopefully broken at some stage)! If this can be assured, notifications
#   will benefit too from not being unnecessarily virus-scanned.
#
#   By default this is safe to do with Postfix and Exim v4 and dual-sendmail
#   setup, but probably not safe with sendmail milter interface without
#   precaution.

# (the default value is undef, meaning no quarantine)
$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
#$virus_quarantine_to = 'infected@'; # forward to MTA for delivery
#$virus_quarantine_to = "virus-quarantine\@$mydomain"; # similar
#$virus_quarantine_to = 'virus-quarantine@example.com'; # similar
#$virus_quarantine_to = undef; # no quarantine
#
#$virus_quarantine_to = new_RE( # per-recip multiple quarantines
# [qr'^user@example\.com$'i => 'infected@'],
# [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],
# [qr'^(.*)(@[^@])?$'i => 'virus-${1}${2}'],
# [qr/.*/ => 'virus-quarantine'] );

# similar for spam
# (the default value is undef, meaning no quarantine)
#
$spam_quarantine_to = 'spam-quarantine';
#$spam_quarantine_to = "spam-quarantine\@$mydomain";
#$spam_quarantine_to = new_RE( # per-recip multiple quarantines
# [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'],
# [qr/.*/ => 'spam-quarantine'] );

# In addition to per-recip quarantine, a by-sender lookup is possible. It is
# similar to $spam_quarantine_to, but the lookup key is the sender address:
#$spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine

# Add X-Virus-Scanned header field to mail?
$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)
# Leave empty to add no header # (default: undef)
$X_HEADER_LINE = "by $myversion (Debian) at $mydomain";

# a string to prepend to Subject (for local recipients only) if mail could
# not be decoded or checked entirely, e.g. due to password-protected archives
$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it

$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
#$remove_existing_x_scanned_headers= 1; # remove existing headers
# (defaults to false)
#$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
$remove_existing_spam_headers = 1; # remove existing spam headers if
# spam scanning is enabled (default)

# set $bypass_decode_parts to true if you only do spam scanning, or if you
# have a good virus scanner that can deal with compression and recursively
# unpacking archives by itself, and save amavisd the trouble.
# Disabling decoding also causes banned_files checking to only see
# MIME names and MIME content types, not the content classification types
# as provided by the file(1) utility.
# It is a double-edged sword, make sure you know what you are doing!
#
#$bypass_decode_parts = 1; # (defaults to false)

# don't trust this file type or corresponding unpacker for this file type,
# keep both the original and the unpacked file for a virus checker to see
# (lookup key is what file(1) utility returned):
#
$keep_decoded_original_re = new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',
);

# Checking for banned MIME types and names. If any mail part matches,
# the whole mail is rejected, much like the way viruses are handled.
# A list in object $banned_filename_re can be defined to provide a list
# of Perl regular expressions to be matched against each part's:
#
# * Content-Type value (both declared and effective mime-type),
#   including the possible security risk content types
#   message/partial and message/external-body, as specified by rfc2046;
#
# * declared (i.e. recommended) file names as specified by MIME subfields
#   Content-Disposition.filename and Content-Type.name, both in their
#   raw (encoded) form and in rfc2047-decoded form if applicable;
#
# * file content type as guessed by 'file' utility, both the raw
#   result from 'file', as well as short type name, classified
#   into names such as .asc, .txt, .html, .doc, .jpg, .pdf,
#   .zip, .exe, ... - see subroutine determine_file_types().
#   This step is done only if $bypass_decode_parts is not true.
#
# * leave $banned_filename_re undefined to disable these checks
#   (giving an empty list to new_RE() will also always return false)

$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
  qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # some double extensions
  qr'[{}]', # curly braces in names (serve as Class ID extensions - CLSID)
# qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
#        jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
#        vbe|vbs|wsc|wsf|wsh)$'ix, # banned extension - long
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
# qr'^\.(zip|lha|tnef|cab)$'i, # banned file(1) types
# qr'^\.exe$'i, # banned file(1) types
# qr'^application/x-msdownload$'i, # banned MIME types
# qr'^application/x-msdos-program$'i,
  qr'^message/partial$'i, qr'^message/external-body$'i, # block rfc2046
);
# See http://support.microsoft.com/defau [...] US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm

# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe',
# as well as any file name which happens to end with .exe. If only matching
# a file name is desired, but not the short name, a pattern qr'.\.exe$'i
# or similar may be used, which requires that at least one character precedes
# the '.exe', and so it will never match short file types, which always start
# with a dot.
#
# Section V - Per-recipient and per-sender handling, whitelisting, etc.
#

# %virus_lovers, @virus_lovers_acl and $virus_lovers_re lookup tables:
# (these should be considered policy options, they do not disable checks,
# see bypass*checks for that!)
#
# Exclude certain RECIPIENTS from virus filtering by adding their lower-cased
# envelope e-mail address (or domain only) to the hash %virus_lovers, or to
# the access list @virus_lovers_acl - see README.lookups and examples.
# Make sure the appropriate form (e.g. external/internal) of address
# is used in case of virtual domains, or when mapping external to internal
# addresses, etc. - this is MTA-specific.
#
# Notifications would still be generated however (see the overall
# picture above), and infected mail (if passed) gets additional header:
#   X-AMaViS-Alert: INFECTED, message contains virus: ...
# (header not inserted with milter interface!)
#
# NOTE (milter interface only): in case of multiple recipients,
# it is only possible to drop or accept the message in its entirety - for all
# recipients. If all of them are virus lovers, we'll accept mail, but if
# at least one recipient is not a virus lover, we'll discard the message.

# %bypass_virus_checks, @bypass_virus_checks_acl and $bypass_virus_checks_re
# lookup tables:
# (this is mainly a time-saving option, unlike virus_lovers* !)
#
# Similar in concept to %virus_lovers, a hash %bypass_virus_checks,
# access list @bypass_virus_checks_acl and regexp list $bypass_virus_checks_re
# are used to skip entirely the decoding, unpacking and virus checking,
# but only if ALL recipients match the lookup.
#
# %bypass_virus_checks/@bypass_virus_checks_acl/$bypass_virus_checks_re
# do NOT GUARANTEE the message will NOT be checked for viruses - this may
# still happen when there is more than one recipient for a message, and
# not all of them match these lookup tables. To guarantee virus delivery,
# a recipient must also match %virus_lovers/@virus_lovers_acl lookups
# (but see milter limitations above),

# NOTE: it would not be clever to base virus checks on SENDER address,
# since there are no guarantees that it is genuine. Many viruses
# and spam messages fake sender address. To achieve selective filtering
# based on the source of the mail (e.g. IP address, MTA port number, ...),
# use mechanisms provided by MTA if available.

# Similar to lookup tables controlling virus checking, there exist
# spam scanning, banned names/types, and headers_checks control counterparts:
#   %spam_lovers, @spam_lovers_acl, $spam_lovers_re
#   %banned_files_lovers, @banned_files_lovers_acl, $banned_files_lovers_re
#   %bad_header_lovers, @bad_header_lovers_acl, $bad_header_lovers_re
# and:
#   %bypass_spam_checks/@bypass_spam_checks_acl/$bypass_spam_checks_re
#   %bypass_banned_checks/@bypass_banned_checks_acl/$bypass_banned_checks_re
#   %bypass_header_checks/@bypass_header_checks_acl/$bypass_header_checks_re
# See README.lookups for details about the syntax.

# The following example disables spam checking altogether,
# since it matches any recipient e-mail address (any address
# is a subdomain of the top-level root DNS domain):
# @bypass_spam_checks_acl = qw( . );

# @bypass_header_checks_acl = qw( user@example.com );
# @bad_header_lovers_acl = qw( user@example.com );

# See README.lookups for further detail, and examples below.
# $virus_lovers{lc("postmaster\@$mydomain" )} = 1;
# $virus_lovers{lc('postmaster@example.com')} = 1;
# $virus_lovers{lc('abuse@example.com')} = 1;
# $virus_lovers{lc('some.user@')} = 1; # this recipient, regardless of domain
# $virus_lovers{lc('boss@example.com')} = 0; # never, even if domain matches
# $virus_lovers{lc('example.com')} = 1; # this domain, but not its subdomains
# $virus_lovers{lc('.example.com')}= 1; # this domain, including its subdomains
#or:
# @virus_lovers_acl = qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org );
#
# $bypass_virus_checks{lc('some.user2@butnot.example.com')} = 1;
# @bypass_virus_checks_acl = qw( some.ddd !butnot.example.com .example.com );

# @virus_lovers_acl = qw( postmaster@example.com );
# $virus_lovers_re = new_RE( qr'^(helpdesk|postmaster)@example\.com$'i );

# $spam_lovers{lc("postmaster\@$mydomain" )} = 1;
# $spam_lovers{lc('postmaster@example.com')} = 1;
# $spam_lovers{lc('abuse@example.com')} = 1;
# @spam_lovers_acl = qw( !.example.com );
# $spam_lovers_re = new_RE( qr'^user@example\.com$'i );

# don't run spam check for these RECIPIENT domains:
# @bypass_spam_checks_acl = qw( d1.com .d2.com a.d3.com );
# or the other way around (bypass check for all BUT these):
# @bypass_spam_checks_acl = qw( !d1.com !.d2.com !a.d3.com . );
# a practical application: don't check outgoing mail for spam:
# @bypass_spam_checks_acl = ( "!.$mydomain", "." );
# (a downside of which is that such mail will not count as ham in SA bayes db)

# Where to find SQL server(s) and database to support SQL lookups?
# A list of triples: (dsn,user,passw). (dsn = data source name)
# More than one entry may be specified for multiple (backup) SQL servers.
# See 'man DBI', 'man DBD::mysql', 'man DBD::Pg', ... for details.
# When chroot-ed, accessing SQL server over inet socket may be more convenient.
#
# @lookup_sql_dsn =
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#   ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'] );
#
# ('mail' in the example is the database name, choose what you like)
# With PostgreSQL the dsn (first element of the triple) may look like:
# 'DBI:Pg:host=host1;dbname=mail'

# The SQL select clause to fetch per-recipient policy settings.
# The %k will be replaced by a comma-separated list of query addresses
# (e.g. full address, domain only, catchall). Use ORDER, if there
# is a chance that multiple records will match - the first match wins.
# If field names are not unique (e.g. 'id'), the later field overwrites the
# earlier in a hash returned by lookup, which is why we use '*,users.id'.
# $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
#   ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
#   ' ORDER BY users.priority DESC';
#
# The SQL select clause to check sender in per-recipient whitelist/blacklist
# The first SELECT argument '?' will be users.id from recipient SQL lookup,
# the %k will be sender addresses (e.g. full address, domain only, catchall).
# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
#   ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'.
#   ' AND (mailaddr.email IN (%k))'.
#   ' ORDER BY mailaddr.priority DESC';

$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting

# If you decide to pass viruses (or spam) to certain recipients using the
# above lookup tables or using $final_virus_destiny=D_PASS, you can set
# the variable $addr_extension_virus ($addr_extension_spam) to some
# string, and the recipient address will have this string appended
# as an address extension to the local-part of the address. This extension
# can be used by final local delivery agent to place such mail in different
# folders. Leave these two variables undefined or empty strings to prevent
# appending address extensions. Setting has no effect on recipient which will
# not be receiving viruses/spam. Recipients who do not match lookup tables
# local_domains* are not affected.
#
# LDAs usually default to stripping away address extension if no special
# handling is specified, so having this option enabled normally does no harm,
# provided the $recipients_delimiter matches the setting on the final
# MTA's LDA.

# $addr_extension_virus = 'virus'; # (default is undef, same as empty)
# $addr_extension_spam = 'spam'; # (default is undef, same as empty)
# $addr_extension_banned = 'banned'; # (default is undef, same as empty)

# Delimiter between local part of the recipient address and address extension
# (which can optionally be added, see variables $addr_extension_virus and
# $addr_extension_spam). E.g. recipient address <user@example.com> gets changed
# to <user+virus@example.com>.
#
# Delimiter should match equivalent (final) MTA delimiter setting.
# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf)
# Setting it to an empty string or to undef disables this feature
# regardless of $addr_extension_virus and $addr_extension_spam settings.

$recipient_delimiter = '+'; # (default is '+')

# true: replace extension; false: append extension
$replace_existing_extension = 1; # (default is false)

# Affects matching of localpart of e-mail addresses (left of '@')
# in lookups: true = case sensitive, false = case insensitive
$localpart_is_case_sensitive = 0; # (default is false)

# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT)
# (affects spam checking only, has no effect on virus and other checks)

# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
# senders even if the message would be recognized as spam. Effectively, for
# the specified senders, message recipients temporarily become 'spam_lovers'.
# To avoid surprises, whitelisted sender also suppresses inserting/editing
# the tag2-level header fields (X-Spam-*, Subject), appending spam address
# extension, and quarantining.

# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
# Effectively, for messages from blacklisted senders, spam level
# is artificially pushed high, and the normal spam processing applies,
# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual
# reactions to spam, including possible rejection. If the message nevertheless
# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
# in the 'X-Spam-Status' header field, but the reported spam value and
# set of tests in this report header field (if available from SpamAssassin,
# which may have not been called) is not adjusted.
#
# A sender may be both white- and blacklisted at the same time, settings
# are independent. For example, being both white- and blacklisted, message
# is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No;
# X-Spam-Status: No, ...), but the reported spam level (if computed) may
# still indicate high spam score.
#
# If ALL recipients of the message either white- or blacklist the sender,
# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
#
# The following variables (lookup tables) are available, with the semantics
# and syntax as specified in README.lookups:
#
# %whitelist_sender, @whitelist_sender_acl, $whitelist_sender_re
# %blacklist_sender, @blacklist_sender_acl, $blacklist_sender_re

# SOME EXAMPLES:
#
#ACL:
# @whitelist_sender_acl = qw( .example.com );
#
# @whitelist_sender_acl = ( ".$mydomain" ); # $mydomain and its subdomains
# NOTE: This is not a reliable way of turning off spam checks for
# locally-originating mail, as sender address can easily be faked.
# To reliably avoid spam-scanning outgoing mail,
# use @bypass_spam_checks_acl .
#RE:
# $whitelist_sender_re = new_RE(
#   qr'^postmaster@.*\bexample\.com$'i,
#   qr'owner-[^@]*@'i, qr'-request@'i,
#   qr'\.example\.com$'i );
#
$blacklist_sender_re = new_RE(
  qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
  qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
  qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonl|smoking2002k)@'i,
  qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
  qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
  qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);

#HASH lookup variant:
# NOTE: Perl operator qw splits its argument string by whitespace
# and produces a list. This means that addresses can not contain
# whitespace, and there is no provision for comments within the string.
# You can use the normal Perl list syntax if you have special requirements,
# e.g. map {...} ('one user@bla', '.second.com'), or use read_hash to read
# addresses from a file.
#
# a hash lookup table can be read from a file,
# one address per line, comments and empty lines are permitted:
#
# read_hash(\%whitelist_sender, '/var/amavis/whitelist_sender');

# ... or set directly:
map { $whitelist_sender{lc($_)}=1 } (qw(
  nobody@cert.org
  owner-alert@iss.net
  slashdot@slashdot.org
  bugtraq@securityfocus.com
  NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  security-alerts@linuxsecurity.com
  amavis-user-admin@lists.sourceforge.net
  razor-users-admin@lists.sourceforge.net
  notification-return@lists.sophos.com
  mailman-announce-admin@python.org
  zope-announce-admin@zope.org
  owner-postfix-users@postfix.org
  owner-postfix-announce@postfix.org
  owner-sendmail-announce@lists.sendmail.org
  sendmail-announce-request@lists.sendmail.org
  ca+envelope@sendmail.org
  owner-technews@postel.ACM.ORG
  lvs-users-admin@LinuxVirtualServer.org
  ietf-123-owner@loki.ietf.org
  cvs-commits-list-admin@gnome.org
  rt-users-admin@lists.fsck.com
  owner-announce@mnogosearch.org
  owner-hackers@ntp.org
  owner-bugs@ntp.org
  clp-request@comp.nus.edu.sg
  surveys-errors@lists.nua.ie
  emailNews@genomeweb.com
  owner-textbreakingnews@CNNIMAIL12.CNN.COM
  yahoo-dev-null@yahoo-inc.com
));

# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT

# The same semantics as for global white/blacklisting applies, but this
# time each recipient (or its domain, or subdomain, ...) can be given
# an individual lookup table for matching senders. The per-recipient lookups
# override the global lookups, which serve as a fallback default.

# Specify a two-level lookup table: the key for the outer table is recipient,
# and the result should be an inner lookup table (hash or ACL or RE),
# where the key used w |
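The regexp lookup tables described in the posted config's comments (`$banned_filename_re` with its `\.exe$` versus `.\.exe$` note, and `$viruses_that_fake_sender_re` with its `=> 0` pairs), as an added example that is not part of the original post or of amavisd-new. `lookup_re` and `verdict` are hypothetical helpers that model an ordered table where the first matching entry decides; the sample parts and virus names are constructed.

```perl
#!/usr/bin/perl
# Added example, not amavisd-new code: a simplified model of regexp lookup
# tables, for trying rules against sample keys before editing amavisd.conf.
use strict;
use warnings;

# Hypothetical helper: entries are tried in order and the first match decides.
# A bare qr// entry yields 1, a [qr// => value] pair yields its value.
# Returns (value, regexp), or an empty list when nothing matches.
sub lookup_re {
    my ($key, @table) = @_;
    for my $entry (@table) {
        my ($re, $val) = ref($entry) eq 'ARRAY' ? @$entry : ($entry, 1);
        return ($val, $re) if $key =~ $re;
    }
    return;
}

# Hypothetical helper: a mail part is banned when any of its non-empty keys
# (declared name, MIME type, short file(1) type) matches the table.
sub verdict {
    my ($table, @keys) = @_;
    for my $key (grep { defined && length } @keys) {
        my ($val) = lookup_re($key, @$table);
        return "BANNED on '$key'" if $val;
    }
    return 'pass';
}

# Active entries of $banned_filename_re, copied from the posted config.
my @banned_active = (
    qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i,    # double extensions
    qr'[{}]',                                             # CLSID-style names
    qr'^message/partial$'i, qr'^message/external-body$'i,
);

# The two spellings of a basic ".exe" rule compared in the config comments.
my @exe_any_key   = ( qr'\.exe$'i );     # file names and the short type '.exe'
my @exe_name_only = ( qr'.\.exe$'i );    # file names only

# Constructed sample parts: declared name, MIME type, short type from file(1).
my @parts = (
    [ 'report.pdf',      'application/pdf',          '.pdf' ],
    [ 'invoice.pdf.exe', 'application/octet-stream', '.exe' ],
    [ 'setup.exe',       'application/x-msdownload', '.exe' ],
    [ 'notes.txt',       'application/octet-stream', '.exe' ],  # renamed executable
    [ 'a.{00000000-0000-0000-0000-000000000000}', 'text/plain', '.txt' ],
    [ '',                'message/partial',          '.txt' ],
);

for my $part (@parts) {
    print 'part: ', join(' | ', @$part), "\n";
    print '  active rules : ', verdict(\@banned_active, @$part), "\n";
    print '  qr/\.exe$/i  : ', verdict(\@exe_any_key,   @$part), "\n";
    print '  qr/.\.exe$/i : ', verdict(\@exe_name_only, @$part), "\n";
}

# Part of $viruses_that_fake_sender_re from the posted config: pairs carry an
# explicit result, and the catch-all at the end makes "true" the default.
my @fake_sender = (
    qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
    qr'Worm'i,
    [ qr'^(EICAR|Joke\.|Junk\.)'i => 0 ],
    [ qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0 ],
    [ qr/.*/ => 1 ],
);

# Constructed scanner-reported names; a true result means the envelope sender
# is treated as forged, so no sender notification or bounce would be sent.
for my $name ('Worm.SomeFool.P', 'Eicar-Test-Signature',
              'W95/CIH-1003', 'Trojan.Example-1') {
    my ($val) = lookup_re($name, @fake_sender);
    printf "%-22s sender %s\n", $name,
        $val ? 'treated as forged' : 'treated as genuine';
}
```

Comparing the three verdicts for the `notes.txt` part shows why the choice between the two `.exe` spellings matters when a file's declared name and its detected type disagree.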