--- /dev/null
+amavisd-cn
+
+Ovaj paket donosi dodatnu CARNetovu konfiguraciju za paket
+iz Debian distribucije.
+
+- Od inacice 20030616p10-1, amavisd-cn vise ne donosi cijeli amavisd-new,
+ vec ovisi o Debianovim paketima amavisd-new i amavisd-new-milter. U ovom
+ paketu se sada nalazi samo konfiguracija podesna za posluzitelje na
+ CARNetovim ustanovama. Konfiguracijska datoteka se vise ne nalazi u
+ /etc/amavisd.conf, vec u
+
+ /etc/amavis/amavisd.conf
+
+ Stara datoteka se kod instalacije premjesta u
+ /etc/amavis/amavisd.conf.cn-old, tako da po zelji mozete vlastite
+ postavke prenijeti u novu. Predlozak za novu konfiguraciju se nalazi u
+ /usr/share/amavisd-cn/amavisd.conf.template, i sadrzi minimalne izmjene u
+ odnosu na pocetnu konfiguraciju iz Debianovog paketa. U predlosku je
+ postavljena podrska za Sendmail+milter, za SpamAssassin s podrskom za
+ white- i blackliste, te za ClamAV i Sophos antiviruse.
+
+- Za restart svih kompomenti mta sustava ispravnim redoslijedom (clamd +
+ amavisd-new + amavis-milter + sendmail ili clamd + amavisd + postfix)
+ mozete koristiti dodanu init.d skriptu
+
+ /etc/init.d/amavisd-cn restart
+
+- Odrzavanje spamassassin bayesian filtera sada dolazi sa Debianovim paketom
+ i nalazi se u
+
+ /etc/cron.d/amavisd-new
+
+ Brisanje starih datoteka iz karantene se obavlja iz
+
+ /etc/cron.d/amavisd-cn
+
+ Logika je da se cron datoteke zovu po paketu koji ih je donio, sto je
+ u duhu Debianove paketne politike i olaksava upgrade ovih paketa.
+
+- $spam_admin opcija omogucava obavjestavanje o prepoznatom spamu putem
+ maila. S obzirom da se u obavijestima poslanim na ovaj nacin citira
+ poruka prepoznata kao spam, moguce je da Amavis samu tu obavijest
+ prepozna kao spam, pokusa poslati dodatnu obavijest i na taj nacin
+ generira velike kolicine maila, sto moze uzrokovati zapunjenje /var
+ particije.
+
+ Ukoliko zelite primati te obavijesti, svakako izuzmite $spam_admin email
+ adresu iz iz anti-spam filtera. To se moze uciniti dodavanjem
+ $spam_admin adrese u neku od $spam_lovers* postavki, ili dodavanjem
+ adrese iz postavke $mailfrom_notify_spamadmin u whitelistu. Primjer za
+ prvi nacin:
+
+ $spam_lovers{lc($spam_admin)} = 1;
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Fri, 30 Jun 2006 10:58:01 +0200
--- /dev/null
+Bugs:
+- SAVI ne radi kod prve instalacije? Nakon sophos-sweep-update i
+ dpkg-reconfigure amavisd-cn proradi.
+- CN: Current configuration saved in /var/backups/amavisd.conf.bak
+ se pojavljuje precesto a uzrokuje slanje maila.
+
+Features:
+- funkcije za pametniju izmjenu sendmail <-> postfix
+- update na 2.4 i _mozda_ split config
--- /dev/null
+amavisd-cn (2:20030616p10-11) sarge; urgency=low
+
+ * Ispravljen typo u uvjetima za provjeru postfix konfiguracije.
+ * Skracena postfixize.sh skripta:
+ - varijable sa verzijama predlozaka prebacene u version.sh,
+ - izbaceni dijelovi nevezani za postfix.
+ * Bolja vrijednost za $mydomain ako je stroj MX za domenu
+ (T#: 2006101613000041).
+ * dpkg -l | grep ^.i za provjeru instalacije paketa.
+ * _CH_HOST_ -> _CN_DOMAIN_ u predloscima, nema funkcionalnih izmjena.
+
+ -- Zoran Dzelajlija <zoran.dzelajlija@carnet.hr> Sun, 29 Oct 2006 20:54:01 +0100
+
+amavisd-cn (2:20030616p10-10.1) sarge; urgency=low
+
+ * Razdvojene verzije predlozaka za sendmail i postfix.
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Fri, 30 Jun 2006 14:10:01 +0200
+
+amavisd-cn (2:20030616p10-10) sarge; urgency=low
+
+ * Dodana podrska za postfix.
+ * Preuredjene instalacijske skripte.
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Fri, 30 Jun 2006 01:04:44 +0200
+
+amavisd-cn (2:20030616p10-9) sarge; urgency=low
+
+ * Greska u funkciji za provjeru rada daemona uzrokovala ispad miltera
+ (T#: 2005070613000087, T#: 2005070613000096).
+ Ujednacena ista funkcija u init i postinst skripti, sitne ispravke.
+ * Provjera daemona u postinst skripti je sada bezuvjetna.
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Wed, 6 Jul 2005 20:33:02 +0200
+
+amavisd-cn (2:20030616p10-8) sarge; urgency=low
+
+ * Ispravljen typo u detekciji stare konfiguracijske datoteke.
+ * Backup konfiguracije u /var/backups umjesto u *.dpkg-old.
+ * Utisane bounce poruke za viruse i sumnjive privitke.
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Thu, 23 Jun 2005 14:54:14 +0200
+
+amavisd-cn (2:20030616p10-7) sarge; urgency=low
+
+ * Ispravljeno rusenje kod brisanja paketa.
+ * Ispravljen sumnjiv copy/paste u postinst skripti.
+ * Ciscenje zaostalih pyzor procesa.
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Mon, 25 Apr 2005 23:46:10 +0200
+
+amavisd-cn (2:20030616p10-6) sarge; urgency=low
+
+ * Ispravke funkcije za provjeru rada servisa (T#: 2005011313000021).
+ * Konfiguracija sendmaila protiv pojave X-Authentication-Warning u zaglavlju
+ i logovima (dio T#: 2005021513000024).
+ * Dio dijeljenih postinst funkcija prebacen u carnet-tools.
+ * Ispravljene provjere ispravnog dizanja servisa.
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Mon, 21 Mar 2005 00:01:01 +0100
+
+amavisd-cn (2:20030616p10-5) sarge; urgency=low
+
+ * Iskljuceno slanje obavijesti o spamu zbog moguceg mail loopa
+ (T#: 2004122913000017 i dr.). Dodana dokumentacija o problemu.
+ * Ispravka korisnika u konfiguraciji za logrotate.
+ * mv /etc/amavisd.conf /etc/amavisd.conf.cn-old
+ * Popravljen poziv update-rc.d za clamav-daemon.
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Sat, 15 Jan 2005 18:48:25 +0100
+
+amavisd-cn (2:20030616p10-4) sarge; urgency=low
+
+ * Paket za sarge distribuciju.
+ * Zamjenjuje konfiguraciju sa CARNet Debian 2.x CD-a.
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Sun, 26 Dec 2004 03:00:49 +0100
+
+amavisd-cn (20030616p10-3) woody; urgency=low
+
+ * Iskljucena podrska za SAVI::Perl ako nije instaliran
+ (mozda popravlja T#: 2004122113000041).
+ * chown sweep logova (opet T#: 2004122113000059)
+ * Salje mail sa logom od upgradea.
+ * Predlozak za amavisd.conf updatean na Debian 20030616p10-5.
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Sun, 26 Dec 2004 03:00:22 +0100
+
+amavisd-cn (20030616p10-2) woody; urgency=low
+
+ * Ispravka korisnika u /usr/bin/sophos-ide-update (T#: 2004122113000059).
+ * postinst puca kod restarta clamava (T#: 2004122013000015).
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Tue, 21 Dec 2004 13:11:06 +0100
+
+amavisd-cn (20030616p10-1) woody; urgency=low
+
+ * Verzija za woody.
+ * Nova konfiguracijska datoteka,
+ - minimalne izmjene u odnosu na Debianove defaulte.
+ * Novo ime cron.d datoteke.
+ * Koristenje Debianovih paketa i init skripti.
+ * Nova amavisd-cn wrapper init skripta.
+ * viruser korisnik se brise, koriste se amavis i clamav.
+
+ -- Zoran Dzelajlija <jelly+paketi@srce.hr> Mon, 15 Nov 2004 00:35:04 +0100
+
+amavisd-cn (2:20030616p10-1) testing; urgency=low
+
+ * Nove verzije amavisd-new, clamav, spamassassin.
+ * Mice divert amavisd.conf i ubija zaostale milter procese.
+ * init.d skripta srezana i pokrece se nakon ostalih relevantnih.
+ init skripti.
+ * Promjene u amavisd.conf:
+ - sinkronizacija sa Debianovom konfiguracijom za novu verziju:
+ - kozmeticke promjene
+ - prepoznati spam je dobro odbiti i SMTP protokolom
+ ($final_spam_destiny = D_REJECT umjesto D_DISCARD)
+ - provjera virusa zavrsava s prvim nadjenim virusom
+ ($first_infected_stops_scan = 1)
+ - maknuta "domena.hr." iz popisa lokalnih domena.
+ * Ovisnost o spamassassin paketu.
+ * chown datoteka u slucaju upgradea sa woodyja.
+ * Dodavanje grupe amavis ako je potrebno.
+
+ -- Zeljko Boros <zelja@ravnica.ptfos.hr>
+
+amavisd-cn (20030616p7-3) testing; urgency=low
+
+ * Uveden link /etc/init.d/amavisd-cn na /etc/init.d/amavisd
+ * Smanjen milter log level na 4
+ * amavisd socket promijenjen na /var/lib/amavis/amavisd.sock
+ * uvedeno citanje crnih i bijelih lista iz datoteka
+ /var/lib/amavis/{black,white}list_sender
+ * Brisanje amavis-milter* datoteka starijih od 1 dan svaki dan
+ * Brisanje spama i virusa u karanteni svakih 7 dana
+ * Dodane neke opcije u /var/lib/amavis/.spamassassin/user_prefs
+ - datoteka /var/lib/amavis/.spamassassin/auto-whitelist
+ - eksplicitno dodana putanja do Bayes baze
+ - dodatno osigurano da se auto-expire ne ukljucuje
+ * Promjene u amavisd.conf:
+ - ukljucen auto-whitelisting sustav
+ - dodan 'always-clean' virus-scanner ("isporuci postu cak i kad svi
+ scanneri ne rade")
+ * Ovisnost o sendmail-cn (>= 8.12.9-6)
+
+ -- Zeljko Boros <zelja@ravnica.ptfos.hr> Wed, 24 Mar 2004 10:26:51 +0100
+
+amavisd-cn (20030616p7-2) testing; urgency=low
+
+ * Nova inacica paketa
+ * Ovisnost o amavisd-new i amavisd-new-milter paketima
+ * Brisanje privremenih amavis-milter* datoteka svakih 5 dana
+
+ -- Zeljko Boros <zelja@ravnica.ptfos.hr> Thu, 26 Feb 2004 13:02:08 +0100
+
--- /dev/null
+../changelog.CARNet
\ No newline at end of file
--- /dev/null
+/etc/cron.d/amavisd-cn
--- /dev/null
+Source: amavisd-cn
+Section: mail
+Priority: optional
+Maintainer: Zoran Dzelajlija <zoran.dzelajlija@carnet.hr>
+Build-Depends: debhelper (>= 4.0.0)
+Standards-Version: 3.6.1
+
+Package: amavisd-cn
+Architecture: all
+Provides: amavisd-new-cn
+Depends: amavisd-new (>= 20030616p10-5), postfix | amavisd-new-milter (>= 20030616p10-5), postfix | sendmail (>= 8.13.1-20), clamav-cn (>= 0.80-7), spamassassin (>= 2.64), debianutils (>= 1.13.1), carnet-tools-cn (>= 2.1), procps, patch, host
+Pre-Depends: amavisd-new
+Recommends: sweep-cn, libsavi-perl
+Conflicts: libsavi-perl (<< 0.15), bunch-perl-modules-cn, sweep-cn (<< 1.8-2)
+Description: Interface between MTA and virus scanner/content filters
+ AMaViSd-new is a script that interfaces a mail transport agent (MTA) with
+ zero or more virus scanners, and spamassassin (optional).
+ .
+ CARNet configuration comes with clamav and spamassassin, providing
+ virus and spam scanning for postfix, or for sendmail via
+ amavisd-new-milter.
--- /dev/null
+Package: amavisd-cn
+Version: 2:20030616p10-11
+Section:
+Architecture: all
+Provides: amavisd-new-cn
+Depends: amavisd-new (>= 20030616p10-5), postfix | amavisd-new-milter (>= 20030616p10-5), postfix | sendmail (>= 8.13.1-20), clamav-cn (>= 0.80-7), spamassassin (>= 2.64), debianutils (>= 1.13.1), carnet-tools-cn (>= 2.1), procps, patch, host
+Pre-Depends: amavisd-new
+Recommends: sweep-cn, libsavi-perl
+Conflicts: libsavi-perl (<< 0.15), bunch-perl-modules-cn, sweep-cn (<< 1.8-2)
+Suggests:
+Installed-Size: 284
+Maintainer: Zoran Dzelajlija <zoran.dzelajlija@carnet.hr>
+Description: Interface between MTA and virus scanner/content filters
+ AMaViSd-new is a script that interfaces a mail transport agent (MTA) with
+ zero or more virus scanners, and spamassassin (optional).
+ .
+ CARNet configuration comes with clamav and spamassassin, providing
+ virus and spam scanning for postfix, or for sendmail via
+ amavisd-new-milter.
--- /dev/null
+# Deleting temp files from quarantine area every day at 01:35
+35 1 * * * amavis find /var/lib/amavis/ -type d -mtime +1 -name "amavis-milter-*" -print0 | xargs -0 rm -fr
+# Deleting virus mails from quarantine area at 03:15 every day
+15 3 * * * amavis find /var/lib/amavis/virusmails -type f -mtime +7 -name "virus-*" -print0 | xargs -0 rm -f
+# Deleting spam mails from quarantine area every day at 04:25
+25 4 * * * amavis find /var/lib/amavis/virusmails -type f -mtime +7 -name "spam-*" -print0 | xargs -0 rm -f
--- /dev/null
+usr/share/amavisd-cn
--- /dev/null
+README.CARNet
+changelog.CARNet
+TODO
--- /dev/null
+#!/bin/sh
+
+set -e
+
+# options for daemons:
+# name init.d/script user ps name for pgrep -f pidfile, relative to /var/run num-fds last-fd-name
+options='
+clamd clamav-daemon clamav /usr/sbin/clamd clamav/clamd.pid 5 clamav.log
+amavis amavis.amavisd-new amavis amavisd \\(master\\) amavis/amavisd.pid 5 socket
+milter amavisd-new-milter amavis /usr/sbin/amavis-milter amavis/amavisd-new-milter.pid 5 socket
+'
+# note: pgrep -f takes a regexp, and this is shell expanded once, hence \\
+
+start () {
+ local daemon IFSOLD name script user psname pidfile num fdname
+ daemon="$1"
+ IFSOLD="$IFS"
+ IFS=" " # tab
+ read name script user psname pidfile num fdname <<-EOPTS
+ $(echo "$options" | sed 's/ */ /g' | grep ^$daemon)
+ EOPTS
+ IFS="$IFSOLD"
+ /etc/init.d/$script start
+ wait_for_fds "$daemon"
+}
+
+stop () {
+ local daemon IFSOLD name script user psname pidfile num fdname
+ daemon="$1"
+ n=10
+ IFSOLD="$IFS"
+ IFS=" " # tab
+ read name script user psname pidfile num fdname <<-EOPTS
+ $(echo "$options" | sed 's/ */ /g' | grep ^$daemon)
+ EOPTS
+ IFS="$IFSOLD"
+ /etc/init.d/$script stop
+ pkill -u $user -f "$psname" > /dev/null || true
+ while pgrep -u $user -f "$psname" > /dev/null && [ "$n" -gt 0 ]
+ do
+ sleep 1
+ n=$(($n-1))
+ done
+ pkill -9 -u $user -f "$psname" > /dev/null || true
+ #pkill -9 -u $user -x "$daemon"
+ if pgrep -u $user -f "$psname" > /dev/null; then # still there?
+ return 1
+ fi
+}
+
+wait_for_fds () {
+ # wait until process shows some I/O readiness :)
+ local name IFSOLD num sleep maxtry script user psname pidfile fdname
+ name="$1"
+ [ -z "$name" ] && return 1
+ IFSOLD="$IFS"
+ IFS=" " # tab
+ read name script user psname pidfile num fdname <<-EOPTS
+ $(echo "$options" | sed 's/ */ /g' | grep ^$name)
+ EOPTS
+ IFS="$IFSOLD"
+ num=${num:-4}
+ sleep=${sleep:-1}
+ maxtry=${maxtry:-10}
+ if [ -n "$pidfile" ]; then
+ pidfile=/var/run/$pidfile
+ findpid="[ -f $pidfile ] && cat $pidfile || true"
+ else
+ findpid="pgrep -u $user -f \"$psname\" -P 1 | head -1"
+ fi
+
+ # loop the loop the loop
+ try=1
+ while /bin/true
+ do
+ sleep $sleep # 1st, give it a chance to run
+ pid=`eval $findpid` # 2nd: find it
+ [ -z "$pid" ] && return 1 # not running at all
+ count=`ls -1 /proc/$pid/fd 2>/dev/null| wc -l` # 3rd: count all it's worth
+ [ "$count" -ge "$num" ] && ls -l /proc/$pid/fd | grep -q $fdname \
+ && return # success -- release
+ try=$(($try+1))
+ [ "0$try" -ge "0$maxtry" ] && return 1 # no luck this time
+ done
+}
+
+# if we're called as amavisd-cn or amavis with start argument,
+# act like one; otherwise, pass the call down
+case "$(basename $0)" in
+ amavisd-cn)
+ arg="i$1"
+ ;;
+ amavis)
+ if [ "$1" = start ]; then
+ arg="i$1"
+ else
+ arg="$1"
+ fi
+ ;;
+ *)
+ arg="$1"
+ ;;
+esac
+
+# If there's no diversion, play possum
+[ -x /etc/init.d/amavis.amavisd-new ] || exit 0
+
+if [ -x /etc/init.d/postfix -a -x /usr/lib/postfix/master ]; then
+ mta=postfix
+else
+ mta=sendmail
+fi
+
+case "$arg" in
+ start|stop|restart|reload|force-reload)
+ /etc/init.d/amavis.amavisd-new "$arg"
+ ;;
+
+ istart)
+ start clamd
+ start amavis
+ [ $mta = sendmail ] && start milter
+ /etc/init.d/$mta start
+ ;;
+
+ istop)
+ /etc/init.d/$mta stop
+ [ $mta = sendmail ] && stop milter
+ stop amavis
+ stop clamd
+ ;;
+
+ irestart|ireload|iforce-reload)
+ $0 stop
+ sleep 2
+ $0 start
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|restart|reload|force-reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
--- /dev/null
+version.sh usr/share/amavisd-cn
+src/* usr/share/amavisd-cn
+templates/* usr/share/amavisd-cn
--- /dev/null
+#!/bin/sh
+# last update: jelly+paketi@srce.hr Mon Oct 30 14:37:06 CET 2006
+
+set -e
+
+[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
+
+case "$1" in
+ configure)
+ # continue below
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+export PATH
+
+. /usr/share/amavisd-cn/version.sh
+. /usr/share/carnet-tools/functions.sh
+. /usr/share/amavisd-cn/variables.sh
+. /usr/share/amavisd-cn/functions.sh
+
+# Place configuration tweaks done on upgrades into this function
+update_conf() {
+ [ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
+ # comment out spam alerts if we're upgrading from
+ # << 20030616p10-4 in woody, or << 2:20030616p10-5 in sarge,
+ # or a fresh installation is taking place
+ if dpkg --compare-versions "$2" lt 20030616p10-4 || \
+ { dpkg --compare-versions "$2" ge 2:0 && \
+ dpkg --compare-versions "$2" lt 2:20030616p10-5; }; then
+ if cp_check_and_sed '^\$spam_admin = "spamalert\\@\$mydomain";$' \
+ 's/^\(\$spam_admin\b\)/# \1/' $ACONF; then
+ cp_echo "CN: commented \$spam_admin in $ACONF."
+ cp_echo "CN: Be sure to whitelist that address if you reenable it!"
+ cp_echo " If spam detection is enabled for that address, loops may occur."
+ restart_daemon=1
+ fi
+ fi
+ # saner defaults - silently discard viruses, and do SMTP-time reject for
+ # explicitely banned attachments instead of bounces
+ if dpkg --compare-versions "$2" lt 2:20030616p10-8; then
+ if cp_check_and_sed \
+ '^[ ]*\$final_virus_destiny[ ]*=[ ]*D_BOUNCE' \
+ 's/^\([ \t]*\$final_virus_destiny[ \t]*=[ \t]*\)D_BOUNCE/\1D_DISCARD/' \
+ $ACONF; then
+ cp_echo "CN: Discarding viruses (option \$final_virus_destiny)."
+ restart_daemon=1
+ fi
+ if cp_check_and_sed \
+ '^[ ]*\$final_banned_destiny[ ]*=[ ]*D_BOUNCE' \
+ 's/^\([ \t]*\$final_banned_destiny[ \t]*=[ \t]*\)D_BOUNCE/\1D_REJECT/' \
+ $ACONF; then
+ cp_echo "CN: Rejecting banned files at SMTP time (option \$final_banned_destiny)."
+ restart_daemon=1
+ fi
+ fi
+ if dpkg --compare-versions "$2" lt 2:20030616p10-11 && \
+ [ "$domain" != "$host" ]; then
+ if cp_check_and_sed \
+ '^[ ]*\$mydomain[ ]*=[ ]* ["'"']$host['"'"]' \
+ 's/^\([ \t]*\$mydomain[ \t]*=[ \t]*\)["'"']$host['"'"]/\1'"'$domain'"/ \
+ $ACONF; then
+ cp_echo "CN: MX for $domain detected, updating \$mydomain."
+ restart_daemon=1
+ fi
+ fi
+}
+
+# find out which MTA, assume postfix
+mta=postfix
+ACONFTMPL=$POSTTMPL
+TMPLVERSION=$POSTTMPLVERSION
+if dpkg -l postfix | grep -q '^.i'; then
+ . /usr/share/amavisd-cn/postfix.sh
+elif dpkg -l sendmail | grep -q '^.i'; then
+ mta=sendmail
+ ACONFTMPL=$SENDTMPL
+ TMPLVERSION=$SENDTMPLVERSION
+ . /usr/share/amavisd-cn/sendmail.sh
+else
+ # should never happen, we check for this in preinst too!
+ echo "CN: Ugh, no supported mail-transported-agent could be found?!" >&2
+ echo "CN: If you really have a MTA supported by CARNet installed," >&2
+ echo "CN: Please inform the maintainer. Assuming ${mta}..." >&2
+fi
+
+# XXX remove at least some of woody cruft for CARNet Debian 2.1+1
+# convert sweep-cn back to "sweep" account, fix uid/gid
+if getent passwd sweep > /dev/null; then
+ check_and_update_ugid sweep /etc/sweep /var/lib/sav /var/spool/intercheck /var/log/sweep.log || true
+ # chown stuff I forgot in previous versions
+ if dpkg --compare-versions "$2" lt 20030616p10-3; then
+ chown -R sweep:sweep /var/spool/intercheck /var/log/sweep.log 2> /dev/null || true
+ fi
+ if cp_check_and_sed viruser s/viruser/sweep/ /etc/cron.d/sweep-cn /usr/bin/sophos-ide-update; then
+ did_sweep="sweep "
+ fi
+ if cp_check_and_sed viruser "s/sweep viruser/sweep/g; s/viruser/sweep/g" /etc/samba/smb.conf; then
+ /etc/init.d/samba reload || true
+ did_sweep="${did_sweep}smb.conf "
+ fi
+fi # sweep
+
+# get rid of viruser
+if getent passwd viruser > /dev/null || [ -n "$did_sweep" ]; then
+ # remove viruser account usage
+ echo -n "CN: Removing viruser: "
+ [ "$did_sweep" ] && echo -n "$did_sweep"
+ if cp_check_and_sed '^viruser' s/viruser/clamav/ $ALIASES; then
+ newaliases 2>&1 > /dev/null
+ echo -n "aliases "
+ fi
+ if cp_check_and_sed "User viruser" \
+ s/viruser/clamav/ /etc/clamav/clamd.conf; then
+ clamav_changed=1
+ fi
+ if cp_check_and_sed "DatabaseOwner viruser" \
+ s/viruser/clamav/ /etc/clamav/freshclam.conf; then
+ clamav_changed=1
+ fi
+ if [ -n "$clamav_changed" ]; then
+ # add clamav to amavis group
+ echo -n "c"
+ id clamav | grep -q amavis || adduser clamav amavis > /dev/null
+ echo -n "l"
+ /etc/init.d/clamav-daemon stop > /dev/null || true
+ pkill -9 /usr/sbin/clamd || true
+ echo -n "a"
+ /etc/init.d/clamav-freshclam stop > /dev/null || true
+ pkill -9 /usr/bin/freshclam || true
+ echo -n "m"
+ chown -R clamav:clamav \
+ /var/lib/clamav /var/log/clamav /var/run/clamav || true
+ echo -n "a"
+ # Don't abort if clamav services do not restart.
+ /etc/init.d/clamav-daemon start > /dev/null || failed clamav-daemon
+ /etc/init.d/clamav-freshclam start > /dev/null || failed clamav-freshclam
+ echo -n "v "
+ fi
+ # We'll catch other changes later, just fix user now
+ if cp_check_and_sed '$daemon_user.*viruser' s/viruser/amavis/g $ACONF; then
+ stop_amavisd_now=1
+ fi
+ if getent passwd viruser >/dev/null; then
+ if ls -lnG /var/run/amavis $AHOME |grep -q " $(id -u viruser) " || \
+ pgrep -u viruser -f /usr/sbin/amavis-milter > /dev/null || \
+ pgrep -u viruser amavisd > /dev/null; then
+ stop_amavisd_now=1
+ fi
+ fi
+ if [ -n "$stop_amavisd_now" ]; then
+ echo -n "a"
+ if [ -x /etc/init.d/$mta ]; then
+ /etc/init.d/$mta stop > /dev/null
+ else
+ # shouldn't happen either XXX catch it and send to maintainer?
+ echo -n "iee, no init script for $mta! ignoring... a"
+ fi
+ echo -n "m"
+ if [ -x /etc/init.d/amavisd-new-milter ]; then
+ /etc/init.d/amavisd-new-milter stop > /dev/null
+ fi
+ echo -n "a"
+ pkill -9 -u viruser -f /usr/sbin/amavis-milter || true
+ echo -n "v"
+ /etc/init.d/amavis stop > /dev/null
+ echo -n "i"
+ pkill -9 -u viruser -x amavisd || true
+ chown_ahome=1 # do it later
+ echo -n "s "
+ restart_daemon=1
+ [ $mta = sendmail ] && restart_milter=1 || true
+ restart_mta=1
+ fi
+ if getent passwd viruser >/dev/null; then
+ echo -n "userdel"
+ userdel viruser
+ fi
+ echo "."
+ cp_echo -mailonly "CN: Removed user viruser."
+fi # viruser
+# added later
+if cp_check_and_sed viruser s/viruser/clamav/ \
+ /etc/logrotate.d/clamav-daemon /etc/logrotate.d/clamav-freshclam; then
+ :
+fi # viruser
+
+# $domain will be equal to $host if nothing better can be found
+get_domain
+domain=$RET
+
+# sendmail config
+if [ "$mta" = sendmail ]; then
+ update_sendmail
+ conf_sendmailize
+fi # end sendmail config
+
+# postfix config
+if [ "$mta" = postfix ]; then
+ update_postfix
+ conf_postfixize
+fi # end postfix config
+
+# amavisd.conf
+if [ -f "$ACONFOLD" ]; then
+ cp_echo "CN: Amavisd configuration is now in $ACONF."
+ cp_echo " Previous location was $ACONFOLD."
+ if [ ! -e "$ACONFMOVED" ]; then
+ mv "$ACONFOLD" "$ACONFMOVED"
+ cp_echo " Old file renamed to $ACONFMOVED."
+ fi
+ cp_echo ""
+ cp_echo "CN: If you made any changes to $ACONFOLD, they will NOT be moved"
+ cp_echo "CN: to the new location automatically. You must update the new file"
+ cp_echo "CN: by yourself, and remove the old file afterwards."
+elif [ -f "$ACONFMOVED" ]; then
+ cp_echo "CN: Remember to remove the old $ACONFMOVED file."
+fi
+if [ -f $ACONF ]; then
+ if grep -q _CN_ $ACONF; then
+ # This is unlikely, actually
+ if cp_check_and_sed "s/_CN_DOMAIN_/$domain/g; s/_CN_HOST_/$domain/g" $ACONF; then
+ restart_daemon=1
+ fi
+ else
+ if egrep -q "^\\\$mydomain = 'example.com'" $ACONF; then
+ # Debian default or lame sysadmin detected, replace it by template
+ conf_from_template
+ elif egrep -q "#CARNet#\\\$mydomain = 'example.com';" $ACONF &&
+ dpkg --compare-versions "$2" eq 2:20030616p5-0; then
+ # CARNet Debian 2.1 (sarge) CDROM installation detected
+ noisy_backup $ACONF
+ conf_from_template
+ else
+ # add other fixups to update_conf() above
+ update_conf $*
+ fi
+ fi
+fi
+# nonexistent or empty config
+if [ ! -f $ACONF -o ! -s $ACONF ]; then
+ # Create fresh config from template
+ conf_from_template
+fi
+
+# check for SAVI:
+# if not there, comment it out, if there, uncomment and restart
+if ! dpkg -l libsavi-perl bunch-perl-modules-cn 2> /dev/null | \
+ egrep -q '^.i' || \
+ ! [ -f /usr/lib/libsavi.so ]; then
+ if cp_check_and_sed "^\['Sophos SAVI'" \
+ "s/^\(\['Sophos SAVI', ..sophos_savi \]\)/#\1/" $ACONF; then
+ cp_echo "CN: Disabled SAVI::Perl usage in ${ACONF}."
+ cp_echo " To enable it, run sophos-sweep-update, uncomment and restart amavis."
+ fi
+else
+ if cp_check_and_sed "^#\['Sophos SAVI'" \
+ "s/^#\(\['Sophos SAVI', ..sophos_savi \]\)/\1/" $ACONF; then
+ cp_echo "CN: Enabled SAVI::Perl usage in ${ACONF}."
+ restart_daemon=1
+ fi
+fi
+
+check_and_add_alias virusalert root
+check_and_add_alias spamalert root
+
+# touch some required files XXX check if necessary for 2.4
+if [ ! -f $WLIST ]; then
+ touch $WLIST
+ chown_ahome=1
+fi
+
+if [ ! -f $BLIST ]; then
+ touch $BLIST
+ chown_ahome=1
+fi
+
+if [ ! -f $AHOME/.spamassassin/user_prefs ] ; then
+ [ -d $AHOME/.spamassassin ] || mkdir -p $AHOME/.spamassassin
+ cat > $AHOME/.spamassassin/user_prefs <<-EEND
+ bayes_path $AHOME/.spamassassin/bayes
+ bayes_auto_expire 0
+ auto_whitelist_path $AHOME/.spamassassin/auto-whitelist
+ EEND
+ chown_ahome=1
+fi
+
+if [ ! -f $AHOME/.spamassassin/auto-whitelist ] ; then
+ touch $AHOME/.spamassassin/auto-whitelist
+ chown_ahome=1
+fi
+
+# Raid over rc2.d
+if [ -x "/etc/init.d/sendmail" -a -e /etc/rc2.d/S20sendmail ]; then
+ update-rc.d -f sendmail remove >/dev/null 2>/dev/null
+ update-rc.d sendmail defaults 21 19 >/dev/null
+fi
+if [ -n "$(find /etc/rc2.d -name S18clam\*)" ]; then
+ update-rc.d -f clamav-daemon remove >/dev/null
+ update-rc.d clamav-daemon defaults 22 18 >/dev/null
+fi
+
+# Cleanup and finalization
+if dpkg --compare-versions "$2" lt 2:20030616p10-4; then
+ update-rc.d -f amavisd remove > /dev/null
+ restart_daemon=1
+ chown_ahome=1
+ # a complicated way to say chmod 750
+ dpkg-statoverride --remove $AHOME > /dev/null || true
+ dpkg-statoverride --update --add amavis amavis 750 $AHOME
+fi
+
+if [ -n "$chown_ahome" ]; then
+ # might be slow
+ echo -n "CN: Fixing ownership in /var/*/amavis... "
+ chown -R amavis:amavis $AHOME /var/run/amavis || true
+ echo "done."
+ cp_echo -mailonly "CN: Fixed ownerships in /var/*/amavis."
+fi
+
+# kill naughty pyzor descendants
+if dpkg --compare-versions "$2" lt "2:20030616p10-7" && \
+ pgrep -u amavis -f '/usr/bin/pyzor check' > /dev/null; then
+ /etc/init.d/amavisd-cn stop
+ pkill -9 -u amavis -f '/usr/bin/pyzor check' > /dev/null || true
+ /etc/init.d/amavisd-cn start
+ restart_daemon=
+ restart_mta=
+fi
+
+# START AMAVISD
+# about a half of amavisd-cn script is here
+if [ "$restart_daemon" -a -x /etc/init.d/amavis.amavisd-new ]; then
+ /etc/init.d/amavis.amavisd-new restart
+fi
+# always check that the daemons are running
+if ! wait_for_fds amavis; then
+ /etc/init.d/amavis.amavisd-new start
+ wait_for_fds amavis
+fi
+if [ "$mta" = sendmail ]; then
+ if [ "$restart_daemon" -a -x /etc/init.d/amavisd-new-milter ]; then
+ /etc/init.d/amavisd-new-milter restart
+ restart_mta=1
+ fi
+ # always check that the daemons are running
+ if ! wait_for_fds milter; then
+ /etc/init.d/amavisd-new-milter start
+ wait_for_fds milter
+ restart_mta=1
+ fi
+elif [ "$restart_mta" ]; then
+ /etc/init.d/$mta restart
+fi
+
+# this needs to be updated when $CRONTAB file changes
+if dpkg --compare-versions "$2" lt "2:20030616p10-4"; then
+ cp_echo ""
+ cp_echo "CN: Deleting temp files older than 1 day every day at 01:35 AM"
+ cp_echo "CN: Deleting spam-mail older than 7 days every day at 03:15 AM"
+ cp_echo "CN: Deleting virus-mail older than 7 days every day at 04:25 AM"
+ cp_echo " (can be changed in $CRONTAB)"
+fi
+# display this message just once... maybe use debconf instead
+if dpkg --compare-versions "$2" lt "2:20030616p10-4"; then
+ cp_echo ""
+ cp_echo "CN: To stop, start or restart all of the clamav+amavis+mta components,"
+ cp_echo "CN: use the /etc/init.d/amavisd-cn script."
+fi
+if [ "$failed" ]; then
+ cp_echo ""
+ cp_echo "CN: Services $failed failed to restart!"
+ cp_echo "CN: Please check and start manually if needed."
+fi
+
+# Upgrade, but no automatically changed config;
+# warn if new template available
+if [ -n "$2" -a -z "$changed_config" ] && \
+ dpkg --compare-versions "$2" lt "$TMPLVERSION"; then
+ cp_echo ""
+ cp_echo "CN: It seems you have upgraded this package from version $2."
+ cp_echo "CN: Configuration template for $mta was modified in version ${TMPLVERSION}."
+ cp_echo " You might want to review the changes, or simply copy the new template and"
+ cp_echo " and replace the _CN_DOMAIN_ string with an adequate value:"
+ cp_echo " cp $ACONFTMPL $ACONF"
+ cp_echo " perl -pi -e 's/_CN_DOMAIN_/$domain/g' $ACONF"
+fi
+
+cp_mail $PKG $VERSION
--- /dev/null
+#!/bin/sh
+
+set -e
+
+if [ "$1" = remove ]; then
+ rm -f /etc/init.d/amavis
+ dpkg-divert --quiet --package amavisd-cn --remove --rename \
+ --divert /etc/init.d/amavis.amavisd-new /etc/init.d/amavis || true
+fi
+
+if [ "$1" = purge ]; then
+ # REMOVING /var/lib/amavis/amavis* and /var/run/amavis
+ # /var/run/amavis now deleted in /etc/init.d/amavisd
+ # keeping virusmails until --purge is used
+ rm -fr /var/lib/amavis/amavis*
+fi
--- /dev/null
+#!/bin/sh
+
+set -e
+
+mv_init () {
+ echo -n " Renaming to /etc/init.d/amavis.dpkg-old... "
+ mv /etc/init.d/amavis /etc/init.d/amavis.dpkg-old
+ echo "done."
+}
+
+if [ "$1" = install -o "$1" = upgrade ]; then
+ dpkg-divert --quiet --package amavisd-cn --rename \
+ --divert /etc/init.d/amavis.amavisd-new /etc/init.d/amavis
+
+ # link not in package because woody's dpkg behaves strange when it is
+ if [ ! -h /etc/init.d/amavis ]; then
+ if [ -e /etc/init.d/amavis ]; then
+ echo "CN: Found unknown file at /etc/init.d/amavis."
+ mv_init
+ fi
+ ln -s amavisd-cn /etc/init.d/amavis
+ elif ! readlink /etc/init.d/amavis | grep -q '^amavisd-cn$'; then
+ # Symlink in place, but does it point to us?
+ echo "CN: Shouldn't happen: found strange /etc/init.d/amavis link."
+ mv_init
+ ln -s amavisd-cn /etc/init.d/amavis
+ fi
+fi
--- /dev/null
+#!/bin/sh
+
+set -e
+[ "$DEBIAN_SCRIPT_DEBUG" ] && set -x
+
+. /usr/share/carnet-tools/functions.sh
+
+PKG=amavisd-cn
+MAILDIR=/etc/mail
+ALIASES=/etc/aliases
+sendmail_cf=$MAILDIR/sendmail.cf
+sendmail_mc=$MAILDIR/sendmail.mc
+submit_mc=$MAILDIR/submit.mc
+ct_file=$MAILDIR/trusted-users
+main_cf=/etc/postfix/main.cf
+master_cf=/etc/postfix/master.cf
+
+del_postconf() {
+ egrep -v "^$1[[:blank:]]*=[[:blank:]]*" $main_cf > $main_cf.dpkg-tmp.$$
+ cp_mv $main_cf.dpkg-tmp.$$ $main_cf
+}
+
+if [ "$1" = remove ]; then
+ # sendmail?
+ if grep -q $PKG $sendmail_mc $submit_mc 2>&- || \
+ grep -q '^amavis$' $ct_file 2>&- ; then
+ echo "Removing sendmail configuration for ${PKG}... "
+ cp-update -r -c dnl $PKG $sendmail_mc >&-
+ cp-update -r -c dnl $PKG $submit_mc >&-
+ grep -v '^amavis$' $ct_file > ${ct_file}.dpkg-tmp.$$ || true
+ cp_mv ${ct_file}.dpkg-tmp.$$ $ct_file
+ make -C /etc/mail 2>&1 | grep -v 'issue .*/etc/init.d/sendmail reload' 1>&2 || true
+ echo "Removed sendmail configuration for ${PKG}."
+ if pgrep -u root -f 'sendmail: MTA: accepting connections' >&- ; then
+ /etc/init.d/sendmail reload
+ if ! pgrep -u root -f 'sendmail: MTA: accepting connections' >&- ; then
+ echo 'CN: Something bad happened to sendmail on reload!' 1>&2
+ exit 1
+ fi
+ # Everything went well, apparently. Remove old backup files.
+ rm -f $sendmail_cf.$PKG
+ rm -f $sendmail_mc.$PKG
+ rm -f $submit_mc.$PKG
+ fi
+ fi
+ # postfix?
+ if grep -q $PKG $master_cf; then
+ cp-update -r $PKG $master_cf >&-
+ del_postconf content_filter
+ echo "Removed postfix configuration for ${PKG}."
+ if pgrep -u root -f /usr/lib/postfix/master >&- && \
+ [ -x /etc/init.d/postfix ] >&- ; then
+ /etc/init.d/postfix restart
+ fi
+ fi
+ cp-update -r $PKG $ALIASES >&-
+ newaliases
+fi
--- /dev/null
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+
+ touch configure-stamp
+
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+
+ # Add here commands to compile the package.
+ # $(MAKE)
+ # pod2man debian/carnet-tools-cn/usr/sbin/cp-update > cp-update.1
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+
+ # Add here commands to clean up after the build process.
+ # -$(MAKE) clean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/carnet-tools-cn.
+ # $(MAKE) install DESTDIR=$(CURDIR)/debian/carnet-tools-cn
+
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+# dh_installchangelogs -k
+ dh_installdocs
+# dh_installexamples
+ dh_install
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+ dh_installinit -n
+ dh_installcron
+# dh_installinfo
+# dh_installman
+# dh_link
+# dh_strip
+# dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+# dh_makeshlibs
+ dh_installdeb
+# dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
--- /dev/null
+#####
+##
+## first, some generic functions
+##
+
+# find first free uid/gid in range
+# find_id passwd 100 999
+find_id() {
+ local db first last ids
+ db=$1
+ first=$2
+ last=$3
+ ids=$(getent $db | awk -F: "\$3 >= $first && \$3 <= $last {print \$3}")
+ for i in $(seq $first $last)
+ do
+ if ! echo $ids |grep -q $i; then
+ echo $i
+ return 0
+ fi
+ done
+ return 1
+}
+
+#
+# Update uid for user from reserved system range (0-99) to dynamic system
+# range (100-999). Optionally update ownerships of given directories.
+# $0 user [directory ...]
+#
+check_and_update_ugid() {
+ local user newgid newuid
+ user=$1
+ if [ "$(getent passwd $user | awk -F: '$3 >= 100 {print "ok"; exit 0}')" ]; then
+ return 0
+ fi
+ shift
+ newgid=$(find_id group 100 999)
+ newuid=$(find_id passwd 100 999)
+ # other directories/files
+ chown -R $newuid:$newgid $* 2>/dev/null || true
+ groupmod -g $newgid $user
+ usermod -u $newuid -g $newgid $user
+ cp_echo "CN: Fixed $user user uid/gid."
+}
+
+wait_for_fds () {
+ # wait until process shows some I/O readiness :)
+ [ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
+ local name IFSOLD num sleep maxtry script user psname pidfile fdname
+ name="$1"
+ [ -z "$name" ] && return 1
+ IFSOLD="$IFS"
+ IFS=" " # tab
+ read name script user psname pidfile num fdname <<-EOPTS
+ $(echo "$options" | sed 's/ */ /g' | grep ^$name)
+ EOPTS
+ IFS="$IFSOLD"
+ num=${num:-4}
+ sleep=${sleep:-1}
+ maxtry=${maxtry:-10}
+ if [ -n "$pidfile" ]; then
+ pidfile=/var/run/$pidfile
+ findpid="[ -f $pidfile ] && cat $pidfile || true"
+ else
+ findpid="pgrep -u $user -f \"$psname\" -P 1 | head -1"
+ fi
+
+ # loop the loop the loop
+ try=1
+ while /bin/true
+ do
+ sleep $sleep # 1st, give it a chance to run
+ pid=`eval $findpid` # 2nd: find it
+ [ -z "$pid" ] && return 1 # not running at all
+ count=`ls -1 /proc/$pid/fd 2> /dev/null| wc -l` # 3rd: count all it's worth
+ [ "$count" -ge "$num" ] && ls -l /proc/$pid/fd | grep -q $fdname \
+ && return # success -- release
+ try=$(($try+1))
+ [ "0$try" -ge "0$maxtry" ] && return 1 # no luck this time
+ done
+}
+
+failed() {
+ if [ -n "$failed" ]; then
+ failed="$failed, $1"
+ else
+ failed="$1"
+ fi
+}
+
+check_and_add_alias () {
+ if ! grep -q "^$1:" $ALIASES; then
+ echo "$1: $2" >> $ALIASES
+ # both postfix and sendmail use newaliases
+ newaliases > /dev/null
+ fi
+}
+
+noisy_backup() {
+ cp_backup_conffile "$1"
+ cp_echo "CN: Current configuration saved in /var/backups/`basename $1`.bak"
+}
+
+# if fqdn is name.dom3.dom2.dom1.hr, check if this host is MX for
+# either dom3.dom2.dom1.hr, dom2.dom1.hr or dom1.hr and dump highest level
+# domain on stdout
+get_domain() {
+ local domains d
+ RET=$host
+ if ! echo $host | grep -q '\.'; then
+ return
+ fi
+ if [ ! -x /usr/bin/host ]; then
+ cp_echo "CN: no host command... \$mydomain value might be unoptimal."
+ return
+ fi
+ domains=$(hostname -f | awk -F'\.' '
+ {
+ for (i=2; i<NF; i++) {
+ for (j=i; j<NF; j++) {
+ printf "%s", $(j)"."
+ };
+ print $NF
+ }
+ }' )
+ for d in $domains
+ do
+ mxes=$(host -t mx $d)
+ # handle output of both /usr/bin/host providers
+ mxes=$(echo "$mxes"|\
+ awk '/mail is handled by/ || /MX/ {print $NF}'|sed s/\.$//)
+ if echo "$mxes" |egrep -q "^$host$"; then
+ RET="$d"
+ fi
+ done
+}
+
+# XXX TODO implement per paragraph conditional munging some day
+in_paragraph() {
+ return 1
+}
+
+commented_in_paragraph() {
+ local s
+ s="$1"
+ shift
+ s=`echo $s|sed 's/^/[[:blank:]]*#[[:blank:]]/'`
+ set -- "$s" "$@"
+ in_paragraph "$@"
+}
+
+uncommented_in_paragraph() {
+ local s
+ s="$1"
+ shift
+ s=`echo $s|sed 's/^/[[:blank:]]*/'`
+ set -- "$s" "$@"
+ in_paragraph "$@"
+}
+
+catpatch() {
+ cat "$postdiff" | sed "s,amavisd\.conf[a-z.-]*\t,$1\t,"
+}
+
+#####
+##
+## amavisd-cn specific functions bloated enough to be moved here
+##
+
+conf_from_template() {
+ cp /dev/null $ACONF
+ sed -e "s/_CN_DOMAIN_/$domain/g; s/_CN_HOST_/$host/g" $ACONFTMPL >> $ACONF
+ restart_daemon=1
+ changed_config=1
+}
--- /dev/null
+update_postfix() {
+ # set up master.cf
+ if [ -f /etc/postfix/master.cf ] && \
+ ! grep -q smtp-amavis /etc/postfix/master.cf; then
+ cp-update $PKG /etc/postfix/master.cf <<-EOF
+ smtp-amavis unix - - n - 2 smtp
+ -o smtp_data_done_timeout=1200
+ -o disable_dns_lookups=yes
+ -o smtp_line_length_limit=0
+ -o notify_classes=protocol,resource,software
+ -o max_use=10
+
+ 127.0.0.1:10025 inet n - n - - smtpd
+ -o content_filter=
+ -o local_recipient_maps=
+ -o smtpd_helo_restrictions=
+ -o smtpd_client_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
+ -o mynetworks=127.0.0.0/8
+ -o strict_rfc821_envelopes=yes
+ EOF
+ fi
+
+ # main.cf
+ postconf -e content_filter="smtp-amavis:[127.0.0.1]:10024"
+}
+
+conf_postfixize() {
+ local tmp
+ tmp=`basename $ACONF.dpkg-tmp.$$`
+ noisy_backup $ACONF
+ # detect non-postfix config
+ # XXX add $inet_socket_port & $inet_socket_bind
+ if egrep -q '^[[:blank:]]*\$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' $ACONF || \
+ ! ( egrep -q '^\$forward_method = '\''smtp:127.0.0.1:10025'\'';[[:blank:]]*(#|$)' $ACONF && \
+ egrep -q '^\$notify_method = \$forward_method;[[:blank:]]*(#|$)' $ACONF && \
+ egrep -q '^\$inet_socket_port.*10024' $ACONF && \
+ egrep -q '^\$inet_socket_bind' $ACONF ); then
+ if catpatch $ACONF | patch -sfp0 --dry-run >&- 2>&-; then
+ oldpwd=`pwd`
+ cd `dirname $ACONF`
+ cp -p $ACONF $tmp
+ catpatch $tmp | patch -fp0
+ cp_mv $tmp $ACONF
+ cd $oldpwd
+ cp_echo -mailonly "CN: $ACONF patched for postfix."
+ # then try to update exact options without disturbing anything else
+ elif commented_in_paragraph '^[[:blank:]]*#.*POSTFIX' \
+ '^$forward_method = '\''smtp:127.0.0.1:10025'\'';[[:blank:]]*(#|$)' \
+ '^\$notify_method = \$forward_method;[[:blank:]]*(#|$)' \
+ -f $ACONF &&
+ uncommented_in_paragraph '^[[:blank:]]*#.*MILTER' \
+ '$forward_method = undef;[[:blank:]]*(#|$)' \
+ '$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' \
+ -f $ACONF; then
+ cp $ACONF $tmp
+ uncomment_in_paragraph '^[[:blank:]]*#.*POSTFIX' \
+ '^$forward_method = '\''smtp:127.0.0.1:10025'\'';[[:blank:]]*(#|$)' \
+ '^\$notify_method = \$forward_method;[[:blank:]]*(#|$)' \
+ -f $tmp
+ comment_in_paragraph '^[[:blank:]]*#.*MILTER' \
+ '$forward_method = undef;[[:blank:]]*(#|$)' \
+ '$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' \
+ -f $tmp
+ cp_mv $tmp $ACONF
+ cp_echo "CN: $ACONF updated for ${mta}."
+ # or just use the template
+ else
+ conf_from_template
+ cp_echo "CN: Config generated from ${ACONFTMPL}."
+ fi
+ restart_daemon=1
+ changed_config=1
+ fi
+ restart_mta=1
+}
--- /dev/null
+#!/bin/sh
+# last update: jelly+paketi@srce.hr Thu Jun 29 22:08:49 CEST 2006
+
+set -e
+
+[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+export PATH
+
+. /usr/share/amavisd-cn/version.sh
+. /usr/share/carnet-tools/functions.sh
+. /usr/share/amavisd-cn/variables.sh
+. /usr/share/amavisd-cn/functions.sh
+
+# find out which MTA, assume postfix
+mta=postfix
+ACONFTMPL=$POSTTMPL
+TMPLVERSION=$POSTTMPLVERSION
+if dpkg -l postfix | grep -q '^.i'; then
+ . /usr/share/amavisd-cn/postfix.sh
+else
+ # should never happen
+ echo "CN: Don't invoke this script unless you have $mta installed!" >&2
+ exit 1
+fi
+
+# postfix config
+if [ "$mta" = postfix ]; then
+ update_postfix
+ conf_postfixize
+fi # end postfix config
+
+# nonexistent or empty config
+if [ ! -f $ACONF -o ! -s $ACONF ]; then
+ # should never happen
+ echo "CN: Can't find $ACONF?!" >&2
+ exit 2
+fi
+
+# START AMAVISD
+if [ "$restart_daemon" -a -x /etc/init.d/amavis.amavisd-new ]; then
+ /etc/init.d/amavis.amavisd-new restart
+fi
+# always check that the daemons are running
+if ! wait_for_fds amavis; then
+ /etc/init.d/amavis.amavisd-new start < /dev/null
+ wait_for_fds amavis
+fi
--- /dev/null
+update_sendmail_mc() {
+ cp-update -c dnl $PKG $sendmail_mc <<-END
+ define(\`MILTER', 1)dnl
+ INPUT_MAIL_FILTER(\`amavis-milter', \`S=local:$AHOME/amavisd-new-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl
+ dnl Reducing number of messages in syslog for milter
+ define(\`confMILTER_LOG_LEVEL', \`4')dnl
+ END
+ #' XXX stupid joe syntax highlighing
+}
+
+# sendmail chunk moved out from postinst in 20030616p10-10
+update_sendmail() {
+ if [ -f $sendmail_mc ]; then
+ # creating backup files, just in case
+ cp -p $sendmail_mc $sendmail_mc.$PKG
+ mcbak=1
+ cp -p $sendmail_cf $sendmail_cf.$PKG
+ cfbak=1
+
+ if ! egrep -q '^INPUT_MAIL_FILTER.*amavis-milter' $sendmail_mc; then
+ update_sendmail_mc
+ makecf=1
+ elif grep -q 'Begin update by CARNet package amavisd-cn' $sendmail_mc; then
+ update_sendmail_mc
+ makecf=1
+ elif grep -q 'local:/var/run/amavis/amavis-milter.sock' $sendmail_mc; then
+ echo "CN: You seem to have a custom configuration for milter in"
+ echo " ${sendmail_mc}. I'll try to fix it but I don't promise anything."
+ echo " Things might break or behave unexpectedly."
+ cp_echo -mailonly "CN: Tried to fix custom milter config in ${sendmail_mc}."
+ cp_check_and_sed "/var/run/amavis/amavis-milter.sock" \
+ "s,/var/run/amavis/amavis-milter.sock,$AHOME/amavisd-new-milter.sock," \
+ $sendmail_mc
+ makecf=1
+ fi
+ fi # sendmail.mc
+
+ # submit.mc: use /etc/mail/trusted-users, and add user amavis
+ # to get rid of Authentication-Warnings
+ if [ -f "$submit_mc" ]; then
+ cp -p $submit_mc $submit_mc.$PKG
+ subak=1
+ if ! grep -q use_ct_file $submit_mc; then
+ cp-update -R --insert-before '^FEATURE\(`?msp' -c dnl $PKG $submit_mc <<-END
+ FEATURE(\`use_ct_file')dnl
+ END
+ grep -q '^amavis$' $ct_file || echo amavis >> $ct_file
+ echo "CN: Added FEATURE(use_ct_file) to $submit_mc."
+ fi
+ fi # submit.mc
+
+ if [ "$makecf" ]; then
+ make -C /etc/mail >/dev/null 2>&1
+ restart_mta=1
+ else
+ [ "$mcbak" ] && rm -f $sendmail_mc.$PKG
+ [ "$cfbak" ] && rm -f $sendmail_cf.$PKG
+ [ "$subak" ] && rm -f $submit_mc.$PKG
+ fi
+}
+
+conf_sendmailize() {
+ local tmp oldpwd
+ tmp=`basename $ACONF.dpkg-tmp.$$`
+ noisy_backup $ACONF
+ # are we configured for milter?
+ if ! egrep -q '^[[:blank:]]*\$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' $ACONF; then
+ # first try to apply patch
+ if catpatch $ACONF | patch -Rsfp0 --dry-run 2>&- ; then
+ oldpwd=`pwd`
+ cd `dirname $ACONF`
+ cp -p $ACONF $tmp
+ catpatch $tmp | patch -Rfp0
+ cp_mv $tmp $ACONF
+ cd $oldpwd
+ cp_echo -mailonly "CN: $ACONF postfix patch removed."
+ # then try to update exact options without disturbing anything else
+ elif uncommented_in_paragraph '^[[:blank:]]*#.*POSTFIX' \
+ '^$forward_method = '\''smtp:127.0.0.1:10025'\'';[[:blank:]]*(#|$)' \
+ '^\$notify_method = \$forward_method;[[:blank:]]*(#|$)' \
+ -f $ACONF &&
+ commented_in_paragraph '^[[:blank:]]*#.*MILTER' \
+ '$forward_method = undef;[[:blank:]]*(#|$)' \
+ '$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' \
+ -f $ACONF; then
+ cp $ACONF $tmp
+ comment_in_paragraph '^[[:blank:]]*#.*POSTFIX' \
+ '^$forward_method = '\''smtp:127.0.0.1:10025'\'';[[:blank:]]*(#|$)' \
+ '^\$notify_method = \$forward_method;[[:blank:]]*(#|$)' \
+ -f $tmp
+ uncomment_in_paragraph '^[[:blank:]]*#.*MILTER' \
+ '$forward_method = undef;[[:blank:]]*(#|$)' \
+ '$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' \
+ -f $tmp
+ cp_mv $tmp $ACONF
+ cp_echo "CN: $ACONF updated for ${mta}."
+ # or just overwrite
+ else
+ conf_from_template
+ cp_echo "CN: Config generated from ${ACONFTMPL}."
+ fi
+ restart_daemon=1
+ changed_config=1
+ fi
+}
--- /dev/null
+PKG=amavisd-cn
+AHOME=/var/lib/amavis
+MAILDIR=/etc/mail
+ALIASES=/etc/aliases
+sendmail_cf=$MAILDIR/sendmail.cf
+sendmail_mc=$MAILDIR/sendmail.mc
+submit_mc=$MAILDIR/submit.mc
+ct_file=$MAILDIR/trusted-users
+CRONTAB=/etc/cron.d/$PKG
+ACONFOLD=/etc/amavisd.conf
+ACONFMOVED=/etc/amavisd.conf.cn-old
+ACONF=/etc/amavis/amavisd.conf
+POSTTMPL=/usr/share/$PKG/amavisd.conf.postfix-template
+SENDTMPL=/usr/share/$PKG/amavisd.conf.sendmail-template
+postdiff=/usr/share/$PKG/sendmail-to-postfix.diff
+BLIST=$AHOME/blacklist_sender
+WLIST=$AHOME/whitelist_sender
+# domain is set in postinst
+host=$(/bin/hostname -f)
+
+# options for daemons:
+# name init.d/script user ps name for pgrep -f pidfile, relative to /var/run num-fds last-fd-name
+options='
+clamd clamav-daemon clamav /usr/sbin/clamd clamav/clamd.pid 5 clamav.log
+amavis amavis.amavisd-new amavis amavisd \\(master\\) amavis/amavisd.pid 5 socket
+milter amavisd-new-milter amavis /usr/sbin/amavis-milter amavis/amavisd-new-milter.pid 5 socket
+'
+# note: pgrep -f takes a regexp, and this is shell expanded once, hence \\
--- /dev/null
+use strict;
+
+# Configuration file for amavisd-new
+# Defaults modified for the Debian amavisd-new package
+# $Id: amavisd.conf,v 1.27.2.2 2004/11/18 23:27:55 hmh Exp $
+#
+# This software is licensed under the GNU General Public License (GPL).
+# See comments at the start of amavisd-new for the whole license text.
+
+#Sections:
+# Section I - Essential daemon and MTA settings
+# Section II - MTA specific
+# Section III - Logging
+# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
+# Section V - Per-recipient and per-sender handling, whitelisting, etc.
+# Section VI - Resource limits
+# Section VII - External programs, virus scanners, SpamAssassin
+# Section VIII - Debugging
+
+#GENERAL NOTES:
+# This file is a normal Perl code, interpreted by Perl itself.
+# - make sure this file (or directory where it resides) is NOT WRITABLE
+# by mere mortals (not even vscan/amavis; best to make it owned by root),
+# otherwise it represents a severe security risk!
+# - for values which are interpreted as booleans, it is recommended
+# to use 1 for true, undef for false.
+# THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "no" also meant false,
+# now it means true, like any nonempty string does!
+# - Perl syntax applies. Most notably: strings in "" may include variables
+# (which start with $ or @); to include characters @ and $ in double
+# quoted strings, precede them by a backslash; in single-quoted strings
+# the $ and @ lose their special meaning, so it is usually easier to use
+# single quoted strings (or qw operator) for e-mail addresses.
+# Still, in both cases a backslash needs to be doubled.
+# - variables with names starting with a '@' are lists, the values assigned
+# to them should be lists as well, e.g. ('one@foo', $mydomain, "three");
+# note the comma-separation and parenthesis. If strings in the list
+# do not contain spaces nor variables, a Perl operator qw() may be used
+# as a shorthand to split its argument on whitespace and produce a list
+# of strings, e.g. qw( one@foo example.com three ); Note that the argument
+# to qw is quoted implicitly and no variable interpretation is done within
+# (no '$' variable evaluations). The #-initiated comments can NOT be used
+# within a string. In other words, $ and # lose their special meaning
+# within a qw argument, just like within '...' strings.
+# - all e-mail addresses in this file and as used internally by the daemon
+# are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.
+# Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com
+# and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'.
+# - the term 'default value' in examples below refers to the value of a
+# variable pre-assigned to it by the program; any explicit assignment
+# to a variable in this configuration file overrides the default value;
+
+
+#
+# Section I - Essential daemon and MTA settings
+#
+
+# $MYHOME serves as a quick default for some other configuration settings.
+# More refined control is available with each individual setting further down.
+# $MYHOME is not used directly by the program. No trailing slash!
+$MYHOME = '/var/lib/amavis'; # (default is '/var/amavis')
+
+# $mydomain serves as a quick default for some other configuration settings.
+# More refined control is available with each individual setting further down.
+# $mydomain is never used directly by the program.
+$mydomain = '_CN_DOMAIN_'; # (no useful default)
+
+# $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3)
+
+# Set the user and group to which the daemon will change if started as root
+# (otherwise just keeps the UID unchanged, and these settings have no effect):
+$daemon_user = 'amavis'; # (no default (undef))
+$daemon_group = 'amavis'; # (no default (undef))
+
+# Runtime working directory (cwd), and a place where
+# temporary directories for unpacking mail are created.
+# if you change this, you might want to modify the cleanup()
+# function in /etc/init.d/amavisd-new
+# (no trailing slash, may be a scratch file system)
+$TEMPBASE = $MYHOME; # (must be set if other config vars use is)
+#$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?
+
+# $helpers_home sets environment variable HOME, and is passed as option
+# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory
+# on a normal persistent file system, not a scratch or temporary file system
+#$helpers_home = $MYHOME; # (defaults to $MYHOME)
+
+# Run the daemon in the specified chroot jail if nonempty:
+#$daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot)
+
+$pid_file = "/var/run/amavis/amavisd.pid"; # (default: "$MYHOME/amavisd.pid")
+$lock_file = "/var/run/amavis/amavisd.lock"; # (default: "$MYHOME/amavisd.lock")
+
+# set environment variables if you want (no defaults):
+$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory
+#...
+
+
+# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,
+# both $forward_method and $notify_method default to 'smtp:127.0.0.1:10025'
+
+# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
+# (set host and port number as required; host can be specified
+# as IP address or DNS name (A or CNAME, but MX is ignored)
+$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
+$notify_method = $forward_method; # where to submit notifications
+
+# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
+# uncomment the appropriate settings below if using other setups!
+
+# SENDMAIL MILTER, using amavis-milter.c helper program:
+# SEE amavisd-new-milter package docs FOR DEBIAN INSTRUCTIONS
+#$forward_method = undef; # no explicit forwarding, sendmail does it by itself
+# milter; option -odd is needed to avoid deadlocks
+#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
+# just a thought: can we use use -Am instead of -odd ?
+
+# SENDMAIL (old non-milter setup, as relay):
+#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';
+#$notify_method = $forward_method;
+
+# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent):
+#$forward_method = undef; # no explicit forwarding, amavis.c will call LDA
+#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';
+
+# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
+#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';
+#$notify_method = $forward_method;
+
+# prefer to collect mail for forwarding as BSMTP files?
+#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";
+#$notify_method = $forward_method;
+
+
+# Net::Server pre-forking settings
+# You may want $max_servers to match the width of your MTA pipe
+# feeding amavisd, e.g. with Postfix the 'Max procs' field in the
+# master.cf file, like the '2' in the: smtp-amavis unix - - n - 2 smtp
+#
+$max_servers = 2; # number of pre-forked children (default 2)
+$max_requests = 10; # retire a child after that many accepts (default 10)
+
+$child_timeout=5*60; # abort child if it does not complete each task in n sec
+ # (default: 8*60 seconds)
+
+# Check also the settings of @av_scanners at the end if you want to use
+# virus scanners. If not, you may want to delete the whole long assignment
+# to the variable @av_scanners, which will also remove the virus checking
+# code (e.g. if you only want to do spam scanning).
+
+# Here is a QUICK WAY to completely DISABLE some sections of code
+# that WE DO NOT WANT (it won't even be compiled-in).
+# For more refined controls leave the following two lines commented out,
+# and see further down what these two lookup lists really mean.
+#
+# @bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code
+# @bypass_spam_checks_acl = qw( . ); # uncomment to DISABLE anti-spam code
+#
+# Any setting can be changed with a new assignment, so make sure
+# you do not unintentionally override these settings further down!
+
+# Lookup list of local domains (see README.lookups for syntax details)
+#
+# NOTE:
+# For backwards compatibility the variable names @local_domains (old) and
+# @local_domains_acl (new) are synonyms. For consistency with other lookups
+# the name @local_domains_acl is now preferred. It also makes it more
+# obviously distinct from the new %local_domains hash lookup table.
+#
+# local_domains* lookup tables are used in deciding whether a recipient
+# is local or not, or in other words, if the message is outgoing or not.
+# This affects inserting spam-related headers for local recipients,
+# limiting recipient virus notifications (if enabled) to local recipients,
+# in deciding if address extension may be appended, and in SQL lookups
+# for non-fqdn addresses. Set it up correctly if you need features
+# that rely on this setting (or just leave empty otherwise).
+#
+# With Postfix (2.0) a quick reminder on what local domains normally are:
+# a union of domains specified in: $mydestination, $virtual_alias_domains,
+# $virtual_mailbox_domains, and $relay_domains.
+#
+#@local_domains_acl = ( ".$mydomain" ); # $mydomain and its subdomains
+# @local_domains_acl = ( ".$mydomain", "my.other.domain" );
+# @local_domains_acl = qw(); # default is empty, no recipient treated as local
+# @local_domains_acl = qw( .example.com );
+# @local_domains_acl = qw( .example.com !host.sub.example.net .sub.example.net );
+@local_domains_acl = ( "$mydomain", ".$mydomain" );
+
+# or alternatively(A), using a Perl hash lookup table, which may be assigned
+# directly, or read from a file, one domain per line; comments and empty lines
+# are ignored, a dot before a domain name implies its subdomains:
+#
+#read_hash(\%local_domains, '/etc/amavis/local_domains');
+
+#or alternatively(B), using a list of regular expressions:
+# $local_domains_re = new_RE( qr'[@.]example\.com$'i );
+#
+# see README.lookups for syntax and semantics
+
+
+#
+# Section II - MTA specific (defaults should be ok)
+#
+
+# if $relayhost_is_client is true, the IP address in $notify_method and
+# $forward_method is dynamically overridden with SMTP client peer address
+# (if available), which makes it possible for several hosts to share one
+# daemon. The static port number is also overridden, and is dynamically
+# calculated as being one above the incoming SMTP/LMTP session port number.
+#
+# These are logged at level 3, so enable logging until you know you got it
+# right.
+$relayhost_is_client = 0; # (defaults to false)
+
+$insert_received_line = 1; # behave like MTA: insert 'Received:' header
+ # (does not apply to sendmail/milter)
+ # (default is true (1) )
+
+# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)
+# (used with amavis helper clients like amavis-milter.c and amavis.c,
+# NOT needed for Postfix and Exim or dual-sendmail - keep it undefined.)
+$unix_socketname = "/var/lib/amavis/amavisd.sock"; # amavis helper protocol socket
+#$unix_socketname = undef; # disable listening on a unix socket
+ # (default is undef, i.e. disabled)
+
+# Do we receive quoted or raw addresses from the helper program?
+# (does not apply to SMTP; defaults to true)
+#$gets_addr_in_quoted_form = 1; # "Bob \"Funny\" Dude"@example.com
+#$gets_addr_in_quoted_form = 0; # Bob "Funny" Dude@example.com
+
+
+
+# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
+# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
+$inet_socket_port = 10024; # accept SMTP on this local TCP port
+ # (default is undef, i.e. disabled)
+# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];
+
+# SMTP SERVER (INPUT) access control
+# - do not allow free access to the amavisd SMTP port !!!
+#
+# when MTA is at the same host, use the following (one or the other or both):
+$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
+ # (default is '127.0.0.1')
+#@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
+ # (default is qw( 127.0.0.1 ) )
+
+# when MTA (one or more) is on a different host, use the following:
+# @inet_acl = qw(127/8 10.1.0.1 10.1.0.2); # adjust the list as appropriate
+# $inet_socket_bind = undef; # bind to all IP interfaces if undef
+#
+# Example1:
+# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
+# permit only SMTP access from loopback and rfc1918 private address space
+#
+# Example2:
+# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
+# 127.0.0.1 10/8 172.16/12 192.168/16 );
+# matches loopback and rfc1918 private address space except host 192.168.1.12
+# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
+#
+# Example3:
+# @inet_acl = qw( 127/8
+# !172.16.3.0 !172.16.3.127 172.16.3.0/25
+# !172.16.3.128 !172.16.3.255 172.16.3.128/25 );
+# matches loopback and both halves of the 172.16.3/24 C-class,
+# split into two subnets, except all four broadcast addresses
+# for these subnets
+#
+# See README.lookups for details on specifying access control lists.
+
+
+#
+# Section III - Logging
+#
+
+# true (e.g. 1) => syslog; false (e.g. 0) => logging to file
+$DO_SYSLOG = 1; # (defaults to false)
+#$SYSLOG_LEVEL = 'user.info'; # (facility.priority, default 'mail.info')
+
+# Log file (if not using syslog)
+$LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log)
+
+#NOTE: levels are not strictly observed and are somewhat arbitrary
+# 0: startup/exit/failure messages, viruses detected
+# 1: args passed from client, some more interesting messages
+# 2: virus scanner output, timing
+# 3: server, client
+# 4: decompose parts
+# 5: more debug details
+#$log_level = 2; # (defaults to 0)
+
+# Customizable template for the most interesting log file entry (e.g. with
+# $log_level=0) (take care to properly quote Perl special characters like '\')
+# For a list of available macros see README.customize .
+
+# only log infected messages (useful with log level 0):
+# $log_templ = '[? %#V |[? %#F ||banned filename ([%F|,])]|infected ([%V|,])]#
+# [? %#V |[? %#F ||, from=[?%o|(?)|<%o>], to=[<%R>|,][? %i ||, quarantine %i]]#
+# |, from=[?%o|(?)|<%o>], to=[<%R>|,][? %i ||, quarantine %i]]';
+
+# log both infected and noninfected messages (default):
+$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
+[?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
+
+
+#
+# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
+#
+
+# Select notifications text encoding when Unicode-aware Perl is converting
+# text from internal character representation to external encoding (charset
+# in MIME terminology). Used as argument to Perl Encode::encode subroutine.
+#
+# to be used in RFC 2047-encoded header field bodies, e.g. in Subject:
+#$hdr_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
+#
+# to be used in notification body text: its encoding and Content-type.charset
+#$bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
+
+# Default template texts for notifications may be overruled by directly
+# assigning new text to template variables, or by reading template text
+# from files. A second argument may be specified in a call to read_text(),
+# specifying character encoding layer to be used when reading from the
+# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.
+# Text will be converted to internal character representation by Perl 5.8.0
+# or later; second argument is ignored otherwise. See PerlIO::encoding,
+# Encode::PerlIO and perluniintro man pages.
+#
+# $notify_sender_templ = read_text('/var/amavis/notify_sender.txt');
+# $notify_virus_sender_templ= read_text('/var/amavis/notify_virus_sender.txt');
+# $notify_virus_admin_templ = read_text('/var/amavis/notify_virus_admin.txt');
+# $notify_virus_recips_templ= read_text('/var/amavis/notify_virus_recips.txt');
+# $notify_spam_sender_templ = read_text('/var/amavis/notify_spam_sender.txt');
+# $notify_spam_admin_templ = read_text('/var/amavis/notify_spam_admin.txt');
+
+# If notification template files are collectively available in some directory,
+# use read_l10n_templates which calls read_text for each known template.
+#
+# read_l10n_templates('/etc/amavis/en_US');
+#
+# Debian available locales: en_US, pt_BR, de_DE, it_IT
+read_l10n_templates('en_US', '/etc/amavis');
+
+
+# Here is an overall picture (sequence of events) of how pieces fit together
+# (only virus controls are shown, spam controls work the same way):
+#
+# bypass_virus_checks? ==> PASS
+# no viruses? ==> PASS
+# log virus if $log_templ is nonempty
+# quarantine if $virus_quarantine_to is nonempty
+# notify admin if $virus_admin (lookup) nonempty
+# notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
+# add address extensions if adding extensions is enabled and virus will pass
+# send (non-)delivery notifications
+# to sender if DSN needed (BOUNCE or ($warn_virus_sender and D_PASS))
+# virus_lovers or final_destiny==D_PASS ==> PASS
+# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
+#
+# Equivalent flow diagram applies for spam checks.
+# If a virus is detected, spam checking is skipped entirely.
+
+# The following symbolic constants can be used in *destiny settings:
+#
+# D_PASS mail will pass to recipients, regardless of bad contents;
+#
+# D_DISCARD mail will not be delivered to its recipients, sender will NOT be
+# notified. Effectively we lose mail (but will be quarantined
+# unless disabled). Losing mail is not decent for a mailer,
+# but might be desired.
+#
+# D_BOUNCE mail will not be delivered to its recipients, a non-delivery
+# notification (bounce) will be sent to the sender by amavisd-new;
+# Exception: bounce (DSN) will not be sent if a virus name matches
+# $viruses_that_fake_sender_re, or to messages from mailing lists
+# (Precedence: bulk|list|junk);
+#
+# D_REJECT mail will not be delivered to its recipients, sender should
+# preferably get a reject, e.g. SMTP permanent reject response
+# (e.g. with milter), or non-delivery notification from MTA
+# (e.g. Postfix). If this is not possible (e.g. different recipients
+# have different tolerances to bad mail contents and not using LMTP)
+# amavisd-new sends a bounce by itself (same as D_BOUNCE).
+#
+# Notes:
+# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
+# for informing the sender about non-delivery, and how informative
+# the notification can be (amavisd-new knows more than MTA);
+# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
+# notification, colloquially called 'bounce') - depending on MTA;
+# Best suited for sendmail milter, especially for spam.
+# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
+# reason for mail non-delivery, but unable to reject the original
+# SMTP session). Best suited to reporting viruses, and for Postfix
+# and other dual-MTA setups, which can't reject original client SMTP
+# session, as the mail has already been enqueued.
+
+$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
+$final_banned_destiny = D_REJECT; # (defaults to D_BOUNCE)
+$final_spam_destiny = D_REJECT; # (defaults to D_REJECT)
+$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
+
+# Alternatives to consider for spam:
+# - use D_PASS if clients will do filtering based on inserted mail headers;
+# - use D_DISCARD, if kill_level is set safely high;
+# - use D_BOUNCE instead of D_REJECT if not using milter;
+#
+# D_BOUNCE is preferred for viruses, but consider:
+# - use D_DISCARD to avoid bothering the rest of the network, it is hopeless
+# to try to keep up with the viruses that faker the envelope sender anyway,
+# and bouncing only increases the network cost of viruses for everyone
+# - use D_PASS (or virus_lovers) and $warnvirussender=1 to deliver viruses;
+# - use D_REJECT instead of D_BOUNCE if using milter and under heavy
+# virus storm;
+#
+# Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped
+# to D_BOUNCE.
+#
+# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD
+# and D_PASS made settings $warnvirussender and $warnspamsender only still
+# useful with D_PASS.
+
+# The following $warn*sender settings are ONLY used when mail is
+# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).
+# Bounces or rejects produce non-delivery status notification anyway.
+
+# Notify virus sender?
+#$warnvirussender = 1; # (defaults to false (undef))
+
+# Notify spam sender?
+#$warnspamsender = 1; # (defaults to false (undef))
+
+# Notify sender of banned files?
+#$warnbannedsender = 1; # (defaults to false (undef))
+
+# Notify sender of syntactically invalid header containing non-ASCII characters?
+#$warnbadhsender = 1; # (defaults to false (undef))
+
+# Notify virus (or banned files) RECIPIENT?
+# (not very useful, but some policies demand it)
+#$warnvirusrecip = 1; # (defaults to false (undef))
+#$warnbannedrecip = 1; # (defaults to false (undef))
+
+# Notify also non-local virus/banned recipients if $warn*recip is true?
+# (including those not matching local_domains*)
+#$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals)
+
+
+# Treat envelope sender address as unreliable and don't send sender
+# notification / bounces if name(s) of detected virus(es) match the list.
+# Note that virus names are supplied by external virus scanner(s) and are
+# not standardized, so virus names may need to be adjusted.
+# See README.lookups for syntax, check also README.policy-on-notifications
+#
+$viruses_that_fake_sender_re = new_RE(
+ qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
+ qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
+ qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
+ qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
+ qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
+ qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
+ [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
+ [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
+ [qr/.*/ => 1], # true by default (remove or comment-out if undesired)
+);
+
+# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)
+# - the administrator address may be a simple fixed e-mail address (a scalar),
+# or may depend on the SENDER address (e.g. its domain), in which case
+# a ref to a hash table can be specified (specify lower-cased keys,
+# dot is a catchall, see README.lookups).
+#
+# Empty or undef lookup disables virus admin notifications.
+
+# $virus_admin = undef; # do not send virus admin notifications (default)
+# $virus_admin = {'not.example.com' => '', '.' => 'virusalert@example.com'};
+# $virus_admin = 'virus-admin@example.com';
+#$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
+$virus_admin = "virusalert\@$mydomain"; # due to D_DISCARD default
+
+# equivalent to $virus_admin, but for spam admin notifications:
+# $spam_admin = "spamalert\@$mydomain";
+# $spam_admin = undef; # do not send spam admin notifications (default)
+# $spam_admin = {'not.example.com' => '', '.' => 'spamalert@example.com'};
+
+#advanced example, using a hash lookup table:
+#$virus_admin = {
+# 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com',
+# '.sub1.example.com' => 'virusalert@sub1.example.com',
+# '.sub2.example.com' => '', # don't send admin notifications
+# 'a.sub3.example.com' => 'abuse@sub3.example.com',
+# '.sub3.example.com' => 'virusalert@sub3.example.com',
+# '.example.com' => 'noc@example.com', # catchall for our virus senders
+# '.' => 'virusalert@hq.example.com', # catchall for the rest
+#};
+
+
+# whom notification reports are sent from (ENVELOPE SENDER);
+# may be a null reverse path, or a fully qualified address:
+# (admin and recip sender addresses default to $mailfrom
+# for compatibility, which in turn defaults to undef (empty) )
+# If using strings in double quotes, don't forget to quote @, i.e. \@
+#
+$mailfrom_notify_admin = "virusalert\@$mydomain";
+$mailfrom_notify_recip = "virusalert\@$mydomain";
+$mailfrom_notify_spamadmin = "spamalert\@$mydomain";
+
+# 'From' HEADER FIELD for sender and admin notifications.
+# This should be a replyable address, see rfc1894. Not to be confused
+# with $mailfrom_notify_sender, which is the envelope return address
+# and should be empty (null reverse path) according to rfc2821.
+#
+# The syntax of the 'From' header field is specified in rfc2822, section
+# '3.4. Address Specification'. Note in particular that display-name must be
+# a quoted-string if it contains any special characters like spaces and dots.
+#
+# $hdrfrom_notify_sender = "amavisd-new <postmaster\@$mydomain>";
+# $hdrfrom_notify_sender = 'amavisd-new <postmaster@example.com>';
+# $hdrfrom_notify_sender = '"Content-Filter Master" <postmaster@example.com>';
+# (defaults to: "amavisd-new <postmaster\@$myhostname>")
+# $hdrfrom_notify_admin = $mailfrom_notify_admin;
+# (defaults to: $mailfrom_notify_admin)
+# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;
+# (defaults to: $mailfrom_notify_spamadmin)
+
+# whom quarantined messages appear to be sent from (envelope sender);
+# keeps original sender if undef, or set it explicitly, default is undef
+$mailfrom_to_quarantine = ''; # override sender address with null return path
+
+
+# Location to put infected mail into: (applies to 'local:' quarantine method)
+# empty for not quarantining, may be a file (mailbox),
+# or a directory (no trailing slash)
+# (the default value is undef, meaning no quarantine)
+#
+$QUARANTINEDIR = '/var/lib/amavis/virusmails';
+
+#$virus_quarantine_method = "local:virus-%i-%n"; # default
+#$spam_quarantine_method = "local:spam-%b-%i-%n"; # default
+#
+#use the new 'bsmtp:' method as an alternative to the default 'local:'
+#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%i-%n.bsmtp";
+#$spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%b-%i-%n.bsmtp";
+
+# When using the 'local:' quarantine method (default), the following applies:
+#
+# A finer control of quarantining is available through variable
+# $virus_quarantine_to/$spam_quarantine_to. It may be a simple scalar string,
+# or a ref to a hash lookup table, or a regexp lookup table object,
+# which makes possible to set up per-recipient quarantine addresses.
+#
+# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a
+# per-recipient lookup result from the hash table %$virus_quarantine_to)
+# is/are interpreted as follows:
+#
+# VARIANT 1:
+# empty or undef disables quarantine;
+#
+# VARIANT 2:
+# a string NOT containing an '@';
+# amavisd will behave as a local delivery agent (LDA) and will quarantine
+# viruses to local files according to hash %local_delivery_aliases (pseudo
+# aliases map) - see subroutine mail_to_local_mailbox() for details.
+# Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'.
+# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:
+#
+# * if $QUARANTINEDIR is a directory, each quarantined virus will go
+# to a separate file in the $QUARANTINEDIR directory (traditional
+# amavis style, similar to maildir mailbox format);
+#
+# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style
+# mailbox. All quarantined messages will be appended to this file.
+# Amavisd child process must obtain an exclusive lock on the file during
+# delivery, so this may be less efficient than using individual files
+# or forwarding to MTA, and it may not work across NFS or other non-local
+# file systems (but may be handy for pickup of quarantined files via IMAP
+# for example);
+#
+# VARIANT 3:
+# any email address (must contain '@').
+# The e-mail messages to be quarantined will be handed to MTA
+# for delivery to the specified address. If a recipient address local to MTA
+# is desired, you may leave the domain part empty, e.g. 'infected@', but the
+# '@' character must nevertheless be included to distinguish it from variant 2.
+#
+# This method enables more refined delivery control made available by MTA
+# (e.g. its aliases file, other local delivery agents, dealing with
+# privileges and file locking when delivering to user's mailbox, nonlocal
+# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined
+# will not be handed back to amavisd for checking, as this will cause a loop
+# (hopefully broken at some stage)! If this can be assured, notifications
+# will benefit too from not being unnecessarily virus-scanned.
+#
+# By default this is safe to do with Postfix and Exim v4 and dual-sendmail
+# setup, but probably not safe with sendmail milter interface without
+# precaution.
+
+# (the default value is undef, meaning no quarantine)
+
+$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
+#$virus_quarantine_to = 'infected@'; # forward to MTA for delivery
+#$virus_quarantine_to = "virus-quarantine\@$mydomain"; # similar
+#$virus_quarantine_to = 'virus-quarantine@example.com'; # similar
+#$virus_quarantine_to = undef; # no quarantine
+#
+#$virus_quarantine_to = new_RE( # per-recip multiple quarantines
+# [qr'^user@example\.com$'i => 'infected@'],
+# [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],
+# [qr'^(.*)(@[^@])?$'i => 'virus-${1}${2}'],
+# [qr/.*/ => 'virus-quarantine'] );
+
+# similar for spam
+# (the default value is undef, meaning no quarantine)
+#
+$spam_quarantine_to = 'spam-quarantine';
+#$spam_quarantine_to = "spam-quarantine\@$mydomain";
+#$spam_quarantine_to = new_RE( # per-recip multiple quarantines
+# [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'],
+# [qr/.*/ => 'spam-quarantine'] );
+
+# In addition to per-recip quarantine, a by-sender lookup is possible. It is
+# similar to $spam_quarantine_to, but the lookup key is the sender address:
+#$spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine
+
+
+# Add X-Virus-Scanned header field to mail?
+$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)
+# Leave empty to add no header # (default: undef)
+$X_HEADER_LINE = "by $myversion (Debian) at $mydomain";
+
+# a string to prepend to Subject (for local recipients only) if mail could
+# not be decoded or checked entirely, e.g. due to password-protected archives
+$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
+
+$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
+#$remove_existing_x_scanned_headers= 1; # remove existing headers
+ # (defaults to false)
+#$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
+$remove_existing_spam_headers = 1; # remove existing spam headers if
+ # spam scanning is enabled (default)
+
+# set $bypass_decode_parts to true if you only do spam scanning, or if you
+# have a good virus scanner that can deal with compression and recursively
+# unpacking archives by itself, and save amavisd the trouble.
+# Disabling decoding also causes banned_files checking to only see
+# MIME names and MIME content types, not the content classification types
+# as provided by the file(1) utility.
+# It is a double-edged sword, make sure you know what you are doing!
+#
+#$bypass_decode_parts = 1; # (defaults to false)
+
+# don't trust this file type or corresponding unpacker for this file type,
+# keep both the original and the unpacked file for a virus checker to see
+# (lookup key is what file(1) utility returned):
+#
+$keep_decoded_original_re = new_RE(
+# qr'^MAIL$', # retain full original message for virus checking (can be slow)
+ qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
+ qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+# qr'^Zip archive data',
+);
+
+# Checking for banned MIME types and names. If any mail part matches,
+# the whole mail is rejected, much like the way viruses are handled.
+# A list in object $banned_filename_re can be defined to provide a list
+# of Perl regular expressions to be matched against each part's:
+#
+# * Content-Type value (both declared and effective mime-type),
+# including the possible security risk content types
+# message/partial and message/external-body, as specified by rfc2046;
+#
+# * declared (i.e. recommended) file names as specified by MIME subfields
+# Content-Disposition.filename and Content-Type.name, both in their
+# raw (encoded) form and in rfc2047-decoded form if applicable;
+#
+# * file content type as guessed by 'file' utility, both the raw
+# result from 'file', as well as short type name, classified
+# into names such as .asc, .txt, .html, .doc, .jpg, .pdf,
+# .zip, .exe, ... - see subroutine determine_file_types().
+# This step is done only if $bypass_decode_parts is not true.
+#
+# * leave $banned_filename_re undefined to disable these checks
+# (giving an empty list to new_RE() will also always return false)
+
+$banned_filename_re = new_RE(
+# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
+ qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # some double extensions
+ qr'[{}]', # curly braces in names (serve as Class ID extensions - CLSID)
+# qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
+# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
+# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
+# vbe|vbs|wsc|wsf|wsh)$'ix, # banned extension - long
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
+# qr'^\.(zip|lha|tnef|cab)$'i, # banned file(1) types
+# qr'^\.exe$'i, # banned file(1) types
+# qr'^application/x-msdownload$'i, # banned MIME types
+# qr'^application/x-msdos-program$'i,
+ qr'^message/partial$'i, # rfc2046. this one is deadly for Outcrook
+# qr'^message/external-body$'i, # block rfc2046
+);
+# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
+# and http://www.cknow.com/vtutor/vtextensions.htm
+
+# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe',
+# as well as any file name which happens to end with .exe. If only matching
+# a file name is desired, but not the short name, a pattern qr'.\.exe$'i
+# or similar may be used, which requires that at least one character precedes
+# the '.exe', and so it will never match short file types, which always start
+# with a dot.
+
+
+#
+# Section V - Per-recipient and per-sender handling, whitelisting, etc.
+#
+
+# %virus_lovers, @virus_lovers_acl and $virus_lovers_re lookup tables:
+# (these should be considered policy options, they do not disable checks,
+# see bypass*checks for that!)
+#
+# Exclude certain RECIPIENTS from virus filtering by adding their lower-cased
+# envelope e-mail address (or domain only) to the hash %virus_lovers, or to
+# the access list @virus_lovers_acl - see README.lookups and examples.
+# Make sure the appropriate form (e.g. external/internal) of address
+# is used in case of virtual domains, or when mapping external to internal
+# addresses, etc. - this is MTA-specific.
+#
+# Notifications would still be generated however (see the overall
+# picture above), and infected mail (if passed) gets additional header:
+# X-AMaViS-Alert: INFECTED, message contains virus: ...
+# (header not inserted with milter interface!)
+#
+# NOTE (milter interface only): in case of multiple recipients,
+# it is only possible to drop or accept the message in its entirety - for all
+# recipients. If all of them are virus lovers, we'll accept mail, but if
+# at least one recipient is not a virus lover, we'll discard the message.
+
+
+# %bypass_virus_checks, @bypass_virus_checks_acl and $bypass_virus_checks_re
+# lookup tables:
+# (this is mainly a time-saving option, unlike virus_lovers* !)
+#
+# Similar in concept to %virus_lovers, a hash %bypass_virus_checks,
+# access list @bypass_virus_checks_acl and regexp list $bypass_virus_checks_re
+# are used to skip entirely the decoding, unpacking and virus checking,
+# but only if ALL recipients match the lookup.
+#
+# %bypass_virus_checks/@bypass_virus_checks_acl/$bypass_virus_checks_re
+# do NOT GUARANTEE the message will NOT be checked for viruses - this may
+# still happen when there is more than one recipient for a message, and
+# not all of them match these lookup tables. To guarantee virus delivery,
+# a recipient must also match %virus_lovers/@virus_lovers_acl lookups
+# (but see milter limitations above),
+
+# NOTE: it would not be clever to base virus checks on SENDER address,
+# since there are no guarantees that it is genuine. Many viruses
+# and spam messages fake sender address. To achieve selective filtering
+# based on the source of the mail (e.g. IP address, MTA port number, ...),
+# use mechanisms provided by MTA if available.
+
+
+# Similar to lookup tables controlling virus checking, there exist
+# spam scanning, banned names/types, and headers_checks control counterparts:
+# %spam_lovers, @spam_lovers_acl, $spam_lovers_re
+# %banned_files_lovers, @banned_files_lovers_acl, $banned_files_lovers_re
+# %bad_header_lovers, @bad_header_lovers_acl, $bad_header_lovers_re
+# and:
+# %bypass_spam_checks/@bypass_spam_checks_acl/$bypass_spam_checks_re
+# %bypass_banned_checks/@bypass_banned_checks_acl/$bypass_banned_checks_re
+# %bypass_header_checks/@bypass_header_checks_acl/$bypass_header_checks_re
+# See README.lookups for details about the syntax.
+
+# The following example disables spam checking altogether,
+# since it matches any recipient e-mail address (any address
+# is a subdomain of the top-level root DNS domain):
+# @bypass_spam_checks_acl = qw( . );
+
+# @bypass_header_checks_acl = qw( user@example.com );
+# @bad_header_lovers_acl = qw( user@example.com );
+
+
+# See README.lookups for further detail, and examples below.
+
+# $virus_lovers{lc("postmaster\@$mydomain")} = 1;
+# $virus_lovers{lc('postmaster@example.com')} = 1;
+# $virus_lovers{lc('abuse@example.com')} = 1;
+# $virus_lovers{lc('some.user@')} = 1; # this recipient, regardless of domain
+# $virus_lovers{lc('boss@example.com')} = 0; # never, even if domain matches
+# $virus_lovers{lc('example.com')} = 1; # this domain, but not its subdomains
+# $virus_lovers{lc('.example.com')}= 1; # this domain, including its subdomains
+#or:
+# @virus_lovers_acl = qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org );
+#
+# $bypass_virus_checks{lc('some.user2@butnot.example.com')} = 1;
+# @bypass_virus_checks_acl = qw( some.ddd !butnot.example.com .example.com );
+
+# @virus_lovers_acl = qw( postmaster@example.com );
+# $virus_lovers_re = new_RE( qr'^(helpdesk|postmaster)@example\.com$'i );
+
+# $spam_lovers{lc("postmaster\@$mydomain")} = 1;
+# $spam_lovers{lc('postmaster@example.com')} = 1;
+# $spam_lovers{lc('abuse@example.com')} = 1;
+# @spam_lovers_acl = qw( !.example.com );
+# $spam_lovers_re = new_RE( qr'^user@example\.com$'i );
+
+# don't run spam check for these RECIPIENT domains:
+# @bypass_spam_checks_acl = qw( d1.com .d2.com a.d3.com );
+# or the other way around (bypass check for all BUT these):
+# @bypass_spam_checks_acl = qw( !d1.com !.d2.com !a.d3.com . );
+# a practical application: don't check outgoing mail for spam:
+# @bypass_spam_checks_acl = ( "!.$mydomain", "." );
+# (a downside of which is that such mail will not count as ham in SA bayes db)
+
+
+# Where to find SQL server(s) and database to support SQL lookups?
+# A list of triples: (dsn,user,passw). (dsn = data source name)
+# More than one entry may be specified for multiple (backup) SQL servers.
+# See 'man DBI', 'man DBD::mysql', 'man DBD::Pg', ... for details.
+# When chroot-ed, accessing SQL server over inet socket may be more convenient.
+#
+# @lookup_sql_dsn =
+# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
+# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'] );
+#
+# ('mail' in the example is the database name, choose what you like)
+# With PostgreSQL the dsn (first element of the triple) may look like:
+# 'DBI:Pg:host=host1;dbname=mail'
+
+# The SQL select clause to fetch per-recipient policy settings.
+# The %k will be replaced by a comma-separated list of query addresses
+# (e.g. full address, domain only, catchall). Use ORDER, if there
+# is a chance that multiple records will match - the first match wins.
+# If field names are not unique (e.g. 'id'), the later field overwrites the
+# earlier in a hash returned by lookup, which is why we use '*,users.id'.
+# $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
+# ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
+# ' ORDER BY users.priority DESC';
+#
+# The SQL select clause to check sender in per-recipient whitelist/blacklist
+# The first SELECT argument '?' will be users.id from recipient SQL lookup,
+# the %k will be sender addresses (e.g. full address, domain only, catchall).
+# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
+# ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'.
+# ' AND (mailaddr.email IN (%k))'.
+# ' ORDER BY mailaddr.priority DESC';
+
+$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
+
+
+# If you decide to pass viruses (or spam) to certain recipients using the
+# above lookup tables or using $final_virus_destiny=D_PASS, you can set
+# the variable $addr_extension_virus ($addr_extension_spam) to some
+# string, and the recipient address will have this string appended
+# as an address extension to the local-part of the address. This extension
+# can be used by final local delivery agent to place such mail in different
+# folders. Leave these two variables undefined or empty strings to prevent
+# appending address extensions. Setting has no effect on recipient which will
+# not be receiving viruses/spam. Recipients who do not match lookup tables
+# local_domains* are not affected.
+#
+# LDAs usually default to stripping away address extension if no special
+# handling is specified, so having this option enabled normally does no harm,
+# provided the $recipients_delimiter matches the setting on the final
+# MTA's LDA.
+
+# $addr_extension_virus = 'virus'; # (default is undef, same as empty)
+# $addr_extension_spam = 'spam'; # (default is undef, same as empty)
+# $addr_extension_banned = 'banned'; # (default is undef, same as empty)
+
+
+# Delimiter between local part of the recipient address and address extension
+# (which can optionally be added, see variables $addr_extension_virus and
+# $addr_extension_spam). E.g. recipient address <user@example.com> gets changed
+# to <user+virus@example.com>.
+#
+# Delimiter should match equivalent (final) MTA delimiter setting.
+# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf)
+# Setting it to an empty string or to undef disables this feature
+# regardless of $addr_extension_virus and $addr_extension_spam settings.
+
+$recipient_delimiter = '+'; # (default is '+')
+
+# true: replace extension; false: append extension
+$replace_existing_extension = 1; # (default is false)
+
+# Affects matching of localpart of e-mail addresses (left of '@')
+# in lookups: true = case sensitive, false = case insensitive
+$localpart_is_case_sensitive = 0; # (default is false)
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT)
+# (affects spam checking only, has no effect on virus and other checks)
+
+# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
+# senders even if the message would be recognized as spam. Effectively, for
+# the specified senders, message recipients temporarily become 'spam_lovers'.
+# To avoid surprises, whitelisted sender also suppresses inserting/editing
+# the tag2-level header fields (X-Spam-*, Subject), appending spam address
+# extension, and quarantining.
+
+# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
+# Effectively, for messages from blacklisted senders, spam level
+# is artificially pushed high, and the normal spam processing applies,
+# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual
+# reactions to spam, including possible rejection. If the message nevertheless
+# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
+# in the 'X-Spam-Status' header field, but the reported spam value and
+# set of tests in this report header field (if available from SpamAssassin,
+# which may have not been called) is not adjusted.
+#
+# A sender may be both white- and blacklisted at the same time, settings
+# are independent. For example, being both white- and blacklisted, message
+# is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No;
+# X-Spam-Status: No, ...), but the reported spam level (if computed) may
+# still indicate high spam score.
+#
+# If ALL recipients of the message either white- or blacklist the sender,
+# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
+#
+# The following variables (lookup tables) are available, with the semantics
+# and syntax as specified in README.lookups:
+#
+# %whitelist_sender, @whitelist_sender_acl, $whitelist_sender_re
+# %blacklist_sender, @blacklist_sender_acl, $blacklist_sender_re
+
+# SOME EXAMPLES:
+#
+#ACL:
+# @whitelist_sender_acl = qw( .example.com );
+#
+# @whitelist_sender_acl = ( ".$mydomain" ); # $mydomain and its subdomains
+# NOTE: This is not a reliable way of turning off spam checks for
+# locally-originating mail, as sender address can easily be faked.
+# To reliably avoid spam-scanning outgoing mail,
+# use @bypass_spam_checks_acl .
+
+#RE:
+# $whitelist_sender_re = new_RE(
+# qr'^postmaster@.*\bexample\.com$'i,
+# qr'owner-[^@]*@'i, qr'-request@'i,
+# qr'\.example\.com$'i );
+#
+$blacklist_sender_re = new_RE(
+ qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
+ qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
+ qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonl|smoking2002k)@'i,
+ qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
+ qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
+ qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
+);
+
+#HASH lookup variant:
+# NOTE: Perl operator qw splits its argument string by whitespace
+# and produces a list. This means that addresses can not contain
+# whitespace, and there is no provision for comments within the string.
+# You can use the normal Perl list syntax if you have special requirements,
+# e.g. map {...} ('one user@bla', '.second.com'), or use read_hash to read
+# addresses from a file.
+#
+
+# a hash lookup table can be read from a file,
+# one address per line, comments and empty lines are permitted:
+#
+# read_hash(\%whitelist_sender, '/var/amavis/whitelist_sender');
+read_hash(\%whitelist_sender, "$MYHOME/whitelist_sender");
+read_hash(\%blacklist_sender, "$MYHOME/blacklist_sender");
+
+# ... or set directly:
+map { $whitelist_sender{lc($_)}=1 } (qw(
+ nobody@cert.org
+ owner-alert@iss.net
+ slashdot@slashdot.org
+ bugtraq@securityfocus.com
+ NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
+ security-alerts@linuxsecurity.com
+ amavis-user-admin@lists.sourceforge.net
+ razor-users-admin@lists.sourceforge.net
+ notification-return@lists.sophos.com
+ mailman-announce-admin@python.org
+ zope-announce-admin@zope.org
+ owner-postfix-users@postfix.org
+ owner-postfix-announce@postfix.org
+ owner-sendmail-announce@lists.sendmail.org
+ sendmail-announce-request@lists.sendmail.org
+ ca+envelope@sendmail.org
+ owner-technews@postel.ACM.ORG
+ lvs-users-admin@LinuxVirtualServer.org
+ ietf-123-owner@loki.ietf.org
+ cvs-commits-list-admin@gnome.org
+ rt-users-admin@lists.fsck.com
+ owner-announce@mnogosearch.org
+ owner-hackers@ntp.org
+ owner-bugs@ntp.org
+ clp-request@comp.nus.edu.sg
+ surveys-errors@lists.nua.ie
+ emailNews@genomeweb.com
+ owner-textbreakingnews@CNNIMAIL12.CNN.COM
+ yahoo-dev-null@yahoo-inc.com
+));
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT
+
+# The same semantics as for global white/blacklisting applies, but this
+# time each recipient (or its domain, or subdomain, ...) can be given
+# an individual lookup table for matching senders. The per-recipient lookups
+# override the global lookups, which serve as a fallback default.
+
+# Specify a two-level lookup table: the key for the outer table is recipient,
+# and the result should be an inner lookup table (hash or ACL or RE),
+# where the key used will be the sender.
+#
+#$per_recip_blacklist_sender_lookup_tables = {
+# 'user1@my.example.com'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i),
+# 'user2@my.example.com'=>[qw( spammer@d1.example,org .d2.example,org )],
+#};
+#$per_recip_whitelist_sender_lookup_tables = {
+# 'user@my.example.com' => [qw( friend@example.org .other.example.org )],
+# '.my1.example.com' => [qw( !foe.other.example,org .other.example,org )],
+# '.my2.example.com' => read_hash('/var/amavis/my2-wl.dat'),
+# 'abuse@' => { 'postmaster@'=>1,
+# 'cert-advisory-owner@cert.org'=>1, 'owner-alert@iss.net'=>1 },
+#};
+
+
+#
+# Section VI - Resource limits
+#
+
+# Sanity limit to the number of allowed recipients per SMTP transaction
+# $smtpd_recipient_limit = 1000; # (default is 1000)
+
+
+# Resource limits to protect unpackers, decompressors and virus scanners
+# against mail bombs (e.g. 42.zip)
+
+# Maximum recursion level for extraction/decoding (0 or undef disables limit)
+$MAXLEVELS = 14; # (default is undef, no limit)
+
+# Maximum number of extracted files (0 or undef disables the limit)
+$MAXFILES = 1500; # (default is undef, no limit)
+
+# For the cumulative total of all decoded mail parts we set max storage size
+# to defend against mail bombs. Even though parts may be deleted (replaced
+# by decoded text) during decoding, the size they occupied is _not_ returned
+# to the quota pool.
+#
+# Parameters to storage quota formula for unpacking/decoding/decompressing
+# Formula:
+# quota = max($MIN_EXPANSION_QUOTA,
+# $mail_size*$MIN_EXPANSION_FACTOR,
+# min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR))
+# In plain words (later condition overrules previous ones):
+# allow MAX_EXPANSION_FACTOR times initial mail size,
+# but not more than MAX_EXPANSION_QUOTA,
+# but not less than MIN_EXPANSION_FACTOR times initial mail size,
+# but never less than MIN_EXPANSION_QUOTA
+#
+$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
+$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
+$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
+$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
+
+
+#
+# Section VII - External programs, virus scanners
+#
+
+# Specify a path string, which is a colon-separated string of directories
+# (no trailing slashes!) to be assigned to the environment variable PATH
+# and to serve for locating external programs below.
+
+# NOTE: if $daemon_chroot_dir is nonempty, the directories will be
+# relative to the chroot directory specified;
+
+$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
+
+# Specify one string or a search list of strings (first match wins).
+# The string (or: each string in a list) may be an absolute path,
+# or just a program name, to be located via $path;
+# Empty string or undef (=default) disables the use of that external program.
+# Optionally command arguments may be specified - only the first substring
+# up to the whitespace is used for file searching.
+
+$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
+
+$gzip = 'gzip';
+$bzip2 = 'bzip2';
+$lzop = 'lzop';
+$uncompress = ['uncompress', 'gzip -d', 'zcat'];
+$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
+$arc = ['nomarch', 'arc'];
+$unarj = ['arj', 'unarj']; # both can extract, arj is recommended
+$unrar = ['rar', 'unrar']; # both can extract, same options
+$zoo = 'zoo';
+$lha = 'lha';
+$cpio = 'cpio'; # comment out if cpio does not support GNU options
+
+
+# SpamAssassin settings
+
+# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
+# of the option local_tests_only. See Mail::SpamAssassin man page.
+# If set to 1, SA tests are restricted to local tests only, i.e. no tests
+# that require internet access will be performed.
+#
+#$sa_local_tests_only = 1; # (default: false)
+$sa_auto_whitelist = 1; # turn on AWL (default: false)
+
+# Timout for SpamAssassin. This is only used if spamassassin does NOT
+# override it (which it often does if sa_local_tests_only is not true)
+$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin
+ # (default is 30 seconds, undef disables it)
+
+# AWL (auto whitelisting), requires spamassassin 2.44 or better
+# $sa_auto_whitelist = 1; # defaults to undef
+
+$sa_mail_body_size_limit = 150*1024; # don't waste time on SA is mail is larger
+ # (less than 1% of spam is > 64k)
+ # default: undef, no limitations
+
+# default values, can be overridden by more specific lookups, e.g. SQL
+$sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 6.3; # add 'spam detected' headers at that level
+$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
+ # at or above that level: bounce/reject/drop,
+ # quarantine, and adding mail address extension
+
+$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
+ # effectively turning D_BOUNCE into D_DISCARD;
+ # undef disables this feature and is a default;
+
+#
+# The $sa_tag_level_deflt, $sa_tag2_level_deflt and $sa_kill_level_deflt
+# may also be hashrefs to hash lookup tables, to make static per-recipient
+# settings possible without having to resort to SQL or LDAP lookups.
+
+# a quick reference:
+# tag_level controls adding the X-Spam-Status and X-Spam-Level headers,
+# tag2_level controls adding 'X-Spam-Flag: YES', and editing Subject,
+# kill_level controls 'evasive actions' (reject, quarantine, extensions);
+# it only makes sense to maintain the relationship:
+# tag_level <= tag2_level <= kill_level < $sa_dsn_cutoff_level
+
+# string to prepend to Subject header field when message exceeds tag2 level
+$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
+ # (only seen when spam is not to be rejected
+ # and recipient is in local_domains*)
+
+#$sa_spam_modifies_subj = 1; # may be a ref to a lookup table, default is true
+# Example: modify Subject for all local recipients except user@example.com
+#$sa_spam_modifies_subj = [qw( !user@example.com . )];
+
+# stop anti-virus scanning when the first scanner detects a virus?
+$first_infected_stops_scan = 1; # default is false, all scanners are called
+
+# @av_scanners is a list of n-tuples, where fields semantics is:
+# 1. av scanner plain name, to be used in log and reports;
+# 2. scanner program name; this string will be submitted to subroutine
+# find_external_programs(), which will try to find the full program
+# path name; if program is not found, this scanner is disabled.
+# Besides a simple string (full program path name or just the basename
+# to be looked for in PATH), this may be an array ref of alternative
+# program names or full paths - the first match in the list will be used;
+# As a special case for more complex scanners, this field may be
+# a subroutine reference, and the whole n-tuple is passed to it as args.
+# 3. command arguments to be given to the scanner program;
+# a substring {} will be replaced by the directory name to be scanned,
+# i.e. "$tempdir/parts", a "*" will be replaced by file names of parts;
+# 4. an array ref of av scanner exit status values, or a regexp (to be
+# matched against scanner output), indicating NO VIRUSES found;
+# 5. an array ref of av scanner exit status values, or a regexp (to be
+# matched against scanner output), indicating VIRUSES WERE FOUND;
+# Note: the virus match prevails over a 'not found' match, so it is safe
+# even if the no. 4. matches for viruses too;
+# 6. a regexp (to be matched against scanner output), returning a list
+# of virus names found.
+# 7. and 8.: (optional) subroutines to be executed before and after scanner
+# (e.g. to set environment or current directory);
+# see examples for these at KasperskyLab AVP and Sophos sweep.
+
+# NOTES:
+#
+# - NOT DEFINING @av_scanners (e.g. setting it to empty list, or deleting the
+# whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE
+# (which can be handy if all you want to do is spam scanning);
+#
+# - the order matters: although _all_ available entries from the list are
+# always tried regardless of their verdict, scanners are run in the order
+# specified: the report from the first one detecting a virus will be used
+# (providing virus names and scanner output); REARRANGE THE ORDER TO WILL;
+#
+# - it doesn't hurt to keep an unused command line scanner entry in the list
+# if the program can not be found; the path search is only performed once
+# during the program startup;
+#
+# COROLLARY: to disable a scanner that _does_ exist on your system,
+# comment out its entry or use undef or '' as its program name/path
+# (second parameter). An example where this is almost a must: disable
+# Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl
+# (same for Trophie/vscan, and clamd/clamscan), or if another unrelated
+# program happens to have a name matching one of the entries ('sweep'
+# again comes to mind);
+#
+# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES
+# for interfacing (where the second parameter starts with \&).
+# Keeping such entry and not having a corresponding virus scanner daemon
+# causes an unnecessary connection attempt (which eventually times out,
+# but it wastes precious time). For this reason the daemonized entries
+# are commented in the distribution - just remove the '#' where needed.
+#
+# CERT list of av resources: http://www.cert.org/other_sources/viruses.html
+
+@av_scanners = (
+
+# ### http://www.vanja.com/tools/sophie/
+# ['Sophie',
+# \&ask_daemon, ["{}/\n", '/var/run/sophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
+# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
+
+# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
+['Sophos SAVI', \&sophos_savi ],
+
+### http://www.clamav.net/
+['Clam Antivirus-clamd',
+ \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
+ qr/\bOK$/, qr/\bFOUND$/,
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+# NOTE: run clamd under the same user as amavisd; match the socket
+# name (LocalSocket) in clamav.conf to the socket name in this entry
+# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
+
+# ### http://www.openantivirus.org/
+# ['OpenAntiVirus ScannerDaemon (OAV)',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
+# qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],
+
+# ### http://www.vanja.com/tools/trophie/
+# ['Trophie',
+# \&ask_daemon, ["{}/\n", '/var/run/trophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
+# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
+
+# ### http://www.grisoft.com/
+# ['AVG Anti-Virus',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
+# qr/^200/, qr/^403/, qr/^403 .*?: (.+)/ ],
+
+# ### http://www.f-prot.com/
+# ['FRISK F-Prot Daemon',
+# \&ask_daemon,
+# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
+# ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
+# '127.0.0.1:10203','127.0.0.1:10204'] ],
+# qr/(?i)<summary[^>]*>clean<\/summary>/,
+# qr/(?i)<summary[^>]*>infected<\/summary>/,
+# qr/(?i)<name>(.+)<\/name>/ ],
+
+ ['KasperskyLab AVP - aveclient',
+ ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
+ '/opt/kav/bin/aveclient','aveclient'],
+ '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
+ qr/(?:INFECTED|SUSPICION) (.+)/,
+ ],
+
+ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
+ '-* -P -B -Y -O- {}', [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
+ qr/infected: (.+)/,
+ sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
+ sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+ ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
+ ### products and replaced by aveserver and aveclient
+ ['KasperskyLab AVPDaemonClient',
+ [ '/opt/AVP/kavdaemon', 'kavdaemon',
+ '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
+ '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
+ '/opt/AVP/avpdc', 'avpdc' ],
+ "-f=$TEMPBASE {}", [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
+ qr/infected: ([^\r\n]+)/ ],
+ # change the startup-script in /etc/init.d/kavd to:
+ # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
+ # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
+ # adjusting /var/amavis above to match your $TEMPBASE.
+ # The '-f=/var/amavis' is needed if not running it as root, so it
+ # can find, read, and write its pid file, etc., see 'man kavdaemon'.
+ # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
+ # directory $TEMPBASE specifies) in the 'Names=' section.
+ # cd /opt/AVP/DaemonClients; configure; cd Sample; make
+ # cp AvpDaemonClient /opt/AVP/
+ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
+
+ ### http://www.hbedv.com/ or http://www.centralcommand.com/
+ ['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
+ ['antivir','vexira'],
+ '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
+ qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
+ (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
+ # NOTE: if you only have a demo version, remove -z and add 214, as in:
+ # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
+
+ ### http://www.commandsoftware.com/
+ ['Command AntiVirus for Linux', 'csav',
+ '-all -archive -packed {}', [50], [51,52,53],
+ qr/Infection: (.+)/ ],
+
+ ### http://www.symantec.com/
+ ['Symantec CarrierScan via Symantec CommandLineScanner',
+ 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
+ qr/^Files Infected:\s+0$/, qr/^Infected\b/,
+ qr/^(?:Info|Virus Name):\s+(.+)/ ],
+
+ ### http://www.symantec.com/
+ ['Symantec AntiVirus Scan Engine',
+ 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
+ [0], qr/^Infected\b/,
+ qr/^(?:Info|Virus Name):\s+(.+)/ ],
+ # NOTE: check options and patterns to see which entry better applies
+
+ ### http://www.sald.com/, http://drweb.imshop.de/
+ ['drweb - DrWeb Antivirus',
+ ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
+ '-path={} -al -go -ot -cn -upn -ok-',
+ [0,32], [1,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
+
+# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
+# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
+# [pack('N',1). # DRWEBD_SCAN_CMD
+# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
+# pack('N', # path length
+# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/part-xxxxx")).
+# '{}/*'. # path
+# pack('N',0). # content size
+# pack('N',0),
+# '/var/drweb/run/drwebd.sock',
+# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot
+# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
+# # '127.0.0.1:3000', # or over an inet socket
+# ],
+# qr/\A\x00(\x10|\x11)\x00\x00/s, # IS_CLEAN, EVAL_KEY
+# qr/\A\x00(\x00|\x01)\x00(\x20|\x40|\x80)/s, # KNOWN_V, UNKNOWN_V, V._MODIF
+# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s,
+# ],
+# # NOTE: If you are using amavis-milter, change length to:
+# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/part-xxxxx").
+
+ ### http://www.f-secure.com/products/anti-virus/
+ ['F-Secure Antivirus', 'fsav',
+ '--dumb --mime --archive {}', [0], [3,8],
+ qr/(?:infection|Infected|Suspected): (.+)/ ],
+
+ ['CAI InoculateIT', 'inocucmd',
+ '-sec -nex {}', [0], [100],
+ qr/was infected by virus (.+)/ ],
+
+ ['MkS_Vir for Linux (beta)', ['mks32','mks'],
+ '-s {}/*', [0], [1,2], # any use for options: -a -c ?
+ qr/--[ \t]*(.+)/ ],
+
+ ### http://www.nod32.com/
+ ['ESET Software NOD32', 'nod32',
+ '-all -subdir+ {}', [0], [1,2],
+ qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
+
+ ### http://www.nod32.com/
+ ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
+ '-a -r -d recurse --heur standard {}', [0], [10,11],
+ qr/^\S+\s+infected:\s+(.+)/ ],
+
+ ### http://www.norman.com/products_nvc.shtml
+ ['Norman Virus Control v5 / Linux', 'nvcc',
+ '-c -l:0 -s -u {}', [0], [1],
+ qr/(?i).* virus in .* -> \'(.+)\'/ ],
+
+ ### http://www.pandasoftware.com/
+ ['Panda Antivirus for Linux', ['pavcl'],
+ '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
+ qr/Number of files infected[ .]*: 0(?!\d)/,
+ qr/Number of files infected[ .]*: 0*[1-9]/,
+ qr/Found virus :\s*(\S+)/ ],
+
+# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
+# Check your RAV license terms before fiddling with the following two lines!
+# ['GeCAD RAV AntiVirus 8', 'ravav',
+# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
+# # NOTE: the command line switches changed with scan engine 8.5 !
+# # (btw, assigning stdin to /dev/null causes RAV to fail)
+
+ ### http://www.nai.com/
+ ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
+ '--secure -rv --mime --summary --noboot - {}', [0], [13],
+ qr/(?x) Found (?:
+ \ the\ (.+)\ (?:virus|trojan) |
+ \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
+ :\ (.+)\ NOT\ a\ virus)/,
+ # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
+ # sub {delete $ENV{LD_PRELOAD}},
+ ],
+ # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
+ # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
+ # and then clear it when finished to avoid confusing anything else.
+ # NOTE2: to treat encrypted files as viruses replace the [13] with:
+ # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
+
+ ### http://www.virusbuster.hu/en/
+ ['VirusBuster', ['vbuster', 'vbengcl'],
+ # VirusBuster Ltd. does not support the daemon version for the workstation
+ # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
+ # binaries, some parameters AND return codes (from 3 to 1) changed.
+ "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
+ qr/: '(.*)' - Virus/ ],
+
+# ### http://www.virusbuster.hu/en/
+# ['VirusBuster (Client + Daemon)', 'vbengd',
+# # HINT: for an infected file it returns always 3,
+# # although the man-page tells a different story
+# '-f -log scandir {}', [0], [3],
+# qr/Virus found = (.*);/ ],
+
+ ### http://www.cyber.com/
+ ['CyberSoft VFind', 'vfind',
+ '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
+ # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
+ ],
+
+ ### http://www.ikarus-software.com/
+ ['Ikarus AntiVirus for Linux', 'ikarus',
+ '{}', [0], [40], qr/Signature (.+) found/ ],
+
+ ### http://www.bitdefender.com/
+ ['BitDefender', 'bdc',
+ '--all --arc --mail {}', qr/^Infected files *:0(?!\d)/,
+ qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
+ qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
+);
+
+# If no virus scanners from the @av_scanners list produce 'clean' nor
+# 'infected' status (e.g. they all fail to run or the list is empty),
+# then _all_ scanners from the @av_scanners_backup list are tried.
+# When there are both daemonized and command-line scanners available,
+# it is customary to place slower command-line scanners in the
+# @av_scanners_backup list. The default choice is somewhat arbitrary,
+# move entries from one list to another as desired.
+
+@av_scanners_backup = (
+
+ ### http://www.clamav.net/
+ ['Clam Antivirus - clamscan', 'clamscan',
+ "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+
+ ### http://www.f-prot.com/
+ ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
+ '-dumb -archive -packed {}', [0,8], [3,6],
+ qr/Infection: (.+)/ ],
+
+ ### http://www.trendmicro.com/
+ ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
+ '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
+
+ ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
+ '-i1 -xp {}', [0,10,15], [5,20,21,25],
+ qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
+ sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
+ sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+# Commented out because the name 'sweep' clashes with the Debian package of
+# the same name. Make sure the correct sweep is found in the path when enabling
+#
+# ### http://www.sophos.com/
+# ['Sophos Anti Virus (sweep)', 'sweep',
+# '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}',
+# [0,2], qr/Virus .*? found/,
+# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/,
+# ],
+# # other options to consider: -mime -oe -idedir=/usr/local/sav
+
+# always succeeds (uncomment to consider mail clean if all other scanners fail)
+['always-clean', sub {0}],
+
+);
+
+
+#
+# Section VIII - Debugging
+#
+
+# The most useful debugging tool is to run amavisd-new non-detached
+# from a terminal window:
+# amavisd debug
+
+# Some more refined approaches:
+
+# If sender matches ACL, turn log level fully up, just for this one message,
+# and preserve temporary directory
+#@debug_sender_acl = ( "test-sender\@$mydomain" );
+#@debug_sender_acl = qw( debug@example.com );
+
+# May be useful along with @debug_sender_acl:
+# Prevent all decoded originals being deleted (replaced by decoded part)
+#$keep_decoded_original_re = new_RE( qr/.*/ );
+
+# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
+#$sa_debug = 1; # defaults to false
+
+#-------------
+1; # insure a defined return
--- /dev/null
+use strict;
+
+# Configuration file for amavisd-new
+# Defaults modified for the Debian amavisd-new package
+# $Id: amavisd.conf,v 1.27.2.2 2004/11/18 23:27:55 hmh Exp $
+#
+# This software is licensed under the GNU General Public License (GPL).
+# See comments at the start of amavisd-new for the whole license text.
+
+#Sections:
+# Section I - Essential daemon and MTA settings
+# Section II - MTA specific
+# Section III - Logging
+# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
+# Section V - Per-recipient and per-sender handling, whitelisting, etc.
+# Section VI - Resource limits
+# Section VII - External programs, virus scanners, SpamAssassin
+# Section VIII - Debugging
+
+#GENERAL NOTES:
+# This file is a normal Perl code, interpreted by Perl itself.
+# - make sure this file (or directory where it resides) is NOT WRITABLE
+# by mere mortals (not even vscan/amavis; best to make it owned by root),
+# otherwise it represents a severe security risk!
+# - for values which are interpreted as booleans, it is recommended
+# to use 1 for true, undef for false.
+# THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "no" also meant false,
+# now it means true, like any nonempty string does!
+# - Perl syntax applies. Most notably: strings in "" may include variables
+# (which start with $ or @); to include characters @ and $ in double
+# quoted strings, precede them by a backslash; in single-quoted strings
+# the $ and @ lose their special meaning, so it is usually easier to use
+# single quoted strings (or qw operator) for e-mail addresses.
+# Still, in both cases a backslash needs to be doubled.
+# - variables with names starting with a '@' are lists, the values assigned
+# to them should be lists as well, e.g. ('one@foo', $mydomain, "three");
+# note the comma-separation and parenthesis. If strings in the list
+# do not contain spaces nor variables, a Perl operator qw() may be used
+# as a shorthand to split its argument on whitespace and produce a list
+# of strings, e.g. qw( one@foo example.com three ); Note that the argument
+# to qw is quoted implicitly and no variable interpretation is done within
+# (no '$' variable evaluations). The #-initiated comments can NOT be used
+# within a string. In other words, $ and # lose their special meaning
+# within a qw argument, just like within '...' strings.
+# - all e-mail addresses in this file and as used internally by the daemon
+# are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.
+# Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com
+# and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'.
+# - the term 'default value' in examples below refers to the value of a
+# variable pre-assigned to it by the program; any explicit assignment
+# to a variable in this configuration file overrides the default value;
+
+
+#
+# Section I - Essential daemon and MTA settings
+#
+
+# $MYHOME serves as a quick default for some other configuration settings.
+# More refined control is available with each individual setting further down.
+# $MYHOME is not used directly by the program. No trailing slash!
+$MYHOME = '/var/lib/amavis'; # (default is '/var/amavis')
+
+# $mydomain serves as a quick default for some other configuration settings.
+# More refined control is available with each individual setting further down.
+# $mydomain is never used directly by the program.
+$mydomain = '_CN_DOMAIN_'; # (no useful default)
+
+# $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3)
+
+# Set the user and group to which the daemon will change if started as root
+# (otherwise just keeps the UID unchanged, and these settings have no effect):
+$daemon_user = 'amavis'; # (no default (undef))
+$daemon_group = 'amavis'; # (no default (undef))
+
+# Runtime working directory (cwd), and a place where
+# temporary directories for unpacking mail are created.
+# if you change this, you might want to modify the cleanup()
+# function in /etc/init.d/amavisd-new
+# (no trailing slash, may be a scratch file system)
+$TEMPBASE = $MYHOME; # (must be set if other config vars use is)
+#$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?
+
+# $helpers_home sets environment variable HOME, and is passed as option
+# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory
+# on a normal persistent file system, not a scratch or temporary file system
+#$helpers_home = $MYHOME; # (defaults to $MYHOME)
+
+# Run the daemon in the specified chroot jail if nonempty:
+#$daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot)
+
+$pid_file = "/var/run/amavis/amavisd.pid"; # (default: "$MYHOME/amavisd.pid")
+$lock_file = "/var/run/amavis/amavisd.lock"; # (default: "$MYHOME/amavisd.lock")
+
+# set environment variables if you want (no defaults):
+$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory
+#...
+
+
+# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,
+# both $forward_method and $notify_method default to 'smtp:127.0.0.1:10025'
+
+# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
+# (set host and port number as required; host can be specified
+# as IP address or DNS name (A or CNAME, but MX is ignored)
+#$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
+#$notify_method = $forward_method; # where to submit notifications
+
+# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
+# uncomment the appropriate settings below if using other setups!
+
+# SENDMAIL MILTER, using amavis-milter.c helper program:
+# SEE amavisd-new-milter package docs FOR DEBIAN INSTRUCTIONS
+$forward_method = undef; # no explicit forwarding, sendmail does it by itself
+# milter; option -odd is needed to avoid deadlocks
+$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
+# just a thought: can we use use -Am instead of -odd ?
+
+# SENDMAIL (old non-milter setup, as relay):
+#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';
+#$notify_method = $forward_method;
+
+# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent):
+#$forward_method = undef; # no explicit forwarding, amavis.c will call LDA
+#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';
+
+# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
+#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';
+#$notify_method = $forward_method;
+
+# prefer to collect mail for forwarding as BSMTP files?
+#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";
+#$notify_method = $forward_method;
+
+
+# Net::Server pre-forking settings
+# You may want $max_servers to match the width of your MTA pipe
+# feeding amavisd, e.g. with Postfix the 'Max procs' field in the
+# master.cf file, like the '2' in the: smtp-amavis unix - - n - 2 smtp
+#
+$max_servers = 2; # number of pre-forked children (default 2)
+$max_requests = 10; # retire a child after that many accepts (default 10)
+
+$child_timeout=5*60; # abort child if it does not complete each task in n sec
+ # (default: 8*60 seconds)
+
+# Check also the settings of @av_scanners at the end if you want to use
+# virus scanners. If not, you may want to delete the whole long assignment
+# to the variable @av_scanners, which will also remove the virus checking
+# code (e.g. if you only want to do spam scanning).
+
+# Here is a QUICK WAY to completely DISABLE some sections of code
+# that WE DO NOT WANT (it won't even be compiled-in).
+# For more refined controls leave the following two lines commented out,
+# and see further down what these two lookup lists really mean.
+#
+# @bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code
+# @bypass_spam_checks_acl = qw( . ); # uncomment to DISABLE anti-spam code
+#
+# Any setting can be changed with a new assignment, so make sure
+# you do not unintentionally override these settings further down!
+
+# Lookup list of local domains (see README.lookups for syntax details)
+#
+# NOTE:
+# For backwards compatibility the variable names @local_domains (old) and
+# @local_domains_acl (new) are synonyms. For consistency with other lookups
+# the name @local_domains_acl is now preferred. It also makes it more
+# obviously distinct from the new %local_domains hash lookup table.
+#
+# local_domains* lookup tables are used in deciding whether a recipient
+# is local or not, or in other words, if the message is outgoing or not.
+# This affects inserting spam-related headers for local recipients,
+# limiting recipient virus notifications (if enabled) to local recipients,
+# in deciding if address extension may be appended, and in SQL lookups
+# for non-fqdn addresses. Set it up correctly if you need features
+# that rely on this setting (or just leave empty otherwise).
+#
+# With Postfix (2.0) a quick reminder on what local domains normally are:
+# a union of domains specified in: $mydestination, $virtual_alias_domains,
+# $virtual_mailbox_domains, and $relay_domains.
+#
+#@local_domains_acl = ( ".$mydomain" ); # $mydomain and its subdomains
+# @local_domains_acl = ( ".$mydomain", "my.other.domain" );
+# @local_domains_acl = qw(); # default is empty, no recipient treated as local
+# @local_domains_acl = qw( .example.com );
+# @local_domains_acl = qw( .example.com !host.sub.example.net .sub.example.net );
+@local_domains_acl = ( "$mydomain", ".$mydomain" );
+
+# or alternatively(A), using a Perl hash lookup table, which may be assigned
+# directly, or read from a file, one domain per line; comments and empty lines
+# are ignored, a dot before a domain name implies its subdomains:
+#
+#read_hash(\%local_domains, '/etc/amavis/local_domains');
+
+#or alternatively(B), using a list of regular expressions:
+# $local_domains_re = new_RE( qr'[@.]example\.com$'i );
+#
+# see README.lookups for syntax and semantics
+
+
+#
+# Section II - MTA specific (defaults should be ok)
+#
+
+# if $relayhost_is_client is true, the IP address in $notify_method and
+# $forward_method is dynamically overridden with SMTP client peer address
+# (if available), which makes it possible for several hosts to share one
+# daemon. The static port number is also overridden, and is dynamically
+# calculated as being one above the incoming SMTP/LMTP session port number.
+#
+# These are logged at level 3, so enable logging until you know you got it
+# right.
+$relayhost_is_client = 0; # (defaults to false)
+
+$insert_received_line = 1; # behave like MTA: insert 'Received:' header
+ # (does not apply to sendmail/milter)
+ # (default is true (1) )
+
+# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)
+# (used with amavis helper clients like amavis-milter.c and amavis.c,
+# NOT needed for Postfix and Exim or dual-sendmail - keep it undefined.)
+$unix_socketname = "/var/lib/amavis/amavisd.sock"; # amavis helper protocol socket
+#$unix_socketname = undef; # disable listening on a unix socket
+ # (default is undef, i.e. disabled)
+
+# Do we receive quoted or raw addresses from the helper program?
+# (does not apply to SMTP; defaults to true)
+#$gets_addr_in_quoted_form = 1; # "Bob \"Funny\" Dude"@example.com
+#$gets_addr_in_quoted_form = 0; # Bob "Funny" Dude@example.com
+
+
+
+# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
+# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
+#$inet_socket_port = 10024; # accept SMTP on this local TCP port
+ # (default is undef, i.e. disabled)
+# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];
+
+# SMTP SERVER (INPUT) access control
+# - do not allow free access to the amavisd SMTP port !!!
+#
+# when MTA is at the same host, use the following (one or the other or both):
+#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
+ # (default is '127.0.0.1')
+#@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
+ # (default is qw( 127.0.0.1 ) )
+
+# when MTA (one or more) is on a different host, use the following:
+# @inet_acl = qw(127/8 10.1.0.1 10.1.0.2); # adjust the list as appropriate
+# $inet_socket_bind = undef; # bind to all IP interfaces if undef
+#
+# Example1:
+# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
+# permit only SMTP access from loopback and rfc1918 private address space
+#
+# Example2:
+# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
+# 127.0.0.1 10/8 172.16/12 192.168/16 );
+# matches loopback and rfc1918 private address space except host 192.168.1.12
+# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
+#
+# Example3:
+# @inet_acl = qw( 127/8
+# !172.16.3.0 !172.16.3.127 172.16.3.0/25
+# !172.16.3.128 !172.16.3.255 172.16.3.128/25 );
+# matches loopback and both halves of the 172.16.3/24 C-class,
+# split into two subnets, except all four broadcast addresses
+# for these subnets
+#
+# See README.lookups for details on specifying access control lists.
+
+
+#
+# Section III - Logging
+#
+
+# true (e.g. 1) => syslog; false (e.g. 0) => logging to file
+$DO_SYSLOG = 1; # (defaults to false)
+#$SYSLOG_LEVEL = 'user.info'; # (facility.priority, default 'mail.info')
+
+# Log file (if not using syslog)
+$LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log)
+
+#NOTE: levels are not strictly observed and are somewhat arbitrary
+# 0: startup/exit/failure messages, viruses detected
+# 1: args passed from client, some more interesting messages
+# 2: virus scanner output, timing
+# 3: server, client
+# 4: decompose parts
+# 5: more debug details
+#$log_level = 2; # (defaults to 0)
+
+# Customizable template for the most interesting log file entry (e.g. with
+# $log_level=0) (take care to properly quote Perl special characters like '\')
+# For a list of available macros see README.customize .
+
+# only log infected messages (useful with log level 0):
+# $log_templ = '[? %#V |[? %#F ||banned filename ([%F|,])]|infected ([%V|,])]#
+# [? %#V |[? %#F ||, from=[?%o|(?)|<%o>], to=[<%R>|,][? %i ||, quarantine %i]]#
+# |, from=[?%o|(?)|<%o>], to=[<%R>|,][? %i ||, quarantine %i]]';
+
+# log both infected and noninfected messages (default):
+$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
+[?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
+
+
+#
+# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
+#
+
+# Select notifications text encoding when Unicode-aware Perl is converting
+# text from internal character representation to external encoding (charset
+# in MIME terminology). Used as argument to Perl Encode::encode subroutine.
+#
+# to be used in RFC 2047-encoded header field bodies, e.g. in Subject:
+#$hdr_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
+#
+# to be used in notification body text: its encoding and Content-type.charset
+#$bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
+
+# Default template texts for notifications may be overruled by directly
+# assigning new text to template variables, or by reading template text
+# from files. A second argument may be specified in a call to read_text(),
+# specifying character encoding layer to be used when reading from the
+# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.
+# Text will be converted to internal character representation by Perl 5.8.0
+# or later; second argument is ignored otherwise. See PerlIO::encoding,
+# Encode::PerlIO and perluniintro man pages.
+#
+# $notify_sender_templ = read_text('/var/amavis/notify_sender.txt');
+# $notify_virus_sender_templ= read_text('/var/amavis/notify_virus_sender.txt');
+# $notify_virus_admin_templ = read_text('/var/amavis/notify_virus_admin.txt');
+# $notify_virus_recips_templ= read_text('/var/amavis/notify_virus_recips.txt');
+# $notify_spam_sender_templ = read_text('/var/amavis/notify_spam_sender.txt');
+# $notify_spam_admin_templ = read_text('/var/amavis/notify_spam_admin.txt');
+
+# If notification template files are collectively available in some directory,
+# use read_l10n_templates which calls read_text for each known template.
+#
+# read_l10n_templates('/etc/amavis/en_US');
+#
+# Debian available locales: en_US, pt_BR, de_DE, it_IT
+read_l10n_templates('en_US', '/etc/amavis');
+
+
+# Here is an overall picture (sequence of events) of how pieces fit together
+# (only virus controls are shown, spam controls work the same way):
+#
+# bypass_virus_checks? ==> PASS
+# no viruses? ==> PASS
+# log virus if $log_templ is nonempty
+# quarantine if $virus_quarantine_to is nonempty
+# notify admin if $virus_admin (lookup) nonempty
+# notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
+# add address extensions if adding extensions is enabled and virus will pass
+# send (non-)delivery notifications
+# to sender if DSN needed (BOUNCE or ($warn_virus_sender and D_PASS))
+# virus_lovers or final_destiny==D_PASS ==> PASS
+# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
+#
+# Equivalent flow diagram applies for spam checks.
+# If a virus is detected, spam checking is skipped entirely.
+
+# The following symbolic constants can be used in *destiny settings:
+#
+# D_PASS mail will pass to recipients, regardless of bad contents;
+#
+# D_DISCARD mail will not be delivered to its recipients, sender will NOT be
+# notified. Effectively we lose mail (but will be quarantined
+# unless disabled). Losing mail is not decent for a mailer,
+# but might be desired.
+#
+# D_BOUNCE mail will not be delivered to its recipients, a non-delivery
+# notification (bounce) will be sent to the sender by amavisd-new;
+# Exception: bounce (DSN) will not be sent if a virus name matches
+# $viruses_that_fake_sender_re, or to messages from mailing lists
+# (Precedence: bulk|list|junk);
+#
+# D_REJECT mail will not be delivered to its recipients, sender should
+# preferably get a reject, e.g. SMTP permanent reject response
+# (e.g. with milter), or non-delivery notification from MTA
+# (e.g. Postfix). If this is not possible (e.g. different recipients
+# have different tolerances to bad mail contents and not using LMTP)
+# amavisd-new sends a bounce by itself (same as D_BOUNCE).
+#
+# Notes:
+# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
+# for informing the sender about non-delivery, and how informative
+# the notification can be (amavisd-new knows more than MTA);
+# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
+# notification, colloquially called 'bounce') - depending on MTA;
+# Best suited for sendmail milter, especially for spam.
+# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
+# reason for mail non-delivery, but unable to reject the original
+# SMTP session). Best suited to reporting viruses, and for Postfix
+# and other dual-MTA setups, which can't reject original client SMTP
+# session, as the mail has already been enqueued.
+
+$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
+$final_banned_destiny = D_REJECT; # (defaults to D_BOUNCE)
+$final_spam_destiny = D_REJECT; # (defaults to D_REJECT)
+$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
+
+# Alternatives to consider for spam:
+# - use D_PASS if clients will do filtering based on inserted mail headers;
+# - use D_DISCARD, if kill_level is set safely high;
+# - use D_BOUNCE instead of D_REJECT if not using milter;
+#
+# D_BOUNCE is preferred for viruses, but consider:
+# - use D_DISCARD to avoid bothering the rest of the network, it is hopeless
+# to try to keep up with the viruses that faker the envelope sender anyway,
+# and bouncing only increases the network cost of viruses for everyone
+# - use D_PASS (or virus_lovers) and $warnvirussender=1 to deliver viruses;
+# - use D_REJECT instead of D_BOUNCE if using milter and under heavy
+# virus storm;
+#
+# Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped
+# to D_BOUNCE.
+#
+# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD
+# and D_PASS made settings $warnvirussender and $warnspamsender only still
+# useful with D_PASS.
+
+# The following $warn*sender settings are ONLY used when mail is
+# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).
+# Bounces or rejects produce non-delivery status notification anyway.
+
+# Notify virus sender?
+#$warnvirussender = 1; # (defaults to false (undef))
+
+# Notify spam sender?
+#$warnspamsender = 1; # (defaults to false (undef))
+
+# Notify sender of banned files?
+#$warnbannedsender = 1; # (defaults to false (undef))
+
+# Notify sender of syntactically invalid header containing non-ASCII characters?
+#$warnbadhsender = 1; # (defaults to false (undef))
+
+# Notify virus (or banned files) RECIPIENT?
+# (not very useful, but some policies demand it)
+#$warnvirusrecip = 1; # (defaults to false (undef))
+#$warnbannedrecip = 1; # (defaults to false (undef))
+
+# Notify also non-local virus/banned recipients if $warn*recip is true?
+# (including those not matching local_domains*)
+#$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals)
+
+
+# Treat envelope sender address as unreliable and don't send sender
+# notification / bounces if name(s) of detected virus(es) match the list.
+# Note that virus names are supplied by external virus scanner(s) and are
+# not standardized, so virus names may need to be adjusted.
+# See README.lookups for syntax, check also README.policy-on-notifications
+#
+$viruses_that_fake_sender_re = new_RE(
+ qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
+ qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
+ qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
+ qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
+ qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
+ qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
+ [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
+ [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
+ [qr/.*/ => 1], # true by default (remove or comment-out if undesired)
+);
+
+# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)
+# - the administrator address may be a simple fixed e-mail address (a scalar),
+# or may depend on the SENDER address (e.g. its domain), in which case
+# a ref to a hash table can be specified (specify lower-cased keys,
+# dot is a catchall, see README.lookups).
+#
+# Empty or undef lookup disables virus admin notifications.
+
+# $virus_admin = undef; # do not send virus admin notifications (default)
+# $virus_admin = {'not.example.com' => '', '.' => 'virusalert@example.com'};
+# $virus_admin = 'virus-admin@example.com';
+#$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
+$virus_admin = "virusalert\@$mydomain"; # due to D_DISCARD default
+
+# equivalent to $virus_admin, but for spam admin notifications:
+# $spam_admin = "spamalert\@$mydomain";
+# $spam_admin = undef; # do not send spam admin notifications (default)
+# $spam_admin = {'not.example.com' => '', '.' => 'spamalert@example.com'};
+
+#advanced example, using a hash lookup table:
+#$virus_admin = {
+# 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com',
+# '.sub1.example.com' => 'virusalert@sub1.example.com',
+# '.sub2.example.com' => '', # don't send admin notifications
+# 'a.sub3.example.com' => 'abuse@sub3.example.com',
+# '.sub3.example.com' => 'virusalert@sub3.example.com',
+# '.example.com' => 'noc@example.com', # catchall for our virus senders
+# '.' => 'virusalert@hq.example.com', # catchall for the rest
+#};
+
+
+# whom notification reports are sent from (ENVELOPE SENDER);
+# may be a null reverse path, or a fully qualified address:
+# (admin and recip sender addresses default to $mailfrom
+# for compatibility, which in turn defaults to undef (empty) )
+# If using strings in double quotes, don't forget to quote @, i.e. \@
+#
+$mailfrom_notify_admin = "virusalert\@$mydomain";
+$mailfrom_notify_recip = "virusalert\@$mydomain";
+$mailfrom_notify_spamadmin = "spamalert\@$mydomain";
+
+# 'From' HEADER FIELD for sender and admin notifications.
+# This should be a replyable address, see rfc1894. Not to be confused
+# with $mailfrom_notify_sender, which is the envelope return address
+# and should be empty (null reverse path) according to rfc2821.
+#
+# The syntax of the 'From' header field is specified in rfc2822, section
+# '3.4. Address Specification'. Note in particular that display-name must be
+# a quoted-string if it contains any special characters like spaces and dots.
+#
+# $hdrfrom_notify_sender = "amavisd-new <postmaster\@$mydomain>";
+# $hdrfrom_notify_sender = 'amavisd-new <postmaster@example.com>';
+# $hdrfrom_notify_sender = '"Content-Filter Master" <postmaster@example.com>';
+# (defaults to: "amavisd-new <postmaster\@$myhostname>")
+# $hdrfrom_notify_admin = $mailfrom_notify_admin;
+# (defaults to: $mailfrom_notify_admin)
+# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;
+# (defaults to: $mailfrom_notify_spamadmin)
+
+# whom quarantined messages appear to be sent from (envelope sender);
+# keeps original sender if undef, or set it explicitly, default is undef
+$mailfrom_to_quarantine = ''; # override sender address with null return path
+
+
+# Location to put infected mail into: (applies to 'local:' quarantine method)
+# empty for not quarantining, may be a file (mailbox),
+# or a directory (no trailing slash)
+# (the default value is undef, meaning no quarantine)
+#
+$QUARANTINEDIR = '/var/lib/amavis/virusmails';
+
+#$virus_quarantine_method = "local:virus-%i-%n"; # default
+#$spam_quarantine_method = "local:spam-%b-%i-%n"; # default
+#
+#use the new 'bsmtp:' method as an alternative to the default 'local:'
+#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%i-%n.bsmtp";
+#$spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%b-%i-%n.bsmtp";
+
+# When using the 'local:' quarantine method (default), the following applies:
+#
+# A finer control of quarantining is available through variable
+# $virus_quarantine_to/$spam_quarantine_to. It may be a simple scalar string,
+# or a ref to a hash lookup table, or a regexp lookup table object,
+# which makes possible to set up per-recipient quarantine addresses.
+#
+# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a
+# per-recipient lookup result from the hash table %$virus_quarantine_to)
+# is/are interpreted as follows:
+#
+# VARIANT 1:
+# empty or undef disables quarantine;
+#
+# VARIANT 2:
+# a string NOT containing an '@';
+# amavisd will behave as a local delivery agent (LDA) and will quarantine
+# viruses to local files according to hash %local_delivery_aliases (pseudo
+# aliases map) - see subroutine mail_to_local_mailbox() for details.
+# Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'.
+# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:
+#
+# * if $QUARANTINEDIR is a directory, each quarantined virus will go
+# to a separate file in the $QUARANTINEDIR directory (traditional
+# amavis style, similar to maildir mailbox format);
+#
+# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style
+# mailbox. All quarantined messages will be appended to this file.
+# Amavisd child process must obtain an exclusive lock on the file during
+# delivery, so this may be less efficient than using individual files
+# or forwarding to MTA, and it may not work across NFS or other non-local
+# file systems (but may be handy for pickup of quarantined files via IMAP
+# for example);
+#
+# VARIANT 3:
+# any email address (must contain '@').
+# The e-mail messages to be quarantined will be handed to MTA
+# for delivery to the specified address. If a recipient address local to MTA
+# is desired, you may leave the domain part empty, e.g. 'infected@', but the
+# '@' character must nevertheless be included to distinguish it from variant 2.
+#
+# This method enables more refined delivery control made available by MTA
+# (e.g. its aliases file, other local delivery agents, dealing with
+# privileges and file locking when delivering to user's mailbox, nonlocal
+# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined
+# will not be handed back to amavisd for checking, as this will cause a loop
+# (hopefully broken at some stage)! If this can be assured, notifications
+# will benefit too from not being unnecessarily virus-scanned.
+#
+# By default this is safe to do with Postfix and Exim v4 and dual-sendmail
+# setup, but probably not safe with sendmail milter interface without
+# precaution.
+
+# (the default value is undef, meaning no quarantine)
+
+$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
+#$virus_quarantine_to = 'infected@'; # forward to MTA for delivery
+#$virus_quarantine_to = "virus-quarantine\@$mydomain"; # similar
+#$virus_quarantine_to = 'virus-quarantine@example.com'; # similar
+#$virus_quarantine_to = undef; # no quarantine
+#
+#$virus_quarantine_to = new_RE( # per-recip multiple quarantines
+# [qr'^user@example\.com$'i => 'infected@'],
+# [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],
+# [qr'^(.*)(@[^@])?$'i => 'virus-${1}${2}'],
+# [qr/.*/ => 'virus-quarantine'] );
+
+# similar for spam
+# (the default value is undef, meaning no quarantine)
+#
+$spam_quarantine_to = 'spam-quarantine';
+#$spam_quarantine_to = "spam-quarantine\@$mydomain";
+#$spam_quarantine_to = new_RE( # per-recip multiple quarantines
+# [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'],
+# [qr/.*/ => 'spam-quarantine'] );
+
+# In addition to per-recip quarantine, a by-sender lookup is possible. It is
+# similar to $spam_quarantine_to, but the lookup key is the sender address:
+#$spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine
+
+
+# Add X-Virus-Scanned header field to mail?
+$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)
+# Leave empty to add no header # (default: undef)
+$X_HEADER_LINE = "by $myversion (Debian) at $mydomain";
+
+# a string to prepend to Subject (for local recipients only) if mail could
+# not be decoded or checked entirely, e.g. due to password-protected archives
+$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
+
+$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
+#$remove_existing_x_scanned_headers= 1; # remove existing headers
+ # (defaults to false)
+#$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
+$remove_existing_spam_headers = 1; # remove existing spam headers if
+ # spam scanning is enabled (default)
+
+# set $bypass_decode_parts to true if you only do spam scanning, or if you
+# have a good virus scanner that can deal with compression and recursively
+# unpacking archives by itself, and save amavisd the trouble.
+# Disabling decoding also causes banned_files checking to only see
+# MIME names and MIME content types, not the content classification types
+# as provided by the file(1) utility.
+# It is a double-edged sword, make sure you know what you are doing!
+#
+#$bypass_decode_parts = 1; # (defaults to false)
+
+# don't trust this file type or corresponding unpacker for this file type,
+# keep both the original and the unpacked file for a virus checker to see
+# (lookup key is what file(1) utility returned):
+#
+$keep_decoded_original_re = new_RE(
+# qr'^MAIL$', # retain full original message for virus checking (can be slow)
+ qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
+ qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+# qr'^Zip archive data',
+);
+
+# Checking for banned MIME types and names. If any mail part matches,
+# the whole mail is rejected, much like the way viruses are handled.
+# A list in object $banned_filename_re can be defined to provide a list
+# of Perl regular expressions to be matched against each part's:
+#
+# * Content-Type value (both declared and effective mime-type),
+# including the possible security risk content types
+# message/partial and message/external-body, as specified by rfc2046;
+#
+# * declared (i.e. recommended) file names as specified by MIME subfields
+# Content-Disposition.filename and Content-Type.name, both in their
+# raw (encoded) form and in rfc2047-decoded form if applicable;
+#
+# * file content type as guessed by 'file' utility, both the raw
+# result from 'file', as well as short type name, classified
+# into names such as .asc, .txt, .html, .doc, .jpg, .pdf,
+# .zip, .exe, ... - see subroutine determine_file_types().
+# This step is done only if $bypass_decode_parts is not true.
+#
+# * leave $banned_filename_re undefined to disable these checks
+# (giving an empty list to new_RE() will also always return false)
+
+$banned_filename_re = new_RE(
+# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
+ qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # some double extensions
+ qr'[{}]', # curly braces in names (serve as Class ID extensions - CLSID)
+# qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
+# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
+# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
+# vbe|vbs|wsc|wsf|wsh)$'ix, # banned extension - long
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
+# qr'^\.(zip|lha|tnef|cab)$'i, # banned file(1) types
+# qr'^\.exe$'i, # banned file(1) types
+# qr'^application/x-msdownload$'i, # banned MIME types
+# qr'^application/x-msdos-program$'i,
+ qr'^message/partial$'i, # rfc2046. this one is deadly for Outcrook
+# qr'^message/external-body$'i, # block rfc2046
+);
+# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
+# and http://www.cknow.com/vtutor/vtextensions.htm
+
+# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe',
+# as well as any file name which happens to end with .exe. If only matching
+# a file name is desired, but not the short name, a pattern qr'.\.exe$'i
+# or similar may be used, which requires that at least one character precedes
+# the '.exe', and so it will never match short file types, which always start
+# with a dot.
+
+
+#
+# Section V - Per-recipient and per-sender handling, whitelisting, etc.
+#
+
+# %virus_lovers, @virus_lovers_acl and $virus_lovers_re lookup tables:
+# (these should be considered policy options, they do not disable checks,
+# see bypass*checks for that!)
+#
+# Exclude certain RECIPIENTS from virus filtering by adding their lower-cased
+# envelope e-mail address (or domain only) to the hash %virus_lovers, or to
+# the access list @virus_lovers_acl - see README.lookups and examples.
+# Make sure the appropriate form (e.g. external/internal) of address
+# is used in case of virtual domains, or when mapping external to internal
+# addresses, etc. - this is MTA-specific.
+#
+# Notifications would still be generated however (see the overall
+# picture above), and infected mail (if passed) gets additional header:
+# X-AMaViS-Alert: INFECTED, message contains virus: ...
+# (header not inserted with milter interface!)
+#
+# NOTE (milter interface only): in case of multiple recipients,
+# it is only possible to drop or accept the message in its entirety - for all
+# recipients. If all of them are virus lovers, we'll accept mail, but if
+# at least one recipient is not a virus lover, we'll discard the message.
+
+
+# %bypass_virus_checks, @bypass_virus_checks_acl and $bypass_virus_checks_re
+# lookup tables:
+# (this is mainly a time-saving option, unlike virus_lovers* !)
+#
+# Similar in concept to %virus_lovers, a hash %bypass_virus_checks,
+# access list @bypass_virus_checks_acl and regexp list $bypass_virus_checks_re
+# are used to skip entirely the decoding, unpacking and virus checking,
+# but only if ALL recipients match the lookup.
+#
+# %bypass_virus_checks/@bypass_virus_checks_acl/$bypass_virus_checks_re
+# do NOT GUARANTEE the message will NOT be checked for viruses - this may
+# still happen when there is more than one recipient for a message, and
+# not all of them match these lookup tables. To guarantee virus delivery,
+# a recipient must also match %virus_lovers/@virus_lovers_acl lookups
+# (but see milter limitations above),
+
+# NOTE: it would not be clever to base virus checks on SENDER address,
+# since there are no guarantees that it is genuine. Many viruses
+# and spam messages fake sender address. To achieve selective filtering
+# based on the source of the mail (e.g. IP address, MTA port number, ...),
+# use mechanisms provided by MTA if available.
+
+
+# Similar to lookup tables controlling virus checking, there exist
+# spam scanning, banned names/types, and headers_checks control counterparts:
+# %spam_lovers, @spam_lovers_acl, $spam_lovers_re
+# %banned_files_lovers, @banned_files_lovers_acl, $banned_files_lovers_re
+# %bad_header_lovers, @bad_header_lovers_acl, $bad_header_lovers_re
+# and:
+# %bypass_spam_checks/@bypass_spam_checks_acl/$bypass_spam_checks_re
+# %bypass_banned_checks/@bypass_banned_checks_acl/$bypass_banned_checks_re
+# %bypass_header_checks/@bypass_header_checks_acl/$bypass_header_checks_re
+# See README.lookups for details about the syntax.
+
+# The following example disables spam checking altogether,
+# since it matches any recipient e-mail address (any address
+# is a subdomain of the top-level root DNS domain):
+# @bypass_spam_checks_acl = qw( . );
+
+# @bypass_header_checks_acl = qw( user@example.com );
+# @bad_header_lovers_acl = qw( user@example.com );
+
+
+# See README.lookups for further detail, and examples below.
+
+# $virus_lovers{lc("postmaster\@$mydomain")} = 1;
+# $virus_lovers{lc('postmaster@example.com')} = 1;
+# $virus_lovers{lc('abuse@example.com')} = 1;
+# $virus_lovers{lc('some.user@')} = 1; # this recipient, regardless of domain
+# $virus_lovers{lc('boss@example.com')} = 0; # never, even if domain matches
+# $virus_lovers{lc('example.com')} = 1; # this domain, but not its subdomains
+# $virus_lovers{lc('.example.com')}= 1; # this domain, including its subdomains
+#or:
+# @virus_lovers_acl = qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org );
+#
+# $bypass_virus_checks{lc('some.user2@butnot.example.com')} = 1;
+# @bypass_virus_checks_acl = qw( some.ddd !butnot.example.com .example.com );
+
+# @virus_lovers_acl = qw( postmaster@example.com );
+# $virus_lovers_re = new_RE( qr'^(helpdesk|postmaster)@example\.com$'i );
+
+# $spam_lovers{lc("postmaster\@$mydomain")} = 1;
+# $spam_lovers{lc('postmaster@example.com')} = 1;
+# $spam_lovers{lc('abuse@example.com')} = 1;
+# @spam_lovers_acl = qw( !.example.com );
+# $spam_lovers_re = new_RE( qr'^user@example\.com$'i );
+
+# don't run spam check for these RECIPIENT domains:
+# @bypass_spam_checks_acl = qw( d1.com .d2.com a.d3.com );
+# or the other way around (bypass check for all BUT these):
+# @bypass_spam_checks_acl = qw( !d1.com !.d2.com !a.d3.com . );
+# a practical application: don't check outgoing mail for spam:
+# @bypass_spam_checks_acl = ( "!.$mydomain", "." );
+# (a downside of which is that such mail will not count as ham in SA bayes db)
+
+
+# Where to find SQL server(s) and database to support SQL lookups?
+# A list of triples: (dsn,user,passw). (dsn = data source name)
+# More than one entry may be specified for multiple (backup) SQL servers.
+# See 'man DBI', 'man DBD::mysql', 'man DBD::Pg', ... for details.
+# When chroot-ed, accessing SQL server over inet socket may be more convenient.
+#
+# @lookup_sql_dsn =
+# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
+# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'] );
+#
+# ('mail' in the example is the database name, choose what you like)
+# With PostgreSQL the dsn (first element of the triple) may look like:
+# 'DBI:Pg:host=host1;dbname=mail'
+
+# The SQL select clause to fetch per-recipient policy settings.
+# The %k will be replaced by a comma-separated list of query addresses
+# (e.g. full address, domain only, catchall). Use ORDER, if there
+# is a chance that multiple records will match - the first match wins.
+# If field names are not unique (e.g. 'id'), the later field overwrites the
+# earlier in a hash returned by lookup, which is why we use '*,users.id'.
+# $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
+# ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
+# ' ORDER BY users.priority DESC';
+#
+# The SQL select clause to check sender in per-recipient whitelist/blacklist
+# The first SELECT argument '?' will be users.id from recipient SQL lookup,
+# the %k will be sender addresses (e.g. full address, domain only, catchall).
+# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
+# ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'.
+# ' AND (mailaddr.email IN (%k))'.
+# ' ORDER BY mailaddr.priority DESC';
+
+$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
+
+
+# If you decide to pass viruses (or spam) to certain recipients using the
+# above lookup tables or using $final_virus_destiny=D_PASS, you can set
+# the variable $addr_extension_virus ($addr_extension_spam) to some
+# string, and the recipient address will have this string appended
+# as an address extension to the local-part of the address. This extension
+# can be used by final local delivery agent to place such mail in different
+# folders. Leave these two variables undefined or empty strings to prevent
+# appending address extensions. Setting has no effect on recipient which will
+# not be receiving viruses/spam. Recipients who do not match lookup tables
+# local_domains* are not affected.
+#
+# LDAs usually default to stripping away address extension if no special
+# handling is specified, so having this option enabled normally does no harm,
+# provided the $recipients_delimiter matches the setting on the final
+# MTA's LDA.
+
+# $addr_extension_virus = 'virus'; # (default is undef, same as empty)
+# $addr_extension_spam = 'spam'; # (default is undef, same as empty)
+# $addr_extension_banned = 'banned'; # (default is undef, same as empty)
+
+
+# Delimiter between local part of the recipient address and address extension
+# (which can optionally be added, see variables $addr_extension_virus and
+# $addr_extension_spam). E.g. recipient address <user@example.com> gets changed
+# to <user+virus@example.com>.
+#
+# Delimiter should match equivalent (final) MTA delimiter setting.
+# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf)
+# Setting it to an empty string or to undef disables this feature
+# regardless of $addr_extension_virus and $addr_extension_spam settings.
+
+$recipient_delimiter = '+'; # (default is '+')
+
+# true: replace extension; false: append extension
+$replace_existing_extension = 1; # (default is false)
+
+# Affects matching of localpart of e-mail addresses (left of '@')
+# in lookups: true = case sensitive, false = case insensitive
+$localpart_is_case_sensitive = 0; # (default is false)
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT)
+# (affects spam checking only, has no effect on virus and other checks)
+
+# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
+# senders even if the message would be recognized as spam. Effectively, for
+# the specified senders, message recipients temporarily become 'spam_lovers'.
+# To avoid surprises, whitelisted sender also suppresses inserting/editing
+# the tag2-level header fields (X-Spam-*, Subject), appending spam address
+# extension, and quarantining.
+
+# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
+# Effectively, for messages from blacklisted senders, spam level
+# is artificially pushed high, and the normal spam processing applies,
+# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual
+# reactions to spam, including possible rejection. If the message nevertheless
+# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
+# in the 'X-Spam-Status' header field, but the reported spam value and
+# set of tests in this report header field (if available from SpamAssassin,
+# which may have not been called) is not adjusted.
+#
+# A sender may be both white- and blacklisted at the same time, settings
+# are independent. For example, being both white- and blacklisted, message
+# is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No;
+# X-Spam-Status: No, ...), but the reported spam level (if computed) may
+# still indicate high spam score.
+#
+# If ALL recipients of the message either white- or blacklist the sender,
+# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
+#
+# The following variables (lookup tables) are available, with the semantics
+# and syntax as specified in README.lookups:
+#
+# %whitelist_sender, @whitelist_sender_acl, $whitelist_sender_re
+# %blacklist_sender, @blacklist_sender_acl, $blacklist_sender_re
+
+# SOME EXAMPLES:
+#
+#ACL:
+# @whitelist_sender_acl = qw( .example.com );
+#
+# @whitelist_sender_acl = ( ".$mydomain" ); # $mydomain and its subdomains
+# NOTE: This is not a reliable way of turning off spam checks for
+# locally-originating mail, as sender address can easily be faked.
+# To reliably avoid spam-scanning outgoing mail,
+# use @bypass_spam_checks_acl .
+
+#RE:
+# $whitelist_sender_re = new_RE(
+# qr'^postmaster@.*\bexample\.com$'i,
+# qr'owner-[^@]*@'i, qr'-request@'i,
+# qr'\.example\.com$'i );
+#
+$blacklist_sender_re = new_RE(
+ qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
+ qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
+ qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonl|smoking2002k)@'i,
+ qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
+ qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
+ qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
+);
+
+#HASH lookup variant:
+# NOTE: Perl operator qw splits its argument string by whitespace
+# and produces a list. This means that addresses can not contain
+# whitespace, and there is no provision for comments within the string.
+# You can use the normal Perl list syntax if you have special requirements,
+# e.g. map {...} ('one user@bla', '.second.com'), or use read_hash to read
+# addresses from a file.
+#
+
+# a hash lookup table can be read from a file,
+# one address per line, comments and empty lines are permitted:
+#
+# read_hash(\%whitelist_sender, '/var/amavis/whitelist_sender');
+read_hash(\%whitelist_sender, "$MYHOME/whitelist_sender");
+read_hash(\%blacklist_sender, "$MYHOME/blacklist_sender");
+
+# ... or set directly:
+map { $whitelist_sender{lc($_)}=1 } (qw(
+ nobody@cert.org
+ owner-alert@iss.net
+ slashdot@slashdot.org
+ bugtraq@securityfocus.com
+ NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
+ security-alerts@linuxsecurity.com
+ amavis-user-admin@lists.sourceforge.net
+ razor-users-admin@lists.sourceforge.net
+ notification-return@lists.sophos.com
+ mailman-announce-admin@python.org
+ zope-announce-admin@zope.org
+ owner-postfix-users@postfix.org
+ owner-postfix-announce@postfix.org
+ owner-sendmail-announce@lists.sendmail.org
+ sendmail-announce-request@lists.sendmail.org
+ ca+envelope@sendmail.org
+ owner-technews@postel.ACM.ORG
+ lvs-users-admin@LinuxVirtualServer.org
+ ietf-123-owner@loki.ietf.org
+ cvs-commits-list-admin@gnome.org
+ rt-users-admin@lists.fsck.com
+ owner-announce@mnogosearch.org
+ owner-hackers@ntp.org
+ owner-bugs@ntp.org
+ clp-request@comp.nus.edu.sg
+ surveys-errors@lists.nua.ie
+ emailNews@genomeweb.com
+ owner-textbreakingnews@CNNIMAIL12.CNN.COM
+ yahoo-dev-null@yahoo-inc.com
+));
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT
+
+# The same semantics as for global white/blacklisting applies, but this
+# time each recipient (or its domain, or subdomain, ...) can be given
+# an individual lookup table for matching senders. The per-recipient lookups
+# override the global lookups, which serve as a fallback default.
+
+# Specify a two-level lookup table: the key for the outer table is recipient,
+# and the result should be an inner lookup table (hash or ACL or RE),
+# where the key used will be the sender.
+#
+#$per_recip_blacklist_sender_lookup_tables = {
+# 'user1@my.example.com'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i),
+# 'user2@my.example.com'=>[qw( spammer@d1.example,org .d2.example,org )],
+#};
+#$per_recip_whitelist_sender_lookup_tables = {
+# 'user@my.example.com' => [qw( friend@example.org .other.example.org )],
+# '.my1.example.com' => [qw( !foe.other.example,org .other.example,org )],
+# '.my2.example.com' => read_hash('/var/amavis/my2-wl.dat'),
+# 'abuse@' => { 'postmaster@'=>1,
+# 'cert-advisory-owner@cert.org'=>1, 'owner-alert@iss.net'=>1 },
+#};
+
+
+#
+# Section VI - Resource limits
+#
+
+# Sanity limit to the number of allowed recipients per SMTP transaction
+# $smtpd_recipient_limit = 1000; # (default is 1000)
+
+
+# Resource limits to protect unpackers, decompressors and virus scanners
+# against mail bombs (e.g. 42.zip)
+
+# Maximum recursion level for extraction/decoding (0 or undef disables limit)
+$MAXLEVELS = 14; # (default is undef, no limit)
+
+# Maximum number of extracted files (0 or undef disables the limit)
+$MAXFILES = 1500; # (default is undef, no limit)
+
+# For the cumulative total of all decoded mail parts we set max storage size
+# to defend against mail bombs. Even though parts may be deleted (replaced
+# by decoded text) during decoding, the size they occupied is _not_ returned
+# to the quota pool.
+#
+# Parameters to storage quota formula for unpacking/decoding/decompressing
+# Formula:
+# quota = max($MIN_EXPANSION_QUOTA,
+# $mail_size*$MIN_EXPANSION_FACTOR,
+# min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR))
+# In plain words (later condition overrules previous ones):
+# allow MAX_EXPANSION_FACTOR times initial mail size,
+# but not more than MAX_EXPANSION_QUOTA,
+# but not less than MIN_EXPANSION_FACTOR times initial mail size,
+# but never less than MIN_EXPANSION_QUOTA
+#
+$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
+$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
+$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
+$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
+
+
+#
+# Section VII - External programs, virus scanners
+#
+
+# Specify a path string, which is a colon-separated string of directories
+# (no trailing slashes!) to be assigned to the environment variable PATH
+# and to serve for locating external programs below.
+
+# NOTE: if $daemon_chroot_dir is nonempty, the directories will be
+# relative to the chroot directory specified;
+
+$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
+
+# Specify one string or a search list of strings (first match wins).
+# The string (or: each string in a list) may be an absolute path,
+# or just a program name, to be located via $path;
+# Empty string or undef (=default) disables the use of that external program.
+# Optionally command arguments may be specified - only the first substring
+# up to the whitespace is used for file searching.
+
+$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
+
+$gzip = 'gzip';
+$bzip2 = 'bzip2';
+$lzop = 'lzop';
+$uncompress = ['uncompress', 'gzip -d', 'zcat'];
+$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
+$arc = ['nomarch', 'arc'];
+$unarj = ['arj', 'unarj']; # both can extract, arj is recommended
+$unrar = ['rar', 'unrar']; # both can extract, same options
+$zoo = 'zoo';
+$lha = 'lha';
+$cpio = 'cpio'; # comment out if cpio does not support GNU options
+
+
+# SpamAssassin settings
+
+# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
+# of the option local_tests_only. See Mail::SpamAssassin man page.
+# If set to 1, SA tests are restricted to local tests only, i.e. no tests
+# that require internet access will be performed.
+#
+#$sa_local_tests_only = 1; # (default: false)
+$sa_auto_whitelist = 1; # turn on AWL (default: false)
+
+# Timout for SpamAssassin. This is only used if spamassassin does NOT
+# override it (which it often does if sa_local_tests_only is not true)
+$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin
+ # (default is 30 seconds, undef disables it)
+
+# AWL (auto whitelisting), requires spamassassin 2.44 or better
+# $sa_auto_whitelist = 1; # defaults to undef
+
+$sa_mail_body_size_limit = 150*1024; # don't waste time on SA is mail is larger
+ # (less than 1% of spam is > 64k)
+ # default: undef, no limitations
+
+# default values, can be overridden by more specific lookups, e.g. SQL
+$sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 6.3; # add 'spam detected' headers at that level
+$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
+ # at or above that level: bounce/reject/drop,
+ # quarantine, and adding mail address extension
+
+$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
+ # effectively turning D_BOUNCE into D_DISCARD;
+ # undef disables this feature and is a default;
+
+#
+# The $sa_tag_level_deflt, $sa_tag2_level_deflt and $sa_kill_level_deflt
+# may also be hashrefs to hash lookup tables, to make static per-recipient
+# settings possible without having to resort to SQL or LDAP lookups.
+
+# a quick reference:
+# tag_level controls adding the X-Spam-Status and X-Spam-Level headers,
+# tag2_level controls adding 'X-Spam-Flag: YES', and editing Subject,
+# kill_level controls 'evasive actions' (reject, quarantine, extensions);
+# it only makes sense to maintain the relationship:
+# tag_level <= tag2_level <= kill_level < $sa_dsn_cutoff_level
+
+# string to prepend to Subject header field when message exceeds tag2 level
+$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
+ # (only seen when spam is not to be rejected
+ # and recipient is in local_domains*)
+
+#$sa_spam_modifies_subj = 1; # may be a ref to a lookup table, default is true
+# Example: modify Subject for all local recipients except user@example.com
+#$sa_spam_modifies_subj = [qw( !user@example.com . )];
+
+# stop anti-virus scanning when the first scanner detects a virus?
+$first_infected_stops_scan = 1; # default is false, all scanners are called
+
+# @av_scanners is a list of n-tuples, where fields semantics is:
+# 1. av scanner plain name, to be used in log and reports;
+# 2. scanner program name; this string will be submitted to subroutine
+# find_external_programs(), which will try to find the full program
+# path name; if program is not found, this scanner is disabled.
+# Besides a simple string (full program path name or just the basename
+# to be looked for in PATH), this may be an array ref of alternative
+# program names or full paths - the first match in the list will be used;
+# As a special case for more complex scanners, this field may be
+# a subroutine reference, and the whole n-tuple is passed to it as args.
+# 3. command arguments to be given to the scanner program;
+# a substring {} will be replaced by the directory name to be scanned,
+# i.e. "$tempdir/parts", a "*" will be replaced by file names of parts;
+# 4. an array ref of av scanner exit status values, or a regexp (to be
+# matched against scanner output), indicating NO VIRUSES found;
+# 5. an array ref of av scanner exit status values, or a regexp (to be
+# matched against scanner output), indicating VIRUSES WERE FOUND;
+# Note: the virus match prevails over a 'not found' match, so it is safe
+# even if the no. 4. matches for viruses too;
+# 6. a regexp (to be matched against scanner output), returning a list
+# of virus names found.
+# 7. and 8.: (optional) subroutines to be executed before and after scanner
+# (e.g. to set environment or current directory);
+# see examples for these at KasperskyLab AVP and Sophos sweep.
+
+# NOTES:
+#
+# - NOT DEFINING @av_scanners (e.g. setting it to empty list, or deleting the
+# whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE
+# (which can be handy if all you want to do is spam scanning);
+#
+# - the order matters: although _all_ available entries from the list are
+# always tried regardless of their verdict, scanners are run in the order
+# specified: the report from the first one detecting a virus will be used
+# (providing virus names and scanner output); REARRANGE THE ORDER TO WILL;
+#
+# - it doesn't hurt to keep an unused command line scanner entry in the list
+# if the program can not be found; the path search is only performed once
+# during the program startup;
+#
+# COROLLARY: to disable a scanner that _does_ exist on your system,
+# comment out its entry or use undef or '' as its program name/path
+# (second parameter). An example where this is almost a must: disable
+# Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl
+# (same for Trophie/vscan, and clamd/clamscan), or if another unrelated
+# program happens to have a name matching one of the entries ('sweep'
+# again comes to mind);
+#
+# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES
+# for interfacing (where the second parameter starts with \&).
+# Keeping such entry and not having a corresponding virus scanner daemon
+# causes an unnecessary connection attempt (which eventually times out,
+# but it wastes precious time). For this reason the daemonized entries
+# are commented in the distribution - just remove the '#' where needed.
+#
+# CERT list of av resources: http://www.cert.org/other_sources/viruses.html
+
+@av_scanners = (
+
+# ### http://www.vanja.com/tools/sophie/
+# ['Sophie',
+# \&ask_daemon, ["{}/\n", '/var/run/sophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
+# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
+
+# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
+['Sophos SAVI', \&sophos_savi ],
+
+### http://www.clamav.net/
+['Clam Antivirus-clamd',
+ \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
+ qr/\bOK$/, qr/\bFOUND$/,
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+# NOTE: run clamd under the same user as amavisd; match the socket
+# name (LocalSocket) in clamav.conf to the socket name in this entry
+# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
+
+# ### http://www.openantivirus.org/
+# ['OpenAntiVirus ScannerDaemon (OAV)',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
+# qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],
+
+# ### http://www.vanja.com/tools/trophie/
+# ['Trophie',
+# \&ask_daemon, ["{}/\n", '/var/run/trophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
+# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
+
+# ### http://www.grisoft.com/
+# ['AVG Anti-Virus',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
+# qr/^200/, qr/^403/, qr/^403 .*?: (.+)/ ],
+
+# ### http://www.f-prot.com/
+# ['FRISK F-Prot Daemon',
+# \&ask_daemon,
+# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
+# ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
+# '127.0.0.1:10203','127.0.0.1:10204'] ],
+# qr/(?i)<summary[^>]*>clean<\/summary>/,
+# qr/(?i)<summary[^>]*>infected<\/summary>/,
+# qr/(?i)<name>(.+)<\/name>/ ],
+
+ ['KasperskyLab AVP - aveclient',
+ ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
+ '/opt/kav/bin/aveclient','aveclient'],
+ '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
+ qr/(?:INFECTED|SUSPICION) (.+)/,
+ ],
+
+ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
+ '-* -P -B -Y -O- {}', [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
+ qr/infected: (.+)/,
+ sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
+ sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+ ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
+ ### products and replaced by aveserver and aveclient
+ ['KasperskyLab AVPDaemonClient',
+ [ '/opt/AVP/kavdaemon', 'kavdaemon',
+ '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
+ '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
+ '/opt/AVP/avpdc', 'avpdc' ],
+ "-f=$TEMPBASE {}", [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
+ qr/infected: ([^\r\n]+)/ ],
+ # change the startup-script in /etc/init.d/kavd to:
+ # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
+ # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
+ # adjusting /var/amavis above to match your $TEMPBASE.
+ # The '-f=/var/amavis' is needed if not running it as root, so it
+ # can find, read, and write its pid file, etc., see 'man kavdaemon'.
+ # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
+ # directory $TEMPBASE specifies) in the 'Names=' section.
+ # cd /opt/AVP/DaemonClients; configure; cd Sample; make
+ # cp AvpDaemonClient /opt/AVP/
+ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
+
+ ### http://www.hbedv.com/ or http://www.centralcommand.com/
+ ['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
+ ['antivir','vexira'],
+ '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
+ qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
+ (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
+ # NOTE: if you only have a demo version, remove -z and add 214, as in:
+ # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
+
+ ### http://www.commandsoftware.com/
+ ['Command AntiVirus for Linux', 'csav',
+ '-all -archive -packed {}', [50], [51,52,53],
+ qr/Infection: (.+)/ ],
+
+ ### http://www.symantec.com/
+ ['Symantec CarrierScan via Symantec CommandLineScanner',
+ 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
+ qr/^Files Infected:\s+0$/, qr/^Infected\b/,
+ qr/^(?:Info|Virus Name):\s+(.+)/ ],
+
+ ### http://www.symantec.com/
+ ['Symantec AntiVirus Scan Engine',
+ 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
+ [0], qr/^Infected\b/,
+ qr/^(?:Info|Virus Name):\s+(.+)/ ],
+ # NOTE: check options and patterns to see which entry better applies
+
+ ### http://www.sald.com/, http://drweb.imshop.de/
+ ['drweb - DrWeb Antivirus',
+ ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
+ '-path={} -al -go -ot -cn -upn -ok-',
+ [0,32], [1,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
+
+# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
+# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
+# [pack('N',1). # DRWEBD_SCAN_CMD
+# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
+# pack('N', # path length
+# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/part-xxxxx")).
+# '{}/*'. # path
+# pack('N',0). # content size
+# pack('N',0),
+# '/var/drweb/run/drwebd.sock',
+# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot
+# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
+# # '127.0.0.1:3000', # or over an inet socket
+# ],
+# qr/\A\x00(\x10|\x11)\x00\x00/s, # IS_CLEAN, EVAL_KEY
+# qr/\A\x00(\x00|\x01)\x00(\x20|\x40|\x80)/s, # KNOWN_V, UNKNOWN_V, V._MODIF
+# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s,
+# ],
+# # NOTE: If you are using amavis-milter, change length to:
+# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/part-xxxxx").
+
+ ### http://www.f-secure.com/products/anti-virus/
+ ['F-Secure Antivirus', 'fsav',
+ '--dumb --mime --archive {}', [0], [3,8],
+ qr/(?:infection|Infected|Suspected): (.+)/ ],
+
+ ['CAI InoculateIT', 'inocucmd',
+ '-sec -nex {}', [0], [100],
+ qr/was infected by virus (.+)/ ],
+
+ ['MkS_Vir for Linux (beta)', ['mks32','mks'],
+ '-s {}/*', [0], [1,2], # any use for options: -a -c ?
+ qr/--[ \t]*(.+)/ ],
+
+ ### http://www.nod32.com/
+ ['ESET Software NOD32', 'nod32',
+ '-all -subdir+ {}', [0], [1,2],
+ qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
+
+ ### http://www.nod32.com/
+ ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
+ '-a -r -d recurse --heur standard {}', [0], [10,11],
+ qr/^\S+\s+infected:\s+(.+)/ ],
+
+ ### http://www.norman.com/products_nvc.shtml
+ ['Norman Virus Control v5 / Linux', 'nvcc',
+ '-c -l:0 -s -u {}', [0], [1],
+ qr/(?i).* virus in .* -> \'(.+)\'/ ],
+
+ ### http://www.pandasoftware.com/
+ ['Panda Antivirus for Linux', ['pavcl'],
+ '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
+ qr/Number of files infected[ .]*: 0(?!\d)/,
+ qr/Number of files infected[ .]*: 0*[1-9]/,
+ qr/Found virus :\s*(\S+)/ ],
+
+# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
+# Check your RAV license terms before fiddling with the following two lines!
+# ['GeCAD RAV AntiVirus 8', 'ravav',
+# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
+# # NOTE: the command line switches changed with scan engine 8.5 !
+# # (btw, assigning stdin to /dev/null causes RAV to fail)
+
+ ### http://www.nai.com/
+ ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
+ '--secure -rv --mime --summary --noboot - {}', [0], [13],
+ qr/(?x) Found (?:
+ \ the\ (.+)\ (?:virus|trojan) |
+ \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
+ :\ (.+)\ NOT\ a\ virus)/,
+ # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
+ # sub {delete $ENV{LD_PRELOAD}},
+ ],
+ # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
+ # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
+ # and then clear it when finished to avoid confusing anything else.
+ # NOTE2: to treat encrypted files as viruses replace the [13] with:
+ # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
+
+ ### http://www.virusbuster.hu/en/
+ ['VirusBuster', ['vbuster', 'vbengcl'],
+ # VirusBuster Ltd. does not support the daemon version for the workstation
+ # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
+ # binaries, some parameters AND return codes (from 3 to 1) changed.
+ "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
+ qr/: '(.*)' - Virus/ ],
+
+# ### http://www.virusbuster.hu/en/
+# ['VirusBuster (Client + Daemon)', 'vbengd',
+# # HINT: for an infected file it returns always 3,
+# # although the man-page tells a different story
+# '-f -log scandir {}', [0], [3],
+# qr/Virus found = (.*);/ ],
+
+ ### http://www.cyber.com/
+ ['CyberSoft VFind', 'vfind',
+ '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
+ # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
+ ],
+
+ ### http://www.ikarus-software.com/
+ ['Ikarus AntiVirus for Linux', 'ikarus',
+ '{}', [0], [40], qr/Signature (.+) found/ ],
+
+ ### http://www.bitdefender.com/
+ ['BitDefender', 'bdc',
+ '--all --arc --mail {}', qr/^Infected files *:0(?!\d)/,
+ qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
+ qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
+);
+
+# If no virus scanners from the @av_scanners list produce 'clean' nor
+# 'infected' status (e.g. they all fail to run or the list is empty),
+# then _all_ scanners from the @av_scanners_backup list are tried.
+# When there are both daemonized and command-line scanners available,
+# it is customary to place slower command-line scanners in the
+# @av_scanners_backup list. The default choice is somewhat arbitrary,
+# move entries from one list to another as desired.
+
+@av_scanners_backup = (
+
+ ### http://www.clamav.net/
+ ['Clam Antivirus - clamscan', 'clamscan',
+ "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+
+ ### http://www.f-prot.com/
+ ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
+ '-dumb -archive -packed {}', [0,8], [3,6],
+ qr/Infection: (.+)/ ],
+
+ ### http://www.trendmicro.com/
+ ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
+ '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
+
+ ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
+ '-i1 -xp {}', [0,10,15], [5,20,21,25],
+ qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
+ sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
+ sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+# Commented out because the name 'sweep' clashes with the Debian package of
+# the same name. Make sure the correct sweep is found in the path when enabling
+#
+# ### http://www.sophos.com/
+# ['Sophos Anti Virus (sweep)', 'sweep',
+# '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}',
+# [0,2], qr/Virus .*? found/,
+# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/,
+# ],
+# # other options to consider: -mime -oe -idedir=/usr/local/sav
+
+# always succeeds (uncomment to consider mail clean if all other scanners fail)
+['always-clean', sub {0}],
+
+);
+
+
+#
+# Section VIII - Debugging
+#
+
+# The most useful debugging tool is to run amavisd-new non-detached
+# from a terminal window:
+# amavisd debug
+
+# Some more refined approaches:
+
+# If sender matches ACL, turn log level fully up, just for this one message,
+# and preserve temporary directory
+#@debug_sender_acl = ( "test-sender\@$mydomain" );
+#@debug_sender_acl = qw( debug@example.com );
+
+# May be useful along with @debug_sender_acl:
+# Prevent all decoded originals being deleted (replaced by decoded part)
+#$keep_decoded_original_re = new_RE( qr/.*/ );
+
+# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
+#$sa_debug = 1; # defaults to false
+
+#-------------
+1; # insure a defined return
--- /dev/null
+--- amavisd.conf.sendmail-template 2006-06-30 10:53:18.000000000 +0200
++++ amavisd.conf.postfix-template 2006-06-30 13:07:57.000000000 +0200
+@@ -102,17 +102,17 @@
+ # POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
+ # (set host and port number as required; host can be specified
+ # as IP address or DNS name (A or CNAME, but MX is ignored)
+-#$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
+-#$notify_method = $forward_method; # where to submit notifications
++$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
++$notify_method = $forward_method; # where to submit notifications
+
+ # NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
+ # uncomment the appropriate settings below if using other setups!
+
+ # SENDMAIL MILTER, using amavis-milter.c helper program:
+ # SEE amavisd-new-milter package docs FOR DEBIAN INSTRUCTIONS
+-$forward_method = undef; # no explicit forwarding, sendmail does it by itself
++#$forward_method = undef; # no explicit forwarding, sendmail does it by itself
+ # milter; option -odd is needed to avoid deadlocks
+-$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
++#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
+ # just a thought: can we use use -Am instead of -odd ?
+
+ # SENDMAIL (old non-milter setup, as relay):
+@@ -232,7 +232,7 @@
+
+ # SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
+ # (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
+-#$inet_socket_port = 10024; # accept SMTP on this local TCP port
++$inet_socket_port = 10024; # accept SMTP on this local TCP port
+ # (default is undef, i.e. disabled)
+ # multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];
+
+@@ -240,7 +240,7 @@
+ # - do not allow free access to the amavisd SMTP port !!!
+ #
+ # when MTA is at the same host, use the following (one or the other or both):
+-#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
++$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
+ # (default is '127.0.0.1')
+ #@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
+ # (default is qw( 127.0.0.1 ) )
--- /dev/null
+VERSION=20030616p10-11
+SENDTMPLVERSION=2:20030616p10-8
+POSTTMPLVERSION=2:20030616p10-10
projects / amavisd-cn.git / commitdiff