From 1c3f285a0edf2971bb7fd75147e10bb66fb5323c Mon Sep 17 00:00:00 2001 From: Grupa za izradu paketa Date: Wed, 1 Nov 2006 16:18:33 +0000 Subject: [PATCH] r1: [svn-inject] Installing original source of amavisd-cn --- README.CARNet | 55 ++ TODO | 9 + changelog.CARNet | 156 +++ debian/changelog | 1 + debian/compat | 1 + debian/conffiles | 1 + debian/control | 21 + debian/control.binary | 19 + debian/cron.d | 6 + debian/dirs | 1 + debian/docs | 3 + debian/init | 145 +++ debian/install | 3 + debian/postinst | 398 ++++++++ debian/postrm | 16 + debian/preinst | 28 + debian/prerm | 58 ++ debian/rules | 87 ++ src/functions.sh | 174 ++++ src/postfix.sh | 77 ++ src/postfixize.sh | 49 + src/sendmail.sh | 105 +++ src/variables.sh | 28 + templates/amavisd.conf.postfix-template | 1510 ++++++++++++++++++++++++++++++ templates/amavisd.conf.sendmail-template | 1510 ++++++++++++++++++++++++++++++ templates/sendmail-to-postfix.diff | 42 + version.sh | 3 + 27 files changed, 4506 insertions(+) create mode 100644 README.CARNet create mode 100644 TODO create mode 100644 changelog.CARNet create mode 120000 debian/changelog create mode 100644 debian/compat create mode 100644 debian/conffiles create mode 100644 debian/control create mode 100644 debian/control.binary create mode 100644 debian/cron.d create mode 100644 debian/dirs create mode 100644 debian/docs create mode 100755 debian/init create mode 100644 debian/install create mode 100755 debian/postinst create mode 100755 debian/postrm create mode 100755 debian/preinst create mode 100755 debian/prerm create mode 100755 debian/rules create mode 100644 src/functions.sh create mode 100644 src/postfix.sh create mode 100755 src/postfixize.sh create mode 100644 src/sendmail.sh create mode 100644 src/variables.sh create mode 100644 templates/amavisd.conf.postfix-template create mode 100644 templates/amavisd.conf.sendmail-template create mode 100644 templates/sendmail-to-postfix.diff create mode 100644 version.sh 
diff --git a/README.CARNet b/README.CARNet new file mode 100644 index 0000000..4601dfd --- /dev/null +++ b/README.CARNet 
@@ -0,0 +1,55 @@ +amavisd-cn + +Ovaj paket donosi dodatnu CARNetovu konfiguraciju za paket +iz Debian distribucije. + +- Od inacice 20030616p10-1, amavisd-cn vise ne donosi cijeli amavisd-new, + vec ovisi o Debianovim paketima amavisd-new i amavisd-new-milter. U ovom + paketu se sada nalazi samo konfiguracija podesna za posluzitelje na + CARNetovim ustanovama. Konfiguracijska datoteka se vise ne nalazi u + /etc/amavisd.conf, vec u + + /etc/amavis/amavisd.conf + + Stara datoteka se kod instalacije premjesta u + /etc/amavis/amavisd.conf.cn-old, tako da po zelji mozete vlastite + postavke prenijeti u novu. Predlozak za novu konfiguraciju se nalazi u + /usr/share/amavisd-cn/amavisd.conf.template, i sadrzi minimalne izmjene u + odnosu na pocetnu konfiguraciju iz Debianovog paketa. U predlosku je + postavljena podrska za Sendmail+milter, za SpamAssassin s podrskom za + white- i blackliste, te za ClamAV i Sophos antiviruse. + +- Za restart svih kompomenti mta sustava ispravnim redoslijedom (clamd + + amavisd-new + amavis-milter + sendmail ili clamd + amavisd + postfix) + mozete koristiti dodanu init.d skriptu + + /etc/init.d/amavisd-cn restart + +- Odrzavanje spamassassin bayesian filtera sada dolazi sa Debianovim paketom + i nalazi se u + + /etc/cron.d/amavisd-new + + Brisanje starih datoteka iz karantene se obavlja iz + + /etc/cron.d/amavisd-cn + + Logika je da se cron datoteke zovu po paketu koji ih je donio, sto je + u duhu Debianove paketne politike i olaksava upgrade ovih paketa. + +- $spam_admin opcija omogucava obavjestavanje o prepoznatom spamu putem + maila. S obzirom da se u obavijestima poslanim na ovaj nacin citira + poruka prepoznata kao spam, moguce je da Amavis samu tu obavijest + prepozna kao spam, pokusa poslati dodatnu obavijest i na taj nacin + generira velike kolicine maila, sto moze uzrokovati zapunjenje /var + particije. + + Ukoliko zelite primati te obavijesti, svakako izuzmite $spam_admin email + adresu iz iz anti-spam filtera. 
To se moze uciniti dodavanjem + $spam_admin adrese u neku od $spam_lovers* postavki, ili dodavanjem + adrese iz postavke $mailfrom_notify_spamadmin u whitelistu. Primjer za + prvi nacin: + + $spam_lovers{lc($spam_admin)} = 1; + + -- Zoran Dzelajlija Fri, 30 Jun 2006 10:58:01 +0200 diff --git a/TODO b/TODO new file mode 100644 index 0000000..f99e222 --- /dev/null +++ b/TODO @@ -0,0 +1,9 @@ +Bugs: +- SAVI ne radi kod prve instalacije? Nakon sophos-sweep-update i + dpkg-reconfigure amavisd-cn proradi. +- CN: Current configuration saved in /var/backups/amavisd.conf.bak + se pojavljuje precesto a uzrokuje slanje maila. + +Features: +- funkcije za pametniju izmjenu sendmail <-> postfix +- update na 2.4 i _mozda_ split config diff --git a/changelog.CARNet b/changelog.CARNet new file mode 100644 index 0000000..95dad43 --- /dev/null +++ b/changelog.CARNet 
@@ -0,0 +1,156 @@ +amavisd-cn (2:20030616p10-11) sarge; urgency=low + + * Ispravljen typo u uvjetima za provjeru postfix konfiguracije. + * Skracena postfixize.sh skripta: + - varijable sa verzijama predlozaka prebacene u version.sh, + - izbaceni dijelovi nevezani za postfix. + * Bolja vrijednost za $mydomain ako je stroj MX za domenu + (T#: 2006101613000041). + * dpkg -l | grep ^.i za provjeru instalacije paketa. + * _CH_HOST_ -> _CN_DOMAIN_ u predloscima, nema funkcionalnih izmjena. + + -- Zoran Dzelajlija Sun, 29 Oct 2006 20:54:01 +0100 + +amavisd-cn (2:20030616p10-10.1) sarge; urgency=low + + * Razdvojene verzije predlozaka za sendmail i postfix. + + -- Zoran Dzelajlija Fri, 30 Jun 2006 14:10:01 +0200 + +amavisd-cn (2:20030616p10-10) sarge; urgency=low + + * Dodana podrska za postfix. + * Preuredjene instalacijske skripte. + + -- Zoran Dzelajlija Fri, 30 Jun 2006 01:04:44 +0200 + +amavisd-cn (2:20030616p10-9) sarge; urgency=low + + * Greska u funkciji za provjeru rada daemona uzrokovala ispad miltera + (T#: 2005070613000087, T#: 2005070613000096). + Ujednacena ista funkcija u init i postinst skripti, sitne ispravke. + * Provjera daemona u postinst skripti je sada bezuvjetna. + + -- Zoran Dzelajlija Wed, 6 Jul 2005 20:33:02 +0200 + +amavisd-cn (2:20030616p10-8) sarge; urgency=low + + * Ispravljen typo u detekciji stare konfiguracijske datoteke. + * Backup konfiguracije u /var/backups umjesto u *.dpkg-old. + * Utisane bounce poruke za viruse i sumnjive privitke. + + -- Zoran Dzelajlija Thu, 23 Jun 2005 14:54:14 +0200 + +amavisd-cn (2:20030616p10-7) sarge; urgency=low + + * Ispravljeno rusenje kod brisanja paketa. + * Ispravljen sumnjiv copy/paste u postinst skripti. + * Ciscenje zaostalih pyzor procesa. + + -- Zoran Dzelajlija Mon, 25 Apr 2005 23:46:10 +0200 + +amavisd-cn (2:20030616p10-6) sarge; urgency=low + + * Ispravke funkcije za provjeru rada servisa (T#: 2005011313000021). 
+ * Konfiguracija sendmaila protiv pojave X-Authentication-Warning u zaglavlju + i logovima (dio T#: 2005021513000024). + * Dio dijeljenih postinst funkcija prebacen u carnet-tools. + * Ispravljene provjere ispravnog dizanja servisa. + + -- Zoran Dzelajlija Mon, 21 Mar 2005 00:01:01 +0100 + +amavisd-cn (2:20030616p10-5) sarge; urgency=low + + * Iskljuceno slanje obavijesti o spamu zbog moguceg mail loopa + (T#: 2004122913000017 i dr.). Dodana dokumentacija o problemu. + * Ispravka korisnika u konfiguraciji za logrotate. + * mv /etc/amavisd.conf /etc/amavisd.conf.cn-old + * Popravljen poziv update-rc.d za clamav-daemon. + + -- Zoran Dzelajlija Sat, 15 Jan 2005 18:48:25 +0100 + +amavisd-cn (2:20030616p10-4) sarge; urgency=low + + * Paket za sarge distribuciju. + * Zamjenjuje konfiguraciju sa CARNet Debian 2.x CD-a. + + -- Zoran Dzelajlija Sun, 26 Dec 2004 03:00:49 +0100 + +amavisd-cn (20030616p10-3) woody; urgency=low + + * Iskljucena podrska za SAVI::Perl ako nije instaliran + (mozda popravlja T#: 2004122113000041). + * chown sweep logova (opet T#: 2004122113000059) + * Salje mail sa logom od upgradea. + * Predlozak za amavisd.conf updatean na Debian 20030616p10-5. + + -- Zoran Dzelajlija Sun, 26 Dec 2004 03:00:22 +0100 + +amavisd-cn (20030616p10-2) woody; urgency=low + + * Ispravka korisnika u /usr/bin/sophos-ide-update (T#: 2004122113000059). + * postinst puca kod restarta clamava (T#: 2004122013000015). + + -- Zoran Dzelajlija Tue, 21 Dec 2004 13:11:06 +0100 + +amavisd-cn (20030616p10-1) woody; urgency=low + + * Verzija za woody. + * Nova konfiguracijska datoteka, + - minimalne izmjene u odnosu na Debianove defaulte. + * Novo ime cron.d datoteke. + * Koristenje Debianovih paketa i init skripti. + * Nova amavisd-cn wrapper init skripta. + * viruser korisnik se brise, koriste se amavis i clamav. + + -- Zoran Dzelajlija Mon, 15 Nov 2004 00:35:04 +0100 + +amavisd-cn (2:20030616p10-1) testing; urgency=low + + * Nove verzije amavisd-new, clamav, spamassassin. 
+ * Mice divert amavisd.conf i ubija zaostale milter procese. + * init.d skripta srezana i pokrece se nakon ostalih relevantnih. + init skripti. + * Promjene u amavisd.conf: + - sinkronizacija sa Debianovom konfiguracijom za novu verziju: + - kozmeticke promjene + - prepoznati spam je dobro odbiti i SMTP protokolom + ($final_spam_destiny = D_REJECT umjesto D_DISCARD) + - provjera virusa zavrsava s prvim nadjenim virusom + ($first_infected_stops_scan = 1) + - maknuta "domena.hr." iz popisa lokalnih domena. + * Ovisnost o spamassassin paketu. + * chown datoteka u slucaju upgradea sa woodyja. + * Dodavanje grupe amavis ako je potrebno. + + -- Zeljko Boros + +amavisd-cn (20030616p7-3) testing; urgency=low + + * Uveden link /etc/init.d/amavisd-cn na /etc/init.d/amavisd + * Smanjen milter log level na 4 + * amavisd socket promijenjen na /var/lib/amavis/amavisd.sock + * uvedeno citanje crnih i bijelih lista iz datoteka + /var/lib/amavis/{black,white}list_sender + * Brisanje amavis-milter* datoteka starijih od 1 dan svaki dan + * Brisanje spama i virusa u karanteni svakih 7 dana + * Dodane neke opcije u /var/lib/amavis/.spamassassin/user_prefs + - datoteka /var/lib/amavis/.spamassassin/auto-whitelist + - eksplicitno dodana putanja do Bayes baze + - dodatno osigurano da se auto-expire ne ukljucuje + * Promjene u amavisd.conf: + - ukljucen auto-whitelisting sustav + - dodan 'always-clean' virus-scanner ("isporuci postu cak i kad svi + scanneri ne rade") + * Ovisnost o sendmail-cn (>= 8.12.9-6) + + -- Zeljko Boros Wed, 24 Mar 2004 10:26:51 +0100 + +amavisd-cn (20030616p7-2) testing; urgency=low + + * Nova inacica paketa + * Ovisnost o amavisd-new i amavisd-new-milter paketima + * Brisanje privremenih amavis-milter* datoteka svakih 5 dana + + -- Zeljko Boros Thu, 26 Feb 2004 13:02:08 +0100 + diff --git a/debian/changelog b/debian/changelog new file mode 120000 index 0000000..dbf0845 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1 @@
+../changelog.CARNet
\ No newline at end of file
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..b8626c4
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+4
diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 0000000..f263a28
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1 @@
+/etc/cron.d/amavisd-cn
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..57c0011
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,21 @@
+Source: amavisd-cn
+Section: mail
+Priority: optional
+Maintainer: Zoran Dzelajlija
+Build-Depends: debhelper (>= 4.0.0)
+Standards-Version: 3.6.1
+
+Package: amavisd-cn
+Architecture: all
+Provides: amavisd-new-cn
+Depends: amavisd-new (>= 20030616p10-5), postfix | amavisd-new-milter (>= 20030616p10-5), postfix | sendmail (>= 8.13.1-20), clamav-cn (>= 0.80-7), spamassassin (>= 2.64), debianutils (>= 1.13.1), carnet-tools-cn (>= 2.1), procps, patch, host
+Pre-Depends: amavisd-new
+Recommends: sweep-cn, libsavi-perl
+Conflicts: libsavi-perl (<< 0.15), bunch-perl-modules-cn, sweep-cn (<< 1.8-2)
+Description: Interface between MTA and virus scanner/content filters
+ AMaViSd-new is a script that interfaces a mail transport agent (MTA) with
+ zero or more virus scanners, and spamassassin (optional).
+ .
+ CARNet configuration comes with clamav and spamassassin, providing
+ virus and spam scanning for postfix, or for sendmail via
+ amavisd-new-milter.
diff --git a/debian/control.binary b/debian/control.binary
new file mode 100644
index 0000000..3574b20
--- /dev/null
+++ b/debian/control.binary
@@ -0,0 +1,19 @@
+Package: amavisd-cn
+Version: 2:20030616p10-11
+Section:
+Architecture: all
+Provides: amavisd-new-cn
+Depends: amavisd-new (>= 20030616p10-5), postfix | amavisd-new-milter (>= 20030616p10-5), postfix | sendmail (>= 8.13.1-20), clamav-cn (>= 0.80-7), spamassassin (>= 2.64), debianutils (>= 1.13.1), carnet-tools-cn (>= 2.1), procps, patch, host
+Pre-Depends: amavisd-new
+Recommends: sweep-cn, libsavi-perl
+Conflicts: libsavi-perl (<< 0.15), bunch-perl-modules-cn, sweep-cn (<< 1.8-2)
+Suggests:
+Installed-Size: 284
+Maintainer: Zoran Dzelajlija
+Description: Interface between MTA and virus scanner/content filters
+ AMaViSd-new is a script that interfaces a mail transport agent (MTA) with
+ zero or more virus scanners, and spamassassin (optional).
+ .
+ CARNet configuration comes with clamav and spamassassin, providing
+ virus and spam scanning for postfix, or for sendmail via
+ amavisd-new-milter.
diff --git a/debian/cron.d b/debian/cron.d
new file mode 100644
index 0000000..0658b2e
--- /dev/null
+++ b/debian/cron.d
@@ -0,0 +1,6 @@
+# Deleting temp files from quarantine area every day at 01:35
+35 1 * * * amavis find /var/lib/amavis/ -type d -mtime +1 -name "amavis-milter-*" -print0 | xargs -0 rm -fr
+# Deleting virus mails from quarantine area at 03:15 every day
+15 3 * * * amavis find /var/lib/amavis/virusmails -type f -mtime +7 -name "virus-*" -print0 | xargs -0 rm -f
+# Deleting spam mails from quarantine area every day at 04:25
+25 4 * * * amavis find /var/lib/amavis/virusmails -type f -mtime +7 -name "spam-*" -print0 | xargs -0 rm -f
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..2653062
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1 @@
+usr/share/amavisd-cn
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..4e23d62
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,3 @@
+README.CARNet
+changelog.CARNet
+TODO
diff --git a/debian/init b/debian/init
new file mode 100755
index 0000000..8af8212
--- /dev/null
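Review bot: In debian/cron.d, the first job matches directories and hands them to `rm -fr` without `-prune`, so `find` can keep descending into trees that are being deleted and will also queue any nested `amavis-milter-*` directories; the resulting "No such file" messages end up in cron mail. Putting `-prune` before `-print0` (`find /var/lib/amavis/ -type d -mtime +1 -name "amavis-milter-*" -prune -print0 | xargs -0 rm -fr`) stops the descent. The comments here say virus mail is purged at 03:15 and spam at 04:25, while the message printed by debian/postinst in this same patch announces spam at 03:15 and virus mail at 04:25; one of the two should be corrected. Running the jobs as `amavis` with `-print0`/`xargs -0` is worth keeping, since the quarantine holds sender-controlled content.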
+++ b/debian/init 
@@ -0,0 +1,145 @@ +#!/bin/sh + +set -e + +# options for daemons: +# name init.d/script user ps name for pgrep -f pidfile, relative to /var/run num-fds last-fd-name +options=' +clamd clamav-daemon clamav /usr/sbin/clamd clamav/clamd.pid 5 clamav.log +amavis amavis.amavisd-new amavis amavisd \\(master\\) amavis/amavisd.pid 5 socket +milter amavisd-new-milter amavis /usr/sbin/amavis-milter amavis/amavisd-new-milter.pid 5 socket +' +# note: pgrep -f takes a regexp, and this is shell expanded once, hence \\ + +start () { + local daemon IFSOLD name script user psname pidfile num fdname + daemon="$1" + IFSOLD="$IFS" + IFS=" " # tab + read name script user psname pidfile num fdname <<-EOPTS + $(echo "$options" | sed 's/ */ /g' | grep ^$daemon) + EOPTS + IFS="$IFSOLD" + /etc/init.d/$script start + wait_for_fds "$daemon" +} + +stop () { + local daemon IFSOLD name script user psname pidfile num fdname + daemon="$1" + n=10 + IFSOLD="$IFS" + IFS=" " # tab + read name script user psname pidfile num fdname <<-EOPTS + $(echo "$options" | sed 's/ */ /g' | grep ^$daemon) + EOPTS + IFS="$IFSOLD" + /etc/init.d/$script stop + pkill -u $user -f "$psname" > /dev/null || true + while pgrep -u $user -f "$psname" > /dev/null && [ "$n" -gt 0 ] + do + sleep 1 + n=$(($n-1)) + done + pkill -9 -u $user -f "$psname" > /dev/null || true + #pkill -9 -u $user -x "$daemon" + if pgrep -u $user -f "$psname" > /dev/null; then # still there? 
+ return 1 + fi +} + +wait_for_fds () { + # wait until process shows some I/O readiness :) + local name IFSOLD num sleep maxtry script user psname pidfile fdname + name="$1" + [ -z "$name" ] && return 1 + IFSOLD="$IFS" + IFS=" " # tab + read name script user psname pidfile num fdname <<-EOPTS + $(echo "$options" | sed 's/ */ /g' | grep ^$name) + EOPTS + IFS="$IFSOLD" + num=${num:-4} + sleep=${sleep:-1} + maxtry=${maxtry:-10} + if [ -n "$pidfile" ]; then + pidfile=/var/run/$pidfile + findpid="[ -f $pidfile ] && cat $pidfile || true" + else + findpid="pgrep -u $user -f \"$psname\" -P 1 | head -1" + fi + + # loop the loop the loop + try=1 + while /bin/true + do + sleep $sleep # 1st, give it a chance to run + pid=`eval $findpid` # 2nd: find it + [ -z "$pid" ] && return 1 # not running at all + count=`ls -1 /proc/$pid/fd 2>/dev/null| wc -l` # 3rd: count all it's worth + [ "$count" -ge "$num" ] && ls -l /proc/$pid/fd | grep -q $fdname \ + && return # success -- release + try=$(($try+1)) + [ "0$try" -ge "0$maxtry" ] && return 1 # no luck this time + done +} + +# if we're called as amavisd-cn or amavis with start argument, +# act like one; otherwise, pass the call down +case "$(basename $0)" in + amavisd-cn) + arg="i$1" + ;; + amavis) + if [ "$1" = start ]; then + arg="i$1" + else + arg="$1" + fi + ;; + *) + arg="$1" + ;; +esac + +# If there's no diversion, play possum +[ -x /etc/init.d/amavis.amavisd-new ] || exit 0 + +if [ -x /etc/init.d/postfix -a -x /usr/lib/postfix/master ]; then + mta=postfix +else + mta=sendmail +fi + +case "$arg" in + start|stop|restart|reload|force-reload) + /etc/init.d/amavis.amavisd-new "$arg" + ;; + + istart) + start clamd + start amavis + [ $mta = sendmail ] && start milter + /etc/init.d/$mta start + ;; + + istop) + /etc/init.d/$mta stop + [ $mta = sendmail ] && stop milter + stop amavis + stop clamd + ;; + + irestart|ireload|iforce-reload) + $0 stop + sleep 2 + $0 start + ;; + + *) + echo "Usage: $0 {start|stop|restart|reload|force-reload}" 
>&2 + exit 1 + ;; +esac + +exit 0 diff --git a/debian/install b/debian/install new file mode 100644 index 0000000..2c00cdf --- /dev/null +++ b/debian/install @@ -0,0 +1,3 @@ +version.sh usr/share/amavisd-cn +src/* usr/share/amavisd-cn +templates/* usr/share/amavisd-cn diff --git a/debian/postinst b/debian/postinst new file mode 100755 index 0000000..f3598f1 --- /dev/null +++ b/debian/postinst 
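Review bot: In debian/init, `wait_for_fds` obtains the PID by `eval`-ing a command string, and the value read from `/var/run/$pidfile` is used in `/proc/$pid/fd` without checking that it is a number. The pid files live under `/var/run/amavis` and `/var/run/clamav`, which debian/postinst in this patch chowns to the service accounts, so this root-run script consumes content those accounts can write. Reading the file directly and rejecting anything that is not all digits, e.g. `pid=$(cat "$pidfile" 2>/dev/null || true)` followed by `case "$pid" in ''|*[!0-9]*) return 1;; esac`, removes both the `eval` and the trust in the file. The table lookups `grep ^$daemon` and `grep -q $fdname` should be quoted as well, and `start`/`stop` should return an error when no row of `$options` matches, because `$script` is then empty and the call becomes `/etc/init.d/ start`.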
@@ -0,0 +1,398 @@ +#!/bin/sh +# last update: jelly+paketi@srce.hr Mon Oct 30 14:37:06 CET 2006 + +set -e + +[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx + +case "$1" in + configure) + # continue below + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + exit 0 + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 0 + ;; +esac + +PATH=/bin:/usr/bin:/sbin:/usr/sbin +export PATH + +. /usr/share/amavisd-cn/version.sh +. /usr/share/carnet-tools/functions.sh +. /usr/share/amavisd-cn/variables.sh +. /usr/share/amavisd-cn/functions.sh + +# Place configuration tweaks done on upgrades into this function +update_conf() { + [ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx + # comment out spam alerts if we're upgrading from + # << 20030616p10-4 in woody, or << 2:20030616p10-5 in sarge, + # or a fresh installation is taking place + if dpkg --compare-versions "$2" lt 20030616p10-4 || \ + { dpkg --compare-versions "$2" ge 2:0 && \ + dpkg --compare-versions "$2" lt 2:20030616p10-5; }; then + if cp_check_and_sed '^\$spam_admin = "spamalert\\@\$mydomain";$' \ + 's/^\(\$spam_admin\b\)/# \1/' $ACONF; then + cp_echo "CN: commented \$spam_admin in $ACONF." + cp_echo "CN: Be sure to whitelist that address if you reenable it!" + cp_echo " If spam detection is enabled for that address, loops may occur." + restart_daemon=1 + fi + fi + # saner defaults - silently discard viruses, and do SMTP-time reject for + # explicitely banned attachments instead of bounces + if dpkg --compare-versions "$2" lt 2:20030616p10-8; then + if cp_check_and_sed \ + '^[ ]*\$final_virus_destiny[ ]*=[ ]*D_BOUNCE' \ + 's/^\([ \t]*\$final_virus_destiny[ \t]*=[ \t]*\)D_BOUNCE/\1D_DISCARD/' \ + $ACONF; then + cp_echo "CN: Discarding viruses (option \$final_virus_destiny)." 
+ restart_daemon=1 + fi + if cp_check_and_sed \ + '^[ ]*\$final_banned_destiny[ ]*=[ ]*D_BOUNCE' \ + 's/^\([ \t]*\$final_banned_destiny[ \t]*=[ \t]*\)D_BOUNCE/\1D_REJECT/' \ + $ACONF; then + cp_echo "CN: Rejecting banned files at SMTP time (option \$final_banned_destiny)." + restart_daemon=1 + fi + fi + if dpkg --compare-versions "$2" lt 2:20030616p10-11 && \ + [ "$domain" != "$host" ]; then + if cp_check_and_sed \ + '^[ ]*\$mydomain[ ]*=[ ]* ["'"']$host['"'"]' \ + 's/^\([ \t]*\$mydomain[ \t]*=[ \t]*\)["'"']$host['"'"]/\1'"'$domain'"/ \ + $ACONF; then + cp_echo "CN: MX for $domain detected, updating \$mydomain." + restart_daemon=1 + fi + fi +} + +# find out which MTA, assume postfix +mta=postfix +ACONFTMPL=$POSTTMPL +TMPLVERSION=$POSTTMPLVERSION +if dpkg -l postfix | grep -q '^.i'; then + . /usr/share/amavisd-cn/postfix.sh +elif dpkg -l sendmail | grep -q '^.i'; then + mta=sendmail + ACONFTMPL=$SENDTMPL + TMPLVERSION=$SENDTMPLVERSION + . /usr/share/amavisd-cn/sendmail.sh +else + # should never happen, we check for this in preinst too! + echo "CN: Ugh, no supported mail-transported-agent could be found?!" >&2 + echo "CN: If you really have a MTA supported by CARNet installed," >&2 + echo "CN: Please inform the maintainer. Assuming ${mta}..." 
>&2 +fi + +# XXX remove at least some of woody cruft for CARNet Debian 2.1+1 +# convert sweep-cn back to "sweep" account, fix uid/gid +if getent passwd sweep > /dev/null; then + check_and_update_ugid sweep /etc/sweep /var/lib/sav /var/spool/intercheck /var/log/sweep.log || true + # chown stuff I forgot in previous versions + if dpkg --compare-versions "$2" lt 20030616p10-3; then + chown -R sweep:sweep /var/spool/intercheck /var/log/sweep.log 2> /dev/null || true + fi + if cp_check_and_sed viruser s/viruser/sweep/ /etc/cron.d/sweep-cn /usr/bin/sophos-ide-update; then + did_sweep="sweep " + fi + if cp_check_and_sed viruser "s/sweep viruser/sweep/g; s/viruser/sweep/g" /etc/samba/smb.conf; then + /etc/init.d/samba reload || true + did_sweep="${did_sweep}smb.conf " + fi +fi # sweep + +# get rid of viruser +if getent passwd viruser > /dev/null || [ -n "$did_sweep" ]; then + # remove viruser account usage + echo -n "CN: Removing viruser: " + [ "$did_sweep" ] && echo -n "$did_sweep" + if cp_check_and_sed '^viruser' s/viruser/clamav/ $ALIASES; then + newaliases 2>&1 > /dev/null + echo -n "aliases " + fi + if cp_check_and_sed "User viruser" \ + s/viruser/clamav/ /etc/clamav/clamd.conf; then + clamav_changed=1 + fi + if cp_check_and_sed "DatabaseOwner viruser" \ + s/viruser/clamav/ /etc/clamav/freshclam.conf; then + clamav_changed=1 + fi + if [ -n "$clamav_changed" ]; then + # add clamav to amavis group + echo -n "c" + id clamav | grep -q amavis || adduser clamav amavis > /dev/null + echo -n "l" + /etc/init.d/clamav-daemon stop > /dev/null || true + pkill -9 /usr/sbin/clamd || true + echo -n "a" + /etc/init.d/clamav-freshclam stop > /dev/null || true + pkill -9 /usr/bin/freshclam || true + echo -n "m" + chown -R clamav:clamav \ + /var/lib/clamav /var/log/clamav /var/run/clamav || true + echo -n "a" + # Don't abort if clamav services do not restart. 
+ /etc/init.d/clamav-daemon start > /dev/null || failed clamav-daemon + /etc/init.d/clamav-freshclam start > /dev/null || failed clamav-freshclam + echo -n "v " + fi + # We'll catch other changes later, just fix user now + if cp_check_and_sed '$daemon_user.*viruser' s/viruser/amavis/g $ACONF; then + stop_amavisd_now=1 + fi + if getent passwd viruser >/dev/null; then + if ls -lnG /var/run/amavis $AHOME |grep -q " $(id -u viruser) " || \ + pgrep -u viruser -f /usr/sbin/amavis-milter > /dev/null || \ + pgrep -u viruser amavisd > /dev/null; then + stop_amavisd_now=1 + fi + fi + if [ -n "$stop_amavisd_now" ]; then + echo -n "a" + if [ -x /etc/init.d/$mta ]; then + /etc/init.d/$mta stop > /dev/null + else + # shouldn't happen either XXX catch it and send to maintainer? + echo -n "iee, no init script for $mta! ignoring... a" + fi + echo -n "m" + if [ -x /etc/init.d/amavisd-new-milter ]; then + /etc/init.d/amavisd-new-milter stop > /dev/null + fi + echo -n "a" + pkill -9 -u viruser -f /usr/sbin/amavis-milter || true + echo -n "v" + /etc/init.d/amavis stop > /dev/null + echo -n "i" + pkill -9 -u viruser -x amavisd || true + chown_ahome=1 # do it later + echo -n "s " + restart_daemon=1 + [ $mta = sendmail ] && restart_milter=1 || true + restart_mta=1 + fi + if getent passwd viruser >/dev/null; then + echo -n "userdel" + userdel viruser + fi + echo "." + cp_echo -mailonly "CN: Removed user viruser." 
+fi # viruser +# added later +if cp_check_and_sed viruser s/viruser/clamav/ \ + /etc/logrotate.d/clamav-daemon /etc/logrotate.d/clamav-freshclam; then + : +fi # viruser + +# $domain will be equal to $host if nothing better can be found +get_domain +domain=$RET + +# sendmail config +if [ "$mta" = sendmail ]; then + update_sendmail + conf_sendmailize +fi # end sendmail config + +# postfix config +if [ "$mta" = postfix ]; then + update_postfix + conf_postfixize +fi # end postfix config + +# amavisd.conf +if [ -f "$ACONFOLD" ]; then + cp_echo "CN: Amavisd configuration is now in $ACONF." + cp_echo " Previous location was $ACONFOLD." + if [ ! -e "$ACONFMOVED" ]; then + mv "$ACONFOLD" "$ACONFMOVED" + cp_echo " Old file renamed to $ACONFMOVED." + fi + cp_echo "" + cp_echo "CN: If you made any changes to $ACONFOLD, they will NOT be moved" + cp_echo "CN: to the new location automatically. You must update the new file" + cp_echo "CN: by yourself, and remove the old file afterwards." +elif [ -f "$ACONFMOVED" ]; then + cp_echo "CN: Remember to remove the old $ACONFMOVED file." +fi +if [ -f $ACONF ]; then + if grep -q _CN_ $ACONF; then + # This is unlikely, actually + if cp_check_and_sed "s/_CN_DOMAIN_/$domain/g; s/_CN_HOST_/$domain/g" $ACONF; then + restart_daemon=1 + fi + else + if egrep -q "^\\\$mydomain = 'example.com'" $ACONF; then + # Debian default or lame sysadmin detected, replace it by template + conf_from_template + elif egrep -q "#CARNet#\\\$mydomain = 'example.com';" $ACONF && + dpkg --compare-versions "$2" eq 2:20030616p5-0; then + # CARNet Debian 2.1 (sarge) CDROM installation detected + noisy_backup $ACONF + conf_from_template + else + # add other fixups to update_conf() above + update_conf $* + fi + fi +fi +# nonexistent or empty config +if [ ! -f $ACONF -o ! -s $ACONF ]; then + # Create fresh config from template + conf_from_template +fi + +# check for SAVI: +# if not there, comment it out, if there, uncomment and restart +if ! 
dpkg -l libsavi-perl bunch-perl-modules-cn 2> /dev/null | \ + egrep -q '^.i' || \ + ! [ -f /usr/lib/libsavi.so ]; then + if cp_check_and_sed "^\['Sophos SAVI'" \ + "s/^\(\['Sophos SAVI', ..sophos_savi \]\)/#\1/" $ACONF; then + cp_echo "CN: Disabled SAVI::Perl usage in ${ACONF}." + cp_echo " To enable it, run sophos-sweep-update, uncomment and restart amavis." + fi +else + if cp_check_and_sed "^#\['Sophos SAVI'" \ + "s/^#\(\['Sophos SAVI', ..sophos_savi \]\)/\1/" $ACONF; then + cp_echo "CN: Enabled SAVI::Perl usage in ${ACONF}." + restart_daemon=1 + fi +fi + +check_and_add_alias virusalert root +check_and_add_alias spamalert root + +# touch some required files XXX check if necessary for 2.4 +if [ ! -f $WLIST ]; then + touch $WLIST + chown_ahome=1 +fi + +if [ ! -f $BLIST ]; then + touch $BLIST + chown_ahome=1 +fi + +if [ ! -f $AHOME/.spamassassin/user_prefs ] ; then + [ -d $AHOME/.spamassassin ] || mkdir -p $AHOME/.spamassassin + cat > $AHOME/.spamassassin/user_prefs <<-EEND + bayes_path $AHOME/.spamassassin/bayes + bayes_auto_expire 0 + auto_whitelist_path $AHOME/.spamassassin/auto-whitelist + EEND + chown_ahome=1 +fi + +if [ ! 
-f $AHOME/.spamassassin/auto-whitelist ] ; then + touch $AHOME/.spamassassin/auto-whitelist + chown_ahome=1 +fi + +# Raid over rc2.d +if [ -x "/etc/init.d/sendmail" -a -e /etc/rc2.d/S20sendmail ]; then + update-rc.d -f sendmail remove >/dev/null 2>/dev/null + update-rc.d sendmail defaults 21 19 >/dev/null +fi +if [ -n "$(find /etc/rc2.d -name S18clam\*)" ]; then + update-rc.d -f clamav-daemon remove >/dev/null + update-rc.d clamav-daemon defaults 22 18 >/dev/null +fi + +# Cleanup and finalization +if dpkg --compare-versions "$2" lt 2:20030616p10-4; then + update-rc.d -f amavisd remove > /dev/null + restart_daemon=1 + chown_ahome=1 + # a complicated way to say chmod 750 + dpkg-statoverride --remove $AHOME > /dev/null || true + dpkg-statoverride --update --add amavis amavis 750 $AHOME +fi + +if [ -n "$chown_ahome" ]; then + # might be slow + echo -n "CN: Fixing ownership in /var/*/amavis... " + chown -R amavis:amavis $AHOME /var/run/amavis || true + echo "done." + cp_echo -mailonly "CN: Fixed ownerships in /var/*/amavis." +fi + +# kill naughty pyzor descendants +if dpkg --compare-versions "$2" lt "2:20030616p10-7" && \ + pgrep -u amavis -f '/usr/bin/pyzor check' > /dev/null; then + /etc/init.d/amavisd-cn stop + pkill -9 -u amavis -f '/usr/bin/pyzor check' > /dev/null || true + /etc/init.d/amavisd-cn start + restart_daemon= + restart_mta= +fi + +# START AMAVISD +# about a half of amavisd-cn script is here +if [ "$restart_daemon" -a -x /etc/init.d/amavis.amavisd-new ]; then + /etc/init.d/amavis.amavisd-new restart +fi +# always check that the daemons are running +if ! wait_for_fds amavis; then + /etc/init.d/amavis.amavisd-new start + wait_for_fds amavis +fi +if [ "$mta" = sendmail ]; then + if [ "$restart_daemon" -a -x /etc/init.d/amavisd-new-milter ]; then + /etc/init.d/amavisd-new-milter restart + restart_mta=1 + fi + # always check that the daemons are running + if ! 
wait_for_fds milter; then + /etc/init.d/amavisd-new-milter start + wait_for_fds milter + restart_mta=1 + fi +elif [ "$restart_mta" ]; then + /etc/init.d/$mta restart +fi + +# this needs to be updated when $CRONTAB file changes +if dpkg --compare-versions "$2" lt "2:20030616p10-4"; then + cp_echo "" + cp_echo "CN: Deleting temp files older than 1 day every day at 01:35 AM" + cp_echo "CN: Deleting spam-mail older than 7 days every day at 03:15 AM" + cp_echo "CN: Deleting virus-mail older than 7 days every day at 04:25 AM" + cp_echo " (can be changed in $CRONTAB)" +fi +# display this message just once... maybe use debconf instead +if dpkg --compare-versions "$2" lt "2:20030616p10-4"; then + cp_echo "" + cp_echo "CN: To stop, start or restart all of the clamav+amavis+mta components," + cp_echo "CN: use the /etc/init.d/amavisd-cn script." +fi +if [ "$failed" ]; then + cp_echo "" + cp_echo "CN: Services $failed failed to restart!" + cp_echo "CN: Please check and start manually if needed." +fi + +# Upgrade, but no automatically changed config; +# warn if new template available +if [ -n "$2" -a -z "$changed_config" ] && \ + dpkg --compare-versions "$2" lt "$TMPLVERSION"; then + cp_echo "" + cp_echo "CN: It seems you have upgraded this package from version $2." + cp_echo "CN: Configuration template for $mta was modified in version ${TMPLVERSION}." + cp_echo " You might want to review the changes, or simply copy the new template and" + cp_echo " and replace the _CN_DOMAIN_ string with an adequate value:" + cp_echo " cp $ACONFTMPL $ACONF" + cp_echo " perl -pi -e 's/_CN_DOMAIN_/$domain/g' $ACONF" +fi + +cp_mail $PKG $VERSION diff --git a/debian/postrm b/debian/postrm new file mode 100755 index 0000000..e099a6a --- /dev/null +++ b/debian/postrm 
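Review bot: The `chown -R` calls in debian/postinst run as root over trees the unprivileged service accounts can write (`chown -R amavis:amavis $AHOME /var/run/amavis`, `chown -R clamav:clamav /var/lib/clamav /var/log/clamav /var/run/clamav`), so a hard link left in one of those trees by a compromised scanner process would be given to that account on the next upgrade. `chown_ahome` is also set merely because the script has just created `$WLIST`, `$BLIST` or the files under `$AHOME/.spamassassin`; in that case `chown -h amavis:amavis` on exactly those paths is enough, and the recursive pass can be reserved for the one-time viruser migration. Separately, `pkill -9 /usr/sbin/clamd` and `pkill -9 /usr/bin/freshclam` lack `-f`, so the path is compared with the process name only and never matches. The call `cp_check_and_sed "s/_CN_DOMAIN_/$domain/g; s/_CN_HOST_/$domain/g" $ACONF` passes two arguments where every other call passes a pattern, a sed script and a file, which looks like a missing first argument (the helper is defined outside this patch, so this should be confirmed there).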
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = remove ]; then
+ rm -f /etc/init.d/amavis
+ dpkg-divert --quiet --package amavisd-cn --remove --rename \
+ --divert /etc/init.d/amavis.amavisd-new /etc/init.d/amavis || true
+fi
+
+if [ "$1" = purge ]; then
+ # REMOVING /var/lib/amavis/amavis* and /var/run/amavis
+ # /var/run/amavis now deleted in /etc/init.d/amavisd
+ # keeping virusmails until --purge is used
+ rm -fr /var/lib/amavis/amavis*
+fi
diff --git a/debian/preinst b/debian/preinst
new file mode 100755
index 0000000..1767ee1
--- /dev/null
+++ b/debian/preinst
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+mv_init () {
+ echo -n " Renaming to /etc/init.d/amavis.dpkg-old... "
+ mv /etc/init.d/amavis /etc/init.d/amavis.dpkg-old
+ echo "done."
+}
+
+if [ "$1" = install -o "$1" = upgrade ]; then
+ dpkg-divert --quiet --package amavisd-cn --rename \
+ --divert /etc/init.d/amavis.amavisd-new /etc/init.d/amavis
+
+ # link not in package because woody's dpkg behaves strange when it is
+ if [ ! -h /etc/init.d/amavis ]; then
+ if [ -e /etc/init.d/amavis ]; then
+ echo "CN: Found unknown file at /etc/init.d/amavis."
+ mv_init
+ fi
+ ln -s amavisd-cn /etc/init.d/amavis
+ elif ! readlink /etc/init.d/amavis | grep -q '^amavisd-cn$'; then
+ # Symlink in place, but does it point to us?
+ echo "CN: Shouldn't happen: found strange /etc/init.d/amavis link."
+ mv_init
+ ln -s amavisd-cn /etc/init.d/amavis
+ fi
+fi
diff --git a/debian/prerm b/debian/prerm
new file mode 100755
index 0000000..c3e9da1
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+set -e
+[ "$DEBIAN_SCRIPT_DEBUG" ] && set -x
+
+. /usr/share/carnet-tools/functions.sh
+
+PKG=amavisd-cn
+MAILDIR=/etc/mail
+ALIASES=/etc/aliases
+sendmail_cf=$MAILDIR/sendmail.cf
+sendmail_mc=$MAILDIR/sendmail.mc
+submit_mc=$MAILDIR/submit.mc
+ct_file=$MAILDIR/trusted-users
+main_cf=/etc/postfix/main.cf
+master_cf=/etc/postfix/master.cf
+
+del_postconf() {
+ egrep -v "^$1[[:blank:]]*=[[:blank:]]*" $main_cf > $main_cf.dpkg-tmp.$$
+ cp_mv $main_cf.dpkg-tmp.$$ $main_cf
+}
+
+if [ "$1" = remove ]; then
+ # sendmail?
+ if grep -q $PKG $sendmail_mc $submit_mc 2>&- || \
+ grep -q '^amavis$' $ct_file 2>&- ; then
+ echo "Removing sendmail configuration for ${PKG}... "
+ cp-update -r -c dnl $PKG $sendmail_mc >&-
+ cp-update -r -c dnl $PKG $submit_mc >&-
+ grep -v '^amavis$' $ct_file > ${ct_file}.dpkg-tmp.$$ || true
+ cp_mv ${ct_file}.dpkg-tmp.$$ $ct_file
+ make -C /etc/mail 2>&1 | grep -v 'issue .*/etc/init.d/sendmail reload' 1>&2 || true
+ echo "Removed sendmail configuration for ${PKG}."
+ if pgrep -u root -f 'sendmail: MTA: accepting connections' >&- ; then
+ /etc/init.d/sendmail reload
+ if ! pgrep -u root -f 'sendmail: MTA: accepting connections' >&- ; then
+ echo 'CN: Something bad happened to sendmail on reload!' 1>&2
+ exit 1
+ fi
+ # Everything went well, apparently. Remove old backup files.
+ rm -f $sendmail_cf.$PKG
+ rm -f $sendmail_mc.$PKG
+ rm -f $submit_mc.$PKG
+ fi
+ fi
+ # postfix?
+ if grep -q $PKG $master_cf; then
+ cp-update -r $PKG $master_cf >&-
+ del_postconf content_filter
+ echo "Removed postfix configuration for ${PKG}."
+ if pgrep -u root -f /usr/lib/postfix/master >&- && \
+ [ -x /etc/init.d/postfix ] >&- ; then
+ /etc/init.d/postfix restart
+ fi
+ fi
+ cp-update -r $PKG $ALIASES >&-
+ newaliases
+fi
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..d92f2b4
--- /dev/null
+++ b/debian/rules
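Review bot: The `>&-` and `2>&-` redirections used throughout debian/prerm close the descriptor instead of discarding output, so the child process starts with no stdout or stderr at all. A program started that way can be handed descriptor 1 or 2 by its next open(), and whatever it later prints ends up in that file. For `cp-update -r $PKG $master_cf >&-` that file could be the Postfix configuration being edited; cp-update is not visible here, so this is a hazard to rule out rather than a confirmed fault. Redirecting to the null device removes it, e.g. `cp-update -r $PKG $master_cf >/dev/null` and `grep -q '^amavis$' $ct_file 2>/dev/null`. The same idiom appears in the `patch --dry-run` calls in src/postfix.sh and src/sendmail.sh.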
@@ -0,0 +1,87 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+
+ touch configure-stamp
+
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+
+ # Add here commands to compile the package.
+ # $(MAKE)
+ # pod2man debian/carnet-tools-cn/usr/sbin/cp-update > cp-update.1
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+
+ # Add here commands to clean up after the build process.
+ # -$(MAKE) clean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/carnet-tools-cn.
+ # $(MAKE) install DESTDIR=$(CURDIR)/debian/carnet-tools-cn
+
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+# dh_installchangelogs -k
+ dh_installdocs
+# dh_installexamples
+ dh_install
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+ dh_installinit -n
+ dh_installcron
+# dh_installinfo
+# dh_installman
+# dh_link
+# dh_strip
+# dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+# dh_makeshlibs
+ dh_installdeb
+# dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
diff --git a/src/functions.sh b/src/functions.sh
new file mode 100644
index 0000000..b67aaab
--- /dev/null
+++ b/src/functions.sh
@@ -0,0 +1,174 @@ +##### +## +## first, some generic functions +## + +# find first free uid/gid in range +# find_id passwd 100 999 +find_id() { + local db first last ids + db=$1 + first=$2 + last=$3 + ids=$(getent $db | awk -F: "\$3 >= $first && \$3 <= $last {print \$3}") + for i in $(seq $first $last) + do + if ! echo $ids |grep -q $i; then + echo $i + return 0 + fi + done + return 1 +} + +# +# Update uid for user from reserved system range (0-99) to dynamic system +# range (100-999). Optionally update ownerships of given directories. +# $0 user [directory ...] +# +check_and_update_ugid() { + local user newgid newuid + user=$1 + if [ "$(getent passwd $user | awk -F: '$3 >= 100 {print "ok"; exit 0}')" ]; then + return 0 + fi + shift + newgid=$(find_id group 100 999) + newuid=$(find_id passwd 100 999) + # other directories/files + chown -R $newuid:$newgid $* 2>/dev/null || true + groupmod -g $newgid $user + usermod -u $newuid -g $newgid $user + cp_echo "CN: Fixed $user user uid/gid." +} + +wait_for_fds () { + # wait until process shows some I/O readiness :) + [ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx + local name IFSOLD num sleep maxtry script user psname pidfile fdname + name="$1" + [ -z "$name" ] && return 1 + IFSOLD="$IFS" + IFS=" " # tab + read name script user psname pidfile num fdname <<-EOPTS + $(echo "$options" | sed 's/ */ /g' | grep ^$name) + EOPTS + IFS="$IFSOLD" + num=${num:-4} + sleep=${sleep:-1} + maxtry=${maxtry:-10} + if [ -n "$pidfile" ]; then + pidfile=/var/run/$pidfile + findpid="[ -f $pidfile ] && cat $pidfile || true" + else + findpid="pgrep -u $user -f \"$psname\" -P 1 | head -1" + fi + + # loop the loop the loop + try=1 + while /bin/true + do + sleep $sleep # 1st, give it a chance to run + pid=`eval $findpid` # 2nd: find it + [ -z "$pid" ] && return 1 # not running at all + count=`ls -1 /proc/$pid/fd 2> /dev/null| wc -l` # 3rd: count all it's worth + [ "$count" -ge "$num" ] && ls -l /proc/$pid/fd | grep -q $fdname \ + && return # success -- 
release + try=$(($try+1)) + [ "0$try" -ge "0$maxtry" ] && return 1 # no luck this time + done +} + +failed() { + if [ -n "$failed" ]; then + failed="$failed, $1" + else + failed="$1" + fi +} + +check_and_add_alias () { + if ! grep -q "^$1:" $ALIASES; then + echo "$1: $2" >> $ALIASES + # both postfix and sendmail use newaliases + newaliases > /dev/null + fi +} + +noisy_backup() { + cp_backup_conffile "$1" + cp_echo "CN: Current configuration saved in /var/backups/`basename $1`.bak" +} + +# if fqdn is name.dom3.dom2.dom1.hr, check if this host is MX for +# either dom3.dom2.dom1.hr, dom2.dom1.hr or dom1.hr and dump highest level +# domain on stdout +get_domain() { + local domains d + RET=$host + if ! echo $host | grep -q '\.'; then + return + fi + if [ ! -x /usr/bin/host ]; then + cp_echo "CN: no host command... \$mydomain value might be unoptimal." + return + fi + domains=$(hostname -f | awk -F'\.' ' + { + for (i=2; i> $ACONF + restart_daemon=1 + changed_config=1 +} diff --git a/src/postfix.sh b/src/postfix.sh new file mode 100644 index 0000000..e851632 --- /dev/null +++ b/src/postfix.sh 
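Review bot: In check_and_update_ugid, `chown -R $newuid:$newgid $* 2>/dev/null || true` runs as root and re-owns every entry under the directories it is given, which by the function's stated purpose belong to the service account being renumbered. If that account can write there, a hard link to a file it does not own would be handed over to it by the recursive chown, and the discarded errors mean a partial failure goes unnoticed. Limiting the change to entries the old uid already owns avoids both: record `olduid=$(id -u "$user")` before the change, then run `find "$@" -xdev -user "$olduid" -exec chown -h "$newuid:$newgid" {} +`. Part of this hunk (get_domain through the tail of conf_from_template) is damaged on the page, so those functions were not reviewed.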
@@ -0,0 +1,77 @@ +update_postfix() { + # set up master.cf + if [ -f /etc/postfix/master.cf ] && \ + ! grep -q smtp-amavis /etc/postfix/master.cf; then + cp-update $PKG /etc/postfix/master.cf <<-EOF + smtp-amavis unix - - n - 2 smtp + -o smtp_data_done_timeout=1200 + -o disable_dns_lookups=yes + -o smtp_line_length_limit=0 + -o notify_classes=protocol,resource,software + -o max_use=10 + + 127.0.0.1:10025 inet n - n - - smtpd + -o content_filter= + -o local_recipient_maps= + -o smtpd_helo_restrictions= + -o smtpd_client_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8 + -o strict_rfc821_envelopes=yes + EOF + fi + + # main.cf + postconf -e content_filter="smtp-amavis:[127.0.0.1]:10024" +} + +conf_postfixize() { + local tmp + tmp=`basename $ACONF.dpkg-tmp.$$` + noisy_backup $ACONF + # detect non-postfix config + # XXX add $inet_socket_port & $inet_socket_bind + if egrep -q '^[[:blank:]]*\$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' $ACONF || \ + ! ( egrep -q '^\$forward_method = '\''smtp:127.0.0.1:10025'\'';[[:blank:]]*(#|$)' $ACONF && \ + egrep -q '^\$notify_method = \$forward_method;[[:blank:]]*(#|$)' $ACONF && \ + egrep -q '^\$inet_socket_port.*10024' $ACONF && \ + egrep -q '^\$inet_socket_bind' $ACONF ); then + if catpatch $ACONF | patch -sfp0 --dry-run >&- 2>&-; then + oldpwd=`pwd` + cd `dirname $ACONF` + cp -p $ACONF $tmp + catpatch $tmp | patch -fp0 + cp_mv $tmp $ACONF + cd $oldpwd + cp_echo -mailonly "CN: $ACONF patched for postfix." 
+ # then try to update exact options without disturbing anything else + elif commented_in_paragraph '^[[:blank:]]*#.*POSTFIX' \ + '^$forward_method = '\''smtp:127.0.0.1:10025'\'';[[:blank:]]*(#|$)' \ + '^\$notify_method = \$forward_method;[[:blank:]]*(#|$)' \ + -f $ACONF && + uncommented_in_paragraph '^[[:blank:]]*#.*MILTER' \ + '$forward_method = undef;[[:blank:]]*(#|$)' \ + '$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' \ + -f $ACONF; then + cp $ACONF $tmp + uncomment_in_paragraph '^[[:blank:]]*#.*POSTFIX' \ + '^$forward_method = '\''smtp:127.0.0.1:10025'\'';[[:blank:]]*(#|$)' \ + '^\$notify_method = \$forward_method;[[:blank:]]*(#|$)' \ + -f $tmp + comment_in_paragraph '^[[:blank:]]*#.*MILTER' \ + '$forward_method = undef;[[:blank:]]*(#|$)' \ + '$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' \ + -f $tmp + cp_mv $tmp $ACONF + cp_echo "CN: $ACONF updated for ${mta}." + # or just use the template + else + conf_from_template + cp_echo "CN: Config generated from ${ACONFTMPL}." + fi + restart_daemon=1 + changed_config=1 + fi + restart_mta=1 +} diff --git a/src/postfixize.sh b/src/postfixize.sh new file mode 100755 index 0000000..8334b7a --- /dev/null +++ b/src/postfixize.sh 
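Review bot: In conf_postfixize, `tmp` holds only a basename, and the second branch (`cp $ACONF $tmp` through `cp_mv $tmp $ACONF`) never changes directory, so the working copy of amavisd.conf is created wherever the maintainer script was started, under a predictable `.dpkg-tmp.$$` name. When that is a shared directory, a root-owned write to a guessable name can follow a link placed there beforehand, and `cp` without `-p` also drops the original mode before the file is moved back. The first branch already does `cd` to the config directory and uses `cp -p`. The second should work on a full path instead, e.g. `tmp=$ACONF.dpkg-tmp.$$` at the top of that branch followed by `cp -p $ACONF $tmp`. conf_sendmailize in src/sendmail.sh has the same pattern.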
@@ -0,0 +1,49 @@
+#!/bin/sh
+# last update: jelly+paketi@srce.hr Thu Jun 29 22:08:49 CEST 2006
+
+set -e
+
+[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+export PATH
+
+. /usr/share/amavisd-cn/version.sh
+. /usr/share/carnet-tools/functions.sh
+. /usr/share/amavisd-cn/variables.sh
+. /usr/share/amavisd-cn/functions.sh
+
+# find out which MTA, assume postfix
+mta=postfix
+ACONFTMPL=$POSTTMPL
+TMPLVERSION=$POSTTMPLVERSION
+if dpkg -l postfix | grep -q '^.i'; then
+ . /usr/share/amavisd-cn/postfix.sh
+else
+ # should never happen
+ echo "CN: Don't invoke this script unless you have $mta installed!" >&2
+ exit 1
+fi
+
+# postfix config
+if [ "$mta" = postfix ]; then
+ update_postfix
+ conf_postfixize
+fi # end postfix config
+
+# nonexistent or empty config
+if [ ! -f $ACONF -o ! -s $ACONF ]; then
+ # should never happen
+ echo "CN: Can't find $ACONF?!" >&2
+ exit 2
+fi
+
+# START AMAVISD
+if [ "$restart_daemon" -a -x /etc/init.d/amavis.amavisd-new ]; then
+ /etc/init.d/amavis.amavisd-new restart
+fi
+# always check that the daemons are running
+if ! wait_for_fds amavis; then
+ /etc/init.d/amavis.amavisd-new start < /dev/null
+ wait_for_fds amavis
+fi
diff --git a/src/sendmail.sh b/src/sendmail.sh
new file mode 100644
index 0000000..a39d6a5
--- /dev/null
+++ b/src/sendmail.sh
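Review bot: src/postfixize.sh never acts on `restart_mta`, which conf_postfixize sets to 1 after update_postfix has added the smtp-amavis and 127.0.0.1:10025 services to master.cf and set content_filter in main.cf. The script restarts amavisd when `restart_daemon` is set, but Postfix is left running with its old service table, so the filter path may be only half in place until someone reloads it by hand. If that is not intentional, a final step such as `if [ "$restart_mta" ]; then /etc/init.d/$mta restart; fi` after the amavisd check would finish the job. Because of `set -e`, the last `wait_for_fds amavis` also ends the script silently when the daemon does not come up; `wait_for_fds amavis || { echo "CN: amavisd did not start" >&2; exit 3; }` would tell the administrator why.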
@@ -0,0 +1,105 @@ +update_sendmail_mc() { + cp-update -c dnl $PKG $sendmail_mc <<-END + define(\`MILTER', 1)dnl + INPUT_MAIL_FILTER(\`amavis-milter', \`S=local:$AHOME/amavisd-new-milter.sock, F=T, T=S:10m;R:10m;E:10m')dnl + dnl Reducing number of messages in syslog for milter + define(\`confMILTER_LOG_LEVEL', \`4')dnl + END + #' XXX stupid joe syntax highlighing +} + +# sendmail chunk moved out from postinst in 20030616p10-10 +update_sendmail() { + if [ -f $sendmail_mc ]; then + # creating backup files, just in case + cp -p $sendmail_mc $sendmail_mc.$PKG + mcbak=1 + cp -p $sendmail_cf $sendmail_cf.$PKG + cfbak=1 + + if ! egrep -q '^INPUT_MAIL_FILTER.*amavis-milter' $sendmail_mc; then + update_sendmail_mc + makecf=1 + elif grep -q 'Begin update by CARNet package amavisd-cn' $sendmail_mc; then + update_sendmail_mc + makecf=1 + elif grep -q 'local:/var/run/amavis/amavis-milter.sock' $sendmail_mc; then + echo "CN: You seem to have a custom configuration for milter in" + echo " ${sendmail_mc}. I'll try to fix it but I don't promise anything." + echo " Things might break or behave unexpectedly." + cp_echo -mailonly "CN: Tried to fix custom milter config in ${sendmail_mc}." + cp_check_and_sed "/var/run/amavis/amavis-milter.sock" \ + "s,/var/run/amavis/amavis-milter.sock,$AHOME/amavisd-new-milter.sock," \ + $sendmail_mc + makecf=1 + fi + fi # sendmail.mc + + # submit.mc: use /etc/mail/trusted-users, and add user amavis + # to get rid of Authentication-Warnings + if [ -f "$submit_mc" ]; then + cp -p $submit_mc $submit_mc.$PKG + subak=1 + if ! grep -q use_ct_file $submit_mc; then + cp-update -R --insert-before '^FEATURE\(`?msp' -c dnl $PKG $submit_mc <<-END + FEATURE(\`use_ct_file')dnl + END + grep -q '^amavis$' $ct_file || echo amavis >> $ct_file + echo "CN: Added FEATURE(use_ct_file) to $submit_mc." 
+ fi + fi # submit.mc + + if [ "$makecf" ]; then + make -C /etc/mail >/dev/null 2>&1 + restart_mta=1 + else + [ "$mcbak" ] && rm -f $sendmail_mc.$PKG + [ "$cfbak" ] && rm -f $sendmail_cf.$PKG + [ "$subak" ] && rm -f $submit_mc.$PKG + fi +} + +conf_sendmailize() { + local tmp oldpwd + tmp=`basename $ACONF.dpkg-tmp.$$` + noisy_backup $ACONF + # are we configured for milter? + if ! egrep -q '^[[:blank:]]*\$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' $ACONF; then + # first try to apply patch + if catpatch $ACONF | patch -Rsfp0 --dry-run 2>&- ; then + oldpwd=`pwd` + cd `dirname $ACONF` + cp -p $ACONF $tmp + catpatch $tmp | patch -Rfp0 + cp_mv $tmp $ACONF + cd $oldpwd + cp_echo -mailonly "CN: $ACONF postfix patch removed." + # then try to update exact options without disturbing anything else + elif uncommented_in_paragraph '^[[:blank:]]*#.*POSTFIX' \ + '^$forward_method = '\''smtp:127.0.0.1:10025'\'';[[:blank:]]*(#|$)' \ + '^\$notify_method = \$forward_method;[[:blank:]]*(#|$)' \ + -f $ACONF && + commented_in_paragraph '^[[:blank:]]*#.*MILTER' \ + '$forward_method = undef;[[:blank:]]*(#|$)' \ + '$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' \ + -f $ACONF; then + cp $ACONF $tmp + comment_in_paragraph '^[[:blank:]]*#.*POSTFIX' \ + '^$forward_method = '\''smtp:127.0.0.1:10025'\'';[[:blank:]]*(#|$)' \ + '^\$notify_method = \$forward_method;[[:blank:]]*(#|$)' \ + -f $tmp + uncomment_in_paragraph '^[[:blank:]]*#.*MILTER' \ + '$forward_method = undef;[[:blank:]]*(#|$)' \ + '$notify_method = .*argv=/usr/sbin/sendmail -Ac.*-odd' \ + -f $tmp + cp_mv $tmp $ACONF + cp_echo "CN: $ACONF updated for ${mta}." + # or just overwrite + else + conf_from_template + cp_echo "CN: Config generated from ${ACONFTMPL}." + fi + restart_daemon=1 + changed_config=1 + fi +} diff --git a/src/variables.sh b/src/variables.sh new file mode 100644 index 0000000..6652536 --- /dev/null +++ b/src/variables.sh 
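Review bot: The patterns that conf_sendmailize passes to uncommented_in_paragraph, commented_in_paragraph and the comment_/uncomment_ helpers escape `$` inconsistently. `'^\$notify_method = \$forward_method;…'` escapes it, while `'^$forward_method = …'`, `'$forward_method = undef;…'` and `'$notify_method = .*argv=…'` do not. Those helpers are not readable on this page, but if they treat the argument as an extended regular expression, an unescaped `$` is an end-of-line anchor and the pattern cannot match. Whenever the patch does not apply, the function would then fall through to conf_from_template and regenerate a locally edited amavisd.conf. Writing them as `'^\$forward_method = …'`, `'\$forward_method = undef;…'` and `'\$notify_method = .*argv=…'` matches the egrep test at the top of the function. conf_postfixize in src/postfix.sh carries the same four patterns.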
@@ -0,0 +1,28 @@
+PKG=amavisd-cn
+AHOME=/var/lib/amavis
+MAILDIR=/etc/mail
+ALIASES=/etc/aliases
+sendmail_cf=$MAILDIR/sendmail.cf
+sendmail_mc=$MAILDIR/sendmail.mc
+submit_mc=$MAILDIR/submit.mc
+ct_file=$MAILDIR/trusted-users
+CRONTAB=/etc/cron.d/$PKG
+ACONFOLD=/etc/amavisd.conf
+ACONFMOVED=/etc/amavisd.conf.cn-old
+ACONF=/etc/amavis/amavisd.conf
+POSTTMPL=/usr/share/$PKG/amavisd.conf.postfix-template
+SENDTMPL=/usr/share/$PKG/amavisd.conf.sendmail-template
+postdiff=/usr/share/$PKG/sendmail-to-postfix.diff
+BLIST=$AHOME/blacklist_sender
+WLIST=$AHOME/whitelist_sender
+# domain is set in postinst
+host=$(/bin/hostname -f)
+
+# options for daemons:
+# name init.d/script user ps name for pgrep -f pidfile, relative to /var/run num-fds last-fd-name
+options='
+clamd clamav-daemon clamav /usr/sbin/clamd clamav/clamd.pid 5 clamav.log
+amavis amavis.amavisd-new amavis amavisd \\(master\\) amavis/amavisd.pid 5 socket
+milter amavisd-new-milter amavis /usr/sbin/amavis-milter amavis/amavisd-new-milter.pid 5 socket
+'
+# note: pgrep -f takes a regexp, and this is shell expanded once, hence \\
diff --git a/templates/amavisd.conf.postfix-template b/templates/amavisd.conf.postfix-template
new file mode 100644
index 0000000..afc46c7
--- /dev/null
+++ b/templates/amavisd.conf.postfix-template
@@ -0,0 +1,1510 @@ +use strict; + +# Configuration file for amavisd-new +# Defaults modified for the Debian amavisd-new package +# $Id: amavisd.conf,v 1.27.2.2 2004/11/18 23:27:55 hmh Exp $ +# +# This software is licensed under the GNU General Public License (GPL). +# See comments at the start of amavisd-new for the whole license text. + +#Sections: +# Section I - Essential daemon and MTA settings +# Section II - MTA specific +# Section III - Logging +# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine +# Section V - Per-recipient and per-sender handling, whitelisting, etc. +# Section VI - Resource limits +# Section VII - External programs, virus scanners, SpamAssassin +# Section VIII - Debugging + +#GENERAL NOTES: +# This file is a normal Perl code, interpreted by Perl itself. +# - make sure this file (or directory where it resides) is NOT WRITABLE +# by mere mortals (not even vscan/amavis; best to make it owned by root), +# otherwise it represents a severe security risk! +# - for values which are interpreted as booleans, it is recommended +# to use 1 for true, undef for false. +# THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "no" also meant false, +# now it means true, like any nonempty string does! +# - Perl syntax applies. Most notably: strings in "" may include variables +# (which start with $ or @); to include characters @ and $ in double +# quoted strings, precede them by a backslash; in single-quoted strings +# the $ and @ lose their special meaning, so it is usually easier to use +# single quoted strings (or qw operator) for e-mail addresses. +# Still, in both cases a backslash needs to be doubled. +# - variables with names starting with a '@' are lists, the values assigned +# to them should be lists as well, e.g. ('one@foo', $mydomain, "three"); +# note the comma-separation and parenthesis. 
If strings in the list +# do not contain spaces nor variables, a Perl operator qw() may be used +# as a shorthand to split its argument on whitespace and produce a list +# of strings, e.g. qw( one@foo example.com three ); Note that the argument +# to qw is quoted implicitly and no variable interpretation is done within +# (no '$' variable evaluations). The #-initiated comments can NOT be used +# within a string. In other words, $ and # lose their special meaning +# within a qw argument, just like within '...' strings. +# - all e-mail addresses in this file and as used internally by the daemon +# are in their raw (rfc2821-unquoted and non-bracketed) form, i.e. +# Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com +# and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'. +# - the term 'default value' in examples below refers to the value of a +# variable pre-assigned to it by the program; any explicit assignment +# to a variable in this configuration file overrides the default value; + + +# +# Section I - Essential daemon and MTA settings +# + +# $MYHOME serves as a quick default for some other configuration settings. +# More refined control is available with each individual setting further down. +# $MYHOME is not used directly by the program. No trailing slash! +$MYHOME = '/var/lib/amavis'; # (default is '/var/amavis') + +# $mydomain serves as a quick default for some other configuration settings. +# More refined control is available with each individual setting further down. +# $mydomain is never used directly by the program. 
+$mydomain = '_CN_DOMAIN_'; # (no useful default) + +# $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3) + +# Set the user and group to which the daemon will change if started as root +# (otherwise just keeps the UID unchanged, and these settings have no effect): +$daemon_user = 'amavis'; # (no default (undef)) +$daemon_group = 'amavis'; # (no default (undef)) + +# Runtime working directory (cwd), and a place where +# temporary directories for unpacking mail are created. +# if you change this, you might want to modify the cleanup() +# function in /etc/init.d/amavisd-new +# (no trailing slash, may be a scratch file system) +$TEMPBASE = $MYHOME; # (must be set if other config vars use is) +#$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean? + +# $helpers_home sets environment variable HOME, and is passed as option +# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory +# on a normal persistent file system, not a scratch or temporary file system +#$helpers_home = $MYHOME; # (defaults to $MYHOME) + +# Run the daemon in the specified chroot jail if nonempty: +#$daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot) + +$pid_file = "/var/run/amavis/amavisd.pid"; # (default: "$MYHOME/amavisd.pid") +$lock_file = "/var/run/amavis/amavisd.lock"; # (default: "$MYHOME/amavisd.lock") + +# set environment variables if you want (no defaults): +$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory +#... 
+ + +# MTA SETTINGS, UNCOMMENT AS APPROPRIATE, +# both $forward_method and $notify_method default to 'smtp:127.0.0.1:10025' + +# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4 +# (set host and port number as required; host can be specified +# as IP address or DNS name (A or CNAME, but MX is ignored) +$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail +$notify_method = $forward_method; # where to submit notifications + +# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST +# uncomment the appropriate settings below if using other setups! + +# SENDMAIL MILTER, using amavis-milter.c helper program: +# SEE amavisd-new-milter package docs FOR DEBIAN INSTRUCTIONS +#$forward_method = undef; # no explicit forwarding, sendmail does it by itself +# milter; option -odd is needed to avoid deadlocks +#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}'; +# just a thought: can we use use -Am instead of -odd ? + +# SENDMAIL (old non-milter setup, as relay): +#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}'; +#$notify_method = $forward_method; + +# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent): +#$forward_method = undef; # no explicit forwarding, amavis.c will call LDA +#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}'; + +# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead): +#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}'; +#$notify_method = $forward_method; + +# prefer to collect mail for forwarding as BSMTP files? +#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp"; +#$notify_method = $forward_method; + + +# Net::Server pre-forking settings +# You may want $max_servers to match the width of your MTA pipe +# feeding amavisd, e.g. 
with Postfix the 'Max procs' field in the +# master.cf file, like the '2' in the: smtp-amavis unix - - n - 2 smtp +# +$max_servers = 2; # number of pre-forked children (default 2) +$max_requests = 10; # retire a child after that many accepts (default 10) + +$child_timeout=5*60; # abort child if it does not complete each task in n sec + # (default: 8*60 seconds) + +# Check also the settings of @av_scanners at the end if you want to use +# virus scanners. If not, you may want to delete the whole long assignment +# to the variable @av_scanners, which will also remove the virus checking +# code (e.g. if you only want to do spam scanning). + +# Here is a QUICK WAY to completely DISABLE some sections of code +# that WE DO NOT WANT (it won't even be compiled-in). +# For more refined controls leave the following two lines commented out, +# and see further down what these two lookup lists really mean. +# +# @bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code +# @bypass_spam_checks_acl = qw( . ); # uncomment to DISABLE anti-spam code +# +# Any setting can be changed with a new assignment, so make sure +# you do not unintentionally override these settings further down! + +# Lookup list of local domains (see README.lookups for syntax details) +# +# NOTE: +# For backwards compatibility the variable names @local_domains (old) and +# @local_domains_acl (new) are synonyms. For consistency with other lookups +# the name @local_domains_acl is now preferred. It also makes it more +# obviously distinct from the new %local_domains hash lookup table. +# +# local_domains* lookup tables are used in deciding whether a recipient +# is local or not, or in other words, if the message is outgoing or not. +# This affects inserting spam-related headers for local recipients, +# limiting recipient virus notifications (if enabled) to local recipients, +# in deciding if address extension may be appended, and in SQL lookups +# for non-fqdn addresses. 
Set it up correctly if you need features +# that rely on this setting (or just leave empty otherwise). +# +# With Postfix (2.0) a quick reminder on what local domains normally are: +# a union of domains specified in: $mydestination, $virtual_alias_domains, +# $virtual_mailbox_domains, and $relay_domains. +# +#@local_domains_acl = ( ".$mydomain" ); # $mydomain and its subdomains +# @local_domains_acl = ( ".$mydomain", "my.other.domain" ); +# @local_domains_acl = qw(); # default is empty, no recipient treated as local +# @local_domains_acl = qw( .example.com ); +# @local_domains_acl = qw( .example.com !host.sub.example.net .sub.example.net ); +@local_domains_acl = ( "$mydomain", ".$mydomain" ); + +# or alternatively(A), using a Perl hash lookup table, which may be assigned +# directly, or read from a file, one domain per line; comments and empty lines +# are ignored, a dot before a domain name implies its subdomains: +# +#read_hash(\%local_domains, '/etc/amavis/local_domains'); + +#or alternatively(B), using a list of regular expressions: +# $local_domains_re = new_RE( qr'[@.]example\.com$'i ); +# +# see README.lookups for syntax and semantics + + +# +# Section II - MTA specific (defaults should be ok) +# + +# if $relayhost_is_client is true, the IP address in $notify_method and +# $forward_method is dynamically overridden with SMTP client peer address +# (if available), which makes it possible for several hosts to share one +# daemon. The static port number is also overridden, and is dynamically +# calculated as being one above the incoming SMTP/LMTP session port number. +# +# These are logged at level 3, so enable logging until you know you got it +# right. +$relayhost_is_client = 0; # (defaults to false) + +$insert_received_line = 1; # behave like MTA: insert 'Received:' header + # (does not apply to sendmail/milter) + # (default is true (1) ) + +# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. 
with sendmail milter) +# (used with amavis helper clients like amavis-milter.c and amavis.c, +# NOT needed for Postfix and Exim or dual-sendmail - keep it undefined.) +$unix_socketname = "/var/lib/amavis/amavisd.sock"; # amavis helper protocol socket +#$unix_socketname = undef; # disable listening on a unix socket + # (default is undef, i.e. disabled) + +# Do we receive quoted or raw addresses from the helper program? +# (does not apply to SMTP; defaults to true) +#$gets_addr_in_quoted_form = 1; # "Bob \"Funny\" Dude"@example.com +#$gets_addr_in_quoted_form = 0; # Bob "Funny" Dude@example.com + + + +# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...) +# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP) +$inet_socket_port = 10024; # accept SMTP on this local TCP port + # (default is undef, i.e. disabled) +# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028]; + +# SMTP SERVER (INPUT) access control +# - do not allow free access to the amavisd SMTP port !!! 
+# +# when MTA is at the same host, use the following (one or the other or both): +$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface + # (default is '127.0.0.1') +#@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP + # (default is qw( 127.0.0.1 ) ) + +# when MTA (one or more) is on a different host, use the following: +# @inet_acl = qw(127/8 10.1.0.1 10.1.0.2); # adjust the list as appropriate +# $inet_socket_bind = undef; # bind to all IP interfaces if undef +# +# Example1: +# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 ); +# permit only SMTP access from loopback and rfc1918 private address space +# +# Example2: +# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0 +# 127.0.0.1 10/8 172.16/12 192.168/16 ); +# matches loopback and rfc1918 private address space except host 192.168.1.12 +# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches) +# +# Example3: +# @inet_acl = qw( 127/8 +# !172.16.3.0 !172.16.3.127 172.16.3.0/25 +# !172.16.3.128 !172.16.3.255 172.16.3.128/25 ); +# matches loopback and both halves of the 172.16.3/24 C-class, +# split into two subnets, except all four broadcast addresses +# for these subnets +# +# See README.lookups for details on specifying access control lists. + + +# +# Section III - Logging +# + +# true (e.g. 1) => syslog; false (e.g. 
0) => logging to file +$DO_SYSLOG = 1; # (defaults to false) +#$SYSLOG_LEVEL = 'user.info'; # (facility.priority, default 'mail.info') + +# Log file (if not using syslog) +$LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log) + +#NOTE: levels are not strictly observed and are somewhat arbitrary +# 0: startup/exit/failure messages, viruses detected +# 1: args passed from client, some more interesting messages +# 2: virus scanner output, timing +# 3: server, client +# 4: decompose parts +# 5: more debug details +#$log_level = 2; # (defaults to 0) + +# Customizable template for the most interesting log file entry (e.g. with +# $log_level=0) (take care to properly quote Perl special characters like '\') +# For a list of available macros see README.customize . + +# only log infected messages (useful with log level 0): +# $log_templ = '[? %#V |[? %#F ||banned filename ([%F|,])]|infected ([%V|,])]# +# [? %#V |[? %#F ||, from=[?%o|(?)|<%o>], to=[<%R>|,][? %i ||, quarantine %i]]# +# |, from=[?%o|(?)|<%o>], to=[<%R>|,][? %i ||, quarantine %i]]'; + +# log both infected and noninfected messages (default): +$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], # +[?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c'; + + +# +# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine +# + +# Select notifications text encoding when Unicode-aware Perl is converting +# text from internal character representation to external encoding (charset +# in MIME terminology). Used as argument to Perl Encode::encode subroutine. +# +# to be used in RFC 2047-encoded header field bodies, e.g. 
in Subject: +#$hdr_encoding = 'iso-8859-1'; # (default: 'iso-8859-1') +# +# to be used in notification body text: its encoding and Content-type.charset +#$bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1') + +# Default template texts for notifications may be overruled by directly +# assigning new text to template variables, or by reading template text +# from files. A second argument may be specified in a call to read_text(), +# specifying character encoding layer to be used when reading from the +# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding. +# Text will be converted to internal character representation by Perl 5.8.0 +# or later; second argument is ignored otherwise. See PerlIO::encoding, +# Encode::PerlIO and perluniintro man pages. +# +# $notify_sender_templ = read_text('/var/amavis/notify_sender.txt'); +# $notify_virus_sender_templ= read_text('/var/amavis/notify_virus_sender.txt'); +# $notify_virus_admin_templ = read_text('/var/amavis/notify_virus_admin.txt'); +# $notify_virus_recips_templ= read_text('/var/amavis/notify_virus_recips.txt'); +# $notify_spam_sender_templ = read_text('/var/amavis/notify_spam_sender.txt'); +# $notify_spam_admin_templ = read_text('/var/amavis/notify_spam_admin.txt'); + +# If notification template files are collectively available in some directory, +# use read_l10n_templates which calls read_text for each known template. +# +# read_l10n_templates('/etc/amavis/en_US'); +# +# Debian available locales: en_US, pt_BR, de_DE, it_IT +read_l10n_templates('en_US', '/etc/amavis'); + + +# Here is an overall picture (sequence of events) of how pieces fit together +# (only virus controls are shown, spam controls work the same way): +# +# bypass_virus_checks? ==> PASS +# no viruses? 
==> PASS
+# log virus if $log_templ is nonempty
+# quarantine if $virus_quarantine_to is nonempty
+# notify admin if $virus_admin (lookup) nonempty
+# notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
+# add address extensions if adding extensions is enabled and virus will pass
+# send (non-)delivery notifications
+# to sender if DSN needed (BOUNCE or ($warn_virus_sender and D_PASS))
+# virus_lovers or final_destiny==D_PASS ==> PASS
+# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
+#
+# Equivalent flow diagram applies for spam checks.
+# If a virus is detected, spam checking is skipped entirely.
+
+# The following symbolic constants can be used in *destiny settings:
+#
+# D_PASS mail will pass to recipients, regardless of bad contents;
+#
+# D_DISCARD mail will not be delivered to its recipients, sender will NOT be
+# notified. Effectively we lose mail (but will be quarantined
+# unless disabled). Losing mail is not decent for a mailer,
+# but might be desired.
+#
+# D_BOUNCE mail will not be delivered to its recipients, a non-delivery
+# notification (bounce) will be sent to the sender by amavisd-new;
+# Exception: bounce (DSN) will not be sent if a virus name matches
+# $viruses_that_fake_sender_re, or to messages from mailing lists
+# (Precedence: bulk|list|junk);
+#
+# D_REJECT mail will not be delivered to its recipients, sender should
+# preferably get a reject, e.g. SMTP permanent reject response
+# (e.g. with milter), or non-delivery notification from MTA
+# (e.g. Postfix). If this is not possible (e.g. different recipients
+# have different tolerances to bad mail contents and not using LMTP)
+# amavisd-new sends a bounce by itself (same as D_BOUNCE).
+#
+# Notes:
+# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
+# for informing the sender about non-delivery, and how informative
+# the notification can be (amavisd-new knows more than MTA);
+# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
+# notification, colloquially called 'bounce') - depending on MTA;
+# Best suited for sendmail milter, especially for spam.
+# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
+# reason for mail non-delivery, but unable to reject the original
+# SMTP session). Best suited to reporting viruses, and for Postfix
+# and other dual-MTA setups, which can't reject original client SMTP
+# session, as the mail has already been enqueued.
+
+$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
+$final_banned_destiny = D_REJECT; # (defaults to D_BOUNCE)
+$final_spam_destiny = D_REJECT; # (defaults to D_REJECT)
+$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
+
+# Alternatives to consider for spam:
+# - use D_PASS if clients will do filtering based on inserted mail headers;
+# - use D_DISCARD, if kill_level is set safely high;
+# - use D_BOUNCE instead of D_REJECT if not using milter;
+#
+# D_BOUNCE is preferred for viruses, but consider:
+# - use D_DISCARD to avoid bothering the rest of the network, it is hopeless
+# to try to keep up with the viruses that faker the envelope sender anyway,
+# and bouncing only increases the network cost of viruses for everyone
+# - use D_PASS (or virus_lovers) and $warnvirussender=1 to deliver viruses;
+# - use D_REJECT instead of D_BOUNCE if using milter and under heavy
+# virus storm;
+#
+# Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped
+# to D_BOUNCE.
+#
+# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD
+# and D_PASS made settings $warnvirussender and $warnspamsender only still
+# useful with D_PASS.
+
+# The following $warn*sender settings are ONLY used when mail is
+# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).
+# Bounces or rejects produce non-delivery status notification anyway.
+
+# Notify virus sender?
+#$warnvirussender = 1; # (defaults to false (undef))
+
+# Notify spam sender?
+#$warnspamsender = 1; # (defaults to false (undef))
+
+# Notify sender of banned files?
+#$warnbannedsender = 1; # (defaults to false (undef))
+
+# Notify sender of syntactically invalid header containing non-ASCII characters?
+#$warnbadhsender = 1; # (defaults to false (undef))
+
+# Notify virus (or banned files) RECIPIENT?
+# (not very useful, but some policies demand it)
+#$warnvirusrecip = 1; # (defaults to false (undef))
+#$warnbannedrecip = 1; # (defaults to false (undef))
+
+# Notify also non-local virus/banned recipients if $warn*recip is true?
+# (including those not matching local_domains*)
+#$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals)
+
+
+# Treat envelope sender address as unreliable and don't send sender
+# notification / bounces if name(s) of detected virus(es) match the list.
+# Note that virus names are supplied by external virus scanner(s) and are
+# not standardized, so virus names may need to be adjusted.
+# See README.lookups for syntax, check also README.policy-on-notifications
+#
+$viruses_that_fake_sender_re = new_RE(
+ qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
+ qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
+ qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
+ qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
+ qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
+ qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
+ [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
+ [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
+ [qr/.*/ => 1], # true by default (remove or comment-out if undesired)
+);
+
+# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)
+# - the administrator address may be a simple fixed e-mail address (a scalar),
+# or may depend on the SENDER address (e.g. its domain), in which case
+# a ref to a hash table can be specified (specify lower-cased keys,
+# dot is a catchall, see README.lookups).
+#
+# Empty or undef lookup disables virus admin notifications.
+
+# $virus_admin = undef; # do not send virus admin notifications (default)
+# $virus_admin = {'not.example.com' => '', '.' => 'virusalert@example.com'};
+# $virus_admin = 'virus-admin@example.com';
+#$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
+$virus_admin = "virusalert\@$mydomain"; # due to D_DISCARD default
+
+# equivalent to $virus_admin, but for spam admin notifications:
+# $spam_admin = "spamalert\@$mydomain";
+# $spam_admin = undef; # do not send spam admin notifications (default)
+# $spam_admin = {'not.example.com' => '', '.' 
=> 'spamalert@example.com'};
+
+#advanced example, using a hash lookup table:
+#$virus_admin = {
+# 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com',
+# '.sub1.example.com' => 'virusalert@sub1.example.com',
+# '.sub2.example.com' => '', # don't send admin notifications
+# 'a.sub3.example.com' => 'abuse@sub3.example.com',
+# '.sub3.example.com' => 'virusalert@sub3.example.com',
+# '.example.com' => 'noc@example.com', # catchall for our virus senders
+# '.' => 'virusalert@hq.example.com', # catchall for the rest
+#};
+
+
+# whom notification reports are sent from (ENVELOPE SENDER);
+# may be a null reverse path, or a fully qualified address:
+# (admin and recip sender addresses default to $mailfrom
+# for compatibility, which in turn defaults to undef (empty) )
+# If using strings in double quotes, don't forget to quote @, i.e. \@
+#
+$mailfrom_notify_admin = "virusalert\@$mydomain";
+$mailfrom_notify_recip = "virusalert\@$mydomain";
+$mailfrom_notify_spamadmin = "spamalert\@$mydomain";
+
+# 'From' HEADER FIELD for sender and admin notifications.
+# This should be a replyable address, see rfc1894. Not to be confused
+# with $mailfrom_notify_sender, which is the envelope return address
+# and should be empty (null reverse path) according to rfc2821.
+#
+# The syntax of the 'From' header field is specified in rfc2822, section
+# '3.4. Address Specification'. Note in particular that display-name must be
+# a quoted-string if it contains any special characters like spaces and dots.
+#
+# $hdrfrom_notify_sender = "amavisd-new ";
+# $hdrfrom_notify_sender = 'amavisd-new ';
+# $hdrfrom_notify_sender = '"Content-Filter Master" ';
+# (defaults to: "amavisd-new ")
+# $hdrfrom_notify_admin = $mailfrom_notify_admin;
+# (defaults to: $mailfrom_notify_admin)
+# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;
+# (defaults to: $mailfrom_notify_spamadmin)
+
+# whom quarantined messages appear to be sent from (envelope sender);
+# keeps original sender if undef, or set it explicitly, default is undef
+$mailfrom_to_quarantine = ''; # override sender address with null return path
+
+
+# Location to put infected mail into: (applies to 'local:' quarantine method)
+# empty for not quarantining, may be a file (mailbox),
+# or a directory (no trailing slash)
+# (the default value is undef, meaning no quarantine)
+#
+$QUARANTINEDIR = '/var/lib/amavis/virusmails';
+
+#$virus_quarantine_method = "local:virus-%i-%n"; # default
+#$spam_quarantine_method = "local:spam-%b-%i-%n"; # default
+#
+#use the new 'bsmtp:' method as an alternative to the default 'local:'
+#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%i-%n.bsmtp";
+#$spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%b-%i-%n.bsmtp";
+
+# When using the 'local:' quarantine method (default), the following applies:
+#
+# A finer control of quarantining is available through variable
+# $virus_quarantine_to/$spam_quarantine_to. It may be a simple scalar string,
+# or a ref to a hash lookup table, or a regexp lookup table object,
+# which makes possible to set up per-recipient quarantine addresses.
+#
+# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a
+# per-recipient lookup result from the hash table %$virus_quarantine_to)
+# is/are interpreted as follows:
+#
+# VARIANT 1:
+# empty or undef disables quarantine;
+#
+# VARIANT 2:
+# a string NOT containing an '@';
+# amavisd will behave as a local delivery agent (LDA) and will quarantine
+# viruses to local files according to hash %local_delivery_aliases (pseudo
+# aliases map) - see subroutine mail_to_local_mailbox() for details.
+# Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'.
+# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:
+#
+# * if $QUARANTINEDIR is a directory, each quarantined virus will go
+# to a separate file in the $QUARANTINEDIR directory (traditional
+# amavis style, similar to maildir mailbox format);
+#
+# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style
+# mailbox. All quarantined messages will be appended to this file.
+# Amavisd child process must obtain an exclusive lock on the file during
+# delivery, so this may be less efficient than using individual files
+# or forwarding to MTA, and it may not work across NFS or other non-local
+# file systems (but may be handy for pickup of quarantined files via IMAP
+# for example);
+#
+# VARIANT 3:
+# any email address (must contain '@').
+# The e-mail messages to be quarantined will be handed to MTA
+# for delivery to the specified address. If a recipient address local to MTA
+# is desired, you may leave the domain part empty, e.g. 'infected@', but the
+# '@' character must nevertheless be included to distinguish it from variant 2.
+#
+# This method enables more refined delivery control made available by MTA
+# (e.g. its aliases file, other local delivery agents, dealing with
+# privileges and file locking when delivering to user's mailbox, nonlocal
+# delivery and forwarding, fan-out lists). 
Make sure the mail-to-be-quarantined
+# will not be handed back to amavisd for checking, as this will cause a loop
+# (hopefully broken at some stage)! If this can be assured, notifications
+# will benefit too from not being unnecessarily virus-scanned.
+#
+# By default this is safe to do with Postfix and Exim v4 and dual-sendmail
+# setup, but probably not safe with sendmail milter interface without
+# precaution.
+
+# (the default value is undef, meaning no quarantine)
+
+$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
+#$virus_quarantine_to = 'infected@'; # forward to MTA for delivery
+#$virus_quarantine_to = "virus-quarantine\@$mydomain"; # similar
+#$virus_quarantine_to = 'virus-quarantine@example.com'; # similar
+#$virus_quarantine_to = undef; # no quarantine
+#
+#$virus_quarantine_to = new_RE( # per-recip multiple quarantines
+# [qr'^user@example\.com$'i => 'infected@'],
+# [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],
+# [qr'^(.*)(@[^@])?$'i => 'virus-${1}${2}'],
+# [qr/.*/ => 'virus-quarantine'] );
+
+# similar for spam
+# (the default value is undef, meaning no quarantine)
+#
+$spam_quarantine_to = 'spam-quarantine';
+#$spam_quarantine_to = "spam-quarantine\@$mydomain";
+#$spam_quarantine_to = new_RE( # per-recip multiple quarantines
+# [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'],
+# [qr/.*/ => 'spam-quarantine'] );
+
+# In addition to per-recip quarantine, a by-sender lookup is possible. It is
+# similar to $spam_quarantine_to, but the lookup key is the sender address:
+#$spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine
+
+
+# Add X-Virus-Scanned header field to mail?
+$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)
+# Leave empty to add no header # (default: undef)
+$X_HEADER_LINE = "by $myversion (Debian) at $mydomain";
+
+# a string to prepend to Subject (for local recipients only) if mail could
+# not be decoded or checked entirely, e.g. 
due to password-protected archives
+$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
+
+$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
+#$remove_existing_x_scanned_headers= 1; # remove existing headers
+ # (defaults to false)
+#$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
+$remove_existing_spam_headers = 1; # remove existing spam headers if
+ # spam scanning is enabled (default)
+
+# set $bypass_decode_parts to true if you only do spam scanning, or if you
+# have a good virus scanner that can deal with compression and recursively
+# unpacking archives by itself, and save amavisd the trouble.
+# Disabling decoding also causes banned_files checking to only see
+# MIME names and MIME content types, not the content classification types
+# as provided by the file(1) utility.
+# It is a double-edged sword, make sure you know what you are doing!
+#
+#$bypass_decode_parts = 1; # (defaults to false)
+
+# don't trust this file type or corresponding unpacker for this file type,
+# keep both the original and the unpacked file for a virus checker to see
+# (lookup key is what file(1) utility returned):
+#
+$keep_decoded_original_re = new_RE(
+# qr'^MAIL$', # retain full original message for virus checking (can be slow)
+ qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
+ qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+# qr'^Zip archive data',
+);
+
+# Checking for banned MIME types and names. If any mail part matches,
+# the whole mail is rejected, much like the way viruses are handled.
+# A list in object $banned_filename_re can be defined to provide a list
+# of Perl regular expressions to be matched against each part's:
+#
+# * Content-Type value (both declared and effective mime-type),
+# including the possible security risk content types
+# message/partial and message/external-body, as specified by rfc2046;
+#
+# * declared (i.e. 
recommended) file names as specified by MIME subfields
+# Content-Disposition.filename and Content-Type.name, both in their
+# raw (encoded) form and in rfc2047-decoded form if applicable;
+#
+# * file content type as guessed by 'file' utility, both the raw
+# result from 'file', as well as short type name, classified
+# into names such as .asc, .txt, .html, .doc, .jpg, .pdf,
+# .zip, .exe, ... - see subroutine determine_file_types().
+# This step is done only if $bypass_decode_parts is not true.
+#
+# * leave $banned_filename_re undefined to disable these checks
+# (giving an empty list to new_RE() will also always return false)
+
+$banned_filename_re = new_RE(
+# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
+ qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # some double extensions
+ qr'[{}]', # curly braces in names (serve as Class ID extensions - CLSID)
+# qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
+# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
+# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
+# vbe|vbs|wsc|wsf|wsh)$'ix, # banned extension - long
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
+# qr'^\.(zip|lha|tnef|cab)$'i, # banned file(1) types
+# qr'^\.exe$'i, # banned file(1) types
+# qr'^application/x-msdownload$'i, # banned MIME types
+# qr'^application/x-msdos-program$'i,
+ qr'^message/partial$'i, # rfc2046. this one is deadly for Outcrook
+# qr'^message/external-body$'i, # block rfc2046
+);
+# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
+# and http://www.cknow.com/vtutor/vtextensions.htm
+
+# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe',
+# as well as any file name which happens to end with .exe. 
If only matching
+# a file name is desired, but not the short name, a pattern qr'.\.exe$'i
+# or similar may be used, which requires that at least one character precedes
+# the '.exe', and so it will never match short file types, which always start
+# with a dot.
+
+
+#
+# Section V - Per-recipient and per-sender handling, whitelisting, etc.
+#
+
+# %virus_lovers, @virus_lovers_acl and $virus_lovers_re lookup tables:
+# (these should be considered policy options, they do not disable checks,
+# see bypass*checks for that!)
+#
+# Exclude certain RECIPIENTS from virus filtering by adding their lower-cased
+# envelope e-mail address (or domain only) to the hash %virus_lovers, or to
+# the access list @virus_lovers_acl - see README.lookups and examples.
+# Make sure the appropriate form (e.g. external/internal) of address
+# is used in case of virtual domains, or when mapping external to internal
+# addresses, etc. - this is MTA-specific.
+#
+# Notifications would still be generated however (see the overall
+# picture above), and infected mail (if passed) gets additional header:
+# X-AMaViS-Alert: INFECTED, message contains virus: ...
+# (header not inserted with milter interface!)
+#
+# NOTE (milter interface only): in case of multiple recipients,
+# it is only possible to drop or accept the message in its entirety - for all
+# recipients. If all of them are virus lovers, we'll accept mail, but if
+# at least one recipient is not a virus lover, we'll discard the message.
+
+
+# %bypass_virus_checks, @bypass_virus_checks_acl and $bypass_virus_checks_re
+# lookup tables:
+# (this is mainly a time-saving option, unlike virus_lovers* !)
+#
+# Similar in concept to %virus_lovers, a hash %bypass_virus_checks,
+# access list @bypass_virus_checks_acl and regexp list $bypass_virus_checks_re
+# are used to skip entirely the decoding, unpacking and virus checking,
+# but only if ALL recipients match the lookup.
+#
+# %bypass_virus_checks/@bypass_virus_checks_acl/$bypass_virus_checks_re
+# do NOT GUARANTEE the message will NOT be checked for viruses - this may
+# still happen when there is more than one recipient for a message, and
+# not all of them match these lookup tables. To guarantee virus delivery,
+# a recipient must also match %virus_lovers/@virus_lovers_acl lookups
+# (but see milter limitations above),
+
+# NOTE: it would not be clever to base virus checks on SENDER address,
+# since there are no guarantees that it is genuine. Many viruses
+# and spam messages fake sender address. To achieve selective filtering
+# based on the source of the mail (e.g. IP address, MTA port number, ...),
+# use mechanisms provided by MTA if available.
+
+
+# Similar to lookup tables controlling virus checking, there exist
+# spam scanning, banned names/types, and headers_checks control counterparts:
+# %spam_lovers, @spam_lovers_acl, $spam_lovers_re
+# %banned_files_lovers, @banned_files_lovers_acl, $banned_files_lovers_re
+# %bad_header_lovers, @bad_header_lovers_acl, $bad_header_lovers_re
+# and:
+# %bypass_spam_checks/@bypass_spam_checks_acl/$bypass_spam_checks_re
+# %bypass_banned_checks/@bypass_banned_checks_acl/$bypass_banned_checks_re
+# %bypass_header_checks/@bypass_header_checks_acl/$bypass_header_checks_re
+# See README.lookups for details about the syntax.
+
+# The following example disables spam checking altogether,
+# since it matches any recipient e-mail address (any address
+# is a subdomain of the top-level root DNS domain):
+# @bypass_spam_checks_acl = qw( . );
+
+# @bypass_header_checks_acl = qw( user@example.com );
+# @bad_header_lovers_acl = qw( user@example.com );
+
+
+# See README.lookups for further detail, and examples below.
+
+# $virus_lovers{lc("postmaster\@$mydomain")} = 1;
+# $virus_lovers{lc('postmaster@example.com')} = 1;
+# $virus_lovers{lc('abuse@example.com')} = 1;
+# $virus_lovers{lc('some.user@')} = 1; # this recipient, regardless of domain
+# $virus_lovers{lc('boss@example.com')} = 0; # never, even if domain matches
+# $virus_lovers{lc('example.com')} = 1; # this domain, but not its subdomains
+# $virus_lovers{lc('.example.com')}= 1; # this domain, including its subdomains
+#or:
+# @virus_lovers_acl = qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org );
+#
+# $bypass_virus_checks{lc('some.user2@butnot.example.com')} = 1;
+# @bypass_virus_checks_acl = qw( some.ddd !butnot.example.com .example.com );
+
+# @virus_lovers_acl = qw( postmaster@example.com );
+# $virus_lovers_re = new_RE( qr'^(helpdesk|postmaster)@example\.com$'i );
+
+# $spam_lovers{lc("postmaster\@$mydomain")} = 1;
+# $spam_lovers{lc('postmaster@example.com')} = 1;
+# $spam_lovers{lc('abuse@example.com')} = 1;
+# @spam_lovers_acl = qw( !.example.com );
+# $spam_lovers_re = new_RE( qr'^user@example\.com$'i );
+
+# don't run spam check for these RECIPIENT domains:
+# @bypass_spam_checks_acl = qw( d1.com .d2.com a.d3.com );
+# or the other way around (bypass check for all BUT these):
+# @bypass_spam_checks_acl = qw( !d1.com !.d2.com !a.d3.com . );
+# a practical application: don't check outgoing mail for spam:
+# @bypass_spam_checks_acl = ( "!.$mydomain", "." );
+# (a downside of which is that such mail will not count as ham in SA bayes db)
+
+
+# Where to find SQL server(s) and database to support SQL lookups?
+# A list of triples: (dsn,user,passw). (dsn = data source name)
+# More than one entry may be specified for multiple (backup) SQL servers.
+# See 'man DBI', 'man DBD::mysql', 'man DBD::Pg', ... for details.
+# When chroot-ed, accessing SQL server over inet socket may be more convenient.
+#
+# @lookup_sql_dsn =
+# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
+# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'] );
+#
+# ('mail' in the example is the database name, choose what you like)
+# With PostgreSQL the dsn (first element of the triple) may look like:
+# 'DBI:Pg:host=host1;dbname=mail'
+
+# The SQL select clause to fetch per-recipient policy settings.
+# The %k will be replaced by a comma-separated list of query addresses
+# (e.g. full address, domain only, catchall). Use ORDER, if there
+# is a chance that multiple records will match - the first match wins.
+# If field names are not unique (e.g. 'id'), the later field overwrites the
+# earlier in a hash returned by lookup, which is why we use '*,users.id'.
+# $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
+# ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
+# ' ORDER BY users.priority DESC';
+#
+# The SQL select clause to check sender in per-recipient whitelist/blacklist
+# The first SELECT argument '?' will be users.id from recipient SQL lookup,
+# the %k will be sender addresses (e.g. full address, domain only, catchall).
+# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
+# ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'.
+# ' AND (mailaddr.email IN (%k))'.
+# ' ORDER BY mailaddr.priority DESC';
+
+$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
+
+
+# If you decide to pass viruses (or spam) to certain recipients using the
+# above lookup tables or using $final_virus_destiny=D_PASS, you can set
+# the variable $addr_extension_virus ($addr_extension_spam) to some
+# string, and the recipient address will have this string appended
+# as an address extension to the local-part of the address. This extension
+# can be used by final local delivery agent to place such mail in different
+# folders. 
Leave these two variables undefined or empty strings to prevent
+# appending address extensions. Setting has no effect on recipient which will
+# not be receiving viruses/spam. Recipients who do not match lookup tables
+# local_domains* are not affected.
+#
+# LDAs usually default to stripping away address extension if no special
+# handling is specified, so having this option enabled normally does no harm,
+# provided the $recipients_delimiter matches the setting on the final
+# MTA's LDA.
+
+# $addr_extension_virus = 'virus'; # (default is undef, same as empty)
+# $addr_extension_spam = 'spam'; # (default is undef, same as empty)
+# $addr_extension_banned = 'banned'; # (default is undef, same as empty)
+
+
+# Delimiter between local part of the recipient address and address extension
+# (which can optionally be added, see variables $addr_extension_virus and
+# $addr_extension_spam). E.g. recipient address gets changed
+# to .
+#
+# Delimiter should match equivalent (final) MTA delimiter setting.
+# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf)
+# Setting it to an empty string or to undef disables this feature
+# regardless of $addr_extension_virus and $addr_extension_spam settings.
+
+$recipient_delimiter = '+'; # (default is '+')
+
+# true: replace extension; false: append extension
+$replace_existing_extension = 1; # (default is false)
+
+# Affects matching of localpart of e-mail addresses (left of '@')
+# in lookups: true = case sensitive, false = case insensitive
+$localpart_is_case_sensitive = 0; # (default is false)
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT)
+# (affects spam checking only, has no effect on virus and other checks)
+
+# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
+# senders even if the message would be recognized as spam. Effectively, for
+# the specified senders, message recipients temporarily become 'spam_lovers'.
+# To avoid surprises, whitelisted sender also suppresses inserting/editing
+# the tag2-level header fields (X-Spam-*, Subject), appending spam address
+# extension, and quarantining.
+
+# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
+# Effectively, for messages from blacklisted senders, spam level
+# is artificially pushed high, and the normal spam processing applies,
+# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual
+# reactions to spam, including possible rejection. If the message nevertheless
+# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
+# in the 'X-Spam-Status' header field, but the reported spam value and
+# set of tests in this report header field (if available from SpamAssassin,
+# which may have not been called) is not adjusted.
+#
+# A sender may be both white- and blacklisted at the same time, settings
+# are independent. For example, being both white- and blacklisted, message
+# is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No;
+# X-Spam-Status: No, ...), but the reported spam level (if computed) may
+# still indicate high spam score.
+#
+# If ALL recipients of the message either white- or blacklist the sender,
+# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
+#
+# The following variables (lookup tables) are available, with the semantics
+# and syntax as specified in README.lookups:
+#
+# %whitelist_sender, @whitelist_sender_acl, $whitelist_sender_re
+# %blacklist_sender, @blacklist_sender_acl, $blacklist_sender_re
+
+# SOME EXAMPLES:
+#
+#ACL:
+# @whitelist_sender_acl = qw( .example.com );
+#
+# @whitelist_sender_acl = ( ".$mydomain" ); # $mydomain and its subdomains
+# NOTE: This is not a reliable way of turning off spam checks for
+# locally-originating mail, as sender address can easily be faked.
+# To reliably avoid spam-scanning outgoing mail,
+# use @bypass_spam_checks_acl .
+
+#RE:
+# $whitelist_sender_re = new_RE(
+# qr'^postmaster@.*\bexample\.com$'i,
+# qr'owner-[^@]*@'i, qr'-request@'i,
+# qr'\.example\.com$'i );
+#
+$blacklist_sender_re = new_RE(
+ qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
+ qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
+ qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonl|smoking2002k)@'i,
+ qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
+ qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
+ qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
+);
+
+#HASH lookup variant:
+# NOTE: Perl operator qw splits its argument string by whitespace
+# and produces a list. This means that addresses can not contain
+# whitespace, and there is no provision for comments within the string.
+# You can use the normal Perl list syntax if you have special requirements,
+# e.g. map {...} ('one user@bla', '.second.com'), or use read_hash to read
+# addresses from a file.
+#
+
+# a hash lookup table can be read from a file,
+# one address per line, comments and empty lines are permitted:
+#
+# read_hash(\%whitelist_sender, '/var/amavis/whitelist_sender');
+read_hash(\%whitelist_sender, "$MYHOME/whitelist_sender");
+read_hash(\%blacklist_sender, "$MYHOME/blacklist_sender");
+
+# ... 
or set directly:
+map { $whitelist_sender{lc($_)}=1 } (qw(
+ nobody@cert.org
+ owner-alert@iss.net
+ slashdot@slashdot.org
+ bugtraq@securityfocus.com
+ NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
+ security-alerts@linuxsecurity.com
+ amavis-user-admin@lists.sourceforge.net
+ razor-users-admin@lists.sourceforge.net
+ notification-return@lists.sophos.com
+ mailman-announce-admin@python.org
+ zope-announce-admin@zope.org
+ owner-postfix-users@postfix.org
+ owner-postfix-announce@postfix.org
+ owner-sendmail-announce@lists.sendmail.org
+ sendmail-announce-request@lists.sendmail.org
+ ca+envelope@sendmail.org
+ owner-technews@postel.ACM.ORG
+ lvs-users-admin@LinuxVirtualServer.org
+ ietf-123-owner@loki.ietf.org
+ cvs-commits-list-admin@gnome.org
+ rt-users-admin@lists.fsck.com
+ owner-announce@mnogosearch.org
+ owner-hackers@ntp.org
+ owner-bugs@ntp.org
+ clp-request@comp.nus.edu.sg
+ surveys-errors@lists.nua.ie
+ emailNews@genomeweb.com
+ owner-textbreakingnews@CNNIMAIL12.CNN.COM
+ yahoo-dev-null@yahoo-inc.com
+));
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT
+
+# The same semantics as for global white/blacklisting applies, but this
+# time each recipient (or its domain, or subdomain, ...) can be given
+# an individual lookup table for matching senders. The per-recipient lookups
+# override the global lookups, which serve as a fallback default.
+
+# Specify a two-level lookup table: the key for the outer table is recipient,
+# and the result should be an inner lookup table (hash or ACL or RE),
+# where the key used will be the sender.
+#
+#$per_recip_blacklist_sender_lookup_tables = {
+# 'user1@my.example.com'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i),
+# 'user2@my.example.com'=>[qw( spammer@d1.example,org .d2.example,org )],
+#};
+#$per_recip_whitelist_sender_lookup_tables = {
+# 'user@my.example.com' => [qw( friend@example.org .other.example.org )],
+# '.my1.example.com' => [qw( !foe.other.example,org .other.example,org )],
+# '.my2.example.com' => read_hash('/var/amavis/my2-wl.dat'),
+# 'abuse@' => { 'postmaster@'=>1,
+# 'cert-advisory-owner@cert.org'=>1, 'owner-alert@iss.net'=>1 },
+#};
+
+
+#
+# Section VI - Resource limits
+#
+
+# Sanity limit to the number of allowed recipients per SMTP transaction
+# $smtpd_recipient_limit = 1000; # (default is 1000)
+
+
+# Resource limits to protect unpackers, decompressors and virus scanners
+# against mail bombs (e.g. 42.zip)
+
+# Maximum recursion level for extraction/decoding (0 or undef disables limit)
+$MAXLEVELS = 14; # (default is undef, no limit)
+
+# Maximum number of extracted files (0 or undef disables the limit)
+$MAXFILES = 1500; # (default is undef, no limit)
+
+# For the cumulative total of all decoded mail parts we set max storage size
+# to defend against mail bombs. Even though parts may be deleted (replaced
+# by decoded text) during decoding, the size they occupied is _not_ returned
+# to the quota pool.
+#
+# Parameters to storage quota formula for unpacking/decoding/decompressing
+# Formula:
+# quota = max($MIN_EXPANSION_QUOTA,
+# $mail_size*$MIN_EXPANSION_FACTOR,
+# min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR))
+# In plain words (later condition overrules previous ones):
+# allow MAX_EXPANSION_FACTOR times initial mail size,
+# but not more than MAX_EXPANSION_QUOTA,
+# but not less than MIN_EXPANSION_FACTOR times initial mail size,
+# but never less than MIN_EXPANSION_QUOTA
+#
+$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
+$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
+$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
+$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
+
+
+#
+# Section VII - External programs, virus scanners
+#
+
+# Specify a path string, which is a colon-separated string of directories
+# (no trailing slashes!) to be assigned to the environment variable PATH
+# and to serve for locating external programs below.
+
+# NOTE: if $daemon_chroot_dir is nonempty, the directories will be
+# relative to the chroot directory specified;
+
+$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
+
+# Specify one string or a search list of strings (first match wins).
+# The string (or: each string in a list) may be an absolute path,
+# or just a program name, to be located via $path;
+# Empty string or undef (=default) disables the use of that external program.
+# Optionally command arguments may be specified - only the first substring
+# up to the whitespace is used for file searching.
+
+$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
+
+$gzip = 'gzip';
+$bzip2 = 'bzip2';
+$lzop = 'lzop';
+$uncompress = ['uncompress', 'gzip -d', 'zcat'];
+$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
+$arc = ['nomarch', 'arc'];
+$unarj = ['arj', 'unarj']; # both can extract, arj is recommended
+$unrar = ['rar', 'unrar']; # both can extract, same options
+$zoo = 'zoo';
+$lha = 'lha';
+$cpio = 'cpio'; # comment out if cpio does not support GNU options
+
+
+# SpamAssassin settings
+
+# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
+# of the option local_tests_only. See Mail::SpamAssassin man page.
+# If set to 1, SA tests are restricted to local tests only, i.e. no tests
+# that require internet access will be performed.
+#
+#$sa_local_tests_only = 1; # (default: false)
+$sa_auto_whitelist = 1; # turn on AWL (default: false)
+
+# Timout for SpamAssassin. This is only used if spamassassin does NOT
+# override it (which it often does if sa_local_tests_only is not true)
+$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin
+ # (default is 30 seconds, undef disables it)
+
+# AWL (auto whitelisting), requires spamassassin 2.44 or better
+# $sa_auto_whitelist = 1; # defaults to undef
+
+$sa_mail_body_size_limit = 150*1024; # don't waste time on SA is mail is larger
+ # (less than 1% of spam is > 64k)
+ # default: undef, no limitations
+
+# default values, can be overridden by more specific lookups, e.g.
SQL
+$sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 6.3; # add 'spam detected' headers at that level
+$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
+ # at or above that level: bounce/reject/drop,
+ # quarantine, and adding mail address extension
+
+$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
+ # effectively turning D_BOUNCE into D_DISCARD;
+ # undef disables this feature and is a default;
+
+#
+# The $sa_tag_level_deflt, $sa_tag2_level_deflt and $sa_kill_level_deflt
+# may also be hashrefs to hash lookup tables, to make static per-recipient
+# settings possible without having to resort to SQL or LDAP lookups.
+
+# a quick reference:
+# tag_level controls adding the X-Spam-Status and X-Spam-Level headers,
+# tag2_level controls adding 'X-Spam-Flag: YES', and editing Subject,
+# kill_level controls 'evasive actions' (reject, quarantine, extensions);
+# it only makes sense to maintain the relationship:
+# tag_level <= tag2_level <= kill_level < $sa_dsn_cutoff_level
+
+# string to prepend to Subject header field when message exceeds tag2 level
+$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
+ # (only seen when spam is not to be rejected
+ # and recipient is in local_domains*)
+
+#$sa_spam_modifies_subj = 1; # may be a ref to a lookup table, default is true
+# Example: modify Subject for all local recipients except user@example.com
+#$sa_spam_modifies_subj = [qw( !user@example.com . )];
+
+# stop anti-virus scanning when the first scanner detects a virus?
+$first_infected_stops_scan = 1; # default is false, all scanners are called
+
+# @av_scanners is a list of n-tuples, where fields semantics is:
+# 1. av scanner plain name, to be used in log and reports;
+# 2.
scanner program name; this string will be submitted to subroutine
+# find_external_programs(), which will try to find the full program
+# path name; if program is not found, this scanner is disabled.
+# Besides a simple string (full program path name or just the basename
+# to be looked for in PATH), this may be an array ref of alternative
+# program names or full paths - the first match in the list will be used;
+# As a special case for more complex scanners, this field may be
+# a subroutine reference, and the whole n-tuple is passed to it as args.
+# 3. command arguments to be given to the scanner program;
+# a substring {} will be replaced by the directory name to be scanned,
+# i.e. "$tempdir/parts", a "*" will be replaced by file names of parts;
+# 4. an array ref of av scanner exit status values, or a regexp (to be
+# matched against scanner output), indicating NO VIRUSES found;
+# 5. an array ref of av scanner exit status values, or a regexp (to be
+# matched against scanner output), indicating VIRUSES WERE FOUND;
+# Note: the virus match prevails over a 'not found' match, so it is safe
+# even if the no. 4. matches for viruses too;
+# 6. a regexp (to be matched against scanner output), returning a list
+# of virus names found.
+# 7. and 8.: (optional) subroutines to be executed before and after scanner
+# (e.g. to set environment or current directory);
+# see examples for these at KasperskyLab AVP and Sophos sweep.
+
+# NOTES:
+#
+# - NOT DEFINING @av_scanners (e.g.
setting it to empty list, or deleting the
+# whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE
+# (which can be handy if all you want to do is spam scanning);
+#
+# - the order matters: although _all_ available entries from the list are
+# always tried regardless of their verdict, scanners are run in the order
+# specified: the report from the first one detecting a virus will be used
+# (providing virus names and scanner output); REARRANGE THE ORDER TO WILL;
+#
+# - it doesn't hurt to keep an unused command line scanner entry in the list
+# if the program can not be found; the path search is only performed once
+# during the program startup;
+#
+# COROLLARY: to disable a scanner that _does_ exist on your system,
+# comment out its entry or use undef or '' as its program name/path
+# (second parameter). An example where this is almost a must: disable
+# Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl
+# (same for Trophie/vscan, and clamd/clamscan), or if another unrelated
+# program happens to have a name matching one of the entries ('sweep'
+# again comes to mind);
+#
+# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES
+# for interfacing (where the second parameter starts with \&).
+# Keeping such entry and not having a corresponding virus scanner daemon
+# causes an unnecessary connection attempt (which eventually times out,
+# but it wastes precious time). For this reason the daemonized entries
+# are commented in the distribution - just remove the '#' where needed.
+#
+# CERT list of av resources: http://www.cert.org/other_sources/viruses.html
+
+@av_scanners = (
+
+# ### http://www.vanja.com/tools/sophie/
+# ['Sophie',
+# \&ask_daemon, ["{}/\n", '/var/run/sophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
+# qr/(?x)^ [-+]? \d+ : (.*?)
[\000\r\n]* $/ ],
+
+# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
+['Sophos SAVI', \&sophos_savi ],
+
+### http://www.clamav.net/
+['Clam Antivirus-clamd',
+ \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
+ qr/\bOK$/, qr/\bFOUND$/,
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+# NOTE: run clamd under the same user as amavisd; match the socket
+# name (LocalSocket) in clamav.conf to the socket name in this entry
+# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
+
+# ### http://www.openantivirus.org/
+# ['OpenAntiVirus ScannerDaemon (OAV)',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
+# qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],
+
+# ### http://www.vanja.com/tools/trophie/
+# ['Trophie',
+# \&ask_daemon, ["{}/\n", '/var/run/trophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
+# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
+
+# ### http://www.grisoft.com/
+# ['AVG Anti-Virus',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
+# qr/^200/, qr/^403/, qr/^403 .*?: (.+)/ ],
+
+# ### http://www.f-prot.com/
+# ['FRISK F-Prot Daemon',
+# \&ask_daemon,
+# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
+# ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
+# '127.0.0.1:10203','127.0.0.1:10204'] ],
+# qr/(?i)]*>clean<\/summary>/,
+# qr/(?i)]*>infected<\/summary>/,
+# qr/(?i)(.+)<\/name>/ ],
+
+ ['KasperskyLab AVP - aveclient',
+ ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
+ '/opt/kav/bin/aveclient','aveclient'],
+ '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
+ qr/(?:INFECTED|SUSPICION) (.+)/,
+ ],
+
+ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
+ '-* -P -B -Y -O- {}', [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
+ qr/infected: (.+)/,
+ sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
+ sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+ ### The kavdaemon and AVPDaemonClient
have been removed from Kasperky
+ ### products and replaced by aveserver and aveclient
+ ['KasperskyLab AVPDaemonClient',
+ [ '/opt/AVP/kavdaemon', 'kavdaemon',
+ '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
+ '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
+ '/opt/AVP/avpdc', 'avpdc' ],
+ "-f=$TEMPBASE {}", [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
+ qr/infected: ([^\r\n]+)/ ],
+ # change the startup-script in /etc/init.d/kavd to:
+ # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
+ # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
+ # adjusting /var/amavis above to match your $TEMPBASE.
+ # The '-f=/var/amavis' is needed if not running it as root, so it
+ # can find, read, and write its pid file, etc., see 'man kavdaemon'.
+ # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
+ # directory $TEMPBASE specifies) in the 'Names=' section.
+ # cd /opt/AVP/DaemonClients; configure; cd Sample; make
+ # cp AvpDaemonClient /opt/AVP/
+ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
+
+ ### http://www.hbedv.com/ or http://www.centralcommand.com/
+ ['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
+ ['antivir','vexira'],
+ '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
+ qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
+ (?i) VIRUS:\ .*?\ virus\ '?)
( [^\]\s']+ )/ ],
+ # NOTE: if you only have a demo version, remove -z and add 214, as in:
+ # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
+
+ ### http://www.commandsoftware.com/
+ ['Command AntiVirus for Linux', 'csav',
+ '-all -archive -packed {}', [50], [51,52,53],
+ qr/Infection: (.+)/ ],
+
+ ### http://www.symantec.com/
+ ['Symantec CarrierScan via Symantec CommandLineScanner',
+ 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
+ qr/^Files Infected:\s+0$/, qr/^Infected\b/,
+ qr/^(?:Info|Virus Name):\s+(.+)/ ],
+
+ ### http://www.symantec.com/
+ ['Symantec AntiVirus Scan Engine',
+ 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
+ [0], qr/^Infected\b/,
+ qr/^(?:Info|Virus Name):\s+(.+)/ ],
+ # NOTE: check options and patterns to see which entry better applies
+
+ ### http://www.sald.com/, http://drweb.imshop.de/
+ ['drweb - DrWeb Antivirus',
+ ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
+ '-path={} -al -go -ot -cn -upn -ok-',
+ [0,32], [1,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
+
+# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
+# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
+# [pack('N',1). # DRWEBD_SCAN_CMD
+# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
+# pack('N', # path length
+# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/part-xxxxx")).
+# '{}/*'. # path
+# pack('N',0).
# content size
+# pack('N',0),
+# '/var/drweb/run/drwebd.sock',
+# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot
+# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
+# # '127.0.0.1:3000', # or over an inet socket
+# ],
+# qr/\A\x00(\x10|\x11)\x00\x00/s, # IS_CLEAN, EVAL_KEY
+# qr/\A\x00(\x00|\x01)\x00(\x20|\x40|\x80)/s, # KNOWN_V, UNKNOWN_V, V._MODIF
+# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s,
+# ],
+# # NOTE: If you are using amavis-milter, change length to:
+# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/part-xxxxx").
+
+ ### http://www.f-secure.com/products/anti-virus/
+ ['F-Secure Antivirus', 'fsav',
+ '--dumb --mime --archive {}', [0], [3,8],
+ qr/(?:infection|Infected|Suspected): (.+)/ ],
+
+ ['CAI InoculateIT', 'inocucmd',
+ '-sec -nex {}', [0], [100],
+ qr/was infected by virus (.+)/ ],
+
+ ['MkS_Vir for Linux (beta)', ['mks32','mks'],
+ '-s {}/*', [0], [1,2], # any use for options: -a -c ?
+ qr/--[ \t]*(.+)/ ],
+
+ ### http://www.nod32.com/
+ ['ESET Software NOD32', 'nod32',
+ '-all -subdir+ {}', [0], [1,2],
+ qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
+
+ ### http://www.nod32.com/
+ ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
+ '-a -r -d recurse --heur standard {}', [0], [10,11],
+ qr/^\S+\s+infected:\s+(.+)/ ],
+
+ ### http://www.norman.com/products_nvc.shtml
+ ['Norman Virus Control v5 / Linux', 'nvcc',
+ '-c -l:0 -s -u {}', [0], [1],
+ qr/(?i).* virus in .* -> \'(.+)\'/ ],
+
+ ### http://www.pandasoftware.com/
+ ['Panda Antivirus for Linux', ['pavcl'],
+ '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
+ qr/Number of files infected[ .]*: 0(?!\d)/,
+ qr/Number of files infected[ .]*: 0*[1-9]/,
+ qr/Found virus :\s*(\S+)/ ],
+
+# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
+# Check your RAV license terms before fiddling with the following two lines!
+# ['GeCAD RAV AntiVirus 8', 'ravav',
+# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
+# # NOTE: the command line switches changed with scan engine 8.5 !
+# # (btw, assigning stdin to /dev/null causes RAV to fail)
+
+ ### http://www.nai.com/
+ ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
+ '--secure -rv --mime --summary --noboot - {}', [0], [13],
+ qr/(?x) Found (?:
+ \ the\ (.+)\ (?:virus|trojan) |
+ \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
+ :\ (.+)\ NOT\ a\ virus)/,
+ # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
+ # sub {delete $ENV{LD_PRELOAD}},
+ ],
+ # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
+ # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
+ # and then clear it when finished to avoid confusing anything else.
+ # NOTE2: to treat encrypted files as viruses replace the [13] with:
+ # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
+
+ ### http://www.virusbuster.hu/en/
+ ['VirusBuster', ['vbuster', 'vbengcl'],
+ # VirusBuster Ltd. does not support the daemon version for the workstation
+ # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
+ # binaries, some parameters AND return codes (from 3 to 1) changed.
+ "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
+ qr/: '(.*)' - Virus/ ],
+
+# ### http://www.virusbuster.hu/en/
+# ['VirusBuster (Client + Daemon)', 'vbengd',
+# # HINT: for an infected file it returns always 3,
+# # although the man-page tells a different story
+# '-f -log scandir {}', [0], [3],
+# qr/Virus found = (.*);/ ],
+
+ ### http://www.cyber.com/
+ ['CyberSoft VFind', 'vfind',
+ '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
+ # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
+ ],
+
+ ### http://www.ikarus-software.com/
+ ['Ikarus AntiVirus for Linux', 'ikarus',
+ '{}', [0], [40], qr/Signature (.+) found/ ],
+
+ ### http://www.bitdefender.com/
+ ['BitDefender', 'bdc',
+ '--all --arc --mail {}', qr/^Infected files *:0(?!\d)/,
+ qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
+ qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
+);
+
+# If no virus scanners from the @av_scanners list produce 'clean' nor
+# 'infected' status (e.g. they all fail to run or the list is empty),
+# then _all_ scanners from the @av_scanners_backup list are tried.
+# When there are both daemonized and command-line scanners available,
+# it is customary to place slower command-line scanners in the
+# @av_scanners_backup list. The default choice is somewhat arbitrary,
+# move entries from one list to another as desired.
+
+@av_scanners_backup = (
+
+ ### http://www.clamav.net/
+ ['Clam Antivirus - clamscan', 'clamscan',
+ "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+
+ ### http://www.f-prot.com/
+ ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
+ '-dumb -archive -packed {}', [0,8], [3,6],
+ qr/Infection: (.+)/ ],
+
+ ### http://www.trendmicro.com/
+ ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
+ '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
+
+ ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
+ '-i1 -xp {}', [0,10,15], [5,20,21,25],
+ qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
+ sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
+ sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+# Commented out because the name 'sweep' clashes with the Debian package of
+# the same name. Make sure the correct sweep is found in the path when enabling
+#
+# ### http://www.sophos.com/
+# ['Sophos Anti Virus (sweep)', 'sweep',
+# '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}',
+# [0,2], qr/Virus .*? found/,
+# qr/^>>> Virus(?: fragment)? '?(.*?)'?
found/,
+# ],
+# # other options to consider: -mime -oe -idedir=/usr/local/sav
+
+# always succeeds (uncomment to consider mail clean if all other scanners fail)
+['always-clean', sub {0}],
+
+);
+
+
+#
+# Section VIII - Debugging
+#
+
+# The most useful debugging tool is to run amavisd-new non-detached
+# from a terminal window:
+# amavisd debug
+
+# Some more refined approaches:
+
+# If sender matches ACL, turn log level fully up, just for this one message,
+# and preserve temporary directory
+#@debug_sender_acl = ( "test-sender\@$mydomain" );
+#@debug_sender_acl = qw( debug@example.com );
+
+# May be useful along with @debug_sender_acl:
+# Prevent all decoded originals being deleted (replaced by decoded part)
+#$keep_decoded_original_re = new_RE( qr/.*/ );
+
+# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
+#$sa_debug = 1; # defaults to false
+
+#-------------
+1; # insure a defined return
diff --git a/templates/amavisd.conf.sendmail-template b/templates/amavisd.conf.sendmail-template
new file mode 100644
index 0000000..b9ad72e
--- /dev/null
+++ b/templates/amavisd.conf.sendmail-template
@@ -0,0 +1,1510 @@
+use strict;
+
+# Configuration file for amavisd-new
+# Defaults modified for the Debian amavisd-new package
+# $Id: amavisd.conf,v 1.27.2.2 2004/11/18 23:27:55 hmh Exp $
+#
+# This software is licensed under the GNU General Public License (GPL).
+# See comments at the start of amavisd-new for the whole license text.
+
+#Sections:
+# Section I - Essential daemon and MTA settings
+# Section II - MTA specific
+# Section III - Logging
+# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
+# Section V - Per-recipient and per-sender handling, whitelisting, etc.
+# Section VI - Resource limits
+# Section VII - External programs, virus scanners, SpamAssassin
+# Section VIII - Debugging
+
+#GENERAL NOTES:
+# This file is a normal Perl code, interpreted by Perl itself.
+# - make sure this file (or directory where it resides) is NOT WRITABLE
+# by mere mortals (not even vscan/amavis; best to make it owned by root),
+# otherwise it represents a severe security risk!
+# - for values which are interpreted as booleans, it is recommended
+# to use 1 for true, undef for false.
+# THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "no" also meant false,
+# now it means true, like any nonempty string does!
+# - Perl syntax applies. Most notably: strings in "" may include variables
+# (which start with $ or @); to include characters @ and $ in double
+# quoted strings, precede them by a backslash; in single-quoted strings
+# the $ and @ lose their special meaning, so it is usually easier to use
+# single quoted strings (or qw operator) for e-mail addresses.
+# Still, in both cases a backslash needs to be doubled.
+# - variables with names starting with a '@' are lists, the values assigned
+# to them should be lists as well, e.g. ('one@foo', $mydomain, "three");
+# note the comma-separation and parenthesis.
If strings in the list
+# do not contain spaces nor variables, a Perl operator qw() may be used
+# as a shorthand to split its argument on whitespace and produce a list
+# of strings, e.g. qw( one@foo example.com three ); Note that the argument
+# to qw is quoted implicitly and no variable interpretation is done within
+# (no '$' variable evaluations). The #-initiated comments can NOT be used
+# within a string. In other words, $ and # lose their special meaning
+# within a qw argument, just like within '...' strings.
+# - all e-mail addresses in this file and as used internally by the daemon
+# are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.
+# Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com
+# and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'.
+# - the term 'default value' in examples below refers to the value of a
+# variable pre-assigned to it by the program; any explicit assignment
+# to a variable in this configuration file overrides the default value;
+
+
+#
+# Section I - Essential daemon and MTA settings
+#
+
+# $MYHOME serves as a quick default for some other configuration settings.
+# More refined control is available with each individual setting further down.
+# $MYHOME is not used directly by the program. No trailing slash!
+$MYHOME = '/var/lib/amavis'; # (default is '/var/amavis')
+
+# $mydomain serves as a quick default for some other configuration settings.
+# More refined control is available with each individual setting further down.
+# $mydomain is never used directly by the program.
+$mydomain = '_CN_DOMAIN_'; # (no useful default)
+
+# $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3)
+
+# Set the user and group to which the daemon will change if started as root
+# (otherwise just keeps the UID unchanged, and these settings have no effect):
+$daemon_user = 'amavis'; # (no default (undef))
+$daemon_group = 'amavis'; # (no default (undef))
+
+# Runtime working directory (cwd), and a place where
+# temporary directories for unpacking mail are created.
+# if you change this, you might want to modify the cleanup()
+# function in /etc/init.d/amavisd-new
+# (no trailing slash, may be a scratch file system)
+$TEMPBASE = $MYHOME; # (must be set if other config vars use is)
+#$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?
+
+# $helpers_home sets environment variable HOME, and is passed as option
+# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory
+# on a normal persistent file system, not a scratch or temporary file system
+#$helpers_home = $MYHOME; # (defaults to $MYHOME)
+
+# Run the daemon in the specified chroot jail if nonempty:
+#$daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot)
+
+$pid_file = "/var/run/amavis/amavisd.pid"; # (default: "$MYHOME/amavisd.pid")
+$lock_file = "/var/run/amavis/amavisd.lock"; # (default: "$MYHOME/amavisd.lock")
+
+# set environment variables if you want (no defaults):
+$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory
+#...
+
+
+# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,
+# both $forward_method and $notify_method default to 'smtp:127.0.0.1:10025'
+
+# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
+# (set host and port number as required; host can be specified
+# as IP address or DNS name (A or CNAME, but MX is ignored)
+#$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
+#$notify_method = $forward_method; # where to submit notifications
+
+# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
+# uncomment the appropriate settings below if using other setups!
+
+# SENDMAIL MILTER, using amavis-milter.c helper program:
+# SEE amavisd-new-milter package docs FOR DEBIAN INSTRUCTIONS
+$forward_method = undef; # no explicit forwarding, sendmail does it by itself
+# milter; option -odd is needed to avoid deadlocks
+$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
+# just a thought: can we use use -Am instead of -odd ?
+
+# SENDMAIL (old non-milter setup, as relay):
+#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';
+#$notify_method = $forward_method;
+
+# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent):
+#$forward_method = undef; # no explicit forwarding, amavis.c will call LDA
+#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';
+
+# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
+#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';
+#$notify_method = $forward_method;
+
+# prefer to collect mail for forwarding as BSMTP files?
+#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";
+#$notify_method = $forward_method;
+
+
+# Net::Server pre-forking settings
+# You may want $max_servers to match the width of your MTA pipe
+# feeding amavisd, e.g.
with Postfix the 'Max procs' field in the
+# master.cf file, like the '2' in the: smtp-amavis unix - - n - 2 smtp
+#
+$max_servers = 2; # number of pre-forked children (default 2)
+$max_requests = 10; # retire a child after that many accepts (default 10)
+
+$child_timeout=5*60; # abort child if it does not complete each task in n sec
+ # (default: 8*60 seconds)
+
+# Check also the settings of @av_scanners at the end if you want to use
+# virus scanners. If not, you may want to delete the whole long assignment
+# to the variable @av_scanners, which will also remove the virus checking
+# code (e.g. if you only want to do spam scanning).
+
+# Here is a QUICK WAY to completely DISABLE some sections of code
+# that WE DO NOT WANT (it won't even be compiled-in).
+# For more refined controls leave the following two lines commented out,
+# and see further down what these two lookup lists really mean.
+#
+# @bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code
+# @bypass_spam_checks_acl = qw( . ); # uncomment to DISABLE anti-spam code
+#
+# Any setting can be changed with a new assignment, so make sure
+# you do not unintentionally override these settings further down!
+
+# Lookup list of local domains (see README.lookups for syntax details)
+#
+# NOTE:
+# For backwards compatibility the variable names @local_domains (old) and
+# @local_domains_acl (new) are synonyms. For consistency with other lookups
+# the name @local_domains_acl is now preferred. It also makes it more
+# obviously distinct from the new %local_domains hash lookup table.
+#
+# local_domains* lookup tables are used in deciding whether a recipient
+# is local or not, or in other words, if the message is outgoing or not.
+# This affects inserting spam-related headers for local recipients,
+# limiting recipient virus notifications (if enabled) to local recipients,
+# in deciding if address extension may be appended, and in SQL lookups
+# for non-fqdn addresses.
Set it up correctly if you need features
+# that rely on this setting (or just leave empty otherwise).
+#
+# With Postfix (2.0) a quick reminder on what local domains normally are:
+# a union of domains specified in: $mydestination, $virtual_alias_domains,
+# $virtual_mailbox_domains, and $relay_domains.
+#
+#@local_domains_acl = ( ".$mydomain" ); # $mydomain and its subdomains
+# @local_domains_acl = ( ".$mydomain", "my.other.domain" );
+# @local_domains_acl = qw(); # default is empty, no recipient treated as local
+# @local_domains_acl = qw( .example.com );
+# @local_domains_acl = qw( .example.com !host.sub.example.net .sub.example.net );
+@local_domains_acl = ( "$mydomain", ".$mydomain" );
+
+# or alternatively(A), using a Perl hash lookup table, which may be assigned
+# directly, or read from a file, one domain per line; comments and empty lines
+# are ignored, a dot before a domain name implies its subdomains:
+#
+#read_hash(\%local_domains, '/etc/amavis/local_domains');
+
+#or alternatively(B), using a list of regular expressions:
+# $local_domains_re = new_RE( qr'[@.]example\.com$'i );
+#
+# see README.lookups for syntax and semantics
+
+
+#
+# Section II - MTA specific (defaults should be ok)
+#
+
+# if $relayhost_is_client is true, the IP address in $notify_method and
+# $forward_method is dynamically overridden with SMTP client peer address
+# (if available), which makes it possible for several hosts to share one
+# daemon. The static port number is also overridden, and is dynamically
+# calculated as being one above the incoming SMTP/LMTP session port number.
+#
+# These are logged at level 3, so enable logging until you know you got it
+# right.
+$relayhost_is_client = 0; # (defaults to false)
+
+$insert_received_line = 1; # behave like MTA: insert 'Received:' header
+ # (does not apply to sendmail/milter)
+ # (default is true (1) )
+
+# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g.
with sendmail milter)
+# (used with amavis helper clients like amavis-milter.c and amavis.c,
+# NOT needed for Postfix and Exim or dual-sendmail - keep it undefined.)
+$unix_socketname = "/var/lib/amavis/amavisd.sock"; # amavis helper protocol socket
+#$unix_socketname = undef; # disable listening on a unix socket
+ # (default is undef, i.e. disabled)
+
+# Do we receive quoted or raw addresses from the helper program?
+# (does not apply to SMTP; defaults to true)
+#$gets_addr_in_quoted_form = 1; # "Bob \"Funny\" Dude"@example.com
+#$gets_addr_in_quoted_form = 0; # Bob "Funny" Dude@example.com
+
+
+
+# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
+# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
+#$inet_socket_port = 10024; # accept SMTP on this local TCP port
+ # (default is undef, i.e. disabled)
+# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];
+
+# SMTP SERVER (INPUT) access control
+# - do not allow free access to the amavisd SMTP port !!!
+#
+# when MTA is at the same host, use the following (one or the other or both):
+#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
+ # (default is '127.0.0.1')
+#@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
+ # (default is qw( 127.0.0.1 ) )
+
+# when MTA (one or more) is on a different host, use the following:
+# @inet_acl = qw(127/8 10.1.0.1 10.1.0.2); # adjust the list as appropriate
+# $inet_socket_bind = undef; # bind to all IP interfaces if undef
+#
+# Example1:
+# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
+# permit only SMTP access from loopback and rfc1918 private address space
+#
+# Example2:
+# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
+# 127.0.0.1 10/8 172.16/12 192.168/16 );
+# matches loopback and rfc1918 private address space except host 192.168.1.12
+# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
+#
+# Example3:
+# @inet_acl = qw( 127/8
+# !172.16.3.0 !172.16.3.127 172.16.3.0/25
+# !172.16.3.128 !172.16.3.255 172.16.3.128/25 );
+# matches loopback and both halves of the 172.16.3/24 C-class,
+# split into two subnets, except all four broadcast addresses
+# for these subnets
+#
+# See README.lookups for details on specifying access control lists.
+
+
+#
+# Section III - Logging
+#
+
+# true (e.g. 1) => syslog; false (e.g.
0) => logging to file
+$DO_SYSLOG = 1; # (defaults to false)
+#$SYSLOG_LEVEL = 'user.info'; # (facility.priority, default 'mail.info')
+
+# Log file (if not using syslog)
+$LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log)
+
+#NOTE: levels are not strictly observed and are somewhat arbitrary
+# 0: startup/exit/failure messages, viruses detected
+# 1: args passed from client, some more interesting messages
+# 2: virus scanner output, timing
+# 3: server, client
+# 4: decompose parts
+# 5: more debug details
+#$log_level = 2; # (defaults to 0)
+
+# Customizable template for the most interesting log file entry (e.g. with
+# $log_level=0) (take care to properly quote Perl special characters like '\')
+# For a list of available macros see README.customize .
+
+# only log infected messages (useful with log level 0):
+# $log_templ = '[? %#V |[? %#F ||banned filename ([%F|,])]|infected ([%V|,])]#
+# [? %#V |[? %#F ||, from=[?%o|(?)|<%o>], to=[<%R>|,][? %i ||, quarantine %i]]#
+# |, from=[?%o|(?)|<%o>], to=[<%R>|,][? %i ||, quarantine %i]]';
+
+# log both infected and noninfected messages (default):
+$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
+[?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
+
+
+#
+# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
+#
+
+# Select notifications text encoding when Unicode-aware Perl is converting
+# text from internal character representation to external encoding (charset
+# in MIME terminology). Used as argument to Perl Encode::encode subroutine.
+#
+# to be used in RFC 2047-encoded header field bodies, e.g.
in Subject:
+#$hdr_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
+#
+# to be used in notification body text: its encoding and Content-type.charset
+#$bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
+
+# Default template texts for notifications may be overruled by directly
+# assigning new text to template variables, or by reading template text
+# from files. A second argument may be specified in a call to read_text(),
+# specifying character encoding layer to be used when reading from the
+# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.
+# Text will be converted to internal character representation by Perl 5.8.0
+# or later; second argument is ignored otherwise. See PerlIO::encoding,
+# Encode::PerlIO and perluniintro man pages.
+#
+# $notify_sender_templ = read_text('/var/amavis/notify_sender.txt');
+# $notify_virus_sender_templ= read_text('/var/amavis/notify_virus_sender.txt');
+# $notify_virus_admin_templ = read_text('/var/amavis/notify_virus_admin.txt');
+# $notify_virus_recips_templ= read_text('/var/amavis/notify_virus_recips.txt');
+# $notify_spam_sender_templ = read_text('/var/amavis/notify_spam_sender.txt');
+# $notify_spam_admin_templ = read_text('/var/amavis/notify_spam_admin.txt');
+
+# If notification template files are collectively available in some directory,
+# use read_l10n_templates which calls read_text for each known template.
+#
+# read_l10n_templates('/etc/amavis/en_US');
+#
+# Debian available locales: en_US, pt_BR, de_DE, it_IT
+read_l10n_templates('en_US', '/etc/amavis');
+
+
+# Here is an overall picture (sequence of events) of how pieces fit together
+# (only virus controls are shown, spam controls work the same way):
+#
+# bypass_virus_checks? ==> PASS
+# no viruses?
==> PASS
+# log virus if $log_templ is nonempty
+# quarantine if $virus_quarantine_to is nonempty
+# notify admin if $virus_admin (lookup) nonempty
+# notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
+# add address extensions if adding extensions is enabled and virus will pass
+# send (non-)delivery notifications
+# to sender if DSN needed (BOUNCE or ($warn_virus_sender and D_PASS))
+# virus_lovers or final_destiny==D_PASS ==> PASS
+# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
+#
+# Equivalent flow diagram applies for spam checks.
+# If a virus is detected, spam checking is skipped entirely.
+
+# The following symbolic constants can be used in *destiny settings:
+#
+# D_PASS mail will pass to recipients, regardless of bad contents;
+#
+# D_DISCARD mail will not be delivered to its recipients, sender will NOT be
+# notified. Effectively we lose mail (but will be quarantined
+# unless disabled). Losing mail is not decent for a mailer,
+# but might be desired.
+#
+# D_BOUNCE mail will not be delivered to its recipients, a non-delivery
+# notification (bounce) will be sent to the sender by amavisd-new;
+# Exception: bounce (DSN) will not be sent if a virus name matches
+# $viruses_that_fake_sender_re, or to messages from mailing lists
+# (Precedence: bulk|list|junk);
+#
+# D_REJECT mail will not be delivered to its recipients, sender should
+# preferably get a reject, e.g. SMTP permanent reject response
+# (e.g. with milter), or non-delivery notification from MTA
+# (e.g. Postfix). If this is not possible (e.g. different recipients
+# have different tolerances to bad mail contents and not using LMTP)
+# amavisd-new sends a bounce by itself (same as D_BOUNCE).
+#
+# Notes:
+# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
+# for informing the sender about non-delivery, and how informative
+# the notification can be (amavisd-new knows more than MTA);
+# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
+# notification, colloquially called 'bounce') - depending on MTA;
+# Best suited for sendmail milter, especially for spam.
+# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
+# reason for mail non-delivery, but unable to reject the original
+# SMTP session). Best suited to reporting viruses, and for Postfix
+# and other dual-MTA setups, which can't reject original client SMTP
+# session, as the mail has already been enqueued.
+
+$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
+$final_banned_destiny = D_REJECT; # (defaults to D_BOUNCE)
+$final_spam_destiny = D_REJECT; # (defaults to D_REJECT)
+$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
+
+# Alternatives to consider for spam:
+# - use D_PASS if clients will do filtering based on inserted mail headers;
+# - use D_DISCARD, if kill_level is set safely high;
+# - use D_BOUNCE instead of D_REJECT if not using milter;
+#
+# D_BOUNCE is preferred for viruses, but consider:
+# - use D_DISCARD to avoid bothering the rest of the network, it is hopeless
+# to try to keep up with the viruses that faker the envelope sender anyway,
+# and bouncing only increases the network cost of viruses for everyone
+# - use D_PASS (or virus_lovers) and $warnvirussender=1 to deliver viruses;
+# - use D_REJECT instead of D_BOUNCE if using milter and under heavy
+# virus storm;
+#
+# Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped
+# to D_BOUNCE.
+#
+# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD
+# and D_PASS made settings $warnvirussender and $warnspamsender only still
+# useful with D_PASS.
+
+# The following $warn*sender settings are ONLY used when mail is
+# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).
+# Bounces or rejects produce non-delivery status notification anyway.
+
+# Notify virus sender?
+#$warnvirussender = 1; # (defaults to false (undef))
+
+# Notify spam sender?
+#$warnspamsender = 1; # (defaults to false (undef))
+
+# Notify sender of banned files?
+#$warnbannedsender = 1; # (defaults to false (undef))
+
+# Notify sender of syntactically invalid header containing non-ASCII characters?
+#$warnbadhsender = 1; # (defaults to false (undef))
+
+# Notify virus (or banned files) RECIPIENT?
+# (not very useful, but some policies demand it)
+#$warnvirusrecip = 1; # (defaults to false (undef))
+#$warnbannedrecip = 1; # (defaults to false (undef))
+
+# Notify also non-local virus/banned recipients if $warn*recip is true?
+# (including those not matching local_domains*)
+#$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals)
+
+
+# Treat envelope sender address as unreliable and don't send sender
+# notification / bounces if name(s) of detected virus(es) match the list.
+# Note that virus names are supplied by external virus scanner(s) and are
+# not standardized, so virus names may need to be adjusted.
+# See README.lookups for syntax, check also README.policy-on-notifications
+#
+$viruses_that_fake_sender_re = new_RE(
+ qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
+ qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
+ qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
+ qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
+ qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
+ qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
+ [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
+ [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
+ [qr/.*/ => 1], # true by default (remove or comment-out if undesired)
+);
+
+# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)
+# - the administrator address may be a simple fixed e-mail address (a scalar),
+# or may depend on the SENDER address (e.g. its domain), in which case
+# a ref to a hash table can be specified (specify lower-cased keys,
+# dot is a catchall, see README.lookups).
+#
+# Empty or undef lookup disables virus admin notifications.
+
+# $virus_admin = undef; # do not send virus admin notifications (default)
+# $virus_admin = {'not.example.com' => '', '.' => 'virusalert@example.com'};
+# $virus_admin = 'virus-admin@example.com';
+#$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
+$virus_admin = "virusalert\@$mydomain"; # due to D_DISCARD default
+
+# equivalent to $virus_admin, but for spam admin notifications:
+# $spam_admin = "spamalert\@$mydomain";
+# $spam_admin = undef; # do not send spam admin notifications (default)
+# $spam_admin = {'not.example.com' => '', '.'
=> 'spamalert@example.com'};
+
+#advanced example, using a hash lookup table:
+#$virus_admin = {
+# 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com',
+# '.sub1.example.com' => 'virusalert@sub1.example.com',
+# '.sub2.example.com' => '', # don't send admin notifications
+# 'a.sub3.example.com' => 'abuse@sub3.example.com',
+# '.sub3.example.com' => 'virusalert@sub3.example.com',
+# '.example.com' => 'noc@example.com', # catchall for our virus senders
+# '.' => 'virusalert@hq.example.com', # catchall for the rest
+#};
+
+
+# whom notification reports are sent from (ENVELOPE SENDER);
+# may be a null reverse path, or a fully qualified address:
+# (admin and recip sender addresses default to $mailfrom
+# for compatibility, which in turn defaults to undef (empty) )
+# If using strings in double quotes, don't forget to quote @, i.e. \@
+#
+$mailfrom_notify_admin = "virusalert\@$mydomain";
+$mailfrom_notify_recip = "virusalert\@$mydomain";
+$mailfrom_notify_spamadmin = "spamalert\@$mydomain";
+
+# 'From' HEADER FIELD for sender and admin notifications.
+# This should be a replyable address, see rfc1894. Not to be confused
+# with $mailfrom_notify_sender, which is the envelope return address
+# and should be empty (null reverse path) according to rfc2821.
+#
+# The syntax of the 'From' header field is specified in rfc2822, section
+# '3.4. Address Specification'. Note in particular that display-name must be
+# a quoted-string if it contains any special characters like spaces and dots.
+#
+# $hdrfrom_notify_sender = "amavisd-new ";
+# $hdrfrom_notify_sender = 'amavisd-new ';
+# $hdrfrom_notify_sender = '"Content-Filter Master" ';
+# (defaults to: "amavisd-new ")
+# $hdrfrom_notify_admin = $mailfrom_notify_admin;
+# (defaults to: $mailfrom_notify_admin)
+# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;
+# (defaults to: $mailfrom_notify_spamadmin)
+
+# whom quarantined messages appear to be sent from (envelope sender);
+# keeps original sender if undef, or set it explicitly, default is undef
+$mailfrom_to_quarantine = ''; # override sender address with null return path
+
+
+# Location to put infected mail into: (applies to 'local:' quarantine method)
+# empty for not quarantining, may be a file (mailbox),
+# or a directory (no trailing slash)
+# (the default value is undef, meaning no quarantine)
+#
+$QUARANTINEDIR = '/var/lib/amavis/virusmails';
+
+#$virus_quarantine_method = "local:virus-%i-%n"; # default
+#$spam_quarantine_method = "local:spam-%b-%i-%n"; # default
+#
+#use the new 'bsmtp:' method as an alternative to the default 'local:'
+#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%i-%n.bsmtp";
+#$spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%b-%i-%n.bsmtp";
+
+# When using the 'local:' quarantine method (default), the following applies:
+#
+# A finer control of quarantining is available through variable
+# $virus_quarantine_to/$spam_quarantine_to. It may be a simple scalar string,
+# or a ref to a hash lookup table, or a regexp lookup table object,
+# which makes possible to set up per-recipient quarantine addresses.
+#
+# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a
+# per-recipient lookup result from the hash table %$virus_quarantine_to)
+# is/are interpreted as follows:
+#
+# VARIANT 1:
+# empty or undef disables quarantine;
+#
+# VARIANT 2:
+# a string NOT containing an '@';
+# amavisd will behave as a local delivery agent (LDA) and will quarantine
+# viruses to local files according to hash %local_delivery_aliases (pseudo
+# aliases map) - see subroutine mail_to_local_mailbox() for details.
+# Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'.
+# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:
+#
+# * if $QUARANTINEDIR is a directory, each quarantined virus will go
+# to a separate file in the $QUARANTINEDIR directory (traditional
+# amavis style, similar to maildir mailbox format);
+#
+# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style
+# mailbox. All quarantined messages will be appended to this file.
+# Amavisd child process must obtain an exclusive lock on the file during
+# delivery, so this may be less efficient than using individual files
+# or forwarding to MTA, and it may not work across NFS or other non-local
+# file systems (but may be handy for pickup of quarantined files via IMAP
+# for example);
+#
+# VARIANT 3:
+# any email address (must contain '@').
+# The e-mail messages to be quarantined will be handed to MTA
+# for delivery to the specified address. If a recipient address local to MTA
+# is desired, you may leave the domain part empty, e.g. 'infected@', but the
+# '@' character must nevertheless be included to distinguish it from variant 2.
+#
+# This method enables more refined delivery control made available by MTA
+# (e.g. its aliases file, other local delivery agents, dealing with
+# privileges and file locking when delivering to user's mailbox, nonlocal
+# delivery and forwarding, fan-out lists).
Make sure the mail-to-be-quarantined
+# will not be handed back to amavisd for checking, as this will cause a loop
+# (hopefully broken at some stage)! If this can be assured, notifications
+# will benefit too from not being unnecessarily virus-scanned.
+#
+# By default this is safe to do with Postfix and Exim v4 and dual-sendmail
+# setup, but probably not safe with sendmail milter interface without
+# precaution.
+
+# (the default value is undef, meaning no quarantine)
+
+$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
+#$virus_quarantine_to = 'infected@'; # forward to MTA for delivery
+#$virus_quarantine_to = "virus-quarantine\@$mydomain"; # similar
+#$virus_quarantine_to = 'virus-quarantine@example.com'; # similar
+#$virus_quarantine_to = undef; # no quarantine
+#
+#$virus_quarantine_to = new_RE( # per-recip multiple quarantines
+# [qr'^user@example\.com$'i => 'infected@'],
+# [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],
+# [qr'^(.*)(@[^@])?$'i => 'virus-${1}${2}'],
+# [qr/.*/ => 'virus-quarantine'] );
+
+# similar for spam
+# (the default value is undef, meaning no quarantine)
+#
+$spam_quarantine_to = 'spam-quarantine';
+#$spam_quarantine_to = "spam-quarantine\@$mydomain";
+#$spam_quarantine_to = new_RE( # per-recip multiple quarantines
+# [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'],
+# [qr/.*/ => 'spam-quarantine'] );
+
+# In addition to per-recip quarantine, a by-sender lookup is possible. It is
+# similar to $spam_quarantine_to, but the lookup key is the sender address:
+#$spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine
+
+
+# Add X-Virus-Scanned header field to mail?
+$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)
+# Leave empty to add no header # (default: undef)
+$X_HEADER_LINE = "by $myversion (Debian) at $mydomain";
+
+# a string to prepend to Subject (for local recipients only) if mail could
+# not be decoded or checked entirely, e.g.
due to password-protected archives
+$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
+
+$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
+#$remove_existing_x_scanned_headers= 1; # remove existing headers
+ # (defaults to false)
+#$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
+$remove_existing_spam_headers = 1; # remove existing spam headers if
+ # spam scanning is enabled (default)
+
+# set $bypass_decode_parts to true if you only do spam scanning, or if you
+# have a good virus scanner that can deal with compression and recursively
+# unpacking archives by itself, and save amavisd the trouble.
+# Disabling decoding also causes banned_files checking to only see
+# MIME names and MIME content types, not the content classification types
+# as provided by the file(1) utility.
+# It is a double-edged sword, make sure you know what you are doing!
+#
+#$bypass_decode_parts = 1; # (defaults to false)
+
+# don't trust this file type or corresponding unpacker for this file type,
+# keep both the original and the unpacked file for a virus checker to see
+# (lookup key is what file(1) utility returned):
+#
+$keep_decoded_original_re = new_RE(
+# qr'^MAIL$', # retain full original message for virus checking (can be slow)
+ qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
+ qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+# qr'^Zip archive data',
+);
+
+# Checking for banned MIME types and names. If any mail part matches,
+# the whole mail is rejected, much like the way viruses are handled.
+# A list in object $banned_filename_re can be defined to provide a list
+# of Perl regular expressions to be matched against each part's:
+#
+# * Content-Type value (both declared and effective mime-type),
+# including the possible security risk content types
+# message/partial and message/external-body, as specified by rfc2046;
+#
+# * declared (i.e.
recommended) file names as specified by MIME subfields
+# Content-Disposition.filename and Content-Type.name, both in their
+# raw (encoded) form and in rfc2047-decoded form if applicable;
+#
+# * file content type as guessed by 'file' utility, both the raw
+# result from 'file', as well as short type name, classified
+# into names such as .asc, .txt, .html, .doc, .jpg, .pdf,
+# .zip, .exe, ... - see subroutine determine_file_types().
+# This step is done only if $bypass_decode_parts is not true.
+#
+# * leave $banned_filename_re undefined to disable these checks
+# (giving an empty list to new_RE() will also always return false)
+
+$banned_filename_re = new_RE(
+# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
+ qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # some double extensions
+ qr'[{}]', # curly braces in names (serve as Class ID extensions - CLSID)
+# qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
+# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
+# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
+# vbe|vbs|wsc|wsf|wsh)$'ix, # banned extension - long
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
+# qr'^\.(zip|lha|tnef|cab)$'i, # banned file(1) types
+# qr'^\.exe$'i, # banned file(1) types
+# qr'^application/x-msdownload$'i, # banned MIME types
+# qr'^application/x-msdos-program$'i,
+ qr'^message/partial$'i, # rfc2046. this one is deadly for Outcrook
+# qr'^message/external-body$'i, # block rfc2046
+);
+# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
+# and http://www.cknow.com/vtutor/vtextensions.htm
+
+# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe',
+# as well as any file name which happens to end with .exe.
If only matching
+# a file name is desired, but not the short name, a pattern qr'.\.exe$'i
+# or similar may be used, which requires that at least one character precedes
+# the '.exe', and so it will never match short file types, which always start
+# with a dot.
+
+
+#
+# Section V - Per-recipient and per-sender handling, whitelisting, etc.
+#
+
+# %virus_lovers, @virus_lovers_acl and $virus_lovers_re lookup tables:
+# (these should be considered policy options, they do not disable checks,
+# see bypass*checks for that!)
+#
+# Exclude certain RECIPIENTS from virus filtering by adding their lower-cased
+# envelope e-mail address (or domain only) to the hash %virus_lovers, or to
+# the access list @virus_lovers_acl - see README.lookups and examples.
+# Make sure the appropriate form (e.g. external/internal) of address
+# is used in case of virtual domains, or when mapping external to internal
+# addresses, etc. - this is MTA-specific.
+#
+# Notifications would still be generated however (see the overall
+# picture above), and infected mail (if passed) gets additional header:
+# X-AMaViS-Alert: INFECTED, message contains virus: ...
+# (header not inserted with milter interface!)
+#
+# NOTE (milter interface only): in case of multiple recipients,
+# it is only possible to drop or accept the message in its entirety - for all
+# recipients. If all of them are virus lovers, we'll accept mail, but if
+# at least one recipient is not a virus lover, we'll discard the message.
+
+
+# %bypass_virus_checks, @bypass_virus_checks_acl and $bypass_virus_checks_re
+# lookup tables:
+# (this is mainly a time-saving option, unlike virus_lovers* !)
+#
+# Similar in concept to %virus_lovers, a hash %bypass_virus_checks,
+# access list @bypass_virus_checks_acl and regexp list $bypass_virus_checks_re
+# are used to skip entirely the decoding, unpacking and virus checking,
+# but only if ALL recipients match the lookup.
+#
+# %bypass_virus_checks/@bypass_virus_checks_acl/$bypass_virus_checks_re
+# do NOT GUARANTEE the message will NOT be checked for viruses - this may
+# still happen when there is more than one recipient for a message, and
+# not all of them match these lookup tables. To guarantee virus delivery,
+# a recipient must also match %virus_lovers/@virus_lovers_acl lookups
+# (but see milter limitations above),
+
+# NOTE: it would not be clever to base virus checks on SENDER address,
+# since there are no guarantees that it is genuine. Many viruses
+# and spam messages fake sender address. To achieve selective filtering
+# based on the source of the mail (e.g. IP address, MTA port number, ...),
+# use mechanisms provided by MTA if available.
+
+
+# Similar to lookup tables controlling virus checking, there exist
+# spam scanning, banned names/types, and headers_checks control counterparts:
+# %spam_lovers, @spam_lovers_acl, $spam_lovers_re
+# %banned_files_lovers, @banned_files_lovers_acl, $banned_files_lovers_re
+# %bad_header_lovers, @bad_header_lovers_acl, $bad_header_lovers_re
+# and:
+# %bypass_spam_checks/@bypass_spam_checks_acl/$bypass_spam_checks_re
+# %bypass_banned_checks/@bypass_banned_checks_acl/$bypass_banned_checks_re
+# %bypass_header_checks/@bypass_header_checks_acl/$bypass_header_checks_re
+# See README.lookups for details about the syntax.
+
+# The following example disables spam checking altogether,
+# since it matches any recipient e-mail address (any address
+# is a subdomain of the top-level root DNS domain):
+# @bypass_spam_checks_acl = qw( . );
+
+# @bypass_header_checks_acl = qw( user@example.com );
+# @bad_header_lovers_acl = qw( user@example.com );
+
+
+# See README.lookups for further detail, and examples below.
+
+# $virus_lovers{lc("postmaster\@$mydomain")} = 1;
+# $virus_lovers{lc('postmaster@example.com')} = 1;
+# $virus_lovers{lc('abuse@example.com')} = 1;
+# $virus_lovers{lc('some.user@')} = 1; # this recipient, regardless of domain
+# $virus_lovers{lc('boss@example.com')} = 0; # never, even if domain matches
+# $virus_lovers{lc('example.com')} = 1; # this domain, but not its subdomains
+# $virus_lovers{lc('.example.com')}= 1; # this domain, including its subdomains
+#or:
+# @virus_lovers_acl = qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org );
+#
+# $bypass_virus_checks{lc('some.user2@butnot.example.com')} = 1;
+# @bypass_virus_checks_acl = qw( some.ddd !butnot.example.com .example.com );
+
+# @virus_lovers_acl = qw( postmaster@example.com );
+# $virus_lovers_re = new_RE( qr'^(helpdesk|postmaster)@example\.com$'i );
+
+# $spam_lovers{lc("postmaster\@$mydomain")} = 1;
+# $spam_lovers{lc('postmaster@example.com')} = 1;
+# $spam_lovers{lc('abuse@example.com')} = 1;
+# @spam_lovers_acl = qw( !.example.com );
+# $spam_lovers_re = new_RE( qr'^user@example\.com$'i );
+
+# don't run spam check for these RECIPIENT domains:
+# @bypass_spam_checks_acl = qw( d1.com .d2.com a.d3.com );
+# or the other way around (bypass check for all BUT these):
+# @bypass_spam_checks_acl = qw( !d1.com !.d2.com !a.d3.com . );
+# a practical application: don't check outgoing mail for spam:
+# @bypass_spam_checks_acl = ( "!.$mydomain", "." );
+# (a downside of which is that such mail will not count as ham in SA bayes db)
+
+
+# Where to find SQL server(s) and database to support SQL lookups?
+# A list of triples: (dsn,user,passw). (dsn = data source name)
+# More than one entry may be specified for multiple (backup) SQL servers.
+# See 'man DBI', 'man DBD::mysql', 'man DBD::Pg', ... for details.
+# When chroot-ed, accessing SQL server over inet socket may be more convenient.
+#
+# @lookup_sql_dsn =
+# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
+# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'] );
+#
+# ('mail' in the example is the database name, choose what you like)
+# With PostgreSQL the dsn (first element of the triple) may look like:
+# 'DBI:Pg:host=host1;dbname=mail'
+
+# The SQL select clause to fetch per-recipient policy settings.
+# The %k will be replaced by a comma-separated list of query addresses
+# (e.g. full address, domain only, catchall). Use ORDER, if there
+# is a chance that multiple records will match - the first match wins.
+# If field names are not unique (e.g. 'id'), the later field overwrites the
+# earlier in a hash returned by lookup, which is why we use '*,users.id'.
+# $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
+# ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
+# ' ORDER BY users.priority DESC';
+#
+# The SQL select clause to check sender in per-recipient whitelist/blacklist
+# The first SELECT argument '?' will be users.id from recipient SQL lookup,
+# the %k will be sender addresses (e.g. full address, domain only, catchall).
+# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
+# ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'.
+# ' AND (mailaddr.email IN (%k))'.
+# ' ORDER BY mailaddr.priority DESC';
+
+$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
+
+
+# If you decide to pass viruses (or spam) to certain recipients using the
+# above lookup tables or using $final_virus_destiny=D_PASS, you can set
+# the variable $addr_extension_virus ($addr_extension_spam) to some
+# string, and the recipient address will have this string appended
+# as an address extension to the local-part of the address. This extension
+# can be used by final local delivery agent to place such mail in different
+# folders.
Leave these two variables undefined or empty strings to prevent
+# appending address extensions. Setting has no effect on recipient which will
+# not be receiving viruses/spam. Recipients who do not match lookup tables
+# local_domains* are not affected.
+#
+# LDAs usually default to stripping away address extension if no special
+# handling is specified, so having this option enabled normally does no harm,
+# provided the $recipients_delimiter matches the setting on the final
+# MTA's LDA.
+
+# $addr_extension_virus = 'virus'; # (default is undef, same as empty)
+# $addr_extension_spam = 'spam'; # (default is undef, same as empty)
+# $addr_extension_banned = 'banned'; # (default is undef, same as empty)
+
+
+# Delimiter between local part of the recipient address and address extension
+# (which can optionally be added, see variables $addr_extension_virus and
+# $addr_extension_spam). E.g. recipient address gets changed
+# to .
+#
+# Delimiter should match equivalent (final) MTA delimiter setting.
+# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf)
+# Setting it to an empty string or to undef disables this feature
+# regardless of $addr_extension_virus and $addr_extension_spam settings.
+
+$recipient_delimiter = '+'; # (default is '+')
+
+# true: replace extension; false: append extension
+$replace_existing_extension = 1; # (default is false)
+
+# Affects matching of localpart of e-mail addresses (left of '@')
+# in lookups: true = case sensitive, false = case insensitive
+$localpart_is_case_sensitive = 0; # (default is false)
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT)
+# (affects spam checking only, has no effect on virus and other checks)
+
+# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
+# senders even if the message would be recognized as spam. Effectively, for
+# the specified senders, message recipients temporarily become 'spam_lovers'.
+# To avoid surprises, whitelisted sender also suppresses inserting/editing
+# the tag2-level header fields (X-Spam-*, Subject), appending spam address
+# extension, and quarantining.
+
+# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
+# Effectively, for messages from blacklisted senders, spam level
+# is artificially pushed high, and the normal spam processing applies,
+# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual
+# reactions to spam, including possible rejection. If the message nevertheless
+# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
+# in the 'X-Spam-Status' header field, but the reported spam value and
+# set of tests in this report header field (if available from SpamAssassin,
+# which may have not been called) is not adjusted.
+#
+# A sender may be both white- and blacklisted at the same time, settings
+# are independent. For example, being both white- and blacklisted, message
+# is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No;
+# X-Spam-Status: No, ...), but the reported spam level (if computed) may
+# still indicate high spam score.
+#
+# If ALL recipients of the message either white- or blacklist the sender,
+# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
+#
+# The following variables (lookup tables) are available, with the semantics
+# and syntax as specified in README.lookups:
+#
+# %whitelist_sender, @whitelist_sender_acl, $whitelist_sender_re
+# %blacklist_sender, @blacklist_sender_acl, $blacklist_sender_re
+
+# SOME EXAMPLES:
+#
+#ACL:
+# @whitelist_sender_acl = qw( .example.com );
+#
+# @whitelist_sender_acl = ( ".$mydomain" ); # $mydomain and its subdomains
+# NOTE: This is not a reliable way of turning off spam checks for
+# locally-originating mail, as sender address can easily be faked.
+# To reliably avoid spam-scanning outgoing mail,
+# use @bypass_spam_checks_acl .
+ +#RE: +# $whitelist_sender_re = new_RE( +# qr'^postmaster@.*\bexample\.com$'i, +# qr'owner-[^@]*@'i, qr'-request@'i, +# qr'\.example\.com$'i ); +# +$blacklist_sender_re = new_RE( + qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i, + qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i, + qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonl|smoking2002k)@'i, + qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i, + qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i, + qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i, +); + +#HASH lookup variant: +# NOTE: Perl operator qw splits its argument string by whitespace +# and produces a list. This means that addresses can not contain +# whitespace, and there is no provision for comments within the string. +# You can use the normal Perl list syntax if you have special requirements, +# e.g. map {...} ('one user@bla', '.second.com'), or use read_hash to read +# addresses from a file. +# + +# a hash lookup table can be read from a file, +# one address per line, comments and empty lines are permitted: +# +# read_hash(\%whitelist_sender, '/var/amavis/whitelist_sender'); +read_hash(\%whitelist_sender, "$MYHOME/whitelist_sender"); +read_hash(\%blacklist_sender, "$MYHOME/blacklist_sender"); + +# ... 
or set directly: +map { $whitelist_sender{lc($_)}=1 } (qw( + nobody@cert.org + owner-alert@iss.net + slashdot@slashdot.org + bugtraq@securityfocus.com + NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM + security-alerts@linuxsecurity.com + amavis-user-admin@lists.sourceforge.net + razor-users-admin@lists.sourceforge.net + notification-return@lists.sophos.com + mailman-announce-admin@python.org + zope-announce-admin@zope.org + owner-postfix-users@postfix.org + owner-postfix-announce@postfix.org + owner-sendmail-announce@lists.sendmail.org + sendmail-announce-request@lists.sendmail.org + ca+envelope@sendmail.org + owner-technews@postel.ACM.ORG + lvs-users-admin@LinuxVirtualServer.org + ietf-123-owner@loki.ietf.org + cvs-commits-list-admin@gnome.org + rt-users-admin@lists.fsck.com + owner-announce@mnogosearch.org + owner-hackers@ntp.org + owner-bugs@ntp.org + clp-request@comp.nus.edu.sg + surveys-errors@lists.nua.ie + emailNews@genomeweb.com + owner-textbreakingnews@CNNIMAIL12.CNN.COM + yahoo-dev-null@yahoo-inc.com +)); + + +# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT + +# The same semantics as for global white/blacklisting applies, but this +# time each recipient (or its domain, or subdomain, ...) can be given +# an individual lookup table for matching senders. The per-recipient lookups +# override the global lookups, which serve as a fallback default. + +# Specify a two-level lookup table: the key for the outer table is recipient, +# and the result should be an inner lookup table (hash or ACL or RE), +# where the key used will be the sender. 
+# +#$per_recip_blacklist_sender_lookup_tables = { +# 'user1@my.example.com'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i), +# 'user2@my.example.com'=>[qw( spammer@d1.example,org .d2.example,org )], +#}; +#$per_recip_whitelist_sender_lookup_tables = { +# 'user@my.example.com' => [qw( friend@example.org .other.example.org )], +# '.my1.example.com' => [qw( !foe.other.example,org .other.example,org )], +# '.my2.example.com' => read_hash('/var/amavis/my2-wl.dat'), +# 'abuse@' => { 'postmaster@'=>1, +# 'cert-advisory-owner@cert.org'=>1, 'owner-alert@iss.net'=>1 }, +#}; + + +# +# Section VI - Resource limits +# + +# Sanity limit to the number of allowed recipients per SMTP transaction +# $smtpd_recipient_limit = 1000; # (default is 1000) + + +# Resource limits to protect unpackers, decompressors and virus scanners +# against mail bombs (e.g. 42.zip) + +# Maximum recursion level for extraction/decoding (0 or undef disables limit) +$MAXLEVELS = 14; # (default is undef, no limit) + +# Maximum number of extracted files (0 or undef disables the limit) +$MAXFILES = 1500; # (default is undef, no limit) + +# For the cumulative total of all decoded mail parts we set max storage size +# to defend against mail bombs. Even though parts may be deleted (replaced +# by decoded text) during decoding, the size they occupied is _not_ returned +# to the quota pool. 
+# +# Parameters to storage quota formula for unpacking/decoding/decompressing +# Formula: +# quota = max($MIN_EXPANSION_QUOTA, +# $mail_size*$MIN_EXPANSION_FACTOR, +# min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR)) +# In plain words (later condition overrules previous ones): +# allow MAX_EXPANSION_FACTOR times initial mail size, +# but not more than MAX_EXPANSION_QUOTA, +# but not less than MIN_EXPANSION_FACTOR times initial mail size, +# but never less than MIN_EXPANSION_QUOTA +# +$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) +$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) +$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified) +$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified) + + +# +# Section VII - External programs, virus scanners +# + +# Specify a path string, which is a colon-separated string of directories +# (no trailing slashes!) to be assigned to the environment variable PATH +# and to serve for locating external programs below. + +# NOTE: if $daemon_chroot_dir is nonempty, the directories will be +# relative to the chroot directory specified; + +$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; + +# Specify one string or a search list of strings (first match wins). +# The string (or: each string in a list) may be an absolute path, +# or just a program name, to be located via $path; +# Empty string or undef (=default) disables the use of that external program. +# Optionally command arguments may be specified - only the first substring +# up to the whitespace is used for file searching. 
+ +$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability + +$gzip = 'gzip'; +$bzip2 = 'bzip2'; +$lzop = 'lzop'; +$uncompress = ['uncompress', 'gzip -d', 'zcat']; +$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat']; +$arc = ['nomarch', 'arc']; +$unarj = ['arj', 'unarj']; # both can extract, arj is recommended +$unrar = ['rar', 'unrar']; # both can extract, same options +$zoo = 'zoo'; +$lha = 'lha'; +$cpio = 'cpio'; # comment out if cpio does not support GNU options + + +# SpamAssassin settings + +# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value +# of the option local_tests_only. See Mail::SpamAssassin man page. +# If set to 1, SA tests are restricted to local tests only, i.e. no tests +# that require internet access will be performed. +# +#$sa_local_tests_only = 1; # (default: false) +$sa_auto_whitelist = 1; # turn on AWL (default: false) + +# Timout for SpamAssassin. This is only used if spamassassin does NOT +# override it (which it often does if sa_local_tests_only is not true) +$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin + # (default is 30 seconds, undef disables it) + +# AWL (auto whitelisting), requires spamassassin 2.44 or better +# $sa_auto_whitelist = 1; # defaults to undef + +$sa_mail_body_size_limit = 150*1024; # don't waste time on SA is mail is larger + # (less than 1% of spam is > 64k) + # default: undef, no limitations + +# default values, can be overridden by more specific lookups, e.g. 
SQL +$sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level +$sa_tag2_level_deflt = 6.3; # add 'spam detected' headers at that level +$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions + # at or above that level: bounce/reject/drop, + # quarantine, and adding mail address extension + +$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent, + # effectively turning D_BOUNCE into D_DISCARD; + # undef disables this feature and is a default; + +# +# The $sa_tag_level_deflt, $sa_tag2_level_deflt and $sa_kill_level_deflt +# may also be hashrefs to hash lookup tables, to make static per-recipient +# settings possible without having to resort to SQL or LDAP lookups. + +# a quick reference: +# tag_level controls adding the X-Spam-Status and X-Spam-Level headers, +# tag2_level controls adding 'X-Spam-Flag: YES', and editing Subject, +# kill_level controls 'evasive actions' (reject, quarantine, extensions); +# it only makes sense to maintain the relationship: +# tag_level <= tag2_level <= kill_level < $sa_dsn_cutoff_level + +# string to prepend to Subject header field when message exceeds tag2 level +$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled) + # (only seen when spam is not to be rejected + # and recipient is in local_domains*) + +#$sa_spam_modifies_subj = 1; # may be a ref to a lookup table, default is true +# Example: modify Subject for all local recipients except user@example.com +#$sa_spam_modifies_subj = [qw( !user@example.com . )]; + +# stop anti-virus scanning when the first scanner detects a virus? +$first_infected_stops_scan = 1; # default is false, all scanners are called + +# @av_scanners is a list of n-tuples, where fields semantics is: +# 1. av scanner plain name, to be used in log and reports; +# 2. 
scanner program name; this string will be submitted to subroutine +# find_external_programs(), which will try to find the full program +# path name; if program is not found, this scanner is disabled. +# Besides a simple string (full program path name or just the basename +# to be looked for in PATH), this may be an array ref of alternative +# program names or full paths - the first match in the list will be used; +# As a special case for more complex scanners, this field may be +# a subroutine reference, and the whole n-tuple is passed to it as args. +# 3. command arguments to be given to the scanner program; +# a substring {} will be replaced by the directory name to be scanned, +# i.e. "$tempdir/parts", a "*" will be replaced by file names of parts; +# 4. an array ref of av scanner exit status values, or a regexp (to be +# matched against scanner output), indicating NO VIRUSES found; +# 5. an array ref of av scanner exit status values, or a regexp (to be +# matched against scanner output), indicating VIRUSES WERE FOUND; +# Note: the virus match prevails over a 'not found' match, so it is safe +# even if the no. 4. matches for viruses too; +# 6. a regexp (to be matched against scanner output), returning a list +# of virus names found. +# 7. and 8.: (optional) subroutines to be executed before and after scanner +# (e.g. to set environment or current directory); +# see examples for these at KasperskyLab AVP and Sophos sweep. + +# NOTES: +# +# - NOT DEFINING @av_scanners (e.g. 
setting it to empty list, or deleting the +# whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE +# (which can be handy if all you want to do is spam scanning); +# +# - the order matters: although _all_ available entries from the list are +# always tried regardless of their verdict, scanners are run in the order +# specified: the report from the first one detecting a virus will be used +# (providing virus names and scanner output); REARRANGE THE ORDER TO WILL; +# +# - it doesn't hurt to keep an unused command line scanner entry in the list +# if the program can not be found; the path search is only performed once +# during the program startup; +# +# COROLLARY: to disable a scanner that _does_ exist on your system, +# comment out its entry or use undef or '' as its program name/path +# (second parameter). An example where this is almost a must: disable +# Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl +# (same for Trophie/vscan, and clamd/clamscan), or if another unrelated +# program happens to have a name matching one of the entries ('sweep' +# again comes to mind); +# +# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES +# for interfacing (where the second parameter starts with \&). +# Keeping such entry and not having a corresponding virus scanner daemon +# causes an unnecessary connection attempt (which eventually times out, +# but it wastes precious time). For this reason the daemonized entries +# are commented in the distribution - just remove the '#' where needed. +# +# CERT list of av resources: http://www.cert.org/other_sources/viruses.html + +@av_scanners = ( + +# ### http://www.vanja.com/tools/sophie/ +# ['Sophie', +# \&ask_daemon, ["{}/\n", '/var/run/sophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, +# qr/(?x)^ [-+]? \d+ : (.*?) 
[\000\r\n]* $/ ], + +# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ +['Sophos SAVI', \&sophos_savi ], + +### http://www.clamav.net/ +['Clam Antivirus-clamd', + \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"], + qr/\bOK$/, qr/\bFOUND$/, + qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], +# NOTE: run clamd under the same user as amavisd; match the socket +# name (LocalSocket) in clamav.conf to the socket name in this entry +# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"], + +# ### http://www.openantivirus.org/ +# ['OpenAntiVirus ScannerDaemon (OAV)', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], +# qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ], + +# ### http://www.vanja.com/tools/trophie/ +# ['Trophie', +# \&ask_daemon, ["{}/\n", '/var/run/trophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, +# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ], + +# ### http://www.grisoft.com/ +# ['AVG Anti-Virus', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], +# qr/^200/, qr/^403/, qr/^403 .*?: (.+)/ ], + +# ### http://www.f-prot.com/ +# ['FRISK F-Prot Daemon', +# \&ask_daemon, +# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", +# ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202', +# '127.0.0.1:10203','127.0.0.1:10204'] ], +# qr/(?i)]*>clean<\/summary>/, +# qr/(?i)]*>infected<\/summary>/, +# qr/(?i)(.+)<\/name>/ ], + + ['KasperskyLab AVP - aveclient', + ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', + '/opt/kav/bin/aveclient','aveclient'], + '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/, + qr/(?:INFECTED|SUSPICION) (.+)/, + ], + + ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], + '-* -P -B -Y -O- {}', [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22], + qr/infected: (.+)/, + sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, + sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + + ### The kavdaemon and AVPDaemonClient 
have been removed from Kasperky + ### products and replaced by aveserver and aveclient + ['KasperskyLab AVPDaemonClient', + [ '/opt/AVP/kavdaemon', 'kavdaemon', + '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', + '/opt/AVP/AvpTeamDream', 'AvpTeamDream', + '/opt/AVP/avpdc', 'avpdc' ], + "-f=$TEMPBASE {}", [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22], + qr/infected: ([^\r\n]+)/ ], + # change the startup-script in /etc/init.d/kavd to: + # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" + # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) + # adjusting /var/amavis above to match your $TEMPBASE. + # The '-f=/var/amavis' is needed if not running it as root, so it + # can find, read, and write its pid file, etc., see 'man kavdaemon'. + # defUnix.prf: there must be an entry "*/var/amavis" (or whatever + # directory $TEMPBASE specifies) in the 'Names=' section. + # cd /opt/AVP/DaemonClients; configure; cd Sample; make + # cp AvpDaemonClient /opt/AVP/ + # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" + + ### http://www.hbedv.com/ or http://www.centralcommand.com/ + ['H+BEDV AntiVir or CentralCommand Vexira Antivirus', + ['antivir','vexira'], + '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/, + qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | + (?i) VIRUS:\ .*?\ virus\ '?) 
( [^\]\s']+ )/ ], + # NOTE: if you only have a demo version, remove -z and add 214, as in: + # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, + + ### http://www.commandsoftware.com/ + ['Command AntiVirus for Linux', 'csav', + '-all -archive -packed {}', [50], [51,52,53], + qr/Infection: (.+)/ ], + + ### http://www.symantec.com/ + ['Symantec CarrierScan via Symantec CommandLineScanner', + 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', + qr/^Files Infected:\s+0$/, qr/^Infected\b/, + qr/^(?:Info|Virus Name):\s+(.+)/ ], + + ### http://www.symantec.com/ + ['Symantec AntiVirus Scan Engine', + 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', + [0], qr/^Infected\b/, + qr/^(?:Info|Virus Name):\s+(.+)/ ], + # NOTE: check options and patterns to see which entry better applies + + ### http://www.sald.com/, http://drweb.imshop.de/ + ['drweb - DrWeb Antivirus', + ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], + '-path={} -al -go -ot -cn -upn -ok-', + [0,32], [1,33], qr' infected (?:with|by)(?: virus)? (.*)$'], + +# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ +# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later +# [pack('N',1). # DRWEBD_SCAN_CMD +# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES +# pack('N', # path length +# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/part-xxxxx")). +# '{}/*'. # path +# pack('N',0). 
# content size +# pack('N',0), +# '/var/drweb/run/drwebd.sock', +# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot +# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default +# # '127.0.0.1:3000', # or over an inet socket +# ], +# qr/\A\x00(\x10|\x11)\x00\x00/s, # IS_CLEAN, EVAL_KEY +# qr/\A\x00(\x00|\x01)\x00(\x20|\x40|\x80)/s, # KNOWN_V, UNKNOWN_V, V._MODIF +# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s, +# ], +# # NOTE: If you are using amavis-milter, change length to: +# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/part-xxxxx"). + + ### http://www.f-secure.com/products/anti-virus/ + ['F-Secure Antivirus', 'fsav', + '--dumb --mime --archive {}', [0], [3,8], + qr/(?:infection|Infected|Suspected): (.+)/ ], + + ['CAI InoculateIT', 'inocucmd', + '-sec -nex {}', [0], [100], + qr/was infected by virus (.+)/ ], + + ['MkS_Vir for Linux (beta)', ['mks32','mks'], + '-s {}/*', [0], [1,2], # any use for options: -a -c ? + qr/--[ \t]*(.+)/ ], + + ### http://www.nod32.com/ + ['ESET Software NOD32', 'nod32', + '-all -subdir+ {}', [0], [1,2], + qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ], + + ### http://www.nod32.com/ + ['ESET Software NOD32 - Client/Server Version', 'nod32cli', + '-a -r -d recurse --heur standard {}', [0], [10,11], + qr/^\S+\s+infected:\s+(.+)/ ], + + ### http://www.norman.com/products_nvc.shtml + ['Norman Virus Control v5 / Linux', 'nvcc', + '-c -l:0 -s -u {}', [0], [1], + qr/(?i).* virus in .* -> \'(.+)\'/ ], + + ### http://www.pandasoftware.com/ + ['Panda Antivirus for Linux', ['pavcl'], + '-aut -aex -heu -cmp -nbr -nor -nso -eng {}', + qr/Number of files infected[ .]*: 0(?!\d)/, + qr/Number of files infected[ .]*: 0*[1-9]/, + qr/Found virus :\s*(\S+)/ ], + +# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. +# Check your RAV license terms before fiddling with the following two lines! 
+# ['GeCAD RAV AntiVirus 8', 'ravav', +# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ], +# # NOTE: the command line switches changed with scan engine 8.5 ! +# # (btw, assigning stdin to /dev/null causes RAV to fail) + + ### http://www.nai.com/ + ['NAI McAfee AntiVirus (uvscan)', 'uvscan', + '--secure -rv --mime --summary --noboot - {}', [0], [13], + qr/(?x) Found (?: + \ the\ (.+)\ (?:virus|trojan) | + \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | + :\ (.+)\ NOT\ a\ virus)/, + # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, + # sub {delete $ENV{LD_PRELOAD}}, + ], + # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before + # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 + # and then clear it when finished to avoid confusing anything else. + # NOTE2: to treat encrypted files as viruses replace the [13] with: + # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ + + ### http://www.virusbuster.hu/en/ + ['VirusBuster', ['vbuster', 'vbengcl'], + # VirusBuster Ltd. does not support the daemon version for the workstation + # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of + # binaries, some parameters AND return codes (from 3 to 1) changed. 
+ "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], + qr/: '(.*)' - Virus/ ], + +# ### http://www.virusbuster.hu/en/ +# ['VirusBuster (Client + Daemon)', 'vbengd', +# # HINT: for an infected file it returns always 3, +# # although the man-page tells a different story +# '-f -log scandir {}', [0], [3], +# qr/Virus found = (.*);/ ], + + ### http://www.cyber.com/ + ['CyberSoft VFind', 'vfind', + '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/, + # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, + ], + + ### http://www.ikarus-software.com/ + ['Ikarus AntiVirus for Linux', 'ikarus', + '{}', [0], [40], qr/Signature (.+) found/ ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdc', + '--all --arc --mail {}', qr/^Infected files *:0(?!\d)/, + qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, + qr/(?:suspected|infected): (.*)(?:\033|$)/ ], +); + +# If no virus scanners from the @av_scanners list produce 'clean' nor +# 'infected' status (e.g. they all fail to run or the list is empty), +# then _all_ scanners from the @av_scanners_backup list are tried. +# When there are both daemonized and command-line scanners available, +# it is customary to place slower command-line scanners in the +# @av_scanners_backup list. The default choice is somewhat arbitrary, +# move entries from one list to another as desired. 
+ +@av_scanners_backup = ( + + ### http://www.clamav.net/ + ['Clam Antivirus - clamscan', 'clamscan', + "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1], + qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], + + ### http://www.f-prot.com/ + ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], + '-dumb -archive -packed {}', [0,8], [3,6], + qr/Infection: (.+)/ ], + + ### http://www.trendmicro.com/ + ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], + '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], + + ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'], + '-i1 -xp {}', [0,10,15], [5,20,21,25], + qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ , + sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, + sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + +# Commented out because the name 'sweep' clashes with the Debian package of +# the same name. Make sure the correct sweep is found in the path when enabling +# +# ### http://www.sophos.com/ +# ['Sophos Anti Virus (sweep)', 'sweep', +# '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}', +# [0,2], qr/Virus .*? found/, +# qr/^>>> Virus(?: fragment)? '?(.*?)'? 
found/, +# ], +# # other options to consider: -mime -oe -idedir=/usr/local/sav + +# always succeeds (uncomment to consider mail clean if all other scanners fail) +['always-clean', sub {0}], + +); + + +# +# Section VIII - Debugging +# + +# The most useful debugging tool is to run amavisd-new non-detached +# from a terminal window: +# amavisd debug + +# Some more refined approaches: + +# If sender matches ACL, turn log level fully up, just for this one message, +# and preserve temporary directory +#@debug_sender_acl = ( "test-sender\@$mydomain" ); +#@debug_sender_acl = qw( debug@example.com ); + +# May be useful along with @debug_sender_acl: +# Prevent all decoded originals being deleted (replaced by decoded part) +#$keep_decoded_original_re = new_RE( qr/.*/ ); + +# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug') +#$sa_debug = 1; # defaults to false + +#------------- +1; # insure a defined return diff --git a/templates/sendmail-to-postfix.diff b/templates/sendmail-to-postfix.diff new file mode 100644 index 0000000..9ccdd7f --- /dev/null +++ b/templates/sendmail-to-postfix.diff 
@@ -0,0 +1,42 @@
+--- amavisd.conf.sendmail-template 2006-06-30 10:53:18.000000000 +0200
++++ amavisd.conf.postfix-template 2006-06-30 13:07:57.000000000 +0200
+@@ -102,17 +102,17 @@
+ # POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
+ # (set host and port number as required; host can be specified
+ # as IP address or DNS name (A or CNAME, but MX is ignored)
+-#$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
+-#$notify_method = $forward_method; # where to submit notifications
++$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
++$notify_method = $forward_method; # where to submit notifications
+
+ # NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
+ # uncomment the appropriate settings below if using other setups!
+
+ # SENDMAIL MILTER, using amavis-milter.c helper program:
+ # SEE amavisd-new-milter package docs FOR DEBIAN INSTRUCTIONS
+-$forward_method = undef; # no explicit forwarding, sendmail does it by itself
++#$forward_method = undef; # no explicit forwarding, sendmail does it by itself
+ # milter; option -odd is needed to avoid deadlocks
+-$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
++#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
+ # just a thought: can we use use -Am instead of -odd ?
+
+ # SENDMAIL (old non-milter setup, as relay):
+@@ -232,7 +232,7 @@
+
+ # SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
+ # (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
+-#$inet_socket_port = 10024; # accept SMTP on this local TCP port
++$inet_socket_port = 10024; # accept SMTP on this local TCP port
+ # (default is undef, i.e. disabled)
+ # multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];
+
+@@ -240,7 +240,7 @@
+ # - do not allow free access to the amavisd SMTP port !!!
+ #
+ # when MTA is at the same host, use the following (one or the other or both):
+-#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
++$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
+ # (default is '127.0.0.1')
+ #@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
+ # (default is qw( 127.0.0.1 ) )
diff --git a/version.sh b/version.sh
new file mode 100644
index 0000000..f14ca7f
--- /dev/null
+++ b/version.sh
@@ -0,0 +1,3 @@
+VERSION=20030616p10-11
+SENDTMPLVERSION=2:20030616p10-8
+POSTTMPLVERSION=2:20030616p10-10
-- 
1.7.10.4
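Review bot: In the last inner hunk of templates/sendmail-to-postfix.diff the postfix variant enables `$inet_socket_bind = '127.0.0.1';` (and, one inner hunk earlier, `$inet_socket_port = 10024;`) but keeps `#@inet_acl = qw( 127.0.0.1 );` commented, so the source-address restriction on the amavisd SMTP port rests only on the default that the trailing comment describes. Because the context line just above warns not to allow free access to that port, I would set it explicitly in the postfix template, `@inet_acl = qw( 127.0.0.1 );`, so the restriction is visible in the shipped file and does not depend on the default of whichever amavisd version is installed. This file only records the difference between the two templates, whose surrounding text lies outside the hunk, so the change presumably belongs in amavisd.conf.postfix-template, with this diff regenerated afterwards.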