6
use Getopt::Long qw(:config gnu_getopt);
16
# Wrap the value in double quotes only when it contains a space.
# NOTE(review): no escaping of an embedded '"' or newline in $v is visible
# here, so such a value would be copied into the generated config as-is -
# confirm that only trusted, single-line values reach this point.
my $sep = $v=~/ / ? '"' : '';
17
$v = "\n$cfg $sep$v$sep";
34
# Default action for infected mail. The option table changes it to 'Accept'
# for --advisory (-A) and to 'Blackhole' for --noreject (-N); the result is
# later written out as the OnInfected directive.
my $oninfected = 'Reject';
46
"from|a:s" => \$notify,
47
"bounce|b" => \$notify,
48
"headers|H" => \$notify,
49
"postmaster|p=s" => \$notify,
50
"postmaster-only|P" => \$notify,
51
"template-file|t=s" => \$notify,
52
"template-headers|1=s" => \$notify,
53
"quiet|q" => sub { $notify = 0 },
54
"dont-blacklist|K=s" => \$black,
55
"blacklist-time|k=i" => \$black,
56
"report-phish|r=s" => \$report,
57
"report-phish-false-positives|R=s" => \$report,
58
"debug-level|x=i" => \$debug,
61
"signature-file|F=s" => \$sign,
62
"broadcast|B=s" => \$broad,
63
"detect-forged-local-address|L" => \$forge,
64
"dont-sanitise|z" => sub { $sanity = 0 },
65
"black-hole-mode|2" => \$blackhole,
66
"quarantine|Q=s" => \$quarantine,
67
"quarantine-dir|U" => \$quarantine,
68
"max-children|m=i" => \$rate,
69
"dont-wait|w" => \$rate,
70
"timeout|T=i" => \$rate,
71
"freshclam-monitor|M=i" => \$monitor,
72
"external|e" => sub { },
73
"no-check-cf" => sub { },
74
"sendmail-cf|0=s" => sub { },
75
"advisory|A" => sub { $oninfected='Accept'; },
76
"noreject|N" => sub { $oninfected='Blackhole'; },
77
"dont-scan-on-error|d" => sub { $onfail = 'Accept'; },
78
"ignore|I=s" => \@localnets,
79
"local|l" => sub { @localnets = (); },
80
"force-scan|f" => sub { @localnets = (); },
81
"whitelist-file|W=s" => \$whitelist,
82
"config-file|c=s" => \$config,
83
"chroot|C=s" => \$chroot,
84
"pidfile|i=s" => \$pidfile,
85
"noxheader|n" => sub { $addheader = 0},
86
"outgoing|o" => sub { push(@localnets, 'localhost'); },
87
"server|s=s" => \$tcpclamds,
91
foreach (split(/:/, $tcpclamds)) {
92
$clamds{"tcp:$_:3310"}++;
106
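# Three-argument open: the path is assembled from --chroot and --config-file,
# so it must be taken literally instead of being parsed for mode characters
# or trimmed of whitespace as the two-argument form does.
# The bareword CFG handle is kept because the code that reads from it is not
# visible here. $! is appended so the actual failure reason is reported.
open CFG, '<', "$chroot/$config" or die "failed to open clamd config file $config: $!";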
109
$port = $1 if /^TCPSocket\s+(.*)$/;
110
$ip = $1 if /^TCPAddr\s+(.*)$/;
111
$lsock = $1 if /^LocalSocket\s+(.*)$/;
112
$user = $1 if /^User\s+(.*)$/;
113
$supgrp = $1 if /^AllowSupplementaryGroups\s+(.*)$/;
114
$syslog = $1 if /^LogSyslog\s+(.*)$/;
115
$facility = $1 if /^LogFacility\s+(.*)$/;
116
$tempdir = $1 if /^TemporaryDirectory\s+(.*)$/;
117
$maxsize = $1 if /^MaxFileSize\s+(.*)$/;
121
$clamds{"unix:$lsock"}++;
124
$clamds{"tcp:$ip:$port"}++;
126
$clamds{"tcp:localhost:$port"}++;
131
# Two fatal preconditions: the milter socket must be given as the first
# positional argument (it is later written out as MilterSocket), and at least
# one clamd socket must have been collected in %clamds.
if (!$ARGV[0]) {
    die "FAIL: No socket provided";
}
if (!scalar keys %clamds) {
    die "FAIL: Unable to determine clamd socket\n";
}
134
wwarn "Notifications and bounces are no longer supported.
135
As a result the following command line options cannot be converted into new config options:
140
--postmaster-only (-P)
142
--template-headers (-1)
145
wwarn "Temporary blacklisting of ip addresses is no longer supported.
146
As a result the following command line options cannot be converted into new config options:
147
--dont-blacklist (-K)
148
--blacklist-time (-k)
151
wwarn "Phising reports are no longer supported.
152
As a result the following command line options cannot be converted into new config options:
154
--report-phish-false-positives (-R)
157
wwarn "The options --debug (-D) and --debug-level (-x) are no longer supported.
158
Please set LogVerbose to yes instead
161
wwarn "Message scan signatures are no longer supported.
162
As a result the following command line options cannot be converted into new config options:
164
--signature-file (-F)
167
wwarn "Broadcasting is no longer supported\n" if $broad;
169
wwarn "Forgery detection is no longer supported\n" if $forge;
171
# --dont-sanitise (-z) sets $sanity to 0, so this notice is skipped when that
# option was given on the old command line. It tells the operator that the
# new milter no longer screens addresses for characters such as '|' and ';'.
if ($sanity) {
    wwarn("Please be aware that email addresses are no longer checked for weird characters like '|' and ';'\n");
}
173
wwarn "Blackhole mode is no longer available\nIf you have a lot users aliased to /dev/null you may want to whitelist them instead\n" if $blackhole;
175
wwarn "Quarantine now achieved via native milter support\nPlease read more about it in the example config file\n" if $quarantine;
177
wwarn "Rate limiting in the milter is no longer supported.
178
As a result the following command line options cannot be converted into new config options:
182
Please make use of the native Sendmail / Postfix rate limiting facilities
185
wwarn "The option --freshclam-monitor (-M) only made sense in internal mode\nPlease configure freshclam to notify clamd about updates instead\n" if $monitor;
187
wwarn "Your whitelist file path has been preserved, however please be aware that its syntax is changed\nInstead of a full email address you are now allowed to use regexes. See the example clamav-milter.conf file for more info.\n" if $whitelist;
189
wwarn "Here is the auto generated config file. Please review:\n";
191
# Convert each collected setting into the text that is spliced into the
# config template right after the matching commented-out example line
# (for instance "#Chroot /newroot$chroot").
my $mysock = tosconf('MilterSocket', $ARGV[0]);

# Settings that carry a value are rewritten in place, in the original order.
for my $setting (
    [ Chroot     => \$chroot ],
    [ PidFile    => \$pidfile ],
    [ OnInfected => \$oninfected ],
    [ OnFail     => \$onfail ],
    [ Whitelist  => \$whitelist ],
) {
    my ($directive, $value_ref) = @{$setting};
    ${$value_ref} = tosconf($directive, ${$value_ref});
}

# Boolean flags become a fixed "Yes" line, or nothing at all when unset.
if ($addheader) {
    $addheader = "\nAddHeader Yes";
}
else {
    $addheader = '';
}

$user = tosconf('User', $user);

if ($supgrp) {
    $supgrp = "\nAllowSupplementaryGroups Yes";
}
else {
    $supgrp = '';
}
200
if ($syslog =~ /yes/i) {
201
$syslog = "LogSyslog yes";
202
$facility = tosconf('LogFacility', $facility);
207
$tempdir = tosconf('TemporaryDirectory', $tempdir);
208
$maxsize = tosconf('MaxFileSize', $maxsize);
212
## Example config file for clamav-milter
213
## (automatically generated by make-clamav-milter-conf.pl)
216
# Comment or remove the line below.
224
# Define the interface through which we communicate with sendmail
225
# This option is mandatory! Possible formats are:
226
# [[unix|local]:]/path/to/file - to specify a unix domain socket
227
# inet:port@[hostname|ip-address] - to specify an ipv4 socket
228
# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
230
# Default: no default
231
#MilterSocket /tmp/clamav-milter.socket
232
#MilterSocket inet:7357$mysock
234
# Remove stale socket after unclean shutdown.
239
# Run as another user (clamav-milter must be started by root for this option to work)
241
# Default: unset (don't drop privileges)
244
# Initialize supplementary group access (clamd must be started by root).
247
#AllowSupplementaryGroups no$supgrp
249
# Waiting for data from clamd will timeout after this time (seconds).
250
# Value of 0 disables the timeout.
255
# Don't fork into background.
260
# Chroot to the specified directory.
261
# Chrooting is performed just after reading the config file and before dropping privileges.
263
# Default: unset (don't chroot)
264
#Chroot /newroot$chroot
266
# This option allows you to save a process identifier of the listening
267
# daemon (main thread).
270
#PidFile /var/run/clamd.pid$pidfile
272
# Optional path to the global temporary directory.
273
# Default: system specific (usually /tmp or /var/tmp).
275
#TemporaryDirectory /var/tmp$tempdir
281
# Define the clamd socket to connect to for scanning.
282
# If not set (the default), clamav-milter uses internal mode.
283
# This option is mandatory! Syntax:
284
# ClamdSocket unix:path
285
# ClamdSocket tcp:host:port
286
# The first syntax specifies a local unix socket (needs an bsolute path) e.g.:
287
# ClamdSocket unix:/var/run/clamd/clamd.socket
288
# The second syntax specifies a tcp local or remote tcp socket: the
289
# host can be a hostname or an ip address; the ":port" field is only required
290
# for IPv6 addresses, otherwise it defaults to 3310
291
# ClamdSocket tcp:192.168.0.1
293
# This option can be repeated several times with different sockets or even
294
# with the same socket: clamd servers will be selected in a round-robin fashion.
296
# Default: no default
297
#ClamdSocket tcp:scanner.mydomain:7357
300
# Emit one ClamdSocket directive per collected socket. The keys of %clamds
# are the "unix:..." and "tcp:host:port" strings built earlier, and each is
# written inside double quotes.
for my $socket (keys %clamds) {
    print "ClamdSocket \"$socket\"\n";
}
308
# Messages originating from these hosts/networks will not be scanned
309
# This option takes a host(name)/mask pair in CIRD notation and can be
310
# repeated several times. If "/mask" is omitted, a host is assumed.
311
# To specify a locally orignated, non-smtp, email use the keyword "local"
313
# Default: unset (scan everything regardless of the origin)
315
#LocalNet 192.168.0.0/24
316
#LocalNet 1111:2222:3333::/48
318
# This option specifies a file which contains a list of POSIX regular
319
# expressions. Addresses (sent to or from - see below) matching these regexes
320
# will not be scanned. Optionally each line can start with the string "From:"
321
# or "To:" (note: no whitespace after the colon) indicating if it is,
322
# respectively, the sender or recipient that is to be whitelisted.
323
# If the field is missing, "To:" is assumed.
324
# Lines starting with #, : or ! are ignored.
326
# Default unset (no exclusion applied)
327
#Whitelist /etc/whitelisted_addresses$whitelist
334
# The following group of options controls the delievery process under
335
# different circumstances.
336
# The following actions are available:
338
# The message is accepted for delievery
340
# Immediately refuse delievery (a 5xx error is returned to the peer)
342
# Return a temporary failure message (4xx) to the peer
343
# - Blackhole (not available for OnFail)
344
# Like accept but the message is sent to oblivion
345
# - Quarantine (not available for OnFail)
346
# Like accept but message is quarantined instead of being deilievered
347
# In sendmail the quarantine queue can be examined via mailq -qQ
348
# For Postfix this causes the message to be accepted but placed on hold
350
# Action to be performed on clean messages (mostly useful for testing)
354
# Action to be performed on infected messages
355
# Default: Quarantine
356
#OnInfected Quarantine$oninfected
358
# Action to be performed on error conditions (this includes failure to
359
# allocate data structures, no scanners available, network timeouts,
360
# unknown scanner replies and the like)
364
# If this option is set to Yes, an "X-Virus-Scanned" and an "X-Virus-Status"
365
# headers will be attached to each processed message, possibly replacing
368
#AddHeader Yes$addheader
375
# Uncomment this option to enable logging.
376
# LogFile must be writable for the user running daemon.
377
# A full path is required.
380
#LogFile /tmp/clamav-milter.log
382
# By default the log file is locked for writing - the lock protects against
383
# running clamav-milter multiple times.
384
# This option disables log file locking.
389
# Maximum size of the log file.
390
# Value of 0 disables the limit.
391
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
392
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
393
# in bytes just don't use modifiers.
398
# Log time with each message.
403
# Use system logger (can work together with LogFile).
406
#LogSyslog yes$syslog
408
# Specify the type of syslog messages - please refer to 'man syslog'
409
# for facility names.
411
# Default: LOG_LOCAL6
412
#LogFacility LOG_MAIL$facility
414
# Enable verbose logging.
424
# Messages larger than this value won't be scanned.
426
#MaxFileSize 150M$maxsize