3
# Sample configuration file for amavisd-new (traditional style, chatty,
4
# you may prefer to start with the more concise supplied amavisd.conf)
6
# See amavisd.conf-default for a list of all variables with their defaults;
7
# for more details see documentation in INSTALL, README_FILES/*
8
# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
10
# This software is licensed under the GNU General Public License (GPL).
11
# See comments at the start of amavisd-new for the whole license text.
14
# Section I - Essential daemon and MTA settings
15
# Section II - MTA specific
16
# Section III - Logging
17
# Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine
18
# Section V - Per-recipient and per-sender handling, whitelisting, etc.
19
# Section VI - Resource limits
20
# Section VII - External programs, virus scanners, SpamAssassin
21
# Section VIII - Debugging
22
# Section IX - Policy banks (dynamic policy switching)
25
# This file is normal Perl code, interpreted by Perl itself.
# - make sure this file (or directory where it resides) is NOT WRITABLE
# by mere mortals (not even vscan/amavis; best to make it owned by root),
# otherwise it can represent a severe security risk: whoever can modify
# this file can have arbitrary Perl code executed by the daemon when it
# reads its configuration!
29
# - for values which are interpreted as booleans, it is recommended
30
# to use 1 for true, and 0 or undef or '' for false;
31
# Note that this interpretation of boolean values does not apply directly
32
# to LDAP and SQL lookups, which follow their own rules - see README.lookups
33
# and README.ldap (in short: use Y/N in SQL, and TRUE/FALSE in LDAP);
34
# - Perl syntax applies. Most notably: strings in "" may include variables
35
# (which start with $ or @); to include characters $ and @ and \ in double
36
# quoted strings precede them by a backslash; in single-quoted strings
37
# the $ and @ lose their special meaning, so it is usually easier to use
38
# single quoted strings (or qw operator) for e-mail addresses.
39
# In both types of quoting a backslash should be doubled.
40
# - variables with names starting with a '@' are lists, the values assigned
41
# to them should be lists too, e.g. ('one@foo', $mydomain, "three");
42
# note the comma-separation and parenthesis. If strings in the list
43
# do not contain spaces nor variables, a Perl operator qw() may be used
44
# as a shorthand to split its argument on whitespace and produce a list
45
# of strings, e.g. qw( one@foo example.com three ); Note that the argument
46
# to qw is quoted implicitly and no variable interpretation is done within
47
# (no '$' variable evaluations). The #-initiated comments can NOT be used
48
# within a string. In other words, $ and # lose their special meaning
49
# within a qw argument, just like within '...' strings.
50
# - all e-mail addresses in this file and as used internally by the daemon
51
# are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.
52
# Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com
53
# and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'.
54
# - the term 'default value' in examples below refers to the value of a
55
# variable pre-assigned to it by the program; any explicit assignment
56
# to a variable in this configuration file overrides the default value;
60
# Section I - Essential daemon and MTA settings
63
# $MYHOME serves as a quick default for some other configuration settings.
64
# More refined control is available with each individual setting further down.
65
# $MYHOME is not used directly by the program. No trailing slash!
66
#$MYHOME = '/var/lib/amavis'; # (default is '/var/amavis'), -H
68
# $mydomain serves as a quick default for some other configuration settings.
69
# More refined control is available with each individual setting further down.
70
# $mydomain is never used directly by the program.
71
# Site domain; the value here is a placeholder, and there is no useful
# built-in default.
$mydomain = q{example.com};

# $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3)

# Account the daemon switches to when it is started as root. When it is
# started as any other user the UID stays as it is and these two settings
# have no effect. Neither has a default; customary names are vscan or amavis.
# Command-line equivalents: -u (user) and -g (group).
$daemon_user = $daemon_group = 'vscan';
80
# Working directory (cwd) of the running daemon; the temporary directories
# used for unpacking mail are created beneath it. No trailing slash; a
# scratch file system is acceptable. Command-line equivalent: -T.
# It must be set if other configuration variables refer to it.
$TEMPBASE = $MYHOME;
#$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?

#$db_home = "$MYHOME/db"; # DB databases directory, default "$MYHOME/db", -D

# $helpers_home sets environment variable HOME, and is passed as option
# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory
# on a normal persistent file system, not a scratch or temporary file system
#$helpers_home = $MYHOME; # (defaults to $MYHOME), -S

# Run the daemon in the specified chroot jail if nonempty:
#$daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot), -R

#$pid_file = "$MYHOME/amavisd.pid"; # (default is "$MYHOME/amavisd.pid"), -P
#$lock_file = "$MYHOME/amavisd.lock"; # (default is "$MYHOME/amavisd.lock"), -L

# Environment variables may be set here as needed (there are no defaults).
# Setting TMPDIR is wise, but not obligatory.
$ENV{'TMPDIR'} = $TEMPBASE;

# $enable_db:           use BerkeleyDB/libdb (SNMP and nanny)
# $enable_global_cache: use the libdb-based cache, if $enable_db=1
($enable_db, $enable_global_cache) = (1, 1);
106
# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,
107
# both $forward_method and $notify_method default to 'smtp:[127.0.0.1]:10025'
109
# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
110
# (set host and port number as required; host can be specified
111
# as an IP address or a DNS name (A or CNAME, but MX is ignored)
112
#$forward_method = 'smtp:[127.0.0.1]:10025'; # where to forward checked mail
113
#$notify_method = $forward_method; # where to submit notifications
115
#$os_fingerprint_method = 'p0f:127.0.0.1:2345'; # query p0f-analyzer.pl
117
# To make it possible for several hosts to share one content checking daemon,
118
# the IP address and/or the port number in $forward_method and $notify_method
119
# may be specified as an asterisk. An asterisk in the colon-separated
# second field (host) will be replaced by the SMTP client peer address.
121
# An asterisk in the third field (tcp port) will be replaced by the incoming
122
# SMTP/LMTP session port number plus one. This obsoletes the previously used
123
# less flexible configuration parameter $relayhost_is_client. An example:
124
# $forward_method = 'smtp:*:*'; $notify_method = 'smtp:*:10587';
127
# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
128
# uncomment the appropriate settings below if using other setups!
130
# SENDMAIL MILTER, using amavis-milter.c helper program:
131
#$forward_method = undef; # no explicit forwarding, sendmail does it by itself
132
# milter; option -odd is needed to avoid deadlocks
133
#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
134
# just a thought: can we use -Am instead of -odd ?
136
# SENDMAIL (old non-milter setup, as relay, deprecated):
137
#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';
138
#$notify_method = $forward_method;
140
# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent, deprecated):
141
#$forward_method = undef; # no explicit forwarding, amavis.c will call LDA
142
#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';
144
# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
145
#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';
146
#$notify_method = $forward_method;
148
# prefer to collect mail for forwarding as BSMTP files?
149
#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";
150
#$notify_method = $forward_method;
153
# Net::Server pre-forking settings
154
# The $max_servers should match the width of your MTA pipe
155
# feeding amavisd, e.g. with Postfix the 'Max procs' field in the
156
# master.cf file, like the '2' in the: smtp-amavis unix - - n - 2 smtp
158
# Number of pre-forked children (default 2); command-line option -m.
$max_servers = 2;

# A child is retired after that many accepts (default 10).
$max_requests = 20;

# A child that does not complete its processing within approximately this
# many seconds is aborted (default: 8*60 seconds).
$child_timeout = 300;

# A session is disconnected if the client stays idle for longer than this
# many seconds (default: 8*60 seconds). The value should be higher than the
# Postfix setting max_idle (default 100s).
$smtpd_timeout = 2 * 60;
168
# Here is a QUICK WAY to completely DISABLE some sections of code
169
# that WE DO NOT WANT (it won't even be compiled-in).
170
# For more refined controls leave the following two lines commented out,
171
# and see further down what these two lookup lists really mean.
173
# @bypass_virus_checks_maps = (1); # uncomment to DISABLE anti-virus code
174
# @bypass_spam_checks_maps = (1); # uncomment to DISABLE anti-spam code
176
# Any setting can be changed with a new assignment, so make sure
177
# you do not unintentionally override these settings further down!
179
# Check also the settings of @av_scanners at the end if you want to use
180
# virus scanners. If not, you may want to delete the whole long assignment
181
# to the variable @av_scanners and @av_scanners_backup, which will also
182
# remove the virus checking code (e.g. if you only want to do spam scanning).
185
# Lookup list of local domains (see README.lookups for syntax details)
187
# @local_domains_maps list of lookup tables are used in deciding whether a
188
# recipient is local or not, or in other words, if the message is outgoing
189
# or not. This affects inserting spam-related headers for local recipients,
190
# limiting recipient virus notifications (if enabled) to local recipients,
191
# in deciding if address extension may be appended, and in SQL lookups
192
# for non-fqdn addresses. Set it up correctly if you need features
193
# that rely on this setting (or just leave empty otherwise).
195
# With Postfix (2.0) a quick hint on what local domains normally are:
196
# a union of domains specified in: mydestination, virtual_alias_domains,
197
# virtual_mailbox_domains, and relay_domains.
199
# A single ACL lookup table with one entry, a dot followed by $mydomain,
# which stands for $mydomain and its subdomains.
@local_domains_maps = ( [ '.' . $mydomain ] );
200
# @local_domains_maps = (); # default is empty list, no recip. considered local
201
# @local_domains_maps = # using ACL lookup table
202
# ( [ ".$mydomain", 'sub.example.net', '.example.com' ] );
203
# @local_domains_maps = # similar, split list elements on whitespace
204
# ( [qw( .example.com !host.sub.example.net .sub.example.net )] );
205
# @local_domains_maps = ( new_RE( qr'[@.]example\.com$'i ) ); # using regexp
206
# @local_domains_maps = ( read_hash("$MYHOME/local_domains") ); # using hash
207
# perhaps combined with Postfix: mydestination = /var/amavis/local_domains
208
# for debugging purposes: dump_hash($local_domains_maps[0]);
210
# Section II - MTA specific (defaults should be ok)
213
#$insert_received_line = 1; # behave like MTA: insert 'Received:' header
214
# (does not apply to sendmail/milter)
217
# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with amavisd-release, or
218
# sendmail milter through helper clients like amavis-milter.c and amavis.c)
219
# option(s) -p overrides $inet_socket_port and $unix_socketname
220
# Unix socket on which the amavis helper protocol is served. The usual
# setting is $MYHOME/amavisd.sock; the default is undef, i.e. disabled.
$unix_socketname = $MYHOME . '/amavisd.sock';
#$unix_socketname = undef; # disable listening on a unix socket

# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
# Local TCP port on which SMTP is accepted (default is undef, i.e. disabled).
# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];
$inet_socket_port = 10024;

# SMTP SERVER (INPUT) access control
# - do not allow free access to the amavisd SMTP port !!!
#   NOTE(review): mail accepted on this port is handed on via $forward_method,
#   so it presumably reaches the MTA without the checks the MTA applies to
#   outside senders - confirm against the MTA setup.

# when MTA is at the same host, use the following (one or the other or both):
#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
# (default is '127.0.0.1')
# SMTP access is allowed only from the localhost IP addresses listed here;
# this list is also the default.
@inet_acl = ( '127.0.0.1', '[::1]' );
240
# when MTA (one or more) is on a different host, use the following, and keep
# @inet_acl limited to the addresses of those MTA hosts:
241
#@inet_acl = qw(127.0.0.0/8 [::1] 10.1.0.1 10.1.0.2); # adjust list as needed
242
#$inet_socket_bind = undef; # bind to all IP interfaces if undef
246
# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
247
# permit only SMTP access from loopback and rfc1918 private address space
250
# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
251
# 127.0.0.1 10/8 172.16/12 192.168/16 );
252
# matches loopback and rfc1918 private address space except host 192.168.1.12
253
# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
256
# @inet_acl = qw( 127/8
257
# !172.16.3.0 !172.16.3.127 172.16.3.0/25
258
# !172.16.3.128 !172.16.3.255 172.16.3.128/25 );
259
# matches loopback and both halves of the 172.16.3/24 C-class,
260
# split into two subnets, except all four broadcast addresses
264
# @mynetworks is an IP access list which determines if the original SMTP client
265
# IP address belongs to our internal networks, i.e. mail is coming from inside.
266
# It is much like the Postfix parameter 'mynetworks' in semantics and similar
267
# in syntax, and its value should normally match the Postfix counterpart.
268
# It only affects the value of a macro %l (=sender-is-local),
269
# and the loading of policy 'MYNETS' if present (see below).
270
# Note that '-o smtp_send_xforward_command=yes' (or its lmtp counterpart)
271
# must be enabled in the Postfix service that feeds amavisd, otherwise
272
# client IP address is not available to amavisd-new.
274
# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
275
# 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); # default
277
# A list of networks can also be read from a file, either as an IP acl in
278
# CIDR notation, one address per line (comments and empty lines are allowed):
279
# @mynetworks_maps = (read_array('/etc/amavisd-mynetworks'), \@mynetworks);
281
# or less flexibly (but provides faster lookups for large lists) by reading
282
# into a hash lookup table, which only allows for full addresses or classful
283
# IPv4 subnets with truncated octets, such as 127, 10, 192.168, 10.11.12.13,
284
# one address per line (comments and empty lines are allowed):
285
# @mynetworks_maps = (read_hash('/etc/amavisd-mynetworks'), \@mynetworks);
287
# See README.lookups for details on specifying access control lists.
291
# Section III - Logging
294
# Log destination: a true value (e.g. 1) selects syslog, a false value
# (e.g. 0) selects logging to a file. Defaults to 0.
$DO_SYSLOG = 1;

# Syslog ident string (defaults to 'amavis').
$syslog_ident = q{amavis};
# Syslog facility as a string,
# e.g.: mail, daemon, user, local0, ... local7, ...
$syslog_facility = q{mail};
# Syslog base (minimal) priority as a string,
# choose from: emerg, alert, crit, err, warning, notice, info, debug
$syslog_priority = q{debug};

# Log file, used if not logging to syslog (defaults to empty, no log).
$LOGFILE = $MYHOME . '/amavis.log';

#NOTE: levels are not strictly observed and are somewhat arbitrary
# 0: startup/exit/failure messages, viruses detected
# 1: args passed from client, some more interesting messages
# 2: virus scanner output, timing
# 5: more debug details
# Defaults to 0; command-line option -d.
# NOTE(review): levels above 0 add per-message detail (client arguments,
# scanner output) to the log; restrict read access to the log accordingly.
$log_level = 2;

# Customizable template for the most interesting log file entry (e.g. with
# $log_level=0) (take care to properly quote Perl special characters like '\')
# For a list of available macros see README.customize .

# $log_templ = undef; # undef disables by-message level-0 log entries
undef $log_recip_templ; # undef disables by-recipient level-0 log entries
323
# log both infected and noninfected messages (as deflt, with size,subj,tests):
324
# (remove the leading '#' and a space in the following lines to activate)
326
# $log_templ = <<'EOD';
328
# [? [:ccat_maj] |OTHER|CLEAN|TEMPFAIL|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\
329
# UNCHECKED|BANNED (%F)|INFECTED (%V)]#
330
# #([:ccat_maj],[:ccat_min])#
331
# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%D|,]#
332
# [? %q ||, quarantine: %q]#
333
# [? %Q ||, Queue-ID: %Q]#
334
# [? %m ||, Message-ID: %m]#
335
# [? %r ||, Resent-Message-ID: %r]#
339
# [~[:remote_mta_smtp_response]|["^$"]||[", queued_as: "]]\
340
# [remote_mta_smtp_response|[~%x|["queued as ([0-9A-Z]+)$"]|["%1"]|["%0"]]|/]#
341
# [? %j ||, Subject: "%j\"]#
342
# [? %#T ||, Tests: \[[%T|,]\]]#
346
# [? [:ccat_maj] |OTHER|CLEAN|TEMPFAIL|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\
347
# UNCHECKED|BANNED (%F)|INFECTED (%V)]#
348
# #([:ccat_maj],[:ccat_min])#
349
# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%O|,]#
350
# [? %q ||, quarantine: %q]#
351
# [? %Q ||, Queue-ID: %Q]#
352
# [? %m ||, Message-ID: %m]#
353
# [? %r ||, Resent-Message-ID: %r]#
357
# #, smtp_resp: [:smtp_response]#
358
# [? %j ||, Subject: "%j\"]#
359
# [? %#T ||, Tests: \[[%T|,]\]]#
365
# Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine
368
# Select notifications text encoding when Unicode-aware Perl is converting
369
# text from internal character representation to external encoding (charset
370
# in MIME terminology). Used as argument to Perl Encode::encode subroutine.
372
# to be used in RFC 2047-encoded header field bodies, e.g. in Subject:
373
#$hdr_encoding = 'iso-8859-1'; # MIME charset (default: 'iso-8859-1')
374
#$hdr_encoding_qb = 'Q'; # MIME encoding: quoted-printable (default)
375
#$hdr_encoding_qb = 'B'; # MIME encoding: base64
377
# to be used in notification body text: its encoding and Content-type.charset
378
#$bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
380
# Default template texts for notifications may be overruled by directly
381
# assigning new text to template variables, or by reading template text
382
# from files. A second argument may be specified in a call to read_text(),
383
# specifying character encoding layer to be used when reading from the
384
# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.
385
# Text will be converted to internal character representation by Perl 5.8.0
386
# or later; second argument is ignored otherwise. See PerlIO::encoding,
387
# Encode::PerlIO and perluniintro man pages.
389
# $notify_sender_templ = read_text("$MYHOME/notify_sender.txt");
390
# $notify_virus_sender_templ= read_text("$MYHOME/notify_virus_sender.txt");
391
# $notify_virus_admin_templ = read_text("$MYHOME/notify_virus_admin.txt");
392
# $notify_virus_recips_templ= read_text("$MYHOME/notify_virus_recips.txt");
393
# $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt");
394
# $notify_spam_admin_templ = read_text("$MYHOME/notify_spam_admin.txt");
396
# If notification template files are collectively available in some directory,
397
# one may call read_l10n_templates which invokes read_text for each known
398
# template. This is primarily a Debian-specific feature, but was incorporated
399
# into base code to facilitate porting.
401
# read_l10n_templates('/etc/amavis/en_US');
403
# If read_l10n_templates is called, a localization template directory must
404
# contain the following files:
405
# charset this file should contain a one-line name
406
# of the character set used in the template
407
# files (e.g. utf8, iso-8859-2, ...) and is
408
# passed as the second argument to read_text;
409
# template-dsn.txt content fills the $notify_sender_templ
410
# template-virus-sender.txt content fills the $notify_virus_sender_templ
411
# template-virus-admin.txt content fills the $notify_virus_admin_templ
412
# template-virus-recipient.txt content fills the $notify_virus_recips_templ
413
# template-spam-sender.txt content fills the $notify_spam_sender_templ
414
# template-spam-admin.txt content fills the $notify_spam_admin_templ
416
# Here is an overall picture (sequence of events) of how pieces fit together
418
# bypass_virus_checks set for all recipients? ==> PASS
419
# no viruses? ==> PASS
420
# log virus if $log_templ is nonempty
421
# quarantine if $virus_quarantine_to is nonempty
422
# notify admin if $virus_admin (lookup) nonempty
423
# notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
424
# add address extensions for local recipients (when enabled)
425
# send (non-)delivery notifications
426
# to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS))
427
# virus_lovers or final_destiny==D_PASS ==> PASS
428
# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
430
# Equivalent flow diagram applies for spam checks.
431
# If a virus is detected, spam checking is skipped entirely.
433
# The following symbolic constants can be used in *_destiny settings:
435
# D_PASS mail will pass to recipients, regardless of bad contents;
437
# D_DISCARD mail will not be delivered to its recipients, sender will NOT be
438
# notified. Effectively we lose mail (but will be quarantined
439
# unless disabled). Losing mail is not decent for a mailer,
440
# but might be desired.
442
# D_BOUNCE mail will not be delivered to its recipients, a non-delivery
443
# notification (bounce) will be sent to the sender by amavisd-new;
444
# Exception: bounce (DSN) will not be sent if a virus name matches
445
# @viruses_that_fake_sender_maps, or to messages from mailing lists
446
# (Precedence: bulk|list|junk), or for spam level that exceeds
447
# the $sa_dsn_cutoff_level.
449
# D_REJECT mail will not be delivered to its recipients, sender should
450
# preferably get a reject, e.g. SMTP permanent reject response
451
# (e.g. with milter), or non-delivery notification from MTA
452
# (e.g. Postfix). If this is not possible (e.g. different recipients
453
# have different tolerances to bad mail contents and not using LMTP)
454
# amavisd-new sends a bounce by itself (same as D_BOUNCE).
455
# Not to be used with Postfix or dual-MTA setups!
458
# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
459
# for informing the sender about non-delivery, and how informative
460
# the notification can be (amavisd-new knows more than MTA);
461
# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
462
# notification, colloquially called 'bounce') - depending on MTA;
463
# Best suited for sendmail milter and Courier, especially for spam.
464
# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
465
# reason for mail non-delivery or even suppress DSN, but unable
466
# to reject the original SMTP session). Best suited to reporting
467
# viruses, and for Postfix and other dual-MTA setups, which can't
468
# reject original client SMTP session, as the mail has already
471
# Alternatives to consider for spam:
472
# - use D_PASS if clients will do filtering based on inserted
473
# mail headers or added address extensions ('plus-addressing');
474
# - use D_DISCARD, if kill_level is set comfortably high;
476
# D_BOUNCE is preferred for viruses, but consider:
477
# - use D_PASS (or virus_lovers) to deliver viruses;
478
# - use D_REJECT instead of D_BOUNCE if using Courier or milter and under heavy
482
# The use of new *_by_ccat hashes is illustrated by the following examples
483
# on configuring final_*_destiny.
486
# using traditional settings of $final_*_destiny variables, relying on a
487
# default setting of an associative array %final_destiny_by_ccat which is
488
# backwards compatible and contains references to these traditional variables:
490
# Infected mail is not delivered to its recipients and the sender is not
# notified (D_DISCARD).
$final_virus_destiny = D_DISCARD; # (defaults to D_DISCARD)
491
# Mail with banned contents is not delivered; amavisd-new sends a
# non-delivery notification to the sender (D_BOUNCE).
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
492
# Spam is not delivered; amavisd-new sends a non-delivery notification to
# the sender (D_BOUNCE), except for mailing-list mail or a spam level that
# exceeds $sa_dsn_cutoff_level.
# NOTE(review): envelope senders of spam are commonly forged, so these
# bounces may reach uninvolved third parties (backscatter) - weigh this
# setting against D_DISCARD or D_PASS.
$final_spam_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
493
# Mail with a bad header is passed to its recipients (D_PASS).
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS)
495
# to explicitly list all (or most) possible contents category (ccat) keys:
496
#%final_destiny_by_ccat = (
497
# CC_VIRUS, D_DISCARD,
498
# CC_BANNED, D_BOUNCE,
499
# CC_UNCHECKED, D_PASS,
502
# CC_OVERSIZED, D_BOUNCE,
504
# CC_CATCHALL, D_PASS,
507
# to rely on a catchall ccat key and only list exceptions (alternative 1):
508
#%final_destiny_by_ccat = (
509
# CC_VIRUS, D_DISCARD,
510
# CC_BANNED, D_BOUNCE,
512
# CC_BADH.',4', D_BOUNCE, # BadHdrSpace
513
# CC_BADH.',3', D_BOUNCE, # BadHdrChar
514
# CC_OVERSIZED, D_BOUNCE,
515
# CC_CATCHALL, D_PASS,
518
# to rely on a catchall ccat key and list exceptions (alternative 2):
519
#%final_destiny_by_ccat = (
520
# CC_VIRUS, D_DISCARD,
521
# CC_UNCHECKED, D_PASS,
522
# CC_BADH.',6', D_PASS, # BadHdrSyntax
523
# CC_BADH.',5', D_PASS, # BadHdrLong
524
# CC_BADH.',2', D_PASS, # BadHdr8bit
525
# CC_BADH.',1', D_PASS, # BadHdrMime
527
# CC_CATCHALL, D_BOUNCE,
530
# to rely on a catchall ccat key and list exceptions (alternative 3):
531
#%final_destiny_by_ccat = (
532
# CC_VIRUS, D_DISCARD,
533
# CC_UNCHECKED, D_PASS,
534
# CC_BADH.',4', D_BOUNCE, # BadHdrSpace
535
# CC_BADH.',3', D_BOUNCE, # BadHdrChar
536
# CC_BADH, D_PASS, # sub-catchall for CC_BADH
538
# CC_CATCHALL, D_BOUNCE,
541
# to rely on a default %final_destiny_by_ccat and only change few settings:
542
#$final_destiny_by_ccat{CC_SPAM} = D_PASS;
543
#$final_destiny_by_ccat{CC_BADH} = D_BOUNCE;
544
#$final_destiny_by_ccat{CC_BADH.',2'} = D_PASS; # BadHdr8bit
548
# For monitoring / testing purposes let the administrator receive a copy
549
# of certain delivery status notifications that are mailed back to senders:
551
#%dsn_bcc_by_ccat = (
555
# CC_CATCHALL, 'admin+test@example.com',
558
# or use a simpler form, taking advantage of defaults in %dsn_bcc_by_ccat:
559
#$dsn_bcc = 'admin+test@example.com';
562
# The following $warn*sender settings are ONLY used when mail is
563
# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).
564
# Bounces or rejects produce non-delivery status notification regardless.
566
# Notify sender of banned files?
567
#$warnbannedsender = 1; # (defaults to false (undef))
569
# Notify sender of syntactically invalid header containing non-ASCII chars?
570
#$warnbadhsender = 1; # (defaults to false (undef))
572
# Notify virus (or banned files or bad headers) RECIPIENT?
573
# (not very useful, but some policies demand it)
574
#$warnvirusrecip = 1; # (defaults to false (undef))
575
#$warnbannedrecip = 1; # (defaults to false (undef))
576
#$warnbadhrecip = 1; # (defaults to false (undef))
578
# Notify also non-local virus/banned recipients if $warn*recip is true?
579
# (including those not matching local_domains*)
580
#$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals)
583
# Treat envelope sender address as unreliable and don't send sender
584
# notification / bounces if name(s) of detected virus(es) match the list.
585
# Note that virus names are supplied by external virus scanner(s) and are
586
# not standardized, so virus names may need to be adjusted.
587
# See README.lookups for syntax, check also README.policy-on-notifications.
588
# If the intention is to treat all viruses as faking the sender address, it
589
# is equivalent but more efficient to just set $final_virus_destiny=D_DISCARD;
591
@viruses_that_fake_sender_maps = (new_RE(
592
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
593
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
594
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
595
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
596
qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
597
qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
598
# [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
599
# [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
600
[qr/^/ => 1], # true by default (remove or comment-out if undesired)
603
# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)
604
# - the administrator envelope address may be a simple fixed e-mail address
605
# (a scalar), or may depend on the RECIPIENT address (e.g. its domain).
607
# Empty or undef lookup disables virus admin notifications.
609
# The full set of configurable administrator addresses is:
610
# @virus_admin_maps ... notifications to admin about viruses
611
# @newvirus_admin_maps ... newly encountered viruses since amavisd startup
612
# @spam_admin_maps ... notifications to admin about spam
613
# @banned_admin_maps ... notifications to admin about banned contents
614
# @bad_header_admin_maps ... notifications to admin about bad headers
616
# Administrator address for virus notifications: virusalert at $mydomain.
$virus_admin = 'virusalert@' . $mydomain;
617
# $virus_admin = 'virus-admin@example.com';
618
# $virus_admin = undef; # do not send virus admin notifications (default)
620
#@virus_admin_maps = ( # by-recipient maps
621
# {'not.example.com' => '',
622
# '.' => 'virusalert@example.com'},
623
# $virus_admin, # the usual default
626
# equivalent to $virus_admin, but for spam admin notifications:
627
# $spam_admin = "spamalert\@$mydomain";
628
# $spam_admin = undef; # do not send spam admin notifications (default)
629
#@spam_admin_maps = ( # by-recipient maps
630
# {'not.example.com' => '',
631
# '.' => 'spamalert@example.com'},
632
# $spam_admin, # the usual default
635
# receive a copy of all delivery status notifications sent;
636
# useful for testing or monitoring
637
#$dsn_bcc = "mailadmin\@$mydomain";
639
#advanced example, using a hash lookup table and a scalar default,
640
#lookup key is a recipient envelope address:
641
#@virus_admin_maps = ( # by-recipient maps
642
# { 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com',
643
# '.sub1.example.com' => 'virusalert@sub1.example.com',
644
# '.sub2.example.com' => '', # don't send admin notifications
645
# 'a.sub3.example.com' => 'abuse@sub3.example.com',
646
# '.sub3.example.com' => 'virusalert@sub3.example.com',
647
# '.example.com' => 'noc@example.com', # default for our virus senders
649
# 'virusalert@hq.example.com', # catchall for the rest
652
# sender envelope address from which notification reports are sent;
653
# may be a null reverse path, or a fully qualified address:
654
# (admin and recip sender addresses default to a null return path).
655
# If using strings in double quotes, don't forget to quote @, i.e. \@
657
# Envelope sender addresses for notification reports, all within $mydomain:
# admin and recipient notifications use virusalert, spam admin notifications
# use spam.police.
$mailfrom_notify_admin = $mailfrom_notify_recip = 'virusalert@' . $mydomain;
$mailfrom_notify_spamadmin = join '@', 'spam.police', $mydomain;
661
# 'From' HEADER FIELD for sender and admin notifications.
662
# This should be a replyable address, see rfc1894. Not to be confused
663
# with $mailfrom_notify_sender, which is the envelope return address
664
# and can be empty (null reverse path) according to rfc2821.
666
# The syntax of the 'From' header field is specified in rfc2822, section
667
# '3.4. Address Specification'. Note in particular that display-name must be
668
# a quoted-string if it contains any special characters like spaces and dots.
670
# $hdrfrom_notify_sender = "amavisd-new <postmaster\@$mydomain>";
671
# $hdrfrom_notify_sender = 'amavisd-new <postmaster@example.com>';
672
# $hdrfrom_notify_sender = '"Content-Filter Master" <postmaster@example.com>';
673
# $hdrfrom_notify_admin = $mailfrom_notify_admin;
674
# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;
675
# (default: "\"Content-filter at $myhostname\" <postmaster\@$myhostname>")
677
# whom quarantined messages appear to be sent from (envelope sender);
678
# keeps original sender if undef, or set it explicitly, default is undef
679
# An empty string overrides the sender address of quarantined mail with a
# null return path.
$mailfrom_to_quarantine = q{};

# Where infected mail is put when the 'local:' quarantine method is used.
# May be a directory (no trailing slash) or a file (Unix-style mailbox);
# empty means no quarantining. The default value is undef, meaning no
# quarantine. Command-line equivalent: -Q.
# NOTE(review): this location holds infected mail; presumably it should be
# accessible to the daemon account only - confirm ownership and permissions.
$QUARANTINEDIR = '/var/virusmails';
689
#$quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine
691
#$clean_quarantine_method = 'local:clean-%m'; # disabled by default
692
#$virus_quarantine_method = 'local:virus-%m'; # default
693
#$spam_quarantine_method = 'local:spam-%m.gz'; # default
694
#$banned_files_quarantine_method = 'local:banned-%m'; # default
695
#$bad_header_quarantine_method = 'local:badh-%m'; # default
697
# Separate quarantine subdirectories virus, spam, banned and badh within
698
# the directory $QUARANTINEDIR may be specified by the following settings
699
# (the subdirectories need to exist - must be created manually):
700
#$clean_quarantine_method = 'local:clean/%m';
701
#$virus_quarantine_method = 'local:virus/%m';
702
#$spam_quarantine_method = 'local:spam/%m.gz';
703
#$banned_files_quarantine_method = 'local:banned/%m';
704
#$bad_header_quarantine_method = 'local:badh/%m';
706
#use the 'bsmtp:' method as an alternative to the default 'local:'
707
#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%m.bsmtp";
708
#$spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%m.bsmtp";
710
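#using the 'pipe:' method might be useful for some special purpose
#(the envelope sender substituted for ${sender} is chosen by whoever sent the
# mail, so the receiving script must treat its arguments as untrusted input):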
711
#$mailfrom_to_quarantine = undef; # pass on the original sender address
712
#$spam_quarantine_method = 'pipe:argv=/usr/bin/myscript.sh spam-%b ${sender}';
714
#using the 'sql:' method to store quarantined message to a SQL database:
715
#$virus_quarantine_method = $spam_quarantine_method =
716
# $banned_files_quarantine_method = $bad_header_quarantine_method = 'sql:';
719
# When using the 'local:' quarantine method (default), the following applies:
721
# A finer control of quarantining is available through
722
# variables $virus_quarantine_method/$spam_quarantine_method/
723
# $banned_files_quarantine_method/$bad_header_quarantine_method.
725
# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a
726
# per-recipient lookup result from lookup tables @virus_quarantine_to_maps)
727
# is/are interpreted as follows:
730
# empty or undef disables quarantine;
733
# a string NOT containing an '@' (referred to below as variant 2);
734
# amavisd will behave as a local delivery agent (LDA) and will quarantine
735
# viruses to local files according to hash %local_delivery_aliases (pseudo
736
# aliases map) - see subroutine mail_to_local_mailbox() for details.
737
# Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'.
738
# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:
740
# * if $QUARANTINEDIR is a directory, each quarantined virus will go
741
# to a separate file in the $QUARANTINEDIR directory (traditional
742
# amavis style, similar to maildir mailbox format);
744
# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style
745
# mailbox. All quarantined messages will be appended to this file.
746
# Amavisd child process must obtain an exclusive lock on the file during
747
# delivery, so this may be less efficient than using individual files
748
# or forwarding to MTA, and it may not work across NFS or other non-local
749
# file systems (but may be handy for pickup of quarantined files via IMAP).
753
# any email address (must contain '@').
754
# The e-mail messages to be quarantined will be handed to MTA
755
# for delivery to the specified address. If a recipient address local to MTA
756
# is desired, you may leave the domain part empty, e.g. 'infected@', but the
757
# '@' character must nevertheless be included to distinguish it from variant 2.
759
# This variant enables more refined delivery control made available by MTA
760
# (e.g. its aliases file, other local delivery agents, dealing with
761
# privileges and file locking when delivering to user's mailbox, nonlocal
762
# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined
763
# will not be handed back to amavisd for checking, as this will cause a loop
764
# (hopefully broken at some stage)! If this can be assured, notifications
765
# will benefit too from not being unnecessarily virus-scanned.
767
# By default this is safe to do with Postfix and Exim v4 and dual-sendmail
768
# setup, but probably not safe with sendmail milter interface without tricks.
770
# (default values are: virus-quarantine, banned-quarantine, spam-quarantine)
772
$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
773
#$virus_quarantine_to = 'infected@'; # forward to MTA for delivery
774
#$virus_quarantine_to = "virus-quarantine\@$mydomain"; # similar
775
#$virus_quarantine_to = 'virus-quarantine@example.com'; # similar
776
#$virus_quarantine_to = undef; # no quarantine
778
# lookup key is envelope recipient address:
779
#@virus_quarantine_to_maps = ( # per-recip multiple quarantines
780
# new_RE( [qr'^user@example\.com$'i => 'infected@'],
781
# [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],
782
# [qr'^(.*)(@[^@])?$'i => 'virus-${1}${2}'] ),
783
# $virus_quarantine_to, # the usual default
786
# similar for banned names and bad headers and spam (set to undef to disable)
787
$banned_quarantine_to = 'banned-quarantine'; # local quarantine
788
$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine
789
$spam_quarantine_to = 'spam-quarantine'; # local quarantine
792
#$spam_quarantine_to = "spam-quarantine\@$mydomain";
794
#@spam_quarantine_to_maps = ( # per-recip multiple quarantines
795
# new_RE( [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'] ),
796
# $spam_quarantine_to, # the usual default
800
# In addition to per-recip quarantine, a by-sender lookup is possible.
801
# It is similar to $spam_quarantine_to, but the lookup key is the
802
# envelope sender address:
803
#$spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine
806
# Spam level beyond which quarantining is disabled (global value):
807
#$sa_quarantine_cutoff_level = 20; # dflt: undef, which disables this feature
809
#@spam_quarantine_cutoff_level_maps = ( # per-recip. quarantine cutoff levels
810
# { 'user1@example.com' => 20.5,
811
# 'postmaster@example.com' => 9999,
812
# '.example.com' => 25 },
813
# \$sa_quarantine_cutoff_level, # catchall default
817
# Add X-Virus-Scanned header field to mail?
818
$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: 'X-Virus-Scanned')
820
# Set to empty to add no header field # (dflt "$myproduct_name at $mydomain")
821
# $X_HEADER_LINE = "$myproduct_name at $mydomain";
822
# $X_HEADER_LINE = "by $myproduct_name using ClamAV at $mydomain";
823
# $X_HEADER_LINE = "$myproduct_name $myversion_id ($myversion_date) at $mydomain";
825
# a string to prepend to Subject (for local recipients only) if mail could
826
# not be decoded or checked entirely, e.g. due to password-protected archives
827
$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
829
# MIME defanging wraps the entire original mail in a MIME container of type
830
# 'Content-type: multipart/mixed', where the first part is a text/plain with
831
# a short explanation, and the second part is a complete original mail,
832
# enclosed in a 'Content-type: message/rfc822' MIME part.
833
# Defanging is only done when enabled (selectively by malware type),
834
# and mail is considered malware (virus/spam/...), and the malware is allowed
835
# to pass (*_lovers or *_destiny=D_PASS)
837
$defang_virus = 1; # default is false: don't modify mail body
838
$defang_banned = 1; # default is false: don't modify mail body
839
# $defang_bad_header = 1; # default is false: don't modify mail body
840
# $defang_undecipherable = 1; # default is false: don't modify mail body
841
# $defang_spam = 1; # default is false: don't modify mail body
843
# With 0, an X-Virus-Scanned header field that was already present in the mail
# is kept, so such a field is not proof that this filter scanned the message.
$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
844
#$remove_existing_x_scanned_headers= 1; # remove existing headers
845
# (defaults to false)
846
#$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
847
$remove_existing_spam_headers = 1; # remove existing spam headers if
848
# spam scanning is enabled (default)
850
# set $bypass_decode_parts to true if you only do spam scanning, or if you
851
# have a good virus scanner that can deal with compression and recursively
852
# unpacking archives by itself, and save amavisd the trouble.
853
# Disabling decoding also causes banned_files checking to only see
854
# MIME names and MIME content types, not the content classification types
855
# as provided by the file(1) utility.
856
# It is a double-edged sword, make sure you know what you are doing!
858
#$bypass_decode_parts = 1; # (defaults to false)
860
# don't trust this file type or corresponding unpacker for this file type,
861
# keep both the original and the unpacked file for a virus checker to see
862
# (lookup key is what file(1) utility returned):
864
@keep_decoded_original_maps = (new_RE(
865
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
866
qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
867
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
868
# qr'^Zip archive data', # don't trust Archive::Zip
872
# Checking for banned MIME types and names. If any mail part matches,
873
# the whole mail is rejected. Object $banned_filename_re provides a list
874
# of Perl regular expressions to be matched against each part's:
876
# * Content-Type value (both declared and effective mime-type),
877
# such as the possible security-risk content types
878
# 'message/partial' and 'message/external-body', as specified in rfc2046
879
# or 'application/x-msdownload' and 'application/x-msdos-program';
881
# * declared (recommended) file names as specified by MIME subfields
882
# Content-Disposition.filename and Content-Type.name, both in their
883
# raw (encoded) form and in rfc2047-decoded form if applicable
884
# as well as (recommended) file names specified in archives;
886
# * file content type as guessed by 'file(1)' utility, mapped
887
# (by @map_full_type_to_short_type_maps) into short type names such as
888
# .asc, .txt, .html, .doc, .jpg, .pdf, .zip, .exe-ms, ..., which always
889
# start with a dot. These short types are available unless
890
# $bypass_decode_parts is true.
892
# All nodes (mail parts) of the fully recursively decoded mail and embedded
893
# archives are checked, each node independently from remaining nodes.
895
# For each node all its ancestor nodes including itself are checked against
896
# $banned_filename_re lookup list, top-down. The search for a node stops
897
# at the first match, the right-hand side of the matching key determines
898
# the result (true or false, absent right-hand side implies true, as explained
899
# in README.lookups).
901
# Although repeatedly re-checking ancestor nodes may seem excessive, it gives
902
# the opportunity to specify rules which make a particular node hide its
903
# descendents, e.g. allow any name or file type within a .zip, even though
904
# .exe files may otherwise not be allowed.
906
# Leave $banned_filename_re undefined to disable these checks
907
# (giving an empty list to new_RE() will also always return false)
909
$banned_filename_re = new_RE(
910
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
912
# block certain double extensions anywhere in the base name
913
qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
915
# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
916
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose
918
qr'^application/x-msdownload$'i, # block these MIME types
919
qr'^application/x-msdos-program$'i,
920
qr'^application/hta$'i,
922
# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME
923
# qr'^\.wmf$', # Windows Metafile file(1) type
925
# qr'^message/partial$'i, # rfc2046 MIME type
927
# qr'^message/external-body$'i, # rfc2046 MIME type
928
# (btw, note that allowing 'message/external-body' is probably no worse
929
# than allowing mail with HTML and/or allowing a user to browse the web)
931
# [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed
932
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
933
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives
935
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
936
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
937
# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
938
# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
939
# wmf|wsc|wsf|wsh)$'ix, # banned ext - long
941
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
943
qr'^\.(exe-ms)$', # banned file(1) types
944
# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
946
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
947
# and http://www.cknow.com/vtutor/vtextensions.htm
949
# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe',
950
# as well as any file name which happens to end with .exe. If only matching
951
# a file name is desired, but not the short type, a pattern qr'.\.exe$'i
952
# or similar may be used, which requires that at least one character precedes
953
# the '.exe', and so it will never match short file types which always start
# with a dot.
957
# the syntax of these Perl regular expressions is a bit awkward if not
958
# familiar with them, so please do follow examples and stick to the idioms:
959
# \A ... at the beginning of the first component
960
# \z ... at the end of the last (leaf) component
961
# ^ ... at the beginning of each component in the path
962
# $ ... at the end of each component in the path
963
# (.*\t)? ... at the beginning of a field
964
# (\t.*)? ... at the end of a field
965
# \t(.*\t)* ... separating fields
966
# [^\t\n] ... any single character, but don't escape from this field
967
# (.*\n)+ ... one or more levels down
968
# (?#...) ... a comment within a regexp
970
# new-style of banned lookup table
971
$banned_namepath_re = new_RE(
973
# block these MIME types
974
qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi,
975
qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
976
qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi,
978
# # block rfc2046 MIME types
979
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/partial (\t.*)? $'xmi,
980
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/external-body (\t.*)? $'xmi,
982
# qr'(?#No Metafile MIME) ^(.*\t)? M=application/x-msmetafile (\t.*)? $'xmi,
983
# qr'(?#No Metafile MIME) ^(.*\t)? M=image/x-wmf (\t.*)? $'xmi,
984
# qr'(?#No Metafile file) ^(.*\t)? T=wmf (\t.*)? $'xm,
986
# # within traditional Unix compressions allow any name and type
987
# [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2) (\t.*)? $'xmi => 0 ], # allow
989
# within traditional Unix archives allow any name and type
990
[ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ], # allow
992
# # block anything within a zip
993
# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi,
995
# block certain double extensions in filenames
996
qr'(?# BLOCK DOUBLE-EXTENSIONS )
997
^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.
998
(exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,
1000
# # block Class ID (CLSID) extensions in filenames
1001
# qr'(?# BLOCK CLSID-EXTENSIONS )
1002
# ^ (.*\t)? N= [^\t\n]* \{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}? [^\t\n]* (\t.*)? $'xmi,
1004
# # banned declared names with three or more consecutive spaces
1005
# qr'(?# BLOCK NAMES WITH SPACES )
1006
# ^ (.*\t)? N= [^\t\n]* [ ]{3,} 'xmi,
1008
# # within PC archives allow any types or names at any depth
1009
# [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ], # ok
1011
# # within certain archives allow leaf members at any depth if crypted
1012
# [ qr'(?# ALLOW ENCRYPTED )
1013
# ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],
1015
# # allow crypted leaf members regardless of their name or type
1016
# [ qr'(?# ALLOW IF ENCRYPTED ) ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],
1018
# # block if any component can not be decoded (is encrypted or bad archive)
1019
# qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi,
1021
# [ qr'(?# SPECIAL ALLOWANCES - MAGIC NAMES)
1022
# \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2)
1023
# \t(.*\t)* N=example\d+[^\t\n]*
1024
# (\t.*)? $'xmi => 0 ],
1026
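# banned filename extensions (in declared names) anywhere - basic
# (unlike the old-style 'banned extension - basic' rule in $banned_filename_re,
# this list does not include cmd)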
1027
qr'(?# BLOCK COMMON NAME EXENSIONS )
1028
^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,
1030
# # banned filename extensions (in declared names) anywhere - long
1031
# qr'(?# BLOCK MORE NAME EXTENSIONS )
1032
# ^ (.*\t)? N= [^\t\n]* \. (
1033
# ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
1034
# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
1035
# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
1036
# wmf|wsc|wsf|wsh) (\t.*)? $'xmi,
1038
# # banned filename extensions anywhere - WinZip vulnerability (pre-V9)
1039
# qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS )
1040
# ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi,
1042
[ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
1043
^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi
1046
# [ qr'(?# BLOCK EMPTY MIME PARTS )
1047
# ^ (.*\t)? M= [^\t\n]+ \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ],
1049
qr'(?# BLOCK Microsoft EXECUTABLES )
1050
^ (.*\t)? T=exe-ms (\t.*)? $'xm, # banned file(1) type
1052
# qr'(?# BLOCK ANY EXECUTABLE )
1053
# ^ (.*\t)? T=exe (\t.*)? $'xm, # banned file(1) type
1055
# qr'(?# BLOCK THESE TYPES )
1056
# ^ (.*\t)? T=(exe|lha|tnef|cab|dll) (\t.*)? $'xm, # banned file(1) types
1060
# use old or new style of banned lookup table; not both to avoid confusion
1062
# @banned_filename_maps = (); # to disable old-style
1063
# NOTE: this assignment discards the new-style table assigned to
# $banned_namepath_re above, so none of the rules listed there take effect.
$banned_namepath_re = undef; # to disable new-style
1067
'MYNETS-DEFAULT' => new_RE( # permissive set of rules for internal hosts
1068
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any name/type in Unix archives
1069
qr'.\.(vbs|pif|scr)$'i, # banned extension - rudimentary
1071
'DEFAULT' => $banned_filename_re,
1076
# Section V - Per-recipient and per-sender handling, whitelisting, etc.
1079
# @virus_lovers_maps list of lookup tables:
1080
# (this should be considered a policy option, it does not disable checks,
1081
# see bypass*checks for that!)
1083
# Exclude certain RECIPIENTS from virus filtering by adding their (lower-cased)
1084
# envelope e-mail address (or domain only) to one of the lookup tables in
1085
# the @virus_lovers_maps list - see README.lookups and examples.
1086
# Make sure the appropriate form (e.g. external/internal) of address
1087
# is used in case of virtual domains, or when mapping external to internal
1088
# addresses, etc. - this is MTA-specific.
1090
# Notifications would still be generated however (see the overall
1091
# picture above), and infected mail (if passed) gets additional header:
1092
# X-AMaViS-Alert: INFECTED, message contains virus: ...
1093
# (header not inserted with Courier or milter interface!)
1095
# Setting $final_*_destiny=D_PASS is functionally equivalent to having
1096
# all recipients match the @*_lovers_maps.
1098
# NOTE (milter interface only): in case of multiple recipients,
1099
# it is only possible to drop or accept the message in its entirety - for all
1100
# recipients. If all of them are virus lovers, we'll accept mail, but if
1101
# at least one recipient is not a virus lover, we'll discard the message.
1104
# @bypass_virus_checks_maps list of lookup tables:
1105
# (this is mainly a time-saving option, unlike virus_lovers* !)
1107
# Similar in concept to @virus_lovers_maps, a @bypass_virus_checks_maps
1108
# is used to skip entirely the decoding, unpacking and virus checking,
1109
# but only if ALL recipients match the lookup.
1111
# @bypass_virus_checks_maps does NOT GUARANTEE the message will NOT be checked
1112
# for viruses - this may still happen when there is more than one recipient
1113
# for a message and not all of them match these lookup tables, or when
1114
# check result was cached (i.e. the same contents was recently sent to other
1115
# recipients). To guarantee virus delivery, a recipient must also match
1116
# @virus_lovers_maps lookups (but see milter limitations above),
1118
# The following table summarizes the possible combinations (the first column
# is a match in @bypass_virus_checks_maps, the second in @virus_lovers_maps):
1120
# 0 0 useful, check for malware and block it
1121
# 0 1 useful, check but deliver nevertheless, possibly tagged
1122
# 1 0 not too useful, free riding on cached or other-people's checks
1123
# 1 1 useful, no checks if possible, and no effects
1125
# NOTE: it would not be clever to base enabling of virus checks on SENDER
1126
# address, since there are no guarantees that it is genuine. Many viruses
1127
# and spam messages fake sender address. To achieve selective filtering
1128
# based on the source of the mail (e.g. IP address, MTA port number, ...),
1129
# use mechanisms provided by MTA if available, possibly combined with policy
# banks.
1132
# Similar to lists of lookup tables controlling virus checking, there are
1133
# counterparts for spam scanning, banned names/types, and headers_checks
1135
# @spam_lovers_maps,
1136
# @banned_files_lovers_maps,
1137
# @bad_header_lovers_maps
1139
# @bypass_spam_checks_maps,
1140
# @bypass_banned_checks_maps,
1141
# @bypass_header_checks_maps
1144
# @bypass_header_checks_maps = ( [qw( user@example.com )] );
1145
# @bad_header_lovers_maps = ( [qw( user@example.com )] );
1147
# The following example disables spam checking altogether,
1148
# since it matches any recipient e-mail address.
1149
# @bypass_spam_checks_maps = (1);
1152
# See README.lookups for further detail, and examples below.
1154
# In the following example a list of lookup tables @virus_lovers_maps
1155
# contains three elements, the first is a reference to an ACL lookup table
1156
# (brackets in Perl indicate a ref to a list), the second is a reference
1157
# to a hash lookup table (curly braces in Perl indicate a ref to a hash),
1158
# the third is a regexp lookup table, indicated by the type of object
1159
# created by new_RE() :
1161
#@virus_lovers_maps = (
1162
# [ qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org ) ],
1163
# { "postmaster\@$mydomain" => 1, # double quotes permit variable evaluation
1164
# 'postmaster@example.com'=> 1, # in single quotes the '@' need not be quoted
1165
# 'abuse@example.com'=> 1,
1166
# 'some.user@' => 1, # this recipient, regardless of domain
1167
# 'boss@example.com' => 0, # never, even if domain matches
1168
# 'example.com' => 1, # this domain, but not its subdomains
1169
# '.example.com' => 1, # this domain, including its subdomains
1171
# new_RE( qr'^(helpdesk|postmaster)@example\.com$'i ),
1174
#@spam_lovers_maps = (
1175
# ["postmaster\@$mydomain", 'postmaster@example.com', 'abuse@example.com'],
1178
#@bad_header_lovers_maps = (
1179
# ["postmaster\@", "abuse\@$mydomain"],
1183
# as an alternative to fiddling with @_lovers_maps and similar _maps, here
1184
# is an illustration of using a more general *_by_ccat associative array,
1185
# introduced with 2.4.0, like %lovers_maps_by_ccat in this example:
1187
#$lovers_maps_by_ccat{CC_SPAM} = [
1188
# read_hash("$MYHOME/etc/spam_lovers.txt"),
1189
# [qw(postmaster@example.com abuse@example.com)],
1192
#$lovers_maps_by_ccat{CC_BANNED} = [
1193
# { map {lc $_ => 1} # construct a hash lookup table from a list
1194
# qw(user1@example.com user2.example.com)
1199
# to save some typing of quotes and commas, a Perl operator qw can be used
1200
# to split its argument on whitespace and to quote resulting elements:
1201
#@bypass_spam_checks_maps = (
1202
# [ qw( some.ddd !butnot.example.com .example.com ) ],
1206
# don't run spam check for these RECIPIENT domains:
1207
# @bypass_spam_checks_maps = ( [qw( d1.com .d2.com a.d3.com )] );
1208
# or the other way around (bypass check for all BUT these):
1209
# @bypass_spam_checks_maps = ( [qw( !d1.com !.d2.com !a.d3.com . )] );
1210
# a practical application: don't check outgoing mail for spam:
1211
# @bypass_spam_checks_maps = ( [ "!.$mydomain", "." ] );
1212
# or calculated (negated) from the %local_domains:
1213
# @bypass_spam_checks_maps =
1214
# ( {map {$_ => !$local_domains{$_}} keys %local_domains}, 1);
1215
# (a downside of which is that such mail will not count as ham in SA bayes db)
1217
# Note that 'outgoing' is not the same as 'originating from inside'.
1218
# The internal-to-internal mail is not outgoing, but is originating from
1219
# inside. To base rules on 'originating from inside', the use of policy bank
1220
# MYNETS is needed, in conjunction with XFORWARD Postfix extension to SMTP.
1222
# Where to find SQL server(s) and database to support SQL lookups?
1223
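# A list of triples: (dsn,user,passw). (dsn = data source name)
# The passwords are stored here in clear text, so this file should be readable
# only by the accounts that need to read it.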
1224
# More than one entry may be specified for multiple (backup) SQL servers.
1225
# See 'man DBI', 'man DBD::mysql', 'man DBD::Pg', ... for details.
1226
# When chroot-ed, accessing SQL server over inet socket may be more convenient.
1229
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
1230
# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
1231
# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
1232
# @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database
1234
# ('mail' in the example is the database name, choose what you like)
1235
# With PostgreSQL the dsn (first element of the triple) may look like:
1236
# 'DBI:Pg:dbname=mail;host=host1'
1238
# The SQL select clause to fetch per-recipient policy settings.
1239
# The %k will be replaced by a comma-separated list of query addresses
1240
# (e.g. full address, domain only (stripped level by level), and a catchall).
1241
# Use ORDER if there is a chance that multiple records will match - the first
1242
# match wins. If field names are not unique (e.g. 'id'), the later field
1243
# overwrites the earlier in a hash returned by lookup, which is why we use
1244
# '*,users.id' instead of just '*'. No need to uncomment the following
1245
# assignment if the default is ok.
1246
# $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
1247
# ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
1248
# ' ORDER BY users.priority DESC';
1250
# The SQL select clause to check sender in per-recipient whitelist/blacklist
1251
# The first SELECT argument '?' will be users.id from recipient SQL lookup,
1252
# the %k will be sender addresses (e.g. full address, domain only, catchall).
1253
# The default value is:
1254
# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
1255
# ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'.
1256
# ' AND (mailaddr.email IN (%k))'.
1257
# ' ORDER BY mailaddr.priority DESC';
1259
# To disable SQL white/black list, set to undef (otherwise comment-out
1260
# the following statement, leaving it at the default value):
1261
$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
1263
# Controls the format of timestamps in the field msgs.time_iso:
1264
# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
1265
# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
1268
# If passing malware to certain recipients ($final_*_destiny=D_PASS or
1269
# *_lovers), the recipient-based lookup tables @addr_extension_*_maps may
1270
# return a string, which (if nonempty) will be added as an address extension
1271
# to the local-part of the recipient's address. This extension may be used
1272
# by the final local delivery agent (LDA) to place such mail into different
1273
# subfolders (the extension is usually interpreted as a folder name).
1274
# This is sometimes known as the 'plus addressing'. Appending address
1275
# extensions is prevented when:
1276
# - recipient does not match lookup tables @local_domains_maps;
1277
# - lookup into corresponding @addr_extension_*_maps results
1278
# in an empty string or undef;
1279
# - $recipient_delimiter is empty (see below)
1280
# LDAs usually default to stripping away address extension if no special
1281
# handling is specified or if a named subfolder or alias does not exist,
1282
# so adding address extensions normally does no harm.
1284
# @addr_extension_virus_maps = ('virus'); # defaults to empty
1285
# @addr_extension_spam_maps = ('spam'); # defaults to empty
1286
# @addr_extension_banned_maps = ('banned'); # defaults to empty
1287
# @addr_extension_bad_header_maps = ('badh'); # defaults to empty
1289
# A more complex example:
1290
# @addr_extension_virus_maps = (
1291
# {'sub.example.com'=>'infected', '.example.com'=>'filtered'}, 'virus' );
1293
# Delimiter between local part of the envelope recipient address and address
1294
# extension (which can optionally be added, see @addr_extension_*_maps). E.g.
1295
# recipient address <user@example.com> is changed to <user+virus@example.com>.
1297
# Delimiter must match the equivalent (final) MTA delimiter setting.
1298
# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf)
1299
# Setting it to an empty string or to undef disables adding extensions
1300
# regardless of @addr_extension_*_maps.
1302
# $recipient_delimiter = '+'; # (default is undef, i.e. disabled)
1304
# true: replace extension; false: append extension
1305
# $replace_existing_extension = 1; # (default is true)
1307
# Affects matching of localpart of e-mail addresses (left of '@')
1308
# in lookups: true = case sensitive, false = case insensitive
1309
$localpart_is_case_sensitive = 0; # (default is false)
1312
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
1314
# Instead of hard black- or whitelisting, a softer approach is to add
1315
# score points (penalties) to the SA score for mail from certain senders.
1316
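# Positive points lean towards blacklisting, negative towards whitelisting.
# As the envelope sender address is not authenticated and is often faked,
# a negative score is available to anyone who forges a listed address.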
1317
# This is much like adding SA rules or using its white/blacklisting, except
1318
# that here only envelope sender addresses are considered (not addresses
1319
# in a mail header), and that score points can be assigned per-recipient
1320
# (or globally), and the assigned penalties are customarily much lower
1321
# than the default SA white/blacklisting score.
1323
# The table structure is similar to $per_recip_blacklist_sender_lookup_tables
1324
# i.e. the first level key is recipient, pointing to by-sender lookup tables.
1325
# The essential difference is that scores from _all_ matching by-recipient
1326
# lookups (not just the first that matches) are summed to give the final
1327
# score boost. That means that both the site and domain administrators,
1328
# as well as the recipient can have a say on the final score.
1330
# NOTE: keep hash keys in lowercase, either manually or by using function lc
1332
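# Soft white-/blacklisting by envelope sender. The outer hash is keyed by
# recipient; each value is a list of by-sender lookup tables whose result is
# a number of score points added to the SA score (positive leans towards
# blacklisting, negative towards whitelisting).
# Only the envelope sender address is considered here, and that address can
# easily be faked, so keep the negative (whitelisting) boosts small compared
# to the kill level.
# NOTE: keep hash keys in lowercase, either manually or by using function lc
# NOTE(review): the closing '),' '},' and '});' were absent from this copy
# and are restored from the visible nesting; compare with the distributed
# amavisd.conf-sample.
@score_sender_maps = ({  # a by-recipient hash lookup table

# # per-recipient personal tables (NOTE: positive: black, negative: white)
# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com' => [{'.ebay.com' => -3.0}],
# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
#                          '.cleargreen.com' => -5.0}],

  # site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

    new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
      [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
      [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
      [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
      [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
      [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
      [qr'^(your_friend|greatoffers)@'i => 5.0],
      [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
    ),

#   read_hash("/var/amavis/sender_scores_sitewide"),

    {  # a hash-type lookup table (associative array)
      'nobody@cert.org' => -3.0,
      'cert-advisory@us-cert.gov' => -3.0,
      'owner-alert@iss.net' => -3.0,
      'slashdot@slashdot.org' => -3.0,
      'securityfocus.com' => -3.0,
      'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
      'security-alerts@linuxsecurity.com' => -3.0,
      'mailman-announce-admin@python.org' => -3.0,
      'amavis-user-admin@lists.sourceforge.net'=> -3.0,
      'amavis-user-bounces@lists.sourceforge.net' => -3.0,
      'spamassassin.apache.org' => -3.0,
      'notification-return@lists.sophos.com' => -3.0,
      'owner-postfix-users@postfix.org' => -3.0,
      'owner-postfix-announce@postfix.org' => -3.0,
      'owner-sendmail-announce@lists.sendmail.org' => -3.0,
      'sendmail-announce-request@lists.sendmail.org' => -3.0,
      'donotreply@sendmail.org' => -3.0,
      'ca+envelope@sendmail.org' => -3.0,
      'noreply@freshmeat.net' => -3.0,
      'owner-technews@postel.acm.org' => -3.0,
      'ietf-123-owner@loki.ietf.org' => -3.0,
      'cvs-commits-list-admin@gnome.org' => -3.0,
      'rt-users-admin@lists.fsck.com' => -3.0,
      'clp-request@comp.nus.edu.sg' => -3.0,
      'surveys-errors@lists.nua.ie' => -3.0,
      'emailnews@genomeweb.com' => -5.0,
      'yahoo-dev-null@yahoo-inc.com' => -3.0,
      'returns.groups.yahoo.com' => -3.0,
      'clusternews@linuxnetworx.com' => -3.0,
      # lc() lowercases mixed-case keys, as the NOTE above requires
      lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
      lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

      # soft-blacklisting (positive score)
      'sender@example.net' => 3.0,
      '.example.net' => 1.0,
    },
  ],  # end of site-wide tables
});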
1397
# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT)
1398
# (affects spam checking only, has no effect on virus and other checks)
1400
# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
1401
# senders even if the message would be recognized as spam. Effectively, for
1402
# the specified senders, message recipients temporarily become 'spam_lovers'.
1403
# To avoid surprises, a whitelisted sender also suppresses inserting/editing
1404
# the tag2-level header fields (X-Spam-*, Subject), appending spam address
1405
# extension, and quarantining.
1407
# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
1408
# Effectively, for messages from blacklisted envelope sender addresses, spam
1409
# level is artificially pushed high, and the normal spam processing applies,
1410
# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual
1411
# reactions to spam, including possible rejection. If the message nevertheless
1412
# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
1413
# in the 'X-Spam-Status' header field, but the reported spam value and
1414
# set of tests in this report header field (if available from SpamAssassin,
1415
# which may or may not have been called) is not adjusted.
1417
# A sender may be both white- and blacklisted at the same time, settings
1418
# are independent. For example, being both white- and blacklisted, message
1419
# is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No;
1420
# X-Spam-Status: No, ...), but the reported spam level (if computed) may
1421
# still indicate high spam score.
1423
# If ALL recipients of the message either white- or blacklist the sender,
1424
# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
1426
# The following variables (lists of lookup tables) are available,
1427
# with the semantics and syntax as specified in README.lookups:
1428
# @whitelist_sender_maps, @blacklist_sender_maps
1433
# @whitelist_sender_maps = ( ['.example.org', '.example.net'] );
1434
# @whitelist_sender_maps = ( [qw(.example.org .example.net)] ); # same thing
1436
# @whitelist_sender_maps = ( [".$mydomain"] ); # $mydomain and its subdomains
1437
# NOTE: This is not a reliable way of turning off spam checks for
1438
# locally-originating mail, as sender address can easily be faked.
1439
# To reliably avoid spam-scanning outgoing mail, use @bypass_spam_checks_maps
1440
# for nonlocal recipients. To reliably avoid spam scanning for locally
1441
# originating mail (including internal-to-internal mail), recognized by
1442
# the original SMTP client IP address matching @mynetworks, use policy bank
1443
# MYNETS, adjust @mynetworks, and turn on XFORWARD in the Postfix smtp client
1444
# service feeding amavisd.
1447
# @whitelist_sender_maps = ( new_RE(
1448
# qr'^postmaster@.*\bexample\.com$'i,
1449
# qr'^owner-[^@]*@'i, qr'-request@'i,
1450
# qr'\.example\.com$'i
1454
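# Illustrates the use of a regexp lookup table: an envelope sender whose
# address matches one of these case-insensitive patterns is blacklisted,
# i.e. the message is declared spam.
# NOTE(review): the same local-part patterns also appear in
# @score_sender_maps with a soft +5.0 boost; with this hard blacklist active
# those soft entries look redundant - confirm which behaviour is intended.
# NOTE(review): the closing '));' was absent from this copy and is restored
# from the visible nesting; compare with the distributed amavisd.conf-sample.
@blacklist_sender_maps = ( new_RE(
  qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
  qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
  qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
  qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
  qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
  qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
));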
1466
# NOTE: whitelisting is becoming deprecated because sender address is
1467
# all too often faked; use @score_sender_maps for soft-whitelisting!
1469
# Illustrates the use of several lookup tables:
1471
# @whitelist_sender_maps = (
1473
# # read_hash("$MYHOME/whitelist_sender"), # a hash table read from a file
1475
# # and another hash lookup table constructed in-line, with keys lowercased:
1476
# { map {lc $_ => 1} qw(
1478
# cert-advisory@us-cert.gov
1479
# owner-alert@iss.net
1480
# slashdot@slashdot.org
1481
# bugtraq@securityfocus.com
1482
# NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
1483
# security-alerts@linuxsecurity.com
1484
# amavis-user-admin@lists.sourceforge.net
1485
# amavis-user-bounces@lists.sourceforge.net
1486
# notification-return@lists.sophos.com
1487
# mailman-announce-admin@python.org
1488
# owner-postfix-users@postfix.org
1489
# owner-postfix-announce@postfix.org
1490
# owner-sendmail-announce@lists.sendmail.org
1491
# sendmail-announce-request@lists.sendmail.org
1492
# owner-technews@postel.ACM.ORG
1493
# lvs-users-admin@LinuxVirtualServer.org
1494
# ietf-123-owner@loki.ietf.org
1495
# cvs-commits-list-admin@gnome.org
1496
# rt-users-admin@lists.fsck.com
1497
# clp-request@comp.nus.edu.sg
1498
# surveys-errors@lists.nua.ie
1499
# emailNews@genomeweb.com
1500
# owner-textbreakingnews@CNNIMAIL12.CNN.COM
1501
# yahoo-dev-null@yahoo-inc.com
1502
# returns.groups.yahoo.com
1505
# # { '' => 1 }, # and another one, containing just an empty reverse path (DSN)
1510
# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT
1512
# The same semantics as for global white/blacklisting applies, but this
1513
# time each recipient (or its domain, or subdomain, ...) can be given
1514
# an individual lookup table for matching senders. The per-recipient lookups
1515
# take precedence over the global lookups, which serve as a fallback default.
1517
# Specify a two-level lookup table: the key for the outer table is recipient,
1518
# and the result should be an inner lookup table (hash or ACL or RE),
1519
# where the key used will be the sender. (Note that this structure is flatter
1520
# than @score_sender_maps, where the first level result is a ref to a _list_
1521
# of inner lookup tables, not a ref to a single lookup table.)
1523
#$per_recip_blacklist_sender_lookup_tables = {
1524
# 'user1@my.example.com'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i),
1525
# 'user2@my.example.com'=>[qw( spammer@d1.example.org .d2.example.org )],
1527
#$per_recip_whitelist_sender_lookup_tables = {
1528
# 'user@my.example.com' => [qw( friend@example.org .other.example.org )],
1529
# '.my1.example.com' => [qw( !foe.other.example.org .other.example.org )],
1530
# '.my2.example.com' => read_hash("$MYHOME/my2-wl.dat"),
1531
# 'abuse@' => { 'postmaster@'=>1,
1532
# 'cert-advisory-owner@cert.org'=>1, 'owner-alert@iss.net'=>1 },
1537
# Section VI - Resource limits
1540
# Sanity limit to the number of allowed recipients per SMTP transaction
1541
# $smtpd_recipient_limit = 1100; # (default is 1100)
1543
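# Resource limits to protect unpackers, decompressors and virus scanners
# against mail bombs (e.g. 42.zip).
# Both limits default to undef (no limit), so removing either assignment
# removes that guard rather than falling back to a safe value.

# Maximum recursion level for extraction/decoding (0 or undef disables limit)
$MAXLEVELS = 14;    # (default is undef, no limit)

# Maximum number of extracted files (0 or undef disables the limit)
$MAXFILES = 1500;   # (default is undef, no limit)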
1553
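# For the cumulative total of all decoded mail parts we set max storage size
# to defend against mail bombs. Even though parts may be deleted (replaced
# by decoded text) during decoding, the size they occupied is _not_ returned
# to the quota pool.
#
# Parameters to storage quota formula for unpacking/decoding/decompressing
#
#   quota = max($MIN_EXPANSION_QUOTA,
#               $mail_size*$MIN_EXPANSION_FACTOR,
#               min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR))
#
# In plain words (later condition overrules previous ones):
#   allow MAX_EXPANSION_FACTOR times initial mail size,
#   but not more than MAX_EXPANSION_QUOTA,
#   but not less than MIN_EXPANSION_FACTOR times initial mail size,
#   but never less than MIN_EXPANSION_QUOTA
#
# Worked through with the values below: a 10 KiB message may expand to
# 500*10 KiB = 5000 KiB, while a 1 MiB message is capped at 300 MiB because
# 500*1 MiB exceeds MAX_EXPANSION_QUOTA.
# The two quotas default to undef (not enforced), so keep them set if the
# absolute bounds are wanted.
$MIN_EXPANSION_QUOTA  = 100*1024;       # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA  = 300*1024*1024;  # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5;    # times original mail size (default is 5)
$MAX_EXPANSION_FACTOR = 500;  # times original mail size (default is 500)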
1574
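# Expiration time of cached results: time to live in seconds
# (how long the result of a virus/spam test remains valid).
# NOTE(review): the negative virus TTL is the shortest of the four,
# presumably so that a cached 'not infected' verdict does not outlive a
# scanner signature update for long - confirm before raising it.
$virus_check_negative_ttl = 3*60;   # time to remember that mail was not infected
$virus_check_positive_ttl = 30*60;  # time to remember that mail was infected
$spam_check_negative_ttl  = 30*60;  # time to remember that mail was not spam
$spam_check_positive_ttl  = 30*60;  # time to remember that mail was spam

# Cache size will be determined by the largest of the $*_ttl values.
# Depending on the mail rate, the cache database may grow quite large.
# Reasonable compromise for the max value is 15 minutes to 2 hours.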
1587
# Section VII - External programs, virus scanners
1590
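# Specify a path string, which is a colon-separated string of directories
# (no trailing slashes!) to be assigned to the environment variable PATH
# and to serve for locating external programs below.
#
# NOTE: if $daemon_chroot_dir is nonempty, the directories will be
# relative to the chroot directory specified;
#
# Programs located through this list are run by the daemon on mail content,
# so every directory named here should be writable by root only.
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';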
1599
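# For external programs specify one string or a search list of strings (first
# match wins). The string (or: each string in a list) may be an absolute path,
# or just a program name, to be located via $path;
# Empty string or undef (=default) disables the use of that external program.
# Optionally command arguments may be specified - only the first substring
# up to the whitespace is used for file searching.
#
# A bare program name such as the one below is resolved through $path, so
# whichever matching binary comes first in that list is the one that runs;
# give an absolute path if a specific, patched build must be used.
$file = 'file';  # file(1) utility; use 3.41 or later to avoid vulnerability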
1609
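# A list of pairs or n-tuples: [short-type, code_ref, optional-args...].
# Maps short types to a decoding routine, the first match wins.
# Arguments beyond the first two can be a program path string (or a listref
# of paths to be searched) or a reference to a variable containing such a
# path, which allows for lazy evaluation, making it possible to assign values
# to legacy configuration variables even after the assignment to @decoders.
#
# Every active entry hands attachment data from mail to the named routine or
# external unpacker, so keep those programs patched and comment out formats
# that are not needed (the 'sit' entry is already disabled as unsafe).
# NOTE(review): the '@decoders = (' opener and the closing ');' were absent
# from this copy; they are restored from the comment above and the visible
# list structure - compare with the distributed amavisd.conf-sample.
@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  # Two entries per type ('gz' here, 'tnef' below): presumably the second
  # is used when the external program of the first is not found - verify.
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio, ['pax','gcpio','cpio'] ],
  ['deb',  \&do_ar, 'ar'],
# ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
  ['zip',  \&do_unzip],
  ['rar',  \&do_unrar, ['rar','unrar'] ],
  ['arj',  \&do_unarj, ['arj','unarj'] ],
  ['arc',  \&do_arc, ['nomarch','arc'] ],
  ['zoo',  \&do_zoo, ['zoo','unzoo'] ],
  ['lha',  \&do_lha, 'lha'],
# ['doc',  \&do_ole, 'ripole'],
  ['cab',  \&do_cabextract, 'cabextract'],
  ['tnef', \&do_tnef_ext, 'tnef'],
  ['tnef', \&do_tnef],
# ['sit',  \&do_unstuff, 'unstuff'],  # broken/unsafe decoder
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);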
1649
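# SpamAssassin settings

# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
# of the option local_tests_only. See Mail::SpamAssassin man page.
# If set to 1, no SA tests that require internet access will be performed.
$sa_local_tests_only = 0;  # only tests which do not require internet access?

#$sa_auto_whitelist = 1;   # turn on AWL in SA 2.63 or older (irrelevant
                           # for SA 3.0, its cf option is use_auto_whitelist)

# Size limit in bytes for calling SpamAssassin: don't waste time on SA if
# mail is larger (less than 1% of spam is > 64k).
# Mail above the limit gets no SA content score at all, so the value is a
# trade-off between scan time and coverage.
# default: undef, no limitations
$sa_mail_body_size_limit = 200*1024;

# default values, customarily used in the @spam_*_level_maps as the last entry
$sa_tag_level_deflt  = 2.0;   # add spam info headers if at, or above that level;
                              # undef is interpreted as lower than any spam level
$sa_tag2_level_deflt = 6.31;  # add 'spam detected' headers at that level to
                              # passed mail, adding address extensions;
$sa_kill_level_deflt = $sa_tag2_level_deflt;  # triggers spam evasive actions
                              # at or above that level: bounce/reject/drop
                              # (copies the tag2 value set on the line above)

$sa_dsn_cutoff_level = 9;     # spam level beyond which a DSN is not sent,
                              # effectively turning D_BOUNCE into D_DISCARD;
                              # undef disables this feature and is a default;
# see also $sa_quarantine_cutoff_level above, which only controls quarantining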
1676
# $penpals_bonus_score = 4; # (positive) score by which spam score is lowered
1677
# when sender is known to have previously received mail from our
1678
# local user from this mail system; zero or undef disables penpals
1679
# lookups in SQL; default: undef
1680
# $penpals_halflife = 7*24*60*60; # exponential decay time constant in seconds;
1681
# penpal bonus is halved for each halflife period from the last mail
1682
# sent by a local user to a current mail's sender; default: 7 days
1683
# $penpals_threshold_low = 1.0; # no need for pen pals lookup on low spam score
1684
# $penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam
1686
# advanced example specifying per-recipient values using a hash lookup:
1687
#@spam_tag_level_maps = (\$sa_tag_level_deflt); # this is a default
1688
#@spam_tag2_level_maps = (
1689
# { 'user1@example.com' => 8.0, '.example.com' => 6.0 },
1690
# \$sa_tag2_level_deflt, # catchall default
1692
#@spam_kill_level_maps = (
1693
# { 'user1@example.com' => 8.0, '.example.com' => 6.0 },
1694
# \$sa_kill_level_deflt, # catchall default
1696
#@spam_dsn_cutoff_level_maps = (
1697
# { 'user1@example.com' => 10, '.example.com' => 15 },
1698
# \$sa_dsn_cutoff_level, # catchall default
1701
# a quick reference:
1702
# tag_level contents category: CC_CLEAN,
1703
# controls adding the X-Spam-Status and X-Spam-Level headers,
1704
# tag2_level contents category: CC_SPAMMY,
1705
# controls adding 'X-Spam-Flag: YES', editing (tagging) Subject,
1706
# and adding address extensions,
1707
# tag3_level contents category: CC_SPAMMY, minor category 1,
1708
# like tag2, but may insert different Subject tag
1709
# e.g. @spam_subject_tag3_maps=('***BLATANT*SPAM*** ');
1710
# kill_level contents category: CC_SPAM,
1711
# controls 'evasive actions' (reject, quarantine);
1712
# it only makes sense to maintain the relationship:
1713
# tag_level <= tag2_level <= tag3_level <= kill_level <
1714
# < dsn_cutoff_level <= quarantine_cutoff_level
1716
# string to prepend to Subject header field when message exceeds tag2 level
1717
#$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
1718
# (only seen when spam is passed and recipient is
1719
# in local_domains*)
1721
#$sa_spam_modifies_subj = 1; # in @spam_modifies_subj_maps, default is true
1723
# Example: modify Subject for all local recipients except user@example.com
1724
#@spam_modifies_subj_maps = ( [qw( !user@example.com . )] );
1726
#$sa_spam_level_char = '*'; # char for X-Spam-Level bar, defaults to '*';
1727
# undef or empty disables inserting X-Spam-Level
1728
#$sa_spam_report_header = 0; # insert X-Spam-Report header field? default false
1730
# stop anti-virus scanning when the first scanner detects a virus?
1731
#$first_infected_stops_scan = 1; # default is false, all scanners in a section
1734
# @av_scanners is a list of n-tuples, where the field semantics are:
1735
# 1. av scanner plain name, to be used in log and reports;
1736
# 2. scanner program name; this string will be submitted to subroutine
1737
# find_external_programs(), which will try to find the full program path
1738
# name during startup; if program is not found, this scanner is disabled.
1739
# Besides a simple string (full program path name or just the basename
1740
# to be looked for in PATH), this may be an array ref of alternative
1741
# program names or full paths - the first match in the list will be used;
1742
# As a special case for more complex scanners, this field may be
1743
# a subroutine reference, and the whole n-tuple is passed to it as args.
1744
# 3. command arguments to be given to the scanner program;
1745
# a substring {} will be replaced by the directory name to be scanned, i.e.
1746
# "$tempdir/parts", a "*" will be replaced by base file names of parts;
1747
# 4. an array ref of av scanner exit status values, or a regexp (to be
1748
# matched against scanner output), indicating NO VIRUSES found;
1749
# a special case is a value undef, which does not claim file to be clean
1750
# (i.e. it never matches, similar to []), but suppresses a failure warning;
1751
# to be used when the result is inconclusive (useful for specialized and
1752
# quick partial scanners such as jpeg checker);
1753
# 5. an array ref of av scanner exit status values, or a regexp (to be
1754
# matched against scanner output), indicating VIRUSES WERE FOUND;
1755
# Note: the virus match prevails over a 'not found' match, so it is safe
1756
# even if the no. 4. matches for viruses too;
1757
# 6. a regexp (to be matched against scanner output), returning a list
1758
# of virus names found, or a sub ref, returning such a list when given
1759
# scanner output as argument;
1760
# 7. and 8.: (optional) subroutines to be executed before and after scanner
1761
# (e.g. to set environment or current directory);
1762
# see examples for these at KasperskyLab AVP and NAI uvscan.
1766
# - NOT DEFINING @av_scanners (e.g. setting it to empty list, or deleting the
1767
# whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE
1768
# (which can be handy if all you want to do is spam scanning);
1770
# - the order matters: although _all_ available entries from the list
1771
# are tried regardless of their verdict, scanners are run in the order
1772
# specified: the report from the first one detecting a virus will be used
1773
# (providing virus names and scanner output); REARRANGE THE ORDER AT WILL;
1774
# see also $first_infected_stops_scan;
1776
# - it doesn't hurt to keep an unused command line scanner entry in the list
1777
# if the program can not be found; the path search is only performed once
1778
# during the program startup;
1780
# COROLLARY: to disable a scanner that _does_ exist on your system,
1781
# comment out its entry or use undef or '' as its program name/path
1782
# (second parameter). An example where this is almost a must: disable
1783
# Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl
1784
# (same for Trophie/vscan, and clamd/clamscan), or if another unrelated
1785
# program happens to have a name matching one of the entries ('sweep'
1786
# again comes to mind);
1788
# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES
1789
# for interfacing (where the second parameter starts with \&).
1790
# Keeping such entry and not having a corresponding virus scanner daemon
1791
# causes an unnecessary connection attempt (which eventually times out,
1792
# but it wastes precious time). For this reason the daemonized entries
1793
# are commented in the distribution - just remove the '#' where needed.
1795
# CERT list of av resources: http://www.cert.org/other_sources/viruses.html
1799
# ### http://www.vanja.com/tools/sophie/
1801
# \&ask_daemon, ["{}/\n", '/var/run/sophie'],
1802
# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
1803
# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
1805
# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
1806
# ['Sophos SAVI', \&sophos_savi ],
1808
# ### http://www.clamav.net/
1810
# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
1811
# qr/\bOK$/, qr/\bFOUND$/,
1812
# qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
1813
# # NOTE: the easiest is to run clamd under the same user as amavisd; match the
1814
# # socket name (LocalSocket) in clamav.conf to the socket name in this entry
1815
# # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
1817
# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred)
1818
# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/],
1820
# ### http://www.openantivirus.org/
1821
# ['OpenAntiVirus ScannerDaemon (OAV)',
1822
# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
1823
# qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],
1825
# ### http://www.vanja.com/tools/trophie/
1827
# \&ask_daemon, ["{}/\n", '/var/run/trophie'],
1828
# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
1829
# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
1831
# ### http://www.grisoft.com/
1832
# ['AVG Anti-Virus',
1833
# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
1834
# qr/^200/, qr/^403/, qr/^403 .*?: ([^\r\n]+)/ ],
1836
# ### http://www.f-prot.com/
1837
# ['FRISK F-Prot Daemon',
1839
# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
1840
# ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
1841
# '127.0.0.1:10203','127.0.0.1:10204'] ],
1842
# qr/(?i)<summary[^>]*>clean<\/summary>/,
1843
# qr/(?i)<summary[^>]*>infected<\/summary>/,
1844
# qr/(?i)<name>(.+)<\/name>/ ],
1846
# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
1847
# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
1848
# [pack('N',1). # DRWEBD_SCAN_CMD
1849
# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
1850
# pack('N', # path length
1851
# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
1853
# pack('N',0). # content size
1855
# '/var/drweb/run/drwebd.sock',
1856
# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot
1857
# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
1858
# # '127.0.0.1:3000', # or over an inet socket
1860
# qr/\A\x00[\x10\x11][\x00\x10]\x00/s, # IS_CLEAN,EVAL_KEY; SKIPPED
1861
# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/s, # KNOWN_V,UNKNOWN_V,V._MODIF
1862
# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s,
1864
# # NOTE: If using amavis-milter, change length to:
1865
# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").
1867
### http://www.kaspersky.com/ (kav4mailservers)
1868
['KasperskyLab AVP - aveclient',
1869
['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
1870
'/opt/kav/bin/aveclient','aveclient'],
1871
'-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
1872
qr/(?:INFECTED|SUSPICION) (.+)/,
1875
### http://www.kaspersky.com/
1876
['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
1877
'-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ?
1879
sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
1880
sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
1883
### The kavdaemon and AVPDaemonClient have been removed from Kaspersky
1884
### products and replaced by aveserver and aveclient
1885
['KasperskyLab AVPDaemonClient',
1886
[ '/opt/AVP/kavdaemon', 'kavdaemon',
1887
'/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
1888
'/opt/AVP/AvpTeamDream', 'AvpTeamDream',
1889
'/opt/AVP/avpdc', 'avpdc' ],
1890
"-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
1891
# change the startup-script in /etc/init.d/kavd to:
1892
# DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
1893
# (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
1894
# adjusting /var/amavis above to match your $TEMPBASE.
1895
# The '-f=/var/amavis' is needed if not running it as root, so it
1896
# can find, read, and write its pid file, etc., see 'man kavdaemon'.
1897
# defUnix.prf: there must be an entry "*/var/amavis" (or whatever
1898
# directory $TEMPBASE specifies) in the 'Names=' section.
1899
# cd /opt/AVP/DaemonClients; configure; cd Sample; make
1900
# cp AvpDaemonClient /opt/AVP/
1901
# su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
1903
### http://www.centralcommand.com/
1904
['CentralCommand Vexira (new) vascan',
1905
['vascan','/usr/lib/Vexira/vascan'],
1906
"-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
1907
"--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}",
1909
qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],
1910
# Adjust the path of the binary and the virus database as needed.
1911
# 'vascan' does not allow the temp directory to be the same as
1912
# the quarantine directory, and the quarantine option can not be disabled.
1913
# If $QUARANTINEDIR is not used, then another directory must be specified
1914
# to appease 'vascan'. Move status 3 to the second list if password
1915
# protected files are to be considered infected.
1917
### http://www.hbedv.com/
1918
['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus',
1919
['antivir','vexira'],
1920
'--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
1921
qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
1922
(?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
1923
# NOTE: if you only have a demo version, remove -z and add 214, as in:
1924
# '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
1926
### http://www.commandsoftware.com/
1927
['Command AntiVirus for Linux', 'csav',
1928
'-all -archive -packed {}', [50], [51,52,53],
1929
qr/Infection: (.+)/ ],
1931
### http://www.symantec.com/
1932
['Symantec CarrierScan via Symantec CommandLineScanner',
1933
'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
1934
qr/^Files Infected:\s+0$/, qr/^Infected\b/,
1935
qr/^(?:Info|Virus Name):\s+(.+)/ ],
1937
### http://www.symantec.com/
1938
['Symantec AntiVirus Scan Engine',
1939
'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
1940
[0], qr/^Infected\b/,
1941
qr/^(?:Info|Virus Name):\s+(.+)/ ],
1942
# NOTE: check options and patterns to see which entry better applies
1944
### http://www.f-secure.com/products/anti-virus/
1945
['F-Secure Antivirus', 'fsav',
1946
'--dumb --mime --archive {}', [0], [3,8],
1947
qr/(?:infection|Infected|Suspected): (.+)/ ],
1949
# ### http://www.avast.com/
1950
# ['avast! Antivirus daemon',
1951
# \&ask_daemon, # greets with 220, terminate with QUIT
1952
# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
1953
# qr/\t\[\+\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[ \t\015\012]+)/ ],
1955
# ### http://www.avast.com/
1956
# ['avast! Antivirus - Client/Server Version', 'avastlite',
1957
# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
1958
# qr/\t\[L\]\t([^[ \t\015\012]+)/ ],
1960
['CAI InoculateIT', 'inocucmd', # retired product
1961
'-sec -nex {}', [0], [100],
1962
qr/was infected by virus (.+)/ ],
1963
# see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
1965
### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT)
1966
['CAI eTrust Antivirus', 'etrust-wrapper',
1967
'-arc -nex -spm h {}', [0], [101],
1968
qr/is infected by virus: (.+)/ ],
1969
# NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
1970
# see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
1972
### http://mks.com.pl/english.html
1973
['MkS_Vir for Linux (beta)', ['mks32','mks'],
1974
'-s {}/*', [0], [1,2],
1977
### http://mks.com.pl/english.html
1978
['MkS_Vir daemon', 'mksscan',
1979
'-s -q {}', [0], [1..7],
1982
### http://www.nod32.com/
1983
['ESET Software NOD32 Command Line Interface v 2.51', 'nod32cli',
1984
'--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ],
1986
# ### http://www.nod32.com/ old
1987
# ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
1988
# '-a -r -d recurse --heur standard {}', [0], [10,11],
1989
# qr/^\S+\s+infected:\s+(.+)/ ],
1991
# ### http://www.nod32.com/ old
1992
# ['ESET Software NOD32', 'nod32',
1993
# '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],
1995
# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
1996
# ['ESET Software NOD32 Client/Server (NOD32SS)',
1997
# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT
1998
# ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
1999
# qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ],
2001
### http://www.norman.com/products_nvc.shtml
2002
['Norman Virus Control v5 / Linux', 'nvcc',
2003
'-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
2004
qr/(?i).* virus in .* -> \'(.+)\'/ ],
2006
### http://www.pandasoftware.com/
2007
['Panda Antivirus for Linux', ['pavcl'],
2008
'-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
2009
qr/Number of files infected[ .]*: 0+(?!\d)/,
2010
qr/Number of files infected[ .]*: 0*[1-9]/,
2011
qr/Found virus :\s*(\S+)/ ],
2013
# ### http://www.pandasoftware.com/
2014
# ['Panda Antivirus for Linux', ['pavcl'],
2015
# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
2016
# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
2017
# qr/Found virus :\s*(\S+)/ ],
2019
# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
2020
# Check your RAV license terms before fiddling with the following two lines!
2021
# ['GeCAD RAV AntiVirus 8', 'ravav',
2022
# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
2023
# # NOTE: the command line switches changed with scan engine 8.5 !
2024
# # (btw, assigning stdin to /dev/null causes RAV to fail)
### http://www.nai.com/
['NAI McAfee AntiVirus (uvscan)', 'uvscan',
'--secure -rv --mime --summary --noboot - {}', [0], [13],
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/,
# sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
# sub {delete $ENV{LD_PRELOAD}},
# NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
# anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
# and then clear it when finished to avoid confusing anything else.
# NOTE2: to treat encrypted files as viruses replace the [13] with:
# qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
### http://www.virusbuster.hu/en/
['VirusBuster', ['vbuster', 'vbengcl'],
"{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
qr/: '(.*)' - Virus/ ],
# VirusBuster Ltd. does not support the daemon version for the workstation
# engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
# binaries, some parameters AND return codes have changed (from 3 to 1).
# See also the new Vexira entry 'vascan' which is possibly related.
# ### http://www.virusbuster.hu/en/
# ['VirusBuster (Client + Daemon)', 'vbengd',
# '-f -log scandir {}', [0], [3],
# qr/Virus found = (.*);/ ],
# # HINT: for an infected file it always returns 3,
# # although the man-page tells a different story
### http://www.cyber.com/
['CyberSoft VFind', 'vfind',
'--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
# sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
### http://www.avast.com/
['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
'-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ],
### http://www.ikarus-software.com/
['Ikarus AntiVirus for Linux', 'ikarus',
'{}', [0], [40], qr/Signature (.+) found/ ],
### http://www.bitdefender.com/
['BitDefender', 'bdc',
'--arc --mail {}', qr/^Infected files *:0+(?!\d)/,
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
# consider also: --all --nowarn --alev=15 --flev=15. The --all argument may
# not apply to your version of bdc, check documentation and see 'bdc --help'
# ['File::Scan', sub {Amavis::AV::ask_av(sub{
# use File::Scan; my($fn)=@_;
# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
# my($vname) = $f->scan($fn);
# $f->error ? (2,"Error: ".$f->error)
# : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
# ["{}/*"], [0], [1], qr/^(.*) FOUND$/ ],
# ### example: fully-fledged checker for JPEG marker segments of invalid length
# sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ],
# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
# # for example in /usr/local/lib/perl5/site_perl
# ### example: simpleminded checker for JPEG marker segments of invalid length
# ### (only checks first 32k, which is not thorough enough)
# ['check-jpeg-simple',
# sub { Amavis::AV::ask_av(sub {
# my($f)=@_; local(*FF,$_,$1,$2); my(@r)=(0,'not jpeg');
# open(FF,$f) or die "jpeg: open err $f: $!";
# binmode(FF) or die "jpeg: binmode err $f: $!";
# defined read(FF,$_,32000) or die "jpeg: read err $f: $!";
# close(FF) or die "jpeg: close err $f: $!";
# if (/^\xff\xd8\xff/) {
# while (!/\G(?:\xff\xd9|\z)/gc) { # EOI or eof
# if (/\G\xff+(?=\xff|\z)/gc) {} # fill-bytes before marker
# elsif (/\G\xff([\x01\xd0-\xd8])/gc) {} # TEM, RSTi, SOI
# elsif (/\G\xff([^\x00\xff])(..)/gcs) { # marker segment start
# my($n)=unpack("n",$2)-2;
# $n=32766 if $n>32766; # Perl regexp limit
# if ($n<0) {@r=(1,"bad jpeg: len=$n, pos=".pos); last}
# elsif (/\G.{$n}/gcs) {} # ok
# elsif (/\G.{0,$n}\z/gcs) {last} # truncated
# else {@r=(1,"bad jpeg: unexpected, pos=".pos); last}
# elsif (/\G[^\xff]+/gc) {} # ECS
# elsif (/\G(?:\xff\x00)+/gc) {} # ECS
# else {@r=(2,"bad jpeg: unexpected char, pos=".pos); last}
# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ],
# If no virus scanner from the @av_scanners list produces a 'clean' or
# 'infected' status (i.e. they all fail to run or the list is empty),
# then _all_ scanners from the @av_scanners_backup list are tried
# (again, subject to $first_infected_stops_scan). When there are both
# daemonized and equivalent or similar command-line scanners available,
# it is customary to place the slower command-line scanners in the
# @av_scanners_backup list. The default choice is somewhat arbitrary;
# move entries from one list to the other as desired, keeping the main
# scanners in the primary list to avoid warnings.
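# Backup virus scanners. Per the description preceding this list, they are
# tried only when no scanner in @av_scanners yields a 'clean' or 'infected'
# status.
#
# The entries below are written in this order: display name; program name or
# a list of candidate paths/names; argument string; exit statuses or an output
# pattern meaning 'clean'; the same for 'infected'; a pattern capturing the
# virus name. The kavscanner entry adds two subs that change the working
# directory before the scan and restore it afterwards.
# NOTE(review): {} in the argument strings presumably stands for the directory
# being scanned - confirm against the @av_scanners documentation.
@av_scanners_backup = (

  ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    # double-quoted, so $TEMPBASE is interpolated when this file is read
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

  ### http://www.f-prot.com/ - backs up F-Prot Daemon
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],
    qr/Infection: (.+)|\s+contains\s+(.+)$/ ],

  ### http://www.trendmicro.com/ - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

  ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD
  ['drweb - DrWeb Antivirus',
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],

  ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
    '-i1 -xp {}', [0,10,15], [5,20,21,25],
    qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
    # the scanner is run from its own directory; a failed chdir is fatal
    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
    # return to the work directory so later steps do not run in /opt/kav/bin
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE: $!"},
  ],

# Commented out because the name 'sweep' clashes with Debian and FreeBSD
# package/port of an audio editor. Make sure the correct 'sweep' is found
# in the path when enabling.
#
# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl
# ['Sophos Anti Virus (sweep)', 'sweep',
#   '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}',
#   [0,2], qr/Virus .*? found/,
#   qr/^>>> Virus(?: fragment)? '?(.*?)'? found/,
# ],
# # other options to consider: -mime -oe -idedir=/usr/local/sav

# always succeeds (uncomment to consider mail clean if all other scanners fail)
# NOTE: enabling this makes virus scanning fail open - when every real scanner
# is broken or missing, mail is passed on as clean without having been scanned.
# ['always-clean', sub {0}],

);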
# Section VIII - Debugging
# The most useful debugging tool is to run amavisd-new non-detached
# from a terminal window using command: # amavisd debug
# Some more refined approaches:
# If sender matches ACL, turn debugging fully up, just for this one message
#@debug_sender_maps = ( ["test-sender\@$mydomain"] );
#@debug_sender_maps = ( [qw( debug@example.com debug@example.net )] );
# May be useful along with @debug_sender_maps:
# Prevent all decoded originals being deleted (replaced by decoded part)
#@keep_decoded_original_maps = (1);
# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
#$sa_debug = '1,all'; # defaults to false
# Section IX - Policy banks (dynamic policy switching)
## Define some policy banks (sets of settings) and give them
## arbitrary names (the names '', 'MYNETS' and 'MYUSERS' have special meaning):
# $policy_bank{'ALT'} = {
# syslog_ident => 'alt-amavis',
# syslog_facility => 'LOCAL3',
# inet_acl => [qw( 10.0.1.14 )],
# final_spam_destiny => D_PASS, final_bad_header_destiny => D_PASS,
# forward_method => 'smtp:*:*',
# notify_method => 'smtp:[127.0.0.1]:10025',
# virus_admin_maps => "abuse\@$mydomain",
# spam_lovers_maps => [@spam_lovers_maps, [qw( abuse@example.com )]],
# spam_tag_level_maps => 2.1,
# spam_tag2_level_maps => 6.32,
# spam_kill_level_maps => 6.72,
# spam_dsn_cutoff_level_maps => 8,
# local_client_bind_address => '10.11.12.13',
# localhost_name => 'amavis.example.com',
# smtpd_greeting_banner =>
# '${helo-name} ${protocol} ${product} ${version-id} (${version-date}) TEST service ready';
# auth_mech_avail => [qw(PLAIN LOGIN)],
# auth_required_inp => 1,
# auth_required_out => 1,
# amavis_auth_user => 'amavisd', amavis_auth_pass => 'tOpsecretX', # sample value only - set your own secret
# av_scanners => [ # provide only 'free' scanners
# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
# qr/\bOK$/, qr/\bFOUND$/,
# qr/^.*?: (?!Infected Archive)(.*) FOUND$/,
# av_scanners_backup => [
# ['ClamAV-clamscan', 'clamscan',
# "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
# qr/^.*?: (?!Infected Archive)(.*) FOUND$/,
# NOTE: the use of policy banks for changing protocol on the input socket is
# only needed when different protocols need to be spoken on different sockets
# at the same time. For normal use just set globally e.g.: $protocol='AM.PDP';
#$policy_bank{'AM.PDP-SOCK'} = {
# protocol => 'AM.PDP', # Amavis policy delegation protocol
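# auth_required_release => 0, # don't require secret_id for amavisd-release
# # (anyone able to connect to this socket can then request a release,
# # so keep the socket's file permissions tight)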
#$policy_bank{'AM.PDP-INET'} = {
# protocol => 'AM.PDP', # Amavis policy delegation protocol
# inet_acl => [qw( 127.0.0.1 [::1] )], # restrict to these IP addresses
## the name 'MYNETS' has special semantics: this policy bank gets loaded
## whenever MTA supplies the original SMTP client IP address (Postfix XFORWARD
## extension or a new AM.PDP protocol) and that address matches @mynetworks.
# $terminate_dsn_on_notify_success = 1;
# $policy_bank{'MYNETS'} = { # mail originating from @mynetworks
# terminate_dsn_on_notify_success => 0,
# spam_kill_level_maps => 6.9,
# syslog_facility => 'LOCAL4', # tell syslog to log to a separate file
# spam_admin_maps => ["spamalert\@$mydomain"], # alert of internal spam
# bypass_spam_checks_maps => [1], # or: don't spam-check internal mail
# bypass_banned_checks_maps => [1], # don't banned-check internal mail
# warnbadhsender => 1, # warn local senders about their broken MUA
# banned_filename_maps => ['MYNETS-DEFAULT'], # more permissive banning rules
## the name 'MYUSERS' has special semantics: this policy bank gets loaded
## whenever the sender matches @local_domains_maps. This only makes sense
## if local sender addresses can be trusted -- for example by requiring
## authentication before letting users send with their local address.
# $policy_bank{'MYUSERS'} = {
# final_virus_destiny => D_BOUNCE, # bounce only to authenticated local users
# final_banned_destiny=> D_BOUNCE,
## Now we can assign policy banks to amavisd tcp port numbers listed in
## $inet_socket_port. Whenever a connection from the MTA is received, first
## the built-in policy bank $policy_bank{''} gets loaded, which brings in
## all the global/legacy settings, then it gets overlaid by the bank
## named in $interface_policy{$port} if any, and finally the bank
## 'MYNETS' is overlaid if it exists and the SMTP client IP address
## is known (by XFORWARD command from MTA) and it matches @mynetworks.
# $interface_policy{'10026'} = 'ALT';
# used by amavisd-release utility of a new AM.PDP-based amavis-milter client
#$interface_policy{'9998'} = 'AM.PDP-INET';
#$interface_policy{'SOCK'} = 'AM.PDP-SOCK';
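# Want to execute additional configuration files from some directory?
# Every *.cf / *.conf file found there is run as Perl code by do(), so the
# directory and its files must be writable by root only, just like this file;
# the /^(.*)$/ match below accepts (and presumably untaints) any file name.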
#{ my($d) = '/etc/amavis/conf.d'; # do *.cf or *.conf files in this directory
# local(*D); opendir(D,$d) or die "Can't open dir $d: $!";
# my(@d) = sort grep {/\.(cf|conf)$/ && -f} map {/^(.*)$/,"$d/$1"} readdir(D);
# closedir(D) or die "Can't close $d: $!";
# printf("Reading config file %s\n", $f); $!=0;
# if (defined(do $f)) {}
# elsif ($@ ne '') { die "Error in $f: $@" }
# elsif ($! != 0) { die "Error reading $f: $!" }
1; # ensure the file returns a defined value when it is evaluated as Perl code