author | Cory Visi <merlin@gentoo.org> | 2004-07-28 17:25:36 +0000 |
---|---|---|
committer | Cory Visi <merlin@gentoo.org> | 2004-07-28 17:25:36 +0000 |
commit | 9b0c5ed0029549751756a13a9b2626aba99b33a6 (patch) | |
tree | 17d9c4357596d290b4fc8d57fd2d6c719bb6975a /mail-filter/amavisd-new | |
parent | Semi solved bug #57838, and added support for postgres. (Manifest recommit) (diff) | |
New official release (v2) - see Bug 56233 for details; numerous app and ebuild changes
Diffstat (limited to 'mail-filter/amavisd-new')
-rw-r--r-- | mail-filter/amavisd-new/ChangeLog | 9 | ||||
-rw-r--r-- | mail-filter/amavisd-new/Manifest | 9 | ||||
-rw-r--r-- | mail-filter/amavisd-new/amavisd-new-20040701.ebuild | 139 | ||||
-rw-r--r-- | mail-filter/amavisd-new/files/amavisd.conf | 1888 | ||||
-rw-r--r-- | mail-filter/amavisd-new/files/digest-amavisd-new-20040701 | 1 |
5 files changed, 2042 insertions, 4 deletions
diff --git a/mail-filter/amavisd-new/ChangeLog b/mail-filter/amavisd-new/ChangeLog index db6d136d34b8..b050f81b16ce 100644 --- a/mail-filter/amavisd-new/ChangeLog +++ b/mail-filter/amavisd-new/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for mail-filter/amavisd-new # Copyright 2000-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/mail-filter/amavisd-new/ChangeLog,v 1.6 2004/07/18 15:40:35 aliz Exp $ +# $Header: /var/cvsroot/gentoo-x86/mail-filter/amavisd-new/ChangeLog,v 1.7 2004/07/28 17:25:36 merlin Exp $ + +*amavisd-new-20040701 (28 Jul 2004) + + 28 Jul 2004; Cory Visi <merlin@gentoo.org> amavisd-new-20040701.ebuild, + files/amavisd.conf: + New official release (v2) - see Bug 56233 for details; numerous app and ebuild + changes 15 Jun 2004; Thomas Raschbacher <lordvan@gentoo.org> amavisd-new-20030616_p8.ebuild, amavisd-new-20030616_p9.ebuild: diff --git a/mail-filter/amavisd-new/Manifest b/mail-filter/amavisd-new/Manifest index 258421756357..7a61133abc3e 100644 --- a/mail-filter/amavisd-new/Manifest +++ b/mail-filter/amavisd-new/Manifest 
@@ -1,10 +1,13 @@
+MD5 e5c515162199b0cf5873e59450caec3a ChangeLog 5219
 MD5 8f6932db0e432e589c41d9928d4198a0 amavisd-new-20030616_p8.ebuild 2630
 MD5 1417aabd41c7b66e06f012fac0edad91 amavisd-new-20030616_p9.ebuild 2901
-MD5 5d3689ebec909d9446a75835a54d5f06 ChangeLog 4994
 MD5 7e32edfd72887a57b16ecd73f0f7a1a0 metadata.xml 184
-MD5 1f1f4cf9c92f92f966361a8ac08aa543 files/amavisd.rc6 305
-MD5 3256d64018bee64fa34ed62fb93e44af files/sql_timeout.patch 3282
+MD5 28bfd33a76250484c589b19df20e4a89 amavisd-new-20040701.ebuild 3532
 MD5 f45025857b1aaeeb225782bf7f35c5c3 files/addr_extensions_in_sql.patch 10222
+MD5 1f1f4cf9c92f92f966361a8ac08aa543 files/amavisd.rc6 305
 MD5 0c677a1cb17705ea75841cabd5d14634 files/digest-amavisd-new-20030616_p8 75
 MD5 0a2364d819d448c49ea72dfe8c2a109a files/digest-amavisd-new-20030616_p9 75
 MD5 b9ac0b985d0cb7da0ab45fa22ebe38c8 files/lost_connection.patch 567
+MD5 3256d64018bee64fa34ed62fb93e44af files/sql_timeout.patch 3282
+MD5 ca888d0029704c16992a7439a8ee28f1 files/amavisd.conf 85575
+MD5 4b5c8018b70d0e6a8f52d37653996367 files/digest-amavisd-new-20040701 72
diff --git a/mail-filter/amavisd-new/amavisd-new-20040701.ebuild b/mail-filter/amavisd-new/amavisd-new-20040701.ebuild
new file mode 100644
index 000000000000..bb663477afdb
--- /dev/null
+++ b/mail-filter/amavisd-new/amavisd-new-20040701.ebuild
@@ -0,0 +1,139 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/mail-filter/amavisd-new/amavisd-new-20040701.ebuild,v 1.1 2004/07/28 17:25:36 merlin Exp $
+
+inherit eutils
+
+DESCRIPTION="High-performance interface between the MTA and content checkers."
+HOMEPAGE="http://www.ijs.si/software/amavisd/"
+SRC_URI="http://www.ijs.si/software/amavisd/${PN}-${PV/_/-}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86 ~ppc ~amd64 ~sparc"
+IUSE="ldap mysql postgres milter"
+
+DEPEND=">=sys-apps/sed-4
+ >=dev-lang/perl-5.8.2"
+
+RDEPEND="${DEPEND}
+ >=sys-apps/coreutils-5.0-r3
+ app-arch/gzip
+ app-arch/bzip2
+ app-arch/arc
+ app-arch/freeze
+ app-arch/lha
+ app-arch/unarj
+ app-arch/unrar
+ app-arch/zoo
+ dev-perl/Archive-Tar
+ dev-perl/Archive-Zip
+ dev-perl/Compress-Zlib
+ dev-perl/Convert-TNEF
+ dev-perl/Convert-UUlib
+ dev-perl/MIME-Base64
+ >=dev-perl/MIME-tools-6.2
+ >=dev-perl/MailTools-1.58
+ dev-perl/net-server
+ dev-perl/libnet
+ dev-perl/Digest-MD5
+ dev-perl/IO-stringy
+ >=dev-perl/Time-HiRes-1.49
+ dev-perl/Unix-Syslog
+ >=sys-libs/db-3.1
+ dev-perl/BerkeleyDB
+ virtual/mta
+ virtual/antivirus
+ ldap? ( dev-perl/perl-ldap )
+ mysql? ( dev-perl/DBD-mysql )
+ postgres? ( dev-perl/DBD-Pg )
+ milter? ( >=mail-mta/sendmail-8.12 )"
+
+S="${WORKDIR}/${PN}-${PV/_*/}"
+
+AMAVIS_ROOT=/var/amavis
+
+src_compile() {
+ if use milter ; then
+ cd "${S}/helper-progs"
+
+ econf --with-runtime-dir=${AMAVIS_ROOT} \
+ --with-sockname=${AMAVIS_ROOT}/amavisd.sock \
+ --with-user=amavis || die "helper-progs econf failed"
+ emake || die "helper-progs compile problem"
+
+ cd "${S}"
+ fi
+}
+
+src_install() {
+ enewgroup amavis
+ enewuser amavis -1 /bin/false ${AMAVIS_ROOT} amavis
+
+ dosbin amavisd
+
+ insinto /etc
+ doins ${FILESDIR}/amavisd.conf
+ dosed "s:^#\\?\\\$MYHOME[^;]*;:\$MYHOME = '$AMAVIS_ROOT';:" \
+ /etc/amavisd.conf
+ if [ "$(domainname)" = "(none)" ] ; then
+ dosed "s:^#\\?\\\$mydomain[^;]*;:\$mydomain = '$(hostname)';:" \
+ /etc/amavisd.conf
+ else
+ dosed "s:^#\\?\\\$mydomain[^;]*;:\$mydomain = '$(domainname)';:" \
+ /etc/amavisd.conf
+ fi
+
+ exeinto /etc/init.d
+ newexe "${FILESDIR}/amavisd.rc6" amavisd
+ dosed "s:/var/spool/amavis/:$AMAVIS_ROOT/:g" /etc/init.d/amavisd
+
+ keepdir ${AMAVIS_ROOT}
+ fowners amavis:amavis ${AMAVIS_ROOT}
+ fperms 0750 ${AMAVIS_ROOT}
+
+ keepdir ${AMAVIS_ROOT}/db
+ fowners amavis:amavis ${AMAVIS_ROOT}/db
+
+ keepdir ${AMAVIS_ROOT}/quarantine
+ fowners amavis:amavis ${AMAVIS_ROOT}/quarantine
+
+ keepdir ${AMAVIS_ROOT}/tmp
+ fowners amavis:amavis ${AMAVIS_ROOT}/tmp
+ for i in whitelist blacklist spam_lovers; do
+ touch ${D}${AMAVIS_ROOT}/${i}
+ fowners amavis:amavis ${AMAVIS_ROOT}/${i}
+ done
+
+ newdoc test-messages/README README.samples
+ dodoc AAAREADME.first INSTALL LDAP.schema LICENSE MANIFEST RELEASE_NOTES \
+ README_FILES/* test-messages/sample-* amavisd.conf-default amavisd-agent
+
+ if use milter ; then
+ cd "${S}/helper-progs"
+ einstall
+ fi
+}
+
+pkg_postinst() {
+ if `has_version mail-filter/razor` ; then
+ einfo "Setting up initial razor config files..."
+
+ razor-admin -create -home=${ROOT}${AMAVIS_ROOT}/.razor
+ sed -i -e "s:debuglevel\([ ]*\)= .:debuglevel\1= 0:g" \
+ ${ROOT}${AMAVIS_ROOT}/.razor/razor-agent.conf
+ chown -R amavis:amavis ${ROOT}${AMAVIS_ROOT}/.razor
+ fi
+
+ echo
+ ewarn
+ ewarn "This version of amavisd-new has a different layout from previous versions"
+ ewarn "available in portage. The socket, pid, and lock file, as well as the"
+ ewarn "temporary, razor, and spamassassin configuration directories have all"
+ ewarn "moved to:"
+ ewarn
+ ewarn "${AMAVIS_ROOT}"
+ ewarn
+ ewarn "It may be necessary to reconfigure any helper applications."
+ ewarn
+}
diff --git a/mail-filter/amavisd-new/files/amavisd.conf b/mail-filter/amavisd-new/files/amavisd.conf
new file mode 100644
index 000000000000..06fc1eda2d74
--- /dev/null
+++ b/mail-filter/amavisd-new/files/amavisd.conf
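Review bot: In `src_install` of the new ebuild, `$mydomain` is filled from `$(domainname)`, which reports the NIS/YP domain rather than the DNS domain, with `$(hostname)` (a host name, not a domain) as the fallback; both run on the build host, so a binary package would carry the builder's value. The shipped amavisd.conf derives `@local_domains_maps`, `$virus_admin` and the `$mailfrom_notify_*` addresses from `$mydomain`, so a wrong value misclassifies local recipients and points virus alerts at an unintended address. I would leave the `example.com` placeholder untouched and add to `pkg_postinst` something like `ewarn "Set \$mydomain in /etc/amavisd.conf before starting amavisd."`. Separately, `pkg_postinst` runs `razor-admin -create` as root inside the amavis-owned `${AMAVIS_ROOT}` and only afterwards does `chown -R`; creating `.razor` as the amavis user would avoid root writing into a directory that account controls. The backticks around `has_version mail-filter/razor` in the `if` should also be dropped so the exit status is tested directly.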
@@ -0,0 +1,1888 @@ +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/mail-filter/amavisd-new/files/amavisd.conf,v 1.1 2004/07/28 17:25:36 merlin Exp $ + +# Configuration file for amavisd-new on Gentoo Linux +# Based on amavisd.conf-sample distributed with software +# +# This software is licensed under the GNU General Public License (GPL). +# See comments at the start of amavisd-new for the whole license text. + + +use strict; + +#Sections: +# Section I - Essential daemon and MTA settings +# Section II - MTA specific +# Section III - Logging +# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine +# Section V - Per-recipient and per-sender handling, whitelisting, etc. +# Section VI - Resource limits +# Section VII - External programs, virus scanners, SpamAssassin +# Section VIII - Debugging +# Section IX - Policy banks (dynamic policy switching) + +#GENERAL NOTES: +# This file is a normal Perl code, interpreted by Perl itself. +# - make sure this file (or directory where it resides) is NOT WRITABLE +# by mere mortals (not even vscan/amavis; best to make it owned by root), +# otherwise it represents a severe security risk! +# - for values which are interpreted as booleans, it is recommended +# to use 1 for true, and 0 or undef or '' for false. +# THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "no" also meant false, +# now it means true, like any nonempty string does! +# - Perl syntax applies. Most notably: strings in "" may include variables +# (which start with $ or @); to include characters @ and $ in double +# quoted strings, precede them by a backslash; in single-quoted strings +# the $ and @ lose their special meaning, so it is usually easier to use +# single quoted strings (or qw operator) for e-mail addresses. +# Still, in both cases a backslash needs to be doubled. 
+# - variables with names starting with a '@' are lists, the values assigned +# to them should be lists as well, e.g. ('one@foo', $mydomain, "three"); +# note the comma-separation and parenthesis. If strings in the list +# do not contain spaces nor variables, a Perl operator qw() may be used +# as a shorthand to split its argument on whitespace and produce a list +# of strings, e.g. qw( one@foo example.com three ); Note that the argument +# to qw is quoted implicitly and no variable interpretation is done within +# (no '$' variable evaluations). The #-initiated comments can NOT be used +# within a string. In other words, $ and # lose their special meaning +# within a qw argument, just like within '...' strings. +# - all e-mail addresses in this file and as used internally by the daemon +# are in their raw (rfc2821-unquoted and non-bracketed) form, i.e. +# Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com +# and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'. +# - the term 'default value' in examples below refers to the value of a +# variable pre-assigned to it by the program; any explicit assignment +# to a variable in this configuration file overrides the default value; + + +# +# Section I - Essential daemon and MTA settings +# + +# $MYHOME serves as a quick default for some other configuration settings. +# More refined control is available with each individual setting further down. +# $MYHOME is not used directly by the program. No trailing slash! +#$MYHOME = '/var/lib/amavis'; # (default is '/var/amavis') + +# $mydomain serves as a quick default for some other configuration settings. +# More refined control is available with each individual setting further down. +# $mydomain is never used directly by the program. 
+$mydomain = 'example.com'; # (no useful default) + +# $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3) + +# Set the user and group to which the daemon will change if started as root +# (otherwise just keeps the UID unchanged, and these settings have no effect): +$daemon_user = 'amavis'; # (no default; customary: vscan or amavis) +$daemon_group = 'amavis'; # (no default; customary: vscan or amavis) + +# Runtime working directory (cwd), and a place where +# temporary directories for unpacking mail are created. +# (no trailing slash, may be a scratch file system) +#$TEMPBASE = $MYHOME; # (must be set if other config vars use is) +$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean? + +$db_home = "$MYHOME/db"; # DB databases directory, default "$MYHOME/db" + +# $helpers_home sets environment variable HOME, and is passed as option +# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory +# on a normal persistent file system, not a scratch or temporary file system +$helpers_home = $MYHOME; # (defaults to $MYHOME) + +# Run the daemon in the specified chroot jail if nonempty: +#$daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot) + +#$pid_file = "$MYHOME/amavisd.pid"; # (default is "$MYHOME/amavisd.pid") +#$lock_file = "$MYHOME/amavisd.lock"; # (default is "$MYHOME/amavisd.lock") + +# set environment variables if you want (no defaults): +$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory +#... 
+ +# MTA SETTINGS, UNCOMMENT AS APPROPRIATE, +# both $forward_method and $notify_method default to 'smtp:[127.0.0.1]:10025' + +# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4 +# (set host and port number as required; host can be specified +# as an IP address or a DNS name (A or CNAME, but MX is ignored) +#$forward_method = 'smtp:[127.0.0.1]:10025'; # where to forward checked mail +#$notify_method = $forward_method; # where to submit notifications + +# To make it possible for several hosts to share one content checking daemon, +# the IP address and/or the port number in $forward_method and $notify_method +# may be spacified as an asterisk. An asterisk in the colon-separated +# second field (host) will be replaced by the SMTP client peer address, +# An asterisk in the third field (tcp port) will be replaced by the incoming +# SMTP/LMTP session port number plus one. This obsoletes the previously used +# less flexible configuration parameter $relayhost_is_client. An example: +# $forward_method = 'smtp:*:*'; $notify_method = 'smtp:*:10587'; + + +# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST +# uncomment the appropriate settings below if using other setups! + +# SENDMAIL MILTER, using amavis-milter.c helper program: +#$forward_method = undef; # no explicit forwarding, sendmail does it by itself +# milter; option -odd is needed to avoid deadlocks +#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}'; +# just a thought: can we use use -Am instead of -odd ? 
+ +# SENDMAIL (old non-milter setup, as relay): +#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}'; +#$notify_method = $forward_method; + +# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent): +#$forward_method = undef; # no explicit forwarding, amavis.c will call LDA +#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}'; + +# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead): +#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}'; +#$notify_method = $forward_method; + +# prefer to collect mail for forwarding as BSMTP files? +#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp"; +#$notify_method = $forward_method; + + +# Net::Server pre-forking settings +# You may want $max_servers to match the width of your MTA pipe +# feeding amavisd, e.g. with Postfix the 'Max procs' field in the +# master.cf file, like the '2' in the: smtp-amavis unix - - n - 2 smtp +# +$max_servers = 4; # number of pre-forked children (default 2) +$max_requests = 10; # retire a child after that many accepts (default 10) + +$child_timeout=5*60; # abort child if it does not complete each task in n sec + # (default: 8*60 seconds) + +# Check also the settings of @av_scanners at the end if you want to use +# virus scanners. If not, you may want to delete the whole long assignment +# to the variable @av_scanners, which will also remove the virus checking +# code (e.g. if you only want to do spam scanning). + +# Here is a QUICK WAY to completely DISABLE some sections of code +# that WE DO NOT WANT (it won't even be compiled-in). +# For more refined controls leave the following two lines commented out, +# and see further down what these two lookup lists really mean. 
+# +# @bypass_virus_checks_maps = (1); # uncomment to DISABLE anti-virus code +# @bypass_spam_checks_maps = (1); # uncomment to DISABLE anti-spam code +# +# Any setting can be changed with a new assignment, so make sure +# you do not unintentionally override these settings further down! + + +# Lookup list of local domains (see README.lookups for syntax details) +# +# @local_domains_maps list of lookup tables are used in deciding whether a +# recipient is local or not, or in other words, if the message is outgoing +# or not. This affects inserting spam-related headers for local recipients, +# limiting recipient virus notifications (if enabled) to local recipients, +# in deciding if address extension may be appended, and in SQL lookups +# for non-fqdn addresses. Set it up correctly if you need features +# that rely on this setting (or just leave empty otherwise). +# +# With Postfix (2.0) a quick reminder on what local domains normally are: +# a union of domains specified in: $mydestination, $virtual_alias_domains, +# $virtual_mailbox_domains, and $relay_domains. + +@local_domains_maps = ( [".$mydomain"] ); # $mydomain and its subdomains +# @local_domains_maps = (); # default is empty list, no recip. considered local +# @local_domains_maps = # using ACL lookup table +# ( [ ".$mydomain", '.example.com', 'sub.example.net' ] ); +# @local_domains_maps = # similar, split list elements on whitespace +# ( [qw( .example.com !host.sub.example.net .sub.example.net )] ); +# @local_domains_maps = ( new_RE( qr'[@.]example\.com$'i ) ); # using regexp +# @local_domains_maps = ( read_hash("$MYHOME/local_domains") ); # using hash + +# +# Section II - MTA specific (defaults should be ok) +# + +#$insert_received_line = 1; # behave like MTA: insert 'Received:' header + # (does not apply to sendmail/milter) + # (default is true) + +# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. 
with sendmail milter) +# (used with amavis helper clients like amavis-milter.c and amavis.c, +# NOT needed for Postfix or Exim or dual-sendmail - keep it undefined. +$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket +#$unix_socketname = undef; # disable listening on a unix socket + # (default is undef, i.e. disabled) + # (usual setting is $MYHOME/amavisd.sock) + +# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...) +# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP) +$inet_socket_port = 10024; # accept SMTP on this local TCP port + # (default is undef, i.e. disabled) +# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028]; + +# SMTP SERVER (INPUT) access control +# - do not allow free access to the amavisd SMTP port !!! +# +# when MTA is at the same host, use the following (one or the other or both): +#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface + # (default is '127.0.0.1') +@inet_acl = qw( 127.0.0.1 ::1 ); # allow SMTP access only from localhost IP + # (default is qw(127.0.0.1 ::1) ) + +# when MTA (one or more) is on a different host, use the following: +#@inet_acl = qw(127/8 ::1 10.1.0.1 10.1.0.2); # adjust the list as appropriate +#$inet_socket_bind = undef; # bind to all IP interfaces if undef + +# +# Example1: +# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 ); +# permit only SMTP access from loopback and rfc1918 private address space +# +# Example2: +# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0 +# 127.0.0.1 10/8 172.16/12 192.168/16 ); +# matches loopback and rfc1918 private address space except host 192.168.1.12 +# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches) +# +# Example3: +# @inet_acl = qw( 127/8 +# !172.16.3.0 !172.16.3.127 172.16.3.0/25 +# !172.16.3.128 !172.16.3.255 172.16.3.128/25 ); +# matches loopback and both halves of the 172.16.3/24 C-class, +# split into two subnets, except 
all four broadcast addresses +# for these subnets + + +# @mynetworks is an IP access list which determines if the original SMTP client +# IP address belongs to our internal networks. It is much like the Postfix +# parameter 'mynetworks' in semantics and similar in syntax, and its value +# should normally match the Postfix counterpart. It only affects the value +# of a macro %l (=sender-is-local), and the loading of policy 'MYNETS' if +# present (see below). Note that '-o smtp_send_xforward_command=yes' (or its +# lmtp counterpart) must be enabled in the Postfix service that feeds amavisd, +# otherwise client IP address is not available to amavisd-new. +# +# @mynetworks = +# qw( 127.0.0.0/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); # default + + +# See README.lookups for details on specifying access control lists. + + +# +# Section III - Logging +# + +# true (e.g. 1) => syslog; false (e.g. 0) => logging to file +$DO_SYSLOG = 1; # (defaults to false) +#$SYSLOG_LEVEL = 'user.info'; # (facility.priority, default 'mail.info') + +# Log file (if not using syslog) +$LOGFILE = "$MYHOME/amavis.log"; # (defaults to empty, no log) + +#NOTE: levels are not strictly observed and are somewhat arbitrary +# 0: startup/exit/failure messages, viruses detected +# 1: args passed from client, some more interesting messages +# 2: virus scanner output, timing +# 3: server, client +# 4: decompose parts +# 5: more debug details +$log_level = 0; # (defaults to 0) + +# Customizable template for the most interesting log file entry (e.g. with +# $log_level=0) (take care to properly quote Perl special characters like '\') +# For a list of available macros see README.customize . + +# $log_templ = undef; # disable by-message level-0 log entries +$log_recip_templ = undef; # disable by-recipient level-0 log entries + + +# log both infected and noninfected messages (new default): +# +# [?%#D||Passed # +# [? %#V |[? %#F |[? %#X |[? 
%2 |CLEAN|SPAM]|BAD-HEADER]|BANNED (%F)]|INFECTED (%V)]# +# , [?%a||\[%a\] ]<%o> -> [%D|,]# +# [? %q ||, quarantine: %i]# +# [? %m ||, Message-ID: %m]# +# [? %r ||, Resent-Message-ID: %r]# +# , Hits: %c# +# ] +# [?%#O||Blocked # +# [? %#V |[? %#F |[? %#X |[? %2 |CLEAN|SPAM]|BAD-HEADER]|BANNED (%F)]|INFECTED (%V)]# +# , [?%a||\[%a\] ]<%o> -> [%O|,]# +# [? %q ||, quarantine: %i]# +# [? %m ||, Message-ID: %m]# +# [? %r ||, Resent-Message-ID: %r]# +# , Hits: %c# +# ] + + +# +# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine +# + +# Select notifications text encoding when Unicode-aware Perl is converting +# text from internal character representation to external encoding (charset +# in MIME terminology). Used as argument to Perl Encode::encode subroutine. +# +# to be used in RFC 2047-encoded header field bodies, e.g. in Subject: +#$hdr_encoding = 'iso-8859-1'; # MIME charset (default: 'iso-8859-1') +#$hdr_encoding_qb = 'Q'; # MIME encoding: quoted-printable (default) +#$hdr_encoding_qb = 'B'; # MIME encoding: base64 +# +# to be used in notification body text: its encoding and Content-type.charset +#$bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1') + +# Default template texts for notifications may be overruled by directly +# assigning new text to template variables, or by reading template text +# from files. A second argument may be specified in a call to read_text(), +# specifying character encoding layer to be used when reading from the +# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding. +# Text will be converted to internal character representation by Perl 5.8.0 +# or later; second argument is ignored otherwise. See PerlIO::encoding, +# Encode::PerlIO and perluniintro man pages. 
+# +# $notify_sender_templ = read_text("$MYHOME/notify_sender.txt"); +# $notify_virus_sender_templ= read_text("$MYHOME/notify_virus_sender.txt"); +# $notify_virus_admin_templ = read_text("$MYHOME/notify_virus_admin.txt"); +# $notify_virus_recips_templ= read_text("$MYHOME/notify_virus_recips.txt"); +# $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt"); +# $notify_spam_admin_templ = read_text("$MYHOME/notify_spam_admin.txt"); + +# If notification template files are collectively available in some directory, +# use read_l10n_templates which calls read_text for each known template. +# +# read_l10n_templates('/etc/amavis/en_US'); + + +# Here is an overall picture (sequence of events) of how pieces fit together +# (only virus controls are shown, spam controls work the same way): +# +# bypass_virus_checks set for all recipients? ==> PASS +# no viruses? ==> PASS +# log virus if $log_templ is nonempty +# quarantine if $virus_quarantine_to is nonempty +# notify admin if $virus_admin (lookup) nonempty +# notify recips if $warnvirusrecip and (recipient is local or $warn_offsite) +# add address extensions for local recipients (when enabled) +# send (non-)delivery notifications +# to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS)) +# virus_lovers or final_destiny==D_PASS ==> PASS +# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny) +# +# Equivalent flow diagram applies for spam checks. +# If a virus is detected, spam checking is skipped entirely. + +# The following symbolic constants can be used in *destiny settings: +# +# D_PASS mail will pass to recipients, regardless of bad contents; +# +# D_DISCARD mail will not be delivered to its recipients, sender will NOT be +# notified. Effectively we lose mail (but will be quarantined +# unless disabled). Losing mail is not decent for a mailer, +# but might be desired. 
+# +# D_BOUNCE mail will not be delivered to its recipients, a non-delivery +# notification (bounce) will be sent to the sender by amavisd-new; +# Exception: bounce (DSN) will not be sent if a virus name matches +# $viruses_that_fake_sender_re, or to messages from mailing lists +# (Precedence: bulk|list|junk); +# +# D_REJECT mail will not be delivered to its recipients, sender should +# preferably get a reject, e.g. SMTP permanent reject response +# (e.g. with milter), or non-delivery notification from MTA +# (e.g. Postfix). If this is not possible (e.g. different recipients +# have different tolerances to bad mail contents and not using LMTP) +# amavisd-new sends a bounce by itself (same as D_BOUNCE). +# +# Notes: +# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible +# for informing the sender about non-delivery, and how informative +# the notification can be (amavisd-new knows more than MTA); +# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status +# notification, colloquially called 'bounce') - depending on MTA; +# Best suited for sendmail milter, especially for spam. +# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the +# reason for mail non-delivery, but unable to reject the original +# SMTP session). Best suited to reporting viruses, and for Postfix +# and other dual-MTA setups, which can't reject original client SMTP +# session, as the mail has already been enqueued. + +######## +# +# Please think about what you are doing when you set these options. +# If necessary, question your origanization's e-mail policies: +# +# D_BOUNCE contributes to the overall spread of virii and spam on the +# internet. Both the envelope and header from addresses can be forged +# accurately with no effort. +# +# D_DISCARD breaks internet mail specifications. However, with a +# properly implemented Quaratine system, the concern for breaking the +# specification is addressed to some extent. 
+# +# D_PASS is the safest way to handle e-mails. You must implement +# client-side filtering to handle this method. +# +# -Cory Visi <merlin@gentoo.org> 07/28/04 +# +####### +$final_virus_destiny = D_DISCARD; # (defaults to D_DISCARD) +$final_banned_destiny = D_DISCARD; # (defaults to D_BOUNCE) +$final_spam_destiny = D_DISCARD; # (defaults to D_BOUNCE) +$final_bad_header_destiny = D_PASS; # (defaults to D_PASS) + +# Alternatives to consider for spam: +# - use D_PASS if clients will do filtering based on inserted mail headers; +# - use D_DISCARD, if kill_level is set safely high; +# - use D_BOUNCE instead of D_REJECT if not using milter; +# +# D_BOUNCE is preferred for viruses, but consider: +# - use D_PASS (or virus_lovers) and $warnvirussender=1 to deliver viruses; +# - use D_REJECT instead of D_BOUNCE if using milter and under heavy +# virus storm; +# +# Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped +# to D_BOUNCE. +# +# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD +# and D_PASS made settings $warnvirussender and $warnspamsender only still +# useful with D_PASS. + +# The following $warn*sender settings are ONLY used when mail is +# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*). +# Bounces or rejects produce non-delivery status notification anyway. + +# Notify virus sender? +#$warnvirussender = 1; # (defaults to false (undef)) + +# Notify spam sender? +#$warnspamsender = 1; # (defaults to false (undef)) + +# Notify sender of banned files? +#$warnbannedsender = 1; # (defaults to false (undef)) + +# Notify sender of syntactically invalid header containing non-ASCII characters? +#$warnbadhsender = 1; # (defaults to false (undef)) + +# Notify virus (or banned files or bad headers) RECIPIENT? 
+# (not very useful, but some policies demand it) +#$warnvirusrecip = 1; # (defaults to false (undef)) +#$warnbannedrecip = 1; # (defaults to false (undef)) +#$warnbadhrecip = 1; # (defaults to false (undef)) + +# Notify also non-local virus/banned recipients if $warn*recip is true? +# (including those not matching local_domains*) +#$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals) + + +# Treat envelope sender address as unreliable and don't send sender +# notification / bounces if name(s) of detected virus(es) match the list. +# Note that virus names are supplied by external virus scanner(s) and are +# not standardized, so virus names may need to be adjusted. +# See README.lookups for syntax, check also README.policy-on-notifications +# +@viruses_that_fake_sender_maps = (new_RE( + qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i, + qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i, + qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i, + qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i, + qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan + qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc + [qr'^(EICAR|Joke\.|Junk\.)'i => 0], + [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0], + [qr/.*/ => 1], # true by default (remove or comment-out if undesired) +)); + +# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address) +# - the administrator address may be a simple fixed e-mail address (a scalar), +# or may depend on the SENDER address (e.g. its domain), in which case +# a ref to a hash table can be specified (specify lower-cased keys, +# dot is a catchall, see README.lookups). +# +# Empty or undef lookup disables virus admin notifications. 
+
+$virus_admin = "virusalert\@$mydomain";
+# $virus_admin = 'virus-admin@example.com';
+# $virus_admin = undef; # do not send virus admin notifications (default)
+#
+#@virus_admin_maps = ( # by-sender maps
+# {'not.example.com'=>'', '.'=>'virusalert@example.com'},
+# $virus_admin, # the usual default
+#);
+
+# equivalent to $virus_admin, but for spam admin notifications:
+# $spam_admin = "spamalert\@$mydomain";
+# $spam_admin = undef; # do not send spam admin notifications (default)
+#@spam_admin_maps = ( # by-sender maps
+# {'not.example.com'=>'', '.'=>'spamalert@example.com'},
+# $spam_admin, # the usual default
+#);
+
+#advanced example, using a hash lookup table and a scalar default:
+#@virus_admin_maps = ( # by-sender maps
+# { 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com',
+# '.sub1.example.com' => 'virusalert@sub1.example.com',
+# '.sub2.example.com' => '', # don't send admin notifications
+# 'a.sub3.example.com' => 'abuse@sub3.example.com',
+# '.sub3.example.com' => 'virusalert@sub3.example.com',
+# '.example.com' => 'noc@example.com', # default for our virus senders
+# },
+# 'virusalert@hq.example.com', # catchall for the rest
+#);
+
+
+# whom notification reports are sent from (ENVELOPE SENDER);
+# may be a null reverse path, or a fully qualified address:
+# (admin and recip sender addresses default to a null return path)
+# If using strings in double quotes, don't forget to quote @, i.e. \@
+#
+$mailfrom_notify_admin = "virusalert\@$mydomain";
+$mailfrom_notify_recip = "virusalert\@$mydomain";
+$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
+
+# 'From' HEADER FIELD for sender and admin notifications.
+# This should be a replyable address, see rfc1894. Not to be confused
+# with $mailfrom_notify_sender, which is the envelope return address
+# and should be empty (null reverse path) according to rfc2821.
+#
+# The syntax of the 'From' header field is specified in rfc2822, section
+# '3.4. Address Specification'. Note in particular that display-name must be
+# a quoted-string if it contains any special characters like spaces and dots.
+#
+# $hdrfrom_notify_sender = "amavisd-new <postmaster\@$mydomain>";
+# $hdrfrom_notify_sender = 'amavisd-new <postmaster@example.com>';
+# $hdrfrom_notify_sender = '"Content-Filter Master" <postmaster@example.com>';
+# $hdrfrom_notify_admin = $mailfrom_notify_admin;
+# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;
+# (all default to: "\"Content-filter at $myhostname\" <postmaster\@$myhostname>")
+
+# whom quarantined messages appear to be sent from (envelope sender);
+# keeps original sender if undef, or set it explicitly, default is undef
+$mailfrom_to_quarantine = ''; # override sender address with null return path
+
+
+# Location to put infected mail into: (applies to 'local:' quarantine method)
+# empty for not quarantining, may be a file (mailbox),
+# or a directory (no trailing slash)
+# (the default value is undef, meaning no quarantine)
+#
+$QUARANTINEDIR = "$MYHOME/quarantine";
+
+#$virus_quarantine_method = 'local:virus-%i-%n'; # default
+#$spam_quarantine_method = 'local:spam-%b-%i-%n'; # default
+#$banned_files_quarantine_method = 'local:banned-%i-%n'; # default
+#$bad_header_quarantine_method = 'local:badh-%i-%n'; # default
+
+# Separate quarantine subdirectories virus, spam, banned and badh within
+# the directory $QUARANTINEDIR may be specified by the following settings
+# (the subdirectories need to exist - must be created manually):
+#$virus_quarantine_method = 'local:virus/virus-%i-%n';
+#$spam_quarantine_method = 'local:spam/spam-%b-%i-%n';
+#$banned_files_quarantine_method = 'local:banned/banned-%i-%n';
+#$bad_header_quarantine_method = 'local:badh/badh-%i-%n';
+
+#
+#use the new 'bsmtp:' method as an alternative to the default 'local:'
+#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%i-%n.bsmtp";
+#$spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%b-%i-%n.bsmtp";
+
+# When using the 'local:' quarantine method (default), the following applies:
+#
+# A finer control of quarantining is available through variable
+# $virus_quarantine_to/$spam_quarantine_to. It may be a simple scalar string,
+# or a ref to a hash lookup table, or a regexp lookup table object,
+# which makes possible to set up per-recipient quarantine addresses.
+#
+# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a
+# per-recipient lookup result from lookup tables @virus_quarantine_to_maps)
+# is/are interpreted as follows:
+#
+# VARIANT 1:
+# empty or undef disables quarantine;
+#
+# VARIANT 2:
+# a string NOT containing an '@';
+# amavisd will behave as a local delivery agent (LDA) and will quarantine
+# viruses to local files according to hash %local_delivery_aliases (pseudo
+# aliases map) - see subroutine mail_to_local_mailbox() for details.
+# Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'.
+# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:
+#
+# * if $QUARANTINEDIR is a directory, each quarantined virus will go
+# to a separate file in the $QUARANTINEDIR directory (traditional
+# amavis style, similar to maildir mailbox format);
+#
+# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style
+# mailbox. All quarantined messages will be appended to this file.
+# Amavisd child process must obtain an exclusive lock on the file during
+# delivery, so this may be less efficient than using individual files
+# or forwarding to MTA, and it may not work across NFS or other non-local
+# file systems (but may be handy for pickup of quarantined files via IMAP
+# for example);
+#
+# VARIANT 3:
+# any email address (must contain '@').
+# The e-mail messages to be quarantined will be handed to MTA
+# for delivery to the specified address. If a recipient address local to MTA
+# is desired, you may leave the domain part empty, e.g. 'infected@', but the
+# '@' character must nevertheless be included to distinguish it from variant 2.
+#
+# This method enables more refined delivery control made available by MTA
+# (e.g. its aliases file, other local delivery agents, dealing with
+# privileges and file locking when delivering to user's mailbox, nonlocal
+# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined
+# will not be handed back to amavisd for checking, as this will cause a loop
+# (hopefully broken at some stage)! If this can be assured, notifications
+# will benefit too from not being unnecessarily virus-scanned.
+#
+# By default this is safe to do with Postfix and Exim v4 and dual-sendmail
+# setup, but probably not safe with sendmail milter interface without
+# precaution.
+
+# (default values are: virus-quarantine, banned-quarantine, spam-quarantine)
+
+$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
+#$virus_quarantine_to = 'infected@'; # forward to MTA for delivery
+#$virus_quarantine_to = "virus-quarantine\@$mydomain"; # similar
+#$virus_quarantine_to = 'virus-quarantine@example.com'; # similar
+#$virus_quarantine_to = undef; # no quarantine
+#
+#@virus_quarantine_to_maps = ( # per-recip multiple quarantines
+# new_RE( [qr'^user@example\.com$'i => 'infected@'],
+# [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],
+# [qr'^(.*)(@[^@])?$'i => 'virus-${1}${2}'] ),
+# $virus_quarantine_to, # the usual default
+#);
+
+# similar for banned names and bad headers and spam (set to undef to disable)
+$banned_quarantine_to = 'banned-quarantine'; # local quarantine
+$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine
+$spam_quarantine_to = 'spam-quarantine'; # local quarantine
+
+# or to a mailbox:
+#$spam_quarantine_to = "spam-quarantine\@$mydomain";
+#
+#@spam_quarantine_to_maps = ( # per-recip multiple quarantines
+# new_RE( [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'] ),
+# $spam_quarantine_to, # the usual default
+#);
+
+
+# In addition to per-recip quarantine, a by-sender lookup is possible. It is
+# similar to $spam_quarantine_to, but the lookup key is the sender address:
+#$spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine
+
+
+# Add X-Virus-Scanned header field to mail?
+$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)
+# Leave empty to add no header field # (default: undef)
+$X_HEADER_LINE = "by amavisd-new at $mydomain";
+
+# a string to prepend to Subject (for local recipients only) if mail could
+# not be decoded or checked entirely, e.g. due to password-protected archives
+$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
+
+# MIME defanging wraps the entire original mail in a MIME container of type
+# 'Content-type: multipart/mixed', where the first part is a text/plain with
+# a short explanation, and the second part is a complete original mail,
+# enclosed in a 'Content-type: message/rfc822' MIME part.
+# Defanging is only done when enabled (selectively by malware type)
+# and the malware is allowed to pass (*_lovers or *_destiny=D_PASS)
+#
+$defang_virus = 1; # default is false: don't modify mail body
+$defang_banned = 1; # default is false: don't modify mail body
+# $defang_bad_header = 1; # default is false: don't modify mail body
+$defang_undecipherable = 1; # default is false: don't modify mail body
+# $defang_spam = 1; # default is false: don't modify mail body
+
+$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
+#$remove_existing_x_scanned_headers= 1; # remove existing headers
+ # (defaults to false)
+#$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
+$remove_existing_spam_headers = 1; # remove existing spam headers if
+ # spam scanning is enabled (default)
+
+# set $bypass_decode_parts to true if you only do spam scanning, or if you
+# have a good virus scanner that can deal with compression and recursively
+# unpacking archives by itself, and save amavisd the trouble.
+# Disabling decoding also causes banned_files checking to only see
+# MIME names and MIME content types, not the content classification types
+# as provided by the file(1) utility.
+# It is a double-edged sword, make sure you know what you are doing!
+#
+#$bypass_decode_parts = 1; # (defaults to false)
+
+# don't trust this file type or corresponding unpacker for this file type,
+# keep both the original and the unpacked file for a virus checker to see
+# (lookup key is what file(1) utility returned):
+#
+@keep_decoded_original_maps = (new_RE(
+# qr'^MAIL$', # retain full original message for virus checking (can be slow)
+ qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
+ qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+# qr'^Zip archive data',
+));
+
+
+# Checking for banned MIME types and names. If any mail part matches,
+# the whole mail is rejected, much like the way viruses are handled.
+# Object $banned_filename_re provides a list of Perl regular expressions
+# to be matched against each part's:
+#
+# * Content-Type value (both declared and effective mime-type),
+# including the possible security-risk content types
+# message/partial and message/external-body, as specified in rfc2046;
+#
+# * declared (recommended) file names as specified by MIME subfields
+# Content-Disposition.filename and Content-Type.name, both in their
+# raw (encoded) form and in rfc2047-decoded form if applicable;
+#
+# * file content type as guessed by 'file(1)' utility, mapped
+# (by @map_full_type_to_short_type_maps) into short type names such as
+# .asc, .txt, .html, .doc, .jpg, .pdf, .zip, .exe-ms, ..., which is always
+# beginning with a dot. These short types are available unless
+# $bypass_decode_parts is true.
+#
+# All nodes (mail parts) of the fully recursively decoded mail and embedded
+# archives are checked, each node independently from remaining nodes.
+#
+# For each node all its ancestor nodes including itself are checked against
+# $banned_filename_re lookup list, top-down. The search for this node stops
+# at the first match, the right-hand side of the matching key determines
+# the result (true or false, absent right-hand side implies true, as explained
+# in README.lookups).
+#
+# Although repeatedly re-checking ancestor nodes may seem excessive, it gives
+# the opportunity to specify rules which make a particular node hide its
+# descendents, e.g. allow anything witnin a .zip even though .exe files
+# are otherwise not allowed.
+#
+# Leave $banned_filename_re undefined to disable these checks
+# (giving an empty list to new_RE() will also always return false)
+
+$banned_filename_re = new_RE(
+# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
+
+ # block certain double extensions anywhere in the base name
+ qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i,
+
+# qr'[{}]', # curly braces in names (serve as Class ID extensions - CLSID)
+
+ qr'^application/x-msdownload$'i, # block these MIME types
+ qr'^application/x-msdos-program$'i,
+
+# qr'^message/partial$'i, qr'^message/external-body$'i, # block rfc2046
+
+# [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow anything Unix-compressed
+ [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow anything in Unix archives
+# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow anything within such archives
+
+ qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i, # banned extension - basic
+# qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
+# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
+# vbe|vbs|wsc|wsf|wsh)$'ix, # banned extension - long
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
+ + qr'^\.(exe-ms)$', # banned file(1) types +# qr'^\.(exe|lha|tnef|cab)$', # banned file(1) types +); +# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 +# and http://www.cknow.com/vtutor/vtextensions.htm + +# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe', +# as well as any file name which happens to end with .exe. If only matching +# a file name is desired, but not the short name, a pattern qr'.\.exe$'i +# or similar may be used, which requires that at least one character precedes +# the '.exe', and so it will never match short file types, which always start +# with a dot. + + +# the syntax of these Perl regular expressions is a bit awkward if not +# familiar with them, so please do follow examples and stick to the idioms: +# \A ... at the beginning of the first component +# \z ... at the end of the the last (leaf) component +# ^ ... at the beginning of each component in the path +# $ ... at the end of each component in the path +# (.*\t)? ... at the beginning of a field +# (\t.*)? ... at the end of a field +# \t(.*\t)* ... separating fields +# [^\t\n] ... any single character, but don't escape from this field +# (.*\n)+ ... one or more levels down + +$banned_namepath_re = new_RE( + + # block these MIME types + qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi, + qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi, + +# # block rfc2046 MIME types +# qr'(?# BLOCK RFC2046 ) +# ^ (.*\t)? M=message/(partial|external-body) (\t.*)? $'xmi, + +# # within traditional Unix compressions allow any name and type +# [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2) (\t.*)? $'xmi => 0 ], # allow + + # within traditional Unix archives allow any name and type + [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ], # allow + +# # block anything within a zip +# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? 
(.*\n)+ .* $'xmi, + + # block certain double extensions in filenames + qr'(?# BLOCK DOUBLE-EXTENSIONS ) + ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* \. + (exe|vbs|pif|scr|bat|cmd|com|dll) (\t.*)? $'xmi, + +# # block curly braces (used in Class ID (CLSID) extensions) in filenames +# qr'(?# BLOCK CLSID-EXTENSIONS ) +# ^ (.*\t)? N= [^\t\n]* [{}] [^\t\n]* (\t.*)? $'xmi, + +# # banned declared names with three or more consecutive spaces +# qr'(?# BLOCK NAMES WITH SPACES ) +# ^ (.*\t)? N= [^\t\n]* [ ]{3,} 'xmi, + +# # within PC archives allow any types or names nested to any level +# [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ], # ok + +# # within certain archives allow leaf members nested to any depth if crypted +# [ qr'(?# ALLOW ENCRYPTED ) +# ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ], + +# # allow crypted leaf members regardless of their name or type +# [ qr'(?# ALLOW IF ENCRYPTED ) ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ], + +# # block if any component can not be decoded (e.g. is encrypted) +# qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi, + +# [ qr'(?#rule-11) +# \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2) +# \t(.*\t)* N=example\d+[^\t\n]* +# (\t.*)? $'xmi => 0 ], + + # banned filename extensions (in declared names) anywhere - basic + qr'(?# BLOCK COMMON NAME EXENSIONS ) + ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com) (\t.*)? $'xmi, + +# # banned filename extensions (in declared names) anywhere - long +# qr'(?# BLOCK MORE NAME EXTENSIONS ) +# ^ (.*\t)? N= [^\t\n]* \. ( +# ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js| +# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb| +# vbe|vbs|wsc|wsf|wsh) (\t.*)? $'xmi, + +# # banned filename extensions anywhere - WinZip vulnerability (pre-V9) +# qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS ) +# ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi, + + qr'(?# BLOCK Microsoft EXECUTABLES ) + ^ (.*\t)? 
T=(exe-ms) (\t.*)? $'xm, # banned file(1) type + +# qr'(?# BLOCK ANY EXECUTABLE ) +# ^ (.*\t)? T=exe (\t.*)? $'xm, # banned file(1) type + +# qr'(?# BLOCK THESE TYPES ) +# ^ (.*\t)? T=(exe|lha|tnef|cab) (\t.*)? $'xm, # banned file(1) type + +); + +# old or new style, or both? +# + $banned_filename_re = undef; +# $banned_namepath_re = undef; # !!! + +# +# Section V - Per-recipient and per-sender handling, whitelisting, etc. +# + +# @virus_lovers_maps list of lookup tables: +# (this should be considered a policy option, is does not disable checks, +# see bypass*checks for that!) +# +# Exclude certain RECIPIENTS from virus filtering by adding their (lower-cased) +# envelope e-mail address (or domain only) to one of the lookup tables in +# the @virus_lovers_maps list - see README.lookups and examples. +# Make sure the appropriate form (e.g. external/internal) of address +# is used in case of virtual domains, or when mapping external to internal +# addresses, etc. - this is MTA-specific. +# +# Notifications would still be generated however (see the overall +# picture above), and infected mail (if passed) gets additional header: +# X-AMaViS-Alert: INFECTED, message contains virus: ... +# (header not inserted with milter interface!) +# +# NOTE (milter interface only): in case of multiple recipients, +# it is only possible to drop or accept the message in its entirety - for all +# recipients. If all of them are virus lovers, we'll accept mail, but if +# at least one recipient is not a virus lover, we'll discard the message. + + +# @bypass_virus_checks_maps list of lookup tables: +# (this is mainly a time-saving option, unlike virus_lovers* !) +# +# Similar in concept to @virus_lovers_maps, a @bypass_virus_checks_maps +# is used to skip entirely the decoding, unpacking and virus checking, +# but only if ALL recipients match the lookup. 
+#
+# @bypass_virus_checks_maps does NOT GUARANTEE the message will NOT be checked
+# for viruses - this may still happen when there is more than one recipient
+# for a message, and not all of them match these lookup tables. To guarantee
+# virus delivery, a recipient must also match @virus_lovers_maps lookups
+# (but see milter limitations above),
+
+# NOTE: it would not be clever to base virus checks on SENDER address,
+# since there are no guarantees that it is genuine. Many viruses
+# and spam messages fake sender address. To achieve selective filtering
+# based on the source of the mail (e.g. IP address, MTA port number, ...),
+# use mechanisms provided by MTA if available.
+
+
+# Similar to lists of lookup tables controlling virus checking, there are
+# counterparts for spam scanning, banned names/types, and headers_checks
+# control:
+# @spam_lovers_maps,
+# @banned_files_lovers_maps,
+# @bad_header_lovers_maps
+# and:
+# @bypass_spam_checks_maps,
+# @bypass_banned_checks_maps,
+# @bypass_header_checks_maps
+
+# Example:
+# @bypass_header_checks_maps = ( [qw( user@example.com )] );
+# @bad_header_lovers_maps = ( [qw( user@example.com )] );
+
+# The following example disables spam checking altogether,
+# since it matches any recipient e-mail address (any address
+# is a subdomain of the top-level root DNS domain):
+# @bypass_spam_checks_maps = (1);
+
+
+# See README.lookups for further detail, and examples below.
+
+# In the following example a list of lookup tables @virus_lovers_maps
+# contains three elements, the first is a reference to an ACL lookup
+# table (brackets in Perl indicate a ref to a list), the second is a
+# reference to a hash lookup table (braces in Perl indicate a ref to a hash),
+# the third is a regexp lookup table, indicated by the type of the object:
+#
+#@virus_lovers_maps = (
+# [ qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org ) ],
+# { "postmaster\@$mydomain" => 1, # double quotes permit variable evaluation
+# 'postmaster@example.com'=> 1, # in single quotes the '@' need not be quoted
+# 'abuse@example.com'=> 1,
+# 'some.user@' => 1, # this recipient, regardless of domain
+# 'boss@example.com' => 0, # never, even if domain matches
+# 'example.com' => 1, # this domain, but not its subdomains
+# '.example.com' => 1, # this domain, including its subdomains
+# },
+# new_RE( qr'^(helpdesk|postmaster)@example\.com$'i ),
+#);
+
+#@spam_lovers_maps = (
+# ["postmaster\@$mydomain", 'postmaster@example.com', 'abuse@example.com'],
+#);
+
+#@bad_header_lovers_maps = (
+# ["postmaster\@", "abuse\@$mydomain"],
+#);
+
+# to save some typing of quotes and commas, a Perl operator qw can be used
+# to split its argument on whitespace and to quote resulting elements:
+#@bypass_spam_checks_maps = (
+# [ qw( some.ddd !butnot.example.com .example.com ) ],
+#);
+
+
+# don't run spam check for these RECIPIENT domains:
+# @bypass_spam_checks_maps = ( [qw( d1.com .d2.com a.d3.com )] );
+# or the other way around (bypass check for all BUT these):
+# @bypass_spam_checks_maps = ( [qw( !d1.com !.d2.com !a.d3.com . )] );
+# a practical application: don't check outgoing mail for spam:
+# @bypass_spam_checks_maps = ( [ "!.$mydomain", "." ] );
+# (a downside of which is that such mail will not count as ham in SA bayes db)
+
+
+# Where to find SQL server(s) and database to support SQL lookups?
+# A list of triples: (dsn,user,passw). (dsn = data source name)
+# More than one entry may be specified for multiple (backup) SQL servers.
+# See 'man DBI', 'man DBD::mysql', 'man DBD::Pg', ... for details.
+# When chroot-ed, accessing SQL server over inet socket may be more convenient.
+#
+# @lookup_sql_dsn =
+# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
+# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'] );
+#
+# ('mail' in the example is the database name, choose what you like)
+# With PostgreSQL the dsn (first element of the triple) may look like:
+# 'DBI:Pg:host=host1;dbname=mail'
+
+# The SQL select clause to fetch per-recipient policy settings.
+# The %k will be replaced by a comma-separated list of query addresses
+# (e.g. full address, domain only, catchall). Use ORDER, if there
+# is a chance that multiple records will match - the first match wins.
+# If field names are not unique (e.g. 'id'), the later field overwrites the
+# earlier in a hash returned by lookup, which is why we use '*,users.id'.
+# No need to uncomment the following assignment if the default is ok.
+# $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
+# ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
+# ' ORDER BY users.priority DESC';
+#
+# The SQL select clause to check sender in per-recipient whitelist/blacklist
+# The first SELECT argument '?' will be users.id from recipient SQL lookup,
+# the %k will be sender addresses (e.g. full address, domain only, catchall).
+# The default value is:
+# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
+# ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'.
+# ' AND (mailaddr.email IN (%k))'.
+# ' ORDER BY mailaddr.priority DESC';
+#
+# To disable SQL white/black list, set to undef (otherwise comment-out
+# the following statement, leaving it at the default value):
+$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
+
+
+# If passing malware to certain recipients ($final_*_destiny=D_PASS or
+# *_lovers), the recipient-based lookup tables @addr_extension_*_maps may
+# return a string, which (if nonempty) will be added as an address extension
+# to the local-part of the recipient's address. This extension may be used
+# by the final local delivery agent (LDA) to place such mail into different
+# subfolders (the extension is usually interpreted as a folder name).
+# This is sometimes known as the 'plus addressing'. Appending address
+# extensions is prevented when:
+# - recipient does not match lookup tables @local_domains_maps;
+# - lookup into corresponding @addr_extension_*_maps results
+# in an empty string or undef;
+# - $recipient_delimiter is empty (see below)
+# LDAs usually default to stripping away address extension if no special
+# handling is specified, so adding address extensions normally does no harm
+# even if such subfolders do not exist in user's mailboxes.
+
+# @addr_extension_virus_maps = ('virus'); # defaults to empty
+# @addr_extension_spam_maps = ('spam'); # defaults to empty
+# @addr_extension_banned_maps = ('banned'); # defaults to empty
+# @addr_extension_bad_header_maps = ('badh'); # defaults to empty
+#
+# A more complex example:
+# @addr_extension_virus_maps = (
+# {'sub.example.com'=>'infected', '.example.com'=>'filtered'}, 'virus' );
+
+# Delimiter between local part of the recipient address and address extension
+# (which can optionally be added, see @addr_extension_*_maps. E.g. recipient
+# address <user@example.com> gets changed to <user+virus@example.com>.
+#
+# Delimiter must match the equivalent (final) MTA delimiter setting.
+# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf)
+# Setting it to an empty string or to undef disables adding extensions
+# regardless of $addr_extension_*_maps.
+
+$recipient_delimiter = '+'; # (default is '+')
+
+# true: replace extension; false: append extension
+# $replace_existing_extension = 1; # (default is false)
+
+# Affects matching of localpart of e-mail addresses (left of '@')
+# in lookups: true = case sensitive, false = case insensitive
+$localpart_is_case_sensitive = 0; # (default is false)
+
+
+# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
+
+# Instead of strongly black- or whitelisting, a softer approach is to add
+# score points (penalties) to the SA score for mail from certain senders.
+# Positive points lean towards blacklisting, negative towards whitelisting.
+# This is much like adding SA rules or using its white/blacklisting, except
+# that here only envelope sender addresses are considered (not addresses
+# in a mail header), and that score points can be assigned per-recipient
+# (or globally), and the assigned penalties are customarily much lower
+# that the default SA white/blacklisting score.
+#
+# The table structure is similar to $per_recip_whitelist_sender_lookup_tables
+# i.e. the first level key is recipient, pointing to by-sender lookup tables.
+# The essential difference is that scores from _all_ by-recipient lookups
+# (not just the first that matches) are summed to give the final score boost.
+#
+# NOTE: keep hash keys in lowercase, either manually or by using function lc
+
+@score_sender_maps = ({ # a by-recipient hash lookup table
+
+# # per-recipient personal tables (NOTE: positive: black, negative: white)
+# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
+# 'user3@example.com' => [{'.ebay.com' => -3.0}],
+# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
+# '.cleargreen.com' => -5.0}],
+
+ # site-wide opinions about senders (the '.' matches any recipient)
+ '.' => [ # the _first_ matching sender determines the score boost
+
+ new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
+ [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
+ [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
+ [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
+ [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
+ [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
+ [qr'^(your_friend|greatoffers)@'i => 5.0],
+ [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
+ ),
+
+ { # a hash-type lookup table (associative array)
+ 'nobody@cert.org' => -3.0,
+ 'cert-advisory@us-cert.gov' => -3.0,
+ 'owner-alert@iss.net' => -3.0,
+ 'slashdot@slashdot.org' => -3.0,
+ 'bugtraq@securityfocus.com' => -3.0,
+ 'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
+ 'security-alerts@linuxsecurity.com' => -3.0,
+ 'mailman-announce-admin@python.org' => -3.0,
+ 'amavis-user-admin@lists.sourceforge.net'=> -3.0,
+ 'notification-return@lists.sophos.com' => -3.0,
+ 'owner-postfix-users@postfix.org' => -3.0,
+ 'owner-postfix-announce@postfix.org' => -3.0,
+ 'owner-sendmail-announce@lists.sendmail.org' => -3.0,
+ 'sendmail-announce-request@lists.sendmail.org' => -3.0,
+ 'donotreply@sendmail.org' => -3.0,
+ 'ca+envelope@sendmail.org' => -3.0,
+ 'noreply@freshmeat.net' => -3.0,
+ 'owner-technews@postel.acm.org' => -3.0,
+ 'ietf-123-owner@loki.ietf.org' => -3.0,
+ 'cvs-commits-list-admin@gnome.org' => -3.0,
+ 'rt-users-admin@lists.fsck.com' => -3.0,
+ 'clp-request@comp.nus.edu.sg' => -3.0,
+ 'surveys-errors@lists.nua.ie' => -3.0,
+ 'emailnews@genomeweb.com' => -5.0,
+ 'yahoo-dev-null@yahoo-inc.com' => -3.0,
+ 'returns.groups.yahoo.com' => -3.0,
+ 'clusternews@linuxnetworx.com' => -3.0,
+ lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
+ lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
+
+ # soft-blacklisting (positive score)
+ 'sender@example.net' => 3.0,
+ '.example.net' => 1.0,
+
+ },
+ ], # end of site-wide tables
+});
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT)
+# (affects spam checking only, has no effect on virus and other checks)
+
+# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
+# senders even if the message would be recognized as spam. Effectively, for
+# the specified senders, message recipients temporarily become 'spam_lovers'.
+# To avoid surprises, whitelisted sender also suppresses inserting/editing
+# the tag2-level header fields (X-Spam-*, Subject), appending spam address
+# extension, and quarantining.
+#
+# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
+# Effectively, for messages from blacklisted senders, spam level
+# is artificially pushed high, and the normal spam processing applies,
+# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual
+# reactions to spam, including possible rejection. If the message nevertheless
+# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
+# in the 'X-Spam-Status' header field, but the reported spam value and
+# set of tests in this report header field (if available from SpamAssassin,
+# which may have not been called) is not adjusted.
+#
+# A sender may be both white- and blacklisted at the same time, settings
+# are independent. For example, being both white- and blacklisted, message
+# is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No;
+# X-Spam-Status: No, ...), but the reported spam level (if computed) may
+# still indicate high spam score.
+#
+# If ALL recipients of the message either white- or blacklist the sender,
+# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
+#
+# The following variables (lists of lookup tables) are available,
+# with the semantics and syntax as specified in README.lookups:
+# @whitelist_sender_maps, @blacklist_sender_maps
+
+# SOME EXAMPLES:
+#
+#ACL:
+# @whitelist_sender_maps = ( ['.example.org', '.example.net'] );
+# @whitelist_sender_maps = ( [qw(.example.org .example.net)] ); # same thing
+#
+# @whitelist_sender_maps = ( [".$mydomain"] ); # $mydomain and its subdomains
+# NOTE: This is not a reliable way of turning off spam checks for
+# locally-originating mail, as sender address can easily be faked.
+# To reliably avoid spam-scanning outgoing mail,
+# use @bypass_spam_checks_maps .
+
+#with regexps:
+# @whitelist_sender_maps = ( new_RE(
+# qr'^postmaster@.*\bexample\.com$'i,
+# qr'^owner-[^@]*@'i, qr'-request@'i,
+# qr'\.example\.com$'i
+# ));
+
+
+# illustrates the use of regexp lookup table:
+
+@blacklist_sender_maps = ( new_RE(
+ qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
+ qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
+ qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
+ qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
+ qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
+ qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
+));
+
+
+# NOTE: whitelisting is becoming deprecated,
+# use @score_sender_maps for soft-whitelisting!
+#
+# Illustrates the use of several lookup tables:
+#
+# @whitelist_sender_maps = (
+#
+# # read_hash("$MYHOME/whitelist_sender"), # a hash table read from a file
+#
+# # and another hash lookup table constructed in-line, with keys lowercased:
+# { map {lc $_ => 1} qw(
+# nobody@cert.org
+# cert-advisory@us-cert.gov
+# owner-alert@iss.net
+# slashdot@slashdot.org
+# bugtraq@securityfocus.com
+# NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
+# security-alerts@linuxsecurity.com
+# amavis-user-admin@lists.sourceforge.net
+# notification-return@lists.sophos.com
+# mailman-announce-admin@python.org
+# owner-postfix-users@postfix.org
+# owner-postfix-announce@postfix.org
+# owner-sendmail-announce@lists.sendmail.org
+# sendmail-announce-request@lists.sendmail.org
+# owner-technews@postel.ACM.ORG
+# lvs-users-admin@LinuxVirtualServer.org
+# ietf-123-owner@loki.ietf.org
+# cvs-commits-list-admin@gnome.org
+# rt-users-admin@lists.fsck.com
+# clp-request@comp.nus.edu.sg
+# surveys-errors@lists.nua.ie
+# emailNews@genomeweb.com
+# owner-textbreakingnews@CNNIMAIL12.CNN.COM
+# yahoo-dev-null@yahoo-inc.com
+# returns.groups.yahoo.com
+# )},
+#
+# # { '' => 1 }, # and another one, containing just an empty reverse path (DSN)
+#
+# );
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT
+
+# The same semantics as for global white/blacklisting applies, but this
+# time each recipient (or its domain, or subdomain, ...) can be given
+# an individual lookup table for matching senders. The per-recipient lookups
+# override the global lookups, which serve as a fallback default.
+
+# Specify a two-level lookup table: the key for the outer table is recipient,
+# and the result should be an inner lookup table (hash or ACL or RE),
+# where the key used will be the sender.
+#
+#$per_recip_blacklist_sender_lookup_tables = {
+# 'user1@my.example.com'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i),
+# 'user2@my.example.com'=>[qw( spammer@d1.example,org .d2.example,org )],
+#};
+#$per_recip_whitelist_sender_lookup_tables = {
+# 'user@my.example.com' => [qw( friend@example.org .other.example.org )],
+# '.my1.example.com' => [qw( !foe.other.example,org .other.example,org )],
+# '.my2.example.com' => read_hash("$MYHOME/my2-wl.dat"),
+# 'abuse@' => { 'postmaster@'=>1,
+# 'cert-advisory-owner@cert.org'=>1, 'owner-alert@iss.net'=>1 },
+#};
+
+
+#
+# Section VI - Resource limits
+#
+
+# Sanity limit to the number of allowed recipients per SMTP transaction
+# $smtpd_recipient_limit = 1000; # (default is 1000)
+
+# Resource limits to protect unpackers, decompressors and virus scanners
+# against mail bombs (e.g. 42.zip)
+
+
+# Maximum recursion level for extraction/decoding (0 or undef disables limit)
+$MAXLEVELS = 14; # (default is undef, no limit)
+
+# Maximum number of extracted files (0 or undef disables the limit)
+$MAXFILES = 1500; # (default is undef, no limit)
+
+# For the cumulative total of all decoded mail parts we set max storage size
+# to defend against mail bombs. Even though parts may be deleted (replaced
+# by decoded text) during decoding, the size they occupied is _not_ returned
+# to the quota pool.
+#
+# Parameters to storage quota formula for unpacking/decoding/decompressing
+# Formula:
+# quota = max($MIN_EXPANSION_QUOTA,
+# $mail_size*$MIN_EXPANSION_FACTOR,
+# min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR))
+# In plain words (later condition overrules previous ones):
+# allow MAX_EXPANSION_FACTOR times initial mail size,
+# but not more than MAX_EXPANSION_QUOTA,
+# but not less than MIN_EXPANSION_FACTOR times initial mail size,
+# but never less than MIN_EXPANSION_QUOTA
+#
+$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
+$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
+$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
+$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
+
+# expiration time of cached results: time to live in seconds
+# (how long the result of a virus/spam test remains valid)
+$virus_check_negative_ttl= 3*60; # time to remember that mail was not infected
+$virus_check_positive_ttl= 30*60; # time to remember that mail was infected
+$spam_check_negative_ttl = 30*60; # time to remember that mail was not spam
+$spam_check_positive_ttl = 30*60; # time to remember that mail was spam
+#
+# NOTE:
+# Cache size will be determined by the largest of the $*_ttl values.
+# Depending on the mail rate, the cache database may grow quite large.
+# Reasonable compromise for the max value is 15 minutes to 2 hours.
+
+#
+# Section VII - External programs, virus scanners
+#
+
+# Specify a path string, which is a colon-separated string of directories
+# (no trailing slashes!) to be assigned to the environment variable PATH
+# and to serve for locating external programs below.
+
+# NOTE: if $daemon_chroot_dir is nonempty, the directories will be
+# relative to the chroot directory specified;
+
+$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin';
+
+# Specify one string or a search list of strings (first match wins).
+# The string (or: each string in a list) may be an absolute path,
+# or just a program name, to be located via $path;
+# Empty string or undef (=default) disables the use of that external program.
+# Optionally command arguments may be specified - only the first substring
+# up to the whitespace is used for file searching.
+
+$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
+
+$gzip = 'gzip';
+$bzip2 = 'bzip2';
+$lzop = 'lzop';
+$rpm2cpio = ['rpm2cpio.pl','rpm2cpio'];
+$cabextract = 'cabextract';
+$uncompress = ['uncompress', 'gzip -d', 'zcat'];
+$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
+$arc = ['nomarch', 'arc'];
+$unarj = ['arj', 'unarj']; # both can extract, arj is recommended
+$unrar = ['rar', 'unrar']; # both can extract, same options
+$zoo = 'zoo';
+$lha = 'lha';
+$cpio = ['gcpio','cpio']; # gcpio is a GNU cpio on OpenBSD, which supports
+ # the options needed; the rest of us use cpio
+$dspam = 'dspam';
+
+# SpamAssassin settings
+
+# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
+# of the option local_tests_only. See Mail::SpamAssassin man page.
+# If set to 1, no tests that require internet access will be performed.
+#
+$sa_local_tests_only = 0; # (default: false)
+#$sa_auto_whitelist = 1; # turn on AWL (default: false)
+
+$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
+ # (less than 1% of spam is > 64k)
+ # default: undef, no limitations
+
+# default values, customarily used in the @spam_*_level_maps as the last entry
+$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level;
+ # undef is interpreted as lower than any spam level
+$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
+$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
+ # at or above that level: bounce/reject/drop,
+ # quarantine, and adding mail address extension
+$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
+ # effectively turning D_BOUNCE into D_DISCARD;
+ # undef disables this feature and is a default;
+
+# advanced example specifying per-recipient values using a hash lookup:
+#@spam_tag_level_maps = (\$sa_tag_level_deflt); # this is a default
+#@spam_tag2_level_maps = (
+# { 'user1@example.com' => 8.0, '.example.com' => 6.0 },
+# \$sa_tag2_level_deflt, # catchall default
+#);
+#@spam_kill_level_maps = (
+# { 'user1@example.com' => 8.0, '.example.com' => 6.0 },
+# \$sa_kill_level_deflt, # catchall default
+#);
+#@spam_dsn_cutoff_level_maps = (
+# { 'user1@example.com' => 10, '.example.com' => 15 },
+# \$sa_dsn_cutoff_level, # catchall default
+#);
+
+# a quick reference:
+# tag_level controls adding the X-Spam-Status and X-Spam-Level headers,
+# tag2_level controls adding 'X-Spam-Flag: YES', and editing Subject,
+# kill_level controls 'evasive actions' (reject, quarantine, extensions);
+# it only makes sense to maintain the relationship:
+# tag_level <= tag2_level <= kill_level < dsn_cutoff_level
+
+# string to prepend to Subject header field when message exceeds tag2 level
+#$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
+ # (only seen when spam is not to be
rejected
+ # and recipient is in local_domains*)
+
+#$sa_spam_modifies_subj = 1; # may be a ref to a lookup table, default is true
+
+# Example: modify Subject for all local recipients except user@example.com
+#$sa_spam_modifies_subj = [qw( !user@example.com . )];
+
+#$sa_spam_level_char = '*'; # char for X-Spam-Level bar, defaults to '*';
+ # undef disables inserting X-Spam-Level header
+#$sa_spam_report_header = 0; # insert X-Spam-Report header field? default false
+
+# stop anti-virus scanning when the first scanner detects a virus?
+$first_infected_stops_scan = 1; # default is false, all scanners are called
+
+# @av_scanners is a list of n-tuples, where fields semantics is:
+# 1. av scanner plain name, to be used in log and reports;
+# 2. scanner program name; this string will be submitted to subroutine
+# find_external_programs(), which will try to find the full program
+# path name; if program is not found, this scanner is disabled.
+w# Besides a simple string (full program path name or just the basename
+# to be looked for in PATH), this may be an array ref of alternative
+# program names or full paths - the first match in the list will be used;
+# As a special case for more complex scanners, this field may be
+# a subroutine reference, and the whole n-tuple is passed to it as args.
+# 3. command arguments to be given to the scanner program;
+# a substring {} will be replaced by the directory name to be scanned,
+# i.e. "$tempdir/parts", a "*" will be replaced by file names of parts;
+# 4. an array ref of av scanner exit status values, or a regexp (to be
+# matched against scanner output), indicating NO VIRUSES found;
+# 5. an array ref of av scanner exit status values, or a regexp (to be
+# matched against scanner output), indicating VIRUSES WERE FOUND;
+# Note: the virus match prevails over a 'not found' match, so it is safe
+# even if the no. 4. matches for viruses too;
+# 6.
a regexp (to be matched against scanner output), returning a list
+# of virus names found.
+# 7. and 8.: (optional) subroutines to be executed before and after scanner
+# (e.g. to set environment or current directory);
+# see examples for these at KasperskyLab AVP and Sophos sweep.
+
+# NOTES:
+#
+# - NOT DEFINING @av_scanners (e.g. setting it to empty list, or deleting the
+# whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE
+# (which can be handy if all you want to do is spam scanning);
+#
+# - the order matters: although _all_ available entries from the list are
+# always tried regardless of their verdict, scanners are run in the order
+# specified: the report from the first one detecting a virus will be used
+# (providing virus names and scanner output); REARRANGE THE ORDER TO WILL;
+#
+# - it doesn't hurt to keep an unused command line scanner entry in the list
+# if the program can not be found; the path search is only performed once
+# during the program startup;
+#
+# COROLLARY: to disable a scanner that _does_ exist on your system,
+# comment out its entry or use undef or '' as its program name/path
+# (second parameter). An example where this is almost a must: disable
+# Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl
+# (same for Trophie/vscan, and clamd/clamscan), or if another unrelated
+# program happens to have a name matching one of the entries ('sweep'
+# again comes to mind);
+#
+# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES
+# for interfacing (where the second parameter starts with \&).
+# Keeping such entry and not having a corresponding virus scanner daemon
+# causes an unnecessary connection attempt (which eventually times out,
+# but it wastes precious time). For this reason the daemonized entries
+# are commented in the distribution - just remove the '#' where needed.
+#
+# CERT list of av resources: http://www.cert.org/other_sources/viruses.html
+
+@av_scanners = (
+
+# ### http://www.vanja.com/tools/sophie/
+# ['Sophie',
+# \&ask_daemon, ["{}/\n", '/var/run/sophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
+# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
+
+# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
+# ['Sophos SAVI', \&sophos_savi ],
+
+# ### http://www.clamav.net/
+# ['ClamAV-clamd',
+# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
+# qr/\bOK$/, qr/\bFOUND$/,
+# qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+# # NOTE: run clamd under the same user as amavisd; match the socket
+# # name (LocalSocket) in clamav.conf to the socket name in this entry
+# # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
+
+# ### http://www.clamav.net/ and CPAN (Perl modules)
+# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/],
+
+# ### http://www.openantivirus.org/
+# ['OpenAntiVirus ScannerDaemon (OAV)',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
+# qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],
+
+# ### http://www.vanja.com/tools/trophie/
+# ['Trophie',
+# \&ask_daemon, ["{}/\n", '/var/run/trophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
+# qr/(?x)^ [-+]? \d+ : (.*?)
 [\000\r\n]* $/ ],
+
+# ### http://www.grisoft.com/
+# ['AVG Anti-Virus',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
+# qr/^200/, qr/^403/, qr/^403 .*?: (.+)/ ],
+
+# ### http://www.f-prot.com/
+# ['FRISK F-Prot Daemon',
+# \&ask_daemon,
+# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
+# ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
+# '127.0.0.1:10203','127.0.0.1:10204'] ],
+# qr/(?i)<summary[^>]*>clean<\/summary>/,
+# qr/(?i)<summary[^>]*>infected<\/summary>/,
+# qr/(?i)<name>(.+)<\/name>/ ],
+
+ ['KasperskyLab AVP - aveclient',
+ ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
+ '/opt/kav/bin/aveclient','aveclient'],
+ '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
+ qr/(?:INFECTED|SUSPICION) (.+)/,
+ ],
+
+ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
+ '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ?
+ qr/infected: (.+)/,
+ sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
+ sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+ ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
+ ### products and replaced by aveserver and aveclient
+ ['KasperskyLab AVPDaemonClient',
+ [ '/opt/AVP/kavdaemon', 'kavdaemon',
+ '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
+ '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
+ '/opt/AVP/avpdc', 'avpdc' ],
+ "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
+ # change the startup-script in /etc/init.d/kavd to:
+ # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
+ # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
+ # adjusting /var/amavis above to match your $TEMPBASE.
+ # The '-f=/var/amavis' is needed if not running it as root, so it
+ # can find, read, and write its pid file, etc., see 'man kavdaemon'.
+ # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
+ # directory $TEMPBASE specifies) in the 'Names=' section.
+ # cd /opt/AVP/DaemonClients; configure; cd Sample; make
+ # cp AvpDaemonClient /opt/AVP/
+ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
+
+ ### http://www.hbedv.com/ or http://www.centralcommand.com/
+ ['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
+ ['antivir','vexira'],
+ '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
+ qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
+ (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
+ # NOTE: if you only have a demo version, remove -z and add 214, as in:
+ # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
+
+ ### http://www.commandsoftware.com/
+ ['Command AntiVirus for Linux', 'csav',
+ '-all -archive -packed {}', [50], [51,52,53],
+ qr/Infection: (.+)/ ],
+
+ ### http://www.symantec.com/
+ ['Symantec CarrierScan via Symantec CommandLineScanner',
+ 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
+ qr/^Files Infected:\s+0$/, qr/^Infected\b/,
+ qr/^(?:Info|Virus Name):\s+(.+)/ ],
+
+ ### http://www.symantec.com/
+ ['Symantec AntiVirus Scan Engine',
+ 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
+ [0], qr/^Infected\b/,
+ qr/^(?:Info|Virus Name):\s+(.+)/ ],
+ # NOTE: check options and patterns to see which entry better applies
+
+ ### http://www.sald.com/, http://drweb.imshop.de/
+ ['drweb - DrWeb Antivirus',
+ ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
+ '-path={} -al -go -ot -cn -upn -ok-',
+ [0,32], [1,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
+
+# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
+# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
+# [pack('N',1). # DRWEBD_SCAN_CMD
+# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
+# pack('N', # path length
+# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
+# '{}/*'. # path
+# pack('N',0).
 # content size
+# pack('N',0),
+# '/var/drweb/run/drwebd.sock',
+# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot
+# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
+# # '127.0.0.1:3000', # or over an inet socket
+# ],
+# qr/\A\x00(\x10|\x11)\x00\x00/s, # IS_CLEAN, EVAL_KEY
+# qr/\A\x00(\x00|\x01)\x00(\x20|\x40|\x80)/s, # KNOWN_V, UNKNOWN_V, V._MODIF
+# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s,
+# ],
+# # NOTE: If you are using amavis-milter, change length to:
+# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").
+
+ ### http://www.f-secure.com/products/anti-virus/
+ ['F-Secure Antivirus', 'fsav',
+ '--dumb --mime --archive {}', [0], [3,8],
+ qr/(?:infection|Infected|Suspected): (.+)/ ],
+
+ ['CAI InoculateIT', 'inocucmd',
+ '-sec -nex {}', [0], [100],
+ qr/was infected by virus (.+)/ ],
+
+ ['MkS_Vir for Linux (beta)', ['mks32','mks'],
+ '-s {}/*', [0], [1,2],
+ qr/--[ \t]*(.+)/ ],
+
+ ['MkS_Vir daemon',
+ 'mksscan', '-s -q {}', [0], [1..7],
+ qr/^... (\S+)/ ],
+
+ ### http://www.nod32.com/
+ ['ESET Software NOD32', 'nod32',
+ '-all -subdir+ {}', [0], [1,2],
+ qr/^.+?
 - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
+
+ ### http://www.nod32.com/
+ ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
+ '-a -r -d recurse --heur standard {}', [0], [10,11],
+ qr/^\S+\s+infected:\s+(.+)/ ],
+
+# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
+# ['ESET Software NOD32 Client/Server (NOD32SS)',
+# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT
+# ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
+# qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ],
+
+ ### http://www.norman.com/products_nvc.shtml
+ ['Norman Virus Control v5 / Linux', 'nvcc',
+ '-c -l:0 -s -u {}', [0], [1],
+ qr/(?i).* virus in .* -> \'(.+)\'/ ],
+
+ ### http://www.pandasoftware.com/
+ ['Panda Antivirus for Linux', ['pavcl'],
+ '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
+ qr/Number of files infected[ .]*: 0(?!\d)/,
+ qr/Number of files infected[ .]*: 0*[1-9]/,
+ qr/Found virus :\s*(\S+)/ ],
+
+# ### http://www.pandasoftware.com/
+# ['Panda Antivirus for Linux', ['pavcl'],
+# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
+# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
+# qr/Found virus :\s*(\S+)/ ],
+
+# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
+# Check your RAV license terms before fiddling with the following two lines!
+# ['GeCAD RAV AntiVirus 8', 'ravav',
+# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
+# # NOTE: the command line switches changed with scan engine 8.5 !
+# # (btw, assigning stdin to /dev/null causes RAV to fail)
+
+ ### http://www.nai.com/
+ ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
+ '--secure --mime --program --mailbox -rv --summary --noboot --timeout 180 - {}', [0], [13],
+ qr/(?x) Found (?:
+ \ the\ (.+)\ (?:virus|trojan) |
+ \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
+ :\ (.+)\ NOT\ a\ virus)/,
+ # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
+ # sub {delete $ENV{LD_PRELOAD}},
+ ],
+ # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
+ # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
+ # and then clear it when finished to avoid confusing anything else.
+ # NOTE2: to treat encrypted files as viruses replace the [13] with:
+ # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
+
+ ### http://www.virusbuster.hu/en/
+ ['VirusBuster', ['vbuster', 'vbengcl'],
+ # VirusBuster Ltd. does not support the daemon version for the workstation
+ # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
+ # binaries, some parameters AND return codes (from 3 to 1) changed.
+ "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
+ qr/: '(.*)' - Virus/ ],
+
+# ### http://www.virusbuster.hu/en/
+# ['VirusBuster (Client + Daemon)', 'vbengd',
+# # HINT: for an infected file it returns always 3,
+# # although the man-page tells a different story
+# '-f -log scandir {}', [0], [3],
+# qr/Virus found = (.*);/ ],
+
+ ### http://www.cyber.com/
+ ['CyberSoft VFind', 'vfind',
+ '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
+ # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
+ ],
+
+ ### http://www.ikarus-software.com/
+ ['Ikarus AntiVirus for Linux', 'ikarus',
+ '{}', [0], [40], qr/Signature (.+) found/ ],
+
+ ### http://www.bitdefender.com/
+ ['BitDefender', 'bdc',
+ '--all --arc --mail {}', qr/^Infected files *:0(?!\d)/,
+ qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
+ qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
+
+);
+
+# If no virus scanners from the @av_scanners list produce 'clean' nor
+# 'infected' status (e.g. they all fail to run or the list is empty),
+# then _all_ scanners from the @av_scanners_backup list are tried.
+# When there are both daemonized and command-line scanners available,
+# it is customary to place slower command-line scanners in the
+# @av_scanners_backup list. The default choice is somewhat arbitrary,
+# move entries from one list to another as desired.
+
+@av_scanners_backup = (
+
+ ### http://www.clamav.net/
+ ['ClamAV-clamscan', 'clamscan',
+ "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
+
+ ### http://www.f-prot.com/
+ ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
+ '-dumb -ai -packed -server {}', [0,8], [3,6],
+ qr/Infection: (.+)/ ],
+
+ ### http://www.trendmicro.com/
+ ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
+ '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
+
+ ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
+ '-i1 -xp {}', [0,10,15], [5,20,21,25],
+ qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
+ sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
+ sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+# Commented out because the name 'sweep' clashes with the Debian package of
+# the same name. Make sure the correct sweep is found in the path when enabling
+#
+# ### http://www.sophos.com/
+# ['Sophos Anti Virus (sweep)', 'sweep',
+# '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}',
+# [0,2], qr/Virus .*? found/,
+# qr/^>>> Virus(?: fragment)? '?(.*?)'?
found/,
+# ],
+# # other options to consider: -mime -oe -idedir=/usr/local/sav
+
+# always succeeds (uncomment to consider mail clean if all other scanners fail)
+# ['always-clean', sub {0}],
+
+);
+
+
+#
+# Section VIII - Debugging
+#
+
+# The most useful debugging tool is to run amavisd-new non-detached
+# from a terminal window: # amavisd debug
+
+# Some more refined approaches:
+
+# If sender matches ACL, turn debugging fully up, just for this one message
+#@debug_sender_acl = ( "test-sender\@$mydomain" );
+#@debug_sender_acl = qw( debug@example.com );
+
+# May be useful along with @debug_sender_acl:
+# Prevent all decoded originals being deleted (replaced by decoded part)
+#$keep_decoded_original_re = new_RE( qr/.*/ );
+
+# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
+#$sa_debug = 1; # defaults to false
+
+
+#
+# Section IX - Policy banks (dynamic policy switching)
+#
+
+## Define some policy banks (sets of settings) and give them
+## arbitrary names (the '' and 'MYNETS' have special meaning):
+#
+# $policy_bank{'ALT'} = {
+# log_level => 3,
+# inet_acl => [qw( 10.0.1.14 )],
+# final_spam_destiny => D_PASS, final_bad_header_destiny => D_PASS,
+# forward_method => 'smtp:*:*',
+# notify_method => 'smtp:[127.0.0.1]:10025',
+# virus_admin_maps => "abuse\@$mydomain",
+# spam_lovers_maps => [@spam_lovers_maps, [qw( abuse@example.com )]],
+# spam_tag_level_maps => 2.1,
+# spam_tag2_level_maps => 6.32,
+# spam_kill_level_maps => 6.72,
+# spam_dsn_cutoff_level_maps => 9,
+# defang_spam => 1,
+# localhost_name => 'amavis.example.com',
+# smtpd_greeting_banner =>
+# '${helo-name} ${protocol} amavisd-new TEST service ready',
+# auth_required_inp => 0,
+# auth_supported_out => 1,
+# auth_mech_avail => [qw(PLAIN LOGIN)],
+# av_scanners => [ # give them only 'free' scanners
+# ['ClamAV-clamd',
+# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
+# qr/\bOK$/, qr/\bFOUND$/,
+# qr/^.*?: (?!Infected Archive)(.*) FOUND$/,
+# ],
+# ],
+#
 av_scanners_backup => [
+# ['ClamAV-clamscan', 'clamscan',
+# "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
+# qr/^.*?: (?!Infected Archive)(.*) FOUND$/,
+# ],
+# ],
+# };
+#
+# $policy_bank{'AM.PDP'} = {
+# log_level => 3,
+# protocol=>'AM.PDP', # Amavis policy delegation protocol (new milter helper)
+# };
+
+## the name 'MYNETS' has special semantics: this policy bank gets loaded
+## whenever MTA supplies a SMTP client IP address (Postfix XFORWARD extension
+## or a new AM.PDP protocol) and that address matches the @mynetworks list.
+#
+# $policy_bank{'MYNETS'} = { # mail originating from @mynetworks
+# spam_kill_level_maps => 6.9,
+# spam_admin_maps => ["spamalert\@$mydomain"],
+# };
+
+
+## Now we can assign policy banks to amavisd tcp port numbers listed in
+## $inet_socket_port. Whenever the connection from MTA is received, first
+## a built-in policy bank $policy_bank{''} gets loaded, which bringings-in
+## all the global/legacy settings, then it gets overlaid by the bank
+## named in the $interface_policy{$port} if any, and finally the bank
+## 'MYNETS' is overlaid if it exists and the SMTP client IP address
+## is known (by XFORWARD command from MTA) and it matches @mynetworks.
+
+# $interface_policy{'10026'} = 'ALT';
+# $interface_policy{'9998'} = 'AM.PDP';
+
+
+#-------------
+1; # insure a defined return
diff --git a/mail-filter/amavisd-new/files/digest-amavisd-new-20040701 b/mail-filter/amavisd-new/files/digest-amavisd-new-20040701
new file mode 100644
index 000000000000..20f1e9e20af4
--- /dev/null
+++ b/mail-filter/amavisd-new/files/digest-amavisd-new-20040701
@@ -0,0 +1 @@
+MD5 d5566eeaf1e47b6c856f4e676e93d584 amavisd-new-20040701.tar.gz 451622 |