use strict; # Sample configuration file for amavisd-new (traditional style, chatty, # you may prefer to start with the more concise supplied amavisd.conf) # # This software is licensed under the GNU General Public License (GPL). # See comments at the start of amavisd-new for the whole license text. #Sections: # Section I - Essential daemon and MTA settings # Section II - MTA specific # Section III - Logging # Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine # Section V - Per-recipient and per-sender handling, whitelisting, etc. # Section VI - Resource limits # Section VII - External programs, virus scanners, SpamAssassin # Section VIII - Debugging # Section IX - Policy banks (dynamic policy switching) #GENERAL NOTES: # This file is a normal Perl code, interpreted by Perl itself. # - make sure this file (or directory where it resides) is NOT WRITABLE # by mere mortals (not even vscan/amavis; best to make it owned by root), # otherwise it can represent a severe security risk! # - for values which are interpreted as booleans, it is recommended # to use 1 for true, and 0 or undef or '' for false. # THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "no" also meant false, # now it means true, like any nonempty string does! # - Perl syntax applies. Most notably: strings in "" may include variables # (which start with $ or @); to include characters $ and @ and \ in double # quoted strings precede them by a backslash; in single-quoted strings # the $ and @ lose their special meaning, so it is usually easier to use # single quoted strings (or qw operator) for e-mail addresses. # In both types of quoting a backslash should to be doubled. # - variables with names starting with a '@' are lists, the values assigned # to them should be lists too, e.g. ('one@foo', $mydomain, "three"); # note the comma-separation and parenthesis. If strings in the list # do not contain spaces nor variables, a Perl operator qw() may be used # as a shorthand to split its argument on whitespace and produce a list # of strings, e.g. qw( one@foo example.com three ); Note that the argument # to qw is quoted implicitly and no variable interpretation is done within # (no '$' variable evaluations). The #-initiated comments can NOT be used # within a string. In other words, $ and # lose their special meaning # within a qw argument, just like within '...' strings. # - all e-mail addresses in this file and as used internally by the daemon # are in their raw (rfc2821-unquoted and non-bracketed) form, i.e. # Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com # and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'. # - the term 'default value' in examples below refers to the value of a # variable pre-assigned to it by the program; any explicit assignment # to a variable in this configuration file overrides the default value; # ============================================================================= # Section I - Essential options # ============================================================================= # $MYHOME serves as a quick default for some other configuration settings. # More refined control is available with each individual setting further down. # $MYHOME is not used directly by the program. No trailing slash! $MYHOME = '/home/amavis'; # (default is '/var/amavis') # $mydomain serves as a quick default for some other configuration settings. # More refined control is available with each individual setting further down. # $mydomain is never used directly by the program. $mydomain = 'akadia.com'; # (no useful default) # $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3) # Set the user and group to which the daemon will change if started as root # (otherwise just keeps the UID unchanged, and these settings have no effect): $daemon_user = 'amavis'; # (no default; customary: vscan or amavis) $daemon_group = 'amavis'; # (no default; customary: vscan or amavis or sweep) # Runtime working directory (cwd), and a place where # temporary directories for unpacking mail are created. # (no trailing slash, may be a scratch file system) # $TEMPBASE = $MYHOME; # (must be set if other config vars use is) $TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean? $db_home = "$MYHOME/db"; # DB databases directory, default "$MYHOME/db" # $helpers_home sets environment variable HOME, and is passed as option # 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory # on a normal persistent file system, not a scratch or temporary file system # $helpers_home = $MYHOME; # (defaults to $MYHOME) $helpers_home = "$MYHOME/var"; # Run the daemon in the specified chroot jail if nonempty: # $daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot) $pid_file = "$MYHOME/var/amavisd.pid"; # (default is "$MYHOME/amavisd.pid") $lock_file = "$MYHOME/var/amavisd.lock"; # (default is "$MYHOME/amavisd.lock") # set environment variables if you want (no defaults): $ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 # ============================================================================= # MTA SETTINGS, UNCOMMENT AS APPROPRIATE # ============================================================================= # both $forward_method and $notify_method default to 'smtp:[127.0.0.1]:10025' # POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4 # (set host and port number as required; host can be specified # as an IP address or a DNS name (A or CNAME, but MX is ignored) $forward_method = 'smtp:[127.0.0.1]:10025'; # where to forward checked mail $notify_method = $forward_method; # where to submit notifications # To make it possible for several hosts to share one content checking daemon, # the IP address and/or the port number in $forward_method and $notify_method # may be spacified as an asterisk. An asterisk in the colon-separated # second field (host) will be replaced by the SMTP client peer address, # An asterisk in the third field (tcp port) will be replaced by the incoming # SMTP/LMTP session port number plus one. This obsoletes the previously used # less flexible configuration parameter $relayhost_is_client. An example: # $forward_method = 'smtp:*:*'; $notify_method = 'smtp:*:10587'; # NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST # uncomment the appropriate settings below if using other setups! # SENDMAIL MILTER, using amavis-milter.c helper program: # $forward_method = undef; # no explicit forwarding, sendmail does it by itself # milter; option -odd is needed to avoid deadlocks # $notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}'; # just a thought: can we use use -Am instead of -odd ? # SENDMAIL (old non-milter setup, as relay, deprecated): # $forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}'; # $notify_method = $forward_method; # SENDMAIL (old non-milter setup, amavis.c calls local delivery agent, deprecated): # $forward_method = undef; # no explicit forwarding, amavis.c will call LDA # $notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}'; # EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead): # $forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}'; # $notify_method = $forward_method; # prefer to collect mail for forwarding as BSMTP files? # $forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp"; # $notify_method = $forward_method; # Net::Server pre-forking settings # The $max_servers should match the width of your MTA pipe # feeding amavisd, e.g. with Postfix the 'Max procs' field in the # master.cf file, like the '2' in the: smtp-amavis unix - - n - 2 smtp # $max_servers = 5; # number of pre-forked children (default 2) $max_requests = 20; # retire a child after that many accepts (default 10) $child_timeout=5*60; # abort child if it does not complete each task in # approximately n sec (default: 8*60 seconds) # Here is a QUICK WAY to completely DISABLE some sections of code # that WE DO NOT WANT (it won't even be compiled-in). # For more refined controls leave the following two lines commented out, # and see further down what these two lookup lists really mean. # @bypass_virus_checks_maps = (1); # uncomment to DISABLE anti-virus code # @bypass_spam_checks_maps = (1); # uncomment to DISABLE anti-spam code # # Any setting can be changed with a new assignment, so make sure # you do not unintentionally override these settings further down! # Check also the settings of @av_scanners at the end if you want to use # virus scanners. If not, you may want to delete the whole long assignment # to the variable @av_scanners and @av_scanners_backup, which will also # remove the virus checking code (e.g. if you only want to do spam scanning). # Lookup list of local domains (see README.lookups for syntax details) # # @local_domains_maps list of lookup tables are used in deciding whether a # recipient is local or not, or in other words, if the message is outgoing # or not. This affects inserting spam-related headers for local recipients, # limiting recipient virus notifications (if enabled) to local recipients, # in deciding if address extension may be appended, and in SQL lookups # for non-fqdn addresses. Set it up correctly if you need features # that rely on this setting (or just leave empty otherwise). # # With Postfix (2.0) a quick hint on what local domains normally are: # a union of domains specified in: mydestination, virtual_alias_domains, # virtual_mailbox_domains, and relay_domains. @local_domains_maps = ( [".$mydomain"] ); # $mydomain and its subdomains # @local_domains_maps = (); # default is empty list, no recip. considered local # @local_domains_maps = # using ACL lookup table # ( [ ".$mydomain", 'sub.example.net', '.example.com' ] ); # @local_domains_maps = # similar, split list elements on whitespace # ( [qw( .example.com !host.sub.example.net .sub.example.net )] ); # @local_domains_maps = ( new_RE( qr'[@.]example\.com$'i ) ); # using regexp # @local_domains_maps = ( read_hash("$MYHOME/local_domains") ); # using hash # ============================================================================= # Section II - Postfix specific (defaults should be ok) # ============================================================================= # $insert_received_line = 1; # behave like MTA: insert 'Received:' header # (does not apply to sendmail/milter) # (default is true) # AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter) # (used with amavis helper clients like amavis-milter.c and amavis.c, # NOT needed for Postfix or Exim or dual-sendmail - keep it undefined. # $unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket # $unix_socketname = undef; # disable listening on a unix socket # (default is undef, i.e. disabled) # (usual setting is $MYHOME/amavisd.sock) # SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...) # (used when MTA is configured to pass mail to amavisd via SMTP or LMTP) $inet_socket_port = 10024; # accept SMTP on this local TCP port # (default is undef, i.e. disabled) # multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028]; # SMTP SERVER (INPUT) access control # - do not allow free access to the amavisd SMTP port !!! # # when MTA is at the same host, use the following (one or the other or both): $inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface # (default is '127.0.0.1') @inet_acl = qw( 127.0.0.1 ::1 ); # allow SMTP access only from localhost IP # (default is qw(127.0.0.1 ::1) ) # when MTA (one or more) is on a different host, use the following: # @inet_acl = qw(127/8 ::1 10.1.0.1 10.1.0.2); # adjust the list as appropriate # $inet_socket_bind = undef; # bind to all IP interfaces if undef # # Example1: # @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 ); # permit only SMTP access from loopback and rfc1918 private address space # # Example2: # @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0 # 127.0.0.1 10/8 172.16/12 192.168/16 ); # matches loopback and rfc1918 private address space except host 192.168.1.12 # and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches) # # Example3: # @inet_acl = qw( 127/8 # !172.16.3.0 !172.16.3.127 172.16.3.0/25 # !172.16.3.128 !172.16.3.255 172.16.3.128/25 ); # matches loopback and both halves of the 172.16.3/24 C-class, # split into two subnets, except all four broadcast addresses # for these subnets # @mynetworks is an IP access list which determines if the original SMTP client # IP address belongs to our internal networks, i.e. mail is coming from inside. # It is much like the Postfix parameter 'mynetworks' in semantics and similar # in syntax, and its value should normally match the Postfix counterpart. # It only affects the value of a macro %l (=sender-is-local), # and the loading of policy 'MYNETS' if present (see below). # Note that '-o smtp_send_xforward_command=yes' (or its lmtp counterpart) # must be enabled in the Postfix service that feeds amavisd, otherwise # client IP address is not available to amavisd-new. # @mynetworks = qw( 127.0.0.0/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); # default # See README.lookups for details on specifying access control lists. # ============================================================================= # Section III - Logging # ============================================================================= # true (e.g. 1) => syslog; false (e.g. 0) => logging to file $DO_SYSLOG = 1; # (defaults to false) $SYSLOG_LEVEL = 'mail.debug'; # (facility.priority, default 'mail.info') # Log file (if not using syslog) $LOGFILE = "$MYHOME/amavis.log"; # (defaults to empty, no log) #NOTE: levels are not strictly observed and are somewhat arbitrary # 0: startup/exit/failure messages, viruses detected # 1: args passed from client, some more interesting messages # 2: virus scanner output, timing # 3: server, client # 4: decompose parts # 5: more debug details $log_level = 1; # (defaults to 0) # Customizable template for the most interesting log file entry (e.g. with # $log_level=0) (take care to properly quote Perl special characters like '\') # For a list of available macros see README.customize . # $log_templ = undef; # undef disables by-message level-0 log entries # $log_recip_templ = undef; # undef disables by-recipient level-0 log entries # log both infected and noninfected messages (new default): # $log_templ = ' # [?%#D||Passed # # [? [?%#V|1] |INFECTED (%V)|# # [? [?%#F|1] |BANNED (%F)|# # [? [? %2|1] |SPAM|# # [? [?%#X|1] |BAD-HEADER|CLEAN]]]]# # , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ]<%o> -> [%D|,]# # [? %q ||, quarantine: %i]# # [? %m ||, Message-ID: %m]# # [? %r ||, Resent-Message-ID: %r]# # , Hits: %c# # #, size: %z# # #[? %j ||, Subject: "%j"]# # #[? %#T ||, tests=[%T|,]]# # ] # [?%#O||Blocked # # [? [?%#V|1] |INFECTED (%V)|# # [? [?%#F|1] |BANNED (%F)|# # [? [? %2|1] |SPAM|# # [? [?%#X|1] |BAD-HEADER|CLEAN]]]]# # , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ]<%o> -> [%O|,]# # [? %q ||, quarantine: %i]# # [? %m ||, Message-ID: %m]# # [? %r ||, Resent-Message-ID: %r]# # , Hits: %c# # #, size: %z# # #[? %j ||, Subject: "%j"]# # #[? %#T ||, tests=[%T|,]]# # ]'; # log template compatible with amavisd-new-20030616-p10: # $log_recip_templ = undef; # $log_templ = ' # [? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], # # <%o> -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c'; # # ============================================================================= # Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine # ============================================================================= # # Select notifications text encoding when Unicode-aware Perl is converting # text from internal character representation to external encoding (charset # in MIME terminology). Used as argument to Perl Encode::encode subroutine. # # to be used in RFC 2047-encoded header field bodies, e.g. in Subject: # $hdr_encoding = 'iso-8859-1'; # MIME charset (default: 'iso-8859-1') # $hdr_encoding_qb = 'Q'; # MIME encoding: quoted-printable (default) # $hdr_encoding_qb = 'B'; # MIME encoding: base64 # # to be used in notification body text: its encoding and Content-type.charset # $bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1') # Default template texts for notifications may be overruled by directly # assigning new text to template variables, or by reading template text # from files. A second argument may be specified in a call to read_text(), # specifying character encoding layer to be used when reading from the # external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding. # Text will be converted to internal character representation by Perl 5.8.0 # or later; second argument is ignored otherwise. See PerlIO::encoding, # Encode::PerlIO and perluniintro man pages. # # $notify_sender_templ = read_text("$MYHOME/notify_sender.txt"); # $notify_virus_sender_templ= read_text("$MYHOME/notify_virus_sender.txt"); # $notify_virus_admin_templ = read_text("$MYHOME/notify_virus_admin.txt"); # $notify_virus_recips_templ= read_text("$MYHOME/notify_virus_recips.txt"); # $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt"); # $notify_spam_admin_templ = read_text("$MYHOME/notify_spam_admin.txt"); # If notification template files are collectively available in some directory, # one may call read_l10n_templates which invokes read_text for each known # template. This is primarily a Debian-specific feature, but was incorporated # into base code to facilitate porting. # # read_l10n_templates('/etc/amavis/en_US'); # # If read_l10n_templates is called, a localization template directory must # contain the following files: # charset this file should contain a one-line name # of the character set used in the template # files (e.g. utf8, iso-8859-2, ...) and is # passed as the second argument to read_text; # template-dsn.txt content fills the $notify_sender_templ # template-virus-sender.txt content fills the $notify_virus_sender_templ # template-virus-admin.txt content fills the $notify_virus_admin_templ # template-virus-recipient.txt content fills the $notify_virus_recips_templ # template-spam-sender.txt content fills the $notify_spam_sender_templ # template-spam-admin.txt content fills the $notify_spam_admin_templ # Here is an overall picture (sequence of events) of how pieces fit together # # bypass_virus_checks set for all recipients? ==> PASS # no viruses? ==> PASS # log virus if $log_templ is nonempty # quarantine if $virus_quarantine_to is nonempty # notify admin if $virus_admin (lookup) nonempty # notify recips if $warnvirusrecip and (recipient is local or $warn_offsite) # add address extensions for local recipients (when enabled) # send (non-)delivery notifications # to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS)) # virus_lovers or final_destiny==D_PASS ==> PASS # DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny) # # Equivalent flow diagram applies for spam checks. # If a virus is detected, spam checking is skipped entirely. # The following symbolic constants can be used in *_destiny settings: # # D_PASS mail will pass to recipients, regardless of bad contents; # # D_DISCARD mail will not be delivered to its recipients, sender will NOT be # notified. Effectively we lose mail (but will be quarantined # unless disabled). Losing mail is not decent for a mailer, # but might be desired. # # D_BOUNCE mail will not be delivered to its recipients, a non-delivery # notification (bounce) will be sent to the sender by amavisd-new; # Exception: bounce (DSN) will not be sent if a virus name matches # $viruses_that_fake_sender_re, or to messages from mailing lists # (Precedence: bulk|list|junk), or for spam level that exceeds # the $sa_dsn_cutoff_level. # # D_REJECT mail will not be delivered to its recipients, sender should # preferably get a reject, e.g. SMTP permanent reject response # (e.g. with milter), or non-delivery notification from MTA # (e.g. Postfix). If this is not possible (e.g. different recipients # have different tolerances to bad mail contents and not using LMTP) # amavisd-new sends a bounce by itself (same as D_BOUNCE). # Not to be used with Postfix or dual-MTA setups! # # Notes: # D_REJECT and D_BOUNCE are similar, the difference is in who is responsible # for informing the sender about non-delivery, and how informative # the notification can be (amavisd-new knows more than MTA); # With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status # notification, colloquially called 'bounce') - depending on MTA; # Best suited for sendmail milter, especially for spam. # With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the # reason for mail non-delivery or even suppress DSN, but unable # to reject the original SMTP session). Best suited to reporting # viruses, and for Postfix and other dual-MTA setups, which can't # reject original client SMTP session, as the mail has already # been enqueued. $final_virus_destiny = D_BOUNCE; # (defaults to D_DISCARD) $final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE) $final_spam_destiny = D_BOUNCE; # (defaults to D_BOUNCE) $final_bad_header_destiny = D_BOUNCE; # (defaults to D_PASS), D_BOUNCE suggested # Alternatives to consider for spam: # - use D_PASS if clients will do filtering based on inserted # mail headers or added address extensions ('plus-addressing'); # - use D_DISCARD, if kill_level is set comfortably high; # # D_BOUNCE is preferred for viruses, but consider: # - use D_PASS (or virus_lovers) to deliver viruses; # - use D_REJECT instead of D_BOUNCE if using milter and under heavy # virus storm; # # Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped # to D_BOUNCE. # # The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD # and D_PASS made settings $warnvirussender and $warnspamsender only still # marginally useful with D_PASS. # The following $warn*sender settings are ONLY used when mail is # actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*). # Bounces or rejects produce non-delivery status notification regardless. # Notify virus sender? # $warnvirussender = 1; # (defaults to false (undef)) # Notify spam sender? # $warnspamsender = 1; # (defaults to false (undef)) # Notify sender of banned files? # $warnbannedsender = 1; # (defaults to false (undef)) # Notify sender of syntactically invalid header containing non-ASCII characters? # $warnbadhsender = 1; # (defaults to false (undef)) # Notify virus (or banned files or bad headers) RECIPIENT? # (not very useful, but some policies demand it) # $warnvirusrecip = 1; # (defaults to false (undef)) # $warnbannedrecip = 1; # (defaults to false (undef)) # $warnbadhrecip = 1; # (defaults to false (undef)) # Notify also non-local virus/banned recipients if $warn*recip is true? # (including those not matching local_domains*) # $warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals) # Treat envelope sender address as unreliable and don't send sender # notification / bounces if name(s) of detected virus(es) match the list. # Note that virus names are supplied by external virus scanner(s) and are # not standardized, so virus names may need to be adjusted. # See README.lookups for syntax, check also README.policy-on-notifications # @viruses_that_fake_sender_maps = (new_RE( qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i, qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i, qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i, qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i, qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc [qr'^(EICAR|Joke\.|Junk\.)'i => 0], [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0], [qr/.*/ => 1], # true by default (remove or comment-out if undesired) )); # where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address) # - the administrator envelope address may be a simple fixed e-mail address # (a scalar), or may depend on the RECIPIENT address (e.g. its domain). # # Empty or undef lookup disables virus admin notifications. $virus_admin = undef; # $virus_admin = "martin.zahn\@$mydomain"; # $virus_admin = 'virus-admin@example.com'; # $virus_admin = undef; # do not send virus admin notifications (default) # # @virus_admin_maps = ( # by-recipient maps # {'not.example.com' => '', # '.' => 'virusalert@example.com'}, # $virus_admin, # the usual default # ); # equivalent to $virus_admin, but for spam admin notifications: $spam_admin = undef; # $spam_admin = "martin.zahn\@$mydomain"; # $spam_admin = undef; # do not send spam admin notifications (default) # @spam_admin_maps = ( # by-recipient maps # {'not.example.com' => '', # '.' => 'spamalert@example.com'}, # $spam_admin, # the usual default # ); # advanced example, using a hash lookup table and a scalar default, # lookup key is a recipient envelope address: # @virus_admin_maps = ( # by-recipient maps # { 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com', # '.sub1.example.com' => 'virusalert@sub1.example.com', # '.sub2.example.com' => '', # don't send admin notifications # 'a.sub3.example.com' => 'abuse@sub3.example.com', # '.sub3.example.com' => 'virusalert@sub3.example.com', # '.example.com' => 'noc@example.com', # default for our virus senders # }, # 'virusalert@hq.example.com', # catchall for the rest # ); # sender envelope address, from which notification reports are sent from; # may be a null reverse path, or a fully qualified address: # (admin and recip sender addresses default to a null return path). # If using strings in double quotes, don't forget to quote @, i.e. \@ # # $mailfrom_notify_admin = "martin.zahn\@$mydomain"; # $mailfrom_notify_recip = "martin.zahn\@$mydomain"; # $mailfrom_notify_spamadmin = "martin.zahn\@$mydomain"; $mailfrom_notify_admin = undef; $mailfrom_notify_recip = undef; $mailfrom_notify_spamadmin = undef; # 'From' HEADER FIELD for sender and admin notifications. # This should be a replyable address, see rfc1894. Not to be confused # with $mailfrom_notify_sender, which is the envelope return address # and can be empty (null reverse path) according to rfc2821. # # The syntax of the 'From' header field is specified in rfc2822, section # '3.4. Address Specification'. Note in particular that display-name must be # a quoted-string if it contains any special characters like spaces and dots. # # $hdrfrom_notify_sender = "amavisd-new "; # $hdrfrom_notify_sender = 'amavisd-new '; # $hdrfrom_notify_sender = '"Content-Filter Master" '; # $hdrfrom_notify_admin = $mailfrom_notify_admin; # $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin; # (default: "\"Content-filter at $myhostname\" ") # whom quarantined messages appear to be sent from (envelope sender); # keeps original sender if undef, or set it explicitly, default is undef $mailfrom_to_quarantine = ''; # override sender address with null return path # Location to put infected mail into: (applies to 'local:' quarantine method) # empty for not quarantining, may be a file (Unix-style mailbox), # or a directory (no trailing slash) # (the default value is undef, meaning no quarantine) # $QUARANTINEDIR = '/var/virusmails'; # $virus_quarantine_method = 'local:virus-%i-%n'; # default # $spam_quarantine_method = 'local:spam-%b-%i-%n'; # default # $banned_files_quarantine_method = 'local:banned-%i-%n'; # default # $bad_header_quarantine_method = 'local:badh-%i-%n'; # default # Separate quarantine subdirectories virus, spam, banned and badh within # the directory $QUARANTINEDIR may be specified by the following settings # (the subdirectories need to exist - must be created manually): # $virus_quarantine_method = 'local:virus/virus-%i-%n'; # $spam_quarantine_method = 'local:spam/spam-%b-%i-%n'; # $banned_files_quarantine_method = 'local:banned/banned-%i-%n'; # $bad_header_quarantine_method = 'local:badh/badh-%i-%n'; # # use the 'bsmtp:' method as an alternative to the default 'local:' # $virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%i-%n.bsmtp"; # $spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%b-%i-%n.bsmtp"; # When using the 'local:' quarantine method (default), the following applies: # # A finer control of quarantining is available through # variables $virus_quarantine_method/$spam_quarantine_method/ # $banned_files_quarantine_method/$bad_header_quarantine_method. # # The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a # per-recipient lookup result from lookup tables @virus_quarantine_to_maps) # is/are interpreted as follows: # # VARIANT 1: # empty or undef disables quarantine; # # VARIANT 2: # a string NOT containing an '@'; # amavisd will behave as a local delivery agent (LDA) and will quarantine # viruses to local files according to hash %local_delivery_aliases (pseudo # aliases map) - see subroutine mail_to_local_mailbox() for details. # Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'. # Setting $virus_quarantine_to ($spam_quarantine_to) to this string will: # # * if $QUARANTINEDIR is a directory, each quarantined virus will go # to a separate file in the $QUARANTINEDIR directory (traditional # amavis style, similar to maildir mailbox format); # # * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style # mailbox. All quarantined messages will be appended to this file. # Amavisd child process must obtain an exclusive lock on the file during # delivery, so this may be less efficient than using individual files # or forwarding to MTA, and it may not work across NFS or other non-local # file systems (but may be handy for pickup of quarantined files via IMAP # for example); # # VARIANT 3: # any email address (must contain '@'). # The e-mail messages to be quarantined will be handed to MTA # for delivery to the specified address. If a recipient address local to MTA # is desired, you may leave the domain part empty, e.g. 'infected@', but the # '@' character must nevertheless be included to distinguish it from variant 2. # # This variant enables more refined delivery control made available by MTA # (e.g. its aliases file, other local delivery agents, dealing with # privileges and file locking when delivering to user's mailbox, nonlocal # delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined # will not be handed back to amavisd for checking, as this will cause a loop # (hopefully broken at some stage)! If this can be assured, notifications # will benefit too from not being unnecessarily virus-scanned. # # By default this is safe to do with Postfix and Exim v4 and dual-sendmail # setup, but probably not safe with sendmail milter interface without tricks. # (default values are: virus-quarantine, banned-quarantine, spam-quarantine) # $virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine # $virus_quarantine_to = 'infected@'; # forward to MTA for delivery # $virus_quarantine_to = "virus-quarantine\@$mydomain"; # similar # $virus_quarantine_to = 'virus-quarantine@example.com'; # similar $virus_quarantine_to = undef; # no quarantine # # lookup key is envelope recipient address: # @virus_quarantine_to_maps = ( # per-recip multiple quarantines # new_RE( [qr'^user@example\.com$'i => 'infected@'], # [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'], # [qr'^(.*)(@[^@])?$'i => 'virus-${1}${2}'] ), # $virus_quarantine_to, # the usual default # ); # similar for banned names and bad headers and spam (set to undef to disable) $banned_quarantine_to = 'banned-quarantine'; # local quarantine $bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine $spam_quarantine_to = 'spam-quarantine'; # local quarantine # or to a mailbox or no quarantine # $banned_quarantine_to = "martin.zahn\@$mydomain"; # $bad_header_quarantine_to = "martin.zahn\@$mydomain"; # $spam_quarantine_to = "martin.zahn\@$mydomain"; $banned_quarantine_to = undef; $bad_header_quarantine_to = undef; $spam_quarantine_to = undef; # @spam_quarantine_to_maps = ( # per-recip multiple quarantines # new_RE( [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'] ), # $spam_quarantine_to, # the usual default # ); # In addition to per-recip quarantine, a by-sender lookup is possible. # It is similar to $spam_quarantine_to, but the lookup key is the # envelope sender address: # $spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine # Add X-Virus-Scanned header field to mail? $X_HEADER_TAG = 'X-Virus-Scanned'; # (default: 'X-Virus-Scanned') # Set to empty to add no header field # (dflt "$myproduct_name at $mydomain") # $X_HEADER_LINE = "$myproduct_name at $mydomain"; # $X_HEADER_LINE = "by $myproduct_name using ClamAV at $mydomain"; # $X_HEADER_LINE = "$myproduct_name $myversion_id ($myversion_date) at $mydomain"; # a string to prepend to Subject (for local recipients only) if mail could # not be decoded or checked entirely, e.g. due to password-protected archives $undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it # MIME defanging wraps the entire original mail in a MIME container of type # 'Content-type: multipart/mixed', where the first part is a text/plain with # a short explanation, and the second part is a complete original mail, # enclosed in a 'Content-type: message/rfc822' MIME part. # Defanging is only done when enabled (selectively by malware type), # and mail is considered malware (virus/spam/...), and the malware is allowed # to pass (*_lovers or *_destiny=D_PASS) # $defang_virus = 1; # default is false: don't modify mail body $defang_banned = 1; # default is false: don't modify mail body # $defang_bad_header = 1; # default is false: don't modify mail body # $defang_undecipherable = 1; # default is false: don't modify mail body # $defang_spam = 1; # default is false: don't modify mail body $remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone #$remove_existing_x_scanned_headers= 1; # remove existing headers # (defaults to false) #$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone $remove_existing_spam_headers = 1; # remove existing spam headers if # spam scanning is enabled (default) # set $bypass_decode_parts to true if you only do spam scanning, or if you # have a good virus scanner that can deal with compression and recursively # unpacking archives by itself, and save amavisd the trouble. # Disabling decoding also causes banned_files checking to only see # MIME names and MIME content types, not the content classification types # as provided by the file(1) utility. # It is a double-edged sword, make sure you know what you are doing! # #$bypass_decode_parts = 1; # (defaults to false) # don't trust this file type or corresponding unpacker for this file type, # keep both the original and the unpacked file for a virus checker to see # (lookup key is what file(1) utility returned): # @keep_decoded_original_maps = (new_RE( # qr'^MAIL$', # retain full original message for virus checking (can be slow) qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, # qr'^Zip archive data', # don't trust Archive::Zip )); # Checking for banned MIME types and names. If any mail part matches, # the whole mail is rejected. Object $banned_filename_re provides a list # of Perl regular expressions to be matched against each part's: # # * Content-Type value (both declared and effective mime-type), # such as the possible security-risk content types # 'message/partial' and 'message/external-body', as specified in rfc2046, # or 'application/x-msdownload' and 'application/x-msdos-program'; # # * declared (recommended) file names as specified by MIME subfields # Content-Disposition.filename and Content-Type.name, both in their # raw (encoded) form and in rfc2047-decoded form if applicable # as well as (recommended) file names specified in archives; # # * file content type as guessed by 'file(1)' utility, mapped # (by @map_full_type_to_short_type_maps) into short type names such as # .asc, .txt, .html, .doc, .jpg, .pdf, .zip, .exe-ms, ..., which always # starts with a dot. These short types are available unless # $bypass_decode_parts is true. # # All nodes (mail parts) of the fully recursively decoded mail and embedded # archives are checked, each node independently from remaining nodes. # # For each node all its ancestor nodes including itself are checked against # $banned_filename_re lookup list, top-down. The search for a node stops # at the first match, the right-hand side of the matching key determines # the result (true or false, absent right-hand side implies true, as explained # in README.lookups). # # Although repeatedly re-checking ancestor nodes may seem excessive, it gives # the opportunity to specify rules which make a particular node hide its # descendents, e.g. allow any name or file type within a .zip, even though # .exe files may otherwise not be allowed. # # Leave $banned_filename_re undefined to disable these checks # (giving an empty list to new_RE() will also always return false) $banned_filename_re = new_RE( # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components # block certain double extensions anywhere in the base name qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, # qr'[{}]', # curly braces in names (serve as Class ID extensions - CLSID) qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, # qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types # [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any type in Unix-compressed [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any type in Unix archives # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any type within such archives qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|hlp|hta|inf|ins|isp| # js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|ops|pcd|pif|prg| # reg|scr|sct|shb|shs|vb|vbe|vbs|wsc|wsf|wsh)$'ix, # banned ext - long # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. qr'^\.(exe-ms)$', # banned file(1) types # qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types ); # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 # and http://www.cknow.com/vtutor/vtextensions.htm # A little trick: a pattern qr'\.exe$' matches both a short type name '.exe', # as well as any file name which happens to end with .exe. If only matching # a file name is desired, but not the short type, a pattern qr'.\.exe$'i # or similar may be used, which requires that at least one character precedes # the '.exe', and so it will never match short file types which always start # with a dot. # the syntax of these Perl regular expressions is a bit awkward if not # familiar with them, so please do follow examples and stick to the idioms: # \A ... at the beginning of the first component # \z ... at the end of the the last (leaf) component # ^ ... at the beginning of each component in the path # $ ... at the end of each component in the path # (.*\t)? ... at the beginning of a field # (\t.*)? ... at the end of a field # \t(.*\t)* ... separating fields # [^\t\n] ... any single character, but don't escape from this field # (.*\n)+ ... one or more levels down # (?#...) ... a comment within a regexp # new-style of banned lookup table $banned_namepath_re = new_RE( # block these MIME types qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi, qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi, qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi, # # block rfc2046 MIME types # qr'(?# BLOCK RFC2046 ) # ^ (.*\t)? M=message/(partial|external-body) (\t.*)? $'xmi, # # within traditional Unix compressions allow any name and type # [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2) (\t.*)? $'xmi => 0 ], # allow # within traditional Unix archives allow any name and type [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ], # allow # # block anything within a zip # qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi, # block certain double extensions in filenames qr'(?# BLOCK DOUBLE-EXTENSIONS ) ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* \. (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi, # # block curly braces (used in Class ID (CLSID) extensions) in filenames # qr'(?# BLOCK CLSID-EXTENSIONS ) # ^ (.*\t)? N= [^\t\n]* [{}] [^\t\n]* (\t.*)? $'xmi, # # banned declared names with three or more consecutive spaces # qr'(?# BLOCK NAMES WITH SPACES ) # ^ (.*\t)? N= [^\t\n]* [ ]{3,} 'xmi, # # within PC archives allow any types or names at any depth # [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ], # ok # # within certain archives allow leaf members at any depth if crypted # [ qr'(?# ALLOW ENCRYPTED ) # ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ], # # allow crypted leaf members regardless of their name or type # [ qr'(?# ALLOW IF ENCRYPTED ) ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ], # # block if any component can not be decoded (is encrypted or bad archive) # qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi, # [ qr'(?# SPECIAL ALLOWANCES - MAGIC NAMES) # \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2) # \t(.*\t)* N=example\d+[^\t\n]* # (\t.*)? $'xmi => 0 ], # banned filename extensions (in declared names) anywhere - basic qr'(?# BLOCK COMMON NAME EXENSIONS ) ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi, # # banned filename extensions (in declared names) anywhere - long # qr'(?# BLOCK MORE NAME EXTENSIONS ) # ^ (.*\t)? N= [^\t\n]* \. ( # ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|hlp|hta|inf|ins|isp| # js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|ops|pcd|pif|prg| # reg|scr|sct|shb|shs|vb|vbe|vbs|wsc|wsf|wsh) (\t.*)? $'xmi, # # banned filename extensions anywhere - WinZip vulnerability (pre-V9) # qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS ) # ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi, [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM ) ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ], # [ qr'(?# BLOCK EMPTY MIME PARTS ) # ^ (.*\t)? M= [^\t\n]+ \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ], qr'(?# BLOCK Microsoft EXECUTABLES ) ^ (.*\t)? T=exe-ms (\t.*)? $'xm, # banned file(1) type # qr'(?# BLOCK ANY EXECUTABLE ) # ^ (.*\t)? T=exe (\t.*)? $'xm, # banned file(1) type # qr'(?# BLOCK THESE TYPES ) # ^ (.*\t)? T=(exe|lha|tnef|cab|dll) (\t.*)? $'xm, # banned file(1) types ); # use old or new style of banned lookup table; not both to avoid confusion # # @banned_filename_maps = (); # to disable old-style $banned_namepath_re = undef; # to disable new-style # # ============================================================================= # Section V - Per-recipient and per-sender handling, whitelisting, etc. # ============================================================================= # # @virus_lovers_maps list of lookup tables: # (this should be considered a policy option, is does not disable checks, # see bypass*checks for that!) # # Exclude certain RECIPIENTS from virus filtering by adding their (lower-cased) # envelope e-mail address (or domain only) to one of the lookup tables in # the @virus_lovers_maps list - see README.lookups and examples. # Make sure the appropriate form (e.g. external/internal) of address # is used in case of virtual domains, or when mapping external to internal # addresses, etc. - this is MTA-specific. # # Notifications would still be generated however (see the overall # picture above), and infected mail (if passed) gets additional header: # X-AMaViS-Alert: INFECTED, message contains virus: ... # (header not inserted with milter interface!) # # NOTE (milter interface only): in case of multiple recipients, # it is only possible to drop or accept the message in its entirety - for all # recipients. If all of them are virus lovers, we'll accept mail, but if # at least one recipient is not a virus lover, we'll discard the message. # @bypass_virus_checks_maps list of lookup tables: # (this is mainly a time-saving option, unlike virus_lovers* !) # # Similar in concept to @virus_lovers_maps, a @bypass_virus_checks_maps # is used to skip entirely the decoding, unpacking and virus checking, # but only if ALL recipients match the lookup. # # @bypass_virus_checks_maps does NOT GUARANTEE the message will NOT be checked # for viruses - this may still happen when there is more than one recipient # for a message and not all of them match these lookup tables, or when # check result was cached (i.e. the same contents was recently sent to other # recipients). To guarantee virus delivery, a recipient must also match # @virus_lovers_maps lookups (but see milter limitations above), # NOTE: it would not be clever to base enabling of virus checks on SENDER # address, since there are no guarantees that it is genuine. Many viruses # and spam messages fake sender address. To achieve selective filtering # based on the source of the mail (e.g. IP address, MTA port number, ...), # use mechanisms provided by MTA if available, possibly combined with policy # banks feature. # Similar to lists of lookup tables controlling virus checking, there are # counterparts for spam scanning, banned names/types, and headers_checks # control: # @spam_lovers_maps, # @banned_files_lovers_maps, # @bad_header_lovers_maps # and: # @bypass_spam_checks_maps, # @bypass_banned_checks_maps, # @bypass_header_checks_maps # Example: # @bypass_header_checks_maps = ( [qw( user@example.com )] ); # @bad_header_lovers_maps = ( [qw( user@example.com )] ); # The following example disables spam checking altogether, # since it matches any recipient e-mail address. # @bypass_spam_checks_maps = (1); # See README.lookups for further detail, and examples below. # In the following example a list of lookup tables @virus_lovers_maps # contains three elements, the first is a reference to an ACL lookup table # (brackets in Perl indicate a ref to a list), the second is a reference # to a hash lookup table (curly braces in Perl indicate a ref to a hash), # the third is a regexp lookup table, indicated by the type of object # created by new_RE() : # #@virus_lovers_maps = ( # [ qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org ) ], # { "postmaster\@$mydomain" => 1, # double quotes permit variable evaluation # 'postmaster@example.com'=> 1, # in single quotes the '@' need not be quoted # 'abuse@example.com'=> 1, # 'some.user@' => 1, # this recipient, regardless of domain # 'boss@example.com' => 0, # never, even if domain matches # 'example.com' => 1, # this domain, but not its subdomains # '.example.com' => 1, # this domain, including its subdomains # }, # new_RE( qr'^(helpdesk|postmaster)@example\.com$'i ), #); #@spam_lovers_maps = ( # ["postmaster\@$mydomain", 'postmaster@example.com', 'abuse@example.com'], #); #@bad_header_lovers_maps = ( # ["postmaster\@", "abuse\@$mydomain"], #); # to save some typing of quotes and commas, a Perl operator qw can be used # to split its argument on whitespace and to quote resulting elements: #@bypass_spam_checks_maps = ( # [ qw( some.ddd !butnot.example.com .example.com ) ], #); # don't run spam check for these RECIPIENT domains: # @bypass_spam_checks_maps = ( [qw( d1.com .d2.com a.d3.com )] ); # or the other way around (bypass check for all BUT these): # @bypass_spam_checks_maps = ( [qw( !d1.com !.d2.com !a.d3.com . )] ); # a practical application: don't check outgoing mail for spam: # @bypass_spam_checks_maps = ( [ "!.$mydomain", "." ] ); # (a downside of which is that such mail will not count as ham in SA bayes db) # # Note that 'outgoing' is not the same as 'originating from inside'. # The internal-to-internal mail is not outgoing, but is originating from # inside. To base rules on 'originating from inside', the use of policy bank # MYNETS is needed, in conjunction with XFORWARD Postfix extension to SMTP. # Where to find SQL server(s) and database to support SQL lookups? # A list of triples: (dsn,user,passw). (dsn = data source name) # More than one entry may be specified for multiple (backup) SQL servers. # See 'man DBI', 'man DBD::mysql', 'man DBD::Pg', ... for details. # When chroot-ed, accessing SQL server over inet socket may be more convenient. # # @lookup_sql_dsn = # ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'], # ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'] ); # # ('mail' in the example is the database name, choose what you like) # With PostgreSQL the dsn (first element of the triple) may look like: # 'DBI:Pg:host=host1;dbname=mail' # The SQL select clause to fetch per-recipient policy settings. # The %k will be replaced by a comma-separated list of query addresses # (e.g. full address, domain only (stripped level by level), and a catchall). # Use ORDER if there is a chance that multiple records will match - the first # match wins. If field names are not unique (e.g. 'id'), the later field # overwrites the earlier in a hash returned by lookup, which is why we use # '*,users.id' instead of just '*'. No need to uncomment the following # assignment if the default is ok. # $sql_select_policy = 'SELECT *,users.id FROM users,policy'. # ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'. # ' ORDER BY users.priority DESC'; # # The SQL select clause to check sender in per-recipient whitelist/blacklist # The first SELECT argument '?' will be users.id from recipient SQL lookup, # the %k will be sender addresses (e.g. full address, domain only, catchall). # The default value is: # $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'. # ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'. # ' AND (mailaddr.email IN (%k))'. # ' ORDER BY mailaddr.priority DESC'; # # To disable SQL white/black list, set to undef (otherwise comment-out # the following statement, leaving it at the default value): $sql_select_white_black_list = undef; # undef disables SQL white/blacklisting # If passing malware to certain recipients ($final_*_destiny=D_PASS or # *_lovers), the recipient-based lookup tables @addr_extension_*_maps may # return a string, which (if nonempty) will be added as an address extension # to the local-part of the recipient's address. This extension may be used # by the final local delivery agent (LDA) to place such mail into different # subfolders (the extension is usually interpreted as a folder name). # This is sometimes known as the 'plus addressing'. Appending address # extensions is prevented when: # - recipient does not match lookup tables @local_domains_maps; # - lookup into corresponding @addr_extension_*_maps results # in an empty string or undef; # - $recipient_delimiter is empty (see below) # LDAs usually default to stripping away address extension if no special # handling is specified or if a named subfolder or alias does not exist, # so adding address extensions normally does no harm. # @addr_extension_virus_maps = ('virus'); # defaults to empty # @addr_extension_spam_maps = ('spam'); # defaults to empty # @addr_extension_banned_maps = ('banned'); # defaults to empty # @addr_extension_bad_header_maps = ('badh'); # defaults to empty # # A more complex example: # @addr_extension_virus_maps = ( # {'sub.example.com'=>'infected', '.example.com'=>'filtered'}, 'virus' ); # Delimiter between local part of the envelope recipient address and address # extension (which can optionally be added, see @addr_extension_*_maps. E.g. # recipient address is changed to . # # Delimiter must match the equivalent (final) MTA delimiter setting. # (e.g. for Postfix add 'recipient_delimiter = +' to main.cf) # Setting it to an empty string or to undef disables adding extensions # regardless of $addr_extension_*_maps. # $recipient_delimiter = '+'; # (default is undef, i.e. disabled) # true: replace extension; false: append extension # $replace_existing_extension = 1; # (default is false) # Affects matching of localpart of e-mail addresses (left of '@') # in lookups: true = case sensitive, false = case insensitive $localpart_is_case_sensitive = 0; # (default is false) # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING # Instead of hard black- or whitelisting, a softer approach is to add # score points (penalties) to the SA score for mail from certain senders. # Positive points lean towards blacklisting, negative towards whitelisting. # This is much like adding SA rules or using its white/blacklisting, except # that here only envelope sender addresses are considered (not addresses # in a mail header), and that score points can be assigned per-recipient # (or globally), and the assigned penalties are customarily much lower # than the default SA white/blacklisting score. # # The table structure is similar to $per_recip_blacklist_sender_lookup_tables # i.e. the first level key is recipient, pointing to by-sender lookup tables. # The essential difference is that scores from _all_ matching by-recipient # lookups (not just the first that matches) are summed to give the final # score boost. That means that both the site and domain administrators, # as well as the recipient can have a say on the final score. # # NOTE: keep hash keys in lowercase, either manually or by using function lc @score_sender_maps = ({ # a by-recipient hash lookup table # # per-recipient personal tables (NOTE: positive: black, negative: white) # 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], # 'user3@example.com' => [{'.ebay.com' => -3.0}], # 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, # '.cleargreen.com' => -5.0}], # site-wide opinions about senders (the '.' matches any recipient) '.' => [ # the _first_ matching sender determines the score boost new_RE( # regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], [qr'^(your_friend|greatoffers)@'i => 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], ), # read_hash("/var/amavis/sender_scores_sitewide"), { # a hash-type lookup table (associative array) 'nobody@cert.org' => -3.0, 'cert-advisory@us-cert.gov' => -3.0, 'owner-alert@iss.net' => -3.0, 'slashdot@slashdot.org' => -3.0, 'bugtraq@securityfocus.com' => -3.0, 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, 'security-alerts@linuxsecurity.com' => -3.0, 'mailman-announce-admin@python.org' => -3.0, 'amavis-user-admin@lists.sourceforge.net'=> -3.0, 'notification-return@lists.sophos.com' => -3.0, 'owner-postfix-users@postfix.org' => -3.0, 'owner-postfix-announce@postfix.org' => -3.0, 'owner-sendmail-announce@lists.sendmail.org' => -3.0, 'sendmail-announce-request@lists.sendmail.org' => -3.0, 'donotreply@sendmail.org' => -3.0, 'ca+envelope@sendmail.org' => -3.0, 'noreply@freshmeat.net' => -3.0, 'owner-technews@postel.acm.org' => -3.0, 'ietf-123-owner@loki.ietf.org' => -3.0, 'cvs-commits-list-admin@gnome.org' => -3.0, 'rt-users-admin@lists.fsck.com' => -3.0, 'clp-request@comp.nus.edu.sg' => -3.0, 'surveys-errors@lists.nua.ie' => -3.0, 'emailnews@genomeweb.com' => -5.0, 'yahoo-dev-null@yahoo-inc.com' => -3.0, 'returns.groups.yahoo.com' => -3.0, 'clusternews@linuxnetworx.com' => -3.0, lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score) 'sender@example.net' => 3.0, '.example.net' => 1.0, }, ], # end of site-wide tables }); # ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT) # (affects spam checking only, has no effect on virus and other checks) # WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted # senders even if the message would be recognized as spam. Effectively, for # the specified senders, message recipients temporarily become 'spam_lovers'. # To avoid surprises, whitelisted sender also suppresses inserting/editing # the tag2-level header fields (X-Spam-*, Subject), appending spam address # extension, and quarantining. # # BLACKLISTING: messages from specified SENDERS are DECLARED SPAM. # Effectively, for messages from blacklisted envelope sender addresses, spam # level is artificially pushed high, and the normal spam processing applies, # resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual # reactions to spam, including possible rejection. If the message nevertheless # still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED # in the 'X-Spam-Status' header field, but the reported spam value and # set of tests in this report header field (if available from SpamAssassin, # which may or may not have been called) is not adjusted. # # A sender may be both white- and blacklisted at the same time, settings # are independent. For example, being both white- and blacklisted, message # is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No; # X-Spam-Status: No, ...), but the reported spam level (if computed) may # still indicate high spam score. # # If ALL recipients of the message either white- or blacklist the sender, # spam scanning (calling the SpamAssassin) is bypassed, saving on time. # # The following variables (lists of lookup tables) are available, # with the semantics and syntax as specified in README.lookups: # @whitelist_sender_maps, @blacklist_sender_maps # SOME EXAMPLES: # #ACL: # @whitelist_sender_maps = ( ['.example.org', '.example.net'] ); # @whitelist_sender_maps = ( [qw(.example.org .example.net)] ); # same thing # # @whitelist_sender_maps = ( [".$mydomain"] ); # $mydomain and its subdomains # NOTE: This is not a reliable way of turning off spam checks for # locally-originating mail, as sender address can easily be faked. # To reliably avoid spam-scanning outgoing mail, use @bypass_spam_checks_maps # for nonlocal recipients. To reliably avoid spam scanning for locally # originating mail (including internal-to-internal mail), recognized by # the original SMTP client IP address matching @mynetworks, use policy bank # MYNETS, adjust @mynetworks, and turn on XFORWARD in the Postfix smtp client # service feeding amavisd. #with regexps: @whitelist_sender_maps = ( new_RE( qr'.*@akadia.com$'i, qr'.*@swisscom\.com$'i, qr'.*@sicap\.com$'i, qr'.*@glue\.ch$'i, qr'.*@\.*\.admin\.ch$'i )); # illustrates the use of regexp lookup table: @blacklist_sender_maps = ( new_RE( qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i, qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i, qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i, qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i, qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i, qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i, qr'.*@yahoo\.com$'i, qr'.*@hotmail\.com$'i, qr'.*@comfind\.com$'i, qr'.*@b2bnowmembers\.com$'i, qr'.*@aral\.net$'i, qr'.*@nowcon\.com$'i, qr'.*@uole\.com$'i, qr'.*@mail\.com$'i, qr'.*@microware\.ch$'i, qr'.*@stsmarketing\.ch$'i, qr'.*@wstore\.com$'i, qr'.*@oracleeblast\.com$'i, qr'.*@boss\.com$'i, qr'.*@issihk\.net$'i, qr'.*@draexlmaier\.de$'i, qr'.*@ebay\.com$'i, qr'.*@qualitylaser\.com$'i, qr'.*@transitchicago\.com$'i, qr'.*@homeeshopping\.com$'i, qr'.*@alltel\.net$'i, qr'.*@ntlworld\.com$'i, qr'.*@jpberlin\.de$'i, qr'.*@iwantspecialdeals\.com$'i, qr'.*@juno\.com$'i, qr'.*@exotissimo\.com$'i, qr'.*@5pillars\.com$'i, qr'.*@notmydesk\.com$'i, qr'.*@3rivers\.net$'i, qr'.*@2die4\.com$'i, qr'.*@free\.fr$'i, qr'.*@toto\.com$'i, qr'.*@klopapier\.net$'i, qr'.*@netscape\.net$'i, qr'.*@inforush\.biz$'i, qr'.*@mail4him\.com$'i, qr'.*@mail4her\.com$'i, qr'.*@onthenet\.com\.au$'i, qr'.*@ihug\.com\.au$'i, qr'.*@public\.bta\.net\.cn$'i, qr'.*@4hismail\.com$'i, qr'.*@4hermail\.com$'i, qr'.*@ciudad\.com\.ar$'i, qr'.*@keromail\.com$'i, qr'.*@webtopmail\.com$'i, qr'.*@financeland\.com\.br$'i, qr'.*@yahoo\.co\.uk$'i, qr'.*@Nationwide\.com$'i, qr'.*@web2mail\.com$'i, qr'.*@utopia\.com$'i, qr'.*@adelphia\.net$'i, qr'.*@mailcity\.com$'i, qr'.*@teleauskunft\.de$'i, qr'.*@gunji\.co\.kr$'i, qr'.*@winning\.com$'i, qr'.*@gate\.net$'i, qr'.*@qis\.net$'i, qr'.*@gmx\.at$'i, qr'.*@123box\.co\.uk$'i, qr'.*@link\.net$'i, qr'.*@bestnet\.net$'i, qr'.*@samerica\.com$'i, qr'.*@mshri\.on\.ca$'i, qr'.*@optinet\.de$'i, qr'.*@mailpike\.net$'i, qr'.*@gte\.net$'i, qr'.*@aol\.com$'i, qr'.*@athenet\.net$'i, qr'.*@business-man\.com$'i, qr'.*@dbzmail\.com$'i, qr'.*@mail2amazing\.com$'i, qr'.*@cruzio\.com$'i, qr'.*@bigfoot\.com$'i, qr'.*@financetotal\.com\.br$'i, qr'.*@sex\.com$'i, qr'.*@freeweb\.org$'i, qr'.*@lemonde\.fr$'i, qr'.*@bildata\.se$'i, qr'.*@erols\.com$'i, qr'.*@msn\.com$'i, qr'.*@whale-mail\.com$'i, qr'.*@carioca\.net$'i, qr'.*@freemail\.hu$'i, qr'.*@cicciociccio\.org$'i, qr'.*@mypersonalemail\.com$'i, qr'.*@kittymail\.com$'i, qr'.*@email\.com$'i, qr'.*@yahoo\.com\.hk$'i, qr'.*@singles4jesus\.com$'i, qr'.*@cox\.net$'i, qr'.*@china\.com$'i, qr'.*@onlinehome\.de$'i, qr'.*@theglobe\.com$'i, qr'.*@telegraaf\.nl$'i, qr'.*@jamesoff\.net$'i, qr'.*@doramail\.com$'i, qr'.*@amuro\.net$'i, qr'.*@terra\.es$'i, qr'.*@advalvas\.be$'i, qr'.*@sinnfein\.ie$'i, qr'.*@www\.cn\.nctu\.edu\.tw$'i, qr'.*@address\.com$'i, qr'.*@sunnygirl\.net$'i, qr'.*@au\.ru$'i, qr'.*@wuerzburg\.de$'i, qr'.*@online\.nsk\.su$'i, qr'.*@rr\.com$'i, qr'.*@oricom\.ca$'i, qr'.*@hongkong\.com$'i, qr'.*@boardermail\.com$'i, qr'.*@scientist\.com$'i, qr'.*@worldonline\.de$'i, qr'.*@yahoo\.ca$'i, qr'.*@yahoo\.fr$'i, qr'.*@Korea\.com$'i, qr'.*@fastermail\.com$'i, qr'.*@glay\.org$'i, qr'.*@web\.de$'i, qr'.*@cas\.honeywell\.com$'i, qr'.*@icqmail\.com$'i, qr'.*@zaobao\.com$'i, qr'.*@pekklemail\.com$'i, qr'.*@pacbell\.net$'i, qr'.*@tutopia\.com$'i, qr'.*@caramail\.com$'i, qr'.*@minedu\.fi$'i, qr'.*@weco\.ca$'i, qr'.*@ulb\.ac\.be$'i, qr'.*@amora\.co\.uk$'i, qr'.*@earthlink\.com$'i, qr'.*@verizon\.net$'i, qr'.*@syo\.fi$'i, qr'.*@slarti\.ucd\.ie$'i, qr'.*@qwest\.net$'i, qr'.*@xcelco\.on\.ca$'i, qr'.*@home\.pf\.jcu\.cz$'i, qr'.*@wong\.com$'i, qr'.*@koys\.de$'i, qr'.*@colagen\.com$'i, qr'.*@go\.com$'i, qr'.*@vrflow\.oulu\.fi$'i, qr'.*@burntmail\.com$'i, qr'.*@avo\.gov\.au$'i, qr'.*@davinci\.ethz\.ch$'i, qr'.*@velnet\.com$'i, qr'.*@medmicro\.uct\.ac\.za$'i, qr'.*@earthlink\.net$'i, qr'.*@rte\.ie$'i, qr'.*@Earth9\.com$'i, qr'.*@einkaufs-verzeichnis\.de$'i, qr'.*@alehop\.com$'i, qr'.*@tenbit\.pl$'i, qr'.*@email\.cz$'i, qr'.*@vtt\.fi$'i, qr'.*@online\.at$'i, qr'.*@graffiti\.net$'i, qr'.*@graffiti\.com$'i, qr'.*@earthcorp\.com$'i, qr'.*@merlin\.net\.au$'i, qr'.*@ondagrupera\.com$'i, qr'.*@earthnet\.com$'i, qr'.*@indiatimes\.com$'i, qr'.*@mgmt\.ucalgary\.ca$'i, qr'.*@cybermega\.com$'i, qr'.*@promo\.gateway\.com$'i, qr'.*@zeit\.de$'i, qr'.*@cefic\.be$'i, qr'.*@standaard\.be$'i, qr'.*@cuni\.cz$'i, qr'.*@kirjastot\.fi$'i, qr'.*@uni-mannheim\.de$'i, qr'.*@cs\.com$'i, qr'.*@yahoo\.com\.au$'i, qr'.*@arsystech\.com$'i, qr'.*@billboard\.cz$'i, qr'.*@ericsson\.se$'i, qr'.*@mail\.glue\.ch$'i, qr'.*@ns\.glue\.ch$'i, qr'.*@lycos\.com$'i, qr'.*@Juntos\.com$'i, qr'.*@cabana\.net$'i, qr'.*@thanksmuch\.org$'i, qr'.*@rediffmail\.com$'i, qr'.*@spiegel\.de$'i, qr'.*@topgamers\.com$'i, qr'.*@beer\.com$'i, qr'.*@ramirez\.com$'i, qr'.*@canada\.com$'i, qr'.*@freenet\.de$'i, qr'.*@prontomail\.com$'i, qr'.*@hon\.ch$'i, qr'.*@cnn\.com$'i, qr'.*@zuvio\.com$'i, qr'.*@hush\.com$'i, qr'.*@gmcc\.ab\.ca$'i, qr'.*@adacta\.si$'i, qr'.*@englandfans\.com$'i, qr'.*@polbox\.com$'i, qr'.*@geocities\.com$'i, qr'.*@gosympatico\.ca$'i, qr'.*@optusnet\.com\.au$'i, qr'.*@cbn\.net\.id$'i, qr'.*@williams\.edu$'i, qr'.*@billy\.de$'i, qr'.*@skynet\.be$'i, qr'.*@rock\.com$'i, qr'.*@gfk\.se$'i, qr'.*@alacarta\.com$'i, qr'.*@micronet\.fr$'i, qr'.*@att\.net$'i, qr'.*@mahjong\.dk$'i, qr'.*@free\.com$'i, qr'.*@mail2Samoa\.com$'i, qr'.*@amhb\.ab\.ca$'i, qr'.*@bnf\.fr$'i, qr'.*@sprint\.com$'i, qr'.*@v-sexi\.com$'i, qr'.*@passcollege\.com$'i, qr'.*@myownemail\.com$'i, qr'.*@ac\.be$'i, qr'.*@kbr\.be$'i, qr'.*@creative\.net$'i, qr'.*@2911\.net$'i, qr'.*@calwin\.dk$'i, qr'.*@asiaworldd2000\.com$'i, qr'.*@marshall\.edu$'i, qr'.*@sasquatch\.com$'i, qr'.*@xs4all\.nl$'i, qr'.*@surfbirds\.com$'i, qr'.*@centurytel\.net$'i, qr'.*@eliteconsultant\.com$'i, qr'.*@concentric\.com$'i, qr'.*@asgard\.net\.au$'i, qr'.*@ne\.jp$'i, qr'.*@olywa\.net$'i, qr'.*@wli\.net$'i, qr'.*@asiaapacific\.com$'i, qr'.*@aces-ductwork\.co\.uk$'i, qr'.*@javanet\.com$'i, qr'.*@tlcfan\.com$'i, qr'.*@merlin\.at$'i, qr'.*@fresnomail\.com$'i, qr'.*@meganet\.net$'i, qr'.*@freemail\.gr$'i, qr'.*@toppoint\.de$'i, qr'.*@megatime\.de$'i, qr'.*@o2\.pl$'i, qr'.*@telusplanet\.net$'i, qr'.*@bcpl\.net$'i, qr'.*@cyberlink\.com$'i, qr'.*@nyu\.edu$'i, qr'.*@top--sites\.com$'i, qr'.*@terra\.com$'i, qr'.*@on-luebeck\.de$'i, qr'.*@i-link-2\.net$'i, qr'.*@after-death\.com$'i, qr'.*@srce\.hr$'i, qr'.*@wmn\.net$'i, qr'.*@tepkom\.ru$'i, qr'.*@asia\.co\.th$'i, qr'.*@cape\.com$'i, qr'.*@terem\.ru$'i, qr'.*@awwwsome\.com$'i, qr'.*@br-online\.de$'i, qr'.*@itu\.ch$'i, qr'.*@macbox\.com$'i, qr'.*@1-base\.com$'i, qr'.*@ameritech\.net$'i, qr'.*@mail2Betty\.com$'i, qr'.*@metla\.fi$'i, qr'.*@gawab\.com$'i, qr'.*@web-mail\.com\.ar$'i, qr'.*@skrzynka\.pl$'i, qr'.*@dwp\.net$'i, qr'.*@1234hollus\.com$'i, qr'.*@optonline\.net$'i, qr'.*@myparentime\.com$'i, qr'.*@bluepalalski\.com$'i, qr'.*@1bigred\.com$'i, qr'.*@geocities\.co\.jp$'i, qr'.*@apc\.net$'i, qr'.*@osn\.de$'i, qr'.*@osha\.eu\.int$'i, qr'.*@attbi\.com$'i, qr'.*@mailinator\.com$'i, qr'.*@octo\.com$'i, qr'.*@winzip\.com$'i, qr'.*@indiamart\.com$'i, qr'.*@ztabb\.com$'i, qr'.*@salabrasteron\.com$'i, qr'.*@hillside-inn\.com$'i, qr'.*@nccn\.net$'i, qr'.*@comidamexicana\.com$'i, qr'.*@swingfans\.com$'i, qr'.*@inbox\.lv$'i, qr'.*@siritech\.com$'i, qr'.*@widgetdesigns\.com$'i, qr'.*@karlsruhe\.org$'i, qr'.*@chol\.com$'i, qr'.*@infinito\.it$'i, qr'.*@warwick\.ac\.uk$'i, qr'.*@sisl\.co\.in$'i, qr'.*@canterbury\.ac\.nz$'i, qr'.*@usa\.net$'i, qr'.*@relay\.jinr\.ru$'i, qr'.*@smartwebby\.com$'i, qr'.*@buss\.com$'i, qr'.*@coca-coliker\.com$'i, qr'.*@incluudes\.com$'i, qr'.*@371\.net$'i, qr'.*@starmedia\.com$'i, qr'.*@surfeador\.com$'i, qr'.*@inria\.fr$'i, qr'.*@thw-ahrensburg\.de$'i, qr'.*@exo\.com$'i, qr'.*@sify\.com$'i, qr'.*@flantalapsicle\.com$'i, qr'.*@coolyork\.com$'i, qr'.*@ttasmdc\.com$'i, qr'.*@web-o\.net$'i, qr'.*@sisulasterex\.com$'i, qr'.*@dated\.biz$'i, qr'.*@libero\.it$'i, qr'.*@e-gold\.com$'i, qr'.*@orcon\.net\.nz$'i, qr'.*@tohoku\.ac\.jp$'i, qr'.*@haveyooseeenthis\.com$'i, qr'.*@aguytyemdse\.com$'i, qr'.*@room84\.net$'i, qr'.*@frsnce\.com$'i, qr'.*@misfit\.co\.uk$'i, qr'.*@123greetings\.com$'i, qr'.*@44eemeds\.com$'i, qr'.*@cnetech\.com$'i, qr'.*@occultmail\.com$'i, qr'.*@lissamail\.com$'i, qr'.*@shopfree-inc\.com$'i, qr'.*@cmmeds4\.com$'i, qr'.*@yahoo\.com\.cn$'i, qr'.*@finklfan\.com$'i, qr'.*@arcada\.fi$'i, qr'.*@tiscali\.fr$'i, qr'.*@offshrtme\.com$'i, qr'.*@excite\.com$'i, qr'.*@isnet\.ca$'i, qr'.*@qw21qa\.com$'i, qr'.*@actasap\.com$'i, qr'.*@umanitoba\.ca$'i, qr'.*@videotron\.ca$'i, qr'.*@zonai\.com$'i, qr'.*@futbolamericano\.com$'i, qr'.*@tscnet\.com$'i, qr'.*@boink\.net$'i, qr'.*@lawyer\.com$'i, qr'.*@online\.fr$'i, qr'.*@billonario\.com$'i, qr'.*@bellatlantic\.net$'i, qr'.*@allsaintsfan\.com$'i, qr'.*@dumbwit\.com$'i, qr'.*@halifax\.com$'i, qr'.*@proca\.ro$'i, qr'.*@uwasa\.fi$'i, qr'.*@dajuma\.com$'i, qr'.*@actogmbh\.com$'i, qr'.*@ergo\.no$'i, qr'.*@ibi\.co\.za$'i, qr'.*@ewa\.net$'i, qr'.*@crestron\.com$'i, qr'.*@jetcity\.com$'i, qr'.*@playful\.com$'i, qr'.*@tiscali\.co\.uk$'i, qr'.*@superstorebn\.com$'i, qr'.*@izap\.com$'i, qr'.*@88cresa\.com$'i, qr'.*@moellenhoff\.de$'i, qr'.*@fishing\.co\.jp$'i, qr'.*@nwinfo\.net$'i, qr'.*@shinbiro\.com$'i, qr'.*@wanted-dead-or-alive\.com$'i, qr'.*@lignumcomputing\.com$'i, qr'.*@sns\.it$'i, qr'.*@best1\.net$'i, qr'.*@ginko\.de$'i, qr'.*@expage\.com$'i, qr'.*@aruba\.it$'i, qr'.*@nospammail\.net$'i, qr'.*@guanajuato\.com$'i, qr'.*@ournewsnow\.com$'i, qr'.*@kutscheracommunication\.com$'i, qr'.*@thereallybigone\.com$'i, qr'.*@nwnexus\.com$'i, qr'.*@star\.cz$'i, qr'.*@bettahits\.biz$'i, qr'.*@deportista\.com$'i, qr'.*@cheftalk\.com$'i, qr'.*@bkkmail\.com$'i, qr'.*@yerphi\.am$'i, qr'.*@rescueteam\.com$'i, qr'.*@webmail\.co\.za$'i, qr'.*@vsnl\.net$'i, qr'.*@surfari\.net$'i, qr'.*@inorbit\.com$'i, qr'.*@interblod\.com$'i, qr'.*@bion\.kth\.se$'i, qr'.*@advernet\.es$'i, qr'.*@leonlai\.net$'i, qr'.*@gettyimages\.com$'i, qr'.*@bootix\.com$'i, qr'.*@ilovemermaids\.com$'i, qr'.*@moegenburg\.de$'i, qr'.*@mmail\.com$'i, qr'.*@cidman\.de$'i, qr'.*@sunpharma\.com$'i, qr'.*@semantec\.bg$'i, qr'.*@argus\.co\.za$'i, qr'.*@anonymous\.to$'i, qr'.*@beyondthelaw\.com$'i, qr'.*@so-near-yet-so-far\.com$'i, qr'.*@cumbria\.sch\.uk$'i, qr'.*@elsitiodc\.tv$'i, qr'.*@ilovebanging\.com$'i, qr'.*@webinbox\.com$'i, qr'.*@r-a-v-e\.com$'i, qr'.*@infi\.net$'i, qr'.*@capitale\.qc\.ca$'i, qr'.*@aus-city\.com$'i, qr'.*@techemail\.com$'i, qr'.*@Jabble\.com$'i, qr'.*@alloymail\.com$'i, qr'.*@uk2\.net$'i, qr'.*@myself\.com$'i, qr'.*@six1\.net$'i, qr'.*@journalist\.com$'i, qr'.*@ri1\.biz$'i, qr'.*@swbell\.net$'i, qr'.*@zwallet\.com$'i, qr'.*@ivysaur-fan\.com$'i, qr'.*@seznam\.cz$'i, qr'.*@doomedbeauty\.com$'i, qr'.*@showfans\.com$'i, qr'.*@andylau\.net$'i, qr'.*@emaila\.nu$'i, qr'.*@yahoo\.co\.in$'i, qr'.*@fireball\.de$'i, qr'.*@mail2Reggie\.com$'i, qr'.*@goforit\.helpaccount\.net$'i, qr'.*@usa\.com$'i, qr'.*@Rinderwahnsinn\.de$'i, qr'.*@gravityswitch\.com$'i, qr'.*@nextmail\.ru$'i, qr'.*@starbux\.de$'i, qr'.*@einsundeins\.de$'i, qr'.*@codewerk\.com$'i, qr'.*@antispin\.org$'i, qr'.*@modem-help\.co\.uk$'i, qr'.*@aboutgolf\.com$'i, qr'.*@derechoshumanos\.com$'i, qr'.*@lets-do-a-liquid-lunch\.com$'i, qr'.*@email\.ro$'i, qr'.*@e-mail\.com$'i, qr'.*@millcomm\.com$'i, qr'.*@vnet\.ibm\.com$'i, qr'.*@porncity\.net$'i, qr'.*@yandex\.ru$'i, qr'.*@inav\.net$'i, qr'.*@gyuvetch\.bg$'i, qr'.*@winterhighland\.co\.uk$'i, qr'.*@ranmamail\.com$'i, qr'.*@pigs-arse\.com$'i, qr'.*@pakvalley\.com$'i, qr'.*@madrid\.com$'i, qr'.*@mail2Steve\.com$'i, qr'.*@infoasis\.com$'i, qr'.*@adden\.com$'i, qr'.*@maktoob\.com$'i, qr'.*@postaldigital\.com$'i, qr'.*@ablake\.net$'i, qr'.*@abwebplus\.com$'i, qr'.*@bcs\.cl$'i, qr'.*@afreeinternet\.com$'i, qr'.*@staffplanning\.nl$'i, qr'.*@candea\.nl$'i, qr'.*@bestofchris\.de$'i, qr'.*@roava\.net$'i, qr'.*@penn\.com$'i, qr'.*@bugger-all\.com$'i, qr'.*@milestoneinteractive\.com$'i, qr'.*@mendsxn4\.com$'i, qr'.*@iluvxmas\.com$'i, qr'.*@sllug\.org$'i, qr'.*@co\.id$'i, qr'.*@therightmoment\.com$'i, qr'.*@tstindias\.com$'i, qr'.*@stamm-wire\.de$'i, qr'.*@qc\.ca$'i, qr'.*@co\.uk$'i, qr'.*@1-struck\.de$'i, qr'.*@stapro\.sk$'i, qr'.*@or\.jp$'i, qr'.*@stan-noon\.de$'i, qr'.*@mokry\.cz$'i, qr'.*@telus\.net$'i, qr'.*@stallbalans\.se$'i, qr'.*@co\.kr$'i, qr'.*@another-world\.com$'i, qr'.*@e-bay\.com$'i, qr'.*@univr\.it$'i, qr'.*@tvg\.is$'i, qr'.*@carolina\.cl$'i, qr'.*@stamm-erdenburg\.de$'i, qr'.*@mst\.dk$'i, qr'.*@co\.nz$'i, qr'.*@comcast\.com$'i, qr'.*@stakes\.fi$'i, qr'.*@firemail\.de$'i, qr'.*@mnends\.com$'i, qr'.*@mail2lawyer\.org$'i, qr'.*@doctor\.com$'i, qr'.*@cicm\.es$'i, qr'.*@attitude\.com$'i, qr'.*@chinakontor\.de$'i, qr'.*@ac\.uk$'i, qr'.*@unipv\.it$'i, qr'.*@rhubarb-rhubarb\.com$'i, qr'.*@charterpa\.net$'i, qr'.*@pravda\.ru$'i, qr'.*@singapore\.com$'i, qr'.*@mohnhaupt\.de$'i, qr'.*@gamewood\.net$'i, qr'.*@tver\.ru$'i, qr'.*@utimail\.com$'i, qr'.*@emailaccount\.com$'i, qr'.*@bellsouth\.net$'i, qr'.*@co\.at$'i, qr'.*@hanmail\.net$'i, qr'.*@buttonpushers\.com$'i, qr'.*@indiantoners\.com$'i, qr'.*@rocketmail\.com$'i, qr'.*@wroc\.pl$'i, qr'.*@nhs\.uk$'i, qr'.*@over-the-rainbow\.com$'i, qr'.*@modellbautreff\.de$'i, qr'.*@co\.th$'i, qr'.*@bizjournals\.com$'i, qr'.*@a-acht\.de$'i, qr'.*@p-bridge\.com$'i, qr'.*@namesecure\.com$'i, qr'.*@veryfast\.biz$'i, qr'.*@stammwelfen\.de$'i, qr'.*@kinki-kids\.com$'i, qr'.*@co\.jp$'i, qr'.*@twainweb\.de$'i, qr'.*@dgmedia\.dk$'i, qr'.*@catchamail\.com$'i, qr'.*@cvrtgfd\.com$'i, qr'.*@jjgfdk\.com$'i, qr'.*@bluecom\.no$'i, qr'.*@autrijus\.org$'i, qr'.*@126\.com$'i, qr'.*@silcom\.com$'i, qr'.*@gtt-india\.com$'i, qr'.*@legacy\.com$'i, qr'.*@unlimitedautoresponders\.com$'i, qr'.*@com\.au$'i, qr'.*@Iname\.com$'i, qr'.*@internav\.com$'i, qr'.*@extremeplayer\.com$'i, qr'.*@abstractsoft\.com$'i, qr'.*@cims\.cz$'i, qr'.*@kerrlake\.com$'i, qr'.*@hurting\.com$'i, qr'.*@usherb\.ca$'i, qr'.*@cliffhanger\.com$'i, qr'.*@online\.hr$'i, qr'.*@shawcable\.net$'i, qr'.*@mcgillicuddy\.com$'i, qr'.*@neenahprinting\.com$'i, qr'.*@hondutel\.hn$'i, qr'.*@netwiz\.net$'i, qr'.*@es\.to$'i, qr'.*@co\.za$'i, qr'.*@moose-mail\.com$'i, qr'.*@rattvik\.se$'i, qr'.*@waw\.pl$'i, qr'.*@mk\.ua$'i, qr'.*@cat-fan\.com$'i, qr'.*@dewahost\.com$'i, qr'.*@cimatech\.at$'i, qr'.*@accountant\.com$'i, qr'.*@dvd-fan\.net$'i, qr'.*@ImogeneOlsen@google\.com$'i, qr'.*@tnl-online\.com$'i, qr'.*@pavilion\.net$'i, qr'.*@supermedia\.pl$'i, qr'.*@dte2k\.de$'i, qr'.*@uni-stuttgart\.de$'i, qr'.*@waxworks\.nl$'i, qr'.*@ula\.ve$'i, qr'.*@xemacs\.org$'i, qr'.*@iwvisp\.com$'i, qr'.*@univ-lyon1\.fr$'i, qr'.*@yahoo\.com\.sg$'i, qr'.*@Z6\.com$'i, qr'.*@t-online\.de$'i, qr'.*@aaiworldmarket\.com$'i, qr'.*@telstra\.com$'i, qr'.*@eivd\.ch$'i, qr'.*@net999\.com$'i, qr'.*@amega\.com$'i, qr'.*@moebelspedition\.de$'i, qr'.*@alen\.com$'i, qr'.*@primion\.de$'i, qr'.*@bargain-warrior\.com$'i, qr'.*@myvaluepc\.com$'i, qr'.*@allergist\.com$'i, qr'.*@bigisbetter\.com$'i, qr'.*@fleet\.com$'i, qr'.*@os\.dk$'i, qr'.*@rockbridge\.net$'i, qr'.*@adamsacres\.com$'i, qr'.*@senderservices\.info$'i, qr'.*@queerplaces\.com$'i, qr'.*@algx\.net$'i, qr'.*@zenpkscu11\.com$'i, qr'.*@akelia\.com$'i, qr'.*@cariboo\.bc\.ca$'i, qr'.*@americatel\.hn$'i, qr'.*@michaelkuntz\.de$'i, qr'.*@telefonicamoviles\.com\.mx$'i, qr'.*@swift\.cz$'i, qr'.*@vulve\.com$'i, qr'.*@llangollen\.com$'i, qr'.*@thedoghousemail\.com$'i, qr'.*@model-endres\.de$'i, qr'.*@cuernavaca\.com$'i, qr'.*@cadcamlab\.org$'i, qr'.*@carmen\.se$'i, qr'.*@hopsoft\.com$'i, qr'.*@freemail\.nl$'i, qr'.*@qualiteonline\.com$'i, qr'.*@aschober\.de$'i, qr'.*@every1\.net$'i, qr'.*@com\.ar$'i, qr'.*@mannegeil\.com$'i, qr'.*@com\.pe$'i, qr'.*@viernulvier\.nl$'i, qr'.*@nabaza\.com$'i, qr'.*@i7\.com\.pl$'i, qr'.*@honold-online\.de$'i, qr'.*@free-state\.com$'i, qr'.*@kristne-gym\.dk$'i, qr'.*@bigpond\.com$'i, qr'.*@yahoo\.es$'i, qr'.*@broadbad\.com$'i, qr'.*@loveforlostcats\.com$'i, qr'.*@cybersmtp\.com$'i, qr'.*@customspine\.com$'i, qr'.*@mchsi\.com$'i, qr'.*@metalab\.unc\.edu$'i, qr'.*@planetwave\.net$'i, qr'.*@mhi\.nl$'i, qr'.*@godsmackmail\.com$'i, qr'.*@stardel\.ca$'i, qr'.*@fuse\.net$'i, qr'.*@jumpy\.it$'i, qr'.*@cjb\.net$'i, qr'.*@cityofcardiff\.net$'i, qr'.*@llandudno\.com$'i, qr'.*@starcity\.ru$'i, qr'.*@twotiming\.com$'i, qr'.*@desertmail\.com$'i, qr'.*@ae\.com$'i, qr'.*@aeneasmail\.com$'i, qr'.*@breath-of-fresh-air\.com$'i, qr'.*@analytic\.ch$'i, qr'.*@avertlabs\.com$'i, qr'.*@vcustomer\.com$'i, qr'.*@yangjinglin\.com$'i, qr'.*@net4india\.com$'i, qr'.*@fr\.st$'i, qr'.*@asia-links\.com$'i, qr'.*@jorma-pentium\.org$'i, qr'.*@netikka\.fi$'i, qr'.*@avvesta\.com$'i, qr'.*@comcast\.net$'i, qr'.*@timewarner\.com$'i, qr'.*@euphoricheaven\.com$'i, qr'.*@aahtech\.com$'i, qr'.*@abelio\.com$'i, qr'.*@wanadoo\.nl$'i, qr'.*@thehatters\.com$'i, qr'.*@quattro-it\.dk$'i, qr'.*@ls-d\.de$'i, qr'.*@tell-me-another\.com$'i, qr'.*@paonline\.com$'i, qr'.*@tackleshop\.de$'i, qr'.*@3dimension\.com$'i, qr'.*@darwinsys\.com$'i, qr'.*@techpacindia\.com$'i, qr'.*@nsta\.ca$'i, qr'.*@computer-expert\.net$'i, qr'.*@astat\.de$'i, qr'.*@geekly\.net$'i, qr'.*@xfiles\.cz$'i, qr'.*@chello\.nl$'i, qr'.*@hanbalmasstech\.com$'i, qr'.*@essenet\.it$'i, qr'.*@pon\.net$'i, qr'.*@lycosmail\.com$'i, qr'.*@afropoets\.com$'i, qr'.*@spl\.at$'i, qr'.*@moering\.de$'i, qr'.*@pdgbroadcast\.com$'i, qr'.*@ESPN\.com$'i, qr'.*@gantke-net\.com$'i, qr'.*@craftemail\.com$'i, qr'.*@bju\.edu$'i, qr'.*@takas\.lt$'i, qr'.*@neuform-propeller\.de$'i, qr'.*@inow\.com$'i, qr'.*@inland\.net$'i, qr'.*@emarsistemi\.it$'i, qr'.*@quoteland\.com$'i, qr'.*@backyardjungle\.org$'i, qr'.*@servicemagic\.com$'i, qr'.*@expn\.com$'i, qr'.*@aahlife\.com$'i, qr'.*@suomi24\.fi$'i, qr'.*@adams-online\.de$'i, qr'.*@advmgtconcepts\.com$'i, qr'.*@stampauctions\.se$'i, qr'.*@gol\.com$'i, qr'.*@pqnb\.com$'i, qr'.*@dodgeit\.com$'i, qr'.*@tvc\.es$'i, qr'.*@nightstyles\.net$'i, qr'.*@netster\.com$'i, qr'.*@dyaryoboy\.com$'i, qr'.*@handbag\.com$'i, qr'.*@carmax\.com$'i, qr'.*@stony4921rneds\.com$'i, qr'.*@sbcglobal\.net$'i, qr'.*@cyberwebglobal\.info$'i, qr'.*@wesleymail\.com$'i, qr'.*@gowebway\.com$'i, qr'.*@yahoo\.gr$'i, qr'.*@hardwarefan\.com$'i, qr'.*@flash\.net$'i, qr'.*@ciateq\.mx$'i, qr'.*@myway\.com$'i, qr'.*@phayze\.com$'i, qr'.*@desilver\.com$'i, qr'.*@semistable\.com$'i, qr'.*@catcha\.com$'i, qr'.*@armagalli\.com$'i, qr'.*@recruited2055rneds\.com$'i, qr'.*@asiamail\.com$'i, qr'.*@tmicha\.net$'i, qr'.*@inker\.com$'i, qr'.*@tatanova\.com$'i, qr'.*@easypeasy\.com$'i, qr'.*@peepingtomtortoises\.com$'i, qr'.*@harryturtlepeepers\.com$'i, qr'.*@bass-security\.com$'i, qr'.*@carrier\.kiev\.ua$'i, qr'.*@openface\.ca$'i, qr'.*@tverskov\.dk$'i, qr'.*@luxuryhomesinc\.com$'i, qr'.*@aafintl\.com$'i, qr'.*@mokai\.de$'i, qr'.*@outgun\.com$'i, qr'.*@siba\.fi$'i, qr'.*@yyhmail\.com$'i, qr'.*@akela\.ro$'i, qr'.*@aonix\.de$'i, qr'.*@assetnewmedia\.de$'i, qr'.*@optincomp\.info$'i, qr'.*@steels4foreknew\.com$'i, qr'.*@gmail\.com$'i, qr'.*@fastmail\.fm$'i, qr'.*@paamco\.com$'i, qr'.*@accessfactory\.com$'i, qr'.*@tucomm\.net$'i, qr'.*@netoffersnow\.com$'i, qr'.*@chifren\.de$'i, qr'.*@evafan\.com$'i, qr'.*@cheerful\.com$'i, qr'.*@acuario\.com$'i, qr'.*@advodata\.be$'i, qr'.*@asptoday\.com$'i, qr'.*@citibank\.com$'i, qr'.*@check1check\.com$'i, qr'.*@ahmed\.com$'i, qr'.*@online-dialer\.com$'i, qr'.*@arkwright\.com$'i, qr'.*@access-one\.com$'i, qr'.*@norcov\.com$'i, qr'.*@datasync\.com$'i, qr'.*@accessloans\.com$'i, qr'.*@carleton\.ca$'i, qr'.*@softlineamerica\.com$'i, qr'.*@azzit\.de$'i, qr'.*@asapso\.de$'i, qr'.*@despammed\.com$'i, qr'.*@ufredbx\.com$'i, qr'.*@norgesmail\.com$'i, qr'.*@mail2Richard\.com$'i, qr'.*@charterwv\.net$'i, qr'.*@stallion\.ee$'i, qr'.*@inbox\.ru$'i, qr'.*@way2vn\.com$'i, qr'.*@act-online\.de$'i, qr'.*@tigerdrive\.com$'i, qr'.*@accutek\.com$'i, qr'.*@absolutemotion\.com$'i, qr'.*@yapost\.com$'i, qr'.*@t-dialin\.net$'i, qr'.*@mailserver\.de$'i, qr'.*@starfrog\.de$'i, qr'.*@bmbuss\.de$'i, qr'.*@access\.com$'i, qr'.*@birdowner\.net$'i, qr'.*@shops\.com$'i, qr'.*@mailpride\.com$'i, qr'.*@alphasystem\.no$'i, qr'.*@wbox\.de$'i, qr'.*@emosaustin\.com$'i, qr'.*@giminc\.com$'i, qr'.*@queretaro\.com$'i, qr'.*@inos\.com$'i, qr'.*@modern-products\.at$'i, qr'.*@atom\.hu$'i, qr'.*@paypal\.com$'i, qr'.*@138mail\.com$'i, qr'.*@relia\.net$'i, qr'.*@chinchilla\.de$'i, qr'.*@educationalministries\.com$'i, qr'.*@websentric\.com$'i, qr'.*@dighty\.com$'i, qr'.*@scriptsportal\.com$'i, qr'.*@goingincircles\.com$'i, qr'.*@blocspam\.com$'i, qr'.*@peta\.org$'i, qr'.*@doxdesk\.com$'i, qr'.*@tatasteel\.com$'i, qr'.*@sinhalaya\.com$'i, qr'.*@netidentity\.com$'i, qr'.*@meramec\.com$'i, qr'.*@computermail\.net$'i, qr'.*@directvinternet\.com$'i, qr'.*@iepg\.org$'i, qr'.*@taet-tat\.ch$'i, qr'.*@mz-home\.de$'i, qr'.*@sos-software\.ch$'i, qr'.*@eduhi\.at$'i, qr'.*@hacker\.ag$'i, qr'.*@bytebox\.de$'i )); # NOTE: whitelisting is becoming deprecated because sender address is # all too often faked; use @score_sender_maps for soft-whitelisting! # # Illustrates the use of several lookup tables: # # @whitelist_sender_maps = ( # # # read_hash("$MYHOME/whitelist_sender"), # a hash table read from a file # # # and another hash lookup table constructed in-line, with keys lowercased: # { map {lc $_ => 1} qw( # nobody@cert.org # cert-advisory@us-cert.gov # owner-alert@iss.net # slashdot@slashdot.org # bugtraq@securityfocus.com # NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM # security-alerts@linuxsecurity.com # amavis-user-admin@lists.sourceforge.net # notification-return@lists.sophos.com # mailman-announce-admin@python.org # owner-postfix-users@postfix.org # owner-postfix-announce@postfix.org # owner-sendmail-announce@lists.sendmail.org # sendmail-announce-request@lists.sendmail.org # owner-technews@postel.ACM.ORG # lvs-users-admin@LinuxVirtualServer.org # ietf-123-owner@loki.ietf.org # cvs-commits-list-admin@gnome.org # rt-users-admin@lists.fsck.com # clp-request@comp.nus.edu.sg # surveys-errors@lists.nua.ie # emailNews@genomeweb.com # owner-textbreakingnews@CNNIMAIL12.CNN.COM # yahoo-dev-null@yahoo-inc.com # returns.groups.yahoo.com # )}, # # # { '' => 1 }, # and another one, containing just an empty reverse path (DSN) # # ); # ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT # The same semantics as for global white/blacklisting applies, but this # time each recipient (or its domain, or subdomain, ...) can be given # an individual lookup table for matching senders. The per-recipient lookups # take precedence over the global lookups, which serve as a fallback default. # Specify a two-level lookup table: the key for the outer table is recipient, # and the result should be an inner lookup table (hash or ACL or RE), # where the key used will be the sender. (Note that this structure is flatter # than @score_sender_maps, where the first level result is a ref to a _list_ # of inner lookup tables, not a ref to a single lookup table.) # #$per_recip_blacklist_sender_lookup_tables = { # 'user1@my.example.com'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i), # 'user2@my.example.com'=>[qw( spammer@d1.example,org .d2.example,org )], #}; #$per_recip_whitelist_sender_lookup_tables = { # 'user@my.example.com' => [qw( friend@example.org .other.example.org )], # '.my1.example.com' => [qw( !foe.other.example,org .other.example,org )], # '.my2.example.com' => read_hash("$MYHOME/my2-wl.dat"), # 'abuse@' => { 'postmaster@'=>1, # 'cert-advisory-owner@cert.org'=>1, 'owner-alert@iss.net'=>1 }, #}; # # ============================================================================= # Section VI - Resource limits # ============================================================================= # # Sanity limit to the number of allowed recipients per SMTP transaction # $smtpd_recipient_limit = 1100; # (default is 1100) # Resource limits to protect unpackers, decompressors and virus scanners # against mail bombs (e.g. 42.zip) # Maximum recursion level for extraction/decoding (0 or undef disables limit) $MAXLEVELS = 14; # (default is undef, no limit) # Maximum number of extracted files (0 or undef disables the limit) $MAXFILES = 1500; # (default is undef, no limit) # For the cumulative total of all decoded mail parts we set max storage size # to defend against mail bombs. Even though parts may be deleted (replaced # by decoded text) during decoding, the size they occupied is _not_ returned # to the quota pool. # # Parameters to storage quota formula for unpacking/decoding/decompressing # Formula: # quota = max($MIN_EXPANSION_QUOTA, # $mail_size*$MIN_EXPANSION_FACTOR, # min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR)) # In plain words (later condition overrules previous ones): # allow MAX_EXPANSION_FACTOR times initial mail size, # but not more than MAX_EXPANSION_QUOTA, # but not less than MIN_EXPANSION_FACTOR times initial mail size, # but never less than MIN_EXPANSION_QUOTA # $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) $MIN_EXPANSION_FACTOR = 5; # times original mail size (default is 5) $MAX_EXPANSION_FACTOR = 500; # times original mail size (default is 500) # expiration time of cached results: time to live in seconds # (how long the result of a virus/spam test remains valid) $virus_check_negative_ttl= 3*60; # time to remember that mail was not infected $virus_check_positive_ttl= 30*60; # time to remember that mail was infected $spam_check_negative_ttl = 30*60; # time to remember that mail was not spam $spam_check_positive_ttl = 30*60; # time to remember that mail was spam # # NOTE: # Cache size will be determined by the largest of the $*_ttl values. # Depending on the mail rate, the cache database may grow quite large. # Reasonable compromise for the max value is 15 minutes to 2 hours. # # ============================================================================= # Section VII - External programs, virus scanners # ============================================================================= # # Specify a path string, which is a colon-separated string of directories # (no trailing slashes!) to be assigned to the environment variable PATH # and to serve for locating external programs below. # NOTE: if $daemon_chroot_dir is nonempty, the directories will be # relative to the chroot directory specified; $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; # Specify one string or a search list of strings (first match wins). # The string (or: each string in a list) may be an absolute path, # or just a program name, to be located via $path; # Empty string or undef (=default) disables the use of that external program. # Optionally command arguments may be specified - only the first substring # up to the whitespace is used for file searching. # required: $file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability # optional: $gzip = 'gzip'; $bzip2 = 'bzip2'; $lzop = 'lzop'; $rpm2cpio = ['rpm2cpio.pl','rpm2cpio']; $cabextract = 'cabextract'; $uncompress = ['uncompress', 'gzip -d', 'zcat']; $unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat']; $arc = ['nomarch', 'arc']; $unarj = ['arj', 'unarj']; # both can extract, arj is recommended $unrar = ['rar', 'unrar']; # both can extract, same options $zoo = 'zoo'; $lha = 'lha'; $cpio = ['gcpio','cpio']; # gcpio is a GNU cpio on OpenBSD, which supports # the options needed; the rest of us use cpio $ar = 'ar'; # Unix binary archives and Debian binary packages $dspam = 'dspam'; # ============================================================================= # SpamAssassin settings # ============================================================================= # $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value # of the option local_tests_only. See Mail::SpamAssassin man page. # If set to 1, no SA tests that require internet access will be performed. # $sa_local_tests_only = 0; # (default: false) $sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant # for SA 3.0, its cf option is use_auto_whitelist) $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger # (less than 1% of spam is > 64k) # default: undef, no limitations # default values, customarily used in the @spam_*_level_maps as the last entry $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level; # undef is interpreted as lower than any spam level $sa_tag2_level_deflt = 2.0; # add 'spam detected' headers at that level to # passed mail (e.g. when $final_spam_destiny=D_PASS # or for spam_lovers or when below kill_level) $sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions # at or above that level: bounce/reject/drop, # quarantine, and adding mail address extension $sa_dsn_cutoff_level = 5; # spam level beyond which a DSN is not sent, # effectively turning D_BOUNCE into D_DISCARD; # undef disables this feature and is a default; # advanced example specifying per-recipient values using a hash lookup: #@spam_tag_level_maps = (\$sa_tag_level_deflt); # this is a default #@spam_tag2_level_maps = ( # { 'user1@example.com' => 8.0, '.example.com' => 6.0 }, # \$sa_tag2_level_deflt, # catchall default #); #@spam_kill_level_maps = ( # { 'user1@example.com' => 8.0, '.example.com' => 6.0 }, # \$sa_kill_level_deflt, # catchall default #); #@spam_dsn_cutoff_level_maps = ( # { 'user1@example.com' => 10, '.example.com' => 15 }, # \$sa_dsn_cutoff_level, # catchall default #); # a quick reference: # tag_level controls adding the X-Spam-Status and X-Spam-Level headers, # tag2_level controls adding 'X-Spam-Flag: YES', editing (tagging) Subject, # and adding address extensions, # kill_level controls 'evasive actions' (reject, quarantine); # it only makes sense to maintain the relationship: # tag_level <= tag2_level <= kill_level < dsn_cutoff_level # string to prepend to Subject header field when message exceeds tag2 level $sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled) # (only seen when spam is passed and recipient is # in local_domains*) $sa_spam_modifies_subj = 1; # in @sa_spam_modifies_subj_maps, default is true # Example: modify Subject for all local recipients except user@example.com #@sa_spam_modifies_subj_maps = ( [qw( !user@example.com . )] ); #$sa_spam_level_char = '*'; # char for X-Spam-Level bar, defaults to '*'; # undef or empty disables inserting X-Spam-Level #$sa_spam_report_header = 0; # insert X-Spam-Report header field? default false # stop anti-virus scanning when the first scanner detects a virus? #$first_infected_stops_scan = 1; # default is false, all scanners in a section # are called # @av_scanners is a list of n-tuples, where fields semantics is: # 1. av scanner plain name, to be used in log and reports; # 2. scanner program name; this string will be submitted to subroutine # find_external_programs(), which will try to find the full program path # name during startup; if program is not found, this scanner is disabled. # Besides a simple string (full program path name or just the basename # to be looked for in PATH), this may be an array ref of alternative # program names or full paths - the first match in the list will be used; # As a special case for more complex scanners, this field may be # a subroutine reference, and the whole n-tuple is passed to it as args. # 3. command arguments to be given to the scanner program; # a substring {} will be replaced by the directory name to be scanned, i.e. # "$tempdir/parts", a "*" will be replaced by base file names of parts; # 4. an array ref of av scanner exit status values, or a regexp (to be # matched against scanner output), indicating NO VIRUSES found; # 5. an array ref of av scanner exit status values, or a regexp (to be # matched against scanner output), indicating VIRUSES WERE FOUND; # Note: the virus match prevails over a 'not found' match, so it is safe # even if the no. 4. matches for viruses too; # 6. a regexp (to be matched against scanner output), returning a list # of virus names found, or a sub ref, returning such a list when given # scanner output as argument; # 7. and 8.: (optional) subroutines to be executed before and after scanner # (e.g. to set environment or current directory); # see examples for these at KasperskyLab AVP and NAI uvscan. # NOTES: # # - NOT DEFINING @av_scanners (e.g. setting it to empty list, or deleting the # whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE # (which can be handy if all you want to do is spam scanning); # # - the order matters: although _all_ available entries from the list # are tried regardless of their verdict, scanners are run in the order # specified: the report from the first one detecting a virus will be used # (providing virus names and scanner output); REARRANGE THE ORDER TO WILL; # see also $first_infected_stops_scan; # # - it doesn't hurt to keep an unused command line scanner entry in the list # if the program can not be found; the path search is only performed once # during the program startup; # # COROLLARY: to disable a scanner that _does_ exist on your system, # comment out its entry or use undef or '' as its program name/path # (second parameter). An example where this is almost a must: disable # Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl # (same for Trophie/vscan, and clamd/clamscan), or if another unrelated # program happens to have a name matching one of the entries ('sweep' # again comes to mind); # # - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES # for interfacing (where the second parameter starts with \&). # Keeping such entry and not having a corresponding virus scanner daemon # causes an unnecessary connection attempt (which eventually times out, # but it wastes precious time). For this reason the daemonized entries # are commented in the distribution - just remove the '#' where needed. # # CERT list of av resources: http://www.cert.org/other_sources/viruses.html @av_scanners = ( # ### http://www.vanja.com/tools/sophie/ # ['Sophie', # \&ask_daemon, ["{}/\n", '/var/run/sophie'], # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, # qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ], # ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ # ['Sophos SAVI', \&sophos_savi ], # ### http://www.clamav.net/ # ['ClamAV-clamd', # \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], # qr/\bOK$/, qr/\bFOUND$/, # qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], # # NOTE: run clamd under the same user as amavisd; match the socket # # name (LocalSocket) in clamav.conf to the socket name in this entry # # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"], # ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) # ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/], # ### http://www.openantivirus.org/ # ['OpenAntiVirus ScannerDaemon (OAV)', # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], # qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ], # ### http://www.vanja.com/tools/trophie/ # ['Trophie', # \&ask_daemon, ["{}/\n", '/var/run/trophie'], # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, # qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ], # ### http://www.grisoft.com/ # ['AVG Anti-Virus', # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], # qr/^200/, qr/^403/, qr/^403 .*?: ([^\r\n]+)/ ], # ### http://www.f-prot.com/ # ['FRISK F-Prot Daemon', # \&ask_daemon, # ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", # ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202', # '127.0.0.1:10203','127.0.0.1:10204'] ], # qr/(?i)]*>clean<\/summary>/, # qr/(?i)]*>infected<\/summary>/, # qr/(?i)(.+)<\/name>/ ], # ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ # ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later # [pack('N',1). # DRWEBD_SCAN_CMD # pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES # pack('N', # path length # length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). # '{}/*'. # path # pack('N',0). # content size # pack('N',0), # '/var/drweb/run/drwebd.sock', # # '/var/amavis/var/run/drwebd.sock', # suitable for chroot # # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default # # '127.0.0.1:3000', # or over an inet socket # ], # qr/\A\x00[\x10\x11][\x00\x10]\x00/s, # IS_CLEAN,EVAL_KEY; SKIPPED # qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/s, # KNOWN_V,UNKNOWN_V,V._MODIF # qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s, # ], # # NOTE: If using amavis-milter, change length to: # # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). ### http://www.kaspersky.com/ (in the 'file server version') ['KasperskyLab AVP - aveclient', ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', '/opt/kav/bin/aveclient','aveclient'], '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/, qr/(?:INFECTED|SUSPICION) (.+)/, ], ### http://www.kaspersky.com/ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? qr/infected: (.+)/, sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], ### The kavdaemon and AVPDaemonClient have been removed from Kasperky ### products and replaced by aveserver and aveclient ['KasperskyLab AVPDaemonClient', [ '/opt/AVP/kavdaemon', 'kavdaemon', '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', '/opt/AVP/AvpTeamDream', 'AvpTeamDream', '/opt/AVP/avpdc', 'avpdc' ], "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ], # change the startup-script in /etc/init.d/kavd to: # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) # adjusting /var/amavis above to match your $TEMPBASE. # The '-f=/var/amavis' is needed if not running it as root, so it # can find, read, and write its pid file, etc., see 'man kavdaemon'. # defUnix.prf: there must be an entry "*/var/amavis" (or whatever # directory $TEMPBASE specifies) in the 'Names=' section. # cd /opt/AVP/DaemonClients; configure; cd Sample; make # cp AvpDaemonClient /opt/AVP/ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" ### http://www.hbedv.com/ or http://www.centralcommand.com/ ['H+BEDV AntiVir or CentralCommand Vexira Antivirus', ['antivir','vexira'], '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/, qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ], # NOTE: if you only have a demo version, remove -z and add 214, as in: # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, ### http://www.commandsoftware.com/ ['Command AntiVirus for Linux', 'csav', '-all -archive -packed {}', [50], [51,52,53], qr/Infection: (.+)/ ], ### http://www.symantec.com/ ['Symantec CarrierScan via Symantec CommandLineScanner', 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', qr/^Files Infected:\s+0$/, qr/^Infected\b/, qr/^(?:Info|Virus Name):\s+(.+)/ ], ### http://www.symantec.com/ ['Symantec AntiVirus Scan Engine', 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', [0], qr/^Infected\b/, qr/^(?:Info|Virus Name):\s+(.+)/ ], # NOTE: check options and patterns to see which entry better applies ### http://www.f-secure.com/products/anti-virus/ ['F-Secure Antivirus', 'fsav', '--dumb --mime --archive {}', [0], [3,8], qr/(?:infection|Infected|Suspected): (.+)/ ], ['CAI InoculateIT', 'inocucmd', # retired product '-sec -nex {}', [0], [100], qr/was infected by virus (.+)/ ], # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) ['CAI eTrust Antivirus', 'etrust-wrapper', '-arc -nex -spm h {}', [0], [101], qr/is infected by virus: (.+)/ ], # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 ### http://mks.com.pl/english.html ['MkS_Vir for Linux (beta)', ['mks32','mks'], '-s {}/*', [0], [1,2], qr/--[ \t]*(.+)/ ], ### http://mks.com.pl/english.html ['MkS_Vir daemon', 'mksscan', '-s -q {}', [0], [1..7], qr/^... (\S+)/ ], ### http://www.nod32.com/ ['ESET Software NOD32', 'nod32', '-all -subdir+ {}', [0], [1,2], qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ], ### http://www.nod32.com/ ['ESET Software NOD32 - Client/Server Version', 'nod32cli', '-a -r -d recurse --heur standard {}', [0], [10,11], qr/^\S+\s+infected:\s+(.+)/ ], # Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 # ['ESET Software NOD32 Client/Server (NOD32SS)', # \&ask_daemon2, # greets with 200, persistent, terminate with QUIT # ["SCAN {}/*\r\n", '127.0.0.1:8448' ], # qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ], ### http://www.norman.com/products_nvc.shtml ['Norman Virus Control v5 / Linux', 'nvcc', '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], qr/(?i).* virus in .* -> \'(.+)\'/ ], ### http://www.pandasoftware.com/ ['Panda Antivirus for Linux', ['pavcl'], '-aut -aex -heu -cmp -nbr -nor -nso -eng {}', qr/Number of files infected[ .]*: 0+(?!\d)/, qr/Number of files infected[ .]*: 0*[1-9]/, qr/Found virus :\s*(\S+)/ ], # ### http://www.pandasoftware.com/ # ['Panda Antivirus for Linux', ['pavcl'], # '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', # [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], # qr/Found virus :\s*(\S+)/ ], # GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. # Check your RAV license terms before fiddling with the following two lines! # ['GeCAD RAV AntiVirus 8', 'ravav', # '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ], # # NOTE: the command line switches changed with scan engine 8.5 ! # # (btw, assigning stdin to /dev/null causes RAV to fail) ### http://www.nai.com/ ['NAI McAfee AntiVirus (uvscan)', 'uvscan', '--secure -rv --mime --summary --noboot - {}', [0], [13], qr/(?x) Found (?: \ the\ (.+)\ (?:virus|trojan) | \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | :\ (.+)\ NOT\ a\ virus)/, # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, # sub {delete $ENV{LD_PRELOAD}}, ], # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 # and then clear it when finished to avoid confusing anything else. # NOTE2: to treat encrypted files as viruses replace the [13] with: # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ ### http://www.virusbuster.hu/en/ ['VirusBuster', ['vbuster', 'vbengcl'], # VirusBuster Ltd. does not support the daemon version for the workstation # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of # binaries, some parameters AND return codes have changed (from 3 to 1). "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], qr/: '(.*)' - Virus/ ], # ### http://www.virusbuster.hu/en/ # ['VirusBuster (Client + Daemon)', 'vbengd', # # HINT: for an infected file it always returns 3, # # although the man-page tells a different story # '-f -log scandir {}', [0], [3], # qr/Virus found = (.*);/ ], ### http://www.cyber.com/ ['CyberSoft VFind', 'vfind', '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/, # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, ], ### http://www.ikarus-software.com/ ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40], qr/Signature (.+) found/ ], ### http://www.bitdefender.com/ ['BitDefender', 'bdc', '--all --arc --mail {}', qr/^Infected files *:0+(?!\d)/, qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, qr/(?:suspected|infected): (.*)(?:\033|$)/ ], # ### example: fully-fledged checker for JPEG marker segments of invalid length # ['check-jpeg', # sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) }, # ["{}/*"], [0], [1], qr/^(bad jpeg: .*)$/ ], # # NOTE: place file JpegTester.pm somewhere where Perl can find it, # # for example in /usr/local/lib/perl5/site_perl # ### example: simpleminded checker for JPEG marker segments of invalid length # ### (only checks first 32k, which is not thorough enough) # ['check-jpeg-simple', # sub { Amavis::AV::ask_av(sub { # my($f)=@_; local(*FF,$_,$1,$2); my(@r)=(0,'not jpeg'); # open(FF,$f) or die "jpeg: open err $f: $!"; # binmode(FF) or die "jpeg: binmode err $f: $!"; # defined read(FF,$_,32000) or die "jpeg: read err $f: $!"; # close(FF) or die "jpeg: close err $f: $!"; # if (/^\xff\xd8\xff/) { # @r=(0,'jpeg ok'); # while (!/\G(?:\xff\xd9|\z)/gc) { # EOI or eof # if (/\G\xff+(?=\xff|\z)/gc) {} # fill-bytes before marker # elsif (/\G\xff([\x01\xd0-\xd8])/gc) {} # TEM, RSTi, SOI # elsif (/\G\xff([^\x00\xff])(..)/gcs) { # marker segment start # my($n)=unpack("n",$2)-2; # $n=32766 if $n>32766; # Perl regexp limit # if ($n<0) {@r=(1,"bad jpeg: len=$n, pos=".pos); last} # elsif (/\G.{$n}/gcs) {} # ok # elsif (/\G.{0,$n}\z/gcs) {last} # truncated # else {@r=(1,"bad jpeg: unexpected, pos=".pos); last} # } # elsif (/\G[^\xff]+/gc) {} # ECS # elsif (/\G(?:\xff\x00)+/gc) {} # ECS # else {@r=(2,"bad jpeg: unexpected char, pos=".pos); last} # } # }; @r}, @_) }, # ["{}/*"], [0], [1], qr/^(bad jpeg: .*)$/ ], ); # If no virus scanners from the @av_scanners list produce 'clean' nor # 'infected' status (i.e. they all fail to run or the list is empty), # then _all_ scanners from the @av_scanners_backup list are tried # (again, subject to $first_infected_stops_scan). When there are both # daemonized and equivalent or similar command-line scanners available, # it is customary to place slower command-line scanners in the # @av_scanners_backup list. The default choice is somewhat arbitrary, # move entries from one list to another as desired, keeping main scanners # in the primary list to avoid warnings. @av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ### http://www.f-prot.com/ - backs up F-Prot Daemon ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], qr/Infection: (.+)/ ], ### http://www.trendmicro.com/ - backs up Trophie ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD ['drweb - DrWeb Antivirus', ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'], '-i1 -xp {}', [0,10,15], [5,20,21,25], qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ , sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], # Commented out because the name 'sweep' clashes with Debian and FreeBSD # package/port of an audio editor. Make sure the correct 'sweep' is found # in the path when enabling. # # ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl # ['Sophos Anti Virus (sweep)', 'sweep', # '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}', # [0,2], qr/Virus .*? found/, # qr/^>>> Virus(?: fragment)? '?(.*?)'? found/, # ], # # other options to consider: -mime -oe -idedir=/usr/local/sav # always succeeds (uncomment to consider mail clean if all other scanners fail) # ['always-clean', sub {0}], ); # # ============================================================================= # Section VIII - Debugging # ============================================================================= # # The most useful debugging tool is to run amavisd-new non-detached # from a terminal window using command: # amavisd debug # Some more refined approaches: # If sender matches ACL, turn debugging fully up, just for this one message #@debug_sender_maps = ( ["test-sender\@$mydomain"] ); #@debug_sender_maps = ( [qw( debug@example.com debug@example.net )] ); # May be useful along with @debug_sender_maps: # Prevent all decoded originals being deleted (replaced by decoded part) #@keep_decoded_original_maps = (1); # Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug') $sa_debug = 1; # defaults to false # # ============================================================================= # Section IX - Policy banks (dynamic policy switching) # ============================================================================= # ## Define some policy banks (sets of settings) and give them ## arbitrary names (the '' and 'MYNETS' have special meaning): # # $policy_bank{'ALT'} = { # log_level => 3, # inet_acl => [qw( 10.0.1.14 )], # final_spam_destiny => D_PASS, final_bad_header_destiny => D_PASS, # forward_method => 'smtp:*:*', # notify_method => 'smtp:[127.0.0.1]:10025', # virus_admin_maps => "abuse\@$mydomain", # spam_lovers_maps => [@spam_lovers_maps, [qw( abuse@example.com )]], # spam_tag_level_maps => 2.1, # spam_tag2_level_maps => 6.32, # spam_kill_level_maps => 6.72, # spam_dsn_cutoff_level_maps => 9, # defang_spam => 1, # local_client_bind_address => '10.11.12.13', # localhost_name => 'amavis.example.com', # smtpd_greeting_banner => # '${helo-name} ${protocol} ${product} ${version-id} (${version-date}) TEST service ready'; # auth_mech_avail => [qw(PLAIN LOGIN)], # auth_required_inp => 1, # auth_required_out => 1, # amavis_auth_user => 'amavisd', amavis_auth_pass = 'tOpsecretX', # av_scanners => [ # provide only 'free' scanners # ['ClamAV-clamd', # \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], # qr/\bOK$/, qr/\bFOUND$/, # qr/^.*?: (?!Infected Archive)(.*) FOUND$/, # ], # ], # av_scanners_backup => [ # ['ClamAV-clamscan', 'clamscan', # "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], # qr/^.*?: (?!Infected Archive)(.*) FOUND$/, # ], # ], # }; # NOTE: the use of policy banks for changing protocol on the input socket is # only needed when different protocols need to be spoken on different sockets # at the same time. For normal use just set e.g.: $protocol='AM.PDP'; # # $policy_bank{'AM.PDP'} = { # log_level => 3, # protocol=>'AM.PDP', # Amavis policy delegation protocol (new milter helper) # }; ## the name 'MYNETS' has special semantics: this policy bank gets loaded ## whenever MTA supplies the original SMTP client IP address (Postfix XFORWARD ## extension or a new AM.PDP protocol) and that address matches @mynetworks. # # $policy_bank{'MYNETS'} = { # mail originating from @mynetworks # spam_kill_level_maps => 6.9, # spam_admin_maps => ["spamalert\@$mydomain"], # alert of internal spam # bypass_spam_checks_maps => [1], # or: don't spam-check internal mail # bypass_banned_checks_maps => [1], # don't banned-check internal mail # }; ## Now we can assign policy banks to amavisd tcp port numbers listed in ## $inet_socket_port. Whenever the connection from MTA is received, first ## a built-in policy bank $policy_bank{''} gets loaded, which bringings-in ## all the global/legacy settings, then it gets overlaid by the bank ## named in the $interface_policy{$port} if any, and finally the bank ## 'MYNETS' is overlaid if it exists and the SMTP client IP address ## is known (by XFORWARD command from MTA) and it matches @mynetworks. # $interface_policy{'10026'} = 'ALT'; # $interface_policy{'9998'} = 'AM.PDP'; # $interface_policy{'SOCK'} = 'AM.PDP'; #------------- 1; # insure a defined return