Ich habe viele Mais an die ML bzgl. amavisd gelesen, bin aber nicht fündig 
geworden, warum ich keinen Header-Eintrag mit client4 habe.

Unten sieht man, dass amavisd gestartet wurde und auch clamav automatisch 
aktualisert wurde. Statt * ist ein FQDN zu betrachten. Vom Host gw erfolgt 
ein amavis-Eintrag, von client4 nicht. Mails an root und ab von client4, 
werden an den User ab auf gw via /etc/aliases umgeleitet.


postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = client4.local.*, localhost.local.*, localhost
myhostname = client4.local.*
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)


Log eines simplen Testmails
Jan 22 23:14:30 client4 postfix/pickup[11569]: 5BD8737FC2: uid=0 from=<root>
Jan 22 23:14:30 client4 postfix/cleanup[11577]: 5BD8737FC2: 
message-id=<[EMAIL PROTECTED]>
Jan 22 23:14:30 client4 postfix/qmgr[11570]: 5BD8737FC2: 
from=<[EMAIL PROTECTED]>, size=463, nrcpt=1 (queue active)
Jan 22 23:14:30 client4 postfix/cleanup[11577]: 5DD1C17536: 
message-id=<[EMAIL PROTECTED]>
Jan 22 23:14:30 client4 postfix/qmgr[11570]: 5DD1C17536: 
from=<[EMAIL PROTECTED]>, size=612, nrcpt=1 (queue active)
Jan 22 23:14:30 client4 postfix/local[11579]: 5BD8737FC2: 
to=<[EMAIL PROTECTED]>, orig_to=<root>, relay=local, delay=0, status=sent 
(forwarded as 5DD1C17536)
Jan 22 23:14:30 client4 postfix/qmgr[11570]: 5BD8737FC2: removed
Jan 22 23:14:30 client4 postfix/smtp[11580]: 5DD1C17536: to=<[EMAIL 
PROTECTED]>, 
orig_to=<root>, relay=gw.local.*[192.168.1.99], delay=0, status=sent (250 Ok: 
queued as A7AD755EAC1)
Jan 22 23:14:30 client4 postfix/qmgr[11570]: 5DD1C17536: removed


Header dieses simplen Testmails
Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1])
        by gw.local.* (Postfix) with ESMTP id 486CA56C1DC
        for <[EMAIL PROTECTED]>; Sun, 22 Jan 2006 23:14:31 +0100 (CET)
Received: from gw.local.* ([127.0.0.1])
 by localhost (gw [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
 id 11821-01 for <[EMAIL PROTECTED]>;
 Sun, 22 Jan 2006 23:14:29 +0100 (CET)
Received: from client4.local.* (client4.local.* [192.168.1.104])
        by gw.local.* (Postfix) with ESMTP id A7AD755EAC1
        for <[EMAIL PROTECTED]>; Sun, 22 Jan 2006 23:14:29 +0100 (CET)
Received: by client4.local.* (Postfix)
        id 5DD1C17536; Sun, 22 Jan 2006 23:14:30 +0100 (CET)
Delivered-To: [EMAIL PROTECTED]
Received: by client4.local.* (Postfix, from userid 0)
        id 5BD8737FC2; Sun, 22 Jan 2006 23:14:30 +0100 (CET)
Date: Sun, 22 Jan 2006 23:14:30 +0100
To: [EMAIL PROTECTED]
Subject: Test
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain;
  charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED] (root)
X-Virus-Scanned: by amavisd-new at gw.local.*




Ein Testmail mit einem Virus:

nail -a virus-20051121-204103-15708-06 [EMAIL PROTECTED]

Jan 22 23:16:10 client4 postfix/pickup[11569]: 5843E37FC2: uid=1000 from=<ab>
Jan 22 23:16:10 client4 postfix/cleanup[11590]: 5843E37FC2: 
message-id=<[EMAIL PROTECTED]>
Jan 22 23:16:10 client4 postfix/qmgr[11570]: 5843E37FC2: 
from=<[EMAIL PROTECTED]>, size=80732, nrcpt=1 (queue active)
Jan 22 23:16:11 client4 postfix/smtp[11591]: 5843E37FC2: to=<[EMAIL 
PROTECTED]>, 
relay=gw.local.*[192.168.1.99], delay=1, status=sent (250 Ok: queued as 
9C1B956DE14)
Jan 22 23:16:11 client4 postfix/qmgr[11570]: 5843E37FC2: removed



Das Mail wurde also offensichtlich durchgelassen.

Vom Rechner gw erhielt ich dann einen Virusalert.

Kann es sein, dass mein Postfix nicht so konfiguriert ist, wie ich möchte, 
nämlich, dass der lokal sendende Client bereits auf Viren prüft? Es folgen 
noch weitere Infos:



 ################### LogWatch 7.1 (11/12/05) #################### 

 --------------------- amavis Begin ------------------------ 
...
    Found decoder for    .bz2  at /usr/bin/bzip2 -d: 10 Time(s)
    starting.  /usr/sbin/amavisd-new at client4.local.pinguin.uni.cc 
amavisd-new-2.3.3 (20050822), Unicode aware: 9 Time(s)
    starting.  /usr/sbin/amavisd-new at client4.local.pinguin.uni.cc 
amavisd-new-2.3.3 (20050822), Unicode aware, LANG=de_AT.UTF-8: 1 Time(s)
 ---------------------- amavis End ------------------------- 

 
 --------------------- clam-update Begin ------------------------ 
 The following version(s) of the freshclam daemon were started
    0.88 (OS: linux-gnu, ARCH: i386, CPU: i486): 10 Time(s)
 The ClamAV updated process was started 11 time(s)
 Last ClamAV update process started at Sat Jan 21 23:58:36 2006
 Last Status:
    main.cvd is up to date (version: 35, sigs: 41649, f-level: 6, builder: 
tkojm)
    daily.cvd is up to date (version: 1247, sigs: 849, f-level: 6, builder: 
sven)
 ---------------------- clam-update End -------------------------





/etc/default/spamassassin
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"


/etc/amavis/conf.d/50-user
use strict;
$mydomain = '';
$sa_tag_level_deflt  = -100;  # add spam info headers if at, or above that 
level
1;  # insure a defined return


etc/amavis/conf.d/05-node_id
use strict;
chomp($myhostname = `hostname --fqdn`);
chomp($mydomain = `head -n 1 /etc/mailname`);
1;  # insure a defined return


/etc/amavis/conf.d/15-content_filter_mode
use strict;
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, [EMAIL PROTECTED], 
\$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, [EMAIL PROTECTED], \$bypass_spam_checks_re);
1;  # insure a defined return


which freshclam
/usr/bin/freshclam

which bdc
/usr/bin/bdc

which f-prot
/usr/bin/f-prot

which antivir
/usr/bin/antivir


/etc/amavis/conf.d/15-av_scanners
use strict;
@av_scanners = (
 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
    qr/(?:INFECTED|SUSPICION) (.+)/,
  ],
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
    qr/infected: (.+)/,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon',       'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
  ['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
    ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/ ],
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/, qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose 
{}',
    [0], qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
  ['F-Secure Antivirus', 'fsav',
    '--dumb --mime --archive {}', [0], [3,8],
    qr/(?:infection|Infected|Suspected): (.+)/ ],
  ['CAI InoculateIT', 'inocucmd',  # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/ ],
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/ ],
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/ ],
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/ ],
  ['ESET Software NOD32', 'nod32',
    '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],
  ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
    '-a -r -d recurse --heur standard {}', [0], [10,11],
    qr/^\S+\s+infected:\s+(.+)/ ],
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/ ],
  ['Panda Antivirus for Linux', ['pavcl'],
    '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/,
    qr/Number of files infected[ .]*: 0*[1-9]/,
    qr/Found virus :\s*(\S+)/ ],
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan)  |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
        :\ (.+)\ NOT\ a\ virus)/,
  ],
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/ ],
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
  ],
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/ ],
  ['BitDefender', 'bdc',
    '--all --arc --mail {}', qr/^Infected files *:0+(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
 ['check-jpeg',
   sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
   ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ],
);
@av_scanners_backup = (
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],
    qr/Infection: (.+)/ ],
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
  ['drweb - DrWeb Antivirus',
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
  ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
    '-i1 -xp {}', [0,10,15], [5,20,21,25],
    qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
);
1;  # insure a defined return



Al

Antwort per Email an