Hello Postfix experts!
I need your help once again with amavisd via amavisd-milter.

I am currently configuring an all-in-one mail server following https://dokuwiki.nausch.org/doku.php/centos:mail_c7:start.
I have also added the mailguru repo (for amavisd-milter etc.)
MTA to MTA over port 25 with amavisd works
MUA to MTA over submission port 587 without amavisd works too

But as soon as I integrate amavisd via amavisd-milter, the whole thing fails and I simply cannot figure out why.
I'm sure you will see right away where the error(s) are.

Many thanks in advance.
Best regards, Andi

Test from a foreign MTA to my MTA works:
Excerpt from maillog:
Nov 8 11:44:02 mail postfix/postscreen[23037]: CONNECT from [89.26.12.242]:55315 to [172.31.1.100]:25
Nov 8 11:44:02 mail postfix/postscreen[23037]: PASS OLD [89.26.12.242]:55315
Nov 8 11:44:02 mail postfix/smtpd[23038]: connect from mail1.glasgasperlmair.at[89.26.12.242]
Nov 8 11:44:02 mail postfix/smtpd[23038]: 7D0EC208EC: client=mail1.glasgasperlmair.at[89.26.12.242]
Nov 8 11:44:02 mail postfix/cleanup[23048]: 7D0EC208EC: message-id=<[email protected]>
Nov 8 11:44:02 mail amavis[22995]: (22995-02) Checking: qNoKsxTWQPpG AM.PDP-SOCK [89.26.12.242] <[email protected]> -> <[email protected]>
Nov 8 11:44:03 mail amavis[22995]: (22995-02) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK [89.26.12.242] [89.26.12.242] <[email protected]> -> <[email protected]>, Queue-ID: 7D0EC208EC, Message-ID: <[email protected]>, mail_id: qNoKsxTWQPpG, Hits: 0.001, size: 2512, 770 ms
Nov 8 11:44:03 mail postfix/qmgr[22911]: 7D0EC208EC: from=<[email protected]>, size=2538, nrcpt=1 (queue active)
Nov 8 11:44:03 mail postfix/smtpd[23038]: disconnect from mail1.glasgasperlmair.at[89.26.12.242]
Nov  8 11:44:03 mail dovecot: lmtp(23052): Connect from 127.0.0.1
Nov 8 11:44:03 mail dovecot: lmtp([email protected]): 60mlH3OsIVgMWgAAu6NIgg: msgid=<[email protected]>: saved mail to INBOX
Nov 8 11:44:03 mail dovecot: lmtp(23052): Disconnect from 127.0.0.1: Successful quit
Nov 8 11:44:03 mail postfix/lmtp[23051]: 7D0EC208EC: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:24, delay=1.7, delays=1.2/0.02/0.09/0.37, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> 60mlH3OsIVgMWgAAu6NIgg Saved)
Nov  8 11:44:03 mail postfix/qmgr[22911]: 7D0EC208EC: removed


Test with Thunderbird over port 587 does not work
Excerpt from maillog:
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: connect from unknown[89.26.12.241]
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: Anonymous TLS connection established from unknown[89.26.12.241]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: BC58A208E3: client=unknown[89.26.12.241], sasl_method=PLAIN, [email protected]
Nov 8 11:40:27 mail postfix/cleanup[23014]: BC58A208E3: message-id=<[email protected]>
Nov 8 11:40:27 mail postfix/qmgr[22911]: BC58A208E3: from=<[email protected]>, size=692, nrcpt=1 (queue active)
Nov 8 11:40:27 mail amavis[22995]: (22995-01) ESMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20161108T114027-22995-9FDAxjys: <[email protected]> -> <[email protected]> Received: from mail.wassa.at ([127.0.0.1]) by localhost (mail.wassa.at [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <[email protected]>; Tue, 8 Nov 2016 11:40:27 +0100 (CET)
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: disconnect from unknown[89.26.12.241]
Nov 8 11:40:27 mail amavis[22995]: (22995-01) Checking: 9pw322ZKDeoc ORIGINATING [127.0.0.1] <[email protected]> -> <[email protected]>
Nov 8 11:40:28 mail amavis[22995]: (22995-01) (!)connect to [127.0.0.1]:10025 failed, attempt #1: Can't connect to socket [127.0.0.1]:10025 using module IO::Socket::IP: Connection refused
Nov 8 11:40:28 mail amavis[22995]: (22995-01) (!)9pw322ZKDeoc FWD from <[email protected]> -> <[email protected]>, 451 4.5.0 From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:[127.0.0.1]:10025): id=22995-01
Nov 8 11:40:28 mail amavis[22995]: (22995-01) Blocked MTA-BLOCKED {TempFailedOutbound}, ORIGINATING LOCAL [127.0.0.1] [89.26.12.241] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: 9pw322ZKDeoc, Hits: -0.999, size: 692, 597 ms
Nov 8 11:40:28 mail postfix/smtp[23015]: BC58A208E3: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.8, delays=0.17/0.02/0.02/0.59, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 id=22995-01 - Temporary MTA failure on relaying, From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:[127.0.0.1]:10025): id=22995-01 (in reply to end of DATA command))


My configurations:

#####################################################################
/etc/amavisd/amavisd-milter.conf
AMAVIS_USER=amavis
WORKING_DIRECTORY=/var/spool/amavisd/tmp
SOCKET=inet:[email protected]
AMAVISD_SOCKET=/var/spool/amavisd/amavisd.sock
MAX_CONNECTIONS=5
MAX_WAIT=300
MAILDAEMON_TIMEOUT=600
AMAVISD_TIMEOUT=600

#####################################################################
/etc/postfix/master.cf
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
# Django : 2014-11-29 amavisd-milter integrated
  -o smtpd_milters=${amavisd_milter}
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=smtp:127.0.0.1:10024

#############################################################################
/etc/postfix/main.cf
amavisd_milter = inet:127.0.0.1:10010

###############################################################################
/etc/amavisd/amavisd.conf
use strict;
################################################################################
# #
# Django : 2014-11-15 - Sample configuration AMaViS 2.9 on CentOS 7 #
# #
################################################################################

# A list of all possible variables can be found in the file
# /usr/share/doc/amavisd-new-2.9.1/amavisd.conf-default from the RPM. The
# website http://www.ijs.si/software/amavisd/amavisd-new-docs.html also
# offers many explanations and configuration examples

################################################################################
## PATHS OF THE LOCAL INSTALLATION
#

# Paths to the programs and tools
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

# Working directory of AMaViS
$MYHOME = '/var/spool/amavisd';

# Directory for temporary data
#$TEMPBASE = '$MYHOME/tmp';
$TEMPBASE = "$MYHOME/tmp";

# Environment variable TMPDIR, used by SpamAssassin among others
$ENV{TMPDIR} = $TEMPBASE;

# No quarantine -> no quarantine directory needed
$QUARANTINEDIR = undef;

# Directory for the Berkeley database files nanny/cache/snmp
$db_home   = "$MYHOME/db";

# Paths to the PID and LOCK file
$lock_file = "/var/run/amavisd/amavisd.lock";
$pid_file  = "/var/run/amavisd/amavisd.pid";

# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# '[email protected]' => [{'[email protected]' => 10.0}],
# '[email protected]' => [{'.ebay.com' => -3.0}],
# '[email protected]' => [{'[email protected]' => -7.0,
#                        '.cleargreen.com' => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i => 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i => 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'securityfocus.com' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'spamassassin.apache.org' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -3.0,
'[email protected]' => -5.0,
'[email protected]' => -3.0,
'returns.groups.yahoo.com' => -3.0,
'[email protected]' => -3.0,
lc('[email protected]') => -3.0,
lc('[email protected]') => -5.0,

     # soft-blacklisting (positive score)
'[email protected]' =>  3.0,
'.example.net' =>  1.0,

   },
  ],  # end of site-wide tables
});

# Utilities that amavis uses to unpack archives
@decoders = (
    ['mail', \&do_mime_decode],
    ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
    ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
    ['gz',   \&do_uncompress, 'gzip -d'],
    ['gz', \&do_gunzip],
    ['bz2',  \&do_uncompress, 'bzip2 -d'],
    ['xz',   \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
    ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma',
            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
    ['lrz',  \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
    ['lzo',  \&do_uncompress, 'lzop -d'],
    ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
    [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
    ['deb',  \&do_ar, 'ar'],
    ['rar',  \&do_unrar, ['unrar', 'rar'] ],
    ['arj',  \&do_unarj, ['unarj', 'arj'] ],
    ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
    ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
    ['cab',  \&do_cabextract, 'cabextract'],
    ['tnef', \&do_tnef],
    [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
    [['zip','kmz'], \&do_unzip],
    ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
    [[qw(7z zip gz bz2 Z tar)], \&do_7zip,  ['7za', '7z'] ],
[[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip, '7z' ],
    ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);

# Emails are handed to the virus scanner in full. The contents of archives
# are never trusted.
@keep_decoded_original_maps = (new_RE(
qr'^MAIL$',
qr'^MAIL-UNDECIPHERABLE$',
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)',
));


################################################################################
## BASIC SERVER SETTINGS AND DEFINITIONS
#

# Number of servers (pre-forked children) to start.
$max_servers = 5;

# User and group of the AMaViS daemon
$daemon_user  = 'amavis';
$daemon_group = 'amavis';

# Hostname (FQDN) of the AMaViS server
$myhostname = 'mail.wassa.at';

# Local domain of the AMaViS server
$mydomain = 'wassa.at';

# Address delimiter in the email address
$recipient_delimiter = '+';

# We set everything to NULL and define the back-routing in the policy banks

# How are emails handed back to the MTA? "undef" when using
# amavisd-milter!
$forward_method = undef;

$notify_method  = 'smtp:[mail.wassa.at]:10025';

#$allowed_added_header_fields{lc('X-Virus-Scanned')} = 0;


################################################################################
## LOGGING
#

# verbosity 0..5, -d
# Django : 2014-11-18
# default: $log_level = 0;
$log_level = 3;
# disable by-recipient level-0 log entries
$log_recip_templ = undef;
# log via syslogd (preferred)
$do_syslog = 1;
# Syslog facility as a string e.g.: mail, daemon, user, local0, ... local7
$syslog_facility = 'mail';
#Syslog base (minimal) priority
$syslog_priority = 'debug';
# enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_db = 1;
# enable use of libdb-based cache if $enable_db=1
$enable_global_cache = 1;
# enable use of ZeroMQ (SNMP and nanny)
# $enable_zmq = 1;
# # nanny verbosity: 1: traditional, 2: detailed
$nanny_details_level = 2;

# @lookup_sql_dsn =
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database

# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
# $redis_logging_key = 'amavis-log';
# about 250 MB / 100000
# $redis_logging_queue_size_limit = 300000;

# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)


################################################################################
## SOCKETS
#

# Where should AMaViS listen for incoming connections?
@listen_sockets = (
        '127.0.0.1:10024',
        '127.0.0.1:9998',
        "$MYHOME/amavisd.sock"
        );


################################################################################
## POLICY MAPPINGS
#

# We route incoming connections into policy banks based on
# different criteria.

# Map TCP sockets to policies
$interface_policy{'9998'}  = 'AM.PDP-INET';
$interface_policy{'10024'} = 'ORIGINATING';

# Map UNIX domain sockets to policies
$interface_policy{'SOCK'}  = 'AM.PDP-SOCK';

# Map IP addresses/ranges to policies
@client_ipaddr_policy = (
    [qw( 0.0.0.0/8 127.0.0.1/32 [::] [::1] )]           => 'LOCALHOST',
    [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
    [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )]        => 'PARTNER',
    [qw( 198.51.100.88/32 )]                            => 'CUSTOMERS',
    [qw( 203.0.113.164/32 )]                            => 'HOSTING',
    \@mynetworks                                        => 'MYNETS',
);

# Map DKIM-verified sender (domains) to policies
@author_to_policy_bank_maps = ( {
    'piratenpartei-bayern.de' => 'WHITELIST,NOBANNEDCHECK,NOVIRUSCHECK',
    '.paypal.de'              => 'WHITELIST',
    '.paypal.com'             => 'WHITELIST',
    'amazon.de'               => 'WHITELIST',
} );


################################################################################
## DESTINATIONS
#

# Definition of the traffic directions:

# This is inbound to internal. Conversely, all other destinations are external.
@local_domains_maps = (
[".$mydomain"],
read_hash("/etc/postfix/all_local_domains_map"),
);

# This comes from internal. Everything else is external by default, unless we
# recognise it by other criteria such as a DKIM signature or originating port
@mynetworks = qw(
127.0.0.0/8
[::1]
[FE80::]/10
[FEC0::]/10
172.31.1.0/24
10.0.10.0/26
);


################################################################################
## NOTIFICATIONS
#

# Warn external parties?
$warn_offsite = 0;

# Envelope Sender
$mailfrom_notify_admin = "postmaster\@$mydomain";
$mailfrom_notify_recip = "postmaster\@$mydomain";
$mailfrom_notify_sender = "postmaster\@$mydomain";
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
$mailfrom_to_quarantine = '';
$dsn_bcc = "postmaster\@$mydomain";

# From: Header
$hdrfrom_notify_sender = "Postmaster <postmaster\@$mydomain>";
$hdrfrom_notify_recip = "Postmaster <postmaster\@$mydomain>";
$hdrfrom_notify_release = "Postmaster <postmaster\@$mydomain>";


################################################################################
## VIRUS POLICY
#

# Enable check?
# @bypass_virus_checks_maps = (1);

# Quarantine?
$virus_quarantine_to = undef;

# Notify admin?
$virus_admin = undef;

# Notify recipient?
$warnvirusrecip = 1;

# Extend recipient address on release?
@addr_extension_virus_maps = ('virus');

# Wrap email on release?
$defang_virus  = 1;

# Do we want to transport content?
$final_virus_destiny = D_REJECT;

@av_scanners = (
  ### http://www.clamav.net/
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);

@av_scanners_backup = ();
#@av_scanners_backup = (
#  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
#  ['ClamAV-clamscan', 'clamscan',
#    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
#    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
#);


################################################################################
## SPAM POLICY
#

# Enable check?
# @bypass_spam_checks_maps  = (1);

# Quarantine?
$spam_quarantine_to = undef;

# Notify admin?
$spam_admin = undef;

# Extend recipient address on release?
@addr_extension_spam_maps = ('spam');

# Wrap email on release?
$defang_spam = undef;

# Do we want to transport content?
$final_spam_destiny = D_REJECT;

# add spam info headers if at, or above that level
$sa_tag_level_deflt  = -1000.0;
# add 'spam detected' headers at that level
$sa_tag2_level_deflt = 6.31;
# triggers spam evasive actions (e.g. blocks mail)
$sa_kill_level_deflt = 6.31;
# spam level beyond which a DSN is not sent
$sa_dsn_cutoff_level = 10;
# likewise, but for a likely valid From
$sa_crediblefrom_dsn_cutoff_level = 18;
# spam level beyond which quarantine is off
# $sa_quarantine_cutoff_level = 25;

# (no effect without a @storage_sql_dsn database)
$penpals_bonus_score = 8;
# don't waste time on hi spam
$penpals_threshold_high = $sa_kill_level_deflt;
# spam score points to add for joe-jobbed bounces
$bounce_killer_score = 100;
# don't waste time on SA if mail is larger
$sa_mail_body_size_limit = 400*1024;
# only tests which do not require internet access?
$sa_local_tests_only = 0;

$sa_spam_subject_tag = '***Spam*** ';


################################################################################
## BANNED POLICY
#

# Enable check?
#@bypass_banned_checks_maps  = (1);

# Quarantine?
$banned_quarantine_to = undef;

# Notify admin?
$banned_admin = undef;

# Extend recipient address on release?
@addr_extension_banned_maps = ('banned');

# Wrap email on release?
$defang_banned = 1;

# Do we want to transport content?
$final_banned_destiny = D_BOUNCE;

# Definition lists in which we group certain file types
# The definition names can be used in a policy
%banned_rules = (
    'NO-MS-EXEC'=> new_RE( qr'^\.(exe-ms)$' ),
    'PASSALL'   => new_RE( [qr'^' => 0] ),
'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
    'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ),
'NO-VIDEO' => new_RE( qr'^\.movie$', qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
    'NO-MOVIES' => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),
'MYNETS-DEFAULT' => new_RE( [ qr'^\.(rpm|cpio|tar)$' => 0 ], qr'.\.(vbs|pif|scr)$'i, ),
    'DEFAULT' => $banned_filename_re,
);

# Everything that is DEFAULT in the definition list above
$banned_filename_re = new_RE(
    # banned file(1) types, rudimentary
    qr'^\.(exe-ms|dll)$',
    # allow any in Unix-type archives
    [ qr'^\.(rpm|cpio|tar)$'       => 0 ],
    # banned extensions - rudimentary
    qr'.\.(pif|scr)$'i,
    # block these MIME types
    qr'^application/x-msdownload$'i,
    qr'^application/x-msdos-program$'i,
    qr'^application/hta$'i,
    # block certain double extensions in filenames
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
    # banned extension - basic+cmd
qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
);


################################################################################
## HEADER POLICY
#

# Enable check?
# @bypass_header_checks_maps = (1);

# Quarantine?
$bad_header_quarantine_method = undef;

# Extend recipient address on release?
@addr_extension_bad_header_maps = ('badh');

# Wrap email on release?
# NUL or CR character in header
$defang_by_ccat{CC_BADH.",3"} = 1;
# header line longer than 998 characters
$defang_by_ccat{CC_BADH.",5"} = 1;
# header field syntax error
$defang_by_ccat{CC_BADH.",6"} = 1;

# Do we want to transport content?
$final_bad_header_destiny = D_PASS;

# Notify admin?
$bad_header_admin = undef;

# Notify sender?
$warnbadhsender = undef;

# Notify recipient?
$warnbadhrecip = undef;


################################################################################
## UNCHECKED POLICY
#
$undecipherable_subject_tag = '';

$MAXLEVELS = 14;
$MAXFILES = 3000;
# bytes  (default undef, not enforced)
$MIN_EXPANSION_QUOTA =      100*1024;
# bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 500*1024*1024;


################################################################################
## DKIM - Domain Key Identified Mail
#

# Verify DKIM signatures
$enable_dkim_verification = 0;

# Create DKIM signatures
$enable_dkim_signing = 0;

# Private keys and selectors
#
# signing domain  selector  private key             options
# -------------   --------  ----------------------  ----------
# dkim_key('nausch.org', '201411', '/var/spool/amavis/dkim/201411_nausch.org');

# DKIM Signing Policies
@dkim_signature_options_bysender_maps = (
    { '.' =>
        {
                ttl => 21*24*3600,
                c => 'relaxed/simple'
        }
    }
);

# to query p0f-analyzer.pl
# $os_fingerprint_method = 'p0f:*:2345';

## hierarchy by which a final setting is chosen:
##   policy bank (based on port or IP address) -> *_by_ccat
##   *_by_ccat (based on mail contents) -> *_maps
##   *_maps (based on recipient address) -> final configuration value


################################################################################
## POLICY BANKS
#

## POLICY BANK MYNETWORK
# All hosts that are listed in MYNETS
$policy_bank{'MYNETS'} = {
    # Every mail from one of our hosts is marked as originating
    originating => 1,
    # Do not run p0f queries for internal clients.
    os_fingerprint_method => undef,
};

## POLICY BANK SUBMISSION
# Messages from our customers that were submitted on port 587 (submission)
# are marked as originating, i.e. from us.
$policy_bank{'ORIGINATING'} = {
    # which host is allowed to deliver on port 10014
    inet_acl => [qw( 127.0.0.1 )],
    # emails from port 587 are marked as "from us" = originating
    originating => 1,
    # Append a disclaimer to every mail, if any are available.
    allow_disclaimers => 1,
    # notify administrator of locally originating malware
    virus_admin_maps => ["virusalert\@$mydomain"],
    spam_admin_maps  => ["virusalert\@$mydomain"],
    warnbadhsender   => 1,
    # forward to a smtpd service providing DKIM signing service
    forward_method => 'smtp:[127.0.0.1]:10027',
    # force MTA conversion to 7-bit (e.g. before DKIM signing)
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    # allow sending any file names and types
    bypass_spam_checks_maps => [0],
    # allow sending any file names and types
    bypass_banned_checks_maps => [1],
    # don't remove NOTIFY=SUCCESS option
    terminate_dsn_on_notify_success => 0,
    notify_method  => 'smtp:[127.0.0.1]:10025',
    forward_method => 'smtp:[127.0.0.1]:10025',
    final_virus_destiny => 'D_BOUNCE',
};

# This is where the MILTER arrives
$policy_bank{'AM.PDP-SOCK'} = {
    protocol => 'AM.PDP',
    auth_required_release => 0,
};

# This is where we would release
$policy_bank{'AM.PDP-INET'} = {
    protocol => 'AM.PDP',
    inet_acl => [qw( 127.0.0.1 )],
    auth_required_release => 0,
};


## POLICY BANK: WHITELIST
  $policy_bank{'WHITELIST'} = {
    bypass_spam_checks_maps => [1],
    spam_lovers_maps => [1],
  };


## POLICY BANK: NOVIRUSCHECK
  $policy_bank{'NOVIRUSCHECK'} = {
    bypass_decode_parts => 1,
    bypass_virus_checks_maps => [1],
    virus_lovers_maps => [1],
  };


## POLICY BANK: NOBANNEDCHECK
  $policy_bank{'NOBANNEDCHECK'} = {
    bypass_banned_checks_maps => [1],
    banned_files_lovers_maps  => [1],
  };


1;  # insure a defined return value

# vim: set ft=perl sw=4:
