(Hey MOJO ... small world)
I've been following this thread, as I have a similar configuration to Florian's. I'm running a modified Debian with a 2.4 kernel. Amavisd version 2.2.0, clamav, and Spamassassin 3.0.2. I do not use apt-get for spamassassin (or other items for that matter), as I find that compiling from source has given me more predictable results.
First and foremost, I found it necessary to upgrade to perl 5.8.x. The earlier version (5.6.1 -- installed with Debian) was insufficient for running Spamassassin under Amavis under my configuration.
Once I upgraded Perl, reinstalled all the necessary modules, and modified the amavis script to point to the new perl executable, I found Spamassassin 3.0.2 to be a significant improvement over 2.6. I am now getting over 98% of my spam filtered; and that's without Bayes having kicked in yet.
I'm very pleased with the results and am nearly ready to roll this into production on a dozen or so servers.
Florian, what version of Perl are you using? Post your amavis.conf file.
I use the following rulesets in addition to those distributed with Spamassassin:
70_sare_random.cf chickenpox.cf tripwire.cf weeds.cf
Below is my local.cf and my amavisd.conf. (If anyone would like these as attachments, contact me privately.)
(My domain info is a bit odd because I don't have a real domain for this testbed. The machine I'm using is actually popping its mail and handing it over to postfix for delivery.)
1. local.cf
##########################################
auto_whitelist_path /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode 0666
report_safe 0
use_bayes 1
bayes_path /var/amavis/.spamassassin/bayes
bayes_auto_learn 1
skip_rbl_checks 1
use_razor2 0
use_dcc 1
use_pyzor 0
dns_available yes
header LOCAL_RCVD Received =~ /\S+\.domain\.com\s+\(.*\[.*\]\)/
describe LOCAL_RCVD Received from local machine
score LOCAL_RCVD -50
## Optional Score Increases
score DCC_CHECK 4.000
score RAZOR2_CHECK 2.500
score BAYES_99 4.300
score BAYES_80 3.000
##########################################
2. amavisd.conf
##########################################
use strict;
# Configuration file for amavisd-new
#
# This software is licensed under the GNU General Public License (GPL).
# See comments at the start of amavisd-new for the whole license text.
#Sections:
# Section I - Essential daemon and MTA settings
# Section II - MTA specific
# Section III - Logging
# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
# Section V - Per-recipient and per-sender handling, whitelisting, etc.
# Section VI - Resource limits
# Section VII - External programs, virus scanners, SpamAssassin
# Section VIII - Debugging
#GENERAL NOTES:
# This file is a normal Perl code, interpreted by Perl itself.
# - make sure this file (or directory where it resides) is NOT WRITABLE
# by mere mortals, otherwise it represents a severe security risk!
# - for values which are interpreted as booleans, it is recommended
# to use 1 for true, and 0 or undef or '' for false.
# THIS IS DIFFERENT FROM OLDER AMAVIS VERSIONS where "no" also meant false,
# now it means true, like any nonempty string does!
# - Perl syntax applies. Most notably: strings in "" may include variables
# (which start with $ or @ signs), to include characters @ and $ in double
# quoted strings, precede them by a backslash; in single-quoted strings
# the $ and @ lose their special meaning, so it is usually easier to use
# single quoted strings. Still, in both cases a backslash needs to be doubled
# - variables with names starting with a '@' are lists, the values assigned
# to them should be lists as well, e.g. ('[EMAIL PROTECTED]', $mydomain, "three");
# note the comma-separation and parenthesis. If the strings in the list
# do not contain spaces nor variables, a Perl operator qw() may be used
# as a shorthand to split its argument on whitespace and produce a list
# of strings, e.g. qw( [EMAIL PROTECTED] example.com three ); Note that the argument
# to qw is quoted implicitly and no variable interpretation is done within
# (no '$' variable evaluations), and #-initiated comments can not be used
# within the string. In other words, $ and # lose their special meaning
# within a qw argument, just like within '...' strings.
# - all e-mail addresses in this file and as used internally by the daemon
# are in their raw (rfc2821-unquoted and nonbracketed) form, i.e.
# Bob "Funny" [EMAIL PROTECTED], not: "Bob \"Funny\" Dude"@example.com
# and not <"Bob \"Funny\" Dude"@example.com>
#
# Section I - Essential daemon and MTA settings
#
# $MYHOME serves as a quick default for some other configuration settings.
# More refined control is available with each individual setting further down.
# $MYHOME is never used directly by the program. No trailing slash!
$MYHOME = '/var/amavis'; # (default is '/var/amavis')
# $mydomain serves as a quick default for some other configuration settings.
# More refined control is available with each individual setting further down.
# $mydomain is never used directly by the program.
$mydomain = 'cordova.net'; # (no useful default)
# Set the user and group to which the daemon will change if started as root
# (otherwise just keep the UID unchanged, and these settings have no effect):
$daemon_user = 'amavisd'; # (no default; customary: vscan or amavis)
$daemon_group = 'amavisd'; # (no default; customary: vscan or amavis)
# Runtime working directory (cwd), and a place where
# temporary directories for unpacking mail are created.
# (no trailing slash, may be a scratch file system)
$TEMPBASE = "$MYHOME/tmp"; # (must be set if other config vars use it)
#$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?
# $helpers_home sets environment variable HOME, and is passed as option
# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory
# on a normal persistent file system, not a scratch or temporary file system
$helpers_home = $MYHOME; # (defaults to $MYHOME)
#$daemon_chroot_dir = $MYHOME; # (default is undef => do not chroot)
#$pid_file = "$MYHOME/amavisd.pid"; # (default is "$MYHOME/amavisd.pid")
#$lock_file = "$MYHOME/amavisd.lock"; # (default is "$MYHOME/amavisd.lock")
# set environment variables if you want (no defaults):
$ENV{TMPDIR} = $TEMPBASE; # wise, but usually not necessary
#...
# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,
# both $forward_method and $notify_method default to 'smtp:127.0.0.1:10025'
# POSTFIX or EXIM V4 or dual MTA setup (set host and port number as required)
# (host can be given as IP address or DNS name (A or CNAME, but not MX)
$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
$notify_method = $forward_method; # where to submit notifications
# NOTE: The defaults are good for Postfix. You MUST uncomment
# the appropriate settings below if using other mailers!
# SENDMAIL MILTER, using amavis-milter.c helper program:
#$forward_method = undef; # no explicit forwarding, sendmail does it by itself
# milter; option -odd is needed to avoid deadlocks
#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
# just a thought: can we use use -Am instead of -odd ?
# SENDMAIL (non-milter sendmail, as relay):
#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';
#$notify_method = $forward_method;
# SENDMAIL (non-milter sendmail, amavis.c calls local delivery agent):
#$forward_method = undef; # no explicit forwarding, amavis.c will call LDA
#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';
# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';
#$notify_method = $forward_method;
# prefer to collect mail for forwarding as BSMTP files?
#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";
#$notify_method = $forward_method;
# Net::Server pre-forking settings
# You may want $max_servers to match the width of your MTA pipe
# feeding amavisd, e.g. with Postfix the 'Max procs' field in the
# master.cf file, like the '2' in the:
#   smtp-amavis unix - - n - 2 smtp
#
$max_servers = 2; # number of pre-forked children (default 2)
$max_requests = 10; # retire a child after that many accepts (default 10)
$child_timeout=5*60; # abort child if it does not complete each task in n sec
# (default: 8*60 seconds)
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
# Check also the settings of @av_scanners at the end if you want to use
# virus scanners. If not, you may want to delete the whole long assignment
# to the variable @av_scanners, which will also remove the virus checking
# code (e.g. if you only want to do spam scanning).
# Here is a QUICK WAY to completely DISABLE some sections of code
# that WE DO NOT WANT (it won't even be compiled-in).
# For more refined controls leave the following two lines commented out,
# and see further down what these two lookup lists really mean.
#
# @bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_acl = qw( . ); # uncomment to DISABLE anti-spam code
#
# Any setting can be changed with a new assignment, so make sure
# you do not unintentionally override these settings further down!
# Lookup list of local domains (see README.lookups for syntax details)
#
# NOTE:
# For backwards compatibility the variable names @local_domains (old) and
# @local_domains_acl (new) are synonyms. For consistency with other lookups
# the name @local_domains_acl is now preferred. It also makes it more
# obviously distinct from the new %local_domains hash lookup table.
#
# local_domains* lookup tables are used in deciding whether a recipient
# is local or not, or in other words, if the message is outgoing or not.
# This affects inserting spam-related headers for local recipients,
# limiting recipient virus notifications (if enabled) to local recipients,
# in deciding if address extension may be appended, and in SQL lookups
# for non-fqdn addresses. Set it up correctly if you need features
# that rely on this setting (or just leave empty otherwise).
#
# With Postfix (2.0) a quick reminder on what local domains normally are:
# a union of domains specified in: $mydestination, $virtual_alias_domains,
# $virtual_mailbox_domains, and $relay_domains.
#
@local_domains_acl = ( ".$mydomain" ); # $mydomain and its subdomains
# @local_domains_acl = qw(); # default is empty, no recipient treated as local
# @local_domains_acl = qw( .example.com );
# @local_domains_acl = qw( .example.com !host.sub.example.net .sub.example.net );
# @local_domains_acl = ( ".$mydomain", '.example.com', 'sub.example.net' );
# or alternatively(A), using a Perl hash lookup table, which may be assigned
# directly, or read from a file, one domain per line; comments and empty lines
# are ignored, a dot before a domain name implies its subdomains:
#
#read_hash(\%local_domains, '/var/amavis/local_domains');
#or alternatively(B), using a list of regular expressions:
# $local_domains_re = new_RE( qr'[EMAIL PROTECTED]'i );
#
# see README.lookups for syntax and semantics
#
# Section II - MTA specific (defaults should be ok)
#
# if $relayhost_is_client is true, IP address in $notify_method and
# $forward_method is dynamically overridden with SMTP client peer address
# if available, which makes possible for several hosts to share one daemon
#$relayhost_is_client = 1; # (defaults to false)
#$insert_received_line = 1; # behave like MTA: insert 'Received:' header
# (does not apply to sendmail/milter)
# (default is true)
# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)
# (used with amavis helper clients like amavis-milter.c and amavis.c,
# NOT needed for Postfix and Exim)
$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
#$unix_socketname = undef; # disable listening on a unix socket
# (default is undef, i.e. disabled)
# (usual setting is $MYHOME/amavisd.sock)
# Do we receive quoted or raw addresses from the helper program?
# (does not apply to SMTP; defaults to true)
#$gets_addr_in_quoted_form = 1; # "Bob \"Funny\" Dude"@example.com
#$gets_addr_in_quoted_form = 0; # Bob "Funny" [EMAIL PROTECTED]
# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
$inet_socket_port = 10024; # accept SMTP on this local TCP port
# (default is undef, i.e. disabled)
# SMTP SERVER (INPUT) access control
# - do not allow free access to the amavisd SMTP port !!!
#
# when MTA is at the same host, use the following (one or the other or both):
$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
# (default is '127.0.0.1')
@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
# (default is qw( 127.0.0.1 ) )
# when MTA (one or more) is on a different host, use the following:
#@inet_acl = qw(127/8 10.1.0.1 10.1.0.2); # adjust the list as appropriate
#$inet_socket_bind = undef; # bind to all IP interfaces
#
# Example1:
# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
# permit only SMTP access from loopback and rfc1918 private address space
#
# Example2:
# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
# 127.0.0.1 10/8 172.16/12 192.168/16 );
# matches loopback and rfc1918 private address space except host 192.168.1.12
# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
#
# Example3:
# @inet_acl = qw( 127/8
# !172.16.3.0 !172.16.3.127 172.16.3.0/25
# !172.16.3.128 !172.16.3.255 172.16.3.128/25 );
# matches loopback and both halves of the 172.16.3/24 C-class,
# split into two subnets, except all four broadcast addresses
# for these subnets
#
# See README.lookups for details on specifying access control lists.
#
# Section III - Logging
#
# true (e.g. 1) => syslog; false (e.g. 0) => logging to file
$DO_SYSLOG = 1; # (defaults to false)
#$SYSLOG_LEVEL = 'mail.info'; # (defaults to 'mail.info')
# Log file (if not using syslog)
$LOGFILE = "$MYHOME/amavis.log"; # (defaults to empty, no log)
#NOTE: levels are not strictly observed and are somewhat arbitrary
# 0: startup/exit/failure messages, viruses detected
# 1: args passed from client, some more interesting messages
# 2: virus scanner output, timing
# 3: server, client
# 4: decompose parts
# 5: more debug details
$log_level = 5; # (defaults to 0)
# Customizeable template for the most interesting log file entry (e.g. with
# $log_level=0) (take care to properly quote Perl special characters like '\')
# For a list of available macros see README.customize .
# only log infected messages (useful with log level 0):
# $log_templ = '[? %#V |[? %#F ||banned filename ([%F|,])]|infected ([%V|,])]#
# [? %#V |[? %#F ||, from=<%o>, to=[<%R>|,][? %i ||, quarantine %i]]#
# |, from=<%o>, to=[<%R>|,][? %i ||, quarantine %i]]';
# log both infected and noninfected messages (default):
$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
<%o> -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m';
#
# Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
#
# Select notifications text encoding when Unicode-aware Perl is converting
# text from internal character representation to external encoding (charset
# in MIME terminology)
#
# to be used in RFC 2047-encoded header field bodies, e.g. in Subject:
#$hdr_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
#
# to be used in notification body text: its encoding and Content-type.charset
#$bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
# Default template texts for notifications may be overruled by directly
# assigning new text to template variables, or by reading template text
# from files. A second argument may be specified in a call to read_text(),
# specifying character encoding layer to be used when reading from the
# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.
# Text will be converted to internal character representation by Perl 5.8.0
# or later; second argument is ignored otherwise. See PerlIO::encoding,
# Encode::PerlIO and perluniintro man pages.
#
# $notify_sender_templ = read_text('/var/amavis/notify_sender.txt');
# $notify_virus_sender_templ= read_text('/var/amavis/notify_virus_sender.txt');
# $notify_virus_admin_templ = read_text('/var/amavis/notify_virus_admin.txt');
# $notify_virus_recips_templ= read_text('/var/amavis/notify_virus_recips.txt');
# $notify_spam_sender_templ = read_text('/var/amavis/notify_spam_sender.txt');
# $notify_spam_admin_templ = read_text('/var/amavis/notify_spam_admin.txt');
# Here is an overall picture (sequence of events) of how pieces fit together
# (only virus controls are shown, spam controls work the same way):
#
# bypass_virus_checks set for all recipients? ==> PASS
# no viruses? ==> PASS
# log virus if $log_templ is nonempty
# quarantine if $virus_quarantine_to is nonempty
# notify admin if $virus_admin (lookup) nonempty
# notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
# add address extensions for local recipients (when enabled)
# send (non-)delivery notifications
# to sender if DSN needed (BOUNCE) or ($warnvirussender and D_PASS)
# virus_lovers or final_destiny==D_PASS ==> PASS
# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
# The following symbolic constants can be used in *destiny settings:
#
# D_PASS mail will pass to recipients, regardless of bad contents;
#
# D_DISCARD mail will not be delivered to its recipients, sender will NOT be
# notified. Effectively we lose mail (but will be quarantined
# unless disabled). Not a decent thing to do for a mailer.
#
# D_BOUNCE mail will not be delivered to its recipients, a non-delivery
# notification (bounce) will be sent to the sender by amavisd-new;
# Exception: bounce (DSN) will not be sent if a virus name matches
# $viruses_that_fake_sender_re, or to messages from mailing lists
# (Precedence: bulk|list|junk);
#
# D_REJECT mail will not be delivered to its recipients, sender should
# preferably get a reject, e.g. SMTP permanent reject response
# (e.g. with milter), or non-delivery notification from MTA
# (e.g. Postfix). If this is not possible (e.g. different recipients
# have different tolerances to bad mail contents and not using LMTP)
# amavisd-new sends a bounce by itself (same as D_BOUNCE).
#
# Notes:
# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
# for informing the sender about non-delivery, and how informative
# the notification can be (amavisd-new knows more than MTA);
# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
# notification, colloquially called 'bounce') - depending on MTA;
# Best suited for sendmail milter, especially for spam.
# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
# reason for mail non-delivery, but unable to reject the original
# SMTP session). Best suited to reporting viruses, and for Postfix
# and other dual-MTA setups, which can't reject original client SMTP
# session, as the mail has already been enqueued.
$final_virus_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_PASS; # (defaults to D_REJECT)
$final_bad_header_destiny = D_BOUNCE;
# Alternatives to consider for spam:
# - use D_PASS if clients will do filtering based on inserted mail headers;
# - use D_DISCARD, if kill_level is set safely high;
# - use D_BOUNCE instead of D_REJECT if not using milter;
#
# There are no sensible alternatives to D_BOUNCE for viruses, but consider:
# - use D_PASS (or virus_lovers) and $warnvirussender=1 to deliver viruses;
# - use D_REJECT instead of D_BOUNCE if using milter and under heavy
#   virus storm;
#
# Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped
# to D_BOUNCE.
#
# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD
# and D_PASS made settings $warnvirussender and $warnspamsender only still
# useful with D_PASS.
# Notify virus or banned file sender?
# (only when mail passes ($final_*_destiny=D_PASS, or virus_lovers*);
# bounces or rejects produce non-delivery status notification anyway)
#$warnvirussender = 1; # (defaults to false (undef))
# Notify spam sender?
# (only when mail passes ($final_spam_destiny=D_PASS, or spam_lovers*);
# bounces or rejects produce non-delivery status notification anyway)
#$warnspamsender = 1; # (defaults to false (undef))
# Notify virus recipient?
# (not very useful, but some policies demand it)
#$warnvirusrecip = 1; # (defaults to false (undef))
# Notify also non-local virus recipients if $warnvirusrecip is true?
# (including those not matching local_domains*)
#$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals)
# Treat envelope sender address as unreliable and don't send sender
# notification / bounces if name(s) of detected virus(es) match the list.
# Note that virus names are supplied by external virus scanner(s) and are
# not standardized, so virus names may need to be adjusted.
# See README.lookups for syntax.
#
$viruses_that_fake_sender_re = new_RE( qr'nimda|hybris|klez|bugbear|yaha|braid|sobig'i );
# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)
# - the administrator address may be a simple fixed e-mail address (a scalar),
# or may depend on the SENDER address (e.g. its domain), in which case
# a ref to a hash table can be specified (specify lower-cased keys,
# dot is a catchall, see README.lookups).
#
# Empty or undef lookup disables virus admin notifications.
# $virus_admin = "[EMAIL PROTECTED]";
# $virus_admin = undef; # do not send virus admin notifications (default)
# $virus_admin = {'not.example.com' => '', '.' => '[EMAIL PROTECTED]'};
# $virus_admin = '[EMAIL PROTECTED]';
# equivalent to $virus_admin, but for spam admin notifications:
# $spam_admin = "[EMAIL PROTECTED]";
# $spam_admin = undef; # do not send spam admin notifications (default)
# $spam_admin = {'not.example.com' => '', '.' => '[EMAIL PROTECTED]'};
#advanced example, using a hash lookup table:
#$virus_admin = {
# '[EMAIL PROTECTED]' => '[EMAIL PROTECTED]',
# '.sub1.example.com' => '[EMAIL PROTECTED]',
# '.sub2.example.com' => '', # don't send admin notifications
# 'a.sub3.example.com' => '[EMAIL PROTECTED]',
# '.sub3.example.com' => '[EMAIL PROTECTED]',
# '.example.com' => '[EMAIL PROTECTED]', # catchall for our virus senders
# '.' => '[EMAIL PROTECTED]', # catchall for the rest
#};
# whom notification reports are sent from (ENVELOPE SENDER);
# may be a null reverse path, or a fully qualified address:
# (admin and recip sender addresses default to $mailfrom
# for compatibility, which in turn defaults to undef (empty) )
# If using strings in double quotes, don't forget to quote @, i.e. \@
#
$mailfrom_notify_admin = "[EMAIL PROTECTED]";
$mailfrom_notify_recip = "[EMAIL PROTECTED]";
$mailfrom_notify_spamadmin = "[EMAIL PROTECTED]";
# 'From' HEADER FIELD for sender and admin notifications.
# This should be a replyable address, see rfc1894. Not to be confused
# with $mailfrom_notify_sender, which is the envelope address and
# should be empty (null reverse path) according to rfc2821.
#
# $hdrfrom_notify_sender = "amavisd-new <[EMAIL PROTECTED]>";
# $hdrfrom_notify_sender = 'amavisd-new <[EMAIL PROTECTED]>';
# (defaults to: "amavisd-new <[EMAIL PROTECTED]>")
# $hdrfrom_notify_admin = $mailfrom_notify_admin;
# (defaults to: $mailfrom_notify_admin)
# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;
# (defaults to: $mailfrom_notify_spamadmin)
# whom quarantined messages appear to be sent from (envelope sender)
$mailfrom_to_quarantine = undef; # original sender if undef, or set explicitly
# (default is undef)
# Location to put infected mail into: (applies to 'local:' quarantine method)
# empty for not quarantining, may be a file (mailbox),
# or a directory (no trailing slash)
# (the default value is undef, meaning no quarantine)
#
#$QUARANTINEDIR = '/var/virusmails';
#$virus_quarantine_method = "local:virus-%i-%n"; # default
#$spam_quarantine_method = "local:spam-%b-%i-%n"; # default
#
#use the new 'bsmtp:' method as an alternative to the default 'local:'
#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%i-%n.bsmtp";
#$spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%b-%i-%n.bsmtp";
# When using the 'local:' quarantine method (default), the following applies:
#
# A finer control of quarantining is available through variable
# $virus_quarantine_to/$spam_quarantine_to. It may be a simple scalar string,
# or a ref to a hash lookup table, or a regexp lookup table object,
# which makes possible to set up per-recipient quarantine addresses.
#
# The value of scalar $virus_quarantine_to (or per-recipient lookup result
# from the hash table %$virus_quarantine_to) is/are interpreted as follows:
#
# VARIANT 1:
# empty or undef disables virus quarantine;
#
# VARIANT 2:
# a string NOT containing an '@';
# amavisd will behave as a local delivery agent (LDA) and will quarantine
# viruses to local files according to hash %local_delivery_aliases (pseudo
# aliases map) - see subroutine mail_to_local_mailbox() for details.
# One of the predefined aliases is 'virus-quarantine'.
# Setting $virus_quarantine_to to this string will:
#
# * if $QUARANTINEDIR is a directory, each quarantined virus will go
# to a separate file in the $QUARANTINEDIR directory (traditional
# amavis style, similar to maildir mailbox format);
#
# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style
# mailbox. All quarantined messages will be appended to this file.
# Amavisd child process must obtain an exclusive lock on the file during
# delivery, so this may be less efficient than using individual files
# or forwarding to MTA, and it may not work across NFS or other non-local
# file systems (but may be handy for pickup of quarantined files via IMAP
# for example);
#
# VARIANT 3:
# any email address (must contain '@').
# The e-mail messages to be quarantined will be handed to MTA
# for delivery to the specified address. If a recipient address local to MTA
# is desired, you may leave the domain part empty, e.g. 'infected@', but the
# '@' character must nevertheless be included to distinguish it from variant 2.
#
# This method enables more refined delivery control made available by MTA
# (e.g. its aliases file, other local delivery agents, dealing with
# privileges and file locking when delivering to user's mailbox, nonlocal
# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined
# will not be handed back to amavisd for checking, as this will cause a loop
# (hopefully broken at some stage)! If this can be assured, notifications
# will benefit too from not being unnecessarily virus-scanned.
#
# By default this is safe to do with Postfix and Exim v4, but probably
# not safe with sendmail milter interface without precaution.
# (the default value is undef, meaning no quarantine)
$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
#$virus_quarantine_to = 'infected@'; # forward to MTA for delivery
#$virus_quarantine_to = "[EMAIL PROTECTED]"; # similar
#$virus_quarantine_to = undef; # no quarantine
#
#$virus_quarantine_to = new_RE( # per-recip multiple quarantines
# [qr'[EMAIL PROTECTED]'i => 'infected@'],
# [qr/.*/ => 'virus-quarantine'] );
# similar for spam
# (the default value is undef, meaning no quarantine)
#$spam_quarantine_to = '[EMAIL PROTECTED]';
#$spam_quarantine_to = "[EMAIL PROTECTED]";
# Add X-Virus-Scanned line to mail?
# (default: undef)
$X_HEADER_TAG = 'X-Virus-Scanned'; # Leave empty to add no header
# (default: undef)
$X_HEADER_LINE = "by amavisd-new at $mydomain";
$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
#$remove_existing_x_scanned_headers= 1; # remove existing headers
# (defaults to false)
# set $bypass_decode_parts to true if you have a good virus scanner
# that can deal with compression and recursively unpacking archives by itself,
# and save amavisd the trouble. It is a double-edged sword, make sure you know
# what you are doing!
#
#$bypass_decode_parts = 1; # (defaults to false)
# don't trust this file type or unpacker for this file type,
# keep both the original and the unpacked file
# (lookup key is what 'file' utility returned):
#
$keep_decoded_original_re = new_RE( qr'^(ASCII|text|uuencoded|xxencoded|binhex)'i, );
# Checking for banned MIME types and names. If any mail part matches,
# the whole mail is rejected, much like the way viruses are handled.
# A list in object $banned_filename_re can be defined to provide a list
# of Perl regular expressions to be matched against each part's:
#
# * Content-Type value (both declared and effective mime-type),
#   including the possible security risk content types
#   message/partial and message/external-body, as specified by rfc2046;
#
# * declared (recommended) file names as specified by MIME subfields
#   Content-Disposition.filename and Content-Type.name, both in their
#   raw (encoded) form and in rfc2047-decoded form if applicable;
#
# * file content type as guessed by 'file(1)' utility, both the raw result
#   from file(1), as well as short type name, classified into names such as
#   .asc, .txt, .html, .doc, .jpg, .pdf, .zip, .exe, ..., which is always
#   beginning with a dot - see subroutine determine_file_types().
#   This step is done only if $bypass_decode_parts is not true.
#
# * leave $banned_filename_re undefined to disable these checks
#   (giving an empty list to new_RE() will also always return false)
$banned_filename_re = new_RE(
qr'\.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com)$'i, # double extension
# qr'\.(exe|vbs|pif|scr|bat|com)$'i, # banned extension
# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046
);
# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe',
# as well as any file name which happens to end with .exe. If only matching
# the file name is desired, but not the short name, a pattern qr'.\.exe$'i
# or similar may be used, which requires that at least one character precedes
# the '.exe', and so it will never match short file types, which always start
# with a dot.
#
# Section V - Per-recipient and per-sender handling, whitelisting, etc.
#
# %virus_lovers, @virus_lovers_acl and $virus_lovers_re lookup tables:
# (these should be considered policy options, they do not disable checks,
# see bypas*checks for that!)
#
# Exclude certain RECIPIENTS from virus filtering by adding their lower-cased
# envelope e-mail address (or domain only) to the hash %virus_lovers, or to
# the access list @virus_lovers_acl - see README.lookups and examples.
# Make sure the appropriate form (e.g. external/internal) of address
# is used in case of virtual domains, or when mapping external to internal
# addresses, etc. - this is MTA-specific.
#
# Notifications would still be generated however (see the overall
# picture above), and infected mail (if passed) gets additional header:
# X-AMaViS-Alert: INFECTED, message contains virus: ...
# (header not inserted with milter interface!)
#
# NOTE (milter interface only): in case of multiple recipients,
# it is only possible to drop or accept the message in its entirety - for all
# recipients. If all of them are virus lovers, we'll accept mail, but if
# at least one recipient is not a virus lover, we'll discard the message.
# %bypass_virus_checks, @bypass_virus_checks_acl and $bypass_virus_checks_re
# lookup tables:
# (this is mainly a time-saving option, unlike virus_lovers* !)
#
# Similar in concept to %virus_lovers, a hash %bypass_virus_checks,
# access list @bypass_virus_checks_acl and regexp list $bypass_virus_checks_re
# are used to skip entirely the decoding, unpacking and virus checking,
# but only if ALL recipients match the lookup.
#
# %bypass_virus_checks/@bypass_virus_checks_acl/$bypass_virus_checks_re
# do NOT GUARANTEE the message will NOT be checked for viruses - this may
# still happen when there is more than one recipient for a message, and
# not all of them match these lookup tables. To guarantee virus delivery,
# a recipient must also match %virus_lovers/@virus_lovers_acl lookups
# (but see milter limitations above),
# NOTE: it would not be clever to base virus checks on SENDER address,
# since there are no guarantees that it is genuine. Many viruses
# and spam messages fake sender address. To achieve selective filtering
# based on the source of the mail (e.g. IP address, MTA port number, ...),
# use mechanisms provided by MTA if available.
# Similar to lookup tables controlling virus checking,
# there exist spam scanning and banned names/types control counterparts:
# %spam_lovers, @spam_lovers_acl
# %banned_files_lovers, @banned_files_lovers_acl
# and:
# %bypass_spam_checks/@bypass_spam_checks_acl/$bypass_spam_checks_re
# (but no bypass_banned_checks, as $bypass_decode_parts controls it already)
# See README.lookups for details about the syntax.
# The following example disables spam checking altogether,
# since it matches any recipient e-mail address (any address
# is a subdomain of the top-level root DNS domain):
#   @bypass_spam_checks_acl = qw( . );
# See README.lookups for further detail, and examples below.
# $virus_lovers{lc("[EMAIL PROTECTED]")} = 1;
# $virus_lovers{lc('[EMAIL PROTECTED]')} = 1;
# $virus_lovers{lc('[EMAIL PROTECTED]')} = 1;
# $virus_lovers{lc('some.user@')} = 1; # this recipient, regardless of domain
# $virus_lovers{lc('[EMAIL PROTECTED]')} = 0; # never, even if domain matches
# $virus_lovers{lc('example.com')} = 1; # this domain, but not its subdomains
# $virus_lovers{lc('.example.com')}= 1; # this domain, including its subdomains
#or:
# @virus_lovers_acl = qw( [EMAIL PROTECTED] !lab.xxx.com .xxx.com yyy.org );
#
# $bypass_virus_checks{lc('[EMAIL PROTECTED]')} = 1;
# @bypass_virus_checks_acl = qw( some.ddd !butnot.example.com .example.com );
# @virus_lovers_acl = qw( [EMAIL PROTECTED] );
# $virus_lovers_re = new_RE( qr'(helpdesk|postmaster)@example\.com$'i );
# $spam_lovers{lc("[EMAIL PROTECTED]")} = 1;
# $spam_lovers{lc('[EMAIL PROTECTED]')} = 1;
# $spam_lovers{lc('[EMAIL PROTECTED]')} = 1;
# @spam_lovers_acl = qw( !.example.com );
# $spam_lovers_re = new_RE( qr'[EMAIL PROTECTED]'i );
# don't run spam check for these RECIPIENT domains:
# @bypass_spam_checks_acl = qw( d1.com .d2.com a.d3.com );
# or the other way around (bypass check for all BUT these):
# @bypass_spam_checks_acl = qw( !d1.com !.d2.com !a.d3.com . );
# a practical application: don't check outgoing mail for spam:
# @bypass_spam_checks_acl = ( "!.$mydomain", "." );
# (a downside of which is that such mail will not count as ham in SA bayes db)
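The ACL examples above (first match wins, '!' negates, 'user@' for a localpart in any domain, 'example.com' versus '.example.com', and '.' as catch-all) are easy to get wrong when the list has several negated entries. Below is a small Python model of those rules, added here for illustration; it is not amavisd-new's own lookup_acl() and README.lookups remains the authority. It also shows the bypass_*_checks rule that a check is only skipped when ALL recipients match. Addresses in the usage section are constructed, and $mydomain is assumed to be example.com.

```python
from typing import Iterable, Optional, Tuple

# Illustrative re-implementation of the ACL lookup semantics described in the
# comments above (not amavisd-new's own code). Matching is case-insensitive
# throughout, which corresponds to $localpart_is_case_sensitive = 0.


def _split(address: str) -> Tuple[str, str]:
    """Return (localpart, domain), lower-cased; domain is '' when absent."""
    localpart, _, domain = address.lower().partition("@")
    return localpart, domain


def acl_entry_matches(entry: str, address: str) -> bool:
    """Does one (already un-negated) ACL entry match the e-mail address?"""
    entry = entry.lower()
    localpart, domain = _split(address)
    if entry == ".":                      # catch-all: everything is under the root domain
        return True
    if entry.endswith("@"):               # 'user@': this localpart, regardless of domain
        return localpart == entry[:-1]
    if "@" in entry:                      # full address
        return address.lower() == entry
    if entry.startswith("."):             # '.example.com': the domain and its subdomains
        bare = entry[1:]
        return domain == bare or domain.endswith("." + bare)
    return domain == entry                # 'example.com': exactly this domain


def lookup_acl(acl: Iterable[str], address: str) -> Optional[bool]:
    """First matching entry decides: True, or False if that entry was negated.
    None means no entry matched, i.e. this table says nothing about the address."""
    for entry in acl:
        negated = entry.startswith("!")
        if acl_entry_matches(entry[1:] if negated else entry, address):
            return not negated
    return None


def bypass_for_all(acl: Iterable[str], recipients: Iterable[str]) -> bool:
    """bypass_*_checks semantics: the check is skipped only when EVERY recipient
    matches the lookup positively; one non-matching recipient keeps the check."""
    acl = list(acl)
    return all(lookup_acl(acl, r) is True for r in recipients)


if __name__ == "__main__":
    # The "don't check outgoing mail for spam" example, $mydomain assumed to be
    # example.com (constructed sample addresses).
    outgoing_acl = ["!.example.com", "."]
    print(lookup_acl(outgoing_acl, "alice@example.com"))   # False: local, keep checking
    print(lookup_acl(outgoing_acl, "bob@elsewhere.org"))   # True: bypass
    print(bypass_for_all(outgoing_acl, ["bob@elsewhere.org", "alice@example.com"]))  # False
```

Note the last call: with one local and one remote recipient the message is still spam-checked, which is exactly the multi-recipient caveat given for bypass_virus_checks above.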
# Where to find SQL server(s) and database to support SQL lookups?
# A list of triples: (dsn,user,passw).  (dsn = data source name)
# Specify more than one for multiple (backup) SQL servers.
#
# @lookup_sql_dsn =
#   ( ['DBI:mysql:mail:host1', 'some-username1', 'some-password1'],
#     ['DBI:mysql:mail:host2', 'some-username2', 'some-password2'] );
# The SQL select clause to fetch per-recipient policy settings.
# The %k will be replaced by a comma-separated list of query addresses
# (e.g. full address, domain only, catchall). Use ORDER, if there
# is a chance that multiple records will match - the first match wins.
# If field names are not unique (e.g. 'id'), the later field overwrites the
# earlier in a hash returned by lookup, which is why we use '*,users.id'.
# No need to uncomment the following assignment if the default is ok.
# $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
# ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
# ' ORDER BY users.priority DESC';
#
# The SQL select clause to check sender in per-recipient whitelist/blacklist
# The first SELECT argument '?' will be users.id from recipient SQL lookup,
# the %k will be sender addresses (e.g. full address, domain only, catchall).
# The default value is:
# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
# ' WHERE (rid=?) AND (sid=mailaddr.id) AND (mailaddr.email IN (%k))'.
# ' ORDER BY mailaddr.priority DESC';
#
# To disable SQL white/black list, set to undef (otherwise comment-out
# the following statement, leaving it at the default value):
$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
# If you decide to pass viruses (or spam) to certain recipients using the
# above lookup tables or using $final_virus_destiny=1, you can set
# the variable $addr_extension_virus ($addr_extension_spam) to some
# string, and the recipient address will have this string appended
# as an address extension to the local-part of the address. This extension
# can be used by final local delivery agent to place such mail in different
# folders. Leave these two variables undefined or empty strings to prevent
# appending address extensions. Setting has no effect on recipient which will
# not be receiving viruses/spam. Recipients who do not match lookup tables
# local_domains* are not affected.
#
# LDAs usually default to stripping away address extension if no special
# handling is specified, so having this option enabled normally does no harm,
# provided the $recipients_delimiter matches the setting on the final
# MTA's LDA.
# $addr_extension_virus  = 'virus';   # (default is undef, same as empty)
# $addr_extension_spam   = 'spam';    # (default is undef, same as empty)
# $addr_extension_banned = 'banned';  # (default is undef, same as empty)
# Delimiter between local part of the recipient address and address extension
# (which can optionally be added, see variables $addr_extension_virus and
# $addr_extension_spam). E.g. recipient address <[EMAIL PROTECTED]> gets changed
# to <[EMAIL PROTECTED]>.
#
# Delimiter should match equivalent (final) MTA delimiter setting.
# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf)
# Setting it to an empty string or to undef disables this feature
# regardless of $addr_extension_virus and $addr_extension_spam settings.
$recipient_delimiter = '+'; # (default is '+')
# true: replace extension; false: append extension
# $replace_existing_extension = 1;  # (default is false)
# Affects matching of localpart of e-mail addresses (left of '@')
# in lookups: true = case sensitive, false = case insensitive
$localpart_is_case_sensitive = 0;  # (default is false)
# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT)
# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
# senders even if the message is recognized as spam. Effectively, for the
# specified senders, message RECIPIENTS temporarily become 'spam_lovers', with
# further processing being the same as otherwise specified for spam lovers.
# It does not turn off inserting spam-related headers, if they are enabled.
#
# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
# Effectively, for messages from blacklisted senders, spam level
# is artificially pushed high, and the normal spam processing applies,
# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual
# reactions to spam, including possible rejection. If the message nevertheless
# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
# in the 'X-Spam-Status' header field, but the reported spam value and
# set of tests in this report header field (if available from SpamAssassin,
# which may have not been called) is not adjusted.
#
# A sender may be both white- and blacklisted at the same time,
# settings are independent. For example, being both white- and blacklisted,
# message is delivered to recipients, but is tagged as spam.
#
# If ALL recipients of the message either white- or blacklist the sender,
# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
#
# The following variables (lookup tables) are available, with the semantics
# and syntax as specified in README.lookups:
#
# %whitelist_sender, @whitelist_sender_acl, $whitelist_sender_re
# %blacklist_sender, @blacklist_sender_acl, $blacklist_sender_re
# SOME EXAMPLES:
#
#ACL:
# @whitelist_sender_acl = qw( .example.com );
#
# @whitelist_sender_acl = ( ".$mydomain" );  # $mydomain and its subdomains
# NOTE: This is not a reliable way of turning off spam checks for
# locally-originating mail, as sender address can easily be faked.
# To reliably avoid spam-scanning outgoing mail,
# use @bypass_spam_checks_acl .
#RE:
# $whitelist_sender_re = new_RE(
#   qr'[EMAIL PROTECTED]'i,
#   qr'[EMAIL PROTECTED]@'i, qr'-request@'i,
#   qr'\.example\.com$'i );
#
$blacklist_sender_re = new_RE(
  qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
  qr'^(investments|lose_weight_today|market.alert|money2you|MyGreenCard)@'i,
  qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
  qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
  qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
  qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);
#HASH lookup variant:
# NOTE: Perl operator qw splits its argument string by whitespace
# and produces a list. This means that addresses can not contain
# whitespace, and there is no provision for comments within the string.
# You can use the normal Perl list syntax if you have special requirements,
# e.g. map {...} ('one [EMAIL PROTECTED]', '.second.com'), or use read_hash to read
# addresses from a file.
#
# a hash lookup table can be read from a file,
# one address per line, comments and empty lines are permitted:
#
# read_hash(\%whitelist_sender, '/var/amavis/whitelist_sender');
read_hash(\%whitelist_sender, '/var/amavis/whitelist');
read_hash(\%blacklist_sender, '/var/amavis/blacklist');
read_hash(\%spam_lovers, '/var/amavis/spam_lovers');
# ... or set directly:
# $whitelist_sender{''} = 1; # don't spam-check MTA bounces
map { $whitelist_sender{lc($_)}=1 } (qw( [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] bugtraq@securityfocus.com [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] returns.groups.yahoo.com ));
# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT
# The same semantics as for global white/blacklisting applies, but this
# time each recipient (or its domain, or subdomain, ...) can be given
# an individual lookup table for matching senders. The per-recipient lookups
# override the global lookups, which serve as a fallback default.
# Specify a two-level lookup table: the key for the outer table is recipient,
# and the result should be an inner lookup table (hash or ACL or RE),
# where the key used will be the sender.
#
#$per_recip_blacklist_sender_lookup_tables = {
# '[EMAIL PROTECTED]'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i),
# '[EMAIL PROTECTED]'=>[qw( [EMAIL PROTECTED],org .d2.example,org )],
#};
#$per_recip_whitelist_sender_lookup_tables = {
# '[EMAIL PROTECTED]' => [qw( [EMAIL PROTECTED] .other.example.org )],
# '.my.example.com' => [qw( !foe.other.example,org .other.example,org )],
# 'abuse@' => { 'postmaster@'=>1,
# '[EMAIL PROTECTED]'=>1, '[EMAIL PROTECTED]'=>1 },
#};
#
# Section VI - Resource limits
#
# Sanity limit to the number of allowed recipients per SMTP transaction
# $smtpd_recipient_limit = 1000;  # (default is 1000)
# Resource limitations to protect against mail bombs (e.g. 42.zip)
# Maximum recursion level for extraction/decoding (0 or undef disables limit)
$MAXLEVELS = 14; # (default is undef, no limit)
# Maximum number of extracted files (0 or undef disables the limit)
$MAXFILES = 1500;  # (default is undef, no limit)
# For the cumulative total of all decoded mail parts we set max storage size
# to defend against mail bombs. Even though parts may be deleted (replaced
# by decoded text) during decoding, the size they occupied is _not_ returned
# to the quota pool.
#
# Parameters to storage quota formula for unpacking/decoding/decompressing
# Formula:
# quota = max($MIN_EXPANSION_QUOTA,
# $mail_size*$MIN_EXPANSION_FACTOR,
# min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR))
# In plain words (later condition overrules previous ones):
# allow MAX_EXPANSION_FACTOR times initial mail size,
# but not more than MAX_EXPANSION_QUOTA,
# but not less than MIN_EXPANSION_FACTOR times initial mail size,
# but never less than MIN_EXPANSION_QUOTA
#
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
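To see which clause of the quota formula wins for a given mail size, here is the formula worked through in Python with the four values set in this config, plus a minimal model of the cumulative accounting described above (space taken by a decoded part is never handed back to the pool). This is an added illustration written for this page, not amavisd-new's own code; the part sizes fed to it are constructed.

```python
# Worked example of the expansion-quota formula, using the values from this
# config. Added illustration, not amavisd-new code.

MIN_EXPANSION_QUOTA = 100 * 1024          # bytes
MAX_EXPANSION_QUOTA = 300 * 1024 * 1024   # bytes
MIN_EXPANSION_FACTOR = 5                  # times original mail size
MAX_EXPANSION_FACTOR = 500                # times original mail size


def expansion_quota(mail_size: int) -> int:
    """quota = max(MIN_EXPANSION_QUOTA,
                   mail_size * MIN_EXPANSION_FACTOR,
                   min(MAX_EXPANSION_QUOTA, mail_size * MAX_EXPANSION_FACTOR))"""
    return max(MIN_EXPANSION_QUOTA,
               mail_size * MIN_EXPANSION_FACTOR,
               min(MAX_EXPANSION_QUOTA, mail_size * MAX_EXPANSION_FACTOR))


class QuotaExceeded(Exception):
    """Raised as soon as the cumulative decoded size crosses the quota."""


def decode_within_quota(mail_size: int, part_sizes) -> int:
    """Charge each decoded/unpacked part against the quota in order and return
    the total charged. The running total is never decremented, so replacing a
    part by its decoded text frees no quota; that is what stops a decompression
    bomb such as 42.zip from being unpacked to completion."""
    quota = expansion_quota(mail_size)
    used = 0
    for size in part_sizes:
        used += size
        if used > quota:
            raise QuotaExceeded(f"decoded {used} bytes, quota is {quota} bytes")
    return used


if __name__ == "__main__":
    for size in (100, 10 * 1024, 1024 * 1024, 100 * 1024 * 1024):
        print(f"{size:>10} byte mail -> quota {expansion_quota(size):>10} bytes")
```

With this config a 100-byte mail gets the 100 KB floor, a 10 KB mail gets 500 times its size, a 1 MB mail is capped at 300 MB, and a 100 MB mail gets 5 times its size (500 MB), which is above MAX_EXPANSION_QUOTA because the "not less than MIN_EXPANSION_FACTOR times" clause overrules the cap, exactly as the plain-words list above says.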
#
# Section VII - External programs, virus scanners
#
# Specify a path string, which is a colon-separated string of directories
# (no trailing slashes!) to be assigned to the environment variable PATH
# and to serve for locating external programs below.
# NOTE: if $daemon_chroot_dir is nonempty, the directories will be
# relative to the chroot directory specified;
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# Specify one string or a search list of strings (first match wins).
# The string (or: each string in a list) may be an absolute path,
# or just a program name, to be located via $path;
# Empty string or undef (=default) disables the use of that external program.
# Optionally command arguments may be specified - only the first substring
# up to the whitespace is used for file searching.
$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
$arc        = ['nomarch', 'arc'];
$gzip       = 'gzip';
$bzip2      = 'bzip2';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$lha        = 'lha';
$unarj      = 'unarj';
$unrar      = 'unrar';
$zoo        = 'zoo';
# SpamAssassin settings
# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
# of the option local_tests_only. See Mail::SpamAssassin man page.
# If set to 1, no tests that require internet access will be performed.
#
# $sa_local_tests_only = 0;  # (default: false)
$sa_auto_whitelist = 1;      # turn on AWL (default: false)
$sa_mail_body_size_limit = 64*1024; # don't waste time on SA if mail is larger
# (less than 1% of spam is > 64k)
# default: undef, no limitations
# default values, can be overridden by more specific lookups, e.g. SQL
$sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.3; # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
# at or above that level: bounce/reject/drop,
# quarantine, and adding mail address extension
#
# The $sa_tag_level_deflt, $sa_tag2_level_deflt and $sa_kill_level_deflt
# may also be hashrefs to hash lookup tables, to make static per-recipient
# settings possible without having to resort to SQL or LDAP lookups.
# Half-supported - it works, but may change.
# a quick reference:
#   tag_level  controls adding the X-Spam-Status and X-Spam-Level headers,
#   tag2_level controls adding 'X-Spam-Flag: YES', and editing Subject,
#   kill_level controls 'evasive actions' (reject, quarantine, extensions);
# it only makes sense to maintain the relationship:
#   tag_level <= tag2_level <= kill_level
# string to prepend to Subject header field when message exceeds kill level
$sa_spam_subject_tag = '***SPAM*** ';  # (defaults to undef, disables)
  # (only seen when spam is not to be rejected
  # and recipient is in local_domains*)
#$sa_spam_modifies_subj = 1; # may be a ref to a lookup table, default is true
# Example: modify Subject for all local recipients except [EMAIL PROTECTED]
#$sa_spam_modifies_subj = [qw( [EMAIL PROTECTED] . )];
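The three thresholds above interact with the sender white/blacklisting described in the ENVELOPE SENDER section (a whitelisted sender makes the recipients behave as spam lovers; a blacklisted sender pushes the spam level high and adds BLACKLISTED to the status, while the reported hits stay unadjusted). The following Python decision table, added here for illustration and not amavisd-new's own code, puts those rules together for one recipient using the levels set in this config. The header texts are simplified, and the 'deliver'/'evasive' action names and the value used to push a blacklisted message over the kill level are assumptions.

```python
from typing import Dict, Tuple

# Illustrative model of tag/tag2/kill handling plus sender white/blacklisting
# for a single recipient. Not amavisd-new code; see assumptions in the lead-in.

SA_TAG_LEVEL = 3.0
SA_TAG2_LEVEL = 6.3
SA_KILL_LEVEL = SA_TAG2_LEVEL
SA_SPAM_SUBJECT_TAG = "***SPAM*** "
BLACKLIST_LEVEL = 64.0        # assumption: any value at or above kill level works


def check_levels(tag: float, tag2: float, kill: float) -> None:
    """The comments insist on tag_level <= tag2_level <= kill_level."""
    if not tag <= tag2 <= kill:
        raise ValueError("need tag_level <= tag2_level <= kill_level")


def disposition(score: float, subject: str, *,
                sender_whitelisted: bool = False,
                sender_blacklisted: bool = False,
                recipient_spam_lover: bool = False) -> Tuple[str, Dict[str, str], str]:
    """Return (action, headers added, resulting Subject) for one recipient."""
    check_levels(SA_TAG_LEVEL, SA_TAG2_LEVEL, SA_KILL_LEVEL)
    # blacklisting pushes the effective level, never the reported score
    level = max(score, BLACKLIST_LEVEL) if sender_blacklisted else score
    headers: Dict[str, str] = {}

    if level >= SA_TAG_LEVEL:                     # tag_level: status and level bar
        flag = "Yes" if level >= SA_TAG2_LEVEL else "No"
        status = f"{flag}, hits={score:.1f} tagged_above={SA_TAG_LEVEL} required={SA_TAG2_LEVEL}"
        if sender_blacklisted:
            status += " BLACKLISTED"               # reported hits stay unadjusted
        headers["X-Spam-Status"] = status
        headers["X-Spam-Level"] = "*" * min(int(level), 64)
    if level >= SA_TAG2_LEVEL:                    # tag2_level: the spam flag
        headers["X-Spam-Flag"] = "YES"

    # kill_level: evasive action unless this recipient gets spam anyway
    spam_lover = recipient_spam_lover or sender_whitelisted
    if level >= SA_KILL_LEVEL and not spam_lover:
        return "evasive", headers, subject         # bounce/reject/drop/quarantine
    if level >= SA_TAG2_LEVEL:                    # subject tag is only seen on delivered mail
        subject = SA_SPAM_SUBJECT_TAG + subject
    return "deliver", headers, subject


if __name__ == "__main__":
    # A sender that is both white- and blacklisted: delivered, but tagged as spam.
    print(disposition(0.5, "hi", sender_whitelisted=True, sender_blacklisted=True))
```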
# @av_scanners is a list of n-tuples, where fields semantics is:
# 1. av scanner plain name, to be used in log and reports;
# 2. scanner program name; this string will be submitted to subroutine
# find_external_programs(), which will try to find the full program
# path name; if program is not found, this scanner is disabled.
# Besides a simple string (full program path name or just the basename
# to be looked for in PATH), this may be an array ref of alternative
# program names or full paths - the first match in the list will be used;
# As a special case for more complex scanners, this field may be
# a subroutine reference, and the whole n-tuple is passed to it as args.
# 3. command arguments to be given to the scanner program;
# a substring {} will be replaced by the directory name to be scanned,
# i.e. "$tempdir/parts"
# 4. an array ref of av scanner exit status values, or a regexp (to be
# matched against scanner output), indicating NO VIRUSES found;
# 5. an array ref of av scanner exit status values, or a regexp (to be
# matched against scanner output), indicating VIRUSES WERE FOUND;
# Note: the virus match prevails over a 'not found' match, so it is safe
# even if 4. matches for viruses too;
# 6. a regexp (to be matched against scanner output), returning a list
# of virus names found.
# 7. and 8.: (optional) subroutines to be executed before and after scanner
# (e.g. to set environment or current directory);
# see examples for these at KasperskyLab AVP and Sophos sweep.
# NOTES:
#
# - NOT DEFINING @av_scanners (e.g. setting it to empty list, or deleting the
# whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE
# (which can be handy if all you want to do is spam scanning);
#
# - the order matters: when several av scanners are found, they are run
# in the order specified; the report from the first one detecting a virus
# will be used (virus names and scanner output); REARRANGE THE ORDER AT WILL;
#
# - it doesn't hurt to keep an unused command line scanner entry in the list
# if the program can not be found; the path search is only performed once
# during the program startup;
#
# COROLLARY: to disable a scanner that _does_ exist on your system,
# comment out its entry or use undef or '' as its program name/path
# (second parameter). An example where this is almost a must: disable
# Sophos sweep if you have its daemonized version Sophie or SAVI-Perl
# (same for Trophie/vscan, and clamd/clamscan).
#
# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES
# for interfacing (where the second parameter starts with \&).
# Keeping such entry and not having a corresponding virus scanner daemon
# causes an unnecessary connection attempt (which eventually times out,
# but it wastes precious time). For this reason the daemonized entries
# are commented in the distribution - just remove the '#' where needed.
@av_scanners = (
# ### http://www.vanja.com/tools/sophie/
# ['Sophie',
#   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],
# ### http://clamav.elektrapro.com/
  ['Clam Antivirus-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", '127.0.0.1:3310'],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# ### http://www.openantivirus.org/
# ['OpenAntiVirus ScannerDaemon (OAV)',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
#   qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],
# ### http://www.vanja.com/tools/trophie/
# ['Trophie',
#   \&ask_daemon, ["{}/\n", '/var/run/trophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
# ### http://www.f-prot.com/
# ['FRISK F-Prot Daemon',
#   \&ask_daemon,
#   ["GET {}/*?-dumb%20-archive HTTP/1.0\r\n\r\n",
#     ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
#      '127.0.0.1:10203','127.0.0.1:10204'] ],
#   qr/(?i)<summary[^>]*>clean<\/summary>/,
#   qr/(?i)<summary[^>]*>infected<\/summary>/,
#   qr/(?i)<name>(.+)<\/name>/ ],
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp','kavscanner'],
    "-* -P -B -Y -O- {}", [0,3,8], [2,4],    # any use for -A -K ?
    qr/infected: (.+)/,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
  ['KasperskyLab AVPDaemonClient',
    ['/opt/AVP/AvpDaemonClient','AvpDaemonClient','/opt/AVP/avpdc','avpdc'],
    '{}', [0,8], [3,4,5,6], qr/infected: (.+)/ ],
  ### http://www.hbedv.com/
  ['H+BEDV AntiVir', 'antivir',
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
  ### http://www.commandsoftware.com/
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/ ],
  ### http://www.symantec.com/
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/Files Infected: 0/, qr/^Infected: /, qr/Info:\s+(.+)/ ],
  ### http://drweb.imshop.de/
  ['DrWeb Antivirus for Linux/FreeBSD/Solaris', 'drweb',
    '-al -ar -fm -go -ha -ml -ot -sd -up {}',
    [0], [1], sub {('no-name')} ],
  ### http://www.f-secure.com/products/anti-virus/
  ['F-Secure Antivirus', 'fsav',
    '--dumb --archive {}', [0], [3,8],
    qr/(?:infection|Infected): (.+)/ ],
  ['CAI InoculateIT', 'inocucmd', '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/ ],
  ['MkS_Vir for Linux (beta)', ['mks32','mks'], '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/ ],
  ['MkS_Vir daemon', 'mksscan', '-s -q {}', [0], [1..7],
    qr/^... (\S+)/ ],
  ### http://www.nod32.com/
  ['ESET Software NOD32', 'nod32', '-all -subdir+ {}', [0], [1,2],
    qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
  ### http://www.nod32.com/
  ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
    '-a -r -d recurse --heur standard {}', [0], [10,11],
    qr/^\S+\s+infected:\s+(.+)/ ],
  ### http://www.norman.com/products_nvc.shtml
  ['Norman Virus Control v5 / Linux', 'nvccmd',
    '-c -l:0 -s -u {}', [0], [1],
    qr/(?i).* virus in .* -> \'(.+)\'/ ],
  ### http://www.pandasoftware.com/
  ['Panda Antivirus for Linux', ['pavcl','pavc'],
    '-aut -aex -heu -cmp -nor -nso -eng {}',
    qr/Number of files infected\.*: 0(?!\d)/,
    qr/Number of files infected\.*: 0*[1-9]/,
    qr/Found virus :\s*(\S+)/ ],
  # Check your RAV license terms before fiddling with the following two lines!
  # ['GeCAD RAV AntiVirus 8', 'ravav',
  #   '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
  # # NOTE: the command line switches changed with scan engine 8.5 !
  # # (btw, assigning stdin to /dev/null causes RAV to fail)
  ### http://www.nai.com/
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --summary --noboot {}', [0], [13],
    qr/(?x) Found (?: \ the\ (.+)\ (?:virus|trojan) | \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | :\ (.+)\ NOT\ a\ virus)/ ],
  ### http://www.virusbuster.hu/en/
  ['VirusBuster (Client + Daemon)', 'vbengd',
    # HINT: for an infected file it returns always 3,
    # although the man-page tells a different story
    '-f -log scandir {}', [0], [3],
    qr/Virus found = (.*);/ ],
  ### http://www.centralcommand.com/
  ['CentralCommand Vexira - engine based on H+BEDV AntiVir/X', 'vexira',
    '-allfiles -noboot -s -z {}', [0], [1],
    qr/(?i)VIRUS: .* virus (.+)/ ],
  ### http://www.cyber.com/
  ['CyberSoft VFind', 'vfind', '-vexit {}', [0], [23],
    qr/##==>>>> VIRUS ID: CVDL (.+)/ ],
  ### http://www.ikarus-software.com/
  ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40],
    qr/Signature (.+) found/ ],
  ### http://www.bitdefender.com/
  ['BitDefender', 'bdc', '--all --arc {}',
    qr/^Infected files *:0(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)\033/ ],
);
# If no virus scanners from the @av_scanners list produce 'clean' nor
# 'infected' status (e.g. they all fail to run or the list is empty),
# then the scanners of the @av_scanners_backup list are tried.
# When there are both daemonized and command-line scanners available,
# it is customary to place slower command-line scanners in the
# @av_scanners_backup list.
@av_scanners_backup = (
  ### http://clamav.elektrapro.com/
  ['Clam Antivirus - clamscan', 'clamscan',
    '--stdout --disable-summary -r {}', [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ### http://www.f-prot.com/
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6], qr/Infection: (.+)/ ],
  ### http://www.trendmicro.com/
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
# Commented out because the name 'sweep' clashes with the Debian package of
# the same name. Make sure the correct sweep is found in the path when enabling
#
# ### http://www.sophos.com/
# ['Sophos Anti Virus (sweep)', 'sweep',
# '-nb -f -all -rec -ss -sc -archive {}',
# [0,2], qr/Virus .*? found/,
# qr/^>>> Virus(?:(?: fragment)? '?(.+?)'? found)/,
# # sub {$ENV{SAV_IDE}='/usr/local/sav'},
# ],
);
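The n-tuple description for @av_scanners (exit-status list or regexp meaning "clean", the same meaning "infected", a regexp or subroutine yielding virus names, "infected" prevailing over "clean", first-detecting-scanner-wins, and @av_scanners_backup only consulted when no primary scanner gave a verdict) is worth seeing as executable logic. The Python below, added here for illustration and not amavisd-new's own run_av()/ask_daemon() code, models that interpretation for two entries translated from this config: the clamd daemon from the primary list and the F-Prot command-line scanner from the backup list. Scanner outputs are constructed, and Python's re.M stands in for Perl's per-line matching.

```python
import re
from typing import Callable, Dict, List, Sequence, Tuple, Union

# Illustrative model of @av_scanners field interpretation (not amavisd code).
Criterion = Union[Sequence[int], re.Pattern]            # field 4 or 5
NameSource = Union[re.Pattern, Callable[[], Sequence[str]]]  # field 6
Entry = Tuple[str, object, str, Criterion, Criterion, NameSource]

# Two entries translated from this config (names kept, regexps as in the file).
CLAMD: Entry = ("Clam Antivirus-clamd", "ask_daemon", "CONTSCAN {}\n",
                re.compile(r"\bOK$", re.M), re.compile(r"\bFOUND$", re.M),
                re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M))
FPROT: Entry = ("FRISK F-Prot Antivirus", "f-prot", "-dumb -archive -packed {}",
                [0, 8], [3, 6], re.compile(r"Infection: (.+)"))


def _matches(criterion: Criterion, status: int, output: str) -> bool:
    """A regexp is matched against the scanner output, a list against the exit status."""
    if isinstance(criterion, re.Pattern):
        return criterion.search(output) is not None
    return status in criterion


def _virus_names(source: NameSource, output: str) -> List[str]:
    if callable(source):                       # e.g. DrWeb's sub {('no-name')}
        return list(source())
    names = []
    for m in source.finditer(output):
        groups = [g for g in m.groups() if g]  # first non-empty capture group
        names.append(groups[0] if groups else m.group(0))
    return names


def evaluate_scanner(entry: Entry, status: int, output: str) -> Tuple[str, List[str]]:
    """('infected', names) / ('clean', []) / ('unknown', []) for one scanner run."""
    _name, _prog, _args, clean, infected, names = entry
    if _matches(infected, status, output):     # virus match prevails over 'clean'
        return "infected", _virus_names(names, output)
    if _matches(clean, status, output):
        return "clean", []
    return "unknown", []


# scanner name -> (exit status, captured output); a scanner absent from the
# dict stands for "program not found / daemon unreachable".
Results = Dict[str, Tuple[int, str]]


def run_scanner_list(scanners: Sequence[Entry], results: Results):
    """Run the list in order; the first scanner reporting a virus supplies the
    report, otherwise the first 'clean' verdict stands, otherwise 'unknown'."""
    verdict = ("unknown", [], None)
    for entry in scanners:
        if entry[0] not in results:
            continue
        kind, names = evaluate_scanner(entry, *results[entry[0]])
        if kind == "infected":
            return "infected", names, entry[0]
        if kind == "clean" and verdict[0] == "unknown":
            verdict = ("clean", [], entry[0])
    return verdict


def scan(primary: Sequence[Entry], backup: Sequence[Entry], results: Results):
    verdict = run_scanner_list(primary, results)
    if verdict[0] == "unknown":                # neither clean nor infected: try backups
        verdict = run_scanner_list(backup, results)
    return verdict


if __name__ == "__main__":
    # Constructed clamd CONTSCAN output: one clean part, one hit.
    out = "/var/amavis/tmp/parts/p001: OK\n/var/amavis/tmp/parts/p002: Eicar-Test-Signature FOUND\n"
    print(scan([CLAMD], [FPROT], {"Clam Antivirus-clamd": (0, out)}))
```

Note how the clamd entry's "clean" regexp matches the first output line and its "infected" regexp matches the second; the infected verdict wins, as the note under field 5 says, so it is safe that field 4 also matches.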
#
# Section VIII - Debugging
#
# The most useful debugging tool is to run amavisd-new non-detached
# from a terminal window:
#   amavisd debug
# Some more refined approaches:
# If sender matches ACL, turn debugging fully up, just for this one message
[EMAIL PROTECTED] = ( "[EMAIL PROTECTED]" );
[EMAIL PROTECTED] = qw( [EMAIL PROTECTED] );
# May be useful along with @debug_sender_acl:
# Prevent all decoded originals being deleted (replaced by decoded part)
#$keep_decoded_original_re = new_RE( qr/.*/ );
# Turn on SpamAssassin debugging (output on STDERR, use with 'amavisd debug')
$sa_debug = 1; # defaults to false
#-------------
1;  # ensure a defined return
##########################################
Florian Effenberger wrote:
Hi Mojo,
Compare the headers of a mail going through each way, and see which rules are affecting the score.
An example is the 70-80% blank lines ruleset, which is not being checked from within amavisd-new.
Florian