| Beide Seiten der vorigen RevisionVorhergehende ÜberarbeitungNächste Überarbeitung | Vorhergehende Überarbeitung |
| tachtler:amavis_centos_7 [2017/06/19 14:16] – [AMaViSd-new - TLS-patch] klaus | tachtler:amavis_centos_7 [2020/05/11 08:58] (aktuell) – [(Ab Version 1.7.x) /etc/sysconfig/amavisd-milter] klaus |
|---|
| |
| Um **alle möglichen Konfigurationsparameter** einsehen zu können, wird mit der Installation des [[http://www.ijs.si/software/amavisd/|AMaViS]] nachfolgende **Default-Konfigurationsdatei** in nachfolgendem Verzeichnis mit nachfolgendem Namen installiert, welche als **Referenz** für **alle Konfigurationsdirektiven** verwendet werden kann: | Um **alle möglichen Konfigurationsparameter** einsehen zu können, wird mit der Installation des [[http://www.ijs.si/software/amavisd/|AMaViS]] nachfolgende **Default-Konfigurationsdatei** in nachfolgendem Verzeichnis mit nachfolgendem Namen installiert, welche als **Referenz** für **alle Konfigurationsdirektiven** verwendet werden kann: |
| * ''/usr/share/doc/amavisd-new-2.10.1/amavisd.conf-default'' | * ''/usr/share/doc/amavisd-new-2.10.1/amavisd.conf-default'' bzw. |
| | * ''/usr/share/doc/amavisd-new-2.11.0/amavisd.conf-default'' |
| |
| Welche Konfigurationsparameter gesetzt werden sollten, soll in nachfolgender **Beispielkonfigurationsdatei** dargestellt werden. | Welche Konfigurationsparameter gesetzt werden sollten, soll in nachfolgender **Beispielkonfigurationsdatei** dargestellt werden. |
| |
| <code perl> | <code perl> |
| | use strict; |
| |
| | ## AMaViS - amavsid-new configuration. |
| | |
| | ## The 'after-default' comment indicates that these variables obtain their |
| | ## default value if the config file left them undefined. It means these values |
| | ## are not yet available during processing of the configuration file, but that |
| | ## they can derive their value from other configurations variables no matter |
| | ## where in the configuration file they appear. |
| | |
| | |
| | ## GENERAL |
| | |
| | $myhostname = 'amavis.idmz.tachtler.net'; # FQDN des Servers. |
| | $mydomain = 'tachtler.net'; # Basiseinstellung. |
| | # $snmp_contact = ''; |
| | # $snmp_location = ''; |
| | $daemon_user = 'amavis'; # Benutzer, unter dem der AMaViS-Dienst gestartet wird. [-u] |
| | $daemon_group = 'amavis'; # Gruppe, unter der der AMaViS-Dienst gestartet wird. [-g] |
| | $MYHOME = '/var/spool/amavisd'; # Basiseinstellung. [-H] |
| | $TEMPBASE = "$MYHOME/tmp"; # Arbeitsverzeichnis, muss vor dem Start existieren. [-T] |
| | $db_home = "$MYHOME/db"; # Verzeichnis fuer bdb nanny/cache/snmp Datenbanken. [-D] |
| | $pid_file = "/var/run/amavisd/amavisd.pid"; # PID (Process-ID)-Datei. [-P] |
| | $lock_file = "/var/run/amavisd/amavisd.lock"; # Lock (Process-Lock)-Datei. [-L] |
| | # $daemon_chroot_dir = undef; |
| | $max_requests = 20; # Beenden eines Kind-Prozesses nach xx Aufrufen. (Speicher). |
| | $max_servers = 4; # Anzahl der maximalen gleichzeitig laufenden Kind-Prozesse. [-m] |
| | $min_servers = 1; # Anzahl der minimal gleichzeitig laufenden Kind-Prozesse. |
| | $min_spare_servers = 1; # Anzahl der minimal vorgehaltenen Kind-Prozesse. |
| | $max_spare_servers = 3; # Anzahl der maximal vorgehaltenen Kind-Prozesse. |
| | # $child_timeout = 8*60; |
| | # $localpart_is_case_sensitive = 0; |
| | $enable_db = 1; # Nutzung der BerkeleyDB/libdb (SNMP und nanny). |
| | # $enable_zmq = undef; |
| | # @zmq_sockets = ( "ipc://$MYHOME/amavisd-zmq.sock" ); # after-default |
| | $nanny_details_level = 2; # nanny - Log-Level: 0 (aus), 1 (traditionell), 2 (detailiert). |
| | # @additional_perl_modules = (); |
| | @local_domains_maps = ( [".$mydomain"] ); # Liste aller lokalen Sub/Domains. |
| | @mynetworks = qw( 0.0.0.0/32 127.0.0.0/8 |
| | 192.168.0.0/24 192.168.1.0/24 |
| | 192.168.2.0/25 88.217.171.167/32 ); # Liste aller als lokal angesehenen IP-Adressen und Netze. |
| | # @mynetworks_maps = (\@mynetworks); |
| | # @client_ipaddr_policy = map { $_ => 'MYNETS' } @mynetworks_maps; |
| | |
| | |
| | ## LOGGING AND DEBUGGING |
| | |
| | $log_level = 3; # Log-Level: 0..5. [-d] |
| | # $logfile = undef; |
| | $do_syslog = 1; # Syslog-Schreibung nutzen. |
| | $syslog_ident = 'amavis'; # Dienst-Identitaet bei der syslog-Scheribung. |
| | $syslog_facility = 'mail'; # Dienst-Bereichs-Identitaet bei der syslog-Schereibung. |
| | # $logline_maxlen = 980; |
| | # enable_log_capture_dump = undef; |
| | |
| | # $log_short_templ ... built-in default at the end of file amavisd |
| | # $log_verbose_templ ... built-in default at the end of file amavisd |
| | # $log_recip_templ = ... built-in default at the end of file amavisd |
| | # $log_templ = $log_short_templ; |
| | |
| | # @debug_sender_acl = (); |
| | # @debug_sender_maps = (\@debug_sender_acl); |
| | # @debug_recipient_maps = (); |
| | # $sa_debug = undef; |
| | # $allow_preserving_evidence = 1; |
| | |
| | |
| | ## DKIM VERIFICATION |
| | |
| | $enable_dkim_verification = 0; # Deaktiviert die DKIM Ueberpruefung, wegen OpenDKIM-Milter! |
| | # $reputation_factor = 0.2; |
| | # @signer_reputation_maps = (); |
| | # @author_to_policy_bank_maps = (); |
| | # $dkim_minimum_key_bits = 1024; |
| | # $myauthservid = $myhostname; # after-default (RFC 5451) |
| | # $dkim_minimum_key_bits = 1024; |
| | |
| | ## DKIM SIGNING |
| | |
| | $enable_dkim_signing = 0; # Deaktiviert das Signieren der ausgehenden e-Mails mit dem Schluessel unter dkim_key. |
| | dkim_key('tachtler.net', 'main', '/etc/pki/amavis/dkim/dkim.key', h=>'sha256'); # Spezifikationen zum DKIM-Schluessel und dessen Anwendung. |
| | # %dkim_signing_keys = (); |
| | @dkim_signature_options_bysender_maps = ( |
| | { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } |
| | ); # Optionen zur DKIM-Signaturerstellung. |
| | # $dkim_signing_service = undef; |
| | # |
| | # for (qw(Accept-Language Archived-At Auto-Submitted Content-Alternative |
| | # Content-Base Content-Class Content-Description Content-Disposition |
| | # Content-Duration Content-Features Content-Id Content-Language |
| | # Content-Location Content-MD5 Content-Transfer-Encoding In-Reply-To |
| | # List-Archive List-Help List-Id List-Owner List-Post List-Subscribe |
| | # List-Unsubscribe Message-Context Message-ID MIME-Version |
| | # Organisation Organization Original-Message-ID Pics-Label |
| | # Precedence Received References Reply-To Resent-Date Resent-From |
| | # Resent-Message-ID Resent-Sender Sensitivity Solicitation |
| | # User-Agent VBR-Info X-Mailer)) { $signed_header_fields{lc $_} = 1 } |
| | # for (qw(From Date Subject Content-Type)) { $signed_header_fields{lc $_} = 2 } |
| | $signed_header_fields{'received'} = 0; # Received: from-Zeile aus DKIM-Signatur-Berechnung ausnehmen. |
| | |
| | |
| | ## MTA INTERFACE - INPUT |
| | |
| | # @listen_sockets = ... $unix_socketname and $inet_socket_port are added here |
| | $unix_socketname = "/var/run/amavisd/amavisd.sock"; # Unix socket zur Nutzung des AMaViS "helper protocol". |
| | # $unix_socket_mode = undef; # sets sockets protection (numeric mode), or undef |
| | $inet_socket_port = [10024,10026]; # Akzeptiert Verbindungen via TCP auf diesen Port(s) (SMTP...). |
| | $inet_socket_bind = undef; # AMaViS NICHT an einen Socket binden, sondern @inet_acl nutzen. |
| | # $inet_socket_bind = [ '127.0.0.1', '[::1]' ]; # if both inet & inet6 avail. |
| | # $inet_socket_bind = '127.0.0.1'; # if only inet available |
| | # $inet_socket_bind = '[::1]' # if only inet6 available |
| | @inet_acl = qw( 0.0.0.0/32 127.0.0.0/8 |
| | 192.168.0.0/24 192.168.1.0/24 |
| | 192.168.2.0/25 88.217.171.167/32 ); # AMaViS ist nicht auf dem MTA-Host und via Netzwerk erreichbar. |
| | # $listen_queue_size = undef; |
| | |
| | # $protocol = ... defaults to 'SMTP' or 'LMTP' (autodetected) on inet and inet6 |
| | # sockets; must be configured explicitly for Unix sockets. |
| | # Possible values: 'SMTP', 'LMTP', 'AM.PDP', |
| | # and with appropriate patches applied also: 'COURIER' or 'QMQPqq' |
| | |
| | # $soft_bounce = undef; |
| | # $smtpd_timeout = 8*60; |
| | # $smtpd_recipient_limit = 1100; |
| | # $smtpd_message_size_limit = undef; # site-wide limit |
| | # @message_size_limit_maps = (); # per-recipient limits |
| | # $smtpd_greeting_banner = '${helo-name} ${protocol} ${product} service ready'; |
| | # $smtpd_quit_banner = '${helo-name} ${product} closing transmission channel'; |
| | # $auth_required_inp = undef; |
| | # $auth_required_release = 1; |
| | # @auth_mech_avail=(); # empty list disables incoming AUTH; or: qw(PLAIN LOGIN) |
| | # $smtp_connection_cache_on_demand = 1; |
| | # $smtp_connection_cache_enable = 1; |
| | # $enforce_smtpd_message_size_limit_64kb_min = 1; |
| | # @smtpd_discard_ehlo_keywords = (); |
| | |
| | # Tachtler |
| | # SEE: https://raw.githubusercontent.com/benningm/amavisd-new/master/amavisd |
| | # SEE: http://search.cpan.org/~sullr/IO-Socket-SSL-2.049/lib/IO/Socket/SSL.pod#Description_Of_Methods |
| | $tls_security_level_in = 'may'; # Opportunistische TLS Transportverschluesselung eingehend aktiviere |
| | %smtpd_tls_server_options = ( |
| | SSL_verifycn_scheme => 'smtp', |
| | SSL_session_cache => 2, |
| | SSL_cert_file => '/etc/pki/amavis/certs/CAcert-class3-wildcard.crt', |
| | SSL_key_file => '/etc/pki/amavis/private/tachtler.net.key', |
| | SSL_dh_file => '/etc/pki/amavis/private/dh_2048.pem', |
| | SSL_ca_file => '/etc/pki/tls/certs/ca-bundle.crt', |
| | SSL_version => 'SSLv23:!SSLv3:!SSLv2', |
| | SSL_cipher_list => 'ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES:!CBC3-SHA:!iAES128-SHA:!DHE-RSA-AES128-SHA:!AES256-SHA:!DHE-RSA-AES256-SHA:!CAMELLIA128-SHA:!iDHE-RSA-CAMELLIA128-SHA:!iCAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA', |
| | SSL_honor_cipher_order => '1', |
| | SSL_verify_mode => 'SSL_VERIFY_NONE', |
| | SSL_passwd_cb => sub { 'example' }, |
| | ); |
| | |
| | ## MTA INTERFACE - OUTPUT |
| | |
| | ## see also $notify_method, $forward_method and $*_quarantine_method |
| | |
| | $localhost_name = 'amavis.idmz.tachtler.net'; # Eigener EHLO Name, welcher in den Received-Zeilen verwendet wird. |
| | # $local_client_bind_address = undef; # my source IP address as a SMTP client |
| | # $auth_required_out = undef; |
| | # $amavis_auth_user = undef; # for submitting notifications and quarantine |
| | # $amavis_auth_pass = undef; |
| | # $auth_reauthenticate_forwarded = undef; # our credentials for forwarding too |
| | |
| | # Tachtler |
| | # SEE: https://raw.githubusercontent.com/benningm/amavisd-new/master/amavisd |
| | # SEE: http://search.cpan.org/~sullr/IO-Socket-SSL-2.049/lib/IO/Socket/SSL.pod#Description_Of_Methods |
| | $tls_security_level_out = 'may'; # Opportunistisches TLS Transportverschluesselung ausgehend aktivieren. |
| | %smtp_tls_client_options = ( |
| | # SSL_verifycn_scheme => 'smtp', |
| | SSL_verifycn_scheme => 'none', |
| | SSL_version => 'SSLv23:!SSLv3:!SSLv2', |
| | SSL_cipher_list => 'ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES:!CBC3-SHA:!iAES128-SHA:!DHE-RSA-AES128-SHA:!AES256-SHA:!DHE-RSA-AES256-SHA:!CAMELLIA128-SHA:!iDHE-RSA-CAMELLIA128-SHA:!iCAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA', |
| | SSL_client_ca_file => '/etc/pki/tls/certs/ca-bundle.crt', |
| | SSL_honor_cipher_order => '1', |
| | SSL_verify_mode => 'SSL_VERIFY_PEER', |
| | ); |
| | |
| | |
| | ## MAIL FORWARDING |
| | |
| | # Tachtler |
| | # default: # $forward_method = 'smtp:[127.0.0.1]:10025'; # may be arrayref |
| | $forward_method = 'smtp:[192.168.0.60]:10025'; # Rueckgabe von gescannten Nachrichten an Postfix. undef bei NUR MILTER !!! |
| | |
| | # # or 'smtp:[::1]:10025' when INET6 is available |
| | # @forward_method_maps = ( sub { Opaque(c('forward_method')) } ); |
| | # $resend_method = undef; # falls back to $forward_method |
| | # $always_bcc = undef; |
| | |
| | $final_virus_destiny = D_REJECT; # Aktion bei Virus e-Mails. (D_PASS, D_DISCARD, D_BOUNCE ,D_REJECT) |
| | $final_banned_destiny = D_REJECT; # Aktion bei geblockten Dateianhaengen e-Mails. |
| | $final_spam_destiny = D_REJECT; # Aktion bei SPAM e-Mails. |
| | $final_bad_header_destiny = D_PASS; # Aktion bei schlechten/unfvollstaendigen Header e-Mails. |
| | |
| | |
| | ## QUARANTINE |
| | |
| | # $release_method = undef; # falls back to $notify_method |
| | # $requeue_method = 'smtp:[127.0.0.1]:25'; |
| | # # or 'smtp:[::1]:25' when INET6 is available |
| | # $release_format = 'resend'; # (dsn), (arf), attach, plain, resend |
| | # $report_format = 'arf'; # (dsn), arf, attach, plain, resend |
| | # $attachment_password = ''; # '': no pwd, undef: PIN, code ref, or static str |
| | # $attachment_email_name = 'msg-%m.eml'; |
| | # $attachment_outer_name = 'msg-%m.zip'; |
| | |
| | # $virus_quarantine_method = 'local:virus-%m'; |
| | # $spam_quarantine_method = 'local:spam-%m.gz'; |
| | # $banned_files_quarantine_method = 'local:banned-%m'; |
| | # $bad_header_quarantine_method = 'local:badh-%m'; |
| | # $clean_quarantine_method = undef; |
| | # $archive_quarantine_method = undef; |
| | |
| | # $mail_id_size_bits = 72; |
| | |
| | $QUARANTINEDIR = undef; # KEIN Quarantaene Ablageort definiert. [-Q] |
| | # $quarantine_subdir_levels = undef; # 0 or 1 (undef treated as 0) |
| | # $sql_quarantine_chunksize_max; # see SQL section |
| | |
| | $virus_quarantine_to = undef; # KEIN Quarantaene Ablageort fuer Virus e-Mails. |
| | $banned_quarantine_to = undef; # KEIN Quarantaene Ablageort fuer geblockte Dateinanhaenge e-Mails. |
| | $bad_header_quarantine_to = undef; # KEIN Quarantaene Ablageort fuer schlechten/unfvollst. Header e-Mails. |
| | $spam_quarantine_to = undef; # KEIN Quarantaene Ablageort fuer SPAM e-Mails. |
| | # $spam_quarantine_bysender_to = undef; |
| | # $clean_quarantine_to = 'clean-quarantine'; |
| | # $archive_quarantine_to = 'archive-quarantine'; |
| | |
| | # @virus_quarantine_to_maps = (\$virus_quarantine_to); |
| | # @banned_quarantine_to_maps = (\$banned_quarantine_to); |
| | # @bad_header_quarantine_to_maps = (\$bad_header_quarantine_to); |
| | # @spam_quarantine_to_maps = (\$spam_quarantine_to); |
| | # @spam_quarantine_bysender_to_maps = (\$spam_quarantine_bysender_to); |
| | # @clean_quarantine_to_maps = (\$clean_quarantine_to); |
| | # @archive_quarantine_to_maps = (\$archive_quarantine_to); |
| | |
| | # %local_delivery_aliases ... predefined, used by a delivery method 'local:' |
| | $mailfrom_to_quarantine = ''; # Quarantaene Anwtort e-Mail-Adresse, undef (Original Absender), '' (<>). |
| | |
| | |
| | ## NOTIFICATIONS (DSN, admin, recip) |
| | |
| | $notify_method = 'smtp:[192.168.0.60]:10025'; # Transport von Meldungen über gescannte Nachrichten zurueck an Postfix. |
| | # # or 'smtp:[::1]:10025' when INET6 is available |
| | |
| | # $propagate_dsn_if_possible = 1; |
| | # $terminate_dsn_on_notify_success = 0; |
| | |
| | # $newvirus_admin = undef; |
| | $virus_admin = "virusalert\@$mydomain"; # E-Mail an, falls eine Virus entdeckt wurde. |
| | # $spam_admin = undef; |
| | $banned_admin = "bannedfilealert\@$mydomain"; # E-Mail an, falls eine Dateianhang geblockt wurde. |
| | # $bad_header_admin = undef; |
| | |
| | # $dsn_bcc = undef; |
| | |
| | # @newvirus_admin_maps = (\$newvirus_admin); |
| | # @virus_admin_maps = (\%virus_admin, \$virus_admin); |
| | # @banned_admin_maps = (\$banned_admin); |
| | # @spam_admin_maps = (\%spam_admin, \$spam_admin); |
| | # @bad_header_admin_maps = (\$bad_header_admin); |
| | |
| | # $hdr_encoding = 'UTF-8'; # header field bodies charset |
| | # $bdy_encoding = 'UTF-8'; # notification body text charset |
| | # $hdr_encoding_qb = 'Q'; # quoted-printable (Q or B) |
| | |
| | # $notify_sender_templ = ... built-in default at the end of file amavisd |
| | # $notify_virus_sender_templ = ... built-in default at the end of file amavisd |
| | # $notify_spam_sender_templ = ... built-in default at the end of file amavisd |
| | # $notify_virus_admin_templ = ... built-in default at the end of file amavisd |
| | # $notify_spam_admin_templ = ... built-in default at the end of file amavisd |
| | $notify_virus_recips_templ = read_text('/etc/amavisd/notify_virus_recips.txt'); |
| | # $notify_spam_recips_templ = ... built-in default at the end of file amavisd |
| | # $notify_release_templ = ... built-in default at the end of file amavisd |
| | # $notify_report_templ = ... built-in default at the end of file amavisd |
| | |
| | $mailfrom_notify_admin = "mailfilter\@$mydomain"; # Absender von administrativen Benachrichtigungen. |
| | $mailfrom_notify_recip = "mailfilter\@$mydomain"; # Absender von Empfaengerbenachrichtigungen. |
| | $mailfrom_notify_spamadmin = "spamfilter\@$mydomain"; # Absender von SPAM-Filter Benachrichtigungen. |
| | |
| | ## these are after-defaults: |
| | # $hdrfrom_notify_sender = "\"Content-filter at $myhostname\" <postmaster\@$myhostname>"; |
| | # $hdrfrom_notify_recip = ... derived from $mailfrom_notify_recip |
| | # $hdrfrom_notify_admin = ... derived from $mailfrom_notify_admin |
| | # $hdrfrom_notify_spamadmin = ... derived from $mailfrom_notify_spamadmin |
| | # $hdrfrom_notify_release = $hdrfrom_notify_sender; |
| | # $hdrfrom_notify_report = $hdrfrom_notify_sender; |
| | |
| | # $warnbannedsender = undef; |
| | # $warnbadhsender = undef; |
| | |
| | # $warn_offsite = undef; |
| | |
| | # $warnvirusrecip = undef; |
| | # $warnbannedrecip = undef; |
| | # $warnbadhrecip = undef; |
| | # @warnvirusrecip_maps = (\$warnvirusrecip); |
| | # @warnbannedrecip_maps = (\$warnbannedrecip); |
| | # @warnbadhrecip_maps = (\$warnbadhrecip); |
| | |
| | |
| | ## MODIFICATIONS TO PASSED MAIL |
| | |
| | # %allowed_added_header_fields = ...; # built-in default |
| | # %prefer_our_added_header_fields = ...; # built-in default |
| | # $remove_existing_x_scanned_headers = 0; |
| | # $remove_existing_spam_headers = 1; |
| | # @remove_existing_spam_headers_maps = (\$remove_existing_spam_headers); |
| | # $allow_fixing_improper_header = 1; # all-white folding lines and long lines |
| | # $allow_fixing_improper_header_folding = 1; |
| | # $allow_fixing_long_header_lines = 1; |
| | # $prepend_header_fields_hdridx = 0; |
| | |
| | # $X_HEADER_TAG = 'X-Virus-Scanned'; # after-default |
| | # $X_HEADER_LINE = "$myproduct_name at $mydomain"; # after-default |
| | |
| | $defang_virus = 1; # Fuegt die gesamte Virus e-Mail als MIME-Container an. |
| | $defang_banned = 1; # Fuegt die gesamte geblockte Dateianhang e-Mails als MIME-Container an. |
| | $defang_spam = 1; # Fuegt die gesamte SPAM e-Mail als MIME-Container an. |
| | # $defang_bad_header = undef; |
| | $defang_undecipherable = 1; # Fuegt die nicht leserliche e-Mail als MIME-Container an. |
| | # $defang_all = undef; # mostly for testing |
| | |
| | $defang_by_ccat{CC_BADH.",3"} = 1; # <NUL> oder <CR> Zeichen im Header enthalten. |
| | $defang_by_ccat{CC_BADH.",5"} = 1; # Header Zeile ist laenger als 998 Zeichen. |
| | $defang_by_ccat{CC_BADH.",6"} = 1; # Fehlerhafter Syntax im Header. |
| | |
| | # $allow_disclaimers = undef; |
| | # $outbound_disclaimers_only = undef; |
| | # $enable_anomy_sanitizer = 0; |
| | # @anomy_sanitizer_args = (); # a config file or list of var=value pairs |
| | # **************************************************************************** |
| | # * ! DISABLE alterMIME, when using amavisd-milter, it's NOT COMPATIBLE. ! * |
| | # **************************************************************************** |
| | $altermime = '/usr/bin/altermime'; # Pfad zum Programm (binary) alterMIME |
| | @altermime_args_defang = qw(--verbose --removeall); # Verarbeitung definieren. |
| | # Definition der einzelnen Disclaimersyntax und der entsprechenden Disclaimerdateien fuer die einzelnen Benutzer. |
| | @altermime_args_disclaimer = qw(--disclaimer=/etc/amavisd/altermime/_OPTION_.text --disclaimer-html=/etc/amavisd/altermime/_OPTION_.html); |
| | @disclaimer_options_bysender_maps = ( |
| | { 'root@tachtler.net' => 'disclaimer-root', |
| | 'postmaster@tachtler.net' => 'disclaimer-postmaster', |
| | 'klaus@tachtler.net' => 'disclaimer-klaus', |
| | '.' => 'disclaimer-default' }, |
| | ); # Definition der einzelnen Disclaimer. |
| | $defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ]; # Anhaengen der Disclaimer beim verarbeiten der e-Mails. |
| | |
| | # $undecipherable_subject_tag = '***UNCHECKED*** '; |
| | $sa_spam_subject_tag = '***SPAM*** '; # Kennzeichnung im Betreff von als SPAM deklarierten Nachrichten. |
| | # $sa_spam_level_char = '*'; |
| | |
| | # @spam_subject_tag_maps = (\$sa_spam_subject_tag1); # N.B.: inconsistent name |
| | # @spam_subject_tag2_maps = (\$sa_spam_subject_tag); # N.B.: inconsistent name |
| | # @spam_subject_tag3_maps = (); |
| | |
| | |
| | ## ADDING ADDRESS EXTENSIONS TO RECIPIENTS - 'plus addressing' |
| | |
| | $recipient_delimiter = '+'; # Adresszusatz fuer Nachrichten mit 'Adress-Delimeter'. |
| | # $replace_existing_extension = 1; |
| | # $addr_extension_virus = undef; |
| | # $addr_extension_banned = undef; |
| | # $addr_extension_spam = undef; |
| | # $addr_extension_bad_header = undef; |
| | @addr_extension_virus_maps = ('virus'); # Adresszusatz fuer Viren Nachrichten. |
| | @addr_extension_banned_maps = ('banned'); # Adresszusatz fuer geblockte Dateianhaenge Nachrichten. |
| | @addr_extension_spam_maps = ('spam'); # Adresszusatz fuer SPAM Nachrichten. |
| | @addr_extension_bad_header_maps = ('badh'); # Adresszusatz fuer schlechten/unfvollstaendigen Header Nachrichten. |
| | |
| | |
| | ## MAIL DECODING |
| | |
| | # $bypass_decode_parts = undef; |
| | |
| | # $keep_decoded_original_re = undef; |
| | @keep_decoded_original_maps = (new_RE( |
| | qr'^MAIL$', # let virus scanner see full original message |
| | qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable |
| | qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, |
| | # qr'^Zip archive data', # don't trust Archive::Zip |
| | )); |
| | |
| | # $map_full_type_to_short_type_re = ... predefined regexp lookup table |
| | # @map_full_type_to_short_type_maps = (\$map_full_type_to_short_type_re); |
| | |
| | $MAXLEVELS = 14; # Verzeichnistiefe bei zu pruefenden e-Mail-Anhaengen. |
| | $MAXFILES = 3000; # Maximale Anzahl an Dateien bei zu pruefenden e-Mail-Anhaengen. |
| | $MIN_EXPANSION_QUOTA = 100*1024; # Minimale Groesse von Dateianhaengen, damit diese entpackt werden. |
| | $MAX_EXPANSION_QUOTA = 500*1024*1024; # Maximale Groesse von Dateianhaengen, bis zu der diese entpackt werden. |
| | # $MIN_EXPANSION_FACTOR = 5; # times original mail size |
| | # $MAX_EXPANSION_FACTOR = 500; # times original mail size |
| | |
| | $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; # Suchpfadangaben fuer Zusatzprogramme. |
| | # $file = 'file'; |
| | |
| | # For backward compatibility the @decoders list defaults to use of legacy |
| | # variables $gzip, $bzip2, $lzop, ... It is cleaner to explicitly assign |
| | # a list to @decoders in amavisd.conf and directly specify program paths, |
| | # without indirections through legacy variables $gzip, etc. |
| | # |
| | # $gzip = $bzip2 = $lzop = $rpm2cpio = undef; |
| | # $uncompress = $unfreeze = $arc = $unarj = $unrar = undef; |
| | # $zoo = $lha = $pax = $cpio = $cabextract = undef; |
| | |
| | @decoders = ( |
| | ['mail', \&do_mime_decode], |
| | [[qw(asc uue hqx ync)], \&do_ascii], # not safe |
| | ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ], |
| | ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ], |
| | ['gz', \&do_uncompress, 'gzip -d'], |
| | ['gz', \&do_gunzip], |
| | ['bz2', \&do_uncompress, 'bzip2 -d'], |
| | ['xz', \&do_uncompress, |
| | ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], |
| | ['lzma', \&do_uncompress, |
| | ['lzmadec', 'xz -dc --format=lzma', |
| | 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], |
| | ['lrz', \&do_uncompress, |
| | ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], |
| | ['lzo', \&do_uncompress, 'lzop -d'], |
| | ['lz4', \&do_uncompress, ['lz4c -d'] ], |
| | ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ], |
| | [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ], |
| | # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio'] |
| | ['deb', \&do_ar, 'ar'], |
| | # ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill |
| | # Tachtler |
| | # default: ['rar', \&do_unrar, ['unrar', 'rar'] ], |
| | ['rar', \&do_unrar, ['7za', '7z'] ], |
| | ['arj', \&do_unarj, ['unarj', 'arj'] ], |
| | ['arc', \&do_arc, ['nomarch', 'arc'] ], |
| | ['zoo', \&do_zoo, ['zoo', 'unzoo'] ], |
| | # ['doc', \&do_ole, 'ripole'], # no ripole package so far |
| | ['cab', \&do_cabextract, 'cabextract'], |
| | # ['tnef', \&do_tnef_ext, 'tnef'], # use internal do_tnef() instead |
| | ['tnef', \&do_tnef], |
| | # Tachtler |
| | # default: # ['lha', \&do_lha, 'lha'], # not safe, use 7z instead |
| | ['lha', \&do_lha, ['7za', '7z'] ], # not safe, use 7z instead |
| | # ['sit', \&do_unstuff, 'unstuff'], # not safe |
| | [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], |
| | [['zip','kmz'], \&do_unzip], |
| | ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], |
| | [[qw(gz bz2 Z tar)], |
| | \&do_7zip, ['7za', '7z'] ], |
| | [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], |
| | \&do_7zip, '7z' ], |
| | # Tachtler |
| | # default: ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ], |
| | ['exe', \&do_executable, ['7za','7z'], 'lha', ['unarj','arj'] ], |
| | ); |
| | |
| | |
| | ## ANTI-VIRUS AND INVALID/FORBIDDEN CONTENTS CONTROLS |
| | |
| | @av_scanners = ( |
| | ### http://www.clamav.net/ |
| | ['ClamAV-clamd', |
| | \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"], |
| | qr/\bOK$/m, qr/\bFOUND$/m, |
| | qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], |
| | # NOTE: run clamd under the same user as amavisd - or run it under its own |
| | # uid such as clamav, add user clamav to the amavis group, and then add |
| | # AllowSupplementaryGroups to clamd.conf; |
| | # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in |
| | # this entry; when running chrooted one may prefer a socket under $MYHOME. |
| | ); |
| | @av_scanners_backup = ( |
| | ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV |
| | ['ClamAV-clamscan', 'clamscan', |
| | "--stdout --no-summary -r --tempdir=$TEMPBASE {}", |
| | [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], |
| | ); |
| | |
| | # $first_infected_stops_scan = undef; |
| | # $virus_scanners_failure_is_fatal = undef; |
| | |
| | # $viruses_that_fake_sender_re = undef; |
| | # @viruses_that_fake_sender_maps = (\$viruses_that_fake_sender_re, 1); |
| | # @virus_name_to_policy_bank_maps = (); |
| | # |
| | # @virus_name_to_spam_score_maps = |
| | # (new_RE( # the order matters, first match wins |
| | # [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ], |
| | # [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ], |
| | # [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ], |
| | # [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected |
| | # [ qr'^Sanesecurity\.Foxhole\.' => undef ],# keep as infected |
| | # [ qr'^Sanesecurity\.' => 0.1 ], |
| | # [ qr'^Sanesecurity_PhishBar_' => 0 ], |
| | # [ qr'^Sanesecurity.TestSig_' => 0 ], |
| | # [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ], |
| | # [ qr'^Email\.Spammail\b' => 0.1 ], |
| | # [ qr'^MSRBL-(Images|SPAM)\b' => 0.1 ], |
| | # [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ], |
| | # [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ], |
| | # [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ], |
| | # [ qr'^Safebrowsing\.' => 0.1 ], |
| | # [ qr'^winnow\.(phish|spam)\.' => 0.1 ], |
| | # [ qr'^INetMsg\.SpamDomain' => 0.1 ], |
| | # [ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 0.1 ], |
| | # [ qr'^Bofhland\.Phishing' => 0.1 ], |
| | # [ qr'^ScamNailer\.' => 0.1 ], |
| | # [ qr'^HTML/Bankish' => 0.1 ], # F-Prot |
| | # [ qr'^PORCUPINE_JUNK' => 0.1 ], |
| | # [ qr'^PORCUPINE_PHISHING' => 0.1 ], |
| | # [ qr'^Porcupine\.Junk' => 0.1 ], |
| | # [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected |
| | # [ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ], # false positives |
| | # [ qr'^MBL_' => undef ], # keep as infected |
| | # )); |
| | |
| | # @banned_filename_maps = ( 'DEFAULT' ); |
| | # %banned_rules = ( 'DEFAULT' => $banned_filename_re); # after-default |
| | |
| | $banned_filename_re = new_RE( |
| | |
| | ### BLOCKED ANYWHERE |
| | # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components |
| | # qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary |
| | qr'^\.(exe|lha|cab|dll)$', # banned file(1) types |
| | |
| | ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: |
| | [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 |
| | [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives |
| | |
| | qr'.\.(pif|scr)$'i, # banned extensions - rudimentary |
| | # qr'^\.zip$', # block zip type |
| | |
| | ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: |
| | # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives |
| | |
| | qr'^application/x-msdownload$'i, # block these MIME types |
| | qr'^application/x-msdos-program$'i, |
| | qr'^application/hta$'i, |
| | |
| | # qr'^message/partial$'i, # rfc2046 MIME type |
| | # qr'^message/external-body$'i, # rfc2046 MIME type |
| | |
| | # qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type |
| | # qr'^\.wmf$', # Windows Metafile file(1) type |
| | |
| | # block certain double extensions in filenames |
| | qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, |
| | |
| | # qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict |
| | # qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose |
| | |
| | # qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic |
| | # qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd |
| | qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| |
| | inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| |
| | msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd| |
| | wmf|wsc|wsf|wsh)$'ix, # banned extensions - long |
| | qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also |
| | qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename |
| | qr'^\.ani$', # banned animated cursor file(1) type |
| | qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. |
| | |
| | # Tachtler - Word |
| | # qr'.\.(doc|docx)$'i, # block word files |
| | # qr'^application/vnd.ms-word$'i, # block word MIME types |
| | # Tachtler - Excel |
| | # qr'.\.(xls|xlsx)$'i, # block excel files |
| | # qr'^application/vnd.ms-excel$'i, # block excel MIME types |
| | # Tachtler - PowerPoint |
| | # qr'.\.(ppt|pptx)$'i, # block powerpoint files |
| | # qr'^application/vnd.ms-powerpoint$'i, # block powerpoint MIME types |
| | ); |
| | # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 |
| | # and http://www.cknow.com/vtutor/vtextensions.htm |
| | |
| | # $banned_namepath_re = undef; # regexp-style |
| | |
| | # @bypass_virus_checks_maps = (\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); |
| | # @bypass_banned_checks_maps = (\%bypass_banned_checks, \@bypass_banned_checks_acl, \$bypass_banned_checks_re); |
| | # @bypass_header_checks_maps = (\%bypass_header_checks, \@bypass_header_checks_acl, \$bypass_header_checks_re); |
| | |
| | # @virus_lovers_maps = (\%virus_lovers, \@virus_lovers_acl, \$virus_lovers_re); |
| | # @banned_files_lovers_maps = (\%banned_files_lovers, \@banned_files_lovers_acl, \$banned_files_lovers_re); |
| | # @bad_header_lovers_maps = (\%bad_header_lovers, \@bad_header_lovers_acl, \$bad_header_lovers_re); |
| | # @unchecked_lovers_maps = (); |
| | |
| | # Tachtler - new - |
| | # $allowed_header_tests{$_} = 1 for qw(other mime 8bit control empty long |
| | # syntax missing multiple); |
| | $allowed_header_tests{'8bit'} = 0; |
| | |
| | |
| | ## ANTI-Spam CONTROLS |
| | |
| | $ENV{TMPDIR} = $TEMPBASE; # Umgebungsvariable temporaeres Verzeichnis fuer SpamAssassin. |
| | |
| | # @spam_scanners = ( ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'] ); |
| | |
| | # $helpers_home = $MYHOME; # after-default |
| | # $sa_configpath = undef; |
| | # $sa_siteconfigpath = undef; |
| | # $sa_num_instances = 1; |
| | # @sa_userconf_maps = (); |
| | # @sa_username_maps = (); |
| | |
| | $sa_mail_body_size_limit = 400*1024; # SpamAssassin einbinden, NUR bei e-Mail Groesse, bei <= Wert. |
| | $sa_local_tests_only = 0; # NUR Test ausfuehren, die OHNE Internetverbinden auskommen deaktivieren. |
| | # $sa_spawned = 0; |
| | # $dspam = undef; |
| | |
| | # $sa_timeout = 30; |
| | |
| | # @bypass_spam_checks_maps = (\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); |
| | # @spam_lovers_maps = (\%spam_lovers, \@spam_lovers_acl, \$spam_lovers_re); |
| | |
| | $sa_tag_level_deflt = '-1000.0'; # Hinzufuegen von SPAM-Header Informationen, bei >= Wert. |
| | $sa_tag2_level_deflt = 6.31; # Hinzufuegen von SPAM-Erkannt Informationen, bei >= Wert. |
| | # $sa_tag3_level_deflt = undef; |
| | $sa_kill_level_deflt = 6.31; # Aktion ausloesen bei SPAM-Nachrichten, bei >= Wert. |
| | $sa_dsn_cutoff_level = 10; # SPAM-Level, ab dem keine DSN-Benachrichtigung gesendet wird. |
| | $sa_crediblefrom_dsn_cutoff_level = 18; # SPAM-Level, ab dem keine DNS-From-Benachrichtigung gesendet wird. |
| | # $sa_quarantine_cutoff_level = 25; # SPAM-Level, ab dem keine Quarantaene Enlieferung erfolgt. |
| | |
| | # @spam_tag_level_maps = (\$sa_tag_level_deflt); |
| | # @spam_tag2_level_maps = (\$sa_tag2_level_deflt); |
| | # @spam_tag3_level_maps = (\$sa_tag3_level_deflt); |
| | # @spam_kill_level_maps = (\$sa_kill_level_deflt); |
| | # @spam_quarantine_cutoff_level_maps = (\$sa_quarantine_cutoff_level); |
| | # @spam_notifyadmin_cutoff_level_maps = (); |
| | # @spam_dsn_cutoff_level_maps = (\$sa_dsn_cutoff_level); |
| | # @spam_dsn_cutoff_level_bysender_maps = (\$sa_dsn_cutoff_level); |
| | # @spam_crediblefrom_dsn_cutoff_level_maps = |
| | # (\$sa_crediblefrom_dsn_cutoff_level); |
| | # @spam_crediblefrom_dsn_cutoff_level_bysender_maps = |
| | # (\$sa_crediblefrom_dsn_cutoff_level); |
| | |
| | $bounce_killer_score = 100; # SPAM-Punkte, fuer "joe-job" Rufschaedigung BOUNCE gelten, bei >= Wert. |
| | |
| | $penpals_bonus_score = 8; # NUR bei Einsatz von @storage_sql_dsn Datenbanken. |
| | # $penpals_halflife = 7*24*60*60; |
| | # $penpals_threshold_low = 1.0; |
| | $penpals_threshold_high = $sa_kill_level_deflt; # SPAM mit hohen Widererkennungswert, Punkte-Ueberschreitung, bei >= Wert. |
| | |
| | # $reputation_factor = 0.2; |
| | |
| | |
| | # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING |
| | |
| | @score_sender_maps = ({ # a by-recipient hash lookup table, |
| | # results from all matching recipient tables are summed |
| | |
| | # ## per-recipient personal tables (NOTE: positive: black, negative: white) |
| | # 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], |
| | # 'user3@example.com' => [{'.ebay.com' => -3.0}], |
| | # 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, |
| | # '.cleargreen.com' => -5.0}], |
| | |
| | ## site-wide opinions about senders (the '.' matches any recipient) |
| | '.' => [ # the _first_ matching sender determines the score boost |
| | |
| | new_RE( # regexp-type lookup table, just happens to be all soft-blacklist |
| | [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], |
| | [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], |
| | [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], |
| | [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], |
| | [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], |
| | [qr'^(your_friend|greatoffers)@'i => 5.0], |
| | [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], |
| | ), |
| | |
| | # read_hash("/var/amavis/sender_scores_sitewide"), |
| | |
| | { # a hash-type lookup table (associative array) |
| | 'nobody@cert.org' => -3.0, |
| | 'cert-advisory@us-cert.gov' => -3.0, |
| | 'owner-alert@iss.net' => -3.0, |
| | 'slashdot@slashdot.org' => -3.0, |
| | 'securityfocus.com' => -3.0, |
| | 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, |
| | 'security-alerts@linuxsecurity.com' => -3.0, |
| | 'mailman-announce-admin@python.org' => -3.0, |
| | 'amavis-user-admin@lists.sourceforge.net'=> -3.0, |
| | 'amavis-user-bounces@lists.sourceforge.net' => -3.0, |
| | 'spamassassin.apache.org' => -3.0, |
| | 'notification-return@lists.sophos.com' => -3.0, |
| | 'owner-postfix-users@postfix.org' => -3.0, |
| | 'owner-postfix-announce@postfix.org' => -3.0, |
| | 'owner-sendmail-announce@lists.sendmail.org' => -3.0, |
| | 'sendmail-announce-request@lists.sendmail.org' => -3.0, |
| | 'donotreply@sendmail.org' => -3.0, |
| | 'ca+envelope@sendmail.org' => -3.0, |
| | 'noreply@freshmeat.net' => -3.0, |
| | 'owner-technews@postel.acm.org' => -3.0, |
| | 'ietf-123-owner@loki.ietf.org' => -3.0, |
| | 'cvs-commits-list-admin@gnome.org' => -3.0, |
| | 'rt-users-admin@lists.fsck.com' => -3.0, |
| | 'clp-request@comp.nus.edu.sg' => -3.0, |
| | 'surveys-errors@lists.nua.ie' => -3.0, |
| | 'emailnews@genomeweb.com' => -5.0, |
| | 'yahoo-dev-null@yahoo-inc.com' => -3.0, |
| | 'returns.groups.yahoo.com' => -3.0, |
| | 'clusternews@linuxnetworx.com' => -3.0, |
| | lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, |
| | lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, |
| | |
| | # soft-blacklisting (positive score) |
| | 'sender@example.net' => 3.0, |
| | '.example.net' => 1.0, |
| | |
| | }, |
| | ], # end of site-wide tables |
| | }); |
| | |
| | |
| | # @signer_reputation_maps = (); |
| | |
| | # @blacklist_sender_maps = (\%blacklist_sender, \@blacklist_sender_acl, \$blacklist_sender_re); |
| | # @whitelist_sender_maps = (\%whitelist_sender, \@whitelist_sender_acl, \$whitelist_sender_re); |
| | |
| | # $per_recip_blacklist_sender_lookup_tables = undef; |
| | # $per_recip_whitelist_sender_lookup_tables = undef; # deprecated |
| | |
| | # $os_fingerprint_method = undef; |
| | # $os_fingerprint_dst_ip_and_port = undef; |
| | |
| | |
| | ## SQL, LDAP, Redis |
| | |
| | # $database_sessions_persistent = 1; |
| | # $trim_trailing_space_in_lookup_result_fields = 0; |
| | # $lookup_maps_imply_sql_and_ldap = 1; |
| | |
| | # @storage_redis_dsn = (); # Redis server(s) for pen pals, IP reput, JSON log |
| | # $storage_redis_ttl = 16*24*60*60; |
| | # $enable_ip_repu = 1; |
| | # @ip_repu_ignore_networks = (); |
| | # @ip_repu_ignore_maps = (\@ip_repu_ignore_networks); |
| | # $redis_logging_key = undef; |
| | # $redis_logging_queue_size_limit = undef; |
| | |
| | # @lookup_sql_dsn = (); # SQL data source name for lookups, or empty |
| | # @storage_sql_dsn = (); # SQL data source name for log/quarantine, or empty |
| | |
| | # $sql_store_info_for_all_msgs = 1; |
| | # $sql_schema_version = $myversion_id_numeric; |
| | # $timestamp_fmt_mysql = undef; |
| | # $sql_partition_tag = undef; |
| | # $sql_allow_8bit_address = 0; # VARCHAR (0), VARBINARY/BYTEA (1) |
| | # $sql_lookups_no_at_means_domain = 0; |
| | # $sql_quarantine_chunksize_max = 16384; |
| | |
| | # $sql_select_policy = |
| | # 'SELECT *,users.id'. |
| | # ' FROM users LEFT JOIN policy ON users.policy_id=policy.id'. |
| | # ' WHERE users.email IN (%k) ORDER BY users.priority DESC'; |
| | |
| | # $sql_select_white_black_list = |
| | # 'SELECT wb'. |
| | # ' FROM wblist JOIN mailaddr ON wblist.sid=mailaddr.id'. |
| | # ' WHERE wblist.rid=? AND mailaddr.email IN (%k)'. |
| | # ' ORDER BY mailaddr.priority DESC'; |
| | |
| | # %sql_clause = ( |
| | # 'sel_policy' => \$sql_select_policy, |
| | # 'sel_wblist' => \$sql_select_white_black_list, |
| | # 'sel_adr' => |
| | # 'SELECT id FROM maddr WHERE partition_tag=? AND email=?', |
| | # 'ins_adr' => |
| | # 'INSERT INTO maddr (partition_tag, email, domain) VALUES (?,?,?)', |
| | # 'ins_msg' => |
| | # 'INSERT INTO msgs (partition_tag, mail_id, secret_id, am_id,'. |
| | # ' time_num, time_iso, sid, policy, client_addr, size, host)'. |
| | # ' VALUES (?,?,?,?,?,?,?,?,?,?,?)', |
| | # 'upd_msg' => |
| | # 'UPDATE msgs SET content=?, quar_type=?, quar_loc=?, dsn_sent=?,'. |
| | # ' spam_level=?, message_id=?, from_addr=?, subject=?, client_addr=?,'. |
| | # ' originating=?'. |
| | # ' WHERE partition_tag=? AND mail_id=?', |
| | # 'ins_rcp' => |
| | # 'INSERT INTO msgrcpt (partition_tag, mail_id, rseqnum, rid, is_local,'. |
| | # ' content, ds, rs, bl, wl, bspam_level, smtp_resp)'. |
| | # ' VALUES (?,?,?,?,?,?,?,?,?,?,?,?)', |
| | # 'ins_quar' => |
| | # 'INSERT INTO quarantine (partition_tag, mail_id, chunk_ind, mail_text)'. |
| | # ' VALUES (?,?,?,?)', |
| | # 'sel_msg' => # obtains partition_tag if missing in a release request |
| | # 'SELECT partition_tag FROM msgs WHERE mail_id=?', |
| | # 'sel_quar' => |
| | # 'SELECT mail_text FROM quarantine'. |
| | # ' WHERE partition_tag=? AND mail_id=?'. |
| | # ' ORDER BY chunk_ind', |
| | # 'sel_penpals' => # no message-id references list |
| | # "SELECT msgs.time_num, msgs.mail_id, subject". |
| | # " FROM msgs JOIN msgrcpt USING (partition_tag,mail_id)". |
| | # " WHERE sid=? AND rid=? AND msgs.content!='V' AND ds='P'". |
| | # " ORDER BY msgs.time_num DESC", # LIMIT 1 |
| | # 'sel_penpals_msgid' => # with a nonempty list of message-id references |
| | # "SELECT msgs.time_num, msgs.mail_id, subject, message_id, rid". |
| | # " FROM msgs JOIN msgrcpt USING (partition_tag,mail_id)". |
| | # " WHERE sid=? AND msgs.content!='V' AND ds='P' AND message_id IN (%m)". |
| | # " AND rid!=sid". |
| | # " ORDER BY rid=? DESC, msgs.time_num DESC", # LIMIT 1 |
| | # ); |
| | |
| | ## LDAP, Please see file README.lookups for more info. |
| | |
| | # $enable_ldap = 0; |
| | # $ldap_lookups_no_at_means_domain = 0; |
| | # |
| | # $default_ldap = { |
| | # hostname => 'localhost', |
| | # localaddr => undef, |
| | # port => undef, # 389 or 636, default provided by Net::LDAP |
| | # scheme => undef, # 'ldaps' or 'ldap', depending on hostname |
| | # inet6 => $have_inet6 ? 1 : 0, |
| | # version => 3, |
| | # timeout => 120, |
| | # deref => 'find', |
| | # bind_dn => undef, |
| | # bind_password => undef, |
| | # tls => 0, |
| | # verify => 'none', |
| | # sslversion => 'tlsv1', |
| | # clientcert => undef, |
| | # clientkey => undef, |
| | # cafile => undef, |
| | # capath => undef, |
| | # sasl => 0, |
| | # sasl_mech => undef, # space-separated list of mech names |
| | # sasl_auth_id => undef, |
| | # }; |
| | |
| | |
| | ## hierarchy by which a final setting is chosen: |
| | ## policy bank (based on port or IP address) -> *_by_ccat |
| | ## *_by_ccat (based on mail contents) -> *_maps |
| | ## *_maps (based on recipient address) -> final configuration value |
| | |
| | |
| | ## MAPPING A CONTENTS CATEGORY TO A SETTING CHOSEN |
| | |
| | # %final_destiny_maps_by_ccat = ( |
| | # # value is normally a list of by-recipient lookup tables, but for compa- |
| | # # tibility with old %final_destiny_by_ccat a value may also be a scalar |
| | # CC_VIRUS, sub { c('final_virus_destiny') }, |
| | # CC_BANNED, sub { c('final_banned_destiny') }, |
| | # CC_UNCHECKED, sub { c('final_unchecked_destiny') }, |
| | # CC_SPAM, sub { c('final_spam_destiny') }, |
| | # CC_BADH, sub { c('final_bad_header_destiny') }, |
| | # CC_MTA.',1', D_TEMPFAIL, # MTA response was 4xx |
| | # CC_MTA.',2', D_REJECT, # MTA response was 5xx |
| | # CC_MTA, D_TEMPFAIL, |
| | # CC_OVERSIZED, D_BOUNCE, |
| | # CC_CATCHALL, D_PASS, |
| | # ); |
| | # %forward_method_maps_by_ccat = ( |
| | # CC_CATCHALL, sub { ca('forward_method_maps') }, |
| | # ); |
| | # %smtp_reason_by_ccat = ( |
| | # # currently only used for blocked messages only, status 5xx |
| | # # a multiline message will produce a valid multiline SMTP response |
| | # CC_VIRUS, 'id=%n - INFECTED: %V', |
| | # CC_BANNED, 'id=%n - BANNED: %F', |
| | # CC_UNCHECKED.',1', 'id=%n - UNCHECKED: encrypted', |
| | # CC_UNCHECKED.',2', 'id=%n - UNCHECKED: over limits', |
| | # CC_UNCHECKED, 'id=%n - UNCHECKED', |
| | # CC_SPAM, 'id=%n - spam', |
| | # CC_SPAMMY.',1', 'id=%n - spammy (tag3)', |
| | # CC_SPAMMY, 'id=%n - spammy', |
| | # CC_BADH.',1', 'id=%n - BAD HEADER: MIME error', |
| | # CC_BADH.',2', 'id=%n - BAD HEADER: nonencoded 8-bit character', |
| | # CC_BADH.',3', 'id=%n - BAD HEADER: contains invalid control character', |
| | # CC_BADH.',4', 'id=%n - BAD HEADER: line made up entirely of whitespace', |
| | # CC_BADH.',5', 'id=%n - BAD HEADER: line longer than RFC 5322 limit', |
| | # CC_BADH.',6', 'id=%n - BAD HEADER: syntax error', |
| | # CC_BADH.',7', 'id=%n - BAD HEADER: missing required header field', |
| | # CC_BADH.',8', 'id=%n - BAD HEADER: duplicate header field', |
| | # CC_BADH, 'id=%n - BAD HEADER', |
| | # CC_OVERSIZED, 'id=%n - Message size exceeds recipient\'s size limit', |
| | # CC_MTA.',1', 'id=%n - Temporary MTA failure on relaying', |
| | # CC_MTA.',2', 'id=%n - Rejected by next-hop MTA on relaying', |
| | # CC_MTA, 'id=%n - Unable to relay message back to MTA', |
| | # CC_CLEAN, 'id=%n - CLEAN', |
| | # CC_CATCHALL, 'id=%n - OTHER', # should not happen |
| | # ); |
| | # %lovers_maps_by_ccat = ( |
| | # CC_VIRUS, sub { ca('virus_lovers_maps') }, |
| | # CC_BANNED, sub { ca('banned_files_lovers_maps') }, |
| | # CC_UNCHECKED, sub { ca('unchecked_lovers_maps') }, |
| | # CC_SPAM, sub { ca('spam_lovers_maps') }, |
| | # CC_SPAMMY, sub { ca('spam_lovers_maps') }, |
| | # CC_BADH, sub { ca('bad_header_lovers_maps') }, |
| | # ); |
| | # %defang_maps_by_ccat = ( |
| | # # compatible with legacy %defang_by_ccat: value may be a scalar |
| | # CC_VIRUS, sub { c('defang_virus') }, |
| | # CC_BANNED, sub { c('defang_banned') }, |
| | # CC_UNCHECKED, sub { c('defang_undecipherable') }, |
| | # CC_SPAM, sub { c('defang_spam') }, |
| | # CC_SPAMMY, sub { c('defang_spam') }, |
| | # # CC_BADH.',3', 1, # NUL or CR character in header section |
| | # # CC_BADH.',5', 1, # header line longer than 998 characters |
| | # # CC_BADH.',6', 1, # header field syntax error |
| | # CC_BADH, sub { c('defang_bad_header') }, |
| | # ); |
| | # %subject_tag_maps_by_ccat = ( |
| | # CC_VIRUS, [ '***INFECTED*** ' ], |
| | # CC_BANNED, undef, |
| | # CC_UNCHECKED, sub { [ c('undecipherable_subject_tag') ] }, # not by-recip |
| | # CC_SPAM, undef, |
| | # CC_SPAMMY.',1', sub { ca('spam_subject_tag3_maps') }, |
| | # CC_SPAMMY, sub { ca('spam_subject_tag2_maps') }, |
| | # CC_CLEAN.',1', sub { ca('spam_subject_tag_maps') }, |
| | # ); |
| | # %quarantine_method_by_ccat = ( |
| | # CC_VIRUS, sub { c('virus_quarantine_method') }, |
| | # CC_BANNED, sub { c('banned_files_quarantine_method') }, |
| | # CC_UNCHECKED, sub { c('unchecked_quarantine_method') }, |
| | # CC_SPAM, sub { c('spam_quarantine_method') }, |
| | # CC_BADH, sub { c('bad_header_quarantine_method') }, |
| | # CC_CLEAN, sub { c('clean_quarantine_method') }, |
| | # ); |
| | # %quarantine_to_maps_by_ccat = ( |
| | # CC_VIRUS, sub { ca('virus_quarantine_to_maps') }, |
| | # CC_BANNED, sub { ca('banned_quarantine_to_maps') }, |
| | # CC_UNCHECKED, sub { ca('unchecked_quarantine_to_maps') }, |
| | # CC_SPAM, sub { ca('spam_quarantine_to_maps') }, |
| | # CC_BADH, sub { ca('bad_header_quarantine_to_maps') }, |
| | # CC_CLEAN, sub { ca('clean_quarantine_to_maps') }, |
| | # ); |
| | # Tachtler - new - |
| | # Disable notifications about ***UNCHECKED*** messages. |
| | %admin_maps_by_ccat = ( |
| | CC_VIRUS, sub { ca('virus_admin_maps') }, |
| | CC_BANNED, sub { ca('banned_admin_maps') }, |
| | # CC_UNCHECKED, sub { ca('virus_admin_maps') }, |
| | CC_SPAM, sub { ca('spam_admin_maps') }, |
| | CC_BADH, sub { ca('bad_header_admin_maps') }, |
| | ); |
| | # %always_bcc_by_ccat = ( |
| | # CC_CATCHALL, sub { c('always_bcc') }, |
| | # ); |
| | # %dsn_bcc_by_ccat = ( |
| | # CC_CATCHALL, sub { c('dsn_bcc') }, |
| | # ); |
| | # %mailfrom_notify_admin_by_ccat = ( |
| | # CC_SPAM, sub { c('mailfrom_notify_spamadmin') }, |
| | # CC_CATCHALL, sub { c('mailfrom_notify_admin') }, |
| | # ); |
| | # %hdrfrom_notify_admin_by_ccat = ( |
| | # CC_SPAM, sub { c('hdrfrom_notify_spamadmin') }, |
| | # CC_CATCHALL, sub { c('hdrfrom_notify_admin') }, |
| | # ); |
| | # %mailfrom_notify_recip_by_ccat = ( |
| | # CC_CATCHALL, sub { c('mailfrom_notify_recip') }, |
| | # ); |
| | # %hdrfrom_notify_recip_by_ccat = ( |
| | # CC_CATCHALL, sub { c('hdrfrom_notify_recip') }, |
| | # ); |
| | # %hdrfrom_notify_sender_by_ccat = ( |
| | # CC_CATCHALL, sub { c('hdrfrom_notify_sender') }, |
| | # ); |
| | # %hdrfrom_notify_release_by_ccat = ( |
| | # CC_CATCHALL, sub { c('hdrfrom_notify_release') }, |
| | # ); |
| | # %hdrfrom_notify_report_by_ccat = ( |
| | # CC_CATCHALL, sub { c('hdrfrom_notify_report') }, |
| | # ); |
| | # %notify_admin_templ_by_ccat = ( |
| | # CC_SPAM, sub { cr('notify_spam_admin_templ') }, |
| | # CC_CATCHALL, sub { cr('notify_virus_admin_templ') }, |
| | # ); |
| | # %notify_recips_templ_by_ccat = ( |
| | # CC_SPAM, sub { cr('notify_spam_recips_templ') }, #usually empty |
| | # CC_CATCHALL, sub { cr('notify_virus_recips_templ') }, |
| | # ); |
| | # %notify_sender_templ_by_ccat = ( # bounce templates |
| | # CC_VIRUS, sub { cr('notify_virus_sender_templ') }, |
| | # CC_BANNED, sub { cr('notify_virus_sender_templ') }, #historical reason |
| | # CC_SPAM, sub { cr('notify_spam_sender_templ') }, |
| | # CC_CATCHALL, sub { cr('notify_sender_templ') }, |
| | # ); |
| | # %notify_release_templ_by_ccat = ( |
| | # CC_CATCHALL, sub { cr('notify_release_templ') }, |
| | # ); |
| | # %notify_report_templ_by_ccat = ( |
| | # CC_CATCHALL, sub { cr('notify_report_templ') }, |
| | # ); |
| | # %notify_autoresp_templ_by_ccat = ( |
| | # CC_CATCHALL, sub { cr('notify_autoresp_templ') }, |
| | # ); |
| | # %warnsender_by_ccat = ( # deprecated use, except perhaps for CC_BADH |
| | # CC_VIRUS, undef, |
| | # CC_BANNED, sub { c('warnbannedsender') }, |
| | # CC_SPAM, undef, |
| | # CC_BADH, sub { c('warnbadhsender') }, |
| | # ); |
| | # %warnrecip_maps_by_ccat = ( |
| | # CC_VIRUS, sub { ca('warnvirusrecip_maps') }, |
| | # CC_BANNED, sub { ca('warnbannedrecip_maps') }, |
| | # CC_SPAM, undef, |
| | # CC_BADH, sub { ca('warnbadhrecip_maps') }, |
| | # ); |
| | # %addr_extension_maps_by_ccat = ( |
| | # CC_VIRUS, sub { ca('addr_extension_virus_maps') }, |
| | # CC_BANNED, sub { ca('addr_extension_banned_maps') }, |
| | # CC_SPAM, sub { ca('addr_extension_spam_maps') }, |
| | # CC_SPAMMY, sub { ca('addr_extension_spam_maps') }, |
| | # CC_BADH, sub { ca('addr_extension_bad_header_maps') }, |
| | # # CC_OVERSIZED, 'oversized'; |
| | # ); |
| | # %addr_rewrite_maps_by_ccat = ( ); |
| | |
| | |
| | ## POLICY BANKS |
| | |
| | $interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname |
| | $interface_policy{'10026'} = 'ORIGINATING'; |
| | |
| | # %interface_policy = (); # maps input interface/port to policy bank name |
| | |
| | $policy_bank{'AM.PDP-SOCK'} = { |
| | protocol => 'AM.PDP', |
| | auth_required_release => 0, # do not require secret_id for amavisd-release |
| | }; |
| | |
| | $policy_bank{'MYNETS'} = { # mail originating from @mynetworks |
| | originating => 1, # is true in MYNETS by default, but let's make it explicit |
| | allow_disclaimers => 1, # enables disclaimer insertion if available |
| | os_fingerprint_method => undef, # don't query p0f for internal clients |
| | }; |
| | |
| | $policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users |
| | originating => 1, # declare that mail was submitted by our smtp client |
| | allow_disclaimers => 1, # enables disclaimer insertion if available |
| | # notify administrator of locally originating malware |
| | virus_admin_maps => ["virusalert\@$mydomain"], |
| | spam_admin_maps => ["mailfilter\@$mydomain"], |
| | warnbadhsender => 1, |
| | # forward to a smtpd service back to postfix |
| | forward_method => 'smtp:[192.168.0.60]:10027', |
| | # notify to a smtpd service back to postfix |
| | notify_method => 'smtp:[192.168.0.60]:10027', |
| | # force MTA conversion to 7-bit (e.g. before DKIM signing) |
| | smtpd_discard_ehlo_keywords => ['8BITMIME'], |
| | terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option |
| | }; |
| | |
| | # $policy_bank{''} = { ...predefined... }; |
| | |
| | ## the built-in policy bank (empty name) is predefined, and includes |
| | ## references to most other variables listed above (the dynamic config |
| | ## variables), which are accessed only indirectly through the currently |
| | ## installed policy bank. Overlaying a policy bank with another policy |
| | ## bank may bring-in references to entirely different variables, |
| | ## possibly unnamed. Here is a list of configuration variables |
| | ## referenced from the built-in policy bank by keys of the same name |
| | ## (e.g. { log_level => \$log_level, inet_acl => \@inet_acl, ...} ) |
| | ## |
| | ## $child_timeout $smtpd_timeout |
| | ## $policy_bank_name $protocol @inet_acl |
| | ## $myhostname $myauthservid $snmp_contact $snmp_location |
| | ## $myprogram_name $syslog_ident $syslog_facility |
| | ## $log_level $log_templ $log_recip_templ $enable_log_capture_dump |
| | ## $forward_method $notify_method $resend_method $report_format |
| | ## $release_method $requeue_method $release_format |
| | ## $attachment_password $attachment_email_name $attachment_outer_name |
| | ## $os_fingerprint_method $os_fingerprint_dst_ip_and_port |
| | ## $originating @smtpd_discard_ehlo_keywords $soft_bounce |
| | ## $propagate_dsn_if_possible $terminate_dsn_on_notify_success |
| | ## $amavis_auth_user $amavis_auth_pass $auth_reauthenticate_forwarded |
| | ## $auth_required_out $auth_required_inp $auth_required_release |
| | ## @auth_mech_avail $tls_security_level_in $tls_security_level_out |
| | ## $local_client_bind_address $smtpd_message_size_limit |
| | ## $localhost_name $smtpd_greeting_banner $smtpd_quit_banner |
| | ## $mailfrom_to_quarantine $warn_offsite $bypass_decode_parts @decoders |
| | ## @av_scanners @av_scanners_backup @spam_scanners |
| | ## $first_infected_stops_scan $virus_scanners_failure_is_fatal |
| | ## $sa_spam_level_char $sa_mail_body_size_limit |
| | ## $penpals_bonus_score $penpals_halflife $bounce_killer_score |
| | ## $reputation_factor |
| | ## $undecipherable_subject_tag $localpart_is_case_sensitive |
| | ## $recipient_delimiter $replace_existing_extension |
| | ## $hdr_encoding $bdy_encoding $hdr_encoding_qb |
| | ## $allow_disclaimers $outbound_disclaimers_only |
| | ## $prepend_header_fields_hdridx |
| | ## $allow_fixing_improper_header |
| | ## $allow_fixing_improper_header_folding $allow_fixing_long_header_lines |
| | ## %allowed_added_header_fields %prefer_our_added_header_fields |
| | ## %allowed_header_tests |
| | ## $X_HEADER_TAG $X_HEADER_LINE |
| | ## $remove_existing_x_scanned_headers $remove_existing_spam_headers |
| | ## %sql_clause $partition_tag |
| | ## %local_delivery_aliases $banned_namepath_re |
| | ## $per_recip_whitelist_sender_lookup_tables |
| | ## $per_recip_blacklist_sender_lookup_tables |
| | ## @anomy_sanitizer_args @altermime_args_defang |
| | ## @altermime_args_disclaimer @disclaimer_options_bysender_maps |
| | ## %signed_header_fields @dkim_signature_options_bysender_maps |
| | ## $enable_dkim_verification $enable_dkim_signing $dkim_signing_service |
| | ## $dkim_minimum_key_bits $enable_ldap $enable_ip_repu $redis_logging_key |
| | ## |
| | ## @local_domains_maps |
| | ## @mynetworks_maps @client_ipaddr_policy @ip_repu_ignore_maps |
| | ## @forward_method_maps @newvirus_admin_maps @banned_filename_maps |
| | ## @spam_quarantine_bysender_to_maps |
| | ## @spam_tag_level_maps @spam_tag2_level_maps @spam_tag3_level_maps |
| | ## @spam_kill_level_maps |
| | ## @spam_subject_tag_maps @spam_subject_tag2_maps @spam_subject_tag3_maps |
| | ## @spam_dsn_cutoff_level_maps @spam_dsn_cutoff_level_bysender_maps |
| | ## @spam_crediblefrom_dsn_cutoff_level_maps |
| | ## @spam_crediblefrom_dsn_cutoff_level_bysender_maps |
| | ## @spam_quarantine_cutoff_level_maps @spam_notifyadmin_cutoff_level_maps |
| | ## @whitelist_sender_maps @blacklist_sender_maps @score_sender_maps |
| | ## @author_to_policy_bank_maps @signer_reputation_maps |
| | ## @message_size_limit_maps @debug_sender_maps @debug_recipient_maps |
| | ## @bypass_virus_checks_maps @bypass_spam_checks_maps |
| | ## @bypass_banned_checks_maps @bypass_header_checks_maps |
| | ## @viruses_that_fake_sender_maps |
| | ## @virus_name_to_spam_score_maps @virus_name_to_policy_bank_maps |
| | ## @remove_existing_spam_headers_maps |
| | ## @sa_userconf_maps @sa_username_maps |
| | ## |
| | ## %final_destiny_maps_by_ccat %forward_method_maps_by_ccat |
| | ## %lovers_maps_by_ccat %defang_maps_by_ccat %subject_tag_maps_by_ccat |
| | ## %quarantine_method_by_ccat %quarantine_to_maps_by_ccat |
| | ## %notify_admin_templ_by_ccat %notify_recips_templ_by_ccat |
| | ## %notify_sender_templ_by_ccat %notify_autoresp_templ_by_ccat |
| | ## %notify_release_templ_by_ccat %notify_report_templ_by_ccat |
| | ## %warnsender_by_ccat |
| | ## %hdrfrom_notify_admin_by_ccat %mailfrom_notify_admin_by_ccat |
| | ## %hdrfrom_notify_recip_by_ccat %mailfrom_notify_recip_by_ccat |
| | ## %hdrfrom_notify_sender_by_ccat |
| | ## %hdrfrom_notify_release_by_ccat %hdrfrom_notify_report_by_ccat |
| | ## %admin_maps_by_ccat %warnrecip_maps_by_ccat |
| | ## %always_bcc_by_ccat %dsn_bcc_by_ccat |
| | ## %addr_extension_maps_by_ccat %addr_rewrite_maps_by_ccat |
| | ## %smtp_reason_by_ccat |
| | |
| | ## legacy dynamic configuration variables: |
| | |
| | ## $final_virus_destiny $final_banned_destiny $final_unchecked_destiny |
| | ## $final_spam_destiny $final_bad_header_destiny |
| | ## @virus_lovers_maps @spam_lovers_maps @unchecked_lovers_maps |
| | ## @banned_files_lovers_maps @bad_header_lovers_maps |
| | ## $always_bcc $dsn_bcc |
| | ## $mailfrom_notify_sender $mailfrom_notify_recip |
| | ## $mailfrom_notify_admin $mailfrom_notify_spamadmin |
| | ## $hdrfrom_notify_sender $hdrfrom_notify_recip |
| | ## $hdrfrom_notify_admin $hdrfrom_notify_spamadmin |
| | ## $hdrfrom_notify_release $hdrfrom_notify_report |
| | ## $notify_virus_admin_templ $notify_spam_admin_templ |
| | ## $notify_virus_recips_templ $notify_spam_recips_templ |
| | ## $notify_virus_sender_templ $notify_spam_sender_templ |
| | ## $notify_sender_templ $notify_release_templ |
| | ## $notify_report_templ $notify_autoresp_templ |
| | ## $warnbannedsender $warnbadhsender |
| | ## $defang_virus $defang_banned $defang_spam |
| | ## $defang_bad_header $defang_undecipherable $defang_all |
| | ## $virus_quarantine_method $banned_files_quarantine_method |
| | ## $unchecked_quarantine_method $spam_quarantine_method |
| | ## $bad_header_quarantine_method $clean_quarantine_method |
| | ## $archive_quarantine_method |
| | ## @virus_quarantine_to_maps @banned_quarantine_to_maps |
| | ## @unchecked_quarantine_to_maps @spam_quarantine_to_maps |
| | ## @bad_header_quarantine_to_maps @clean_quarantine_to_maps |
| | ## @archive_quarantine_to_maps |
| | ## @virus_admin_maps @banned_admin_maps |
| | ## @spam_admin_maps @bad_header_admin_maps @spam_modifies_subj_maps |
| | ## @warnvirusrecip_maps @warnbannedrecip_maps @warnbadhrecip_maps |
| | ## @addr_extension_virus_maps @addr_extension_spam_maps |
| | ## @addr_extension_banned_maps @addr_extension_bad_header_maps |
| | |
| | 1; # insure a defined return value |
| </code> | </code> |
| |
| ===== Konfiguration: amavisd-milter ===== | ===== Konfiguration: amavisd-milter ===== |
| |
| ==== /etc/amavisd/amavisd-milter.conf ==== | ==== (Bis Version 1.6.x) - /etc/amavisd/amavisd-milter.conf ==== |
| | |
| | **__BIS Version 1.6.x__** |
| |
| Standardmäßig wird nach der Installation von [[http://amavisd-milter.sourceforge.net/|AMaViS]] - **''amavsid-milter''** in nachfolgendem Verzeichnis mit nachfolgendem Namen die Konfigurationsdatei für den [[http://amavisd-milter.sourceforge.net//|AMaViS]] - **''amavisd-milter''** hinterlegt: | Standardmäßig wird nach der Installation von [[http://amavisd-milter.sourceforge.net/|AMaViS]] - **''amavsid-milter''** in nachfolgendem Verzeichnis mit nachfolgendem Namen die Konfigurationsdatei für den [[http://amavisd-milter.sourceforge.net//|AMaViS]] - **''amavisd-milter''** hinterlegt: |
| :!: **WICHTIG** - **Dies muss mit der Angabe in der [[http://amavisd-milter.sourceforge.net//|AMaViS]] Konfigurationsdatei** | :!: **WICHTIG** - **Dies muss mit der Angabe in der [[http://amavisd-milter.sourceforge.net//|AMaViS]] Konfigurationsdatei** |
| * ''/etc/amavisd/amavisd.conf'' | * ''/etc/amavisd/amavisd.conf'' |
| | **und dem Parameter** |
| | * ''$max_servers = 4'' |
| | **übereinstimmen!** |
| | |
| | ==== (Ab Version 1.7.x) /etc/sysconfig/amavisd-milter ==== |
| | |
| | **__AB Version 1.7.x__** |
| | |
| | :!: **HINWEIS** - **Nachfolgender Befehl muss ausgeführt werden, falls ein __Update von Version 1.6.x auf 1.7.x__ erfolgt!** |
| | |
| | <code> |
| | systemctl daemon-reload |
| | </code> |
| | |
| | Standardmäßig wird nach der Installation von [[https://github.com/prehor/amavisd-milter|AMaViS]] - **''amavsid-milter''** in nachfolgendem Verzeichnis mit nachfolgendem Namen die Konfigurationsdatei für den [[https://github.com/prehor/amavisd-milter|AMaViS]] - **''amavisd-milter''** hinterlegt: |
| | * **''/etc/sysconfig/amavisd-milter''** |
| | |
| | Nachfolgende Änderungen sind an der Konfigurationsdatei ''/etc/sysconfig/amavisd-milter'' durchzuführen: |
| | |
| | (**Komplette Konfigurationsdatei**) |
| | |
| | <code ini> |
| | # Communication socket between sendmail and amavisd-milter (default |
| | # /var/amavis/amavisd-milter.sock). The protocol spoken over this |
| | # socket is MILTER (Mail FILTER). It must agree with the |
| | # INPUT_MAIL_FILTER entry in sendmail.mc |
| | # The socket should be in "proto:address" format: |
| | # o {unix|local}:/path/to/file - A named pipe. |
| | # o inet:port@{hostname|ip-address} - An IPV4 socket. |
| | # o inet6:port@{hostname|ip-address} - An IPV6 socket. |
| | # Tachtler |
| | # default: SOCKET=/var/run/amavisd/amavisd-milter.sock |
| | SOCKET=inet:10014@192.168.0.70 |
| | |
| | # Use this pid file (default /var/amavis/amavisd-milter.pid). |
| | # Better to create /var/run/amavis and put it there |
| | #PID_FILE=/var/run/amavisd/amavisd-milter.pid |
| | |
| | # Maximum concurrent amavisd connections (default 0 - unlimited |
| | # number of connections). It must agree with the $max_servers |
| | # entry in amavisd.conf. |
| | # Tachtler |
| | # default: MAX_CONNECTIONS=2 |
| | MAX_CONNECTIONS=4 |
| | |
| | # Maximum wait for connection to amavisd in seconds (default 300 = |
| | # 5 minutes). It must be less then sending MTA timeout for a |
| | # response to the final "." that terminates a message on sending |
| | # MTA. sendmail has default value 1 hour, postfix 10 minutes and |
| | # qmail 20 minutes. We suggest to use less than 10 minutes. |
| | MAX_WAIT=300 |
| | |
| | # sendmail connection timeout in seconds (default 600 = 10 min- |
| | # utes). It must agree with the INPUT_MAIL_FILTER entry in send- |
| | # mail.mc and must be greater than or equal to the amavisd-new con- |
| | # nection timeout. When you use other milters (especially time- |
| | # consuming), the timeout must be sufficient to process message in |
| | # all milters. |
| | MAILDAEMON_TIMEOUT=600 |
| | |
| | # amavisd-new connection timeout in seconds (default 600 = 10 min- |
| | # utes). This timeout must be sufficient for message processing in |
| | # amavisd-new. It's usually a good idea to adjust them to the same |
| | # value as sendmail connection timeout. |
| | AMAVISD_TIMEOUT=600 |
| | </code> |
| | |
| | **__Nachfolgende Änderungen sollten vorgenommen werden:__** |
| | |
| | * <code ini>SOCKET=inet:10014@192.168.0.70</code> |
| | |
| | Socket über den mit dem [[https://github.com/prehor/amavisd-milter|AMaViS]] - **''amavisd-milter''** über die **IP-Adresse: ''192.168.0.70''** und den **Port: ''10014''** kommuniziert werden kann. |
| | |
| | * <code ini>MAX_CONNECTIONS=4</code> |
| | |
| | Anzahl der **maximalen gleichzeitigen Verbindungen** zwischen [[http://www.postfix.org|Postfix]] und [[https://github.com/prehor/amavisd-milter|AMaViS]] - **''amavisd-milter''**. |
| | |
| | :!: **WICHTIG** - **Dies muss mit der Angabe in der [[https://github.com/prehor/amavisd-milter|AMaViS]] Konfigurationsdatei** |
| | * ''/etc/sysconfig/amavisd-milter'' |
| **und dem Parameter** | **und dem Parameter** |
| * ''$max_servers = 4'' | * ''$max_servers = 4'' |
| |
| ==== /etc/amavisd/amavisd.conf ==== | ==== /etc/amavisd/amavisd.conf ==== |
| | |
| | :!: **WICHTIG** - **Ab der Version 2.11.x von [[http://www.ijs.si/software/amavisd/|AMaViS]], ist ein Patch __nicht__ mehr notwendig!!!** |
| | |
| | :!: **WICHTIG** - **Nachfolgende Konfiguration ist bis Version 2.10.x von [[http://www.ijs.si/software/amavisd/|AMaViS]] notwendig** |
| |
| Nachfolgende Konfigurationsdirektiven (alte und neue) müssen nun gesetzt werden, um eine TLS Transport | Nachfolgende Konfigurationsdirektiven (alte und neue) müssen nun gesetzt werden, um eine TLS Transport |
| Verschlüsselung **von und zu** [[http://www.ijs.si/software/amavisd/|AMaViS]] nutzen zu können. | Verschlüsselung **von und zu** [[http://www.ijs.si/software/amavisd/|AMaViS]] nutzen zu können. |
| |
| **__Eingehende Verbindungen__**: | **__Bis Version 2.10.x von [[http://www.ijs.si/software/amavisd/|AMaViS]] - Eingehende Verbindungen__**: |
| |
| (**Nur relevanter Ausschnitt**) | (**Nur relevanter Ausschnitt**) |
| * //Bitte **__keine__ Zeilenumbrüche** bei ''$smtpd_tls_cipher_list'' durchführen!// | * //Bitte **__keine__ Zeilenumbrüche** bei ''$smtpd_tls_cipher_list'' durchführen!// |
| |
| **__Ausgehende Verbindungen__**: | **__Ab Version 2.11.x von [[http://www.ijs.si/software/amavisd/|AMaViS]] - Eingehende Verbindungen__**: |
| | |
| | (**Nur relevanter Ausschnitt**) |
| | |
| | <code perl> |
| | ... |
| | $tls_security_level_in = 'may'; # Opportunistische TLS Transportverschluesselung eingehend aktiviere |
| | %smtpd_tls_server_options = ( |
| | # SSL_verifycn_scheme => 'smtp', |
| | SSL_verifycn_scheme => 'none', |
| | SSL_session_cache => 2, |
| | SSL_cert_file => '/etc/pki/amavis/certs/CAcert-class3-wildcard.crt', |
| | SSL_key_file => '/etc/pki/amavis/private/tachtler.net.key', |
| | SSL_dh_file => '/etc/pki/postfix/private/dh_2048.pem', |
| | SSL_ca_file => '/etc/pki/tls/certs/ca-bundle.crt', |
| | SSL_version => 'SSLv23:!SSLv3:!SSLv2', |
| | SSL_cipher_list => 'ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES- |
| | CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES:!CBC3-SHA:!iAES128-SHA:!DHE-RSA-AES128-SHA:!AES256-SHA:!DHE- |
| | RSA-AES256-SHA:!CAMELLIA128-SHA:!iDHE-RSA-CAMELLIA128-SHA:!iCAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE- |
| | RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA', |
| | SSL_honor_cipher_order => '1', |
| | SSL_verify_mode => 'SSL_VERIFY_NONE', |
| | SSL_passwd_cb => sub { 'example' }, |
| | ); |
| | ... |
| | </code> |
| | |
| | **__Bis Version 2.10.x von [[http://www.ijs.si/software/amavisd/|AMaViS]] - Ausgehende Verbindungen__**: |
| |
| (**Nur relevanter Ausschnitt**) | (**Nur relevanter Ausschnitt**) |
| </code> | </code> |
| * //Bitte **__keine__ Zeilenumbrüche** bei ''$smtp_tls_cipher_list'' durchführen!// | * //Bitte **__keine__ Zeilenumbrüche** bei ''$smtp_tls_cipher_list'' durchführen!// |
| | |
| | |
| | **__Ab Version 2.11.x von [[http://www.ijs.si/software/amavisd/|AMaViS]] - Eingehende Verbindungen__**: |
| | |
| | (**Nur relevanter Ausschnitt**) |
| | |
| | <code perl> |
| | ... |
| | $tls_security_level_out = 'may'; # Opportunistisches TLS Transportverschluesselung ausgehend aktivieren. |
| | %smtp_tls_client_options = ( |
| | # SSL_verifycn_scheme => 'smtp', |
| | SSL_verifycn_scheme => 'none', |
| | SSL_version => 'SSLv23:!SSLv3:!SSLv2', |
| | SSL_cipher_list => 'ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES- |
| | CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES:!CBC3-SHA:!iAES128-SHA:!DHE-RSA-AES128-SHA:!AES256-SHA:!DHE- |
| | RSA-AES256-SHA:!CAMELLIA128-SHA:!iDHE-RSA-CAMELLIA128-SHA:!iCAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE- |
| | RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA', |
| | SSL_client_ca_file => '/etc/pki/tls/certs/ca-bundle.crt', |
| | SSL_honor_cipher_order => '1', |
| | SSL_verify_mode => 'SSL_VERIFY_PEER', |
| | ); |
| | ... |
| | </code> |
| | |
| | :!: **HINWEIS** - Falls ein **Wildcard-Zertifikat zum Einsatz kommt** (z.B. ''*.tachtler.net'') und der Hostname nicht darauf angewendet werden kann (z.B. ''amavis.idmz.tachtler.net''), dann muss der Parameter: |
| | * ''SSL_verifycn_scheme => 'none','' |
| | gesetzt werden! |
| |
| ==== /etc/postfix/master.cf ==== | ==== /etc/postfix/master.cf ==== |
