amavisd.conf: stucture/default settings

Patrick Ben Koetter p at sys4.de
Thu Nov 15 16:24:31 CET 2018 

Anyone interested to share their ideas/opninions on this?

p at rick



* Patrick Ben Koetter <p at sys4.de>:
> as it is today amavisd.conf is full of options, but none of them really seem
> to make a lot of sense – at least not to newcomers. Some options are redundant
> and serve as examples. Some, belonging to the same topic, touch the surface
> only, while others go into depth.
> 
> As a whole it is hard for newbies and even for more experienced, long time
> users to come up with a setup that does exactly what they want. Many have no
> idea how powerful amavis is, because documentation and configuration file
> don't reflect this.
> 
> I'd like to change that. I want to provide newbies with a useful default
> configuration that covers their main use case by default *and* gives them
> feeling they would be capable – without any doubt – to modify settings and
> still have a functional and secure server afterwards. For the more advanced
> users I'd like to add information that gives them ideas how they could
> improve/individualize/... their setup.
> 
> To me this requires a fundamental change of amavisd.conf. I've summed up my
> toughts in the following sections.
> 
> Please comment. I'd like to get a decision on the changes I propose and start
> putting them to effect.
> 
> 
> == Parameters
> 
> 
> === Comment parameters
> 
> Any parameter in amavisd.conf should be accompanied by a brief comment that
> documents its purpose and its default behaviour.
> 
> 
> === Use new parameters
> 
> There's a pletora of configurations out there today, that uses and mixes old
> and new parameters. Usually the new ones provide better/more functionality. I
> would like to establish and propagate the new ones.
> 
>     .example: socket configuration
>     remove: inet_socket_port
>     add:    listen_sockets
> 
> 
> === Administrator view
> 
> amavis' configuration file is pure Perl. You can add program code to it and it
> will be executed. This is useful if you are a programmer, but it also
> complicates things if you an administrator, whose Perl is not so fluent. The
> majority of amavisd.conf users are administrators.
> 
> I'd like to deliver a configuration file that looks at amavis how they see the
> world, i.e. group options by content class and not by function.
> 
> I'd like to single out options from *_maps_by_ccat and place them into
> sections where they belong e.g. spam related options from *_maps_by_ccat into
> a spam setting dedicated section.
> 
> 
> == Structure
> 
> As of today amavis.conf loosely enforces a structure adding "COMMONLY ADJUSTED
> SETTINGS" as a section and "OTHER MORE COMMON SETTINGS".
> 
> My goal is to improve readability and reduce errors adding sections that help
> to "to jump through the document and scan options" looking for the right
> setting to modify.
> 
> I'd also like to remove anything that distracts attention, e.g. rarely used
> options. The noise should go and the signal should remain only.
> 
> Here's a rough structure I have on my mind (I've been using it with success as
> an amavis trainer throughout the last years):
> 
> .proposed new amavisd structure
> ----
> Server settings
>     identity
>     @listen_sockets
>     nr. instances
> Logging
>     type
>     template
> destinations
>     @local_domains_maps
>     @mynetworks
> policy mappings
>     interface_policy
>     client_ipaddr_policy
>     author_to_policy_bank_maps
> notifications
>     mailfrom_notify_*
>     hdrfrom_notify_*
> Quarantine settings
>     release_format
>     ...
>     notify_release_templ
> IP reputation
> Virus policy (default)
>     scanners
>     ...
> Spam policy (default)
> Banned policy (default)
> Bad Header policy (default)
> Undecipherable policy (default)
> DKIM
>     verification
>     signing
> Policy banks
>     MYNETS
>     submission
>     whitelists
>     AM.PDP
> ----
> 
> 
> == Default policies
> 
> Distributions add their own default policies. Regardless of what they do I'd
> like to review amavis' current policies and modify them (if required).
> 
> 
> === pre-queue by default
> 
> In most countries it is illegal to accept messages for transport first but not
> deliver them later, e.g. because the policy for viruses says to discard
> messages containing malware.
> 
> I'd like to ship amavis with a configuration that has been optimized for
> pre-queue filtering (and documentation addressing pre- and post-queue
> policies).
> 
> 
> === localhost by default
> 
> A content filter (framework) should not be reachable outside the host it runs
> on *unless* someone decides to change that on purpose.
> 
> Back when I was using $inet_socket_port to establish ports amavis would - due
> to limitations of Net::Server - listen on any network interface provided by
> the host and I had to firewall the service in order to allow local sockets
> only.
> 
> Eversince Mark came up with @listen_sockets, which may replace
> $inet_socket_port, this isn't necessary anymore. @listen_sockets allows to
> configure ip:port mappings. I want it to be 127.0.0.1:10024 by default.
> 
> 
> 
> Regards,
> 
> p at rick
> 
> -- 
> [*] sys4 AG
>  
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>  
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Aufsichtsratsvorsitzender: Florian Kirstein
>  

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein

More information about the amavis-devel mailing list