defang_spam not working
Mark Martinec
Mark.Martinec+amavis at ijs.si
Tue Feb 21 15:12:20 CET 2012
Stephen,
> You are correct I was indeed hoping to replicate $defang_spam = 'attach'
> with altermime. I like receiving the spam report with spammy messages, but
> I'd also like to be able to add a disclaimer to outgoing (and possibly
> some incoming messages) messages as well. Are these two features mutually
> exclusive?
>
> I've just had a quick look at amavisd.conf-default it would seem to me that
> $altermime is only globally configurable and not a policy configurable, so
> I can't just enable altermime on our outbound policy, or can I?
You can have both. The $defang_* settings can contain one of the
strings: 'attach', 'altermime', 'anomy', 'disclaimer'. Any other value
(such as 1) is interpreted as 'anomy' if $enable_anomy_sanitizer is true,
or as 'altermime' if $altermime proogram is available, or as 'attach' otherwise,
for compatibility reasons.
So the idea is to set it to 'disclaimer' with a policy bank which is accepting
mail from inside or roaming authenticated users (typically named 'MYNETS'
or 'ORIGINATING'), and use a setting 'attach' for everything else, i.e. as a global
default. You can even have $defang_spam='attach' and $defang_virus='altermime'
For example:
$defang_spam='attach';
$defang_virus='altermime';
# list all you internal networks here, public and private addresses
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 );
$policy_bank{'MYNETS'} = {
originating => 1,
allow_disclaimers => 1,
defang_maps_by_ccat => { REPLACE => 1, &CC_CATCHALL => 'disclaimer' },
}
amavisd-new-2.5.0 release notes:
- provided interface code to allow mangling/defanging/sanitation
to be performed by an external utility, either by directly calling
a Perl module Anomy Sanitizer (within the same process, avoiding
startup cost), or by invoking a program 'altermime' (or by internal
defanging code as before).
Mail body defanging is only allowed for local recipients (those matching
@local_domains_maps), i.e. for inbound and internal-to-internal mail.
If there is more than one mangling code option available, the result
of a %defang_maps_by_ccat can choose between them by returning one of
the following strings, the selection can depend on mail content type
and on by-recipient lookups if needed:
'anomy' chooses Anomy Sanitizer (if $enable_anomy_sanitizer is true);
'altermime' chooses a program whose path is $altermime (if found);
'attach' chooses the traditional amavisd-new defanging method
which pushes an original mail message to an attachment;
'null' for testing purposes - doesn't modify mail body, but
pretends it does (in logging and mail header);
other non-empty and non-zero value automatically choose one
of the above options depending on what is available;
at least the 'attach' is always available;
an empty, zero or undef value disables mail body modifications;
Controls: $enable_anomy_sanitizer, @anomy_sanitizer_args,
and: $altermime, @altermime_args_defang;
Typical use:
# with altermime:
$altermime = '/usr/local/bin/altermime';
@altermime_args_defang = qw(--verbose --removeall);
# with Anomy Sanitizer:
$enable_anomy_sanitizer = 1;
@anomy_sanitizer_args = qw( /usr/local/etc/sanitizer.cfg );
$defang_spam = 1; # old style, applies the first available mangler
# to all spam-loving local recipients
# unnecessarily complicated example of selective choices:
$defang_maps_by_ccat{+CC_BANNED} = [
'altermime', # use altermime for everybody (a 'constant' lookup table)
];
$defang_maps_by_ccat{+CC_SPAM} = [
{ # a per-recipient hash lookup table
'user at example.com' => 1, # old style, auto-selects a mangler
'user-a at example.com' => 'anomy',
'user-m at example.com' => 'altermime',
'user-t at example.com' => 'attach',
'.example.net' => 0, # no mangling
},
$defang_spam, # fallback to old style setting if no match above
];
- a special case of mangling is adding a disclaimer, by invoking an external
program 'altermime' (if available and enabled). This differs from mangling
inbound mail in two details:
* uses a separately configurable list of arguments to altermime:
@altermime_args_disclaimer; and
* it applies only to mail submitted from internal networks or roaming users
(as recognized through a policy bank which sets: allow_disclaimers => 1),
and where any of the following addresses matches local domains:
author (2822.From) or sender (2822.Sender) or return path (2821.mail_from);
Typically the $allow_disclaimers should be set by a policy bank which
also sets the $originating flag.
In addition to strings that may be returned by %defang_maps_by_ccat
as described above, there are two more, only taken into account
when $allow_disclaimers is true:
'disclaimer' invokes $altermime program for outgoing mail with
arguments as given in @altermime_args_disclaimer;
'nulldisclaimer' for testing purposes - doesn't modify mail body,
but pretends it does (in logging and mail header);
Typical use:
$altermime = '/usr/local/bin/altermime';
@altermime_args_disclaimer =
qw(--verbose --disclaimer=/etc/altermime-disclaimer.txt);
$defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];
@mynetworks = qw( ... );
$policy_bank{'MYNETS'} = { # mail originating from our networks
originating => 1,
allow_disclaimers => 1,
}
For the moment there is one limitation: there can only be one mangler
in effect at a time, it is not currently possible to both defang and to
append a disclaimer on the same message: for internal-to-internal mail
inserting a disclaimer takes precedence.
To make it possible to provide different disclaimer texts when hosting
multiple domains, there is an experimental additional configuration
variable available: the @disclaimer_options_bysender_maps.
It is a list of lookup tables, looked up by a sender address.
The sender address is chosen from the following list, first match wins:
* 'Sender:' header field, if its domain matches @local_domains_maps;
* 'From:' header field, if its domain matches @local_domains_maps;
* envelope sender address, if its domain matches @local_domains_maps;
We already know that at least one of the above will match, otherwise
adding disclaimers would be skipped at an earlier stage. The result of
lookups should be one simple string, which replaces a string '_OPTION_'
anywhere in @altermime_args_disclaimer elements.
Typical use:
@altermime_args_disclaimer = qw(--disclaimer=/etc/_OPTION_.txt);
@disclaimer_options_bysender_maps = (
{ 'host1.example.com' => 'altermime-disclaimer-host1',
'boss at example.net' => 'altermime-disclaimer-boss',
'.example.net' => 'altermime-disclaimer-net',
'.' => 'altermime-disclaimer-default' },
);
It is currently not possible to disable adding disclaimers through
@disclaimer_options_bysender_maps results. This needs to be improved.
The exact interpretation of the @disclaimer_options_bysender_maps lookup
result may change in the future (which is why I call it 'experimental').
Note that disclaimers are pretty much useless legally.
If you can help it at all, please avoid the pollution. See:
http://www.goldmark.org/jeff/stupid-disclaimers/
Mark
More information about the amavis-users
mailing list