Amavisd question
Alan Davies via amavis-users
amavis-users at amavis.org
Tue Sep 3 10:18:42 CEST 2013
Hi Benedict,
Here is the conf file with the comment lines stripped:
# amavisd.conf as posted to the list with comment lines stripped (the
# reply below asked for `grep -v '^#' amavisd.conf`).  Several statements
# are visibly incomplete -- opening or closing lines are missing -- so this
# paste does not parse as-is; the gaps are marked inline.
use strict;
# Quarantine directory.  NOTE(review): should be readable/writable by the
# amavis user only -- confirm ownership and mode on the host.
$QUARANTINEDIR = "/var/virusmails";
# Networks treated as local/internal.  The '};' that follows closes a
# block whose opening line is not in the paste.
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
};
# Mail received on port 10026 is handled by the ORIGINATING policy bank.
$interface_policy{'10026'} = 'ORIGINATING';
$protocol = 'SMTP';
# Bare hash entries: the "$policy_bank{...} = {" opener is missing from
# the paste (presumably the ORIGINATING bank referenced above -- verify).
# warnbadhsender => 1 sends bad-header notifications back to the sender;
# forward_method hands checked mail back to Postfix on 127.0.0.1:10027.
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps => ["virusalert\@$mydomain"],
warnbadhsender => 1,
forward_method => 'smtp:[127.0.0.1]:10027',
smtpd_discard_ehlo_keywords => ['8BITMIME'],
};
# AM.PDP policy bank; inet_acl limits callers to the loopback address.
$policy_bank{'AM.PDP-SOCK'} = {
protocol => 'AM.PDP',
inet_acl => [qw( 127.0.0.1)]
};
# SQL lookup DSN with clear-text credentials.  NOTE(review): the password
# equals the user name and has now been posted to a public list -- rotate
# it, and keep this file unreadable to other local users.
@lookup_sql_dsn =
( ['dbi:mysql:postfix:127.0.0.1','postfix','postfix']);
# Per-recipient policy lookup.  %k is amavisd's placeholder for the list
# of lookup keys (expanded to bind placeholders, not to raw user data).
$sql_select_policy =
'SELECT *,users.id'.
' FROM users LEFT JOIN policy ON users.policy_id=policy.id'.
' WHERE users.email IN (%k) ORDER BY users.priority DESC';
# White/black-list lookup keyed on the recipient id (rid) and sender keys.
$sql_select_white_black_list =
'SELECT wb'.
' FROM wblist JOIN mailaddr ON wblist.sid=mailaddr.id'.
' WHERE wblist.rid=? AND mailaddr.email IN (%k)'.
' ORDER BY mailaddr.priority DESC';
# SQL logging/quarantine clauses, all using bind placeholders (?).
# NOTE(review): the entries at 'SELECT partition_tag ...' and the two
# trailing "SELECT msgs.time_num ..." statements have lost their key
# names, and the last two strings are not joined with '.' -- as pasted
# this hash does not parse, and the key/value pairing would be shifted.
%sql_clause = (
'sel_policy' => \$sql_select_policy,
'sel_wblist' => \$sql_select_white_black_list,
'sel_adr' =>
'SELECT id FROM maddr WHERE partition_tag=? AND email=?',
'ins_adr' =>
'INSERT INTO maddr (partition_tag, email, domain) VALUES (?,?,?)',
'ins_msg' =>
'INSERT INTO msgs (partition_tag, mail_id, secret_id, am_id,'.
' time_num, time_iso, sid, policy, client_addr, size, host)'.
' VALUES (?,?,?,?,?,?,?,?,?,?,?)',
'upd_msg' =>
'UPDATE msgs SET content=?, quar_type=?, quar_loc=?, dsn_sent=?,'.
' spam_level=?, message_id=?, from_addr=?, subject=?, client_addr=?,'.
' originating=?'.
' WHERE partition_tag=? AND mail_id=?',
'ins_rcp' =>
'INSERT INTO msgrcpt (partition_tag, mail_id, rseqnum, rid, is_local,'.
' content, ds, rs, bl, wl, bspam_level, smtp_resp)'.
' VALUES (?,?,?,?,?,?,?,?,?,?,?,?)',
'ins_quar' =>
'INSERT INTO quarantine (partition_tag, mail_id, chunk_ind, mail_text)'.
' VALUES (?,?,?,?)',
# key name missing before this value
'SELECT partition_tag FROM msgs WHERE mail_id=?',
'sel_quar' =>
'SELECT mail_text FROM quarantine'.
' WHERE partition_tag=? AND mail_id=?'.
' ORDER BY chunk_ind',
# key names missing before the next two statements
"SELECT msgs.time_num, msgs.mail_id, subject".
" FROM msgs JOIN msgrcpt USING (partition_tag,mail_id)".
" WHERE sid=? AND rid=? AND msgs.content!='V' AND ds='P'".
"SELECT msgs.time_num, msgs.mail_id, subject, message_id, rid".
" FROM msgs JOIN msgrcpt USING (partition_tag,mail_id)".
" WHERE sid=? AND msgs.content!='V' AND ds='P' AND message_id IN (%m)".
" AND rid!=sid".
);
# Address extensions appended to the recipient local part for each
# mail category (presumably user+virus@..., user+spam@... -- verify).
@addr_extension_virus_maps = ('virus');
@addr_extension_banned_maps = ('banned');
@addr_extension_spam_maps = ('spam');
@addr_extension_bad_header_maps = ('badh');
# Search path for external decoders/scanners: absolute system directories
# only, no relative or user-writable entries.
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# Decoding limits: nesting depth and number of extracted parts.
$MAXLEVELS = 14;
$MAXFILES = 1500;
$sa_spam_subject_tag = '***Spam*** ';
# Viruses, banned content and bad headers are discarded outright.
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;
# NOTE(review): a *_quarantine_method setting is given a destiny constant
# (D_DISCARD) here, which looks like a copy/paste slip -- compare with the
# value type used for the other quarantine_method settings.
$bad_header_quarantine_method = D_DISCARD;
@keep_decoded_original_maps = (new_RE(
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
# Banned attachments by content type and by (double) file extension;
# with $final_banned_destiny = D_DISCARD above these are dropped silently.
$banned_filename_re = new_RE(
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
);
# Fragment: these [regex => score] pairs have lost their enclosing
# "new_RE(" and the list they belong to (presumably a score_sender_maps
# entry -- verify).  Positive scores push towards spam, negative away.
# NOTE(review): the last pair gives any sender local part starting with
# "test" a -15 score; since the sender address is attacker-controlled this
# is an easy way past spam scoring.
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|free|baked|laughing\sgas|offer|sale|onsale|order\snow|register|certified|certification)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert|mikogo|contract|contracts|LinkedIn|Bank\sHoliday|upgrade|buyer)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in|borrow|no\schecks|funds|success)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers|\d+%\soff|ink|toner|merdeces|only\s£\d+|seeing\syou\sagain)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree|voucher|training|budget|cuts|diet|free|half\sprice|best\sin\sclass|test\sdrive)@'i => 5.0],
[qr'^(your_friend|greatoffers|under\s$\d+|£\d+|tuition|driving|quote|timeshare|share)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney|win|homware|beauty|suits|mens|new\sbusiness|tactical|online\scollaboration|tickets|awards|expensive|jaguar)\d*@'i => 5.0],
[qr'^(test)'i => -15.0],
),
# Sender-address score adjustments (mostly well-known list addresses).
# '.bounce.' appears twice with the same value -- a harmless duplicate.
# NOTE(review): 'ballco.co.uk' => -15.0 effectively whitelists anything
# claiming that sender domain; the envelope sender is trivially spoofable,
# so prefer a narrower key or a smaller adjustment.
'nobody at cert.org' => -3.0,
'cert-advisory at us-cert.gov' => -3.0,
'owner-alert at iss.net' => -3.0,
'slashdot at slashdot.org' => -3.0,
'securityfocus.com' => -3.0,
'ntbugtraq at listserv.ntbugtraq.com' => -3.0,
'security-alerts at linuxsecurity.com' => -3.0,
'mailman-announce-admin at python.org' => -3.0,
'amavis-user-admin at lists.sourceforge.net'=> -3.0,
'amavis-user-bounces at lists.sourceforge.net' => -3.0,
'spamassassin.apache.org' => -3.0,
'notification-return at lists.sophos.com' => -3.0,
'owner-postfix-users at postfix.org' => -3.0,
'owner-postfix-announce at postfix.org' => -3.0,
'owner-sendmail-announce at lists.sendmail.org' => -3.0,
'sendmail-announce-request at lists.sendmail.org' => -3.0,
'donotreply at sendmail.org' => -3.0,
'ca+envelope at sendmail.org' => -3.0,
'noreply at freshmeat.net' => -3.0,
'owner-technews at postel.acm.org' => -3.0,
'ietf-123-owner at loki.ietf.org' => -3.0,
'cvs-commits-list-admin at gnome.org' => -3.0,
'rt-users-admin at lists.fsck.com' => -3.0,
'clp-request at comp.nus.edu.sg' => -3.0,
'surveys-errors at lists.nua.ie' => -3.0,
'emailnews at genomeweb.com' => -5.0,
'yahoo-dev-null at yahoo-inc.com' => -3.0,
'.bounce.' => 4.5,
'returns.groups.yahoo.com' => -3.0,
'clusternews at linuxnetworx.com' => -3.0,
'.bounce.' => 4.5,
'ballco.co.uk' => -15.0,
lc('lvs-users-admin at LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews at CNNIMAIL12.CNN.COM') => -5.0,
'sender at example.net' => 3.0,
'.example.net' => 1.0,
# The two closers below belong to structures whose openers are missing.
},
});
# External decoders: [type, handler, tool(s)].  Where several tools are
# listed the first one found on $path is used; 'gz' and 'zip'/'kmz' also
# have internal fallbacks (do_gunzip, do_unzip) listed right after them.
@decoders = (
['mail', \&do_mime_decode],
['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
['gz', \&do_uncompress, 'gzip -d'],
['gz', \&do_gunzip],
['bz2', \&do_uncompress, 'bzip2 -d'],
['xz', \&do_uncompress,
['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
['lzma', \&do_uncompress,
['lzmadec', 'xz -dc --format=lzma',
'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
['lrz', \&do_uncompress,
['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
['lzo', \&do_uncompress, 'lzop -d'],
['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
[['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
['deb', \&do_ar, 'ar'],
['rar', \&do_unrar, ['unrar', 'rar'] ],
['arj', \&do_unarj, ['unarj', 'arj'] ],
['arc', \&do_arc, ['nomarch', 'arc'] ],
['zoo', \&do_zoo, ['zoo', 'unzoo'] ],
['doc', \&do_ole, 'ripole'],
['cab', \&do_cabextract, 'cabextract'],
['tnef', \&do_tnef_ext, 'tnef'],
['tnef', \&do_tnef],
[['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
[['zip','kmz'], \&do_unzip],
['7z', \&do_7zip, ['7zr', '7za', '7z'] ],
[[qw(7z zip gz bz2 Z tar)],
\&do_7zip, ['7za', '7z'] ],
[[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
\&do_7zip, '7z' ],
['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);
# Primary virus scanners, tried in order.  The first entry talks to clamd
# over its Unix socket; {} is replaced by the directory to scan.  Entries
# whose programs are absent are presumably skipped (amavisd default).
# NOTE(review): three entries are truncated in the paste -- the one
# before 'CAI eTrust' (only its argument lines survive), 'CyberSoft
# VFind' (no arguments at all) and the two before 'ArcaVir' (openers
# missing) -- which leaves the closing brackets unbalanced.
@av_scanners = (
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
qr/\bOK$/m, qr/\bFOUND$/m,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'],
[0], [1], qr/^INFECTED: (.+)/m],
['KasperskyLab AVP - aveclient',
['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
'/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
'-p /var/run/aveserver -s {}/*',
[0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
],
# The two anonymous subs are pre/post hooks that chdir into /opt/AVP and
# back to $TEMPBASE around the scan; both die if chdir fails.
['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
qr/infected: (.+)/m,
sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
],
['KasperskyLab AVPDaemonClient',
[ '/opt/AVP/kavdaemon', 'kavdaemon',
'/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
'/opt/AVP/AvpTeamDream', 'AvpTeamDream',
'/opt/AVP/avpdc', 'avpdc' ],
"-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
['CentralCommand Vexira (new) vascan',
['vascan','/usr/lib/Vexira/vascan'],
"-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
"--log=/var/log/vascan.log {}",
[0,3], [1,2,5],
qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
['Avira AntiVir', ['antivir','vexira'],
'--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
(?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
['Avira AntiVir', ['avscan'],
'-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m,
qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ],
['Command AntiVirus for Linux', 'csav',
'-all -archive -packed {}', [50], [51,52,53],
qr/Infection: (.+)/m ],
['Symantec CarrierScan via Symantec CommandLineScanner',
'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
qr/^(?:Info|Virus Name):\s+(.+)/m ],
['Symantec AntiVirus Scan Engine',
'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
[0], qr/^Infected\b/m,
qr/^(?:Info|Virus Name):\s+(.+)/m ],
['F-Secure Linux Security',
['/opt/f-secure/fsav/bin/fsav', 'fsav'],
'--virus-action1=report --archive=yes --auto=yes '.
'--list=no --nomimeerr {}', [0], [3,4,6,8],
qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
# fragment: scanner name and program lines missing before these two lines
'-sec -nex {}', [0], [100],
qr/was infected by virus (.+)/m ],
['CAI eTrust Antivirus', 'etrust-wrapper',
'-arc -nex -spm h {}', [0], [101],
qr/is infected by virus: (.+)/m ],
['MkS_Vir for Linux (beta)', ['mks32','mks'],
'-s {}/*', [0], [1,2],
qr/--[ \t]*(.+)/m ],
['MkS_Vir daemon', 'mksscan',
'-s -q {}', [0], [1..7],
qr/^... (\S+)/m ],
['ESET Software ESETS Command Line Interface',
['/usr/bin/esets_cli', 'esets_cli'],
'--subdir {}', [0], [1,2,3],
qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
['ESET NOD32 for Linux File servers',
['/opt/eset/nod32/sbin/nod32','nod32'],
'--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
'-w -a --action=1 -b {}',
[0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
['Norman Virus Control v5 / Linux', 'nvcc',
'-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
qr/(?i).* virus in .* -> \'(.+)\'/m ],
['Panda CommandLineSecure 9 for Linux',
['/opt/pavcl/usr/bin/pavcl','pavcl'],
'-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
qr/Number of files infected[ .]*: 0+(?!\d)/m,
qr/Number of files infected[ .]*: 0*[1-9]/m,
qr/Found virus :\s*(\S+)/m ],
['NAI McAfee AntiVirus (uvscan)', 'uvscan',
'--secure -rv --mime --summary --noboot - {}', [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/m,
],
['VirusBuster', ['vbuster', 'vbengcl'],
"{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
qr/: '(.*)' - Virus/m ],
# fragment: argument and result-pattern lines missing from this entry
['CyberSoft VFind', 'vfind',
],
['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
'-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
['Ikarus AntiVirus for Linux', 'ikarus',
'{}', [0], [40], qr/Signature (.+) found/m ],
# fragment: scanner name and program lines missing before each of the
# next two entries
'--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m,
qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
'--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
'-v 1 -summary 0 -s {}', [0], [1,2],
qr/(?:VIR|WIR):[ \t]*(.+)/m ],
);
# Backup scanners, used when none of the primary ones is usable.
# NOTE(review): the F-PROT entries are missing their argument lines and
# the DrWeb entry is missing its name line, so this list is also
# unbalanced as pasted.
@av_scanners_backup = (
['ClamAV-clamscan', 'clamscan',
"--stdout --no-summary -r --tempdir=$TEMPBASE {}",
[0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
['F-PROT Antivirus for UNIX', ['fpscan'],
[0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
'-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
# fragment: the scanner name line is missing before this program list
['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
'-path={} -al -go -ot -cn -upn -ok-',
[0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
['Kaspersky Antivirus v5.5',
['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
'/opt/kav/5.5/kav4unix/bin/kavscanner',
'/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
'-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
],
);
Kind Regards,
Alan Davies
Business Support
ITCS - IT Computer Services
Bridgend Ind Estate
Bridgend
CF31 3TP
www.itcs.co.uk
Tel: 08456 444 200
Fax: 01656 660 016
-----Original Message-----
From: Benedict White [mailto:Benedict.White at cse-ltd.co.uk]
Sent: 02 September 2013 17:28
To: Alan Davies; amavis-users at amavis.org
Subject: RE: Amavisd question
-----Original Message-----
From: Alan Davies [mailto:adavies at itcs.co.uk]
Sent: 02 September 2013 17:17
To: Benedict White
Subject: RE: Amavisd question
>Here's the output of the grep command:
>
>[root at spam log]# grep -a3 -b3 0 /etc/amavisd.conf | grep protocol 3314-$protocol = 'SMTP';
>4381- protocol => 'AM.PDP',
>[root at spam log]#
>
>I've tried entering a policy (taken from the sql example config page, the normal setting) but this has had no effect either...
>
>
That has me stumped for the moment.
Hopefully someone else can jump in and help.
In the meantime can you post the output of:
grep -v '^#' amavisd.conf
Kindest regards,
Benedict White