Policy enforcement

Joolee amavisd at joolee.nl
Thu Sep 18 16:17:34 CEST 2014


As far as I could find in the source when I was configuring it, any maps
from policy banks are merged with the default or custom map.

On 18 September 2014 14:20, Christian Rößner <c at roessner-network-solutions.com> wrote:

> Hi again,
>
> On 18.09.2014 at 10:41, Joolee <amavisd at joolee.nl> wrote:
>
> > Which version of Amavisd-new are you running? The
> > final_destiny_maps_by_ccat setting is only available since v2.9
> >
> > The default value of the map variable is as listed below. The first 5
> > entries specify that the value has to be retrieved from the old-style
> > variables. You are overwriting this default value and using the old-style
> > variables in your ORIGINATING policy bank. Without looking at the code for
> > parsing the policy banks, I dare to say that this is your problem. Try
> > overwriting the map values in your ORIGINATING policy bank as you did in
> > your EICAR_TEST bank. Although I do wonder why you have function brackets
> > after "CC_VIRUS"
> >
> >   # build backward-compatible settings hashes
> >   #
> >   %final_destiny_maps_by_ccat = (
> >     # value is normally a list of by-recipient lookup tables, but for compa-
> >     # tibility with old %final_destiny_by_ccat a value may also be a scalar
> >     CC_VIRUS,       sub { c('final_virus_destiny') },
> >     CC_BANNED,      sub { c('final_banned_destiny') },
> >     CC_UNCHECKED,   sub { c('final_unchecked_destiny') },
> >     CC_SPAM,        sub { c('final_spam_destiny') },
> >     CC_BADH,        sub { c('final_bad_header_destiny') },
> >     CC_MTA.',1',    D_TEMPFAIL,  # MTA response was 4xx
> >     CC_MTA.',2',    D_REJECT,    # MTA response was 5xx
> >     CC_MTA,         D_TEMPFAIL,
> >     CC_OVERSIZED,   D_BOUNCE,
> >     CC_CATCHALL,    D_PASS,
> >   );
> > On 18 September 2014 08:31, Christian Rößner <c at roessner-network-solutions.com> wrote:
> > Hi,
> >
> > I have two Postfix instances. One is submission, the other a combined
> > mxin/mxout/hub.
> >
> > I do amavisd-milter on incoming and outgoing mail on the mxin/mxout.
> >
> > On the mxout I give an ORIGINATING macro to do a special policy-bank for
> > submission users that does not check spam (for legal reasons). But it does
> > check for viruses. I have set the final_virus_destiny to D_BOUNCE.
> >
> > I also have a special policy-bank for the EICAR test virus. That should
> > also do a D_BOUNCE.
> >
> > Sep 18 08:18:33 mx amavis[4588]: (04588-01) Blocked INFECTED (Eicar-Test-Signature) {NoBounceOutbound,Quarantined}, AM.PDP-SOCK/ORIGINATING/EICAR_TEST LOCAL [193.239.107.42] [193.239.106.201] <c at roessner-network-solutions.com> -> <cr at deltaweb.de>, quarantine: nErWWT6nkl_s, Queue-ID: 3hz7KN0rRqzGp0j, Message-ID: <209C73CC-2067-44C9-AAAE-5F5D68790090 at roessner-network-solutions.com>, mail_id: nErWWT6nkl_s, Hits: -, size: 6628, 1400 ms, EICAR test message, not to worry
> > Sep 18 08:18:33 mx amavis[4588]: (04588-01) Blocked INFECTED (Eicar-Test-Signature), <c at roessner-network-solutions.com> -> <cr at deltaweb.de>, Hits: -, tag=0, tag2=0, kill=0, 0/0/0/0
> > Sep 18 08:18:33 mx amavisd-milter[2425]: 3hz7KN0rRqzGp0j: log_id=04588-01
> > Sep 18 08:18:33 mx amavisd-milter[2425]: 3hz7KN0rRqzGp0j: return_value=discard
> > Sep 18 08:18:33 mx postfix/cleanup[4642]: 3hz7KN0rRqzGp0j: milter-discard: END-OF-MESSAGE from mail.roessner-net.de[193.239.107.42]: milter triggers DISCARD action; from=<c at roessner-network-solutions.com> to=<cr at deltaweb.de> proto=ESMTP helo=<mail.roessner-net.de>
> >
> > Unfortunately it is not bounced and it gets discarded. Only the
> > postmaster does get a notify that a virus was caught.
> >
> > Here are the settings that I focused on:
> >
> > $policy_bank{'ORIGINATING'} = {
> >   originating                     => 1,
> >   final_banned_destiny            => D_BOUNCE,
> >   final_virus_destiny             => D_BOUNCE,
> >   allow_disclaimers               => 1,
> >   bypass_spam_checks_maps         => [1],
> >   enable_ldap                     => 0,
> > };
> >
> > $policy_bank{'EICAR_TEST'} = {
> >   log_templ => $log_short_templ . ', EICAR test message, not to worry',
> >   final_destiny_maps_by_ccat      => { CC_VIRUS() => D_BOUNCE },
> > };
> >
> > $warn_offsite = 0;
> > $warnbannedsender = 0;
> > $warnbannedrecip = 1;
> > $warnvirussender = 0;
> > $warnvirusrecip = 1;
> > $warnbadhsender = 0;
> > $warnbadhrecip = 0;
> >
> > $final_virus_destiny = D_REJECT;
> >
> > %final_destiny_maps_by_ccat = (
> >   CC_VIRUS,             sub { c('final_virus_destiny') },
> >   CC_BANNED,            sub { c('final_banned_destiny') },
> >   CC_UNCHECKED,         sub { c('final_unchecked_destiny') },
> >   CC_UNCHECKED.',1',    D_PASS,
> >   CC_SPAM,              sub { c('final_spam_destiny') },
> >   CC_BADH,              sub { c('final_bad_header_destiny') },
> >   CC_MTA.',1',          D_TEMPFAIL,
> >   CC_MTA.',2',          D_REJECT,
> >   CC_OVERSIZED,         D_BOUNCE,
> >   CC_CATCHALL,          D_PASS,
> > );
> >
> > %admin_maps_by_ccat = (
> >   CC_VIRUS,       sub { ca('virus_admin_maps') },
> >   CC_BANNED,      sub { ca('banned_admin_maps') },
> >   CC_UNCHECKED,   sub { ca('virus_admin_maps') },
> >   CC_UNCHECKED.',1',    undef,
> >   CC_SPAM,        sub { ca('spam_admin_maps') },
> >   CC_BADH,        sub { ca('bad_header_admin_maps') },
> > );
> >
> > I probably do not understand all meaning here, so I guess I
> > misconfigured something. Does the order play a role, in which settings have
> > been done here? I have copied all relevant snippets in the order they
> > appear in my config file.
> >
> > Can I turn a NoBounceOutbound?
>
> I have modified my config. I also removed the enable_ldap=0 variable in
> the policy-bank, because I thought that amavis would not know, if mail is
> going outbound or inbound.
>
> Still no luck at all.
>
> I attached my whole config now. I am pretty sure, I have missed something
> and I do not see where. Probably looked too long at the lines :-)
>
> One question to the new maps_cc stuff: What happens to all the other CC_*
> things, if I overload it in a policy-bank? As a python developer I would
> expect that the map is a reference and gets replaced. So not using the
> old-style variables would mean to define the whole map each time. Am I
> right? How is Perl doing this?
>
>
>
>
> Thanks for help in advance
>
> Christian
> --
> Bachelor of Science Informatik
> Erlenwiese 14, 36304 Alsfeld
> T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
> USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
>
>
>
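
The merge behaviour described in the reply at the top, and the reason for the parentheses in `CC_VIRUS() =>`, as a simplified Perl model added here (not amavisd-new source and not code from the thread). The constant values and the `load_bank` and `destiny` helpers are hypothetical stand-ins.

```perl
#!/usr/bin/perl
# Added illustration: a simplified model, not amavisd-new source code.
use strict;
use warnings;

# Stand-in values (constructed); amavisd-new defines its own CC_* and D_* constants.
use constant { CC_VIRUS => 9, CC_BANNED => 8, CC_SPAM => 6, CC_CATCHALL => 0 };
use constant { D_PASS => 'D_PASS', D_BOUNCE => 'D_BOUNCE', D_REJECT => 'D_REJECT' };

# Currently active settings; c() stands in for a lookup of an old-style variable.
my %current = (final_virus_destiny => D_REJECT, final_banned_destiny => D_BOUNCE,
               final_spam_destiny  => D_PASS);
sub c { return $current{ $_[0] } }

# Map written with commas, as in the listing, so each CC_* is a constant call;
# sub { ... } defers the old-style lookup until the destiny is actually needed.
$current{final_destiny_maps_by_ccat} = {
  CC_VIRUS,    sub { c('final_virus_destiny') },
  CC_BANNED,   sub { c('final_banned_destiny') },
  CC_SPAM,     sub { c('final_spam_destiny') },
  CC_CATCHALL, D_PASS,
};

# Hypothetical loader: hash-valued settings are merged key by key (the behaviour
# the reply describes); any other setting is simply replaced.
sub load_bank {
  my ($bank) = @_;
  for my $k (keys %$bank) {
    my $merge = ref($bank->{$k}) eq 'HASH' && ref($current{$k}) eq 'HASH';
    $current{$k} = $merge ? { %{ $current{$k} }, %{ $bank->{$k} } } : $bank->{$k};
  }
  return;
}

# Resolve a content category to its destiny, calling deferred lookups.
sub destiny {
  my $v = $current{final_destiny_maps_by_ccat}{ $_[0] };
  return ref($v) eq 'CODE' ? $v->() : $v;
}

printf "global defaults:    virus=%s\n", destiny(CC_VIRUS);
load_bank({ final_virus_destiny => D_BOUNCE });             # scalar, as in ORIGINATING
printf "old-style override: virus=%s\n", destiny(CC_VIRUS);
load_bank({ final_destiny_maps_by_ccat => { CC_VIRUS() => D_BOUNCE } });  # as in EICAR_TEST
printf "map override:       virus=%s banned=%s spam=%s (%d keys kept)\n",
  destiny(CC_VIRUS), destiny(CC_BANNED), destiny(CC_SPAM),
  scalar keys %{ $current{final_destiny_maps_by_ccat} };

# "=>" quotes a bareword on its left, so the parentheses force the constant call.
my %quoted = (CC_VIRUS   => D_BOUNCE);
my %called = (CC_VIRUS() => D_BOUNCE);
printf "key without parens: %s, with parens: %s\n", keys %quoted, keys %called;
```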