Policy enforcement
Joolee
amavisd at joolee.nl
Thu Sep 18 16:17:34 CEST 2014
As far as I could find in the source when I was configuring it, any maps
from policy banks are merged with the default or custom map.
On 18 September 2014 14:20, Christian Rößner <
c at roessner-network-solutions.com> wrote:
> Hi again,
>
> Am 18.09.2014 um 10:41 schrieb Joolee <amavisd at joolee.nl>:
>
> > Which version of Amavisd-new are you running? The
> final_destiny_maps_by_ccat setting is only available since v2.9
> >
> > The default value of the map variable is as listed below. The first 5
> entries specify that the value has to be retrieved from the old-style
> variables. You are overwriting this default value and using the old-style
> variables in your ORIGINATING policy bank. Without looking at the code for
> parsing the policy banks, I dare to say that this is your problem. Try
> overwriting the map values in your ORIGINATING policy bank as you did in
> your EICAR_TEST bank. Although I do wonder why you have function brackets
> after "CC_VIRUS"
> >
> > # build backward-compatible settings hashes
> > #
> > %final_destiny_maps_by_ccat = (
> > # value is normally a list of by-recipient lookup tables, but for
> compa-
> > # tibility with old %final_destiny_by_ccat a value may also be a
> scalar
> > CC_VIRUS, sub { c('final_virus_destiny') },
> > CC_BANNED, sub { c('final_banned_destiny') },
> > CC_UNCHECKED, sub { c('final_unchecked_destiny') },
> > CC_SPAM, sub { c('final_spam_destiny') },
> > CC_BADH, sub { c('final_bad_header_destiny') },
> > CC_MTA.',1', D_TEMPFAIL, # MTA response was 4xx
> > CC_MTA.',2', D_REJECT, # MTA response was 5xx
> > CC_MTA, D_TEMPFAIL,
> > CC_OVERSIZED, D_BOUNCE,
> > CC_CATCHALL, D_PASS,
> > );
> > On 18 September 2014 08:31, Christian Rößner <
> c at roessner-network-solutions.com> wrote:
> > Hi,
> >
> > I have two Postfix instances. One is submission, the other a combined
> mxin/mxout/hub.
> >
> > I do amavisd-milter on incoming and outgoing mail on the mxin/mxout.
> >
> > On the mxout I give a ORIGINATINg macro to do a special policy-bank for
> submission users that does not check spam (for legal reasons). But it does
> check for viruses. I have set the final_virus_destiny to D_BOUNCE.
> >
> > I also have a special policy-bank for the EICA-test virus. That should
> also do a D_BOUNCE.
> >
> > Sep 18 08:18:33 mx amavis[4588]: (04588-01) Blocked INFECTED
> (Eicar-Test-Signature) {NoBounceOutbound,Quarantined},
> AM.PDP-SOCK/ORIGINATING/EICAR_TEST LOCAL [193.239.107.42] [193.239.106.201]
> <c at roessner-network-solutions.com> -> <cr at deltaweb.de>, quarantine:
> nErWWT6nkl_s, Queue-ID: 3hz7KN0rRqzGp0j, Message-ID: <
> 209C73CC-2067-44C9-AAAE-5F5D68790090 at roessner-network-solutions.com>,
> mail_id: nErWWT6nkl_s, Hits: -, size: 6628, 1400 ms, EICAR test message,
> not to worry
> > Sep 18 08:18:33 mx amavis[4588]: (04588-01) Blocked INFECTED
> (Eicar-Test-Signature), <c at roessner-network-solutions.com> -> <
> cr at deltaweb.de>, Hits: -, tag=0, tag2=0, kill=0, 0/0/0/0
> > Sep 18 08:18:33 mx amavisd-milter[2425]: 3hz7KN0rRqzGp0j: log_id=04588-01
> > Sep 18 08:18:33 mx amavisd-milter[2425]: 3hz7KN0rRqzGp0j:
> return_value=discard
> > Sep 18 08:18:33 mx postfix/cleanup[4642]: 3hz7KN0rRqzGp0j:
> milter-discard: END-OF-MESSAGE from mail.roessner-net.de[193.239.107.42]:
> milter triggers DISCARD action; from=<c at roessner-network-solutions.com>
> to=<cr at deltaweb.de> proto=ESMTP helo=<mail.roessner-net.de>
> >
> > Unfortunately it is not bounced and it gets discarded. Only the
> postmaster does get a notify that a virus was caught.
> >
> > Here are the settings that I focused on:
> >
> > $policy_bank{'ORIGINATING'} = {
> > originating => 1,
> > final_banned_destiny => D_BOUNCE,
> > final_virus_destiny => D_BOUNCE,
> > allow_disclaimers => 1,
> > bypass_spam_checks_maps => [1],
> > enable_ldap => 0,
> > };
> >
> > $policy_bank{'EICAR_TEST'} = {
> > log_templ => $log_short_templ . ', EICAR test message, not to worry',
> > final_destiny_maps_by_ccat => { CC_VIRUS() => D_BOUNCE },
> > };
> >
> > $warn_offsite = 0;
> > $warnbannedsender = 0;
> > $warnbannedrecip = 1;
> > $warnvirussender = 0;
> > $warnvirusrecip = 1;
> > $warnbadhsender = 0;
> > $warnbadhrecip = 0;
> >
> > $final_virus_destiny = D_REJECT;
> >
> > %final_destiny_maps_by_ccat = (
> > CC_VIRUS, sub { c('final_virus_destiny') },
> > CC_BANNED, sub { c('final_banned_destiny') },
> > CC_UNCHECKED, sub { c('final_unchecked_destiny') },
> > CC_UNCHECKED.',1', D_PASS,
> > CC_SPAM, sub { c('final_spam_destiny') },
> > CC_BADH, sub { c('final_bad_header_destiny') },
> > CC_MTA.',1', D_TEMPFAIL,
> > CC_MTA.',2', D_REJECT,
> > CC_OVERSIZED, D_BOUNCE,
> > CC_CATCHALL, D_PASS,
> > );
> >
> > %admin_maps_by_ccat = (
> > CC_VIRUS, sub { ca('virus_admin_maps') },
> > CC_BANNED, sub { ca('banned_admin_maps') },
> > CC_UNCHECKED, sub { ca('virus_admin_maps') },
> > CC_UNCHECKED.',1', undef,
> > CC_SPAM, sub { ca('spam_admin_maps') },
> > CC_BADH, sub { ca('bad_header_admin_maps') },
> > );
> >
> > I probably do not understand all meaning here, so I guess I
> misconfigured something. Does the order play a role, in which settings have
> been done here? I have copied all relevant snippets in the order they
> appear in my config file.
> >
> > Can I turn a NoBounceOutbound?
>
> I have modified my config. I also removed the enable_ldap=0 variable in
> the policy-bank, because I thought that amavis would not know, if mail is
> going outbound or inbound.
>
> Still no luck at all.
>
> I attached my whole config now. I am pretty sure, I have missed something
> and I do not see where. Probably looked too long at the lines :-)
>
> One question to the new maps_cc stuff: What happens to all the other CC_*
> things, if I overload it in a policy-bank? As a python developer I would
> expect that the map is a reference and gets replaced. So not using the
> old-style variables would mean to define the whole map each time. Am I
> right? How is Perl doing this?
>
>
>
>
> Thanks for help in advance
>
> Christian
> --
> Bachelor of Science Informatik
> Erlenwiese 14, 36304 Alsfeld
> T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
> USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20140918/482071f1/attachment.html>
More information about the amavis-users
mailing list