<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
<meta name="Generator" content="Kopano WebApp v8.3.0-694">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>AW: Suspect, mails are banned due to attachent only for single user.</title>
</head>
<body>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: arial, helvetica, sans-serif;">Hi Damian,<br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: arial, helvetica, sans-serif;">Thanks for You help. I also searching for some values in the config I could not find. </span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: arial, helvetica, sans-serif;">But I have no clue why only one sender is banned...</span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: arial, helvetica, sans-serif;">Here is all in /etc/amavis/conf.d/ is defined in my setup so far. </span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: arial, helvetica, sans-serif;"><br /></span></p>
<div>--- 01-debian :</div>
<div><br /></div>
<div>debian standards.... </div>
<div><br /></div>
<div>pathes and so on.</div>
<div><br /></div>
<div><br /></div>
<div>--- 05-domain_id</div>
<div><br /></div>
<div>@local_domains_acl =.... local local_domains_acl</div>
<div><br /></div>
<div><br /></div>
<div>--- 05-node_id</div>
<div><br /></div>
<div>chomp($myhostname = `hostname --fqdn`);</div>
<div><br /></div>
<div>--- 15-av_scanners:</div>
<div><br /></div>
<div>@av_scanners = (</div>
<div><br /></div>
<div> ['Sophos Anti Virus (sweep)', 'sweep',</div>
<div> '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.</div>
<div> '--no-reset-atime {}',</div>
<div> [0,2], qr/Virus .*? found/m,</div>
<div> qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,</div>
<div> ],</div>
<div><br /></div>
<div>..... some more .....</div>
<div><br /></div>
<div>};</div>
<div><br /></div>
<div>@av_scanners_backup {</div>
<div><br /></div>
<div>..... some scanners like debian standard file ...</div>
<div><br /></div>
<div>};</div>
<div><br /></div>
<div><br /></div>
<div>15--content_filter_mode</div>
<div><br /></div>
<div><br /></div>
<div>use strict;</div>
<div><br /></div>
<div>@bypass_virus_checks_maps = (</div>
<div> \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);</div>
<div><br /></div>
<div>@bypass_spam_checks_maps = (</div>
<div> \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);</div>
<div><br /></div>
<div>1; # ensure a defined return</div>
<div><br /></div>
<div>use strict;</div>
<div><br /></div>
<div><br /></div>
<div>$QUARANTINEDIR = "$MYHOME/virusmails";</div>
<div>$quarantine_subdir_levels = 1; # enable quarantine dir hashing</div>
<div><br /></div>
<div>$log_recip_templ = undef; # disable by-recipient level-0 log entries</div>
<div>$DO_SYSLOG = 1; # log via syslogd (preferred)</div>
<div>$syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages</div>
<div>$syslog_facility = 'mail';</div>
<div>$syslog_priority = 'debug'; # switch to info to drop debug output, etc</div>
<div><br /></div>
<div>$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)</div>
<div>$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1</div>
<div><br /></div>
<div>$inet_socket_port = 10024; # default listening socket</div>
<div><br /></div>
<div>$sa_spam_subject_tag = '***SPAM*** ';</div>
<div>$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level</div>
<div>$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level</div>
<div>$sa_kill_level_deflt = 6.31; # triggers spam evasive actions</div>
<div>$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent</div>
<div><br /></div>
<div>$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger</div>
<div>$sa_local_tests_only = 0; # only tests which do not require internet access?</div>
<div><br /></div>
<div># Quota limits to avoid bombs (like 42.zip)</div>
<div><br /></div>
<div>$MAXLEVELS = 14;</div>
<div>$MAXFILES = 1500;</div>
<div>$MIN_EXPANSION_QUOTA = 100*1024; # bytes</div>
<div>$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes</div>
<div><br /></div>
<div><br /></div>
<div><br /></div>
<div>$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)</div>
<div>$final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA</div>
<div>$final_spam_destiny = D_PASS;</div>
<div>$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)</div>
<div><br /></div>
<div>$enable_dkim_verification = 0; #disabled to prevent warning</div>
<div><br /></div>
<div>$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default</div>
<div><br /></div>
<div># Set to empty ("") to add no header</div>
<div>$X_HEADER_LINE = "Debian $myproduct_name at $myhostname";</div>
<div><br /></div>
<div><br /></div>
<div>@viruses_that_fake_sender_maps = (new_RE(</div>
<div> [qr'\bEICAR\b'i => 0], # av test pattern name</div>
<div> [qr/.*/ => 1], # true for everything else</div>
<div>));</div>
<div><br /></div>
<div>@keep_decoded_original_maps = (new_RE(</div>
<div># qr'^MAIL$', # retain full original message for virus checking (can be slow)</div>
<div> qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables</div>
<div> qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,</div>
<div># qr'^Zip archive data', # don't trust Archive::Zip</div>
<div>));</div>
<div><br /></div>
<div><br /></div>
<div># for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample</div>
<div><br /></div>
<div>$banned_filename_re = new_RE(</div>
<div># qr'^UNDECIPHERABLE$', # is or contains any undecipherable components</div>
<div><br /></div>
<div> # block certain double extensions anywhere in the base name</div>
<div> qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,</div>
<div><br /></div>
<div> qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict</div>
<div><br /></div>
<div> qr'^application/x-msdownload$'i, # block these MIME types</div>
<div> qr'^application/x-msdos-program$'i,</div>
<div> qr'^application/hta$'i,</div>
<div><br /></div>
<div># qr'^application/x-msmetafile$'i, # Windows Metafile MIME type</div>
<div># qr'^\.wmf$', # Windows Metafile file(1) type</div>
<div><br /></div>
<div># qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types</div>
<div># [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed</div>
<div># [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives</div>
<div># [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives</div>
<div># [ qr'^application/x-zip-compressed$'i => 0], # allow any within such archives</div>
<div><br /></div>
<div> qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic</div>
<div># qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|</div>
<div># inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|</div>
<div># ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|</div>
<div># wmf|wsc|wsf|wsh)$'ix, # banned ext - long</div>
<div><br /></div>
<div># qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.</div>
<div><br /></div>
<div> qr'^\.(exe-ms)$', # banned file(1) types</div>
<div># qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types</div>
<div>);</div>
<div># See <a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631">http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631</a></div>
<div># and <a href="http://www.cknow.com/vtutor/vtextensions.htm">http://www.cknow.com/vtutor/vtextensions.htm</a></div>
<div><br /></div>
<div><br /></div>
<div># ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING</div>
<div><br /></div>
<div>@score_sender_maps = ({ # a by-recipient hash lookup table,</div>
<div> # results from all matching recipient tables are summed</div>
<div><br /></div>
<div># ## per-recipient personal tables (NOTE: positive: black, negative: white)</div>
<div># 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],</div>
<div># 'user3@example.com' => [{'.ebay.com' => -3.0}],</div>
<div># 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,</div>
<div># '.cleargreen.com' => -5.0}],</div>
<div><br /></div>
<div> ## site-wide opinions about senders (the '.' matches any recipient)</div>
<div> '.' => [ # the _first_ matching sender determines the score boost</div>
<div><br /></div>
<div> new_RE( # regexp-type lookup table, just happens to be all soft-blacklist</div>
<div> [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],</div>
<div> [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],</div>
<div> [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],</div>
<div> [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],</div>
<div> [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],</div>
<div> [qr'^(your_friend|greatoffers)@'i => 5.0],</div>
<div> [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],</div>
<div> ),</div>
<div><br /></div>
<div><br /></div>
<div> },</div>
<div> ], # end of site-wide tables</div>
<div>});</div>
<div><br /></div>
<div>1; # ensure a defined return</div>
<div><br /></div>
<div><br /></div>
<div>--- 25-amavis_helpers</div>
<div><br /></div>
<div>use strict;</div>
<div><br /></div>
<div><br /></div>
<div>$unix_socketname = "/var/lib/amavis/amavisd.sock";</div>
<div><br /></div>
<div>$interface_policy{'SOCK'} = 'AM.PDP-SOCK';</div>
<div>$policy_bank{'AM.PDP-SOCK'} = {</div>
<div> protocol => 'AM.PDP',</div>
<div> auth_required_release => 0, # don't require secret-id for release</div>
<div>};</div>
<div><br /></div>
<div>1; # ensure a defined return</div>
<div><br /></div>
<div>--- 30-template-localization </div>
<div><br /></div>
<div><br /></div>
<div>read_l10n_templates('en_US', '/etc/amavis');</div>
<div><br /></div>
<div><br /></div>
<div><br /></div>
<div>--- 50-user</div>
<div><br /></div>
<div>$hdrfrom_notify_sender = "postmaster\@mylocal.domain";</div>
<div><br /></div>
<div><br /></div>
<div>--- 90-local-adoption</div>
<div><br /></div>
<div>use strict;</div>
<div><br /></div>
<div><br /></div>
<div>## What to do with different types</div>
<div>$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)</div>
<div>$final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA</div>
<div>$final_spam_destiny = D_PASS;</div>
<div>$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)</div>
<div><br /></div>
<div><br /></div>
<div><br /></div>
<div><br /></div>
<div>$banned_filename_re = new_RE(</div>
<div># qr'^UNDECIPHERABLE$', # is or contains any undecipherable components</div>
<div><br /></div>
<div> # block certain double extensions anywhere in the base name</div>
<div> qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,</div>
<div><br /></div>
<div> qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict</div>
<div><br /></div>
<div> qr'^application/x-msdownload$'i, # block these MIME types</div>
<div> qr'^application/x-msdos-program$'i,</div>
<div> qr'^application/hta$'i,</div>
<div><br /></div>
<div> qr'^application/x-msmetafile$'i, # Windows Metafile MIME type</div>
<div># qr'^\.wmf$', # Windows Metafile file(1) type</div>
<div><br /></div>
<div># qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types</div>
<div><br /></div>
<div> [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed</div>
<div>#[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives</div>
<div> [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives</div>
<div> [ qr'^application/x-zip-compressed$'i => 0], # allow any within such archives</div>
<div><br /></div>
<div> qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic</div>
<div> </div>
<div>qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|</div>
<div> inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|</div>
<div> ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|</div>
<div> wmf|wsc|wsf|wsh)$'ix, # ohne MS-Office</div>
<div># docx|doc|xlm|xls|xlsx|ppt|pptx)$'ix, # banned ext - long</div>
<div><br /></div>
<div># qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.</div>
<div><br /></div>
<div> qr'^\.(exe-ms)$', # banned file(1) types</div>
<div> qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types</div>
<div>);</div>
<div>1;</div>
<div> </div>
<div> </div>
<div>Regards Lukas</div>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: arial, helvetica, sans-serif;"><br /></span></p>
<blockquote style="border-left: 2px solid #325FBA; padding-left: 5px; margin: 0px 5px;"><span style="font-family: tahoma,arial,helvetica,sans-serif; font-size: 10pt;">-----Ursprüngliche Nachricht-----<br /><span><strong>Von:</strong> Damian <amavis@arcsin.de></span><br /><span><strong>Gesendet:</strong> Freitag 22 November 2019 18:21</span><br /><span><strong>An:</strong> amavis-users@amavis.org</span><br /><span><strong>Betreff:</strong> Re: Suspect, mails are banned due to attachent only for single user.</span><br /><br /></span>
<div>
<pre style="white-space: pre-wrap; word-wrap: break-word;">All I can say is that the described behavior does not fit the config you<br />have posted. Your description sounds like some banned_*_maps are<br />involved at some point, maybe even indirectly via inclusion of other<br />config files.<br /><br />> I'm pretty shure to have the right part of the debian config files. We have some adoptions in the files located at /etc/amavis/conf.d<br />><br />> Some initial settings are in 20-debian-default and the part copied in was from file 90-local-settings, which will be the last loaded while starting.<br />><br />> The funny thing is, the same sender can submit the same mail with identical attachement to other recipients with no problems.<br />><br />> I saw 1 mail to multiple recipient, for witch exacly the mail for exacly the one recipient was banned.<br /></pre>
</div>
</blockquote>
</body>
</html>