tachtler:amavis_centos_7 [2017/06/19 14:15] – [Configuration: TLS] klaus | tachtler:amavis_centos_7 [2020/05/11 08:58] (current) – [(From version 1.7.x) /etc/sysconfig/amavisd-milter] klaus |
| |
Um **alle möglichen Konfigurationsparameter** einsehen zu können, wird mit der Installation des [[http://www.ijs.si/software/amavisd/|AMaViS]] nachfolgende **Default-Konfigurationsdatei** in nachfolgendem Verzeichnis mit nachfolgendem Namen installiert, welche als **Referenz** für **alle Konfigurationsdirektiven** verwendet werden kann: | Um **alle möglichen Konfigurationsparameter** einsehen zu können, wird mit der Installation des [[http://www.ijs.si/software/amavisd/|AMaViS]] nachfolgende **Default-Konfigurationsdatei** in nachfolgendem Verzeichnis mit nachfolgendem Namen installiert, welche als **Referenz** für **alle Konfigurationsdirektiven** verwendet werden kann: |
* ''/usr/share/doc/amavisd-new-2.10.1/amavisd.conf-default'' | * ''/usr/share/doc/amavisd-new-2.10.1/amavisd.conf-default'' bzw. |
| * ''/usr/share/doc/amavisd-new-2.11.0/amavisd.conf-default'' |
| |
Welche Konfigurationsparameter gesetzt werden sollten, soll in nachfolgender **Beispielkonfigurationsdatei** dargestellt werden. | Welche Konfigurationsparameter gesetzt werden sollten, soll in nachfolgender **Beispielkonfigurationsdatei** dargestellt werden. |
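Review bot: the two hard-coded documentation paths (`amavisd-new-2.10.1` and `amavisd-new-2.11.0`) go stale with every package update, and a reader on a later CentOS 7 build will find neither. Point to whatever copy is installed instead, for instance `rpm -qd amavisd-new | grep amavisd.conf-default` or `ls /usr/share/doc/amavisd-new-*/amavisd.conf-default`, and keep the version-specific names only as examples.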
| |
<code perl> | <code perl> |
| use strict; |
| |
| ## AMaViS - amavsid-new configuration. |
| |
| ## The 'after-default' comment indicates that these variables obtain their |
| ## default value if the config file left them undefined. It means these values |
| ## are not yet available during processing of the configuration file, but that |
| ## they can derive their value from other configurations variables no matter |
| ## where in the configuration file they appear. |
| |
| |
| ## GENERAL |
| |
| $myhostname = 'amavis.idmz.tachtler.net'; # FQDN des Servers. |
| $mydomain = 'tachtler.net'; # Basiseinstellung. |
| # $snmp_contact = ''; |
| # $snmp_location = ''; |
| $daemon_user = 'amavis'; # Benutzer, unter dem der AMaViS-Dienst gestartet wird. [-u] |
| $daemon_group = 'amavis'; # Gruppe, unter der der AMaViS-Dienst gestartet wird. [-g] |
| $MYHOME = '/var/spool/amavisd'; # Basiseinstellung. [-H] |
| $TEMPBASE = "$MYHOME/tmp"; # Arbeitsverzeichnis, muss vor dem Start existieren. [-T] |
| $db_home = "$MYHOME/db"; # Verzeichnis fuer bdb nanny/cache/snmp Datenbanken. [-D] |
| $pid_file = "/var/run/amavisd/amavisd.pid"; # PID (Process-ID)-Datei. [-P] |
| $lock_file = "/var/run/amavisd/amavisd.lock"; # Lock (Process-Lock)-Datei. [-L] |
| # $daemon_chroot_dir = undef; |
| $max_requests = 20; # Beenden eines Kind-Prozesses nach xx Aufrufen. (Speicher). |
| $max_servers = 4; # Anzahl der maximalen gleichzeitig laufenden Kind-Prozesse. [-m] |
| $min_servers = 1; # Anzahl der minimal gleichzeitig laufenden Kind-Prozesse. |
| $min_spare_servers = 1; # Anzahl der minimal vorgehaltenen Kind-Prozesse. |
| $max_spare_servers = 3; # Anzahl der maximal vorgehaltenen Kind-Prozesse. |
| # $child_timeout = 8*60; |
| # $localpart_is_case_sensitive = 0; |
| $enable_db = 1; # Nutzung der BerkeleyDB/libdb (SNMP und nanny). |
| # $enable_zmq = undef; |
| # @zmq_sockets = ( "ipc://$MYHOME/amavisd-zmq.sock" ); # after-default |
| $nanny_details_level = 2; # nanny - Log-Level: 0 (aus), 1 (traditionell), 2 (detailiert). |
| # @additional_perl_modules = (); |
| @local_domains_maps = ( [".$mydomain"] ); # Liste aller lokalen Sub/Domains. |
| @mynetworks = qw( 0.0.0.0/32 127.0.0.0/8 |
| 192.168.0.0/24 192.168.1.0/24 |
| 192.168.2.0/25 88.217.171.167/32 ); # Liste aller als lokal angesehenen IP-Adressen und Netze. |
| # @mynetworks_maps = (\@mynetworks); |
| # @client_ipaddr_policy = map { $_ => 'MYNETS' } @mynetworks_maps; |
| |
| |
| ## LOGGING AND DEBUGGING |
| |
| $log_level = 3; # Log-Level: 0..5. [-d] |
| # $logfile = undef; |
| $do_syslog = 1; # Syslog-Schreibung nutzen. |
| $syslog_ident = 'amavis'; # Dienst-Identitaet bei der syslog-Scheribung. |
| $syslog_facility = 'mail'; # Dienst-Bereichs-Identitaet bei der syslog-Schereibung. |
| # $logline_maxlen = 980; |
| # enable_log_capture_dump = undef; |
| |
| # $log_short_templ ... built-in default at the end of file amavisd |
| # $log_verbose_templ ... built-in default at the end of file amavisd |
| # $log_recip_templ = ... built-in default at the end of file amavisd |
| # $log_templ = $log_short_templ; |
| |
| # @debug_sender_acl = (); |
| # @debug_sender_maps = (\@debug_sender_acl); |
| # @debug_recipient_maps = (); |
| # $sa_debug = undef; |
| # $allow_preserving_evidence = 1; |
| |
| |
| ## DKIM VERIFICATION |
| |
| $enable_dkim_verification = 0; # Deaktiviert die DKIM Ueberpruefung, wegen OpenDKIM-Milter! |
| # $reputation_factor = 0.2; |
| # @signer_reputation_maps = (); |
| # @author_to_policy_bank_maps = (); |
| # $dkim_minimum_key_bits = 1024; |
| # $myauthservid = $myhostname; # after-default (RFC 5451) |
| # $dkim_minimum_key_bits = 1024; |
| |
| ## DKIM SIGNING |
| |
| $enable_dkim_signing = 0; # Deaktiviert das Signieren der ausgehenden e-Mails mit dem Schluessel unter dkim_key. |
| dkim_key('tachtler.net', 'main', '/etc/pki/amavis/dkim/dkim.key', h=>'sha256'); # Spezifikationen zum DKIM-Schluessel und dessen Anwendung. |
| # %dkim_signing_keys = (); |
| @dkim_signature_options_bysender_maps = ( |
| { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } |
| ); # Optionen zur DKIM-Signaturerstellung. |
| # $dkim_signing_service = undef; |
| # |
| # for (qw(Accept-Language Archived-At Auto-Submitted Content-Alternative |
| # Content-Base Content-Class Content-Description Content-Disposition |
| # Content-Duration Content-Features Content-Id Content-Language |
| # Content-Location Content-MD5 Content-Transfer-Encoding In-Reply-To |
| # List-Archive List-Help List-Id List-Owner List-Post List-Subscribe |
| # List-Unsubscribe Message-Context Message-ID MIME-Version |
| # Organisation Organization Original-Message-ID Pics-Label |
| # Precedence Received References Reply-To Resent-Date Resent-From |
| # Resent-Message-ID Resent-Sender Sensitivity Solicitation |
| # User-Agent VBR-Info X-Mailer)) { $signed_header_fields{lc $_} = 1 } |
| # for (qw(From Date Subject Content-Type)) { $signed_header_fields{lc $_} = 2 } |
| $signed_header_fields{'received'} = 0; # Received: from-Zeile aus DKIM-Signatur-Berechnung ausnehmen. |
| |
| |
| ## MTA INTERFACE - INPUT |
| |
| # @listen_sockets = ... $unix_socketname and $inet_socket_port are added here |
| $unix_socketname = "/var/run/amavisd/amavisd.sock"; # Unix socket zur Nutzung des AMaViS "helper protocol". |
| # $unix_socket_mode = undef; # sets sockets protection (numeric mode), or undef |
| $inet_socket_port = [10024,10026]; # Akzeptiert Verbindungen via TCP auf diesen Port(s) (SMTP...). |
| $inet_socket_bind = undef; # AMaViS NICHT an einen Socket binden, sondern @inet_acl nutzen. |
| # $inet_socket_bind = [ '127.0.0.1', '[::1]' ]; # if both inet & inet6 avail. |
| # $inet_socket_bind = '127.0.0.1'; # if only inet available |
| # $inet_socket_bind = '[::1]' # if only inet6 available |
| @inet_acl = qw( 0.0.0.0/32 127.0.0.0/8 |
| 192.168.0.0/24 192.168.1.0/24 |
| 192.168.2.0/25 88.217.171.167/32 ); # AMaViS ist nicht auf dem MTA-Host und via Netzwerk erreichbar. |
| # $listen_queue_size = undef; |
| |
| # $protocol = ... defaults to 'SMTP' or 'LMTP' (autodetected) on inet and inet6 |
| # sockets; must be configured explicitly for Unix sockets. |
| # Possible values: 'SMTP', 'LMTP', 'AM.PDP', |
| # and with appropriate patches applied also: 'COURIER' or 'QMQPqq' |
| |
| # $soft_bounce = undef; |
| # $smtpd_timeout = 8*60; |
| # $smtpd_recipient_limit = 1100; |
| # $smtpd_message_size_limit = undef; # site-wide limit |
| # @message_size_limit_maps = (); # per-recipient limits |
| # $smtpd_greeting_banner = '${helo-name} ${protocol} ${product} service ready'; |
| # $smtpd_quit_banner = '${helo-name} ${product} closing transmission channel'; |
| # $auth_required_inp = undef; |
| # $auth_required_release = 1; |
| # @auth_mech_avail=(); # empty list disables incoming AUTH; or: qw(PLAIN LOGIN) |
| # $smtp_connection_cache_on_demand = 1; |
| # $smtp_connection_cache_enable = 1; |
| # $enforce_smtpd_message_size_limit_64kb_min = 1; |
| # @smtpd_discard_ehlo_keywords = (); |
| |
| # Tachtler |
| # SEE: https://raw.githubusercontent.com/benningm/amavisd-new/master/amavisd |
| # SEE: http://search.cpan.org/~sullr/IO-Socket-SSL-2.049/lib/IO/Socket/SSL.pod#Description_Of_Methods |
| $tls_security_level_in = 'may'; # Opportunistische TLS Transportverschluesselung eingehend aktiviere |
| %smtpd_tls_server_options = ( |
| SSL_verifycn_scheme => 'smtp', |
| SSL_session_cache => 2, |
| SSL_cert_file => '/etc/pki/amavis/certs/CAcert-class3-wildcard.crt', |
| SSL_key_file => '/etc/pki/amavis/private/tachtler.net.key', |
| SSL_dh_file => '/etc/pki/amavis/private/dh_2048.pem', |
| SSL_ca_file => '/etc/pki/tls/certs/ca-bundle.crt', |
| SSL_version => 'SSLv23:!SSLv3:!SSLv2', |
| SSL_cipher_list => 'ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES:!CBC3-SHA:!iAES128-SHA:!DHE-RSA-AES128-SHA:!AES256-SHA:!DHE-RSA-AES256-SHA:!CAMELLIA128-SHA:!iDHE-RSA-CAMELLIA128-SHA:!iCAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA', |
| SSL_honor_cipher_order => '1', |
| SSL_verify_mode => 'SSL_VERIFY_NONE', |
| SSL_passwd_cb => sub { 'example' }, |
| ); |
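Review bot: the `SSL_cipher_list` string in `%smtpd_tls_server_options` (and its identical copy in `%smtp_tls_client_options` below) contains three entries that are not OpenSSL cipher names because of a stray `i`, namely `!iAES128-SHA`, `!iDHE-RSA-CAMELLIA128-SHA` and `!iCAMELLIA256-SHA`, and lists `!EDH-DSS-DES-CBC3-SHA` twice. OpenSSL silently skips names it does not recognise in a cipher string, so AES128-SHA and the two Camellia suites stay enabled although the exclusions were evidently intended; remove the `i` and check the resulting set with `openssl ciphers -v` applied to the exact string from the config. Two smaller points in the same block: `SSL_passwd_cb => sub { 'example' }` embeds the private-key passphrase as a literal, so either the key file is unencrypted and the callback is dead weight, or amavisd.conf now carries the secret and needs the same ownership and mode as the key file; and `SSL_version => 'SSLv23:!SSLv3:!SSLv2'` still admits TLS 1.0 and 1.1, which IO::Socket::SSL lets you drop with `!TLSv1:!TLSv1_1` in the same syntax once the Postfix side is confirmed to negotiate 1.2. Finally, with `$inet_socket_bind = undef` the daemon listens on every interface and relies on `@inet_acl` alone, which matches on source address only; a host firewall rule restricting ports 10024 and 10026 to the MTA's address is the usual second layer.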
| |
| ## MTA INTERFACE - OUTPUT |
| |
| ## see also $notify_method, $forward_method and $*_quarantine_method |
| |
| $localhost_name = 'amavis.idmz.tachtler.net'; # Eigener EHLO Name, welcher in den Received-Zeilen verwendet wird. |
| # $local_client_bind_address = undef; # my source IP address as a SMTP client |
| # $auth_required_out = undef; |
| # $amavis_auth_user = undef; # for submitting notifications and quarantine |
| # $amavis_auth_pass = undef; |
| # $auth_reauthenticate_forwarded = undef; # our credentials for forwarding too |
| |
| # Tachtler |
| # SEE: https://raw.githubusercontent.com/benningm/amavisd-new/master/amavisd |
| # SEE: http://search.cpan.org/~sullr/IO-Socket-SSL-2.049/lib/IO/Socket/SSL.pod#Description_Of_Methods |
| $tls_security_level_out = 'may'; # Opportunistisches TLS Transportverschluesselung ausgehend aktivieren. |
| %smtp_tls_client_options = ( |
| # SSL_verifycn_scheme => 'smtp', |
| SSL_verifycn_scheme => 'none', |
| SSL_version => 'SSLv23:!SSLv3:!SSLv2', |
| SSL_cipher_list => 'ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES:!CBC3-SHA:!iAES128-SHA:!DHE-RSA-AES128-SHA:!AES256-SHA:!DHE-RSA-AES256-SHA:!CAMELLIA128-SHA:!iDHE-RSA-CAMELLIA128-SHA:!iCAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA', |
| SSL_client_ca_file => '/etc/pki/tls/certs/ca-bundle.crt', |
| SSL_honor_cipher_order => '1', |
| SSL_verify_mode => 'SSL_VERIFY_PEER', |
| ); |
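Review bot: `SSL_client_ca_file` in `%smtp_tls_client_options` does not do what its placement suggests. In IO::Socket::SSL it is a server-side option naming the CA list advertised to clients for client-certificate authentication; the bundle used to verify the peer on the client side is `SSL_ca_file`. With `SSL_verify_mode => 'SSL_VERIFY_PEER'` the chain is therefore checked against IO::Socket::SSL's default CA store rather than `/etc/pki/tls/certs/ca-bundle.crt`, so rename the key to `SSL_ca_file`. Separately, `SSL_verifycn_scheme => 'none'` skips the hostname check, meaning a peer passes verification with any CA-issued certificate for any name; the commented-out `SSL_verifycn_scheme => 'smtp'` line is the setting to use, together with `SSL_verifycn_name => 'relay.example.net'` (hypothetical value) if the relay is addressed by IP, as in `$forward_method` below, but its certificate carries a DNS name.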
| |
| |
| ## MAIL FORWARDING |
| |
| # Tachtler |
| # default: # $forward_method = 'smtp:[127.0.0.1]:10025'; # may be arrayref |
| $forward_method = 'smtp:[192.168.0.60]:10025'; # Rueckgabe von gescannten Nachrichten an Postfix. undef bei NUR MILTER !!! |
| |
| # # or 'smtp:[::1]:10025' when INET6 is available |
| # @forward_method_maps = ( sub { Opaque(c('forward_method')) } ); |
| # $resend_method = undef; # falls back to $forward_method |
| # $always_bcc = undef; |
| |
| $final_virus_destiny = D_REJECT; # Aktion bei Virus e-Mails. (D_PASS, D_DISCARD, D_BOUNCE ,D_REJECT) |
| $final_banned_destiny = D_REJECT; # Aktion bei geblockten Dateianhaengen e-Mails. |
| $final_spam_destiny = D_REJECT; # Aktion bei SPAM e-Mails. |
| $final_bad_header_destiny = D_PASS; # Aktion bei schlechten/unfvollstaendigen Header e-Mails. |
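Review bot: `D_REJECT` for virus, banned and spam (the three `$final_*_destiny` lines) only produces a genuine SMTP-time reject when amavisd is consulted before the queue, i.e. through amavisd-milter or a pre-queue proxy. On the post-queue path configured above (`$forward_method = 'smtp:[192.168.0.60]:10025'`) Postfix has already accepted the message, so the 5xx from amavisd turns into a non-delivery report sent by Postfix to the envelope sender, which for malware and spam is almost always forged: backscatter. The comment on `$forward_method` already says it should be `undef` in a milter-only setup; either make that the setting, or use `D_DISCARD` (the amavisd default for viruses) for spam and viruses on the post-queue path.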
| |
| |
| ## QUARANTINE |
| |
| # $release_method = undef; # falls back to $notify_method |
| # $requeue_method = 'smtp:[127.0.0.1]:25'; |
| # # or 'smtp:[::1]:25' when INET6 is available |
| # $release_format = 'resend'; # (dsn), (arf), attach, plain, resend |
| # $report_format = 'arf'; # (dsn), arf, attach, plain, resend |
| # $attachment_password = ''; # '': no pwd, undef: PIN, code ref, or static str |
| # $attachment_email_name = 'msg-%m.eml'; |
| # $attachment_outer_name = 'msg-%m.zip'; |
| |
| # $virus_quarantine_method = 'local:virus-%m'; |
| # $spam_quarantine_method = 'local:spam-%m.gz'; |
| # $banned_files_quarantine_method = 'local:banned-%m'; |
| # $bad_header_quarantine_method = 'local:badh-%m'; |
| # $clean_quarantine_method = undef; |
| # $archive_quarantine_method = undef; |
| |
| # $mail_id_size_bits = 72; |
| |
| $QUARANTINEDIR = undef; # KEIN Quarantaene Ablageort definiert. [-Q] |
| # $quarantine_subdir_levels = undef; # 0 or 1 (undef treated as 0) |
| # $sql_quarantine_chunksize_max; # see SQL section |
| |
| $virus_quarantine_to = undef; # KEIN Quarantaene Ablageort fuer Virus e-Mails. |
| $banned_quarantine_to = undef; # KEIN Quarantaene Ablageort fuer geblockte Dateinanhaenge e-Mails. |
| $bad_header_quarantine_to = undef; # KEIN Quarantaene Ablageort fuer schlechten/unfvollst. Header e-Mails. |
| $spam_quarantine_to = undef; # KEIN Quarantaene Ablageort fuer SPAM e-Mails. |
| # $spam_quarantine_bysender_to = undef; |
| # $clean_quarantine_to = 'clean-quarantine'; |
| # $archive_quarantine_to = 'archive-quarantine'; |
| |
| # @virus_quarantine_to_maps = (\$virus_quarantine_to); |
| # @banned_quarantine_to_maps = (\$banned_quarantine_to); |
| # @bad_header_quarantine_to_maps = (\$bad_header_quarantine_to); |
| # @spam_quarantine_to_maps = (\$spam_quarantine_to); |
| # @spam_quarantine_bysender_to_maps = (\$spam_quarantine_bysender_to); |
| # @clean_quarantine_to_maps = (\$clean_quarantine_to); |
| # @archive_quarantine_to_maps = (\$archive_quarantine_to); |
| |
| # %local_delivery_aliases ... predefined, used by a delivery method 'local:' |
| $mailfrom_to_quarantine = ''; # Quarantaene Anwtort e-Mail-Adresse, undef (Original Absender), '' (<>). |
| |
| |
| ## NOTIFICATIONS (DSN, admin, recip) |
| |
| $notify_method = 'smtp:[192.168.0.60]:10025'; # Transport von Meldungen über gescannte Nachrichten zurueck an Postfix. |
| # # or 'smtp:[::1]:10025' when INET6 is available |
| |
| # $propagate_dsn_if_possible = 1; |
| # $terminate_dsn_on_notify_success = 0; |
| |
| # $newvirus_admin = undef; |
| $virus_admin = "virusalert\@$mydomain"; # E-Mail an, falls eine Virus entdeckt wurde. |
| # $spam_admin = undef; |
| $banned_admin = "bannedfilealert\@$mydomain"; # E-Mail an, falls eine Dateianhang geblockt wurde. |
| # $bad_header_admin = undef; |
| |
| # $dsn_bcc = undef; |
| |
| # @newvirus_admin_maps = (\$newvirus_admin); |
| # @virus_admin_maps = (\%virus_admin, \$virus_admin); |
| # @banned_admin_maps = (\$banned_admin); |
| # @spam_admin_maps = (\%spam_admin, \$spam_admin); |
| # @bad_header_admin_maps = (\$bad_header_admin); |
| |
| # $hdr_encoding = 'UTF-8'; # header field bodies charset |
| # $bdy_encoding = 'UTF-8'; # notification body text charset |
| # $hdr_encoding_qb = 'Q'; # quoted-printable (Q or B) |
| |
| # $notify_sender_templ = ... built-in default at the end of file amavisd |
| # $notify_virus_sender_templ = ... built-in default at the end of file amavisd |
| # $notify_spam_sender_templ = ... built-in default at the end of file amavisd |
| # $notify_virus_admin_templ = ... built-in default at the end of file amavisd |
| # $notify_spam_admin_templ = ... built-in default at the end of file amavisd |
| $notify_virus_recips_templ = read_text('/etc/amavisd/notify_virus_recips.txt'); |
| # $notify_spam_recips_templ = ... built-in default at the end of file amavisd |
| # $notify_release_templ = ... built-in default at the end of file amavisd |
| # $notify_report_templ = ... built-in default at the end of file amavisd |
| |
| $mailfrom_notify_admin = "mailfilter\@$mydomain"; # Absender von administrativen Benachrichtigungen. |
| $mailfrom_notify_recip = "mailfilter\@$mydomain"; # Absender von Empfaengerbenachrichtigungen. |
| $mailfrom_notify_spamadmin = "spamfilter\@$mydomain"; # Absender von SPAM-Filter Benachrichtigungen. |
| |
| ## these are after-defaults: |
| # $hdrfrom_notify_sender = "\"Content-filter at $myhostname\" <postmaster\@$myhostname>"; |
| # $hdrfrom_notify_recip = ... derived from $mailfrom_notify_recip |
| # $hdrfrom_notify_admin = ... derived from $mailfrom_notify_admin |
| # $hdrfrom_notify_spamadmin = ... derived from $mailfrom_notify_spamadmin |
| # $hdrfrom_notify_release = $hdrfrom_notify_sender; |
| # $hdrfrom_notify_report = $hdrfrom_notify_sender; |
| |
| # $warnbannedsender = undef; |
| # $warnbadhsender = undef; |
| |
| # $warn_offsite = undef; |
| |
| # $warnvirusrecip = undef; |
| # $warnbannedrecip = undef; |
| # $warnbadhrecip = undef; |
| # @warnvirusrecip_maps = (\$warnvirusrecip); |
| # @warnbannedrecip_maps = (\$warnbannedrecip); |
| # @warnbadhrecip_maps = (\$warnbadhrecip); |
| |
| |
| ## MODIFICATIONS TO PASSED MAIL |
| |
| # %allowed_added_header_fields = ...; # built-in default |
| # %prefer_our_added_header_fields = ...; # built-in default |
| # $remove_existing_x_scanned_headers = 0; |
| # $remove_existing_spam_headers = 1; |
| # @remove_existing_spam_headers_maps = (\$remove_existing_spam_headers); |
| # $allow_fixing_improper_header = 1; # all-white folding lines and long lines |
| # $allow_fixing_improper_header_folding = 1; |
| # $allow_fixing_long_header_lines = 1; |
| # $prepend_header_fields_hdridx = 0; |
| |
| # $X_HEADER_TAG = 'X-Virus-Scanned'; # after-default |
| # $X_HEADER_LINE = "$myproduct_name at $mydomain"; # after-default |
| |
| $defang_virus = 1; # Fuegt die gesamte Virus e-Mail als MIME-Container an. |
| $defang_banned = 1; # Fuegt die gesamte geblockte Dateianhang e-Mails als MIME-Container an. |
| $defang_spam = 1; # Fuegt die gesamte SPAM e-Mail als MIME-Container an. |
| # $defang_bad_header = undef; |
| $defang_undecipherable = 1; # Fuegt die nicht leserliche e-Mail als MIME-Container an. |
| # $defang_all = undef; # mostly for testing |
| |
| $defang_by_ccat{CC_BADH.",3"} = 1; # <NUL> oder <CR> Zeichen im Header enthalten. |
| $defang_by_ccat{CC_BADH.",5"} = 1; # Header Zeile ist laenger als 998 Zeichen. |
| $defang_by_ccat{CC_BADH.",6"} = 1; # Fehlerhafter Syntax im Header. |
| |
| # $allow_disclaimers = undef; |
| # $outbound_disclaimers_only = undef; |
| # $enable_anomy_sanitizer = 0; |
| # @anomy_sanitizer_args = (); # a config file or list of var=value pairs |
| # **************************************************************************** |
| # * ! DISABLE alterMIME, when using amavisd-milter, it's NOT COMPATIBLE. ! * |
| # **************************************************************************** |
| $altermime = '/usr/bin/altermime'; # Pfad zum Programm (binary) alterMIME |
| @altermime_args_defang = qw(--verbose --removeall); # Verarbeitung definieren. |
| # Definition der einzelnen Disclaimersyntax und der entsprechenden Disclaimerdateien fuer die einzelnen Benutzer. |
| @altermime_args_disclaimer = qw(--disclaimer=/etc/amavisd/altermime/_OPTION_.text --disclaimer-html=/etc/amavisd/altermime/_OPTION_.html); |
| @disclaimer_options_bysender_maps = ( |
| { 'root@tachtler.net' => 'disclaimer-root', |
| 'postmaster@tachtler.net' => 'disclaimer-postmaster', |
| 'klaus@tachtler.net' => 'disclaimer-klaus', |
| '.' => 'disclaimer-default' }, |
| ); # Definition der einzelnen Disclaimer. |
| $defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ]; # Anhaengen der Disclaimer beim verarbeiten der e-Mails. |
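Review bot: the banner just above (`! DISABLE alterMIME, when using amavisd-milter, it's NOT COMPATIBLE. !`) contradicts the lines that follow it, which set `$altermime`, `@altermime_args_defang`, the per-sender disclaimer maps and `$defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ]`; with that last line every passed message is handed to alterMIME. If this revision describes the amavisd-milter deployment named in the revision header, these lines need commenting out; if it describes the SMTP-path deployment, the banner should say that the block only applies there. In either case the body rewrite has to happen before the OpenDKIM milter signs outbound mail (DKIM signing inside amavisd is disabled above in favour of OpenDKIM), otherwise an appended disclaimer invalidates the signature.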
| |
| # $undecipherable_subject_tag = '***UNCHECKED*** '; |
| $sa_spam_subject_tag = '***SPAM*** '; # Kennzeichnung im Betreff von als SPAM deklarierten Nachrichten. |
| # $sa_spam_level_char = '*'; |
| |
| # @spam_subject_tag_maps = (\$sa_spam_subject_tag1); # N.B.: inconsistent name |
| # @spam_subject_tag2_maps = (\$sa_spam_subject_tag); # N.B.: inconsistent name |
| # @spam_subject_tag3_maps = (); |
| |
| |
| ## ADDING ADDRESS EXTENSIONS TO RECIPIENTS - 'plus addressing' |
| |
| $recipient_delimiter = '+'; # Adresszusatz fuer Nachrichten mit 'Adress-Delimeter'. |
| # $replace_existing_extension = 1; |
| # $addr_extension_virus = undef; |
| # $addr_extension_banned = undef; |
| # $addr_extension_spam = undef; |
| # $addr_extension_bad_header = undef; |
| @addr_extension_virus_maps = ('virus'); # Adresszusatz fuer Viren Nachrichten. |
| @addr_extension_banned_maps = ('banned'); # Adresszusatz fuer geblockte Dateianhaenge Nachrichten. |
| @addr_extension_spam_maps = ('spam'); # Adresszusatz fuer SPAM Nachrichten. |
| @addr_extension_bad_header_maps = ('badh'); # Adresszusatz fuer schlechten/unfvollstaendigen Header Nachrichten. |
| |
| |
| ## MAIL DECODING |
| |
| # $bypass_decode_parts = undef; |
| |
| # $keep_decoded_original_re = undef; |
| @keep_decoded_original_maps = (new_RE( |
| qr'^MAIL$', # let virus scanner see full original message |
| qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable |
| qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, |
| # qr'^Zip archive data', # don't trust Archive::Zip |
| )); |
| |
| # $map_full_type_to_short_type_re = ... predefined regexp lookup table |
| # @map_full_type_to_short_type_maps = (\$map_full_type_to_short_type_re); |
| |
| $MAXLEVELS = 14; # Verzeichnistiefe bei zu pruefenden e-Mail-Anhaengen. |
| $MAXFILES = 3000; # Maximale Anzahl an Dateien bei zu pruefenden e-Mail-Anhaengen. |
| $MIN_EXPANSION_QUOTA = 100*1024; # Minimale Groesse von Dateianhaengen, damit diese entpackt werden. |
| $MAX_EXPANSION_QUOTA = 500*1024*1024; # Maximale Groesse von Dateianhaengen, bis zu der diese entpackt werden. |
| # $MIN_EXPANSION_FACTOR = 5; # times original mail size |
| # $MAX_EXPANSION_FACTOR = 500; # times original mail size |
| |
| $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; # Suchpfadangaben fuer Zusatzprogramme. |
| # $file = 'file'; |
| |
| # For backward compatibility the @decoders list defaults to use of legacy |
| # variables $gzip, $bzip2, $lzop, ... It is cleaner to explicitly assign |
| # a list to @decoders in amavisd.conf and directly specify program paths, |
| # without indirections through legacy variables $gzip, etc. |
| # |
| # $gzip = $bzip2 = $lzop = $rpm2cpio = undef; |
| # $uncompress = $unfreeze = $arc = $unarj = $unrar = undef; |
| # $zoo = $lha = $pax = $cpio = $cabextract = undef; |
| |
| @decoders = ( |
| ['mail', \&do_mime_decode], |
| [[qw(asc uue hqx ync)], \&do_ascii], # not safe |
| ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ], |
| ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ], |
| ['gz', \&do_uncompress, 'gzip -d'], |
| ['gz', \&do_gunzip], |
| ['bz2', \&do_uncompress, 'bzip2 -d'], |
| ['xz', \&do_uncompress, |
| ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], |
| ['lzma', \&do_uncompress, |
| ['lzmadec', 'xz -dc --format=lzma', |
| 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], |
| ['lrz', \&do_uncompress, |
| ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], |
| ['lzo', \&do_uncompress, 'lzop -d'], |
| ['lz4', \&do_uncompress, ['lz4c -d'] ], |
| ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ], |
| [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ], |
| # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio'] |
| ['deb', \&do_ar, 'ar'], |
| # ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill |
| # Tachtler |
| # default: ['rar', \&do_unrar, ['unrar', 'rar'] ], |
| ['rar', \&do_unrar, ['7za', '7z'] ], |
| ['arj', \&do_unarj, ['unarj', 'arj'] ], |
| ['arc', \&do_arc, ['nomarch', 'arc'] ], |
| ['zoo', \&do_zoo, ['zoo', 'unzoo'] ], |
| # ['doc', \&do_ole, 'ripole'], # no ripole package so far |
| ['cab', \&do_cabextract, 'cabextract'], |
| # ['tnef', \&do_tnef_ext, 'tnef'], # use internal do_tnef() instead |
| ['tnef', \&do_tnef], |
| # Tachtler |
| # default: # ['lha', \&do_lha, 'lha'], # not safe, use 7z instead |
| ['lha', \&do_lha, ['7za', '7z'] ], # not safe, use 7z instead |
| # ['sit', \&do_unstuff, 'unstuff'], # not safe |
| [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], |
| [['zip','kmz'], \&do_unzip], |
| ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], |
| [[qw(gz bz2 Z tar)], |
| \&do_7zip, ['7za', '7z'] ], |
| [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], |
| \&do_7zip, '7z' ], |
| # Tachtler |
| # default: ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ], |
| ['exe', \&do_executable, ['7za','7z'], 'lha', ['unarj','arj'] ], |
| ); |
| |
| |
| ## ANTI-VIRUS AND INVALID/FORBIDDEN CONTENTS CONTROLS |
| |
| @av_scanners = ( |
| ### http://www.clamav.net/ |
| ['ClamAV-clamd', |
| \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"], |
| qr/\bOK$/m, qr/\bFOUND$/m, |
| qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], |
| # NOTE: run clamd under the same user as amavisd - or run it under its own |
| # uid such as clamav, add user clamav to the amavis group, and then add |
| # AllowSupplementaryGroups to clamd.conf; |
| # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in |
| # this entry; when running chrooted one may prefer a socket under $MYHOME. |
| ); |
| @av_scanners_backup = ( |
| ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV |
| ['ClamAV-clamscan', 'clamscan', |
| "--stdout --no-summary -r --tempdir=$TEMPBASE {}", |
| [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], |
| ); |
| |
| # $first_infected_stops_scan = undef; |
| # $virus_scanners_failure_is_fatal = undef; |
| |
| # $viruses_that_fake_sender_re = undef; |
| # @viruses_that_fake_sender_maps = (\$viruses_that_fake_sender_re, 1); |
| # @virus_name_to_policy_bank_maps = (); |
| # |
| # @virus_name_to_spam_score_maps = |
| # (new_RE( # the order matters, first match wins |
| # [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ], |
| # [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ], |
| # [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ], |
| # [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected |
| # [ qr'^Sanesecurity\.Foxhole\.' => undef ],# keep as infected |
| # [ qr'^Sanesecurity\.' => 0.1 ], |
| # [ qr'^Sanesecurity_PhishBar_' => 0 ], |
| # [ qr'^Sanesecurity.TestSig_' => 0 ], |
| # [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ], |
| # [ qr'^Email\.Spammail\b' => 0.1 ], |
| # [ qr'^MSRBL-(Images|SPAM)\b' => 0.1 ], |
| # [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ], |
| # [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ], |
| # [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ], |
| # [ qr'^Safebrowsing\.' => 0.1 ], |
| # [ qr'^winnow\.(phish|spam)\.' => 0.1 ], |
| # [ qr'^INetMsg\.SpamDomain' => 0.1 ], |
| # [ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 0.1 ], |
| # [ qr'^Bofhland\.Phishing' => 0.1 ], |
| # [ qr'^ScamNailer\.' => 0.1 ], |
| # [ qr'^HTML/Bankish' => 0.1 ], # F-Prot |
| # [ qr'^PORCUPINE_JUNK' => 0.1 ], |
| # [ qr'^PORCUPINE_PHISHING' => 0.1 ], |
| # [ qr'^Porcupine\.Junk' => 0.1 ], |
| # [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected |
| # [ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ], # false positives |
| # [ qr'^MBL_' => undef ], # keep as infected |
| # )); |
| |
| # @banned_filename_maps = ( 'DEFAULT' ); |
| # %banned_rules = ( 'DEFAULT' => $banned_filename_re); # after-default |
| |
| $banned_filename_re = new_RE( |
| |
| ### BLOCKED ANYWHERE |
| # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components |
| # qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary |
| qr'^\.(exe|lha|cab|dll)$', # banned file(1) types |
| |
| ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: |
| [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 |
| [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives |
| |
| qr'.\.(pif|scr)$'i, # banned extensions - rudimentary |
| # qr'^\.zip$', # block zip type |
| |
| ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: |
| # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives |
| |
| qr'^application/x-msdownload$'i, # block these MIME types |
| qr'^application/x-msdos-program$'i, |
| qr'^application/hta$'i, |
| |
| # qr'^message/partial$'i, # rfc2046 MIME type |
| # qr'^message/external-body$'i, # rfc2046 MIME type |
| |
| # qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type |
| # qr'^\.wmf$', # Windows Metafile file(1) type |
| |
| # block certain double extensions in filenames |
| qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, |
| |
| # qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict |
| # qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose |
| |
| # qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic |
| # qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd |
| qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| |
| inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| |
| msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd| |
| wmf|wsc|wsf|wsh)$'ix, # banned extensions - long |
| qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also |
| qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename |
| qr'^\.ani$', # banned animated cursor file(1) type |
| qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. |
| |
| # Tachtler - Word |
| # qr'.\.(doc|docx)$'i, # block word files |
| # qr'^application/vnd.ms-word$'i, # block word MIME types |
| # Tachtler - Excel |
| # qr'.\.(xls|xlsx)$'i, # block excel files |
| # qr'^application/vnd.ms-excel$'i, # block excel MIME types |
| # Tachtler - PowerPoint |
| # qr'.\.(ppt|pptx)$'i, # block powerpoint files |
| # qr'^application/vnd.ms-powerpoint$'i, # block powerpoint MIME types |
| ); |
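Review bot: `qr'^UNDECIPHERABLE$'` is left commented out, so an archive amavisd cannot open, a password-protected zip being the common case, is not banned; with `$defang_undecipherable = 1` set above it is delivered in a defanged wrapper with the `***UNCHECKED***` subject tag, but its payload is never inspected. Encrypted archives are a routine malware wrapper, so enabling that rule, or at least not passing such messages, deserves consideration. Two smaller points in the same list: the Office entries are all commented, which leaves macro-enabled formats such as `docm`, `xlsm` and `pptm` unaddressed by any extension rule (`iso` and `jar`, by contrast, are at least unpacked by the 7z decoder entries above, so their contents are checked); and `[ qr'^\.(gz|bz2)$' => 0 ]` exempts the contents of gzip/bzip2 from the banned-name rules entirely (they are still virus-scanned), which is deliberate per the comment but worth a second look given how thorough the extension list otherwise is.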
| # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 |
| # and http://www.cknow.com/vtutor/vtextensions.htm |
| |
| # $banned_namepath_re = undef; # regexp-style |
| |
| # @bypass_virus_checks_maps = (\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); |
| # @bypass_banned_checks_maps = (\%bypass_banned_checks, \@bypass_banned_checks_acl, \$bypass_banned_checks_re); |
| # @bypass_header_checks_maps = (\%bypass_header_checks, \@bypass_header_checks_acl, \$bypass_header_checks_re); |
| |
| # @virus_lovers_maps = (\%virus_lovers, \@virus_lovers_acl, \$virus_lovers_re); |
| # @banned_files_lovers_maps = (\%banned_files_lovers, \@banned_files_lovers_acl, \$banned_files_lovers_re); |
| # @bad_header_lovers_maps = (\%bad_header_lovers, \@bad_header_lovers_acl, \$bad_header_lovers_re); |
| # @unchecked_lovers_maps = (); |
| |
| # Tachtler - new - |
| # $allowed_header_tests{$_} = 1 for qw(other mime 8bit control empty long |
| # syntax missing multiple); |
| $allowed_header_tests{'8bit'} = 0; |
| |
| |
| ## ANTI-Spam CONTROLS |
| |
| $ENV{TMPDIR} = $TEMPBASE; # Umgebungsvariable temporaeres Verzeichnis fuer SpamAssassin. |
| |
| # @spam_scanners = ( ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'] ); |
| |
| # $helpers_home = $MYHOME; # after-default |
| # $sa_configpath = undef; |
| # $sa_siteconfigpath = undef; |
| # $sa_num_instances = 1; |
| # @sa_userconf_maps = (); |
| # @sa_username_maps = (); |
| |
| $sa_mail_body_size_limit = 400*1024; # SpamAssassin einbinden, NUR bei e-Mail Groesse, bei <= Wert. |
| $sa_local_tests_only = 0; # NUR Test ausfuehren, die OHNE Internetverbinden auskommen deaktivieren. |
| # $sa_spawned = 0; |
| # $dspam = undef; |
| |
| # $sa_timeout = 30; |
| |
| # @bypass_spam_checks_maps = (\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); |
| # @spam_lovers_maps = (\%spam_lovers, \@spam_lovers_acl, \$spam_lovers_re); |
| |
| $sa_tag_level_deflt = '-1000.0'; # Add spam information headers at score >= this value (in effect: always). |
| $sa_tag2_level_deflt = 6.31; # Add "spam detected" headers at score >= this value. |
| # $sa_tag3_level_deflt = undef; |
| $sa_kill_level_deflt = 6.31; # Trigger the spam action (final_spam_destiny) at score >= this value. |
| $sa_dsn_cutoff_level = 10; # Spam level from which no DSN (non-delivery notification) is sent any more. |
| $sa_crediblefrom_dsn_cutoff_level = 18; # Same DSN cut-off, but for senders whose From address looks credible. |
| # $sa_quarantine_cutoff_level = 25; # Spam level from which no quarantining takes place any more. |
| |
| # @spam_tag_level_maps = (\$sa_tag_level_deflt); |
| # @spam_tag2_level_maps = (\$sa_tag2_level_deflt); |
| # @spam_tag3_level_maps = (\$sa_tag3_level_deflt); |
| # @spam_kill_level_maps = (\$sa_kill_level_deflt); |
| # @spam_quarantine_cutoff_level_maps = (\$sa_quarantine_cutoff_level); |
| # @spam_notifyadmin_cutoff_level_maps = (); |
| # @spam_dsn_cutoff_level_maps = (\$sa_dsn_cutoff_level); |
| # @spam_dsn_cutoff_level_bysender_maps = (\$sa_dsn_cutoff_level); |
| # @spam_crediblefrom_dsn_cutoff_level_maps = |
| # (\$sa_crediblefrom_dsn_cutoff_level); |
| # @spam_crediblefrom_dsn_cutoff_level_bysender_maps = |
| # (\$sa_crediblefrom_dsn_cutoff_level); |
| |
| $bounce_killer_score = 100; # Spam score added to bounces (DSNs) that look like backscatter from a "joe-job" (someone forging our addresses as sender). |
| |
| $penpals_bonus_score = 8; # Only effective when @storage_sql_dsn databases are in use. |
| # $penpals_halflife = 7*24*60*60; |
| # $penpals_threshold_low = 1.0; |
| $penpals_threshold_high = $sa_kill_level_deflt; # No pen pals bonus for mail whose spam score is >= this value (here: the kill level). |
| |
| # $reputation_factor = 0.2; |
| |
| |
| # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING |
| |
| @score_sender_maps = ({ # a by-recipient hash lookup table, |
| # results from all matching recipient tables are summed |
| |
| # ## per-recipient personal tables (NOTE: positive: black, negative: white) |
| # 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], |
| # 'user3@example.com' => [{'.ebay.com' => -3.0}], |
| # 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, |
| # '.cleargreen.com' => -5.0}], |
| |
| ## site-wide opinions about senders (the '.' matches any recipient) |
| '.' => [ # the _first_ matching sender determines the score boost |
| |
| new_RE( # regexp-type lookup table, just happens to be all soft-blacklist |
| [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], |
| [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], |
| [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], |
| [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], |
| [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], |
| [qr'^(your_friend|greatoffers)@'i => 5.0], |
| [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], |
| ), |
| |
| # read_hash("/var/amavis/sender_scores_sitewide"), |
| |
| { # a hash-type lookup table (associative array) |
| 'nobody@cert.org' => -3.0, |
| 'cert-advisory@us-cert.gov' => -3.0, |
| 'owner-alert@iss.net' => -3.0, |
| 'slashdot@slashdot.org' => -3.0, |
| 'securityfocus.com' => -3.0, |
| 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, |
| 'security-alerts@linuxsecurity.com' => -3.0, |
| 'mailman-announce-admin@python.org' => -3.0, |
| 'amavis-user-admin@lists.sourceforge.net'=> -3.0, |
| 'amavis-user-bounces@lists.sourceforge.net' => -3.0, |
| 'spamassassin.apache.org' => -3.0, |
| 'notification-return@lists.sophos.com' => -3.0, |
| 'owner-postfix-users@postfix.org' => -3.0, |
| 'owner-postfix-announce@postfix.org' => -3.0, |
| 'owner-sendmail-announce@lists.sendmail.org' => -3.0, |
| 'sendmail-announce-request@lists.sendmail.org' => -3.0, |
| 'donotreply@sendmail.org' => -3.0, |
| 'ca+envelope@sendmail.org' => -3.0, |
| 'noreply@freshmeat.net' => -3.0, |
| 'owner-technews@postel.acm.org' => -3.0, |
| 'ietf-123-owner@loki.ietf.org' => -3.0, |
| 'cvs-commits-list-admin@gnome.org' => -3.0, |
| 'rt-users-admin@lists.fsck.com' => -3.0, |
| 'clp-request@comp.nus.edu.sg' => -3.0, |
| 'surveys-errors@lists.nua.ie' => -3.0, |
| 'emailnews@genomeweb.com' => -5.0, |
| 'yahoo-dev-null@yahoo-inc.com' => -3.0, |
| 'returns.groups.yahoo.com' => -3.0, |
| 'clusternews@linuxnetworx.com' => -3.0, |
| lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, |
| lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, |
| |
| # soft-blacklisting (positive score) |
| 'sender@example.net' => 3.0, |
| '.example.net' => 1.0, |
| |
| }, |
| ], # end of site-wide tables |
| }); |
| |
| |
| # @signer_reputation_maps = (); |
| |
| # @blacklist_sender_maps = (\%blacklist_sender, \@blacklist_sender_acl, \$blacklist_sender_re); |
| # @whitelist_sender_maps = (\%whitelist_sender, \@whitelist_sender_acl, \$whitelist_sender_re); |
| |
| # $per_recip_blacklist_sender_lookup_tables = undef; |
| # $per_recip_whitelist_sender_lookup_tables = undef; # deprecated |
| |
| # $os_fingerprint_method = undef; |
| # $os_fingerprint_dst_ip_and_port = undef; |
| |
| |
| ## SQL, LDAP, Redis |
| |
| # $database_sessions_persistent = 1; |
| # $trim_trailing_space_in_lookup_result_fields = 0; |
| # $lookup_maps_imply_sql_and_ldap = 1; |
| |
| # @storage_redis_dsn = (); # Redis server(s) for pen pals, IP reput, JSON log |
| # $storage_redis_ttl = 16*24*60*60; |
| # $enable_ip_repu = 1; |
| # @ip_repu_ignore_networks = (); |
| # @ip_repu_ignore_maps = (\@ip_repu_ignore_networks); |
| # $redis_logging_key = undef; |
| # $redis_logging_queue_size_limit = undef; |
| |
| # @lookup_sql_dsn = (); # SQL data source name for lookups, or empty |
| # @storage_sql_dsn = (); # SQL data source name for log/quarantine, or empty |
| |
| # $sql_store_info_for_all_msgs = 1; |
| # $sql_schema_version = $myversion_id_numeric; |
| # $timestamp_fmt_mysql = undef; |
| # $sql_partition_tag = undef; |
| # $sql_allow_8bit_address = 0; # VARCHAR (0), VARBINARY/BYTEA (1) |
| # $sql_lookups_no_at_means_domain = 0; |
| # $sql_quarantine_chunksize_max = 16384; |
| |
| # $sql_select_policy = |
| # 'SELECT *,users.id'. |
| # ' FROM users LEFT JOIN policy ON users.policy_id=policy.id'. |
| # ' WHERE users.email IN (%k) ORDER BY users.priority DESC'; |
| |
| # $sql_select_white_black_list = |
| # 'SELECT wb'. |
| # ' FROM wblist JOIN mailaddr ON wblist.sid=mailaddr.id'. |
| # ' WHERE wblist.rid=? AND mailaddr.email IN (%k)'. |
| # ' ORDER BY mailaddr.priority DESC'; |
| |
| # %sql_clause = ( |
| # 'sel_policy' => \$sql_select_policy, |
| # 'sel_wblist' => \$sql_select_white_black_list, |
| # 'sel_adr' => |
| # 'SELECT id FROM maddr WHERE partition_tag=? AND email=?', |
| # 'ins_adr' => |
| # 'INSERT INTO maddr (partition_tag, email, domain) VALUES (?,?,?)', |
| # 'ins_msg' => |
| # 'INSERT INTO msgs (partition_tag, mail_id, secret_id, am_id,'. |
| # ' time_num, time_iso, sid, policy, client_addr, size, host)'. |
| # ' VALUES (?,?,?,?,?,?,?,?,?,?,?)', |
| # 'upd_msg' => |
| # 'UPDATE msgs SET content=?, quar_type=?, quar_loc=?, dsn_sent=?,'. |
| # ' spam_level=?, message_id=?, from_addr=?, subject=?, client_addr=?,'. |
| # ' originating=?'. |
| # ' WHERE partition_tag=? AND mail_id=?', |
| # 'ins_rcp' => |
| # 'INSERT INTO msgrcpt (partition_tag, mail_id, rseqnum, rid, is_local,'. |
| # ' content, ds, rs, bl, wl, bspam_level, smtp_resp)'. |
| # ' VALUES (?,?,?,?,?,?,?,?,?,?,?,?)', |
| # 'ins_quar' => |
| # 'INSERT INTO quarantine (partition_tag, mail_id, chunk_ind, mail_text)'. |
| # ' VALUES (?,?,?,?)', |
| # 'sel_msg' => # obtains partition_tag if missing in a release request |
| # 'SELECT partition_tag FROM msgs WHERE mail_id=?', |
| # 'sel_quar' => |
| # 'SELECT mail_text FROM quarantine'. |
| # ' WHERE partition_tag=? AND mail_id=?'. |
| # ' ORDER BY chunk_ind', |
| # 'sel_penpals' => # no message-id references list |
| # "SELECT msgs.time_num, msgs.mail_id, subject". |
| # " FROM msgs JOIN msgrcpt USING (partition_tag,mail_id)". |
| # " WHERE sid=? AND rid=? AND msgs.content!='V' AND ds='P'". |
| # " ORDER BY msgs.time_num DESC", # LIMIT 1 |
| # 'sel_penpals_msgid' => # with a nonempty list of message-id references |
| # "SELECT msgs.time_num, msgs.mail_id, subject, message_id, rid". |
| # " FROM msgs JOIN msgrcpt USING (partition_tag,mail_id)". |
| # " WHERE sid=? AND msgs.content!='V' AND ds='P' AND message_id IN (%m)". |
| # " AND rid!=sid". |
| # " ORDER BY rid=? DESC, msgs.time_num DESC", # LIMIT 1 |
| # ); |
| |
| ## LDAP, Please see file README.lookups for more info. |
| |
| # $enable_ldap = 0; |
| # $ldap_lookups_no_at_means_domain = 0; |
| # |
| # $default_ldap = { |
| # hostname => 'localhost', |
| # localaddr => undef, |
| # port => undef, # 389 or 636, default provided by Net::LDAP |
| # scheme => undef, # 'ldaps' or 'ldap', depending on hostname |
| # inet6 => $have_inet6 ? 1 : 0, |
| # version => 3, |
| # timeout => 120, |
| # deref => 'find', |
| # bind_dn => undef, |
| # bind_password => undef, |
| # tls => 0, |
| # verify => 'none', |
| # sslversion => 'tlsv1', |
| # clientcert => undef, |
| # clientkey => undef, |
| # cafile => undef, |
| # capath => undef, |
| # sasl => 0, |
| # sasl_mech => undef, # space-separated list of mech names |
| # sasl_auth_id => undef, |
| # }; |
| |
| |
| ## hierarchy by which a final setting is chosen: |
| ## policy bank (based on port or IP address) -> *_by_ccat |
| ## *_by_ccat (based on mail contents) -> *_maps |
| ## *_maps (based on recipient address) -> final configuration value |
| |
| |
| ## MAPPING A CONTENTS CATEGORY TO A SETTING CHOSEN |
| |
| # %final_destiny_maps_by_ccat = ( |
| # # value is normally a list of by-recipient lookup tables, but for compa- |
| # # tibility with old %final_destiny_by_ccat a value may also be a scalar |
| # CC_VIRUS, sub { c('final_virus_destiny') }, |
| # CC_BANNED, sub { c('final_banned_destiny') }, |
| # CC_UNCHECKED, sub { c('final_unchecked_destiny') }, |
| # CC_SPAM, sub { c('final_spam_destiny') }, |
| # CC_BADH, sub { c('final_bad_header_destiny') }, |
| # CC_MTA.',1', D_TEMPFAIL, # MTA response was 4xx |
| # CC_MTA.',2', D_REJECT, # MTA response was 5xx |
| # CC_MTA, D_TEMPFAIL, |
| # CC_OVERSIZED, D_BOUNCE, |
| # CC_CATCHALL, D_PASS, |
| # ); |
| # %forward_method_maps_by_ccat = ( |
| # CC_CATCHALL, sub { ca('forward_method_maps') }, |
| # ); |
| # %smtp_reason_by_ccat = ( |
| # # currently only used for blocked messages only, status 5xx |
| # # a multiline message will produce a valid multiline SMTP response |
| # CC_VIRUS, 'id=%n - INFECTED: %V', |
| # CC_BANNED, 'id=%n - BANNED: %F', |
| # CC_UNCHECKED.',1', 'id=%n - UNCHECKED: encrypted', |
| # CC_UNCHECKED.',2', 'id=%n - UNCHECKED: over limits', |
| # CC_UNCHECKED, 'id=%n - UNCHECKED', |
| # CC_SPAM, 'id=%n - spam', |
| # CC_SPAMMY.',1', 'id=%n - spammy (tag3)', |
| # CC_SPAMMY, 'id=%n - spammy', |
| # CC_BADH.',1', 'id=%n - BAD HEADER: MIME error', |
| # CC_BADH.',2', 'id=%n - BAD HEADER: nonencoded 8-bit character', |
| # CC_BADH.',3', 'id=%n - BAD HEADER: contains invalid control character', |
| # CC_BADH.',4', 'id=%n - BAD HEADER: line made up entirely of whitespace', |
| # CC_BADH.',5', 'id=%n - BAD HEADER: line longer than RFC 5322 limit', |
| # CC_BADH.',6', 'id=%n - BAD HEADER: syntax error', |
| # CC_BADH.',7', 'id=%n - BAD HEADER: missing required header field', |
| # CC_BADH.',8', 'id=%n - BAD HEADER: duplicate header field', |
| # CC_BADH, 'id=%n - BAD HEADER', |
| # CC_OVERSIZED, 'id=%n - Message size exceeds recipient\'s size limit', |
| # CC_MTA.',1', 'id=%n - Temporary MTA failure on relaying', |
| # CC_MTA.',2', 'id=%n - Rejected by next-hop MTA on relaying', |
| # CC_MTA, 'id=%n - Unable to relay message back to MTA', |
| # CC_CLEAN, 'id=%n - CLEAN', |
| # CC_CATCHALL, 'id=%n - OTHER', # should not happen |
| # ); |
| # %lovers_maps_by_ccat = ( |
| # CC_VIRUS, sub { ca('virus_lovers_maps') }, |
| # CC_BANNED, sub { ca('banned_files_lovers_maps') }, |
| # CC_UNCHECKED, sub { ca('unchecked_lovers_maps') }, |
| # CC_SPAM, sub { ca('spam_lovers_maps') }, |
| # CC_SPAMMY, sub { ca('spam_lovers_maps') }, |
| # CC_BADH, sub { ca('bad_header_lovers_maps') }, |
| # ); |
| # %defang_maps_by_ccat = ( |
| # # compatible with legacy %defang_by_ccat: value may be a scalar |
| # CC_VIRUS, sub { c('defang_virus') }, |
| # CC_BANNED, sub { c('defang_banned') }, |
| # CC_UNCHECKED, sub { c('defang_undecipherable') }, |
| # CC_SPAM, sub { c('defang_spam') }, |
| # CC_SPAMMY, sub { c('defang_spam') }, |
| # # CC_BADH.',3', 1, # NUL or CR character in header section |
| # # CC_BADH.',5', 1, # header line longer than 998 characters |
| # # CC_BADH.',6', 1, # header field syntax error |
| # CC_BADH, sub { c('defang_bad_header') }, |
| # ); |
| # %subject_tag_maps_by_ccat = ( |
| # CC_VIRUS, [ '***INFECTED*** ' ], |
| # CC_BANNED, undef, |
| # CC_UNCHECKED, sub { [ c('undecipherable_subject_tag') ] }, # not by-recip |
| # CC_SPAM, undef, |
| # CC_SPAMMY.',1', sub { ca('spam_subject_tag3_maps') }, |
| # CC_SPAMMY, sub { ca('spam_subject_tag2_maps') }, |
| # CC_CLEAN.',1', sub { ca('spam_subject_tag_maps') }, |
| # ); |
| # %quarantine_method_by_ccat = ( |
| # CC_VIRUS, sub { c('virus_quarantine_method') }, |
| # CC_BANNED, sub { c('banned_files_quarantine_method') }, |
| # CC_UNCHECKED, sub { c('unchecked_quarantine_method') }, |
| # CC_SPAM, sub { c('spam_quarantine_method') }, |
| # CC_BADH, sub { c('bad_header_quarantine_method') }, |
| # CC_CLEAN, sub { c('clean_quarantine_method') }, |
| # ); |
| # %quarantine_to_maps_by_ccat = ( |
| # CC_VIRUS, sub { ca('virus_quarantine_to_maps') }, |
| # CC_BANNED, sub { ca('banned_quarantine_to_maps') }, |
| # CC_UNCHECKED, sub { ca('unchecked_quarantine_to_maps') }, |
| # CC_SPAM, sub { ca('spam_quarantine_to_maps') }, |
| # CC_BADH, sub { ca('bad_header_quarantine_to_maps') }, |
| # CC_CLEAN, sub { ca('clean_quarantine_to_maps') }, |
| # ); |
| # Tachtler - new - |
| # Disable notifications about ***UNCHECKED*** messages. |
| %admin_maps_by_ccat = ( |
| CC_VIRUS, sub { ca('virus_admin_maps') }, |
| CC_BANNED, sub { ca('banned_admin_maps') }, |
| # CC_UNCHECKED, sub { ca('virus_admin_maps') }, |
| CC_SPAM, sub { ca('spam_admin_maps') }, |
| CC_BADH, sub { ca('bad_header_admin_maps') }, |
| ); |
| # %always_bcc_by_ccat = ( |
| # CC_CATCHALL, sub { c('always_bcc') }, |
| # ); |
| # %dsn_bcc_by_ccat = ( |
| # CC_CATCHALL, sub { c('dsn_bcc') }, |
| # ); |
| # %mailfrom_notify_admin_by_ccat = ( |
| # CC_SPAM, sub { c('mailfrom_notify_spamadmin') }, |
| # CC_CATCHALL, sub { c('mailfrom_notify_admin') }, |
| # ); |
| # %hdrfrom_notify_admin_by_ccat = ( |
| # CC_SPAM, sub { c('hdrfrom_notify_spamadmin') }, |
| # CC_CATCHALL, sub { c('hdrfrom_notify_admin') }, |
| # ); |
| # %mailfrom_notify_recip_by_ccat = ( |
| # CC_CATCHALL, sub { c('mailfrom_notify_recip') }, |
| # ); |
| # %hdrfrom_notify_recip_by_ccat = ( |
| # CC_CATCHALL, sub { c('hdrfrom_notify_recip') }, |
| # ); |
| # %hdrfrom_notify_sender_by_ccat = ( |
| # CC_CATCHALL, sub { c('hdrfrom_notify_sender') }, |
| # ); |
| # %hdrfrom_notify_release_by_ccat = ( |
| # CC_CATCHALL, sub { c('hdrfrom_notify_release') }, |
| # ); |
| # %hdrfrom_notify_report_by_ccat = ( |
| # CC_CATCHALL, sub { c('hdrfrom_notify_report') }, |
| # ); |
| # %notify_admin_templ_by_ccat = ( |
| # CC_SPAM, sub { cr('notify_spam_admin_templ') }, |
| # CC_CATCHALL, sub { cr('notify_virus_admin_templ') }, |
| # ); |
| # %notify_recips_templ_by_ccat = ( |
| # CC_SPAM, sub { cr('notify_spam_recips_templ') }, #usually empty |
| # CC_CATCHALL, sub { cr('notify_virus_recips_templ') }, |
| # ); |
| # %notify_sender_templ_by_ccat = ( # bounce templates |
| # CC_VIRUS, sub { cr('notify_virus_sender_templ') }, |
| # CC_BANNED, sub { cr('notify_virus_sender_templ') }, #historical reason |
| # CC_SPAM, sub { cr('notify_spam_sender_templ') }, |
| # CC_CATCHALL, sub { cr('notify_sender_templ') }, |
| # ); |
| # %notify_release_templ_by_ccat = ( |
| # CC_CATCHALL, sub { cr('notify_release_templ') }, |
| # ); |
| # %notify_report_templ_by_ccat = ( |
| # CC_CATCHALL, sub { cr('notify_report_templ') }, |
| # ); |
| # %notify_autoresp_templ_by_ccat = ( |
| # CC_CATCHALL, sub { cr('notify_autoresp_templ') }, |
| # ); |
| # %warnsender_by_ccat = ( # deprecated use, except perhaps for CC_BADH |
| # CC_VIRUS, undef, |
| # CC_BANNED, sub { c('warnbannedsender') }, |
| # CC_SPAM, undef, |
| # CC_BADH, sub { c('warnbadhsender') }, |
| # ); |
| # %warnrecip_maps_by_ccat = ( |
| # CC_VIRUS, sub { ca('warnvirusrecip_maps') }, |
| # CC_BANNED, sub { ca('warnbannedrecip_maps') }, |
| # CC_SPAM, undef, |
| # CC_BADH, sub { ca('warnbadhrecip_maps') }, |
| # ); |
| # %addr_extension_maps_by_ccat = ( |
| # CC_VIRUS, sub { ca('addr_extension_virus_maps') }, |
| # CC_BANNED, sub { ca('addr_extension_banned_maps') }, |
| # CC_SPAM, sub { ca('addr_extension_spam_maps') }, |
| # CC_SPAMMY, sub { ca('addr_extension_spam_maps') }, |
| # CC_BADH, sub { ca('addr_extension_bad_header_maps') }, |
| # # CC_OVERSIZED, 'oversized'; |
| # ); |
| # %addr_rewrite_maps_by_ccat = ( ); |
| |
| |
| ## POLICY BANKS |
| |
| $interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname |
| $interface_policy{'10026'} = 'ORIGINATING'; |
| |
| # %interface_policy = (); # maps input interface/port to policy bank name |
| |
| $policy_bank{'AM.PDP-SOCK'} = { |
| protocol => 'AM.PDP', |
| auth_required_release => 0, # do not require secret_id for amavisd-release (anyone who can reach the socket can then release quarantined mail) |
| }; |
| |
| $policy_bank{'MYNETS'} = { # mail originating from @mynetworks |
| originating => 1, # is true in MYNETS by default, but let's make it explicit |
| allow_disclaimers => 1, # enables disclaimer insertion if available |
| os_fingerprint_method => undef, # don't query p0f for internal clients |
| }; |
| |
| $policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users |
| originating => 1, # declare that mail was submitted by our smtp client |
| allow_disclaimers => 1, # enables disclaimer insertion if available |
| # notify administrator of locally originating malware |
| virus_admin_maps => ["virusalert\@$mydomain"], |
| spam_admin_maps => ["mailfilter\@$mydomain"], |
| warnbadhsender => 1, |
| # forward to a smtpd service back to postfix |
| forward_method => 'smtp:[192.168.0.60]:10027', |
| # notify to a smtpd service back to postfix |
| notify_method => 'smtp:[192.168.0.60]:10027', |
| # force MTA conversion to 7-bit (e.g. before DKIM signing) |
| smtpd_discard_ehlo_keywords => ['8BITMIME'], |
| terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option |
| }; |
| |
| # $policy_bank{''} = { ...predefined... }; |
| |
| ## the built-in policy bank (empty name) is predefined, and includes |
| ## references to most other variables listed above (the dynamic config |
| ## variables), which are accessed only indirectly through the currently |
| ## installed policy bank. Overlaying a policy bank with another policy |
| ## bank may bring-in references to entirely different variables, |
| ## possibly unnamed. Here is a list of configuration variables |
| ## referenced from the built-in policy bank by keys of the same name |
| ## (e.g. { log_level => \$log_level, inet_acl => \@inet_acl, ...} ) |
| ## |
| ## $child_timeout $smtpd_timeout |
| ## $policy_bank_name $protocol @inet_acl |
| ## $myhostname $myauthservid $snmp_contact $snmp_location |
| ## $myprogram_name $syslog_ident $syslog_facility |
| ## $log_level $log_templ $log_recip_templ $enable_log_capture_dump |
| ## $forward_method $notify_method $resend_method $report_format |
| ## $release_method $requeue_method $release_format |
| ## $attachment_password $attachment_email_name $attachment_outer_name |
| ## $os_fingerprint_method $os_fingerprint_dst_ip_and_port |
| ## $originating @smtpd_discard_ehlo_keywords $soft_bounce |
| ## $propagate_dsn_if_possible $terminate_dsn_on_notify_success |
| ## $amavis_auth_user $amavis_auth_pass $auth_reauthenticate_forwarded |
| ## $auth_required_out $auth_required_inp $auth_required_release |
| ## @auth_mech_avail $tls_security_level_in $tls_security_level_out |
| ## $local_client_bind_address $smtpd_message_size_limit |
| ## $localhost_name $smtpd_greeting_banner $smtpd_quit_banner |
| ## $mailfrom_to_quarantine $warn_offsite $bypass_decode_parts @decoders |
| ## @av_scanners @av_scanners_backup @spam_scanners |
| ## $first_infected_stops_scan $virus_scanners_failure_is_fatal |
| ## $sa_spam_level_char $sa_mail_body_size_limit |
| ## $penpals_bonus_score $penpals_halflife $bounce_killer_score |
| ## $reputation_factor |
| ## $undecipherable_subject_tag $localpart_is_case_sensitive |
| ## $recipient_delimiter $replace_existing_extension |
| ## $hdr_encoding $bdy_encoding $hdr_encoding_qb |
| ## $allow_disclaimers $outbound_disclaimers_only |
| ## $prepend_header_fields_hdridx |
| ## $allow_fixing_improper_header |
| ## $allow_fixing_improper_header_folding $allow_fixing_long_header_lines |
| ## %allowed_added_header_fields %prefer_our_added_header_fields |
| ## %allowed_header_tests |
| ## $X_HEADER_TAG $X_HEADER_LINE |
| ## $remove_existing_x_scanned_headers $remove_existing_spam_headers |
| ## %sql_clause $partition_tag |
| ## %local_delivery_aliases $banned_namepath_re |
| ## $per_recip_whitelist_sender_lookup_tables |
| ## $per_recip_blacklist_sender_lookup_tables |
| ## @anomy_sanitizer_args @altermime_args_defang |
| ## @altermime_args_disclaimer @disclaimer_options_bysender_maps |
| ## %signed_header_fields @dkim_signature_options_bysender_maps |
| ## $enable_dkim_verification $enable_dkim_signing $dkim_signing_service |
| ## $dkim_minimum_key_bits $enable_ldap $enable_ip_repu $redis_logging_key |
| ## |
| ## @local_domains_maps |
| ## @mynetworks_maps @client_ipaddr_policy @ip_repu_ignore_maps |
| ## @forward_method_maps @newvirus_admin_maps @banned_filename_maps |
| ## @spam_quarantine_bysender_to_maps |
| ## @spam_tag_level_maps @spam_tag2_level_maps @spam_tag3_level_maps |
| ## @spam_kill_level_maps |
| ## @spam_subject_tag_maps @spam_subject_tag2_maps @spam_subject_tag3_maps |
| ## @spam_dsn_cutoff_level_maps @spam_dsn_cutoff_level_bysender_maps |
| ## @spam_crediblefrom_dsn_cutoff_level_maps |
| ## @spam_crediblefrom_dsn_cutoff_level_bysender_maps |
| ## @spam_quarantine_cutoff_level_maps @spam_notifyadmin_cutoff_level_maps |
| ## @whitelist_sender_maps @blacklist_sender_maps @score_sender_maps |
| ## @author_to_policy_bank_maps @signer_reputation_maps |
| ## @message_size_limit_maps @debug_sender_maps @debug_recipient_maps |
| ## @bypass_virus_checks_maps @bypass_spam_checks_maps |
| ## @bypass_banned_checks_maps @bypass_header_checks_maps |
| ## @viruses_that_fake_sender_maps |
| ## @virus_name_to_spam_score_maps @virus_name_to_policy_bank_maps |
| ## @remove_existing_spam_headers_maps |
| ## @sa_userconf_maps @sa_username_maps |
| ## |
| ## %final_destiny_maps_by_ccat %forward_method_maps_by_ccat |
| ## %lovers_maps_by_ccat %defang_maps_by_ccat %subject_tag_maps_by_ccat |
| ## %quarantine_method_by_ccat %quarantine_to_maps_by_ccat |
| ## %notify_admin_templ_by_ccat %notify_recips_templ_by_ccat |
| ## %notify_sender_templ_by_ccat %notify_autoresp_templ_by_ccat |
| ## %notify_release_templ_by_ccat %notify_report_templ_by_ccat |
| ## %warnsender_by_ccat |
| ## %hdrfrom_notify_admin_by_ccat %mailfrom_notify_admin_by_ccat |
| ## %hdrfrom_notify_recip_by_ccat %mailfrom_notify_recip_by_ccat |
| ## %hdrfrom_notify_sender_by_ccat |
| ## %hdrfrom_notify_release_by_ccat %hdrfrom_notify_report_by_ccat |
| ## %admin_maps_by_ccat %warnrecip_maps_by_ccat |
| ## %always_bcc_by_ccat %dsn_bcc_by_ccat |
| ## %addr_extension_maps_by_ccat %addr_rewrite_maps_by_ccat |
| ## %smtp_reason_by_ccat |
| |
| ## legacy dynamic configuration variables: |
| |
| ## $final_virus_destiny $final_banned_destiny $final_unchecked_destiny |
| ## $final_spam_destiny $final_bad_header_destiny |
| ## @virus_lovers_maps @spam_lovers_maps @unchecked_lovers_maps |
| ## @banned_files_lovers_maps @bad_header_lovers_maps |
| ## $always_bcc $dsn_bcc |
| ## $mailfrom_notify_sender $mailfrom_notify_recip |
| ## $mailfrom_notify_admin $mailfrom_notify_spamadmin |
| ## $hdrfrom_notify_sender $hdrfrom_notify_recip |
| ## $hdrfrom_notify_admin $hdrfrom_notify_spamadmin |
| ## $hdrfrom_notify_release $hdrfrom_notify_report |
| ## $notify_virus_admin_templ $notify_spam_admin_templ |
| ## $notify_virus_recips_templ $notify_spam_recips_templ |
| ## $notify_virus_sender_templ $notify_spam_sender_templ |
| ## $notify_sender_templ $notify_release_templ |
| ## $notify_report_templ $notify_autoresp_templ |
| ## $warnbannedsender $warnbadhsender |
| ## $defang_virus $defang_banned $defang_spam |
| ## $defang_bad_header $defang_undecipherable $defang_all |
| ## $virus_quarantine_method $banned_files_quarantine_method |
| ## $unchecked_quarantine_method $spam_quarantine_method |
| ## $bad_header_quarantine_method $clean_quarantine_method |
| ## $archive_quarantine_method |
| ## @virus_quarantine_to_maps @banned_quarantine_to_maps |
| ## @unchecked_quarantine_to_maps @spam_quarantine_to_maps |
| ## @bad_header_quarantine_to_maps @clean_quarantine_to_maps |
| ## @archive_quarantine_to_maps |
| ## @virus_admin_maps @banned_admin_maps |
| ## @spam_admin_maps @bad_header_admin_maps @spam_modifies_subj_maps |
| ## @warnvirusrecip_maps @warnbannedrecip_maps @warnbadhrecip_maps |
| ## @addr_extension_virus_maps @addr_extension_spam_maps |
| ## @addr_extension_banned_maps @addr_extension_bad_header_maps |
| |
| 1; # ensure a defined return value |
</code> | </code> |
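The threshold and sender-score settings in the configuration above interact: the `@score_sender_maps` boost is added to the SpamAssassin score before the sum is compared against `$sa_tag2_level_deflt`, `$sa_kill_level_deflt` and the DSN/quarantine cut-offs. The following Python model is an added example (it is neither the page's configuration nor amavisd-new code) that works through that chain with the page's own values and a subset of its site-wide sender table. Assumptions: the hash-lookup key order follows README.lookups as read by the example's author, the quarantine cut-off uses the 25 that the page shows commented out, and all sample addresses are constructed.

```python
"""Model of the amavisd-new spam decision chain with the values from this page.

Added example: not code from the page's amavisd.conf or from amavisd-new.
It re-implements, in Python, how amavisd combines a SpamAssassin score with
the site-wide @score_sender_maps boost and compares the sum against the
tag/tag2/kill levels and the DSN/quarantine cut-offs set above.
"""
import re
from dataclasses import dataclass

# Thresholds exactly as set in the page's amavisd.conf
SA_TAG_LEVEL = -1000.0                   # $sa_tag_level_deflt
SA_TAG2_LEVEL = 6.31                     # $sa_tag2_level_deflt
SA_KILL_LEVEL = 6.31                     # $sa_kill_level_deflt
SA_DSN_CUTOFF_LEVEL = 10.0               # $sa_dsn_cutoff_level
SA_CREDIBLEFROM_DSN_CUTOFF_LEVEL = 18.0  # $sa_crediblefrom_dsn_cutoff_level
SA_QUARANTINE_CUTOFF_LEVEL = 25.0        # commented out on the page; assumed active here

# Subset of the site-wide ('.' recipient) sender table from @score_sender_maps.
# amavisd walks the list in order; the first matching sender decides the boost.
SENDER_SCORE_RE = [  # regexp-type table (new_RE): all soft-blacklist entries
    (re.compile(r"^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@", re.I), 5.0),
    (re.compile(r"^(inkjetplanet|marketopt|MakeMoney)\d*@", re.I), 5.0),
]
SENDER_SCORE_HASH = {  # hash-type table: negative = soft-whitelist, positive = soft-blacklist
    "nobody@cert.org": -3.0,
    "securityfocus.com": -3.0,    # exact domain only
    "sender@example.net": 3.0,
    ".example.net": 1.0,          # domain and all of its subdomains
}


def hash_lookup_keys(addr, delimiter="+"):
    """Keys amavisd tries, in order, for an e-mail address in a hash lookup table.

    Modelled on README.lookups (assumption of this example): full address,
    address with the extension stripped, the localpart@ forms, the bare
    domain, each parent domain with a leading dot, and finally '.' as catch-all.
    """
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    base = local.split(delimiter, 1)[0] if delimiter and delimiter in local else None
    keys = [addr]
    if base is not None:
        keys.append(f"{base}@{domain}")
    keys.append(f"{local}@")
    if base is not None:
        keys.append(f"{base}@")
    keys.append(domain)
    labels = domain.split(".")
    keys.extend("." + ".".join(labels[i:]) for i in range(len(labels)))
    keys.append(".")
    return keys


def sender_score_boost(sender):
    """Site-wide soft white/blacklist boost for an envelope sender (first match wins)."""
    sender = sender.lower()
    for pattern, score in SENDER_SCORE_RE:
        if pattern.search(sender):
            return score
    for key in hash_lookup_keys(sender):
        if key in SENDER_SCORE_HASH:
            return SENDER_SCORE_HASH[key]
    return 0.0


@dataclass
class Verdict:
    score: float      # SpamAssassin score plus sender boost
    tag: bool         # spam information headers added
    tag2: bool        # flagged as spam
    kill: bool        # final_spam_destiny action applies
    dsn: bool         # a DSN to the sender is still allowed (matters when the destiny bounces)
    quarantine: bool  # quarantining is still allowed (matters when the destiny quarantines)


def spam_verdict(sa_score, sender, credible_from=False):
    """Apply the page's thresholds to one message."""
    score = sa_score + sender_score_boost(sender)
    kill = score >= SA_KILL_LEVEL
    dsn_cutoff = SA_CREDIBLEFROM_DSN_CUTOFF_LEVEL if credible_from else SA_DSN_CUTOFF_LEVEL
    return Verdict(
        score=round(score, 3),
        tag=score >= SA_TAG_LEVEL,
        tag2=score >= SA_TAG2_LEVEL,
        kill=kill,
        dsn=kill and score < dsn_cutoff,
        quarantine=kill and score < SA_QUARANTINE_CUTOFF_LEVEL,
    )


if __name__ == "__main__":
    # Constructed samples: the same borderline SpamAssassin score, different senders
    for sa, sender in [(4.0, "offers@shop.example"), (4.0, "nobody@cert.org"),
                       (6.0, "bob@news.example.net"), (12.0, "x@y.example")]:
        print(sender, spam_verdict(sa, sender))
```

Compare a SpamAssassin score of 4.0 from `offers@shop.example` (soft-blacklisted, +5.0, so killed) with the same score from `nobody@cert.org` (soft-whitelisted, -3.0, so only tagged); `credible_from` changes nothing except whether a DSN is still permitted, which is exactly the difference between the two DSN cut-off levels on the page.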
| |
===== Configuration: amavisd-milter ===== | ===== Configuration: amavisd-milter ===== |
| |
==== /etc/amavisd/amavisd-milter.conf ==== | ==== (Up to version 1.6.x) - /etc/amavisd/amavisd-milter.conf ==== |
| |
| **__UP TO version 1.6.x__** |
| |
By default, after installing [[http://amavisd-milter.sourceforge.net/|AMaViS]] - **''amavisd-milter''**, the configuration file for [[http://amavisd-milter.sourceforge.net//|AMaViS]] - **''amavisd-milter''** is placed in the following directory under the following name: | By default, after installing [[http://amavisd-milter.sourceforge.net/|AMaViS]] - **''amavisd-milter''**, the configuration file for [[http://amavisd-milter.sourceforge.net//|AMaViS]] - **''amavisd-milter''** is placed in the following directory under the following name: |
:!: **IMPORTANT** - **This must agree with the setting in the [[http://amavisd-milter.sourceforge.net//|AMaViS]] configuration file** | :!: **IMPORTANT** - **This must agree with the setting in the [[http://amavisd-milter.sourceforge.net//|AMaViS]] configuration file** |
* ''/etc/amavisd/amavisd.conf'' | * ''/etc/amavisd/amavisd.conf'' |
| **and with the parameter** |
| * ''$max_servers = 4'' |
| **set there!** |
| |
| ==== (From version 1.7.x) /etc/sysconfig/amavisd-milter ==== |
| |
| **__FROM version 1.7.x__** |
| |
| :!: **NOTE** - **The following command must be run if an __update from version 1.6.x to 1.7.x__ is performed!** |
| |
| <code> |
| systemctl daemon-reload |
| </code> |
| |
| By default, after installing [[https://github.com/prehor/amavisd-milter|AMaViS]] - **''amavisd-milter''**, the configuration file for [[https://github.com/prehor/amavisd-milter|AMaViS]] - **''amavisd-milter''** is placed in the following directory under the following name: |
| * **''/etc/sysconfig/amavisd-milter''** |
| |
| The following changes have to be made to the configuration file ''/etc/sysconfig/amavisd-milter'': |
| |
| (**Complete configuration file**) |
| |
| <code ini> |
| # Communication socket between sendmail and amavisd-milter (default |
| # /var/amavis/amavisd-milter.sock). The protocol spoken over this |
| # socket is MILTER (Mail FILTER). It must agree with the |
| # INPUT_MAIL_FILTER entry in sendmail.mc |
| # The socket should be in "proto:address" format: |
| # o {unix|local}:/path/to/file - A named pipe. |
| # o inet:port@{hostname|ip-address} - An IPV4 socket. |
| # o inet6:port@{hostname|ip-address} - An IPV6 socket. |
| # Tachtler |
| # default: SOCKET=/var/run/amavisd/amavisd-milter.sock |
| SOCKET=inet:10014@192.168.0.70 |
| |
| # Use this pid file (default /var/amavis/amavisd-milter.pid). |
| # Better to create /var/run/amavis and put it there |
| #PID_FILE=/var/run/amavisd/amavisd-milter.pid |
| |
| # Maximum concurrent amavisd connections (default 0 - unlimited |
| # number of connections). It must agree with the $max_servers |
| # entry in amavisd.conf. |
| # Tachtler |
| # default: MAX_CONNECTIONS=2 |
| MAX_CONNECTIONS=4 |
| |
| # Maximum wait for connection to amavisd in seconds (default 300 = |
| # 5 minutes). It must be less than the sending MTA's timeout for a |
| # response to the final "." that terminates a message on the sending |
| # MTA. sendmail has a default value of 1 hour, postfix 10 minutes and |
| # qmail 20 minutes. We suggest using less than 10 minutes. |
| MAX_WAIT=300 |
| |
| # sendmail connection timeout in seconds (default 600 = 10 minutes). |
| # It must agree with the INPUT_MAIL_FILTER entry in sendmail.mc and |
| # must be greater than or equal to the amavisd-new connection |
| # timeout. When you use other milters (especially time-consuming |
| # ones), the timeout must be sufficient to process the message in |
| # all milters. |
| MAILDAEMON_TIMEOUT=600 |
| |
| # amavisd-new connection timeout in seconds (default 600 = 10 minutes). |
| # This timeout must be sufficient for message processing in |
| # amavisd-new. It's usually a good idea to adjust it to the same |
| # value as the sendmail connection timeout. |
| AMAVISD_TIMEOUT=600 |
| </code> |
| |
| **__The following changes should be made:__** |
| |
| * <code ini>SOCKET=inet:10014@192.168.0.70</code> |
| |
| Socket on which [[https://github.com/prehor/amavisd-milter|AMaViS]] - **''amavisd-milter''** accepts milter connections, here via **IP address: ''192.168.0.70''** and **port: ''10014''**. The milter protocol carries no authentication of its own, so this TCP socket should only be reachable from the MTA host (restrict it with a firewall rule). |
| |
| * <code ini>MAX_CONNECTIONS=4</code> |
| |
| Maximum number of **concurrent connections** that [[https://github.com/prehor/amavisd-milter|AMaViS]] - **''amavisd-milter''** opens to the amavisd daemon while filtering mail for [[http://www.postfix.org|Postfix]] (see the comment in the file above: "Maximum concurrent amavisd connections"). |
| |
| :!: **IMPORTANT** - **This must agree with the setting in the [[https://github.com/prehor/amavisd-milter|AMaViS]] configuration file** |
| * ''/etc/amavisd/amavisd.conf'' |
**and with the parameter** | **and with the parameter** |
* ''$max_servers = 4'' | * ''$max_servers = 4'' |
</code> | </code> |
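The requirement that `MAX_CONNECTIONS` in `/etc/sysconfig/amavisd-milter` agree with `$max_servers` in `/etc/amavisd/amavisd.conf` is easy to break silently, for example when a package update replaces the sysconfig file. The following Python check is an added example (not part of amavisd-milter or amavisd-new) that reads both values and reports drift. The two file excerpts are constructed to mirror the values on this page, and the parsers deliberately handle only plain numeric assignments of the form `MAX_CONNECTIONS=4` and `$max_servers = 4;`.

```python
"""Consistency check: amavisd-milter MAX_CONNECTIONS vs. amavisd $max_servers.

Added example, not part of the amavisd-milter or amavisd-new projects.
Both excerpts below are constructed to mirror the values on this page.
"""
import re

# Constructed excerpt of /etc/sysconfig/amavisd-milter (1.7.x format)
SYSCONFIG_SAMPLE = """\
# Maximum concurrent amavisd connections (default 0 - unlimited).
# default: MAX_CONNECTIONS=2
MAX_CONNECTIONS=4
SOCKET=inet:10014@192.168.0.70
"""

# Constructed excerpt of /etc/amavisd/amavisd.conf
AMAVISD_CONF_SAMPLE = """\
# $max_servers = 2;   # commented-out default, must be ignored
$max_servers = 4;     # number of pre-forked amavisd children
$daemon_user = 'amavis';
"""


def last_match(pattern, text):
    """Return the last capture of `pattern` over all lines, or None (last assignment wins)."""
    hits = re.findall(pattern, text, flags=re.MULTILINE)
    return hits[-1] if hits else None


def sysconfig_int(text, key):
    """Read KEY=value from a shell-style sysconfig file; quotes allowed, '#' lines ignored."""
    pattern = r"^[ \t]*" + re.escape(key) + r"=[\"']?(\d+)[\"']?[ \t]*(?:#.*)?$"
    raw = last_match(pattern, text)
    return int(raw) if raw is not None else None


def perl_scalar_int(text, name):
    """Read a numeric `$name = N;` assignment from a Perl config, skipping commented lines."""
    pattern = r"^[ \t]*\$" + re.escape(name) + r"[ \t]*=[ \t]*(\d+)[ \t]*;"
    raw = last_match(pattern, text)
    return int(raw) if raw is not None else None


def check_milter_concurrency(sysconfig_text, amavisd_conf_text):
    """Return (max_connections, max_servers, problems).

    The milter must not open more concurrent connections than amavisd has
    child processes. MAX_CONNECTIONS=0 (or unset) means unlimited and is
    therefore always flagged; a value below $max_servers wastes children.
    """
    max_conn = sysconfig_int(sysconfig_text, "MAX_CONNECTIONS")
    max_srv = perl_scalar_int(amavisd_conf_text, "max_servers")
    problems = []
    if max_conn is None:
        problems.append("MAX_CONNECTIONS not set (daemon default 0 = unlimited)")
    if max_srv is None:
        problems.append("$max_servers not set")
    if max_conn is not None and max_srv is not None:
        if max_conn == 0:
            problems.append("MAX_CONNECTIONS=0 (unlimited) exceeds $max_servers")
        elif max_conn > max_srv:
            problems.append(f"MAX_CONNECTIONS={max_conn} exceeds $max_servers={max_srv}")
        elif max_conn < max_srv:
            problems.append(
                f"MAX_CONNECTIONS={max_conn} leaves {max_srv - max_conn} amavisd children idle")
    return max_conn, max_srv, problems


if __name__ == "__main__":
    conn, srv, problems = check_milter_concurrency(SYSCONFIG_SAMPLE, AMAVISD_CONF_SAMPLE)
    print(f"MAX_CONNECTIONS={conn} $max_servers={srv} ->", "OK" if not problems else problems)
```

In production, feed the real files instead of the embedded samples (`check_milter_concurrency(open('/etc/sysconfig/amavisd-milter').read(), open('/etc/amavisd/amavisd.conf').read())`) and run the check from the deployment pipeline, so that drift is caught before the milter starts queueing on a saturated amavisd and hitting `MAX_WAIT`.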
| |
:!: **IMPORTANT** - **From version 2.11.x of [[http://www.ijs.si/software/amavisd/|AMaViS]] onwards, a patch is __no longer__ necessary!!!** | :!: **IMPORTANT** - **From version 2.11.x of [[http://www.ijs.si/software/amavisd/|AMaViS]] onwards, a patch is __no longer__ necessary!!!** |
| |
The following **patch**, based on a **patch** by [[https://markusbenning.de/|Markus Benning]] with some additions by [[http://www.tachtler.net|Klaus Tachtler]], which has to be integrated into [[http://www.ijs.si/software/amavisd/|AMaViS]] so that | The following **patch**, based on a **patch** by [[https://markusbenning.de/|Markus Benning]] with some additions by [[http://www.tachtler.net|Klaus Tachtler]], which has to be integrated into [[http://www.ijs.si/software/amavisd/|AMaViS]] so that |
:!: **NOTE** - **Incidentally, defining ''SSL_verify_mode'' also fixes the warning message!** | :!: **NOTE** - **Incidentally, defining ''SSL_verify_mode'' also fixes the warning message!** |
| |
==== AMaViSd-new - TLS patch ==== | ==== Up to AMaViSd-new 2.10.x - TLS patch ==== |
| |
| :!: **IMPORTANT** - **From version 2.11.x of [[http://www.ijs.si/software/amavisd/|AMaViS]] onwards, a patch is __no longer__ necessary!!!** |
| |
The following **patch** has to be integrated into [[http://www.ijs.si/software/amavisd/|AMaViS]] so that TLS transport encryption can be used: | The following **patch** has to be integrated into [[http://www.ijs.si/software/amavisd/|AMaViS]] so that TLS transport encryption can be used: |
| |
==== /etc/amavisd/amavisd.conf ==== | ==== /etc/amavisd/amavisd.conf ==== |
| |
| :!: **IMPORTANT** - **As of version 2.11.x of [[http://www.ijs.si/software/amavisd/|AMaViS]], a patch is __no longer__ necessary!!!** |
| |
| :!: **IMPORTANT** - **The following configuration is required up to version 2.10.x of [[http://www.ijs.si/software/amavisd/|AMaViS]]** |
| |
The following configuration directives (old and new) must now be set in order to use TLS transport encryption **to and from** [[http://www.ijs.si/software/amavisd/|AMaViS]]. | The following configuration directives (old and new) must now be set in order to use TLS transport encryption **to and from** [[http://www.ijs.si/software/amavisd/|AMaViS]]. |
| |
**__Incoming connections__**: | **__Up to version 2.10.x of [[http://www.ijs.si/software/amavisd/|AMaViS]] - Incoming connections__**: |
| |
(**Relevant excerpt only**) | (**Relevant excerpt only**) |
* //Please do **__not__ insert line breaks** in ''$smtpd_tls_cipher_list''!// | * //Please do **__not__ insert line breaks** in ''$smtpd_tls_cipher_list''!// |
| |
**__Outgoing connections__**: | **__As of version 2.11.x of [[http://www.ijs.si/software/amavisd/|AMaViS]] - Incoming connections__**: |
| |
| (**Relevant excerpt only**) |
| |
| <code perl> |
| ... |
| $tls_security_level_in = 'may'; # Enable opportunistic TLS transport encryption for inbound connections. |
| %smtpd_tls_server_options = ( |
| # SSL_verifycn_scheme => 'smtp', |
| SSL_verifycn_scheme => 'none', |
| SSL_session_cache => 2, |
| SSL_cert_file => '/etc/pki/amavis/certs/CAcert-class3-wildcard.crt', |
| SSL_key_file => '/etc/pki/amavis/private/tachtler.net.key', |
| SSL_dh_file => '/etc/pki/postfix/private/dh_2048.pem', |
| SSL_ca_file => '/etc/pki/tls/certs/ca-bundle.crt', |
| SSL_version => 'SSLv23:!SSLv3:!SSLv2', # Negotiate any TLS version, SSLv2 and SSLv3 disabled. |
| SSL_cipher_list => 'ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES:!CBC3-SHA:!iAES128-SHA:!DHE-RSA-AES128-SHA:!AES256-SHA:!DHE-RSA-AES256-SHA:!CAMELLIA128-SHA:!iDHE-RSA-CAMELLIA128-SHA:!iCAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA', # One line, no line breaks! |
| SSL_honor_cipher_order => '1', # The server's preference order wins. |
| SSL_verify_mode => 'SSL_VERIFY_NONE', # Do not request a client certificate from Postfix. |
| SSL_passwd_cb => sub { 'example' }, # Passphrase of SSL_key_file; 'example' is a placeholder. |
| ); |
| ... |
| </code> |
| |
| **__Up to version 2.10.x of [[http://www.ijs.si/software/amavisd/|AMaViS]] - Outgoing connections__**: |
| |
(**Relevant excerpt only**) | (**Relevant excerpt only**) |
</code> | </code> |
* //Please do **__not__ insert line breaks** in ''$smtp_tls_cipher_list''!// | * //Please do **__not__ insert line breaks** in ''$smtp_tls_cipher_list''!// |
| |
| |
| **__As of version 2.11.x of [[http://www.ijs.si/software/amavisd/|AMaViS]] - Outgoing connections__**: |
| |
| (**Relevant excerpt only**) |
| |
| <code perl> |
| ... |
| $tls_security_level_out = 'may'; # Enable opportunistic TLS transport encryption for outbound connections. |
| %smtp_tls_client_options = ( |
| # SSL_verifycn_scheme => 'smtp', |
| SSL_verifycn_scheme => 'none', # No hostname check against the certificate (see note on wildcard certificates). |
| SSL_version => 'SSLv23:!SSLv3:!SSLv2', # Negotiate any TLS version, SSLv2 and SSLv3 disabled. |
| SSL_cipher_list => 'ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES:!CBC3-SHA:!iAES128-SHA:!DHE-RSA-AES128-SHA:!AES256-SHA:!DHE-RSA-AES256-SHA:!CAMELLIA128-SHA:!iDHE-RSA-CAMELLIA128-SHA:!iCAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA', # One line, no line breaks! |
| SSL_client_ca_file => '/etc/pki/tls/certs/ca-bundle.crt', # Check against your IO::Socket::SSL docs: there SSL_client_ca_file is a server-side option, the client-side CA list is SSL_ca_file. |
| SSL_honor_cipher_order => '1', |
| SSL_verify_mode => 'SSL_VERIFY_PEER', # Verify the receiving server's certificate chain; the hostname is not checked with SSL_verifycn_scheme 'none'. |
| ); |
| ... |
| </code> |
| |
| :!: **NOTE** - If a **wildcard certificate is used** (e.g. ''*.tachtler.net'') and the hostname is not covered by it (e.g. ''amavis.idmz.tachtler.net'': a wildcard stands for exactly one label, so it does not cover a host two labels below the domain), the parameter: |
| * ''SSL_verifycn_scheme => 'none','' |
| must be set! With ''SSL_VERIFY_PEER'' the peer's certificate chain is then still verified against the CA bundle, but the name in the certificate is no longer compared with the hostname, so any certificate issued by a trusted CA is accepted for that peer. A certificate whose subject alternative names cover the hostname (here ''amavis.idmz.tachtler.net'') avoids this trade-off. |
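The settings above are only as good as what the listener actually negotiates. The following Python script is an added example for this page, not code from the original page or from the AMaViS project: it checks the page's ''SSL_cipher_list'' for exclusion tokens that name no cipher suite OpenSSL knows (such a token silently disables nothing), shows why ''*.tachtler.net'' does not cover ''amavis.idmz.tachtler.net'' (a wildcard matches exactly one label), and then does a STARTTLS probe against the AMaViS listener to report the negotiated protocol version and cipher. Assumptions not taken from the page: AMaViS listens on ''127.0.0.1:10024'' and the probe runs on the same host; the CA bundle path is the one the page uses for ''SSL_ca_file''.

```python
"""Check the TLS that amavisd-new actually negotiates on its SMTP listener.

Added example; not code from the page or the AMaViS project. Assumed (not from
the page): listener 127.0.0.1:10024, probe run on the AMaViS host itself.
"""
import smtplib
import ssl

# Cipher list copied verbatim from the page's %smtpd_tls_server_options.
PAGE_CIPHER_LIST = (
    "ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-DSS-DES-CBC3-SHA:!KRB5-DES:!CBC3-SHA:!iAES128-SHA:!DHE-RSA-AES128-SHA:"
    "!AES256-SHA:!DHE-RSA-AES256-SHA:!CAMELLIA128-SHA:!iDHE-RSA-CAMELLIA128-SHA:"
    "!iCAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA"
)

# OpenSSL cipher-string keywords that name groups of suites, not single suites.
GROUP_KEYWORDS = {"ALL", "DEFAULT", "COMPLEMENTOFALL", "HIGH", "MEDIUM", "LOW",
                  "aNULL", "eNULL", "EXPORT", "DES", "3DES", "RC4", "MD5", "PSK",
                  "aECDH", "kRSA", "aRSA", "SHA", "SHA1", "SSLv3", "TLSv1", "TLSv1.2"}

# Versions the page's SSL_version string still permits but a modern site should not see.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def excluded_names(cipher_list):
    """Return the '!'-prefixed tokens of an OpenSSL cipher string, without the '!'."""
    return {tok[1:] for tok in cipher_list.split(":") if tok.startswith("!")}


def unknown_exclusions(cipher_list, known_suites):
    """Exclusions that are neither a group keyword nor a suite name OpenSSL knows.

    Such a token matches nothing, so the suite it was meant to disable stays
    enabled. known_suites comes from SSLContext.get_ciphers() on a real host
    (see main) or from a constructed list in a test.
    """
    return sorted(excluded_names(cipher_list) - GROUP_KEYWORDS - set(known_suites))


def wildcard_matches(pattern, hostname):
    """Name matching as TLS clients do it (RFC 6125): a leading '*' stands for
    exactly one DNS label, so '*.tachtler.net' covers 'amavis.tachtler.net'
    but not 'amavis.idmz.tachtler.net'. Only a single leading wildcard is handled."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        raise ValueError("only a single leading wildcard label is supported")
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def findings(version, cipher, cipher_list):
    """Flag a negotiated (version, cipher) pair against the configured policy."""
    out = []
    if version in LEGACY_VERSIONS:
        out.append(f"legacy protocol {version} negotiated")
    if cipher in excluded_names(cipher_list):
        out.append(f"cipher {cipher} is excluded by SSL_cipher_list but was negotiated")
    return out


def probe_starttls(host, port, ca_file, check_hostname=True):
    """STARTTLS against the amavisd listener; return (version, cipher, peer cert).

    The hostname check uses `host`, so pass the DNS name when check_hostname is
    True, or an IP with check_hostname=False (the equivalent of the page's
    SSL_verifycn_scheme => 'none': chain verified, name not bound). The default
    context refuses anything below TLS 1.2, so a handshake failure is a finding.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = check_hostname
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)  # sends EHLO first if needed
        sock = smtp.sock  # now an SSLSocket
        return sock.version(), sock.cipher()[0], sock.getpeercert()


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL")  # every suite this OpenSSL build knows
    known = [c["name"] for c in ctx.get_ciphers()]
    print("exclusions matching no known suite:", unknown_exclusions(PAGE_CIPHER_LIST, known))
    print("*.tachtler.net covers amavis.idmz.tachtler.net:",
          wildcard_matches("*.tachtler.net", "amavis.idmz.tachtler.net"))
    version, cipher, cert = probe_starttls("127.0.0.1", 10024,
                                           "/etc/pki/tls/certs/ca-bundle.crt",
                                           check_hostname=False)
    print(version, cipher, cert.get("subject"))
    for f in findings(version, cipher, PAGE_CIPHER_LIST):
        print("FINDING:", f)
```

Run it on the AMaViS host after a restart; the first line of output is worth reading before the probe, because an exclusion token that names no suite leaves that suite enabled no matter how long the list is. The probe only exercises the inbound side (AMaViS as TLS server); the outbound ''%smtp_tls_client_options'' are verified by reading the TLS line Postfix logs for the connection from AMaViS on port 10025.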
| |
==== /etc/postfix/master.cf ==== | ==== /etc/postfix/master.cf ==== |