
This is an old revision of the document!


Postfix AMaViS

AMaViS (A MAil Virus Scanner) is a content checker that scans e-mail for spam and viruses. To do so it relies on external programs, such as the well-known SpamAssassin and, for example, ClamAV, and integrates them into itself and thereby into Postfix.

:!: IMPORTANT - The following must be observed in any case

  • without a working installation of SpamAssassin and
  • without a working installation of ClamAV

AMaViS (A MAil Virus Scanner) cannot be operated, or only with considerable effort!

Downloading Postfix AMaViS

AMaViS (A MAil Virus Scanner) can be downloaded from the following link. An RPM package should be preferred, so a repository is chosen here as the source of an RPM package rather than the source code for compiling it yourself!

:!: IMPORTANT - Since installing AMaViS (A MAil Virus Scanner) requires a large number of dependencies to be satisfied, it is advisable to add the RPMforge repository to the yum package manager!

:!: IMPORTANT - Detailed instructions on how to add the RPMforge repository to CentOS can be found under Repository einbinden CentOS 5!

Installing Postfix AMaViS

With the RPMforge repository added, all dependencies can be resolved and AMaViS (A MAil Virus Scanner) can be installed.

The command required for the installation is:

# yum install amavisd-new
Loading "priorities" plugin
Loading "fastestmirror" plugin
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
 * base: mirror.silyus.net
 * updates: mirror.silyus.net
 * addons: mirror.silyus.net
 * extras: mirror.silyus.net
339 packages excluded due to repository priority protections
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package amavisd-new.i386 0:2.5.4-1.el5.rf set to be updated
--> Processing Dependency: cabextract for package: amavisd-new
--> Processing Dependency: arc >= 5.21e for package: amavisd-new
--> Processing Dependency: nomarch >= 1.2 for package: amavisd-new
--> Processing Dependency: ripole for package: amavisd-new
--> Processing Dependency: ncompress for package: amavisd-new
--> Processing Dependency: perl(MIME::Tools) >= 5.420 for package: amavisd-new
--> Processing Dependency: perl(MIME::Parser) for package: amavisd-new
--> Processing Dependency: perl(Convert::UUlib) for package: amavisd-new
--> Processing Dependency: unrar >= 2.71 for package: amavisd-new
--> Processing Dependency: lha for package: amavisd-new
--> Processing Dependency: perl(Convert::TNEF) for package: amavisd-new
--> Processing Dependency: lzop for package: amavisd-new
--> Processing Dependency: perl-MailTools for package: amavisd-new
--> Processing Dependency: perl(MIME::Words) for package: amavisd-new
--> Processing Dependency: freeze for package: amavisd-new
--> Processing Dependency: perl(IO::Stringy) for package: amavisd-new
--> Processing Dependency: zoo >= 2.10 for package: amavisd-new
--> Processing Dependency: perl(MIME::Entity) for package: amavisd-new
--> Processing Dependency: perl(Archive::Zip) >= 1.14 for package: amavisd-new
--> Processing Dependency: unarj for package: amavisd-new
--> Running transaction check
---> Package perl-Convert-UUlib.i386 0:1.051-1.2.el5.rf set to be updated
---> Package perl-Convert-TNEF.noarch 0:0.17-3.2.el5.rf set to be updated
---> Package freeze.i386 0:2.5.0-1.2.el5.rf set to be updated
---> Package cabextract.i386 0:1.2-1.el5.rf set to be updated
---> Package unrar.i386 0:3.8.2-1.el5.rf set to be updated
---> Package perl-MIME-tools.noarch 0:5.420-2.el5.rf set to be updated
--> Processing Dependency: perl(Convert::BinHex) for package: perl-MIME-tools
---> Package zoo.i386 0:2.10-2.2.el5.rf set to be updated
---> Package lha.i386 0:1.14i-19.2.2.el5.rf set to be updated
---> Package ripole.i386 0:0.2.0-1.2.el5.rf set to be updated
---> Package perl-Archive-Zip.noarch 0:1.16-1.2.1 set to be updated
---> Package nomarch.i386 0:1.4-1.el5.rf set to be updated
---> Package perl-MailTools.noarch 0:1.77-1.el5.centos set to be updated
--> Processing Dependency: perl(Date::Parse) for package: perl-MailTools
--> Processing Dependency: perl(Date::Format) for package: perl-MailTools
---> Package arj.i386 0:3.10.22-1.el5.centos set to be updated
---> Package lzop.i386 0:1.01-2.el5.rf set to be updated
--> Processing Dependency: liblzo.so.1 for package: lzop
---> Package perl-IO-stringy.noarch 0:2.110-1.2.el5.rf set to be updated
---> Package arc.i386 0:5.21o-1.el5.rf set to be updated
---> Package ncompress.i386 0:4.2.4-47 set to be updated
--> Running transaction check
---> Package lzo.i386 0:1.08-5.el5.rf set to be updated
---> Package perl-TimeDate.noarch 1:1.16-5.el5 set to be updated
---> Package perl-Convert-BinHex.noarch 0:1.119-2.2.el5.rf set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size 
=============================================================================
Installing:
 amavisd-new             i386       2.5.4-1.el5.rf   rpmforge          745 k
Installing for dependencies:
 arc                     i386       5.21o-1.el5.rf   rpmforge           63 k
 arj                     i386       3.10.22-1.el5.centos  extras            168 k
 cabextract              i386       1.2-1.el5.rf     rpmforge           47 k
 freeze                  i386       2.5.0-1.2.el5.rf  rpmforge           23 k
 lha                     i386       1.14i-19.2.2.el5.rf  rpmforge           48 k
 lzo                     i386       1.08-5.el5.rf    rpmforge          143 k
 lzop                    i386       1.01-2.el5.rf    rpmforge           47 k
 ncompress               i386       4.2.4-47         base               23 k
 nomarch                 i386       1.4-1.el5.rf     rpmforge           18 k
 perl-Archive-Zip        noarch     1.16-1.2.1       base              138 k
 perl-Convert-BinHex     noarch     1.119-2.2.el5.rf  rpmforge           34 k
 perl-Convert-TNEF       noarch     0.17-3.2.el5.rf  rpmforge           18 k
 perl-Convert-UUlib      i386       1.051-1.2.el5.rf  rpmforge          305 k
 perl-IO-stringy         noarch     2.110-1.2.el5.rf  rpmforge           70 k
 perl-MIME-tools         noarch     5.420-2.el5.rf   rpmforge          276 k
 perl-MailTools          noarch     1.77-1.el5.centos  extras             91 k
 perl-TimeDate           noarch     1:1.16-5.el5     base               32 k
 ripole                  i386       0.2.0-1.2.el5.rf  rpmforge           47 k
 unrar                   i386       3.8.2-1.el5.rf   rpmforge          112 k
 zoo                     i386       2.10-2.2.el5.rf  rpmforge           71 k

Transaction Summary
=============================================================================
Install     21 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 2.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/21): ncompress-4.2.4-4 100% |=========================|  23 kB    00:00     
(2/21): arc-5.21o-1.el5.r 100% |=========================|  63 kB    00:00     
(3/21): perl-IO-stringy-2 100% |=========================|  70 kB    00:00     
(4/21): lzop-1.01-2.el5.r 100% |=========================|  47 kB    00:00     
(5/21): arj-3.10.22-1.el5 100% |=========================| 168 kB    00:00     
(6/21): perl-MailTools-1. 100% |=========================|  91 kB    00:00     
(7/21): nomarch-1.4-1.el5 100% |=========================|  18 kB    00:00     
(8/21): perl-Archive-Zip- 100% |=========================| 138 kB    00:00     
(9/21): ripole-0.2.0-1.2. 100% |=========================|  47 kB    00:00     
(10/21): perl-Convert-Bin 100% |=========================|  34 kB    00:00     
(11/21): perl-TimeDate-1. 100% |=========================|  32 kB    00:00     
(12/21): lha-1.14i-19.2.2 100% |=========================|  48 kB    00:00     
(13/21): zoo-2.10-2.2.el5 100% |=========================|  71 kB    00:00     
(14/21): perl-MIME-tools- 100% |=========================| 276 kB    00:00     
(15/21): unrar-3.8.2-1.el 100% |=========================| 112 kB    00:00     
(16/21): amavisd-new-2.5. 100% |=========================| 745 kB    00:00     
(17/21): cabextract-1.2-1 100% |=========================|  47 kB    00:00     
(18/21): freeze-2.5.0-1.2 100% |=========================|  23 kB    00:00     
(19/21): perl-Convert-TNE 100% |=========================|  18 kB    00:00     
(20/21): perl-Convert-UUl 100% |=========================| 305 kB    00:00     
(21/21): lzo-1.08-5.el5.r 100% |=========================| 143 kB    00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: perl-IO-stringy              ####################### [ 1/21] 
  Installing: ncompress                    ####################### [ 2/21] 
  Installing: arc                          ####################### [ 3/21] 
  Installing: arj                          ####################### [ 4/21] 
  Installing: nomarch                      ####################### [ 5/21] 
  Installing: perl-Archive-Zip             ####################### [ 6/21] 
  Installing: ripole                       ####################### [ 7/21] 
  Installing: perl-Convert-BinHex          ####################### [ 8/21] 
  Installing: perl-TimeDate                ####################### [ 9/21] 
  Installing: perl-MailTools               ####################### [10/21] 
  Installing: perl-MIME-tools              ####################### [11/21] 
  Installing: perl-Convert-TNEF            ####################### [12/21] 
  Installing: lha                          ####################### [13/21] 
  Installing: zoo                          ####################### [14/21] 
  Installing: unrar                        ####################### [15/21] 
  Installing: cabextract                   ####################### [16/21] 
  Installing: freeze                       ####################### [17/21] 
  Installing: perl-Convert-UUlib           ####################### [18/21] 
  Installing: lzo                          ####################### [19/21] 
  Installing: lzop                         ####################### [20/21] 
id: clamav: No such user
usermod: user clamav does not exist
  Installing: amavisd-new                  ####################### [21/21] 

Installed: amavisd-new.i386 0:2.5.4-1.el5.rf
Dependency Installed: arc.i386 0:5.21o-1.el5.rf arj.i386 0:3.10.22-1.el5.centos cabextract.i386 0:1.2-1.el5.rf freeze.i386 0:2.5.0-1.2.el5.rf lha.i386 0:1.14i-19.2.2.el5.rf lzo.i386 0:1.08-5.el5.rf lzop.i386 0:1.01-2.el5.rf ncompress.i386 0:4.2.4-47 nomarch.i386 0:1.4-1.el5.rf perl-Archive-Zip.noarch 0:1.16-1.2.1 perl-Convert-BinHex.noarch 0:1.119-2.2.el5.rf perl-Convert-TNEF.noarch 0:0.17-3.2.el5.rf perl-Convert-UUlib.i386 0:1.051-1.2.el5.rf perl-IO-stringy.noarch 0:2.110-1.2.el5.rf perl-MIME-tools.noarch 0:5.420-2.el5.rf perl-MailTools.noarch 0:1.77-1.el5.centos perl-TimeDate.noarch 1:1.16-5.el5 ripole.i386 0:0.2.0-1.2.el5.rf unrar.i386 0:3.8.2-1.el5.rf zoo.i386 0:2.10-2.2.el5.rf
Complete!

After a successful installation, the contents of the newly installed RPM package amavisd-new can be checked with the following command:

# rpm -qil amavisd-new | more
Name        : amavisd-new                  Relocations: (not relocatable)
Version     : 2.5.4                             Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el5.rf                      Build Date: Thu 13 Mar 2008 08:29:14 PM CET
Install Date: Fri 02 Jan 2009 12:33:04 PM CET      Build Host: lisse.leuven.wieers.com
Group       : System Environment/Daemons    Source RPM: amavisd-new-2.5.4-1.el5.rf.src.rpm
Size        : 2351302                          License: GPL
Signature   : DSA/SHA1, Fri 14 Mar 2008 03:09:06 AM CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <dag@wieers.com>
URL         : http://www.ijs.si/software/amavisd/
Summary     : Mail virus-scanner
Description :
AMaViS is a program that interfaces a mail transfer agent (MTA) with
one or more virus scanners.

Amavisd-new is a branch created by Mark Martinec that adds serveral
performance and robustness features. It's partly based on
work being done on the official amavisd branch. Please see the
README.amavisd-new-RELNOTES file for a detailed description.
/etc/amavisd.conf
/etc/cron.daily/amavisd
/etc/logrotate.d/amavisd
/etc/openldap/schema/amavisd-new.schema
/etc/rc.d/init.d/amavisd
/etc/sysconfig/amavisd
/usr/sbin/amavisd
/usr/sbin/amavisd-agent
/usr/sbin/amavisd-nanny
/usr/sbin/amavisd-release
/usr/sbin/p0f-analyzer
/usr/share/doc/amavisd-new-2.5.4
/usr/share/doc/amavisd-new-2.5.4/AAAREADME.first
/usr/share/doc/amavisd-new-2.5.4/LDAP.schema
/usr/share/doc/amavisd-new-2.5.4/LICENSE
/usr/share/doc/amavisd-new-2.5.4/MANIFEST
/usr/share/doc/amavisd-new-2.5.4/README.banned
/usr/share/doc/amavisd-new-2.5.4/README.chroot
/usr/share/doc/amavisd-new-2.5.4/README.contributed
/usr/share/doc/amavisd-new-2.5.4/README.courier
/usr/share/doc/amavisd-new-2.5.4/README.courier-old
/usr/share/doc/amavisd-new-2.5.4/README.customize
/usr/share/doc/amavisd-new-2.5.4/README.exim_v3
/usr/share/doc/amavisd-new-2.5.4/README.exim_v3_app
/usr/share/doc/amavisd-new-2.5.4/README.exim_v4
/usr/share/doc/amavisd-new-2.5.4/README.exim_v4_app
/usr/share/doc/amavisd-new-2.5.4/README.exim_v4_app2
/usr/share/doc/amavisd-new-2.5.4/README.ldap
/usr/share/doc/amavisd-new-2.5.4/README.lookups
/usr/share/doc/amavisd-new-2.5.4/README.milter
/usr/share/doc/amavisd-new-2.5.4/README.old.scanners
/usr/share/doc/amavisd-new-2.5.4/README.performance
/usr/share/doc/amavisd-new-2.5.4/README.policy-on-notifications
/usr/share/doc/amavisd-new-2.5.4/README.postfix
/usr/share/doc/amavisd-new-2.5.4/README.postfix.html
/usr/share/doc/amavisd-new-2.5.4/README.protocol
/usr/share/doc/amavisd-new-2.5.4/README.sendmail
/usr/share/doc/amavisd-new-2.5.4/README.sendmail-dual
/usr/share/doc/amavisd-new-2.5.4/README.sendmail-dual.old
/usr/share/doc/amavisd-new-2.5.4/README.sql
/usr/share/doc/amavisd-new-2.5.4/README.sql-mysql
/usr/share/doc/amavisd-new-2.5.4/README.sql-pg
/usr/share/doc/amavisd-new-2.5.4/RELEASE_NOTES
/usr/share/doc/amavisd-new-2.5.4/TODO-SNMP-AGENT
/usr/share/doc/amavisd-new-2.5.4/amavisd-new-docs.html
/usr/share/doc/amavisd-new-2.5.4/amavisd.conf
/usr/share/doc/amavisd-new-2.5.4/amavisd.conf-default
/usr/share/doc/amavisd-new-2.5.4/amavisd.conf-sample
/usr/share/doc/amavisd-new-2.5.4/amavisd.conf.orig
/usr/share/doc/amavisd-new-2.5.4/images
/usr/share/doc/amavisd-new-2.5.4/images/1.png
/usr/share/doc/amavisd-new-2.5.4/images/2.png
/usr/share/doc/amavisd-new-2.5.4/images/3.png
/usr/share/doc/amavisd-new-2.5.4/images/4.png
/usr/share/doc/amavisd-new-2.5.4/images/5.png
/usr/share/doc/amavisd-new-2.5.4/images/6.png
/usr/share/doc/amavisd-new-2.5.4/images/7.png
/usr/share/doc/amavisd-new-2.5.4/images/8.png
/usr/share/doc/amavisd-new-2.5.4/images/9.png
/usr/share/doc/amavisd-new-2.5.4/images/blank.png
/usr/share/doc/amavisd-new-2.5.4/images/callouts
/usr/share/doc/amavisd-new-2.5.4/images/callouts/10.png
/usr/share/doc/amavisd-new-2.5.4/images/callouts/11.png
/usr/share/doc/amavisd-new-2.5.4/images/callouts/12.png
/usr/share/doc/amavisd-new-2.5.4/images/callouts/13.png
/usr/share/doc/amavisd-new-2.5.4/images/callouts/14.png
/usr/share/doc/amavisd-new-2.5.4/images/callouts/15.png
/usr/share/doc/amavisd-new-2.5.4/images/caution.png
/usr/share/doc/amavisd-new-2.5.4/images/draft.png
/usr/share/doc/amavisd-new-2.5.4/images/home.png
/usr/share/doc/amavisd-new-2.5.4/images/important.png
/usr/share/doc/amavisd-new-2.5.4/images/next.png
/usr/share/doc/amavisd-new-2.5.4/images/note.png
/usr/share/doc/amavisd-new-2.5.4/images/prev.png
/usr/share/doc/amavisd-new-2.5.4/images/tip.png
/usr/share/doc/amavisd-new-2.5.4/images/toc-blank.png
/usr/share/doc/amavisd-new-2.5.4/images/toc-minus.png
/usr/share/doc/amavisd-new-2.5.4/images/toc-plus.png
/usr/share/doc/amavisd-new-2.5.4/images/up.png
/usr/share/doc/amavisd-new-2.5.4/images/warning.png
/usr/share/doc/amavisd-new-2.5.4/screen.css
/usr/share/doc/amavisd-new-2.5.4/test-messages
/usr/share/doc/amavisd-new-2.5.4/test-messages/README
/usr/share/doc/amavisd-new-2.5.4/test-messages/sample.tar.gz.compl
/var/amavis
/var/amavis/db
/var/amavis/tmp
/var/amavis/var
/var/virusmails

The following user was also created, which can be checked with the following command:

# cat /etc/passwd | grep amavis
amavis:x:102:104:Amavis email scan user:/var/amavis:/bin/sh

In addition, the following groups were created, which can be checked with the following command:

# cat /etc/group | grep amavis
amavis:x:104:

To have AMaViS (A MAil Virus Scanner) start permanently after every system (re)start, the following command can be used. It adds AMaViS (A MAil Virus Scanner) to the start scripts of the operating system's individual runlevels:

# chkconfig amavisd on

Whether AMaViS (A MAil Virus Scanner) is started in the individual runlevels of the operating system on a system (re)start can be checked with the following command:

# chkconfig --list | grep amavisd
amavisd         0:off   1:off   2:on    3:on    4:on    5:on    6:off
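The account, group and runlevel checks above as one script, plus a membership test the install output calls for; this is an added example, not part of the original page. The `usermod: user clamav does not exist` message and the empty member list in `amavis:x:104:` show that no clamav account is in the amavis group at this point, which is one of the two arrangements the NOTE in the amavisd.conf excerpt further down names for clamd. The passwd, group and chkconfig samples are constructed from the output above, the function names are hypothetical, and `clamav` as the clamd user name is an assumption taken from that install message.

```shell
#!/bin/sh
# Added example (not from the original page): repeat the post-install checks
# against passwd/group files and test whether clamd may share amavisd's files.

# Constructed samples matching the command output shown above.
sample_passwd()    { echo 'amavis:x:102:104:Amavis email scan user:/var/amavis:/bin/sh'; }
sample_group()     { echo 'amavis:x:104:'; }
sample_chkconfig() { echo 'amavisd         0:off   1:off   2:on    3:on    4:on    5:on    6:off'; }

# passwd_field FILE USER N: field N (1-based) of USER's passwd entry, or nothing.
passwd_field() {
  awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# in_group PASSWD GROUPFILE USER GROUP: "yes" if GROUP is the user's primary or
# a supplementary group, "no" if not, "no-such-user" / "no-such-group" otherwise.
in_group() (
  gid=$(passwd_field "$1" "$3" 4)
  [ -n "$gid" ] || { echo no-such-user; exit 0; }
  awk -F: -v g="$4" -v u="$3" -v gid="$gid" '
    $1 == g {
      found = 1
      if ($3 == gid) member = 1                 # primary group
      n = split($4, m, ",")                     # supplementary members
      for (i = 1; i <= n; i++) if (m[i] == u) member = 1
    }
    END { print (found ? (member ? "yes" : "no") : "no-such-group") }
  ' "$2"
)

# clamd_access PASSWD GROUPFILE CLAMD_USER: mirrors the NOTE in amavisd.conf,
# which allows either the same uid as amavisd or membership in group amavis.
clamd_access() (
  [ "$3" = amavis ] && { echo same-user; exit 0; }
  in_group "$1" "$2" "$3" amavis
)

# runlevels_on LINE: runlevels marked "on" in one line of "chkconfig --list".
runlevels_on() {
  echo "$1" | tr -s ' \t' '\n' | sed -n 's/^\([0-6]\):on$/\1/p' | paste -sd' ' -
}

main() {
  p=$(mktemp); g=$(mktemp)
  sample_passwd > "$p"; sample_group > "$g"
  echo "amavis login shell : $(passwd_field "$p" amavis 7)"
  echo "clamav in amavis   : $(clamd_access "$p" "$g" clamav)"   # assumed clamd user
  echo "runlevels enabled  : $(runlevels_on "$(sample_chkconfig)")"
  rm -f "$p" "$g"
}
main
```

On a live system, pass `/etc/passwd` and `/etc/group` to `clamd_access` once ClamAV is installed; anything other than `yes` or `same-user` means the second arrangement from the NOTE is not in place.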

Configuring Postfix AMaViS

The basic configuration of AMaViS is done in the configuration file

  • /etc/amavisd.conf

The relevant changes compared with the default configuration of AMaViS are marked with the following comment:

# Tachtler

Here are the relevant changes to the configuration file, which is located under /etc and is named amavisd.conf (relevant excerpts only):

use strict;
 
# a minimalistic configuration file for amavisd-new with all necessary settings
#
#   see amavisd.conf-default for a list of all variables with their defaults;
#   see amavisd.conf-sample for a traditional-style commented file;
#   for more details see documentation in INSTALL, README_FILES/*
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
 
...
 
# Tachtler
# default: $mydomain = 'example.com';   # a convenient default for other settings
$mydomain = 'tachtler.net';   # a convenient default for other settings
 
...
 
# Tachtler
# default: $log_level = 0;              # verbosity 0..5, -d
$log_level = 3;              # verbosity 0..5, -d
 
...
 
# Tachtler
# default: @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
# default:                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
@mynetworks = qw( 127.0.0.0/8 [::1] 192.168.0.0/24 );
 
...
 
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
# Tachtler
# default: $sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_tag2_level_deflt = 6.31;  # add 'spam detected' headers at that level
# Tachtler
# default: $sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)
$sa_kill_level_deflt = 6.31;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
 
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?
 
...
 
# OTHER MORE COMMON SETTINGS (defaults may suffice):
 
# Tachtler
# default: # $myhostname = 'host.example.com';  # must be a fully-qualified domain name!
$myhostname = 'rechner000070.dmz.tachtler.net';  # must be a fully-qualified domain name!
 
$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
               # option(s) -p overrides $inet_socket_port and $unix_socketname
 
# Tachtler - !! IF POSTFIX (192.168.0.60) IS RUNNING ON ANOTHER SERVER, LIKE THIS (192.168.0.70) !!!
# $inet_socket_bind = undef; # listen to ALL Interfaces !!!
 
# Tachtler - !! IF POSTFIX (192.168.0.60) IS RUNNING ON ANOTHER SERVER, LIKE THIS (192.168.0.70) !!!
@inet_acl = qw( 127.0.0.1 192.168.0.60 192.168.0.70 );
 
$inet_socket_port = 10024;   # listen on this local TCP port(s)
 
# $notify_method  = 'smtp:[127.0.0.1]:10025';
# $forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!
 
# Tachtler - !!! IF POSTFIX (192.168.0.60) IS RUNNING ON ANOTHER SERVER, LIKE THIS (192.168.0.70) !!!
# $notify_method  = 'smtp:[192.168.0.60]:10025';
# $forward_method = 'smtp:[192.168.0.60]:10025';  # set to undef with milter!
 
# Tachtler
# default: # $final_virus_destiny      = D_DISCARD;
$final_virus_destiny      = D_REJECT;
# Tachtler
# default: # $final_banned_destiny     = D_BOUNCE;
$final_banned_destiny     = D_REJECT;
# Tachtler
# default: # $final_spam_destiny       = D_BOUNCE;
$final_spam_destiny       = D_REJECT;
# $final_bad_header_destiny = D_PASS;
# $bad_header_quarantine_method = undef;
 
# $os_fingerprint_method = 'p0f:*:2345';  # to query p0f-analyzer.pl
 
... 
 
# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
 
# $warnbadhsender,
# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
#
# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
# @bypass_banned_checks_maps, @bypass_header_checks_maps,
#
# @virus_lovers_maps, @spam_lovers_maps,
# @banned_files_lovers_maps, @bad_header_lovers_maps,
#
# @blacklist_sender_maps, @score_sender_maps,
#
# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
# $bad_header_quarantine_to, $spam_quarantine_to,
#
# $defang_bad_header, $defang_undecipherable, $defang_spam
 
# Tachtler
# New lines, not in standard config file.
# Possibility to - DISABLE - using the - QUARANTINEDIR - possibility.
# No e-Mails will be stored in /var/virusmails.
# - FUTUREUSE -
#
# $virus_quarantine_to = undef;
# $banned_quarantine_to = undef;
# $spam_quarantine_to = undef;
# $bad_header_quarantine_to = undef;
 
...
 
@av_scanners = (
 
# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
# ['Sophie',
#   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
 
# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],
 
# Tachtler
# default: # ### http://www.clamav.net/
# default: # ['ClamAV-clamd',
# default: #   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
# default: #   qr/\bOK$/, qr/\bFOUND$/,
# default: #   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ### http://www.clamav.net/
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
...

:!: IMPORTANT - If you run your own DNS server such as bind or named, please make sure that forward and reverse name resolution is possible for the host, here amavis.tachtler.net as an example!
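One way to audit the settings changed in the excerpt above, as an added example that is not part of the original page or of amavisd-new: it reads only active, single-line assignments, so the `# default:` lines never shadow the real value, and reports where port 10024 listens and which `@inet_acl` clients can actually reach it. The sample file is constructed from the excerpt and the function names are hypothetical; treating an unset `$inet_socket_bind` as loopback-only follows the `Binding to TCP port 10024 on host 127.0.0.1` line in the start-up log further down, and the tag <= tag2 <= kill ordering is an assumed sanity rule.

```shell
#!/bin/sh
# Added example (not from the original page): audit the amavisd.conf values
# changed above. Only single-line "NAME = value;" assignments are handled.

# Constructed sample mirroring the excerpt above; not a complete amavisd.conf.
sample_conf() {
  cat <<'EOF'
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
# default: $sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_tag2_level_deflt = 6.31;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31;  # triggers spam evasive actions (e.g. blocks mail)
# $inet_socket_bind = undef; # listen to ALL Interfaces !!!
@inet_acl = qw( 127.0.0.1 192.168.0.60 192.168.0.70 );
$inet_socket_port = 10024;   # listen on this local TCP port(s)
# default: # $final_virus_destiny      = D_DISCARD;
$final_virus_destiny      = D_REJECT;
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_REJECT;
# $final_bad_header_destiny = D_PASS;
EOF
}

# conf_get FILE KEY: value of the last active assignment to KEY, or "unset".
# Commented lines are skipped, so a plain grep-style match on the name is avoided.
conf_get() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (index(line, key) != 1) next
      rest = substr(line, length(key) + 1)
      if (rest !~ /^[ \t]*=/) next          # a longer name that shares the prefix
      sub(/^[ \t]*=[ \t]*/, "", rest)
      sub(/[ \t]*;.*$/, "", rest)           # drop ";" and trailing comment
      val = rest; found = 1
    }
    END { print (found ? val : "unset") }
  ' "$1"
}

# acl_entries FILE: members of a qw(...) style @inet_acl, one per line.
acl_entries() {
  conf_get "$1" '@inet_acl' | sed -e 's/^qw(//' -e 's/)$//' |
    tr -s ' \t' '\n' | sed '/^$/d'
}

# listener_exposure FILE: where the SMTP listener binds and which non-loopback
# clients @inet_acl admits. Unset bind = 127.0.0.1 (see the start-up log).
listener_exposure() (
  bind=$(conf_get "$1" '$inet_socket_bind')
  remote=$(acl_entries "$1" | grep -Ev '^(127\.|\[?::1\]?$|unset$)' | paste -sd, -)
  case "$bind" in
    unset) echo "loopback-only; remote ACL entries not reachable: ${remote:-none}" ;;
    undef) echo "all-interfaces; remote clients allowed: ${remote:-none}" ;;
    *)     echo "bound to $bind; remote clients allowed: ${remote:-none}" ;;
  esac
)

# destinies FILE: the active $final_*_destiny values on one line.
destinies() (
  out=""
  for kind in virus banned spam bad_header; do
    out="$out $kind=$(conf_get "$1" "\$final_${kind}_destiny")"
  done
  echo "${out# }"
)

# spam_levels_ordered FILE: "ok" when tag <= tag2 <= kill (assumed sanity rule).
spam_levels_ordered() (
  tag=$(conf_get "$1" '$sa_tag_level_deflt')
  tag2=$(conf_get "$1" '$sa_tag2_level_deflt')
  kill=$(conf_get "$1" '$sa_kill_level_deflt')
  awk -v a="$tag" -v b="$tag2" -v c="$kill" 'BEGIN {
    if (a == "unset" || b == "unset" || c == "unset") { print "incomplete"; exit }
    print ((a + 0 <= b + 0 && b + 0 <= c + 0) ? "ok" : "misordered")
  }'
)

main() {
  conf=${1:-}
  if [ -z "$conf" ]; then conf=$(mktemp); sample_conf > "$conf"; fi
  echo "listener   : $(listener_exposure "$conf")"
  echo "destinies  : $(destinies "$conf")"
  echo "spam levels: $(spam_levels_ordered "$conf")"
  [ -n "${1:-}" ] || rm -f "$conf"
}
main "$@"
```

Run it with `/etc/amavisd.conf` as the argument; with the excerpt as shown, the two 192.168.0.x entries in `@inet_acl` only take effect once `$inet_socket_bind` is uncommented.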

Configuring Postfix AMaViS: master.cf

:!: IMPORTANT - To connect AMaViS and Postfix, changes must also be made to the Postfix configuration file /etc/postfix/master.cf as follows

for CentOS version 5.x under

and for CentOS version 6.x under

Starting Postfix AMaViS

Now is the right time to start AMaViS, which can be done with the following command:

# service amavisd start

After AMaViS has started, output roughly like the following can be observed in the log file /var/log/maillog:

Jan  2 21:33:15 nss amavis[25312]: logging initialized, log level 3, syslog: amavis.mail
Jan  2 21:33:15 nss amavis[25312]: starting.  /usr/sbin/amavisd at amavis.tachtler.net amavisd-new-2.5.4 (20080312), Unicode aware, LANG="en_US.UTF-8"
Jan  2 21:33:15 nss amavis[25312]: user=102, EUID: 102 (102);  group=, EGID: 104 104 (104 104)
Jan  2 21:33:15 nss amavis[25312]: Perl version               5.008008
Jan  2 21:33:17 nss amavis[25312]: INFO: SA version: 3.2.4, 3.002004, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Mail::SpamAssassin::BayesStore::PgSQL Encode::Detect Mail::SpamAssassin::Plugin::DKIM Razor2::Client::Agent IP::Country::Fast Mail::DKIM Mail::DKIM::Verifier Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record NetAddr::IP NetAddr::IP::Util auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::ipv6_n2d Mail::SPF::Query Crypt::OpenSSL::RSA auto::Crypt::OpenSSL::RSA::new_public_key auto::Crypt::OpenSSL::RSA::new_key_from_parameters auto::Crypt::OpenSSL::RSA::get_key_parameters aut...
Jan  2 21:33:17 nss amavis[25312]: ...o::Crypt::OpenSSL::RSA::import_random_seed Error
Jan  2 21:33:17 nss amavis[25312]: SpamControl: init_pre_chroot done
Jan  2 21:33:17 nss amavis[25314]: Net::Server: Process Backgrounded
Jan  2 21:33:17 nss amavis[25314]: Net::Server: 2009/01/02-21:33:17 Amavis (type Net::Server::PreForkSimple) starting! pid(25314)
Jan  2 21:33:17 nss amavis[25314]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
Jan  2 21:33:17 nss amavis[25314]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Jan  2 21:33:17 nss amavis[25314]: Net::Server: Group Not Defined.  Defaulting to EGID '104 104'
Jan  2 21:33:17 nss amavis[25314]: Net::Server: User Not Defined.  Defaulting to EUID '102'
Jan  2 21:33:17 nss amavis[25314]: config files read: /etc/amavisd.conf
Jan  2 21:33:17 nss amavis[25314]: Module Amavis::Conf        2.094
Jan  2 21:33:17 nss amavis[25314]: Module Archive::Zip        1.26
Jan  2 21:33:17 nss amavis[25314]: Module BerkeleyDB          0.36
Jan  2 21:33:17 nss amavis[25314]: Module Compress::Zlib      2.015
Jan  2 21:33:17 nss amavis[25314]: Module Convert::TNEF       0.17
Jan  2 21:33:17 nss amavis[25314]: Module Convert::UUlib      1.051
Jan  2 21:33:17 nss amavis[25314]: Module DBD::mysql          4.010
Jan  2 21:33:17 nss amavis[25314]: Module DBI                 1.52
Jan  2 21:33:17 nss amavis[25314]: Module DB_File             1.814
Jan  2 21:33:17 nss amavis[25314]: Module Digest::MD5         2.36
Jan  2 21:33:17 nss amavis[25314]: Module Digest::SHA         5.47
Jan  2 21:33:17 nss amavis[25314]: Module Digest::SHA1        2.11
Jan  2 21:33:17 nss amavis[25314]: Module IO::Socket::INET6   2.51
Jan  2 21:33:17 nss amavis[25314]: Module MIME::Entity        5.420
Jan  2 21:33:17 nss amavis[25314]: Module MIME::Parser        5.420
Jan  2 21:33:17 nss amavis[25314]: Module MIME::Tools         5.420
Jan  2 21:33:17 nss amavis[25314]: Module Mail::Header        1.77
Jan  2 21:33:17 nss amavis[25314]: Module Mail::Internet      1.77
Jan  2 21:33:17 nss amavis[25314]: Module Mail::SpamAssassin  3.002004
Jan  2 21:33:17 nss amavis[25314]: Module Net::DNS            0.59
Jan  2 21:33:17 nss amavis[25314]: Module Net::Server         0.97
Jan  2 21:33:17 nss amavis[25314]: Module Time::HiRes         1.86
Jan  2 21:33:17 nss amavis[25314]: Module URI                 1.35
Jan  2 21:33:17 nss amavis[25314]: Module Unix::Syslog        1.0
Jan  2 21:33:17 nss amavis[25314]: Amavis::DB code      loaded
Jan  2 21:33:17 nss amavis[25314]: Amavis::Cache code   loaded
Jan  2 21:33:17 nss amavis[25314]: SQL base code        NOT loaded
Jan  2 21:33:17 nss amavis[25314]: SQL::Log code        NOT loaded
Jan  2 21:33:17 nss amavis[25314]: SQL::Quarantine      NOT loaded
Jan  2 21:33:17 nss amavis[25314]: Lookup::SQL code     NOT loaded
Jan  2 21:33:17 nss amavis[25314]: Lookup::LDAP code    NOT loaded
Jan  2 21:33:17 nss amavis[25314]: AM.PDP-in proto code loaded
Jan  2 21:33:17 nss amavis[25314]: SMTP-in proto code   loaded
Jan  2 21:33:17 nss amavis[25314]: Courier proto code   NOT loaded
Jan  2 21:33:17 nss amavis[25314]: SMTP-out proto code  loaded
Jan  2 21:33:17 nss amavis[25314]: Pipe-out proto code  NOT loaded
Jan  2 21:33:17 nss amavis[25314]: BSMTP-out proto code NOT loaded
Jan  2 21:33:17 nss amavis[25314]: Local-out proto code loaded
Jan  2 21:33:17 nss amavis[25314]: OS_Fingerprint code  NOT loaded
Jan  2 21:33:17 nss amavis[25314]: ANTI-VIRUS code      loaded
Jan  2 21:33:17 nss amavis[25314]: ANTI-SPAM code       loaded
Jan  2 21:33:17 nss amavis[25314]: ANTI-SPAM-SA code    loaded
Jan  2 21:33:17 nss amavis[25314]: Unpackers code       loaded
Jan  2 21:33:17 nss amavis[25314]: Found $file            at /usr/bin/file
Jan  2 21:33:17 nss amavis[25314]: No $dspam,             not using it
Jan  2 21:33:17 nss amavis[25314]: No $altermime,         not using it
Jan  2 21:33:17 nss amavis[25314]: Internal decoder for .mail
Jan  2 21:33:17 nss amavis[25314]: Internal decoder for .asc
Jan  2 21:33:17 nss amavis[25314]: Internal decoder for .uue
Jan  2 21:33:17 nss amavis[25314]: Internal decoder for .hqx
Jan  2 21:33:17 nss amavis[25314]: Internal decoder for .ync
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .F    at /usr/bin/unfreeze
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .Z    at /usr/bin/uncompress
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .gz   at /usr/bin/gzip -d
Jan  2 21:33:17 nss amavis[25314]: Internal decoder for .gz   (backup, not used)
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .bz2  at /usr/bin/bzip2 -d
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .lzo  at /usr/bin/lzop -d
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .rpm  at /usr/bin/rpm2cpio
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .cpio at /usr/bin/pax
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .tar  at /usr/bin/pax
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .deb  at /usr/bin/ar
Jan  2 21:33:17 nss amavis[25314]: Internal decoder for .zip
Jan  2 21:33:17 nss amavis[25314]: No decoder for       .7z   tried: 7zr, 7za, 7z
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .rar  at /usr/bin/unrar
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .arj  at /usr/bin/arj
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .arc  at /usr/bin/nomarch
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .zoo  at /usr/bin/zoo
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .lha  at /usr/bin/lha
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .cab  at /usr/bin/cabextract
Jan  2 21:33:17 nss amavis[25314]: No decoder for       .tnef tried: tnef
Jan  2 21:33:17 nss amavis[25314]: Internal decoder for .tnef
Jan  2 21:33:17 nss amavis[25314]: Found decoder for    .exe  at /usr/bin/unrar; /usr/bin/lha; /usr/bin/arj
Jan  2 21:33:17 nss amavis[25314]: Using primary internal av scanner code for ClamAV-clamd
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: KasperskyLab AVP - aveclient
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: KasperskyLab AntiViral Toolkit Pro (AVP)
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: KasperskyLab AVPDaemonClient
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: CentralCommand Vexira (new) vascan
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: Avira AntiVir
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: Command AntiVirus for Linux
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: Symantec CarrierScan via Symantec CommandLineScanner
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: Symantec AntiVirus Scan Engine
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: F-Secure Antivirus for Linux servers
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: CAI InoculateIT
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: CAI eTrust Antivirus
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: MkS_Vir for Linux (beta)
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: MkS_Vir daemon
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: ESET NOD32 Linux Mail Server - command line interface
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: ESET NOD32 for Linux File servers
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: Norman Virus Control v5 / Linux
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: Panda CommandLineSecure 9 for Linux
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: NAI McAfee AntiVirus (uvscan)
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: VirusBuster
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: CyberSoft VFind
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: avast! Antivirus
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: Ikarus AntiVirus for Linux
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: BitDefender
Jan  2 21:33:17 nss amavis[25314]: No primary av scanner: BitDefender
Jan  2 21:33:18 nss amavis[25314]: No primary av scanner: ArcaVir for Linux
Jan  2 21:33:18 nss amavis[25314]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Jan  2 21:33:18 nss amavis[25314]: No secondary av scanner: F-PROT Antivirus for UNIX
Jan  2 21:33:18 nss amavis[25314]: No secondary av scanner: FRISK F-Prot Antivirus
Jan  2 21:33:18 nss amavis[25314]: No secondary av scanner: Trend Micro FileScanner
Jan  2 21:33:18 nss amavis[25314]: No secondary av scanner: drweb - DrWeb Antivirus
Jan  2 21:33:18 nss amavis[25314]: No secondary av scanner: Kaspersky Antivirus v5.5
Jan  2 21:33:18 nss amavis[25314]: Creating db in /var/amavis/db/; BerkeleyDB 0.36, libdb 4.3
Jan  2 21:33:18 nss amavis[25314]: SpamControl: initializing Mail::SpamAssassin
Jan  2 21:33:21 nss amavis[25314]: SpamControl: init_pre_fork done
Jan  2 21:33:21 nss amavis[25320]: TIMING [total 28 ms] - bdb-open: 28 (100%)100, rundown: 0 (0%)100
Jan  2 21:33:21 nss amavis[25321]: TIMING [total 15 ms] - bdb-open: 15 (100%)100, rundown: 0 (0%)100

The following command can be used to check whether AMaViS is listening on localhost (127.0.0.1), port 10024:

# netstat -tulpen | grep amavis
tcp        0      0 127.0.0.1:10024             0.0.0.0:*                   LISTEN      102        104354     22140/amavisd (mast

or

# lsof -i :10024
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
amavisd 22140 amavis    6u  IPv4 104354       TCP localhost.localdomain:10024 (LISTEN)
amavisd 22146 amavis    6u  IPv4 104354       TCP localhost.localdomain:10024 (LISTEN)
amavisd 22147 amavis    6u  IPv4 104354       TCP localhost.localdomain:10024 (LISTEN)

The following test shows whether AMaViS also answers correctly on localhost (127.0.0.1), port 10024:

# telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
QUIT
221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel
Connection closed by foreign host.

Finally, Postfix must also be restarted with the following command:

# service postfix restart

The following command can be used to check whether Postfix is listening on localhost (127.0.0.1) on port 25 and additionally on port 10025:

# netstat -tulpen | grep master
tcp        0      0 127.0.0.1:10025             0.0.0.0:*                   LISTEN      0          106933     22304/master        
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      0          106927     22304/master

or

# lsof -i :25
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
master  22304 root   11u  IPv4 106927       TCP *:smtp (LISTEN)

and

# lsof -i :10025
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
master  22304 root   14u  IPv4 106933       TCP localhost.localdomain:10025 (LISTEN)

The following test shows whether Postfix also answers correctly on localhost (127.0.0.1), port 10025:

# telnet localhost 10025
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mx1.tachtler.net ESMTP Postfix
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
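
The listener checks above, combined into one script, as an added example that is not part of the original page: it parses `netstat -tulpen` output and reports every deviation from the layout shown here (amavisd on 127.0.0.1:10024, the Postfix master on 127.0.0.1:10025 and on port 25). The function names are hypothetical, and the second sample is constructed to show a deviation.

```python
import ipaddress
from typing import NamedTuple

# Layout shown on this page: port -> (program name, must be loopback-only).
EXPECTED = {
    10024: ("amavisd", True),   # amavisd-new content filter
    10025: ("master", True),    # Postfix listener that takes mail back from amavisd
    25:    ("master", False),   # public SMTP
}

# The two netstat outputs from this page, joined into one sample.
PAGE_SAMPLE = """\
tcp        0      0 127.0.0.1:10024             0.0.0.0:*                   LISTEN      102        104354     22140/amavisd (mast
tcp        0      0 127.0.0.1:10025             0.0.0.0:*                   LISTEN      0          106933     22304/master
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      0          106927     22304/master
"""

# Constructed sample: 10025 bound to all interfaces, amavisd not running.
BAD_SAMPLE = """\
tcp        0      0 0.0.0.0:10025               0.0.0.0:*                   LISTEN      0          106933     22304/master
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      0          106927     22304/master
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               0          9876       1800/dhclient
"""


class Listener(NamedTuple):
    address: str
    port: int
    program: str


def parse_listeners(netstat_output):
    """Return the TCP LISTEN sockets from `netstat -tulpen` output."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # header, UDP socket or truncated line
        address, _, port = fields[3].rpartition(":")   # also handles ":::25"
        if not port.isdigit():
            continue
        program = fields[8].partition("/")[2]          # "22140/amavisd" -> "amavisd"
        listeners.append(Listener(address, int(port), program))
    return listeners


def is_loopback(address):
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # anything that is not a literal IP address


def audit(netstat_output):
    """Compare the listeners with EXPECTED and return a list of findings."""
    findings, seen = [], set()
    for lst in parse_listeners(netstat_output):
        if lst.port not in EXPECTED:
            continue
        program, loopback_only = EXPECTED[lst.port]
        seen.add(lst.port)
        if not lst.program.startswith(program):
            findings.append(f"port {lst.port}: owned by {lst.program!r}, expected {program}")
        if loopback_only and not is_loopback(lst.address):
            findings.append(f"port {lst.port}: bound to {lst.address}, expected loopback only")
    for port in sorted(set(EXPECTED) - seen):
        findings.append(f"port {port}: nothing listening")
    return findings


if __name__ == "__main__":
    for name, sample in (("page sample", PAGE_SAMPLE), ("constructed sample", BAD_SAMPLE)):
        print(name, "->", audit(sample) or "OK")
```

On a live system, feed it the real output, for example with `subprocess.run(["netstat", "-tulpen"], capture_output=True, text=True).stdout`, run as root so the PID/program column is filled in.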

Testing Postfix AMaViS

As a test scenario, an e-mail was sent via Telnet from a friend's server (not a spammer) to mx1.tachtler.net.

:-) Many thanks to Michi!

Here is an excerpt from the log file /var/log/maillog:

Jan  2 22:10:42 nss postfix/smtpd[25835]: connect from mx1.nausch.org[88.217.187.21]
Jan  2 22:11:02 nss postfix/policyd-weight[22442]: decided action=PREPEND X-policyd-weight: using cached result; rate: -7.6; <client=88.217.187.21> <helo=mx1.nausch.org> <from=michael@nausch.org> <to=klaus@tachtler.net>; delay: 0s
Jan  2 22:11:02 nss postgrey[2292]: action=pass, reason=triplet found, client_name=mx1.nausch.org, client_address=88.217.187.21, sender=michael@nausch.org, recipient=klaus@tachtler.net
Jan  2 22:11:02 nss postfix/cleanup[25842]: 67A624129A: message-id=<20090102211102.67A624129A@mx1.tachtler.net>
Jan  2 22:11:02 nss postfix/qmgr[25747]: 67A624129A: from=<postmaster@tachtler.net>, size=260, nrcpt=1 (queue active)
Jan  2 22:11:02 nss postfix/local[25843]: 67A624129A: to=<klaus@tachtler.net>, relay=local, delay=0.06, delays=0.01/0.04/0/0, dsn=2.0.0, status=deliverable (delivers to mailbox)
Jan  2 22:11:02 nss postfix/qmgr[25747]: 67A624129A: removed
Jan  2 22:11:05 nss amavis[25680]: process_request: fileno sock=12, STDIN=0, STDOUT=1
Jan  2 22:11:05 nss postfix/smtpd[25835]: NOQUEUE: client=mx1.nausch.org[88.217.187.21]
Jan  2 22:11:05 nss amavis[25680]: (25680-01) ESMTP::10024 /var/amavis/tmp/amavis-20090102T221105-25680: <michael@nausch.org> -> <klaus@tachtler.net> Received: from mx1.tachtler.net ([127.0.0.1]) by localhost (amavis.tachtler.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <klaus@tachtler.net>; Fri,  2 Jan 2009 22:11:05 +0100 (CET)
Jan  2 22:11:28 nss amavis[25680]: (25680-01) body hash: 64181cbd08dbef5994d7f39c5d09546d
Jan  2 22:11:28 nss amavis[25680]: (25680-01) Checking: pUEviqhGUmnF [88.217.187.21] <michael@nausch.org> -> <klaus@tachtler.net>
Jan  2 22:11:28 nss amavis[25680]: (25680-01) 2822.From: <kowalski@nausch.org>, 2821.Mail_From: <michael@nausch.org>
Jan  2 22:11:28 nss amavis[25680]: (25680-01) p001 1 Content-Type: text/plain, size: 31 B, name:
Jan  2 22:11:28 nss amavis[25680]: (25680-01) check_header: 7, Missing required header field: "Date"
Jan  2 22:11:29 nss amavis[25680]: (25680-01) Checking for banned types and filenames
Jan  2 22:11:29 nss amavis[25680]: (25680-01) collect banned table[0]: klaus@tachtler.net, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x98bbf0c)
Jan  2 22:11:29 nss amavis[25680]: (25680-01) p.path klaus@tachtler.net: "P=p001,L=1,M=text/plain,T=asc"
Jan  2 22:11:29 nss amavis[25680]: (25680-01) Using ClamAV-clamd: (built-in interface)
Jan  2 22:11:29 nss amavis[25680]: (25680-01) Using (ClamAV-clamd) on dir: CONTSCAN /var/amavis/tmp/amavis-20090102T221105-25680/parts\n
Jan  2 22:11:29 nss amavis[25680]: (25680-01) ClamAV-clamd: Connecting to socket  /var/run/clamav/clamd
Jan  2 22:11:29 nss amavis[25680]: (25680-01) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20090102T221105-25680/parts\n to UNIX socket /var/run/clamav/clamd
Jan  2 22:11:29 nss amavis[25680]: (25680-01) ask_av (ClamAV-clamd): /var/amavis/tmp/amavis-20090102T221105-25680/parts CLEAN
Jan  2 22:11:29 nss amavis[25680]: (25680-01) ClamAV-clamd result: clean
Jan  2 22:11:29 nss amavis[25680]: (25680-01) spam_scan: score=2.537 autolearn=no tests=[AWL=1.250,MISSING_DATE=0.001,MISSING_MID=0.001,MISSING_SUBJECT=1.285]
Jan  2 22:11:29 nss amavis[25680]: (25680-01) do_notify_and_quar: ccat=BadHdr (4,7) ("4":BadHdr, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(), q_mth=local:badh-%m, qar_mth=
Jan  2 22:11:29 nss amavis[25680]: (25680-01) local delivery: <> -> <bad-header-quarantine>, mbx=/var/virusmails/badh-pUEviqhGUmnF
Jan  2 22:11:29 nss amavis[25680]: (25680-01) SPAM-TAG, <michael@nausch.org> -> <klaus@tachtler.net>, No, score=2.537 tagged_above=2 required=6.31 tests=[AWL=1.250, MISSING_DATE=0.001, MISSING_MID=0.001, MISSING_SUBJECT=1.285]
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp creating socket by IO::Socket::INET: 127.0.0.1
Jan  2 22:11:29 nss postfix/smtpd[25847]: connect from localhost.localdomain[127.0.0.1]
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp resp to greeting: 220 mx1.tachtler.net ESMTP Postfix
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp cmd> EHLO localhost
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp resp to EHLO: 250 mx1.tachtler.net\nSIZE 10240000\nETRN\nXFORWARD NAME ADDR PROTO HELO SOURCE\nENHANCEDSTATUSCODES\n8BITMIME
Jan  2 22:11:29 nss amavis[25680]: (25680-01) No announced PIPELINING support by MTA?
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp cmd> XFORWARD ADDR=88.217.187.21 NAME=mx1.nausch.org PROTO=ESMTP HELO=mx1.nausch.org
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp resp to XFORWARD: 250 2.0.0 Ok
Jan  2 22:11:29 nss amavis[25680]: (25680-01) AUTH not needed, user='', MTA offers ''
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp cmd> MAIL FROM:<michael@nausch.org> BODY=7BIT
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp resp to MAIL: 250 2.1.0 Ok
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp cmd> RCPT TO:<klaus@tachtler.net>
Jan  2 22:11:29 nss postfix/smtpd[25847]: 8D9494129A: client=mx1.nausch.org[88.217.187.21]
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp resp to RCPT (<klaus@tachtler.net>): 250 2.1.5 Ok, id=25680-01, from MTA([127.0.0.1]:10025): 250 2.1.5 Ok
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp cmd> DATA
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
Jan  2 22:11:29 nss postfix/cleanup[25842]: 8D9494129A: message-id=<20090102211129.8D9494129A@mx1.tachtler.net>
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp resp to data-dot (<klaus@tachtler.net>): 250 2.0.0 Ok: queued as 8D9494129A
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp cmd> QUIT
Jan  2 22:11:29 nss postfix/smtpd[25847]: disconnect from localhost.localdomain[127.0.0.1]
Jan  2 22:11:29 nss amavis[25680]: (25680-01) smtp resp to QUIT: 221 2.0.0 Bye
Jan  2 22:11:29 nss amavis[25680]: (25680-01) FWD via SMTP: <michael@nausch.org> -> <klaus@tachtler.net>,BODY=7BIT 250 2.6.0 Ok, id=25680-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8D9494129A
Jan  2 22:11:29 nss amavis[25680]: (25680-01) Passed BAD-HEADER, [88.217.187.21] [88.217.187.21] <michael@nausch.org> -> <klaus@tachtler.net>, quarantine: badh-pUEviqhGUmnF, mail_id: pUEviqhGUmnF, Hits: 2.537, size: 335, queued_as: 8D9494129A, 24280 ms
Jan  2 22:11:29 nss amavis[25680]: (25680-01) TIMING [total 24292 ms] - SMTP greeting: 35 (0%)0, SMTP EHLO: 4 (0%)0, SMTP pre-MAIL: 5 (0%)0, mkdir tempdir: 2 (0%)0, create email.txt: 3 (0%)0, SMTP pre-DATA-flush: 423 (2%)2, SMTP DATA: 22354 (92%)94, check_init: 5 (0%)94, digest_hdr: 3 (0%)94, digest_body: 2 (0%)94, gen_mail_id: 6 (0%)94, mkdir parts: 4 (0%)94, mime_decode: 46 (0%)94, get-file-type1: 690 (3%)97, decompose_part: 9 (0%)97, parts_decode: 0 (0%)97, check_header: 12 (0%)97, AV-scan-1: 48 (0%)97, spam-wb-list: 13 (0%)97, SA parse: 21 (0%)98, SA check: 403 (2%)99, update_cache: 20 (0%)99, decide_mail_destiny: 3 (0%)99, open-mbx: 15 (0%)99, write-header: 2 (0%)99, save-to-local-mailbox: 1 (0%)99, fwd-connect: 41 (0%)99, fwd-xforward: 3 (0%)100, fwd-mail-from: 5 (0%)100, fwd-rcpt-to: 7 (0%)100, fwd-data-cmd: 3 (0%)100, write-header: 1 (0%)100, fwd-data-contents: 0 (0%)100, fwd-data-end: 0 (0%)100, fwd-end-chkpnt: 66 (0%)100, prepare-dsn: 2 (0%)100, main_log_entry: 26 (0%)100, update_snmp: 4...
Jan  2 22:11:29 nss amavis[25680]: (25680-01) ... (0%)100, SMTP pre-response: 1 (0%)100, SMTP response: 1 (0%)100, unlink-1-files: 1 (0%)100, rundown: 1 (0%)100
Jan  2 22:11:29 nss amavis[25680]: (25680-01) load: 98 %, total idle 0.404 s, busy 23.896 s
Jan  2 22:11:29 nss postfix/qmgr[25747]: 8D9494129A: from=<michael@nausch.org>, size=1000, nrcpt=1 (queue active)
Jan  2 22:11:29 nss postfix/local[25843]: 8D9494129A: to=<klaus@tachtler.net>, relay=local, delay=0.14, delays=0.13/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Jan  2 22:11:29 nss postfix/qmgr[25747]: 8D9494129A: removed
Jan  2 22:11:33 nss postfix/smtpd[25835]: disconnect from mx1.nausch.org[88.217.187.21]

and the corresponding e-mail:

From michael@nausch.org  Fri Jan  2 22:11:29 2009
Return-Path: <michael@nausch.org>
X-Original-To: klaus@tachtler.net
Delivered-To: klaus@tachtler.net
X-Quarantine-ID: <pUEviqhGUmnF>
X-Virus-Scanned: amavisd-new at tachtler.net
X-Amavis-Alert: BAD HEADER, Missing required header field: "Date"
X-Spam-Flag: NO
X-Spam-Score: 2.537
X-Spam-Level: **
X-Spam-Status: No, score=2.537 tagged_above=2 required=6.31 tests=[AWL=1.250,
        MISSING_DATE=0.001, MISSING_MID=0.001, MISSING_SUBJECT=1.285]
Received: from mx1.tachtler.net ([127.0.0.1])
        by localhost (amavis.tachtler.net [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id pUEviqhGUmnF for <klaus@tachtler.net>;
        Fri,  2 Jan 2009 22:11:05 +0100 (CET)
X-policyd-weight: using cached result; rate: -7.6
Received: from mx1.nausch.org (mx1.nausch.org [88.217.187.21])
        by mx1.tachtler.net (Postfix) with ESMTP
        for <klaus@tachtler.net>; Fri,  2 Jan 2009 22:10:55 +0100 (CET)
From: michael@nausch.org
To: klaus@tachtler.net
Subj: Terminvereinbarung
Message-Id: <20090102211129.8D9494129A@mx1.tachtler.net>
Date: Fri,  2 Jan 2009 22:11:29 +0100 (CET)

Dies ist unsere erste Testmail

Postfix AMaViS Performance

To increase AMaViS performance, a few settings can be tuned.

RAM disk for AMaViS

A very good way to increase AMaViS performance is to set up a RAM disk. The server's hardware must of course be taken into account, as must the characteristics of AMaViS itself.

To calculate the required size of a RAM disk, which is more of a theoretical figure, the following formula can be used:

max. AMaViS instances * (max. e-mail size + (max. e-mail size * unpack factor))

Here is an example:

For 20 AMaViS instances with a max. e-mail size of 30 MB and an unpack factor of 1.5, this results in a RAM disk of 1.5 GB!

:!: As already mentioned, this is only a theoretical value, since not every e-mail has the maximum size, and the network traffic (that is, the physical limits of the network card) should not even make it possible to transfer that much data in such a short time (until AMaViS instances become available again)!

For a small private e-mail server, a smaller RAM disk will certainly be entirely sufficient!

The following sizes can therefore reasonably be assumed for a small private e-mail server:

For 4 AMaViS instances with a max. e-mail size of 10 MB and an unpack factor of 1.5, this results in a RAM disk of 100 MB!

On CentOS version 5.x, the following entry in /etc/fstab creates a RAM disk of 96 MB (relevant excerpt only):

...
/dev/shm                /var/amavis/tmp         tmpfs   defaults,size=96m,mode=755,uid=102,gid=104      0 0

On CentOS version 6.x, the following entry in /etc/fstab creates a RAM disk of 96 MB (relevant excerpt only):

...
tmpfs                   /var/amavis/tmp         tmpfs   defaults,size=96m,mode=755,uid=102,gid=104      0 0

After the entry has been added to /etc/fstab, the RAM disk can be mounted with the following command:

# mount /var/amavis/tmp

:!: IMPORTANT - If desired, the RAM disk just created can also be made readable for other programs, e.g. monitoring and reporting tools. The following command should provide the corresponding access rights to the directory /var/amavis/tmp and its parent directory /var/amavis:

# chmod 755 /var/amavis

To check whether processing really is faster, here are two excerpts from the log file /var/log/maillog for the same e-mail, first without and then with the RAM disk:

...
Jan  5 23:59:40 nss amavis[10206]: (10206-01) TIMING [total 1993 ms]...
...
Jan  6 00:12:52 nss amavis[10987]: (10987-01) TIMING [total 853 ms]...
...
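
Added example (Python, not part of the original page): a parser for amavisd-new TIMING lines that re-joins entries amavis split with "..." and separates SMTP-dialogue time from processing time, so that the before/after comparison is not distorted by a slow sender. The per-phase values in the sample are constructed (only the totals 1993 ms and 853 ms come from the page), the function names are hypothetical, and treating phases named "SMTP ..." as time spent in the SMTP dialogue is an assumption.

```python
import re
from collections import defaultdict

# "(10206-01)" is the amavis message id; startup TIMING lines without one are skipped.
LINE_RE = re.compile(r"amavis\[\d+\]: \((?P<am_id>[\d-]+)\) (?P<msg>.*)$")
TIMING_RE = re.compile(r"TIMING \[total (?P<total>\d+) ms\](?: - (?P<phases>.*))?")
PHASE_RE = re.compile(r"(?P<name>[^,:]+): (?P<ms>\d+) \(\d+%\)\d+")

# Constructed sample in the format of the page's log; the first entry is split
# across two lines the way amavis splits long entries.
SAMPLE = """\
Jan  5 23:59:40 nss amavis[10206]: (10206-01) TIMING [total 1993 ms] - SMTP greeting: 30 (2%)2, SMTP DATA: 900 (45%)47, mkdir tempdir: 40 (2%)49, create email.txt: 60 (3%)52, mime_decode: 300 (15%)67, write-header: 5 (0%)67, AV-scan-1: 400 (20%)87, write-header: 3 (0%)87, SA check: 255...
Jan  5 23:59:40 nss amavis[10206]: (10206-01) ... (13%)100
Jan  6 00:12:52 nss amavis[10987]: (10987-01) TIMING [total 853 ms] - SMTP greeting: 30 (4%)4, SMTP DATA: 380 (45%)48, mkdir tempdir: 2 (0%)48, create email.txt: 3 (0%)49, mime_decode: 40 (5%)53, write-header: 2 (0%)54, AV-scan-1: 180 (21%)75, write-header: 1 (0%)75, SA check: 215 (25%)100
"""


def _join_continuations(log_text):
    """Yield (am_id, message), gluing chunks that were split with '...'."""
    pending = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        am_id, msg = m["am_id"], m["msg"].rstrip()
        if am_id in pending:
            if msg.startswith("..."):
                msg = pending.pop(am_id) + msg[3:]
            else:
                yield am_id, pending.pop(am_id)   # chunk was never continued
        if msg.endswith("..."):
            pending[am_id] = msg[:-3]
        else:
            yield am_id, msg
    yield from pending.items()                    # e.g. an excerpt cut off with "..."


def parse_timing(log_text):
    """Return one record per TIMING entry: am_id, total_ms and ms per phase."""
    records = []
    for am_id, msg in _join_continuations(log_text):
        m = TIMING_RE.search(msg)
        if not m:
            continue
        phases = defaultdict(int)
        for p in PHASE_RE.finditer(m["phases"] or ""):
            phases[p["name"].strip()] += int(p["ms"])   # write-header occurs twice
        records.append({"am_id": am_id, "total_ms": int(m["total"]),
                        "phases": dict(phases)})
    return records


def processing_ms(record):
    """Total minus the SMTP-dialogue phases; None if the line had no phases."""
    if not record["phases"]:
        return None
    smtp = sum(ms for name, ms in record["phases"].items() if name.startswith("SMTP "))
    return record["total_ms"] - smtp


def phase_delta(before, after):
    """Per-phase change in ms (after - before), largest saving first."""
    names = set(before["phases"]) | set(after["phases"])
    delta = {n: after["phases"].get(n, 0) - before["phases"].get(n, 0)
             for n in names if not n.startswith("SMTP ")}
    return dict(sorted(delta.items(), key=lambda kv: kv[1]))


if __name__ == "__main__":
    before, after = parse_timing(SAMPLE)
    print("processing ms:", processing_ms(before), "->", processing_ms(after))
    for name, diff in phase_delta(before, after).items():
        print(f"{name:18} {diff:+5d} ms")
```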

Postfix AMaViS Black/Whitelisting

If it ever becomes necessary to blacklist or whitelist certain senders, this can be done more elegantly than by maintaining lists of sender addresses. The solution in this case is called "score_sender_maps"!

Here, individual sender addresses have

  • points added = blacklisting
  • points deducted = whitelisting

An example of this way of "changing the behaviour of AMaViS" is already provided in the configuration file /etc/amavisd.conf. Here is an excerpt from the configuration file /etc/amavisd.conf with examples:

...
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
 
@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed
 
# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
#                           '.cleargreen.com'           => -5.0}],
 
  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost
 
   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),
 
#  read_hash("/var/amavis/sender_scores_sitewide"),
 
   { # a hash-type lookup table (associative array)
     'nobody@cert.org'                        => -3.0,
     'cert-advisory@us-cert.gov'              => -3.0,
     'owner-alert@iss.net'                    => -3.0,
     'slashdot@slashdot.org'                  => -3.0,
     'securityfocus.com'                      => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     'security-alerts@linuxsecurity.com'      => -3.0,
     'mailman-announce-admin@python.org'      => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'amavis-user-bounces@lists.sourceforge.net' => -3.0,
     'spamassassin.apache.org'                => -3.0,
     'notification-return@lists.sophos.com'   => -3.0,
     'owner-postfix-users@postfix.org'        => -3.0,
     'owner-postfix-announce@postfix.org'     => -3.0,
     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org'                => -3.0,
     'ca+envelope@sendmail.org'               => -3.0,
     'noreply@freshmeat.net'                  => -3.0,
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
 
     # soft-blacklisting (positive score)
     'sender@example.net'                     =>  3.0,
     '.example.net'                           =>  1.0,
 
   },
  ],  # end of site-wide tables
 
  # Tachtler - whitelisting via score-points
  # (per-recipient table, keyed by recipient like the commented examples above)
  'whitelist@example.com'                  => [{'logwatch@tachtler.net' => -10.0}],
 
  # Tachtler - blacklisting via score-points
  'blacklist@example.com'                  => [{'logwatch@tachtler.net' =>  10.0}],
});
...

:!: IMPORTANT - An example application is shown here (relevant excerpt only):

...
     # Tachtler - whitelisting via score-points
     'whitelist@example.com'                  => [{'logwatch@tachtler.net' => -10.0}],
 
     # Tachtler - blacklisting via score-points
     'blacklist@example.com'                  => [{'logwatch@tachtler.net' =>  10.0}],
...

Postfix AMaViS MySQL integration

Another option AMaViS offers is the connection to a database, in this case MySQL.

Using a database together with AMaViS offers the following possibilities:

  • Management of white-/blacklisting individually per recipient, configurable by the users through a web front end.
  • Management of the quarantine, likewise conveniently through a web front end.

:!: To use these advantages, AMaViS naturally becomes dependent on the underlying database, which means that a database outage also has consequences for e-mail processing!

Configuring MySQL

AMaViS ships with ready-made MySQL scripts that create the tables required for this. After AMaViS has been installed, these scripts can be found at:

  • /usr/share/doc/amavisd-new-2.5.4/README.sql-mysql

:!: IMPORTANT - Unfortunately, this script lacks two important things:

  1. No new user is created for the database
  2. No new database is created in MySQL

Because of this, the following MySQL statements can be copied into, for example, a separate file and applied to the MySQL database system with the command shown afterwards.

The first step is to create a new database and a new user for this database.

USE mysql;
 
REPLACE INTO user (host, user, password)
    VALUES (
        'localhost',
        'amavis',
-- IMPORTANT: Change this password!
-- Tachtler
        PASSWORD('geheim')
);
 
REPLACE INTO db (host, db, user, select_priv, insert_priv, update_priv,
                 delete_priv, create_priv, drop_priv, index_priv)
    VALUES (
        'localhost',
        'amavis',
        'amavis',  -- must match the account created in the user table above
        'Y', 'Y', 'Y', 'Y',
        'Y', 'Y', 'Y'
);
 
-- Make sure that privileges are reloaded.
FLUSH PRIVILEGES;
 
CREATE DATABASE amavis;
 
USE amavis;

These statements can, for example, be copied into a file with the following location and name:

  • /tmp/amavis_db_user.sql

The file /tmp/amavis_db_user.sql can be created with the following command and then edited with an editor:

# touch /tmp/amavis_db_user.sql

The resulting file /tmp/amavis_db_user.sql can then be applied to the MySQL database system with the following command:

# mysql -u root -p < /tmp/amavis_db_user.sql
Enter password:

The second step is to extract the SQL statements from the supplied file /usr/share/doc/amavisd-new-2.5.4/README.sql-mysql into a separate file, which can, for example, have the following location and name:

  • /tmp/amavis.sql

The following statements must be extracted:

-- local users
CREATE TABLE users (
  id         int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,  -- unique id
  priority   integer      NOT NULL DEFAULT '7',  -- sort field, 0 is low prior.
  policy_id  integer unsigned NOT NULL DEFAULT '1',  -- JOINs with policy.id
  email      varchar(255) NOT NULL UNIQUE,
  fullname   varchar(255) DEFAULT NULL,    -- not used by amavisd-new
  local      char(1)      -- Y/N  (optional field, see note further down)
);
 
-- any e-mail address (non- rfc2822-quoted), external or local,
-- used as senders in wblist
CREATE TABLE mailaddr (
  id         int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
  priority   integer      NOT NULL DEFAULT '7',  -- 0 is low priority
  email      varchar(255) NOT NULL UNIQUE
);
 
-- per-recipient whitelist and/or blacklist,
-- puts sender and recipient in relation wb  (white or blacklisted sender)
CREATE TABLE wblist (
  rid        integer unsigned NOT NULL,  -- recipient: users.id
  sid        integer unsigned NOT NULL,  -- sender: mailaddr.id
  wb         varchar(10)  NOT NULL,  -- W or Y / B or N / space=neutral / score
  PRIMARY KEY (rid,sid)
);
 
CREATE TABLE policy (
  id  int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
                                    -- 'id' this is the _only_ required field
  policy_name      varchar(32),     -- not used by amavisd-new, a comment
 
  virus_lover          char(1) default NULL,     -- Y/N
  spam_lover           char(1) default NULL,     -- Y/N
  banned_files_lover   char(1) default NULL,     -- Y/N
  bad_header_lover     char(1) default NULL,     -- Y/N
 
  bypass_virus_checks  char(1) default NULL,     -- Y/N
  bypass_spam_checks   char(1) default NULL,     -- Y/N
  bypass_banned_checks char(1) default NULL,     -- Y/N
  bypass_header_checks char(1) default NULL,     -- Y/N
 
  spam_modifies_subj   char(1) default NULL,     -- Y/N
 
  virus_quarantine_to      varchar(64) default NULL,
  spam_quarantine_to       varchar(64) default NULL,
  banned_quarantine_to     varchar(64) default NULL,
  bad_header_quarantine_to varchar(64) default NULL,
  clean_quarantine_to      varchar(64) default NULL,
  other_quarantine_to      varchar(64) default NULL,
 
  spam_tag_level  float default NULL, -- higher score inserts spam info headers
  spam_tag2_level float default NULL, -- inserts 'declared spam' header fields
  spam_kill_level float default NULL, -- higher score triggers evasive actions
                                      -- e.g. reject/drop, quarantine, ...
                                     -- (subject to final_spam_destiny setting)
  spam_dsn_cutoff_level        float default NULL,
  spam_quarantine_cutoff_level float default NULL,
 
  addr_extension_virus      varchar(64) default NULL,
  addr_extension_spam       varchar(64) default NULL,
  addr_extension_banned     varchar(64) default NULL,
  addr_extension_bad_header varchar(64) default NULL,
 
  warnvirusrecip      char(1)     default NULL, -- Y/N
  warnbannedrecip     char(1)     default NULL, -- Y/N
  warnbadhrecip       char(1)     default NULL, -- Y/N
  newvirus_admin      varchar(64) default NULL,
  virus_admin         varchar(64) default NULL,
  banned_admin        varchar(64) default NULL,
  bad_header_admin    varchar(64) default NULL,
  spam_admin          varchar(64) default NULL,
  spam_subject_tag    varchar(64) default NULL,
  spam_subject_tag2   varchar(64) default NULL,
  message_size_limit  integer     default NULL, -- max size in bytes, 0 disable
  banned_rulenames    varchar(64) default NULL  -- comma-separated list of ...
        -- names mapped through %banned_rules to actual banned_filename tables
);
 
 
 
-- R/W part of the dataset (optional)
--   May reside in the same or in a separate database as lookups database;
--   REQUIRES SUPPORT FOR TRANSACTIONS; specified in @storage_sql_dsn
--
--   MySQL note ( http://dev.mysql.com/doc/mysql/en/storage-engines.html ):
--     ENGINE is the preferred term, but cannot be used before MySQL 4.0.18.
--     TYPE is available beginning with MySQL 3.23.0, the first version of
--     MySQL for which multiple storage engines were available. If you omit
--     the ENGINE or TYPE option, the default storage engine is used.
--     By default this is MyISAM.
--
--  Please create additional indexes on keys when needed, or drop suggested
--  ones as appropriate to optimize queries needed by a management application.
--  See your database documentation for further optimization hints. With MySQL
--  see Chapter 15 of the reference manual. For example the chapter 15.17 says:
--  InnoDB does not keep an internal count of rows in a table. To process a
--  SELECT COUNT(*) FROM T statement, InnoDB must scan an index of the table,
--  which takes some time if the index is not entirely in the buffer pool.
--
--  Wayne Smith adds: When using MySQL with InnoDB one might want to
--  increase buffer size for both pool and log, and might also want
--  to change flush settings for a little better performance. Example:
--    innodb_buffer_pool_size  = 384M
--    innodb_log_buffer_size = 8M
--    innodb_flush_log_at_trx_commit = 0
--  The big performance increase is the first two, the third just helps
--  with lowering disk activity.
 
 
-- provide unique id for each e-mail address, avoids storing copies
CREATE TABLE maddr (
  id         int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
  email      varchar(255) NOT NULL UNIQUE, -- full mail address
  domain     varchar(255) NOT NULL     -- only domain part of the email address
                                       -- with subdomain fields in reverse
) ENGINE=InnoDB;
 
-- information pertaining to each processed message as a whole;
-- NOTE: records with NULL msgs.content should be ignored by utilities,
--   as such records correspond to messages just being processes, or were lost
-- NOTE: instead of a character field time_iso, one might prefer:
--   time_iso TIMESTAMP NOT NULL DEFAULT 0,
--   but the following MUST then be set in amavisd.conf: $timestamp_fmt_mysql=1
CREATE TABLE msgs (
  mail_id    varchar(12)   NOT NULL PRIMARY KEY,  -- long-term unique mail id
  secret_id  varchar(12)   DEFAULT '',  -- authorizes release of mail_id
  am_id      varchar(20)   NOT NULL,    -- id used in the log
  time_num   integer unsigned NOT NULL, -- rx_time: seconds since Unix epoch
  time_iso   char(16)      NOT NULL,    -- rx_time: ISO8601 UTC ascii time
  sid        integer unsigned NOT NULL, -- sender: maddr.id
  policy     varchar(255)  DEFAULT '',  -- policy bank path (like macro %p)
  client_addr varchar(255) DEFAULT '',  -- SMTP client IP address (IPv4 or v6)
  size       integer unsigned NOT NULL, -- message size in bytes
  content    char(1),                   -- content type: V/B/S/s/M/H/O/C:
                                        -- virus/banned/spam(kill)/spammy(tag2)
                                        -- /bad mime/bad header/oversized/clean
                                        -- is NULL on partially processed mail
  quar_type  char(1),                   -- quarantined as: ' '/F/Z/B/Q/M/L
                                        --  none/file/zipfile/bsmtp/sql/
                                        --  /mailbox(smtp)/mailbox(lmtp)
  quar_loc   varchar(255)  DEFAULT '',  -- quarantine location (e.g. file)
  dsn_sent   char(1),                   -- was DSN sent? Y/N/q (q=quenched)
  spam_level float,                     -- SA spam level (no boosts)
  message_id varchar(255)  DEFAULT '',  -- mail Message-ID header field
  from_addr  varchar(255)  DEFAULT '',  -- mail From header field,    UTF8
  subject    varchar(255)  DEFAULT '',  -- mail Subject header field, UTF8
  host       varchar(255)  NOT NULL,    -- hostname where amavisd is running
  FOREIGN KEY (sid) REFERENCES maddr(id) ON DELETE RESTRICT
) ENGINE=InnoDB;
CREATE INDEX msgs_idx_sid      ON msgs (sid);
CREATE INDEX msgs_idx_mess_id  ON msgs (message_id); -- useful with pen pals
CREATE INDEX msgs_idx_time_num ON msgs (time_num);
-- alternatively when purging based on time_iso (instead of msgs_idx_time_num):
-- CREATE INDEX msgs_idx_time_iso ON msgs (time_iso);
 
-- per-recipient information related to each processed message;
-- NOTE: records in msgrcpt without corresponding msgs.mail_id record are
--  orphaned and should be ignored and eventually deleted by external utilities
CREATE TABLE msgrcpt (
  mail_id    varchar(12)   NOT NULL,     -- (must allow duplicates)
  rid        integer unsigned NOT NULL,  -- recipient: maddr.id (dupl. allowed)
  ds         char(1)       NOT NULL,     -- delivery status: P/R/B/D/T
                                         -- pass/reject/bounce/discard/tempfail
  rs         char(1)       NOT NULL,     -- release status: initialized to ' '
  bl         char(1)       DEFAULT ' ',  -- sender blacklisted by this recip
  wl         char(1)       DEFAULT ' ',  -- sender whitelisted by this recip
  bspam_level float,                     -- spam level + per-recip boost
  smtp_resp  varchar(255)  DEFAULT '',   -- SMTP response given to MTA
  FOREIGN KEY (rid)     REFERENCES maddr(id)     ON DELETE RESTRICT,
  FOREIGN KEY (mail_id) REFERENCES msgs(mail_id) ON DELETE CASCADE
) ENGINE=InnoDB;
CREATE INDEX msgrcpt_idx_mail_id  ON msgrcpt (mail_id);
CREATE INDEX msgrcpt_idx_rid      ON msgrcpt (rid);
 
-- mail quarantine in SQL, enabled by $*_quarantine_method='sql:'
-- NOTE: records in quarantine without corresponding msgs.mail_id record are
--  orphaned and should be ignored and eventually deleted by external utilities
CREATE TABLE quarantine (
  mail_id    varchar(12)   NOT NULL,    -- long-term unique mail id
  chunk_ind  integer unsigned NOT NULL, -- chunk number, starting with 1
  mail_text  blob NOT NULL,             -- store mail as chunks of octets
  PRIMARY KEY (mail_id,chunk_ind),
  FOREIGN KEY (mail_id) REFERENCES msgs(mail_id) ON DELETE CASCADE
) ENGINE=InnoDB;
 
-- field msgrcpt.rs is primarily intended for use by quarantine management
-- software; the value assigned by amavisd is a space;
-- a short _preliminary_ list of possible values:
--   'V' => viewed (marked as read)
--   'R' => released (delivered) to this recipient
--   'p' => pending (a status given to messages when the admin received the
--                   request but not yet released; targeted to banned parts)
--   'D' => marked for deletion; a cleanup script may delete it
 
 
-- =====================
-- Example data follows:
-- =====================
INSERT INTO users VALUES ( 1, 9, 5, 'user1+foo@y.example.com','Name1 Surname1', 'Y');
INSERT INTO users VALUES ( 2, 7, 5, 'user1@y.example.com', 'Name1 Surname1', 'Y');
INSERT INTO users VALUES ( 3, 7, 2, 'user2@y.example.com', 'Name2 Surname2', 'Y');
INSERT INTO users VALUES ( 4, 7, 7, 'user3@z.example.com', 'Name3 Surname3', 'Y');
INSERT INTO users VALUES ( 5, 7, 7, 'user4@example.com',   'Name4 Surname4', 'Y');
INSERT INTO users VALUES ( 6, 7, 1, 'user5@example.com',   'Name5 Surname5', 'Y');
INSERT INTO users VALUES ( 7, 5, 0, '@sub1.example.com', NULL, 'Y');
INSERT INTO users VALUES ( 8, 5, 7, '@sub2.example.com', NULL, 'Y');
INSERT INTO users VALUES ( 9, 5, 5, '@example.com',      NULL, 'Y');
INSERT INTO users VALUES (10, 3, 8, 'userA', 'NameA SurnameA anywhere', 'Y');
INSERT INTO users VALUES (11, 3, 9, 'userB', 'NameB SurnameB', 'Y');
INSERT INTO users VALUES (12, 3,10, 'userC', 'NameC SurnameC', 'Y');
INSERT INTO users VALUES (13, 3,11, 'userD', 'NameD SurnameD', 'Y');
INSERT INTO users VALUES (14, 3, 0, '@sub1.example.net', NULL, 'Y');
INSERT INTO users VALUES (15, 3, 7, '@sub2.example.net', NULL, 'Y');
INSERT INTO users VALUES (16, 3, 5, '@example.net',      NULL, 'Y');
INSERT INTO users VALUES (17, 7, 5, 'u1@example.org',    'u1', 'Y');
INSERT INTO users VALUES (18, 7, 6, 'u2@example.org',    'u2', 'Y');
INSERT INTO users VALUES (19, 7, 3, 'u3@example.org',    'u3', 'Y');
 
-- INSERT INTO users VALUES (20, 0, 5, '@.',             NULL, 'N');  -- catchall
 
INSERT INTO policy (id, policy_name,
  virus_lover, spam_lover, banned_files_lover, bad_header_lover,
  bypass_virus_checks, bypass_spam_checks,
  bypass_banned_checks, bypass_header_checks, spam_modifies_subj,
  spam_tag_level, spam_tag2_level, spam_kill_level) VALUES
  (1, 'Non-paying',    'N','N','N','N', 'Y','Y','Y','N', 'Y', 3.0,   7, 10),
  (2, 'Uncensored',    'Y','Y','Y','Y', 'N','N','N','N', 'N', 3.0, 999, 999),
  (3, 'Wants all spam','N','Y','N','N', 'N','N','N','N', 'Y', 3.0, 999, 999),
  (4, 'Wants viruses', 'Y','N','Y','Y', 'N','N','N','N', 'Y', 3.0, 6.9, 6.9),
  (5, 'Normal',        'N','N','N','N', 'N','N','N','N', 'Y', 3.0, 6.9, 6.9),
  (6, 'Trigger happy', 'N','N','N','N', 'N','N','N','N', 'Y', 3.0,   5, 5),
  (7, 'Permissive',    'N','N','N','Y', 'N','N','N','N', 'Y', 3.0,  10, 20),
  (8, '6.5/7.8',       'N','N','N','N', 'N','N','N','N', 'N', 3.0, 6.5, 7.8),
  (9, 'userB',         'N','N','N','Y', 'N','N','N','N', 'Y', 3.0, 6.3, 6.3),
  (10,'userC',         'N','N','N','N', 'N','N','N','N', 'N', 3.0, 6.0, 6.0),
  (11,'userD',         'Y','N','Y','Y', 'N','N','N','N', 'N', 3.0,   7, 7);
 
-- sender envelope addresses needed for white/blacklisting
INSERT INTO mailaddr VALUES (1, 5, '@example.com');
INSERT INTO mailaddr VALUES (2, 9, 'owner-postfix-users@postfix.org');
INSERT INTO mailaddr VALUES (3, 9, 'amavis-user-admin@lists.sourceforge.net');
INSERT INTO mailaddr VALUES (4, 9, 'makemoney@example.com');
INSERT INTO mailaddr VALUES (5, 5, '@example.net');
INSERT INTO mailaddr VALUES (6, 9, 'spamassassin-talk-admin@lists.sourceforge.net');
INSERT INTO mailaddr VALUES (7, 9, 'spambayes-bounces@python.org');
 
-- whitelist for user 14, i.e. default for recipients in domain sub1.example.net
INSERT INTO wblist VALUES (14, 1, 'W');
INSERT INTO wblist VALUES (14, 3, 'W');
 
-- whitelist and blacklist for user 17, i.e. u1@example.org
INSERT INTO wblist VALUES (17, 2, 'W');
INSERT INTO wblist VALUES (17, 3, 'W');
INSERT INTO wblist VALUES (17, 6, 'W');
INSERT INTO wblist VALUES (17, 7, 'W');
INSERT INTO wblist VALUES (17, 5, 'B');
INSERT INTO wblist VALUES (17, 4, 'B');
 
-- $sql_select_policy setting in amavisd.conf tells amavisd
-- how to fetch per-recipient policy settings.
-- See comments there. Example:
--
-- SELECT *,users.id FROM users,policy
--   WHERE (users.policy_id=policy.id) AND (users.email IN (%k))
--   ORDER BY users.priority DESC;
--
-- $sql_select_white_black_list in amavisd.conf tells amavisd
-- how to check sender in per-recipient whitelist/blacklist.
-- See comments there. Example:
--
-- SELECT wb FROM wblist,mailaddr
--   WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id) AND (mailaddr.email IN (%k))
--   ORDER BY mailaddr.priority DESC;
 
 
 
-- NOTE: the SELECT, INSERT and UPDATE clauses as used by the amavisd-new
-- program are configurable through %sql_clause; see amavisd.conf-default

The file /tmp/amavis.sql can be created with the following command and then edited with an editor:

# touch /tmp/amavis.sql

The resulting file /tmp/amavis.sql can then be applied to the MySQL database system with the following command:

# mysql -u root amavis -p < /tmp/amavis.sql
Enter password:
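
The schema comments above leave the removal of old and partially processed records to external utilities, which matters because the quarantine table holds complete mail bodies. The following added example (not part of the original page or of amavisd-new) shows the order such a purge has to follow under the ON DELETE CASCADE and ON DELETE RESTRICT constraints; it assumes SQLite as an offline stand-in for MySQL, a reduced constructed copy of the tables, and hypothetical retention values (14 days, 1 hour).

```python
import sqlite3

# Reduced, constructed stand-in for the logging tables above (SQLite, not MySQL).
SCHEMA = """
CREATE TABLE maddr (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE);
CREATE TABLE msgs (mail_id TEXT PRIMARY KEY, time_num INTEGER NOT NULL,
  content TEXT, sid INTEGER NOT NULL REFERENCES maddr(id) ON DELETE RESTRICT);
CREATE TABLE msgrcpt (
  mail_id TEXT NOT NULL REFERENCES msgs(mail_id) ON DELETE CASCADE,
  rid INTEGER NOT NULL REFERENCES maddr(id) ON DELETE RESTRICT);
CREATE TABLE quarantine (
  mail_id TEXT NOT NULL REFERENCES msgs(mail_id) ON DELETE CASCADE,
  chunk_ind INTEGER NOT NULL, mail_text BLOB NOT NULL,
  PRIMARY KEY (mail_id, chunk_ind));
"""

def demo_db(now):
    """In-memory database with constructed rows: one old, one recent, one partial."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only on request
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO maddr VALUES (?, ?)", [
        (1, "old-sender@example.com"), (2, "user1@y.example.com"),
        (3, "new-sender@example.net")])
    db.executemany("INSERT INTO msgs VALUES (?, ?, ?, ?)", [
        ("oldmail00001", now - 30 * 86400, "S", 1),   # spam, 30 days old
        ("newmail00001", now - 86400, "C", 3),        # clean, 1 day old
        ("partial00001", now - 7200, None, 3)])       # never finished processing
    db.executemany("INSERT INTO msgrcpt VALUES (?, ?)",
                   [("oldmail00001", 2), ("newmail00001", 2)])
    db.execute("INSERT INTO quarantine VALUES ('oldmail00001', 1, x'00')")
    db.commit()
    return db

def purge(db, now, keep_days=14, stale_secs=3600):
    """Apply the retention policy; returns rows deleted directly per step."""
    deleted = {}
    # 1. Expired mail: CASCADE removes its msgrcpt and quarantine rows as well.
    deleted["expired"] = db.execute("DELETE FROM msgs WHERE time_num < ?",
                                    (now - keep_days * 86400,)).rowcount
    # 2. Records still NULL in msgs.content after stale_secs were lost mid-scan.
    deleted["partial"] = db.execute(
        "DELETE FROM msgs WHERE content IS NULL AND time_num < ?",
        (now - stale_secs,)).rowcount
    # 3. Addresses last: RESTRICT rejects deleting a maddr row still referenced.
    deleted["maddr"] = db.execute(
        "DELETE FROM maddr WHERE NOT EXISTS"
        " (SELECT 1 FROM msgs WHERE msgs.sid = maddr.id) AND NOT EXISTS"
        " (SELECT 1 FROM msgrcpt WHERE msgrcpt.rid = maddr.id)").rowcount
    db.commit()
    return deleted
```

The three DELETE statements use only standard SQL, so the same order applies to the InnoDB tables; the counts returned exclude rows removed by the cascade.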

/etc/amavisd.conf

AMaViS is configured in the configuration file

  • /etc/amavisd.conf

The relevant changes compared with the default configuration and with the previous configuration of AMaViS without MySQL support are marked with the following comment:

# Tachtler

Here are the relevant changes to the configuration file, which is located under /etc and named amavisd.conf (relevant excerpts only):

...
# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
# Tachtler
@lookup_sql_dsn =
  ( ['DBI:mysql:database=amavis;host=127.0.0.1;port=3306', 'amavisuser', 'geheim'] );
@storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
 
# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
...

Postfix AMaViS Upgrade Version 2.6.4

When upgrading AMaViS to version 2.6.4, the following main points must be observed:

  • AMaViS supports DKIM as of version 2.6.4
  • The schemas for connecting MySQL to AMaViS have changed

:!: The points listed above must be taken into account during an upgrade!

The configuration file has changed in places, so a comparison with the existing configuration file using a program such as diff, or by another suitable means, is unavoidable; the new configuration file should be created from the supplied sample configuration file. Many of the changes in /etc/amavisd.conf were made to the integration of the virus scan engines; in detail these are syntactically small changes, but there are quite a lot of them.

:!: Recommendation - Rebuilding the configuration from the newly supplied sample configuration file /etc/amavisd.conf.rpmnew, based on the old settings, is recommended!

Postfix AMaViS Upgrade: DKIM

If the use of DKIM is NOT planned, the following changes should be made to the configuration file /etc/amavisd.conf (relevant excerpt only):

...
$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
# Tachtler
# default: $enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_verification = 0;  # disable DKIM signatures verification
# Tachtler
# default: $enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key
$enable_dkim_signing = 0;    # do not load DKIM signing code, keys defined by dkim_key
...

:!: IMPORTANT - The following package must nevertheless be installed with the command below so that AMaViS can start without problems:

# yum install perl-Mail-DKIM.noarch
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
 * base: centos.intergenia.de
 * updates: mirror.switch.ch
 * addons: centos.intergenia.de
 * extras: centos.kiewel-online.ch
410 packages excluded due to repository priority protections
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package perl-Mail-DKIM.noarch 0:0.36-1.el5.rf set to be updated
--> Processing Dependency: perl(Digest::SHA) for package: perl-Mail-DKIM
--> Processing Dependency: perl(Crypt::OpenSSL::RSA) for package: perl-Mail-DKIM
--> Running transaction check
---> Package perl-Crypt-OpenSSL-RSA.i386 0:0.25-1.el5.rf set to be updated
---> Package perl-Digest-SHA.i386 0:5.47-1.el5.rf set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================
 Package                                Arch                   Version                          Repository                Size
==============================================================================================================================
Installing: 
perl-Mail-DKIM                          noarch                 0.36-1.el5.rf                    rpmforge                 120 k
Installing for dependencies: 
perl-Crypt-OpenSSL-RSA                  i386                   0.25-1.el5.rf                    rpmforge                  60 k
perl-Digest-SHA                         i386                   5.47-1.el5.rf                    rpmforge                  88 k

Transaction Summary
==============================================================================================================================
Install      3 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 269 k
Is this ok [y/N]: y
Downloading Packages:
(1/3): perl-Crypt-OpenSSL RSA-0.25-1.el5.rf.i386.rpm                                                        |  60 kB     00:00
(2/3): perl-Digest-SHA-5.47-1.el5.rf.i386.rpm                                                               |  88 kB     00:00
(3/3): perl-Mail-DKIM-0.36-1.el5.rf.noarch.rpm                                                              | 120 kB     00:00
------------------------------------------------------------------------------------------------------------------------------
Total                                                                                              184 kB/s | 269 kB     00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : perl-Crypt-OpenSSL-RSA                            [1/3]
  Installing     : perl-Digest-SHA                                   [2/3]
  Installing     : perl-Mail-DKIM                                    [3/3]

Installed: perl-Mail-DKIM.noarch 0:0.36-1.el5.rf
Dependency Installed: perl-Crypt-OpenSSL-RSA.i386 0:0.25-1.el5.rf perl-Digest-SHA.i386 0:5.47-1.el5.rf
Complete!

Postfix AMaViS Upgrade: MySQL

Upgrading the MySQL database is somewhat more complicated. It depends on the individual settings. For that reason I will, as an exception, not cover it in general terms here; I hope this can be forgiven. For individual questions there is the AMaViS mailing list.

AMaViS user mailing list

tachtler/postfix_amavis_installieren.1339591921.txt.gz · Last modified: 2012/06/13 14:52 by klaus