Grundinstallation von AMaViS
Grundlagen
Bei der Definition der Anforderungen an unseren Mailserver hatten wir unter anderem ein mehrstufiges Anti-SPAM- und Anti-Viren-schutzkonzept vorgesehen.
- Stufe 1 : Greylisting mit Hilfe von postgrey
In diesem ersten Schritt erfolgt eine Überprüfung, ob von dem Absender bereits eine Nachricht für einen Empfänger angenommen wurde (greylisting). Nachrichten von unbekannten Absendern werden erst einmal mit einem temporären Fehler 450 abgewiesen. SPAMer geben i.d.R. hier schon auf und ordnungsgemäß konfigurierte Mailserver versuchen die erneute Zustellung in ein paar Minuten. So kann erfolgreich die erste Welle von unerwünschter Post bekämpft und deren Zustellung verweigert werden. - Stufe 2 : Nutzung des Policy-Daemon policyd-weight
bei Stufe 2 wird mit Hilfe des Policy-Daemon policyd-weight die Mail bei der Einlieferung untersucht. An Hand des Envelope Sender, des Envelope To und der HELO-Daten, die während des SMTP-Handshakes übertragen werden, werden für verschiedene Kriterien Punkte vergeben. Dabei werden z.B. Realtime Blackhole Listen abgefragt oder die DNS-Konfiguration des Absenders überprüft. Für jeden Regelverstoß gibt es negative Punkte und ab einer bestimmten Wertung wird die Mail abgelehnt. - Stufe 3 : Einbindung und Nutzung von SpamAssassin und ClamAV mit Hilfe von AMaViS.
Bei der Stufe 3, also bei der inhaltlichen Prüfung auf SPAM und Schadcode, setzen wir auf das Open Source-Projekt AMaViS1), das ihren kommerziellen und kostenpflichtigen Konkurrenzprodukten nicht nur ebenbürtig, sondern in vielerlei Hinblick sogar überlegen ist!
In dieser Stufe wird noch während des Einlieferungsversuches des externen Mailservers, die Nachricht an den AMaViS-Host auf Port 10024 zur Prüfung übergeben. Dort wird die Nachricht auf unerwünschte Inhalte SPAM und möglichen Schadcode (Viren) hin überprüft. Fällt diese Prüfung negativ aus, quittiert der AMaViS-Host die Einlieferung mit einem 250er und leitet die eMail an den betreffenden MTA auf Port 10025 zurück. Unser MTX quittiert sodann die Einlieferung und Annahme der Nachricht mit einem 250er und leitet anschließend die ihm anvertraute Nachricht an das jeweilige Backend Dovecot-IMAP-server bzw. Mailman Mailinglisten-Server weiter. Bei einer positiven Bewertung auf unerwünschte Inhalte und/oder Schadcode, quittiert der AMaViS-Daemon die Annahme mit einem 500-Code, was wiederum unser externes Mailrelay Postfix veranlasst, die annahme ebenfalls mit einem 500er-Fehlercode abzulehnen. Somit müssen wir uns um eine eventuelle quarantäne oder SPAM-Verwaltung erst gar nicht kümmern!
Der prinzipielle Ablauf und die Einbindung des AMaViS veranschaulich folgende Skizze.
AMaVis übernimmt in unserem eMailworkflow eigentlich nur die Steuerung des Ablaufes, sie nimmt also die eMail vom MTA an und leitet diese an die Backendsysteme weiter:
- PACKER Zum Entpacken von Dateianhängen
- Virenscanner Zur Prüfung der eMail und der Inhalte auf Schadcode, in unserem Fall übernimmt dies das freie Projekt ClamAV
- Spamassassin Zur Prüfung der eMail auf unerwünschte Inhalte (SPAM und UCE)
Installation
Wie gerade schon erwähnt, stellt AMaViS das Frontend-System zur Verfügung. Daher werden wir im ersten Schritt mit der Installation von amavisd-new beginnen. Es ist natürlich klar, dass ohne die Backend-Systeme wie SpamAssassin oder ClamAV, der Einsatz von AMaViS nicht gerade viel bringt, sehen wir mal von der Möglichkeit vom Einfügen der DKIM-Signaturen ab. Auf diese gehen wir später in einem gesonderten Kapitel ein.
Für die Installation von amavisd-new und der zugehörigen Pakete nutzen wir am besten das Repository rpmforge - die Installation selbst nehmen wir mit Unterstützung von yum vor.
# yum install amavisd-new -y
Was uns das Paket alle bei der Installation mitgebracht hat, zeigt uns ein Blick in das installierte rpm.
# rpm -qil amavisd-new
Name : amavisd-new Relocations: (not relocatable) Version : 2.6.6 Vendor: Dag Apt Repository, http://dag.wieers.com/apt/ Release : 2.el6.rf Build Date: Fri 20 Jan 2012 11:44:48 PM CET Install Date: Sun 10 Jun 2012 12:35:06 PM CEST Build Host: lisse.hasselt.wieers.com Group : System Environment/Daemons Source RPM: amavisd-new-2.6.6-2.el6.rf.src.rpm Size : 2796438 License: GPL Signature : DSA/SHA1, Sat 21 Jan 2012 12:21:44 AM CET, Key ID a20e52146b8d79e6 Packager : Dag Wieers <dag@wieers.com> URL : http://www.ijs.si/software/amavisd/ Summary : Mail virus-scanner Description : AMaViS is a program that interfaces a mail transfer agent (MTA) with one or more virus scanners. Amavisd-new is a branch created by Mark Martinec that adds serveral performance and robustness features. It's partly based on work being done on the official amavisd branch. Please see the README.amavisd-new-RELNOTES file for a detailed description. /etc/amavisd.conf /etc/cron.daily/amavisd /etc/logrotate.d/amavisd /etc/openldap/schema/amavisd-new.schema /etc/rc.d/init.d/amavisd /etc/sysconfig/amavisd /usr/sbin/amavisd /usr/sbin/amavisd-agent /usr/sbin/amavisd-nanny /usr/sbin/amavisd-release /usr/sbin/p0f-analyzer /usr/share/doc/amavisd-new-2.6.6 /usr/share/doc/amavisd-new-2.6.6/AAAREADME.first /usr/share/doc/amavisd-new-2.6.6/LDAP.schema /usr/share/doc/amavisd-new-2.6.6/LICENSE /usr/share/doc/amavisd-new-2.6.6/MANIFEST /usr/share/doc/amavisd-new-2.6.6/README.banned /usr/share/doc/amavisd-new-2.6.6/README.chroot /usr/share/doc/amavisd-new-2.6.6/README.contributed /usr/share/doc/amavisd-new-2.6.6/README.courier /usr/share/doc/amavisd-new-2.6.6/README.courier-old /usr/share/doc/amavisd-new-2.6.6/README.customize /usr/share/doc/amavisd-new-2.6.6/README.exim_v3 /usr/share/doc/amavisd-new-2.6.6/README.exim_v3_app /usr/share/doc/amavisd-new-2.6.6/README.exim_v4 /usr/share/doc/amavisd-new-2.6.6/README.exim_v4_app /usr/share/doc/amavisd-new-2.6.6/README.exim_v4_app2 /usr/share/doc/amavisd-new-2.6.6/README.ldap /usr/share/doc/amavisd-new-2.6.6/README.lookups /usr/share/doc/amavisd-new-2.6.6/README.milter /usr/share/doc/amavisd-new-2.6.6/README.old.scanners /usr/share/doc/amavisd-new-2.6.6/README.performance /usr/share/doc/amavisd-new-2.6.6/README.policy-on-notifications /usr/share/doc/amavisd-new-2.6.6/README.postfix /usr/share/doc/amavisd-new-2.6.6/README.postfix.html /usr/share/doc/amavisd-new-2.6.6/README.protocol /usr/share/doc/amavisd-new-2.6.6/README.sendmail /usr/share/doc/amavisd-new-2.6.6/README.sendmail-dual /usr/share/doc/amavisd-new-2.6.6/README.sendmail-dual.old /usr/share/doc/amavisd-new-2.6.6/README.sql /usr/share/doc/amavisd-new-2.6.6/README.sql-mysql /usr/share/doc/amavisd-new-2.6.6/README.sql-pg /usr/share/doc/amavisd-new-2.6.6/RELEASE_NOTES /usr/share/doc/amavisd-new-2.6.6/amavisd-new-docs.html /usr/share/doc/amavisd-new-2.6.6/amavisd.conf /usr/share/doc/amavisd-new-2.6.6/amavisd.conf-default /usr/share/doc/amavisd-new-2.6.6/amavisd.conf-sample /usr/share/doc/amavisd-new-2.6.6/amavisd.conf.orig /usr/share/doc/amavisd-new-2.6.6/images /usr/share/doc/amavisd-new-2.6.6/images/blank.png /usr/share/doc/amavisd-new-2.6.6/images/callouts /usr/share/doc/amavisd-new-2.6.6/images/callouts/1.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/10.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/11.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/12.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/13.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/14.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/15.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/2.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/3.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/4.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/5.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/6.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/7.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/8.png /usr/share/doc/amavisd-new-2.6.6/images/callouts/9.png /usr/share/doc/amavisd-new-2.6.6/images/caution.png /usr/share/doc/amavisd-new-2.6.6/images/draft.png /usr/share/doc/amavisd-new-2.6.6/images/home.png /usr/share/doc/amavisd-new-2.6.6/images/important.png /usr/share/doc/amavisd-new-2.6.6/images/next.png /usr/share/doc/amavisd-new-2.6.6/images/note.png /usr/share/doc/amavisd-new-2.6.6/images/prev.png /usr/share/doc/amavisd-new-2.6.6/images/tip.png /usr/share/doc/amavisd-new-2.6.6/images/toc-blank.png /usr/share/doc/amavisd-new-2.6.6/images/toc-minus.png /usr/share/doc/amavisd-new-2.6.6/images/toc-plus.png /usr/share/doc/amavisd-new-2.6.6/images/up.png /usr/share/doc/amavisd-new-2.6.6/images/warning.png /usr/share/doc/amavisd-new-2.6.6/screen.css /usr/share/doc/amavisd-new-2.6.6/test-messages /usr/share/doc/amavisd-new-2.6.6/test-messages/README /usr/share/doc/amavisd-new-2.6.6/test-messages/sample.tar.gz.compl /var/amavis /var/amavis/db /var/amavis/tmp /var/amavis/var /var/log/amavis.log /var/virusmails
Grundkonfiguration
Für die weitere Viren- und Spam-Prüfung der uns angetragenen elektronischen Post, verwenden wir die smtp_proxy_filter-Funktionen, also die Pre-Queue unseres Postfixes. Somit können wir die Nachricht in Echtzeit filtern und wenn uns diese „nicht gefällt“, einfach abweisen.
Der externe Mailserver versucht mit unserer neuen Konfiguration eine eMail bei uns auf Port 25 abzusetzen. Unser Postfix reicht diese direkt an den Port 10024 unseres AMaViS-Daemon weiter, der die Nachricht on-the-fly weiteren daemons zum Virenscanner und Spambewerten unterzieht. Wird dabei die Nachricht für O.K. befunden, so reicht AMaViS die Mail zurück an den Postfix auf Port 10025, oder signalisiert Postfix, dass die Nachricht O.K. ist und der externe SMTP-Dialog erfolgreich zu Ende gebracht werden kann.
AMaViS
Im ersten Schritt definieren wir also die ersten drei Parameter, Hostnamen, Domäne und Port in der Konfigurationsdatei unter /etc/amavisd.conf.
# vim /etc/amavisd.conf
... # Django : 2012-05-21 # default: $mydomain = 'example.com'; $mydomain = 'nausch.org'; # a convenient default for other settings ... # Django : 2012-05-21 # default: $log_level = 0; $log_level = 3; # verbosity 0..5, -d ... # Django : 2012-05-21 # @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 # 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); @mynetworks = qw( 127.0.0.0/8 10.0.0.0/24 ); ... # Django : 2012-05-21 # default: unset # listening only on localhost $inet_socket_bind = '*'; # listen on this port 10024 on all network-interfaces # Django : 2012-05-21 # default: @inet_acl = qw( 127.0.0.1 ::1 ); @inet_acl = qw( 127.0.0.1 10.0.0.80/32 ); # access allowed from this hosts ... # Django : 2012-05-21 # default: $sa_tag2_level_deflt = 6.2; $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level # Django : 2012-05-21 # default: $sa_kill_level_deflt = 6.9; $sa_kill_level_deflt = 6.31; # triggers spam evasive actions (e.g. blocks mail) ... # Django : 2010-05-21 # default: unset $myhostname = 'amavis.dmz.nausch.org'; # must be a fully-qualified domain name! ... # Django : 2010-05-21 # definiert wohin der amavisd-new SMTP-Client überprüfte eMails senden soll # default: # $notify_method = 'smtp:[127.0.0.1]:10025'; $notify_method = 'smtp:[mail.dmz.nausch.org]:10025'; # Django : 2010-05-21 # definiert wohin der amavisd-new SMTP-Client Benachrichtigungen, also die zu überprüften eMails, senden soll. # default: # $forward_method = 'smtp:[127.0.0.1]:10025'; $forward_method = 'smtp:[mail.dmz.nausch.org]:10025'; # set to undef with milter! ...
Postfix
Wie schon beim Punkt Grundlagen beschrieben, erweitern wir nun unsere Postfixkonfiguration so, dass die zwei Ports 10024 und 10025 von Postfix bedient werden.
Bei der Konfiguration unseres Postfix-Mailservers kommt es nun darauf an, ob Postfix und AMaViS auf einem Host betrieben wird, oder ob beide Daemons auf getrennten Hosts laufen.
single based host
Im ersten Beispiel gehen wir auf die Konfiguration beider Daemon auf einem gemeinsamen Host ein. Die Konfiguration selbst wird in der Konfigurationsdatei master.cf vorgenommen - wir erweitern also die Datei /etc/postfix/master.cf wie folgt.
# vim /etc/postfix/master.cf
# # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - n - - smtpd # Django : 2012-05-21 # AMaViS-Intergration als smtpd_proxy_filter -o smtpd_proxy_filter=localhost:10024 -o content_filter= # Django : 2012-05-21 # AMaViS-Intergration als smtpd_proxy_filter localhost:10025 inet n - n - - smtpd -o content_filter= -o smtpd_proxy_filter= -o smtpd_authorized_xforward_hosts=127.0.0.0/8 -o smtp_client_restrictions= -o smtp_helo_restrictions= -o smtp_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtp_data_restrictions= -o mynetworks=127.0.0.0/8 -o receive_override_options=no_unknown_recipient_checks
dual based host
Laufen Postfix und AMaViS auf zwei getrennten Maschinen, sieht die Konfiguration geringfügig anders aus. Auf dem Host 10.0.0.80 läuft in dem Beispiel Postfix und auf dem Host 10.0.0.60 AMaViS.
# vim /etc/postfix/master.cf
# # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - n - - smtpd # Django : 2012-05-21 # AMaViS-Intergration als smtpd_proxy_filter -o smtpd_proxy_filter=10.0.0.60:10024 -o content_filter= # Django : 2012-05-21 # AMaViS-Intergration als smtpd_proxy_filter 10.0.0.80:10025 inet n - n - - smtpd -o content_filter= -o smtpd_proxy_filter= -o smtpd_authorized_xforward_hosts=10.0.0.60/32 -o smtp_client_restrictions= -o smtp_helo_restrictions= -o smtp_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtp_data_restrictions= -o mynetworks=10.0.0.60/32 -o receive_override_options=no_unknown_recipient_checks
erster Programmstart - Aktivierung der Konfiguration
AMaViS
Nun ist es an der Zeit, unser AMaViS-System das erste mal zu starten.
# service amavisd start
Starting Mail Virus Scanner (amavisd): [ OK ]
Im Maillog wird uns der Start entsprechend quittiert.
Jun 10 19:00:24 vml000060 amavis[14167]: logging initialized, log level 3, syslog: amavis.mail Jun 10 19:00:24 vml000060 amavis[14167]: starting. /usr/sbin/amavisd at amavis.dmz.nausch.org amavisd-new-2.6.6 (20110518), Unicode aware, LANG="en_US.UTF-8" Jun 10 19:00:24 vml000060 amavis[14167]: user=497, EUID: 497 (497); group=, EGID: 494 494 (494 494) Jun 10 19:00:24 vml000060 amavis[14167]: Perl version 5.010001 Jun 10 19:00:25 vml000060 amavis[14167]: SpamControl: scanner SpamAssassin, module Amavis::SpamControl::SpamAssassin Jun 10 19:00:25 vml000060 amavis[14167]: INFO: SA version: 3.3.1, 3.003001, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Razor2::Client::Agent IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record Error Jun 10 19:00:25 vml000060 amavis[14167]: SpamControl: init_pre_chroot on SpamAssassin done Jun 10 19:00:25 vml000060 amavis[14168]: Net::Server: Process Backgrounded Jun 10 19:00:25 vml000060 amavis[14168]: Net::Server: 2012/06/10-19:00:25 Amavis (type Net::Server::PreForkSimple) starting! pid(14168) Jun 10 19:00:25 vml000060 amavis[14168]: Net::Server: Using default listen value of 128 Jun 10 19:00:25 vml000060 amavis[14168]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM Jun 10 19:00:25 vml000060 amavis[14168]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1 Jun 10 19:00:25 vml000060 amavis[14168]: Net::Server: Group Not Defined. Defaulting to EGID '494 494' Jun 10 19:00:25 vml000060 amavis[14168]: Net::Server: User Not Defined. Defaulting to EUID '497' Jun 10 19:00:25 vml000060 amavis[14168]: config files read: /etc/amavisd.conf Jun 10 19:00:25 vml000060 amavis[14168]: Module Amavis::Conf 2.209 Jun 10 19:00:25 vml000060 amavis[14168]: Module Archive::Zip 1.30 Jun 10 19:00:25 vml000060 amavis[14168]: Module BerkeleyDB 0.43 Jun 10 19:00:25 vml000060 amavis[14168]: Module Compress::Zlib 2.02 Jun 10 19:00:25 vml000060 amavis[14168]: Module Convert::TNEF 0.17 Jun 10 19:00:25 vml000060 amavis[14168]: Module Convert::UUlib 1.34 Jun 10 19:00:25 vml000060 amavis[14168]: Module Crypt::OpenSSL::RSA 0.25 Jun 10 19:00:25 vml000060 amavis[14168]: Module DB_File 1.82 Jun 10 19:00:25 vml000060 amavis[14168]: Module Digest::MD5 2.39 Jun 10 19:00:25 vml000060 amavis[14168]: Module Digest::SHA 5.47 Jun 10 19:00:25 vml000060 amavis[14168]: Module IO::Socket::INET6 2.56 Jun 10 19:00:25 vml000060 amavis[14168]: Module MIME::Entity 5.427 Jun 10 19:00:25 vml000060 amavis[14168]: Module MIME::Parser 5.427 Jun 10 19:00:25 vml000060 amavis[14168]: Module MIME::Tools 5.427 Jun 10 19:00:25 vml000060 amavis[14168]: Module Mail::DKIM::Signer 0.37 Jun 10 19:00:25 vml000060 amavis[14168]: Module Mail::DKIM::Verifier 0.37 Jun 10 19:00:25 vml000060 amavis[14168]: Module Mail::Header 2.04 Jun 10 19:00:25 vml000060 amavis[14168]: Module Mail::Internet 2.04 Jun 10 19:00:25 vml000060 amavis[14168]: Module Mail::SpamAssassin 3.003001 Jun 10 19:00:25 vml000060 amavis[14168]: Module Net::DNS 0.65 Jun 10 19:00:25 vml000060 amavis[14168]: Module Net::Server 0.99 Jun 10 19:00:25 vml000060 amavis[14168]: Module NetAddr::IP 4.027 Jun 10 19:00:25 vml000060 amavis[14168]: Module Socket6 0.23 Jun 10 19:00:25 vml000060 amavis[14168]: Module Time::HiRes 1.9721 Jun 10 19:00:25 vml000060 amavis[14168]: Module URI 1.40 Jun 10 19:00:25 vml000060 amavis[14168]: Module Unix::Syslog 1.1 Jun 10 19:00:25 vml000060 amavis[14168]: Amavis::DB code loaded Jun 10 19:00:25 vml000060 amavis[14168]: Amavis::Cache code loaded Jun 10 19:00:25 vml000060 amavis[14168]: SQL base code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: SQL::Log code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: SQL::Quarantine NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: Lookup::SQL code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: Lookup::LDAP code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: AM.PDP-in proto code loaded Jun 10 19:00:25 vml000060 amavis[14168]: SMTP-in proto code loaded Jun 10 19:00:25 vml000060 amavis[14168]: Courier proto code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: SMTP-out proto code loaded Jun 10 19:00:25 vml000060 amavis[14168]: Pipe-out proto code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: BSMTP-out proto code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: Local-out proto code loaded Jun 10 19:00:25 vml000060 amavis[14168]: OS_Fingerprint code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: ANTI-VIRUS code loaded Jun 10 19:00:25 vml000060 amavis[14168]: ANTI-SPAM code loaded Jun 10 19:00:25 vml000060 amavis[14168]: ANTI-SPAM-EXT code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: ANTI-SPAM-C code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: ANTI-SPAM-SA code loaded Jun 10 19:00:25 vml000060 amavis[14168]: Unpackers code loaded Jun 10 19:00:25 vml000060 amavis[14168]: DKIM code loaded Jun 10 19:00:25 vml000060 amavis[14168]: Tools code NOT loaded Jun 10 19:00:25 vml000060 amavis[14168]: Found $file at /usr/bin/file Jun 10 19:00:25 vml000060 amavis[14168]: Found $altermime at /usr/bin/altermime Jun 10 19:00:25 vml000060 amavis[14168]: Internal decoder for .mail Jun 10 19:00:25 vml000060 amavis[14168]: Internal decoder for .asc Jun 10 19:00:25 vml000060 amavis[14168]: Internal decoder for .uue Jun 10 19:00:25 vml000060 amavis[14168]: Internal decoder for .hqx Jun 10 19:00:25 vml000060 amavis[14168]: Internal decoder for .ync Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .F at /usr/bin/unfreeze Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .Z at /usr/bin/uncompress Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .gz at /usr/bin/gzip -d Jun 10 19:00:25 vml000060 amavis[14168]: Internal decoder for .gz (backup, not used) Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .bz2 at /usr/bin/bzip2 -d Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .lzo at /usr/bin/lzop -d Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .rpm at /usr/bin/rpm2cpio Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .cpio at /bin/cpio Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .tar at /bin/cpio Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .deb at /usr/bin/ar Jun 10 19:00:25 vml000060 amavis[14168]: Internal decoder for .zip Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .7z at /usr/bin/7za Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .rar at /usr/bin/unrar Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .arj at /usr/bin/arj Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .arc at /usr/bin/nomarch Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .zoo at /usr/bin/zoo Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .lha at /usr/bin/lha Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .cab at /usr/bin/cabextract Jun 10 19:00:25 vml000060 amavis[14168]: No decoder for .tnef tried: tnef Jun 10 19:00:25 vml000060 amavis[14168]: Internal decoder for .tnef Jun 10 19:00:25 vml000060 amavis[14168]: Found decoder for .exe at /usr/bin/unrar; /usr/bin/lha; /usr/bin/arj Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: KasperskyLab AVP - aveclient Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: KasperskyLab AntiViral Toolkit Pro (AVP) Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: KasperskyLab AVPDaemonClient Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: CentralCommand Vexira (new) vascan Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: Avira AntiVir Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: Command AntiVirus for Linux Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: Symantec CarrierScan via Symantec CommandLineScanner Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: Symantec AntiVirus Scan Engine Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: F-Secure Antivirus for Linux servers Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: CAI InoculateIT Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: CAI eTrust Antivirus Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: MkS_Vir for Linux (beta) Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: MkS_Vir daemon Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: ESET Software ESETS Command Line Interface Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: ESET NOD32 for Linux File servers Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: Norman Virus Control v5 / Linux Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: Panda CommandLineSecure 9 for Linux Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: NAI McAfee AntiVirus (uvscan) Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: VirusBuster Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: CyberSoft VFind Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: avast! Antivirus Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: Ikarus AntiVirus for Linux Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: BitDefender Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: BitDefender Jun 10 19:00:25 vml000060 amavis[14168]: No primary av scanner: ArcaVir for Linux Jun 10 19:00:25 vml000060 amavis[14168]: No secondary av scanner: ClamAV-clamscan Jun 10 19:00:25 vml000060 amavis[14168]: No secondary av scanner: F-PROT Antivirus for UNIX Jun 10 19:00:25 vml000060 amavis[14168]: No secondary av scanner: FRISK F-Prot Antivirus Jun 10 19:00:25 vml000060 amavis[14168]: No secondary av scanner: Trend Micro FileScanner Jun 10 19:00:25 vml000060 amavis[14168]: No secondary av scanner: drweb - DrWeb Antivirus Jun 10 19:00:25 vml000060 amavis[14168]: No secondary av scanner: Kaspersky Antivirus v5.5 Jun 10 19:00:25 vml000060 amavis[14168]: Creating db in /var/amavis/db/; BerkeleyDB 0.43, libdb 4.7 Jun 10 19:00:25 vml000060 amavis[14168]: initializing Mail::SpamAssassin Jun 10 19:00:25 vml000060 amavis[14168]: SpamAssassin debug facilities: info Jun 10 19:00:28 vml000060 amavis[14168]: SA info: rules: meta test FROM_41_FREEMAIL has dependency 'NSL_RCVD_FROM_41' with a zero score Jun 10 19:00:28 vml000060 amavis[14168]: SpamAssassin loaded plugins: AutoLearnThreshold, Bayes, BodyEval, Check, DKIM, DNSEval, FreeMail, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject Jun 10 19:00:28 vml000060 amavis[14168]: SpamControl: init_pre_fork on SpamAssassin done Jun 10 19:00:28 vml000060 amavis[14168]: extra modules loaded after daemonizing/chrooting: Mail/SpamAssassin/Plugin/FreeMail.pm Jun 10 19:00:28 vml000060 amavis[14182]: TIMING [total 14 ms] - bdb-open: 14 (100%)100, rundown: 0 (0%)100 Jun 10 19:00:28 vml000060 amavis[14183]: TIMING [total 13 ms] - bdb-open: 13 (100%)100, rundown: 0 (0%)100
Die Meldungen No primary av scanner und No secondary av scanner braucht uns nicht zu beunruhigen, schließlich haben wir noch keinen AV-Scanner installiert. Dies werden wir erst im nächsten Kapitel vornehmen.
Über den Port 10024 sollte nun unser daemon ansprechbar sein. Was wir auch sehr einfach mittels lsof überprüfen können:
# lsof -i :10024
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
amavisd 14168 amavis 5u IPv4 57830 0t0 TCP localhost:10024 (LISTEN)
amavisd 14182 amavis 5u IPv4 57830 0t0 TCP localhost:10024 (LISTEN)
amavisd 14183 amavis 5u IPv4 57830 0t0 TCP localhost:10024 (LISTEN)
Via netstat -tulpen können wir ebenfalls abfragen, ob der amavis-Daemon läuft.
# netstat -tulpen | grep 10024
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 497 57830 14168/amavisd (mast
Via telnet localhost 10024 können wir uns nun zum virusscanner-daemon verbinden.
# telnet localhost 10024
Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 [127.0.0.1] ESMTP amavisd-new service ready quit 221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel Connection closed by foreign host.
Postfix
Zum Aktivieren der Konfigurationsänderung am Postfix-Mailserver starten wir diesen einmal durch.
# service postfix restart
Shutting down postfix: [ OK ] Starting postfix: [ OK ]
Ob nun neben unserem Standard SMTP-Port 25 auch der weitere 10025 können wir nun wie folgt überprüfen.
# netstat -tulpen | grep master
tcp 0 0 10.0.0.80:10025 0.0.0.0:* LISTEN 0 86905 24751/master tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 0 86898 24751/master
iptables Paketfilter
Betreiben wir unseren AMaViS-Host und unseren Postfix-Mailserver auf zwei getrennten Hosts müssen wir noch unsere Paketfilter entsprechend anpassen.
AMaVis
Für die Einlieferung der Nachrichten auf Port 10024 öffnen wir nun Port 10024 auf unserem AMaViS-Host, so dass der Postfix-Mailserver mit der IP 10.0.0.80 diesen Port auch erreichen kann.
Hierzu tragen wir folgende Zeile in die Konfigurationsdatei /etc/sysconfig/iptables ein.
# vim /etc/sysconfig/iptables
# Django : 2012-05-21 Port 10024 für den Postfix-Mailserver in der DMZ geöffnet -A INPUT -m state --state NEW -m tcp -i eth0 -s 10.0.0.80 -p tcp --dport 10024 -j ACCEPT # Django : end
Anschließend starten wir den Paketfilter einmal durch.
# service iptables restart
iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: [ OK ]
Nun können wir vom Postfix-Mailserver aus den AMaVS-Host auf Port 10024 erreichen.
# telnet amavis.dmz.nausch.org 10024
Trying 10.0.0.60... Connected to amavis.dmz.nausch.org. Escape character is '^]'. 220 [10.0.0.60] ESMTP amavisd-new service ready quit 221 2.0.0 [10.0.0.60] amavisd-new closing transmission channel Connection closed by foreign host.
Postfix
Für die Rückleitung der Nachrichten auf Port 10025 öffnen wir nun Port 10025 auf unserem Postfix-Mailserver, so dass der AMaViS-Host mit der IP 10.0.0.60 diesen Port auch erreichen kann.
Hierzu tragen wir folgende Zeile in die Konfigurationsdatei /etc/sysconfig/iptables ein.
# vim /etc/sysconfig/iptables
# Django : 2012-05-21 Port 10025 für die Rückleitung der AMaViS-Verbindung in der DMZ geöffnet -A INPUT -m state --state NEW -m tcp -i eth0 -s 10.0.0.60 -p tcp --dport 10025 -j ACCEPT # Django : end
Anschließend starten wir den Paketfilter einmal durch.
# service iptables restart
iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: [ OK ]
Nun können wir vom AMaViS-Host aus den Postfix-Mailserver auf Port 10025 erreichen.
# telnet mail.dmz.nausch.org 10025
Trying 10.0.0.80... Connected to mail.dmz.nausch.org. Escape character is '^]'. 220 mx1.nausch.org ESMTP Postfix quit 221 2.0.0 Bye Connection closed by foreign host.
automatisches Starten des Dienste beim Systemstart
Damit nun unser AMaViS-Server beim Booten automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor.
# chkconfig amavisd on
Anschließend überprüfen wir noch unsere Änderung:
# chkconfig --list | grep amavisd
amavisd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vorläufige Konfiguration
Bevor wir uns nun an die Konfiguration der beiden Backend-Systeme SpamAssassin und ClamAV befassen, werfen wir noch einen abschließenden Blick in die vorläufige Konfigurationsdatei.
# vim /etc/amavisd.conf
- /etc/amavisd.conf
use strict; # a minimalistic configuration file for amavisd-new with all necessary settings # # see amavisd.conf-default for a list of all variables with their defaults; # see amavisd.conf-sample for a traditional-style commented file; # for more details see documentation in INSTALL, README_FILES/* # and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html # COMMONLY ADJUSTED SETTINGS: # @bypass_virus_checks_maps = (1); # controls running of anti-virus code # @bypass_spam_checks_maps = (1); # controls running of anti-spam code # $bypass_decode_parts = 1; # controls running of decoders&dearchivers $max_servers = 2; # num of pre-forked children (2..30 is common), -m $daemon_user = "amavis"; # (no default; customary: vscan or amavis), -u $daemon_group = "amavis"; # (no default; customary: vscan or amavis), -g # Django : 2012-05-21 # default: $mydomain = 'example.com'; $mydomain = 'nausch.org'; # a convenient default for other settings # Django : 2012-06-25 "by localhost" in den Haederzeilen durch "" ersetzen # default: unset $localhost_name = ""; # $MYHOME = '/var/amavis'; # a convenient default for other settings, -H $TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc. $QUARANTINEDIR = "/var/virusmails"; # $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine # $release_format = 'resend'; # 'attach', 'plain', 'resend' # $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf' # $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R $db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D # $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S # $lock_file = "$MYHOME/var/amavisd.lock"; # -L # $pid_file = "$MYHOME/var/amavisd.pid"; # -P #NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually # Django : 2012-05-21 # default: $log_level = 0; $log_level = 3; # verbosity 0..5, -d $log_recip_templ = undef; # disable by-recipient level-0 log entries $DO_SYSLOG = 1; # log via syslogd (preferred) $syslog_facility = 'mail'; # Syslog facility as a string # e.g.: mail, daemon, user, local0, ... local7 $syslog_priority = 'debug'; # Syslog base (minimal) priority as a string, # choose from: emerg, alert, crit, err, warning, notice, info, debug $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 $nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed $enable_dkim_verification = 1; # enable DKIM signatures verification $enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key @local_domains_maps = ( [".$mydomain"] ); # list of all local domains # Django : 2012-05-21 # @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 # 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); @mynetworks = qw( 127.0.0.0/8 10.0.0.0/24 ); $unix_socketname = "$MYHOME/amavisd.sock"; # amavisd-release or amavis-milter # option(s) -p overrides $inet_socket_port and $unix_socketname $inet_socket_port = 10024; # listen on this local TCP port(s) # $inet_socket_port = [10024,10026]; # listen on multiple TCP ports # Django : 2012-05-21 # default: unset # listening only on localhost $inet_socket_bind = '*'; # listen on this port 10024 on all network-interfaces # Django : 2012-05-21 # default: @inet_acl = qw( 127.0.0.1 ::1 ); @inet_acl = qw( 127.0.0.1 10.0.0.80/32 ); # access allowed from this hosts $policy_bank{'MYNETS'} = { # mail originating from @mynetworks originating => 1, # is true in MYNETS by default, but let's make it explicit os_fingerprint_method => undef, # don't query p0f for internal clients }; # it is up to MTA to re-route mail from authenticated roaming users or # from internal hosts to a dedicated TCP port (such as 10026) for filtering $interface_policy{'10026'} = 'ORIGINATING'; $policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users originating => 1, # declare that mail was submitted by our smtp client allow_disclaimers => 1, # enables disclaimer insertion if available # notify administrator of locally originating malware virus_admin_maps => ["virusalert\@$mydomain"], spam_admin_maps => ["virusalert\@$mydomain"], warnbadhsender => 1, # forward to a smtpd service providing DKIM signing service forward_method => 'smtp:[127.0.0.1]:10027', # force MTA conversion to 7-bit (e.g. before DKIM signing) smtpd_discard_ehlo_keywords => ['8BITMIME'], bypass_banned_checks_maps => [1], # allow sending any file names and types terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option }; $interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname # Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c # (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'): $policy_bank{'AM.PDP-SOCK'} = { protocol => 'AM.PDP', auth_required_release => 0, # do not require secret_id for amavisd-release }; $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level # Django : 2012-05-21 # default: $sa_tag2_level_deflt = 6.2; $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level # Django : 2012-05-21 # default: $sa_kill_level_deflt = 6.9; $sa_kill_level_deflt = 6.31; # triggers spam evasive actions (e.g. blocks mail) $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent $sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From # $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off $penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database) $penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam $bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces $sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger $sa_local_tests_only = 0; # only tests which do not require internet access? # @lookup_sql_dsn = # ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'], # ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], # ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); # @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database # $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP; # defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16) $virus_admin = "virusalert\@$mydomain"; # notifications recip. $mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender $mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender $mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender $mailfrom_to_quarantine = ''; # null return path; uses original sender if undef @addr_extension_virus_maps = ('virus'); @addr_extension_banned_maps = ('banned'); @addr_extension_spam_maps = ('spam'); @addr_extension_bad_header_maps = ('badh'); # $recipient_delimiter = '+'; # undef disables address extensions altogether # when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+ $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; # $dspam = 'dspam'; $MAXLEVELS = 14; $MAXFILES = 1500; $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) $sa_spam_subject_tag = '***SPAM*** '; $defang_virus = 1; # MIME-wrap passed infected mail $defang_banned = 1; # MIME-wrap passed mail containing banned name # for defanging bad headers only turn on certain minor contents categories: $defang_by_ccat{+CC_BADH.",3"} = 1; # NUL or CR character in header $defang_by_ccat{+CC_BADH.",5"} = 1; # header line longer than 998 characters $defang_by_ccat{+CC_BADH.",6"} = 1; # header field syntax error # OTHER MORE COMMON SETTINGS (defaults may suffice): # Django : 2010-05-21 # default: unset $myhostname = 'amavis.dmz.nausch.org'; # must be a fully-qualified domain name! # Django : 2010-05-21 # default: # $notify_method = 'smtp:[127.0.0.1]:10025'; $notify_method = 'smtp:[mail.dmz.nausch.org]:10025'; # Django : 2010-05-21 # default: # $forward_method = 'smtp:[127.0.0.1]:10025'; $forward_method = 'smtp:[mail.dmz.nausch.org]:10025'; # set to undef with milter! # $final_virus_destiny = D_DISCARD; # $final_banned_destiny = D_BOUNCE; # $final_spam_destiny = D_BOUNCE; # $final_bad_header_destiny = D_PASS; # $bad_header_quarantine_method = undef; # $os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl ## hierarchy by which a final setting is chosen: ## policy bank (based on port or IP address) -> *_by_ccat ## *_by_ccat (based on mail contents) -> *_maps ## *_maps (based on recipient address) -> final configuration value # SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all) # $warnbadhsender, # $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps) # # @bypass_virus_checks_maps, @bypass_spam_checks_maps, # @bypass_banned_checks_maps, @bypass_header_checks_maps, # # @virus_lovers_maps, @spam_lovers_maps, # @banned_files_lovers_maps, @bad_header_lovers_maps, # # @blacklist_sender_maps, @score_sender_maps, # # $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to, # $bad_header_quarantine_to, $spam_quarantine_to, # # $defang_bad_header, $defang_undecipherable, $defang_spam # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS @keep_decoded_original_maps = (new_RE( qr'^MAIL$', # retain full original message for virus checking qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, # qr'^Zip archive data', # don't trust Archive::Zip )); # for $banned_namepath_re (a new-style of banned table) see amavisd.conf-sample $banned_filename_re = new_RE( ### BLOCKED ANYWHERE # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary # qr'^\.(exe|lha|cab|dll)$', # banned file(1) types ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: # [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives qr'.\.(pif|scr)$'i, # banned extensions - rudimentary # qr'^\.zip$', # block zip type ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, # qr'^message/partial$'i, # rfc2046 MIME type # qr'^message/external-body$'i, # rfc2046 MIME type # qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type # qr'^\.wmf$', # Windows Metafile file(1) type # block certain double extensions in filenames qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, # qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict # qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic # qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| # inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst| # ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs| # wmf|wsc|wsf|wsh)$'ix, # banned ext - long # qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename # qr'^\.ani$', # banned animated cursor file(1) type # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. ); # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 # and http://www.cknow.com/vtutor/vtextensions.htm # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING @score_sender_maps = ({ # a by-recipient hash lookup table, # results from all matching recipient tables are summed # ## per-recipient personal tables (NOTE: positive: black, negative: white) # 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], # 'user3@example.com' => [{'.ebay.com' => -3.0}], # 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, # '.cleargreen.com' => -5.0}], ## site-wide opinions about senders (the '.' matches any recipient) '.' => [ # the _first_ matching sender determines the score boost new_RE( # regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], [qr'^(your_friend|greatoffers)@'i => 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], ), # read_hash("/var/amavis/sender_scores_sitewide"), { # a hash-type lookup table (associative array) 'nobody@cert.org' => -3.0, 'cert-advisory@us-cert.gov' => -3.0, 'owner-alert@iss.net' => -3.0, 'slashdot@slashdot.org' => -3.0, 'securityfocus.com' => -3.0, 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, 'security-alerts@linuxsecurity.com' => -3.0, 'mailman-announce-admin@python.org' => -3.0, 'amavis-user-admin@lists.sourceforge.net'=> -3.0, 'amavis-user-bounces@lists.sourceforge.net' => -3.0, 'spamassassin.apache.org' => -3.0, 'notification-return@lists.sophos.com' => -3.0, 'owner-postfix-users@postfix.org' => -3.0, 'owner-postfix-announce@postfix.org' => -3.0, 'owner-sendmail-announce@lists.sendmail.org' => -3.0, 'sendmail-announce-request@lists.sendmail.org' => -3.0, 'donotreply@sendmail.org' => -3.0, 'ca+envelope@sendmail.org' => -3.0, 'noreply@freshmeat.net' => -3.0, 'owner-technews@postel.acm.org' => -3.0, 'ietf-123-owner@loki.ietf.org' => -3.0, 'cvs-commits-list-admin@gnome.org' => -3.0, 'rt-users-admin@lists.fsck.com' => -3.0, 'clp-request@comp.nus.edu.sg' => -3.0, 'surveys-errors@lists.nua.ie' => -3.0, 'emailnews@genomeweb.com' => -5.0, 'yahoo-dev-null@yahoo-inc.com' => -3.0, 'returns.groups.yahoo.com' => -3.0, 'clusternews@linuxnetworx.com' => -3.0, lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score) 'sender@example.net' => 3.0, '.example.net' => 1.0, }, ], # end of site-wide tables }); @decoders = ( ['mail', \&do_mime_decode], ['asc', \&do_ascii], ['uue', \&do_ascii], ['hqx', \&do_ascii], ['ync', \&do_ascii], ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ], ['gz', \&do_uncompress, 'gzip -d'], ['gz', \&do_gunzip], ['bz2', \&do_uncompress, 'bzip2 -d'], ['lzo', \&do_uncompress, 'lzop -d'], ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['deb', \&do_ar, 'ar'], # ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill ['zip', \&do_unzip], ['7z', \&do_7zip, ['7zr','7za','7z'] ], ['rar', \&do_unrar, ['rar','unrar'] ], ['arj', \&do_unarj, ['arj','unarj'] ], ['arc', \&do_arc, ['nomarch','arc'] ], ['zoo', \&do_zoo, ['zoo','unzoo'] ], ['lha', \&do_lha, 'lha'], # ['doc', \&do_ole, 'ripole'], ['cab', \&do_cabextract, 'cabextract'], ['tnef', \&do_tnef_ext, 'tnef'], ['tnef', \&do_tnef], # ['sit', \&do_unstuff, 'unstuff'], # broken/unsafe decoder ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], ); @av_scanners = ( # ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/) # ['Sophie', # \&ask_daemon, ["{}/\n", '/var/run/sophie'], # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, # qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], # ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ # ['Sophos SAVI', \&sophos_savi ], # ### http://www.clamav.net/ # ['ClamAV-clamd', # \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], # qr/\bOK$/m, qr/\bFOUND$/m, # qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], # # NOTE: run clamd under the same user as amavisd, or run it under its own # # uid such as clamav, add user clamav to the amavis group, and then add # # AllowSupplementaryGroups to clamd.conf; # # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in # # this entry; when running chrooted one may prefer socket "$MYHOME/clamd". # ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) # # note that Mail::ClamAV requires perl to be build with threading! # ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/m ], # ### http://www.openantivirus.org/ # ['OpenAntiVirus ScannerDaemon (OAV)', # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], # qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ], # ### http://www.vanja.com/tools/trophie/ # ['Trophie', # \&ask_daemon, ["{}/\n", '/var/run/trophie'], # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, # qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], # ### http://www.grisoft.com/ # ['AVG Anti-Virus', # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], # qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ], # ### http://www.f-prot.com/ # ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6 # \&ask_daemon, # ["SCAN FILE {}/*\n", '127.0.0.1:10200'], # qr/^(0|8|64) /m, # qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m, # qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ], # ### http://www.f-prot.com/ # ['F-Prot f-protd', # old version # \&ask_daemon, # ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", # ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202', # '127.0.0.1:10203', '127.0.0.1:10204'] ], # qr/(?i)<summary[^>]*>clean<\/summary>/m, # qr/(?i)<summary[^>]*>infected<\/summary>/m, # qr/(?i)<name>(.+)<\/name>/m ], # ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ # ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later # [pack('N',1). # DRWEBD_SCAN_CMD # pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES # pack('N', # path length # length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). # '{}/*'. # path # pack('N',0). # content size # pack('N',0), # '/var/drweb/run/drwebd.sock', # # '/var/amavis/var/run/drwebd.sock', # suitable for chroot # # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default # # '127.0.0.1:3000', # or over an inet socket # ], # qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED # qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF # qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm, # ], # # NOTE: If using amavis-milter, change length to: # # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). ### http://www.kaspersky.com/ (kav4mailservers) ['KasperskyLab AVP - aveclient', ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m, qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, ], # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, # currupted or protected archives are to be handled ### http://www.kaspersky.com/ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? qr/infected: (.+)/m, sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], ### The kavdaemon and AVPDaemonClient have been removed from Kasperky ### products and replaced by aveserver and aveclient ['KasperskyLab AVPDaemonClient', [ '/opt/AVP/kavdaemon', 'kavdaemon', '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', '/opt/AVP/AvpTeamDream', 'AvpTeamDream', '/opt/AVP/avpdc', 'avpdc' ], "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ], # change the startup-script in /etc/init.d/kavd to: # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) # adjusting /var/amavis above to match your $TEMPBASE. # The '-f=/var/amavis' is needed if not running it as root, so it # can find, read, and write its pid file, etc., see 'man kavdaemon'. # defUnix.prf: there must be an entry "*/var/amavis" (or whatever # directory $TEMPBASE specifies) in the 'Names=' section. # cd /opt/AVP/DaemonClients; configure; cd Sample; make # cp AvpDaemonClient /opt/AVP/ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" ### http://www.centralcommand.com/ ['CentralCommand Vexira (new) vascan', ['vascan','/usr/lib/Vexira/vascan'], "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". "--log=/var/log/vascan.log {}", [0,3], [1,2,5], qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ], # Adjust the path of the binary and the virus database as needed. # 'vascan' does not allow to have the temp directory to be the same as # the quarantine directory, and the quarantine option can not be disabled. # If $QUARANTINEDIR is not used, then another directory must be specified # to appease 'vascan'. Move status 3 to the second list if password # protected files are to be considered infected. ### http://www.avira.com/ ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus ['Avira AntiVir', ['antivir','vexira'], '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m, qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ], # NOTE: if you only have a demo version, remove -z and add 214, as in: # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, ### http://www.commandsoftware.com/ ['Command AntiVirus for Linux', 'csav', '-all -archive -packed {}', [50], [51,52,53], qr/Infection: (.+)/m ], ### http://www.symantec.com/ ['Symantec CarrierScan via Symantec CommandLineScanner', 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', qr/^Files Infected:\s+0$/m, qr/^Infected\b/m, qr/^(?:Info|Virus Name):\s+(.+)/m ], ### http://www.symantec.com/ ['Symantec AntiVirus Scan Engine', 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', [0], qr/^Infected\b/m, qr/^(?:Info|Virus Name):\s+(.+)/m ], # NOTE: check options and patterns to see which entry better applies # ### http://www.f-secure.com/products/anti-virus/ version 4.65 # ['F-Secure Antivirus for Linux servers', # ['/opt/f-secure/fsav/bin/fsav', 'fsav'], # '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '. # '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8], # qr/(?:infection|Infected|Suspected): (.+)/m ], ### http://www.f-secure.com/products/anti-virus/ version 5.52 ['F-Secure Antivirus for Linux servers', ['/opt/f-secure/fsav/bin/fsav', 'fsav'], '--virus-action1=report --archive=yes --auto=yes '. '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], # NOTE: internal archive handling may be switched off by '--archive=no' # to prevent fsav from exiting with status 9 on broken archives # ### http://www.avast.com/ # ['avast! Antivirus daemon', # \&ask_daemon, # greets with 220, terminate with QUIT # ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'], # qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ], # ### http://www.avast.com/ # ['avast! Antivirus - Client/Server Version', 'avastlite', # '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], # qr/\t\[L\]\t([^[ \t\015\012]+)/m ], ['CAI InoculateIT', 'inocucmd', # retired product '-sec -nex {}', [0], [100], qr/was infected by virus (.+)/m ], # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) ['CAI eTrust Antivirus', 'etrust-wrapper', '-arc -nex -spm h {}', [0], [101], qr/is infected by virus: (.+)/m ], # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 ### http://mks.com.pl/english.html ['MkS_Vir for Linux (beta)', ['mks32','mks'], '-s {}/*', [0], [1,2], qr/--[ \t]*(.+)/m ], ### http://mks.com.pl/english.html ['MkS_Vir daemon', 'mksscan', '-s -q {}', [0], [1..7], qr/^... (\S+)/m ], # ### http://www.nod32.com/, version v2.52 (old) # ['ESET NOD32 for Linux Mail servers', # ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'], # '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '. # '-w -a --action-on-infected=accept --action-on-uncleanable=accept '. # '--action-on-notscanned=accept {}', # [0,3], [1,2], qr/virus="([^"]+)"/m ], # ### http://www.eset.com/, version v2.7 (old) # ['ESET NOD32 Linux Mail Server - command line interface', # ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'], # '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ], # ### http://www.eset.com/, version 2.71.12 # ['ESET Software ESETS Command Line Interface', # ['/usr/bin/esets_cli', 'esets_cli'], # '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ], ### http://www.eset.com/, version 3.0 ['ESET Software ESETS Command Line Interface', ['/usr/bin/esets_cli', 'esets_cli'], '--subdir {}', [0], [1,2,3], qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ], ## http://www.nod32.com/, NOD32LFS version 2.5 and above ['ESET NOD32 for Linux File servers', ['/opt/eset/nod32/sbin/nod32','nod32'], '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '. '-w -a --action=1 -b {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/m ], # Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 # ['ESET Software NOD32 Client/Server (NOD32SS)', # \&ask_daemon2, # greets with 200, persistent, terminate with QUIT # ["SCAN {}/*\r\n", '127.0.0.1:8448' ], # qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ], ### http://www.norman.com/products_nvc.shtml ['Norman Virus Control v5 / Linux', 'nvcc', '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], qr/(?i).* virus in .* -> \'(.+)\'/m ], ### http://www.pandasoftware.com/ ['Panda CommandLineSecure 9 for Linux', ['/opt/pavcl/usr/bin/pavcl','pavcl'], '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', qr/Number of files infected[ .]*: 0+(?!\d)/m, qr/Number of files infected[ .]*: 0*[1-9]/m, qr/Found virus :\s*(\S+)/m ], # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' # before starting amavisd - the bases are then loaded only once at startup. # To reload bases in a signature update script: # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr # Please review other options of pavcl, for example: # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies # ### http://www.pandasoftware.com/ # ['Panda Antivirus for Linux', ['pavcl'], # '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', # [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], # qr/Found virus :\s*(\S+)/m ], # GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. # Check your RAV license terms before fiddling with the following two lines! # ['GeCAD RAV AntiVirus 8', 'ravav', # '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ], # # NOTE: the command line switches changed with scan engine 8.5 ! # # (btw, assigning stdin to /dev/null causes RAV to fail) ### http://www.nai.com/ ['NAI McAfee AntiVirus (uvscan)', 'uvscan', '--secure -rv --mime --summary --noboot - {}', [0], [13], qr/(?x) Found (?: \ the\ (.+)\ (?:virus|trojan) | \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | :\ (.+)\ NOT\ a\ virus)/m, # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, # sub {delete $ENV{LD_PRELOAD}}, ], # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 # and then clear it when finished to avoid confusing anything else. # NOTE2: to treat encrypted files as viruses replace the [13] with: # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ ### http://www.virusbuster.hu/en/ ['VirusBuster', ['vbuster', 'vbengcl'], "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], qr/: '(.*)' - Virus/m ], # VirusBuster Ltd. does not support the daemon version for the workstation # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of # binaries, some parameters AND return codes have changed (from 3 to 1). # See also the new Vexira entry 'vascan' which is possibly related. # ### http://www.virusbuster.hu/en/ # ['VirusBuster (Client + Daemon)', 'vbengd', # '-f -log scandir {}', [0], [3], # qr/Virus found = (.*);/m ], # # HINT: for an infected file it always returns 3, # # although the man-page tells a different story ### http://www.cyber.com/ ['CyberSoft VFind', 'vfind', '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m, # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, ], ### http://www.avast.com/ ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ], ### http://www.ikarus-software.com/ ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40], qr/Signature (.+) found/m ], ### http://www.bitdefender.com/ ['BitDefender', 'bdscan', # new version '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m, qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m, qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ], ### http://www.bitdefender.com/ ['BitDefender', 'bdc', # old version '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m, qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m, qr/(?:suspected|infected): (.*)(?:\033|$)/m ], # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may # not apply to your version of bdc, check documentation and see 'bdc --help' ### ArcaVir for Linux and Unix http://www.arcabit.pl/ ['ArcaVir for Linux', ['arcacmd','arcacmd.static'], '-v 1 -summary 0 -s {}', [0], [1,2], qr/(?:VIR|WIR):[ \t]*(.+)/m ], # ### a generic SMTP-client interface to a SMTP-based virus scanner # ['av_smtp', \&ask_av_smtp, # ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'], # qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ], # ['File::Scan', sub {Amavis::AV::ask_av(sub{ # use File::Scan; my($fn)=@_; # my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); # my($vname) = $f->scan($fn); # $f->error ? (2,"Error: ".$f->error) # : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) }, # ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ], # ### fully-fledged checker for JPEG marker segments of invalid length # ['check-jpeg', # sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) }, # ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ], # # NOTE: place file JpegTester.pm somewhere where Perl can find it, # # for example in /usr/local/lib/perl5/site_perl ); @av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6 ['F-PROT Antivirus for UNIX', ['fpscan'], '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10 [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3], qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ], ### http://www.f-prot.com/ - backs up F-Prot Daemon (old) ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8], qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ], ### http://www.trendmicro.com/ - backs up Trophie ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ], ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ], ### http://www.kaspersky.com/ ['Kaspersky Antivirus v5.5', ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', '/opt/kav/5.5/kav4unix/bin/kavscanner', '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'], '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25], qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m, # sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, # sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], # Commented out because the name 'sweep' clashes with Debian and FreeBSD # package/port of an audio editor. Make sure the correct 'sweep' is found # in the path when enabling. # # ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl # ['Sophos Anti Virus (sweep)', 'sweep', # '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. # '--no-reset-atime {}', # [0,2], qr/Virus .*? found/m, # qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, # ], # # other options to consider: -idedir=/usr/local/sav # Always succeeds and considers mail clean. # Potentially useful when all other scanners fail and it is desirable # to let mail continue to flow with no virus checking (when uncommented). # ['always-clean', sub {0}], ); 1; # insure a defined return value