use strict;

################################################################################
#                                                                              #
#  Django : 2014-11-15 - sample configuration for AMaViS 2.9 on CentOS 7       #
#                                                                              #
################################################################################
# Every available variable is listed in
# /usr/share/doc/amavisd-new-2.9.1/amavisd.conf-default from the RPM; the page
# http://www.ijs.si/software/amavisd/amavisd-new-docs.html carries further
# explanations and configuration examples.
################################################################################
## PATHS OF THE LOCAL INSTALLATION
#

# Search path used when amavisd runs the external decoders and scanners.
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

# Working directory of AMaViS.
$MYHOME = '/var/spool/amavisd';

# Directory for temporary data.  Double quotes are required here: the
# commented single-quoted form would not interpolate $MYHOME.
#$TEMPBASE = '$MYHOME/tmp';
$TEMPBASE = "$MYHOME/tmp";

# TMPDIR environment variable, used by SpamAssassin among others.
$ENV{TMPDIR} = $TEMPBASE;

# No quarantine is used, so no quarantine directory is needed.
$QUARANTINEDIR = undef;

# Directory holding the Berkeley DB files for nanny/cache/snmp.
$db_home = "$MYHOME/db";

# PID and lock file locations.
$lock_file = "/var/run/amavisd/amavisd.lock";
$pid_file  = "/var/run/amavisd/amavisd.pid";

# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
#
# A by-recipient hash lookup table; the results of all matching recipient
# tables are summed.  Positive scores soft-blacklist, negative ones soft-
# whitelist.  Per-recipient personal tables would look like:
#   'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
#   'user3@example.com' => [{'.ebay.com' => -3.0}],
#   'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
#                            '.cleargreen.com' => -5.0}],
@score_sender_maps = ({
    # Site-wide opinions about senders; the '.' key matches any recipient.
    '.' => [
        # Regexp-type lookup table; the first matching sender determines
        # the score boost.  All entries here are soft-blacklist.
        new_RE(
            [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
            [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i => 5.0],
            [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i => 5.0],
            [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
            [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
            [qr'^(your_friend|greatoffers)@'i => 5.0],
            [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
        ),
        # read_hash("/var/amavis/sender_scores_sitewide"),

        # Hash-type lookup table (associative array); mostly mailing-list
        # senders that are soft-whitelisted.
        {
            'nobody@cert.org'                              => -3.0,
            'cert-advisory@us-cert.gov'                    => -3.0,
            'owner-alert@iss.net'                          => -3.0,
            'slashdot@slashdot.org'                        => -3.0,
            'securityfocus.com'                            => -3.0,
            'ntbugtraq@listserv.ntbugtraq.com'             => -3.0,
            'security-alerts@linuxsecurity.com'            => -3.0,
            'mailman-announce-admin@python.org'            => -3.0,
            'amavis-user-admin@lists.sourceforge.net'      => -3.0,
            'amavis-user-bounces@lists.sourceforge.net'    => -3.0,
            'spamassassin.apache.org'                      => -3.0,
            'notification-return@lists.sophos.com'         => -3.0,
            'owner-postfix-users@postfix.org'              => -3.0,
            'owner-postfix-announce@postfix.org'           => -3.0,
            'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
            'sendmail-announce-request@lists.sendmail.org' => -3.0,
            'donotreply@sendmail.org'                      => -3.0,
            'ca+envelope@sendmail.org'                     => -3.0,
            'noreply@freshmeat.net'                        => -3.0,
            'owner-technews@postel.acm.org'                => -3.0,
            'ietf-123-owner@loki.ietf.org'                 => -3.0,
            'cvs-commits-list-admin@gnome.org'             => -3.0,
            'rt-users-admin@lists.fsck.com'                => -3.0,
            'clp-request@comp.nus.edu.sg'                  => -3.0,
            'surveys-errors@lists.nua.ie'                  => -3.0,
            'emailnews@genomeweb.com'                      => -5.0,
            'yahoo-dev-null@yahoo-inc.com'                 => -3.0,
            'returns.groups.yahoo.com'                     => -3.0,
            'clusternews@linuxnetworx.com'                 => -3.0,
            # lc() because lookup keys are matched in lower case.
            lc('lvs-users-admin@LinuxVirtualServer.org')   => -3.0,
            lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

            # Soft-blacklisting (positive score).
            'sender@example.net' => 3.0,
            '.example.net'       => 1.0,
        },
    ],  # end of site-wide tables
});

# External utilities amavisd uses to unpack archives.  Each of these runs
# on attacker-supplied input, so keep the tools patched.
@decoders = (
    ['mail', \&do_mime_decode],
    ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
    ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
    ['gz',   \&do_uncompress, 'gzip -d'],
    ['gz',   \&do_gunzip],
    ['bz2',  \&do_uncompress, 'bzip2 -d'],
    ['xz',   \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
    ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma', 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
    ['lrz',  \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
    ['lzo',  \&do_uncompress, 'lzop -d'],
    ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
    [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
    ['deb',  \&do_ar, 'ar'],
    ['rar',  \&do_unrar, ['unrar', 'rar'] ],
    ['arj',  \&do_unarj, ['unarj', 'arj'] ],
    ['arc',  \&do_arc, ['nomarch', 'arc'] ],
    ['zoo',  \&do_zoo, ['zoo', 'unzoo'] ],
    ['cab',  \&do_cabextract, 'cabextract'],
    ['tnef', \&do_tnef],
    [['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
    [['zip','kmz'], \&do_unzip],
    ['7z',   \&do_7zip, ['7zr', '7za', '7z'] ],
    [[qw(7z zip gz bz2 Z tar)], \&do_7zip, ['7za', '7z'] ],
    [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip, '7z' ],
    ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);

# The complete original mail is handed to the virus scanner as well; the
# decoded contents of archives are never trusted on their own.
@keep_decoded_original_maps = (new_RE(
    qr'^MAIL$',
    qr'^MAIL-UNDECIPHERABLE$',
    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)',
));

################################################################################
## BASIC SERVER SETTINGS AND DEFINITIONS
#
# Number of pre-forked child processes to start.
$max_servers = 5;

# User and group the AMaViS daemon runs as.
($daemon_user, $daemon_group) = ('amavis', 'amavis');

# FQDN of the AMaViS host.
$myhostname = 'viruswall.dmz.nausch.org';

# Local domain of the AMaViS host.
$mydomain = 'nausch.org';

# Address extension delimiter in e-mail addresses.
$recipient_delimiter = '+';

# Everything is set to undef here; back-routing to the MTA is defined per
# policy bank.  $forward_method must stay undef when the amavisd-milter is
# used, otherwise mail would be delivered twice.
$forward_method = undef;
$notify_method  = 'smtp:[mail.dmz.nausch.org]:10025';

#$allowed_added_header_fields{lc('X-Virus-Scanned')} = 0;

################################################################################
## LOGGING
#
# Verbosity 0..5 (-d on the command line).
# Django : 2014-11-18 - raised from the default of 0.
$log_level = 3;

# Disable by-recipient level-0 log entries.
$log_recip_templ = undef;

# Log via syslogd (preferred) to the given facility with the given minimal
# priority.  syslog handles the log lines; amavisd writes no file itself.
$do_syslog        = 1;
$syslog_facility  = 'mail';
$syslog_priority  = 'debug';

# BerkeleyDB/libdb (SNMP and nanny) and the libdb-based cache; the cache
# only takes effect because $enable_db is on.
$enable_db           = 1;
$enable_global_cache = 1;

# ZeroMQ for SNMP and nanny is left disabled.
# $enable_zmq = 1;

# nanny verbosity: 1 traditional, 2 detailed.
$nanny_details_level = 2;

# Optional SQL / Redis logging and lookup back-ends, all disabled here.
# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
# $redis_logging_key = 'amavis-log';
# $redis_logging_queue_size_limit = 300000;  # about 250 MB / 100000
# $timestamp_fmt_mysql = 1;  # if using MySQL *and* msgs.time_iso is TIMESTAMP;
#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
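################################################################################
## SOCKETS
#
# Where AMaViS listens for incoming connections.
@listen_sockets = ( '10.0.0.67:10024', '127.0.0.1:9998', "$MYHOME/amavisd.sock" );

################################################################################
## POLICY MAPPINGS
#
# Incoming connections are routed into policy banks by several criteria.

# TCP sockets to policy banks.  Port 9998 is the AM.PDP release/admin
# protocol and is bound to 127.0.0.1 only (see @listen_sockets).
$interface_policy{'9998'}  = 'AM.PDP-INET';
$interface_policy{'10024'} = 'ORIGINATING';

# UNIX domain socket to policy bank (used by the milter).
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';

# Client IP addresses/ranges to policy banks.
# NOTE(review): LOCALHOST, PRIVATENETS, PARTNER, CUSTOMERS and HOSTING are
# referenced here but no $policy_bank{...} for them appears in this file;
# 192.0.2.x/198.51.100.x/203.0.113.x are the documentation ranges from the
# upstream sample.  Confirm these rows are wanted or drop them.
@client_ipaddr_policy = (
    [qw( 0.0.0.0/8 127.0.0.1/32 [::] [::1] )]            => 'LOCALHOST',
    [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )]  => 'PRIVATENETS',
    [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )]         => 'PARTNER',
    [qw( 198.51.100.88/32 )]                             => 'CUSTOMERS',
    [qw( 203.0.113.164/32 )]                             => 'HOSTING',
    # Reference, not a copy: @mynetworks is filled in further below and the
    # reference sees the final contents.
    \@mynetworks                                         => 'MYNETS',
);

# DKIM-verified author domains to policy banks.
@author_to_policy_bank_maps = ( {
    'piratenpartei-bayern.de' => 'WHITELIST,NOBANNEDCHECK,NOVIRUSCHECK',
    '.paypal.de'              => 'WHITELIST',
    '.paypal.com'             => 'WHITELIST',
    'amazon.de'               => 'WHITELIST',
} );

################################################################################
## DESTINATIONS
#
# Traffic directions: these domains are "internal"; everything else is
# external by exclusion.
@local_domains_maps = (
    [".$mydomain"],
    read_hash("/etc/postfix/all_local_domains_map"),
);

# These networks are "internal" senders.  Everything else is external by
# default unless recognised by other criteria such as a DKIM signature or
# the originating port.
# The statement was missing its terminating semicolon, which made the
# following assignment a syntax error when the file was loaded.
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/24 10.0.10.0/26 );

################################################################################
## NOTIFICATIONS
#
# Warn off-site senders/recipients?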
$warn_offsite = 0;

# Envelope sender of all notifications and of DSN copies: all the same
# postmaster address, assigned in one chain.
$mailfrom_notify_admin
    = $mailfrom_notify_recip
    = $mailfrom_notify_sender
    = $mailfrom_notify_spamadmin
    = $dsn_bcc
    = "postmaster\@$mydomain";
$mailfrom_to_quarantine = '';

# From: header of notifications.
# NOTE(review): each value is a bare display name with a trailing space and
# no address part; this looks like an angle-bracketed address was lost when
# the file was copied.  Confirm against the original before relying on it.
$hdrfrom_notify_sender  = "Postmaster ";
$hdrfrom_notify_recip   = "Postmaster ";
$hdrfrom_notify_release = "Postmaster ";

################################################################################
## VIRUS POLICY
#
# Disable the check?  (commented out: checks stay enabled)
# @bypass_virus_checks_maps = (1);
# Quarantine?  No.
$virus_quarantine_to = undef;
# Notify the admin?  No.
$virus_admin = undef;
# Notify the recipient?  Yes.
$warnvirusrecip = 1;
# Address extension on release.
@addr_extension_virus_maps = ('virus');
# Wrap the mail on release.
$defang_virus = 1;
# Transport the content?  No: reject at SMTP time, which avoids creating
# bounces to forged senders.
$final_virus_destiny = D_REJECT;

@av_scanners = (
    ### http://www.clamav.net/
    ['ClamAV-clamd', \&ask_daemon,
        ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
        qr/\bOK$/m, qr/\bFOUND$/m,
        qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);

# No backup scanner; with this empty list a clamd outage leaves mail
# unscanned rather than falling back to clamscan.
@av_scanners_backup = ();
#@av_scanners_backup = (
#    ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
#    ['ClamAV-clamscan', 'clamscan',
#        "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
#        [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
#);

################################################################################
## SPAM POLICY
#
# Disable the check?  (commented out: checks stay enabled)
# @bypass_spam_checks_maps = (1);
# Quarantine?  No.
$spam_quarantine_to = undef;
# Notify the admin?  No.
$spam_admin = undef;
# Address extension on release.
@addr_extension_spam_maps = ('spam');
# Wrap the mail on release?  No.
$defang_spam = undef;
# Transport the content?
$final_spam_destiny = D_REJECT;

# Score thresholds, in one place: spam info headers are added at or above
# the tag level, 'spam detected' headers at the tag2 level, and evasive
# action (blocking) is triggered at the kill level.
($sa_tag_level_deflt, $sa_tag2_level_deflt, $sa_kill_level_deflt)
    = (-1000.0, 6.31, 6.31);

# Spam level beyond which no DSN is sent, and the same for a likely
# credible From.
$sa_dsn_cutoff_level              = 10;
$sa_crediblefrom_dsn_cutoff_level = 18;

# Spam level beyond which quarantine is off (no effect without quarantine).
# $sa_quarantine_cutoff_level = 25;

# Pen-pals bonus; has no effect without a @storage_sql_dsn database.
$penpals_bonus_score = 8;
# Don't waste time on pen-pals lookups for high-scoring spam.
$penpals_threshold_high = $sa_kill_level_deflt;

# Score points added to joe-jobbed bounces.
$bounce_killer_score = 100;

# Skip SpamAssassin for bodies larger than this (bytes).
$sa_mail_body_size_limit = 400 * 1024;

# 0: network tests (DNSBL etc.) are allowed.
$sa_local_tests_only = 0;

$sa_spam_subject_tag = '***Spam*** ';

################################################################################
## BANNED POLICY
#
# Disable the check?  (commented out: checks stay enabled)
#@bypass_banned_checks_maps = (1);
# Quarantine?  No.
$banned_quarantine_to = undef;
# Notify the admin?  No.
$banned_admin = undef;
# Address extension on release.
@addr_extension_banned_maps = ('banned');
# Wrap the mail on release.
$defang_banned = 1;
# Transport the content?
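# NOTE(review): D_BOUNCE sends a non-delivery notice to the envelope sender,
# which for externally submitted banned content is usually forged; consider
# D_REJECT, as used for virus and spam above, if backscatter is a concern.
$final_banned_destiny = D_BOUNCE;

# Everything that the 'DEFAULT' rule below refers to.  This must be assigned
# BEFORE %banned_rules: the previous order evaluated 'DEFAULT' =>
# $banned_filename_re while the variable was still undef, which would leave
# the default banned rule without any pattern.
$banned_filename_re = new_RE(
    # banned file(1) types, rudimentary
    qr'^\.(exe-ms|dll)$',
    # allow any in Unix-type archives
    [ qr'^\.(rpm|cpio|tar)$' => 0 ],
    # banned extensions - rudimentary
    qr'.\.(pif|scr)$'i,
    # block these MIME types
    qr'^application/x-msdownload$'i,
    qr'^application/x-msdos-program$'i,
    qr'^application/hta$'i,
    # block certain double extensions in filenames
    qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
    # banned extension - basic+cmd
    qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
);

# Named rule sets grouping certain file types; the names can be used from a
# policy bank.
%banned_rules = (
    'NO-MS-EXEC' => new_RE( qr'^\.(exe-ms)$' ),
    'PASSALL'    => new_RE( [qr'^' => 0] ),
    'ALLOW_EXE'  => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
    'ALLOW_VBS'  => new_RE( [qr'.\.vbs$' => 0] ),
    'NO-VIDEO'   => new_RE(
        qr'^\.movie$',
        qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i,
    ),
    'NO-MOVIES'  => new_RE(
        qr'^\.movie$',
        qr'.\.(mpg|avi|mov)$'i,
    ),
    'MYNETS-DEFAULT' => new_RE(
        [ qr'^\.(rpm|cpio|tar)$' => 0 ],
        qr'.\.(vbs|pif|scr)$'i,
    ),
    'DEFAULT'    => $banned_filename_re,
);

################################################################################
## HEADER POLICY
#
# Disable the check?  (commented out: checks stay enabled)
# @bypass_header_checks_maps = (1);
# Quarantine?  No.
$bad_header_quarantine_method = undef;
# Address extension on release.
@addr_extension_bad_header_maps = ('badh');
# Wrap the mail on release for these header-defect sub-categories:
# NUL or CR character in header
$defang_by_ccat{CC_BADH.",3"} = 1;
# header line longer than 998 characters
$defang_by_ccat{CC_BADH.",5"} = 1;
# header field syntax error
$defang_by_ccat{CC_BADH.",6"} = 1;
# Transport the content?  Yes.
$final_bad_header_destiny = D_PASS;
# Notify the admin?  No.
$bad_header_admin = undef;
# Notify the sender?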
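$warnbadhsender = undef;
# Notify the recipient?  No.
$warnbadhrecip = undef;

################################################################################
## UNCHECKED POLICY
#
$undecipherable_subject_tag = '';

# Decoding limits, a guard against decompression bombs: nesting depth,
# number of files, and expansion quotas in bytes (default undef, not
# enforced).
$MAXLEVELS           = 14;
$MAXFILES            = 3000;
$MIN_EXPANSION_QUOTA = 100*1024;
$MAX_EXPANSION_QUOTA = 500*1024*1024;

################################################################################
## DKIM - Domain Keys Identified Mail
#
# Verify DKIM signatures?  No.
# NOTE(review): @author_to_policy_bank_maps above keys on DKIM-verified
# author domains; with verification disabled those WHITELIST mappings appear
# to never apply.  Confirm this is intended.
$enable_dkim_verification = 0;
# Create DKIM signatures?  No.
$enable_dkim_signing = 0;

# Private keys and selectors.
# NOTE(review): the commented path is under /var/spool/amavis while $MYHOME
# is /var/spool/amavisd; check before enabling.
#
#   signing domain  selector  private key                               options
#   --------------  --------  ----------------------------------------  -------
# dkim_key('nausch.org', '201411', '/var/spool/amavis/dkim/201411_nausch.org');

# DKIM signing policies.
@dkim_signature_options_bysender_maps = ( {
    '.' => { ttl => 21*24*3600, c => 'relaxed/simple' }
} );

# To query p0f-analyzer.pl:
# $os_fingerprint_method = 'p0f:*:2345';

## Hierarchy by which a final setting is chosen:
##   policy bank (based on port or IP address) -> *_by_ccat
##   *_by_ccat (based on mail contents)         -> *_maps
##   *_maps (based on recipient address)        -> final configuration value

################################################################################
## POLICY BANKS
#

## POLICY BANK MYNETS
# All hosts listed in @mynetworks.
$policy_bank{'MYNETS'} = {
    # Every mail from one of our hosts counts as originating.
    originating => 1,
    # No p0f queries for internal clients.
    os_fingerprint_method => undef,
    # Suppress only the UNCHECKED-ENCRYPTED admin notifications (use
    # CC_UNCHECKED alone to suppress all unchecked notifications).  The
    # previous form `$admin_maps_by_ccat{...} = undef;` was a statement
    # inside the hash constructor and a syntax error; a policy bank
    # overrides the %admin_maps_by_ccat hash via a hash reference.
    # NOTE(review): confirm against the amavisd docs that this hash-type
    # override behaves as expected here.
    admin_maps_by_ccat => { CC_UNCHECKED . ',1' => undef },
};

## POLICY BANK SUBMISSION
# Mail from our customers submitted on port 587 (submission) is treated as
# originating, i.e. as coming from us.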
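$policy_bank{'ORIGINATING'} = {
    # Only this host may submit on the socket mapped to this bank (port
    # 10024 per $interface_policy); everything else is refused.
    inet_acl => [qw( 10.0.0.87 )],
    # Mail arriving here is flagged as "ours" = originating.
    originating => 1,
    # Append a disclaimer to every mail, if any are available.
    allow_disclaimers => 1,
    # Notify the administrator of locally originating malware/spam.
    virus_admin_maps => ["virusalert\@$mydomain"],
    spam_admin_maps  => ["virusalert\@$mydomain"],
    warnbadhsender   => 1,
    # Suppress only the UNCHECKED-ENCRYPTED admin notifications (use
    # CC_UNCHECKED alone to suppress all unchecked notifications).  The
    # previous form `$admin_maps_by_ccat{...} = undef;` was a statement
    # inside the hash constructor and a syntax error.
    # NOTE(review): confirm against the amavisd docs that this hash-type
    # override behaves as expected here.
    admin_maps_by_ccat => { CC_UNCHECKED . ',1' => undef },
    # Force MTA conversion to 7-bit (e.g. before DKIM signing).
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    # Spam checks stay ENABLED for originating mail ([0] = do not bypass).
    bypass_spam_checks_maps => [0],
    # Banned-file checks are bypassed, so local senders may send any file
    # name and type.
    bypass_banned_checks_maps => [1],
    # Don't remove the NOTIFY=SUCCESS option.
    terminate_dsn_on_notify_success => 0,
    # Hand notifications and checked mail back to the MTA on 10.0.0.87.
    # The sample's `forward_method => 'smtp:[127.0.0.1]:10027'` (DKIM
    # signing service) was also present as a duplicate key; the later entry
    # below won silently, and DKIM signing is disabled above, so the dead
    # duplicate is dropped.
    notify_method  => 'smtp:[10.0.0.87]:10025',
    forward_method => 'smtp:[10.0.0.87]:10025',
    # Originating mail carrying a virus is bounced to its (local) sender.
    # This must be the D_BOUNCE constant, as used elsewhere in this file;
    # the quoted string 'D_BOUNCE' is not a valid destiny value.
    final_virus_destiny => D_BOUNCE,
};

# Where the milter connects.
$policy_bank{'AM.PDP-SOCK'} = {
    protocol => 'AM.PDP',
    auth_required_release => 0,
};

# Where releases would be requested.  Releases need no secret; this is
# acceptable only because inet_acl limits the socket to 127.0.0.1 and no
# quarantine is configured ($QUARANTINEDIR is undef).
$policy_bank{'AM.PDP-INET'} = {
    protocol => 'AM.PDP',
    inet_acl => [qw( 127.0.0.1 )],
    auth_required_release => 0,
};

## POLICY BANK: WHITELIST
$policy_bank{'WHITELIST'} = {
    bypass_spam_checks_maps => [1],
    spam_lovers_maps        => [1],
};

## POLICY BANK: NOVIRUSCHECK
$policy_bank{'NOVIRUSCHECK'} = {
    bypass_decode_parts      => 1,
    bypass_virus_checks_maps => [1],
    virus_lovers_maps        => [1],
};

## POLICY BANK: NOBANNEDCHECK
$policy_bank{'NOBANNEDCHECK'} = {
    bypass_banned_checks_maps => [1],
    banned_files_lovers_maps  => [1],
};

1;  # ensure a defined return value

# vim: set ft=perl sw=4: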