Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:mail_c7:spam_6 [02.12.2014 14:16. ] – [GTUBE auf Port 587 (MUA zu MSA Verkehr)] django
+++ centos:mail_c7:spam_6 [22.07.2019 15:02. ] (aktuell) – Externe Bearbeitung 127.0.0.1
@@ Zeile 1: / Zeile 1: @@
-<WRAP center round important 60%>
-Artikel befindet sich noch in Bearbeitung - noch nicht vollständig!
-</WRAP>
 ====== Grundinstallation von AMaViS unter CentOS 7.x ======
 {{:centos:mail_c6:amavis-2.png?nolink&200 |AMaViS Logo}}
-<WRAP round important>Empfehlenswert ist bei tiefergehenden Fragen und komplexeren Aufgabenstellungen der Besuch eines AMaViS-Kurses z.B. bei der [[https://sys4.de/de/messaging/|sys4]].
+<WRAP round important>Empfehlenswert ist bei tiefergehenden Fragen und komplexeren Aufgabenstellungen der Besuch eines AMaViS-Kurses z.B. bei der **[[https://sys4.de/de/messaging/|sys4]]**.
 Viele der Design und Konfigurationsvorschläge stammen aus einem Idividualtraining beim **"Mailserver-Joda" //[[p@sys4.de?subject=Anfrage Mailserver-Schulung|Patrick Ben Koetter]]//** bei der **[[https://sys4.de/de/messaging/|sys4]]**.
@@ Zeile 30: / Zeile 26: @@
 ===== Installation =====
 ==== amavisd-milter ====
-Da wir für den "normalen SMTP-Traffic", als dem Verkehr von anderen SMTP-Server((**MTA**s **M**ail **T**ransport **A**gents)), AMaViS als Milter in unseren Postfix-Mailserver integrieren wollen, installieren wir nun noch das zugehörige Paket **amavisd-milter**
+Da wir für den "normalen SMTP-Traffic", als dem Verkehr von anderen SMTP-Server((**MTA** **M**ail **T**ransport **A**gent)), AMaViS als Milter in unseren Postfix-Mailserver integrieren wollen, installieren wir nun noch das zugehörige Paket **amavisd-milter**
    # yum install amavisd-milter -y
@@ Zeile 214: / Zeile 210: @@
 # Django : 2014-11-18
 # default: SOCKET=/var/run/amavisd/amavisd-milter.sock
-SOCKET=inet:10013@10.0.0.67
+SOCKET=inet:8899@10.0.0.67
 #         Communication socket between amavisd-milter and amavisd-new
@@ Zeile 1081: / Zeile 1077: @@
 </file>
-Viele Parameter sind etwas arg verstreut in der Datei, so dass man oft nicht auf den ersten Blick deren Abhängigkeit erkennt. Wir werden daher, ähnlich auch schon wie bei der Konfiguration unseres **MTA**((**M**ail **T**ransport **A**gent)) [[centos:mail_c7:mta_4#postfix_from_the_scratch|Postfix]], die originalversion bei Seite legen und uns unsere eigene strukturierte AMaViS-Konfigurationsdatei aufsetzen.
+Viele Parameter sind etwas arg verstreut in der Datei, so dass man oft nicht auf den ersten Blick deren Abhängigkeit erkennt. Wir werden daher, ähnlich auch schon wie bei der Konfiguration unseres **MTA**((**M**ail **T**ransport **A**gent)) [[centos:mail_c7:mta_4#postfix_from_the_scratch|Postfix]], die Originalversion bei Seite legen und uns unsere eigene strukturierte AMaViS-Konfigurationsdatei aufsetzen.
 Wir benennen also als erstes einmal, die original mitgelieferte Konfigurationsdate des AMaViS-Daemon um.
@@ Zeile 2087: / Zeile 2083: @@
 $lock_file = "/var/run/amavisd/amavisd.lock";
 $pid_file  = "/var/run/amavisd/amavisd.pid";
+# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
+@score_sender_maps = ({ # a by-recipient hash lookup table,
+                        # results from all matching recipient tables are summed
+# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
+# 'user1@example.com'  => [{'bla-mobile.press@example.com'             => 10.0}],
+# 'user3@example.com'  => [{'.ebay.com'                                => -3.0}],
+# 'user4@example.com'  => [{'cleargreen@cleargreen.com'                => -7.0,
+#                           '.cleargreen.com'                          => -5.0}],
+  ## site-wide opinions about senders (the '.' matches any recipient)
+  '.' => [  # the _first_ matching sender determines the score boost
+   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
+    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i           => 5.0],
+    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i  => 5.0],
+    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i  => 5.0],
+    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i     => 5.0],
+    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i    => 5.0],
+    [qr'^(your_friend|greatoffers)@'i                                  => 5.0],
+    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                      => 5.0],
+   ),
+#  read_hash("/var/amavis/sender_scores_sitewide"),
+   { # a hash-type lookup table (associative array)
+     'nobody@cert.org'                                                 => -3.0,
+     'cert-advisory@us-cert.gov'                                       => -3.0,
+     'owner-alert@iss.net'                                             => -3.0,
+     'slashdot@slashdot.org'                                           => -3.0,
+     'securityfocus.com'                                               => -3.0,
+     'ntbugtraq@listserv.ntbugtraq.com'                                => -3.0,
+     'security-alerts@linuxsecurity.com'                               => -3.0,
+     'mailman-announce-admin@python.org'                               => -3.0,
+     'amavis-user-admin@lists.sourceforge.net'                         => -3.0,
+     'amavis-user-bounces@lists.sourceforge.net'                       => -3.0,
+     'spamassassin.apache.org'                                         => -3.0,
+     'notification-return@lists.sophos.com'                            => -3.0,
+     'owner-postfix-users@postfix.org'                                 => -3.0,
+     'owner-postfix-announce@postfix.org'                              => -3.0,
+     'owner-sendmail-announce@lists.sendmail.org'                      => -3.0,
+     'sendmail-announce-request@lists.sendmail.org'                    => -3.0,
+     'donotreply@sendmail.org'                                         => -3.0,
+     'ca+envelope@sendmail.org'                                        => -3.0,
+     'noreply@freshmeat.net'                                           => -3.0,
+     'owner-technews@postel.acm.org'                                   => -3.0,
+     'ietf-123-owner@loki.ietf.org'                                    => -3.0,
+     'cvs-commits-list-admin@gnome.org'                                => -3.0,
+     'rt-users-admin@lists.fsck.com'                                   => -3.0,
+     'clp-request@comp.nus.edu.sg'                                     => -3.0,
+     'surveys-errors@lists.nua.ie'                                     => -3.0,
+     'emailnews@genomeweb.com'                                         => -5.0,
+     'yahoo-dev-null@yahoo-inc.com'                                    => -3.0,
+     'returns.groups.yahoo.com'                                        => -3.0,
+     'clusternews@linuxnetworx.com'                                    => -3.0,
+     lc('lvs-users-admin@LinuxVirtualServer.org')                      => -3.0,
+     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM')                   => -5.0,
+     # soft-blacklisting (positive score)
+     'sender@example.net'                                              =>  3.0,
+     '.example.net'                                                    =>  1.0,
+   },
+  ],  # end of site-wide tables
+});
 # Utilities mit denen amavis Archive auspackt
@@ Zeile 2264: / Zeile 2326: @@
 .0.0.0/24
 .0.10.0/26
-)</code>
+)
@@ Zeile 2525: / Zeile 2587: @@
     originating => 1,
     # Keine pof Abfragen für interne Clients durchführen.
     os_fingerprint_method => undef,
+    # keinerlei unchecked-Meldungen verschicken
+    #$admin_maps_by_ccat{+CC_UNCHECKED} =  undef,
+    # "nur" keine UNCHECKED-ENCRYPTED Notifications verschicken
+    $admin_maps_by_ccat{+CC_UNCHECKED.',1'} = undef;
 };
@@ Zeile 2541: / Zeile 2607: @@
     virus_admin_maps => ["virusalert\@$mydomain"],
     spam_admin_maps  => ["virusalert\@$mydomain"],
     warnbadhsender   => 1,
+    # keinerlei unchecked-Meldungen verschicken
+    #$admin_maps_by_ccat{+CC_UNCHECKED} =  undef,
+    # "nur" keine UNCHECKED-ENCRYPTED Notifications verschicken
+    $admin_maps_by_ccat{+CC_UNCHECKED.',1'} = undef;
     # forward to a smtpd service providing DKIM signing service
     forward_method => 'smtp:[127.0.0.1]:10027',
@@ Zeile 2601: / Zeile 2671: @@
 ==== Postfix ====
-Die Anbinung des AMaViS-Servers an unseren Postfix-MTA nehmen wir nun im folgendem Konfigurationsschritt vor. Dabei unterscheiden wir die unterschiedlichen Verkehrsrichtungen bei unserem **MHS**((**M**ail **H**andling **S**ystem)):
+Die Anbindung des AMaViS-Servers an unseren Postfix-MTA nehmen wir nun im folgendem Konfigurationsschritt vor. Dabei unterscheiden wir die unterschiedlichen Verkehrsrichtungen bei unserem **MHS**((**M**ail **H**andling **S**ystem)):
-  * **MTA**((**M**ail **T**ransport **A**gent))-Traffic : Hier bewerten und prüfen wir die Nachricht noch während der Annahme der Nachricht. Daher nutzen wir hier unseren [[centos:mail_c7:spam_6#amavisd-milter|amavisd-milter]] für die Anbindung des MTAs an das **AS/AV**((**A**nti **S**pam/**A**nti **V**irus))-System vor. Den zur Anbindung genutzten Milter, sprechen wir über den über TCP-Port **10013** an. Dazu definieren wir uns eine eigene Variable **amavisd_milter** für unseren Milter. Dieser Variable weisen wir in der Section **MILTER** den Wert //inet:10.0.0.67:10010// zu. \\ \\ <code> # vim /etc/postfix/main.cf</code><code bash>...
+  * **MTA**((**M**ail **T**ransport **A**gent))-Traffic : Hier bewerten und prüfen wir die Nachricht noch während der Annahme der Nachricht. Daher nutzen wir hier unseren [[centos:mail_c7:spam_6#amavisd-milter|amavisd-milter]] für die Anbindung des MTAs an das **AS/AV**((**A**nti **S**pam/**A**nti **V**irus))-System vor. Den zur Anbindung genutzten Milter, sprechen wir über den über TCP-Port **8899** an. Dazu definieren wir uns eine eigene Variable **amavisd_milter** für unseren Milter. Dieser Variable weisen wir in der Section **MILTER** den Wert //inet:10.0.0.67:8899// zu. \\ \\ <code> # vim /etc/postfix/main.cf</code><code bash>...
 ################################################################################
@@ Zeile 2608: / Zeile 2678: @@
 # Django : 2014-11-18
 # DMARC Test
-amavisd_milter   = inet:10.0.0.67:10010
+amavisd_milter   = inet:10.0.0.67:8899
 ...
@@ Zeile 2653: / Zeile 2723: @@
 Als erstes gestatten wir den Verkehr vom SMTP-Daemon zum AMaViS-Milter.
-   # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.0.0.87/32" port protocol="tcp" port="10013" destination address="10.0.0.67/32" accept"
+   # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.0.0.87/32" port protocol="tcp" port="8899" destination address="10.0.0.67/32" accept"
    success
@@ Zeile 2670: / Zeile 2740: @@
 <code>Chain IN_public_allow (1 references)
  pkts bytes target     prot opt in     out     source               destination
-     0 ACCEPT     tcp  --  *      *       10.0.0.87            10.0.0.67            tcp dpt:10013 ctstate NEW
+     0 ACCEPT     tcp  --  *      *       10.0.0.87            10.0.0.67            tcp dpt:8899 ctstate NEW
      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
 </code>
@@ Zeile 2720: / Zeile 2790: @@
  Main PID: 15166 (amavisd-milter)
    CGroup: /system.slice/amavisd-milter.service
-           └─15166 /usr/sbin/amavisd-milter -B -w /var/spool/amavisd/tmp -s inet:10010@10.0.0.67 -S /var/spool/amavisd/amavisd.sock -p /var/run/amavisd/amavisd-milter.pid -m 2 -M 300 -t 600 -T 600
+           └─15166 /usr/sbin/amavisd-milter -B -w /var/spool/amavisd/tmp -s inet:8899@10.0.0.67 -S /var/spool/amavisd/amavisd.sock -p /var/run/amavisd/amavisd-milter.pid -m 2 -M 300 -t 600 -T 600
 Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: Starting amavisd-milter is a milter (mailfilter) for amavisd-new which uses the AM.PDP protocol....
 Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: PID file /var/run/amavisd/amavisd-milter.pid not readable (yet?) after start.
-Dec 02 09:38:09 vml000067.dmz.nausch.org amavisd-milter[15166]: starting amavisd-milter 1.6.0 on socket inet:10010@10.0.0.67
+Dec 02 09:38:09 vml000067.dmz.nausch.org amavisd-milter[15166]: starting amavisd-milter 1.6.0 on socket inet:8899@10.0.0.67
 Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: Started amavisd-milter is a milter (mailfilter) for amavisd-new which uses the AM.PDP protocol..</code>
 Mit **lsof** können wir auch den geöfneten Port überprüfen.
-   # lsof -i :10010
+   # lsof -i :8899
    COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
-   amavisd-m 15166 amavis    3u  IPv4 158740      0t0  TCP vml000067.dmz.nausch.org:10010 (LISTEN)
+   amavisd-m 15166 amavis    3u  IPv4 158740      0t0  TCP vml000067.dmz.nausch.org:8899 (LISTEN)
@@ Zeile 2972: / Zeile 3042: @@
 === SMTP-Client (swaks) ===
 Wir verschicken nun als erstes mit Hilfe von [[http://www.jetmore.org/john/code/swaks/|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) von John Jetmore eine Nachricht an einen unserer eigenen Empfänger.
-   $ # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header "Subject: erste HAM-Testnachricht auf Port 25"
+   $ swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header "Subject: erste HAM-Testnachricht auf Port 25"
 <code>=== Trying 10.0.0.87:25...
@@ Zeile 3146: / Zeile 3216: @@
 === SMTP-Client (swaks) ===
-Auch hier verschicken wir nun mit Hilfe von [[http://www.jetmore.org/john/code/swaks/|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) von John Jetmore eine Nachricht an einen unserer eigenen Empfänger. Hierzu nutzen wir die Anmeldedaten eines unserer testkonten und liefern die NAchricht auf dem Port **587** ein.
+Auch hier verschicken wir nun mit Hilfe von [[http://www.jetmore.org/john/code/swaks/|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) von John Jetmore eine Nachricht an einen unserer eigenen Empfänger. Hierzu nutzen wir die Anmeldedaten eines unserer Testkonten und liefern die Nachricht auf dem Port **587** ein.
    $ # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header "Subject: zweite HAM-Testnachricht auf Port 587" --auth NTLM --auth-user n3rd@sec-mail.guru --auth-password Dj4n90-d3r-M41153rv3rguru!
@@ Zeile 3293: / Zeile 3363: @@
 === MUA (Empfänger) ===
-Der Empfänger findet nun im Mail-Postfach unsere Testnachricht. Im Gegensatz zum vorangegangenen Testlauf mit Einlieferung auf Port **25**, sehen wir hier im Mailheader den "Schleifendurchlauf" beim Host //viruswall.dmz.nausch.org// nach Annahme der NAchricht durch den **MSA**((**M**ail **S**ubmission **A**gent)).
+Der Empfänger findet nun im Mail-Postfach unsere Testnachricht. Im Gegensatz zum vorangegangenen Testlauf mit Einlieferung auf Port **25**, sehen wir hier im Mailheader den "Schleifendurchlauf" beim Host //viruswall.dmz.nausch.org// nach Annahme der Nachricht durch den **MSA**((**M**ail **S**ubmission **A**gent)).
 <code>Return-Path: <n3rd@sec-mail.guru>
@@ Zeile 3455: / Zeile 3525: @@
 </code>
-Wie wir sehen lönnen hat der SMTP-Server die Annahme der Nachricht mit dem Fehlercode **554 5.7.0 Reject, id=15388-01 - spam.** verweigert. Zu dieser Fehlermeldung erhält der einliefernde SMTP-Client noch Informationen wie er sichh ggf mit uns in Verbindung setzen kann.
+Wie wir sehen können hat der SMTP-Server die Annahme der Nachricht mit dem Fehlercode **554 5.7.0 Reject, id=15388-01 - spam.** verweigert. Zu dieser Fehlermeldung erhält der einliefernde SMTP-Client noch Informationen wie er sichh ggf mit uns in Verbindung setzen kann.
 === SMTP-Server ===
@@ Zeile 3524: / Zeile 3594: @@
 </code>
 ==== GTUBE auf Port 587 (MUA zu MSA Verkehr) ====
-Als nächstes überprüfen wir, ob wir die GTUBE-Testmail als authetifizierten User von einem **MUA**((**M**ail **U**ser **A**gent)) beim **MSA**((**M**ail **S**ubmission **A**gent)) erfolgreich einliefern können.
+Als nächstes überprüfen wir, ob wir die GTUBE-Testmail als authentifizierten User von einem **MUA**((**M**ail **U**ser **A**gent)) beim **MSA**((**M**ail **S**ubmission **A**gent)) erfolgreich einliefern können.
 === SMTP-Client (swaks) ===
-Als nächstes versuchen wir eine SPAM-Mail mit Hilfe von [[http://www.jetmore.org/john/code/swaks/|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) an einen unserer eigenen Empfänger zu verschicken.
+Das bereits heruntergeladene GTUBE-Testmail versuchen wir nun mit mit Hilfe von [[http://www.jetmore.org/john/code/swaks/|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) an einen unserer eigenen Empfänger zu verschicken.
-FIXME FIXME
+   # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header "Subject: vierte Testnachricht SPAM auf Port 587" --auth NTLM --auth-user n3rd@sec-mail.guru --auth-password Dj4n90-d3r-M41153rv3rguru! --body gtube.txt
-Diese Nachricht versuchen wir nun loszuschicken:
-   # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header "Subject: dritte GTUBE-Testnachricht auf Port 25" --body gtube.txt
+<code>=== Trying 10.0.0.87:587...
-<code>=== Trying 10.0.0.87:25...
+=== Connected to 10.0.0.87.
-=== Connected to 10.0.0.87.
+<-  220 mx01.nausch.org ESMTP Postfix
-<-  220 mx01.nausch.org ESMTP Postfix
+ -> EHLO vml000087.dmz.nausch.org
- -> EHLO vml000087.dmz.nausch.org
+<-  250-mx01.nausch.org
-<-  250-mx01.nausch.org
+<-  250-PIPELINING
-<-  250-PIPELINING
+<-  250-SIZE 52428800
-<-  250-SIZE 52428800
+<-  250-ETRN
-<-  250-ETRN
+<-  250-STARTTLS
-<-  250-STARTTLS
+<-  250-ENHANCEDSTATUSCODES
-<-  250-ENHANCEDSTATUSCODES
+<-  250-8BITMIME
-<-  250-8BITMIME
+<-  250 DSN
-<-  250 DSN
+ -> STARTTLS
- -> STARTTLS
+<-  220 2.0.0 Ready to start TLS
-<-  220 2.0.0 Ready to start TLS
 === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
 === TLS no local certificate set
 === TLS peer DN="/serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/OU=GT49447951/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.nausch.org"
  ~> EHLO vml000087.dmz.nausch.org
 <~  250-mx01.nausch.org
 <~  250-PIPELINING
 <~  250-SIZE 52428800
 <~  250-ETRN
-<~  250-ENHANCEDSTATUSCODES
+<~  250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
-<~  250-8BITMIME
+<~  250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
-<~  250 DSN
+<~  250-ENHANCEDSTATUSCODES
- ~> MAIL FROM:<n3rd@sec-mail.guru>
+<~  250-8BITMIME
-<~  250 2.1.0 Ok
+<~  250 DSN
- ~> RCPT TO:<django@nausch.org>
+ ~> AUTH NTLM
-<~  250 2.1.5 Ok
+<~  334
- ~> DATA
+ ~> TlRUMTVNTUAABAAAABU6IAAAAAAAAAAAAAAAAAAAAAAAA=
-<~  354 End data with <CR><LF>.<CR><LF>
+<~  334 UTlRMTVNTUAADUAAAAGAAYAEAAAAAYABUgAWAAAADAAMABwAAAAJAAkAKAAAAAkACQAxAAAAAAAAACoAAAABUQKCABKUTbcHiUVToxqvguZXpp6jgnmGYJ9jDa0UoXqDbxiyz+V1xFp8hFH2sd3yaZl/qjY3YAbQBsADUAAMAAwADAANwA3AC4AZABtAHoALUgBuAGEAdQBzAGMUAaAAuAG8AcgBnAG4AMwByAGQAQABzAGUAYwAtAG0AYQBpAGwALgBnAHUAcgB1AG4AMwByAGQAQABzAGUAYwAtAG0UAYQBpAGwALgBnAHUAcgB1AA==
- ~> Date: Tue, 02 Dec 2014 12:10:34 +0100
+<~  235 2.7.0 Authentication successful
- ~> To: django@nausch.org
+ ~> MAIL FROM:<n3rd@sec-mail.guru>
- ~> From: n3rd@sec-mail.guru
+<~  250 2.1.0 Ok
- ~> Subject: dritte GTUBE-Testnachricht auf Port 25
+ ~> RCPT TO:<django@nausch.org>
- ~> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
+<~  250 2.1.5 Ok
- ~> X-Test: test eMail
+ ~> DATA
- ~>
+<~  354 End data with <CR><LF>.<CR><LF>
- ~> Subject: Test spam mail (GTUBE)
+ ~> Date: Tue, 02 Dec 2014 15:27:15 +0100
- ~> Message-ID: <GTUBE1.1010101@example.net>
+ ~> To: django@nausch.org
- ~> Date: Wed, 23 Jul 2003 23:30:00 +0200
+ ~> From: n3rd@sec-mail.guru
- ~> From: Sender <sender@example.net>
+ ~> Subject: vierte Testnachricht SPAM auf Port 587
- ~> To: Recipient <recipient@example.net>
+ ~> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
- ~> Precedence: junk
+ ~> X-Test: test eMail
- ~> MIME-Version: 1.0
+ ~>
- ~> Content-Type: text/plain; charset=us-ascii
+ ~> Subject: Test spam mail (GTUBE)
- ~> Content-Transfer-Encoding: 7bit
+ ~> Message-ID: <GTUBE1.1010101@example.net>
- ~>
+ ~> Date: Wed, 23 Jul 2003 23:30:00 +0200
- ~> This is the GTUBE, the
+ ~> From: Sender <sender@example.net>
- ~>     Generic
+ ~> To: Recipient <recipient@example.net>
- ~>     Test for
+ ~> Precedence: junk
- ~>     Unsolicited
+ ~> MIME-Version: 1.0
+ ~> Content-Type: text/plain; charset=us-ascii
+ ~> Content-Transfer-Encoding: 7bit
+ ~>
+ ~> This is the GTUBE, the
+ ~>     Generic
+ ~>     Test for
+ ~>     Unsolicited
  ~>     Bulk
  ~>     Email
  ~>
  ~> If your spam filter supports it, the GTUBE provides a test by which you
  ~> can verify that the filter is installed correctly and is detecting incoming
  ~> spam. You can send yourself a test mail containing the following string of
  ~> characters (in upper case and with no white spaces and line breaks):
  ~>
  ~> XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
  ~>
  ~> You should send this test mail from an account outside of your network.
  ~>
  ~>
  ~>
  ~> .
-<~* 554 5.7.0 Reject, id=15388-01 - spam. Contact your postmaster/admin for technical assistance. He can achieve our postmaster via email: postmaster@nausch.org or via fax: +49 8121 883179. In any case, please provide the following information in your problem report: This error message, time (Dec 02 12:10:36), client (10.0.0.87) and server (mx01.nausch.org).
+<~  250 2.0.0 Ok: queued as E5401C00088
  ~> QUIT
 <~  221 2.0.0 Bye
+=== Connection closed with remote host.
 </code>
-Wie wir sehen lönnen hat der SMTP-Server die Annahme der Nachricht mit dem Fehlercode **554 5.7.0 Reject, id=15388-01 - spam.** verweigert. Zu dieser Fehlermeldung erhält der einliefernde SMTP-Client noch Informationen wie er sichh ggf mit uns in Verbindung setzen kann.
+Die Nachricht wird dem authentifizierten User abgenommen und mit einem **250**er bestätigt. Heißt das nun, dass unsere Konfiguration fehlerhaft ist, oder der Contentscanner nicht richtig funktioniert? **Nein, ganz und gar nicht!** Wir haben bei der Konfiguration explizit angegeben, dass wir Nachrichten von authentifizierten Nutzern sofort anzunehmen und erst im zweiten Schritt scannen wollen und genau das macht unser AMaViS-Server auch.
-=== SMTP-Server ===
+Den genauen Ablauf dazu, sehen wir uns nun im Detail an.
+=== SMTP-Server (Teil 1 von 3) ===
+Im **Maillog** unseres Borderfilters sehen wir nun zu unserem gerade durchgeführten Versuch mehrere zusammenhängende Logeinträge.
    # less /var/log/maillog
-<code>Nov 18 14:56:11 vml000087 postfix/smtpd[8185]: connect from vml000060.dmz.nausch.org[10.0.0.60]
-Nov 18 14:56:33 vml000087 postfix/smtpd[8185]: 49D10C00088: client=vml000060.dmz.nausch.org[10.0.0.60]
+Zunächst sehen wir den TLS-Verbindungsaufbau, gefolgt von der erfolgreichen Authentifizierung unseres Users und die Entgegennahme der eMail vom MSA((**M**ail **S**ubmission **A**gent)).
-Nov 18 14:56:47 vml000087 postfix/cleanup[8192]: 49D10C00088: message-id=<>
+<code>Dec  2 15:27:15 vml000087 postfix/submission/smtpd[27678]: connect from vml000087.dmz.nausch.org[10.0.0.87]
-Nov 18 14:56:47 vml000087 postfix/cleanup[8192]: 49D10C00088: milter-reject: END-OF-MESSAGE from vml000060.dmz.nausch.org[10.0.0.60]: 5.7.0 Reject, id=10587-01 - spam; from=<> to=<michael@nausch.org> proto=SMTP helo=<vml00060.dmz.nausch.org>
+Dec  2 15:27:15 vml000087 postfix/submission/smtpd[27678]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
-Nov 18 14:56:53 vml000087 postfix/smtpd[8185]: disconnect from vml000060.dmz.nausch.org[10.0.0.60]
+Dec  2 15:27:15 vml000087 postfix/submission/smtpd[27678]: E5401C00088: client=vml000087.dmz.nausch.org[10.0.0.87], sasl_method=NTLM, sasl_username=n3rd@sec-mail.guru
+Dec  2 15:27:15 vml000087 postfix/cleanup[27683]: E5401C00088: message-id=<20141202142715.E5401C00088@mx01.nausch.org>
+Dec  2 15:27:15 vml000087 postfix/qmgr[27247]: E5401C00088: from=<n3rd@sec-mail.guru>, size=1417, nrcpt=1 (queue active)
+Dec  2 15:27:15 vml000087 postfix/submission/smtpd[27678]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]
 </code>
-=== ASAV-Server ===
+=== ASAV-Host ===
+Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.
    # less /var/log/maillog
-<code>Nov 18 14:56:47 vml000067 amavis[10587]: loaded policy bank "AM.PDP-SOCK"
-Nov 18 14:56:47 vml000067 amavis[10587]: process_request: fileno sock=13, STDIN=0, STDOUT=1
+<code>Dec  2 15:27:16 vml000067 amavis[15668]: loaded policy bank "ORIGINATING"
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: request=AM.PDP
+Dec  2 15:27:16 vml000067 amavis[15668]: process_request: fileno sock=13, STDIN=0, STDOUT=1
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: queue_id=49D10C00088
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) ESMTP:[10.0.0.67]:10024 /var/spool/amavisd/tmp/amavis-20141202T152716-15668-4MUitFJK: <n3rd@sec-mail.guru> -> <django@nausch.
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: sender=<>
+org> Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new, port 10024) with ESMTP for <django@nausch.org>
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: recipient=<michael@nausch.org>
+; Tue,  2 Dec 2014 15:27:16 +0100 (CET)
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: tempdir=/var/spool/amavisd/afXXXXWhmmIZ
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) body hash: 4c7abc06887b1723a5b47a0f9562fd5c
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: tempdir_removed_by=client
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) ip_trace: 10.0.0.87
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: mail_file=/var/spool/amavisd/afXXXXWhmmIZ/email.txt
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) client IP address unknown, fetched from Received: 10.0.0.87
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: delivery_care_of=client
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) Checking: o1aYnuSaPRGv ORIGINATING [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: client_address=10.0.0.60
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) 2822.From: <n3rd@sec-mail.guru>
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: client_name=vml000060.dmz.nausch.org
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) p001 1 Content-Type: text/plain, size: 801 B, name:
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: helo_name=vml00060.dmz.nausch.org
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) inspect_dsn: not a bounce
-Nov 18 14:56:47 vml000067 amavis[10587]: policy protocol: policy_bank=mx01.nausch.org
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) Checking for banned types and filenames
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) Request: AM.PDP  /var/spool/amavisd/afXXXXWhmmIZ: <> -> <michael@nausch.org>
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) skipping banned check: all recipients bypass banned checks
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) loaded policy bank "MYNETS" over "AM.PDP-SOCK"
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) presenting full original message to scanners as /var/spool/amavisd/tmp/amavis-20141202T152716-15668-4MUitFJK/parts/p002
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) body hash: bb71e830f7582e0640cc78f70abd2bcf
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/tmp/amavis-20141202T152716-15668-4MUitFJK/parts\n
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) ip_trace: 10.0.0.60
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) ClamAV-clamd: Connecting to socket  /var/run/clamd.amavisd/clamd.sock
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) Checking: E1Jt0ckpTa0l AM.PDP-SOCK/MYNETS [10.0.0.60] <> -> <michael@nausch.org>
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) 2822.From: 0:[], 2821.Mail_From: <>
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/amavis-20141202T152716-15668-4MUitFJK/parts\n to socket /var/run/clamd.
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) p001 1 Content-Type: text/plain, size: 725 B, name:
+amavisd/clamd.sock
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) inspect_dsn: possibly a bounce, unrecognizable, struct: "?", parts(-/1): text/plain
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) rw_loop read: got eof
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) check_header: 7, Missing required header field: "Date"
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) run_av (ClamAV-clamd): CLEAN
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) check_header: 7, Missing required header field: "From"
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) run_av (ClamAV-clamd) result: clean
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) Checking for banned types and filenames
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as STRING, recips_ind [0], user: "amavis"
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) skipping banned check: all recipients bypass banned checks
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) spam_scan: score=1000.8 autolearn=no tests=[ALL_TRUSTED=-1,DKIM_ADSP_DISCARD=1.8,GTUBE=1000] recips=0
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) presenting full original message to scanners as /var/spool/amavisd/afXXXXWhmmIZ/parts/p002
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) spam_scan: dsn_suppress_reason DKIM_ADSP_DISCARD
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/afXXXXWhmmIZ/parts\n
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) blocking contents category is (6) for django@nausch.org, final_destiny -3</code>
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) ClamAV-clamd: Connecting to socket  /var/run/clamd.amavisd/clamd.sock
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10
+Der SPAM-Wert von **1000.8** liegt doch "etwas über" unserem definierten Wert von **6.31**, die Nachricht wird also nicht zugestellt!
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/afXXXXWhmmIZ/parts\n to socket /var/run/clamd.amavisd/clamd.sock
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) rw_loop read: got eof
+<WRAP center round important>
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) run_av (ClamAV-clamd): CLEAN
+Gemäß unserer Konfiguration erhält der der Empfänger **virusalert@nausch.org** eine Nachricht von **postmaster@nausch.org** mit dem Details zu der SPAM-Mail. Der Postmaster kann so reagieren und mit dem authentifizierten Mailbox-Nutzer Kontalt aufnehmen und diesen ggf. darauf hinweisen, dass unter Umständen sein Rechner von einem Zombie gekapert wurde und dieser munter SPAM-Mails verschicken will. Ein weitere Ursache könnte auch ein durch eine **[[http://de.wikipedia.org/wiki/Brute-Force-Methode|Brute-Force-Methode]]** geknacktem Mailkonto, da dort z.B. irgend ein __Trivialpasswort__ verwendet wurde, was leider durchweg des öfteren vorkommt.
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) run_av (ClamAV-clamd) result: clean
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as STRING, recips_ind [0], user: "amavis"
+So kann der Postmaster tätig werden und weiteren Schaden vom Mailserver abwenden, bevor der eigene Server auf einer **Blacklist** landet und so dann gar keine Nachricht mehr verschickt werden könnte.
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) spam_scan: score=1006.51 autolearn=no tests=[ALL_TRUSTED=-1,DSN_NO_MIMEVERSION=2,GTUBE=1000,MISSING_DATE=1.396,MISSING_FROM=1,MISSING_HEADERS=1.207,MISSING_MID=0.14,MISSING_SUBJECT=1.767] recips=0
+</WRAP>
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) bounce unverifiable, originating, <> -> <michael@nausch.org>
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) blocking contents category is (6) for michael@nausch.org, final_destiny -3
+Im Maillog des AMaViS-Servers sehen wir nun, dass der Daemon die entsprechende Nachricht an den definierten Bearbeiter verschicken wird.
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) do_notify_and_quar: ccat=Spam (6,0) ("6":Spam, "5":Spammy, "4,7":BadHdrMissing, "4":BadHdr, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(6), qar_mth=
+   # less /var/log/maillog
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) delivery method is 1, recips: michael@nausch.org
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) status counters: InMsgsStatus{Rejected,RejectedInternal,RejectedOriginating}
+<code>Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) do_notify_and_quar: ccat=Spam (6,0) ("6":Spam, "5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(6), qar_mth=
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) Blocked SPAM {RejectedInternal}, AM.PDP-SOCK/MYNETS LOCAL [10.0.0.60] <> -> <michael@nausch.org>, Queue-ID: 49D10C00088, mail_id: E1Jt0ckpTa0l, Hits: 1006.51, size: 929, 439 ms
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) dkim: candidate originators: From:<postmaster@nausch.org>
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) TIMING-SA total 364 ms - parse: 0.89 (0.2%), extract_message_metadata: 4 (1.2%), get_uri_detail_list: 1.36 (0.4%), tests_pri_-1000: 3 (0.7%), tests_pri_-950: 1.83 (0.5%), tests_pri_-900: 1.28 (0.4%), tests_pri_-400: 1.04 (0.3%), tests_pri_0: 333 (91.5%), check_spf: 0.29 (0.1%), check_razor2: 254 (69.7%), check_pyzor: 0.22 (0.1%), tests_pri_500: 5 (1.3%), get_report: 1.53 (0.4%)
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) dkim: signing (author), From: <postmaster@nausch.org> (From:<postmaster@nausch.org>), KEY.h=>sha256, KEY.key_ind=>1, a=>rsa-sha256, c=>relaxed/simple, d=>nausch.org, s=>140224, ttl=>1814400, x=>1419344837
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) mail checking ended: version_server=2\nlog_id=10587-01\nsetreply=554 5.7.0 Reject,%20id=10587-01%20-%20spam\nreturn_value=reject\nexit_code=69
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp session: setting up a new session
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) size: 929, TIMING [total 442 ms] - got data: 0.0 (0%)0, check_init: 5 (1%)1, digest_hdr: 0.8 (0%)1, digest_body_dkim: 0.3 (0%)1, collect_info: 1.3 (0%)2, mkdir parts: 3.2 (1%)2, mime_decode: 12 (3%)5, get-file-type1: 23 (5%)10, parts_decode: 0.1 (0%)11, check_header: 0.6 (0%)11, AV-scan-1: 13 (3%)14, spam-wb-list: 0.5 (0%)14, SA msg read: 0.6 (0%)14, SA parse: 2.5 (1%)14, SA check: 355 (80%)95, decide_mail_destiny: 10 (2%)97, notif-quar: 0.5 (0%)97, prepare-dsn: 0.6 (0%)97, report: 1.4 (0%)98, main_log_entry: 8 (2%)99, update_snmp: 1.4 (0%)100, rundown: 1.3 (0%)100
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) new socket using IO::Socket::IP to [10.0.0.87]:10025, timeout 35
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) extra modules loaded: unicore/lib/Gc/Nd.pl
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 52.5 ms
-Nov 18 14:56:47 vml000067 amavis[10587]: (10587-01) load: 100 %, total idle 0.000 s, busy 0.468 s
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp cmd> EHLO viruswall.dmz.nausch.org
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM'
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp cmd> MAIL FROM:<postmaster@nausch.org> ENVID=AM.ofn-luxWKSUo.20141202T142716Z@viruswall.dmz.nausch.org
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp cmd> RCPT TO:<virusalert@nausch.org>
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp cmd> DATA
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp resp to MAIL (pip): 250 2.1.0 Ok
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp resp to RCPT (pip) (<virusalert@nausch.org>): 250 2.1.5 Ok
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp resp to data-dot (<virusalert@nausch.org>): 250 2.0.0 Ok: queued as 9A6FBC00089, dt: 40.0 ms
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) Amavis::Out::SMTP::Session close, keeping connection
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) ofn-luxWKSUo(o1aYnuSaPRGv) SEND from <postmaster@nausch.org> -> <virusalert@nausch.org>, ENVID=AM.ofn-luxWKSUo.20141202T142716Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as 9A6FBC00089
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) delivery method is 1, recips: django@nausch.org
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) DSN: sender is credible (orig), SA: 1000.800, <n3rd@sec-mail.guru>
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) status counters: InMsgsStatus{Rejected,RejectedInternal,RejectedOriginating}
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) Blocked SPAM {RejectedInternal}, ORIGINATING LOCAL [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>, Message-ID: <20141202142715.E5401C00088@mx01.nausch.org>, mail_id: o1aYnuSaPRGv, Hits: 1000.8, size: 1417, 692 ms
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) TIMING-SA total 404 ms - parse: 1.77 (0.4%), extract_message_metadata: 15 (3.6%), poll_dns_idle: 0.24 (0.1%), get_uri_detail_list: 1.66 (0.4%), tests_pri_-1000: 7 (1.7%), tests_pri_-950: 2.00 (0.5%), tests_pri_-900: 1.29 (0.3%), tests_pri_-400: 1.03 (0.3%), tests_pri_0: 356 (88.2%), check_dkim_adsp: 5 (1.2%), check_spf: 0.45 (0.1%), check_razor2: 250 (61.8%), check_pyzor: 0.28 (0.1%), tests_pri_500: 4 (0.9%), get_report: 1.31 (0.3%)
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) sending SMTP response: "554 5.7.0 Reject, id=15668-01 - spam"
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) size: 1417, TIMING [total 698 ms] - SMTP greeting: 9 (1%)1, SMTP EHLO: 3.1 (0%)2, SMTP pre-MAIL: 0.6 (0%)2, mkdir tempdir: 1.5 (0%)2, create email.txt: 0.3 (0%)2, SMTP pre-DATA-flush: 4.1 (1%)3, SMTP DATA: 39 (6%)8, check_init: 1.3 (0%)8, digest_hdr: 2.0 (0%)9, digest_body_dkim: 0.5 (0%)9, collect_info: 2.5 (0%)9, mkdir parts: 1.9 (0%)9, mime_decode: 11 (2%)11, get-file-type1: 19 (3%)14, parts_decode: 0.2 (0%)14, check_header: 0.6 (0%)14, AV-scan-1: 9 (1%)15, spam-wb-list: 0.9 (0%)15, SA msg read: 0.8 (0%)15, SA parse: 4.2 (1%)16, SA check: 395 (57%)72, decide_mail_destiny: 10 (1%)74, notif-quar: 0.6 (0%)74, write-header: 16 (2%)76, fwd-data-dkim: 35 (5%)81, fwd-connect: 57 (8%)89, fwd-mail-pip: 7 (1%)91, fwd-rcpt-pip: 0.3 (0%)91, fwd-data-chkpnt: 0.1 (0%)91, write-header: 0.5 (0%)91, fwd-data-contents: 2.6 (0%)91, fwd-end-chkpnt: 41 (6%)97, prepare-dsn: 2.4 (0%)97, report: 4.7 (1%)98, main_log_entry: 11 (2%)100, update_snmp: 1.9 (0%)100, SMTP pre-resp...
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) ...onse: 0.3 (0%)100, SMTP response: 0.3 (0%)100, unlink-2-files: 0.2 (0%)100, rundown: 0.7 (0%)100
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) extra modules loaded: unicore/lib/Gc/Nd.pl
+Dec  2 15:27:16 vml000067 amavis[15668]: (15668-01) load: 100 %, total idle 0.003 s, busy 0.700 s</code>
+=== SMTP-Server (Teil 2 von 3) ===
+Im **Maillog** unseres Borderfilters sehen wir nun also als nächstes den Eingang dieser Notification-eMail an den definierten Empfänger.
+   # less /var/log/maillog
+<code>Dec  2 15:27:16 vml000087 postfix/smtpd[27685]: connect from vml000067.dmz.nausch.org[10.0.0.67]
+Dec  2 15:27:16 vml000087 postfix/smtpd[27685]: 9A6FBC00089: client=vml000067.dmz.nausch.org[10.0.0.67]
+Dec  2 15:27:16 vml000087 postfix/cleanup[27683]: 9A6FBC00089: message-id=<SAo1aYnuSaPRGv@viruswall.dmz.nausch.org>
+Dec  2 15:27:16 vml000087 postfix/qmgr[27247]: 9A6FBC00089: from=<postmaster@nausch.org>, size=4328, nrcpt=1 (queue active)
+Dec  2 15:27:16 vml000087 postfix/smtp[27684]: E5401C00088: to=<django@nausch.org>, relay=10.0.0.67[10.0.0.67]:10024, delay=0.77, delays=0.04/0.03/0.02/0.69, dsn=5.7.0, status=bounced (host 10.0.0.67[10.0.0.67] said: 554 5.7.0 Reject, id=15668-01 - spam (in reply to end of DATA command))
+Dec  2 15:27:16 vml000087 postfix/cleanup[27683]: B736EC0008A: message-id=<20141202142716.B736EC0008A@mx01.nausch.org>
+Dec  2 15:27:16 vml000087 postfix/qmgr[27247]: B736EC0008A: from=<>, size=4076, nrcpt=1 (queue active)
+Dec  2 15:27:16 vml000087 postfix/bounce[27687]: E5401C00088: sender non-delivery notification: B736EC0008A
+Dec  2 15:27:16 vml000087 postfix/qmgr[27247]: E5401C00088: removed
+Dec  2 15:27:17 vml000087 postfix/lmtp[27686]: 9A6FBC00089: to=<django@nausch.org>, orig_to=<virusalert@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.46, delays=0.04/0.01/0.01/0.39, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> 0WGxKC3MfVQbPAAArK2B9Q Saved)
+Dec  2 15:27:17 vml000087 postfix/qmgr[27247]: 9A6FBC00089: removed
 </code>
-==== EICAR ====
+=== SMTP-Server (Teil 3 von 3) ===
-=== SMTP-Client ===
-   $ swaks -t django@nausch.org --attach - --server 10.0.0.87 --suppress-data </home/django/eicar.com.txt
+<WRAP center round tip>
+Zu guter Letzt sehen wir dann noch die **Bounce**-Nachricht an den ursprünglichen Absender, den wir ja zweifelsfrei kennen, da dieser sich beim Einliefern der Nachricht authentifizierten hatte. Somit ist die Gefahr von **[[http://de.wikipedia.org/wiki/Backscatter_%28E-Mail%29|backscatter eMail]]** ausgeschlossen!
+</WRAP>
+   # less /var/log/messages
+   Dec  2 15:27:17 vml000087 postfix/lmtp[27688]: B736EC0008A: to=<n3rd@sec-mail.guru>, relay=10.0.0.77[10.0.0.77]:24, delay=0.49, delays=0.07/0.01/0.02/0.39, dsn=2.0.0, status=sent (250 2.0.0 <n3rd@sec-mail.guru> hwVTMkTMfVQfPAAArK2B9Q Saved)
+   Dec  2 15:27:17 vml000087 postfix/qmgr[27247]: B736EC0008A: removed
+=== MUA (Empfänger der Notification Mail) ===
+Wie schon angeschnitten erhält der verantwortliche Admin des Servers mit der Addresse **virusalert@nausch.org** eine Nachricht mit dem Detail des Versuches eine SPAM-Mail zu verschicken.
+<code>Return-Path: <postmaster@nausch.org>
+Delivered-To: django@nausch.org
+Received: from mx01.nausch.org ([10.0.0.87])
+	by imap.nausch.org (Dovecot) with LMTP id 0WGxKC3MfVQbPAAArK2B9Q
+	for <django@nausch.org>; Tue, 02 Dec 2014 15:27:16 +0100
+Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67])
+	by mx01.nausch.org (Postfix) with ESMTP id 9A6FBC00089
+	for <virusalert@nausch.org>; Tue,  2 Dec 2014 15:27:16 +0100 (CET)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nausch.org; h=
+	message-id:subject:subject:date:date:from:from:mime-version
+	:content-transfer-encoding:content-type:content-type; s=140224;
+	 t=1417530436; x=1419344837; bh=tVWIH0duwt/kaEdApRyhDUvLvxAvX1C8
+	fu9jN2ZwFt0=; b=AZgQAhDSlqrdcLzC1k/VopOx3PAKPHpmKeivYeIWA6KFVZH6
+	Xxbc0Unj1QQ08ZSGRNHFp5aJu4rN71BI8ad8OhRTSHdbhWR821V2Z2yRti7TUDwq
+	QZigx230dACkYKrzQhTKJawAmXKbg1V2EUbTTqUpwBDsaYnTML9i+fAr4mcVrN2n
+	JBAmg1K3OL0uokXp/eaaKpxG+GDMgv8n6dsXgk29+1V2BznRz3HTcA0BsT9m0087
+	kxonaX5Bhio01JhAEuG+fy2f12N3QMNQ2l+8zWQskPXUaL/q3SGG/dYcBvtL2BuR
+	m6f1+Z8kBuZeosXe/a3rma8v+Sdbg++u2bY6jCtGLChN/M3/bO/qq1IiYSpLOLQI
+	adNxaPKefjC75FtY0AEYWpDlU8WIbk/Wqb0/KovhexGto84UTZcmRq0Z8t8RBNtN
+	xmy4M2uNK2l6aWbfQV0cjnrg0FQ2AfisP74d45dEaDNV+dsBhMiYgcZ1wHhW4Aro
+	ug1OiU1+hbie1t59J0Y15BHO/BeJSvJYNTlf/twopaObQc1LAJSzuIUZegyiFjMQ
+	/AdpdmpWFKhPTZNp2JwDoBm3vd5DT555t5+kIuRh/8mKhNRs194ZZzXCuUdrkgMm
+	LQL4HSB5TbVxVDhOfgaStlWWRZmt4IwWR3aOsfGA2TSEOle4cTJXWHxokec=
+Content-Type: multipart/mixed; boundary="----------=_1417530436-15668-0"
+Content-Transfer-Encoding: 7bit
+MIME-Version: 1.0
+From: "Content-filter at viruswall.dmz.nausch.org" <postmaster@nausch.org>
+Date: Tue,  2 Dec 2014 15:27:16 +0100 (CET)
+Subject: Spam FROM LOCAL [10.0.0.87] <n3rd@sec-mail.guru>
+To: <virusalert@nausch.org>
+Message-ID: <SAo1aYnuSaPRGv@viruswall.dmz.nausch.org>
+This is a multi-part message in MIME format...
+------------=_1417530436-15668-0
+Content-Type: text/plain; charset="UTF-8"
+Content-Disposition: inline
+Content-Transfer-Encoding: 7bit
+Content type: Spam
+Internal reference code for the message is 15668-01/o1aYnuSaPRGv
+First upstream SMTP client IP address: [10.0.0.87]
+Received from: 10.0.0.87
+Return-Path: <n3rd@sec-mail.guru>
+From: n3rd@sec-mail.guru
+Message-ID: <20141202142715.E5401C00088@mx01.nausch.org>
+X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
+Subject: vierte Testnachricht SPAM auf Port 587
+Not quarantined.
+The message WAS NOT relayed to:
+<django@nausch.org>:
+5.7.0 Reject, id=15668-01 - spam
+Spam scanner report:
+Spam detection software, running on the system "vml000067.dmz.nausch.org", has
+identified this incoming email as possible spam.  The original message
+has been attached to this so you can view it (if it isn't spam) or label
+similar future email.  If you have any questions, see
+the administrator of that system for details.
+Content preview:  Subject: Test spam mail (GTUBE) Message-ID: <GTUBE1.1010101@example.net>
+   Date: Wed, 23 Jul 2003 23:30:00 +0200 From: Sender <sender@example.net> To:
+   Recipient <recipient@example.net> Precedence: junk MIME-Version: 1.0 Content-Type:
+   text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit [...]
+Content analysis details:   (1000.8 points, 5.0 required)
+ pts rule name              description
+---- ---------------------- --------------------------------------------------
+-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
+.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all mail
+                            and suggests discarding the rest
+GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
+------------=_1417530436-15668-0
+Content-Type: text/rfc822-headers; name="header"
+Content-Disposition: inline; filename="header"
+Content-Transfer-Encoding: 7bit
+Content-Description: Message header section
+Return-Path: <n3rd@sec-mail.guru>
+Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87])
+	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
+	(No client certificate requested)
+	by mx01.nausch.org (Postfix) with ESMTPSA id E5401C00088
+	for <django@nausch.org>; Tue,  2 Dec 2014 15:27:15 +0100 (CET)
+Date: Tue, 02 Dec 2014 15:27:15 +0100
+To: django@nausch.org
+From: n3rd@sec-mail.guru
+Subject: vierte Testnachricht SPAM auf Port 587
+X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
+X-Test: test eMail
+Message-Id: <20141202142715.E5401C00088@mx01.nausch.org>
+------------=_1417530436-15668-0--
+</code>
+=== MUA (Empfänger der Bounce Mail) ===
+Der Ursprüngliche authentifizierte Absender erhält die Bounce-Nachricht, dass seine Nachricht nicht weiterverschickt werden konnte. Dieser kann dann entsprechend tätig werden und den Fehler abstellen (helfen).
+<code>Return-Path: <>
+Delivered-To: n3rd@sec-mail.guru
+Received: from mx01.nausch.org ([10.0.0.87])
+	by imap.nausch.org (Dovecot) with LMTP id hwVTMkTMfVQfPAAArK2B9Q
+	for <n3rd@sec-mail.guru>; Tue, 02 Dec 2014 15:27:16 +0100
+Received: by mx01.nausch.org (Postfix)
+	id B736EC0008A; Tue,  2 Dec 2014 15:27:16 +0100 (CET)
+Date: Tue,  2 Dec 2014 15:27:16 +0100 (CET)
+From: MAILER-DAEMON@nausch.org (Mail Delivery System)
+Subject: Rueckgabe nicht zustellbarer Nachricht an Absender
+To: n3rd@sec-mail.guru
+Auto-Submitted: auto-replied
+MIME-Version: 1.0
+Content-Type: multipart/report; report-type=delivery-status;
+	boundary="E5401C00088.1417530436/mx01.nausch.org"
+Message-Id: <20141202142716.B736EC0008A@mx01.nausch.org>
+This is a MIME-encapsulated message.
+--E5401C00088.1417530436/mx01.nausch.org
+Content-Description: Notification
+Content-Type: text/plain; charset=iso-8859-1
+Dies ist eine automatisch generierte Nachricht des Postfix E-Mail-Dienstes.
+Dieser Dienst wird auf dem Server mx01.nausch.org betrieben und teilt Ihnen
+folgendes mit:
+    Ihre Nachricht konnte an einen oder mehrere Empfaenger nicht zugestellt
+    werden. Ein Problem-Bericht, sowie Ihre uspruengliche Nachricht wurden an
+    das Ende dieser Nachricht angehaengt.
+Fuer weitere Hilfe kontaktieren Sie bitte den fuer Sie zustaendigen
+<postmaster>.
+Senden Sie dazu den an diese E-Mail angefuegten Problem-Bericht mit.
+Den Inhalt Ihrer urspruenglichen Nachricht koennen Sie - zum Schutz Ihrer
+Privatsphaere - entfernen; er ist fuer eine Fehler-Diagnose nicht zwingend
+notwendig.
+                   Der Postfix E-Mail-Dienst
+                        INTERNATIONAL VERSION
+This is the Postfix program at host mx01.nausch.org.
+I'm sorry to have to inform you that your message could not
+be delivered to one or more recipients. It's attached below.
+For further assistance, please send mail to <postmaster>
+If you do so, please include this problem report. You can
+delete your own text from the attached returned message.
+<django@nausch.org>: host 10.0.0.67[10.0.0.67] said: 554 5.7.0 Reject,
+    id=15668-01 - spam (in reply to end of DATA command)
+--E5401C00088.1417530436/mx01.nausch.org
+Content-Description: Delivery report
+Content-Type: message/delivery-status
+Reporting-MTA: dns; mx01.nausch.org
+X-Postfix-Queue-ID: E5401C00088
+X-Postfix-Sender: rfc822; n3rd@sec-mail.guru
+Arrival-Date: Tue,  2 Dec 2014 15:27:15 +0100 (CET)
+Final-Recipient: rfc822; django@nausch.org
+Original-Recipient: rfc822;django@nausch.org
+Action: failed
+Status: 5.7.0
+Remote-MTA: dns; 10.0.0.67
+Diagnostic-Code: smtp; 554 5.7.0 Reject, id=15668-01 - spam
+--E5401C00088.1417530436/mx01.nausch.org
+Content-Description: Undelivered Message
+Content-Type: message/rfc822
+Return-Path: <n3rd@sec-mail.guru>
+Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87])
+	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
+	(No client certificate requested)
+	by mx01.nausch.org (Postfix) with ESMTPSA id E5401C00088
+	for <django@nausch.org>; Tue,  2 Dec 2014 15:27:15 +0100 (CET)
+Date: Tue, 02 Dec 2014 15:27:15 +0100
+To: django@nausch.org
+From: n3rd@sec-mail.guru
+Subject: vierte Testnachricht SPAM auf Port 587
+X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
+X-Test: test eMail
+Message-Id: <20141202142715.E5401C00088@mx01.nausch.org>
+Subject: Test spam mail (GTUBE)
+Message-ID: <GTUBE1.1010101@example.net>
+Date: Wed, 23 Jul 2003 23:30:00 +0200
+From: Sender <sender@example.net>
+To: Recipient <recipient@example.net>
+Precedence: junk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Transfer-Encoding: 7bit
+This is the GTUBE, the
+	Generic
+	Test for
+	Unsolicited
+	Bulk
+	Email
+If your spam filter supports it, the GTUBE provides a test by which you
+can verify that the filter is installed correctly and is detecting incoming
+spam. You can send yourself a test mail containing the following string of
+characters (in upper case and with no white spaces and line breaks):
+XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
+You should send this test mail from an account outside of your network.
+--E5401C00088.1417530436/mx01.nausch.org--
+</code>
+==== Eicar-Testmail auf Port 25 (MTA zu MTA Verkehr) ====
+=== SMTP-Client (swaks) ===
+Beim vorletzten Test unseres **AS/AV**((**A**nti **S**pam/**A**nti **V**irus))-Systems versuchen wir nun eine eMail mit einem Virus mit Hilfe von [[http://www.jetmore.org/john/code/swaks/|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) an einen unserer eigenen Empfänger zu verschicken.
+Dazu laden wir uns erst einmal einen Testpattern [[http://www.eicar.org/download/eicarcom2.zip|eicarcom2.zip]] von der [[http://www.eicar.org/86-0-Intended-use.html|EICAR-Webseite]] auf unseren Rechner.
+   # curl -O http://www.eicar.org/download/eicarcom2.zip
+Wir versuchen nun eine eMail zusammen mit dieser Testdatei zu versenden, zunächst auf Port **25**.
+Diese Nachricht versuchen wir nun loszuschicken:
+   # swaks -t django@nausch.org --attach - --server 10.0.0.87 --suppress-data <eicarcom2.zip --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header "Subject: 5. Test-Testnachricht mit EICAR-Testdatei im Anhang auf Port 25"
 <code>=== Trying 10.0.0.87:25...
 === Connected to 10.0.0.87.
 <-  220 mx01.nausch.org ESMTP Postfix
- -> EHLO vml000060.dmz.nausch.org
+ -> EHLO vml000087.dmz.nausch.org
 <-  250-mx01.nausch.org
 <-  250-PIPELINING
@@ Zeile 3680: / Zeile 4054: @@
 <-  250-8BITMIME
 <-  250 DSN
- -> MAIL FROM:<django@vml000060.dmz.nausch.org>
+ -> STARTTLS
-<-  250 2.1.0 Ok
+<-  220 2.0.0 Ready to start TLS
- -> RCPT TO:<django@nausch.org>
+=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
-<-  250 2.1.5 Ok
+=== TLS no local certificate set
- -> DATA
+=== TLS peer DN="/serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/OU=GT49447951/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.nausch.org"
-<-  354 End data with <CR><LF>.<CR><LF>
+ ~> EHLO vml000087.dmz.nausch.org
- -> 24 lines sent
+<~  250-mx01.nausch.org
-<** 554 5.7.0 Reject, id=10690-01 - INFECTED: Eicar-Test-Signature. Contact your postmaster/admin for technical assistance. He can achieve our postmaster via email: postmaster@nausch.org or via fax: +49 8121 883179. In any case, please provide the following information in your problem report: This error message, time (Nov 18 15:40:51), client (10.0.0.60) and server (mx01.nausch.org).
+<~  250-PIPELINING
- -> QUIT
+<~  250-SIZE 52428800
-<-  221 2.0.0 Bye
+<~  250-ETRN
+<~  250-ENHANCEDSTATUSCODES
+<~  250-8BITMIME
+<~  250 DSN
+ ~> MAIL FROM:<n3rd@sec-mail.guru>
+<~  250 2.1.0 Ok
+ ~> RCPT TO:<django@nausch.org>
+<~  250 2.1.5 Ok
+ ~> DATA
+<~  354 End data with <CR><LF>.<CR><LF>
+ ~> 29 lines sent
+<~* 554 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature. Contact your postmaster/admin for technical assistance. He can achieve our postmaster via email: postmaster@nausch.org or via fax: +49 8121 883179. In any case, please provide the following information in your problem report: This error message, time (Dec 02 17:26:50), client (10.0.0.87) and server (mx01.nausch.org).
+ ~> QUIT
+<~  221 2.0.0 Bye
+=== Connection closed with remote host.</code>
+Wie wir sehen können, hat der SMTP-Server die Annahme der Nachricht mit dem Fehlercode **554 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature.** verweigert. Zu dieser Fehlermeldung erhält der einliefernde SMTP-Client noch Informationen wie er sich ggf. mit uns in Verbindung setzen kann.
+=== SMTP-Server (Teil 1 von 2) ===
+Im **Maillog** unseres Borderfilters sehen wir nun zu unserem gerade durchgeführten Versuch eine Mail mit einem Virus einzuliefern mehrere zusammenhängende Logeinträge.
+   # less /var/log/maillog
+<code>Dec  2 17:26:49 vml000087 postfix/smtpd[27815]: connect from vml000087.dmz.nausch.org[10.0.0.87]
+Dec  2 17:26:49 vml000087 postfix/smtpd[27815]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (2
+/256 bits)
+Dec  2 17:26:50 vml000087 postfix/smtpd[27815]: 3339FC00088: client=vml000087.dmz.nausch.org[10.0.0.87]
+Dec  2 17:26:50 vml000087 postfix/cleanup[27821]: 3339FC00088: message-id=<20141202162650.3339FC00088@mx01.nausch.org>
+Dec  2 17:26:50 vml000087 postfix/smtpd[27822]: connect from vml000067.dmz.nausch.org[10.0.0.67]
+Dec  2 17:26:50 vml000087 postfix/smtpd[27822]: 8250AC00089: client=vml000067.dmz.nausch.org[10.0.0.67]
+Dec  2 17:26:50 vml000087 postfix/cleanup[27823]: 8250AC00089: message-id=<VRaCP3zN0_kicy@viruswall.dmz.nausch.org>
+Dec  2 17:26:50 vml000087 postfix/qmgr[27247]: 8250AC00089: from=<postmaster@nausch.org>, size=2289, nrcpt=1 (queue active)
+Dec  2 17:26:50 vml000087 postfix/cleanup[27821]: 3339FC00088: milter-reject: END-OF-MESSAGE from vml000087.dmz.nausch.org[10.0.0.87]: 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature; from=<n3rd@sec-mail.guru> to=<django@nausch.org> proto=ESMTP helo=<vml000087.dmz.nausch.org>
+Dec  2 17:26:50 vml000087 postfix/smtpd[27815]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]
+</code>
+Zunächst sehen wir den TLS-Verbindungsaufbau und dem erfolglosen Einlieferungsversuch des MTA((**M**ail **T**ransport **A**gent))-Clients. Hier finden wie auch die **id=15809-01** wieder, die uns der AMaViS-Host genannt hat. Diesen können wir nun verwenden um auf dem AMaViS-Host im Maillog zu suchen um in Erfahrung zu bringen, warum die Nachricht abgeleht wurde.
+=== ASAV-Host ===
+Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.
+   # less /var/log/maillog
+<code>Dec  2 17:26:50 vml000067 amavis[15809]: loaded policy bank "AM.PDP-SOCK"
+Dec  2 17:26:50 vml000067 amavis[15809]: process_request: fileno sock=13, STDIN=0, STDOUT=1
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: request=AM.PDP
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: queue_id=3339FC00088
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: sender=<n3rd@sec-mail.guru>
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: recipient=<django@nausch.org>
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: tempdir=/var/spool/amavisd/tmp/afXXXXRW5Vp3
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: tempdir_removed_by=client
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: mail_file=/var/spool/amavisd/tmp/afXXXXRW5Vp3/email.txt
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: delivery_care_of=client
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: client_address=10.0.0.87
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: client_name=vml000087.dmz.nausch.org
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: helo_name=vml000087.dmz.nausch.org
+Dec  2 17:26:50 vml000067 amavis[15809]: policy protocol: policy_bank=mx01.nausch.org
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) Request: AM.PDP  /var/spool/amavisd/tmp/afXXXXRW5Vp3: <n3rd@sec-mail.guru> -> <django@nausch.org>
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) loaded policy bank "MYNETS" over "AM.PDP-SOCK"
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) body hash: ca2e97181bfa35cf2924c8de9332cafe
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) ip_trace: 10.0.0.87
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) Checking: aCP3zN0_kicy AM.PDP-SOCK/MYNETS [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) 2822.From: <n3rd@sec-mail.guru>
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) p003 1 Content-Type: multipart/mixed
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) p001 1/1 Content-Type: text/plain, size: 22 B, name:
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) p002 1/2 Content-Type: application/octet-stream, size: 308 B, name:
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) inspect_dsn: not a bounce
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) Checking for banned types and filenames
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) collect banned table[0]: django@nausch.org, tables:
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) p.path django@nausch.org: "P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=asc"
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) p.path django@nausch.org: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=zip | P=p004,L=1/2/1,T=zip,N=eicar_com.zip | P=p005,L=1/2/1/1,T=asc,N=eicar.com"
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) presenting full original message to scanners as /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts/p006
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts\n
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) ClamAV-clamd: Connecting to socket  /var/run/clamd.amavisd/clamd.sock
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts\n to socket /var/run/clamd.amavisd/clamd.sock
+Dec  2 17:26:50 vml000067 clamd[1278]: /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts/p006: Eicar-Test-Signature FOUND
+Dec  2 17:26:50 vml000067 clamd[1278]: /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts/p005: Eicar-Test-Signature FOUND
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) rw_loop read: got eof
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) run_av (ClamAV-clamd): /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts INFECTED: Eicar-Test-Signature, Eicar-Test-Signature
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) Virus Eicar-Test-Signature matches (constant:1), sender addr ignored
+</code>
+Es wurde also die **Eicar-Test-Signature** in der Nachricht gefunden! Im **Maillog** des AMaViS-Servers sehen wir nun nachfolgend, dass der Daemon die entsprechende Notification eMail an den definierten Bearbeiter verschicken wird.
+    # less /var/log/maillog
+<code>ec  2 17:26:50 vml000067 amavis[15809]: (15809-01) blocking contents category is (9) for django@nausch.org, final_destiny -3
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) do_notify_and_quar: ccat=Virus (9,0) ("9":Virus, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(9), qar_mth=
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) dkim: candidate originators: From:<postmaster@nausch.org>
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) dkim: signing (author), From: <postmaster@nausch.org> (From:<postmaster@nausch.org>), KEY.h=>sha256, KEY.key_ind=>1, a=>rsa-sha256, c=>relaxed/simple, d=>nausch.org, s=>140224, ttl=>1814400, x=>1419352011
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp session: setting up a new session
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) new socket using IO::Socket::IP to [10.0.0.87]:10025, timeout 35
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 51.7 ms
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp cmd> EHLO viruswall.dmz.nausch.org
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM'
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp cmd> MAIL FROM:<postmaster@nausch.org> ENVID=AM.Ndh64tU7lUEd.20141202T162650Z@viruswall.dmz.nausch.org
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp cmd> RCPT TO:<django@nausch.org>
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp cmd> DATA
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp resp to MAIL (pip): 250 2.1.0 Ok
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp resp to RCPT (pip) (<django@nausch.org>): 250 2.1.5 Ok
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp resp to data-dot (<django@nausch.org>): 250 2.0.0 Ok: queued as 8250AC00089, dt: 30.3 ms
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) Amavis::Out::SMTP::Session close, keeping connection
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) Ndh64tU7lUEd(aCP3zN0_kicy) SEND from <postmaster@nausch.org> -> <django@nausch.org>, ENVID=AM.Ndh64tU7lUEd.20141202T162650Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as 8250AC00089
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) delivery method is 1, recips: django@nausch.org
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) DSN: sender is credible (orig), SA: 0.000, <n3rd@sec-mail.guru>
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) status counters: InMsgsStatus{Rejected,RejectedInternal,RejectedOriginating}
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) Blocked INFECTED (Eicar-Test-Signature) {RejectedInternal}, AM.PDP-SOCK/MYNETS LOCAL [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>, Queue-ID: 3339FC00088, Message-ID: <20141202162650.3339FC00088@mx01.nausch.org>, mail_id: aCP3zN0_kicy, Hits: -, size: 1282, 309 ms
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) mail checking ended: version_server=2\nlog_id=15809-01\nsetreply=554 5.7.0 Reject,%20id=15809-01%20-%20INFECTED:%20Eicar-Test-Signature\nreturn_value=reject\nexit_code=69
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) size: 1282, TIMING [total 321 ms] - got data: 0.0 (0%)0, check_init: 6 (2%)2, digest_hdr: 2.0 (1%)2, digest_body_dkim: 0.5 (0%)3, collect_info: 2.3 (1%)3, mkdir parts: 4.6 (1%)5, mime_decode: 14 (5%)9, get-file-type2: 18 (6%)15, ren1-unl0-files1: 25 (8%)23, decompose_part: 0.3 (0%)23, get-file-type1: 9 (3%)25, ren1-unl0-files1: 23 (7%)32, decompose_part: 0.3 (0%)32, get-file-type1: 13 (4%)37, parts_decode: 0.1 (0%)37, check_header: 0.5 (0%)37, AV-scan-1: 12 (4%)41, read_snmp_variables: 0.9 (0%)41, decide_mail_destiny: 2.5 (1%)42, notif-quar: 0.6 (0%)42, write-header: 20 (6%)48, fwd-data-dkim: 33 (10%)58, fwd-connect: 55 (17%)76, fwd-mail-pip: 21 (7%)82, fwd-rcpt-pip: 0.3 (0%)82, fwd-data-chkpnt: 0.1 (0%)82, write-header: 0.4 (0%)82, fwd-data-contents: 1.0 (0%)83, fwd-end-chkpnt: 31 (10%)92, prepare-dsn: 2.0 (1%)93, report: 1.7 (1%)94, main_log_entry: 9 (3%)96, update_snmp: 10 (3%)99, rundown: 2.2 (1%)100
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) extra modules loaded: unicore/lib/Gc/Nd.pl
+Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) load: 100 %, total idle 0.000 s, busy 0.354 s
+</code>
+=== SMTP-Server (Teil 2 von 2) ===
+Im **Maillog** unseres Borderfilters sehen wir nun also als nächstes den Eingang dieser Notification-eMail an den definierten Empfänger.
+   # less /var/log/maillog
+<code>Dec  2 17:26:50 vml000087 postfix/lmtp[27824]: 8250AC00089: to=<django@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.2, delays=0.05/0.03/0.02/0.1, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> HpapJErofVSPSgAArK2B9Q Saved)
+Dec  2 17:26:50 vml000087 postfix/qmgr[27247]: 8250AC00089: removed
+</code>
+=== MUA (Empfänger der Notification Mail) ===
+Wie schon angeschnitten erhält der verantwortliche Admin des Servers mit der Addresse **virusalert@nausch.org** eine Nachricht mit dem Detail des Versuches eine SPAM-Mail zu verschicken.
+<code>Return-Path: <postmaster@nausch.org>
+Delivered-To: django@nausch.org
+Received: from mx01.nausch.org ([10.0.0.87])
+	by imap.nausch.org (Dovecot) with LMTP id HpapJErofVSPSgAArK2B9Q
+	for <django@nausch.org>; Tue, 02 Dec 2014 17:26:50 +0100
+Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67])
+	by mx01.nausch.org (Postfix) with ESMTP id 8250AC00089
+	for <django@nausch.org>; Tue,  2 Dec 2014 17:26:50 +0100 (CET)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nausch.org; h=
+	content-transfer-encoding:content-disposition:content-type
+	:content-type:message-id:subject:subject:date:date:from:from
+	:mime-version; s=140224; t=1417537610; x=1419352011; bh=tVt05RIQ
+	Bpj4qmzmNJoEPHHj22aTtLu2THUwcwoCsls=; b=Tc7gljO5SN9Y4X1yxVbiC4IH
+	szuBz2F49Mdzyx48m2VfA0mKMi1EmnT1D5QOs2tYdElBc35le8T3kLD9TfVheonI
+	XtwGnJKfUycJEQ/nwrNWPaYXrJZXjGK08TmQ08WoIg9+uH1G2SqzAeWhMKND3+K8
+	lEunOg/CmMKoJElhvp3X0k2TnSTXvPSsK1+Nvrhs1zcJzd5SSKka1eseyvnlYRB0
+	AWu8oties5VOEIM601gt2T7tBbKEFj9KMpZHiapeNGpu6UoddkvfY779Vs0DfLvj
+	WX/VLK6WNrE+qb0wjmisR1hW5+RaXFcAMRtFT/5vXhryfjLjP0RQOCPyheLrjBux
+w5KfXJEmqeb1efZ9MZTfp4SrS90wcXbJRicSt+vzYmsOcB9rXj+hO5JJf7Uj/ag
+	dP4ngXl+BvI2drOf33hjKrFynTVdpEMF8gLH/qYaydLf0h8lh0v4U9py7kvZRHfy
+	BXhF0en2YdcoIaof2ZMOxD17VLZtkouUaqDT6UxLyr60KHMS7Fx9+NeSEUjI7zTH
+	DobySVImu63dS8j3XTzFu8pFKthAod6dD2FgW2NuM00BTECEaZeDxp7CY7nuXmcg
+	pxpsoPuJYV12Y+1os+DW53ZuaLMEtsoJLQC7VF91oXkgJTk0PIaeB1FPQjOGudvd
+	QfnZYUFETGcNRt1SAd0=
+MIME-Version: 1.0
+From: Postmaster <postmaster@nausch.org>
+Date: Tue,  2 Dec 2014 17:26:50 +0100 (CET)
+Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from <n3rd@sec-mail.guru>
+To: django@nausch.org
+Message-ID: <VRaCP3zN0_kicy@viruswall.dmz.nausch.org>
+Content-Type: text/plain; charset="UTF-8"
+Content-Disposition: inline
+Content-Transfer-Encoding: 7bit
+VIRUS ALERT
+Our content checker found
+    virus: Eicar-Test-Signature
+in an email to you from probably faked sender:
+claiming to be: <n3rd@sec-mail.guru>
+Content type: Virus
+Our internal reference code for your message is 15809-01/aCP3zN0_kicy
+First upstream SMTP client IP address: [10.0.0.87] vml000087.dmz.nausch.org
+Received from: 10.0.0.87
+Return-Path: <n3rd@sec-mail.guru>
+From: n3rd@sec-mail.guru
+Message-ID: <20141202162650.3339FC00088@mx01.nausch.org>
+X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
+Subject: 5. Test-Testnachricht mit EICAR-Testdatei im Anhang auf Port 25
+Not quarantined.
+Please contact your system administrator for details.
+</code>
+==== Eicar-Testmail auf Port 587 (MUA zu MSA Verkehr) ====
+Zum Abschluss unserer Testreihe überprüfen wir, ob wir die EICAR-Testsignatur als authentifizierten User von einem **MUA**((**M**ail **U**ser **A**gent)) beim **MSA**((**M**ail **S**ubmission **A**gent)) erfolgreich einliefern können.
+=== SMTP-Client (swaks) ===
+Die bereits heruntergeladene EICAR-Testmail versuchen wir nun mit mit Hilfe von [[http://www.jetmore.org/john/code/swaks/|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) an einen unserer eigenen Empfänger zu verschicken.
+   # swaks -t django@nausch.org --attach - --server 10.0.0.87 --suppress-data <eicarcom2.zip --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header "Subject: 6. und letzter Test-Testnachricht mit EICAR-Testdatei im Anhang auf Port 25" --auth NTLM --auth-user n3rd@sec-mail.guru --auth-password Dj4n90-d3r-M41153rv3rguru! --body gtube.txt
+<code>=== Trying 10.0.0.87:587...
+=== Connected to 10.0.0.87.
+<-  220 mx01.nausch.org ESMTP Postfix
+ -> EHLO vml000087.dmz.nausch.org
+<-  250-mx01.nausch.org
+<-  250-PIPELINING
+<-  250-SIZE 52428800
+<-  250-ETRN
+<-  250-STARTTLS
+<-  250-ENHANCEDSTATUSCODES
+<-  250-8BITMIME
+<-  250 DSN
+ -> STARTTLS
+<-  220 2.0.0 Ready to start TLS
+=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
+=== TLS no local certificate set
+=== TLS peer DN="/serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/OU=GT49447951/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.nausch.org"
+ ~> EHLO vml000087.dmz.nausch.org
+<~  250-mx01.nausch.org
+<~  250-PIPELINING
+<~  250-SIZE 52428800
+<~  250-ETRN
+<~  250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
+<~  250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
+<~  250-ENHANCEDSTATUSCODES
+<~  250-8BITMIME
+<~  250 DSN
+ ~> AUTH NTLM
+<~  334
+ ~> TlRUMTVNTUAABAAAABU6IAAAAAAAAAAAAAAAAAAAAAAAA=
+<~  334 UTlRMTVNTUAADUAAAAGAAYAEAAAAAYABUgAWAAAADAAMABwAAAAJAAkAKAAAAAkACQAxAAAAAAAAACoAAAABUQKCABKUTbcHiUVToxqvguZXpp6jgnmGYJ9jDa0UoXqDbxiyz+V1xFp8hFH2sd3yaZl/qjY3YAbQBsADUAAMAAwADAANwA3AC4AZABtAHoALUgBuAGEAdQBzAGMUAaAAuAG8AcgBnAG4AMwByAGQAQABzAGUAYwAtAG0AYQBpAGwALgBnAHUAcgB1AG4AMwByAGQAQABzAGUAYwAtAG0UAYQBpAGwALgBnAHUAcgB1AA==
+<~  235 2.7.0 Authentication successful
+ ~> MAIL FROM:<n3rd@sec-mail.guru>
+<~  250 2.1.0 Ok
+ ~> RCPT TO:<django@nausch.org>
+<~  250 2.1.5 Ok
+ ~> DATA
+<~  354 End data with <CR><LF>.<CR><LF>
+ ~> 55 lines sent
+<~  250 2.0.0 Ok: queued as 82EB5C00088
+ ~> QUIT
+<~  221 2.0.0 Bye
 === Connection closed with remote host.
 </code>
-=== MTA-Host ===
+Wie auch schon bei vorhergehenden GTUBE-Test wird dem authentifizierten User die Nachricht abgenommen und mit einem **250**er bestätigt. Auch hier ist das Verhalten legitim und erklärbar, haben wir doch bei der Konfiguration explizit angegeben, dass wir Nachrichten von authentifizierten Nutzern sofort anzunehmen und erst im zweiten Schritt scannen wollen. Genau das machte unser AMaViS-Server auch.
+Den genauen Ablauf dazu, sehen wir uns nun im Detail an.
+=== SMTP-Server (Teil 1 von 2) ===
+Im **Maillog** unseres Borderfilters sehen wir nun zu unserem gerade durchgeführten Versuch mehrere zusammenhängende Logeinträge.
    # less /var/log/maillog
-<code>Nov 18 15:40:50 vml000087 postfix/smtpd[8716]: connect from vml000060.dmz.nausch.org[10.0.0.60]
-Nov 18 15:40:51 vml000087 postfix/smtpd[8716]: 36DB7C00088: client=vml000060.dmz.nausch.org[10.0.0.60]
+Zunächst sehen wir den TLS-Verbindungsaufbau, gefolgt von der erfolgreichen Authentifizierung unseres Users und die Entgegennahme der eMail vom MSA((**M**ail **S**ubmission **A**gent)).
-Nov 18 15:40:51 vml000087 postfix/cleanup[8720]: 36DB7C00088: message-id=<>
+<code>Dec  2 18:14:17 vml000087 postfix/submission/smtpd[27873]: connect from vml000087.dmz.nausch.org[10.0.0.87]
-Nov 18 15:40:51 vml000087 postfix/smtpd[8714]: connect from vml000067.dmz.nausch.org[10.0.0.67]
+Dec  2 18:14:17 vml000087 postfix/submission/smtpd[27873]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
-Nov 18 15:40:51 vml000087 postfix/smtpd[8714]: 617C1C00089: client=vml000067.dmz.nausch.org[10.0.0.67]
+Dec  2 18:14:17 vml000087 postfix/submission/smtpd[27873]: 82EB5C00088: client=vml000087.dmz.nausch.org[10.0.0.87], sasl_method=NTLM, sasl_username=n3rd@sec-mail.guru
-Nov 18 15:40:51 vml000087 postfix/cleanup[8721]: 617C1C00089: message-id=<VRQn42nSkefjqi@viruswall.dmz.nausch.org>
+Dec  2 18:14:17 vml000087 postfix/cleanup[27878]: 82EB5C00088: message-id=<20141202171417.82EB5C00088@mx01.nausch.org>
-Nov 18 15:40:51 vml000087 postfix/qmgr[8701]: 617C1C00089: from=<postmaster@nausch.org>, size=1221, nrcpt=1 (queue active)
+Dec  2 18:14:17 vml000087 postfix/qmgr[27247]: 82EB5C00088: from=<n3rd@sec-mail.guru>, size=2213, nrcpt=1 (queue active)
-Nov 18 15:40:51 vml000087 postfix/cleanup[8720]: 36DB7C00088: milter-reject: END-OF-MESSAGE from vml000060.dmz.nausch.org[10.0.0.60]: 5.7.0 Reject, id=10690-01 - INFECTED: Eicar-Test-Signature; from=<django@vml000060.dmz.nausch.org> to=<django@nausch.org> proto=ESMTP helo=<vml000060.dmz.nausch.org>
+Dec  2 18:14:17 vml000087 postfix/submission/smtpd[27873]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]
-Nov 18 15:40:51 vml000087 postfix/smtpd[8716]: disconnect from vml000060.dmz.nausch.org[10.0.0.60]
-Nov 18 15:40:51 vml000087 postfix/lmtp[8722]: 617C1C00089: to=<django@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.25, delays=0.08/0.03/0.02/0.11, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> BR4/H3Naa1R6TwAArK2B9Q Saved)
-Nov 18 15:40:51 vml000087 postfix/qmgr[8701]: 617C1C00089: removed
 </code>
 === ASAV-Host ===
+Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.
    # less /var/log/maillog
-<code>Nov 18 15:40:51 vml000067 amavis[10690]: loaded policy bank "AM.PDP-SOCK"
-Nov 18 15:40:51 vml000067 amavis[10690]: process_request: fileno sock=13, STDIN=0, STDOUT=1
+<code>Dec  2 18:14:17 vml000067 amavis[15810]: loaded policy bank "ORIGINATING"
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: request=AM.PDP
+Dec  2 18:14:17 vml000067 amavis[15810]: process_request: fileno sock=13, STDIN=0, STDOUT=1
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: queue_id=36DB7C00088
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) ESMTP:[10.0.0.67]:10024 /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3: <n3rd@sec-mail.guru> -> <django@nausch.
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: sender=<django@vml000060.dmz.nausch.org>
+org> Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new, port 10024) with ESMTP for <django@nausch.org>
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: recipient=<django@nausch.org>
+; Tue,  2 Dec 2014 18:14:17 +0100 (CET)
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: tempdir=/var/spool/amavisd/afXXXX2cyMJ5
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) body hash: d54368018a0d3ca16ae3f56772551bae
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: tempdir_removed_by=client
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) ip_trace: 10.0.0.87
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: mail_file=/var/spool/amavisd/afXXXX2cyMJ5/email.txt
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) client IP address unknown, fetched from Received: 10.0.0.87
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: delivery_care_of=client
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) Checking: uj-7SfJU0v_M ORIGINATING [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: client_address=10.0.0.60
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) 2822.From: <n3rd@sec-mail.guru>
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: client_name=vml000060.dmz.nausch.org
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) p003 1 Content-Type: multipart/mixed
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: helo_name=vml000060.dmz.nausch.org
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) p001 1/1 Content-Type: text/plain, size: 799 B, name:
-Nov 18 15:40:51 vml000067 amavis[10690]: policy protocol: policy_bank=mx01.nausch.org
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) p002 1/2 Content-Type: application/octet-stream, size: 308 B, name:
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) Request: AM.PDP  /var/spool/amavisd/afXXXX2cyMJ5: <django@vml000060.dmz.nausch.org> -> <django@nausch.org>
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) inspect_dsn: not a bounce
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) loaded policy bank "MYNETS" over "AM.PDP-SOCK"
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) Checking for banned types and filenames
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) body hash: ab01c2a13a3b0f4692629a20a0c9b55a
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) skipping banned check: all recipients bypass banned checks
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) ip_trace: 10.0.0.60
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) presenting full original message to scanners as /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts/p006
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) Checking: Qn42nSkefjqi AM.PDP-SOCK/MYNETS [10.0.0.60] <django@vml000060.dmz.nausch.org> -> <django@nausch.org>
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts\n
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) 2822.From: <django@vml000060.dmz.nausch.org>
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) ClamAV-clamd: Connecting to socket  /var/run/clamd.amavisd/clamd.sock
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) p003 1 Content-Type: multipart/mixed
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) p001 1/1 Content-Type: text/plain, size: 22 B, name:
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts\n to socket /var/run/clamd.
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) p002 1/2 Content-Type: application/octet-stream, size: 68 B, name:
+amavisd/clamd.sock
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) inspect_dsn: not a bounce
+Dec  2 18:14:17 vml000067 clamd[1278]: /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts/p006: Eicar-Test-Signature FOUND
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) Checking for banned types and filenames
+Dec  2 18:14:17 vml000067 clamd[1278]: /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts/p005: Eicar-Test-Signature FOUND
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) skipping banned check: all recipients bypass banned checks
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) rw_loop read: got eof
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) presenting full original message to scanners as /var/spool/amavisd/afXXXX2cyMJ5/parts/p004
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) run_av (ClamAV-clamd): /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts INFECTED: Eicar-Test-Signature, Eic
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/afXXXX2cyMJ5/parts\n
+ar-Test-Signature
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) ClamAV-clamd: Connecting to socket  /var/run/clamd.amavisd/clamd.sock
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) Virus Eicar-Test-Signature matches (constant:1), sender addr ignored
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/afXXXX2cyMJ5/parts\n to socket /var/run/clamd.amavisd/clamd.sock
-Nov 18 15:40:51 vml000067 clamd[9755]: SelfCheck: Database status OK.
-Nov 18 15:40:51 vml000067 clamd[9755]: /var/spool/amavisd/afXXXX2cyMJ5/parts/p004: Eicar-Test-Signature FOUND
-Nov 18 15:40:51 vml000067 clamd[9755]: /var/spool/amavisd/afXXXX2cyMJ5/parts/p002: Eicar-Test-Signature FOUND
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) rw_loop read: got eof
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) run_av (ClamAV-clamd): /var/spool/amavisd/afXXXX2cyMJ5/parts INFECTED: Eicar-Test-Signature, Eicar-Test-Signature
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) Virus Eicar-Test-Signature matches (constant:1), sender addr ignored
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) blocking contents category is (9) for django@nausch.org, final_destiny -3
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) do_notify_and_quar: ccat=Virus (9,0) ("9":Virus, "1":Clean, "0":CatchAll) ccat_block=(9), qar_mth=
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) dkim: candidate originators: From:<postmaster@nausch.org>
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) dkim: not signing, empty signing domain, From: <postmaster@nausch.org>
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp session: setting up a new session
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) new socket using IO::Socket::IP to [10.0.0.87]:10025, timeout 35
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 3.8 ms
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp cmd> EHLO localhost
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM'
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp cmd> MAIL FROM:<postmaster@nausch.org> ENVID=AM.g_RUkkLiZ_YS.20141118T144051Z@viruswall.dmz.nausch.org
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp cmd> RCPT TO:<django@nausch.org>
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp cmd> DATA
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp resp to MAIL (pip): 250 2.1.0 Ok
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp resp to RCPT (pip) (<django@nausch.org>): 250 2.1.5 Ok
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) smtp resp to data-dot (<django@nausch.org>): 250 2.0.0 Ok: queued as 617C1C00089, dt: 70.6 ms
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) Amavis::Out::SMTP::Session close, keeping connection
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) g_RUkkLiZ_YS(Qn42nSkefjqi) SEND from <postmaster@nausch.org> -> <django@nausch.org>, ENVID=AM.g_RUkkLiZ_YS.20141118T144051Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as 617C1C00089
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) delivery method is 1, recips: django@nausch.org
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) DSN: sender is credible (orig), SA: 0.000, <django@vml000060.dmz.nausch.org>
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) status counters: InMsgsStatus{Rejected,RejectedInternal,RejectedOriginating}
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) Blocked INFECTED (Eicar-Test-Signature) {RejectedInternal}, AM.PDP-SOCK/MYNETS LOCAL [10.0.0.60] <django@vml000060.dmz.nausch.org> -> <django@nausch.org>, Queue-ID: 36DB7C00088, mail_id: Qn42nSkefjqi, Hits: -, size: 876, 207 ms
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) mail checking ended: version_server=2\nlog_id=10690-01\nsetreply=554 5.7.0 Reject,%20id=10690-01%20-%20INFECTED:%20Eicar-Test-Signature\nreturn_value=reject\nexit_code=69
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) size: 876, TIMING [total 212 ms] - got data: 0.0 (0%)0, check_init: 3.6 (2%)2, digest_hdr: 1.1 (1%)2, digest_body_dkim: 0.3 (0%)2, collect_info: 1.6 (1%)3, mkdir parts: 6 (3%)6, mime_decode: 12 (6%)12, get-file-type2: 21 (10%)22, parts_decode: 0.2 (0%)22, check_header: 0.4 (0%)22, AV-scan-1: 9 (4%)26, read_snmp_variables: 0.7 (0%)27, decide_mail_destiny: 1.7 (1%)28, notif-quar: 0.6 (0%)28, fwd-connect: 24 (11%)39, fwd-mail-pip: 17 (8%)47, fwd-rcpt-pip: 0.2 (0%)48, fwd-data-chkpnt: 0.0 (0%)48, write-header: 0.4 (0%)48, fwd-data-contents: 1.1 (1%)48, fwd-end-chkpnt: 72 (34%)82, prepare-dsn: 9 (4%)86, report: 14 (7%)93, main_log_entry: 10 (5%)98, update_snmp: 2.7 (1%)99, rundown: 1.7 (1%)100
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) extra modules loaded: unicore/lib/Gc/Nd.pl
-Nov 18 15:40:51 vml000067 amavis[10690]: (10690-01) load: 100 %, total idle 0.000 s, busy 0.257 s
 </code>
+Der Virenscanner hat also die Eicar-Test-Signatur in der Nachricht entdeckt, die Nachricht wird also nicht zugestellt!
-=== Empfänger eMail ===
+<WRAP center round important>
+Gemäß unserer Konfiguration erhält der der Empfänger **virusalert@nausch.org** eine Nachricht von **postmaster@nausch.org** mit dem Details zu der Virenmail-Mail. Der Postmaster kann so reagieren und mit dem authentifizierten Mailbox-Nutzer Kontakt aufnehmen und diesen ggf. darauf hinweisen, dass er versucht hatte einen Virus zu verschicken.
+</WRAP>
+Im Maillog des AMaViS-Servers sehen wir nun, dass der Daemon die entsprechende Nachricht an den definierten Bearbeiter verschicken wird.
+   # less /var/log/maillog
+<code>Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) blocking contents category is (9) for django@nausch.org, final_destiny 0
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) do_notify_and_quar: ccat=Virus (9,0) ("9":Virus, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(9), qar_mth=
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) dkim: candidate originators: From:<postmaster@nausch.org>
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) dkim: signing (author), From: <postmaster@nausch.org> (From:<postmaster@nausch.org>), KEY.h=>sha256, KEY.key_ind=>1, a=>rsa-s
+ha256, c=>relaxed/simple, d=>nausch.org, s=>140224, ttl=>1814400, x=>1419354858
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp session: setting up a new session
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) new socket using IO::Socket::IP to [10.0.0.87]:10025, timeout 35
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 64.7 ms
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp cmd> EHLO viruswall.dmz.nausch.org
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM'
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp cmd> MAIL FROM:<postmaster@nausch.org> ENVID=AM.MtEXZuZdm5qb.20141202T171417Z@viruswall.dmz.nausch.org
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp cmd> RCPT TO:<virusalert@nausch.org>
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp cmd> DATA
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp resp to MAIL (pip): 250 2.1.0 Ok
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp resp to RCPT (pip) (<virusalert@nausch.org>): 250 2.1.5 Ok
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp resp to data-dot (<virusalert@nausch.org>): 250 2.0.0 Ok: queued as E5434C00089, dt: 33.0 ms
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) Amavis::Out::SMTP::Session close, keeping connection
+Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) MtEXZuZdm5qb(uj-7SfJU0v_M) SEND from <postmaster@nausch.org> -> <virusalert@nausch.org>, ENVID=AM.MtEXZuZdm5qb.20141202T171417Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as E5434C00089
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) dkim: candidate originators: From:<postmaster@nausch.org>
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) dkim: signing (author), From: <postmaster@nausch.org> (From:<postmaster@nausch.org>), KEY.h=>sha256, KEY.key_ind=>1, a=>rsa-sha256, c=>relaxed/simple, d=>nausch.org, s=>140224, ttl=>1814400, x=>1419354858
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp session reuse (smtp:[10.0.0.87]:10025), 1 transactions so far
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp session most likely still valid (short idle 0.1 s)
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM'
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp cmd> MAIL FROM:<postmaster@nausch.org> ENVID=AM.IKpCZDv4QKL3.20141202T171418Z@viruswall.dmz.nausch.org
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp cmd> RCPT TO:<django@nausch.org>
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp cmd> DATA
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp resp to MAIL (pip): 250 2.1.0 Ok
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp resp to RCPT (pip) (<django@nausch.org>): 250 2.1.5 Ok
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp resp to data-dot (<django@nausch.org>): 250 2.0.0 Ok: queued as 11605C00089, dt: 22.2 ms
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) Amavis::Out::SMTP::Session close, keeping connection
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) IKpCZDv4QKL3(uj-7SfJU0v_M) SEND from <postmaster@nausch.org> -> <django@nausch.org>, ENVID=AM.IKpCZDv4QKL3.20141202T171418Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as 11605C00089
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) delivery method is 1, recips: django@nausch.org
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) DSN: sender is credible (orig), SA: 0.000, <n3rd@sec-mail.guru>
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) status counters: InMsgsStatus{Discarded,DiscardedInternal,DiscardedOriginating}
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInternal}, ORIGINATING LOCAL [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>, Message-ID: <20141202171417.82EB5C00088@mx01.nausch.org>, mail_id: uj-7SfJU0v_M, Hits: -, size: 2213, 501 ms
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) sending SMTP response: "250 2.7.0 Ok, discarded, id=15810-01 - INFECTED: Eicar-Test-Signature"
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) size: 2213, TIMING [total 507 ms] - SMTP greeting: 8 (2%)2, SMTP EHLO: 2.6 (1%)2, SMTP pre-MAIL: 0.8 (0%)2, mkdir tempdir: 1.6 (0%)3, create email.txt: 0.3 (0%)3, SMTP pre-DATA-flush: 4.3 (1%)3, SMTP DATA: 42 (8%)12, check_init: 1.2 (0%)12, digest_hdr: 1.9 (0%)12, digest_body_dkim: 0.5 (0%)12, collect_info: 2.5 (0%)13, mkdir parts: 1.8 (0%)13, mime_decode: 15 (3%)16, get-file-type2: 19 (4%)20, ren1-unl0-files1: 25 (5%)25, decompose_part: 0.3 (0%)25, get-file-type1: 8 (2%)27, ren1-unl0-files1: 22 (4%)31, decompose_part: 0.3 (0%)31, get-file-type1: 13 (3%)34, parts_decode: 0.2 (0%)34, check_header: 0.5 (0%)34, AV-scan-1: 14 (3%)37, read_snmp_variables: 0.9 (0%)37, decide_mail_destiny: 2.6 (1%)37, notif-quar: 0.5 (0%)37, write-header: 20 (4%)41, fwd-data-dkim: 35 (7%)48, fwd-connect: 78 (15%)64, fwd-mail-pip: 11 (2%)66, fwd-rcpt-pip: 1.3 (0%)66, fwd-data-chkpnt: 0.2 (0%)66, write-header: 0.5 (0%)66, fwd-data-contents: 2.2 (0%)67, fwd-end-chkpnt: 35 (7%)74...
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) ..., write-header: 32 (6%)80, fwd-data-dkim: 52 (10%)90, fwd-connect: 1.0 (0%)91, fwd-mail-pip: 6 (1%)92, fwd-rcpt-pip: 0.2 (0%)92, fwd-data-chkpnt: 0.0 (0%)92, write-header: 0.4 (0%)92, fwd-data-contents: 2.2 (0%)92, fwd-end-chkpnt: 24 (5%)97, prepare-dsn: 1.6 (0%)97, report: 1.9 (0%)98, main_log_entry: 4.7 (1%)99, update_snmp: 5 (1%)100, SMTP pre-response: 0.3 (0%)100, SMTP response: 0.3 (0%)100, unlink-3-files: 0.2 (0%)100, rundown: 0.7 (0%)100
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) extra modules loaded: unicore/lib/Gc/Nd.pl
+Dec  2 18:14:18 vml000067 amavis[15810]: (15810-01) load: 100 %, total idle 0.002 s, busy 0.510 s
+</code>
+=== SMTP-Server (Teil 2 von 2) ===
+Im **Maillog** unseres Borderfilters sehen wir nun also als nächstes den Eingang dieser Notification-eMail an den definierten Empfänger.
+   # less /var/log/maillog
+<code>Dec  2 18:14:17 vml000087 postfix/smtpd[27880]: connect from vml000067.dmz.nausch.org[10.0.0.67]
+Dec  2 18:14:17 vml000087 postfix/smtpd[27880]: E5434C00089: client=vml000067.dmz.nausch.org[10.0.0.67]
+Dec  2 18:14:17 vml000087 postfix/cleanup[27878]: E5434C00089: message-id=<VAuj-7SfJU0v_M@viruswall.dmz.nausch.org>
+Dec  2 18:14:17 vml000087 postfix/qmgr[27247]: E5434C00089: from=<postmaster@nausch.org>, size=3536, nrcpt=1 (queue active)
+Dec  2 18:14:18 vml000087 postfix/lmtp[27881]: E5434C00089: to=<django@nausch.org>, orig_to=<virusalert@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.11, delays=0.04/0.03/0/0.05, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> +kkIHTLzfVSXTwAArK2B9Q Saved)
+Dec  2 18:14:18 vml000087 postfix/qmgr[27247]: E5434C00089: removed
+Dec  2 18:14:18 vml000087 postfix/smtpd[27880]: 11605C00089: client=vml000067.dmz.nausch.org[10.0.0.67]
+Dec  2 18:14:18 vml000087 postfix/cleanup[27878]: 11605C00089: message-id=<VRuj-7SfJU0v_M@viruswall.dmz.nausch.org>
+Dec  2 18:14:18 vml000087 postfix/qmgr[27247]: 11605C00089: from=<postmaster@nausch.org>, size=2280, nrcpt=1 (queue active)
+Dec  2 18:14:18 vml000087 postfix/smtp[27879]: 82EB5C00088: to=<django@nausch.org>, relay=10.0.0.67[10.0.0.67]:10024, delay=0.59, delays=0.05/0.03/0.01/0.5, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=15810-01 - INFECTED: Eicar-Test-Signature)
+Dec  2 18:14:18 vml000087 postfix/qmgr[27247]: 82EB5C00088: removed
+Dec  2 18:14:18 vml000087 postfix/lmtp[27881]: 11605C00089: to=<django@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.13, delays=0.03/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> /kkIHTLzfVSXTwAArK2B9Q Saved)
+Dec  2 18:14:18 vml000087 postfix/qmgr[27247]: 11605C00089: removed
+</code>
+=== MUA (Empfänger der Notification Mail) ===
+Wie schon angeschnitten erhält der verantwortliche Admin des Servers mit der Addresse **virusalert@nausch.org** eine Nachricht mit dem Detail des Versuches eine SPAM-Mail zu verschicken.
 <code>Return-Path: <postmaster@nausch.org>
 Delivered-To: django@nausch.org
 Received: from mx01.nausch.org ([10.0.0.87])
-	by imap.nausch.org (Dovecot) with LMTP id BR4/H3Naa1R6TwAArK2B9Q
+	by imap.nausch.org (Dovecot) with LMTP id /kkIHTLzfVSXTwAArK2B9Q
-	for <django@nausch.org>; Tue, 18 Nov 2014 15:40:51 +0100
+	for <django@nausch.org>; Tue, 02 Dec 2014 18:14:18 +0100
-Received: from localhost (vml000067.dmz.nausch.org [10.0.0.67])
+Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67])
-	by mx01.nausch.org (Postfix) with ESMTP id 617C1C00089
+	by mx01.nausch.org (Postfix) with ESMTP id 11605C00089
-	for <django@nausch.org>; Tue, 18 Nov 2014 15:40:51 +0100 (CET)
+	for <django@nausch.org>; Tue,  2 Dec 2014 18:14:18 +0100 (CET)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nausch.org; h=
+	content-transfer-encoding:content-disposition:content-type
+	:content-type:message-id:subject:subject:date:date:from:from
+	:mime-version; s=140224; t=1417540457; x=1419354858; bh=mFctWodC
+	oPn36vNDqRoivIeBgUX0G0lRWQSp8HGIA6A=; b=eIeO/pgpVbysZ5j6Myoz281/
+	XX8lxTCdzecXPxva+XoERso6WO4fN2r+ATj9R1DDrW4F/Q0e0jYfszbWHx6JU6kd
+XBPe6mYWqbbz/MDbXOG6cBBQ6v1SLuF98RPpwIAH8DuYDqyURMZS3zPJQT5LM7J
+	glfWWvj9qa+WU8KJSgICO8VLjNyxj/ibG9i3OOmiLmGlEd4VpxuGa8E8DYaLtrmt
+	nGQS6rzuBqkBIbrDGdXlEU3JjRQStAp+sto+xnGj0tufa/NYE57+Gap7tgWEK0cs
+	gpwjoHs2sTBsRmW17mkyfmR+iA3DQr8qZKvtKhpGxWD8L3lARLNuwod6XMCldPMY
+jKzohNbBasgl9eApl2BckMVeB0I3uHHpU/ypgjJQPePsS/JfhmBJC97d4MBTa+2
+dZ86FBWL6z2pS2SYfBP3+gE9al11r1iGQI233wWZAsGMbOYC9XjJl/g5/dyOwVF
+	YbUYSQfEqR0HN+/cXEXiaQ0yLEj36mFn42EtyBT/vufRRmN52bhNFONofaCD7W9A
+	OuBuaw5jLUJBKq7OoHeNjimEJglPIX53gxSIsW89ZBUhL64BnYYurCPzNoJ8GhLF
+ILaxukNAzqQJY3aoP5zkKOAWLDet9NpwdHOYnsyHPcMv0+dmistSfktNlWUNy3M
+	v+PuSR8FGh6/10vRHsI=
 MIME-Version: 1.0
 From: Postmaster <postmaster@nausch.org>
-Date: Tue, 18 Nov 2014 15:40:51 +0100 (CET)
+Date: Tue,  2 Dec 2014 18:14:17 +0100 (CET)
-Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from
+Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from <n3rd@sec-mail.guru>
- <django@vml000060.dmz.nausch.org>
 To: django@nausch.org
-Message-ID: <VRQn42nSkefjqi@viruswall.dmz.nausch.org>
+Message-ID: <VRuj-7SfJU0v_M@viruswall.dmz.nausch.org>
 Content-Type: text/plain; charset="UTF-8"
 Content-Disposition: inline
@@ Zeile 3808: / Zeile 4470: @@
 in an email to you from probably faked sender:
-claiming to be: <django@vml000060.dmz.nausch.org>
+claiming to be: <n3rd@sec-mail.guru>
 Content type: Virus
-Our internal reference code for your message is 10690-01/Qn42nSkefjqi
+Our internal reference code for your message is 15810-01/uj-7SfJU0v_M
-First upstream SMTP client IP address: [10.0.0.60] vml000060.dmz.nausch.org
+First upstream SMTP client IP address: [10.0.0.87]
-Received from: 10.0.0.60
+Received from: 10.0.0.87
-Return-Path: <django@vml000060.dmz.nausch.org>
+Return-Path: <n3rd@sec-mail.guru>
-From: django@vml000060.dmz.nausch.org
+From: n3rd@sec-mail.guru
+Message-ID: <20141202171417.82EB5C00088@mx01.nausch.org>
 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
-Subject: test Tue, 18 Nov 2014 15:40:18 +0100
+Subject: 6. und letzter Test-Testnachricht mit EICAR-Testdatei im Anhang auf
+  Port 25
 Not quarantined.
 Please contact your system administrator for details.
 </code>
+====== Links ======
+  * **⇐ [[centos:mail_c7:spam_5|Zurück zum Kapitel "Header und Bodychecks mit Postfix 2.11.3 unter CentOS 7.x"]]**
+  * **⇒ [[centos:mail_c7:spam_7|Weiter zum Kapitel "ClamAV für AMaViS unter CentOS 7.x"]]**
+  * **[[centos:mail_c7:start|Zurück zum Kapitel >>Mailserverinstallation unter CentOS 7<<]]**
+  * **[[wiki:start|Zurück zu >>Projekte und Themenkapitel<<]]**
+  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**