Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

centos:mail_c7:spam_6 [20.04.2018 10:33. ]
centos:mail_c7:spam_6 [22.07.2019 15:02. ] (aktuell)
Zeile 1: Zeile 1:
 +====== Grundinstallation von AMaViS unter CentOS 7.x ======
 +{{:​centos:​mail_c6:​amavis-2.png?​nolink&​200 |AMaViS Logo}} ​
 +
 +<WRAP round important>​Empfehlenswert ist bei tiefergehenden Fragen und komplexeren Aufgabenstellungen der Besuch eines AMaViS-Kurses z.B. bei der **[[https://​sys4.de/​de/​messaging/​|sys4]]**. ​
 +
 +Viele der Design und Konfigurationsvorschläge stammen aus einem Idividualtraining beim **"​Mailserver-Joda"​ //​[[p@sys4.de?​subject=Anfrage Mailserver-Schulung|Patrick Ben Koetter]]//​** bei der **[[https://​sys4.de/​de/​messaging/​|sys4]]**. ​
 +
 +</​WRAP>​
 +
 +===== Grundlagen =====
 +Bei der Definition der [[centos:​mail_c7:​mta_1#​anforderungen_an_unseren_mailserver|Anforderungen an unseren Mailserver]] hatten wir unter anderem ein mehrstufiges Anti-SPAM- und Anti-Viren-schutzkonzept vorgesehen. ​
 +  * **Stufe 1** : Einsatz von [[centos:​mail_c6:​spam_1|Postscreen]] \\ Im ersten Schritt prüfen wir mit Hilfe von **Postscreen**,​ ob es sich um einen legitimen **MTA** oder um einen SPAM-Bot/​-Zombie handelt. Dabei führen wir auch eine gewichtete Prüfung einschlägiger DNSBL und DNSWL durch. So kann erfolgreich die erste Welle von unerwünschter Post bekämpft und deren Zustellung verweigert werden.
 +  * **Stufe 2** : Nutzung von [[centos:​mail_c7:​spam_5|Header- und Bodychecks]] \\ Bei Stufe 2 nutzen wir bedarfsbezogen und auf Einzelanforderung Header- und Bodychecks. So können wir ggf. auf Nachrichten noch zusätzlich reagieren, die die erste Stufe unsers mehrstufiges Anti-SPAM- und Anti-Viren-schutzkonzept überwunden haben. ​
 +  * **Stufe 3** : Einbindung und Nutzung von [[|SpamAssassin]] und [[|ClamAV]] mit Hilfe von [[http://​www.ijs.si/​software/​amavisd/​|AMaViS]]. \\ Bei der **Stufe 3**, also bei der inhaltlichen Prüfung auf SPAM und Schadcode, setzen wir auf das Open Source-Projekt **AMaViS**((**A** **Ma**il **Vi**rus **S**canner)),​ das ihren kommerziellen und kostenpflichtigen Konkurrenzprodukten nicht nur ebenbürtig,​ sondern in vielerlei Hinblick sogar überlegen ist! \\ In dieser Stufe wird, noch während des Einlieferungsversuches des externen Mailservers,​ die Nachricht an den AMaViS-Host entweder auf dem **Port 10024** zur Prüfung übergeben oder es wird der AMaViS-Host über den [[|AMaViS-Milter]] angesprochen. Dort wird die Nachricht auf unerwünschte Inhalte SPAM und möglichen Schadcode (Viren) hin überprüft. Fällt diese Prüfung negativ aus, quittiert der AMaViS-Host die Einlieferung mit einem **250er** und leitet die eMail an den betreffenden MTA auf **Port 10025** zurück. Unser MTX quittiert sodann die Einlieferung und Annahme der Nachricht mit einem **250er** und leitet anschließend die ihm anvertraute Nachricht an das jeweilige Backend **Dovecot-IMAP-Server** bzw. **Mailman Mailinglisten-Server** weiter. Bei einer positiven Bewertung auf unerwünschte Inhalte und/oder Schadcode, quittiert der AMaViS-Daemon die Annahme mit einem **500**-Code,​ was wiederum unser externes Mailrelay **Postfix** veranlasst, die annahme ebenfalls mit einem **500**er-Fehlercode abzulehnen. Somit müssen wir uns um eine eventuelle quarantäne oder SPAM-Verwaltung erst gar nicht kümmern!
 +
 +Der prinzipielle Ablauf und die Einbindung des AMaViS veranschaulich folgende Skizze.
 +
 +{{page>​centos:​mail_c7:​amavis&​nofooter}} ​
 +
 +AMaVis übernimmt in unserem eMailworkflow eigentlich nur die Steuerung des Ablaufes, sie nimmt also die eMail vom AMaViS-Milter entgegen und leitet diese an die Backendsysteme weiter:
 +  * **PACKER** Zum Entpacken von Dateianhängen
 +  * **Virenscanner** Zur Prüfung der eMail und der Inhalte auf Schadcode, in unserem Fall übernimmt dies das freie Projekt **ClamAV**
 +  * **Spamassassin** Zur Prüfung der eMail auf unerwünschte Inhalte (SPAM und UCE)
 +Anschließend meldet AMaviS an den Milter den Status zurück, der dann die Kommunikation in Richtung SMTP-Daemon abwickelt.
 +
 +===== Installation =====
 +==== amavisd-milter ====
 +Da wir für den "​normalen SMTP-Traffic",​ als dem Verkehr von anderen SMTP-Server((**MTA** **M**ail **T**ransport **A**gent)),​ AMaViS als Milter in unseren Postfix-Mailserver integrieren wollen, installieren wir nun noch das zugehörige Paket **amavisd-milter**
 +   # yum install amavisd-milter -y
 +
 +Auch hier können wir uns anzeigen lassen, was das Paket uns alles ins System kopiert hat.
 +   # rpm -qil amavisd-milter
 +
 +<​code>​ Name        : amavisd-milter
 +Version ​    : 1.6.0
 +Release ​    : 5.el7.centos
 +Architecture:​ x86_64
 +Install Date: Mon 17 Nov 2014 11:22:52 AM CET
 +Group       : System Environment/​Daemons
 +Size        : 72981
 +License ​    : Petr Rehor <​rx@rx.cz>​. All rights reserved.
 +Signature ​  : RSA/SHA1, Mon 17 Nov 2014 11:13:36 AM CET, Key ID 60ecfb9e8195aea0
 +Source RPM  : amavisd-milter-1.6.0-5.el7.centos.src.rpm
 +Build Date  : Mon 17 Nov 2014 11:13:23 AM CET
 +Build Host  : vml000200.dmz.nausch.org
 +Relocations : (not relocatable)
 +Packager ​   : Django <​django@nausch.org>​
 +Vendor ​     : Amavisd-new
 +URL         : http://​amavisd-milter.sourceforge.net/​
 +Summary ​    : Milter helper for Amavisd-new
 +Description :
 +amavisd-milter is a milter (mail filter) for amavisd-new 2.4.3 and above which uses the AM.PDP protocol.
 +It has been tested to work with mail servers sendmail 8.13+ and postfix 2.9+
 +/​etc/​amavisd/​amavisd-milter.conf
 +/​usr/​lib/​systemd/​system/​amavisd-milter.service
 +/​usr/​sbin/​amavisd-milter
 +/​usr/​sbin/​amavisd-milter-helper
 +/​usr/​share/​doc/​amavisd-milter-1.6.0
 +/​usr/​share/​doc/​amavisd-milter-1.6.0/​CHANGES
 +/​usr/​share/​doc/​amavisd-milter-1.6.0/​LICENSE
 +/​usr/​share/​doc/​amavisd-milter-1.6.0/​README
 +/​usr/​share/​doc/​amavisd-milter-1.6.0/​TODO
 +/​usr/​share/​man/​man8/​amavisd-milter.8.gz
 +</​code>​
 +
 +==== amavisd ====
 +Als erstes installieren wir uns das Paket **amavisd-new** aus dem **[[centos:​epel7|EPEL Repository]]** mit Hilfe von **yum**.
 +   # yum install amavisd-new -y
 +
 +Was uns das Paket alles mitbrachte, zeigt uns bei Bedarf der folgende Aufruf.
 +   # rpm -qil amavisd-new
 +
 +<​code>​Name ​       : amavisd-new ​              
 +Version ​    : 2.9.1                     
 +Release ​    : 5.el7                     
 +Architecture:​ noarch ​                   ​
 +Install Date: Mon 17 Nov 2014 11:48:23 AM CET
 +Group       : Applications/​System ​           ​
 +Size        : 3105963 ​                       ​
 +License ​    : GPLv2+ and BSD and GFDL        ​
 +Signature ​  : RSA/SHA256, Thu 21 Aug 2014 12:07:05 AM CEST, Key ID 6a2faea2352c64e5
 +Source RPM  : amavisd-new-2.9.1-5.el7.src.rpm ​                                     ​
 +Build Date  : Wed 20 Aug 2014 03:26:15 PM CEST                                     
 +Build Host  : buildvm-24.phx2.fedoraproject.org ​                                   ​
 +Relocations : (not relocatable) ​                                                   ​
 +Packager ​   : Fedora Project ​                                                      
 +Vendor ​     : Fedora Project ​                                                      
 +URL         : http://​www.ijs.si/​software/​amavisd/ ​                                 ​
 +Summary ​    : Email filter with virus scanner and spamassassin support ​            
 +Description :                                                                      ​
 +amavisd-new is a high-performance and reliable interface between mailer ​           ​
 +(MTA) and one or more content checkers: virus scanners, and/​or ​                    
 +Mail::​SpamAssassin Perl module. It is written in Perl, assuring high               
 +reliability,​ portability and maintainability. It talks to MTA via (E)SMTP ​         ​
 +or LMTP, or by using helper programs. No timing gaps exist in the design ​          
 +which could cause a mail loss.                                                     
 +/​etc/​amavisd ​                                                                      
 +/​etc/​amavisd/​amavisd.conf ​                                                         ​
 +/​etc/​clamd.d/​amavisd.conf ​                                                         ​
 +/​usr/​bin/​amavisd-agent ​                                                            
 +/​usr/​bin/​amavisd-nanny ​                                                            
 +/​usr/​bin/​amavisd-release ​                                                          
 +/​usr/​lib/​systemd/​system/​amavisd-clean-quarantine.service ​                          
 +/​usr/​lib/​systemd/​system/​amavisd-clean-quarantine.timer ​                            
 +/​usr/​lib/​systemd/​system/​amavisd-clean-tmp.service ​                                 ​
 +/​usr/​lib/​systemd/​system/​amavisd-clean-tmp.timer ​                                   ​
 +/​usr/​lib/​systemd/​system/​amavisd.service ​                                           ​
 +/​usr/​lib/​tmpfiles.d/​amavisd-new.conf ​                                              
 +/​usr/​sbin/​amavisd ​                                                                 ​
 +/​usr/​share/​doc/​amavisd-new-2.9.1 ​                                                  
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​AAAREADME.first ​                                  
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​LDAP.ldif ​                                        
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​LDAP.schema ​                                      
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​LICENSE ​                                          
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES ​                                     ​
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.banned ​                       ​
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.chroot ​                       ​
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.contributed ​                  
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.courier ​                      
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.courier-old ​                  
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.customize ​                    
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.exim_v3 ​                      
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.exim_v3_app ​                  
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.exim_v4 ​                      
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.exim_v4_app ​                  
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.exim_v4_app2 ​                 ​
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.fedora ​                       ​
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.ldap ​                         ​
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.lookups ​                      
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.milter ​                       ​
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.old.scanners ​                 ​
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.performance ​                  
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.policy-on-notifications ​      
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.postfix ​                      
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.postfix.html
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.protocol
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.quarantine
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.sendmail
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.sendmail-dual
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.sendmail-dual.old
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.sql
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.sql-mysql
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​README.sql-pg
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​amavisd-new-docs.html
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​blank.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​1.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​10.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​11.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​12.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​13.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​14.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​15.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​2.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​3.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​4.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​5.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​6.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​7.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​8.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​callouts/​9.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​caution.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​draft.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​home.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​important.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​next.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​note.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​prev.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​tip.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​toc-blank.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​toc-minus.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​toc-plus.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​up.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​images/​warning.png
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​README_FILES/​screen.css
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​RELEASE_NOTES
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​amavisd.conf-default
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​test-messages
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​test-messages/​README
 +/​usr/​share/​doc/​amavisd-new-2.9.1/​test-messages/​sample.tar.gz.compl
 +/​var/​run/​amavisd
 +/​var/​run/​clamd.amavisd
 +/​var/​spool/​amavisd
 +/​var/​spool/​amavisd/​db
 +/​var/​spool/​amavisd/​quarantine
 +/​var/​spool/​amavisd/​tmp
 +</​code>​
 +
 +===== Konfiguration =====
 +==== amavisd-milter ====
 +Die Konfiguration des Milters erfolgt über dessen Konfigurationsdatei **amavisd-milter.conf** im Verzeichnis //​**/​etc/​amavisd/​**//​.
 +   # vim /​etc/​amavisd/​amavisd-milter.conf
 +<file bash /​etc/​amavisd/​amavisd-milter.conf># ​        User to run under (must be same as amavisd daemon)
 +AMAVIS_USER=amavis ​                                         ​
 +
 +#         Set working directory (default /​var/​amavis).
 +# Django : 2014-11-21 ​                                
 +# default: WORKING_DIRECTORY=/​var/​spool/​amavisd
 +WORKING_DIRECTORY=/​var/​spool/​amavisd/​tmp
 +
 +#         ​Communication socket between sendmail and amavisd-milter (default
 +#         /​var/​amavis/​amavisd-milter.sock). ​ The protocol spoken over this
 +#         ​socket is MILTER (Mail FILTER). ​ It must agree with the
 +#         ​INPUT_MAIL_FILTER entry in sendmail.mc
 +#         The socket should be in "​proto:​address"​ format:
 +#         ​o ​  ​{unix|local}:/​path/​to/​file - A named pipe.
 +#         ​o ​  ​inet:​port@{hostname|ip-address} - An IPV4 socket.
 +#         ​o ​  ​inet6:​port@{hostname|ip-address} - An IPV6 socket.
 +# Django : 2014-11-18
 +# default: SOCKET=/​var/​run/​amavisd/​amavisd-milter.sock
 +SOCKET=inet:​8899@10.0.0.67
 +
 +#         ​Communication socket between amavisd-milter and amavisd-new
 +#         ​(default /​var/​amavis/​amavisd.sock). It must agree with the
 +#         ​$unix_socketname entry in amavisd.conf
 +#         The socket should be in "​proto:​address"​ format:
 +#         ​o ​  ​{unix|local}:/​path/​to/​file - A named pipe.
 +#         ​o ​  ​inet:​port@{hostname|ip-address} - An IPV4 socket.
 +#         ​o ​  ​inet6:​port@{hostname|ip-address} - An IPV6 socket.
 +AMAVISD_SOCKET=/​var/​spool/​amavisd/​amavisd.sock
 +
 +#         Use this pid file (default /​var/​amavis/​amavisd-milter.pid).
 +#         ​Better to create /​var/​run/​amavis and put it there
 +#​PID_FILE=/​var/​run/​amavisd/​amavisd-milter.pid
 +
 +#         ​Maximum concurrent amavisd connections (default 0 - unlimited
 +#         ​number of connections). ​ It must agree with the $max_servers
 +#         entry in amavisd.conf.
 +MAX_CONNECTIONS=5
 +
 +#         ​Maximum wait for connection to amavisd in seconds (default 300 =
 +#         5 minutes). ​ It must be less then sending MTA timeout for a
 +#         ​response to the final "​." ​ that terminates a message on sending
 +#         ​MTA. ​ sendmail has default value 1 hour, postfix 10 minutes and
 +#         qmail 20 minutes. ​ We suggest to use less than 10 minutes.
 +MAX_WAIT=300
 +
 +#         ​sendmail connection timeout in seconds (default 600 = 10 min-
 +#         ​utes). ​ It must agree with the INPUT_MAIL_FILTER entry in send-
 +#         ​mail.mc and must be greater than or equal to the amavisd-new con-
 +#         ​nection timeout. ​ When you use other milters (especially time-
 +#         ​consuming),​ the timeout must be sufficient to process message in
 +#         all milters.
 +MAILDAEMON_TIMEOUT=600
 +
 +#         ​amavisd-new connection timeout in seconds (default 600 = 10 min-
 +#         ​utes). ​ This timeout must be sufficient for message processing in
 +#         ​amavisd-new. ​ It's usually a good idea to adjust them to the same
 +#         value as sendmail connection timeout.
 +AMAVISD_TIMEOUT=600
 +</​file>​
 +Die Parameter sind in der Konfigurationsdatei ausreichend beschrieben. Lediglich beim Parameter **MAX_CONNECTIONS** ist darauf zu achten, dass dort der gleiche Wert eingetragen wird, wie beim Parameter **max_servers** in der //​**/​etc/​amavisd/​amavisd.conf**//,​ in unserem Konfigurationsbeispiel auls den Wert **5**.
 +
 +
 +==== amavisd ====
 +In der originalen Konfigurationsdatei aus dem RPM sind alle wesentlichen Optionen bereits enthalten, die für den Betrieb des AMaViS-Servers benötigt. Wer nicht täglich an der Datei Hand anlegen will/muss, und das ist auch in den seltensten Fällen notwendig, der sucht und stolper gerne mal über die ein oder andere Stelle in der Konfigurationsdatei. ​
 +
 +=== original Konfigurationsdatei ===
 +Werfen wir doch einfach mal einen Blick in die Datei.
 +   # less /​etc/​amavisd/​amavisd.conf
 +<file perl /​etc/​amavisd/​amavisd.conf>​use strict; ​                                                                                                                                                 ​
 +
 +# a minimalistic configuration file for amavisd-new with all necessary settings
 +#                                                                              ​
 +#   see amavisd.conf-default for a list of all variables with their defaults;  ​
 +#   for more details see documentation in INSTALL, README_FILES/​* ​             ​
 +#   and at http://​www.ijs.si/​software/​amavisd/​amavisd-new-docs.html ​           ​
 +
 +
 +# COMMONLY ADJUSTED SETTINGS:
 +
 +# @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
 +# @bypass_spam_checks_maps ​ = (1);  # controls running of anti-spam code 
 +# $bypass_decode_parts = 1;         # controls running of decoders&​dearchivers
 +
 +$max_servers = 2;            # num of pre-forked children (2..30 is common), -m
 +$daemon_user ​ = '​amavis'; ​   # (no default; ​ customary: vscan or amavis), -u   
 +$daemon_group = '​amavis'; ​   # (no default; ​ customary: vscan or amavis), -g   
 +
 +$mydomain = '​example.com'; ​  # a convenient default for other settings
 +
 +$MYHOME = '/​var/​spool/​amavisd'; ​  # a convenient default for other settings, -H
 +$TEMPBASE = "​$MYHOME/​tmp"; ​  # working directory, needs to exist, -T           
 +$ENV{TMPDIR} = $TEMPBASE; ​   # environment variable TMPDIR, used by SA, etc.   
 +$QUARANTINEDIR = undef; ​     # -Q                                              ​
 +# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
 +# $release_format = '​resend'; ​    # '​attach',​ '​plain',​ '​resend' ​               ​
 +# $report_format ​ = '​arf'; ​       # '​attach',​ '​plain',​ '​resend',​ '​arf' ​        
 +
 +# $daemon_chroot_dir = $MYHOME; ​  # chroot directory or undef, -R
 +
 +$db_home ​  = "​$MYHOME/​db"; ​       # dir for bdb nanny/​cache/​snmp databases, -D
 +# $helpers_home = "​$MYHOME/​var"; ​ # working directory for SpamAssassin,​ -S    ​
 +$lock_file = "/​var/​run/​amavisd/​amavisd.lock"; ​ # -L                           
 +$pid_file ​ = "/​var/​run/​amavisd/​amavisd.pid"; ​  # -P                           
 +#NOTE: create directories $MYHOME/​tmp,​ $MYHOME/​var,​ $MYHOME/db manually ​      
 +
 +$log_level = 0;              # verbosity 0..5, -d
 +$log_recip_templ = undef; ​   # disable by-recipient level-0 log entries
 +$do_syslog = 1;              # log via syslogd (preferred) ​            
 +$syslog_facility = '​mail'; ​  # Syslog facility as a string ​            
 +           # e.g.: mail, daemon, user, local0, ... local7 ​             ​
 +
 +$enable_db = 1;              # enable use of BerkeleyDB/​libdb (SNMP and nanny)
 +# $enable_zmq = 1;           # enable use of ZeroMQ (SNMP and nanny) ​         ​
 +$nanny_details_level = 2;    # nanny verbosity: 1: traditional,​ 2: detailed ​  
 +$enable_dkim_verification = 1;  # enable DKIM signatures verification ​        
 +$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key
 +
 +@local_domains_maps = ( ["​.$mydomain"​] );  # list of all local domains
 +
 +@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
 +                  10.0.0.0/8 172.16.0.0/​12 192.168.0.0/​16 );
 +
 +$unix_socketname = "​$MYHOME/​amavisd.sock"; ​ # amavisd-release or amavis-milter
 +               # option(s) -p overrides $inet_socket_port and $unix_socketname
 +
 +$inet_socket_port = 10024; ​  # listen on this local TCP port(s)
 +# $inet_socket_port = [10024,​10026]; ​ # listen on multiple TCP ports
 +
 +$policy_bank{'​MYNETS'​} = {   # mail originating from @mynetworks
 +  originating => 1,  # is true in MYNETS by default, but let's make it explicit
 +  os_fingerprint_method => undef, ​ # don't query p0f for internal clients ​     ​
 +};                                                                             
 +
 +# it is up to MTA to re-route mail from authenticated roaming users or
 +# from internal hosts to a dedicated TCP port (such as 10026) for filtering
 +$interface_policy{'​10026'​} = '​ORIGINATING'; ​                               ​
 +
 +$policy_bank{'​ORIGINATING'​} = {  # mail supposedly originating from our users
 +  originating => 1,  # declare that mail was submitted by our smtp client ​   ​
 +  allow_disclaimers => 1,  # enables disclaimer insertion if available ​      
 +  # notify administrator of locally originating malware ​                     ​
 +  virus_admin_maps => ["​virusalert\@$mydomain"​], ​                            
 +  spam_admin_maps ​ => ["​virusalert\@$mydomain"​], ​                            
 +  warnbadhsender ​  => 1,                                                     
 +  # forward to a smtpd service providing DKIM signing service ​               ​
 +  forward_method => '​smtp:​[127.0.0.1]:​10027', ​                               ​
 +  # force MTA conversion to 7-bit (e.g. before DKIM signing) ​                
 +  smtpd_discard_ehlo_keywords => ['​8BITMIME'​], ​                              
 +  bypass_banned_checks_maps => [1],  # allow sending any file names and types
 +  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
 +};                                                                           
 +
 +$interface_policy{'​SOCK'​} = '​AM.PDP-SOCK';​ # only applies with $unix_socketname
 +
 +# Use with amavis-release over a socket or with Petr Rehor'​s amavis-milter.c
 +# (with amavis-milter.c from this package or old amavis.c client use '​AM.CL'​):​
 +$policy_bank{'​AM.PDP-SOCK'​} = {                                               
 +  protocol => '​AM.PDP', ​                                                      
 +  auth_required_release => 0,  # do not require secret_id for amavisd-release ​
 +};                                                                            ​
 +
 +$sa_tag_level_deflt ​ = 2.0;  # add spam info headers if at, or above that level
 +$sa_tag2_level_deflt = 6.2;  # add 'spam detected'​ headers at that level       
 +$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)
 +$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent       
 +$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
 +# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
 +$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database) ​
 +$penpals_threshold_high = $sa_kill_level_deflt; ​ # don't waste time on hi spam 
 +$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces ​
 +
 +$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
 +$sa_local_tests_only = 0;    # only tests which do not require internet access?
 +
 +# @lookup_sql_dsn =
 +#   ( ['​DBI:​mysql:​database=mail;​host=127.0.0.1;​port=3306',​ '​user1',​ '​passwd1'​],​
 +#     ​['​DBI:​mysql:​database=mail;​host=host2',​ '​username2',​ '​password2'​], ​       ​
 +#     ​["​DBI:​SQLite:​dbname=$MYHOME/​sql/​mail_prefs.sqlite",​ '',​ ''​] );           
 +# @storage_sql_dsn = @lookup_sql_dsn; ​ # none, same, or separate database ​     ​
 +# @storage_redis_dsn = ( {server=>'​127.0.0.1:​6379',​ db_id=>​1} );               
 +# $redis_logging_key = '​amavis-log'; ​                                          
 +# $redis_logging_queue_size_limit = 300000; ​ # about 250 MB / 100000 ​          
 +
 +# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
 +#   ​defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
 +
 +$virus_admin ​              = undef; ​                   # notifications recip.
 +
 +$mailfrom_notify_admin ​    = undef; ​                   # notifications sender
 +$mailfrom_notify_recip ​    = undef; ​                   # notifications sender
 +$mailfrom_notify_spamadmin = undef; ​                   # notifications sender
 +$mailfrom_to_quarantine = '';​ # null return path; uses original sender if undef
 +
 +@addr_extension_virus_maps ​     = ('​virus'​);​
 +@addr_extension_banned_maps ​    = ('​banned'​);​
 +@addr_extension_spam_maps ​      = ('​spam'​);  ​
 +@addr_extension_bad_header_maps = ('​badh'​);  ​
 +# $recipient_delimiter = '​+'; ​ # undef disables address extensions altogether
 +# when enabling addr extensions do also Postfix/​main.cf:​ recipient_delimiter=+
 +
 +$path = '/​usr/​local/​sbin:/​usr/​local/​bin:/​usr/​sbin:/​sbin:/​usr/​bin:/​bin';​
 +# $dspam = '​dspam'; ​                                                   ​
 +
 +$MAXLEVELS = 14;
 +$MAXFILES = 3000;
 +$MIN_EXPANSION_QUOTA =      100*1024; ​ # bytes  (default undef, not enforced)
 +$MAX_EXPANSION_QUOTA = 500*1024*1024; ​ # bytes  (default undef, not enforced)
 +
 +$sa_spam_subject_tag = '​***Spam*** ';
 +$defang_virus ​ = 1;  # MIME-wrap passed infected mail
 +$defang_banned = 1;  # MIME-wrap passed mail containing banned name
 +# for defanging bad headers only turn on certain minor contents categories:
 +$defang_by_ccat{CC_BADH.",​3"​} = 1;  # NUL or CR character in header ​       ​
 +$defang_by_ccat{CC_BADH.",​5"​} = 1;  # header line longer than 998 characters
 +$defang_by_ccat{CC_BADH.",​6"​} = 1;  # header field syntax error             
 +
 +
 +# OTHER MORE COMMON SETTINGS (defaults may suffice):
 +
 +# $myhostname = '​host.example.com'; ​ # must be a fully-qualified domain name!
 +
 +# $notify_method ​ = '​smtp:​[127.0.0.1]:​10025';​
 +# $forward_method = '​smtp:​[127.0.0.1]:​10025'; ​ # set to undef with milter!
 +
 +$final_virus_destiny ​     = D_DISCARD;
 +$final_banned_destiny ​    = D_BOUNCE; ​
 +$final_spam_destiny ​      = D_DISCARD; ​ #!!!  D_DISCARD / D_REJECT
 +$final_bad_header_destiny = D_BOUNCE; ​                            
 +# $bad_header_quarantine_method = undef; ​                         ​
 +
 +# $os_fingerprint_method = '​p0f:​*:​2345'; ​ # to query p0f-analyzer.pl
 +
 +## hierarchy by which a final setting is chosen:
 +##   ​policy bank (based on port or IP address) -> *_by_ccat
 +##   ​*_by_ccat (based on mail contents) -> *_maps ​         ​
 +##   ​*_maps (based on recipient address) -> final configuration value
 +
 +
 +# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
 +
 +# $warnbadhsender,​
 +# $warnvirusrecip,​ $warnbannedrecip,​ $warnbadhrecip,​ (or @warn*recip_maps)
 +#                                                                         
 +# @bypass_virus_checks_maps,​ @bypass_spam_checks_maps, ​                   ​
 +# @bypass_banned_checks_maps,​ @bypass_header_checks_maps, ​                
 +#                                                                         
 +# @virus_lovers_maps,​ @spam_lovers_maps, ​                                 ​
 +# @banned_files_lovers_maps,​ @bad_header_lovers_maps, ​                    
 +#                                                                         
 +# @blacklist_sender_maps,​ @score_sender_maps, ​                            
 +#                                                                         
 +# $clean_quarantine_method,​ $virus_quarantine_to,​ $banned_quarantine_to,  ​
 +# $bad_header_quarantine_to,​ $spam_quarantine_to, ​                        
 +#                                                                         
 +# $defang_bad_header,​ $defang_undecipherable,​ $defang_spam ​               ​
 +
 +
 +# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
 +
 +@keep_decoded_original_maps = (new_RE(
 +  qr'​^MAIL$', ​               # let virus scanner see full original message
 +  qr'​^MAIL-UNDECIPHERABLE$',​ # same as ^MAIL$ if mail is undecipherable ​  
 +  qr'​^(ASCII(?​! cpio)|text|uuencoded|xxencoded|binhex)'​i, ​                
 +# qr'​^Zip archive data', ​    # don't trust Archive::​Zip ​                  
 +));                                                                       
 +
 +
 +$banned_filename_re = new_RE(
 +
 +### BLOCKED ANYWHERE
 +# qr'​^UNDECIPHERABLE$', ​ # is or contains any undecipherable components
 +  qr'​^\.(exe-ms|dll)$', ​                  # banned file(1) types, rudimentary
 +# qr'​^\.(exe|lha|cab|dll)$', ​             # banned file(1) types             
 +
 +### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
 +# [ qr'​^\.(gz|bz2)$' ​            => 0 ],  # allow any in gzip or bzip2
 +  [ qr'​^\.(rpm|cpio|tar)$' ​      => 0 ],  # allow any in Unix-type archives
 +
 +  qr'​.\.(pif|scr)$'​i, ​                    # banned extensions - rudimentary
 +# qr'​^\.zip$', ​                           # block zip type                 
 +
 +### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
 +# [ qr'​^\.(zip|rar|arc|arj|zoo)$'​=>​ 0 ],  # allow any within these archives
 +
 +  qr'​^application/​x-msdownload$'​i, ​       # block these MIME types
 +  qr'​^application/​x-msdos-program$'​i, ​                            
 +  qr'​^application/​hta$'​i, ​                                        
 +
 +# qr'​^message/​partial$'​i, ​        # rfc2046 MIME type
 +# qr'​^message/​external-body$'​i, ​  # rfc2046 MIME type
 +
 +# qr'​^(application/​x-msmetafile|image/​x-wmf)$'​i, ​ # Windows Metafile MIME type
 +# qr'​^\.wmf$', ​                           # Windows Metafile file(1) type     
 +
 +  # block certain double extensions in filenames
 +  qr'​^(?​!cid:​).*\.[^./​]*[A-Za-z][^./​]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'​i,​
 +
 +# qr'​\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'​i,​ # Class ID CLSID, strict
 +# qr'​\{[0-9a-z]{4,​}(-[0-9a-z]{4,​}){0,​7}\}?'​i,​ # Class ID extension CLSID, loose
 +
 +  qr'​.\.(exe|vbs|pif|scr|cpl)$'​i, ​            # banned extension - basic
 +# qr'​.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'​i,​ # banned extension - basic+cmd
 +# qr'​.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| ​  
 +#        inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| ​   ​
 +#        msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
 +#        wmf|wsc|wsf|wsh)$'​ix, ​               # banned extensions - long    ​
 +# qr'​.\.(asd|asf|asx|url|vcs|wmd|wmz)$'​i, ​    # consider also               
 +# qr'​.\.(ani|cur|ico)$'​i, ​                # banned cursors and icons filename
 +# qr'​^\.ani$', ​                           # banned animated cursor file(1) type
 +# qr'​.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'​i, ​ # banned extension - WinZip vulnerab.
 +);                                                                             
 +# See http://​support.microsoft.com/​default.aspx?​scid=kb;​EN-US;​q262631 ​         ​
 +# and http://​www.cknow.com/​vtutor/​vtextensions.htm ​                            
 +
 +
 +# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
 +
 +@score_sender_maps = ({ # a by-recipient hash lookup table,
 +                        # results from all matching recipient tables are summed
 +
 +# ## per-recipient personal tables ​ (NOTE: positive: black, negative: white)
 +# '​user1@example.com' ​ => [{'​bla-mobile.press@example.com'​ => 10.0}], ​      
 +# '​user3@example.com' ​ => [{'​.ebay.com' ​                => -3.0}], ​         ​
 +# '​user4@example.com' ​ => [{'​cleargreen@cleargreen.com'​ => -7.0,            ​
 +#                           '​.cleargreen.com' ​          => -5.0}], ​         ​
 +
 +  ## site-wide opinions about senders (the '​.'​ matches any recipient)
 +  '​.'​ => [  # the _first_ matching sender determines the score boost 
 +
 +   ​new_RE( ​ # regexp-type lookup table, just happens to be all soft-blacklist
 +    [qr'​^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'​i ​        => 5.0],
 +    [qr'​^(greatcasino|investments|lose_weight_today|market\.alert)@'​i=>​ 5.0],
 +    [qr'​^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'​i=>​ 5.0],
 +    [qr'​^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'​i ​  => 5.0],
 +    [qr'​^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'​i ​ => 5.0],
 +    [qr'​^(your_friend|greatoffers)@'​i ​                               => 5.0],
 +    [qr'​^(inkjetplanet|marketopt|MakeMoney)\d*@'​i ​                   => 5.0],
 +   ​), ​                                                                       ​
 +
 +#  read_hash("/​var/​amavis/​sender_scores_sitewide"​),​
 +
 +   { # a hash-type lookup table (associative array)
 +     '​nobody@cert.org' ​                       => -3.0,
 +     '​cert-advisory@us-cert.gov' ​             => -3.0,
 +     '​owner-alert@iss.net' ​                   => -3.0,
 +     '​slashdot@slashdot.org' ​                 => -3.0,
 +     '​securityfocus.com' ​                     => -3.0,
 +     '​ntbugtraq@listserv.ntbugtraq.com' ​      => -3.0,
 +     '​security-alerts@linuxsecurity.com' ​     => -3.0,
 +     '​mailman-announce-admin@python.org' ​     => -3.0,
 +     '​amavis-user-admin@lists.sourceforge.net'​=>​ -3.0,
 +     '​amavis-user-bounces@lists.sourceforge.net'​ => -3.0,
 +     '​spamassassin.apache.org' ​               => -3.0,   
 +     '​notification-return@lists.sophos.com' ​  => -3.0,   
 +     '​owner-postfix-users@postfix.org' ​       => -3.0,   
 +     '​owner-postfix-announce@postfix.org' ​    => -3.0,   
 +     '​owner-sendmail-announce@lists.sendmail.org' ​  => -3.0,
 +     '​sendmail-announce-request@lists.sendmail.org'​ => -3.0,
 +     '​donotreply@sendmail.org' ​               => -3.0,      ​
 +     '​ca+envelope@sendmail.org' ​              => -3.0,      ​
 +     '​noreply@freshmeat.net' ​                 => -3.0,      ​
 +     '​owner-technews@postel.acm.org' ​         => -3.0,      ​
 +     '​ietf-123-owner@loki.ietf.org' ​          => -3.0,      ​
 +     '​cvs-commits-list-admin@gnome.org' ​      => -3.0,      ​
 +     '​rt-users-admin@lists.fsck.com' ​         => -3.0,      ​
 +     '​clp-request@comp.nus.edu.sg' ​           => -3.0,      ​
 +     '​surveys-errors@lists.nua.ie' ​           => -3.0,      ​
 +     '​emailnews@genomeweb.com' ​               => -5.0,      ​
 +     '​yahoo-dev-null@yahoo-inc.com' ​          => -3.0,      ​
 +     '​returns.groups.yahoo.com' ​              => -3.0,      ​
 +     '​clusternews@linuxnetworx.com' ​          => -3.0,      ​
 +     ​lc('​lvs-users-admin@LinuxVirtualServer.org'​) ​   => -3.0,
 +     ​lc('​owner-textbreakingnews@CNNIMAIL12.CNN.COM'​) => -5.0,
 +
 +     # soft-blacklisting (positive score)
 +     '​sender@example.net' ​                    ​=> ​ 3.0,
 +     '​.example.net' ​                          ​=> ​ 1.0,
 +
 +   },
 +  ],  # end of site-wide tables
 +});                            ​
 +
 +
 +@decoders = (
 +  ['​mail',​ \&​do_mime_decode],​
 +# [[qw(asc uue hqx ync)], \&​do_ascii], ​ # not safe
 +  ['​F', ​   \&​do_uncompress,​ ['​unfreeze',​ '​freeze -d', '​melt',​ '​fcat'​] ],
 +  ['​Z', ​   \&​do_uncompress,​ ['​uncompress',​ 'gzip -d', '​zcat'​] ],        ​
 +  ['​gz', ​  ​\&​do_uncompress,​ 'gzip -d'​], ​                                
 +  ['​gz', ​  ​\&​do_gunzip], ​                                               ​
 +  ['​bz2', ​ \&​do_uncompress,​ 'bzip2 -d'​], ​                               ​
 +  ['​xz', ​  ​\&​do_uncompress, ​                                            
 +           ​['​xzdec',​ 'xz -dc', 'unxz -c', '​xzcat'​] ],                   
 +  ['​lzma',​ \&​do_uncompress, ​                                            
 +           ​['​lzmadec',​ 'xz -dc --format=lzma', ​                         ​
 +            'lzma -dc', '​unlzma -c', '​lzcat',​ '​lzmadec'​] ],             
 +  ['​lrz', ​ \&​do_uncompress, ​                                            
 +           ​['​lrzip -q -k -d -o -', '​lrzcat -q -k'] ],                   
 +  ['​lzo', ​ \&​do_uncompress,​ 'lzop -d'​], ​                                
 +  ['​rpm', ​ \&​do_uncompress,​ ['​rpm2cpio.pl',​ '​rpm2cpio'​] ],              ​
 +  [['​cpio','​tar'​],​ \&​do_pax_cpio,​ ['​pax',​ '​gcpio',​ '​cpio'​] ],           
 +           # ['/​usr/​local/​heirloom/​usr/​5bin/​pax',​ '​pax',​ '​gcpio',​ '​cpio'​]
 +  ['​deb', ​ \&​do_ar,​ '​ar'​], ​                                              
 +# ['​a', ​   \&​do_ar,​ '​ar'​], ​ # unpacking .a seems an overkill ​            
 +  ['​rar', ​ \&​do_unrar,​ ['​unrar',​ '​rar'​] ],                               
 +  ['​arj', ​ \&​do_unarj,​ ['​unarj',​ '​arj'​] ],                               
 +  ['​arc', ​ \&​do_arc, ​  ​['​nomarch',​ '​arc'​] ],                             
 +  ['​zoo', ​ \&​do_zoo, ​  ​['​zoo',​ '​unzoo'​] ],                               
 +# ['​doc', ​ \&​do_ole, ​  '​ripole'​], ​ # no ripole package so far            ​
 +  ['​cab', ​ \&​do_cabextract,​ '​cabextract'​], ​                              
 +# ['​tnef',​ \&​do_tnef_ext,​ '​tnef'​], ​ # use internal do_tnef() instead ​    
 +  ['​tnef',​ \&​do_tnef], ​                                                  
 +# ['​lha', ​ \&​do_lha, ​  '​lha'​], ​ # not safe, use 7z instead ​              
 +# ['​sit', ​ \&​do_unstuff,​ '​unstuff'​], ​ # not safe                         
 +  [['​zip','​kmz'​],​ \&​do_7zip, ​ ['​7za',​ '​7z'​] ],                           
 +  [['​zip','​kmz'​],​ \&​do_unzip], ​                                          
 +  ['​7z', ​  ​\&​do_7zip, ​ ['​7zr',​ '​7za',​ '​7z'​] ],                           
 +  [[qw(7z zip gz bz2 Z tar)], ​                                           ​
 +           ​\&​do_7zip, ​ ['​7za',​ '​7z'​] ],                                  ​
 +  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], ​              
 +           ​\&​do_7zip, ​ '​7z'​ ],                                           
 +  ['​exe', ​ \&​do_executable,​ ['​unrar','​rar'​],​ '​lha',​ ['​unarj','​arj'​] ],   
 +);                                                                       
 +
 +
 +@av_scanners = (
 +
 +# ### http://​www.sophos.com/​
 +# ['​Sophos-SSSP', ​ # SAV Dynamic Interface
 +#   ​\&​ask_daemon,​ ["​{}",​ '​sssp:/​var/​run/​savdi/​sssp.sock'​],​
 +#           # or: ["​{}",​ '​sssp:​[127.0.0.1]:​4010'​], ​       ​
 +#   ​qr/​^DONE OK\b/m, qr/​^VIRUS\b/​m,​ qr/​^VIRUS\s*(\S*)/​m ],
 +
 +# ### http://​www.clanfield.info/​sophie/​ (http://​www.vanja.com/​tools/​sophie/​)
 +# ['​Sophie', ​                                                               ​
 +#   ​\&​ask_daemon,​ ["​{}/​\n",​ '​sophie:/​var/​run/​sophie'​], ​                     ​
 +#   ​qr/​(?​x)^ 0+ ( : | [\000\r\n]* $)/,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/,   
 +#   ​qr/​(?​x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],                           
 +
 +# ### http://​www.csupomona.edu/​~henson/​www/​projects/​SAVI-Perl/​
 +# ['​Sophos SAVI', \&​ask_daemon,​ ['​{}','​savi-perl:'​] ],        ​
 +
 +# ['​Avira SAVAPI',​
 +#   ​\&​ask_daemon,​ ["​*",​ '​savapi:/​var/​tmp/​.savapi3',​ '​product-id'​],​
 +#   ​qr/​^(200|210)/​m, ​ qr/​^(310|420|319)/​m, ​                       ​
 +#   ​qr/​^(?:​310|420)[,​\s]*(?:​.* <<<​ )?(.+?)(?: ; |$)/m ],          ​
 +# settings for the SAVAPI3.conf:​ ArchiveScan=1,​ HeurLevel=2,​ MailboxScan=1
 +
 +  ### http://​www.clamav.net/​
 +  ['​ClamAV-clamd', ​         ​
 +    \&​ask_daemon,​ ["​CONTSCAN {}\n", "/​var/​run/​clamd.amavisd/​clamd.sock"​],​
 +    qr/\bOK$/m, qr/​\bFOUND$/​m, ​                                          
 +    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],                        ​
 +  # NOTE: run clamd under the same user as amavisd - or run it under its own
 +  #   uid such as clamav, add user clamav to the amavis group, and then add 
 +  #   ​AllowSupplementaryGroups to clamd.conf; ​                              
 +  # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
 +  #   this entry; when running chrooted one may prefer a socket under $MYHOME.
 +
 +# ### http://​www.clamav.net/​ and CPAN  (memory-hungry! clamd is preferred)
 +# # note that Mail::​ClamAV requires perl to be build with threading! ​     ​
 +# ['​Mail::​ClamAV',​ \&​ask_daemon,​ ['​{}','​clamav-perl:'​], ​                  
 +#   [0], [1], qr/​^INFECTED:​ (.+)/​m], ​                                     ​
 +
 +# ### http://​www.openantivirus.org/​
 +# ['​OpenAntiVirus ScannerDaemon (OAV)',​
 +#   ​\&​ask_daemon,​ ["SCAN {}\n", '​127.0.0.1:​8127'​],​
 +#   ​qr/​^OK/​m,​ qr/^FOUND: /m, qr/^FOUND: (.+)/m ], 
 +
 +# ### http://​www.vanja.com/​tools/​trophie/​
 +# ['​Trophie', ​                           ​
 +#   ​\&​ask_daemon,​ ["​{}/​\n",​ '​trophie:/​var/​run/​trophie'​],​
 +#   ​qr/​(?​x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
 +#   ​qr/​(?​x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],                          ​
 +
 +# ### http://​www.grisoft.com/​
 +# ['AVG Anti-Virus', ​        
 +#   ​\&​ask_daemon,​ ["SCAN {}\n", '​127.0.0.1:​55555'​],​
 +#   ​qr/​^200/​m,​ qr/^403/m, qr/^403[- ].*: ([^\r\n]+)/​m ],
 +
 +# ### http://​www.f-prot.com/​
 +# ['​F-Prot fpscand', ​ # F-PROT Antivirus for BSD/​Linux/​Solaris,​ version 6
 +#   ​\&​ask_daemon, ​                                                       ​
 +#   ​["​SCAN FILE {}/​*\n",​ '​127.0.0.1:​10200'​], ​                            
 +#   ​qr/​^(0|8|64) /m,                                                     
 +#   ​qr/​^([1235679]|1[01345]) |<​[^>:​]*(?​i)(infected|suspicious|unwanted)/​m,​
 +#   ​qr/​(?​i)<​[^>:​]*(?:​infected|suspicious|unwanted)[^>:​]*:​ ([^>​]*)>/​m ],   
 +
 +# ### http://​www.f-prot.com/​
 +# ['​F-Prot f-protd', ​ # old version
 +#   ​\&​ask_daemon, ​                 ​
 +#   ​["​GET {}/​*?​-dumb%20-archive%20-packed HTTP/​1.0\r\n\r\n",​
 +#     ​['​127.0.0.1:​10200',​ '​127.0.0.1:​10201',​ '​127.0.0.1:​10202',​
 +#      '​127.0.0.1:​10203',​ '​127.0.0.1:​10204'​] ],                ​
 +#   ​qr/​(?​i)<​summary[^>​]*>​clean<​\/​summary>/​m, ​                  
 +#   ​qr/​(?​i)<​summary[^>​]*>​infected<​\/​summary>/​m, ​               ​
 +#   ​qr/​(?​i)<​name>​(.+)<​\/​name>/​m ],                             
 +
 +# ### http://​www.sald.com/,​ http://​www.dials.ru/​english/,​ http://​www.drweb.ru/​
 +# ['​DrWebD',​ \&​ask_daemon, ​  # DrWebD 4.31 or later                           
 +#   ​[pack('​N',​1). ​ # DRWEBD_SCAN_CMD ​                                         ​
 +#    pack('​N',​0x00280001). ​  # DONT_CHANGEMAIL,​ IS_MAIL, RETURN_VIRUSES ​      
 +#    pack('​N', ​    # path length ​                                             ​
 +#      length("​$TEMPBASE/​amavis-yyyymmddTHHMMSS-xxxxx/​parts/​pxxx"​)). ​         ​
 +#    '​{}/​*'​. ​      # path                                                     
 +#    pack('​N',​0). ​ # content size                                             
 +#    pack('​N',​0), ​                                                            
 +#    '/​var/​drweb/​run/​drwebd.sock', ​                                           ​
 +#  # '/​var/​amavis/​var/​run/​drwebd.sock', ​  # suitable for chroot ​              
 +#  # '/​usr/​local/​drweb/​run/​drwebd.sock', ​ # FreeBSD drweb ports default ​      
 +#  # '​127.0.0.1:​3000', ​                   # or over an inet socket ​           ​
 +#   ​], ​                                                                       ​
 +#   ​qr/​\A\x00[\x10\x11][\x00\x10]\x00/​sm, ​       # IS_CLEAN,​EVAL_KEY;​ SKIPPED ​
 +#   ​qr/​\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/​sm,#​ KNOWN_V,​UNKNOWN_V,​V._MODIF
 +#   ​qr/​\A.{12}(?:​infected with )?​([^\x00]+)\x00/​sm, ​                           ​
 +# ],                                                                           
 +# # NOTE: If using amavis-milter,​ change length to:                            ​
 +# # length("​$TEMPBASE/​amavis-milter-xxxxxxxxxxxxxx/​parts/​pxxx"​). ​              
 +
 +  ### http://​www.kaspersky.com/ ​ (kav4mailservers)
 +  ['​KasperskyLab AVP - aveclient', ​               ​
 +    ['/​usr/​local/​kav/​bin/​aveclient','/​usr/​local/​share/​kav/​bin/​aveclient',​
 +     '/​opt/​kav/​5.5/​kav4mailservers/​bin/​aveclient','​aveclient'​], ​         ​
 +    '-p /​var/​run/​aveserver -s {}/​*', ​                                    
 +    [0,3,6,8], qr/​\b(INFECTED|SUSPICION|SUSPICIOUS)\b/​m, ​                
 +    qr/​(?:​INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/​m, ​                
 +  ],                                                                     
 +  # NOTE: one may prefer [0],​[2,​3,​4,​5],​ depending on how suspicious, ​    
 +  # currupted or protected archives are to be handled ​                   ​
 +
 +  ### http://​www.kaspersky.com/​
 +  ['​KasperskyLab AntiViral Toolkit Pro (AVP)',​ ['​avp'​],​
 +    '-* -P -B -Y -O- {}', [0,3,6,8], [2,​4], ​   # any use for -A -K   ?
 +    qr/​infected:​ (.+)/​m, ​                                             ​
 +    sub {chdir('/​opt/​AVP'​) or die "​Can'​t chdir to AVP: $!"​}, ​         ​
 +    sub {chdir($TEMPBASE) or die "​Can'​t chdir back to $TEMPBASE $!"​}, ​
 +  ],                                                                  ​
 +
 +  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
 +  ### products and replaced by aveserver and aveclient ​                
 +  ['​KasperskyLab AVPDaemonClient', ​                                    
 +    [ '/​opt/​AVP/​kavdaemon', ​      '​kavdaemon', ​                        
 +      '/​opt/​AVP/​AvpDaemonClient',​ '​AvpDaemonClient', ​                  
 +      '/​opt/​AVP/​AvpTeamDream', ​   '​AvpTeamDream', ​                     ​
 +      '/​opt/​AVP/​avpdc',​ '​avpdc'​ ],                                     
 +    "​-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/​infected:​ ([^\r\n]+)/​m ],  ​
 +    # change the startup-script in /​etc/​init.d/​kavd to:                ​
 +    #   ​DPARMS="​-* -Y -dl -f=/​var/​amavis /​var/​amavis" ​                 ​
 +    #   (or perhaps: ​  ​DPARMS="​-I0 -Y -* /​var/​amavis"​ )                ​
 +    # adjusting /var/amavis above to match your $TEMPBASE. ​            
 +    # The '​-f=/​var/​amavis'​ is needed if not running it as root, so it  ​
 +    # can find, read, and write its pid file, etc., see 'man kavdaemon'​.
 +    # defUnix.prf:​ there must be an entry "​*/​var/​amavis"​ (or whatever ​  
 +    #   ​directory $TEMPBASE specifies) in the '​Names='​ section. ​        
 +    # cd /​opt/​AVP/​DaemonClients;​ configure; cd Sample; make             
 +    # cp AvpDaemonClient /​opt/​AVP/ ​                                     ​
 +    # su - vscan -c "​${PREFIX}/​kavdaemon ${DPARMS}" ​                    
 +
 +  ### http://​www.centralcommand.com/​
 +  ['​CentralCommand Vexira (new) vascan',​
 +    ['​vascan','/​usr/​lib/​Vexira/​vascan'​],​
 +    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
 +    "​--log=/​var/​log/​vascan.log {}", ​                        
 +    [0,3], [1,​2,​5], ​                                        
 +    qr/(?x)^\s* (?:​virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s'​]+ )\ \.\.\.\ /m ],
 +    # Adjust the path of the binary and the virus database as needed. ​                            
 +    # '​vascan'​ does not allow to have the temp directory to be the same as                        ​
 +    # the quarantine directory, and the quarantine option can not be disabled. ​                   ​
 +    # If $QUARANTINEDIR is not used, then another directory must be specified ​                    
 +    # to appease '​vascan'​. Move status 3 to the second list if password ​                          
 +    # protected files are to be considered infected. ​                                             ​
 +
 +  ### http://​www.avira.com/​
 +  ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus
 +  ['​Avira AntiVir',​ ['​antivir','​vexira'​], ​                                    
 +    '​--allfiles -noboot -nombr -rs -s -z {}', [0], qr/​ALERT:​|VIRUS:/​m, ​       ​
 +    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |                           
 +         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s'​]+ )/m ],                      ​
 +    # NOTE: if you only have a demo version, remove -z and add 214, as in:    ​
 +    #  '​--allfiles -noboot -nombr -rs -s {}', [0,214], qr/​ALERT:​|VIRUS:/, ​    
 +
 +  ### http://​www.avira.com/​
 +  ### Avira for UNIX 3.x   
 +  ['​Avira AntiVir',​ ['​avscan'​],​
 +   '​-s --batch --alert-action=none {}', [0,4], qr/​(?:​ALERT|FUND):/​m,​
 +   ​qr/​(?:​ALERT|FUND):​ (?:.* <<<​ )?(.+?)(?: ; |$)/m ],               
 +
 +  ### http://​www.commandsoftware.com/​
 +  ['​Command AntiVirus for Linux',​ '​csav',​
 +    '-all -archive -packed {}', [50], [51,52,53],
 +    qr/​Infection:​ (.+)/m ],                      ​
 +
 +  ### http://​www.symantec.com/​
 +  ['​Symantec CarrierScan via Symantec CommandLineScanner',​
 +    '​cscmdline',​ '-a scan -i 1 -v -s 127.0.0.1:​7777 {}',  ​
 +    qr/^Files Infected:​\s+0$/​m,​ qr/​^Infected\b/​m, ​        
 +    qr/​^(?:​Info|Virus Name):​\s+(.+)/​m ],                  ​
 +
 +  ### http://​www.symantec.com/​
 +  ['​Symantec AntiVirus Scan Engine',​
 +    '​savsecls',​ '​-server 127.0.0.1:​7777 -mode scanrepair -details -verbose {}',
 +    [0], qr/​^Infected\b/​m, ​                                                    
 +    qr/​^(?:​Info|Virus Name):​\s+(.+)/​m ],                                       
 +    # NOTE: check options and patterns to see which entry better applies ​      
 +
 +# ### http://​www.f-secure.com/​products/​anti-virus/ ​ version 5.52
 +#  ['​F-Secure Antivirus for Linux servers', ​                    
 +#   ​['/​opt/​f-secure/​fsav/​bin/​fsav',​ '​fsav'​], ​                   ​
 +#   '​--virus-action1=report --archive=yes --auto=yes '​. ​        
 +#   '​--dumb=yes --list=no --mime=yes {}', [0], [3,​4,​6,​8], ​      
 +#   ​qr/​(?:​infection|Infected|Suspected|Riskware):​ (.+)/m ],     
 +#   # NOTE: internal archive handling may be switched off by '​--archive=no'​
 +#   # ​  to prevent fsav from exiting with status 9 on broken archives ​     ​
 +
 +  ### http://​www.f-secure.com/​ version 9.14
 +   ​['​F-Secure Linux Security', ​            
 +    ['/​opt/​f-secure/​fsav/​bin/​fsav',​ '​fsav'​],​
 +    '​--virus-action1=report --archive=yes --auto=yes '.
 +    '​--list=no --nomimeerr {}', [0], [3,​4,​6,​8], ​       ​
 +    qr/​(?:​infection|Infected|Suspected|Riskware):​ (.+)/m ],
 +    # NOTE: internal archive handling may be switched off by '​--archive=no'​
 +    #   to prevent fsav from exiting with status 9 on broken archives ​     ​
 +
 +# ### http://​www.avast.com/​
 +# ['​avast! Antivirus daemon',​
 +#   ​\&​ask_daemon, ​ # greets with 220, terminate with QUIT
 +#   ​["​SCAN {}\015\012QUIT\015\012",​ '/​var/​run/​avast4/​mailscanner.sock'​],​
 +#   ​qr/​\t\[\+\]/​m,​ qr/​\t\[L\]\t/​m,​ qr/​\t\[L\]\t[0-9]+\s+([^[ \t\015\012]+)/​m ],
 +
 +# ### http://​www.avast.com/​
 +# ['​avast! Antivirus - Client/​Server Version',​ '​avastlite',​
 +#   '​-a /​var/​run/​avast4/​mailscanner.sock -n {}', [0], [1], 
 +#   ​qr/​\t\[L\]\t([^[ \t\015\012]+)/​m ],                    ​
 +
 +  ['CAI InoculateIT',​ '​inocucmd', ​ # retired product
 +    '-sec -nex {}', [0], [100], ​                    
 +    qr/was infected by virus (.+)/m ],              ​
 +  # see: http://​www.flatmtn.com/​computer/​Linux-Antivirus_CAI.html
 +
 +  ### http://​www3.ca.com/​Solutions/​Product.asp?​ID=156 ​ (ex InoculateIT)
 +  ['CAI eTrust Antivirus',​ '​etrust-wrapper', ​                          
 +    '-arc -nex -spm h {}', [0], [101], ​                                
 +    qr/is infected by virus: (.+)/m ],                                 
 +    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
 +    # see http://​marc.theaimsgroup.com/?​l=amavis-user&​m=109229779912783 ​       ​
 +
 +  ### http://​mks.com.pl/​english.html
 +  ['​MkS_Vir for Linux (beta)',​ ['​mks32','​mks'​],​
 +    '-s {}/*', [0], [1,​2], ​                    
 +    qr/--[ \t]*(.+)/m ],                       
 +
 +  ### http://​mks.com.pl/​english.html
 +  ['​MkS_Vir daemon',​ '​mksscan', ​    
 +    '-s -q {}', [0], [1..7], ​       ​
 +    qr/^... (\S+)/m ],              ​
 +
 +# ### http://​www.nod32.com/, ​ version v2.52 (old)
 +# ['ESET NOD32 for Linux Mail servers', ​         ​
 +#   ​['/​opt/​eset/​nod32/​bin/​nod32cli',​ '​nod32cli'​],​
 +#    '​--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
 +#    '-w -a --action-on-infected=accept --action-on-uncleanable=accept '​.  ​
 +#    '​--action-on-notscanned=accept {}', ​                                  
 +#   ​[0,​3],​ [1,2], qr/​virus="​([^"​]+)"/​m ],                                  ​
 +
 +# ### http://​www.eset.com/,​ version v2.7 (old)
 +# ['ESET NOD32 Linux Mail Server - command line interface',​
 +#   ​['/​usr/​bin/​nod32cli',​ '/​opt/​eset/​nod32/​bin/​nod32cli',​ '​nod32cli'​],​
 +#   '​--subdir {}', [0,3], [1,2], qr/​virus="​([^"​]+)"/​m ],              ​
 +
 +# ### http://​www.eset.com/,​ version 2.71.12
 +# ['ESET Software ESETS Command Line Interface',​
 +#   ​['/​usr/​bin/​esets_cli',​ '​esets_cli'​], ​       ​
 +#   '​--subdir {}', [0], [1,2,3], qr/​virus="​([^"​]+)"/​m ],
 +
 +  ### http://​www.eset.com/,​ version 3.0
 +  ['ESET Software ESETS Command Line Interface',​
 +    ['/​usr/​bin/​esets_cli',​ '​esets_cli'​], ​       ​
 +    '​--subdir {}', [0], [1,​2,​3], ​               ​
 +    qr/:​\s*action="​(?​!accepted)[^"​]*"​\n.*:​\s*virus="​([^"​]*)"/​m ],
 +
 +  ## http://​www.nod32.com/, ​ NOD32LFS version 2.5 and above
 +  ['ESET NOD32 for Linux File servers', ​                   ​
 +    ['/​opt/​eset/​nod32/​sbin/​nod32','​nod32'​], ​               ​
 +    '​--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
 +    '-w -a --action=1 -b {}', ​                                          
 +    [0], [1,10], qr/​^object=.*,​ virus="​(.*?​)",/​m ],                     
 +
 +# Experimental,​ based on posting from Rado Dibarbora (Dibo) on 2002-05-31
 +# ['ESET Software NOD32 Client/​Server (NOD32SS)', ​                       ​
 +#   ​\&​ask_daemon2, ​   # greets with 200, persistent, terminate with QUIT 
 +#   ​["​SCAN {}/​*\r\n",​ '​127.0.0.1:​8448'​ ],                                ​
 +#   ​qr/​^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],                     
 +
 +  ### http://​www.norman.com/​products_nvc.shtml
 +  ['​Norman Virus Control v5 / Linux',​ '​nvcc', ​
 +    '-c -l:0 -s -u -temp:​$TEMPBASE {}', [0,10,11], [1,2,14],
 +    qr/(?i).* virus in .* -> \'​(.+)\'/​m ],                  ​
 +
 +  ### http://​www.pandasoftware.com/​
 +  ['​Panda CommandLineSecure 9 for Linux',​
 +    ['/​opt/​pavcl/​usr/​bin/​pavcl','​pavcl'​],​
 +    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
 +    qr/Number of files infected[ .]*: 0+(?​!\d)/​m, ​     ​
 +    qr/Number of files infected[ .]*: 0*[1-9]/​m, ​      
 +    qr/Found virus :\s*(\S+)/m ],                      ​
 +  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
 +  # before starting amavisd - the bases are then loaded only once at startup.
 +  # To reload bases in a signature update script: ​                           ​
 +  #   /​opt/​pavcl/​usr/​bin/​pavcl -tsr -ulr; /​opt/​pavcl/​usr/​bin/​pavcl -tsr      ​
 +  # Please review other options of pavcl, for example: ​                      
 +  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies ​               ​
 +
 +# ### http://​www.pandasoftware.com/​
 +# ['​Panda Antivirus for Linux',​ ['​pavcl'​],​
 +#   '​-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
 +#   [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
 +#   ​qr/​Found virus :\s*(\S+)/m ],                         
 +
 +# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
 +# Check your RAV license terms before fiddling with the following two lines!
 +# ['​GeCAD RAV AntiVirus 8', '​ravav', ​                                       ​
 +#   '​--all --archive --mail {}', [1], [2,3,4,5], qr/​Infected:​ (.+)/m ],     
 +# # NOTE: the command line switches changed with scan engine 8.5 !          ​
 +# # (btw, assigning stdin to /dev/null causes RAV to fail)                  ​
 +
 +  ### http://​www.nai.com/​
 +  ['NAI McAfee AntiVirus (uvscan)',​ '​uvscan',​
 +    '​--secure -rv --mime --summary --noboot - {}', [0], [13],
 +    qr/(?x) Found (?:                                        ​
 +        \ the\ (.+)\ (?:​virus|trojan) ​ |                     
 +        \ (?:​virus|trojan)\ or\ variant\ ([^ ]+)  |          ​
 +        :\ (.+)\ NOT\ a\ virus)/​m, ​                          
 +  # sub {$ENV{LD_PRELOAD}='/​lib/​libc.so.6'​}, ​                
 +  # sub {delete $ENV{LD_PRELOAD}}, ​                          
 +  ],                                                         
 +  # NOTE1: with RH9: force the dynamic linker to look at /​lib/​libc.so.6 before
 +  # anything else by setting environment variable LD_PRELOAD=/​lib/​libc.so.6 ​  
 +  # and then clear it when finished to avoid confusing anything else.         
 +  # NOTE2: to treat encrypted files as viruses replace the [13] with:         
 +  #  qr/​^\s{5,​}(Found|is password-protected|.*(virus|trojan))/ ​               ​
 +
 +  ### http://​www.virusbuster.hu/​en/​
 +  ['​VirusBuster',​ ['​vbuster',​ '​vbengcl'​],​
 +    "{} -ss -i '​*'​ -log=$MYHOME/​vbuster.log",​ [0], [1],
 +    qr/: '​(.*)'​ - Virus/m ],                           
 +  # VirusBuster Ltd. does not support the daemon version for the workstation
 +  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of 
 +  # binaries, some parameters AND return codes have changed (from 3 to 1).  ​
 +  # See also the new Vexira entry '​vascan'​ which is possibly related. ​      
 +
 +# ### http://​www.virusbuster.hu/​en/​
 +# ['​VirusBuster (Client + Daemon)',​ '​vbengd',​
 +#   '​-f -log scandir {}', [0], [3],          ​
 +#   ​qr/​Virus found = (.*);/m ],              ​
 +# # HINT: for an infected file it always returns 3,
 +# # although the man-page tells a different story  ​
 +
 +  ### http://​www.cyber.com/​
 +  ['​CyberSoft VFind',​ '​vfind',​
 +    '​--vexit {}/*', [0], [23], qr/##​==>>>>​ VIRUS ID: CVDL (.+)/m,
 +  # sub {$ENV{VSTK_HOME}='/​usr/​lib/​vstk'​}, ​                      
 +  ],                                                             
 +
 +  ### http://​www.avast.com/​
 +  ['​avast! Antivirus',​ ['/​usr/​bin/​avastcmd','​avastcmd'​],​
 +    '-a -i -n -t=A {}', [0], [1], qr/​\binfected by:\s+([^ \t\n\[\]]+)/​m ],
 +
 +  ### http://​www.ikarus-software.com/​
 +  ['​Ikarus AntiVirus for Linux',​ '​ikarus',​
 +    '​{}',​ [0], [40], qr/​Signature (.+) found/m ],
 +
 +  ### http://​www.bitdefender.com/​
 +  ['​BitDefender',​ '​bdscan', ​ # new version
 +    '​--action=ignore --no-list {}', qr/​^Infected files\s*:​\s*0+(?​!\d)/​m,​
 +    qr/​^(?:​Infected files|Identified viruses|Suspect files)\s*:​\s*0*[1-9]/​m,​
 +    qr/​(?:​suspected|infected)\s*:​\s*(.*)(?:​\033|$)/​m ],                     
 +
 +  ### http://​www.bitdefender.com/​
 +  ['​BitDefender',​ '​bdc', ​ # old version
 +    '--arc --mail {}', qr/​^Infected files *:​0+(?​!\d)/​m,​
 +    qr/​^(?:​Infected files|Identified viruses|Suspect files) *:​0*[1-9]/​m,​
 +    qr/​(?:​suspected|infected):​ (.*)(?:​\033|$)/​m ],                      ​
 +  # consider also: --all --nowarn --alev=15 --flev=15. ​ The --all argument may
 +  # not apply to your version of bdc, check documentation and see 'bdc --help'​
 +
 +  ### ArcaVir for Linux and Unix http://​www.arcabit.pl/​
 +  ['​ArcaVir for Linux',​ ['​arcacmd','​arcacmd.static'​],  ​
 +    '-v 1 -summary 0 -s {}', [0], [1,​2], ​              
 +    qr/​(?:​VIR|WIR):​[ \t]*(.+)/m ],                     
 +
 +# ### a generic SMTP-client interface to a SMTP-based virus scanner
 +# ['​av_smtp',​ \&​ask_av_smtp, ​                                      
 +#   ​['​{}',​ '​smtp:​[127.0.0.1]:​5525',​ '​dummy@localhost'​], ​           ​
 +#   ​qr/​^2/,​ qr/^5/, qr/​^\s*(.*?​)\s*$/​m ],                          ​
 +
 +# ['​File::​Scan',​ sub {Amavis::​AV::​ask_av(sub{
 +#   use File::Scan; my($fn)=@_; ​             ​
 +#   ​my($f)=File::​Scan->​new(max_txt_size=>​0,​ max_bin_size=>​0);​
 +#   ​my($vname) = $f->​scan($fn); ​                             ​
 +#   ​$f->​error ? (2,"​Error:​ "​.$f->​error) ​                     ​
 +#   : ($vname ne ''​) ? (1,"​$vname FOUND"​) : (0,"​Clean"​)},​ @_) },
 +#   ​["​{}/​*"​],​ [0], [1], qr/^(.*) FOUND$/m ],                    ​
 +
 +# ### fully-fledged checker for JPEG marker segments of invalid length
 +# ['​check-jpeg', ​                                                     ​
 +#   sub { use JpegTester (); Amavis::​AV::​ask_av(\&​JpegTester::​test_jpeg,​ @_) },
 +#   ​["​{}/​*"​],​ undef, [1], qr/^(bad jpeg: .*)$/m ],                             
 +# # NOTE: place file JpegTester.pm somewhere where Perl can find it,           
 +# #       for example in /​usr/​local/​lib/​perl5/​site_perl ​                       ​
 +
 +);
 +
 +
 +@av_scanners_backup = (
 +
 +  ### http://​www.clamav.net/ ​  - backs up clamd or Mail::​ClamAV
 +  ['​ClamAV-clamscan',​ '​clamscan', ​                             ​
 +    "​--stdout --no-summary -r --tempdir=$TEMPBASE {}", ​        
 +    [0], qr/:​.*\sFOUND$/​m,​ qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 +
 +# ### http://​www.clamav.net/​ - using remote clamd scanner as a backup
 +# ['​ClamAV-clamdscan',​ '​clamdscan', ​                                 ​
 +#   "​--stdout --no-summary --config-file=/​etc/​clamd-client.conf {}", ​
 +#   [0], qr/:​.*\sFOUND$/​m,​ qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 +
 +# ['​ClamAV-clamd-stream',​
 +#   ​\&​ask_daemon,​ ["​*",​ '​clamd:/​var/​run/​clamav/​clamd.sock'​],​
 +#   ​qr/​\bOK$/​m,​ qr/​\bFOUND$/​m, ​                             ​
 +#   ​qr/​^.*?:​ (?!Infected Archive)(.*) FOUND$/m ],           
 +
 +  ### http://​www.f-prot.com/ ​  - backs up F-Prot Daemon, V6
 +  ['​F-PROT Antivirus for UNIX', ['​fpscan'​],​
 +    '​--report --mount --adware {}', ​ # consider: --applications -s 4 -u 3 -z 10
 +    [0,​8,​64], ​ [1,2,3, 4+1,​4+2,​4+3,​ 8+1,​8+2,​8+3,​ 12+1,​12+2,​12+3],​
 +    qr/​^\[Found\s+[^\]]*\]\s+<​([^ \t(>​]*)/​m ],
 +
 +  ### http://​www.f-prot.com/ ​  - backs up F-Prot Daemon (old)
 +  ['​FRISK F-Prot Antivirus',​ ['​f-prot','​f-prot.sh'​],​
 +    '-dumb -archive -packed {}', [0,8], [3,​6], ​  # or: [0], [3,6,8],
 +    qr/​(?:​Infection:​|security risk named) (.+)|\s+contains\s+(.+)$/​m ],
 +
 +  ### http://​www.trendmicro.com/ ​  - backs up Trophie
 +  ['​Trend Micro FileScanner',​ ['/​etc/​iscan/​vscan','​vscan'​],​
 +    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
 +
 +  ### http://​www.sald.com/,​ http://​drweb.imshop.de/ ​  - backs up DrWebD
 +  ['​drweb - DrWeb Antivirus', ​ # security LHA hole in Dr.Web 4.33 and earlier
 +    ['/​usr/​local/​drweb/​drweb',​ '/​opt/​drweb/​drweb',​ '​drweb'​],​
 +    '​-path={} -al -go -ot -cn -upn -ok-',
 +    [0,32], [1,9,33], qr' infected (?:​with|by)(?:​ virus)? (.*)$'​m ],
 +
 +   ### http://​www.kaspersky.com/​
 +   ​['​Kaspersky Antivirus v5.5',
 +     ​['/​opt/​kaspersky/​kav4fs/​bin/​kav4fs-kavscanner',​
 +      '/​opt/​kav/​5.5/​kav4unix/​bin/​kavscanner',​
 +      '/​opt/​kav/​5.5/​kav4mailservers/​bin/​kavscanner',​ '​kavscanner'​],​
 +     '​-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,​20,​21,​25],​
 +     ​qr/​(?:​INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
 +#    sub {chdir('/​opt/​kav/​bin'​) or die "​Can'​t chdir to kav: $!"},
 +#    sub {chdir($TEMPBASE) or die "​Can'​t chdir back to $TEMPBASE $!"},
 +   ],
 +
 +  ### http://​www.sophos.com/​
 +  ['​Sophos Anti Virus (savscan)', ​  # formerly known as '​sweep'​
 +    ['/​opt/​sophos-av/​bin/​savscan',​ '​savscan'​], ​ # '​sweep'​
 +    '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
 +    '​--no-reset-atime {}',
 +    [0,2], qr/Virus .*? found/m,
 +    qr/​^>>>​ Virus(?: fragment)? '?​(.*?​)'?​ found/m,
 +  ],
 +  # other options to consider: -idedir=/​usr/​local/​sav
 +  # A name '​sweep'​ clashes with a name of an audio editor (Debian and FreeBSD).
 +  # Make sure the correct '​sweep'​ is found in the path if using the old name.
 +
 +# Always succeeds and considers mail clean.
 +# Potentially useful when all other scanners fail and it is desirable
 +# to let mail continue to flow with no virus checking (when uncommented).
 +# ['​always-clean',​ sub {0}],
 +
 +);
 +
 +
 +1;  # insure a defined return value
 +</​file>​
 +
 +Viele Parameter sind etwas arg verstreut in der Datei, so dass man oft nicht auf den ersten Blick deren Abhängigkeit erkennt. Wir werden daher, ähnlich auch schon wie bei der Konfiguration unseres **MTA**((**M**ail **T**ransport **A**gent)) [[centos:​mail_c7:​mta_4#​postfix_from_the_scratch|Postfix]],​ die Originalversion bei Seite legen und uns unsere eigene strukturierte AMaViS-Konfigurationsdatei aufsetzen.
 +
 +Wir benennen also als erstes einmal, die original mitgelieferte Konfigurationsdate des AMaViS-Daemon um.
 +   # mv /​etc/​amavisd/​amavisd.conf /​etc/​amavisd/​amavisd.conf.orig
 +
 +Dann legen wir uns eine neue Datei an.
 +   # touch /​etc/​amavisd/​amavisd.conf
 +
 +Zur Strukturierung unserer eigenen **amavisd.conf** nutzen wir jeweils folgende Überschriftszeile.
 +  ################################################################################​
 +  ## < beschreibenden Text > 
 +  #
 +
 +Wir werden später die einzelnen Konfigurationsoptionen strukturieren,​ d.h. zusammenfassen und jeweils bei den betreffenden Sectionen eintragen.
 +
 +
 +=== mögliche Konfigurationsparameterdatei ===
 +Wollen wir vor dem Anlegen unserer eigenen individuellen Datei uns noch einen Überblick verschaffen,​ welche Parameter der **amavisd** hat, werfen wir einen Blick in die Datei //​**/​usr/​share/​doc/​amavisd-new-2.9.1/​amavisd.conf-default**//​
 +   # less /​usr/​share/​doc/​amavisd-new-2.9.1/​amavisd.conf-default
 +
 +<file perl /​usr/​share/​doc/​amavisd-new-2.9.1/​amavisd.conf-default>​use strict; ​                                                                     ​
 +
 +## A CONFIGURATION FILE FOR AMAVISD-NEW,​ LISTING ALL CONFIGURATION VARIABLES
 +## WITH THEIR DEFAULT VALUES (FOR REFERENCE ONLY, NON-AUTHORITATIVE) ​       ​
 +
 +## This software is licensed under the GNU General Public License (GPL).
 +## See comments at the start of file amavisd for the whole license text.
 +##   ​Copyright (C) 2002-2012 ​ Mark Martinec, ​ All Rights Reserved. ​     ​
 +
 +## The '​after-default'​ comment indicates that these variables obtain their
 +## default value if the config file left them undefined. It means these values
 +## are not yet available during processing of the configuration file, but that
 +## they can derive their value from other configurations variables no matter  ​
 +## where in the configuration file they appear. ​                              
 +
 +
 +## GENERAL
 +
 +# $myhostname = ... predefined default from uname(3), must be a FQDN
 +# $mydomain ​  = ... no useful default, should be set if used in expressions
 +# $snmp_contact ​ = ''; ​                                                    
 +# $snmp_location = ''; ​                                                    
 +# $daemon_user ​  = undef; ​                                                 ​
 +# $daemon_group ​ = undef; ​                                                 ​
 +# $MYHOME ​       = '/​var/​amavis'; ​                                         ​
 +# $TEMPBASE ​     = $MYHOME; ​               # after-default ​                
 +# $db_home ​      = "​$MYHOME/​db"; ​          # after-default ​                
 +# $pid_file ​     = "​$MYHOME/​amavisd.pid"; ​ # after-default ​                
 +# $lock_file ​    = undef; ​                                                 ​
 +# $daemon_chroot_dir = undef; ​                                             ​
 +# $max_requests = 20;    # retire a child after that many accepts ​         ​
 +# $max_servers = 2;      # number of pre-forked children ​                  
 +# $min_servers ​      = undef; ​ # see Net::​Server::​Prefork for semantics ​   ​
 +# $min_spare_servers = undef; ​                                             ​
 +# $max_spare_servers = undef; ​                                             ​
 +# $child_timeout = 8*60;                                                   
 +# $localpart_is_case_sensitive = 0;                                        ​
 +# $enable_db = undef; ​                                                     ​
 +# $enable_zmq = undef; ​                                                    
 +# @zmq_sockets = ( "​ipc://​$MYHOME/​amavisd-zmq.sock"​ );  # after-default ​   ​
 +# $nanny_details_level = 1;  # verbosity: 0, 1, 2                          ​
 +# @additional_perl_modules = ();                                           
 +# @local_domains_maps=(\%local_domains,​\@local_domains_acl,​\$local_domains_re);​
 +# @mynetworks = qw( 127.0.0.0/8 [::1] 169.254.0.0/​16 [fe80::​]/​10 ​              
 +#                   ​10.0.0.0/​8 172.16.0.0/​12 192.168.0.0/​16 [fc00::]/7 );      ​
 +# @mynetworks_maps = (\@mynetworks); ​                                          
 +# @client_ipaddr_policy = map { $_ => '​MYNETS'​ } @mynetworks_maps; ​            
 +
 +
 +## LOGGING AND DEBUGGING
 +
 +# $log_level = 0;
 +# $logfile = undef;
 +# $do_syslog = undef; ​ # same as 0
 +# $syslog_ident = '​amavis'; ​      
 +# $syslog_facility = '​mail'; ​     ​
 +# $logline_maxlen = 980;          ​
 +# enable_log_capture_dump = undef;
 +
 +# $log_short_templ ​  ... built-in default at the end of file amavisd
 +# $log_verbose_templ ... built-in default at the end of file amavisd
 +# $log_recip_templ = ... built-in default at the end of file amavisd
 +# $log_templ = $log_short_templ; ​                                   ​
 +
 +# @debug_sender_acl = ();
 +# @debug_sender_maps = (\@debug_sender_acl);​
 +# @debug_recipient_maps = ();               
 +# $sa_debug = undef; ​                       ​
 +# $allow_preserving_evidence = 1;           
 +
 +
 +## DKIM VERIFICATION
 +
 +# $enable_dkim_verification = undef;
 +# $reputation_factor = 0.2;         
 +# @signer_reputation_maps = ();     
 +# @author_to_policy_bank_maps = (); 
 +# $dkim_minimum_key_bits = 1024;    ​
 +# $myauthservid = $myhostname; ​ # after-default (RFC 5451)
 +# $dkim_minimum_key_bits = 1024;                          ​
 +
 +## DKIM SIGNING
 +
 +# $enable_dkim_signing = undef;
 +# %dkim_signing_keys = ();     
 +# @dkim_signature_options_bysender_maps = ();
 +# $dkim_signing_service = undef; ​            
 +#                                            ​
 +# for (qw(Accept-Language Archived-At Auto-Submitted Content-Alternative
 +#         ​Content-Base Content-Class Content-Description Content-Disposition
 +#         ​Content-Duration Content-Features Content-Id Content-Language ​    
 +#         ​Content-Location Content-MD5 Content-Transfer-Encoding In-Reply-To
 +#         ​List-Archive List-Help List-Id List-Owner List-Post List-Subscribe
 +#         ​List-Unsubscribe Message-Context Message-ID MIME-Version ​         ​
 +#         ​Organisation Organization Original-Message-ID Pics-Label ​         ​
 +#         ​Precedence Received References Reply-To Resent-Date Resent-From ​  
 +#         ​Resent-Message-ID Resent-Sender Sensitivity Solicitation ​         ​
 +#         ​User-Agent VBR-Info X-Mailer)) ​  { $signed_header_fields{lc $_} = 1 }
 +# for (qw(From Date Subject Content-Type)) { $signed_header_fields{lc $_} = 2 }
 +
 +
 +## MTA INTERFACE - INPUT
 +
 +# @listen_sockets =  ... $unix_socketname and $inet_socket_port are added here
 +# $unix_socketname ​ = undef; # Unix socket to accept amavis helper protocol ​  
 +# $unix_socket_mode = undef; # sets sockets protection (numeric mode), or undef
 +# $inet_socket_port = undef; # accept connections on this TCP port(s) (SMTP...)
 +# $inet_socket_bind = [ '​127.0.0.1',​ '​[::​1]'​ ];  # if both inet & inet6 avail. ​
 +#   ​$inet_socket_bind = '​127.0.0.1'; ​            # if only inet available ​     ​
 +#   ​$inet_socket_bind = '​[::​1]' ​                 # if only inet6 available ​    
 +# @inet_acl = qw( 127.0.0.1 [::1] );                                           
 +# $listen_queue_size = undef; ​                                                 ​
 +
 +# $protocol = ... defaults to '​SMTP'​ or '​LMTP'​ (autodetected) on inet and inet6
 +#             ​sockets;​ must be configured explicitly for Unix sockets. ​        
 +#             ​Possible values: '​SMTP',​ '​LMTP',​ '​AM.PDP', ​                      
 +#             and with appropriate patches applied also: '​COURIER'​ or '​QMQPqq' ​
 +
 +# $soft_bounce = undef;
 +# $smtpd_timeout = 8*60;
 +# $smtpd_recipient_limit = 1100;
 +# $smtpd_message_size_limit = undef; ​ # site-wide limit
 +# @message_size_limit_maps = ();      # per-recipient limits
 +# $smtpd_greeting_banner = '​${helo-name} ${protocol} ${product} service ready';​
 +# $smtpd_quit_banner = '​${helo-name} ${product} closing transmission channel'; ​
 +# $auth_required_inp = undef; ​                                                 ​
 +# $auth_required_release = 1;                                                  ​
 +# @auth_mech_avail=();​ # empty list disables incoming AUTH; or: qw(PLAIN LOGIN)
 +# $tls_security_level_in = undef; ​ # undef, '​may',​ '​encrypt',​ ...              ​
 +# $smtpd_tls_cert_file = undef; ​                                               ​
 +# $smtpd_tls_key_file = undef; ​                                                
 +# $smtp_connection_cache_on_demand = 1;                                        ​
 +# $smtp_connection_cache_enable = 1;                                           
 +# $enforce_smtpd_message_size_limit_64kb_min = 1;                              ​
 +# @smtpd_discard_ehlo_keywords = ();                                           
 +
 +
 +## MTA INTERFACE - OUTPUT
 +
 +## see also $notify_method,​ $forward_method and $*_quarantine_method
 +
 +# $localhost_name = '​localhost';​ # my EHLO name, and inserted in Received
 +# $local_client_bind_address = undef; ​ # my source IP address as a SMTP client
 +# $auth_required_out = undef; ​                                                
 +# $amavis_auth_user ​ = undef; ​   # for submitting notifications and quarantine
 +# $amavis_auth_pass ​ = undef; ​                                                
 +# $auth_reauthenticate_forwarded = undef; # our credentials for forwarding too
 +# $tls_security_level_out = undef; ​ # undef, '​may',​ '​encrypt',​ ...            ​
 +
 +
 +## MAIL FORWARDING
 +
 +# $forward_method = '​smtp:​[127.0.0.1]:​10025'; ​ # may be arrayref
 +#              # or '​smtp:​[::​1]:​10025'​ when INET6 available and INET unavail.
 +# @forward_method_maps = ( sub { Opaque(c('​forward_method'​)) } );            ​
 +# $resend_method = undef; ​ # falls back to $forward_method ​                  
 +# $always_bcc = undef; ​                                                      
 +
 +# $final_virus_destiny ​ = D_DISCARD; ​ # subj to @viruses_that_fake_sender_maps
 +# $final_banned_destiny = D_DISCARD; ​                                         ​
 +# $final_spam_destiny ​  = D_PASS; ​    # subject to $sa_dsn_cutoff_level ​      
 +# $final_bad_header_destiny = D_PASS; ​                                        
 +
 +
 +## QUARANTINE
 +
 +# $release_method = undef; ​ # falls back to $notify_method
 +# $requeue_method = '​smtp:​[127.0.0.1]:​25'; ​               ​
 +#              # or '​smtp:​[::​1]:​25'​ when INET6 available and INET unavail.
 +# $release_format = '​resend'; ​ # (dsn), (arf), attach, ​ plain, ​ resend ​   ​
 +# $report_format ​ = '​arf'; ​    # (dsn), ​ arf,  attach, ​ plain, ​ resend ​   ​
 +# $attachment_password = '';​ # '':​ no pwd, undef: PIN, code ref, or static str
 +# $attachment_email_name = '​msg-%m.eml'; ​                                     ​
 +# $attachment_outer_name = '​msg-%m.zip'; ​                                     ​
 +
 +# $virus_quarantine_method ​       = '​local:​virus-%m';​
 +# $spam_quarantine_method ​        = '​local:​spam-%m.gz';​
 +# $banned_files_quarantine_method = '​local:​banned-%m'; ​
 +# $bad_header_quarantine_method ​  = '​local:​badh-%m'; ​  
 +# $clean_quarantine_method ​  = undef; ​                 ​
 +# $archive_quarantine_method = undef; ​                 ​
 +
 +# $mail_id_size_bits = 72;
 +
 +# $QUARANTINEDIR = undef;
 +# $quarantine_subdir_levels = undef; ​ # 0 or 1  (undef treated as 0)
 +# $sql_quarantine_chunksize_max; ​ # see SQL section ​                
 +
 +# $virus_quarantine_to ​    = '​virus-quarantine'; ​ # via %local_delivery_aliases
 +# $banned_quarantine_to ​   = '​banned-quarantine'; ​                             ​
 +# $bad_header_quarantine_to= '​bad-header-quarantine'; ​                         ​
 +# $spam_quarantine_to ​     = '​spam-quarantine'; ​                               ​
 +# $spam_quarantine_bysender_to = undef; ​                                       ​
 +# $clean_quarantine_to ​    = '​clean-quarantine'; ​                              
 +# $archive_quarantine_to ​  = '​archive-quarantine'; ​                            
 +
 +# @virus_quarantine_to_maps ​     = (\$virus_quarantine_to);​
 +# @banned_quarantine_to_maps ​    = (\$banned_quarantine_to);​
 +# @bad_header_quarantine_to_maps = (\$bad_header_quarantine_to);​
 +# @spam_quarantine_to_maps ​      = (\$spam_quarantine_to); ​     ​
 +# @spam_quarantine_bysender_to_maps = (\$spam_quarantine_bysender_to);​
 +# @clean_quarantine_to_maps ​     = (\$clean_quarantine_to); ​          
 +# @archive_quarantine_to_maps ​   = (\$archive_quarantine_to); ​        
 +
 +# %local_delivery_aliases ​ ... predefined, used by a delivery method '​local:'​
 +# $mailfrom_to_quarantine = undef; ​ # undef keeps original sender ​           ​
 +
 +
 +## NOTIFICATIONS (DSN, admin, recip)
 +
 +# $notify_method ​ = '​smtp:​[127.0.0.1]:​10025';​
 +#              # or '​smtp:​[::​1]:​10025'​ when INET6 available and INET unavail.
 +
 +# $propagate_dsn_if_possible = 1;
 +# $terminate_dsn_on_notify_success = 0;
 +
 +# $newvirus_admin = undef;
 +# $virus_admin = undef; ​  
 +# $spam_admin = undef; ​   ​
 +# $banned_admin = undef;  ​
 +# $bad_header_admin = undef;
 +
 +# $dsn_bcc = undef;
 +
 +# @newvirus_admin_maps ​  = (\$newvirus_admin);​
 +# @virus_admin_maps ​     = (\%virus_admin,​ \$virus_admin);​
 +# @banned_admin_maps ​    = (\$banned_admin); ​             ​
 +# @spam_admin_maps ​      = (\%spam_admin, ​ \$spam_admin); ​
 +# @bad_header_admin_maps = (\$bad_header_admin); ​         ​
 +
 +# $hdr_encoding = '​UTF-8'; ​ # header field bodies charset
 +# $bdy_encoding = '​UTF-8'; ​ # notification body text charset
 +# $hdr_encoding_qb = '​Q'; ​  # quoted-printable (Q or B)     
 +
 +# $notify_sender_templ ​      = ... built-in default at the end of file amavisd
 +# $notify_virus_sender_templ = ... built-in default at the end of file amavisd
 +# $notify_spam_sender_templ ​ = ... built-in default at the end of file amavisd
 +# $notify_virus_admin_templ ​ = ... built-in default at the end of file amavisd
 +# $notify_spam_admin_templ ​  = ... built-in default at the end of file amavisd
 +# $notify_virus_recips_templ = ... built-in default at the end of file amavisd
 +# $notify_spam_recips_templ ​ = ... built-in default at the end of file amavisd
 +# $notify_release_templ ​     = ... built-in default at the end of file amavisd
 +# $notify_report_templ ​      = ... built-in default at the end of file amavisd
 +
 +# $mailfrom_notify_admin = undef;
 +# $mailfrom_notify_recip = undef;
 +# $mailfrom_notify_spamadmin = undef;
 +
 +## these are after-defaults:​
 +# $hdrfrom_notify_sender = "​\"​Content-filter at $myhostname\"​ <​postmaster\@$myhostname>";​
 +# $hdrfrom_notify_recip ​    = ... derived from $mailfrom_notify_recip ​                   ​
 +# $hdrfrom_notify_admin ​    = ... derived from $mailfrom_notify_admin ​                   ​
 +# $hdrfrom_notify_spamadmin = ... derived from $mailfrom_notify_spamadmin ​               ​
 +# $hdrfrom_notify_release ​  = $hdrfrom_notify_sender; ​                                   ​
 +# $hdrfrom_notify_report ​   = $hdrfrom_notify_sender; ​                                   ​
 +
 +# $warnbannedsender = undef;
 +# $warnbadhsender ​  = undef;
 +
 +# $warn_offsite ​    = undef;
 +
 +# $warnvirusrecip ​  = undef;
 +# $warnbannedrecip ​ = undef;
 +# $warnbadhrecip ​   = undef;
 +# @warnvirusrecip_maps ​ = (\$warnvirusrecip);​
 +# @warnbannedrecip_maps = (\$warnbannedrecip);​
 +# @warnbadhrecip_maps ​  = (\$warnbadhrecip);  ​
 +
 +
 +## MODIFICATIONS TO PASSED MAIL
 +
 +# %allowed_added_header_fields = ...;     # built-in default
 +# %prefer_our_added_header_fields = ...;  # built-in default
 +# $remove_existing_x_scanned_headers = 0;                   
 +# $remove_existing_spam_headers = 1;                        ​
 +# @remove_existing_spam_headers_maps = (\$remove_existing_spam_headers);​
 +# $allow_fixing_improper_header = 1;   # all-white folding lines and long lines
 +# $allow_fixing_improper_header_folding = 1;                                   
 +# $allow_fixing_long_header_lines = 1;                                         
 +# $prepend_header_fields_hdridx = 0;                                           
 +
 +# $X_HEADER_TAG ​ = '​X-Virus-Scanned'; ​              # after-default
 +# $X_HEADER_LINE = "​$myproduct_name at $mydomain"; ​ # after-default
 +
 +# $defang_virus ​ = undef;
 +# $defang_banned = undef;
 +# $defang_spam ​  = undef;
 +# $defang_bad_header = undef;
 +# $defang_undecipherable = undef;
 +# $defang_all ​   = undef; ​ # mostly for testing
 +
 +# $allow_disclaimers = undef;
 +# $outbound_disclaimers_only = undef;
 +# $enable_anomy_sanitizer = 0;       
 +# @anomy_sanitizer_args = ();   # a config file or list of var=value pairs
 +# $altermime = '​altermime'; ​    # a path to the program ​                  
 +# @altermime_args_defang ​    = qw(--verbose --removeall); ​                
 +# @altermime_args_disclaimer = qw(--disclaimer=/​etc/​altermime-disclaimer.txt);​
 +# @disclaimer_options_bysender_maps = ();                                     
 +
 +# $undecipherable_subject_tag = '​***UNCHECKED*** ';
 +# $sa_spam_subject_tag = undef; ​                   ​
 +# $sa_spam_level_char = '​*'; ​                      
 +
 +# @spam_subject_tag_maps ​ = (\$sa_spam_subject_tag1);​ # N.B.: inconsistent name
 +# @spam_subject_tag2_maps = (\$sa_spam_subject_tag); ​ # N.B.: inconsistent name
 +# @spam_subject_tag3_maps = ();                                                ​
 +
 +
 +## ADDING ADDRESS EXTENSIONS TO RECIPIENTS - 'plus addressing'​
 +
 +# $recipient_delimiter = undef;
 +# $replace_existing_extension = 1;
 +# $addr_extension_virus ​ = undef; ​
 +# $addr_extension_banned = undef; ​
 +# $addr_extension_spam ​  = undef; ​
 +# $addr_extension_bad_header = undef;
 +# @addr_extension_virus_maps ​     = (\$addr_extension_virus);​
 +# @addr_extension_banned_maps ​    = (\$addr_extension_banned);​
 +# @addr_extension_spam_maps ​      = (\$addr_extension_spam);  ​
 +# @addr_extension_bad_header_maps = (\$addr_extension_bad_header);​
 +
 +
 +## MAIL DECODING
 +
 +# $bypass_decode_parts = undef;
 +
 +# $keep_decoded_original_re = undef;
 +# @keep_decoded_original_maps = (\$keep_decoded_original_re);​
 +
 +# $map_full_type_to_short_type_re = ... predefined regexp lookup table
 +# @map_full_type_to_short_type_maps = (\$map_full_type_to_short_type_re);​
 +
 +# $MAXLEVELS = undef;
 +# $MAXFILES ​ = undef;
 +# $MIN_EXPANSION_QUOTA = undef;
 +# $MAX_EXPANSION_QUOTA = undef;
 +# $MIN_EXPANSION_FACTOR =   ​5; ​ # times original mail size
 +# $MAX_EXPANSION_FACTOR = 500;  # times original mail size
 +
 +# $path = undef;
 +# $file = '​file';​
 +
 +# For backward compatibility the @decoders list defaults to use of legacy
 +# variables $gzip, $bzip2, $lzop, ...  It is cleaner to explicitly assign
 +# a list to @decoders in amavisd.conf and directly specify program paths,
 +# without indirections through legacy variables $gzip, etc.              ​
 +#                                                                        ​
 +# $gzip = $bzip2 = $lzop = $rpm2cpio = undef; ​                           ​
 +# $uncompress = $unfreeze = $arc = $unarj = $unrar = undef; ​             ​
 +# $zoo = $lha = $pax = $cpio = $cabextract = undef; ​                     ​
 +#                                                                        ​
 +# @decoders = (                                                          ​
 +#   ​['​mail',​ \&​do_mime_decode], ​                                         ​
 +### [[qw(asc uue hqx ync)], \&​do_ascii], ​ # not safe                     
 +#   ​['​F', ​   \&​do_uncompress,​ \$unfreeze], ​                              
 +#   ​['​Z', ​   \&​do_uncompress,​ \$uncompress], ​                            
 +#   ​['​gz', ​  ​\&​do_uncompress,​ \$gunzip], ​                                
 +#   ​['​gz', ​  ​\&​do_gunzip], ​                                              
 +#   ​['​bz2', ​ \&​do_uncompress,​ \$bunzip2], ​                               ​
 +#   ​['​xz', ​  ​\&​do_uncompress, ​                                           ​
 +#            ['​xzdec',​ 'xz -dc', 'unxz -c', '​xzcat'​] ],                  ​
 +#   ​['​lzma',​ \&​do_uncompress, ​                                           ​
 +#            ['​lzmadec',​ 'xz -dc --format=lzma', ​                        
 +#             '​lzma -dc', '​unlzma -c', '​lzcat',​ '​lzmadec'​] ],            ​
 +#   ​['​lrz', ​ \&​do_uncompress, ​                                           ​
 +#            ['​lrzip -q -k -d -o -', '​lrzcat -q -k'] ],                  ​
 +#   ​['​lzo', ​ \&​do_uncompress,​ \$unlzop], ​                                
 +#   ​['​rpm', ​ \&​do_uncompress,​ \$rpm2cpio], ​                              
 +#   ​[['​cpio','​tar'​],​ \&​do_pax_cpio,​ \$pax], ​                             ​
 +### ['​tar', ​ \&​do_tar], ​ # no longer supported ​                          
 +#   ​['​deb', ​ \&​do_ar,​ \$ar], ​                                            
 +### ['​a', ​   \&​do_ar,​ \$ar], ​ # unpacking .a seems an overkill ​          
 +#   ​['​rar', ​ \&​do_unrar,​ \$unrar], ​                                      
 +#   ​['​arj', ​ \&​do_unarj,​ \$unarj], ​                                      
 +#   ​['​arc', ​ \&​do_arc, ​  ​\$arc], ​                                        
 +#   ​['​zoo', ​ \&​do_zoo, ​  ​\$zoo], ​                                        
 +#   ​['​doc', ​ \&​do_ole, ​  ​\$ripole], ​                                     ​
 +#   ​['​cab', ​ \&​do_cabextract,​ \$cabextract], ​                            
 +#   ​['​tnef',​ \&​do_tnef_ext,​ \$tnef], ​                                    
 +#   ​['​tnef',​ \&​do_tnef], ​                                                
 +### ['​lha', ​ \&​do_lha, ​  ​\$lha], ​ # not safe, use 7z instead ​            
 +### ['​sit', ​ \&​do_unstuff,​ \$unstuff], ​ # not safe                       
 +#   ​[['​zip','​kmz'​],​ \&​do_7zip, ​ ['​7za',​ '​7z'​] ],                         
 +#   ​[['​zip','​kmz'​],​ \&​do_unzip], ​                                        
 +#   ​['​7z', ​  ​\&​do_7zip, ​ ['​7zr',​ '​7za',​ '​7z'​] ],                         
 +#   ​[[qw(7z zip gz bz2 Z tar)], ​                                         ​
 +#            \&​do_7zip, ​ ['​7za',​ '​7z'​] ],                                ​
 +#   ​[[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], ​            
 +#            \&​do_7zip, ​ '​7z'​ ],                                         
 +#   ​['​exe', ​ \&​do_executable,​ \$unrar, \$lha, \$unarj], ​                 ​
 +# );                                                                     
 +
 +
 +## ANTI-VIRUS AND INVALID/​FORBIDDEN CONTENTS CONTROLS
 +
 +# @av_scanners = ();
 +# @av_scanners_backup = ();
 +# $first_infected_stops_scan = undef;
 +# $virus_scanners_failure_is_fatal = undef;
 +
 +# $viruses_that_fake_sender_re = undef;
 +# @viruses_that_fake_sender_maps = (\$viruses_that_fake_sender_re,​ 1);
 +# @virus_name_to_policy_bank_maps = ();                               
 +#                                                                     
 +# @virus_name_to_spam_score_maps =                                    ​
 +#   ​(new_RE( ​ # the order matters, first match wins                   
 +#     [ qr'​^Structured\.(SSN|CreditCardNumber)\b' ​           => 0.1 ],
 +#     [ qr'​^(Heuristics\.)?​Phishing\.' ​                      => 0.1 ],
 +#     [ qr'​^(Email|HTML)\.Phishing\.(?​!.*Sanesecurity)' ​     => 0.1 ],
 +#     [ qr'​^Sanesecurity\.(Malware|Rogue|Trojan)\.'​ => undef ],# keep as infected
 +#     [ qr'​^Sanesecurity\.' ​                                 => 0.1 ],           
 +#     [ qr'​^Sanesecurity_PhishBar_' ​                         => 0   ​], ​          
 +#     [ qr'​^Sanesecurity.TestSig_' ​                          => 0   ​], ​          
 +#     [ qr'​^Email\.Spam\.Bounce(\.[^.,​ ]*)*\.Sanesecurity\.'​ => 0   ​], ​          
 +#     [ qr'​^Email\.Spammail\b' ​                              => 0.1 ],           
 +#     [ qr'​^MSRBL-(Images|SPAM)\b' ​                          => 0.1 ],           
 +#     [ qr'​^VX\.Honeypot-SecuriteInfo\.com\.Joke' ​           => 0.1 ],           
 +#     [ qr'​^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)'​ => 0.1 ],    ​
 +#     [ qr'​^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' ​         => 0.1 ],           
 +#     [ qr'​^Safebrowsing\.' ​                                 => 0.1 ],           
 +#     [ qr'​^winnow\.(phish|spam)\.' ​                         => 0.1 ],           
 +#     [ qr'​^INetMsg\.SpamDomain' ​                            => 0.1 ],           
 +#     [ qr'​^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'​=>​ 0.1 ],           
 +#     [ qr'​^Bofhland\.Phishing' ​                             => 0.1 ],           
 +#     [ qr'​^ScamNailer\.' ​                                   => 0.1 ],           
 +#     [ qr'​^HTML/​Bankish' ​                                   => 0.1 ],  # F-Prot ​
 +#     [ qr'​^PORCUPINE_JUNK' ​                                 => 0.1 ],           
 +#     [ qr'​^PORCUPINE_PHISHING' ​                             => 0.1 ],           
 +#     [ qr'​-SecuriteInfo\.com(\.|\z)' ​        => undef ],  # keep as infected ​   ​
 +#     [ qr'​^MBL_NA\.UNOFFICIAL' ​              => 0.1 ],    # false positives ​    
 +#     [ qr'​^MBL_' ​                            => undef ],  # keep as infected ​   ​
 +#   ​)); ​                                                                         ​
 +
 +# @banned_filename_maps = ( '​DEFAULT'​ );
 +# %banned_rules = ( '​DEFAULT'​ => $banned_filename_re); ​ # after-default
 +# $banned_filename_re = undef; ​ # traditional ​                         ​
 +# $banned_namepath_re = undef; ​ # regexp-style ​                        
 +
 +# @bypass_virus_checks_maps = (\%bypass_virus_checks,​ \@bypass_virus_checks_acl,​ \$bypass_virus_checks_re);​
 +# @bypass_banned_checks_maps = (\%bypass_banned_checks,​ \@bypass_banned_checks_acl,​ \$bypass_banned_checks_re);​
 +# @bypass_header_checks_maps = (\%bypass_header_checks,​ \@bypass_header_checks_acl,​ \$bypass_header_checks_re);​
 +
 +# @virus_lovers_maps = (\%virus_lovers,​ \@virus_lovers_acl,​ \$virus_lovers_re);​
 +# @banned_files_lovers_maps = (\%banned_files_lovers,​ \@banned_files_lovers_acl,​ \$banned_files_lovers_re);​
 +# @bad_header_lovers_maps = (\%bad_header_lovers,​ \@bad_header_lovers_acl,​ \$bad_header_lovers_re); ​       ​
 +# @unchecked_lovers_maps = ();                                                                             
 +
 +# $allowed_header_tests{$_} = 1  for qw(other mime 8bit control empty long
 +#                                       ​syntax missing multiple); ​        
 +
 +
 +## ANTI-Spam CONTROLS
 +
 +# @spam_scanners = ( ['​SpamAssassin',​ '​Amavis::​SpamControl::​SpamAssassin'​] );
 +
 +# $helpers_home = $MYHOME; ​ # after-default
 +# $sa_configpath = undef; ​                 ​
 +# $sa_siteconfigpath = undef; ​             ​
 +# $sa_num_instances = 1;                   
 +# @sa_userconf_maps = ();                  ​
 +# @sa_username_maps = ();                  ​
 +
 +# $sa_mail_body_size_limit = undef;
 +# $sa_local_tests_only = 0;        ​
 +# $sa_spawned = 0;                 
 +# $dspam = undef; ​                 ​
 +
 +# $sa_timeout = 30;
 +
 +# @bypass_spam_checks_maps = (\%bypass_spam_checks,​ \@bypass_spam_checks_acl,​ \$bypass_spam_checks_re);​
 +# @spam_lovers_maps = (\%spam_lovers,​ \@spam_lovers_acl,​ \$spam_lovers_re); ​                           ​
 +
 +# $sa_tag_level_deflt ​ = undef;
 +# $sa_tag2_level_deflt = undef;
 +# $sa_tag3_level_deflt = undef;
 +# $sa_kill_level_deflt = undef;
 +# $sa_dsn_cutoff_level = undef;
 +# $sa_crediblefrom_dsn_cutoff_level = undef;
 +# $sa_quarantine_cutoff_level = undef; ​     ​
 +
 +# @spam_tag_level_maps ​ = (\$sa_tag_level_deflt);​
 +# @spam_tag2_level_maps = (\$sa_tag2_level_deflt);​
 +# @spam_tag3_level_maps = (\$sa_tag3_level_deflt);​
 +# @spam_kill_level_maps = (\$sa_kill_level_deflt);​
 +# @spam_quarantine_cutoff_level_maps = (\$sa_quarantine_cutoff_level);​
 +# @spam_notifyadmin_cutoff_level_maps = ();                           
 +# @spam_dsn_cutoff_level_maps ​         = (\$sa_dsn_cutoff_level); ​    
 +# @spam_dsn_cutoff_level_bysender_maps = (\$sa_dsn_cutoff_level); ​    
 +# @spam_crediblefrom_dsn_cutoff_level_maps =                          ​
 +#   ​(\$sa_crediblefrom_dsn_cutoff_level); ​                            
 +# @spam_crediblefrom_dsn_cutoff_level_bysender_maps =                 
 +#   ​(\$sa_crediblefrom_dsn_cutoff_level); ​                            
 +
 +# $bounce_killer_score = 0;
 +
 +# $penpals_bonus_score = undef;
 +# $penpals_halflife = 7*24*60*60;
 +# $penpals_threshold_low = 1.0;  ​
 +# $penpals_threshold_high = undef;
 +
 +# $reputation_factor = 0.2;
 +
 +# @score_sender_maps = ();
 +# @signer_reputation_maps = ();
 +
 +# @blacklist_sender_maps = (\%blacklist_sender,​ \@blacklist_sender_acl,​ \$blacklist_sender_re);​
 +# @whitelist_sender_maps = (\%whitelist_sender,​ \@whitelist_sender_acl,​ \$whitelist_sender_re);​
 +
 +# $per_recip_blacklist_sender_lookup_tables = undef;
 +# $per_recip_whitelist_sender_lookup_tables = undef; ​ # deprecated
 +
 +# $os_fingerprint_method = undef;
 +# $os_fingerprint_dst_ip_and_port = undef;
 +
 +
 +## SQL, LDAP, Redis
 +
 +# $database_sessions_persistent = 1;
 +# $trim_trailing_space_in_lookup_result_fields = 0;
 +# $lookup_maps_imply_sql_and_ldap = 1;             
 +
 +# @storage_redis_dsn = ();  # Redis server(s) for pen pals, IP reput, JSON log
 +# $storage_redis_ttl = 16*24*60*60; ​                                          
 +# $enable_ip_repu = 1;                                                        ​
 +# @ip_repu_ignore_networks = ();                                              ​
 +# @ip_repu_ignore_maps = (\@ip_repu_ignore_networks); ​                        
 +# $redis_logging_key = undef; ​                                                
 +# $redis_logging_queue_size_limit = undef; ​                                   ​
 +
 +# @lookup_sql_dsn ​ = ();  # SQL data source name for lookups, or empty
 +# @storage_sql_dsn = ();  # SQL data source name for log/​quarantine,​ or empty
 +
 +# $sql_store_info_for_all_msgs = 1;
 +# $sql_schema_version = $myversion_id_numeric;​
 +# $timestamp_fmt_mysql = undef; ​              
 +# $sql_partition_tag = undef; ​                
 +# $sql_allow_8bit_address = 0;  # VARCHAR (0), VARBINARY/​BYTEA (1)
 +# $sql_lookups_no_at_means_domain = 0;                            ​
 +# $sql_quarantine_chunksize_max = 16384; ​                         ​
 +
 +# $sql_select_policy =
 +#   '​SELECT *,​users.id'​.
 +#   '​ FROM users LEFT JOIN policy ON users.policy_id=policy.id'​.
 +#   '​ WHERE users.email IN (%k) ORDER BY users.priority DESC';  ​
 +
 +# $sql_select_white_black_list =
 +#   '​SELECT wb'​. ​               ​
 +#   '​ FROM wblist JOIN mailaddr ON wblist.sid=mailaddr.id'​.
 +#   '​ WHERE wblist.rid=?​ AND mailaddr.email IN (%k)'​. ​     ​
 +#   '​ ORDER BY mailaddr.priority DESC'; ​                   ​
 +
 +# %sql_clause = (
 +#   '​sel_policy'​ => \$sql_select_policy,​
 +#   '​sel_wblist'​ => \$sql_select_white_black_list,​
 +#   '​sel_adr'​ =>                                  ​
 +#     '​SELECT id FROM maddr WHERE partition_tag=?​ AND email=?',​
 +#   '​ins_adr'​ =>                                               
 +#     '​INSERT INTO maddr (partition_tag,​ email, domain) VALUES (?,?,?​)',​
 +#   '​ins_msg'​ =>                                                        ​
 +#     '​INSERT INTO msgs (partition_tag,​ mail_id, secret_id, am_id,'​. ​   ​
 +#     '​ time_num, time_iso, sid, policy, client_addr,​ size, host)'​. ​    
 +#     '​ VALUES (?,?,?,?,?,?,?,?,?,?,?​)', ​                               ​
 +#   '​upd_msg'​ =>                                                        ​
 +#     '​UPDATE msgs SET content=?, quar_type=?,​ quar_loc=?, dsn_sent=?,'​.
 +#     '​ spam_level=?,​ message_id=?,​ from_addr=?,​ subject=?, client_addr=?,'​.
 +#     '​ originating=?'​. ​                                                    
 +#     '​ WHERE partition_tag=?​ AND mail_id=?', ​                              
 +#   '​ins_rcp'​ =>                                                            ​
 +#     '​INSERT INTO msgrcpt (partition_tag,​ mail_id, rseqnum, rid, is_local,'​.
 +#     '​ content, ds, rs, bl, wl, bspam_level,​ smtp_resp)'​. ​                  
 +#     '​ VALUES (?,?,?,?,?,?,?,?,?,?,?,?​)', ​                                  
 +#   '​ins_quar'​ =>                                                            ​
 +#     '​INSERT INTO quarantine (partition_tag,​ mail_id, chunk_ind, mail_text)'​.
 +#     '​ VALUES (?,?,?,?​)', ​                                                   ​
 +#   '​sel_msg'​ =>  # obtains partition_tag if missing in a release request ​    
 +#     '​SELECT partition_tag FROM msgs WHERE mail_id=?', ​                      
 +#   '​sel_quar'​ =>                                                             
 +#     '​SELECT mail_text FROM quarantine'​. ​                                    
 +#     '​ WHERE partition_tag=?​ AND mail_id=?'​. ​                                
 +#     '​ ORDER BY chunk_ind', ​                                                 ​
 +#   '​sel_penpals'​ =>  # no message-id references list                         
 +#     "​SELECT msgs.time_num,​ msgs.mail_id,​ subject"​. ​                         ​
 +#     "​ FROM msgs JOIN msgrcpt USING (partition_tag,​mail_id)"​. ​               ​
 +#     "​ WHERE sid=? AND rid=? AND msgs.content!='​V'​ AND ds='​P'"​. ​             ​
 +#     "​ ORDER BY msgs.time_num DESC", ​ # LIMIT 1                              ​
 +#   '​sel_penpals_msgid'​ =>  # with a nonempty list of message-id references ​  
 +#     "​SELECT msgs.time_num,​ msgs.mail_id,​ subject, message_id, rid"​. ​        
 +#     "​ FROM msgs JOIN msgrcpt USING (partition_tag,​mail_id)"​. ​               ​
 +#     "​ WHERE sid=? AND msgs.content!='​V'​ AND ds='​P'​ AND message_id IN (%m)"​. ​
 +#       "​ AND rid!=sid"​. ​                                                     ​
 +#     "​ ORDER BY rid=? DESC, msgs.time_num DESC", ​ # LIMIT 1                  ​
 +# );                                                                          ​
 +
 +## LDAP, Please see file README.lookups for more info.
 +
 +# $enable_ldap = 0;
 +# $ldap_lookups_no_at_means_domain = 0;
 +#                                      ​
 +# $default_ldap = {                    ​
 +#   ​hostname ​      => '​localhost', ​    
 +#   ​localaddr ​     => undef, ​          
 +#   ​port ​          => undef, ​ # 389 or 636, default provided by Net::LDAP
 +#   ​scheme ​        => undef, ​ # '​ldaps'​ or '​ldap',​ depending on hostname ​
 +#   ​inet6 ​         => $have_inet6 ? 1 : 0,                               
 +#   ​version ​       => 3,                                                 
 +#   ​timeout ​       => 120,                                               
 +#   ​deref ​         => '​find', ​                                           ​
 +#   ​bind_dn ​       => undef, ​                                            
 +#   ​bind_password ​ => undef, ​                                            
 +#   ​tls ​           => 0,                                                 
 +#   ​verify ​        => '​none', ​                                           ​
 +#   ​sslversion ​    => '​tlsv1', ​                                          
 +#   ​clientcert ​    => undef, ​                                            
 +#   ​clientkey ​     => undef, ​                                            
 +#   ​cafile ​        => undef, ​                                            
 +#   ​capath ​        => undef, ​                                            
 +#   ​sasl ​          => 0,                                                 
 +#   ​sasl_mech ​     => undef, ​ # space-separated list of mech names       
 +#   ​sasl_auth_id ​  => undef, ​                                            
 +# };                                                                     
 +
 +
 +## hierarchy by which a final setting is chosen:
 +##   ​policy bank (based on port or IP address) -> *_by_ccat
 +##   ​*_by_ccat (based on mail contents) -> *_maps ​         ​
 +##   ​*_maps (based on recipient address) -> final configuration value
 +
 +
 +## MAPPING A CONTENTS CATEGORY TO A SETTING CHOSEN
 +
 +# %final_destiny_maps_by_ccat = (
 +#   ​CC_VIRUS, ​      sub { c('​final_virus_destiny'​) },
 +#   ​CC_BANNED, ​     sub { c('​final_banned_destiny'​) },
 +#   ​CC_UNCHECKED, ​  sub { c('​final_unchecked_destiny'​) },
 +#   ​CC_SPAM, ​       sub { c('​final_spam_destiny'​) },     
 +#   ​CC_BADH, ​       sub { c('​final_bad_header_destiny'​) },
 +#   ​CC_MTA.',​1', ​   D_TEMPFAIL, ​                          
 +#   ​CC_MTA.',​2', ​   D_REJECT, ​                            
 +#   ​CC_OVERSIZED, ​  ​D_BOUNCE, ​                            
 +#   ​CC_CATCHALL, ​   D_PASS, ​                              
 +# );                                                      ​
 +# %forward_method_maps_by_ccat = (                        ​
 +#   ​CC_CATCHALL, ​   sub { ca('​forward_method_maps'​) },    ​
 +# );                                                      ​
 +# %smtp_reason_by_ccat = (                                ​
 +#   # currently only used for blocked messages only, status 5xx
 +#   # a multiline message will produce a valid multiline SMTP response
 +#   ​CC_VIRUS, ​      '​id=%n - INFECTED: %V', ​                          
 +#   ​CC_BANNED, ​     'id=%n - BANNED: %F', ​                            
 +#   ​CC_UNCHECKED, ​  '​id=%n - UNCHECKED', ​                             ​
 +#   ​CC_SPAM, ​       'id=%n - spam', ​                                  
 +#   ​CC_SPAMMY.',​1',​ 'id=%n - spammy (tag3)', ​                         ​
 +#   ​CC_SPAMMY, ​     'id=%n - spammy', ​                                
 +#   ​CC_BADH.',​1', ​  '​id=%n - BAD HEADER: MIME error', ​                
 +#   ​CC_BADH.',​2', ​  '​id=%n - BAD HEADER: nonencoded 8-bit character', ​
 +#   ​CC_BADH.',​3', ​  '​id=%n - BAD HEADER: contains invalid control character',​
 +#   ​CC_BADH.',​4', ​  '​id=%n - BAD HEADER: line made up entirely of whitespace',​
 +#   ​CC_BADH.',​5', ​  '​id=%n - BAD HEADER: line longer than RFC 5322 limit', ​   ​
 +#   ​CC_BADH.',​6', ​  '​id=%n - BAD HEADER: syntax error', ​                      
 +#   ​CC_BADH.',​7', ​  '​id=%n - BAD HEADER: missing required header field', ​     ​
 +#   ​CC_BADH.',​8', ​  '​id=%n - BAD HEADER: duplicate header field', ​            
 +#   ​CC_BADH, ​       'id=%n - BAD HEADER', ​                                    
 +#   ​CC_OVERSIZED, ​  '​id=%n - Message size exceeds recipient\'​s size limit', ​  
 +#   ​CC_MTA.',​1', ​   'id=%n - Temporary MTA failure on relaying', ​             ​
 +#   ​CC_MTA.',​2', ​   'id=%n - Rejected by next-hop MTA on relaying', ​          
 +#   ​CC_MTA, ​        '​id=%n - Unable to relay message back to MTA', ​           ​
 +#   ​CC_CLEAN, ​      '​id=%n - CLEAN', ​                                         ​
 +#   ​CC_CATCHALL, ​   'id=%n - OTHER', ​ # should not happen ​                    
 +# );                                                                          ​
 +# %lovers_maps_by_ccat = (                                                    ​
 +#   ​CC_VIRUS, ​      sub { ca('​virus_lovers_maps'​) },                          ​
 +#   ​CC_BANNED, ​     sub { ca('​banned_files_lovers_maps'​) },                   
 +#   ​CC_UNCHECKED, ​  sub { ca('​unchecked_lovers_maps'​) },                      ​
 +#   ​CC_SPAM, ​       sub { ca('​spam_lovers_maps'​) },                           
 +#   ​CC_SPAMMY, ​     sub { ca('​spam_lovers_maps'​) },                           
 +#   ​CC_BADH, ​       sub { ca('​bad_header_lovers_maps'​) },                     
 +# );                                                                          ​
 +# %defang_maps_by_ccat = (                                                    ​
 +#   ​CC_VIRUS, ​      sub { c('​defang_virus'​) },                                ​
 +#   ​CC_BANNED, ​     sub { c('​defang_banned'​) },                               
 +#   ​CC_UNCHECKED, ​  sub { c('​defang_undecipherable'​) },                       
 +#   ​CC_SPAM, ​       sub { c('​defang_spam'​) },                                 
 +#   ​CC_SPAMMY, ​     sub { c('​defang_spam'​) },                                 
 +# # CC_BADH.',​3', ​  ​1, ​ # NUL or CR character in header section ​              
 +# # CC_BADH.',​5', ​  ​1, ​ # header line longer than 998 characters ​             ​
 +# # CC_BADH.',​6', ​  ​1, ​ # header field syntax error                           
 +#   ​CC_BADH, ​       sub { c('​defang_bad_header'​) },                           
 +# );                                                                          ​
 +# %subject_tag_maps_by_ccat = (                                               
 +#   ​CC_VIRUS, ​      [ '​***INFECTED*** ' ],                                    ​
 +#   ​CC_BANNED, ​     undef, ​                                                   ​
 +#   ​CC_UNCHECKED, ​  sub { [ c('​undecipherable_subject_tag'​) ] }, # not by-recip
 +#   ​CC_SPAM, ​       undef, ​                                                    
 +#   ​CC_SPAMMY.',​1',​ sub { ca('​spam_subject_tag3_maps'​) },                      ​
 +#   ​CC_SPAMMY, ​     sub { ca('​spam_subject_tag2_maps'​) },                      ​
 +#   ​CC_CLEAN.',​1', ​ sub { ca('​spam_subject_tag_maps'​) },                       
 +# );                                                                           
 +# %quarantine_method_by_ccat = (                                               
 +#   ​CC_VIRUS, ​      sub { c('​virus_quarantine_method'​) },                      ​
 +#   ​CC_BANNED, ​     sub { c('​banned_files_quarantine_method'​) },               
 +#   ​CC_UNCHECKED, ​  sub { c('​unchecked_quarantine_method'​) },                  ​
 +#   ​CC_SPAM, ​       sub { c('​spam_quarantine_method'​) },                       
 +#   ​CC_BADH, ​       sub { c('​bad_header_quarantine_method'​) },                 
 +#   ​CC_CLEAN, ​      sub { c('​clean_quarantine_method'​) },                      ​
 +# );                                                                           
 +# %quarantine_to_maps_by_ccat = (                                              ​
 +#   ​CC_VIRUS, ​      sub { ca('​virus_quarantine_to_maps'​) },                    ​
 +#   ​CC_BANNED, ​     sub { ca('​banned_quarantine_to_maps'​) },                   
 +#   ​CC_UNCHECKED, ​  sub { ca('​unchecked_quarantine_to_maps'​) },                ​
 +#   ​CC_SPAM, ​       sub { ca('​spam_quarantine_to_maps'​) },                     
 +#   ​CC_BADH, ​       sub { ca('​bad_header_quarantine_to_maps'​) },               
 +#   ​CC_CLEAN, ​      sub { ca('​clean_quarantine_to_maps'​) },                    ​
 +# );                                                                           
 +# %admin_maps_by_ccat = (                                                      ​
 +#   ​CC_VIRUS, ​      sub { ca('​virus_admin_maps'​) },                            ​
 +#   ​CC_BANNED, ​     sub { ca('​banned_admin_maps'​) },                           
 +#   ​CC_UNCHECKED, ​  sub { ca('​virus_admin_maps'​) },                            ​
 +#   ​CC_SPAM, ​       sub { ca('​spam_admin_maps'​) },                             
 +#   ​CC_BADH, ​       sub { ca('​bad_header_admin_maps'​) },                       
 +# );                                                                           
 +# %always_bcc_by_ccat = (                                                      ​
 +#   ​CC_CATCHALL, ​   sub { c('​always_bcc'​) },                                   
 +# );                                                                           
 +# %dsn_bcc_by_ccat = (                                                         
 +#   ​CC_CATCHALL, ​   sub { c('​dsn_bcc'​) },                                      ​
 +# );                                                                           
 +# %mailfrom_notify_admin_by_ccat = (                                           
 +#   ​CC_SPAM, ​       sub { c('​mailfrom_notify_spamadmin'​) },                    ​
 +#   ​CC_CATCHALL, ​   sub { c('​mailfrom_notify_admin'​) },                        ​
 +# );                                                                           
 +# %hdrfrom_notify_admin_by_ccat = (                                            ​
 +#   ​CC_SPAM, ​       sub { c('​hdrfrom_notify_spamadmin'​) },                     
 +#   ​CC_CATCHALL, ​   sub { c('​hdrfrom_notify_admin'​) },                         
 +# );                                                                           
 +# %mailfrom_notify_recip_by_ccat = (                                           
 +#   ​CC_CATCHALL, ​   sub { c('​mailfrom_notify_recip'​) },                        ​
 +# );                                                                           
 +# %hdrfrom_notify_recip_by_ccat = (                                            ​
 +#   ​CC_CATCHALL, ​   sub { c('​hdrfrom_notify_recip'​) },                         
 +# );                                                                           
 +# %hdrfrom_notify_sender_by_ccat = (                                           
 +#   ​CC_CATCHALL, ​   sub { c('​hdrfrom_notify_sender'​) },                        ​
 +# );                                                                           
 +# %hdrfrom_notify_release_by_ccat = (                                          ​
 +#   ​CC_CATCHALL, ​   sub { c('​hdrfrom_notify_release'​) },                       
 +# );                                                                           
 +# %hdrfrom_notify_report_by_ccat = (                                           
 +#   ​CC_CATCHALL, ​   sub { c('​hdrfrom_notify_report'​) },                        ​
 +# );                                                                           
 +# %notify_admin_templ_by_ccat = (                                              ​
 +#   ​CC_SPAM, ​       sub { cr('​notify_spam_admin_templ'​) },                     
 +#   ​CC_CATCHALL, ​   sub { cr('​notify_virus_admin_templ'​) },                    ​
 +# );                                                                           
 +# %notify_recips_templ_by_ccat = (                                             
 +#   ​CC_SPAM, ​       sub { cr('​notify_spam_recips_templ'​) },  #usualy empty     
 +#   ​CC_CATCHALL, ​   sub { cr('​notify_virus_recips_templ'​) },                   
 +# );                                                                           
 +# %notify_sender_templ_by_ccat = (  # bounce templates ​                        
 +#   ​CC_VIRUS, ​      sub { cr('​notify_virus_sender_templ'​) },                   
 +#   ​CC_BANNED, ​     sub { cr('​notify_virus_sender_templ'​) }, #historical reason
 +#   ​CC_SPAM, ​       sub { cr('​notify_spam_sender_templ'​) },                    ​
 +#   ​CC_CATCHALL, ​   sub { cr('​notify_sender_templ'​) },                         
 +# );                                                                           
 +# %notify_release_templ_by_ccat = (                                            ​
 +#   ​CC_CATCHALL, ​   sub { cr('​notify_release_templ'​) },                        ​
 +# );                                                                           
 +# %notify_report_templ_by_ccat = (                                             
 +#   ​CC_CATCHALL, ​   sub { cr('​notify_report_templ'​) },                         
 +# );                                                                           
 +# %notify_autoresp_templ_by_ccat = (                                           
 +#   ​CC_CATCHALL, ​   sub { cr('​notify_autoresp_templ'​) },                       
 +# );                                                                           
 +# %warnsender_by_ccat = (  # deprecated use, except perhaps for CC_BADH ​       ​
 +#   ​CC_VIRUS, ​      ​undef, ​                                                    
 +#   ​CC_BANNED, ​     sub { c('​warnbannedsender'​) },                             
 +#   ​CC_SPAM, ​       undef, ​                                                    
 +#   ​CC_BADH, ​       sub { c('​warnbadhsender'​) },                               
 +# );                                                                           
 +# %warnrecip_maps_by_ccat = (                                                  ​
 +#   ​CC_VIRUS, ​      sub { ca('​warnvirusrecip_maps'​) },                         
 +#   ​CC_BANNED, ​     sub { ca('​warnbannedrecip_maps'​) },                        ​
 +#   ​CC_SPAM, ​       undef, ​                                                    
 +#   ​CC_BADH, ​       sub { ca('​warnbadhrecip_maps'​) },                          ​
 +# );                                                                           
 +# %addr_extension_maps_by_ccat = (                                             
 +#   ​CC_VIRUS, ​      sub { ca('​addr_extension_virus_maps'​) },                   
 +#   ​CC_BANNED, ​     sub { ca('​addr_extension_banned_maps'​) },                  ​
 +#   ​CC_SPAM, ​       sub { ca('​addr_extension_spam_maps'​) },                    ​
 +#   ​CC_SPAMMY, ​     sub { ca('​addr_extension_spam_maps'​) },                    ​
 +#   ​CC_BADH, ​       sub { ca('​addr_extension_bad_header_maps'​) },              ​
 +# # CC_OVERSIZED, ​  '​oversized'; ​                                              
 +# );                                                                           
 +# %addr_rewrite_maps_by_ccat = ( );                                            ​
 +
 +
 +## POLICY BANKS
 +
 +# %interface_policy = ();  # maps input interface/​port to policy bank name
 +
 +# $policy_bank{''​} = { ...predefined... };
 +
 +    ## the built-in policy bank (empty name) is predefined, and includes
 +    ## references to most other variables listed above (the dynamic config
 +    ## variables), which are accessed only indirectly through the currently
 +    ## installed policy bank. Overlaying a policy bank with another policy ​
 +    ## bank may bring-in references to entirely different variables, ​      
 +    ## possibly unnamed. Here is a list of configuration variables ​        
 +    ## referenced from the built-in policy bank by keys of the same name   
 +    ## (e.g. { log_level => \$log_level,​ inet_acl => \@inet_acl, ...} )    ​
 +    ##                                                                     
 +    ##   ​$child_timeout $smtpd_timeout ​                                    
 +    ##   ​$policy_bank_name $protocol @inet_acl ​                            
 +    ##   ​$myhostname $myauthservid $snmp_contact $snmp_location ​           ​
 +    ##   ​$myprogram_name $syslog_ident $syslog_facility ​                   ​
 +    ##   ​$log_level $log_templ $log_recip_templ $enable_log_capture_dump ​  
 +    ##   ​$forward_method $notify_method $resend_method $report_format ​     ​
 +    ##   ​$release_method $requeue_method $release_format ​                  
 +    ##   ​$attachment_password $attachment_email_name $attachment_outer_name
 +    ##   ​$os_fingerprint_method $os_fingerprint_dst_ip_and_port ​           ​
 +    ##   ​$originating @smtpd_discard_ehlo_keywords $soft_bounce ​           ​
 +    ##   ​$propagate_dsn_if_possible $terminate_dsn_on_notify_success ​      
 +    ##   ​$amavis_auth_user $amavis_auth_pass $auth_reauthenticate_forwarded
 +    ##   ​$auth_required_out $auth_required_inp $auth_required_release ​     ​
 +    ##   ​@auth_mech_avail $tls_security_level_in $tls_security_level_out ​  
 +    ##   ​$local_client_bind_address $smtpd_message_size_limit ​             ​
 +    ##   ​$localhost_name $smtpd_greeting_banner $smtpd_quit_banner ​        
 +    ##   ​$mailfrom_to_quarantine $warn_offsite $bypass_decode_parts @decoders
 +    ##   ​@av_scanners @av_scanners_backup @spam_scanners ​                    
 +    ##   ​$first_infected_stops_scan $virus_scanners_failure_is_fatal ​        
 +    ##   ​$sa_spam_level_char $sa_mail_body_size_limit ​                       ​
 +    ##   ​$penpals_bonus_score $penpals_halflife $bounce_killer_score ​        
 +    ##   ​$reputation_factor ​                                                 ​
 +    ##   ​$undecipherable_subject_tag $localpart_is_case_sensitive ​           ​
 +    ##   ​$recipient_delimiter $replace_existing_extension ​                   ​
 +    ##   ​$hdr_encoding $bdy_encoding $hdr_encoding_qb ​                       ​
 +    ##   ​$allow_disclaimers $outbound_disclaimers_only ​                      
 +    ##   ​$prepend_header_fields_hdridx ​                                      
 +    ##   ​$allow_fixing_improper_header ​                                      
 +    ##   ​$allow_fixing_improper_header_folding $allow_fixing_long_header_lines
 +    ##   ​%allowed_added_header_fields %prefer_our_added_header_fields ​        
 +    ##   ​%allowed_header_tests ​                                               ​
 +    ##   ​$X_HEADER_TAG $X_HEADER_LINE ​                                        
 +    ##   ​$remove_existing_x_scanned_headers $remove_existing_spam_headers ​    
 +    ##   ​%sql_clause $partition_tag ​                                          
 +    ##   ​%local_delivery_aliases $banned_namepath_re ​                         ​
 +    ##   ​$per_recip_whitelist_sender_lookup_tables ​                           ​
 +    ##   ​$per_recip_blacklist_sender_lookup_tables ​                           ​
 +    ##   ​@anomy_sanitizer_args @altermime_args_defang ​                        
 +    ##   ​@altermime_args_disclaimer @disclaimer_options_bysender_maps ​        
 +    ##   ​%signed_header_fields @dkim_signature_options_bysender_maps ​         ​
 +    ##   ​$enable_dkim_verification $enable_dkim_signing $dkim_signing_service ​
 +    ##   ​$dkim_minimum_key_bits $enable_ldap $enable_ip_repu $redis_logging_key
 +    ##                                                                         
 +    ##   ​@local_domains_maps ​                                                  
 +    ##   ​@mynetworks_maps @client_ipaddr_policy @ip_repu_ignore_maps ​          
 +    ##   ​@forward_method_maps @newvirus_admin_maps @banned_filename_maps ​      
 +    ##   ​@spam_quarantine_bysender_to_maps ​                                    
 +    ##   ​@spam_tag_level_maps @spam_tag2_level_maps @spam_tag3_level_maps ​     ​
 +    ##   ​@spam_kill_level_maps ​                                                
 +    ##   ​@spam_subject_tag_maps @spam_subject_tag2_maps @spam_subject_tag3_maps
 +    ##   ​@spam_dsn_cutoff_level_maps @spam_dsn_cutoff_level_bysender_maps ​     ​
 +    ##   ​@spam_crediblefrom_dsn_cutoff_level_maps ​                             ​
 +    ##   ​@spam_crediblefrom_dsn_cutoff_level_bysender_maps ​                    
 +    ##   ​@spam_quarantine_cutoff_level_maps @spam_notifyadmin_cutoff_level_maps
 +    ##   ​@whitelist_sender_maps @blacklist_sender_maps @score_sender_maps ​     ​
 +    ##   ​@author_to_policy_bank_maps @signer_reputation_maps ​                  
 +    ##   ​@message_size_limit_maps @debug_sender_maps @debug_recipient_maps ​    
 +    ##   ​@bypass_virus_checks_maps @bypass_spam_checks_maps ​                   ​
 +    ##   ​@bypass_banned_checks_maps @bypass_header_checks_maps ​                
 +    ##   ​@viruses_that_fake_sender_maps ​                                       ​
 +    ##   ​@virus_name_to_spam_score_maps @virus_name_to_policy_bank_maps ​       ​
 +    ##   ​@remove_existing_spam_headers_maps ​                                   ​
 +    ##   ​@sa_userconf_maps @sa_username_maps
 +    ##
 +    ##   ​%final_destiny_maps_by_ccat %forward_method_maps_by_ccat
 +    ##   ​%lovers_maps_by_ccat %defang_maps_by_ccat %subject_tag_maps_by_ccat
 +    ##   ​%quarantine_method_by_ccat %quarantine_to_maps_by_ccat
 +    ##   ​%notify_admin_templ_by_ccat %notify_recips_templ_by_ccat
 +    ##   ​%notify_sender_templ_by_ccat %notify_autoresp_templ_by_ccat
 +    ##   ​%notify_release_templ_by_ccat %notify_report_templ_by_ccat
 +    ##   ​%warnsender_by_ccat
 +    ##   ​%hdrfrom_notify_admin_by_ccat %mailfrom_notify_admin_by_ccat
 +    ##   ​%hdrfrom_notify_recip_by_ccat %mailfrom_notify_recip_by_ccat
 +    ##   ​%hdrfrom_notify_sender_by_ccat
 +    ##   ​%hdrfrom_notify_release_by_ccat %hdrfrom_notify_report_by_ccat
 +    ##   ​%admin_maps_by_ccat %warnrecip_maps_by_ccat
 +    ##   ​%always_bcc_by_ccat %dsn_bcc_by_ccat
 +    ##   ​%addr_extension_maps_by_ccat %addr_rewrite_maps_by_ccat
 +    ##   ​%smtp_reason_by_ccat
 +
 +    # legacy dynamic configuration variables:
 +
 +    ##   ​$final_virus_destiny $final_banned_destiny $final_unchecked_destiny
 +    ##   ​$final_spam_destiny $final_bad_header_destiny
 +    ##   ​@virus_lovers_maps @spam_lovers_maps @unchecked_lovers_maps
 +    ##   ​@banned_files_lovers_maps @bad_header_lovers_maps
 +    ##   ​$always_bcc $dsn_bcc
 +    ##   ​$mailfrom_notify_sender $mailfrom_notify_recip
 +    ##   ​$mailfrom_notify_admin ​ $mailfrom_notify_spamadmin
 +    ##   ​$hdrfrom_notify_sender ​ $hdrfrom_notify_recip
 +    ##   ​$hdrfrom_notify_admin ​  ​$hdrfrom_notify_spamadmin
 +    ##   ​$hdrfrom_notify_release $hdrfrom_notify_report
 +    ##   ​$notify_virus_admin_templ ​ $notify_spam_admin_templ
 +    ##   ​$notify_virus_recips_templ $notify_spam_recips_templ
 +    ##   ​$notify_virus_sender_templ $notify_spam_sender_templ
 +    ##   ​$notify_sender_templ $notify_release_templ
 +    ##   ​$notify_report_templ $notify_autoresp_templ
 +    ##   ​$warnbannedsender $warnbadhsender
 +    ##   ​$defang_virus $defang_banned $defang_spam
 +    ##   ​$defang_bad_header $defang_undecipherable $defang_all
 +    ##   ​$virus_quarantine_method $banned_files_quarantine_method
 +    ##   ​$unchecked_quarantine_method $spam_quarantine_method
 +    ##   ​$bad_header_quarantine_method $clean_quarantine_method
 +    ##   ​$archive_quarantine_method
 +    ##   ​@virus_quarantine_to_maps @banned_quarantine_to_maps
 +    ##   ​@unchecked_quarantine_to_maps @spam_quarantine_to_maps
 +    ##   ​@bad_header_quarantine_to_maps @clean_quarantine_to_maps
 +    ##   ​@archive_quarantine_to_maps
 +    ##   ​@virus_admin_maps @banned_admin_maps
 +    ##   ​@spam_admin_maps @bad_header_admin_maps @spam_modifies_subj_maps
 +    ##   ​@warnvirusrecip_maps @warnbannedrecip_maps @warnbadhrecip_maps
 +    ##   ​@addr_extension_virus_maps ​ @addr_extension_spam_maps
 +    ##   ​@addr_extension_banned_maps @addr_extension_bad_header_maps
 +
 +1;  # insure a defined return value
 +</​file>​
 +
 +=== eigene, individuelle Konfigurationsdatei ===
 +Nun legen wir uns unsere eigene Konfigurationsdatei an. Wie bereits angesprochen,​ unterteilen wir unsere ​  Datei in unterschiedliche Sektionen.
 +  * **PFADANGABEN DER LOKALEN INSTALLATION**
 +  * **GRUNDSÄTZLICHE SERVERANGABEN UND -DEFINITIONEN**
 +  * **LOGGING**
 +  * **SOCKETS**
 +  * **POLICY MAPPINGS**
 +  * **DESTINATIONS**
 +  * **NOTIFICATIONS**
 +  * **VIRUS POLICY**
 +  * **SPAM POLICY**
 +  * **BANNED POLICY**
 +  * **HEADER POLICY**
 +  * **UNCHECKED POLICY**
 +  * **DKIM - Domain Key Identified Mail**
 +  * **POLICY BANKS**
 +
 +Somit ergibt isch folgende komplette neue AMaViS-Konfigurationsdatei.
 +   # vim /​etc/​amavisd/​amavisd.conf
 +
 +<file perl /​etc/​amavisd/​amavisd.conf>​use strict; ​                                     ​
 +################################################################################​
 +#                                                                              #
 +#     ​Django : 2014-11-15 - Musterkonfiguration AMaViS 2.9 unter CentOS 7      #
 +#                                                                              #
 +################################################################################​
 +
 +# Eine Aufstellung aller möglichen Variablen findet man in der Datei
 +# /​usr/​share/​doc/​amavisd-new-2.9.1/​amavisd.conf-default aus dem RPM. Auf der 
 +# Webseite http://​www.ijs.si/​software/​amavisd/​amavisd-new-docs.html findet ​  
 +# man darüber hinaus noch viele erklärungen und Konfigurationsbeispiele ​     ​
 +
 +################################################################################​
 +## PFADANGABEN DER LOKALEN INSTALLATION ​                                        
 +#                                                                               
 +
 +# Pfadangaben zu den Programmen und Tools
 +$path = '/​usr/​local/​sbin:/​usr/​local/​bin:/​usr/​sbin:/​sbin:/​usr/​bin:/​bin';​
 +
 +# Arbeitsverzeichnisses von AMaViS
 +$MYHOME = '/​var/​spool/​amavisd'; ​  
 +
 +# Verzeichnis für temporäre Daten
 +#$TEMPBASE = '​$MYHOME/​tmp'; ​     ​
 +$TEMPBASE = "​$MYHOME/​tmp"; ​      
 +
 +# Enviroment Variable TMPDIR, wird unter anderem von Spamassassion verwendet
 +$ENV{TMPDIR} = $TEMPBASE; ​                                                  
 +
 +# Keine Quarantäne -> kein Quarantäneverzeichnis notwendig
 +$QUARANTINEDIR = undef; ​                                  
 +
 +# Verzeichnisses für die Berkeley-Datenbank Dateien nanny/​cache/​snmp
 +$db_home ​  = "​$MYHOME/​db"; ​                                         ​
 +
 +# Pfade zur PID- und LOCK-Datei
 +$lock_file = "/​var/​run/​amavisd/​amavisd.lock";​
 +$pid_file ​ = "/​var/​run/​amavisd/​amavisd.pid"; ​
 +
 +# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
 +@score_sender_maps = ({ # a by-recipient hash lookup table,
 +                        # results from all matching recipient tables are summed
 +
 +# ## per-recipient personal tables ​ (NOTE: positive: black, negative: white)
 +# '​user1@example.com' ​ => [{'​bla-mobile.press@example.com' ​            => 10.0}],
 +# '​user3@example.com' ​ => [{'​.ebay.com' ​                               => -3.0}],
 +# '​user4@example.com' ​ => [{'​cleargreen@cleargreen.com' ​               => -7.0,
 +#                           '​.cleargreen.com' ​                         => -5.0}],
 +
 +  ## site-wide opinions about senders (the '​.'​ matches any recipient)
 +  '​.'​ => [  # the _first_ matching sender determines the score boost
 +
 +   ​new_RE( ​ # regexp-type lookup table, just happens to be all soft-blacklist
 +    [qr'​^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'​i ​          => 5.0],
 +    [qr'​^(greatcasino|investments|lose_weight_today|market\.alert)@'​i ​ => 5.0],
 +    [qr'​^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'​i ​ => 5.0],
 +    [qr'​^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'​i ​    => 5.0],
 +    [qr'​^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'​i ​   => 5.0],
 +    [qr'​^(your_friend|greatoffers)@'​i ​                                 => 5.0],
 +    [qr'​^(inkjetplanet|marketopt|MakeMoney)\d*@'​i ​                     => 5.0],
 +   ),
 +
 +#  read_hash("/​var/​amavis/​sender_scores_sitewide"​),​
 +
 +   { # a hash-type lookup table (associative array)
 +     '​nobody@cert.org' ​                                                => -3.0,
 +     '​cert-advisory@us-cert.gov' ​                                      => -3.0,
 +     '​owner-alert@iss.net' ​                                            => -3.0,
 +     '​slashdot@slashdot.org' ​                                          => -3.0,
 +     '​securityfocus.com' ​                                              => -3.0,
 +     '​ntbugtraq@listserv.ntbugtraq.com' ​                               => -3.0,
 +     '​security-alerts@linuxsecurity.com' ​                              => -3.0,
 +     '​mailman-announce-admin@python.org' ​                              => -3.0,
 +     '​amavis-user-admin@lists.sourceforge.net' ​                        => -3.0,
 +     '​amavis-user-bounces@lists.sourceforge.net' ​                      => -3.0,
 +     '​spamassassin.apache.org' ​                                        => -3.0,
 +     '​notification-return@lists.sophos.com' ​                           => -3.0,
 +     '​owner-postfix-users@postfix.org' ​                                => -3.0,
 +     '​owner-postfix-announce@postfix.org' ​                             => -3.0,
 +     '​owner-sendmail-announce@lists.sendmail.org' ​                     => -3.0,
 +     '​sendmail-announce-request@lists.sendmail.org' ​                   => -3.0,
 +     '​donotreply@sendmail.org' ​                                        => -3.0,
 +     '​ca+envelope@sendmail.org' ​                                       => -3.0,
 +     '​noreply@freshmeat.net' ​                                          => -3.0,
 +     '​owner-technews@postel.acm.org' ​                                  => -3.0,
 +     '​ietf-123-owner@loki.ietf.org' ​                                   => -3.0,
 +     '​cvs-commits-list-admin@gnome.org' ​                               => -3.0,
 +     '​rt-users-admin@lists.fsck.com' ​                                  => -3.0,
 +     '​clp-request@comp.nus.edu.sg' ​                                    => -3.0,
 +     '​surveys-errors@lists.nua.ie' ​                                    => -3.0,
 +     '​emailnews@genomeweb.com' ​                                        => -5.0,
 +     '​yahoo-dev-null@yahoo-inc.com' ​                                   => -3.0,
 +     '​returns.groups.yahoo.com' ​                                       => -3.0,
 +     '​clusternews@linuxnetworx.com' ​                                   => -3.0,
 +     ​lc('​lvs-users-admin@LinuxVirtualServer.org'​) ​                     => -3.0,
 +     ​lc('​owner-textbreakingnews@CNNIMAIL12.CNN.COM'​) ​                  => -5.0,
 +
 +     # soft-blacklisting (positive score)
 +     '​sender@example.net' ​                                             =>  3.0,
 +     '​.example.net' ​                                                   =>  1.0,
 +
 +   },
 +  ],  # end of site-wide tables
 +});
 +
 +# Utilities mit denen amavis Archive auspackt
 +@decoders = (                                ​
 +    ['​mail',​ \&​do_mime_decode], ​             ​
 +    ['​F', ​   \&​do_uncompress,​ ['​unfreeze',​ '​freeze -d', '​melt',​ '​fcat'​] ],
 +    ['​Z', ​   \&​do_uncompress,​ ['​uncompress',​ 'gzip -d', '​zcat'​] ],        ​
 +    ['​gz', ​  ​\&​do_uncompress,​ 'gzip -d'​], ​                                
 +    ['​gz', ​  ​\&​do_gunzip], ​                                               ​
 +    ['​bz2', ​ \&​do_uncompress,​ 'bzip2 -d'​], ​                               ​
 +    ['​xz', ​  ​\&​do_uncompress,​ ['​xzdec',​ 'xz -dc', 'unxz -c', '​xzcat'​] ],  ​
 +    ['​lzma',​ \&​do_uncompress,​ ['​lzmadec',​ 'xz -dc --format=lzma', ​        
 +            'lzma -dc', '​unlzma -c', '​lzcat',​ '​lzmadec'​] ],               
 +    ['​lrz', ​ \&​do_uncompress,​ ['​lrzip -q -k -d -o -', '​lrzcat -q -k'] ],  ​
 +    ['​lzo', ​ \&​do_uncompress,​ 'lzop -d'​], ​                                
 +    ['​rpm', ​ \&​do_uncompress,​ ['​rpm2cpio.pl',​ '​rpm2cpio'​] ],              ​
 +    [['​cpio','​tar'​],​ \&​do_pax_cpio,​ ['​pax',​ '​gcpio',​ '​cpio'​] ],           
 +    ['​deb', ​ \&​do_ar,​ '​ar'​], ​                                             ​
 +    ['​rar', ​ \&​do_unrar,​ ['​unrar',​ '​rar'​] ],                              ​
 +    ['​arj', ​ \&​do_unarj,​ ['​unarj',​ '​arj'​] ],                              ​
 +    ['​arc', ​ \&​do_arc, ​  ​['​nomarch',​ '​arc'​] ],                            ​
 +    ['​zoo', ​ \&​do_zoo, ​  ​['​zoo',​ '​unzoo'​] ],                              ​
 +    ['​cab', ​ \&​do_cabextract,​ '​cabextract'​], ​                             ​
 +    ['​tnef',​ \&​do_tnef], ​                                                 ​
 +    [['​zip','​kmz'​],​ \&​do_7zip, ​ ['​7za',​ '​7z'​] ],                          ​
 +    [['​zip','​kmz'​],​ \&​do_unzip], ​                                         ​
 +    ['​7z', ​  ​\&​do_7zip, ​ ['​7zr',​ '​7za',​ '​7z'​] ],                          ​
 +    [[qw(7z zip gz bz2 Z tar)], \&​do_7zip, ​ ['​7za',​ '​7z'​] ],              ​
 +    [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&​do_7zip, ​ '​7z'​ ],
 +    ['​exe', ​ \&​do_executable,​ ['​unrar','​rar'​],​ '​lha',​ ['​unarj','​arj'​] ],        ​
 +);                                                                              ​
 +
 +# eMails wird komplett dem Virenscanner zugestellt. Dem Inhalt von Archiven
 +# wird grundsätzlich nicht vertraut. ​                                      
 +@keep_decoded_original_maps = (new_RE( ​                                    
 +  qr'​^MAIL$', ​                                                             ​
 +  qr'​^MAIL-UNDECIPHERABLE$', ​                                              
 +  qr'​^(ASCII(?​! cpio)|text|uuencoded|xxencoded|binhex)', ​                  
 +));                                                                        ​
 +
 +
 +################################################################################​
 +## GRUNDSÄTZLICHE SERVERANGABEN UND -DEFINITIONEN ​                              
 +#                                                                               
 +
 +# Anzahl Server (pre-forked childs) die gestartet werden sollen.
 +$max_servers = 5;                                               
 +
 +# User und Gruppe des AMaViS Daemon
 +$daemon_user ​ = '​amavis'; ​         ​
 +$daemon_group = '​amavis'; ​         ​
 +
 +# Hostname (FQDN) des AMaViS-Servers
 +$myhostname = '​viruswall.dmz.nausch.org';​
 +
 +# Lokale Domäne des AMaViS-Servers
 +$mydomain = '​nausch.org'; ​        
 +
 +# Adresstrennzeichen in der eMail-Adresse
 +$recipient_delimiter = '​+'; ​             ​
 +
 +# Wir setzen alles auf NULL und definieren das Backrouting in den Policy Banks
 +
 +# Wie werden die eMails an den ;MTA zurückgegeben?​ "​undef"​ bei Verwendung des
 +# amavisd-milter! ​                                                           ​
 +$forward_method = undef; ​                                                    
 +
 +$notify_method ​ = '​smtp:​[mail.dmz.nausch.org]:​10025';​
 +
 +#​$allowed_added_header_fields{lc('​X-Virus-Scanned'​)} = 0;
 +
 +
 +################################################################################​
 +## LOGGING ​                                                                     ​
 +#                                                                               
 +
 +# verbosity 0..5, -d
 +# Django : 2014-11-18
 +# default: $log_level = 0;
 +$log_level = 3;           
 +# disable by-recipient level-0 log entries
 +$log_recip_templ = undef; ​                
 +# log via syslogd (preferred) ​            
 +$do_syslog = 1;                           
 +# Syslog facility as a string e.g.: mail, daemon, user, local0, ... local7
 +$syslog_facility = '​mail'; ​                                               ​
 +#Syslog base (minimal) priority ​                                          
 +$syslog_priority = '​debug'; ​                                              
 +# enable use of BerkeleyDB/​libdb (SNMP and nanny) ​                        
 +$enable_db = 1;                                                           
 +# enable use of libdb-based cache if $enable_db=1 ​                        
 +$enable_global_cache = 1;                                                 
 +# enable use of ZeroMQ (SNMP and nanny) ​                                  
 +# $enable_zmq = 1;                                                        ​
 +# # nanny verbosity: 1: traditional,​ 2: detailed ​                         ​
 +$nanny_details_level = 2;                                                 
 +
 +# @lookup_sql_dsn =
 +#   ( ['​DBI:​mysql:​database=mail;​host=127.0.0.1;​port=3306',​ '​user1',​ '​passwd1'​],​
 +#     ​['​DBI:​mysql:​database=mail;​host=host2',​ '​username2',​ '​password2'​], ​       ​
 +#     ​["​DBI:​SQLite:​dbname=$MYHOME/​sql/​mail_prefs.sqlite",​ '',​ ''​] );           
 +# @storage_sql_dsn = @lookup_sql_dsn; ​ # none, same, or separate database ​     ​
 +
 +# @storage_redis_dsn = ( {server=>'​127.0.0.1:​6379',​ db_id=>​1} );
 +# $redis_logging_key = '​amavis-log'; ​                           ​
 +# about 250 MB / 100000 ​                                        
 +# $redis_logging_queue_size_limit = 300000; ​                    
 +
 +# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
 +#   ​defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
 +
 +
 +################################################################################​
 +## SOCKETS ​                                                                     ​
 +#                                                                               
 +
 +# Wo soll AMaViS auf eingehende Verbindungen lauschen?
 +@listen_sockets = (                                   
 +        '​10.0.0.67:​10024', ​                           ​
 +        '​127.0.0.1:​9998', ​                            
 +        "​$MYHOME/​amavisd.sock" ​                       ​
 +        );                                            ​
 +
 +
 +################################################################################​
 +## POLICY MAPPINGS ​                                                             ​
 +#                                                                               
 +
 +# Wir routen eingehende Verbindungen aufgrund unterschiedlicher Kriterien in
 +# Policy Banks. ​                                                            
 +
 +# TCP-Sockets auf Policies mappen
 +$interface_policy{'​9998'​} ​ = '​AM.PDP-INET';​
 +$interface_policy{'​10024'​} = '​ORIGINATING';​
 +
 +# UNIX-Domain-Sockets auf Policies mappen
 +$interface_policy{'​SOCK'​} ​ = '​AM.PDP-SOCK';​
 +
 +# IP-Adressen/​Ranges auf Policies mappen
 +@client_ipaddr_policy = (               
 +    [qw( 0.0.0.0/8 127.0.0.1/​32 [::] [::1] )]           => '​LOCALHOST',​
 +    [qw( !172.16.1.0/​24 172.16.0.0/​12 192.168.0.0/​16 )] => '​PRIVATENETS',​
 +    [qw( 192.0.2.0/​25 192.0.2.129 192.0.2.130 )]        => '​PARTNER', ​   ​
 +    [qw( 198.51.100.88/​32 )]                            => '​CUSTOMERS',  ​
 +    [qw( 203.0.113.164/​32 )]                            => '​HOSTING', ​   ​
 +    \@mynetworks ​                                       => '​MYNETS', ​    
 +);                                                                       
 +
 +# DKIM-verifizierte Sender(domains) auf Policies mappen
 +@author_to_policy_bank_maps = ( {                      ​
 +    '​piratenpartei-bayern.de'​ => '​WHITELIST,​NOBANNEDCHECK,​NOVIRUSCHECK',​
 +    '​.paypal.de' ​             => '​WHITELIST', ​                          
 +    '​.paypal.com' ​            => '​WHITELIST', ​                          
 +    '​amazon.de' ​              => '​WHITELIST', ​                          
 +} );                                                                    ​
 +
 +
 +################################################################################​
 +## DESTINATIONS ​                                                                
 +#                                                                               
 +
 +# Definition der Verkehrsrichtungen:​
 +
 +# Das ist nach intern. Alle anderen Destinationen sind im Umkehrschluss extern.
 +@local_domains_maps = (                                                        ​
 +    ["​.$mydomain"​], ​                                                           ​
 +    read_hash("/​etc/​postfix/​all_local_domains_map"​), ​                          
 +    );                                                                         
 +
 +# Das kommt von intern. Alles andere ist per Default von extern, ausser wir
 +# erkennen es an anderen Kriterien wie z.B. DKIM-Signatur oder originating Port
 +@mynetworks = qw(                                                              ​
 +    127.0.0.0/​8 ​                                                               ​
 +    [::1]                                                                      ​
 +    [FE80::​]/​10 ​                                                               ​
 +    [FEC0::​]/​10 ​                                                               ​
 +    10.0.0.0/​24 ​                                                               ​
 +    10.0.10.0/​26 ​                                                              
 +)
 +
 +
 +################################################################################​
 +## NOTIFICATIONS ​                                                               ​
 +#                                                                               
 +
 +# Externe warnen?
 +$warn_offsite = 0;
 +
 +# Envelope Sender
 +$mailfrom_notify_admin = "​postmaster\@$mydomain";​
 +$mailfrom_notify_recip = "​postmaster\@$mydomain";​
 +$mailfrom_notify_sender = "​postmaster\@$mydomain";​
 +$mailfrom_notify_spamadmin = "​postmaster\@$mydomain";​
 +$mailfrom_to_quarantine = ''; ​                       ​
 +$dsn_bcc = "​postmaster\@$mydomain"; ​                 ​
 +
 +# From: Header
 +$hdrfrom_notify_sender = "​Postmaster <​postmaster\@$mydomain>";​
 +$hdrfrom_notify_recip = "​Postmaster <​postmaster\@$mydomain>"; ​
 +$hdrfrom_notify_release = "​Postmaster <​postmaster\@$mydomain>";​
 +
 +
 +################################################################################​
 +## VIRUS POLICY ​                                                                
 +#                                                                               
 +
 +# Check aktivieren?
 +# @bypass_virus_checks_maps = (1);
 +
 +# In Quarantäne?​
 +$virus_quarantine_to = undef;
 +
 +# Admin benachrichtigen?​
 +$virus_admin = undef; ​  
 +
 +# Empfänger benachrichtigen?​
 +$warnvirusrecip = 1;        ​
 +
 +# Recipient-Adresse bei Release erweitern?
 +@addr_extension_virus_maps = ('​virus'​); ​  
 +
 +# eMail bei Release wrappen?
 +$defang_virus ​ = 1;         
 +
 +# Wollen wir Content transportieren?​
 +$final_virus_destiny = D_REJECT; ​   ​
 +
 +@av_scanners = (
 +  ### http://​www.clamav.net/​
 +  ['​ClamAV-clamd', ​         ​
 +    \&​ask_daemon,​ ["​CONTSCAN {}\n", "/​var/​run/​clamd.amavisd/​clamd.sock"​],​
 +    qr/\bOK$/m, qr/​\bFOUND$/​m, ​                                          
 +    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],                        ​
 +);                                                                       
 +
 +@av_scanners_backup = ();
 +#​@av_scanners_backup = ( 
 +#  ### http://​www.clamav.net/ ​  - backs up clamd or Mail::​ClamAV
 +#  ['​ClamAV-clamscan',​ '​clamscan', ​                             ​
 +#    "​--stdout --no-summary -r --tempdir=$TEMPBASE {}", ​        
 +#    [0], qr/:​.*\sFOUND$/​m,​ qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 +#);                                                                      ​
 +
 +
 +################################################################################​
 +## SPAM POLICY ​                                                                 ​
 +#                                                                               
 +
 +# Check aktivieren?
 +# @bypass_spam_checks_maps ​ = (1);
 +
 +# In Quarantäne?​
 +$spam_quarantine_to = undef;
 +
 +# Admin benachrichtigen?​
 +$spam_admin = undef; ​   ​
 +
 +# Recipient-Adresse bei Release erweitern?
 +@addr_extension_spam_maps = ('​spam'​); ​    
 +
 +# eMail bei Release wrappen?
 +$defang_spam = undef; ​      
 +
 +# Wollen wir Content transportieren?​
 +$final_spam_destiny = D_REJECT; ​    
 +
 +# add spam info headers if at, or above that level
 +$sa_tag_level_deflt ​ = -1000.0; ​                  
 +# add 'spam detected'​ headers at that level       
 +$sa_tag2_level_deflt = 6.31;                      ​
 +# triggers spam evasive actions (e.g. blocks mail)
 +$sa_kill_level_deflt = 6.31;                      ​
 +# spam level beyond which a DSN is not sent       
 +$sa_dsn_cutoff_level = 10;                        ​
 +# likewise, but for a likely valid From           
 +$sa_crediblefrom_dsn_cutoff_level = 18;           
 +# spam level beyond which quarantine is off       
 +# $sa_quarantine_cutoff_level = 25;               
 +
 +# (no effect without a @storage_sql_dsn database)
 +$penpals_bonus_score = 8;                        ​
 +# don't waste time on hi spam                    ​
 +$penpals_threshold_high = $sa_kill_level_deflt;  ​
 +# spam score points to add for joe-jobbed bounces
 +$bounce_killer_score = 100;                      ​
 +# don't waste time on SA if mail is larger ​      
 +$sa_mail_body_size_limit = 400*1024; ​            
 +# only tests which do not require internet access?
 +$sa_local_tests_only = 0;                         
 +
 +$sa_spam_subject_tag = '​***Spam*** ';
 +
 +
 +################################################################################​
 +## BANNED POLICY ​                                                               ​
 +#                                                                               
 +
 +# Check aktivieren?
 +#​@bypass_banned_checks_maps ​ = (1);
 +
 +# In Quarantäne?​
 +$banned_quarantine_to = undef;
 +
 +# Admin benachrichtigen?​
 +$banned_admin = undef;  ​
 +
 +# Recipient-Adresse bei Release erweitern?
 +@addr_extension_banned_maps = ('​banned'​); ​
 +
 +# eMail bei Release wrappen?
 +$defang_banned = 1;         
 +
 +# Wollen wir Content transportieren?​
 +$final_banned_destiny = D_BOUNCE; ​  
 +
 +# Definitionslisten in denen wir bestimmte Dateitypen zusammenfassen
 +# Die Definitionsnamen können wir in einer Policy verwenden ​        
 +%banned_rules = (                                                   
 +    '​NO-MS-EXEC'​=>​ new_RE( qr'​^\.(exe-ms)$'​ ),                      ​
 +    '​PASSALL' ​  => new_RE( [qr'​^'​ => 0] ),                          ​
 +    '​ALLOW_EXE'​ => new_RE( qr'​.\.(vbs|pif|scr|bat)$'​i,​ [qr'​^\.exe$'​ => 0] ),
 +    '​ALLOW_VBS'​ => new_RE( [qr'​.\.vbs$'​ => 0] ),                            ​
 +    '​NO-VIDEO' ​ => new_RE( qr'​^\.movie$',​ qr'​.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'​i,​ ),                                                                                 
 +    '​NO-MOVIES'​ => new_RE( qr'​^\.movie$',​ qr'​.\.(mpg|avi|mov)$'​i,​ ),                           
 +    '​MYNETS-DEFAULT'​ => new_RE( [ qr'​^\.(rpm|cpio|tar)$'​ => 0 ], qr'​.\.(vbs|pif|scr)$'​i,​ ),    ​
 +    '​DEFAULT'​ => $banned_filename_re, ​                                                         ​
 +);                                                                                             
 +
 +# Alles was in der Definitionsliste oben DEFAULT ist
 +$banned_filename_re = new_RE( ​                      
 +    # banned file(1) types, rudimentary ​            
 +    qr'​^\.(exe-ms|dll)$', ​                          
 +    # allow any in Unix-type archives ​              
 +    [ qr'​^\.(rpm|cpio|tar)$' ​      => 0 ],          ​
 +    # banned extensions - rudimentary ​              
 +    qr'​.\.(pif|scr)$'​i, ​                            
 +    # block these MIME types                        ​
 +    qr'​^application/​x-msdownload$'​i, ​               ​
 +    qr'​^application/​x-msdos-program$'​i, ​            
 +    qr'​^application/​hta$'​i, ​                        
 +    # block certain double extensions in filenames  ​
 +    qr'​^(?​!cid:​).*\.[^./​]*[A-Za-z][^./​]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'​i,​
 +    # banned extension - basic+cmd ​                                                         ​
 +    qr'​.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'​i, ​                                            
 +);                                                                                          ​
 +
 +
 +################################################################################​
 +## HEADER POLICY ​                                                               ​
 +#                                                                               
 +
 +# Check aktivieren?
 +# @bypass_header_checks_maps = (1);
 +
 +# In Quarantäne?​
 +$bad_header_quarantine_method = undef;
 +
 +# Recipient-Adresse bei Release erweitern?
 +@addr_extension_bad_header_maps = ('​badh'​);​
 +
 +# eMail bei Release wrappen?
 +# NUL or CR character in header
 +$defang_by_ccat{CC_BADH.",​3"​} = 1;
 +# header line longer than 998 characters
 +$defang_by_ccat{CC_BADH.",​5"​} = 1;      ​
 +# header field syntax error             
 +$defang_by_ccat{CC_BADH.",​6"​} = 1;      ​
 +
 +# Wollen wir Content transportieren?​
 +$final_bad_header_destiny = D_PASS; ​
 +
 +# Admin benachrichtigen?​
 +$bad_header_admin = undef;
 +
 +# Sender benachrichtigen?​
 +$warnbadhsender = undef; ​
 +
 +# Empfänger benachrichtigen?​
 +$warnbadhrecip = undef; ​    
 +
 +
 +################################################################################​
 +## UNCHECKED POLICY ​                                                            
 +#                                                                               
 +$undecipherable_subject_tag = ''; ​                                              
 +
 +$MAXLEVELS = 14;
 +$MAXFILES = 3000;
 +# bytes  (default undef, not enforced)
 +$MIN_EXPANSION_QUOTA =      100*1024; ​
 +# bytes  (default undef, not enforced)
 +$MAX_EXPANSION_QUOTA = 500*1024*1024; ​
 +
 +
 +################################################################################​
 +## DKIM - Domain Key Identified Mail                                            ​
 +#                                                                               
 +
 +# DKIM-Signaturen verifizieren
 +$enable_dkim_verification = 0;
 +
 +# DKIM-Signaturen erstellen
 +$enable_dkim_signing = 0;  ​
 +
 +# Private Keys und Selectors
 +#                           
 +# signing domain ​        ​selector ​  ​private key                       ​options
 +# ------------- ​         -------- ​  ​---------------------- ​           ----------
 +# dkim_key('​nausch.org',​ '​201411',​ '/​var/​spool/​amavis/​dkim/​201411_nausch.org'​); ​
 +
 +# DKIM Signing Policies
 +@dkim_signature_options_bysender_maps = (
 +    { '​.'​ =>                             
 +        {                                ​
 +                ttl => 21*24*3600, ​      
 +                c => '​relaxed/​simple' ​   ​
 +        }                                ​
 +    }                                    ​
 +);                                       
 +
 +# to query p0f-analyzer.pl
 +# $os_fingerprint_method = '​p0f:​*:​2345';​
 +
 +## hierarchy by which a final setting is chosen:
 +##   ​policy bank (based on port or IP address) -> *_by_ccat
 +##   ​*_by_ccat (based on mail contents) -> *_maps ​         ​
 +##   ​*_maps (based on recipient address) -> final configuration value
 +
 +
 +################################################################################​
 +## POLICY BANKS                                                                 
 +#                                                                               
 +
 +## POLICY BANK MYNETWORK
 +# Alles Hosts, die in MYNETS gelistet sind
 +$policy_bank{'​MYNETS'​} = {                ​
 +    # Jede Mail von einen unserer Hosts wird als originating gesetzt
 +    originating => 1,                                               
 +    # Keine pof Abfragen für interne Clients durchführen. ​          
 +    os_fingerprint_method => undef,  ​
 +    # keinerlei unchecked-Meldungen verschicken
 +    #​$admin_maps_by_ccat{+CC_UNCHECKED} =  undef,
 +    # "​nur"​ keine UNCHECKED-ENCRYPTED Notifications verschicken
 +    $admin_maps_by_ccat{+CC_UNCHECKED.',​1'​} = undef;
 +};                                                                  ​
 +
 +## POLICY BANK SUBMISSON
 +# Nachrichten unserer Kunden, die auf Port 587 (Submisson) eingeliefert wurden
 +# wird als originating,​ also von uns gesetzt. ​                                
 +$policy_bank{'​ORIGINATING'​} = {                                               
 +    # welcher Host darf soll auf Port 10014 einliefern dürfen ​                
 +    inet_acl => [qw( 10.0.0.87 )],                                            ​
 +    # eMails vom Port 587 werdenals "von uns" = originating gesetzt ​          
 +    originating => 1,                                                         
 +    # Disclaimer an jede Mail anfügen, sofern welche verfügbar sind.          ​
 +    allow_disclaimers => 1,                                                   
 +    # notify administrator of locally originating malware ​                    
 +    virus_admin_maps => ["​virusalert\@$mydomain"​], ​                           ​
 +    spam_admin_maps ​ => ["​virusalert\@$mydomain"​], ​                           ​
 +    warnbadhsender ​  => 1, 
 +    # keinerlei unchecked-Meldungen verschicken
 +    #​$admin_maps_by_ccat{+CC_UNCHECKED} =  undef,
 +    # "​nur"​ keine UNCHECKED-ENCRYPTED Notifications verschicken
 +    $admin_maps_by_ccat{+CC_UNCHECKED.',​1'​} = undef;
 +    # forward to a smtpd service providing DKIM signing service ​              
 +    forward_method => '​smtp:​[127.0.0.1]:​10027', ​                              
 +    # force MTA conversion to 7-bit (e.g. before DKIM signing) ​               ​
 +    smtpd_discard_ehlo_keywords => ['​8BITMIME'​], ​                             ​
 +    # allow sending any file names and types                                  ​
 +    bypass_spam_checks_maps => [0],                                      ​
 +    # allow sending any file names and types                                  ​
 +    bypass_banned_checks_maps => [1],                                         
 +    # don't remove NOTIFY=SUCCESS option ​                                     ​
 +    terminate_dsn_on_notify_success => 0,
 +    notify_method ​ => '​smtp:​[10.0.0.87]:​10025',​
 +    forward_method => '​smtp:​[10.0.0.87]:​10025',​
 +    final_virus_destiny => '​D_BOUNCE',​
 +};
 +
 +# Hier schlägt der MILTER auf
 +$policy_bank{'​AM.PDP-SOCK'​} = {
 +    protocol => '​AM.PDP',​
 +    auth_required_release => 0,
 +};
 +
 +# Hier würden wir releasen
 +$policy_bank{'​AM.PDP-INET'​} = {
 +    protocol => '​AM.PDP',​
 +    inet_acl => [qw( 127.0.0.1 )],
 +    auth_required_release => 0,
 +};
 +
 +
 +## POLICY BANK: WHITELIST
 +  $policy_bank{'​WHITELIST'​} = {
 +    bypass_spam_checks_maps => [1],
 +    spam_lovers_maps => [1],
 +  };
 +
 +
 +## POLICY BANK: NOVIRUSCHECK
 +  $policy_bank{'​NOVIRUSCHECK'​} = {
 +    bypass_decode_parts => 1,
 +    bypass_virus_checks_maps => [1],
 +    virus_lovers_maps => [1],
 +  };
 +
 +
 +## POLICY BANK: NOBANNEDCHECK
 +  $policy_bank{'​NOBANNEDCHECK'​} = {
 +    bypass_banned_checks_maps => [1],
 +    banned_files_lovers_maps ​ => [1],
 +  };
 +
 +
 +1;  # insure a defined return value
 +
 +# vim: set ft=perl sw=4:</​file>​
 +
 +
 +
 +
 +==== Postfix ====
 +Die Anbindung des AMaViS-Servers an unseren Postfix-MTA nehmen wir nun im folgendem Konfigurationsschritt vor. Dabei unterscheiden wir die unterschiedlichen Verkehrsrichtungen bei unserem **MHS**((**M**ail **H**andling **S**ystem)):​
 +  * **MTA**((**M**ail **T**ransport **A**gent))-Traffic : Hier bewerten und prüfen wir die Nachricht noch während der Annahme der Nachricht. Daher nutzen wir hier unseren [[centos:​mail_c7:​spam_6#​amavisd-milter|amavisd-milter]] für die Anbindung des MTAs an das **AS/​AV**((**A**nti **S**pam/​**A**nti **V**irus))-System vor. Den zur Anbindung genutzten Milter, sprechen wir über den über TCP-Port **8899** an. Dazu definieren wir uns eine eigene Variable **amavisd_milter** für unseren Milter. Dieser Variable weisen wir in der Section **MILTER** den Wert //​inet:​10.0.0.67:​8899//​ zu. \\ \\ <​code>​ # vim /​etc/​postfix/​main.cf</​code><​code bash>...
 +
 +################################################################################​
 +## MILTER
 +# Django : 2014-11-18
 +# DMARC Test
 +amavisd_milter ​  = inet:​10.0.0.67:​8899
 +
 +...
 +</​code>​ Nun binden wir beim entsprechendem Daemon in der //​**/​etc/​postfix/​**//​ mit Hilfe unserer eigenen Variable den amavisd-milter ein. <​code>​ # vim /​etc/​postfix/​master.cf</​code><​code bash>#
 +# Postfix master process configuration file.  For details on the format
 +# of the file, see the master(5) manual page (command: "man 5 master"​).
 +#
 +# Do not forget to execute "​postfix reload"​ after editing this file.
 +#
 +# ==========================================================================
 +# service type  private unpriv ​ chroot ​ wakeup ​ maxproc command + args
 +#               ​(yes) ​  ​(yes) ​  ​(yes) ​  ​(never) (100)
 +# ==========================================================================
 +#
 +# Django : 2014-10-29 postscreen
 +#
 +smtp      inet  n       ​- ​      ​n ​      ​- ​      ​1 ​      ​postscreen
 +smtpd     ​pass ​ -       ​- ​      ​n ​      ​- ​      ​- ​      smtpd
 +  -o smtpd_sasl_auth_enable=no
 +# Django : 2014-11-29 amavisd-milter eingebunden
 +  -o smtpd_milters=${amavisd_milter}
 +dnsblog ​  ​unix ​ -       ​- ​      ​n ​      ​- ​      ​0 ​      ​dnsblog
 +tlsproxy ​ unix  -       ​- ​      ​n ​      ​- ​      ​0 ​      ​tlsproxy
 + 
 +...
 +</​code>​
 +  * **MUA**((**M**ail **U**ser **A**gent))-**MSA**((**M**ail **S**ubmission **A**gent))-Traffic : Bei der Annahme der eMail von unseren eigenen Kunden, wollen wir im Gegensatz zum MTA zu MTA Verkehr **nicht** prequeue über **amavisd-milter** filtern, sondern als content_filter. Dies hat vor allem den Grund, dass die Annahme der Nachrichten auf Port **587** sofort erfolgt und die NAchrichten erst im Anschluss gescannt werden. So muss ein einliefernder **MUA** nicht warten, bis der Content-Scanner die Nachricht verarbeitet hat. Somit vermeiden wir den Eindruck, dass die Einlieferung extrem lange dauert, wenn z.B. erst ein verschachteltes ZIP-Archiv aus dem Mailanhang mit 35 MB ausgepackt und gescannt werden muss. \\ \\ Wir tragen hierzu in der Konfigurationsdatei //​**/​etc/​postfix/​master.cf**//​ unseren **content_filter** nach. \\ \\ <​code>​ # vim /​etc/​postfix/​master.cf</​code><​code bash># Django : 2014-10-27 Submission auf Port 587 geöffnet
 +submission inet n       ​- ​      ​n ​      ​- ​      ​- ​      smtpd
 +  -o syslog_name=postfix/​submission
 +  -o smtpd_tls_security_level=encrypt
 +  -o smtpd_sasl_auth_enable=yes
 +  -o smtpd_reject_unlisted_recipient=no
 +  -o smtpd_etrn_restrictions=reject
 +  -o smtpd_recipient_restrictions=
 +  -o smtpd_relay_restrictions=permit_sasl_authenticated,​reject
 +  -o milter_macro_daemon_name=ORIGINATING
 +  -o content_filter=smtp:​[10.0.0.67]:​10024
 +  -o mydestination=lists.nausch.org,​fax.nausch.org</​code>​
 +
 +
 +==== Paketfilter ====
 +=== AMaViS-Host ===
 +Damit unser MTA-Server die Dienste/​Ports auf unserem AMaViS-Host erreichen können, müssen wir für diese noch Änderungen am Paketfilter firewalld vornehmen. ​
 +
 +Als erstes gestatten wir den Verkehr vom SMTP-Daemon zum AMaViS-Milter.
 +   # firewall-cmd --permanent --zone=public --add-rich-rule="​rule family="​ipv4"​ source address="​10.0.0.87/​32"​ port protocol="​tcp"​ port="​8899"​ destination address="​10.0.0.67/​32"​ accept"​
 +
 +   ​success
 +
 +Anschließend setzen wir eine weitere Firewall-Regel,​ die es erlaubt, dass der SMTP-Daemon die Nachrichten beim AMaViS-Port **10024**, die er von unseren eigennen Mailclients auf dem Submissionport **587** erhalten haben.
 +   # firewall-cmd --permanent --zone=public --add-rich-rule="​rule family="​ipv4"​ source address="​10.0.0.87/​32"​ port protocol="​tcp"​ port="​10024"​ destination address="​10.0.0.67/​32"​ accept"​
 +
 +   ​success
 +
 +Dann können wir den Firewall-Daemon einmal durchstarten und anschließend überprüfen,​ ob die Regeln auch entsprechend unserer Definition, gezogen haben. ​
 +   # firewall-cmd --reload
 +
 +   ​success
 +
 +   # iptables -nvL IN_public_allow
 +<​code>​Chain IN_public_allow (1 references)
 + pkts bytes target ​    prot opt in     ​out ​    ​source ​              ​destination
 +    0     0 ACCEPT ​    ​tcp ​ --  *      *       ​10.0.0.87 ​           10.0.0.67 ​           tcp dpt:8899 ctstate NEW
 +    0     0 ACCEPT ​    ​tcp ​ --  *      *       ​0.0.0.0/​0 ​           0.0.0.0/​0 ​           tcp dpt:22 ctstate NEW
 +</​code>​
 +
 +=== MTA-Host ===
 +Entsprechend müssen wir natürlich auch auf dem SMTP-Host eine weitere Firewall-Regel anlegen, damit __**nur der**__ AMaViS-Host von der policybank **SUBMISSON** zurück auf dem Port **10025** und seine Notification-Mails einliefern kann.
 +
 +   # firewall-cmd --permanent --zone=public --add-rich-rule="​rule family="​ipv4"​ source address="​10.0.0.67/​32"​ port protocol="​tcp"​ port="​10025"​ destination address="​10.0.0.87/​32"​ accept"​
 +
 +   ​success
 +
 +Anschließend starten wir den Firewall-Daemon einmal durch und überprüfen anschließend,​ ob die Regeln auch entsprechend unserer Definition, gezogen haben. ​
 +
 +   # firewall-cmd --reload
 +
 +   ​success
 +
 +Abschließend prüfen wir noch, ob die Erweiterung unseres Paketfilter aktiv ist. 
 +   # iptables -nvL IN_public_allow
 +<​code>​Chain IN_public_allow (1 references)
 + pkts bytes target ​    prot opt in     ​out ​    ​source ​              ​destination
 +    0     0 ACCEPT ​    ​tcp ​ --  *      *       ​10.0.0.67 ​           10.0.0.87 ​           tcp dpt:10025 ctstate NEW
 +    0     0 ACCEPT ​    ​tcp ​ --  *      *       ​0.0.0.0/​0 ​           0.0.0.0/​0 ​           tcp dpt:22 ctstate NEW
 +    0     0 ACCEPT ​    ​tcp ​ --  *      *       ​0.0.0.0/​0 ​           0.0.0.0/​0 ​           tcp dpt:587 ctstate NEW
 +    0     0 ACCEPT ​    ​tcp ​ --  *      *       ​0.0.0.0/​0 ​           0.0.0.0/​0 ​           tcp dpt:25 ctstate NEW
 +</​code>​
 +
 +
 +
 +
 +
 +===== Programmstart =====
 +Bevor wir nun unseren AMaViS-Daemon starten, installieren wir noch die beiden Backend-Filter:​
 +  * **[[centos:​mail_c7:​spam_7|ClamAV für AMaViS unter CentOS 7.x]]**
 +  * **[[centos:​mail_c7:​spam_8|Spamassassin für AMaViS unter CentOS 7.x]]**
 +
 +Ist dies erfolgt können wir die Dienste Starten und Testen.
 +==== amavisd-milter ====
 +Als erstes starten wir unseren Milter **amavisd-milter**. ​
 +   # systemctl start amavisd-milter
 +
 +Fragen wir nun den Status des Daemon ab sehen wir neben den Logeinträgen im **Maillog** und **Syslog** die Aufrufparameter des Daemon.
 +   # systemctl status amavisd-milter -l
 +<​code>​amavisd-milter.service - amavisd-milter is a milter (mailfilter) for amavisd-new which uses the AM.PDP protocol.
 +   ​Loaded:​ loaded (/​usr/​lib/​systemd/​system/​amavisd-milter.service;​ enabled)
 +   ​Active:​ active (running) since Tue 2014-12-02 09:38:09 CET; 49s ago
 +     Docs: http://​amavisd-milter.sourceforge.net/​
 +  Process: 15164 ExecStart=/​usr/​sbin/​amavisd-milter-helper (code=exited,​ status=0/​SUCCESS)
 + Main PID: 15166 (amavisd-milter)
 +   ​CGroup:​ /​system.slice/​amavisd-milter.service
 +           ​└─15166 /​usr/​sbin/​amavisd-milter -B -w /​var/​spool/​amavisd/​tmp -s inet:​8899@10.0.0.67 -S /​var/​spool/​amavisd/​amavisd.sock -p /​var/​run/​amavisd/​amavisd-milter.pid -m 2 -M 300 -t 600 -T 600
 +
 +Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: Starting amavisd-milter is a milter (mailfilter) for amavisd-new which uses the AM.PDP protocol....
 +Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: PID file /​var/​run/​amavisd/​amavisd-milter.pid not readable (yet?) after start.
 +Dec 02 09:38:09 vml000067.dmz.nausch.org amavisd-milter[15166]:​ starting amavisd-milter 1.6.0 on socket inet:​8899@10.0.0.67
 +Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: Started amavisd-milter is a milter (mailfilter) for amavisd-new which uses the AM.PDP protocol..</​code>​
 +
 +Mit **lsof** können wir auch den geöfneten Port überprüfen.
 +   # lsof -i :8899
 +
 +   ​COMMAND ​    ​PID ​  ​USER ​  ​FD ​  TYPE DEVICE SIZE/OFF NODE NAME
 +   ​amavisd-m 15166 amavis ​   3u  IPv4 158740 ​     0t0  TCP vml000067.dmz.nausch.org:​8899 (LISTEN)
 +
 +
 +==== amavisd ====
 +Als nächstes starten wir den AMaViS-Daemon **amavisd**.
 +   # systemctl status amavisd
 +
 +Fragen wir nun den Status des Daemon ab, sehen wir auch hier neben den Logeinträgen im **Maillog** und **Syslog** die Aufrufparameter des Daemon. ​
 +
 +   # systemctl status amavisd -l
 +<​code>​amavisd.service - Amavisd-new is an interface between MTA and content checkers.
 +   ​Loaded:​ loaded (/​usr/​lib/​systemd/​system/​amavisd.service;​ enabled)
 +   ​Active:​ active (running) since Tue 2014-12-02 09:45:20 CET; 4min 30s ago
 +     Docs: http://​www.ijs.si/​software/​amavisd/#​doc
 +  Process: 9164 ExecReload=/​usr/​sbin/​amavisd -c /​etc/​amavisd/​amavisd.conf reload (code=exited,​ status=0/​SUCCESS)
 +  Process: 15174 ExecStart=/​usr/​sbin/​amavisd -c /​etc/​amavisd/​amavisd.conf (code=exited,​ status=0/​SUCCESS)
 + Main PID: 15175 (/​usr/​sbin/​amavi)
 +   ​CGroup:​ /​system.slice/​amavisd.service
 +           ​├─15175 /​usr/​sbin/​amavisd (master
 +           ​├─15176 /​usr/​sbin/​amavisd (virgin child
 +           ​├─15177 /​usr/​sbin/​amavisd (virgin child
 +           ​├─15178 /​usr/​sbin/​amavisd (virgin child
 +           ​├─15179 /​usr/​sbin/​amavisd (virgin child
 +           ​└─15180 /​usr/​sbin/​amavisd (virgin child
 +
 +Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]:​ Found decoder for    .rpm  at /usr/bin/7z (backup, not used)
 +Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]:​ Found decoder for    .exe  at /​usr/​bin/​unarj
 +Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]:​ Using primary internal av scanner code for ClamAV-clamd
 +Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]:​ Deleting db files __db.001,​__db.002,​__db.003,​snmp.db,​nanny.db in /​var/​spool/​amavisd/​db
 +Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]:​ Creating db in /​var/​spool/​amavisd/​db/;​ BerkeleyDB 0.51, libdb 5.3
 +Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]:​ initializing Mail::​SpamAssassin (0)
 +Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]:​ SpamAssassin debug facilities: info
 +Dec 02 09:45:24 vml000067.dmz.nausch.org amavis[15175]:​ SpamAssassin loaded plugins: AutoLearnThreshold,​ Bayes, BodyEval, Check, DKIM, DNSEval, FreeMail, HTMLEval, HTTPSMismatch,​ Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags,​ SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
 +Dec 02 09:45:24 vml000067.dmz.nausch.org amavis[15175]:​ SpamControl:​ init_pre_fork on SpamAssassin done
 +Dec 02 09:45:24 vml000067.dmz.nausch.org amavis[15175]:​ extra modules loaded after daemonizing/​chrooting:​ /​usr/​share/​perl5/​Net/​libnet.cfg,​ Mail/​SpamAssassin/​Plugin/​FreeMail.pm,​ Mail/​SpamAssassin/​Plugin/​SpamCop.pm,​ Net/Cmd.pm, Net/​Config.pm,​ Net/SMTP.pm
 +</​code>​
 +
 +Den vollständigen dokumentierten Start finden wir dann auch im **Maillog** des Servers.
 +   # less /​var/​log/​maillog/​
 +<​code>​Dec ​ 2 09:45:19 vml000067 amavis[15174]:​ logging initialized,​ log level 3, syslog: amavis.mail
 +Dec  2 09:45:19 vml000067 amavis[15174]:​ starting. /​usr/​sbin/​amavisd at viruswall.dmz.nausch.org amavisd-new-2.9.1 (20140627), Unicode aware, LANG="​en_US.UTF
 +-8"
 +Dec  2 09:45:19 vml000067 amavis[15174]:​ perl=5.016003,​ user=996, EUID: 996 (996); ​ group=, EGID: 995 995 (995 995)
 +Dec  2 09:45:19 vml000067 amavis[15174]:​ INFO: no optional modules: unicore::​lib::​Nt::​De.pl Unix::​Getrusage
 +Dec  2 09:45:19 vml000067 amavis[15174]:​ SpamControl:​ scanner SpamAssassin,​ module Amavis::​SpamControl::​SpamAssassin
 +Dec  2 09:45:20 vml000067 amavis[15174]:​ INFO: SA version: 3.3.2, 3.003002, no optional modules: Net::​CIDR::​Lite Image::Info Image::​Info::​GIF Image::​Info::​JP
 +EG Image::​Info::​PNG Image::​Info::​BMP Image::​Info::​TIFF
 +Dec  2 09:45:20 vml000067 amavis[15174]:​ SpamControl:​ init_pre_chroot on SpamAssassin done
 +Dec  2 09:45:20 vml000067 amavis[15174]:​ socket module IO::​Socket::​IP,​ protocol families available: INET, INET6
 +Dec  2 09:45:20 vml000067 amavis[15174]:​ bind to 10.0.0.67:​10024/​tcp,​ 127.0.0.1:​9998/​tcp,​ /​var/​spool/​amavisd/​amavisd.sock|unix
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Net::​Server:​ Process Backgrounded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Net::​Server:​ 2014/​12/​02-09:​45:​20 Amavis (type Net::​Server::​PreForkSimple) starting! pid(15175)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Net::​Server:​ Binding to TCP port 10024 on host 10.0.0.67 with IPv4
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Net::​Server:​ Binding to TCP port 9998 on host 127.0.0.1 with IPv4
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Net::​Server:​ Binding to UNIX socket file "/​var/​spool/​amavisd/​amavisd.sock"​
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Net::​Server:​ Group Not Defined. ​ Defaulting to EGID '995 995'
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Net::​Server:​ User Not Defined. ​ Defaulting to EUID '​996'​
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ config files read: /​etc/​amavisd/​amavisd.conf
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Amavis::​Conf ​       2.321
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Archive::​Zip ​       1.30
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module BerkeleyDB ​         0.51
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Compress::​Raw::​Zlib 2.061
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Compress::​Zlib ​     2.061
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Crypt::​OpenSSL::​RSA 0.28
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module DB_File ​            1.83
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Digest::​MD5 ​        2.52
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Digest::​SHA ​        5.85
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Encode ​             2.51
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module File::​Temp ​         0.2301
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module IO::​Socket::​INET6 ​  2.69
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module IO::​Socket::​IP ​     0.21
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module MIME::​Entity ​       5.505
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module MIME::​Parser ​       5.505
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module MIME::​Tools ​        5.505
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Mail::​DKIM::​Signer ​ 0.39
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Mail::​DKIM::​Verifier 0.39
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Mail::​Header ​       2.12
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Mail::​Internet ​     2.12
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Mail::​SPF ​          ​v2.008
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Mail::​SpamAssassin ​ 3.003002
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Net::​DNS ​           0.72
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Net::​Server ​        2.007
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module NetAddr::​IP ​        4.069
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Razor2::​Client::​Version 2.84
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Scalar::​Util ​       1.27
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Socket ​             2.010
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Socket6 ​            0.23
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Time::​HiRes ​        ​1.9725
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module URI                 1.60
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Module Unix::​Syslog ​       1.1
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Amavis::ZMQ code     NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Amavis::DB code      loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ SQL base code        NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ SQL::Log code        NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ SQL::​Quarantine ​     NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Lookup::SQL code     NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Lookup::​LDAP code    NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ AM.PDP-in proto code loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ SMTP-in proto code   ​loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Courier proto code   NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ SMTP-out proto code  loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Pipe-out proto code  NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ BSMTP-out proto code NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Local-out proto code loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ OS_Fingerprint code  NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ ANTI-VIRUS code      loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ ANTI-SPAM code       ​loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ ANTI-SPAM-EXT code   NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ ANTI-SPAM-C code     NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ ANTI-SPAM-SA code    loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Unpackers code       ​loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ DKIM code            loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Tools code           NOT loaded
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found $file            at /​usr/​bin/​file
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found $altermime ​      at /​usr/​bin/​altermime
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Internal decoder for .mail
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .F    at /​usr/​bin/​unfreeze
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .Z    at /​usr/​bin/​gzip -d
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .gz   at /​usr/​bin/​gzip -d
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Internal decoder for .gz   ​(backup,​ not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .bz2  at /​usr/​bin/​bzip2 -d
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .xz   at /​usr/​bin/​xzdec
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .lzma at /usr/bin/xz -dc --format=lzma
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .lrz  at /​usr/​bin/​lrzip -q -k -d -o -
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .lzo  at /​usr/​bin/​lzop -d
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .rpm  at /​usr/​bin/​rpm2cpio
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .cpio at /​usr/​bin/​cpio
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .tar  at /​usr/​bin/​cpio
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .deb  at /usr/bin/ar
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ No ext program for   .rar, tried: unrar, rar
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .arj  at /​usr/​bin/​unarj
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .arc  at /​usr/​bin/​nomarch
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .zoo  at /​usr/​bin/​unzoo
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .cab  at /​usr/​bin/​cabextract
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Internal decoder for .tnef
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .zip  at /​usr/​bin/​7za
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .kmz  at /​usr/​bin/​7za
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Internal decoder for .zip  (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Internal decoder for .kmz  (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .7z   at /​usr/​bin/​7za
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .7z   at /​usr/​bin/​7za (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .zip  at /​usr/​bin/​7za (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .gz   at /​usr/​bin/​7za (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .bz2  at /​usr/​bin/​7za (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .Z    at /​usr/​bin/​7za (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .tar  at /​usr/​bin/​7za (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .xz   at /usr/bin/7z (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .lzma at /usr/bin/7z (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .jar  at /usr/bin/7z
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .cpio at /usr/bin/7z (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .arj  at /usr/bin/7z (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .rar  at /usr/bin/7z
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .swf  at /usr/bin/7z
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .lha  at /usr/bin/7z
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .iso  at /usr/bin/7z
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .cab  at /usr/bin/7z (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .deb  at /usr/bin/7z (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .rpm  at /usr/bin/7z (backup, not used)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Found decoder for    .exe  at /​usr/​bin/​unarj
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Using primary internal av scanner code for ClamAV-clamd
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Deleting db files __db.001,​__db.002,​__db.003,​snmp.db,​nanny.db in /​var/​spool/​amavisd/​db
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ Creating db in /​var/​spool/​amavisd/​db/;​ BerkeleyDB 0.51, libdb 5.3
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ initializing Mail::​SpamAssassin (0)
 +Dec  2 09:45:20 vml000067 amavis[15175]:​ SpamAssassin debug facilities: info
 +Dec  2 09:45:24 vml000067 amavis[15175]:​ SpamAssassin loaded plugins: AutoLearnThreshold,​ Bayes, BodyEval, Check, DKIM, DNSEval, FreeMail, HTMLEval, HTTPSMismatch,​ Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags,​ SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
 +Dec  2 09:45:24 vml000067 amavis[15175]:​ SpamControl:​ init_pre_fork on SpamAssassin done
 +Dec  2 09:45:24 vml000067 amavis[15175]:​ extra modules loaded after daemonizing/​chrooting:​ /​usr/​share/​perl5/​Net/​libnet.cfg,​ Mail/​SpamAssassin/​Plugin/​FreeMail.pm,​ Mail/​SpamAssassin/​Plugin/​SpamCop.pm,​ Net/Cmd.pm, Net/​Config.pm,​ Net/​SMTP.pm</​code>​
 +
 +Mit lsof können wir nun auch die Existenz der von AMaviS verwendeten Unix/​TCP-Sockets abfragen.
 +   # lsof | grep amavisd.sock
 +
 +<​code>/​usr/​sbin 15175        amavis ​   6u     unix 0xffff880079cfe780 ​      ​0t0 ​    ​159200 /​var/​spool/​amavisd/​amavisd.sock
 +/usr/sbin 15176        amavis ​   6u     unix 0xffff880079cfe780 ​      ​0t0 ​    ​159200 /​var/​spool/​amavisd/​amavisd.sock
 +/usr/sbin 15177        amavis ​   6u     unix 0xffff880079cfe780 ​      ​0t0 ​    ​159200 /​var/​spool/​amavisd/​amavisd.sock
 +/usr/sbin 15178        amavis ​   6u     unix 0xffff880079cfe780 ​      ​0t0 ​    ​159200 /​var/​spool/​amavisd/​amavisd.sock
 +/usr/sbin 15179        amavis ​   6u     unix 0xffff880079cfe780 ​      ​0t0 ​    ​159200 /​var/​spool/​amavisd/​amavisd.sock
 +/usr/sbin 15180        amavis ​   6u     unix 0xffff880079cfe780 ​      ​0t0 ​    ​159200 /​var/​spool/​amavisd/​amavisd.sock</​code>​
 +
 +   # lsof -i :10024
 +
 +<​code>​COMMAND ​    ​PID ​  ​USER ​  ​FD ​  TYPE DEVICE SIZE/OFF NODE NAME
 +/usr/sbin 15175 amavis ​   4u  IPv4 159198 ​     0t0  TCP vml000067.dmz.nausch.org:​10024 (LISTEN)
 +/usr/sbin 15176 amavis ​   4u  IPv4 159198 ​     0t0  TCP vml000067.dmz.nausch.org:​10024 (LISTEN)
 +/usr/sbin 15177 amavis ​   4u  IPv4 159198 ​     0t0  TCP vml000067.dmz.nausch.org:​10024 (LISTEN)
 +/usr/sbin 15178 amavis ​   4u  IPv4 159198 ​     0t0  TCP vml000067.dmz.nausch.org:​10024 (LISTEN)
 +/usr/sbin 15179 amavis ​   4u  IPv4 159198 ​     0t0  TCP vml000067.dmz.nausch.org:​10024 (LISTEN)
 +/usr/sbin 15180 amavis ​   4u  IPv4 159198 ​     0t0  TCP vml000067.dmz.nausch.org:​10024 (LISTEN)</​code>​
 +
 +==== postfix ====
 +Zu guter letzt führen wir noch einen Restart des Postfix-Master-Daemons auf unserem SMTP-Server durch.
 +   # systemctl restart postfix.service
 +
 +Auch hier können wir bei Bedarf den Status des Servers abfragen. ​
 +   # systemctl status postfix.service -l
 +
 +<​code>​postfix.service - Postfix Mail Transport Agent
 +   ​Loaded:​ loaded (/​usr/​lib/​systemd/​system/​postfix.service;​ enabled)
 +   ​Active:​ active (running) since Tue 2014-12-02 10:05:54 CET; 31s ago
 +  Process: 27047 ExecStop=/​usr/​sbin/​postfix stop (code=exited,​ status=0/​SUCCESS)
 +  Process: 27062 ExecStart=/​usr/​sbin/​postfix start (code=exited,​ status=0/​SUCCESS)
 +  Process: 27059 ExecStartPre=/​usr/​libexec/​postfix/​chroot-update (code=exited,​ status=0/​SUCCESS)
 +  Process: 27056 ExecStartPre=/​usr/​libexec/​postfix/​aliasesdb (code=exited,​ status=0/​SUCCESS)
 + Main PID: 27135 (master)
 +   ​CGroup:​ /​system.slice/​postfix.service
 +           ​├─27135 /​usr/​libexec/​postfix/​master -w
 +           ​├─27136 pickup -l -t unix -u
 +           ​└─27137 qmgr -l -t unix -u
 +
 +Dec 02 10:12:04 vml000087.dmz.nausch.org systemd[1]: Starting Postfix Mail Transport Agent...
 +Dec 02 10:12:05 vml000087.dmz.nausch.org postfix/​master[27245]:​ daemon started -- version 2.11.3, configuration /​etc/​postfix
 +Dec 02 10:12:05 vml000087.dmz.nausch.org systemd[1]: Started Postfix Mail Transport Agent.</​code>​
 +
 +Ebenso können wir überprüfen welche Ports bei unserem MAilserver geöffnet wurden.
 +   # netstat -tulpen
 +<​code>​Active Internet connections (only servers)
 +Proto Recv-Q Send-Q Local Address ​          ​Foreign Address ​        ​State ​      ​User ​      ​Inode ​     PID/Program name
 +tcp        0      0 0.0.0.0:​25 ​             0.0.0.0:​* ​              ​LISTEN ​     0          264422 ​    ​27135/​master
 +tcp        0      0 10.0.0.87:​10025 ​        ​0.0.0.0:​* ​              ​LISTEN ​     0          264433 ​    ​27135/​master
 +tcp        0      0 0.0.0.0:​587 ​            ​0.0.0.0:​* ​              ​LISTEN ​     0          264428 ​    ​27135/​master
 +tcp        0      0 127.0.0.1:​12525 ​        ​0.0.0.0:​* ​              ​LISTEN ​     0          30132      2147/​policyd-weight
 +tcp6       ​0 ​     0 :::25                   :::​* ​                   LISTEN ​     0          264423 ​    ​27135/​master
 +tcp6       ​0 ​     0 :::​587 ​                 :::*                    LISTEN ​     0          264429 ​    ​27135/​master
 +</​code>​
 +===== Tests =====
 +Nun ist es an der Zeit ausgiebig die Funktionsfähigkeit unseres **AS/​AV**((**A**nti **S**pam/​**A**nti **V**irus))-Systems zu überprüfen. Nacheinander wollen wir uns folgende Szenarien genauer ansehen und das unterschiedliche Verhalten jeweils beobachten.
 +  - **HAM** ​
 +    * **[[centos:​mail_c7:​spam_6?&#​ham_auf_port_25_mta_zu_mta_verkehr|HAM auf Port 25 (MTA zu MTA Verkehr)]]** ​
 +    * **[[centos:​mail_c7:​spam_6?&#​ham_auf_port_587_mua_zu_msa_verkehr|HAM auf Port 587 (MUA zu MSA Verkehr)]]**
 +  - **SPAM**
 +    * **[[centos:​mail_c7:​spam_6?&#​gtube_auf_port_25_mta_zu_mta_verkehr|GTUBE auf Port 25 (MTA zu MTA Verkehr)]]**
 +    * **[[centos:​mail_c7:​spam_6?&#​gtube_auf_port_587_mua_zu_msa_verkehr|GTUBE auf Port 587 (MUA zu MSA Verkehr)]]**
 +  - **Virus**
 +    * **[[centos:​mail_c7:​spam_6?&#​eicar-testmail_auf_port_25_mta_zu_mta_verkehr|Eicar-Testmail auf Port 25 (MTA zu MTA Verkehr)]]**
 +    * **[[centos:​mail_c7:​spam_6?&#​eicar-testmail_auf_port_587_mua_zu_msa_verkehr|Eicar-Testmail auf Port 587 (MUA zu MSA Verkehr)]]**
 +
 +
 +
 +==== HAM auf Port 25 (MTA zu MTA Verkehr) ====
 +Im ersten Test überprüfen wir, ob eine valide Testmail die wir an unseren **SMTP**-Bordefilter auf unserem **SMTP**-Host einliefern im Benutzerkonto unseres Mailkontoinhabers durchkommt.  ​
 +=== SMTP-Client (swaks) ===
 +Wir verschicken nun als erstes mit Hilfe von [[http://​www.jetmore.org/​john/​code/​swaks/​|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) von John Jetmore eine Nachricht an einen unserer eigenen Empfänger.
 +   $ swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header "​Subject:​ erste HAM-Testnachricht auf Port 25"
 +
 +<​code>​=== Trying 10.0.0.87:​25...
 +=== Connected to 10.0.0.87.
 +<-  220 mx01.nausch.org ESMTP Postfix
 + -> EHLO vml000087.dmz.nausch.org
 +<-  250-mx01.nausch.org
 +<-  250-PIPELINING
 +<-  250-SIZE 52428800
 +<-  250-ETRN
 +<-  250-STARTTLS
 +<-  250-ENHANCEDSTATUSCODES
 +<-  250-8BITMIME
 +<-  250 DSN
 + -> STARTTLS
 +<-  220 2.0.0 Ready to start TLS
 +=== TLS started with cipher TLSv1.2:​ECDHE-RSA-AES256-GCM-SHA384:​256
 +=== TLS no local certificate set
 +=== TLS peer DN="/​serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/​OU=GT49447951/​OU=See www.rapidssl.com/​resources/​cps (c)13/​OU=Domain Control Validated - RapidSSL(R)/​CN=*.nausch.org"​
 + ~> EHLO vml000087.dmz.nausch.org
 +<~  250-mx01.nausch.org
 +<~  250-PIPELINING
 +<~  250-SIZE 52428800
 +<~  250-ETRN
 +<~  250-ENHANCEDSTATUSCODES
 +<~  250-8BITMIME
 +<~  250 DSN
 + ~> MAIL FROM:<​n3rd@sec-mail.guru>​
 +<~  250 2.1.0 Ok
 + ~> RCPT TO:<​django@nausch.org>​
 +<~  250 2.1.5 Ok
 + ~> DATA
 +<~  354 End data with <​CR><​LF>​.<​CR><​LF>​
 + ~> Date: Tue, 02 Dec 2014 10:25:54 +0100
 + ~> To: django@nausch.org
 + ~> From: n3rd@sec-mail.guru
 + ~> Subject: erste HAM-Testnachricht auf Port 25
 + ~> X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/​
 + ~> X-Test: test eMail
 + ~>
 + ~> This is a test mailing
 + ~>
 + ~> .
 +<~  250 2.0.0 Ok: queued as C4DE0C00089
 + ~> QUIT
 +<~  221 2.0.0 Bye
 +=== Connection closed with remote host.
 +</​code>​
 +
 +Bevor der SMTP-Server die Nachricht mit der Zeile **250 2.0.0 Ok: queued as C4DE0C00089** bestätigt, merken wir eine kurze Verzögerung,​ da die komplette Nachricht im **pre_queue**-Modus vom Postfix- und AMaViS-Server gescannt werden. Erst am Ende der kompletten Überprüfung wird die Annahme der eMail bestätigt.
 +
 +=== SMTP-Server ===
 +Auf unserem Borderfilter finden wir auch die relevanten Einträge zu unserer Test-Nachricht im **Maillog**.
 +   # less /​var/​log/​maillog
 +
 +<​code>​ec ​ 2 10:25:54 vml000087 postfix/​smtpd[27251]:​ connect from vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 10:25:54 vml000087 postfix/​smtpd[27251]:​ Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]:​ TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 +Dec  2 10:25:54 vml000087 postfix/​verify[27257]:​ cache btree:/​var/​lib/​postfix/​verify_cache full cleanup: retained=2 dropped=0 entries
 +Dec  2 10:25:54 vml000087 postfix/​smtpd[27251]:​ C4DE0C00089:​ client=vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 10:25:54 vml000087 postfix/​cleanup[27258]:​ C24B7C00088:​ message-id=<​20141202092554.C24B7C00088@mx01.nausch.org>​
 +Dec  2 10:25:54 vml000087 postfix/​cleanup[27259]:​ C4DE0C00089:​ message-id=<​20141202092554.C4DE0C00089@mx01.nausch.org>​
 +Dec  2 10:25:54 vml000087 postfix/​qmgr[27247]:​ C24B7C00088:​ from=<​double-bounce@nausch.org>,​ size=231, nrcpt=1 (queue active)
 +Dec  2 10:25:54 vml000087 postfix/​lmtp[27260]:​ C24B7C00088:​ to=<​django@nausch.org>,​ relay=10.0.0.77[10.0.0.77]:​24,​ delay=0.07, delays=0.02/​0.03/​0/​0.02,​ dsn=2.1.5, status=deliverable (250 2.1.5 OK)
 +Dec  2 10:25:54 vml000087 postfix/​qmgr[27247]:​ C24B7C00088:​ removed
 +Dec  2 10:25:56 vml000087 postfix/​qmgr[27247]:​ C4DE0C00089:​ from=<​n3rd@sec-mail.guru>,​ size=644, nrcpt=1 (queue active)
 +Dec  2 10:25:56 vml000087 postfix/​smtpd[27251]:​ disconnect from vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 10:25:56 vml000087 postfix/​lmtp[27260]:​ C4DE0C00089:​ to=<​django@nausch.org>,​ relay=10.0.0.77[10.0.0.77]:​24,​ delay=2.2, delays=2/​0.01/​0/​0.19,​ dsn=2.0.0, status=sent (250 2.0.0 <​django@nausch.org>​ RLueGlCFfVS2FwAArK2B9Q Saved)
 +Dec  2 10:25:56 vml000087 postfix/​qmgr[27247]:​ C4DE0C00089:​ removed
 +</​code>​
 +
 +=== ASAV-Host ===
 +Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 10:25:54 vml000067 amavis[15176]:​ loaded policy bank "​AM.PDP-SOCK"​
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ process_request:​ fileno sock=13, STDIN=0, STDOUT=1
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: request=AM.PDP
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: queue_id=C4DE0C00089
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: sender=<​n3rd@sec-mail.guru>​
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: recipient=<​django@nausch.org>​
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: tempdir=/​var/​spool/​amavisd/​tmp/​afXXXXOnBfs5
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: tempdir_removed_by=client
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: mail_file=/​var/​spool/​amavisd/​tmp/​afXXXXOnBfs5/​email.txt
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: delivery_care_of=client
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: client_address=10.0.0.87
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: client_name=vml000087.dmz.nausch.org
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: helo_name=vml000087.dmz.nausch.org
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ policy protocol: policy_bank=mx01.nausch.org
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) Request: AM.PDP ​ /​var/​spool/​amavisd/​tmp/​afXXXXOnBfs5:​ <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>​
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) loaded policy bank "​MYNETS"​ over "​AM.PDP-SOCK"​
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) body hash: 5e4a6c05336dff65870f1c8870955b2a
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) ip_trace: 10.0.0.87
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) Checking: RKf24-jwcKfN AM.PDP-SOCK/​MYNETS [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>​
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) 2822.From: <​n3rd@sec-mail.guru>​
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) p001 1 Content-Type:​ text/plain, size: 24 B, name:
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) inspect_dsn:​ not a bounce
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) Checking for banned types and filenames
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) collect banned table[0]: django@nausch.org,​ tables:
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) p.path django@nausch.org:​ "​P=p001,​L=1,​M=text/​plain,​T=asc"​
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) presenting full original message to scanners as /​var/​spool/​amavisd/​tmp/​afXXXXOnBfs5/​parts/​p002
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) run_av Using (ClamAV-clamd):​ (code) CONTSCAN /​var/​spool/​amavisd/​tmp/​afXXXXOnBfs5/​parts\n
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) ClamAV-clamd:​ Connecting to socket ​ /​var/​run/​clamd.amavisd/​clamd.sock
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) new socket by IO::​Socket::​UNIX to /​var/​run/​clamd.amavisd/​clamd.sock,​ timeout 10
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) ClamAV-clamd:​ Sending CONTSCAN /​var/​spool/​amavisd/​tmp/​afXXXXOnBfs5/​parts\n to socket /​var/​run/​clamd.amavisd/​clamd.sock
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) rw_loop read: got eof
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) run_av (ClamAV-clamd):​ CLEAN
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) run_av (ClamAV-clamd) result: clean
 +Dec  2 10:25:54 vml000067 amavis[15176]:​ (15176-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as STRING, recips_ind [0], user: "​amavis"​
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) spam_scan: score=0.8 autolearn=no tests=[ALL_TRUSTED=-1,​DKIM_ADSP_DISCARD=1.8] recips=0
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) spam_scan: dsn_suppress_reason DKIM_ADSP_DISCARD
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) do_notify_and_quar:​ ccat=CleanTag (1,1) ("​1,​1":​CleanTag,​ "​1":​Clean,​ "​0":​CatchAll) ccat_block=(),​ qar_mth=
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) delivery method is 1, recips: django@nausch.org
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) spam-tag, <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>,​ No, score=0.8 tagged_above=-1000 required=6.31 tests=[ALL_TRUSTED=-1,​ DKIM_ADSP_DISCARD=1.8] autolearn=no
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) dkim: candidate originators:​ From:<​n3rd@sec-mail.guru>​
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) dkim: signing (author), From: <​n3rd@sec-mail.guru>​ (From:<​n3rd@sec-mail.guru>​),​ KEY.h=>​sha256,​ KEY.key_ind=>​13,​ a=>​rsa-sha256,​ c=>​relaxed/​simple,​ d=>​sec-mail.guru,​ s=>​140224,​ ttl=>​1814400,​ x=>​1419326755
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) DSN: sender is credible (orig), SA: 0.800, <​n3rd@sec-mail.guru>​
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) status counters: InMsgsStatus{Accepted,​AcceptedInternal,​AcceptedOriginating}
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) Passed CLEAN {AcceptedInternal},​ AM.PDP-SOCK/​MYNETS LOCAL [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>,​ Queue-ID: C4DE0C00089,​ Message-ID: <​20141202092554.C4DE0C00089@mx01.nausch.org>,​ mail_id: RKf24-jwcKfN,​ Hits: 0.8, size: 495, dkim_new=140224:​sec-mail.guru,​ 1617 ms
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) TIMING-SA total 1504 ms - parse: 1.66 (0.1%), extract_message_metadata:​ 421 (28.0%), poll_dns_idle:​ 410 (27.3%), get_uri_detail_list:​ 0.31 (0.0%), tests_pri_-1000:​ 6 (0.4%), tests_pri_-950:​ 2 (0.1%), tests_pri_-900:​ 1.24 (0.1%), tests_pri_-400:​ 1.07 (0.1%), tests_pri_0:​ 1044 (69.4%), check_dkim_adsp:​ 6 (0.4%), check_spf: 0.46 (0.0%), check_razor2:​ 993 (66.0%), check_pyzor:​ 1.33 (0.1%), tests_pri_500:​ 8 (0.5%), get_report: 0.98 (0.1%)
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) mail checking ended: version_server=2\nlog_id=15176-01\nsetreply=250 2.5.0 Ok,​%20id=15176-01,​%20continue%20delivery\ninsheader=0 X-Spam-Status No,​%20score=0.8%20tagged_above=-1000%20required=6.31%0a%09tests=[ALL_TRUSTED=-1,​%20DKIM_ADSP_DISCARD=1.8]%20autolearn=no\ninsheader=0 X-Spam-Level \ninsheader=0 X-Spam-Score 0.8\ninsheader=0 X-Spam-Flag NO\ninsheader=0 X-Virus-Scanned amavisd-new%20at%20nausch.org\ninsheader=0 DKIM-Signature v=1;​%20a=rsa-sha256;​%20c=relaxed/​simple;​%20d=sec-mail.guru;​%20h=%0a%09message-id:​x-mailer:​subject:​subject:​from:​from:​date:​date;​%20s=%0a%09140224;​%20t=1417512354;​%20x=1419326755;​%20bh=ecGWgWCJeWxJFeM0urOVWP+KO%0a%09lqqvsQYKOpYUP8nk7I=;​%20b=bbc1o4gOnL12XyR9cx6S48gTh2+gateXrSIzx4w2L%0a%09lABYNNQlCGNZn6Iz5y+ZXN58u6yZFgRw9EEhM3QjxV0LDZkjoAkzh7FeavWB0Qb6%0a%09y6A5ypdrnESeAio4JwiyokvkFqlOAB/​qqNRdHuqRscQGxTvVsn0gRQfg68Ci3iRA%0a%09scz6B0bLGW497eqrp/​HOeSEL1pUyw8PG79bnI+Nfe1d8DY1jxFl/​WkTitjR2GlJ3%0a%09ncsCht/​xcME6eJLzSo0Hk4BKYA77F1XJbFS...
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) ...utaHMJWCEFWtOk4ZaScFxkLsWm8Vy%0a%09kng6yaEP03EY1ExuKrK0ccI6Yrlj9Qt2fBrxEfZYcrJEBVQiZVLYeer6eooM55wS%0a%09aOb3JfgRHrD05gDVFSCYGOlScx5X6oglGXbYqSbq8qPB5W5U041GOODNrm+8l4Qt%0a%09evEA9HRwy0Py/​DTgc89aLAnmVkzIyLKDStJoAYtW9RWYZreWwJV2IgmJ56Y3ptIq%0a%09kgVdQiv7F4LHccahsIujb+kDyvoqm894gpJKQE5Hag/​e54jx8FCKLK6HwzKcu1LF%0a%09sqyKmYQitPXYejddKPLhdNgFixEOKESoZbyN22uxFVoqrPZw2Jv8E1ucyeSV/​lPT%0a%09xiog65voE7/​xTKnJuwhGPRonTlD85lxL7kiDrUpkX3oQ+j3b+lO1aeCaHxYMuPHZ%0a%09Ac=\nreturn_value=continue\nexit_code=0
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) size: 495, TIMING [total 1645 ms] - got data: 0.0 (0%)0, check_init: 6 (0%)0, digest_hdr: 1.8 (0%)0, digest_body_dkim:​ 0.5 (0%)1, collect_info:​ 5 (0%)1, mkdir parts: 1.9 (0%)1, mime_decode:​ 10 (1%)2, get-file-type1:​ 19 (1%)3, parts_decode:​ 0.2 (0%)3, check_header:​ 0.6 (0%)3, AV-scan-1: 11 (1%)3, spam-wb-list:​ 0.7 (0%)3, SA msg read: 1.0 (0%)4, SA parse: 5 (0%)4, SA check: 1496 (91%)95, decide_mail_destiny:​ 9 (1%)95, notif-quar: 0.5 (0%)95, write-header:​ 9 (1%)96, fwd-data-dkim:​ 32 (2%)98, prepare-dsn:​ 1.3 (0%)98, report: 2.6 (0%)98, main_log_entry:​ 6 (0%)98, update_snmp:​ 1.5 (0%)98, rundown: 25 (2%)100
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) extra modules loaded: unicore/​lib/​Gc/​Nd.pl
 +Dec  2 10:25:56 vml000067 amavis[15176]:​ (15176-01) load: 100 %, total idle 0.000 s, busy 1.668 s</​code>​
 +
 +=== MUA (Empfänger) ===
 +Der Empfänger findet nun im Mail-Postfach unsere Testnachricht.
 +
 +<​code>​Return-Path:​ <​n3rd@sec-mail.guru>​
 +Delivered-To:​ django@nausch.org
 +Received: from mx01.nausch.org ([10.0.0.87])
 + by imap.nausch.org (Dovecot) with LMTP id RLueGlCFfVS2FwAArK2B9Q
 + for <​django@nausch.org>;​ Tue, 02 Dec 2014 10:25:56 +0100
 +DKIM-Signature:​ v=1; a=rsa-sha256;​ c=relaxed/​simple;​ d=sec-mail.guru;​ h=
 + message-id:​x-mailer:​subject:​subject:​from:​from:​date:​date;​ s=
 + 140224; t=1417512354;​ x=1419326755;​ bh=ecGWgWCJeWxJFeM0urOVWP+KO
 + lqqvsQYKOpYUP8nk7I=;​ b=bbc1o4gOnL12XyR9cx6S48gTh2+gateXrSIzx4w2L
 + lABYNNQlCGNZn6Iz5y+ZXN58u6yZFgRw9EEhM3QjxV0LDZkjoAkzh7FeavWB0Qb6
 + y6A5ypdrnESeAio4JwiyokvkFqlOAB/​qqNRdHuqRscQGxTvVsn0gRQfg68Ci3iRA
 + scz6B0bLGW497eqrp/​HOeSEL1pUyw8PG79bnI+Nfe1d8DY1jxFl/​WkTitjR2GlJ3
 + ncsCht/​xcME6eJLzSo0Hk4BKYA77F1XJbFSutaHMJWCEFWtOk4ZaScFxkLsWm8Vy
 + kng6yaEP03EY1ExuKrK0ccI6Yrlj9Qt2fBrxEfZYcrJEBVQiZVLYeer6eooM55wS
 + aOb3JfgRHrD05gDVFSCYGOlScx5X6oglGXbYqSbq8qPB5W5U041GOODNrm+8l4Qt
 + evEA9HRwy0Py/​DTgc89aLAnmVkzIyLKDStJoAYtW9RWYZreWwJV2IgmJ56Y3ptIq
 + kgVdQiv7F4LHccahsIujb+kDyvoqm894gpJKQE5Hag/​e54jx8FCKLK6HwzKcu1LF
 + sqyKmYQitPXYejddKPLhdNgFixEOKESoZbyN22uxFVoqrPZw2Jv8E1ucyeSV/​lPT
 + xiog65voE7/​xTKnJuwhGPRonTlD85lxL7kiDrUpkX3oQ+j3b+lO1aeCaHxYMuPHZ
 + Ac=
 +X-Virus-Scanned:​ amavisd-new at nausch.org
 +X-Spam-Flag:​ NO
 +X-Spam-Score:​ 0.8
 +X-Spam-Level: ​
 +X-Spam-Status:​ No, score=0.8 tagged_above=-1000 required=6.31
 + tests=[ALL_TRUSTED=-1,​ DKIM_ADSP_DISCARD=1.8] autolearn=no
 +Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87])
 + (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 + (No client certificate requested)
 + by mx01.nausch.org (Postfix) with ESMTPS id C4DE0C00089
 + for <​django@nausch.org>;​ Tue,  2 Dec 2014 10:25:54 +0100 (CET)
 +Date: Tue, 02 Dec 2014 10:25:54 +0100
 +To: django@nausch.org
 +From: n3rd@sec-mail.guru
 +Subject: erste HAM-Testnachricht auf Port 25
 +X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/​
 +X-Test: test eMail
 +Message-Id: <​20141202092554.C4DE0C00089@mx01.nausch.org>​
 +
 +This is a test mailing
 +</​code>​
 +
 +==== HAM auf Port 587 (MUA zu MSA Verkehr) ====
 +Als nächstes überprüfen wir, ob eine valide Testmail die einer unserer Mailboxinhaber von seinem **MUA**((**M**ail **U**ser **A**gent)) beim **MSA**((**M**ail **S**ubmission **A**gent)) erfolgreich einliefern kann, die dann im Benutzerkonto unseres Mailkontoinhabers eingestellt wird.
 +
 +=== SMTP-Client (swaks) ===
 +Auch hier verschicken wir nun mit Hilfe von [[http://​www.jetmore.org/​john/​code/​swaks/​|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) von John Jetmore eine Nachricht an einen unserer eigenen Empfänger. Hierzu nutzen wir die Anmeldedaten eines unserer Testkonten und liefern die Nachricht auf dem Port **587** ein.
 +   $ # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header "​Subject:​ zweite HAM-Testnachricht auf Port 587" --auth NTLM --auth-user n3rd@sec-mail.guru --auth-password Dj4n90-d3r-M41153rv3rguru!
 +
 +<​code>​=== Trying 10.0.0.87:​587... ​                                                                                                                                 ​
 +=== Connected to 10.0.0.87. ​                                                                                                                                 ​
 +<-  220 mx01.nausch.org ESMTP Postfix ​                                                                                                                       ​
 + -> EHLO vml000087.dmz.nausch.org ​                                                                                                                           ​
 +<-  250-mx01.nausch.org
 +<-  250-PIPELINING
 +<-  250-SIZE 52428800
 +<-  250-ETRN
 +<-  250-STARTTLS
 +<-  250-ENHANCEDSTATUSCODES
 +<-  250-8BITMIME
 +<-  250 DSN
 + -> STARTTLS
 +<-  220 2.0.0 Ready to start TLS
 +=== TLS started with cipher TLSv1.2:​ECDHE-RSA-AES256-GCM-SHA384:​256
 +=== TLS no local certificate set
 +=== TLS peer DN="/​serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/​OU=GT49447951/​OU=See www.rapidssl.com/​resources/​cps (c)13/​OU=Domain Control Validated - RapidSSL(R)/​CN=*.nausch.org"​
 + ~> EHLO vml000087.dmz.nausch.org
 +<~  250-mx01.nausch.org
 +<~  250-PIPELINING
 +<~  250-SIZE 52428800
 +<~  250-ETRN
 +<~  250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
 +<~  250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
 +<~  250-ENHANCEDSTATUSCODES
 +<~  250-8BITMIME
 +<~  250 DSN
 + ~> AUTH NTLM
 +<~  334
 + ~> TlRUMTVNTUAABAAAABU6IAAAAAAAAAAAAAAAAAAAAAAAA=
 +<~  334 TlRMTUVNTUAUACAAAAMAAwADUAAAAAFAUoIAOUeYM1Dy0gHAAAAAAAUAAAADgAOABgAAAAdgBtAGwAMAAwADAAMAA3ADcALgBkAG0AegAuAG4AYQB1AHMAYwBoAC4AbUwByAGcAAwAwAHYAbQBsADAAMAAwADAANwA3AC4AZABtAHoALgBuAGEAdQBzAGMAaAAuAG8AcgBnAAAAAAA=
 + ~> UTlRMTVNTUAADUAAAAGAAYAEAAAAAYABUgAWAAAADAAMABwAAAAJAAkAKAAAAAkACQAxAAAAAAAAACoAAAABUQKCABKUTbcHiUVToxqvguZXpp6jgnmGYJ9jDa0UoXqDbxiyz+V1xFp8hFH2sd3yaZl/​qjY3YAbQBsADUAAMAAwADAANwA3AC4AZABtAHoALUgBuAGEAdQBzAGMUAaAAuAG8AcgBnAG4AMwByAGQAQABzAGUAYwAtAG0AYQBpAGwALgBnAHUAcgB1AG4AMwByAGQAQABzAGUAYwAtAG0UAYQBpAGwALgBnAHUAcgB1AA==
 +<~  235 2.7.0 Authentication successful
 + ~> MAIL FROM:<​n3rd@sec-mail.guru>​
 +<~  250 2.1.0 Ok
 + ~> RCPT TO:<​django@nausch.org>​
 +<~  250 2.1.5 Ok
 + ~> DATA
 +<~  354 End data with <​CR><​LF>​.<​CR><​LF>​
 + ~> Date: Tue, 02 Dec 2014 11:12:08 +0100
 + ~> To: django@nausch.org
 + ~> From: n3rd@sec-mail.guru
 + ~> Subject: zweite HAM-Testnachricht auf Port 587
 + ~> X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/​
 + ~> X-Test: test eMail
 + ~>
 + ~> This is a test mailing
 + ~>
 + ~> .
 +<~  250 2.0.0 Ok: queued as 2E10CC00088
 + ~> QUIT
 +<~  221 2.0.0 Bye
 +=== Connection closed with remote host.
 +</​code>​
 +
 +Hier bemerken wir keine Verzögerung bei der Annahme der Nachricht, da der Absender die Nachricht auf Port **587** einlieferte und die komplette Nachricht erst **__nach__** Annahme der Nachricht mit einem **250**er vom Postfix- und AMaViS-Server gescannt wird.
 +
 +=== SMTP-Server ===
 +Auf unserem Borderfilter finden wir auch die relevanten Einträge zu unserer Test-Nachricht im **Maillog**.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 11:12:09 vml000087 postfix/​submission/​smtpd[27385]:​ connect from vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 11:12:09 vml000087 postfix/​submission/​smtpd[27385]:​ Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]:​ TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 +Dec  2 11:12:09 vml000087 postfix/​submission/​smtpd[27385]:​ 2E10CC00088:​ client=vml000087.dmz.nausch.org[10.0.0.87],​ sasl_method=NTLM,​ sasl_username=n3rd@sec-mail.guru
 +Dec  2 11:12:09 vml000087 postfix/​cleanup[27387]:​ 2E10CC00088:​ message-id=<​20141202101209.2E10CC00088@mx01.nausch.org>​
 +Dec  2 11:12:09 vml000087 postfix/​qmgr[27247]:​ 2E10CC00088:​ from=<​n3rd@sec-mail.guru>,​ size=613, nrcpt=1 (queue active)
 +Dec  2 11:12:09 vml000087 postfix/​submission/​smtpd[27385]:​ disconnect from vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 11:12:09 vml000087 postfix/​smtpd[27379]:​ connect from vml000067.dmz.nausch.org[10.0.0.67]
 +Dec  2 11:12:09 vml000087 postfix/​smtpd[27379]:​ BB77CC00089:​ client=vml000067.dmz.nausch.org[10.0.0.67],​ orig_client=unknown[10.0.0.87]
 +Dec  2 11:12:09 vml000087 postfix/​cleanup[27387]:​ BB77CC00089:​ message-id=<​20141202101209.2E10CC00088@mx01.nausch.org>​
 +Dec  2 11:12:09 vml000087 postfix/​qmgr[27247]:​ BB77CC00089:​ from=<​n3rd@sec-mail.guru>,​ size=2395, nrcpt=1 (queue active)
 +Dec  2 11:12:09 vml000087 postfix/​smtp[27388]:​ 2E10CC00088:​ to=<​django@nausch.org>,​ relay=10.0.0.67[10.0.0.67]:​10024,​ delay=0.65, delays=0.06/​0.03/​0.01/​0.54,​ dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:​[10.0.0.87]:​10025):​ 250 2.0.0 Ok: queued as BB77CC00089)
 +Dec  2 11:12:09 vml000087 postfix/​qmgr[27247]:​ 2E10CC00088:​ removed
 +Dec  2 11:12:10 vml000087 postfix/​lmtp[27389]:​ BB77CC00089:​ to=<​django@nausch.org>,​ relay=10.0.0.77[10.0.0.77]:​24,​ delay=0.27, delays=0.03/​0.02/​0.06/​0.17,​ dsn=2.0.0, status=sent (250 2.0.0 <​django@nausch.org>​ 5VK5M3mQfVQ+HQAArK2B9Q Saved)
 +Dec  2 11:12:10 vml000087 postfix/​qmgr[27247]:​ BB77CC00089:​ removed
 +</​code>​
 +
 +=== ASAV-Host ===
 +Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 11:12:09 vml000067 amavis[15389]:​ loaded policy bank "​ORIGINATING"​
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ process_request:​ fileno sock=13, STDIN=0, STDOUT=1
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) ESMTP:​[10.0.0.67]:​10024 /​var/​spool/​amavisd/​tmp/​amavis-20141202T111209-15389-JkrxvcKa:​ <​n3rd@sec-mail.guru
 +> -> <​django@nausch.org>​ Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new,​ port 1
 +0024) with ESMTP for <​django@nausch.org>;​ Tue,  2 Dec 2014 11:12:09 +0100 (CET)
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) body hash: 5e4a6c05336dff65870f1c8870955b2a
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) ip_trace: 10.0.0.87
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) client IP address unknown, fetched from Received: 10.0.0.87
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) Checking: SUMj5uZrONx7 ORIGINATING [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>​
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) 2822.From: <​n3rd@sec-mail.guru>​
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) p001 1 Content-Type:​ text/plain, size: 24 B, name:
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) inspect_dsn:​ not a bounce
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) Checking for banned types and filenames
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) skipping banned check: all recipients bypass banned checks
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) presenting full original message to scanners as /​var/​spool/​amavisd/​tmp/​amavis-20141202T111209-15389-Jkrxv
 +cKa/​parts/​p002
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) run_av Using (ClamAV-clamd):​ (code) CONTSCAN /​var/​spool/​amavisd/​tmp/​amavis-20141202T111209-15389-JkrxvcKa
 +/parts\n
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) ClamAV-clamd:​ Connecting to socket ​ /​var/​run/​clamd.amavisd/​clamd.sock
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) new socket by IO::​Socket::​UNIX to /​var/​run/​clamd.amavisd/​clamd.sock,​ timeout 10
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) ClamAV-clamd:​ Sending CONTSCAN /​var/​spool/​amavisd/​tmp/​amavis-20141202T111209-15389-JkrxvcKa/​parts\n to so
 +cket /​var/​run/​clamd.amavisd/​clamd.sock
 +Dec  2 11:12:09 vml000067 clamd[1278]:​ SelfCheck: Database status OK.
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) rw_loop read: got eof
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) run_av (ClamAV-clamd):​ CLEAN
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) run_av (ClamAV-clamd) result: clean
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as STRING, recips_ind [0], user: "​amavis"​
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) spam_scan: score=0.8 autolearn=no tests=[ALL_TRUSTED=-1,​DKIM_ADSP_DISCARD=1.8] recips=0
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) spam_scan: dsn_suppress_reason DKIM_ADSP_DISCARD
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) do_notify_and_quar:​ ccat=CleanTag (1,1) ("​1,​1":​CleanTag,​ "​1":​Clean,​ "​0":​CatchAll) ccat_block=(),​ qar_mth=
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) delivery method is 1, recips: django@nausch.org
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) spam-tag, <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>,​ No, score=0.8 tagged_above=-1000 required=6.31 tests=[ALL_TRUSTED=-1,​ DKIM_ADSP_DISCARD=1.8] autolearn=no
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) dkim: candidate originators:​ From:<​n3rd@sec-mail.guru>​
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) dkim: signing (author), From: <​n3rd@sec-mail.guru>​ (From:<​n3rd@sec-mail.guru>​),​ KEY.h=>​sha256,​ KEY.key_ind=>​13,​ a=>​rsa-sha256,​ c=>​relaxed/​simple,​ d=>​sec-mail.guru,​ s=>​140224,​ ttl=>​1814400,​ x=>​1419329530
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp session: setting up a new session
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) new socket using IO::​Socket::​IP to [10.0.0.87]:​10025,​ timeout 35
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 7.9 ms
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp cmd> EHLO viruswall.dmz.nausch.org
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp cmd> XFORWARD ADDR=10.0.0.87
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp resp to XFORWARD: 250 2.0.0 Ok
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) AUTH not needed, user='',​ MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM'
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp cmd> MAIL FROM:<​n3rd@sec-mail.guru>​ BODY=7BIT
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp cmd> RCPT TO:<​django@nausch.org>​ ORCPT=rfc822;​django@nausch.org
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp cmd> DATA
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp resp to MAIL (pip): 250 2.1.0 Ok
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp resp to RCPT (pip) (<​django@nausch.org>​):​ 250 2.1.5 Ok
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp resp to DATA: 354 End data with <​CR><​LF>​.<​CR><​LF>​
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) smtp resp to data-dot (<​django@nausch.org>​):​ 250 2.0.0 Ok: queued as BB77CC00089,​ dt: 22.7 ms
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) Amavis::​Out::​SMTP::​Session close, keeping connection
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) SUMj5uZrONx7 FWD from <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>,​ BODY=7BIT 250 2.0.0 from MTA(smtp:​[10.0.0.87]:​10025):​ 250 2.0.0 Ok: queued as BB77CC00089
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) DSN: sender is credible (orig), SA: 0.800, <​n3rd@sec-mail.guru>​
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) status counters: InMsgsStatus{Relayed,​RelayedUntagged,​RelayedUntaggedInternal,​RelayedUntaggedOriginating}
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) Passed CLEAN {RelayedInternal},​ ORIGINATING LOCAL [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>,​ Message-ID: <​20141202101209.2E10CC00088@mx01.nausch.org>,​ mail_id: SUMj5uZrONx7,​ Hits: 0.8, size: 613, queued_as: BB77CC00089,​ dkim_new=140224:​sec-mail.guru,​ 546 ms
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) TIMING-SA total 329 ms - parse: 1.50 (0.5%), extract_message_metadata:​ 4 (1.2%), get_uri_detail_list:​ 0.36 (0.1%), tests_pri_-1000:​ 7 (2.2%), tests_pri_-950:​ 1.99 (0.6%), tests_pri_-900:​ 1.37 (0.4%), tests_pri_-400:​ 1.22 (0.4%), tests_pri_0:​ 289 (87.8%), check_dkim_adsp:​ 6 (1.8%), check_spf: 0.44 (0.1%), check_razor2:​ 242 (73.4%), check_pyzor:​ 0.26 (0.1%), tests_pri_500:​ 4 (1.1%), get_report: 0.99 (0.3%)
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) sending SMTP response: "250 2.0.0 from MTA(smtp:​[10.0.0.87]:​10025):​ 250 2.0.0 Ok: queued as BB77CC00089"​
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) size: 613, TIMING [total 553 ms] - SMTP greeting: 9 (2%)2, SMTP EHLO: 2.6 (0%)2, SMTP pre-MAIL: 0.6 (0%)2, mkdir tempdir: 1.4 (0%)2, create email.txt: 0.3 (0%)2, SMTP pre-DATA-flush:​ 4.1 (1%)3, SMTP DATA: 37 (7%)10, check_init: 0.9 (0%)10, digest_hdr: 1.5 (0%)10, digest_body_dkim:​ 0.6 (0%)10, collect_info:​ 2.6 (0%)11, mkdir parts: 1.8 (0%)11, mime_decode:​ 11 (2%)13, get-file-type1:​ 17 (3%)16, parts_decode:​ 0.2 (0%)16, check_header:​ 0.5 (0%)16, AV-scan-1: 11 (2%)18, spam-wb-list:​ 0.9 (0%)18, SA msg read: 0.8 (0%)19, SA parse: 3.6 (1%)19, SA check: 321 (58%)77, decide_mail_destiny:​ 9 (2%)79, notif-quar: 0.5 (0%)79, write-header:​ 10 (2%)81, fwd-data-dkim:​ 32 (6%)86, fwd-connect:​ 19 (3%)90, fwd-xforward:​ 2.3 (0%)90, fwd-mail-pip:​ 2.8 (1%)91, fwd-rcpt-pip:​ 0.2 (0%)91, fwd-data-chkpnt:​ 0.1 (0%)91, write-header:​ 0.5 (0%)91, fwd-data-contents:​ 0.0 (0%)91, fwd-end-chkpnt:​ 25 (4%)95, prepare-dsn:​ 1.6 (0%)96, report: 3.5 (1%)96, main_log_entry:​ 15 (3%)99, update_...
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) ...snmp: 3.1 (1%)100, SMTP pre-response:​ 0.7 (0%)100, SMTP response: 0.3 (0%)100, unlink-2-files:​ 0.6 (0%)100, rundown: 1.1 (0%)100
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) extra modules loaded: unicore/​lib/​Gc/​Nd.pl
 +Dec  2 11:12:09 vml000067 amavis[15389]:​ (15389-01) load: 100 %, total idle 0.002 s, busy 0.579 s
 +</​code>​
 +
 +=== MUA (Empfänger) ===
 +Der Empfänger findet nun im Mail-Postfach unsere Testnachricht. Im Gegensatz zum vorangegangenen Testlauf mit Einlieferung auf Port **25**, sehen wir hier im Mailheader den "​Schleifendurchlauf"​ beim Host //​viruswall.dmz.nausch.org//​ nach Annahme der Nachricht durch den **MSA**((**M**ail **S**ubmission **A**gent)).
 +
 +<​code>​Return-Path:​ <​n3rd@sec-mail.guru>​
 +Delivered-To:​ django@nausch.org
 +Received: from mx01.nausch.org ([10.0.0.87])
 + by imap.nausch.org (Dovecot) with LMTP id 5VK5M3mQfVQ+HQAArK2B9Q
 + for <​django@nausch.org>;​ Tue, 02 Dec 2014 11:12:09 +0100
 +Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67])
 + by mx01.nausch.org (Postfix) with ESMTP id BB77CC00089
 + for <​django@nausch.org>;​ Tue,  2 Dec 2014 11:12:09 +0100 (CET)
 +Authentication-Results:​ viruswall.dmz.nausch.org (amavisd-new);​
 + dkim=pass (4096-bit key) reason="​pass (just generated, assumed good)"
 + header.d=sec-mail.guru
 +DKIM-Signature:​ v=1; a=rsa-sha256;​ c=relaxed/​simple;​ d=sec-mail.guru;​ h=
 + message-id:​x-mailer:​subject:​subject:​from:​from:​date:​date:​received
 + :received; s=140224; t=1417515129;​ x=1419329530;​ bh=ecGWgWCJeWxJ
 + FeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=;​ b=ArHGWDQmYsdOa/​OUk+FpIUpi8qRa
 + G+/​9TXitESTLrp1rCIFdjV51KpaBAkhyMrb2gk3pq+vaBNElRHK1BOD1F26ce/​xp
 + CnwvExI5giMa8vWs1tGHKRGpGVOFqxkw8IIGHroNNIF79Xky/​6NLQYuC+Tf6Q3C4
 + lIZcJivSK5RDzmMhn08v7KhJ8vW6EOIDAgKCD+HNpk60XKZ3OfWq3nerVTt/​Z7pC
 + kGdf/​QGLO6j4gKhotHLExOTYHh9wsVojw9Cwl//​yvmAxRaQ8uD5yJqvii/​CFpvAy
 + lzngq0uEYBGGDdtshrQjTECePpAFus3BSFHIJZWZwLl5kKlvyv9FNzilrQBTPia1
 + 6QeqAjoGEpqhLVPVWnVD0W9CFIBqpSUhxZ9zyYy7I9qDgGSh2XTo3YqXJWehfvDs
 + XyVvAW/​BVn75/​DYNRcsHT0Q8kkqdhOT1pPiGEc35297BngjqZpCq3nNFWHBgcfgv
 + I+pB+ld87SuC/​ocAJUjqhG1Onn/​RH44OsY24Pprl1/​G1sVC/​YgnuejE2CRg5JGd1
 + pg0Yic5HMkdCPr6ClxYA4f4sOQq1ESeqTbs44oLVohLYMZ9ZBV0qDSLG5b2VGinn
 + jI9NsZij40fDFsLf10f2LD050NpezV4du0Bd9Jgk930ft95yLzH2h5oMCJFN0hfR
 + 7+VYBVdVW1J0EAo=
 +X-Virus-Scanned:​ amavisd-new at nausch.org
 +X-Spam-Flag:​ NO
 +X-Spam-Score:​ 0.8
 +X-Spam-Level:​
 +X-Spam-Status:​ No, score=0.8 tagged_above=-1000 required=6.31
 + tests=[ALL_TRUSTED=-1,​ DKIM_ADSP_DISCARD=1.8] autolearn=no
 +Received: from mx01.nausch.org ([10.0.0.87])
 + by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new,​ port 10024)
 + with ESMTP id SUMj5uZrONx7 for <​django@nausch.org>;​
 + Tue,  2 Dec 2014 11:12:09 +0100 (CET)
 +Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87])
 + (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 + (No client certificate requested)
 + by mx01.nausch.org (Postfix) with ESMTPSA id 2E10CC00088
 + for <​django@nausch.org>;​ Tue,  2 Dec 2014 11:12:09 +0100 (CET)
 +Date: Tue, 02 Dec 2014 11:12:08 +0100
 +To: django@nausch.org
 +From: n3rd@sec-mail.guru
 +Subject: zweite HAM-Testnachricht auf Port 587
 +X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/​
 +X-Test: test eMail
 +Message-Id: <​20141202101209.2E10CC00088@mx01.nausch.org>​
 +
 +This is a test mailing
 +</​code>​
 +
 +
 +==== GTUBE auf Port 25 (MTA zu MTA Verkehr) ====
 +=== SMTP-Client (swaks) ===
 +Als nächstes versuchen wir eine SPAM-Mail ​ mit Hilfe von [[http://​www.jetmore.org/​john/​code/​swaks/​|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) an einen unserer eigenen Empfänger zu verschicken. Dazu laden wir uns erst einmal die [[http://​spamassassin.apache.org/​gtube/​|GTUBE]] [[http://​spamassassin.apache.org/​gtube/​gtube.txt|Testmail]] auf unseren Rechner.
 +   # wget http://​spamassassin.apache.org/​gtube/​gtube.txt
 +
 +   # less gtube.txt
 +<file gtube.txt>​Subject:​ Test spam mail (GTUBE)
 +Message-ID: <​GTUBE1.1010101@example.net>​
 +Date: Wed, 23 Jul 2003 23:30:00 +0200
 +From: Sender <​sender@example.net>​
 +To: Recipient <​recipient@example.net>​
 +Precedence: junk
 +MIME-Version:​ 1.0
 +Content-Type:​ text/plain; charset=us-ascii
 +Content-Transfer-Encoding:​ 7bit
 +
 +This is the GTUBE, the
 +        Generic
 +        Test for
 +        Unsolicited
 +        Bulk
 +        Email
 +
 +If your spam filter supports it, the GTUBE provides a test by which you
 +can verify that the filter is installed correctly and is detecting incoming
 +spam. You can send yourself a test mail containing the following string of
 +characters (in upper case and with no white spaces and line breaks):
 +
 +XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
 +
 +You should send this test mail from an account outside of your network.
 +</​file>​
 +
 +Diese Nachricht versuchen wir nun loszuschicken:​
 +   # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header "​Subject:​ dritte GTUBE-Testnachricht auf Port 25" --body gtube.txt
 +<​code>​=== Trying 10.0.0.87:​25... ​                               ​
 +=== Connected to 10.0.0.87. ​                              
 +<-  220 mx01.nausch.org ESMTP Postfix ​                    
 + -> EHLO vml000087.dmz.nausch.org ​                        
 +<-  250-mx01.nausch.org ​                                  
 +<-  250-PIPELINING ​                                       ​
 +<-  250-SIZE 52428800 ​                                    
 +<-  250-ETRN ​                                             ​
 +<-  250-STARTTLS ​                                         ​
 +<-  250-ENHANCEDSTATUSCODES ​                              
 +<-  250-8BITMIME ​                                         ​
 +<-  250 DSN                                               
 + -> STARTTLS ​                                             ​
 +<-  220 2.0.0 Ready to start TLS                          ​
 +=== TLS started with cipher TLSv1.2:​ECDHE-RSA-AES256-GCM-SHA384:​256
 +=== TLS no local certificate set                                   
 +=== TLS peer DN="/​serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/​OU=GT49447951/​OU=See www.rapidssl.com/​resources/​cps (c)13/​OU=Domain Control Validated - RapidSSL(R)/​CN=*.nausch.org" ​                                                                                                                                     ​
 + ~> EHLO vml000087.dmz.nausch.org ​                                                                                                                           ​
 +<~  250-mx01.nausch.org ​                                                                                                                                     ​
 +<~  250-PIPELINING ​                                                                                                                                          
 +<~  250-SIZE 52428800 ​                                                                                                                                       ​
 +<~  250-ETRN ​                                                                                                                                                
 +<~  250-ENHANCEDSTATUSCODES ​                                                                                                                                 ​
 +<~  250-8BITMIME ​                                                                                                                                            
 +<~  250 DSN                                                                                                                                                  ​
 + ~> MAIL FROM:<​n3rd@sec-mail.guru> ​                                                                                                                          
 +<~  250 2.1.0 Ok                                                                                                                                             
 + ~> RCPT TO:<​django@nausch.org> ​                                                                                                                             ​
 +<~  250 2.1.5 Ok                                                                                                                                             
 + ~> DATA                                                                                                                                                     
 +<~  354 End data with <​CR><​LF>​.<​CR><​LF> ​                                                                                                                     ​
 + ~> Date: Tue, 02 Dec 2014 12:10:34 +0100                                                                                                                    ​
 + ~> To: django@nausch.org ​                                                                                                                                   ​
 + ~> From: n3rd@sec-mail.guru ​                                                                                                                                
 + ~> Subject: dritte GTUBE-Testnachricht auf Port 25                                                                                                          ​
 + ~> X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/ ​                                                                                                
 + ~> X-Test: test eMail                                                                                                                                       
 + ​~> ​                                                                                                                                                         ​
 + ~> Subject: Test spam mail (GTUBE) ​                                                                                                                         ​
 + ~> Message-ID: <​GTUBE1.1010101@example.net> ​                                                                                                                
 + ~> Date: Wed, 23 Jul 2003 23:30:00 +0200                                                                                                                    ​
 + ~> From: Sender <​sender@example.net> ​                                                                                                                       ​
 + ~> To: Recipient <​recipient@example.net> ​                                                                                                                   ​
 + ~> Precedence: junk                                                                                                                                         
 + ~> MIME-Version:​ 1.0                                                                                                                                        ​
 + ~> Content-Type:​ text/plain; charset=us-ascii ​                                                                                                              
 + ~> Content-Transfer-Encoding:​ 7bit                                                                                                                          ​
 + ​~> ​                                                                                                                                                         ​
 + ~> This is the GTUBE, the                                                                                                                                   
 + ​~> ​    ​Generic ​                                                                                                                                             ​
 + ​~> ​    Test for                                                                                                                                             
 + ​~> ​    ​Unsolicited ​                                                                                                                                         ​
 + ​~> ​    Bulk
 + ​~> ​    Email
 + ~>
 + ~> If your spam filter supports it, the GTUBE provides a test by which you
 + ~> can verify that the filter is installed correctly and is detecting incoming
 + ~> spam. You can send yourself a test mail containing the following string of
 + ~> characters (in upper case and with no white spaces and line breaks):
 + ~>
 + ~> XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
 + ~>
 + ~> You should send this test mail from an account outside of your network.
 + ~>
 + ~>
 + ~>
 + ~> .
 +<~* 554 5.7.0 Reject, id=15388-01 - spam. Contact your postmaster/​admin for technical assistance. He can achieve our postmaster via email: postmaster@nausch.org or via fax: +49 8121 883179. In any case, please provide the following information in your problem report: This error message, time (Dec 02 12:10:36), client (10.0.0.87) and server (mx01.nausch.org).
 + ~> QUIT
 +<~  221 2.0.0 Bye
 +</​code>​
 +
 +Wie wir sehen können hat der SMTP-Server die Annahme der Nachricht mit dem Fehlercode **554 5.7.0 Reject, id=15388-01 - spam.** verweigert. Zu dieser Fehlermeldung erhält der einliefernde SMTP-Client noch Informationen wie er sichh ggf mit uns in Verbindung setzen kann.
 +
 +=== SMTP-Server ===
 +Auf unserem Borderfilter finden wir im **Maillog** auch die relevanten Einträge zu dem Versuch eine SPAM-Mail einzuliefern.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 12:10:34 vml000087 postfix/​smtpd[27450]:​ connect from vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 12:10:34 vml000087 postfix/​smtpd[27450]:​ Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]:​ TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 +Dec  2 12:10:35 vml000087 postfix/​smtpd[27450]:​ 5651EC00088:​ client=vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 12:10:35 vml000087 postfix/​cleanup[27456]:​ 5651EC00088:​ message-id=<​20141202111035.5651EC00088@mx01.nausch.org>​
 +Dec  2 12:10:36 vml000087 postfix/​cleanup[27456]:​ 5651EC00088:​ milter-reject:​ END-OF-MESSAGE from vml000087.dmz.nausch.org[10.0.0.87]:​ 5.7.0 Reject, id=15388-01 - spam; from=<​n3rd@sec-mail.guru>​ to=<​django@nausch.org>​ proto=ESMTP helo=<​vml000087.dmz.nausch.org>​
 +Dec  2 12:10:36 vml000087 postfix/​smtpd[27450]:​ disconnect from vml000087.dmz.nausch.org[10.0.0.87]
 +</​code>​
 +
 +Hir finden wie auch die **id=15388-01** wieder, die uns der AMaViS-Host genannt hat. Diesen können wir nun verwenden um auf dem AMaViS-Host im Maillog zu suchen um in Erfahrung zu bringen, warum die Nachricht abgeleht wurde.
 +
 +=== ASAV-Host ===
 +Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 12:10:35 vml000067 amavis[15388]:​ loaded policy bank "​AM.PDP-SOCK"​
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ process_request:​ fileno sock=13, STDIN=0, STDOUT=1
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: request=AM.PDP
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: queue_id=5651EC00088
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: sender=<​n3rd@sec-mail.guru>​
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: recipient=<​django@nausch.org>​
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: tempdir=/​var/​spool/​amavisd/​tmp/​afXXXXH8hJPB
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: tempdir_removed_by=client
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: mail_file=/​var/​spool/​amavisd/​tmp/​afXXXXH8hJPB/​email.txt
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: delivery_care_of=client
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: client_address=10.0.0.87
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: client_name=vml000087.dmz.nausch.org
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: helo_name=vml000087.dmz.nausch.org
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ policy protocol: policy_bank=mx01.nausch.org
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) Request: AM.PDP ​ /​var/​spool/​amavisd/​tmp/​afXXXXH8hJPB:​ <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>​
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) loaded policy bank "​MYNETS"​ over "​AM.PDP-SOCK"​
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) body hash: 4c7abc06887b1723a5b47a0f9562fd5c
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) ip_trace: 10.0.0.87
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) Checking: pMRMheNjbXZG AM.PDP-SOCK/​MYNETS [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>​
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) 2822.From: <​n3rd@sec-mail.guru>​
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) p001 1 Content-Type:​ text/plain, size: 801 B, name:
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) inspect_dsn:​ not a bounce
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) Checking for banned types and filenames
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) collect banned table[0]: django@nausch.org,​ tables:
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) p.path django@nausch.org:​ "​P=p001,​L=1,​M=text/​plain,​T=asc"​
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) presenting full original message to scanners as /​var/​spool/​amavisd/​tmp/​afXXXXH8hJPB/​parts/​p002
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) run_av Using (ClamAV-clamd):​ (code) CONTSCAN /​var/​spool/​amavisd/​tmp/​afXXXXH8hJPB/​parts\n
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) ClamAV-clamd:​ Connecting to socket ​ /​var/​run/​clamd.amavisd/​clamd.sock
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) new socket by IO::​Socket::​UNIX to /​var/​run/​clamd.amavisd/​clamd.sock,​ timeout 10
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) ClamAV-clamd:​ Sending CONTSCAN /​var/​spool/​amavisd/​tmp/​afXXXXH8hJPB/​parts\n to socket /​var/​run/​clamd.amavisd/​clamd.sock
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) rw_loop read: got eof
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) run_av (ClamAV-clamd):​ CLEAN
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) run_av (ClamAV-clamd) result: clean
 +Dec  2 12:10:35 vml000067 amavis[15388]:​ (15388-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as STRING, recips_ind [0], user: "​amavis"​
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) spam_scan: score=1000.8 autolearn=no tests=[ALL_TRUSTED=-1,​DKIM_ADSP_DISCARD=1.8,​GTUBE=1000] recips=0
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) spam_scan: dsn_suppress_reason DKIM_ADSP_DISCARD
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) blocking contents category is (6) for django@nausch.org,​ final_destiny -3
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) do_notify_and_quar:​ ccat=Spam (6,0) ("​6":​Spam,​ "​5":​Spammy,​ "​1,​1":​CleanTag,​ "​1":​Clean,​ "​0":​CatchAll) ccat_block=(6),​ qar_mth=
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) delivery method is 1, recips: django@nausch.org
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) DSN: sender is credible (orig), SA: 1000.800, <​n3rd@sec-mail.guru>​
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) status counters: InMsgsStatus{Rejected,​RejectedInternal,​RejectedOriginating}
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) Blocked SPAM {RejectedInternal},​ AM.PDP-SOCK/​MYNETS LOCAL [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>,​ Queue-ID: 5651EC00088,​ Message-ID: <​20141202111035.5651EC00088@mx01.nausch.org>,​ mail_id: pMRMheNjbXZG,​ Hits: 1000.8, size: 1301, 771 ms
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) TIMING-SA total 691 ms - parse: 1.82 (0.3%), extract_message_metadata:​ 15 (2.1%), poll_dns_idle:​ 0.50 (0.1%), get_uri_detail_list:​ 1.64 (0.2%), tests_pri_-1000:​ 6 (0.9%), tests_pri_-950:​ 1.93 (0.3%), tests_pri_-900:​ 1.33 (0.2%), tests_pri_-400:​ 1.06 (0.2%), tests_pri_0:​ 644 (93.1%), check_dkim_adsp:​ 6 (0.8%), check_spf: 0.58 (0.1%), check_razor2:​ 531 (76.8%), check_pyzor:​ 0.26 (0.0%), tests_pri_500:​ 4 (0.6%), get_report: 1.36 (0.2%)
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) mail checking ended: version_server=2\nlog_id=15388-01\nsetreply=554 5.7.0 Reject,​%20id=15388-01%20-%20spam\nreturn_value=reject\nexit_code=69
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) size: 1301, TIMING [total 774 ms] - got data: 0.0 (0%)0, check_init: 6 (1%)1, digest_hdr: 1.8 (0%)1, digest_body_dkim:​ 0.4 (0%)1, collect_info:​ 4.9 (1%)2, mkdir parts: 1.9 (0%)2, mime_decode:​ 10 (1%)3, get-file-type1:​ 19 (2%)6, parts_decode:​ 0.2 (0%)6, check_header:​ 0.5 (0%)6, AV-scan-1: 16 (2%)8, spam-wb-list:​ 0.7 (0%)8, SA msg read: 0.8 (0%)8, SA parse: 4.8 (1%)9, SA check: 682 (88%)97, decide_mail_destiny:​ 10 (1%)98, notif-quar: 0.6 (0%)98, prepare-dsn:​ 1.0 (0%)98, report: 2.0 (0%)99, main_log_entry:​ 8 (1%)100, update_snmp:​ 1.8 (0%)100, rundown: 1.1 (0%)100
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) extra modules loaded: unicore/​lib/​Gc/​Nd.pl
 +Dec  2 12:10:36 vml000067 amavis[15388]:​ (15388-01) load: 100 %, total idle 0.000 s, busy 0.809 s
 +</​code>​
 +==== GTUBE auf Port 587 (MUA zu MSA Verkehr) ====
 +Als nächstes überprüfen wir, ob wir die GTUBE-Testmail als authentifizierten User von einem **MUA**((**M**ail **U**ser **A**gent)) beim **MSA**((**M**ail **S**ubmission **A**gent)) erfolgreich einliefern können.
 +
 +=== SMTP-Client (swaks) ===
 +Das bereits heruntergeladene GTUBE-Testmail versuchen wir nun mit mit Hilfe von [[http://​www.jetmore.org/​john/​code/​swaks/​|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) an einen unserer eigenen Empfänger zu verschicken. ​
 +   # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header "​Subject:​ vierte Testnachricht SPAM auf Port 587" --auth NTLM --auth-user n3rd@sec-mail.guru --auth-password Dj4n90-d3r-M41153rv3rguru! --body gtube.txt
 +
 +<​code>​=== Trying 10.0.0.87:​587...
 +=== Connected to 10.0.0.87.
 +<-  220 mx01.nausch.org ESMTP Postfix
 + -> EHLO vml000087.dmz.nausch.org
 +<-  250-mx01.nausch.org
 +<-  250-PIPELINING
 +<-  250-SIZE 52428800
 +<-  250-ETRN
 +<-  250-STARTTLS
 +<-  250-ENHANCEDSTATUSCODES
 +<-  250-8BITMIME
 +<-  250 DSN
 + -> STARTTLS
 +<-  220 2.0.0 Ready to start TLS
 +=== TLS started with cipher TLSv1.2:​ECDHE-RSA-AES256-GCM-SHA384:​256
 +=== TLS no local certificate set
 +=== TLS peer DN="/​serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/​OU=GT49447951/​OU=See www.rapidssl.com/​resources/​cps (c)13/​OU=Domain Control Validated - RapidSSL(R)/​CN=*.nausch.org"​
 + ~> EHLO vml000087.dmz.nausch.org
 +<~  250-mx01.nausch.org
 +<~  250-PIPELINING
 +<~  250-SIZE 52428800
 +<~  250-ETRN
 +<~  250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
 +<~  250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
 +<~  250-ENHANCEDSTATUSCODES
 +<~  250-8BITMIME
 +<~  250 DSN
 + ~> AUTH NTLM
 +<~  334 
 + ~> TlRUMTVNTUAABAAAABU6IAAAAAAAAAAAAAAAAAAAAAAAA=
 +<~  334 UTlRMTVNTUAADUAAAAGAAYAEAAAAAYABUgAWAAAADAAMABwAAAAJAAkAKAAAAAkACQAxAAAAAAAAACoAAAABUQKCABKUTbcHiUVToxqvguZXpp6jgnmGYJ9jDa0UoXqDbxiyz+V1xFp8hFH2sd3yaZl/​qjY3YAbQBsADUAAMAAwADAANwA3AC4AZABtAHoALUgBuAGEAdQBzAGMUAaAAuAG8AcgBnAG4AMwByAGQAQABzAGUAYwAtAG0AYQBpAGwALgBnAHUAcgB1AG4AMwByAGQAQABzAGUAYwAtAG0UAYQBpAGwALgBnAHUAcgB1AA==
 +<~  235 2.7.0 Authentication successful
 + ~> MAIL FROM:<​n3rd@sec-mail.guru>​
 +<~  250 2.1.0 Ok
 + ~> RCPT TO:<​django@nausch.org>​
 +<~  250 2.1.5 Ok
 + ~> DATA
 +<~  354 End data with <​CR><​LF>​.<​CR><​LF>​
 + ~> Date: Tue, 02 Dec 2014 15:27:15 +0100
 + ~> To: django@nausch.org
 + ~> From: n3rd@sec-mail.guru
 + ~> Subject: vierte Testnachricht SPAM auf Port 587
 + ~> X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/​
 + ~> X-Test: test eMail
 + ​~> ​
 + ~> Subject: Test spam mail (GTUBE)
 + ~> Message-ID: <​GTUBE1.1010101@example.net>​
 + ~> Date: Wed, 23 Jul 2003 23:30:00 +0200
 + ~> From: Sender <​sender@example.net>​
 + ~> To: Recipient <​recipient@example.net>​
 + ~> Precedence: junk
 + ~> MIME-Version:​ 1.0
 + ~> Content-Type:​ text/plain; charset=us-ascii
 + ~> Content-Transfer-Encoding:​ 7bit
 + ​~> ​
 + ~> This is the GTUBE, the
 + ​~> ​    ​Generic
 + ​~> ​    Test for
 + ​~> ​    ​Unsolicited
 + ​~> ​    Bulk
 + ​~> ​    Email
 + ​~> ​
 + ~> If your spam filter supports it, the GTUBE provides a test by which you
 + ~> can verify that the filter is installed correctly and is detecting incoming
 + ~> spam. You can send yourself a test mail containing the following string of
 + ~> characters (in upper case and with no white spaces and line breaks):
 + ​~> ​
 + ~> XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
 + ​~> ​
 + ~> You should send this test mail from an account outside of your network.
 + ​~> ​
 + ​~> ​
 + ​~> ​
 + ~> .
 +<~  250 2.0.0 Ok: queued as E5401C00088
 + ~> QUIT
 +<~  221 2.0.0 Bye
 +=== Connection closed with remote host.
 +</​code>​
 +
 +Die Nachricht wird dem authentifizierten User abgenommen und mit einem **250**er bestätigt. Heißt das nun, dass unsere Konfiguration fehlerhaft ist, oder der Contentscanner nicht richtig funktioniert?​ **Nein, ganz und gar nicht!** Wir haben bei der Konfiguration explizit angegeben, dass wir Nachrichten von authentifizierten Nutzern sofort anzunehmen und erst im zweiten Schritt scannen wollen und genau das macht unser AMaViS-Server auch.
 +
 +Den genauen Ablauf dazu, sehen wir uns nun im Detail an.
 +
 +=== SMTP-Server (Teil 1 von 3) ===
 +Im **Maillog** unseres Borderfilters sehen wir nun zu unserem gerade durchgeführten Versuch mehrere zusammenhängende Logeinträge.
 +   # less /​var/​log/​maillog
 +
 +Zunächst sehen wir den TLS-Verbindungsaufbau,​ gefolgt von der erfolgreichen Authentifizierung unseres Users und die Entgegennahme der eMail vom MSA((**M**ail **S**ubmission **A**gent)).
 +<​code>​Dec ​ 2 15:27:15 vml000087 postfix/​submission/​smtpd[27678]:​ connect from vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 15:27:15 vml000087 postfix/​submission/​smtpd[27678]:​ Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]:​ TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 +Dec  2 15:27:15 vml000087 postfix/​submission/​smtpd[27678]:​ E5401C00088:​ client=vml000087.dmz.nausch.org[10.0.0.87],​ sasl_method=NTLM,​ sasl_username=n3rd@sec-mail.guru
 +Dec  2 15:27:15 vml000087 postfix/​cleanup[27683]:​ E5401C00088:​ message-id=<​20141202142715.E5401C00088@mx01.nausch.org>​
 +Dec  2 15:27:15 vml000087 postfix/​qmgr[27247]:​ E5401C00088:​ from=<​n3rd@sec-mail.guru>,​ size=1417, nrcpt=1 (queue active)
 +Dec  2 15:27:15 vml000087 postfix/​submission/​smtpd[27678]:​ disconnect from vml000087.dmz.nausch.org[10.0.0.87]
 +</​code>​
 +
 +=== ASAV-Host ===
 +Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.
 +
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 15:27:16 vml000067 amavis[15668]:​ loaded policy bank "​ORIGINATING"​
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ process_request:​ fileno sock=13, STDIN=0, STDOUT=1
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) ESMTP:​[10.0.0.67]:​10024 /​var/​spool/​amavisd/​tmp/​amavis-20141202T152716-15668-4MUitFJK:​ <​n3rd@sec-mail.guru>​ -> <​django@nausch.
 +org> Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new,​ port 10024) with ESMTP for <​django@nausch.org>​
 +; Tue,  2 Dec 2014 15:27:16 +0100 (CET)
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) body hash: 4c7abc06887b1723a5b47a0f9562fd5c
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) ip_trace: 10.0.0.87
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) client IP address unknown, fetched from Received: 10.0.0.87
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) Checking: o1aYnuSaPRGv ORIGINATING [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>​
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) 2822.From: <​n3rd@sec-mail.guru>​
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) p001 1 Content-Type:​ text/plain, size: 801 B, name:
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) inspect_dsn:​ not a bounce
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) Checking for banned types and filenames
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) skipping banned check: all recipients bypass banned checks
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) presenting full original message to scanners as /​var/​spool/​amavisd/​tmp/​amavis-20141202T152716-15668-4MUitFJK/​parts/​p002
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) run_av Using (ClamAV-clamd):​ (code) CONTSCAN /​var/​spool/​amavisd/​tmp/​amavis-20141202T152716-15668-4MUitFJK/​parts\n
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) ClamAV-clamd:​ Connecting to socket ​ /​var/​run/​clamd.amavisd/​clamd.sock
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) new socket by IO::​Socket::​UNIX to /​var/​run/​clamd.amavisd/​clamd.sock,​ timeout 10
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) ClamAV-clamd:​ Sending CONTSCAN /​var/​spool/​amavisd/​tmp/​amavis-20141202T152716-15668-4MUitFJK/​parts\n to socket /​var/​run/​clamd.
 +amavisd/​clamd.sock
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) rw_loop read: got eof
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) run_av (ClamAV-clamd):​ CLEAN
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) run_av (ClamAV-clamd) result: clean
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as STRING, recips_ind [0], user: "​amavis"​
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) spam_scan: score=1000.8 autolearn=no tests=[ALL_TRUSTED=-1,​DKIM_ADSP_DISCARD=1.8,​GTUBE=1000] recips=0
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) spam_scan: dsn_suppress_reason DKIM_ADSP_DISCARD
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) blocking contents category is (6) for django@nausch.org,​ final_destiny -3</​code>​
 +
 +Der SPAM-Wert von **1000.8** liegt doch "etwas über" unserem definierten Wert von **6.31**, die Nachricht wird also nicht zugestellt!
 +
 +<WRAP center round important>​
 +Gemäß unserer Konfiguration erhält der der Empfänger **virusalert@nausch.org** eine Nachricht von **postmaster@nausch.org** mit dem Details zu der SPAM-Mail. Der Postmaster kann so reagieren und mit dem authentifizierten Mailbox-Nutzer Kontalt aufnehmen und diesen ggf. darauf hinweisen, dass unter Umständen sein Rechner von einem Zombie gekapert wurde und dieser munter SPAM-Mails verschicken will. Ein weitere Ursache könnte auch ein durch eine **[[http://​de.wikipedia.org/​wiki/​Brute-Force-Methode|Brute-Force-Methode]]** geknacktem Mailkonto, da dort z.B. irgend ein __Trivialpasswort__ verwendet wurde, was leider durchweg des öfteren vorkommt. ​
 +
 +So kann der Postmaster tätig werden und weiteren Schaden vom Mailserver abwenden, bevor der eigene Server auf einer **Blacklist** landet und so dann gar keine Nachricht mehr verschickt werden könnte.
 +</​WRAP>​
 +
 +Im Maillog des AMaViS-Servers sehen wir nun, dass der Daemon die entsprechende Nachricht an den definierten Bearbeiter verschicken wird.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 15:27:16 vml000067 amavis[15668]:​ (15668-01) do_notify_and_quar:​ ccat=Spam (6,0) ("​6":​Spam,​ "​5":​Spammy,​ "​1,​1":​CleanTag,​ "​1":​Clean,​ "​0":​CatchAll) ccat_block=(6),​ qar_mth=
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) dkim: candidate originators:​ From:<​postmaster@nausch.org>​
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) dkim: signing (author), From: <​postmaster@nausch.org>​ (From:<​postmaster@nausch.org>​),​ KEY.h=>​sha256,​ KEY.key_ind=>​1,​ a=>​rsa-sha256,​ c=>​relaxed/​simple,​ d=>​nausch.org,​ s=>​140224,​ ttl=>​1814400,​ x=>​1419344837
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp session: setting up a new session
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) new socket using IO::​Socket::​IP to [10.0.0.87]:​10025,​ timeout 35
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 52.5 ms
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp cmd> EHLO viruswall.dmz.nausch.org
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) AUTH not needed, user='',​ MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM'
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp cmd> MAIL FROM:<​postmaster@nausch.org>​ ENVID=AM.ofn-luxWKSUo.20141202T142716Z@viruswall.dmz.nausch.org
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp cmd> RCPT TO:<​virusalert@nausch.org>​
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp cmd> DATA
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp resp to MAIL (pip): 250 2.1.0 Ok
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp resp to RCPT (pip) (<​virusalert@nausch.org>​):​ 250 2.1.5 Ok
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp resp to DATA: 354 End data with <​CR><​LF>​.<​CR><​LF>​
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) smtp resp to data-dot (<​virusalert@nausch.org>​):​ 250 2.0.0 Ok: queued as 9A6FBC00089,​ dt: 40.0 ms
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) Amavis::​Out::​SMTP::​Session close, keeping connection
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) ofn-luxWKSUo(o1aYnuSaPRGv) SEND from <​postmaster@nausch.org>​ -> <​virusalert@nausch.org>,​ ENVID=AM.ofn-luxWKSUo.20141202T142716Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:​[10.0.0.87]:​10025):​ 250 2.0.0 Ok: queued as 9A6FBC00089
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) delivery method is 1, recips: django@nausch.org
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) DSN: sender is credible (orig), SA: 1000.800, <​n3rd@sec-mail.guru>​
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) status counters: InMsgsStatus{Rejected,​RejectedInternal,​RejectedOriginating}
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) Blocked SPAM {RejectedInternal},​ ORIGINATING LOCAL [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>,​ Message-ID: <​20141202142715.E5401C00088@mx01.nausch.org>,​ mail_id: o1aYnuSaPRGv,​ Hits: 1000.8, size: 1417, 692 ms
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) TIMING-SA total 404 ms - parse: 1.77 (0.4%), extract_message_metadata:​ 15 (3.6%), poll_dns_idle:​ 0.24 (0.1%), get_uri_detail_list:​ 1.66 (0.4%), tests_pri_-1000:​ 7 (1.7%), tests_pri_-950:​ 2.00 (0.5%), tests_pri_-900:​ 1.29 (0.3%), tests_pri_-400:​ 1.03 (0.3%), tests_pri_0:​ 356 (88.2%), check_dkim_adsp:​ 5 (1.2%), check_spf: 0.45 (0.1%), check_razor2:​ 250 (61.8%), check_pyzor:​ 0.28 (0.1%), tests_pri_500:​ 4 (0.9%), get_report: 1.31 (0.3%)
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) sending SMTP response: "554 5.7.0 Reject, id=15668-01 - spam"
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) size: 1417, TIMING [total 698 ms] - SMTP greeting: 9 (1%)1, SMTP EHLO: 3.1 (0%)2, SMTP pre-MAIL: 0.6 (0%)2, mkdir tempdir: 1.5 (0%)2, create email.txt: 0.3 (0%)2, SMTP pre-DATA-flush:​ 4.1 (1%)3, SMTP DATA: 39 (6%)8, check_init: 1.3 (0%)8, digest_hdr: 2.0 (0%)9, digest_body_dkim:​ 0.5 (0%)9, collect_info:​ 2.5 (0%)9, mkdir parts: 1.9 (0%)9, mime_decode:​ 11 (2%)11, get-file-type1:​ 19 (3%)14, parts_decode:​ 0.2 (0%)14, check_header:​ 0.6 (0%)14, AV-scan-1: 9 (1%)15, spam-wb-list:​ 0.9 (0%)15, SA msg read: 0.8 (0%)15, SA parse: 4.2 (1%)16, SA check: 395 (57%)72, decide_mail_destiny:​ 10 (1%)74, notif-quar: 0.6 (0%)74, write-header:​ 16 (2%)76, fwd-data-dkim:​ 35 (5%)81, fwd-connect:​ 57 (8%)89, fwd-mail-pip:​ 7 (1%)91, fwd-rcpt-pip:​ 0.3 (0%)91, fwd-data-chkpnt:​ 0.1 (0%)91, write-header:​ 0.5 (0%)91, fwd-data-contents:​ 2.6 (0%)91, fwd-end-chkpnt:​ 41 (6%)97, prepare-dsn:​ 2.4 (0%)97, report: 4.7 (1%)98, main_log_entry:​ 11 (2%)100, update_snmp:​ 1.9 (0%)100, SMTP pre-resp...
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) ...onse: 0.3 (0%)100, SMTP response: 0.3 (0%)100, unlink-2-files:​ 0.2 (0%)100, rundown: 0.7 (0%)100
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) extra modules loaded: unicore/​lib/​Gc/​Nd.pl
 +Dec  2 15:27:16 vml000067 amavis[15668]:​ (15668-01) load: 100 %, total idle 0.003 s, busy 0.700 s</​code>​
 +
 +=== SMTP-Server (Teil 2 von 3) ===
 +Im **Maillog** unseres Borderfilters sehen wir nun also als nächstes den Eingang dieser Notification-eMail an den definierten Empfänger.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 15:27:16 vml000087 postfix/​smtpd[27685]:​ connect from vml000067.dmz.nausch.org[10.0.0.67]
 +Dec  2 15:27:16 vml000087 postfix/​smtpd[27685]:​ 9A6FBC00089:​ client=vml000067.dmz.nausch.org[10.0.0.67]
 +Dec  2 15:27:16 vml000087 postfix/​cleanup[27683]:​ 9A6FBC00089:​ message-id=<​SAo1aYnuSaPRGv@viruswall.dmz.nausch.org>​
 +Dec  2 15:27:16 vml000087 postfix/​qmgr[27247]:​ 9A6FBC00089:​ from=<​postmaster@nausch.org>,​ size=4328, nrcpt=1 (queue active)
 +Dec  2 15:27:16 vml000087 postfix/​smtp[27684]:​ E5401C00088:​ to=<​django@nausch.org>,​ relay=10.0.0.67[10.0.0.67]:​10024,​ delay=0.77, delays=0.04/​0.03/​0.02/​0.69,​ dsn=5.7.0, status=bounced (host 10.0.0.67[10.0.0.67] said: 554 5.7.0 Reject, id=15668-01 - spam (in reply to end of DATA command))
 +Dec  2 15:27:16 vml000087 postfix/​cleanup[27683]:​ B736EC0008A:​ message-id=<​20141202142716.B736EC0008A@mx01.nausch.org>​
 +Dec  2 15:27:16 vml000087 postfix/​qmgr[27247]:​ B736EC0008A:​ from=<>,​ size=4076, nrcpt=1 (queue active)
 +Dec  2 15:27:16 vml000087 postfix/​bounce[27687]:​ E5401C00088:​ sender non-delivery notification:​ B736EC0008A
 +Dec  2 15:27:16 vml000087 postfix/​qmgr[27247]:​ E5401C00088:​ removed
 +Dec  2 15:27:17 vml000087 postfix/​lmtp[27686]:​ 9A6FBC00089:​ to=<​django@nausch.org>,​ orig_to=<​virusalert@nausch.org>,​ relay=10.0.0.77[10.0.0.77]:​24,​ delay=0.46, delays=0.04/​0.01/​0.01/​0.39,​ dsn=2.0.0, status=sent (250 2.0.0 <​django@nausch.org>​ 0WGxKC3MfVQbPAAArK2B9Q Saved)
 +Dec  2 15:27:17 vml000087 postfix/​qmgr[27247]:​ 9A6FBC00089:​ removed
 +</​code>​
 +
 +=== SMTP-Server (Teil 3 von 3) ===
 +
 +<WRAP center round tip>
 +Zu guter Letzt sehen wir dann noch die **Bounce**-Nachricht an den ursprünglichen Absender, den wir ja zweifelsfrei kennen, da dieser sich beim Einliefern der Nachricht authentifizierten hatte. Somit ist die Gefahr von **[[http://​de.wikipedia.org/​wiki/​Backscatter_%28E-Mail%29|backscatter eMail]]** ausgeschlossen!
 +</​WRAP>​
 +
 +   # less /​var/​log/​messages
 +
 +   ​Dec ​ 2 15:27:17 vml000087 postfix/​lmtp[27688]:​ B736EC0008A:​ to=<​n3rd@sec-mail.guru>,​ relay=10.0.0.77[10.0.0.77]:​24,​ delay=0.49, delays=0.07/​0.01/​0.02/​0.39,​ dsn=2.0.0, status=sent (250 2.0.0 <​n3rd@sec-mail.guru>​ hwVTMkTMfVQfPAAArK2B9Q Saved)
 +   ​Dec ​ 2 15:27:17 vml000087 postfix/​qmgr[27247]:​ B736EC0008A:​ removed
 +
 +=== MUA (Empfänger der Notification Mail) ===
 +Wie schon angeschnitten erhält der verantwortliche Admin des Servers mit der Addresse **virusalert@nausch.org** eine Nachricht mit dem Detail des Versuches eine SPAM-Mail zu verschicken.
 +
 +<​code>​Return-Path:​ <​postmaster@nausch.org>​
 +Delivered-To:​ django@nausch.org
 +Received: from mx01.nausch.org ([10.0.0.87])
 + by imap.nausch.org (Dovecot) with LMTP id 0WGxKC3MfVQbPAAArK2B9Q
 + for <​django@nausch.org>;​ Tue, 02 Dec 2014 15:27:16 +0100
 +Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67])
 + by mx01.nausch.org (Postfix) with ESMTP id 9A6FBC00089
 + for <​virusalert@nausch.org>;​ Tue,  2 Dec 2014 15:27:16 +0100 (CET)
 +DKIM-Signature:​ v=1; a=rsa-sha256;​ c=relaxed/​simple;​ d=nausch.org;​ h=
 + message-id:​subject:​subject:​date:​date:​from:​from:​mime-version
 + :​content-transfer-encoding:​content-type:​content-type;​ s=140224;
 + t=1417530436;​ x=1419344837;​ bh=tVWIH0duwt/​kaEdApRyhDUvLvxAvX1C8
 + fu9jN2ZwFt0=;​ b=AZgQAhDSlqrdcLzC1k/​VopOx3PAKPHpmKeivYeIWA6KFVZH6
 + Xxbc0Unj1QQ08ZSGRNHFp5aJu4rN71BI8ad8OhRTSHdbhWR821V2Z2yRti7TUDwq
 + QZigx230dACkYKrzQhTKJawAmXKbg1V2EUbTTqUpwBDsaYnTML9i+fAr4mcVrN2n
 + JBAmg1K3OL0uokXp/​eaaKpxG+GDMgv8n6dsXgk29+1V2BznRz3HTcA0BsT9m0087
 + kxonaX5Bhio01JhAEuG+fy2f12N3QMNQ2l+8zWQskPXUaL/​q3SGG/​dYcBvtL2BuR
 + m6f1+Z8kBuZeosXe/​a3rma8v+Sdbg++u2bY6jCtGLChN/​M3/​bO/​qq1IiYSpLOLQI
 + adNxaPKefjC75FtY0AEYWpDlU8WIbk/​Wqb0/​KovhexGto84UTZcmRq0Z8t8RBNtN
 + xmy4M2uNK2l6aWbfQV0cjnrg0FQ2AfisP74d45dEaDNV+dsBhMiYgcZ1wHhW4Aro
 + ug1OiU1+hbie1t59J0Y15BHO/​BeJSvJYNTlf/​twopaObQc1LAJSzuIUZegyiFjMQ
 + /​AdpdmpWFKhPTZNp2JwDoBm3vd5DT555t5+kIuRh/​8mKhNRs194ZZzXCuUdrkgMm
 + LQL4HSB5TbVxVDhOfgaStlWWRZmt4IwWR3aOsfGA2TSEOle4cTJXWHxokec=
 +Content-Type:​ multipart/​mixed;​ boundary="​----------=_1417530436-15668-0"​
 +Content-Transfer-Encoding:​ 7bit
 +MIME-Version:​ 1.0
 +From: "​Content-filter at viruswall.dmz.nausch.org"​ <​postmaster@nausch.org>​
 +Date: Tue,  2 Dec 2014 15:27:16 +0100 (CET)
 +Subject: Spam FROM LOCAL [10.0.0.87] <​n3rd@sec-mail.guru>​
 +To: <​virusalert@nausch.org>​
 +Message-ID: <​SAo1aYnuSaPRGv@viruswall.dmz.nausch.org>​
 +
 +This is a multi-part message in MIME format...
 +
 +------------=_1417530436-15668-0
 +Content-Type:​ text/plain; charset="​UTF-8"​
 +Content-Disposition:​ inline
 +Content-Transfer-Encoding:​ 7bit
 +
 +Content type: Spam
 +Internal reference code for the message is 15668-01/​o1aYnuSaPRGv
 +
 +First upstream SMTP client IP address: [10.0.0.87] ​
 +Received from: 10.0.0.87
 +
 +Return-Path:​ <​n3rd@sec-mail.guru>​
 +From: n3rd@sec-mail.guru
 +Message-ID: <​20141202142715.E5401C00088@mx01.nausch.org>​
 +X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/​
 +Subject: vierte Testnachricht SPAM auf Port 587
 +Not quarantined.
 +
 +The message WAS NOT relayed to:
 +<​django@nausch.org>:​
 +   554 5.7.0 Reject, id=15668-01 - spam
 +
 +Spam scanner report:
 +Spam detection software, running on the system "​vml000067.dmz.nausch.org",​ has
 +identified this incoming email as possible spam.  The original message
 +has been attached to this so you can view it (if it isn't spam) or label
 +similar future email. ​ If you have any questions, see
 +the administrator of that system for details.
 +
 +Content preview: ​ Subject: Test spam mail (GTUBE) Message-ID: <​GTUBE1.1010101@example.net>​
 +   Date: Wed, 23 Jul 2003 23:30:00 +0200 From: Sender <​sender@example.net>​ To:
 +   ​Recipient <​recipient@example.net>​ Precedence: junk MIME-Version:​ 1.0 Content-Type:​
 +   ​text/​plain;​ charset=us-ascii Content-Transfer-Encoding:​ 7bit [...] 
 +
 +Content analysis details: ​  ​(1000.8 points, 5.0 required)
 +
 + pts rule name              description
 +---- ---------------------- --------------------------------------------------
 +-1.0 ALL_TRUSTED ​           Passed through trusted hosts only via SMTP
 + 1.8 DKIM_ADSP_DISCARD ​     No valid author signature, domain signs all mail
 +                            and suggests discarding the rest
 +1000 GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
 +
 +------------=_1417530436-15668-0
 +Content-Type:​ text/​rfc822-headers;​ name="​header"​
 +Content-Disposition:​ inline; filename="​header"​
 +Content-Transfer-Encoding:​ 7bit
 +Content-Description:​ Message header section
 +
 +Return-Path:​ <​n3rd@sec-mail.guru>​
 +Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87])
 + (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 + (No client certificate requested)
 + by mx01.nausch.org (Postfix) with ESMTPSA id E5401C00088
 + for <​django@nausch.org>;​ Tue,  2 Dec 2014 15:27:15 +0100 (CET)
 +Date: Tue, 02 Dec 2014 15:27:15 +0100
 +To: django@nausch.org
 +From: n3rd@sec-mail.guru
 +Subject: vierte Testnachricht SPAM auf Port 587
 +X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/​
 +X-Test: test eMail
 +Message-Id: <​20141202142715.E5401C00088@mx01.nausch.org>​
 +
 +------------=_1417530436-15668-0--
 +</​code>​
 +
 +=== MUA (Empfänger der Bounce Mail) ===
 +Der Ursprüngliche authentifizierte Absender erhält die Bounce-Nachricht,​ dass seine Nachricht nicht weiterverschickt werden konnte. Dieser kann dann entsprechend tätig werden und den Fehler abstellen (helfen).
 +
 +<​code>​Return-Path:​ <>
 +Delivered-To:​ n3rd@sec-mail.guru
 +Received: from mx01.nausch.org ([10.0.0.87])
 + by imap.nausch.org (Dovecot) with LMTP id hwVTMkTMfVQfPAAArK2B9Q
 + for <​n3rd@sec-mail.guru>;​ Tue, 02 Dec 2014 15:27:16 +0100
 +Received: by mx01.nausch.org (Postfix)
 + id B736EC0008A;​ Tue,  2 Dec 2014 15:27:16 +0100 (CET)
 +Date: Tue,  2 Dec 2014 15:27:16 +0100 (CET)
 +From: MAILER-DAEMON@nausch.org (Mail Delivery System)
 +Subject: Rueckgabe nicht zustellbarer Nachricht an Absender
 +To: n3rd@sec-mail.guru
 +Auto-Submitted:​ auto-replied
 +MIME-Version:​ 1.0
 +Content-Type:​ multipart/​report;​ report-type=delivery-status;​
 + boundary="​E5401C00088.1417530436/​mx01.nausch.org"​
 +Message-Id: <​20141202142716.B736EC0008A@mx01.nausch.org>​
 +
 +This is a MIME-encapsulated message.
 +
 +--E5401C00088.1417530436/​mx01.nausch.org
 +Content-Description:​ Notification
 +Content-Type:​ text/plain; charset=iso-8859-1
 +
 +Dies ist eine automatisch generierte Nachricht des Postfix E-Mail-Dienstes.
 +Dieser Dienst wird auf dem Server mx01.nausch.org betrieben und teilt Ihnen
 +folgendes mit:
 +
 +
 +    Ihre Nachricht konnte an einen oder mehrere Empfaenger nicht zugestellt
 +    werden. Ein Problem-Bericht,​ sowie Ihre uspruengliche Nachricht wurden an
 +    das Ende dieser Nachricht angehaengt.
 +
 +
 +Fuer weitere Hilfe kontaktieren Sie bitte den fuer Sie zustaendigen
 +<​postmaster>​.
 +
 +Senden Sie dazu den an diese E-Mail angefuegten Problem-Bericht mit.
 +Den Inhalt Ihrer urspruenglichen Nachricht koennen Sie - zum Schutz Ihrer
 +Privatsphaere - entfernen; er ist fuer eine Fehler-Diagnose nicht zwingend
 +notwendig.
 +
 +                   Der Postfix E-Mail-Dienst
 +
 +                        INTERNATIONAL VERSION
 +
 +This is the Postfix program at host mx01.nausch.org.
 +
 +I'm sorry to have to inform you that your message could not
 +be delivered to one or more recipients. It's attached below.
 +
 +For further assistance, please send mail to <​postmaster>​
 +
 +If you do so, please include this problem report. You can
 +delete your own text from the attached returned message.
 +
 +
 +<​django@nausch.org>:​ host 10.0.0.67[10.0.0.67] said: 554 5.7.0 Reject,
 +    id=15668-01 - spam (in reply to end of DATA command)
 +
 +--E5401C00088.1417530436/​mx01.nausch.org
 +Content-Description:​ Delivery report
 +Content-Type:​ message/​delivery-status
 +
 +Reporting-MTA:​ dns; mx01.nausch.org
 +X-Postfix-Queue-ID:​ E5401C00088
 +X-Postfix-Sender:​ rfc822; n3rd@sec-mail.guru
 +Arrival-Date:​ Tue,  2 Dec 2014 15:27:15 +0100 (CET)
 +
 +Final-Recipient:​ rfc822; django@nausch.org
 +Original-Recipient:​ rfc822;​django@nausch.org
 +Action: failed
 +Status: 5.7.0
 +Remote-MTA: dns; 10.0.0.67
 +Diagnostic-Code:​ smtp; 554 5.7.0 Reject, id=15668-01 - spam
 +
 +--E5401C00088.1417530436/​mx01.nausch.org
 +Content-Description:​ Undelivered Message
 +Content-Type:​ message/​rfc822
 +
 +Return-Path:​ <​n3rd@sec-mail.guru>​
 +Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87])
 + (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 + (No client certificate requested)
 + by mx01.nausch.org (Postfix) with ESMTPSA id E5401C00088
 + for <​django@nausch.org>;​ Tue,  2 Dec 2014 15:27:15 +0100 (CET)
 +Date: Tue, 02 Dec 2014 15:27:15 +0100
 +To: django@nausch.org
 +From: n3rd@sec-mail.guru
 +Subject: vierte Testnachricht SPAM auf Port 587
 +X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/​
 +X-Test: test eMail
 +Message-Id: <​20141202142715.E5401C00088@mx01.nausch.org>​
 +
 +Subject: Test spam mail (GTUBE)
 +Message-ID: <​GTUBE1.1010101@example.net>​
 +Date: Wed, 23 Jul 2003 23:30:00 +0200
 +From: Sender <​sender@example.net>​
 +To: Recipient <​recipient@example.net>​
 +Precedence: junk
 +MIME-Version:​ 1.0
 +Content-Type:​ text/plain; charset=us-ascii
 +Content-Transfer-Encoding:​ 7bit
 +
 +This is the GTUBE, the
 + Generic
 + Test for
 + Unsolicited
 + Bulk
 + Email
 +
 +If your spam filter supports it, the GTUBE provides a test by which you
 +can verify that the filter is installed correctly and is detecting incoming
 +spam. You can send yourself a test mail containing the following string of
 +characters (in upper case and with no white spaces and line breaks):
 +
 +XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
 +
 +You should send this test mail from an account outside of your network.
 +
 +
 +
 +
 +--E5401C00088.1417530436/​mx01.nausch.org--
 +</​code>​
 +
 +
 +==== Eicar-Testmail auf Port 25 (MTA zu MTA Verkehr) ====
 +
 +=== SMTP-Client (swaks) ===
 +Beim vorletzten Test unseres **AS/​AV**((**A**nti **S**pam/​**A**nti **V**irus))-Systems versuchen wir nun eine eMail mit einem Virus mit Hilfe von [[http://​www.jetmore.org/​john/​code/​swaks/​|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) an einen unserer eigenen Empfänger zu verschicken. ​
 +
 +Dazu laden wir uns erst einmal einen Testpattern [[http://​www.eicar.org/​download/​eicarcom2.zip|eicarcom2.zip]] von der [[http://​www.eicar.org/​86-0-Intended-use.html|EICAR-Webseite]] auf unseren Rechner.
 +   # curl -O http://​www.eicar.org/​download/​eicarcom2.zip
 +
 +Wir versuchen nun eine eMail zusammen mit dieser Testdatei zu versenden, zunächst auf Port **25**.
 +Diese Nachricht versuchen wir nun loszuschicken:​
 +   # swaks -t django@nausch.org --attach - --server 10.0.0.87 --suppress-data <​eicarcom2.zip --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header "​Subject:​ 5. Test-Testnachricht mit EICAR-Testdatei im Anhang auf Port 25"
 +
 +<​code>​=== Trying 10.0.0.87:​25...
 +=== Connected to 10.0.0.87.
 +<-  220 mx01.nausch.org ESMTP Postfix
 + -> EHLO vml000087.dmz.nausch.org
 +<-  250-mx01.nausch.org
 +<-  250-PIPELINING
 +<-  250-SIZE 52428800
 +<-  250-ETRN
 +<-  250-STARTTLS
 +<-  250-ENHANCEDSTATUSCODES
 +<-  250-8BITMIME
 +<-  250 DSN
 + -> STARTTLS
 +<-  220 2.0.0 Ready to start TLS
 +=== TLS started with cipher TLSv1.2:​ECDHE-RSA-AES256-GCM-SHA384:​256
 +=== TLS no local certificate set
 +=== TLS peer DN="/​serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/​OU=GT49447951/​OU=See www.rapidssl.com/​resources/​cps (c)13/​OU=Domain Control Validated - RapidSSL(R)/​CN=*.nausch.org"​
 + ~> EHLO vml000087.dmz.nausch.org
 +<~  250-mx01.nausch.org
 +<~  250-PIPELINING
 +<~  250-SIZE 52428800
 +<~  250-ETRN
 +<~  250-ENHANCEDSTATUSCODES
 +<~  250-8BITMIME
 +<~  250 DSN
 + ~> MAIL FROM:<​n3rd@sec-mail.guru>​
 +<~  250 2.1.0 Ok
 + ~> RCPT TO:<​django@nausch.org>​
 +<~  250 2.1.5 Ok
 + ~> DATA
 +<~  354 End data with <​CR><​LF>​.<​CR><​LF>​
 + ~> 29 lines sent
 +<~* 554 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature. Contact your postmaster/​admin for technical assistance. He can achieve our postmaster via email: postmaster@nausch.org or via fax: +49 8121 883179. In any case, please provide the following information in your problem report: This error message, time (Dec 02 17:26:50), client (10.0.0.87) and server (mx01.nausch.org).
 + ~> QUIT
 +<~  221 2.0.0 Bye
 +=== Connection closed with remote host.</​code>​
 +
 +Wie wir sehen können, hat der SMTP-Server die Annahme der Nachricht mit dem Fehlercode **554 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature.** verweigert. Zu dieser Fehlermeldung erhält der einliefernde SMTP-Client noch Informationen wie er sich ggf. mit uns in Verbindung setzen kann.
 +
 +=== SMTP-Server (Teil 1 von 2) ===
 +Im **Maillog** unseres Borderfilters sehen wir nun zu unserem gerade durchgeführten Versuch eine Mail mit einem Virus einzuliefern mehrere zusammenhängende Logeinträge. ​
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 17:26:49 vml000087 postfix/​smtpd[27815]:​ connect from vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 17:26:49 vml000087 postfix/​smtpd[27815]:​ Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]:​ TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (2
 +56/256 bits)
 +Dec  2 17:26:50 vml000087 postfix/​smtpd[27815]:​ 3339FC00088:​ client=vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 17:26:50 vml000087 postfix/​cleanup[27821]:​ 3339FC00088:​ message-id=<​20141202162650.3339FC00088@mx01.nausch.org>​
 +Dec  2 17:26:50 vml000087 postfix/​smtpd[27822]:​ connect from vml000067.dmz.nausch.org[10.0.0.67]
 +Dec  2 17:26:50 vml000087 postfix/​smtpd[27822]:​ 8250AC00089:​ client=vml000067.dmz.nausch.org[10.0.0.67]
 +Dec  2 17:26:50 vml000087 postfix/​cleanup[27823]:​ 8250AC00089:​ message-id=<​VRaCP3zN0_kicy@viruswall.dmz.nausch.org>​
 +Dec  2 17:26:50 vml000087 postfix/​qmgr[27247]:​ 8250AC00089:​ from=<​postmaster@nausch.org>,​ size=2289, nrcpt=1 (queue active)
 +Dec  2 17:26:50 vml000087 postfix/​cleanup[27821]:​ 3339FC00088:​ milter-reject:​ END-OF-MESSAGE from vml000087.dmz.nausch.org[10.0.0.87]:​ 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature;​ from=<​n3rd@sec-mail.guru>​ to=<​django@nausch.org>​ proto=ESMTP helo=<​vml000087.dmz.nausch.org>​
 +Dec  2 17:26:50 vml000087 postfix/​smtpd[27815]:​ disconnect from vml000087.dmz.nausch.org[10.0.0.87]
 +</​code>​
 +Zunächst sehen wir den TLS-Verbindungsaufbau und dem erfolglosen Einlieferungsversuch des MTA((**M**ail **T**ransport **A**gent))-Clients. Hier finden wie auch die **id=15809-01** wieder, die uns der AMaViS-Host genannt hat. Diesen können wir nun verwenden um auf dem AMaViS-Host im Maillog zu suchen um in Erfahrung zu bringen, warum die Nachricht abgeleht wurde.
 +
 +=== ASAV-Host ===
 +Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 17:26:50 vml000067 amavis[15809]:​ loaded policy bank "​AM.PDP-SOCK"​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ process_request:​ fileno sock=13, STDIN=0, STDOUT=1
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: request=AM.PDP
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: queue_id=3339FC00088
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: sender=<​n3rd@sec-mail.guru>​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: recipient=<​django@nausch.org>​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: tempdir=/​var/​spool/​amavisd/​tmp/​afXXXXRW5Vp3
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: tempdir_removed_by=client
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: mail_file=/​var/​spool/​amavisd/​tmp/​afXXXXRW5Vp3/​email.txt
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: delivery_care_of=client
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: client_address=10.0.0.87
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: client_name=vml000087.dmz.nausch.org
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: helo_name=vml000087.dmz.nausch.org
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ policy protocol: policy_bank=mx01.nausch.org
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) Request: AM.PDP ​ /​var/​spool/​amavisd/​tmp/​afXXXXRW5Vp3:​ <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) loaded policy bank "​MYNETS"​ over "​AM.PDP-SOCK"​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) body hash: ca2e97181bfa35cf2924c8de9332cafe
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) ip_trace: 10.0.0.87
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) Checking: aCP3zN0_kicy AM.PDP-SOCK/​MYNETS [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) 2822.From: <​n3rd@sec-mail.guru>​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) p003 1 Content-Type:​ multipart/​mixed
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) p001 1/1 Content-Type:​ text/plain, size: 22 B, name:
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) p002 1/2 Content-Type:​ application/​octet-stream,​ size: 308 B, name:
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) inspect_dsn:​ not a bounce
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) Checking for banned types and filenames
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) collect banned table[0]: django@nausch.org,​ tables:
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) p.path django@nausch.org:​ "​P=p003,​L=1,​M=multipart/​mixed | P=p001,​L=1/​1,​M=text/​plain,​T=asc"​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) p.path django@nausch.org:​ "​P=p003,​L=1,​M=multipart/​mixed | P=p002,​L=1/​2,​M=application/​octet-stream,​T=zip | P=p004,​L=1/​2/​1,​T=zip,​N=eicar_com.zip | P=p005,​L=1/​2/​1/​1,​T=asc,​N=eicar.com"​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) presenting full original message to scanners as /​var/​spool/​amavisd/​tmp/​afXXXXRW5Vp3/​parts/​p006
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) run_av Using (ClamAV-clamd):​ (code) CONTSCAN /​var/​spool/​amavisd/​tmp/​afXXXXRW5Vp3/​parts\n
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) ClamAV-clamd:​ Connecting to socket ​ /​var/​run/​clamd.amavisd/​clamd.sock
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) new socket by IO::​Socket::​UNIX to /​var/​run/​clamd.amavisd/​clamd.sock,​ timeout 10
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) ClamAV-clamd:​ Sending CONTSCAN /​var/​spool/​amavisd/​tmp/​afXXXXRW5Vp3/​parts\n to socket /​var/​run/​clamd.amavisd/​clamd.sock
 +Dec  2 17:26:50 vml000067 clamd[1278]:​ /​var/​spool/​amavisd/​tmp/​afXXXXRW5Vp3/​parts/​p006:​ Eicar-Test-Signature FOUND
 +Dec  2 17:26:50 vml000067 clamd[1278]:​ /​var/​spool/​amavisd/​tmp/​afXXXXRW5Vp3/​parts/​p005:​ Eicar-Test-Signature FOUND
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) rw_loop read: got eof
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) run_av (ClamAV-clamd):​ /​var/​spool/​amavisd/​tmp/​afXXXXRW5Vp3/​parts INFECTED: Eicar-Test-Signature,​ Eicar-Test-Signature
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) virus_scan: (Eicar-Test-Signature),​ detected by 1 scanners: ClamAV-clamd
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) Virus Eicar-Test-Signature matches (constant:​1),​ sender addr ignored
 +</​code>​
 +
 +Es wurde also die **Eicar-Test-Signature** in der Nachricht gefunden! Im **Maillog** des AMaViS-Servers sehen wir nun nachfolgend,​ dass der Daemon die entsprechende Notification eMail an den definierten Bearbeiter verschicken wird. 
 +    # less /​var/​log/​maillog
 +
 +<​code>​ec ​ 2 17:26:50 vml000067 amavis[15809]:​ (15809-01) blocking contents category is (9) for django@nausch.org,​ final_destiny -3
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) do_notify_and_quar:​ ccat=Virus (9,0) ("​9":​Virus,​ "​1,​1":​CleanTag,​ "​1":​Clean,​ "​0":​CatchAll) ccat_block=(9),​ qar_mth=
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) dkim: candidate originators:​ From:<​postmaster@nausch.org>​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) dkim: signing (author), From: <​postmaster@nausch.org>​ (From:<​postmaster@nausch.org>​),​ KEY.h=>​sha256,​ KEY.key_ind=>​1,​ a=>​rsa-sha256,​ c=>​relaxed/​simple,​ d=>​nausch.org,​ s=>​140224,​ ttl=>​1814400,​ x=>​1419352011
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp session: setting up a new session
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) new socket using IO::​Socket::​IP to [10.0.0.87]:​10025,​ timeout 35
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 51.7 ms
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp cmd> EHLO viruswall.dmz.nausch.org
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) AUTH not needed, user='',​ MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM'
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp cmd> MAIL FROM:<​postmaster@nausch.org>​ ENVID=AM.Ndh64tU7lUEd.20141202T162650Z@viruswall.dmz.nausch.org
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp cmd> RCPT TO:<​django@nausch.org>​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp cmd> DATA
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp resp to MAIL (pip): 250 2.1.0 Ok
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp resp to RCPT (pip) (<​django@nausch.org>​):​ 250 2.1.5 Ok
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp resp to DATA: 354 End data with <​CR><​LF>​.<​CR><​LF>​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) smtp resp to data-dot (<​django@nausch.org>​):​ 250 2.0.0 Ok: queued as 8250AC00089,​ dt: 30.3 ms
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) Amavis::​Out::​SMTP::​Session close, keeping connection
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) Ndh64tU7lUEd(aCP3zN0_kicy) SEND from <​postmaster@nausch.org>​ -> <​django@nausch.org>,​ ENVID=AM.Ndh64tU7lUEd.20141202T162650Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:​[10.0.0.87]:​10025):​ 250 2.0.0 Ok: queued as 8250AC00089
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) delivery method is 1, recips: django@nausch.org
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) DSN: sender is credible (orig), SA: 0.000, <​n3rd@sec-mail.guru>​
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) status counters: InMsgsStatus{Rejected,​RejectedInternal,​RejectedOriginating}
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) Blocked INFECTED (Eicar-Test-Signature) {RejectedInternal},​ AM.PDP-SOCK/​MYNETS LOCAL [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>,​ Queue-ID: 3339FC00088,​ Message-ID: <​20141202162650.3339FC00088@mx01.nausch.org>,​ mail_id: aCP3zN0_kicy,​ Hits: -, size: 1282, 309 ms
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) mail checking ended: version_server=2\nlog_id=15809-01\nsetreply=554 5.7.0 Reject,​%20id=15809-01%20-%20INFECTED:​%20Eicar-Test-Signature\nreturn_value=reject\nexit_code=69
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) size: 1282, TIMING [total 321 ms] - got data: 0.0 (0%)0, check_init: 6 (2%)2, digest_hdr: 2.0 (1%)2, digest_body_dkim:​ 0.5 (0%)3, collect_info:​ 2.3 (1%)3, mkdir parts: 4.6 (1%)5, mime_decode:​ 14 (5%)9, get-file-type2:​ 18 (6%)15, ren1-unl0-files1:​ 25 (8%)23, decompose_part:​ 0.3 (0%)23, get-file-type1:​ 9 (3%)25, ren1-unl0-files1:​ 23 (7%)32, decompose_part:​ 0.3 (0%)32, get-file-type1:​ 13 (4%)37, parts_decode:​ 0.1 (0%)37, check_header:​ 0.5 (0%)37, AV-scan-1: 12 (4%)41, read_snmp_variables:​ 0.9 (0%)41, decide_mail_destiny:​ 2.5 (1%)42, notif-quar: 0.6 (0%)42, write-header:​ 20 (6%)48, fwd-data-dkim:​ 33 (10%)58, fwd-connect:​ 55 (17%)76, fwd-mail-pip:​ 21 (7%)82, fwd-rcpt-pip:​ 0.3 (0%)82, fwd-data-chkpnt:​ 0.1 (0%)82, write-header:​ 0.4 (0%)82, fwd-data-contents:​ 1.0 (0%)83, fwd-end-chkpnt:​ 31 (10%)92, prepare-dsn:​ 2.0 (1%)93, report: 1.7 (1%)94, main_log_entry:​ 9 (3%)96, update_snmp:​ 10 (3%)99, rundown: 2.2 (1%)100
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) extra modules loaded: unicore/​lib/​Gc/​Nd.pl
 +Dec  2 17:26:50 vml000067 amavis[15809]:​ (15809-01) load: 100 %, total idle 0.000 s, busy 0.354 s
 +</​code>​
 +
 +=== SMTP-Server (Teil 2 von 2) ===
 +Im **Maillog** unseres Borderfilters sehen wir nun also als nächstes den Eingang dieser Notification-eMail an den definierten Empfänger.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 17:26:50 vml000087 postfix/​lmtp[27824]:​ 8250AC00089:​ to=<​django@nausch.org>,​ relay=10.0.0.77[10.0.0.77]:​24,​ delay=0.2, delays=0.05/​0.03/​0.02/​0.1,​ dsn=2.0.0, status=sent (250 2.0.0 <​django@nausch.org>​ HpapJErofVSPSgAArK2B9Q Saved)
 +Dec  2 17:26:50 vml000087 postfix/​qmgr[27247]:​ 8250AC00089:​ removed
 +</​code>​
 +
 +=== MUA (Empfänger der Notification Mail) ===
 +Wie schon angeschnitten erhält der verantwortliche Admin des Servers mit der Addresse **virusalert@nausch.org** eine Nachricht mit dem Detail des Versuches eine SPAM-Mail zu verschicken.
 +
 +<​code>​Return-Path:​ <​postmaster@nausch.org>​
 +Delivered-To:​ django@nausch.org
 +Received: from mx01.nausch.org ([10.0.0.87])
 + by imap.nausch.org (Dovecot) with LMTP id HpapJErofVSPSgAArK2B9Q
 + for <​django@nausch.org>;​ Tue, 02 Dec 2014 17:26:50 +0100
 +Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67])
 + by mx01.nausch.org (Postfix) with ESMTP id 8250AC00089
 + for <​django@nausch.org>;​ Tue,  2 Dec 2014 17:26:50 +0100 (CET)
 +DKIM-Signature:​ v=1; a=rsa-sha256;​ c=relaxed/​simple;​ d=nausch.org;​ h=
 + content-transfer-encoding:​content-disposition:​content-type
 + :​content-type:​message-id:​subject:​subject:​date:​date:​from:​from
 + :​mime-version;​ s=140224; t=1417537610;​ x=1419352011;​ bh=tVt05RIQ
 + Bpj4qmzmNJoEPHHj22aTtLu2THUwcwoCsls=;​ b=Tc7gljO5SN9Y4X1yxVbiC4IH
 + szuBz2F49Mdzyx48m2VfA0mKMi1EmnT1D5QOs2tYdElBc35le8T3kLD9TfVheonI
 + XtwGnJKfUycJEQ/​nwrNWPaYXrJZXjGK08TmQ08WoIg9+uH1G2SqzAeWhMKND3+K8
 + lEunOg/​CmMKoJElhvp3X0k2TnSTXvPSsK1+Nvrhs1zcJzd5SSKka1eseyvnlYRB0
 + AWu8oties5VOEIM601gt2T7tBbKEFj9KMpZHiapeNGpu6UoddkvfY779Vs0DfLvj
 + WX/​VLK6WNrE+qb0wjmisR1hW5+RaXFcAMRtFT/​5vXhryfjLjP0RQOCPyheLrjBux
 + 1w5KfXJEmqeb1efZ9MZTfp4SrS90wcXbJRicSt+vzYmsOcB9rXj+hO5JJf7Uj/​ag
 + dP4ngXl+BvI2drOf33hjKrFynTVdpEMF8gLH/​qYaydLf0h8lh0v4U9py7kvZRHfy
 + BXhF0en2YdcoIaof2ZMOxD17VLZtkouUaqDT6UxLyr60KHMS7Fx9+NeSEUjI7zTH
 + DobySVImu63dS8j3XTzFu8pFKthAod6dD2FgW2NuM00BTECEaZeDxp7CY7nuXmcg
 + pxpsoPuJYV12Y+1os+DW53ZuaLMEtsoJLQC7VF91oXkgJTk0PIaeB1FPQjOGudvd
 + QfnZYUFETGcNRt1SAd0=
 +MIME-Version:​ 1.0
 +From: Postmaster <​postmaster@nausch.org>​
 +Date: Tue,  2 Dec 2014 17:26:50 +0100 (CET)
 +Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from <​n3rd@sec-mail.guru>​
 +To: django@nausch.org
 +Message-ID: <​VRaCP3zN0_kicy@viruswall.dmz.nausch.org>​
 +Content-Type:​ text/plain; charset="​UTF-8"​
 +Content-Disposition:​ inline
 +Content-Transfer-Encoding:​ 7bit
 +
 +VIRUS ALERT
 +
 +Our content checker found
 +    virus: Eicar-Test-Signature
 +
 +in an email to you from probably faked sender:
 +  ​
 +claiming to be: <​n3rd@sec-mail.guru>​
 +
 +Content type: Virus
 +Our internal reference code for your message is 15809-01/​aCP3zN0_kicy
 +
 +First upstream SMTP client IP address: [10.0.0.87] vml000087.dmz.nausch.org
 +Received from: 10.0.0.87
 +
 +Return-Path:​ <​n3rd@sec-mail.guru>​
 +From: n3rd@sec-mail.guru
 +Message-ID: <​20141202162650.3339FC00088@mx01.nausch.org>​
 +X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/​
 +Subject: 5. Test-Testnachricht mit EICAR-Testdatei im Anhang auf Port 25
 +Not quarantined.
 +
 +Please contact your system administrator for details.
 +</​code>​
 +
 +
 +==== Eicar-Testmail auf Port 587 (MUA zu MSA Verkehr) ====
 +Zum Abschluss unserer Testreihe überprüfen wir, ob wir die EICAR-Testsignatur als authentifizierten User von einem **MUA**((**M**ail **U**ser **A**gent)) beim **MSA**((**M**ail **S**ubmission **A**gent)) erfolgreich einliefern können.
 +
 +=== SMTP-Client (swaks) ===
 +Die bereits heruntergeladene EICAR-Testmail versuchen wir nun mit mit Hilfe von [[http://​www.jetmore.org/​john/​code/​swaks/​|Swaks]]((**S**wiss **A**rmy **K**nife for **S**MTP)) an einen unserer eigenen Empfänger zu verschicken. ​
 +   # swaks -t django@nausch.org --attach - --server 10.0.0.87 --suppress-data <​eicarcom2.zip --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header "​Subject:​ 6. und letzter Test-Testnachricht mit EICAR-Testdatei im Anhang auf Port 25" --auth NTLM --auth-user n3rd@sec-mail.guru --auth-password Dj4n90-d3r-M41153rv3rguru! --body gtube.txt
 +
 +<​code>​=== Trying 10.0.0.87:​587...
 +=== Connected to 10.0.0.87.
 +<-  220 mx01.nausch.org ESMTP Postfix
 + -> EHLO vml000087.dmz.nausch.org
 +<-  250-mx01.nausch.org
 +<-  250-PIPELINING
 +<-  250-SIZE 52428800
 +<-  250-ETRN
 +<-  250-STARTTLS
 +<-  250-ENHANCEDSTATUSCODES
 +<-  250-8BITMIME
 +<-  250 DSN
 + -> STARTTLS
 +<-  220 2.0.0 Ready to start TLS
 +=== TLS started with cipher TLSv1.2:​ECDHE-RSA-AES256-GCM-SHA384:​256
 +=== TLS no local certificate set
 +=== TLS peer DN="/​serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/​OU=GT49447951/​OU=See www.rapidssl.com/​resources/​cps (c)13/​OU=Domain Control Validated - RapidSSL(R)/​CN=*.nausch.org"​
 + ~> EHLO vml000087.dmz.nausch.org
 +<~  250-mx01.nausch.org
 +<~  250-PIPELINING
 +<~  250-SIZE 52428800
 +<~  250-ETRN
 +<~  250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
 +<~  250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM
 +<~  250-ENHANCEDSTATUSCODES
 +<~  250-8BITMIME
 +<~  250 DSN
 + ~> AUTH NTLM
 +<~  334 
 + ~> TlRUMTVNTUAABAAAABU6IAAAAAAAAAAAAAAAAAAAAAAAA=
 +<~  334 UTlRMTVNTUAADUAAAAGAAYAEAAAAAYABUgAWAAAADAAMABwAAAAJAAkAKAAAAAkACQAxAAAAAAAAACoAAAABUQKCABKUTbcHiUVToxqvguZXpp6jgnmGYJ9jDa0UoXqDbxiyz+V1xFp8hFH2sd3yaZl/​qjY3YAbQBsADUAAMAAwADAANwA3AC4AZABtAHoALUgBuAGEAdQBzAGMUAaAAuAG8AcgBnAG4AMwByAGQAQABzAGUAYwAtAG0AYQBpAGwALgBnAHUAcgB1AG4AMwByAGQAQABzAGUAYwAtAG0UAYQBpAGwALgBnAHUAcgB1AA==
 +<~  235 2.7.0 Authentication successful
 + ~> MAIL FROM:<​n3rd@sec-mail.guru>​
 +<~  250 2.1.0 Ok
 + ~> RCPT TO:<​django@nausch.org>​
 +<~  250 2.1.5 Ok
 + ~> DATA
 +<~  354 End data with <​CR><​LF>​.<​CR><​LF>​
 + ~> 55 lines sent
 +<~  250 2.0.0 Ok: queued as 82EB5C00088
 + ~> QUIT
 +<~  221 2.0.0 Bye
 +=== Connection closed with remote host.
 +</​code>​
 +
 +Wie auch schon bei vorhergehenden GTUBE-Test wird dem authentifizierten User die Nachricht abgenommen und mit einem **250**er bestätigt. Auch hier ist das Verhalten legitim und erklärbar, haben wir doch bei der Konfiguration explizit angegeben, dass wir Nachrichten von authentifizierten Nutzern sofort anzunehmen und erst im zweiten Schritt scannen wollen. Genau das machte unser AMaViS-Server auch.
 +
 +Den genauen Ablauf dazu, sehen wir uns nun im Detail an.
 +
 +=== SMTP-Server (Teil 1 von 2) ===
 +Im **Maillog** unseres Borderfilters sehen wir nun zu unserem gerade durchgeführten Versuch mehrere zusammenhängende Logeinträge.
 +   # less /​var/​log/​maillog
 +
 +Zunächst sehen wir den TLS-Verbindungsaufbau,​ gefolgt von der erfolgreichen Authentifizierung unseres Users und die Entgegennahme der eMail vom MSA((**M**ail **S**ubmission **A**gent)).
 +<​code>​Dec ​ 2 18:14:17 vml000087 postfix/​submission/​smtpd[27873]:​ connect from vml000087.dmz.nausch.org[10.0.0.87]
 +Dec  2 18:14:17 vml000087 postfix/​submission/​smtpd[27873]:​ Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]:​ TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 +Dec  2 18:14:17 vml000087 postfix/​submission/​smtpd[27873]:​ 82EB5C00088:​ client=vml000087.dmz.nausch.org[10.0.0.87],​ sasl_method=NTLM,​ sasl_username=n3rd@sec-mail.guru
 +Dec  2 18:14:17 vml000087 postfix/​cleanup[27878]:​ 82EB5C00088:​ message-id=<​20141202171417.82EB5C00088@mx01.nausch.org>​
 +Dec  2 18:14:17 vml000087 postfix/​qmgr[27247]:​ 82EB5C00088:​ from=<​n3rd@sec-mail.guru>,​ size=2213, nrcpt=1 (queue active)
 +Dec  2 18:14:17 vml000087 postfix/​submission/​smtpd[27873]:​ disconnect from vml000087.dmz.nausch.org[10.0.0.87]
 +</​code>​
 +
 +
 +=== ASAV-Host ===
 +Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.
 +
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 18:14:17 vml000067 amavis[15810]:​ loaded policy bank "​ORIGINATING"​
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ process_request:​ fileno sock=13, STDIN=0, STDOUT=1
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) ESMTP:​[10.0.0.67]:​10024 /​var/​spool/​amavisd/​tmp/​amavis-20141202T181417-15810-limsNKq3:​ <​n3rd@sec-mail.guru>​ -> <​django@nausch.
 +org> Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new,​ port 10024) with ESMTP for <​django@nausch.org>​
 +; Tue,  2 Dec 2014 18:14:17 +0100 (CET)
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) body hash: d54368018a0d3ca16ae3f56772551bae
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) ip_trace: 10.0.0.87
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) client IP address unknown, fetched from Received: 10.0.0.87
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) Checking: uj-7SfJU0v_M ORIGINATING [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>​
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) 2822.From: <​n3rd@sec-mail.guru>​
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) p003 1 Content-Type:​ multipart/​mixed
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) p001 1/1 Content-Type:​ text/plain, size: 799 B, name:
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) p002 1/2 Content-Type:​ application/​octet-stream,​ size: 308 B, name:
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) inspect_dsn:​ not a bounce
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) Checking for banned types and filenames
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) skipping banned check: all recipients bypass banned checks
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) presenting full original message to scanners as /​var/​spool/​amavisd/​tmp/​amavis-20141202T181417-15810-limsNKq3/​parts/​p006
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) run_av Using (ClamAV-clamd):​ (code) CONTSCAN /​var/​spool/​amavisd/​tmp/​amavis-20141202T181417-15810-limsNKq3/​parts\n
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) ClamAV-clamd:​ Connecting to socket ​ /​var/​run/​clamd.amavisd/​clamd.sock
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) new socket by IO::​Socket::​UNIX to /​var/​run/​clamd.amavisd/​clamd.sock,​ timeout 10
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) ClamAV-clamd:​ Sending CONTSCAN /​var/​spool/​amavisd/​tmp/​amavis-20141202T181417-15810-limsNKq3/​parts\n to socket /​var/​run/​clamd.
 +amavisd/​clamd.sock
 +Dec  2 18:14:17 vml000067 clamd[1278]:​ /​var/​spool/​amavisd/​tmp/​amavis-20141202T181417-15810-limsNKq3/​parts/​p006:​ Eicar-Test-Signature FOUND
 +Dec  2 18:14:17 vml000067 clamd[1278]:​ /​var/​spool/​amavisd/​tmp/​amavis-20141202T181417-15810-limsNKq3/​parts/​p005:​ Eicar-Test-Signature FOUND
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) rw_loop read: got eof
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) run_av (ClamAV-clamd):​ /​var/​spool/​amavisd/​tmp/​amavis-20141202T181417-15810-limsNKq3/​parts INFECTED: Eicar-Test-Signature,​ Eic
 +ar-Test-Signature
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) virus_scan: (Eicar-Test-Signature),​ detected by 1 scanners: ClamAV-clamd
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) Virus Eicar-Test-Signature matches (constant:​1),​ sender addr ignored
 +</​code>​
 +
 +Der Virenscanner hat also die Eicar-Test-Signatur in der Nachricht entdeckt, die Nachricht wird also nicht zugestellt!
 +
 +<WRAP center round important>​
 +Gemäß unserer Konfiguration erhält der der Empfänger **virusalert@nausch.org** eine Nachricht von **postmaster@nausch.org** mit dem Details zu der Virenmail-Mail. Der Postmaster kann so reagieren und mit dem authentifizierten Mailbox-Nutzer Kontakt aufnehmen und diesen ggf. darauf hinweisen, dass er versucht hatte einen Virus zu verschicken.
 +</​WRAP>​
 +
 +Im Maillog des AMaViS-Servers sehen wir nun, dass der Daemon die entsprechende Nachricht an den definierten Bearbeiter verschicken wird.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 18:14:17 vml000067 amavis[15810]:​ (15810-01) blocking contents category is (9) for django@nausch.org,​ final_destiny 0
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) do_notify_and_quar:​ ccat=Virus (9,0) ("​9":​Virus,​ "​1,​1":​CleanTag,​ "​1":​Clean,​ "​0":​CatchAll) ccat_block=(9),​ qar_mth=
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) dkim: candidate originators:​ From:<​postmaster@nausch.org>​
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) dkim: signing (author), From: <​postmaster@nausch.org>​ (From:<​postmaster@nausch.org>​),​ KEY.h=>​sha256,​ KEY.key_ind=>​1,​ a=>rsa-s
 +ha256, c=>​relaxed/​simple,​ d=>​nausch.org,​ s=>​140224,​ ttl=>​1814400,​ x=>​1419354858
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp session: setting up a new session
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) new socket using IO::​Socket::​IP to [10.0.0.87]:​10025,​ timeout 35
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 64.7 ms
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp cmd> EHLO viruswall.dmz.nausch.org
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) AUTH not needed, user='',​ MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM'
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp cmd> MAIL FROM:<​postmaster@nausch.org>​ ENVID=AM.MtEXZuZdm5qb.20141202T171417Z@viruswall.dmz.nausch.org
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp cmd> RCPT TO:<​virusalert@nausch.org>​
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp cmd> DATA
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp resp to MAIL (pip): 250 2.1.0 Ok
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp resp to RCPT (pip) (<​virusalert@nausch.org>​):​ 250 2.1.5 Ok
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp resp to DATA: 354 End data with <​CR><​LF>​.<​CR><​LF>​
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) smtp resp to data-dot (<​virusalert@nausch.org>​):​ 250 2.0.0 Ok: queued as E5434C00089,​ dt: 33.0 ms
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) Amavis::​Out::​SMTP::​Session close, keeping connection
 +Dec  2 18:14:17 vml000067 amavis[15810]:​ (15810-01) MtEXZuZdm5qb(uj-7SfJU0v_M) SEND from <​postmaster@nausch.org>​ -> <​virusalert@nausch.org>,​ ENVID=AM.MtEXZuZdm5qb.20141202T171417Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:​[10.0.0.87]:​10025):​ 250 2.0.0 Ok: queued as E5434C00089
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) dkim: candidate originators:​ From:<​postmaster@nausch.org>​
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) dkim: signing (author), From: <​postmaster@nausch.org>​ (From:<​postmaster@nausch.org>​),​ KEY.h=>​sha256,​ KEY.key_ind=>​1,​ a=>​rsa-sha256,​ c=>​relaxed/​simple,​ d=>​nausch.org,​ s=>​140224,​ ttl=>​1814400,​ x=>​1419354858
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) smtp session reuse (smtp:​[10.0.0.87]:​10025),​ 1 transactions so far
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) smtp session most likely still valid (short idle 0.1 s)
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) AUTH not needed, user='',​ MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM'
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) smtp cmd> MAIL FROM:<​postmaster@nausch.org>​ ENVID=AM.IKpCZDv4QKL3.20141202T171418Z@viruswall.dmz.nausch.org
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) smtp cmd> RCPT TO:<​django@nausch.org>​
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) smtp cmd> DATA
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) smtp resp to MAIL (pip): 250 2.1.0 Ok
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) smtp resp to RCPT (pip) (<​django@nausch.org>​):​ 250 2.1.5 Ok
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) smtp resp to DATA: 354 End data with <​CR><​LF>​.<​CR><​LF>​
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) smtp resp to data-dot (<​django@nausch.org>​):​ 250 2.0.0 Ok: queued as 11605C00089,​ dt: 22.2 ms
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) Amavis::​Out::​SMTP::​Session close, keeping connection
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) IKpCZDv4QKL3(uj-7SfJU0v_M) SEND from <​postmaster@nausch.org>​ -> <​django@nausch.org>,​ ENVID=AM.IKpCZDv4QKL3.20141202T171418Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:​[10.0.0.87]:​10025):​ 250 2.0.0 Ok: queued as 11605C00089
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) delivery method is 1, recips: django@nausch.org
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) DSN: sender is credible (orig), SA: 0.000, <​n3rd@sec-mail.guru>​
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) status counters: InMsgsStatus{Discarded,​DiscardedInternal,​DiscardedOriginating}
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInternal},​ ORIGINATING LOCAL [10.0.0.87] <​n3rd@sec-mail.guru>​ -> <​django@nausch.org>,​ Message-ID: <​20141202171417.82EB5C00088@mx01.nausch.org>,​ mail_id: uj-7SfJU0v_M,​ Hits: -, size: 2213, 501 ms
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) sending SMTP response: "250 2.7.0 Ok, discarded, id=15810-01 - INFECTED: Eicar-Test-Signature"​
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) size: 2213, TIMING [total 507 ms] - SMTP greeting: 8 (2%)2, SMTP EHLO: 2.6 (1%)2, SMTP pre-MAIL: 0.8 (0%)2, mkdir tempdir: 1.6 (0%)3, create email.txt: 0.3 (0%)3, SMTP pre-DATA-flush:​ 4.3 (1%)3, SMTP DATA: 42 (8%)12, check_init: 1.2 (0%)12, digest_hdr: 1.9 (0%)12, digest_body_dkim:​ 0.5 (0%)12, collect_info:​ 2.5 (0%)13, mkdir parts: 1.8 (0%)13, mime_decode:​ 15 (3%)16, get-file-type2:​ 19 (4%)20, ren1-unl0-files1:​ 25 (5%)25, decompose_part:​ 0.3 (0%)25, get-file-type1:​ 8 (2%)27, ren1-unl0-files1:​ 22 (4%)31, decompose_part:​ 0.3 (0%)31, get-file-type1:​ 13 (3%)34, parts_decode:​ 0.2 (0%)34, check_header:​ 0.5 (0%)34, AV-scan-1: 14 (3%)37, read_snmp_variables:​ 0.9 (0%)37, decide_mail_destiny:​ 2.6 (1%)37, notif-quar: 0.5 (0%)37, write-header:​ 20 (4%)41, fwd-data-dkim:​ 35 (7%)48, fwd-connect:​ 78 (15%)64, fwd-mail-pip:​ 11 (2%)66, fwd-rcpt-pip:​ 1.3 (0%)66, fwd-data-chkpnt:​ 0.2 (0%)66, write-header:​ 0.5 (0%)66, fwd-data-contents:​ 2.2 (0%)67, fwd-end-chkpnt:​ 35 (7%)74...
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) ..., write-header:​ 32 (6%)80, fwd-data-dkim:​ 52 (10%)90, fwd-connect:​ 1.0 (0%)91, fwd-mail-pip:​ 6 (1%)92, fwd-rcpt-pip:​ 0.2 (0%)92, fwd-data-chkpnt:​ 0.0 (0%)92, write-header:​ 0.4 (0%)92, fwd-data-contents:​ 2.2 (0%)92, fwd-end-chkpnt:​ 24 (5%)97, prepare-dsn:​ 1.6 (0%)97, report: 1.9 (0%)98, main_log_entry:​ 4.7 (1%)99, update_snmp:​ 5 (1%)100, SMTP pre-response:​ 0.3 (0%)100, SMTP response: 0.3 (0%)100, unlink-3-files:​ 0.2 (0%)100, rundown: 0.7 (0%)100
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) extra modules loaded: unicore/​lib/​Gc/​Nd.pl
 +Dec  2 18:14:18 vml000067 amavis[15810]:​ (15810-01) load: 100 %, total idle 0.002 s, busy 0.510 s
 +</​code>​
 +
 +=== SMTP-Server (Teil 2 von 2) ===
 +Im **Maillog** unseres Borderfilters sehen wir nun also als nächstes den Eingang dieser Notification-eMail an den definierten Empfänger.
 +   # less /​var/​log/​maillog
 +
 +<​code>​Dec ​ 2 18:14:17 vml000087 postfix/​smtpd[27880]:​ connect from vml000067.dmz.nausch.org[10.0.0.67]
 +Dec  2 18:14:17 vml000087 postfix/​smtpd[27880]:​ E5434C00089:​ client=vml000067.dmz.nausch.org[10.0.0.67]
 +Dec  2 18:14:17 vml000087 postfix/​cleanup[27878]:​ E5434C00089:​ message-id=<​VAuj-7SfJU0v_M@viruswall.dmz.nausch.org>​
 +Dec  2 18:14:17 vml000087 postfix/​qmgr[27247]:​ E5434C00089:​ from=<​postmaster@nausch.org>,​ size=3536, nrcpt=1 (queue active)
 +Dec  2 18:14:18 vml000087 postfix/​lmtp[27881]:​ E5434C00089:​ to=<​django@nausch.org>,​ orig_to=<​virusalert@nausch.org>,​ relay=10.0.0.77[10.0.0.77]:​24,​ delay=0.11, delays=0.04/​0.03/​0/​0.05,​ dsn=2.0.0, status=sent (250 2.0.0 <​django@nausch.org>​ +kkIHTLzfVSXTwAArK2B9Q Saved)
 +Dec  2 18:14:18 vml000087 postfix/​qmgr[27247]:​ E5434C00089:​ removed
 +Dec  2 18:14:18 vml000087 postfix/​smtpd[27880]:​ 11605C00089:​ client=vml000067.dmz.nausch.org[10.0.0.67]
 +Dec  2 18:14:18 vml000087 postfix/​cleanup[27878]:​ 11605C00089:​ message-id=<​VRuj-7SfJU0v_M@viruswall.dmz.nausch.org>​
 +Dec  2 18:14:18 vml000087 postfix/​qmgr[27247]:​ 11605C00089:​ from=<​postmaster@nausch.org>,​ size=2280, nrcpt=1 (queue active)
 +Dec  2 18:14:18 vml000087 postfix/​smtp[27879]:​ 82EB5C00088:​ to=<​django@nausch.org>,​ relay=10.0.0.67[10.0.0.67]:​10024,​ delay=0.59, delays=0.05/​0.03/​0.01/​0.5,​ dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=15810-01 - INFECTED: Eicar-Test-Signature)
 +Dec  2 18:14:18 vml000087 postfix/​qmgr[27247]:​ 82EB5C00088:​ removed
 +Dec  2 18:14:18 vml000087 postfix/​lmtp[27881]:​ 11605C00089:​ to=<​django@nausch.org>,​ relay=10.0.0.77[10.0.0.77]:​24,​ delay=0.13, delays=0.03/​0/​0/​0.1,​ dsn=2.0.0, status=sent (250 2.0.0 <​django@nausch.org>​ /​kkIHTLzfVSXTwAArK2B9Q Saved)
 +Dec  2 18:14:18 vml000087 postfix/​qmgr[27247]:​ 11605C00089:​ removed
 +</​code>​
 +
 +=== MUA (Empfänger der Notification Mail) ===
 +Wie schon angeschnitten erhält der verantwortliche Admin des Servers mit der Addresse **virusalert@nausch.org** eine Nachricht mit dem Detail des Versuches eine SPAM-Mail zu verschicken.
 +
 +<​code>​Return-Path:​ <​postmaster@nausch.org>​
 +Delivered-To:​ django@nausch.org
 +Received: from mx01.nausch.org ([10.0.0.87])
 + by imap.nausch.org (Dovecot) with LMTP id /​kkIHTLzfVSXTwAArK2B9Q
 + for <​django@nausch.org>;​ Tue, 02 Dec 2014 18:14:18 +0100
 +Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67])
 + by mx01.nausch.org (Postfix) with ESMTP id 11605C00089
 + for <​django@nausch.org>;​ Tue,  2 Dec 2014 18:14:18 +0100 (CET)
 +DKIM-Signature:​ v=1; a=rsa-sha256;​ c=relaxed/​simple;​ d=nausch.org;​ h=
 + content-transfer-encoding:​content-disposition:​content-type
 + :​content-type:​message-id:​subject:​subject:​date:​date:​from:​from
 + :​mime-version;​ s=140224; t=1417540457;​ x=1419354858;​ bh=mFctWodC
 + oPn36vNDqRoivIeBgUX0G0lRWQSp8HGIA6A=;​ b=eIeO/​pgpVbysZ5j6Myoz281/​
 + XX8lxTCdzecXPxva+XoERso6WO4fN2r+ATj9R1DDrW4F/​Q0e0jYfszbWHx6JU6kd
 + 3XBPe6mYWqbbz/​MDbXOG6cBBQ6v1SLuF98RPpwIAH8DuYDqyURMZS3zPJQT5LM7J
 + glfWWvj9qa+WU8KJSgICO8VLjNyxj/​ibG9i3OOmiLmGlEd4VpxuGa8E8DYaLtrmt
 + nGQS6rzuBqkBIbrDGdXlEU3JjRQStAp+sto+xnGj0tufa/​NYE57+Gap7tgWEK0cs
 + gpwjoHs2sTBsRmW17mkyfmR+iA3DQr8qZKvtKhpGxWD8L3lARLNuwod6XMCldPMY
 + 6jKzohNbBasgl9eApl2BckMVeB0I3uHHpU/​ypgjJQPePsS/​JfhmBJC97d4MBTa+2
 + 8dZ86FBWL6z2pS2SYfBP3+gE9al11r1iGQI233wWZAsGMbOYC9XjJl/​g5/​dyOwVF
 + YbUYSQfEqR0HN+/​cXEXiaQ0yLEj36mFn42EtyBT/​vufRRmN52bhNFONofaCD7W9A
 + OuBuaw5jLUJBKq7OoHeNjimEJglPIX53gxSIsW89ZBUhL64BnYYurCPzNoJ8GhLF
 + 0ILaxukNAzqQJY3aoP5zkKOAWLDet9NpwdHOYnsyHPcMv0+dmistSfktNlWUNy3M
 + v+PuSR8FGh6/​10vRHsI=
 +MIME-Version:​ 1.0
 +From: Postmaster <​postmaster@nausch.org>​
 +Date: Tue,  2 Dec 2014 18:14:17 +0100 (CET)
 +Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from <​n3rd@sec-mail.guru>​
 +To: django@nausch.org
 +Message-ID: <​VRuj-7SfJU0v_M@viruswall.dmz.nausch.org>​
 +Content-Type:​ text/plain; charset="​UTF-8"​
 +Content-Disposition:​ inline
 +Content-Transfer-Encoding:​ 7bit
 +
 +VIRUS ALERT
 +
 +Our content checker found
 +    virus: Eicar-Test-Signature
 +
 +in an email to you from probably faked sender:
 +  ​
 +claiming to be: <​n3rd@sec-mail.guru>​
 +
 +Content type: Virus
 +Our internal reference code for your message is 15810-01/​uj-7SfJU0v_M
 +
 +First upstream SMTP client IP address: [10.0.0.87] ​
 +Received from: 10.0.0.87
 +
 +Return-Path:​ <​n3rd@sec-mail.guru>​
 +From: n3rd@sec-mail.guru
 +Message-ID: <​20141202171417.82EB5C00088@mx01.nausch.org>​
 +X-Mailer: swaks v20130209.0 jetmore.org/​john/​code/​swaks/​
 +Subject: 6. und letzter Test-Testnachricht mit EICAR-Testdatei im Anhang auf
 +  Port 25
 +Not quarantined.
 +
 +Please contact your system administrator for details.
 +</​code>​
 +
 +====== Links ======
 +  * **⇐ [[centos:​mail_c7:​spam_5|Zurück zum Kapitel "​Header und Bodychecks mit Postfix 2.11.3 unter CentOS 7.x"​]]**
 +  * **⇒ [[centos:​mail_c7:​spam_7|Weiter zum Kapitel "​ClamAV für AMaViS unter CentOS 7.x"​]]**
 +  * **[[centos:​mail_c7:​start|Zurück zum Kapitel >>​Mailserverinstallation unter CentOS 7<<​]]**
 +  * **[[wiki:​start|Zurück zu >>​Projekte und Themenkapitel<<​]]**
 +  * **[[http://​dokuwiki.nausch.org/​doku.php/​|Zurück zur Startseite]]**
 +