Differences
This shows the differences between two versions of the page.
— | centos:mail_c7:spam_6 [22.07.2019 15:02. ] (current) – External edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Basic installation of AMaViS on CentOS 7.x ====== | ||
+ | {{: | ||
+ | |||
+ | <WRAP round important> | ||
+ | |||
+ | Many of the design and configuration suggestions come from an individual training session at **" | ||
+ | |||
+ | </ | ||
+ | |||
+ | ===== Basics ===== | ||
+ | When defining the [[centos: | ||
+ | * **Stage 1** : use of [[centos: | ||
+ | * **Stage 2** : use of [[centos: | ||
+ | * **Stage 3** : integration and use of [[|SpamAssassin]] and [[|ClamAV]] with the help of [[http:// | ||
+ | |||
+ | The following sketch illustrates the basic flow and how AMaViS is integrated. | ||
+ | |||
+ | {{page> | ||
+ | |||
+ | In our e-mail workflow AMaViS really only controls the flow: it accepts the e-mail from the AMaViS milter and passes it on to the backend systems: | ||
+ | * **PACKER** for unpacking file attachments | ||
+ | * **Virus scanner** for checking the e-mail and its contents for malicious code; in our case this is handled by the free project **ClamAV** | ||
+ | * **SpamAssassin** for checking the e-mail for unwanted content (SPAM and UCE) | ||
+ | AMaViS then reports the status back to the milter, which in turn handles the communication towards the SMTP daemon. | ||
+ | |||
+ | ===== Installation ===== | ||
+ | ==== amavisd-milter ==== | ||
+ | Since for the " | ||
+ | # yum install amavisd-milter -y | ||
+ | |||
+ | Here too we can display what the package copied into our system. | ||
+ | # rpm -qil amavisd-milter | ||
+ | |||
+ | < | ||
+ | Version | ||
+ | Release | ||
+ | Architecture: | ||
+ | Install Date: Mon 17 Nov 2014 11:22:52 AM CET | ||
+ | Group : System Environment/ | ||
+ | Size : 72981 | ||
+ | License | ||
+ | Signature | ||
+ | Source RPM : amavisd-milter-1.6.0-5.el7.centos.src.rpm | ||
+ | Build Date : Mon 17 Nov 2014 11:13:23 AM CET | ||
+ | Build Host : vml000200.dmz.nausch.org | ||
+ | Relocations : (not relocatable) | ||
+ | Packager | ||
+ | Vendor | ||
+ | URL : http:// | ||
+ | Summary | ||
+ | Description : | ||
+ | amavisd-milter is a milter (mail filter) for amavisd-new 2.4.3 and above which uses the AM.PDP protocol. | ||
+ | It has been tested to work with mail servers sendmail 8.13+ and postfix 2.9+ | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | ==== amavisd ==== | ||
+ | First we install the package **amavisd-new** from the **[[centos: | ||
+ | # yum install amavisd-new -y | ||
+ | |||
+ | If needed, the following command shows us everything the package brought with it. | ||
+ | # rpm -qil amavisd-new | ||
+ | |||
+ | < | ||
+ | Version | ||
+ | Release | ||
+ | Architecture: | ||
+ | Install Date: Mon 17 Nov 2014 11:48:23 AM CET | ||
+ | Group : Applications/ | ||
+ | Size : 3105963 | ||
+ | License | ||
+ | Signature | ||
+ | Source RPM : amavisd-new-2.9.1-5.el7.src.rpm | ||
+ | Build Date : Wed 20 Aug 2014 03:26:15 PM CEST | ||
+ | Build Host : buildvm-24.phx2.fedoraproject.org | ||
+ | Relocations : (not relocatable) | ||
+ | Packager | ||
+ | Vendor | ||
+ | URL : http:// | ||
+ | Summary | ||
+ | Description : | ||
+ | amavisd-new is a high-performance and reliable interface between mailer | ||
+ | (MTA) and one or more content checkers: virus scanners, and/ | ||
+ | Mail:: | ||
+ | reliability, | ||
+ | or LMTP, or by using helper programs. No timing gaps exist in the design | ||
+ | which could cause a mail loss. | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | ===== Configuration ===== | ||
+ | ==== amavisd-milter ==== | ||
+ | The milter is configured via its configuration file **amavisd-milter.conf** in the directory // | ||
+ | # vim / | ||
+ | <file bash / | ||
+ | AMAVIS_USER=amavis | ||
+ | |||
+ | # Set working directory (default / | ||
+ | # Django : 2014-11-21 | ||
+ | # default: WORKING_DIRECTORY=/ | ||
+ | WORKING_DIRECTORY=/ | ||
+ | |||
+ | # | ||
+ | # / | ||
+ | # | ||
+ | # | ||
+ | # The socket should be in " | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # Django : 2014-11-18 | ||
+ | # default: SOCKET=/ | ||
+ | SOCKET=inet: | ||
+ | |||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # The socket should be in " | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | AMAVISD_SOCKET=/ | ||
+ | |||
+ | # Use this pid file (default / | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # | ||
+ | # entry in amavisd.conf. | ||
+ | MAX_CONNECTIONS=5 | ||
+ | |||
+ | # | ||
+ | # 5 minutes). | ||
+ | # | ||
+ | # | ||
+ | # qmail 20 minutes. | ||
+ | MAX_WAIT=300 | ||
+ | |||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # all milters. | ||
+ | MAILDAEMON_TIMEOUT=600 | ||
+ | |||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # value as sendmail connection timeout. | ||
+ | AMAVISD_TIMEOUT=600 | ||
+ | </ | ||
+ | The parameters are sufficiently documented in the configuration file itself. Only for the parameter **MAX_CONNECTIONS** must you make sure that the value entered there is the same as the one for the parameter **max_servers** in the // | ||
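The rule that **MAX_CONNECTIONS** in amavisd-milter.conf must match **$max_servers** in amavisd.conf is easy to forget after one of the two files is edited, so it is worth checking mechanically. The following POSIX shell snippet is an added example and is not part of the original article or of the amavisd-new/amavisd-milter projects; the function names are my own, the two sample configuration files it writes into a temporary directory are constructed for the demonstration, and the real file paths mentioned in the comments are assumptions you must adapt to your installation.

```shell
#!/bin/sh
# Added example: verify that MAX_CONNECTIONS in amavisd-milter.conf equals
# $max_servers in amavisd.conf, as the article requires.
# All file contents below are constructed samples, not the page's own files.

# Print the value of MAX_CONNECTIONS from an amavisd-milter.conf-style file.
# Comment lines (including "# default: MAX_CONNECTIONS=...") are ignored and
# the last real assignment wins, which is how the shell itself reads the file.
milter_max_connections() {
    grep -E '^[[:space:]]*MAX_CONNECTIONS=' "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*"?([0-9]+)"?.*/\1/'
}

# Print the value of $max_servers from an amavisd.conf-style Perl file.
amavisd_max_servers() {
    grep -E '^[[:space:]]*\$max_servers[[:space:]]*=' "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*([0-9]+).*/\1/'
}

# Compare both values; print them and return 0 only when both are present
# and equal. A mismatch means the milter may open more connections than
# amavisd has pre-forked children to serve them (or leaves children idle).
check_milter_vs_amavisd() {
    m=$(milter_max_connections "$1")
    a=$(amavisd_max_servers "$2")
    echo "MAX_CONNECTIONS=${m:-unset} max_servers=${a:-unset}"
    [ -n "$m" ] && [ -n "$a" ] && [ "$m" = "$a" ]
}

# Constructed sample configuration files in a temporary directory.
TMP=$(mktemp -d)
cat > "$TMP/amavisd-milter.conf" <<'EOF'
# default: MAX_CONNECTIONS=2
MAX_CONNECTIONS=5
EOF
cat > "$TMP/amavisd.conf.ok" <<'EOF'
$max_servers = 5;   # num of pre-forked children (2..30 is common), -m
EOF
cat > "$TMP/amavisd.conf.bad" <<'EOF'
$max_servers = 2;   # num of pre-forked children (2..30 is common), -m
EOF

# Usage: on a real system point the function at your milter configuration
# (e.g. /path/to/amavisd-milter.conf) and your amavisd.conf (assumed paths;
# check where your distribution places them).
check_milter_vs_amavisd "$TMP/amavisd-milter.conf" "$TMP/amavisd.conf.ok" \
    && echo "consistent" || echo "MISMATCH: align MAX_CONNECTIONS and max_servers"
check_milter_vs_amavisd "$TMP/amavisd-milter.conf" "$TMP/amavisd.conf.bad" \
    && echo "consistent" || echo "MISMATCH: align MAX_CONNECTIONS and max_servers"
```

The check only reads the last uncommented assignment of each variable, so a commented-out "default:" line such as the one the article's amavisd-milter.conf carries does not confuse it; run it after every change to either file, or from the same script that restarts the two daemons.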
+ | |||
+ | |||
+ | ==== amavisd ==== | ||
+ | The original configuration file from the RPM already contains all the essential options needed to run the AMaViS server. Anyone who does not want or need to edit the file every day (and that is rarely necessary) tends to search through it and stumble over one spot or another in the configuration file. | ||
+ | |||
+ | === Original configuration file === | ||
+ | Let's simply take a look at the file. | ||
+ | # less / | ||
+ | <file perl / | ||
+ | |||
+ | # a minimalistic configuration file for amavisd-new with all necessary settings | ||
+ | # | ||
+ | # see amavisd.conf-default for a list of all variables with their defaults; | ||
+ | # for more details see documentation in INSTALL, README_FILES/ | ||
+ | # and at http:// | ||
+ | |||
+ | |||
+ | # COMMONLY ADJUSTED SETTINGS: | ||
+ | |||
+ | # @bypass_virus_checks_maps = (1); # controls running of anti-virus code | ||
+ | # @bypass_spam_checks_maps | ||
+ | # $bypass_decode_parts = 1; # controls running of decoders& | ||
+ | |||
+ | $max_servers = 2; # num of pre-forked children (2..30 is common), -m | ||
+ | $daemon_user | ||
+ | $daemon_group = ' | ||
+ | |||
+ | $mydomain = ' | ||
+ | |||
+ | $MYHOME = '/ | ||
+ | $TEMPBASE = " | ||
+ | $ENV{TMPDIR} = $TEMPBASE; | ||
+ | $QUARANTINEDIR = undef; | ||
+ | # $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine | ||
+ | # $release_format = ' | ||
+ | # $report_format | ||
+ | |||
+ | # $daemon_chroot_dir = $MYHOME; | ||
+ | |||
+ | $db_home | ||
+ | # $helpers_home = " | ||
+ | $lock_file = "/ | ||
+ | $pid_file | ||
+ | #NOTE: create directories $MYHOME/ | ||
+ | |||
+ | $log_level = 0; # verbosity 0..5, -d | ||
+ | $log_recip_templ = undef; | ||
+ | $do_syslog = 1; # log via syslogd (preferred) | ||
+ | $syslog_facility = ' | ||
+ | # e.g.: mail, daemon, user, local0, ... local7 | ||
+ | |||
+ | $enable_db = 1; # enable use of BerkeleyDB/ | ||
+ | # $enable_zmq = 1; # enable use of ZeroMQ (SNMP and nanny) | ||
+ | $nanny_details_level = 2; # nanny verbosity: 1: traditional, | ||
+ | $enable_dkim_verification = 1; # enable DKIM signatures verification | ||
+ | $enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key | ||
+ | |||
+ | @local_domains_maps = ( [" | ||
+ | |||
+ | @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 | ||
+ | 10.0.0.0/8 172.16.0.0/ | ||
+ | |||
+ | $unix_socketname = " | ||
+ | # option(s) -p overrides $inet_socket_port and $unix_socketname | ||
+ | |||
+ | $inet_socket_port = 10024; | ||
+ | # $inet_socket_port = [10024, | ||
+ | |||
+ | $policy_bank{' | ||
+ | originating => 1, # is true in MYNETS by default, but let's make it explicit | ||
+ | os_fingerprint_method => undef, | ||
+ | }; | ||
+ | |||
+ | # it is up to MTA to re-route mail from authenticated roaming users or | ||
+ | # from internal hosts to a dedicated TCP port (such as 10026) for filtering | ||
+ | $interface_policy{' | ||
+ | |||
+ | $policy_bank{' | ||
+ | originating => 1, # declare that mail was submitted by our smtp client | ||
+ | allow_disclaimers => 1, # enables disclaimer insertion if available | ||
+ | # notify administrator of locally originating malware | ||
+ | virus_admin_maps => [" | ||
+ | spam_admin_maps | ||
+ | warnbadhsender | ||
+ | # forward to a smtpd service providing DKIM signing service | ||
+ | forward_method => ' | ||
+ | # force MTA conversion to 7-bit (e.g. before DKIM signing) | ||
+ | smtpd_discard_ehlo_keywords => [' | ||
+ | bypass_banned_checks_maps => [1], # allow sending any file names and types | ||
+ | terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option | ||
+ | }; | ||
+ | |||
+ | $interface_policy{' | ||
+ | |||
+ | # Use with amavis-release over a socket or with Petr Rehor' | ||
+ | # (with amavis-milter.c from this package or old amavis.c client use ' | ||
+ | $policy_bank{' | ||
+ | protocol => ' | ||
+ | auth_required_release => 0, # do not require secret_id for amavisd-release | ||
+ | }; | ||
+ | |||
+ | $sa_tag_level_deflt | ||
+ | $sa_tag2_level_deflt = 6.2; # add 'spam detected' | ||
+ | $sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail) | ||
+ | $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent | ||
+ | $sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From | ||
+ | # $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off | ||
+ | $penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database) | ||
+ | $penpals_threshold_high = $sa_kill_level_deflt; | ||
+ | $bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces | ||
+ | |||
+ | $sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger | ||
+ | $sa_local_tests_only = 0; # only tests which do not require internet access? | ||
+ | |||
+ | # @lookup_sql_dsn = | ||
+ | # ( [' | ||
+ | # | ||
+ | # | ||
+ | # @storage_sql_dsn = @lookup_sql_dsn; | ||
+ | # @storage_redis_dsn = ( {server=>' | ||
+ | # $redis_logging_key = ' | ||
+ | # $redis_logging_queue_size_limit = 300000; | ||
+ | |||
+ | # $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP; | ||
+ | # | ||
+ | |||
+ | $virus_admin | ||
+ | |||
+ | $mailfrom_notify_admin | ||
+ | $mailfrom_notify_recip | ||
+ | $mailfrom_notify_spamadmin = undef; | ||
+ | $mailfrom_to_quarantine = ''; | ||
+ | |||
+ | @addr_extension_virus_maps | ||
+ | @addr_extension_banned_maps | ||
+ | @addr_extension_spam_maps | ||
+ | @addr_extension_bad_header_maps = (' | ||
+ | # $recipient_delimiter = ' | ||
+ | # when enabling addr extensions do also Postfix/ | ||
+ | |||
+ | $path = '/ | ||
+ | # $dspam = ' | ||
+ | |||
+ | $MAXLEVELS = 14; | ||
+ | $MAXFILES = 3000; | ||
+ | $MIN_EXPANSION_QUOTA = 100*1024; | ||
+ | $MAX_EXPANSION_QUOTA = 500*1024*1024; | ||
+ | |||
+ | $sa_spam_subject_tag = ' | ||
+ | $defang_virus | ||
+ | $defang_banned = 1; # MIME-wrap passed mail containing banned name | ||
+ | # for defanging bad headers only turn on certain minor contents categories: | ||
+ | $defang_by_ccat{CC_BADH.", | ||
+ | $defang_by_ccat{CC_BADH.", | ||
+ | $defang_by_ccat{CC_BADH.", | ||
+ | |||
+ | |||
+ | # OTHER MORE COMMON SETTINGS (defaults may suffice): | ||
+ | |||
+ | # $myhostname = ' | ||
+ | |||
+ | # $notify_method | ||
+ | # $forward_method = ' | ||
+ | |||
+ | $final_virus_destiny | ||
+ | $final_banned_destiny | ||
+ | $final_spam_destiny | ||
+ | $final_bad_header_destiny = D_BOUNCE; | ||
+ | # $bad_header_quarantine_method = undef; | ||
+ | |||
+ | # $os_fingerprint_method = ' | ||
+ | |||
+ | ## hierarchy by which a final setting is chosen: | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | |||
+ | |||
+ | # SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all) | ||
+ | |||
+ | # $warnbadhsender, | ||
+ | # $warnvirusrecip, | ||
+ | # | ||
+ | # @bypass_virus_checks_maps, | ||
+ | # @bypass_banned_checks_maps, | ||
+ | # | ||
+ | # @virus_lovers_maps, | ||
+ | # @banned_files_lovers_maps, | ||
+ | # | ||
+ | # @blacklist_sender_maps, | ||
+ | # | ||
+ | # $clean_quarantine_method, | ||
+ | # $bad_header_quarantine_to, | ||
+ | # | ||
+ | # $defang_bad_header, | ||
+ | |||
+ | |||
+ | # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS | ||
+ | |||
+ | @keep_decoded_original_maps = (new_RE( | ||
+ | qr' | ||
+ | qr' | ||
+ | qr' | ||
+ | # qr' | ||
+ | )); | ||
+ | |||
+ | |||
+ | $banned_filename_re = new_RE( | ||
+ | |||
+ | ### BLOCKED ANYWHERE | ||
+ | # qr' | ||
+ | qr' | ||
+ | # qr' | ||
+ | |||
+ | ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: | ||
+ | # [ qr' | ||
+ | [ qr' | ||
+ | |||
+ | qr' | ||
+ | # qr' | ||
+ | |||
+ | ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: | ||
+ | # [ qr' | ||
+ | |||
+ | qr' | ||
+ | qr' | ||
+ | qr' | ||
+ | |||
+ | # qr' | ||
+ | # qr' | ||
+ | |||
+ | # qr' | ||
+ | # qr' | ||
+ | |||
+ | # block certain double extensions in filenames | ||
+ | qr' | ||
+ | |||
+ | # qr' | ||
+ | # qr' | ||
+ | |||
+ | qr' | ||
+ | # qr' | ||
+ | # qr' | ||
+ | # inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| | ||
+ | # msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd| | ||
+ | # wmf|wsc|wsf|wsh)$' | ||
+ | # qr' | ||
+ | # qr' | ||
+ | # qr' | ||
+ | # qr' | ||
+ | ); | ||
+ | # See http:// | ||
+ | # and http:// | ||
+ | |||
+ | |||
+ | # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING | ||
+ | |||
+ | @score_sender_maps = ({ # a by-recipient hash lookup table, | ||
+ | # results from all matching recipient tables are summed | ||
+ | |||
+ | # ## per-recipient personal tables | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | |||
+ | ## site-wide opinions about senders (the ' | ||
+ | ' | ||
+ | |||
+ | | ||
+ | [qr' | ||
+ | [qr' | ||
+ | [qr' | ||
+ | [qr' | ||
+ | [qr' | ||
+ | [qr' | ||
+ | [qr' | ||
+ | | ||
+ | |||
+ | # read_hash("/ | ||
+ | |||
+ | { # a hash-type lookup table (associative array) | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | | ||
+ | | ||
+ | |||
+ | # soft-blacklisting (positive score) | ||
+ | ' | ||
+ | ' | ||
+ | |||
+ | }, | ||
+ | ], # end of site-wide tables | ||
+ | }); | ||
+ | |||
+ | |||
+ | @decoders = ( | ||
+ | [' | ||
+ | # [[qw(asc uue hqx ync)], \& | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | | ||
+ | [' | ||
+ | | ||
+ | 'lzma -dc', ' | ||
+ | [' | ||
+ | | ||
+ | [' | ||
+ | [' | ||
+ | [[' | ||
+ | # ['/ | ||
+ | [' | ||
+ | # [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | # [' | ||
+ | [' | ||
+ | # [' | ||
+ | [' | ||
+ | # [' | ||
+ | # [' | ||
+ | [[' | ||
+ | [[' | ||
+ | [' | ||
+ | [[qw(7z zip gz bz2 Z tar)], | ||
+ | | ||
+ | [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], | ||
+ | | ||
+ | [' | ||
+ | ); | ||
+ | |||
+ | |||
+ | @av_scanners = ( | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # | ||
+ | # # or: [" | ||
+ | # | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | |||
+ | # [' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # settings for the SAVAPI3.conf: | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | \& | ||
+ | qr/\bOK$/m, qr/ | ||
+ | qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], | ||
+ | # NOTE: run clamd under the same user as amavisd - or run it under its own | ||
+ | # uid such as clamav, add user clamav to the amavis group, and then add | ||
+ | # | ||
+ | # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in | ||
+ | # this entry; when running chrooted one may prefer a socket under $MYHOME. | ||
+ | |||
+ | # ### http:// | ||
+ | # # note that Mail:: | ||
+ | # [' | ||
+ | # [0], [1], qr/ | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # ### http:// | ||
+ | # ['AVG Anti-Virus', | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # | ||
+ | # pack(' | ||
+ | # pack(' | ||
+ | # length(" | ||
+ | # ' | ||
+ | # pack(' | ||
+ | # pack(' | ||
+ | # '/ | ||
+ | # # '/ | ||
+ | # # '/ | ||
+ | # # ' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ], | ||
+ | # # NOTE: If using amavis-milter, | ||
+ | # # length(" | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | ['/ | ||
+ | '/ | ||
+ | '-p / | ||
+ | [0,3,6,8], qr/ | ||
+ | qr/ | ||
+ | ], | ||
+ | # NOTE: one may prefer [0], | ||
+ | # currupted or protected archives are to be handled | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | '-* -P -B -Y -O- {}', [0,3,6,8], [2, | ||
+ | qr/ | ||
+ | sub {chdir('/ | ||
+ | sub {chdir($TEMPBASE) or die " | ||
+ | ], | ||
+ | |||
+ | ### The kavdaemon and AVPDaemonClient have been removed from Kasperky | ||
+ | ### products and replaced by aveserver and aveclient | ||
+ | [' | ||
+ | [ '/ | ||
+ | '/ | ||
+ | '/ | ||
+ | '/ | ||
+ | " | ||
+ | # change the startup-script in / | ||
+ | # | ||
+ | # (or perhaps: | ||
+ | # adjusting /var/amavis above to match your $TEMPBASE. | ||
+ | # The ' | ||
+ | # can find, read, and write its pid file, etc., see 'man kavdaemon' | ||
+ | # defUnix.prf: | ||
+ | # | ||
+ | # cd / | ||
+ | # cp AvpDaemonClient / | ||
+ | # su - vscan -c " | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | [' | ||
+ | "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". | ||
+ | " | ||
+ | [0,3], [1, | ||
+ | qr/(?x)^\s* (?: | ||
+ | # Adjust the path of the binary and the virus database as needed. | ||
+ | # ' | ||
+ | # the quarantine directory, and the quarantine option can not be disabled. | ||
+ | # If $QUARANTINEDIR is not used, then another directory must be specified | ||
+ | # to appease ' | ||
+ | # protected files are to be considered infected. | ||
+ | |||
+ | ### http:// | ||
+ | ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus | ||
+ | [' | ||
+ | ' | ||
+ | qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | | ||
+ | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s' | ||
+ | # NOTE: if you only have a demo version, remove -z and add 214, as in: | ||
+ | # ' | ||
+ | |||
+ | ### http:// | ||
+ | ### Avira for UNIX 3.x | ||
+ | [' | ||
+ | ' | ||
+ | | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | '-all -archive -packed {}', [50], [51,52,53], | ||
+ | qr/ | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | ' | ||
+ | qr/^Files Infected: | ||
+ | qr/ | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | ' | ||
+ | [0], qr/ | ||
+ | qr/ | ||
+ | # NOTE: check options and patterns to see which entry better applies | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # | ||
+ | # ' | ||
+ | # ' | ||
+ | # | ||
+ | # # NOTE: internal archive handling may be switched off by ' | ||
+ | # # | ||
+ | |||
+ | ### http:// | ||
+ | | ||
+ | ['/ | ||
+ | ' | ||
+ | ' | ||
+ | qr/ | ||
+ | # NOTE: internal archive handling may be switched off by ' | ||
+ | # to prevent fsav from exiting with status 9 on broken archives | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # ' | ||
+ | # | ||
+ | |||
+ | ['CAI InoculateIT', | ||
+ | '-sec -nex {}', [0], [100], | ||
+ | qr/was infected by virus (.+)/m ], | ||
+ | # see: http:// | ||
+ | |||
+ | ### http:// | ||
+ | ['CAI eTrust Antivirus', | ||
+ | '-arc -nex -spm h {}', [0], [101], | ||
+ | qr/is infected by virus: (.+)/m ], | ||
+ | # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer | ||
+ | # see http:// | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | '-s {}/*', [0], [1, | ||
+ | qr/--[ \t]*(.+)/m ], | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | '-s -q {}', [0], [1..7], | ||
+ | qr/^... (\S+)/m ], | ||
+ | |||
+ | # ### http:// | ||
+ | # ['ESET NOD32 for Linux Mail servers', | ||
+ | # | ||
+ | # ' | ||
+ | # '-w -a --action-on-infected=accept --action-on-uncleanable=accept ' | ||
+ | # ' | ||
+ | # | ||
+ | |||
+ | # ### http:// | ||
+ | # ['ESET NOD32 Linux Mail Server - command line interface', | ||
+ | # | ||
+ | # ' | ||
+ | |||
+ | # ### http:// | ||
+ | # ['ESET Software ESETS Command Line Interface', | ||
+ | # | ||
+ | # ' | ||
+ | |||
+ | ### http:// | ||
+ | ['ESET Software ESETS Command Line Interface', | ||
+ | ['/ | ||
+ | ' | ||
+ | qr/: | ||
+ | |||
+ | ## http:// | ||
+ | ['ESET NOD32 for Linux File servers', | ||
+ | ['/ | ||
+ | ' | ||
+ | '-w -a --action=1 -b {}', | ||
+ | [0], [1,10], qr/ | ||
+ | |||
+ | # Experimental, | ||
+ | # ['ESET Software NOD32 Client/ | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | '-c -l:0 -s -u -temp: | ||
+ | qr/(?i).* virus in .* -> \' | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | ['/ | ||
+ | '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', | ||
+ | qr/Number of files infected[ .]*: 0+(? | ||
+ | qr/Number of files infected[ .]*: 0*[1-9]/ | ||
+ | qr/Found virus :\s*(\S+)/m ], | ||
+ | # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' | ||
+ | # before starting amavisd - the bases are then loaded only once at startup. | ||
+ | # To reload bases in a signature update script: | ||
+ | # / | ||
+ | # Please review other options of pavcl, for example: | ||
+ | # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # ' | ||
+ | # [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], | ||
+ | # | ||
+ | |||
+ | # GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. | ||
+ | # Check your RAV license terms before fiddling with the following two lines! | ||
+ | # [' | ||
+ | # ' | ||
+ | # # NOTE: the command line switches changed with scan engine 8.5 ! | ||
+ | # # (btw, assigning stdin to /dev/null causes RAV to fail) | ||
+ | |||
+ | ### http:// | ||
+ | ['NAI McAfee AntiVirus (uvscan)', | ||
+ | ' | ||
+ | qr/(?x) Found (?: | ||
+ | \ the\ (.+)\ (?: | ||
+ | \ (?: | ||
+ | :\ (.+)\ NOT\ a\ virus)/ | ||
+ | # sub {$ENV{LD_PRELOAD}='/ | ||
+ | # sub {delete $ENV{LD_PRELOAD}}, | ||
+ | ], | ||
+ | # NOTE1: with RH9: force the dynamic linker to look at / | ||
+ | # anything else by setting environment variable LD_PRELOAD=/ | ||
+ | # and then clear it when finished to avoid confusing anything else. | ||
+ | # NOTE2: to treat encrypted files as viruses replace the [13] with: | ||
+ | # qr/ | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | "{} -ss -i ' | ||
+ | qr/: ' | ||
+ | # VirusBuster Ltd. does not support the daemon version for the workstation | ||
+ | # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of | ||
+ | # binaries, some parameters AND return codes have changed (from 3 to 1). | ||
+ | # See also the new Vexira entry ' | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # ' | ||
+ | # | ||
+ | # # HINT: for an infected file it always returns 3, | ||
+ | # # although the man-page tells a different story | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | ' | ||
+ | # sub {$ENV{VSTK_HOME}='/ | ||
+ | ], | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | '-a -i -n -t=A {}', [0], [1], qr/ | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | ' | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | ' | ||
+ | qr/ | ||
+ | qr/ | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | '--arc --mail {}', qr/ | ||
+ | qr/ | ||
+ | qr/ | ||
+ | # consider also: --all --nowarn --alev=15 --flev=15. | ||
+ | # not apply to your version of bdc, check documentation and see 'bdc --help' | ||
+ | |||
+ | ### ArcaVir for Linux and Unix http:// | ||
+ | [' | ||
+ | '-v 1 -summary 0 -s {}', [0], [1, | ||
+ | qr/ | ||
+ | |||
+ | # ### a generic SMTP-client interface to a SMTP-based virus scanner | ||
+ | # [' | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # [' | ||
+ | # use File::Scan; my($fn)=@_; | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # : ($vname ne '' | ||
+ | # | ||
+ | |||
+ | # ### fully-fledged checker for JPEG marker segments of invalid length | ||
+ | # [' | ||
+ | # sub { use JpegTester (); Amavis:: | ||
+ | # | ||
+ | # # NOTE: place file JpegTester.pm somewhere where Perl can find it, | ||
+ | # # for example in / | ||
+ | |||
+ | ); | ||
+ | |||
+ | |||
+ | @av_scanners_backup = ( | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | " | ||
+ | [0], qr/: | ||
+ | |||
+ | # ### http:// | ||
+ | # [' | ||
+ | # " | ||
+ | # [0], qr/: | ||
+ | |||
+ | # [' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | ' | ||
+ | [0, | ||
+ | qr/ | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | '-dumb -archive -packed {}', [0,8], [3, | ||
+ | qr/ | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ], | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | ['/ | ||
+ | ' | ||
+ | [0,32], [1,9,33], qr' infected (?: | ||
+ | |||
+ | ### http:// | ||
+ | | ||
+ | | ||
+ | '/ | ||
+ | '/ | ||
+ | ' | ||
+ | | ||
+ | # sub {chdir('/ | ||
+ | # sub {chdir($TEMPBASE) or die " | ||
+ | ], | ||
+ | |||
+ | ### http:// | ||
+ | [' | ||
+ | ['/ | ||
+ | '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. | ||
+ | ' | ||
+ | [0,2], qr/Virus .*? found/m, | ||
+ | qr/ | ||
+ | ], | ||
+ | # other options to consider: -idedir=/ | ||
+ | # A name ' | ||
+ | # Make sure the correct ' | ||
+ | |||
+ | # Always succeeds and considers mail clean. | ||
+ | # Potentially useful when all other scanners fail and it is desirable | ||
+ | # to let mail continue to flow with no virus checking (when uncommented). | ||
+ | # [' | ||
+ | |||
+ | ); | ||
+ | |||
+ | |||
+ | 1; # insure a defined return value | ||
+ | </ | ||
+ | |||
+ | Many parameters are scattered rather widely through the file, so their interdependencies are often not apparent at first glance. We will therefore, just as we did when configuring our **MTA**((**M**ail **T**ransport **A**gent)) [[centos: | ||
+ | |||
+ | So first we rename the configuration file originally shipped with the AMaViS daemon. | ||
+ | # mv / | ||
+ | |||
+ | Then we create a new file. | ||
+ | # touch / | ||
+ | |||
+ | To structure our own **amavisd.conf** we use the following header lines for each section. | ||
+ | ################################################################################ | ||
+ | ## < descriptive text > | ||
+ | # | ||
+ | |||
+ | Later we will structure the individual configuration options, | ||
+ | |||
+ | |||
+ | === Possible configuration parameter file === | ||
+ | If we want to get an overview before creating our own individual file, | ||
+ | # less / | ||
+ | |||
+ | <file perl / | ||
+ | |||
+ | ## A CONFIGURATION FILE FOR AMAVISD-NEW, | ||
+ | ## WITH THEIR DEFAULT VALUES (FOR REFERENCE ONLY, NON-AUTHORITATIVE) | ||
+ | |||
+ | ## This software is licensed under the GNU General Public License (GPL). | ||
+ | ## See comments at the start of file amavisd for the whole license text. | ||
+ | ## | ||
+ | |||
+ | ## The ' | ||
+ | ## default value if the config file left them undefined. It means these values | ||
+ | ## are not yet available during processing of the configuration file, but that | ||
+ | ## they can derive their value from other configurations variables no matter | ||
+ | ## where in the configuration file they appear. | ||
+ | |||
+ | |||
+ | ## GENERAL | ||
+ | |||
+ | # $myhostname = ... predefined default from uname(3), must be a FQDN | ||
+ | # $mydomain | ||
+ | # $snmp_contact | ||
+ | # $snmp_location = ''; | ||
+ | # $daemon_user | ||
+ | # $daemon_group | ||
+ | # $MYHOME | ||
+ | # $TEMPBASE | ||
+ | # $db_home | ||
+ | # $pid_file | ||
+ | # $lock_file | ||
+ | # $daemon_chroot_dir = undef; | ||
+ | # $max_requests = 20; # retire a child after that many accepts | ||
+ | # $max_servers = 2; # number of pre-forked children | ||
+ | # $min_servers | ||
+ | # $min_spare_servers = undef; | ||
+ | # $max_spare_servers = undef; | ||
+ | # $child_timeout = 8*60; | ||
+ | # $localpart_is_case_sensitive = 0; | ||
+ | # $enable_db = undef; | ||
+ | # $enable_zmq = undef; | ||
+ | # @zmq_sockets = ( " | ||
+ | # $nanny_details_level = 1; # verbosity: 0, 1, 2 | ||
+ | # @additional_perl_modules = (); | ||
+ | # @local_domains_maps=(\%local_domains, | ||
+ | # @mynetworks = qw( 127.0.0.0/8 [::1] 169.254.0.0/ | ||
+ | # | ||
+ | # @mynetworks_maps = (\@mynetworks); | ||
+ | # @client_ipaddr_policy = map { $_ => ' | ||
+ | |||
+ | |||
+ | ## LOGGING AND DEBUGGING | ||
+ | |||
+ | # $log_level = 0; | ||
+ | # $logfile = undef; | ||
+ | # $do_syslog = undef; | ||
+ | # $syslog_ident = ' | ||
+ | # $syslog_facility = ' | ||
+ | # $logline_maxlen = 980; | ||
+ | # enable_log_capture_dump = undef; | ||
+ | |||
+ | # $log_short_templ | ||
+ | # $log_verbose_templ ... built-in default at the end of file amavisd | ||
+ | # $log_recip_templ = ... built-in default at the end of file amavisd | ||
+ | # $log_templ = $log_short_templ; | ||
+ | |||
+ | # @debug_sender_acl = (); | ||
+ | # @debug_sender_maps = (\@debug_sender_acl); | ||
+ | # @debug_recipient_maps = (); | ||
+ | # $sa_debug = undef; | ||
+ | # $allow_preserving_evidence = 1; | ||
+ | |||
+ | |||
+ | ## DKIM VERIFICATION | ||
+ | |||
+ | # $enable_dkim_verification = undef; | ||
+ | # $reputation_factor = 0.2; | ||
+ | # @signer_reputation_maps = (); | ||
+ | # @author_to_policy_bank_maps = (); | ||
+ | # $dkim_minimum_key_bits = 1024; | ||
+ | # $myauthservid = $myhostname; | ||
+ | # $dkim_minimum_key_bits = 1024; | ||
+ | |||
+ | ## DKIM SIGNING | ||
+ | |||
+ | # $enable_dkim_signing = undef; | ||
+ | # %dkim_signing_keys = (); | ||
+ | # @dkim_signature_options_bysender_maps = (); | ||
+ | # $dkim_signing_service = undef; | ||
+ | # | ||
+ | # for (qw(Accept-Language Archived-At Auto-Submitted Content-Alternative | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # for (qw(From Date Subject Content-Type)) { $signed_header_fields{lc $_} = 2 } | ||
+ | |||
+ | |||
+ | ## MTA INTERFACE - INPUT | ||
+ | |||
+ | # @listen_sockets = ... $unix_socketname and $inet_socket_port are added here | ||
+ | # $unix_socketname | ||
+ | # $unix_socket_mode = undef; # sets sockets protection (numeric mode), or undef | ||
+ | # $inet_socket_port = undef; # accept connections on this TCP port(s) (SMTP...) | ||
+ | # $inet_socket_bind = [ ' | ||
+ | # | ||
+ | # | ||
+ | # @inet_acl = qw( 127.0.0.1 [::1] ); | ||
+ | # $listen_queue_size = undef; | ||
+ | |||
+ | # $protocol = ... defaults to ' | ||
+ | # | ||
+ | # | ||
+ | # and with appropriate patches applied also: ' | ||
+ | |||
+ | # $soft_bounce = undef; | ||
+ | # $smtpd_timeout = 8*60; | ||
+ | # $smtpd_recipient_limit = 1100; | ||
+ | # $smtpd_message_size_limit = undef; | ||
+ | # @message_size_limit_maps = (); # per-recipient limits | ||
+ | # $smtpd_greeting_banner = ' | ||
+ | # $smtpd_quit_banner = ' | ||
+ | # $auth_required_inp = undef; | ||
+ | # $auth_required_release = 1; | ||
+ | # @auth_mech_avail=(); | ||
+ | # $tls_security_level_in = undef; | ||
+ | # $smtpd_tls_cert_file = undef; | ||
+ | # $smtpd_tls_key_file = undef; | ||
+ | # $smtp_connection_cache_on_demand = 1; | ||
+ | # $smtp_connection_cache_enable = 1; | ||
+ | # $enforce_smtpd_message_size_limit_64kb_min = 1; | ||
+ | # @smtpd_discard_ehlo_keywords = (); | ||
+ | |||
+ | |||
+ | ## MTA INTERFACE - OUTPUT | ||
+ | |||
+ | ## see also $notify_method, | ||
+ | |||
+ | # $localhost_name = ' | ||
+ | # $local_client_bind_address = undef; | ||
+ | # $auth_required_out = undef; | ||
+ | # $amavis_auth_user | ||
+ | # $amavis_auth_pass | ||
+ | # $auth_reauthenticate_forwarded = undef; # our credentials for forwarding too | ||
+ | # $tls_security_level_out = undef; | ||
+ | |||
+ | |||
+ | ## MAIL FORWARDING | ||
+ | |||
+ | # $forward_method = ' | ||
+ | # # or ' | ||
+ | # @forward_method_maps = ( sub { Opaque(c(' | ||
+ | # $resend_method = undef; | ||
+ | # $always_bcc = undef; | ||
+ | |||
+ | # $final_virus_destiny | ||
+ | # $final_banned_destiny = D_DISCARD; | ||
+ | # $final_spam_destiny | ||
+ | # $final_bad_header_destiny = D_PASS; | ||
+ | |||
+ | |||
+ | ## QUARANTINE | ||
+ | |||
+ | # $release_method = undef; | ||
+ | # $requeue_method = ' | ||
+ | # # or ' | ||
+ | # $release_format = ' | ||
+ | # $report_format | ||
+ | # $attachment_password = ''; | ||
+ | # $attachment_email_name = ' | ||
+ | # $attachment_outer_name = ' | ||
+ | |||
+ | # $virus_quarantine_method | ||
+ | # $spam_quarantine_method | ||
+ | # $banned_files_quarantine_method = ' | ||
+ | # $bad_header_quarantine_method | ||
+ | # $clean_quarantine_method | ||
+ | # $archive_quarantine_method = undef; | ||
+ | |||
+ | # $mail_id_size_bits = 72; | ||
+ | |||
+ | # $QUARANTINEDIR = undef; | ||
+ | # $quarantine_subdir_levels = undef; | ||
+ | # $sql_quarantine_chunksize_max; | ||
+ | |||
+ | # $virus_quarantine_to | ||
+ | # $banned_quarantine_to | ||
+ | # $bad_header_quarantine_to= ' | ||
+ | # $spam_quarantine_to | ||
+ | # $spam_quarantine_bysender_to = undef; | ||
+ | # $clean_quarantine_to | ||
+ | # $archive_quarantine_to | ||
+ | |||
+ | # @virus_quarantine_to_maps | ||
+ | # @banned_quarantine_to_maps | ||
+ | # @bad_header_quarantine_to_maps = (\$bad_header_quarantine_to); | ||
+ | # @spam_quarantine_to_maps | ||
+ | # @spam_quarantine_bysender_to_maps = (\$spam_quarantine_bysender_to); | ||
+ | # @clean_quarantine_to_maps | ||
+ | # @archive_quarantine_to_maps | ||
+ | |||
+ | # %local_delivery_aliases | ||
+ | # $mailfrom_to_quarantine = undef; | ||
+ | |||
+ | |||
+ | ## NOTIFICATIONS (DSN, admin, recip) | ||
+ | |||
+ | # $notify_method | ||
+ | # # or ' | ||
+ | |||
+ | # $propagate_dsn_if_possible = 1; | ||
+ | # $terminate_dsn_on_notify_success = 0; | ||
+ | |||
+ | # $newvirus_admin = undef; | ||
+ | # $virus_admin = undef; | ||
+ | # $spam_admin = undef; | ||
+ | # $banned_admin = undef; | ||
+ | # $bad_header_admin = undef; | ||
+ | |||
+ | # $dsn_bcc = undef; | ||
+ | |||
+ | # @newvirus_admin_maps | ||
+ | # @virus_admin_maps | ||
+ | # @banned_admin_maps | ||
+ | # @spam_admin_maps | ||
+ | # @bad_header_admin_maps = (\$bad_header_admin); | ||
+ | |||
+ | # $hdr_encoding = ' | ||
+ | # $bdy_encoding = ' | ||
+ | # $hdr_encoding_qb = ' | ||
+ | |||
+ | # $notify_sender_templ | ||
+ | # $notify_virus_sender_templ = ... built-in default at the end of file amavisd | ||
+ | # $notify_spam_sender_templ | ||
+ | # $notify_virus_admin_templ | ||
+ | # $notify_spam_admin_templ | ||
+ | # $notify_virus_recips_templ = ... built-in default at the end of file amavisd | ||
+ | # $notify_spam_recips_templ | ||
+ | # $notify_release_templ | ||
+ | # $notify_report_templ | ||
+ | |||
+ | # $mailfrom_notify_admin = undef; | ||
+ | # $mailfrom_notify_recip = undef; | ||
+ | # $mailfrom_notify_spamadmin = undef; | ||
+ | |||
+ | ## these are after-defaults: | ||
+ | # $hdrfrom_notify_sender = " | ||
+ | # $hdrfrom_notify_recip | ||
+ | # $hdrfrom_notify_admin | ||
+ | # $hdrfrom_notify_spamadmin = ... derived from $mailfrom_notify_spamadmin | ||
+ | # $hdrfrom_notify_release | ||
+ | # $hdrfrom_notify_report | ||
+ | |||
+ | # $warnbannedsender = undef; | ||
+ | # $warnbadhsender | ||
+ | |||
+ | # $warn_offsite | ||
+ | |||
+ | # $warnvirusrecip | ||
+ | # $warnbannedrecip | ||
+ | # $warnbadhrecip | ||
+ | # @warnvirusrecip_maps | ||
+ | # @warnbannedrecip_maps = (\$warnbannedrecip); | ||
+ | # @warnbadhrecip_maps | ||
+ | |||
+ | |||
+ | ## MODIFICATIONS TO PASSED MAIL | ||
+ | |||
+ | # %allowed_added_header_fields = ...; # built-in default | ||
+ | # %prefer_our_added_header_fields = ...; # built-in default | ||
+ | # $remove_existing_x_scanned_headers = 0; | ||
+ | # $remove_existing_spam_headers = 1; | ||
+ | # @remove_existing_spam_headers_maps = (\$remove_existing_spam_headers); | ||
+ | # $allow_fixing_improper_header = 1; # all-white folding lines and long lines | ||
+ | # $allow_fixing_improper_header_folding = 1; | ||
+ | # $allow_fixing_long_header_lines = 1; | ||
+ | # $prepend_header_fields_hdridx = 0; | ||
+ | |||
+ | # $X_HEADER_TAG | ||
+ | # $X_HEADER_LINE = " | ||
+ | |||
+ | # $defang_virus | ||
+ | # $defang_banned = undef; | ||
+ | # $defang_spam | ||
+ | # $defang_bad_header = undef; | ||
+ | # $defang_undecipherable = undef; | ||
+ | # $defang_all | ||
+ | |||
+ | # $allow_disclaimers = undef; | ||
+ | # $outbound_disclaimers_only = undef; | ||
+ | # $enable_anomy_sanitizer = 0; | ||
+ | # @anomy_sanitizer_args = (); # a config file or list of var=value pairs | ||
+ | # $altermime = ' | ||
+ | # @altermime_args_defang | ||
+ | # @altermime_args_disclaimer = qw(--disclaimer=/ | ||
+ | # @disclaimer_options_bysender_maps = (); | ||
+ | |||
+ | # $undecipherable_subject_tag = ' | ||
+ | # $sa_spam_subject_tag = undef; | ||
+ | # $sa_spam_level_char = ' | ||
+ | |||
+ | # @spam_subject_tag_maps | ||
+ | # @spam_subject_tag2_maps = (\$sa_spam_subject_tag); | ||
+ | # @spam_subject_tag3_maps = (); | ||
+ | |||
+ | |||
+ | ## ADDING ADDRESS EXTENSIONS TO RECIPIENTS - 'plus addressing' | ||
+ | |||
+ | # $recipient_delimiter = undef; | ||
+ | # $replace_existing_extension = 1; | ||
+ | # $addr_extension_virus | ||
+ | # $addr_extension_banned = undef; | ||
+ | # $addr_extension_spam | ||
+ | # $addr_extension_bad_header = undef; | ||
+ | # @addr_extension_virus_maps | ||
+ | # @addr_extension_banned_maps | ||
+ | # @addr_extension_spam_maps | ||
+ | # @addr_extension_bad_header_maps = (\$addr_extension_bad_header); | ||
+ | |||
+ | |||
+ | ## MAIL DECODING | ||
+ | |||
+ | # $bypass_decode_parts = undef; | ||
+ | |||
+ | # $keep_decoded_original_re = undef; | ||
+ | # @keep_decoded_original_maps = (\$keep_decoded_original_re); | ||
+ | |||
+ | # $map_full_type_to_short_type_re = ... predefined regexp lookup table | ||
+ | # @map_full_type_to_short_type_maps = (\$map_full_type_to_short_type_re); | ||
+ | |||
+ | # $MAXLEVELS = undef; | ||
+ | # $MAXFILES | ||
+ | # $MIN_EXPANSION_QUOTA = undef; | ||
+ | # $MAX_EXPANSION_QUOTA = undef; | ||
+ | # $MIN_EXPANSION_FACTOR = | ||
+ | # $MAX_EXPANSION_FACTOR = 500; # times original mail size | ||
+ | |||
+ | # $path = undef; | ||
+ | # $file = ' | ||
+ | |||
+ | # For backward compatibility the @decoders list defaults to use of legacy | ||
+ | # variables $gzip, $bzip2, $lzop, ... It is cleaner to explicitly assign | ||
+ | # a list to @decoders in amavisd.conf and directly specify program paths, | ||
+ | # without indirections through legacy variables $gzip, etc. | ||
+ | # | ||
+ | # $gzip = $bzip2 = $lzop = $rpm2cpio = undef; | ||
+ | # $uncompress = $unfreeze = $arc = $unarj = $unrar = undef; | ||
+ | # $zoo = $lha = $pax = $cpio = $cabextract = undef; | ||
+ | # | ||
+ | # @decoders = ( | ||
+ | # | ||
+ | ### [[qw(asc uue hqx ync)], \& | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # [' | ||
+ | # | ||
+ | # [' | ||
+ | # ' | ||
+ | # | ||
+ | # [' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | ### [' | ||
+ | # | ||
+ | ### [' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | ### [' | ||
+ | ### [' | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # \& | ||
+ | # | ||
+ | # \& | ||
+ | # | ||
+ | # ); | ||
+ | |||
+ | |||
+ | ## ANTI-VIRUS AND INVALID/ | ||
+ | |||
+ | # @av_scanners = (); | ||
+ | # @av_scanners_backup = (); | ||
+ | # $first_infected_stops_scan = undef; | ||
+ | # $virus_scanners_failure_is_fatal = undef; | ||
+ | |||
+ | # $viruses_that_fake_sender_re = undef; | ||
+ | # @viruses_that_fake_sender_maps = (\$viruses_that_fake_sender_re, | ||
+ | # @virus_name_to_policy_bank_maps = (); | ||
+ | # | ||
+ | # @virus_name_to_spam_score_maps = | ||
+ | # | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # [ qr' | ||
+ | # | ||
+ | |||
+ | # @banned_filename_maps = ( ' | ||
+ | # %banned_rules = ( ' | ||
+ | # $banned_filename_re = undef; | ||
+ | # $banned_namepath_re = undef; | ||
+ | |||
+ | # @bypass_virus_checks_maps = (\%bypass_virus_checks, | ||
+ | # @bypass_banned_checks_maps = (\%bypass_banned_checks, | ||
+ | # @bypass_header_checks_maps = (\%bypass_header_checks, | ||
+ | |||
+ | # @virus_lovers_maps = (\%virus_lovers, | ||
+ | # @banned_files_lovers_maps = (\%banned_files_lovers, | ||
+ | # @bad_header_lovers_maps = (\%bad_header_lovers, | ||
+ | # @unchecked_lovers_maps = (); | ||
+ | |||
+ | # $allowed_header_tests{$_} = 1 for qw(other mime 8bit control empty long | ||
+ | # | ||
+ | |||
+ | |||
+ | ## ANTI-Spam CONTROLS | ||
+ | |||
+ | # @spam_scanners = ( [' | ||
+ | |||
+ | # $helpers_home = $MYHOME; | ||
+ | # $sa_configpath = undef; | ||
+ | # $sa_siteconfigpath = undef; | ||
+ | # $sa_num_instances = 1; | ||
+ | # @sa_userconf_maps = (); | ||
+ | # @sa_username_maps = (); | ||
+ | |||
+ | # $sa_mail_body_size_limit = undef; | ||
+ | # $sa_local_tests_only = 0; | ||
+ | # $sa_spawned = 0; | ||
+ | # $dspam = undef; | ||
+ | |||
+ | # $sa_timeout = 30; | ||
+ | |||
+ | # @bypass_spam_checks_maps = (\%bypass_spam_checks, | ||
+ | # @spam_lovers_maps = (\%spam_lovers, | ||
+ | |||
+ | # $sa_tag_level_deflt | ||
+ | # $sa_tag2_level_deflt = undef; | ||
+ | # $sa_tag3_level_deflt = undef; | ||
+ | # $sa_kill_level_deflt = undef; | ||
+ | # $sa_dsn_cutoff_level = undef; | ||
+ | # $sa_crediblefrom_dsn_cutoff_level = undef; | ||
+ | # $sa_quarantine_cutoff_level = undef; | ||
+ | |||
+ | # @spam_tag_level_maps | ||
+ | # @spam_tag2_level_maps = (\$sa_tag2_level_deflt); | ||
+ | # @spam_tag3_level_maps = (\$sa_tag3_level_deflt); | ||
+ | # @spam_kill_level_maps = (\$sa_kill_level_deflt); | ||
+ | # @spam_quarantine_cutoff_level_maps = (\$sa_quarantine_cutoff_level); | ||
+ | # @spam_notifyadmin_cutoff_level_maps = (); | ||
+ | # @spam_dsn_cutoff_level_maps | ||
+ | # @spam_dsn_cutoff_level_bysender_maps = (\$sa_dsn_cutoff_level); | ||
+ | # @spam_crediblefrom_dsn_cutoff_level_maps = | ||
+ | # | ||
+ | # @spam_crediblefrom_dsn_cutoff_level_bysender_maps = | ||
+ | # | ||
+ | |||
+ | # $bounce_killer_score = 0; | ||
+ | |||
+ | # $penpals_bonus_score = undef; | ||
+ | # $penpals_halflife = 7*24*60*60; | ||
+ | # $penpals_threshold_low = 1.0; | ||
+ | # $penpals_threshold_high = undef; | ||
+ | |||
+ | # $reputation_factor = 0.2; | ||
+ | |||
+ | # @score_sender_maps = (); | ||
+ | # @signer_reputation_maps = (); | ||
+ | |||
+ | # @blacklist_sender_maps = (\%blacklist_sender, | ||
+ | # @whitelist_sender_maps = (\%whitelist_sender, | ||
+ | |||
+ | # $per_recip_blacklist_sender_lookup_tables = undef; | ||
+ | # $per_recip_whitelist_sender_lookup_tables = undef; | ||
+ | |||
+ | # $os_fingerprint_method = undef; | ||
+ | # $os_fingerprint_dst_ip_and_port = undef; | ||
+ | |||
+ | |||
+ | ## SQL, LDAP, Redis | ||
+ | |||
+ | # $database_sessions_persistent = 1; | ||
+ | # $trim_trailing_space_in_lookup_result_fields = 0; | ||
+ | # $lookup_maps_imply_sql_and_ldap = 1; | ||
+ | |||
+ | # @storage_redis_dsn = (); # Redis server(s) for pen pals, IP reput, JSON log | ||
+ | # $storage_redis_ttl = 16*24*60*60; | ||
+ | # $enable_ip_repu = 1; | ||
+ | # @ip_repu_ignore_networks = (); | ||
+ | # @ip_repu_ignore_maps = (\@ip_repu_ignore_networks); | ||
+ | # $redis_logging_key = undef; | ||
+ | # $redis_logging_queue_size_limit = undef; | ||
+ | |||
+ | # @lookup_sql_dsn | ||
+ | # @storage_sql_dsn = (); # SQL data source name for log/ | ||
+ | |||
+ | # $sql_store_info_for_all_msgs = 1; | ||
+ | # $sql_schema_version = $myversion_id_numeric; | ||
+ | # $timestamp_fmt_mysql = undef; | ||
+ | # $sql_partition_tag = undef; | ||
+ | # $sql_allow_8bit_address = 0; # VARCHAR (0), VARBINARY/ | ||
+ | # $sql_lookups_no_at_means_domain = 0; | ||
+ | # $sql_quarantine_chunksize_max = 16384; | ||
+ | |||
+ | # $sql_select_policy = | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | |||
+ | # $sql_select_white_black_list = | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | |||
+ | # %sql_clause = ( | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # " | ||
+ | # " | ||
+ | # " | ||
+ | # " | ||
+ | # ' | ||
+ | # " | ||
+ | # " | ||
+ | # " | ||
+ | # " | ||
+ | # " | ||
+ | # ); | ||
+ | |||
+ | ## LDAP, Please see file README.lookups for more info. | ||
+ | |||
+ | # $enable_ldap = 0; | ||
+ | # $ldap_lookups_no_at_means_domain = 0; | ||
+ | # | ||
+ | # $default_ldap = { | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # }; | ||
+ | |||
+ | |||
+ | ## hierarchy by which a final setting is chosen: | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | |||
+ | |||
+ | ## MAPPING A CONTENTS CATEGORY TO A SETTING CHOSEN | ||
+ | |||
+ | # %final_destiny_maps_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %forward_method_maps_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %smtp_reason_by_ccat = ( | ||
+ | # # currently only used for blocked messages only, status 5xx | ||
+ | # # a multiline message will produce a valid multiline SMTP response | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %lovers_maps_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %defang_maps_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # # CC_BADH.', | ||
+ | # # CC_BADH.', | ||
+ | # # CC_BADH.', | ||
+ | # | ||
+ | # ); | ||
+ | # %subject_tag_maps_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %quarantine_method_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %quarantine_to_maps_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %admin_maps_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %always_bcc_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %dsn_bcc_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %mailfrom_notify_admin_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %hdrfrom_notify_admin_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %mailfrom_notify_recip_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %hdrfrom_notify_recip_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %hdrfrom_notify_sender_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %hdrfrom_notify_release_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %hdrfrom_notify_report_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %notify_admin_templ_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %notify_recips_templ_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %notify_sender_templ_by_ccat = ( # bounce templates | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %notify_release_templ_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %notify_report_templ_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %notify_autoresp_templ_by_ccat = ( | ||
+ | # | ||
+ | # ); | ||
+ | # %warnsender_by_ccat = ( # deprecated use, except perhaps for CC_BADH | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %warnrecip_maps_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # ); | ||
+ | # %addr_extension_maps_by_ccat = ( | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # # CC_OVERSIZED, | ||
+ | # ); | ||
+ | # %addr_rewrite_maps_by_ccat = ( ); | ||
+ | |||
+ | |||
+ | ## POLICY BANKS | ||
+ | |||
+ | # %interface_policy = (); # maps input interface/ | ||
+ | |||
+ | # $policy_bank{'' | ||
+ | |||
+ | ## the built-in policy bank (empty name) is predefined, and includes | ||
+ | ## references to most other variables listed above (the dynamic config | ||
+ | ## variables), which are accessed only indirectly through the currently | ||
+ | ## installed policy bank. Overlaying a policy bank with another policy | ||
+ | ## bank may bring-in references to entirely different variables, | ||
+ | ## possibly unnamed. Here is a list of configuration variables | ||
+ | ## referenced from the built-in policy bank by keys of the same name | ||
+ | ## (e.g. { log_level => \$log_level, | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | |||
+ | # legacy dynamic configuration variables: | ||
+ | |||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | |||
+ | 1; # insure a defined return value | ||
+ | </ | ||
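The defaults listed above express the banned-attachment check as first-match rule lists (`@banned_filename_maps`, `%banned_rules`, `$banned_filename_re`, `$banned_namepath_re`), so the order of the entries is the policy: the first rule that matches decides, and an entry with value 0 allows the part and ends the lookup. The following Python block is an added example, not code from this page or from the amavisd-new project. It models that first-match evaluation over a part's container path with rule patterns of the same shape as the stock amavisd.conf-default entries; the evaluation order (outermost container first, and per part the dot-prefixed file(1) short type, then the MIME type, then the declared file name), the rule list and the sample parts are assumptions made for the illustration, and `$banned_namepath_re` is not modelled.

```python
"""Added example (not amavisd-new code): a simplified model of amavisd's
first-match lookup of banned-attachment rules such as $banned_filename_re.
The evaluation order is an assumption taken from the amavisd.conf-default
comments; $banned_namepath_re is not modelled."""
import re

# Rules in the shape of amavisd.conf-default entries: (regex, value).
# A value of 1 bans the part, 0 allows it explicitly and stops the lookup;
# the FIRST matching rule wins, so the order of this list is the policy.
BANNED_RULES = [
    # banned file(1) short types (tested with a leading dot)
    (re.compile(r'^\.(exe-ms|dll)$'), 1),
    # allow anything inside Unix-type archives: matching the container
    # returns 0 before any member of the archive is examined
    (re.compile(r'^\.(rpm|cpio|tar)$'), 0),
    # banned file(1) short types by extension (illustrative list)
    (re.compile(r'^\.(exe|lha|cab)$'), 1),
    # blocked MIME type
    (re.compile(r'^application/x-msdownload$', re.I), 1),
    # double extensions such as invoice.pdf.exe or Report.DOC.scr
    (re.compile(r'\.[^./]*[A-Za-z][^./]*'
                r'\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$', re.I), 1),
    # plain dangerous extensions in the declared file name
    (re.compile(r'\.(exe|vbs|pif|scr|cpl)$', re.I), 1),
]


def part_attributes(part):
    """Strings tested for one MIME part, in the assumed amavisd order."""
    return ['.' + part['type'], part['mime'], part['name']]


def lookup_banned(path, rules=BANNED_RULES):
    """path: the part's containers from outermost to innermost, ending with
    the part itself. Returns (value, pattern) of the first matching rule,
    or (None, None) when no rule matches (the part is not banned)."""
    for part in path:
        for attr in part_attributes(part):
            for regex, value in rules:
                if regex.search(attr):
                    return value, regex.pattern
    return None, None


def is_banned(path):
    value, _ = lookup_banned(path)
    return value == 1


# Constructed sample parts; 'type' is the file(1) short type as amavisd
# maps it (exe-ms, tar, zip, ...), 'mime' the declared Content-Type.
EXE_IN_TAR = [
    {'type': 'tar', 'mime': 'application/x-tar', 'name': 'backup.tar'},
    {'type': 'exe-ms', 'mime': 'application/x-msdos-program', 'name': 'setup.exe'},
]
EXE_IN_ZIP = [
    {'type': 'zip', 'mime': 'application/zip', 'name': 'backup.zip'},
    {'type': 'exe-ms', 'mime': 'application/x-msdos-program', 'name': 'setup.exe'},
]
DOUBLE_EXT = [
    {'type': 'dat', 'mime': 'application/octet-stream', 'name': 'Report.DOC.scr'},
]
PLAIN_TEXT = [
    {'type': 'txt', 'mime': 'text/plain', 'name': 'readme.txt'},
]

if __name__ == '__main__':
    for label, path in [('exe in tar', EXE_IN_TAR), ('exe in zip', EXE_IN_ZIP),
                        ('double extension', DOUBLE_EXT), ('plain text', PLAIN_TEXT)]:
        value, pattern = lookup_banned(path)
        print(f'{label:17s} banned={is_banned(path)!s:5s} rule={pattern}')
```

The run shows the point that matters operationally: the executable inside the zip is banned by the `.exe-ms` type rule, the same executable inside a tar archive is allowed because the allow entry for rpm/cpio/tar matches the container before any member is looked at, and the double-extension rule catches `Report.DOC.scr` although neither its file(1) type nor its MIME type is suspicious. When you tighten such a list, put the allow entries only where you really mean them, since every rule after them is shadowed for members of those archives.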
+ | |||
+ | === Our own, individual configuration file === | ||
+ | Now we create our own configuration file. As already mentioned, | ||
+ | * **PATHS OF THE LOCAL INSTALLATION** | ||
+ | * **BASIC SERVER SETTINGS AND DEFINITIONS** | ||
+ | * **LOGGING** | ||
+ | * **SOCKETS** | ||
+ | * **POLICY MAPPINGS** | ||
+ | * **DESTINATIONS** | ||
+ | * **NOTIFICATIONS** | ||
+ | * **VIRUS POLICY** | ||
+ | * **SPAM POLICY** | ||
+ | * **BANNED POLICY** | ||
+ | * **HEADER POLICY** | ||
+ | * **UNCHECKED POLICY** | ||
+ | * **DKIM - DomainKeys Identified Mail** | ||
+ | * **POLICY BANKS** | ||
+ | |||
+ | This gives us the following complete new AMaViS configuration file. | ||
+ | # vim / | ||
+ | |||
+ | <file perl / | ||
+ | ################################################################################ | ||
+ | # # | ||
+ | # | ||
+ | # # | ||
+ | ################################################################################ | ||
+ | |||
+ | # A list of all available variables can be found in the file | ||
+ | # / | ||
+ | # website http:// | ||
+ | # where one also finds many explanations and configuration examples | ||
+ | |||
+ | ################################################################################ | ||
+ | ## PATHS OF THE LOCAL INSTALLATION | ||
+ | # | ||
+ | |||
+ | # Paths to the programs and tools | ||
+ | $path = '/ | ||
+ | |||
+ | # Working directory of AMaViS | ||
+ | $MYHOME = '/ | ||
+ | |||
+ | # Directory for temporary data | ||
+ | #$TEMPBASE = ' | ||
+ | $TEMPBASE = " | ||
+ | |||
+ | # Environment variable TMPDIR, used by SpamAssassin among others | ||
+ | $ENV{TMPDIR} = $TEMPBASE; | ||
+ | |||
+ | # No quarantine -> no quarantine directory needed | ||
+ | $QUARANTINEDIR = undef; | ||
+ | |||
+ | # Directory for the Berkeley DB files nanny/ | ||
+ | $db_home | ||
+ | |||
+ | # Paths to the PID and lock file | ||
+ | $lock_file = "/ | ||
+ | $pid_file | ||
+ | |||
+ | # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING | ||
+ | @score_sender_maps = ({ # a by-recipient hash lookup table, | ||
+ | # results from all matching recipient tables are summed | ||
+ | |||
+ | # ## per-recipient personal tables | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | |||
+ | ## site-wide opinions about senders (the ' | ||
+ | ' | ||
+ | |||
+ | | ||
+ | [qr' | ||
+ | [qr' | ||
+ | [qr' | ||
+ | [qr' | ||
+ | [qr' | ||
+ | [qr' | ||
+ | [qr' | ||
+ | ), | ||
+ | |||
+ | # read_hash("/ | ||
+ | |||
+ | { # a hash-type lookup table (associative array) | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | | ||
+ | | ||
+ | |||
+ | # soft-blacklisting (positive score) | ||
+ | ' | ||
+ | ' | ||
+ | |||
+ | }, | ||
+ | ], # end of site-wide tables | ||
+ | }); | ||
+ | |||
+ | # Utilities with which amavis unpacks archives | ||
+ | @decoders = ( | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | 'lzma -dc', ' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [[' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [[' | ||
+ | [[' | ||
+ | [' | ||
+ | [[qw(7z zip gz bz2 Z tar)], \& | ||
+ | [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \& | ||
+ | [' | ||
+ | ); | ||
+ | |||
+ | # The e-mail is delivered to the virus scanner in its entirety. The content of | ||
+ | # archives is never trusted. | ||
+ | @keep_decoded_original_maps = (new_RE( | ||
+ | qr' | ||
+ | qr' | ||
+ | qr' | ||
+ | )); | ||
+ | |||
+ | |||
+ | ################################################################################ | ||
+ | ## BASIC SERVER SETTINGS AND DEFINITIONS | ||
+ | # | ||
+ | |||
+ | # Number of servers (pre-forked children) to start. | ||
+ | $max_servers = 5; | ||
+ | |||
+ | # User and group of the AMaViS daemon | ||
+ | $daemon_user | ||
+ | $daemon_group = ' | ||
+ | |||
+ | # Hostname (FQDN) of the AMaViS server | ||
+ | $myhostname = ' | ||
+ | |||
+ | # Local domain of the AMaViS server | ||
+ | $mydomain = ' | ||
+ | |||
+ | # Address delimiter within the e-mail address | ||
+ | $recipient_delimiter = ' | ||
+ | |||
+ | # We set everything to undef and define the back-routing in the policy banks | ||
+ | |||
+ | # How are the e-mails handed back to the MTA? | ||
+ | # amavisd-milter! | ||
+ | $forward_method = undef; | ||
+ | |||
+ | $notify_method | ||
+ | |||
+ | # | ||
+ | |||
+ | |||
+ | ################################################################################ | ||
+ | ## LOGGING | ||
+ | # | ||
+ | |||
+ | # verbosity 0..5, -d | ||
+ | # Django : 2014-11-18 | ||
+ | # default: $log_level = 0; | ||
+ | $log_level = 3; | ||
+ | # disable by-recipient level-0 log entries | ||
+ | $log_recip_templ = undef; | ||
+ | # log via syslogd (preferred) | ||
+ | $do_syslog = 1; | ||
+ | # Syslog facility as a string e.g.: mail, daemon, user, local0, ... local7 | ||
+ | $syslog_facility = ' | ||
+ | #Syslog base (minimal) priority | ||
+ | $syslog_priority = ' | ||
+ | # enable use of BerkeleyDB/ | ||
+ | $enable_db = 1; | ||
+ | # enable use of libdb-based cache if $enable_db=1 | ||
+ | $enable_global_cache = 1; | ||
+ | # enable use of ZeroMQ (SNMP and nanny) | ||
+ | # $enable_zmq = 1; | ||
+ | # # nanny verbosity: 1: traditional, | ||
+ | $nanny_details_level = 2; | ||
+ | |||
+ | # @lookup_sql_dsn = | ||
+ | # ( [' | ||
+ | # | ||
+ | # | ||
+ | # @storage_sql_dsn = @lookup_sql_dsn; | ||
+ | |||
+ | # @storage_redis_dsn = ( {server=>' | ||
+ | # $redis_logging_key = ' | ||
+ | # about 250 MB / 100000 | ||
+ | # $redis_logging_queue_size_limit = 300000; | ||
+ | |||
+ | # $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP; | ||
+ | # | ||
+ | |||
+ | |||
+ | ################################################################################ | ||
+ | ## SOCKETS | ||
+ | # | ||
+ | |||
+ | # Where should AMaViS listen for incoming connections? | ||
+ | @listen_sockets = ( | ||
+ | ' | ||
+ | ' | ||
+ | " | ||
+ | ); | ||
+ | |||
+ | |||
+ | ################################################################################ | ||
+ | ## POLICY MAPPINGS | ||
+ | # | ||
+ | |||
+ | # We route incoming connections into policy banks based on | ||
+ | # different criteria. | ||
+ | |||
+ | # Map TCP sockets to policies | ||
+ | $interface_policy{' | ||
+ | $interface_policy{' | ||
+ | |||
+ | # Map UNIX domain sockets to policies | ||
+ | $interface_policy{' | ||
+ | |||
+ | # IP addresses/ | ||
+ | @client_ipaddr_policy = ( | ||
+ | [qw( 0.0.0.0/8 127.0.0.1/ | ||
+ | [qw( !172.16.1.0/ | ||
+ | [qw( 192.0.2.0/ | ||
+ | [qw( 198.51.100.88/ | ||
+ | [qw( 203.0.113.164/ | ||
+ | \@mynetworks | ||
+ | ); | ||
+ | |||
+ | # Map DKIM-verified sender (domains) to policies | ||
+ | @author_to_policy_bank_maps = ( { | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | } ); | ||
+ | |||
+ | |||
+ | ################################################################################ | ||
+ | ## DESTINATIONS | ||
+ | # | ||
+ | |||
+ | # Definition of the traffic directions: | ||
+ | |||
+ | # This is traffic to internal. Conversely, all other destinations are external. | ||
+ | @local_domains_maps = ( | ||
+ | [" | ||
+ | read_hash("/ | ||
+ | ); | ||
+ | |||
+ | # This comes from internal. Everything else is from external by default, unless we | ||
+ | # recognise it by other criteria such as a DKIM signature or the originating port | ||
+ | @mynetworks = qw( | ||
+ | 127.0.0.0/ | ||
+ | [::1] | ||
+ | [FE80:: | ||
+ | [FEC0:: | ||
+ | 10.0.0.0/ | ||
+ | 10.0.10.0/ | ||
+ | ); | ||
+ | |||
+ | |||
+ | ################################################################################ | ||
+ | ## NOTIFICATIONS | ||
+ | # | ||
+ | |||
+ | # Warn external (off-site) senders? | ||
+ | $warn_offsite = 0; | ||
+ | |||
+ | # Envelope Sender | ||
+ | $mailfrom_notify_admin = " | ||
+ | $mailfrom_notify_recip = " | ||
+ | $mailfrom_notify_sender = " | ||
+ | $mailfrom_notify_spamadmin = " | ||
+ | $mailfrom_to_quarantine = ''; | ||
+ | $dsn_bcc = " | ||
+ | |||
+ | # From: Header | ||
+ | $hdrfrom_notify_sender = " | ||
+ | $hdrfrom_notify_recip = " | ||
+ | $hdrfrom_notify_release = " | ||
+ | |||
+ | |||
+ | ################################################################################ | ||
+ | ## VIRUS POLICY | ||
+ | # | ||
+ | |||
+ | # Enable the check? | ||
+ | # @bypass_virus_checks_maps = (1); | ||
+ | |||
+ | # Quarantine? | ||
+ | $virus_quarantine_to = undef; | ||
+ | |||
+ | # Notify admin? | ||
+ | $virus_admin = undef; | ||
+ | |||
+ | # Notify recipient? | ||
+ | $warnvirusrecip = 1; | ||
+ | |||
+ | # Extend the recipient address on release? | ||
+ | @addr_extension_virus_maps = (' | ||
+ | |||
+ | # Wrap the e-mail on release? | ||
+ | $defang_virus | ||
+ | |||
+ | # Do we want to transport the content? | ||
+ | $final_virus_destiny = D_REJECT; | ||
+ | |||
+ | @av_scanners = ( | ||
+ | ### http:// | ||
+ | [' | ||
+ | \& | ||
+ | qr/\bOK$/m, qr/ | ||
+ | qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], | ||
+ | ); | ||
+ | |||
+ | @av_scanners_backup = (); | ||
+ | # | ||
+ | # ### http:// | ||
+ | # [' | ||
+ | # " | ||
+ | # [0], qr/: | ||
+ | #); | ||
+ | |||
+ | |||
+ | ################################################################################ | ||
+ | ## SPAM POLICY | ||
+ | # | ||
+ | |||
+ | # Enable the check? | ||
+ | # @bypass_spam_checks_maps | ||
+ | |||
+ | # Quarantine? | ||
+ | $spam_quarantine_to = undef; | ||
+ | |||
+ | # Notify admin? | ||
+ | $spam_admin = undef; | ||
+ | |||
+ | # Extend the recipient address on release? | ||
+ | @addr_extension_spam_maps = (' | ||
+ | |||
+ | # Wrap the e-mail on release? | ||
+ | $defang_spam = undef; | ||
+ | |||
+ | # Do we want to transport the content? | ||
+ | $final_spam_destiny = D_REJECT; | ||
+ | |||
+ | # add spam info headers if at, or above that level | ||
+ | $sa_tag_level_deflt | ||
+ | # add 'spam detected' | ||
+ | $sa_tag2_level_deflt = 6.31; | ||
+ | # triggers spam evasive actions (e.g. blocks mail) | ||
+ | $sa_kill_level_deflt = 6.31; | ||
+ | # spam level beyond which a DSN is not sent | ||
+ | $sa_dsn_cutoff_level = 10; | ||
+ | # likewise, but for a likely valid From | ||
+ | $sa_crediblefrom_dsn_cutoff_level = 18; | ||
+ | # spam level beyond which quarantine is off | ||
+ | # $sa_quarantine_cutoff_level = 25; | ||
+ | |||
+ | # (no effect without a @storage_sql_dsn database) | ||
+ | $penpals_bonus_score = 8; | ||
+ | # don't waste time on hi spam | ||
+ | $penpals_threshold_high = $sa_kill_level_deflt; | ||
+ | # spam score points to add for joe-jobbed bounces | ||
+ | $bounce_killer_score = 100; | ||
+ | # don't waste time on SA if mail is larger | ||
+ | $sa_mail_body_size_limit = 400*1024; | ||
+ | # only tests which do not require internet access? | ||
+ | $sa_local_tests_only = 0; | ||
+ | |||
+ | $sa_spam_subject_tag = ' | ||
+ | |||
+ | |||
+ | ################################################################################ | ||
+ | ## BANNED POLICY | ||
+ | # | ||
+ | |||
+ | # Check aktivieren? | ||
+ | # | ||
+ | |||
+ | # Quarantine? | ||
+ | $banned_quarantine_to = undef; | ||
+ | |||
+ | # Admin benachrichtigen? | ||
+ | $banned_admin = undef; | ||
+ | |||
+ | # Recipient-Adresse bei Release erweitern? | ||
+ | @addr_extension_banned_maps = (' | ||
+ | |||
+ | # eMail bei Release wrappen? | ||
+ | $defang_banned = 1; | ||
+ | |||
+ | # Wollen wir Content transportieren? | ||
+ | $final_banned_destiny = D_BOUNCE; | ||
+ | |||
+ | # Definitionslisten in denen wir bestimmte Dateitypen zusammenfassen | ||
+ | # Die Definitionsnamen können wir in einer Policy verwenden | ||
+ | %banned_rules = ( | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ); | ||
+ | |||
+ | # Alles was in der Definitionsliste oben DEFAULT ist | ||
+ | $banned_filename_re = new_RE( | ||
+ | # banned file(1) types, rudimentary | ||
+ | qr' | ||
+ | # allow any in Unix-type archives | ||
+ | [ qr' | ||
+ | # banned extensions - rudimentary | ||
+ | qr' | ||
+ | # block these MIME types | ||
+ | qr' | ||
+ | qr' | ||
+ | qr' | ||
+ | # block certain double extensions in filenames | ||
+ | qr' | ||
+ | # banned extension - basic+cmd | ||
+ | qr' | ||
+ | ); | ||
+ | |||
+ | |||
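Review bot: `$final_banned_destiny = D_BOUNCE;` makes amavisd generate its own non-delivery notification to the envelope sender for every banned attachment, and since `$banned_quarantine_to = undef;` the original is not kept anywhere. Envelope senders of mail carrying banned file types are very often forged, so this default turns the filter into a backscatter source; on the pre-queue milter path `D_REJECT`, as already chosen for spam with `$final_spam_destiny = D_REJECT;`, lets the sending MTA receive the 5xx instead, and if a DSN is wanted for authenticated customers it belongs in the SUBMISSION policy bank rather than in the global default. `$defang_banned = 1;` only matters for mail that is actually passed or released, which with these settings never happens; either drop it or document which policy bank it is meant for.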
+ | ################################################################################ | ||
+ | ## HEADER POLICY | ||
+ | # | ||
+ | |||
+ | # Check aktivieren? | ||
+ | # @bypass_header_checks_maps = (1); | ||
+ | |||
+ | # In Quarantäne? | ||
+ | $bad_header_quarantine_method = undef; | ||
+ | |||
+ | # Recipient-Adresse bei Release erweitern? | ||
+ | @addr_extension_bad_header_maps = (' | ||
+ | |||
+ | # eMail bei Release wrappen? | ||
+ | # NUL or CR character in header | ||
+ | $defang_by_ccat{CC_BADH.", | ||
+ | # header line longer than 998 characters | ||
+ | $defang_by_ccat{CC_BADH.", | ||
+ | # header field syntax error | ||
+ | $defang_by_ccat{CC_BADH.", | ||
+ | |||
+ | # Wollen wir Content transportieren? | ||
+ | $final_bad_header_destiny = D_PASS; | ||
+ | |||
+ | # Admin benachrichtigen? | ||
+ | $bad_header_admin = undef; | ||
+ | |||
+ | # Sender benachrichtigen? | ||
+ | $warnbadhsender = undef; | ||
+ | |||
+ | # Empfänger benachrichtigen? | ||
+ | $warnbadhrecip = undef; | ||
+ | |||
+ | |||
+ | ################################################################################ | ||
+ | ## UNCHECKED POLICY | ||
+ | # | ||
+ | $undecipherable_subject_tag = ''; | ||
+ | |||
+ | $MAXLEVELS = 14; | ||
+ | $MAXFILES = 3000; | ||
+ | # bytes (default undef, not enforced) | ||
+ | $MIN_EXPANSION_QUOTA = 100*1024; | ||
+ | # bytes (default undef, not enforced) | ||
+ | $MAX_EXPANSION_QUOTA = 500*1024*1024; | ||
+ | |||
+ | |||
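Review bot: `$MAX_EXPANSION_QUOTA = 500*1024*1024;` together with `$MAXLEVELS = 14;` and `$MAXFILES = 3000;` bounds the work spent on nested archives, which is the protection against decompression bombs, but 500 MB is the temporary disk space a single message may consume while the milter holds the SMTP session open; the value should be justified against the size of the tmp filesystem and the milter/SMTP timeouts, or lowered. `$undecipherable_subject_tag = '';` also switches off the only visible marking for mail whose archives could not be opened (encrypted or unsupported formats), so the recipient cannot tell that such a message was not fully scanned; the comment block under "UNCHECKED POLICY" should state how unchecked mail is otherwise treated.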
+ | ################################################################################ | ||
+ | ## DKIM - Domain Key Identified Mail | ||
+ | # | ||
+ | |||
+ | # DKIM-Signaturen verifizieren | ||
+ | $enable_dkim_verification = 0; | ||
+ | |||
+ | # DKIM-Signaturen erstellen | ||
+ | $enable_dkim_signing = 0; | ||
+ | |||
+ | # Private Keys und Selectors | ||
+ | # | ||
+ | # signing domain | ||
+ | # ------------- | ||
+ | # dkim_key(' | ||
+ | |||
+ | # DKIM Signing Policies | ||
+ | @dkim_signature_options_bysender_maps = ( | ||
+ | { ' | ||
+ | { | ||
+ | ttl => 21*24*3600, | ||
+ | c => ' | ||
+ | } | ||
+ | } | ||
+ | ); | ||
+ | |||
+ | # to query p0f-analyzer.pl | ||
+ | # $os_fingerprint_method = ' | ||
+ | |||
+ | ## hierarchy by which a final setting is chosen: | ||
+ | ## | ||
+ | ## | ||
+ | ## | ||
+ | |||
+ | |||
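Review bot: `@dkim_signature_options_bysender_maps` (with `ttl => 21*24*3600`) is inert while `$enable_dkim_signing = 0;` and the `dkim_key(...)` line stays commented out; either remove the map or add a comment that signing is delegated to the downstream smtpd referred to in the SUBMISSION bank ("forward to a smtpd service providing DKIM signing service"), so that a later reader does not enable signing here without a key. With `$enable_dkim_verification = 0;` amavisd also does not evaluate incoming signatures, so any DKIM-based whitelisting or SpamAssassin DKIM rules must be applied elsewhere; the comment "DKIM-Signaturen verifizieren" should say where.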
+ | ################################################################################ | ||
+ | ## POLICY BANKS | ||
+ | # | ||
+ | |||
+ | ## POLICY BANK MYNETWORK | ||
+ | # Alles Hosts, die in MYNETS gelistet sind | ||
+ | $policy_bank{' | ||
+ | # Jede Mail von einen unserer Hosts wird als originating gesetzt | ||
+ | originating => 1, | ||
+ | # Keine pof Abfragen für interne Clients durchführen. | ||
+ | os_fingerprint_method => undef, | ||
+ | # keinerlei unchecked-Meldungen verschicken | ||
+ | # | ||
+ | # " | ||
+ | $admin_maps_by_ccat{+CC_UNCHECKED.', | ||
+ | }; | ||
+ | |||
+ | ## POLICY BANK SUBMISSON | ||
+ | # Nachrichten unserer Kunden, die auf Port 587 (Submisson) eingeliefert wurden | ||
+ | # wird als originating, | ||
+ | $policy_bank{' | ||
+ | # welcher Host darf soll auf Port 10014 einliefern dürfen | ||
+ | inet_acl => [qw( 10.0.0.87 )], | ||
+ | # eMails vom Port 587 werdenals "von uns" = originating gesetzt | ||
+ | originating => 1, | ||
+ | # Disclaimer an jede Mail anfügen, sofern welche verfügbar sind. | ||
+ | allow_disclaimers => 1, | ||
+ | # notify administrator of locally originating malware | ||
+ | virus_admin_maps => [" | ||
+ | spam_admin_maps | ||
+ | warnbadhsender | ||
+ | # keinerlei unchecked-Meldungen verschicken | ||
+ | # | ||
+ | # " | ||
+ | $admin_maps_by_ccat{+CC_UNCHECKED.', | ||
+ | # forward to a smtpd service providing DKIM signing service | ||
+ | forward_method => ' | ||
+ | # force MTA conversion to 7-bit (e.g. before DKIM signing) | ||
+ | smtpd_discard_ehlo_keywords => [' | ||
+ | # allow sending any file names and types | ||
+ | bypass_spam_checks_maps => [0], | ||
+ | # allow sending any file names and types | ||
+ | bypass_banned_checks_maps => [1], | ||
+ | # don't remove NOTIFY=SUCCESS option | ||
+ | terminate_dsn_on_notify_success => 0, | ||
+ | notify_method | ||
+ | forward_method => ' | ||
+ | final_virus_destiny => ' | ||
+ | }; | ||
+ | |||
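Review bot: `forward_method` appears twice inside the SUBMISSION policy bank (once under "forward to a smtpd service providing DKIM signing service", once again after `notify_method`); in a Perl hash literal the second key silently replaces the first, so one of the two targets is dead configuration and should be removed. The comment "allow sending any file names and types" is attached to both `bypass_spam_checks_maps => [0],` and `bypass_banned_checks_maps => [1],`, but it is only true for the second; the first keeps spam checks enabled for submissions and needs its own comment. `bypass_banned_checks_maps => [1],` itself means that authenticated customers may send any attachment type outbound, so a compromised customer account can relay exactly the file types blocked inbound; that is a deliberate trade-off but deserves a sentence. Finally, the comment "welcher Host darf soll auf Port 10014 einliefern dürfen" names port 10014 while the only amavisd TCP port checked later on this page is 10024; the number should be verified against the actual listener and the submission `content_filter` target.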
+ | # Hier schlägt der MILTER auf | ||
+ | $policy_bank{' | ||
+ | protocol => ' | ||
+ | auth_required_release => 0, | ||
+ | }; | ||
+ | |||
+ | # Hier würden wir releasen | ||
+ | $policy_bank{' | ||
+ | protocol => ' | ||
+ | inet_acl => [qw( 127.0.0.1 )], | ||
+ | auth_required_release => 0, | ||
+ | }; | ||
+ | |||
+ | |||
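Review bot: both `auth_required_release => 0,` entries disable the per-message release secret. For the second bank ("Hier würden wir releasen") this is bounded by `inet_acl => [qw( 127.0.0.1 )],`, but the bank for the milter ("Hier schlägt der MILTER auf") shows no `inet_acl`, so its safety rests entirely on the socket being the Unix-domain `amavisd.sock` with restrictive owner and mode (the lsof output later on this page shows that socket). The comment should state that dependency, and the socket's ownership and permissions should be part of the shown configuration so that a later change to a TCP socket does not silently expose release without authentication.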
+ | ## POLICY BANK: WHITELIST | ||
+ | $policy_bank{' | ||
+ | bypass_spam_checks_maps => [1], | ||
+ | spam_lovers_maps => [1], | ||
+ | }; | ||
+ | |||
+ | |||
+ | ## POLICY BANK: NOVIRUSCHECK | ||
+ | $policy_bank{' | ||
+ | bypass_decode_parts => 1, | ||
+ | bypass_virus_checks_maps => [1], | ||
+ | virus_lovers_maps => [1], | ||
+ | }; | ||
+ | |||
+ | |||
+ | ## POLICY BANK: NOBANNEDCHECK | ||
+ | $policy_bank{' | ||
+ | bypass_banned_checks_maps => [1], | ||
+ | banned_files_lovers_maps | ||
+ | }; | ||
+ | |||
+ | |||
+ | 1; # insure a defined return value | ||
+ | |||
+ | # vim: set ft=perl sw=4:</ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ==== Postfix ==== | ||
+ | Die Anbindung des AMaViS-Servers an unseren Postfix-MTA nehmen wir nun im folgendem Konfigurationsschritt vor. Dabei unterscheiden wir die unterschiedlichen Verkehrsrichtungen bei unserem **MHS**((**M**ail **H**andling **S**ystem)): | ||
+ | * **MTA**((**M**ail **T**ransport **A**gent))-Traffic : Hier bewerten und prüfen wir die Nachricht noch während der Annahme der Nachricht. Daher nutzen wir hier unseren [[centos: | ||
+ | |||
+ | ################################################################################ | ||
+ | ## MILTER | ||
+ | # Django : 2014-11-18 | ||
+ | # DMARC Test | ||
+ | amavisd_milter | ||
+ | |||
+ | ... | ||
+ | </ | ||
+ | # Postfix master process configuration file. For details on the format | ||
+ | # of the file, see the master(5) manual page (command: "man 5 master" | ||
+ | # | ||
+ | # Do not forget to execute " | ||
+ | # | ||
+ | # ========================================================================== | ||
+ | # service type private unpriv | ||
+ | # | ||
+ | # ========================================================================== | ||
+ | # | ||
+ | # Django : 2014-10-29 postscreen | ||
+ | # | ||
+ | smtp inet n | ||
+ | smtpd | ||
+ | -o smtpd_sasl_auth_enable=no | ||
+ | # Django : 2014-11-29 amavisd-milter eingebunden | ||
+ | -o smtpd_milters=${amavisd_milter} | ||
+ | dnsblog | ||
+ | tlsproxy | ||
+ | |||
+ | ... | ||
+ | </ | ||
+ | * **MUA**((**M**ail **U**ser **A**gent))-**MSA**((**M**ail **S**ubmission **A**gent))-Traffic : Bei der Annahme der eMail von unseren eigenen Kunden, wollen wir im Gegensatz zum MTA zu MTA Verkehr **nicht** prequeue über **amavisd-milter** filtern, sondern als content_filter. Dies hat vor allem den Grund, dass die Annahme der Nachrichten auf Port **587** sofort erfolgt und die NAchrichten erst im Anschluss gescannt werden. So muss ein einliefernder **MUA** nicht warten, bis der Content-Scanner die Nachricht verarbeitet hat. Somit vermeiden wir den Eindruck, dass die Einlieferung extrem lange dauert, wenn z.B. erst ein verschachteltes ZIP-Archiv aus dem Mailanhang mit 35 MB ausgepackt und gescannt werden muss. \\ \\ Wir tragen hierzu in der Konfigurationsdatei // | ||
+ | submission inet n | ||
+ | -o syslog_name=postfix/ | ||
+ | -o smtpd_tls_security_level=encrypt | ||
+ | -o smtpd_sasl_auth_enable=yes | ||
+ | -o smtpd_reject_unlisted_recipient=no | ||
+ | -o smtpd_etrn_restrictions=reject | ||
+ | -o smtpd_recipient_restrictions= | ||
+ | -o smtpd_relay_restrictions=permit_sasl_authenticated, | ||
+ | -o milter_macro_daemon_name=ORIGINATING | ||
+ | -o content_filter=smtp: | ||
+ | -o mydestination=lists.nausch.org, | ||
+ | |||
+ | |||
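Review bot: the comment `# DMARC Test` above `amavisd_milter` in the main.cf excerpt does not describe the parameter (it holds the amavisd-milter socket consumed by `-o smtpd_milters=${amavisd_milter}`) and should be corrected; the two different dates for the same change (`2014-11-18` in main.cf, `2014-11-29` in master.cf) should be reconciled as well. On the submission service, `-o content_filter=smtp:...` makes scanning post-queue exactly as the text explains, so an amavisd reject under `$final_spam_destiny = D_REJECT` becomes a Postfix bounce to the SASL-authenticated sender; acceptable because the sender is known, but worth spelling out. `-o smtpd_recipient_restrictions=` and `-o smtpd_relay_restrictions=permit_sasl_authenticated,` should be shown in full, and the relay list must end in an explicit `reject` (or `defer_unauth_destination`), since an incomplete relay restriction on a SASL port is the classic open-relay mistake.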
+ | ==== Paketfilter ==== | ||
+ | === AMaViS-Host === | ||
+ | Damit unser MTA-Server die Dienste/ | ||
+ | |||
+ | Als erstes gestatten wir den Verkehr vom SMTP-Daemon zum AMaViS-Milter. | ||
+ | # firewall-cmd --permanent --zone=public --add-rich-rule=" | ||
+ | |||
+ | | ||
+ | |||
+ | Anschließend setzen wir eine weitere Firewall-Regel, | ||
+ | # firewall-cmd --permanent --zone=public --add-rich-rule=" | ||
+ | |||
+ | | ||
+ | |||
+ | Dann können wir den Firewall-Daemon einmal durchstarten und anschließend überprüfen, | ||
+ | # firewall-cmd --reload | ||
+ | |||
+ | | ||
+ | |||
+ | # iptables -nvL IN_public_allow | ||
+ | < | ||
+ | pkts bytes target | ||
+ | 0 0 ACCEPT | ||
+ | 0 0 ACCEPT | ||
+ | </ | ||
+ | |||
+ | === MTA-Host === | ||
+ | Entsprechend müssen wir natürlich auch auf dem SMTP-Host eine weitere Firewall-Regel anlegen, damit __**nur der**__ AMaViS-Host von der policybank **SUBMISSON** zurück auf dem Port **10025** und seine Notification-Mails einliefern kann. | ||
+ | |||
+ | # firewall-cmd --permanent --zone=public --add-rich-rule=" | ||
+ | |||
+ | | ||
+ | |||
+ | Anschließend starten wir den Firewall-Daemon einmal durch und überprüfen anschließend, | ||
+ | |||
+ | # firewall-cmd --reload | ||
+ | |||
+ | | ||
+ | |||
+ | Abschließend prüfen wir noch, ob die Erweiterung unseres Paketfilter aktiv ist. | ||
+ | # iptables -nvL IN_public_allow | ||
+ | < | ||
+ | pkts bytes target | ||
+ | 0 0 ACCEPT | ||
+ | 0 0 ACCEPT | ||
+ | 0 0 ACCEPT | ||
+ | 0 0 ACCEPT | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
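Review bot: the MTA-host rule allows only the AMaViS host to reach port 10025 for re-injected notification mail, but the master.cf excerpt earlier elides (`...`) the 10025 listener itself; that smtpd entry, with its own restriction overrides and with `content_filter` and `smtpd_milters` cleared so that re-injected mail is not scanned a second time, is what this firewall rule protects and should be shown next to it. The `iptables -nvL IN_public_allow` checks are good; adding `firewall-cmd --zone=public --list-rich-rules` would also document the configured source addresses, which the chain listing alone does not show.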
+ | ===== Programmstart ===== | ||
+ | Bevor wir nun unseren AMaViS-Daemon starten, installieren wir noch die beiden Backend-Filter: | ||
+ | * **[[centos: | ||
+ | * **[[centos: | ||
+ | |||
+ | Ist dies erfolgt können wir die Dienste Starten und Testen. | ||
+ | ==== amavisd-milter ==== | ||
+ | Als erstes starten wir unseren Milter **amavisd-milter**. | ||
+ | # systemctl start amavisd-milter | ||
+ | |||
+ | Fragen wir nun den Status des Daemon ab sehen wir neben den Logeinträgen im **Maillog** und **Syslog** die Aufrufparameter des Daemon. | ||
+ | # systemctl status amavisd-milter -l | ||
+ | < | ||
+ | | ||
+ | | ||
+ | Docs: http:// | ||
+ | Process: 15164 ExecStart=/ | ||
+ | Main PID: 15166 (amavisd-milter) | ||
+ | | ||
+ | | ||
+ | |||
+ | Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: Starting amavisd-milter is a milter (mailfilter) for amavisd-new which uses the AM.PDP protocol.... | ||
+ | Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: PID file / | ||
+ | Dec 02 09:38:09 vml000067.dmz.nausch.org amavisd-milter[15166]: | ||
+ | Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: Started amavisd-milter is a milter (mailfilter) for amavisd-new which uses the AM.PDP protocol..</ | ||
+ | |||
+ | Mit **lsof** können wir auch den geöfneten Port überprüfen. | ||
+ | # lsof -i :8899 | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | |||
+ | ==== amavisd ==== | ||
+ | Als nächstes starten wir den AMaViS-Daemon **amavisd**. | ||
+ | # systemctl status amavisd | ||
+ | |||
+ | Fragen wir nun den Status des Daemon ab, sehen wir auch hier neben den Logeinträgen im **Maillog** und **Syslog** die Aufrufparameter des Daemon. | ||
+ | |||
+ | # systemctl status amavisd -l | ||
+ | < | ||
+ | | ||
+ | | ||
+ | Docs: http:// | ||
+ | Process: 9164 ExecReload=/ | ||
+ | Process: 15174 ExecStart=/ | ||
+ | Main PID: 15175 (/ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: | ||
+ | Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: | ||
+ | Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: | ||
+ | Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: | ||
+ | Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: | ||
+ | Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: | ||
+ | Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: | ||
+ | Dec 02 09:45:24 vml000067.dmz.nausch.org amavis[15175]: | ||
+ | Dec 02 09:45:24 vml000067.dmz.nausch.org amavis[15175]: | ||
+ | Dec 02 09:45:24 vml000067.dmz.nausch.org amavis[15175]: | ||
+ | </ | ||
+ | |||
+ | Den vollständigen dokumentierten Start finden wir dann auch im **Maillog** des Servers. | ||
+ | # less / | ||
+ | < | ||
+ | Dec 2 09:45:19 vml000067 amavis[15174]: | ||
+ | -8" | ||
+ | Dec 2 09:45:19 vml000067 amavis[15174]: | ||
+ | Dec 2 09:45:19 vml000067 amavis[15174]: | ||
+ | Dec 2 09:45:19 vml000067 amavis[15174]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15174]: | ||
+ | EG Image:: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15174]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15174]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15174]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:20 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:24 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:24 vml000067 amavis[15175]: | ||
+ | Dec 2 09:45:24 vml000067 amavis[15175]: | ||
+ | |||
+ | Mit lsof können wir nun auch die Existenz der von AMaviS verwendeten Unix/ | ||
+ | # lsof | grep amavisd.sock | ||
+ | |||
+ | < | ||
+ | /usr/sbin 15176 amavis | ||
+ | /usr/sbin 15177 amavis | ||
+ | /usr/sbin 15178 amavis | ||
+ | /usr/sbin 15179 amavis | ||
+ | /usr/sbin 15180 amavis | ||
+ | |||
+ | # lsof -i :10024 | ||
+ | |||
+ | < | ||
+ | /usr/sbin 15175 amavis | ||
+ | /usr/sbin 15176 amavis | ||
+ | /usr/sbin 15177 amavis | ||
+ | /usr/sbin 15178 amavis | ||
+ | /usr/sbin 15179 amavis | ||
+ | /usr/sbin 15180 amavis | ||
+ | |||
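Review bot: under "Als nächstes starten wir den AMaViS-Daemon **amavisd**" the command shown is `# systemctl status amavisd`, which only queries the unit; it should read `# systemctl start amavisd`. Both units are started by hand here, so unless it is done elsewhere on the page, `systemctl enable amavisd-milter amavisd` is missing for the next reboot. The `lsof | grep amavisd.sock` and `lsof -i :10024` checks are worth keeping; an `ls -l` on the socket would additionally document the owner and mode that the milter policy bank (with `auth_required_release => 0`) relies on.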
+ | ==== postfix ==== | ||
+ | Zu guter letzt führen wir noch einen Restart des Postfix-Master-Daemons auf unserem SMTP-Server durch. | ||
+ | # systemctl restart postfix.service | ||
+ | |||
+ | Auch hier können wir bei Bedarf den Status des Servers abfragen. | ||
+ | # systemctl status postfix.service -l | ||
+ | |||
+ | < | ||
+ | | ||
+ | | ||
+ | Process: 27047 ExecStop=/ | ||
+ | Process: 27062 ExecStart=/ | ||
+ | Process: 27059 ExecStartPre=/ | ||
+ | Process: 27056 ExecStartPre=/ | ||
+ | Main PID: 27135 (master) | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | Dec 02 10:12:04 vml000087.dmz.nausch.org systemd[1]: Starting Postfix Mail Transport Agent... | ||
+ | Dec 02 10:12:05 vml000087.dmz.nausch.org postfix/ | ||
+ | Dec 02 10:12:05 vml000087.dmz.nausch.org systemd[1]: Started Postfix Mail Transport Agent.</ | ||
+ | |||
+ | Ebenso können wir überprüfen welche Ports bei unserem MAilserver geöffnet wurden. | ||
+ | # netstat -tulpen | ||
+ | < | ||
+ | Proto Recv-Q Send-Q Local Address | ||
+ | tcp 0 0 0.0.0.0: | ||
+ | tcp 0 0 10.0.0.87: | ||
+ | tcp 0 0 0.0.0.0: | ||
+ | tcp 0 0 127.0.0.1: | ||
+ | tcp6 | ||
+ | tcp6 | ||
+ | </ | ||
+ | ===== Tests ===== | ||
+ | Nun ist es an der Zeit ausgiebig die Funktionsfähigkeit unseres **AS/ | ||
+ | - **HAM** | ||
+ | * **[[centos: | ||
+ | * **[[centos: | ||
+ | - **SPAM** | ||
+ | * **[[centos: | ||
+ | * **[[centos: | ||
+ | - **Virus** | ||
+ | * **[[centos: | ||
+ | * **[[centos: | ||
+ | |||
+ | |||
+ | |||
+ | ==== HAM auf Port 25 (MTA zu MTA Verkehr) ==== | ||
+ | Im ersten Test überprüfen wir, ob eine valide Testmail die wir an unseren **SMTP**-Bordefilter auf unserem **SMTP**-Host einliefern im Benutzerkonto unseres Mailkontoinhabers durchkommt. | ||
+ | === SMTP-Client (swaks) === | ||
+ | Wir verschicken nun als erstes mit Hilfe von [[http:// | ||
+ | $ swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header " | ||
+ | |||
+ | < | ||
+ | === Connected to 10.0.0.87. | ||
+ | <- 220 mx01.nausch.org ESMTP Postfix | ||
+ | -> EHLO vml000087.dmz.nausch.org | ||
+ | <- 250-mx01.nausch.org | ||
+ | <- 250-PIPELINING | ||
+ | <- 250-SIZE 52428800 | ||
+ | <- 250-ETRN | ||
+ | <- 250-STARTTLS | ||
+ | <- 250-ENHANCEDSTATUSCODES | ||
+ | <- 250-8BITMIME | ||
+ | <- 250 DSN | ||
+ | -> STARTTLS | ||
+ | <- 220 2.0.0 Ready to start TLS | ||
+ | === TLS started with cipher TLSv1.2: | ||
+ | === TLS no local certificate set | ||
+ | === TLS peer DN="/ | ||
+ | ~> EHLO vml000087.dmz.nausch.org | ||
+ | <~ 250-mx01.nausch.org | ||
+ | <~ 250-PIPELINING | ||
+ | <~ 250-SIZE 52428800 | ||
+ | <~ 250-ETRN | ||
+ | <~ 250-ENHANCEDSTATUSCODES | ||
+ | <~ 250-8BITMIME | ||
+ | <~ 250 DSN | ||
+ | ~> MAIL FROM:< | ||
+ | <~ 250 2.1.0 Ok | ||
+ | ~> RCPT TO:< | ||
+ | <~ 250 2.1.5 Ok | ||
+ | ~> DATA | ||
+ | <~ 354 End data with < | ||
+ | ~> Date: Tue, 02 Dec 2014 10:25:54 +0100 | ||
+ | ~> To: django@nausch.org | ||
+ | ~> From: n3rd@sec-mail.guru | ||
+ | ~> Subject: erste HAM-Testnachricht auf Port 25 | ||
+ | ~> X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | ~> X-Test: test eMail | ||
+ | ~> | ||
+ | ~> This is a test mailing | ||
+ | ~> | ||
+ | ~> . | ||
+ | <~ 250 2.0.0 Ok: queued as C4DE0C00089 | ||
+ | ~> QUIT | ||
+ | <~ 221 2.0.0 Bye | ||
+ | === Connection closed with remote host. | ||
+ | </ | ||
+ | |||
+ | Bevor der SMTP-Server die Nachricht mit der Zeile **250 2.0.0 Ok: queued as C4DE0C00089** bestätigt, merken wir eine kurze Verzögerung, | ||
+ | |||
+ | === SMTP-Server === | ||
+ | Auf unserem Borderfilter finden wir auch die relevanten Einträge zu unserer Test-Nachricht im **Maillog**. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 10:25:54 vml000087 postfix/ | ||
+ | Dec 2 10:25:54 vml000087 postfix/ | ||
+ | Dec 2 10:25:54 vml000087 postfix/ | ||
+ | Dec 2 10:25:54 vml000087 postfix/ | ||
+ | Dec 2 10:25:54 vml000087 postfix/ | ||
+ | Dec 2 10:25:54 vml000087 postfix/ | ||
+ | Dec 2 10:25:54 vml000087 postfix/ | ||
+ | Dec 2 10:25:54 vml000087 postfix/ | ||
+ | Dec 2 10:25:56 vml000087 postfix/ | ||
+ | Dec 2 10:25:56 vml000087 postfix/ | ||
+ | Dec 2 10:25:56 vml000087 postfix/ | ||
+ | Dec 2 10:25:56 vml000087 postfix/ | ||
+ | </ | ||
+ | |||
+ | === ASAV-Host === | ||
+ | Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:54 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | Dec 2 10:25:56 vml000067 amavis[15176]: | ||
+ | |||
+ | === MUA (Empfänger) === | ||
+ | Der Empfänger findet nun im Mail-Postfach unsere Testnachricht. | ||
+ | |||
+ | < | ||
+ | Delivered-To: | ||
+ | Received: from mx01.nausch.org ([10.0.0.87]) | ||
+ | by imap.nausch.org (Dovecot) with LMTP id RLueGlCFfVS2FwAArK2B9Q | ||
+ | for < | ||
+ | DKIM-Signature: | ||
+ | message-id: | ||
+ | 140224; t=1417512354; | ||
+ | lqqvsQYKOpYUP8nk7I=; | ||
+ | lABYNNQlCGNZn6Iz5y+ZXN58u6yZFgRw9EEhM3QjxV0LDZkjoAkzh7FeavWB0Qb6 | ||
+ | y6A5ypdrnESeAio4JwiyokvkFqlOAB/ | ||
+ | scz6B0bLGW497eqrp/ | ||
+ | ncsCht/ | ||
+ | kng6yaEP03EY1ExuKrK0ccI6Yrlj9Qt2fBrxEfZYcrJEBVQiZVLYeer6eooM55wS | ||
+ | aOb3JfgRHrD05gDVFSCYGOlScx5X6oglGXbYqSbq8qPB5W5U041GOODNrm+8l4Qt | ||
+ | evEA9HRwy0Py/ | ||
+ | kgVdQiv7F4LHccahsIujb+kDyvoqm894gpJKQE5Hag/ | ||
+ | sqyKmYQitPXYejddKPLhdNgFixEOKESoZbyN22uxFVoqrPZw2Jv8E1ucyeSV/ | ||
+ | xiog65voE7/ | ||
+ | Ac= | ||
+ | X-Virus-Scanned: | ||
+ | X-Spam-Flag: | ||
+ | X-Spam-Score: | ||
+ | X-Spam-Level: | ||
+ | X-Spam-Status: | ||
+ | tests=[ALL_TRUSTED=-1, | ||
+ | Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87]) | ||
+ | (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) | ||
+ | (No client certificate requested) | ||
+ | by mx01.nausch.org (Postfix) with ESMTPS id C4DE0C00089 | ||
+ | for < | ||
+ | Date: Tue, 02 Dec 2014 10:25:54 +0100 | ||
+ | To: django@nausch.org | ||
+ | From: n3rd@sec-mail.guru | ||
+ | Subject: erste HAM-Testnachricht auf Port 25 | ||
+ | X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | X-Test: test eMail | ||
+ | Message-Id: < | ||
+ | |||
+ | This is a test mailing | ||
+ | </ | ||
+ | |||
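Review bot: the delivered message shows `tests=[ALL_TRUSTED=-1,` because swaks was run on the MTA host itself (`EHLO vml000087.dmz.nausch.org`, `Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87])`), so the whole path lies inside SpamAssassin's trusted networks. The test therefore confirms only that the milter chain passes mail through; it says nothing about realistic scores or about the network tests enabled with `$sa_local_tests_only = 0`, and should be repeated from a client outside the trusted range before the thresholds are relied on.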
+ | ==== HAM auf Port 587 (MUA zu MSA Verkehr) ==== | ||
+ | Als nächstes überprüfen wir, ob eine valide Testmail die einer unserer Mailboxinhaber von seinem **MUA**((**M**ail **U**ser **A**gent)) beim **MSA**((**M**ail **S**ubmission **A**gent)) erfolgreich einliefern kann, die dann im Benutzerkonto unseres Mailkontoinhabers eingestellt wird. | ||
+ | |||
+ | === SMTP-Client (swaks) === | ||
+ | Auch hier verschicken wir nun mit Hilfe von [[http:// | ||
+ | $ # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header " | ||
+ | |||
+ | < | ||
+ | === Connected to 10.0.0.87. | ||
+ | <- 220 mx01.nausch.org ESMTP Postfix | ||
+ | -> EHLO vml000087.dmz.nausch.org | ||
+ | <- 250-mx01.nausch.org | ||
+ | <- 250-PIPELINING | ||
+ | <- 250-SIZE 52428800 | ||
+ | <- 250-ETRN | ||
+ | <- 250-STARTTLS | ||
+ | <- 250-ENHANCEDSTATUSCODES | ||
+ | <- 250-8BITMIME | ||
+ | <- 250 DSN | ||
+ | -> STARTTLS | ||
+ | <- 220 2.0.0 Ready to start TLS | ||
+ | === TLS started with cipher TLSv1.2: | ||
+ | === TLS no local certificate set | ||
+ | === TLS peer DN="/ | ||
+ | ~> EHLO vml000087.dmz.nausch.org | ||
+ | <~ 250-mx01.nausch.org | ||
+ | <~ 250-PIPELINING | ||
+ | <~ 250-SIZE 52428800 | ||
+ | <~ 250-ETRN | ||
+ | <~ 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM | ||
+ | <~ 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM | ||
+ | <~ 250-ENHANCEDSTATUSCODES | ||
+ | <~ 250-8BITMIME | ||
+ | <~ 250 DSN | ||
+ | ~> AUTH NTLM | ||
+ | <~ 334 | ||
+ | ~> TlRUMTVNTUAABAAAABU6IAAAAAAAAAAAAAAAAAAAAAAAA= | ||
+ | <~ 334 TlRMTUVNTUAUACAAAAMAAwADUAAAAAFAUoIAOUeYM1Dy0gHAAAAAAAUAAAADgAOABgAAAAdgBtAGwAMAAwADAAMAA3ADcALgBkAG0AegAuAG4AYQB1AHMAYwBoAC4AbUwByAGcAAwAwAHYAbQBsADAAMAAwADAANwA3AC4AZABtAHoALgBuAGEAdQBzAGMAaAAuAG8AcgBnAAAAAAA= | ||
+ | ~> UTlRMTVNTUAADUAAAAGAAYAEAAAAAYABUgAWAAAADAAMABwAAAAJAAkAKAAAAAkACQAxAAAAAAAAACoAAAABUQKCABKUTbcHiUVToxqvguZXpp6jgnmGYJ9jDa0UoXqDbxiyz+V1xFp8hFH2sd3yaZl/ | ||
+ | <~ 235 2.7.0 Authentication successful | ||
+ | ~> MAIL FROM:< | ||
+ | <~ 250 2.1.0 Ok | ||
+ | ~> RCPT TO:< | ||
+ | <~ 250 2.1.5 Ok | ||
+ | ~> DATA | ||
+ | <~ 354 End data with < | ||
+ | ~> Date: Tue, 02 Dec 2014 11:12:08 +0100 | ||
+ | ~> To: django@nausch.org | ||
+ | ~> From: n3rd@sec-mail.guru | ||
+ | ~> Subject: zweite HAM-Testnachricht auf Port 587 | ||
+ | ~> X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | ~> X-Test: test eMail | ||
+ | ~> | ||
+ | ~> This is a test mailing | ||
+ | ~> | ||
+ | ~> . | ||
+ | <~ 250 2.0.0 Ok: queued as 2E10CC00088 | ||
+ | ~> QUIT | ||
+ | <~ 221 2.0.0 Bye | ||
+ | === Connection closed with remote host. | ||
+ | </ | ||
+ | |||
+ | Hier bemerken wir keine Verzögerung bei der Annahme der Nachricht, da der Absender die Nachricht auf Port **587** einlieferte und die komplette Nachricht erst **__nach__** Annahme der Nachricht mit einem **250**er vom Postfix- und AMaViS-Server gescannt wird. | ||
+ | |||
+ | === SMTP-Server === | ||
+ | Auf unserem Borderfilter finden wir auch die relevanten Einträge zu unserer Test-Nachricht im **Maillog**. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:09 vml000087 postfix/ | ||
+ | Dec 2 11:12:10 vml000087 postfix/ | ||
+ | Dec 2 11:12:10 vml000087 postfix/ | ||
+ | </ | ||
+ | |||
+ | === ASAV-Host === | ||
+ | The scan of the message by our content filter is logged in the maillog on the AMaViS host. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | > -> < | ||
+ | 0024) with ESMTP for < | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | cKa/ | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | /parts\n | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | cket / | ||
+ | Dec 2 11:12:09 vml000067 clamd[1278]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | Dec 2 11:12:09 vml000067 amavis[15389]: | ||
+ | </ | ||
+ | |||
+ | === MUA (recipient) === | ||
+ | The recipient now finds our test message in the mailbox. In contrast to the previous test run with delivery on port **25**, here we see in the mail header the " | ||
+ | |||
+ | < | ||
+ | Delivered-To: | ||
+ | Received: from mx01.nausch.org ([10.0.0.87]) | ||
+ | by imap.nausch.org (Dovecot) with LMTP id 5VK5M3mQfVQ+HQAArK2B9Q | ||
+ | for < | ||
+ | Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67]) | ||
+ | by mx01.nausch.org (Postfix) with ESMTP id BB77CC00089 | ||
+ | for < | ||
+ | Authentication-Results: | ||
+ | dkim=pass (4096-bit key) reason=" | ||
+ | header.d=sec-mail.guru | ||
+ | DKIM-Signature: | ||
+ | message-id: | ||
+ | :received; s=140224; t=1417515129; | ||
+ | FeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=; | ||
+ | G+/ | ||
+ | CnwvExI5giMa8vWs1tGHKRGpGVOFqxkw8IIGHroNNIF79Xky/ | ||
+ | lIZcJivSK5RDzmMhn08v7KhJ8vW6EOIDAgKCD+HNpk60XKZ3OfWq3nerVTt/ | ||
+ | kGdf/ | ||
+ | lzngq0uEYBGGDdtshrQjTECePpAFus3BSFHIJZWZwLl5kKlvyv9FNzilrQBTPia1 | ||
+ | 6QeqAjoGEpqhLVPVWnVD0W9CFIBqpSUhxZ9zyYy7I9qDgGSh2XTo3YqXJWehfvDs | ||
+ | XyVvAW/ | ||
+ | I+pB+ld87SuC/ | ||
+ | pg0Yic5HMkdCPr6ClxYA4f4sOQq1ESeqTbs44oLVohLYMZ9ZBV0qDSLG5b2VGinn | ||
+ | jI9NsZij40fDFsLf10f2LD050NpezV4du0Bd9Jgk930ft95yLzH2h5oMCJFN0hfR | ||
+ | 7+VYBVdVW1J0EAo= | ||
+ | X-Virus-Scanned: | ||
+ | X-Spam-Flag: | ||
+ | X-Spam-Score: | ||
+ | X-Spam-Level: | ||
+ | X-Spam-Status: | ||
+ | tests=[ALL_TRUSTED=-1, | ||
+ | Received: from mx01.nausch.org ([10.0.0.87]) | ||
+ | by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new, | ||
+ | with ESMTP id SUMj5uZrONx7 for < | ||
+ | Tue, 2 Dec 2014 11:12:09 +0100 (CET) | ||
+ | Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87]) | ||
+ | (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) | ||
+ | (No client certificate requested) | ||
+ | by mx01.nausch.org (Postfix) with ESMTPSA id 2E10CC00088 | ||
+ | for < | ||
+ | Date: Tue, 02 Dec 2014 11:12:08 +0100 | ||
+ | To: django@nausch.org | ||
+ | From: n3rd@sec-mail.guru | ||
+ | Subject: zweite HAM-Testnachricht auf Port 587 | ||
+ | X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | X-Test: test eMail | ||
+ | Message-Id: < | ||
+ | |||
+ | This is a test mailing | ||
+ | </ | ||
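The verdict that AMaViS writes into the header (X-Spam-Flag, X-Spam-Score and X-Spam-Status with its list of rule hits) can be checked mechanically rather than by eye. The following Python script is an added example, not code from this page or from the AMaViS project: it parses the X-Spam-Status header of two constructed messages (a ham case modelled on the headers above, and a GTUBE case using the threshold of 6.31 and the rule hits reported further down on this page), checks that the reported score equals the sum of the rule hits, and checks that X-Spam-Flag and the threshold agree. The header values are constructed for the example; only the threshold and rule names come from the page.

```python
import re
from email import message_from_string

# Constructed sample, patterned on the headers AMaViS/SpamAssassin added to the
# ham test above (threshold 6.31, ALL_TRUSTED=-1). Not a real capture.
HAM_MESSAGE = """\
X-Virus-Scanned: amavisd-new at nausch.org
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 required=6.31 tests=[ALL_TRUSTED=-1]
\tautolearn=ham autolearn_force=no
Subject: zweite HAM-Testnachricht auf Port 587

This is a test mailing
"""

# Constructed sample for a GTUBE hit; the rule hits (ALL_TRUSTED,
# DKIM_ADSP_DISCARD, GTUBE) are the ones listed in the notification mail below.
GTUBE_MESSAGE = """\
X-Virus-Scanned: amavisd-new at nausch.org
X-Spam-Flag: YES
X-Spam-Score: 1000.8
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=1000.8 required=6.31 tests=[ALL_TRUSTED=-1,
\tDKIM_ADSP_DISCARD=1.8, GTUBE=1000] autolearn=no autolearn_force=no
Subject: Test spam mail (GTUBE)

(body omitted in this constructed sample)
"""

STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<required>-?\d+(?:\.\d+)?)"
    r"\s+tests=\[(?P<tests>[^\]]*)\]"
)


def parse_spam_status(value):
    """Parse an X-Spam-Status value into flag, score, threshold and rule hits."""
    value = " ".join(value.split())          # unfold continuation lines
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    tests = {}
    for item in m.group("tests").split(","):
        item = item.strip()
        if not item:
            continue
        name, _, pts = item.partition("=")
        tests[name] = float(pts) if pts else 0.0
    return {
        "flag": m.group("flag") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
    }


def check_spam_headers(raw_message):
    """Cross-check X-Spam-Flag, X-Spam-Score and X-Spam-Status of one message.

    Returns the parsed status plus:
      hit_sum             - sum of the individual rule scores
      above_threshold     - score >= required
      score_matches_tests - reported score equals the sum of rule hits
      headers_consistent  - X-Spam-Flag/X-Spam-Score agree with X-Spam-Status
    """
    msg = message_from_string(raw_message)
    status = parse_spam_status(msg["X-Spam-Status"])
    hit_sum = sum(status["tests"].values())
    above = status["score"] >= status["required"]
    flag_header = msg.get("X-Spam-Flag", "NO").strip().upper() == "YES"
    score_header = float(msg.get("X-Spam-Score", "0"))
    status.update({
        "hit_sum": round(hit_sum, 3),
        "above_threshold": above,
        "score_matches_tests": abs(hit_sum - status["score"]) < 0.05,
        "headers_consistent": (flag_header == status["flag"] == above
                               and abs(score_header - status["score"]) < 0.05),
    })
    return status


if __name__ == "__main__":
    for name, raw in (("ham", HAM_MESSAGE), ("gtube", GTUBE_MESSAGE)):
        r = check_spam_headers(raw)
        print(name, "spam" if r["flag"] else "ham", r["score"], "/",
              r["required"], "hits:", sorted(r["tests"]))
```

A tolerance of 0.05 is used when comparing scores because SpamAssassin rounds the per-rule values it prints to one decimal place.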
+ | |||
+ | |||
+ | ==== GTUBE on port 25 (MTA to MTA traffic) ==== | ||
+ | === SMTP-Client (swaks) === | ||
+ | Next we try to deliver a SPAM mail, using the GTUBE test file: | ||
+ | # wget http:// | ||
+ | |||
+ | # less gtube.txt | ||
+ | <file gtube.txt> | ||
+ | Message-ID: < | ||
+ | Date: Wed, 23 Jul 2003 23:30:00 +0200 | ||
+ | From: Sender < | ||
+ | To: Recipient < | ||
+ | Precedence: junk | ||
+ | MIME-Version: | ||
+ | Content-Type: | ||
+ | Content-Transfer-Encoding: | ||
+ | |||
+ | This is the GTUBE, the | ||
+ | Generic | ||
+ | Test for | ||
+ | Unsolicited | ||
+ | Bulk | ||
+ | |||
+ | |||
+ | If your spam filter supports it, the GTUBE provides a test by which you | ||
+ | can verify that the filter is installed correctly and is detecting incoming | ||
+ | spam. You can send yourself a test mail containing the following string of | ||
+ | characters (in upper case and with no white spaces and line breaks): | ||
+ | |||
+ | XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X | ||
+ | |||
+ | You should send this test mail from an account outside of your network. | ||
+ | </ | ||
+ | |||
+ | We now try to send this message: | ||
+ | # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header " | ||
+ | < | ||
+ | === Connected to 10.0.0.87. | ||
+ | <- 220 mx01.nausch.org ESMTP Postfix | ||
+ | -> EHLO vml000087.dmz.nausch.org | ||
+ | <- 250-mx01.nausch.org | ||
+ | <- 250-PIPELINING | ||
+ | <- 250-SIZE 52428800 | ||
+ | <- 250-ETRN | ||
+ | <- 250-STARTTLS | ||
+ | <- 250-ENHANCEDSTATUSCODES | ||
+ | <- 250-8BITMIME | ||
+ | <- 250 DSN | ||
+ | -> STARTTLS | ||
+ | <- 220 2.0.0 Ready to start TLS | ||
+ | === TLS started with cipher TLSv1.2: | ||
+ | === TLS no local certificate set | ||
+ | === TLS peer DN="/ | ||
+ | ~> EHLO vml000087.dmz.nausch.org | ||
+ | <~ 250-mx01.nausch.org | ||
+ | <~ 250-PIPELINING | ||
+ | <~ 250-SIZE 52428800 | ||
+ | <~ 250-ETRN | ||
+ | <~ 250-ENHANCEDSTATUSCODES | ||
+ | <~ 250-8BITMIME | ||
+ | <~ 250 DSN | ||
+ | ~> MAIL FROM:< | ||
+ | <~ 250 2.1.0 Ok | ||
+ | ~> RCPT TO:< | ||
+ | <~ 250 2.1.5 Ok | ||
+ | ~> DATA | ||
+ | <~ 354 End data with < | ||
+ | ~> Date: Tue, 02 Dec 2014 12:10:34 +0100 | ||
+ | ~> To: django@nausch.org | ||
+ | ~> From: n3rd@sec-mail.guru | ||
+ | ~> Subject: dritte GTUBE-Testnachricht auf Port 25 | ||
+ | ~> X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | ~> X-Test: test eMail | ||
+ | | ||
+ | ~> Subject: Test spam mail (GTUBE) | ||
+ | ~> Message-ID: < | ||
+ | ~> Date: Wed, 23 Jul 2003 23:30:00 +0200 | ||
+ | ~> From: Sender < | ||
+ | ~> To: Recipient < | ||
+ | ~> Precedence: junk | ||
+ | ~> MIME-Version: | ||
+ | ~> Content-Type: | ||
+ | ~> Content-Transfer-Encoding: | ||
+ | | ||
+ | ~> This is the GTUBE, the | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ~> | ||
+ | ~> If your spam filter supports it, the GTUBE provides a test by which you | ||
+ | ~> can verify that the filter is installed correctly and is detecting incoming | ||
+ | ~> spam. You can send yourself a test mail containing the following string of | ||
+ | ~> characters (in upper case and with no white spaces and line breaks): | ||
+ | ~> | ||
+ | ~> XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X | ||
+ | ~> | ||
+ | ~> You should send this test mail from an account outside of your network. | ||
+ | ~> | ||
+ | ~> | ||
+ | ~> | ||
+ | ~> . | ||
+ | <~* 554 5.7.0 Reject, id=15388-01 - spam. Contact your postmaster/ | ||
+ | ~> QUIT | ||
+ | <~ 221 2.0.0 Bye | ||
+ | </ | ||
+ | |||
+ | As we can see, the SMTP server refused to accept the message with the error code **554 5.7.0 Reject, id=15388-01 - spam.** Along with this error message, the submitting SMTP client also receives information on how to get in touch with us if necessary. | ||
+ | |||
+ | === SMTP-Server === | ||
+ | On our border filter we also find the relevant entries for the attempt to deliver a SPAM mail in the **maillog**. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 12:10:34 vml000087 postfix/ | ||
+ | Dec 2 12:10:35 vml000087 postfix/ | ||
+ | Dec 2 12:10:35 vml000087 postfix/ | ||
+ | Dec 2 12:10:36 vml000087 postfix/ | ||
+ | Dec 2 12:10:36 vml000087 postfix/ | ||
+ | </ | ||
+ | |||
+ | Here we also find the **id=15388-01** again that the AMaViS host reported. We can now use it to search the maillog on the AMaViS host and find out why the message was rejected. | ||
+ | |||
+ | === ASAV-Host === | ||
+ | The scan of the message by our content filter is logged in the maillog on the AMaViS host. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:35 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | Dec 2 12:10:36 vml000067 amavis[15388]: | ||
+ | </ | ||
+ | ==== GTUBE on port 587 (MUA to MSA traffic) ==== | ||
+ | Next we check whether we can successfully submit the GTUBE test mail as an authenticated user from an **MUA**((**M**ail **U**ser **A**gent)) to the **MSA**((**M**ail **S**ubmission **A**gent)). | ||
+ | |||
+ | === SMTP-Client (swaks) === | ||
+ | We now try to submit the already downloaded GTUBE test mail with the help of [[http:// | ||
+ | # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header " | ||
+ | |||
+ | < | ||
+ | === Connected to 10.0.0.87. | ||
+ | <- 220 mx01.nausch.org ESMTP Postfix | ||
+ | -> EHLO vml000087.dmz.nausch.org | ||
+ | <- 250-mx01.nausch.org | ||
+ | <- 250-PIPELINING | ||
+ | <- 250-SIZE 52428800 | ||
+ | <- 250-ETRN | ||
+ | <- 250-STARTTLS | ||
+ | <- 250-ENHANCEDSTATUSCODES | ||
+ | <- 250-8BITMIME | ||
+ | <- 250 DSN | ||
+ | -> STARTTLS | ||
+ | <- 220 2.0.0 Ready to start TLS | ||
+ | === TLS started with cipher TLSv1.2: | ||
+ | === TLS no local certificate set | ||
+ | === TLS peer DN="/ | ||
+ | ~> EHLO vml000087.dmz.nausch.org | ||
+ | <~ 250-mx01.nausch.org | ||
+ | <~ 250-PIPELINING | ||
+ | <~ 250-SIZE 52428800 | ||
+ | <~ 250-ETRN | ||
+ | <~ 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM | ||
+ | <~ 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM | ||
+ | <~ 250-ENHANCEDSTATUSCODES | ||
+ | <~ 250-8BITMIME | ||
+ | <~ 250 DSN | ||
+ | ~> AUTH NTLM | ||
+ | <~ 334 | ||
+ | ~> TlRUMTVNTUAABAAAABU6IAAAAAAAAAAAAAAAAAAAAAAAA= | ||
+ | <~ 334 UTlRMTVNTUAADUAAAAGAAYAEAAAAAYABUgAWAAAADAAMABwAAAAJAAkAKAAAAAkACQAxAAAAAAAAACoAAAABUQKCABKUTbcHiUVToxqvguZXpp6jgnmGYJ9jDa0UoXqDbxiyz+V1xFp8hFH2sd3yaZl/ | ||
+ | <~ 235 2.7.0 Authentication successful | ||
+ | ~> MAIL FROM:< | ||
+ | <~ 250 2.1.0 Ok | ||
+ | ~> RCPT TO:< | ||
+ | <~ 250 2.1.5 Ok | ||
+ | ~> DATA | ||
+ | <~ 354 End data with < | ||
+ | ~> Date: Tue, 02 Dec 2014 15:27:15 +0100 | ||
+ | ~> To: django@nausch.org | ||
+ | ~> From: n3rd@sec-mail.guru | ||
+ | ~> Subject: vierte Testnachricht SPAM auf Port 587 | ||
+ | ~> X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | ~> X-Test: test eMail | ||
+ | | ||
+ | ~> Subject: Test spam mail (GTUBE) | ||
+ | ~> Message-ID: < | ||
+ | ~> Date: Wed, 23 Jul 2003 23:30:00 +0200 | ||
+ | ~> From: Sender < | ||
+ | ~> To: Recipient < | ||
+ | ~> Precedence: junk | ||
+ | ~> MIME-Version: | ||
+ | ~> Content-Type: | ||
+ | ~> Content-Transfer-Encoding: | ||
+ | | ||
+ | ~> This is the GTUBE, the | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ~> If your spam filter supports it, the GTUBE provides a test by which you | ||
+ | ~> can verify that the filter is installed correctly and is detecting incoming | ||
+ | ~> spam. You can send yourself a test mail containing the following string of | ||
+ | ~> characters (in upper case and with no white spaces and line breaks): | ||
+ | | ||
+ | ~> XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X | ||
+ | | ||
+ | ~> You should send this test mail from an account outside of your network. | ||
+ | | ||
+ | | ||
+ | | ||
+ | ~> . | ||
+ | <~ 250 2.0.0 Ok: queued as E5401C00088 | ||
+ | ~> QUIT | ||
+ | <~ 221 2.0.0 Bye | ||
+ | === Connection closed with remote host. | ||
+ | </ | ||
+ | |||
+ | The message is accepted from the authenticated user and confirmed with a **250** reply. Does that mean our configuration is faulty, or that the content scanner is not working properly? | ||
+ | |||
+ | We now look at the exact sequence of events in detail. | ||
+ | |||
+ | === SMTP-Server (part 1 of 3) === | ||
+ | In the **maillog** of our border filter we now see several related log entries for the test we just performed. | ||
+ | # less / | ||
+ | |||
+ | First we see the TLS connection setup, | ||
+ | < | ||
+ | Dec 2 15:27:15 vml000087 postfix/ | ||
+ | Dec 2 15:27:15 vml000087 postfix/ | ||
+ | Dec 2 15:27:15 vml000087 postfix/ | ||
+ | Dec 2 15:27:15 vml000087 postfix/ | ||
+ | Dec 2 15:27:15 vml000087 postfix/ | ||
+ | </ | ||
+ | |||
+ | === ASAV-Host === | ||
+ | The scan of the message by our content filter is logged in the maillog on the AMaViS host. | ||
+ | |||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | org> Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new, | ||
+ | ; Tue, 2 Dec 2014 15:27:16 +0100 (CET) | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | amavisd/ | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | |||
+ | The spam score of **1000.8** is "somewhat above" our configured threshold of **6.31**, so the message is not delivered! | ||
+ | |||
+ | <WRAP center round important> | ||
+ | According to our configuration, the recipient **virusalert@nausch.org** receives a message from **postmaster@nausch.org** with the details of the SPAM mail. The postmaster can then react, contact the authenticated mailbox user and point out that their machine may have been taken over by a zombie that is merrily trying to send SPAM. Another cause could be a **[[http:// | ||
+ | |||
+ | This way the postmaster can take action and avert further damage to the mail server before their own server ends up on a **blacklist**, after which no messages at all could be sent any more. | ||
+ | </ | ||
+ | |||
+ | In the maillog of the AMaViS server we now see that the daemon sends the corresponding notification to the defined handler. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | Dec 2 15:27:16 vml000067 amavis[15668]: | ||
+ | |||
+ | === SMTP-Server (part 2 of 3) === | ||
+ | In the **maillog** of our border filter we now see, as the next step, the arrival of this notification e-mail for the defined recipient. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 15:27:16 vml000087 postfix/ | ||
+ | Dec 2 15:27:16 vml000087 postfix/ | ||
+ | Dec 2 15:27:16 vml000087 postfix/ | ||
+ | Dec 2 15:27:16 vml000087 postfix/ | ||
+ | Dec 2 15:27:16 vml000087 postfix/ | ||
+ | Dec 2 15:27:16 vml000087 postfix/ | ||
+ | Dec 2 15:27:16 vml000087 postfix/ | ||
+ | Dec 2 15:27:16 vml000087 postfix/ | ||
+ | Dec 2 15:27:17 vml000087 postfix/ | ||
+ | Dec 2 15:27:17 vml000087 postfix/ | ||
+ | </ | ||
+ | |||
+ | === SMTP-Server (part 3 of 3) === | ||
+ | |||
+ | <WRAP center round tip> | ||
+ | Last of all we see the **bounce** message to the original sender, whom we know beyond doubt, since they authenticated when submitting the message. Thus the risk of **[[http:// | ||
+ | </ | ||
+ | |||
+ | # less / | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | === MUA (recipient of the notification mail) === | ||
+ | As already touched on, the admin responsible for the server receives, at the address **virusalert@nausch.org**, a message with the details of the attempt to send a SPAM mail. | ||
+ | |||
+ | < | ||
+ | Delivered-To: | ||
+ | Received: from mx01.nausch.org ([10.0.0.87]) | ||
+ | by imap.nausch.org (Dovecot) with LMTP id 0WGxKC3MfVQbPAAArK2B9Q | ||
+ | for < | ||
+ | Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67]) | ||
+ | by mx01.nausch.org (Postfix) with ESMTP id 9A6FBC00089 | ||
+ | for < | ||
+ | DKIM-Signature: | ||
+ | message-id: | ||
+ | : | ||
+ | t=1417530436; | ||
+ | fu9jN2ZwFt0=; | ||
+ | Xxbc0Unj1QQ08ZSGRNHFp5aJu4rN71BI8ad8OhRTSHdbhWR821V2Z2yRti7TUDwq | ||
+ | QZigx230dACkYKrzQhTKJawAmXKbg1V2EUbTTqUpwBDsaYnTML9i+fAr4mcVrN2n | ||
+ | JBAmg1K3OL0uokXp/ | ||
+ | kxonaX5Bhio01JhAEuG+fy2f12N3QMNQ2l+8zWQskPXUaL/ | ||
+ | m6f1+Z8kBuZeosXe/ | ||
+ | adNxaPKefjC75FtY0AEYWpDlU8WIbk/ | ||
+ | xmy4M2uNK2l6aWbfQV0cjnrg0FQ2AfisP74d45dEaDNV+dsBhMiYgcZ1wHhW4Aro | ||
+ | ug1OiU1+hbie1t59J0Y15BHO/ | ||
+ | / | ||
+ | LQL4HSB5TbVxVDhOfgaStlWWRZmt4IwWR3aOsfGA2TSEOle4cTJXWHxokec= | ||
+ | Content-Type: | ||
+ | Content-Transfer-Encoding: | ||
+ | MIME-Version: | ||
+ | From: " | ||
+ | Date: Tue, 2 Dec 2014 15:27:16 +0100 (CET) | ||
+ | Subject: Spam FROM LOCAL [10.0.0.87] < | ||
+ | To: < | ||
+ | Message-ID: < | ||
+ | |||
+ | This is a multi-part message in MIME format... | ||
+ | |||
+ | ------------=_1417530436-15668-0 | ||
+ | Content-Type: | ||
+ | Content-Disposition: | ||
+ | Content-Transfer-Encoding: | ||
+ | |||
+ | Content type: Spam | ||
+ | Internal reference code for the message is 15668-01/ | ||
+ | |||
+ | First upstream SMTP client IP address: [10.0.0.87] | ||
+ | Received from: 10.0.0.87 | ||
+ | |||
+ | Return-Path: | ||
+ | From: n3rd@sec-mail.guru | ||
+ | Message-ID: < | ||
+ | X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | Subject: vierte Testnachricht SPAM auf Port 587 | ||
+ | Not quarantined. | ||
+ | |||
+ | The message WAS NOT relayed to: | ||
+ | < | ||
+ | 554 5.7.0 Reject, id=15668-01 - spam | ||
+ | |||
+ | Spam scanner report: | ||
+ | Spam detection software, running on the system " | ||
+ | identified this incoming email as possible spam. The original message | ||
+ | has been attached to this so you can view it (if it isn't spam) or label | ||
+ | similar future email. | ||
+ | the administrator of that system for details. | ||
+ | |||
+ | Content preview: | ||
+ | Date: Wed, 23 Jul 2003 23:30:00 +0200 From: Sender < | ||
+ | | ||
+ | | ||
+ | |||
+ | Content analysis details: | ||
+ | |||
+ | pts rule name description | ||
+ | ---- ---------------------- -------------------------------------------------- | ||
+ | -1.0 ALL_TRUSTED | ||
+ | 1.8 DKIM_ADSP_DISCARD | ||
+ | and suggests discarding the rest | ||
+ | 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email | ||
+ | |||
+ | ------------=_1417530436-15668-0 | ||
+ | Content-Type: | ||
+ | Content-Disposition: | ||
+ | Content-Transfer-Encoding: | ||
+ | Content-Description: | ||
+ | |||
+ | Return-Path: | ||
+ | Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87]) | ||
+ | (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) | ||
+ | (No client certificate requested) | ||
+ | by mx01.nausch.org (Postfix) with ESMTPSA id E5401C00088 | ||
+ | for < | ||
+ | Date: Tue, 02 Dec 2014 15:27:15 +0100 | ||
+ | To: django@nausch.org | ||
+ | From: n3rd@sec-mail.guru | ||
+ | Subject: vierte Testnachricht SPAM auf Port 587 | ||
+ | X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | X-Test: test eMail | ||
+ | Message-Id: < | ||
+ | |||
+ | ------------=_1417530436-15668-0-- | ||
+ | </ | ||
+ | |||
+ | === MUA (recipient of the bounce mail) === | ||
+ | The original authenticated sender receives the bounce message, | ||
+ | |||
+ | < | ||
+ | Delivered-To: | ||
+ | Received: from mx01.nausch.org ([10.0.0.87]) | ||
+ | by imap.nausch.org (Dovecot) with LMTP id hwVTMkTMfVQfPAAArK2B9Q | ||
+ | for < | ||
+ | Received: by mx01.nausch.org (Postfix) | ||
+ | id B736EC0008A; | ||
+ | Date: Tue, 2 Dec 2014 15:27:16 +0100 (CET) | ||
+ | From: MAILER-DAEMON@nausch.org (Mail Delivery System) | ||
+ | Subject: Rueckgabe nicht zustellbarer Nachricht an Absender | ||
+ | To: n3rd@sec-mail.guru | ||
+ | Auto-Submitted: | ||
+ | MIME-Version: | ||
+ | Content-Type: | ||
+ | boundary=" | ||
+ | Message-Id: < | ||
+ | |||
+ | This is a MIME-encapsulated message. | ||
+ | |||
+ | --E5401C00088.1417530436/ | ||
+ | Content-Description: | ||
+ | Content-Type: | ||
+ | |||
+ | Dies ist eine automatisch generierte Nachricht des Postfix E-Mail-Dienstes. | ||
+ | Dieser Dienst wird auf dem Server mx01.nausch.org betrieben und teilt Ihnen | ||
+ | folgendes mit: | ||
+ | |||
+ | |||
+ | Ihre Nachricht konnte an einen oder mehrere Empfaenger nicht zugestellt | ||
+ | werden. Ein Problem-Bericht, | ||
+ | das Ende dieser Nachricht angehaengt. | ||
+ | |||
+ | |||
+ | Fuer weitere Hilfe kontaktieren Sie bitte den fuer Sie zustaendigen | ||
+ | < | ||
+ | |||
+ | Senden Sie dazu den an diese E-Mail angefuegten Problem-Bericht mit. | ||
+ | Den Inhalt Ihrer urspruenglichen Nachricht koennen Sie - zum Schutz Ihrer | ||
+ | Privatsphaere - entfernen; er ist fuer eine Fehler-Diagnose nicht zwingend | ||
+ | notwendig. | ||
+ | |||
+ | Der Postfix E-Mail-Dienst | ||
+ | |||
+ | INTERNATIONAL VERSION | ||
+ | |||
+ | This is the Postfix program at host mx01.nausch.org. | ||
+ | |||
+ | I'm sorry to have to inform you that your message could not | ||
+ | be delivered to one or more recipients. It's attached below. | ||
+ | |||
+ | For further assistance, please send mail to < | ||
+ | |||
+ | If you do so, please include this problem report. You can | ||
+ | delete your own text from the attached returned message. | ||
+ | |||
+ | |||
+ | < | ||
+ | id=15668-01 - spam (in reply to end of DATA command) | ||
+ | |||
+ | --E5401C00088.1417530436/ | ||
+ | Content-Description: | ||
+ | Content-Type: | ||
+ | |||
+ | Reporting-MTA: | ||
+ | X-Postfix-Queue-ID: | ||
+ | X-Postfix-Sender: | ||
+ | Arrival-Date: | ||
+ | |||
+ | Final-Recipient: | ||
+ | Original-Recipient: | ||
+ | Action: failed | ||
+ | Status: 5.7.0 | ||
+ | Remote-MTA: dns; 10.0.0.67 | ||
+ | Diagnostic-Code: | ||
+ | |||
+ | --E5401C00088.1417530436/ | ||
+ | Content-Description: | ||
+ | Content-Type: | ||
+ | |||
+ | Return-Path: | ||
+ | Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87]) | ||
+ | (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) | ||
+ | (No client certificate requested) | ||
+ | by mx01.nausch.org (Postfix) with ESMTPSA id E5401C00088 | ||
+ | for < | ||
+ | Date: Tue, 02 Dec 2014 15:27:15 +0100 | ||
+ | To: django@nausch.org | ||
+ | From: n3rd@sec-mail.guru | ||
+ | Subject: vierte Testnachricht SPAM auf Port 587 | ||
+ | X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | X-Test: test eMail | ||
+ | Message-Id: < | ||
+ | |||
+ | Subject: Test spam mail (GTUBE) | ||
+ | Message-ID: < | ||
+ | Date: Wed, 23 Jul 2003 23:30:00 +0200 | ||
+ | From: Sender < | ||
+ | To: Recipient < | ||
+ | Precedence: junk | ||
+ | MIME-Version: | ||
+ | Content-Type: | ||
+ | Content-Transfer-Encoding: | ||
+ | |||
+ | This is the GTUBE, the | ||
+ | Generic | ||
+ | Test for | ||
+ | Unsolicited | ||
+ | Bulk | ||
+ | |||
+ | |||
+ | If your spam filter supports it, the GTUBE provides a test by which you | ||
+ | can verify that the filter is installed correctly and is detecting incoming | ||
+ | spam. You can send yourself a test mail containing the following string of | ||
+ | characters (in upper case and with no white spaces and line breaks): | ||
+ | |||
+ | XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X | ||
+ | |||
+ | You should send this test mail from an account outside of your network. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | --E5401C00088.1417530436/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== EICAR test mail on port 25 (MTA to MTA traffic) ==== | ||
+ | |||
+ | === SMTP-Client (swaks) === | ||
+ | In the penultimate test of our **AS/ | ||
+ | |||
+ | For this we first download a test pattern [[http:// | ||
+ | # curl -O http:// | ||
+ | |||
+ | We now try to send an e-mail together with this test file, first on port **25**: | ||
+ | # swaks -t django@nausch.org --attach - --server 10.0.0.87 --suppress-data < | ||
+ | |||
+ | < | ||
+ | === Connected to 10.0.0.87. | ||
+ | <- 220 mx01.nausch.org ESMTP Postfix | ||
+ | -> EHLO vml000087.dmz.nausch.org | ||
+ | <- 250-mx01.nausch.org | ||
+ | <- 250-PIPELINING | ||
+ | <- 250-SIZE 52428800 | ||
+ | <- 250-ETRN | ||
+ | <- 250-STARTTLS | ||
+ | <- 250-ENHANCEDSTATUSCODES | ||
+ | <- 250-8BITMIME | ||
+ | <- 250 DSN | ||
+ | -> STARTTLS | ||
+ | <- 220 2.0.0 Ready to start TLS | ||
+ | === TLS started with cipher TLSv1.2: | ||
+ | === TLS no local certificate set | ||
+ | === TLS peer DN="/ | ||
+ | ~> EHLO vml000087.dmz.nausch.org | ||
+ | <~ 250-mx01.nausch.org | ||
+ | <~ 250-PIPELINING | ||
+ | <~ 250-SIZE 52428800 | ||
+ | <~ 250-ETRN | ||
+ | <~ 250-ENHANCEDSTATUSCODES | ||
+ | <~ 250-8BITMIME | ||
+ | <~ 250 DSN | ||
+ | ~> MAIL FROM:< | ||
+ | <~ 250 2.1.0 Ok | ||
+ | ~> RCPT TO:< | ||
+ | <~ 250 2.1.5 Ok | ||
+ | ~> DATA | ||
+ | <~ 354 End data with < | ||
+ | ~> 29 lines sent | ||
+ | <~* 554 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature. Contact your postmaster/ | ||
+ | ~> QUIT | ||
+ | <~ 221 2.0.0 Bye | ||
+ | === Connection closed with remote host.</ | ||
+ | |||
+ | As we can see, the SMTP server refused to accept the message with the error code **554 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature.** Along with this error message, the submitting SMTP client also receives information on how to get in touch with us if necessary. | ||
+ | |||
+ | === SMTP-Server (part 1 of 2) === | ||
+ | In the **maillog** of our border filter we now see several related log entries for the attempt we just made to deliver a mail containing a virus. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 17:26:49 vml000087 postfix/ | ||
+ | 56/256 bits) | ||
+ | Dec 2 17:26:50 vml000087 postfix/ | ||
+ | Dec 2 17:26:50 vml000087 postfix/ | ||
+ | Dec 2 17:26:50 vml000087 postfix/ | ||
+ | Dec 2 17:26:50 vml000087 postfix/ | ||
+ | Dec 2 17:26:50 vml000087 postfix/ | ||
+ | Dec 2 17:26:50 vml000087 postfix/ | ||
+ | Dec 2 17:26:50 vml000087 postfix/ | ||
+ | Dec 2 17:26:50 vml000087 postfix/ | ||
+ | </ | ||
+ | First we see the TLS connection setup and the unsuccessful submission attempt of the MTA((**M**ail **T**ransport **A**gent)) client. Here we also find the **id=15809-01** that the AMaViS host reported to us. We can now use this id to search the maillog on the AMaViS host to find out why the message was rejected. | ||
+ | |||
+ | === ASAV-Host === | ||
+ | The check of the message by our content filter is documented in the maillog on the AMaViS host. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 clamd[1278]: | ||
+ | Dec 2 17:26:50 vml000067 clamd[1278]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | </ | ||
+ | |||
+ | So the **Eicar-Test-Signature** was found in the message! In the **maillog** of the AMaViS server we now see below, | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | Dec 2 17:26:50 vml000067 amavis[15809]: | ||
+ | </ | ||
+ | |||
+ | === SMTP Server (Part 2 of 2) === | ||
+ | In the **maillog** of our border filter we next see the arrival of this notification email for the defined recipient. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 17:26:50 vml000087 postfix/ | ||
+ | </ | ||
+ | |||
+ | === MUA (recipient of the notification mail) === | ||
+ | As already touched upon, the responsible admin of the server, with the address **virusalert@nausch.org**, receives a message with the details of the attempt to send a SPAM mail. | ||
+ | |||
+ | < | ||
+ | Delivered-To: | ||
+ | Received: from mx01.nausch.org ([10.0.0.87]) | ||
+ | by imap.nausch.org (Dovecot) with LMTP id HpapJErofVSPSgAArK2B9Q | ||
+ | for < | ||
+ | Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67]) | ||
+ | by mx01.nausch.org (Postfix) with ESMTP id 8250AC00089 | ||
+ | for < | ||
+ | DKIM-Signature: | ||
+ | content-transfer-encoding: | ||
+ | : | ||
+ | : | ||
+ | MIME-Version: | ||
+ | From: Postmaster < | ||
+ | Date: Tue, 2 Dec 2014 17:26:50 +0100 (CET) | ||
+ | Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from < | ||
+ | To: django@nausch.org | ||
+ | Message-ID: < | ||
+ | Content-Type: | ||
+ | Content-Disposition: | ||
+ | Content-Transfer-Encoding: | ||
+ | |||
+ | VIRUS ALERT | ||
+ | |||
+ | Our content checker found | ||
+ | virus: Eicar-Test-Signature | ||
+ | |||
+ | in an email to you from probably faked sender: | ||
+ | | ||
+ | claiming to be: < | ||
+ | |||
+ | Content type: Virus | ||
+ | Our internal reference code for your message is 15809-01/ | ||
+ | |||
+ | First upstream SMTP client IP address: [10.0.0.87] vml000087.dmz.nausch.org | ||
+ | Received from: 10.0.0.87 | ||
+ | |||
+ | Return-Path: | ||
+ | From: n3rd@sec-mail.guru | ||
+ | Message-ID: < | ||
+ | X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | Subject: 5. Test-Testnachricht mit EICAR-Testdatei im Anhang auf Port 25 | ||
+ | Not quarantined. | ||
+ | |||
+ | Please contact your system administrator for details. | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Eicar test mail on port 587 (MUA to MSA traffic) ==== | ||
+ | To conclude our test series we check whether we can successfully submit the EICAR test signature as an authenticated user from a **MUA**((**M**ail **U**ser **A**gent)) to the **MSA**((**M**ail **S**ubmission **A**gent)). | ||
+ | |||
+ | === SMTP Client (swaks) === | ||
+ | We now try to submit the already downloaded EICAR test mail with the help of [[http:// | ||
+ | # swaks -t django@nausch.org --attach - --server 10.0.0.87 --suppress-data < | ||
+ | |||
+ | < | ||
+ | === Connected to 10.0.0.87. | ||
+ | <- 220 mx01.nausch.org ESMTP Postfix | ||
+ | -> EHLO vml000087.dmz.nausch.org | ||
+ | <- 250-mx01.nausch.org | ||
+ | <- 250-PIPELINING | ||
+ | <- 250-SIZE 52428800 | ||
+ | <- 250-ETRN | ||
+ | <- 250-STARTTLS | ||
+ | <- 250-ENHANCEDSTATUSCODES | ||
+ | <- 250-8BITMIME | ||
+ | <- 250 DSN | ||
+ | -> STARTTLS | ||
+ | <- 220 2.0.0 Ready to start TLS | ||
+ | === TLS started with cipher TLSv1.2: | ||
+ | === TLS no local certificate set | ||
+ | === TLS peer DN="/ | ||
+ | ~> EHLO vml000087.dmz.nausch.org | ||
+ | <~ 250-mx01.nausch.org | ||
+ | <~ 250-PIPELINING | ||
+ | <~ 250-SIZE 52428800 | ||
+ | <~ 250-ETRN | ||
+ | <~ 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM | ||
+ | <~ 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM | ||
+ | <~ 250-ENHANCEDSTATUSCODES | ||
+ | <~ 250-8BITMIME | ||
+ | <~ 250 DSN | ||
+ | ~> AUTH NTLM | ||
+ | <~ 334 | ||
+ | ~> TlRUMTVNTUAABAAAABU6IAAAAAAAAAAAAAAAAAAAAAAAA= | ||
+ | <~ 334 UTlRMTVNTUAADUAAAAGAAYAEAAAAAYABUgAWAAAADAAMABwAAAAJAAkAKAAAAAkACQAxAAAAAAAAACoAAAABUQKCABKUTbcHiUVToxqvguZXpp6jgnmGYJ9jDa0UoXqDbxiyz+V1xFp8hFH2sd3yaZl/ | ||
+ | <~ 235 2.7.0 Authentication successful | ||
+ | ~> MAIL FROM:< | ||
+ | <~ 250 2.1.0 Ok | ||
+ | ~> RCPT TO:< | ||
+ | <~ 250 2.1.5 Ok | ||
+ | ~> DATA | ||
+ | <~ 354 End data with < | ||
+ | ~> 55 lines sent | ||
+ | <~ 250 2.0.0 Ok: queued as 82EB5C00088 | ||
+ | ~> QUIT | ||
+ | <~ 221 2.0.0 Bye | ||
+ | === Connection closed with remote host. | ||
+ | </ | ||
+ | |||
+ | As with the previous GTUBE test, the message is accepted from the authenticated user and acknowledged with a **250** reply. Here too the behaviour is legitimate and explainable, since during configuration we explicitly specified that we want to accept messages from authenticated users immediately and only scan them in a second step. That is exactly what our AMaViS server did. | ||
+ | |||
+ | We now look at the exact sequence of events in detail. | ||
+ | |||
+ | === SMTP Server (Part 1 of 2) === | ||
+ | In the **maillog** of our border filter we now see several related log entries for the attempt we just made. | ||
+ | # less / | ||
+ | |||
+ | First we see the TLS connection setup, | ||
+ | < | ||
+ | Dec 2 18:14:17 vml000087 postfix/ | ||
+ | Dec 2 18:14:17 vml000087 postfix/ | ||
+ | Dec 2 18:14:17 vml000087 postfix/ | ||
+ | Dec 2 18:14:17 vml000087 postfix/ | ||
+ | Dec 2 18:14:17 vml000087 postfix/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | === ASAV-Host === | ||
+ | The check of the message by our content filter is documented in the maillog on the AMaViS host. | ||
+ | |||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | org> Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new, | ||
+ | ; Tue, 2 Dec 2014 18:14:17 +0100 (CET) | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | amavisd/ | ||
+ | Dec 2 18:14:17 vml000067 clamd[1278]: | ||
+ | Dec 2 18:14:17 vml000067 clamd[1278]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | ar-Test-Signature | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | </ | ||
+ | |||
+ | So the virus scanner detected the Eicar test signature in the message, and the message is therefore not delivered! | ||
+ | |||
+ | <WRAP center round important> | ||
+ | According to our configuration, the recipient **virusalert@nausch.org** receives a message from **postmaster@nausch.org** with the details of the virus mail. The postmaster can thus react, contact the authenticated mailbox user and, if necessary, point out to them that they had tried to send a virus. | ||
+ | </ | ||
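To make the cross-host lookup used in both test runs repeatable (the amavis id from the 554 reply on port 25, or the Postfix queue id for the authenticated port-587 submission that was accepted first and blocked afterwards), here is an added Python example that is not part of the original wiki page. It runs over constructed sample log lines modelled on the Postfix smtpd and amavisd-new formats, reusing only the ids and hostnames the page shows; the regexes, the pids, ports, sizes and the SASL user name are assumptions.

```python
import re

# Constructed sample lines (not from the original page), modelled on the Postfix
# smtpd and amavisd-new log formats. Ids 15809-01 / 15810-01, queue id
# 82EB5C00088 and the hostnames are the page's; pids, ports, sizes are made up.
MTA_LOG = """\
Dec  2 17:26:50 vml000087 postfix/smtpd[22719]: NOQUEUE: milter-reject: END-OF-MESSAGE from vml000087.dmz.nausch.org[10.0.0.87]: 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature; from=<n3rd@sec-mail.guru> to=<django@nausch.org> proto=ESMTP helo=<vml000087.dmz.nausch.org>
Dec  2 18:14:17 vml000087 postfix/smtpd[22801]: 82EB5C00088: client=vml000087.dmz.nausch.org[10.0.0.87], sasl_method=NTLM, sasl_username=django
Dec  2 18:14:17 vml000087 postfix/qmgr[1301]: 82EB5C00088: from=<n3rd@sec-mail.guru>, size=1530, nrcpt=1 (queue active)
"""
AMAVIS_LOG = """\
Dec  2 17:26:50 vml000067 amavis[15809]: (15809-01) Blocked INFECTED (Eicar-Test-Signature) {RejectedInbound}, [10.0.0.87]:54410 <n3rd@sec-mail.guru> -> <django@nausch.org>, Message-ID: <m1@sec-mail.guru>, Hits: -, size: 1230, 452 ms
Dec  2 18:14:17 vml000067 amavis[15810]: (15810-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedOutbound}, [10.0.0.87]:54522 <n3rd@sec-mail.guru> -> <django@nausch.org>, Queue-ID: 82EB5C00088, Message-ID: <m2@sec-mail.guru>, Hits: -, size: 1530, 398 ms
"""

# "5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature;" as relayed to the client
REJECT_RE = re.compile(r"(\d\.\d\.\d) Reject, id=(\d+-\d+) - (\w+): ([^;]+);")
# authenticated submission that did get a queue id (the port-587 case)
AUTH_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): .*sasl_username=(\S+)")
# amavis verdict: (id) Passed|Blocked CATEGORY (name) {ccat}, [ip]:port <from> -> <to>,
VERDICT_RE = re.compile(
    r"amavis\[\d+\]: \((\d+-\d+)\) (Passed|Blocked) (\S+)(?: \(([^)]+)\))? "
    r"\{([^}]+)\}, \[([\d.]+)\]:\d+ <([^>]*)> -> <([^>]*)>,")
QUEUE_ID_RE = re.compile(r"Queue-ID: (\w+)")

def parse_mta(log):
    """Return (rejects keyed by amavis id, sasl user keyed by queue id)."""
    rejects, authed = {}, {}
    for line in log.splitlines():
        if m := REJECT_RE.search(line):
            rejects[m.group(2)] = {"dsn": m.group(1), "category": m.group(3),
                                   "detail": m.group(4).strip()}
        elif m := AUTH_RE.search(line):
            authed[m.group(1)] = m.group(2)
    return rejects, authed

def parse_amavis(log):
    """Return verdicts keyed by amavis id; queue_id is None for pre-queue rejects."""
    verdicts = {}
    for line in log.splitlines():
        if m := VERDICT_RE.search(line):
            aid, action, category, name, ccat, client, sender, rcpt = m.groups()
            q = QUEUE_ID_RE.search(line)
            verdicts[aid] = {"action": action, "category": category, "virus": name,
                             "ccat": ccat, "client": client, "from": sender,
                             "to": rcpt, "queue_id": q.group(1) if q else None}
    return verdicts

def correlate(mta_log, amavis_log):
    """Join both logs: the stage that stopped each message, and who submitted it."""
    rejects, authed = parse_mta(mta_log)
    result = {}
    for aid, v in parse_amavis(amavis_log).items():
        if aid in rejects:              # milter answered 554 before queueing
            stage, user = "smtp_reject", None
        elif v["queue_id"] in authed:   # accepted after AUTH, blocked post-queue
            stage, user = "post_queue_block", authed[v["queue_id"]]
        else:
            stage, user = "unmatched", None
        result[aid] = {**v, "stage": stage, "sasl_user": user, "mta_reply": rejects.get(aid)}
    return result
```

On a real system, feed the two maillog files to `correlate()` and key the result on the id quoted in the 554 reply or in the virus alert's "internal reference code".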
+ | |||
+ | In the maillog of the AMaViS server we now see that the daemon will send the corresponding message to the defined handler. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | ha256, c=> | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:17 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | Dec 2 18:14:18 vml000067 amavis[15810]: | ||
+ | </ | ||
+ | |||
+ | === SMTP Server (Part 2 of 2) === | ||
+ | In the **maillog** of our border filter we next see the arrival of this notification email for the defined recipient. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Dec 2 18:14:17 vml000087 postfix/ | ||
+ | Dec 2 18:14:17 vml000087 postfix/ | ||
+ | Dec 2 18:14:17 vml000087 postfix/ | ||
+ | Dec 2 18:14:18 vml000087 postfix/ | ||
+ | Dec 2 18:14:18 vml000087 postfix/ | ||
+ | Dec 2 18:14:18 vml000087 postfix/ | ||
+ | Dec 2 18:14:18 vml000087 postfix/ | ||
+ | Dec 2 18:14:18 vml000087 postfix/ | ||
+ | Dec 2 18:14:18 vml000087 postfix/ | ||
+ | Dec 2 18:14:18 vml000087 postfix/ | ||
+ | Dec 2 18:14:18 vml000087 postfix/ | ||
+ | Dec 2 18:14:18 vml000087 postfix/ | ||
+ | </ | ||
+ | |||
+ | === MUA (recipient of the notification mail) === | ||
+ | As already touched upon, the responsible admin of the server, with the address **virusalert@nausch.org**, receives a message with the details of the attempt to send a SPAM mail. | ||
+ | |||
+ | < | ||
+ | Delivered-To: | ||
+ | Received: from mx01.nausch.org ([10.0.0.87]) | ||
+ | by imap.nausch.org (Dovecot) with LMTP id / | ||
+ | for < | ||
+ | Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67]) | ||
+ | by mx01.nausch.org (Postfix) with ESMTP id 11605C00089 | ||
+ | for < | ||
+ | DKIM-Signature: | ||
+ | content-transfer-encoding: | ||
+ | : | ||
+ | : | ||
+ | MIME-Version: | ||
+ | From: Postmaster < | ||
+ | Date: Tue, 2 Dec 2014 18:14:17 +0100 (CET) | ||
+ | Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from < | ||
+ | To: django@nausch.org | ||
+ | Message-ID: < | ||
+ | Content-Type: | ||
+ | Content-Disposition: | ||
+ | Content-Transfer-Encoding: | ||
+ | |||
+ | VIRUS ALERT | ||
+ | |||
+ | Our content checker found | ||
+ | virus: Eicar-Test-Signature | ||
+ | |||
+ | in an email to you from probably faked sender: | ||
+ | | ||
+ | claiming to be: < | ||
+ | |||
+ | Content type: Virus | ||
+ | Our internal reference code for your message is 15810-01/ | ||
+ | |||
+ | First upstream SMTP client IP address: [10.0.0.87] | ||
+ | Received from: 10.0.0.87 | ||
+ | |||
+ | Return-Path: | ||
+ | From: n3rd@sec-mail.guru | ||
+ | Message-ID: < | ||
+ | X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | Subject: 6. und letzter Test-Testnachricht mit EICAR-Testdatei im Anhang auf | ||
+ | Port 25 | ||
+ | Not quarantined. | ||
+ | |||
+ | Please contact your system administrator for details. | ||
+ | </ | ||
+ | |||
+ | ====== Links ====== | ||
+ | * **⇐ [[centos: | ||
+ | * **⇒ [[centos: | ||
+ | * **[[centos: | ||
+ | * **[[wiki: | ||
+ | * **[[http:// | ||
+ | |||