Virenschutz mit AMaViS

Für die eMailkommunikation in unserem SOHO1)-LAN bedienen wir uns des SMTP-Server Postfix. Zur weiteren Absichereung (Viren- und Spam-Schutz) nutzen wir weitere Programme und Dämonen, wie amavisd-new, clamav und spamassassin. Die Installation und Konfiguration, der einzelnen Getriebezahnräder beschreibt diese und nachfolgende Seite.

Die Installation erfolgt, wie soll es auch anders sein, wie gewohnt via yum:

yum install amavisd-new

Info

Was uns amavisd-new bietet, entnehmen wir am einfachsten dem rpm

# yum info amavisd-new

Name   : amavisd-new
...
Summary: Mail virus-scanner
Description: AMaViS is a program that interfaces a mail transfer agent (MTA) with one or more virus scanners.  
Amavisd-new is a branch created by Mark Martinec that adds serveral performance and robustness features. It's 
partly based on work being done on the official amavisd branch. Please see the README.amavisd-new-RELNOTES 
file for a detailed description.

Programmpfade und -inhalte

Über die einzelnen Dateien und Pfade der installierten Programme, informieren wir uns mittels:

# rpm -ql amavisd-new

/etc/amavisd.conf
/etc/cron.daily/amavisd
/etc/logrotate.d/amavisd
/etc/openldap/schema/amavisd-new.schema
/etc/rc.d/init.d/amavisd
/etc/sysconfig/amavisd
/usr/sbin/amavisd
/usr/sbin/amavisd-agent
/usr/sbin/amavisd-nanny
/usr/sbin/amavisd-release
/usr/sbin/p0f-analyzer
/usr/share/doc/amavisd-new-2.6.4
/usr/share/doc/amavisd-new-2.6.4/AAAREADME.first
/usr/share/doc/amavisd-new-2.6.4/LDAP.schema
/usr/share/doc/amavisd-new-2.6.4/LICENSE
/usr/share/doc/amavisd-new-2.6.4/MANIFEST
/usr/share/doc/amavisd-new-2.6.4/README.banned
/usr/share/doc/amavisd-new-2.6.4/README.chroot
/usr/share/doc/amavisd-new-2.6.4/README.contributed
/usr/share/doc/amavisd-new-2.6.4/README.courier
/usr/share/doc/amavisd-new-2.6.4/README.courier-old
/usr/share/doc/amavisd-new-2.6.4/README.customize
/usr/share/doc/amavisd-new-2.6.4/README.exim_v3
/usr/share/doc/amavisd-new-2.6.4/README.exim_v3_app
/usr/share/doc/amavisd-new-2.6.4/README.exim_v4
/usr/share/doc/amavisd-new-2.6.4/README.exim_v4_app
/usr/share/doc/amavisd-new-2.6.4/README.exim_v4_app2
/usr/share/doc/amavisd-new-2.6.4/README.ldap
/usr/share/doc/amavisd-new-2.6.4/README.lookups
/usr/share/doc/amavisd-new-2.6.4/README.milter
/usr/share/doc/amavisd-new-2.6.4/README.old.scanners
/usr/share/doc/amavisd-new-2.6.4/README.performance
/usr/share/doc/amavisd-new-2.6.4/README.policy-on-notifications
/usr/share/doc/amavisd-new-2.6.4/README.postfix
/usr/share/doc/amavisd-new-2.6.4/README.postfix.html
/usr/share/doc/amavisd-new-2.6.4/README.protocol
/usr/share/doc/amavisd-new-2.6.4/README.sendmail
/usr/share/doc/amavisd-new-2.6.4/README.sendmail-dual
/usr/share/doc/amavisd-new-2.6.4/README.sendmail-dual.old
/usr/share/doc/amavisd-new-2.6.4/README.sql
/usr/share/doc/amavisd-new-2.6.4/README.sql-mysql
/usr/share/doc/amavisd-new-2.6.4/README.sql-pg
/usr/share/doc/amavisd-new-2.6.4/RELEASE_NOTES
/usr/share/doc/amavisd-new-2.6.4/amavisd-new-docs.html
/usr/share/doc/amavisd-new-2.6.4/amavisd.conf
/usr/share/doc/amavisd-new-2.6.4/amavisd.conf-default
/usr/share/doc/amavisd-new-2.6.4/amavisd.conf-sample
/usr/share/doc/amavisd-new-2.6.4/amavisd.conf.orig
/usr/share/doc/amavisd-new-2.6.4/images
/usr/share/doc/amavisd-new-2.6.4/images/blank.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts
/usr/share/doc/amavisd-new-2.6.4/images/callouts/1.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/10.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/11.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/12.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/13.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/14.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/15.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/2.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/3.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/4.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/5.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/6.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/7.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/8.png
/usr/share/doc/amavisd-new-2.6.4/images/callouts/9.png
/usr/share/doc/amavisd-new-2.6.4/images/caution.png
/usr/share/doc/amavisd-new-2.6.4/images/draft.png
/usr/share/doc/amavisd-new-2.6.4/images/home.png
/usr/share/doc/amavisd-new-2.6.4/images/important.png
/usr/share/doc/amavisd-new-2.6.4/images/next.png
/usr/share/doc/amavisd-new-2.6.4/images/note.png
/usr/share/doc/amavisd-new-2.6.4/images/prev.png
/usr/share/doc/amavisd-new-2.6.4/images/tip.png
/usr/share/doc/amavisd-new-2.6.4/images/toc-blank.png
/usr/share/doc/amavisd-new-2.6.4/images/toc-minus.png
/usr/share/doc/amavisd-new-2.6.4/images/toc-plus.png
/usr/share/doc/amavisd-new-2.6.4/images/up.png
/usr/share/doc/amavisd-new-2.6.4/images/warning.png
/usr/share/doc/amavisd-new-2.6.4/screen.css
/usr/share/doc/amavisd-new-2.6.4/test-messages
/usr/share/doc/amavisd-new-2.6.4/test-messages/README
/usr/share/doc/amavisd-new-2.6.4/test-messages/sample.tar.gz.compl
/var/amavis
/var/amavis/db
/var/amavis/tmp
/var/amavis/var
/var/log/amavis.log
/var/virusmails

Grundkonfiguration

Für die weitere Viren- und Spam-Prüfung der uns angetragenen elektronischen Post, verwenden wir die smtp_proxy_filter-Funktionen, also die Pre-Queue unseres Postfixes. Somit können wir die Nachricht in Echtzeit filtern und wenn uns diese „nicht gefällt“, einfach abweisen.

Der externe Mailserver versucht mit unserer neuen Konfiguration eine eMail bei uns auf Port 25 abzusetzen. Unser Postfix reicht diese direkt an den Port 10024 unseres AMaViS-Daemon weiter, der die Nachricht on-the-fly weiteren daemons zum Virenscanner und Spambewerten unterzieht. Wird dabei die Nachricht für O.K. befunden, so reicht AMaViS die Mail zurück an den Postfix auf Port 10025, oder signalisiert Postfix, dass die Nachricht O.K. ist und der externe SMTP-Dialog erfolgreich zu Ende gebracht werden kann.
Im ersten Schritt definieren wir also die ersten drei Parameter, Hostnamen, Domäne und Port in der Konfigurationsdatei unter /etc/amavisd.conf.

...

$myhostname = 'amavis.nausch.org'; # hostname 
$mydomain = 'nausch.org';          # a convenient default for other settings

...

$inet_socket_port = 10024;         # listen on this local TCP port(s)

...

Gesamtkonfiguration

Unser lauffähges System benötigt eine umfangreiche Konfiguration, die wir unseren Bedürfnissen anpassen.

 # egrep -v '(^#|^$)' /etc/amavisd.conf
use strict;
$max_servers = 5;            # num of pre-forked children (2..30 is common), -m
$daemon_user  = "amavis";     # (no default;  customary: vscan or amavis), -u
$daemon_group = "amavis";     # (no default;  customary: vscan or amavis), -g
$myhostname = 'amavis.nausch.org'; # hostname
$mydomain = 'nausch.org';   # a convenient default for other settings
$MYHOME = '/var/amavis';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";
$db_home   = "$MYHOME/db";      # dir for bdb nanny/cache/snmp databases, -D
$helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
$lock_file = "$MYHOME/var/amavisd.lock";  # -L
$pid_file  = "$MYHOME/var/amavisd.pid";   # -P
$log_level = 3;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
           # choose from: emerg, alert, crit, err, warning, notice, info, debug
$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key
@local_domains_maps = ( [".$mydomain"] );  # list of all local domains
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
               # option(s) -p overrides $inet_socket_port and $unix_socketname
$inet_socket_port = 10024;   # listen on this local TCP port(s)
$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};
$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?
$virus_admin               = "virusalert\@$mydomain";  # notifications recip.
$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
$defang_by_ccat{+CC_BADH.",3"} = 1;  # NUL or CR character in header
$defang_by_ccat{+CC_BADH.",5"} = 1;  # header line longer than 998 characters
$defang_by_ccat{+CC_BADH.",6"} = 1;  # header field syntax error
$final_virus_destiny      = D_REJECT;
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_REJECT;
$virus_quarantine_to = undef;
$banned_quarantine_to = undef;
$spam_quarantine_to = undef;
$bad_header_quarantine_to = undef;
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
$banned_filename_re = new_RE(
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  # block certain double extensions in filenames
  qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
  qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
);
@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed
  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost
   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),
   { # a hash-type lookup table (associative array)
     'nobody@cert.org'                        => -3.0,
     'cert-advisory@us-cert.gov'              => -3.0,
     'owner-alert@iss.net'                    => -3.0,
     'slashdot@slashdot.org'                  => -3.0,
     'securityfocus.com'                      => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     'security-alerts@linuxsecurity.com'      => -3.0,
     'mailman-announce-admin@python.org'      => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'amavis-user-bounces@lists.sourceforge.net' => -3.0,
     'spamassassin.apache.org'                => -3.0,
     'notification-return@lists.sophos.com'   => -3.0,
     'owner-postfix-users@postfix.org'        => -3.0,
     'owner-postfix-announce@postfix.org'     => -3.0,
     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org'                => -3.0,
     'ca+envelope@sendmail.org'               => -3.0,
     'noreply@freshmeat.net'                  => -3.0,
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
     # soft-blacklisting (positive score)
     'sender@example.net'                     =>  3.0,
     '.example.net'                           =>  1.0,
   },
  ],  # end of site-wide tables
});
@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_uncompress,  'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress,  'bzip2 -d'],
  ['lzo',  \&do_uncompress,  'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['deb',  \&do_ar,          'ar'],
  ['zip',  \&do_unzip],
  ['7z',   \&do_7zip,       ['7zr','7za','7z'] ],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,        ['zoo','unzoo'] ],
  ['lha',  \&do_lha,         'lha'],
  ['cab',  \&do_cabextract,  'cabextract'],
  ['tnef', \&do_tnef_ext,    'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);
@av_scanners = (
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  ### http://www.kaspersky.com/  (kav4mailservers)
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
  ],
  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
  # currupted or protected archives are to be handled
  ### http://www.kaspersky.com/
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
    qr/infected: (.+)/m,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
  ### products and replaced by aveserver and aveclient
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon',       'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
    # change the startup-script in /etc/init.d/kavd to:
    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
    # adjusting /var/amavis above to match your $TEMPBASE.
    # The '-f=/var/amavis' is needed if not running it as root, so it
    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
    #   directory $TEMPBASE specifies) in the 'Names=' section.
    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
    # cp AvpDaemonClient /opt/AVP/
    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
  ### http://www.centralcommand.com/
  ['CentralCommand Vexira (new) vascan',
    ['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
    # Adjust the path of the binary and the virus database as needed.
    # 'vascan' does not allow to have the temp directory to be the same as
    # the quarantine directory, and the quarantine option can not be disabled.
    # If $QUARANTINEDIR is not used, then another directory must be specified
    # to appease 'vascan'. Move status 3 to the second list if password
    # protected files are to be considered infected.
  ### http://www.avira.com/
  ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
  ['Avira AntiVir', ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
    # NOTE: if you only have a demo version, remove -z and add 214, as in:
    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
  ### http://www.commandsoftware.com/
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/m ],
  ### http://www.symantec.com/
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
    qr/^(?:Info|Virus Name):\s+(.+)/m ],
  ### http://www.symantec.com/
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/m,
    qr/^(?:Info|Virus Name):\s+(.+)/m ],
    # NOTE: check options and patterns to see which entry better applies
  ### http://www.f-secure.com/products/anti-virus/  version 5.52
   ['F-Secure Antivirus for Linux servers',
    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
    '--virus-action1=report --archive=yes --auto=yes '.
    '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
    qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
    # NOTE: internal archive handling may be switched off by '--archive=no'
    #   to prevent fsav from exiting with status 9 on broken archives
  ['CAI InoculateIT', 'inocucmd',  # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/m ],
  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/m ],
    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
  ### http://mks.com.pl/english.html
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/m ],
  ### http://mks.com.pl/english.html
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/m ],
  ### http://www.eset.com/, version 3.0
  ['ESET Software ESETS Command Line Interface',
    ['/usr/bin/esets_cli', 'esets_cli'],
    '--subdir {}', [0], [1,2,3],
    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
  ['ESET NOD32 for Linux File servers',
    ['/opt/eset/nod32/sbin/nod32','nod32'],
    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
    '-w -a --action=1 -b {}',
    [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
  ### http://www.norman.com/products_nvc.shtml
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/m ],
  ### http://www.pandasoftware.com/
  ['Panda CommandLineSecure 9 for Linux',
    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/m,
    qr/Number of files infected[ .]*: 0*[1-9]/m,
    qr/Found virus :\s*(\S+)/m ],
  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
  # before starting amavisd - the bases are then loaded only once at startup.
  # To reload bases in a signature update script:
  #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
  # Please review other options of pavcl, for example:
  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
  ### http://www.nai.com/
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan)  |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
        :\ (.+)\ NOT\ a\ virus)/m,
  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
  # sub {delete $ENV{LD_PRELOAD}},
  ],
  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
  # and then clear it when finished to avoid confusing anything else.
  # NOTE2: to treat encrypted files as viruses replace the [13] with:
  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
  ### http://www.virusbuster.hu/en/
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/m ],
  # VirusBuster Ltd. does not support the daemon version for the workstation
  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
  # binaries, some parameters AND return codes have changed (from 3 to 1).
  # See also the new Vexira entry 'vascan' which is possibly related.
  ### http://www.cyber.com/
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
  ],
  ### http://www.avast.com/
  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
  ### http://www.ikarus-software.com/
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/m ],
  ### http://www.bitdefender.com/
  ['BitDefender', 'bdscan',  # new version
    '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m,
    qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
    qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
  ### http://www.bitdefender.com/
  ['BitDefender', 'bdc',  # old version
    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
    qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
  # not apply to your version of bdc, check documentation and see 'bdc --help'
  ### ArcaVir for Linux and Unix http://www.arcabit.pl/
  ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
    '-v 1 -summary 0 -s {}', [0], [1,2],
    qr/(?:VIR|WIR):[ \t]*(.+)/m ],
);
@av_scanners_backup = (
  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  ### http://www.f-prot.com/   - backs up F-Prot Daemon, V6
  ['F-PROT Antivirus for UNIX', ['fpscan'],
    '--report --mount --adware {}',  # consider: --applications -s 4 -u 3 -z 10
    [0,8,64],  [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
  ### http://www.f-prot.com/   - backs up F-Prot Daemon (old)
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
  ### http://www.trendmicro.com/   - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
  ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
   ### http://www.kaspersky.com/
   ['Kaspersky Antivirus v5.5',
     ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
      '/opt/kav/5.5/kav4unix/bin/kavscanner',
      '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
     '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
   ],
);
1;  # insure a defined return value 

Nun ist es an der Zeit unseren A MAil Virus Scanner das erste mal zu starten.

 # service amavisd start
 Mail Virus Scanner (amavisd) starten:                      [  OK  ]

Im /var/log/maillog wird der erfolgreiche Start ausreichend dokumentiert:

Jul 14 19:58:46 nss amavis[16065]: starting.  /usr/sbin/amavisd at amavis.nausch.org amavisd-new-2.6.4 (20090625), Unicode aware, LANG="de_DE.UTF-8"
Jul 14 19:58:46 nss amavis[16065]: user=103, EUID: 103 (103);  group=, EGID: 106 106 (106 106)
Jul 14 19:58:46 nss amavis[16065]: Perl version               5.008008
Jul 14 19:58:47 nss amavis[16065]: SpamControl: scanner SpamAssassin, module Amavis::SpamControl::SpamAssassin
Jul 14 19:58:47 nss amavis[16065]: INFO: SA version: 3.2.5, 3.002005, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Encode::Detect Razor2::Client::Agent IP::Coun
try::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::
A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Ma
il::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record NetAddr::IP NetAddr::IP::Util auto::NetAddr::IP::Util::in
et_n2dx auto::NetAddr::IP::Util::ipv6_n2d auto::NetAddr::IP::Util::ipv6_n2x Error
Jul 14 19:58:47 nss amavis[16065]: SpamControl: init_pre_chroot on SpamAssassin done
Jul 14 19:58:47 nss amavis[16106]: Net::Server: Process Backgrounded
Jul 14 19:58:47 nss amavis[16106]: Net::Server: 2009/07/14-19:58:47 Amavis (type Net::Server::PreForkSimple) starting! pid(16106)
Jul 14 19:58:47 nss amavis[16106]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
Jul 14 19:58:47 nss amavis[16106]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Jul 14 19:58:47 nss amavis[16106]: Net::Server: Group Not Defined.  Defaulting to EGID '106 106'
Jul 14 19:58:47 nss amavis[16106]: Net::Server: User Not Defined.  Defaulting to EUID '103'
Jul 14 19:58:47 nss amavis[16106]: config files read: /etc/amavisd.conf
Jul 14 19:58:47 nss amavis[16106]: Module Amavis::Conf        2.207
Jul 14 19:58:47 nss amavis[16106]: Module Archive::Zip        1.16
Jul 14 19:58:47 nss amavis[16106]: Module BerkeleyDB          0.36
Jul 14 19:58:47 nss amavis[16106]: Module Compress::Zlib      2.02
Jul 14 19:58:47 nss amavis[16106]: Module Convert::TNEF       0.17
Jul 14 19:58:47 nss amavis[16106]: Module Convert::UUlib      1.051
Jul 14 19:58:47 nss amavis[16106]: Module Crypt::OpenSSL::RSA 0.25
Jul 14 19:58:47 nss amavis[16106]: Module DBD::mysql          4.012
Jul 14 19:58:47 nss amavis[16106]: Module DBI                 1.52
Jul 14 19:58:47 nss amavis[16106]: Module DB_File             1.814
Jul 14 19:58:47 nss amavis[16106]: Module Digest::MD5         2.36
Jul 14 19:58:47 nss amavis[16106]: Module Digest::SHA         5.47
Jul 14 19:58:47 nss amavis[16106]: Module Digest::SHA1        2.11
Jul 14 19:58:47 nss amavis[16106]: Module IO::Socket::INET6   2.51
Jul 14 19:58:47 nss amavis[16106]: Module MIME::Entity        5.420
Jul 14 19:58:47 nss amavis[16106]: Module MIME::Parser        5.420
Jul 14 19:58:47 nss amavis[16106]: Module MIME::Tools         5.420
Jul 14 19:58:47 nss amavis[16106]: Module Mail::DKIM::Verifier 0.36
Jul 14 19:58:47 nss amavis[16106]: Module Mail::Header        1.77
Jul 14 19:58:47 nss amavis[16106]: Module Mail::Internet      1.77
Jul 14 19:58:47 nss amavis[16106]: Module Mail::SpamAssassin  3.002005
Jul 14 19:58:47 nss amavis[16106]: Module Net::DNS            0.59
Jul 14 19:58:47 nss amavis[16106]: Module Net::Server         0.97
Jul 14 19:58:47 nss amavis[16106]: Module Socket6             0.19
Jul 14 19:58:47 nss amavis[16106]: Module Time::HiRes         1.9715
Jul 14 19:58:47 nss amavis[16106]: Module URI                 1.35
Jul 14 19:58:47 nss amavis[16106]: Module Unix::Syslog        1.1
Jul 14 19:58:47 nss amavis[16106]: Amavis::DB code      loaded
Jul 14 19:58:47 nss amavis[16106]: Amavis::Cache code   loaded
Jul 14 19:58:47 nss amavis[16106]: SQL base code        NOT loaded
Jul 14 19:58:47 nss amavis[16106]: SQL::Log code        NOT loaded
Jul 14 19:58:47 nss amavis[16106]: SQL::Quarantine      NOT loaded
Jul 14 19:58:47 nss amavis[16106]: Lookup::SQL code     NOT loaded
Jul 14 19:58:47 nss amavis[16106]: Lookup::LDAP code    NOT loaded
Jul 14 19:58:47 nss amavis[16106]: AM.PDP-in proto code loaded
Jul 14 19:58:47 nss amavis[16106]: SMTP-in proto code   loaded
Jul 14 19:58:47 nss amavis[16106]: Courier proto code   NOT loaded
Jul 14 19:58:47 nss amavis[16106]: SMTP-out proto code  loaded
Jul 14 19:58:47 nss amavis[16106]: Pipe-out proto code  NOT loaded
Jul 14 19:58:47 nss amavis[16106]: BSMTP-out proto code NOT loaded
Jul 14 19:58:47 nss amavis[16106]: Local-out proto code loaded
Jul 14 19:58:47 nss amavis[16106]: OS_Fingerprint code  NOT loaded
Jul 14 19:58:47 nss amavis[16106]: ANTI-VIRUS code      loaded
Jul 14 19:58:47 nss amavis[16106]: ANTI-SPAM code       loaded
Jul 14 19:58:47 nss amavis[16106]: ANTI-SPAM-EXT code   NOT loaded
Jul 14 19:58:47 nss amavis[16106]: ANTI-SPAM-C code     NOT loaded
Jul 14 19:58:47 nss amavis[16106]: ANTI-SPAM-SA code    loaded
Jul 14 19:58:47 nss amavis[16106]: Unpackers code       loaded
Jul 14 19:58:47 nss amavis[16106]: DKIM code            NOT loaded
Jul 14 19:58:47 nss amavis[16106]: Tools code           NOT loaded
Jul 14 19:58:47 nss amavis[16106]: Found $file            at /usr/bin/file
Jul 14 19:58:47 nss amavis[16106]: No $altermime,         not using it
Jul 14 19:58:47 nss amavis[16106]: Internal decoder for .mail
Jul 14 19:58:47 nss amavis[16106]: Internal decoder for .asc 
Jul 14 19:58:47 nss amavis[16106]: Internal decoder for .uue 
Jul 14 19:58:47 nss amavis[16106]: Internal decoder for .hqx 
Jul 14 19:58:47 nss amavis[16106]: Internal decoder for .ync 
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .F    at /usr/bin/unfreeze
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .Z    at /usr/bin/uncompress
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .gz   at /usr/bin/gzip -d
Jul 14 19:58:47 nss amavis[16106]: Internal decoder for .gz   (backup, not used)
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .bz2  at /usr/bin/bzip2 -d
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .lzo  at /usr/bin/lzop -d
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .rpm  at /usr/bin/rpm2cpio
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .cpio at /usr/bin/pax
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .tar  at /usr/bin/pax
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .deb  at /usr/bin/ar
Jul 14 19:58:47 nss amavis[16106]: Internal decoder for .zip 
Jul 14 19:58:47 nss amavis[16106]: No decoder for       .7z   tried: 7zr, 7za, 7z
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .rar  at /usr/bin/unrar
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .arj  at /usr/bin/arj
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .arc  at /usr/bin/nomarch
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .zoo  at /usr/bin/zoo
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .lha  at /usr/bin/lha
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .cab  at /usr/bin/cabextract
Jul 14 19:58:47 nss amavis[16106]: No decoder for       .tnef tried: tnef
Jul 14 19:58:47 nss amavis[16106]: Internal decoder for .tnef
Jul 14 19:58:47 nss amavis[16106]: Found decoder for    .exe  at /usr/bin/unrar; /usr/bin/lha; /usr/bin/arj
Jul 14 19:58:47 nss amavis[16106]: Using primary internal av scanner code for ClamAV-clamd
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: KasperskyLab AVP - aveclient
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: KasperskyLab AntiViral Toolkit Pro (AVP)
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: KasperskyLab AVPDaemonClient
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: CentralCommand Vexira (new) vascan
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: Avira AntiVir
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: Command AntiVirus for Linux
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: Symantec CarrierScan via Symantec CommandLineScanner
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: Symantec AntiVirus Scan Engine
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: F-Secure Antivirus for Linux servers
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: CAI InoculateIT
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: CAI eTrust Antivirus
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: MkS_Vir for Linux (beta)
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: MkS_Vir daemon
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: ESET NOD32 Linux Mail Server - command line interface
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: ESET NOD32 for Linux File servers
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: Norman Virus Control v5 / Linux
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: Panda CommandLineSecure 9 for Linux
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: NAI McAfee AntiVirus (uvscan)
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: VirusBuster
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: CyberSoft VFind
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: avast! Antivirus
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: Ikarus AntiVirus for Linux
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: BitDefender
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: BitDefender
Jul 14 19:58:47 nss amavis[16106]: No primary av scanner: ArcaVir for Linux
Jul 14 19:58:47 nss amavis[16106]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Jul 14 19:58:47 nss amavis[16106]: No secondary av scanner: F-PROT Antivirus for UNIX
Jul 14 19:58:47 nss amavis[16106]: No secondary av scanner: FRISK F-Prot Antivirus
Jul 14 19:58:47 nss amavis[16106]: No secondary av scanner: Trend Micro FileScanner
Jul 14 19:58:47 nss amavis[16106]: No secondary av scanner: drweb - DrWeb Antivirus
Jul 14 19:58:47 nss amavis[16106]: No secondary av scanner: Kaspersky Antivirus v5.5
Jul 14 19:58:47 nss amavis[16106]: Creating db in /var/amavis/db/; BerkeleyDB 0.36, libdb 4.3
Jul 14 19:58:47 nss amavis[16106]: initializing Mail::SpamAssassin
Jul 14 19:58:47 nss amavis[16106]: SpamAssassin debug facilities: info
Jul 14 19:58:49 nss amavis[16106]: SpamAssassin loaded plugins: AWL, AutoLearnThreshold, Bayes, BodyEval, Check, DNSEval, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, Ima
geInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
Jul 14 19:58:49 nss amavis[16106]: SpamControl: init_pre_fork on SpamAssassin done
Jul 14 19:58:49 nss amavis[16106]: DKIM signature verification disabled, corresponding features not available. If not intentional, consider enabling it by setting: $enable_
dkim_verification to 1, or explicitly disable it by setting it to 0 to quench down this warning.
Jul 14 19:58:49 nss amavis[16130]: TIMING [total 7 ms] - bdb-open: 7 (100%)100, rundown: 0 (0%)100
Jul 14 19:58:49 nss amavis[16131]: TIMING [total 6 ms] - bdb-open: 6 (100%)100, rundown: 0 (0%)100
Jul 14 19:58:49 nss amavis[16132]: TIMING [total 7 ms] - bdb-open: 7 (100%)100, rundown: 0 (0%)100
Jul 14 19:58:49 nss amavis[16133]: TIMING [total 6 ms] - bdb-open: 6 (100%)100, rundown: 0 (0%)100 

Über den Port 10024 sollte nun unser daemon ansprechbar sein. Was wir auch sehr einfach mittels lsof überprüfen können:

lsof -i :10024
COMMAND   PID   USER   FD   TYPE  DEVICE SIZE NODE NAME
amavisd 29499 amavis    6u  IPv4 6036705       TCP localhost.localdomain:10024 (LISTEN)
amavisd 29501 amavis    6u  IPv4 6036705       TCP localhost.localdomain:10024 (LISTEN)
amavisd 29502 amavis    6u  IPv4 6036705       TCP localhost.localdomain:10024 (LISTEN)

Via telnet localhost 10024 können wir uns nun zum virusscanner-daemon verbinden.

telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
quit
221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel
Connection closed by foreign host.

Damit nun unser AMaViS-Server beim Booten automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor.

chkconfig amavisd on

Anschließend überprüfen wir noch unsere Änderung:

chkconfig --list | grep amavisd
amavisd         0:Aus   1:Aus   2:Ein   3:Ein   4:Ein   5:Ein   6:Aus

Konfiguration

Wie schon beim Punkt Konfiguration beschrieben, erweitern wir nun unsere Postfixkonfiguration so, dass die zwei Ports 10024 und 10025 von Postfix bedient werden.

Diese Ergänzungen definieren wir in der vim /etc/postfix/master.cf.

vim /etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service       type  private unpriv  chroot  wakeup  maxproc command + args
#                     (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp            inet  n       -       n       -       -       smtpd
        -o smtpd_proxy_filter=localhost:10024
        -o content_filter=
localhost:10025 inet  n       -       n       -       -       smtpd
        -o content_filter=
        -o smtpd_proxy_filter=
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtp_client_restrictions=
        -o smtp_helo_restrictions=
        -o smtp_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtp_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_unknown_recipient_checks

Neustart

Zur aktivierung unserer Änderung starten wir unseren Mailserver einmal durch:

service postfix restart
Postfix beenden:                                           [  OK  ]
Postfix starten:                                           [  OK  ]

Test

Über den Port 10024 sollte nun unser daemon ansprechbar sein. Was wir auch sehr einfach mittels lsof überprüfen können:

lsof -i :25
COMMAND   PID    USER   FD   TYPE  DEVICE SIZE NODE NAME
master  28235    root   11u  IPv4 1396426       TCP *:smtp (LISTEN)
smtpd   28242 postfix    6u  IPv4 1396426       TCP *:smtp (LISTEN)

Von der Konsole aus testen wir nun den Zugang über Port25:

telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mx1.nausch.org ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.

Für den zweiten Port 10025 machen wir auch noch den gleichen Test.

lsof -i :10025
COMMAND   PID    USER   FD   TYPE  DEVICE SIZE NODE NAME
master  28235    root   14u  IPv4 1396432       TCP localhost.localdomain:10025 (LISTEN)
smtpd   28248 postfix    6u  IPv4 1396432       TCP localhost.localdomain:10025 (LISTEN)

Auch hier prüfen wir via telnet, ob unser Postfix auf Anfragen auf Port 10025 reagiert.

telnet localhost 10025

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mx1.nausch.org ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.

Da sich bei entsprechenden Trafic die Zugriffe auf die Harddisk ungünstig auf die Performance auswirkt, legen wir eine RAM-Disk für den Virenscanner an. Dort kann er dann die Attachments ablegen und entpacken.

Wir legen uns eine 250 MB große RAM-Disk an:

 vim /etc/fstab
 /dev/shm                /var/amavis/tmp         tmpfs   defaults,size=250m,mode=750,uid=103,gid=106 0 0

Anschließend mounten wir unser neues Laufwerk mit

 mount /var/amavis/tmp

Je nach Belastung werden nun in unserem Arbeitsverzeichnis die Daten abgelegt

 df -h -t tmpfs
 Dateisystem          Größe Benut  Verf Ben% Eingehängt auf
 /dev/shm              250M   16K  250M   1% /var/amavis/tmp

1)
Small Office Home Office
Cookies helfen bei der Bereitstellung von Inhalten. Durch die Nutzung dieser Seiten erklären Sie sich damit einverstanden, dass Cookies auf Ihrem Rechner gespeichert werden. Weitere Information
  • centos/mailserver/grundinstallation_von_amavis.txt
  • Zuletzt geändert: 31.05.2017 16:42.
  • von django