Erinevus lehekülje "Postfix" redaktsioonide vahel
Allikas: Kuutõrvaja
43. rida: | 43. rida: | ||
'''konfig amavisd''' | '''konfig amavisd''' | ||
− | use strict; | + | use strict; |
− | + | ||
− | + | $max_servers = 4; # number of pre-forked children (2..15 is common) | |
− | $max_servers = 4; # number of pre-forked children (2..15 is common) | + | $daemon_user = 'vscan'; # (no default; customary: vscan or amavis) |
− | $daemon_user = 'vscan'; # (no default; customary: vscan or amavis) | + | $daemon_group = 'vscan'; # (no default; customary: vscan or amavis) |
− | $daemon_group = 'vscan'; # (no default; customary: vscan or amavis) | + | |
− | + | $mydomain = 'eenet.ee'; # a convenient default for other settings | |
− | $mydomain = 'eenet.ee'; # a convenient default for other settings | + | |
− | + | $MYHOME = '/var/amavis'; # a convenient default for other settings | |
− | $MYHOME = '/var/amavis'; # a convenient default for other settings | + | $TEMPBASE = "$MYHOME/tmp"; # working directory, needs to be created manually |
− | $TEMPBASE = "$MYHOME/tmp"; # working directory, needs to be created manually | + | $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR |
− | $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR | + | $QUARANTINEDIR = '/var/virusmails'; |
− | $QUARANTINEDIR = '/var/virusmails'; | + | @local_domains_maps = ( [".$mydomain"] ); |
− | @local_domains_maps = ( [".$mydomain"] ); | + | |
− | + | $log_level = 2; # verbosity 0..5 | |
− | $log_level = 2; # verbosity 0..5 | + | $log_recip_templ = undef; # disable by-recipient level-0 log entries |
− | $log_recip_templ = undef; # disable by-recipient level-0 log entries | + | $DO_SYSLOG = 1; # log via syslogd (preferred) |
− | $DO_SYSLOG = 1; # log via syslogd (preferred) | + | $SYSLOG_LEVEL = 'mail.debug'; |
− | $SYSLOG_LEVEL = 'mail.debug'; | + | |
− | + | $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) | |
− | $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) | + | $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 |
− | $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 | + | |
− | + | $inet_socket_port = 10024; # listen on this local TCP port(s) (see $protocol) | |
− | $inet_socket_port = 10024; # listen on this local TCP port(s) (see $protocol) | + | |
− | + | $sa_tag_level_deflt = undef; # add spam info headers if at, or above that level | |
− | + | $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level | |
− | $sa_tag_level_deflt = undef; # add spam info headers if at, or above that level | + | $sa_kill_level_deflt = 7.0; # triggers spam evasive actions |
− | $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level | + | $sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent |
− | $sa_kill_level_deflt = 7.0; # triggers spam evasive actions | + | $sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off |
− | $sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent | + | $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger |
− | $sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off | + | $sa_local_tests_only = 0; # only tests which do not require internet access? |
− | + | $sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant | |
− | $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger | + | $virus_admin = undef; # notifications recip. |
− | $sa_local_tests_only = 0; # only tests which do not require internet access? | + | |
− | $sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant | + | $mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender |
− | + | $mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender | |
− | + | $mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender | |
− | + | $mailfrom_to_quarantine = ''; # null return path; uses original sender if undef | |
− | $virus_admin = undef; # notifications recip. | + | |
− | + | @addr_extension_virus_maps = ('virus'); | |
− | $mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender | + | @addr_extension_spam_maps = ('spam'); |
− | $mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender | + | @addr_extension_banned_maps = ('banned'); |
− | $mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender | + | @addr_extension_bad_header_maps = ('badh'); |
− | $mailfrom_to_quarantine = ''; # null return path; uses original sender if undef | + | |
− | + | $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; | |
− | @addr_extension_virus_maps = ('virus'); | + | |
− | @addr_extension_spam_maps = ('spam'); | + | $MAXLEVELS = 14; |
− | @addr_extension_banned_maps = ('banned'); | + | $MAXFILES = 1500; |
− | @addr_extension_bad_header_maps = ('badh'); | + | $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) |
− | + | $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) | |
− | + | ||
− | + | $sa_spam_subject_tag = '***SPAM*** '; | |
− | $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; | + | $defang_virus = 1; # MIME-wrap passed infected mail |
− | + | $defang_banned = 1; # MIME-wrap passed mail containing banned name | |
− | + | ||
− | $MAXLEVELS = 14; | + | $final_virus_destiny = D_DISCARD; |
− | $MAXFILES = 1500; | + | $final_banned_destiny = D_DISCARD; |
− | $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) | + | $final_spam_destiny = D_DISCARD; |
− | $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) | + | $final_bad_header_destiny = D_PASS; |
− | + | ||
− | $sa_spam_subject_tag = '***SPAM*** '; | ||
− | $defang_virus = 1; # MIME-wrap passed infected mail | ||
− | $defang_banned = 1; # MIME-wrap passed mail containing banned name | ||
− | |||
− | |||
− | $final_virus_destiny = D_DISCARD; | ||
− | $final_banned_destiny = D_DISCARD; | ||
− | |||
− | $final_spam_destiny = D_DISCARD; | ||
− | $final_bad_header_destiny = D_PASS; | ||
− | |||
− | |||
− | |||
− | |||
[qr/^/ => 1], # true for everything else | [qr/^/ => 1], # true for everything else | ||
− | )); | + | )); |
− | @keep_decoded_original_maps = (new_RE( | + | @keep_decoded_original_maps = (new_RE( |
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables | qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables | ||
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, | qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, | ||
− | )); | + | )); |
− | |||
− | |||
− | |||
− | |||
+ | $banned_filename_re = new_RE( | ||
+ | |||
# block certain double extensions anywhere in the base name | # block certain double extensions anywhere in the base name | ||
qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, | qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, | ||
− | + | ||
− | |||
qr'^application/x-msdownload$'i, # block these MIME types | qr'^application/x-msdownload$'i, # block these MIME types | ||
qr'^application/x-msdos-program$'i, | qr'^application/x-msdos-program$'i, | ||
qr'^application/hta$'i, | qr'^application/hta$'i, | ||
− | + | ||
− | |||
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives | [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives | ||
− | |||
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic | qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic | ||
− | |||
− | |||
qr'^\.(exe-ms)$', # banned file(1) types | qr'^\.(exe-ms)$', # banned file(1) types | ||
− | ); | + | ); |
− | + | ||
− | + | @score_sender_maps = ({ # a by-recipient hash lookup table, | |
− | + | # results from all matching recipient tables are summed | |
− | @score_sender_maps = ({ # a by-recipient hash lookup table, | ||
− | |||
− | |||
− | |||
− | |||
− | |||
'.' => [ # the _first_ matching sender determines the score boost | '.' => [ # the _first_ matching sender determines the score boost | ||
− | + | ||
new_RE( # regexp-type lookup table, just happens to be all soft-blacklist | new_RE( # regexp-type lookup table, just happens to be all soft-blacklist | ||
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], | [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], | ||
165. rida: | 138. rida: | ||
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], | [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], | ||
), | ), | ||
− | + | ||
− | |||
− | |||
{ # a hash-type lookup table (associative array) | { # a hash-type lookup table (associative array) | ||
'pac@c-s.fr' => -3.0, | 'pac@c-s.fr' => -3.0, | ||
199. rida: | 170. rida: | ||
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, | lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, | ||
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, | lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, | ||
− | + | ||
# soft-blacklisting (positive score) | # soft-blacklisting (positive score) | ||
'sender@example.net' => 3.0, | 'sender@example.net' => 3.0, | ||
'.example.net' => 1.0, | '.example.net' => 1.0, | ||
− | |||
}, | }, | ||
], # end of site-wide tables | ], # end of site-wide tables | ||
− | }); | + | }); |
− | + | ||
− | + | @decoders = ( | |
− | @decoders = ( | ||
['mail', \&do_mime_decode], | ['mail', \&do_mime_decode], | ||
['asc', \&do_ascii], | ['asc', \&do_ascii], | ||
235. rida: | 204. rida: | ||
['tnef', \&do_tnef], | ['tnef', \&do_tnef], | ||
['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], | ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], | ||
− | ); | + | ); |
− | + | ||
− | + | @av_scanners = ( | |
− | @av_scanners = ( | + | |
− | |||
− | |||
### http://www.clamav.net/ | ### http://www.clamav.net/ | ||
['ClamAV-clamd', | ['ClamAV-clamd', | ||
246. rida: | 213. rida: | ||
qr/\bOK$/, qr/\bFOUND$/, | qr/\bOK$/, qr/\bFOUND$/, | ||
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], | qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], | ||
− | + | ||
### http://www.centralcommand.com/ | ### http://www.centralcommand.com/ | ||
['CentralCommand Vexira (new) vascan', | ['CentralCommand Vexira (new) vascan', | ||
254. rida: | 221. rida: | ||
[0,3], [1,2,5], | [0,3], [1,2,5], | ||
qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ], | qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ], | ||
− | + | ||
### http://www.hbedv.com/ | ### http://www.hbedv.com/ | ||
['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus', | ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus', | ||
261. rida: | 228. rida: | ||
qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | | qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | | ||
(?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ], | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ], | ||
− | + | ||
### http://www.commandsoftware.com/ | ### http://www.commandsoftware.com/ | ||
['Command AntiVirus for Linux', 'csav', | ['Command AntiVirus for Linux', 'csav', | ||
'-all -archive -packed {}', [50], [51,52,53], | '-all -archive -packed {}', [50], [51,52,53], | ||
qr/Infection: (.+)/ ], | qr/Infection: (.+)/ ], | ||
− | + | ||
### http://www.symantec.com/ | ### http://www.symantec.com/ | ||
['Symantec CarrierScan via Symantec CommandLineScanner', | ['Symantec CarrierScan via Symantec CommandLineScanner', | ||
272. rida: | 239. rida: | ||
qr/^Files Infected:\s+0$/, qr/^Infected\b/, | qr/^Files Infected:\s+0$/, qr/^Infected\b/, | ||
qr/^(?:Info|Virus Name):\s+(.+)/ ], | qr/^(?:Info|Virus Name):\s+(.+)/ ], | ||
− | + | ||
### http://www.symantec.com/ | ### http://www.symantec.com/ | ||
['Symantec AntiVirus Scan Engine', | ['Symantec AntiVirus Scan Engine', | ||
279. rida: | 246. rida: | ||
qr/^(?:Info|Virus Name):\s+(.+)/ ], | qr/^(?:Info|Virus Name):\s+(.+)/ ], | ||
# NOTE: check options and patterns to see which entry better applies | # NOTE: check options and patterns to see which entry better applies | ||
− | + | ||
### http://www.f-secure.com/products/anti-virus/ | ### http://www.f-secure.com/products/anti-virus/ | ||
['F-Secure Antivirus', 'fsav', | ['F-Secure Antivirus', 'fsav', | ||
'--dumb --mime --archive {}', [0], [3,8], | '--dumb --mime --archive {}', [0], [3,8], | ||
qr/(?:infection|Infected|Suspected): (.+)/ ], | qr/(?:infection|Infected|Suspected): (.+)/ ], | ||
− | + | ||
['CAI InoculateIT', 'inocucmd', # retired product | ['CAI InoculateIT', 'inocucmd', # retired product | ||
'-sec -nex {}', [0], [100], | '-sec -nex {}', [0], [100], | ||
qr/was infected by virus (.+)/ ], | qr/was infected by virus (.+)/ ], | ||
# see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html | # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html | ||
− | + | ||
### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) | ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) | ||
['CAI eTrust Antivirus', 'etrust-wrapper', | ['CAI eTrust Antivirus', 'etrust-wrapper', | ||
296. rida: | 263. rida: | ||
# NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer | # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer | ||
# see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 | # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 | ||
− | + | ||
### http://mks.com.pl/english.html | ### http://mks.com.pl/english.html | ||
['MkS_Vir for Linux (beta)', ['mks32','mks'], | ['MkS_Vir for Linux (beta)', ['mks32','mks'], | ||
'-s {}/*', [0], [1,2], | '-s {}/*', [0], [1,2], | ||
qr/--[ \t]*(.+)/ ], | qr/--[ \t]*(.+)/ ], | ||
− | + | ||
### http://mks.com.pl/english.html | ### http://mks.com.pl/english.html | ||
['MkS_Vir daemon', 'mksscan', | ['MkS_Vir daemon', 'mksscan', | ||
'-s -q {}', [0], [1..7], | '-s -q {}', [0], [1..7], | ||
qr/^... (\S+)/ ], | qr/^... (\S+)/ ], | ||
− | + | ||
### http://www.nod32.com/ | ### http://www.nod32.com/ | ||
['ESET Software NOD32', 'nod32', | ['ESET Software NOD32', 'nod32', | ||
313. rida: | 280. rida: | ||
# '-all -subdir+ {}', [0], [1,2], | # '-all -subdir+ {}', [0], [1,2], | ||
# qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ], | # qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ], | ||
− | + | ||
### http://www.nod32.com/ | ### http://www.nod32.com/ | ||
['ESET Software NOD32 - Client/Server Version', 'nod32cli', | ['ESET Software NOD32 - Client/Server Version', 'nod32cli', | ||
'-a -r -d recurse --heur standard {}', [0], [10,11], | '-a -r -d recurse --heur standard {}', [0], [10,11], | ||
qr/^\S+\s+infected:\s+(.+)/ ], | qr/^\S+\s+infected:\s+(.+)/ ], | ||
− | + | ||
### http://www.norman.com/products_nvc.shtml | ### http://www.norman.com/products_nvc.shtml | ||
['Norman Virus Control v5 / Linux', 'nvcc', | ['Norman Virus Control v5 / Linux', 'nvcc', | ||
'-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], | '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], | ||
qr/(?i).* virus in .* -> \'(.+)\'/ ], | qr/(?i).* virus in .* -> \'(.+)\'/ ], | ||
− | + | ||
### http://www.pandasoftware.com/ | ### http://www.pandasoftware.com/ | ||
['Panda Antivirus for Linux', ['pavcl'], | ['Panda Antivirus for Linux', ['pavcl'], | ||
330. rida: | 297. rida: | ||
qr/Number of files infected[ .]*: 0*[1-9]/, | qr/Number of files infected[ .]*: 0*[1-9]/, | ||
qr/Found virus :\s*(\S+)/ ], | qr/Found virus :\s*(\S+)/ ], | ||
− | + | ||
### http://www.nai.com/ | ### http://www.nai.com/ | ||
['NAI McAfee AntiVirus (uvscan)', 'uvscan', | ['NAI McAfee AntiVirus (uvscan)', 'uvscan', | ||
339. rida: | 306. rida: | ||
:\ (.+)\ NOT\ a\ virus)/, | :\ (.+)\ NOT\ a\ virus)/, | ||
], | ], | ||
− | + | ||
### http://www.virusbuster.hu/en/ | ### http://www.virusbuster.hu/en/ | ||
['VirusBuster', ['vbuster', 'vbengcl'], | ['VirusBuster', ['vbuster', 'vbengcl'], | ||
"{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], | "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], | ||
qr/: '(.*)' - Virus/ ], | qr/: '(.*)' - Virus/ ], | ||
− | + | ||
− | |||
### http://www.cyber.com/ | ### http://www.cyber.com/ | ||
['CyberSoft VFind', 'vfind', | ['CyberSoft VFind', 'vfind', | ||
351. rida: | 317. rida: | ||
# sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, | # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, | ||
], | ], | ||
− | + | ||
### http://www.ikarus-software.com/ | ### http://www.ikarus-software.com/ | ||
['Ikarus AntiVirus for Linux', 'ikarus', | ['Ikarus AntiVirus for Linux', 'ikarus', | ||
'{}', [0], [40], qr/Signature (.+) found/ ], | '{}', [0], [40], qr/Signature (.+) found/ ], | ||
− | + | ||
### http://www.bitdefender.com/ | ### http://www.bitdefender.com/ | ||
['BitDefender', 'bdc', | ['BitDefender', 'bdc', | ||
361. rida: | 327. rida: | ||
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, | qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, | ||
qr/(?:suspected|infected): (.*)(?:\033|$)/ ], | qr/(?:suspected|infected): (.*)(?:\033|$)/ ], | ||
+ | |||
+ | ); | ||
− | + | @av_scanners_backup = ( | |
− | + | ||
− | |||
− | @av_scanners_backup = ( | ||
− | |||
### http://www.clamav.net/ - backs up clamd or Mail::ClamAV | ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV | ||
['ClamAV-clamscan', 'clamscan', | ['ClamAV-clamscan', 'clamscan', | ||
"--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], | "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], | ||
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], | qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], | ||
− | + | ||
### http://www.f-prot.com/ - backs up F-Prot Daemon | ### http://www.f-prot.com/ - backs up F-Prot Daemon | ||
['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], | ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], | ||
'-dumb -archive -packed {}', [0,8], [3,6], | '-dumb -archive -packed {}', [0,8], [3,6], | ||
qr/Infection: (.+)|\s+contains\s+(.+)$/ ], | qr/Infection: (.+)|\s+contains\s+(.+)$/ ], | ||
− | + | ||
### http://www.trendmicro.com/ - backs up Trophie | ### http://www.trendmicro.com/ - backs up Trophie | ||
['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], | ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], | ||
'-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], | '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], | ||
− | + | ||
### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD | ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD | ||
['drweb - DrWeb Antivirus', | ['drweb - DrWeb Antivirus', | ||
['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], | ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], | ||
'-path={} -al -go -ot -cn -upn -ok-', | '-path={} -al -go -ot -cn -upn -ok-', | ||
− | [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], | + | [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], |
− | + | ); | |
− | |||
− | |||
− | ); | ||
− | |||
− | |||
− | |||
Redaktsioon: 20. august 2006, kell 16:09
serveritarkvara paigaldus
amavisd-new
clamav
kogu süsteem toimib nii ,et postfix annab kirja edasi amavisd'le mis kontrollib seda kasutades amavisd'd ja smapsassassinit
seadistus postfix
main.cf
content_filter = amavis:[127.0.0.1]:10024 smtpd_sender_restrictions = reject_unknown_sender_domain, permit_mynetworks, reject_rbl_client bl.spamcop.net, reject_rbl_client relays.ordb.org, reject_rbl_client sbl-xbl.spamhaus.org
master.cf
localhost:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o myhostname=localhost.eenet.ee -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 # amavis unix - - n - 4 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes
konfig amavisd
use strict; $max_servers = 4; # number of pre-forked children (2..15 is common) $daemon_user = 'vscan'; # (no default; customary: vscan or amavis) $daemon_group = 'vscan'; # (no default; customary: vscan or amavis) $mydomain = 'eenet.ee'; # a convenient default for other settings $MYHOME = '/var/amavis'; # a convenient default for other settings $TEMPBASE = "$MYHOME/tmp"; # working directory, needs to be created manually $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR $QUARANTINEDIR = '/var/virusmails'; @local_domains_maps = ( [".$mydomain"] ); $log_level = 2; # verbosity 0..5 $log_recip_templ = undef; # disable by-recipient level-0 log entries $DO_SYSLOG = 1; # log via syslogd (preferred) $SYSLOG_LEVEL = 'mail.debug'; $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 $inet_socket_port = 10024; # listen on this local TCP port(s) (see $protocol) $sa_tag_level_deflt = undef; # add spam info headers if at, or above that level $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level $sa_kill_level_deflt = 7.0; # triggers spam evasive actions $sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent $sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger $sa_local_tests_only = 0; # only tests which do not require internet access? $sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant $virus_admin = undef; # notifications recip. $mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender $mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender $mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender $mailfrom_to_quarantine = ; # null return path; uses original sender if undef @addr_extension_virus_maps = ('virus'); @addr_extension_spam_maps = ('spam'); @addr_extension_banned_maps = ('banned'); @addr_extension_bad_header_maps = ('badh'); $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; $MAXLEVELS = 14; $MAXFILES = 1500; $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) $sa_spam_subject_tag = '***SPAM*** '; $defang_virus = 1; # MIME-wrap passed infected mail $defang_banned = 1; # MIME-wrap passed mail containing banned name $final_virus_destiny = D_DISCARD; $final_banned_destiny = D_DISCARD; $final_spam_destiny = D_DISCARD; $final_bad_header_destiny = D_PASS; [qr/^/ => 1], # true for everything else ));
@keep_decoded_original_maps = (new_RE( qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, ));
$banned_filename_re = new_RE( # block certain double extensions anywhere in the base name qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic qr'^\.(exe-ms)$', # banned file(1) types ); @score_sender_maps = ({ # a by-recipient hash lookup table, # results from all matching recipient tables are summed '.' => [ # the _first_ matching sender determines the score boost new_RE( # regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], [qr'^(your_friend|greatoffers)@'i => 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], ), { # a hash-type lookup table (associative array) 'pac@c-s.fr' => -3.0, 'nobody@cert.org' => -3.0, 'cert-advisory@us-cert.gov' => -3.0, 'owner-alert@iss.net' => -3.0, 'slashdot@slashdot.org' => -3.0, 'bugtraq@securityfocus.com' => -3.0, 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, 'security-alerts@linuxsecurity.com' => -3.0, 'mailman-announce-admin@python.org' => -3.0, 'amavis-user-admin@lists.sourceforge.net'=> -3.0, 'notification-return@lists.sophos.com' => -3.0, 'owner-postfix-users@postfix.org' => -3.0, 'owner-postfix-announce@postfix.org' => -3.0, 'owner-sendmail-announce@lists.sendmail.org' => -3.0, 'sendmail-announce-request@lists.sendmail.org' => -3.0, 'donotreply@sendmail.org' => -3.0, 'ca+envelope@sendmail.org' => -3.0, 'noreply@freshmeat.net' => -3.0, 'owner-technews@postel.acm.org' => -3.0, 'ietf-123-owner@loki.ietf.org' => -3.0, 'cvs-commits-list-admin@gnome.org' => -3.0, 'rt-users-admin@lists.fsck.com' => -3.0, 'clp-request@comp.nus.edu.sg' => -3.0, 'surveys-errors@lists.nua.ie' => -3.0, 'emailnews@genomeweb.com' => -5.0, 'yahoo-dev-null@yahoo-inc.com' => -3.0, 'returns.groups.yahoo.com' => -3.0, 'clusternews@linuxnetworx.com' => -3.0, lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score) 'sender@example.net' => 3.0, '.example.net' => 1.0, }, ], # end of site-wide tables }); @decoders = ( ['mail', \&do_mime_decode], ['asc', \&do_ascii], ['uue', \&do_ascii], ['hqx', \&do_ascii], ['ync', \&do_ascii], ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ], ['gz', \&do_gunzip], ['gz', \&do_uncompress, 'gzip -d'], ['bz2', \&do_uncompress, 'bzip2 -d'], ['lzo', \&do_uncompress, 'lzop -d'], ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['tar', \&do_tar], ['deb', \&do_ar, 'ar'], ['zip', \&do_unzip], ['rar', \&do_unrar, ['rar','unrar'] ], ['arj', \&do_unarj, ['arj','unarj'] ], ['arc', \&do_arc, ['nomarch','arc'] ], ['zoo', \&do_zoo, 'zoo'], ['lha', \&do_lha, 'lha'], ['cab', \&do_cabextract, 'cabextract'], ['tnef', \&do_tnef], ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], ); @av_scanners = ( ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ### http://www.centralcommand.com/ ['CentralCommand Vexira (new) vascan', ['vascan','/usr/lib/Vexira/vascan'], "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". "--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}", [0,3], [1,2,5], qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ], ### http://www.hbedv.com/ ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus', ['antivir','vexira'], '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/, qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ], ### http://www.commandsoftware.com/ ['Command AntiVirus for Linux', 'csav', '-all -archive -packed {}', [50], [51,52,53], qr/Infection: (.+)/ ], ### http://www.symantec.com/ ['Symantec CarrierScan via Symantec CommandLineScanner', 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', qr/^Files Infected:\s+0$/, qr/^Infected\b/, qr/^(?:Info|Virus Name):\s+(.+)/ ], ### http://www.symantec.com/ ['Symantec AntiVirus Scan Engine', 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', [0], qr/^Infected\b/, qr/^(?:Info|Virus Name):\s+(.+)/ ], # NOTE: check options and patterns to see which entry better applies ### http://www.f-secure.com/products/anti-virus/ ['F-Secure Antivirus', 'fsav', '--dumb --mime --archive {}', [0], [3,8], qr/(?:infection|Infected|Suspected): (.+)/ ], ['CAI InoculateIT', 'inocucmd', # retired product '-sec -nex {}', [0], [100], qr/was infected by virus (.+)/ ], # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) ['CAI eTrust Antivirus', 'etrust-wrapper', '-arc -nex -spm h {}', [0], [101], qr/is infected by virus: (.+)/ ], # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 ### http://mks.com.pl/english.html ['MkS_Vir for Linux (beta)', ['mks32','mks'], '-s {}/*', [0], [1,2], qr/--[ \t]*(.+)/ ], ### http://mks.com.pl/english.html ['MkS_Vir daemon', 'mksscan', '-s -q {}', [0], [1..7], qr/^... (\S+)/ ], ### http://www.nod32.com/ ['ESET Software NOD32', 'nod32', '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ], # with old versions use: # '-all -subdir+ {}', [0], [1,2], # qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ], ### http://www.nod32.com/ ['ESET Software NOD32 - Client/Server Version', 'nod32cli', '-a -r -d recurse --heur standard {}', [0], [10,11], qr/^\S+\s+infected:\s+(.+)/ ], ### http://www.norman.com/products_nvc.shtml ['Norman Virus Control v5 / Linux', 'nvcc', '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], qr/(?i).* virus in .* -> \'(.+)\'/ ], ### http://www.pandasoftware.com/ ['Panda Antivirus for Linux', ['pavcl'], '-aut -aex -heu -cmp -nbr -nor -nso -eng {}', qr/Number of files infected[ .]*: 0+(?!\d)/, qr/Number of files infected[ .]*: 0*[1-9]/, qr/Found virus :\s*(\S+)/ ], ### http://www.nai.com/ ['NAI McAfee AntiVirus (uvscan)', 'uvscan', '--secure -rv --mime --summary --noboot - {}', [0], [13], qr/(?x) Found (?: \ the\ (.+)\ (?:virus|trojan) | \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | :\ (.+)\ NOT\ a\ virus)/, ], ### http://www.virusbuster.hu/en/ ['VirusBuster', ['vbuster', 'vbengcl'], "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], qr/: '(.*)' - Virus/ ], ### http://www.cyber.com/ ['CyberSoft VFind', 'vfind', '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/, # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, ], ### http://www.ikarus-software.com/ ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40], qr/Signature (.+) found/ ], ### http://www.bitdefender.com/ ['BitDefender', 'bdc', '--all --arc --mail {}', qr/^Infected files *:0+(?!\d)/, qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, qr/(?:suspected|infected): (.*)(?:\033|$)/ ], );
@av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ### http://www.f-prot.com/ - backs up F-Prot Daemon ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], qr/Infection: (.+)|\s+contains\s+(.+)$/ ], ### http://www.trendmicro.com/ - backs up Trophie ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD ['drweb - DrWeb Antivirus', ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], );
automaatne start
amavisd_enable="YES" clamav_clamd_enable="YES" clamav_freshclam_enable="YES"
kontroll töötamisel
heidame pilgu maillog faili kõigi kirjadekohta peaks tekkima rida