Erinevus lehekülje "Postfix" redaktsioonide vahel
Allikas: Kuutõrvaja
| 43. rida: | 43. rida: | ||
'''konfig amavisd''' | '''konfig amavisd''' | ||
| − | use strict; | + | use strict; |
| − | + | ||
| − | + | $max_servers = 4; # number of pre-forked children (2..15 is common) | |
| − | $max_servers = 4; # number of pre-forked children (2..15 is common) | + | $daemon_user = 'vscan'; # (no default; customary: vscan or amavis) |
| − | $daemon_user = 'vscan'; # (no default; customary: vscan or amavis) | + | $daemon_group = 'vscan'; # (no default; customary: vscan or amavis) |
| − | $daemon_group = 'vscan'; # (no default; customary: vscan or amavis) | + | |
| − | + | $mydomain = 'eenet.ee'; # a convenient default for other settings | |
| − | $mydomain = 'eenet.ee'; # a convenient default for other settings | + | |
| − | + | $MYHOME = '/var/amavis'; # a convenient default for other settings | |
| − | $MYHOME = '/var/amavis'; # a convenient default for other settings | + | $TEMPBASE = "$MYHOME/tmp"; # working directory, needs to be created manually |
| − | $TEMPBASE = "$MYHOME/tmp"; # working directory, needs to be created manually | + | $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR |
| − | $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR | + | $QUARANTINEDIR = '/var/virusmails'; |
| − | $QUARANTINEDIR = '/var/virusmails'; | + | @local_domains_maps = ( [".$mydomain"] ); |
| − | @local_domains_maps = ( [".$mydomain"] ); | + | |
| − | + | $log_level = 2; # verbosity 0..5 | |
| − | $log_level = 2; # verbosity 0..5 | + | $log_recip_templ = undef; # disable by-recipient level-0 log entries |
| − | $log_recip_templ = undef; # disable by-recipient level-0 log entries | + | $DO_SYSLOG = 1; # log via syslogd (preferred) |
| − | $DO_SYSLOG = 1; # log via syslogd (preferred) | + | $SYSLOG_LEVEL = 'mail.debug'; |
| − | $SYSLOG_LEVEL = 'mail.debug'; | + | |
| − | + | $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) | |
| − | $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) | + | $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 |
| − | $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 | + | |
| − | + | $inet_socket_port = 10024; # listen on this local TCP port(s) (see $protocol) | |
| − | $inet_socket_port = 10024; # listen on this local TCP port(s) (see $protocol) | + | |
| − | + | $sa_tag_level_deflt = undef; # add spam info headers if at, or above that level | |
| − | + | $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level | |
| − | $sa_tag_level_deflt = undef; # add spam info headers if at, or above that level | + | $sa_kill_level_deflt = 7.0; # triggers spam evasive actions |
| − | $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level | + | $sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent |
| − | $sa_kill_level_deflt = 7.0; # triggers spam evasive actions | + | $sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off |
| − | $sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent | + | $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger |
| − | $sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off | + | $sa_local_tests_only = 0; # only tests which do not require internet access? |
| − | + | $sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant | |
| − | $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger | + | $virus_admin = undef; # notifications recip. |
| − | $sa_local_tests_only = 0; # only tests which do not require internet access? | + | |
| − | $sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant | + | $mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender |
| − | + | $mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender | |
| − | + | $mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender | |
| − | + | $mailfrom_to_quarantine = ''; # null return path; uses original sender if undef | |
| − | $virus_admin = undef; # notifications recip. | + | |
| − | + | @addr_extension_virus_maps = ('virus'); | |
| − | $mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender | + | @addr_extension_spam_maps = ('spam'); |
| − | $mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender | + | @addr_extension_banned_maps = ('banned'); |
| − | $mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender | + | @addr_extension_bad_header_maps = ('badh'); |
| − | $mailfrom_to_quarantine = ''; # null return path; uses original sender if undef | + | |
| − | + | $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; | |
| − | @addr_extension_virus_maps = ('virus'); | + | |
| − | @addr_extension_spam_maps = ('spam'); | + | $MAXLEVELS = 14; |
| − | @addr_extension_banned_maps = ('banned'); | + | $MAXFILES = 1500; |
| − | @addr_extension_bad_header_maps = ('badh'); | + | $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) |
| − | + | $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) | |
| − | + | ||
| − | + | $sa_spam_subject_tag = '***SPAM*** '; | |
| − | $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; | + | $defang_virus = 1; # MIME-wrap passed infected mail |
| − | + | $defang_banned = 1; # MIME-wrap passed mail containing banned name | |
| − | + | ||
| − | $MAXLEVELS = 14; | + | $final_virus_destiny = D_DISCARD; |
| − | $MAXFILES = 1500; | + | $final_banned_destiny = D_DISCARD; |
| − | $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) | + | $final_spam_destiny = D_DISCARD; |
| − | $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) | + | $final_bad_header_destiny = D_PASS; |
| − | + | ||
| − | $sa_spam_subject_tag = '***SPAM*** '; | ||
| − | $defang_virus = 1; # MIME-wrap passed infected mail | ||
| − | $defang_banned = 1; # MIME-wrap passed mail containing banned name | ||
| − | |||
| − | |||
| − | $final_virus_destiny = D_DISCARD; | ||
| − | $final_banned_destiny = D_DISCARD; | ||
| − | |||
| − | $final_spam_destiny = D_DISCARD; | ||
| − | $final_bad_header_destiny = D_PASS; | ||
| − | |||
| − | |||
| − | |||
| − | |||
[qr/^/ => 1], # true for everything else | [qr/^/ => 1], # true for everything else | ||
| − | )); | + | )); |
| − | @keep_decoded_original_maps = (new_RE( | + | @keep_decoded_original_maps = (new_RE( |
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables | qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables | ||
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, | qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, | ||
| − | )); | + | )); |
| − | |||
| − | |||
| − | |||
| − | |||
| + | $banned_filename_re = new_RE( | ||
| + | |||
# block certain double extensions anywhere in the base name | # block certain double extensions anywhere in the base name | ||
qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, | qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, | ||
| − | + | ||
| − | |||
qr'^application/x-msdownload$'i, # block these MIME types | qr'^application/x-msdownload$'i, # block these MIME types | ||
qr'^application/x-msdos-program$'i, | qr'^application/x-msdos-program$'i, | ||
qr'^application/hta$'i, | qr'^application/hta$'i, | ||
| − | + | ||
| − | |||
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives | [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives | ||
| − | |||
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic | qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic | ||
| − | |||
| − | |||
qr'^\.(exe-ms)$', # banned file(1) types | qr'^\.(exe-ms)$', # banned file(1) types | ||
| − | ); | + | ); |
| − | + | ||
| − | + | @score_sender_maps = ({ # a by-recipient hash lookup table, | |
| − | + | # results from all matching recipient tables are summed | |
| − | @score_sender_maps = ({ # a by-recipient hash lookup table, | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
'.' => [ # the _first_ matching sender determines the score boost | '.' => [ # the _first_ matching sender determines the score boost | ||
| − | + | ||
new_RE( # regexp-type lookup table, just happens to be all soft-blacklist | new_RE( # regexp-type lookup table, just happens to be all soft-blacklist | ||
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], | [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], | ||
| 165. rida: | 138. rida: | ||
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], | [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], | ||
), | ), | ||
| − | + | ||
| − | |||
| − | |||
{ # a hash-type lookup table (associative array) | { # a hash-type lookup table (associative array) | ||
'pac@c-s.fr' => -3.0, | 'pac@c-s.fr' => -3.0, | ||
| 199. rida: | 170. rida: | ||
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, | lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, | ||
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, | lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, | ||
| − | + | ||
# soft-blacklisting (positive score) | # soft-blacklisting (positive score) | ||
'sender@example.net' => 3.0, | 'sender@example.net' => 3.0, | ||
'.example.net' => 1.0, | '.example.net' => 1.0, | ||
| − | |||
}, | }, | ||
], # end of site-wide tables | ], # end of site-wide tables | ||
| − | }); | + | }); |
| − | + | ||
| − | + | @decoders = ( | |
| − | @decoders = ( | ||
['mail', \&do_mime_decode], | ['mail', \&do_mime_decode], | ||
['asc', \&do_ascii], | ['asc', \&do_ascii], | ||
| 235. rida: | 204. rida: | ||
['tnef', \&do_tnef], | ['tnef', \&do_tnef], | ||
['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], | ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], | ||
| − | ); | + | ); |
| − | + | ||
| − | + | @av_scanners = ( | |
| − | @av_scanners = ( | + | |
| − | |||
| − | |||
### http://www.clamav.net/ | ### http://www.clamav.net/ | ||
['ClamAV-clamd', | ['ClamAV-clamd', | ||
| 246. rida: | 213. rida: | ||
qr/\bOK$/, qr/\bFOUND$/, | qr/\bOK$/, qr/\bFOUND$/, | ||
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], | qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], | ||
| − | + | ||
### http://www.centralcommand.com/ | ### http://www.centralcommand.com/ | ||
['CentralCommand Vexira (new) vascan', | ['CentralCommand Vexira (new) vascan', | ||
| 254. rida: | 221. rida: | ||
[0,3], [1,2,5], | [0,3], [1,2,5], | ||
qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ], | qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ], | ||
| − | + | ||
### http://www.hbedv.com/ | ### http://www.hbedv.com/ | ||
['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus', | ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus', | ||
| 261. rida: | 228. rida: | ||
qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | | qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | | ||
(?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ], | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ], | ||
| − | + | ||
### http://www.commandsoftware.com/ | ### http://www.commandsoftware.com/ | ||
['Command AntiVirus for Linux', 'csav', | ['Command AntiVirus for Linux', 'csav', | ||
'-all -archive -packed {}', [50], [51,52,53], | '-all -archive -packed {}', [50], [51,52,53], | ||
qr/Infection: (.+)/ ], | qr/Infection: (.+)/ ], | ||
| − | + | ||
### http://www.symantec.com/ | ### http://www.symantec.com/ | ||
['Symantec CarrierScan via Symantec CommandLineScanner', | ['Symantec CarrierScan via Symantec CommandLineScanner', | ||
| 272. rida: | 239. rida: | ||
qr/^Files Infected:\s+0$/, qr/^Infected\b/, | qr/^Files Infected:\s+0$/, qr/^Infected\b/, | ||
qr/^(?:Info|Virus Name):\s+(.+)/ ], | qr/^(?:Info|Virus Name):\s+(.+)/ ], | ||
| − | + | ||
### http://www.symantec.com/ | ### http://www.symantec.com/ | ||
['Symantec AntiVirus Scan Engine', | ['Symantec AntiVirus Scan Engine', | ||
| 279. rida: | 246. rida: | ||
qr/^(?:Info|Virus Name):\s+(.+)/ ], | qr/^(?:Info|Virus Name):\s+(.+)/ ], | ||
# NOTE: check options and patterns to see which entry better applies | # NOTE: check options and patterns to see which entry better applies | ||
| − | + | ||
### http://www.f-secure.com/products/anti-virus/ | ### http://www.f-secure.com/products/anti-virus/ | ||
['F-Secure Antivirus', 'fsav', | ['F-Secure Antivirus', 'fsav', | ||
'--dumb --mime --archive {}', [0], [3,8], | '--dumb --mime --archive {}', [0], [3,8], | ||
qr/(?:infection|Infected|Suspected): (.+)/ ], | qr/(?:infection|Infected|Suspected): (.+)/ ], | ||
| − | + | ||
['CAI InoculateIT', 'inocucmd', # retired product | ['CAI InoculateIT', 'inocucmd', # retired product | ||
'-sec -nex {}', [0], [100], | '-sec -nex {}', [0], [100], | ||
qr/was infected by virus (.+)/ ], | qr/was infected by virus (.+)/ ], | ||
# see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html | # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html | ||
| − | + | ||
### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) | ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) | ||
['CAI eTrust Antivirus', 'etrust-wrapper', | ['CAI eTrust Antivirus', 'etrust-wrapper', | ||
| 296. rida: | 263. rida: | ||
# NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer | # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer | ||
# see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 | # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 | ||
| − | + | ||
### http://mks.com.pl/english.html | ### http://mks.com.pl/english.html | ||
['MkS_Vir for Linux (beta)', ['mks32','mks'], | ['MkS_Vir for Linux (beta)', ['mks32','mks'], | ||
'-s {}/*', [0], [1,2], | '-s {}/*', [0], [1,2], | ||
qr/--[ \t]*(.+)/ ], | qr/--[ \t]*(.+)/ ], | ||
| − | + | ||
### http://mks.com.pl/english.html | ### http://mks.com.pl/english.html | ||
['MkS_Vir daemon', 'mksscan', | ['MkS_Vir daemon', 'mksscan', | ||
'-s -q {}', [0], [1..7], | '-s -q {}', [0], [1..7], | ||
qr/^... (\S+)/ ], | qr/^... (\S+)/ ], | ||
| − | + | ||
### http://www.nod32.com/ | ### http://www.nod32.com/ | ||
['ESET Software NOD32', 'nod32', | ['ESET Software NOD32', 'nod32', | ||
| 313. rida: | 280. rida: | ||
# '-all -subdir+ {}', [0], [1,2], | # '-all -subdir+ {}', [0], [1,2], | ||
# qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ], | # qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ], | ||
| − | + | ||
### http://www.nod32.com/ | ### http://www.nod32.com/ | ||
['ESET Software NOD32 - Client/Server Version', 'nod32cli', | ['ESET Software NOD32 - Client/Server Version', 'nod32cli', | ||
'-a -r -d recurse --heur standard {}', [0], [10,11], | '-a -r -d recurse --heur standard {}', [0], [10,11], | ||
qr/^\S+\s+infected:\s+(.+)/ ], | qr/^\S+\s+infected:\s+(.+)/ ], | ||
| − | + | ||
### http://www.norman.com/products_nvc.shtml | ### http://www.norman.com/products_nvc.shtml | ||
['Norman Virus Control v5 / Linux', 'nvcc', | ['Norman Virus Control v5 / Linux', 'nvcc', | ||
'-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], | '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], | ||
qr/(?i).* virus in .* -> \'(.+)\'/ ], | qr/(?i).* virus in .* -> \'(.+)\'/ ], | ||
| − | + | ||
### http://www.pandasoftware.com/ | ### http://www.pandasoftware.com/ | ||
['Panda Antivirus for Linux', ['pavcl'], | ['Panda Antivirus for Linux', ['pavcl'], | ||
| 330. rida: | 297. rida: | ||
qr/Number of files infected[ .]*: 0*[1-9]/, | qr/Number of files infected[ .]*: 0*[1-9]/, | ||
qr/Found virus :\s*(\S+)/ ], | qr/Found virus :\s*(\S+)/ ], | ||
| − | + | ||
### http://www.nai.com/ | ### http://www.nai.com/ | ||
['NAI McAfee AntiVirus (uvscan)', 'uvscan', | ['NAI McAfee AntiVirus (uvscan)', 'uvscan', | ||
| 339. rida: | 306. rida: | ||
:\ (.+)\ NOT\ a\ virus)/, | :\ (.+)\ NOT\ a\ virus)/, | ||
], | ], | ||
| − | + | ||
### http://www.virusbuster.hu/en/ | ### http://www.virusbuster.hu/en/ | ||
['VirusBuster', ['vbuster', 'vbengcl'], | ['VirusBuster', ['vbuster', 'vbengcl'], | ||
"{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], | "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], | ||
qr/: '(.*)' - Virus/ ], | qr/: '(.*)' - Virus/ ], | ||
| − | + | ||
| − | |||
### http://www.cyber.com/ | ### http://www.cyber.com/ | ||
['CyberSoft VFind', 'vfind', | ['CyberSoft VFind', 'vfind', | ||
| 351. rida: | 317. rida: | ||
# sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, | # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, | ||
], | ], | ||
| − | + | ||
### http://www.ikarus-software.com/ | ### http://www.ikarus-software.com/ | ||
['Ikarus AntiVirus for Linux', 'ikarus', | ['Ikarus AntiVirus for Linux', 'ikarus', | ||
'{}', [0], [40], qr/Signature (.+) found/ ], | '{}', [0], [40], qr/Signature (.+) found/ ], | ||
| − | + | ||
### http://www.bitdefender.com/ | ### http://www.bitdefender.com/ | ||
['BitDefender', 'bdc', | ['BitDefender', 'bdc', | ||
| 361. rida: | 327. rida: | ||
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, | qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, | ||
qr/(?:suspected|infected): (.*)(?:\033|$)/ ], | qr/(?:suspected|infected): (.*)(?:\033|$)/ ], | ||
| + | |||
| + | ); | ||
| − | + | @av_scanners_backup = ( | |
| − | + | ||
| − | |||
| − | @av_scanners_backup = ( | ||
| − | |||
### http://www.clamav.net/ - backs up clamd or Mail::ClamAV | ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV | ||
['ClamAV-clamscan', 'clamscan', | ['ClamAV-clamscan', 'clamscan', | ||
"--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], | "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], | ||
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], | qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], | ||
| − | + | ||
### http://www.f-prot.com/ - backs up F-Prot Daemon | ### http://www.f-prot.com/ - backs up F-Prot Daemon | ||
['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], | ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], | ||
'-dumb -archive -packed {}', [0,8], [3,6], | '-dumb -archive -packed {}', [0,8], [3,6], | ||
qr/Infection: (.+)|\s+contains\s+(.+)$/ ], | qr/Infection: (.+)|\s+contains\s+(.+)$/ ], | ||
| − | + | ||
### http://www.trendmicro.com/ - backs up Trophie | ### http://www.trendmicro.com/ - backs up Trophie | ||
['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], | ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], | ||
'-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], | '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], | ||
| − | + | ||
### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD | ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD | ||
['drweb - DrWeb Antivirus', | ['drweb - DrWeb Antivirus', | ||
['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], | ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], | ||
'-path={} -al -go -ot -cn -upn -ok-', | '-path={} -al -go -ot -cn -upn -ok-', | ||
| − | [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], | + | [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], |
| − | + | ); | |
| − | |||
| − | |||
| − | ); | ||
| − | |||
| − | |||
| − | |||
Redaktsioon: 20. august 2006, kell 16:09
serveritarkvara paigaldus
amavisd-new
clamav
kogu süsteem toimib nii ,et postfix annab kirja edasi amavisd'le mis kontrollib seda kasutades amavisd'd ja smapsassassinit
seadistus postfix
main.cf
content_filter = amavis:[127.0.0.1]:10024
smtpd_sender_restrictions =
reject_unknown_sender_domain,
permit_mynetworks,
reject_rbl_client bl.spamcop.net,
reject_rbl_client relays.ordb.org,
reject_rbl_client sbl-xbl.spamhaus.org
master.cf
localhost:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o myhostname=localhost.eenet.ee -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 # amavis unix - - n - 4 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes
konfig amavisd
use strict;
$max_servers = 4; # number of pre-forked children (2..15 is common)
$daemon_user = 'vscan'; # (no default; customary: vscan or amavis)
$daemon_group = 'vscan'; # (no default; customary: vscan or amavis)
$mydomain = 'eenet.ee'; # a convenient default for other settings
$MYHOME = '/var/amavis'; # a convenient default for other settings
$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to be created manually
$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR
$QUARANTINEDIR = '/var/virusmails';
@local_domains_maps = ( [".$mydomain"] );
$log_level = 2; # verbosity 0..5
$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$SYSLOG_LEVEL = 'mail.debug';
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$inet_socket_port = 10024; # listen on this local TCP port(s) (see $protocol)
$sa_tag_level_deflt = undef; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 7.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent
$sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off
$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
$sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant
$virus_admin = undef; # notifications recip.
$mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender
$mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ; # null return path; uses original sender if undef
@addr_extension_virus_maps = ('virus');
@addr_extension_spam_maps = ('spam');
@addr_extension_banned_maps = ('banned');
@addr_extension_bad_header_maps = ('badh');
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus = 1; # MIME-wrap passed infected mail
$defang_banned = 1; # MIME-wrap passed mail containing banned name
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_PASS;
[qr/^/ => 1], # true for everything else
));
@keep_decoded_original_maps = (new_RE( qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, ));
$banned_filename_re = new_RE(
# block certain double extensions anywhere in the base name
qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
qr'^\.(exe-ms)$', # banned file(1) types
);
@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed
'.' => [ # the _first_ matching sender determines the score boost
new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
),
{ # a hash-type lookup table (associative array)
'pac@c-s.fr' => -3.0,
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'bugtraq@securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
'mailman-announce-admin@python.org' => -3.0,
'amavis-user-admin@lists.sourceforge.net'=> -3.0,
'notification-return@lists.sophos.com' => -3.0,
'owner-postfix-users@postfix.org' => -3.0,
'owner-postfix-announce@postfix.org' => -3.0,
'owner-sendmail-announce@lists.sendmail.org' => -3.0,
'sendmail-announce-request@lists.sendmail.org' => -3.0,
'donotreply@sendmail.org' => -3.0,
'ca+envelope@sendmail.org' => -3.0,
'noreply@freshmeat.net' => -3.0,
'owner-technews@postel.acm.org' => -3.0,
'ietf-123-owner@loki.ietf.org' => -3.0,
'cvs-commits-list-admin@gnome.org' => -3.0,
'rt-users-admin@lists.fsck.com' => -3.0,
'clp-request@comp.nus.edu.sg' => -3.0,
'surveys-errors@lists.nua.ie' => -3.0,
'emailnews@genomeweb.com' => -5.0,
'yahoo-dev-null@yahoo-inc.com' => -3.0,
'returns.groups.yahoo.com' => -3.0,
'clusternews@linuxnetworx.com' => -3.0,
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
# soft-blacklisting (positive score)
'sender@example.net' => 3.0,
'.example.net' => 1.0,
},
], # end of site-wide tables
});
@decoders = (
['mail', \&do_mime_decode],
['asc', \&do_ascii],
['uue', \&do_ascii],
['hqx', \&do_ascii],
['ync', \&do_ascii],
['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
['gz', \&do_gunzip],
['gz', \&do_uncompress, 'gzip -d'],
['bz2', \&do_uncompress, 'bzip2 -d'],
['lzo', \&do_uncompress, 'lzop -d'],
['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
['tar', \&do_tar],
['deb', \&do_ar, 'ar'],
['zip', \&do_unzip],
['rar', \&do_unrar, ['rar','unrar'] ],
['arj', \&do_unarj, ['arj','unarj'] ],
['arc', \&do_arc, ['nomarch','arc'] ],
['zoo', \&do_zoo, 'zoo'],
['lha', \&do_lha, 'lha'],
['cab', \&do_cabextract, 'cabextract'],
['tnef', \&do_tnef],
['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);
@av_scanners = (
### http://www.clamav.net/
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
### http://www.centralcommand.com/
['CentralCommand Vexira (new) vascan',
['vascan','/usr/lib/Vexira/vascan'],
"-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
"--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}",
[0,3], [1,2,5],
qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],
### http://www.hbedv.com/
['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus',
['antivir','vexira'],
'--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
(?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
### http://www.commandsoftware.com/
['Command AntiVirus for Linux', 'csav',
'-all -archive -packed {}', [50], [51,52,53],
qr/Infection: (.+)/ ],
### http://www.symantec.com/
['Symantec CarrierScan via Symantec CommandLineScanner',
'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
qr/^Files Infected:\s+0$/, qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],
### http://www.symantec.com/
['Symantec AntiVirus Scan Engine',
'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
[0], qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],
# NOTE: check options and patterns to see which entry better applies
### http://www.f-secure.com/products/anti-virus/
['F-Secure Antivirus', 'fsav',
'--dumb --mime --archive {}', [0], [3,8],
qr/(?:infection|Infected|Suspected): (.+)/ ],
['CAI InoculateIT', 'inocucmd', # retired product
'-sec -nex {}', [0], [100],
qr/was infected by virus (.+)/ ],
# see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT)
['CAI eTrust Antivirus', 'etrust-wrapper',
'-arc -nex -spm h {}', [0], [101],
qr/is infected by virus: (.+)/ ],
# NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
# see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
### http://mks.com.pl/english.html
['MkS_Vir for Linux (beta)', ['mks32','mks'],
'-s {}/*', [0], [1,2],
qr/--[ \t]*(.+)/ ],
### http://mks.com.pl/english.html
['MkS_Vir daemon', 'mksscan',
'-s -q {}', [0], [1..7],
qr/^... (\S+)/ ],
### http://www.nod32.com/
['ESET Software NOD32', 'nod32',
'--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],
# with old versions use:
# '-all -subdir+ {}', [0], [1,2],
# qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
### http://www.nod32.com/
['ESET Software NOD32 - Client/Server Version', 'nod32cli',
'-a -r -d recurse --heur standard {}', [0], [10,11],
qr/^\S+\s+infected:\s+(.+)/ ],
### http://www.norman.com/products_nvc.shtml
['Norman Virus Control v5 / Linux', 'nvcc',
'-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
qr/(?i).* virus in .* -> \'(.+)\'/ ],
### http://www.pandasoftware.com/
['Panda Antivirus for Linux', ['pavcl'],
'-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
qr/Number of files infected[ .]*: 0+(?!\d)/,
qr/Number of files infected[ .]*: 0*[1-9]/,
qr/Found virus :\s*(\S+)/ ],
### http://www.nai.com/
['NAI McAfee AntiVirus (uvscan)', 'uvscan',
'--secure -rv --mime --summary --noboot - {}', [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/,
],
### http://www.virusbuster.hu/en/
['VirusBuster', ['vbuster', 'vbengcl'],
"{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
qr/: '(.*)' - Virus/ ],
### http://www.cyber.com/
['CyberSoft VFind', 'vfind',
'--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
# sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
],
### http://www.ikarus-software.com/
['Ikarus AntiVirus for Linux', 'ikarus',
'{}', [0], [40], qr/Signature (.+) found/ ],
### http://www.bitdefender.com/
['BitDefender', 'bdc',
'--all --arc --mail {}', qr/^Infected files *:0+(?!\d)/,
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
);
@av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ### http://www.f-prot.com/ - backs up F-Prot Daemon ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], qr/Infection: (.+)|\s+contains\s+(.+)$/ ], ### http://www.trendmicro.com/ - backs up Trophie ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD ['drweb - DrWeb Antivirus', ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], );
automaatne start
amavisd_enable="YES" clamav_clamd_enable="YES" clamav_freshclam_enable="YES"
kontroll töötamisel
heidame pilgu maillog faili kõigi kirjadekohta peaks tekkima rida
