use strict; $MYHOME = '/var/lib/amavis'; # (default is '/var/amavis') $mydomain = 'localhost.localdomain'; # (no useful default) $daemon_user = 'amavis'; # (no default; customary: vscan or amavis) $daemon_group = 'amavis'; # (no default; customary: vscan or amavis or sweep) $TEMPBASE = $MYHOME; # (must be set if other config vars use is) $pid_file = "/var/run/amavis/amavisd.pid"; # (default is "$MYHOME/amavisd.pid") $lock_file = "var/run/amavis/amavisd.lock"; # (default is "$MYHOME/amavisd.lock") $ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 $max_servers = 2; # number of pre-forked children (default 2) $max_requests = 20; # retire a child after that many accepts (default 10) $child_timeout=5*60; # abort child if it does not complete each task in @local_domains_maps = ( [".$mydomain"] ); # $mydomain and its subdomains # (does not apply to sendmail/milter) # (default is true) $unix_socketname = "/var/lib/amavis/amavisd.sock"; # amavis helper protocol socket $inet_socket_port = 10024; # accept SMTP on this local TCP port @inet_acl = qw(127.0.0.1 [::1]); # allow SMTP access only from localhost IP $DO_SYSLOG = 0; # (defaults to 0) $LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log) $log_level = 0; # (defaults to 0) $log_recip_templ = undef; # undef disables by-recipient level-0 log entries $log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], # [?%o|(?)|<%o>] -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c'; read_l10n_templates('de_DE', '/etc/amavis'); $final_virus_destiny = D_DISCARD; # (defaults to D_DISCARD) $final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE) $final_spam_destiny = D_REJECT; # (defaults to D_BOUNCE) $final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested @viruses_that_fake_sender_maps = (new_RE( qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i, qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i, qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i, qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i, qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc [qr'^(EICAR|Joke\.|Junk\.)'i => 0], [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0], [qr/^/ => 1], # true by default (remove or comment-out if undesired) )); $virus_admin = "virusalert\@$mydomain"; $virus_admin = 'postmaster/@$mydomain'; $spam_admin = "spamalert\@$mydomain"; $mailfrom_to_quarantine = ''; # override sender address with null return path $QUARANTINEDIR = '/var/lib/amavis/virusmails'; $virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%m.bsmtp"; $spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%m.bsmtp"; $virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine $banned_quarantine_to = 'banned-quarantine'; # local quarantine $bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine $spam_quarantine_to = 'spam-quarantine'; # local quarantine $X_HEADER_TAG = 'X-Virus-Scanned'; # (default: 'X-Virus-Scanned') $X_HEADER_LINE = "by $myversion (Debian) at $mydomain"; $undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it $defang_virus = 1; # default is false: don't modify mail body $defang_banned = 1; # default is false: don't modify mail body $remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone # (defaults to false) $remove_existing_spam_headers = 1; # remove existing spam headers if # spam scanning is enabled (default) @keep_decoded_original_maps = (new_RE( qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, )); $banned_filename_re = new_RE( qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic qr'^\.(exe-ms)$', # banned file(1) types ); $banned_namepath_re = new_RE( qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi, qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi, qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi, [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ], # allow qr'(?# BLOCK DOUBLE-EXTENSIONS ) ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \. (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi, qr'(?# BLOCK COMMON NAME EXENSIONS ) ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi, [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM ) ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ], qr'(?# BLOCK Microsoft EXECUTABLES ) ^ (.*\t)? T=exe-ms (\t.*)? $'xm, # banned file(1) type ); $banned_namepath_re = undef; # to disable new-style $sql_select_white_black_list = undef; # undef disables SQL white/blacklisting $localpart_is_case_sensitive = 0; # (default is false) @score_sender_maps = ({ # a by-recipient hash lookup table '.' => [ # the _first_ matching sender determines the score boost new_RE( # regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], [qr'^(your_friend|greatoffers)@'i => 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], ), { # a hash-type lookup table (associative array) 'nobody@cert.org' => -3.0, 'cert-advisory@us-cert.gov' => -3.0, 'owner-alert@iss.net' => -3.0, 'slashdot@slashdot.org' => -3.0, 'bugtraq@securityfocus.com' => -3.0, 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, 'security-alerts@linuxsecurity.com' => -3.0, 'mailman-announce-admin@python.org' => -3.0, 'amavis-user-admin@lists.sourceforge.net'=> -3.0, 'notification-return@lists.sophos.com' => -3.0, 'owner-postfix-users@postfix.org' => -3.0, 'owner-postfix-announce@postfix.org' => -3.0, 'owner-sendmail-announce@lists.sendmail.org' => -3.0, 'sendmail-announce-request@lists.sendmail.org' => -3.0, 'donotreply@sendmail.org' => -3.0, 'ca+envelope@sendmail.org' => -3.0, 'noreply@freshmeat.net' => -3.0, 'owner-technews@postel.acm.org' => -3.0, 'ietf-123-owner@loki.ietf.org' => -3.0, 'cvs-commits-list-admin@gnome.org' => -3.0, 'rt-users-admin@lists.fsck.com' => -3.0, 'clp-request@comp.nus.edu.sg' => -3.0, 'surveys-errors@lists.nua.ie' => -3.0, 'emailnews@genomeweb.com' => -5.0, 'yahoo-dev-null@yahoo-inc.com' => -3.0, 'returns.groups.yahoo.com' => -3.0, 'clusternews@linuxnetworx.com' => -3.0, lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, 'sender@example.net' => 3.0, '.example.net' => 1.0, }, ], # end of site-wide tables }); @blacklist_sender_maps = ( new_RE( qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i, qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i, qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i, qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i, qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i, qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i, )); $MAXLEVELS = 14; # (default is undef, no limit) $MAXFILES = 1500; # (default is undef, no limit) $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) $MIN_EXPANSION_FACTOR = 5; # times original mail size (default is 5) $MAX_EXPANSION_FACTOR = 500; # times original mail size (default is 500) $virus_check_negative_ttl= 3*60; # time to remember that mail was not infected $virus_check_positive_ttl= 30*60; # time to remember that mail was infected $spam_check_negative_ttl = 30*60; # time to remember that mail was not spam $spam_check_positive_ttl = 30*60; # time to remember that mail was spam $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; $file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability $dspam = 'dspam'; @decoders = ( ['mail', \&do_mime_decode], ['asc', \&do_ascii], ['uue', \&do_ascii], ['hqx', \&do_ascii], ['ync', \&do_ascii], ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ], ['gz', \&do_gunzip], ['gz', \&do_uncompress, 'gzip -d'], ['bz2', \&do_uncompress, 'bzip2 -d'], ['lzo', \&do_uncompress, 'lzop -d'], ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['tar', \&do_tar], ['deb', \&do_ar, 'ar'], ['zip', \&do_unzip], ['rar', \&do_unrar, ['rar','unrar'] ], ['arj', \&do_unarj, ['arj','unarj'] ], ['arc', \&do_arc, ['nomarch','arc'] ], ['zoo', \&do_zoo, 'zoo'], ['lha', \&do_lha, 'lha'], ['cab', \&do_cabextract, 'cabextract'], ['tnef', \&do_tnef_ext, 'tnef'], ['tnef', \&do_tnef], ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], ); $sa_local_tests_only = 1; # (default: false) $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger # (less than 1% of spam is > 64k) # default: undef, no limitations $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level; # undef is interpreted as lower than any spam level $sa_tag2_level_deflt = 6.31;# add 'spam detected' headers at that level to $sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions # at or above that level: bounce/reject/drop, # quarantine, and adding mail address extension $sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent, # (only seen when spam is passed and recipient is # undef or empty disables inserting X-Spam-Level @av_scanners = ( ['KasperskyLab AVP - aveclient', ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', '/opt/kav/bin/aveclient','aveclient'], '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/, qr/(?:INFECTED|SUSPICION) (.+)/, ], ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? qr/infected: (.+)/, sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], ['KasperskyLab AVPDaemonClient', [ '/opt/AVP/kavdaemon', 'kavdaemon', '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', '/opt/AVP/AvpTeamDream', 'AvpTeamDream', '/opt/AVP/avpdc', 'avpdc' ], "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ], ['CentralCommand Vexira (new) vascan', ['vascan','/usr/lib/Vexira/vascan'], "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". "--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}", [0,3], [1,2,5], qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ], ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus', ['antivir','vexira'], '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/, qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ], ['Command AntiVirus for Linux', 'csav', '-all -archive -packed {}', [50], [51,52,53], qr/Infection: (.+)/ ], ['Symantec CarrierScan via Symantec CommandLineScanner', 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', qr/^Files Infected:\s+0$/, qr/^Infected\b/, qr/^(?:Info|Virus Name):\s+(.+)/ ], ['Symantec AntiVirus Scan Engine', 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', [0], qr/^Infected\b/, qr/^(?:Info|Virus Name):\s+(.+)/ ], ['F-Secure Antivirus', 'fsav', '--dumb --mime --archive {}', [0], [3,8], qr/(?:infection|Infected|Suspected): (.+)/ ], ['CAI InoculateIT', 'inocucmd', # retired product '-sec -nex {}', [0], [100], qr/was infected by virus (.+)/ ], ['CAI eTrust Antivirus', 'etrust-wrapper', '-arc -nex -spm h {}', [0], [101], qr/is infected by virus: (.+)/ ], ['MkS_Vir for Linux (beta)', ['mks32','mks'], '-s {}/*', [0], [1,2], qr/--[ \t]*(.+)/ ], ['MkS_Vir daemon', 'mksscan', '-s -q {}', [0], [1..7], qr/^... (\S+)/ ], ['ESET Software NOD32', 'nod32', '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ], ['ESET Software NOD32 - Client/Server Version', 'nod32cli', '-a -r -d recurse --heur standard {}', [0], [10,11], qr/^\S+\s+infected:\s+(.+)/ ], ['Norman Virus Control v5 / Linux', 'nvcc', '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], qr/(?i).* virus in .* -> \'(.+)\'/ ], ['Panda Antivirus for Linux', ['pavcl'], '-aut -aex -heu -cmp -nbr -nor -nso -eng {}', qr/Number of files infected[ .]*: 0+(?!\d)/, qr/Number of files infected[ .]*: 0*[1-9]/, qr/Found virus :\s*(\S+)/ ], ['NAI McAfee AntiVirus (uvscan)', 'uvscan', '--secure -rv --mime --summary --noboot - {}', [0], [13], qr/(?x) Found (?: \ the\ (.+)\ (?:virus|trojan) | \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | :\ (.+)\ NOT\ a\ virus)/, ], ['VirusBuster', ['vbuster', 'vbengcl'], "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], qr/: '(.*)' - Virus/ ], ['CyberSoft VFind', 'vfind', '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/, ], ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40], qr/Signature (.+) found/ ], ['BitDefender', 'bdc', '--all --arc --mail {}', qr/^Infected files *:0+(?!\d)/, qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/, qr/(?:suspected|infected): (.*)(?:\033|$)/ ], ); @av_scanners_backup = ( ['ClamAV-clamscan', 'clamscan', "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], qr/Infection: (.+)|\s+contains\s+(.+)$/ ], ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ], ['drweb - DrWeb Antivirus', ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'], ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'], '-i1 -xp {}', [0,10,15], [5,20,21,25], qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ , sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], ); 1; # insure a defined return