Hello Postfix pros! Once again I need your help with amavisd via amavisd-milter.
I am currently configuring an all-in-one mail server according to https://dokuwiki.nausch.org/doku.php/centos:mail_c7:start. I have also included the mailguru repo (because of amavisd-milter etc.).
MTA to MTA over port 25 with amavisd works.
MUA to MTA over submission port 587 without amavisd works too.
But as soon as I integrate amavisd via amavisd-milter, the whole thing fails and I simply cannot figure out why. You will surely see right away where the error(s) are.
Many thanks in advance. Best regards, Andi
Test from a foreign MTA to my MTA works:
Excerpt from maillog:
Nov 8 11:44:02 mail postfix/postscreen[23037]: CONNECT from [89.26.12.242]:55315 to [172.31.1.100]:25
Nov 8 11:44:02 mail postfix/postscreen[23037]: PASS OLD [89.26.12.242]:55315
Nov 8 11:44:02 mail postfix/smtpd[23038]: connect from mail1.glasgasperlmair.at[89.26.12.242]
Nov 8 11:44:02 mail postfix/smtpd[23038]: 7D0EC208EC: client=mail1.glasgasperlmair.at[89.26.12.242]
Nov 8 11:44:02 mail postfix/cleanup[23048]: 7D0EC208EC: message-id=5821AC6F.30309@glas-gasperlmair.at
Nov 8 11:44:02 mail amavis[22995]: (22995-02) Checking: qNoKsxTWQPpG AM.PDP-SOCK [89.26.12.242] a.wass@glas-gasperlmair.at -> andi@wassa.at
Nov 8 11:44:03 mail amavis[22995]: (22995-02) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK [89.26.12.242] [89.26.12.242] a.wass@glas-gasperlmair.at -> andi@wassa.at, Queue-ID: 7D0EC208EC, Message-ID: 5821AC6F.30309@glas-gasperlmair.at, mail_id: qNoKsxTWQPpG, Hits: 0.001, size: 2512, 770 ms
Nov 8 11:44:03 mail postfix/qmgr[22911]: 7D0EC208EC: from=a.wass@glas-gasperlmair.at, size=2538, nrcpt=1 (queue active)
Nov 8 11:44:03 mail postfix/smtpd[23038]: disconnect from mail1.glasgasperlmair.at[89.26.12.242]
Nov 8 11:44:03 mail dovecot: lmtp(23052): Connect from 127.0.0.1
Nov 8 11:44:03 mail dovecot: lmtp(andi@wassa.at): 60mlH3OsIVgMWgAAu6NIgg: msgid=5821AC6F.30309@glas-gasperlmair.at: saved mail to INBOX
Nov 8 11:44:03 mail dovecot: lmtp(23052): Disconnect from 127.0.0.1: Successful quit
Nov 8 11:44:03 mail postfix/lmtp[23051]: 7D0EC208EC: to=andi@wassa.at, relay=127.0.0.1[127.0.0.1]:24, delay=1.7, delays=1.2/0.02/0.09/0.37, dsn=2.0.0, status=sent (250 2.0.0 andi@wassa.at 60mlH3OsIVgMWgAAu6NIgg Saved)
Nov 8 11:44:03 mail postfix/qmgr[22911]: 7D0EC208EC: removed
Test with Thunderbird over port 587 does not work.
Excerpt from maillog:
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: connect from unknown[89.26.12.241]
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: Anonymous TLS connection established from unknown[89.26.12.241]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: BC58A208E3: client=unknown[89.26.12.241], sasl_method=PLAIN, sasl_username=andi@wassa.at
Nov 8 11:40:27 mail postfix/cleanup[23014]: BC58A208E3: message-id=5821AB9A.4040706@wassa.at
Nov 8 11:40:27 mail postfix/qmgr[22911]: BC58A208E3: from=andi@wassa.at, size=692, nrcpt=1 (queue active)
Nov 8 11:40:27 mail amavis[22995]: (22995-01) ESMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20161108T114027-22995-9FDAxjys: andi@wassa.at -> a.wass@glas-gasperlmair.at Received: from mail.wassa.at ([127.0.0.1]) by localhost (mail.wassa.at [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for a.wass@glas-gasperlmair.at; Tue, 8 Nov 2016 11:40:27 +0100 (CET)
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: disconnect from unknown[89.26.12.241]
Nov 8 11:40:27 mail amavis[22995]: (22995-01) Checking: 9pw322ZKDeoc ORIGINATING [127.0.0.1] andi@wassa.at -> a.wass@glas-gasperlmair.at
Nov 8 11:40:28 mail amavis[22995]: (22995-01) (!)connect to [127.0.0.1]:10025 failed, attempt #1: Can't connect to socket [127.0.0.1]:10025 using module IO::Socket::IP: Connection refused
Nov 8 11:40:28 mail amavis[22995]: (22995-01) (!)9pw322ZKDeoc FWD from andi@wassa.at -> a.wass@glas-gasperlmair.at, 451 4.5.0 From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:[127.0.0.1]:10025): id=22995-01
Nov 8 11:40:28 mail amavis[22995]: (22995-01) Blocked MTA-BLOCKED {TempFailedOutbound}, ORIGINATING LOCAL [127.0.0.1] [89.26.12.241] andi@wassa.at -> a.wass@glas-gasperlmair.at, Message-ID: 5821AB9A.4040706@wassa.at, mail_id: 9pw322ZKDeoc, Hits: -0.999, size: 692, 597 ms
Nov 8 11:40:28 mail postfix/smtp[23015]: BC58A208E3: to=a.wass@glas-gasperlmair.at, relay=127.0.0.1[127.0.0.1]:10024, delay=0.8, delays=0.17/0.02/0.02/0.59, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 id=22995-01 - Temporary MTA failure on relaying, From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:[127.0.0.1]:10025): id=22995-01 (in reply to end of DATA command))
My configurations:
#####################################################################
/etc/amavisd/amavisd-milter.conf
AMAVIS_USER=amavis
WORKING_DIRECTORY=/var/spool/amavisd/tmp
SOCKET=inet:10010@127.0.0.1
AMAVISD_SOCKET=/var/spool/amavisd/amavisd.sock
MAX_CONNECTIONS=5
MAX_WAIT=300
MAILDAEMON_TIMEOUT=600
AMAVISD_TIMEOUT=600
#####################################################################
/etc/postfix/master.cf
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
# Django : 2014-11-29 amavisd-milter integrated
  -o smtpd_milters=${amavisd_milter}
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=smtp:127.0.0.1:10024
#############################################################################
/etc/postfix/main.cf
amavisd_milter = inet:127.0.0.1:10010
###############################################################################
/etc/amavisd/amavisd.conf
use strict;
################################################################################
#
# Django : 2014-11-15 - Sample configuration AMaViS 2.9 on CentOS 7
#
################################################################################

# A list of all possible variables can be found in the file
# /usr/share/doc/amavisd-new-2.9.1/amavisd.conf-default from the RPM. On the
# website http://www.ijs.si/software/amavisd/amavisd-new-docs.html you will
# also find many explanations and configuration examples

################################################################################
## PATHS OF THE LOCAL INSTALLATION
#

# Paths to the programs and tools
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

# Working directory of AMaViS
$MYHOME = '/var/spool/amavisd';

# Directory for temporary data
#$TEMPBASE = '$MYHOME/tmp';
$TEMPBASE = "$MYHOME/tmp";

# Environment variable TMPDIR, used by SpamAssassin among others
$ENV{TMPDIR} = $TEMPBASE;

# No quarantine -> no quarantine directory needed
$QUARANTINEDIR = undef;

# Directory for the Berkeley database files nanny/cache/snmp
$db_home = "$MYHOME/db";

# Paths to the PID and LOCK files
$lock_file = "/var/run/amavisd/amavisd.lock";
$pid_file = "/var/run/amavisd/amavisd.pid";
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables (NOTE: positive: black, negative: white)
# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com' => [{'.ebay.com' => -3.0}],
# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
#                          '.cleargreen.com' => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [ # the _first_ matching sender determines the score boost

    new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
      [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
      [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i => 5.0],
      [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i => 5.0],
      [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
      [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
      [qr'^(your_friend|greatoffers)@'i => 5.0],
      [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
    ),

#   read_hash("/var/amavis/sender_scores_sitewide"),

    { # a hash-type lookup table (associative array)
      'nobody@cert.org' => -3.0,
      'cert-advisory@us-cert.gov' => -3.0,
      'owner-alert@iss.net' => -3.0,
      'slashdot@slashdot.org' => -3.0,
      'securityfocus.com' => -3.0,
      'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
      'security-alerts@linuxsecurity.com' => -3.0,
      'mailman-announce-admin@python.org' => -3.0,
      'amavis-user-admin@lists.sourceforge.net' => -3.0,
      'amavis-user-bounces@lists.sourceforge.net' => -3.0,
      'spamassassin.apache.org' => -3.0,
      'notification-return@lists.sophos.com' => -3.0,
      'owner-postfix-users@postfix.org' => -3.0,
      'owner-postfix-announce@postfix.org' => -3.0,
      'owner-sendmail-announce@lists.sendmail.org' => -3.0,
      'sendmail-announce-request@lists.sendmail.org' => -3.0,
      'donotreply@sendmail.org' => -3.0,
      'ca+envelope@sendmail.org' => -3.0,
      'noreply@freshmeat.net' => -3.0,
      'owner-technews@postel.acm.org' => -3.0,
      'ietf-123-owner@loki.ietf.org' => -3.0,
      'cvs-commits-list-admin@gnome.org' => -3.0,
      'rt-users-admin@lists.fsck.com' => -3.0,
      'clp-request@comp.nus.edu.sg' => -3.0,
      'surveys-errors@lists.nua.ie' => -3.0,
      'emailnews@genomeweb.com' => -5.0,
      'yahoo-dev-null@yahoo-inc.com' => -3.0,
      'returns.groups.yahoo.com' => -3.0,
      'clusternews@linuxnetworx.com' => -3.0,
      lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
      lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

      # soft-blacklisting (positive score)
      'sender@example.net' => 3.0,
      '.example.net' => 1.0,

    },
  ], # end of site-wide tables
});
# Utilities amavis uses to unpack archives
@decoders = (
  ['mail', \&do_mime_decode],
  ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['xz',   \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
  ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma', 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
  ['lrz',  \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
  ['deb',  \&do_ar, 'ar'],
  ['rar',  \&do_unrar, ['unrar', 'rar'] ],
  ['arj',  \&do_unarj, ['unarj', 'arj'] ],
  ['arc',  \&do_arc, ['nomarch', 'arc'] ],
  ['zoo',  \&do_zoo, ['zoo', 'unzoo'] ],
  ['cab',  \&do_cabextract, 'cabextract'],
  ['tnef', \&do_tnef],
  [['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
  [['zip','kmz'], \&do_unzip],
  ['7z',   \&do_7zip, ['7zr', '7za', '7z'] ],
  [[qw(7z zip gz bz2 Z tar)], \&do_7zip, ['7za', '7z'] ],
  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip, '7z' ],
  ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);

# Emails are delivered to the virus scanner in full. The content of archives
# is never trusted.
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',
  qr'^MAIL-UNDECIPHERABLE$',
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)',
));
################################################################################
## BASIC SERVER SETTINGS AND DEFINITIONS
#

# Number of servers (pre-forked children) to start.
$max_servers = 5;

# User and group of the AMaViS daemon
$daemon_user = 'amavis';
$daemon_group = 'amavis';

# Hostname (FQDN) of the AMaViS server
$myhostname = 'mail.wassa.at';

# Local domain of the AMaViS server
$mydomain = 'wassa.at';

# Address delimiter in the email address
$recipient_delimiter = '+';

# We set everything to NULL and define the back-routing in the policy banks

# How are emails handed back to the MTA? "undef" when using the
# amavisd-milter!
$forward_method = undef;

$notify_method = 'smtp:[mail.wassa.at]:10025';

#$allowed_added_header_fields{lc('X-Virus-Scanned')} = 0;
################################################################################
## LOGGING
#

# verbosity 0..5, -d
# Django : 2014-11-18
# default: $log_level = 0;
$log_level = 3;
# disable by-recipient level-0 log entries
$log_recip_templ = undef;
# log via syslogd (preferred)
$do_syslog = 1;
# Syslog facility as a string e.g.: mail, daemon, user, local0, ... local7
$syslog_facility = 'mail';
# Syslog base (minimal) priority
$syslog_priority = 'debug';
# enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_db = 1;
# enable use of libdb-based cache if $enable_db=1
$enable_global_cache = 1;
# enable use of ZeroMQ (SNMP and nanny)
# $enable_zmq = 1;
#
# nanny verbosity: 1: traditional, 2: detailed
$nanny_details_level = 2;

# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database

# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
# $redis_logging_key = 'amavis-log'; # about 250 MB / 100000
# $redis_logging_queue_size_limit = 300000;

# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
################################################################################
## SOCKETS
#

# Where should AMaViS listen for incoming connections?
@listen_sockets = ( '127.0.0.1:10024', '127.0.0.1:9998', "$MYHOME/amavisd.sock" );

################################################################################
## POLICY MAPPINGS
#

# We route incoming connections into policy banks based on different
# criteria.

# Map TCP sockets to policies
$interface_policy{'9998'} = 'AM.PDP-INET';
$interface_policy{'10024'} = 'ORIGINATING';

# Map UNIX domain sockets to policies
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';

# Map IP addresses/ranges to policies
@client_ipaddr_policy = (
  [qw( 0.0.0.0/8 127.0.0.1/32 [::] [::1] )] => 'LOCALHOST',
  [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
  [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )] => 'PARTNER',
  [qw( 198.51.100.88/32 )] => 'CUSTOMERS',
  [qw( 203.0.113.164/32 )] => 'HOSTING',
  \@mynetworks => 'MYNETS',
);

# Map DKIM-verified senders (domains) to policies
@author_to_policy_bank_maps = ( {
  'piratenpartei-bayern.de' => 'WHITELIST,NOBANNEDCHECK,NOVIRUSCHECK',
  '.paypal.de' => 'WHITELIST',
  '.paypal.com' => 'WHITELIST',
  'amazon.de' => 'WHITELIST',
} );
################################################################################
## DESTINATIONS
#

# Definition of traffic directions:

# This is inbound (to internal). Conversely, all other destinations are external.
@local_domains_maps = (
  [".$mydomain"],
  read_hash("/etc/postfix/all_local_domains_map"),
);

# This comes from internal. Everything else is from external by default, unless
# we recognize it by other criteria such as DKIM signature or originating port
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 172.31.1.0/24 10.0.10.0/26 );

################################################################################
## NOTIFICATIONS
#

# Warn external parties?
$warn_offsite = 0;

# Envelope sender
$mailfrom_notify_admin = "postmaster\@$mydomain";
$mailfrom_notify_recip = "postmaster\@$mydomain";
$mailfrom_notify_sender = "postmaster\@$mydomain";
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
$mailfrom_to_quarantine = '';
$dsn_bcc = "postmaster\@$mydomain";

# From: header
$hdrfrom_notify_sender = "Postmaster <postmaster\@$mydomain>";
$hdrfrom_notify_recip = "Postmaster <postmaster\@$mydomain>";
$hdrfrom_notify_release = "Postmaster <postmaster\@$mydomain>";
################################################################################
## VIRUS POLICY
#

# Enable check?
# @bypass_virus_checks_maps = (1);

# Quarantine?
$virus_quarantine_to = undef;

# Notify admin?
$virus_admin = undef;

# Notify recipient?
$warnvirusrecip = 1;

# Extend recipient address on release?
@addr_extension_virus_maps = ('virus');

# Wrap email on release?
$defang_virus = 1;

# Do we want to transport content?
$final_virus_destiny = D_REJECT;

@av_scanners = (
  ### http://www.clamav.net/
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);

@av_scanners_backup = ();
#@av_scanners_backup = (
#  ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
#  ['ClamAV-clamscan', 'clamscan',
#    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
#    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
#);
################################################################################
## SPAM POLICY
#

# Enable check?
# @bypass_spam_checks_maps = (1);

# Quarantine?
$spam_quarantine_to = undef;

# Notify admin?
$spam_admin = undef;

# Extend recipient address on release?
@addr_extension_spam_maps = ('spam');

# Wrap email on release?
$defang_spam = undef;

# Do we want to transport content?
$final_spam_destiny = D_REJECT;

# add spam info headers if at, or above that level
$sa_tag_level_deflt = -1000.0;
# add 'spam detected' headers at that level
$sa_tag2_level_deflt = 6.31;
# triggers spam evasive actions (e.g. blocks mail)
$sa_kill_level_deflt = 6.31;
# spam level beyond which a DSN is not sent
$sa_dsn_cutoff_level = 10;
# likewise, but for a likely valid From
$sa_crediblefrom_dsn_cutoff_level = 18;
# spam level beyond which quarantine is off
# $sa_quarantine_cutoff_level = 25;

# (no effect without a @storage_sql_dsn database)
$penpals_bonus_score = 8;
# don't waste time on hi spam
$penpals_threshold_high = $sa_kill_level_deflt;
# spam score points to add for joe-jobbed bounces
$bounce_killer_score = 100;
# don't waste time on SA if mail is larger
$sa_mail_body_size_limit = 400*1024;
# only tests which do not require internet access?
$sa_local_tests_only = 0;

$sa_spam_subject_tag = '***Spam*** ';
################################################################################
## BANNED POLICY
#

# Enable check?
#@bypass_banned_checks_maps = (1);

# Quarantine?
$banned_quarantine_to = undef;

# Notify admin?
$banned_admin = undef;

# Extend recipient address on release?
@addr_extension_banned_maps = ('banned');

# Wrap email on release?
$defang_banned = 1;

# Do we want to transport content?
$final_banned_destiny = D_BOUNCE;

# Definition lists in which we group certain file types
# We can use the definition names in a policy
%banned_rules = (
  'NO-MS-EXEC' => new_RE( qr'^\.(exe-ms)$' ),
  'PASSALL'    => new_RE( [qr'^' => 0] ),
  'ALLOW_EXE'  => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
  'ALLOW_VBS'  => new_RE( [qr'.\.vbs$' => 0] ),
  'NO-VIDEO'   => new_RE( qr'^\.movie$',
    qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
  'NO-MOVIES'  => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),
  'MYNETS-DEFAULT' => new_RE( [ qr'^\.(rpm|cpio|tar)$' => 0 ], qr'.\.(vbs|pif|scr)$'i, ),
  'DEFAULT'    => $banned_filename_re,
);

# Everything that is DEFAULT in the definition list above
$banned_filename_re = new_RE(
  # banned file(1) types, rudimentary
  qr'^\.(exe-ms|dll)$',
  # allow any in Unix-type archives
  [ qr'^\.(rpm|cpio|tar)$' => 0 ],
  # banned extensions - rudimentary
  qr'.\.(pif|scr)$'i,
  # block these MIME types
  qr'^application/x-msdownload$'i,
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  # block certain double extensions in filenames
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
  # banned extension - basic+cmd
  qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
);
################################################################################
## HEADER POLICY
#

# Enable check?
# @bypass_header_checks_maps = (1);

# Quarantine?
$bad_header_quarantine_method = undef;

# Extend recipient address on release?
@addr_extension_bad_header_maps = ('badh');

# Wrap email on release?
# NUL or CR character in header
$defang_by_ccat{CC_BADH.",3"} = 1;
# header line longer than 998 characters
$defang_by_ccat{CC_BADH.",5"} = 1;
# header field syntax error
$defang_by_ccat{CC_BADH.",6"} = 1;

# Do we want to transport content?
$final_bad_header_destiny = D_PASS;

# Notify admin?
$bad_header_admin = undef;

# Notify sender?
$warnbadhsender = undef;

# Notify recipient?
$warnbadhrecip = undef;

################################################################################
## UNCHECKED POLICY
#
$undecipherable_subject_tag = '';

$MAXLEVELS = 14;
$MAXFILES = 3000;
# bytes (default undef, not enforced)
$MIN_EXPANSION_QUOTA = 100*1024;
# bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 500*1024*1024;
################################################################################
## DKIM - Domain Key Identified Mail
#

# Verify DKIM signatures
$enable_dkim_verification = 0;

# Create DKIM signatures
$enable_dkim_signing = 0;

# Private keys and selectors
#
#          signing domain  selector  private key                                 options
#          -------------   --------  ----------------------                      ----------
# dkim_key('nausch.org',   '201411', '/var/spool/amavis/dkim/201411_nausch.org');

# DKIM signing policies
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } }
);

# to query p0f-analyzer.pl
# $os_fingerprint_method = 'p0f:*:2345';

## hierarchy by which a final setting is chosen:
##   policy bank (based on port or IP address) -> *_by_ccat
##   *_by_ccat (based on mail contents) -> *_maps
##   *_maps (based on recipient address) -> final configuration value
################################################################################
## POLICY BANKS
#

## POLICY BANK MYNETWORK
# All hosts that are listed in MYNETS
$policy_bank{'MYNETS'} = {
  # Every mail from one of our hosts is set as originating
  originating => 1,
  # Do not perform p0f queries for internal clients.
  os_fingerprint_method => undef,
};

## POLICY BANK SUBMISSION
# Messages from our customers that were submitted on port 587 (submission)
# are set as originating, i.e. from us.
$policy_bank{'ORIGINATING'} = {
  # which host is allowed to submit on port 10014
  inet_acl => [qw( 127.0.0.1 )],
  # emails from port 587 are set as "from us" = originating
  originating => 1,
  # Append disclaimers to every mail, if any are available.
  allow_disclaimers => 1,
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps => ["virusalert\@$mydomain"],
  warnbadhsender => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  # allow sending any file names and types
  bypass_spam_checks_maps => [0],
  # allow sending any file names and types
  bypass_banned_checks_maps => [1],
  # don't remove NOTIFY=SUCCESS option
  terminate_dsn_on_notify_success => 0,
  notify_method => 'smtp:[127.0.0.1]:10025',
  forward_method => 'smtp:[127.0.0.1]:10025',
  final_virus_destiny => 'D_BOUNCE',
};

# This is where the MILTER arrives
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,
};

# This is where we would release
$policy_bank{'AM.PDP-INET'} = {
  protocol => 'AM.PDP',
  inet_acl => [qw( 127.0.0.1 )],
  auth_required_release => 0,
};

## POLICY BANK: WHITELIST
$policy_bank{'WHITELIST'} = {
  bypass_spam_checks_maps => [1],
  spam_lovers_maps => [1],
};

## POLICY BANK: NOVIRUSCHECK
$policy_bank{'NOVIRUSCHECK'} = {
  bypass_decode_parts => 1,
  bypass_virus_checks_maps => [1],
  virus_lovers_maps => [1],
};

## POLICY BANK: NOBANNEDCHECK
$policy_bank{'NOBANNEDCHECK'} = {
  bypass_banned_checks_maps => [1],
  banned_files_lovers_maps => [1],
};

1; # insure a defined return value

# vim: set ft=perl sw=4:
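
An added example, not part of the original post: the second log excerpt shows amavis getting "Connection refused" on [127.0.0.1]:10025, so this sketch cross-checks the smtp: targets named in amavisd.conf against the inet services defined in master.cf. The function names, the abridged sample strings and the REINJECT service line are assumptions for illustration; the check is purely textual, compares ports only and does not evaluate Perl.

```python
import re

# Constructed sample input, abridged from the configuration shown in the post.
AMAVISD_CONF = """\
$forward_method = undef;
$notify_method = 'smtp:[mail.wassa.at]:10025';
$policy_bank{'ORIGINATING'} = {
  forward_method => 'smtp:[127.0.0.1]:10027',
  notify_method  => 'smtp:[127.0.0.1]:10025',
  forward_method => 'smtp:[127.0.0.1]:10025',
};
"""

MASTER_CF = """\
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
  -o smtpd_milters=${amavisd_milter}
submission inet  n  -  n  -  -  smtpd
  -o content_filter=smtp:127.0.0.1:10024
"""

# Hypothetical reinjection service (an assumption, not taken from the post).
REINJECT = "127.0.0.1:10025 inet n - n - - smtpd\n  -o content_filter=\n"

WELL_KNOWN = {"smtp": 25, "smtps": 465, "submission": 587}

TARGET_RE = re.compile(
    r"\b(forward_method|notify_method)\s*=>?\s*'smtp:(\[[^\]]+\]|[^:'\[]+):(\d+)'"
)


def amavis_smtp_targets(conf_text):
    """Return (setting, host, port) for each active smtp: forward/notify target."""
    targets = []
    for line in conf_text.splitlines():
        code = line.split("#", 1)[0]  # ignore Perl comments
        for setting, host, port in TARGET_RE.findall(code):
            targets.append((setting, host.strip("[]"), int(port)))
    return targets


def master_cf_inet_ports(master_text):
    """Return the set of TCP ports on which master.cf defines inet services."""
    ports = set()
    for line in master_text.splitlines():
        # Service definitions start in column 0; "-o" continuations are indented.
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        service = fields[0].rsplit(":", 1)[-1]  # "127.0.0.1:10025" -> "10025"
        if service.isdigit():
            ports.add(int(service))
        elif service in WELL_KNOWN:
            ports.add(WELL_KNOWN[service])
    return ports


def unreachable_targets(conf_text, master_text, other_listeners=()):
    """List amavis targets whose port has no listener in master.cf."""
    listening = master_cf_inet_ports(master_text) | set(other_listeners)
    return [t for t in amavis_smtp_targets(conf_text) if t[2] not in listening]


if __name__ == "__main__":
    for setting, host, port in unreachable_targets(AMAVISD_CONF, MASTER_CF):
        print(f"{setting}: nothing in master.cf listens on port {port} ({host})")
```

A key that appears twice in one policy bank, like forward_method above, is reported for each occurrence, although Perl keeps only the last value.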