Postfix und amavisd per amavisd-milter

8 Nov 2016


      Hallo Postfix-Profis!
Ich brauch wieder mal eure Hilfe bei amavisd per amavisd-milter.
Ich bin gerade dabei einen All-in-One-Mailserver lt. 
https://dokuwiki.nausch.org/doku.php/centos:mail_c7:start zu konfigurieren.
Ich habe auch das mailguru repo eingebunden (wg. amavisd-milter usw.)
MTA zu MTA über Port 25 mit amavisd funktioniert
MUA zu MTA über submission port 587 ohne amavisd funktioniert auch
Aber Sobald ich amavisd per amavisd-milter einbinde, scheitert das Ganze 
und ich komme einfach nicht dahinter, woran es liegt.
Ihr seht sicher sofort, wo der/die Fehler liegen.
Vielen Dank im Voraus.
vg, Andi
Test von fremden MTA zu meinem MTA funktioniert:
Auszug aus maillog:
Nov  8 11:44:02 mail postfix/postscreen[23037]: CONNECT from 
[89.26.12.242]:55315 to [172.31.1.100]:25
Nov  8 11:44:02 mail postfix/postscreen[23037]: PASS OLD 
[89.26.12.242]:55315
Nov  8 11:44:02 mail postfix/smtpd[23038]: connect from 
mail1.glasgasperlmair.at[89.26.12.242]
Nov  8 11:44:02 mail postfix/smtpd[23038]: 7D0EC208EC: 
client=mail1.glasgasperlmair.at[89.26.12.242]
Nov  8 11:44:02 mail postfix/cleanup[23048]: 7D0EC208EC: 
message-id=5821AC6F.30309@glas-gasperlmair.at
Nov  8 11:44:02 mail amavis[22995]: (22995-02) Checking: qNoKsxTWQPpG 
AM.PDP-SOCK [89.26.12.242] a.wass@glas-gasperlmair.at -> andi@wassa.at
Nov  8 11:44:03 mail amavis[22995]: (22995-02) Passed CLEAN 
{AcceptedInbound}, AM.PDP-SOCK [89.26.12.242] [89.26.12.242] 
a.wass@glas-gasperlmair.at -> andi@wassa.at, Queue-ID: 7D0EC208EC, 
Message-ID: 5821AC6F.30309@glas-gasperlmair.at, mail_id: qNoKsxTWQPpG, 
Hits: 0.001, size: 2512, 770 ms
Nov  8 11:44:03 mail postfix/qmgr[22911]: 7D0EC208EC: 
from=a.wass@glas-gasperlmair.at, size=2538, nrcpt=1 (queue active)
Nov  8 11:44:03 mail postfix/smtpd[23038]: disconnect from 
mail1.glasgasperlmair.at[89.26.12.242]
Nov  8 11:44:03 mail dovecot: lmtp(23052): Connect from 127.0.0.1
Nov  8 11:44:03 mail dovecot: lmtp(andi@wassa.at): 
60mlH3OsIVgMWgAAu6NIgg: msgid=5821AC6F.30309@glas-gasperlmair.at: 
saved mail to INBOX
Nov  8 11:44:03 mail dovecot: lmtp(23052): Disconnect from 127.0.0.1: 
Successful quit
Nov  8 11:44:03 mail postfix/lmtp[23051]: 7D0EC208EC: 
to=andi@wassa.at, relay=127.0.0.1[127.0.0.1]:24, delay=1.7, 
delays=1.2/0.02/0.09/0.37, dsn=2.0.0, status=sent (250 2.0.0 
andi@wassa.at 60mlH3OsIVgMWgAAu6NIgg Saved)
Nov  8 11:44:03 mail postfix/qmgr[22911]: 7D0EC208EC: removed
Test mit Thunderbird über port 587 funktioniert nicht
Auszug aus maillog:
Nov  8 11:40:27 mail postfix/submission/smtpd[23001]: connect from 
unknown[89.26.12.241]
Nov  8 11:40:27 mail postfix/submission/smtpd[23001]: Anonymous TLS 
connection established from unknown[89.26.12.241]: TLSv1.2 with cipher 
ECDHE-RSA-AES256-SHA (256/256 bits)
Nov  8 11:40:27 mail postfix/submission/smtpd[23001]: BC58A208E3: 
client=unknown[89.26.12.241], sasl_method=PLAIN, sasl_username=andi@wassa.at
Nov  8 11:40:27 mail postfix/cleanup[23014]: BC58A208E3: 
message-id=5821AB9A.4040706@wassa.at
Nov  8 11:40:27 mail postfix/qmgr[22911]: BC58A208E3: 
from=andi@wassa.at, size=692, nrcpt=1 (queue active)
Nov  8 11:40:27 mail amavis[22995]: (22995-01) ESMTP [127.0.0.1]:10024 
/var/spool/amavisd/tmp/amavis-20161108T114027-22995-9FDAxjys: 
andi@wassa.at -> a.wass@glas-gasperlmair.at Received: from 
mail.wassa.at ([127.0.0.1]) by localhost (mail.wassa.at [127.0.0.1]) 
(amavisd-new, port 10024) with ESMTP for a.wass@glas-gasperlmair.at; 
Tue,  8 Nov 2016 11:40:27 +0100 (CET)
Nov  8 11:40:27 mail postfix/submission/smtpd[23001]: disconnect from 
unknown[89.26.12.241]
Nov  8 11:40:27 mail amavis[22995]: (22995-01) Checking: 9pw322ZKDeoc 
ORIGINATING [127.0.0.1] andi@wassa.at -> a.wass@glas-gasperlmair.at
Nov  8 11:40:28 mail amavis[22995]: (22995-01) (!)connect to 
[127.0.0.1]:10025 failed, attempt #1: Can't connect to socket 
[127.0.0.1]:10025 using module IO::Socket::IP: Connection refused
Nov  8 11:40:28 mail amavis[22995]: (22995-01) (!)9pw322ZKDeoc FWD from 
andi@wassa.at -> a.wass@glas-gasperlmair.at,  451 4.5.0 From MTA() 
during fwd-connect (All attempts (1) failed connecting to 
smtp:[127.0.0.1]:10025): id=22995-01
Nov  8 11:40:28 mail amavis[22995]: (22995-01) Blocked MTA-BLOCKED 
{TempFailedOutbound}, ORIGINATING LOCAL [127.0.0.1] [89.26.12.241] 
andi@wassa.at -> a.wass@glas-gasperlmair.at, Message-ID: 
5821AB9A.4040706@wassa.at, mail_id: 9pw322ZKDeoc, Hits: -0.999, size: 
692, 597 ms
Nov  8 11:40:28 mail postfix/smtp[23015]: BC58A208E3: 
to=a.wass@glas-gasperlmair.at, relay=127.0.0.1[127.0.0.1]:10024, 
delay=0.8, delays=0.17/0.02/0.02/0.59, dsn=4.5.0, status=deferred (host 
127.0.0.1[127.0.0.1] said: 451 4.5.0 id=22995-01 - Temporary MTA failure 
on relaying, From MTA() during fwd-connect (All attempts (1) failed 
connecting to smtp:[127.0.0.1]:10025): id=22995-01 (in reply to end of 
DATA command))
Meine Konfigurationen:
#####################################################################
/etc/amavisd/amavisd-milter.conf
AMAVIS_USER=amavis
WORKING_DIRECTORY=/var/spool/amavisd/tmp
SOCKET=inet:10010@127.0.0.1
AMAVISD_SOCKET=/var/spool/amavisd/amavisd.sock
MAX_CONNECTIONS=5
MAX_WAIT=300
MAILDAEMON_TIMEOUT=600
AMAVISD_TIMEOUT=600
#####################################################################
/etc/postfix/master.cf
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
   -o smtpd_sasl_auth_enable=no
# Django : 2014-11-29 amavisd-milter eingebunden
   -o smtpd_milters=${amavisd_milter}
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
   -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING
   -o content_filter=smtp:127.0.0.1:10024
#############################################################################
/etc/postfix/main.cf
amavisd_milter = inet:127.0.0.1:10010
###############################################################################
/etc/amavisd/amavisd.conf
use strict;
################################################################################
# #
#     Django : 2014-11-15 - Musterkonfiguration AMaViS 2.9 unter CentOS 
7      #
# #
################################################################################
# Eine Aufstellung aller möglichen Variablen findet man in der Datei
# /usr/share/doc/amavisd-new-2.9.1/amavisd.conf-default aus dem RPM. Auf 
der
# Webseite http://www.ijs.si/software/amavisd/amavisd-new-docs.html findet
# man darüber hinaus noch viele erklärungen und Konfigurationsbeispiele
################################################################################
## PFADANGABEN DER LOKALEN INSTALLATION
#
# Pfadangaben zu den Programmen und Tools
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# Arbeitsverzeichnisses von AMaViS
$MYHOME = '/var/spool/amavisd';
# Verzeichnis für temporäre Daten
#$TEMPBASE = '$MYHOME/tmp';
$TEMPBASE = "$MYHOME/tmp";
# Enviroment Variable TMPDIR, wird unter anderem von Spamassassion verwendet
$ENV{TMPDIR} = $TEMPBASE;
# Keine Quarantäne -> kein Quarantäneverzeichnis notwendig
$QUARANTINEDIR = undef;
# Verzeichnisses für die Berkeley-Datenbank Dateien nanny/cache/snmp
$db_home   = "$MYHOME/db";
# Pfade zur PID- und LOCK-Datei
$lock_file = "/var/run/amavisd/amavisd.lock";
$pid_file  = "/var/run/amavisd/amavisd.pid";
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
                         # results from all matching recipient tables 
are summed
# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# 'user1@example.com'  => [{'bla-mobile.press@example.com'             
=> 10.0}],
# 'user3@example.com'  => [{'.ebay.com'                                
=> -3.0}],
# 'user4@example.com'  => [{'cleargreen@cleargreen.com'                
=> -7.0,
# '.cleargreen.com'                          => -5.0}],
## site-wide opinions about senders (the '.' matches any recipient)
   '.' => [  # the _first_ matching sender determines the score boost
new_RE(  # regexp-type lookup table, just happens to be all 
soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market.alert)@'i => 5.0],
[qr'^(money2you|MyGreenCard|new.tld.registry|opt-out|opt-in)@'i => 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
    ),
#  read_hash("/var/amavis/sender_scores_sitewide"),
{ # a hash-type lookup table (associative array)
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
'mailman-announce-admin@python.org' => -3.0,
'amavis-user-admin@lists.sourceforge.net' => -3.0,
'amavis-user-bounces@lists.sourceforge.net' => -3.0,
'spamassassin.apache.org' => -3.0,
'notification-return@lists.sophos.com' => -3.0,
'owner-postfix-users@postfix.org' => -3.0,
'owner-postfix-announce@postfix.org' => -3.0,
'owner-sendmail-announce@lists.sendmail.org' => -3.0,
'sendmail-announce-request@lists.sendmail.org' => -3.0,
'donotreply@sendmail.org' => -3.0,
'ca+envelope@sendmail.org' => -3.0,
'noreply@freshmeat.net' => -3.0,
'owner-technews@postel.acm.org' => -3.0,
'ietf-123-owner@loki.ietf.org' => -3.0,
'cvs-commits-list-admin@gnome.org' => -3.0,
'rt-users-admin@lists.fsck.com' => -3.0,
'clp-request@comp.nus.edu.sg' => -3.0,
'surveys-errors@lists.nua.ie' => -3.0,
'emailnews@genomeweb.com' => -5.0,
'yahoo-dev-null@yahoo-inc.com' => -3.0,
'returns.groups.yahoo.com' => -3.0,
'clusternews@linuxnetworx.com' => -3.0,
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
# soft-blacklisting (positive score)
'sender@example.net' =>  3.0,
'.example.net' =>  1.0,
},
   ],  # end of site-wide tables
});
# Utilities mit denen amavis Archive auspackt
@decoders = (
     ['mail', &do_mime_decode],
     ['F',    &do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
     ['Z',    &do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
     ['gz',   &do_uncompress, 'gzip -d'],
     ['gz', &do_gunzip],
     ['bz2',  &do_uncompress, 'bzip2 -d'],
     ['xz',   &do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
     ['lzma', &do_uncompress, ['lzmadec', 'xz -dc --format=lzma',
             'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
     ['lrz',  &do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
     ['lzo',  &do_uncompress, 'lzop -d'],
     ['rpm',  &do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
     [['cpio','tar'], &do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
     ['deb',  &do_ar, 'ar'],
     ['rar',  &do_unrar, ['unrar', 'rar'] ],
     ['arj',  &do_unarj, ['unarj', 'arj'] ],
     ['arc',  &do_arc,   ['nomarch', 'arc'] ],
     ['zoo',  &do_zoo,   ['zoo', 'unzoo'] ],
     ['cab',  &do_cabextract, 'cabextract'],
     ['tnef', &do_tnef],
     [['zip','kmz'], &do_7zip,  ['7za', '7z'] ],
     [['zip','kmz'], &do_unzip],
     ['7z',   &do_7zip,  ['7zr', '7za', '7z'] ],
     [[qw(7z zip gz bz2 Z tar)], &do_7zip,  ['7za', '7z'] ],
     [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], 
&do_7zip,  '7z' ],
     ['exe',  &do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);
# eMails wird komplett dem Virenscanner zugestellt. Dem Inhalt von Archiven
# wird grundsätzlich nicht vertraut.
@keep_decoded_original_maps = (new_RE(
qr'^MAIL$',
qr'^MAIL-UNDECIPHERABLE$',
   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)',
));
################################################################################
## GRUNDSÄTZLICHE SERVERANGABEN UND -DEFINITIONEN
#
# Anzahl Server (pre-forked childs) die gestartet werden sollen.
$max_servers = 5;
# User und Gruppe des AMaViS Daemon
$daemon_user  = 'amavis';
$daemon_group = 'amavis';
# Hostname (FQDN) des AMaViS-Servers
$myhostname = 'mail.wassa.at';
# Lokale Domäne des AMaViS-Servers
$mydomain = 'wassa.at';
# Adresstrennzeichen in der eMail-Adresse
$recipient_delimiter = '+';
# Wir setzen alles auf NULL und definieren das Backrouting in den Policy 
Banks
# Wie werden die eMails an den ;MTA zurückgegeben? "undef" bei 
Verwendung des
# amavisd-milter!
$forward_method = undef;
$notify_method  = 'smtp:[mail.wassa.at]:10025';
#$allowed_added_header_fields{lc('X-Virus-Scanned')} = 0;
################################################################################
## LOGGING
#
# verbosity 0..5, -d
# Django : 2014-11-18
# default: $log_level = 0;
$log_level = 3;
# disable by-recipient level-0 log entries
$log_recip_templ = undef;
# log via syslogd (preferred)
$do_syslog = 1;
# Syslog facility as a string e.g.: mail, daemon, user, local0, ... local7
$syslog_facility = 'mail';
#Syslog base (minimal) priority
$syslog_priority = 'debug';
# enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_db = 1;
# enable use of libdb-based cache if $enable_db=1
$enable_global_cache = 1;
# enable use of ZeroMQ (SNMP and nanny)
# $enable_zmq = 1;
# # nanny verbosity: 1: traditional, 2: detailed
$nanny_details_level = 2;
# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 
'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
# $redis_logging_key = 'amavis-log';
# about 250 MB / 100000
# $redis_logging_queue_size_limit = 300000;
# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is 
TIMESTAMP;
#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is 
CHAR(16)
################################################################################
## SOCKETS
#
# Wo soll AMaViS auf eingehende Verbindungen lauschen?
@listen_sockets = (
         '127.0.0.1:10024',
         '127.0.0.1:9998',
         "$MYHOME/amavisd.sock"
         );
################################################################################
## POLICY MAPPINGS
#
# Wir routen eingehende Verbindungen aufgrund unterschiedlicher Kriterien in
# Policy Banks.
# TCP-Sockets auf Policies mappen
$interface_policy{'9998'}  = 'AM.PDP-INET';
$interface_policy{'10024'} = 'ORIGINATING';
# UNIX-Domain-Sockets auf Policies mappen
$interface_policy{'SOCK'}  = 'AM.PDP-SOCK';
# IP-Adressen/Ranges auf Policies mappen
@client_ipaddr_policy = (
     [qw( 0.0.0.0/8 127.0.0.1/32 [::] [::1] )]           => 'LOCALHOST',
     [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
     [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )]        => 'PARTNER',
     [qw( 198.51.100.88/32 )]                            => 'CUSTOMERS',
     [qw( 203.0.113.164/32 )]                            => 'HOSTING',
     @mynetworks                                        => 'MYNETS',
);
# DKIM-verifizierte Sender(domains) auf Policies mappen
@author_to_policy_bank_maps = ( {
     'piratenpartei-bayern.de' => 'WHITELIST,NOBANNEDCHECK,NOVIRUSCHECK',
     '.paypal.de'              => 'WHITELIST',
     '.paypal.com'             => 'WHITELIST',
     'amazon.de'               => 'WHITELIST',
} );
################################################################################
## DESTINATIONS
#
# Definition der Verkehrsrichtungen:
# Das ist nach intern. Alle anderen Destinationen sind im Umkehrschluss 
extern.
@local_domains_maps = (
[".$mydomain"],
read_hash("/etc/postfix/all_local_domains_map"),
);
# Das kommt von intern. Alles andere ist per Default von extern, ausser wir
# erkennen es an anderen Kriterien wie z.B. DKIM-Signatur oder 
originating Port
@mynetworks = qw(
127.0.0.0/8
[::1]
[FE80::]/10
[FEC0::]/10
172.31.1.0/24
10.0.10.0/26
);
################################################################################
## NOTIFICATIONS
#
# Externe warnen?
$warn_offsite = 0;
# Envelope Sender
$mailfrom_notify_admin = "postmaster@$mydomain";
$mailfrom_notify_recip = "postmaster@$mydomain";
$mailfrom_notify_sender = "postmaster@$mydomain";
$mailfrom_notify_spamadmin = "postmaster@$mydomain";
$mailfrom_to_quarantine = '';
$dsn_bcc = "postmaster@$mydomain";
# From: Header
$hdrfrom_notify_sender = "Postmaster <postmaster@$mydomain>";
$hdrfrom_notify_recip = "Postmaster <postmaster@$mydomain>";
$hdrfrom_notify_release = "Postmaster <postmaster@$mydomain>";
################################################################################
## VIRUS POLICY
#
# Check aktivieren?
# @bypass_virus_checks_maps = (1);
# In Quarantäne?
$virus_quarantine_to = undef;
# Admin benachrichtigen?
$virus_admin = undef;
# Empfänger benachrichtigen?
$warnvirusrecip = 1;
# Recipient-Adresse bei Release erweitern?
@addr_extension_virus_maps = ('virus');
# eMail bei Release wrappen?
$defang_virus  = 1;
# Wollen wir Content transportieren?
$final_virus_destiny = D_REJECT;
@av_scanners = (
   ### http://www.clamav.net/
   ['ClamAV-clamd',
     &ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
     qr/\bOK$/m, qr/\bFOUND$/m,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
@av_scanners_backup = ();
#@av_scanners_backup = (
#  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
#  ['ClamAV-clamscan', 'clamscan',
#    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
#    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
#);
################################################################################
## SPAM POLICY
#
# Check aktivieren?
# @bypass_spam_checks_maps  = (1);
# In Quarantäne?
$spam_quarantine_to = undef;
# Admin benachrichtigen?
$spam_admin = undef;
# Recipient-Adresse bei Release erweitern?
@addr_extension_spam_maps = ('spam');
# eMail bei Release wrappen?
$defang_spam = undef;
# Wollen wir Content transportieren?
$final_spam_destiny = D_REJECT;
# add spam info headers if at, or above that level
$sa_tag_level_deflt  = -1000.0;
# add 'spam detected' headers at that level
$sa_tag2_level_deflt = 6.31;
# triggers spam evasive actions (e.g. blocks mail)
$sa_kill_level_deflt = 6.31;
# spam level beyond which a DSN is not sent
$sa_dsn_cutoff_level = 10;
# likewise, but for a likely valid From
$sa_crediblefrom_dsn_cutoff_level = 18;
# spam level beyond which quarantine is off
# $sa_quarantine_cutoff_level = 25;
# (no effect without a @storage_sql_dsn database)
$penpals_bonus_score = 8;
# don't waste time on hi spam
$penpals_threshold_high = $sa_kill_level_deflt;
# spam score points to add for joe-jobbed bounces
$bounce_killer_score = 100;
# don't waste time on SA if mail is larger
$sa_mail_body_size_limit = 400*1024;
# only tests which do not require internet access?
$sa_local_tests_only = 0;
$sa_spam_subject_tag = '***Spam*** ';
################################################################################
## BANNED POLICY
#
# Check aktivieren?
#@bypass_banned_checks_maps  = (1);
# In Quarantäne?
$banned_quarantine_to = undef;
# Admin benachrichtigen?
$banned_admin = undef;
# Recipient-Adresse bei Release erweitern?
@addr_extension_banned_maps = ('banned');
# eMail bei Release wrappen?
$defang_banned = 1;
# Wollen wir Content transportieren?
$final_banned_destiny = D_BOUNCE;
# Definitionslisten in denen wir bestimmte Dateitypen zusammenfassen
# Die Definitionsnamen können wir in einer Policy verwenden
%banned_rules = (
     'NO-MS-EXEC'=> new_RE( qr'^.(exe-ms)$' ),
     'PASSALL'   => new_RE( [qr'^' => 0] ),
     'ALLOW_EXE' => new_RE( qr'..(vbs|pif|scr|bat)$'i, [qr'^.exe$' => 
0] ),
     'ALLOW_VBS' => new_RE( [qr'..vbs$' => 0] ),
     'NO-VIDEO'  => new_RE( qr'^.movie$', 
qr'..(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
     'NO-MOVIES' => new_RE( qr'^.movie$', qr'..(mpg|avi|mov)$'i, ),
     'MYNETS-DEFAULT' => new_RE( [ qr'^.(rpm|cpio|tar)$' => 0 ], 
qr'..(vbs|pif|scr)$'i, ),
     'DEFAULT' => $banned_filename_re,
);
# Alles was in der Definitionsliste oben DEFAULT ist
$banned_filename_re = new_RE(
     # banned file(1) types, rudimentary
     qr'^.(exe-ms|dll)$',
     # allow any in Unix-type archives
     [ qr'^.(rpm|cpio|tar)$'       => 0 ],
     # banned extensions - rudimentary
     qr'..(pif|scr)$'i,
     # block these MIME types
     qr'^application/x-msdownload$'i,
     qr'^application/x-msdos-program$'i,
     qr'^application/hta$'i,
     # block certain double extensions in filenames
qr'^(?!cid:).*.[^./]*[A-Za-z][^./]*.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
     # banned extension - basic+cmd
qr'..(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
);
################################################################################
## HEADER POLICY
#
# Check aktivieren?
# @bypass_header_checks_maps = (1);
# In Quarantäne?
$bad_header_quarantine_method = undef;
# Recipient-Adresse bei Release erweitern?
@addr_extension_bad_header_maps = ('badh');
# eMail bei Release wrappen?
# NUL or CR character in header
$defang_by_ccat{CC_BADH.",3"} = 1;
# header line longer than 998 characters
$defang_by_ccat{CC_BADH.",5"} = 1;
# header field syntax error
$defang_by_ccat{CC_BADH.",6"} = 1;
# Wollen wir Content transportieren?
$final_bad_header_destiny = D_PASS;
# Admin benachrichtigen?
$bad_header_admin = undef;
# Sender benachrichtigen?
$warnbadhsender = undef;
# Empfänger benachrichtigen?
$warnbadhrecip = undef;
################################################################################
## UNCHECKED POLICY
#
$undecipherable_subject_tag = '';
$MAXLEVELS = 14;
$MAXFILES = 3000;
# bytes  (default undef, not enforced)
$MIN_EXPANSION_QUOTA =      100*1024;
# bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 500*1024*1024;
################################################################################
## DKIM - Domain Key Identified Mail
#
# DKIM-Signaturen verifizieren
$enable_dkim_verification = 0;
# DKIM-Signaturen erstellen
$enable_dkim_signing = 0;
# Private Keys und Selectors
#
# signing domain         selector   private key                       
options
# -------------          -------- ----------------------            
----------
# dkim_key('nausch.org', '201411', 
'/var/spool/amavis/dkim/201411_nausch.org');
# DKIM Signing Policies
@dkim_signature_options_bysender_maps = (
     { '.' =>
         {
                 ttl => 21*24*3600,
                 c => 'relaxed/simple'
         }
     }
);
# to query p0f-analyzer.pl
# $os_fingerprint_method = 'p0f:*:2345';
## hierarchy by which a final setting is chosen:
##   policy bank (based on port or IP address) -> *_by_ccat
##   *_by_ccat (based on mail contents) -> *_maps
##   *_maps (based on recipient address) -> final configuration value
################################################################################
## POLICY BANKS
#
## POLICY BANK MYNETWORK
# Alles Hosts, die in MYNETS gelistet sind
$policy_bank{'MYNETS'} = {
     # Jede Mail von einen unserer Hosts wird als originating gesetzt
     originating => 1,
     # Keine pof Abfragen für interne Clients durchführen.
     os_fingerprint_method => undef,
};
## POLICY BANK SUBMISSON
# Nachrichten unserer Kunden, die auf Port 587 (Submisson) eingeliefert 
wurden
# wird als originating, also von uns gesetzt.
$policy_bank{'ORIGINATING'} = {
     # welcher Host darf soll auf Port 10014 einliefern dürfen
     inet_acl => [qw( 127.0.0.1 )],
     # eMails vom Port 587 werdenals "von uns" = originating gesetzt
     originating => 1,
     # Disclaimer an jede Mail anfügen, sofern welche verfügbar sind.
     allow_disclaimers => 1,
     # notify administrator of locally originating malware
     virus_admin_maps => ["virusalert@$mydomain"],
     spam_admin_maps  => ["virusalert@$mydomain"],
     warnbadhsender   => 1,
     # forward to a smtpd service providing DKIM signing service
     forward_method => 'smtp:[127.0.0.1]:10027',
     # force MTA conversion to 7-bit (e.g. before DKIM signing)
     smtpd_discard_ehlo_keywords => ['8BITMIME'],
     # allow sending any file names and types
     bypass_spam_checks_maps => [0],
     # allow sending any file names and types
     bypass_banned_checks_maps => [1],
     # don't remove NOTIFY=SUCCESS option
     terminate_dsn_on_notify_success => 0,
     notify_method  => 'smtp:[127.0.0.1]:10025',
     forward_method => 'smtp:[127.0.0.1]:10025',
     final_virus_destiny => 'D_BOUNCE',
};
# Hier schlägt der MILTER auf
$policy_bank{'AM.PDP-SOCK'} = {
     protocol => 'AM.PDP',
     auth_required_release => 0,
};
# Hier würden wir releasen
$policy_bank{'AM.PDP-INET'} = {
     protocol => 'AM.PDP',
     inet_acl => [qw( 127.0.0.1 )],
     auth_required_release => 0,
};
## POLICY BANK: WHITELIST
   $policy_bank{'WHITELIST'} = {
     bypass_spam_checks_maps => [1],
     spam_lovers_maps => [1],
   };
## POLICY BANK: NOVIRUSCHECK
   $policy_bank{'NOVIRUSCHECK'} = {
     bypass_decode_parts => 1,
     bypass_virus_checks_maps => [1],
     virus_lovers_maps => [1],
   };
## POLICY BANK: NOBANNEDCHECK
   $policy_bank{'NOBANNEDCHECK'} = {
     bypass_banned_checks_maps => [1],
     banned_files_lovers_maps  => [1],
   };
1;  # insure a defined return value
# vim: set ft=perl sw=4:

Andreas Wass - Glas Gasperlmair

Christian Wally

Andreas Wass - Glas Gasperlmair

Andreas Wass - Glas Gasperlmair

Andreas Wass - Glas Gasperlmair

tags (0)

participants (2)