Clamav will nicht :(

[HansOffenburg]

Hallo,

versuche derzeit verzweifelt clamav dazu zu bringen, Viren Emails zu erkennen.
Habe derzeit (nach Platten Crash) meinen Server unter Ubuntu 10.04 neu aufgesetzt und Amavis sowie SA laufen perfekt auf dem Server.
Was jedoch einfach nicht klappen will ist das Clamav meckert wenn ich Viren Testmails an mich schicke.
Ich sehe in den Logfiles auch irgendwie nicht das überhaupt etwas gescannt wird.
Clamav ist auch in der Gruppe Amavis.

Ich habe das ganze gemäß der Wiki von Ubuntuusers eingerichtet aber bekomme es nicht an's laufen.
Was mich im übrigen auch wundert ist folgendes wenn ich Amavis neu gestartet habe:

amavis[5031]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan

Kann natürlich sein, das es damit zusammen hängt, wobei die Frage ist, warum dies so ist?

Eventuell hat ja jemand eine Idee wie man das ganze an's laufen bekommt.

Sag schon mal dankeschön für die Antworten.

Gruß
Hans

P.S. Habe zwar hier und bei Google schon gesucht jedoch leider nicht wirklich was in meinen Augen brauchbares gefunden.

[Roger Wilco]

Poste die Ausgabe von `postconf -n`, die relevanten darin referenzierten Dateien, deine master.cf und deine amavisd.conf.

[HansOffenburg]

Hallo,

also hier erst mal mein postconf -n

Code: Select all

 postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
default_transport = smtp
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 51200000
message_size_limit = 10240000
mydestination = localhost, localhost.localdomain
myhostname = h147*****
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_transport = smtp
relayhost = 
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110

Hier der Inhalt der master.cf:

Code: Select all

cat /etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027
         -o content_filter=
         -o receive_override_options=no_header_body_checks

cleanup   unix  n       -       -       -       0       cleanup
qmgr fifo n - n 1 1 qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=R user=list:list argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}


plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd  -o smtpd_client_restrictions=  -o smtpd_helo_restrictions=  -o smtpd_sender_restrictions=  -o smtpd_recipient_restrictions=permit_mynetworks,reject  -o smtpd_data_restrictions=  -o receive_override_options=no_unknown_recipient_checks
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db


smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_tls_wrappermode=yes

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
	-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
#        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Sowie der Inhalt von 15-content_filter_mode:

Code: Select all

cat 15-content_filter_mode 
use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by 
# default.
# If You wish to enable it, please uncomment the following lines:


@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by 
# default.
# If You wish to enable it, please uncomment the following lines:


@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return

Habe mal im übrigen komplette Ausgabe von postconf gepostet, da ich nicht wusste was gemeintwar mit referenzieten Dateien.

Danke und Gruß
Hans

[Roger Wilco]

Sowie der Inhalt von 15-content_filter_mode:

Das ist nicht deine komplette Amavisd-Konfiguration. Den Rest bitte auch nachliefern.

[HansOffenburg]

Hallo,

hoffe Du meinst das hier:

Code: Select all

 cat 15-av_scanners 
use strict;

##
## AV Scanners (Debian version)
##

@av_scanners = (

# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
# ['Sophie',
#   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],

# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],

### http://www.clamav.net/
 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# NOTE: run clamd under the same user as amavisd, or run it under its own
#   uid such as clamav, add user clamav to the amavis group, and then add
#   AllowSupplementaryGroups to clamd.conf;
# NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
#   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".

# ### http://www.openantivirus.org/
# ['OpenAntiVirus ScannerDaemon (OAV)',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
#   qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ],

# ### http://www.vanja.com/tools/trophie/
# ['Trophie',
#   \&ask_daemon, ["{}/\n", '/var/run/trophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],

# ### http://www.grisoft.com/
# ['AVG Anti-Virus',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
#   qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ],

# ### http://www.f-prot.com/
# ['F-Prot fpscand',  # F-PROT Antivirus for BSD/Linux/Solaris, version 6
#   \&ask_daemon,
#   ["SCAN FILE {}/*\n", '127.0.0.1:10200'],
#   qr/^(0|8|64) /m,
#   qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m,
#   qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ],

# ### http://www.f-prot.com/
# ['F-Prot f-protd',  # old version
#   \&ask_daemon,
#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
#     ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202',
#      '127.0.0.1:10203', '127.0.0.1:10204'] ],
#   qr/(?i)<summary[^>]*>clean<\/summary>/m,
#   qr/(?i)<summary[^>]*>infected<\/summary>/m,
#   qr/(?i)<name>(.+)<\/name>/m ],

# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
# ['DrWebD', \&ask_daemon,   # DrWebD 4.31 or later
#   [pack('N',1).  # DRWEBD_SCAN_CMD
#    pack('N',0x00280001).   # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
#    pack('N',     # path length
#      length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
#    '{}/*'.       # path
#    pack('N',0).  # content size
#    pack('N',0),
#    '/var/drweb/run/drwebd.sock',
#  # '/var/amavis/var/run/drwebd.sock',   # suitable for chroot
#  # '/usr/local/drweb/run/drwebd.sock',  # FreeBSD drweb ports default
#  # '127.0.0.1:3000',                    # or over an inet socket
#   ],
#   qr/\A\x00[\x10\x11][\x00\x10]\x00/sm,        # IS_CLEAN,EVAL_KEY; SKIPPED
#   qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF
#   qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm,
# ],
# # NOTE: If using amavis-milter, change length to:
# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").

  ### http://www.kaspersky.com/  (kav4mailservers)
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
  ],
  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
  # currupted or protected archives are to be handled

  ### http://www.kaspersky.com/
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
    qr/infected: (.+)/m,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],

  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
  ### products and replaced by aveserver and aveclient
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon',       'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
    # change the startup-script in /etc/init.d/kavd to:
    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
    # adjusting /var/amavis above to match your $TEMPBASE.
    # The '-f=/var/amavis' is needed if not running it as root, so it
    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
    #   directory $TEMPBASE specifies) in the 'Names=' section.
    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
    # cp AvpDaemonClient /opt/AVP/
    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"

  ### http://www.centralcommand.com/
  ['CentralCommand Vexira (new) vascan',
    ['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
    # Adjust the path of the binary and the virus database as needed.
    # 'vascan' does not allow to have the temp directory to be the same as
    # the quarantine directory, and the quarantine option can not be disabled.
    # If $QUARANTINEDIR is not used, then another directory must be specified
    # to appease 'vascan'. Move status 3 to the second list if password
    # protected files are to be considered infected.

  ### http://www.avira.com/
  ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
  ['Avira AntiVir', ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
    # NOTE: if you only have a demo version, remove -z and add 214, as in:
    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

  ### http://www.commandsoftware.com/
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/m ],

  ### http://www.symantec.com/
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
    qr/^(?:Info|Virus Name):\s+(.+)/m ],

  ### http://www.symantec.com/
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/m,
    qr/^(?:Info|Virus Name):\s+(.+)/m ],
    # NOTE: check options and patterns to see which entry better applies

# ### http://www.f-secure.com/products/anti-virus/  version 4.65
#  ['F-Secure Antivirus for Linux servers',
#   ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
#   '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '.
#   '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8],
#   qr/(?:infection|Infected|Suspected): (.+)/m ],

  ### http://www.f-secure.com/products/anti-virus/  version 5.52
   ['F-Secure Antivirus for Linux servers',
    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
    '--virus-action1=report --archive=yes --auto=yes '.
    '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
    qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
    # NOTE: internal archive handling may be switched off by '--archive=no'
    #   to prevent fsav from exiting with status 9 on broken archives

# ### http://www.avast.com/
# ['avast! Antivirus daemon',
#   \&ask_daemon,	# greets with 220, terminate with QUIT
#   ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
#   qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ],

# ### http://www.avast.com/
# ['avast! Antivirus - Client/Server Version', 'avastlite',
#   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
#   qr/\t\[L\]\t([^[ \t\015\012]+)/m ],

  ['CAI InoculateIT', 'inocucmd',  # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/m ],
  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html

  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/m ],
    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783

  ### http://mks.com.pl/english.html
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/m ],

  ### http://mks.com.pl/english.html
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/m ],

# ### http://www.nod32.com/,  version v2.52 (old)
# ['ESET NOD32 for Linux Mail servers',
#   ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
#    '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
#    '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
#    '--action-on-notscanned=accept {}',
#   [0,3], [1,2], qr/virus="([^"]+)"/m ],

# ### http://www.eset.com/, version v2.7 (old)
# ['ESET NOD32 Linux Mail Server - command line interface',
#   ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
#   '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ],

# ### http://www.eset.com/, version 2.71.12
# ['ESET Software ESETS Command Line Interface',
#   ['/usr/bin/esets_cli', 'esets_cli'],
#   '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ],

  ### http://www.eset.com/, version 3.0
  ['ESET Software ESETS Command Line Interface',
    ['/usr/bin/esets_cli', 'esets_cli'],
    '--subdir {}', [0], [1,2,3],
    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],

  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
  ['ESET NOD32 for Linux File servers',
    ['/opt/eset/nod32/sbin/nod32','nod32'],
    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
    '-w -a --action=1 -b {}',
    [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],

# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
# ['ESET Software NOD32 Client/Server (NOD32SS)',
#   \&ask_daemon2,    # greets with 200, persistent, terminate with QUIT
#   ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
#   qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],

  ### http://www.norman.com/products_nvc.shtml
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/m ],

  ### http://www.pandasoftware.com/
  ['Panda CommandLineSecure 9 for Linux',
    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/m,
    qr/Number of files infected[ .]*: 0*[1-9]/m,
    qr/Found virus :\s*(\S+)/m ],
  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
  # before starting amavisd - the bases are then loaded only once at startup.
  # To reload bases in a signature update script:
  #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
  # Please review other options of pavcl, for example:
  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies

# ### http://www.pandasoftware.com/
# ['Panda Antivirus for Linux', ['pavcl'],
#   '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
#   [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
#   qr/Found virus :\s*(\S+)/m ],

# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
# Check your RAV license terms before fiddling with the following two lines!
# ['GeCAD RAV AntiVirus 8', 'ravav',
#   '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ],
# # NOTE: the command line switches changed with scan engine 8.5 !
# # (btw, assigning stdin to /dev/null causes RAV to fail)

  ### http://www.nai.com/
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan)  |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
        :\ (.+)\ NOT\ a\ virus)/m,
  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
  # sub {delete $ENV{LD_PRELOAD}},
  ],
  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
  # and then clear it when finished to avoid confusing anything else.
  # NOTE2: to treat encrypted files as viruses replace the [13] with:
  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/

  ### http://www.virusbuster.hu/en/
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/m ],
  # VirusBuster Ltd. does not support the daemon version for the workstation
  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
  # binaries, some parameters AND return codes have changed (from 3 to 1).
  # See also the new Vexira entry 'vascan' which is possibly related.

# ### http://www.virusbuster.hu/en/
# ['VirusBuster (Client + Daemon)', 'vbengd',
#   '-f -log scandir {}', [0], [3],
#   qr/Virus found = (.*);/m ],
# # HINT: for an infected file it always returns 3,
# # although the man-page tells a different story

  ### http://www.cyber.com/
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
  ],

  ### http://www.avast.com/
  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],

  ### http://www.ikarus-software.com/
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/m ],

  ### http://www.bitdefender.com/
  ['BitDefender', 'bdscan',  # new version
    '--action=ignore --no-list {}', qr/^Infected files *:0+(?!\d)/m,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
    qr/(?:suspected|infected): (.*)(?:\033|$)/m ],

  ### http://www.bitdefender.com/
  ['BitDefender', 'bdc',  # old version
    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
    qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
  # not apply to your version of bdc, check documentation and see 'bdc --help'

  ### ArcaVir for Linux and Unix http://www.arcabit.pl/
  ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
    '-v 1 -summary 0 -s {}', [0], [1,2],
    qr/(?:VIR|WIR):[ \t]*(.+)/m ],

# ['File::Scan', sub {Amavis::AV::ask_av(sub{
#   use File::Scan; my($fn)=@_;
#   my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
#   my($vname) = $f->scan($fn);
#   $f->error ? (2,"Error: ".$f->error)
#   : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
#   ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ],

# ### fully-fledged checker for JPEG marker segments of invalid length
# ['check-jpeg',
#   sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
#   ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],
# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
# #       for example in /usr/local/lib/perl5/site_perl

# ### example: simpleminded checker for JPEG marker segments with
# ### invalid length (only checks first 32k, which is not thorough enough)
# ['check-jpeg-simple',
#   sub { Amavis::AV::ask_av(sub {
#     my($f)=@_; local(*FF,$_,$1,$2); my(@r)=(0,'not jpeg');
#     open(FF,$f) or die "jpeg: open err $f: $!";
#     binmode(FF) or die "jpeg: binmode err $f: $!";
#     defined read(FF,$_,32000) or die "jpeg: read err $f: $!";
#     close(FF) or die "jpeg: close err $f: $!";
#     if (/^\xff\xd8\xff/) {
#       @r=(0,'jpeg ok');
#       while (!/\G(?:\xff\xd9|\z)/gc) {          # EOI or eof
#         if (/\G\xff+(?=\xff|\z)/gc) {}          # fill-bytes before marker
#         elsif (/\G\xff([\x01\xd0-\xd8])/gc) {}  # TEM, RSTi, SOI
#         elsif (/\G\xff([^\x00\xff])(..)/gcs) {  # marker segment start
#           my($n)=unpack("n",$2)-2;
#           $n=32766 if $n>32766;  # Perl regexp limit
#           if ($n<0) {@r=(1,"bad jpeg: len=$n, pos=".pos); last}
#           elsif (/\G.{$n}/gcs) {}          # ok
#           elsif (/\G.{0,$n}\z/gcs) {last}  # truncated
#           else {@r=(1,"bad jpeg: unexpected, pos=".pos); last}
#         }
#         elsif (/\G[^\xff]+/gc)      {}  # ECS
#         elsif (/\G(?:\xff\x00)+/gc) {}  # ECS
#         else {@r=(2,"bad jpeg: unexpected char, pos=".pos); last}
#       }
#     }; @r}, @_) },
#   ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],

# ### an example/testing/template virus scanner (external), wastes 3 seconds
# ['wasteful sleeper example',
#   '/bin/sleep', '3',  # calls external program
#   undef, undef, qr/no such/m ],

# ### an example/testing/template virus scanner (internal), does nothing
# ['null',
#   sub {}, ["{}"],     # supplies its own subroutine, no external program
#   undef, undef, qr/no such/m ],

);


# If no virus scanners from the @av_scanners list produce 'clean' nor
# 'infected' status (i.e. they all fail to run or the list is empty),
# then _all_ scanners from the @av_scanners_backup list are tried
# (again, subject to $first_infected_stops_scan). When there are both
# daemonized and equivalent or similar command-line scanners available,
# it is customary to place slower command-line scanners in the
# @av_scanners_backup list. The default choice is somewhat arbitrary,
# move entries from one list to another as desired, keeping main scanners
# in the primary list to avoid warnings.

@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

  ### http://www.f-prot.com/   - backs up F-Prot Daemon, V6
  ['F-PROT Antivirus for UNIX', ['fpscan'],
    '--report --mount --adware {}',  # consider: --applications -s 4 -u 3 -z 10
    [0,8,64],  [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],

  ### http://www.f-prot.com/   - backs up F-Prot Daemon (old)
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],

  ### http://www.trendmicro.com/   - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],

  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
  ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],

   ### http://www.kaspersky.com/
   ['Kaspersky Antivirus v5.5',
     ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
      '/opt/kav/5.5/kav4unix/bin/kavscanner',
      '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
     '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
#    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
#    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
   ],

# Commented out because the name 'sweep' clashes with Debian and FreeBSD
# package/port of an audio editor. Make sure the correct 'sweep' is found
# in the path when enabling.
#
# ### http://www.sophos.com/   - backs up Sophie or SAVI-Perl
# ['Sophos Anti Virus (sweep)', 'sweep',
#   '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
#   '--no-reset-atime {}',
#   [0,2], qr/Virus .*? found/m,
#   qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
# ],
# # other options to consider: -idedir=/usr/local/sav

# Always succeeds and considers mail clean.
# Potentially useful when all other scanners fail and it is desirable
# to let mail continue to flow with no virus checking (when uncommented).
# ['always-clean', sub {0}],

);

1;  # ensure a defined return

bzw. das:

Code: Select all

cat 20-debian_defaults 
use strict;

# ADMINISTRATORS:
# Debian suggests that any changes you need to do that should never
# be "updated" by the Debian package should be made in another file,
# overriding the settings in this file.
#
# The package will *not* overwrite your settings, but by keeping
# them separate, you will make the task of merging changes on these
# configuration files much simpler...

#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
#       a list of all variables with their defaults;
#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
#       a traditional-style commented file  
#   [note: the above files were not converted to Debian settings!]
#
#   for more details see documentation in /usr/share/doc/amavisd-new
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html

$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listening socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

# Quota limits to avoid bombs (like 42.zip)

$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes

# You should:
#   Use D_DISCARD to discard data (viruses)
#   Use D_BOUNCE to generate local bounces by amavisd-new
#   Use D_REJECT to generate local or remote bounces by the calling MTA
#   Use D_PASS to deliver the message
#
# Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
# mail to your account.  Use D_BOUNCE instead, otherwise you are delegating
# the bounce work to your friendly forwarders, which might not like it at all.
#
# On dual-MTA setups, one can often D_REJECT, as this just makes your own
# MTA generate the bounce message.  Test it first.
#
# Bouncing viruses is stupid, always discard them after you are sure the AV
# is working correctly.  Bouncing real SPAM is also useless, if you cannot
# D_REJECT it (and don't D_REJECT mail coming from your forwarders!).

$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_BOUNCE;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

$enable_dkim_verification = 0; #disabled to prevent warning

$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default

# Set to empty ("") to add no header
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";

# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS

#
# DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
#
# These days, almost all viruses fake the envelope sender and mail headers.
# Therefore, "virus notifications" became nothing but undesired, aggravating
# SPAM.  This holds true even inside one's domain.  We disable them all by
# default, except for the EICAR test pattern.
#

@viruses_that_fake_sender_maps = (new_RE(
  [qr'\bEICAR\b'i => 0],            # av test pattern name
  [qr/.*/ => 1],  # true for everything else
));

@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));


# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample

$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^application/x-msmetafile$'i,	# Windows Metafile MIME type
# qr'^\.wmf$',				# Windows Metafile file(1) type

# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
# [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm


# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
#                           '.cleargreen.com'           => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

# This are some examples for whitelists, since envelope senders can be forged
# they are not enabled by default. 
   { # a hash-type lookup table (associative array)
     #'nobody@cert.org'                        => -3.0,
     #'cert-advisory@us-cert.gov'              => -3.0,
     #'owner-alert@iss.net'                    => -3.0,
     #'slashdot@slashdot.org'                  => -3.0,
     #'securityfocus.com'                      => -3.0,
     #'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     #'security-alerts@linuxsecurity.com'      => -3.0,
     #'mailman-announce-admin@python.org'      => -3.0,
     #'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     #'amavis-user-bounces@lists.sourceforge.net' => -3.0,
     #'spamassassin.apache.org'                => -3.0,
     #'notification-return@lists.sophos.com'   => -3.0,
     #'owner-postfix-users@postfix.org'        => -3.0,
     #'owner-postfix-announce@postfix.org'     => -3.0,
     #'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     #'sendmail-announce-request@lists.sendmail.org' => -3.0,
     #'donotreply@sendmail.org'                => -3.0,
     #'ca+envelope@sendmail.org'               => -3.0,
     #'noreply@freshmeat.net'                  => -3.0,
     #'owner-technews@postel.acm.org'          => -3.0,
     #'ietf-123-owner@loki.ietf.org'           => -3.0,
     #'cvs-commits-list-admin@gnome.org'       => -3.0,
     #'rt-users-admin@lists.fsck.com'          => -3.0,
     #'clp-request@comp.nus.edu.sg'            => -3.0,
     #'surveys-errors@lists.nua.ie'            => -3.0,
     #'emailnews@genomeweb.com'                => -5.0,
     #'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     #'returns.groups.yahoo.com'               => -3.0,
     #'clusternews@linuxnetworx.com'           => -3.0,
     #lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     #lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

     # soft-blacklisting (positive score)
     #'sender@example.net'                     =>  3.0,
     #'.example.net'                           =>  1.0,

   },
  ],  # end of site-wide tables
});

1;  # ensure a defined return

Ansonsten bitte sagen was genau gebraucht wird.

Gruß
Hans

[Roger Wilco]

Ist dein clamd über den Socket /var/run/clamav/clamd.ctl erreichbar, so wie dein amavisd konfiguriert ist?

Code: Select all

# You should:
#   Use D_DISCARD to discard data (viruses)
[…]
$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)

Diese Einstellung solltest du dir auch nochmal ansehen.

[HansOffenburg]

Hallo,

ja ist es:

var/run/clamav# ls
clamd.ctl clamd.pid freshclam.pid


Wsa meinst Du mit:

Code: Select all

# You should:
#   Use D_DISCARD to discard data (viruses)
[…]
$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)

.
Bin halt leider kein Linux crack.
Sprich hatte nur die Einstellungen gemacht die bei unbuntuusers angegeben waren um clamav an's laufen zu bringen.

Gruß
Hans

[Roger Wilco]

var/run/clamav# ls
clamd.ctl clamd.pid freshclam.pid

Darf auch der Benutzer, unter dem amavisd läuft, auf diesen Socket zugreifen? -> `namei -l /var/run/clamav/clamd.ctl`

Wsa meinst Du mit:
[…]
Bin halt leider kein Linux crack.

Einfach die Dokumentation zu amavisd bzw. die Kommentare in der Konfigurationsdatei lesen. Das hat nichts mit dem Betriebssystem zu tun.

[HansOffenburg]

Hallo,

also laut rechten darf der User amavis darauf zugreifen unter dem amavis läuft.

Code: Select all

groups clamav
clamav : clamav amavis

Code: Select all

s -l
insgesamt 8
srw-rw-rw- 1 clamav clamav 0 2011-05-02 22:52 clamd.ctl
-rw-rw-r-- 1 clamav clamav 4 2011-05-02 22:52 clamd.pid
-rw-rw---- 1 clamav clamav 4 2011-04-28 17:14 freshclam.pid

Was mir halt aufgefallen ist als ich mir diverse EICAR Dateien habe zuschicken lassen, das im mail.log nichts auftaucht in Bezug auf clamav.

Als würde die Mail erst gar nicht durch den clamd laufen.
Hoffe mal drücke mich da richtig bzw. verständlich aus.


Gruß
Hans

[Roger Wilco]

Nur weil der Benutzer clamav Mitglied der Gruppe amavis ist, heißt das noch lange nicht, dass der Benutzer amavis (der vermutlich nicht Mitglied der Gruppe clamav ist) auf dessen Dateien zugreifen darf.

Du hast außerdem nicht die geforderte Ausgabe geposted.

[HansOffenburg]

Nur weil der Benutzer clamav Mitglied der Gruppe amavis ist, heißt das noch lange nicht, dass der Benutzer amavis (der vermutlich nicht Mitglied der Gruppe clamav ist) auf dessen Dateien zugreifen darf.

Du hast außerdem nicht die geforderte Ausgabe geposted.

Sorry war nicht beabsichtig :(

Hier die Ausgabe:

namei -l /var/run/clamav/clamd.ctl
f: /var/run/clamav/clamd.ctl
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root run
drwxr-xr-x clamav root clamav
srw-rw-rw- clamav clamav clamd.ctl

Ja Du hast recht clamav ist nicht mitglied der gruppe amavis.
Sollte er dies sein?

Gruß
Hans

[HansOffenburg]

Hallo,

benutze keinen Clamsmtp da ich ja Amavis auf dem Server habe.
Soweit ich es verstanden habe kannst Du entweder clamsmtp nutzen oder halt Amavis.

Würde halt gern Amavis zusammen mit SA und einem Virenscanner betreiben.
Wobei ich mich halt für clamav entschieden habe da es Opensource ist und somit im Gegensatz zu (Beispiel) Kaspersky keine weiterne Kosten anfallen.

So lange der Virenscanner funktioniert wäre es mir eigentlich egal welcher es ist so lange keine Kosten für Virensignaturen anfallen, da der Server nicht kommerziell ist.

Gruß
Hans

[HansOffenburg]

Wie schon gesagt, habe ich mich mit dem Thema schon mal beschäftig und für mich festgestellt, dass SpamAssassin eigentlich verzichtbar ist.
-> policyd_weight macht das deutlich besser und vor allem, juristisch korrekt.
Soweit zur Spam bekampfung.

clamsmtpd ist ebenfalls opensource und nutzt natürlich clamav, was ja auch opensource ist.

Ich hate für mein dafürhalten die Konfigurationen für deutlich einfacher und nachvollziehbar.

Hallo,

nun ich denke die Kombi macht es aus :) Benutze bei mir derzeit 3 Dinge um Spam zu dezimieren, weil ganz Ausschließen dank des Einfallsreichtums der Spammer (steckt ja jede menge Geld dahinter) wirst Du es nie können.

Zum einen Benutze ich SA, zum Anderen noch Greylisting sowie policy_weight.

Aber auf SA möchte ich trotzdem nicht verzichten da es recht gut in meinen Augen läuft.

Ja clamsmtp ist opensource schon richtig aber wenn ich das richtig gelesen habe ein Proxy und somit kannst du entweder Amavis oder Clamsmtp nutzen aber halt nicht beides.

Somit käme für ich halt nur (wenn es denn clamav ist) clamav oder clamav-milter infrage. (hoffe mal sage da nix verkehrtes)

Aber wenn natürlich jemand noch eine Idee hat bin da für alles offen sofern keine Kosten entstehen.

Fakt ist halt das derzeit ganz offensichtlich clamav nicht läuft. Wobei ich mir derzeit nicht sicher bin ob Amavis läuft da der Server unter Plesk läuft und auch plesk ja SA nutzt.

Somit wäre die Frage halt wie ich das überprüfen kann. Evtl. ist da ja der Fehler zu suchen und unter umständen die master.cf bzw. main.cf noch entsprechend zu modifizieren.

Gruß
Hans

[HansOffenburg]

Mit plesk werden die Einstellungen u.U. wieder rückgängig gemacht. Sagen wir mal so, es macht nicht unbedingt sinn, Emails über clamstmpd und amavis zu gegen Viren zu scannen. Allerdings funktioniert beides miteinander. Also amavisd und clamsmtpd können meines wissens beide gleichzeitig verwendet werden.

Hallo,

bin für alles offen und zu Plesk nun das könnte man ja mit chattr +i verhindern :)

Sofern ich wüßte was ich da ändern muss damit plesk was viren und spam anbelangt außen vor bleibt.

Weil nutze das ding eigentlich nur um domains, Emailadressen sowie Datenbanken anzulegen, da dies komfortabler ist als über die shell.

Gruß
Hans

[HansOffenburg]

Läuft nicht amavis auch auf 10025?

Außerdem habe ich in der master.cf gesehen (habe mal den kompletten block kopiert):

Code: Select all

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd  -o smtpd_client_restrictions=  -o smtpd_helo_restrictions=  -o smtpd_sender_restrictions=  -o smtpd_recipient_restrictions=permit_mynetworks,reject  -o smtpd_data_restrictions=  -o receive_override_options=no_unknown_recipient_checks
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db


smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_tls_wrappermode=yes

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0 
#        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Weiß jedoch nicht woher die Einträge kommen meine die obersten mit port 10026/7

Die Frage wäre auch ob ich die Teile wo plesk steht entfernen kann ohne das hinterher der Postfix gar nicht mehr läuft.

Gruß
Hans

[HansOffenburg]

Das mit den Ports war u. a. was ich damit gemeint habe, an Deine Bedürfnisse anpassen! such dir was freies z.B. 10028,10029

Habe es grad mal über apt installiert.
Jetzt meckert obwohl ich port 10030 angebeben habe postfix das der Port 1026 bereits in benutzung ist. Finde aber nirgends bei clamstmp den port 10026 in den conf dateien angegeben aber wenn ich mache:

netstat -nap | grep 10026
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 26478/clamsmtpd

sehe ich halt das der port 10026 durch clamsmtpd in benutzung ist.

Wie kann ich das ändern?

Danke und Gruß
Hans

[HansOffenburg]

Prozess killen und clamsmtp mit geÄndertet Konfiguration neu starten.

Hallo habe ich gemacht jetzt lauscht er auf 10031.

Allerdings meldet postfix jetzt:

postfix/smtpd[30727]: connect from mail-gy0-f175.google.com[209.85.160.175]
May 6 16:43:26 postfix/smtpd[30732]: fatal: unexpected command-line argument: localhost:10031
May 6 16:43:27 postfix/smtpd[30727]: warning: lost connection with proxy 127.0.0.1:10025

Nachtrag: Habe noch mal localhost ersetzt durch 127.0.0.1 jetzt sagt wieder Postfix:

fatal: bind 127.0.0.1 port 10031: Address already in use

Was ja laut netstat:

tcp 0 0 127.0.0.1:10031 0.0.0.0:* LISTEN 30472/clamsmtpd

Auch richtig ist :(

Gruß
Hans

[HansOffenburg]

-> Ja wirf doch mal einen Blick in Deine Konfiguration und schau, wer da noch auf Port 10025 horcht. ziemlich am Anfang Deiner Konfiguration!

Also 10025 ist Amavis, da brauch ich nicht groß schauen.
Muss also 10031 (clamsmtp) vor amavis stehen in der config?

Kann gern mal den letzten teil der master.cf posten, wenn erforderlich?

NACHTRAG: Habe mal zweiten root user angelegt, kann dir gern mal die Daten schicken, weil irgendwie blick ich es nicht. Sprich die Ports sind normal nicht belegt gewesen jetzt halt Durch clamsmtp und wie man es macht ständig meckert postix mit den Ports.

Scheinbar genauso komplex wie clamav Einbindung :(

Gruß
Hans

[HansOffenburg]

2 smtp Empfänger horchen nach Deiner Konfiguration auf Port 10025 beides mal der Postfix.

Der hier,

127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue


und den, welchen Du von mir übernommen hast.

Ganz kurz und knapp:
Postfix schickt die Email an 127.0.0.1:10031
clamsmtpd schickt diese nach Bearbeitung wieder an den Postfix und zwar den Port
z.B. 10032. Deshalb an einen anderen Port, damit diese eingehende Email nicht mit den gleichen Regeln weiter verarbeitet wird, die eine normal über port 25 eingehende Email.
Dann hättest Du damit einen netten loop.

Hatte den nicht übernommen sondern so hier:

clamsmtp.conf

Code: Select all

  Action: drop
    ClamAddress: 127.0.0.1:3310
    Listen: 127.0.0.1:10031
    Header:X-Virus-Scanned: ClamAV using ClamSMTP %i
    KeepAlives: 0
    Quarantine: on
    TempDirectory: /tmp/
    MaxConnections: 128
    OutAddress: 127.0.0.1:10030
    TimeOut: 320
    TransparentProxy: off
    User: clamsmtp
    #VirusAction: /email-virus-notice.sh
    #XClient

main.cf

Code: Select all

....
#content_filter=scan:127.0.0.1:10031

Master.cf

Code: Select all

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
# 127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd  -o smtpd_client_restrictions=  -o smtpd_helo_restrictions=  -o smtpd_sender_restrictions=  -o smtpd_recipient_restrictions=permit_mynetworks,reject  -o smtpd_data_restrictions=  -o receive_override_options=no_unknown_recipient_checks
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db


smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_tls_wrappermode=yes

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0 
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

#127.0.0.1:10031 inet   n       -       n       -       -       smtpd
#      -o content_filter=
#      -o smtpd_delay_reject=no
#      -o smtpd_client_restrictions=permit_mynetworks,reject
#      -o smtpd_helo_restrictions=
#      -o smtpd_sender_restrictions=
#      -o smtpd_recipient_restrictions=permit_mynetworks,reject
#      -o smtpd_data_restrictions=reject_unauth_pipelining
#      -o smtpd_end_of_data_restrictions=
#      -o smtpd_restriction_classes=
#      -o mynetworks=127.0.0.0/8
#      -o smtpd_error_sleep_time=0
#      -o smtpd_soft_error_limit=1001
#      -o smtpd_hard_error_limit=1000
#      -o smtpd_client_connection_count_limit=0
#      -o smtpd_client_connection_rate_limit=0 
#      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
#      -o local_header_rewrite_clients=
#      -o local_recipient_maps=

Wobei ich erst mal das mit dem clamsmtp jetzt deaktiviert habe wegen des fehlers.
Würde ja am liebsten plesk ganz raus nehmen aus der Konfiguration aber weiß halt nicht wie ich das anstelle ohne das hinterher nichts mehr geht.

[HansOffenburg]

Zu was gehört die Zeile:

127.0.0.1:10025 inet n - - - - smtpd

soll hier amavisd die gescannten mails einliefern?
Dann würde ich auch hir einen anderen Port wählen.
-> Da Du ja die Plesk qeue heraus genommen hast.

Plesk lässt ich btw. nur mit einer sauberen neuen Installation von Postfix "verbannen" aber dann werden u.U. andere Dienste nicht sauber funktionieren.
Dementsprechend wäre wohl ein neues System ohne Plesk die vernünftige wahl.

Also die Zeile gehört zu Amavis. Aber amavis lauscht auf 10024 laut netstat.

netstat -tulpen | grep amavis
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 114 2332292 32389/amavisd (mast

10025 ist derzeit nicht benutzt.

Ich denke mal das müsste ja dann der Eintrag in der main.cf sein?

Code: Select all

content_filter=smtp-amavis:[127.0.0.1]:10024

Habe es jetzt mal geändert auf 10027.

Die Frage halt ob jetzt clamsmtp laufen könnte mit dieser Änderung?

Wobei jetzt bringt postfix:

proxy-reject: END-OF-MESSAGE: 451 mail server temporary failed;

echt zum Mäusemelken :(

[HansOffenburg]

Naja, der Rückkanal wird eventuell schon gebraucht.
Die Frage ist nur, die stelle ich mir grad auch selber, welche Reihenfolge da sinnvoll ist.

-> Statt 10025, für den Rückkanal für amavisd nimm halt 10029, sofern der noch frei ist.
Auf den Port 10025 horcht übrigens nicht amavisd etc. sondern nur der Postfix und ursprünglich wollte er 2 mal.

Hab es jetzt auf 10028 (war frei) allerdings immer noch fehler:

roxy-reject: END-OF-MESSAGE: 451 mail server temporary failed;

Habe es grad noch mal getestet stell ich es um auf 10025 also wie anfänglich gehen die emails durch. Also liegt es (egal welchen port ich da nehme) an der portangabe von Amavis.

[HansOffenburg]

Hallo,

also das ergebnis war:

Code: Select all

telnet localhost 10028
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 h1470227.stratoserver.net ESMTP Postfix (Ubuntu)
HELO localhost
250 h1470227.stratoserver.net
MAIL FROM: <>
250 2.1.0 Ok
RCPT TO: recipient@domain.de
250 2.1.5 Ok
From: virus-tester
221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.

[HansOffenburg]

Hallo,

also das ging schon mal:

Code: Select all

telnet localhost 10028
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xxx.stratoserver.net ESMTP Postfix (Ubuntu)
HELO localhost
250 xxx.stratoserver.net
MAIL FROM: <>
250 2.1.0 Ok
RCPT TO: meine-email
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
To: undisclosed-recipients:;
Subject: amavis test - simple - no spam test pattern
Hello,
this ist an test
.
250 2.0.0 Ok: queued as 7586B8D8C5B
quit
221 2.0.0 Bye
Connection closed by foreign host.

Nachtrag: Jedoch wenn ich was an den Server schicke dann kommt die o.a. Fehlermeldung.

[HansOffenburg]

Du musst natürlich alle anderen Dienste auch prüfen!
Die mail kommt über Port 25 an, wird dann vom postfix vermutlich an amavisd geschickt, kommt von dort zurück, wird dann wieder von postfix zum nächsten ggf. clamsmtpd geschickt usw.

Also clamsmtp hab ich erst mal deaktiviert.
Weil jetzt geht es erst mal für mich darum raus zu finden warum amavis nicht läuft.

Also somit sollte normal die Email über Port 25 ankommen wird dann (wenn ich es richtig sehe) an 10028 weitergeleitet,

Wenn ich das ganze jetzt mache kommt zwar keine Fehlermeldung jedoch baut sich ein loop auf 10024 (amavis) auf.

Was mir auch nicht klar ist, was das hier ist:

Code: Select all

smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_tls_wrappermode=yes

Nachtrag:

Habe grad mal den 10024 getestet.

Da kam folgende Fehlermeldung:

Code: Select all

RCPT TO: hans@domain.ltd
500 5.5.2 Error: command DATARCPT not recognized

Gebe ich ein z.b. postmaster dann geht es.