Postfix and amavisd via amavisd-milter
Andreas Wass - Glas Gasperlmair
a.wass at glas-gasperlmair.at
Tue Nov 8 11:59:53 CET 2016
Hello Postfix pros!
Once again I need your help with amavisd via amavisd-milter.
I am currently setting up an all-in-one mail server following
https://dokuwiki.nausch.org/doku.php/centos:mail_c7:start.
I have also added the mailguru repo (for amavisd-milter etc.).
MTA to MTA via port 25 with amavisd works.
MUA to MTA via submission port 587 without amavisd also works.
But as soon as I hook amavisd in via amavisd-milter, the whole thing fails,
and I just cannot figure out what is causing it.
You will surely spot the error(s) right away.
Many thanks in advance.
Regards, Andi
Test from a foreign MTA to my MTA works:
Excerpt from maillog:
Nov 8 11:44:02 mail postfix/postscreen[23037]: CONNECT from [89.26.12.242]:55315 to [172.31.1.100]:25
Nov 8 11:44:02 mail postfix/postscreen[23037]: PASS OLD [89.26.12.242]:55315
Nov 8 11:44:02 mail postfix/smtpd[23038]: connect from mail1.glasgasperlmair.at[89.26.12.242]
Nov 8 11:44:02 mail postfix/smtpd[23038]: 7D0EC208EC: client=mail1.glasgasperlmair.at[89.26.12.242]
Nov 8 11:44:02 mail postfix/cleanup[23048]: 7D0EC208EC: message-id=<5821AC6F.30309 at glas-gasperlmair.at>
Nov 8 11:44:02 mail amavis[22995]: (22995-02) Checking: qNoKsxTWQPpG AM.PDP-SOCK [89.26.12.242] <a.wass at glas-gasperlmair.at> -> <andi at wassa.at>
Nov 8 11:44:03 mail amavis[22995]: (22995-02) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK [89.26.12.242] [89.26.12.242] <a.wass at glas-gasperlmair.at> -> <andi at wassa.at>, Queue-ID: 7D0EC208EC, Message-ID: <5821AC6F.30309 at glas-gasperlmair.at>, mail_id: qNoKsxTWQPpG, Hits: 0.001, size: 2512, 770 ms
Nov 8 11:44:03 mail postfix/qmgr[22911]: 7D0EC208EC: from=<a.wass at glas-gasperlmair.at>, size=2538, nrcpt=1 (queue active)
Nov 8 11:44:03 mail postfix/smtpd[23038]: disconnect from mail1.glasgasperlmair.at[89.26.12.242]
Nov 8 11:44:03 mail dovecot: lmtp(23052): Connect from 127.0.0.1
Nov 8 11:44:03 mail dovecot: lmtp(andi at wassa.at): 60mlH3OsIVgMWgAAu6NIgg: msgid=<5821AC6F.30309 at glas-gasperlmair.at>: saved mail to INBOX
Nov 8 11:44:03 mail dovecot: lmtp(23052): Disconnect from 127.0.0.1: Successful quit
Nov 8 11:44:03 mail postfix/lmtp[23051]: 7D0EC208EC: to=<andi at wassa.at>, relay=127.0.0.1[127.0.0.1]:24, delay=1.7, delays=1.2/0.02/0.09/0.37, dsn=2.0.0, status=sent (250 2.0.0 <andi at wassa.at> 60mlH3OsIVgMWgAAu6NIgg Saved)
Nov 8 11:44:03 mail postfix/qmgr[22911]: 7D0EC208EC: removed
Test with Thunderbird via port 587 does not work:
Excerpt from maillog:
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: connect from unknown[89.26.12.241]
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: Anonymous TLS connection established from unknown[89.26.12.241]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: BC58A208E3: client=unknown[89.26.12.241], sasl_method=PLAIN, sasl_username=andi at wassa.at
Nov 8 11:40:27 mail postfix/cleanup[23014]: BC58A208E3: message-id=<5821AB9A.4040706 at wassa.at>
Nov 8 11:40:27 mail postfix/qmgr[22911]: BC58A208E3: from=<andi at wassa.at>, size=692, nrcpt=1 (queue active)
Nov 8 11:40:27 mail amavis[22995]: (22995-01) ESMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20161108T114027-22995-9FDAxjys: <andi at wassa.at> -> <a.wass at glas-gasperlmair.at> Received: from mail.wassa.at ([127.0.0.1]) by localhost (mail.wassa.at [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <a.wass at glas-gasperlmair.at>; Tue, 8 Nov 2016 11:40:27 +0100 (CET)
Nov 8 11:40:27 mail postfix/submission/smtpd[23001]: disconnect from unknown[89.26.12.241]
Nov 8 11:40:27 mail amavis[22995]: (22995-01) Checking: 9pw322ZKDeoc ORIGINATING [127.0.0.1] <andi at wassa.at> -> <a.wass at glas-gasperlmair.at>
Nov 8 11:40:28 mail amavis[22995]: (22995-01) (!)connect to [127.0.0.1]:10025 failed, attempt #1: Can't connect to socket [127.0.0.1]:10025 using module IO::Socket::IP: Connection refused
Nov 8 11:40:28 mail amavis[22995]: (22995-01) (!)9pw322ZKDeoc FWD from <andi at wassa.at> -> <a.wass at glas-gasperlmair.at>, 451 4.5.0 From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:[127.0.0.1]:10025): id=22995-01
Nov 8 11:40:28 mail amavis[22995]: (22995-01) Blocked MTA-BLOCKED {TempFailedOutbound}, ORIGINATING LOCAL [127.0.0.1] [89.26.12.241] <andi at wassa.at> -> <a.wass at glas-gasperlmair.at>, Message-ID: <5821AB9A.4040706 at wassa.at>, mail_id: 9pw322ZKDeoc, Hits: -0.999, size: 692, 597 ms
Nov 8 11:40:28 mail postfix/smtp[23015]: BC58A208E3: to=<a.wass at glas-gasperlmair.at>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.8, delays=0.17/0.02/0.02/0.59, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 id=22995-01 - Temporary MTA failure on relaying, From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:[127.0.0.1]:10025): id=22995-01 (in reply to end of DATA command))
My configurations:
#####################################################################
/etc/amavisd/amavisd-milter.conf
AMAVIS_USER=amavis
WORKING_DIRECTORY=/var/spool/amavisd/tmp
SOCKET=inet:10010 at 127.0.0.1
AMAVISD_SOCKET=/var/spool/amavisd/amavisd.sock
MAX_CONNECTIONS=5
MAX_WAIT=300
MAILDAEMON_TIMEOUT=600
AMAVISD_TIMEOUT=600
#####################################################################
/etc/postfix/master.cf
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=no
  # Django : 2014-11-29 amavisd-milter hooked in
  -o smtpd_milters=${amavisd_milter}
dnsblog    unix  -  -  n  -  0  dnsblog
tlsproxy   unix  -  -  n  -  0  tlsproxy
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  # -o smtpd_client_restrictions=$mua_client_restrictions
  # -o smtpd_helo_restrictions=$mua_helo_restrictions
  # -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=smtp:127.0.0.1:10024
#############################################################################
/etc/postfix/main.cf
amavisd_milter = inet:127.0.0.1:10010
###############################################################################
/etc/amavisd/amavisd.conf
use strict;
################################################################################
#                                                                              #
# Django : 2014-11-15 - Sample configuration for AMaViS 2.9 on CentOS 7        #
#                                                                              #
################################################################################
# A list of all possible variables can be found in the file
# /usr/share/doc/amavisd-new-2.9.1/amavisd.conf-default from the RPM. The
# website http://www.ijs.si/software/amavisd/amavisd-new-docs.html also offers
# many explanations and configuration examples.
################################################################################
## PATHS OF THE LOCAL INSTALLATION
#
# Paths to the programs and tools
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# Working directory of AMaViS
$MYHOME = '/var/spool/amavisd';
# Directory for temporary data
#$TEMPBASE = '$MYHOME/tmp';
$TEMPBASE = "$MYHOME/tmp";
# Environment variable TMPDIR, used among others by SpamAssassin
$ENV{TMPDIR} = $TEMPBASE;
# No quarantine -> no quarantine directory needed
$QUARANTINEDIR = undef;
# Directory for the Berkeley DB files nanny/cache/snmp
$db_home = "$MYHOME/db";
# Paths to the PID and LOCK file
$lock_file = "/var/run/amavisd/amavisd.lock";
$pid_file = "/var/run/amavisd/amavisd.pid";
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed
  # ## per-recipient personal tables (NOTE: positive: black, negative: white)
  # 'user1 at example.com' => [{'bla-mobile.press at example.com' => 10.0}],
  # 'user3 at example.com' => [{'.ebay.com' => -3.0}],
  # 'user4 at example.com' => [{'cleargreen at cleargreen.com' => -7.0,
  #                            '.cleargreen.com' => -5.0}],
  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [ # the _first_ matching sender determines the score boost
    new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
      [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
      [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i => 5.0],
      [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i => 5.0],
      [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
      [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
      [qr'^(your_friend|greatoffers)@'i => 5.0],
      [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
    ),
    # read_hash("/var/amavis/sender_scores_sitewide"),
    { # a hash-type lookup table (associative array)
      'nobody at cert.org' => -3.0,
      'cert-advisory at us-cert.gov' => -3.0,
      'owner-alert at iss.net' => -3.0,
      'slashdot at slashdot.org' => -3.0,
      'securityfocus.com' => -3.0,
      'ntbugtraq at listserv.ntbugtraq.com' => -3.0,
      'security-alerts at linuxsecurity.com' => -3.0,
      'mailman-announce-admin at python.org' => -3.0,
      'amavis-user-admin at lists.sourceforge.net' => -3.0,
      'amavis-user-bounces at lists.sourceforge.net' => -3.0,
      'spamassassin.apache.org' => -3.0,
      'notification-return at lists.sophos.com' => -3.0,
      'owner-postfix-users at postfix.org' => -3.0,
      'owner-postfix-announce at postfix.org' => -3.0,
      'owner-sendmail-announce at lists.sendmail.org' => -3.0,
      'sendmail-announce-request at lists.sendmail.org' => -3.0,
      'donotreply at sendmail.org' => -3.0,
      'ca+envelope at sendmail.org' => -3.0,
      'noreply at freshmeat.net' => -3.0,
      'owner-technews at postel.acm.org' => -3.0,
      'ietf-123-owner at loki.ietf.org' => -3.0,
      'cvs-commits-list-admin at gnome.org' => -3.0,
      'rt-users-admin at lists.fsck.com' => -3.0,
      'clp-request at comp.nus.edu.sg' => -3.0,
      'surveys-errors at lists.nua.ie' => -3.0,
      'emailnews at genomeweb.com' => -5.0,
      'yahoo-dev-null at yahoo-inc.com' => -3.0,
      'returns.groups.yahoo.com' => -3.0,
      'clusternews at linuxnetworx.com' => -3.0,
      lc('lvs-users-admin at LinuxVirtualServer.org') => -3.0,
      lc('owner-textbreakingnews at CNNIMAIL12.CNN.COM') => -5.0,
      # soft-blacklisting (positive score)
      'sender at example.net' => 3.0,
      '.example.net' => 1.0,
    },
  ], # end of site-wide tables
});
# Utilities amavis uses to unpack archives
@decoders = (
  ['mail', \&do_mime_decode],
  ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
  ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
  ['gz', \&do_uncompress, 'gzip -d'],
  ['gz', \&do_gunzip],
  ['bz2', \&do_uncompress, 'bzip2 -d'],
  ['xz', \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
  ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma',
                             'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
  ['lrz', \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
  ['lzo', \&do_uncompress, 'lzop -d'],
  ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
  ['deb', \&do_ar, 'ar'],
  ['rar', \&do_unrar, ['unrar', 'rar'] ],
  ['arj', \&do_unarj, ['unarj', 'arj'] ],
  ['arc', \&do_arc, ['nomarch', 'arc'] ],
  ['zoo', \&do_zoo, ['zoo', 'unzoo'] ],
  ['cab', \&do_cabextract, 'cabextract'],
  ['tnef', \&do_tnef],
  [['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
  [['zip','kmz'], \&do_unzip],
  ['7z', \&do_7zip, ['7zr', '7za', '7z'] ],
  [[qw(7z zip gz bz2 Z tar)], \&do_7zip, ['7za', '7z'] ],
  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip, '7z' ],
  ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);
# e-mails are handed to the virus scanner in full. The contents of archives
# are never trusted.
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',
  qr'^MAIL-UNDECIPHERABLE$',
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)',
));
################################################################################
## BASIC SERVER SETTINGS AND DEFINITIONS
#
# Number of servers (pre-forked children) to start.
$max_servers = 5;
# User and group of the AMaViS daemon
$daemon_user = 'amavis';
$daemon_group = 'amavis';
# Hostname (FQDN) of the AMaViS server
$myhostname = 'mail.wassa.at';
# Local domain of the AMaViS server
$mydomain = 'wassa.at';
# Address delimiter in the e-mail address
$recipient_delimiter = '+';
# We set everything to NULL and define the back-routing in the policy banks.
# How are e-mails handed back to the MTA? "undef" when using the
# amavisd-milter!
$forward_method = undef;
$notify_method = 'smtp:[mail.wassa.at]:10025';
#$allowed_added_header_fields{lc('X-Virus-Scanned')} = 0;
################################################################################
## LOGGING
#
# verbosity 0..5, -d
# Django : 2014-11-18
# default: $log_level = 0;
$log_level = 3;
# disable by-recipient level-0 log entries
$log_recip_templ = undef;
# log via syslogd (preferred)
$do_syslog = 1;
# Syslog facility as a string e.g.: mail, daemon, user, local0, ... local7
$syslog_facility = 'mail';
# Syslog base (minimal) priority
$syslog_priority = 'debug';
# enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_db = 1;
# enable use of libdb-based cache if $enable_db=1
$enable_global_cache = 1;
# enable use of ZeroMQ (SNMP and nanny)
# $enable_zmq = 1;
# nanny verbosity: 1: traditional, 2: detailed
$nanny_details_level = 2;
# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database
# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
# $redis_logging_key = 'amavis-log';
# about 250 MB / 100000
# $redis_logging_queue_size_limit = 300000;
# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
################################################################################
## SOCKETS
#
# Where should AMaViS listen for incoming connections?
@listen_sockets = (
  '127.0.0.1:10024',
  '127.0.0.1:9998',
  "$MYHOME/amavisd.sock"
);
################################################################################
## POLICY MAPPINGS
#
# We route incoming connections into policy banks based on different
# criteria.
# Map TCP sockets to policies
$interface_policy{'9998'} = 'AM.PDP-INET';
$interface_policy{'10024'} = 'ORIGINATING';
# Map UNIX domain sockets to policies
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';
# Map IP addresses/ranges to policies
@client_ipaddr_policy = (
  [qw( 0.0.0.0/8 127.0.0.1/32 [::] [::1] )] => 'LOCALHOST',
  [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
  [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )] => 'PARTNER',
  [qw( 198.51.100.88/32 )] => 'CUSTOMERS',
  [qw( 203.0.113.164/32 )] => 'HOSTING',
  \@mynetworks => 'MYNETS',
);
# Map DKIM-verified senders (domains) to policies
@author_to_policy_bank_maps = ( {
  'piratenpartei-bayern.de' => 'WHITELIST,NOBANNEDCHECK,NOVIRUSCHECK',
  '.paypal.de' => 'WHITELIST',
  '.paypal.com' => 'WHITELIST',
  'amazon.de' => 'WHITELIST',
} );
################################################################################
## DESTINATIONS
#
# Definition of the traffic directions:
# This is what counts as internal. Conversely, all other destinations are
# external.
@local_domains_maps = (
  [".$mydomain"],
  read_hash("/etc/postfix/all_local_domains_map"),
);
# This is what comes from internal. Everything else is external by default,
# unless we recognise it by other criteria such as a DKIM signature or the
# originating port.
@mynetworks = qw(
  127.0.0.0/8
  [::1]
  [FE80::]/10
  [FEC0::]/10
  172.31.1.0/24
  10.0.10.0/26
);
################################################################################
## NOTIFICATIONS
#
# Warn off-site senders?
$warn_offsite = 0;
# Envelope sender
$mailfrom_notify_admin = "postmaster\@$mydomain";
$mailfrom_notify_recip = "postmaster\@$mydomain";
$mailfrom_notify_sender = "postmaster\@$mydomain";
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
$mailfrom_to_quarantine = '';
$dsn_bcc = "postmaster\@$mydomain";
# From: header
$hdrfrom_notify_sender = "Postmaster <postmaster\@$mydomain>";
$hdrfrom_notify_recip = "Postmaster <postmaster\@$mydomain>";
$hdrfrom_notify_release = "Postmaster <postmaster\@$mydomain>";
################################################################################
## VIRUS POLICY
#
# Enable the check?
# @bypass_virus_checks_maps = (1);
# Quarantine?
$virus_quarantine_to = undef;
# Notify the admin?
$virus_admin = undef;
# Notify the recipient?
$warnvirusrecip = 1;
# Extend the recipient address on release?
@addr_extension_virus_maps = ('virus');
# Wrap the e-mail on release?
$defang_virus = 1;
# Do we want to pass the content on?
$final_virus_destiny = D_REJECT;
@av_scanners = (
  ### http://www.clamav.net/
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
@av_scanners_backup = ();
#@av_scanners_backup = (
#  ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
#  ['ClamAV-clamscan', 'clamscan',
#    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
#    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
#);
################################################################################
## SPAM POLICY
#
# Enable the check?
# @bypass_spam_checks_maps = (1);
# Quarantine?
$spam_quarantine_to = undef;
# Notify the admin?
$spam_admin = undef;
# Extend the recipient address on release?
@addr_extension_spam_maps = ('spam');
# Wrap the e-mail on release?
$defang_spam = undef;
# Do we want to pass the content on?
$final_spam_destiny = D_REJECT;
# add spam info headers if at, or above that level
$sa_tag_level_deflt = -1000.0;
# add 'spam detected' headers at that level
$sa_tag2_level_deflt = 6.31;
# triggers spam evasive actions (e.g. blocks mail)
$sa_kill_level_deflt = 6.31;
# spam level beyond which a DSN is not sent
$sa_dsn_cutoff_level = 10;
# likewise, but for a likely valid From
$sa_crediblefrom_dsn_cutoff_level = 18;
# spam level beyond which quarantine is off
# $sa_quarantine_cutoff_level = 25;
# (no effect without a @storage_sql_dsn database)
$penpals_bonus_score = 8;
# don't waste time on hi spam
$penpals_threshold_high = $sa_kill_level_deflt;
# spam score points to add for joe-jobbed bounces
$bounce_killer_score = 100;
# don't waste time on SA if mail is larger
$sa_mail_body_size_limit = 400*1024;
# only tests which do not require internet access?
$sa_local_tests_only = 0;
$sa_spam_subject_tag = '***Spam*** ';
################################################################################
## BANNED POLICY
#
# Enable the check?
#@bypass_banned_checks_maps = (1);
# Quarantine?
$banned_quarantine_to = undef;
# Notify the admin?
$banned_admin = undef;
# Extend the recipient address on release?
@addr_extension_banned_maps = ('banned');
# Wrap the e-mail on release?
$defang_banned = 1;
# Do we want to pass the content on?
$final_banned_destiny = D_BOUNCE;
# Definition lists in which we group certain file types.
# The definition names can be used in a policy.
%banned_rules = (
  'NO-MS-EXEC'=> new_RE( qr'^\.(exe-ms)$' ),
  'PASSALL' => new_RE( [qr'^' => 0] ),
  'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
  'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ),
  'NO-VIDEO' => new_RE( qr'^\.movie$',
                        qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
  'NO-MOVIES' => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),
  'MYNETS-DEFAULT' => new_RE( [ qr'^\.(rpm|cpio|tar)$' => 0 ],
                              qr'.\.(vbs|pif|scr)$'i, ),
  'DEFAULT' => $banned_filename_re,
);
# Everything that is DEFAULT in the definition list above
$banned_filename_re = new_RE(
  # banned file(1) types, rudimentary
  qr'^\.(exe-ms|dll)$',
  # allow any in Unix-type archives
  [ qr'^\.(rpm|cpio|tar)$' => 0 ],
  # banned extensions - rudimentary
  qr'.\.(pif|scr)$'i,
  # block these MIME types
  qr'^application/x-msdownload$'i,
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  # block certain double extensions in filenames
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
  # banned extension - basic+cmd
  qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
);
################################################################################
## HEADER POLICY
#
# Enable the check?
# @bypass_header_checks_maps = (1);
# Quarantine?
$bad_header_quarantine_method = undef;
# Extend the recipient address on release?
@addr_extension_bad_header_maps = ('badh');
# Wrap the e-mail on release?
# NUL or CR character in header
$defang_by_ccat{CC_BADH.",3"} = 1;
# header line longer than 998 characters
$defang_by_ccat{CC_BADH.",5"} = 1;
# header field syntax error
$defang_by_ccat{CC_BADH.",6"} = 1;
# Do we want to pass the content on?
$final_bad_header_destiny = D_PASS;
# Notify the admin?
$bad_header_admin = undef;
# Notify the sender?
$warnbadhsender = undef;
# Notify the recipient?
$warnbadhrecip = undef;
################################################################################
## UNCHECKED POLICY
#
$undecipherable_subject_tag = '';
$MAXLEVELS = 14;
$MAXFILES = 3000;
# bytes (default undef, not enforced)
$MIN_EXPANSION_QUOTA = 100*1024;
# bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 500*1024*1024;
################################################################################
## DKIM - Domain Keys Identified Mail
#
# Verify DKIM signatures
$enable_dkim_verification = 0;
# Create DKIM signatures
$enable_dkim_signing = 0;
# Private keys and selectors
#
#   signing domain   selector   private key                                options
#   --------------   --------   ----------------------                     ----------
# dkim_key('nausch.org', '201411', '/var/spool/amavis/dkim/201411_nausch.org');
# DKIM signing policies
@dkim_signature_options_bysender_maps = (
  { '.' =>
    {
      ttl => 21*24*3600,
      c => 'relaxed/simple'
    }
  }
);
# to query p0f-analyzer.pl
# $os_fingerprint_method = 'p0f:*:2345';
## hierarchy by which a final setting is chosen:
##   policy bank (based on port or IP address) -> *_by_ccat
##   *_by_ccat (based on mail contents) -> *_maps
##   *_maps (based on recipient address) -> final configuration value
################################################################################
## POLICY BANKS
#
## POLICY BANK MYNETWORK
# All hosts listed in MYNETS
$policy_bank{'MYNETS'} = {
  # Every mail from one of our hosts is marked as originating
  originating => 1,
  # Do not run p0f queries for internal clients.
  os_fingerprint_method => undef,
};
## POLICY BANK SUBMISSION
# Messages from our customers that were submitted on port 587 (submission)
# are marked as originating, i.e. as coming from us.
$policy_bank{'ORIGINATING'} = {
  # which host is allowed to submit on port 10014
  inet_acl => [qw( 127.0.0.1 )],
  # e-mails from port 587 are marked as "from us" = originating
  originating => 1,
  # Append a disclaimer to every mail, provided any are available.
  allow_disclaimers => 1,
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps => ["virusalert\@$mydomain"],
  warnbadhsender => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  # allow sending any file names and types
  bypass_spam_checks_maps => [0],
  # allow sending any file names and types
  bypass_banned_checks_maps => [1],
  # don't remove NOTIFY=SUCCESS option
  terminate_dsn_on_notify_success => 0,
  notify_method => 'smtp:[127.0.0.1]:10025',
  forward_method => 'smtp:[127.0.0.1]:10025',
  final_virus_destiny => 'D_BOUNCE',
};
# This is where the MILTER comes in
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,
};
# This is where we would release
$policy_bank{'AM.PDP-INET'} = {
  protocol => 'AM.PDP',
  inet_acl => [qw( 127.0.0.1 )],
  auth_required_release => 0,
};
## POLICY BANK: WHITELIST
$policy_bank{'WHITELIST'} = {
  bypass_spam_checks_maps => [1],
  spam_lovers_maps => [1],
};
## POLICY BANK: NOVIRUSCHECK
$policy_bank{'NOVIRUSCHECK'} = {
  bypass_decode_parts => 1,
  bypass_virus_checks_maps => [1],
  virus_lovers_maps => [1],
};
## POLICY BANK: NOBANNEDCHECK
$policy_bank{'NOBANNEDCHECK'} = {
  bypass_banned_checks_maps => [1],
  banned_files_lovers_maps => [1],
};
1; # ensure a defined return value
# vim: set ft=perl sw=4:
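The port-587 log excerpt shows amavisd trying to hand the scanned message back to smtp:[127.0.0.1]:10025 and getting "Connection refused", while the master.cf in the post defines no service on port 10025, and the post's own amavisd.conf comment says forward_method should be undef when the milter is used. Mismatches of this kind (one side expecting a listener the other side never defines) are easy to catch before mail is deferred. The following script is an added example, not code from the post, from Postfix or from amavisd: it parses a master.cf and an amavisd.conf fragment and reports every smtp:[host]:port target on one side that has no counterpart on the other. The embedded configuration text is constructed to resemble the post's setup (mail.example.test is a placeholder hostname) and deliberately keeps the 10025 targets so the mismatch is reported.

```python
"""Cross-check the SMTP ports that Postfix and amavisd expect from each other.

Added example (not code from the post, Postfix or amavisd). It parses a
Postfix master.cf and an amavisd.conf fragment and lists every
'smtp:[host]:port' target on one side that has no listener on the other.
"""
import re

# Service names Postfix may use instead of a numeric port in master.cf.
WELL_KNOWN_PORTS = {"smtp": 25, "submission": 587, "smtps": 465}

# Constructed sample input modelled on the post's configs (not a verbatim copy;
# mail.example.test is a placeholder hostname).
MASTER_CF = """\
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
  -o smtpd_milters=inet:127.0.0.1:10010
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=smtp:127.0.0.1:10024
"""

AMAVISD_CONF = """\
@listen_sockets = (
  '127.0.0.1:10024',
  '127.0.0.1:9998',
  "$MYHOME/amavisd.sock"
);
$forward_method = undef;
$notify_method = 'smtp:[mail.example.test]:10025';
$policy_bank{'ORIGINATING'} = {
  originating => 1,
  notify_method => 'smtp:[127.0.0.1]:10025',
  forward_method => 'smtp:[127.0.0.1]:10025',
};
"""

# Matches 'smtp:[host]:port' (amavisd style) and 'smtp:host:port' (Postfix style).
SMTP_TARGET = re.compile(r"smtp:\[?([^\[\]:'\"\s]+)\]?:(\d+)")


def parse_master_cf(text):
    """Return (inet_listeners, content_filters) found in a master.cf.

    inet_listeners: set of (address or None, port) for every 'inet' service.
    content_filters: set of (host, port) from '-o content_filter=smtp:...'.
    """
    listeners, filters = set(), set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                      # '-o key=value' continuation line
            m = re.search(r"content_filter=(\S+)", line)
            t = SMTP_TARGET.search(m.group(1)) if m else None
            if t:
                filters.add((t.group(1), int(t.group(2))))
            continue
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        addr, _, port = fields[0].rpartition(":")  # 'host:port', 'port' or 'smtp'
        port = WELL_KNOWN_PORTS.get(port) or (int(port) if port.isdigit() else None)
        if port is not None:
            listeners.add((addr or None, port))
    return listeners, filters


def parse_amavisd_conf(text):
    """Return (listen_sockets, smtp_targets) found in an amavisd.conf.

    listen_sockets: set of (host, port) from @listen_sockets (unix sockets skipped).
    smtp_targets: set of (host, port) from every active forward_method or
    notify_method, global or inside a policy bank. Comments and undef are ignored.
    """
    listens, targets = set(), set()
    in_listen = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if stripped.startswith("@listen_sockets"):
            in_listen = True
        if in_listen:
            for host, port in re.findall(r"['\"]([\w.\[\]:-]+?):(\d+)['\"]", stripped):
                listens.add((host, int(port)))
            if ");" in stripped:
                in_listen = False
            continue
        if re.search(r"\b(forward_method|notify_method)\b", stripped):
            t = SMTP_TARGET.search(stripped)
            if t:
                targets.add((t.group(1), int(t.group(2))))
    return listens, targets


def check(master_cf, amavisd_conf):
    """Return a list of findings; an empty list means both sides agree."""
    listeners, filters = parse_master_cf(master_cf)
    listens, targets = parse_amavisd_conf(amavisd_conf)
    findings = []
    for host, port in sorted(targets):
        served = any(lp == port and la in (None, host) for la, lp in listeners)
        if not served:
            findings.append(f"amavisd hands mail to smtp:[{host}]:{port}, but master.cf "
                            f"has no inet service on port {port} (expect 'Connection refused')")
    for host, port in sorted(filters):
        if (host, port) not in listens:
            findings.append(f"master.cf content_filter=smtp:{host}:{port}, but amavisd "
                            f"@listen_sockets has no {host}:{port}")
    return findings


if __name__ == "__main__":
    for finding in check(MASTER_CF, AMAVISD_CONF) or ["no port mismatches found"]:
        print(finding)
```

To run it against a real installation, replace the two embedded strings with the contents of /etc/postfix/master.cf and /etc/amavisd/amavisd.conf. The checker compares ports only and does not resolve hostnames, so a target written with a hostname is only matched by a master.cf service that has no explicit bind address; it also does not evaluate which of two duplicate hash keys in a policy bank Perl keeps, it reports every target it sees.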