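#!/bin/bash
# atualizar_clamav.sh
#
# Upgrades ClamAV from the Debian sarge/volatile repository, reinstalls the
# kernel packages the upgrade removes, installs the F-Prot installer package,
# writes its /etc/cron.d entry and backs up /etc/amavis/amavisd.conf so that
# the new amavisd.conf (written by the `cat` heredoc right after this section)
# can replace it.
#
# Must run as root; needs apt-get, dpkg, wget and freshclam on the PATH.
#
# NOTE(review): the published copy of this script had every ASCII quote
# replaced by typographic quotes (which bash does not parse) and had lost the
# `<<EOF` operators of its heredocs; both are restored below. The amavisd.conf
# heredoc that follows this section appears to have lost its `<<EOF` as well.
VERSAO="0.1.26 -14/09/2006"
readonly VERSAO

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'ERRO: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a line followed by a blank line
# (the original used `echo -e "..."\\n` for this).
# Arguments: $* - text
#######################################
say() {
  printf '%s\n\n' "$*"
}

#######################################
# Copy a file to a backup path unless the backup already exists.
# A missing source only produces a warning, so the script keeps going
# the way the original did; a failed copy aborts.
# Arguments: $1 - source file, $2 - backup path
# Returns:   0, or exits via die when the copy fails
#######################################
backup_once() {
  local src=$1 dst=$2
  if [[ -f "$dst" ]]; then
    echo "Arquivo de backup já Existe"
  elif [[ ! -f "$src" ]]; then
    printf 'aviso: %s não existe, nenhum backup foi feito\n' "$src" >&2
  else
    echo "Criando backup:"
    echo "cp $src $dst"
    cp -- "$src" "$dst" || die "não foi possível criar o backup $dst"
  fi
}

# Everything below writes to /etc and calls the package manager.
[[ $EUID -eq 0 ]] || die "este script precisa ser executado como root"

echo "=================================================================================="
say "================ ATENÇÂO ====================================================="
echo "Este script vai fazer a atualização do Clamav Anti-Vírus para versão mais recente"
say "e instalar o F-prot Anti-vírus."
say "============================================= Versão $VERSAO =========="
echo "Pressione ENTER para prosseguir"
read -r _
printf '\n\n'

say "Iremos agora fazer a atualização do Clamav Anti-virus."
say "Fazendo backup do /etc/apt/sources.list para /etc/apt/sources.list_ORIGINAL"
backup_once /etc/apt/sources.list /etc/apt/sources.list_ORIGINAL

# The published copy truncated sources.list (`cat >`), leaving the volatile
# line as the only package source; the kernel, perl and F-Prot packages
# installed further down are presumably served by the original sources rather
# than by debian-volatile, so the line is appended instead, and only once.
volatile_line='deb http://ftp2.de.debian.org/debian-volatile sarge/volatile main'
if ! grep -qF -- "$volatile_line" /etc/apt/sources.list 2>/dev/null; then
  printf '%s\n%s\n' '#Clamav Binary packages for Debian stable/sarge:' "$volatile_line" \
    >> /etc/apt/sources.list || die "não foi possível escrever em /etc/apt/sources.list"
fi

printf '\n\n'
say "Fazendo a atualização do anti-virus"
apt-get update || die "apt-get update falhou"
apt-get install clamav clamav-daemon || die "instalação do clamav falhou"
# A failed signature download is not fatal for the rest of the procedure.
freshclam || printf 'aviso: freshclam falhou; execute-o novamente mais tarde\n' >&2
printf '\n\n'

echo "Agora, precisamos instalar uma nova versão do kernel, porque durante a instalação"
say "da versão nova do Clamav, ele tentou remover a versão mais antiga do kernel."
say "Instalaremos a versão kernel-image-2.4.27-3-386 e mais alguns pacotes que também foram removidos"
# Leaving the system without a kernel package is the worst outcome of this
# script, so this step aborts on failure.
apt-get install kernel-image-2.4.27-2-386 kernel-image-2.4.27-3-386 base-config initrd-tools libgmp3 \
  || die "reinstalação do kernel falhou"

printf '\n\n'
say "OK, seu sistema foi atualizado."
say "Instalando um anti-vírus adicional, o F-Prot"
# Perl dependencies of f-prot-installer, installed first so dpkg -i can succeed.
apt-get install libwww-perl liburi-perl libhtml-parser-perl libhtml-tree-perl libhtml-tagset-perl \
  || die "instalação das dependências perl falhou"

fprot_deb='f-prot-installer_0.5.22_i386.deb'
fprot_url="http://http.us.debian.org/debian/pool/contrib/f/${fprot_deb}"
if apt-cache show f-prot-installer >/dev/null 2>&1; then
  # Preferred path: the package lives in the Debian archive (pool/contrib), so
  # when apt already knows it the download goes through apt's archive
  # signature verification.
  apt-get install f-prot-installer || die "instalação do f-prot-installer falhou"
else
  # Fallback kept from the original: the .deb is fetched over plain HTTP and
  # installed with dpkg -i, so nothing verifies its integrity or origin. A
  # private temporary directory replaces the fixed file name in the shared
  # /tmp used by the original.
  workdir=$(mktemp -d) || die "mktemp falhou"
  trap 'rm -rf -- "$workdir"' EXIT
  wget -O "${workdir}/${fprot_deb}" -- "$fprot_url" || die "download de ${fprot_deb} falhou"
  dpkg -i -- "${workdir}/${fprot_deb}" || die "dpkg -i ${fprot_deb} falhou"
fi

printf '\n\n'
say "Gerando uma entrado no crontab para que o F-Prot se atualize"
# Reconstructed heredoc: the published copy showed `echo /etc/cron.d/...`
# followed by the crontab lines and an EOF terminator, which only makes sense
# as `cat > ... <<EOF`. If the f-prot-installer package ships its own cron.d
# file, this overwrites it (as the original did).
cron_file=/etc/cron.d/f-prot-installer
cat > "$cron_file" <<'EOF' || die "não foi possível escrever $cron_file"
#
27 4,16 * * * root if [ -x /usr/lib/f-prot/tools/check-updates ]; then /usr/lib/f-prot/tools/check-updates -cron; fi
#
# Uncomment to check for new version of program once a week
#
00 12 * * 1 root if [ -x /usr/sbin/update-f-prot ]; then /usr/sbin/update-f-prot -i; fi
EOF
# cron.d entries must be root-owned and not group/world-writable to be honoured.
chmod 0644 "$cron_file"

say "Alterando o /etc/amavis/amavisd.conf para dar suporte ao F-Prot"
#echo "Pressione ENTER para prosseguir"
#read -r _
say "Fazendo backup do /etc/amavis/amavisd.conf para /etc/amavis/amavisd.conf_OLD"
# The original moved the file aside (mv); copying keeps a valid configuration
# in place until the heredoc that follows this section overwrites it.
backup_once /etc/amavis/amavisd.conf /etc/amavis/amavisd.conf_OLD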
cat /etc/amavis/amavisd.conf
use strict;
# Configuration file for amavisd-new
# Defaults modified for the Debian amavisd-new package
# \$Id: amavisd.conf,v 1.27.2.2 2004/11/18 23:27:55 hmh Exp \$
#
# This software is licensed under the GNU General Public License (GPL).
# See comments at the start of amavisd-new for the whole license text.
#Sections:
# Section I – Essential daemon and MTA settings
# Section II – MTA specific
# Section III – Logging
# Section IV – Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
# Section V – Per-recipient and per-sender handling, whitelisting, etc.
# Section VI – Resource limits
# Section VII – External programs, virus scanners, SpamAssassin
# Section VIII – Debugging
#GENERAL NOTES:
# This file is a normal Perl code, interpreted by Perl itself.
# – make sure this file (or directory where it resides) is NOT WRITABLE
# by mere mortals (not even vscan/amavis; best to make it owned by root),
# otherwise it represents a severe security risk!
# – for values which are interpreted as booleans, it is recommended
# to use 1 for true, undef for false.
# THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where “no” also meant false,
# now it means true, like any nonempty string does!
# – Perl syntax applies. Most notably: strings in “” may include variables
# (which start with \$ or @); to include characters @ and \$ in double
# quoted strings, precede them by a backslash; in single-quoted strings
# the \$ and @ lose their special meaning, so it is usually easier to use
# single quoted strings (or qw operator) for e-mail addresses.
# Still, in both cases a backslash needs to be doubled.
# – variables with names starting with a ‘@’ are lists, the values assigned
# to them should be lists as well, e.g. (‘one@foo’, \$mydomain, “three”);
# note the comma-separation and parenthesis. If strings in the list
# do not contain spaces nor variables, a Perl operator qw() may be used
# as a shorthand to split its argument on whitespace and produce a list
# of strings, e.g. qw( one@foo example.com three ); Note that the argument
# to qw is quoted implicitly and no variable interpretation is done within
# (no ‘\$’ variable evaluations). The #-initiated comments can NOT be used
# within a string. In other words, \$ and # lose their special meaning
# within a qw argument, just like within ‘…’ strings.
# – all e-mail addresses in this file and as used internally by the daemon
# are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.
# Bob “Funny” Dude@example.com, not: “Bob \”Funny\” Dude”@example.com
# and not ; also: ” and not ”.
# – the term ‘default value’ in examples below refers to the value of a
# variable pre-assigned to it by the program; any explicit assignment
# to a variable in this configuration file overrides the default value;
#
# Section I – Essential daemon and MTA settings
#
# \$MYHOME serves as a quick default for some other configuration settings.
# More refined control is available with each individual setting further down.
# \$MYHOME is not used directly by the program. No trailing slash!
\$MYHOME = ‘/var/lib/amavis’; # (default is ‘/var/amavis’)
# \$mydomain serves as a quick default for some other configuration settings.
# More refined control is available with each individual setting further down.
# \$mydomain is never used directly by the program.
\$mydomain = ‘example.com’; # (no useful default)
# \$myhostname = ‘host.example.com’; # fqdn of this host, default by uname(3)
# Set the user and group to which the daemon will change if started as root
# (otherwise just keeps the UID unchanged, and these settings have no effect):
\$daemon_user = ‘amavis’; # (no default (undef))
\$daemon_group = ‘amavis’; # (no default (undef))
# Runtime working directory (cwd), and a place where
# temporary directories for unpacking mail are created.
# if you change this, you might want to modify the cleanup()
# function in /etc/init.d/amavisd-new
# (no trailing slash, may be a scratch file system)
\$TEMPBASE = \$MYHOME; # (must be set if other config vars use is)
#\$TEMPBASE = “\$MYHOME/tmp”; # prefer to keep home dir /var/amavis clean?
# \$helpers_home sets environment variable HOME, and is passed as option
# ‘home_dir_for_helpers’ to Mail::SpamAssassin::new. It should be a directory
# on a normal persistent file system, not a scratch or temporary file system
#\$helpers_home = \$MYHOME; # (defaults to \$MYHOME)
# Run the daemon in the specified chroot jail if nonempty:
#\$daemon_chroot_dir = \$MYHOME; # (default is undef, meaning: do not chroot)
\$pid_file = “/var/run/amavis/amavisd.pid”; # (default: “\$MYHOME/amavisd.pid”)
\$lock_file = “/var/run/amavis/amavisd.lock”; # (default: “\$MYHOME/amavisd.lock”)
# set environment variables if you want (no defaults):
\$ENV{TMPDIR} = \$TEMPBASE; # wise to set TMPDIR, but not obligatory
#…
# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,
# both \$forward_method and \$notify_method default to ‘smtp:127.0.0.1:10025′
# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
# (set host and port number as required; host can be specified
# as IP address or DNS name (A or CNAME, but MX is ignored)
#\$forward_method = ‘smtp:127.0.0.1:10025′; # where to forward checked mail
#\$notify_method = \$forward_method; # where to submit notifications
# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
# uncomment the appropriate settings below if using other setups!
# SENDMAIL MILTER, using amavis-milter.c helper program:
# SEE amavisd-new-milter package docs FOR DEBIAN INSTRUCTIONS
#\$forward_method = undef; # no explicit forwarding, sendmail does it by itself
# milter; option -odd is needed to avoid deadlocks
#\$notify_method = ‘pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f \${sender} — \${recipient}’;
# just a thought: can we use use -Am instead of -odd ?
# SENDMAIL (old non-milter setup, as relay):
#\$forward_method = ‘pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f \${sender} — \${recipient}’;
#\$notify_method = \$forward_method;
# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent):
#\$forward_method = undef; # no explicit forwarding, amavis.c will call LDA
#\$notify_method = ‘pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f \${sender} — \${recipient}’;
# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
#\$forward_method = ‘pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f \${sender} — \${recipient}’;
#\$notify_method = \$forward_method;
# prefer to collect mail for forwarding as BSMTP files?
#\$forward_method = “bsmtp:\$MYHOME/out-%i-%n.bsmtp”;
#\$notify_method = \$forward_method;
# Net::Server pre-forking settings
# You may want \$max_servers to match the width of your MTA pipe
# feeding amavisd, e.g. with Postfix the ‘Max procs’ field in the
# master.cf file, like the ’2′ in the: smtp-amavis unix – - n – 2 smtp
#
\$max_servers = 2; # number of pre-forked children (default 2)
\$max_requests = 10; # retire a child after that many accepts (default 10)
\$child_timeout=5*60; # abort child if it does not complete each task in n sec
# (default: 8*60 seconds)
# Check also the settings of @av_scanners at the end if you want to use
# virus scanners. If not, you may want to delete the whole long assignment
# to the variable @av_scanners, which will also remove the virus checking
# code (e.g. if you only want to do spam scanning).
# Here is a QUICK WAY to completely DISABLE some sections of code
# that WE DO NOT WANT (it won’t even be compiled-in).
# For more refined controls leave the following two lines commented out,
# and see further down what these two lookup lists really mean.
#
# @bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code
# @bypass_spam_checks_acl = qw( . ); # uncomment to DISABLE anti-spam code
#
# Any setting can be changed with a new assignment, so make sure
# you do not unintentionally override these settings further down!
@bypass_spam_checks_acl = qw( . ); # No default dependency on spamassassin
# Lookup list of local domains (see README.lookups for syntax details)
#
# NOTE:
# For backwards compatibility the variable names @local_domains (old) and
# @local_domains_acl (new) are synonyms. For consistency with other lookups
# the name @local_domains_acl is now preferred. It also makes it more
# obviously distinct from the new %local_domains hash lookup table.
#
# local_domains* lookup tables are used in deciding whether a recipient
# is local or not, or in other words, if the message is outgoing or not.
# This affects inserting spam-related headers for local recipients,
# limiting recipient virus notifications (if enabled) to local recipients,
# in deciding if address extension may be appended, and in SQL lookups
# for non-fqdn addresses. Set it up correctly if you need features
# that rely on this setting (or just leave empty otherwise).
#
# With Postfix (2.0) a quick reminder on what local domains normally are:
# a union of domains specified in: \$mydestination, \$virtual_alias_domains,
# \$virtual_mailbox_domains, and \$relay_domains.
#
@local_domains_acl = ( “.\$mydomain” ); # \$mydomain and its subdomains
# @local_domains_acl = ( “.\$mydomain”, “my.other.domain” );
# @local_domains_acl = qw(); # default is empty, no recipient treated as local
# @local_domains_acl = qw( .example.com );
# @local_domains_acl = qw( .example.com !host.sub.example.net .sub.example.net );
# or alternatively(A), using a Perl hash lookup table, which may be assigned
# directly, or read from a file, one domain per line; comments and empty lines
# are ignored, a dot before a domain name implies its subdomains:
#
#read_hash(\%local_domains, ‘/etc/amavis/local_domains’);
#or alternatively(B), using a list of regular expressions:
# \$local_domains_re = new_RE( qr’[@.]example\.com\$’i );
#
# see README.lookups for syntax and semantics
#
# Section II – MTA specific (defaults should be ok)
#
# if \$relayhost_is_client is true, the IP address in \$notify_method and
# \$forward_method is dynamically overridden with SMTP client peer address
# (if available), which makes it possible for several hosts to share one
# daemon. The static port number is also overridden, and is dynamically
# calculated as being one above the incoming SMTP/LMTP session port number.
#
# These are logged at level 3, so enable logging until you know you got it
# right.
\$relayhost_is_client = 0; # (defaults to false)
\$insert_received_line = 1; # behave like MTA: insert ‘Received:’ header
# (does not apply to sendmail/milter)
# (default is true (1) )
# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)
# (used with amavis helper clients like amavis-milter.c and amavis.c,
# NOT needed for Postfix and Exim or dual-sendmail – keep it undefined.)
#\$unix_socketname = “/var/lib/amavis/amavisd.sock”; # amavis helper protocol socket
\$unix_socketname = undef; # disable listening on a unix socket
# (default is undef, i.e. disabled)
# Do we receive quoted or raw addresses from the helper program?
# (does not apply to SMTP; defaults to true)
#\$gets_addr_in_quoted_form = 1; # “Bob \”Funny\” Dude”@example.com
#\$gets_addr_in_quoted_form = 0; # Bob “Funny” Dude@example.com
# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, …)
# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
\$inet_socket_port = 10024; # accept SMTP on this local TCP port
# (default is undef, i.e. disabled)
# multiple ports may be provided: \$inet_socket_port = [10024, 10026, 10028];
# SMTP SERVER (INPUT) access control
# – do not allow free access to the amavisd SMTP port !!!
#
# when MTA is at the same host, use the following (one or the other or both):
\$inet_socket_bind = ’127.0.0.1′; # limit socket bind to loopback interface
# (default is ’127.0.0.1′)
@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
# (default is qw( 127.0.0.1 ) )
# when MTA (one or more) is on a different host, use the following:
# @inet_acl = qw(127/8 10.1.0.1 10.1.0.2); # adjust the list as appropriate
# \$inet_socket_bind = undef; # bind to all IP interfaces if undef
#
# Example1:
# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
# permit only SMTP access from loopback and rfc1918 private address space
#
# Example2:
# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
# 127.0.0.1 10/8 172.16/12 192.168/16 );
# matches loopback and rfc1918 private address space except host 192.168.1.12
# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
#
# Example3:
# @inet_acl = qw( 127/8
# !172.16.3.0 !172.16.3.127 172.16.3.0/25
# !172.16.3.128 !172.16.3.255 172.16.3.128/25 );
# matches loopback and both halves of the 172.16.3/24 C-class,
# split into two subnets, except all four broadcast addresses
# for these subnets
#
# See README.lookups for details on specifying access control lists.
#
# Section III – Logging
#
# true (e.g. 1) => syslog; false (e.g. 0) => logging to file
\$DO_SYSLOG = 1; # (defaults to false)
#\$SYSLOG_LEVEL = ‘user.info’; # (facility.priority, default ‘mail.info’)
# Log file (if not using syslog)
\$LOGFILE = “/var/log/amavis.log”; # (defaults to empty, no log)
#NOTE: levels are not strictly observed and are somewhat arbitrary
# 0: startup/exit/failure messages, viruses detected
# 1: args passed from client, some more interesting messages
# 2: virus scanner output, timing
# 3: server, client
# 4: decompose parts
# 5: more debug details
#\$log_level = 2; # (defaults to 0)
# Customizable template for the most interesting log file entry (e.g. with
# \$log_level=0) (take care to properly quote Perl special characters like ‘\’)
# For a list of available macros see README.customize .
# only log infected messages (useful with log level 0):
# \$log_templ = ‘[? %#V |[? %#F ||banned filename ([%F|,])]|infected ([%V|,])]#
# [? %#V |[? %#F ||, from=[?%o|(?)|], to=[|,][? %i ||, quarantine %i]]#
# |, from=[?%o|(?)|], to=[|,][? %i ||, quarantine %i]]’;
# log both infected and noninfected messages (default):
\$log_templ = ‘[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
[?%o|(?)|] -> [|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c’;
#
# Section IV – Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine
#
# Select notifications text encoding when Unicode-aware Perl is converting
# text from internal character representation to external encoding (charset
# in MIME terminology). Used as argument to Perl Encode::encode subroutine.
#
# to be used in RFC 2047-encoded header field bodies, e.g. in Subject:
#\$hdr_encoding = ‘iso-8859-1′; # (default: ‘iso-8859-1′)
#
# to be used in notification body text: its encoding and Content-type.charset
#\$bdy_encoding = ‘iso-8859-1′; # (default: ‘iso-8859-1′)
# Default template texts for notifications may be overruled by directly
# assigning new text to template variables, or by reading template text
# from files. A second argument may be specified in a call to read_text(),
# specifying character encoding layer to be used when reading from the
# external file, e.g. ‘utf8′, ‘iso-8859-1′, or often just \$bdy_encoding.
# Text will be converted to internal character representation by Perl 5.8.0
# or later; second argument is ignored otherwise. See PerlIO::encoding,
# Encode::PerlIO and perluniintro man pages.
#
# \$notify_sender_templ = read_text(‘/var/amavis/notify_sender.txt’);
# \$notify_virus_sender_templ= read_text(‘/var/amavis/notify_virus_sender.txt’);
# \$notify_virus_admin_templ = read_text(‘/var/amavis/notify_virus_admin.txt’);
# \$notify_virus_recips_templ= read_text(‘/var/amavis/notify_virus_recips.txt’);
# \$notify_spam_sender_templ = read_text(‘/var/amavis/notify_spam_sender.txt’);
# \$notify_spam_admin_templ = read_text(‘/var/amavis/notify_spam_admin.txt’);
# If notification template files are collectively available in some directory,
# use read_l10n_templates which calls read_text for each known template.
#
# read_l10n_templates(‘/etc/amavis/en_US’);
#
# Debian available locales: en_US, pt_BR, de_DE, it_IT
read_l10n_templates(‘en_US’, ‘/etc/amavis’);
# Here is an overall picture (sequence of events) of how pieces fit together
# (only virus controls are shown, spam controls work the same way):
#
# bypass_virus_checks? ==> PASS
# no viruses? ==> PASS
# log virus if \$log_templ is nonempty
# quarantine if \$virus_quarantine_to is nonempty
# notify admin if \$virus_admin (lookup) nonempty
# notify recips if \$warnvirusrecip and (recipient is local or \$warn_offsite)
# add address extensions if adding extensions is enabled and virus will pass
# send (non-)delivery notifications
# to sender if DSN needed (BOUNCE or (\$warn_virus_sender and D_PASS))
# virus_lovers or final_destiny==D_PASS ==> PASS
# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
#
# Equivalent flow diagram applies for spam checks.
# If a virus is detected, spam checking is skipped entirely.
# The following symbolic constants can be used in *destiny settings:
#
# D_PASS mail will pass to recipients, regardless of bad contents;
#
# D_DISCARD mail will not be delivered to its recipients, sender will NOT be
# notified. Effectively we lose mail (but will be quarantined
# unless disabled). Losing mail is not decent for a mailer,
# but might be desired.
#
# D_BOUNCE mail will not be delivered to its recipients, a non-delivery
# notification (bounce) will be sent to the sender by amavisd-new;
# Exception: bounce (DSN) will not be sent if a virus name matches
# \$viruses_that_fake_sender_re, or to messages from mailing lists
# (Precedence: bulk|list|junk);
#
# D_REJECT mail will not be delivered to its recipients, sender should
# preferably get a reject, e.g. SMTP permanent reject response
# (e.g. with milter), or non-delivery notification from MTA
# (e.g. Postfix). If this is not possible (e.g. different recipients
# have different tolerances to bad mail contents and not using LMTP)
# amavisd-new sends a bounce by itself (same as D_BOUNCE).
#
# Notes:
# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
# for informing the sender about non-delivery, and how informative
# the notification can be (amavisd-new knows more than MTA);
# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
# notification, colloquially called ‘bounce’) – depending on MTA;
# Best suited for sendmail milter, especially for spam.
# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
# reason for mail non-delivery, but unable to reject the original
# SMTP session). Best suited to reporting viruses, and for Postfix
# and other dual-MTA setups, which can’t reject original client SMTP
# session, as the mail has already been enqueued.
\$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
\$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
\$final_spam_destiny = D_REJECT; # (defaults to D_REJECT)
\$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
# Alternatives to consider for spam:
# – use D_PASS if clients will do filtering based on inserted mail headers;
# – use D_DISCARD, if kill_level is set safely high;
# – use D_BOUNCE instead of D_REJECT if not using milter;
#
# D_BOUNCE is preferred for viruses, but consider:
# – use D_DISCARD to avoid bothering the rest of the network, it is hopeless
# to try to keep up with the viruses that faker the envelope sender anyway,
# and bouncing only increases the network cost of viruses for everyone
# – use D_PASS (or virus_lovers) and \$warnvirussender=1 to deliver viruses;
# – use D_REJECT instead of D_BOUNCE if using milter and under heavy
# virus storm;
#
# Don’t bother to set both D_DISCARD and \$warn*sender=1, it will get mapped
# to D_BOUNCE.
#
# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD
# and D_PASS made settings \$warnvirussender and \$warnspamsender only still
# useful with D_PASS.
# The following \$warn*sender settings are ONLY used when mail is
# actually passed to recipients (\$final_*_destiny=D_PASS, or *_lovers*).
# Bounces or rejects produce non-delivery status notification anyway.
# Notify virus sender?
#\$warnvirussender = 1; # (defaults to false (undef))
# Notify spam sender?
#\$warnspamsender = 1; # (defaults to false (undef))
# Notify sender of banned files?
#\$warnbannedsender = 1; # (defaults to false (undef))
# Notify sender of syntactically invalid header containing non-ASCII characters?
#\$warnbadhsender = 1; # (defaults to false (undef))
# Notify virus (or banned files) RECIPIENT?
# (not very useful, but some policies demand it)
#\$warnvirusrecip = 1; # (defaults to false (undef))
#\$warnbannedrecip = 1; # (defaults to false (undef))
# Notify also non-local virus/banned recipients if \$warn*recip is true?
# (including those not matching local_domains*)
#\$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals)
# Treat envelope sender address as unreliable and don’t send sender
# notification / bounces if name(s) of detected virus(es) match the list.
# Note that virus names are supplied by external virus scanner(s) and are
# not standardized, so virus names may need to be adjusted.
# See README.lookups for syntax, check also README.policy-on-notifications
#
\$viruses_that_fake_sender_re = new_RE(
qr’nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar’i,
qr’tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces’i,
qr’dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la’i,
qr’frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown’i,
qr’@mm|@MM’, # mass mailing viruses as labeled by f-prot and uvscan
qr’Worm’i, # worms as labeled by ClamAV, Kaspersky, etc
[qr'^(EICAR|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
[qr/.*/ => 1], # true by default (remove or comment-out if undesired)
);
# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)
# – the administrator address may be a simple fixed e-mail address (a scalar),
# or may depend on the SENDER address (e.g. its domain), in which case
# a ref to a hash table can be specified (specify lower-cased keys,
# dot is a catchall, see README.lookups).
#
# Empty or undef lookup disables virus admin notifications.
# \$virus_admin = undef; # do not send virus admin notifications (default)
# \$virus_admin = {‘not.example.com’ => ”, ‘.’ => ‘virusalert@example.com’};
# \$virus_admin = ‘virus-admin@example.com’;
\$virus_admin = “postmaster\@\$mydomain”; # due to D_DISCARD default
# equivalent to \$virus_admin, but for spam admin notifications:
# \$spam_admin = “spamalert\@\$mydomain”;
# \$spam_admin = undef; # do not send spam admin notifications (default)
# \$spam_admin = {‘not.example.com’ => ”, ‘.’ => ‘spamalert@example.com’};
#advanced example, using a hash lookup table:
#\$virus_admin = {
# ‘baduser@sub1.example.com’ => ‘HisBoss@sub1.example.com’,
# ‘.sub1.example.com’ => ‘virusalert@sub1.example.com’,
# ‘.sub2.example.com’ => ”, # don’t send admin notifications
# ‘a.sub3.example.com’ => ‘abuse@sub3.example.com’,
# ‘.sub3.example.com’ => ‘virusalert@sub3.example.com’,
# ‘.example.com’ => ‘noc@example.com’, # catchall for our virus senders
# ‘.’ => ‘virusalert@hq.example.com’, # catchall for the rest
#};
# whom notification reports are sent from (ENVELOPE SENDER);
# may be a null reverse path, or a fully qualified address:
# (admin and recip sender addresses default to \$mailfrom
# for compatibility, which in turn defaults to undef (empty) )
# If using strings in double quotes, don’t forget to quote @, i.e. \@
#
#\$mailfrom_notify_admin = “virusalert\@\$mydomain”;
#\$mailfrom_notify_recip = “virusalert\@\$mydomain”;
#\$mailfrom_notify_spamadmin = “spam.police\@\$mydomain”;
# ‘From’ HEADER FIELD for sender and admin notifications.
# This should be a replyable address, see rfc1894. Not to be confused
# with \$mailfrom_notify_sender, which is the envelope return address
# and should be empty (null reverse path) according to rfc2821.
#
# The syntax of the ‘From’ header field is specified in rfc2822, section
# ’3.4. Address Specification’. Note in particular that display-name must be
# a quoted-string if it contains any special characters like spaces and dots.
#
# \$hdrfrom_notify_sender = “amavisd-new “;
# \$hdrfrom_notify_sender = ‘amavisd-new ‘;
# \$hdrfrom_notify_sender = ‘”Content-Filter Master” ‘;
# (defaults to: “amavisd-new “)
# \$hdrfrom_notify_admin = \$mailfrom_notify_admin;
# (defaults to: \$mailfrom_notify_admin)
# \$hdrfrom_notify_spamadmin = \$mailfrom_notify_spamadmin;
# (defaults to: \$mailfrom_notify_spamadmin)
# whom quarantined messages appear to be sent from (envelope sender);
# keeps original sender if undef, or set it explicitly, default is undef
\$mailfrom_to_quarantine = ”; # override sender address with null return path
# Location to put infected mail into: (applies to ‘local:’ quarantine method)
# empty for not quarantining, may be a file (mailbox),
# or a directory (no trailing slash)
# (the default value is undef, meaning no quarantine)
#
\$QUARANTINEDIR = ‘/var/lib/amavis/virusmails’;
#\$virus_quarantine_method = “local:virus-%i-%n”; # default
#\$spam_quarantine_method = “local:spam-%b-%i-%n”; # default
#
#use the new ‘bsmtp:’ method as an alternative to the default ‘local:’
#\$virus_quarantine_method = “bsmtp:\$QUARANTINEDIR/virus-%i-%n.bsmtp”;
#\$spam_quarantine_method = “bsmtp:\$QUARANTINEDIR/spam-%b-%i-%n.bsmtp”;
# When using the ‘local:’ quarantine method (default), the following applies:
#
# A finer control of quarantining is available through variable
# \$virus_quarantine_to/\$spam_quarantine_to. It may be a simple scalar string,
# or a ref to a hash lookup table, or a regexp lookup table object,
# which makes possible to set up per-recipient quarantine addresses.
#
# The value of scalar \$virus_quarantine_to/\$spam_quarantine_to (or a
# per-recipient lookup result from the hash table %\$virus_quarantine_to)
# is/are interpreted as follows:
#
# VARIANT 1:
# empty or undef disables quarantine;
#
# VARIANT 2:
# a string NOT containing an ‘@’;
# amavisd will behave as a local delivery agent (LDA) and will quarantine
# viruses to local files according to hash %local_delivery_aliases (pseudo
# aliases map) – see subroutine mail_to_local_mailbox() for details.
# Some of the predefined aliases are ‘virus-quarantine’ and ‘spam-quarantine’.
# Setting \$virus_quarantine_to (\$spam_quarantine_to) to this string will:
#
# * if \$QUARANTINEDIR is a directory, each quarantined virus will go
# to a separate file in the \$QUARANTINEDIR directory (traditional
# amavis style, similar to maildir mailbox format);
#
# * otherwise \$QUARANTINEDIR is treated as a file name of a Unix-style
# mailbox. All quarantined messages will be appended to this file.
# Amavisd child process must obtain an exclusive lock on the file during
# delivery, so this may be less efficient than using individual files
# or forwarding to MTA, and it may not work across NFS or other non-local
# file systems (but may be handy for pickup of quarantined files via IMAP
# for example);
#
# VARIANT 3:
# any email address (must contain ‘@’).
# The e-mail messages to be quarantined will be handed to MTA
# for delivery to the specified address. If a recipient address local to MTA
# is desired, you may leave the domain part empty, e.g. ‘infected@’, but the
# ‘@’ character must nevertheless be included to distinguish it from variant 2.
#
# This method enables more refined delivery control made available by MTA
# (e.g. its aliases file, other local delivery agents, dealing with
# privileges and file locking when delivering to user’s mailbox, nonlocal
# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined
# will not be handed back to amavisd for checking, as this will cause a loop
# (hopefully broken at some stage)! If this can be assured, notifications
# will benefit too from not being unnecessarily virus-scanned.
#
# By default this is safe to do with Postfix and Exim v4 and dual-sendmail
# setup, but probably not safe with sendmail milter interface without
# precaution.
# (the default value is undef, meaning no quarantine)
\$virus_quarantine_to = ‘virus-quarantine’; # traditional local quarantine
#\$virus_quarantine_to = ‘infected@’; # forward to MTA for delivery
#\$virus_quarantine_to = “virus-quarantine\@\$mydomain”; # similar
#\$virus_quarantine_to = ‘virus-quarantine@example.com’; # similar
#\$virus_quarantine_to = undef; # no quarantine
#
#\$virus_quarantine_to = new_RE( # per-recip multiple quarantines
# [qr'^user@example\.com\$'i => 'infected@'],
# [qr'^(.*)@example\.com\$'i => 'virus-\${1}@example.com'],
# [qr'^(.*)(@[^@])?\$’i => ‘virus-\${1}\${2}’],
# [qr/.*/ => 'virus-quarantine'] );
# similar for spam
# (the default value is undef, meaning no quarantine)
#
\$spam_quarantine_to = ‘spam-quarantine’;
#\$spam_quarantine_to = “spam-quarantine\@\$mydomain”;
#\$spam_quarantine_to = new_RE( # per-recip multiple quarantines
# [qr'^(.*)@example\.com\$'i => 'spam-\${1}@example.com'],
# [qr/.*/ => 'spam-quarantine'] );
# In addition to per-recip quarantine, a by-sender lookup is possible. It is
# similar to \$spam_quarantine_to, but the lookup key is the sender address:
#\$spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine
# Add X-Virus-Scanned header field to mail?
\$X_HEADER_TAG = ‘X-Virus-Scanned’; # (default: undef)
# Leave empty to add no header # (default: undef)
\$X_HEADER_LINE = “by \$myversion (Debian) at \$mydomain”;
# a string to prepend to Subject (for local recipients only) if mail could
# not be decoded or checked entirely, e.g. due to password-protected archives
\$undecipherable_subject_tag = ‘***UNCHECKED*** ‘; # undef disables it
\$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
#\$remove_existing_x_scanned_headers= 1; # remove existing headers
# (defaults to false)
#\$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
\$remove_existing_spam_headers = 1; # remove existing spam headers if
# spam scanning is enabled (default)
# set \$bypass_decode_parts to true if you only do spam scanning, or if you
# have a good virus scanner that can deal with compression and recursively
# unpacking archives by itself, and save amavisd the trouble.
# Disabling decoding also causes banned_files checking to only see
# MIME names and MIME content types, not the content classification types
# as provided by the file(1) utility.
# It is a double-edged sword, make sure you know what you are doing!
#
#\$bypass_decode_parts = 1; # (defaults to false)
# don’t trust this file type or corresponding unpacker for this file type,
# keep both the original and the unpacked file for a virus checker to see
# (lookup key is what file(1) utility returned):
#
\$keep_decoded_original_re = new_RE(
# qr’^MAIL\$’, # retain full original message for virus checking (can be slow)
qr’^MAIL-UNDECIPHERABLE\$’, # retain full mail if it contains undecipherables
qr’^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)’i,
# qr’^Zip archive data’,
);
# Checking for banned MIME types and names. If any mail part matches,
# the whole mail is rejected, much like the way viruses are handled.
# A list in object \$banned_filename_re can be defined to provide a list
# of Perl regular expressions to be matched against each part’s:
#
# * Content-Type value (both declared and effective mime-type),
# including the possible security risk content types
# message/partial and message/external-body, as specified by rfc2046;
#
# * declared (i.e. recommended) file names as specified by MIME subfields
# Content-Disposition.filename and Content-Type.name, both in their
# raw (encoded) form and in rfc2047-decoded form if applicable;
#
# * file content type as guessed by ‘file’ utility, both the raw
# result from ‘file’, as well as short type name, classified
# into names such as .asc, .txt, .html, .doc, .jpg, .pdf,
# .zip, .exe, … – see subroutine determine_file_types().
# This step is done only if \$bypass_decode_parts is not true.
#
# * leave \$banned_filename_re undefined to disable these checks
# (giving an empty list to new_RE() will also always return false)
\$banned_filename_re = new_RE(
# qr’^UNDECIPHERABLE\$’, # is or contains any undecipherable components
qr’\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)\$’i, # some double extensions
qr’[{}]‘, # curly braces in names (serve as Class ID extensions – CLSID)
# qr’.\.(exe|vbs|pif|scr|bat|cmd|com)\$’i, # banned extension – basic
# qr’.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
# jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
# vbe|vbs|wsc|wsf|wsh)\$’ix, # banned extension – long
# qr’.\.(mim|b64|bhx|hqx|xxe|uu|uue)\$’i, # banned extension – WinZip vulnerab.
# qr’^\.(zip|lha|tnef|cab)\$’i, # banned file(1) types
# qr’^\.exe\$’i, # banned file(1) types
# qr’^application/x-msdownload\$’i, # banned MIME types
# qr’^application/x-msdos-program\$’i,
qr’^message/partial\$’i, # rfc2046. this one is deadly for Outcrook
# qr’^message/external-body\$’i, # block rfc2046
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
# A little trick: a pattern qr’\.exe\$’ matches both a short type name ‘.exe’,
# as well as any file name which happens to end with .exe. If only matching
# a file name is desired, but not the short name, a pattern qr’.\.exe\$’i
# or similar may be used, which requires that at least one character precedes
# the ‘.exe’, and so it will never match short file types, which always start
# with a dot.
#
# Section V – Per-recipient and per-sender handling, whitelisting, etc.
#
# %virus_lovers, @virus_lovers_acl and \$virus_lovers_re lookup tables:
# (these should be considered policy options, they do not disable checks,
# see bypass*checks for that!)
#
# Exclude certain RECIPIENTS from virus filtering by adding their lower-cased
# envelope e-mail address (or domain only) to the hash %virus_lovers, or to
# the access list @virus_lovers_acl – see README.lookups and examples.
# Make sure the appropriate form (e.g. external/internal) of address
# is used in case of virtual domains, or when mapping external to internal
# addresses, etc. – this is MTA-specific.
#
# Notifications would still be generated however (see the overall
# picture above), and infected mail (if passed) gets additional header:
# X-AMaViS-Alert: INFECTED, message contains virus: …
# (header not inserted with milter interface!)
#
# NOTE (milter interface only): in case of multiple recipients,
# it is only possible to drop or accept the message in its entirety – for all
# recipients. If all of them are virus lovers, we’ll accept mail, but if
# at least one recipient is not a virus lover, we’ll discard the message.
# %bypass_virus_checks, @bypass_virus_checks_acl and \$bypass_virus_checks_re
# lookup tables:
# (this is mainly a time-saving option, unlike virus_lovers* !)
#
# Similar in concept to %virus_lovers, a hash %bypass_virus_checks,
# access list @bypass_virus_checks_acl and regexp list \$bypass_virus_checks_re
# are used to skip entirely the decoding, unpacking and virus checking,
# but only if ALL recipients match the lookup.
#
# %bypass_virus_checks/@bypass_virus_checks_acl/\$bypass_virus_checks_re
# do NOT GUARANTEE the message will NOT be checked for viruses – this may
# still happen when there is more than one recipient for a message, and
# not all of them match these lookup tables. To guarantee virus delivery,
# a recipient must also match %virus_lovers/@virus_lovers_acl lookups
# (but see milter limitations above),
# NOTE: it would not be clever to base virus checks on SENDER address,
# since there are no guarantees that it is genuine. Many viruses
# and spam messages fake sender address. To achieve selective filtering
# based on the source of the mail (e.g. IP address, MTA port number, …),
# use mechanisms provided by MTA if available.
# Similar to lookup tables controlling virus checking, there exist
# spam scanning, banned names/types, and headers_checks control counterparts:
# %spam_lovers, @spam_lovers_acl, \$spam_lovers_re
# %banned_files_lovers, @banned_files_lovers_acl, \$banned_files_lovers_re
# %bad_header_lovers, @bad_header_lovers_acl, \$bad_header_lovers_re
# and:
# %bypass_spam_checks/@bypass_spam_checks_acl/\$bypass_spam_checks_re
# %bypass_banned_checks/@bypass_banned_checks_acl/\$bypass_banned_checks_re
# %bypass_header_checks/@bypass_header_checks_acl/\$bypass_header_checks_re
# See README.lookups for details about the syntax.
# The following example disables spam checking altogether,
# since it matches any recipient e-mail address (any address
# is a subdomain of the top-level root DNS domain):
# @bypass_spam_checks_acl = qw( . );
# @bypass_header_checks_acl = qw( user@example.com );
# @bad_header_lovers_acl = qw( user@example.com );
# See README.lookups for further detail, and examples below.
# \$virus_lovers{lc(“postmaster\@\$mydomain”)} = 1;
# \$virus_lovers{lc(‘postmaster@example.com’)} = 1;
# \$virus_lovers{lc(‘abuse@example.com’)} = 1;
# \$virus_lovers{lc(‘some.user@’)} = 1; # this recipient, regardless of domain
# \$virus_lovers{lc(‘boss@example.com’)} = 0; # never, even if domain matches
# \$virus_lovers{lc(‘example.com’)} = 1; # this domain, but not its subdomains
# \$virus_lovers{lc(‘.example.com’)}= 1; # this domain, including its subdomains
#or:
# @virus_lovers_acl = qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org );
#
# \$bypass_virus_checks{lc(‘some.user2@butnot.example.com’)} = 1;
# @bypass_virus_checks_acl = qw( some.ddd !butnot.example.com .example.com );
# @virus_lovers_acl = qw( postmaster@example.com );
# \$virus_lovers_re = new_RE( qr’^(helpdesk|postmaster)@example\.com\$’i );
# \$spam_lovers{lc(“postmaster\@\$mydomain”)} = 1;
# \$spam_lovers{lc(‘postmaster@example.com’)} = 1;
# \$spam_lovers{lc(‘abuse@example.com’)} = 1;
# @spam_lovers_acl = qw( !.example.com );
# \$spam_lovers_re = new_RE( qr’^user@example\.com\$’i );
# don’t run spam check for these RECIPIENT domains:
# @bypass_spam_checks_acl = qw( d1.com .d2.com a.d3.com );
# or the other way around (bypass check for all BUT these):
# @bypass_spam_checks_acl = qw( !d1.com !.d2.com !a.d3.com . );
# a practical application: don’t check outgoing mail for spam:
# @bypass_spam_checks_acl = ( “!.\$mydomain”, “.” );
# (a downside of which is that such mail will not count as ham in SA bayes db)
# Where to find SQL server(s) and database to support SQL lookups?
# A list of triples: (dsn,user,passw). (dsn = data source name)
# More than one entry may be specified for multiple (backup) SQL servers.
# See ‘man DBI’, ‘man DBD::mysql’, ‘man DBD::Pg’, … for details.
# When chroot-ed, accessing SQL server over inet socket may be more convenient.
#
# @lookup_sql_dsn =
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'] );
#
# (‘mail’ in the example is the database name, choose what you like)
# With PostgreSQL the dsn (first element of the triple) may look like:
# ‘DBI:Pg:host=host1;dbname=mail’
# The SQL select clause to fetch per-recipient policy settings.
# The %k will be replaced by a comma-separated list of query addresses
# (e.g. full address, domain only, catchall). Use ORDER, if there
# is a chance that multiple records will match – the first match wins.
# If field names are not unique (e.g. ‘id’), the later field overwrites the
# earlier in a hash returned by lookup, which is why we use ‘*,users.id’.
# \$sql_select_policy = ‘SELECT *,users.id FROM users,policy’.
# ‘ WHERE (users.policy_id=policy.id) AND (users.email IN (%k))’.
# ‘ ORDER BY users.priority DESC’;
#
# The SQL select clause to check sender in per-recipient whitelist/blacklist
# The first SELECT argument ‘?’ will be users.id from recipient SQL lookup,
# the %k will be sender addresses (e.g. full address, domain only, catchall).
# \$sql_select_white_black_list = ‘SELECT wb FROM wblist,mailaddr’.
# ‘ WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)’.
# ‘ AND (mailaddr.email IN (%k))’.
# ‘ ORDER BY mailaddr.priority DESC’;
\$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
# If you decide to pass viruses (or spam) to certain recipients using the
# above lookup tables or using \$final_virus_destiny=D_PASS, you can set
# the variable \$addr_extension_virus (\$addr_extension_spam) to some
# string, and the recipient address will have this string appended
# as an address extension to the local-part of the address. This extension
# can be used by final local delivery agent to place such mail in different
# folders. Leave these two variables undefined or empty strings to prevent
# appending address extensions. Setting has no effect on recipient which will
# not be receiving viruses/spam. Recipients who do not match lookup tables
# local_domains* are not affected.
#
# LDAs usually default to stripping away address extension if no special
# handling is specified, so having this option enabled normally does no harm,
# provided the \$recipients_delimiter matches the setting on the final
# MTA’s LDA.
# \$addr_extension_virus = ‘virus’; # (default is undef, same as empty)
# \$addr_extension_spam = ‘spam’; # (default is undef, same as empty)
# \$addr_extension_banned = ‘banned’; # (default is undef, same as empty)
# Delimiter between local part of the recipient address and address extension
# (which can optionally be added, see variables \$addr_extension_virus and
# \$addr_extension_spam). E.g. recipient address gets changed
# to .
#
# Delimiter should match equivalent (final) MTA delimiter setting.
# (e.g. for Postfix add ‘recipient_delimiter = +’ to main.cf)
# Setting it to an empty string or to undef disables this feature
# regardless of \$addr_extension_virus and \$addr_extension_spam settings.
\$recipient_delimiter = ‘+’; # (default is ‘+’)
# true: replace extension; false: append extension
\$replace_existing_extension = 1; # (default is false)
# Affects matching of localpart of e-mail addresses (left of ‘@’)
# in lookups: true = case sensitive, false = case insensitive
\$localpart_is_case_sensitive = 0; # (default is false)
# ENVELOPE SENDER WHITELISTING / BLACKLISTING – GLOBAL (RECIPIENT-INDEPENDENT)
# (affects spam checking only, has no effect on virus and other checks)
# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
# senders even if the message would be recognized as spam. Effectively, for
# the specified senders, message recipients temporarily become ‘spam_lovers’.
# To avoid surprises, whitelisted sender also suppresses inserting/editing
# the tag2-level header fields (X-Spam-*, Subject), appending spam address
# extension, and quarantining.
# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
# Effectively, for messages from blacklisted senders, spam level
# is artificially pushed high, and the normal spam processing applies,
# resulting in ‘X-Spam-Flag: YES’, high ‘X-Spam-Level’ bar and other usual
# reactions to spam, including possible rejection. If the message nevertheless
# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
# in the ‘X-Spam-Status’ header field, but the reported spam value and
# set of tests in this report header field (if available from SpamAssassin,
# which may have not been called) is not adjusted.
#
# A sender may be both white- and blacklisted at the same time, settings
# are independent. For example, being both white- and blacklisted, message
# is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No;
# X-Spam-Status: No, …), but the reported spam level (if computed) may
# still indicate high spam score.
#
# If ALL recipients of the message either white- or blacklist the sender,
# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
#
# The following variables (lookup tables) are available, with the semantics
# and syntax as specified in README.lookups:
#
# %whitelist_sender, @whitelist_sender_acl, \$whitelist_sender_re
# %blacklist_sender, @blacklist_sender_acl, \$blacklist_sender_re
# SOME EXAMPLES:
#
#ACL:
# @whitelist_sender_acl = qw( .example.com );
#
# @whitelist_sender_acl = ( “.\$mydomain” ); # \$mydomain and its subdomains
# NOTE: This is not a reliable way of turning off spam checks for
# locally-originating mail, as sender address can easily be faked.
# To reliably avoid spam-scanning outgoing mail,
# use @bypass_spam_checks_acl .
#RE:
# \$whitelist_sender_re = new_RE(
# qr’^postmaster@.*\bexample\.com\$’i,
# qr’owner-[^@]*@’i, qr’-request@’i,
# qr’\.example\.com\$’i );
#
\$blacklist_sender_re = new_RE(
qr’^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@’i,
qr’^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@’i,
qr’^(new\.tld\.registry|opt-out|opt-in|optin|saveonl|smoking2002k)@’i,
qr’^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@’i,
qr’^(workathome|yesitsfree|your_friend|greatoffers)@’i,
qr’^(inkjetplanet|marketopt|MakeMoney)\d*@’i,
);
#HASH lookup variant:
# NOTE: Perl operator qw splits its argument string by whitespace
# and produces a list. This means that addresses can not contain
# whitespace, and there is no provision for comments within the string.
# You can use the normal Perl list syntax if you have special requirements,
# e.g. map {…} (‘one user@bla’, ‘.second.com’), or use read_hash to read
# addresses from a file.
#
# a hash lookup table can be read from a file,
# one address per line, comments and empty lines are permitted:
#
# read_hash(\%whitelist_sender, ‘/var/amavis/whitelist_sender’);
# … or set directly:
map { \$whitelist_sender{lc(\$_)}=1 } (qw(
nobody@cert.org
owner-alert@iss.net
slashdot@slashdot.org
bugtraq@securityfocus.com
NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
security-alerts@linuxsecurity.com
amavis-user-admin@lists.sourceforge.net
razor-users-admin@lists.sourceforge.net
notification-return@lists.sophos.com
mailman-announce-admin@python.org
zope-announce-admin@zope.org
owner-postfix-users@postfix.org
owner-postfix-announce@postfix.org
owner-sendmail-announce@lists.sendmail.org
sendmail-announce-request@lists.sendmail.org
ca+envelope@sendmail.org
owner-technews@postel.ACM.ORG
lvs-users-admin@LinuxVirtualServer.org
ietf-123-owner@loki.ietf.org
cvs-commits-list-admin@gnome.org
rt-users-admin@lists.fsck.com
owner-announce@mnogosearch.org
owner-hackers@ntp.org
owner-bugs@ntp.org
clp-request@comp.nus.edu.sg
surveys-errors@lists.nua.ie
emailNews@genomeweb.com
owner-textbreakingnews@CNNIMAIL12.CNN.COM
yahoo-dev-null@yahoo-inc.com
));
# ENVELOPE SENDER WHITELISTING / BLACKLISTING – PER-RECIPIENT
# The same semantics as for global white/blacklisting applies, but this
# time each recipient (or its domain, or subdomain, …) can be given
# an individual lookup table for matching senders. The per-recipient lookups
# override the global lookups, which serve as a fallback default.
# Specify a two-level lookup table: the key for the outer table is recipient,
# and the result should be an inner lookup table (hash or ACL or RE),
# where the key used will be the sender.
#
#\$per_recip_blacklist_sender_lookup_tables = {
# ‘user1@my.example.com’=>new_RE(qr’^(inkjetplanet|marketopt|MakeMoney)\d*@’i),
# ‘user2@my.example.com’=>[qw( spammer@d1.example,org .d2.example,org )],
#};
#\$per_recip_whitelist_sender_lookup_tables = {
# ‘user@my.example.com’ => [qw( friend@example.org .other.example.org )],
# ‘.my1.example.com’ => [qw( !foe.other.example,org .other.example,org )],
# ‘.my2.example.com’ => read_hash(‘/var/amavis/my2-wl.dat’),
# ‘abuse@’ => { ‘postmaster@’=>1,
# ‘cert-advisory-owner@cert.org’=>1, ‘owner-alert@iss.net’=>1 },
#};
#
# Section VI – Resource limits
#
# Sanity limit to the number of allowed recipients per SMTP transaction
# \$smtpd_recipient_limit = 1000; # (default is 1000)
# Resource limits to protect unpackers, decompressors and virus scanners
# against mail bombs (e.g. 42.zip)
# Maximum recursion level for extraction/decoding (0 or undef disables limit)
\$MAXLEVELS = 14; # (default is undef, no limit)
# Maximum number of extracted files (0 or undef disables the limit)
\$MAXFILES = 1500; # (default is undef, no limit)
# For the cumulative total of all decoded mail parts we set max storage size
# to defend against mail bombs. Even though parts may be deleted (replaced
# by decoded text) during decoding, the size they occupied is _not_ returned
# to the quota pool.
#
# Parameters to storage quota formula for unpacking/decoding/decompressing
# Formula:
# quota = max(\$MIN_EXPANSION_QUOTA,
# \$mail_size*\$MIN_EXPANSION_FACTOR,
# min(\$MAX_EXPANSION_QUOTA, \$mail_size*\$MAX_EXPANSION_FACTOR))
# In plain words (later condition overrules previous ones):
# allow MAX_EXPANSION_FACTOR times initial mail size,
# but not more than MAX_EXPANSION_QUOTA,
# but not less than MIN_EXPANSION_FACTOR times initial mail size,
# but never less than MIN_EXPANSION_QUOTA
#
\$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
\$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
\$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
\$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
#
# Section VII – External programs, virus scanners
#
# Specify a path string, which is a colon-separated string of directories
# (no trailing slashes!) to be assigned to the environment variable PATH
# and to serve for locating external programs below.
# NOTE: if \$daemon_chroot_dir is nonempty, the directories will be
# relative to the chroot directory specified;
\$path = ‘/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin’;
# Specify one string or a search list of strings (first match wins).
# The string (or: each string in a list) may be an absolute path,
# or just a program name, to be located via \$path;
# Empty string or undef (=default) disables the use of that external program.
# Optionally command arguments may be specified – only the first substring
# up to the whitespace is used for file searching.
\$file = ‘file’; # file(1) utility; use 3.41 or later to avoid vulnerability
\$gzip = ‘gzip’;
\$bzip2 = ‘bzip2′;
\$lzop = ‘lzop’;
\$uncompress = ['uncompress', 'gzip -d', 'zcat'];
\$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
\$arc = ['nomarch', 'arc'];
\$unarj = ['arj', 'unarj']; # both can extract, arj is recommended
\$unrar = ['rar', 'unrar']; # both can extract, same options
\$zoo = ‘zoo’;
\$lha = ‘lha’;
\$cpio = ‘cpio’; # comment out if cpio does not support GNU options
# SpamAssassin settings
# \$sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
# of the option local_tests_only. See Mail::SpamAssassin man page.
# If set to 1, SA tests are restricted to local tests only, i.e. no tests
# that require internet access will be performed.
#
\$sa_local_tests_only = 1; # (default: false)
#\$sa_auto_whitelist = 1; # turn on AWL (default: false)
# Timeout for SpamAssassin. This is only used if spamassassin does NOT
# override it (which it often does if sa_local_tests_only is not true)
\$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin
# (default is 30 seconds, undef disables it)
# AWL (auto whitelisting), requires spamassassin 2.44 or better
# \$sa_auto_whitelist = 1; # defaults to undef
\$sa_mail_body_size_limit = 150*1024; # don’t waste time on SA if mail is larger
# (less than 1% of spam is > 64k)
# default: undef, no limitations
# default values, can be overridden by more specific lookups, e.g. SQL
\$sa_tag_level_deflt = 4.0; # add spam info headers if at, or above that level
\$sa_tag2_level_deflt = 6.3; # add ‘spam detected’ headers at that level
\$sa_kill_level_deflt = \$sa_tag2_level_deflt; # triggers spam evasive actions
# at or above that level: bounce/reject/drop,
# quarantine, and adding mail address extension
\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
# effectively turning D_BOUNCE into D_DISCARD;
# undef disables this feature and is a default;
#
# The \$sa_tag_level_deflt, \$sa_tag2_level_deflt and \$sa_kill_level_deflt
# may also be hashrefs to hash lookup tables, to make static per-recipient
# settings possible without having to resort to SQL or LDAP lookups.
# a quick reference:
# tag_level controls adding the X-Spam-Status and X-Spam-Level headers,
# tag2_level controls adding ‘X-Spam-Flag: YES’, and editing Subject,
# kill_level controls ‘evasive actions’ (reject, quarantine, extensions);
# it only makes sense to maintain the relationship:
# tag_level ]*>clean/,
# qr/(?i)]*>infected/,
# qr/(?i)(.+)/ ],
['KasperskyLab AVP - aveclient',
['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
'/opt/kav/bin/aveclient','aveclient'],
‘-p /var/run/aveserver -s {}/*’, [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
qr/(?:INFECTED|SUSPICION) (.+)/,
],
['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
‘-* -P -B -Y -O- {}’, [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
qr/infected: (.+)/,
sub {chdir(‘/opt/AVP’) or die “Can’t chdir to AVP: \$!”},
sub {chdir(\$TEMPBASE) or die “Can’t chdir back to \$TEMPBASE \$!”},
],
### The kavdaemon and AVPDaemonClient have been removed from Kaspersky
### products and replaced by aveserver and aveclient
['KasperskyLab AVPDaemonClient',
[ '/opt/AVP/kavdaemon', 'kavdaemon',
'/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
'/opt/AVP/AvpTeamDream', 'AvpTeamDream',
'/opt/AVP/avpdc', 'avpdc' ],
“-f=\$TEMPBASE {}”, [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
qr/infected: ([^\r\n]+)/ ],
# change the startup-script in /etc/init.d/kavd to:
# DPARMS=”-* -Y -dl -f=/var/amavis /var/amavis”
# (or perhaps: DPARMS=”-I0 -Y -* /var/amavis” )
# adjusting /var/amavis above to match your \$TEMPBASE.
# The ‘-f=/var/amavis’ is needed if not running it as root, so it
# can find, read, and write its pid file, etc., see ‘man kavdaemon’.
# defUnix.prf: there must be an entry “*/var/amavis” (or whatever
# directory \$TEMPBASE specifies) in the ‘Names=’ section.
# cd /opt/AVP/DaemonClients; configure; cd Sample; make
# cp AvpDaemonClient /opt/AVP/
# su – vscan -c “\${PREFIX}/kavdaemon \${DPARMS}”
### http://www.hbedv.com/ or http://www.centralcommand.com/
['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
['antivir','vexira'],
‘–allfiles -noboot -nombr -rs -s -z {}’, [0], qr/ALERT:|VIRUS:/,
qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ‘ ) |
(?i) VIRUS:\ .*?\ virus\ ‘?) ( [^\]\s’]+ )/ ],
# NOTE: if you only have a demo version, remove -z and add 214, as in:
# ‘–allfiles -noboot -nombr -rs -s {}’, [0,214], qr/ALERT:|VIRUS:/,
### http://www.commandsoftware.com/
['Command AntiVirus for Linux', 'csav',
'-all -archive -packed {}', [50], [51,52,53],
qr/Infection: (.+)/ ],
### http://www.symantec.com/
['Symantec CarrierScan via Symantec CommandLineScanner',
'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
qr/^Files Infected:\s+0\$/, qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],
### http://www.symantec.com/
['Symantec AntiVirus Scan Engine',
'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
[0], qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],
# NOTE: check options and patterns to see which entry better applies
### http://www.sald.com/, http://drweb.imshop.de/
['drweb - DrWeb Antivirus',
['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
‘-path={} -al -go -ot -cn -upn -ok-’,
[0,32], [1,33], qr’ infected (?:with|by)(?: virus)? (.*)\$’],
# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
# [pack('N',1). # DRWEBD_SCAN_CMD
# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
# pack('N', # path length
# length("\$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/part-xxxxx")).
# '{}/*'. # path
# pack('N',0). # content size
# pack('N',0),
# '/var/drweb/run/drwebd.sock',
# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot
# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
# # '127.0.0.1:3000', # or over an inet socket
# ],
# qr/\A\x00(\x10|\x11)\x00\x00/s, # IS_CLEAN, EVAL_KEY
# qr/\A\x00(\x00|\x01)\x00(\x20|\x40|\x80)/s, # KNOWN_V, UNKNOWN_V, V._MODIF
# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s,
# ],
# # NOTE: If you are using amavis-milter, change length to:
# # length(“\$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/part-xxxxx”).
### http://www.f-secure.com/products/anti-virus/
['F-Secure Antivirus', 'fsav',
'--dumb --mime --archive {}', [0], [3,8],
qr/(?:infection|Infected|Suspected): (.+)/ ],
['CAI InoculateIT', 'inocucmd',
'-sec -nex {}', [0], [100],
qr/was infected by virus (.+)/ ],
['MkS_Vir for Linux (beta)', ['mks32','mks'],
‘-s {}/*’, [0], [1,2], # any use for options: -a -c ?
qr/–[ \t]*(.+)/ ],
### http://www.nod32.com/
['ESET Software NOD32', 'nod32',
'-all -subdir+ {}', [0], [1,2],
qr/^.+? – (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
### http://www.nod32.com/
['ESET Software NOD32 - Client/Server Version', 'nod32cli',
'-a -r -d recurse --heur standard {}', [0], [10,11],
qr/^\S+\s+infected:\s+(.+)/ ],
### http://www.norman.com/products_nvc.shtml
['Norman Virus Control v5 / Linux', 'nvcc',
'-c -l:0 -s -u {}', [0], [1],
qr/(?i).* virus in .* -> \’(.+)\’/ ],
### http://www.pandasoftware.com/
['Panda Antivirus for Linux', ['pavcl'],
‘-aut -aex -heu -cmp -nbr -nor -nso -eng {}’,
qr/Number of files infected[ .]*: 0(?!\d)/,
qr/Number of files infected[ .]*: 0*[1-9]/,
qr/Found virus :\s*(\S+)/ ],
# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
# Check your RAV license terms before fiddling with the following two lines!
# ['GeCAD RAV AntiVirus 8', 'ravav',
# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
# # NOTE: the command line switches changed with scan engine 8.5 !
# # (btw, assigning stdin to /dev/null causes RAV to fail)
### http://www.nai.com/
['NAI McAfee AntiVirus (uvscan)', 'uvscan',
'--secure -rv --mime --summary --noboot - {}', [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/,
# sub {\$ENV{LD_PRELOAD}=’/lib/libc.so.6′},
# sub {delete \$ENV{LD_PRELOAD}},
],
# NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
# anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
# and then clear it when finished to avoid confusing anything else.
# NOTE2: to treat encrypted files as viruses replace the [13] with:
# qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
### http://www.virusbuster.hu/en/
['VirusBuster', ['vbuster', 'vbengcl'],
# VirusBuster Ltd. does not support the daemon version for the workstation
# engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
# binaries, some parameters AND return codes (from 3 to 1) changed.
“{} -ss -i ‘*’ -log=\$MYHOME/vbuster.log”, [0], [1],
qr/: ‘(.*)’ – Virus/ ],
# ### http://www.virusbuster.hu/en/
# ['VirusBuster (Client + Daemon)', 'vbengd',
# # HINT: for an infected file it returns always 3,
# # although the man-page tells a different story
# '-f -log scandir {}', [0], [3],
# qr/Virus found = (.*);/ ],
### http://www.cyber.com/
['CyberSoft VFind', 'vfind',
'--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
# sub {\$ENV{VSTK_HOME}=’/usr/lib/vstk’},
],
### http://www.ikarus-software.com/
['Ikarus AntiVirus for Linux', 'ikarus',
'{}', [0], [40], qr/Signature (.+) found/ ],
### http://www.bitdefender.com/
['BitDefender', 'bdc',
'--all --arc --mail {}', qr/^Infected files *:0(?!\d)/,
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
qr/(?:suspected|infected): (.*)(?:33|\$)/ ],
### F-Prot http://www.f-prot.com
['FRISK F-Prot Antivirus', ['f-prot','/usr/lib/f-prot/f-prot.sh'],
‘-dumb -archive -packed {}’, [0,8], [3,6],
qr/Infection: (.+)|\s+contains\s+(.+)\$/ ],
);
# If no virus scanner from the @av_scanners list produces either a ‘clean’
# or an ‘infected’ status (e.g. they all fail to run or the list is empty),
# then _all_ scanners from the @av_scanners_backup list are tried.
# When there are both daemonized and command-line scanners available,
# it is customary to place slower command-line scanners in the
# @av_scanners_backup list. The default choice is somewhat arbitrary,
# move entries from one list to another as desired.
@av_scanners_backup = (
### http://www.clamav.net/
['Clam Antivirus - clamscan', 'clamscan',
"--stdout --no-summary -r --tempdir=\$TEMPBASE {}", [0], [1],
qr/^.*?: (?!Infected Archive)(.*) FOUND\$/ ],
### http://www.f-prot.com/
['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
‘-dumb -archive -packed {}’, [0,8], [3,6],
qr/Infection: (.+)/ ],
### http://www.trendmicro.com/
['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
‘-za -a {}’, [0], qr/Found virus/, qr/Found virus (.+) in/ ],
['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
‘-i1 -xp {}’, [0,10,15], [5,20,21,25],
qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
sub {chdir(‘/opt/kav/bin’) or die “Can’t chdir to kav: \$!”},
sub {chdir(\$TEMPBASE) or die “Can’t chdir back to \$TEMPBASE \$!”},
],
# Commented out because the name 'sweep' clashes with the Debian package of
# the same name. Make sure the correct sweep is found in the path when enabling.
#
# ### http://www.sophos.com/
# ['Sophos Anti Virus (sweep)', 'sweep',
# '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}',
# [0,2], qr/Virus .*? found/,
# qr/^>>> Virus(?: fragment)? ‘?(.*?)’? found/,
# ],
# # other options to consider: -mime -oe -idedir=/usr/local/sav
# always succeeds (uncomment to consider mail clean if all other scanners fail)
# ['always-clean', sub {0}],
);
#
# Section VIII - Debugging
#
# The most useful debugging tool is to run amavisd-new non-detached
# from a terminal window:
# amavisd debug
# Some more refined approaches:
# If sender matches ACL, turn log level fully up, just for this one message,
# and preserve temporary directory
#@debug_sender_acl = ( “test-sender\@\$mydomain” );
#@debug_sender_acl = qw( debug@example.com );
# May be useful along with @debug_sender_acl:
# Prevent all decoded originals being deleted (replaced by decoded part)
#\$keep_decoded_original_re = new_RE( qr/.*/ );
# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
#\$sa_debug = 1; # defaults to false
#-------------
1; # insure a defined return
EOF
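# Restart amavis so it reads the /etc/amavis/amavisd.conf written just above.
# (The original line used "\m", which is not an escape and printed literally.)
printf 'Re-iniciando o amavis\n\n'
# A restart that fails (typically a syntax error in the freshly written
# config) leaves amavis down, so mail may go unscanned or stay queued until
# someone notices. Report it on stderr rather than moving on silently; the
# script still continues so the user gets the syslog excerpt below.
if ! /etc/init.d/amavis restart; then
  printf 'AVISO: a reinicialização do amavis falhou; verifique /etc/amavis/amavisd.conf e /var/log/syslog\n' >&2
fi
# Show the tail of the syslog so a startup error is visible right away.
tail -n 10 /var/log/syslog
printf '\n'
printf '%s\n' \
  'Pronto, seu Clamav {http://www.clamav.net/} foi atualizado e adicionamos o Anti-Vírus F-Prot ' \
  '{http://www.f-prot.com.pt/} para melhor proteção'
printf '\n'
printf '%s\n' 'O seguinte conteudo foi adicionado ao seu /etc/amavis/amavisd.conf:'
# Echo the exact scanner entry that was appended to amavisd.conf. A quoted
# heredoc prints it verbatim, so no backslash/dollar escaping is needed.
cat <<'SNIPPET'

### F-Prot http://www.f-prot.com
['FRISK F-Prot Antivirus', ['f-prot','/usr/lib/f-prot/f-prot.sh'],
'-dumb -archive -packed {}', [0,8], [3,6],
qr/Infection: (.+)|\s+contains\s+(.+)$/ ],

SNIPPET
printf '%s\n' \
  'Para instalar outros software adicionais e melhorar a segurança do sistema,' \
  'recomendamos dar uma olhada em http://www.howtoforge.com/postfix_amavisd_antispam'
printf '\n'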