AbcLinuxu portal, 25 December 2025 08:54
ClamAV catches viruses as it should, but SA couldn't care less about me... In the mails I have these headers:
X-Virus-Scanned: amavisd-new at lion.sk
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 required=4 tests=[none]
Roughly it looks like this; this is a piece of /var/log/amavisd.log in debug mode:
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) ESMTP::10024 /var/spool/amavis/tmp/amavis-20070612T164547-11112: some@mail -> some@mail SIZE=4213 Received: from mail ([127.0.0.1]) by localhost (mail [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for some@mail; Tue, 12 Jun 2007 17:14:30 +0200 (CEST)
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) body hash: d38541a0426add93ae9d33c7db6c4484
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) Checking: Al1Wntwnzlfn [217.118.96.202] some@mail -> some@mail
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) p001 1 Content-Type: text/plain, size: 1328 B, name:
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) Checking for banned types and filenames
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) collect banned table[0]: bdf@lion.sk, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x8cda31c)
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) p.path some@mail: "P=p001,L=1,M=text/plain,T=txt"
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) Using ClamAV-clamd: (built-in interface)
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) Using (ClamAV-clamd) on dir: CONTSCAN /var/spool/amavis/tmp/amavis-20070612T164547-11112/parts\n
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) ClamAV-clamd: Connecting to socket /var/run/clamav/clamd.sock
Jun 12 17:14:30 mail /usr/sbin/amavisd[11112]: (11112-05) ClamAV-clamd: Sending CONTSCAN /var/spool/amavis/tmp/amavis-20070612T164547-11112/parts\n to UNIX socket /var/run/clamav/clamd.sock
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) ask_av (ClamAV-clamd): /var/spool/amavis/tmp/amavis-20070612T164547-11112/parts CLEAN
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) ClamAV-clamd result: clean
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) spam_scan: score=0 tests=[none]
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) do_notify_and_quarantine: ccat=Clean, (1,0)
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) AUTH not needed, user='', MTA offers ''
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) response to RCPT TO for some@mail: "250 Ok"
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) FWD via SMTP: some@mail -> some@mail, 250 2.6.0 Ok, id=11112-05, from MTA([127.0.0.1]:10025): 250 Ok: queued as 2CD78280034
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) Passed CLEAN, [217.118.96.202] [62.168.208.129] some@mail -> some@mail, Message-ID: <20070612150922.16CCFCBA65@blablabla>, mail_id: Al1Wntwnzlfn, Hits: 0., queued_as: 2CD78280034, 397 ms
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) TIMING [total 401 ms] - SMTP EHLO: 2 (1%)1, SMTP pre-MAIL: 1 (0%)1, SMTP pre-DATA-flush: 2 (1%)1, SMTP DATA: 78 (19%)21, body_digest: 1 (0%)21, gen_mail_id: 0 (0%)21, mime_decode: 7 (2%)23, get-file-type1: 8 (2%)25, parts_decode: 0 (0%)25, AV-scan-1: 9 (2%)27, spam-wb-list: 2 (0%)28, SA msg read: 1 (0%)28, SA parse: 3 (1%)29, SA check: 145 (36%)65, SA finish: 1 (0%)65, update_cache: 1 (0%)65, decide_mail_destiny: 1 (0%)65, fwd-connect: 22 (5%)71, fwd-mail-from: 2 (1%)71, fwd-rcpt-to: 3 (1%)72, fwd-data-cmd: 1 (0%)72, write-header: 1 (0%)72, fwd-data-contents: 1 (0%)73, fwd-data-end: 98 (24%)97, fwd-rundown: 1 (0%)97, prepare-dsn: 0 (0%)97, main_log_entry: 8 (2%)99, update_snmp: 1 (0%)100, unlink-1-files: 1 (0%)100, rundown: 0 (0%)100
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) load: 0 %, total idle 1721.243 s, busy 2.197 s
master.cf:
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_etrn_restrictions=reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
bigandslow unix -       -       n       -       -       smtp
  -o smtp_connect_timeout=20
relay     unix  -       -       n       -       -       smtp
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
scache    unix  -       -       n       -       1       scache
discard   unix  -       -       n       -       -       discard
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_bind_address=127.0.0.1
a piece of main.cf:
... content_filter = amavis:[127.0.0.1]:10024 ...
local.cf:
# Add *****SPAM***** to the Subject header of spam e-mails
# rewrite_header Subject *****SPAM*****
# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
# report_safe 1
# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 10. 127.
# Set file-locking method (flock is not safe over NFS, but is faster)
# lock_method flock
# Set the threshold at which a message is considered spam (default: 5.0)
# required_score 4.0
# Use Bayesian classifier (default: 1)
# use_bayes 1
# Bayesian classifier auto-learning (default: 1)
# bayes_auto_learn 1
Thanks in advance to everyone for the help.
amavisd.conf. The error will be in there.
use strict;
$MYHOME = '/var/spool/amavis'; # (default is '/var/spool/amavis')
$mydomain = 'lion.sk'; # (no useful default)
$myhostname = 'mail.lion.sk'; # fqdn of this host, default by uname(3)
$daemon_user = 'amavis'; # (no default; customary: vscan or amavis)
$daemon_group = 'amavis'; # (no default; customary: vscan or amavis or sweep)
$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/spool/amavis clean?
$db_home = "$MYHOME/db"; # DB databases directory, default "$MYHOME/db"
$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$forward_method = 'smtp:[127.0.0.1]:10025'; # where to forward checked mail
$notify_method = $forward_method; # where to submit notifications
$max_servers = 2; # number of pre-forked children (default 2)
$max_requests = 20; # retire a child after that many accepts (default 10)
$child_timeout=5*60; # abort child if it does not complete each task in
@local_domains_maps = ( [".$mydomain", "teleperformance.sk", "lion.sk"] ); # $mydomain and its subdomains
$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
$inet_socket_port = 10024; # accept SMTP on this local TCP port
@inet_acl = qw( 127.0.0.1 ::1 ); # allow SMTP access only from localhost IP
$DO_SYSLOG = 0; # (defaults to false)
$SYSLOG_LEVEL = 'daemon.debug'; # (facility.priority, default 'mail.info')
$LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log)
$log_level = 5; # (defaults to 0)
$log_recip_templ = undef; # undef disables by-recipient level-0 log entries
$final_virus_destiny = D_DISCARD; # (defaults to D_DISCARD)
$final_banned_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_spam_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
@viruses_that_fake_sender_maps = (new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
[qr'^(EICAR|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
[qr/.*/ => 1], # true by default (remove or comment-out if undesired)
));
$virus_admin = 'suvakin@teleperformance.sk';
$spam_admin = "suvakin\@teleperformance.sk";
$mailfrom_notify_admin = "virusalert\@$mydomain";
$mailfrom_notify_recip = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
$mailfrom_to_quarantine = ''; # override sender address with null return path
$QUARANTINEDIR = '/var/spool/amavis/virusmails';
$virus_quarantine_method = 'local:virus/virus-%i-%n';
$spam_quarantine_method = 'local:spam/spam-%b-%i-%n';
$banned_files_quarantine_method = 'local:banned/banned-%i-%n';
$bad_header_quarantine_method = 'local:badh/badh-%i-%n';
$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: 'X-Virus-Scanned')
$X_HEADER_LINE = "$myproduct_name at $mydomain";
$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
$remove_existing_spam_headers = 1; # remove existing spam headers if
@keep_decoded_original_maps = (new_RE(
qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
$banned_filename_re = new_RE(
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any type in Unix archives
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|hlp|hta|inf|ins|isp|
js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|ops|pcd|pif|prg|
reg|scr|sct|shb|shs|vb|vbe|vbs|wsc|wsf|wsh)$'ix, # banned ext - long
qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
qr'^\.(exe-ms)$', # banned file(1) types
);
$banned_namepath_re = new_RE(
qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi,
qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi,
[ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ], # allow
qr'(?# BLOCK DOUBLE-EXTENSIONS )
^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* \.
(exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,
qr'(?# BLOCK COMMON NAME EXENSIONS )
^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,
[ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi
=> 'DISCARD' ],
qr'(?# BLOCK Microsoft EXECUTABLES )
^ (.*\t)? T=exe-ms (\t.*)? $'xm, # banned file(1) type
);
$banned_namepath_re = undef; # to disable new-style
$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
$localpart_is_case_sensitive = 0; # (default is false)
@score_sender_maps = ({ # a by-recipient hash lookup table
'.' => [ # the _first_ matching sender determines the score boost
new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
),
{ # a hash-type lookup table (associative array)
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'bugtraq@securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
'mailman-announce-admin@python.org' => -3.0,
'amavis-user-admin@lists.sourceforge.net'=> -3.0,
'notification-return@lists.sophos.com' => -3.0,
'owner-postfix-users@postfix.org' => -3.0,
'owner-postfix-announce@postfix.org' => -3.0,
'owner-sendmail-announce@lists.sendmail.org' => -3.0,
'sendmail-announce-request@lists.sendmail.org' => -3.0,
'donotreply@sendmail.org' => -3.0,
'ca+envelope@sendmail.org' => -3.0,
'noreply@freshmeat.net' => -3.0,
'owner-technews@postel.acm.org' => -3.0,
'ietf-123-owner@loki.ietf.org' => -3.0,
'cvs-commits-list-admin@gnome.org' => -3.0,
'rt-users-admin@lists.fsck.com' => -3.0,
'clp-request@comp.nus.edu.sg' => -3.0,
'surveys-errors@lists.nua.ie' => -3.0,
'emailnews@genomeweb.com' => -5.0,
'yahoo-dev-null@yahoo-inc.com' => -3.0,
'returns.groups.yahoo.com' => -3.0,
'clusternews@linuxnetworx.com' => -3.0,
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
'sender@example.net' => 3.0,
'.example.net' => 1.0,
},
], # end of site-wide tables
});
@blacklist_sender_maps = ( new_RE(
qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
));
$MAXLEVELS = 14; # (default is undef, no limit)
$MAXFILES = 1500; # (default is undef, no limit)
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5; # times original mail size (default is 5)
$MAX_EXPANSION_FACTOR = 500; # times original mail size (default is 500)
$virus_check_negative_ttl= 3*60; # time to remember that mail was not infected
$virus_check_positive_ttl= 30*60; # time to remember that mail was infected
$spam_check_negative_ttl = 30*60; # time to remember that mail was not spam
$spam_check_positive_ttl = 30*60; # time to remember that mail was spam
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$rpm2cpio = ['rpm2cpio.pl','rpm2cpio'];
$cabextract = 'cabextract';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
$unarj = ['arj', 'unarj']; # both can extract, arj is recommended
$unrar = ['rar', 'unrar']; # both can extract, same options
$zoo = 'zoo';
$lha = 'lha';
$cpio = ['gcpio','cpio']; # gcpio is a GNU cpio on OpenBSD, which supports
$ar = 'ar'; # Unix binary archives and Debian binary packages
$dspam = 'dspam';
$sa_local_tests_only = 0; # (default: false)
$sa_mail_body_size_limit = 2000*1024; # don't waste time on SA if mail is larger
$sa_tag_level_deflt = undef; # add spam info headers if at, or above that level;
$sa_tag2_level_deflt = 4.0; # add 'spam detected' headers at that level to
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
$sa_spam_modifies_subj = 1; # in @sa_spam_modifies_subj_maps, default is true
$sa_spam_level_char = '*'; # char for X-Spam-Level bar, defaults to '*';
$sa_spam_report_header = 1; # insert X-Spam-Report header field? default false
@av_scanners = (
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
@av_scanners_backup = (
['ClamAV-clamscan', 'clamscan',
"--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
1; # insure a defined return
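As an added example (not the poster's code and not part of amavisd-new), a small Python check that parses amavisd-new log lines of the kind shown above, pairs each task's spam_scan result with its final Passed/Blocked entry, and flags a gateway where SpamAssassin reports tests=[none] on every message, which is exactly the silent failure the poster describes: spam is passed as CLEAN and nothing alerts. The sample log is constructed (the first two lines are the poster's own, joined onto single lines; the spam task and the no-rules log are made up in the same format).

```python
import re

# Constructed sample in amavisd-new log format: the first two lines are the
# poster's, the "Blocked SPAM" task shows what a working SA run looks like.
SAMPLE_LOG = """\
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) spam_scan: score=0 tests=[none]
Jun 12 17:14:31 mail /usr/sbin/amavisd[11112]: (11112-05) Passed CLEAN, [217.118.96.202] [62.168.208.129] some@mail -> some@mail, Message-ID: <20070612150922.16CCFCBA65@blablabla>, mail_id: Al1Wntwnzlfn, Hits: 0., queued_as: 2CD78280034, 397 ms
Jun 12 17:25:40 mail /usr/sbin/amavisd[11113]: (11113-02) spam_scan: score=7.3 tests=[BAYES_99=3.5,HTML_MESSAGE=0.001,URIBL_BLACK=3.8]
Jun 12 17:25:40 mail /usr/sbin/amavisd[11113]: (11113-02) Blocked SPAM, [198.51.100.7] [198.51.100.7] c@example.net -> b@example.org, Message-ID: <x2@example.net>, mail_id: bbbbbbbbbbbb, Hits: 7.3, queued_as: 0000000002, 300 ms
"""
# Constructed: what the poster sees on every message, five tasks in a row.
NO_RULES_LOG = "\n".join(
    f"Jun 12 17:{m:02d}:00 mail /usr/sbin/amavisd[11112]: (11112-{m:02d}) "
    "spam_scan: score=0 tests=[none]" for m in range(1, 6))

TASK_RE = re.compile(r"\((\d+-\d+)\) (.*)$")
SCAN_RE = re.compile(r"^spam_scan: score=(-?[\d.]+) tests=\[([^\]]*)\]")
VERDICT_RE = re.compile(
    r"^(Passed|Blocked) (\S+),.*?mail_id: ([^,\s]+), Hits: (-?[\d.]+)")


def parse_amavis_log(text):
    """Pair each amavisd task's spam_scan line with its final verdict line."""
    tasks = {}
    for line in text.splitlines():
        m = TASK_RE.search(line)
        if not m:
            continue
        rec = tasks.setdefault(m.group(1), {})
        s = SCAN_RE.match(m.group(2))
        if s:
            rec["score"] = float(s.group(1))
            rec["tests"] = [] if s.group(2) == "none" else s.group(2).split(",")
            continue
        v = VERDICT_RE.match(m.group(2))
        if v:
            rec["action"], rec["ccat"], rec["mail_id"] = v.group(1), v.group(2), v.group(3)
            rec["hits"] = float(v.group(4))  # "Hits: 0." parses as 0.0
    return tasks


def sa_health(tasks, min_messages=3):
    """Flag a gateway whose SpamAssassin never fires a single rule.

    Even ham normally hits a few low-scoring rules, so tests=[none] on every
    scanned message means SA is not scoring at all: spam then flows through
    as CLEAN and the gateway gives no sign that its spam filter is dead.
    """
    scanned = [r for r in tasks.values() if "tests" in r]
    no_tests = sum(1 for r in scanned if not r["tests"])
    sa_active = not (len(scanned) >= min_messages and no_tests == len(scanned))
    return {"scanned": len(scanned), "no_tests": no_tests, "sa_active": sa_active}


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("no-rules", NO_RULES_LOG)):
        print(name, sa_health(parse_amavis_log(log)))
```

Run it against a real /var/log/amavis.log slice (as set by $LOGFILE above) and compare "no_tests" with "scanned": a working filter shows rule hits on most messages, the poster's shows none.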