Antivirus

---------

amavis postfix on centos 8

Install Clamav

# install from EPEL

[root@mail ~]# dnf --enablerepo=epel -y install clamav clamav-update

[root@mail ~]# vi /etc/freshclam.conf

# line 8: comment out if it enabled

#Example

# update pattern files manually

[root@mail ~]# freshclam

ClamAV update process started at Thu Sep 26 00:45:12 2019

main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)

daily.cvd is up to date (version: 25583, sigs: 1778105, f-level: 63, builder: raynman)

bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)

# scan /home

[root@mail ~]# clamscan --infected --remove --recursive /home

----------- SCAN SUMMARY -----------

Known viruses: 6334004

Engine version: 0.101.4

Scanned directories: 2

Scanned files: 3

Infected files: 0

Data scanned: 0.00 MB

Data read: 0.00 MB (ratio 0.00:1)

Time: 40.722 sec (0 m 40 s)

# download trial virus

[root@mail ~]# wget http://www.eicar.org/download/eicar.com

[root@mail ~]# clamscan --infected --remove --recursive .

# just detected and removed

./eicar.com: Eicar-Test-Signature FOUND

./eicar.com: Removed.

----------- SCAN SUMMARY -----------

Known viruses: 6334004

Engine version: 0.101.4

Scanned directories: 1

Scanned files: 9

Infected files: 1

Data scanned: 0.01 MB

Data read: 0.00 MB (ratio 2.00:1)

Time: 39.496 sec (0 m 39 s)

--------------------------------------------------------------

Install Amavisd and Clamav Server.

# install from EPEL and PowerTools (disabled by default)

[root@mail ~]# dnf --enablerepo=epel,PowerTools -y install amavisd-new clamd perl-Digest-SHA1 perl-IO-stringy

[root@mail ~]# vi /etc/clamd.d/scan.conf

# line 8: comment out

#Example

# line 14: uncomment

LogFile /var/log/clamd.scan

# line 74: uncomment

PidFile /var/run/clamd.scan/clamd.pid

# line 78: uncomment

TemporaryDirectory /var/tmp

# line 93: uncomment

LocalSocket /var/run/clamd.scan/clamd.sock

[root@mail ~]# touch /var/log/clamd.scan

[root@mail ~]# chown clamscan. /var/log/clamd.scan

[root@mail ~]# systemctl enable --now clamd@scan

If SELinux is enabled, add rules to start Clamav Server like follows.

[root@mail ~]# restorecon -v /var/log/clamd.scan

[root@mail ~]# setsebool -P antivirus_can_scan_system on

Configure Amavisd.

[root@mail ~]# vi /etc/amavisd/amavisd.conf

# line 23: change to the own domain name

$mydomain = 'worldcm.net';

# line 155: uncomment and change to the own hostname

$myhostname = 'mail.worldcm.net';

# line 157,158: uncomment

$notify_method = 'smtp:[127.0.0.1]:10025';

$forward_method = 'smtp:[127.0.0.1]:10025';

[root@mail ~]# systemctl enable --now amavisd

Configure Postfix.

[root@mail ~]# vi /etc/postfix/main.cf

# add follows to the end

content_filter=smtp-amavis:[127.0.0.1]:10024

[root@mail ~]# vi /etc/postfix/master.cf

# add follows to the end

smtp-amavis unix - - n - 2 smtp

-o smtp_data_done_timeout=1200

-o smtp_send_xforward_command=yes

-o disable_dns_lookups=yes

127.0.0.1:10025 inet n - n - - smtpd

-o content_filter=

-o local_recipient_maps=

-o relay_recipient_maps=

-o smtpd_restriction_classes=

-o smtpd_client_restrictions=

-o smtpd_helo_restrictions=

-o smtpd_sender_restrictions=

-o smtpd_recipient_restrictions=permit_mynetworks,reject

-o mynetworks=127.0.0.0/8

-o strict_rfc821_envelopes=yes

-o smtpd_error_sleep_time=0

-o smtpd_soft_error_limit=1001

-o smtpd_hard_error_limit=1000

[root@mail ~]# systemctl restart postfix

-----------------------------XXXXXXXXXXXXX---------------------------------

Installation

amavisd-milter

Da wir für den „normalen SMTP-Traffic“, als dem Verkehr von anderen SMTP-Server2), AMaViS als Milter in unseren Postfix-Mailserver integrieren wollen, installieren wir nun noch das zugehörige Paket amavisd-milter

# yum install amavisd-milter -y

Auch hier können wir uns anzeigen lassen, was das Paket uns alles ins System kopiert hat.

# rpm -qil amavisd-milter

Name : amavisd-milter Version : 1.6.0 Release : 5.el7.centos Architecture: x86_64 Install Date: Mon 17 Nov 2014 11:22:52 AM CET Group : System Environment/Daemons Size : 72981 License : Petr Rehor <rx@rx.cz>. All rights reserved. Signature : RSA/SHA1, Mon 17 Nov 2014 11:13:36 AM CET, Key ID 60ecfb9e8195aea0 Source RPM : amavisd-milter-1.6.0-5.el7.centos.src.rpm Build Date : Mon 17 Nov 2014 11:13:23 AM CET Build Host : vml000200.dmz.nausch.org Relocations : (not relocatable) Packager : Django <django@nausch.org> Vendor : Amavisd-new URL : http://amavisd-milter.sourceforge.net/ Summary : Milter helper for Amavisd-new Description : amavisd-milter is a milter (mail filter) for amavisd-new 2.4.3 and above which uses the AM.PDP protocol. It has been tested to work with mail servers sendmail 8.13+ and postfix 2.9+ /etc/amavisd/amavisd-milter.conf /usr/lib/systemd/system/amavisd-milter.service /usr/sbin/amavisd-milter /usr/sbin/amavisd-milter-helper /usr/share/doc/amavisd-milter-1.6.0 /usr/share/doc/amavisd-milter-1.6.0/CHANGES /usr/share/doc/amavisd-milter-1.6.0/LICENSE /usr/share/doc/amavisd-milter-1.6.0/README /usr/share/doc/amavisd-milter-1.6.0/TODO /usr/share/man/man8/amavisd-milter.8.gz

amavisd

Als erstes installieren wir uns das Paket amavisd-new aus dem EPEL Repository mit Hilfe von yum.

# yum install amavisd-new -y

Was uns das Paket alles mitbrachte, zeigt uns bei Bedarf der folgende Aufruf.

# rpm -qil amavisd-new

Name : amavisd-new Version : 2.9.1 Release : 5.el7 Architecture: noarch Install Date: Mon 17 Nov 2014 11:48:23 AM CET Group : Applications/System Size : 3105963 License : GPLv2+ and BSD and GFDL Signature : RSA/SHA256, Thu 21 Aug 2014 12:07:05 AM CEST, Key ID 6a2faea2352c64e5 Source RPM : amavisd-new-2.9.1-5.el7.src.rpm Build Date : Wed 20 Aug 2014 03:26:15 PM CEST Build Host : buildvm-24.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://www.ijs.si/software/amavisd/ Summary : Email filter with virus scanner and spamassassin support Description : amavisd-new is a high-performance and reliable interface between mailer (MTA) and one or more content checkers: virus scanners, and/or Mail::SpamAssassin Perl module. It is written in Perl, assuring high reliability, portability and maintainability. It talks to MTA via (E)SMTP or LMTP, or by using helper programs. No timing gaps exist in the design which could cause a mail loss. /etc/amavisd /etc/amavisd/amavisd.conf /etc/clamd.d/amavisd.conf /usr/bin/amavisd-agent /usr/bin/amavisd-nanny /usr/bin/amavisd-release /usr/lib/systemd/system/amavisd-clean-quarantine.service /usr/lib/systemd/system/amavisd-clean-quarantine.timer /usr/lib/systemd/system/amavisd-clean-tmp.service /usr/lib/systemd/system/amavisd-clean-tmp.timer /usr/lib/systemd/system/amavisd.service /usr/lib/tmpfiles.d/amavisd-new.conf /usr/sbin/amavisd /usr/share/doc/amavisd-new-2.9.1 /usr/share/doc/amavisd-new-2.9.1/AAAREADME.first /usr/share/doc/amavisd-new-2.9.1/LDAP.ldif /usr/share/doc/amavisd-new-2.9.1/LDAP.schema /usr/share/doc/amavisd-new-2.9.1/LICENSE /usr/share/doc/amavisd-new-2.9.1/README_FILES /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.banned /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.chroot /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.contributed /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.courier /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.courier-old /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.customize /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.exim_v3 /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.exim_v3_app /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.exim_v4 /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.exim_v4_app /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.exim_v4_app2 /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.fedora /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.ldap /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.lookups /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.milter /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.old.scanners /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.performance /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.policy-on-notifications /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.postfix /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.postfix.html /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.protocol /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.quarantine /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.sendmail /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.sendmail-dual /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.sendmail-dual.old /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.sql /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.sql-mysql /usr/share/doc/amavisd-new-2.9.1/README_FILES/README.sql-pg /usr/share/doc/amavisd-new-2.9.1/README_FILES/amavisd-new-docs.html /usr/share/doc/amavisd-new-2.9.1/README_FILES/images /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/blank.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/1.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/10.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/11.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/12.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/13.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/14.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/15.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/2.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/3.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/4.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/5.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/6.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/7.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/8.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/callouts/9.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/caution.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/draft.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/home.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/important.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/next.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/note.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/prev.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/tip.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/toc-blank.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/toc-minus.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/toc-plus.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/up.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/images/warning.png /usr/share/doc/amavisd-new-2.9.1/README_FILES/screen.css /usr/share/doc/amavisd-new-2.9.1/RELEASE_NOTES /usr/share/doc/amavisd-new-2.9.1/amavisd.conf-default /usr/share/doc/amavisd-new-2.9.1/test-messages /usr/share/doc/amavisd-new-2.9.1/test-messages/README /usr/share/doc/amavisd-new-2.9.1/test-messages/sample.tar.gz.compl /var/run/amavisd /var/run/clamd.amavisd /var/spool/amavisd /var/spool/amavisd/db /var/spool/amavisd/quarantine /var/spool/amavisd/tmp

Konfiguration

amavisd-milter

Die Konfiguration des Milters erfolgt über dessen Konfigurationsdatei amavisd-milter.conf im Verzeichnis /etc/amavisd/.

# vim /etc/amavisd/amavisd-milter.conf

/etc/amavisd/amavisd-milter.conf

# User to run under (must be same as amavisd daemon)AMAVIS_USER=amavis # Set working directory (default /var/amavis).# Django : 2014-11-21 # default: WORKING_DIRECTORY=/var/spool/amavisdWORKING_DIRECTORY=/var/spool/amavisd/tmp # Communication socket between sendmail and amavisd-milter (default# /var/amavis/amavisd-milter.sock). The protocol spoken over this# socket is MILTER (Mail FILTER). It must agree with the# INPUT_MAIL_FILTER entry in sendmail.mc# The socket should be in "proto:address" format:# o {unix|local}:/path/to/file - A named pipe.# o inet:port@{hostname|ip-address} - An IPV4 socket.# o inet6:port@{hostname|ip-address} - An IPV6 socket.# Django : 2014-11-18# default: SOCKET=/var/run/amavisd/amavisd-milter.sockSOCKET=inet:8899@10.0.0.67 # Communication socket between amavisd-milter and amavisd-new# (default /var/amavis/amavisd.sock). It must agree with the# $unix_socketname entry in amavisd.conf# The socket should be in "proto:address" format:# o {unix|local}:/path/to/file - A named pipe.# o inet:port@{hostname|ip-address} - An IPV4 socket.# o inet6:port@{hostname|ip-address} - An IPV6 socket.AMAVISD_SOCKET=/var/spool/amavisd/amavisd.sock # Use this pid file (default /var/amavis/amavisd-milter.pid).# Better to create /var/run/amavis and put it there#PID_FILE=/var/run/amavisd/amavisd-milter.pid # Maximum concurrent amavisd connections (default 0 - unlimited# number of connections). It must agree with the $max_servers# entry in amavisd.conf.MAX_CONNECTIONS=5 # Maximum wait for connection to amavisd in seconds (default 300 =# 5 minutes). It must be less then sending MTA timeout for a# response to the final "." that terminates a message on sending# MTA. sendmail has default value 1 hour, postfix 10 minutes and# qmail 20 minutes. We suggest to use less than 10 minutes.MAX_WAIT=300 # sendmail connection timeout in seconds (default 600 = 10 min-# utes). It must agree with the INPUT_MAIL_FILTER entry in send-# mail.mc and must be greater than or equal to the amavisd-new con-# nection timeout. When you use other milters (especially time-# consuming), the timeout must be sufficient to process message in# all milters.MAILDAEMON_TIMEOUT=600 # amavisd-new connection timeout in seconds (default 600 = 10 min-# utes). This timeout must be sufficient for message processing in# amavisd-new. It's usually a good idea to adjust them to the same# value as sendmail connection timeout.AMAVISD_TIMEOUT=600

Die Parameter sind in der Konfigurationsdatei ausreichend beschrieben. Lediglich beim Parameter MAX_CONNECTIONS ist darauf zu achten, dass dort der gleiche Wert eingetragen wird, wie beim Parameter max_servers in der /etc/amavisd/amavisd.conf, in unserem Konfigurationsbeispiel auls den Wert 5.

amavisd

In der originalen Konfigurationsdatei aus dem RPM sind alle wesentlichen Optionen bereits enthalten, die für den Betrieb des AMaViS-Servers benötigt. Wer nicht täglich an der Datei Hand anlegen will/muss, und das ist auch in den seltensten Fällen notwendig, der sucht und stolper gerne mal über die ein oder andere Stelle in der Konfigurationsdatei.

original Konfigurationsdatei

Werfen wir doch einfach mal einen Blick in die Datei.

# less /etc/amavisd/amavisd.conf

/etc/amavisd/amavisd.conf

use strict; # a minimalistic configuration file for amavisd-new with all necessary settings# # see amavisd.conf-default for a list of all variables with their defaults; # for more details see documentation in INSTALL, README_FILES/* # and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html # COMMONLY ADJUSTED SETTINGS: # @bypass_virus_checks_maps = (1); # controls running of anti-virus code# @bypass_spam_checks_maps = (1); # controls running of anti-spam code # $bypass_decode_parts = 1; # controls running of decoders&dearchivers $max_servers = 2; # num of pre-forked children (2..30 is common), -m$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u $daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g $mydomain = 'example.com'; # a convenient default for other settings $MYHOME = '/var/spool/amavisd'; # a convenient default for other settings, -H$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc. $QUARANTINEDIR = undef; # -Q # $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine# $release_format = 'resend'; # 'attach', 'plain', 'resend' # $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf' # $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R $db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S $lock_file = "/var/run/amavisd/amavisd.lock"; # -L $pid_file = "/var/run/amavisd/amavisd.pid"; # -P #NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually $log_level = 0; # verbosity 0..5, -d$log_recip_templ = undef; # disable by-recipient level-0 log entries$do_syslog = 1; # log via syslogd (preferred) $syslog_facility = 'mail'; # Syslog facility as a string # e.g.: mail, daemon, user, local0, ... local7 $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)# $enable_zmq = 1; # enable use of ZeroMQ (SNMP and nanny) $nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed $enable_dkim_verification = 1; # enable DKIM signatures verification $enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key @local_domains_maps = ( [".$mydomain"] ); # list of all local domains @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); $unix_socketname = "$MYHOME/amavisd.sock"; # amavisd-release or amavis-milter # option(s) -p overrides $inet_socket_port and $unix_socketname $inet_socket_port = 10024; # listen on this local TCP port(s)# $inet_socket_port = [10024,10026]; # listen on multiple TCP ports $policy_bank{'MYNETS'} = { # mail originating from @mynetworks originating => 1, # is true in MYNETS by default, but let's make it explicit os_fingerprint_method => undef, # don't query p0f for internal clients }; # it is up to MTA to re-route mail from authenticated roaming users or# from internal hosts to a dedicated TCP port (such as 10026) for filtering$interface_policy{'10026'} = 'ORIGINATING'; $policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users originating => 1, # declare that mail was submitted by our smtp client allow_disclaimers => 1, # enables disclaimer insertion if available # notify administrator of locally originating malware virus_admin_maps => ["virusalert\@$mydomain"], spam_admin_maps => ["virusalert\@$mydomain"], warnbadhsender => 1, # forward to a smtpd service providing DKIM signing service forward_method => 'smtp:[127.0.0.1]:10027', # force MTA conversion to 7-bit (e.g. before DKIM signing) smtpd_discard_ehlo_keywords => ['8BITMIME'], bypass_banned_checks_maps => [1], # allow sending any file names and types terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option}; $interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname # Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):$policy_bank{'AM.PDP-SOCK'} = { protocol => 'AM.PDP', auth_required_release => 0, # do not require secret_id for amavisd-release }; $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level $sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent $sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database) $penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam $bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces $sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger$sa_local_tests_only = 0; # only tests which do not require internet access? # @lookup_sql_dsn =# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], # ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); # @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database # @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} ); # $redis_logging_key = 'amavis-log'; # $redis_logging_queue_size_limit = 300000; # about 250 MB / 100000 # $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16) $virus_admin = undef; # notifications recip. $mailfrom_notify_admin = undef; # notifications sender$mailfrom_notify_recip = undef; # notifications sender$mailfrom_notify_spamadmin = undef; # notifications sender$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef @addr_extension_virus_maps = ('virus');@addr_extension_banned_maps = ('banned');@addr_extension_spam_maps = ('spam'); @addr_extension_bad_header_maps = ('badh'); # $recipient_delimiter = '+'; # undef disables address extensions altogether# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+ $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';# $dspam = 'dspam'; $MAXLEVELS = 14;$MAXFILES = 3000;$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)$MAX_EXPANSION_QUOTA = 500*1024*1024; # bytes (default undef, not enforced) $sa_spam_subject_tag = '***Spam*** ';$defang_virus = 1; # MIME-wrap passed infected mail$defang_banned = 1; # MIME-wrap passed mail containing banned name# for defanging bad headers only turn on certain minor contents categories:$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header $defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters$defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error # OTHER MORE COMMON SETTINGS (defaults may suffice): # $myhostname = 'host.example.com'; # must be a fully-qualified domain name! # $notify_method = 'smtp:[127.0.0.1]:10025';# $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter! $final_virus_destiny = D_DISCARD;$final_banned_destiny = D_BOUNCE; $final_spam_destiny = D_DISCARD; #!!! D_DISCARD / D_REJECT$final_bad_header_destiny = D_BOUNCE; # $bad_header_quarantine_method = undef; # $os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl ## hierarchy by which a final setting is chosen:## policy bank (based on port or IP address) -> *_by_ccat## *_by_ccat (based on mail contents) -> *_maps ## *_maps (based on recipient address) -> final configuration value # SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all) # $warnbadhsender,# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)# # @bypass_virus_checks_maps, @bypass_spam_checks_maps, # @bypass_banned_checks_maps, @bypass_header_checks_maps, # # @virus_lovers_maps, @spam_lovers_maps, # @banned_files_lovers_maps, @bad_header_lovers_maps, # # @blacklist_sender_maps, @score_sender_maps, # # $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to, # $bad_header_quarantine_to, $spam_quarantine_to, # # $defang_bad_header, $defang_undecipherable, $defang_spam # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS @keep_decoded_original_maps = (new_RE( qr'^MAIL$', # let virus scanner see full original message qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, # qr'^Zip archive data', # don't trust Archive::Zip )); $banned_filename_re = new_RE( ### BLOCKED ANYWHERE# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary# qr'^\.(exe|lha|cab|dll)$', # banned file(1) types ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives qr'.\.(pif|scr)$'i, # banned extensions - rudimentary# qr'^\.zip$', # block zip type ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, # qr'^message/partial$'i, # rfc2046 MIME type# qr'^message/external-body$'i, # rfc2046 MIME type # qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type# qr'^\.wmf$', # Windows Metafile file(1) type # block certain double extensions in filenames qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, # qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| # inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| # msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|# wmf|wsc|wsf|wsh)$'ix, # banned extensions - long # qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also # qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename# qr'^\.ani$', # banned animated cursor file(1) type# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.); # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 # and http://www.cknow.com/vtutor/vtextensions.htm # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING @score_sender_maps = ({ # a by-recipient hash lookup table, # results from all matching recipient tables are summed # ## per-recipient personal tables (NOTE: positive: black, negative: white)# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], # 'user3@example.com' => [{'.ebay.com' => -3.0}], # 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, # '.cleargreen.com' => -5.0}], ## site-wide opinions about senders (the '.' matches any recipient) '.' => [ # the _first_ matching sender determines the score boost new_RE( # regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], [qr'^(your_friend|greatoffers)@'i => 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], ), # read_hash("/var/amavis/sender_scores_sitewide"), { # a hash-type lookup table (associative array) 'nobody@cert.org' => -3.0, 'cert-advisory@us-cert.gov' => -3.0, 'owner-alert@iss.net' => -3.0, 'slashdot@slashdot.org' => -3.0, 'securityfocus.com' => -3.0, 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, 'security-alerts@linuxsecurity.com' => -3.0, 'mailman-announce-admin@python.org' => -3.0, 'amavis-user-admin@lists.sourceforge.net'=> -3.0, 'amavis-user-bounces@lists.sourceforge.net' => -3.0, 'spamassassin.apache.org' => -3.0, 'notification-return@lists.sophos.com' => -3.0, 'owner-postfix-users@postfix.org' => -3.0, 'owner-postfix-announce@postfix.org' => -3.0, 'owner-sendmail-announce@lists.sendmail.org' => -3.0, 'sendmail-announce-request@lists.sendmail.org' => -3.0, 'donotreply@sendmail.org' => -3.0, 'ca+envelope@sendmail.org' => -3.0, 'noreply@freshmeat.net' => -3.0, 'owner-technews@postel.acm.org' => -3.0, 'ietf-123-owner@loki.ietf.org' => -3.0, 'cvs-commits-list-admin@gnome.org' => -3.0, 'rt-users-admin@lists.fsck.com' => -3.0, 'clp-request@comp.nus.edu.sg' => -3.0, 'surveys-errors@lists.nua.ie' => -3.0, 'emailnews@genomeweb.com' => -5.0, 'yahoo-dev-null@yahoo-inc.com' => -3.0, 'returns.groups.yahoo.com' => -3.0, 'clusternews@linuxnetworx.com' => -3.0, lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score) 'sender@example.net' => 3.0, '.example.net' => 1.0, }, ], # end of site-wide tables}); @decoders = ( ['mail', \&do_mime_decode],# [[qw(asc uue hqx ync)], \&do_ascii], # not safe ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ], ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ], ['gz', \&do_uncompress, 'gzip -d'], ['gz', \&do_gunzip], ['bz2', \&do_uncompress, 'bzip2 -d'], ['xz', \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma', 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], ['lrz', \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], ['lzo', \&do_uncompress, 'lzop -d'], ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ], [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ], # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio'] ['deb', \&do_ar, 'ar'], # ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill ['rar', \&do_unrar, ['unrar', 'rar'] ], ['arj', \&do_unarj, ['unarj', 'arj'] ], ['arc', \&do_arc, ['nomarch', 'arc'] ], ['zoo', \&do_zoo, ['zoo', 'unzoo'] ], # ['doc', \&do_ole, 'ripole'], # no ripole package so far ['cab', \&do_cabextract, 'cabextract'], # ['tnef', \&do_tnef_ext, 'tnef'], # use internal do_tnef() instead ['tnef', \&do_tnef], # ['lha', \&do_lha, 'lha'], # not safe, use 7z instead # ['sit', \&do_unstuff, 'unstuff'], # not safe [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], [['zip','kmz'], \&do_unzip], ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], [[qw(7z zip gz bz2 Z tar)], \&do_7zip, ['7za', '7z'] ], [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip, '7z' ], ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ], ); @av_scanners = ( # ### http://www.sophos.com/# ['Sophos-SSSP', # SAV Dynamic Interface# \&ask_daemon, ["{}", 'sssp:/var/run/savdi/sssp.sock'],# # or: ["{}", 'sssp:[127.0.0.1]:4010'], # qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ], # ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)# ['Sophie', # \&ask_daemon, ["{}/\n", 'sophie:/var/run/sophie'], # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, # qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], # ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/# ['Sophos SAVI', \&ask_daemon, ['{}','savi-perl:'] ], # ['Avira SAVAPI',# \&ask_daemon, ["*", 'savapi:/var/tmp/.savapi3', 'product-id'],# qr/^(200|210)/m, qr/^(310|420|319)/m, # qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m ], # settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1 ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"], qr/\bOK$/m, qr/\bFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], # NOTE: run clamd under the same user as amavisd - or run it under its own # uid such as clamav, add user clamav to the amavis group, and then add # AllowSupplementaryGroups to clamd.conf; # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in # this entry; when running chrooted one may prefer a socket under $MYHOME. # ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred)# # note that Mail::ClamAV requires perl to be build with threading! # ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'], # [0], [1], qr/^INFECTED: (.+)/m], # ### http://www.openantivirus.org/# ['OpenAntiVirus ScannerDaemon (OAV)',# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],# qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ], # ### http://www.vanja.com/tools/trophie/# ['Trophie', # \&ask_daemon, ["{}/\n", 'trophie:/var/run/trophie'],# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], # ### http://www.grisoft.com/# ['AVG Anti-Virus', # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],# qr/^200/m, qr/^403/m, qr/^403[- ].*: ([^\r\n]+)/m ], # ### http://www.f-prot.com/# ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6# \&ask_daemon, # ["SCAN FILE {}/*\n", '127.0.0.1:10200'], # qr/^(0|8|64) /m, # qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m,# qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ], # ### http://www.f-prot.com/# ['F-Prot f-protd', # old version# \&ask_daemon, # ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",# ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202',# '127.0.0.1:10203', '127.0.0.1:10204'] ], # qr/(?i)<summary[^>]*>clean<\/summary>/m, # qr/(?i)<summary[^>]*>infected<\/summary>/m, # qr/(?i)<name>(.+)<\/name>/m ], # ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later # [pack('N',1). # DRWEBD_SCAN_CMD # pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES # pack('N', # path length # length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). # '{}/*'. # path # pack('N',0). # content size # pack('N',0), # '/var/drweb/run/drwebd.sock', # # '/var/amavis/var/run/drwebd.sock', # suitable for chroot # # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default # # '127.0.0.1:3000', # or over an inet socket # ], # qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED # qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm, # ], # # NOTE: If using amavis-milter, change length to: # # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). ### http://www.kaspersky.com/ (kav4mailservers) ['KasperskyLab AVP - aveclient', ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m, qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, ], # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, # currupted or protected archives are to be handled ### http://www.kaspersky.com/ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? qr/infected: (.+)/m, sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], ### The kavdaemon and AVPDaemonClient have been removed from Kasperky ### products and replaced by aveserver and aveclient ['KasperskyLab AVPDaemonClient', [ '/opt/AVP/kavdaemon', 'kavdaemon', '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', '/opt/AVP/AvpTeamDream', 'AvpTeamDream', '/opt/AVP/avpdc', 'avpdc' ], "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ], # change the startup-script in /etc/init.d/kavd to: # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) # adjusting /var/amavis above to match your $TEMPBASE. # The '-f=/var/amavis' is needed if not running it as root, so it # can find, read, and write its pid file, etc., see 'man kavdaemon'. # defUnix.prf: there must be an entry "*/var/amavis" (or whatever # directory $TEMPBASE specifies) in the 'Names=' section. # cd /opt/AVP/DaemonClients; configure; cd Sample; make # cp AvpDaemonClient /opt/AVP/ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" ### http://www.centralcommand.com/ ['CentralCommand Vexira (new) vascan', ['vascan','/usr/lib/Vexira/vascan'], "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". "--log=/var/log/vascan.log {}", [0,3], [1,2,5], qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ], # Adjust the path of the binary and the virus database as needed. # 'vascan' does not allow to have the temp directory to be the same as # the quarantine directory, and the quarantine option can not be disabled. # If $QUARANTINEDIR is not used, then another directory must be specified # to appease 'vascan'. Move status 3 to the second list if password # protected files are to be considered infected. ### http://www.avira.com/ ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus ['Avira AntiVir', ['antivir','vexira'], '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m, qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ], # NOTE: if you only have a demo version, remove -z and add 214, as in: # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, ### http://www.avira.com/ ### Avira for UNIX 3.x ['Avira AntiVir', ['avscan'], '-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m, qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ], ### http://www.commandsoftware.com/ ['Command AntiVirus for Linux', 'csav', '-all -archive -packed {}', [50], [51,52,53], qr/Infection: (.+)/m ], ### http://www.symantec.com/ ['Symantec CarrierScan via Symantec CommandLineScanner', 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', qr/^Files Infected:\s+0$/m, qr/^Infected\b/m, qr/^(?:Info|Virus Name):\s+(.+)/m ], ### http://www.symantec.com/ ['Symantec AntiVirus Scan Engine', 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', [0], qr/^Infected\b/m, qr/^(?:Info|Virus Name):\s+(.+)/m ], # NOTE: check options and patterns to see which entry better applies # ### http://www.f-secure.com/products/anti-virus/ version 5.52# ['F-Secure Antivirus for Linux servers', # ['/opt/f-secure/fsav/bin/fsav', 'fsav'], # '--virus-action1=report --archive=yes --auto=yes '. # '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], # qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], # # NOTE: internal archive handling may be switched off by '--archive=no'# # to prevent fsav from exiting with status 9 on broken archives ### http://www.f-secure.com/ version 9.14 ['F-Secure Linux Security', ['/opt/f-secure/fsav/bin/fsav', 'fsav'], '--virus-action1=report --archive=yes --auto=yes '. '--list=no --nomimeerr {}', [0], [3,4,6,8], qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], # NOTE: internal archive handling may be switched off by '--archive=no' # to prevent fsav from exiting with status 9 on broken archives # ### http://www.avast.com/# ['avast! Antivirus daemon',# \&ask_daemon, # greets with 220, terminate with QUIT# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t[0-9]+\s+([^[ \t\015\012]+)/m ], # ### http://www.avast.com/# ['avast! Antivirus - Client/Server Version', 'avastlite',# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], # qr/\t\[L\]\t([^[ \t\015\012]+)/m ], ['CAI InoculateIT', 'inocucmd', # retired product '-sec -nex {}', [0], [100], qr/was infected by virus (.+)/m ], # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) ['CAI eTrust Antivirus', 'etrust-wrapper', '-arc -nex -spm h {}', [0], [101], qr/is infected by virus: (.+)/m ], # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 ### http://mks.com.pl/english.html ['MkS_Vir for Linux (beta)', ['mks32','mks'], '-s {}/*', [0], [1,2], qr/--[ \t]*(.+)/m ], ### http://mks.com.pl/english.html ['MkS_Vir daemon', 'mksscan', '-s -q {}', [0], [1..7], qr/^... (\S+)/m ], # ### http://www.nod32.com/, version v2.52 (old)# ['ESET NOD32 for Linux Mail servers', # ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],# '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.# '-w -a --action-on-infected=accept --action-on-uncleanable=accept '. # '--action-on-notscanned=accept {}', # [0,3], [1,2], qr/virus="([^"]+)"/m ], # ### http://www.eset.com/, version v2.7 (old)# ['ESET NOD32 Linux Mail Server - command line interface',# ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],# '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ], # ### http://www.eset.com/, version 2.71.12# ['ESET Software ESETS Command Line Interface',# ['/usr/bin/esets_cli', 'esets_cli'], # '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ], ### http://www.eset.com/, version 3.0 ['ESET Software ESETS Command Line Interface', ['/usr/bin/esets_cli', 'esets_cli'], '--subdir {}', [0], [1,2,3], qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ], ## http://www.nod32.com/, NOD32LFS version 2.5 and above ['ESET NOD32 for Linux File servers', ['/opt/eset/nod32/sbin/nod32','nod32'], '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '. '-w -a --action=1 -b {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/m ], # Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31# ['ESET Software NOD32 Client/Server (NOD32SS)', # \&ask_daemon2, # greets with 200, persistent, terminate with QUIT # ["SCAN {}/*\r\n", '127.0.0.1:8448' ], # qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ], ### http://www.norman.com/products_nvc.shtml ['Norman Virus Control v5 / Linux', 'nvcc', '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], qr/(?i).* virus in .* -> \'(.+)\'/m ], ### http://www.pandasoftware.com/ ['Panda CommandLineSecure 9 for Linux', ['/opt/pavcl/usr/bin/pavcl','pavcl'], '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', qr/Number of files infected[ .]*: 0+(?!\d)/m, qr/Number of files infected[ .]*: 0*[1-9]/m, qr/Found virus :\s*(\S+)/m ], # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' # before starting amavisd - the bases are then loaded only once at startup. # To reload bases in a signature update script: # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr # Please review other options of pavcl, for example: # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies # ### http://www.pandasoftware.com/# ['Panda Antivirus for Linux', ['pavcl'],# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],# qr/Found virus :\s*(\S+)/m ], # GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.# Check your RAV license terms before fiddling with the following two lines!# ['GeCAD RAV AntiVirus 8', 'ravav', # '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ], # # NOTE: the command line switches changed with scan engine 8.5 ! # # (btw, assigning stdin to /dev/null causes RAV to fail) ### http://www.nai.com/ ['NAI McAfee AntiVirus (uvscan)', 'uvscan', '--secure -rv --mime --summary --noboot - {}', [0], [13], qr/(?x) Found (?: \ the\ (.+)\ (?:virus|trojan) | \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | :\ (.+)\ NOT\ a\ virus)/m, # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, # sub {delete $ENV{LD_PRELOAD}}, ], # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 # and then clear it when finished to avoid confusing anything else. # NOTE2: to treat encrypted files as viruses replace the [13] with: # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ ### http://www.virusbuster.hu/en/ ['VirusBuster', ['vbuster', 'vbengcl'], "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], qr/: '(.*)' - Virus/m ], # VirusBuster Ltd. does not support the daemon version for the workstation # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of # binaries, some parameters AND return codes have changed (from 3 to 1). # See also the new Vexira entry 'vascan' which is possibly related. # ### http://www.virusbuster.hu/en/# ['VirusBuster (Client + Daemon)', 'vbengd',# '-f -log scandir {}', [0], [3], # qr/Virus found = (.*);/m ], # # HINT: for an infected file it always returns 3,# # although the man-page tells a different story ### http://www.cyber.com/ ['CyberSoft VFind', 'vfind', '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m, # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, ], ### http://www.avast.com/ ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ], ### http://www.ikarus-software.com/ ['Ikarus AntiVirus for Linux', 'ikarus', '{}', [0], [40], qr/Signature (.+) found/m ], ### http://www.bitdefender.com/ ['BitDefender', 'bdscan', # new version '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m, qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m, qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ], ### http://www.bitdefender.com/ ['BitDefender', 'bdc', # old version '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m, qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m, qr/(?:suspected|infected): (.*)(?:\033|$)/m ], # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may # not apply to your version of bdc, check documentation and see 'bdc --help' ### ArcaVir for Linux and Unix http://www.arcabit.pl/ ['ArcaVir for Linux', ['arcacmd','arcacmd.static'], '-v 1 -summary 0 -s {}', [0], [1,2], qr/(?:VIR|WIR):[ \t]*(.+)/m ], # ### a generic SMTP-client interface to a SMTP-based virus scanner# ['av_smtp', \&ask_av_smtp, # ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'], # qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ], # ['File::Scan', sub {Amavis::AV::ask_av(sub{# use File::Scan; my($fn)=@_; # my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);# my($vname) = $f->scan($fn); # $f->error ? (2,"Error: ".$f->error) # : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },# ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ], # ### fully-fledged checker for JPEG marker segments of invalid length# ['check-jpeg', # sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ], # # NOTE: place file JpegTester.pm somewhere where Perl can find it, # # for example in /usr/local/lib/perl5/site_perl ); @av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], # ### http://www.clamav.net/ - using remote clamd scanner as a backup# ['ClamAV-clamdscan', 'clamdscan', # "--stdout --no-summary --config-file=/etc/clamd-client.conf {}", # [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], # ['ClamAV-clamd-stream',# \&ask_daemon, ["*", 'clamd:/var/run/clamav/clamd.sock'],# qr/\bOK$/m, qr/\bFOUND$/m, # qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6 ['F-PROT Antivirus for UNIX', ['fpscan'], '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10 [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3], qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ], ### http://www.f-prot.com/ - backs up F-Prot Daemon (old) ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8], qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ], ### http://www.trendmicro.com/ - backs up Trophie ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ], ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ], ### http://www.kaspersky.com/ ['Kaspersky Antivirus v5.5', ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', '/opt/kav/5.5/kav4unix/bin/kavscanner', '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'], '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25], qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,# sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], ### http://www.sophos.com/ ['Sophos Anti Virus (savscan)', # formerly known as 'sweep' ['/opt/sophos-av/bin/savscan', 'savscan'], # 'sweep' '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. '--no-reset-atime {}', [0,2], qr/Virus .*? found/m, qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, ], # other options to consider: -idedir=/usr/local/sav # A name 'sweep' clashes with a name of an audio editor (Debian and FreeBSD). # Make sure the correct 'sweep' is found in the path if using the old name. # Always succeeds and considers mail clean.# Potentially useful when all other scanners fail and it is desirable# to let mail continue to flow with no virus checking (when uncommented).# ['always-clean', sub {0}], ); 1; # insure a defined return value

Viele Parameter sind etwas arg verstreut in der Datei, so dass man oft nicht auf den ersten Blick deren Abhängigkeit erkennt. Wir werden daher, ähnlich auch schon wie bei der Konfiguration unseres MTA3) Postfix, die Originalversion bei Seite legen und uns unsere eigene strukturierte AMaViS-Konfigurationsdatei aufsetzen.

Wir benennen also als erstes einmal, die original mitgelieferte Konfigurationsdate des AMaViS-Daemon um.

# mv /etc/amavisd/amavisd.conf /etc/amavisd/amavisd.conf.orig

Dann legen wir uns eine neue Datei an.

# touch /etc/amavisd/amavisd.conf

Zur Strukturierung unserer eigenen amavisd.conf nutzen wir jeweils folgende Überschriftszeile.

################################################################################ ## < beschreibenden Text > #

Wir werden später die einzelnen Konfigurationsoptionen strukturieren, d.h. zusammenfassen und jeweils bei den betreffenden Sectionen eintragen.

mögliche Konfigurationsparameterdatei

Wollen wir vor dem Anlegen unserer eigenen individuellen Datei uns noch einen Überblick verschaffen, welche Parameter der amavisd hat, werfen wir einen Blick in die Datei /usr/share/doc/amavisd-new-2.9.1/amavisd.conf-default

# less /usr/share/doc/amavisd-new-2.9.1/amavisd.conf-default

/usr/share/doc/amavisd-new-2.9.1/amavisd.conf-default

use strict; ## A CONFIGURATION FILE FOR AMAVISD-NEW, LISTING ALL CONFIGURATION VARIABLES## WITH THEIR DEFAULT VALUES (FOR REFERENCE ONLY, NON-AUTHORITATIVE) ## This software is licensed under the GNU General Public License (GPL).## See comments at the start of file amavisd for the whole license text.## Copyright (C) 2002-2012 Mark Martinec, All Rights Reserved. ## The 'after-default' comment indicates that these variables obtain their## default value if the config file left them undefined. It means these values## are not yet available during processing of the configuration file, but that## they can derive their value from other configurations variables no matter ## where in the configuration file they appear. ## GENERAL # $myhostname = ... predefined default from uname(3), must be a FQDN# $mydomain = ... no useful default, should be set if used in expressions# $snmp_contact = ''; # $snmp_location = ''; # $daemon_user = undef; # $daemon_group = undef; # $MYHOME = '/var/amavis'; # $TEMPBASE = $MYHOME; # after-default # $db_home = "$MYHOME/db"; # after-default # $pid_file = "$MYHOME/amavisd.pid"; # after-default # $lock_file = undef; # $daemon_chroot_dir = undef; # $max_requests = 20; # retire a child after that many accepts # $max_servers = 2; # number of pre-forked children # $min_servers = undef; # see Net::Server::Prefork for semantics # $min_spare_servers = undef; # $max_spare_servers = undef; # $child_timeout = 8*60; # $localpart_is_case_sensitive = 0; # $enable_db = undef; # $enable_zmq = undef; # @zmq_sockets = ( "ipc://$MYHOME/amavisd-zmq.sock" ); # after-default # $nanny_details_level = 1; # verbosity: 0, 1, 2 # @additional_perl_modules = (); # @local_domains_maps=(\%local_domains,\@local_domains_acl,\$local_domains_re);# @mynetworks = qw( 127.0.0.0/8 [::1] 169.254.0.0/16 [fe80::]/10 # 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 [fc00::]/7 ); # @mynetworks_maps = (\@mynetworks); # @client_ipaddr_policy = map { $_ => 'MYNETS' } @mynetworks_maps; ## LOGGING AND DEBUGGING # $log_level = 0;# $logfile = undef;# $do_syslog = undef; # same as 0# $syslog_ident = 'amavis'; # $syslog_facility = 'mail'; # $logline_maxlen = 980; # enable_log_capture_dump = undef; # $log_short_templ ... built-in default at the end of file amavisd# $log_verbose_templ ... built-in default at the end of file amavisd# $log_recip_templ = ... built-in default at the end of file amavisd# $log_templ = $log_short_templ; # @debug_sender_acl = ();# @debug_sender_maps = (\@debug_sender_acl);# @debug_recipient_maps = (); # $sa_debug = undef; # $allow_preserving_evidence = 1; ## DKIM VERIFICATION # $enable_dkim_verification = undef;# $reputation_factor = 0.2; # @signer_reputation_maps = (); # @author_to_policy_bank_maps = (); # $dkim_minimum_key_bits = 1024; # $myauthservid = $myhostname; # after-default (RFC 5451)# $dkim_minimum_key_bits = 1024; ## DKIM SIGNING # $enable_dkim_signing = undef;# %dkim_signing_keys = (); # @dkim_signature_options_bysender_maps = ();# $dkim_signing_service = undef; # # for (qw(Accept-Language Archived-At Auto-Submitted Content-Alternative# Content-Base Content-Class Content-Description Content-Disposition# Content-Duration Content-Features Content-Id Content-Language # Content-Location Content-MD5 Content-Transfer-Encoding In-Reply-To# List-Archive List-Help List-Id List-Owner List-Post List-Subscribe# List-Unsubscribe Message-Context Message-ID MIME-Version # Organisation Organization Original-Message-ID Pics-Label # Precedence Received References Reply-To Resent-Date Resent-From # Resent-Message-ID Resent-Sender Sensitivity Solicitation # User-Agent VBR-Info X-Mailer)) { $signed_header_fields{lc $_} = 1 }# for (qw(From Date Subject Content-Type)) { $signed_header_fields{lc $_} = 2 } ## MTA INTERFACE - INPUT # @listen_sockets = ... $unix_socketname and $inet_socket_port are added here# $unix_socketname = undef; # Unix socket to accept amavis helper protocol # $unix_socket_mode = undef; # sets sockets protection (numeric mode), or undef# $inet_socket_port = undef; # accept connections on this TCP port(s) (SMTP...)# $inet_socket_bind = [ '127.0.0.1', '[::1]' ]; # if both inet & inet6 avail. # $inet_socket_bind = '127.0.0.1'; # if only inet available # $inet_socket_bind = '[::1]' # if only inet6 available # @inet_acl = qw( 127.0.0.1 [::1] ); # $listen_queue_size = undef; # $protocol = ... defaults to 'SMTP' or 'LMTP' (autodetected) on inet and inet6# sockets; must be configured explicitly for Unix sockets. # Possible values: 'SMTP', 'LMTP', 'AM.PDP', # and with appropriate patches applied also: 'COURIER' or 'QMQPqq' # $soft_bounce = undef;# $smtpd_timeout = 8*60;# $smtpd_recipient_limit = 1100;# $smtpd_message_size_limit = undef; # site-wide limit# @message_size_limit_maps = (); # per-recipient limits# $smtpd_greeting_banner = '${helo-name} ${protocol} ${product} service ready';# $smtpd_quit_banner = '${helo-name} ${product} closing transmission channel'; # $auth_required_inp = undef; # $auth_required_release = 1; # @auth_mech_avail=(); # empty list disables incoming AUTH; or: qw(PLAIN LOGIN)# $tls_security_level_in = undef; # undef, 'may', 'encrypt', ... # $smtpd_tls_cert_file = undef; # $smtpd_tls_key_file = undef; # $smtp_connection_cache_on_demand = 1; # $smtp_connection_cache_enable = 1; # $enforce_smtpd_message_size_limit_64kb_min = 1; # @smtpd_discard_ehlo_keywords = (); ## MTA INTERFACE - OUTPUT ## see also $notify_method, $forward_method and $*_quarantine_method # $localhost_name = 'localhost'; # my EHLO name, and inserted in Received# $local_client_bind_address = undef; # my source IP address as a SMTP client# $auth_required_out = undef; # $amavis_auth_user = undef; # for submitting notifications and quarantine# $amavis_auth_pass = undef; # $auth_reauthenticate_forwarded = undef; # our credentials for forwarding too# $tls_security_level_out = undef; # undef, 'may', 'encrypt', ... ## MAIL FORWARDING # $forward_method = 'smtp:[127.0.0.1]:10025'; # may be arrayref# # or 'smtp:[::1]:10025' when INET6 available and INET unavail.# @forward_method_maps = ( sub { Opaque(c('forward_method')) } ); # $resend_method = undef; # falls back to $forward_method # $always_bcc = undef; # $final_virus_destiny = D_DISCARD; # subj to @viruses_that_fake_sender_maps# $final_banned_destiny = D_DISCARD; # $final_spam_destiny = D_PASS; # subject to $sa_dsn_cutoff_level # $final_bad_header_destiny = D_PASS; ## QUARANTINE # $release_method = undef; # falls back to $notify_method# $requeue_method = 'smtp:[127.0.0.1]:25'; # # or 'smtp:[::1]:25' when INET6 available and INET unavail.# $release_format = 'resend'; # (dsn), (arf), attach, plain, resend # $report_format = 'arf'; # (dsn), arf, attach, plain, resend # $attachment_password = ''; # '': no pwd, undef: PIN, code ref, or static str# $attachment_email_name = 'msg-%m.eml'; # $attachment_outer_name = 'msg-%m.zip'; # $virus_quarantine_method = 'local:virus-%m';# $spam_quarantine_method = 'local:spam-%m.gz';# $banned_files_quarantine_method = 'local:banned-%m'; # $bad_header_quarantine_method = 'local:badh-%m'; # $clean_quarantine_method = undef; # $archive_quarantine_method = undef; # $mail_id_size_bits = 72; # $QUARANTINEDIR = undef;# $quarantine_subdir_levels = undef; # 0 or 1 (undef treated as 0)# $sql_quarantine_chunksize_max; # see SQL section # $virus_quarantine_to = 'virus-quarantine'; # via %local_delivery_aliases# $banned_quarantine_to = 'banned-quarantine'; # $bad_header_quarantine_to= 'bad-header-quarantine'; # $spam_quarantine_to = 'spam-quarantine'; # $spam_quarantine_bysender_to = undef; # $clean_quarantine_to = 'clean-quarantine'; # $archive_quarantine_to = 'archive-quarantine'; # @virus_quarantine_to_maps = (\$virus_quarantine_to);# @banned_quarantine_to_maps = (\$banned_quarantine_to);# @bad_header_quarantine_to_maps = (\$bad_header_quarantine_to);# @spam_quarantine_to_maps = (\$spam_quarantine_to); # @spam_quarantine_bysender_to_maps = (\$spam_quarantine_bysender_to);# @clean_quarantine_to_maps = (\$clean_quarantine_to); # @archive_quarantine_to_maps = (\$archive_quarantine_to); # %local_delivery_aliases ... predefined, used by a delivery method 'local:'# $mailfrom_to_quarantine = undef; # undef keeps original sender ## NOTIFICATIONS (DSN, admin, recip) # $notify_method = 'smtp:[127.0.0.1]:10025';# # or 'smtp:[::1]:10025' when INET6 available and INET unavail. # $propagate_dsn_if_possible = 1;# $terminate_dsn_on_notify_success = 0; # $newvirus_admin = undef;# $virus_admin = undef; # $spam_admin = undef; # $banned_admin = undef; # $bad_header_admin = undef; # $dsn_bcc = undef; # @newvirus_admin_maps = (\$newvirus_admin);# @virus_admin_maps = (\%virus_admin, \$virus_admin);# @banned_admin_maps = (\$banned_admin); # @spam_admin_maps = (\%spam_admin, \$spam_admin); # @bad_header_admin_maps = (\$bad_header_admin); # $hdr_encoding = 'UTF-8'; # header field bodies charset# $bdy_encoding = 'UTF-8'; # notification body text charset# $hdr_encoding_qb = 'Q'; # quoted-printable (Q or B) # $notify_sender_templ = ... built-in default at the end of file amavisd# $notify_virus_sender_templ = ... built-in default at the end of file amavisd# $notify_spam_sender_templ = ... built-in default at the end of file amavisd# $notify_virus_admin_templ = ... built-in default at the end of file amavisd# $notify_spam_admin_templ = ... built-in default at the end of file amavisd# $notify_virus_recips_templ = ... built-in default at the end of file amavisd# $notify_spam_recips_templ = ... built-in default at the end of file amavisd# $notify_release_templ = ... built-in default at the end of file amavisd# $notify_report_templ = ... built-in default at the end of file amavisd # $mailfrom_notify_admin = undef;# $mailfrom_notify_recip = undef;# $mailfrom_notify_spamadmin = undef; ## these are after-defaults:# $hdrfrom_notify_sender = "\"Content-filter at $myhostname\" <postmaster\@$myhostname>";# $hdrfrom_notify_recip = ... derived from $mailfrom_notify_recip # $hdrfrom_notify_admin = ... derived from $mailfrom_notify_admin # $hdrfrom_notify_spamadmin = ... derived from $mailfrom_notify_spamadmin # $hdrfrom_notify_release = $hdrfrom_notify_sender; # $hdrfrom_notify_report = $hdrfrom_notify_sender; # $warnbannedsender = undef;# $warnbadhsender = undef; # $warn_offsite = undef; # $warnvirusrecip = undef;# $warnbannedrecip = undef;# $warnbadhrecip = undef;# @warnvirusrecip_maps = (\$warnvirusrecip);# @warnbannedrecip_maps = (\$warnbannedrecip);# @warnbadhrecip_maps = (\$warnbadhrecip); ## MODIFICATIONS TO PASSED MAIL # %allowed_added_header_fields = ...; # built-in default# %prefer_our_added_header_fields = ...; # built-in default# $remove_existing_x_scanned_headers = 0; # $remove_existing_spam_headers = 1; # @remove_existing_spam_headers_maps = (\$remove_existing_spam_headers);# $allow_fixing_improper_header = 1; # all-white folding lines and long lines# $allow_fixing_improper_header_folding = 1; # $allow_fixing_long_header_lines = 1; # $prepend_header_fields_hdridx = 0; # $X_HEADER_TAG = 'X-Virus-Scanned'; # after-default# $X_HEADER_LINE = "$myproduct_name at $mydomain"; # after-default # $defang_virus = undef;# $defang_banned = undef;# $defang_spam = undef;# $defang_bad_header = undef;# $defang_undecipherable = undef;# $defang_all = undef; # mostly for testing # $allow_disclaimers = undef;# $outbound_disclaimers_only = undef;# $enable_anomy_sanitizer = 0; # @anomy_sanitizer_args = (); # a config file or list of var=value pairs# $altermime = 'altermime'; # a path to the program # @altermime_args_defang = qw(--verbose --removeall); # @altermime_args_disclaimer = qw(--disclaimer=/etc/altermime-disclaimer.txt);# @disclaimer_options_bysender_maps = (); # $undecipherable_subject_tag = '***UNCHECKED*** ';# $sa_spam_subject_tag = undef; # $sa_spam_level_char = '*'; # @spam_subject_tag_maps = (\$sa_spam_subject_tag1); # N.B.: inconsistent name# @spam_subject_tag2_maps = (\$sa_spam_subject_tag); # N.B.: inconsistent name# @spam_subject_tag3_maps = (); ## ADDING ADDRESS EXTENSIONS TO RECIPIENTS - 'plus addressing' # $recipient_delimiter = undef;# $replace_existing_extension = 1;# $addr_extension_virus = undef; # $addr_extension_banned = undef; # $addr_extension_spam = undef; # $addr_extension_bad_header = undef;# @addr_extension_virus_maps = (\$addr_extension_virus);# @addr_extension_banned_maps = (\$addr_extension_banned);# @addr_extension_spam_maps = (\$addr_extension_spam); # @addr_extension_bad_header_maps = (\$addr_extension_bad_header); ## MAIL DECODING # $bypass_decode_parts = undef; # $keep_decoded_original_re = undef;# @keep_decoded_original_maps = (\$keep_decoded_original_re); # $map_full_type_to_short_type_re = ... predefined regexp lookup table# @map_full_type_to_short_type_maps = (\$map_full_type_to_short_type_re); # $MAXLEVELS = undef;# $MAXFILES = undef;# $MIN_EXPANSION_QUOTA = undef;# $MAX_EXPANSION_QUOTA = undef;# $MIN_EXPANSION_FACTOR = 5; # times original mail size# $MAX_EXPANSION_FACTOR = 500; # times original mail size # $path = undef;# $file = 'file'; # For backward compatibility the @decoders list defaults to use of legacy# variables $gzip, $bzip2, $lzop, ... It is cleaner to explicitly assign# a list to @decoders in amavisd.conf and directly specify program paths,# without indirections through legacy variables $gzip, etc. # # $gzip = $bzip2 = $lzop = $rpm2cpio = undef; # $uncompress = $unfreeze = $arc = $unarj = $unrar = undef; # $zoo = $lha = $pax = $cpio = $cabextract = undef; # # @decoders = ( # ['mail', \&do_mime_decode], ### [[qw(asc uue hqx ync)], \&do_ascii], # not safe # ['F', \&do_uncompress, \$unfreeze], # ['Z', \&do_uncompress, \$uncompress], # ['gz', \&do_uncompress, \$gunzip], # ['gz', \&do_gunzip], # ['bz2', \&do_uncompress, \$bunzip2], # ['xz', \&do_uncompress, # ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], # ['lzma', \&do_uncompress, # ['lzmadec', 'xz -dc --format=lzma', # 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], # ['lrz', \&do_uncompress, # ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], # ['lzo', \&do_uncompress, \$unlzop], # ['rpm', \&do_uncompress, \$rpm2cpio], # [['cpio','tar'], \&do_pax_cpio, \$pax], ### ['tar', \&do_tar], # no longer supported # ['deb', \&do_ar, \$ar], ### ['a', \&do_ar, \$ar], # unpacking .a seems an overkill # ['rar', \&do_unrar, \$unrar], # ['arj', \&do_unarj, \$unarj], # ['arc', \&do_arc, \$arc], # ['zoo', \&do_zoo, \$zoo], # ['doc', \&do_ole, \$ripole], # ['cab', \&do_cabextract, \$cabextract], # ['tnef', \&do_tnef_ext, \$tnef], # ['tnef', \&do_tnef], ### ['lha', \&do_lha, \$lha], # not safe, use 7z instead ### ['sit', \&do_unstuff, \$unstuff], # not safe # [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], # [['zip','kmz'], \&do_unzip], # ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], # [[qw(7z zip gz bz2 Z tar)], # \&do_7zip, ['7za', '7z'] ], # [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], # \&do_7zip, '7z' ], # ['exe', \&do_executable, \$unrar, \$lha, \$unarj], # ); ## ANTI-VIRUS AND INVALID/FORBIDDEN CONTENTS CONTROLS # @av_scanners = ();# @av_scanners_backup = ();# $first_infected_stops_scan = undef;# $virus_scanners_failure_is_fatal = undef; # $viruses_that_fake_sender_re = undef;# @viruses_that_fake_sender_maps = (\$viruses_that_fake_sender_re, 1);# @virus_name_to_policy_bank_maps = (); # # @virus_name_to_spam_score_maps = # (new_RE( # the order matters, first match wins # [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ],# [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ],# [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ],# [ qr'^Sanesecurity\.(Malware|Rogue|Trojan)\.' => undef ],# keep as infected# [ qr'^Sanesecurity\.' => 0.1 ], # [ qr'^Sanesecurity_PhishBar_' => 0 ], # [ qr'^Sanesecurity.TestSig_' => 0 ], # [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ], # [ qr'^Email\.Spammail\b' => 0.1 ], # [ qr'^MSRBL-(Images|SPAM)\b' => 0.1 ], # [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ], # [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ], # [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ], # [ qr'^Safebrowsing\.' => 0.1 ], # [ qr'^winnow\.(phish|spam)\.' => 0.1 ], # [ qr'^INetMsg\.SpamDomain' => 0.1 ], # [ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 0.1 ], # [ qr'^Bofhland\.Phishing' => 0.1 ], # [ qr'^ScamNailer\.' => 0.1 ], # [ qr'^HTML/Bankish' => 0.1 ], # F-Prot # [ qr'^PORCUPINE_JUNK' => 0.1 ], # [ qr'^PORCUPINE_PHISHING' => 0.1 ], # [ qr'-SecuriteInfo\.com(\.|\z)' => undef ], # keep as infected # [ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ], # false positives # [ qr'^MBL_' => undef ], # keep as infected # )); # @banned_filename_maps = ( 'DEFAULT' );# %banned_rules = ( 'DEFAULT' => $banned_filename_re); # after-default# $banned_filename_re = undef; # traditional # $banned_namepath_re = undef; # regexp-style # @bypass_virus_checks_maps = (\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);# @bypass_banned_checks_maps = (\%bypass_banned_checks, \@bypass_banned_checks_acl, \$bypass_banned_checks_re);# @bypass_header_checks_maps = (\%bypass_header_checks, \@bypass_header_checks_acl, \$bypass_header_checks_re); # @virus_lovers_maps = (\%virus_lovers, \@virus_lovers_acl, \$virus_lovers_re);# @banned_files_lovers_maps = (\%banned_files_lovers, \@banned_files_lovers_acl, \$banned_files_lovers_re);# @bad_header_lovers_maps = (\%bad_header_lovers, \@bad_header_lovers_acl, \$bad_header_lovers_re); # @unchecked_lovers_maps = (); # $allowed_header_tests{$_} = 1 for qw(other mime 8bit control empty long# syntax missing multiple); ## ANTI-Spam CONTROLS # @spam_scanners = ( ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'] ); # $helpers_home = $MYHOME; # after-default# $sa_configpath = undef; # $sa_siteconfigpath = undef; # $sa_num_instances = 1; # @sa_userconf_maps = (); # @sa_username_maps = (); # $sa_mail_body_size_limit = undef;# $sa_local_tests_only = 0; # $sa_spawned = 0; # $dspam = undef; # $sa_timeout = 30; # @bypass_spam_checks_maps = (\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);# @spam_lovers_maps = (\%spam_lovers, \@spam_lovers_acl, \$spam_lovers_re); # $sa_tag_level_deflt = undef;# $sa_tag2_level_deflt = undef;# $sa_tag3_level_deflt = undef;# $sa_kill_level_deflt = undef;# $sa_dsn_cutoff_level = undef;# $sa_crediblefrom_dsn_cutoff_level = undef;# $sa_quarantine_cutoff_level = undef; # @spam_tag_level_maps = (\$sa_tag_level_deflt);# @spam_tag2_level_maps = (\$sa_tag2_level_deflt);# @spam_tag3_level_maps = (\$sa_tag3_level_deflt);# @spam_kill_level_maps = (\$sa_kill_level_deflt);# @spam_quarantine_cutoff_level_maps = (\$sa_quarantine_cutoff_level);# @spam_notifyadmin_cutoff_level_maps = (); # @spam_dsn_cutoff_level_maps = (\$sa_dsn_cutoff_level); # @spam_dsn_cutoff_level_bysender_maps = (\$sa_dsn_cutoff_level); # @spam_crediblefrom_dsn_cutoff_level_maps = # (\$sa_crediblefrom_dsn_cutoff_level); # @spam_crediblefrom_dsn_cutoff_level_bysender_maps = # (\$sa_crediblefrom_dsn_cutoff_level); # $bounce_killer_score = 0; # $penpals_bonus_score = undef;# $penpals_halflife = 7*24*60*60;# $penpals_threshold_low = 1.0; # $penpals_threshold_high = undef; # $reputation_factor = 0.2; # @score_sender_maps = ();# @signer_reputation_maps = (); # @blacklist_sender_maps = (\%blacklist_sender, \@blacklist_sender_acl, \$blacklist_sender_re);# @whitelist_sender_maps = (\%whitelist_sender, \@whitelist_sender_acl, \$whitelist_sender_re); # $per_recip_blacklist_sender_lookup_tables = undef;# $per_recip_whitelist_sender_lookup_tables = undef; # deprecated # $os_fingerprint_method = undef;# $os_fingerprint_dst_ip_and_port = undef; ## SQL, LDAP, Redis # $database_sessions_persistent = 1;# $trim_trailing_space_in_lookup_result_fields = 0;# $lookup_maps_imply_sql_and_ldap = 1; # @storage_redis_dsn = (); # Redis server(s) for pen pals, IP reput, JSON log# $storage_redis_ttl = 16*24*60*60; # $enable_ip_repu = 1; # @ip_repu_ignore_networks = (); # @ip_repu_ignore_maps = (\@ip_repu_ignore_networks); # $redis_logging_key = undef; # $redis_logging_queue_size_limit = undef; # @lookup_sql_dsn = (); # SQL data source name for lookups, or empty# @storage_sql_dsn = (); # SQL data source name for log/quarantine, or empty # $sql_store_info_for_all_msgs = 1;# $sql_schema_version = $myversion_id_numeric;# $timestamp_fmt_mysql = undef; # $sql_partition_tag = undef; # $sql_allow_8bit_address = 0; # VARCHAR (0), VARBINARY/BYTEA (1)# $sql_lookups_no_at_means_domain = 0; # $sql_quarantine_chunksize_max = 16384; # $sql_select_policy =# 'SELECT *,users.id'.# ' FROM users LEFT JOIN policy ON users.policy_id=policy.id'.# ' WHERE users.email IN (%k) ORDER BY users.priority DESC'; # $sql_select_white_black_list =# 'SELECT wb'. # ' FROM wblist JOIN mailaddr ON wblist.sid=mailaddr.id'.# ' WHERE wblist.rid=? AND mailaddr.email IN (%k)'. # ' ORDER BY mailaddr.priority DESC'; # %sql_clause = (# 'sel_policy' => \$sql_select_policy,# 'sel_wblist' => \$sql_select_white_black_list,# 'sel_adr' => # 'SELECT id FROM maddr WHERE partition_tag=? AND email=?',# 'ins_adr' => # 'INSERT INTO maddr (partition_tag, email, domain) VALUES (?,?,?)',# 'ins_msg' => # 'INSERT INTO msgs (partition_tag, mail_id, secret_id, am_id,'. # ' time_num, time_iso, sid, policy, client_addr, size, host)'. # ' VALUES (?,?,?,?,?,?,?,?,?,?,?)', # 'upd_msg' => # 'UPDATE msgs SET content=?, quar_type=?, quar_loc=?, dsn_sent=?,'.# ' spam_level=?, message_id=?, from_addr=?, subject=?, client_addr=?,'.# ' originating=?'. # ' WHERE partition_tag=? AND mail_id=?', # 'ins_rcp' => # 'INSERT INTO msgrcpt (partition_tag, mail_id, rseqnum, rid, is_local,'.# ' content, ds, rs, bl, wl, bspam_level, smtp_resp)'. # ' VALUES (?,?,?,?,?,?,?,?,?,?,?,?)', # 'ins_quar' => # 'INSERT INTO quarantine (partition_tag, mail_id, chunk_ind, mail_text)'.# ' VALUES (?,?,?,?)', # 'sel_msg' => # obtains partition_tag if missing in a release request # 'SELECT partition_tag FROM msgs WHERE mail_id=?', # 'sel_quar' => # 'SELECT mail_text FROM quarantine'. # ' WHERE partition_tag=? AND mail_id=?'. # ' ORDER BY chunk_ind', # 'sel_penpals' => # no message-id references list # "SELECT msgs.time_num, msgs.mail_id, subject". # " FROM msgs JOIN msgrcpt USING (partition_tag,mail_id)". # " WHERE sid=? AND rid=? AND msgs.content!='V' AND ds='P'". # " ORDER BY msgs.time_num DESC", # LIMIT 1 # 'sel_penpals_msgid' => # with a nonempty list of message-id references # "SELECT msgs.time_num, msgs.mail_id, subject, message_id, rid". # " FROM msgs JOIN msgrcpt USING (partition_tag,mail_id)". # " WHERE sid=? AND msgs.content!='V' AND ds='P' AND message_id IN (%m)". # " AND rid!=sid". # " ORDER BY rid=? DESC, msgs.time_num DESC", # LIMIT 1 # ); ## LDAP, Please see file README.lookups for more info. # $enable_ldap = 0;# $ldap_lookups_no_at_means_domain = 0;# # $default_ldap = { # hostname => 'localhost', # localaddr => undef, # port => undef, # 389 or 636, default provided by Net::LDAP# scheme => undef, # 'ldaps' or 'ldap', depending on hostname # inet6 => $have_inet6 ? 1 : 0, # version => 3, # timeout => 120, # deref => 'find', # bind_dn => undef, # bind_password => undef, # tls => 0, # verify => 'none', # sslversion => 'tlsv1', # clientcert => undef, # clientkey => undef, # cafile => undef, # capath => undef, # sasl => 0, # sasl_mech => undef, # space-separated list of mech names # sasl_auth_id => undef, # }; ## hierarchy by which a final setting is chosen:## policy bank (based on port or IP address) -> *_by_ccat## *_by_ccat (based on mail contents) -> *_maps ## *_maps (based on recipient address) -> final configuration value ## MAPPING A CONTENTS CATEGORY TO A SETTING CHOSEN # %final_destiny_maps_by_ccat = (# CC_VIRUS, sub { c('final_virus_destiny') },# CC_BANNED, sub { c('final_banned_destiny') },# CC_UNCHECKED, sub { c('final_unchecked_destiny') },# CC_SPAM, sub { c('final_spam_destiny') }, # CC_BADH, sub { c('final_bad_header_destiny') },# CC_MTA.',1', D_TEMPFAIL, # CC_MTA.',2', D_REJECT, # CC_OVERSIZED, D_BOUNCE, # CC_CATCHALL, D_PASS, # ); # %forward_method_maps_by_ccat = ( # CC_CATCHALL, sub { ca('forward_method_maps') }, # ); # %smtp_reason_by_ccat = ( # # currently only used for blocked messages only, status 5xx# # a multiline message will produce a valid multiline SMTP response# CC_VIRUS, 'id=%n - INFECTED: %V', # CC_BANNED, 'id=%n - BANNED: %F', # CC_UNCHECKED, 'id=%n - UNCHECKED', # CC_SPAM, 'id=%n - spam', # CC_SPAMMY.',1', 'id=%n - spammy (tag3)', # CC_SPAMMY, 'id=%n - spammy', # CC_BADH.',1', 'id=%n - BAD HEADER: MIME error', # CC_BADH.',2', 'id=%n - BAD HEADER: nonencoded 8-bit character', # CC_BADH.',3', 'id=%n - BAD HEADER: contains invalid control character',# CC_BADH.',4', 'id=%n - BAD HEADER: line made up entirely of whitespace',# CC_BADH.',5', 'id=%n - BAD HEADER: line longer than RFC 5322 limit', # CC_BADH.',6', 'id=%n - BAD HEADER: syntax error', # CC_BADH.',7', 'id=%n - BAD HEADER: missing required header field', # CC_BADH.',8', 'id=%n - BAD HEADER: duplicate header field', # CC_BADH, 'id=%n - BAD HEADER', # CC_OVERSIZED, 'id=%n - Message size exceeds recipient\'s size limit', # CC_MTA.',1', 'id=%n - Temporary MTA failure on relaying', # CC_MTA.',2', 'id=%n - Rejected by next-hop MTA on relaying', # CC_MTA, 'id=%n - Unable to relay message back to MTA', # CC_CLEAN, 'id=%n - CLEAN', # CC_CATCHALL, 'id=%n - OTHER', # should not happen # ); # %lovers_maps_by_ccat = ( # CC_VIRUS, sub { ca('virus_lovers_maps') }, # CC_BANNED, sub { ca('banned_files_lovers_maps') }, # CC_UNCHECKED, sub { ca('unchecked_lovers_maps') }, # CC_SPAM, sub { ca('spam_lovers_maps') }, # CC_SPAMMY, sub { ca('spam_lovers_maps') }, # CC_BADH, sub { ca('bad_header_lovers_maps') }, # ); # %defang_maps_by_ccat = ( # CC_VIRUS, sub { c('defang_virus') }, # CC_BANNED, sub { c('defang_banned') }, # CC_UNCHECKED, sub { c('defang_undecipherable') }, # CC_SPAM, sub { c('defang_spam') }, # CC_SPAMMY, sub { c('defang_spam') }, # # CC_BADH.',3', 1, # NUL or CR character in header section # # CC_BADH.',5', 1, # header line longer than 998 characters # # CC_BADH.',6', 1, # header field syntax error # CC_BADH, sub { c('defang_bad_header') }, # ); # %subject_tag_maps_by_ccat = ( # CC_VIRUS, [ '***INFECTED*** ' ], # CC_BANNED, undef, # CC_UNCHECKED, sub { [ c('undecipherable_subject_tag') ] }, # not by-recip# CC_SPAM, undef, # CC_SPAMMY.',1', sub { ca('spam_subject_tag3_maps') }, # CC_SPAMMY, sub { ca('spam_subject_tag2_maps') }, # CC_CLEAN.',1', sub { ca('spam_subject_tag_maps') }, # ); # %quarantine_method_by_ccat = ( # CC_VIRUS, sub { c('virus_quarantine_method') }, # CC_BANNED, sub { c('banned_files_quarantine_method') }, # CC_UNCHECKED, sub { c('unchecked_quarantine_method') }, # CC_SPAM, sub { c('spam_quarantine_method') }, # CC_BADH, sub { c('bad_header_quarantine_method') }, # CC_CLEAN, sub { c('clean_quarantine_method') }, # ); # %quarantine_to_maps_by_ccat = ( # CC_VIRUS, sub { ca('virus_quarantine_to_maps') }, # CC_BANNED, sub { ca('banned_quarantine_to_maps') }, # CC_UNCHECKED, sub { ca('unchecked_quarantine_to_maps') }, # CC_SPAM, sub { ca('spam_quarantine_to_maps') }, # CC_BADH, sub { ca('bad_header_quarantine_to_maps') }, # CC_CLEAN, sub { ca('clean_quarantine_to_maps') }, # ); # %admin_maps_by_ccat = ( # CC_VIRUS, sub { ca('virus_admin_maps') }, # CC_BANNED, sub { ca('banned_admin_maps') }, # CC_UNCHECKED, sub { ca('virus_admin_maps') }, # CC_SPAM, sub { ca('spam_admin_maps') }, # CC_BADH, sub { ca('bad_header_admin_maps') }, # ); # %always_bcc_by_ccat = ( # CC_CATCHALL, sub { c('always_bcc') }, # ); # %dsn_bcc_by_ccat = ( # CC_CATCHALL, sub { c('dsn_bcc') }, # ); # %mailfrom_notify_admin_by_ccat = ( # CC_SPAM, sub { c('mailfrom_notify_spamadmin') }, # CC_CATCHALL, sub { c('mailfrom_notify_admin') }, # ); # %hdrfrom_notify_admin_by_ccat = ( # CC_SPAM, sub { c('hdrfrom_notify_spamadmin') }, # CC_CATCHALL, sub { c('hdrfrom_notify_admin') }, # ); # %mailfrom_notify_recip_by_ccat = ( # CC_CATCHALL, sub { c('mailfrom_notify_recip') }, # ); # %hdrfrom_notify_recip_by_ccat = ( # CC_CATCHALL, sub { c('hdrfrom_notify_recip') }, # ); # %hdrfrom_notify_sender_by_ccat = ( # CC_CATCHALL, sub { c('hdrfrom_notify_sender') }, # ); # %hdrfrom_notify_release_by_ccat = ( # CC_CATCHALL, sub { c('hdrfrom_notify_release') }, # ); # %hdrfrom_notify_report_by_ccat = ( # CC_CATCHALL, sub { c('hdrfrom_notify_report') }, # ); # %notify_admin_templ_by_ccat = ( # CC_SPAM, sub { cr('notify_spam_admin_templ') }, # CC_CATCHALL, sub { cr('notify_virus_admin_templ') }, # ); # %notify_recips_templ_by_ccat = ( # CC_SPAM, sub { cr('notify_spam_recips_templ') }, #usualy empty # CC_CATCHALL, sub { cr('notify_virus_recips_templ') }, # ); # %notify_sender_templ_by_ccat = ( # bounce templates # CC_VIRUS, sub { cr('notify_virus_sender_templ') }, # CC_BANNED, sub { cr('notify_virus_sender_templ') }, #historical reason# CC_SPAM, sub { cr('notify_spam_sender_templ') }, # CC_CATCHALL, sub { cr('notify_sender_templ') }, # ); # %notify_release_templ_by_ccat = ( # CC_CATCHALL, sub { cr('notify_release_templ') }, # ); # %notify_report_templ_by_ccat = ( # CC_CATCHALL, sub { cr('notify_report_templ') }, # ); # %notify_autoresp_templ_by_ccat = ( # CC_CATCHALL, sub { cr('notify_autoresp_templ') }, # ); # %warnsender_by_ccat = ( # deprecated use, except perhaps for CC_BADH # CC_VIRUS, undef, # CC_BANNED, sub { c('warnbannedsender') }, # CC_SPAM, undef, # CC_BADH, sub { c('warnbadhsender') }, # ); # %warnrecip_maps_by_ccat = ( # CC_VIRUS, sub { ca('warnvirusrecip_maps') }, # CC_BANNED, sub { ca('warnbannedrecip_maps') }, # CC_SPAM, undef, # CC_BADH, sub { ca('warnbadhrecip_maps') }, # ); # %addr_extension_maps_by_ccat = ( # CC_VIRUS, sub { ca('addr_extension_virus_maps') }, # CC_BANNED, sub { ca('addr_extension_banned_maps') }, # CC_SPAM, sub { ca('addr_extension_spam_maps') }, # CC_SPAMMY, sub { ca('addr_extension_spam_maps') }, # CC_BADH, sub { ca('addr_extension_bad_header_maps') }, # # CC_OVERSIZED, 'oversized'; # ); # %addr_rewrite_maps_by_ccat = ( ); ## POLICY BANKS # %interface_policy = (); # maps input interface/port to policy bank name # $policy_bank{''} = { ...predefined... }; ## the built-in policy bank (empty name) is predefined, and includes ## references to most other variables listed above (the dynamic config ## variables), which are accessed only indirectly through the currently ## installed policy bank. Overlaying a policy bank with another policy ## bank may bring-in references to entirely different variables, ## possibly unnamed. Here is a list of configuration variables ## referenced from the built-in policy bank by keys of the same name ## (e.g. { log_level => \$log_level, inet_acl => \@inet_acl, ...} ) ## ## $child_timeout $smtpd_timeout ## $policy_bank_name $protocol @inet_acl ## $myhostname $myauthservid $snmp_contact $snmp_location ## $myprogram_name $syslog_ident $syslog_facility ## $log_level $log_templ $log_recip_templ $enable_log_capture_dump ## $forward_method $notify_method $resend_method $report_format ## $release_method $requeue_method $release_format ## $attachment_password $attachment_email_name $attachment_outer_name ## $os_fingerprint_method $os_fingerprint_dst_ip_and_port ## $originating @smtpd_discard_ehlo_keywords $soft_bounce ## $propagate_dsn_if_possible $terminate_dsn_on_notify_success ## $amavis_auth_user $amavis_auth_pass $auth_reauthenticate_forwarded ## $auth_required_out $auth_required_inp $auth_required_release ## @auth_mech_avail $tls_security_level_in $tls_security_level_out ## $local_client_bind_address $smtpd_message_size_limit ## $localhost_name $smtpd_greeting_banner $smtpd_quit_banner ## $mailfrom_to_quarantine $warn_offsite $bypass_decode_parts @decoders ## @av_scanners @av_scanners_backup @spam_scanners ## $first_infected_stops_scan $virus_scanners_failure_is_fatal ## $sa_spam_level_char $sa_mail_body_size_limit ## $penpals_bonus_score $penpals_halflife $bounce_killer_score ## $reputation_factor ## $undecipherable_subject_tag $localpart_is_case_sensitive ## $recipient_delimiter $replace_existing_extension ## $hdr_encoding $bdy_encoding $hdr_encoding_qb ## $allow_disclaimers $outbound_disclaimers_only ## $prepend_header_fields_hdridx ## $allow_fixing_improper_header ## $allow_fixing_improper_header_folding $allow_fixing_long_header_lines ## %allowed_added_header_fields %prefer_our_added_header_fields ## %allowed_header_tests ## $X_HEADER_TAG $X_HEADER_LINE ## $remove_existing_x_scanned_headers $remove_existing_spam_headers ## %sql_clause $partition_tag ## %local_delivery_aliases $banned_namepath_re ## $per_recip_whitelist_sender_lookup_tables ## $per_recip_blacklist_sender_lookup_tables ## @anomy_sanitizer_args @altermime_args_defang ## @altermime_args_disclaimer @disclaimer_options_bysender_maps ## %signed_header_fields @dkim_signature_options_bysender_maps ## $enable_dkim_verification $enable_dkim_signing $dkim_signing_service ## $dkim_minimum_key_bits $enable_ldap $enable_ip_repu $redis_logging_key ## ## @local_domains_maps ## @mynetworks_maps @client_ipaddr_policy @ip_repu_ignore_maps ## @forward_method_maps @newvirus_admin_maps @banned_filename_maps ## @spam_quarantine_bysender_to_maps ## @spam_tag_level_maps @spam_tag2_level_maps @spam_tag3_level_maps ## @spam_kill_level_maps ## @spam_subject_tag_maps @spam_subject_tag2_maps @spam_subject_tag3_maps ## @spam_dsn_cutoff_level_maps @spam_dsn_cutoff_level_bysender_maps ## @spam_crediblefrom_dsn_cutoff_level_maps ## @spam_crediblefrom_dsn_cutoff_level_bysender_maps ## @spam_quarantine_cutoff_level_maps @spam_notifyadmin_cutoff_level_maps ## @whitelist_sender_maps @blacklist_sender_maps @score_sender_maps ## @author_to_policy_bank_maps @signer_reputation_maps ## @message_size_limit_maps @debug_sender_maps @debug_recipient_maps ## @bypass_virus_checks_maps @bypass_spam_checks_maps ## @bypass_banned_checks_maps @bypass_header_checks_maps ## @viruses_that_fake_sender_maps ## @virus_name_to_spam_score_maps @virus_name_to_policy_bank_maps ## @remove_existing_spam_headers_maps ## @sa_userconf_maps @sa_username_maps ## ## %final_destiny_maps_by_ccat %forward_method_maps_by_ccat ## %lovers_maps_by_ccat %defang_maps_by_ccat %subject_tag_maps_by_ccat ## %quarantine_method_by_ccat %quarantine_to_maps_by_ccat ## %notify_admin_templ_by_ccat %notify_recips_templ_by_ccat ## %notify_sender_templ_by_ccat %notify_autoresp_templ_by_ccat ## %notify_release_templ_by_ccat %notify_report_templ_by_ccat ## %warnsender_by_ccat ## %hdrfrom_notify_admin_by_ccat %mailfrom_notify_admin_by_ccat ## %hdrfrom_notify_recip_by_ccat %mailfrom_notify_recip_by_ccat ## %hdrfrom_notify_sender_by_ccat ## %hdrfrom_notify_release_by_ccat %hdrfrom_notify_report_by_ccat ## %admin_maps_by_ccat %warnrecip_maps_by_ccat ## %always_bcc_by_ccat %dsn_bcc_by_ccat ## %addr_extension_maps_by_ccat %addr_rewrite_maps_by_ccat ## %smtp_reason_by_ccat # legacy dynamic configuration variables: ## $final_virus_destiny $final_banned_destiny $final_unchecked_destiny ## $final_spam_destiny $final_bad_header_destiny ## @virus_lovers_maps @spam_lovers_maps @unchecked_lovers_maps ## @banned_files_lovers_maps @bad_header_lovers_maps ## $always_bcc $dsn_bcc ## $mailfrom_notify_sender $mailfrom_notify_recip ## $mailfrom_notify_admin $mailfrom_notify_spamadmin ## $hdrfrom_notify_sender $hdrfrom_notify_recip ## $hdrfrom_notify_admin $hdrfrom_notify_spamadmin ## $hdrfrom_notify_release $hdrfrom_notify_report ## $notify_virus_admin_templ $notify_spam_admin_templ ## $notify_virus_recips_templ $notify_spam_recips_templ ## $notify_virus_sender_templ $notify_spam_sender_templ ## $notify_sender_templ $notify_release_templ ## $notify_report_templ $notify_autoresp_templ ## $warnbannedsender $warnbadhsender ## $defang_virus $defang_banned $defang_spam ## $defang_bad_header $defang_undecipherable $defang_all ## $virus_quarantine_method $banned_files_quarantine_method ## $unchecked_quarantine_method $spam_quarantine_method ## $bad_header_quarantine_method $clean_quarantine_method ## $archive_quarantine_method ## @virus_quarantine_to_maps @banned_quarantine_to_maps ## @unchecked_quarantine_to_maps @spam_quarantine_to_maps ## @bad_header_quarantine_to_maps @clean_quarantine_to_maps ## @archive_quarantine_to_maps ## @virus_admin_maps @banned_admin_maps ## @spam_admin_maps @bad_header_admin_maps @spam_modifies_subj_maps ## @warnvirusrecip_maps @warnbannedrecip_maps @warnbadhrecip_maps ## @addr_extension_virus_maps @addr_extension_spam_maps ## @addr_extension_banned_maps @addr_extension_bad_header_maps 1; # insure a defined return value

eigene, individuelle Konfigurationsdatei

Nun legen wir uns unsere eigene Konfigurationsdatei an. Wie bereits angesprochen, unterteilen wir unsere Datei in unterschiedliche Sektionen.

- PFADANGABEN DER LOKALEN INSTALLATION
- GRUNDSÄTZLICHE SERVERANGABEN UND -DEFINITIONEN
- LOGGING
- SOCKETS
- POLICY MAPPINGS
- DESTINATIONS
- NOTIFICATIONS
- VIRUS POLICY
- SPAM POLICY
- BANNED POLICY
- HEADER POLICY
- UNCHECKED POLICY
- DKIM - Domain Key Identified Mail
- POLICY BANKS

Somit ergibt isch folgende komplette neue AMaViS-Konfigurationsdatei.

# vim /etc/amavisd/amavisd.conf

/etc/amavisd/amavisd.conf

use strict; ################################################################################# ## Django : 2014-11-15 - Musterkonfiguration AMaViS 2.9 unter CentOS 7 ## ################################################################################# # Eine Aufstellung aller möglichen Variablen findet man in der Datei# /usr/share/doc/amavisd-new-2.9.1/amavisd.conf-default aus dem RPM. Auf der # Webseite http://www.ijs.si/software/amavisd/amavisd-new-docs.html findet # man darüber hinaus noch viele erklärungen und Konfigurationsbeispiele ################################################################################## PFADANGABEN DER LOKALEN INSTALLATION # # Pfadangaben zu den Programmen und Tools$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; # Arbeitsverzeichnisses von AMaViS$MYHOME = '/var/spool/amavisd'; # Verzeichnis für temporäre Daten#$TEMPBASE = '$MYHOME/tmp'; $TEMPBASE = "$MYHOME/tmp"; # Enviroment Variable TMPDIR, wird unter anderem von Spamassassion verwendet$ENV{TMPDIR} = $TEMPBASE; # Keine Quarantäne -> kein Quarantäneverzeichnis notwendig$QUARANTINEDIR = undef; # Verzeichnisses für die Berkeley-Datenbank Dateien nanny/cache/snmp$db_home = "$MYHOME/db"; # Pfade zur PID- und LOCK-Datei$lock_file = "/var/run/amavisd/amavisd.lock";$pid_file = "/var/run/amavisd/amavisd.pid"; # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING@score_sender_maps = ({ # a by-recipient hash lookup table, # results from all matching recipient tables are summed # ## per-recipient personal tables (NOTE: positive: black, negative: white)# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],# 'user3@example.com' => [{'.ebay.com' => -3.0}],# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,# '.cleargreen.com' => -5.0}], ## site-wide opinions about senders (the '.' matches any recipient) '.' => [ # the _first_ matching sender determines the score boost new_RE( # regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i => 5.0], [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i => 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], [qr'^(your_friend|greatoffers)@'i => 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], ), # read_hash("/var/amavis/sender_scores_sitewide"), { # a hash-type lookup table (associative array) 'nobody@cert.org' => -3.0, 'cert-advisory@us-cert.gov' => -3.0, 'owner-alert@iss.net' => -3.0, 'slashdot@slashdot.org' => -3.0, 'securityfocus.com' => -3.0, 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, 'security-alerts@linuxsecurity.com' => -3.0, 'mailman-announce-admin@python.org' => -3.0, 'amavis-user-admin@lists.sourceforge.net' => -3.0, 'amavis-user-bounces@lists.sourceforge.net' => -3.0, 'spamassassin.apache.org' => -3.0, 'notification-return@lists.sophos.com' => -3.0, 'owner-postfix-users@postfix.org' => -3.0, 'owner-postfix-announce@postfix.org' => -3.0, 'owner-sendmail-announce@lists.sendmail.org' => -3.0, 'sendmail-announce-request@lists.sendmail.org' => -3.0, 'donotreply@sendmail.org' => -3.0, 'ca+envelope@sendmail.org' => -3.0, 'noreply@freshmeat.net' => -3.0, 'owner-technews@postel.acm.org' => -3.0, 'ietf-123-owner@loki.ietf.org' => -3.0, 'cvs-commits-list-admin@gnome.org' => -3.0, 'rt-users-admin@lists.fsck.com' => -3.0, 'clp-request@comp.nus.edu.sg' => -3.0, 'surveys-errors@lists.nua.ie' => -3.0, 'emailnews@genomeweb.com' => -5.0, 'yahoo-dev-null@yahoo-inc.com' => -3.0, 'returns.groups.yahoo.com' => -3.0, 'clusternews@linuxnetworx.com' => -3.0, lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score) 'sender@example.net' => 3.0, '.example.net' => 1.0, }, ], # end of site-wide tables}); # Utilities mit denen amavis Archive auspackt@decoders = ( ['mail', \&do_mime_decode], ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ], ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ], ['gz', \&do_uncompress, 'gzip -d'], ['gz', \&do_gunzip], ['bz2', \&do_uncompress, 'bzip2 -d'], ['xz', \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma', 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], ['lrz', \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], ['lzo', \&do_uncompress, 'lzop -d'], ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ], [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ], ['deb', \&do_ar, 'ar'], ['rar', \&do_unrar, ['unrar', 'rar'] ], ['arj', \&do_unarj, ['unarj', 'arj'] ], ['arc', \&do_arc, ['nomarch', 'arc'] ], ['zoo', \&do_zoo, ['zoo', 'unzoo'] ], ['cab', \&do_cabextract, 'cabextract'], ['tnef', \&do_tnef], [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], [['zip','kmz'], \&do_unzip], ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], [[qw(7z zip gz bz2 Z tar)], \&do_7zip, ['7za', '7z'] ], [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip, '7z' ], ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ], ); # eMails wird komplett dem Virenscanner zugestellt. Dem Inhalt von Archiven# wird grundsätzlich nicht vertraut. @keep_decoded_original_maps = (new_RE( qr'^MAIL$', qr'^MAIL-UNDECIPHERABLE$', qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)', )); ################################################################################## GRUNDSÄTZLICHE SERVERANGABEN UND -DEFINITIONEN # # Anzahl Server (pre-forked childs) die gestartet werden sollen.$max_servers = 5; # User und Gruppe des AMaViS Daemon$daemon_user = 'amavis'; $daemon_group = 'amavis'; # Hostname (FQDN) des AMaViS-Servers$myhostname = 'viruswall.dmz.nausch.org'; # Lokale Domäne des AMaViS-Servers$mydomain = 'nausch.org'; # Adresstrennzeichen in der eMail-Adresse$recipient_delimiter = '+'; # Wir setzen alles auf NULL und definieren das Backrouting in den Policy Banks # Wie werden die eMails an den ;MTA zurückgegeben? "undef" bei Verwendung des# amavisd-milter! $forward_method = undef; $notify_method = 'smtp:[mail.dmz.nausch.org]:10025'; #$allowed_added_header_fields{lc('X-Virus-Scanned')} = 0; ################################################################################## LOGGING # # verbosity 0..5, -d# Django : 2014-11-18# default: $log_level = 0;$log_level = 3; # disable by-recipient level-0 log entries$log_recip_templ = undef; # log via syslogd (preferred) $do_syslog = 1; # Syslog facility as a string e.g.: mail, daemon, user, local0, ... local7$syslog_facility = 'mail'; #Syslog base (minimal) priority $syslog_priority = 'debug'; # enable use of BerkeleyDB/libdb (SNMP and nanny) $enable_db = 1; # enable use of libdb-based cache if $enable_db=1 $enable_global_cache = 1; # enable use of ZeroMQ (SNMP and nanny) # $enable_zmq = 1; # # nanny verbosity: 1: traditional, 2: detailed $nanny_details_level = 2; # @lookup_sql_dsn =# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], # ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); # @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database # @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );# $redis_logging_key = 'amavis-log'; # about 250 MB / 100000 # $redis_logging_queue_size_limit = 300000; # $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16) ################################################################################## SOCKETS # # Wo soll AMaViS auf eingehende Verbindungen lauschen?@listen_sockets = ( '10.0.0.67:10024', '127.0.0.1:9998', "$MYHOME/amavisd.sock" ); ################################################################################## POLICY MAPPINGS # # Wir routen eingehende Verbindungen aufgrund unterschiedlicher Kriterien in# Policy Banks. # TCP-Sockets auf Policies mappen$interface_policy{'9998'} = 'AM.PDP-INET';$interface_policy{'10024'} = 'ORIGINATING'; # UNIX-Domain-Sockets auf Policies mappen$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # IP-Adressen/Ranges auf Policies mappen@client_ipaddr_policy = ( [qw( 0.0.0.0/8 127.0.0.1/32 [::] [::1] )] => 'LOCALHOST', [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS', [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )] => 'PARTNER', [qw( 198.51.100.88/32 )] => 'CUSTOMERS', [qw( 203.0.113.164/32 )] => 'HOSTING', \@mynetworks => 'MYNETS', ); # DKIM-verifizierte Sender(domains) auf Policies mappen@author_to_policy_bank_maps = ( { 'piratenpartei-bayern.de' => 'WHITELIST,NOBANNEDCHECK,NOVIRUSCHECK', '.paypal.de' => 'WHITELIST', '.paypal.com' => 'WHITELIST', 'amazon.de' => 'WHITELIST', } ); ################################################################################## DESTINATIONS # # Definition der Verkehrsrichtungen: # Das ist nach intern. Alle anderen Destinationen sind im Umkehrschluss extern.@local_domains_maps = ( [".$mydomain"], read_hash("/etc/postfix/all_local_domains_map"), ); # Das kommt von intern. Alles andere ist per Default von extern, ausser wir# erkennen es an anderen Kriterien wie z.B. DKIM-Signatur oder originating Port@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 10.0.0.0/24 10.0.10.0/26 ) ################################################################################## NOTIFICATIONS # # Externe warnen?$warn_offsite = 0; # Envelope Sender$mailfrom_notify_admin = "postmaster\@$mydomain";$mailfrom_notify_recip = "postmaster\@$mydomain";$mailfrom_notify_sender = "postmaster\@$mydomain";$mailfrom_notify_spamadmin = "postmaster\@$mydomain";$mailfrom_to_quarantine = ''; $dsn_bcc = "postmaster\@$mydomain"; # From: Header$hdrfrom_notify_sender = "Postmaster <postmaster\@$mydomain>";$hdrfrom_notify_recip = "Postmaster <postmaster\@$mydomain>"; $hdrfrom_notify_release = "Postmaster <postmaster\@$mydomain>"; ################################################################################## VIRUS POLICY # # Check aktivieren?# @bypass_virus_checks_maps = (1); # In Quarantäne?$virus_quarantine_to = undef; # Admin benachrichtigen?$virus_admin = undef; # Empfänger benachrichtigen?$warnvirusrecip = 1; # Recipient-Adresse bei Release erweitern?@addr_extension_virus_maps = ('virus'); # eMail bei Release wrappen?$defang_virus = 1; # Wollen wir Content transportieren?$final_virus_destiny = D_REJECT; @av_scanners = ( ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"], qr/\bOK$/m, qr/\bFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], ); @av_scanners_backup = ();#@av_scanners_backup = ( # ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV# ['ClamAV-clamscan', 'clamscan', # "--stdout --no-summary -r --tempdir=$TEMPBASE {}", # [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],#); ################################################################################## SPAM POLICY # # Check aktivieren?# @bypass_spam_checks_maps = (1); # In Quarantäne?$spam_quarantine_to = undef; # Admin benachrichtigen?$spam_admin = undef; # Recipient-Adresse bei Release erweitern?@addr_extension_spam_maps = ('spam'); # eMail bei Release wrappen?$defang_spam = undef; # Wollen wir Content transportieren?$final_spam_destiny = D_REJECT; # add spam info headers if at, or above that level$sa_tag_level_deflt = -1000.0; # add 'spam detected' headers at that level $sa_tag2_level_deflt = 6.31; # triggers spam evasive actions (e.g. blocks mail)$sa_kill_level_deflt = 6.31; # spam level beyond which a DSN is not sent $sa_dsn_cutoff_level = 10; # likewise, but for a likely valid From $sa_crediblefrom_dsn_cutoff_level = 18; # spam level beyond which quarantine is off # $sa_quarantine_cutoff_level = 25; # (no effect without a @storage_sql_dsn database)$penpals_bonus_score = 8; # don't waste time on hi spam $penpals_threshold_high = $sa_kill_level_deflt; # spam score points to add for joe-jobbed bounces$bounce_killer_score = 100; # don't waste time on SA if mail is larger $sa_mail_body_size_limit = 400*1024; # only tests which do not require internet access?$sa_local_tests_only = 0; $sa_spam_subject_tag = '***Spam*** '; ################################################################################## BANNED POLICY # # Check aktivieren?#@bypass_banned_checks_maps = (1); # In Quarantäne?$banned_quarantine_to = undef; # Admin benachrichtigen?$banned_admin = undef; # Recipient-Adresse bei Release erweitern?@addr_extension_banned_maps = ('banned'); # eMail bei Release wrappen?$defang_banned = 1; # Wollen wir Content transportieren?$final_banned_destiny = D_BOUNCE; # Definitionslisten in denen wir bestimmte Dateitypen zusammenfassen# Die Definitionsnamen können wir in einer Policy verwenden %banned_rules = ( 'NO-MS-EXEC'=> new_RE( qr'^\.(exe-ms)$' ), 'PASSALL' => new_RE( [qr'^' => 0] ), 'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ), 'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ), 'NO-VIDEO' => new_RE( qr'^\.movie$', qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ), 'NO-MOVIES' => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ), 'MYNETS-DEFAULT' => new_RE( [ qr'^\.(rpm|cpio|tar)$' => 0 ], qr'.\.(vbs|pif|scr)$'i, ), 'DEFAULT' => $banned_filename_re, ); # Alles was in der Definitionsliste oben DEFAULT ist$banned_filename_re = new_RE( # banned file(1) types, rudimentary qr'^\.(exe-ms|dll)$', # allow any in Unix-type archives [ qr'^\.(rpm|cpio|tar)$' => 0 ], # banned extensions - rudimentary qr'.\.(pif|scr)$'i, # block these MIME types qr'^application/x-msdownload$'i, qr'^application/x-msdos-program$'i, qr'^application/hta$'i, # block certain double extensions in filenames qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, # banned extension - basic+cmd qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, ); ################################################################################## HEADER POLICY # # Check aktivieren?# @bypass_header_checks_maps = (1); # In Quarantäne?$bad_header_quarantine_method = undef; # Recipient-Adresse bei Release erweitern?@addr_extension_bad_header_maps = ('badh'); # eMail bei Release wrappen?# NUL or CR character in header$defang_by_ccat{CC_BADH.",3"} = 1;# header line longer than 998 characters$defang_by_ccat{CC_BADH.",5"} = 1; # header field syntax error $defang_by_ccat{CC_BADH.",6"} = 1; # Wollen wir Content transportieren?$final_bad_header_destiny = D_PASS; # Admin benachrichtigen?$bad_header_admin = undef; # Sender benachrichtigen?$warnbadhsender = undef; # Empfänger benachrichtigen?$warnbadhrecip = undef; ################################################################################## UNCHECKED POLICY # $undecipherable_subject_tag = ''; $MAXLEVELS = 14;$MAXFILES = 3000;# bytes (default undef, not enforced)$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)$MAX_EXPANSION_QUOTA = 500*1024*1024; ################################################################################## DKIM - Domain Key Identified Mail # # DKIM-Signaturen verifizieren$enable_dkim_verification = 0; # DKIM-Signaturen erstellen$enable_dkim_signing = 0; # Private Keys und Selectors# # signing domain selector private key options# ------------- -------- ---------------------- ----------# dkim_key('nausch.org', '201411', '/var/spool/amavis/dkim/201411_nausch.org'); # DKIM Signing Policies@dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } ); # to query p0f-analyzer.pl# $os_fingerprint_method = 'p0f:*:2345'; ## hierarchy by which a final setting is chosen:## policy bank (based on port or IP address) -> *_by_ccat## *_by_ccat (based on mail contents) -> *_maps ## *_maps (based on recipient address) -> final configuration value ################################################################################## POLICY BANKS # ## POLICY BANK MYNETWORK# Alles Hosts, die in MYNETS gelistet sind$policy_bank{'MYNETS'} = { # Jede Mail von einen unserer Hosts wird als originating gesetzt originating => 1, # Keine pof Abfragen für interne Clients durchführen. os_fingerprint_method => undef, # keinerlei unchecked-Meldungen verschicken #$admin_maps_by_ccat{+CC_UNCHECKED} = undef, # "nur" keine UNCHECKED-ENCRYPTED Notifications verschicken $admin_maps_by_ccat{+CC_UNCHECKED.',1'} = undef;}; ## POLICY BANK SUBMISSON# Nachrichten unserer Kunden, die auf Port 587 (Submisson) eingeliefert wurden# wird als originating, also von uns gesetzt. $policy_bank{'ORIGINATING'} = { # welcher Host darf soll auf Port 10014 einliefern dürfen inet_acl => [qw( 10.0.0.87 )], # eMails vom Port 587 werdenals "von uns" = originating gesetzt originating => 1, # Disclaimer an jede Mail anfügen, sofern welche verfügbar sind. allow_disclaimers => 1, # notify administrator of locally originating malware virus_admin_maps => ["virusalert\@$mydomain"], spam_admin_maps => ["virusalert\@$mydomain"], warnbadhsender => 1, # keinerlei unchecked-Meldungen verschicken #$admin_maps_by_ccat{+CC_UNCHECKED} = undef, # "nur" keine UNCHECKED-ENCRYPTED Notifications verschicken $admin_maps_by_ccat{+CC_UNCHECKED.',1'} = undef; # forward to a smtpd service providing DKIM signing service forward_method => 'smtp:[127.0.0.1]:10027', # force MTA conversion to 7-bit (e.g. before DKIM signing) smtpd_discard_ehlo_keywords => ['8BITMIME'], # allow sending any file names and types bypass_spam_checks_maps => [0], # allow sending any file names and types bypass_banned_checks_maps => [1], # don't remove NOTIFY=SUCCESS option terminate_dsn_on_notify_success => 0, notify_method => 'smtp:[10.0.0.87]:10025', forward_method => 'smtp:[10.0.0.87]:10025', final_virus_destiny => 'D_BOUNCE',}; # Hier schlägt der MILTER auf$policy_bank{'AM.PDP-SOCK'} = { protocol => 'AM.PDP', auth_required_release => 0,}; # Hier würden wir releasen$policy_bank{'AM.PDP-INET'} = { protocol => 'AM.PDP', inet_acl => [qw( 127.0.0.1 )], auth_required_release => 0,}; ## POLICY BANK: WHITELIST $policy_bank{'WHITELIST'} = { bypass_spam_checks_maps => [1], spam_lovers_maps => [1], }; ## POLICY BANK: NOVIRUSCHECK $policy_bank{'NOVIRUSCHECK'} = { bypass_decode_parts => 1, bypass_virus_checks_maps => [1], virus_lovers_maps => [1], }; ## POLICY BANK: NOBANNEDCHECK $policy_bank{'NOBANNEDCHECK'} = { bypass_banned_checks_maps => [1], banned_files_lovers_maps => [1], }; 1; # insure a defined return value # vim: set ft=perl sw=4:

Postfix

Die Anbindung des AMaViS-Servers an unseren Postfix-MTA nehmen wir nun im folgendem Konfigurationsschritt vor. Dabei unterscheiden wir die unterschiedlichen Verkehrsrichtungen bei unserem MHS4):

- MTA5)-Traffic : Hier bewerten und prüfen wir die Nachricht noch während der Annahme der Nachricht. Daher nutzen wir hier unseren amavisd-milter für die Anbindung des MTAs an das AS/AV6)-System vor. Den zur Anbindung genutzten Milter, sprechen wir über den über TCP-Port 8899 an. Dazu definieren wir uns eine eigene Variable amavisd_milter für unseren Milter. Dieser Variable weisen wir in der Section MILTER den Wert inet:10.0.0.67:8899 zu.
  - # vim /etc/postfix/main.cf
  - ... ################################################################################## MILTER# Django : 2014-11-18# DMARC Test amavisd_milter = inet:10.0.0.67:8899 ...
  - Nun binden wir beim entsprechendem Daemon in der /etc/postfix/ mit Hilfe unserer eigenen Variable den amavisd-milter ein.
  - # vim /etc/postfix/master.cf
  - ## Postfix master process configuration file. For details on the format# of the file, see the master(5) manual page (command: "man 5 master").## Do not forget to execute "postfix reload" after editing this file.## ==========================================================================# service type private unpriv chroot wakeup maxproc command + args# (yes) (yes) (yes) (never) (100)# ==========================================================================## Django : 2014-10-29 postscreen# smtp inet n - n - 1 postscreen smtpd pass - - n - - smtpd -o smtpd_sasl_auth_enable=no # Django : 2014-11-29 amavisd-milter eingebunden -o smtpd_milters=${amavisd_milter} dnsblog unix - - n - 0 dnsblog tlsproxy unix - - n - 0 tlsproxy ...
- MUA7)-MSA8)-Traffic : Bei der Annahme der eMail von unseren eigenen Kunden, wollen wir im Gegensatz zum MTA zu MTA Verkehr nicht prequeue über amavisd-milter filtern, sondern als content_filter. Dies hat vor allem den Grund, dass die Annahme der Nachrichten auf Port 587 sofort erfolgt und die NAchrichten erst im Anschluss gescannt werden. So muss ein einliefernder MUA nicht warten, bis der Content-Scanner die Nachricht verarbeitet hat. Somit vermeiden wir den Eindruck, dass die Einlieferung extrem lange dauert, wenn z.B. erst ein verschachteltes ZIP-Archiv aus dem Mailanhang mit 35 MB ausgepackt und gescannt werden muss.
- Wir tragen hierzu in der Konfigurationsdatei /etc/postfix/master.cf unseren content_filter nach.
  - # vim /etc/postfix/master.cf
  - # Django : 2014-10-27 Submission auf Port 587 geöffnet submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_etrn_restrictions=reject -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o content_filter=smtp:[10.0.0.67]:10024 -o mydestination=lists.nausch.org,fax.nausch.org

Paketfilter

AMaViS-Host

Damit unser MTA-Server die Dienste/Ports auf unserem AMaViS-Host erreichen können, müssen wir für diese noch Änderungen am Paketfilter firewalld vornehmen.

Als erstes gestatten wir den Verkehr vom SMTP-Daemon zum AMaViS-Milter.

# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.0.0.87/32" port protocol="tcp" port="8899" destination address="10.0.0.67/32" accept"

success

Anschließend setzen wir eine weitere Firewall-Regel, die es erlaubt, dass der SMTP-Daemon die Nachrichten beim AMaViS-Port 10024, die er von unseren eigennen Mailclients auf dem Submissionport 587 erhalten haben.

# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.0.0.87/32" port protocol="tcp" port="10024" destination address="10.0.0.67/32" accept"

success

Dann können wir den Firewall-Daemon einmal durchstarten und anschließend überprüfen, ob die Regeln auch entsprechend unserer Definition, gezogen haben.

# firewall-cmd --reload

success

# iptables -nvL IN_public_allow

Chain IN_public_allow (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 10.0.0.87 10.0.0.67 tcp dpt:8899 ctstate NEW 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

MTA-Host

Entsprechend müssen wir natürlich auch auf dem SMTP-Host eine weitere Firewall-Regel anlegen, damit nur der AMaViS-Host von der policybank SUBMISSON zurück auf dem Port 10025 und seine Notification-Mails einliefern kann.

# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.0.0.67/32" port protocol="tcp" port="10025" destination address="10.0.0.87/32" accept"

success

Anschließend starten wir den Firewall-Daemon einmal durch und überprüfen anschließend, ob die Regeln auch entsprechend unserer Definition, gezogen haben.

# firewall-cmd --reload

success

Abschließend prüfen wir noch, ob die Erweiterung unseres Paketfilter aktiv ist.

# iptables -nvL IN_public_allow

Chain IN_public_allow (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 10.0.0.67 10.0.0.87 tcp dpt:10025 ctstate NEW 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 ctstate NEW 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 ctstate NEW

Programmstart

Bevor wir nun unseren AMaViS-Daemon starten, installieren wir noch die beiden Backend-Filter:

- ClamAV für AMaViS unter CentOS 7.x
- Spamassassin für AMaViS unter CentOS 7.x

Ist dies erfolgt können wir die Dienste Starten und Testen.

amavisd-milter

Als erstes starten wir unseren Milter amavisd-milter.

# systemctl start amavisd-milter

Fragen wir nun den Status des Daemon ab sehen wir neben den Logeinträgen im Maillog und Syslog die Aufrufparameter des Daemon.

# systemctl status amavisd-milter -l

amavisd-milter.service - amavisd-milter is a milter (mailfilter) for amavisd-new which uses the AM.PDP protocol. Loaded: loaded (/usr/lib/systemd/system/amavisd-milter.service; enabled) Active: active (running) since Tue 2014-12-02 09:38:09 CET; 49s ago Docs: http://amavisd-milter.sourceforge.net/ Process: 15164 ExecStart=/usr/sbin/amavisd-milter-helper (code=exited, status=0/SUCCESS) Main PID: 15166 (amavisd-milter) CGroup: /system.slice/amavisd-milter.service └─15166 /usr/sbin/amavisd-milter -B -w /var/spool/amavisd/tmp -s inet:8899@10.0.0.67 -S /var/spool/amavisd/amavisd.sock -p /var/run/amavisd/amavisd-milter.pid -m 2 -M 300 -t 600 -T 600 Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: Starting amavisd-milter is a milter (mailfilter) for amavisd-new which uses the AM.PDP protocol.... Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: PID file /var/run/amavisd/amavisd-milter.pid not readable (yet?) after start. Dec 02 09:38:09 vml000067.dmz.nausch.org amavisd-milter[15166]: starting amavisd-milter 1.6.0 on socket inet:8899@10.0.0.67 Dec 02 09:38:09 vml000067.dmz.nausch.org systemd[1]: Started amavisd-milter is a milter (mailfilter) for amavisd-new which uses the AM.PDP protocol..

Mit lsof können wir auch den geöfneten Port überprüfen.

# lsof -i :8899

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME amavisd-m 15166 amavis 3u IPv4 158740 0t0 TCP vml000067.dmz.nausch.org:8899 (LISTEN)

amavisd

Als nächstes starten wir den AMaViS-Daemon amavisd.

# systemctl status amavisd

Fragen wir nun den Status des Daemon ab, sehen wir auch hier neben den Logeinträgen im Maillog und Syslog die Aufrufparameter des Daemon.

# systemctl status amavisd -l

amavisd.service - Amavisd-new is an interface between MTA and content checkers. Loaded: loaded (/usr/lib/systemd/system/amavisd.service; enabled) Active: active (running) since Tue 2014-12-02 09:45:20 CET; 4min 30s ago Docs: http://www.ijs.si/software/amavisd/#doc Process: 9164 ExecReload=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf reload (code=exited, status=0/SUCCESS) Process: 15174 ExecStart=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf (code=exited, status=0/SUCCESS) Main PID: 15175 (/usr/sbin/amavi) CGroup: /system.slice/amavisd.service ├─15175 /usr/sbin/amavisd (master ├─15176 /usr/sbin/amavisd (virgin child ├─15177 /usr/sbin/amavisd (virgin child ├─15178 /usr/sbin/amavisd (virgin child ├─15179 /usr/sbin/amavisd (virgin child └─15180 /usr/sbin/amavisd (virgin child Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: Found decoder for .rpm at /usr/bin/7z (backup, not used) Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: Found decoder for .exe at /usr/bin/unarj Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: Using primary internal av scanner code for ClamAV-clamd Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: Deleting db files __db.001,__db.002,__db.003,snmp.db,nanny.db in /var/spool/amavisd/db Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: Creating db in /var/spool/amavisd/db/; BerkeleyDB 0.51, libdb 5.3 Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: initializing Mail::SpamAssassin (0) Dec 02 09:45:20 vml000067.dmz.nausch.org amavis[15175]: SpamAssassin debug facilities: info Dec 02 09:45:24 vml000067.dmz.nausch.org amavis[15175]: SpamAssassin loaded plugins: AutoLearnThreshold, Bayes, BodyEval, Check, DKIM, DNSEval, FreeMail, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject Dec 02 09:45:24 vml000067.dmz.nausch.org amavis[15175]: SpamControl: init_pre_fork on SpamAssassin done Dec 02 09:45:24 vml000067.dmz.nausch.org amavis[15175]: extra modules loaded after daemonizing/chrooting: /usr/share/perl5/Net/libnet.cfg, Mail/SpamAssassin/Plugin/FreeMail.pm, Mail/SpamAssassin/Plugin/SpamCop.pm, Net/Cmd.pm, Net/Config.pm, Net/SMTP.pm

Den vollständigen dokumentierten Start finden wir dann auch im Maillog des Servers.

# less /var/log/maillog/

Dec 2 09:45:19 vml000067 amavis[15174]: logging initialized, log level 3, syslog: amavis.mail Dec 2 09:45:19 vml000067 amavis[15174]: starting. /usr/sbin/amavisd at viruswall.dmz.nausch.org amavisd-new-2.9.1 (20140627), Unicode aware, LANG="en_US.UTF -8" Dec 2 09:45:19 vml000067 amavis[15174]: perl=5.016003, user=996, EUID: 996 (996); group=, EGID: 995 995 (995 995) Dec 2 09:45:19 vml000067 amavis[15174]: INFO: no optional modules: unicore::lib::Nt::De.pl Unix::Getrusage Dec 2 09:45:19 vml000067 amavis[15174]: SpamControl: scanner SpamAssassin, module Amavis::SpamControl::SpamAssassin Dec 2 09:45:20 vml000067 amavis[15174]: INFO: SA version: 3.3.2, 3.003002, no optional modules: Net::CIDR::Lite Image::Info Image::Info::GIF Image::Info::JP EG Image::Info::PNG Image::Info::BMP Image::Info::TIFF Dec 2 09:45:20 vml000067 amavis[15174]: SpamControl: init_pre_chroot on SpamAssassin done Dec 2 09:45:20 vml000067 amavis[15174]: socket module IO::Socket::IP, protocol families available: INET, INET6 Dec 2 09:45:20 vml000067 amavis[15174]: bind to 10.0.0.67:10024/tcp, 127.0.0.1:9998/tcp, /var/spool/amavisd/amavisd.sock|unix Dec 2 09:45:20 vml000067 amavis[15175]: Net::Server: Process Backgrounded Dec 2 09:45:20 vml000067 amavis[15175]: Net::Server: 2014/12/02-09:45:20 Amavis (type Net::Server::PreForkSimple) starting! pid(15175) Dec 2 09:45:20 vml000067 amavis[15175]: Net::Server: Binding to TCP port 10024 on host 10.0.0.67 with IPv4 Dec 2 09:45:20 vml000067 amavis[15175]: Net::Server: Binding to TCP port 9998 on host 127.0.0.1 with IPv4 Dec 2 09:45:20 vml000067 amavis[15175]: Net::Server: Binding to UNIX socket file "/var/spool/amavisd/amavisd.sock" Dec 2 09:45:20 vml000067 amavis[15175]: Net::Server: Group Not Defined. Defaulting to EGID '995 995' Dec 2 09:45:20 vml000067 amavis[15175]: Net::Server: User Not Defined. Defaulting to EUID '996' Dec 2 09:45:20 vml000067 amavis[15175]: config files read: /etc/amavisd/amavisd.conf Dec 2 09:45:20 vml000067 amavis[15175]: Module Amavis::Conf 2.321 Dec 2 09:45:20 vml000067 amavis[15175]: Module Archive::Zip 1.30 Dec 2 09:45:20 vml000067 amavis[15175]: Module BerkeleyDB 0.51 Dec 2 09:45:20 vml000067 amavis[15175]: Module Compress::Raw::Zlib 2.061 Dec 2 09:45:20 vml000067 amavis[15175]: Module Compress::Zlib 2.061 Dec 2 09:45:20 vml000067 amavis[15175]: Module Crypt::OpenSSL::RSA 0.28 Dec 2 09:45:20 vml000067 amavis[15175]: Module DB_File 1.83 Dec 2 09:45:20 vml000067 amavis[15175]: Module Digest::MD5 2.52 Dec 2 09:45:20 vml000067 amavis[15175]: Module Digest::SHA 5.85 Dec 2 09:45:20 vml000067 amavis[15175]: Module Encode 2.51 Dec 2 09:45:20 vml000067 amavis[15175]: Module File::Temp 0.2301 Dec 2 09:45:20 vml000067 amavis[15175]: Module IO::Socket::INET6 2.69 Dec 2 09:45:20 vml000067 amavis[15175]: Module IO::Socket::IP 0.21 Dec 2 09:45:20 vml000067 amavis[15175]: Module MIME::Entity 5.505 Dec 2 09:45:20 vml000067 amavis[15175]: Module MIME::Parser 5.505 Dec 2 09:45:20 vml000067 amavis[15175]: Module MIME::Tools 5.505 Dec 2 09:45:20 vml000067 amavis[15175]: Module Mail::DKIM::Signer 0.39 Dec 2 09:45:20 vml000067 amavis[15175]: Module Mail::DKIM::Verifier 0.39 Dec 2 09:45:20 vml000067 amavis[15175]: Module Mail::Header 2.12 Dec 2 09:45:20 vml000067 amavis[15175]: Module Mail::Internet 2.12 Dec 2 09:45:20 vml000067 amavis[15175]: Module Mail::SPF v2.008 Dec 2 09:45:20 vml000067 amavis[15175]: Module Mail::SpamAssassin 3.003002 Dec 2 09:45:20 vml000067 amavis[15175]: Module Net::DNS 0.72 Dec 2 09:45:20 vml000067 amavis[15175]: Module Net::Server 2.007 Dec 2 09:45:20 vml000067 amavis[15175]: Module NetAddr::IP 4.069 Dec 2 09:45:20 vml000067 amavis[15175]: Module Razor2::Client::Version 2.84 Dec 2 09:45:20 vml000067 amavis[15175]: Module Scalar::Util 1.27 Dec 2 09:45:20 vml000067 amavis[15175]: Module Socket 2.010 Dec 2 09:45:20 vml000067 amavis[15175]: Module Socket6 0.23 Dec 2 09:45:20 vml000067 amavis[15175]: Module Time::HiRes 1.9725 Dec 2 09:45:20 vml000067 amavis[15175]: Module URI 1.60 Dec 2 09:45:20 vml000067 amavis[15175]: Module Unix::Syslog 1.1 Dec 2 09:45:20 vml000067 amavis[15175]: Amavis::ZMQ code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: Amavis::DB code loaded Dec 2 09:45:20 vml000067 amavis[15175]: SQL base code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: SQL::Log code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: SQL::Quarantine NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: Lookup::SQL code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: Lookup::LDAP code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: AM.PDP-in proto code loaded Dec 2 09:45:20 vml000067 amavis[15175]: SMTP-in proto code loaded Dec 2 09:45:20 vml000067 amavis[15175]: Courier proto code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: SMTP-out proto code loaded Dec 2 09:45:20 vml000067 amavis[15175]: Pipe-out proto code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: BSMTP-out proto code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: Local-out proto code loaded Dec 2 09:45:20 vml000067 amavis[15175]: OS_Fingerprint code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: ANTI-VIRUS code loaded Dec 2 09:45:20 vml000067 amavis[15175]: ANTI-SPAM code loaded Dec 2 09:45:20 vml000067 amavis[15175]: ANTI-SPAM-EXT code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: ANTI-SPAM-C code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: ANTI-SPAM-SA code loaded Dec 2 09:45:20 vml000067 amavis[15175]: Unpackers code loaded Dec 2 09:45:20 vml000067 amavis[15175]: DKIM code loaded Dec 2 09:45:20 vml000067 amavis[15175]: Tools code NOT loaded Dec 2 09:45:20 vml000067 amavis[15175]: Found $file at /usr/bin/file Dec 2 09:45:20 vml000067 amavis[15175]: Found $altermime at /usr/bin/altermime Dec 2 09:45:20 vml000067 amavis[15175]: Internal decoder for .mail Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .F at /usr/bin/unfreeze Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .Z at /usr/bin/gzip -d Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .gz at /usr/bin/gzip -d Dec 2 09:45:20 vml000067 amavis[15175]: Internal decoder for .gz (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .bz2 at /usr/bin/bzip2 -d Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .xz at /usr/bin/xzdec Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .lzma at /usr/bin/xz -dc --format=lzma Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .lrz at /usr/bin/lrzip -q -k -d -o - Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .lzo at /usr/bin/lzop -d Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .rpm at /usr/bin/rpm2cpio Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .cpio at /usr/bin/cpio Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .tar at /usr/bin/cpio Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .deb at /usr/bin/ar Dec 2 09:45:20 vml000067 amavis[15175]: No ext program for .rar, tried: unrar, rar Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .arj at /usr/bin/unarj Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .arc at /usr/bin/nomarch Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .zoo at /usr/bin/unzoo Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .cab at /usr/bin/cabextract Dec 2 09:45:20 vml000067 amavis[15175]: Internal decoder for .tnef Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .zip at /usr/bin/7za Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .kmz at /usr/bin/7za Dec 2 09:45:20 vml000067 amavis[15175]: Internal decoder for .zip (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Internal decoder for .kmz (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .7z at /usr/bin/7za Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .7z at /usr/bin/7za (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .zip at /usr/bin/7za (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .gz at /usr/bin/7za (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .bz2 at /usr/bin/7za (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .Z at /usr/bin/7za (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .tar at /usr/bin/7za (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .xz at /usr/bin/7z (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .lzma at /usr/bin/7z (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .jar at /usr/bin/7z Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .cpio at /usr/bin/7z (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .arj at /usr/bin/7z (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .rar at /usr/bin/7z Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .swf at /usr/bin/7z Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .lha at /usr/bin/7z Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .iso at /usr/bin/7z Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .cab at /usr/bin/7z (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .deb at /usr/bin/7z (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .rpm at /usr/bin/7z (backup, not used) Dec 2 09:45:20 vml000067 amavis[15175]: Found decoder for .exe at /usr/bin/unarj Dec 2 09:45:20 vml000067 amavis[15175]: Using primary internal av scanner code for ClamAV-clamd Dec 2 09:45:20 vml000067 amavis[15175]: Deleting db files __db.001,__db.002,__db.003,snmp.db,nanny.db in /var/spool/amavisd/db Dec 2 09:45:20 vml000067 amavis[15175]: Creating db in /var/spool/amavisd/db/; BerkeleyDB 0.51, libdb 5.3 Dec 2 09:45:20 vml000067 amavis[15175]: initializing Mail::SpamAssassin (0) Dec 2 09:45:20 vml000067 amavis[15175]: SpamAssassin debug facilities: info Dec 2 09:45:24 vml000067 amavis[15175]: SpamAssassin loaded plugins: AutoLearnThreshold, Bayes, BodyEval, Check, DKIM, DNSEval, FreeMail, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject Dec 2 09:45:24 vml000067 amavis[15175]: SpamControl: init_pre_fork on SpamAssassin done Dec 2 09:45:24 vml000067 amavis[15175]: extra modules loaded after daemonizing/chrooting: /usr/share/perl5/Net/libnet.cfg, Mail/SpamAssassin/Plugin/FreeMail.pm, Mail/SpamAssassin/Plugin/SpamCop.pm, Net/Cmd.pm, Net/Config.pm, Net/SMTP.pm

Mit lsof können wir nun auch die Existenz der von AMaviS verwendeten Unix/TCP-Sockets abfragen.

# lsof | grep amavisd.sock

/usr/sbin 15175 amavis 6u unix 0xffff880079cfe780 0t0 159200 /var/spool/amavisd/amavisd.sock /usr/sbin 15176 amavis 6u unix 0xffff880079cfe780 0t0 159200 /var/spool/amavisd/amavisd.sock /usr/sbin 15177 amavis 6u unix 0xffff880079cfe780 0t0 159200 /var/spool/amavisd/amavisd.sock /usr/sbin 15178 amavis 6u unix 0xffff880079cfe780 0t0 159200 /var/spool/amavisd/amavisd.sock /usr/sbin 15179 amavis 6u unix 0xffff880079cfe780 0t0 159200 /var/spool/amavisd/amavisd.sock /usr/sbin 15180 amavis 6u unix 0xffff880079cfe780 0t0 159200 /var/spool/amavisd/amavisd.sock

# lsof -i :10024

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME /usr/sbin 15175 amavis 4u IPv4 159198 0t0 TCP vml000067.dmz.nausch.org:10024 (LISTEN) /usr/sbin 15176 amavis 4u IPv4 159198 0t0 TCP vml000067.dmz.nausch.org:10024 (LISTEN) /usr/sbin 15177 amavis 4u IPv4 159198 0t0 TCP vml000067.dmz.nausch.org:10024 (LISTEN) /usr/sbin 15178 amavis 4u IPv4 159198 0t0 TCP vml000067.dmz.nausch.org:10024 (LISTEN) /usr/sbin 15179 amavis 4u IPv4 159198 0t0 TCP vml000067.dmz.nausch.org:10024 (LISTEN) /usr/sbin 15180 amavis 4u IPv4 159198 0t0 TCP vml000067.dmz.nausch.org:10024 (LISTEN)

postfix

Zu guter letzt führen wir noch einen Restart des Postfix-Master-Daemons auf unserem SMTP-Server durch.

# systemctl restart postfix.service

Auch hier können wir bei Bedarf den Status des Servers abfragen.

# systemctl status postfix.service -l

postfix.service - Postfix Mail Transport Agent Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled) Active: active (running) since Tue 2014-12-02 10:05:54 CET; 31s ago Process: 27047 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS) Process: 27062 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS) Process: 27059 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS) Process: 27056 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS) Main PID: 27135 (master) CGroup: /system.slice/postfix.service ├─27135 /usr/libexec/postfix/master -w ├─27136 pickup -l -t unix -u └─27137 qmgr -l -t unix -u Dec 02 10:12:04 vml000087.dmz.nausch.org systemd[1]: Starting Postfix Mail Transport Agent... Dec 02 10:12:05 vml000087.dmz.nausch.org postfix/master[27245]: daemon started -- version 2.11.3, configuration /etc/postfix Dec 02 10:12:05 vml000087.dmz.nausch.org systemd[1]: Started Postfix Mail Transport Agent.

Ebenso können wir überprüfen welche Ports bei unserem MAilserver geöffnet wurden.

# netstat -tulpen

Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 0 264422 27135/master tcp 0 0 10.0.0.87:10025 0.0.0.0:* LISTEN 0 264433 27135/master tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 0 264428 27135/master tcp 0 0 127.0.0.1:12525 0.0.0.0:* LISTEN 0 30132 2147/policyd-weight tcp6 0 0 :::25 :::* LISTEN 0 264423 27135/master tcp6 0 0 :::587 :::* LISTEN 0 264429 27135/master

Tests

Nun ist es an der Zeit ausgiebig die Funktionsfähigkeit unseres AS/AV9)-Systems zu überprüfen. Nacheinander wollen wir uns folgende Szenarien genauer ansehen und das unterschiedliche Verhalten jeweils beobachten.

HAM auf Port 25 (MTA zu MTA Verkehr)

Im ersten Test überprüfen wir, ob eine valide Testmail die wir an unseren SMTP-Bordefilter auf unserem SMTP-Host einliefern im Benutzerkonto unseres Mailkontoinhabers durchkommt.

SMTP-Client (swaks)

Wir verschicken nun als erstes mit Hilfe von Swaks 10) von John Jetmore eine Nachricht an einen unserer eigenen Empfänger.

$ swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header "Subject: erste HAM-Testnachricht auf Port 25"

Bevor der SMTP-Server die Nachricht mit der Zeile 250 2.0.0 Ok: queued as C4DE0C00089 bestätigt, merken wir eine kurze Verzögerung, da die komplette Nachricht im pre_queue-Modus vom Postfix- und AMaViS-Server gescannt werden. Erst am Ende der kompletten Überprüfung wird die Annahme der eMail bestätigt.

SMTP-Server

Auf unserem Borderfilter finden wir auch die relevanten Einträge zu unserer Test-Nachricht im Maillog.

# less /var/log/maillog

ec 2 10:25:54 vml000087 postfix/smtpd[27251]: connect from vml000087.dmz.nausch.org[10.0.0.87] Dec 2 10:25:54 vml000087 postfix/smtpd[27251]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Dec 2 10:25:54 vml000087 postfix/verify[27257]: cache btree:/var/lib/postfix/verify_cache full cleanup: retained=2 dropped=0 entries Dec 2 10:25:54 vml000087 postfix/smtpd[27251]: C4DE0C00089: client=vml000087.dmz.nausch.org[10.0.0.87] Dec 2 10:25:54 vml000087 postfix/cleanup[27258]: C24B7C00088: message-id=<20141202092554.C24B7C00088@mx01.nausch.org> Dec 2 10:25:54 vml000087 postfix/cleanup[27259]: C4DE0C00089: message-id=<20141202092554.C4DE0C00089@mx01.nausch.org> Dec 2 10:25:54 vml000087 postfix/qmgr[27247]: C24B7C00088: from=<double-bounce@nausch.org>, size=231, nrcpt=1 (queue active) Dec 2 10:25:54 vml000087 postfix/lmtp[27260]: C24B7C00088: to=<django@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.07, delays=0.02/0.03/0/0.02, dsn=2.1.5, status=deliverable (250 2.1.5 OK) Dec 2 10:25:54 vml000087 postfix/qmgr[27247]: C24B7C00088: removed Dec 2 10:25:56 vml000087 postfix/qmgr[27247]: C4DE0C00089: from=<n3rd@sec-mail.guru>, size=644, nrcpt=1 (queue active) Dec 2 10:25:56 vml000087 postfix/smtpd[27251]: disconnect from vml000087.dmz.nausch.org[10.0.0.87] Dec 2 10:25:56 vml000087 postfix/lmtp[27260]: C4DE0C00089: to=<django@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=2.2, delays=2/0.01/0/0.19, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> RLueGlCFfVS2FwAArK2B9Q Saved) Dec 2 10:25:56 vml000087 postfix/qmgr[27247]: C4DE0C00089: removed

ASAV-Host

Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.

# less /var/log/maillog

Dec 2 10:25:54 vml000067 amavis[15176]: loaded policy bank "AM.PDP-SOCK" Dec 2 10:25:54 vml000067 amavis[15176]: process_request: fileno sock=13, STDIN=0, STDOUT=1 Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: request=AM.PDP Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: queue_id=C4DE0C00089 Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: sender=<n3rd@sec-mail.guru> Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: recipient=<django@nausch.org> Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: tempdir=/var/spool/amavisd/tmp/afXXXXOnBfs5 Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: tempdir_removed_by=client Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: mail_file=/var/spool/amavisd/tmp/afXXXXOnBfs5/email.txt Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: delivery_care_of=client Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: client_address=10.0.0.87 Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: client_name=vml000087.dmz.nausch.org Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: helo_name=vml000087.dmz.nausch.org Dec 2 10:25:54 vml000067 amavis[15176]: policy protocol: policy_bank=mx01.nausch.org Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) Request: AM.PDP /var/spool/amavisd/tmp/afXXXXOnBfs5: <n3rd@sec-mail.guru> -> <django@nausch.org> Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) loaded policy bank "MYNETS" over "AM.PDP-SOCK" Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) body hash: 5e4a6c05336dff65870f1c8870955b2a Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) ip_trace: 10.0.0.87 Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) Checking: RKf24-jwcKfN AM.PDP-SOCK/MYNETS [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org> Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) 2822.From: <n3rd@sec-mail.guru> Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) p001 1 Content-Type: text/plain, size: 24 B, name: Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) inspect_dsn: not a bounce Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) Checking for banned types and filenames Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) collect banned table[0]: django@nausch.org, tables: Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) p.path django@nausch.org: "P=p001,L=1,M=text/plain,T=asc" Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) presenting full original message to scanners as /var/spool/amavisd/tmp/afXXXXOnBfs5/parts/p002 Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/tmp/afXXXXOnBfs5/parts\n Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) ClamAV-clamd: Connecting to socket /var/run/clamd.amavisd/clamd.sock Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10 Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/afXXXXOnBfs5/parts\n to socket /var/run/clamd.amavisd/clamd.sock Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) rw_loop read: got eof Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) run_av (ClamAV-clamd): CLEAN Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) run_av (ClamAV-clamd) result: clean Dec 2 10:25:54 vml000067 amavis[15176]: (15176-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as STRING, recips_ind [0], user: "amavis" Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) spam_scan: score=0.8 autolearn=no tests=[ALL_TRUSTED=-1,DKIM_ADSP_DISCARD=1.8] recips=0 Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) spam_scan: dsn_suppress_reason DKIM_ADSP_DISCARD Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) do_notify_and_quar: ccat=CleanTag (1,1) ("1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(), qar_mth= Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) delivery method is 1, recips: django@nausch.org Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) spam-tag, <n3rd@sec-mail.guru> -> <django@nausch.org>, No, score=0.8 tagged_above=-1000 required=6.31 tests=[ALL_TRUSTED=-1, DKIM_ADSP_DISCARD=1.8] autolearn=no Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) dkim: candidate originators: From:<n3rd@sec-mail.guru> Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) dkim: signing (author), From: <n3rd@sec-mail.guru> (From:<n3rd@sec-mail.guru>), KEY.h=>sha256, KEY.key_ind=>13, a=>rsa-sha256, c=>relaxed/simple, d=>sec-mail.guru, s=>140224, ttl=>1814400, x=>1419326755 Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) DSN: sender is credible (orig), SA: 0.800, <n3rd@sec-mail.guru> Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) status counters: InMsgsStatus{Accepted,AcceptedInternal,AcceptedOriginating} Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK/MYNETS LOCAL [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>, Queue-ID: C4DE0C00089, Message-ID: <20141202092554.C4DE0C00089@mx01.nausch.org>, mail_id: RKf24-jwcKfN, Hits: 0.8, size: 495, dkim_new=140224:sec-mail.guru, 1617 ms Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) TIMING-SA total 1504 ms - parse: 1.66 (0.1%), extract_message_metadata: 421 (28.0%), poll_dns_idle: 410 (27.3%), get_uri_detail_list: 0.31 (0.0%), tests_pri_-1000: 6 (0.4%), tests_pri_-950: 2 (0.1%), tests_pri_-900: 1.24 (0.1%), tests_pri_-400: 1.07 (0.1%), tests_pri_0: 1044 (69.4%), check_dkim_adsp: 6 (0.4%), check_spf: 0.46 (0.0%), check_razor2: 993 (66.0%), check_pyzor: 1.33 (0.1%), tests_pri_500: 8 (0.5%), get_report: 0.98 (0.1%) Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) mail checking ended: version_server=2\nlog_id=15176-01\nsetreply=250 2.5.0 Ok,%20id=15176-01,%20continue%20delivery\ninsheader=0 X-Spam-Status No,%20score=0.8%20tagged_above=-1000%20required=6.31%0a%09tests=[ALL_TRUSTED=-1,%20DKIM_ADSP_DISCARD=1.8]%20autolearn=no\ninsheader=0 X-Spam-Level \ninsheader=0 X-Spam-Score 0.8\ninsheader=0 X-Spam-Flag NO\ninsheader=0 X-Virus-Scanned amavisd-new%20at%20nausch.org\ninsheader=0 DKIM-Signature v=1;%20a=rsa-sha256;%20c=relaxed/simple;%20d=sec-mail.guru;%20h=%0a%09message-id:x-mailer:subject:subject:from:from:date:date;%20s=%0a%09140224;%20t=1417512354;%20x=1419326755;%20bh=ecGWgWCJeWxJFeM0urOVWP+KO%0a%09lqqvsQYKOpYUP8nk7I=;%20b=bbc1o4gOnL12XyR9cx6S48gTh2+gateXrSIzx4w2L%0a%09lABYNNQlCGNZn6Iz5y+ZXN58u6yZFgRw9EEhM3QjxV0LDZkjoAkzh7FeavWB0Qb6%0a%09y6A5ypdrnESeAio4JwiyokvkFqlOAB/qqNRdHuqRscQGxTvVsn0gRQfg68Ci3iRA%0a%09scz6B0bLGW497eqrp/HOeSEL1pUyw8PG79bnI+Nfe1d8DY1jxFl/WkTitjR2GlJ3%0a%09ncsCht/xcME6eJLzSo0Hk4BKYA77F1XJbFS... Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) ...utaHMJWCEFWtOk4ZaScFxkLsWm8Vy%0a%09kng6yaEP03EY1ExuKrK0ccI6Yrlj9Qt2fBrxEfZYcrJEBVQiZVLYeer6eooM55wS%0a%09aOb3JfgRHrD05gDVFSCYGOlScx5X6oglGXbYqSbq8qPB5W5U041GOODNrm+8l4Qt%0a%09evEA9HRwy0Py/DTgc89aLAnmVkzIyLKDStJoAYtW9RWYZreWwJV2IgmJ56Y3ptIq%0a%09kgVdQiv7F4LHccahsIujb+kDyvoqm894gpJKQE5Hag/e54jx8FCKLK6HwzKcu1LF%0a%09sqyKmYQitPXYejddKPLhdNgFixEOKESoZbyN22uxFVoqrPZw2Jv8E1ucyeSV/lPT%0a%09xiog65voE7/xTKnJuwhGPRonTlD85lxL7kiDrUpkX3oQ+j3b+lO1aeCaHxYMuPHZ%0a%09Ac=\nreturn_value=continue\nexit_code=0 Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) size: 495, TIMING [total 1645 ms] - got data: 0.0 (0%)0, check_init: 6 (0%)0, digest_hdr: 1.8 (0%)0, digest_body_dkim: 0.5 (0%)1, collect_info: 5 (0%)1, mkdir parts: 1.9 (0%)1, mime_decode: 10 (1%)2, get-file-type1: 19 (1%)3, parts_decode: 0.2 (0%)3, check_header: 0.6 (0%)3, AV-scan-1: 11 (1%)3, spam-wb-list: 0.7 (0%)3, SA msg read: 1.0 (0%)4, SA parse: 5 (0%)4, SA check: 1496 (91%)95, decide_mail_destiny: 9 (1%)95, notif-quar: 0.5 (0%)95, write-header: 9 (1%)96, fwd-data-dkim: 32 (2%)98, prepare-dsn: 1.3 (0%)98, report: 2.6 (0%)98, main_log_entry: 6 (0%)98, update_snmp: 1.5 (0%)98, rundown: 25 (2%)100 Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) extra modules loaded: unicore/lib/Gc/Nd.pl Dec 2 10:25:56 vml000067 amavis[15176]: (15176-01) load: 100 %, total idle 0.000 s, busy 1.668 s

MUA (Empfänger)

Der Empfänger findet nun im Mail-Postfach unsere Testnachricht.

Return-Path: <n3rd@sec-mail.guru> Delivered-To: django@nausch.org Received: from mx01.nausch.org ([10.0.0.87]) by imap.nausch.org (Dovecot) with LMTP id RLueGlCFfVS2FwAArK2B9Q for <django@nausch.org>; Tue, 02 Dec 2014 10:25:56 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sec-mail.guru; h= message-id:x-mailer:subject:subject:from:from:date:date; s= 140224; t=1417512354; x=1419326755; bh=ecGWgWCJeWxJFeM0urOVWP+KO lqqvsQYKOpYUP8nk7I=; b=bbc1o4gOnL12XyR9cx6S48gTh2+gateXrSIzx4w2L lABYNNQlCGNZn6Iz5y+ZXN58u6yZFgRw9EEhM3QjxV0LDZkjoAkzh7FeavWB0Qb6 y6A5ypdrnESeAio4JwiyokvkFqlOAB/qqNRdHuqRscQGxTvVsn0gRQfg68Ci3iRA scz6B0bLGW497eqrp/HOeSEL1pUyw8PG79bnI+Nfe1d8DY1jxFl/WkTitjR2GlJ3 ncsCht/xcME6eJLzSo0Hk4BKYA77F1XJbFSutaHMJWCEFWtOk4ZaScFxkLsWm8Vy kng6yaEP03EY1ExuKrK0ccI6Yrlj9Qt2fBrxEfZYcrJEBVQiZVLYeer6eooM55wS aOb3JfgRHrD05gDVFSCYGOlScx5X6oglGXbYqSbq8qPB5W5U041GOODNrm+8l4Qt evEA9HRwy0Py/DTgc89aLAnmVkzIyLKDStJoAYtW9RWYZreWwJV2IgmJ56Y3ptIq kgVdQiv7F4LHccahsIujb+kDyvoqm894gpJKQE5Hag/e54jx8FCKLK6HwzKcu1LF sqyKmYQitPXYejddKPLhdNgFixEOKESoZbyN22uxFVoqrPZw2Jv8E1ucyeSV/lPT xiog65voE7/xTKnJuwhGPRonTlD85lxL7kiDrUpkX3oQ+j3b+lO1aeCaHxYMuPHZ Ac= X-Virus-Scanned: amavisd-new at nausch.org X-Spam-Flag: NO X-Spam-Score: 0.8 X-Spam-Level: X-Spam-Status: No, score=0.8 tagged_above=-1000 required=6.31 tests=[ALL_TRUSTED=-1, DKIM_ADSP_DISCARD=1.8] autolearn=no Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx01.nausch.org (Postfix) with ESMTPS id C4DE0C00089 for <django@nausch.org>; Tue, 2 Dec 2014 10:25:54 +0100 (CET) Date: Tue, 02 Dec 2014 10:25:54 +0100 To: django@nausch.org From: n3rd@sec-mail.guru Subject: erste HAM-Testnachricht auf Port 25 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ X-Test: test eMail Message-Id: <20141202092554.C4DE0C00089@mx01.nausch.org> This is a test mailing

HAM auf Port 587 (MUA zu MSA Verkehr)

Als nächstes überprüfen wir, ob eine valide Testmail die einer unserer Mailboxinhaber von seinem MUA11) beim MSA12) erfolgreich einliefern kann, die dann im Benutzerkonto unseres Mailkontoinhabers eingestellt wird.

SMTP-Client (swaks)

Auch hier verschicken wir nun mit Hilfe von Swaks 13) von John Jetmore eine Nachricht an einen unserer eigenen Empfänger. Hierzu nutzen wir die Anmeldedaten eines unserer Testkonten und liefern die Nachricht auf dem Port 587 ein.

$ # swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header "Subject: zweite HAM-Testnachricht auf Port 587" --auth NTLM --auth-user n3rd@sec-mail.guru --auth-password Dj4n90-d3r-M41153rv3rguru!

=== Trying 10.0.0.87:587... === Connected to 10.0.0.87. <- 220 mx01.nausch.org ESMTP Postfix -> EHLO vml000087.dmz.nausch.org <- 250-mx01.nausch.org <- 250-PIPELINING <- 250-SIZE 52428800 <- 250-ETRN <- 250-STARTTLS <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> STARTTLS <- 220 2.0.0 Ready to start TLS === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 === TLS no local certificate set === TLS peer DN="/serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/OU=GT49447951/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.nausch.org" ~> EHLO vml000087.dmz.nausch.org <~ 250-mx01.nausch.org <~ 250-PIPELINING <~ 250-SIZE 52428800 <~ 250-ETRN <~ 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM <~ 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM <~ 250-ENHANCEDSTATUSCODES <~ 250-8BITMIME <~ 250 DSN ~> AUTH NTLM <~ 334 ~> TlRUMTVNTUAABAAAABU6IAAAAAAAAAAAAAAAAAAAAAAAA= <~ 334 TlRMTUVNTUAUACAAAAMAAwADUAAAAAFAUoIAOUeYM1Dy0gHAAAAAAAUAAAADgAOABgAAAAdgBtAGwAMAAwADAAMAA3ADcALgBkAG0AegAuAG4AYQB1AHMAYwBoAC4AbUwByAGcAAwAwAHYAbQBsADAAMAAwADAANwA3AC4AZABtAHoALgBuAGEAdQBzAGMAaAAuAG8AcgBnAAAAAAA= ~> UTlRMTVNTUAADUAAAAGAAYAEAAAAAYABUgAWAAAADAAMABwAAAAJAAkAKAAAAAkACQAxAAAAAAAAACoAAAABUQKCABKUTbcHiUVToxqvguZXpp6jgnmGYJ9jDa0UoXqDbxiyz+V1xFp8hFH2sd3yaZl/qjY3YAbQBsADUAAMAAwADAANwA3AC4AZABtAHoALUgBuAGEAdQBzAGMUAaAAuAG8AcgBnAG4AMwByAGQAQABzAGUAYwAtAG0AYQBpAGwALgBnAHUAcgB1AG4AMwByAGQAQABzAGUAYwAtAG0UAYQBpAGwALgBnAHUAcgB1AA== <~ 235 2.7.0 Authentication successful ~> MAIL FROM:<n3rd@sec-mail.guru> <~ 250 2.1.0 Ok ~> RCPT TO:<django@nausch.org> <~ 250 2.1.5 Ok ~> DATA <~ 354 End data with <CR><LF>.<CR><LF> ~> Date: Tue, 02 Dec 2014 11:12:08 +0100 ~> To: django@nausch.org ~> From: n3rd@sec-mail.guru ~> Subject: zweite HAM-Testnachricht auf Port 587 ~> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ ~> X-Test: test eMail ~> ~> This is a test mailing ~> ~> . <~ 250 2.0.0 Ok: queued as 2E10CC00088 ~> QUIT <~ 221 2.0.0 Bye === Connection closed with remote host.

Hier bemerken wir keine Verzögerung bei der Annahme der Nachricht, da der Absender die Nachricht auf Port 587 einlieferte und die komplette Nachricht erst nach Annahme der Nachricht mit einem 250er vom Postfix- und AMaViS-Server gescannt wird.

SMTP-Server

Auf unserem Borderfilter finden wir auch die relevanten Einträge zu unserer Test-Nachricht im Maillog.

# less /var/log/maillog

Dec 2 11:12:09 vml000087 postfix/submission/smtpd[27385]: connect from vml000087.dmz.nausch.org[10.0.0.87] Dec 2 11:12:09 vml000087 postfix/submission/smtpd[27385]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Dec 2 11:12:09 vml000087 postfix/submission/smtpd[27385]: 2E10CC00088: client=vml000087.dmz.nausch.org[10.0.0.87], sasl_method=NTLM, sasl_username=n3rd@sec-mail.guru Dec 2 11:12:09 vml000087 postfix/cleanup[27387]: 2E10CC00088: message-id=<20141202101209.2E10CC00088@mx01.nausch.org> Dec 2 11:12:09 vml000087 postfix/qmgr[27247]: 2E10CC00088: from=<n3rd@sec-mail.guru>, size=613, nrcpt=1 (queue active) Dec 2 11:12:09 vml000087 postfix/submission/smtpd[27385]: disconnect from vml000087.dmz.nausch.org[10.0.0.87] Dec 2 11:12:09 vml000087 postfix/smtpd[27379]: connect from vml000067.dmz.nausch.org[10.0.0.67] Dec 2 11:12:09 vml000087 postfix/smtpd[27379]: BB77CC00089: client=vml000067.dmz.nausch.org[10.0.0.67], orig_client=unknown[10.0.0.87] Dec 2 11:12:09 vml000087 postfix/cleanup[27387]: BB77CC00089: message-id=<20141202101209.2E10CC00088@mx01.nausch.org> Dec 2 11:12:09 vml000087 postfix/qmgr[27247]: BB77CC00089: from=<n3rd@sec-mail.guru>, size=2395, nrcpt=1 (queue active) Dec 2 11:12:09 vml000087 postfix/smtp[27388]: 2E10CC00088: to=<django@nausch.org>, relay=10.0.0.67[10.0.0.67]:10024, delay=0.65, delays=0.06/0.03/0.01/0.54, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as BB77CC00089) Dec 2 11:12:09 vml000087 postfix/qmgr[27247]: 2E10CC00088: removed Dec 2 11:12:10 vml000087 postfix/lmtp[27389]: BB77CC00089: to=<django@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.27, delays=0.03/0.02/0.06/0.17, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> 5VK5M3mQfVQ+HQAArK2B9Q Saved) Dec 2 11:12:10 vml000087 postfix/qmgr[27247]: BB77CC00089: removed

ASAV-Host

Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.

# less /var/log/maillog

Dec 2 11:12:09 vml000067 amavis[15389]: loaded policy bank "ORIGINATING" Dec 2 11:12:09 vml000067 amavis[15389]: process_request: fileno sock=13, STDIN=0, STDOUT=1 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) ESMTP:[10.0.0.67]:10024 /var/spool/amavisd/tmp/amavis-20141202T111209-15389-JkrxvcKa: <n3rd@sec-mail.guru > -> <django@nausch.org> Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new, port 1 0024) with ESMTP for <django@nausch.org>; Tue, 2 Dec 2014 11:12:09 +0100 (CET) Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) body hash: 5e4a6c05336dff65870f1c8870955b2a Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) ip_trace: 10.0.0.87 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) client IP address unknown, fetched from Received: 10.0.0.87 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) Checking: SUMj5uZrONx7 ORIGINATING [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org> Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) 2822.From: <n3rd@sec-mail.guru> Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) p001 1 Content-Type: text/plain, size: 24 B, name: Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) inspect_dsn: not a bounce Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) Checking for banned types and filenames Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) skipping banned check: all recipients bypass banned checks Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) presenting full original message to scanners as /var/spool/amavisd/tmp/amavis-20141202T111209-15389-Jkrxv cKa/parts/p002 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/tmp/amavis-20141202T111209-15389-JkrxvcKa /parts\n Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) ClamAV-clamd: Connecting to socket /var/run/clamd.amavisd/clamd.sock Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/amavis-20141202T111209-15389-JkrxvcKa/parts\n to so cket /var/run/clamd.amavisd/clamd.sock Dec 2 11:12:09 vml000067 clamd[1278]: SelfCheck: Database status OK. Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) rw_loop read: got eof Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) run_av (ClamAV-clamd): CLEAN Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) run_av (ClamAV-clamd) result: clean Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as STRING, recips_ind [0], user: "amavis" Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) spam_scan: score=0.8 autolearn=no tests=[ALL_TRUSTED=-1,DKIM_ADSP_DISCARD=1.8] recips=0 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) spam_scan: dsn_suppress_reason DKIM_ADSP_DISCARD Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) do_notify_and_quar: ccat=CleanTag (1,1) ("1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(), qar_mth= Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) delivery method is 1, recips: django@nausch.org Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) spam-tag, <n3rd@sec-mail.guru> -> <django@nausch.org>, No, score=0.8 tagged_above=-1000 required=6.31 tests=[ALL_TRUSTED=-1, DKIM_ADSP_DISCARD=1.8] autolearn=no Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) dkim: candidate originators: From:<n3rd@sec-mail.guru> Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) dkim: signing (author), From: <n3rd@sec-mail.guru> (From:<n3rd@sec-mail.guru>), KEY.h=>sha256, KEY.key_ind=>13, a=>rsa-sha256, c=>relaxed/simple, d=>sec-mail.guru, s=>140224, ttl=>1814400, x=>1419329530 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp session: setting up a new session Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) new socket using IO::Socket::IP to [10.0.0.87]:10025, timeout 35 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 7.9 ms Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp cmd> EHLO viruswall.dmz.nausch.org Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp cmd> XFORWARD ADDR=10.0.0.87 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp resp to XFORWARD: 250 2.0.0 Ok Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM' Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp cmd> MAIL FROM:<n3rd@sec-mail.guru> BODY=7BIT Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp cmd> RCPT TO:<django@nausch.org> ORCPT=rfc822;django@nausch.org Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp cmd> DATA Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp resp to MAIL (pip): 250 2.1.0 Ok Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp resp to RCPT (pip) (<django@nausch.org>): 250 2.1.5 Ok Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF> Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) smtp resp to data-dot (<django@nausch.org>): 250 2.0.0 Ok: queued as BB77CC00089, dt: 22.7 ms Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) Amavis::Out::SMTP::Session close, keeping connection Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) SUMj5uZrONx7 FWD from <n3rd@sec-mail.guru> -> <django@nausch.org>, BODY=7BIT 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as BB77CC00089 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) DSN: sender is credible (orig), SA: 0.800, <n3rd@sec-mail.guru> Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) status counters: InMsgsStatus{Relayed,RelayedUntagged,RelayedUntaggedInternal,RelayedUntaggedOriginating} Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>, Message-ID: <20141202101209.2E10CC00088@mx01.nausch.org>, mail_id: SUMj5uZrONx7, Hits: 0.8, size: 613, queued_as: BB77CC00089, dkim_new=140224:sec-mail.guru, 546 ms Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) TIMING-SA total 329 ms - parse: 1.50 (0.5%), extract_message_metadata: 4 (1.2%), get_uri_detail_list: 0.36 (0.1%), tests_pri_-1000: 7 (2.2%), tests_pri_-950: 1.99 (0.6%), tests_pri_-900: 1.37 (0.4%), tests_pri_-400: 1.22 (0.4%), tests_pri_0: 289 (87.8%), check_dkim_adsp: 6 (1.8%), check_spf: 0.44 (0.1%), check_razor2: 242 (73.4%), check_pyzor: 0.26 (0.1%), tests_pri_500: 4 (1.1%), get_report: 0.99 (0.3%) Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) sending SMTP response: "250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as BB77CC00089" Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) size: 613, TIMING [total 553 ms] - SMTP greeting: 9 (2%)2, SMTP EHLO: 2.6 (0%)2, SMTP pre-MAIL: 0.6 (0%)2, mkdir tempdir: 1.4 (0%)2, create email.txt: 0.3 (0%)2, SMTP pre-DATA-flush: 4.1 (1%)3, SMTP DATA: 37 (7%)10, check_init: 0.9 (0%)10, digest_hdr: 1.5 (0%)10, digest_body_dkim: 0.6 (0%)10, collect_info: 2.6 (0%)11, mkdir parts: 1.8 (0%)11, mime_decode: 11 (2%)13, get-file-type1: 17 (3%)16, parts_decode: 0.2 (0%)16, check_header: 0.5 (0%)16, AV-scan-1: 11 (2%)18, spam-wb-list: 0.9 (0%)18, SA msg read: 0.8 (0%)19, SA parse: 3.6 (1%)19, SA check: 321 (58%)77, decide_mail_destiny: 9 (2%)79, notif-quar: 0.5 (0%)79, write-header: 10 (2%)81, fwd-data-dkim: 32 (6%)86, fwd-connect: 19 (3%)90, fwd-xforward: 2.3 (0%)90, fwd-mail-pip: 2.8 (1%)91, fwd-rcpt-pip: 0.2 (0%)91, fwd-data-chkpnt: 0.1 (0%)91, write-header: 0.5 (0%)91, fwd-data-contents: 0.0 (0%)91, fwd-end-chkpnt: 25 (4%)95, prepare-dsn: 1.6 (0%)96, report: 3.5 (1%)96, main_log_entry: 15 (3%)99, update_... Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) ...snmp: 3.1 (1%)100, SMTP pre-response: 0.7 (0%)100, SMTP response: 0.3 (0%)100, unlink-2-files: 0.6 (0%)100, rundown: 1.1 (0%)100 Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) extra modules loaded: unicore/lib/Gc/Nd.pl Dec 2 11:12:09 vml000067 amavis[15389]: (15389-01) load: 100 %, total idle 0.002 s, busy 0.579 s

MUA (Empfänger)

Der Empfänger findet nun im Mail-Postfach unsere Testnachricht. Im Gegensatz zum vorangegangenen Testlauf mit Einlieferung auf Port 25, sehen wir hier im Mailheader den „Schleifendurchlauf“ beim Host viruswall.dmz.nausch.org nach Annahme der Nachricht durch den MSA14).

Return-Path: <n3rd@sec-mail.guru> Delivered-To: django@nausch.org Received: from mx01.nausch.org ([10.0.0.87]) by imap.nausch.org (Dovecot) with LMTP id 5VK5M3mQfVQ+HQAArK2B9Q for <django@nausch.org>; Tue, 02 Dec 2014 11:12:09 +0100 Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67]) by mx01.nausch.org (Postfix) with ESMTP id BB77CC00089 for <django@nausch.org>; Tue, 2 Dec 2014 11:12:09 +0100 (CET) Authentication-Results: viruswall.dmz.nausch.org (amavisd-new); dkim=pass (4096-bit key) reason="pass (just generated, assumed good)" header.d=sec-mail.guru DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sec-mail.guru; h= message-id:x-mailer:subject:subject:from:from:date:date:received :received; s=140224; t=1417515129; x=1419329530; bh=ecGWgWCJeWxJ FeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=; b=ArHGWDQmYsdOa/OUk+FpIUpi8qRa G+/9TXitESTLrp1rCIFdjV51KpaBAkhyMrb2gk3pq+vaBNElRHK1BOD1F26ce/xp CnwvExI5giMa8vWs1tGHKRGpGVOFqxkw8IIGHroNNIF79Xky/6NLQYuC+Tf6Q3C4 lIZcJivSK5RDzmMhn08v7KhJ8vW6EOIDAgKCD+HNpk60XKZ3OfWq3nerVTt/Z7pC kGdf/QGLO6j4gKhotHLExOTYHh9wsVojw9Cwl//yvmAxRaQ8uD5yJqvii/CFpvAy lzngq0uEYBGGDdtshrQjTECePpAFus3BSFHIJZWZwLl5kKlvyv9FNzilrQBTPia1 6QeqAjoGEpqhLVPVWnVD0W9CFIBqpSUhxZ9zyYy7I9qDgGSh2XTo3YqXJWehfvDs XyVvAW/BVn75/DYNRcsHT0Q8kkqdhOT1pPiGEc35297BngjqZpCq3nNFWHBgcfgv I+pB+ld87SuC/ocAJUjqhG1Onn/RH44OsY24Pprl1/G1sVC/YgnuejE2CRg5JGd1 pg0Yic5HMkdCPr6ClxYA4f4sOQq1ESeqTbs44oLVohLYMZ9ZBV0qDSLG5b2VGinn jI9NsZij40fDFsLf10f2LD050NpezV4du0Bd9Jgk930ft95yLzH2h5oMCJFN0hfR 7+VYBVdVW1J0EAo= X-Virus-Scanned: amavisd-new at nausch.org X-Spam-Flag: NO X-Spam-Score: 0.8 X-Spam-Level: X-Spam-Status: No, score=0.8 tagged_above=-1000 required=6.31 tests=[ALL_TRUSTED=-1, DKIM_ADSP_DISCARD=1.8] autolearn=no Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new, port 10024) with ESMTP id SUMj5uZrONx7 for <django@nausch.org>; Tue, 2 Dec 2014 11:12:09 +0100 (CET) Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx01.nausch.org (Postfix) with ESMTPSA id 2E10CC00088 for <django@nausch.org>; Tue, 2 Dec 2014 11:12:09 +0100 (CET) Date: Tue, 02 Dec 2014 11:12:08 +0100 To: django@nausch.org From: n3rd@sec-mail.guru Subject: zweite HAM-Testnachricht auf Port 587 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ X-Test: test eMail Message-Id: <20141202101209.2E10CC00088@mx01.nausch.org> This is a test mailing

GTUBE auf Port 25 (MTA zu MTA Verkehr)

SMTP-Client (swaks)

Als nächstes versuchen wir eine SPAM-Mail mit Hilfe von Swaks 15) an einen unserer eigenen Empfänger zu verschicken. Dazu laden wir uns erst einmal die GTUBE Testmail auf unseren Rechner.

# wget http://spamassassin.apache.org/gtube/gtube.txt

# less gtube.txt

Subject: Test spam mail (GTUBE) Message-ID: <GTUBE1.1010101@example.net> Date: Wed, 23 Jul 2003 23:30:00 +0200 From: Sender <sender@example.net> To: Recipient <recipient@example.net> Precedence: junk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit This is the GTUBE, the Generic Test for Unsolicited Bulk Email If your spam filter supports it, the GTUBE provides a test by which you can verify that the filter is installed correctly and is detecting incoming spam. You can send yourself a test mail containing the following string of characters (in upper case and with no white spaces and line breaks): XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X You should send this test mail from an account outside of your network.

Diese Nachricht versuchen wir nun loszuschicken:

# swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 25 --tls --header "Subject: dritte GTUBE-Testnachricht auf Port 25" --body gtube.txt

=== Trying 10.0.0.87:25... === Connected to 10.0.0.87. <- 220 mx01.nausch.org ESMTP Postfix -> EHLO vml000087.dmz.nausch.org <- 250-mx01.nausch.org <- 250-PIPELINING <- 250-SIZE 52428800 <- 250-ETRN <- 250-STARTTLS <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> STARTTLS <- 220 2.0.0 Ready to start TLS === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 === TLS no local certificate set === TLS peer DN="/serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/OU=GT49447951/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.nausch.org" ~> EHLO vml000087.dmz.nausch.org <~ 250-mx01.nausch.org <~ 250-PIPELINING <~ 250-SIZE 52428800 <~ 250-ETRN <~ 250-ENHANCEDSTATUSCODES <~ 250-8BITMIME <~ 250 DSN ~> MAIL FROM:<n3rd@sec-mail.guru> <~ 250 2.1.0 Ok ~> RCPT TO:<django@nausch.org> <~ 250 2.1.5 Ok ~> DATA <~ 354 End data with <CR><LF>.<CR><LF> ~> Date: Tue, 02 Dec 2014 12:10:34 +0100 ~> To: django@nausch.org ~> From: n3rd@sec-mail.guru ~> Subject: dritte GTUBE-Testnachricht auf Port 25 ~> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ ~> X-Test: test eMail ~> ~> Subject: Test spam mail (GTUBE) ~> Message-ID: <GTUBE1.1010101@example.net> ~> Date: Wed, 23 Jul 2003 23:30:00 +0200 ~> From: Sender <sender@example.net> ~> To: Recipient <recipient@example.net> ~> Precedence: junk ~> MIME-Version: 1.0 ~> Content-Type: text/plain; charset=us-ascii ~> Content-Transfer-Encoding: 7bit ~> ~> This is the GTUBE, the ~> Generic ~> Test for ~> Unsolicited ~> Bulk ~> Email ~> ~> If your spam filter supports it, the GTUBE provides a test by which you ~> can verify that the filter is installed correctly and is detecting incoming ~> spam. You can send yourself a test mail containing the following string of ~> characters (in upper case and with no white spaces and line breaks): ~> ~> XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X ~> ~> You should send this test mail from an account outside of your network. ~> ~> ~> ~> . <~* 554 5.7.0 Reject, id=15388-01 - spam. Contact your postmaster/admin for technical assistance. He can achieve our postmaster via email: postmaster@nausch.org or via fax: +49 8121 883179. In any case, please provide the following information in your problem report: This error message, time (Dec 02 12:10:36), client (10.0.0.87) and server (mx01.nausch.org). ~> QUIT <~ 221 2.0.0 Bye

Wie wir sehen können hat der SMTP-Server die Annahme der Nachricht mit dem Fehlercode 554 5.7.0 Reject, id=15388-01 - spam. verweigert. Zu dieser Fehlermeldung erhält der einliefernde SMTP-Client noch Informationen wie er sichh ggf mit uns in Verbindung setzen kann.

SMTP-Server

Auf unserem Borderfilter finden wir im Maillog auch die relevanten Einträge zu dem Versuch eine SPAM-Mail einzuliefern.

# less /var/log/maillog

Dec 2 12:10:34 vml000087 postfix/smtpd[27450]: connect from vml000087.dmz.nausch.org[10.0.0.87] Dec 2 12:10:34 vml000087 postfix/smtpd[27450]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Dec 2 12:10:35 vml000087 postfix/smtpd[27450]: 5651EC00088: client=vml000087.dmz.nausch.org[10.0.0.87] Dec 2 12:10:35 vml000087 postfix/cleanup[27456]: 5651EC00088: message-id=<20141202111035.5651EC00088@mx01.nausch.org> Dec 2 12:10:36 vml000087 postfix/cleanup[27456]: 5651EC00088: milter-reject: END-OF-MESSAGE from vml000087.dmz.nausch.org[10.0.0.87]: 5.7.0 Reject, id=15388-01 - spam; from=<n3rd@sec-mail.guru> to=<django@nausch.org> proto=ESMTP helo=<vml000087.dmz.nausch.org> Dec 2 12:10:36 vml000087 postfix/smtpd[27450]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]

Hir finden wie auch die id=15388-01 wieder, die uns der AMaViS-Host genannt hat. Diesen können wir nun verwenden um auf dem AMaViS-Host im Maillog zu suchen um in Erfahrung zu bringen, warum die Nachricht abgeleht wurde.

ASAV-Host

Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.

# less /var/log/maillog

Dec 2 12:10:35 vml000067 amavis[15388]: loaded policy bank "AM.PDP-SOCK" Dec 2 12:10:35 vml000067 amavis[15388]: process_request: fileno sock=13, STDIN=0, STDOUT=1 Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: request=AM.PDP Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: queue_id=5651EC00088 Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: sender=<n3rd@sec-mail.guru> Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: recipient=<django@nausch.org> Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: tempdir=/var/spool/amavisd/tmp/afXXXXH8hJPB Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: tempdir_removed_by=client Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: mail_file=/var/spool/amavisd/tmp/afXXXXH8hJPB/email.txt Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: delivery_care_of=client Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: client_address=10.0.0.87 Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: client_name=vml000087.dmz.nausch.org Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: helo_name=vml000087.dmz.nausch.org Dec 2 12:10:35 vml000067 amavis[15388]: policy protocol: policy_bank=mx01.nausch.org Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) Request: AM.PDP /var/spool/amavisd/tmp/afXXXXH8hJPB: <n3rd@sec-mail.guru> -> <django@nausch.org> Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) loaded policy bank "MYNETS" over "AM.PDP-SOCK" Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) body hash: 4c7abc06887b1723a5b47a0f9562fd5c Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) ip_trace: 10.0.0.87 Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) Checking: pMRMheNjbXZG AM.PDP-SOCK/MYNETS [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org> Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) 2822.From: <n3rd@sec-mail.guru> Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) p001 1 Content-Type: text/plain, size: 801 B, name: Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) inspect_dsn: not a bounce Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) Checking for banned types and filenames Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) collect banned table[0]: django@nausch.org, tables: Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) p.path django@nausch.org: "P=p001,L=1,M=text/plain,T=asc" Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) presenting full original message to scanners as /var/spool/amavisd/tmp/afXXXXH8hJPB/parts/p002 Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/tmp/afXXXXH8hJPB/parts\n Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) ClamAV-clamd: Connecting to socket /var/run/clamd.amavisd/clamd.sock Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10 Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/afXXXXH8hJPB/parts\n to socket /var/run/clamd.amavisd/clamd.sock Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) rw_loop read: got eof Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) run_av (ClamAV-clamd): CLEAN Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) run_av (ClamAV-clamd) result: clean Dec 2 12:10:35 vml000067 amavis[15388]: (15388-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as STRING, recips_ind [0], user: "amavis" Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) spam_scan: score=1000.8 autolearn=no tests=[ALL_TRUSTED=-1,DKIM_ADSP_DISCARD=1.8,GTUBE=1000] recips=0 Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) spam_scan: dsn_suppress_reason DKIM_ADSP_DISCARD Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) blocking contents category is (6) for django@nausch.org, final_destiny -3 Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) do_notify_and_quar: ccat=Spam (6,0) ("6":Spam, "5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(6), qar_mth= Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) delivery method is 1, recips: django@nausch.org Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) DSN: sender is credible (orig), SA: 1000.800, <n3rd@sec-mail.guru> Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) status counters: InMsgsStatus{Rejected,RejectedInternal,RejectedOriginating} Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) Blocked SPAM {RejectedInternal}, AM.PDP-SOCK/MYNETS LOCAL [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>, Queue-ID: 5651EC00088, Message-ID: <20141202111035.5651EC00088@mx01.nausch.org>, mail_id: pMRMheNjbXZG, Hits: 1000.8, size: 1301, 771 ms Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) TIMING-SA total 691 ms - parse: 1.82 (0.3%), extract_message_metadata: 15 (2.1%), poll_dns_idle: 0.50 (0.1%), get_uri_detail_list: 1.64 (0.2%), tests_pri_-1000: 6 (0.9%), tests_pri_-950: 1.93 (0.3%), tests_pri_-900: 1.33 (0.2%), tests_pri_-400: 1.06 (0.2%), tests_pri_0: 644 (93.1%), check_dkim_adsp: 6 (0.8%), check_spf: 0.58 (0.1%), check_razor2: 531 (76.8%), check_pyzor: 0.26 (0.0%), tests_pri_500: 4 (0.6%), get_report: 1.36 (0.2%) Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) mail checking ended: version_server=2\nlog_id=15388-01\nsetreply=554 5.7.0 Reject,%20id=15388-01%20-%20spam\nreturn_value=reject\nexit_code=69 Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) size: 1301, TIMING [total 774 ms] - got data: 0.0 (0%)0, check_init: 6 (1%)1, digest_hdr: 1.8 (0%)1, digest_body_dkim: 0.4 (0%)1, collect_info: 4.9 (1%)2, mkdir parts: 1.9 (0%)2, mime_decode: 10 (1%)3, get-file-type1: 19 (2%)6, parts_decode: 0.2 (0%)6, check_header: 0.5 (0%)6, AV-scan-1: 16 (2%)8, spam-wb-list: 0.7 (0%)8, SA msg read: 0.8 (0%)8, SA parse: 4.8 (1%)9, SA check: 682 (88%)97, decide_mail_destiny: 10 (1%)98, notif-quar: 0.6 (0%)98, prepare-dsn: 1.0 (0%)98, report: 2.0 (0%)99, main_log_entry: 8 (1%)100, update_snmp: 1.8 (0%)100, rundown: 1.1 (0%)100 Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) extra modules loaded: unicore/lib/Gc/Nd.pl Dec 2 12:10:36 vml000067 amavis[15388]: (15388-01) load: 100 %, total idle 0.000 s, busy 0.809 s

GTUBE auf Port 587 (MUA zu MSA Verkehr)

Als nächstes überprüfen wir, ob wir die GTUBE-Testmail als authentifizierten User von einem MUA16) beim MSA17) erfolgreich einliefern können.

SMTP-Client (swaks)

Das bereits heruntergeladene GTUBE-Testmail versuchen wir nun mit mit Hilfe von Swaks 18) an einen unserer eigenen Empfänger zu verschicken.

# swaks --to django@nausch.org --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header "Subject: vierte Testnachricht SPAM auf Port 587" --auth NTLM --auth-user n3rd@sec-mail.guru --auth-password Dj4n90-d3r-M41153rv3rguru! --body gtube.txt

=== Trying 10.0.0.87:587... === Connected to 10.0.0.87. <- 220 mx01.nausch.org ESMTP Postfix -> EHLO vml000087.dmz.nausch.org <- 250-mx01.nausch.org <- 250-PIPELINING <- 250-SIZE 52428800 <- 250-ETRN <- 250-STARTTLS <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> STARTTLS <- 220 2.0.0 Ready to start TLS === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 === TLS no local certificate set === TLS peer DN="/serialNumber=3S7x2lcbYiAccKZPoha0MSwP5hNsuSTP/OU=GT49447951/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.nausch.org" ~> EHLO vml000087.dmz.nausch.org <~ 250-mx01.nausch.org <~ 250-PIPELINING <~ 250-SIZE 52428800 <~ 250-ETRN <~ 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM <~ 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM <~ 250-ENHANCEDSTATUSCODES <~ 250-8BITMIME <~ 250 DSN ~> AUTH NTLM <~ 334 ~> TlRUMTVNTUAABAAAABU6IAAAAAAAAAAAAAAAAAAAAAAAA= <~ 334 UTlRMTVNTUAADUAAAAGAAYAEAAAAAYABUgAWAAAADAAMABwAAAAJAAkAKAAAAAkACQAxAAAAAAAAACoAAAABUQKCABKUTbcHiUVToxqvguZXpp6jgnmGYJ9jDa0UoXqDbxiyz+V1xFp8hFH2sd3yaZl/qjY3YAbQBsADUAAMAAwADAANwA3AC4AZABtAHoALUgBuAGEAdQBzAGMUAaAAuAG8AcgBnAG4AMwByAGQAQABzAGUAYwAtAG0AYQBpAGwALgBnAHUAcgB1AG4AMwByAGQAQABzAGUAYwAtAG0UAYQBpAGwALgBnAHUAcgB1AA== <~ 235 2.7.0 Authentication successful ~> MAIL FROM:<n3rd@sec-mail.guru> <~ 250 2.1.0 Ok ~> RCPT TO:<django@nausch.org> <~ 250 2.1.5 Ok ~> DATA <~ 354 End data with <CR><LF>.<CR><LF> ~> Date: Tue, 02 Dec 2014 15:27:15 +0100 ~> To: django@nausch.org ~> From: n3rd@sec-mail.guru ~> Subject: vierte Testnachricht SPAM auf Port 587 ~> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ ~> X-Test: test eMail ~> ~> Subject: Test spam mail (GTUBE) ~> Message-ID: <GTUBE1.1010101@example.net> ~> Date: Wed, 23 Jul 2003 23:30:00 +0200 ~> From: Sender <sender@example.net> ~> To: Recipient <recipient@example.net> ~> Precedence: junk ~> MIME-Version: 1.0 ~> Content-Type: text/plain; charset=us-ascii ~> Content-Transfer-Encoding: 7bit ~> ~> This is the GTUBE, the ~> Generic ~> Test for ~> Unsolicited ~> Bulk ~> Email ~> ~> If your spam filter supports it, the GTUBE provides a test by which you ~> can verify that the filter is installed correctly and is detecting incoming ~> spam. You can send yourself a test mail containing the following string of ~> characters (in upper case and with no white spaces and line breaks): ~> ~> XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X ~> ~> You should send this test mail from an account outside of your network. ~> ~> ~> ~> . <~ 250 2.0.0 Ok: queued as E5401C00088 ~> QUIT <~ 221 2.0.0 Bye === Connection closed with remote host.

Die Nachricht wird dem authentifizierten User abgenommen und mit einem 250er bestätigt. Heißt das nun, dass unsere Konfiguration fehlerhaft ist, oder der Contentscanner nicht richtig funktioniert? Nein, ganz und gar nicht! Wir haben bei der Konfiguration explizit angegeben, dass wir Nachrichten von authentifizierten Nutzern sofort anzunehmen und erst im zweiten Schritt scannen wollen und genau das macht unser AMaViS-Server auch.

Den genauen Ablauf dazu, sehen wir uns nun im Detail an.

SMTP-Server (Teil 1 von 3)

Im Maillog unseres Borderfilters sehen wir nun zu unserem gerade durchgeführten Versuch mehrere zusammenhängende Logeinträge.

# less /var/log/maillog

Zunächst sehen wir den TLS-Verbindungsaufbau, gefolgt von der erfolgreichen Authentifizierung unseres Users und die Entgegennahme der eMail vom MSA19).

Dec 2 15:27:15 vml000087 postfix/submission/smtpd[27678]: connect from vml000087.dmz.nausch.org[10.0.0.87] Dec 2 15:27:15 vml000087 postfix/submission/smtpd[27678]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Dec 2 15:27:15 vml000087 postfix/submission/smtpd[27678]: E5401C00088: client=vml000087.dmz.nausch.org[10.0.0.87], sasl_method=NTLM, sasl_username=n3rd@sec-mail.guru Dec 2 15:27:15 vml000087 postfix/cleanup[27683]: E5401C00088: message-id=<20141202142715.E5401C00088@mx01.nausch.org> Dec 2 15:27:15 vml000087 postfix/qmgr[27247]: E5401C00088: from=<n3rd@sec-mail.guru>, size=1417, nrcpt=1 (queue active) Dec 2 15:27:15 vml000087 postfix/submission/smtpd[27678]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]

ASAV-Host

Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.

# less /var/log/maillog

Dec 2 15:27:16 vml000067 amavis[15668]: loaded policy bank "ORIGINATING" Dec 2 15:27:16 vml000067 amavis[15668]: process_request: fileno sock=13, STDIN=0, STDOUT=1 Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) ESMTP:[10.0.0.67]:10024 /var/spool/amavisd/tmp/amavis-20141202T152716-15668-4MUitFJK: <n3rd@sec-mail.guru> -> <django@nausch. org> Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new, port 10024) with ESMTP for <django@nausch.org> ; Tue, 2 Dec 2014 15:27:16 +0100 (CET) Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) body hash: 4c7abc06887b1723a5b47a0f9562fd5c Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) ip_trace: 10.0.0.87 Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) client IP address unknown, fetched from Received: 10.0.0.87 Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) Checking: o1aYnuSaPRGv ORIGINATING [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org> Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) 2822.From: <n3rd@sec-mail.guru> Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) p001 1 Content-Type: text/plain, size: 801 B, name: Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) inspect_dsn: not a bounce Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) Checking for banned types and filenames Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) skipping banned check: all recipients bypass banned checks Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) presenting full original message to scanners as /var/spool/amavisd/tmp/amavis-20141202T152716-15668-4MUitFJK/parts/p002 Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/tmp/amavis-20141202T152716-15668-4MUitFJK/parts\n Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) ClamAV-clamd: Connecting to socket /var/run/clamd.amavisd/clamd.sock Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10 Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/amavis-20141202T152716-15668-4MUitFJK/parts\n to socket /var/run/clamd. amavisd/clamd.sock Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) rw_loop read: got eof Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) run_av (ClamAV-clamd): CLEAN Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) run_av (ClamAV-clamd) result: clean Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as STRING, recips_ind [0], user: "amavis" Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) spam_scan: score=1000.8 autolearn=no tests=[ALL_TRUSTED=-1,DKIM_ADSP_DISCARD=1.8,GTUBE=1000] recips=0 Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) spam_scan: dsn_suppress_reason DKIM_ADSP_DISCARD Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) blocking contents category is (6) for django@nausch.org, final_destiny -3

Der SPAM-Wert von 1000.8 liegt doch „etwas über“ unserem definierten Wert von 6.31, die Nachricht wird also nicht zugestellt!

Gemäß unserer Konfiguration erhält der der Empfänger virusalert@nausch.org eine Nachricht von postmaster@nausch.org mit dem Details zu der SPAM-Mail. Der Postmaster kann so reagieren und mit dem authentifizierten Mailbox-Nutzer Kontalt aufnehmen und diesen ggf. darauf hinweisen, dass unter Umständen sein Rechner von einem Zombie gekapert wurde und dieser munter SPAM-Mails verschicken will. Ein weitere Ursache könnte auch ein durch eine Brute-Force-Methode geknacktem Mailkonto, da dort z.B. irgend ein Trivialpasswort verwendet wurde, was leider durchweg des öfteren vorkommt.

So kann der Postmaster tätig werden und weiteren Schaden vom Mailserver abwenden, bevor der eigene Server auf einer Blacklist landet und so dann gar keine Nachricht mehr verschickt werden könnte.

Im Maillog des AMaViS-Servers sehen wir nun, dass der Daemon die entsprechende Nachricht an den definierten Bearbeiter verschicken wird.

# less /var/log/maillog

Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) do_notify_and_quar: ccat=Spam (6,0) ("6":Spam, "5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(6), qar_mth= Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) dkim: candidate originators: From:<postmaster@nausch.org> Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) dkim: signing (author), From: <postmaster@nausch.org> (From:<postmaster@nausch.org>), KEY.h=>sha256, KEY.key_ind=>1, a=>rsa-sha256, c=>relaxed/simple, d=>nausch.org, s=>140224, ttl=>1814400, x=>1419344837 Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp session: setting up a new session Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) new socket using IO::Socket::IP to [10.0.0.87]:10025, timeout 35 Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 52.5 ms Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp cmd> EHLO viruswall.dmz.nausch.org Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM' Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp cmd> MAIL FROM:<postmaster@nausch.org> ENVID=AM.ofn-luxWKSUo.20141202T142716Z@viruswall.dmz.nausch.org Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp cmd> RCPT TO:<virusalert@nausch.org> Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp cmd> DATA Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp resp to MAIL (pip): 250 2.1.0 Ok Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp resp to RCPT (pip) (<virusalert@nausch.org>): 250 2.1.5 Ok Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF> Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) smtp resp to data-dot (<virusalert@nausch.org>): 250 2.0.0 Ok: queued as 9A6FBC00089, dt: 40.0 ms Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) Amavis::Out::SMTP::Session close, keeping connection Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) ofn-luxWKSUo(o1aYnuSaPRGv) SEND from <postmaster@nausch.org> -> <virusalert@nausch.org>, ENVID=AM.ofn-luxWKSUo.20141202T142716Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as 9A6FBC00089 Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) delivery method is 1, recips: django@nausch.org Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) DSN: sender is credible (orig), SA: 1000.800, <n3rd@sec-mail.guru> Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) status counters: InMsgsStatus{Rejected,RejectedInternal,RejectedOriginating} Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) Blocked SPAM {RejectedInternal}, ORIGINATING LOCAL [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>, Message-ID: <20141202142715.E5401C00088@mx01.nausch.org>, mail_id: o1aYnuSaPRGv, Hits: 1000.8, size: 1417, 692 ms Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) TIMING-SA total 404 ms - parse: 1.77 (0.4%), extract_message_metadata: 15 (3.6%), poll_dns_idle: 0.24 (0.1%), get_uri_detail_list: 1.66 (0.4%), tests_pri_-1000: 7 (1.7%), tests_pri_-950: 2.00 (0.5%), tests_pri_-900: 1.29 (0.3%), tests_pri_-400: 1.03 (0.3%), tests_pri_0: 356 (88.2%), check_dkim_adsp: 5 (1.2%), check_spf: 0.45 (0.1%), check_razor2: 250 (61.8%), check_pyzor: 0.28 (0.1%), tests_pri_500: 4 (0.9%), get_report: 1.31 (0.3%) Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) sending SMTP response: "554 5.7.0 Reject, id=15668-01 - spam" Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) size: 1417, TIMING [total 698 ms] - SMTP greeting: 9 (1%)1, SMTP EHLO: 3.1 (0%)2, SMTP pre-MAIL: 0.6 (0%)2, mkdir tempdir: 1.5 (0%)2, create email.txt: 0.3 (0%)2, SMTP pre-DATA-flush: 4.1 (1%)3, SMTP DATA: 39 (6%)8, check_init: 1.3 (0%)8, digest_hdr: 2.0 (0%)9, digest_body_dkim: 0.5 (0%)9, collect_info: 2.5 (0%)9, mkdir parts: 1.9 (0%)9, mime_decode: 11 (2%)11, get-file-type1: 19 (3%)14, parts_decode: 0.2 (0%)14, check_header: 0.6 (0%)14, AV-scan-1: 9 (1%)15, spam-wb-list: 0.9 (0%)15, SA msg read: 0.8 (0%)15, SA parse: 4.2 (1%)16, SA check: 395 (57%)72, decide_mail_destiny: 10 (1%)74, notif-quar: 0.6 (0%)74, write-header: 16 (2%)76, fwd-data-dkim: 35 (5%)81, fwd-connect: 57 (8%)89, fwd-mail-pip: 7 (1%)91, fwd-rcpt-pip: 0.3 (0%)91, fwd-data-chkpnt: 0.1 (0%)91, write-header: 0.5 (0%)91, fwd-data-contents: 2.6 (0%)91, fwd-end-chkpnt: 41 (6%)97, prepare-dsn: 2.4 (0%)97, report: 4.7 (1%)98, main_log_entry: 11 (2%)100, update_snmp: 1.9 (0%)100, SMTP pre-resp... Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) ...onse: 0.3 (0%)100, SMTP response: 0.3 (0%)100, unlink-2-files: 0.2 (0%)100, rundown: 0.7 (0%)100 Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) extra modules loaded: unicore/lib/Gc/Nd.pl Dec 2 15:27:16 vml000067 amavis[15668]: (15668-01) load: 100 %, total idle 0.003 s, busy 0.700 s

SMTP-Server (Teil 2 von 3)

Im Maillog unseres Borderfilters sehen wir nun also als nächstes den Eingang dieser Notification-eMail an den definierten Empfänger.

# less /var/log/maillog

Dec 2 15:27:16 vml000087 postfix/smtpd[27685]: connect from vml000067.dmz.nausch.org[10.0.0.67] Dec 2 15:27:16 vml000087 postfix/smtpd[27685]: 9A6FBC00089: client=vml000067.dmz.nausch.org[10.0.0.67] Dec 2 15:27:16 vml000087 postfix/cleanup[27683]: 9A6FBC00089: message-id=<SAo1aYnuSaPRGv@viruswall.dmz.nausch.org> Dec 2 15:27:16 vml000087 postfix/qmgr[27247]: 9A6FBC00089: from=<postmaster@nausch.org>, size=4328, nrcpt=1 (queue active) Dec 2 15:27:16 vml000087 postfix/smtp[27684]: E5401C00088: to=<django@nausch.org>, relay=10.0.0.67[10.0.0.67]:10024, delay=0.77, delays=0.04/0.03/0.02/0.69, dsn=5.7.0, status=bounced (host 10.0.0.67[10.0.0.67] said: 554 5.7.0 Reject, id=15668-01 - spam (in reply to end of DATA command)) Dec 2 15:27:16 vml000087 postfix/cleanup[27683]: B736EC0008A: message-id=<20141202142716.B736EC0008A@mx01.nausch.org> Dec 2 15:27:16 vml000087 postfix/qmgr[27247]: B736EC0008A: from=<>, size=4076, nrcpt=1 (queue active) Dec 2 15:27:16 vml000087 postfix/bounce[27687]: E5401C00088: sender non-delivery notification: B736EC0008A Dec 2 15:27:16 vml000087 postfix/qmgr[27247]: E5401C00088: removed Dec 2 15:27:17 vml000087 postfix/lmtp[27686]: 9A6FBC00089: to=<django@nausch.org>, orig_to=<virusalert@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.46, delays=0.04/0.01/0.01/0.39, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> 0WGxKC3MfVQbPAAArK2B9Q Saved) Dec 2 15:27:17 vml000087 postfix/qmgr[27247]: 9A6FBC00089: removed

SMTP-Server (Teil 3 von 3)

Zu guter Letzt sehen wir dann noch die Bounce-Nachricht an den ursprünglichen Absender, den wir ja zweifelsfrei kennen, da dieser sich beim Einliefern der Nachricht authentifizierten hatte. Somit ist die Gefahr von backscatter eMail ausgeschlossen!

# less /var/log/messages

Dec 2 15:27:17 vml000087 postfix/lmtp[27688]: B736EC0008A: to=<n3rd@sec-mail.guru>, relay=10.0.0.77[10.0.0.77]:24, delay=0.49, delays=0.07/0.01/0.02/0.39, dsn=2.0.0, status=sent (250 2.0.0 <n3rd@sec-mail.guru> hwVTMkTMfVQfPAAArK2B9Q Saved) Dec 2 15:27:17 vml000087 postfix/qmgr[27247]: B736EC0008A: removed

MUA (Empfänger der Notification Mail)

Wie schon angeschnitten erhält der verantwortliche Admin des Servers mit der Addresse virusalert@nausch.org eine Nachricht mit dem Detail des Versuches eine SPAM-Mail zu verschicken.

Return-Path: <postmaster@nausch.org> Delivered-To: django@nausch.org Received: from mx01.nausch.org ([10.0.0.87]) by imap.nausch.org (Dovecot) with LMTP id 0WGxKC3MfVQbPAAArK2B9Q for <django@nausch.org>; Tue, 02 Dec 2014 15:27:16 +0100 Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67]) by mx01.nausch.org (Postfix) with ESMTP id 9A6FBC00089 for <virusalert@nausch.org>; Tue, 2 Dec 2014 15:27:16 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nausch.org; h= message-id:subject:subject:date:date:from:from:mime-version :content-transfer-encoding:content-type:content-type; s=140224; t=1417530436; x=1419344837; bh=tVWIH0duwt/kaEdApRyhDUvLvxAvX1C8 fu9jN2ZwFt0=; b=AZgQAhDSlqrdcLzC1k/VopOx3PAKPHpmKeivYeIWA6KFVZH6 Xxbc0Unj1QQ08ZSGRNHFp5aJu4rN71BI8ad8OhRTSHdbhWR821V2Z2yRti7TUDwq QZigx230dACkYKrzQhTKJawAmXKbg1V2EUbTTqUpwBDsaYnTML9i+fAr4mcVrN2n JBAmg1K3OL0uokXp/eaaKpxG+GDMgv8n6dsXgk29+1V2BznRz3HTcA0BsT9m0087 kxonaX5Bhio01JhAEuG+fy2f12N3QMNQ2l+8zWQskPXUaL/q3SGG/dYcBvtL2BuR m6f1+Z8kBuZeosXe/a3rma8v+Sdbg++u2bY6jCtGLChN/M3/bO/qq1IiYSpLOLQI adNxaPKefjC75FtY0AEYWpDlU8WIbk/Wqb0/KovhexGto84UTZcmRq0Z8t8RBNtN xmy4M2uNK2l6aWbfQV0cjnrg0FQ2AfisP74d45dEaDNV+dsBhMiYgcZ1wHhW4Aro ug1OiU1+hbie1t59J0Y15BHO/BeJSvJYNTlf/twopaObQc1LAJSzuIUZegyiFjMQ /AdpdmpWFKhPTZNp2JwDoBm3vd5DT555t5+kIuRh/8mKhNRs194ZZzXCuUdrkgMm LQL4HSB5TbVxVDhOfgaStlWWRZmt4IwWR3aOsfGA2TSEOle4cTJXWHxokec= Content-Type: multipart/mixed; boundary="----------=_1417530436-15668-0" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 From: "Content-filter at viruswall.dmz.nausch.org" <postmaster@nausch.org> Date: Tue, 2 Dec 2014 15:27:16 +0100 (CET) Subject: Spam FROM LOCAL [10.0.0.87] <n3rd@sec-mail.guru> To: <virusalert@nausch.org> Message-ID: <SAo1aYnuSaPRGv@viruswall.dmz.nausch.org> This is a multi-part message in MIME format... ------------=_1417530436-15668-0 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit Content type: Spam Internal reference code for the message is 15668-01/o1aYnuSaPRGv First upstream SMTP client IP address: [10.0.0.87] Received from: 10.0.0.87 Return-Path: <n3rd@sec-mail.guru> From: n3rd@sec-mail.guru Message-ID: <20141202142715.E5401C00088@mx01.nausch.org> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ Subject: vierte Testnachricht SPAM auf Port 587 Not quarantined. The message WAS NOT relayed to: <django@nausch.org>: 554 5.7.0 Reject, id=15668-01 - spam Spam scanner report: Spam detection software, running on the system "vml000067.dmz.nausch.org", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Subject: Test spam mail (GTUBE) Message-ID: <GTUBE1.1010101@example.net> Date: Wed, 23 Jul 2003 23:30:00 +0200 From: Sender <sender@example.net> To: Recipient <recipient@example.net> Precedence: junk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit [...] Content analysis details: (1000.8 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP 1.8 DKIM_ADSP_DISCARD No valid author signature, domain signs all mail and suggests discarding the rest 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email ------------=_1417530436-15668-0 Content-Type: text/rfc822-headers; name="header" Content-Disposition: inline; filename="header" Content-Transfer-Encoding: 7bit Content-Description: Message header section Return-Path: <n3rd@sec-mail.guru> Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx01.nausch.org (Postfix) with ESMTPSA id E5401C00088 for <django@nausch.org>; Tue, 2 Dec 2014 15:27:15 +0100 (CET) Date: Tue, 02 Dec 2014 15:27:15 +0100 To: django@nausch.org From: n3rd@sec-mail.guru Subject: vierte Testnachricht SPAM auf Port 587 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ X-Test: test eMail Message-Id: <20141202142715.E5401C00088@mx01.nausch.org> ------------=_1417530436-15668-0--

MUA (Empfänger der Bounce Mail)

Der Ursprüngliche authentifizierte Absender erhält die Bounce-Nachricht, dass seine Nachricht nicht weiterverschickt werden konnte. Dieser kann dann entsprechend tätig werden und den Fehler abstellen (helfen).

Return-Path: <> Delivered-To: n3rd@sec-mail.guru Received: from mx01.nausch.org ([10.0.0.87]) by imap.nausch.org (Dovecot) with LMTP id hwVTMkTMfVQfPAAArK2B9Q for <n3rd@sec-mail.guru>; Tue, 02 Dec 2014 15:27:16 +0100 Received: by mx01.nausch.org (Postfix) id B736EC0008A; Tue, 2 Dec 2014 15:27:16 +0100 (CET) Date: Tue, 2 Dec 2014 15:27:16 +0100 (CET) From: MAILER-DAEMON@nausch.org (Mail Delivery System) Subject: Rueckgabe nicht zustellbarer Nachricht an Absender To: n3rd@sec-mail.guru Auto-Submitted: auto-replied MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="E5401C00088.1417530436/mx01.nausch.org" Message-Id: <20141202142716.B736EC0008A@mx01.nausch.org> This is a MIME-encapsulated message. --E5401C00088.1417530436/mx01.nausch.org Content-Description: Notification Content-Type: text/plain; charset=iso-8859-1 Dies ist eine automatisch generierte Nachricht des Postfix E-Mail-Dienstes. Dieser Dienst wird auf dem Server mx01.nausch.org betrieben und teilt Ihnen folgendes mit: Ihre Nachricht konnte an einen oder mehrere Empfaenger nicht zugestellt werden. Ein Problem-Bericht, sowie Ihre uspruengliche Nachricht wurden an das Ende dieser Nachricht angehaengt. Fuer weitere Hilfe kontaktieren Sie bitte den fuer Sie zustaendigen <postmaster>. Senden Sie dazu den an diese E-Mail angefuegten Problem-Bericht mit. Den Inhalt Ihrer urspruenglichen Nachricht koennen Sie - zum Schutz Ihrer Privatsphaere - entfernen; er ist fuer eine Fehler-Diagnose nicht zwingend notwendig. Der Postfix E-Mail-Dienst INTERNATIONAL VERSION This is the Postfix program at host mx01.nausch.org. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to <postmaster> If you do so, please include this problem report. You can delete your own text from the attached returned message. <django@nausch.org>: host 10.0.0.67[10.0.0.67] said: 554 5.7.0 Reject, id=15668-01 - spam (in reply to end of DATA command) --E5401C00088.1417530436/mx01.nausch.org Content-Description: Delivery report Content-Type: message/delivery-status Reporting-MTA: dns; mx01.nausch.org X-Postfix-Queue-ID: E5401C00088 X-Postfix-Sender: rfc822; n3rd@sec-mail.guru Arrival-Date: Tue, 2 Dec 2014 15:27:15 +0100 (CET) Final-Recipient: rfc822; django@nausch.org Original-Recipient: rfc822;django@nausch.org Action: failed Status: 5.7.0 Remote-MTA: dns; 10.0.0.67 Diagnostic-Code: smtp; 554 5.7.0 Reject, id=15668-01 - spam --E5401C00088.1417530436/mx01.nausch.org Content-Description: Undelivered Message Content-Type: message/rfc822 Return-Path: <n3rd@sec-mail.guru> Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx01.nausch.org (Postfix) with ESMTPSA id E5401C00088 for <django@nausch.org>; Tue, 2 Dec 2014 15:27:15 +0100 (CET) Date: Tue, 02 Dec 2014 15:27:15 +0100 To: django@nausch.org From: n3rd@sec-mail.guru Subject: vierte Testnachricht SPAM auf Port 587 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ X-Test: test eMail Message-Id: <20141202142715.E5401C00088@mx01.nausch.org> Subject: Test spam mail (GTUBE) Message-ID: <GTUBE1.1010101@example.net> Date: Wed, 23 Jul 2003 23:30:00 +0200 From: Sender <sender@example.net> To: Recipient <recipient@example.net> Precedence: junk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit This is the GTUBE, the Generic Test for Unsolicited Bulk Email If your spam filter supports it, the GTUBE provides a test by which you can verify that the filter is installed correctly and is detecting incoming spam. You can send yourself a test mail containing the following string of characters (in upper case and with no white spaces and line breaks): XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X You should send this test mail from an account outside of your network. --E5401C00088.1417530436/mx01.nausch.org--

Eicar-Testmail auf Port 25 (MTA zu MTA Verkehr)

SMTP-Client (swaks)

Beim vorletzten Test unseres AS/AV20)-Systems versuchen wir nun eine eMail mit einem Virus mit Hilfe von Swaks 21) an einen unserer eigenen Empfänger zu verschicken.

Dazu laden wir uns erst einmal einen Testpattern eicarcom2.zip von der EICAR-Webseite auf unseren Rechner.

# curl -O http://www.eicar.org/download/eicarcom2.zip

Wir versuchen nun eine eMail zusammen mit dieser Testdatei zu versenden, zunächst auf Port 25. Diese Nachricht versuchen wir nun loszuschicken:

Wie wir sehen können, hat der SMTP-Server die Annahme der Nachricht mit dem Fehlercode 554 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature. verweigert. Zu dieser Fehlermeldung erhält der einliefernde SMTP-Client noch Informationen wie er sich ggf. mit uns in Verbindung setzen kann.

SMTP-Server (Teil 1 von 2)

Im Maillog unseres Borderfilters sehen wir nun zu unserem gerade durchgeführten Versuch eine Mail mit einem Virus einzuliefern mehrere zusammenhängende Logeinträge.

# less /var/log/maillog

Dec 2 17:26:49 vml000087 postfix/smtpd[27815]: connect from vml000087.dmz.nausch.org[10.0.0.87] Dec 2 17:26:49 vml000087 postfix/smtpd[27815]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (2 56/256 bits) Dec 2 17:26:50 vml000087 postfix/smtpd[27815]: 3339FC00088: client=vml000087.dmz.nausch.org[10.0.0.87] Dec 2 17:26:50 vml000087 postfix/cleanup[27821]: 3339FC00088: message-id=<20141202162650.3339FC00088@mx01.nausch.org> Dec 2 17:26:50 vml000087 postfix/smtpd[27822]: connect from vml000067.dmz.nausch.org[10.0.0.67] Dec 2 17:26:50 vml000087 postfix/smtpd[27822]: 8250AC00089: client=vml000067.dmz.nausch.org[10.0.0.67] Dec 2 17:26:50 vml000087 postfix/cleanup[27823]: 8250AC00089: message-id=<VRaCP3zN0_kicy@viruswall.dmz.nausch.org> Dec 2 17:26:50 vml000087 postfix/qmgr[27247]: 8250AC00089: from=<postmaster@nausch.org>, size=2289, nrcpt=1 (queue active) Dec 2 17:26:50 vml000087 postfix/cleanup[27821]: 3339FC00088: milter-reject: END-OF-MESSAGE from vml000087.dmz.nausch.org[10.0.0.87]: 5.7.0 Reject, id=15809-01 - INFECTED: Eicar-Test-Signature; from=<n3rd@sec-mail.guru> to=<django@nausch.org> proto=ESMTP helo=<vml000087.dmz.nausch.org> Dec 2 17:26:50 vml000087 postfix/smtpd[27815]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]

Zunächst sehen wir den TLS-Verbindungsaufbau und dem erfolglosen Einlieferungsversuch des MTA22)-Clients. Hier finden wie auch die id=15809-01 wieder, die uns der AMaViS-Host genannt hat. Diesen können wir nun verwenden um auf dem AMaViS-Host im Maillog zu suchen um in Erfahrung zu bringen, warum die Nachricht abgeleht wurde.

ASAV-Host

Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.

# less /var/log/maillog

Dec 2 17:26:50 vml000067 amavis[15809]: loaded policy bank "AM.PDP-SOCK" Dec 2 17:26:50 vml000067 amavis[15809]: process_request: fileno sock=13, STDIN=0, STDOUT=1 Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: request=AM.PDP Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: queue_id=3339FC00088 Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: sender=<n3rd@sec-mail.guru> Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: recipient=<django@nausch.org> Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: tempdir=/var/spool/amavisd/tmp/afXXXXRW5Vp3 Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: tempdir_removed_by=client Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: mail_file=/var/spool/amavisd/tmp/afXXXXRW5Vp3/email.txt Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: delivery_care_of=client Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: client_address=10.0.0.87 Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: client_name=vml000087.dmz.nausch.org Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: helo_name=vml000087.dmz.nausch.org Dec 2 17:26:50 vml000067 amavis[15809]: policy protocol: policy_bank=mx01.nausch.org Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) Request: AM.PDP /var/spool/amavisd/tmp/afXXXXRW5Vp3: <n3rd@sec-mail.guru> -> <django@nausch.org> Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) loaded policy bank "MYNETS" over "AM.PDP-SOCK" Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) body hash: ca2e97181bfa35cf2924c8de9332cafe Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) ip_trace: 10.0.0.87 Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) Checking: aCP3zN0_kicy AM.PDP-SOCK/MYNETS [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org> Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) 2822.From: <n3rd@sec-mail.guru> Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) p003 1 Content-Type: multipart/mixed Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) p001 1/1 Content-Type: text/plain, size: 22 B, name: Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) p002 1/2 Content-Type: application/octet-stream, size: 308 B, name: Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) inspect_dsn: not a bounce Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) Checking for banned types and filenames Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) collect banned table[0]: django@nausch.org, tables: Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) p.path django@nausch.org: "P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=asc" Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) p.path django@nausch.org: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=zip | P=p004,L=1/2/1,T=zip,N=eicar_com.zip | P=p005,L=1/2/1/1,T=asc,N=eicar.com" Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) presenting full original message to scanners as /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts/p006 Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts\n Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) ClamAV-clamd: Connecting to socket /var/run/clamd.amavisd/clamd.sock Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10 Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts\n to socket /var/run/clamd.amavisd/clamd.sock Dec 2 17:26:50 vml000067 clamd[1278]: /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts/p006: Eicar-Test-Signature FOUND Dec 2 17:26:50 vml000067 clamd[1278]: /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts/p005: Eicar-Test-Signature FOUND Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) rw_loop read: got eof Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) run_av (ClamAV-clamd): /var/spool/amavisd/tmp/afXXXXRW5Vp3/parts INFECTED: Eicar-Test-Signature, Eicar-Test-Signature Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) Virus Eicar-Test-Signature matches (constant:1), sender addr ignored

Es wurde also die Eicar-Test-Signature in der Nachricht gefunden! Im Maillog des AMaViS-Servers sehen wir nun nachfolgend, dass der Daemon die entsprechende Notification eMail an den definierten Bearbeiter verschicken wird.

# less /var/log/maillog

ec 2 17:26:50 vml000067 amavis[15809]: (15809-01) blocking contents category is (9) for django@nausch.org, final_destiny -3 Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) do_notify_and_quar: ccat=Virus (9,0) ("9":Virus, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(9), qar_mth= Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) dkim: candidate originators: From:<postmaster@nausch.org> Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) dkim: signing (author), From: <postmaster@nausch.org> (From:<postmaster@nausch.org>), KEY.h=>sha256, KEY.key_ind=>1, a=>rsa-sha256, c=>relaxed/simple, d=>nausch.org, s=>140224, ttl=>1814400, x=>1419352011 Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp session: setting up a new session Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) new socket using IO::Socket::IP to [10.0.0.87]:10025, timeout 35 Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 51.7 ms Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp cmd> EHLO viruswall.dmz.nausch.org Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM' Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp cmd> MAIL FROM:<postmaster@nausch.org> ENVID=AM.Ndh64tU7lUEd.20141202T162650Z@viruswall.dmz.nausch.org Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp cmd> RCPT TO:<django@nausch.org> Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp cmd> DATA Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp resp to MAIL (pip): 250 2.1.0 Ok Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp resp to RCPT (pip) (<django@nausch.org>): 250 2.1.5 Ok Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF> Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) smtp resp to data-dot (<django@nausch.org>): 250 2.0.0 Ok: queued as 8250AC00089, dt: 30.3 ms Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) Amavis::Out::SMTP::Session close, keeping connection Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) Ndh64tU7lUEd(aCP3zN0_kicy) SEND from <postmaster@nausch.org> -> <django@nausch.org>, ENVID=AM.Ndh64tU7lUEd.20141202T162650Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as 8250AC00089 Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) delivery method is 1, recips: django@nausch.org Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) DSN: sender is credible (orig), SA: 0.000, <n3rd@sec-mail.guru> Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) status counters: InMsgsStatus{Rejected,RejectedInternal,RejectedOriginating} Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) Blocked INFECTED (Eicar-Test-Signature) {RejectedInternal}, AM.PDP-SOCK/MYNETS LOCAL [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>, Queue-ID: 3339FC00088, Message-ID: <20141202162650.3339FC00088@mx01.nausch.org>, mail_id: aCP3zN0_kicy, Hits: -, size: 1282, 309 ms Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) mail checking ended: version_server=2\nlog_id=15809-01\nsetreply=554 5.7.0 Reject,%20id=15809-01%20-%20INFECTED:%20Eicar-Test-Signature\nreturn_value=reject\nexit_code=69 Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) size: 1282, TIMING [total 321 ms] - got data: 0.0 (0%)0, check_init: 6 (2%)2, digest_hdr: 2.0 (1%)2, digest_body_dkim: 0.5 (0%)3, collect_info: 2.3 (1%)3, mkdir parts: 4.6 (1%)5, mime_decode: 14 (5%)9, get-file-type2: 18 (6%)15, ren1-unl0-files1: 25 (8%)23, decompose_part: 0.3 (0%)23, get-file-type1: 9 (3%)25, ren1-unl0-files1: 23 (7%)32, decompose_part: 0.3 (0%)32, get-file-type1: 13 (4%)37, parts_decode: 0.1 (0%)37, check_header: 0.5 (0%)37, AV-scan-1: 12 (4%)41, read_snmp_variables: 0.9 (0%)41, decide_mail_destiny: 2.5 (1%)42, notif-quar: 0.6 (0%)42, write-header: 20 (6%)48, fwd-data-dkim: 33 (10%)58, fwd-connect: 55 (17%)76, fwd-mail-pip: 21 (7%)82, fwd-rcpt-pip: 0.3 (0%)82, fwd-data-chkpnt: 0.1 (0%)82, write-header: 0.4 (0%)82, fwd-data-contents: 1.0 (0%)83, fwd-end-chkpnt: 31 (10%)92, prepare-dsn: 2.0 (1%)93, report: 1.7 (1%)94, main_log_entry: 9 (3%)96, update_snmp: 10 (3%)99, rundown: 2.2 (1%)100 Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) extra modules loaded: unicore/lib/Gc/Nd.pl Dec 2 17:26:50 vml000067 amavis[15809]: (15809-01) load: 100 %, total idle 0.000 s, busy 0.354 s

SMTP-Server (Teil 2 von 2)

Im Maillog unseres Borderfilters sehen wir nun also als nächstes den Eingang dieser Notification-eMail an den definierten Empfänger.

# less /var/log/maillog

Dec 2 17:26:50 vml000087 postfix/lmtp[27824]: 8250AC00089: to=<django@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.2, delays=0.05/0.03/0.02/0.1, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> HpapJErofVSPSgAArK2B9Q Saved) Dec 2 17:26:50 vml000087 postfix/qmgr[27247]: 8250AC00089: removed

MUA (Empfänger der Notification Mail)

Wie schon angeschnitten erhält der verantwortliche Admin des Servers mit der Addresse virusalert@nausch.org eine Nachricht mit dem Detail des Versuches eine SPAM-Mail zu verschicken.

Return-Path: <postmaster@nausch.org> Delivered-To: django@nausch.org Received: from mx01.nausch.org ([10.0.0.87]) by imap.nausch.org (Dovecot) with LMTP id HpapJErofVSPSgAArK2B9Q for <django@nausch.org>; Tue, 02 Dec 2014 17:26:50 +0100 Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67]) by mx01.nausch.org (Postfix) with ESMTP id 8250AC00089 for <django@nausch.org>; Tue, 2 Dec 2014 17:26:50 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nausch.org; h= content-transfer-encoding:content-disposition:content-type :content-type:message-id:subject:subject:date:date:from:from :mime-version; s=140224; t=1417537610; x=1419352011; bh=tVt05RIQ Bpj4qmzmNJoEPHHj22aTtLu2THUwcwoCsls=; b=Tc7gljO5SN9Y4X1yxVbiC4IH szuBz2F49Mdzyx48m2VfA0mKMi1EmnT1D5QOs2tYdElBc35le8T3kLD9TfVheonI XtwGnJKfUycJEQ/nwrNWPaYXrJZXjGK08TmQ08WoIg9+uH1G2SqzAeWhMKND3+K8 lEunOg/CmMKoJElhvp3X0k2TnSTXvPSsK1+Nvrhs1zcJzd5SSKka1eseyvnlYRB0 AWu8oties5VOEIM601gt2T7tBbKEFj9KMpZHiapeNGpu6UoddkvfY779Vs0DfLvj WX/VLK6WNrE+qb0wjmisR1hW5+RaXFcAMRtFT/5vXhryfjLjP0RQOCPyheLrjBux 1w5KfXJEmqeb1efZ9MZTfp4SrS90wcXbJRicSt+vzYmsOcB9rXj+hO5JJf7Uj/ag dP4ngXl+BvI2drOf33hjKrFynTVdpEMF8gLH/qYaydLf0h8lh0v4U9py7kvZRHfy BXhF0en2YdcoIaof2ZMOxD17VLZtkouUaqDT6UxLyr60KHMS7Fx9+NeSEUjI7zTH DobySVImu63dS8j3XTzFu8pFKthAod6dD2FgW2NuM00BTECEaZeDxp7CY7nuXmcg pxpsoPuJYV12Y+1os+DW53ZuaLMEtsoJLQC7VF91oXkgJTk0PIaeB1FPQjOGudvd QfnZYUFETGcNRt1SAd0= MIME-Version: 1.0 From: Postmaster <postmaster@nausch.org> Date: Tue, 2 Dec 2014 17:26:50 +0100 (CET) Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from <n3rd@sec-mail.guru> To: django@nausch.org Message-ID: <VRaCP3zN0_kicy@viruswall.dmz.nausch.org> Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit VIRUS ALERT Our content checker found virus: Eicar-Test-Signature in an email to you from probably faked sender: claiming to be: <n3rd@sec-mail.guru> Content type: Virus Our internal reference code for your message is 15809-01/aCP3zN0_kicy First upstream SMTP client IP address: [10.0.0.87] vml000087.dmz.nausch.org Received from: 10.0.0.87 Return-Path: <n3rd@sec-mail.guru> From: n3rd@sec-mail.guru Message-ID: <20141202162650.3339FC00088@mx01.nausch.org> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ Subject: 5. Test-Testnachricht mit EICAR-Testdatei im Anhang auf Port 25 Not quarantined. Please contact your system administrator for details.

Eicar-Testmail auf Port 587 (MUA zu MSA Verkehr)

Zum Abschluss unserer Testreihe überprüfen wir, ob wir die EICAR-Testsignatur als authentifizierten User von einem MUA23) beim MSA24) erfolgreich einliefern können.

SMTP-Client (swaks)

Die bereits heruntergeladene EICAR-Testmail versuchen wir nun mit mit Hilfe von Swaks 25) an einen unserer eigenen Empfänger zu verschicken.

# swaks -t django@nausch.org --attach - --server 10.0.0.87 --suppress-data <eicarcom2.zip --from n3rd@sec-mail.guru --header-X-Test "test eMail" --server 10.0.0.87 --port 587 --tls --header "Subject: 6. und letzter Test-Testnachricht mit EICAR-Testdatei im Anhang auf Port 25" --auth NTLM --auth-user n3rd@sec-mail.guru --auth-password Dj4n90-d3r-M41153rv3rguru! --body gtube.txt

Wie auch schon bei vorhergehenden GTUBE-Test wird dem authentifizierten User die Nachricht abgenommen und mit einem 250er bestätigt. Auch hier ist das Verhalten legitim und erklärbar, haben wir doch bei der Konfiguration explizit angegeben, dass wir Nachrichten von authentifizierten Nutzern sofort anzunehmen und erst im zweiten Schritt scannen wollen. Genau das machte unser AMaViS-Server auch.

Den genauen Ablauf dazu, sehen wir uns nun im Detail an.

SMTP-Server (Teil 1 von 2)

Im Maillog unseres Borderfilters sehen wir nun zu unserem gerade durchgeführten Versuch mehrere zusammenhängende Logeinträge.

# less /var/log/maillog

Zunächst sehen wir den TLS-Verbindungsaufbau, gefolgt von der erfolgreichen Authentifizierung unseres Users und die Entgegennahme der eMail vom MSA26).

Dec 2 18:14:17 vml000087 postfix/submission/smtpd[27873]: connect from vml000087.dmz.nausch.org[10.0.0.87] Dec 2 18:14:17 vml000087 postfix/submission/smtpd[27873]: Anonymous TLS connection established from vml000087.dmz.nausch.org[10.0.0.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Dec 2 18:14:17 vml000087 postfix/submission/smtpd[27873]: 82EB5C00088: client=vml000087.dmz.nausch.org[10.0.0.87], sasl_method=NTLM, sasl_username=n3rd@sec-mail.guru Dec 2 18:14:17 vml000087 postfix/cleanup[27878]: 82EB5C00088: message-id=<20141202171417.82EB5C00088@mx01.nausch.org> Dec 2 18:14:17 vml000087 postfix/qmgr[27247]: 82EB5C00088: from=<n3rd@sec-mail.guru>, size=2213, nrcpt=1 (queue active) Dec 2 18:14:17 vml000087 postfix/submission/smtpd[27873]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]

ASAV-Host

Die Überprüfung der Nachricht durch unseren Contentfilter wird auf dem AMaViS-Host im Maillog dokumentiert.

# less /var/log/maillog

Dec 2 18:14:17 vml000067 amavis[15810]: loaded policy bank "ORIGINATING" Dec 2 18:14:17 vml000067 amavis[15810]: process_request: fileno sock=13, STDIN=0, STDOUT=1 Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) ESMTP:[10.0.0.67]:10024 /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3: <n3rd@sec-mail.guru> -> <django@nausch. org> Received: from mx01.nausch.org ([10.0.0.87]) by viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.67]) (amavisd-new, port 10024) with ESMTP for <django@nausch.org> ; Tue, 2 Dec 2014 18:14:17 +0100 (CET) Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) body hash: d54368018a0d3ca16ae3f56772551bae Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) ip_trace: 10.0.0.87 Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) client IP address unknown, fetched from Received: 10.0.0.87 Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) Checking: uj-7SfJU0v_M ORIGINATING [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org> Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) 2822.From: <n3rd@sec-mail.guru> Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) p003 1 Content-Type: multipart/mixed Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) p001 1/1 Content-Type: text/plain, size: 799 B, name: Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) p002 1/2 Content-Type: application/octet-stream, size: 308 B, name: Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) inspect_dsn: not a bounce Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) Checking for banned types and filenames Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) skipping banned check: all recipients bypass banned checks Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) presenting full original message to scanners as /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts/p006 Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts\n Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) ClamAV-clamd: Connecting to socket /var/run/clamd.amavisd/clamd.sock Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10 Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts\n to socket /var/run/clamd. amavisd/clamd.sock Dec 2 18:14:17 vml000067 clamd[1278]: /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts/p006: Eicar-Test-Signature FOUND Dec 2 18:14:17 vml000067 clamd[1278]: /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts/p005: Eicar-Test-Signature FOUND Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) rw_loop read: got eof Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) run_av (ClamAV-clamd): /var/spool/amavisd/tmp/amavis-20141202T181417-15810-limsNKq3/parts INFECTED: Eicar-Test-Signature, Eic ar-Test-Signature Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) Virus Eicar-Test-Signature matches (constant:1), sender addr ignored

Der Virenscanner hat also die Eicar-Test-Signatur in der Nachricht entdeckt, die Nachricht wird also nicht zugestellt!

Gemäß unserer Konfiguration erhält der der Empfänger virusalert@nausch.org eine Nachricht von postmaster@nausch.org mit dem Details zu der Virenmail-Mail. Der Postmaster kann so reagieren und mit dem authentifizierten Mailbox-Nutzer Kontakt aufnehmen und diesen ggf. darauf hinweisen, dass er versucht hatte einen Virus zu verschicken.

Im Maillog des AMaViS-Servers sehen wir nun, dass der Daemon die entsprechende Nachricht an den definierten Bearbeiter verschicken wird.

# less /var/log/maillog

Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) blocking contents category is (9) for django@nausch.org, final_destiny 0 Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) do_notify_and_quar: ccat=Virus (9,0) ("9":Virus, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(9), qar_mth= Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) dkim: candidate originators: From:<postmaster@nausch.org> Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) dkim: signing (author), From: <postmaster@nausch.org> (From:<postmaster@nausch.org>), KEY.h=>sha256, KEY.key_ind=>1, a=>rsa-s ha256, c=>relaxed/simple, d=>nausch.org, s=>140224, ttl=>1814400, x=>1419354858 Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp session: setting up a new session Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) new socket using IO::Socket::IP to [10.0.0.87]:10025, timeout 35 Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 64.7 ms Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp cmd> EHLO viruswall.dmz.nausch.org Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM' Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp cmd> MAIL FROM:<postmaster@nausch.org> ENVID=AM.MtEXZuZdm5qb.20141202T171417Z@viruswall.dmz.nausch.org Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp cmd> RCPT TO:<virusalert@nausch.org> Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp cmd> DATA Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp resp to MAIL (pip): 250 2.1.0 Ok Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp resp to RCPT (pip) (<virusalert@nausch.org>): 250 2.1.5 Ok Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF> Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) smtp resp to data-dot (<virusalert@nausch.org>): 250 2.0.0 Ok: queued as E5434C00089, dt: 33.0 ms Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) Amavis::Out::SMTP::Session close, keeping connection Dec 2 18:14:17 vml000067 amavis[15810]: (15810-01) MtEXZuZdm5qb(uj-7SfJU0v_M) SEND from <postmaster@nausch.org> -> <virusalert@nausch.org>, ENVID=AM.MtEXZuZdm5qb.20141202T171417Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as E5434C00089 Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) dkim: candidate originators: From:<postmaster@nausch.org> Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) dkim: signing (author), From: <postmaster@nausch.org> (From:<postmaster@nausch.org>), KEY.h=>sha256, KEY.key_ind=>1, a=>rsa-sha256, c=>relaxed/simple, d=>nausch.org, s=>140224, ttl=>1814400, x=>1419354858 Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp session reuse (smtp:[10.0.0.87]:10025), 1 transactions so far Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp session most likely still valid (short idle 0.1 s) Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM' Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp cmd> MAIL FROM:<postmaster@nausch.org> ENVID=AM.IKpCZDv4QKL3.20141202T171418Z@viruswall.dmz.nausch.org Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp cmd> RCPT TO:<django@nausch.org> Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp cmd> DATA Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp resp to MAIL (pip): 250 2.1.0 Ok Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp resp to RCPT (pip) (<django@nausch.org>): 250 2.1.5 Ok Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF> Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) smtp resp to data-dot (<django@nausch.org>): 250 2.0.0 Ok: queued as 11605C00089, dt: 22.2 ms Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) Amavis::Out::SMTP::Session close, keeping connection Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) IKpCZDv4QKL3(uj-7SfJU0v_M) SEND from <postmaster@nausch.org> -> <django@nausch.org>, ENVID=AM.IKpCZDv4QKL3.20141202T171418Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as 11605C00089 Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) delivery method is 1, recips: django@nausch.org Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) DSN: sender is credible (orig), SA: 0.000, <n3rd@sec-mail.guru> Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) status counters: InMsgsStatus{Discarded,DiscardedInternal,DiscardedOriginating} Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInternal}, ORIGINATING LOCAL [10.0.0.87] <n3rd@sec-mail.guru> -> <django@nausch.org>, Message-ID: <20141202171417.82EB5C00088@mx01.nausch.org>, mail_id: uj-7SfJU0v_M, Hits: -, size: 2213, 501 ms Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) sending SMTP response: "250 2.7.0 Ok, discarded, id=15810-01 - INFECTED: Eicar-Test-Signature" Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) size: 2213, TIMING [total 507 ms] - SMTP greeting: 8 (2%)2, SMTP EHLO: 2.6 (1%)2, SMTP pre-MAIL: 0.8 (0%)2, mkdir tempdir: 1.6 (0%)3, create email.txt: 0.3 (0%)3, SMTP pre-DATA-flush: 4.3 (1%)3, SMTP DATA: 42 (8%)12, check_init: 1.2 (0%)12, digest_hdr: 1.9 (0%)12, digest_body_dkim: 0.5 (0%)12, collect_info: 2.5 (0%)13, mkdir parts: 1.8 (0%)13, mime_decode: 15 (3%)16, get-file-type2: 19 (4%)20, ren1-unl0-files1: 25 (5%)25, decompose_part: 0.3 (0%)25, get-file-type1: 8 (2%)27, ren1-unl0-files1: 22 (4%)31, decompose_part: 0.3 (0%)31, get-file-type1: 13 (3%)34, parts_decode: 0.2 (0%)34, check_header: 0.5 (0%)34, AV-scan-1: 14 (3%)37, read_snmp_variables: 0.9 (0%)37, decide_mail_destiny: 2.6 (1%)37, notif-quar: 0.5 (0%)37, write-header: 20 (4%)41, fwd-data-dkim: 35 (7%)48, fwd-connect: 78 (15%)64, fwd-mail-pip: 11 (2%)66, fwd-rcpt-pip: 1.3 (0%)66, fwd-data-chkpnt: 0.2 (0%)66, write-header: 0.5 (0%)66, fwd-data-contents: 2.2 (0%)67, fwd-end-chkpnt: 35 (7%)74... Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) ..., write-header: 32 (6%)80, fwd-data-dkim: 52 (10%)90, fwd-connect: 1.0 (0%)91, fwd-mail-pip: 6 (1%)92, fwd-rcpt-pip: 0.2 (0%)92, fwd-data-chkpnt: 0.0 (0%)92, write-header: 0.4 (0%)92, fwd-data-contents: 2.2 (0%)92, fwd-end-chkpnt: 24 (5%)97, prepare-dsn: 1.6 (0%)97, report: 1.9 (0%)98, main_log_entry: 4.7 (1%)99, update_snmp: 5 (1%)100, SMTP pre-response: 0.3 (0%)100, SMTP response: 0.3 (0%)100, unlink-3-files: 0.2 (0%)100, rundown: 0.7 (0%)100 Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) extra modules loaded: unicore/lib/Gc/Nd.pl Dec 2 18:14:18 vml000067 amavis[15810]: (15810-01) load: 100 %, total idle 0.002 s, busy 0.510 s

SMTP-Server (Teil 2 von 2)

Im Maillog unseres Borderfilters sehen wir nun also als nächstes den Eingang dieser Notification-eMail an den definierten Empfänger.

# less /var/log/maillog

Dec 2 18:14:17 vml000087 postfix/smtpd[27880]: connect from vml000067.dmz.nausch.org[10.0.0.67] Dec 2 18:14:17 vml000087 postfix/smtpd[27880]: E5434C00089: client=vml000067.dmz.nausch.org[10.0.0.67] Dec 2 18:14:17 vml000087 postfix/cleanup[27878]: E5434C00089: message-id=<VAuj-7SfJU0v_M@viruswall.dmz.nausch.org> Dec 2 18:14:17 vml000087 postfix/qmgr[27247]: E5434C00089: from=<postmaster@nausch.org>, size=3536, nrcpt=1 (queue active) Dec 2 18:14:18 vml000087 postfix/lmtp[27881]: E5434C00089: to=<django@nausch.org>, orig_to=<virusalert@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.11, delays=0.04/0.03/0/0.05, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> +kkIHTLzfVSXTwAArK2B9Q Saved) Dec 2 18:14:18 vml000087 postfix/qmgr[27247]: E5434C00089: removed Dec 2 18:14:18 vml000087 postfix/smtpd[27880]: 11605C00089: client=vml000067.dmz.nausch.org[10.0.0.67] Dec 2 18:14:18 vml000087 postfix/cleanup[27878]: 11605C00089: message-id=<VRuj-7SfJU0v_M@viruswall.dmz.nausch.org> Dec 2 18:14:18 vml000087 postfix/qmgr[27247]: 11605C00089: from=<postmaster@nausch.org>, size=2280, nrcpt=1 (queue active) Dec 2 18:14:18 vml000087 postfix/smtp[27879]: 82EB5C00088: to=<django@nausch.org>, relay=10.0.0.67[10.0.0.67]:10024, delay=0.59, delays=0.05/0.03/0.01/0.5, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=15810-01 - INFECTED: Eicar-Test-Signature) Dec 2 18:14:18 vml000087 postfix/qmgr[27247]: 82EB5C00088: removed Dec 2 18:14:18 vml000087 postfix/lmtp[27881]: 11605C00089: to=<django@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.13, delays=0.03/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> /kkIHTLzfVSXTwAArK2B9Q Saved) Dec 2 18:14:18 vml000087 postfix/qmgr[27247]: 11605C00089: removed

MUA (Empfänger der Notification Mail)

Wie schon angeschnitten erhält der verantwortliche Admin des Servers mit der Addresse virusalert@nausch.org eine Nachricht mit dem Detail des Versuches eine SPAM-Mail zu verschicken.

Return-Path: <postmaster@nausch.org> Delivered-To: django@nausch.org Received: from mx01.nausch.org ([10.0.0.87]) by imap.nausch.org (Dovecot) with LMTP id /kkIHTLzfVSXTwAArK2B9Q for <django@nausch.org>; Tue, 02 Dec 2014 18:14:18 +0100 Received: from viruswall.dmz.nausch.org (vml000067.dmz.nausch.org [10.0.0.67]) by mx01.nausch.org (Postfix) with ESMTP id 11605C00089 for <django@nausch.org>; Tue, 2 Dec 2014 18:14:18 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nausch.org; h= content-transfer-encoding:content-disposition:content-type :content-type:message-id:subject:subject:date:date:from:from :mime-version; s=140224; t=1417540457; x=1419354858; bh=mFctWodC oPn36vNDqRoivIeBgUX0G0lRWQSp8HGIA6A=; b=eIeO/pgpVbysZ5j6Myoz281/ XX8lxTCdzecXPxva+XoERso6WO4fN2r+ATj9R1DDrW4F/Q0e0jYfszbWHx6JU6kd 3XBPe6mYWqbbz/MDbXOG6cBBQ6v1SLuF98RPpwIAH8DuYDqyURMZS3zPJQT5LM7J glfWWvj9qa+WU8KJSgICO8VLjNyxj/ibG9i3OOmiLmGlEd4VpxuGa8E8DYaLtrmt nGQS6rzuBqkBIbrDGdXlEU3JjRQStAp+sto+xnGj0tufa/NYE57+Gap7tgWEK0cs gpwjoHs2sTBsRmW17mkyfmR+iA3DQr8qZKvtKhpGxWD8L3lARLNuwod6XMCldPMY 6jKzohNbBasgl9eApl2BckMVeB0I3uHHpU/ypgjJQPePsS/JfhmBJC97d4MBTa+2 8dZ86FBWL6z2pS2SYfBP3+gE9al11r1iGQI233wWZAsGMbOYC9XjJl/g5/dyOwVF YbUYSQfEqR0HN+/cXEXiaQ0yLEj36mFn42EtyBT/vufRRmN52bhNFONofaCD7W9A OuBuaw5jLUJBKq7OoHeNjimEJglPIX53gxSIsW89ZBUhL64BnYYurCPzNoJ8GhLF 0ILaxukNAzqQJY3aoP5zkKOAWLDet9NpwdHOYnsyHPcMv0+dmistSfktNlWUNy3M v+PuSR8FGh6/10vRHsI= MIME-Version: 1.0 From: Postmaster <postmaster@nausch.org> Date: Tue, 2 Dec 2014 18:14:17 +0100 (CET) Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from <n3rd@sec-mail.guru> To: django@nausch.org Message-ID: <VRuj-7SfJU0v_M@viruswall.dmz.nausch.org> Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit VIRUS ALERT Our content checker found virus: Eicar-Test-Signature in an email to you from probably faked sender: claiming to be: <n3rd@sec-mail.guru> Content type: Virus Our internal reference code for your message is 15810-01/uj-7SfJU0v_M First upstream SMTP client IP address: [10.0.0.87] Received from: 10.0.0.87 Return-Path: <n3rd@sec-mail.guru> From: n3rd@sec-mail.guru Message-ID: <20141202171417.82EB5C00088@mx01.nausch.org> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ Subject: 6. und letzter Test-Testnachricht mit EICAR-Testdatei im Anhang auf Port 25 Not quarantined. Please contact your system administrator for details.

--------------