use strict; $max_servers = 2; # number of pre-forked children (2..15 is common) $daemon_user = '_vscan'; # (no default; customary: vscan or amavis) $daemon_group = '_vscan'; # (no default; customary: vscan or amavis) $mydomain = 'wahanamotorent.co.id'; # a convenient default for other settings $MYHOME = '/var/amavisd'; # a convenient default for other settings $TEMPBASE = "$MYHOME/tmp"; # working directory, needs to be created manually $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR $QUARANTINEDIR = '/var/virusmails'; @local_domains_maps = ( [".$mydomain"] ); $log_level = 0; # verbosity 0..5 $log_recip_templ = undef; # disable by-recipient level-0 log entries $DO_SYSLOG = 1; # log via syslogd (preferred) $SYSLOG_LEVEL = 'mail.debug'; $enable_db = 0; # enable use of BerkeleyDB/libdb (SNMP and nanny) $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 $inet_socket_port = 10024; # listen on this local TCP port(s) (see $protocol) $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level $sa_kill_level_deflt = 6.31; # triggers spam evasive actions $sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent $sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger $sa_local_tests_only = 0; # only tests which do not require internet access? $sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant # for SA 3.0, cf option is 'use_auto_whitelist') $virus_admin = "virusalert\@$mydomain"; # notifications recip. $mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender $mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender $mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender $mailfrom_to_quarantine = ''; # null return path; uses original sender if undef @addr_extension_virus_maps = ('virus'); @addr_extension_spam_maps = ('spam'); @addr_extension_banned_maps = ('banned'); @addr_extension_bad_header_maps = ('badh'); $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; $MAXLEVELS = 14; $MAXFILES = 1500; $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) $sa_spam_subject_tag = '***SPAM*** '; $defang_virus = 1; # MIME-wrap passed infected mail $defang_banned = 1; # MIME-wrap passed mail containing banned name @viruses_that_fake_sender_maps = (new_RE( # [qr'\bEICAR\b'i => 0], # av test pattern name # [qr'^(WM97|OF97|Joke\.)'i => 0], # adjust names to match your AV scanner [qr/^/ => 1], # true for everything else )); @keep_decoded_original_maps = (new_RE( qr'^MAIL$', # retain full original message for virus checking (can be slow) qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, qr'^Zip archive data', # don't trust Archive::Zip )); $banned_filename_re = new_RE( qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extensions - CLSID qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, # qr'^message/partial$'i, # rfc2046 MIME type # qr'^message/external-body$'i, # rfc2046 MIME type # [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| # inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst| # ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs| # wmf|wsc|wsf|wsh)$'ix, # banned ext - long qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. qr'^\.(exe-ms)$', # banned file(1) types # qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types ); # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING @score_sender_maps = ({ # a by-recipient hash lookup table, # results from all matching recipient tables are summed ## site-wide opinions about senders (the '.' matches any recipient) '.' => [ # the _first_ matching sender determines the score boost new_RE( # regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], [qr'^(your_friend|greatoffers)@'i => 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], ), # read_hash("/var/amavis/sender_scores_sitewide"), { # a hash-type lookup table (associative array) 'nobody@cert.org' => -3.0, 'cert-advisory@us-cert.gov' => -3.0, 'owner-alert@iss.net' => -3.0, 'slashdot@slashdot.org' => -3.0, 'bugtraq@securityfocus.com' => -3.0, 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, 'security-alerts@linuxsecurity.com' => -3.0, 'mailman-announce-admin@python.org' => -3.0, 'amavis-user-admin@lists.sourceforge.net'=> -3.0, 'notification-return@lists.sophos.com' => -3.0, 'owner-postfix-users@postfix.org' => -3.0, 'owner-postfix-announce@postfix.org' => -3.0, 'owner-sendmail-announce@lists.sendmail.org' => -3.0, 'sendmail-announce-request@lists.sendmail.org' => -3.0, 'donotreply@sendmail.org' => -3.0, 'ca+envelope@sendmail.org' => -3.0, 'noreply@freshmeat.net' => -3.0, 'owner-technews@postel.acm.org' => -3.0, 'ietf-123-owner@loki.ietf.org' => -3.0, 'cvs-commits-list-admin@gnome.org' => -3.0, 'rt-users-admin@lists.fsck.com' => -3.0, 'clp-request@comp.nus.edu.sg' => -3.0, 'surveys-errors@lists.nua.ie' => -3.0, 'emailnews@genomeweb.com' => -5.0, 'yahoo-dev-null@yahoo-inc.com' => -3.0, 'returns.groups.yahoo.com' => -3.0, 'clusternews@linuxnetworx.com' => -3.0, lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score) 'sender@example.net' => 3.0, '.example.net' => 1.0, }, ], # end of site-wide tables }); @decoders = ( ['mail', \&do_mime_decode], ['asc', \&do_ascii], ['uue', \&do_ascii], ['hqx', \&do_ascii], ['ync', \&do_ascii], ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ], ['gz', \&do_gunzip], ['gz', \&do_uncompress, 'gzip -d'], ['bz2', \&do_uncompress, 'bzip2 -d'], ['lzo', \&do_uncompress, 'lzop -d'], ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['tar', \&do_tar], ['deb', \&do_ar, 'ar'], # ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill ['zip', \&do_unzip], ['rar', \&do_unrar, ['rar','unrar'] ], ['arj', \&do_unarj, ['arj','unarj'] ], ['arc', \&do_arc, ['nomarch','arc'] ], ['zoo', \&do_zoo, 'zoo'], ['lha', \&do_lha, 'lha'], # ['doc', \&do_ole, 'ripole'], ['cab', \&do_cabextract, 'cabextract'], ['tnef', \&do_tnef_ext, 'tnef'], ['tnef', \&do_tnef], ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], ); @av_scanners = ( # ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/amavisd/clamd.sock"], qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], # # NOTE: the easiest is to run clamd under the same user as amavisd; match the # # socket name (LocalSocket) in clamav.conf to the socket name in this entry # # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"], ); @av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ); 1; # insure a defined return