Problem AMaVis
Klaus Tachtler
klaus at tachtler.net
Tue Feb 4 04:25:56 CET 2020
Hello Franz-Josef,
I can't find your Postfix configuration (master.cf)?
You should have something like the following in your master.cf:
https://dokuwiki.tachtler.net/doku.php?id=tachtler:postfix_centos_6#amavis_einbinden
(!!! That is how I used to do it too - BETTER: AMaViS-MILTER, see
further below !!!)
---- %< Example - excerpt from master.cf ----
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Tachtler
# default: smtp      inet  n       -       n       -       -       smtpd
# AMaViS - incoming mail, handed to AMaViS listening on port 10024
smtp      inet  n       -       n       -       20      smtpd
    -o smtpd_proxy_filter=192.168.0.70:10024
    -o smtp_send_xforward_command=yes
    -o content_filter=
# Tachtler
# AMaViS - outgoing from AMaViS, BACK to Postfix
192.168.0.60:10025 inet n       -       n       -       20      smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=192.168.0.0/24
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=0.0.0.0/32,127.0.0.0/8,192.168.0.0/24
    -o receive_override_options=no_unknown_recipient_checks
etc. ...
---- Example - excerpt from master.cf >% ----
Do you have something like the following in your AMaViS configuration -->
$forward_method = 'smtp:[192.168.0.60]:10025';
$notify_method = 'smtp:[192.168.0.60]:10025';
(the part that hands messages back to Postfix; I did not see it!)
More convenient and, in my opinion, BETTER would be to use an
AMaViS milter, as in the following links, also from my DokuWiki,
which I once put together for myself:
AMaViS CentOS 7
===============
https://dokuwiki.tachtler.net/doku.php?id=tachtler:amavis_centos_7
Configuration: amavisd-milter
=============================
https://dokuwiki.tachtler.net/doku.php?id=tachtler:amavis_centos_7#konfigurationamavisd-milter
Postfix CentOS 7 - connecting AMaViS (amavisd-milter)
=====================================================
https://dokuwiki.tachtler.net/doku.php?id=tachtler:postfix_centos_7_-_amavis_anbinden_amavisd-milter
Regards
Klaus.
> Hello pros,
>
> I am working through the book: Das Postfix Buch Band 3, Peer Heinlein.
> At the moment I am testing the following setup: the Postfix gateway is
> supposed not to accept spam and virus mails
>
> Internet ---- Postfix mail gateway / spam filter ----- Exchange
> server (local network)
>
> I am using Debian 10 with Postfix 3.4.7
> and the tools from the Debian 10 repository.
>
> Forwarding mail to the Exchange server already works
> flawlessly. I am now trying to get the AMaViS filter up and
> running.
>
> I am trying to follow everything, but I have been stuck on
> AMaViS for a very long time.
>
> Ports 10024 (amavisd-new) and 10025 (Postfix) are open and
> seem to be fine. Telnet to them works.
>
> To be honest, I do not understand how I am supposed to configure
> master.cf and main.cf according to the book.
>
> Could it be that nothing at all needs to go into main.cf for AMaViS?
>
> I want to filter mail pre-queue, i.e. not accept it in the
> first place, as is recommended. I tried to send the EICAR test
> virus. The mail does not arrive, but no error is returned to the
> sender either. It looks as if it had been delivered.
>
> I think I have overlooked something; maybe someone can give me
> a nudge in the right direction...
>
> Thanks
> Franz
>
> My configs:
>
> [main.cf]
> # See /usr/share/postfix/main.cf.dist for a commented, more complete version
>
> # Debian specific: Specifying a file name will cause the first
> # line of that file to be used as the name. The Debian default
> # is /etc/mailname.
> #myorigin = /etc/mailname
>
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> biff = no
>
> # appending .domain is the MUA's job.
> append_dot_mydomain = no
>
> # Uncomment the next line to generate "delayed mail" warnings
> #delay_warning_time = 4h
>
> readme_directory = /usr/share/doc/postfix
>
> # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
> # fresh installs.
> compatibility_level = 2
>
>
>
> # TLS parameters
> smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
> # information on enabling SSL in the smtp client.
>
> smtpd_relay_restrictions = permit_mynetworks
>     permit_sasl_authenticated defer_unauth_destination
> myhostname = mail2.test.de
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = $myhostname, lin4.test.de, spamgate2.test.de,
>     localhost.test.de, localhost
> relayhost =
> mynetworks = 127.0.0.0/8 192.168.26.0/24 [::ffff:127.0.0.0]/104 [::1]/128
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
> inet_protocols = all
> html_directory = /usr/share/doc/postfix/html
> relay_domains = hash:/etc/postfix/relay_domains
> transport_maps = hash:/etc/postfix/relay_domains
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> # example: https://www.syn-flut.de/mit-postfix-spam-blockieren
>
> #smtpd_milters = inet:localhost:11332
> #milter_default_action = accept
> #
> # debug, page 201
> # defer_if_permit
> # defer_if_reject
> # warn_if_reject # log entry instead of rejection
> #
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
> #    permit_sasl_authenticated,
> # whitelist and blacklist here, after changing the file: postfix reload
> # ****** global whitelist, no checks:
> # sender IP addresses
>     check_client_access cidr:/etc/postfix/access-client,
>     check_sender_access hash:/etc/postfix/check_sender,
>
> # check for unclean mail
>     reject_unauth_destination,
>     reject_unauth_pipelining,
> #    reject_unknown_helo_hostname,
>     reject_invalid_hostname,
>     reject_non_fqdn_hostname,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     reject_unknown_client_hostname,
> #    permit_dnswl_client list.dnswl.org,
> # ****** whitelist for blacklists
>     check_client_access cidr:/etc/postfix/whitelist-rbl,
>     reject_rbl_client ix.dnsbl.manitu.net,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client b.barracudacentral.org,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client psbl.surriel.com,
>     reject_rbl_client noptr.spamrats.com,
>     reject_rbl_client dyna.spamrats.com,
>     reject_rbl_client dnsbl.sorbs.net
> # greylist, delays new mail servers by 10 minutes
>     check_policy_service inet:127.0.0.1:10023,
>     permit
> # return 4xx on errors; for large tests
> soft_bounce = no
> # ********+ redirect arbitrary mail with virtual_maps
> # Postfixbuch from page 113
>
> ##### ******** Amavis
>
> [postconf -n]
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> compatibility_level = 2
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> inet_protocols = all
> mailbox_size_limit = 0
> mydestination = $myhostname, lin4.test.de, spamgate2.test.de,
>     localhost.test.de, localhost
> myhostname = mail2.test.de
> mynetworks = 127.0.0.0/8 192.168.26.0/24 [::ffff:127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relay_domains = hash:/etc/postfix/relay_domains
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> relayhost =
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_recipient_restrictions = permit_mynetworks,
>     check_client_access cidr:/etc/postfix/access-client,
>     check_sender_access hash:/etc/postfix/check_sender,
>     reject_unauth_destination, reject_unauth_pipelining,
>     reject_invalid_hostname, reject_non_fqdn_hostname,
>     reject_non_fqdn_recipient, reject_unknown_sender_domain,
>     reject_unknown_client_hostname, check_client_access
>     cidr:/etc/postfix/whitelist-rbl, reject_rbl_client
>     ix.dnsbl.manitu.net, reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client b.barracudacentral.org, reject_rbl_client
>     bl.spamcop.net, reject_rbl_client psbl.surriel.com,
>     reject_rbl_client noptr.spamrats.com, reject_rbl_client
>     dyna.spamrats.com, reject_rbl_client dnsbl.sorbs.net
>     check_policy_service inet:127.0.0.1:10023, permit
> smtpd_relay_restrictions = permit_mynetworks
>     permit_sasl_authenticated defer_unauth_destination
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> soft_bounce = no
> transport_maps = hash:/etc/postfix/relay_domains
>
> (***
>
> AMAVIS config:
>
>
> ****)
>
>
> [15-content-filter-mode]
> use strict;
>
> # You can modify this file to re-enable SPAM checking through spamassassin
> # and to re-enable antivirus checking.
>
> #
> # Default antivirus checking mode
> # Please note, that anti-virus checking is DISABLED by
> # default.
> # If You wish to enable it, please uncomment the following lines:
>
>
> @bypass_virus_checks_maps = (
> \%bypass_virus_checks, \@bypass_virus_checks_acl,
> \$bypass_virus_checks_re);
>
>
> #
> # Default SPAM checking mode
> # Please note, that anti-spam checking is DISABLED by
> # default.
> # If You wish to enable it, please uncomment the following lines:
>
>
> #@bypass_spam_checks_maps = (
> # \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
>
> 1; # ensure a defined return
>
> [20-debian_defaults]
> use strict;
>
> # ADMINISTRATORS:
> # Debian suggests that any changes you need to do that should never
> # be "updated" by the Debian package should be made in another file,
> # overriding the settings in this file.
> #
> # The package will *not* overwrite your settings, but by keeping
> # them separate, you will make the task of merging changes on these
> # configuration files much simpler...
>
> # see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
> # a list of all variables with their defaults;
> # see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
> # a traditional-style commented file
> # [note: the above files were not converted to Debian settings!]
> #
> # for more details see documentation in /usr/share/doc/amavisd-new
> # and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
>
> $QUARANTINEDIR = "$MYHOME/virusmails";
> $quarantine_subdir_levels = 1; # enable quarantine dir hashing
>
> $log_recip_templ = undef; # disable by-recipient level-0 log entries
> $DO_SYSLOG = 1; # log via syslogd (preferred)
> $syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages
> $syslog_facility = 'mail';
> $syslog_priority = 'debug'; # switch to info to drop debug output, etc
>
> $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
> $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
>
> $inet_socket_port = 10024; # default listening socket
>
> $sa_spam_subject_tag = '***SPAM*** ';
> $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
> $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
> $sa_kill_level_deflt = 6.31; # triggers spam evasive actions
> $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
>
> $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
> $sa_local_tests_only = 0; # only tests which do not require internet access?
>
> # Quota limits to avoid bombs (like 42.zip)
>
> $MAXLEVELS = 14;
> $MAXFILES = 1500;
> $MIN_EXPANSION_QUOTA = 100*1024; # bytes
> $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes
>
> # You should:
> # Use D_DISCARD to discard data (viruses)
> # Use D_BOUNCE to generate local bounces by amavisd-new
> # Use D_REJECT to generate local or remote bounces by the calling MTA
> # Use D_PASS to deliver the message
> #
> # Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
> # mail to your account. Use D_BOUNCE instead, otherwise you are delegating
> # the bounce work to your friendly forwarders, which might not like
> it at all.
> #
> # On dual-MTA setups, one can often D_REJECT, as this just makes your own
> # MTA generate the bounce message. Test it first.
> #
> # Bouncing viruses is stupid, always discard them after you are sure the AV
> # is working correctly. Bouncing real SPAM is also useless, if you cannot
> # D_REJECT it (and don't D_REJECT mail coming from your forwarders!).
>
> $final_virus_destiny = D_REJECT; # (data not lost, see virus quarantine)
> $final_banned_destiny = D_REJECT;
> $final_spam_destiny = D_REJECT;
> #$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
>
> $enable_dkim_verification = 0; #disabled to prevent warning
>
> $virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
>
> # Set to empty ("") to add no header
> $X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
>
> # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
>
> #
> # DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
> #
> # These days, almost all viruses fake the envelope sender and mail headers.
> # Therefore, "virus notifications" became nothing but undesired, aggravating
> # SPAM. This holds true even inside one's domain. We disable them all by
> # default, except for the EICAR test pattern.
> #
>
> @viruses_that_fake_sender_maps = (new_RE(
> [qr'\bEICAR\b'i => 0], # av test pattern name
> [qr/.*/ => 1], # true for everything else
> ));
>
> @keep_decoded_original_maps = (new_RE(
> # qr'^MAIL$', # retain full original message for virus checking (can be slow)
> qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
> qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data', # don't trust Archive::Zip
> ));
>
>
> # for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
>
> $banned_filename_re = new_RE(
> # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
>
> # block certain double extensions anywhere in the base name
> qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
>
> qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
>
> qr'^application/x-msdownload$'i, # block these MIME types
> qr'^application/x-msdos-program$'i,
> qr'^application/hta$'i,
>
> # qr'^application/x-msmetafile$'i, # Windows Metafile MIME type
> # qr'^\.wmf$', # Windows Metafile file(1) type
>
> # qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types
>
> # [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed
> # [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
> # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives
> # [ qr'^application/x-zip-compressed$'i => 0], # allow any within such archives
>
> qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
> # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
> # inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
> # ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
> # wmf|wsc|wsf|wsh)$'ix, # banned ext - long
>
> # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
>
> qr'^\.(exe-ms)$', # banned file(1) types
> # qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
> );
> # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
> # and http://www.cknow.com/vtutor/vtextensions.htm
>
>
> # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
>
> @score_sender_maps = ({ # a by-recipient hash lookup table,
> # results from all matching recipient tables are summed
>
> # ## per-recipient personal tables (NOTE: positive: black, negative: white)
> # 'user1 at example.com' => [{'bla-mobile.press at example.com' => 10.0}],
> # 'user3 at example.com' => [{'.ebay.com' => -3.0}],
> # 'user4 at example.com' => [{'cleargreen at cleargreen.com' => -7.0,
> # '.cleargreen.com' => -5.0}],
>
> ## site-wide opinions about senders (the '.' matches any recipient)
> '.' => [ # the _first_ matching sender determines the score boost
>
> new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
> [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
> [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
> [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
> [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
> [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
> [qr'^(your_friend|greatoffers)@'i => 5.0],
> [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
> ),
>
> # read_hash("/var/amavis/sender_scores_sitewide"),
>
> # This are some examples for whitelists, since envelope senders can be forged
> # they are not enabled by default.
> { # a hash-type lookup table (associative array)
> #'nobody at cert.org' => -3.0,
> #'cert-advisory at us-cert.gov' => -3.0,
> #'owner-alert at iss.net' => -3.0,
> #'slashdot at slashdot.org' => -3.0,
> #'securityfocus.com' => -3.0,
> #'ntbugtraq at listserv.ntbugtraq.com' => -3.0,
> #'security-alerts at linuxsecurity.com' => -3.0,
> #'mailman-announce-admin at python.org' => -3.0,
> #'amavis-user-admin at lists.sourceforge.net'=> -3.0,
> #'amavis-user-bounces at lists.sourceforge.net' => -3.0,
> #'spamassassin.apache.org' => -3.0,
> #'notification-return at lists.sophos.com' => -3.0,
> #'owner-postfix-users at postfix.org' => -3.0,
> #'owner-postfix-announce at postfix.org' => -3.0,
> #'owner-sendmail-announce at lists.sendmail.org' => -3.0,
> #'sendmail-announce-request at lists.sendmail.org' => -3.0,
> #'donotreply at sendmail.org' => -3.0,
> #'ca+envelope at sendmail.org' => -3.0,
> #'noreply at freshmeat.net' => -3.0,
> #'owner-technews at postel.acm.org' => -3.0,
> #'ietf-123-owner at loki.ietf.org' => -3.0,
> #'cvs-commits-list-admin at gnome.org' => -3.0,
> #'rt-users-admin at lists.fsck.com' => -3.0,
> #'clp-request at comp.nus.edu.sg' => -3.0,
> #'surveys-errors at lists.nua.ie' => -3.0,
> #'emailnews at genomeweb.com' => -5.0,
> #'yahoo-dev-null at yahoo-inc.com' => -3.0,
> #'returns.groups.yahoo.com' => -3.0,
> #'clusternews at linuxnetworx.com' => -3.0,
> #lc('lvs-users-admin at LinuxVirtualServer.org') => -3.0,
> #lc('owner-textbreakingnews at CNNIMAIL12.CNN.COM') => -5.0,
>
> # soft-blacklisting (positive score)
> #'sender at example.net' => 3.0,
> #'.example.net' => 1.0,
>
> },
> ], # end of site-wide tables
> });
>
> 1; # ensure a defined return
----- End of message from Franz-Josef Vorspohl
<fj.vorspohl at vorspohl.com> -----
--
---------------------------------------
e-Mail : klaus at tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
---------------------------------------
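The pre-queue layout in the master.cf excerpt above (public smtpd proxying to AMaViS on 10024, a second listener on 10025 taking the mail back with content_filter and smtpd_proxy_filter cleared and recipient restrictions set to permit_mynetworks,reject) is easy to get subtly wrong, and a mail that silently vanishes or loops is the typical symptom. The checker below is an added example, not code from the list post or from AMaViS: it parses a master.cf text plus the amavisd $forward_method value and reports the mismatches; the master.cf sample is constructed to mirror the excerpt.

```python
import re

# Constructed sample modelled on the master.cf excerpt above; not from a live host.
MASTER_CF = """\
smtp      inet  n  -  n  -  20  smtpd
  -o smtpd_proxy_filter=192.168.0.70:10024
  -o smtp_send_xforward_command=yes
  -o content_filter=
192.168.0.60:10025 inet n - n - 20 smtpd
  -o content_filter=
  -o smtpd_proxy_filter=
  -o smtpd_authorized_xforward_hosts=192.168.0.0/24
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o receive_override_options=no_unknown_recipient_checks
"""
FORWARD_METHOD = "smtp:[192.168.0.60]:10025"   # amavisd $forward_method value

def parse_master_cf(text):
    """Map 'name/type' -> {'command': str, 'opts': {key: value}} per service entry."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                       # continuation line: -o key=value
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", raw)
            if m and current:
                services[current]["opts"][m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()                       # service type private unpriv chroot wakeup maxproc command
        if len(fields) >= 8:
            current = f"{fields[0]}/{fields[1]}"
            services[current] = {"command": fields[7], "opts": {}}
    return services

def check_prequeue(services, forward_method):
    """Return a list of findings; an empty list means the loop is wired as in the excerpt."""
    findings = []
    front = services.get("smtp/inet", {}).get("opts", {})
    if not front.get("smtpd_proxy_filter"):
        findings.append("smtp/inet: no smtpd_proxy_filter, mail is queued before any filtering")
    if front.get("content_filter", "unset") != "":
        findings.append("smtp/inet: content_filter should be set empty next to smtpd_proxy_filter")
    m = re.match(r"smtp:\[([^\]]+)\]:(\d+)$", forward_method)
    if not m:
        return findings + [f"unparseable $forward_method {forward_method!r}"]
    back = services.get(f"{m.group(1)}:{m.group(2)}/inet")
    if not back:
        return findings + [f"no master.cf listener on {m.group(1)}:{m.group(2)} for re-injection"]
    o = back["opts"]
    if o.get("content_filter", "unset") != "" or o.get("smtpd_proxy_filter", "unset") != "":
        findings.append("re-injection listener: content_filter/smtpd_proxy_filter not cleared (mail loop)")
    if "reject" not in o.get("smtpd_recipient_restrictions", "").split(","):
        findings.append("re-injection listener: restrictions should be permit_mynetworks,reject")
    return findings

if __name__ == "__main__":
    for line in check_prequeue(parse_master_cf(MASTER_CF), FORWARD_METHOD) or ["OK"]:
        print(line)
```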