Problem AMaVis


Franz-Josef Vorspohl

Hello pros,

I am working through the book: Das Postfix Buch Band 3. Peer Heinlein.

I am currently testing the following setup: the Postfix gateway should not accept spam and virus mails.

Internet ---- Postfix Mail Gateway / Spam Filter ----- Exchange server, local network

I am using Debian 10 with Postfix 3.4.7 and the tools from the Debian 10 repository.

Forwarding mail to the Exchange server already works flawlessly. I am now trying to get the AMAVIS filter running.

I am trying to follow everything, but I have been stuck on AMaVis for a very long time.

Ports 10024 (amavisd-new) and 10025 (Postfix) are open and seem to be fine. Telnet to them works.

To be honest, I do not understand how I am supposed to configure master.cf and main.cf according to the manual.

Could it be that nothing at all is entered in main.cf for AMaVis?

I want to filter e-mail pre-queue, i.e. not accept it in the first place, as is recommended. I tried sending the Eicar virus. The mail does not arrive, but no error is returned to the sender either. It looks as if it had arrived.

I think I have overlooked something; maybe someone can point me in the right direction…

Thanks

Franz

My configs:

 

[main.cf]
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail2.test.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, lin4.test.de, spamgate2.test.de, localhost.test.de, localhost
relayhost =
mynetworks = 127.0.0.0/8 192.168.26.0/24 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
html_directory = /usr/share/doc/postfix/html
relay_domains = hash:/etc/postfix/relay_domains
transport_maps = hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# example: https://www.syn-flut.de/mit-postfix-spam-blockieren

#smtpd_milters = inet:localhost:11332
#milter_default_action = accept
#
# debug page 201
# defer_if_permit
# defer_if_reject
# warn_if_reject # log entry instead of rejection
#

smtpd_recipient_restrictions =
                permit_mynetworks,
#             permit_sasl_authenticated,
#whitelist and blacklist here, after change file: postfix reload
# ****** global whitelist, no checks:
                # sender IP addresses
                check_client_access cidr:/etc/postfix/access-client,
                check_sender_access hash:/etc/postfix/check_sender,

#check for unclean mail
                reject_unauth_destination,
                reject_unauth_pipelining,
#             reject_unknown_helo_hostname,
                reject_invalid_hostname,
                reject_non_fqdn_hostname,
                reject_non_fqdn_recipient,
                reject_unknown_sender_domain,
                reject_unknown_client_hostname,
#             permit_dnswl_client list.dnswl.org,
# ****** whitelist for blacklists
                check_client_access cidr:/etc/postfix/whitelist-rbl,
                reject_rbl_client ix.dnsbl.manitu.net,
                reject_rbl_client zen.spamhaus.org,
                reject_rbl_client b.barracudacentral.org,
                reject_rbl_client bl.spamcop.net,
                reject_rbl_client psbl.surriel.com,
                reject_rbl_client noptr.spamrats.com,
                reject_rbl_client dyna.spamrats.com,
                reject_rbl_client dnsbl.sorbs.net
# greylist, delays new mail servers by 10 minutes
                check_policy_service inet:127.0.0.1:10023,
                permit
#Return 4xx on errors. For large tests
soft_bounce = no
# ********+ redirect arbitrary mail with virtual_maps
# Postfix book, from page 113

##### ******** Amavis

 

[postconf -n]
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = $myhostname, lin4.test.de, spamgate2.test.de, localhost.test.de, localhost
myhostname = mail2.test.de
mynetworks = 127.0.0.0/8 192.168.26.0/24 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_mynetworks, check_client_access cidr:/etc/postfix/access-client, check_sender_access hash:/etc/postfix/check_sender, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_client_hostname, check_client_access cidr:/etc/postfix/whitelist-rbl, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rbl_client psbl.surriel.com, reject_rbl_client noptr.spamrats.com, reject_rbl_client dyna.spamrats.com, reject_rbl_client dnsbl.sorbs.net check_policy_service inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
transport_maps = hash:/etc/postfix/relay_domains

 

(***

Config for AMAVIS:

****)

[15-content-filter-mode]
use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:

#@bypass_spam_checks_maps = (
#   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return

 

[20-debian_defaults]
use strict;

# ADMINISTRATORS:
# Debian suggests that any changes you need to do that should never
# be "updated" by the Debian package should be made in another file,
# overriding the settings in this file.
#
# The package will *not* overwrite your settings, but by keeping
# them separate, you will make the task of merging changes on these
# configuration files much simpler...

#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
#       a list of all variables with their defaults;
#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
#       a traditional-style commented file
#   [note: the above files were not converted to Debian settings!]
#
#   for more details see documentation in /usr/share/doc/amavisd-new
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html

$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listening socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

# Quota limits to avoid bombs (like 42.zip)

$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes

# You should:
#   Use D_DISCARD to discard data (viruses)
#   Use D_BOUNCE to generate local bounces by amavisd-new
#   Use D_REJECT to generate local or remote bounces by the calling MTA
#   Use D_PASS to deliver the message
#
# Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
# mail to your account.  Use D_BOUNCE instead, otherwise you are delegating
# the bounce work to your friendly forwarders, which might not like it at all.
#
# On dual-MTA setups, one can often D_REJECT, as this just makes your own
# MTA generate the bounce message.  Test it first.
#
# Bouncing viruses is stupid, always discard them after you are sure the AV
# is working correctly.  Bouncing real SPAM is also useless, if you cannot
# D_REJECT it (and don't D_REJECT mail coming from your forwarders!).

$final_virus_destiny      = D_REJECT;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_REJECT;
#$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

$enable_dkim_verification = 0; #disabled to prevent warning

$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default

# Set to empty ("") to add no header
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";

# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS

#
# DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
#
# These days, almost all viruses fake the envelope sender and mail headers.
# Therefore, "virus notifications" became nothing but undesired, aggravating
# SPAM.  This holds true even inside one's domain.  We disable them all by
# default, except for the EICAR test pattern.
#

@viruses_that_fake_sender_maps = (new_RE(
  [qr'\bEICAR\b'i => 0],            # av test pattern name
  [qr/.*/ => 1],  # true for everything else
));

@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));

# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample

$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^application/x-msmetafile$'i,           # Windows Metafile MIME type
# qr'^\.wmf$',                               # Windows Metafile file(1) type

# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
# [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm

# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# '[hidden email]'  => [{'[hidden email]' => 10.0}],
# '[hidden email]'  => [{'.ebay.com'                 => -3.0}],
# '[hidden email]'  => [{'[hidden email]' => -7.0,
#                           '.cleargreen.com'           => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

# This are some examples for whitelists, since envelope senders can be forged
# they are not enabled by default.
   { # a hash-type lookup table (associative array)
     #'[hidden email]'                        => -3.0,
     #'[hidden email]'              => -3.0,
     #'[hidden email]'                    => -3.0,
     #'[hidden email]'                  => -3.0,
     #'securityfocus.com'                      => -3.0,
     #'[hidden email]'       => -3.0,
     #'[hidden email]'      => -3.0,
     #'[hidden email]'      => -3.0,
     #'[hidden email]'=> -3.0,
     #'[hidden email]' => -3.0,
     #'spamassassin.apache.org'                => -3.0,
     #'[hidden email]'   => -3.0,
     #'[hidden email]'        => -3.0,
     #'[hidden email]'     => -3.0,
     #'[hidden email]'   => -3.0,
     #'[hidden email]' => -3.0,
     #'[hidden email]'                => -3.0,
     #'ca+[hidden email]'               => -3.0,
     #'[hidden email]'                  => -3.0,
     #'[hidden email]'          => -3.0,
     #'[hidden email]'           => -3.0,
     #'[hidden email]'       => -3.0,
     #'[hidden email]'          => -3.0,
     #'[hidden email]'            => -3.0,
     #'[hidden email]'            => -3.0,
     #'[hidden email]'                => -5.0,
     #'[hidden email]'           => -3.0,
     #'returns.groups.yahoo.com'               => -3.0,
     #'[hidden email]'           => -3.0,
     #lc('[hidden email]')    => -3.0,
     #lc('[hidden email]') => -5.0,

     # soft-blacklisting (positive score)
     #'[hidden email]'                     =>  3.0,
     #'.example.net'                           =>  1.0,

   },
  ],  # end of site-wide tables
});

1;  # ensure a defined return
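
An added example, not part of the original post: pre-queue filtering of the kind asked about above is wired in master.cf, through smtpd_proxy_filter on the public smtp service plus a second smtpd listener that takes the scanned mail back. The code below checks a master.cf text for that wiring; the sample files and function names are constructed for illustration, and the re-injection port defaults to the 10025 named in the post.

```python
"""Check a Postfix master.cf for pre-queue (smtpd_proxy_filter) wiring."""

# Constructed samples, not taken from the poster's system. Only the
# "-o name=value" override form is handled, not "-o { name = value }".
UNWIRED = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
"""

WIRED = """\
smtp      inet  n       -       n       -       20      smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
127.0.0.1:10025 inet n  -       n       -       20      smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
"""

# Same as WIRED, but the listener binds to all interfaces and has no reject.
OPEN_REINJECT = WIRED.replace("127.0.0.1:10025", "10025").replace(
    "    -o smtpd_recipient_restrictions=permit_mynetworks,reject\n", "")

LOOPBACK = ("127.0.0.1", "[::1]", "localhost")


def parse_master_cf(text):
    """Return one dict per service: host, port, type, command, overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # leading whitespace continues
        else:
            logical.append(raw.strip())
    services = []
    for line in logical:
        fields = line.split()
        if len(fields) < 8:               # not a complete service entry
            continue
        args = fields[8:]
        overrides = {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                key, _, val = value.partition("=")
                overrides[key] = val
        host, _, port = fields[0].rpartition(":")
        services.append({"host": host, "port": port, "type": fields[1],
                         "command": fields[7], "overrides": overrides})
    return services


def check_prequeue(text, reinject_port="10025"):
    """Return a list of findings; an empty list means the wiring looks sane."""
    smtpd = [s for s in parse_master_cf(text)
             if s["type"] == "inet" and s["command"] == "smtpd"]
    findings = []

    public = [s for s in smtpd if s["port"] in ("smtp", "25")]
    if not public:
        findings.append("no public smtpd service on port 25")
    for s in public:
        if not s["overrides"].get("smtpd_proxy_filter"):
            findings.append("public smtp: smtpd_proxy_filter not set, "
                            "nothing is scanned before the queue")

    back = [s for s in smtpd if s["port"] == reinject_port]
    if not back:
        findings.append("no smtpd listener on port %s for re-injection"
                        % reinject_port)
    for s in back:
        o = s["overrides"]
        for key in ("smtpd_proxy_filter", "content_filter"):
            if o.get(key) != "":
                findings.append("re-injection: %s not cleared, filtered "
                                "mail could be filtered again" % key)
        # Heuristic: a listener reachable from other hosts needs a final reject.
        restricted = any("reject" in o.get(k, "").split(",")
                         for k in ("smtpd_client_restrictions",
                                   "smtpd_recipient_restrictions"))
        if s["host"] not in LOOPBACK and not restricted:
            findings.append("re-injection: reachable beyond loopback without "
                            "a final reject, filter can be bypassed")
    return findings


if __name__ == "__main__":
    for label, cf in (("UNWIRED", UNWIRED), ("WIRED", WIRED),
                      ("OPEN_REINJECT", OPEN_REINJECT)):
        print(label, check_prequeue(cf) or "ok")
```
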


Re: Problem AMaVis

Klaus Tachtler

Hello Franz-Josef,

I can't find your Postfix configuration (master.cf)?

You should have something like the following in your master.cf:

https://dokuwiki.tachtler.net/doku.php?id=tachtler:postfix_centos_6#amavis_einbinden

(!!! That is how I used to do it too - BETTER: AMaViS-MILTER, see
further below !!!)

---- %< Example - excerpt from master.cf ----

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Tachtler
# default: smtp      inet  n       -       n       -       -       smtpd
# AMaViS - Incoming and forward to AMaViS listen on Port 10024
smtp      inet  n       -       n       -       20       smtpd
         -o smtpd_proxy_filter=192.168.0.70:10024
         -o smtp_send_xforward_command=yes
         -o content_filter=
# Tachtler
# AMaViS - Outgoing from AMaViS, BACK to Postfix
192.168.0.60:10025 inet  n       -       n       -       20       smtpd
         -o content_filter=
         -o smtpd_proxy_filter=
         -o smtpd_authorized_xforward_hosts=192.168.0.0/24
         -o smtpd_client_restrictions=
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o smtpd_data_restrictions=
         -o mynetworks=0.0.0.0/32,127.0.0.0/8,192.168.0.0/24
         -o receive_override_options=no_unknown_recipient_checks

etc. ...

---- Example - excerpt from master.cf >% ----

Do you have something like this in your AMaViS configuration -->

$forward_method = 'smtp:[192.168.0.60]:10025';
$notify_method  = 'smtp:[192.168.0.60]:10025';

(Returning messages to Postfix; I did not see that!)

More convenient and, in my opinion, BETTER would be to use an
AMaViS-MILTER, as described under the following links, also from my
DokuWiki, which I once put together for myself:

AMaViS CentOS 7
===============

https://dokuwiki.tachtler.net/doku.php?id=tachtler:amavis_centos_7

Configuration: amavisd-milter
=============================

https://dokuwiki.tachtler.net/doku.php?id=tachtler:amavis_centos_7#konfigurationamavisd-milter

Postfix CentOS 7 - Connecting AMaViS (amavisd-milter)
=====================================================

https://dokuwiki.tachtler.net/doku.php?id=tachtler:postfix_centos_7_-_amavis_anbinden_amavisd-milter


Regards
Klaus.


> Hello pros,
>
> I am working through the book: Das Postfix Buch Band 3. Peer Heinlein.
> I am currently testing the following setup: the Postfix gateway
> should not accept spam and virus mails
>
> Internet ---- Postfix Mail Gateway / Spam Filter ----- Exchange
> server, local network
>
> I am using Debian 10 with Postfix 3.4.7
> and the tools from the Debian 10 repository.
>
> Forwarding mail to the Exchange server already works flawlessly.
> I am now trying to get the AMAVIS filter running.
>
> I am trying to follow everything, but I have been stuck on AMaVis
> for a very long time.
>
> Ports 10024 (amavisd-new) and 10025 (Postfix) are open and
> seem to be fine. Telnet to them works.
>
> To be honest, I do not understand how I am supposed to configure
> master.cf and main.cf according to the manual.
>
> Could it be that nothing at all is entered in main.cf for AMaVis?
>
> I want to filter e-mail pre-queue, i.e. not accept it in the first
> place, as is recommended. I tried sending the Eicar virus. The mail
> does not arrive, but no error is returned to the sender either.
> It looks as if it had arrived.
>
> I think I have overlooked something; maybe someone can point me in
> the right direction...
>
> Thanks
> Franz
>
> My configs:
>
> [main.cf]
> # See /usr/share/postfix/main.cf.dist for a commented, more complete version
>
> # Debian specific:  Specifying a file name will cause the first
> # line of that file to be used as the name.  The Debian default
> # is /etc/mailname.
> #myorigin = /etc/mailname
>
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> biff = no
>
> # appending .domain is the MUA's job.
> append_dot_mydomain = no
>
> # Uncomment the next line to generate "delayed mail" warnings
> #delay_warning_time = 4h
>
> readme_directory = /usr/share/doc/postfix
>
> # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
> # fresh installs.
> compatibility_level = 2
>
>
>
> # TLS parameters
> smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
> # information on enabling SSL in the smtp client.
>
> smtpd_relay_restrictions = permit_mynetworks
> permit_sasl_authenticated defer_unauth_destination
> myhostname = mail2.test.de
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = $myhostname, lin4.test.de, spamgate2.test.de,
> localhost.test.de, localhost
> relayhost =
> mynetworks = 127.0.0.0/8 192.168.26.0/24 [::ffff:127.0.0.0]/104 [::1]/128
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
> inet_protocols = all
> html_directory = /usr/share/doc/postfix/html
> relay_domains = hash:/etc/postfix/relay_domains
> transport_maps = hash:/etc/postfix/relay_domains
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> # example: https://www.syn-flut.de/mit-postfix-spam-blockieren
>
> #smtpd_milters = inet:localhost:11332
> #milter_default_action = accept
> #
> # debug page 201
> # defer_if_permit
> # defer_if_reject
> # warn_if_reject # log entry instead of rejection
> #
>
> smtpd_recipient_restrictions =
>                 permit_mynetworks,
> #             permit_sasl_authenticated,
> #whitelist and blacklist here, after change file: postfix reload
> # ****** global whitelist, no checks:
>                 # sender IP addresses
>                 check_client_access cidr:/etc/postfix/access-client,
>                 check_sender_access hash:/etc/postfix/check_sender,
>
> #check for unclean mail
>                 reject_unauth_destination,
>                 reject_unauth_pipelining,
> #             reject_unknown_helo_hostname,
>                 reject_invalid_hostname,
>                 reject_non_fqdn_hostname,
>                 reject_non_fqdn_recipient,
>                 reject_unknown_sender_domain,
>                 reject_unknown_client_hostname,
> #             permit_dnswl_client list.dnswl.org,
> # ****** whitelist for blacklists
>                 check_client_access cidr:/etc/postfix/whitelist-rbl,
>                 reject_rbl_client ix.dnsbl.manitu.net,
>                 reject_rbl_client zen.spamhaus.org,
>                 reject_rbl_client b.barracudacentral.org,
>                 reject_rbl_client bl.spamcop.net,
>                 reject_rbl_client psbl.surriel.com,
>                 reject_rbl_client noptr.spamrats.com,
>                 reject_rbl_client dyna.spamrats.com,
>                 reject_rbl_client dnsbl.sorbs.net
> # greylist, delays new mail servers by 10 minutes
>                 check_policy_service inet:127.0.0.1:10023,
>                 permit
> #Return 4xx on errors. For large tests
> soft_bounce = no
> # ********+ redirect arbitrary mail with virtual_maps
> # Postfix book, from page 113
>
> ##### ******** Amavis
>
> [postconf -n]
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> compatibility_level = 2
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> inet_protocols = all
> mailbox_size_limit = 0
> mydestination = $myhostname, lin4.test.de, spamgate2.test.de,
> localhost.test.de, localhost
> myhostname = mail2.test.de
> mynetworks = 127.0.0.0/8 192.168.26.0/24 [::ffff:127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relay_domains = hash:/etc/postfix/relay_domains
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> relayhost =
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_recipient_restrictions = permit_mynetworks,
> check_client_access cidr:/etc/postfix/access-client,
> check_sender_access hash:/etc/postfix/check_sender,
> reject_unauth_destination, reject_unauth_pipelining,
> reject_invalid_hostname, reject_non_fqdn_hostname,
> reject_non_fqdn_recipient, reject_unknown_sender_domain,
> reject_unknown_client_hostname, check_client_access
> cidr:/etc/postfix/whitelist-rbl, reject_rbl_client
> ix.dnsbl.manitu.net, reject_rbl_client zen.spamhaus.org,
> reject_rbl_client b.barracudacentral.org, reject_rbl_client
> bl.spamcop.net, reject_rbl_client psbl.surriel.com,
> reject_rbl_client noptr.spamrats.com, reject_rbl_client
> dyna.spamrats.com, reject_rbl_client dnsbl.sorbs.net
> check_policy_service inet:127.0.0.1:10023, permit
> smtpd_relay_restrictions = permit_mynetworks
> permit_sasl_authenticated defer_unauth_destination
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> soft_bounce = no
> transport_maps = hash:/etc/postfix/relay_domains
>
> (***
>
> Config for AMAVIS:
>
>
> ****)
>
>
> [15-content-filter-mode]
> use strict;
>
> # You can modify this file to re-enable SPAM checking through spamassassin
> # and to re-enable antivirus checking.
>
> #
> # Default antivirus checking mode
> # Please note, that anti-virus checking is DISABLED by
> # default.
> # If You wish to enable it, please uncomment the following lines:
>
>
> @bypass_virus_checks_maps = (
>    \%bypass_virus_checks, \@bypass_virus_checks_acl,
> \$bypass_virus_checks_re);
>
>
> #
> # Default SPAM checking mode
> # Please note, that anti-spam checking is DISABLED by
> # default.
> # If You wish to enable it, please uncomment the following lines:
>
>
> #@bypass_spam_checks_maps = (
> #   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
>
> 1;  # ensure a defined return
>
> [20-debian_defaults]
> use strict;
>
> # ADMINISTRATORS:
> # Debian suggests that any changes you need to do that should never
> # be "updated" by the Debian package should be made in another file,
> # overriding the settings in this file.
> #
> # The package will *not* overwrite your settings, but by keeping
> # them separate, you will make the task of merging changes on these
> # configuration files much simpler...
>
> #   see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
> #       a list of all variables with their defaults;
> #   see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
> #       a traditional-style commented file
> #   [note: the above files were not converted to Debian settings!]
> #
> #   for more details see documentation in /usr/share/doc/amavisd-new
> #   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
>
> $QUARANTINEDIR = "$MYHOME/virusmails";
> $quarantine_subdir_levels = 1; # enable quarantine dir hashing
>
> $log_recip_templ = undef;    # disable by-recipient level-0 log entries
> $DO_SYSLOG = 1;              # log via syslogd (preferred)
> $syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
> $syslog_facility = 'mail';
> $syslog_priority = 'debug';  # switch to info to drop debug output, etc
>
> $enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP
> and nanny)
> $enable_global_cache = 1;    # enable use of libdb-based cache if
> $enable_db=1
>
> $inet_socket_port = 10024;   # default listening socket
>
> $sa_spam_subject_tag = '***SPAM*** ';
> $sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above
> that level
> $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
> $sa_kill_level_deflt = 6.31; # triggers spam evasive actions
> $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
>
> $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if
> mail is larger
> $sa_local_tests_only = 0;    # only tests which do not require
> internet access?
>
> # Quota limits to avoid bombs (like 42.zip)
>
> $MAXLEVELS = 14;
> $MAXFILES = 1500;
> $MIN_EXPANSION_QUOTA =      100*1024;  # bytes
> $MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes
>
> # You should:
> #   Use D_DISCARD to discard data (viruses)
> #   Use D_BOUNCE to generate local bounces by amavisd-new
> #   Use D_REJECT to generate local or remote bounces by the calling MTA
> #   Use D_PASS to deliver the message
> #
> # Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
> # mail to your account.  Use D_BOUNCE instead, otherwise you are delegating
> # the bounce work to your friendly forwarders, which might not like
> it at all.
> #
> # On dual-MTA setups, one can often D_REJECT, as this just makes your own
> # MTA generate the bounce message.  Test it first.
> #
> # Bouncing viruses is stupid, always discard them after you are sure the AV
> # is working correctly.  Bouncing real SPAM is also useless, if you cannot
> # D_REJECT it (and don't D_REJECT mail coming from your forwarders!).
>
> $final_virus_destiny      = D_REJECT;  # (data not lost, see virus
> quarantine)
> $final_banned_destiny     = D_REJECT;
> $final_spam_destiny       = D_REJECT;
> #$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
>
> $enable_dkim_verification = 0; #disabled to prevent warning
>
> $virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
>
> # Set to empty ("") to add no header
> $X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
>
> # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
>
> #
> # DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
> #
> # These days, almost all viruses fake the envelope sender and mail headers.
> # Therefore, "virus notifications" became nothing but undesired, aggravating
> # SPAM.  This holds true even inside one's domain.  We disable them all by
> # default, except for the EICAR test pattern.
> #
>
> @viruses_that_fake_sender_maps = (new_RE(
>   [qr'\bEICAR\b'i => 0],            # av test pattern name
>   [qr/.*/ => 1],  # true for everything else
> ));
>
> @keep_decoded_original_maps = (new_RE(
> # qr'^MAIL$',   # retain full original message for virus checking (can be slow)
>   qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data',     # don't trust Archive::Zip
> ));
>
>
> # for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
>
> $banned_filename_re = new_RE(
> # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
>
>   # block certain double extensions anywhere in the base name
>   qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
>
>   qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
>
>   qr'^application/x-msdownload$'i,                  # block these MIME types
>   qr'^application/x-msdos-program$'i,
>   qr'^application/hta$'i,
>
> # qr'^application/x-msmetafile$'i,           # Windows Metafile MIME type
> # qr'^\.wmf$',                               # Windows Metafile file(1) type
>
> # qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types
>
> # [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
> # [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
> # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
> # [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives
>
>   qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
> # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
> #        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
> #        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
> #        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
>
> # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
>
>   qr'^\.(exe-ms)$',                       # banned file(1) types
> # qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
> );
> # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
> # and http://www.cknow.com/vtutor/vtextensions.htm
>
>
> # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
>
> @score_sender_maps = ({ # a by-recipient hash lookup table,
>                         # results from all matching recipient tables are summed
>
> # ## per-recipient personal tables  (NOTE: positive: black, negative: white)
> # '[hidden email]'  => [{'[hidden email]' => 10.0}],
> # '[hidden email]'  => [{'.ebay.com'                 => -3.0}],
> # '[hidden email]'  => [{'[hidden email]' => -7.0,
> #                           '.cleargreen.com'           => -5.0}],
>
>   ## site-wide opinions about senders (the '.' matches any recipient)
>   '.' => [  # the _first_ matching sender determines the score boost
>
>    new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
>     [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
>     [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
>     [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
>     [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
>     [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
>     [qr'^(your_friend|greatoffers)@'i                                => 5.0],
>     [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
>    ),
>
> #  read_hash("/var/amavis/sender_scores_sitewide"),
>
> # These are some examples for whitelists; since envelope senders can be forged,
> # they are not enabled by default.
>    { # a hash-type lookup table (associative array)
>      #'[hidden email]'                        => -3.0,
>      #'[hidden email]'              => -3.0,
>      #'[hidden email]'                    => -3.0,
>      #'[hidden email]'                  => -3.0,
>      #'securityfocus.com'                      => -3.0,
>      #'[hidden email]'       => -3.0,
>      #'[hidden email]'      => -3.0,
>      #'[hidden email]'      => -3.0,
>      #'[hidden email]'=> -3.0,
>      #'[hidden email]' => -3.0,
>      #'spamassassin.apache.org'                => -3.0,
>      #'[hidden email]'   => -3.0,
>      #'[hidden email]'        => -3.0,
>      #'[hidden email]'     => -3.0,
>      #'[hidden email]'   => -3.0,
>      #'[hidden email]' => -3.0,
>      #'[hidden email]'                => -3.0,
>      #'[hidden email]'               => -3.0,
>      #'[hidden email]'                  => -3.0,
>      #'[hidden email]'          => -3.0,
>      #'[hidden email]'           => -3.0,
>      #'[hidden email]'       => -3.0,
>      #'[hidden email]'          => -3.0,
>      #'[hidden email]'            => -3.0,
>      #'[hidden email]'            => -3.0,
>      #'[hidden email]'                => -5.0,
>      #'[hidden email]'           => -3.0,
>      #'returns.groups.yahoo.com'               => -3.0,
>      #'[hidden email]'           => -3.0,
>      #lc('[hidden email]')    => -3.0,
>      #lc('[hidden email]') => -5.0,
>
>      # soft-blacklisting (positive score)
>      #'[hidden email]'                     =>  3.0,
>      #'.example.net'                           =>  1.0,
>
>    },
>   ],  # end of site-wide tables
> });
>
> 1;  # ensure a defined return

----- End of message from Franz-Josef Vorspohl <[hidden email]> -----



--

---------------------------------------
e-Mail  : [hidden email]
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
---------------------------------------


AW: Problem AMaVis

Franz-Josef Vorspohl
Hi Klaus

The book doesn't cover the AMaViS-MILTER approach, does it?

Sorry, I seem to have forgotten the master.cf.

As a first step I would like to get it working the way the book describes, if that still works with the current versions, and then switch to a better solution if that makes sense.

Franz

[master.cf]
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}



# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
localhost:10025      inet  n       -       y       -       -       smtpd
        -o content_filter=
        -o smtpd_proxy_filter=
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_unknown_recipient_checks
       

-----Original Message-----
From: Postfixbuch-users <[hidden email]> On Behalf Of Klaus Tachtler
Sent: Tuesday, 4 February 2020 04:26
To: Diskussionen und Support rund um Postfix <[hidden email]>
Subject: Re: Problem AMaVis

Hello Franz-Josef,

I can't find your Postfix configuration (master.cf)?

You should have something like the following in your master.cf:

https://dokuwiki.tachtler.net/doku.php?id=tachtler:postfix_centos_6#amavis_einbinden

(!!! This is how I used to do it as well - BETTER: AMaViS-MILTER, see further below !!!)

---- %< Example - master.cf excerpt ----

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Tachtler
# default: smtp      inet  n       -       n       -       -       smtpd
# AMaViS - Incoming and forward to AMaViS listen on Port 10024
smtp      inet  n       -       n       -       20       smtpd
         -o smtpd_proxy_filter=192.168.0.70:10024
         -o smtp_send_xforward_command=yes
         -o content_filter=
# Tachtler
# AMaViS - Outgoing from AMaViS, BACK to Postfix
192.168.0.60:10025 inet  n       -       n       -       20       smtpd
         -o content_filter=
         -o smtpd_proxy_filter=
         -o smtpd_authorized_xforward_hosts=192.168.0.0/24
         -o smtpd_client_restrictions=
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o smtpd_data_restrictions=
         -o mynetworks=0.0.0.0/32,127.0.0.0/8,192.168.0.0/24
         -o receive_override_options=no_unknown_recipient_checks

etc. ...

---- Example - master.cf excerpt >% ----

Do you have something like this in your AMaViS configuration -->

$forward_method = 'smtp:[192.168.0.60]:10025';
$notify_method  = 'smtp:[192.168.0.60]:10025';

(Handing messages back to Postfix; I didn't see that!)

More convenient and, in my opinion, BETTER would be to use an AMaViS-MILTER, as described under the following links, also from my DokuWiki, which I once put together for myself:

AMaViS CentOS 7
===============

https://dokuwiki.tachtler.net/doku.php?id=tachtler:amavis_centos_7

Configuration: amavisd-milter
=============================

https://dokuwiki.tachtler.net/doku.php?id=tachtler:amavis_centos_7#konfigurationamavisd-milter

Postfix CentOS 7 - Connecting AMaViS (amavisd-milter)
=====================================================

https://dokuwiki.tachtler.net/doku.php?id=tachtler:postfix_centos_7_-_amavis_anbinden_amavisd-milter


Regards
Klaus.


> Hallo Profis,
>
> Ich beschäftige mich mit dem Buch: Das Postfix Buch Band 3. Peer Heinlein.
> Ich Test im Moment folgendes Setup: Das Postfix Gateway soll Spam und
> Virus Mails nicht annehmen
>
> Internet ---- Postfix Mail Gateway / Spam Filter ----- Exchange server
> lokales netz
>
> Ich nutze Debian 10 mit Postfix 3.4.7
> Und den Tools aus dem Debian 10 reposity.
>
> Die Weiterleitung von Mails auf den Exchange funktioniert schonmal
> einwandfrei. Ich versuche nun den AMAVIS Filter in Betrieb zu
> bekommen.
>
> Ich versuche alles nachzuvollziehen aber hänge schon sehr lange bei
> AMaVis fest.
>
> Ports 10024 (amavisd-new)  und 10025 (Postfix) sind offen und scheinen
> in Ordnung zu sein. Telnet darauf geht.
>
> Ich verstehe ehrlich gesagt nicht, wie ich nach Handbuch die master.cf
> und main.cf konfigurieren soll.
>
> Kann es sein, dass man in die main.cf gar nichts einträgt für AMaVis?
>
> Ich möchte die E-Mail Pre-Queue filtern. Also gar nicht erst annehmen,
> so wie das auch empfohlen wird. Ich habe den Eicar Virus versucht zu
> schicken. Die Mail kommt nicht an, es wird aber auch kein Fehler an
> den Sender zurückgegeben. Es sieht so aus, als wäre sie angekommen.
>
> Ich denke, ich habe etwas übersehen, vielleicht kann mir jemand auf
> die Sprünge helfen...
>
> Danke
> Franz
>
> Meine Configs:
>
> [main.cf]
> # See /usr/share/postfix/main.cf.dist for a commented, more complete
> version
>
> # Debian specific:  Specifying a file name will cause the first # line
> of that file to be used as the name.  The Debian default # is
> /etc/mailname.
> #myorigin = /etc/mailname
>
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no
>
> # appending .domain is the MUA's job.
> append_dot_mydomain = no
>
> # Uncomment the next line to generate "delayed mail" warnings
> #delay_warning_time = 4h
>
> readme_directory = /usr/share/doc/postfix
>
> # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2
> on # fresh installs.
> compatibility_level = 2
>
>
>
> # TLS parameters
> smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database =
> btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package
> for # information on enabling SSL in the smtp client.
>
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> defer_unauth_destination myhostname = mail2.test.de alias_maps =
> hash:/etc/aliases alias_database = hash:/etc/aliases myorigin =
> /etc/mailname mydestination = $myhostname, lin4.test.de,
> spamgate2.test.de, localhost.test.de, localhost relayhost = mynetworks
> = 127.0.0.0/8 192.168.26.0/24 [::ffff:127.0.0.0]/104 [::1]/128
> mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all
> inet_protocols = all html_directory = /usr/share/doc/postfix/html
> relay_domains = hash:/etc/postfix/relay_domains transport_maps =
> hash:/etc/postfix/relay_domains relay_recipient_maps =
> hash:/etc/postfix/relay_recipients
> # example: https://www.syn-flut.de/mit-postfix-spam-blockieren
>
> #smtpd_milters = inet:localhost:11332
> #milter_default_action = accept
> #
> # debug Seite 201
> # defer_if_permit
> # defer_if_reject
> # warn_if_reject # Eintrag im Logbuch statt Zurückweisung #
>
> smtpd_recipient_restrictions =
>                 permit_mynetworks,
> #             permit_sasl_authenticated,
> #whitelist and blacklist here, after change file: postfix reload #
> ****** global whitelist, no checks:
>                 # ip adressen Sender
>                 check_client_access cidr:/etc/postfix/access-client,
>                 check_sender_access hash:/etc/postfix/check_sender,
>
> #pruefe unsaubere Mail
>                 reject_unauth_destination,
>                 reject_unauth_pipelining,
> #             reject_unknown_helo_hostname,
>                 reject_invalid_hostname,
>                 reject_non_fqdn_hostname,
>                 reject_non_fqdn_recipient,
>                 reject_unknown_sender_domain,
>                 reject_unknown_client_hostname,
> #             permit_dnswl_client list.dnswl.org,
> # ****** whitelist for blacklists
>                 check_client_access cidr:/etc/postfix/whitelist-rbl,
>                 reject_rbl_client ix.dnsbl.manitu.net,
>                 reject_rbl_client zen.spamhaus.org,
>                 reject_rbl_client b.barracudacentral.org,
>                 reject_rbl_client bl.spamcop.net,
>                 reject_rbl_client psbl.surriel.com,
>                 reject_rbl_client noptr.spamrats.com,
>                 reject_rbl_client dyna.spamrats.com,
>                 reject_rbl_client dnsbl.sorbs.net # greylist,
> verzögert neue Mailserver um 10 Minuten
>                 check_policy_service inet:127.0.0.1:10023,
>                 permit
> #Bei Fehler 4xx zurück geben. Für große Tests soft_bounce = no #
> ********+ mit virutal_maps beliebige Mails umleiten # Postfixbuch ab
> Seite 113
>
> ##### ******** Amavis
>
> [ponstconf -n]
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> compatibility_level = 2
> html_directory = /usr/share/doc/postfix/html inet_interfaces = all
> inet_protocols = all mailbox_size_limit = 0 mydestination =
> $myhostname, lin4.test.de, spamgate2.test.de, localhost.test.de,
> localhost myhostname = mail2.test.de mynetworks = 127.0.0.0/8
> 192.168.26.0/24 [::ffff:127.0.0.0]/104 [::1]/128 myorigin =
> /etc/mailname readme_directory = /usr/share/doc/postfix
> recipient_delimiter = + relay_domains =
> hash:/etc/postfix/relay_domains relay_recipient_maps =
> hash:/etc/postfix/relay_recipients
> relayhost =
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_recipient_restrictions = permit_mynetworks, check_client_access
> cidr:/etc/postfix/access-client, check_sender_access
> hash:/etc/postfix/check_sender, reject_unauth_destination,
> reject_unauth_pipelining, reject_invalid_hostname,
> reject_non_fqdn_hostname, reject_non_fqdn_recipient,
> reject_unknown_sender_domain, reject_unknown_client_hostname,
> check_client_access cidr:/etc/postfix/whitelist-rbl, reject_rbl_client
> ix.dnsbl.manitu.net, reject_rbl_client zen.spamhaus.org,
> reject_rbl_client b.barracudacentral.org, reject_rbl_client
> bl.spamcop.net, reject_rbl_client psbl.surriel.com, reject_rbl_client
> noptr.spamrats.com, reject_rbl_client dyna.spamrats.com,
> reject_rbl_client dnsbl.sorbs.net check_policy_service
> inet:127.0.0.1:10023, permit smtpd_relay_restrictions =
> permit_mynetworks permit_sasl_authenticated defer_unauth_destination
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database =
> btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> soft_bounce = no
> transport_maps = hash:/etc/postfix/relay_domains
>
> (***
>
> Config zu AMAVIS:
>
>
> ****)
>
>
> [15-content-filter-mode]
> use strict;
>
> # You can modify this file to re-enable SPAM checking through
> spamassassin # and to re-enable antivirus checking.
>
> #
> # Default antivirus checking mode
> # Please note, that anti-virus checking is DISABLED by # default.
> # If You wish to enable it, please uncomment the following lines:
>
>
> @bypass_virus_checks_maps = (
>    \%bypass_virus_checks, \@bypass_virus_checks_acl,  
> \$bypass_virus_checks_re);
>
>
> #
> # Default SPAM checking mode
> # Please note, that anti-spam checking is DISABLED by
> # default.
> # If You wish to enable it, please uncomment the following lines:
>
>
> #@bypass_spam_checks_maps = (
> #   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
>
> 1;  # ensure a defined return
>
> [20-debian_defaults]
> use strict;
>
> # ADMINISTRATORS:
> # Debian suggests that any changes you need to do that should never
> # be "updated" by the Debian package should be made in another file,
> # overriding the settings in this file.
> #
> # The package will *not* overwrite your settings, but by keeping
> # them separate, you will make the task of merging changes on these
> # configuration files much simpler...
>
> #   see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
> #       a list of all variables with their defaults;
> #   see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
> #       a traditional-style commented file
> #   [note: the above files were not converted to Debian settings!]
> #
> #   for more details see documentation in /usr/share/doc/amavisd-new
> #   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
>
> $QUARANTINEDIR = "$MYHOME/virusmails";
> $quarantine_subdir_levels = 1; # enable quarantine dir hashing
>
> $log_recip_templ = undef;    # disable by-recipient level-0 log entries
> $DO_SYSLOG = 1;              # log via syslogd (preferred)
> $syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
> $syslog_facility = 'mail';
> $syslog_priority = 'debug';  # switch to info to drop debug output, etc
>
> $enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP  
> and nanny)
> $enable_global_cache = 1;    # enable use of libdb-based cache if  
> $enable_db=1
>
> $inet_socket_port = 10024;   # default listening socket
>
> $sa_spam_subject_tag = '***SPAM*** ';
> $sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above  
> that level
> $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
> $sa_kill_level_deflt = 6.31; # triggers spam evasive actions
> $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
>
> $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if  
> mail is larger
> $sa_local_tests_only = 0;    # only tests which do not require  
> internet access?
>
> # Quota limits to avoid bombs (like 42.zip)
>
> $MAXLEVELS = 14;
> $MAXFILES = 1500;
> $MIN_EXPANSION_QUOTA =      100*1024;  # bytes
> $MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes
>
> # You should:
> #   Use D_DISCARD to discard data (viruses)
> #   Use D_BOUNCE to generate local bounces by amavisd-new
> #   Use D_REJECT to generate local or remote bounces by the calling MTA
> #   Use D_PASS to deliver the message
> #
> # Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
> # mail to your account.  Use D_BOUNCE instead, otherwise you are delegating
> # the bounce work to your friendly forwarders, which might not like  
> it at all.
> #
> # On dual-MTA setups, one can often D_REJECT, as this just makes your own
> # MTA generate the bounce message.  Test it first.
> #
> # Bouncing viruses is stupid, always discard them after you are sure the AV
> # is working correctly.  Bouncing real SPAM is also useless, if you cannot
> # D_REJECT it (and don't D_REJECT mail coming from your forwarders!).
>
> $final_virus_destiny      = D_REJECT;  # (data not lost, see virus  
> quarantine)
> $final_banned_destiny     = D_REJECT;
> $final_spam_destiny       = D_REJECT;
> #$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
>
> $enable_dkim_verification = 0; #disabled to prevent warning
>
> $virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
>
> # Set to empty ("") to add no header
> $X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
>
> # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
>
> #
> # DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
> #
> # These days, almost all viruses fake the envelope sender and mail headers.
> # Therefore, "virus notifications" became nothing but undesired, aggravating
> # SPAM.  This holds true even inside one's domain.  We disable them all by
> # default, except for the EICAR test pattern.
> #
>
> @viruses_that_fake_sender_maps = (new_RE(
>   [qr'\bEICAR\b'i => 0],            # av test pattern name
>   [qr/.*/ => 1],  # true for everything else
> ));
>
> @keep_decoded_original_maps = (new_RE(
> # qr'^MAIL$',   # retain full original message for virus checking  
> (can be slow)
>   qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains  
> undecipherables
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data',     # don't trust Archive::Zip
> ));
>
>
> # for $banned_namepath_re, a new-style of banned table, see  
> amavisd.conf-sample
>
> $banned_filename_re = new_RE(
> # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
>
>   # block certain double extensions anywhere in the base name
>   qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
>
>   qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows  
> Class ID CLSID, strict
>
>   qr'^application/x-msdownload$'i,                  # block these MIME types
>   qr'^application/x-msdos-program$'i,
>   qr'^application/hta$'i,
>
> # qr'^application/x-msmetafile$'i,           # Windows Metafile MIME type
> # qr'^\.wmf$',                                                  #  
> Windows Metafile file(1) type
>
> # qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types
>
> # [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
> # [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
> # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
> # [ qr'^application/x-zip-compressed$'i => 0],  # allow any within  
> such archives
>
>   qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
> # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
> #        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
> #        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
> #        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
>
> # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension -  
> WinZip vulnerab.
>
>   qr'^\.(exe-ms)$',                       # banned file(1) types
> # qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
> );
> # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
> # and http://www.cknow.com/vtutor/vtextensions.htm
>
>
> # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
>
> @score_sender_maps = ({ # a by-recipient hash lookup table,
>                         # results from all matching recipient tables  
> are summed
>
> # ## per-recipient personal tables  (NOTE: positive: black, negative: white)
> # '[hidden email]'  => [{'[hidden email]' => 10.0}],
> # '[hidden email]'  => [{'.ebay.com'                 => -3.0}],
> # '[hidden email]'  => [{'[hidden email]' => -7.0,
> #                           '.cleargreen.com'           => -5.0}],
>
>   ## site-wide opinions about senders (the '.' matches any recipient)
>   '.' => [  # the _first_ matching sender determines the score boost
>
>    new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
>     [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
>     [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
>     [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
>     [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
>     [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
>     [qr'^(your_friend|greatoffers)@'i                                => 5.0],
>     [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
>    ),
>
> #  read_hash("/var/amavis/sender_scores_sitewide"),
>
> # This are some examples for whitelists, since envelope senders can be forged
> # they are not enabled by default.
>    { # a hash-type lookup table (associative array)
>      #'[hidden email]'                        => -3.0,
>      #'[hidden email]'              => -3.0,
>      #'[hidden email]'                    => -3.0,
>      #'[hidden email]'                  => -3.0,
>      #'securityfocus.com'                      => -3.0,
>      #'[hidden email]'       => -3.0,
>      #'[hidden email]'      => -3.0,
>      #'[hidden email]'      => -3.0,
>      #'[hidden email]'=> -3.0,
>      #'[hidden email]' => -3.0,
>      #'spamassassin.apache.org'                => -3.0,
>      #'[hidden email]'   => -3.0,
>      #'[hidden email]'        => -3.0,
>      #'[hidden email]'     => -3.0,
>      #'[hidden email]'   => -3.0,
>      #'[hidden email]' => -3.0,
>      #'[hidden email]'                => -3.0,
>      #'[hidden email]'               => -3.0,
>      #'[hidden email]'                  => -3.0,
>      #'[hidden email]'          => -3.0,
>      #'[hidden email]'           => -3.0,
>      #'[hidden email]'       => -3.0,
>      #'[hidden email]'          => -3.0,
>      #'[hidden email]'            => -3.0,
>      #'[hidden email]'            => -3.0,
>      #'[hidden email]'                => -5.0,
>      #'[hidden email]'           => -3.0,
>      #'returns.groups.yahoo.com'               => -3.0,
>      #'[hidden email]'           => -3.0,
>      #lc('[hidden email]')    => -3.0,
>      #lc('[hidden email]') => -5.0,
>
>      # soft-blacklisting (positive score)
>      #'[hidden email]'                     =>  3.0,
>      #'.example.net'                           =>  1.0,
>
>    },
>   ],  # end of site-wide tables
> });
>
> 1;  # ensure a defined return


----- End of message from Franz-Josef Vorspohl <[hidden email]> -----



--

---------------------------------------
e-Mail  : [hidden email]
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
---------------------------------------

Re: Problem AMaVis

Franz-Josef Vorspohl
In reply to this post by Klaus Tachtler
So, the system is now running flawlessly as far as I can tell.
There are no more error messages in the log files. The test mails with viruses and spam are blocked, as planned.

Postfix, amavis, clamav, postgrey and SpamAssassin.

Thanks again for the help

Franz

-----Original Message-----
From: Postfixbuch-users <[hidden email]> On behalf of Klaus Tachtler
Sent: Tuesday, 4 February 2020 04:26
To: Diskussionen und Support rund um Postfix <[hidden email]>
Subject: Re: Problem AMaVis

Hello Franz-Josef,

I can't find your Postfix configuration (master.cf)?

You should have something like the following in your master.cf:

https://dokuwiki.tachtler.net/doku.php?id=tachtler:postfix_centos_6#amavis_einbinden

(!!! That is how I used to do it as well - BETTER: AMaViS-MILTER, see further below !!!)

---- %< Example - excerpt from master.cf ----

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Tachtler
# default: smtp      inet  n       -       n       -       -       smtpd
# AMaViS - Incoming and forward to AMaViS listen on Port 10024
smtp      inet  n       -       n       -       20       smtpd
         -o smtpd_proxy_filter=192.168.0.70:10024
         -o smtp_send_xforward_command=yes
         -o content_filter=
# Tachtler
# AMaViS - Outgoing from AMaViS, BACK to Postfix
192.168.0.60:10025 inet  n       -       n       -       20       smtpd
         -o content_filter=
         -o smtpd_proxy_filter=
         -o smtpd_authorized_xforward_hosts=192.168.0.0/24
         -o smtpd_client_restrictions=
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o smtpd_data_restrictions=
         -o mynetworks=0.0.0.0/32,127.0.0.0/8,192.168.0.0/24
         -o receive_override_options=no_unknown_recipient_checks

etc. ...

---- Example - excerpt from master.cf >% ----

Do you have something like this in your AMaViS configuration -->

$forward_method = 'smtp:[192.168.0.60]:10025';
$notify_method  = 'smtp:[192.168.0.60]:10025';

(Handing messages back to Postfix: I did not see that!)

More convenient and, in my opinion, BETTER would be to use an AMaViS-MILTER, as described under the following links, also from my DokuWiki, which I once put together for myself:

AMaViS CentOS 7
===============

https://dokuwiki.tachtler.net/doku.php?id=tachtler:amavis_centos_7

Configuration: amavisd-milter
=============================

https://dokuwiki.tachtler.net/doku.php?id=tachtler:amavis_centos_7#konfigurationamavisd-milter

Postfix CentOS 7 - Connecting AMaViS (amavisd-milter)
=====================================================

https://dokuwiki.tachtler.net/doku.php?id=tachtler:postfix_centos_7_-_amavis_anbinden_amavisd-milter


Regards
Klaus.


--

---------------------------------------
e-Mail  : [hidden email]
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
---------------------------------------
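
The two things Klaus asks about (a proxied smtpd service plus a re-injection listener in master.cf, and amavis handing mail back through $forward_method / $notify_method) can be cross-checked mechanically. The Python below is an added example, not part of any post in this thread; the function names, the constructed sample input and the fallback target 127.0.0.1:10025 are assumptions.

```python
import re

# Constructed sample input, modelled on the master.cf excerpt and amavis settings
# quoted in the thread (the addresses are the thread's example values).
MASTER_CF = """\
smtp      inet  n       -       n       -       20       smtpd
         -o smtpd_proxy_filter=192.168.0.70:10024
         -o content_filter=
192.168.0.60:10025 inet  n       -       n       -       20       smtpd
         -o content_filter=
         -o smtpd_proxy_filter=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o mynetworks=0.0.0.0/32,127.0.0.0/8,192.168.0.0/24
"""
AMAVIS_CONF = """\
$inet_socket_port = 10024;
$forward_method = 'smtp:[192.168.0.60]:10025';
$notify_method  = 'smtp:[192.168.0.60]:10025';
"""
# Assumption: amavisd-new falls back to this target when the variable is unset.
DEFAULT_TARGET = "127.0.0.1:10025"


def parse_master_cf(text):
    """Return {service: {"command": str, "opts": {name: value}}}.
    Only the classic "-o name=value" form is handled, not "-o { name = value }"."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if line[0] in " \t":      # continuation of the previous service entry
            args = fields
        elif len(fields) >= 8:    # name type private unpriv chroot wakeup maxproc command
            current = services[fields[0]] = {"command": fields[7], "opts": {}}
            args = fields[8:]
        else:
            continue
        if current is None:
            continue
        for flag, arg in zip(args, args[1:]):
            if flag == "-o":
                name, _, value = arg.partition("=")
                current["opts"][name] = value
    return services


def amavis_targets(conf):
    """Map forward_method / notify_method to "host:port"; commented lines are ignored."""
    pat = re.compile(
        r"^[ \t]*\$(forward_method|notify_method)\s*=\s*'smtp:\[([^\]]+)\]:(\d+)'", re.M)
    found = {m.group(1): f"{m.group(2)}:{m.group(3)}" for m in pat.finditer(conf)}
    return {k: found.get(k, DEFAULT_TARGET) for k in ("forward_method", "notify_method")}


def check_prequeue(master_cf, amavis_conf):
    """Return a list of wiring problems; an empty list means the loop is closed."""
    services = parse_master_cf(master_cf)
    problems = []
    if not any(s["command"] == "smtpd" and s["opts"].get("smtpd_proxy_filter")
               for s in services.values()):
        problems.append("no smtpd service sets smtpd_proxy_filter")
    for var, target in amavis_targets(amavis_conf).items():
        listener = services.get(target)  # exact string match on the service name
        if listener is None:
            problems.append(f"${var} -> {target}: no such listener in master.cf")
            continue
        # Without an explicit empty override the listener inherits main.cf values.
        for opt in ("smtpd_proxy_filter", "content_filter"):
            if listener["opts"].get(opt) != "":
                problems.append(f"{target}: {opt} not cleared, mail could loop into the filter")
    return list(dict.fromkeys(problems))  # drop duplicates, keep order


if __name__ == "__main__":
    for p in check_prequeue(MASTER_CF, AMAVIS_CONF) or ["wiring is consistent"]:
        print(p)
```

The listener lookup is a plain string comparison, so `localhost:10025` in master.cf and `[127.0.0.1]:10025` in the amavis configuration are reported as a mismatch even though they resolve to the same socket.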