# gentoo-wiki complete virtual mailsystem woes... need help!

## ali3nx

I've gone about building the email server configuration outlined in gentoo-wiki's popular Complete Virtual System email server howto and I'm very close to completing it. The majority of the server is completely installed, but I have made some modifications to the outlined setup by using MySQL instead of Postgres and by using a local webserver for the email server administration, which reflected our current setup. Some may have noticed a few of the edits I had made to the howto to assist with its further refinement. My problem lies with issues concerning mail relaying being deferred, and with amavis and a broken socket and bad file descriptor error that I'm a bit puzzled over. It may be useful to add for posterity's sake that I'm both very experienced with Gentoo, retired from the Gentoo infrastructure team some years ago, and Linux+ certified, so lack of ability would be the lesser of things to be the cause of this situation. Any and all help would be greatly welcome.

I'll outline any errors that I can offer below, with the configs edited to protect the innocent (and my mailserver from obliteration by spammers), from both postconf -n, amavisd.conf, our database structure and anything else relative. I am using all hardened Gentoo on amd64 servers for both our database server and the email server. Each server is in perfect condition and in excess of 50 days uptime. The database server is an x2 4400 amd64 running hardened sources with grsec and pax. The email server is an smp 2.80GHz em64t also running a similar configuration with hardened+grsec and pax.

Domain names in the below examples have been replaced with (servername).domain.tld, sender@domain.tld, mail.sender.tld, mail.domain.tld and virtual.tld for virtual hosted domains respectively. IP addresses and subnets have been replaced by x.x.x.x

Truly sorry spammers... your info wasn't masked. Too bad for you. Thanks in advance to anyone willing to have a look through all of this code. It is a lot to take in and no doubt why I may have missed something or made a mistake.

Relay access error

```
Mar 22 18:53:57 champion postfix/smtpd[5893]: initializing the server-side TLS engine

Mar 22 18:54:02 champion postfix/smtpd[5893]: connect from mail1.sender.tld[x.x.x.x]

Mar 22 18:54:05 champion sqlgrey: spam: 69.6.17.220: b.promocentral.0-6d9d3c1-2807.virtual.tld.-john@mx17220.tt03.com -> john@virtual.tld at 2006-03-21 17:50:39

Mar 22 18:54:05 champion sqlgrey: perf: spent 0s cleaning: from_awl (0) domain_awl (0) connect (1)

Mar 22 18:54:05 champion sqlgrey: grey: new: x.x.x(x.x.x.x), sender@domain.tld -> ali3n@virtual.tld

Mar 22 18:54:05 champion postfix/smtpd[5893]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead

Mar 22 18:54:05 champion postfix/smtpd[5893]: NOQUEUE: reject: RCPT from servername.domain.tld[x.x.x.x]: 554 <ali3n@virtual.tld>: Recipient address rejected: Relay access denied; from=<sender@domain.tld> to=<sender@domain.tld> proto=ESMTP helo=<mail1.sender.tld>

Mar 22 18:54:05 champion postfix/smtpd[5893]: disconnect from mail.sender.org[x.x.x.x]
```

tail -f /var/log/mail.err

```
Mar 22 17:54:18 champion amavis[21963]: (21963-01) TROUBLE in process_request: Transactions not supported by database at /usr/lib/perl5/vendor_perl/5.8.7/x86_64-linux-thread-multi/DBI.pm line 1632, <GEN8> line 14.
```

tail -f /var/log/mail.info

```
Mar 22 18:27:38 champion postfix/lmtp[23216]: D1963238AC1: to=<xlnt@domain.tld>, relay=127.0.0.1[127.0.0.1], delay=255815, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while sending end of data -- message may be sent more than once)

Mar 22 18:27:38 champion amavis[13183]: (13183-01) SMTP shutdown: Error writing a SMTP response to the socket: Bad file descriptor at (eval 43) line 813.\n
```

tail -f /var/log/mail.log

```

champion ~ # tail -f -n100 /var/log/mail.log

Mar 22 18:27:38 champion amavis[30400]: (30400-01) SMTP< LHLO mail.domain.tld\r\n

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 250-[127.0.0.1]

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 250-PIPELINING

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 250-SIZE

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 250-8BITMIME

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 250-ENHANCEDSTATUSCODES

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 250 XFORWARD NAME ADDR PROTO HELO

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, 6: was busy, 2.3 ms, total idle 0.001 s, busy 0.015 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, 5: was idle, 0.8 ms, total idle 0.001 s, busy 0.015 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) prolong_timer after reading SMTP command: remaining time = 300 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP< XFORWARD NAME=[UNAVAILABLE] ADDR=x.x.x.x\r\n

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 250 2.5.0 Ok XFORWARD

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, 6: was busy, 3.1 ms, total idle 0.001 s, busy 0.018 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, 5: was idle, 0.2 ms, total idle 0.002 s, busy 0.018 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) prolong_timer after reading SMTP command: remaining time = 300 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP< XFORWARD PROTO=ESMTP HELO=mail.domain.tld\r\n

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 250 2.5.0 Ok XFORWARD

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, 6: was busy, 1.7 ms, total idle 0.002 s, busy 0.020 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, 5: was idle, 0.8 ms, total idle 0.002 s, busy 0.020 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) prolong_timer after reading SMTP command: remaining time = 300 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP< MAIL FROM:<postmaster@domain.tld> SIZE=433\r\n

Mar 22 18:27:38 champion amavis[30400]: (30400-01) prolong_timer after MAIL FROM received - timer reset: remaining time = 300 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) check_mail_begin_task: task_count=1

Mar 22 18:27:38 champion amavis[30400]: (30400-01) prepare_tempdir: creating directory /var/amavis/tmp/amavis-20060322T182738-30400

Mar 22 18:27:38 champion amavis[30400]: (30400-01) prepare_tempdir: creating file /var/amavis/tmp/amavis-20060322T182738-30400/email.txt

Mar 22 18:27:38 champion amavis[30400]: (30400-01) lookup (debug_sender) => undef, "postmaster@domain.tld" does not match

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 250 2.1.0 Sender postmaster@domain.tld OK

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, 6: was busy, 7.1 ms, total idle 0.002 s, busy 0.027 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, 5: was idle, 0.2 ms, total idle 0.003 s, busy 0.027 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) prolong_timer after reading SMTP command: remaining time = 300 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP< RCPT TO:<ali3n@virtual.tld>\r\n

Mar 22 18:27:38 champion amavis[30400]: (30400-01) lookup_acl(ali3n@virtual.tld), no match

Mar 22 18:27:38 champion amavis[30400]: (30400-01) lookup (local_domains) => undef, "ali3n@virtual.tld" does not match

Mar 22 18:27:38 champion amavis[30400]: (30400-01) query_keys: ali3n@virtual.tld, @virtual.tld, @.virtual.tld, @.net, @.

Mar 22 18:27:38 champion amavis[30400]: (30400-01) lookup_sql "ali3n@virtual.tld", query args: "ali3n@virtual.tld", "@virtual.tld", "@.virtual.tld", "@.net", "@."

Mar 22 18:27:38 champion amavis[30400]: (30400-01) lookup_sql select: SELECT *,users.id FROM users,policy WHERE (users.policy_id=policy.id) AND (users.email IN (?,?,?,?,?)) ORDER BY users.priority DESC

Mar 22 18:27:38 champion amavis[30400]: (30400-01) sql begin, nontransaction

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Connecting to SQL database server

Mar 22 18:27:38 champion amavis[30400]: (30400-01) connect_to_sql: trying 'DBI:mysql:database=amavis;host=x.x.x.x;port=3306'

Mar 22 18:27:38 champion amavis[30400]: (30400-01) connect_to_sql: 'DBI:mysql:database=amavis;host=x.x.x.x;port=3306' succeeded

Mar 22 18:27:38 champion amavis[30400]: (30400-01) sql: preparing and executing: SELECT *,users.id FROM users,policy WHERE (users.policy_id=policy.id) AND (users.email IN (?,?,?,?,?)) ORDER BY users.priority DESC

Mar 22 18:27:38 champion amavis[30400]: (30400-01) lookup_sql, "ali3n@virtual.tld" no match

Mar 22 18:27:38 champion amavis[30400]: (30400-01) lookup_sql_field(message_size_limit), "ali3n@virtual.tld" no matching records

Mar 22 18:27:38 champion amavis[30400]: (30400-01) lookup (message_size_limit) => undef, "ali3n@virtual.tld" does not match

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 250 2.1.5 Recipient ali3n@virtual.tld OK

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, 6: was busy, 18.7 ms, total idle 0.003 s, busy 0.045 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, 5: was idle, 0.4 ms, total idle 0.003 s, busy 0.045 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) prolong_timer after reading SMTP command: remaining time = 300 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP< DATA\r\n

Mar 22 18:27:38 champion amavis[30400]: (30400-01) prolong_timer after DATA received - timer reset: remaining time = 300 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP::10024 /var/amavis/tmp/amavis-20060322T182738-30400: <postmaster@domain.tld> -> <ali3n@virtual.tld> Received: SIZE=433 from mail.domail.tld ([127.0.0.1]) by localhost (server.domain.tld [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 30400-01 for <ali3n@virtual.tld>; Wed, 22 Mar 2006 18:27:38 +0100 (CET)

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 354 End data with <CR><LF>.<CR><LF>

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP< .\r\n

Mar 22 18:27:38 champion amavis[30400]: (30400-01) setting body type: 7BIT (0,0)

Mar 22 18:27:38 champion amavis[30400]: (30400-01) body hash: 3bb2fef7aad5009856f79143f2eb95ad

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Original mail size: 433; quota set to: 216500 bytes

Mar 22 18:27:38 champion amavis[30400]: (30400-01) sql begin transaction

Mar 22 18:27:38 champion amavis[30400]: (30400-01) sql begin transaction failed, probably disconnected by server, reconnecting (Transactions not supported by database at /usr/lib/perl5/vendor_perl/5.8.7/x86_64-linux-thread-multi/DBI.pm line 1632, <GEN8> line 9.)

Mar 22 18:27:38 champion amavis[30400]: (30400-01) disconnecting from SQL

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Connecting to SQL database server

Mar 22 18:27:38 champion amavis[30400]: (30400-01) connect_to_sql: trying 'DBI:mysql:database=amavis;host=x.x.x.x;port=3306'

Mar 22 18:27:38 champion amavis[30400]: (30400-01) connect_to_sql: 'DBI:mysql:database=amavis;host=x.x.x.x;port=3306' succeeded

Mar 22 18:27:38 champion amavis[30400]: (30400-01) TROUBLE in process_request: Transactions not supported by database at /usr/lib/perl5/vendor_perl/5.8.7/x86_64-linux-thread-multi/DBI.pm line 1632, <GEN8> line 9.

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Requesting process rundown after fatal error

Mar 22 18:27:38 champion amavis[30400]: (30400-01) post_process_request_hook: timer stopped

Mar 22 18:27:38 champion amavis[30400]: (30400-01) idle_proc, bye: was busy, 34.7 ms, total idle 0.003 s, busy 0.080 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) load: 97 %, total idle 0.003 s, busy 0.080 s

Mar 22 18:27:38 champion amavis[30400]: (30400-01) child_finish_hook: invoking DESTROY methods

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Amavis::In::SMTP DESTROY called

Mar 22 18:27:38 champion amavis[30400]: (30400-01) SMTP shutdown: tempdir is to be PRESERVED: /var/amavis/tmp/amavis-20060322T182738-30400

Mar 22 18:27:38 champion amavis[30400]: (30400-01) LMTP> 421 4.3.2 Service shutting down, closing channel

Mar 22 18:27:38 champion amavis[30400]: (30400-01) SMTP shutdown: Error writing a SMTP response to the socket: Bad file descriptor at (eval 43) line 813.\n

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Amavis::Out::SQL::Log DESTROY called

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Amavis::Lookup::SQL DESTROY called

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Amavis::Cache DESTROY called

Mar 22 18:27:38 champion postfix/lmtp[14761]: 3E25B238AB2: to=<ali3n@virtual.tld>, relay=127.0.0.1[127.0.0.1], delay=424610, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while sending end of data -- message may be sent more than once)

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Amavis::DB::SNMP DESTROY called

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Amavis::Out::SQL::Connection DESTROY called

Mar 22 18:27:38 champion amavis[30400]: (30400-01) disconnecting from SQL

Mar 22 18:27:38 champion amavis[30400]: (30400-01) Amavis::Lookup::SQL DESTROY called

Mar 22 18:27:38 champion amavis[25646]: TIMING [total 14 ms] - bdb-open: 14 (100%)100, rundown: 0 (0%)100

Mar 22 18:27:38 champion amavis[25646]: storage and lookups will use the same connection to SQL

Mar 22 18:27:38 champion amavis[21715]: TIMING [total 10 ms] - bdb-open: 10 (100%)100, rundown: 0 (0%)100

Mar 22 18:27:38 champion amavis[21715]: storage and lookups will use the same connection to SQL

Mar 22 18:27:39 champion amavis[13183]: (13183-01) Amavis::Out::SQL::Connection DESTROY called

Mar 22 18:27:39 champion amavis[24701]: (24701-01) Amavis::Out::SQL::Connection DESTROY called

Mar 22 18:27:39 champion amavis[24701]: (24701-01) disconnecting from SQL

Mar 22 18:27:39 champion amavis[13183]: (13183-01) disconnecting from SQL

Mar 22 18:27:39 champion amavis[13183]: (13183-01) Amavis::Lookup::SQL DESTROY called

Mar 22 18:27:39 champion amavis[24701]: (24701-01) Amavis::Lookup::SQL DESTROY called

Mar 22 18:27:39 champion amavis[31199]: TIMING [total 15 ms] - bdb-open: 15 (100%)100, rundown: 0 (0%)100

Mar 22 18:27:39 champion amavis[31199]: storage and lookups will use the same connection to SQL

Mar 22 18:27:39 champion amavis[20875]: TIMING [total 11 ms] - bdb-open: 11 (100%)100, rundown: 0 (0%)100

Mar 22 18:27:39 champion amavis[20875]: storage and lookups will use the same connection to SQL
```

tail -f /var/log/mail.warn

```
Mar 22 18:27:38 champion amavis[30400]: (30400-01) Requesting process rundown after fatal error

Mar 22 18:27:38 champion amavis[30400]: (30400-01) SMTP shutdown: tempdir is to be PRESERVED: /var/amavis/tmp/amavis-20060322T182738-30400

Mar 22 18:44:18 champion amavis[25646]: (25646-01) sql begin transaction failed, probably disconnected by server, reconnecting (Transactions not supported by database at /usr/lib/perl5/vendor_perl/5.8.7/x86_64-linux-thread-multi/DBI.pm line 1632, <GEN8> line 14.)

Mar 22 18:44:18 champion amavis[25646]: (25646-01) Requesting process rundown after fatal error

Mar 22 18:44:18 champion amavis[25646]: (25646-01) SMTP shutdown: tempdir is to be PRESERVED: /var/amavis/tmp/amavis-20060322T184418-25646

Mar 22 18:44:18 champion amavis[20875]: (20875-01) sql begin transaction failed, probably disconnected by server, reconnecting (Transactions not supported by database at /usr/lib/perl5/vendor_perl/5.8.7/x86_64-linux-thread-multi/DBI.pm line 1632, <GEN8> line 14.)

Mar 22 18:44:18 champion amavis[20875]: (20875-01) Requesting process rundown after fatal error

Mar 22 18:44:18 champion amavis[20875]: (20875-01) SMTP shutdown: tempdir is to be PRESERVED: /var/amavis/tmp/amavis-20060322T184418-20875
```

postconf -n

```
alias_maps = mysql:/etc/postfix/mysql/mysql-virtual.cf

broken_sasl_auth_clients = yes

command_directory = /usr/sbin

config_directory = /etc/postfix

daemon_directory = /usr/lib/postfix

debug_peer_level = 2

default_destination_concurrency_limit = 20

disable_vrfy_command = yes

fast_flush_domains = $relay_domains

html_directory = /usr/share/doc/postfix-2.2.5/html

local_destination_concurrency_limit = 2

local_recipient_maps = $virtual_mailbox_maps

mail_owner = postfix

mail_spool_directory = /var/spool/mail

mailq_path = /usr/bin/mailq

manpage_directory = /usr/share/man

mydestination = $myhostname, localhost.$mydomain, localhost

mydomain = domain.tld

myhostname = mail.domain.tld

mynetworks = x.x.x.x/24, 127.0.0.0/8, [::1]/128

mynetworks_style = host

myorigin = $mydomain

newaliases_path = /usr/bin/newaliases

queue_directory = /var/spool/postfix

readme_directory = /usr/share/doc/postfix-2.2.5/readme

relay_domains = mysql:/etc/postfix/mysql/mysql-relay-domains.cf

relay_recipient_maps = mysql:/etc/postfix/mysql/mysql-relay-domains.cf

sample_directory = /etc/postfix

sendmail_path = /usr/sbin/sendmail

setgid_group = postdrop

smtpd_banner = $myhostname NO UCE ESMTP

smtpd_delay_reject = no

smtpd_etrn_restrictions = permit_mynetworks, reject

smtpd_helo_required = yes

smtpd_helo_restrictions = reject_invalid_hostname,        reject_unknown_hostname

smtpd_recipient_restrictions = permit_mynetworks,        permit_sasl_authenticated,        reject_non_fqdn_sender,        reject_non_fqdn_recipient, reject_unauth_pipelining,        reject_rbl_client opm.blitzed.org,        reject_rbl_client list.dsbl.org,        reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org        check_policy_service inet:127.0.0.1:2501        check_relay_domains

smtpd_sasl_auth_enable = yes

smtpd_sasl_local_domain = $myhostname

smtpd_sasl_security_options = noanonymous

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access,        reject_non_fqdn_sender

smtpd_tls_CAfile = /etc/postfix/demoCA/cacert.pem

smtpd_tls_auth_only = yes

smtpd_tls_cert_file = /etc/postfix/newcert.pem

smtpd_tls_key_file = /etc/postfix/newkey.pem

smtpd_tls_loglevel = 2

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

smtpd_use_tls = yes

tls_random_source = dev:/dev/urandom

unknown_local_recipient_reject_code = 550

virtual_alias_maps = mysql:/etc/postfix/mysql/mysql-virtual.cf

virtual_create_maildirsize = yes

virtual_gid_maps = static:12

virtual_mailbox_base = /home/vmail

virtual_mailbox_domains = mysql:/etc/postfix/mysql/mysql-virtual-domains.cf

virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql/mysql-virtual-mailbox-limit.cf

virtual_mailbox_limit_override = yes

virtual_mailbox_maps = mysql:/etc/postfix/mysql/mysql-virtual-maps.cf

virtual_maildir_limit_message = Sorry, the recipients mailbox is currently full. Please try again later.

virtual_overquota_bounce = yes

virtual_uid_maps = static:2006
```

amavisd.conf

[code]use strict;

# Sample configuration file for amavisd-new (traditional style, chatty,

# you may prefer to start with the more concise supplied amavisd.conf)

#

# See amavisd.conf-default for a list of all variables with their defaults;

# for more details see documentation in INSTALL, README_FILES/*

# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html

# This software is licensed under the GNU General Public License (GPL).

# See comments at the start of amavisd-new for the whole license text.

#Sections:

# Section I    - Essential daemon and MTA settings

# Section II   - MTA specific

# Section III  - Logging

# Section IV   - Notifications/DSN, bounce/reject/discard/pass, quarantine

# Section V    - Per-recipient and per-sender handling, whitelisting, etc.

# Section VI   - Resource limits

# Section VII  - External programs, virus scanners, SpamAssassin

# Section VIII - Debugging

# Section IX   - Policy banks (dynamic policy switching)

#GENERAL NOTES:

#  This file is a normal Perl code, interpreted by Perl itself.

#  - make sure this file (or directory where it resides) is NOT WRITABLE

#    by mere mortals (not even vscan/amavis; best to make it owned by root),

#    otherwise it can represent a severe security risk!

#  - for values which are interpreted as booleans, it is recommended

#    to use 1 for true, and 0 or undef or '' for false.

#    THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "no" also meant false,

#    now it means true, like any nonempty string does!

#  - Perl syntax applies. Most notably: strings in "" may include variables

#    (which start with $ or @); to include characters $ and @ and \ in double

#    quoted strings precede them by a backslash; in single-quoted strings

#    the $ and @ lose their special meaning, so it is usually easier to use

#    single quoted strings (or qw operator) for e-mail addresses.

#    In both types of quoting a backslash should to be doubled.

#  - variables with names starting with a '@' are lists, the values assigned

#    to them should be lists too, e.g. ('one@foo', $mydomain, "three");

#    note the comma-separation and parenthesis. If strings in the list

#    do not contain spaces nor variables, a Perl operator qw() may be used

#    as a shorthand to split its argument on whitespace and produce a list

#    of strings, e.g. qw( one@foo example.com three );  Note that the argument

#    to qw is quoted implicitly and no variable interpretation is done within

#    (no '$' variable evaluations). The #-initiated comments can NOT be used

#    within a string. In other words, $ and # lose their special meaning

#    within a qw argument, just like within '...' strings.

#  - all e-mail addresses in this file and as used internally by the daemon

#    are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.

#    Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com

#    and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'.

#  - the term 'default value' in examples below refers to the value of a

#    variable pre-assigned to it by the program; any explicit assignment

#    to a variable in this configuration file overrides the default value;

#

# Section I - Essential daemon and MTA settings

#

# $MYHOME serves as a quick default for some other configuration settings.

# More refined control is available with each individual setting further down.

# $MYHOME is not used directly by the program. No trailing slash!

$MYHOME = '/var/amavis';   # (default is '/var/amavis')

# $mydomain serves as a quick default for some other configuration settings.

# More refined control is available with each individual setting further down.

# $mydomain is never used directly by the program.

$mydomain = 'domain.tld';      # (no useful default)

$myhostname = 'servername.domain.tld';  # fqdn of this host, default by uname(3)

# Set the user and group to which the daemon will change if started as root

# (otherwise just keeps the UID unchanged, and these settings have no effect):

$daemon_user  = 'amavis';   # (no default;  customary: vscan or amavis)

$daemon_group = 'amavis';   # (no default;  customary: vscan or amavis or sweep)

# Runtime working directory (cwd), and a place where

# temporary directories for unpacking mail are created.

# (no trailing slash, may be a scratch file system)

#$TEMPBASE = $MYHOME;           # (must be set if other config vars use is)

$TEMPBASE = "$MYHOME/tmp";      # prefer to keep home dir /var/amavis clean?

$db_home = "$MYHOME/db";        # DB databases directory, default "$MYHOME/db"

# $helpers_home sets environment variable HOME, and is passed as option

# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory

# on a normal persistent file system, not a scratch or temporary file system

$helpers_home = $MYHOME;        # (defaults to $MYHOME)

# Run the daemon in the specified chroot jail if nonempty:

#$daemon_chroot_dir = $MYHOME;  # (default is undef, meaning: do not chroot)

#$pid_file  = "$MYHOME/amavisd.pid";  # (default is "$MYHOME/amavisd.pid")

#$lock_file = "$MYHOME/amavisd.lock"; # (default is "$MYHOME/amavisd.lock")

# set environment variables if you want (no defaults):

$ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory

#...

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)

$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,

# both $forward_method and $notify_method default to 'smtp:[127.0.0.1]:10025'

# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4

# (set host and port number as required; host can be specified

# as an IP address or a DNS name (A or CNAME, but MX is ignored)

#$forward_method = 'smtp:[127.0.0.1]:10025';  # where to forward checked mail

#$notify_method = $forward_method;            # where to submit notifications

# To make it possible for several hosts to share one content checking daemon,

# the IP address and/or the port number in $forward_method and $notify_method

# may be spacified as an asterisk. An asterisk in the colon-separated

# second field (host) will be replaced by the SMTP client peer address,

# An asterisk in the third field (tcp port) will be replaced by the incoming

# SMTP/LMTP session port number plus one. This obsoletes the previously used

# less flexible configuration parameter $relayhost_is_client. An example:

#   $forward_method = 'smtp:*:*'; $notify_method = 'smtp:*:10587';

# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST

#       uncomment the appropriate settings below if using other setups!

# SENDMAIL MILTER, using amavis-milter.c helper program:

#$forward_method = undef;  # no explicit forwarding, sendmail does it by itself

# milter; option -odd is needed to avoid deadlocks

#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';

# just a thought: can we use use -Am instead of -odd ?

# SENDMAIL (old non-milter setup, as relay, deprecated):

#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';

#$notify_method = $forward_method;

# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent, deprecated):

#$forward_method = undef;  # no explicit forwarding, amavis.c will call LDA

#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';

# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):

#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';

#$notify_method = $forward_method;

# prefer to collect mail for forwarding as BSMTP files?

#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";

#$notify_method = $forward_method;

# Net::Server pre-forking settings

# The $max_servers should match the width of your MTA pipe

# feeding amavisd, e.g. with Postfix the 'Max procs' field in the

# master.cf file, like the '2' in the:  smtp-amavis unix - - n - 2 smtp

#

$max_servers  =  4;   # number of pre-forked children          (default 2)

$max_requests = 20;   # retire a child after that many accepts (default 10)

$child_timeout=5*60;  # abort child if it does not complete each task in

                      # approximately n sec (default: 8*60 seconds)

# Here is a QUICK WAY to completely DISABLE some sections of code

# that WE DO NOT WANT (it won't even be compiled-in).

# For more refined controls leave the following two lines commented out,

# and see further down what these two lookup lists really mean.

#

# @bypass_virus_checks_maps = (1);  # uncomment to DISABLE anti-virus code

# @bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code

#

# Any setting can be changed with a new assignment, so make sure

# you do not unintentionally override these settings further down!

# Check also the settings of @av_scanners at the end if you want to use

# virus scanners. If not, you may want to delete the whole long assignment

# to the variable @av_scanners and @av_scanners_backup, which will also

# remove the virus checking code (e.g. if you only want to do spam scanning).

# Lookup list of local domains (see README.lookups for syntax details)

#

# @local_domains_maps list of lookup tables are used in deciding whether a

# recipient is local or not, or in other words, if the message is outgoing

# or not. This affects inserting spam-related headers for local recipients,

# limiting recipient virus notifications (if enabled) to local recipients,

# in deciding if address extension may be appended, and in SQL lookups

# for non-fqdn addresses. Set it up correctly if you need features

# that rely on this setting (or just leave empty otherwise).

#

# With Postfix (2.0) a quick hint on what local domains normally are:

# a union of domains specified in: mydestination, virtual_alias_domains,

# virtual_mailbox_domains, and relay_domains.

@local_domains_maps = ( [".$mydomain"] );  # $mydomain and its subdomains

# @local_domains_maps = (); # default is empty list, no recip. considered local

# @local_domains_maps =  # using ACL lookup table

#   ( [ ".$mydomain", 'sub.example.net', '.example.com' ] );

# @local_domains_maps =  # similar, split list elements on whitespace

#   ( [qw( .example.com !host.sub.example.net .sub.example.net )] );

# @local_domains_maps = ( new_RE( qr'[@.]example\.com$'i ) );   # using regexp

# @local_domains_maps = ( read_hash("$MYHOME/local_domains") ); # using hash

#   perhaps combined with Postfix: mydestination = /var/amavis/local_domains

# for debugging purposes: dump_hash($local_domains_maps[0]);

#

# Section II - MTA specific (defaults should be ok)

#

#$insert_received_line = 1;       # behave like MTA: insert 'Received:' header

                                  # (does not apply to sendmail/milter)

                                  # (default is true)

# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)

#   (used with amavis helper clients like amavis-milter.c and amavis.c,

#   NOT needed for Postfix or Exim or dual-sendmail - keep it undefined.

$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket

#$unix_socketname = undef;        # disable listening on a unix socket

                                  # (default is undef, i.e. disabled)

                                  # (usual setting is $MYHOME/amavisd.sock)

# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)

#   (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)

$inet_socket_port = [10024, 9998];       # accept SMTP on this local TCP port

                                  # (default is undef, i.e. disabled)

# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];

# SMTP SERVER (INPUT) access control

# - do not allow free access to the amavisd SMTP port !!!

#

# when MTA is at the same host, use the following (one or the other or both):

$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface

                                  # (default is '127.0.0.1')

@inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP

                                  # (default is qw(127.0.0.1 [::1]) )

# when MTA (one or more) is on a different host, use the following:

#@inet_acl = qw(127/8 [::1]);  # adjust list as needed

#$inet_socket_bind = 127.0.0.1;       # bind to all IP interfaces if undef

#

# Example1:

# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );

# permit only SMTP access from loopback and rfc1918 private address space

#

# Example2:

# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0

#                 127.0.0.1 10/8 172.16/12 192.168/16 );

# matches loopback and rfc1918 private address space except host 192.168.1.12

# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)

#

# Example3:

# @inet_acl = qw( 127/8

#                 !172.16.3.0   !172.16.3.127 172.16.3.0/25

#                 !172.16.3.128 !172.16.3.255 172.16.3.128/25 );

# matches loopback and both halves of the 172.16.3/24 C-class,

# split into two subnets, except all four broadcast addresses

# for these subnets

# @mynetworks is an IP access list which determines if the original SMTP client

# IP address belongs to our internal networks, i.e. mail is coming from inside.

# It is much like the Postfix parameter 'mynetworks' in semantics and similar

# in syntax, and its value should normally match the Postfix counterpart.

# It only affects the value of a macro %l (=sender-is-local),

# and the loading of policy 'MYNETS' if present (see below).

# Note that '-o smtp_send_xforward_command=yes' (or its lmtp counterpart)

# must be enabled in the Postfix service that feeds amavisd, otherwise

# client IP address is not available to amavisd-new.

#

# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10

#                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );  # default

#

# A list of networks can also be read from a file, either as an IP acl in

# CIDR notation, one address per line (comments and empty lines are allowed):

#   @mynetworks_maps = (read_array('/etc/amavisd-mynetworks'), \@mynetworks);

#

# or less flexibly (but provides faster lookups for large lists) by reading

# into a hash lookup table, which only allows for full addresses or classful

# IPv4 subnets with truncated octets, such as 127, 10, 192.168, 10.11.12.13,

# one address per line (comments and empty lines are allowed):

#   @mynetworks_maps = (read_hash('/etc/amavisd-mynetworks'), \@mynetworks);

# See README.lookups for details on specifying access control lists.

#

# Section III - Logging

#

# true (e.g. 1) => syslog;  false (e.g. 0) => logging to file

$DO_SYSLOG = 1;                   # (defaults to 0)

#$SYSLOG_LEVEL = 'mail.debug';     # (facility.priority, default 'mail.info')

# Log file (if not using syslog)

$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)

#NOTE: levels are not strictly observed and are somewhat arbitrary

# 0: startup/exit/failure messages, viruses detected

# 1: args passed from client, some more interesting messages

# 2: virus scanner output, timing

# 3: server, client

# 4: decompose parts

# 5: more debug details

$log_level = 5;           # (defaults to 0)

# Customizable template for the most interesting log file entry (e.g. with

# $log_level=0) (take care to properly quote Perl special characters like '\')

# For a list of available macros see README.customize .

# $log_templ = undef;      # undef disables by-message level-0 log entries

$log_recip_templ = undef;  # undef disables by-recipient level-0 log entries

# log both infected and noninfected messages (new default):

# (remove the leading '#' and a space in the following lines to activate)

# $log_templ = '

# [?%#D|#|Passed #

# [? [?%#V|1] |INFECTED (%V)|#

# [? [?%#F|1] |BANNED (%F)|#

# [? [? %2|1] |SPAM|#

# [? [?%#X|1] |BAD-HEADER|CLEAN]]]]#

# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]<%o> -> [%D|,]#

# [? %q ||, quarantine: %q]#

# [? %Q ||, Queue-ID: %Q]#

# [? %m ||, Message-ID: %m]#

# [? %r ||, Resent-Message-ID: %r]#

# , mail_id: %i#

# , Hits: %c#

# #, size: %z#

# #[? %j ||, Subject: "%j"]#

# #[? %#T ||, Tests: \[[%T|,]]\]#

# , %y ms#

# ]

# [?%#O|#|Blocked #

# [? [?%#V|1] |INFECTED (%V)|#

# [? [?%#F|1] |BANNED (%F)|#

# [? [? %2|1] |SPAM|#

# [? [?%#X|1] |BAD-HEADER|CLEAN]]]]#

# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]<%o> -> [%O|,]#

# [? %q ||, quarantine: %q]#

# [? %Q ||, Queue-ID: %Q]#

# [? %m ||, Message-ID: %m]#

# [? %r ||, Resent-Message-ID: %r]#

# , mail_id: %i#

# , Hits: %c#

# #, size: %z#

# #[? %j ||, Subject: "%j"]#

# #[? %#T ||, Tests: \[[%T|,]]\]#

# , %y ms#

# ]';

# log template compatible with amavisd-new-20030616-p10:

# $log_recip_templ = undef;

# $log_templ = '

# [? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #

# <%o> -> [<%R>|,][? %q ||, quarantine %q], Message-ID: %m, Hits: %c';

#

# Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine

#

# Select notifications text encoding when Unicode-aware Perl is converting

# text from internal character representation to external encoding (charset

# in MIME terminology). Used as argument to Perl Encode::encode subroutine.

#

#   to be used in RFC 2047-encoded header field bodies, e.g. in Subject:

#$hdr_encoding = 'iso-8859-1';  # MIME charset (default: 'iso-8859-1')

#$hdr_encoding_qb = 'Q';        # MIME encoding: quoted-printable (default)

#$hdr_encoding_qb = 'B';        # MIME encoding: base64

#

#   to be used in notification body text: its encoding and Content-type.charset

#$bdy_encoding = 'iso-8859-1';  # (default: 'iso-8859-1')

# Default template texts for notifications may be overruled by directly

# assigning new text to template variables, or by reading template text

# from files. A second argument may be specified in a call to read_text(),

# specifying character encoding layer to be used when reading from the

# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.

# Text will be converted to internal character representation by Perl 5.8.0

# or later; second argument is ignored otherwise. See PerlIO::encoding,

# Encode::PerlIO and perluniintro man pages.

#

# $notify_sender_templ      = read_text("$MYHOME/notify_sender.txt");

# $notify_virus_sender_templ= read_text("$MYHOME/notify_virus_sender.txt");

# $notify_virus_admin_templ = read_text("$MYHOME/notify_virus_admin.txt");

# $notify_virus_recips_templ= read_text("$MYHOME/notify_virus_recips.txt");

# $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt");

# $notify_spam_admin_templ  = read_text("$MYHOME/notify_spam_admin.txt");

# If notification template files are collectively available in some directory,

# one may call read_l10n_templates which invokes read_text for each known

# template. This is primarily a Debian-specific feature, but was incorporated

# into base code to facilitate porting.

#

#   read_l10n_templates('/etc/amavis/en_US');

#

# If read_l10n_templates is called, a localization template directory must

# contain the following files:

#   charset                       this file should contain a one-line name

#                                 of the character set used in the template

#                                 files (e.g. utf8, iso-8859-2, ...) and is

#                                 passed as the second argument to read_text;

#   template-dsn.txt              content fills the $notify_sender_templ

#   template-virus-sender.txt     content fills the $notify_virus_sender_templ

#   template-virus-admin.txt      content fills the $notify_virus_admin_templ

#   template-virus-recipient.txt  content fills the $notify_virus_recips_templ

#   template-spam-sender.txt      content fills the $notify_spam_sender_templ

#   template-spam-admin.txt       content fills the $notify_spam_admin_templ

# Here is an overall picture (sequence of events) of how pieces fit together

#

#   bypass_virus_checks set for all recipients? ==> PASS

#   no viruses?   ==> PASS

#   log virus     if $log_templ is nonempty

#   quarantine    if $virus_quarantine_to is nonempty

#   notify admin  if $virus_admin (lookup) nonempty

#   notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)

#   add address extensions for local recipients (when enabled)

#   send (non-)delivery notifications

#      to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS))

#   virus_lovers or final_destiny==D_PASS  ==> PASS

#   DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)

#

# Equivalent flow diagram applies for spam checks.

# If a virus is detected, spam checking is skipped entirely.

# The following symbolic constants can be used in *_destiny settings:

#

# D_PASS     mail will pass to recipients, regardless of bad contents;

#

# D_DISCARD  mail will not be delivered to its recipients, sender will NOT be

#            notified. Effectively we lose mail (but will be quarantined

#            unless disabled). Losing mail is not decent for a mailer,

#            but might be desired.

#

# D_BOUNCE   mail will not be delivered to its recipients, a non-delivery

#            notification (bounce) will be sent to the sender by amavisd-new;

#            Exception: bounce (DSN) will not be sent if a virus name matches

#            @viruses_that_fake_sender_maps, or to messages from mailing lists

#            (Precedence: bulk|list|junk), or for spam level that exceeds

#            the $sa_dsn_cutoff_level.

#

# D_REJECT   mail will not be delivered to its recipients, sender should

#            preferably get a reject, e.g. SMTP permanent reject response

#            (e.g. with milter), or non-delivery notification from MTA

#            (e.g. Postfix). If this is not possible (e.g. different recipients

#            have different tolerances to bad mail contents and not using LMTP)

#            amavisd-new sends a bounce by itself (same as D_BOUNCE).

#            Not to be used with Postfix or dual-MTA setups!

#

# Notes:

#   D_REJECT and D_BOUNCE are similar, the difference is in who is responsible

#            for informing the sender about non-delivery, and how informative

#            the notification can be (amavisd-new knows more than MTA);

#   With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status

#            notification, colloquially called 'bounce') - depending on MTA;

#            Best suited for sendmail milter, especially for spam.

#   With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the

#            reason for mail non-delivery or even suppress DSN, but unable

#            to reject the original SMTP session). Best suited to reporting

#            viruses, and for Postfix and other dual-MTA setups, which can't

#            reject original client SMTP session, as the mail has already

#            been enqueued.

########

#

# Please think about what you are doing when you set these options.

# If necessary, question your organization's e-mail policies:

#

# D_BOUNCE contributes to the overall spread of viruses and spam on the

# internet. Both the envelope and header from addresses can be forged

# accurately with no effort.

#

# D_DISCARD breaks internet mail specifications. However, with a

# properly implemented Quarantine system, the concern for breaking the

# specification is addressed to some extent.

#

# D_PASS is the safest way to handle e-mails. You must implement

# client-side filtering to handle this method.

#

# -Cory Visi <merlin@gentoo.org> 07/28/04

#

#######

$final_virus_destiny      = D_DISCARD;  # (defaults to D_DISCARD)

$final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)

$final_spam_destiny       = D_DISCARD;  # (defaults to D_BOUNCE)

$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested

# Alternatives to consider for spam:

# - use D_PASS if clients will do filtering based on inserted

#   mail headers or added address extensions ('plus-addressing');

# - use D_DISCARD, if kill_level is set comfortably high;

#

# D_BOUNCE is preferred for viruses, but consider:

# - use D_PASS (or virus_lovers) to deliver viruses;

# - use D_REJECT instead of D_BOUNCE if using milter and under heavy

#   virus storm;

#

# Don't bother to set both D_DISCARD and $warn*sender=1, it will get mapped

# to D_BOUNCE.

#

# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD

# and D_PASS made settings $warnvirussender and $warnspamsender only still

# marginally useful with D_PASS.

# The following $warn*sender settings are ONLY used when mail is

# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).

# Bounces or rejects produce non-delivery status notification regardless.

# Notify virus sender?

#$warnvirussender = 1;  # (defaults to false (undef))

# Notify spam sender?

#$warnspamsender = 1;   # (defaults to false (undef))

# Notify sender of banned files?

#$warnbannedsender = 1; # (defaults to false (undef))

# Notify sender of syntactically invalid header containing non-ASCII characters?

#$warnbadhsender = 1;   # (defaults to false (undef))

# Notify virus (or banned files or bad headers) RECIPIENT?

#  (not very useful, but some policies demand it)

#$warnvirusrecip = 1;   # (defaults to false (undef))

#$warnbannedrecip = 1;  # (defaults to false (undef))

#$warnbadhrecip = 1;    # (defaults to false (undef))

# Notify also non-local virus/banned recipients if $warn*recip is true?

#  (including those not matching local_domains*)

#$warn_offsite = 1;     # (defaults to false (undef), i.e. only notify locals)

# Treat envelope sender address as unreliable and don't send sender

# notification / bounces if name(s) of detected virus(es) match the list.

# Note that virus names are supplied by external virus scanner(s) and are

# not standardized, so virus names may need to be adjusted.

# See README.lookups for syntax, check also README.policy-on-notifications.

# If the intention is to treat all viruses as faking the sender address, it

# is equivalent but more efficient to just set $final_virus_destiny=D_DISCARD;

#

@viruses_that_fake_sender_maps = (new_RE(

  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,

  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,

  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,

  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,

  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan

  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc

# [qr'^(EICAR|Joke\.|Junk\.)'i         => 0],

# [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i  => 0],

  [qr/^/ => 1],   # true by default  (remove or comment-out if undesired)

));

# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)

# - the administrator envelope address may be a simple fixed e-mail address

#   (a scalar), or may depend on the RECIPIENT address (e.g. its domain).

#

#   Empty or undef lookup disables virus admin notifications.

# The full set of configurable administrator addresses is:

#   @virus_admin_maps    ... notifications to admin about viruses

#   @newvirus_admin_maps ... newly encountered viruses since amavisd startup

#   @spam_admin_maps     ... notifications to admin about spam

#   @banned_admin_maps   ... notifications to admin about banned contents

#   @bad_header_admin_maps ... notifications to admin about bad headers

#$virus_admin = "virusalert\@$mydomain";

# $virus_admin = 'virus-admin@example.com';

$virus_admin = undef;   # do not send virus admin notifications (default)

#

#@virus_admin_maps = (    # by-recipient maps

#  {'not.example.com' => '',

#   '.' => 'virusalert@example.com'},

#  $virus_admin,   # the usual default

#);

# equivalent to $virus_admin, but for spam admin notifications:

# $spam_admin = "spamalert\@$mydomain";

# $spam_admin = undef;    # do not send spam admin notifications (default)

#@spam_admin_maps = (     # by-recipient maps

#  {'not.example.com' => '',

#   '.' => 'spamalert@example.com'},

#  $spam_admin,   # the usual default

#);

#advanced example, using a hash lookup table and a scalar default,

#lookup key is a recipient envelope address:

#@virus_admin_maps = (    # by-recipient maps

#  { 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com',

#    '.sub1.example.com'  => 'virusalert@sub1.example.com',

#    '.sub2.example.com'  => '',               # don't send admin notifications

#    'a.sub3.example.com' => 'abuse@sub3.example.com',

#    '.sub3.example.com'  => 'virusalert@sub3.example.com',

#    '.example.com'       => 'noc@example.com', # default for our virus senders

#  },

#  'virusalert@hq.example.com',  # catchall for the rest

#);

# sender envelope address, from which notification reports are sent from;

# may be a null reverse path, or a fully qualified address:

#   (admin and recip sender addresses default to a null return path).

#   If using strings in double quotes, don't forget to quote @, i.e. \@

#

$mailfrom_notify_admin     = undef;

$mailfrom_notify_recip     = undef;

$mailfrom_notify_spamadmin = undef;

# 'From' HEADER FIELD for sender and admin notifications.

# This should be a replyable address, see rfc1894. Not to be confused

# with $mailfrom_notify_sender, which is the envelope return address

# and can be empty (null reverse path) according to rfc2821.

#

# The syntax of the 'From' header field is specified in rfc2822, section

# '3.4. Address Specification'. Note in particular that display-name must be

# a quoted-string if it contains any special characters like spaces and dots.

#

# $hdrfrom_notify_sender = "amavisd-new <postmaster\@$mydomain>";

# $hdrfrom_notify_sender = 'amavisd-new <postmaster@example.com>';

# $hdrfrom_notify_sender = '"Content-Filter Master" <postmaster@example.com>';

# $hdrfrom_notify_admin = $mailfrom_notify_admin;

# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;

#   (default: "\"Content-filter at $myhostname\" <postmaster\@$myhostname>")

# whom quarantined messages appear to be sent from (envelope sender);

# keeps original sender if undef, or set it explicitly, default is undef

$mailfrom_to_quarantine = '';   # override sender address with null return path

# Location to put infected mail into: (applies to 'local:' quarantine method)

#   empty for not quarantining, may be a file (Unix-style mailbox),

#   or a directory (no trailing slash)

#   (the default value is undef, meaning no quarantine)

#

$QUARANTINEDIR = "$MYHOME/quarantine";

#$quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine

$virus_quarantine_method          = 'local:virus-%m';     # default

$spam_quarantine_method           = 'local:spam-%m.gz';   # default

$banned_files_quarantine_method   = 'local:banned-%m';    # default

$bad_header_quarantine_method     = 'local:badh-%m';      # default

# Separate quarantine subdirectories virus, spam, banned and badh within

# the directory $QUARANTINEDIR may be specified by the following settings

# (the subdirectories need to exist - must be created manually):

#$virus_quarantine_method          = 'local:virus/virus-%m';

#$spam_quarantine_method           = 'local:spam/spam-%m.gz';

#$banned_files_quarantine_method   = 'local:banned/banned-%m';

#$bad_header_quarantine_method     = 'local:badh/badh-%m';

#

#use the 'bsmtp:' method as an alternative to the default 'local:'

#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%m.bsmtp";

#$spam_quarantine_method  = "bsmtp:$QUARANTINEDIR/spam-%m.bsmtp";

#

#using the 'pipe:' method might be useful for some special purpose:

#$mailfrom_to_quarantine = undef;  # pass on the original sender address

#$spam_quarantine_method = 'pipe:argv=/usr/bin/myscript.sh spam-%b ${sender}';

#

#using the 'sql:' method to store quarantined message to a SQL database:

#$virus_quarantine_method = $spam_quarantine_method =

$banned_files_quarantine_method = $bad_header_quarantine_method = 'sql:';

# When using the 'local:' quarantine method (default), the following applies:

#

# A finer control of quarantining is available through

# variables $virus_quarantine_method/$spam_quarantine_method/

# $banned_files_quarantine_method/$bad_header_quarantine_method.

#

# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a

# per-recipient lookup result from lookup tables @virus_quarantine_to_maps)

# is/are interpreted as follows:

#

# VARIANT 1:

#   empty or undef disables quarantine;

#

# VARIANT 2:

#   a string NOT containing an '@';

# amavisd will behave as a local delivery agent (LDA) and will quarantine

# viruses to local files according to hash %local_delivery_aliases (pseudo

# aliases map) - see subroutine mail_to_local_mailbox() for details.

# Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'.

# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:

#

# * if $QUARANTINEDIR is a directory, each quarantined virus will go

#   to a separate file in the $QUARANTINEDIR directory (traditional

#   amavis style, similar to maildir mailbox format);

#

# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style

#   mailbox. All quarantined messages will be appended to this file.

#   Amavisd child process must obtain an exclusive lock on the file during

#   delivery, so this may be less efficient than using individual files

#   or forwarding to MTA, and it may not work across NFS or other non-local

#   file systems (but may be handy for pickup of quarantined files via IMAP

#   for example);

#

# VARIANT 3:

#   any email address (must contain '@').

# The e-mail messages to be quarantined will be handed to MTA

# for delivery to the specified address. If a recipient address local to MTA

# is desired, you may leave the domain part empty, e.g. 'infected@', but the

# '@' character must nevertheless be included to distinguish it from variant 2.

#

# This variant enables more refined delivery control made available by MTA

# (e.g. its aliases file, other local delivery agents, dealing with

# privileges and file locking when delivering to user's mailbox, nonlocal

# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined

# will not be handed back to amavisd for checking, as this will cause a loop

# (hopefully broken at some stage)! If this can be assured, notifications

# will benefit too from not being unnecessarily virus-scanned.

#

# By default this is safe to do with Postfix and Exim v4 and dual-sendmail

# setup, but probably not safe with sendmail milter interface without tricks.

# (default values are: virus-quarantine, banned-quarantine, spam-quarantine)

$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine

#$virus_quarantine_to = 'infected@';           # forward to MTA for delivery

#$virus_quarantine_to = "virus-quarantine\@$mydomain";   # similar

#$virus_quarantine_to = 'virus-quarantine@example.com';  # similar

#$virus_quarantine_to = undef;                 # no quarantine

#

# lookup key is envelope recipient address:

#@virus_quarantine_to_maps = (   # per-recip multiple quarantines

#  new_RE( [qr'^user@example\.com$'i => 'infected@'],

#          [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'],

#          [qr'^(.*)(@[^@])?$'i      => 'virus-${1}${2}'] ),

#  $virus_quarantine_to,  # the usual default

#);

# similar for banned names and bad headers and spam (set to undef to disable)

$banned_quarantine_to     = 'banned-quarantine';     # local quarantine

$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine

$spam_quarantine_to       = 'spam-quarantine';       # local quarantine

# or to a mailbox:

#$spam_quarantine_to = "spam-quarantine\@$mydomain";

#

#@spam_quarantine_to_maps = (    # per-recip multiple quarantines

#  new_RE( [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'] ),

#  $spam_quarantine_to,  # the usual default

#);

# In addition to per-recip quarantine, a by-sender lookup is possible.

# It is similar to $spam_quarantine_to, but the lookup key is the

# envelope sender address:

#$spam_quarantine_bysender_to = undef;   # dflt: no by-sender spam quarantine

# Spam level beyond which quarantining is disabled (global value):

#$sa_quarantine_cutoff_level = 20;  # dflt: undef, which disables this feature

#@spam_quarantine_cutoff_level_maps = (  # per-recip. quarantine cutoff levels

#  { 'user1@example.com' => 20.5,

#    'postmaster@example.com' => 9999,

#    '.example.com' => 25 },

#  \$sa_quarantine_cutoff_level,   # catchall default

#);

# Add X-Virus-Scanned header field to mail?

$X_HEADER_TAG = 'X-Virus-Scanned';      # (default: 'X-Virus-Scanned')

# Set to empty to add no header field   # (dflt "$myproduct_name at $mydomain")

# $X_HEADER_LINE = "$myproduct_name at $mydomain";

# $X_HEADER_LINE = "by $myproduct_name using ClamAV at $mydomain";

# $X_HEADER_LINE = "$myproduct_name $myversion_id ($myversion_date) at $mydomain";

# a string to prepend to Subject (for local recipients only) if mail could

# not be decoded or checked entirely, e.g. due to password-protected archives

$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it

# MIME defanging wraps the entire original mail in a MIME container of type

# 'Content-type: multipart/mixed', where the first part is a text/plain with

# a short explanation, and the second part is a complete original mail,

# enclosed in a 'Content-type: message/rfc822' MIME part.

# Defanging is only done when enabled (selectively by malware type),

# and mail is considered malware (virus/spam/...), and the malware is allowed

# to pass (*_lovers or *_des

----------
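The `@inet_acl` comments in the posted amavisd.conf describe an ordered list in which a leading `!` excludes an address and an earlier entry takes precedence over a later one. The following is an added example, not part of the original post and not amavisd-new's own code, that evaluates such a list so a candidate ACL can be checked before it is put in front of the amavisd SMTP port. The function names are hypothetical, and it assumes the first matching entry decides and that a truncated address without a mask implies a classful width.

```python
import ipaddress


def parse_entry(entry):
    """Parse one ACL token into (network, verdict).

    Handles the notations shown in the config comments:
      127.0.0.1            full IPv4 address
      10/8, 172.16/12      truncated octets with a prefix length
      172.16.3/255.255.255.0  truncated octets with a dotted netmask
      [::1], [FE80::]/10   bracketed IPv6, optional prefix length
      !entry               negated entry (a match means "deny")
    """
    negate = entry.startswith("!")
    spec = entry[1:] if negate else entry
    if spec.startswith("["):
        addr, _, rest = spec[1:].partition("]")
        prefix = rest.lstrip("/") or "128"
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    else:
        addr, _, mask = spec.partition("/")
        octets = addr.split(".")
        if not 1 <= len(octets) <= 4:
            raise ValueError(f"bad IPv4 entry: {entry!r}")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        if not mask:
            # Assumption: no mask means one byte of prefix per octet given
            # (so a full address is a /32 host entry).
            mask = str(8 * len(octets))
        net = ipaddress.ip_network(f"{padded}/{mask}", strict=False)
    return net, not negate


def acl_allows(acl, client_ip):
    """Return True if client_ip is admitted by the ordered ACL.

    The list is scanned in order; the first entry whose network contains
    the client decides. No match at all means the client is refused.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        net, verdict = parse_entry(entry)
        if ip.version == net.version and ip in net:
            return verdict
    return False


# ACLs copied from the config comments and settings above (qw() splits on
# whitespace, which str.split() mirrors).
POSTED_ACL = "127.0.0.1 [::1]".split()
EXAMPLE2 = ("!192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0 "
            "127.0.0.1 10/8 172.16/12 192.168/16").split()
EXAMPLE3 = ("127/8 !172.16.3.0 !172.16.3.127 172.16.3.0/25 "
            "!172.16.3.128 !172.16.3.255 172.16.3.128/25").split()

if __name__ == "__main__":
    # Constructed client addresses used only to exercise the lists.
    for name, acl, ip in [
        ("posted", POSTED_ACL, "127.0.0.1"),
        ("posted", POSTED_ACL, "127.0.0.2"),
        ("example2", EXAMPLE2, "172.16.3.3"),
        ("example2", EXAMPLE2, "172.16.3.4"),
        ("example3", EXAMPLE3, "172.16.3.127"),
    ]:
        print(f"{name:9} {ip:15} {'allow' if acl_allows(acl, ip) else 'deny'}")
```

Reordering `172.16.3.3` after `!172.16.3/255.255.255.0` in Example2 flips that host to denied, which is the ordering mistake this kind of check catches.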

