# Problem with Postfix + Amavisd-new + ClamAV

## hambuergaer

Hello everyone.

I have Postfix with courier-imap-ssl installed on my server. It runs flawlessly!

Now I wanted to add Amavisd-new and ClamAV. Since then my Postfix no longer delivers the mails I fetch with fetchmail.

Error messages:

/var/log/mail.err

```
Jan 22 15:07:19 server clamd[22752]: Can't unlink the pid file /var/run/clamd.pid
Jan 22 15:09:01 server clamd[6420]: Can't save PID in file /var/run/clamd.pid
```

and /var/log/mail.log

```
Jan 22 15:25:48 server postfix/qmgr[7327]: F13096E0CB: from=<tester@testvirus.org>, size=1846, nrcpt=1 (queue active)
Jan 22 15:25:48 server postfix/qmgr[7327]: D2B216E0CD: from=<apache@gentoo.org>, size=2336, nrcpt=1 (queue active)
Jan 22 15:25:48 server postfix/smtp[7529]: connect to 127.0.0.1[127.0.0.1]: Connection refused (port 10024)
Jan 22 15:25:48 server postfix/smtp[7528]: connect to 127.0.0.1[127.0.0.1]: Connection refused (port 10024)
```

I have this entry in /etc/postfix/main.cf:

```
content_filter = smtp-amavis:[127.0.0.1]:10024
```

and this in master.cf:

```
smtp-amavis unix - - n - 3 smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
```

Can anyone help me?

----------

## steveb

And what does your /etc/clamd.conf or /etc/clamav.conf look like (depending on the version it is one or the other configuration file)?

regards

steve

----------

## hambuergaer

My configs look like this:

/etc/clamd.conf

```
LogFile /var/log/clamd.log
LogFileMaxSize 2M
LogTime
LogSyslog
LogFacility LOG_LOCAL6
LogVerbose
PidFile /var/run/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamav/clamd
MaxThreads 10
ReadTimeout 300
MaxDirectoryRecursion 15
User clamav
AllowSupplementaryGroups
ScanMail
ScanArchive
ScanRAR
ArchiveMaxFileSize 50M
```

------------------------------------------------------------------------------------------

/etc/freshclam.conf

```
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clam-update.log
LogVerbose
LogSyslog
LogFacility LOG_LOCAL6
```

------------------------------------------------------------------------------------------

/etc/conf.d/clamd

```
START_CLAMD=yes
```

------------------------------------------------------------------------------------------

----------

## Haldir

```
Jan 22 15:25:48 server postfix/smtp[7528]: connect to 127.0.0.1[127.0.0.1]: Connection refused (port 10024)
```

That points more towards amavisd not running. AFAIK you don't need clamd with amavisd-new, it should call clamav directly. So you can stop it; just look in the amavisd.log to see whether it detects clamav.

Furthermore, clamav is really a secondary virus scanner; for serious use you should normally run a "real" one, since clamav still has some gaps in its detection.
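Haldir's reading of that log line, worked through in code as an added example (not code from the thread): it parses the first post's main.cf and master.cf fragments, checks that the re-injection listener on 127.0.0.1:10025 is loop-safe and loopback-only, and ties the "Connection refused (port 10024)" line back to the content_filter target. The function names and the `reinject_port` parameter are my own, not Postfix or amavisd API.

```python
"""Check a Postfix content_filter hand-off the way the thread's first post sets it up.
Added example, not code from the thread: parses main.cf's content_filter and the
master.cf service table, verifies the re-injection listener is loop-safe, and ties
the 'Connection refused (port 10024)' log line back to the filter target."""
import re

# Constructed input: fragments from the first post, with the -o continuation
# lines indented as Postfix requires and the unrelated overrides dropped.
MAIN_CF = "content_filter = smtp-amavis:[127.0.0.1]:10024\n"
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtp-amavis unix - - n - 3 smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
"""
# Constructed: the same listener without the empty content_filter= override.
MASTER_CF_LOOPING = MASTER_CF.replace("    -o content_filter=\n", "")
# The smtp client log line from the first post, joined back onto one line.
LOG_LINE = ("Jan 22 15:25:48 server postfix/smtp[7529]: connect to "
            "127.0.0.1[127.0.0.1]: Connection refused (port 10024)")


def parse_content_filter(main_cf):
    """Return (transport, host, port) from 'content_filter = transport:[host]:port', else None."""
    m = re.search(r"^\s*content_filter\s*=\s*([\w-]+):\[?([^\]:\s]+)\]?:(\d+)\s*$",
                  main_cf, re.M)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def parse_master_cf(master_cf):
    """Parse master.cf into {service: {'type', 'command', 'options'}}; indented
    lines continue the previous service and carry its '-o name=value' overrides."""
    services, current = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("continuation line before any service: %r" % line)
            m = re.match(r"\s*-o\s+(\w+)=(.*)$", line)
            if m:
                current["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % line)
        current = {"type": fields[1], "command": fields[7], "options": {}}
        services[fields[0]] = current
    return services


def check_filter_setup(main_cf, master_cf, reinject_port=10025):
    """Return (severity, message) findings; an empty list means the hand-off looks sane."""
    cf = parse_content_filter(main_cf)
    if cf is None:
        return [("info", "no global content_filter in main.cf; nothing to check")]
    transport = cf[0]
    services = parse_master_cf(master_cf)
    findings = []
    svc = services.get(transport)
    if svc is None or svc["type"] != "unix" or svc["command"] not in ("smtp", "lmtp"):
        findings.append(("error", "content_filter transport %r has no unix smtp/lmtp "
                                  "service in master.cf" % transport))
    name = "127.0.0.1:%d" % reinject_port
    back = services.get(name)
    if back is None or back["command"] != "smtpd":
        return findings + [("error", "no smtpd listener %s to receive scanned mail" % name)]
    opts = back["options"]
    if opts.get("content_filter") != "":  # inherits main.cf's filter: mail loop
        findings.append(("error", "%s must set content_filter= (empty), otherwise scanned "
                                  "mail is handed to %s again in a loop" % (name, transport)))
    if opts.get("smtpd_recipient_restrictions") != "permit_mynetworks,reject" \
            or opts.get("mynetworks") != "127.0.0.0/8":
        findings.append(("warn", "%s should accept mail from loopback only "
                                 "(mynetworks=127.0.0.0/8, permit_mynetworks,reject)" % name))
    return findings


def explain_connection_refused(log_line, main_cf):
    """Tie a postfix/smtp 'Connection refused (port N)' line to the content_filter target."""
    m = re.search(r"connect to ([\w.-]+)\[[\w.:]+\]: Connection refused \(port (\d+)\)", log_line)
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    cf = parse_content_filter(main_cf)
    if cf and (host, port) == (cf[1], cf[2]):
        return ("nothing listens on %s:%d, the content_filter target (%s): the filter daemon "
                "is not running or bound elsewhere, so Postfix defers the mail" % (host, port, cf[0]))
    return "refused connection to %s:%d is not the content_filter target" % (host, port)
```

Run `check_filter_setup(MAIN_CF, MASTER_CF_LOOPING)` to see the error a missing `content_filter=` override produces, and `explain_connection_refused(LOG_LINE, MAIN_CF)` for the diagnosis of the first post's log line.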

----------

## hambuergaer

Hello Haldir,

which virus scanner would you use and how do you integrate it into your system? I'm still new in this area and could use a little help.

Of course I want outgoing mails, and naturally also the mails I fetch with fetchmail, to go through the scanner.

----------

## hambuergaer

Here are a few more error messages:

```
Jan 23 15:02:14 server clamd[6497]: Can't save PID in file /var/run/clamd.pid
Jan 23 15:06:28 server clamd[6497]: Can't unlink the pid file /var/run/clamd.pid
Jan 23 15:15:59 server amavis[7826]: TROUBLE in pre_loop_hook: TEMPBASE directory inaccessible, Permission denied: /var/amavis/tmp at /usr/sbin/amavisd line 5541.
```

----------

## steveb

my /etc/clamd.conf:

```
LogFile /var/log/clamd.log

LogFileMaxSize 2M

LogTime

LogSyslog

LocalSocket /var/run/clamav/clamd

FixStaleSocket

MaxConnectionQueueLength 30

StreamMaxLength 50M

MaxThreads 20

ReadTimeout 300

IdleTimeout 60

MaxDirectoryRecursion 20

ScanRAR

ArchiveMaxFileSize 50M

ArchiveMaxRecursion 8

ArchiveMaxFiles 1500

ArchiveMaxCompressionRatio 300

ClamukoScanOnOpen

ClamukoScanOnClose

ClamukoScanOnExec

ClamukoMaxFileSize 10M
```

my /etc/freshclam.conf:

```
DNSDatabaseInfo current.cvd.clamav.net

DatabaseMirror database.clamav.net
```

my /etc/conf.d/clamd:

```
START_CLAMD="yes"

CLAMD_OPTS="--config-file=/etc/clamd.conf"

CLAMD_LOG="/var/log/clamd.log"

START_FRESHCLAM="yes"

FRESHCLAM_OPTS="-d -c 2"

FRESHCLAM_LOG="/var/log/clam-update.log"
```

my /etc/amavisd.conf (I have a newer amavisd version and have anonymised some entries):

```
use strict;

$MYHOME = '/var/amavis';   # (default is '/var/amavis')

$mydomain = 'xxxxxxx';      # (no useful default)

$myhostname = 'xxxxxx';  # fqdn of this host, default by uname(3)

$daemon_user  = 'amavis';   # (no default;  customary: vscan or amavis)

$daemon_group = 'amavis';   # (no default;  customary: vscan or amavis or sweep)

$TEMPBASE = "$MYHOME/tmp";     # prefer to keep home dir /var/amavis clean?

$db_home = "$MYHOME/db";        # DB databases directory, default "$MYHOME/db"

$helpers_home = $MYHOME;        # (defaults to $MYHOME)

$ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)

$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$max_servers  =  4;   # number of pre-forked children          (default 2)

$max_requests = 20;   # retire a child after that many accepts (default 10)

$child_timeout=5*60;  # abort child if it does not complete each task in

                      # approximately n sec (default: 8*60 seconds)

@bypass_spam_checks_maps = (1);  # uncomment to DISABLE anti-spam code

@local_domains_maps = ( [ ".$mydomain", qw( .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .localhost.local .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxx ) ] );  # ".$mydomain" must be a quoted string: inside qw() it would stay the literal text .$mydomain

                                  # (does not apply to sendmail/milter)

                                  # (default is true)

$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket

                                  # (default is undef, i.e. disabled)

                                  # (usual setting is $MYHOME/amavisd.sock)

$inet_socket_port = 10024;        # accept SMTP on this local TCP port

                                  # (default is undef, i.e. disabled)

                                  # (default is '127.0.0.1')

@inet_acl = qw( 127.0.0.1 ::1 );  # allow SMTP access only from localhost IP

                                  # (default is qw(127.0.0.1 ::1) )

@mynetworks = qw( 127.0.0.0/8 ::1 aaa.bbb.ccc.ddd/29 192.168.0.0/24 );

$DO_SYSLOG = 1;                   # (defaults to 0)

$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)

$log_level = 0;           # (defaults to 0)

$log_recip_templ = undef;  # undef disables by-recipient level-0 log entries

$final_virus_destiny      = D_DISCARD;  # (defaults to D_DISCARD)

$final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)

$final_spam_destiny       = D_DISCARD;  # (defaults to D_BOUNCE)

$final_bad_header_destiny = D_PASS;     # (defaults to D_PASS)

@viruses_that_fake_sender_maps = (new_RE(

  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,

  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,

  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,

  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,

  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan

  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc

  [qr/.*/ => 1],  # true by default  (remove or comment-out if undesired)

));

$virus_admin = "virusalert\@$mydomain";

$mailfrom_notify_admin     = "virusalert\@$mydomain";

$mailfrom_notify_recip     = "virusalert\@$mydomain";

$mailfrom_notify_spamadmin = "spam.police\@$mydomain";

$mailfrom_to_quarantine = '';   # override sender address with null return path

$QUARANTINEDIR = "$MYHOME/quarantine";

$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine

$banned_quarantine_to     = 'banned-quarantine';     # local quarantine

$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine

$spam_quarantine_to       = 'spam-quarantine';       # local quarantine

$X_HEADER_TAG = 'X-Virus-Scanned';      # (default: 'X-Virus-Scanned')

$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it

$defang_virus  = 1;  # default is false: don't modify mail body

$defang_banned = 1;  # default is false: don't modify mail body

$defang_undecipherable = 1;  # default is false: don't modify mail body

$remove_existing_x_scanned_headers= 1; # remove existing headers

                                        # (defaults to false)

$remove_existing_spam_headers  = 1;     # remove existing spam headers if

                                        # spam scanning is enabled (default)

@keep_decoded_original_maps = (new_RE(

  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables

  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,

));

$banned_filename_re = new_RE(

  # block certain double extensions anywhere in the base name

  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

  qr'^application/x-msdownload$'i,                  # block these MIME types

  qr'^application/x-msdos-program$'i,

  qr'^application/hta$'i,

  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

  qr'^\.(exe-ms)$',                       # banned file(1) types

);

$banned_namepath_re = new_RE(

  # block these MIME types

  qr'(?#NO X-MSDOWNLOAD)   ^(.*\t)? M=application/x-msdownload   (\t.*)? $'xmi,

  qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,

  qr'(?#NO HTA)            ^(.*\t)? M=application/hta            (\t.*)? $'xmi,

  # within traditional Unix archives allow any name and type

  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow

  # block certain double extensions in filenames

  qr'(?# BLOCK DOUBLE-EXTENSIONS )

     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* \.

                  (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,

  # banned filename extensions (in declared names) anywhere - basic

  qr'(?# BLOCK COMMON NAME EXENSIONS )

     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,

  [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )

       ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi

    => 'DISCARD' ],

  qr'(?# BLOCK Microsoft EXECUTABLES )

     ^ (.*\t)? T=exe-ms (\t.*)? $'xm,              # banned file(1) type

);

  $banned_namepath_re = undef;  # to disable new-style

@bypass_spam_checks_maps = (1);

@lookup_sql_dsn =

  ( ['DBI:mysql:database=amavisd;host=127.0.0.1;port=3306', 'yyyyyyyyyyyyyy', 'yyyyyyyyyyyyyy'],

    ['DBI:mysql:database=amavisd;host=192.168.0.115', 'yyyyyyyyyyyyyy', 'yyyyyyyyyyyyyy'] );

$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting

$recipient_delimiter = '+';             # (default is undef, i.e. disabled)

$localpart_is_case_sensitive = 0;       # (default is false)

@score_sender_maps = ({  # a by-recipient hash lookup table

  # site-wide opinions about senders (the '.' matches any recipient)

  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist

    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],

    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],

    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],

    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],

    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],

    [qr'^(your_friend|greatoffers)@'i                                => 5.0],

    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],

   ),

   { # a hash-type lookup table (associative array)

     'nobody@cert.org'                        => -3.0,

     'cert-advisory@us-cert.gov'              => -3.0,

     'owner-alert@iss.net'                    => -3.0,

     'slashdot@slashdot.org'                  => -3.0,

     'bugtraq@securityfocus.com'              => -3.0,

     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,

     'security-alerts@linuxsecurity.com'      => -3.0,

     'mailman-announce-admin@python.org'      => -3.0,

     'amavis-user-admin@lists.sourceforge.net'=> -3.0,

     'notification-return@lists.sophos.com'   => -3.0,

     'owner-postfix-users@postfix.org'        => -3.0,

     'owner-postfix-announce@postfix.org'     => -3.0,

     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,

     'sendmail-announce-request@lists.sendmail.org' => -3.0,

     'donotreply@sendmail.org'                => -3.0,

     'ca+envelope@sendmail.org'               => -3.0,

     'noreply@freshmeat.net'                  => -3.0,

     'owner-technews@postel.acm.org'          => -3.0,

     'ietf-123-owner@loki.ietf.org'           => -3.0,

     'cvs-commits-list-admin@gnome.org'       => -3.0,

     'rt-users-admin@lists.fsck.com'          => -3.0,

     'clp-request@comp.nus.edu.sg'            => -3.0,

     'surveys-errors@lists.nua.ie'            => -3.0,

     'emailnews@genomeweb.com'                => -5.0,

     'yahoo-dev-null@yahoo-inc.com'           => -3.0,

     'returns.groups.yahoo.com'               => -3.0,

     'clusternews@linuxnetworx.com'           => -3.0,

     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,

     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

     # soft-blacklisting (positive score)

     'sender@example.net'                     =>  3.0,

     '.example.net'                           =>  1.0,

   },

  ],  # end of site-wide tables

});

@blacklist_sender_maps = ( new_RE(

    qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,

    qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,

    qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,

    qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,

    qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,

    qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,

));

$MAXLEVELS = 14;                # (default is undef, no limit)

$MAXFILES = 1500;               # (default is undef, no limit)

$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)

$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)

$MIN_EXPANSION_FACTOR =   5;  # times original mail size  (default is 5)

$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (default is 500)

$virus_check_negative_ttl=  3*60; # time to remember that mail was not infected

$virus_check_positive_ttl= 30*60; # time to remember that mail was infected

$spam_check_negative_ttl = 30*60; # time to remember that mail was not spam

$spam_check_positive_ttl = 30*60; # time to remember that mail was spam

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin';

$file   = 'file';   # file(1) utility; use 3.41 or later to avoid vulnerability

$gzip   = 'gzip';

$bzip2  = 'bzip2';

$lzop   = 'lzop';

$rpm2cpio   = ['rpm2cpio.pl','rpm2cpio'];

$cabextract = 'cabextract';

$uncompress = ['uncompress', 'gzip -d', 'zcat'];

$unfreeze   = ['unfreeze', 'freeze -d', 'melt', 'fcat'];

$arc        = ['nomarch', 'arc'];

$unarj      = ['arj', 'unarj'];  # both can extract, arj is recommended

$unrar      = ['rar', 'unrar'];  # both can extract, same options

$zoo    = 'zoo';

$lha    = 'lha';

$pax    = 'pax'; # pax preferred to cpio, if pax is avail the cpio is not used

$cpio   = ['gcpio','cpio']; # gcpio is a GNU cpio on OpenBSD, which supports

                            # the options needed; the rest of us use cpio

$ar     = 'ar';  # Unix binary archives and Debian binary packages

$ripole = 'ripole';

$dspam  = 'dspam';

$sa_local_tests_only = 0;   # (default: false)

                            # for SA 3.0, its cf option is use_auto_whitelist)

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger

                            # (less than 1% of spam is > 64k)

                            # default: undef, no limitations

$sa_tag_level_deflt  = 2.0; # add spam info headers if at, or above that level;

                            # undef is interpreted as lower than any spam level

$sa_tag2_level_deflt = 6.31;# add 'spam detected' headers at that level to

                            # passed mail (e.g. when $final_spam_destiny=D_PASS

                            # or for spam_lovers or when below kill_level)

$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions

                            # at or above that level: bounce/reject/drop,

                            # quarantine, and adding mail address extension

$sa_dsn_cutoff_level = 10;  # spam level beyond which a DSN is not sent,

                            # effectively turning D_BOUNCE into D_DISCARD;

                            # undef disables this feature and is a default;

                             # (only seen when spam is passed and recipient is

                             # in local_domains*)

                             # undef or empty disables inserting X-Spam-Level

$first_infected_stops_scan = 1;  # default is false, all scanners in a section

                                  # are called

@av_scanners = (

['ClamAV-clamd',

  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],

  qr/\bOK$/, qr/\bFOUND$/,

  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

  ### http://www.kaspersky.com/  (in the 'file server version')

  ['KasperskyLab AVP - aveclient',

    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',

     '/opt/kav/bin/aveclient','aveclient'],

    '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,

    qr/(?:INFECTED|SUSPICION) (.+)/,

  ],

  ### http://www.kaspersky.com/

  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],

    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?

    qr/infected: (.+)/,

    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},

    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},

  ],

  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky

  ### products and replaced by aveserver and aveclient

  ['KasperskyLab AVPDaemonClient',

    [ '/opt/AVP/kavdaemon',       'kavdaemon',

      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',

      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',

      '/opt/AVP/avpdc', 'avpdc' ],

    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],

    # change the startup-script in /etc/init.d/kavd to:

    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"

    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )

    # adjusting /var/amavis above to match your $TEMPBASE.

    # The '-f=/var/amavis' is needed if not running it as root, so it

    # can find, read, and write its pid file, etc., see 'man kavdaemon'.

    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever

    #   directory $TEMPBASE specifies) in the 'Names=' section.

    # cd /opt/AVP/DaemonClients; configure; cd Sample; make

    # cp AvpDaemonClient /opt/AVP/

    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"

  ### http://www.hbedv.com/ or http://www.centralcommand.com/

  ['H+BEDV AntiVir or CentralCommand Vexira Antivirus',

    ['antivir','vexira'],

    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,

    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |

         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],

    # NOTE: if you only have a demo version, remove -z and add 214, as in:

    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

    # According to the documentations, the new version of Vexira has

    # reasonable defaults, one may consider: "--timeout=60 --temp=$TEMPBASE {}"

  ### http://www.commandsoftware.com/

  ['Command AntiVirus for Linux', 'csav',

    '-all -archive -packed {}', [50], [51,52,53],

    qr/Infection: (.+)/ ],

  ### http://www.symantec.com/

  ['Symantec CarrierScan via Symantec CommandLineScanner',

    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',

    qr/^Files Infected:\s+0$/, qr/^Infected\b/,

    qr/^(?:Info|Virus Name):\s+(.+)/ ],

  ### http://www.symantec.com/

  ['Symantec AntiVirus Scan Engine',

    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',

    [0], qr/^Infected\b/,

    qr/^(?:Info|Virus Name):\s+(.+)/ ],

    # NOTE: check options and patterns to see which entry better applies

  ### http://www.f-secure.com/products/anti-virus/

  ['F-Secure Antivirus', 'fsav',

    '--dumb --mime --archive {}', [0], [3,8],

    qr/(?:infection|Infected|Suspected): (.+)/ ],

  ['CAI InoculateIT', 'inocucmd',  # retired product

    '-sec -nex {}', [0], [100],

    qr/was infected by virus (.+)/ ],

  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html

  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)

  ['CAI eTrust Antivirus', 'etrust-wrapper',

    '-arc -nex -spm h {}', [0], [101],

    qr/is infected by virus: (.+)/ ],

    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer

    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783

  ### http://mks.com.pl/english.html

  ['MkS_Vir for Linux (beta)', ['mks32','mks'],

    '-s {}/*', [0], [1,2],

    qr/--[ \t]*(.+)/ ],

  ### http://mks.com.pl/english.html

  ['MkS_Vir daemon', 'mksscan',

    '-s -q {}', [0], [1..7],

    qr/^... (\S+)/ ],

  ### http://www.nod32.com/

  ['ESET Software NOD32', 'nod32',

    '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],

  # with old versions use:

  #   '-all -subdir+ {}', [0], [1,2],

  #   qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],

  ### http://www.nod32.com/

  ['ESET Software NOD32 - Client/Server Version', 'nod32cli',

    '-a -r -d recurse --heur standard {}', [0], [10,11],

    qr/^\S+\s+infected:\s+(.+)/ ],

  ### http://www.norman.com/products_nvc.shtml

  ['Norman Virus Control v5 / Linux', 'nvcc',

    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],

    qr/(?i).* virus in .* -> \'(.+)\'/ ],

  ### http://www.pandasoftware.com/

  ['Panda Antivirus for Linux', ['pavcl'],

    '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',

    qr/Number of files infected[ .]*: 0+(?!\d)/,

    qr/Number of files infected[ .]*: 0*[1-9]/,

    qr/Found virus :\s*(\S+)/ ],

  ### http://www.nai.com/

  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',

    '--secure --mime --program --mailbox -rv --summary --noboot --timeout 180 - {}', [0], [13],

    qr/(?x) Found (?:

        \ the\ (.+)\ (?:virus|trojan)  |

        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |

        :\ (.+)\ NOT\ a\ virus)/,

  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},

  # sub {delete $ENV{LD_PRELOAD}},

  ],

  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before

  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6

  # and then clear it when finished to avoid confusing anything else.

  # NOTE2: to treat encrypted files as viruses replace the [13] with:

  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/

  ### http://www.virusbuster.hu/en/

  ['VirusBuster', ['vbuster', 'vbengcl'],

    # VirusBuster Ltd. does not support the daemon version for the workstation

    # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of

    # binaries, some parameters AND return codes have changed (from 3 to 1).

    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],

    qr/: '(.*)' - Virus/ ],

  ### http://www.cyber.com/

  ['CyberSoft VFind', 'vfind',

    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,

  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},

  ],

  ### http://www.ikarus-software.com/

  ['Ikarus AntiVirus for Linux', 'ikarus',

    '{}', [0], [40], qr/Signature (.+) found/ ],

  ### http://www.bitdefender.com/

  ['BitDefender', 'bdc',

    '--all --arc --mail {}', qr/^Infected files *:0+(?!\d)/,

    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,

    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],

);

@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV

  ['ClamAV-clamscan', 'clamscan',

    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],

    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

  ### http://www.f-prot.com/   - backs up F-Prot Daemon

  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],

    '-dumb -ai -packed -server {}', [0,8], [3,6],

    qr/Infection: (.+)/ ],

  ### http://www.trendmicro.com/   - backs up Trophie

  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],

    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD

  ['drweb - DrWeb Antivirus',

    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],

    '-path={} -al -go -ot -cn -upn -ok-',

    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],

  ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],

    '-i1 -xp {}', [0,10,15], [5,20,21,25],

    qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,

    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},

    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},

  ],

);

1;  # insure a defined return
```

As virus scanners I use the following 3 products:

```
app-antivirus/clamav

app-antivirus/bitdefender-console

app-antivirus/f-prot
```

For virus pattern updates I run the following script every few hours:

```
#!/bin/bash

[ -e /opt/f-prot/check-updates.pl ] && /usr/bin/perl /opt/f-prot/check-updates.pl -cron -quiet 1>/dev/null 2>&1

[ -e /usr/bin/freshclam ] && /usr/bin/freshclam --quiet 1>/dev/null 2>&1

[ -e /usr/bin/bdc ] && /usr/bin/bdc --update 1>/dev/null 2>&1

exit 0
```

I have integrated amavisd into postfix and also have a table in mysql for the preferences.

mysql table:

```
CREATE TABLE `mailaddr` (

  `id` int(10) unsigned NOT NULL auto_increment,

  `priority` int(11) NOT NULL default '7',

  `email` varchar(255) NOT NULL default '',

  PRIMARY KEY  (`id`),

  UNIQUE KEY `mailaddr_idx_email` (`email`),

  KEY `email` (`email`)

) TYPE=MyISAM;

CREATE TABLE `policy` (

  `id` int(10) unsigned NOT NULL auto_increment,

  `policy_name` varchar(32) default NULL,

  `virus_lover` char(1) default NULL,

  `spam_lover` char(1) default NULL,

  `banned_files_lover` char(1) default NULL,

  `bad_header_lover` char(1) default NULL,

  `bypass_virus_checks` char(1) default NULL,

  `bypass_spam_checks` char(1) default NULL,

  `bypass_banned_checks` char(1) default NULL,

  `bypass_header_checks` char(1) default NULL,

  `spam_modifies_subj` char(1) default NULL,

  `virus_quarantine_to` varchar(64) default NULL,

  `spam_quarantine_to` varchar(64) default NULL,

  `banned_quarantine_to` varchar(64) default NULL,

  `bad_header_quarantine_to` varchar(64) default NULL,

  `spam_tag_level` float default NULL,

  `spam_tag2_level` float default NULL,

  `spam_kill_level` float default NULL,

  `spam_dsn_cutoff_level` float default NULL,

  `addr_extension_virus` varchar(64) default NULL,

  `addr_extension_spam` varchar(64) default NULL,

  `addr_extension_banned` varchar(64) default NULL,

  `addr_extension_bad_header` varchar(64) default NULL,

  PRIMARY KEY  (`id`)

) TYPE=MyISAM;

CREATE TABLE `users` (

  `id` int(10) unsigned NOT NULL auto_increment,

  `priority` int(11) NOT NULL default '7',

  `policy_id` int(10) unsigned NOT NULL default '1',

  `email` varchar(255) NOT NULL default '',

  `fullname` varchar(255) default NULL,

  `local` char(1) default NULL,

  PRIMARY KEY  (`id`),

  UNIQUE KEY `users_idx_email` (`email`),

  KEY `email` (`email`)

) TYPE=MyISAM;

CREATE TABLE `wblist` (

  `rid` int(10) unsigned NOT NULL default '0',

  `sid` int(10) unsigned NOT NULL default '0',

  `wb` varchar(10) NOT NULL default '',

  PRIMARY KEY  (`rid`,`sid`)

) TYPE=MyISAM;
```

In postfix I only enabled scanning on the external IP (I also use dspam as anti-spam, but I have taken that out here so as not to confuse you). Here is the relevant content of /etc/postfix/master.cf:

```
aaa.bbb.ccc.ddd:smtp      inet  n       -       n       -       -       smtpd

   -o content_filter=smtp-amavis:[127.0.0.1]:10024

192.168.0.115:smtp        inet  n       -       n       -       -       smtpd

127.0.0.1:smtp            inet  n       -       n       -       -       smtpd

pickup    fifo  n       -       n       60      1       pickup

   -o cleanup_service_name=pre-cleanup

cleanup   unix  n       -       n       -       0       cleanup

local     unix  -       n       n       -       -       local

virtual   unix  -       n       n       -       -       virtual

lmtp      unix  -       -       n       -       -       lmtp

smtp-amavis unix -      -       n       -       2       lmtp

  -o smtp_data_done_timeout=1200

  -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n  -       n       -       -       smtpd

    -o cleanup_service_name=pre-cleanup

    -o local_recipient_maps=

    -o relay_recipient_maps=

    -o smtpd_restriction_classes=

    -o smtpd_client_restrictions=

    -o smtpd_helo_restrictions=

    -o smtpd_sender_restrictions=

    -o smtpd_recipient_restrictions=permit_mynetworks,reject

    -o mynetworks=127.0.0.0/8

    -o strict_rfc821_envelopes=yes

    -o smtpd_error_sleep_time=0

    -o smtpd_soft_error_limit=1001

    -o smtpd_hard_error_limit=1000

127.0.0.1:10026 inet n  -       n       -       -       smtpd

    -o local_recipient_maps=

    -o relay_recipient_maps=

    -o smtpd_restriction_classes=

    -o smtpd_client_restrictions=

    -o smtpd_helo_restrictions=

    -o smtpd_sender_restrictions=

    -o smtpd_recipient_restrictions=permit_mynetworks,reject

    -o mynetworks=127.0.0.0/8

    -o strict_rfc821_envelopes=yes

    -o smtpd_error_sleep_time=0

    -o smtpd_soft_error_limit=1001

    -o smtpd_hard_error_limit=1000

pre-cleanup     unix  n  -       n       -        0     cleanup

    -o virtual_alias_maps=

    -o canonical_maps=

    -o sender_canonical_maps=

    -o recipient_canonical_maps=

    -o masquerade_domains=

    -o always_bcc=

    -o sender_bcc_maps=

    -o recipient_bcc_maps=

cleanup         unix  n  -        n       -        0     cleanup

    -o mime_header_checks=

    -o nested_header_checks=

    -o body_checks=

    -o header_checks=

local           unix  -  n        n       -       -       local

    -o content_filter=

    -o myhostname=localhost

    -o local_recipient_maps=

    -o relay_recipient_maps=

    -o mynetworks=127.0.0.0/8

    -o mynetworks_style=host

    -o smtpd_restriction_classes=

    -o smtpd_client_restrictions=

    -o smtpd_helo_restrictions=

    -o smtpd_sender_restrictions=

    -o smtpd_recipient_restrictions=permit_mynetworks,reject
```

Contents of /var/amavis/:

```
total 20K
drwxr-x---   5 amavis amavis 4.0K Jan 23 12:42 .
drwxr-xr-x  18 root   root   4.0K Jan  3 18:39 ..
-rw-r--r--   1 root   root      0 Jan 23 02:50 .keep
-rw-r-----   1 amavis amavis    0 Jan  3 02:26 amavisd-10562.lock
-rw-r-----   1 amavis amavis    0 Jan 19 15:49 amavisd-14773.lock
-rw-r-----   1 amavis amavis    0 Jan  2 16:25 amavisd-15613.lock
-rw-r-----   1 amavis amavis    0 Jan  3 18:43 amavisd-18091.lock
-rw-r-----   1 amavis amavis    0 Jan 19 16:38 amavisd-19955.lock
-rw-r-----   1 amavis amavis    0 Jan  2 16:35 amavisd-20042.lock
-rw-r-----   1 amavis amavis    0 Jan  3 17:56 amavisd-20506.lock
-rw-r-----   1 amavis amavis    0 Jan 19 15:08 amavisd-21589.lock
-rw-r-----   1 amavis amavis    0 Jan  2 17:10 amavisd-22879.lock
-rw-r-----   1 amavis amavis    0 Jan 19 16:13 amavisd-23841.lock
-rw-r-----   1 amavis amavis    0 Jan 19 19:39 amavisd-27815.lock
-rw-r-----   1 amavis amavis    0 Jan 19 17:11 amavisd-29234.lock
-rw-r-----   1 amavis amavis    0 Dec 24 13:56 amavisd-3434.lock
-rw-r-----   1 amavis amavis    0 Dec 24 13:59 amavisd-5482.lock
-rw-r-----   1 amavis amavis    0 Dec 24 14:03 amavisd-6249.lock
-rw-r-----   1 amavis amavis    0 Dec 24 14:03 amavisd-6441.lock
-rw-r-----   1 amavis amavis    0 Dec 25 23:49 amavisd-6965.lock
-rw-r-----   1 amavis amavis    0 Jan 22 23:41 amavisd-7725.lock
-rw-r-----   1 amavis amavis    0 Jan 18 01:43 amavisd-7904.lock
-rw-r-----   1 amavis amavis    0 Jan  2 15:51 amavisd-7953.lock
-rw-r-----   1 amavis amavis    0 Jan 12 10:24 amavisd-8067.lock
-rw-r-----   1 amavis amavis    0 Jan 19 10:12 amavisd-8153.lock
-rw-r-----   1 amavis amavis    0 Jan 15 04:42 amavisd-8265.lock
-rw-r-----   1 amavis amavis    0 Jan 19 14:33 amavisd-8280.lock
-rw-r-----   1 amavis amavis    0 Jan 19 16:37 amavisd-9070.lock
-rw-r-----   1 amavis amavis    0 Jan 23 15:01 amavisd.lock
-rw-r-----   1 amavis amavis    6 Jan 23 12:42 amavisd.pid
srwxr-x---   1 amavis amavis    0 Jan 23 12:42 amavisd.sock
-rw-r--r--   1 amavis amavis    0 Jan 23 02:50 blacklist
drwxr-xr-x   2 amavis amavis  129 Jan 23 12:42 db
drwxr-xr-x   2 amavis amavis 4.0K Jan 23 13:52 quarantine
-rw-r--r--   1 amavis amavis    0 Jan 23 02:50 spam_lovers
drwxr-xr-x  22 amavis amavis 4.0K Jan 23 14:35 tmp
-rw-r--r--   1 amavis amavis    0 Jan 23 02:50 whitelist
```

A restart of amavis spits the following into the log:

```
Jan 23 15:26:32 mail amavis[31584]: starting.  /usr/sbin/amavisd at xxxxxxxxxxxxxxxxx amavisd-new-2.2.1 (20041222), Unicode aware
Jan 23 15:26:32 mail amavis[31584]: Perl version               5.008005
Jan 23 15:26:32 mail amavis[31585]: Module Amavis::Conf        2.034
Jan 23 15:26:32 mail amavis[31585]: Module Archive::Tar        1.23
Jan 23 15:26:32 mail amavis[31585]: Module Archive::Zip        1.14
Jan 23 15:26:32 mail amavis[31585]: Module BerkeleyDB          0.25
Jan 23 15:26:32 mail amavis[31585]: Module Compress::Zlib      1.33
Jan 23 15:26:32 mail amavis[31585]: Module Convert::TNEF       0.17
Jan 23 15:26:32 mail amavis[31585]: Module Convert::UUlib      0.31
Jan 23 15:26:32 mail amavis[31585]: Module DBI                 1.38
Jan 23 15:26:32 mail amavis[31585]: Module MIME::Entity        5.415
Jan 23 15:26:32 mail amavis[31585]: Module MIME::Parser        5.415
Jan 23 15:26:32 mail amavis[31585]: Module MIME::Tools         5.415
Jan 23 15:26:32 mail amavis[31585]: Module Mail::Header        1.60
Jan 23 15:26:32 mail amavis[31585]: Module Mail::Internet      1.60
Jan 23 15:26:32 mail amavis[31585]: Module Net::Cmd            2.24
Jan 23 15:26:32 mail amavis[31585]: Module Net::SMTP           2.26
Jan 23 15:26:32 mail amavis[31585]: Module Net::Server         0.85
Jan 23 15:26:32 mail amavis[31585]: Module Time::HiRes         1.54
Jan 23 15:26:32 mail amavis[31585]: Module Unix::Syslog        0.100
Jan 23 15:26:32 mail amavis[31585]: Amavis::DB code        loaded
Jan 23 15:26:32 mail amavis[31585]: Amavis::Cache code     loaded
Jan 23 15:26:32 mail amavis[31585]: Lookup::SQL code       loaded
Jan 23 15:26:32 mail amavis[31585]: Lookup::LDAP code      NOT loaded
Jan 23 15:26:32 mail amavis[31585]: AMCL-in protocol code  loaded
Jan 23 15:26:32 mail amavis[31585]: SMTP-in protocol code  loaded
Jan 23 15:26:32 mail amavis[31585]: ANTI-VIRUS code        loaded
Jan 23 15:26:32 mail amavis[31585]: ANTI-SPAM  code        NOT loaded
Jan 23 15:26:32 mail amavis[31585]: Unpackers  code        loaded
Jan 23 15:26:32 mail amavis[31585]: Found $file       at /usr/bin/file
Jan 23 15:26:32 mail amavis[31585]: Found $arc        at /usr/bin/arc
Jan 23 15:26:32 mail amavis[31585]: Found $gzip       at /bin/gzip
Jan 23 15:26:32 mail amavis[31585]: Found $bzip2      at /bin/bzip2
Jan 23 15:26:32 mail amavis[31585]: Found $lzop       at /usr/bin/lzop
Jan 23 15:26:32 mail amavis[31585]: Found $lha        at /usr/bin/lha
Jan 23 15:26:32 mail amavis[31585]: Found $unarj      at /usr/bin/unarj
Jan 23 15:26:32 mail amavis[31585]: Found $uncompress at /usr/bin/uncompress
Jan 23 15:26:32 mail amavis[31585]: Found $unfreeze   at /usr/bin/unfreeze
Jan 23 15:26:32 mail amavis[31585]: Found $unrar      at /usr/bin/unrar
Jan 23 15:26:32 mail amavis[31585]: Found $zoo        at /usr/bin/zoo
Jan 23 15:26:32 mail amavis[31585]: Found $pax        at /usr/bin/pax
Jan 23 15:26:32 mail amavis[31585]: Found $cpio       at /usr/bin/cpio
Jan 23 15:26:32 mail amavis[31585]: Found $ar         at /usr/bin/ar
Jan 23 15:26:32 mail amavis[31585]: Found $rpm2cpio   at /usr/bin/rpm2cpio
Jan 23 15:26:32 mail amavis[31585]: Found $cabextract at /usr/bin/cabextract
Jan 23 15:26:32 mail amavis[31585]: Found $ripole     at /usr/bin/ripole
Jan 23 15:26:32 mail amavis[31585]: Found $dspam      at /usr/bin/dspam
Jan 23 15:26:32 mail amavis[31585]: Using internal av scanner code for (primary) ClamAV-clamd
Jan 23 15:26:32 mail amavis[31585]: Found primary av scanner BitDefender at /usr/bin/bdc
Jan 23 15:26:32 mail amavis[31585]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Jan 23 15:26:32 mail amavis[31585]: Found secondary av scanner FRISK F-Prot Antivirus at /usr/bin/f-prot
Jan 23 15:26:32 mail amavis[31585]: Creating db in /var/amavis/db/; BerkeleyDB 0.25, libdb 4.1
```

I made sure that I have as much as possible enabled in amavis. Just yesterday I enabled ripole (you can find the ebuild for it on bugs.gentoo.org; I posted it yesterday).

And I read the local domains from the MySQL database (since I have integrated MySQL and Postfix) and update the entries in amavis whenever needed:

```
#!/bin/bash
# Keep amavisd-new's @local_domains_maps in sync with the domains Postfix
# delivers locally (read from the MySQL transport table); restart amavisd
# only if the line in amavisd.conf actually changed.

db_user="xxxxxxx"
db_password="yyyyyyyy"
db_name="zzzzzzz"
db_table="transport"
db_field="domain"
# Parenthesised so the OR cannot bind to the leading "where 1".
db_where="and (destination = 'virtual:' or destination = 'local:')"

amavis_local_domains_new=""
amavisd_conf="/etc/amavisd.conf"
amavisd_restart="/etc/init.d/amavisd restart"
postfix_main_config="/etc/postfix/main.cf"   # not used below

# NOTE: --password=... on the command line is visible to every local user in
# "ps"; a 0600 options file passed via --defaults-extra-file avoids that.
# The grep keeps only lines containing a dot, which also drops the column header.
for sql_result in $(mysql -h localhost -u "${db_user}" --password="${db_password}" \
        -e "select ${db_field} from ${db_table} where 1 ${db_where} order by ${db_field} desc" \
        "${db_name}" | grep -i "\.")
do
        # Prepend, so the final list ends up in ascending order.
        amavis_local_domains_new=".${sql_result} ${amavis_local_domains_new}"
done

amavis_local_domains_conf="$(grep "^@local_domains_maps " "${amavisd_conf}")"

if [ "${amavis_local_domains_conf}" != "@local_domains_maps = ( [qw( .\$mydomain ${amavis_local_domains_new})] );" ]
then
        sed -i "s/^@local_domains_maps.*$/@local_domains_maps = ( [qw( .\$mydomain ${amavis_local_domains_new})] )\;/g" "${amavisd_conf}"
        exec ${amavisd_restart}
fi
```

Do you need any more info?

Regards

steve
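Added example, not code from steve's post, from Postfix or from amavisd-new: a small Python lint for master.cf that catches the wiring mistakes a content-filter setup like the one above usually fails on. It parses the service lines and their indented `-o` continuation lines, then reports a `-o` option without `=` (the daemon for that service refuses to start), a `content_filter` transport from main.cf with no matching unix service, and a loopback `smtpd` re-injection listener that does not override `content_filter` to empty (with a global `content_filter`, mail handed back by amavisd would be filtered again). The master.cf text embedded in it is constructed, modelled on the one posted above, with the first and third defect left in on purpose; the `content_filter` value is the one from the thread's main.cf.

```python
"""Lint a Postfix master.cf for content-filter wiring mistakes.
Added example (not from the post, Postfix or amavisd-new); the sample
master.cf below is constructed."""
from typing import Dict, List

# Constructed sample, modelled on the master.cf posted above. Two defects are
# left in on purpose: "-o header_checks" without "=", and a 127.0.0.1:10025
# re-injection listener that never clears content_filter.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp        inet  n       -       n       -       -       smtpd
pickup      fifo  n       -       n       60      1       pickup
cleanup     unix  n       -       n       -       0       cleanup
  -o header_checks
qmgr        fifo  n       -       n       300     1       qmgr
smtp        unix  -       -       n       -       -       smtp
local       unix  -       n       n       -       -       local
smtp-amavis unix  -       -       n       -       2       lmtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n    -       n       -       -       smtpd
  -o cleanup_service_name=pre-cleanup
  -o local_recipient_maps=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
pre-cleanup unix  n       -       n       -       0       cleanup
  -o virtual_alias_maps=
"""


def parse_master_cf(text: str) -> List[dict]:
    """Split master.cf into services: the 8 fixed columns plus any
    continuation lines (leading whitespace) appended to the command args."""
    services: List[dict] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation of the previous service's args
            if not services:
                raise ValueError(f"line {lineno}: continuation line before any service")
            services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"line {lineno}: expected 8 columns, got {len(fields)}")
        services.append({"name": fields[0], "type": fields[1], "command": fields[7],
                         "args": fields[8:], "line": lineno})
    return services


def extract_options(svc: dict, errors: List[str]) -> Dict[str, str]:
    """Collect '-o name=value' overrides. A '-o' token without '=' is fatal for
    the daemon ("missing '=' after attribute name"), so it is reported."""
    opts: Dict[str, str] = {}
    args = svc["args"]
    i = 0
    while i < len(args):
        if args[i] != "-o":
            i += 1
            continue
        if i + 1 >= len(args):
            errors.append(f"{svc['name']} (line {svc['line']}): dangling '-o'")
            break
        kv = args[i + 1]
        if "=" not in kv:
            errors.append(f"{svc['name']}: '-o {kv}' has no '=' "
                          "(daemon will not start: missing '=' after attribute name)")
        else:
            name, value = kv.split("=", 1)
            opts[name] = value
        i += 2
    return opts


def lint(master_cf: str, content_filter: str) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]} for master_cf, given the
    content_filter value from main.cf ("" if unset)."""
    errors: List[str] = []
    warnings: List[str] = []
    services = parse_master_cf(master_cf)
    seen = set()
    for svc in services:
        key = (svc["name"], svc["type"])
        if key in seen:
            warnings.append(f"{svc['name']}/{svc['type']}: defined more than once (line {svc['line']})")
        seen.add(key)
        svc["opts"] = extract_options(svc, errors)
    transport = content_filter.split(":", 1)[0].strip()
    if transport:
        if not any(s["name"] == transport and s["type"] == "unix" for s in services):
            errors.append(f"content_filter transport '{transport}' has no unix service in master.cf")
        # Every loopback smtpd that the filter hands mail back to must override
        # content_filter to empty, or the message goes through the filter again.
        for svc in services:
            if svc["type"] != "inet" or svc["command"] != "smtpd" \
                    or not svc["name"].startswith("127.0.0.1:"):
                continue
            cf = svc["opts"].get("content_filter")
            if cf is None:
                warnings.append(f"{svc['name']}: no '-o content_filter=' override; mail re-injected "
                                f"here is handed to {transport} again (filter loop)")
            elif cf:
                warnings.append(f"{svc['name']}: content_filter={cf} still set on a re-injection listener")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    report = lint(SAMPLE_MASTER_CF, "smtp-amavis:[127.0.0.1]:10024")
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1].upper()}: {msg}")
```

Run against a real file with `lint(open("/etc/postfix/master.cf").read(), "smtp-amavis:[127.0.0.1]:10024")`, passing whatever `postconf -h content_filter` prints as the second argument. The loop check only fires when a global `content_filter` is set, which is exactly the situation in the thread; a 10026 listener like the one above would be reported the same way as 10025.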

----------

