# postfix-amavis-dspam filtered twice?

## fefeh

First, let me say that my e-mail does work, but it seems like the mail is being filtered twice.  I see most of the mail in my dspam logs, but some of it doesn't go through that way. 

Can you tell by my maillog? All personal data has been changed to protect the guilty.

```
Jun  1 14:49:33 myserver postfix/smtpd[1696]: connect from sender.mail.server[sender.mail.ip]
Jun  1 14:49:33 myserver postfix/smtpd[1696]: setting up TLS connection from sender.mail.server[sender.mail.ip]
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:before/accept initialization
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:error in SSLv2/v3 read client hello A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:error in SSLv2/v3 read client hello B
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 read client hello A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 write server hello A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 write certificate A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 write key exchange A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 write server done A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 flush data
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:error in SSLv3 read client certificate A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:error in SSLv3 read client certificate A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:error in SSLv3 read client certificate A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 read client key exchange A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:error in SSLv3 read certificate verify A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:error in SSLv3 read certificate verify A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:error in SSLv3 read certificate verify A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:error in SSLv3 read certificate verify A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 read finished A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 write change cipher spec A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 write finished A
Jun  1 14:49:33 myserver postfix/smtpd[1696]: SSL_accept:SSLv3 flush data
Jun  1 14:49:33 myserver postfix/smtpd[1696]: TLS connection established from sender.mail.server[sender.mail.ip]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun  1 14:49:33 myserver postfix/smtpd[1696]: 964A16C793: client=sender.mail.server[sender.mail.ip]
Jun  1 14:49:33 myserver postfix/cleanup[1703]: 964A16C793: message-id=<F09B9FFBBA522647B14AABAF3DCF2E3D2EE885@sender_domain_server>
Jun  1 14:49:33 myserver postfix/qmgr[1443]: 964A16C793: from=<sender>, size=1330, nrcpt=1 (queue active)
Jun  1 14:49:33 myserver postfix/smtpd[1696]: disconnect from sender.mail.server[sender.mail.ip]
Jun  1 14:49:33 myserver dspam[1707]: No such feature 'chained'
Jun  1 14:49:36 myserver postfix/smtpd[1712]: initializing the server-side TLS engine
Jun  1 14:49:36 myserver postfix/smtpd[1712]: connect from localhost[127.0.0.1]
Jun  1 14:49:36 myserver postfix/smtpd[1712]: 7EA60F845F: client=sender.mail.server[sender.mail.ip]
Jun  1 14:49:36 myserver postfix/cleanup[1703]: 7EA60F845F: message-id=<F09B9FFBBA522647B14AABAF3DCF2E3D2EE885@sender_domain_server>
Jun  1 14:49:36 myserver postfix/qmgr[1443]: 7EA60F845F: from=<sender>, size=2195, nrcpt=1 (queue active)
Jun  1 14:49:36 myserver postfix/smtpd[1712]: disconnect from localhost[127.0.0.1]
Jun  1 14:49:36 myserver amavis[1623]: (01623-01) Passed CLEAN, [sender.mail.ip] [sender.mail.ip2] <sender> -> <recipient>, Message-ID: <F09B9FFBBA522647B14AABAF3DCF2E3D2EE885@sender_domain_server>, mail_id: 7eU74u-wSaRC, Hits: 0., queued_as: 7EA60F845F, 2891 ms
Jun  1 14:49:36 myserver postfix/smtp[1704]: 964A16C793: to=<recipient>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.2, delays=0.26/0.04/0.02/2.9, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=01623-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7EA60F845F)
Jun  1 14:49:36 myserver postfix/qmgr[1443]: 964A16C793: removed
Jun  1 14:49:37 myserver postfix/local[1713]: 7EA60F845F: to=<recipient>, relay=local, delay=1.1, delays=0.09/0.07/0/0.94, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION")
Jun  1 14:49:37 myserver postfix/qmgr[1443]: 7EA60F845F: removed
```

I can give you the config files too, if you need to see them.

----------

## steveb

What do you mean with filtering twice? Filtering twice with DSPAM and/or with Amavis?

I only see that you first (one time) filter with DSPAM (probably using 3.8.0 because of the error "No such feature 'chained'" and probably you use DSPAM as content filter?) and then (one time) you filter with Amavis (using probably SMTP delivery to localhost on port 10024 and outbound from Amavis is localhost port 10025).

You could use DSPAM from within Amavis but I personally don't like this approach.

What exactly is your goal? What do you want to do?
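Added example, not part of the original post: a short Python script that does the trace described above, following a message's Postfix queue IDs through the `queued as` re-injection and counting how often it was handed to the content filter on port 10024. The first message uses lines from the maillog posted earlier in the thread; the second (queue ID `B00000C0DE`, message-id at `example.invalid`) is constructed to show a delivery that never reached the filter. All function names are this example's own.

```python
import re

# Lines for the first message are copied from the maillog in this thread.
# The B00000C0DE lines are constructed for illustration only.
SAMPLE_LOG = """\
Jun  1 14:49:33 myserver postfix/smtpd[1696]: 964A16C793: client=sender.mail.server[sender.mail.ip]
Jun  1 14:49:33 myserver postfix/cleanup[1703]: 964A16C793: message-id=<F09B9FFBBA522647B14AABAF3DCF2E3D2EE885@sender_domain_server>
Jun  1 14:49:33 myserver postfix/qmgr[1443]: 964A16C793: from=<sender>, size=1330, nrcpt=1 (queue active)
Jun  1 14:49:36 myserver postfix/smtpd[1712]: 7EA60F845F: client=sender.mail.server[sender.mail.ip]
Jun  1 14:49:36 myserver postfix/cleanup[1703]: 7EA60F845F: message-id=<F09B9FFBBA522647B14AABAF3DCF2E3D2EE885@sender_domain_server>
Jun  1 14:49:36 myserver postfix/smtp[1704]: 964A16C793: to=<recipient>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.2, delays=0.26/0.04/0.02/2.9, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=01623-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7EA60F845F)
Jun  1 14:49:36 myserver postfix/qmgr[1443]: 964A16C793: removed
Jun  1 14:49:37 myserver postfix/local[1713]: 7EA60F845F: to=<recipient>, relay=local, delay=1.1, delays=0.09/0.07/0/0.94, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION")
Jun  1 14:50:02 myserver postfix/smtpd[1720]: B00000C0DE: client=localhost[127.0.0.1]
Jun  1 14:50:02 myserver postfix/cleanup[1703]: B00000C0DE: message-id=<constructed-bypass@example.invalid>
Jun  1 14:50:02 myserver postfix/local[1713]: B00000C0DE: to=<recipient>, relay=local, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION")
"""

# A Postfix line that carries a queue ID, e.g. "postfix/smtp[1704]: 964A16C793: ..."
QUEUE_LINE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
MESSAGE_ID = re.compile(r"^message-id=(?P<mid><[^>]*>)")
DELIVERY = re.compile(r"^to=<[^>]*>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")
# The filter's reply names the queue ID the message got when it was re-injected.
REQUEUED = re.compile(r"queued as (?P<next>[0-9A-F]{6,})\)")


def parse_log(text):
    """Return {queue_id: {"message_id": str|None, "deliveries": [(relay, status, next_qid)]}}."""
    queues = {}
    for line in text.splitlines():
        m = QUEUE_LINE.search(line)
        if not m:
            continue  # TLS chatter, connect/disconnect, amavis and dspam lines
        entry = queues.setdefault(m["qid"], {"message_id": None, "deliveries": []})
        rest = m["rest"]
        if (mid := MESSAGE_ID.match(rest)):
            entry["message_id"] = mid["mid"]
        elif (d := DELIVERY.match(rest)):
            nxt = REQUEUED.search(rest)
            entry["deliveries"].append((d["relay"], d["status"], nxt["next"] if nxt else None))
    return queues


def trace_message(queues, message_id):
    """List (queue_id, relay, next_queue_id) hops for one Message-ID, in delivery order."""
    qids = [q for q, e in queues.items() if e["message_id"] == message_id]
    requeued = {nxt for q in qids for _, _, nxt in queues[q]["deliveries"] if nxt}
    pending = [q for q in qids if q not in requeued]  # queue IDs not created by re-injection
    hops, seen = [], set()
    while pending:
        qid = pending.pop(0)
        if qid in seen or qid not in queues:
            continue
        seen.add(qid)
        for relay, _status, nxt in queues[qid]["deliveries"]:
            hops.append((qid, relay, nxt))
            if nxt:
                pending.append(nxt)
    return hops


def filter_passes(hops, port=10024):
    """Count hops that handed the message to the content filter listening on `port`."""
    return sum(1 for _, relay, _ in hops if relay.endswith(f":{port}"))


def report(text, port=10024):
    """Map every Message-ID seen in the log to its number of content-filter passes."""
    queues = parse_log(text)
    mids = {e["message_id"] for e in queues.values() if e["message_id"]}
    return {mid: filter_passes(trace_message(queues, mid), port) for mid in mids}


if __name__ == "__main__":
    for mid, passes in sorted(report(SAMPLE_LOG).items()):
        note = "" if passes == 1 else "  <-- not exactly one filter pass"
        print(f"{mid}: {passes} pass(es) through port 10024{note}")
```

The DSPAM line in the posted log (`No such feature 'chained'`) carries no queue ID, so it cannot be tied to a message this way; only the Postfix hops are traced.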

----------

## fefeh

 *steveb wrote:*   

> What do you mean with filtering twice? Filtering twice with DSPAM and/or with Amavis?
> 
> I only see that you first (one time) filter with DSPAM (probably using 3.8.0 because of the error "No such feature 'chained'" and probably you use DSPAM as content filter?) and then (one time) you filter with Amavis (using probably SMTP delivery to localhost on port 10024 and outbound from Amavis is localhost port 10025).
> 
> You could use DSPAM from within Amavis but I personally don't like this approach.
> ...

 

I thought I was using DSPAM within Amavis, so I guess that's where it is being duplicated.

What config files will help?

```
dspam # ~/confcat dspam.conf
Home /var/spool/dspam
StorageDriver /usr/lib/dspam/libmysql_drv.so
TrustedDeliveryAgent "/usr/bin/procmail"
DeliveryHost        127.0.0.1
DeliveryPort        10025
DeliveryIdent       localhost
DeliveryProto       SMTP
OnFail error
Trust root
Trust dspam
Trust apache
Trust mail
Trust mailnull
Trust smmsp
Trust daemon
Trust amavis
Trust filter
TrainingMode teft
TestConditionalTraining on
Feature whitelist
Algorithm graham burton
Tokenizer chain
PValue bcr
WebStats on
Preference "spamAction=quarantine"
Preference "signatureLocation=message"  # 'message' or 'headers'
Preference "showFactors=on"
AllowOverride trainingMode
AllowOverride spamAction spamSubject
AllowOverride statisticalSedation
AllowOverride enableBNR
AllowOverride enableWhitelist
AllowOverride signatureLocation
AllowOverride showFactors
AllowOverride optIn optOut
AllowOverride whitelistThreshold
MySQLServer     /var/run/mysqld/mysqld.sock
MySQLUser               dspam
MySQLPass               12341234
MySQLDb                 dspam
MySQLCompress           true
MySQLCompress           true
HashRecMax              98317
HashAutoExtend          on
HashMaxExtents          0
HashExtentSize          49157
HashPctIncrease 10
HashMaxSeek             10
HashConnectionCache     10
Notifications   off
PurgeSignature  off # Specified in purge.sql
PurgeNeutral   30
PurgeUnused    off # Specified in purge.sql
PurgeHapaxes   off # Specified in purge.sql
PurgeHits1S    off # Specified in purge.sql
PurgeHits1I    off # Specified in purge.sql
LocalMX 127.0.0.1
SystemLog on
UserLog   on
Opt out
ServerPID              /var/run/dspam/dspam.pid
ServerMode auto
ServerParameters        "--user filter --deliver=innocent -d %u"
ServerDomainSocketPath  "/var/run/dspam/dspam.sock"
ClientHost      "/var/run/dspam/dspam.sock"
ProcessorURLContext on
ProcessorBias on
```

```
etc # ~/confcat amavisd.conf
use strict;
$MYHOME = '/var/amavis';   # (default is '/var/amavis')
$mydomain = 'mydomain';      # (no useful default)
$myhostname = 'myserver.mydomain';  # fqdn of this host, default by uname(3)
$daemon_user  = 'filter';   # (no default;  customary: vscan or amavis)
$daemon_group = 'spam';   # (no default;  customary: vscan or amavis or sweep)
$TEMPBASE = "$MYHOME/tmp";     # prefer to keep home dir /var/amavis clean?
$ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory
$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$max_servers  =  4;   # number of pre-forked children          (default 2)
$max_requests = 20;   # retire a child after that many accepts (default 10)
$child_timeout=5*60;  # abort child if it does not complete its processing in
$smtpd_timeout = 120; # disconnect session if client is idle for too long
@local_domains_maps = ( [".$mydomain"] );  # $mydomain and its subdomains
$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
$inet_socket_port = 10024;        # accept SMTP on this local TCP port
@inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP
$DO_SYSLOG = 1;                   # (defaults to 0)
$syslog_ident = 'amavis';     # Syslog ident string (defaults to 'amavis')
$syslog_facility = 'mail';    # Syslog facility as a string
$syslog_priority = 'debug';   # Syslog base (minimal) priority as a string,
$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)
$log_level = 0;           # (defaults to 0)
$log_recip_templ = undef;  # undef disables by-recipient level-0 log entries
$final_virus_destiny      = D_DISCARD; # (defaults to D_DISCARD)
$final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_DISCARD;  # (defaults to D_BOUNCE)
$final_bad_header_destiny = D_PASS;    # (defaults to D_PASS)
%final_destiny_by_ccat = (
  CC_VIRUS,      D_DISCARD,
  CC_BANNED,     D_BOUNCE,
  CC_UNCHECKED,  D_PASS,
  CC_SPAM,       D_DISCARD,
  CC_BADH,       D_PASS,
  CC_OVERSIZED,  D_BOUNCE,
  CC_CLEAN,      D_PASS,
  CC_CATCHALL,   D_PASS,
);
@viruses_that_fake_sender_maps = (new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan
  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc
  [qr/^/ => 1],   # true by default  (remove or comment-out if undesired)
));
$virus_admin = "virusalert\@$mydomain";
$spam_admin = "spamalert\@$mydomain";
$mailfrom_notify_admin     = "virusalert\@$mydomain";
$mailfrom_notify_recip     = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
$mailfrom_to_quarantine = '';   # override sender address with null return path
$QUARANTINEDIR = "$MYHOME/quarantine";
$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%i-%n.bsmtp";
$spam_quarantine_method  = "bsmtp:$QUARANTINEDIR/spam-%b-%i-%n.bsmtp";
$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine
$banned_quarantine_to     = 'banned-quarantine';     # local quarantine
$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine
$spam_quarantine_to       = 'spam-quarantine';       # local quarantine
$X_HEADER_TAG = 'X-Virus-Scanned';      # (default: 'X-Virus-Scanned')
$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it
$defang_virus  = 1;  # default is false: don't modify mail body
$defang_banned = 1;  # default is false: don't modify mail body
$defang_undecipherable = 1;  # default is false: don't modify mail body
$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
$remove_existing_spam_headers  = 1;     # remove existing spam headers if
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
$banned_filename_re = new_RE(
  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
  qr'^\.(exe-ms)$',                       # banned file(1) types
);
$banned_namepath_re = new_RE(
  qr'(?#NO X-MSDOWNLOAD)   ^(.*\t)? M=application/x-msdownload   (\t.*)? $'xmi,
  qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
  qr'(?#NO HTA)            ^(.*\t)? M=application/hta            (\t.*)? $'xmi,
  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow
  qr'(?# BLOCK DOUBLE-EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.
                  (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,
  qr'(?# BLOCK COMMON NAME EXENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,
  [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
       ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi
    => 'DISCARD' ],
  qr'(?# BLOCK Microsoft EXECUTABLES )
     ^ (.*\t)? T=exe-ms (\t.*)? $'xm,              # banned file(1) type
);
  $banned_namepath_re = undef;  # to disable new-style
%banned_rules = (
  'MYNETS-DEFAULT' => new_RE(   # permissive set of rules for internal hosts
    [ qr'^\.(rpm|cpio|tar)$' => 0 ],  # allow any name/type in Unix archives
    qr'.\.(vbs|pif|scr)$'i,     # banned extension - rudimentary
  ),
  'DEFAULT' => $banned_filename_re,
);
$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting
$localpart_is_case_sensitive = 0;       # (default is false)
@score_sender_maps = ({  # a by-recipient hash lookup table
  '.' => [  # the _first_ matching sender determines the score boost
   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),
   { # a hash-type lookup table (associative array)
     'nobody@cert.org'                        => -3.0,
     'cert-advisory@us-cert.gov'              => -3.0,
     'owner-alert@iss.net'                    => -3.0,
     'slashdot@slashdot.org'                  => -3.0,
     'bugtraq@securityfocus.com'              => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     'security-alerts@linuxsecurity.com'      => -3.0,
     'mailman-announce-admin@python.org'      => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'spamassassin.apache.org'                => -3.0,
     'notification-return@lists.sophos.com'   => -3.0,
     'owner-postfix-users@postfix.org'        => -3.0,
     'owner-postfix-announce@postfix.org'     => -3.0,
     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org'                => -3.0,
     'ca+envelope@sendmail.org'               => -3.0,
     'noreply@freshmeat.net'                  => -3.0,
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
   },
  ],  # end of site-wide tables
});
@blacklist_sender_maps = ( new_RE(
    qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
    qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
    qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
    qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
    qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
    qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
));
$MAXLEVELS = 14;                # (default is undef, no limit)
$MAXFILES = 1500;               # (default is undef, no limit)
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$MIN_EXPANSION_FACTOR =   5;  # times original mail size  (default is 5)
$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (default is 500)
$virus_check_negative_ttl=  3*60; # time to remember that mail was not infected
$virus_check_positive_ttl= 30*60; # time to remember that mail was infected
$spam_check_negative_ttl = 30*60; # time to remember that mail was not spam
$spam_check_positive_ttl = 30*60; # time to remember that mail was spam
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin';
$file   = 'file';   # file(1) utility; use 3.41 or later to avoid vulnerability
$dspam  = 'dspam';
@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_gunzip],
  ['gz',   \&do_uncompress,  'gzip -d'],
  ['bz2',  \&do_uncompress,  'bzip2 -d'],
  ['lzo',  \&do_uncompress,  'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_tar],
  ['deb',  \&do_ar,          'ar'],
  ['zip',  \&do_unzip],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,         'zoo'],
  ['lha',  \&do_lha,         'lha'],
  ['cab',  \&do_cabextract,  'cabextract'],
  ['tnef', \&do_tnef_ext,    'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);
$sa_local_tests_only = 0;   # only tests which do not require internet access?
$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_tag_level_deflt  = -5.0; # add spam info headers if at, or above that level;
$sa_tag2_level_deflt = 5.0;# add 'spam detected' headers at that level to
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
$sa_dsn_cutoff_level = 9;   # spam level beyond which a DSN is not sent,
@av_scanners = (
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
    qr/(?:INFECTED|SUSPICION) (.+)/,
  ],
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
    qr/infected: (.+)/,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon',       'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
  ['CentralCommand Vexira (new) vascan',
    ['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],
  ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus',
    ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/ ],
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/, qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
  ['F-Secure Antivirus', 'fsav',
    '--dumb --mime --archive {}', [0], [3,8],
    qr/(?:infection|Infected|Suspected): (.+)/ ],
  ['CAI InoculateIT', 'inocucmd',  # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/ ],
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/ ],
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/ ],
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/ ],
  ['ESET Software NOD32 Command Line Interface v 2.51', 'nod32cli',
    '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ],
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/ ],
  ['Panda Antivirus for Linux', ['pavcl'],
    '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/,
    qr/Number of files infected[ .]*: 0*[1-9]/,
    qr/Found virus :\s*(\S+)/ ],
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot --mailbox --program --timeout 180 - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan)  |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
        :\ (.+)\ NOT\ a\ virus)/,
  ],
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/ ],
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
  ],
  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ],
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/ ],
  ['BitDefender', 'bdc',
    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
);
@av_scanners_backup = (
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -ai -archive -packed -server {}', [0,8], [3,6],
    qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
  ['drweb - DrWeb Antivirus',
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
  ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
    '-i1 -xp {}', [0,10,15], [5,20,21,25],
    qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
);
1;  # insure a defined return
```

----------

## fefeh

Here's my master.cf file

```
postfix # ~/confcat master.cf
smtp      inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes
dspam     unix  -       -       n       -       10      lmtp
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  flags=hu user=cyrus argv=/usr/lib/cyrus/deliver -e -r ${sender} -m ${extension} ${user}
virt-cyrus     unix  -       n       n       -       -       pipe
  flags=hu user=cyrus argv=/usr/lib/cyrus/deliver -e -r ${sender} -m ${recipient} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
smtp-amavis unix -      -       n       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks
  -o relay_recipient_maps=
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
```

I used several different FAQs to put this together and I just think it may be inefficient if it is processing each mail twice.

----------

## fefeh

Anyone?

----------

## steveb

Please post main.cf from Postfix.

Looking at your configuration I would guess that you send mail from Postfix with a content_filter to DSPAM. Could that be? Do you send it with LMTP or DMTP to /var/run/dspam/dspam.sock?

I guess that DSPAM then delivers to localhost on port 10025 (which is again Postfix). I have not figured out how you send the mail to Amavis (localhost port 10024)?

Or are you maybe using Postfix transport mechanism to send the mail to DSPAM and then as next hop to send it to Amavis. How are you doing it?

When I look at your Amavis configuration, then I see that you correctly are using DSPAM from Amavis ($dspam  = 'dspam';). So it looks like you use DSPAM from within Amavis. But I can not say that 100%.

----------

## fefeh

Here is main.cf

```
postfix # ~/confcat main.cf
soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = myserver.mydomain
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.1.0/24,127.0.0.0/8
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .maildir/
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
header_checks = pcre:/etc/postfix/pcre-header.cf
body_checks = pcre:/etc/postfix/pcre-body.cf
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 2
debug_peer_level = 5
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
        echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
        >$config_directory/$process_name.$process_id.log & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.3.6/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.3.6/readme
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_helo_required = yes
disable_vrfy_command = yes
from_freemail_host = check_client_access hash:/etc/postfix/freemail_hosts,
   reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl2_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_helo_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_restriction_classes = from_freemail_host
from_freemail_host = check_client_access hash:/etc/postfix/freemail_hosts,
   reject
smtpd_client_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_client_access hash:/etc/postfix/access,
   check_client_access hash:/etc/postfix/sender_restrictions,
   permit
smtpd_data_restrictions =
   reject_unauth_pipelining,
   permit
smtpd_sender_restrictions =
   permit_mynetworks,
   check_sender_access hash:/etc/postfix/sender_restrictions,
   reject_unknown_sender_domain,
   reject_non_fqdn_sender,
   permit
smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
   check_helo_access hash:/etc/postfix/helo_checks,
   check_sender_access hash:/etc/postfix/sender_checks,
   check_client_access hash:/etc/postfix/client_checks,
   check_recipient_access hash:/etc/postfix/sender_restrictions,
   check_sender_access hash:/etc/postfix/freemail_access,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client dnsbl.sorbs.net,
   reject_rbl_client combined.njabl.org,
   check_recipient_access pcre:/etc/postfix/dspam_incoming,
   permit
smtpd_error_sleep_time = 60
smtpd_soft_error_limit = 60
smtpd_hard_error_limit = 10
```

I really appreciate you looking at this, I have tried to follow the path that it travels, but just can't seem to do it.  Like I said, I pieced this together from several different FAQ/wikis so I know this is not the most efficient.

Sometimes I get e-mail in /var/amavis/quarantine that has not been sent through DSPAM, and sometimes it will actually be delivered without going through DSPAM.

I would like everything to go through amavisd then dspam then delivery.
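One way to follow the path each message takes through the maillog, as an added example that is not part of the original post: Postfix logs a new queue ID every time a filter re-injects a message, but the `message-id=` logged by `cleanup` stays the same, so the hops can be joined on it. The sample log lines are constructed, and the hop markers (port 10024 for amavisd, "dspam" in the relay name for the DSPAM socket) are assumptions taken from the configuration shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample maillog (not from the thread): message "one" passes
# amavisd and DSPAM, message "two" is delivered after amavisd only.
SAMPLE_LOG = """\
Jun  1 14:50:01 myserver postfix/cleanup[1710]: 1A2B3C4D5E: message-id=<one@sender.example>
Jun  1 14:50:02 myserver postfix/smtp[1712]: 1A2B3C4D5E: to=<u@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, status=sent (250 Ok)
Jun  1 14:50:02 myserver postfix/cleanup[1710]: 2B3C4D5E6F: message-id=<one@sender.example>
Jun  1 14:50:03 myserver postfix/lmtp[1715]: 2B3C4D5E6F: to=<u@example.org>, relay=myserver[/var/run/dspam/dspam.sock], delay=1, status=sent (250 Ok)
Jun  1 14:50:03 myserver postfix/cleanup[1710]: 3C4D5E6F7A: message-id=<one@sender.example>
Jun  1 14:50:04 myserver postfix/local[1720]: 3C4D5E6F7A: to=<u@example.org>, relay=local, delay=0, status=sent (delivered to mailbox)
Jun  1 14:51:10 myserver postfix/cleanup[1710]: 4D5E6F7A8B: message-id=<two@sender.example>
Jun  1 14:51:11 myserver postfix/smtp[1712]: 4D5E6F7A8B: to=<u@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, status=sent (250 Ok)
Jun  1 14:51:11 myserver postfix/cleanup[1710]: 5E6F7A8B9C: message-id=<two@sender.example>
Jun  1 14:51:12 myserver postfix/local[1720]: 5E6F7A8B9C: to=<u@example.org>, relay=local, delay=0, status=sent (delivered to mailbox)
"""

LINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]{6,}): (.*)")
MSGID = re.compile(r"message-id=(<[^>]*>)")
RELAY = re.compile(r"relay=([^,]+),.*status=(\w+)")

def classify(relay):
    """Map a relay= value to a hop name (markers are assumptions, see lead-in)."""
    if relay.endswith(":10024"):
        return "amavis"
    if "dspam" in relay:
        return "dspam"
    return "delivery"

def trace(log_text):
    """Return {message-id: [hop, ...]} in log order, joining queue IDs by Message-ID."""
    qid_to_msgid, hops_by_qid = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/TLS/NOQUEUE lines carry no queue ID
        qid, rest = m.groups()
        mid = MSGID.search(rest)
        if mid:
            qid_to_msgid[qid] = mid.group(1)
        rel = RELAY.search(rest)
        if rel and rel.group(2) == "sent":
            hops_by_qid[qid].append(classify(rel.group(1)))
    paths = defaultdict(list)
    for qid, hops in hops_by_qid.items():
        paths[qid_to_msgid.get(qid, "unknown:" + qid)].extend(hops)
    return dict(paths)

def skipped_dspam(paths):
    """Message-IDs that reached final delivery without a DSPAM hop."""
    return sorted(m for m, h in paths.items() if "delivery" in h and "dspam" not in h)
```

Running `skipped_dspam(trace(open("/var/log/maillog").read()))` on a real log lists the messages that bypassed DSPAM; the log path is an assumption.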

----------

## steveb

 *fefeh wrote:*   

> I would like everything to go through amavisd then dspam then delivery.

 

Allow me to ask. You want mail to:

- hit Postfix
- then pass through Amavisd
- then pass DSPAM
- then be delivered

You don't want Amavisd to take control over DSPAM. Is that right? If so, then you want to start/use DSPAM not from within Amavisd?

 *fefeh wrote:*   

> Sometimes I get e-mail in /var/amavis/quarantine that has not been sent through DSPAM

 

If Amavisd is a processing level just after Postfix gets an email, then it can be normal (depending on the configuration) that a mail gets into the quarantine and does not get processed by DSPAM. Do you want to change that? Do you want every mail (even virus-infected mails) to be processed by DSPAM?

 *fefeh wrote:*   

> and sometimes it will actually be delivered without going through DSPAM.

 

This can happen if the message size is bigger than the value "MaxMessageSize" in dspam.conf. Another possibility is that Amavisd is delivering that message but in such a way that it passes around DSPAM. Another possibility could be that DSPAM was not able to tag the message and that it exited with an error.

----------

## steveb

Please post the content of /etc/postfix/dspam_incoming

----------

## steveb

Is this setup for your private mail server or is this something where a lot of other users are on that system as well?

Does that system have more than one IP where it is listening to SMTP? I mean public and internal?

----------

## steveb

I have done many setups for Postfix, amavisd-new and DSPAM. What I mostly do is:

amavisd-new:

- Use LMTP delivery to amavisd-new
- Listen on localhost on port 10024
- Forward (inject into Postfix) mail on localhost port 10025
- Submit notifications to localhost port 10026

DSPAM:

- Use local domain sockets (/var/run/dspam/dspam.sock)
- Run in Client/Server mode
- Deliver to localhost on port 10026 with SMTP protocol

Mail normally gets first to amavisd-new and then back to Postfix and then to DSPAM and then again back to Postfix and then to the delivery.

Would you like me to post how to do that kind of setup?

----------

## magic919

 *steveb wrote:*   

> Please post the content of /etc/postfix/dspam_incoming

 

I bet this is it, Steve.

```

/./     FILTER dspam:unix:/var/run/dspam/dspam.sock

```

----------

## fefeh

 *steveb wrote:*   

> Is this setup for your private mail server or is this something where a lot of other users are on that system as well?
> 
> Does that system have more than one IP where it is listening to SMTP? I mean public and internal?

 

No, it only has one IP as it is my private mail server.  Only a few friends and family are on it.

----------

## fefeh

 *steveb wrote:*   

> 
> 
> Mail normally gets first to amavisd-new and then back to Postfix and then to DSPAM and then again back to Postfix and then to the delivery.
> 
> Would you like me to post how to do that kind of setup?

 

OK, but why would it need to go to Postfix twice?

It's a miracle I got this to work at all, because I really don't understand it, and I've tried.

----------

## fefeh

 *magic919 wrote:*   

>  *steveb wrote:*   Please post the content of /etc/postfix/dspam_incoming 
> 
> I bet this is it, Steve.
> 
> ```
> ...

 

Yes, thanks!

----------

## fefeh

Any other ideas?

----------

