--- /dev/null
+head 1.4;
+access;
+symbols;
+locks; strict;
+comment @# @;
+
+
+1.4
+date 2010.12.01.23.32.18; author root; state Exp;
+branches;
+next 1.3;
+
+1.3
+date 2010.12.01.15.48.50; author root; state Exp;
+branches;
+next 1.2;
+
+1.2
+date 2010.05.27.13.09.20; author root; state Exp;
+branches;
+next 1.1;
+
+1.1
+date 2010.05.26.13.08.21; author root; state Exp;
+branches;
+next ;
+
+
+desc
+@Initial
+@
+
+
+1.4
+log
+@Checked in.
+@
+text
+@use strict;
+
+# Sample configuration file for amavisd-new (traditional style, chatty,
+# you may prefer to start with the more concise supplied amavisd.conf)
+#
+# See amavisd.conf-default for a list of all variables with their defaults;
+# for more details see documentation in INSTALL, README_FILES/*
+# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
+
+# This software is licensed under the GNU General Public License (GPL).
+# See comments at the start of amavisd-new for the whole license text.
+
+#Sections:
+# Section I - Essential daemon and MTA settings
+# Section II - MTA specific
+# Section III - Logging
+# Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine
+# Section V - Per-recipient and per-sender handling, whitelisting, etc.
+# Section VI - Resource limits
+# Section VII - External programs, virus scanners, SpamAssassin
+# Section VIII - Debugging
+# Section IX - Policy banks (dynamic policy switching)
+
+#GENERAL NOTES:
+# This file is a normal Perl code, interpreted by Perl itself.
+# - make sure this file (or directory where it resides) is NOT WRITABLE
+# by mere mortals (not even vscan/amavis; best to make it owned by root),
+# otherwise it can represent a severe security risk!
+# - for values which are interpreted as booleans, it is recommended
+# to use 1 for true, and 0 or undef or '' for false;
+# Note that this interpretation of boolean values does not apply directly
+# to LDAP and SQL lookups, which follow their own rules - see README.lookups
+# and README.ldap (in short: use Y/N in SQL, and TRUE/FALSE in LDAP);
+# - Perl syntax applies. Most notably: strings in "" may include variables
+# (which start with $ or @@); to include characters $ and @@ and \ in double
+# quoted strings precede them by a backslash; in single-quoted strings
+# the $ and @@ lose their special meaning, so it is usually easier to use
+# single quoted strings (or qw operator) for e-mail addresses.
+# In both types of quoting a backslash should to be doubled.
+# - variables with names starting with a '@@' are lists, the values assigned
+# to them should be lists too, e.g. ('one@@foo', $mydomain, "three");
+# note the comma-separation and parenthesis. If strings in the list
+# do not contain spaces nor variables, a Perl operator qw() may be used
+# as a shorthand to split its argument on whitespace and produce a list
+# of strings, e.g. qw( one@@foo example.com three ); Note that the argument
+# to qw is quoted implicitly and no variable interpretation is done within
+# (no '$' variable evaluations). The #-initiated comments can NOT be used
+# within a string. In other words, $ and # lose their special meaning
+# within a qw argument, just like within '...' strings.
+# - all e-mail addresses in this file and as used internally by the daemon
+# are in their raw (rfc2821-unquoted and non-bracketed) form, i.e.
+# Bob "Funny" Dude@@example.com, not: "Bob \"Funny\" Dude"@@example.com
+# and not <"Bob \"Funny\" Dude"@@example.com>; also: '' and not '<>'.
+# - the term 'default value' in examples below refers to the value of a
+# variable pre-assigned to it by the program; any explicit assignment
+# to a variable in this configuration file overrides the default value;
+
+
+#
+# Section I - Essential daemon and MTA settings
+#
+
+# $MYHOME serves as a quick default for some other configuration settings.
+# More refined control is available with each individual setting further down.
+# $MYHOME is not used directly by the program. No trailing slash!
+$MYHOME = '/var/amavis'; # (default is '/var/amavis'), -H
+
+# $mydomain serves as a quick default for some other configuration settings.
+# More refined control is available with each individual setting further down.
+# $mydomain is never used directly by the program.
+$mydomain = 'brehm-online.com'; # (no useful default)
+
+# $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3)
+$myhostname = 'helga.brehm-online.com';
+
+# Set the user and group to which the daemon will change if started as root
+# (otherwise just keeps the UID unchanged, and these settings have no effect):
+$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u
+$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g
+
+# Runtime working directory (cwd), and a place where
+# temporary directories for unpacking mail are created.
+# (no trailing slash, may be a scratch file system)
+#$TEMPBASE = $MYHOME; # (must be set if other config vars use is), -T
+$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?
+
+#$db_home = "$MYHOME/db"; # DB databases directory, default "$MYHOME/db", -D
+
+# $helpers_home sets environment variable HOME, and is passed as option
+# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory
+# on a normal persistent file system, not a scratch or temporary file system
+#$helpers_home = $MYHOME; # (defaults to $MYHOME), -S
+
+# Run the daemon in the specified chroot jail if nonempty:
+#$daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot), -R
+
+#$pid_file = "$MYHOME/amavisd.pid"; # (default is "$MYHOME/amavisd.pid"), -P
+#$lock_file = "$MYHOME/amavisd.lock"; # (default is "$MYHOME/amavisd.lock"), -L
+
+# set environment variables if you want (no defaults):
+$ENV{TMPDIR} = $TEMPBASE; # used for SA temporary files, by some decoders, etc.
+
+$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
+$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
+
+$enable_dkim_verification = 0; # enable DKIM signatures verification
+$enable_dkim_signing = 0; # load DKIM signing code, keys defined by dkim_key
+
+# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,
+# both $forward_method and $notify_method default to 'smtp:[127.0.0.1]:10025'
+
+# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
+# (set host and port number as required; host can be specified
+# as an IP address or a DNS name (A or CNAME, but MX is ignored)
+#$forward_method = 'smtp:[127.0.0.1]:10025'; # where to forward checked mail
+#$notify_method = $forward_method; # where to submit notifications
+
+#$os_fingerprint_method = 'p0f:127.0.0.1:2345'; # query p0f-analyzer.pl
+
+# To make it possible for several hosts to share one content checking daemon,
+# the IP address and/or the port number in $forward_method and $notify_method
+# may be spacified as an asterisk. An asterisk in the colon-separated
+# second field (host) will be replaced by the SMTP client peer address,
+# An asterisk in the third field (tcp port) will be replaced by the incoming
+# SMTP/LMTP session port number plus one. This obsoletes the previously used
+# less flexible configuration parameter $relayhost_is_client. An example:
+# $forward_method = 'smtp:*:*'; $notify_method = 'smtp:*:10587';
+
+
+# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
+# uncomment the appropriate settings below if using other setups!
+
+# SENDMAIL MILTER, using amavis-milter.c helper program:
+#$forward_method = undef; # no explicit forwarding, sendmail does it by itself
+# milter; option -odd is needed to avoid deadlocks
+#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';
+# just a thought: can we use use -Am instead of -odd ?
+
+# SENDMAIL (old non-milter setup, as relay, deprecated):
+#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}';
+#$notify_method = $forward_method;
+
+# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent, deprecated):
+#$forward_method = undef; # no explicit forwarding, amavis.c will call LDA
+#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}';
+
+# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
+#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';
+#$notify_method = $forward_method;
+
+# COURIER using courierfilter
+#$forward_method = undef; # no explicit forwarding, Courier does it itself
+#$notify_method = 'pipe:flags=q argv=perl -e $pid=fork();if($pid==-1){exit(75)}elsif($pid==0){exec(@@ARGV)}else{exit(0)} /usr/sbin/sendmail -f ${sender} -- ${recipient}';
+# Only set $courierfilter_shutdown to 1 if you are using courierfilter to
+# control the startup and shutdown of amavis
+#$courierfilter_shutdown = 1; # (default 0)
+
+# prefer to collect mail for forwarding as BSMTP files?
+#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp";
+#$notify_method = $forward_method;
+
+@@auth_mech_avail = qw(PLAIN LOGIN);
+$auth_required_inp = 0;
+$auth_required_out = 0;
+
+# Net::Server pre-forking settings
+# The $max_servers should match the width of your MTA pipe
+# feeding amavisd, e.g. with Postfix the 'Max procs' field in the
+# master.cf file, like the '2' in the: smtp-amavis unix - - n - 2 smtp
+#
+$max_servers = 2; # num of pre-forked children (2..30 is common), -m
+$max_requests = 20; # retire a child after that many accepts (default 20)
+
+$child_timeout=5*60; # abort child if it does not complete its processing in
+ # approximately n seconds (default: 8*60 seconds)
+
+$smtpd_timeout = 120; # disconnect session if client is idle for too long
+ # (default: 8*60 seconds); should be higher than a
+ # Postfix setting max_idle (default 100s)
+
+# Here is a QUICK WAY to completely DISABLE some sections of code
+# that WE DO NOT WANT (it won't even be compiled-in).
+# For more refined controls leave the following two lines commented out,
+# and see further down what these two lookup lists really mean.
+#
+# @@bypass_virus_checks_maps = (1); # controls running of anti-virus code
+# @@bypass_spam_checks_maps = (1); # controls running of anti-spam code
+# $bypass_decode_parts = 1; # controls running of decoders&dearchivers
+#
+# Any setting can be changed with a new assignment, so make sure
+# you do not unintentionally override these settings further down!
+
+# Check also the settings of @@av_scanners at the end if you want to use
+# virus scanners. If not, you may want to delete the whole long assignment
+# to the variable @@av_scanners and @@av_scanners_backup, which will also
+# remove the virus checking code (e.g. if you only want to do spam scanning).
+
+
+# Lookup list of local domains (see README.lookups for syntax details)
+#
+# @@local_domains_maps is a list of lookup tables which are used in deciding
+# whether a recipient is local or not, or in other words, if the message is
+# outgoing or not. This affects inserting spam-related and OS fingerprinting
+# header fields for local recipients, editing Subject header field and allowing
+# mail body defanging, limiting recipient notifications to local recipients,
+# in deciding if address extension may be appended, in matching mail addresses
+# to non-fqdn SQL record keys, for proper operation of pen pals feature,
+# for selecting statistics counters (distinguishing outgoing from internal-
+# to internal mail), and possibly more in future versions.
+# Set it up correctly if you need features that rely on this setting.
+#
+# With Postfix (2.0) a quick hint on what local domains normally are:
+# a union of domains specified in: mydestination, virtual_alias_domains,
+# virtual_mailbox_domains, and relay_domains.
+
+@@local_domains_maps = ( [".$mydomain"] ); # $mydomain and its subdomains
+# @@local_domains_maps = (); # default is empty list, no recip. considered local
+# @@local_domains_maps = # using ACL lookup table
+# ( [ ".$mydomain", 'sub.example.net', '.example.com' ] );
+# @@local_domains_maps = # similar, split list elements on whitespace
+# ( [qw( .example.com !host.sub.example.net .sub.example.net )] );
+# @@local_domains_maps = ( new_RE( qr'[@@.]example\.com$'i ) ); # using regexp
+# @@local_domains_maps = ( read_hash("$MYHOME/local_domains") ); # using hash
+# perhaps combined with Postfix: mydestination = /var/amavis/local_domains
+# for debugging purposes: dump_hash($local_domains_maps[0]);
+#
+# Section II - MTA specific (defaults should be ok)
+#
+
+#$insert_received_line = 1; # behave like MTA: insert 'Received:' header
+ # (does not apply to sendmail/milter)
+ # (default is true)
+
+# AMAVIS-CLIENT AND COURIER PROTOCOL INPUT SETTINGS (e.g. amavisd-release, or
+# sendmail milter through helper clients like amavis-milter.c and amavis.c)
+# option(s) -p overrides $inet_socket_port and $unix_socketname
+$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
+#$unix_socketname = undef; # disable listening on a unix socket
+ # (default is undef, i.e. disabled)
+#$unix_socketname = "/var/lib/courier/allfilters/amavisd"; # Courier socket
+ # (usual setting is $MYHOME/amavisd.sock)
+
+# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
+# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
+$inet_socket_port = 10024; # accept SMTP on this local TCP port
+ # (default is undef, i.e. disabled)
+# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];
+
+# SMTP SERVER (INPUT) access control
+# - do not allow free access to the amavisd SMTP port !!!
+#
+# when MTA is at the same host, use the following (one or the other or both):
+#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
+ # (default is '127.0.0.1')
+@@inet_acl = qw(127.0.0.1 [::1]); # allow SMTP access only from localhost IP
+ # (default is qw(127.0.0.1 [::1]) )
+
+# when MTA (one or more) is on a different host, use the following:
+#@@inet_acl = qw(127.0.0.0/8 [::1] 10.1.0.1 10.1.0.2); # adjust list as needed
+#$inet_socket_bind = undef; # bind to all IP interfaces if undef
+
+#
+# Example1:
+# @@inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
+# permit only SMTP access from loopback and rfc1918 private address space
+#
+# Example2:
+# @@inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
+# 127.0.0.1 10/8 172.16/12 192.168/16 );
+# matches loopback and rfc1918 private address space except host 192.168.1.12
+# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
+#
+# Example3:
+# @@inet_acl = qw( 127/8
+# !172.16.3.0 !172.16.3.127 172.16.3.0/25
+# !172.16.3.128 !172.16.3.255 172.16.3.128/25 );
+# matches loopback and both halves of the 172.16.3/24 C-class,
+# split into two subnets, except all four broadcast addresses
+# for these subnets
+
+
+# @@mynetworks is an IP access list which determines if the original SMTP client
+# IP address belongs to our internal networks, i.e. mail is coming from inside.
+# It is much like the Postfix parameter 'mynetworks' in semantics and similar
+# in syntax, and its value should normally match the Postfix counterpart.
+# It only affects the value of a macro %l (=sender-is-local),
+# and the loading of policy 'MYNETS' if present (see below).
+# Note that '-o smtp_send_xforward_command=yes' (or its lmtp counterpart)
+# must be enabled in the Postfix service that feeds amavisd, otherwise
+# client IP address is not available to amavisd-new.
+#
+# @@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
+# 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); # default
+#
+# A list of networks can also be read from a file, either as an IP acl in
+# CIDR notation, one address per line (comments and empty lines are allowed):
+# @@mynetworks_maps = (read_array('/etc/amavisd-mynetworks'), \@@mynetworks);
+#
+# or less flexibly (but provides faster lookups for large lists) by reading
+# into a hash lookup table, which only allows for full addresses or classful
+# IPv4 subnets with truncated octets, such as 127, 10, 192.168, 10.11.12.13,
+# one address per line (comments and empty lines are allowed):
+# @@mynetworks_maps = (read_hash('/etc/amavisd-mynetworks'), \@@mynetworks);
+
+# See README.lookups for details on specifying access control lists.
+
+
+#
+# Section III - Logging
+#
+
+# true (e.g. 1) => syslog; false (e.g. 0) => logging to file
+$DO_SYSLOG = 1; # (defaults to 0)
+
+$syslog_ident = 'amavis'; # Syslog ident string (defaults to 'amavis')
+$syslog_facility = 'mail'; # Syslog facility as a string
+ # e.g.: mail, daemon, user, local0, ... local7, ...
+$syslog_priority = 'info'; # Syslog base (minimal) priority as a string,
+ # choose from: emerg, alert, crit, err, warning, notice, info, debug
+
+# Log file (if not using syslog)
+$LOGFILE = "$MYHOME/amavis.log"; # (defaults to empty, no log)
+
+#NOTE: levels are not strictly observed and are somewhat arbitrary
+# 0: startup/exit/failure messages, viruses detected
+# 1: args passed from client, some more interesting messages
+# 2: virus scanner output, timing
+# 3: server, client
+# 4: decompose parts
+# 5: more debug details
+$log_level = 3; # (defaults to 0), -d
+
+# Customizable template for the most interesting log file entry (e.g. with
+# $log_level=0) (take care to properly quote Perl special characters like '\')
+# For a list of available macros see README.customize .
+
+# $log_templ = undef; # undef disables by-message level-0 log entries
+$log_recip_templ = undef; # undef disables by-recipient level-0 log entries
+
+
+# log both infected and noninfected messages (as deflt, with size,subj,tests):
+# (remove the leading '#' and a space in the following lines to activate)
+
+# $log_templ = <<'EOD';
+# [?%#D|#|Passed #
+# [? [:ccat|major] |OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\
+# UNCHECKED|BANNED (%F)|INFECTED (%V)]#
+# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%D|,]#
+# [? %q ||, quarantine: %q]#
+# [? %Q ||, Queue-ID: %Q]#
+# [? %m ||, Message-ID: %m]#
+# [? %r ||, Resent-Message-ID: %r]#
+# , mail_id: %i#
+# , Hits: [:SCORE]#
+# , size: %z#
+# [~[:remote_mta_smtp_response]|["^$"]||[", queued_as: "]]\
+# [remote_mta_smtp_response|[~%x|["queued as ([0-9A-Z]+)$"]|["%1"]|["%0"]]|/]#
+# [? [:header_field|Subject] ||, Subject: [:dquote|[:header_field|Subject]]]#
+# [? [:header_field|From] ||, From: [:uquote|[:header_field|From]]]#
+# [? [:useragent|name] ||, [:useragent|name]: [:uquote|[:useragent|body]]]#
+# [? %#T ||, Tests: \[[%T|,]\]]#
+# [:supplementary_info|SCTYPE|, shortcircuit=%%s]#
+# [:supplementary_info|AUTOLEARN|, autolearn=%%s]#
+# , %y ms#
+# ]
+# [?%#O|#|Blocked #
+# [? [:ccat|major|blocking] |#
+# OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\
+# UNCHECKED|BANNED (%F)|INFECTED (%V)]#
+# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%O|,]#
+# [? %q ||, quarantine: %q]#
+# [? %Q ||, Queue-ID: %Q]#
+# [? %m ||, Message-ID: %m]#
+# [? %r ||, Resent-Message-ID: %r]#
+# , mail_id: %i#
+# , Hits: [:SCORE]#
+# , size: %z#
+# #, smtp_resp: [:smtp_response]#
+# [? [:header_field|Subject] ||, Subject: [:dquote|[:header_field|Subject]]]#
+# [? [:header_field|From] ||, From: [:uquote|[:header_field|From]]]#
+# [? [:useragent|name] ||, [:useragent|name]: [:uquote|[:useragent|body]]]#
+# [? %#T ||, Tests: \[[%T|,]\]]#
+# [:supplementary_info|SCTYPE|, shortcircuit=%%s]#
+# [:supplementary_info|AUTOLEARN|, autolearn=%%s]#
+# , %y ms#
+# ]
+# EOD
+
+#
+# Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine
+#
+
+# Select notifications text encoding when Unicode-aware Perl is converting
+# text from internal character representation to external encoding (charset
+# in MIME terminology). Used as argument to Perl Encode::encode subroutine.
+#
+# to be used in RFC 2047-encoded header field bodies, e.g. in Subject:
+#$hdr_encoding = 'iso-8859-1'; # MIME charset (default: 'iso-8859-1')
+#$hdr_encoding_qb = 'Q'; # MIME encoding: quoted-printable (default)
+#$hdr_encoding_qb = 'B'; # MIME encoding: base64
+#
+# to be used in notification body text: its encoding and Content-type.charset
+#$bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
+
+# Default template texts for notifications may be overruled by directly
+# assigning new text to template variables, or by reading template text
+# from files. A second argument may be specified in a call to read_text(),
+# specifying character encoding layer to be used when reading from the
+# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding.
+# Text will be converted to internal character representation by Perl 5.8.0
+# or later; second argument is ignored otherwise. See PerlIO::encoding,
+# Encode::PerlIO and perluniintro man pages.
+#
+# $notify_sender_templ = read_text("$MYHOME/notify_sender.txt");
+# $notify_virus_sender_templ= read_text("$MYHOME/notify_virus_sender.txt");
+# $notify_virus_admin_templ = read_text("$MYHOME/notify_virus_admin.txt");
+# $notify_virus_recips_templ= read_text("$MYHOME/notify_virus_recips.txt");
+# $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt");
+# $notify_spam_admin_templ = read_text("$MYHOME/notify_spam_admin.txt");
+
+# If notification template files are collectively available in some directory,
+# one may call read_l10n_templates which invokes read_text for each known
+# template. This is primarily a Debian-specific feature, but was incorporated
+# into base code to facilitate porting.
+#
+# read_l10n_templates('/etc/amavis/en_US');
+#
+# If read_l10n_templates is called, a localization template directory must
+# contain the following files:
+# charset this file should contain a one-line name
+# of the character set used in the template
+# files (e.g. utf8, iso-8859-2, ...) and is
+# passed as the second argument to read_text;
+# template-dsn.txt content fills the $notify_sender_templ
+# template-virus-sender.txt content fills the $notify_virus_sender_templ
+# template-virus-admin.txt content fills the $notify_virus_admin_templ
+# template-virus-recipient.txt content fills the $notify_virus_recips_templ
+# template-spam-sender.txt content fills the $notify_spam_sender_templ
+# template-spam-admin.txt content fills the $notify_spam_admin_templ
+
+# Here is an overall picture (sequence of events) of how pieces fit together
+#
+# bypass_virus_checks set for all recipients? ==> PASS
+# no viruses? ==> PASS
+# log virus if $log_templ is nonempty
+# quarantine if $virus_quarantine_to is nonempty
+# notify admin if $virus_admin (lookup) nonempty
+# notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
+# add address extensions for local recipients (when enabled)
+# send (non-)delivery notifications
+# to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS))
+# virus_lovers or final_destiny==D_PASS ==> PASS
+# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
+#
+# Equivalent flow diagram applies for spam checks.
+# If a virus is detected, spam checking is skipped entirely.
+
+# The following symbolic constants can be used in *_destiny settings:
+#
+# D_PASS mail will pass to recipients, regardless of bad contents;
+#
+# D_DISCARD mail will not be delivered to its recipients, sender will NOT be
+# notified. Effectively we lose mail (but will be quarantined
+# unless disabled). Losing mail is not decent for a mailer,
+# but might be desired.
+#
+# D_BOUNCE mail will not be delivered to its recipients, a non-delivery
+# notification (bounce) will be sent to the sender by amavisd-new;
+# Exception: bounce (DSN) will not be sent if a virus name matches
+# @@viruses_that_fake_sender_maps, or to messages from mailing lists
+# (Precedence: bulk|list|junk), or for spam level that exceeds
+# the $sa_dsn_cutoff_level.
+#
+# D_REJECT mail will not be delivered to its recipients, sender should
+# preferably get a reject, e.g. SMTP permanent reject response
+# (e.g. with milter), or non-delivery notification from MTA
+# (e.g. Postfix). If this is not possible (e.g. different recipients
+# have different tolerances to bad mail contents and not using LMTP)
+# amavisd-new sends a bounce by itself (same as D_BOUNCE).
+# Not to be used with Postfix or dual-MTA setups!
+#
+# Notes:
+# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
+# for informing the sender about non-delivery, and how informative
+# the notification can be (amavisd-new knows more than MTA);
+# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
+# notification, colloquially called 'bounce') - depending on MTA;
+# Best suited for sendmail milter and Courier, especially for spam.
+# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
+# reason for mail non-delivery or even suppress DSN, but unable
+# to reject the original SMTP session). Best suited to reporting
+# viruses, and for Postfix and other dual-MTA setups, which can't
+# reject original client SMTP session, as the mail has already
+# been enqueued.
+
+# Alternatives to consider for spam:
+# - use D_PASS if clients will do filtering based on inserted
+# mail headers or added address extensions ('plus-addressing');
+# - use D_DISCARD, if kill_level is set comfortably high;
+#
+# D_BOUNCE is preferred for viruses, but consider:
+# - use D_PASS (or virus_lovers) to deliver viruses;
+# - use D_REJECT instead of D_BOUNCE if using Courier or milter and under heavy
+# virus storm;
+
+
+# The use of new *_by_ccat hashes is illustrated by the following examples
+# on configuring final_*_destiny.
+
+
+# using traditional settings of $final_*_destiny variables, relying on a
+# default setting of an associative array %final_destiny_by_ccat which is
+# backwards compatible and contains references to these traditional variables:
+#
+$final_virus_destiny = D_REJECT; # (defaults to D_DISCARD)
+$final_banned_destiny = D_REJECT; # (defaults to D_BOUNCE)
+$final_spam_destiny = D_REJECT; # (defaults to D_BOUNCE)
+$final_bad_header_destiny = D_PASS; # (defaults to D_PASS)
+
+########
+#
+# Please think about what you are doing when you set these options.
+# If necessary, question your origanization's e-mail policies:
+#
+# D_BOUNCE contributes to the overall spread of virii and spam on the
+# internet. Both the envelope and header from addresses can be forged
+# accurately with no effort, causing the bounces to go to innocent parties,
+# whose addresses have been forged.
+#
+# D_DISCARD breaks internet mail specifications. However, with a
+# properly implemented Quaratine system, the concern for breaking the
+# specification is addressed to some extent.
+#
+# D_PASS is the safest way to handle e-mails. You must implement
+# client-side filtering to handle this method.
+#
+# -Cory Visi <merlin@@gentoo.org> 07/28/04
+#
+#######
+
+# to explicitly list all (or most) possible contents category (ccat) keys:
+%final_destiny_by_ccat = (
+ CC_VIRUS, D_DISCARD,
+ CC_BANNED, D_BOUNCE,
+ CC_UNCHECKED, D_PASS,
+ CC_SPAM, D_DISCARD,
+ CC_BADH, D_PASS,
+ CC_OVERSIZED, D_BOUNCE,
+ CC_CLEAN, D_PASS,
+ CC_CATCHALL, D_PASS,
+);
+
+# to rely on a catchall ccat key and only list exceptions (alternative 1):
+#%final_destiny_by_ccat = (
+# CC_VIRUS, D_DISCARD,
+# CC_BANNED, D_BOUNCE,
+# CC_SPAM, D_BOUNCE,
+# CC_BADH.',4', D_BOUNCE, # BadHdrSpace
+# CC_BADH.',3', D_BOUNCE, # BadHdrChar
+# CC_OVERSIZED, D_BOUNCE,
+# CC_CATCHALL, D_PASS,
+#);
+
+# to rely on a catchall ccat key and list exceptions (alternative 2):
+#%final_destiny_by_ccat = (
+# CC_VIRUS, D_DISCARD,
+# CC_UNCHECKED, D_PASS,
+# CC_BADH.',6', D_PASS, # BadHdrSyntax
+# CC_BADH.',5', D_PASS, # BadHdrLong
+# CC_BADH.',2', D_PASS, # BadHdr8bit
+# CC_BADH.',1', D_PASS, # BadHdrMime
+# CC_CLEAN, D_PASS,
+# CC_CATCHALL, D_BOUNCE,
+#);
+
+# to rely on a catchall ccat key and list exceptions (alternative 3):
+#%final_destiny_by_ccat = (
+# CC_VIRUS, D_DISCARD,
+# CC_UNCHECKED, D_PASS,
+# CC_BADH.',4', D_BOUNCE, # BadHdrSpace
+# CC_BADH.',3', D_BOUNCE, # BadHdrChar
+# CC_BADH, D_PASS, # sub-catchall for CC_BADH
+# CC_CLEAN, D_PASS,
+# CC_CATCHALL, D_BOUNCE,
+#);
+
+# to rely on a default %final_destiny_by_ccat and only change few settings:
+#$final_destiny_by_ccat{+CC_SPAM} = D_PASS;
+#$final_destiny_by_ccat{+CC_BADH} = D_BOUNCE;
+#$final_destiny_by_ccat{+CC_BADH.',2'} = D_PASS; # BadHdr8bit
+
+
+
+# For monitoring / testing purposes let the administrator receive a copy
+# of certain delivery status notifications that are mailed back to senders:
+#
+#%dsn_bcc_by_ccat = (
+# CC_BANNED, undef,
+# CC_SPAM, undef,
+# CC_BADH, undef,
+# CC_CATCHALL, 'admin+test@@example.com',
+#);
+#
+# or use a simpler form, taking advantage of defaults in %dsn_bcc_by_ccat:
+#$dsn_bcc = 'admin+test@@example.com';
+
+
+# The following $warn*sender settings are ONLY used when mail is
+# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*).
+# Bounces or rejects produce non-delivery status notification regardless.
+#
+# Notify sender of syntactically invalid header containing non-ASCII chars?
+#$warnbadhsender = 1; # (defaults to false (undef))
+
+# Notify virus (or banned files or bad headers) RECIPIENT?
+# (not very useful, but some policies demand it)
+#$warnvirusrecip = 1; # (defaults to false (undef))
+#$warnbannedrecip = 1; # (defaults to false (undef))
+#$warnbadhrecip = 1; # (defaults to false (undef))
+
+# Notify also non-local virus/banned recipients if $warn*recip is true?
+# (including those not matching local_domains*)
+#$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals)
+
+
+# Treat envelope sender address as unreliable and don't send sender
+# notification / bounces if name(s) of detected virus(es) match the list.
+# Note that virus names are supplied by external virus scanner(s) and are
+# not standardized, so virus names may need to be adjusted.
+# See README.lookups for syntax, check also README.policy-on-notifications.
+# If the intention is to treat all viruses as faking the sender address, it
+# is equivalent but more efficient to just set $final_virus_destiny=D_DISCARD;
+#
+@@viruses_that_fake_sender_maps = (new_RE(
+ qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
+ qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
+ qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
+ qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
+ qr'@@mm|@@MM', # mass mailing viruses as labeled by f-prot and uvscan
+ qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
+# [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
+# [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
+ [qr/^/ => 1], # true by default (remove or comment-out if undesired)
+));
+
+# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)
+# - the administrator envelope address may be a simple fixed e-mail address
+# (a scalar), or may depend on the RECIPIENT address (e.g. its domain).
+#
+# Empty or undef lookup disables virus admin notifications.
+
+# The full set of configurable administrator addresses is:
+# @@virus_admin_maps ... notifications to admin about viruses
+# @@newvirus_admin_maps ... newly encountered viruses since amavisd startup
+# @@spam_admin_maps ... notifications to admin about spam
+# @@banned_admin_maps ... notifications to admin about banned contents
+# @@bad_header_admin_maps ... notifications to admin about bad headers
+
+$virus_admin = "virusalert\@@$mydomain";
+# $virus_admin = 'virus-admin@@example.com';
+# $virus_admin = undef; # do not send virus admin notifications (default)
+#
+#@@virus_admin_maps = ( # by-recipient maps
+# {'not.example.com' => '',
+# '.' => 'virusalert@@example.com'},
+# $virus_admin, # the usual default
+#);
+
+# equivalent to $virus_admin, but for spam admin notifications:
+# $spam_admin = "spamalert\@@$mydomain";
+# $spam_admin = undef; # do not send spam admin notifications (default)
+#@@spam_admin_maps = ( # by-recipient maps
+# {'not.example.com' => '',
+# '.' => 'spamalert@@example.com'},
+# $spam_admin, # the usual default
+#);
+
+# receive a copy of all delivery status notifications sent;
+# useful for testing or monitoring
+#$dsn_bcc = "mailadmin\@@$mydomain";
+
+#advanced example, using a hash lookup table and a scalar default,
+#lookup key is a recipient envelope address:
+#@@virus_admin_maps = ( # by-recipient maps
+# { 'baduser@@sub1.example.com' => 'HisBoss@@sub1.example.com',
+# '.sub1.example.com' => 'virusalert@@sub1.example.com',
+# '.sub2.example.com' => '', # don't send admin notifications
+# 'a.sub3.example.com' => 'abuse@@sub3.example.com',
+# '.sub3.example.com' => 'virusalert@@sub3.example.com',
+# '.example.com' => 'noc@@example.com', # default for our virus senders
+# },
+# 'virusalert@@hq.example.com', # catchall for the rest
+#);
+
+# sender envelope address, from which notification reports are sent from;
+# may be a null reverse path, or a fully qualified address:
+# (admin and recip sender addresses default to a null return path).
+# If using strings in double quotes, don't forget to quote @@, i.e. \@@
+#
+$mailfrom_notify_admin = "virusalert\@@$mydomain";
+$mailfrom_notify_recip = "virusalert\@@$mydomain";
+$mailfrom_notify_spamadmin = "spam.police\@@$mydomain";
+
+# 'From' HEADER FIELD for sender and admin notifications.
+# This should be a replyable address, see rfc1894. Not to be confused
+# with $mailfrom_notify_sender, which is the envelope return address
+# and can be empty (null reverse path) according to rfc2821.
+#
+# The syntax of the 'From' header field is specified in rfc2822, section
+# '3.4. Address Specification'. Note in particular that display-name must be
+# a quoted-string if it contains any special characters like spaces and dots.
+#
+# $hdrfrom_notify_sender = "amavisd-new <postmaster\@@$mydomain>";
+# $hdrfrom_notify_sender = 'amavisd-new <postmaster@@example.com>';
+# $hdrfrom_notify_sender = '"Content-Filter Master" <postmaster@@example.com>';
+# $hdrfrom_notify_admin = $mailfrom_notify_admin;
+# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;
+# (default: "\"Content-filter at $myhostname\" <postmaster\@@$myhostname>")
+
+# whom quarantined messages appear to be sent from (envelope sender);
+# keeps original sender if undef, or set it explicitly, default is undef
+$mailfrom_to_quarantine = ''; # override sender address with null return path
+
+
+# Location to put infected mail into: (applies to 'local:' quarantine method)
+# empty for not quarantining, may be a file (Unix-style mailbox),
+# or a directory (no trailing slash)
+# (the default value is undef, meaning no quarantine)
+#
+$QUARANTINEDIR = "$MYHOME/quarantine";
+
+#$quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine
+
+#$clean_quarantine_method = 'local:clean-%m'; # disabled by default
+#$virus_quarantine_method = 'local:virus-%m'; # default
+#$spam_quarantine_method = 'local:spam-%m.gz'; # default
+#$banned_files_quarantine_method = 'local:banned-%m'; # default
+#$bad_header_quarantine_method = 'local:badh-%m'; # default
+
+# Separate quarantine subdirectories virus, spam, banned and badh within
+# the directory $QUARANTINEDIR may be specified by the following settings
+# (the subdirectories need to exist - must be created manually):
+#$clean_quarantine_method = 'local:clean/%m';
+#$virus_quarantine_method = 'local:virus/%m';
+#$spam_quarantine_method = 'local:spam/%m.gz';
+#$banned_files_quarantine_method = 'local:banned/%m';
+#$bad_header_quarantine_method = 'local:badh/%m';
+#
+#use the 'bsmtp:' method as an alternative to the default 'local:'
+#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%m.bsmtp";
+#$spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%m.bsmtp";
+#
+#using the 'pipe:' method might be useful for some special purpose:
+#$mailfrom_to_quarantine = undef; # pass on the original sender address
+#$spam_quarantine_method = 'pipe:argv=/usr/bin/myscript.sh spam-%b ${sender}';
+#
+#using the 'sql:' method to store quarantined message to a SQL database:
+#$virus_quarantine_method = $spam_quarantine_method =
+# $banned_files_quarantine_method = $bad_header_quarantine_method = 'sql:';
+
+# Send copy of every mail to an archival mail address:
+#$archive_quarantine_method = $notify_method;
+#@@archive_quarantine_to_maps = ( 'collector@@example.com' );
+
+
+# When using the 'local:' quarantine method (default), the following applies:
+#
+# A finer control of quarantining is available through
+# variables $virus_quarantine_method/$spam_quarantine_method/
+# $banned_files_quarantine_method/$bad_header_quarantine_method.
+#
+# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a
+# per-recipient lookup result from lookup tables @@virus_quarantine_to_maps)
+# is/are interpreted as follows:
+#
+# VARIANT 1:
+# empty or undef disables quarantine;
+#
+# VARIANT 2:
+# a string NOT containing an '@@';
+# amavisd will behave as a local delivery agent (LDA) and will quarantine
+# viruses to local files according to hash %local_delivery_aliases (pseudo
+# aliases map) - see subroutine mail_to_local_mailbox() for details.
+# Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'.
+# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:
+#
+# * if $QUARANTINEDIR is a directory, each quarantined virus will go
+# to a separate file in the $QUARANTINEDIR directory (traditional
+# amavis style, similar to maildir mailbox format);
+#
+# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style
+# mailbox. All quarantined messages will be appended to this file.
+# Amavisd child process must obtain an exclusive lock on the file during
+# delivery, so this may be less efficient than using individual files
+# or forwarding to MTA, and it may not work across NFS or other non-local
+# file systems (but may be handy for pickup of quarantined files via IMAP
+# for example);
+#
+# VARIANT 3:
+# any email address (must contain '@@').
+# The e-mail messages to be quarantined will be handed to MTA
+# for delivery to the specified address. If a recipient address local to MTA
+# is desired, you may leave the domain part empty, e.g. 'infected@@', but the
+# '@@' character must nevertheless be included to distinguish it from variant 2.
+#
+# This variant enables more refined delivery control made available by MTA
+# (e.g. its aliases file, other local delivery agents, dealing with
+# privileges and file locking when delivering to user's mailbox, nonlocal
+# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined
+# will not be handed back to amavisd for checking, as this will cause a loop
+# (hopefully broken at some stage)! If this can be assured, notifications
+# will benefit too from not being unnecessarily virus-scanned.
+#
+# By default this is safe to do with Postfix and Exim v4 and dual-sendmail
+# setup, but probably not safe with sendmail milter interface without tricks.
+
+# (default values are: virus-quarantine, banned-quarantine, spam-quarantine)
+
+$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
+#$virus_quarantine_to = 'infected@@'; # forward to MTA for delivery
+#$virus_quarantine_to = "virus-quarantine\@@$mydomain"; # similar
+#$virus_quarantine_to = 'virus-quarantine@@example.com'; # similar
+#$virus_quarantine_to = undef; # no quarantine
+#
+# lookup key is envelope recipient address:
+#@@virus_quarantine_to_maps = ( # per-recip multiple quarantines
+# new_RE( [qr'^user@@example\.com$'i => 'infected@@'],
+# [qr'^(.*)@@example\.com$'i => 'virus-${1}@@example.com'],
+# [qr'^(.*)(@@[^@@])?$'i => 'virus-${1}${2}'] ),
+# $virus_quarantine_to, # the usual default
+#);
+
+# similar for banned names and bad headers and spam (set to undef to disable)
+$banned_quarantine_to = 'banned-quarantine'; # local quarantine
+$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine
+$spam_quarantine_to = 'spam-quarantine'; # local quarantine
+
+# or to a mailbox:
+#$spam_quarantine_to = "spam-quarantine\@@$mydomain";
+#
+#@@spam_quarantine_to_maps = ( # per-recip quarantines
+# new_RE( [qr'^(.*)@@example\.com$'i => 'spam-${1}@@example.com'] ),
+# $spam_quarantine_to, # the usual default
+#);
+
+
+# In addition to per-recip quarantine, a by-sender lookup is possible.
+# It is similar to $spam_quarantine_to, but the lookup key is the
+# envelope sender address:
+#$spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine
+
+
+# Spam level beyond which quarantining is disabled (global value):
+#$sa_quarantine_cutoff_level = 20; # dflt: undef, which disables this feature
+
+#@@spam_quarantine_cutoff_level_maps = ( # per-recip. quarantine cutoff levels
+# { 'user1@@example.com' => 20.5,
+# 'postmaster@@example.com' => 9999,
+# '.example.com' => 25 },
+# \$sa_quarantine_cutoff_level, # catchall default
+#);
+
+
+# Add X-Virus-Scanned header field to mail?
+$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: 'X-Virus-Scanned')
+
+# Set to empty to add no header field # (dflt "$myproduct_name at $mydomain")
+# $X_HEADER_LINE = "$myproduct_name at $mydomain";
+# $X_HEADER_LINE = "by $myproduct_name using ClamAV at $mydomain";
+# $X_HEADER_LINE = "$myproduct_name $myversion_id ($myversion_date) at $mydomain";
+
+# a string to prepend to Subject (for local recipients only) if mail could
+# not be decoded or checked entirely, e.g. due to password-protected archives
+$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it
+
+# MIME defanging wraps the entire original mail in a MIME container of type
+# 'Content-type: multipart/mixed', where the first part is a text/plain with
+# a short explanation, and the second part is a complete original mail,
+# enclosed in a 'Content-type: message/rfc822' MIME part.
+# Defanging is only done when enabled (selectively by malware type),
+# and mail is considered malware (virus/spam/...), and the malware is allowed
+# to pass (*_lovers or *_destiny=D_PASS)
+#
+$defang_virus = 1; # default is false: don't modify mail body
+$defang_banned = 1; # default is false: don't modify mail body
+# $defang_bad_header = 1; # default is false: don't modify mail body
+# $defang_undecipherable = 1; # default is false: don't modify mail body
+# $defang_spam = 1; # default is false: don't modify mail body
+
+# NOTE: setting the following variables to true may break mail signatures
+# (DKIM and DomainKeys) when verification is done after content filtering:
+# $remove_existing_x_scanned_headers, $remove_existing_x_scanned_headers,
+# and $allow_fixing_improper_header_folding (and defanging, described
+# elsewhere). This is rarely an issue, as mail signing should be done
+# after content filtering, and mail verification should preferably be done
+# before filtering or by SpamAssassin called from within amavisd, which
+# sees still-unmodified mail.
+#
+$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
+ # (defaults to false)
+#$remove_existing_x_scanned_headers= 1; # remove existing X-Virus-Scanned
+#$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone
+$remove_existing_spam_headers = 1; # remove existing spam headers if
+ # spam scanning is enabled (default)
+#$allow_fixing_improper_header_folding = 1; # (default is true)
+
+# set $bypass_decode_parts to true if you only do spam scanning, or if you
+# have a good virus scanner that can deal with compression and recursively
+# unpacking archives by itself, and save amavisd the trouble.
+# Disabling decoding also causes banned_files checking NOT to see MIME types
+# and content classification types as provided by the file(1) utility.
+# It is a double-edged sword, make sure you know what you are doing!
+#
+#$bypass_decode_parts = 1; # (defaults to false)
+
+# don't trust this file type or corresponding unpacker for this file type,
+# keep both the original and the unpacked file for a virus checker to see
+# (lookup key is what file(1) utility returned):
+#
+@@keep_decoded_original_maps = (new_RE(
+# qr'^MAIL$', # retain full original message for virus checking (can be slow)
+ qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
+ qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+# qr'^Zip archive data', # don't trust Archive::Zip
+));
+
+
+# Checking for banned MIME types and names. If any mail part matches,
+# the whole mail is rejected. Object $banned_filename_re provides a list
+# of Perl regular expressions to be matched against each part's:
+#
+# * Content-Type value (both declared and effective mime-type),
+# such as the possible security-risk content types
+# 'message/partial' and 'message/external-body', as specified in rfc2046
+# or 'application/x-msdownload' and 'application/x-msdos-program';
+#
+# * declared (recommended) file names as specified by MIME subfields
+# Content-Disposition.filename and Content-Type.name, both in their
+# raw (encoded) form and in rfc2047-decoded form if applicable
+# as well as (recommended) file names specified in archives;
+#
+# * file content type as guessed by 'file(1)' utility, mapped
+# (by @@map_full_type_to_short_type_maps) into short type names such as
+# .asc, .txt, .html, .doc, .jpg, .pdf, .zip, .exe-ms, ..., which always
+# starts with a dot. These short types are available unless
+# $bypass_decode_parts is true.
+#
+# All nodes (mail parts) of the fully recursively decoded mail and embedded
+# archives are checked, each node independently from remaining nodes.
+#
+# For each node all its ancestor nodes including itself are checked against
+# $banned_filename_re lookup list, top-down. The search for a node stops
+# at the first match, the right-hand side of the matching key determines
+# the result (true or false, absent right-hand side implies true, as explained
+# in README.lookups).
+#
+# Although repeatedly re-checking ancestor nodes may seem excessive, it gives
+# the opportunity to specify rules which make a particular node hide its
+# descendents, e.g. allow any name or file type within a .zip, even though
+# .exe files may otherwise not be allowed.
+#
+# Leave $banned_filename_re undefined to disable these checks
+# (giving an empty list to new_RE() will also always return false)
+
+# for $banned_namepath_re (a new-style of banned table) see amavisd.conf-sample
+
+$banned_filename_re = new_RE(
+
+### BLOCKED ANYWHERE
+# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
+ qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
+# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
+
+### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
+# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
+ [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
+
+ qr'.\.(pif|scr)$'i, # banned extensions - rudimentary
+# qr'^\.zip$', # block zip type
+
+### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
+# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives
+
+ qr'^application/x-msdownload$'i, # block these MIME types
+ qr'^application/x-msdos-program$'i,
+ qr'^application/hta$'i,
+
+# qr'^message/partial$'i, # rfc2046 MIME type
+# qr'^message/external-body$'i, # rfc2046 MIME type
+
+# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type
+# qr'^\.wmf$', # Windows Metafile file(1) type
+
+ # block certain double extensions in filenames
+ qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
+
+# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
+# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose
+
+ qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic
+# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
+# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
+# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
+# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
+# wmf|wsc|wsf|wsh)$'ix, # banned ext - long
+# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename
+# qr'^\.ani$', # banned animated cursor file(1) type
+
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
+);
+# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
+# and http://www.cknow.com/vtutor/vtextensions.htm
+
+# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe',
+# as well as any file name which happens to end with .exe. If only matching
+# a file name is desired, but not the short type, a pattern qr'.\.exe$'i
+# or similar may be used, which requires that at least one character precedes
+# the '.exe', and so it will never match short file types which always start
+# with a dot.
+
+
+# the syntax of these Perl regular expressions is a bit awkward if not
+# familiar with them, so please do follow examples and stick to the idioms:
+# \A ... at the beginning of the first component
+# \z ... at the end of the the last (leaf) component
+# ^ ... at the beginning of each component in the path
+# $ ... at the end of each component in the path
+# (.*\t)? ... at the beginning of a field
+# (\t.*)? ... at the end of a field
+# \t(.*\t)* ... separating fields
+# [^\t\n] ... any single character, but don't escape from this field
+# (.*\n)+ ... one or more levels down
+# (?#...) ... a comment within a regexp
+
+# new-style of banned lookup table
+$banned_namepath_re = new_RE(
+
+### BLOCKED ANYWHERE
+
+ qr'(?# BLOCK Microsoft EXECUTABLES and DLL )
+ ^ (.*\t)? T=(exe-ms|dll) (\t.*)? $'xm, # banned file(1) types, rudimentary
+
+# qr'(?# BLOCK ANY EXECUTABLE )
+# ^ (.*\t)? T=exe (\t.*)? $'xm, # banned file(1) type
+
+# qr'(?# BLOCK THESE TYPES )
+# ^ (.*\t)? T=(exe|lha|tnef|cab|dll) (\t.*)? $'xm, # banned file(1) types
+
+
+### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
+
+# # within traditional gzip and bzip2 allow any name and type
+# [ qr'(?#rule-3) ^ (.*\t)? T=(gz|bz2) (\t.*)? $'xmi => 0 ], # allow
+
+ # within traditional Unix archives allow any name and type
+ [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ], # allow
+
+ # banned filename extensions (in declared names) anywhere - rudimentary
+ qr'(?# BLOCK COMMON NAME EXENSIONS )
+ ^ (.*\t)? N= [^\t\n]* \. (pif|scr) (\t.*)? $'xmi,
+
+# # block anything within a zip
+# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi,
+
+
+### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES OR CRYPTED:
+
+# # within PC archives allow any types or names at any depth
+# [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ], # ok
+
+# # within certain archives allow leaf members at any depth if crypted
+# [ qr'(?# ALLOW ENCRYPTED )
+# ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],
+
+# # allow crypted leaf members regardless of their name or type
+# [ qr'(?# ALLOW IF ENCRYPTED ) ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],
+
+ # block these MIME types
+ qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi,
+ qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
+ qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi,
+
+# # block rfc2046 MIME types
+# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/partial (\t.*)? $'xmi,
+# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/external-body (\t.*)? $'xmi,
+
+# qr'(?#No Metafile MIME) ^(.*\t)? M=application/x-msmetafile (\t.*)? $'xmi,
+# qr'(?#No Metafile MIME) ^(.*\t)? M=image/x-wmf (\t.*)? $'xmi,
+# qr'(?#No Metafile file) ^(.*\t)? T=wmf (\t.*)? $'xm,
+# qr'(?#No animated cursors) ^(.*\t)? T=ani (\t.*)? $'xm,
+
+ # block certain double extensions in filenames
+ qr'(?# BLOCK DOUBLE-EXTENSIONS )
+ ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \. \ *
+ (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) [. ]* (\t.*)? $'xmi,
+
+ [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
+ ^ (.*\t)? M=application/(octet-stream|x-msdownload|x-msdos-program)
+ \t(.*\t)* T=empty (\t.*)? $'xmi
+ => 'DISCARD' ],
+
+# [ qr'(?# BLOCK EMPTY MIME PARTS )
+# ^ (.*\t)? M= [^\t\n]+ \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ],
+
+# # block Class ID (CLSID) extensions in filenames, strict
+# qr'(?# BLOCK CLSID-EXTENSIONS )
+# ^ (.*\t)? N= [^\t\n]* \{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?
+# [^\t\n]* (\t.*)? $'xmi,
+
+# # banned suggested names with three or more consecutive spaces
+# qr'(?# BLOCK NAMES WITH SPACES )
+# ^ (.*\t)? N= [^\t\n]* [ ]{3,} 'xmi,
+
+# # block if any component can not be decoded (is encrypted or bad archive)
+# qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi,
+
+# [ qr'(?# SPECIAL ALLOWANCES - MAGIC NAMES)
+# \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2)
+# \t(.*\t)* N=example\d+[^\t\n]*
+# (\t.*)? $'xmi => 0 ],
+
+ # banned filename extensions (in suggested names) anywhere - basic
+ qr'(?# BLOCK COMMON NAME EXENSIONS )
+ ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|cpl) (\t.*)? $'xmi,
+
+# # banned filename extensions (in suggested names) anywhere - basic+cmd
+# qr'(?# BLOCK COMMON NAME EXENSIONS )
+# ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|cpl|bat|cmd|com) (\t.*)? $'xmi,
+
+# # banned filename extensions (in suggested names) anywhere - long
+# qr'(?# BLOCK MORE NAME EXTENSIONS )
+# ^ (.*\t)? N= [^\t\n]* \. (
+# ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
+# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
+# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
+# wmf|wsc|wsf|wsh) (\t.*)? $'xmi,
+
+# qr'(?# BLOCK CURSOR AND ICON NAME EXENSIONS )
+# ^ (.*\t)? N= [^\t\n]* \. (ani|cur|ico) (\t.*)? $'xmi,
+
+# # banned filename extensions anywhere - WinZip vulnerability (pre-V9)
+# qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS )
+# ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi,
+
+);
+
+# use old or new style of banned lookup table; not both to avoid confusion
+#
+# @@banned_filename_maps = (); # to disable old-style
+ $banned_namepath_re = undef; # to disable new-style
+
+
+%banned_rules = (
+ 'MYNETS-DEFAULT' => new_RE( # permissive set of rules for internal hosts
+ [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any name/type in Unix archives
+ qr'.\.(vbs|pif|scr)$'i, # banned extension - rudimentary
+ ),
+ 'DEFAULT' => $banned_filename_re,
+);
+
+
+#
+# Section V - Per-recipient and per-sender handling, whitelisting, etc.
+#
+
+# @@virus_lovers_maps list of lookup tables:
+# (this should be considered a policy option, is does not disable checks,
+# see bypass*checks for that!)
+#
+# Exclude certain RECIPIENTS from virus filtering by adding their (lower-cased)
+# envelope e-mail address (or domain only) to one of the lookup tables in
+# the @@virus_lovers_maps list - see README.lookups and examples.
+# Make sure the appropriate form (e.g. external/internal) of address
+# is used in case of virtual domains, or when mapping external to internal
+# addresses, etc. - this is MTA-specific.
+#
+# Notifications would still be generated however (see the overall
+# picture above), and infected mail (if passed) gets additional header:
+# X-AMaViS-Alert: INFECTED, message contains virus: ...
+# (header not inserted with Courier or milter interface!)
+#
+# Setting $final_*_destiny=D_PASS is functionally equivalent to having
+# all recipients match the @@*_lovers_maps.
+#
+# NOTE (milter interface only): in case of multiple recipients,
+# it is only possible to drop or accept the message in its entirety - for all
+# recipients. If all of them are virus lovers, we'll accept mail, but if
+# at least one recipient is not a virus lover, we'll discard the message.
+
+
+# @@bypass_virus_checks_maps list of lookup tables:
+# (this is mainly a time-saving option, unlike virus_lovers* !)
+#
+# Similar in concept to @@virus_lovers_maps, a @@bypass_virus_checks_maps
+# is used to skip entirely the decoding, unpacking and virus checking,
+# but only if ALL recipients match the lookup.
+#
+# @@bypass_virus_checks_maps does NOT GUARANTEE the message will NOT be checked
+# for viruses - this may still happen when there is more than one recipient
+# for a message and not all of them match these lookup tables, or when
+# check result was cached (i.e. the same contents was recently sent to other
+# recipients). To guarantee virus delivery, a recipient must also match
+# @@virus_lovers_maps lookups (but see milter limitations above),
+#
+# The following table summarizes the possible combinations:
+# bypass lover
+# 0 0 useful, check for malware and block it
+# 0 1 useful, check but deliver nevertheless, possibly tagged
+# 1 0 not too useful, free riding on cached or other-people's checks
+# 1 1 useful, no checks if possible, and no effects
+
+# NOTE: it would not be clever to base enabling of virus checks on SENDER
+# address, since there are no guarantees that it is genuine. Many viruses
+# and spam messages fake sender address. To achieve selective filtering
+# based on the source of the mail (e.g. IP address, MTA port number, ...),
+# use mechanisms provided by MTA if available, possibly combined with policy
+# banks feature.
+
+# Similar to lists of lookup tables controlling virus checking, there are
+# counterparts for spam scanning, banned names/types, and headers_checks
+# control:
+# @@spam_lovers_maps,
+# @@banned_files_lovers_maps,
+# @@bad_header_lovers_maps
+# and:
+# @@bypass_spam_checks_maps,
+# @@bypass_banned_checks_maps,
+# @@bypass_header_checks_maps
+
+# Example:
+# @@bypass_header_checks_maps = ( [qw( user@@example.com )] );
+# @@bad_header_lovers_maps = ( [qw( user@@example.com )] );
+
+# The following example disables spam checking altogether,
+# since it matches any recipient e-mail address.
+# @@bypass_spam_checks_maps = (1);
+
+
+# See README.lookups for further detail, and examples below.
+
+# In the following example a list of lookup tables @@virus_lovers_maps
+# contains three elements, the first is a reference to an ACL lookup table
+# (brackets in Perl indicate a ref to a list), the second is a reference
+# to a hash lookup table (curly braces in Perl indicate a ref to a hash),
+# the third is a regexp lookup table, indicated by the type of object
+# created by new_RE() :
+#
+#@@virus_lovers_maps = (
+# [ qw( me@@lab.xxx.com !lab.xxx.com .xxx.com yyy.org ) ],
+# { "postmaster\@@$mydomain" => 1, # double quotes permit variable evaluation
+# 'postmaster@@example.com'=> 1, # in single quotes the '@@' need not be quoted
+# 'abuse@@example.com'=> 1,
+# 'some.user@@' => 1, # this recipient, regardless of domain
+# 'boss@@example.com' => 0, # never, even if domain matches
+# 'example.com' => 1, # this domain, but not its subdomains
+# '.example.com' => 1, # this domain, including its subdomains
+# },
+# new_RE( qr'^(helpdesk|postmaster)@@example\.com$'i ),
+#);
+
+#@@spam_lovers_maps = (
+# ["postmaster\@@$mydomain", 'postmaster@@example.com', 'abuse@@example.com'],
+#);
+
+#@@bad_header_lovers_maps = (
+# ["postmaster\@@", "abuse\@@$mydomain"],
+#);
+
+
+# as an alternative to fiddling with @@_lovers_maps and similar _maps, here
+# is an illustration of using a more general *_by_ccat associative array,
+# introduced with 2.4.0, like %lovers_maps_by_ccat in this example:
+#
+#$lovers_maps_by_ccat{+CC_SPAM} = [
+# read_hash("$MYHOME/etc/spam_lovers.txt"),
+# [qw(postmaster@@example.com abuse@@example.com)],
+#];
+#
+#$lovers_maps_by_ccat{+CC_BANNED} = [
+# { map {lc $_ => 1} # construct a hash lookup table from a list
+# qw(user1@@example.com user2.example.com)
+# },
+#];
+
+
+# to save some typing of quotes and commas, a Perl operator qw can be used
+# to split its argument on whitespace and to quote resulting elements:
+#@@bypass_spam_checks_maps = (
+# [ qw( some.ddd !butnot.example.com .example.com ) ],
+#);
+
+
+# don't run spam check for these RECIPIENT domains:
+# @@bypass_spam_checks_maps = ( [qw( d1.com .d2.com a.d3.com )] );
+# or the other way around (bypass check for all BUT these):
+# @@bypass_spam_checks_maps = ( [qw( !d1.com !.d2.com !a.d3.com . )] );
+# a practical application: don't check outgoing mail for spam:
+# @@bypass_spam_checks_maps = ( [ "!.$mydomain", "." ] );
+# or calculated (negated) from the %local_domains:
+# @@bypass_spam_checks_maps =
+# ( {map {$_ => !$local_domains{$_}} keys %local_domains}, 1);
+# (a downside of which is that such mail will not count as ham in SA bayes db)
+#
+# Note that 'outgoing' is not the same as 'originating from inside'. We refer
+# to 'outgoing' here as 'mail addressed to recipients outside our domain(s)'.
+# The internal-to-internal mail is not outgoing, but is still originating from
+# inside. To base rules on 'originating from inside', the use of a policy bank
+# with 'originating => 1' is needed (such as MYNETS), in conjunction with
+# XFORWARD Postfix extension to SMTP.
+
+# Where to find SQL server(s) and database to support SQL lookups?
+# A list of triples: (dsn,user,passw). (dsn = data source name)
+# More than one entry may be specified for multiple (backup) SQL servers.
+# See 'man DBI', 'man DBD::mysql', 'man DBD::Pg', ... for details.
+# When chroot-ed, accessing SQL server over inet socket may be more convenient.
+#
+# @@lookup_sql_dsn =
+# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
+# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
+# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
+# @@storage_sql_dsn = @@lookup_sql_dsn; # none, same, or separate database
+#
+# ('mail' in the example is the database name, choose what you like)
+# With PostgreSQL the dsn (first element of the triple) may look like:
+# 'DBI:Pg:dbname=mail;host=host1'
+
+# The SQL select clause to fetch per-recipient policy settings.
+# The %k will be replaced by a comma-separated list of query addresses
+# (e.g. full address, domain only (stripped level by level), and a catchall).
+# Use ORDER if there is a chance that multiple records will match - the first
+# match wins. If field names are not unique (e.g. 'id'), the later field
+# overwrites the earlier in a hash returned by lookup, which is why we use
+# '*,users.id' instead of just '*'. No need to uncomment the following
+# assignment if the default is ok.
+# $sql_select_policy = 'SELECT *,users.id FROM users,policy'.
+# ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'.
+# ' ORDER BY users.priority DESC';
+#
+# The SQL select clause to check sender in per-recipient whitelist/blacklist
+# The first SELECT argument '?' will be users.id from recipient SQL lookup,
+# the %k will be sender addresses (e.g. full address, domain only, catchall).
+# The default value is:
+# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'.
+# ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'.
+# ' AND (mailaddr.email IN (%k))'.
+# ' ORDER BY mailaddr.priority DESC';
+#
+# To disable SQL white/black list, set to undef (otherwise comment-out
+# the following statement, leaving it at the default value):
+$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
+
+# Controls the format of timestamps in the field msgs.time_iso:
+# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
+# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
+
+# Does a database mail address field with no '@@' character represent a
+# local username or a domain name? By default it implies a username in
+# SQL and LDAP lookups (but represents a domain in hash and acl lookups),
+# so domain names in SQL and LDAP should be specified as '@@domain'.
+# Setting these to true will cause 'xxx' to be interpreted as a domain
+# name, just like in hash or acl lookups.
+#
+# $sql_lookups_no_at_means_domain = 0; # default is 0
+# $ldap_lookups_no_at_means_domain = 0; # default is 0
+
+# Here is an example of a SELECT clause that fabricates an artificial 'users'
+# table from actual table 'postfix_domains' containing a field 'domain_name'.
+# The effect is that domains listed in the 'postfix_domains' table will be
+# treated as local by amavisd, and be given settings from a policy id 99
+# if such a policy id exists, or just fall back to static lookups.
+# The user.id (with a value 1) is there only to provide a user id (same id
+# for all listed domains) when global SQL-based white/blacklisting is used.
+#
+# $sql_lookups_no_at_means_domain = 1;
+# $sql_select_policy =
+# 'SELECT *, user.id'.
+# ' FROM (SELECT 1 as id, 99 as policy_id, "Y" AS local'.
+# ' FROM postfix_domains WHERE domain_name IN (%k)) AS user'.
+# ' LEFT JOIN policy ON policy_id=policy.id';
+
+# If passing malware to certain recipients ($final_*_destiny=D_PASS or
+# *_lovers), the recipient-based lookup tables @@addr_extension_*_maps may
+# return a string, which (if nonempty) will be added as an address extension
+# to the local-part of the recipient's address. This extension may be used
+# by the final local delivery agent (LDA) to place such mail into different
+# subfolders (the extension is usually interpreted as a folder name).
+# This is sometimes known as the 'plus addressing'. Appending address
+# extensions is prevented when:
+# - recipient does not match lookup tables @@local_domains_maps;
+# - lookup into corresponding @@addr_extension_*_maps results
+# in an empty string or undef;
+# - $recipient_delimiter is empty (see below)
+# LDAs usually default to stripping away address extension if no special
+# handling is specified or if a named subfolder or alias does not exist,
+# so adding address extensions normally does no harm.
+
+# @@addr_extension_virus_maps = ('virus'); # defaults to empty
+# @@addr_extension_spam_maps = ('spam'); # defaults to empty
+# @@addr_extension_banned_maps = ('banned'); # defaults to empty
+# @@addr_extension_bad_header_maps = ('badh'); # defaults to empty
+#
+# A more complex example:
+# @@addr_extension_virus_maps = (
+# {'sub.example.com'=>'infected', '.example.com'=>'filtered'}, 'virus' );
+
+# Delimiter between local part of the envelope recipient address and address
+# extension (which can optionally be added, see @@addr_extension_*_maps. E.g.
+# recipient address <user@@example.com> is changed to <user+virus@@example.com>.
+#
+# Delimiter must match the equivalent (final) MTA delimiter setting.
+# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf)
+# Setting it to an empty string or to undef disables adding extensions
+# regardless of $addr_extension_*_maps.
+
+# $recipient_delimiter = '+'; # (default is undef, i.e. disabled)
+
+# true: replace extension; false: append extension
+# $replace_existing_extension = 1; # (default is true)
+
+# Affects matching of localpart of e-mail addresses (left of '@@')
+# in lookups: true = case sensitive, false = case insensitive
+$localpart_is_case_sensitive = 0; # (default is false)
+
+
+# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
+
+# Instead of hard black- or whitelisting, a softer approach is to add
+# score points (penalties) to the SA score for mail from certain senders.
+# Positive points lean towards blacklisting, negative towards whitelisting.
+# This is much like adding SA rules or using its white/blacklisting, except
+# that here only envelope sender addresses are considered (not addresses
+# in a mail header), and that score points can be assigned per-recipient
+# (or globally), and the assigned penalties are customarily much lower
+# than the default SA white/blacklisting score.
+#
+# The table structure is similar to $per_recip_blacklist_sender_lookup_tables
+# i.e. the first level key is recipient, pointing to by-sender lookup tables.
+# The essential difference is that scores from _all_ matching by-recipient
+# lookups (not just the first that matches) are summed to give the final
+# score boost. That means that both the site and domain administrators,
+# as well as the recipient can have a say on the final score.
+#
+# NOTE: keep hash keys in lowercase, either manually or by using function lc
+
+@@score_sender_maps = ({ # a by-recipient hash lookup table
+
+# # per-recipient personal tables (NOTE: positive: black, negative: white)
+# 'user1@@example.com' => [{'bla-mobile.press@@example.com' => 10.0}],
+# 'user3@@example.com' => [{'.ebay.com' => -3.0}],
+# 'user4@@example.com' => [{'cleargreen@@cleargreen.com' => -7.0,
+# '.cleargreen.com' => -5.0}],
+
+ # site-wide opinions about senders (the '.' matches any recipient)
+ '.' => [ # the _first_ matching sender determines the score boost
+
+ new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
+ [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@@'i => 5.0],
+ [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@@'i=> 5.0],
+ [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@@'i=> 5.0],
+ [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@@'i => 5.0],
+ [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@@'i => 5.0],
+ [qr'^(your_friend|greatoffers)@@'i => 5.0],
+ [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@@'i => 5.0],
+ [ qr'@@strato(?:-rz)\.de$'i => -5.0 ],
+ [ qr'^Doris\.Hennig@@BA-MH\.Verwalt-Berlin\.de$'i => -5.0 ],
+ [ qr'^doris@@hennig-berlin\.org$'i => -5.0 ],
+ ),
+
+# read_hash("/var/amavis/sender_scores_sitewide"),
+
+ { # a hash-type lookup table (associative array)
+ 'nobody@@cert.org' => -3.0,
+ 'cert-advisory@@us-cert.gov' => -3.0,
+ 'owner-alert@@iss.net' => -3.0,
+ 'slashdot@@slashdot.org' => -3.0,
+ 'securityfocus.com' => -3.0,
+ 'ntbugtraq@@listserv.ntbugtraq.com' => -3.0,
+ 'security-alerts@@linuxsecurity.com' => -3.0,
+ 'mailman-announce-admin@@python.org' => -3.0,
+ 'amavis-user-admin@@lists.sourceforge.net'=> -3.0,
+ 'amavis-user-bounces@@lists.sourceforge.net' => -3.0,
+ 'spamassassin.apache.org' => -3.0,
+ 'notification-return@@lists.sophos.com' => -3.0,
+ 'owner-postfix-users@@postfix.org' => -3.0,
+ 'owner-postfix-announce@@postfix.org' => -3.0,
+ 'owner-sendmail-announce@@lists.sendmail.org' => -3.0,
+ 'sendmail-announce-request@@lists.sendmail.org' => -3.0,
+ 'donotreply@@sendmail.org' => -3.0,
+ 'ca+envelope@@sendmail.org' => -3.0,
+ 'noreply@@freshmeat.net' => -3.0,
+ 'owner-technews@@postel.acm.org' => -3.0,
+ 'ietf-123-owner@@loki.ietf.org' => -3.0,
+ 'cvs-commits-list-admin@@gnome.org' => -3.0,
+ 'rt-users-admin@@lists.fsck.com' => -3.0,
+ 'clp-request@@comp.nus.edu.sg' => -3.0,
+ 'surveys-errors@@lists.nua.ie' => -3.0,
+ 'emailnews@@genomeweb.com' => -5.0,
+ 'yahoo-dev-null@@yahoo-inc.com' => -3.0,
+ 'returns.groups.yahoo.com' => -3.0,
+ 'clusternews@@linuxnetworx.com' => -3.0,
+ lc('lvs-users-admin@@LinuxVirtualServer.org') => -3.0,
+ lc('owner-textbreakingnews@@CNNIMAIL12.CNN.COM') => -5.0,
+ 'niels@@google.com' => -3.0,
+ 'kameu@@gmx.de' => -3.0,
+
+ # soft-blacklisting (positive score)
+ 'sender@@example.net' => 3.0,
+ '.example.net' => 1.0,
+
+ },
+ ], # end of site-wide tables
+});
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT)
+# (affects spam checking only, has no effect on virus and other checks)
+
+# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
+# senders even if the message would be recognized as spam. Effectively, for
+# the specified senders, message recipients temporarily become 'spam_lovers'.
+# To avoid surprises, whitelisted sender also suppresses inserting/editing
+# the tag2-level header fields (X-Spam-*, Subject), appending spam address
+# extension, and quarantining.
+#
+# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM.
+# Effectively, for messages from blacklisted envelope sender addresses, spam
+# level is artificially pushed high, and the normal spam processing applies,
+# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual
+# reactions to spam, including possible rejection. If the message nevertheless
+# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED
+# in the 'X-Spam-Status' header field, but the reported spam value and
+# set of tests in this report header field (if available from SpamAssassin,
+# which may or may not have been called) is not adjusted.
+#
+# A sender may be both white- and blacklisted at the same time, settings
+# are independent. For example, being both white- and blacklisted, message
+# is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No;
+# X-Spam-Status: No, ...), but the reported spam level (if computed) may
+# still indicate high spam score.
+#
+# If ALL recipients of the message either white- or blacklist the sender,
+# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
+#
+# The following variables (lists of lookup tables) are available,
+# with the semantics and syntax as specified in README.lookups:
+# @@whitelist_sender_maps, @@blacklist_sender_maps
+
+# SOME EXAMPLES:
+#
+#ACL:
+# @@whitelist_sender_maps = ( ['.example.org', '.example.net'] );
+# @@whitelist_sender_maps = ( [qw(.example.org .example.net)] ); # same thing
+#
+# @@whitelist_sender_maps = ( [".$mydomain"] ); # $mydomain and its subdomains
+# NOTE: This is not a reliable way of turning off spam checks for
+# locally-originating mail, as sender address can easily be faked.
+# To reliably avoid spam-scanning outgoing mail, use @@bypass_spam_checks_maps
+# for nonlocal recipients. To reliably avoid spam scanning for locally
+# originating mail (including internal-to-internal mail), recognized by
+# the original SMTP client IP address matching @@mynetworks, use policy bank
+# MYNETS, adjust @@mynetworks, and turn on XFORWARD in the Postfix smtp client
+# service feeding amavisd.
+
+#with regexps:
+# @@whitelist_sender_maps = ( new_RE(
+# qr'^postmaster@@.*\bexample\.com$'i,
+# qr'^owner-[^@@]*@@'i, qr'-request@@'i,
+# qr'\.example\.com$'i
+# ));
+
+
+# illustrates the use of regexp lookup table:
+
+@@blacklist_sender_maps = ( new_RE(
+ qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@@'i,
+ qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@@'i,
+ qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@@'i,
+ qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@@'i,
+ qr'^(workathome|yesitsfree|your_friend|greatoffers)@@'i,
+ qr'^(inkjetplanet|marketopt|MakeMoney)\d*@@'i,
+));
+
+
+# NOTE: whitelisting is becoming deprecated because sender address is
+# all too often faked; use @@score_sender_maps for soft-whitelisting!
+#
+# Illustrates the use of several lookup tables:
+#
+# @@whitelist_sender_maps = (
+#
+# # read_hash("$MYHOME/whitelist_sender"), # a hash table read from a file
+#
+# # and another hash lookup table constructed in-line, with keys lowercased:
+# { map {lc $_ => 1} qw(
+# nobody@@cert.org
+# cert-advisory@@us-cert.gov
+# owner-alert@@iss.net
+# slashdot@@slashdot.org
+# bugtraq@@securityfocus.com
+# NTBUGTRAQ@@LISTSERV.NTBUGTRAQ.COM
+# security-alerts@@linuxsecurity.com
+# amavis-user-admin@@lists.sourceforge.net
+# amavis-user-bounces@@lists.sourceforge.net
+# notification-return@@lists.sophos.com
+# mailman-announce-admin@@python.org
+# owner-postfix-users@@postfix.org
+# owner-postfix-announce@@postfix.org
+# owner-sendmail-announce@@lists.sendmail.org
+# sendmail-announce-request@@lists.sendmail.org
+# owner-technews@@postel.ACM.ORG
+# lvs-users-admin@@LinuxVirtualServer.org
+# ietf-123-owner@@loki.ietf.org
+# cvs-commits-list-admin@@gnome.org
+# rt-users-admin@@lists.fsck.com
+# clp-request@@comp.nus.edu.sg
+# surveys-errors@@lists.nua.ie
+# emailNews@@genomeweb.com
+# owner-textbreakingnews@@CNNIMAIL12.CNN.COM
+# yahoo-dev-null@@yahoo-inc.com
+# returns.groups.yahoo.com
+# )},
+#
+# # { '' => 1 }, # and another one, containing just an empty reverse path (DSN)
+#
+# );
+
+
+# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT
+
+# The same semantics as for global white/blacklisting applies, but this
+# time each recipient (or its domain, or subdomain, ...) can be given
+# an individual lookup table for matching senders. The per-recipient lookups
+# take precedence over the global lookups, which serve as a fallback default.
+
+# Specify a two-level lookup table: the key for the outer table is recipient,
+# and the result should be an inner lookup table (hash or ACL or RE),
+# where the key used will be the sender. (Note that this structure is flatter
+# than @@score_sender_maps, where the first level result is a ref to a _list_
+# of inner lookup tables, not a ref to a single lookup table.)
+#
+#$per_recip_blacklist_sender_lookup_tables = {
+# 'user1@@my.example.com'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@@'i),
+# 'user2@@my.example.com'=>[qw( spammer@@d1.example,org .d2.example,org )],
+#};
+#$per_recip_whitelist_sender_lookup_tables = {
+# 'user@@my.example.com' => [qw( friend@@example.org .other.example.org )],
+# '.my1.example.com' => [qw( !foe.other.example,org .other.example,org )],
+# '.my2.example.com' => read_hash("$MYHOME/my2-wl.dat"),
+# 'abuse@@' => { 'postmaster@@'=>1,
+# 'cert-advisory-owner@@cert.org'=>1, 'owner-alert@@iss.net'=>1 },
+#};
+
+
+#
+# Section VI - Resource limits
+#
+
+# Sanity limit to the number of allowed recipients per SMTP transaction
+# $smtpd_recipient_limit = 1100; # (default is 1100)
+
+# Resource limits to protect unpackers, decompressors and virus scanners
+# against mail bombs (e.g. 42.zip)
+
+
+# Maximum recursion level for extraction/decoding (0 or undef disables limit)
+$MAXLEVELS = 14; # (default is undef, no limit)
+
+# Maximum number of extracted files (0 or undef disables the limit)
+$MAXFILES = 1500; # (default is undef, no limit)
+
+# For the cumulative total of all decoded mail parts we set max storage size
+# to defend against mail bombs. Even though parts may be deleted (replaced
+# by decoded text) during decoding, the size they occupied is _not_ returned
+# to the quota pool.
+#
+# Parameters to storage quota formula for unpacking/decoding/decompressing
+# Formula:
+# quota = max($MIN_EXPANSION_QUOTA,
+# $mail_size*$MIN_EXPANSION_FACTOR,
+# min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR))
+# In plain words (later condition overrules previous ones):
+# allow MAX_EXPANSION_FACTOR times initial mail size,
+# but not more than MAX_EXPANSION_QUOTA,
+# but not less than MIN_EXPANSION_FACTOR times initial mail size,
+# but never less than MIN_EXPANSION_QUOTA
+#
+$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
+$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
+$MIN_EXPANSION_FACTOR = 5; # times original mail size (default is 5)
+$MAX_EXPANSION_FACTOR = 500; # times original mail size (default is 500)
+
+# expiration time of cached results: time to live in seconds
+# (how long the result of a virus/spam test remains valid)
+$virus_check_negative_ttl= 3*60; # time to remember that mail was not infected
+$virus_check_positive_ttl= 30*60; # time to remember that mail was infected
+$spam_check_negative_ttl = 10*60; # time to remember that mail was not spam
+$spam_check_positive_ttl = 30*60; # time to remember that mail was spam
+#
+# NOTE:
+# Cache size will be determined by the largest of the $*_ttl values.
+# Depending on the mail rate, the cache database may grow quite large.
+# Reasonable compromise for the max value is 15 minutes to 2 hours.
+
+#
+# Section VII - External programs, virus scanners
+#
+
+# Specify a path string, which is a colon-separated string of directories
+# (no trailing slashes!) to be assigned to the environment variable PATH
+# and to serve for locating external programs below.
+
+# NOTE: if $daemon_chroot_dir is nonempty, the directories will be
+# relative to the chroot directory specified;
+
+$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin';
+
+# For external programs specify one string or a search list of strings (first
+# match wins). The string (or: each string in a list) may be an absolute path,
+# or just a program name, to be located via $path;
+# Empty string or undef (=default) disables the use of that external program.
+# Optionally command arguments may be specified - only the first substring
+# up to the whitespace is used for file searching.
+
+$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
+$dspam = 'dspam';
+
+# A list of pairs or n-tuples: [short-type, code_ref, optional-args...].
+# Maps short types to a decoding routine, the first match wins.
+# Arguments beyond the first two can be program path string (or a listref of
+# paths to be searched) or a reference to a variable containing such a path,
+# which allows for lazy evaluation, making possible to assign values to
+# legacy configuration variables even after the assignment to @@decoders.
+#
+@@decoders = (
+ ['mail', \&do_mime_decode],
+ ['asc', \&do_ascii],
+ ['uue', \&do_ascii],
+ ['hqx', \&do_ascii],
+ ['ync', \&do_ascii],
+ ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
+ ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
+ ['gz', \&do_uncompress, 'gzip -d'],
+ ['gz', \&do_gunzip],
+ ['bz2', \&do_uncompress, 'bzip2 -d'],
+ ['lzo', \&do_uncompress, 'lzop -d'],
+ ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
+ ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
+ ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
+ ['deb', \&do_ar, 'ar'],
+# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill
+ ['zip', \&do_unzip],
+ ['7z', \&do_7zip, ['7zr','7za','7z'] ],
+ ['rar', \&do_unrar, ['rar','unrar'] ],
+ ['arj', \&do_unarj, ['arj','unarj'] ],
+ ['arc', \&do_arc, ['nomarch','arc'] ],
+ ['zoo', \&do_zoo, ['zoo','unzoo'] ],
+ ['lha', \&do_lha, 'lha'],
+# ['doc', \&do_ole, 'ripole'],
+ ['cab', \&do_cabextract, 'cabextract'],
+ ['tnef', \&do_tnef_ext, 'tnef'],
+ ['tnef', \&do_tnef],
+# ['sit', \&do_unstuff, 'unstuff'], # broken/unsafe decoder
+ ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
+);
+
+
+# SpamAssassin settings
+
+# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
+# of the option local_tests_only. See Mail::SpamAssassin man page.
+# If set to 1, no SA tests that require internet access will be performed.
+#
+$sa_local_tests_only = 0; # only tests which do not require internet access?
+#$sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant
+ # for SA 3.0, its cf option is use_auto_whitelist)
+
+$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
+ # (less than 1% of spam is > 64k)
+ # default: undef, no limitations
+
+# default values, customarily used in the @@spam_*_level_maps as the last entry
+$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level;
+ # undef is interpreted as lower than any spam level
+$sa_tag2_level_deflt = 6.31;# add 'spam detected' headers at that level to
+ # passed mail, adding address extensions;
+$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
+ # at or above that level: bounce/reject/drop,
+ # quarantine
+$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent,
+ # effectively turning D_BOUNCE into D_DISCARD;
+ # undef disables this feature and is a default;
+# see also $sa_quarantine_cutoff_level above, which only controls quarantining
+
+# $penpals_bonus_score = 5; # (positive) score by which spam score is lowered
+ # when sender is known to have previously received mail from our
+ # local user from this mail system; zero or undef disables penpals
+ # lookups in SQL; default: undef
+# $penpals_halflife = 10*24*60*60; #exponential decay time constant in seconds;
+ # penpal bonus is halved for each halflife period from the last mail
+ # sent by a local user to a current mail's sender; default: 7 days
+# $penpals_threshold_low = 1.0; # no need for pen pals lookup on low spam score
+# $penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam
+
+# $bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces
+ # bounce killer needs operational SQL logging (pen pals) !
+
+# advanced example specifying per-recipient values using a hash lookup:
+#@@spam_tag_level_maps = (\$sa_tag_level_deflt); # this is a default
+#@@spam_tag2_level_maps = (
+# { 'user1@@example.com' => 8.0, '.example.com' => 6.0 },
+# \$sa_tag2_level_deflt, # catchall default
+#);
+#@@spam_kill_level_maps = (
+# { 'user1@@example.com' => 8.0, '.example.com' => 6.0 },
+# \$sa_kill_level_deflt, # catchall default
+#);
+#@@spam_dsn_cutoff_level_maps = (
+# { 'user1@@example.com' => 10, '.example.com' => 15 },
+# \$sa_dsn_cutoff_level, # catchall default
+#);
+
+# selectively trim down bounces to domains sending their own bounces with
+# non-null return path, to frequently abused domains, or to those sending
+# marginal spam
+@@spam_dsn_cutoff_level_bysender_maps = (
+ { # an associative array (hash) lookup table, use lowercase keys
+ 'virgilio.it' => 7, 'mail.ru' => 7, '0451.com' => 7,
+ 'yahoo.co.uk' => 7, 'yahoo.co.jp' => 7, 'nobody@@' => 7,
+ 'noreply@@' => 0, 'no-reply@@' => 0, 'donotreply@@' => 0,
+ 'opt-in@@' => 0, 'opt-out@@' => 0, 'yahoo-dev-null@@' => 0,
+ '.optin-out.com' => 0, 'daily@@astrocenter.com' => 0,
+ 'spamadmin@@fraunhofer.de'=> 7, # Sophos PureMessage spam bounces
+ },
+ \$sa_dsn_cutoff_level, # catchall default value
+);
+
+# a quick reference:
+# tag_level contents category: CC_CLEAN,
+# controls adding the X-Spam-Status and X-Spam-Level headers,
+# tag2_level contents category: CC_SPAMMY,
+# controls adding 'X-Spam-Flag: YES', editing (tagging) Subject,
+# and adding address extensions,
+# tag3_level contents category: CC_SPAMMY, minor category 1,
+# like tag2, but may insert different Subject tag
+# e.g. @@spam_subject_tag3_maps=('***BLATANT*SPAM*** ');
+# kill_level contents category: CC_SPAM,
+# controls 'evasive actions' (reject, quarantine);
+# it only makes sense to maintain the relationship:
+# tag_level <= tag2_level <= tag3_level <= kill_level <
+# < dsn_cutoff_level <= quarantine_cutoff_level
+
+# string to prepend to Subject header field when message exceeds tag2 level
+#$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
+ # (only seen when spam is passed and recipient is
+ # in local_domains*)
+# more examples, using @@*_maps directly:
+#@@spam_subject_tag_maps = ('[possible-spam:_SCORE_] ');
+#@@spam_subject_tag2_maps = ('***SPAM*** _SCORE_ (_REQD_) ');
+#@@spam_subject_tag3_maps = ('***BLATANT*SPAM**** _SCORE_ (_REQD_) ');
+# another examples, using _maps_by_ccat:
+#$subject_tag_maps_by_ccat{+CC_CLEAN} = [
+# { lc('TestUser@@example.net') =>
+# '**TEST:_U_,hits=_SCORE_,req=_REQD_,amid=_TASKID_,mid=_MAILID_**' } ];
+
+#$sa_spam_modifies_subj = 1; # in @@spam_modifies_subj_maps, default is true
+
+# Example: modify Subject for all local recipients except user@@example.com
+#@@spam_modifies_subj_maps = ( [qw( !user@@example.com . )] );
+
+#$sa_spam_level_char = '*'; # char for X-Spam-Level bar, defaults to '*';
+ # undef or empty disables inserting X-Spam-Level
+#$sa_spam_report_header = 0; # insert X-Spam-Report header field? default false
+
+# stop anti-virus scanning when the first scanner detects a virus?
+#$first_infected_stops_scan = 1; # default is false, all scanners in a section
+ # are called
+
+# @@av_scanners is a list of n-tuples, where fields semantics is:
+# 1. av scanner plain name, to be used in log and reports;
+# 2a.scanner program name; this string will be submitted to subroutine
+# find_external_programs(), which will try to find the full program path
+# name during startup; if program is not found, this scanner is disabled.
+# Besides a simple string (full program path name or just the basename
+# to be looked for in PATH), this may be an array ref of alternative
+# program names or full paths - the first match in the list will be used;
+# 2b.alternatively, this second field may be a subroutine reference,
+# and the whole n-tuple entry is passed to it as args; it should return
+# a triple: ($scan_status,$output,$virusnames_ref), where:
+# - $scan_status is: true if a virus was found, 0 if no viruses,
+# undef if scanner was unable to complete its job (failed);
+# - $output is an optional result string to appear in logging and macro %v;
+# - $virusnames_ref is a ref to a list of detected virus names (may be
+# undef or a ref to an empty list);
+# 3. command arguments to be given to the scanner program;
+# a substring {} will be replaced by the directory name to be scanned, i.e.
+# "$tempdir/parts", a "*" will be replaced by base file names of parts;
+# 4. an array ref of av scanner exit status values, or a regexp (to be
+# matched against scanner output), indicating NO VIRUSES found;
+# a special case is a value undef, which does not claim file to be clean
+# (i.e. it never matches, similar to []), but suppresses a failure warning;
+# to be used when the result is inconclusive (useful for specialized and
+# quick partial scanners such as jpeg checker);
+# 5. an array ref of av scanner exit status values, or a regexp (to be
+# matched against scanner output), indicating VIRUSES WERE FOUND;
+# a value undef may be used and it never matches (for consistency with 4.);
+# Note: the virus match prevails over a 'not found' match, so it is safe
+# even if the no. 4. matches for viruses too;
+# 6. a regexp (to be matched against scanner output), returning a list
+# of virus names found, or a sub ref, returning such a list when given
+# scanner output as argument;
+# 7. and 8.: (optional) subroutines to be executed before and after scanner
+# (e.g. to set environment or current directory);
+# see examples for these at KasperskyLab AVP and NAI uvscan.
+
+# NOTES:
+#
+# - NOT DEFINING @@av_scanners (e.g. setting it to empty list, or deleting the
+# whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE
+# (which can be handy if all you want to do is spam scanning);
+#
+# - the order matters: although _all_ available entries from the list
+# are tried regardless of their verdict, scanners are run in the order
+# specified: the report from the first one detecting a virus will be used
+# (providing virus names and scanner output); REARRANGE THE ORDER TO WILL;
+# see also $first_infected_stops_scan;
+#
+# - it doesn't hurt to keep an unused command line scanner entry in the list
+# if the program can not be found; the path search is only performed once
+# during the program startup;
+#
+# COROLLARY: to disable a scanner that _does_ exist on your system,
+# comment out its entry or use undef or '' as its program name/path
+# (second parameter). An example where this is almost a must: disable
+# Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl
+# (same for Trophie/vscan, and clamd/clamscan), or if another unrelated
+# program happens to have a name matching one of the entries ('sweep'
+# again comes to mind);
+#
+# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES
+# for interfacing (where the second parameter starts with \&).
+# Keeping such entry and not having a corresponding virus scanner daemon
+# causes an unnecessary connection attempt (which eventually times out,
+# but it wastes precious time). For this reason the daemonized entries
+# are commented in the distribution - just remove the '#' where needed.
+#
+# CERT list of av resources: http://www.cert.org/other_sources/viruses.html
+
+@@av_scanners = (
+
+# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
+# ['Sophie',
+# \&ask_daemon, ["{}/\n", '/var/run/sophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
+# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
+
+# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
+# ['Sophos SAVI', \&sophos_savi ],
+
+### http://www.clamav.net/
+['ClamAV-clamd',
+ \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
+ qr/\bOK$/m, qr/\bFOUND$/m,
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+# NOTE: run clamd under the same user as amavisd, or run it under its own
+# uid such as clamav, add user clamav to the amavis group, and then add
+# AllowSupplementaryGroups to clamd.conf;
+# NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
+# this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
+
+# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred)
+# # note that Mail::ClamAV requires perl to be build with threading!
+# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/m ],
+
+# ### http://www.openantivirus.org/
+# ['OpenAntiVirus ScannerDaemon (OAV)',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
+# qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ],
+
+# ### http://www.vanja.com/tools/trophie/
+# ['Trophie',
+# \&ask_daemon, ["{}/\n", '/var/run/trophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
+# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
+
+# ### http://www.grisoft.com/
+# ['AVG Anti-Virus',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
+# qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ],
+
+# ### http://www.f-prot.com/
+# ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6
+# \&ask_daemon,
+# ["SCAN FILE {}/*\n", '127.0.0.1:10200'],
+# qr/^(0|8|64) /m,
+# qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m,
+# qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ],
+
+# ### http://www.f-prot.com/
+# ['F-Prot f-protd', # old version
+# \&ask_daemon,
+# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
+# ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202',
+# '127.0.0.1:10203', '127.0.0.1:10204'] ],
+# qr/(?i)<summary[^>]*>clean<\/summary>/m,
+# qr/(?i)<summary[^>]*>infected<\/summary>/m,
+# qr/(?i)<name>(.+)<\/name>/m ],
+
+# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
+# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
+# [pack('N',1). # DRWEBD_SCAN_CMD
+# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
+# pack('N', # path length
+# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
+# '{}/*'. # path
+# pack('N',0). # content size
+# pack('N',0),
+# '/var/drweb/run/drwebd.sock',
+# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot
+# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
+# # '127.0.0.1:3000', # or over an inet socket
+# ],
+# qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED
+# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF
+# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm,
+# ],
+# # NOTE: If using amavis-milter, change length to:
+# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").
+
+ ### http://www.kaspersky.com/ (kav4mailservers)
+ ['KasperskyLab AVP - aveclient',
+ ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
+ '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
+ '-p /var/run/aveserver -s {}/*',
+ [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
+ qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
+ ],
+ # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
+ # currupted or protected archives are to be handled
+
+ ### http://www.kaspersky.com/
+ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
+ '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ?
+ qr/infected: (.+)/m,
+ sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
+ sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+ ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
+ ### products and replaced by aveserver and aveclient
+ ['KasperskyLab AVPDaemonClient',
+ [ '/opt/AVP/kavdaemon', 'kavdaemon',
+ '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
+ '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
+ '/opt/AVP/avpdc', 'avpdc' ],
+ "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
+ # change the startup-script in /etc/init.d/kavd to:
+ # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
+ # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
+ # adjusting /var/amavis above to match your $TEMPBASE.
+ # The '-f=/var/amavis' is needed if not running it as root, so it
+ # can find, read, and write its pid file, etc., see 'man kavdaemon'.
+ # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
+ # directory $TEMPBASE specifies) in the 'Names=' section.
+ # cd /opt/AVP/DaemonClients; configure; cd Sample; make
+ # cp AvpDaemonClient /opt/AVP/
+ # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
+
+ ### http://www.centralcommand.com/
+ ['CentralCommand Vexira (new) vascan',
+ ['vascan','/usr/lib/Vexira/vascan'],
+ "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
+ "--log=/var/log/vascan.log {}",
+ [0,3], [1,2,5],
+ qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
+ # Adjust the path of the binary and the virus database as needed.
+ # 'vascan' does not allow to have the temp directory to be the same as
+ # the quarantine directory, and the quarantine option can not be disabled.
+ # If $QUARANTINEDIR is not used, then another directory must be specified
+ # to appease 'vascan'. Move status 3 to the second list if password
+ # protected files are to be considered infected.
+
+ ### http://www.avira.com/
+ ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
+ ['Avira AntiVir', ['antivir','vexira'],
+ '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
+ qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
+ (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
+ # NOTE: if you only have a demo version, remove -z and add 214, as in:
+ # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
+
+ ### http://www.commandsoftware.com/
+ ['Command AntiVirus for Linux', 'csav',
+ '-all -archive -packed {}', [50], [51,52,53],
+ qr/Infection: (.+)/m ],
+
+ ### http://www.symantec.com/
+ ['Symantec CarrierScan via Symantec CommandLineScanner',
+ 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
+ qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
+ qr/^(?:Info|Virus Name):\s+(.+)/m ],
+
+ ### http://www.symantec.com/
+ ['Symantec AntiVirus Scan Engine',
+ 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
+ [0], qr/^Infected\b/m,
+ qr/^(?:Info|Virus Name):\s+(.+)/m ],
+ # NOTE: check options and patterns to see which entry better applies
+
+# ### http://www.f-secure.com/products/anti-virus/ version 4.65
+# ['F-Secure Antivirus for Linux servers',
+# ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
+# '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '.
+# '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8],
+# qr/(?:infection|Infected|Suspected): (.+)/m ],
+
+ ### http://www.f-secure.com/products/anti-virus/ version 5.52
+ ['F-Secure Antivirus for Linux servers',
+ ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
+ '--virus-action1=report --archive=yes --auto=yes '.
+ '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
+ qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
+ # NOTE: internal archive handling may be switched off by '--archive=no'
+ # to prevent fsav from exiting with status 9 on broken archives
+
+# ### http://www.avast.com/
+# ['avast! Antivirus daemon',
+# \&ask_daemon, # greets with 220, terminate with QUIT
+# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
+# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
+
+# ### http://www.avast.com/
+# ['avast! Antivirus - Client/Server Version', 'avastlite',
+# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
+# qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
+
+ ['CAI InoculateIT', 'inocucmd', # retired product
+ '-sec -nex {}', [0], [100],
+ qr/was infected by virus (.+)/m ],
+ # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
+
+ ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT)
+ ['CAI eTrust Antivirus', 'etrust-wrapper',
+ '-arc -nex -spm h {}', [0], [101],
+ qr/is infected by virus: (.+)/m ],
+ # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
+ # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
+
+ ### http://mks.com.pl/english.html
+ ['MkS_Vir for Linux (beta)', ['mks32','mks'],
+ '-s {}/*', [0], [1,2],
+ qr/--[ \t]*(.+)/m ],
+
+ ### http://mks.com.pl/english.html
+ ['MkS_Vir daemon', 'mksscan',
+ '-s -q {}', [0], [1..7],
+ qr/^... (\S+)/m ],
+
+# ### http://www.nod32.com/, version v2.52 (old)
+# ['ESET NOD32 for Linux Mail servers',
+# ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
+# '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
+# '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
+# '--action-on-notscanned=accept {}',
+# [0,3], [1,2], qr/virus="([^"]+)"/m ],
+
+# ### http://www.eset.com/, version v2.7 (old)
+# ['ESET NOD32 Linux Mail Server - command line interface',
+# ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
+# '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ],
+
+# ### http://www.eset.com/, version 2.71.12
+# ['ESET Software ESETS Command Line Interface',
+# ['/usr/bin/esets_cli', 'esets_cli'],
+# '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ],
+
+ ### http://www.eset.com/, version 3.0
+ ['ESET Software ESETS Command Line Interface',
+ ['/usr/bin/esets_cli', 'esets_cli'],
+ '--subdir {}', [0], [1,2,3],
+ qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
+
+ ## http://www.nod32.com/, NOD32LFS version 2.5 and above
+ ['ESET NOD32 for Linux File servers',
+ ['/opt/eset/nod32/sbin/nod32','nod32'],
+ '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
+ '-w -a --action=1 -b {}',
+ [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
+
+# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
+# ['ESET Software NOD32 Client/Server (NOD32SS)',
+# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT
+# ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
+# qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],
+
+ ### http://www.norman.com/products_nvc.shtml
+ ['Norman Virus Control v5 / Linux', 'nvcc',
+ '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
+ qr/(?i).* virus in .* -> \'(.+)\'/m ],
+
+ ### http://www.pandasoftware.com/
+ ['Panda CommandLineSecure 9 for Linux',
+ ['/opt/pavcl/usr/bin/pavcl','pavcl'],
+ '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
+ qr/Number of files infected[ .]*: 0+(?!\d)/m,
+ qr/Number of files infected[ .]*: 0*[1-9]/m,
+ qr/Found virus :\s*(\S+)/m ],
+ # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
+ # before starting amavisd - the bases are then loaded only once at startup.
+ # To reload bases in a signature update script:
+ # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
+ # Please review other options of pavcl, for example:
+ # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
+
+# ### http://www.pandasoftware.com/
+# ['Panda Antivirus for Linux', ['pavcl'],
+# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
+# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
+# qr/Found virus :\s*(\S+)/m ],
+
+# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
+# Check your RAV license terms before fiddling with the following two lines!
+# ['GeCAD RAV AntiVirus 8', 'ravav',
+# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ],
+# # NOTE: the command line switches changed with scan engine 8.5 !
+# # (btw, assigning stdin to /dev/null causes RAV to fail)
+
+ ### http://www.nai.com/
+ ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
+ '--secure -rv --mime --summary --noboot --mailbox --program --timeout 180 - {}', [0], [13],
+ qr/(?x) Found (?:
+ \ the\ (.+)\ (?:virus|trojan) |
+ \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
+ :\ (.+)\ NOT\ a\ virus)/m,
+ # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
+ # sub {delete $ENV{LD_PRELOAD}},
+ ],
+ # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
+ # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
+ # and then clear it when finished to avoid confusing anything else.
+ # NOTE2: to treat encrypted files as viruses replace the [13] with:
+ # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
+
+ ### http://www.virusbuster.hu/en/
+ ['VirusBuster', ['vbuster', 'vbengcl'],
+ "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
+ qr/: '(.*)' - Virus/m ],
+ # VirusBuster Ltd. does not support the daemon version for the workstation
+ # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
+ # binaries, some parameters AND return codes have changed (from 3 to 1).
+ # See also the new Vexira entry 'vascan' which is possibly related.
+
+# ### http://www.virusbuster.hu/en/
+# ['VirusBuster (Client + Daemon)', 'vbengd',
+# '-f -log scandir {}', [0], [3],
+# qr/Virus found = (.*);/m ],
+# # HINT: for an infected file it always returns 3,
+# # although the man-page tells a different story
+
+ ### http://www.cyber.com/
+ ['CyberSoft VFind', 'vfind',
+ '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
+ # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
+ ],
+
+ ### http://www.avast.com/
+ ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
+ '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
+
+ ### http://www.ikarus-software.com/
+ ['Ikarus AntiVirus for Linux', 'ikarus',
+ '{}', [0], [40], qr/Signature (.+) found/m ],
+
+ ### http://www.bitdefender.com/
+ ['BitDefender', 'bdscan', # new version
+ '--action=ignore --no-list {}', qr/^Infected files *:0+(?!\d)/m,
+ qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
+ qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
+
+ ### http://www.bitdefender.com/
+ ['BitDefender', 'bdc', # old version
+ '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
+ qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
+ qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
+ # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may
+ # not apply to your version of bdc, check documentation and see 'bdc --help'
+
+ ### ArcaVir for Linux and Unix http://www.arcabit.pl/
+ ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
+ '-v 1 -summary 0 -s {}', [0], [1,2],
+ qr/(?:VIR|WIR):[ \t]*(.+)/m ],
+
+# ['File::Scan', sub {Amavis::AV::ask_av(sub{
+# use File::Scan; my($fn)=@@_;
+# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
+# my($vname) = $f->scan($fn);
+# $f->error ? (2,"Error: ".$f->error)
+# : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @@_) },
+# ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ],
+
+# ### fully-fledged checker for JPEG marker segments of invalid length
+# ['check-jpeg',
+# sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @@_) },
+# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],
+# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
+# # for example in /usr/local/lib/perl5/site_perl
+
+# ### example: simpleminded checker for JPEG marker segments with
+# ### invalid length (only checks first 32k, which is not thorough enough)
+# ['check-jpeg-simple',
+# sub { Amavis::AV::ask_av(sub {
+# my($f)=@@_; local(*FF,$_,$1,$2); my(@@r)=(0,'not jpeg');
+# open(FF,$f) or die "jpeg: open err $f: $!";
+# binmode(FF) or die "jpeg: binmode err $f: $!";
+# defined read(FF,$_,32000) or die "jpeg: read err $f: $!";
+# close(FF) or die "jpeg: close err $f: $!";
+# if (/^\xff\xd8\xff/) {
+# @@r=(0,'jpeg ok');
+# while (!/\G(?:\xff\xd9|\z)/gc) { # EOI or eof
+# if (/\G\xff+(?=\xff|\z)/gc) {} # fill-bytes before marker
+# elsif (/\G\xff([\x01\xd0-\xd8])/gc) {} # TEM, RSTi, SOI
+# elsif (/\G\xff([^\x00\xff])(..)/gcs) { # marker segment start
+# my($n)=unpack("n",$2)-2;
+# $n=32766 if $n>32766; # Perl regexp limit
+# if ($n<0) {@@r=(1,"bad jpeg: len=$n, pos=".pos); last}
+# elsif (/\G.{$n}/gcs) {} # ok
+# elsif (/\G.{0,$n}\z/gcs) {last} # truncated
+# else {@@r=(1,"bad jpeg: unexpected, pos=".pos); last}
+# }
+# elsif (/\G[^\xff]+/gc) {} # ECS
+# elsif (/\G(?:\xff\x00)+/gc) {} # ECS
+# else {@@r=(2,"bad jpeg: unexpected char, pos=".pos); last}
+# }
+# }; @@r}, @@_) },
+# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],
+
+# ### an example/testing/template virus scanner (external), wastes 3 seconds
+# ['wasteful sleeper example',
+# '/bin/sleep', '3', # calls external program
+# undef, undef, qr/no such/m ],
+
+# ### an example/testing/template virus scanner (internal), does nothing
+# ['null',
+# sub {}, ["{}"], # supplies its own subroutine, no external program
+# undef, undef, qr/no such/m ],
+
+);
+
+
+# If no virus scanners from the @@av_scanners list produce 'clean' nor
+# 'infected' status (i.e. they all fail to run or the list is empty),
+# then _all_ scanners from the @@av_scanners_backup list are tried
+# (again, subject to $first_infected_stops_scan). When there are both
+# daemonized and equivalent or similar command-line scanners available,
+# it is customary to place slower command-line scanners in the
+# @@av_scanners_backup list. The default choice is somewhat arbitrary,
+# move entries from one list to another as desired, keeping main scanners
+# in the primary list to avoid warnings.
+
+@@av_scanners_backup = (
+
+ ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
+ ['ClamAV-clamscan', 'clamscan',
+ "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
+ [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+
+ ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6
+ ['F-PROT Antivirus for UNIX', ['fpscan'],
+ '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10
+ [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
+ qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
+
+ ### http://www.f-prot.com/ - backs up F-Prot Daemon (old)
+ ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
+ '-dumb -ai -archive -packed -server {}', [0,8], [3,6], # or: [0], [3,6,8],
+ qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
+
+ ### http://www.trendmicro.com/ - backs up Trophie
+ ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
+ '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
+
+ ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD
+ ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier
+ ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
+ '-path={} -al -go -ot -cn -upn -ok-',
+ [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
+
+ ### http://www.kaspersky.com/
+ ['Kaspersky Antivirus v5.5',
+ ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
+ '/opt/kav/5.5/kav4unix/bin/kavscanner',
+ '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
+ '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
+ qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
+# sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
+# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+# Commented out because the name 'sweep' clashes with Debian and FreeBSD
+# package/port of an audio editor. Make sure the correct 'sweep' is found
+# in the path when enabling.
+#
+# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl
+# ['Sophos Anti Virus (sweep)', 'sweep',
+# '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
+# '--no-reset-atime {}',
+# [0,2], qr/Virus .*? found/m,
+# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
+# ],
+# # other options to consider: -idedir=/usr/local/sav
+
+# Always succeeds and considers mail clean.
+# Potentially useful when all other scanners fail and it is desirable
+# to let mail continue to flow with no virus checking (when uncommented).
+# ['always-clean', sub {0}],
+
+);
+
+
+#
+# Section VIII - Debugging
+#
+
+# The most useful debugging tool is to run amavisd-new non-detached
+# from a terminal window using command: # amavisd debug
+
+# Some more refined approaches:
+
+# If sender matches ACL, turn debugging fully up, just for this one message
+#@@debug_sender_maps = ( ["test-sender\@@$mydomain"] );
+#@@debug_sender_maps = ( [qw( debug@@example.com debug@@example.net )] );
+
+# May be useful along with @@debug_sender_maps:
+# Prevent all decoded originals being deleted (replaced by decoded part)
+#@@keep_decoded_original_maps = (1);
+
+# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug')
+#$sa_debug = '1,all'; # defaults to false
+
+
+#
+# Section IX - Policy banks (dynamic policy switching)
+#
+
+## Define some policy banks (sets of settings) and give them
+## arbitrary names (the names '', 'MYNETS' and 'MYUSERS' have special meaning):
+#
+# $policy_bank{'ALT'} = {
+# log_level => 3,
+# syslog_ident => 'alt-amavis',
+# syslog_facility => 'LOCAL3',
+# inet_acl => [qw( 10.0.1.14 )],
+# final_spam_destiny => D_PASS, final_bad_header_destiny => D_PASS,
+# forward_method => 'smtp:*:*',
+# notify_method => 'smtp:[127.0.0.1]:10025',
+# virus_admin_maps => "abuse\@@$mydomain",
+# spam_lovers_maps => [@@spam_lovers_maps, [qw( abuse@@example.com )]],
+# spam_tag_level_maps => 2.1,
+# spam_tag2_level_maps => 6.32,
+# spam_kill_level_maps => 6.72,
+# spam_dsn_cutoff_level_maps => 8,
+# defang_spam => 1,
+# local_client_bind_address => '10.11.12.13',
+# localhost_name => 'amavis.example.com',
+# smtpd_greeting_banner =>
+# '${helo-name} ${protocol} ${product} ${version-id} (${version-date}) TEST service ready';
+# auth_mech_avail => [qw(PLAIN LOGIN)],
+# auth_required_inp => 1,
+# auth_required_out => 1,
+# amavis_auth_user => 'amavisd', amavis_auth_pass = 'tOpsecretX',
+# av_scanners => [ # provide only 'free' scanners
+# ['ClamAV-clamd',
+# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
+# qr/\bOK$/, qr/\bFOUND$/,
+# qr/^.*?: (?!Infected Archive)(.*) FOUND$/,
+# ],
+# ],
+# av_scanners_backup => [
+# ['ClamAV-clamscan', 'clamscan',
+# "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
+# qr/^.*?: (?!Infected Archive)(.*) FOUND$/,
+# ],
+# ],
+# };
+
+# NOTE: the use of policy banks for changing protocol on the input socket is
+# only needed when different protocols need to be spoken on different sockets
+# at the same time. For normal use just set globally e.g.: $protocol='AM.PDP';
+#
+#$policy_bank{'AM.PDP-SOCK'} = {
+# protocol => 'AM.PDP', # Amavis policy delegation protocol
+# auth_required_release => 0, # do not require secret_id for amavisd-release
+#};
+#
+#$policy_bank{'AM.PDP-INET'} = {
+# protocol => 'AM.PDP', # Amavis policy delegation protocol
+# inet_acl => [qw( 127.0.0.1 [::1] )], # restrict to these IP addresses
+#};
+#
+## the name 'MYNETS' has special semantics: this policy bank gets loaded
+## whenever MTA supplies the original SMTP client IP address (Postfix XFORWARD
+## extension or a new AM.PDP protocol) and that address matches @@mynetworks.
+#
+# $terminate_dsn_on_notify_success = 1;
+# $policy_bank{'MYNETS'} = { # mail originating from @@mynetworks
+# originating => 1, # is true in MYNETS by deflt, but let's make it explicit
+# terminate_dsn_on_notify_success => 0,
+# spam_kill_level_maps => 6.9,
+# syslog_facility => 'LOCAL4', # tell syslog to log to a separate file
+# virus_admin_maps => ["virusalert\@@$mydomain"], # alert of internal viruses
+# spam_admin_maps => ["spamalert\@@$mydomain"], # alert of internal spam
+# bypass_spam_checks_maps => [1], # or: don't spam-check internal mail
+# bypass_banned_checks_maps => [1], # don't banned-check internal mail
+# warnbadhsender => 1, # warn local senders about their broken MUA
+# banned_filename_maps => ['MYNETS-DEFAULT'], # more permissive banning rules
+# spam_quarantine_cutoff_level_maps => undef, # quarantine all local spam
+# spam_dsn_cutoff_level_maps => undef, # ensure NDN regardless of spam level
+# spam_dsn_cutoff_level_bysender_maps => # but only from local domain senders
+# [ { lc(".$mydomain") => undef, '.' => 15 } ],
+# };
+
+## the name 'MYUSERS' has special semantics: this policy bank gets loaded
+## whenever the sender matches @@local_domains_maps. This only makes sense
+## if local sender addresses can be trusted -- for example by requiring
+## authentication before letting users send with their local address.
+#
+# $policy_bank{'MYUSERS'} = {
+# final_virus_destiny => D_BOUNCE, # bounce only to authenticated local users
+# final_banned_destiny=> D_BOUNCE,
+# };
+
+# Needed for Courier: speak courier protocol on the socket
+#$interface_policy{'SOCK'} = 'AM-SOCK';
+#$policy_bank{'AM-SOCK'} = {protocol => 'COURIER'};
+
+## Now we can assign policy banks to amavisd tcp port numbers listed in
+## $inet_socket_port. Whenever the connection from MTA is received, first
+## a built-in policy bank $policy_bank{''} gets loaded, which bringings-in
+## all the global/legacy settings, then it gets overlaid by the bank
+## named in the $interface_policy{$port} if any, and finally the bank
+## 'MYNETS' is overlaid if it exists and the SMTP client IP address
+## is known (by XFORWARD command from MTA) and it matches @@mynetworks.
+
+# $interface_policy{'10026'} = 'ALT';
+
+# used by amavisd-release utility of a new AM.PDP-based amavis-milter client
+#$interface_policy{'9998'} = 'AM.PDP-INET';
+#$interface_policy{'SOCK'} = 'AM.PDP-SOCK';
+
+# invoke custom hooks or additional configuration files:
+# include_config_files('/etc/amavisd-custom.conf');
+
+# Want to execute additional configuration files from some directory?
+#{ my($d) = '/etc/amavis/conf.d'; # do *.cf or *.conf files in this directory
+# local(*D); opendir(D,$d) or die "Can't open dir $d: $!";
+# my(@@d) = sort grep {/\.(cf|conf)$/ && -f} map {/^(.*)$/,"$d/$1"} readdir(D);
+# closedir(D) or die "Can't close $d: $!";
+# include_config_files($_) for (@@d);
+#}
+
+1; # insure a defined return value
+@
+
+
+1.3
+log
+@Checked in.
+@
+text
+@d74 1
+d162 3
+d318 1
+a318 1
+$syslog_priority = 'debug'; # Syslog base (minimal) priority as a string,
+d331 1
+a331 1
+$log_level = 2; # (defaults to 0), -d
+d515 4
+a518 4
+#$final_virus_destiny = D_DISCARD; # (defaults to D_DISCARD)
+#$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
+#$final_spam_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
+#$final_bad_header_destiny = D_PASS; # (defaults to D_PASS)
+d921 1
+a921 1
+ qr'^MAIL$', # retain full original message for virus checking (can be slow)
+d1464 3
+d1503 2
+d1959 10
+a1968 10
+# ### http://www.clamav.net/
+# ['ClamAV-clamd',
+# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
+# qr/\bOK$/m, qr/\bFOUND$/m,
+# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+# # NOTE: run clamd under the same user as amavisd, or run it under its own
+# # uid such as clamav, add user clamav to the amavis group, and then add
+# # AllowSupplementaryGroups to clamd.conf;
+# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
+# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
+@
+
+
+1.2
+log
+@Checked in.
+@
+text
+@a73 1
+$myhostname = 'helga.brehm-online.com';
+a160 3
+@@auth_mech_avail = qw(PLAIN LOGIN);
+$auth_required_inp = 0;
+$auth_required_out = 0;
+d314 1
+a314 1
+$syslog_priority = 'info'; # Syslog base (minimal) priority as a string,
+d327 1
+a327 1
+$log_level = 3; # (defaults to 0), -d
+d511 4
+a514 4
+$final_virus_destiny = D_REJECT; # (defaults to D_DISCARD)
+$final_banned_destiny = D_REJECT; # (defaults to D_BOUNCE)
+$final_spam_destiny = D_REJECT; # (defaults to D_BOUNCE)
+$final_bad_header_destiny = D_PASS; # (defaults to D_PASS)
+d917 1
+a917 1
+# qr'^MAIL$', # retain full original message for virus checking (can be slow)
+a1459 3
+ [ qr'@@strato(?:-rz)\.de$'i => -5.0 ],
+ [ qr'^Doris\.Hennig@@BA-MH\.Verwalt-Berlin\.de$'i => -5.0 ],
+ [ qr'^doris@@hennig-berlin\.org$'i => -5.0 ],
+a1495 2
+ 'niels@@google.com' => -3.0,
+ 'kameu@@gmx.de' => -3.0,
+d1950 10
+a1959 10
+### http://www.clamav.net/
+['ClamAV-clamd',
+ \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
+ qr/\bOK$/m, qr/\bFOUND$/m,
+ qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+# NOTE: run clamd under the same user as amavisd, or run it under its own
+# uid such as clamav, add user clamav to the amavis group, and then add
+# AllowSupplementaryGroups to clamd.conf;
+# NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
+# this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
+@
+
+
+1.1
+log
+@Initial revision
+@
+text
+@d74 1
+d162 3
+d318 1
+a318 1
+$syslog_priority = 'debug'; # Syslog base (minimal) priority as a string,
+d331 1
+a331 1
+$log_level = 2; # (defaults to 0), -d
+d515 4
+a518 4
+#$final_virus_destiny = D_DISCARD; # (defaults to D_DISCARD)
+#$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
+#$final_spam_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
+#$final_bad_header_destiny = D_PASS; # (defaults to D_PASS)
+d921 1
+a921 1
+ qr'^MAIL$', # retain full original message for virus checking (can be slow)
+d1464 3
+d1503 2
+d1959 10
+a1968 10
+# ### http://www.clamav.net/
+# ['ClamAV-clamd',
+# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
+# qr/\bOK$/m, qr/\bFOUND$/m,
+# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+# # NOTE: run clamd under the same user as amavisd, or run it under its own
+# # uid such as clamav, add user clamav to the amavis group, and then add
+# # AllowSupplementaryGroups to clamd.conf;
+# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
+# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
+@
--- /dev/null
+head 1.1;
+access;
+symbols;
+locks; strict;
+comment @# @;
+
+
+1.1
+date 2011.09.08.21.17.36; author root; state Exp;
+branches;
+next ;
+
+
+desc
+@Initialising repository
+@
+
+
+1.1
+log
+@Initial revision
+@
+text
+@use strict;
+
+# a minimalistic configuration file for amavisd-new with all necessary settings
+#
+# see amavisd.conf-default for a list of all variables with their defaults;
+# for more details see documentation in INSTALL, README_FILES/*
+# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
+
+
+# COMMONLY ADJUSTED SETTINGS:
+
+# @@bypass_virus_checks_maps = (1); # controls running of anti-virus code
+# @@bypass_spam_checks_maps = (1); # controls running of anti-spam code
+# $bypass_decode_parts = 1; # controls running of decoders&dearchivers
+
+$max_servers = 2; # num of pre-forked children (2..30 is common), -m
+$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u
+$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g
+
+$mydomain = 'example.com'; # a convenient default for other settings
+
+# $MYHOME = '/var/amavis'; # a convenient default for other settings, -H
+$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T
+$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc.
+$QUARANTINEDIR = "$MYHOME/quarantine"; # -Q
+# $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine
+# $release_format = 'resend'; # 'attach', 'plain', 'resend'
+# $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf'
+
+# $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R
+
+# $db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D
+# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S
+# $lock_file = "$MYHOME/var/amavisd.lock"; # -L
+# $pid_file = "$MYHOME/var/amavisd.pid"; # -P
+#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually
+
+$log_level = 0; # verbosity 0..5, -d
+$log_recip_templ = undef; # disable by-recipient level-0 log entries
+$do_syslog = 1; # log via syslogd (preferred)
+$syslog_facility = 'mail'; # Syslog facility as a string
+ # e.g.: mail, daemon, user, local0, ... local7
+
+$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
+$nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed
+$enable_dkim_verification = 0; # enable DKIM signatures verification
+$enable_dkim_signing = 0; # load DKIM signing code, keys defined by dkim_key
+
+@@local_domains_maps = ( [".$mydomain"] ); # list of all local domains
+
+@@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
+ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
+
+$unix_socketname = "$MYHOME/amavisd.sock"; # amavisd-release or amavis-milter
+ # option(s) -p overrides $inet_socket_port and $unix_socketname
+
+$inet_socket_port = 10024; # listen on this local TCP port(s)
+# $inet_socket_port = [10024,10026]; # listen on multiple TCP ports
+
+$policy_bank{'MYNETS'} = { # mail originating from @@mynetworks
+ originating => 1, # is true in MYNETS by default, but let's make it explicit
+ os_fingerprint_method => undef, # don't query p0f for internal clients
+};
+
+# it is up to MTA to re-route mail from authenticated roaming users or
+# from internal hosts to a dedicated TCP port (such as 10026) for filtering
+$interface_policy{'10026'} = 'ORIGINATING';
+
+$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
+ originating => 1, # declare that mail was submitted by our smtp client
+ allow_disclaimers => 1, # enables disclaimer insertion if available
+ # notify administrator of locally originating malware
+ virus_admin_maps => ["virusalert\@@$mydomain"],
+ spam_admin_maps => ["virusalert\@@$mydomain"],
+ warnbadhsender => 1,
+ # forward to a smtpd service providing DKIM signing service
+ forward_method => 'smtp:[127.0.0.1]:10027',
+ # force MTA conversion to 7-bit (e.g. before DKIM signing)
+ smtpd_discard_ehlo_keywords => ['8BITMIME'],
+ bypass_banned_checks_maps => [1], # allow sending any file names and types
+ terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
+};
+
+$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
+
+# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
+# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
+$policy_bank{'AM.PDP-SOCK'} = {
+ protocol => 'AM.PDP',
+ auth_required_release => 0, # do not require secret_id for amavisd-release
+};
+
+$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level
+$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)
+$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
+$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
+# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
+$penpals_bonus_score = 8; # (no effect without a @@storage_sql_dsn database)
+$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam
+$bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces
+
+$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
+$sa_local_tests_only = 0; # only tests which do not require internet access?
+
+# @@lookup_sql_dsn =
+# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
+# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
+# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
+# @@storage_sql_dsn = @@lookup_sql_dsn; # none, same, or separate database
+
+# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
+# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
+
+$virus_admin = "virusalert\@@$mydomain"; # notifications recip.
+
+$mailfrom_notify_admin = "virusalert\@@$mydomain"; # notifications sender
+$mailfrom_notify_recip = "virusalert\@@$mydomain"; # notifications sender
+$mailfrom_notify_spamadmin = "spam.police\@@$mydomain"; # notifications sender
+$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
+
+@@addr_extension_virus_maps = ('virus');
+@@addr_extension_banned_maps = ('banned');
+@@addr_extension_spam_maps = ('spam');
+@@addr_extension_bad_header_maps = ('badh');
+# $recipient_delimiter = '+'; # undef disables address extensions altogether
+# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
+
+$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
+# $dspam = 'dspam';
+
+$MAXLEVELS = 14;
+$MAXFILES = 1500;
+$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
+$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
+
+$sa_spam_subject_tag = '***Spam*** ';
+$defang_virus = 1; # MIME-wrap passed infected mail
+$defang_banned = 1; # MIME-wrap passed mail containing banned name
+# for defanging bad headers only turn on certain minor contents categories:
+$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header
+$defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters
+$defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error
+
+
+# OTHER MORE COMMON SETTINGS (defaults may suffice):
+
+# $myhostname = 'host.example.com'; # must be a fully-qualified domain name!
+
+# $notify_method = 'smtp:[127.0.0.1]:10025';
+# $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
+
+# $final_virus_destiny = D_DISCARD;
+# $final_banned_destiny = D_DISCARD;
+# $final_spam_destiny = D_PASS; #!!! D_DISCARD / D_REJECT
+# $final_bad_header_destiny = D_PASS;
+# $bad_header_quarantine_method = undef;
+
+# $os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl
+
+## hierarchy by which a final setting is chosen:
+## policy bank (based on port or IP address) -> *_by_ccat
+## *_by_ccat (based on mail contents) -> *_maps
+## *_maps (based on recipient address) -> final configuration value
+
+
+# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
+
+# $warnbadhsender,
+# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @@warn*recip_maps)
+#
+# @@bypass_virus_checks_maps, @@bypass_spam_checks_maps,
+# @@bypass_banned_checks_maps, @@bypass_header_checks_maps,
+#
+# @@virus_lovers_maps, @@spam_lovers_maps,
+# @@banned_files_lovers_maps, @@bad_header_lovers_maps,
+#
+# @@blacklist_sender_maps, @@score_sender_maps,
+#
+# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
+# $bad_header_quarantine_to, $spam_quarantine_to,
+#
+# $defang_bad_header, $defang_undecipherable, $defang_spam
+
+
+# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
+
+@@keep_decoded_original_maps = (new_RE(
+ qr'^MAIL$', # retain full original message for virus checking
+ qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
+ qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+# qr'^Zip archive data', # don't trust Archive::Zip
+));
+
+
+$banned_filename_re = new_RE(
+
+### BLOCKED ANYWHERE
+# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
+ qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
+# qr'^\.(exe|lha|cab|dll)$', # banned file(1) types
+
+### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
+# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
+ [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
+
+ qr'.\.(pif|scr)$'i, # banned extensions - rudimentary
+# qr'^\.zip$', # block zip type
+
+### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
+# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives
+
+ qr'^application/x-msdownload$'i, # block these MIME types
+ qr'^application/x-msdos-program$'i,
+ qr'^application/hta$'i,
+
+# qr'^message/partial$'i, # rfc2046 MIME type
+# qr'^message/external-body$'i, # rfc2046 MIME type
+
+# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type
+# qr'^\.wmf$', # Windows Metafile file(1) type
+
+ # block certain double extensions in filenames
+ qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
+
+# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
+# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose
+
+ qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic
+# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
+# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
+# inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
+# msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
+# wmf|wsc|wsf|wsh)$'ix, # banned extensions - long
+# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also
+# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename
+# qr'^\.ani$', # banned animated cursor file(1) type
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
+);
+# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
+# and http://www.cknow.com/vtutor/vtextensions.htm
+
+
+# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
+
+@@score_sender_maps = ({ # a by-recipient hash lookup table,
+ # results from all matching recipient tables are summed
+
+# ## per-recipient personal tables (NOTE: positive: black, negative: white)
+# 'user1@@example.com' => [{'bla-mobile.press@@example.com' => 10.0}],
+# 'user3@@example.com' => [{'.ebay.com' => -3.0}],
+# 'user4@@example.com' => [{'cleargreen@@cleargreen.com' => -7.0,
+# '.cleargreen.com' => -5.0}],
+
+ ## site-wide opinions about senders (the '.' matches any recipient)
+ '.' => [ # the _first_ matching sender determines the score boost
+
+ new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
+ [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@@'i => 5.0],
+ [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@@'i=> 5.0],
+ [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@@'i=> 5.0],
+ [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@@'i => 5.0],
+ [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@@'i => 5.0],
+ [qr'^(your_friend|greatoffers)@@'i => 5.0],
+ [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@@'i => 5.0],
+ ),
+
+# read_hash("/var/amavis/sender_scores_sitewide"),
+
+ { # a hash-type lookup table (associative array)
+ 'nobody@@cert.org' => -3.0,
+ 'cert-advisory@@us-cert.gov' => -3.0,
+ 'owner-alert@@iss.net' => -3.0,
+ 'slashdot@@slashdot.org' => -3.0,
+ 'securityfocus.com' => -3.0,
+ 'ntbugtraq@@listserv.ntbugtraq.com' => -3.0,
+ 'security-alerts@@linuxsecurity.com' => -3.0,
+ 'mailman-announce-admin@@python.org' => -3.0,
+ 'amavis-user-admin@@lists.sourceforge.net'=> -3.0,
+ 'amavis-user-bounces@@lists.sourceforge.net' => -3.0,
+ 'spamassassin.apache.org' => -3.0,
+ 'notification-return@@lists.sophos.com' => -3.0,
+ 'owner-postfix-users@@postfix.org' => -3.0,
+ 'owner-postfix-announce@@postfix.org' => -3.0,
+ 'owner-sendmail-announce@@lists.sendmail.org' => -3.0,
+ 'sendmail-announce-request@@lists.sendmail.org' => -3.0,
+ 'donotreply@@sendmail.org' => -3.0,
+ 'ca+envelope@@sendmail.org' => -3.0,
+ 'noreply@@freshmeat.net' => -3.0,
+ 'owner-technews@@postel.acm.org' => -3.0,
+ 'ietf-123-owner@@loki.ietf.org' => -3.0,
+ 'cvs-commits-list-admin@@gnome.org' => -3.0,
+ 'rt-users-admin@@lists.fsck.com' => -3.0,
+ 'clp-request@@comp.nus.edu.sg' => -3.0,
+ 'surveys-errors@@lists.nua.ie' => -3.0,
+ 'emailnews@@genomeweb.com' => -5.0,
+ 'yahoo-dev-null@@yahoo-inc.com' => -3.0,
+ 'returns.groups.yahoo.com' => -3.0,
+ 'clusternews@@linuxnetworx.com' => -3.0,
+ lc('lvs-users-admin@@LinuxVirtualServer.org') => -3.0,
+ lc('owner-textbreakingnews@@CNNIMAIL12.CNN.COM') => -5.0,
+
+ # soft-blacklisting (positive score)
+ 'sender@@example.net' => 3.0,
+ '.example.net' => 1.0,
+
+ },
+ ], # end of site-wide tables
+});
+
+
+@@decoders = (
+ ['mail', \&do_mime_decode],
+# ['asc', \&do_ascii],
+# ['uue', \&do_ascii],
+# ['hqx', \&do_ascii],
+# ['ync', \&do_ascii],
+ ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
+ ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
+ ['gz', \&do_uncompress, 'gzip -d'],
+ ['gz', \&do_gunzip],
+ ['bz2', \&do_uncompress, 'bzip2 -d'],
+ ['xz', \&Amavis::Unpackers::do_uncompress,
+ ['xzdec'. 'xz -dc', 'unxz -c', 'xzcat'] ],
+ ['lzma', \&Amavis::Unpackers::do_uncompress,
+ ['lzmadec', 'xz -dc --format=lzma',
+ 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
+ ['lzo', \&do_uncompress, 'lzop -d'],
+ ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
+ ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
+ ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
+ ['deb', \&do_ar, 'ar'],
+# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill
+ ['zip', \&do_unzip],
+ ['7z', \&do_7zip, ['7zr','7za','7z'] ],
+ ['rar', \&do_unrar, ['rar','unrar'] ],
+ ['arj', \&do_unarj, ['arj','unarj'] ],
+ ['arc', \&do_arc, ['nomarch','arc'] ],
+ ['zoo', \&do_zoo, ['zoo','unzoo'] ],
+ ['lha', \&do_lha, 'lha'],
+# ['doc', \&do_ole, 'ripole'],
+ ['cab', \&do_cabextract, 'cabextract'],
+ ['tnef', \&do_tnef_ext, 'tnef'],
+ ['tnef', \&do_tnef],
+# ['sit', \&do_unstuff, 'unstuff'], # broken/unsafe decoder
+ ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
+);
+
+
+@@av_scanners = (
+
+# ### http://www.sophos.com/
+# ['Sophos-SSSP',
+# \&ask_daemon, ["{}", 'sssp:/var/run/savdi/sssp.sock'],
+# # or: ["{}", 'sssp:[127.0.0.1]:4010'],
+# qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],
+
+# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
+# ['Sophie',
+# \&ask_daemon, ["{}/\n", 'sophie:/var/run/sophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
+# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
+
+# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
+# ['Sophos SAVI', \&ask_daemon, ['{}','savi-perl:'] ],
+
+# ['Avira SAVAPI',
+# \&ask_daemon, ["*", 'savapi:/var/tmp/.savapi3', 'product-id'],
+# qr/^(200|210)/m, qr/^(310|420|319)/m,
+# qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m
+# settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1
+
+# ### http://www.clamav.net/
+# ['ClamAV-clamd',
+# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
+# qr/\bOK$/m, qr/\bFOUND$/m,
+# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+# # NOTE: run clamd under the same user as amavisd, or run it under its own
+# # uid such as clamav, add user clamav to the amavis group, and then add
+# # AllowSupplementaryGroups to clamd.conf;
+# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
+# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
+
+# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred)
+# # note that Mail::ClamAV requires perl to be build with threading!
+# ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'],
+# [0], [1], qr/^INFECTED: (.+)/m],
+
+# ### http://www.openantivirus.org/
+# ['OpenAntiVirus ScannerDaemon (OAV)',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
+# qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ],
+
+# ### http://www.vanja.com/tools/trophie/
+# ['Trophie',
+# \&ask_daemon, ["{}/\n", 'trophie:/var/run/trophie'],
+# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
+# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
+
+# ### http://www.grisoft.com/
+# ['AVG Anti-Virus',
+# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
+# qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ],
+
+# ### http://www.f-prot.com/
+# ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6
+# \&ask_daemon,
+# ["SCAN FILE {}/*\n", '127.0.0.1:10200'],
+# qr/^(0|8|64) /m,
+# qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m,
+# qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ],
+
+# ### http://www.f-prot.com/
+# ['F-Prot f-protd', # old version
+# \&ask_daemon,
+# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
+# ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202',
+# '127.0.0.1:10203', '127.0.0.1:10204'] ],
+# qr/(?i)<summary[^>]*>clean<\/summary>/m,
+# qr/(?i)<summary[^>]*>infected<\/summary>/m,
+# qr/(?i)<name>(.+)<\/name>/m ],
+
+# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
+# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
+# [pack('N',1). # DRWEBD_SCAN_CMD
+# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
+# pack('N', # path length
+# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
+# '{}/*'. # path
+# pack('N',0). # content size
+# pack('N',0),
+# '/var/drweb/run/drwebd.sock',
+# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot
+# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
+# # '127.0.0.1:3000', # or over an inet socket
+# ],
+# qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED
+# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF
+# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm,
+# ],
+# # NOTE: If using amavis-milter, change length to:
+# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").
+
+ ### http://www.kaspersky.com/ (kav4mailservers)
+ ['KasperskyLab AVP - aveclient',
+ ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
+ '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
+ '-p /var/run/aveserver -s {}/*',
+ [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
+ qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
+ ],
+ # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
+ # currupted or protected archives are to be handled
+
+ ### http://www.kaspersky.com/
+ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
+ '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ?
+ qr/infected: (.+)/m,
+ sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
+ sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+ ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
+ ### products and replaced by aveserver and aveclient
+ ['KasperskyLab AVPDaemonClient',
+ [ '/opt/AVP/kavdaemon', 'kavdaemon',
+ '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
+ '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
+ '/opt/AVP/avpdc', 'avpdc' ],
+ "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
+ # change the startup-script in /etc/init.d/kavd to:
+ # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
+ # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
+ # adjusting /var/amavis above to match your $TEMPBASE.
+ # The '-f=/var/amavis' is needed if not running it as root, so it
+ # can find, read, and write its pid file, etc., see 'man kavdaemon'.
+ # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
+ # directory $TEMPBASE specifies) in the 'Names=' section.
+ # cd /opt/AVP/DaemonClients; configure; cd Sample; make
+ # cp AvpDaemonClient /opt/AVP/
+ # su - amavis -c "${PREFIX}/kavdaemon ${DPARMS}"
+
+ ### http://www.centralcommand.com/
+ ['CentralCommand Vexira (new) vascan',
+ ['vascan','/usr/lib/Vexira/vascan'],
+ "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
+ "--log=/var/log/vascan.log {}",
+ [0,3], [1,2,5],
+ qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
+ # Adjust the path of the binary and the virus database as needed.
+ # 'vascan' does not allow to have the temp directory to be the same as
+ # the quarantine directory, and the quarantine option can not be disabled.
+ # If $QUARANTINEDIR is not used, then another directory must be specified
+ # to appease 'vascan'. Move status 3 to the second list if password
+ # protected files are to be considered infected.
+
+ ### http://www.avira.com/
+ ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus
+ ['Avira AntiVir', ['antivir','vexira'],
+ '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
+ qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
+ (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
+ # NOTE: if you only have a demo version, remove -z and add 214, as in:
+ # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
+
+ ### http://www.avira.com/
+ ### Avira for UNIX 3.x
+ ['Avira AntiVir', ['avscan'],
+ '-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m,
+ qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ],
+
+ ### http://www.commandsoftware.com/
+ ['Command AntiVirus for Linux', 'csav',
+ '-all -archive -packed {}', [50], [51,52,53],
+ qr/Infection: (.+)/m ],
+
+ ### http://www.symantec.com/
+ ['Symantec CarrierScan via Symantec CommandLineScanner',
+ 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
+ qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
+ qr/^(?:Info|Virus Name):\s+(.+)/m ],
+
+ ### http://www.symantec.com/
+ ['Symantec AntiVirus Scan Engine',
+ 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
+ [0], qr/^Infected\b/m,
+ qr/^(?:Info|Virus Name):\s+(.+)/m ],
+ # NOTE: check options and patterns to see which entry better applies
+
+# ### http://www.f-secure.com/products/anti-virus/ version 4.65
+# ['F-Secure Antivirus for Linux servers',
+# ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
+# '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '.
+# '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8],
+# qr/(?:infection|Infected|Suspected): (.+)/m ],
+
+ ### http://www.f-secure.com/products/anti-virus/ version 5.52
+ ['F-Secure Antivirus for Linux servers',
+ ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
+ '--virus-action1=report --archive=yes --auto=yes '.
+ '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
+ qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
+ # NOTE: internal archive handling may be switched off by '--archive=no'
+ # to prevent fsav from exiting with status 9 on broken archives
+
+# ### http://www.avast.com/
+# ['avast! Antivirus daemon',
+# \&ask_daemon, # greets with 220, terminate with QUIT
+# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
+# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
+
+# ### http://www.avast.com/
+# ['avast! Antivirus - Client/Server Version', 'avastlite',
+# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
+# qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
+
+ ['CAI InoculateIT', 'inocucmd', # retired product
+ '-sec -nex {}', [0], [100],
+ qr/was infected by virus (.+)/m ],
+ # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
+
+ ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT)
+ ['CAI eTrust Antivirus', 'etrust-wrapper',
+ '-arc -nex -spm h {}', [0], [101],
+ qr/is infected by virus: (.+)/m ],
+ # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
+ # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
+
+ ### http://mks.com.pl/english.html
+ ['MkS_Vir for Linux (beta)', ['mks32','mks'],
+ '-s {}/*', [0], [1,2],
+ qr/--[ \t]*(.+)/m ],
+
+ ### http://mks.com.pl/english.html
+ ['MkS_Vir daemon', 'mksscan',
+ '-s -q {}', [0], [1..7],
+ qr/^... (\S+)/m ],
+
+# ### http://www.nod32.com/, version v2.52 (old)
+# ['ESET NOD32 for Linux Mail servers',
+# ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
+# '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
+# '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
+# '--action-on-notscanned=accept {}',
+# [0,3], [1,2], qr/virus="([^"]+)"/m ],
+
+# ### http://www.eset.com/, version v2.7 (old)
+# ['ESET NOD32 Linux Mail Server - command line interface',
+# ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
+# '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ],
+
+# ### http://www.eset.com/, version 2.71.12
+# ['ESET Software ESETS Command Line Interface',
+# ['/usr/bin/esets_cli', 'esets_cli'],
+# '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ],
+
+ ### http://www.eset.com/, version 3.0
+ ['ESET Software ESETS Command Line Interface',
+ ['/usr/bin/esets_cli', 'esets_cli'],
+ '--subdir {}', [0], [1,2,3],
+ qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
+
+ ## http://www.nod32.com/, NOD32LFS version 2.5 and above
+ ['ESET NOD32 for Linux File servers',
+ ['/opt/eset/nod32/sbin/nod32','nod32'],
+ '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
+ '-w -a --action=1 -b {}',
+ [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
+
+# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
+# ['ESET Software NOD32 Client/Server (NOD32SS)',
+# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT
+# ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
+# qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],
+
+ ### http://www.norman.com/products_nvc.shtml
+ ['Norman Virus Control v5 / Linux', 'nvcc',
+ '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
+ qr/(?i).* virus in .* -> \'(.+)\'/m ],
+
+ ### http://www.pandasoftware.com/
+ ['Panda CommandLineSecure 9 for Linux',
+ ['/opt/pavcl/usr/bin/pavcl','pavcl'],
+ '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
+ qr/Number of files infected[ .]*: 0+(?!\d)/m,
+ qr/Number of files infected[ .]*: 0*[1-9]/m,
+ qr/Found virus :\s*(\S+)/m ],
+ # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
+ # before starting amavisd - the bases are then loaded only once at startup.
+ # To reload bases in a signature update script:
+ # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
+ # Please review other options of pavcl, for example:
+ # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
+
+# ### http://www.pandasoftware.com/
+# ['Panda Antivirus for Linux', ['pavcl'],
+# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
+# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
+# qr/Found virus :\s*(\S+)/m ],
+
+# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
+# Check your RAV license terms before fiddling with the following two lines!
+# ['GeCAD RAV AntiVirus 8', 'ravav',
+# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ],
+# # NOTE: the command line switches changed with scan engine 8.5 !
+# # (btw, assigning stdin to /dev/null causes RAV to fail)
+
+ ### http://www.nai.com/
+ ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
+ '--secure -rv --mime --summary --noboot - {}', [0], [13],
+ qr/(?x) Found (?:
+ \ the\ (.+)\ (?:virus|trojan) |
+ \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
+ :\ (.+)\ NOT\ a\ virus)/m,
+ # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
+ # sub {delete $ENV{LD_PRELOAD}},
+ ],
+ # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
+ # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
+ # and then clear it when finished to avoid confusing anything else.
+ # NOTE2: to treat encrypted files as viruses replace the [13] with:
+ # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
+
+ ### http://www.virusbuster.hu/en/
+ ['VirusBuster', ['vbuster', 'vbengcl'],
+ "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
+ qr/: '(.*)' - Virus/m ],
+ # VirusBuster Ltd. does not support the daemon version for the workstation
+ # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
+ # binaries, some parameters AND return codes have changed (from 3 to 1).
+ # See also the new Vexira entry 'vascan' which is possibly related.
+
+# ### http://www.virusbuster.hu/en/
+# ['VirusBuster (Client + Daemon)', 'vbengd',
+# '-f -log scandir {}', [0], [3],
+# qr/Virus found = (.*);/m ],
+# # HINT: for an infected file it always returns 3,
+# # although the man-page tells a different story
+
+ ### http://www.cyber.com/
+ ['CyberSoft VFind', 'vfind',
+ '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
+ # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
+ ],
+
+ ### http://www.avast.com/
+ ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
+ '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
+
+ ### http://www.ikarus-software.com/
+ ['Ikarus AntiVirus for Linux', 'ikarus',
+ '{}', [0], [40], qr/Signature (.+) found/m ],
+
+ ### http://www.bitdefender.com/
+ ['BitDefender', 'bdscan', # new version
+ '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m,
+ qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
+ qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
+
+ ### http://www.bitdefender.com/
+ ['BitDefender', 'bdc', # old version
+ '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
+ qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
+ qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
+ # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may
+ # not apply to your version of bdc, check documentation and see 'bdc --help'
+
+ ### ArcaVir for Linux and Unix http://www.arcabit.pl/
+ ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
+ '-v 1 -summary 0 -s {}', [0], [1,2],
+ qr/(?:VIR|WIR):[ \t]*(.+)/m ],
+
+# ### a generic SMTP-client interface to a SMTP-based virus scanner
+# ['av_smtp', \&ask_av_smtp,
+# ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@@localhost'],
+# qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ],
+
+# ['File::Scan', sub {Amavis::AV::ask_av(sub{
+# use File::Scan; my($fn)=@@_;
+# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
+# my($vname) = $f->scan($fn);
+# $f->error ? (2,"Error: ".$f->error)
+# : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @@_) },
+# ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ],
+
+# ### fully-fledged checker for JPEG marker segments of invalid length
+# ['check-jpeg',
+# sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @@_) },
+# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],
+# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
+# # for example in /usr/local/lib/perl5/site_perl
+
+);
+
+
+@@av_scanners_backup = (
+
+ ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
+ ['ClamAV-clamscan', 'clamscan',
+ "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
+ [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+
+# ### http://www.clamav.net/ - using remote clamd scanner as a backup
+# ['ClamAV-clamdscan', 'clamdscan',
+# "--stdout --no-summary --config-file=/etc/clamd-client.conf {}",
+# [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+
+# ['ClamAV-clamd-stream',
+# \&ask_daemon, ["*", 'clamd:/var/run/clamav/clamd'],
+# qr/\bOK$/m, qr/\bFOUND$/m,
+# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+
+ ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6
+ ['F-PROT Antivirus for UNIX', ['fpscan'],
+ '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10
+ [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
+ qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
+
+ ### http://www.f-prot.com/ - backs up F-Prot Daemon (old)
+ ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
+ '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8],
+ qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
+
+ ### http://www.trendmicro.com/ - backs up Trophie
+ ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
+ '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
+
+ ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD
+ ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier
+ ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
+ '-path={} -al -go -ot -cn -upn -ok-',
+ [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
+
+ ### http://www.kaspersky.com/
+ ['Kaspersky Antivirus v5.5',
+ ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
+ '/opt/kav/5.5/kav4unix/bin/kavscanner',
+ '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
+ '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
+ qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
+# sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
+# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+ ],
+
+# Commented out because the name 'sweep' clashes with Debian and FreeBSD
+# package/port of an audio editor. Make sure the correct 'sweep' is found
+# in the path when enabling.
+#
+# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl
+# ['Sophos Anti Virus (sweep)', 'sweep',
+# '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
+# '--no-reset-atime {}',
+# [0,2], qr/Virus .*? found/m,
+# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
+# ],
+# # other options to consider: -idedir=/usr/local/sav
+
+# Always succeeds and considers mail clean.
+# Potentially useful when all other scanners fail and it is desirable
+# to let mail continue to flow with no virus checking (when uncommented).
+# ['always-clean', sub {0}],
+
+);
+
+
+1; # insure a defined return value
+@
projects / config / helga / etc.git / commitdiff