Re: RelayedOpenRelay?

2022-07-21 Thread Dominic Raferd

On 21/07/2022 03:54, Alex wrote:
I realize this is an FAQ, but I've tried an exhaustive list of changes 
to try and solve it and still can't figure out why mail is reported 
as RelayedOpenRelay...
I get this all the time and I ignore it. I suggest you do the same, as 
long as you are confident you are not running an open relay, of course...


Re: Better antivirus (AV) protection?

2022-04-05 Thread Dominic Raferd

On 05/04/2022 08:57, Nikolaos Milas wrote:

Hello,

We have amavisd-new v2.12.1 in service with ClamAV v0.103.4 (on Rocky
Linux 8.5) together with additional unofficial signatures from
eXtremeSHOK (ref.: https://github.com/extremeshok/clamav-unofficial-sigs)

Yet, we are recently receiving a lot of mails with virus-infected
attachments (usually in 7z files) which are scanned by amavis/clamav but
are NOT getting detected.

Obviously, our current setup does not provide sufficient protection.

Based on your experiences with similar setups, can you please suggest
additional ways to provide high (or at least better) AV protection?
I found that amavis unpacking of 7z archives did not work, I removed 
that line from @decoders and now rely on clamav which can do this itself.


Re: problems with whitelisting

2022-03-24 Thread Dominic Raferd

On 24/03/2022 17:13, hiller wrote:

Dear list,

I have installed amavisd-new version 2.11.0. I have problems with whitelisting.
I have googled around and none of the solutions worked.
In amavisd.conf I did:

read_hash(\%whitelist_sender, '/etc/amavisd.whitelist_ext'),
@whitelist_sender_maps = (\%whitelist_sender),

/etc/amavisd.whitelist_ext contains:
.gooddomain.com
fri...@nospammer.org

This does not work. Mails from the good addresses are still spamchecked, 
bannedchecked and headerchecked.

This also does not work:
@whitelist_sender_maps = (['.gooddomain.com', 'fri...@nospammer.org']);


Also this does not work either:
read_hash(\%whitelist_sender, '/etc/amavisd.whitelist_ext');
@whitelist_sender_maps = (\%whitelist_sender);

$interface_policy{'10024'} = 'VIRUSONLY';
$policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon
  bypass_spam_checks_maps => ['@whitelist_sender_maps'], # don't spam-check this mail
  bypass_banned_checks_maps => ['@whitelist_sender_maps'], # don't banned-check this mail
  bypass_header_checks_maps => ['@whitelist_sender_maps'], # don't header-check this mail
};

For me bypass_*_checks_maps seems to be a global on/off switch. With this 
method I whitelist every address, regardless of the contents of 
/etc/amavisd.whitelist_ext.

These are the definition of the ports:
# 10024 = outside email - check, don't sign
# 10026 = inside email - check & sign
# 10028 = mailman - sign only; email was checked on delivery
$inet_socket_port = [10024, 10026, 10028];  # listen on multiple TCP ports


This should work:

@whitelist_sender_maps = ( read_hash('/etc/amavisd.whitelist_ext') );

But it may not be applied to mail inside policy banks, I am not sure. I 
avoid policy banks.


Note that amavis whitelisting applies *both* to the From: address *and* 
to the Envelope Sender i.e. if *either* one matches, the mail passes. 
This is not very wise IMO but it is how it is coded (same as for 
blacklisting, where it makes more sense).


I think a better approach than amavis whitelist is to reduce SA scoring 
for 'From:' addresses where appropriate.
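An added Python model of that lookup (not amavis code, and not the poster's configuration): it parses a constructed read_hash()-style file and applies the either-envelope-or-From: rule just described. The key order is an assumption taken from amavis's README.lookups, and friend@nospammer.org is a constructed stand-in for the truncated address in the post.

```python
import re

# Constructed whitelist file in the read_hash() format used in the post:
# one key per line, optional value after whitespace, '#' starts a comment.
# A leading dot matches the domain and all its subdomains; a full address
# matches that sender only.
WHITELIST_TEXT = """
# /etc/amavisd.whitelist_ext (constructed sample)
.gooddomain.com
friend@nospammer.org
"""


def read_hash(text):
    """Parse read_hash()-style lines into {lowercased key: value}.
    A key with no value gets 1 (true), as amavis's read_hash() does;
    numeric values are converted so that an explicit 0 reads as false."""
    table = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1] if len(parts) > 1 else 1
        if isinstance(value, str) and re.fullmatch(r'-?\d+(\.\d+)?', value):
            value = float(value)
        table[parts[0].lower()] = value
    return table


def lookup_keys(addr):
    """Candidate keys for one address, most specific first. The order is an
    assumption taken from amavis's README.lookups: full address, 'localpart@',
    the bare domain, the domain and each parent domain with a leading dot,
    and finally '.' as the catch-all."""
    addr = addr.lower()
    if '@' not in addr:
        return [addr, '.']
    local, domain = addr.rsplit('@', 1)
    keys = [addr, local + '@', domain]
    labels = domain.split('.')
    keys += ['.' + '.'.join(labels[i:]) for i in range(len(labels))]
    keys.append('.')
    return keys


def lookup(table, addr):
    """First key that exists in the table wins; None when nothing matches."""
    for key in lookup_keys(addr):
        if key in table:
            return table[key]
    return None


def is_whitelisted(table, envelope_sender, header_from):
    """The rule described in the reply: the mail is whitelisted when EITHER
    the envelope sender OR the From: header address matches a key."""
    return bool(lookup(table, envelope_sender) or lookup(table, header_from))


if __name__ == '__main__':
    table = read_hash(WHITELIST_TEXT)
    cases = [
        ('bob@mail.gooddomain.com', 'bob@mail.gooddomain.com'),  # subdomain of a .domain key
        ('friend@nospammer.org', 'friend@nospammer.org'),        # exact address key
        ('other@nospammer.org', 'other@nospammer.org'),          # same domain, no key
        ('bounce@bulk.example.net', 'ceo@gooddomain.com'),       # From: matches, envelope does not
    ]
    for env, frm in cases:
        print(f'envelope={env:26} from={frm:26} whitelisted={is_whitelisted(table, env, frm)}')
```

Note that in the policy-bank attempt quoted above the map entry is the single-quoted string '@whitelist_sender_maps', which amavis treats as a constant lookup result (always true), which is consistent with the global on/off behaviour observed; a reference to the array, \@whitelist_sender_maps, is what the bypass_*_checks_maps keys expect.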




Re: Keyword based custom subject warning

2022-03-07 Thread Dominic Raferd

On 07/03/2022 11:12, Damian wrote:
apparently, our users are receiving emails containing links and /or 
references to various publications, some of which are considered 
'predatory'. Emails usually contain ISSN (International Standard 
Serial Number) and the idea is to scan the body of an email for the 
ISSN and if it matches one on the 'blacklist', the subject of the 
email should be prepended with some specific warning (other than 
***SPAM***).


We're already using Amavisd-new on our inbound SMTP server, so I 
wonder if that would be possible with it?


This would have been a use-case for [1]. The corresponding Amavis 
feature is still unreleased, unfortunately.


[1] 
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#subjprefix


Good call. But if Amavis is calling SA (which is normal) this feature in 
SA can still be used can't it? As Benny has pointed out, changing the 
subject will break DKIM signing, but that may not matter to OP.


Re: Excluding blocking macro/xlsx/docx files to specific recipients?

2022-02-25 Thread Dominic Raferd

On 24/02/2022 19:37, Alex wrote:

Hi,
We have some users who receive machine-generated Excel spreadsheets
that have macros, but our policy is to block them outright...
A different possible approach is to use mraptor (see olevba project on 
Github) to analyse attachments that are macro-laden Office files to see 
if they may be malicious, and if not then the email can be delivered. 
The starting point is to use ClamAV to identify *any* emails with 
macro-laden attachments, then have them quarantined by Amavis, then 
subject them to bespoke (but automated) analysis, and - if they pass - 
release them with amavisd-release.


Re: Remove headers from Amavis

2022-01-21 Thread Dominic Raferd
I do not believe amavis can do this, but your MTA maybe can. Postfix has
this capability, and if you want complex conditions to be met you can use
postfwd, for example.

On Fri, 21 Jan 2022, 08:58 Miro Igov,  wrote:

> I do not use DMARC and am not interested in ARC rules.
>
> I asked is it possible that Amavis could strip any previous DKIM headers
> before placing it's own DKIM?
>


Re: disable bad header checks ?

2021-10-29 Thread Dominic Raferd

On 29/10/2021 06:32, li...@sbt.net.au wrote:

long time installation of amavisd-new
noticed some inbound emails end up in my badh inbasket

how do I disable bad header checks ?
the few emails in badh inbasket are all genuine, so I think I don't really
need it?

thanks for any pointers


set:

$final_bad_header_destiny = D_PASS;
$bad_header_quarantine_method = undef;



Re: How do you change the file decoder in amavisd-new?

2021-08-29 Thread Dominic Raferd

On 29/08/2021 04:03, Nick Tait wrote:


Hi there.

Apologies for resending this, but I discovered I had a problem with my 
DKIM signature on the original email, so it may have been blocked by 
many list recipients...


I've recently upgraded my email relay, which has amavisd-new 
installed, and when amavis starts up it logs all the file types which 
it doesn't have decoders for. Looking at the amavisd-new script, I can 
see that @decoders is set to:


  @decoders = (
    ['mail', \&Amavis::Unpackers::do_mime_decode],
#   [[qw(asc uue hqx ync)], \&Amavis::Unpackers::do_ascii],  # not safe
    ['F', \&Amavis::Unpackers::do_uncompress, \$unfreeze],
                              # ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
    ['Z', \&Amavis::Unpackers::do_uncompress, \$uncompress],
                              # ['uncompress', 'gzip -d', 'zcat'] ],
    ['gz', \&Amavis::Unpackers::do_uncompress, \$gunzip],
    ['gz', \&Amavis::Unpackers::do_gunzip],
    ['bz2', \&Amavis::Unpackers::do_uncompress, \$bunzip2],
    ['xz', \&Amavis::Unpackers::do_uncompress,
           ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
    ['lzma', \&Amavis::Unpackers::do_uncompress,
           ['lzmadec', 'xz -dc --format=lzma',
            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
    ['lrz', \&Amavis::Unpackers::do_uncompress,
           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
    ['lzo', \&Amavis::Unpackers::do_uncompress, \$unlzop],
    ['lz4', \&Amavis::Unpackers::do_uncompress, ['lz4c -d'] ],
    ['rpm', \&Amavis::Unpackers::do_uncompress, \$rpm2cpio],
                              # ['rpm2cpio.pl', 'rpm2cpio'] ],
    [['cpio','tar'], \&Amavis::Unpackers::do_pax_cpio, \$pax],
                              # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio'] ],
#   ['tar', \&Amavis::Unpackers::do_tar],  # no longer supported
    ['deb', \&Amavis::Unpackers::do_ar, \$ar],
#   ['a', \&Amavis::Unpackers::do_ar, \$ar],  # unpacking .a seems an overkill
    ['rar', \&Amavis::Unpackers::do_unrar, \$unrar],  # ['unrar', 'rar']
    ['arj', \&Amavis::Unpackers::do_unarj, \$unarj],  # ['unarj', 'arj']
    ['arc', \&Amavis::Unpackers::do_arc,   \$arc],    # ['nomarch', 'arc']
    ['zoo', \&Amavis::Unpackers::do_zoo,   \$zoo],    # ['zoo', 'unzoo']
    ['doc', \&Amavis::Unpackers::do_ole,   \$ripole],
    ['cab', \&Amavis::Unpackers::do_cabextract, \$cabextract],
    ['tnef', \&Amavis::Unpackers::do_tnef_ext, \$tnef],
    ['tnef', \&Amavis::Unpackers::do_tnef],
#   ['lha', \&Amavis::Unpackers::do_lha,   \$lha],  # not safe, use 7z instead
#   ['sit', \&Amavis::Unpackers::do_unstuff, \$unstuff],  # not safe
    [['zip','kmz'], \&Amavis::Unpackers::do_7zip,  ['7za', '7z'] ],
    [['zip','kmz'], \&Amavis::Unpackers::do_unzip],
    ['7z', \&Amavis::Unpackers::do_7zip,  ['7zr', '7za', '7z'] ],
    [[qw(gz bz2 Z tar)], \&Amavis::Unpackers::do_7zip,  ['7za', '7z'] ],
    [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&Amavis::Unpackers::do_7zip,  '7z' ],
    ['exe', \&Amavis::Unpackers::do_executable, \$unrar, \$lha, \$unarj],
  );


Which seems to say that 7z can be used for the following file extensions:

zip kmz
7z
gz bz2 Z tar
xz lzma jar cpio arj rar swf lha iso cab deb rpm

So after installing p7zip-full and p7zip-rar packages, which provide 
the 7z program (and also 7zr and 7za), I'm curious why I still see 
warnings for rpm, rar, arj and cab:


Aug 29 13:13:39 mx amavis[10781]: No ext program for   .rpm, tried: rpm2cpio.pl, rpm2cpio
Aug 29 13:13:39 mx amavis[10781]: No ext program for   .rar, tried: unrar-free
Aug 29 13:13:39 mx amavis[10781]: No ext program for   .arj, tried: arj, unarj
Aug 29 13:13:39 mx amavis[10781]: No ext program for   .cab, tried: cabextract

Does this mean that 7z isn't going to be used for these file types? 
And if so, is there something I can do to get amavis to use 7z for 
these file types?


Or should these messages just be ignored?

And on a related note, I know (on Windows at least) 7-zip can handle 
self-extracting exe files, although I notice that the "man 7z" manual 
page doesn't mention EXE files. So I wonder whether exe should or 
shouldn't be added to the list of files that 7z can handle in a future 
version of amavis?



You can set @decoders yourself (e.g. in /etc/amavis/conf.d/50-user).

I let ClamAV do the unpacking for extensions that it can handle (see 
https://www.clamav.net/documents/introduction), but I have:


[[qw(jar swf lha rpm)], \&do_7zip,  '7z' ],

and with $log_level = 1 when I reload amavis I see:

2021-08-29 09:06:01 streamingbats amavis[2976]: Found decoder for    .jar  at /usr/bin/7z
2021-08-29 09:06:01 streamingbats amavis[2976]: Found decoder for    .swf  at /usr/bin/7z
2021-08-29 09:06:01 streamingbats amavis[2976]: Found decoder for    .lha  at /u

Re: Amavisd-new policy banks and sasl_username in the returning smtpd instance

2021-05-20 Thread Dominic Raferd

On 20/05/2021 10:29, Egoitz Aurrekoetxea wrote:
I think I have been confusing XCLIENT with XFORWARD. I saw that 
Amavis entered different policy banks depending on the IP connecting 
to Postfix and I thought it was ... I don't really distinguish between 
XFORWARD and XCLIENT :)


I have been confusing concepts I assume...

So, there is no way of receiving the original sasl_username from Amavis, 
in order to have it available to a Postfix policy in the smtpd instance 
that receives mail back from Amavis? It would be valid for me too... if 
for instance:


Postfix auth -> Amavis auth  -> Returning Postfix auth instance

If in some manner the amavis SMTP feed always had to authenticate against 
the final returning smtpd instance, with Amavis being some sort of proxy 
at that moment?


Any ideas about how could I achieve my goal? :)

A workaround is to set 'smtpd_sasl_authenticated_header = yes' in the 
first (pre-Amavis) Postfix instance to add the sasl_username info to the 
new Received: header, then (after this information has been used in some 
way) strip it from the header in the second (post-Amavis) Postfix 
instance, so it does not pass to third parties. The latter action can be 
done by header_checks, e.g.


if /^Received: from .*by myserver\.tld/
/^(.*)\s*\(Authenticated sender:[^)]*\)\s*(.*)/ REPLACE $1$2
endif
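The header_checks entry above, worked through in Python as an added example (not part of the reply): it reads the sasl_username from a constructed Received: header, then applies the guarded REPLACE so that only headers added by myserver.tld lose the '(Authenticated sender: ...)' clause. The unfolding step is an assumption about how the header is fed in; Postfix itself matches the whole logical header.

```python
import re

# Constructed Received: headers as the post-Amavis smtpd instance would see
# them: the first was added by the authenticated submission instance on
# myserver.tld (with smtpd_sasl_authenticated_header = yes), the second by
# an unrelated relay and must be left alone.
RECEIVED_AUTH = (
    "Received: from client.example.org (client.example.org [192.0.2.10])\n"
    "\t(Authenticated sender: alice@myserver.tld)\n"
    "\tby myserver.tld (Postfix) with ESMTPSA id 4ABCDEF0123;\n"
    "\tThu, 20 May 2021 10:29:00 +0100"
)
RECEIVED_OTHER = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\t(Authenticated sender: someone@example.net)\n"
    "\tby relay.example.net (Postfix) with ESMTPSA id 7F00BAR;\n"
    "\tThu, 20 May 2021 09:58:00 +0000"
)

# The guard and the REPLACE pattern from the header_checks snippet above,
# in Python's re syntax (the same as the pcre used there).
GUARD = re.compile(r'^Received: from .*by myserver\.tld')
STRIP = re.compile(r'^(.*)\s*\(Authenticated sender:[^)]*\)\s*(.*)')
# Extractor for the sasl_username carried in that clause.
SASL = re.compile(r'\(Authenticated sender: ([^)\s]+)\)')


def unfold(header):
    """Join folded continuation lines into one logical header line.
    Assumption: Postfix does this itself before matching header_checks."""
    return re.sub(r'\r?\n[ \t]+', ' ', header)


def sasl_username(header):
    """Read the SASL login name before the clause is stripped."""
    m = SASL.search(unfold(header))
    return m.group(1) if m else None


def header_checks(header):
    """Apply the if/REPLACE/endif table to one logical header: only a
    Received: header produced by myserver.tld is rewritten, and only the
    '(Authenticated sender: ...)' clause is removed ($1$2 joins the rest)."""
    logical = unfold(header)
    if not GUARD.search(logical):
        return logical
    m = STRIP.match(logical)
    return m.group(1) + m.group(2) if m else logical


if __name__ == '__main__':
    for h in (RECEIVED_AUTH, RECEIVED_OTHER):
        print('sasl_username:', sasl_username(h))
        print('after header_checks:', header_checks(h))
        print()
```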




Re: The good old "permission denied", the ignored group memberships, and a proposed solution

2021-05-17 Thread Dominic Raferd

On 16/05/2021 16:37, Luc Pardon wrote:

On Sat, 15 May 2021 17:29:40 +0100 Dominic Raferd wrote:


I believe that if you use the new preferred way of calling clamav
i.e. with --fdpass, the whole permissions issue disappears.

Example:

@av_scanners = (
  ['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);

Thanks, but no, it does not work, I still get "Permission denied". The
wording is a little different, but the meaning is the same: no go.

That makes sense. In fact, clamdscan is just a client for clamd, and it
will talk to the daemon over the same socket that amavisd would use if
it talked directly to clamd. And because the client is run by
amavisd (after dropping privileges), it can't have more access than
amavisd itself...


The default setting for the clamav socket is to be world-readable and 
world-writeable. In Ubuntu (and Debian?) this is set explicitly (but 
presumably unnecessarily) in clamd.conf thus:


LocalSocketMode 666

Do you have mode 660?




Re: The good old "permission denied", the ignored group memberships, and a proposed solution

2021-05-15 Thread Dominic Raferd

On 15/05/2021 16:55, Luc Pardon wrote:

Recently I decided to do some restructuring of a Postfix/Amavis/ClamAV 
installation and ran into a puzzling situation. After some head-scratching, I 
came up with a solution and thought I'd share it, in case it should be helpful 
to others (that's also why I'm posting here, rather than to the developers 
list).

FWIW, the setup is Amavis 2.12.1 on Linux with Perl 5.30, and ClamAV 0.103.2. 
The packages are loosely based on Fedora but locally-built.

Now, as for the setup:

* There are two user accounts, "amavis" and "clamscan".
* Both are members of "clamgroup".
* The ClamAV socket is owned by user "clamscan",
* and "clamgroup" has r+w permission on it.

Unfortunately, that won't fly, at least not with $daemon_group = "amavis" in 
amavisd.conf. That brings the infamous "Permission denied" on the socket.

However, with $daemon_group = "clamgroup", all is well, and the amavisd
daemon can talk to clamd, as expected. Incidentally, that means that
things on disk are OK...


I believe that if you use the new preferred way of calling clamav i.e. 
with --fdpass, the whole permissions issue disappears.


Example:

@av_scanners = (
  ['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
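To make the permission question concrete (Luc's 660/clamgroup setup above and the 660 versus 666 question in the later reply), here is an added Python model, not code from either post: it applies the Unix owner/group/other check with $daemon_group as the process's only group, which is the behaviour Luc observed, and can run the same check against a live socket path.

```python
import grp
import os
import pwd
import stat


def dac_allows_rw(mode, owner, group, user, user_groups):
    """Plain Unix discretionary access check for read+write on a socket:
    owner bits if we own it, group bits if one of our groups matches the
    socket's group, otherwise the 'other' bits."""
    if user == owner:
        bits = (mode >> 6) & 0o7
    elif group in user_groups:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & 0o6 == 0o6


def amavis_can_open_socket(mode, owner, group, daemon_user, daemon_group):
    """Model of what Luc observed: the amavisd process ends up running as
    $daemon_user with $daemon_group as its only group, so supplementary
    memberships of the account (amavis being in clamgroup) do not help.
    Assumption: that is the effective credential set; the thread reports
    the symptom, not the mechanism."""
    return dac_allows_rw(mode, owner, group, daemon_user, [daemon_group])


def check_live_socket(path, daemon_user, daemon_group):
    """Run the same check against a real clamd socket, reading mode, owner
    and group from the file system (path is whatever LocalSocket is set to
    in clamd.conf on your host)."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f'{path} is not a socket')
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return amavis_can_open_socket(stat.S_IMODE(st.st_mode), owner, group,
                                  daemon_user, daemon_group)


if __name__ == '__main__':
    # The setup from the post: socket owned by clamscan:clamgroup, mode 660.
    scenarios = [
        (0o660, 'amavis'),     # $daemon_group = "amavis"    -> Permission denied
        (0o660, 'clamgroup'),  # $daemon_group = "clamgroup" -> works
        (0o666, 'amavis'),     # LocalSocketMode 666 -> works regardless of group
    ]
    for mode, dgroup in scenarios:
        ok = amavis_can_open_socket(mode, 'clamscan', 'clamgroup', 'amavis', dgroup)
        print(f'LocalSocketMode {mode:o}, $daemon_group={dgroup!r}: '
              f'{"OK" if ok else "Permission denied"}')
```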



Re: amavis user login shell needed?

2021-02-17 Thread Dominic Raferd

On 17/02/2021 18:18, Alexander Dalloz wrote:

On 17.02.2021 at 12:44, Dominic Raferd wrote:
On Linux, is it necessary that the amavis user have a valid login 
shell such as /bin/sh? For security I would prefer it to use a null 
shell.


If it makes a difference, our amavis calls clamdscan with --fdpass 
(the 'modern' way). And of course amavis uses SA in the normal way.


/sbin/nologin is valid and sufficient.

Alexander


Thanks that is helpful, I have implemented it now. In my case:

# usermod --shell /usr/sbin/nologin amavis
# usermod --shell /usr/sbin/nologin debian-spamd



amavis user login shell needed?

2021-02-17 Thread Dominic Raferd
On Linux, is it necessary that the amavis user have a valid login shell 
such as /bin/sh? For security I would prefer it to use a null shell.


If it makes a difference, our amavis calls clamdscan with --fdpass (the 
'modern' way). And of course amavis uses SA in the normal way.




Re: FW: amavis set nice level on ubuntu 18

2021-02-10 Thread Dominic Raferd
Try: man start-stop-daemon

The command adds -N10 to the call of start-stop-daemon

On Wed, 10 Feb 2021, 12:00 ,  wrote:

> Thank you Dominic, I have run this command, checked the change, done a
> reboot to be certain, checked again and it appears to have done the job.
>   Much appreciated. :)
>
> I spent a lot of time on this one, and if you can spare a bit of your
> time give me an insight on how this command works, so I can understand
> more clearly what has been done.
>
> TIA, Greg
>
> > I think this should work (and it writes a backup copy to amavis.bak):
>
> > sed -i.bak 's/daemon \(${START}\)/daemon -N10 \1/' /etc/init.d/amavis
>
> > On 2021-02-09 14:16, webmas...@vbox.com.au wrote:
> > Thankyou Dominic.
> >
> > Yes I do want to limit amavis, as it does use a bit of memory when
> > active.  No need for speed on the mail server side of things as only a
> > small number of domains/mail accounts.  Using iRedMail BTW.
> >
> > I have already set ClamAV to a suitable nice level using a method like
> > this:
> > =>
> >
> https://blog.christosoft.de/2018/07/debian-stretch-cpu-nice-level-of-daemons-like-spamassasin/
> >
> > I've created a file in /etc/systemd/system/amavis.service with this
> > directive.
> > 
> > ## Added to reduce the load on other services
> > Nice=10
> > 
> > However, this method doesn't work for amavis on Ubuntu 18 as the
> > directives are created by "systemd-sysv-generator" as noted below.  I
> > cannot find where that config file is, so that I can have it write the
> > desired nice level to the generated file.
> >
> > More ideas welcome, thank you.
>


Re: amavis set nice level on ubuntu 18

2021-02-09 Thread Dominic Raferd

I think this should work (and it writes a backup copy to amavis.bak):

sed -i.bak 's/daemon \(${START}\)/daemon -N10 \1/' /etc/init.d/amavis

On 09/02/2021 03:16, webmas...@vbox.com.au wrote:

Thankyou Dominic.

Yes I do want to limit amavis, as it does use a bit of memory when 
active.  No need for speed on the mail server side of things as only a 
small number of domains/mail accounts.  Using iRedMail BTW.


I have already set ClamAV to a suitable nice level using a method like 
this:
=> 
https://blog.christosoft.de/2018/07/debian-stretch-cpu-nice-level-of-daemons-like-spamassasin/


I've created a file in /etc/systemd/system/amavis.service with this 
directive.


## Added to reduce the load on other services
Nice=10

However, this method doesn't work for amavis on Ubuntu 18 as the 
directives are created by "systemd-sysv-generator" as noted below. I 
cannot find where that config file is, so that I can have it write the 
desired nice level to the generated file.


More ideas welcome, thank you.

On 2021-02-09 13:55, Postmaster @ MX wrote:

-Original Message-
From: Dominic Raferd < 
Sent: Monday, 8 February 2021 10:24 PM
To: amavis-users@amavis.org
Subject: Re: amavis set nice level on ubuntu 18

Hello, I want to set Amavis to a nice level around 15 so other
 services take priority.  I have done a lot of looking and found
where the file is that can accept a nice level, say Nice=15.

However that file amavis.service is in /run/systemd/generator.late
and is "Automatically generated by systemd-sysv-generator". Any
changes made to the file are overwritten.

I've tried putting the file amavis.service in /etc/systemd/system
and /lib/systemd/system but systemd-sysv-generator or Amavis
doesn't like that and throws an error.

I had found the directive DefaultLimitNICE=+15 and changed
both files /etc/systemd/user.conf and /etc/systemd/system.conf.
Still no change after restart the service or even a reboot.

Can do renice but it isn't persistent.

Does anyone have any pointer on where to put the Nice=15
directive so that it will work?

Are you sure you want to throttle Amavis rather than Clamav (which is
called by it)? My experience is that Clamav is the resource hog, so I
have:

# cat /etc/systemd/system/clamav-daemon.service.d/extend.conf
[Service]
# add -p switch to prevent error messages in syslog [D 30 Jul 2018]
ExecStartPre=-/bin/mkdir -p /run/clamav
ExecStartPre=/bin/chown clamav /run/clamav
# prevent clamd from being a resource hog
CPUQuota=80%
Nice=10
IOSchedulingClass=best-effort
IOSchedulingPriority=6




Re: Whitelisting server "non-deliverable" notices

2021-02-09 Thread Dominic Raferd

On 30/01/2021 09:15, Nikolaos Milas wrote:

I would like to ask: is there a way for an (incoming) mail gateway server
(i.e. a server accepting incoming mail for an organization) to somehow
detect/understand genuine non-deliverable notices and avoid blocking
them as spam?

These non-deliverable notices occur due to mail sent by our organization's
outgoing mail server (postfix/dovecot); if there is any problem,
the remote servers may reply with such notices, which in turn reach the
incoming mail gateway servers of our organization. These servers,
running postfix/amavis/clamav/spamassassin, usually block such responses
which, however, may be useful to the original sender.

I see a lot of such notices in the quarantine.

How do you handle this issue in your setups?


Your own mail gateway servers should not block DSNs that are in reply to 
your own senders (but should probably block DSNs issued by any onward 
relays for incoming mail from third parties). In postfix you block DSNs 
with smtpd_discard_ehlo_keywords=silent-discard,dsn (in master.cf for 
port 25[smtpd]), but leave it unset on auth ports (typically 
587[submission] and/or 465 [smtps]).


I am not sure why your amavis quarantines DSNs, it doesn't normally do 
so for us.




***ACHTUNG UNGEPRUEFT*** Re: amavis set nice level on ubuntu 18

2021-02-09 Thread Dominic Raferd
--- Begin Message ---
Hello, I want to set Amavis to a nice level around 15 so other 
services take priority.  I have done a lot of looking and found where 
the file is that can accept a nice level, say Nice=15.


However that file amavis.service is in  /run/systemd/generator.late 
and is  "Automatically generated by systemd-sysv-generator"  Any 
changes made to the file are overwritten.


I've tried putting the file amavis.service in /etc/systemd/system and 
/lib/systemd/system but systemd-sysv-generator or Amavis doesn't like 
that and throws an error.


I had found the directive DefaultLimitNICE=+15  and changed both files 
/etc/systemd/user.conf and /etc/systemd/system.conf.  Still no change 
after restart the service or even a reboot.


Can do renice but it isn't persistent.

Does anyone have any pointer on where to put the Nice=15 directive so 
that it will work?


Are you sure you want to throttle Amavis rather than Clamav (which is 
called by it)? My experience is that Clamav is the resource hog, so I have:


# cat /etc/systemd/system/clamav-daemon.service.d/extend.conf
[Service]
# add -p switch to prevent error messages in syslog [D 30 Jul 2018]
ExecStartPre=-/bin/mkdir -p /run/clamav
ExecStartPre=/bin/chown clamav /run/clamav
# prevent clamd from being a resource hog
CPUQuota=80%
Nice=10
IOSchedulingClass=best-effort
IOSchedulingPriority=6


--- End Message ---


***ACHTUNG UNGEPRUEFT*** Re: Normal mail classified as virus

2021-02-09 Thread Dominic Raferd
--- Begin Message ---

  
  
On 05/02/2021 17:55, Nikolaos Milas wrote:

We had a report that some normal emails from a gmail user would not 
reach their destination (users in our org).

It turned out that practically all of that user's mails were classified 
as virus infected. In those mails' headers (in the quarantine) I found:

X-Amavis-Alert: INFECTED, message contains virus:
sigs.InterServer.net.HEX.Topline.phisher.email.fros.gmail.760.UNOFFICIAL

and in the log:

Blocked INFECTED 
(sigs.InterServer.net.HEX.Topline.phisher.email.fros.gmail.760.UNOFFICIAL) 
{DiscardedInbound,Quarantined}

It was very strange, because some of these emails were essentially 
empty, sent as test messages.

Question 1: Is there a way to disable checking for that (or any other) 
specific virus signature?

Additionally, I see in the virus quarantine that a lot of mail messages 
were in fact spam and not virus-infected. Obviously, everything that 
clamd discards is classified as virus; yet, some of the clamd signatures 
may not target viruses but spam.

In our setup I am using extremeshok.com unofficial sigs. Some of them 
may be more offensive than they should.

Question 2: Is there a way to reduce impact of some clamd scans by 
forcing a score to such positive tests rather than directly discarding 
mail based on their results?

  

@virus_name_to_spam_score_maps - the latest default list can be
obtained from
https://gitlab.com/amavis/amavis/-/blob/master/conf/amavisd.conf-default.
Start with this and then modify as required.

  

--- End Message ---


Re: Blocking cannibalized spam/virus mail with password-protected attachments

2020-12-22 Thread Dominic Raferd



On 22/12/2020 08:39, Nikolaos Milas wrote:

On 22/12/2020 10:24 a.m., Nikolaos Milas wrote:

Can you please suggest ways in which we can configure amavis so as to 
recognize and drop this kind of mail?


Another, probably better, approach would be to add to amavis a scan 
rule like:


If body contains text like:

   Password archivio: 
   -or-
   Archive pass: 

   [where  is a 3- or 4-digit number]

...followed by any number of spaces and/or end-of-line characters and 
then by the exact Sender name, then send to quarantine.


That, because all such mails include in the body the following 
(injected) text:


   Password archivio: 851


   The_exact_Sender_name
   The_original_sender_email (i.e. not the changed one)

Can someone please compose such a rule and guide me how to add it to 
amavis?



If you are using a reasonably modern version of ClamAV then just turn on 
one or more of these options in clamd.conf to enable identification (see 
man clamd.conf):


AlertEncrypted yes
AlertEncryptedArchive yes
AlertEncryptedDoc yes

and reload ClamAV. The normal amavis settings will then treat any emails 
that are flagged as virus-laden. What happens in that case depends on 
your other amavis settings, especially $virus_quarantine_method.




Re: Blocking by country

2020-10-20 Thread Dominic Raferd
On Wed, 21 Oct 2020 at 01:57, Alex  wrote:
> I have a fedora32 server system with amavisd and postfix installed and
> would like to block all email from China and a number of other
> countries. It doesn't look like there's an easy way to do this.
>
> Perhaps a better approach would be to block all email and only allow
> connections from US servers (even though foreign email could be routed
> through a US server first)?
>
> Would the GeoIP stuff be helpful in amavisd? Perhaps we can block by ASN?
>
> I'm also using spamassassin and could write rules to block email based
> on the TLD, like .cn etc.
>
> Perhaps we could create a policy bank or domain map with a list of the
> different countries? Maybe a sender map that can block on a
> per-recipient basis?
>
> I've done quite a bit of searching and most of what I see is from
> decades ago to links that no longer exist.

I have code to set up GeoIP2 for use in SA (not GeoIP which is
deprecated), but for Ubuntu i.e. using apt and Maxmind's Launchpad
repository. GeoIP2 works pretty well, it can geolocate most IPs. I use
it to raise the SA/amavis score for mails from 'suspect' countries.

Alternatively I vaguely recall a discussion either here or on the SA
list about RBLs that offer responses allowing filtering by
geolocation, you might be able to find it by googling or someone here
may remember better.


Re: clamav (under amavis) not filtering out viruses!

2020-10-15 Thread Dominic Raferd
 On Thu, 15 Oct 2020 at 12:15, Nikolaos Milas  wrote:
>
> On 15/10/2020 12:52 μ.μ., Dominic Raferd wrote:
>
> > start with something like this to check your amavis virus settings:
> > ...
> > There are other possible explanations too e.g. is amavis calling
> > clamav for incoming mails or is clamav being called directly by the
> > MTA? have you got clamav and amavis user permissions sorted (ensured
> > that clamav and amavis users are both members of each other's group)?
>
> Hi Dominic,
>
> Here is the info you requested (there is no amavis conf.d directory in
> this amavis package):
>
> # grep -r virus_ /etc/amavisd.conf | sed 's/\s*#.*//;/^$/d;/.*:$/d'|sort
> @addr_extension_virus_maps  = ('virus');
> bypass_virus_checks_maps  => [1],
> $final_virus_destiny  = D_DISCARD;
> @virus_name_to_spam_score_maps =
> $virus_quarantine_method = "local:virus/%n-%m" ;
>
> (I am attaching the whole amavisd.conf for your reference.)
>
> Postfix is calling amavis which in turn scans (clamav / SA) mail:
>
> ===  from postfix main.cf
> 
>
> content_filter = smtp-amavis:[127.0.0.1]:10024
>
> ==
>
> Permissions are OK, because the setup works and *some* viruses are
> identified and quarantined.
>
> However, the thing here is that the main definition database seems to
> not being used. What should we check to make sure that all definition
> databases are being used for filtering?
>
> Can we make sure that the main database is updated correctly and used
> successfully?
>
> By the way, freshclam.log shows successful database updates; for
> example, today:
>
> ==
> ClamAV update process started at Thu Oct 15 04:02:26 2020
> main.cld is up to date (version: 59, sigs: 4564902, f-level: 60,
> builder: sigmgr)
> Downloading daily-25957.cdiff [100%]
> daily.cld updated (version: 25957, sigs: 4330982, f-level: 63, builder:
> raynman)
> Can't query
> daily.25957.77.1.0.260647006810da54.ping.clamav.net
> bytecode.cld is up to date (version: 331, sigs: 94, f-level: 63,
> builder: anvilleg)
> Database updated (8895978 signatures) from db.gr.clamav.net (IP:
> 2606:4700::6810:da54)
> Clamd successfully notified about the update.
> ==
>
> I am also listing for your reference:
> # ls -lt /var/clamav/
> total 777108
> drwxr-xr-x 6 clamav clamav  4096 Oct 15 12:14 tmp
> -rw-rw-r-- 1 clamav clamav181612 Oct 15 12:10 blurl.ndb
> ...
> I am attaching here the whole amavisd.conf for your reference.
>

It is unlikely that clamav is not reading its official databases, but
it is very rare for viruses to be found through the official
databases, so the hits you will see in the real world will come from
the unofficial databases (which need to be updated regularly too).
Worth checking your clamav settings (e.g. in /etc/clamav/clamd.conf).

Now I look more closely at your amavis log I see:
Turning AV infection into a spam report: score=5,
AV:winnow.malware.test.eicar.com.UNOFFICIAL=5

This happens because of the settings for
@virus_name_to_spam_score_maps in your amavisd.conf, specifically:
[ qr'^winnow\.malware\.'  => 5.0 ]
- this causes viruses that are identified by a name starting with
'winnow.malware.' to be 'converted' into spam and given a score +5.0.

I think you need to revisit your settings for
@virus_name_to_spam_score_maps. You could remove them entirely to use
the default settings for your version of amavis, or pick up the
latest'n'greatest default settings from
https://gitlab.com/amavis/amavis/-/blob/master/conf/amavisd.conf-default:
I use these with some modifications (including changing scores from
0.1 to 3.0).
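An added Python walk-through of that conversion (not amavis code): a maps list in the shape of @virus_name_to_spam_score_maps, with the winnow entry quoted above plus constructed entries, evaluated first-match-wins, and the resulting disposition against a SpamAssassin kill level. The rule that every AV hit must map to a score for the conversion to happen, and the 6.31 kill level used in the demo, are assumptions.

```python
import re

# A maps list in the shape of amavis @virus_name_to_spam_score_maps:
# (regex, score) pairs evaluated in order, FIRST MATCH WINS. A score of None
# (Perl undef) means "keep treating the hit as an infection". The winnow
# entry is the one quoted from the poster's amavisd.conf; the other two are
# constructed for illustration and are not the amavis defaults.
VIRUS_NAME_TO_SPAM_SCORE_MAPS = [
    (re.compile(r'^Sanesecurity\.(Malware|Rogue|Trojan)\.'), None),  # keep as infected
    (re.compile(r'^winnow\.malware\.'), 5.0),                         # quoted above
    (re.compile(r'^Sanesecurity\.'), 0.1),                            # low-value spam sigs
]


def virus_to_spam_score(virus_name, maps=VIRUS_NAME_TO_SPAM_SCORE_MAPS):
    """Score the AV hit is converted into, or None if it stays a virus hit
    (no entry matched, or the first matching entry carries None)."""
    for pattern, score in maps:
        if pattern.search(virus_name):
            return score
    return None


def disposition(virus_names, sa_score, kill_level, final_virus_destiny='D_DISCARD'):
    """Decide what happens to one message given its AV hits, its SpamAssassin
    score and the kill level ($sa_kill_level_deflt). Assumption: every hit
    must map to a score for the conversion to happen; otherwise the message
    is handled as INFECTED under $final_virus_destiny.
    Returns (verdict, log_line) in the style of the amavis log quoted above."""
    converted = {}
    for name in virus_names:
        score = virus_to_spam_score(name)
        if score is None:
            return ('INFECTED', f'Blocked INFECTED ({name}) -> {final_virus_destiny}')
        converted[name] = score
    added = sum(converted.values())
    av = ', '.join(f'AV:{name}={score:g}' for name, score in converted.items())
    log = f'Turning AV infection into a spam report: score={added:g}, {av}'
    verdict = 'SPAM' if sa_score + added >= kill_level else 'PASS'
    return (verdict, log)


if __name__ == '__main__':
    eicar_unofficial = 'winnow.malware.test.eicar.com.UNOFFICIAL'
    for names, sa in [([eicar_unofficial], 0.5), ([eicar_unofficial], 2.0),
                      (['Eicar-Test-Signature'], 0.5)]:
        verdict, log = disposition(names, sa, kill_level=6.31)
        print(f'{verdict:8} sa_score={sa}  {log}')
```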


Re: clamav (under amavis) not filtering out viruses!

2020-10-15 Thread Dominic Raferd
On Thu, 15 Oct 2020 at 09:52, Nikolaos Milas  wrote:
>
> Hello,
>
> As you may also see in another mail (thread) I have started (for bayes
> db migration), we have an installation with
> postfix/amavis/clamav/spamassassin on CentOS 6 using (legacy?) rpmforge
> packages (for amavis/clamav).
>
> The setup includes scamp 5.6
> (https://sourceforge.net/projects/scamp/files/scamp/scamp-5.6/), which
> seems unsupported (not updated since 2013), to include additional clamav
> definition files.
>
> In fact, we have two identical mail gateway servers for incoming mail. I
> have started migrating the one of them, so it is no more available as an
> MX server.
>
> My problem is with our currently one and only MX Server (yes the one
> with the rpmforge installation): it seems to be allowing virus-infected
> mails to pass through. (The same problem was occurring to the other twin
> server, that's why I started migration.)
>
> Our users have started receiving significant amounts of virus-infected
> mails, and this issue has triggered an investigation from our part, to
> find out the cause.
>
> I have tested with a test signature
> (https://www.eicar.org/?page_id=3950) in an attachment and although it
> was detected, it reached its destination as sent, without modification.
> I found in amavisd.log:
>
> ...
>
> Please advise me: how can I find out what is going wrong with
> clamav/amavis and correct things?
>
> In essence, we need to stop the virus-infected mail flooding.

Start with something like this to check your amavis virus settings:

grep -r virus_ /etc/amavis/conf.d|sed 's/\s*#.*//;/^$/d;/.*:$/d'|sort

Typically the output would include something like this (and not overridden
by later lines):

$final_virus_destiny  = D_DISCARD;
$virus_quarantine_method = 'local:virus-%m';

- with these settings the incoming email is not actually discarded, it
is placed in local quarantine. But if you have D_PASS then the virus
passes straight through.

There are other possible explanations too, e.g. is amavis calling
clamav for incoming mails or is clamav being called directly by the
MTA? Have you got clamav and amavis user permissions sorted (ensured
that clamav and amavis users are both members of each other's group)?
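
Added example (not from the thread, and not amavis's own code): a small Python audit that applies the same idea as the grep one-liner above, but merges a conf.d tree the way amavis reads it (files in lexical order, last assignment wins) and reports the settings that let viruses through or switch off SpamAssassin network tests ($sa_local_tests_only, which comes up again further down this page). The file names, their contents and the list of variables checked are this example's own constructions.

```python
import re

# Constructed stand-in for a Debian-style /etc/amavis/conf.d tree; these are
# not files from the thread. amavis reads the files in lexical order, so an
# assignment in 50-user wins over the same variable in 20-debian_defaults.
SAMPLE_CONF_D = {
    "20-debian_defaults": """
use strict;
$final_virus_destiny     = D_DISCARD;   # virus is quarantined, not delivered
$final_banned_destiny    = D_BOUNCE;
$virus_quarantine_method = 'local:virus-%m';
$sa_local_tests_only     = 0;           # razor/pyzor/DNSBL lookups allowed
$child_timeout           = 8*60;
1;  # ensure a defined return
""",
    "50-user": """
use strict;
# a "temporary" change someone forgot about
$final_virus_destiny = D_PASS;
$sa_local_tests_only = 1;
1;
""",
}

# Matches a top-level scalar assignment such as:  $name = value;
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?)\s*;\s*$")


def strip_comment(line):
    """Drop a trailing '# ...' comment, as naively as the sed in the thread
    does (a '#' inside a quoted string would be cut off too)."""
    return re.sub(r"\s*#.*$", "", line)


def effective_settings(conf_d):
    """Return {variable: (value, file)} after last-assignment-wins merging
    of the files in lexical (amavis) order."""
    settings = {}
    for fname in sorted(conf_d):
        for line in conf_d[fname].splitlines():
            m = ASSIGN_RE.match(strip_comment(line))
            if m:
                settings[m.group(1)] = (m.group(2), fname)
    return settings


# (variable, predicate that is True when the value is acceptable, reason)
CHECKS = [
    ("final_virus_destiny", lambda v: v != "D_PASS",
     "infected mail is delivered to recipients"),
    ("virus_quarantine_method", lambda v: v not in ("undef", "''", '""'),
     "no virus quarantine, so D_DISCARD silently loses the mail"),
    ("sa_local_tests_only", lambda v: v in ("0", "undef"),
     "SpamAssassin network tests (razor, pyzor, DNSBLs) are switched off"),
]


def audit(conf_d):
    """Return (variable, value, file, reason) for settings that weaken virus
    or spam handling. Unset variables keep the amavis defaults and are not
    reported."""
    settings = effective_settings(conf_d)
    findings = []
    for var, acceptable, reason in CHECKS:
        if var in settings:
            value, src = settings[var]
            if not acceptable(value):
                findings.append((var, value, src, reason))
    return findings


if __name__ == "__main__":
    for var, value, src, reason in audit(SAMPLE_CONF_D):
        print("%s: $%s = %s; -> %s" % (src, var, value, reason))
```

Like the grep, this only sees simple one-line scalar assignments; settings inside a policy bank or a per-recipient map can still override what it reports, so treat the output as a starting point rather than a verdict.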


Re: preserving envelope address via X-Original-to

2020-10-14 Thread Dominic Raferd
On Wed, 14 Oct 2020 at 10:34, Andrey Lelikov  wrote:
>
> Good day.
>
> A newbie amavisd-new user here. I run a small mail server for myself &
> family. Recently I've changed from to a iredmail system and discovered
> postfix/amavisd setup. For a long time I have a set of filters that rely
> on the X-Envelope-to header, and suddenly all these filters stopped working.
>
> This question was apparently discussed here several times, yet I failed
> to find an up to date answer.
>
> So, firstly, BCC reveal is not the issue - this is a family setup and
> all users are in "trusted circle" - if the message is sent to two or
> more users via BCC it is explicitly OK for any user of this server to
> learn other BCC recipients.
>
> My perl knowledge is very limited, but as it was mentioned here, the
> X-Envelope-to could be added inside add_forwarding_header_edits_common sub .
>
> I'm using a debian system, and my understanding is that it is possible
> to add a hook to amavis/conf.d/something that would modify actions
> inside add_forwarding_header_edits_common without hacking original
> script in /usr/sbin ?
>
> Is this possible? The specific code would be very welcome.

The X-Original-To header is normally added by the postfix delivery
agent (local, smtp, virtual etc). Are you sure it isn't being stripped
by something bespoke in your system?


Re: Permission Denied Issue in amavisd service

2020-08-26 Thread Dominic Raferd
On Wed, 26 Aug 2020 at 14:01, Aung Ye Kyaw  wrote:
>
> Dear Sirs,
>
> I would like to ask about one issue: I added a new dkim in the amavisd.conf file
> and then restarted the amavisd service, but the service failed, so I changed back to the
> original amavisd.conf file. The service still fails. Let me know why this
> happened? Please help me if you are available. Thank you so much.

It looks as if user 'amavis' needs read permission for
/etc/amavisd/amavisd.conf e.g.
chmod a+r /etc/amavisd/amavisd.conf

But as you are using a different version of amavis and/or on a
different distribution to me, I cannot be certain.


Re: Outgoing mail being scanned? Open relay warning.

2020-08-05 Thread Dominic Raferd
On Wed, 5 Aug 2020 at 19:19, Ian Evans  wrote:
>
> On Tue, Aug 4, 2020 at 6:19 PM Patrick Ben Koetter  wrote:
>>
>> Ian,
>>
>> * Ian Evans :
>> > On Tue, Aug 4, 2020 at 3:38 PM Matus UHLAR - fantomas 
>> > wrote:
>> >
>> > > >Open relay? Nonlocal recips but not originating: [person I'm emailing]
>> > >
>> > > this happens when 'originating' flag is not set and recipient is not 
>> > > local.
>> > > maybe you don't have $mynetworks amavis variable set
>> > >
>> >
>> > Okay bizarre. Just did a grep on my conf.d dir and 'originating' and
>> > '$mynetworks' don't appear in any of these files:
>> [snip]>
>> > Again except for these outgoing notices in the logs, the server has worked
>> > fine for years. Amavis, Postfix and Dovecot are all on the same server.
>>
>> for any domain/recipient that amavis should feel responsible for add its name
>> to @local_domains_maps or let amavis read it from a file, e.g.
>> /etc/postfix/relay_domains:
>>
>> @local_domains_maps = (
>> ".$mydomain",
>> read_hash('/etc/postfix/relay_domains')
>> );
>>
>> This will tell amavis what it should classify as "incoming".
>>
>> For any IP address/network that is internal add it to @mynetworks. This will
>> tell amavis which sources are internal:
>>
>> @mynetworks = qw(
>> 127.0.0.0/8
>> );
>>
>> In reverse conclusion all other senders not listed in @mynetworks are
>> considered to be "outside".
>>
>> If your authenticated senders submit messages via Port 465 or 587 then route
>> their messages into a dedicated port into amavis and assign that port to a
>> policy bank, where you declare everything in that policy bank as originating:
>>
>> # Claim the port:
>> @listen_sockets = (
>> # Release
>> '[::1]:9998',
>> # Post-Queue, Submission
>> '[::1]:10024',
>> # Pre-Queue, MTA to MTA
>> "$MYHOME/amavisd.sock"
>> );
>>
>> # Assign the port to a $policy_bank:
>> $interface_policy{'10024'}  = 'SUBMISSION';
>>
>> # Tag everything as $originating in that policy_bank:
>> $policy_bank{'SUBMISSION'} = {
>> originating => 1,
>> bypass_spam_checks_maps => [1],
>> final_virus_destiny => D_BOUNCE,
>> final_banned_destiny=> D_PASS,
>> final_bad_header_destiny => D_PASS,
>> banned_filename_maps => ['MYNETS-DEFAULT'],
>> warnbadhsender => 0,
>> forward_method => 'smtp:127.0.0.1:10025',
>> notify_method => 'smtp:127.0.0.1:10025',
>> undecipherable_subject_tag => undef,
>> };
>>
>>
>> > Just so I don't upset the apple cart, what do I need to add and to which
>> > file do I need to add it?
>>
>> I suggest you copy over 50-user to 60-mysystem and add your local config
>> there. It will never be overwritten by an update.
>>
>
>  Patrick, thanks for the detailed notes. I wanted to respond when I had time 
> to look at my setup. A few questions:
>
> I only handle email for my domain so I'm assuming this is okay?
>
>   @local_domains_maps = (
> ".$mydomain"
> );
> @mynetworks = qw(
> 127.0.0.0/8
> );
>
> My biggest question and config I don't want to foul up is the submission 
> section for the amavis config.
>
> Here's what's in my master.cf in Postfix:
>
> submission inet n   -   -   -   -   smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
> #OpenDKIM signing
>   -o smtpd_milters=inet:localhost:12345
>
> So the email is sent to port 587 and processed through OpenDKIM. Being coffee 
> and sleep-deprived I don't want to FUBAR anything in the amavis config? Your 
> example said to claim the port:
>
>   # Claim the port:
> @listen_sockets = (
> # Release
> '[::1]:9998',
> # Post-Queue, Submission
> '[::1]:10024',
> # Pre-Queue, MTA to MTA
> "$MYHOME/amavisd.sock"
> );
>
> So which one do I change? And will that interfere with the master.cf 
> submission interfacing with OpenDKIM.
>
> Thanks again. If I was feeling better I'm sure this would be clearer to me.
>
> Take care.

Do you need to change anything? I see OpenRelay reported by amavis all
the time and I just ignore it (I know I am not running an open relay).
And I think it is wise to have amavis check outgoing emails.


Re: Re: Timeout Amavis AV-Scan?

2020-07-07 Thread Dominic Raferd
On Tue, 7 Jul 2020 at 11:12,  wrote:
>
> Hi,
>
> in var/mail.log I see that amavis does not wait until longer av-scan results 
> are available.
> There is a timeout.
>
>  av-scanner FAILED: run_av error: Exceeded allowed time\n
>
> Would be great to know, how/where to customize this timeout.
>
> --
> Best regard,
> -Benjamin-
>
>
> Sent: Monday, 29 June 2020 at 18:04
> From: "Damian" 
> To: amavis-users@amavis.org
> Subject: Re: Timeout Amavis AV-Scan?
>
>
> is it somehow possible to define, how long amavis should wait for the result 
> of an AV-Scan?
> Is it customizable?
>
> Nothing I am aware of. There is a confvar $child_timeout, but that timeout is 
> for the whole mail processing.
>
>
> In 15-av-scanner config file I added a script and inserted a delay of 60sec 
> on purpose... but amavis does not wait until my delay is out of time and 
> sends the mail to the user instantly...
>
>
> Sounds strange. Are you sure that your av script got executed?

Set $child_timeout. The default setting is 8*60 i.e. 8 minutes. So you
could try:
$child_timeout = 20*60;


Re: skip checking for mail address

2020-05-18 Thread Dominic Raferd
On Mon, 18 May 2020 at 15:37, Matus UHLAR - fantomas  wrote:
>
> seems that addresses used in bypass_virus_checks_maps and
> bypass_spam_checks_maps, are the envelope from addresses.
>
> We have gateway that sends reports with envelope addresses empty ("<>"), but
> From: in headers is in form MAILER-DAEMON@mail.gateway
>
> unfortunately, other mails come through the gateway with empty envelope
> from, so the only address I can safely (gateway takes care of faking the
> address) whitelist is therefore the header address.
>
> is it possible to use header address in whitelisting?
>
> Or is there any trick to whitelist such address?

@whitelist_sender_maps whitelists based on either of the From header
address or the envelope sender address. (It is not very good behaviour
IMO: I suspect the code was really written for @blacklist_sender_maps
and just carried over to work with the whitelist, the behaviour is
conservative for a blacklist but risks letting through bad stuff with
a whitelist. I don't use this type of whitelisting at all any more.)


Re: Unable to load spamassassin

2020-04-01 Thread Dominic Raferd
On Wed, 1 Apr 2020 at 13:09, Marcio Merlone  wrote:
>
> I had to disable pyzor.
>
> use_pyzor 0
>
>

In general pyzor works fine with SA and amavis. But you should have
(e.g. in /etc/spamassassin/local.cf):
pyzor_timeout 20


Re: Finding the version number from amavis.

2020-01-18 Thread Dominic Raferd
On Sat, 18 Jan 2020 at 07:52, Hoyer-Reuther, Christian <
christian.hoyer-reut...@cac-chem.de> wrote:

> grep myversion_id amavisd-new
>
> -----Original Message-----
> From: amavis-users  cac-chem...@amavis.org> On behalf of Philip
> Sent: Saturday, 18 January 2020 05:32
> To: amavis-users@amavis.org
> Subject: Finding the version number from amavis.
>
> How do I find out what version of amavis-new is running on your server?
>

for example:
# grep -a "amavis.*starting" /var/log/mail.log|tail -n1
2020-01-18 01:00:02 streamingbats amavis[5780]: starting. (warm)
/usr/sbin/amavisd-new at streamingbats.co.uk amavisd-new-2.11.0 (20160426),
Unicode aware, LC_ALL="C", LANG="en_GB.UTF-8"


Re: Extra support for some archive types

2019-08-10 Thread Dominic Raferd
On Sat, 10 Aug 2019 at 10:41, korsar...@gmail.com 
wrote:

> Ralph Seichter wrote in a message on Sat, 10 Aug 2019 00:05:12 +0300:
>
> > * korsar:
> >
> >> 1) ACE has no support at all, need to add it
> >
> > Not having seen ACE archives in the wild for more than 10 years, I don't
> > think so. Besides, to my knowledge ACE is a proprietary format with a
> > Windows focus and a license that does not permit including it in free
> > software.
> >
> >> 2) gzip - gzip -d command changes original file names of extracted
> >> files, [...] 7z, please.
> >
> > You can adjust filetype-to-decoder mappings in your amavisd.conf if you
> > don't like the defaults.
> >
> > -Ralph
>
> I mean 7zip supports 35 archive types, any of them may be used to hide
> ransomware in the .rar or .zip file and opened by end user. So the mail
> system is only half protected.
>
> How I can make filetype-to-decoder mappings in amavisd.conf?
> Set "$gzip   = '7z';"?
>

Example:
@decoders = (
[snip]
  ['7z',   \&do_7zip,   ['7zr','7za','7z'] ],
  ['rar',  \&do_unrar,  ['unrar-free','7zr','7za','7z'] ],
[snip]
);


Re: Spam sneaking in.

2019-08-05 Thread Dominic Raferd
On Mon, 5 Aug 2019 at 23:15, Bob D  wrote:

> Well, I am still getting some sneaking in and it still seems funny, here
> is one from today.
> This is the header as it came in:
>
> ...
>
> There was some time difference between the message in and the command line 
> run, but still big difference.
> Also I am wondering why the preceding "Content analysis details:" are not 
> included in the original amavis header ?
> Is there a way to get amavis to include this detail ?
> I wonder if I still have a config issue ?
> Am I performing an equivalent SA call via the command line?
>
>
Maybe you have amavis set to allow spamassassin only to run local tests?
Try this:
grep -Fr '$sa_local_tests_only' /etc/amavis/conf.d

If you make a change you then need to reload or restart amavis.


Re: Log SpamAsssassin X-Spam-Status (rules and scores) into amavis log file

2019-07-19 Thread Dominic Raferd
On Fri, 19 Jul 2019 at 14:06, mabi  wrote:

> Hello,
>
> I would like to log the typical X-Spam-Status mail header which gets added
> by SpamAssassin to a mail into the amavis log file in order to track the
> rules and their scores which get triggered by ham and spam mails.
>
> Is this somehow possible with Amavis?
>

The X-Spam-Status header is added by Amavis itself. With postfix (and
postfix-pcre) you could log it thus (untested):

/etc/postfix/master.cf:
...
# this smtpd receives emails being re-injected into postfix by amavis
127.0.0.1:10025 inet n   -   y   -   -   smtpd
...
  -o cleanup_service_name=cleanup_post_amavis
...
cleanup_post_amavis unix  n   -   y   -   0 cleanup
...
  -o header_checks=pcre:/etc/postfix/log_spam_status.pcre
...

/etc/postfix/log_spam_status.pcre:
/^(X-Spam-Status: .*)$/ INFO ${1}

Note that due to a feature (bug?) any 'X-Spam-Status' line in a quarantined
email is stripped out by Amavis when the email is released (using
amavisd-release) and so will not be seen by postfix. My workaround is to
rename any such header in the quarantined email before releasing it.
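
Added example (not from the thread, and not amavis's or Postfix's own code): the header_checks INFO action above logs the raw header, which still leaves the rule names and scores to be picked apart later. This Python snippet parses an amavis X-Spam-Status value into structured fields, reports the rules that contributed most, and applies the rename workaround mentioned above before a quarantined message is released. The quarantined message, the exact header layout and the replacement header name (X-Spam-Status-Quarantined) are this example's assumptions.

```python
import email
import re
from email import policy

# Constructed quarantined message carrying amavis-style X-Spam-* headers
# (not a capture from the thread). The X-Spam-Status header is folded over
# several lines, as it usually arrives.
QUARANTINED = b"""Return-Path: <bounce@spammer.example>
X-Spam-Flag: YES
X-Spam-Score: 8.058
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.058 tagged_above=-999 required=6.31
\ttests=[BAYES_99=3.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
\tMISSING_HEADERS=1.021, RCVD_IN_PBL=3.335, URIBL_BLOCKED=0.001]
\tautolearn=no autolearn_force=no
From: Offers <offers@spammer.example>
To: someone@example.org
Subject: final notice

buy now
"""

STATUS_RE = re.compile(r"^(?P<verdict>Yes|No),\s*(?P<rest>.*)$")
TESTS_RE = re.compile(r"tests=\[(?P<tests>[^\]]*)\]")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_spam_status(value):
    """Turn an X-Spam-Status value into {verdict, score, required, tests,
    autolearn}. tests is {RULE: score}; 'tests=[none]' yields {}."""
    value = " ".join(value.split())            # undo header folding
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("not an X-Spam-Status value: %r" % value)
    rest = m.group("rest")
    tests = {}
    tm = TESTS_RE.search(rest)
    if tm:
        for item in tm.group("tests").split(","):
            name, _, score = item.strip().partition("=")
            if name and name != "none":
                tests[name] = float(score) if score else 0.0
        rest = rest[:tm.start()] + rest[tm.end():]   # keep KV_RE off the list
    fields = dict(KV_RE.findall(rest))
    return {
        "verdict": m.group("verdict"),
        "score": float(fields["score"]),
        "required": float(fields.get("required", fields.get("tag2", "nan"))),
        "tests": tests,
        "autolearn": fields.get("autolearn"),
    }


def status_of(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return parse_spam_status(str(msg["X-Spam-Status"]))


def top_tests(parsed, n=3):
    """Rules that contributed most, highest first."""
    return sorted(parsed["tests"].items(), key=lambda kv: -kv[1])[:n]


def log_line(raw):
    """One line per message with the fields already split out, instead of
    the raw header the INFO action would log."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    p = status_of(raw)
    rules = " ".join("%s=%s" % kv for kv in top_tests(p))
    return "spam-status from=%s verdict=%s score=%s required=%s top=[%s]" % (
        str(msg["Return-Path"]).strip(), p["verdict"], p["score"],
        p["required"], rules)


def header_names(raw):
    return [k for k, _ in email.message_from_bytes(raw, policy=policy.default).items()]


def prepare_for_release(raw, keep_as="X-Spam-Status-Quarantined"):
    """Copy X-Spam-Status to a header name amavis does not treat as its own
    (the name is this example's choice), then drop the original, so the
    pre-release verdict survives amavisd-release."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    original = msg["X-Spam-Status"]
    if original is not None:
        msg[keep_as] = " ".join(str(original).split())
        del msg["X-Spam-Status"]
    return msg.as_bytes()


if __name__ == "__main__":
    print(log_line(QUARANTINED))
    print(header_names(prepare_for_release(QUARANTINED)))
```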


Re: whitelist

2019-07-13 Thread Dominic Raferd
On Sat, 13 Jul 2019 at 10:47, Matus UHLAR - fantomas  wrote:
>
> On 12.07.19 16:47, Deeztek Support wrote:
> >> BUT...  amavis identifies the address by matching the envelope sender OR
> >> the From: header sender.  So (in theory) a spammer can easily fake the
> >> envelope sender and get whitelisted.
> >
> >I was under the impression that amavis uses the Return-Path header and not 
> >the From header.
>
> It's actually envelope from header.
> Yes, amavis uses that one.

I quote again from amavis 2.6.6 release notes: "white and blacklisting
now takes into account both the SMTP envelope sender address, as well
as the author address from a header section (address(es) in a 'From:'
header field). Note that whitelisting based only on a sender-specified
address is mostly useless nowadays." You can confirm this by looking
at the code.


Re: whitelist

2019-07-13 Thread Dominic Raferd
On Fri, 12 Jul 2019 at 19:14, Benny Pedersen  wrote:
>
> Gregory Sloop skrev den 2019-07-12 17:55:
>
> > DR> From: header) have their SA score reduced by (typically) 4.
> >
> > DR> /etc/spamassassin/local_whitening.cf:
> > DR> describe LOCAL_WHITENING_4 Whiten known good senders
> > DR> score LOCAL_WHITENING_4 -4
> > DR> header LOCAL_WHITENING_4 From =~ /(known\@goodname\.tld|\@good\.domain\.tld)>?\s*$/i
> >
> > DR> After any changes to this file amavis needs to be reloaded.
>
> and amavisd supports dkim whitelisting, just like spamassassin does
>
> the above rules blindly whitelist forged senders
>
> spammers dreams that all do this :=)
>
> for mta stage i do not accept envelope from to be local domain at all,
> will not write books for why

The SA rule I gave is applied to From header and not to envelope
sender, and it is whitening (reducing spam score) not whitelisting
(bypassing spam checking). Those (very few of us) who use DMARC with
p=reject are protected against our domains being faked in From header
(at least to all major mail providers and anyone else who uses dmarc
checking).

Passing mails based on the combination of a whitelist of addresses
(matched against From: header) *and* DKIM verification might be neat
(details at 
https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-am-verify
and at 
https://github.com/aosm/amavisd/blob/master/amavisd/amavisd-new-2.6.6/RELEASE_NOTES,
search for @author_to_policy_bank_maps). But I hate using policy banks
in amavis as they override some critical variables and the different
syntax for settings inside policy banks is even more of a nightmare
than standard perl.

BTW, quote from amavis 2.6.6 release notes: 'white and blacklisting
now takes into account both the SMTP envelope sender address, as well
as the author address from a header section (address(es) in a 'From:'
header field). Note that whitelisting based only on a sender-specified
address is mostly useless nowadays. For a reliable whitelisting see
@author_to_policy_bank_maps below, as well as a set of whitelisting
possibilities in SpamAssassin (based on DKIM, SPF, or on Received
header fields).'


Re: whitelist

2019-07-11 Thread Dominic Raferd
On Thu, 11 Jul 2019 at 22:10, Bob D  wrote:
>
> Do you really wish to bypass virus checks via amavis ?
> Is Spamassassin used ?
> You can whitelist in Spamassassin via /etc/spamassassin/local.cf and append 
> lines like:
> whitelist_from  *@whitelistdomain.whatever
> this bypasses spamassassin checks only for those addresses.
> I use this and it works fine.
> If you want to bypass amavis checks without bypassing virus checks, here is 
> one way to do it:
> https://forum.iredmail.org/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
> Regards
>
> On 7/11/19 3:38 PM, Curtis Vaughan wrote:
>
> I have been unable for a very long time now to figure out how to
> whitelist certain email address or domains.
> I have found several different blogs/help sites that "provide" an answer,
> but none of them have ever worked.
> Creating whitelists for postfix that referred to by main.cf definitely
> haven't worked. Another "solution" involved including a line in main.cf
> that basically tried to bypass amavis.
> Anyhow, I feel I'm approaching the solution in either case the wrong way
> as they concentrate on postfix and not amavis.
> Hopefully someone can point me in the right direction?
> Thanks!
>
> I'm using postfix with amavis on ubuntu.

In answer to OP, you can whitelist sender addresses in amavis by
setting (e.g. in /etc/amavis/conf.d/50-user):

@whitelist_sender_maps = ( read_hash('/etc/amavis/whitelist') );

and then create your file /etc/amavis/whitelist which lists email
addresses or domains to be whitelisted. They are still scanned for
viruses but not for spam scoring.

BUT... amavis identifies the address by matching the envelope sender
OR the From: header sender. So (in theory) a spammer can easily fake
the envelope sender and get whitelisted.

So I've now given up using this and instead I use a form of
'whitening' where emails from whitelisted senders (identified only by
From: header) have their SA score reduced by (typically) 4.

/etc/spamassassin/local_whitening.cf:
describe LOCAL_WHITENING_4 Whiten known good senders
score LOCAL_WHITENING_4 -4
header LOCAL_WHITENING_4 From =~ /(known\@goodname\.tld|\@good\.domain\.tld)>?\s*$/i

After any changes to this file amavis needs to be reloaded.
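
Added example (not from the thread, and not amavis's or SpamAssassin's code) for the point made in this message and in the two "Re: whitelist" replies above it: a whitelist that matches the envelope sender OR the From: header is bypassed by a forged From:, whereas the SA 'whitening' rule only subtracts points. The three messages, the whitelist contents and the lookup semantics (exact address, or a leading-dot domain covering subdomains, modelled on the read_hash() file format) are this example's assumptions; amavis's real lookup code is more elaborate.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed test messages (not from the thread). Return-Path stands in for
# the SMTP envelope sender, which Postfix records there at delivery.
SPOOFED = b"""Return-Path: <bounce-4711@bulk.example.net>
From: "Accounts" <known@goodname.tld>
To: victim@example.org
Subject: Invoice attached

please open the attachment
"""

GENUINE = b"""Return-Path: <known@goodname.tld>
From: Known Person <known@goodname.tld>
To: victim@example.org
Subject: hello

hi
"""

UNLISTED = b"""Return-Path: <news@somewhere.example>
From: News <news@somewhere.example>
To: victim@example.org
Subject: newsletter

news
"""

# What a /etc/amavis/whitelist file fed to read_hash() might contain: full
# addresses, or a domain with a leading dot (assumed to cover subdomains).
WHITELIST = {"known@goodname.tld", ".good.domain.tld"}


def lookup(addr, table):
    """Exact address first, then the domain and each parent domain with a
    leading dot (assumed order)."""
    addr = addr.lower()
    if addr in table:
        return True
    labels = addr.rpartition("@")[2].split(".")
    return any("." + ".".join(labels[i:]) in table for i in range(len(labels)))


def sender_addresses(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    envelope = parseaddr(str(msg["Return-Path"] or ""))[1]
    header = [a.addr_spec for a in (msg["From"].addresses if msg["From"] else ())]
    return envelope, header


def is_whitelisted(raw, table=WHITELIST):
    """@whitelist_sender_maps as described in the thread: a hit on EITHER the
    envelope sender OR any From: address is enough."""
    envelope, header = sender_addresses(raw)
    return (envelope != "" and lookup(envelope, table)) or \
        any(lookup(a, table) for a in header)


# The SA 'whitening' rule from the message above, applied to From: only.
WHITENING_RE = re.compile(r"(known@goodname\.tld|@good\.domain\.tld)>?\s*$", re.I)
WHITENING_SCORE = -4.0


def whitening_adjustment(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return WHITENING_SCORE if WHITENING_RE.search(str(msg["From"] or "")) else 0.0


def spam_verdict(raw, sa_score, mode, kill_level=6.31):
    """mode 'whitelist': spam scoring is bypassed for whitelisted senders.
    mode 'whiten': SA still scores the mail; the rule only subtracts points.
    sa_score is the score SA would give without the whitening rule."""
    if mode == "whitelist" and is_whitelisted(raw):
        return "passed-unscored"
    score = sa_score + (whitening_adjustment(raw) if mode == "whiten" else 0.0)
    return "spam" if score >= kill_level else "ham"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("unlisted", UNLISTED)):
        print(name, spam_verdict(raw, 12.0, "whitelist"), spam_verdict(raw, 12.0, "whiten"))
```

With a blatant spam score of 12, the spoofed message is passed unscored under the whitelist but still scores 8 under whitening and is caught; the genuine sender's borderline mail (score 7) drops to 3 and gets through. Whitening still trusts a sender-specified header, so pairing the From: match with DKIM verification, as the release notes quoted above suggest, is the stronger option.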


Re: Recommended web UI for Amavisd quarantine?

2019-07-09 Thread Dominic Raferd
On Tue, 9 Jul 2019 at 16:41, Rich Wales  wrote:

> On 07/09/2019 07:44, Dominic Raferd wrote:
> > I don't use a web ui but I have some CLI-based bash code built around
> > mutt and formail which allows me to manipulate quarantined mails. I also
> > have it email me a few times a day with a list of quarantined mails and
> > I can email reply with short codes to delete/release etc. It's a bit
> > specific to my setup but a lot of it is similar to yours (Ubuntu 18.04 /
> > SA / amavisd-new / dovecot). It wouldn't help if you want a web ui
> though.
>
> I would certainly be interested in seeing what you have.  I would prefer
> a web UI if possible, but I'm open to other possibilities.
>
> Does your setup allow you to view a quarantined message before you make
> a decision whether you want to release or delete it?


Yes - from inside mutt. This requires me to log in and run the script from
the CLI. Usually it's clear enough from sender / subject / score whether
it's worth sending to original recipient or not.


Re: Recommended web UI for Amavisd quarantine?

2019-07-09 Thread Dominic Raferd
On Tue, 9 Jul 2019 at 15:02, Rich Wales  wrote:

>
> I'm not looking for a total replacement of my entire e-mail system.  I'm
> happily using Postfix, Spamassassin, Amavisd-new, and Dovecot.  All I'm
> looking for at this time is a replacement for Mailzu.
>

I don't use a web ui but I have some CLI-based bash code built around mutt
and formail which allows me to manipulate quarantined mails. I also have it
email me a few times a day with a list of quarantined mails and I can email
reply with short codes to delete/release etc. It's a bit specific to my
setup but a lot of it is similar to yours (Ubuntu 18.04 / SA / amavisd-new
/ dovecot). It wouldn't help if you want a web ui though.


Re: amavis broken

2019-06-19 Thread Dominic Raferd
On Wed, 19 Jun 2019 at 13:34, Dorian ROSSE  wrote:

> I attach the files for you.
> I add a semicolon where it is asked, then it asks again to add a semicolon.
> I think the amavis shell wants to drive me crazy on my Ubuntu server.
> I don't know what I must do. Thank you in advance for your help.
> Regards. Dorian ROSSE.
>

Just scattering semicolons is not the way. This is all you need:

use strict;
$myhostname = "bitfenix-server";
1;


Re: clamd does not scan emails

2019-05-22 Thread Dominic Raferd
So I guess you have explicitly set (probably in /etc/amavis/conf.d/50-user):
$MYHOME = '/var/amavis';
whereas the preset in debian/ubuntu package of amavis is:
$MYHOME = '/var/lib/amavis';
... or maybe you built amavis from source?

On Wed, 22 May 2019 at 15:28, Alexander Azeev  wrote:

> Question about selinux from uh...@fantomas.sk got me thinking.
> As it turns out, the issue was with apparmor.
>
> In /etc/apparmor.d/usr.sbin.clamd there is a line:
> "# For amavisd-new integration
> /var/lib/amavis/tmp/** r, "
>
> I changed it to "/var/amavis/tmp/** r,", rebooted and it works now!
> Thanks everyone for helping.
>
> Wed, 22 May 2019 at 16:42, Patrick Ben Koetter :
>
>> Alexander,
>>
>> I've just checked on an Ubuntu 14 LTS and I want you to check this too:
>>
>> What are the permissions where amavis stores messages (and parts)? In my
>> case
>> the directory (NOTE: Your's seems to be /var/amavis/tmp/? Is that
>> correct?) is
>> 0755 for amavis:amavis:
>>
>> # ls -ld /var/lib/amavis/tmp/
>> drwxr-xr-x 19 amavis amavis 380 May 22 15:27 /var/lib/amavis/tmp/
>>
>> Clamav is in group amavis:
>> # id clamav
>> uid=110(clamav) gid=117(clamav) groups=117(clamav),119(amavis)
>>
>> Amavis is in group amavis:
>> # id amavis
>> uid=112(amavis) gid=119(amavis) groups=119(amavis)
>>
>> Did you restart clamav after you added its user to amavis' group?
>> Can you confirm the same settings?
>>
>> Thanks
>>
>> p@rick
>>
>>
>> * Alexander Azeev :
>> > Ubuntu 18.04.1 LTS, selinux is disabled.
>> >
>> > getenforce
>> > Command 'getenforce' not found, but can be installed with:
>> > sudo apt install selinux-utils
>> >
>> > Wed, 22 May 2019 at 15:46, Matus UHLAR - fantomas :
>> >
>> > > >> >> On Tue, 21 May 2019 at 14:54, Alexander Azeev <
>> artan...@gmail.com>
>> > > wrote:
>> > > >> >>> Hello, I have a problem with clamd not being able to scan mail
>> > > properly.
>> > > >> >>> In the amavis log there are messages like:
>> > > >> >>>
>> > > >> >>> run_av (ClamAV-clamd) result:
>> > > >> >>> /var/amavis/tmp/amavis-20190518T065844-01954-dOjV4CBP/parts:
>> lstat()
>> > > >> >>> failed: Permission denied.
>> > > >> >>>
>> ERROR\n/var/amavis/tmp/amavis-20190518T065844-01954-dOjV4CBP/parts:
>> > > OK\n
>> > > >> >>> run_av (ClamAV-clamd): CLEAN
>> > > >> >>> run_av (ClamAV-clamd) result: clean
>> > > >> >>>
>> > > >> >>> So it passes everything as CLEAN, even the EICAR test virus.
>> > > >> >>> It seems to be a permissions issue.
>> > > >> >>> I used this article to check my settings
>> > > >> >>>
>> > >
>> https://www.moshe-schmidt.de/linux/clamav-permission-denied-how-to-fix-it/
>> > > >> >>> ,
>> > > >> >>> but everything seems to be correct.
>> > >
>> > > >Tue, 21 May 2019 at 21:23, Matus UHLAR - fantomas <
>> uh...@fantomas.sk>:
>> > > >> did you restart clamav after?
>> > >
>> > > On 22.05.19 14:42, Alexander Azeev wrote:
>> > > >Of course, I did that as well as restarting amavis and even the
>> machine
>> > > >itself.
>> > >
>> > > what os/distro? Don't you run with selinux enabled by any chance?
>> > > --
>> > > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> > > Warning: I wish NOT to receive e-mail advertising to this address.
>> > > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>> > > Fighting for peace is like fucking for virginity...
>> > >
>> >
>> >
>> > --
>> > Best regards,
>> > Alexander Azeev
>>
>> --
>> [*] sys4 AG
>>
>> https://sys4.de, +49 (89) 30 90 46 64
>> Schleißheimer Straße 26/MG,80333 München
>>
>> Registered office: München, Amtsgericht München: HRB 199263
>> Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> Chairman of the supervisory board: Florian Kirstein
>>
>>
>
> --
> Best regards,
> Alexander Azeev
>
>


Re: clamd does not scan emails

2019-05-21 Thread Dominic Raferd
On Tue, 21 May 2019 at 14:54, Alexander Azeev  wrote:

> Hello, I have a problem with clamd not being able to scan mail properly.
> In the amavis log there are messages like:
>
> run_av (ClamAV-clamd) result:
> /var/amavis/tmp/amavis-20190518T065844-01954-dOjV4CBP/parts: lstat()
> failed: Permission denied.
> ERROR\n/var/amavis/tmp/amavis-20190518T065844-01954-dOjV4CBP/parts: OK\n
> run_av (ClamAV-clamd): CLEAN
> run_av (ClamAV-clamd) result: clean
>
> So it passes everything as CLEAN, even the EICAR test virus.
> It seems to be a permissions issue.
> I used this article to check my settings
> https://www.moshe-schmidt.de/linux/clamav-permission-denied-how-to-fix-it/
> ,
> but everything seems to be correct.
>
>
Try adding user amavis to group clamav (as well as adding user clamav to
group amavis, which I guess you already did):
# adduser amavis clamav


Re: reload or restart after spamassassin/local.cf change?

2019-04-17 Thread Dominic Raferd
On Wed, 17 Apr 2019 at 11:45, Matus UHLAR - fantomas 
wrote:

> >> On Wed, 2019-04-17 at 09:57 +0100, Dominic Raferd wrote:
> >> > Just wanted to double check this, because it is counter-intuitive to
> >> > me. I thought amavis called SA 'from scratch' each time it wanted to
> >> > use it, so any change in SA config would be picked up immediately
> >> > (because SA must reload its config each time it is called by amavis as
> >> > there is no running SA daemon). If that is not the case, can someone
> >> > explain why?
>
> >On Wed, 17 Apr 2019 at 10:22, Martin Johannes Dauser <
> mdau...@cs.sbg.ac.at>
> >wrote:
> >> Amavis is the SA daemon substitute. You can say, you have a SA daemon
> >> but it's not the standard daemon from the SA project. That's why you
> >> need to restart the amavis daemon which took over this role.
>
> reload is enough.
>
> On 17.04.19 10:47, Dominic Raferd wrote:
> >Thanks for the reply. I realise amavisd-new runs as a daemon but it then
> >calls SA (technically, perl Mail::SpamAssassin) for each mail it wants to
> >check - and I would expect that SA loads its parameters *each time* from
> >its config files.
>
> amavisd calls SA routines.  Amavis loads them, including configs, at
> startup
> to avoid loading it and parsing config files every time new mail arrives.
>
> spamd behaves the same way, because of the same reason, and you need to
> reload after config change too.
>

OK thanks for the explanation


Re: reload or restart after spamassassin/local.cf change?

2019-04-17 Thread Dominic Raferd
On Wed, 17 Apr 2019 at 10:22, Martin Johannes Dauser 
wrote:

> Amavis is the SA daemon substitute. You can say, you have a SA daemon
> but it's not the standard daemon from the SA project. That's why you
> need to restart the amavis daemon which took over this role.
>
> On Wed, 2019-04-17 at 09:57 +0100, Dominic Raferd wrote:
> >
> > Just wanted to double check this, because it is counter-intuitive to
> > me. I thought amavis called SA 'from scratch' each time it wanted to
> > use it, so any change in SA config would be picked up immediately
> > (because SA must reload its config each time it is called by amavis as
> > there is no running SA daemon). If that is not the case, can someone
> > explain why?
>

Thanks for the reply. I realise amavisd-new runs as a daemon but it then
calls SA (technically, perl Mail::SpamAssassin) for each mail it wants to
check - and I would expect that SA loads its parameters *each time* from
its config files. I may be wrong but if so I don't understand why. (Some
help info at https://www.ijs.si/software/amavisd/#faq-spam confirms that
SA, running from amavis, reads and honours its local.cf - but doesn't
answer my question)


Re: reload or restart after spamassassin/local.cf change?

2019-04-17 Thread Dominic Raferd
On Tue, 12 Feb 2019 at 19:55, Patrick Ben Koetter  wrote:

> * Patrick Proniewski :
> > Hi,
> >
> > I often adjust scores in spamassassin config (spamassassin/local.cf
> and/or spamassassin/*.pre).
> > How should I proceed so that amavisd takes this modification into
> account:
> > - reload?
> > - restart?
> > - just wait?
>
> Unless you have a nightly cron job or systemd timer to restart/reload
> amavis
> you can reload it.
>

Just wanted to double check this, because it is counter-intuitive to me. I
thought amavis called SA 'from scratch' each time it wanted to use it, so
any change in SA config would be picked up immediately (because SA must
reload its config each time it is called by amavis as there is no running
SA daemon). If that is not the case, can someone explain why?


Re: Delays when scanning outbound e-mails

2019-03-28 Thread Dominic Raferd
On Wed, 27 Mar 2019 at 21:12, Nick Howitt  wrote:

>
>
> On 27/03/2019 20:27, Marc Pujol wrote:
> >
> > On 27/03/2019 15:39, Nick Howitt wrote:
> >
> >> I am not sure how to read this but the TIMING and TIMING-SA figures
> >> are huge with tests_pri_-90: 299180, b_finish: 297503 and
> >> expire_bayes: 297448 jumping out to me. I am not aware of using bayes
> >> filtering.
> >
> > You most probably are using bayes filtering. This is controlled by the
> > "use_bayes" directive in your spamassassin (not amavis) configuration.
> >
>
>   What is weird is I've been down this route. "grep bayes /etc/* -r"
> returned one commented line in /etc/mail/spamassassin/v320.pre:
>
> # and create a header containing ASN data for bayes tokenization.
>
>
> and that is it. I also tried an "sa-learn --sync" and "sa-learn
> --force-expire" and got no improvements. I am really puzzled.
>

use_bayes is enabled by default in spamassassin. To turn it off, add this
directive to /etc/spamassassin/local.cf:
use_bayes 0
and then restart amavis.


Re: Error when ...Cron test -e /usr/sbin/amavisd-new-cronjob && /usr/sbin/amavisd-new-cronjob sa-sync

2019-03-19 Thread Dominic Raferd
On Tue, 19 Mar 2019 at 16:29, OLCESE, Marcelo Oscar
 wrote:
> These errors occur daily, since approximately 15/03
> Subject: Cron  test -e /usr/sbin/amavisd-new-cronjob && 
> /usr/sbin/amavisd-new-cronjob sa-sync
> Debian 8
> razor2: razor2 check failed:  razor2: razor2 had unknown error during 
> get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 
> 186,  line 1. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm 
> line 329.
> Debian 7
> razor2: razor2 check failed:  razor2: razor2 had unknown error during 
> get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 
> 185,  line 1. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm 
> line 325.

See https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1819977
- read the comments for a workaround


Re: Error message generated by AMAVIS.

2019-03-14 Thread Dominic Raferd
On Thu, 14 Mar 2019 at 22:06, Patrick Ben Koetter  wrote:
>
> * Philip :
> > I'm getting this error when this cronjob runs:
> >
> > Cron   test -e /usr/sbin/amavisd-new-cronjob && 
> > /usr/sbin/amavisd-new-cronjob sa-clean
> >
> > Error:
> >
> > razor2: razor2 check failed:  razor2: razor2 had unknown error during 
> > get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 
> > 186,  line 1. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm 
> > line 329.
>
> razor2 is a SpamAssassin module. You need to debug SpamAssasin to find out
> what causes the error.

FWIW I am also seeing the same error in the last couple of days. Some
problems with razor servers? Razor is hosted at
http://razor.sourceforge.net/ and there is a user group (but v v
quiet).


Re: Update to SA cf requires amavis restart?

2019-02-13 Thread Dominic Raferd
On Tue, 12 Feb 2019 at 22:30, Michael Orlitzky  wrote:
>
> On 2/12/19 12:30 PM, Curtis Maurand wrote:
> > sudo /usr/sbin/amavisd-new reload
>
> The systemd service should be able to do this for you, e.g.
>   ExecReload=/usr/sbin/amavisd -c /etc/amavisd.conf reload
> if the "forking" service type is used.

Thanks Curtis and Michael. I have now implemented this. In Ubuntu
18.04 the systemd service is just calling /etc/init.d/amavis (SysV) so
this is what needed changing by adding the reload option. I attach a
patch for this file (/etc/init.d/amavis), after applying it do
'systemctl daemon-reload' so that 'systemctl reload-or-restart amavis'
will do a warm reload of amavis instead of the full shutdown/start.

If it is working the first log entry for the action will show '(warm)':
2019-02-13 10:10:42 streamingbats amavis[30715]: starting. (warm)
/usr/sbin/amavisd-new at streamingbats.co.uk amavisd-new-2.11.0
(20160426), Unicode aware, LC_ALL="C", LANG="en_GB.UTF-8"

From Patrick's reply to another question I take it that reloading
amavis *is* required after updating any SA configs.


init.d-amavis.patch
Description: Binary data


--- /tmp/amavis	2019-02-13 10:12:34.738692753 +
+++ /etc/init.d/amavis	2019-02-13 10:09:18.378072890 +
@@ -118,10 +118,11 @@
 		fi
 	fi
 	;;
-#  reload)
-#	echo "Reloading $DESC configuration files."
+  reload)
+	echo "Reloading $DESC configuration files."
+	$DAEMON reload || { echo "(failed)."; exit 1; }
 #	start-stop-daemon ${STOP} --signal 1
-# 	;;
+ 	;;
   restart|force-reload)
 	$0 stop
 	exec $0 start
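Review bot: the new `reload)` branch reports failure but never success, and it keeps the old `#	start-stop-daemon ${STOP} --signal 1` line as dead commented code now that `$DAEMON reload` is the mechanism; drop that line and echo a completion message after a successful `$DAEMON reload` so the action prints a result either way. Two smaller points in the same hunk: the closing `;;` is indented with a space plus a tab where the neighbouring arms use a tab alone, and now that a real reload exists the unchanged `restart|force-reload)` arm below it could be split so that `force-reload` performs the warm reload and falls back to stop/start only if that fails, which is what Debian's init-script policy expects of `force-reload`.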
@@ -139,7 +140,7 @@
   *)
 	N=/etc/init.d/amavis
 	#echo "Usage: $N {start|stop|restart|reload|force-reload|debug}" >&2
-	echo "Usage: $N {start|stop|restart|force-reload|status|debug}" >&2
+	echo "Usage: $N {start|stop|reload|restart|force-reload|status|debug}" >&2
 	exit 1
 	;;
 esac
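Review bot: with `reload` now present in the live usage string, the commented-out `#echo "Usage: $N {start|stop|restart|reload|force-reload|debug}"` line immediately above it is stale and should be removed rather than left as a second usage text that will drift from the real one.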


Update to SA cf requires amavis restart?

2019-02-12 Thread Dominic Raferd
Does a change to a spamassassin configuration file (.cf) requires a
restart of amavis for it to be effective (when SA is being called by
amavis)? (Amavis doesn't seem to have a reload option, or at least
systemctl doesn't seem to know about it under Debian).


Re: Amavis not being called from postfix

2019-02-09 Thread Dominic Raferd
On Fri, 8 Feb 2019 at 18:40, Patrick Ben Koetter  wrote:
> There will be a MILTER section in the upcoming docs.

great

> If you use Postfix and want to use other milters, such as
> open(dkim|spf|dmarc|...) together with amavis you *have* to use milter for
> amavis, because smtpd_proxy_filter and milters don't work together. If you use
> smtpd_proxy_filter a milter can't 'see' the content - only the session. That's
> a technical limitation caused by Postfix compartmentalized architecture.

Only a problem if you use smtpd_proxy_filter I suppose. I use milters
for open(dkim|dmarc) and content_filter for amavis, but no
smtpd_proxy_filter, and they play together nicely.


Re: Amavis not being called from postfix

2019-02-08 Thread Dominic Raferd
On Sat, 9 Feb 2019 at 00:01, Patrick Ben Koetter  wrote:
>
> * Matus UHLAR - fantomas :
> > > On Fri, 8 Feb 2019 at 17:17, Robert Moskowitz  
> > > wrote:
> > > ...
> > > > I would think I want to use MILTER.
> >
> > On 08.02.19 17:34, Dominic Raferd wrote:
> > > I too am interested in running amavis as milter (Patrick has written
> > > some instructions in German), but the standard and more common setup,
> > > and the one which you are emulating at present, is as content filter
> > > instead, and I think you should focus on getting that working first.
> >
> > I use milter when receiving mail from outside (mail servers).
> > When I configured milter on users connections, users were complaining that
> > sending mail takes too long.
> > Thus, clients on submission,smtps ports (and when possible, port 25 clients
> > on internal interface) use content_filter.
>
>
> So am I. And it conforms with German jurisdiction. And yes, *SIGH* it is
> important to comply. ;)

Thanks Matus and Patrick for pointing that out. It would certainly be
a complexifier [(c) J Bezos] to have to run it both as milter and
content_filter. But in my case I whitelist emails from our domains
within amavis so they would process quickly even when it runs as
milter. (I realise this whitelisting carries some risk, but in our
situation I think it is minimal.) Alternatively I suppose one could
have a different length child_timeout for auth and non-auth mails (via
a policy bank, though I prefer to avoid these) i.e. a short timeout
for auth mails (say 3-4 seconds) and longer for non-auth (say 20
seconds) - this way (depending on server load and power) most auth
mails (and the overwhelming majority of non-auth) would still get
checked.


Re: Amavis not being called from postfix

2019-02-08 Thread Dominic Raferd
On Fri, 8 Feb 2019 at 17:17, Robert Moskowitz  wrote:
...
> I would think I want to use MILTER.

I too am interested in running amavis as milter (Patrick has written
some instructions in German), but the standard and more common setup,
and the one which you are emulating at present, is as content filter
instead, and I think you should focus on getting that working first.

As I understand it the disadvantages of this content filter
post-queue(?) approach are
- that mails are queued twice in the MTA [postfix] (once when it sends
them out to amavis, and again when they return), with two different
queue-ids, which is untidy and can make log tracking harder, and
- that the response from amavis cannot be passed back to the client
because the client has been told all is ok (250) when the email is
passed over to amavis and before amavis has processed it - but usually
you may not want to tell the client if you are quarantining or
discarding the mail it has sent.

The main advantage over calling amavis as a milter is that it doesn't
really matter how long amavis takes to process the mail, whereas with
a milter you have the client still connected and waiting for a
response. You can use something like
$child_timeout = 20;
so that amavis forces any child processes (esp. clamav) to give up
after a given period - this isn't required with the content_filter
approach.


Re: Send recipient notification of quarantined spam

2019-02-08 Thread Dominic Raferd
On Fri, 8 Feb 2019 at 10:20, Dino Edwards  wrote:
> We have been able to accomplish what you are asking for with our appliance. 
> We have a job that runs on a scheduled basis (2, 4, 8 hours or daily 
> depending on recipient preferences) that goes through the msgs table and 
> selects any messages that were quarantined during that time period  (viruses, 
> banned files, spam, bad headers) and creates a report that it sends to the 
> recipient with a list of the messages that were quarantined. The report 
> contains the listing as well as a link to view/release the message back to 
> the recipients mailbox.
> Our appliance is open source and free. You can read it about it and download 
> it here if you are interested:
> https://www.deeztek.com/products/hermes-secure-email-gateway/
> Source code is also posted on github if you wanna see how we went about 
> implementing that functionality, or you can simply download and implement our 
> appliance in your environment. We also have very extensive documentation.

That sounds pretty neat. I have a bash script that achieves something
very similar based on maildir-style quarantine.


Re: Send recipient notification of quarantined spam

2019-02-06 Thread Dominic Raferd
On Thu, 7 Feb 2019 at 04:46, Tom Robinson  wrote:

> bump
> On 5/2/19 12:08 pm, Tom Robinson wrote:
>
> Hi,
>
> I'm sure this has been answered before but I just can't seem to find the
> right settings.
>
> I want the recipient of a quarantined SPAM email to receive a notification
> that it was quarantined.
>
> Notifications are working for viruses that get quarantined but I can't get
> it to work for SPAM.
>
> I have the following in my amavisd.conf
>
> $virus_admin   = "postmaster\@$mydomain";   #
> notifications recip.
> $mailfrom_notify_admin = "virusalert\@$mydomain";   #
> notifications sender
> $mailfrom_notify_recip = "virusalert\@$mydomain";   #
> notifications sender
> $mailfrom_notify_spamadmin = "spamalert\@$mydomain";#
> notifications sender
> $mailfrom_to_quarantine = ''; # null return path; uses original sender if
> undef
>
> $final_virus_destiny  = D_DISCARD;
> $final_banned_destiny = D_DISCARD;
> $final_spam_destiny   = D_DISCARD;  #!!!  D_DISCARD / D_REJECT
> $final_bad_header_destiny = D_PASS;
> $virus_quarantine_method= 'local:virus/%m';
> $spam_quarantine_method = 'local:spam/%m.gz';
> $banned_files_quarantine_method = 'local:banned/%m';
> $bad_header_quarantine_method   = 'local:badh/%m';
>
> $warnvirusrecip = 1;
> $warnbannedrecip = 1;
> $warnbannedsender = 0;
>
> Try: https://lists.amavis.org/pipermail/amavis-users/2012-July/001717.html
I'm not clear how amavis decides whether a recipient is 'local'. Might be
worth setting $warn_offsite to 1 if only to rule this out.

Looking at comments in amavisd-new code 2.11.0 it seems that
warnbannedrecip is deprecated in favour of warnbannedrecip_maps (although
it should still work).

You aren't using any named policy banks are you? If so, it might also need
to be set explicitly inside each named policy bank (as do a lot of things,
sadly), and with different syntax (warnbannedrecip  => 1,).


Re: Whitelisting specific sender addresses for specific recipient addresses

2019-01-08 Thread Dominic Raferd
On Tue, 8 Jan 2019 at 08:37, Engels, Jan  wrote:
>
> Hi everyone,
>
> I'm currently trying to setup amavisd-new for whitelisting emails **from** a 
> specific sender address **to** a specific recipient address (under CentOS 7). 
> By whitelist I mean no virus/banned/header checks and no spam tagging. The 
> whitelisting should however only apply for specific senders on a 
> per-recipient basis.
>
> Using the @score_sender_maps I can easily assign custom spam scores on a 
> per-recipient basis, as shown in the default amavisd.conf:
>
> @score_sender_maps = ({ # a by-recipient hash lookup table,
> # results from all matching recipient tables are 
> summed
>
> ## per-recipient personal tables  (NOTE: positive: black, negative: white)
> # 'us...@example.com'  => [{'bla-mobile.pr...@example.com' => 10.0}],
> # 'us...@example.com'  => [{'.ebay.com' => -3.0}],
> # 'us...@example.com'  => [{'cleargr...@cleargreen.com' => -7.0,
> #   '.cleargreen.com'   => -5.0}],
> #...
> });
>
> The problem is that using the *_lovers_maps variables does not work using the 
> same syntax, i.e. I've tried for example:
>
> @virus_lovers_maps = ({ # a by-recipient hash lookup table,
>   'us...@example.com'  => [{'n...@foobar.com' => 1}],
> });
>
> @banned_files_lovers_maps = ({ # a by-recipient hash lookup table,
>   'us...@example.com'  => [{'n...@foobar.com' => 1}],
> });
>
> @bad_header_lovers_maps = ({ # a by-recipient hash lookup table,
>   'us...@example.com'  => [{'n...@foobar.com' => 1}],
> });
>
> or using the bypass_*checks_maps variables:
>
> @bypass_virus_checks_maps = ({
>   'us...@example.com'  => [{'n...@foobar.com' => 1}],
> });
>
> @bypass_banned_checks_maps = ({
>   'us...@example.com'  => [{'n...@foobar.com' => 1}],
> });
>
> @bypass_header_checks_maps = ({
>   'us...@example.com'  => [{'n...@foobar.com' => 1}],
> });
>
> and the result in both variants is that **all** emails sent to 
> us...@example.com get whitelisted (not only the ones coming from 
> n...@foobar.com).
>
> Is there some way to get the same behaviour using the *_lovers_maps or 
> bypass_* variables as with the @score_sender_maps variable (i.e on a 
> per-recipient basis)?
>
> Any help would be greatly appreciated.

I think you want: $per_recip_whitelist_sender_lookup_tables (although
it is marked as deprecated)


Re: Amavis-new whitelist sender address and mail log

2019-01-07 Thread Dominic Raferd
On Tue, 8 Jan 2019 at 07:09, Admin Beckspaced  wrote:
>
> Hello there ;),
>
> I've set a sender address to be whitelisted by amavis-new.
> If I look in the amavis-new log:
>
> 2019-01-07T05:55:43.476393+01:00 cx20 amavis[14703]: (14703-20) Passed
> CLEAN {RelayedInbound}, EXTERNAL [129.41.222.125]:37319 [129.41.222.125]
>  -> , Queue-ID:
> ED4FC1A1EDA, Message-ID:
> <1357051094.785971071546836934544.JavaMail.app@rbg73.sng01is>, mail_id:
> SbCRIirAbHc6, Hits: -, size: 10027, queued_as: 6EA4A1A1EDB,
> dkim_sd=sending-domain.com, 133 ms
>
> So in the log there's Hits: -,
>
> Is this the only way how I can recognize a whitelisted sender address in
> the log?

Yes, I think, without raising log level to 5 or changing the code

> Or is there an option to have the log entry display 'whitelisted sender
> address' or something similar?
> to make it more easy to find whitelisted addresses in the log ;)

The easiest way to get a special log entry is to modify the log level
for the relevant line in amavisd-new:

Find this line (using amavisd-new 2.11.1):
do_log(5,'wbl: recip <%s> whitelisted sender <%s>', $recip,$sender);
and change 5 to 0, then restart amavis

Note: as this extra logging will reveal, whitelisting works against
*both* the envelope sender address and against the 'From' header
address. IMO this is a bit unsafe, so I have changed it in mine to
skip the envelope sender.
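An added example (not amavisd-new code and not from this thread) that models the whitelist lookup both this thread and the March 2018 thread at the end of this page are about: Dominic reports above that 2.11 checks the whitelist against both the envelope sender and the From: header, and the later thread gives the file format (one entry per line; a whole address, a bare domain, or a dot-prefixed domain that also matches subdomains). The matching order below follows those stated rules only; amavisd-new's own lookup_hash() also tries key forms such as 'user@' and the '.' catch-all, which are assumed away here, and the whitelist contents and addresses are constructed.

```python
import email.utils

# Constructed whitelist file in the format described on this page:
# one entry per line, comments and blank lines ignored.
WHITELIST_TEXT = """\
# example amavis whitelist file

amavis-users@amavis.org
.currys.co.uk
zpg.co.uk
"""


def parse_whitelist(text):
    """One entry per line; '#' starts a comment; entries compare case-insensitively."""
    entries = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            entries.add(entry.lower())
    return entries


def lookup_keys(address):
    """Keys tried for one address, most specific first: the full address, the bare
    domain (matches that domain only), then the domain and each parent domain with a
    leading dot (a '.example.com' entry matches example.com and all its subdomains).
    Assumption: this models the rules stated in the thread, not amavis's full
    lookup_hash() key list."""
    address = address.lower()
    if "@" not in address:
        return [address]
    domain = address.rsplit("@", 1)[1]
    labels = domain.split(".")
    return [address, domain] + ["." + ".".join(labels[i:]) for i in range(len(labels))]


def matching_entry(address, entries):
    """The whitelist entry that matches the address, or None."""
    return next((key for key in lookup_keys(address) if key in entries), None)


def whitelisted(envelope_sender, from_header, entries, check_envelope=True):
    """Return (which address matched, the entry it matched) or None.
    With check_envelope=True both the envelope sender (Return-Path) and the From:
    header address are consulted, which is what the post above reports 2.11 doing;
    check_envelope=False models the local change to consult only the From: header."""
    candidates = [("From:", email.utils.parseaddr(from_header)[1])]
    if check_envelope:
        candidates.insert(0, ("envelope", envelope_sender))
    for source, address in candidates:
        entry = matching_entry(address, entries)
        if entry:
            return source, entry
    return None


if __name__ == "__main__":
    entries = parse_whitelist(WHITELIST_TEXT)
    # Same shape as the telnet test in the March 2018 thread: whitelisted envelope
    # sender, unrelated From: header. The first call matches, the second does not.
    print(whitelisted("sender@zpg.co.uk", "Someone <someone@la.la>", entries))
    print(whitelisted("sender@zpg.co.uk", "Someone <someone@la.la>", entries,
                      check_envelope=False))
```

Running it with both flags against the same message is the quickest way to see which of the two addresses a given whitelist entry is actually reaching, which is the disagreement the March 2018 thread turns on.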


ClamAV detection does not trigger Amavis virus action

2018-12-17 Thread Dominic Raferd
I use ClamAV (with SaneSecurity addons) as my primary (and only) antivirus
scanner under amavisd-new-2.11.0. I have always assumed that if ClamAV
finds something, Amavis will take the defined 'virus action' (in my case
this is to block i.e. discard the mail), but I now find this is not
necessarily the case:

In this case the infected mail is blocked:
2018-12-17 12:13:41 vps1 clamd[1081]: Mon Dec 17 12:13:41 2018 ->
~/var/lib/amavis/tmp/amavis-20181217T111618-20069-1T2DHFXX/parts/p002:
MBL_20559167.UNOFFICIAL(:552) FOUND
2018-12-17 12:13:41 vps1 clamd[1081]:
/var/lib/amavis/tmp/amavis-20181217T111618-20069-1T2DHFXX/parts/p002:
MBL_20559167.UNOFFICIAL(:552) FOUND
2018-12-17 12:13:41 vps1 amavis[20069]: (20069-10) Blocked INFECTED
(MBL_20559167.UNOFFICIAL) {DiscardedInbound}, INCOMING
[193.233.31.24]:54896 [193.233.31.24]  -> <
tri...@streamingbats.co.uk>, Queue-ID: B2F163E85E, Message-ID: <
2d07b915e16bccc0ef2a9ccf3bf78d8195e80...@orientalwisdom.info>, mail_id:
kFYoqSLUSVWw, Hits: -, size: 2602, 194 ms

But in this case it isn't:
2018-12-16 13:49:14 vps1 clamd[1081]: Sun Dec 16 13:49:14 2018 ->
~/var/lib/amavis/tmp/amavis-20181216T101603-18225-tHPkrYWE/parts/p002:
Sanesecurity.Blurl.989ed7.UNOFFICIAL(:25273)
FOUND
2018-12-16 13:49:14 vps1 clamd[1081]:
/var/lib/amavis/tmp/amavis-20181216T101603-18225-tHPkrYWE/parts/p002:
Sanesecurity.Blurl.989ed7.UNOFFICIAL(:25273)
FOUND
2018-12-16 13:49:16 vps1 amavis[18225]: (18225-19) Passed CLEAN
{RelayedInbound}, INCOMING [54.240.27.30]:60070 [54.240.27.30] <
01010167b7102d87-3d5db8e0-1b25-4732-87c9-66ceaa6499c1-000...@us-west-2.amazonses.com>
-> , Queue-ID: C4E973E8CA, Message-ID: <
01010167b7102d87-3d5db8e0-1b25-4732-87c9-66ceaa6499c1-000...@us-west-2.amazonses.com>,
mail_id: K3LXdSUItskO, Hits: 2.951, size: 57240, queued_as: 701F63F9AE,
2264 ms

Any ideas as to why the difference? Is this intended behaviour and if so is
it wise and can it be changed? My relevant Amavis settings are:

$virus_quarantine_method = undef;
$banned_files_quarantine_method = 'local:banned-%m';
$spam_quarantine_method = 'local:spam-%m';
$bad_header_quarantine_method = undef;
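A worked example added here (it is not code from either thread or from amavisd-new) that turns two observations on this page into a check you can run over a mail log: the whitelist thread above notes that "Hits: -" is the only default-log indication that SpamAssassin was bypassed for a message, and this thread shows clamd logging FOUND on a part while amavis still logs "Passed CLEAN". The script correlates each clamd FOUND line with the next amavis verdict logged by the same amavis child, using the child's pid embedded in the work-directory name (amavis-<date>T<time>-<pid>-<tag>); that correlation rule is an assumption of the example, and the sample log lines are reassembled from the excerpts quoted in the two threads with addresses and Message-IDs replaced.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the syslog excerpts quoted above (each entry
# joined back onto one line; addresses and Message-IDs replaced). Lines 1-2 are the
# clamd hit that amavis passed, lines 3-4 the hit it blocked, line 5 a message with
# "Hits: -" and no clamd hit, as in the whitelisted-sender thread.
SAMPLE_LOG = """\
2018-12-16 13:49:14 vps1 clamd[1081]: /var/lib/amavis/tmp/amavis-20181216T101603-18225-tHPkrYWE/parts/p002: Sanesecurity.Blurl.989ed7.UNOFFICIAL(:25273) FOUND
2018-12-16 13:49:16 vps1 amavis[18225]: (18225-19) Passed CLEAN {RelayedInbound}, INCOMING [54.240.27.30]:60070 [54.240.27.30] <bounce@example.net> -> <alice@example.org>, Queue-ID: C4E973E8CA, Message-ID: <msg1@example.net>, mail_id: K3LXdSUItskO, Hits: 2.951, size: 57240, queued_as: 701F63F9AE, 2264 ms
2018-12-17 12:13:41 vps1 clamd[1081]: /var/lib/amavis/tmp/amavis-20181217T111618-20069-1T2DHFXX/parts/p002: MBL_20559167.UNOFFICIAL(:552) FOUND
2018-12-17 12:13:41 vps1 amavis[20069]: (20069-10) Blocked INFECTED (MBL_20559167.UNOFFICIAL) {DiscardedInbound}, INCOMING [193.233.31.24]:54896 [193.233.31.24] <spam@example.com> -> <alice@example.org>, Queue-ID: B2F163E85E, Message-ID: <msg2@example.com>, mail_id: kFYoqSLUSVWw, Hits: -, size: 2602, 194 ms
2019-01-07T05:55:43.476393+01:00 cx20 amavis[14703]: (14703-20) Passed CLEAN {RelayedInbound}, EXTERNAL [129.41.222.125]:37319 [129.41.222.125] <news@sending-domain.com> -> <bob@example.org>, Queue-ID: ED4FC1A1EDA, Message-ID: <msg3@sending-domain.com>, mail_id: SbCRIirAbHc6, Hits: -, size: 10027, queued_as: 6EA4A1A1EDB, dkim_sd=sending-domain.com, 133 ms
"""

# clamd's syslog line names the amavis work directory, which embeds the amavis
# child's pid. The second form clamd also emits ("Mon Dec 17 ... -> ~/var/...") is
# deliberately not matched so a hit is not counted twice. The "(:552)" suffix after
# a signature name is stripped.
CLAMD_RE = re.compile(
    r"clamd\[\d+\]: \S*/amavis-\d{8}T\d{6}-(?P<pid>\d+)-\S+: "
    r"(?P<sig>[^\s(]+)(?:\([^)]*\))? FOUND$"
)
# amavis's one-line verdict: "(pid-task) Passed|Blocked CATEGORY {Action} ... Hits: x"
AMAVIS_RE = re.compile(
    r"amavis\[(?P<pid>\d+)\]: \((?P<task>\d+-\d+)\) (?P<verdict>Passed|Blocked) "
    r"(?P<category>[A-Z-]+(?: \([^)]*\))?) \{(?P<action>\w+)\}.*?, "
    r"mail_id: (?P<mail_id>\S+), Hits: (?P<hits>[-\d.]+)"
)


def correlate(lines):
    """Walk the log in order and attach each clamd FOUND to the next amavis verdict
    from the same amavis child (pid). Assumption: amavis-<date>T<time>-<pid>-<tag> is
    that child's work directory, so the next verdict it logs is the message clamd
    was scanning."""
    pending = defaultdict(list)  # pid -> signatures clamd reported, not yet attributed
    tasks = []
    for line in lines:
        hit = CLAMD_RE.search(line)
        if hit:
            pending[hit["pid"]].append(hit["sig"])
            continue
        verdict = AMAVIS_RE.search(line)
        if verdict:
            tasks.append({
                "task": verdict["task"],
                "verdict": verdict["verdict"],
                "category": verdict["category"],
                "action": verdict["action"],
                "mail_id": verdict["mail_id"],
                "hits": verdict["hits"],
                "clamd_hits": pending.pop(verdict["pid"], []),
            })
    return tasks


def unscored(tasks):
    """'Hits: -' means SpamAssassin never scored the message: a whitelisted sender,
    a virus/banned verdict that short-circuited scanning, or bypassed spam checks."""
    return [t for t in tasks if t["hits"] == "-"]


def clamd_hit_but_passed(tasks):
    """Messages clamd reported FOUND on that amavis nevertheless passed."""
    return [t for t in tasks if t["clamd_hits"] and t["verdict"] == "Passed"]


if __name__ == "__main__":
    tasks = correlate(SAMPLE_LOG.splitlines())
    for t in clamd_hit_but_passed(tasks):
        print(f"{t['task']}: clamd {t['clamd_hits']} but {t['verdict']} "
              f"{t['category']} ({t['action']}), mail_id {t['mail_id']}")
    for t in unscored(tasks):
        print(f"{t['task']}: not scored by SA ({t['verdict']} {t['category']})")
```

Run it over the real mail log in place of SAMPLE_LOG to list every message clamd flagged that amavis still passed, grouped by signature name. One setting worth checking for such messages is @virus_name_to_spam_score_maps in amavisd.conf-default, which maps certain signature-name patterns (Sanesecurity ones among them) to a spam score instead of an infected verdict, so a clamd FOUND on those names does not by itself trigger the virus action.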


Re: R: Bypass spam check for message from my local domain

2018-11-07 Thread Dominic Raferd
On Wed, 7 Nov 2018 at 06:12, Benny Pedersen  wrote:

> Scappatura Rocco skrev den 2018-11-06 18:50:
>
> > Could you instruct me on how I could define ORIGINATING Policy Bank?
>
>
> https://forum.iredmail.org/topic5009-iredmail-support-disabling-oubout-amavisd-scanning.html
>
> dont disable amavisd for virus scanning, make the policy bank bounce
> virus to local senders
>

This is good advice in principle, but in my experience most of the time
taken by amavis is actually taken by child process clamav, so if you don't
disable virus scanning you don't save much time.
To kill child processes (i.e. clamav) that take too long I use
$child_timeout = 20;


Re: Example for amavisd-signer as separate systemd service?

2018-11-02 Thread Dominic Raferd
On Fri, 2 Nov 2018 at 09:11, Dino Edwards 
wrote:

> -Original Message-
> From: amavis-users [mailto:amavis-users-bounces+dino.edwards=
> mydirectmail@amavis.org] On Behalf Of ge...@ssl-mail.com
> Sent: Thursday, November 1, 2018 8:00 PM
>
> I am just installing Amavisd-New to use with Postfix.
> I am working on DKIM signing.
> I read the docs about amavisd-signer and have some questions.
> I want to set up amavisd-signer as a separate signing service.
> I am looking for an example of launching it with systemd .service.
> Also I want to understand if it uses then a separate configuration file?
> From the amavisd.conf?
> Is there a good example or documentation of these?
>
> If you want it as a separate service, wouldn't it be better to use opendkim
> instead?

+1. And once opendkim is working ok, add opendmarc - which has
similar/compatible configuration.


Re: get rid of "Open relay?" and set up DKIM

2018-10-18 Thread Dominic Raferd
On Thu, 18 Oct 2018 at 15:32, Matus UHLAR - fantomas 
wrote:

> Hello,
>
> I am trying to get rid of annoying "Open relay?" messages and later set up
> DKIM signing, which both I believe are doable by properly setting
> @mynetworks.
>
> the README.lookups says:
>
>  @mynetworks_maps = (read_array('/etc/amavisd-mynetworks'), \@mynetworks);
>
> or
>
>  @mynetworks_maps = (read_hash('/etc/amavisd-mynetworks'), \@mynetworks);
>
> and https://sourceforge.net/p/amavis/mailman/message/24573173/ recommends
> "not to forget to re-evaluate the @client_ipaddr_policy after/if
> @mynetworks_maps is changed:"
>
> @client_ipaddr_policy = map(($_,'MYNETS'), @mynetworks_maps);
>
>
> I have tried it all.
>
> I have even assigned direct IP addresses to @mynetworks:
>
> @mynetworks = qw(127.0.0.1 192.168.20.40 );
>
> but the message still appears:
>
> Oct 18 16:15:48 smtp2 amavis[1814]: (01814-15) Checking: WwuVqzvm1fVY
> AM.PDP-SOCK [192.168.20.40]  -> 
> Oct 18 16:15:48 smtp2 amavis[1814]: (01814-15) Open relay? Nonlocal recips
> but not originating: censored
>
> I am using amavisd-milter to process mail at SMTP level.
> do I need to play with policy banks?
>
> amavisd-new-2.10.1, Debian 8.
>

I too have had this problem. But now, based on studying
amavisd.conf-default, I think the problem is that when we set a policy_bank
it overwrites (for emails that are covered by it) with default values many
variables that may be specifically defined by us outside the policy bank -
which is not the behaviour you or I would expect. This includes
@mynetworks; so you need to define @mynetworks *inside* the policy bank for
it to be effective for these emails - in your case this means inside
$policy_bank { 'AM.PDP-SOCK' }.

HTH, Dominic


Re: amavis: Next Steps

2018-10-11 Thread Dominic Raferd
On Thu, 11 Oct 2018 at 17:13, Benny Pedersen  wrote:

> Curtis Maurand skrev den 2018-10-11 16:09:
>
> > I get public key not available. I have one other domain with a 512 bit
> > keys and it works.
>
> opendkim have minimal keysize of 1024
>
> so you will randomly get dkim fails
>

opendkim has default requirement of keysize 1024+, but you can change this
with MinimumKeyBits in opendkim.conf. Still, it is inadvisable (and not
only for this reason) to continue using a key with 512 bits.
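An added example (not from the thread and not opendkim code) of the check behind MinimumKeyBits: read the p= tag of a DKIM selector record, decode the SubjectPublicKeyInfo it carries and report the RSA modulus size. The DNS lookup is left out; in practice you pass in the TXT string, for example the output of `dig +short TXT selector._domainkey.example.com`. The sample records are constructed with a small DER encoder from moduli that have the right bit length but are not real RSA keys.

```python
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


# --- minimal DER encoder, used only to build the constructed records below ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA key, the structure base64-encoded in a DKIM
    p= tag. Constructed moduli passed in here are not real RSA keys."""
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


# --- minimal DER reader: SPKI -> BIT STRING -> RSAPublicKey -> modulus ---
def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, spki_body, _ = _read_tlv(spki)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, algorithm, pos = _read_tlv(spki_body)
    if not algorithm.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki_body, pos)
    if tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string[1:])  # skip the unused-bits octet
    tag, modulus, _ = _read_tlv(rsa_public_key)
    if tag != 0x02:
        raise ValueError("missing RSA modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def dkim_key_bits(txt_record):
    """Key size of the p= tag in a DKIM TXT record; 0 for a revoked key (empty p=)."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip().replace(" ", "")
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM record")
    if not tags.get("p"):
        return 0
    return rsa_modulus_bits(base64.b64decode(tags["p"]))


def key_acceptable(bits, minimum_key_bits=1024):
    """1024 is opendkim's default MinimumKeyBits, as stated in the post above."""
    return bits >= minimum_key_bits


# Constructed records: 512 bits is the case discussed above; 1024 and 2048 pass.
RECORD_512 = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 511) | 1)).decode()
RECORD_1024 = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 1023) | 1)).decode()
RECORD_2048 = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 2047) | 1)).decode()
RECORD_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, record in [("512", RECORD_512), ("1024", RECORD_1024), ("2048", RECORD_2048)]:
        bits = dkim_key_bits(record)
        verdict = "ok" if key_acceptable(bits) else "below MinimumKeyBits"
        print(f"{name}-bit record: modulus {bits} bits, {verdict}")
```

A verifier that lowers MinimumKeyBits to accept the 512-bit record makes the signature validate again, but the check above is the one to run before deciding that; a modulus that short is the thing to replace, not the threshold.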


Re: Amavis not filtering spam for entries in second domain

2018-09-18 Thread Dominic Raferd
On Tue, 18 Sep 2018 at 09:13, Miguel Almeida 
wrote:

> My postfix installation is working correctly (delivery via dovecot, spam
> filtering via amavis - spamassasin).
>
> I receive emails in itc.com and bbv.com domains. For the emails that sent
> to, bbv.com amavis is not adding the spam headers (which I have
> configured to be always added, via $sa_tag_level_deflt  = -20;)
>
> I initially had the following in  /etc/amavis/conf.d/05-domain_id:
>
> $mydomain = "itc.com";
> @local_domains_acl = ( ".$mydomain");
>
> I have tried to add my second domain in two ways:
> @local_domains_acl = ( ".$mydomain", ".bbv.com" );
> and
> @local_domains_maps = ( [".$mydomain", ".bbv.com"]);
> (and both)
>
> But the headers are not added.
> Here is an example log (with log_level = 5) of an email received at
> i...@bbv.com:
> https://gist.github.com/mmalmeida/b3523d9ec2fbab5d4aac3fed28961bf1
>
> I can successfully see the email headers added if I change $mydomain to
> bbv.com.
>
> Can you help me understand why I am not able to have both domains with the
> spam headers added at the same time?
>

I think there is a bug in amavis so that headers are not always added when
the score is above $sa_tag_level_deflt. Maybe it only arises if
$sa_tag_level_deflt<0? I tried $sa_tag_level_deflt=-999 and found that
still a lot of emails did not have info headers added. (I was then I
believe using amavis v2.10.)


Re: amavisd-release

2018-08-28 Thread Dominic Raferd
On Tue, 28 Aug 2018 at 16:26, Deeztek Support  wrote:
>
> What command are you using to release message?
>
> -Original Message-
> From: amavis-users 
> [mailto:amavis-users-bounces+support=deeztek@amavis.org] On Behalf Of R. 
> Sterenborg (Lists)
> Sent: Tuesday, August 28, 2018 5:23 AM
> To: amavis-users@amavis.org
> Subject: amavisd-release
>
> I'm struggling with getting amavisd-release to work.
>
> Amavisd 2.11.0 on CentOS 7.
>
>
> In amavisd.conf:
> =
> $inet_socket_port = [ 9998, 10024, 10026 ];
>
> $do_syslog= 0;
> $logfile  = '/path/to/amavisd.log';
>
> $QUARANTINEDIR= '/path/to/amavisd/quarantine'; 
> $virus_quarantine_method  = 'local:virus/virus-%i-%n'; 
> $spam_quarantine_method   = 'local:spam/spam-%b-%i-%n'; 
> $banned_files_quarantine_method   = 'local:banned/banned-%i-%n'; 
> $bad_header_quarantine_method = 'local:badh/badh-%i-%n';
>
> $interface_policy{'9998'} = 'AM.PDP-INET'; 
> $policy_bank{'AM.PDP-INET'}   = {
>protocol=> 'AM.PDP',
>inet_acl=> [qw( 127.0.0.1 )],
>auth_required_release   => 0, }; =
>
>
> In amavisd-release:
> =
>$socketname = '127.0.0.1:9998';
> =
>
>
>  From
> https://www.ijs.si/software/amavisd/amavisd-new-docs.html#quar-release:
>
> "The secret_id is stored in SQL table msgs when logging to SQL is enabled, 
> otherwise this information is not accessible."
>
> We're not using SQL with amavisd, so I set auth_required_release to 0.
>
>
> Whenever I try to release an email, it fails:
>
> # amavisd-release virus/virus-20180827T110127-45477-09
> 250 2.5.0 No recipients, nothing to do
>
> # amavisd-release virus/virus-20180827T110127-45477-09 ''
> 250 2.5.0 No recipients, nothing to do
>
> # amavisd-release virus/virus-20180827T110127-45477-09 '' u...@domain.tld
> 450 4.5.0 ERROR: Stored quarantine ID 'ziXFTUeDuvT7' does not match requested 
> ID 'virus-20180827T110127-45477-09' at /usr/sbin/amavisd line 11904.
>
>
> Changing from inet_socket_port to unix_socketname doesn't change the result.
>
>
> Can someone please help me find the error I'm making?

Are you sure that the file you are trying to release is a valid email
which specifies a recipient?

Did you try:
# amavisd-release virus/virus-20180827T110127-45477-09 ziXFTUeDuvT7
u...@domain.tld

If this works it reveals a vulnerability in the 'secret-id' system
used by amavisd-release, but it would enable you to move forward.


docx decoding (docx2txt.pl)

2018-08-14 Thread Dominic Raferd
Can Amavis 2.11.0 decode docx files out of the box?

A while ago I installed docx2txt.pl (which, as its name suggests, provides
simple text output from a docx file) and set this in 50-user.conf:
@decoders = (
  ...
  ['doc', \&do_ole, 'docx2txt.pl'],
  ['docx', \&do_ole, 'docx2txt.pl'],
  ...

but now I find error messages in the log like this:
amavis[22144]: (22144-01) (!!)collect_results from [26149] (/usr/local/bin/
docx2txt.pl): exit 255 \nUsage:\t/usr/local/bin/docx2txt.pl
[infile.docx|-|-h] [outfile.txt|-]\n\t/usr/local/bin/docx2txt.pl <
infile.docx\n\t/usr/local/bin/docx2txt.pl < infile.docx >
outfile.txt\n\n\tIn second usage, output is dumped on STDOUT.\n\n\tUse '-h'
as the first argument to get this usage information.\n\n\tUse '-' as the
infile name to read the docx file from STDIN.\n\n\tUse '-' as the outfile
name to dump the text on STDOUT.\n\tOutput is saved in infile.txt if second
argument is omitted.\n\nNote:\tinfile.docx can also be a directory name
holding the unzipped content\n\tof concerned .docx file.\n\n

Evidently amavis is not passing parameters to docx2txt.pl in the correct
way, and so docx2txt.pl outputs its help text. Probably it omits the
required '-' as the second parameter. (When I pass the docx attachment
directly to docx2txt.pl it processes it fine.)

Is this fixable or should docx files be handled in a different way?  The
default setting for 'doc' files also seems to fail on my installation
because I have no program 'ripole'. What happens about 'docm' files?


Re: What dictates when freshclam updates?

2018-08-01 Thread Dominic Raferd
On Wed, 1 Aug 2018 at 13:39, Danny Horne  wrote:

> Hi all,
>
> I've been trying to figure out what dictates the interval at which
> freshclam updates the virus database.  It currently updates every three
> hours, but I rebooted my server at midnight last night, expecting
> updates to be done at 03:00, 06:00 etc., but they started at 05:00, then
> 08:00 etc.
>
> /etc/freshclam.conf is set to update every hour (for testing purposes),
> but this is ignored (guessing I need to set a cron job, but if that's
> the case why offer a time interval in the configuration file).
>
> Just trying to understand the update process.
>

I think it should be determined by freshclam.conf, which in my case is at
/etc/clamav (and is shown as such in my 'man freshclam'). On my system
(Ubuntu 18.04) freshclam is run by systemd (as clamav-freshclam), but it
knows not to run if /etc/cron.d/clamav-freshclam exists (which it doesn't
in my case), as presumably in this case freshclam is being run from cron.
My setting in freshclam.conf is to update every hour (Checks 24) and it
works like that.

You probably have to reload freshclam if you make changes to the
freshclam.conf file. So:
- are you sure you are editing the correct freshclam.conf file?
- did you reload freshclam after making changes to it?


Bug in Debian/Ubuntu amavisd-release 2.11

2018-08-01 Thread Dominic Raferd
There is a bug in the latest amavisd-release as found in Debian sid and
carried into Ubuntu 18.04 (bionic): the unix socket is incorrectly defined.
The effect is that amavisd-release will not release quarantined emails
because it can't find the unix socket. You can fix it manually or use the
attached bash script which checks it and offers a fix if required.

The reason for the problem is that Debian's packaged amavis uses
non-standard $MYHOME '/var/lib/amavis' instead of '/var/amavis' and this
has not (yet) been corrected in the packaged version of amavisd-release (it
was corrected in the previously-packaged 2.10).

(I've submitted a bug report for Ubuntu and hopefully it will make its way
back to the Debian maintainers.)
#!/bin/bash
VERSION="0.2 [01 Aug 2018]"
THIS=$(basename "$0")
echo -e "\n$THIS v$VERSION - by Dominic Raferd domi...@timedicer.co.uk
${THIS//?/=}\n"
echo -e "This checks and can fix amavisd-release to use \
the correct unix socket for amavisd-new\n"
AMAVISD_RELEASE=$(whereis amavisd-release|cut -d" " -f2)
if [[ ! -x $AMAVISD_RELEASE ]]; then
  echo "Can't find amavisd-release, aborting" >&2
  exit 1
fi
echo -e "Found amavisd-release at '$AMAVISD_RELEASE'\n"
# SOCKETDATA[0]: line number containing the definition in amavisd-release
# SOCKETDATA[1]: the socket address defined in amavisd-release
SOCKETDATA=( $(grep -n '^\s*$socketname =' "$AMAVISD_RELEASE"|\
awk -F"[\"':]" '{print $1,$3}') )
[[ -n ${SOCKETDATA[0]} && -n ${SOCKETDATA[1]} ]] || { echo "Can't locate \
\$socketname in $AMAVISD_RELEASE, aborting" >&2; exit 1; }
# amavis reads /etc/amavis/conf.d/* in lexical order and a later assignment
# overrides an earlier one, so the last definition found is the live one
TRUESOCKET=$(grep -h "^\$unix_socketname =" /etc/amavis/conf.d/* 2>/dev/null\
|awk -F"['\"]" '{print $2}'|tail -n1)
if [[ -z $TRUESOCKET ]]; then
  echo "Can't find \$unix_socketname in /etc/amavis/conf.d, aborting">&2
  EXITCODE=1
elif [[ ${SOCKETDATA[1]} == "$TRUESOCKET" ]]; then
  echo "$AMAVISD_RELEASE already has correct socket address 
'$TRUESOCKET', no change required"
  EXITCODE=0
else
  echo -e "$AMAVISD_RELEASE has wrong socket address \
${SOCKETDATA[1]} at line ${SOCKETDATA[0]}"
  if [[ $(id -u) != 0 ]]; then
    echo "You must be root to fix this, aborting now" >&2
    EXITCODE=1
  else
    read -t 30 -p "Change it now to $TRUESOCKET (y/-)? "
    if [[ $REPLY != y ]]; then
      echo "No changes made"
    else
      # replace only the value; the trailing ';' keeps the Perl statement valid
      sed -i "${SOCKETDATA[0]}{s~=.*~= \"$TRUESOCKET\";~}" "$AMAVISD_RELEASE"
      echo "Change was attempted, please re-run $THIS to check it is now ok"
    fi
    EXITCODE=0
  fi
fi
exit $EXITCODE


Re: whitelist sender domain 'Return-path:' vs 'From:'

2018-03-21 Thread Dominic Raferd
On 21 March 2018 at 16:44, Martin Johannes Dauser 
wrote:

> Regarding that whitelist_sender_maps would work on 'From:' header, not the
> envelope sender, I can not comply!
>
> I set buxdehu.de in whitelist
>
> Then I telnet to my mailserver
>
> $ *telnet localhost 25*
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mail.cs.sbg.ac.at ESMTP Postfix (RHEL/GNU)
> *EHLO mail.cs.sbg.ac.at <http://mail.cs.sbg.ac.at>*
> 250-mail.cs.sbg.ac.at
> 250-PIPELINING
> 250-SIZE 52428800
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-XFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> *MAIL FROM:*
> 250 2.1.0 Ok
> *RCPT TO:*
> 250 2.1.5 Ok
> *DATA*
> 354 End data with .
> *FROM: lum...@la.la *
> *SUBJECT: testmail*
>
> *test*
> *.*
> 250 2.0.0 Ok: queued as 31F66200A4D2
> *QUIT*
>
> And I get
> X-spam-status: No, score=x required=6 WHITELISTED tests=[]
>
> So at least in my setup it's the envelope sender which is observed.
>
> A failure of mine in the previous posts was that I used quotes within the
> files for whitelisting.
> That's a baaad idea.
>
> Best regards
> Martin Johannes Dauser
>
> On Wed, 2018-03-21 at 14:35 +, Dominic Raferd wrote:
>
>
>
> On 26 February 2018 at 16:34, Dominic Raferd 
> wrote:
>
> I have now updated my 50-user.conf to this:
> $interface_policy{'10024'} = 'INCOMING';
> $policy_bank{'INCOMING'} = {
>   whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
> };
>
>
> Note that this whitelisting technique works on the address given in the
> 'From:' header, not the envelope sender (aka Return-Path).
>
> Each address in /etc/amavis/whitelist (one per line, comments and blank
> lines are ignored) can be whole email address, domain only, or domain
> preceded by dot in which case it matches emails from domain *and* any
> subdomains:
>
> # example amavis whitelist file
>
> amavis-users@amavis.org
> .currys.co.uk
> zpg.co.uk
>
> After updating the file you (probably - untested) have to reload amavis
> for it to take account of the changes. If you have systemd:
> systemctl reload-or-restart amavis
>
>
Interesting but in my setup it is definitely the From: header that is
compared, I have numerous examples, and I cannot find a single
counter-example (where an email is whitelisted and the whitelist can only
be because of the envelope sender). I guess there must be some subtle
difference in our setup?


Re: whitelist sender domain

2018-03-21 Thread Dominic Raferd
On 26 February 2018 at 16:34, Dominic Raferd 
wrote:

> I have now updated my 50-user.conf to this:
> $interface_policy{'10024'} = 'INCOMING';
> $policy_bank{'INCOMING'} = {
>   whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
> };
>

Note that this whitelisting technique works on the address given in the
'From:' header, not the envelope sender (aka Return-Path).

Each address in /etc/amavis/whitelist (one per line, comments and blank
lines are ignored) can be a whole email address, a domain only, or a domain
preceded by a dot, in which case it matches emails from the domain *and* any
subdomains:

# example amavis whitelist file

amavis-users@amavis.org
.currys.co.uk
zpg.co.uk

After updating the file you (probably - untested) have to reload amavis
for it to take account of the changes. If you have systemd:
systemctl reload-or-restart amavis


Re: whitelist sender domain

2018-02-26 Thread Dominic Raferd
On 21 February 2018 at 10:21, Martin Johannes Dauser
 wrote:
>
> On Sat, 2018-02-17 at 09:49 +, Dominic Raferd wrote:
> > On 16 February 2018 at 21:05, Dauser Martin Johannes
> >  wrote:
> > > Well this topic is quite old, still when searching for hard
> > > whitelisting with amavisd-new you'll find this solution on
> > > different
> > > sites.
> > >
> > > Dominic Raferd wrote on Dec 11 2016
> > >
> > > I use a whitelist with amavis: I have a file
> > > /etc/amavis/whitelist
> > > which contains on each line either a comment (starting with
> > > hash #),
> > > full email address or just a domain, and then in
> > > /etc/amavis/conf.d/50-user I have lines like this:
> > >
> > > # whitelist some senders to save time and avoid false positives
> > > # - you can list full addresses or domains, one per line
> > > # idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
> > > # This policy will perform virus checks only.
> > > read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> > > @whitelist_sender_maps = (\%whitelist_sender);
> > >
> > > $interface_policy{'10026'} = 'VIRUSONLY';
> > > $policy_bank{'VIRUSONLY'} = {
> > > bypass_spam_checks_maps   => ['@whitelist_sender_maps']
> > > ,
> > > bypass_banned_checks_maps => ['@whitelist_sender_maps'],
> > > bypass_header_checks_maps => ['@whitelist_sender_maps'],
> > > };
> > >
> > >
> > > The problem is, I've got the impression that this policy_bank is
> > > set
> > > wrong and doesn't serve the intended purpose to whitelist SENDERS
> > > --
> > > neither incoming nor outgoing. Actually it seems to state nonsense.
> > > Here are my thoughts and I gladly accept corrections:
> > >
> > > To make it more clearly I moved the bypass_spam_checks_maps out of
> > > the
> > > hash/associative array:
> > >
> > > @bypass_spam_maps = ('@whitelist_sender_maps');
> > >
> > > + First, and this took for me a while to fully realise, @*_maps
> > > just
> > > tells the subroutine 'lookup' where and with which method (SQL,
> > > LDAP,
> > > hash, access control list, regexp, constant) it should search. [1]
> > >
> > > + Second, if it is not stated otherwise it searches for the
> > > RECIPIENT's
> > > envelope address. And I couldn't find anywhere that this very map
> > > is
> > > meant to search for senders:
> > >
> > > Documentation for whitelisting [2] is talking about senders but
> > > only in
> > > conjunction with the lookup tables @whitelist_sender_maps,
> > > @blacklist_sender_maps and
> > > $per_recip_blacklist_sender_lookup_tables.
> > >
> > > But the same Document [3] states: "Using configuration variables
> > > @bypass_virus_checks_maps, @bypass_banned_checks_maps,
> > > @bypass_header_checks_maps and @bypass_spam_checks_maps each
> > > RECIPIENT
> > > ... may suggest that certain tests are not needed ... . Although
> > > the
> > > @bypass_*_checks_maps PERTAIN TO INDIVIDUAL RECIPIENTS, ...
> > > Suggestion
> > > by some of the RECIPIENTS that certain check ... is to be bypassed
> > > ...
> > > does not guarantee the test will not be performed. "
> > >
> > > So you can't set whitelisted senders with @bypass_*_maps.
> > >
> > > + Third, looking at my code line above @bypass_spam_maps is an
> > > array/"list" containing one member, which is a STRING
> > > '@whitelist_sender_maps'. This means the subroutine interprets this as a constant
> > > and
> > > returns this very string '@whitelist_sender_maps' as a value, which
> > > doesn't make any sense in this context as it is neither an email
> > > address nor a domain. -- Perl itself won't complain as the syntax
> > > is
> > > still correct and there won't be a hit ever.
> > >
> > > @bypass_spam_maps = (\%whitelist_sender);
> > >
> > > or within the policy bank I guess:
> > >
> > > bypass_spam_maps => [\%whitelist_sender

Re: whitelist sender domain

2018-02-17 Thread Dominic Raferd
On 16 February 2018 at 21:05, Dauser Martin Johannes
 wrote:
> Well this topic is quite old, still when searching for hard
> whitelisting with amavisd-new you'll find this solution on different
> sites.
>
> Dominic Raferd wrote on Dec 11 2016
>
> I use a whitelist with amavis: I have a file /etc/amavis/whitelist
> which contains on each line either a comment (starting with hash #),
> full email address or just a domain, and then in
> /etc/amavis/conf.d/50-user I have lines like this:
>
> # whitelist some senders to save time and avoid false positives
> # - you can list full addresses or domains, one per line
> # idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
> # This policy will perform virus checks only.
> read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> @whitelist_sender_maps = (\%whitelist_sender);
>
> $interface_policy{'10026'} = 'VIRUSONLY';
> $policy_bank{'VIRUSONLY'} = {
> bypass_spam_checks_maps   => ['@whitelist_sender_maps'],
> bypass_banned_checks_maps => ['@whitelist_sender_maps'],
> bypass_header_checks_maps => ['@whitelist_sender_maps'],
> };
>
>
> The problem is, I've got the impression that this policy_bank is set
> wrong and doesn't serve the intended purpose to whitelist SENDERS --
> neither incoming nor outgoing. Actually it seems to state nonsense.
> Here are my thoughts and I gladly accept corrections:
>
> To make it more clearly I moved the bypass_spam_checks_maps out of the
> hash/associative array:
>
> @bypass_spam_maps = ('@whitelist_sender_maps');
>
> + First, and this took for me a while to fully realise, @*_maps just
> tells the subroutine 'lookup' where and with which method (SQL, LDAP,
> hash, access control list, regexp, constant) it should search. [1]
>
> + Second, if it is not stated otherwise it searches for the RECIPIENT's
> envelope address. And I couldn't find anywhere that this very map is
> meant to search for senders:
>
> Documentation for whitelisting [2] is talking about senders but only in
> conjunction with the lookup tables @whitelist_sender_maps,
> @blacklist_sender_maps and $per_recip_blacklist_sender_lookup_tables.
>
> But the same Document [3] states: "Using configuration variables
> @bypass_virus_checks_maps, @bypass_banned_checks_maps,
> @bypass_header_checks_maps and @bypass_spam_checks_maps each RECIPIENT
> ... may suggest that certain tests are not needed ... . Although the
> @bypass_*_checks_maps PERTAIN TO INDIVIDUAL RECIPIENTS, ... Suggestion
> by some of the RECIPIENTS that certain check ... is to be bypassed ...
> does not guarantee the test will not be performed. "
>
> So you can't set whitelisted senders with @bypass_*_maps.
>
> + Third, looking at my code line above @bypass_spam_maps is an
> array/"list" containing one member, which is a STRING
> '@whitelist_sender_maps'. This means the subroutine interprets this as a constant and
> returns this very string '@whitelist_sender_maps' as a value, which
> doesn't make any sense in this context as it is neither an email
> address nor a domain. -- Perl itself won't complain as the syntax is
> still correct and there won't be a hit ever.
>
> @bypass_spam_maps = (\%whitelist_sender);
>
> or within the policy bank I guess:
>
> bypass_spam_maps => [\%whitelist_sender],
>
> would search for email addresses within the file /etc/amavis/whitelist,
> I think. But as noted at my second point, those are sender addresses,
> not the expected recipients.
>
>
> Ah, global hard whitelisting of senders. How might it be done then. (Be
> aware of the caveats of whitelisting!)
>
> read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
> @whitelist_sender_maps = (\%whitelist_sender);
>
> And content of /etc/amavis/whitelist:
>
> some.trustwor...@doma.in  #full email address
> some.trustworthy@ #full local part
> in.domain.we.trust#full email domain
> .we.trust #accepting sub domains
>
>
> It should even be possible to set a sender whitelist within a policy
> bank:
>
> $policy_bank{'WHITELIST'} = {
> whitelist_sender_maps => [ read_hash('/etc/amavis/whitelist') ],
> }
>
>
> As already noted, these are my thoughts and I gladly accept
> corrections.
>
> Martin Johannes Dauser
>
>
> 1 https://www.ijs.si/software/amavisd/README.lookups.txt
>
> 2 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#wblist
>
> 3 https://www.ijs.si/software/amavisd/amavisd-new-docs.html#checks

I defer to your greater understanding of amavis and perl, but at a
practical level the whitelist settings that I suggested above do work
for me.
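As an added illustration of the whitelist file format described in the two posts above (this is not amavis code and not from either poster): a small Python model of how a read_hash-style file is parsed and how a sender address is matched against it, covering whole addresses, local-part-only entries, exact domains and dot-prefixed domains that also match subdomains. The lookup order and the lower-casing are assumptions modelled on README.lookups (linked in the quoted post); which address amavis actually compares, envelope sender or From: header, is the question the thread leaves open, so the function just takes whatever address it is given.

```python
"""Model of an amavisd-new sender whitelist file and its lookup.

Added example, not code from amavis or from the posters above.  It mirrors
the rules stated in the thread: '#' comment lines and blank lines are
ignored; an entry may be a whole address, a local part followed by '@',
an exact domain, or a dot-prefixed domain that matches the domain itself
and every subdomain.  Lookup order and lower-casing are assumptions
modelled on README.lookups.
"""
from typing import Dict, List, Optional

# Constructed sample file in the thread's format.  Trailing '#' text is
# harmless because, like read_hash, we take only the first token as the key.
SAMPLE_WHITELIST = """\
# example amavis whitelist file

amavis-users@amavis.org   # whole address
.currys.co.uk             # this domain and all of its subdomains
zpg.co.uk                 # exactly this domain
some.trustworthy@         # this local part at any domain
"""


def read_whitelist(text: str) -> Dict[str, str]:
    """Parse the file like read_hash: first token is the key, the rest of
    the line (if any) is the value; comment and blank lines are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1] if len(parts) > 1 else "1"
    return table


def lookup_keys(address: str) -> List[str]:
    """Keys tried, most specific first, for one sender address."""
    addr = address.strip().lower()
    local, at, domain = addr.rpartition("@")
    if not at or not domain:
        return []                      # not a usable address
    keys = [addr, local + "@", domain]
    labels = domain.split(".")
    # '.currys.co.uk' must match currys.co.uk and shop.currys.co.uk alike,
    # so try the dotted form of the domain and of each parent domain.
    keys.extend("." + ".".join(labels[i:]) for i in range(len(labels)))
    return keys


def whitelist_match(table: Dict[str, str], address: str) -> Optional[str]:
    """Return the whitelist entry that matched `address`, or None."""
    for key in lookup_keys(address):
        if key in table:
            return key
    return None


if __name__ == "__main__":
    table = read_whitelist(SAMPLE_WHITELIST)
    for sender in ("amavis-users@amavis.org", "Someone@Shop.Currys.co.uk",
                   "someone@sub.zpg.co.uk", "some.trustworthy@example.net",
                   "stranger@example.org"):
        print(f"{sender:32} -> {whitelist_match(table, sender)}")
```

Note that the exact domain entry zpg.co.uk does not match mail from sub.zpg.co.uk, while the dotted entry .currys.co.uk matches both currys.co.uk and any subdomain.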


Re: originating flag not working - critical bug - RelayedOpenRelay / DKIM signing not working

2018-02-12 Thread Dominic Raferd
On 12 February 2018 at 10:06, Dino Edwards
 wrote:
> Wouldn't this be avoided by simply using opendkim for DKIM signing instead of 
> relying on amavis for that?

... and use a program to do one thing and do it well -
https://en.wikipedia.org/wiki/Unix_philosophy


Re: Header -> amavis quarantine

2018-02-10 Thread Dominic Raferd
On 9 February 2018 at 17:56, Markus Clardy  wrote:
> On Fri, Feb 9, 2018 at 5:41 PM, Dominic Raferd 
> wrote:
>>
>> On 9 February 2018 at 16:59, Markus Clardy  wrote:
>> > On Fri, Feb 9, 2018 at 4:23 PM, Dominic Raferd 
>> > wrote:
>> >>
>> >> Is there a way to have the presence of a specific header (or, better,
>> >> a specific beginning to a header, where the later text might vary)
>> >> causing quarantining by amavis. Use case is that postfix header_checks
>> >> will identify a suspect mail and add the header before the mail is
>> >> passed to amavis.
>> >>
>> >> Example header which should lead to amavis quarantining the mail:
>> >>
>> >> X-Hold: mydomain.tld; Withheld by order of check_header.pcre (.world
>> >> domain)
>> >>
>> >> I feel sure amavis is powerful enough to do this but the plethora of
>> >> options, and the perl terminology, leave me baffled. Thanks for any
>> >> help.
>> >>
>> > What you can do is have a port/policy in Amavisd for Quarantining
>> > everything, then just instead of adding a header in Postfix, have the
>> > mail
>> > redirect to that port.
>> >
>> > This way, mail that is meant to be held as designated by Postfix, will
>> > go to
>> > the quarantine that way.
>> >
>>
>> Thanks Marcus but I want amavis to continue doing its own stuff as
>> normal as well as quarantining these extra mails. Also it sounds
>> complicated to resubmit mails via a different port but it is very easy
>> to add a header using the postfix PREPEND option.
> Not that hard actually.
>
> You create a new port for Amavisd:
>
> $inet_socket_port = [10024, 10030];
>
> Then create a Policy for it:
>
> $interface_policy{'10030'} = 'Quarantine.Postfix';
> $policy_bank{'Quarantine.Postfix'} = {
>   archive_quarantine_to_maps => ['archive-quarantine'],
>   archive_quarantine_method  => 'local:hold-%m',
>   final_destiny_maps_by_ccat => { REPLACE => 1, &CC_CATCHALL => D_DISCARD },
>   forward_method             => 'smtp:[127.0.0.1]:10024',
> };
>
>
> After that, in your header checks, you would have the header check cause
> "FILTER smtp-amavis:[127.0.0.1]:10030" instead of "PREPEND X-Hold: ".
>
> This will mean that any mail submitted on port 10030 of Amavisd gets
> quarantined (and will appear as hold-UniqID in your quarantine, UniqID being
> the Amavisd ID), and anything submitted on your normal port (assumed 10024
> in this case) will get scanned as normal.
>
> This is just an example, and you could do more with it if you'd like, such
> as separating different reasons to be quarantined.
>
>
> To my knowledge, Amavis doesn't have an automatic quarantine header list.
>
>
>
> The other option would be to add a large score in SpamAssassin if this
> header is found. That would also cause the mail to get quarantined, but may
> not appear necessarily the same way you are looking for it to appear in the
> quarantine (it'll get marked as Spam).
>

I've implemented your second suggestion with a couple of lines in
/etc/spamassassin/local.cf thus:

header LOCAL_SUSPECT_HEADER X-Hold =~ /mydomain\.tld; suspect/
score LOCAL_SUSPECT_HEADER 9

and entries in my postfix access tables like this:

world PREPEND X-Hold: mydomain.tld; suspect sender (.world)

and it is working perfectly. Thanks for your help.


Re: Header -> amavis quarantine

2018-02-09 Thread Dominic Raferd
On 9 February 2018 at 16:59, Markus Clardy  wrote:
> On Fri, Feb 9, 2018 at 4:23 PM, Dominic Raferd 
> wrote:
>>
>> Is there a way to have the presence of a specific header (or, better,
>> a specific beginning to a header, where the later text might vary)
>> causing quarantining by amavis. Use case is that postfix header_checks
>> will identify a suspect mail and add the header before the mail is
>> passed to amavis.
>>
>> Example header which should lead to amavis quarantining the mail:
>>
>> X-Hold: mydomain.tld; Withheld by order of check_header.pcre (.world
>> domain)
>>
>> I feel sure amavis is powerful enough to do this but the plethora of
>> options, and the perl terminology, leave me baffled. Thanks for any
>> help.
>>
> What you can do is have a port/policy in Amavisd for Quarantining
> everything, then just instead of adding a header in Postfix, have the mail
> redirect to that port.
>
> This way, mail that is meant to be held as designated by Postfix, will go to
> the quarantine that way.
>

Thanks Marcus but I want amavis to continue doing its own stuff as
normal as well as quarantining these extra mails. Also it sounds
complicated to resubmit mails via a different port but it is very easy
to add a header using the postfix PREPEND option.


Header -> amavis quarantine

2018-02-09 Thread Dominic Raferd
Is there a way to have the presence of a specific header (or, better,
a specific beginning to a header, where the later text might vary)
causing quarantining by amavis. Use case is that postfix header_checks
will identify a suspect mail and add the header before the mail is
passed to amavis.

Example header which should lead to amavis quarantining the mail:

X-Hold: mydomain.tld; Withheld by order of check_header.pcre (.world domain)

I feel sure amavis is powerful enough to do this but the plethora of
options, and the perl terminology, leave me baffled. Thanks for any
help.


Re: Scoring questions

2018-01-30 Thread Dominic Raferd
On 30 January 2018 at 17:26, Computer Bob  wrote:
>
> I spoke too soon.
> Apparently the upgrade from Ubuntu 14.04 LTS to 16.04 LTS whacked the 
> spamassassin somehow and it was acting funny.
> There was no report template somehow and any SA call did not return a report.


On that specific point, and in the hope that it might help others, my
old notes of upgrading from Ubuntu 14.04 (to 15.04) state that I had
to do:

chmod 755 /var/lib/spamassassin

to get it working again after upgrade. An alternative (I wrote at the
time) might be to make user amavis a member of debian-spamd group.
(I had no further problems with SA/amavis when upgrading from 15.04 to 16.04.)


Re: Block ..rar files in amavisd

2018-01-22 Thread Dominic Raferd
On 22 January 2018 at 22:28, @lbutlr  wrote:

> I have a file mime_headers.pcre in postfix:
> /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" may not end with ".$3"
>
>

I do this too, but I use the exact example at
http://www.postfix.org/header_checks.5.html - is there a reason why yours
is subtly different?


Re: noisy amavisd-log, how to reduce but keep spam-score and attachment-log?

2017-08-09 Thread Dominic Raferd
>
> what does this do and is this documented somewhere?
>>
> are all amavisd-new config variables so cryptic?


For those of us who don't know perl, I think so. I suggest you look at
amavisd.conf-default which is available in the standard download package at
https://www.ijs.si/software/amavisd/#download. Here you find:

# $log_short_templ   ... built-in default at the end of file amavisd
# $log_verbose_templ ... built-in default at the end of file amavisd
# $log_recip_templ = ... built-in default at the end of file amavisd
# $log_templ = $log_short_templ;


Re: R: R: R: R: Message quarantined as SPAM

2017-07-20 Thread Dominic Raferd
These headers are from SpamAssassin not from amavis. Here is an example of
headers from amavisd-new:

X-Spam-Flag: YES
X-Spam-Score: 4.426
X-Spam-Level: 
X-Spam-Status: Yes, score=4.426 tag=4 tag2=4 kill=4 tests=[DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_LOW_CONTRAST=0.001,
HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.365,
RAZOR2_CF_RANGE_E8_51_100=2.43, RAZOR2_CHECK=1.729, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=disabled

Is it possible you are running spamassassin separately *after* amavis, and
spamassassin (when called independently, not via amavis) is clearing out
amavis headers and substituting its own?

My understanding (and I am not an expert) is that spamassassin should be
called *by* amavis and should not be adding any of its headers to the
email, the headers should be added by amavis based on all its testing
results (including from spamassassin). I do not know the exact relationship
between the hit score of amavis and the score that it gets back from
spamassassin, I would expect that amavis uses spamassassin score and adds
some more tests of its own to make an overall total. Someone more expert
will know.



On 20 July 2017 at 14:58, Scappatura Rocco 
wrote:

> Hello.
>
>
>
> Thank you for the answer. $sa_tag_level_deflt  is already set to 2.0. Here
> the headers of the message relative the score:
>
>
>
> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on av9.infracom.it
>
> X-Spam-Level: *
>
> X-Spam-Status: No, score=1.9 required=5.0 tests=BASE64_LENGTH_79_INF,
> BAYES_00,
>
> HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,
> MISSING_MIME_HB_SEP,
>
> MPART_ALT_DIFF,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,
>
> TO_NO_BRKTS_HTML_IMG,T_REMOTE_IMAGE autolearn=no
> autolearn_force=no
>
> version=3.4.0
>
> Delivered-To: spam-quarantine
>
> X-Envelope-To: 
>
> X-Envelope-To-Blocked: 
>
> X-Quarantine-ID: 
>
> X-Amavis-Alert: BAD HEADER SECTION, Non-encoded non-ASCII data (and not
> UTF-8)
>
> (char B0 hex): Subject: Annullamento Ordine n\x{B0} 217026098 del
>
> [...]
>
>
>
> So the thing to be clarified is the difference between the ‘score’
> reported by spamassassin (and X-Spam-Status header) and the Hits reported
> by the amavisd log.
>
>
>
> Could someone explain the difference?
>
>
>
> Regards,
>
>
>
> RS
>
>
>
> *From:* amavis-users [mailto:amavis-users-bounces+rocco.scappatura=
> infracom...@amavis.org] *On behalf of *Dominic Raferd
> *Sent:* Thursday 20 July 2017 07:18
> *To:* amavis-users@amavis.org
> *Subject:* Re: R: R: R: R: Message quarantined as SPAM
>
>
>
> You can set $sa_tag_level_deflt (different from $sa_tag2_level_deflt) to
> lower level - mails with scores above $sa_tag_level_deflt will have spam
> info header added; this header shows how amavis has calculated the score.
>
>
>
> On 19 July 2017 at 14:02, Scappatura Rocco 
> wrote:
>
> Thank you for the answer.
>
>
>
> Yes, you are right. Anyway I set ‘$sa_kill_level_deflt = 6.31’ too in
> amavis configuration.
>
>
>
> I could agree for the difference of the score of the message assigned by
> amavis and the score of the SA test of the quarantined message..
>
>
>
> But, I would like to understand why amavis assigns a so high score (7.946)
> to a harmless message ..
>
>
>
> Regards,
>
>
>
> RS
>
>
>
>
>
> *From:* amavis-users [mailto:amavis-users-bounces+rocco.scappatura=
> infracom...@amavis.org] *On behalf of *Dominic Raferd
> *Sent:* Wednesday 19 July 2017 14:28
> *To:* amavis-users@amavis.org
> *Subject:* Re: R: R: R: R: Message quarantined as SPAM
>
>
>
>
>
>
>
> On 19 July 2017 at 12:56, Scappatura Rocco 
> wrote:
>
> Hello.
>
> Even after the changes done to the amavis configuration, I still notice
> that some messages have been blocked as SPAM. For example:
>
> Jul 18 12:04:55 zzz amavis[18242]: (18242-14) Blocked SPAM
> {DiscardedInbound,Quarantined}, [195.245.231.137]:39849 [193.67.127.189] <
> orderfl...@example.org> -> , quarantine:
> B/spam-BknEtFAN2Yh1.gz, Queue-ID: 31099D5C4B, Message-ID: <
> of2b08da46.86f90238-on80258161.00376...@leaseplancorp.net>, mail_id:
> BknEtFAN2Yh1, Hits: 7.946, size: 170434, 551 ms
>
> while the score I get while testing the messages is much lower than
> $sa_tag2_level_deflt (1.9 < 6.31):
>
> ...
>
>
>
> Where is the problem? Why is the message tagged as SPAM and quarantined?
>
>
>
> It is not $sa_tag2_level_deflt that determines whether a message is
> quarantined, this only determines whether to add 'spam detected' headers in
> the emails.
>
>
>
> Score above $sa_kill_level_deflt triggers evasive action (i.e. according
> to $spam_quarantine_method).
>
>
>
> Also I am not sure you can rely on getting same spam calculation when you
> re-test a quarantined email as when it arrives from outside, perhaps this
> is why header shows score of 7.946 but retest only 1.9?
>
>
>


Re: R: R: R: R: Message quarantined as SPAM

2017-07-19 Thread Dominic Raferd
You can set $sa_tag_level_deflt (different from $sa_tag2_level_deflt) to
lower level - mails with scores above $sa_tag_level_deflt will have spam
info header added; this header shows how amavis has calculated the score.

On 19 July 2017 at 14:02, Scappatura Rocco 
wrote:

> Thank you for the answer.
>
>
>
> Yes, you are right. Anyway I set ‘$sa_kill_level_deflt = 6.31’ too in
> amavis configuration.
>
>
>
> I could agree for the difference of the score of the message assigned by
> amavis and the score of the SA test of the quarantined message..
>
>
>
> But, I would like to understand why amavis assigns a so high score (7.946)
> to a harmless message ..
>
>
>
> Regards,
>
>
>
> RS
>
>
>
>
>
> *From:* amavis-users [mailto:amavis-users-bounces+rocco.scappatura=
> infracom...@amavis.org] *On behalf of *Dominic Raferd
> *Sent:* Wednesday 19 July 2017 14:28
> *To:* amavis-users@amavis.org
> *Subject:* Re: R: R: R: R: Message quarantined as SPAM
>
>
>
>
>
>
>
> On 19 July 2017 at 12:56, Scappatura Rocco 
> wrote:
>
> Hello.
>
> Even after the changes done to the amavis configuration, I still notice
> that some messages have been blocked as SPAM. For example:
>
> Jul 18 12:04:55 zzz amavis[18242]: (18242-14) Blocked SPAM
> {DiscardedInbound,Quarantined}, [195.245.231.137]:39849 [193.67.127.189] <
> orderfl...@example.org> -> , quarantine:
> B/spam-BknEtFAN2Yh1.gz, Queue-ID: 31099D5C4B, Message-ID: <
> of2b08da46.86f90238-on80258161.00376...@leaseplancorp.net>, mail_id:
> BknEtFAN2Yh1, Hits: 7.946, size: 170434, 551 ms
>
> while the score I get while testing the messages is much lower than
> $sa_tag2_level_deflt (1.9 < 6.31):
>
> ...
>
>
>
> Where is the problem? Why is the message tagged as SPAM and quarantined?
>
>
>
> It is not $sa_tag2_level_deflt that determines whether a message is
> quarantined, this only determines whether to add 'spam detected' headers in
> the emails.
>
>
>
> Score above $sa_kill_level_deflt triggers evasive action (i.e. according
> to $spam_quarantine_method).
>
>
>
> Also I am not sure you can rely on getting same spam calculation when you
> re-test a quarantined email as when it arrives from outside, perhaps this
> is why header shows score of 7.946 but retest only 1.9?
>


Re: R: R: R: R: Message quarantined as SPAM

2017-07-19 Thread Dominic Raferd
On 19 July 2017 at 12:56, Scappatura Rocco 
wrote:

> Hello.
>
> Even after the changes done to the amavis configuration, I still notice
> that some messages have been blocked as SPAM. For example:
>
> Jul 18 12:04:55 zzz amavis[18242]: (18242-14) Blocked SPAM
> {DiscardedInbound,Quarantined}, [195.245.231.137]:39849 [193.67.127.189] <
> orderfl...@example.org> -> , quarantine:
> B/spam-BknEtFAN2Yh1.gz, Queue-ID: 31099D5C4B, Message-ID: <
> of2b08da46.86f90238-on80258161.00376...@leaseplancorp.net>, mail_id:
> BknEtFAN2Yh1, Hits: 7.946, size: 170434, 551 ms
>
> while the score I get while testing the messages is much lower than
> $sa_tag2_level_deflt (1.9 < 6.31):
>
> ...
>
>
> Where is the problem? Why is the message tagged as SPAM and quarantined?


It is not $sa_tag2_level_deflt that determines whether a message is
quarantined, this only determines whether to add 'spam detected' headers in
the emails.

Score above $sa_kill_level_deflt triggers evasive action (i.e. according
to $spam_quarantine_method).

Also I am not sure you can rely on getting same spam calculation when you
re-test a quarantined email as when it arrives from outside, perhaps this
is why header shows score of 7.946 but retest only 1.9?


Re: DSN generation problem for UTF-8 files

2017-07-18 Thread Dominic Raferd
On 18 July 2017 at 12:24, Dmitry Melekhov  wrote:

> Hello!
>
>
> I run Ubuntu 16.04, it has 2.10.1 of amavisd-new  .
>
> If file is blocked by amavis, let's say it .exe file, and this file has
> UTF8 name (let's say Тест.exe), then
>
> amavis dies, without DSN generation and message stucks in queue:
>
>
> open body: Invalid argument at /usr/local/share/perl/5.22.1/MIME/Entity.pm
> line 1878,  line 17244.): id=01268-01 at /usr/sbin/amavisd-new line
> 15165
>
>
> Could you tell me how to fix this problem?
>
>
> Thank you!
>
>
>
Just a thought, but looking at
/etc/amavis/conf.d/30-template_localization, it might be worth trying in
/etc/amavis/conf.d/50-user:
$hdr_encoding = 'utf8';
$bdy_encoding = 'utf8';


Re: Amavis stopping

2017-06-28 Thread Dominic Raferd
On 28 June 2017 at 02:44, Paul R. Ganci  wrote:

> I have had the same problem which has recently begun maybe 10 days or so
> ago. I have managed to track it down to two particular emails that are
> definitely spam and have created a Amavis DoS attack situation. Basically
> the symptom appears to be that all 6 of the Amavis processes on the server
> end up taking up 100% of the 6 processors assigned for spam detection. The
> Amavis processes attempt to scan these messages and never complete. As a
> result any other email gets "stuck" in the mailq and hence the postfix
> error message that you mention appears in the maillog file.
>
> The only way I have managed to fix this problem is to move all the email
> out of the Postfix mail queue, restart Amavis and then start re-submitting
> the mail back into the queue. That is how I found which spam emails were
> causing the DoS attack on the Amavis daemon. These emails originated mostly
> from Amsterdam, France and Enihosting.com here in the US. I have blocked
> the hosts from which these emails have originated and have been okay since.
> I also have created a hourly cron job to restart Amavis and then flush the
> Postfix mailq which seemed to help a bit but did not completely stop the
> problem.
>
> What I would really like to know is what in these messages is causing the
> 100% CPU usage and the subsequent DoS situation. I have the emails handy if
> that would help but are there any suggestions as to how to configure Amavis
> to avoid situations like a combinatorial explosion (no I am not using my
> own spamassassin rules) mentioned in the other thread (Amavis 100%)? I
> would even consider a timer... Give a Amavis process a 5 minute CPU limit
> and then just deliver the message is a better situation than having
> thousands of messages queued up because all the Amavis processes are
> running at 100% CPU for hours on end in my case.
>
> I realize this is  kind of general but people might have suggestions as to
> Amavis configuration which can at least avoid the problem which pretty much
> has shutdown my two email servers twice over the last couple of weeks. I am
> also willing to provide the two culprit emails to anyone who might like to
> look them over. In the meantime I might try raising the debug level and
> running strace as suggested in the previously mentioned thread... in
> principle I just need to re-submit one of the offending messages. Any other
> ideas are welcome. Thanks.


​I don't have a solution to the problem but the following is quick'n'dirty
fix by adding a line to /etc/crontab to warn you (if you monitor cron
output) - by monitoring CPU usage hourly - that amavis (or postfix) is very
active (>30% CPU), which might imply something wrong:

2 * * * * root for PROCESS in amavis postfix; do [[ $(top -bn1|grep
$PROCESS|awk '{CPU=CPU+$10} END {printf "\%d", CPU}') -gt 30 ]] && echo
"$PROCESS CPU usage high!"; done

If you are running it outside of crontab omit the backslash before the %
​


Re: Message quarantined as SPAM

2017-06-22 Thread Dominic Raferd
On 22 June 2017 at 13:13, Scappatura Rocco 
wrote:

> Hi,
>
> I have Debian Lenny with postfix+amavisd-new+spamassassin+clamav.
>
> I have detected that a message has been quarantined:
>
> Jun 22 11:45:48 av8 amavis[22610]: (22610-11) Blocked SPAM
> {DiscardedOpenRelay,Quarantined}, [xxx.yyy.zzz.uuu]:50412
> [xxx.yyy.zzz.uuu]  -> , quarantine:
> z/spam-zRJd9Wo5250M.gz, Queue-ID: 8647AD5DBA, Message-ID: <
> 776AB7C587CC457C95FF35582FC9F0E1@AutoRPZ.local>, mail_id: zRJd9Wo5250M,
> Hits: 6.793, size: 77514, 364 ms
>
> But I have checked it against spamassassin:
>
> gunzip -c z/spam-zRJd9Wo5250M.gz | spamassassin -t
>
> and I get:
>
> .
> .
> .
>
> Content analysis details:   (4.1 points, 5.0 required)
>
>  pts rule name  description
>  -- --
> 
>  0.0 HTML_MESSAGE   BODY: HTML included in message
>  0.4 MIME_HTML_MOSTLY   BODY: Multipart message mostly text/html MIME
> -1.9 BAYES_00   BODY: Bayes spam probability is 0 to 1%
> [score: 0.]
>  0.8 MPART_ALT_DIFF BODY: HTML and text parts are different
>  1.7 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
>  0.0 TVD_SPACE_RATIONo description available.
>  1.4 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
>  1.8 IMG_DIRECT_TO_MX   No description available.
>
> So the total score is 4,2.
>
> In the amavisd configuration file I have set:
>
> $sa_spam_subject_tag = '[Spam] ';
> $sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that
> level
> $sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
> $sa_kill_level_deflt = 6.31; # triggers spam evasive actions
> $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
>
> How is the score of 6.793 from amavis obtained?
>

If you look at this mail in your quarantine it should have an 'X-Spam-Status'
header added by amavis showing how the score was calculated. Amavis
doesn't only use spamassassin for the calculation.
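To do the check suggested above without reading the header by eye, here is an added example (not from the post) that parses amavisd-new's X-Spam-Status header, sums the listed tests, and reports which of the tag/tag2/kill levels the score reached. The header below is constructed: the rule names and scores are the ones in the SpamAssassin report quoted in this thread, plus one made-up rule (EXAMPLE_EXTRA_RULE) standing in for whatever additional test amavis counted to reach 6.793.

```python
"""Decompose an amavisd-new X-Spam-Status header (added example)."""
import re

# Constructed header in amavisd-new's format, folded over several lines.
SAMPLE_HEADER = """X-Spam-Status: Yes, score=6.793 tag=2 tag2=6.31 kill=6.31
\ttests=[BAYES_00=-1.9, EXAMPLE_EXTRA_RULE=2.593, HTML_IMAGE_ONLY_08=1.7,
\tHTML_MESSAGE=0, IMG_DIRECT_TO_MX=1.8, MIME_HTML_MOSTLY=0.4,
\tMPART_ALT_DIFF=0.8, SHORT_HELO_AND_INLINE_IMAGE=1.4, TVD_SPACE_RATIO=0]
\tautolearn=no autolearn_force=no"""


def unfold(header: str) -> str:
    """Undo RFC 5322 header folding: continuation lines start with whitespace."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def parse_spam_status(header: str) -> dict:
    """Return verdict, per-test scores and the numeric levels (score, tag, tag2, kill)."""
    text = unfold(header)
    m = re.match(r"X-Spam-Status:\s*(Yes|No),\s*(.*)$", text, re.S)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    is_spam, rest = m.group(1) == "Yes", m.group(2)

    tests = {}
    tm = re.search(r"tests=\[(.*?)\]", rest)
    if tm and tm.group(1).strip():
        for item in tm.group(1).split(","):
            name, _, value = item.strip().partition("=")
            tests[name] = float(value) if value else 0.0  # some rules carry no score
    # Remaining key=number pairs are the levels; autolearn=no etc. are skipped.
    without_tests = re.sub(r"tests=\[.*?\]", "", rest)
    levels = {k: float(v) for k, v in re.findall(r"(\w+)=(-?\d+(?:\.\d+)?)", without_tests)}
    return {"is_spam": is_spam, "tests": tests, **levels}


def explain(status: dict) -> dict:
    """Check that the listed tests add up to the reported score and name the
    highest amavis level (tag < tag2 < kill) the score reached."""
    total = round(sum(status["tests"].values()), 3)
    score = status["score"]
    action = "none"
    for level in ("tag", "tag2", "kill"):  # ascending severity
        if level in status and score >= status[level]:
            action = level
    return {
        "sum_of_tests": total,
        "matches_score": abs(total - score) < 0.0005,
        "action": action,
    }


if __name__ == "__main__":
    status = parse_spam_status(SAMPLE_HEADER)
    print(explain(status))
```

When the sum of the tests does not match the score, the difference is what amavis added on top of SpamAssassin's own verdict; when it does, every point is accounted for by a named rule, which is what the quoted `spamassassin -t` run cannot show because it is evaluated outside amavis.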


Re: SPF and trusted forwarder

2017-06-06 Thread Dominic Raferd
On 5 June 2017 at 18:55, Phil Susi  wrote:

> I prefer to use my @ubuntu.com alias, which forwards mail to my real
> server.  Amavis then tries to check SPF against the forwarder, which
> fails.  Is there a way to configure it to trust this forwarding server
> and check SPF against the Received: header rather than the forwarder?
>

I don't know whether it is possible to change Amavis's behaviour but it is
doing the right thing in terms of SPF because it is only the latest ip that
it can have any confidence in - earlier headers (reporting a previous ip)
could be fake.

The reality is that SPF is broken if you forward emails; you need to use a
different technology to verify identity such as DKIM (e.g. opendkim), or
combine the two with DMARC (e.g. opendmarc + opendkim +
python-policyd-spf). If amavis can't do this (I'm not sure), your MTA
should be able to.


Re: Training with sa-learn for viruses?

2017-05-31 Thread Dominic Raferd
On 31 May 2017 at 15:56, Nikolaos Milas  wrote:

> Would you happen to know if/how we can train clamav based on our actual
> messages?
>

I don't think you can, but I would be interested if anyone knows
otherwise.

In my case, after passing through our mailserver all incoming emails are
relayed to Gmail (end users all have Gmail accounts) so our end users get
the benefit of Google's AV too; but it is rare for Gmail to reject an email
relayed from our mailserver on the grounds that it contains a virus (Gmail
response is '552 5.7.0 This message was blocked because its content
presents a potential security issue'); and our mailserver blocks the source
ip if this happens.


Re: Training with sa-learn for viruses?

2017-05-31 Thread Dominic Raferd
On 31 May 2017 at 11:09, Nikolaos Milas  wrote:

> Hello,
>
> I am using amavis with clamav and spamassassin and I am regularly training
> for spam using the command:
>
>sa-learn --dbpath '/var/amavis/var/.spamassassin' --spam
>/var/amavis/reported-spam
>
> Things work fine with "pure" spam.
>
> My problem is that some highly suspicious email messages that they look
> like they most probably carry infected attachments are not processed as
> spam using the above procedure in order to be blocked in the future.
>
> For example, I am training for 4 messages of which one is true spam and
> the rest are infected mails, but I only get:
>
>Learned tokens from 1 message(s) (4 message(s) examined)
>
> What should I be doing to train the system and/or its components to
> characterize such mails as "virus" (or at least "spam") and block similar
> ones in the future?


Spamassassin is not a tool for identifying or blocking viruses - see
https://wiki.apache.org/spamassassin/FilteringViruses. For this you need an
antivirus tool. Clamav in its standard form is pretty useless IMHO but it
is rather more effective with the sanesecurity addon signatures.


Re: Pflogsumm emails through amavisd and SA hitting BAYES_99

2017-04-28 Thread Dominic Raferd
On 28 April 2017 at 11:34, Simon Wilson  wrote:

> Hi all,
>
> I have pflogsumm running log summaries on my postfix install, and sending
> to an address that resolves locally. All is on localhost, which is a newly
> installed CentOS7 server, amavisd-new 2.10.1 from EPEL.
>
> The pflogsumm emails from root are triggering BAYES_99 as they go through
> amavisd-new and spamassassin, and are often ending up marked as spam.
>
> What's the best way to ensure that those are not flagged as spam, or
> potentially to whitelist them somehow?


You can whitelist sender addresses; would this solve your problem? I have
these lines in /etc/amavis/conf.d/50-user:

read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);
bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail
bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail

File /etc/amavis/whitelist contains a line-by-line list of whitelisted
addresses. To whitelist a whole domain, just precede with a dot. Examples:

f...@bloggs.com
.spammers-united.com

HTH, Dominic


Re: Open relay from localhost and other questions

2017-04-21 Thread Dominic Raferd
On 22 April 2017 at 00:00, Benny Pedersen  wrote:

> Robert Moskowitz skrev den 2017-04-21 21:16:
>
> Been doing some research.  mynetworks should stop the localhost from
>> seeming like an Open relay.  I don't have this problem on my old
>> production server.  I am researching it.
>
>
If mynetworks is undefined then it takes its value according to
mynetworks_style and the default for this setting changed for Postfix 3.0 -
see http://www.postfix.org/postconf.5.html#mynetworks_style. Perhaps this
could explain the difference you are seeing.

However external authenticated senders are not local (and I don't trust any
non-authenticated senders outside the host) so in such a case the message
from amavis is correct ('Nonlocal recips but not originating') while the
warning ('Open relay?') is unnecessary.


Re: Open relay from localhost and other questions

2017-04-19 Thread Dominic Raferd
On 19 April 2017 at 21:48, Robert Moskowitz  wrote:

> This is my new test setup.
> ..
>
>
> Lots of questions.  The 4th line has an amavis SQL failure.
> Then concern that it is coming from an open relay?
> Amavis gets called a 2nd then 3rd time?  Should I put content_filter= with
> gmgr so it does not call amavis?
>
>
> Apr 10 03:34:37 z9m9z postfix/cleanup[2077]: C735BB25B: message-id=
> <20170410073436.c735bb...@z9m9z.test.htt-consult.com>
>
> Apr 10 03:34:37 z9m9z postfix/qmgr[3107]: C735BB25B: from=
>  ,
> size=5300, nrcpt=1 (queue active)
>
> Apr 10 03:34:38 z9m9z amavis[2045]: (02045-11) NOTICE: reconnecting in
> response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL server
> has gone away at (eval 129) line 172.
>
> Apr 10 03:34:38 z9m9z amavis[2045]: (02045-11) LMTP [127.0.0.1]:10024
> /var/spool/amavisd/tmp/amavis-20170409T010521-02045-SZAIGFN5:
>   ->
>  
> SIZE=5300 Received: from z9m9z.test.htt-consult.com ([127.0.0.1]) by
> localhost (z9m9z.test.htt-consult.com [127.0.0.1]) (amavisd-new, port
> 10024) with LMTP for 
> ; Mon, 10 Apr 2017 03:34:38 -0400 (EDT)
>
> Apr 10 03:34:38 z9m9z amavis[2045]: (02045-11) Checking: SGMxb1MYeOCZ
> [127.0.0.1] 
>  -> 
> 
>
> Apr 10 03:34:38 z9m9z amavis[2045]: (02045-11) Open relay? Nonlocal recips
> but not originating: r...@z9m9z.test.htt-consult.com
>
>
Re the open relay messages, I too get these. If you have authenticated,
but non-local, senders who are submitting emails to third parties and you
pass these through amavis then it generates such messages. I don't know of
a way to stop this behaviour, I just ignore the messages. Re the MySQL
error, I can't help as I don't use MySQL with amavis; are you sure you need
to?

Dominic


Re: Keep X-Spam-... header lines when releasing message from quarantine?

2017-03-29 Thread Dominic Raferd
On 30 March 2017 at 05:09, Rich Wales  wrote:

> From examining the amavisd-new code, it appears the relevant portion is at
> line 11554:
>
> 11554   } elsif (!$reporting && /^(?:X-Spam|X-CRM114)-.+:/si) {
> 11555 # skip header fields inserted by us
> 11556   } else {
>
> This is amavisd-new-2.10.1 (20141025).
>
> So it doesn't look like changing $sa_tag_level_deflt, or any other
> user-tunable value, is going to do what I want.
>
> I suppose I could try commenting out lines 11554 and 11555 if I really,
> really want the X-Spam lines to be retained when releasing a message from
> quarantine.  Any other ideas?
>

Could you just pick up the spam file(s) from /var/lib/amavis/virusmails
(or wherever you have amavisd-new set to store them) and re-inject them
into postfix via the port used by amavisd-new? Often this is 127.0.0.1:10025.
This would avoid them being picked up again by amavisd-new so they should
be sent on to their original destination with all headers intact.
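An added example (not amavisd-release, which releases through the amavis AM.PDP socket instead) of the re-injection described above: read a quarantine file, recover the original envelope, and hand the message to the post-filter Postfix listener with every header left intact. It assumes the quarantine file starts with the X-Envelope-From / X-Envelope-To headers amavisd-new prepends when it quarantines, and is gzip-compressed when its name ends in .gz; the sample message and the function names are constructed. The target must be the smtpd that runs with `content_filter=` (the 127.0.0.1:10025 listener in the master.cf quoted elsewhere on this page), because that listener accepts only mynetworks and skips scanning: anything injected there bypasses amavis, so keep the script root-only on the mail host.

```python
"""Re-inject an amavis quarantine file into Postfix's post-filter listener (added example)."""
import email
import email.utils
import gzip
import smtplib
import sys

# Constructed quarantine file: the headers amavis adds, then the original message.
SAMPLE_QUARANTINED = b"""Return-Path: <alice@example.org>
X-Envelope-From: <alice@example.org>
X-Envelope-To: <bob@example.net>, <carol@example.net>
X-Quarantine-ID: <constructed-quarantine-id>
X-Spam-Status: Yes, score=6.793 tag=2 tag2=6.31 kill=6.31 tests=[EXAMPLE_RULE=6.793]
From: Alice <alice@example.org>
To: bob@example.net
Subject: constructed test message
Message-ID: <constructed-1@example.org>

Body of the quarantined message.
"""
SAMPLE_GZ = gzip.compress(SAMPLE_QUARANTINED)  # what a .gz quarantine file holds


def load_quarantined(data: bytes) -> bytes:
    """Return the raw message bytes, gunzipping compressed quarantine files."""
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def envelope(raw: bytes):
    """Recover the original envelope sender and recipients from amavis's headers."""
    msg = email.message_from_bytes(raw)
    mail_from = email.utils.parseaddr(msg.get("X-Envelope-From") or msg.get("Return-Path", ""))[1]
    rcpts = [addr for _, addr in email.utils.getaddresses(msg.get_all("X-Envelope-To", []))]
    if not mail_from or not rcpts:
        raise ValueError("quarantine file lacks X-Envelope-From/X-Envelope-To headers")
    return mail_from, rcpts


def release(data: bytes, host: str = "127.0.0.1", port: int = 10025) -> dict:
    """Submit the message with its original envelope; headers stay untouched.
    Returns smtplib's per-recipient refusals (empty dict when all were accepted)."""
    raw = load_quarantined(data)
    mail_from, rcpts = envelope(raw)
    with smtplib.SMTP(host, port) as smtp:
        return smtp.sendmail(mail_from, rcpts, raw)


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. a file under /var/lib/amavis/virusmails/
        with open(path, "rb") as fh:
            print(path, release(fh.read()) or "released")
```

Because the X-Envelope-* and X-Spam-* headers are sent along unchanged, the recipient sees exactly what amavis decided, which is the point of releasing this way rather than through amavisd-release.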


Re: amavisd-release does not work with SQL quarantine (missing quar_type = "Q")

2017-02-16 Thread Dominic Raferd
On 16 February 2017 at 06:52,   wrote:
> Hello,
>
> We are using amavisd with iRedMail. Banned mails are quarantined in a SQL
> quarantine.
>
> Every time I tried to release an email with amavisd-release an error occurred:
>
> 450 4.5.0 Failure: File /var/lib/amavis/virusmails/BWEgBXUllkJU does not
> exist at (eval 95) line 386,  line 5.
>
> Now I realized that in amavisd-release there is no way to change $quar_type
> to "Q", see the line:
>
>   my $quar_type = $fn_suffix eq '.gz' ? 'Z' : $fn_path ne '' ? 'F' : '';
>
> After I changed this line to
>
>   my $quar_type = $fn_suffix eq '.gz' ? 'Z' : $fn_path ne '' ? 'F' : 'Q';
>
> mails in SQL-quarantine are released by amavisd-release.
>
> But I don't know if this is right for users not using a SQL-quarantine.

We use file-based quarantine. I tried this change and then
amavisd-release does not work, I am sorry to report; there is no error
message - just the mail is not released and the file remains in
quarantine.


Re: Amavis DNS query timeout

2017-02-13 Thread Dominic Raferd
Ah yes you may be right, I have: $enable_dkim_verification = 0;

On 13 February 2017 at 10:41, Dino Edwards wrote:

> I don't think you are correct. That header is usually generated when
> $enable_dkim_verification = 1; is set in the amavis config file.
>
> -Original Message-
> From: amavis-users [mailto:amavis-users-bounces+dino.edwards=
> mydirectmail@amavis.org] On Behalf Of Dominic Raferd
> Sent: Sunday, February 12, 2017 12:37 PM
> To: amavis-users@amavis.org
> Subject: Re: Amavis DNS query timeout
>
> > I don't think the presence of (amavisd-new) in the Authentication
> > Header means that the header was generated by or has anything to do with
> > amavisd-new. The header looks to be from a dkim milter such as opendkim,
> > which may not be correctly set up to generate the dkim header for your
> > outgoing emails.
>


Re: Amavis DNS query timeout

2017-02-12 Thread Dominic Raferd
On 12 February 2017 at 17:20, Tim Smith  wrote:
>
> Well surely amavis is using the same DNS servers as the server ?
> Therefore a "dig" on the server indicates that my DNS lookups are
> working, and therefore why I am saying amavis is not right when it
> says "DNS timeout".
>
> If you could point me in the right direction of how to collect the
> further troubleshooting data you need, I'll be happy to oblige !
>
> On 12 February 2017 at 14:52, Patrick Domack  wrote:
> > I don't see how the dig test has anything to do with amavis dns test.
> >
> > The amavis dns lookup could have timeout but still succeeded in your dns
> > cache server, and your dig would return that result instantly.
> >
> > Without any more details, such as un-mung results, no more investigation can
> > be done.
> >
> >
> >
> > Quoting Tim Smith :
> >
> >> Hi,
> >>
> >> amavisd is adding the following header to my mails :
> >>
> >> Authentication-Results: my.example.com (amavisd-new); dkim=neutral
> >> reason="invalid (public key: DNS query timeout for
> >> their._domainkey.example.com)" header.d=example.com
> >>
> >> The problem is that this is a lie !
> >>
> >> I have no DNS problems, and if I do :
> >>
> >> dig their._domainkey.example.com TXT
> >>
> >> dig returns fine without any substantial wait.
> >>
> >> What setting am I missing ? Where am I going wrong ?
> >>
> >>
> >> Thanks  !


I don't think the presence of (amavisd-new) in the Authentication
Header means that the header was generated by or has anything to do
with amavisd-new. The header looks to be from a dkim milter such as
opendkim, which may not be correctly set up to generate the dkim
header for your outgoing emails.


Re: Subject change for password-protected archives

2016-12-16 Thread Dominic Raferd
Point of info: most (or all?) of us need this command to check amavis
version (undocumented in my man or info):
# amavisd-new -V
amavisd-new-2.10.1 (20141025)

On 14 December 2016 at 22:25, Jonathan Engbrecht  wrote:
> solution:  upgrade to amavisd 2.11.0 to fix a bug in the way it handles
> archives that are extracted using 7-zip.
>
> On 5 December 2016 at 15:44, Jonathan Engbrecht  wrote:
>>
>> I'm trying to subject-tag password-protected archives, but I'm apparently
>> missing something:
>>
>> # amavisd -V
>> amavisd-new-2.9.1 (20140627)
>>
>> in /etc/amavisd.conf:
>> $undecipherable_subject_tag= '***UNSCANNED ATTACHMENT***';
>>
>> ...but messages are passing through untagged when a password-protected
>> .zip comes through the system.
>>
>> Is there another parameter I need to configure here?
>
>


Re: whitelist sender domain

2016-12-11 Thread Dominic Raferd
On 11 December 2016 at 09:33, Dusan Obradovic  wrote:
>
>> On Dec 11, 2016, at 07:24, Asif Iqbal  wrote:
>>
>> How do I make sure it is working? After I configured like below, I restarted 
>> amavisd and postfix and I am seeing a lot of
>> ``RelayedOpenRelay'' like below..
>
> You should configure @local_domains_maps and @mynetworks, for amavisd to be 
> able to distinguish {RelayedInbound} and {RelayedOutbound} traffic.
>
> @local_domains_maps = ( [ ".example.com" ] );
> @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
>

Thanks for the tip Dusan, I've implemented that.


Re: whitelist sender domain

2016-12-11 Thread Dominic Raferd
I have similar setup. I too see these statements in amavis log
messages that it is RelayedOpenRelay but in fact with my setup it is
not. I think amavis is just warning you that you *may* have an open
relay. You should have postfix set so that it is not an open relay, of
course, and I don't think amavis is the best way to do this.

I use a whitelist with amavis: I have a file /etc/amavis/whitelist
which contains on each line either a comment (starting with hash #), a
full email address or just a domain, and then in
/etc/amavis/conf.d/50-user I have lines like this:

# whitelist some senders to save time and avoid false positives
# - you can list full addresses or domains, one per line
# idea from http://www.iredmail.org/forum/topic4681-iredmail-support-solved-how-to-bypass-amavisd-for-some-senders.html
# This policy will perform virus checks only.
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);
$interface_policy{'10026'} = 'VIRUSONLY';
$policy_bank{'VIRUSONLY'} = {
  bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail
  bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
  bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail
};

The idea is that all mails will still be passed to amavis which will
submit them for virus check, but whitelisted sender address will not
be checked for other things.

As far as I can tell this is working fine, although I am *not* an
amavis expert. Other suggestions welcome.

Dominic

On 11 December 2016 at 06:24, Asif Iqbal  wrote:
> I am running amavisd-new with postfix and I'd like to skip the content filter for
> senders with domain example.com
>
> I do have amavisd-new set up with postfix like this, where amavisd is set up as
> the content_filter globally like below
>
> # cat /etc/postfix/main.cf
>
> ...
> content_filter = amavisfeed:[127.0.0.1]:10024
> ...
>
> # cat /etc/postfix/master.cf
> ...
>
> amavisfeed unix  -       -       n       -       2       lmtp
>     -o lmtp_data_done_timeout=1200
>     -o lmtp_send_xforward_command=yes
>     -o disable_dns_lookups=yes
>     -o max_use=20
>
> 127.0.0.1:10025 inet n  -       n       -       -       smtpd
>     -o content_filter=
>     -o smtpd_delay_reject=no
>     -o smtpd_client_restrictions=permit_mynetworks,reject
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o smtpd_data_restrictions=reject_unauth_pipelining
>     -o smtpd_end_of_data_restrictions=
>     -o smtpd_restriction_classes=
>     -o mynetworks=127.0.0.0/8
>     -o smtpd_error_sleep_time=0
>     -o smtpd_soft_error_limit=1001
>     -o smtpd_hard_error_limit=1000
>     -o smtpd_client_connection_count_limit=0
>     -o smtpd_client_connection_rate_limit=0
>     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
>     -o local_header_rewrite_clients=
>     -o smtpd_milters=
>     -o local_recipient_maps=
>     -o relay_recipient_maps=
>
> # netstat -tunlp | grep 10024
> tcp   0   0 127.0.0.1:10024   0.0.0.0:*   LISTEN   26131/amavisd (mast
> tcp   0   0 ::1:10024         :::*        LISTEN   26131/amavisd (mast
>
> # netstat -tunlp | grep 10025
> tcp   0   0 127.0.0.1:10025   0.0.0.0:*   LISTEN   28242/smtpd
>
> # ps -ef | grep 26131
> amavis   26131     1  0 05:49 ?   00:00:02 /usr/sbin/amavisd (master)
> amavis   28157 26131  0 14:22 ?   00:00:01 /usr/sbin/amavisd (ch6-28157-06-3)
> amavis   28322 26131  4 14:27 ?   00:00:06 /usr/sbin/amavisd (ch5-28322-05-7)
>
> # ps -ef | grep 28242
> postfix  28242 29732  0 14:25 ?00:00:00 smtpd -n 127.0.0.1:10025 -t
> inet -u -o content_filter= -o smtpd_delay_reject=no -o
> smtpd_client_restrictions=permit_mynetworks,reject -o
> smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
> smtpd_recipient_restrictions=permit_mynetworks,reject -o
> smtpd_data_restrictions=reject_unauth_pipelining -o
> smtpd_end_of_data_restrictions= -o smtpd_restriction_classes= -o
> mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o
> smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o
> smtpd_client_connection_count_limit=0 -o
> smtpd_client_connection_rate_limit=0 -o
> receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
> -o local_header_rewrite_clients= -o smtpd_milters= -o local_recipient_maps=
> -o relay_recipient_maps=
>
>
> And in amavisd.conf file I am using whitelist domains and email addresses
> like below
>
> # cat /etc/amavisd/amavisd.conf
>
> ...
>
> read_hash(\%whitelist_sender, '/etc/amavisd/whitelist');
> @whitelist_sender_maps = (\%whitelist_sender);
> ...
>
> $policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our
> users
>   originating => 1,  # declare tha
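Both whitelist posts in this thread and the pflogsumm one above rely on read_hash plus @whitelist_sender_maps, so here is one added example (not amavis code) that reproduces the matching those lists give you: a file with one entry per line and '#' comments, a full address matching exactly, a bare domain matching that domain only, and a leading dot matching the domain and all its subdomains. The lookup order (address, local-part@, domain, dotted domain and its parents, then '.') follows amavis's documented hash lookup as I understand it and is an approximation; lowercasing of keys is assumed. The whitelist contents and addresses are constructed. Keep in mind that amavis applies these maps to the envelope sender, which nothing in this setup authenticates, so a whitelisted domain that is not also checked with SPF/DKIM/DMARC lets anyone who forges that sender skip the spam, banned and header checks.

```python
"""Whitelist matching in the style of amavis read_hash / sender maps (added example)."""
import io

# Constructed whitelist file, in the line-per-entry format the posts describe.
SAMPLE_WHITELIST = """\
# constructed whitelist: full addresses, dotted domains, bare domains
fred@bloggs.com
.spammers-united.com
mail.example.net
"""


def read_hash(fh) -> dict:
    """Load a whitelist file into a dict of lowercased keys, skipping blank
    and comment lines (approximates amavis read_hash)."""
    entries = {}
    for raw in fh:
        line = raw.split("#", 1)[0].strip()
        if line:
            entries[line.split()[0].lower()] = True
    return entries


def lookup_keys(address: str):
    """Keys tried for one sender, most specific first: user@domain, user@,
    the exact domain, .domain and each parent .domain, then the '.' catch-all."""
    addr = address.strip().lower()
    yield addr
    if "@" not in addr:
        return
    local, domain = addr.rsplit("@", 1)
    yield local + "@"
    yield domain                       # bare entry: that domain only
    labels = domain.split(".")
    for i in range(len(labels)):       # dotted entries: domain and subdomains
        yield "." + ".".join(labels[i:])
    yield "."


def whitelisted(address: str, whitelist: dict) -> bool:
    """True when any lookup key for the address is present in the whitelist."""
    return any(key in whitelist for key in lookup_keys(address))


if __name__ == "__main__":
    wl = read_hash(io.StringIO(SAMPLE_WHITELIST))
    for sender in ("fred@bloggs.com", "bob@news.spammers-united.com", "root@smtp.mail.example.net"):
        print(sender, "->", "bypass checks" if whitelisted(sender, wl) else "full checks")
```

Note how `mail.example.net` without the dot does not cover `smtp.mail.example.net`, while `.spammers-united.com` covers every host under it; that is the difference Dominic's "just precede with a dot" refers to.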

Re: Sender notifications - disable? customize?

2016-11-26 Thread Dominic Raferd
I don't think there is a way to check what the current active settings are
for amavisd-new (nothing like postconf -n) - including all defaults -
unfortunately. We can of course check our own settings with something
like: grep -r "warn" /etc/amavis/conf.d|grep -v "^\s*#"

The defaults that I am aware of are:

$warnbannedsender = undef;
$warnbadhsender   = undef;
$warn_offsite     = undef;
$warnvirusrecip   = undef;
$warnbannedrecip  = undef;
$warnbadhrecip    = undef;

I presume this means there are no warnings issued unless these variables
are set explicitly, and this isn't the case with ubuntu (or I think debian)
standard installations? Are you sure that warnings are being issued by
amavisd-new on your system?



On 26 November 2016 at 22:44, MRob  wrote:

> Are there best practices advice about sender notifications?
>
> Looks like default is to have notifications ("warnings?") enabled for
> attachments with banned file extensions. Doesn't this risk backscatter
> problems when sender address is forged?
>
> I cannot find a way to disable them - tried setting these all to 0 but no
> luck: $warnbadhsender $warnbannedsender $warn_offsite
>
> I'm having a very hard time finding documentation on any of those
> settings, what exactly they do - where can I find that?
>
> Also, is there a place to customize the message body (and possibly
> headers) for these notifications ("warnings?")?
>
> Thank you for your great product.
>


Re: Amavisd and Bayes (again...)

2016-11-24 Thread Dominic Raferd
Maybe this can help:
https://www.nerd-quickies.net/2015/10/02/spamassassin-bayes_00-1-90-although-sa-learn-runs-daily/


On 24 November 2016 at 13:43, @lbutlr  wrote:

> On Nov 24, 2016, at 2:09 AM, Alex Masidlover wrote:
> > Any help would be appreciated before I drown in spam...
>
> I’ve posted a couple of times about the same exact issue with amavis not
> using Bayes and so far no one has been able to provide any guidance as to
> why.
>
> For now, I’ve given up. Amavis still catches a lot of spam without Bayes,
> and then I manually run received mail through SA again. It’s ugly, but it
> works.
>
>