Amavisd-new

From Kolab Wiki


Banned file types

1) Amavisd has a list of banned file types. To change it, edit

/kolab/etc/kolab/templates/amavisd.conf.template

and look for

banned_filename_re

You will find instructions there on how to change the list. When you're finished, run

/kolab/sbin/kolabconf 

to make the changes permanent.

2) Another way is to allow banned files to pass: edit /kolab/etc/kolab/templates/amavisd.conf.template and modify this line:

$final_banned_destiny     = D_PASS;  # (defaults to D_BOUNCE).

After that run

/kolab/sbin/kolabconf

to make the changes permanent. Keep in mind: this effectively disables checking of banned file types completely, although virus scanning will still work.

Releasing mails from quarantine

Using amavisd-release

The utility amavisd-release (amavisd-new-2.3.3 or later) tells the amavisd daemon to fetch a mail from a local quarantine and send it to the MTA through its regular channels ($notify_method), bypassing re-checking.

amavisd-release is included in the amavisd source tarball (which in turn is included in the source rpm), but unfortunately OpenPKG does not install it by default. To extract it manually, do the following (this assumes your host distribution has 'rpm' installed, but OpenPKG-internal tools should work as well):

$ cp amavisd-<VERSION>.src.rpm /tmp
$ cd /tmp
$ rpm2cpio amavisd-<VERSION>.src.rpm | cpio -idmv
$ tar xzf amavisd-new-<VERSION>.tar.gz
$ cp amavisd-new-<VERSION>/amavisd-release /kolab/sbin/
$ chown kolab:kolab /kolab/sbin/amavisd-release

By default it connects to the socket /var/amavis/amavisd.sock, on which amavisd should be listening for the AM.PDP protocol, but one can use an inet socket instead of a Unix socket if there is a need to run amavisd-release from a remote host.

In the amavisd.conf.template the following should be added:

# $unix_socketname = "$MYHOME/amavisd.sock";  # listen on Unix socket
$unix_socketname = "/kolab/var/amavisd/amavisd.sock";  # listen on Unix socket

# alternatively (less common):
# $inet_socket_port = [10024, 9998];  # listen on listed inet tcp ports

# apply policy bank AM.PDP-SOCK on a Unix socket:
#  (note that this precludes the use of old amavis-milter
#   helper program (with sendmail) on the same socket)
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';

# apply policy bank AM.PDP-INET to some inet tcp socket, e.g. tcp port 9998: 
$interface_policy{'9998'} = 'AM.PDP-INET';

$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',  # select Amavis policy delegation protocol
  auth_required_release => 0,  # don't require secret_id for amavisd-release
};
$policy_bank{'AM.PDP-INET'} = {
  protocol => 'AM.PDP',  # select Amavis policy delegation protocol
  inet_acl => [qw( 127.0.0.1 [::1] )],  # restrict access to these IP addresses
# auth_required_release => 0,  # don't require secret_id for amavisd-release
};

The $auth_required_release setting decides whether the requestor needs to specify a secret_id in addition to the mail_id to authorize a mail release. The secret_id is stored in the SQL table msgs when logging to SQL is enabled; otherwise this information is not accessible.

Note that turning off the $auth_required_release check is safe as long as access to the socket is restricted, for example by file protections on a Unix socket or by inet_acl limiting an inet socket to specific IP addresses. Enabling or disabling $auth_required_release is a management / setup decision and a matter of convenience.

To release a mail message, an exact quarantine location should be specified as an argument to amavisd-release, e.g.:
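A configuration check for the conditions described above, as an added example that is not part of the original wiki page or of amavisd-new: it flags release without secret_id on a world-writable Unix socket or on a TCP port whose inet_acl lists non-loopback addresses, and also reports the D_PASS setting from the banned-files section. The function name audit, the sample configuration and the address 192.0.2.10 are constructed; the socket check assumes Linux semantics, where connecting requires write permission on the socket file.

```python
import re
import stat

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

def audit(conf, socket_mode):
    """Return findings; socket_mode is os.stat(<$unix_socketname>).st_mode."""
    # amavisd.conf is Perl; cutting each line at '#' is enough for these settings
    conf = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    findings = []
    if re.search(r"\$final_banned_destiny\s*=\s*D_PASS\b", conf):
        findings.append("final_banned_destiny is D_PASS: banned files are delivered")
    # interface ('SOCK' or a TCP port) -> policy bank name, and bank name -> body
    bound = dict(re.findall(r"\$interface_policy\{'([^']+)'\}\s*=\s*'([^']+)'", conf))
    banks = dict(re.findall(r"\$policy_bank\{'([^']+)'\}\s*=\s*\{(.*?)\};", conf, re.S))
    for iface, name in bound.items():
        body = banks.get(name, "")
        if not re.search(r"auth_required_release\s*=>\s*0\b", body):
            continue  # secret_id is still required for a release
        if iface == "SOCK":
            # Assumption: Linux semantics, connect() needs write permission on the socket
            if socket_mode & stat.S_IWOTH:
                findings.append(f"{name}: no secret_id and socket is world-writable")
        else:
            acl = re.search(r"inet_acl\s*=>\s*\[\s*qw\(([^)]*)\)", body)
            # No ACL in the bank: the global @inet_acl applies (not checked here)
            extra = set(acl.group(1).split()) - LOOPBACK if acl else set()
            if extra:
                findings.append(f"{name}: no secret_id, reachable from {sorted(extra)}")
    return findings

# Constructed sample: the page's settings, but with the INET bank's
# auth_required_release line active and a non-loopback address in inet_acl.
SAMPLE = r"""
$final_banned_destiny = D_PASS;  # (defaults to D_BOUNCE)
$interface_policy{'SOCK'} = 'AM.PDP-SOCK';
$interface_policy{'9998'} = 'AM.PDP-INET';
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,
};
$policy_bank{'AM.PDP-INET'} = {
  protocol => 'AM.PDP',
  inet_acl => [qw( 127.0.0.1 [::1] 192.0.2.10 )],
  auth_required_release => 0,
};
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, socket_mode=0o140666)))  # srw-rw-rw- socket
```

Permissions on the directory that holds the socket also limit who can connect, so a clean result here does not replace checking /kolab/var/amavisd itself.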

$ amavisd-release /kolab/var/amavisd/virusmails/spam-UM3XM3XDbN52.gz

The amavisd-release utility also accepts mail_id from STDIN if releasing more than one message in one go is more convenient:

$ amavisd-release -
/kolab/var/amavisd/virusmails/spam-UM3XM3XDbN52.gz
/kolab/var/amavisd/virusmails/spam-gnwKVFKiuey3.gz
/kolab/var/amavisd/virusmails/spam-Xpkj9mLLBHTR.gz

Using cyrdeliver

You may also use cyrdeliver to inject a banned mail directly into a user's mail account:

/kolab/bin/cyrdeliver my.user@example.com < /kolab/var/amavisd/virusmails/banned-kXuJ2d3uGVCT

Also see this mail.

Amavis quarantine cleanup

To clean up the Amavis quarantine directory, add these cron jobs:

# cleanup AMAVIS quarantine directory
10 2 	* * * 	root 	find /kolab/var/amavisd/virusmails/ -mtime +31 -exec rm {} \;
15 2 	* * * 	root 	find /kolab/var/amavisd/tmp/ -mtime +31 -exec rm -r {} \;
# For kolab since at least 2.2.3 the latter should read
# 15 2 	* * * 	root 	find /kolab/var/amavisd/ -iname "amavis-*" -mtime +31 -exec rm -r {} \;
