Thread: sql quarantine ignoring amavisd settings?

sql quarantine ignoring amavisd settings?
United States
2007-09-19 13:37:21
I'm having a hell of a time tuning our quarantine and thought I'd finally actually ask the peeps here to give me the nugget of information that I'm currently lacking. (Even if it's just the nouns I need to use to search this mailing list history for the answer)

Currently, we've got a special user "archiver" that all emails are BCC'ed to. I've been trying to figure out how to get amavisd to simply send all emails through to this user without exception, even if it contains spam, bad headers, virii, etc...

So far I've got these rules:

@bypass_virus_checks_maps = (
  { "archiver\@$mydomain" => 1 },
);

@virus_lovers_maps = (
  { "archiver\@$mydomain" => 1 },
);

@bypass_spam_checks_maps = (
  { "archiver\@$mydomain" => 1 },
);

@spam_lovers_maps = (
  { "archiver\@$mydomain" => 1 },
);

@bypass_banned_checks_maps = (
  { "archiver\@$mydomain" => 1 },
);

@banned_files_lovers_maps = (
  { "archiver\@$mydomain" => 1 },
);

@bypass_header_checks_maps = (
  { "archiver\@$mydomain" => 1 },
);

@bad_header_lovers_maps = (
  { "archiver\@$mydomain" => 1 },
);


According to the logs, things seem to be working correctly:
###########################################################
Sep 19 10:49:38 wopr amavis[9249]: (09249-10) FWD via SMTP: <user@mydomain.com> -> <archiver@mydomain.com>, BODY=8BITMIME RET=FULL 250 2.6.0 Ok, id=09249-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1CA7F5D08530
Sep 19 10:49:39 wopr amavis[9249]: (09249-10) Passed BANNED (multipart/mixed | application/x-zip-compressed,.zip,38426.zip | .dat,38426.xls), LOCAL [192.168.0.14] [192.168.0.14] <user@mydomain.com> -> <archiver@mydomain.com>, quarantine: FGiiGTluaLV2, Message-ID: <8F58176F06B35443B28E8EA107DB4F385859CE@exchange1.intranet.mydomain.com>, mail_id: FGiiGTluaLV2, Hits: -, queued_as: 1CA7F5D08530, 29589 ms
Sep 19 10:49:39 wopr amavis[9249]: (09249-10) Blocked BANNED (multipart/mixed | application/x-zip-compressed,.zip,38426.zip | .dat,38426.xls), LOCAL [192.168.0.14] [192.168.0.14] <user@mydomain.com> -> <user2@theirdomain.com>, quarantine: FGiiGTluaLV2, Message-ID: <8F58176F06B35443B28E8EA107DB4F385859CE@exchange1.intranet.mydomain.com>, mail_id: FGiiGTluaLV2, Hits: -, 29589 ms
Sep 19 10:49:39 wopr postfix/smtp[10249]: DBA835D08554: to=<user2@theirdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=44, delays=0.58/0.24/14/30, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=09249-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1CA7F5D08530, but 1 DISCARD)
Sep 19 10:49:39 wopr postfix/smtp[10249]: DBA835D08554: to=<archiver@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=44, delays=0.58/0.24/14/30, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=09249-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1CA7F5D08530, but 1 DISCARD)
Sep 19 10:49:39 wopr postfix/qmgr[2106]: DBA835D08554: removed
##############################################################
And it even states so in the notify email as well:

The message has been quarantined as: FGiiGTluaLV2

The message WILL BE relayed to: <archiver@mydomain.com>

The message WAS NOT relayed to:
<user2@theirdomain.com>:
###############################################################

yet, when I go in and view the quarantine, I see two copies of the email, one for archiver, and one for the original recipient. How can I avoid this?


Also, it looks like spam that should have been cut off and dropped is still showing up in the quarantine as well:
$sa_tag2_level_deflt = 5;
$sa_kill_level_deflt = 5;
$sa_dsn_cutoff_level = 10;
$sa_quarantine_cutoff_level = 10;


Finally, how the heck can I disable the bad headers check? I get way too many false positives from this!

Thanks,

              Ian

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: sql quarantine ignoring amavisd settings?
United States
2007-09-19 13:55:38
You don't need the => 1 in your entry. That syntax is for creating policy banks, where you assign values to a perl array. Normal rules just take the values as a list.

@bypass_virus_checks_maps = ( "archiver\@$mydomain" );

That syntax for all of your entries should work.

Ian wrote:
> I'm having a hell of a time tuning our quarantine and thought I'd finally actually ask the peeps here to give me the nugget of information that I'm currently lacking. (Even if it's just the nouns I need to use to search this mailing list history for the answer)
>
> Currently, we've got a special user "archiver" that all emails are BCC'ed to. I've been trying to figure out how to get amavisd to simply send all emails through to this user without exception, even if it contains spam, bad headers, virii, etc...
>

-- 
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Visit http://www.puryear-it.com/pubs/ebooks/ to download your free copies of:

 "Best Practices for Managing Linux and UNIX Servers"
 "Spam Fighting and Email Security in the 21st Century"



Re: sql quarantine ignoring amavisd settings?
United States
2007-09-20 11:59:35
> You don't need the => 1 in your entry. That syntax is for creating policy banks, where you assign values to a perl array. Normal rules just take the values as a list.
>
> @bypass_virus_checks_maps = ( "archiver\@$mydomain" );
>
> That syntax for all of your entries should work.
>
> Ian wrote:
>> I'm having a hell of a time tuning our quarantine and thought I'd finally actually ask the peeps here to give me the nugget of information that I'm currently lacking. (Even if it's just the nouns I need to use to search this mailing list history for the answer)
>>
>> Currently, we've got a special user "archiver" that all emails are BCC'ed to. I've been trying to figure out how to get amavisd to simply send all emails through to this user without exception, even if it contains spam, bad headers, virii, etc...
>>
>> So far I've got these rules:
>>


I changed the settings from:
@bypass_virus_checks_maps = ({ "archiver\@$mydomain" => 1 });
to
@bypass_virus_checks_maps = ("archiver\@$mydomain");

Along with all the other related checks_maps, and now nothing is quarantined and everyone receives spam. Are you certain that is the correct format?


Re: sql quarantine ignoring amavisd settings?
Slovenia
2007-09-20 13:59:53
Ian,

> Currently, we've got a special user "archiver" that all emails are BCC'ed to. I've been trying to figure out how to get amavisd to simply send all emails through to this user without exception, even if it contains spam, bad headers, virii, etc...
> So far I've got these rules:
> @bypass_virus_checks_maps = ({ "archiver\@$mydomain" => 1 });
> @virus_lovers_maps = ({ "archiver\@$mydomain" => 1 });
> @bypass_spam_checks_maps = ({ "archiver\@$mydomain" => 1 });
> @spam_lovers_maps = ({ "archiver\@$mydomain" => 1 });
> @bypass_banned_checks_maps = ({ "archiver\@$mydomain" => 1 });
> @banned_files_lovers_maps = ({ "archiver\@$mydomain" => 1 });
> @bypass_header_checks_maps = ({ "archiver\@$mydomain" => 1 });
> @bad_header_lovers_maps = ({ "archiver\@$mydomain" => 1 });

Ok.

> According to the logs, things seem to be working correctly:
> Sep 19 10:49:39 wopr amavis[9249]: (09249-10) Passed BANNED (multipart/mixed | application/x-zip-compressed,.zip,38426.zip | .dat,38426.xls), LOCAL [192.168.0.14] [192.168.0.14] <user@mydomain.com> -> <archiver@mydomain.com>, quarantine: FGiiGTluaLV2, Message-ID: <8F58176F06B35443B28E8EA107DB4F385859CE@exchange1.intranet.mydomain.com>, mail_id: FGiiGTluaLV2, Hits: -, queued_as: 1CA7F5D08530, 29589 ms
> Sep 19 10:49:39 wopr amavis[9249]: (09249-10) Blocked BANNED (multipart/mixed | application/x-zip-compressed,.zip,38426.zip | .dat,38426.xls), LOCAL [192.168.0.14] [192.168.0.14] <user@mydomain.com> -> <user2@theirdomain.com>, quarantine: FGiiGTluaLV2, Message-ID:...

> And it even states so in the notify email as well:
> The message has been quarantined as: FGiiGTluaLV2
> The message WILL BE relayed to: <archiver@mydomain.com>
> The message WAS NOT relayed to: <user2@theirdomain.com>:

Ok.

> yet, when I go in and view the quarantine, I see two copies of the email,
> one for archiver, and one for the original recipient. How can I avoid this?

Turn off quarantining for the archiver:

@archive_quarantine_to_maps = (
  { "archiver\@$mydomain" => '' },
  $archive_quarantine_to,
);

Btw, it would be easier to get away with all of the above, and let amavisd do the archiving, instead of using always_bcc in MTA:

  $archive_quarantine_to = 'archiver@mydomain.com';
  $archive_quarantine_method = 'smtp:[127.0.0.1]:10025';

See also:
  http://www.ijs.si/software/amavisd/amavisd-new-docs.html#quarantine

amavisd-new-2.4.3 release notes:
- added configuration variables @archive_quarantine_to_maps and
  $archive_quarantine_method, allowing for archival quarantine of all mail
  (configurable by recipient and by policy banks) regardless of its contents
  category. This archive is independent from other quarantining, i.e. if
  spam quarantining and archival quarantining are both enabled, two copies
  will be stored to quarantine. When quarantining for archive one has two
  choices: archive_quarantine would store all mail addressed to recipient,
  whereas enabling clean quarantine as in:
    $quarantine_method_by_ccat{+CC_CLEAN} = 'local:clean-%m';
    $quarantine_to_maps_by_ccat{+CC_CLEAN} = 'clean-quarantine';
  would quarantine only clean mail, no spam, no viruses, no banned, no badh.

  Note that logging to SQL has only one field to store quarantine location,
  so in case of multiple quarantine locations only the first is remembered.
  The usual logging however reports all quarantine locations with the main
  log entry.


> Also, it looks like spam that should have been cut off and dropped is
> still showing up in the quarantine as well:
> $sa_tag2_level_deflt = 5;
> $sa_kill_level_deflt = 5;
> $sa_dsn_cutoff_level = 10;
> $sa_quarantine_cutoff_level = 10;

Show an example from a log. Your provided example hit a BANNED, SpamAssassin was not even called, $sa_quarantine_cutoff_level did not apply.

> Finally, how the heck can I disable the bad headers check?

@bypass_header_checks_maps = ( 1 );

> I get way too many false positives from this!

False positives in what sense? That a test said a header is bad but is really not??? Or, more likely, that a header is bad, but mail is passed anyway. You can turn off quarantining of bad header mail if that is what you are asking:
  $bad_header_quarantine_method = undef;

Steven writes:
> You don't need the => 1 in your entry. That syntax is for creating
> policy banks, where you assign values to a perl array.

Bad advice, Ian is using hash-type lookups, syntax is correct.

> Normal rules just take the values as a list.
> @bypass_virus_checks_maps = ( "archiver\@$mydomain" );

Bad advice, a *_maps value is a LIST OF LOOKUP TABLES. The above example is interpreted as a list of one element, which is a pseudo-lookup table A CONSTANT, which always yields its value regardless of a query key. When interpreted as a boolean, it is always true in the above example, regardless of the query key.

  Mark

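The point Mark makes about a *_maps value being a list of lookup tables, and the earlier @archive_quarantine_to_maps trick, are easier to see in running code. The script below is an added example, not code from this thread or from amavisd-new itself: a small model of the lookup rules described in amavisd-new's README.lookups (hash, ACL list, regexp and constant tables, first defined result wins). Simplifications are mine: no $recipient_delimiter handling, no bare "user" keys for addresses without a domain, and a plain qr// stands in for amavisd's new_RE() wrapper. $mydomain is assumed to be example.com; the thread never shows its value.

```perl
#!/usr/bin/perl
# Added example, not amavisd-new code: a model of README.lookups table
# semantics, enough to show why a bare string in a *_maps list matches
# every recipient while hash/acl/regexp tables match only the intended one.
use strict;
use warnings;

# Keys a hash-type table is queried with, most specific first:
#   user@domain, user@, domain, .domain, .parent.tld, ..., .tld, "."
sub hash_keys {
    my ($addr) = @_;
    $addr = lc $addr;
    my ($user, $domain) = $addr =~ /^(.*?)\@(.*)$/ ? ($1, $2) : ($addr, '');
    my @keys   = ($addr, "$user\@", $domain);
    my @labels = split /\./, $domain;
    while (@labels) {
        push @keys, '.' . join('.', @labels);
        shift @labels;
    }
    push @keys, '.';
    return @keys;
}

# Hash table: the first key that EXISTS wins, even if its value is '' or 0.
sub lookup_hash {
    my ($addr, $h) = @_;
    for my $k (hash_keys($addr)) {
        return $h->{$k} if exists $h->{$k};
    }
    return undef;
}

# ACL (list) table: leading '!' negates; an entry with '@' must equal the
# whole address, '.domain' matches the domain and its subdomains, a bare
# domain matches only itself, and '.' matches everything.
sub lookup_acl {
    my ($addr, $list) = @_;
    $addr = lc $addr;
    (my $domain = $addr) =~ s/^.*\@//;
    for my $entry (@$list) {
        my $pat = lc $entry;
        my $neg = ($pat =~ s/^!//) ? 1 : 0;
        my $hit = $pat eq '.'   ? 1
                : $pat =~ /\@/  ? ($addr eq $pat)
                : $pat =~ /^\./ ? ($domain eq substr($pat, 1) || $domain =~ /\Q$pat\E$/)
                :                 ($domain eq $pat);
        return($neg ? 0 : 1) if $hit;
    }
    return undef;
}

# Regexp table: applied to the whole address; 1 on match, undef otherwise.
sub lookup_re {
    my ($addr, $re) = @_;
    return $addr =~ $re ? 1 : undef;
}

# A *_maps value is a list of tables consulted left to right; the first
# table yielding a DEFINED result decides.  Anything that is not a hash,
# an array or a regexp is a constant and always answers with its own value,
# which is what ( "archiver\@$mydomain" ) is: a non-empty string, true for
# every recipient.
sub lookup {
    my ($addr, @maps) = @_;
    for my $map (@maps) {
        my $r = ref($map) eq 'HASH'   ? lookup_hash($addr, $map)
              : ref($map) eq 'ARRAY'  ? lookup_acl($addr, $map)
              : ref($map) eq 'Regexp' ? lookup_re($addr, $map)
              :                         $map;
        return $r if defined $r;
    }
    return undef;
}

my $mydomain = 'example.com';   # assumed; not given in the thread

my %tables = (
    constant => [ "archiver\@$mydomain" ],           # Steven's suggestion
    hash     => [ { "archiver\@$mydomain" => 1 } ],  # Ian's original form
    acl      => [ [ "archiver\@$mydomain" ] ],
    regexp   => [ qr/^archiver\@example\.com$/i ],   # amavisd: new_RE(...)
);
for my $rcpt ("archiver\@$mydomain", "bob\@$mydomain", "eve\@evil.example") {
    for my $kind (qw(constant hash acl regexp)) {
        my $r = lookup($rcpt, @{ $tables{$kind} });
        printf "%-22s %-8s bypass checks: %s\n", $rcpt, $kind,
               (defined $r && $r) ? 'YES' : 'no';
    }
}

# Mark's @archive_quarantine_to_maps trick: a defined-but-empty value for
# the archiver stops the search, and '' means "no archive quarantine".
my $archive_quarantine_to      = "archiver\@$mydomain";
my @archive_quarantine_to_maps = ( { "archiver\@$mydomain" => '' }, $archive_quarantine_to );
for my $rcpt ("archiver\@$mydomain", "bob\@$mydomain") {
    my $to = lookup($rcpt, @archive_quarantine_to_maps);
    printf "%-22s archive copy goes to: %s\n", $rcpt, $to eq '' ? '(none)' : $to;
}
```

Run it and the constant table answers YES for all three recipients, while the hash, ACL and regexp tables answer YES only for the archiver; that is exactly the "nothing is quarantined and everyone receives spam" result Ian saw after switching every *_maps to the bare-string form. The last loop shows the empty-string override: the archiver gets no archive copy, everyone else is still archived to $archive_quarantine_to.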

Re: sql quarantine ignoring amavisd settings?
Slovenia
2007-09-20 17:57:41
Ian,

> > @bypass_header_checks_maps = ( 1 );
>
> Thanks again... I see now in the comments that the same method can be used to disable spam and virii checks.
>
> >> I get way too many false positives from this!
> >
> > False positives in what sense? That a test said a header is bad but is really not??? Or, more likely, that a header is bad, but mail is passed anyway. You can turn off quarantining of bad header mail if that is what you are asking:
> >   $bad_header_quarantine_method = undef;
>
> The emails were coming from particular companies that likely do have bad headers when generating their emails... They were all being quarantined though, and were not being passed through.

The default setting is $final_bad_header_destiny=D_PASS . If you see mail being blocked by header checks, it must be because you have explicitly overridden the default in your amavisd.conf.

Do not be misled by the fact that default setting is also to quarantine a mail with a bad header (i.e. a copy goes to a quarantine, but mail is passed to recipients nevertheless). To avoid quarantining mail with bad headers, it must be turned off explicitly, as shown above.

Btw, it is also possible to be more selective and just disable some of the header checks subtests, e.g.
$allowed_header_tests{'8bit'} = 0;

amavisd-new-2.4.4 release notes:

- new configuration variable %allowed_header_tests, also member of policy
  banks, allows for selectively disabling some of the header checks,
  e.g. checks for non-encoded 8-bit characters. The %allowed_header_tests
  hash contains all available header test names as its keys by default
  (with a value of true); removing a key, or setting its value to false,
  disables a test, e.g.:
    $allowed_header_tests{'8bit'} = 0;
    $allowed_header_tests{'missing'} = 0;
  Currently available keys (i.e. test names) are:
    other mime 8bit control empty long syntax missing multiple
  each corresponding to its own minor contents category of CC_BADH;

    ccat  test
    min   name      description
    ----  --------  -----------
       0  other     (catchall for everything else, normally not used)
       1  mime      Bad MIME (sub)headers or bad MIME structure
       2  8bit      Invalid non-encoded 8-bit characters in header
       3  control   Invalid control characters in header (CR or NUL)
       4  empty     Folded header field made up entirely of whitespace
       5  long      Header line longer than RFC 2822 limit of 998 characters
       6  syntax    Header field syntax error
       7  missing   Missing required header field
       8  multiple  Duplicate or multiple occurrence of a header field
  legend:
    ccat min:  minor contents category under a major category CC_BADH,
               available in templates as a macro ccat_min;
    test name: corresponding test name - a key in %allowed_header_tests;
    descr.:    description of a header test or MIME subheaders/structure test;


Mark

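To make the subtest table above concrete, here is an added example, not code from this thread or from amavisd-new: a small header checker that implements several of the CC_BADH subtests named in the 2.4.4 release notes (8bit, control, empty, long, syntax, missing, multiple) and honours an %allowed_header_tests-style switch table, so a subtest can be turned off the way Mark shows. Assumptions that are mine: Date and From are the "required" fields and the RFC 5322 at-most-once fields are the "multiple" candidates; amavisd's own rule set may differ, and the 'mime' and 'other' subtests are not modelled. The minor ccat numbers are the ones from the release notes; the sample header is constructed.

```perl
#!/usr/bin/perl
# Added example, not amavisd-new code: a checker for a subset of the CC_BADH
# header subtests, with a per-test enable/disable table.
use strict;
use warnings;

my %ccat_min = ('8bit' => 2, control => 3, empty => 4, long => 5,
                syntax => 6, missing => 7, multiple => 8);

# Every subtest is on by default; setting a key to 0 disables it, like
# $allowed_header_tests{'8bit'} = 0 in amavisd.conf.
my %allowed_header_tests = map { $_ => 1 } keys %ccat_min;

my @required    = qw(Date From);                           # assumption
my @single_only = qw(Date From Sender Reply-To To Cc Bcc   # RFC 5322 max-one
                     Message-ID In-Reply-To References Subject);

# check_header($raw_header_section [, \%allowed]) returns a list of
# [ccat_min, test_name, description] for every problem found.  Line
# endings may be CRLF or LF; folded fields are unfolded before the
# field-level tests run.
sub check_header {
    my ($raw, $allowed) = @_;
    $allowed ||= \%allowed_header_tests;
    my $on    = sub { $allowed->{ $_[0] } };
    my @lines = split /\r?\n/, $raw;
    my @found;

    # Physical-line tests: length, raw 8-bit bytes, stray CR or NUL.
    for my $line (@lines) {
        push @found, [ $ccat_min{long}, 'long',
            'Header line longer than RFC 2822 limit of 998 characters' ]
            if $on->('long') && length($line) > 998;
        push @found, [ $ccat_min{'8bit'}, '8bit',
            'Invalid non-encoded 8-bit characters in header' ]
            if $on->('8bit') && $line =~ /[\x80-\xFF]/;
        push @found, [ $ccat_min{control}, 'control',
            'Invalid control characters in header (CR or NUL)' ]
            if $on->('control') && $line =~ /[\r\0]/;
    }

    # Unfold continuation lines, then run the field-level tests.
    my @fields;
    for my $line (@lines) {
        if ($line =~ /^[ \t]/ && @fields) { $fields[-1] .= "\n$line" }
        else                              { push @fields, $line }
    }
    my %count;
    for my $field (@fields) {
        # RFC 5322: field-name is printable ASCII except ':', then ':'.
        if ($field =~ /^([!-9;-~]+):(.*)\z/s) {
            my ($name, $body) = ($1, $2);
            $count{ lc $name }++;
            push @found, [ $ccat_min{empty}, 'empty',
                'Folded header field made up entirely of whitespace' ]
                if $on->('empty') && $body =~ /\n/ && $body !~ /\S/;
        }
        elsif ($on->('syntax')) {
            push @found, [ $ccat_min{syntax}, 'syntax',
                "Header field syntax error: $field" ];
        }
    }
    if ($on->('missing')) {
        push @found, [ $ccat_min{missing}, 'missing',
            "Missing required header field: $_" ]
            for grep { !$count{ lc $_ } } @required;
    }
    if ($on->('multiple')) {
        push @found, [ $ccat_min{multiple}, 'multiple',
            "Duplicate header field: \"$_\"" ]
            for grep { ($count{ lc $_ } || 0) > 1 } @single_only;
    }
    return @found;
}

# Constructed sample header: raw 8-bit byte in Subject, two Message-IDs,
# no Date field, and one line that is not a header field at all.
my $sample = join "\r\n",
    'From: Example Sender <sender@example.com>',
    'To: user@example.com',
    "Subject: Caf\xE9 menu",
    'Message-ID: <1@example.com>',
    'Message-ID: <2@example.com>',
    'X-Broken line without a colon',
    '';

for my $hit (check_header($sample)) {
    printf "check_header: %d, %s\n", $hit->[0], $hit->[2];
}

# The same header with the 8bit subtest switched off, as Mark suggests.
my %relaxed = (%allowed_header_tests, '8bit' => 0);
printf "with 8bit disabled: %d finding(s)\n",
       scalar(check_header($sample, \%relaxed));
```

The output lines mimic the "check_header: 8, Duplicate header field: ..." form Mark quotes from a level-2 log, so the number in front is the ccat minor you would map back to a test name before disabling it. The sample produces four findings (8bit, syntax, missing Date, duplicate Message-ID); with '8bit' set to 0 in the switch table the same header produces three, which is the selective relaxation the release notes describe.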

Re: sql quarantine ignoring amavisd settings?
United States
2007-09-20 18:20:30
> The default setting is $final_bad_header_destiny=D_PASS .
> If you see mail being blocked by header checks, it must be
> because you have explicitly overridden the default in
> your amavisd.conf.

Ah, I must have then. Okay, I'm beginning to see the flow of things now. Very IPTABLES-like.

> Do not be misled by the fact that default setting is also
> to quarantine a mail with a bad header (i.e. a copy goes
> to a quarantine, but mail is passed to recipients nevertheless).
> To avoid quarantining mail with bad headers, it must be turned off
> explicitly, as shown above.

This was one thing that I didn't find intuitive. When would someone want something quarantined while it was delivered anyway?

> Btw, it is also possible to be more selective and just disable some
> of the header checks subtests, e.g. $allowed_header_tests{'8bit'} = 0;

I assume the logs will show what part of the header failed so that I could flip off that switch? If I wanted to whitelist a particular domain, is there a check_maps I could use to do that instead?


Back to the spam still being quarantined:

here's some log entries:

Sep 20 13:56:34 wopr amavis[27296]: (27296-02) do_notify_and_quarantine: spam level exceeds quarantine cutoff level 10

Sep 20 13:56:35 wopr amavis[27296]: (27296-02) Blocked SPAM, [189.142.141.237] [189.142.141.237] <qqq@blumelaw.com> -> <me@mydomain.com>, quarantine: archiver@mydomain.com, Message-ID: <01c7fbc8$ae796210$ed8d8ebd@qqq>, mail_id: udQjw39pAJbo, Hits: 39.67, 20288 ms

Here are my settings:
$sa_tag_level_deflt  = -9999;
$sa_tag2_level_deflt = 5;
$sa_kill_level_deflt = 5;
$sa_dsn_cutoff_level = 10;
$sa_quarantine_cutoff_level = 10;

Thanks for your help.


Re: sql quarantine ignoring amavisd settings?
Slovenia
2007-09-20 18:45:53
Ian,

> > Do not be misled by the fact that default setting is also
> > to quarantine a mail with a bad header (i.e. a copy goes
> > to a quarantine, but mail is passed to recipients nevertheless).
> > To avoid quarantining mail with bad headers, it must be turned off
> > explicitly, as shown above.
>
> This was one thing that I didn't find intuitive.

I agree it can be puzzling. I keep it this way for historical continuity and to maintain upwards compatibility. Quarantining was always completely independent from passing/blocking mail, with its own set of controls. It makes it possible for example to use a $clean_quarantine_method for similar purposes as $archive_quarantine_method, except that it would not save junk and malware to a clean quarantine.

> When would someone want something quarantined while it was delivered anyway?

For archive? Or to see what silly header mistakes some mailers put in their mail, and help diagnose and fix them, but still keep the mail flowing normally.

> > Btw, it is also possible to be more selective and just disable some
> > of the header checks subtests, e.g. $allowed_header_tests{'8bit'} = 0;
>
> I assume the logs will show what part of the header failed so that
> I could flip off that switch?

Not by default, although you could modify the $log_templ to show it (using macro [:ccat|minor] when [:ccat|major] indicates bad header).

A log at level 2 does show the reason, e.g.:

(64562-12) check_header: 8, Duplicate header field: "Message-ID"

(19083-16-2) check_header: 5, Header line longer than 998 characters: Content-Type:\n text/html;GB23...

Another option is to look into a quarantined copy of a mail with bad header, which does state the reason:

X-Amavis-Alert: BAD HEADER Duplicate header field: "Message-ID"


> If I wanted to whitelist a particular domain, is
> there a check_maps I could use to do that instead?

Yes, by-recipients setting is available:

@bypass_header_checks_maps = ( list of lookup tables as usual );

There is no fine-grained subtest selection on a by-recipient basis. Also, there is no by-sender setting.

> Back to the spam still being quarantined:
>
> here's some log entries:
>
> Sep 20 13:56:34 wopr amavis[27296]: (27296-02) do_notify_and_quarantine: spam level exceeds quarantine cutoff level 10
>
> Sep 20 13:56:35 wopr amavis[27296]: (27296-02) Blocked SPAM, [189.142.141.237] [189.142.141.237] <qqq@blumelaw.com> -> <me@mydomain.com>, quarantine: archiver@mydomain.com, Message-ID: <01c7fbc8$ae796210$ed8d8ebd@qqq>, mail_id: udQjw39pAJbo, Hits: 39.67, 20288 ms

Archival quarantine works independently of mail content type:

- added configuration variables @archive_quarantine_to_maps and
  $archive_quarantine_method, allowing for archival quarantine of all mail
  (configurable by recipient and by policy banks) regardless of its contents
  category. This archive is independent from other quarantining, i.e. if
  spam quarantining and archival quarantining are both enabled, two copies
  will be stored to quarantine. When quarantining for archive one has two
  choices: archive_quarantine would store all mail addressed to recipient,
  whereas enabling clean quarantine as in:
    $quarantine_method_by_ccat{+CC_CLEAN} = 'local:clean-%m';
    $quarantine_to_maps_by_ccat{+CC_CLEAN} = 'clean-quarantine';
  would quarantine only clean mail, no spam, no viruses, no banned, no badh.

  Note that logging to SQL has only one field to store quarantine location,
  so in case of multiple quarantine locations only the first is remembered.
  The usual logging however reports all quarantine locations with the main
  log entry.

If you'd prefer to archive only clean messages, use a clean_quarantine* equivalent, or some other combination of spam/virus/badh/banned quarantines.

  Mark

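Mark's explanation of why the 39.67-point spam still shows "quarantine: archiver@..." becomes clearer as a decision model. The script below is an added example, not code from this thread or from amavisd-new: it ranks a message's content categories in the priority order Mark gives later in the thread (CC_VIRUS, CC_BANNED, CC_UNCHECKED, CC_SPAM, CC_SPAMMY, CC_BADH, ...), takes the highest as the main category, derives the blocking category the way the 2.5.0 release notes describe (recipients who are "lovers" of a category, or a D_PASS destiny, move it down the list), selects one per-category quarantine (the spam one only below $sa_quarantine_cutoff_level) and adds the archive quarantine on top, independently. Subroutine names, the %opts keys, the quarantine destination names and the domain example.com are my assumptions; the real code is per recipient and considerably more involved, and CC_SPAMMY never fires here because Ian's tag2 and kill levels are equal.

```perl
#!/usr/bin/perl
# Added example, not amavisd-new code: a toy model of main ccat, blocking
# ccat, the single per-category quarantine and the independent archive
# quarantine, driven by Ian's thresholds and his two log excerpts.
use strict;
use warnings;

my @ccat_rank = qw(CC_VIRUS CC_BANNED CC_UNCHECKED CC_SPAM CC_SPAMMY
                   CC_BADH CC_OVERSIZED CC_MTA CC_CLEAN CC_CATCHALL);
my %rank;
@rank{@ccat_rank} = (0 .. $#ccat_rank);

# Ian's thresholds from the thread; the archive address assumes example.com.
my $sa_tag2_level_deflt        = 5;
my $sa_kill_level_deflt        = 5;
my $sa_quarantine_cutoff_level = 10;
my $archive_quarantine_to      = 'archiver@example.com';

# Categories that block by default (their *_destiny is not D_PASS); CC_BADH
# passes by default, as Mark points out.  Model assumption.
my %blocks_by_default = map { $_ => 1 } qw(CC_VIRUS CC_BANNED CC_SPAM);

# Per-category quarantine destinations in this model (names are mine).
my %quarantine_to = (
    CC_VIRUS  => 'virus-quarantine',
    CC_BANNED => 'banned-quarantine',
    CC_SPAM   => 'spam-quarantine',
    CC_BADH   => 'bad-header-quarantine',
);

# All categories that apply to a message, highest-ranking first.
sub categories {
    my ($msg) = @_;
    my $score = $msg->{score} || 0;
    my @c = ('CC_CLEAN');
    push @c, 'CC_VIRUS'  if $msg->{virus};
    push @c, 'CC_BANNED' if $msg->{banned};
    push @c, 'CC_BADH'   if $msg->{bad_header};
    push @c, $score >= $sa_kill_level_deflt ? 'CC_SPAM'
           : $score >= $sa_tag2_level_deflt ? 'CC_SPAMMY' : ();
    return sort { $rank{$a} <=> $rank{$b} } @c;
}

# verdict($msg, \%opts): %opts has 'lovers' (hash of categories this
# recipient is a *_lover of) and 'archive' (archive quarantine on/off).
sub verdict {
    my ($msg, $opts) = @_;
    my @cats = categories($msg);
    my $main = $cats[0];
    # Blocking ccat: the first category that blocks AND is not loved.
    my ($blocking) = grep { $blocks_by_default{$_} && !$opts->{lovers}{$_} } @cats;

    my @quarantine;
    if (my $q = $quarantine_to{$main}) {
        # $sa_quarantine_cutoff_level only ever suppresses the SPAM quarantine.
        push @quarantine, $q
            unless $main eq 'CC_SPAM' && ($msg->{score} || 0) >= $sa_quarantine_cutoff_level;
    }
    # Archive quarantine: independent of content category, always in addition.
    push @quarantine, $archive_quarantine_to if $opts->{archive};

    return { main       => $main,
             blocking   => $blocking || '',
             action     => $blocking ? 'Blocked' : 'Passed',
             quarantine => \@quarantine };
}

# Constructed cases modelled on Ian's two log excerpts.
my $banned = { desc => 'banned .zip, Sep 19', banned => 1 };
my $spam   = { desc => 'spam scoring 39.67',  score  => 39.67 };
my @cases = (
    [ $banned, 'archiver@example.com',  { lovers => { CC_BANNED => 1 }, archive => 1 } ],
    [ $banned, 'user2@theirdomain.com', { lovers => {}, archive => 1 } ],
    [ $spam,   'me@example.com',        { lovers => {}, archive => 1 } ],
    [ $spam,   'me@example.com',        { lovers => {}, archive => 0 } ],
);
for my $case (@cases) {
    my ($msg, $rcpt, $opts) = @$case;
    my $v = verdict($msg, $opts);
    printf "%-20s -> %-22s %s %-9s (main %s), quarantine: %s\n",
           $msg->{desc}, $rcpt, $v->{action}, $v->{blocking} || '-', $v->{main},
           @{ $v->{quarantine} } ? join(', ', @{ $v->{quarantine} }) : '(none)';
}
```

The first two cases reproduce the Sep 19 log: the archiver, a banned_files_lover, gets "Passed" while user2 gets "Blocked", and both see two quarantine destinations, which is the "two copies" Ian observed. The third case is the Sep 20 spam: CC_SPAM is both main and blocking, the spam quarantine is skipped because 39.67 is above the cutoff, and the only destination left is the archive, so the log line reads "quarantine: archiver@...". The fourth case shows that switching the archive off is what makes $sa_quarantine_cutoff_level produce no quarantine at all.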

Re: sql quarantine ignoring amavisd settings?
United States
2007-09-20 19:45:04
>> If I wanted to whitelist a particular domain, is
>> there a check_maps I could use to do that instead?
>
> Yes, by-recipients setting is available:
>
> @bypass_header_checks_maps = ( list of lookup tables as usual );

So the lookup table is simply regex matched? I.E. I could even do something like:

@bypass_header_checks_maps = ( { ".com" => 1 } );
or
@bypass_header_checks_maps = ( { ".(com|edu)" => 1 } );


>> Sep 20 13:56:34 wopr amavis[27296]: (27296-02) do_notify_and_quarantine: spam level exceeds quarantine cutoff level 10
>>
>> Sep 20 13:56:35 wopr amavis[27296]: (27296-02) Blocked SPAM, [189.142.141.237] [189.142.141.237] <qqq@blumelaw.com> -> <me@mydomain.com>, quarantine: archiver@mydomain.com, Message-ID: <01c7fbc8$ae796210$ed8d8ebd@qqq>, mail_id: udQjw39pAJbo, Hits: 39.67, 20288 ms
>
> Archival quarantine works independently of mail content type:

okay, another non-intuitive thing happening again. I've got settings that tell amavisd not to quarantine here:
$sa_quarantine_cutoff_level = 10;

yet it will still be quarantined, because there is more than one quarantine or because there is more than one content type? Note that what shows up in the sql DB is not addressed to "archiver@mydomain.com". That is set like this:
$archive_quarantine_to = "archiver\@$mydomain";
$archive_quarantine_method = 'smtp:[127.0.0.1]:10025';

Which I assume the method to mean NOT to use sql.


Re: sql quarantine ignoring amavisd settings?
Slovenia
2007-09-21 04:54:01
Ian,

> > Yes, by-recipients setting is available:
> > @bypass_header_checks_maps = ( list of lookup tables as usual );
>
> So the lookup table is simply regex matched?

If you use a regexp-type of a lookup table, then yes. All types of available lookups are explained in README.lookups .

> I.E. I could even do something like:
>
> @bypass_header_checks_maps = ( { ".com" => 1 } );
> or
> @bypass_header_checks_maps = ( { ".(com|edu)" => 1 } );

You are showing a hash-type lookup, and hash doesn't do regexp. But for the above simple cases you don't need regexp-type lookup, a simple hash-type or a list-type (acl) lookup table would do.

The following are all equivalent:

@bypass_header_checks_maps = ( { ".com" => 1, ".edu" => 1 } );  # hash

@bypass_header_checks_maps = ( [ ".com", ".edu" ] );  # list (acl)
@bypass_header_checks_maps = ( [ qw(.com .edu) ] );

@bypass_header_checks_maps = ( new_RE( qr(\.(com|edu)$) ) );  # regexp

The last one is the trickiest to get right (quoting dots, anchoring, not allowing another @ in the domain name, case sensitivity, ...), the slowest, and the most rarely needed.

More examples in amavisd.conf-sample .

> > Archival quarantine works independently of mail
content type:
>
> okay, another non-intuitive thing happening again.  
I've got settings
> that tell amavisd not to quarantine here:
> $sa_quarantine_cutoff_level = 10;

The $sa_quarantine_cutoff_level setting tells not to
quarantine SPAM
to a SPAM quarantine if its score level is above the
specified score.
It has no effect on any other quarantine type.

> yet it will still be quarantined, because there is more
than one
> quarantine or because there is more than one content
type?

The purpose or archival quarantine is to quarantine
everything.
If you want to be more selective, pick other quarantine
types.

As already quoted:
  This archive is independent from other quarantining, i.e.
if
  spam quarantining and archival quarantining are both
enabled,
  two copies will be stored to quarantine.

Archive quarantine is somewhat special in that it works
independently
and in addition to other quarantining, as stated.

Other quarantine types are chosen according to a category of
mail
content, and there is only one final verdict on a mail
content
category (therefore only one quarantine type chosen, besides
archival
quarantine), in the following priority:

  CC_VIRUS
  CC_BANNED
  CC_UNCHECKED
  CC_SPAM        # kill_level
  CC_SPAMMY      # tag2_level  (and: tag3_level =
"CC_SPAMMY,1")
  CC_BADH
  CC_OVERSIZED
  CC_MTA         # trouble passing mail back to MTA
  CC_CLEAN       # tag_level = "CC_CLEAN,1"
  CC_CATCHALL

Actually it is slightly more complicated for multi-recipient mail,
but the above should do for a general understanding.

For full control there are two general settings:
$quarantine_method_by_ccat and $quarantine_to_maps_by_ccat,
if an unusual need arises. RELEASE_NOTES tells more on _by_ccat
and the content categories concept, although it is rarely necessary
to modify these defaults.

Here are some further details:

amavisd-new-2.5.0 release notes

- added a new concept of a 'blocking contents category', which in most cases
  corresponds to a familiar 'main contents category' (the highest ranking
  category of contents pertaining to a message, e.g. virus, blocked, spam,
  spammy, bad header ...).  The difference between the two arises when
  recipients are declared to be 'lovers' of some higher-ranking contents,
  or when a higher ranking contents category has its *_destiny set to D_PASS.

  For example: a message contains a banned part, but is also spam
  and may even have a bad header. Its contents categories are (simplified):
  CC_BANNED, CC_SPAM and CC_BADH, in this order. The main contents
  category of a message is CC_BANNED, which usually is also a reason
  for blocking a message, yielding a blocking ccat that is also CC_BANNED.

  But if some recipient is a banned_files_lover (or if $final_banned_destiny
  is set to D_PASS), then the main ccat remains CC_BANNED, but the
  blocking ccat is CC_SPAM, i.e. the next in the list which is responsible
  for actually blocking the mail. If the recipient were also a spam lover,
  the blocking ccat might be CC_BADH (if $final_bad_header_destiny were
  not D_PASS).

  If a message is not being blocked, the 'blocking contents category'
  (i.e. a blocking_ccat attribute of a per-message or a per-recipient object)
  remains empty (undefined). For convenience some internal routines
  and some new macros fall back to showing the main contents category
  in this case.

  Almost all processing decisions, DSN, notification assembling, quarantining,
  logging etc. are now based on the 'blocking contents category' when a message
  is being blocked, and on the 'main contents category' (as before) when a
  message is not being blocked.

  There is a new macro 'ccat' which is useful in notification and logging
  templates, which can query the blocking contents category, as well
  as the main contents category. It provides access to information that
  was formerly available through macros ccat_maj, ccat_min, ccat_name,
  plus access to additional information. Macros ccat_maj, ccat_min and
  ccat_name are still available, but their use is deprecated, as their
  functionality has been incorporated into the new macro 'ccat'.

  Macro 'ccat' takes two optional fixed-string arguments, which are
  interpreted case-insensitively. In their absence it expands to a
  string "(maj,min)" which shows a major and a minor contents category
  number of a blocking ccat for a blocked message, and of a main contents
  category for a passed message.
  [...]

> Note that what shows up in the sql DB is not addressed
> to "archiver@mydomain.com".

You mean the SQL logging, like:
  select quar_loc from msgs where mail_id='nZodEgK55xCd';
  -->
  spam/n/nZodEgK55xCd.gz
?

To reduce clutter, I left out the quarantine location from SQL and
the log when the quarantine method is smtp: or lmtp:, as in your case.
I'll put it back with the next version for consistency, so you will
see in the log:

(67201-05-4) Blocked SPAM, [...] [...] <...> -> <...>,
  quarantine: archive@example.com, spam/s/ss1DM3Kb-sYE.gz,
  Message-ID: ...,   mail_id: ...

The patch to 2.5.2 is trivial, if you need it immediately:

--- amavisd.orig	Mon Sep 10 02:02:39 2007
+++ amavisd	Fri Sep 21 11:47:25 2007
 -14945,4
+14945,5 
         $r->recip_remote_mta_smtp_response($smtp_resp);
         $r->recip_smtp_response($smtp_resp);
$r->recip_done(2);
+        $r->recip_mbxname($r->recip_final_addr)  if
$smtp_resp =~ /^2/;
       }
       if ($first) {  # fetch an uncollected response
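Review bot: the added assignment records recip_final_addr as the mailbox name for every recipient whose response matched /^2/, but nothing in this hunk ties it to the smtp:/lmtp: quarantine delivery the surrounding mail says it is for; if this forwarding routine also serves the ordinary forward to the MTA, every passed recipient gets a mbxname too. Either guard on the quarantine context here, or state in the change description that a set mbxname is ignored for non-quarantine recipients. The bare `$smtp_resp =~ /^2/` will also emit an uninitialized-value warning if $smtp_resp is undef at this point; `defined $smtp_resp && $smtp_resp =~ /^2/` is cheap insurance.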
 -15041,4
+15042,5 
       if (!$r->recip_done) {  # mark it as done
         $r->recip_smtp_response($smtp_response);
$r->recip_done(2);
+        $r->recip_mbxname($r->recip_final_addr)  if
$smtp_response =~ /^2/;
       } elsif ($any_valid_recips_and_data_sent
                && $r->recip_smtp_response =~
/^452/) {
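Review bot: this is the same assignment as in the first hunk, keyed on $smtp_response instead of $smtp_resp, and in both places it sits directly after `$r->recip_done(2);`. Folding the mbxname update into one helper called from both sites (or into the recip_done(2) path itself) would keep the two copies from drifting apart later, e.g. if one gains a defined() check or a different success test and the other does not. The following elsif branch for 452 responses correctly leaves mbxname unset, since a 452 is a temporary failure and not a delivery.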

Also note, as quoted in my previous mail:

  Note that logging to SQL has only one field to store quarantine location,
  so in case of multiple quarantine locations only the first is remembered.
  The usual logging however reports all quarantine locations with the main
  log entry.

> That is set like this:
> $archive_quarantine_to = "archiver\@$mydomain";
> $archive_quarantine_method = 'smtp:[127.0.0.1]:10025';
>
> Which I assume the method to mean NOT to use sql.

Are you referring to SQL logging or to SQL quarantining here?

You may do quarantining to SQL if you like, just as with any
quarantine type:
  $archive_quarantine_method = 'sql:';
or just for clean mail:
  $clean_quarantine_method = 'sql:';

Mark
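The three lookup-table styles Mark shows (hash, list/acl, regexp) and the regexp pitfalls he lists, modelled in Python as an added example for this thread; this is not amavisd's code and not from anyone in the thread. The key-walk order in hash_keys is a simplified model of the order amavisd documents for an address (recipient_delimiter handling is left out), NAIVE_RE is the unescaped, case-sensitive pattern and CAREFUL_RE its corrected form, and all addresses are constructed test data.

```python
import re


def hash_keys(addr):
    """Keys an amavisd hash lookup tries for an address, most specific first.
    Simplified model of the documented order; real amavisd also tries the
    localpart with its recipient_delimiter extension stripped."""
    addr = addr.lower()                      # hash/acl lookups are case-insensitive
    local, sep, domain = addr.partition("@")
    if not sep:                              # bare domain: no localpart forms
        local, domain = "", local
    if local:
        yield addr                           # user@sub.example.com
        yield local + "@"                    # user@ (any domain)
    yield domain                             # sub.example.com
    labels = domain.split(".")
    for i in range(len(labels)):             # .sub.example.com, .example.com, .com
        yield "." + ".".join(labels[i:])
    yield "."                                # catch-all


def lookup_hash(table, addr):
    """Hash-type map: the first key present in the table wins."""
    for key in hash_keys(addr):
        if key in table:
            return table[key]
    return None


def lookup_acl(acl, addr):
    """List (acl) map: the first matching entry wins; a leading '!' negates.
    Returns True/False on a match and None when no entry matched."""
    keys = set(hash_keys(addr))
    for entry in acl:
        negate = entry.startswith("!")
        key = entry[1:] if negate else entry
        if key.lower() in keys:
            return not negate
    return None


def lookup_re(pattern, addr):
    """Regexp map: the address is matched as-is, so quoting dots, anchoring
    and case are the pattern author's problem."""
    return pattern.search(addr) is not None


# The regexp from the reply written carelessly: an unescaped '.' matches any
# character, and without the i flag an upper-case domain is missed.
NAIVE_RE = re.compile(r".(com|edu)$")
# Corrected: literal dot, still anchored at the end, case-insensitive.
CAREFUL_RE = re.compile(r"\.(com|edu)$", re.IGNORECASE)


if __name__ == "__main__":
    table = {".com": 1, ".edu": 1}           # constructed test data
    for a in ("User@Example.COM", "user@cs.school.edu",
              "user@example.org", "user@example.xcom"):
        print(a, lookup_hash(table, a),
              lookup_acl([".com", ".edu"], a),
              lookup_re(NAIVE_RE, a), lookup_re(CAREFUL_RE, a))
```

Run it and the last address shows the point of the reply: the hash and acl forms reject user@example.xcom while NAIVE_RE accepts it, and the first address shows NAIVE_RE missing an upper-case domain that the other three forms match.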
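The main versus blocking contents category from the quoted release notes, as an added Python model for this thread (not amavisd's code, not posted by anyone in the thread). CCAT_PRIORITY is the ranking Mark lists; the lovers / *_destiny handling, and treating CC_SPAMMY, CC_CLEAN and CC_CATCHALL as never blocking on their own, are assumptions of the model. It reproduces the release-notes example and the original poster's case, where a recipient who is a lover of everything gets the mail passed with main ccat CC_BANNED, which is why the log says "Passed BANNED" and a banned quarantine is chosen in addition to the independent archival one.

```python
# Ranking of contents categories as listed in this thread, highest first.
CCAT_PRIORITY = ["CC_VIRUS", "CC_BANNED", "CC_UNCHECKED", "CC_SPAM",
                 "CC_SPAMMY", "CC_BADH", "CC_OVERSIZED", "CC_MTA",
                 "CC_CLEAN", "CC_CATCHALL"]
RANK = {c: i for i, c in enumerate(CCAT_PRIORITY)}

# Model assumption: these never block on their own (spammy is below
# kill_level; clean and catch-all are by definition not blocking).
NEVER_BLOCKING = {"CC_SPAMMY", "CC_CLEAN", "CC_CATCHALL"}


def verdict(ccats, destiny=None, lovers=frozenset()):
    """Return (main_ccat, blocking_ccat) for one recipient.

    ccats   - contents categories found in the message, in any order
    destiny - {ccat: "D_PASS" | "D_BOUNCE" | "D_DISCARD" | "D_REJECT"}, i.e.
              the *_destiny settings; a category not listed is taken as blocking
    lovers  - categories this recipient is a *_lover of
    blocking_ccat is None when nothing blocks, i.e. the mail is passed."""
    destiny = destiny or {}
    present = sorted(set(ccats), key=RANK.__getitem__)   # KeyError on unknown ccat
    if not present:
        raise ValueError("a message always has at least one contents category")
    main = present[0]                  # highest ranking category present
    for c in present:
        if c in NEVER_BLOCKING or c in lovers or destiny.get(c) == "D_PASS":
            continue                   # tolerated here; the next category decides
        return main, c
    return main, None


def quarantine_ccat(main, blocking):
    """Which (non-archival) quarantine type is used: the blocking ccat for a
    blocked message, the main ccat for a passed one.  Archival quarantine is
    independent and applies in addition whenever it is enabled."""
    return blocking if blocking is not None else main


if __name__ == "__main__":
    msg = ["CC_BANNED", "CC_SPAM", "CC_BADH"]          # release-notes example
    print(verdict(msg))                                  # ('CC_BANNED', 'CC_BANNED')
    print(verdict(msg, lovers={"CC_BANNED"}))           # ('CC_BANNED', 'CC_SPAM')
    # the original poster's archiver: lover of everything -> passed, main CC_BANNED
    v = verdict(msg, lovers={"CC_BANNED", "CC_SPAM", "CC_BADH"})
    print(v, "quarantine:", quarantine_ccat(*v))        # ('CC_BANNED', None) quarantine: CC_BANNED
```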

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
