Rob,
> > I'd like to use amavisd-new (2.4.1) to selectively pass viruses by name
> > through to selected mailboxes, without defining them as virus_lovers.
> Even better, is this a reasonable feature request for the next version? I'm
> not really comfortable with ClamAV's proposal to special-case phishing, and
> I think this sort of policy application really belongs in the
> content-filter layer.
Your request makes sense, sounds like a reasonable feature request,
if it turns out that a simple modification to av_scanners wouldn't suffice.
> ['ClamAV-clamd',
>   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
>   qr/(\bOK|\.Phishing\.\S+ FOUND)$/,
>   qr/(?!\.Phishing\.)(.*) FOUND$/,
>   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
Seems like a good approach. You should test it, but looks alright.
Btw, have you tried asking ClamAV folks to make an option to ignore
phishing test, or if it is possible to just remove them from a database?
> I can think of a couple of approaches:
> 1. Set up a policy bank that overrides av_scanners, including:
That is certainly possible, but policy bank switching is done based
on some global attribute of a message, like client's IP address
or perhaps a sender address. It probably does not address your
need, which would be to ignore a virus test if it says 'phishing'.
As far as I understand it, you don't need a policy bank, just
replace a global setting in av_scanners.
> 2. Set up quarantine to be delivered to some SMTP destination
> via virus_quarantine_to_maps instead of "local:" and have forwarding rules
> at the quarantine destination handle it. This would probably be more work
> to integrate with our existing stuff (quarantine expiry scripts, etc.)
Probably unnecessary work.
> 3. Just run a cron job that releases the messages I want from quarantine.
> This is what I have now.
>
> At a guess, option 1 would be the least disruptive to the rest of our
> environment, option 2 would be the easiest to extend with more users and
> virus name patterns, and option 3 the simplest to implement, though
> lacking some timeliness of delivery.
I think just modifying a global 'ClamAV-clamd' entry is the least work.
> Am I right in thinking that to use option 1 with Postfix, I'd need proper
> multi-instance and feed mail to amavisd via transport maps rather than
> content_filter to correctly handle multi-recipient mail? And would that
> break XFORWARD (TFM suggests it won't)?
Even if you use policy banks, there is rarely a need to use dual-instance
setup (one may want it for clarity, but that's up to personal taste).
Usually just an alternative -o content_filter setting on a specific
smtpd service suffices, or a FILTER on a restriction, or just the fact that
a client IP address belongs to mynetworks or not. But as I said, you don't
need policy banks for your goal, unless you want to treat e.g. outgoing mail
differently.
Mark
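
The reply above recommends testing the modified entry before relying on it. As an added example (not part of the original thread and not amavisd-new code), this Perl script runs the three patterns from the quoted entry over constructed clamd reply lines. The anchored variant, the sample paths and the signature names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Patterns copied from the av_scanners entry quoted in the message.
my $sts_clean    = qr/(\bOK|\.Phishing\.\S+ FOUND)$/;
my $sts_infected = qr/(?!\.Phishing\.)(.*) FOUND$/;
my $virus_name   = qr/^.*?: (?!Infected Archive)(.*) FOUND$/;

# Hypothetical anchored variant (an assumption, not from the thread): the
# lookahead is evaluated only where the signature name starts.
my $sts_infected_anchored = qr/^.*?: (?!\S*\.Phishing\.)(.*) FOUND$/;

# Constructed clamd CONTSCAN reply lines; paths and signature names are made up.
my @replies = (
  '/var/amavis/tmp/parts/p001: OK',
  '/var/amavis/tmp/parts/p002: Worm.Example.A FOUND',
  '/var/amavis/tmp/parts/p003: HTML.Phishing.Example-1 FOUND',
);

# Returns (matches clean?, matches infected?, extracted name or '-').
sub classify {
  my ($line, $infected_re) = @_;
  my $clean    = $line =~ $sts_clean   ? 1 : 0;
  my $infected = $line =~ $infected_re ? 1 : 0;
  my ($name)   = $line =~ $virus_name;
  return ($clean, $infected, defined $name ? $name : '-');
}

for my $line (@replies) {
  my ($c, $i, $n) = classify($line, $sts_infected);
  my (undef, $ia) = classify($line, $sts_infected_anchored);
  printf "%-58s clean=%d infected=%d infected(anchored)=%d name=%s\n",
         $line, $c, $i, $ia, $n;
}
```

The phishing line satisfies both the clean pattern and the original infected pattern, because the (?!\.Phishing\.) lookahead is not anchored and the match can start earlier in the line. Which status amavisd reports when both match depends on the order it evaluates them, so confirm the result against the installed version.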