diff --git a/install_amavis.sh b/install_amavis.sh index 7653404..2058ec2 100755 --- a/install_amavis.sh +++ b/install_amavis.sh @@ -3169,6 +3169,34 @@ if ! $installation_failed ; then echo_ok fi +echononl " Create file '/etc/postfix/spam_lovers'" +if [[ ! -f "" ]]; then + cat << EOF > /etc/postfix/spam_lovers 2> '$tmp_err_msg' +# - Example '/etc/postfix/spam_lovers' +# - +# - # Adresses +# - adress@domain1.com 1 +# - [..] +# - +# - # All addresses of a domain +# - domain2.com 1 +# - [..] +# - +# - # All adresses of a domain except a single user +# - adress_1@domain3.com 0 +# - domain3.com 1 +# - +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $tmp_err_msg)" + fi +else + echo_skipped +fi + ## - Configure amavis in /etc/amavis/conf.d ## - 
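Review bot: The guard `if [[ ! -f "" ]]` tests an empty path, so it is always true: every run of the installer rewrites `/etc/postfix/spam_lovers` with the example template, discards any recipients an administrator has listed there, and never reaches the `echo_skipped` branch. Test the real path instead, `if [[ ! -f /etc/postfix/spam_lovers ]]; then`. On the `cat` line, `2> '$tmp_err_msg'` is single-quoted, so stderr goes to a file literally named `$tmp_err_msg` in the current directory while the failure branch reads the expanded variable; use `2> "$tmp_err_msg"` and quote it in `$(cat "$tmp_err_msg")` as well. Because this file decides which recipients are exempt from spam filtering, set its owner and mode explicitly after creation rather than relying on the umask.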
@@ -3269,20 +3297,80 @@ use strict; ## - Default antivirus checking mode ## - @bypass_virus_checks_maps = ( - \%bypass_virus_checks, \@bypass_virus_checks_acl, - \$bypass_virus_checks_re); + \%bypass_virus_checks, \@bypass_virus_checks_acl, \\\$bypass_virus_checks_re); ## - Default SPAM checking mode ## - + +## - bypass_spam_checks_maps +## - +## - Addresses/Domains listet here will not be checked. +## - +## - !! Notice !! +## - +## - Spam checks are bypassed only if all of the recipients of a message have +## - been added to one of these variables. If even one recipient is not listed, +## - spam-checking will still be performed. To ensure that spam is still delivered +## - to whitelisted recipients in such cases, use the "spam_lovers" features +## - see below. +## - @bypass_spam_checks_maps = ( - \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); + \%bypass_spam_checks, \@bypass_spam_checks_acl, \\\$bypass_spam_checks_re); + +## - We will use '%bypass_spam_checks'. So we could set: +## - +## - %bypass_spam_checks = ( +## - # Adresses +## - adress@domain1.com => '1', +## - [..] +## - # All addresses of a domain +## - domain2.com => '1', +## - [..] +## - # All adresses of a domain except a single user +## - address_1@domain3.com => '0', +## - domain3.com => '1', +## - ); +## - +## - But we will use the read_hash function to read in a list +## - of recipients from the external file '/etc/postfix/spam_lovers' +## - +## - Example '/etc/postfix/spam_lovers' +## - +## - # Adresses +## - adress@domain1.com 1 +## - [..] +## - +## - # All addresses of a domain +## - domain2.com 1 +## - [..] +## - +## - # All adresses of a domain except a single user +## - adress_1@domain3.com 0 +## - domain3.com 1 +## - +read_hash(\%bypass_spam_checks, '/etc/postfix/spam_lovers'); + + +## - spam_lovers_maps +## - +## - For Adresses/Domains listet at spam_lovers_maps, no spam actions (like +## - adding spam headers or discarding the mail) will be performed. 
+## - +@spam_lovers_maps = ( + \%spam_lovers, \@spam_lovers_acl, \\\$spam_lovers_re); + +## - We will use the read_hash function to read in a list of recipients +## - from the external file '/etc/postfix/spam_lovers' into '%spam_lovers'. +## - +## - For more explanations see above +## - +read_hash(\%spam_lovers, '/etc/postfix/spam_lovers'); ## - overrides settings in 20-debian_defaults ## - - \$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine) \$final_banned_destiny = D_DISCARD; # D_REJECT when front-end MTA #\$final_spam_destiny = D_DISCARD; @@ -3291,9 +3379,15 @@ use strict; \$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level \$sa_tag2_level_deflt = 5.1; # add 'spam detected' headers at that level +\$sa_kill_level_deflt = 10.31; # reject/bounce/discard/pass -## - user / domain specific settings -## - example for \$sa_tag2_level_deflt: +## - +## - User / Domain specific settings +## - + +## - Per-recipient mapping of tag2 levels to email addresses (tag2 level): +## - +## - Set directly: ## - #\$sa_tag2_level_deflt = { # # oopen.de 
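Review bot: The two added `read_hash(...)` calls load the same file, `/etc/postfix/spam_lovers`, into both `%bypass_spam_checks` and `%spam_lovers`, so a single list entry switches off scanning and spam actions together, and a recipient cannot be given delivery-only treatment while still being scored. If the coupling is intended, state it above the first call, e.g. `## - The same file feeds %bypass_spam_checks and %spam_lovers on purpose.`; otherwise give the bypass list its own file. It is also worth confirming that amavisd's `read_hash` aborts configuration loading when the file cannot be opened (I believe it does), in which case the file must exist and be readable by the amavis user before the daemon is restarted. The hunk appears to sit inside a here-document that opens outside the visible lines.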
@@ -3305,14 +3399,58 @@ use strict; # # default # '.'=>'5.1' #}; +## - +## - Read from file using @spam_tag2_level_maps +## - +## - default: @spam_tag2_level_maps = (\\\$sa_tag2_level_deflt); +## - +## - Example file '/etc/postfix/tag2_level_maps.dat' +## - +## - # oopen.de +## - oopen.de 2.1 +## - ckubu@oopen.de 2.2 +## - argus@oopen.de 2.3 +## - [..] +## - # k8h.de +## - k8h.de 6.5 +## - [..] +## - # default +## - . 5.1 +## - +#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') ); + +## - Per-recipient mapping of kill levels to email addresses (kill level): +## - +## - Set directly +## - +#\$sa_kill_level_deflt = { +# 'ckubu@oopen.de'=>'1500.0', +# 'ckubu-adm@oopen.de'=>'1500.0', +# # default +# '.'=>'10.31' +#}; +## - +## - Read from file using @spam_kill_level_maps +## - +## - default: @spam_kill_level_maps = (\\\$sa_kill_level_deflt); +## - +## - Example file '/etc/postfix/kill_level_maps.dat' +## - +## - # oopen.de +## - ckubu@oopen.de 1500.0 +## - ckubu-adm@oopen.de 1500.0 +## - [..] +## - # default +## - . 10.31 +## - +#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') ); -\$sa_kill_level_deflt = 10.31; # reject/bounce/discard/pass -#\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent ## - We will inform the sender about bouncing his mail with a DSN (Delivery ## - StatusNotification). That DSN message will no be send, if the spamvalue ## - exceeds the value of sa_dsn_cutoff_level ## - +#\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent \$sa_dsn_cutoff_level = 20; 
@@ -3371,14 +3509,15 @@ use strict; \$admin_maps_by_ccat{+CC_SPAMMY} = sub { ca('spam_admin_maps') }; -# Bypass spam checking fro trusted networks using mynetworks +# Bypass spam checking for trusted networks using mynetworks # # list of trusted IPs: # # - $HOSTNAME ($IPV4 [${IPV6}]) +# - b.mx.oopen.de (83.223.86.97 [2a01:30:0:13:21f:92ff:fe00:538b]) # -#\@mynetworks = qw( 127.0.0.0/8 [::1] 83.223.86.162 [2a01:30:1fff:a::162] ); -# +#@mynetworks = qw( 127.0.0.0/8 [::1] $IPV4 [${IPV6}] 83.223.86.97 [2a01:30:0:13:21f:92ff:fe00:538b] ); + #\$policy_bank{'MYNETS'} = { # clients in @mynetworks # bypass_spam_checks_maps => [1], # don't spam-check internal mail # bypass_header_checks_maps => [1], # don't header-check internal mail @@ -3465,6 +3604,7 @@ fi cat >> /etc/amavis/conf.d/50-user < { ttl => 21*24*3600, c => 'relaxed/simple' } } ); + +@dkim_signature_options_bysender_maps = ( + { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } ); + +## - Laut RFC 4871 können auch die +## - +## - Received: from-Zeilen +## - +## - zur Signierung der e-Mail mit herangezogen werden. +## - +## - Dies hat jedoch den Nachteil, dass bei einer Veränderung der Received: from-Zeilen +## - im Nachhinein, wie es z.B. bei der Einlieferung durch Postfix via smtpd_proxy_filter +## - (Pre-Queue) bei AMaViS der Fall sein könnte, die DKIM-Sigantur sprichwörtlich „ +## - kaputt“ geht. +## - +## - Dies kann durch hinzufügen von nachfolgender Konfigurationszeile in die +## - datei /etc/amavisd.conf +## - +## - \$signed_header_fields{'received'} = 0; # turn off signing of Received +## - +## - verhindert werden, indem die Received: from-Zeilen nicht mehr mit in die +## - Berechnung der DKIM-Signatur mit einfließen. +## - +\$signed_header_fields{'received'} = 0; # turn off signing of Received
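Review bot: The commented `@mynetworks` example in the `-3371,14` hunk now hard-codes one site's relay, `83.223.86.97 [2a01:30:0:13:21f:92ff:fe00:538b]` (b.mx.oopen.de), as a trusted network in a generic installer template. An operator on another installation who uncomments that line together with the `MYNETS` policy bank below it would exempt mail arriving from that foreign address from spam and header checks. Take the additional relay from an installer variable, or leave a labelled placeholder such as `<secondary-mx-ip>` in the template. The same line appears to expand `$IPV4 [${IPV6}]` at install time, so a host without IPv6 would presumably end up with a literal `[]` entry; emit the bracket pair only when `IPV6` is non-empty.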