Здравствуйте.
Уже слегка жалею что что когда-то поставил убунту в качестве почтового сервера. Проблем такая, стоит ubuntu 9.04, Postfix, Courier, Amavisd-new, SpamAssassin, ClamAV. В общем все как у всех :) Недавно потребовалось внести некоторых отправителей в белый список. И тут возникла проблема... Я почитал документацию к amavisd-new, увидел whitelist_sender_* и начал их заполнять, заполнил и ничего. Погуглил. Нашел вот это https://help.ubuntu.com/8.10/serverguide/C/mail-filtering.html где сказано: Amavisd-new can be configured to automatically Whitelist addresses from domains with valid Domain Keys. There are some pre-configured domains in the /etc/amavis/conf.d/40-policy_banks. В этот самый 40-policy_banks я написал адреса нужных мне отправителей и опять ничего. Т.е. сообщения и дальше блокируются как спам. Я включил sa_debug и log_level = 5, стал читать километровые логи и вычитал там примерно следующие:May 4 11:20:47 mail amavis[2487]: (02487-05) lookup [whitelist_recip<mail@mydomain.ru>] => undef, "mail@mydomain.ru" does
not match
May 4 11:20:47 mail amavis[2487]: (02487-05) query_keys: nonameforever@inbox.ru, nonameforever@, inbox.ru, .inbox.ru, .ru, .
May 4 11:20:47 mail amavis[2487]: (02487-05) lookup_hash(nonameforever@inbox.ru), no matches
May 4 11:20:47 mail amavis[2487]: (02487-05) lookup_acl(nonameforever@inbox.ru), no match
May 4 11:20:47 mail amavis[2487]: (02487-05) lookup [whitelist_sender<nonameforever@inbox.ru>,whitelist_sender] => undef, "nonamefore
ver@inbox.ru" does not match
Как будто я ничего не вносил и вообще ничего не делал?
Мои конфиги:
20-debian_defaultsuse strict;# ADMINISTRATORS:
# Debian suggests that any changes you need to do that should never
# be "updated" by the Debian package should be made in another file,
# overriding the settings in this file.
#
# The package will *not* overwrite your settings, but by keeping
# them separate, you will make the task of merging changes on these
# configuration files much simpler...# see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
# a list of all variables with their defaults;
# see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
# a traditional-style commented file
# [note: the above files were not converted to Debian settings!]
#
# for more details see documentation in /usr/share/doc/amavisd-new
# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing$max_servers = 10;
$max_requests = 45;
$daemon_user = 'amavis';
$daemon_group = 'amavis';
$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug'; # switch to info to drop debug output, etc
$log_level = 5;$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1$inet_socket_port = 10024; # default listening socket
$sa_spam_modifies_subj = 1;
$sa_spam_subject_tag = '****SPAM**** ';
$sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 3.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 4.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_debug = '1,all';
$sa_mail_body_size_limit = 300*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?# Quota limits to avoid bombs (like 42.zip)
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024; # bytes
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes# You should:
# Use D_DISCARD to discard data (viruses)
# Use D_BOUNCE to generate local bounces by amavisd-new
# Use D_REJECT to generate local or remote bounces by the calling MTA
# Use D_PASS to deliver the message
#
# Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
# mail to your account. Use D_BOUNCE instead, otherwise you are delegating
# the bounce work to your friendly forwarders, which might not like it at all.
#
# On dual-MTA setups, one can often D_REJECT, as this just makes your own
# MTA generate the bounce message. Test it first.
#
# Bouncing viruses is stupid, always discard them after you are sure the AV
# is working correctly. Bouncing real SPAM is also useless, if you cannot
# D_REJECT it (and don't D_REJECT mail coming from your forwarders!).$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_PASS; # D_REJECT when front-end MTA
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)$virus_admin = 'spamandvirus@mydomain.ru'; # due to D_DISCARD default
$spam_admin = 'spamandvirus@mydomain.ru';#$hdr_encoding = 'windows-1251';
#$bdy_encoding = 'windows-1251';
$warnvirussender = [1];
$warnspamsender = [1];
$warnbannedsender = [1];
$warnbadhsender = [1];
$warnvirusrecip = [1];
$warnbannedrecip = [1];
$warnbadhrecip = [1];
$warn_offsite = [1];
$mailfrom_notify_admin = 'mailsrvroot@mydomain.ru';
$mailfrom_notify_recip = 'mailsrvroot@mydomain.ru';
$mailfrom_notify_spamadmin = 'mailsrvroot@mydomain.ru';
$mailfrom_to_quarantine = 'mailsrvroot@mydomain.ru';$virus_quarantine_method = 'local:';
$spam_quarantine_method = 'local:';
$virus_quarantine_to = 'virusotake@mydomain.ru';
$spam_quarantine_to = 'spamotake@mydomain.ru';
#$spam_quarantine_bysender_to = 'spamotake@mydomain.ru';$virus_check_negative_ttl = 2*60;
$virus_check_positive_ttl = 30*60;
$spam_check_negative_ttl = 30*60;
$spam_check_positive_ttl = 30*60;$bypass_decode_parts = 0;
# Set to empty ("") to add no header
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
#
# DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
#
# These days, almost all viruses fake the envelope sender and mail headers.
# Therefore, "virus notifications" became nothing but undesired, aggravating
# SPAM. This holds true even inside one's domain. We disable them all by
# default, except for the EICAR test pattern.
#@viruses_that_fake_sender_maps = (new_RE(
[qr'\bEICAR\b'i => 0], # av test pattern name
[qr/.*/ => 1], # true for everything else
));#@virus_lovers_acl = qw( cher_bal@mail.ru aim48@mail.ru .mosgortrans.com .mosgortrans.ru .comkor.ru .smartek.ru .comstar-direct.ru .elektra.ru .mosenergo.elektra.ru .r-style.ru .taxcom.ru .mintrans.ru .mosinsur.ru .mosenergosbyt.ru .kaspersky.com .winsmeta2000.ru .cryptopro.ru .newsymbol.ru .mmbank.ru );
#@bypass_virus_checks_acl = qw( cher_bal@mail.ru aim48@mail.ru .mosgortrans.com .mosgortrans.ru .comkor.ru .smartek.ru .comstar-direct.ru .elektra.ru .mosenergo.elektra.ru .r-style.ru .taxcom.ru .mintrans.ru .mosinsur.ru .mosenergosbyt.ru .kaspersky.com .winsmeta2000.ru .cryptopro.ru .newsymbol.ru .mmbank.ru );
#@spam_lovers_acl = qw( cher_bal@mail.ru aim48@mail.ru .mosgortrans.com .mosgortrans.ru .comkor.ru .smartek.ru .comstar-direct.ru .elektra.ru .mosenergo.elektra.ru .r-style.ru .taxcom.ru .mintrans.ru .mosinsur.ru .mosenergosbyt.ru .kaspersky.com .winsmeta2000.ru .cryptopro.ru .newsymbol.ru .mmbank.ru );
#@bypass_spam_checks_acl = qw( cher_bal@mail.ru aim48@mail.ru .mosgortrans.com .mosgortrans.ru .comkor.ru .smartek.ru .comstar-direct.ru .elektra.ru .mosenergo.elektra.ru .r-style.ru .taxcom.ru .mintrans.ru .mosinsur.ru .mosenergosbyt.ru .kaspersky.com .winsmeta2000.ru .cryptopro.ru .newsymbol.ru .mmbank.ru );
#@banned_files_lovers_acl = qw( cher_bal@mail.ru aim48@mail.ru .mosgortrans.com .mosgortrans.ru .comkor.ru .smartek.ru .comstar-direct.ru .elektra.ru .mosenergo.elektra.ru .r-style.ru .taxcom.ru .mintrans.ru .mosinsur.ru .mosenergosbyt.ru .kaspersky.com .winsmeta2000.ru .cryptopro.ru .newsymbol.ru .mmbank.ru );
#@bypass_banned_checks_acl = qw( cher_bal@mail.ru aim48@mail.ru .mosgortrans.com .mosgortrans.ru .comkor.ru .smartek.ru .comstar-direct.ru .elektra.ru .mosenergo.elektra.ru .r-style.ru .taxcom.ru .mintrans.ru .mosinsur.ru .mosenergosbyt.ru .kaspersky.com .winsmeta2000.ru .cryptopro.ru .newsymbol.ru .mmbank.ru );
#@bad_header_lovers_acl = qw( cher_bal@mail.ru aim48@mail.ru .mosgortrans.com .mosgortrans.ru .comkor.ru .smartek.ru .comstar-direct.ru .elektra.ru .mosenergo.elektra.ru .r-style.ru .taxcom.ru .mintrans.ru .mosinsur.ru .mosenergosbyt.ru .kaspersky.com .winsmeta2000.ru .cryptopro.ru .newsymbol.ru .mmbank.ru );
#@bypass_header_checks_acl = qw( cher_bal@mail.ru aim48@mail.ru .mosgortrans.com .mosgortrans.ru .comkor.ru .smartek.ru .comstar-direct.ru .elektra.ru .mosenergo.elektra.ru .r-style.ru .taxcom.ru .mintrans.ru .mosinsur.ru .mosenergosbyt.ru .kaspersky.com .winsmeta2000.ru .cryptopro.ru .newsymbol.ru .mmbank.ru );
#@whitelist_sender_acl = qw( cher_bal@mail.ru nonameforever@inbox.ru aim48@mail.ru .mosgortrans.com .mosgortrans.ru .comkor.ru .smartek.ru .comstar-direct.ru .elektra.ru .mosenergo.elektra.ru .r-style.ru .taxcom.ru .mintrans.ru .mosinsur.ru .mosenergosbyt.ru .kaspersky.com .winsmeta2000.ru .cryptopro.ru .newsymbol.ru .mmbank.ru );
#@whitelist_sender_maps = (\@whitelist_sender_acl);
#read_hash(\%whitelist_sender, '/etc/amavis/conf.d/whitelist');@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));
# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components# block certain double extensions anywhere in the base name
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,# qr'^application/x-msmetafile$'i, # Windows Metafile MIME type
# qr'^\.wmf$', # Windows Metafile file(1) type# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types
# [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives
# [ qr'^application/x-zip-compressed$'i => 0], # allow any within such archivesqr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl|chm|js|jse|pif|vb|vbe|vbs)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
# wmf|wsc|wsf|wsh)$'ix, # banned ext - long# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
qr'^\.(exe-ms)$', # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed# ## per-recipient personal tables (NOTE: positive: black, negative: white)
# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com' => [{'.ebay.com' => -3.0}],
# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
# '.cleargreen.com' => -5.0}],## site-wide opinions about senders (the '.' matches any recipient)
'.' => [ # the _first_ matching sender determines the score boostnew_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
),# read_hash("/var/amavis/sender_scores_sitewide"),
{ # a hash-type lookup table (associative array)
# 'nobody@cert.org' => -3.0,
# 'cert-advisory@us-cert.gov' => -3.0,
# 'owner-alert@iss.net' => -3.0,
# 'slashdot@slashdot.org' => -3.0,
# 'securityfocus.com' => -3.0,
# 'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
# 'security-alerts@linuxsecurity.com' => -3.0,
# 'mailman-announce-admin@python.org' => -3.0,
'amavis-user-admin@lists.sourceforge.net'=> -3.0,
'amavis-user-bounces@lists.sourceforge.net' => -3.0,
'spamassassin.apache.org' => -3.0,
'notification-return@lists.sophos.com' => -3.0,
'owner-postfix-users@postfix.org' => -3.0,
'owner-postfix-announce@postfix.org' => -3.0,
# 'owner-sendmail-announce@lists.sendmail.org' => -3.0,
# 'sendmail-announce-request@lists.sendmail.org' => -3.0,
# 'donotreply@sendmail.org' => -3.0,
# 'ca+envelope@sendmail.org' => -3.0,
# 'noreply@freshmeat.net' => -3.0,
# 'owner-technews@postel.acm.org' => -3.0,
# 'ietf-123-owner@loki.ietf.org' => -3.0,
# 'cvs-commits-list-admin@gnome.org' => -3.0,
# 'rt-users-admin@lists.fsck.com' => -3.0,
# 'clp-request@comp.nus.edu.sg' => -3.0,
# 'surveys-errors@lists.nua.ie' => -3.0,
# 'emailnews@genomeweb.com' => -5.0,
# 'yahoo-dev-null@yahoo-inc.com' => -3.0,
# 'returns.groups.yahoo.com' => -3.0,
# 'clusternews@linuxnetworx.com' => -3.0,
# lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
# lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,# soft-blacklisting (positive score)
'sender@example.net' => 3.0,
'.example.net' => 1.0,},
], # end of site-wide tables
});1; # ensure a defined return
40-policy_bank# DKIM signing domain whitelist. The domain to use is the domain after
# d= in the DKIM header.@author_to_policy_bank_maps = ( {
'nonameforever@inbox.ru' => 'WHITELIST',
# 'friends.example.net' => 'WHITELIST,NOBANNEDCHECK',
# 'user1@cust.example.net' => 'WHITELIST,NOBANNEDCHECK',
#'.ebay.com' => 'WHITELIST',
#'.ebay.co.uk' => 'WHITELIST',
#'ebay.at' => 'WHITELIST',
#'ebay.ca' => 'WHITELIST',
#'ebay.de' => 'WHITELIST',
#'ebay.fr' => 'WHITELIST',
#'.paypal.co.uk' => 'WHITELIST',
#'.paypal.com' => 'WHITELIST', # author signatures
#'./@paypal.com' => 'WHITELIST', # 3rd-party sign. by paypal.com
#'alert.bankofamerica.com' => 'WHITELIST',
#'amazon.com' => 'WHITELIST',
#'cisco.com' => 'WHITELIST',
#'.cnn.com' => 'WHITELIST',
#'skype.net' => 'WHITELIST',
#'welcome.skype.com' => 'WHITELIST',
#'cc.yahoo-inc.com' => 'WHITELIST',
#'cc.yahoo-inc.com/@yahoo-inc.com' => 'WHITELIST',
# 'google.com' => 'MILD_WHITELIST',
# 'googlemail.com' => 'MILD_WHITELIST',
# './@googlegroups.com' => 'MILD_WHITELIST',
# './@yahoogroups.com' => 'MILD_WHITELIST',
# './@yahoogroups.co.uk' => 'MILD_WHITELIST',
# './@yahoogroupes.fr' => 'MILD_WHITELIST',
# 'yousendit.com' => 'MILD_WHITELIST',
# 'meetup.com' => 'MILD_WHITELIST',
# 'dailyhoroscope@astrology.com' => 'MILD_WHITELIST',
} );
Подскажите, что, куда надо написать чтобы заработал белый список?
Если нужен просто белый список, то надо раскомментировать
#read_hash(\%whitelist_sender, '/etc/amavis/conf.d/whitelist');
и заполнить файл whitelist>automatically Whitelist addresses from domains with valid Domain Keys. There
>are some pre-configured domains in the /etc/amavis/conf.d/40-policy_banks. В этот самыйЕсли через механизм DKI, то добавить в конфиг
$enable_dkim_verification = 1;
>Если нужен просто белый список, то надо раскомментировать
>#read_hash(\%whitelist_sender, '/etc/amavis/conf.d/whitelist');
>и заполнить файл whitelist
>
>>automatically Whitelist addresses from domains with valid Domain Keys. There
>>are some pre-configured domains in the /etc/amavis/conf.d/40-policy_banks. В этот самый
>
>Если через механизм DKI, то добавить в конфиг
>$enable_dkim_verification = 1;увы #read_hash(\%whitelist_sender, '/etc/amavis/conf.d/whitelist'); это я писал, оно не работало, поэтому было закоментировано. Т.е. при заполненом /etc/amavis/conf.d/whitelist в лог все равно сыпалось whitelist_sender => undef со всеми вытекающими.
Про DKIM я только что почитал, и вряд ли это то что мне сейчас нужно... Мне нужно просто чтобы письма с определенных почтовых ящиков amavis не подвергал проверкам.
Белый список надо заполнять доменами без @mail.ru;
yandex.ru
>[оверквотинг удален]
>>>are some pre-configured domains in the /etc/amavis/conf.d/40-policy_banks. В этот самый
>>
>>Если через механизм DKI, то добавить в конфиг
>>$enable_dkim_verification = 1;
> увы #read_hash(\%whitelist_sender, '/etc/amavis/conf.d/whitelist'); это я писал, оно
> не работало, поэтому было закоментировано. Т.е. при заполненом /etc/amavis/conf.d/whitelist
> в лог все равно сыпалось whitelist_sender => undef со всеми вытекающими.
> Про DKIM я только что почитал, и вряд ли это то что
> мне сейчас нужно... Мне нужно просто чтобы письма с определенных почтовых
> ящиков amavis не подвергал проверкам.А как правильно заполнять файл whitelist? Просто через новую страку список доменов?