From 46469a787fbc6c588c581d191dc695d6adf33d3f Mon Sep 17 00:00:00 2001
From: Juan Orti Alcaine <jortialc@redhat.com>
Date: Fri, 1 Jan 2021 13:30:16 +0100
Subject: [PATCH] Fedora configuration modifications

---
 amavis-mc      |  6 ++--
 amavisd-agent  |  2 +-
 amavisd-nanny  |  2 +-
 amavisd-signer |  4 +--
 amavisd.conf   | 98 ++++++++++++++++++++++++++------------------------
 5 files changed, 59 insertions(+), 53 deletions(-)

diff --git a/amavis-mc b/amavis-mc
index 88d9701..5e7e0e7 100755
--- a/amavis-mc
+++ b/amavis-mc
@@ -70,10 +70,10 @@ use vars qw(@path @services $daemon_user $daemon_group $pid_file $log_level
 
 ### USER CONFIGURABLE:
 
-$daemon_user  = 'vscan';
-$daemon_group = 'vscan';
+$daemon_user  = 'amavis';
+$daemon_group = 'amavis';
 
-$pid_file = '/var/amavis/amavis-mc.pid';
+$pid_file = '/run/amavisd/amavis-mc.pid';
 
 $log_level = 0;
 $syslog_ident = 'amavis-mc';
diff --git a/amavisd-agent b/amavisd-agent
index 1ebe2bb..b8271a3 100755
--- a/amavisd-agent
+++ b/amavisd-agent
@@ -53,7 +53,7 @@ use BerkeleyDB;
 
 my($dbfile) = 'snmp.db';
 my($db_home) =  # DB databases directory
-  defined $ENV{'AMAVISD_DB_HOME'} ? $ENV{'AMAVISD_DB_HOME'} : '/var/amavis/db';
+  defined $ENV{'AMAVISD_DB_HOME'} ? $ENV{'AMAVISD_DB_HOME'} : '/var/spool/amavisd/db';
 
 my($wakeuptime) = 10;  # -w, sleep time in seconds, may be fractional
 my($repeatcount);      # -c, repeat count (when defined)
diff --git a/amavisd-nanny b/amavisd-nanny
index 80b84dc..164549f 100755
--- a/amavisd-nanny
+++ b/amavisd-nanny
@@ -61,7 +61,7 @@ my($activettl) = 10*60; # stuck active children are sent a SIGTERM
 
 my($dbfile) = 'nanny.db';
 my($db_home) =  # DB databases directory
-  defined $ENV{'AMAVISD_DB_HOME'} ? $ENV{'AMAVISD_DB_HOME'} : '/var/amavis/db';
+  defined $ENV{'AMAVISD_DB_HOME'} ? $ENV{'AMAVISD_DB_HOME'} : '/var/spool/amavisd/db';
 my($wakeuptime) = 2;  # -w, sleep time in seconds, may be fractional
 my($repeatcount);     # -c, repeat count (when defined)
 
diff --git a/amavisd-signer b/amavisd-signer
index f154646..3042b7c 100755
--- a/amavisd-signer
+++ b/amavisd-signer
@@ -86,8 +86,8 @@ $VERSION = 1.001;  # 20100730
 # Please adjust the following settings as necessary:
 #
 
-$daemon_user  = 'vscan';
-$daemon_group = 'vscan';
+$daemon_user  = 'amavis';
+$daemon_group = 'amavis';
 # $daemon_chroot_dir = '/var/amavis';   # chroot directory or undef
 
 # $daemonize = 1;
diff --git a/amavisd.conf b/amavisd.conf
index bb562e6..615a75a 100644
--- a/amavisd.conf
+++ b/amavisd.conf
@@ -17,25 +17,25 @@ use strict;
                         # truncation in /proc/<pid>/stat and ps -e output
 
 $max_servers = 2;            # num of pre-forked children (2..30 is common), -m
-$daemon_user  = 'vscan';     # (no default;  customary: vscan or amavis), -u
-$daemon_group = 'vscan';     # (no default;  customary: vscan or amavis), -g
+$daemon_user  = 'amavis';    # (no default;  customary: vscan or amavis), -u
+$daemon_group = 'amavis';    # (no default;  customary: vscan or amavis), -g
 
 $mydomain = 'example.com';   # a convenient default for other settings
 
-# $MYHOME = '/var/amavis';   # a convenient default for other settings, -H
+$MYHOME = '/var/spool/amavisd';   # a convenient default for other settings, -H
 $TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
 $ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
-$QUARANTINEDIR = '/var/virusmails';  # -Q
+$QUARANTINEDIR = undef;      # -Q
 # $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
 # $release_format = 'resend';     # 'attach', 'plain', 'resend'
 # $report_format  = 'arf';        # 'attach', 'plain', 'resend', 'arf'
 
 # $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R
 
-# $db_home   = "$MYHOME/db";      # dir for bdb nanny/cache/snmp databases, -D
+$db_home   = "$MYHOME/db";        # dir for bdb nanny/cache/snmp databases, -D
 # $helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
-# $lock_file = "$MYHOME/var/amavisd.lock";  # -L
-# $pid_file  = "$MYHOME/var/amavisd.pid";   # -P
+$lock_file = "/run/amavisd/amavisd.lock";  # -L
+$pid_file  = "/run/amavisd/amavisd.pid";   # -P
 #NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually
 
 $log_level = 0;              # verbosity 0..5, -d
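Review bot: The context line `#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually` is now out of date, because `$lock_file` and `$pid_file` have moved to `/run/amavisd`, outside `$MYHOME`. The new `$unix_socketname` and the `$pid_file` in amavis-mc use the same directory. `/run` is normally a tmpfs, so the directory has to be recreated at every boot and should be writable only by the daemon user, since the control socket lives there; presumably the package does this, but the patch does not show it. I would reword the note to something like `#NOTE: /run/amavisd must exist at startup, owned by $daemon_user and not world-writable; $MYHOME/tmp and $MYHOME/db must exist as well`.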
@@ -55,11 +55,14 @@ $enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key
 @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
 
-$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
+$unix_socketname = "/run/amavisd/amavisd.sock";  # amavisd-release or amavis-milter
                # option(s) -p overrides $inet_socket_port and $unix_socketname
 
+# The default receiving port in the Fedora and RHEL SELinux policy is 10024.
+# To allow additional ports you need to label them as 'amavisd_recv_port_t'
+# For example: semanage port -a -t amavisd_recv_port_t -p tcp 10022
 $inet_socket_port = 10024;   # listen on this local TCP port(s)
-# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports
+# $inet_socket_port = [10022,10024];  # listen on multiple TCP ports
 
 $policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
   originating => 1,  # is true in MYNETS by default, but let's make it explicit
@@ -67,8 +70,8 @@ $policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
 };
 
 # it is up to MTA to re-route mail from authenticated roaming users or
-# from internal hosts to a dedicated TCP port (such as 10026) for filtering
-$interface_policy{'10026'} = 'ORIGINATING';
+# from internal hosts to a dedicated TCP port (such as 10022) for filtering
+$interface_policy{'10022'} = 'ORIGINATING';
 
 $policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
   originating => 1,  # declare that mail was submitted by our smtp client
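Review bot: `$interface_policy{'10022'} = 'ORIGINATING';` is an active setting, but the only listener this file enables is `$inet_socket_port = 10024`; the `[10022,10024]` variant stays commented out. The mapping therefore does nothing until an admin enables that line and adds the SELinux label, and nothing next to it says so. Because the ORIGINATING bank marks mail as locally submitted and sets `bypass_banned_checks_maps => [1]`, it is worth stating that the port must be reachable only by the MTA. Suggested comment above the assignment: `# only takes effect once 10022 is added to $inet_socket_port; keep that port reachable from the local MTA only`. The policy bank definition continues past the end of this hunk.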
@@ -78,7 +81,7 @@ $policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
   spam_admin_maps  => ["virusalert\@$mydomain"],
   warnbadhsender   => 1,
   # forward to a smtpd service providing DKIM signing service
-  forward_method => 'smtp:[127.0.0.1]:10027',
+  forward_method => 'smtp:[127.0.0.1]:10025',
   # force MTA conversion to 7-bit (e.g. before DKIM signing)
   smtpd_discard_ehlo_keywords => ['8BITMIME'],
   bypass_banned_checks_maps => [1],  # allow sending any file names and types
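Review bot: The comment `# forward to a smtpd service providing DKIM signing service` above the changed `forward_method` line may no longer be accurate. Port 10025 is described later in this patch as the default forwarding port in the SELinux policy, which suggests it is the ordinary re-injection listener rather than a dedicated signing service. If signing is meant to happen in amavisd itself (the file sets `$enable_dkim_signing = 1`), reword the comment, for example `# forward to the MTA re-injection port (SELinux default send port)`. If a separate signing smtpd is expected, say which port it must listen on. The policy bank starts and ends outside this hunk.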
@@ -119,11 +122,11 @@ $sa_local_tests_only = 0;    # only tests which do not require internet access?
 # $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
 #   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
 
-$virus_admin               = "virusalert\@$mydomain";  # notifications recip.
+$virus_admin               = undef;                    # notifications recip.
 
-$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
-$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
-$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
+$mailfrom_notify_admin     = undef;                    # notifications sender
+$mailfrom_notify_recip     = undef;                    # notifications sender
+$mailfrom_notify_spamadmin = undef;                    # notifications sender
 $mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
 
 @addr_extension_virus_maps      = ('virus');
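Review bot: The four new `undef` assignments keep their old trailing comments (`# notifications recip.`, `# notifications sender`), so the file does not say that administrator notifications are being switched off on purpose. The ORIGINATING policy bank earlier in the file still sets `spam_admin_maps => ["virusalert\@$mydomain"]` while `$mydomain` is left at `'example.com'`, so that bank would still address notices to the placeholder domain. I would say so in the comment, e.g. `$virus_admin = undef;  # undef: no admin virus notifications; set once $mydomain is configured`, and treat the policy-bank entry the same way. What `undef` means for the three `$mailfrom_notify_*` senders is not visible here and should be confirmed against the amavisd documentation before it is documented.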
@@ -154,13 +157,16 @@ $defang_by_ccat{CC_BADH.",6"} = 1;  # header field syntax error
 
 # $myhostname = 'host.example.com';  # must be a fully-qualified domain name!
 
-# $notify_method  = 'smtp:[127.0.0.1]:10025';
-# $forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!
+# The default forwarding port in the Fedora and RHEL SELinux policy is 10025.
+# To allow additional ports you need to label them as 'amavisd_send_port_t'.
+# For example: semanage port -a -t amavisd_send_port_t -p tcp 10023
+# $notify_method  = 'smtp:[127.0.0.1]:10023';
+# $forward_method = 'smtp:[127.0.0.1]:10023';  # set to undef with milter!
 
-# $final_virus_destiny      = D_DISCARD;
-# $final_banned_destiny     = D_DISCARD;
-# $final_spam_destiny       = D_PASS;  #!!!  D_DISCARD / D_REJECT
-# $final_bad_header_destiny = D_PASS;
+$final_virus_destiny      = D_DISCARD;
+$final_banned_destiny     = D_BOUNCE;
+$final_spam_destiny       = D_DISCARD;  #!!!  D_DISCARD / D_REJECT
+$final_bad_header_destiny = D_BOUNCE;
 # $bad_header_quarantine_method = undef;
 
 # $os_fingerprint_method = 'p0f:*:2345';  # to query p0f-analyzer.pl
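Review bot: `$final_banned_destiny = D_BOUNCE;` and `$final_bad_header_destiny = D_BOUNCE;` make the filter send non-delivery notices to the envelope sender. For mail with a forged sender that is backscatter to an uninvolved party, and a malformed header is a weak reason to bounce. `$final_spam_destiny = D_DISCARD;` combined with `$QUARANTINEDIR = undef;` from the first amavisd.conf hunk means, as far as this file shows, that discarded mail is not kept anywhere, so a false positive cannot be recovered. I would keep the previously commented values for the two softer cases, `$final_spam_destiny = D_PASS;` and `$final_bad_header_destiny = D_PASS;`, or configure a quarantine before discarding. The trailing `#!!!  D_DISCARD / D_REJECT` is left over from the commented-out line and should be dropped or reworded.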
@@ -329,8 +335,8 @@ $banned_filename_re = new_RE(
   ['lzma', \&do_uncompress,
            ['lzmadec', 'xz -dc --format=lzma',
             'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
-  ['lrz',  \&do_uncompress,
-           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
+#  ['lrz',  \&do_uncompress,
+#           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
   ['lzo',  \&do_uncompress, 'lzop -d'],
   ['lz4',  \&do_uncompress, ['lz4c -d'] ],
   ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
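Review bot: The `lrz` decoder entry is commented out without a reason, whereas the `doc` and `tnef` entries disabled in the next hunk each carry one. With the entry gone, `.lrz` attachments are presumably passed on undecoded, so their contents would not reach the banned-name rules. That trade-off should be recorded, for example by appending `# disabled: <reason, e.g. lrzip not packaged>` to the first commented line. The comment prefix here is `#  [` while the next hunk uses `# [`; choosing one keeps the list easy to search. The decoder list starts and ends outside this hunk.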
@@ -342,9 +348,9 @@ $banned_filename_re = new_RE(
   ['arj',  \&do_unarj, ['unarj', 'arj'] ],
   ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
   ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
-  ['doc',  \&do_ole,   'ripole'],
+# ['doc',  \&do_ole,   'ripole'],  # no ripole package so far
   ['cab',  \&do_cabextract, 'cabextract'],
-  ['tnef', \&do_tnef_ext, 'tnef'],
+# ['tnef', \&do_tnef_ext, 'tnef'],  # use internal do_tnef() instead
   ['tnef', \&do_tnef],
 # ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
 # ['sit',  \&do_unstuff, 'unstuff'],  # not safe
@@ -363,13 +369,13 @@ $banned_filename_re = new_RE(
 
 # ### http://www.sophos.com/
 # ['Sophos-SSSP',  # SAV Dynamic Interface
-#   \&ask_daemon, ["{}", 'sssp:/var/run/savdi/sssp.sock'],
+#   \&ask_daemon, ["{}", 'sssp:/run/savdi/sssp.sock'],
 #           # or: ["{}", 'sssp:[127.0.0.1]:4010'],
 #   qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],
 
 # ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
 # ['Sophie',
-#   \&ask_daemon, ["{}/\n", 'sophie:/var/run/sophie'],
+#   \&ask_daemon, ["{}/\n", 'sophie:/run/sophie'],
 #   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
 #   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
 
@@ -382,16 +388,16 @@ $banned_filename_re = new_RE(
 #   qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m ],
 # settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1
 
-# ### http://www.clamav.net/
-# ['ClamAV-clamd',
-#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
-#   qr/\bOK$/m, qr/\bFOUND$/m,
-#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-# # NOTE: run clamd under the same user as amavisd - or run it under its own
-# #   uid such as clamav, add user clamav to the amavis group, and then add
-# #   AllowSupplementaryGroups to clamd.conf;
-# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
-# #   this entry; when running chrooted one may prefer a socket under $MYHOME.
+  ### http://www.clamav.net/
+  ['ClamAV-clamd',
+    \&ask_daemon, ["CONTSCAN {}\n", "/run/clamd.amavisd/clamd.sock"],
+    qr/\bOK$/m, qr/\bFOUND$/m,
+    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+  # NOTE: run clamd under the same user as amavisd - or run it under its own
+  #   uid such as clamav, add user clamav to the amavis group, and then add
+  #   AllowSupplementaryGroups to clamd.conf;
+  # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
+  #   this entry; when running chrooted one may prefer a socket under $MYHOME.
 
 # ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
 # # note that Mail::ClamAV requires perl to be build with threading!
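Review bot: The NOTE lines that are uncommented together with the `ClamAV-clamd` entry still carry the generic upstream wording (`clamav.conf`, `AllowSupplementaryGroups`), although the entry now points at the distribution-specific socket `/run/clamd.amavisd/clamd.sock`. `CONTSCAN {}` sends clamd a directory path rather than the message content, so the clamd instance needs read access to the work directory under `$TEMPBASE`, and the socket directory should be accessible only to the amavis and clamd accounts. I would replace the first NOTE with something like `# NOTE: the clamd instance behind this socket must be able to read $TEMPBASE (same user, or a shared group); keep the socket directory closed to other users`. Whether `AllowSupplementaryGroups` is still a valid clamd option for the packaged ClamAV version should be checked before the line is kept. The scanner list starts and ends outside this hunk.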
@@ -405,7 +411,7 @@ $banned_filename_re = new_RE(
 
 # ### http://www.vanja.com/tools/trophie/
 # ['Trophie',
-#   \&ask_daemon, ["{}/\n", 'trophie:/var/run/trophie'],
+#   \&ask_daemon, ["{}/\n", 'trophie:/run/trophie'],
 #   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
 #   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
 
@@ -442,7 +448,7 @@ $banned_filename_re = new_RE(
 #    pack('N',0).  # content size
 #    pack('N',0),
 #    '/var/drweb/run/drwebd.sock',
-#  # '/var/amavis/var/run/drwebd.sock',   # suitable for chroot
+#  # '/var/amavis/run/drwebd.sock',   # suitable for chroot
 #  # '/usr/local/drweb/run/drwebd.sock',  # FreeBSD drweb ports default
 #  # '127.0.0.1:3000',                    # or over an inet socket
 #   ],
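Review bot: The change from `'/var/amavis/var/run/drwebd.sock'` to `'/var/amavis/run/drwebd.sock'` looks like a side effect of a blanket `/var/run` to `/run` substitution. The path is a chroot-relative example under the old `$MYHOME`, not the system runtime directory, so the substitution does not apply to it. Either leave the line as it was, or update it to the new home set earlier in this patch, e.g. `#  # '/var/spool/amavisd/var/run/drwebd.sock',  # suitable for chroot`. The edit also leaves the trailing comment out of line with its neighbours.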
@@ -457,7 +463,7 @@ $banned_filename_re = new_RE(
   ['KasperskyLab AVP - aveclient',
     ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
      '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
-    '-p /var/run/aveserver -s {}/*',
+    '-p /run/aveserver -s {}/*',
     [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
   ],
@@ -560,12 +566,12 @@ $banned_filename_re = new_RE(
 # ### http://www.avast.com/
 # ['avast! Antivirus daemon',
 #   \&ask_daemon,  # greets with 220, terminate with QUIT
-#   ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
+#   ["SCAN {}\015\012QUIT\015\012", '/run/avast4/mailscanner.sock'],
 #   qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t[0-9]+\s+([^[ \t\015\012]+)/m ],
 
 # ### http://www.avast.com/
 # ['avast! Antivirus - Client/Server Version', 'avastlite',
-#   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
+#   '-a /run/avast4/mailscanner.sock -n {}', [0], [1],
 #   qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
 
   ['CAI InoculateIT', 'inocucmd',  # retired product
@@ -701,8 +707,8 @@ $banned_filename_re = new_RE(
 # ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
 #   '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
 
-  ### http://www.avast.com/
-  ['avast! Antivirus', '/bin/scan', '{}', [0], [1], qr/\t(.+)/m ],
+# ### http://www.avast.com/
+# ['avast! Antivirus', '/bin/scan', '{}', [0], [1], qr/\t(.+)/m ],
 
   ### http://www.ikarus-software.com/
   ['Ikarus AntiVirus for Linux', 'ikarus',
@@ -763,7 +769,7 @@ $banned_filename_re = new_RE(
 #   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 
 # ['ClamAV-clamd-stream',
-#   \&ask_daemon, ["*", 'clamd:/var/run/clamav/clamd.sock'],
+#   \&ask_daemon, ["*", 'clamd:/run/clamav/clamd.sock'],
 #   qr/\bOK$/m, qr/\bFOUND$/m,
 #   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 
-- 
2.29.2