Bret Baptist wrote:

The above information was not correct, from the amavisd.conf:


# Here is an overall picture (sequence of events) of how pieces fit together
# (only virus controls are shown, spam controls work the same way):
#
#   bypass_virus_checks? ==> PASS
#   no viruses?   ==> PASS
#   log virus     if $log_templ is nonempty
#   quarantine    if $virus_quarantine_to is nonempty
#   notify admin  if $virus_admin (lookup) nonempty
#   notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
#   add address extensions if adding extensions is enabled and virus will pass
#   send non-delivery notifications
#      to sender if DSN needed (BOUNCE) or ($warn_virus_sender and D_PASS)
#   virus_lovers or final_destiny==D_PASS  ==> PASS
#   DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)

It will only send to non-local if $warn_offsite is set to on.

So $warn_offsite=undef; ?





regardless of local user or not. So the easiest way is to use a different
mailserver for sending out and receiving in.

Why a different mail server? One needs that mail sent containing a virus be blocked, but the LAN sender should be warned that he was sending a virus... Indeed this should be done in a more powerful way, because generally if the sender takes a virus (like SoBig, BugBear, etc.), it would fake addresses even if coming from the LAN. So an effective way of doing this would be a double check:


For the spoofed viruses a map can be set up to not warn at all:

Yes, but the sending user of the LAN won't know he has taken a virus...



# Treat envelope sender address as unreliable and don't send sender
# notification / bounces if name(s) of detected virus(es) match the list.
# Note that virus names are supplied by external virus scanner(s) and are
# not standardized, so virus names may need to be adjusted.
# See README.lookups for syntax.
#

That supposes there is a list of viruses faking addresses, but does "$warn_offsite" also apply to this?

$viruses_that_fake_sender_re = new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|palyh|inor|fizzer'i );

I don't understand. IMHO there is no need to warn the sender if external, as the sending address can always be forged (and maybe this would also unveil to an attacker your kind of virus scanner, and maybe whether it's not updated or not able to recognize a certain virus). IMHO the need could be to warn the sending user only if it's a local address and he is sending through the MTA. But there is no way to know the REAL address without a MAP of mail<=>IP? Suppose there are two users, "foo" and "bar" at mydomain.com: "foo" has a virus and sends it through the postfix SMTP of "mydomain.com" as if the mail appeared "From:<[EMAIL PROTECTED]>". Now if I understand right, you are saying that amavis-new understands that <[EMAIL PROTECTED]> is a FAKE address and then doesn't send any bounced "warning" message. What I'm asking here is: what to do if I want <[EMAIL PROTECTED]> to receive a mail from the SMTP saying that he was trying to send a VIRUS mail with address <[EMAIL PROTECTED]>?


- let spam pass to users (but with X-Spam-Status) and at the same time
collect all the recognized spam to a repository for further bayes
learning.

This is done by default if you configure final_spam_destiny as D_PASS. Every spam mail over the sa_kill_level_deflt value will be copied to /var/spool/amavisd/viruses

Yes, but for viruses the warning messages don't contain the ID of the file, like it happens in amavis-0.3.12.


I am not entirely sure what you mean, this is a virus message from amavisd-new:

------
A virus (PE_Magistr.B.Dam) was found.

Scanner detecting a virus: Trophie

The mail originated from: <[EMAIL PROTECTED]>

According to the 'Received:' trace, the message originated at:
   pppdslh205.mpls.uswest.net (HELO Bed) (216.160.26.205)

The message WILL NOT BE delivered to:
<[EMAIL PROTECTED]>:
   550 5.7.1 Message content rejected, id=20707-06 - VIRUS: PE_Magistr.B.Dam

Virus scanner output:
   1:PE_Magistr.B.Dam

The message has been quarantined as:
   /var/lib/amavis/virusmails/virus-20030703-093755-20707-06

Good. What I wasn't obtaining was this last line..., I got, trying the EICAR test:


=====================================================
VIRUS ALERT

Our content checker found
    virus: EICAR_Test_File
in your email to the following recipient:
-> [EMAIL PROTECTED]

Please check your system for viruses,
or ask your system administrator to do so.

Delivery of the email was stopped!
-------------------------------------------

For your reference, here are headers from your email:
======================================================

Bye.
Giuseppe.
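
The decision sequence quoted from amavisd.conf, combined with the $viruses_that_fake_sender_re check, as a small Python model (an added example, not amavisd-new code and not part of the original messages). The Policy field names, the sample virus names and the 2xx answer for D_BOUNCE are assumptions of the model.

```python
import re
from dataclasses import dataclass

# Pattern copied from the $viruses_that_fake_sender_re setting quoted above.
FAKE_SENDER_RE = re.compile(
    r"nimda|hybris|klez|bugbear|yaha|braid|sobig|palyh|inor|fizzer", re.I)

@dataclass
class Policy:
    # Field names belong to this model; comments name the quoted setting.
    final_destiny: str = "D_BOUNCE"  # D_PASS, D_DISCARD, D_BOUNCE or D_REJECT
    warn_sender: bool = False        # $warn_virus_sender
    warn_recip: bool = False         # $warnvirusrecip
    warn_offsite: bool = False       # $warn_offsite
    quarantine_to: str = ""          # $virus_quarantine_to
    admin: str = ""                  # $virus_admin

def actions(policy, virus_names, recip_is_local, bypass=False, virus_lover=False):
    """Ordered actions for one recipient, following the quoted sequence."""
    if bypass or not virus_names:
        return ["PASS"]
    out = []
    if policy.quarantine_to:
        out.append("quarantine")
    if policy.admin:
        out.append("notify admin")
    if policy.warn_recip and (recip_is_local or policy.warn_offsite):
        out.append("notify recipient")
    # Sender notification: DSN on bounce, or a warning when the mail passes,
    # suppressed when any reported virus name matches the fake-sender list.
    wants_dsn = policy.final_destiny == "D_BOUNCE" or (
        policy.warn_sender and policy.final_destiny == "D_PASS")
    sender_unreliable = any(FAKE_SENDER_RE.search(v) for v in virus_names)
    if wants_dsn and not sender_unreliable:
        out.append("notify sender")
    if virus_lover or policy.final_destiny == "D_PASS":
        out.append("PASS")
    elif policy.final_destiny == "D_REJECT":
        out.append("REJECT (5xx)")
    else:  # assumption: D_DISCARD and D_BOUNCE both answer the MTA with 2xx
        out.append("DISCARD (2xx)")
    return out

if __name__ == "__main__":
    p = Policy(warn_recip=True, quarantine_to="virus-quarantine")
    # Constructed virus names; real ones depend on the scanner in use.
    for names in (["EICAR_Test_File"], ["W32/Sobig.F"]):
        print(names, actions(p, names, recip_is_local=False))
```

With the Sobig name the sender notification is dropped whether or not the sender is on the LAN, which is the case raised above: the name match alone decides, not the origin of the connection.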





