Differences

This shows you the differences between two versions of the page.

Link to this comparison view

fitxer_de_configuracio [2012/06/06 12:15] (current)
Line 1: Line 1:
 +<code perl>
 +use strict;
 +
 +# Configuration file for amavisd-new
 +# Defaults modified for the Debian amavisd-new package
 +# $Id: amavisd.conf,​v 1.27.2.2 2004/11/18 23:27:55 hmh Exp $
 +#
 +# This software is licensed under the GNU General Public License (GPL).
 +# See comments at the start of amavisd-new for the whole license text.
 +
 +#Sections:
 +# Section I    - Essential daemon and MTA settings
 +# Section II   - MTA specific
 +# Section III  - Logging
 +# Section IV   - Notifications/​DSN,​ BOUNCE/​REJECT/​DROP/​PASS destiny, quarantine
 +# Section V    - Per-recipient and per-sender handling, whitelisting,​ etc.
 +# Section VI   - Resource limits
 +# Section VII  - External programs, virus scanners, SpamAssassin
 +# Section VIII - Debugging
 +
 +#GENERAL NOTES:
 +#  This file is a normal Perl code, interpreted by Perl itself.
 +#  - make sure this file (or directory where it resides) is NOT WRITABLE
 +#    by mere mortals (not even vscan/​amavis;​ best to make it owned by root),
 +#    otherwise it represents a severe security risk!
 +#  - for values which are interpreted as booleans, it is recommended
 +#    to use 1 for true, undef for false.
 +#    THIS IS DIFFERENT FROM OLD AMAVIS VERSIONS where "​no"​ also meant false,
 +#    now it means true, like any nonempty string does!
 +#  - Perl syntax applies. Most notably: strings in ""​ may include variables
 +#    (which start with $ or @); to include characters @ and $ in double
 +#    quoted strings, precede them by a backslash; in single-quoted strings
 +#    the $ and @ lose their special meaning, so it is usually easier to use
 +#    single quoted strings (or qw operator) for e-mail addresses.
 +#    Still, in both cases a backslash needs to be doubled.
 +#  - variables with names starting with a '​@'​ are lists, the values assigned
 +#    to them should be lists as well, e.g. ('​one@foo',​ $mydomain, "​three"​);​
 +#    note the comma-separation and parenthesis. If strings in the list
 +#    do not contain spaces nor variables, a Perl operator qw() may be used
 +#    as a shorthand to split its argument on whitespace and produce a list
 +#    of strings, e.g. qw( one@foo example.com three );  Note that the argument
 +#    to qw is quoted implicitly and no variable interpretation is done within
 +#    (no '​$'​ variable evaluations). The #-initiated comments can NOT be used
 +#    within a string. In other words, $ and # lose their special meaning
 +#    within a qw argument, just like within '​...'​ strings.
 +#  - all e-mail addresses in this file and as used internally by the daemon
 +#    are in their raw (rfc2821-unquoted and non-bracketed) form, i.e. 
 +#    Bob "​Funny"​ Dude@example.com,​ not: "Bob \"​Funny\"​ Dude"​@example.com
 +#    and not <"​Bob \"​Funny\"​ Dude"​@example.com>;​ also: ''​ and not '<>'​.
 +#  - the term '​default value' in examples below refers to the value of a
 +#    variable pre-assigned to it by the program; any explicit assignment
 +#    to a variable in this configuration file overrides the default value;
 +
 +
 +#
 +# Section I - Essential daemon and MTA settings
 +#
 +
 +# $MYHOME serves as a quick default for some other configuration settings.
 +# More refined control is available with each individual setting further down.
 +# $MYHOME is not used directly by the program. No trailing slash!
 +$MYHOME = '/​var/​lib/​amavis'; ​  # (default is '/​var/​amavis'​)
 +
 +# $mydomain serves as a quick default for some other configuration settings.
 +# More refined control is available with each individual setting further down.
 +# $mydomain is never used directly by the program.
 +$mydomain = '​ubuntu.oriol.joor.net'; ​     # (no useful default)
 +
 +# $myhostname = '​host.example.com'; ​ # fqdn of this host, default by uname(3)
 +$myhostname='​ubuntu.oriol.joor.net';​
 +
 +# Set the user and group to which the daemon will change if started as root
 +# (otherwise just keeps the UID unchanged, and these settings have no effect):
 +$daemon_user ​ = '​amavis';​ #​ (no default (undef))
 +$daemon_group = '​amavis';​ #​ (no default (undef))
 +
 +# Runtime working directory (cwd), and a place where
 +# temporary directories for unpacking mail are created.
 +# if you change this, you might want to modify the cleanup()
 +# function in /​etc/​init.d/​amavisd-new
 +# (no trailing slash, may be a scratch file system)
 +$TEMPBASE = $MYHOME; ​          # (must be set if other config vars use is)
 +#$TEMPBASE = "​$MYHOME/​tmp"; ​    # prefer to keep home dir /var/amavis clean?
 +
 +# $helpers_home sets environment variable HOME, and is passed as option
 +# '​home_dir_for_helpers'​ to Mail::​SpamAssassin::​new. It should be a directory
 +# on a normal persistent file system, not a scratch or temporary file system
 +#​$helpers_home = $MYHOME; ​     # (defaults to $MYHOME)
 +
 +# Run the daemon in the specified chroot jail if nonempty:
 +#​$daemon_chroot_dir = $MYHOME; ​ # (default is undef, meaning: do not chroot)
 +
 +$pid_file ​ = "/​var/​run/​amavis/​amavisd.pid"; ​ # (default: "​$MYHOME/​amavisd.pid"​)
 +$lock_file = "/​var/​run/​amavis/​amavisd.lock";​ # (default: "​$MYHOME/​amavisd.lock"​)
 +
 +# set environment variables if you want (no defaults):
 +$ENV{TMPDIR} = $TEMPBASE; ​      # wise to set TMPDIR, but not obligatory
 +#...
 +
 +
 +# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,​
 +# both $forward_method and $notify_method default to '​smtp:​127.0.0.1:​10025'​
 +
 +# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4
 +# (set host and port number as required; host can be specified
 +# as IP address or DNS name (A or CNAME, but MX is ignored)
 +$forward_method = '​smtp:​127.0.0.1:​10025'; ​ # where to forward checked mail
 +$notify_method = $forward_method; ​         # where to submit notifications
 +
 +# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST
 +#       ​uncomment the appropriate settings below if using other setups!
 +
 +# SENDMAIL MILTER, using amavis-milter.c helper program:
 +# SEE amavisd-new-milter package docs FOR DEBIAN INSTRUCTIONS
 +#​$forward_method = undef; ​ # no explicit forwarding, sendmail does it by itself
 +# milter; option -odd is needed to avoid deadlocks
 +#​$notify_method = '​pipe:​flags=q argv=/​usr/​sbin/​sendmail -Ac -i -odd -f ${sender} -- ${recipient}';​
 +# just a thought: can we use use -Am instead of -odd ?
 +
 +# SENDMAIL (old non-milter setup, as relay):
 +#​$forward_method = '​pipe:​flags=q argv=/​usr/​sbin/​sendmail -C/​etc/​sendmail.orig.cf -i -f ${sender} -- ${recipient}';​
 +#​$notify_method = $forward_method;​
 +
 +# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent):
 +#​$forward_method = undef; ​ # no explicit forwarding, amavis.c will call LDA
 +#​$notify_method = '​pipe:​flags=q argv=/​usr/​sbin/​sendmail -Ac -i -f ${sender} -- ${recipient}';​
 +
 +# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead):
 +#​$forward_method = '​pipe:​flags=q argv=/​usr/​sbin/​exim -oMr scanned-ok -i -f ${sender} -- ${recipient}';​
 +#​$notify_method = $forward_method;​
 +
 +# prefer to collect mail for forwarding as BSMTP files?
 +#​$forward_method = "​bsmtp:​$MYHOME/​out-%i-%n.bsmtp";​
 +#​$notify_method = $forward_method;​
 +
 +
 +# Net::Server pre-forking settings
 +# You may want $max_servers to match the width of your MTA pipe
 +# feeding amavisd, e.g. with Postfix the 'Max procs' field in the
 +# master.cf file, like the '​2'​ in the:  smtp-amavis unix - - n - 2 smtp
 +#
 +$max_servers ​ = 10;   # number of pre-forked children ​         (default 2)
 +$max_requests = 20;   # retire a child after that many accepts (default 10)
 +
 +$child_timeout=5*60; ​ # abort child if it does not complete each task in n sec
 +                      # (default: 8*60 seconds)
 +
 +# Check also the settings of @av_scanners at the end if you want to use
 +# virus scanners. If not, you may want to delete the whole long assignment
 +# to the variable @av_scanners,​ which will also remove the virus checking
 +# code (e.g. if you only want to do spam scanning).
 +
 +# Here is a QUICK WAY to completely DISABLE some sections of code
 +# that WE DO NOT WANT (it won't even be compiled-in).
 +# For more refined controls leave the following two lines commented out,
 +# and see further down what these two lookup lists really mean.
 +#
 +# @bypass_virus_checks_acl = qw( . );  # uncomment to DISABLE anti-virus code
 +# @bypass_spam_checks_acl ​ = qw( . );  # uncomment to DISABLE anti-spam code
 +#
 +# Any setting can be changed with a new assignment, so make sure
 +# you do not unintentionally override these settings further down!
 +@bypass_spam_checks_acl ​ = qw( . );    # No default dependency on spamassassin
 +
 +# Lookup list of local domains (see README.lookups for syntax details)
 +#
 +# NOTE:
 +#   For backwards compatibility the variable names @local_domains (old) and
 +#   ​@local_domains_acl (new) are synonyms. For consistency with other lookups
 +#   the name @local_domains_acl is now preferred. It also makes it more
 +#   ​obviously distinct from the new %local_domains hash lookup table.
 +#
 +# local_domains* lookup tables are used in deciding whether a recipient
 +# is local or not, or in other words, if the message is outgoing or not.
 +# This affects inserting spam-related headers for local recipients,
 +# limiting recipient virus notifications (if enabled) to local recipients,
 +# in deciding if address extension may be appended, and in SQL lookups
 +# for non-fqdn addresses. Set it up correctly if you need features
 +# that rely on this setting (or just leave empty otherwise).
 +#
 +# With Postfix (2.0) a quick reminder on what local domains normally are:
 +# a union of domains specified in: $mydestination,​ $virtual_alias_domains,​
 +# $virtual_mailbox_domains,​ and $relay_domains.
 +#
 +@local_domains_acl = ( "​.$mydomain"​ );  # $mydomain and its subdomains
 +# @local_domains_acl = ( "​.$mydomain",​ "​my.other.domain"​ );
 +# @local_domains_acl = qw();  # default is empty, no recipient treated as local
 +# @local_domains_acl = qw( .example.com );
 +# @local_domains_acl = qw( .example.com !host.sub.example.net .sub.example.net );
 +
 +# or alternatively(A),​ using a Perl hash lookup table, which may be assigned
 +# directly, or read from a file, one domain per line; comments and empty lines
 +# are ignored, a dot before a domain name implies its subdomains:
 +#
 +#​read_hash(\%local_domains,​ '/​etc/​amavis/​local_domains'​);​
 +
 +#or alternatively(B),​ using a list of regular expressions:​
 +# $local_domains_re = new_RE( qr'​[@.]example\.com$'​i );
 +#
 +# see README.lookups for syntax and semantics
 +
 +
 +#
 +# Section II - MTA specific (defaults should be ok)
 +#
 +
 +# if $relayhost_is_client is true, the IP address in $notify_method and
 +# $forward_method is dynamically overridden with SMTP client peer address
 +# (if available), which makes it possible for several hosts to share one 
 +# daemon. ​ The static port number is also overridden, and is dynamically ​
 +# calculated ​ as being one above the incoming SMTP/LMTP session port number.
 +#
 +# These are logged at level 3, so enable logging until you know you got it
 +# right.
 +$relayhost_is_client = 0;         # (defaults to false)
 +
 +$insert_received_line = 1;        # behave like MTA: insert '​Received:'​ header
 +           # (does not apply to sendmail/​milter)
 +           # (default is true (1) )
 +
 +# AMAVIS-CLIENT PROTOCOL INPUT SETTINGS (e.g. with sendmail milter)
 +#   (used with amavis helper clients like amavis-milter.c and amavis.c,
 +#   NOT needed for Postfix and Exim  or dual-sendmail - keep it undefined.)
 +#​$unix_socketname = "/​var/​lib/​amavis/​amavisd.sock";​ # amavis helper protocol socket
 +$unix_socketname = undef; ​        # disable listening on a unix socket
 +                                  # (default is undef, i.e. disabled)
 +
 +# Do we receive quoted or raw addresses from the helper program?
 +# (does not apply to SMTP;  defaults to true)
 +#​$gets_addr_in_quoted_form = 1;   # "Bob \"​Funny\"​ Dude"​@example.com
 +#​$gets_addr_in_quoted_form = 0;   # Bob "​Funny"​ Dude@example.com
 +
 +
 +
 +# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...)
 +#   (used when MTA is configured to pass mail to amavisd via SMTP or LMTP)
 +$inet_socket_port = 10024; ​       # accept SMTP on this local TCP port
 +                                  # (default is undef, i.e. disabled)
 +# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028];
 +
 +# SMTP SERVER (INPUT) access control
 +# - do not allow free access to the amavisd SMTP port !!!
 +#
 +# when MTA is at the same host, use the following (one or the other or both):
 +$inet_socket_bind = '​127.0.0.1'; ​ # limit socket bind to loopback interface
 +                                  # (default is '​127.0.0.1'​)
 +@inet_acl = qw( 127.0.0.1 );      # allow SMTP access only from localhost IP
 +                                  # (default is qw( 127.0.0.1 ) )
 +
 +# when MTA (one or more) is on a different host, use the following:
 +# @inet_acl = qw(127/8 10.1.0.1 10.1.0.2); ​ # adjust the list as appropriate
 +# $inet_socket_bind = undef; ​     # bind to all IP interfaces if undef
 +#
 +# Example1:
 +@inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
 +# permit only SMTP access from loopback and rfc1918 private address space
 +#
 +# Example2:
 +# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/​255.255.255.0
 +#   127.0.0.1 10/8 172.16/12 192.168/16 );
 +# matches loopback and rfc1918 private address space except host 192.168.1.12
 +# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
 +#
 +# Example3:
 +# @inet_acl = qw( 127/8
 +#   !172.16.3.0 ​  ​!172.16.3.127 172.16.3.0/​25
 +#   !172.16.3.128 !172.16.3.255 172.16.3.128/​25 );
 +# matches loopback and both halves of the 172.16.3/24 C-class,
 +# split into two subnets, except all four broadcast addresses
 +# for these subnets
 +#
 +# See README.lookups for details on specifying access control lists.
 +
 +
 +#
 +# Section III - Logging
 +#
 +
 +# true (e.g. 1) => syslog; ​ false (e.g. 0) => logging to file
 +$DO_SYSLOG = 1;                 # (defaults to false)
 +#​$SYSLOG_LEVEL = '​user.info'; ​    # (facility.priority,​ default '​mail.info'​)
 +
 +# Log file (if not using syslog)
 +$LOGFILE = "/​var/​log/​amavis.log"; ​ # (defaults to empty, no log)
 +
 +#NOTE: levels are not strictly observed and are somewhat arbitrary
 +# 0: startup/​exit/​failure messages, viruses detected
 +# 1: args passed from client, some more interesting messages
 +# 2: virus scanner output, timing
 +# 3: server, client
 +# 4: decompose parts
 +# 5: more debug details
 +#log_level = 5; # (defaults to 0)
 +
 +# Customizable template for the most interesting log file entry (e.g. with
 +# $log_level=0) (take care to properly quote Perl special characters like '​\'​)
 +# For a list of available macros see README.customize .
 +
 +# only log infected messages (useful with log level 0):
 +# $log_templ = '[? %#V |[? %#F ||banned filename ([%F|,​])]|infected ([%V|,])]#
 +# [? %#V |[? %#F ||, from=[?​%o|(?​)|<​%o>​],​ to=[<​%R>​|,​][?​ %i ||, quarantine %i]]#
 +# |, from=[?​%o|(?​)|<​%o>​],​ to=[<​%R>​|,​][?​ %i ||, quarantine %i]]';
 +
 +# log both infected and noninfected messages (default):
 +$log_templ = '[? %#V |[? %#F |[?​%#​D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
 +[?​%o|(?​)|<​%o>​] -> [<​%R>​|,​][?​ %i ||, quarantine %i], Message-ID: %m, Hits: %c';
 +
 +
 +#
 +# Section IV - Notifications/​DSN,​ BOUNCE/​REJECT/​DROP/​PASS destiny, quarantine
 +#
 +
 +# Select notifications text encoding when Unicode-aware Perl is converting
 +# text from internal character representation to external encoding (charset
 +# in MIME terminology). Used as argument to Perl Encode::​encode subroutine.
 +#
 +#   to be used in RFC 2047-encoded header field bodies, e.g. in Subject:
 +#​$hdr_encoding = '​iso-8859-1'; ​ # (default: '​iso-8859-1'​)
 +#
 +#   to be used in notification body text: its encoding and Content-type.charset
 +#​$bdy_encoding = '​iso-8859-1'; ​ # (default: '​iso-8859-1'​)
 +
 +# Default template texts for notifications may be overruled by directly
 +# assigning new text to template variables, or by reading template text
 +# from files. A second argument may be specified in a call to read_text(),​
 +# specifying character encoding layer to be used when reading from the
 +# external file, e.g. '​utf8',​ '​iso-8859-1',​ or often just $bdy_encoding.
 +# Text will be converted to internal character representation by Perl 5.8.0
 +# or later; second argument is ignored otherwise. See PerlIO::​encoding,​
 +# Encode::​PerlIO and perluniintro man pages.
 +#
 +#​$notify_sender_templ ​     = read_text('/​var/​amavis/​notify_sender.txt'​);​
 +#​$notify_virus_sender_templ= read_text('/​var/​amavis/​notify_virus_sender.txt'​);​
 +#​$notify_virus_admin_templ = read_text('/​var/​amavis/​notify_virus_admin.txt'​);​
 +#​$notify_virus_recips_templ= read_text('/​var/​amavis/​notify_virus_recips.txt'​);​
 +#​$notify_spam_sender_templ = read_text('/​var/​amavis/​notify_spam_sender.txt'​);​
 +#​$notify_spam_admin_templ ​ = read_text('/​var/​amavis/​notify_spam_admin.txt'​);​
 +
 +# If notification template files are collectively available in some directory,
 +# use read_l10n_templates which calls read_text for each known template.
 +#
 +#   ​read_l10n_templates('/​etc/​amavis/​en_US'​);​
 +#
 +# Debian available locales: en_US, pt_BR, de_DE, it_IT
 +read_l10n_templates('​es_ES',​ '/​etc/​amavis'​);​
 +
 +
 +# Here is an overall picture (sequence of events) of how pieces fit together
 +# (only virus controls are shown, spam controls work the same way):
 +#
 +#   ​bypass_virus_checks?​ ==> PASS
 +#   no viruses? ​  ​==>​ PASS
 +#   log virus     if $log_templ is nonempty
 +#   ​quarantine ​   if $virus_quarantine_to is nonempty
 +#   ​notify admin  if $virus_admin (lookup) nonempty
 +#   ​notify recips if $warnvirusrecip and (recipient is local or $warn_offsite)
 +#   add address extensions if adding extensions is enabled and virus will pass
 +#   send (non-)delivery notifications
 +#      to sender if DSN needed (BOUNCE or ($warn_virus_sender and D_PASS))
 +#   ​virus_lovers or final_destiny==D_PASS ​ ==> PASS
 +#   ​DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny)
 +#
 +# Equivalent flow diagram applies for spam checks.
 +# If a virus is detected, spam checking is skipped entirely.
 +
 +# The following symbolic constants can be used in *destiny settings:
 +#
 +# D_PASS ​    mail will pass to recipients, regardless of bad contents;
 +#
 +# D_DISCARD ​ mail will not be delivered to its recipients, sender will NOT be
 +#            notified. Effectively we lose mail (but will be quarantined
 +#            unless disabled). Losing mail is not decent for a mailer,
 +#            but might be desired.
 +#
 +# D_BOUNCE ​  mail will not be delivered to its recipients, a non-delivery
 +#            notification (bounce) will be sent to the sender by amavisd-new;​
 +#            Exception: bounce (DSN) will not be sent if a virus name matches
 +#            $viruses_that_fake_sender_re,​ or to messages from mailing lists
 +#            (Precedence:​ bulk|list|junk);​
 +#
 +# D_REJECT ​  mail will not be delivered to its recipients, sender should
 +#            preferably get a reject, e.g. SMTP permanent reject response
 +#            (e.g. with milter), or non-delivery notification from MTA
 +#            (e.g. Postfix). If this is not possible (e.g. different recipients
 +#            have different tolerances to bad mail contents and not using LMTP)
 +#            amavisd-new sends a bounce by itself (same as D_BOUNCE).
 +#
 +# Notes:
 +#   ​D_REJECT and D_BOUNCE are similar, the difference is in who is responsible
 +#            for informing the sender about non-delivery,​ and how informative
 +#            the notification can be (amavisd-new knows more than MTA);
 +#   With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status
 +#            notification,​ colloquially called '​bounce'​) - depending on MTA;
 +#            Best suited for sendmail milter, especially for spam.
 +#   With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the
 +#            reason for mail non-delivery,​ but unable to reject the original
 +#            SMTP session). Best suited to reporting viruses, and for Postfix
 +#            and other dual-MTA setups, which can't reject original client SMTP
 +#            session, as the mail has already been enqueued.
 +
 +$final_virus_destiny ​     = D_DISCARD; # (defaults to D_BOUNCE)
 +$final_banned_destiny ​    = D_BOUNCE; ​ # (defaults to D_BOUNCE)
 +$final_spam_destiny ​      = D_REJECT; ​ # (defaults to D_REJECT)
 +$final_bad_header_destiny = D_PASS; ​ # (defaults to D_PASS), D_BOUNCE suggested
 +
 +# Alternatives to consider for spam:
 +# - use D_PASS if clients will do filtering based on inserted mail headers;
 +# - use D_DISCARD, if kill_level is set safely high;
 +# - use D_BOUNCE instead of D_REJECT if not using milter;
 +#
 +# D_BOUNCE is preferred for viruses, but consider:
 +# - use D_DISCARD to avoid bothering the rest of the network, it is hopeless
 +#   to try to keep up with the viruses that faker the envelope sender anyway,
 +#   and bouncing only increases the network cost of viruses for everyone
 +# - use D_PASS (or virus_lovers) and $warnvirussender=1 to deliver viruses;
 +# - use D_REJECT instead of D_BOUNCE if using milter and under heavy
 +#   virus storm;
 +#
 +# Don't bother to set both D_DISCARD and $warn*sender=1,​ it will get mapped
 +# to D_BOUNCE.
 +#
 +# The separation of *_destiny values into D_BOUNCE, D_REJECT, D_DISCARD
 +# and D_PASS made settings $warnvirussender and $warnspamsender only still
 +# useful with D_PASS.
 +
 +# The following $warn*sender settings are ONLY used when mail is
 +# actually passed to recipients ($final_*_destiny=D_PASS,​ or *_lovers*).
 +# Bounces or rejects produce non-delivery status notification anyway.
 +
 +# Notify virus sender?
 +#​$warnvirussender = 1; # (defaults to false (undef))
 +
 +# Notify spam sender?
 +#​$warnspamsender = 1; # (defaults to false (undef))
 +
 +# Notify sender of banned files?
 +$warnbannedsender = 1; # (defaults to false (undef))
 +
 +# Notify sender of syntactically invalid header containing non-ASCII characters?
 +$warnbadhsender = 1; # (defaults to false (undef))
 +
 +# Notify virus (or banned files) RECIPIENT?
 +#  (not very useful, but some policies demand it)
 +$warnvirusrecip = 1; # (defaults to false (undef))
 +$warnbannedrecip = 1; # (defaults to false (undef))
 +
 +# Notify also non-local virus/​banned recipients if $warn*recip is true?
 +#  (including those not matching local_domains*)
 +#​$warn_offsite = 1;    # (defaults to false (undef), i.e. only notify locals)
 +
 +
 +# Treat envelope sender address as unreliable and don't send sender
 +# notification / bounces if name(s) of detected virus(es) match the list.
 +# Note that virus names are supplied by external virus scanner(s) and are
 +# not standardized,​ so virus names may need to be adjusted.
 +# See README.lookups for syntax, check also README.policy-on-notifications
 +#
 +$viruses_that_fake_sender_re = new_RE(
 +  qr'​nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'​i,​
 +  qr'​tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'​i,​
 +  qr'​dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?​la'​i,​
 +  qr'​frethem|sircam|be?​agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'​i,​
 +  qr'​@mm|@MM', ​   # mass mailing viruses as labeled by f-prot and uvscan
 +  qr'​Worm'​i, ​     # worms as labeled by ClamAV, Kaspersky, etc
 +  [qr'​^(EICAR|Joke\.|Junk\.)'​i ​        => 0],
 +  [qr'​^(WM97|OF97|W95/​CIH-|JS/​Fort)'​i ​ => 0],
 +  [qr/.*/ => 1],  # true by default ​ (remove or comment-out if undesired)
 +);
 +
 +# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address)
 +# - the administrator address may be a simple fixed e-mail address (a scalar),
 +#   or may depend on the SENDER address (e.g. its domain), in which case
 +#   a ref to a hash table can be specified (specify lower-cased keys,
 +#   dot is a catchall, see README.lookups).
 +#
 +#   Empty or undef lookup disables virus admin notifications.
 +
 +# $virus_admin = undef; ​  # do not send virus admin notifications (default)
 +# $virus_admin = {'​not.example.com'​ => '',​ '​.'​ => '​virusalert@example.com'​};​
 +# $virus_admin = '​virus-admin@example.com';​
 +$virus_admin = "​postmaster\@oriol.joor.net";​ #​ due to D_DISCARD default
 +
 +# equivalent to $virus_admin,​ but for spam admin notifications:​
 +# $spam_admin = "​spamalert\@$mydomain";​
 +# $spam_admin = undef; ​   # do not send spam admin notifications (default)
 +# $spam_admin = {'​not.example.com'​ => '',​ '​.'​ => '​spamalert@example.com'​};​
 +$spam_admin = "​postmaster\@oriol.joor.net";​
 +
 +#advanced example, using a hash lookup table:
 +#​$virus_admin = {
 +# '​baduser@sub1.example.com'​ => '​HisBoss@sub1.example.com',​
 +# '​.sub1.example.com' ​ => '​virusalert@sub1.example.com',​
 +# '​.sub2.example.com' ​ => '', ​                 # don't send admin notifications
 +# '​a.sub3.example.com'​ => '​abuse@sub3.example.com',​
 +# '​.sub3.example.com' ​ => '​virusalert@sub3.example.com',​
 +# '​.example.com' ​      => '​noc@example.com', ​  # catchall for our virus senders
 +# '​.' ​                 => '​virusalert@hq.example.com', ​ # catchall for the rest
 +#};
 +
 +
 +# whom notification reports are sent from (ENVELOPE SENDER);
 +# may be a null reverse path, or a fully qualified address:
 +#   ​(admin and recip sender addresses default to $mailfrom
 +#   for compatibility,​ which in turn defaults to undef (empty) )
 +#   If using strings in double quotes, don't forget to quote @, i.e. \@
 +#
 +#​$mailfrom_notify_admin ​    = "​virusalert\@$mydomain";​
 +#​$mailfrom_notify_recip ​    = "​virusalert\@$mydomain";​
 +#​$mailfrom_notify_spamadmin = "​spam.police\@$mydomain";​
 +
 +$mailfrom_notify_admin ​    = "​postmaster\@oriol.joor.net";​
 +$mailfrom_notify_recip ​    = "​postmaster\@oriol.joor.net";​
 +$mailfrom_notify_spamadmin = "​postmaster\@oriol.joor.net";​
 +
 +# '​From'​ HEADER FIELD for sender and admin notifications.
 +# This should be a replyable address, see rfc1894. Not to be confused
 +# with $mailfrom_notify_sender,​ which is the envelope return address
 +# and should be empty (null reverse path) according to rfc2821.
 +#
 +# The syntax of the '​From'​ header field is specified in rfc2822, section
 +# '3.4. Address Specification'​. Note in particular that display-name must be
 +# a quoted-string if it contains any special characters like spaces and dots.
 +#
 +# $hdrfrom_notify_sender = "​amavisd-new <​postmaster\@$mydomain>";​
 +# $hdrfrom_notify_sender = '​amavisd-new <​postmaster@example.com>';​
 +# $hdrfrom_notify_sender = '"​Content-Filter Master"​ <​postmaster@example.com>';​
 +#   ​(defaults to: "​amavisd-new <​postmaster\@$myhostname>"​)
 +# $hdrfrom_notify_admin = $mailfrom_notify_admin;​
 +#   ​(defaults to: $mailfrom_notify_admin)
 +# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin;​
 +#   ​(defaults to: $mailfrom_notify_spamadmin)
 +
 +# whom quarantined messages appear to be sent from (envelope sender);
 +# keeps original sender if undef, or set it explicitly, default is undef
 +$mailfrom_to_quarantine = ''; ​  # override sender address with null return path
 +
 +
 +# Location to put infected mail into: (applies to '​local:'​ quarantine method)
 +#   empty for not quarantining,​ may be a file (mailbox),
 +#   or a directory (no trailing slash)
 +#   (the default value is undef, meaning no quarantine)
 +#
 +$QUARANTINEDIR = '/​var/​lib/​amavis/​virusmails';​
 +
 +#​$virus_quarantine_method = "​local:​virus-%i-%n"; ​   # default
 +#​$spam_quarantine_method ​ = "​local:​spam-%b-%i-%n"; ​ # default
 +#
 +#use the new '​bsmtp:'​ method as an alternative to the default '​local:'​
 +#​$virus_quarantine_method = "​bsmtp:​$QUARANTINEDIR/​virus-%i-%n.bsmtp";​
 +#​$spam_quarantine_method ​ = "​bsmtp:​$QUARANTINEDIR/​spam-%b-%i-%n.bsmtp";​
 +
 +# When using the '​local:'​ quarantine method (default), the following applies:
 +#
 +# A finer control of quarantining is available through variable
 +# $virus_quarantine_to/​$spam_quarantine_to. It may be a simple scalar string,
 +# or a ref to a hash lookup table, or a regexp lookup table object,
 +# which makes possible to set up per-recipient quarantine addresses.
 +#
 +# The value of scalar $virus_quarantine_to/​$spam_quarantine_to (or a
 +# per-recipient lookup result from the hash table %$virus_quarantine_to)
 +# is/are interpreted as follows:
 +#
 +# VARIANT 1:
 +#   empty or undef disables quarantine;
 +#
 +# VARIANT 2:
 +#   a string NOT containing an '​@';​
 +# amavisd will behave as a local delivery agent (LDA) and will quarantine
 +# viruses to local files according to hash %local_delivery_aliases (pseudo
 +# aliases map) - see subroutine mail_to_local_mailbox() for details.
 +# Some of the predefined aliases are '​virus-quarantine'​ and '​spam-quarantine'​.
 +# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will:
 +#
 +# * if $QUARANTINEDIR is a directory, each quarantined virus will go
 +#   to a separate file in the $QUARANTINEDIR directory (traditional
 +#   ​amavis style, similar to maildir mailbox format);
 +#
 +# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style
 +#   ​mailbox. All quarantined messages will be appended to this file.
 +#   ​Amavisd child process must obtain an exclusive lock on the file during
 +#   ​delivery,​ so this may be less efficient than using individual files
 +#   or forwarding to MTA, and it may not work across NFS or other non-local
 +#   file systems (but may be handy for pickup of quarantined files via IMAP
 +#   for example);
 +#
 +# VARIANT 3:
 +#   any email address (must contain '​@'​).
 +# The e-mail messages to be quarantined will be handed to MTA
 +# for delivery to the specified address. If a recipient address local to MTA
 +# is desired, you may leave the domain part empty, e.g. '​infected@',​ but the
 +# '​@'​ character must nevertheless be included to distinguish it from variant 2.
 +#
 +# This method enables more refined delivery control made available by MTA
 +# (e.g. its aliases file, other local delivery agents, dealing with
 +# privileges and file locking when delivering to user's mailbox, nonlocal
 +# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined
 +# will not be handed back to amavisd for checking, as this will cause a loop
 +# (hopefully broken at some stage)! If this can be assured, notifications
 +# will benefit too from not being unnecessarily virus-scanned.
 +#
 +# By default this is safe to do with Postfix and Exim v4 and dual-sendmail
 +# setup, but probably not safe with sendmail milter interface without
 +# precaution.
 +
 +# (the default value is undef, meaning no quarantine)
 +
 +#​$virus_quarantine_to ​ = '​virus-quarantine'; ​   # traditional local quarantine
 +#​$virus_quarantine_to = '​infected@'; ​          # forward to MTA for delivery
 +#​$virus_quarantine_to = "​virus-quarantine\@$mydomain"; ​  # similar
 +#​$virus_quarantine_to = '​virus-quarantine@example.com'; ​ # similar
 +#​$virus_quarantine_to = undef; ​                # no quarantine
 +$virus_quarantine_to = '​postmaster@oriol.joor.net';​
 +#
 +#​$virus_quarantine_to = new_RE( ​               # per-recip multiple quarantines
 +#  [qr'​^user@example\.com$'​i => '​infected@'​],​
 +#  [qr'​^(.*)@example\.com$'​i => '​virus-${1}@example.com'​],​
 +#  [qr'​^(.*)(@[^@])?​$'​i ​     => '​virus-${1}${2}'​],​
 +#  [qr/​.*/ ​                  => '​virus-quarantine'​] );
 +
 +# similar for spam
 +# (the default value is undef, meaning no quarantine)
 +#
 +#​$spam_quarantine_to = '​spam-quarantine';​
 +#​$spam_quarantine_to = "​spam-quarantine\@$mydomain";​
 +#​$spam_quarantine_to = new_RE( ​                # per-recip multiple quarantines
 +#  [qr'​^(.*)@example\.com$'​i => '​spam-${1}@example.com'​],​
 +#  [qr/​.*/ ​                  => '​spam-quarantine'​] );
 +$spam_quarantine_to = '​postmaster@oriol.joor.net';​
 +
 +# In addition to per-recip quarantine, a by-sender lookup is possible. It is
 +# similar to $spam_quarantine_to,​ but the lookup key is the sender address:
 +#​$spam_quarantine_bysender_to = undef; ​  # dflt: no by-sender spam quarantine
 +
 +
 +# Add X-Virus-Scanned header field to mail?
 +$X_HEADER_TAG = '​X-Virus-Scanned';​ #​ (default: undef)
 +# Leave empty to add no header # (default: undef)
 +$X_HEADER_LINE = "by $myversion at $mydomain";​
 +
 +# a string to prepend to Subject (for local recipients only) if mail could
 +# not be decoded or checked entirely, e.g. due to password-protected archives
 +$undecipherable_subject_tag = '​***UNCHECKED*** '; ​ # undef disables it
 +
 +$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
 +#​$remove_existing_x_scanned_headers= 1; # remove existing headers
 + # (defaults to false)
 +#​$remove_existing_spam_headers = 0;     # leave existing X-Spam* headers alone
 +$remove_existing_spam_headers ​ = 1;     # remove existing spam headers if
 + # spam scanning is enabled (default)
 +
 +# set $bypass_decode_parts to true if you only do spam scanning, or if you
 +# have a good virus scanner that can deal with compression and recursively
 +# unpacking archives by itself, and save amavisd the trouble.
 +# Disabling decoding also causes banned_files checking to only see
 +# MIME names and MIME content types, not the content classification types
 +# as provided by the file(1) utility.
 +# It is a double-edged sword, make sure you know what you are doing!
 +#
 +#​$bypass_decode_parts = 1; # (defaults to false)
 +
 +# don't trust this file type or corresponding unpacker for this file type,
 +# keep both the original and the unpacked file for a virus checker to see
 +# (lookup key is what file(1) utility returned):
 +#
 +$keep_decoded_original_re = new_RE(
 +# qr'​^MAIL$', ​  # retain full original message for virus checking (can be slow)
 +  qr'​^MAIL-UNDECIPHERABLE$', ​ # retain full mail if it contains undecipherables
 +  qr'​^(ASCII(?​! cpio)|text|uuencoded|xxencoded|binhex)'​i,​
 +# qr'​^Zip archive data',
 +);
 +
 +# Checking for banned MIME types and names. If any mail part matches,
 +# the whole mail is rejected, much like the way viruses are handled.
 +# A list in object $banned_filename_re can be defined to provide a list
 +# of Perl regular expressions to be matched against each part'​s:​
 +#
 +#  * Content-Type value (both declared and effective mime-type),
 +#    including the possible security risk content types
 +#    message/​partial and message/​external-body,​ as specified by rfc2046;
 +#
 +#  * declared (i.e. recommended) file names as specified by MIME subfields
 +#    Content-Disposition.filename and Content-Type.name,​ both in their
 +#    raw (encoded) form and in rfc2047-decoded form if applicable;
 +#
 +#  * file content type as guessed by '​file'​ utility, both the raw
 +#    result from '​file',​ as well as short type name, classified
 +#    into names such as .asc, .txt, .html, .doc, .jpg, .pdf,
 +#    .zip, .exe, ... - see subroutine determine_file_types().
 +#    This step is done only if $bypass_decode_parts is not true.
 +#
 +#  * leave $banned_filename_re undefined to disable these checks
 +#    (giving an empty list to new_RE() will also always return false)
 +
 +$banned_filename_re = new_RE(
 +#  qr'​^UNDECIPHERABLE$', ​ # is or contains any undecipherable components
 +   ​qr'​\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'​i,​ # some double extensions
 +   ​qr'​[{}]', ​    # curly braces in names (serve as Class ID extensions - CLSID)
 +#  qr'​.\.(exe|vbs|pif|scr|bat|cmd|com)$'​i, ​          # banned extension - basic
 +#  qr'​.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
 +#         ​jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
 +#         ​vbe|vbs|wsc|wsf|wsh)$'​ix, ​                 # banned extension - long
 +#  qr'​.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'​i,​ # banned extension - WinZip vulnerab.
 +#  qr'​^\.(zip|lha|tnef|cab)$'​i, ​                     # banned file(1) types
 +#  qr'​^\.exe$'​i, ​                                    # banned file(1) types
 +#  qr'​^application/​x-msdownload$'​i, ​                 # banned MIME types
 +#  qr'​^application/​x-msdos-program$'​i,​
 +   ​qr'​^message/​partial$'​i, ​ # rfc2046. this one is deadly for Outcrook
 +#  qr'​^message/​external-body$'​i,​ # block rfc2046
 +);
 +# See http://​support.microsoft.com/​default.aspx?​scid=kb;​EN-US;​q262631
 +# and http://​www.cknow.com/​vtutor/​vtextensions.htm
 +
 +# A little trick: a pattern qr'​\.exe$'​ matches both a short type name '​.exe',​
 +# as well as any file name which happens to end with .exe. If only matching
 +# a file name is desired, but not the short name, a pattern qr'​.\.exe$'​i
 +# or similar may be used, which requires that at least one character precedes
 +# the '​.exe',​ and so it will never match short file types, which always start
 +# with a dot.
 +
 +
 +#
 +# Section V - Per-recipient and per-sender handling, whitelisting,​ etc.
 +#
 +
 +# %virus_lovers,​ @virus_lovers_acl and $virus_lovers_re lookup tables:
 +#   ​(these should be considered policy options, they do not disable checks,
 +#   see bypass*checks for that!)
 +#
 +# Exclude certain RECIPIENTS from virus filtering by adding their lower-cased
 +# envelope e-mail address (or domain only) to the hash %virus_lovers,​ or to
 +# the access list @virus_lovers_acl - see README.lookups and examples.
 +# Make sure the appropriate form (e.g. external/​internal) of address
 +# is used in case of virtual domains, or when mapping external to internal
 +# addresses, etc. - this is MTA-specific.
 +#
 +# Notifications would still be generated however (see the overall
 +# picture above), and infected mail (if passed) gets additional header:
 +#   ​X-AMaViS-Alert:​ INFECTED, message contains virus: ...
 +# (header not inserted with milter interface!)
 +#
 +# NOTE (milter interface only): in case of multiple recipients,
 +# it is only possible to drop or accept the message in its entirety - for all
 +# recipients. If all of them are virus lovers, we'll accept mail, but if
 +# at least one recipient is not a virus lover, we'll discard the message.
 +
 +
 +# %bypass_virus_checks,​ @bypass_virus_checks_acl and $bypass_virus_checks_re
 +# lookup tables:
 +#   (this is mainly a time-saving option, unlike virus_lovers* !)
 +#
 +# Similar in concept to %virus_lovers,​ a hash %bypass_virus_checks,​
 +# access list @bypass_virus_checks_acl and regexp list $bypass_virus_checks_re
 +# are used to skip entirely the decoding, unpacking and virus checking,
 +# but only if ALL recipients match the lookup.
 +#
 +# %bypass_virus_checks/​@bypass_virus_checks_acl/​$bypass_virus_checks_re
 +# do NOT GUARANTEE the message will NOT be checked for viruses - this may
 +# still happen when there is more than one recipient for a message, and
 +# not all of them match these lookup tables. To guarantee virus delivery,
 +# a recipient must also match %virus_lovers/​@virus_lovers_acl lookups
 +# (but see milter limitations above),
 +
 +# NOTE: it would not be clever to base virus checks on SENDER address,
 +# since there are no guarantees that it is genuine. Many viruses
 +# and spam messages fake sender address. To achieve selective filtering
 +# based on the source of the mail (e.g. IP address, MTA port number, ...),
 +# use mechanisms provided by MTA if available.
 +
 +
 +# Similar to lookup tables controlling virus checking, there exist
 +# spam scanning, banned names/​types,​ and headers_checks control counterparts:​
 +#   ​%spam_lovers,​ @spam_lovers_acl,​ $spam_lovers_re
 +#   ​%banned_files_lovers,​ @banned_files_lovers_acl,​ $banned_files_lovers_re
 +#   ​%bad_header_lovers,​ @bad_header_lovers_acl,​ $bad_header_lovers_re
 +# and:
 +#   ​%bypass_spam_checks/​@bypass_spam_checks_acl/​$bypass_spam_checks_re
 +#   ​%bypass_banned_checks/​@bypass_banned_checks_acl/​$bypass_banned_checks_re
 +#   ​%bypass_header_checks/​@bypass_header_checks_acl/​$bypass_header_checks_re
 +# See README.lookups for details about the syntax.
 +
 +# The following example disables spam checking altogether,
 +# since it matches any recipient e-mail address (any address
 +# is a subdomain of the top-level root DNS domain):
 +#   ​@bypass_spam_checks_acl = qw( . );
 +
 +#   ​@bypass_header_checks_acl = qw( user@example.com );
 +#   ​@bad_header_lovers_acl ​   = qw( user@example.com );
 +
 +
 +# See README.lookups for further detail, and examples below.
 +
 +# $virus_lovers{lc("​postmaster\@$mydomain"​)} = 1;
 +# $virus_lovers{lc('​postmaster@example.com'​)} = 1;
 +# $virus_lovers{lc('​abuse@example.com'​)} = 1;
 +# $virus_lovers{lc('​some.user@'​)} = 1;  # this recipient, regardless of domain
 +# $virus_lovers{lc('​boss@example.com'​)} = 0; # never, even if domain matches
 +# $virus_lovers{lc('​example.com'​)} = 1; # this domain, but not its subdomains
 +# $virus_lovers{lc('​.example.com'​)}= 1; # this domain, including its subdomains
 +#or:
 +# @virus_lovers_acl = qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org );
 +#
 +# $bypass_virus_checks{lc('​some.user2@butnot.example.com'​)} = 1;
 +# @bypass_virus_checks_acl = qw( some.ddd !butnot.example.com .example.com );
 +@bypass_virus_checks_acl=(1);​
 +read_hash(\%local_domains,​ '/​etc/​postfix/​relay_domains'​);​
 +
 +
 +# @virus_lovers_acl = qw( postmaster@example.com );
 +# $virus_lovers_re = new_RE( qr'​^(helpdesk|postmaster)@example\.com$'​i );
 +
 +# $spam_lovers{lc("​postmaster\@$mydomain"​)} = 1;
 +# $spam_lovers{lc('​postmaster@example.com'​)} = 1;
 +# $spam_lovers{lc('​abuse@example.com'​)} = 1;
 +# @spam_lovers_acl = qw( !.example.com );
 +# $spam_lovers_re = new_RE( qr'​^user@example\.com$'​i );
 +
 +
 +# don't run spam check for these RECIPIENT domains:
 +#   ​@bypass_spam_checks_acl = qw( d1.com .d2.com a.d3.com );
 +# or the other way around (bypass check for all BUT these):
 +#   ​@bypass_spam_checks_acl = qw( !d1.com !.d2.com !a.d3.com . );
 +# a practical application:​ don't check outgoing mail for spam:
 +#   ​@bypass_spam_checks_acl = ( "​!.$mydomain",​ "​."​ );
 +# (a downside of which is that such mail will not count as ham in SA bayes db)
 +
 +
 +# Where to find SQL server(s) and database to support SQL lookups?
 +# A list of triples: (dsn,​user,​passw). ​  (dsn = data source name)
 +# More than one entry may be specified for multiple (backup) SQL servers.
 +# See 'man DBI', 'man DBD::​mysql',​ 'man DBD::​Pg',​ ... for details.
 +# When chroot-ed, accessing SQL server over inet socket may be more convenient.
 +#
 +# @lookup_sql_dsn =
 +#   ( ['​DBI:​mysql:​database=mail;​host=127.0.0.1;​port=3306',​ '​user1',​ '​passwd1'​],​
 +#     ​['​DBI:​mysql:​database=mail;​host=host2',​ '​username2',​ '​password2'​] );
 +#
 +# ('​mail'​ in the example is the database name, choose what you like)
 +# With PostgreSQL the dsn (first element of the triple) may look like:
 +#      '​DBI:​Pg:​host=host1;​dbname=mail'​
 +
 +# The SQL select clause to fetch per-recipient policy settings.
 +# The %k will be replaced by a comma-separated list of query addresses
 +# (e.g. full address, domain only, catchall). ​ Use ORDER, if there
 +# is a chance that multiple records will match - the first match wins.
 +# If field names are not unique (e.g. '​id'​),​ the later field overwrites the
 +# earlier in a hash returned by lookup, which is why we use '​*,​users.id'​.
 +# $sql_select_policy = '​SELECT *,users.id FROM users,​policy'​.
 +#   '​ WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'​.
 +#   '​ ORDER BY users.priority DESC';
 +#
 +# The SQL select clause to check sender in per-recipient whitelist/​blacklist
 +# The first SELECT argument '?'​ will be users.id from recipient SQL lookup,
 +# the %k will be sender addresses (e.g. full address, domain only, catchall).
 +# $sql_select_white_black_list = '​SELECT wb FROM wblist,​mailaddr'​.
 +#     '​ WHERE (wblist.rid=?​) AND (wblist.sid=mailaddr.id)'​.
 +#     ' ​  AND (mailaddr.email IN (%k))'​.
 +#   '​ ORDER BY mailaddr.priority DESC';
 +
 +$sql_select_white_black_list = undef; ​ # undef disables SQL white/​blacklisting
 +
 +
 +# If you decide to pass viruses (or spam) to certain recipients using the
 +# above lookup tables or using $final_virus_destiny=D_PASS,​ you can set
 +# the variable $addr_extension_virus ($addr_extension_spam) to some
 +# string, and the recipient address will have this string appended
 +# as an address extension to the local-part of the address. This extension
 +# can be used by final local delivery agent to place such mail in different
 +# folders. Leave these two variables undefined or empty strings to prevent
 +# appending address extensions. Setting has no effect on recipient which will
 +# not be receiving viruses/​spam. Recipients who do not match lookup tables
 +# local_domains* are not affected.
 +#
 +# LDAs usually default to stripping away address extension if no special
 +# handling is specified, so having this option enabled normally does no harm,
 +# provided the $recipients_delimiter matches the setting on the final
 +# MTA's LDA.
 +
 +# $addr_extension_virus ​ = '​virus';​ #​ (default is undef, same as empty)
 +# $addr_extension_spam ​  = '​spam';​ #​ (default is undef, same as empty)
 +# $addr_extension_banned = '​banned';​ #​ (default is undef, same as empty)
 +
 +
 +# Delimiter between local part of the recipient address and address extension
 +# (which can optionally be added, see variables $addr_extension_virus and
 +# $addr_extension_spam). E.g. recipient address <​user@example.com>​ gets changed
 +# to <​user+virus@example.com>​.
 +#
 +# Delimiter should match equivalent (final) MTA delimiter setting.
 +# (e.g. for Postfix add '​recipient_delimiter = +' to main.cf)
 +# Setting it to an empty string or to undef disables this feature
 +# regardless of $addr_extension_virus and $addr_extension_spam settings.
 +
 +$recipient_delimiter = '​+';​ #​ (default is '​+'​)
 +
 +# true: replace extension; ​ false: append extension
 +$replace_existing_extension = 1; # (default is false)
 +
 +# Affects matching of localpart of e-mail addresses (left of '​@'​)
 +# in lookups: true = case sensitive, false = case insensitive
 +$localpart_is_case_sensitive = 0; # (default is false)
 +
 +
 +# ENVELOPE SENDER WHITELISTING / BLACKLISTING ​ - GLOBAL (RECIPIENT-INDEPENDENT)
 +# (affects spam checking only, has no effect on virus and other checks)
 +
 +# WHITELISTING:​ use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted
 +# senders even if the message would be recognized as spam. Effectively,​ for
 +# the specified senders, message recipients temporarily become '​spam_lovers'​.
 +# To avoid surprises, whitelisted sender also suppresses inserting/​editing
 +# the tag2-level header fields (X-Spam-*, Subject), appending spam address
 +# extension, and quarantining.
 +
 +# BLACKLISTING:​ messages from specified SENDERS are DECLARED SPAM.
 +# Effectively,​ for messages from blacklisted senders, spam level
 +# is artificially pushed high, and the normal spam processing applies,
 +# resulting in '​X-Spam-Flag:​ YES', high '​X-Spam-Level'​ bar and other usual
 +# reactions to spam, including possible rejection. If the message nevertheless
 +# still passes (e.g. for spam loving recipients),​ it is tagged as BLACKLISTED
 +# in the '​X-Spam-Status'​ header field, but the reported spam value and
 +# set of tests in this report header field (if available from SpamAssassin,​
 +# which may have not been called) is not adjusted.
 +#
 +# A sender may be both white- and blacklisted at the same time, settings
 +# are independent. For example, being both white- and blacklisted,​ message
 +# is delivered to recipients, but is not tagged as spam (X-Spam-Flag:​ No;
 +# X-Spam-Status:​ No, ...), but the reported spam level (if computed) may
 +# still indicate high spam score.
 +#
 +# If ALL recipients of the message either white- or blacklist the sender,
 +# spam scanning (calling the SpamAssassin) is bypassed, saving on time.
 +#
 +# The following variables (lookup tables) are available, with the semantics
 +# and syntax as specified in README.lookups:​
 +#
 +# %whitelist_sender,​ @whitelist_sender_acl,​ $whitelist_sender_re
 +# %blacklist_sender,​ @blacklist_sender_acl,​ $blacklist_sender_re
 +
 +
 +read_hash(\%whitelist_sender,​ '/​etc/​amavis/​whitelist'​);​
 +read_hash(\%blacklist_sender,​ '/​etc/​amavis/​blacklist'​);​
 +read_hash(\%spam_lovers,​ '/​etc/​amavis/​spam_lovers'​);​
 +
 +
 +
 +# SOME EXAMPLES:
 +#
 +#ACL:
 +# @whitelist_sender_acl = qw( .example.com );
 +#
 +# @whitelist_sender_acl = ( "​.$mydomain"​ );  # $mydomain and its subdomains
 +# NOTE: This is not a reliable way of turning off spam checks for
 +#       ​locally-originating mail, as sender address can easily be faked.
 +#       To reliably avoid spam-scanning outgoing mail,
 +#       use @bypass_spam_checks_acl .
 +
 +#RE:
 +# $whitelist_sender_re = new_RE(
 +#   ​qr'​^postmaster@.*\bexample\.com$'​i,​
 +#   ​qr'​owner-[^@]*@'​i, ​ qr'​-request@'​i,​
 +#   ​qr'​\.example\.com$'​i );
 +#
 +$blacklist_sender_re = new_RE(
 +    qr'​^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'​i,​
 +    qr'​^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'​i,​
 +    qr'​^(new\.tld\.registry|opt-out|opt-in|optin|saveonl|smoking2002k)@'​i,​
 +    qr'​^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'​i,​
 +    qr'​^(workathome|yesitsfree|your_friend|greatoffers)@'​i,​
 +    qr'​^(inkjetplanet|marketopt|MakeMoney)\d*@'​i,​
 +);
 +
 +#HASH lookup variant:
 +# NOTE: Perl operator qw splits its argument string by whitespace
 +# and produces a list. This means that addresses can not contain
 +# whitespace, and there is no provision for comments within the string.
 +# You can use the normal Perl list syntax if you have special requirements,​
 +# e.g. map {...} ('one user@bla',​ '​.second.com'​),​ or use read_hash to read
 +# addresses from a file.
 +#
 +
 +# a hash lookup table can be read from a file,
 +# one address per line, comments and empty lines are permitted:
 +#
 +# read_hash(\%whitelist_sender,​ '/​var/​amavis/​whitelist_sender'​);​
 +
 +# ... or set directly:
 +map { $whitelist_sender{lc($_)}=1 } (qw(
 +  nobody@cert.org
 +  owner-alert@iss.net
 +  slashdot@slashdot.org
 +  bugtraq@securityfocus.com
 +  NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
 +  security-alerts@linuxsecurity.com
 +  amavis-user-admin@lists.sourceforge.net
 +  razor-users-admin@lists.sourceforge.net
 +  notification-return@lists.sophos.com
 +  mailman-announce-admin@python.org
 +  zope-announce-admin@zope.org
 +  owner-postfix-users@postfix.org
 +  owner-postfix-announce@postfix.org
 +  owner-sendmail-announce@lists.sendmail.org
 +  sendmail-announce-request@lists.sendmail.org
 +  ca+envelope@sendmail.org
 +  owner-technews@postel.ACM.ORG
 +  lvs-users-admin@LinuxVirtualServer.org
 +  ietf-123-owner@loki.ietf.org
 +  cvs-commits-list-admin@gnome.org
 +  rt-users-admin@lists.fsck.com
 +  owner-announce@mnogosearch.org
 +  owner-hackers@ntp.org
 +  owner-bugs@ntp.org
 +  clp-request@comp.nus.edu.sg
 +  surveys-errors@lists.nua.ie
 +  emailNews@genomeweb.com
 +  owner-textbreakingnews@CNNIMAIL12.CNN.COM
 +  yahoo-dev-null@yahoo-inc.com
 +));
 +
 +
 +# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT
 +
 +# The same semantics as for global white/​blacklisting applies, but this
 +# time each recipient (or its domain, or subdomain, ...) can be given
 +# an individual lookup table for matching senders. The per-recipient lookups
 +# override the global lookups, which serve as a fallback default.
 +
 +# Specify a two-level lookup table: the key for the outer table is recipient,
 +# and the result should be an inner lookup table (hash or ACL or RE),
 +# where the key used will be the sender.
 +#
 +#​$per_recip_blacklist_sender_lookup_tables = {
 +# '​user1@my.example.com'​=>​new_RE(qr'​^(inkjetplanet|marketopt|MakeMoney)\d*@'​i),​
 +# '​user2@my.example.com'​=>​[qw( spammer@d1.example,​org .d2.example,​org )],
 +#};
 +#​$per_recip_whitelist_sender_lookup_tables = {
 +# '​user@my.example.com'​ => [qw( friend@example.org .other.example.org )],
 +# '​.my1.example.com' ​   => [qw( !foe.other.example,​org .other.example,​org )],
 +# '​.my2.example.com' ​   => read_hash('/​var/​amavis/​my2-wl.dat'​),​
 +# '​abuse@'​ => { '​postmaster@'​=>​1,​
 +#               '​cert-advisory-owner@cert.org'​=>​1,​ '​owner-alert@iss.net'​=>​1 },
 +#};
 +
 +
 +#
 +# Section VI - Resource limits
 +#
 +
 +# Sanity limit to the number of allowed recipients per SMTP transaction
 +# $smtpd_recipient_limit = 1000;  # (default is 1000)
 +
 +
 +# Resource limits to protect unpackers, decompressors and virus scanners
 +# against mail bombs (e.g. 42.zip)
 +
 +# Maximum recursion level for extraction/​decoding (0 or undef disables limit)
 +$MAXLEVELS = 14; # (default is undef, no limit)
 +
 +# Maximum number of extracted files (0 or undef disables the limit)
 +$MAXFILES = 1500; # (default is undef, no limit)
 +
 +# For the cumulative total of all decoded mail parts we set max storage size
 +# to defend against mail bombs. Even though parts may be deleted (replaced
 +# by decoded text) during decoding, the size they occupied is _not_ returned
 +# to the quota pool.
 +#
 +# Parameters to storage quota formula for unpacking/​decoding/​decompressing
 +#   ​Formula:​
 +#     quota = max($MIN_EXPANSION_QUOTA,​
 +#                 ​$mail_size*$MIN_EXPANSION_FACTOR,​
 +#                 ​min($MAX_EXPANSION_QUOTA,​ $mail_size*$MAX_EXPANSION_FACTOR))
 +#   In plain words (later condition overrules previous ones):
 +#     allow MAX_EXPANSION_FACTOR times initial mail size,
 +#     but not more than MAX_EXPANSION_QUOTA,​
 +#     but not less than MIN_EXPANSION_FACTOR times initial mail size,
 +#     but never less than MIN_EXPANSION_QUOTA
 +#
 +$MIN_EXPANSION_QUOTA =      100*1024; ​ # bytes  (default undef, not enforced)
 +$MAX_EXPANSION_QUOTA = 300*1024*1024; ​ # bytes  (default undef, not enforced)
 +$MIN_EXPANSION_FACTOR =   ​5; ​ # times original mail size  (must be specified)
 +$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (must be specified)
 +
 +
 +#
 +# Section VII - External programs, virus scanners
 +#
 +
 +# Specify a path string, which is a colon-separated string of directories
 +# (no trailing slashes!) to be assigned to the environment variable PATH
 +# and to serve for locating external programs below.
 +
 +# NOTE: if $daemon_chroot_dir is nonempty, the directories will be
 +#       ​relative to the chroot directory specified;
 +
 +$path = '/​usr/​local/​sbin:/​usr/​local/​bin:/​usr/​sbin:/​sbin:/​usr/​bin:/​bin';​
 +
 +# Specify one string or a search list of strings (first match wins).
 +# The string (or: each string in a list) may be an absolute path,
 +# or just a program name, to be located via $path;
 +# Empty string or undef (=default) disables the use of that external program.
 +# Optionally command arguments may be specified - only the first substring
 +# up to the whitespace is used for file searching.
 +
 +$file   = '​file'; ​  # file(1) utility; use 3.41 or later to avoid vulnerability
 +
 +$gzip   = '​gzip';​
 +$bzip2 ​ = '​bzip2';​
 +$lzop   = '​lzop';​
 +$uncompress = ['​uncompress',​ 'gzip -d', '​zcat'​];​
 +$unfreeze ​  = ['​unfreeze',​ '​freeze -d', '​melt',​ '​fcat'​];​
 +$arc        = ['​nomarch',​ '​arc'​];​
 +$unarj ​     = ['​arj',​ '​unarj'​]; ​ # both can extract, arj is recommended
 +$unrar ​     = ['​rar',​ '​unrar'​]; ​ # both can extract, same options
 +$zoo    = '​zoo';​
 +$lha    = '​lha';​
 +$cpio   = '​cpio'; ​  # comment out if cpio does not support GNU options
 +
 +
 +# SpamAssassin settings
 +
 +# $sa_local_tests_only is passed to Mail::​SpamAssassin::​new as a value
 +# of the option local_tests_only. See Mail::​SpamAssassin man page.
 +# If set to 1, SA tests are restricted to local tests only, i.e. no tests
 +# that require internet access will be performed.
 +#
 +$sa_local_tests_only = 0;   # (default: false)
 +$sa_auto_whitelist = 1;    # turn on AWL (default: false)
 +
 +# Timout for SpamAssassin. This is only used if spamassassin does NOT
 +# override it (which it often does if sa_local_tests_only is not true)
 +$sa_timeout = 30;           # timeout in seconds for a call to SpamAssassin
 +                            # (default is 30 seconds, undef disables it)
 +
 +# AWL (auto whitelisting),​ requires spamassassin 2.44 or better
 +# $sa_auto_whitelist = 1;   # defaults to undef
 +
 +$sa_mail_body_size_limit = 150*1024; ​ # don't waste time on SA is mail is larger
 +     # (less than 1% of spam is > 64k)
 +     # default: undef, no limitations
 +
 +# default values, can be overridden by more specific lookups, e.g. SQL
 +$sa_tag_level_deflt ​ = 3.0; # add spam info headers if at, or above that level
 +$sa_tag2_level_deflt = 6.3; # add 'spam detected'​ headers at that level
 +$sa_kill_level_deflt = $sa_tag2_level_deflt;​ # triggers spam evasive actions
 +                           # at or above that level: bounce/​reject/​drop,​
 +                           # quarantine, and adding mail address extension
 +
 +$sa_dsn_cutoff_level = 10;  # spam level beyond which a DSN is not sent,
 +                            # effectively turning D_BOUNCE into D_DISCARD;
 +                            # undef disables this feature and is a default;
 +
 +#
 +# The $sa_tag_level_deflt,​ $sa_tag2_level_deflt and $sa_kill_level_deflt
 +# may also be hashrefs to hash lookup tables, to make static per-recipient
 +# settings possible without having to resort to SQL or LDAP lookups.
 +
 +# a quick reference:
 +#   ​tag_level ​ controls adding the X-Spam-Status and X-Spam-Level headers,
 +#   ​tag2_level controls adding '​X-Spam-Flag:​ YES', and editing Subject,
 +#   ​kill_level controls '​evasive actions'​ (reject, quarantine, extensions);​
 +# it only makes sense to maintain the relationship:​
 +# tag_level <= tag2_level <= kill_level < $sa_dsn_cutoff_level
 +
 +# string to prepend to Subject header field when message exceeds tag2 level
 +$sa_spam_subject_tag = '​***SPAM*** '; # (defaults to undef, disabled)
 +      # (only seen when spam is not to be rejected
 +      # and recipient is in local_domains*)
 +
 +#​$sa_spam_modifies_subj = 1; # may be a ref to a lookup table, default is true
 +# Example: modify Subject for all local recipients except user@example.com
 +#​$sa_spam_modifies_subj = [qw( !user@example.com . )];
 +
 +# stop anti-virus scanning when the first scanner detects a virus?
 +$first_infected_stops_scan = 1;  # default is false, all scanners are called
 +
 +# @av_scanners is a list of n-tuples, where fields semantics is:
 +#  1. av scanner plain name, to be used in log and reports;
 +#  2. scanner program name; this string will be submitted to subroutine
 +#     ​find_external_programs(),​ which will try to find the full program
 +#     path name; if program is not found, this scanner is disabled.
 +#     ​Besides a simple string (full program path name or just the basename
 +#     to be looked for in PATH), this may be an array ref of alternative
 +#     ​program names or full paths - the first match in the list will be used;
 +#     As a special case for more complex scanners, this field may be
 +#     a subroutine reference, and the whole n-tuple is passed to it as args.
 +#  3. command arguments to be given to the scanner program;
 +#     a substring {} will be replaced by the directory name to be scanned,
 +#     i.e. "​$tempdir/​parts",​ a "​*"​ will be replaced by file names of parts;
 +#  4. an array ref of av scanner exit status values, or a regexp (to be
 +#     ​matched against scanner output), indicating NO VIRUSES found;
 +#  5. an array ref of av scanner exit status values, or a regexp (to be
 +#     ​matched against scanner output), indicating VIRUSES WERE FOUND;
 +#     Note: the virus match prevails over a 'not found' match, so it is safe
 +#     even if the no. 4. matches for viruses too;
 +#  6. a regexp (to be matched against scanner output), returning a list
 +#     of virus names found.
 +#  7. and 8.: (optional) subroutines to be executed before and after scanner
 +#     (e.g. to set environment or current directory);
 +#     see examples for these at KasperskyLab AVP and Sophos sweep.
 +
 +# NOTES:
 +#
 +# - NOT DEFINING @av_scanners (e.g. setting it to empty list, or deleting the
 +#   whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE
 +#   ​(which can be handy if all you want to do is spam scanning);
 +#
 +# - the order matters: although _all_ available entries from the list are
 +#   ​always tried regardless of their verdict, scanners are run in the order
 +#   ​specified:​ the report from the first one detecting a virus will be used
 +#   ​(providing virus names and scanner output); REARRANGE THE ORDER TO WILL;
 +#
 +# - it doesn'​t hurt to keep an unused command line scanner entry in the list
 +#   if the program can not be found; the path search is only performed once
 +#   ​during the program startup;
 +#
 +#   ​COROLLARY:​ to disable a scanner that _does_ exist on your system,
 +#   ​comment out its entry or use undef or ''​ as its program name/path
 +#   ​(second parameter). An example where this is almost a must: disable
 +#   ​Sophos '​sweep'​ if you have its daemonized version Sophie or SAVI-Perl
 +#   (same for Trophie/​vscan,​ and clamd/​clamscan),​ or if another unrelated
 +#   ​program happens to have a name matching one of the entries ('​sweep'​
 +#   again comes to mind);
 +#
 +# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES
 +#   for interfacing (where the second parameter starts with \&).
 +#   ​Keeping such entry and not having a corresponding virus scanner daemon
 +#   ​causes an unnecessary connection attempt (which eventually times out,
 +#   but it wastes precious time). For this reason the daemonized entries
 +#   are commented in the distribution - just remove the '#'​ where needed.
 +#
 +# CERT list of av resources: http://​www.cert.org/​other_sources/​viruses.html
 +
 +@av_scanners = (
 +
 +# ### http://​www.vanja.com/​tools/​sophie/​
 +# ['​Sophie',​
 +#   ​\&​ask_daemon,​ ["​{}/​\n",​ '/​var/​run/​sophie'​],​
 +#   ​qr/​(?​x)^ 0+ ( : | [\000\r\n]* $)/,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
 +#   ​qr/​(?​x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
 +
 +# ### http://​www.csupomona.edu/​~henson/​www/​projects/​SAVI-Perl/​
 +# ['​Sophos SAVI', \&​sophos_savi ],
 +
 +### http://​www.clamav.net/​
 +['Clam Antivirus-clamd',​
 +  \&​ask_daemon,​ ["​CONTSCAN {}\n", "/​var/​run/​clamav/​clamd.ctl"​],​
 +  qr/\bOK$/, qr/​\bFOUND$/,​
 +  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
 +# NOTE: run clamd under the same user as amavisd; ​ match the socket
 +# name (LocalSocket) in clamav.conf to the socket name in this entry
 +# When running chrooted one may prefer: ["​CONTSCAN {}\n","​$MYHOME/​clamd"​],​
 +
 +# ### http://​www.openantivirus.org/​
 +# ['​OpenAntiVirus ScannerDaemon (OAV)',​
 +#   ​\&​ask_daemon,​ ["SCAN {}\n", '​127.0.0.1:​8127'​],​
 +#   ​qr/​^OK/,​ qr/^FOUND: /, qr/^FOUND: (.+)/ ],
 +
 +# ### http://​www.vanja.com/​tools/​trophie/​
 +# ['​Trophie',​
 +#   ​\&​ask_daemon,​ ["​{}/​\n",​ '/​var/​run/​trophie'​],​
 +#   ​qr/​(?​x)^ 0+ ( : | [\000\r\n]* $)/,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
 +#   ​qr/​(?​x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
 +
 +# ### http://​www.grisoft.com/​
 +# ['AVG Anti-Virus',​
 +#   ​\&​ask_daemon,​ ["SCAN {}\n", '​127.0.0.1:​55555'​],​
 +#   ​qr/​^200/,​ qr/^403/, qr/^403 .*?: (.+)/ ],
 +
 +# ### http://​www.f-prot.com/​
 +# ['​FRISK F-Prot Daemon',​
 +#   ​\&​ask_daemon,​
 +#   ​["​GET {}/​*?​-dumb%20-archive%20-packed HTTP/​1.0\r\n\r\n",​
 +#     ​['​127.0.0.1:​10200','​127.0.0.1:​10201','​127.0.0.1:​10202',​
 +#      '​127.0.0.1:​10203','​127.0.0.1:​10204'​] ],
 +#   ​qr/​(?​i)<​summary[^>​]*>​clean<​\/​summary>/,​
 +#   ​qr/​(?​i)<​summary[^>​]*>​infected<​\/​summary>/,​
 +#   ​qr/​(?​i)<​name>​(.+)<​\/​name>/​ ],
 +
 +  ['​KasperskyLab AVP - aveclient',​
 +    ['/​usr/​local/​kav/​bin/​aveclient','/​usr/​local/​share/​kav/​bin/​aveclient',​
 +     '/​opt/​kav/​bin/​aveclient','​aveclient'​],​
 +    '-p /​var/​run/​aveserver -s {}/*', [0,3,6,8], qr/​\b(INFECTED|SUSPICION)\b/,​
 +    qr/​(?:​INFECTED|SUSPICION) (.+)/,
 +  ],
 +
 +  ['​KasperskyLab AntiViral Toolkit Pro (AVP)',​ ['​avp'​],​
 +    '-* -P -B -Y -O- {}', [0,​8,​16,​24],​ [2,3,4,5,6, 18,​19,​20,​21,​22],​
 +    qr/​infected:​ (.+)/,
 +    sub {chdir('/​opt/​AVP'​) or die "​Can'​t chdir to AVP: $!"},
 +    sub {chdir($TEMPBASE) or die "​Can'​t chdir back to $TEMPBASE $!"},
 +  ],
 +
 +  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
 +  ### products and replaced by aveserver and aveclient
 +  ['​KasperskyLab AVPDaemonClient',​
 +    [ '/​opt/​AVP/​kavdaemon', ​      '​kavdaemon',​
 +      '/​opt/​AVP/​AvpDaemonClient',​ '​AvpDaemonClient',​
 +      '/​opt/​AVP/​AvpTeamDream', ​   '​AvpTeamDream',​
 +      '/​opt/​AVP/​avpdc',​ '​avpdc'​ ],
 +    "​-f=$TEMPBASE {}", [0,​8,​16,​24],​ [2,3,4,5,6, 18,​19,​20,​21,​22],​
 +    qr/​infected:​ ([^\r\n]+)/ ],
 +    # change the startup-script in /​etc/​init.d/​kavd to:
 +    #   ​DPARMS="​-* -Y -dl -f=/​var/​amavis /​var/​amavis"​
 +    #   (or perhaps: ​  ​DPARMS="​-I0 -Y -* /​var/​amavis"​ )
 +    # adjusting /var/amavis above to match your $TEMPBASE.
 +    # The '​-f=/​var/​amavis'​ is needed if not running it as root, so it
 +    # can find, read, and write its pid file, etc., see 'man kavdaemon'​.
 +    # defUnix.prf:​ there must be an entry "​*/​var/​amavis"​ (or whatever
 +    #   ​directory $TEMPBASE specifies) in the '​Names='​ section.
 +    # cd /​opt/​AVP/​DaemonClients;​ configure; cd Sample; make
 +    # cp AvpDaemonClient /opt/AVP/
 +    # su - vscan -c "​${PREFIX}/​kavdaemon ${DPARMS}"​
 +
 +  ### http://​www.hbedv.com/​ or http://​www.centralcommand.com/​
 +  ['​H+BEDV AntiVir or CentralCommand Vexira Antivirus',​
 +    ['​antivir','​vexira'​],​
 +    '​--allfiles -noboot -nombr -rs -s -z {}', [0], qr/​ALERT:​|VIRUS:/,​
 +    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
 +         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s'​]+ )/ ],
 +    # NOTE: if you only have a demo version, remove -z and add 214, as in:
 +    #  '​--allfiles -noboot -nombr -rs -s {}', [0,214], qr/​ALERT:​|VIRUS:/,​
 +
 +  ### http://​www.commandsoftware.com/​
 +  ['​Command AntiVirus for Linux',​ '​csav',​
 +    '-all -archive -packed {}', [50], [51,52,53],
 +    qr/​Infection:​ (.+)/ ],
 +
 +  ### http://​www.symantec.com/​
 +  ['​Symantec CarrierScan via Symantec CommandLineScanner',​
 +    '​cscmdline',​ '-a scan -i 1 -v -s 127.0.0.1:​7777 {}',
 +    qr/^Files Infected:​\s+0$/,​ qr/​^Infected\b/,​
 +    qr/​^(?:​Info|Virus Name):​\s+(.+)/​ ],
 +
 +  ### http://​www.symantec.com/​
 +  ['​Symantec AntiVirus Scan Engine',​
 +    '​savsecls',​ '​-server 127.0.0.1:​7777 -mode scanrepair -details -verbose {}',
 +    [0], qr/​^Infected\b/,​
 +    qr/​^(?:​Info|Virus Name):​\s+(.+)/​ ],
 +    # NOTE: check options and patterns to see which entry better applies
 +
 +  ### http://​www.sald.com/,​ http://​drweb.imshop.de/​
 +  ['​drweb - DrWeb Antivirus',​
 +    ['/​usr/​local/​drweb/​drweb',​ '/​opt/​drweb/​drweb',​ '​drweb'​],​
 +    '​-path={} -al -go -ot -cn -upn -ok-',
 +    [0,32], [1,33], qr' infected (?:​with|by)(?:​ virus)? (.*)$'​],​
 +
 +# ### http://​www.sald.com/,​ http://​www.dials.ru/​english/,​ http://​www.drweb.ru/​
 +# ['​DrWebD',​ \&​ask_daemon, ​  # DrWebD 4.31 or later
 +#   ​[pack('​N',​1). ​ # DRWEBD_SCAN_CMD
 +#    pack('​N',​0x00280001). ​  # DONT_CHANGEMAIL,​ IS_MAIL, RETURN_VIRUSES
 +#    pack('​N', ​    # path length
 +#      length("​$TEMPBASE/​amavis-yyyymmddTHHMMSS-xxxxx/​parts/​part-xxxxx"​)).
 +#    '​{}/​*'​. ​      # path
 +#    pack('​N',​0). ​ # content size
 +#    pack('​N',​0),​
 +#    '/​var/​drweb/​run/​drwebd.sock',​
 +#  # '/​var/​amavis/​var/​run/​drwebd.sock', ​  # suitable for chroot
 +#  # '/​usr/​local/​drweb/​run/​drwebd.sock', ​ # FreeBSD drweb ports default
 +#  # '​127.0.0.1:​3000', ​                   # or over an inet socket
 +#   ],
 +#   ​qr/​\A\x00(\x10|\x11)\x00\x00/​s, ​             # IS_CLEAN, EVAL_KEY
 +#   ​qr/​\A\x00(\x00|\x01)\x00(\x20|\x40|\x80)/​s, ​ # KNOWN_V, UNKNOWN_V, V._MODIF
 +#   ​qr/​\A.{12}(?:​infected with )?​([^\x00]+)\x00/​s,​
 +# ],
 +# # NOTE: If you are using amavis-milter,​ change length to:
 +# # length("​$TEMPBASE/​amavis-milter-xxxxxxxxxxxxxx/​parts/​part-xxxxx"​).
 +
 +  ### http://​www.f-secure.com/​products/​anti-virus/​
 +  ['​F-Secure Antivirus',​ '​fsav',​
 +   '​--dumb --mime --archive {}', [0], [3,8],
 +   ​qr/​(?:​infection|Infected|Suspected):​ (.+)/ ],
 +
 +  ['CAI InoculateIT',​ '​inocucmd',​
 +    '-sec -nex {}', [0], [100],
 +    qr/was infected by virus (.+)/ ],
 +
 +  ['​MkS_Vir for Linux (beta)',​ ['​mks32','​mks'​],​
 +    '-s {}/*', [0], [1,​2], ​   # any use for options: -a -c  ?
 +    qr/--[ \t]*(.+)/ ], 
 +
 +  ### http://​www.nod32.com/​
 +  ['ESET Software NOD32',​ '​nod32',​
 +    '-all -subdir+ {}', [0], [1,2],
 +    qr/^.+? - (.+?​)\s*(?:​backdoor|joke|trojan|virus|worm)/​ ],
 +
 +  ### http://​www.nod32.com/​
 +  ['ESET Software NOD32 - Client/​Server Version',​ '​nod32cli',​
 +    '-a -r -d recurse --heur standard {}', [0], [10,11],
 +    qr/​^\S+\s+infected:​\s+(.+)/​ ],
 +
 +  ### http://​www.norman.com/​products_nvc.shtml
 +  ['​Norman Virus Control v5 / Linux',​ '​nvcc',​
 +    '-c -l:0 -s -u {}', [0], [1],
 +    qr/(?i).* virus in .* -> \'​(.+)\'/​ ],
 +
 +  ### http://​www.pandasoftware.com/​
 +  ['​Panda Antivirus for Linux',​ ['​pavcl'​],​
 +    '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
 +    qr/Number of files infected[ .]*: 0(?!\d)/,
 +    qr/Number of files infected[ .]*: 0*[1-9]/,
 +    qr/Found virus :\s*(\S+)/ ],
 +
 +# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
 +# Check your RAV license terms before fiddling with the following two lines!
 +# ['​GeCAD RAV AntiVirus 8', '​ravav',​
 +#   '​--all --archive --mail {}', [1], [2,3,4,5], qr/​Infected:​ (.+)/ ],
 +# # NOTE: the command line switches changed with scan engine 8.5 !
 +# # (btw, assigning stdin to /dev/null causes RAV to fail)
 +
 +  ### http://​www.nai.com/​
 +  ['NAI McAfee AntiVirus (uvscan)',​ '​uvscan',​
 +    '​--secure -rv --mime --summary --noboot - {}', [0], [13],
 +    qr/(?x) Found (?:
 +        \ the\ (.+)\ (?:​virus|trojan) ​ |
 +        \ (?:​virus|trojan)\ or\ variant\ ([^ ]+)  |
 +        :\ (.+)\ NOT\ a\ virus)/,
 +  # sub {$ENV{LD_PRELOAD}='/​lib/​libc.so.6'​},​
 +  # sub {delete $ENV{LD_PRELOAD}},​
 +  ],
 +  # NOTE1: with RH9: force the dynamic linker to look at /​lib/​libc.so.6 before
 +  # anything else by setting environment variable LD_PRELOAD=/​lib/​libc.so.6
 +  # and then clear it when finished to avoid confusing anything else.
 +  # NOTE2: to treat encrypted files as viruses replace the [13] with:
 +  #  qr/​^\s{5,​}(Found|is password-protected|.*(virus|trojan))/​
 +
 +  ### http://​www.virusbuster.hu/​en/​
 +  ['​VirusBuster',​ ['​vbuster',​ '​vbengcl'​],​
 +    # VirusBuster Ltd. does not support the daemon version for the workstation ​
 +    # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
 +    # binaries, some parameters AND return codes (from 3 to 1) changed.
 +    "{} -ss -i '​*'​ -log=$MYHOME/​vbuster.log",​ [0], [1],
 +    qr/: '​(.*)'​ - Virus/ ],
 +
 +# ### http://​www.virusbuster.hu/​en/​
 +# ['​VirusBuster (Client + Daemon)',​ '​vbengd',​
 +#   # HINT: for an infected file it returns always 3,
 +#   # although the man-page tells a different story
 +#   '​-f -log scandir {}', [0], [3],
 +#   ​qr/​Virus found = (.*);/ ],
 +
 +  ### http://​www.cyber.com/​
 +  ['​CyberSoft VFind',​ '​vfind',​
 +    '​--vexit {}/*', [0], [23], qr/##​==>>>>​ VIRUS ID: CVDL (.+)/,
 +  # sub {$ENV{VSTK_HOME}='/​usr/​lib/​vstk'​},​
 +  ],
 +
 +  ### http://​www.ikarus-software.com/​
 +  ['​Ikarus AntiVirus for Linux',​ '​ikarus',​
 +    '​{}',​ [0], [40], qr/​Signature (.+) found/ ],
 +
 +  ### http://​www.bitdefender.com/​
 +  ['​BitDefender',​ '​bdc',​
 +    '--all --arc --mail {}', qr/​^Infected files *:0(?!\d)/,
 +    qr/​^(?:​Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
 +    qr/​(?:​suspected|infected):​ (.*)(?:​\033|$)/​ ],
 +);
 +
 +# If no virus scanners from the @av_scanners list produce '​clean'​ nor
 +# '​infected'​ status (e.g. they all fail to run or the list is empty),
 +# then _all_ scanners from the @av_scanners_backup list are tried.
 +# When there are both daemonized and command-line scanners available,
 +# it is customary to place slower command-line scanners in the
 +# @av_scanners_backup list. The default choice is somewhat arbitrary,
 +# move entries from one list to another as desired.
 +
 +@av_scanners_backup = (
 +
 +  ### http://​www.clamav.net/​
 +  ['Clam Antivirus - clamscan',​ '​clamscan',​
 +    "​--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
 +    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
 +
 +  ### http://​www.f-prot.com/​
 +  ['​FRISK F-Prot Antivirus',​ ['​f-prot','​f-prot.sh'​],​
 +    '-dumb -archive -packed {}', [0,8], [3,6],
 +    qr/​Infection:​ (.+)/ ],
 +
 +  ### http://​www.trendmicro.com/​
 +  ['​Trend Micro FileScanner',​ ['/​etc/​iscan/​vscan','​vscan'​],​
 +    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
 +
 +  ['​KasperskyLab kavscanner',​ ['/​opt/​kav/​bin/​kavscanner','​kavscanner'​],​
 +    '-i1 -xp {}', [0,10,15], [5,​20,​21,​25],​
 +    qr/​(?:​CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
 +    sub {chdir('/​opt/​kav/​bin'​) or die "​Can'​t chdir to kav: $!"},
 +    sub {chdir($TEMPBASE) or die "​Can'​t chdir back to $TEMPBASE $!"},
 +  ],
 +
 +# Commented out because the name '​sweep'​ clashes with the Debian package of
 +# the same name. Make sure the correct sweep is found in the path when enabling
 +#
 +# ### http://​www.sophos.com/​
 +# ['​Sophos Anti Virus (sweep)',​ '​sweep',​
 +#   '​-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}',
 +#   ​[0,​2],​ qr/Virus .*? found/,
 +#   ​qr/​^>>>​ Virus(?: fragment)? '?​(.*?​)'?​ found/,
 +# ],
 +# # other options to consider: -mime -oe -idedir=/​usr/​local/​sav
 +
 +# always succeeds (uncomment to consider mail clean if all other scanners fail)
 +# ['​always-clean',​ sub {0}],
 +
 +);
 +
 +
 +#
 +# Section VIII - Debugging
 +#
 +
 +# The most useful debugging tool is to run amavisd-new non-detached
 +# from a terminal window:
 +# amavisd debug
 +
 +# Some more refined approaches:
 +
 +# If sender matches ACL, turn log level fully up, just for this one message,
 +# and preserve temporary directory
 +#​@debug_sender_acl = ( "​test-sender\@$mydomain"​ );
 +#​@debug_sender_acl = qw( debug@example.com );
 +
 +# May be useful along with @debug_sender_acl:​
 +# Prevent all decoded originals being deleted (replaced by decoded part)
 +#​$keep_decoded_original_re = new_RE( qr/.*/ );
 +
 +# Turn on SpamAssassin debugging (output to STDERR, use with '​amavisd debug'​)
 +$sa_debug = 1;            # defaults to false
 +
 +#​-------------
 +1;  # insure a defined return
 +</​code>​