From: Frank Brehm Date: Thu, 8 Dec 2011 23:20:19 +0000 (+0100) Subject: Erste Dateien dazu X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=65930f3a70f92e07db42c9283065d2a7fe96e161;p=config%2Fhelga%2Fetc.git Erste Dateien dazu --- diff --git a/DIR_COLORS b/DIR_COLORS new file mode 100644 index 0000000..985fcae --- /dev/null +++ b/DIR_COLORS @@ -0,0 +1,223 @@ +# Configuration file for dircolors, a utility to help you set the +# LS_COLORS environment variable used by GNU ls with the --color option. + +# Copyright (C) 1996, 1999-2010 Free Software Foundation, Inc. +# Copying and distribution of this file, with or without modification, +# are permitted provided the copyright notice and this notice are preserved. + +# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the +# slackware version of dircolors) are recognized but ignored. + +# You can copy this file to .dir_colors in your $HOME directory to override +# the system defaults. + +# Below, there should be one TERM entry for each termtype that is colorizable +TERM Eterm +TERM ansi +TERM color-xterm +TERM con132x25 +TERM con132x30 +TERM con132x43 +TERM con132x60 +TERM con80x25 +TERM con80x28 +TERM con80x30 +TERM con80x43 +TERM con80x50 +TERM con80x60 +TERM cons25 +TERM console +TERM cygwin +TERM dtterm +TERM eterm-color +TERM gnome +TERM gnome-256color +TERM jfbterm +TERM konsole +TERM kterm +TERM linux +TERM linux-c +TERM mach-color +TERM mlterm +TERM putty +TERM rxvt +TERM rxvt-256color +TERM rxvt-cygwin +TERM rxvt-cygwin-native +TERM rxvt-unicode +TERM rxvt-unicode-256color +TERM rxvt-unicode256 +TERM screen +TERM screen-256color +TERM screen-256color-bce +TERM screen-bce +TERM screen-w +TERM screen.rxvt +TERM screen.linux +TERM terminator +TERM vt100 +TERM xterm +TERM xterm-16color +TERM xterm-256color +TERM xterm-88color +TERM xterm-color +TERM xterm-debian + +# Below are the color init strings for the basic file types. A color init +# string consists of one or more of the following numeric codes: +# Attribute codes: +# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed +# Text color codes: +# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white +# Background color codes: +# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white +#NORMAL 00 # no color code at all +#FILE 00 # regular file: use no color at all +RESET 0 # reset to "normal" color +DIR 01;34 # directory +LINK 01;36 # symbolic link. (If you set this to 'target' instead of a + # numerical value, the color is as for the file pointed to.) +MULTIHARDLINK 00 # regular file with more than one link +FIFO 40;33 # pipe +SOCK 01;35 # socket +DOOR 01;35 # door +BLK 40;33;01 # block device driver +CHR 40;33;01 # character device driver +ORPHAN 01;05;37;41 # orphaned syminks +MISSING 01;05;37;41 # ... and the files they point to +SETUID 37;41 # file that is setuid (u+s) +SETGID 30;43 # file that is setgid (g+s) +CAPABILITY 30;41 # file with capability +STICKY_OTHER_WRITABLE 30;42 # dir that is sticky and other-writable (+t,o+w) +OTHER_WRITABLE 34;42 # dir that is other-writable (o+w) and not sticky +STICKY 37;44 # dir with the sticky bit set (+t) and not other-writable + +# This is for files with execute permission: +EXEC 01;32 + +# List any file extensions like '.gz' or '.tar' that you would like ls +# to colorize below. Put the extension, a space, and the color init string. +# (and any comments you want to add after a '#') + +# If you use DOS-style suffixes, you may want to uncomment the following: +#.cmd 01;32 # executables (bright green) +#.exe 01;32 +#.com 01;32 +#.btm 01;32 +#.bat 01;32 +# Or if you want to colorize scripts even if they do not have the +# executable bit actually set. +#.sh 01;32 +#.csh 01;32 + + # archives or compressed (bright red) +.tar 01;31 +.tgz 01;31 +.arj 01;31 +.taz 01;31 +.lzh 01;31 +.lzma 01;31 +.tlz 01;31 +.txz 01;31 +.zip 01;31 +.z 01;31 +.Z 01;31 +.dz 01;31 +.gz 01;31 +.lz 01;31 +.xz 01;31 +.bz2 01;31 +.bz 01;31 +.tbz 01;31 +.tbz2 01;31 +.tz 01;31 +.deb 01;31 +.rpm 01;31 +.jar 01;31 +.rar 01;31 +.ace 01;31 +.zoo 01;31 +.cpio 01;31 +.7z 01;31 +.rz 01;31 + +# image formats +.jpg 01;35 +.jpeg 01;35 +.gif 01;35 +.bmp 01;35 +.pbm 01;35 +.pgm 01;35 +.ppm 01;35 +.tga 01;35 +.xbm 01;35 +.xpm 01;35 +.tif 01;35 +.tiff 01;35 +.png 01;35 +.svg 01;35 +.svgz 01;35 +.mng 01;35 +.pcx 01;35 +.mov 01;35 +.mpg 01;35 +.mpeg 01;35 +.m2v 01;35 +.mkv 01;35 +.ogm 01;35 +.mp4 01;35 +.m4v 01;35 +.mp4v 01;35 +.vob 01;35 +.qt 01;35 +.nuv 01;35 +.wmv 01;35 +.asf 01;35 +.rm 01;35 +.rmvb 01;35 +.flc 01;35 +.avi 01;35 +.fli 01;35 +.flv 01;35 +.gl 01;35 +.dl 01;35 +.xcf 01;35 +.xwd 01;35 +.yuv 01;35 +.cgm 01;35 +.emf 01;35 + +# http://wiki.xiph.org/index.php/MIME_Types_and_File_Extensions +.axv 01;35 +.anx 01;35 +.ogv 01;35 +.ogx 01;35 + +# Document files +.pdf 00;32 +.ps 00;32 +.txt 00;32 +.patch 00;32 +.diff 00;32 +.log 00;32 +.tex 00;32 +.doc 00;32 + +# audio formats +.aac 00;36 +.au 00;36 +.flac 00;36 +.mid 00;36 +.midi 00;36 +.mka 00;36 +.mp3 00;36 +.mpc 00;36 +.ogg 00;36 +.ra 00;36 +.wav 00;36 + +# http://wiki.xiph.org/index.php/MIME_Types_and_File_Extensions +.axa 00;36 +.oga 00;36 +.spx 00;36 +.xspf 00;36 diff --git a/GeoIP.conf b/GeoIP.conf new file mode 100644 index 0000000..33f5526 --- /dev/null +++ b/GeoIP.conf @@ -0,0 +1,19 @@ +# If you purchase a subscription to the GeoIP database, +# then you will obtain a license key which you can +# use to automatically obtain updates. +# for more details, please go to +# http://www.maxmind.com/app/products + +# see https://www.maxmind.com/app/license_key_login to obtain License Key, +# UserId, and available ProductIds + +# Enter your license key here +LicenseKey YOUR_LICENSE_KEY_HERE + +# Enter your User ID here +UserId YOUR_USER_ID_HERE + +# Enter the Product ID(s) of the database(s) you would like to update +# By default 106 (MaxMind GeoIP Country) is listed below +ProductIds 106 + diff --git a/adjtime b/adjtime new file mode 100644 index 0000000..3537aac --- /dev/null +++ b/adjtime @@ -0,0 +1,3 @@ +0.000000 1294695034 0.000000 +1294695034 +UTC diff --git a/aliases b/aliases new file mode 120000 index 0000000..2dc1ac7 --- /dev/null +++ b/aliases @@ -0,0 +1 @@ +postfix/maps/aliases \ No newline at end of file diff --git a/amavisd.conf b/amavisd.conf new file mode 100644 index 0000000..0834395 --- /dev/null +++ b/amavisd.conf @@ -0,0 +1,2560 @@ +use strict; + +# Sample configuration file for amavisd-new (traditional style, chatty, +# you may prefer to start with the more concise supplied amavisd.conf) +# +# See amavisd.conf-default for a list of all variables with their defaults; +# for more details see documentation in INSTALL, README_FILES/* +# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html + +# This software is licensed under the GNU General Public License (GPL). +# See comments at the start of amavisd-new for the whole license text. + +#Sections: +# Section I - Essential daemon and MTA settings +# Section II - MTA specific +# Section III - Logging +# Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine +# Section V - Per-recipient and per-sender handling, whitelisting, etc. +# Section VI - Resource limits +# Section VII - External programs, virus scanners, SpamAssassin +# Section VIII - Debugging +# Section IX - Policy banks (dynamic policy switching) + +#GENERAL NOTES: +# This file is a normal Perl code, interpreted by Perl itself. +# - make sure this file (or directory where it resides) is NOT WRITABLE +# by mere mortals (not even vscan/amavis; best to make it owned by root), +# otherwise it can represent a severe security risk! +# - for values which are interpreted as booleans, it is recommended +# to use 1 for true, and 0 or undef or '' for false; +# Note that this interpretation of boolean values does not apply directly +# to LDAP and SQL lookups, which follow their own rules - see README.lookups +# and README.ldap (in short: use Y/N in SQL, and TRUE/FALSE in LDAP); +# - Perl syntax applies. Most notably: strings in "" may include variables +# (which start with $ or @); to include characters $ and @ and \ in double +# quoted strings precede them by a backslash; in single-quoted strings +# the $ and @ lose their special meaning, so it is usually easier to use +# single quoted strings (or qw operator) for e-mail addresses. +# In both types of quoting a backslash should to be doubled. +# - variables with names starting with a '@' are lists, the values assigned +# to them should be lists too, e.g. ('one@foo', $mydomain, "three"); +# note the comma-separation and parenthesis. If strings in the list +# do not contain spaces nor variables, a Perl operator qw() may be used +# as a shorthand to split its argument on whitespace and produce a list +# of strings, e.g. qw( one@foo example.com three ); Note that the argument +# to qw is quoted implicitly and no variable interpretation is done within +# (no '$' variable evaluations). The #-initiated comments can NOT be used +# within a string. In other words, $ and # lose their special meaning +# within a qw argument, just like within '...' strings. +# - all e-mail addresses in this file and as used internally by the daemon +# are in their raw (rfc2821-unquoted and non-bracketed) form, i.e. +# Bob "Funny" Dude@example.com, not: "Bob \"Funny\" Dude"@example.com +# and not <"Bob \"Funny\" Dude"@example.com>; also: '' and not '<>'. +# - the term 'default value' in examples below refers to the value of a +# variable pre-assigned to it by the program; any explicit assignment +# to a variable in this configuration file overrides the default value; + + +# +# Section I - Essential daemon and MTA settings +# + +# $MYHOME serves as a quick default for some other configuration settings. +# More refined control is available with each individual setting further down. +# $MYHOME is not used directly by the program. No trailing slash! +$MYHOME = '/var/amavis'; # (default is '/var/amavis'), -H + +# $mydomain serves as a quick default for some other configuration settings. +# More refined control is available with each individual setting further down. +# $mydomain is never used directly by the program. +$mydomain = 'brehm-online.com'; # (no useful default) + +# $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3) +$myhostname = 'helga.brehm-online.com'; + +# Set the user and group to which the daemon will change if started as root +# (otherwise just keeps the UID unchanged, and these settings have no effect): +$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u +$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g + +# Runtime working directory (cwd), and a place where +# temporary directories for unpacking mail are created. +# (no trailing slash, may be a scratch file system) +#$TEMPBASE = $MYHOME; # (must be set if other config vars use is), -T +$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean? + +#$db_home = "$MYHOME/db"; # DB databases directory, default "$MYHOME/db", -D + +# $helpers_home sets environment variable HOME, and is passed as option +# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory +# on a normal persistent file system, not a scratch or temporary file system +#$helpers_home = $MYHOME; # (defaults to $MYHOME), -S + +# Run the daemon in the specified chroot jail if nonempty: +#$daemon_chroot_dir = $MYHOME; # (default is undef, meaning: do not chroot), -R + +#$pid_file = "$MYHOME/amavisd.pid"; # (default is "$MYHOME/amavisd.pid"), -P +#$lock_file = "$MYHOME/amavisd.lock"; # (default is "$MYHOME/amavisd.lock"), -L + +# set environment variables if you want (no defaults): +$ENV{TMPDIR} = $TEMPBASE; # used for SA temporary files, by some decoders, etc. + +$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) +$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 + +$enable_dkim_verification = 0; # enable DKIM signatures verification +$enable_dkim_signing = 0; # load DKIM signing code, keys defined by dkim_key + +# MTA SETTINGS, UNCOMMENT AS APPROPRIATE, +# both $forward_method and $notify_method default to 'smtp:[127.0.0.1]:10025' + +# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4 +# (set host and port number as required; host can be specified +# as an IP address or a DNS name (A or CNAME, but MX is ignored) +#$forward_method = 'smtp:[127.0.0.1]:10025'; # where to forward checked mail +#$notify_method = $forward_method; # where to submit notifications + +#$os_fingerprint_method = 'p0f:127.0.0.1:2345'; # query p0f-analyzer.pl + +# To make it possible for several hosts to share one content checking daemon, +# the IP address and/or the port number in $forward_method and $notify_method +# may be spacified as an asterisk. An asterisk in the colon-separated +# second field (host) will be replaced by the SMTP client peer address, +# An asterisk in the third field (tcp port) will be replaced by the incoming +# SMTP/LMTP session port number plus one. This obsoletes the previously used +# less flexible configuration parameter $relayhost_is_client. An example: +# $forward_method = 'smtp:*:*'; $notify_method = 'smtp:*:10587'; + + +# NOTE: The defaults (above) are good for Postfix or dual-sendmail. You MUST +# uncomment the appropriate settings below if using other setups! + +# SENDMAIL MILTER, using amavis-milter.c helper program: +#$forward_method = undef; # no explicit forwarding, sendmail does it by itself +# milter; option -odd is needed to avoid deadlocks +#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}'; +# just a thought: can we use use -Am instead of -odd ? + +# SENDMAIL (old non-milter setup, as relay, deprecated): +#$forward_method = 'pipe:flags=q argv=/usr/sbin/sendmail -C/etc/sendmail.orig.cf -i -f ${sender} -- ${recipient}'; +#$notify_method = $forward_method; + +# SENDMAIL (old non-milter setup, amavis.c calls local delivery agent, deprecated): +#$forward_method = undef; # no explicit forwarding, amavis.c will call LDA +#$notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -f ${sender} -- ${recipient}'; + +# EXIM v3 (not recommended with v4 or later, which can use SMTP setup instead): +#$forward_method = 'pipe:flags=q argv=/usr/sbin/exim -oMr scanned-ok -i -f ${sender} -- ${recipient}'; +#$notify_method = $forward_method; + +# COURIER using courierfilter +#$forward_method = undef; # no explicit forwarding, Courier does it itself +#$notify_method = 'pipe:flags=q argv=perl -e $pid=fork();if($pid==-1){exit(75)}elsif($pid==0){exec(@ARGV)}else{exit(0)} /usr/sbin/sendmail -f ${sender} -- ${recipient}'; +# Only set $courierfilter_shutdown to 1 if you are using courierfilter to +# control the startup and shutdown of amavis +#$courierfilter_shutdown = 1; # (default 0) + +# prefer to collect mail for forwarding as BSMTP files? +#$forward_method = "bsmtp:$MYHOME/out-%i-%n.bsmtp"; +#$notify_method = $forward_method; + +@auth_mech_avail = qw(PLAIN LOGIN); +$auth_required_inp = 0; +$auth_required_out = 0; + +# Net::Server pre-forking settings +# The $max_servers should match the width of your MTA pipe +# feeding amavisd, e.g. with Postfix the 'Max procs' field in the +# master.cf file, like the '2' in the: smtp-amavis unix - - n - 2 smtp +# +$max_servers = 2; # num of pre-forked children (2..30 is common), -m +$max_requests = 20; # retire a child after that many accepts (default 20) + +$child_timeout=5*60; # abort child if it does not complete its processing in + # approximately n seconds (default: 8*60 seconds) + +$smtpd_timeout = 120; # disconnect session if client is idle for too long + # (default: 8*60 seconds); should be higher than a + # Postfix setting max_idle (default 100s) + +# Here is a QUICK WAY to completely DISABLE some sections of code +# that WE DO NOT WANT (it won't even be compiled-in). +# For more refined controls leave the following two lines commented out, +# and see further down what these two lookup lists really mean. +# +# @bypass_virus_checks_maps = (1); # controls running of anti-virus code +# @bypass_spam_checks_maps = (1); # controls running of anti-spam code +# $bypass_decode_parts = 1; # controls running of decoders&dearchivers +# +# Any setting can be changed with a new assignment, so make sure +# you do not unintentionally override these settings further down! + +# Check also the settings of @av_scanners at the end if you want to use +# virus scanners. If not, you may want to delete the whole long assignment +# to the variable @av_scanners and @av_scanners_backup, which will also +# remove the virus checking code (e.g. if you only want to do spam scanning). + + +# Lookup list of local domains (see README.lookups for syntax details) +# +# @local_domains_maps is a list of lookup tables which are used in deciding +# whether a recipient is local or not, or in other words, if the message is +# outgoing or not. This affects inserting spam-related and OS fingerprinting +# header fields for local recipients, editing Subject header field and allowing +# mail body defanging, limiting recipient notifications to local recipients, +# in deciding if address extension may be appended, in matching mail addresses +# to non-fqdn SQL record keys, for proper operation of pen pals feature, +# for selecting statistics counters (distinguishing outgoing from internal- +# to internal mail), and possibly more in future versions. +# Set it up correctly if you need features that rely on this setting. +# +# With Postfix (2.0) a quick hint on what local domains normally are: +# a union of domains specified in: mydestination, virtual_alias_domains, +# virtual_mailbox_domains, and relay_domains. + +@local_domains_maps = ( [".$mydomain"] ); # $mydomain and its subdomains +# @local_domains_maps = (); # default is empty list, no recip. considered local +# @local_domains_maps = # using ACL lookup table +# ( [ ".$mydomain", 'sub.example.net', '.example.com' ] ); +# @local_domains_maps = # similar, split list elements on whitespace +# ( [qw( .example.com !host.sub.example.net .sub.example.net )] ); +# @local_domains_maps = ( new_RE( qr'[@.]example\.com$'i ) ); # using regexp +# @local_domains_maps = ( read_hash("$MYHOME/local_domains") ); # using hash +# perhaps combined with Postfix: mydestination = /var/amavis/local_domains +# for debugging purposes: dump_hash($local_domains_maps[0]); +# +# Section II - MTA specific (defaults should be ok) +# + +#$insert_received_line = 1; # behave like MTA: insert 'Received:' header + # (does not apply to sendmail/milter) + # (default is true) + +# AMAVIS-CLIENT AND COURIER PROTOCOL INPUT SETTINGS (e.g. amavisd-release, or +# sendmail milter through helper clients like amavis-milter.c and amavis.c) +# option(s) -p overrides $inet_socket_port and $unix_socketname +$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket +#$unix_socketname = undef; # disable listening on a unix socket + # (default is undef, i.e. disabled) +#$unix_socketname = "/var/lib/courier/allfilters/amavisd"; # Courier socket + # (usual setting is $MYHOME/amavisd.sock) + +# SMTP SERVER (INPUT) PROTOCOL SETTINGS (e.g. with Postfix, Exim v4, ...) +# (used when MTA is configured to pass mail to amavisd via SMTP or LMTP) +$inet_socket_port = 10024; # accept SMTP on this local TCP port + # (default is undef, i.e. disabled) +# multiple ports may be provided: $inet_socket_port = [10024, 10026, 10028]; + +# SMTP SERVER (INPUT) access control +# - do not allow free access to the amavisd SMTP port !!! +# +# when MTA is at the same host, use the following (one or the other or both): +#$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface + # (default is '127.0.0.1') +@inet_acl = qw(127.0.0.1 [::1]); # allow SMTP access only from localhost IP + # (default is qw(127.0.0.1 [::1]) ) + +# when MTA (one or more) is on a different host, use the following: +#@inet_acl = qw(127.0.0.0/8 [::1] 10.1.0.1 10.1.0.2); # adjust list as needed +#$inet_socket_bind = undef; # bind to all IP interfaces if undef + +# +# Example1: +# @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 ); +# permit only SMTP access from loopback and rfc1918 private address space +# +# Example2: +# @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0 +# 127.0.0.1 10/8 172.16/12 192.168/16 ); +# matches loopback and rfc1918 private address space except host 192.168.1.12 +# and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches) +# +# Example3: +# @inet_acl = qw( 127/8 +# !172.16.3.0 !172.16.3.127 172.16.3.0/25 +# !172.16.3.128 !172.16.3.255 172.16.3.128/25 ); +# matches loopback and both halves of the 172.16.3/24 C-class, +# split into two subnets, except all four broadcast addresses +# for these subnets + + +# @mynetworks is an IP access list which determines if the original SMTP client +# IP address belongs to our internal networks, i.e. mail is coming from inside. +# It is much like the Postfix parameter 'mynetworks' in semantics and similar +# in syntax, and its value should normally match the Postfix counterpart. +# It only affects the value of a macro %l (=sender-is-local), +# and the loading of policy 'MYNETS' if present (see below). +# Note that '-o smtp_send_xforward_command=yes' (or its lmtp counterpart) +# must be enabled in the Postfix service that feeds amavisd, otherwise +# client IP address is not available to amavisd-new. +# +# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 +# 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); # default +# +# A list of networks can also be read from a file, either as an IP acl in +# CIDR notation, one address per line (comments and empty lines are allowed): +# @mynetworks_maps = (read_array('/etc/amavisd-mynetworks'), \@mynetworks); +# +# or less flexibly (but provides faster lookups for large lists) by reading +# into a hash lookup table, which only allows for full addresses or classful +# IPv4 subnets with truncated octets, such as 127, 10, 192.168, 10.11.12.13, +# one address per line (comments and empty lines are allowed): +# @mynetworks_maps = (read_hash('/etc/amavisd-mynetworks'), \@mynetworks); + +# See README.lookups for details on specifying access control lists. + + +# +# Section III - Logging +# + +# true (e.g. 1) => syslog; false (e.g. 0) => logging to file +$DO_SYSLOG = 1; # (defaults to 0) + +$syslog_ident = 'amavis'; # Syslog ident string (defaults to 'amavis') +$syslog_facility = 'mail'; # Syslog facility as a string + # e.g.: mail, daemon, user, local0, ... local7, ... +$syslog_priority = 'info'; # Syslog base (minimal) priority as a string, + # choose from: emerg, alert, crit, err, warning, notice, info, debug + +# Log file (if not using syslog) +$LOGFILE = "$MYHOME/amavis.log"; # (defaults to empty, no log) + +#NOTE: levels are not strictly observed and are somewhat arbitrary +# 0: startup/exit/failure messages, viruses detected +# 1: args passed from client, some more interesting messages +# 2: virus scanner output, timing +# 3: server, client +# 4: decompose parts +# 5: more debug details +$log_level = 3; # (defaults to 0), -d + +# Customizable template for the most interesting log file entry (e.g. with +# $log_level=0) (take care to properly quote Perl special characters like '\') +# For a list of available macros see README.customize . + +# $log_templ = undef; # undef disables by-message level-0 log entries +$log_recip_templ = undef; # undef disables by-recipient level-0 log entries + + +# log both infected and noninfected messages (as deflt, with size,subj,tests): +# (remove the leading '#' and a space in the following lines to activate) + +# $log_templ = <<'EOD'; +# [?%#D|#|Passed # +# [? [:ccat|major] |OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\ +# UNCHECKED|BANNED (%F)|INFECTED (%V)]# +# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%D|,]# +# [? %q ||, quarantine: %q]# +# [? %Q ||, Queue-ID: %Q]# +# [? %m ||, Message-ID: %m]# +# [? %r ||, Resent-Message-ID: %r]# +# , mail_id: %i# +# , Hits: [:SCORE]# +# , size: %z# +# [~[:remote_mta_smtp_response]|["^$"]||[", queued_as: "]]\ +# [remote_mta_smtp_response|[~%x|["queued as ([0-9A-Z]+)$"]|["%1"]|["%0"]]|/]# +# [? [:header_field|Subject] ||, Subject: [:dquote|[:header_field|Subject]]]# +# [? [:header_field|From] ||, From: [:uquote|[:header_field|From]]]# +# [? [:useragent|name] ||, [:useragent|name]: [:uquote|[:useragent|body]]]# +# [? %#T ||, Tests: \[[%T|,]\]]# +# [:supplementary_info|SCTYPE|, shortcircuit=%%s]# +# [:supplementary_info|AUTOLEARN|, autolearn=%%s]# +# , %y ms# +# ] +# [?%#O|#|Blocked # +# [? [:ccat|major|blocking] |# +# OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER|SPAMMY|SPAM|\ +# UNCHECKED|BANNED (%F)|INFECTED (%V)]# +# , [? %p ||%p ][?%a||[?%l||LOCAL ]\[%a\] ][?%e||\[%e\] ]%s -> [%O|,]# +# [? %q ||, quarantine: %q]# +# [? %Q ||, Queue-ID: %Q]# +# [? %m ||, Message-ID: %m]# +# [? %r ||, Resent-Message-ID: %r]# +# , mail_id: %i# +# , Hits: [:SCORE]# +# , size: %z# +# #, smtp_resp: [:smtp_response]# +# [? [:header_field|Subject] ||, Subject: [:dquote|[:header_field|Subject]]]# +# [? [:header_field|From] ||, From: [:uquote|[:header_field|From]]]# +# [? [:useragent|name] ||, [:useragent|name]: [:uquote|[:useragent|body]]]# +# [? %#T ||, Tests: \[[%T|,]\]]# +# [:supplementary_info|SCTYPE|, shortcircuit=%%s]# +# [:supplementary_info|AUTOLEARN|, autolearn=%%s]# +# , %y ms# +# ] +# EOD + +# +# Section IV - Notifications/DSN, bounce/reject/discard/pass, quarantine +# + +# Select notifications text encoding when Unicode-aware Perl is converting +# text from internal character representation to external encoding (charset +# in MIME terminology). Used as argument to Perl Encode::encode subroutine. +# +# to be used in RFC 2047-encoded header field bodies, e.g. in Subject: +#$hdr_encoding = 'iso-8859-1'; # MIME charset (default: 'iso-8859-1') +#$hdr_encoding_qb = 'Q'; # MIME encoding: quoted-printable (default) +#$hdr_encoding_qb = 'B'; # MIME encoding: base64 +# +# to be used in notification body text: its encoding and Content-type.charset +#$bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1') + +# Default template texts for notifications may be overruled by directly +# assigning new text to template variables, or by reading template text +# from files. A second argument may be specified in a call to read_text(), +# specifying character encoding layer to be used when reading from the +# external file, e.g. 'utf8', 'iso-8859-1', or often just $bdy_encoding. +# Text will be converted to internal character representation by Perl 5.8.0 +# or later; second argument is ignored otherwise. See PerlIO::encoding, +# Encode::PerlIO and perluniintro man pages. +# +# $notify_sender_templ = read_text("$MYHOME/notify_sender.txt"); +# $notify_virus_sender_templ= read_text("$MYHOME/notify_virus_sender.txt"); +# $notify_virus_admin_templ = read_text("$MYHOME/notify_virus_admin.txt"); +# $notify_virus_recips_templ= read_text("$MYHOME/notify_virus_recips.txt"); +# $notify_spam_sender_templ = read_text("$MYHOME/notify_spam_sender.txt"); +# $notify_spam_admin_templ = read_text("$MYHOME/notify_spam_admin.txt"); + +# If notification template files are collectively available in some directory, +# one may call read_l10n_templates which invokes read_text for each known +# template. This is primarily a Debian-specific feature, but was incorporated +# into base code to facilitate porting. +# +# read_l10n_templates('/etc/amavis/en_US'); +# +# If read_l10n_templates is called, a localization template directory must +# contain the following files: +# charset this file should contain a one-line name +# of the character set used in the template +# files (e.g. utf8, iso-8859-2, ...) and is +# passed as the second argument to read_text; +# template-dsn.txt content fills the $notify_sender_templ +# template-virus-sender.txt content fills the $notify_virus_sender_templ +# template-virus-admin.txt content fills the $notify_virus_admin_templ +# template-virus-recipient.txt content fills the $notify_virus_recips_templ +# template-spam-sender.txt content fills the $notify_spam_sender_templ +# template-spam-admin.txt content fills the $notify_spam_admin_templ + +# Here is an overall picture (sequence of events) of how pieces fit together +# +# bypass_virus_checks set for all recipients? ==> PASS +# no viruses? ==> PASS +# log virus if $log_templ is nonempty +# quarantine if $virus_quarantine_to is nonempty +# notify admin if $virus_admin (lookup) nonempty +# notify recips if $warnvirusrecip and (recipient is local or $warn_offsite) +# add address extensions for local recipients (when enabled) +# send (non-)delivery notifications +# to sender if DSN needed (BOUNCE or ($warnvirussender and D_PASS)) +# virus_lovers or final_destiny==D_PASS ==> PASS +# DISCARD (2xx) or REJECT (5xx) (depending on final_*_destiny) +# +# Equivalent flow diagram applies for spam checks. +# If a virus is detected, spam checking is skipped entirely. + +# The following symbolic constants can be used in *_destiny settings: +# +# D_PASS mail will pass to recipients, regardless of bad contents; +# +# D_DISCARD mail will not be delivered to its recipients, sender will NOT be +# notified. Effectively we lose mail (but will be quarantined +# unless disabled). Losing mail is not decent for a mailer, +# but might be desired. +# +# D_BOUNCE mail will not be delivered to its recipients, a non-delivery +# notification (bounce) will be sent to the sender by amavisd-new; +# Exception: bounce (DSN) will not be sent if a virus name matches +# @viruses_that_fake_sender_maps, or to messages from mailing lists +# (Precedence: bulk|list|junk), or for spam level that exceeds +# the $sa_dsn_cutoff_level. +# +# D_REJECT mail will not be delivered to its recipients, sender should +# preferably get a reject, e.g. SMTP permanent reject response +# (e.g. with milter), or non-delivery notification from MTA +# (e.g. Postfix). If this is not possible (e.g. different recipients +# have different tolerances to bad mail contents and not using LMTP) +# amavisd-new sends a bounce by itself (same as D_BOUNCE). +# Not to be used with Postfix or dual-MTA setups! +# +# Notes: +# D_REJECT and D_BOUNCE are similar, the difference is in who is responsible +# for informing the sender about non-delivery, and how informative +# the notification can be (amavisd-new knows more than MTA); +# With D_REJECT, MTA may reject original SMTP, or send DSN (delivery status +# notification, colloquially called 'bounce') - depending on MTA; +# Best suited for sendmail milter and Courier, especially for spam. +# With D_BOUNCE, amavisd-new (not MTA) sends DSN (can better explain the +# reason for mail non-delivery or even suppress DSN, but unable +# to reject the original SMTP session). Best suited to reporting +# viruses, and for Postfix and other dual-MTA setups, which can't +# reject original client SMTP session, as the mail has already +# been enqueued. + +# Alternatives to consider for spam: +# - use D_PASS if clients will do filtering based on inserted +# mail headers or added address extensions ('plus-addressing'); +# - use D_DISCARD, if kill_level is set comfortably high; +# +# D_BOUNCE is preferred for viruses, but consider: +# - use D_PASS (or virus_lovers) to deliver viruses; +# - use D_REJECT instead of D_BOUNCE if using Courier or milter and under heavy +# virus storm; + + +# The use of new *_by_ccat hashes is illustrated by the following examples +# on configuring final_*_destiny. + + +# using traditional settings of $final_*_destiny variables, relying on a +# default setting of an associative array %final_destiny_by_ccat which is +# backwards compatible and contains references to these traditional variables: +# +$final_virus_destiny = D_REJECT; # (defaults to D_DISCARD) +$final_banned_destiny = D_REJECT; # (defaults to D_BOUNCE) +$final_spam_destiny = D_REJECT; # (defaults to D_BOUNCE) +$final_bad_header_destiny = D_PASS; # (defaults to D_PASS) + +######## +# +# Please think about what you are doing when you set these options. +# If necessary, question your origanization's e-mail policies: +# +# D_BOUNCE contributes to the overall spread of virii and spam on the +# internet. Both the envelope and header from addresses can be forged +# accurately with no effort, causing the bounces to go to innocent parties, +# whose addresses have been forged. +# +# D_DISCARD breaks internet mail specifications. However, with a +# properly implemented Quaratine system, the concern for breaking the +# specification is addressed to some extent. +# +# D_PASS is the safest way to handle e-mails. You must implement +# client-side filtering to handle this method. +# +# -Cory Visi 07/28/04 +# +####### + +# to explicitly list all (or most) possible contents category (ccat) keys: +%final_destiny_by_ccat = ( + CC_VIRUS, D_DISCARD, + CC_BANNED, D_BOUNCE, + CC_UNCHECKED, D_PASS, + CC_SPAM, D_DISCARD, + CC_BADH, D_PASS, + CC_OVERSIZED, D_BOUNCE, + CC_CLEAN, D_PASS, + CC_CATCHALL, D_PASS, +); + +# to rely on a catchall ccat key and only list exceptions (alternative 1): +#%final_destiny_by_ccat = ( +# CC_VIRUS, D_DISCARD, +# CC_BANNED, D_BOUNCE, +# CC_SPAM, D_BOUNCE, +# CC_BADH.',4', D_BOUNCE, # BadHdrSpace +# CC_BADH.',3', D_BOUNCE, # BadHdrChar +# CC_OVERSIZED, D_BOUNCE, +# CC_CATCHALL, D_PASS, +#); + +# to rely on a catchall ccat key and list exceptions (alternative 2): +#%final_destiny_by_ccat = ( +# CC_VIRUS, D_DISCARD, +# CC_UNCHECKED, D_PASS, +# CC_BADH.',6', D_PASS, # BadHdrSyntax +# CC_BADH.',5', D_PASS, # BadHdrLong +# CC_BADH.',2', D_PASS, # BadHdr8bit +# CC_BADH.',1', D_PASS, # BadHdrMime +# CC_CLEAN, D_PASS, +# CC_CATCHALL, D_BOUNCE, +#); + +# to rely on a catchall ccat key and list exceptions (alternative 3): +#%final_destiny_by_ccat = ( +# CC_VIRUS, D_DISCARD, +# CC_UNCHECKED, D_PASS, +# CC_BADH.',4', D_BOUNCE, # BadHdrSpace +# CC_BADH.',3', D_BOUNCE, # BadHdrChar +# CC_BADH, D_PASS, # sub-catchall for CC_BADH +# CC_CLEAN, D_PASS, +# CC_CATCHALL, D_BOUNCE, +#); + +# to rely on a default %final_destiny_by_ccat and only change few settings: +#$final_destiny_by_ccat{+CC_SPAM} = D_PASS; +#$final_destiny_by_ccat{+CC_BADH} = D_BOUNCE; +#$final_destiny_by_ccat{+CC_BADH.',2'} = D_PASS; # BadHdr8bit + + + +# For monitoring / testing purposes let the administrator receive a copy +# of certain delivery status notifications that are mailed back to senders: +# +#%dsn_bcc_by_ccat = ( +# CC_BANNED, undef, +# CC_SPAM, undef, +# CC_BADH, undef, +# CC_CATCHALL, 'admin+test@example.com', +#); +# +# or use a simpler form, taking advantage of defaults in %dsn_bcc_by_ccat: +#$dsn_bcc = 'admin+test@example.com'; + + +# The following $warn*sender settings are ONLY used when mail is +# actually passed to recipients ($final_*_destiny=D_PASS, or *_lovers*). +# Bounces or rejects produce non-delivery status notification regardless. +# +# Notify sender of syntactically invalid header containing non-ASCII chars? +#$warnbadhsender = 1; # (defaults to false (undef)) + +# Notify virus (or banned files or bad headers) RECIPIENT? +# (not very useful, but some policies demand it) +#$warnvirusrecip = 1; # (defaults to false (undef)) +#$warnbannedrecip = 1; # (defaults to false (undef)) +#$warnbadhrecip = 1; # (defaults to false (undef)) + +# Notify also non-local virus/banned recipients if $warn*recip is true? +# (including those not matching local_domains*) +#$warn_offsite = 1; # (defaults to false (undef), i.e. only notify locals) + + +# Treat envelope sender address as unreliable and don't send sender +# notification / bounces if name(s) of detected virus(es) match the list. +# Note that virus names are supplied by external virus scanner(s) and are +# not standardized, so virus names may need to be adjusted. +# See README.lookups for syntax, check also README.policy-on-notifications. +# If the intention is to treat all viruses as faking the sender address, it +# is equivalent but more efficient to just set $final_virus_destiny=D_DISCARD; +# +@viruses_that_fake_sender_maps = (new_RE( + qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i, + qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i, + qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i, + qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i, + qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan + qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc +# [qr'^(EICAR|Joke\.|Junk\.)'i => 0], +# [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0], + [qr/^/ => 1], # true by default (remove or comment-out if undesired) +)); + +# where to send ADMIN VIRUS NOTIFICATIONS (should be a fully qualified address) +# - the administrator envelope address may be a simple fixed e-mail address +# (a scalar), or may depend on the RECIPIENT address (e.g. its domain). +# +# Empty or undef lookup disables virus admin notifications. + +# The full set of configurable administrator addresses is: +# @virus_admin_maps ... notifications to admin about viruses +# @newvirus_admin_maps ... newly encountered viruses since amavisd startup +# @spam_admin_maps ... notifications to admin about spam +# @banned_admin_maps ... notifications to admin about banned contents +# @bad_header_admin_maps ... notifications to admin about bad headers + +$virus_admin = "virusalert\@$mydomain"; +# $virus_admin = 'virus-admin@example.com'; +# $virus_admin = undef; # do not send virus admin notifications (default) +# +#@virus_admin_maps = ( # by-recipient maps +# {'not.example.com' => '', +# '.' => 'virusalert@example.com'}, +# $virus_admin, # the usual default +#); + +# equivalent to $virus_admin, but for spam admin notifications: +# $spam_admin = "spamalert\@$mydomain"; +# $spam_admin = undef; # do not send spam admin notifications (default) +#@spam_admin_maps = ( # by-recipient maps +# {'not.example.com' => '', +# '.' => 'spamalert@example.com'}, +# $spam_admin, # the usual default +#); + +# receive a copy of all delivery status notifications sent; +# useful for testing or monitoring +#$dsn_bcc = "mailadmin\@$mydomain"; + +#advanced example, using a hash lookup table and a scalar default, +#lookup key is a recipient envelope address: +#@virus_admin_maps = ( # by-recipient maps +# { 'baduser@sub1.example.com' => 'HisBoss@sub1.example.com', +# '.sub1.example.com' => 'virusalert@sub1.example.com', +# '.sub2.example.com' => '', # don't send admin notifications +# 'a.sub3.example.com' => 'abuse@sub3.example.com', +# '.sub3.example.com' => 'virusalert@sub3.example.com', +# '.example.com' => 'noc@example.com', # default for our virus senders +# }, +# 'virusalert@hq.example.com', # catchall for the rest +#); + +# sender envelope address, from which notification reports are sent from; +# may be a null reverse path, or a fully qualified address: +# (admin and recip sender addresses default to a null return path). +# If using strings in double quotes, don't forget to quote @, i.e. \@ +# +$mailfrom_notify_admin = "virusalert\@$mydomain"; +$mailfrom_notify_recip = "virusalert\@$mydomain"; +$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; + +# 'From' HEADER FIELD for sender and admin notifications. +# This should be a replyable address, see rfc1894. Not to be confused +# with $mailfrom_notify_sender, which is the envelope return address +# and can be empty (null reverse path) according to rfc2821. +# +# The syntax of the 'From' header field is specified in rfc2822, section +# '3.4. Address Specification'. Note in particular that display-name must be +# a quoted-string if it contains any special characters like spaces and dots. +# +# $hdrfrom_notify_sender = "amavisd-new "; +# $hdrfrom_notify_sender = 'amavisd-new '; +# $hdrfrom_notify_sender = '"Content-Filter Master" '; +# $hdrfrom_notify_admin = $mailfrom_notify_admin; +# $hdrfrom_notify_spamadmin = $mailfrom_notify_spamadmin; +# (default: "\"Content-filter at $myhostname\" ") + +# whom quarantined messages appear to be sent from (envelope sender); +# keeps original sender if undef, or set it explicitly, default is undef +$mailfrom_to_quarantine = ''; # override sender address with null return path + + +# Location to put infected mail into: (applies to 'local:' quarantine method) +# empty for not quarantining, may be a file (Unix-style mailbox), +# or a directory (no trailing slash) +# (the default value is undef, meaning no quarantine) +# +$QUARANTINEDIR = "$MYHOME/quarantine"; + +#$quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine + +#$clean_quarantine_method = 'local:clean-%m'; # disabled by default +#$virus_quarantine_method = 'local:virus-%m'; # default +#$spam_quarantine_method = 'local:spam-%m.gz'; # default +#$banned_files_quarantine_method = 'local:banned-%m'; # default +#$bad_header_quarantine_method = 'local:badh-%m'; # default + +# Separate quarantine subdirectories virus, spam, banned and badh within +# the directory $QUARANTINEDIR may be specified by the following settings +# (the subdirectories need to exist - must be created manually): +#$clean_quarantine_method = 'local:clean/%m'; +#$virus_quarantine_method = 'local:virus/%m'; +#$spam_quarantine_method = 'local:spam/%m.gz'; +#$banned_files_quarantine_method = 'local:banned/%m'; +#$bad_header_quarantine_method = 'local:badh/%m'; +# +#use the 'bsmtp:' method as an alternative to the default 'local:' +#$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%m.bsmtp"; +#$spam_quarantine_method = "bsmtp:$QUARANTINEDIR/spam-%m.bsmtp"; +# +#using the 'pipe:' method might be useful for some special purpose: +#$mailfrom_to_quarantine = undef; # pass on the original sender address +#$spam_quarantine_method = 'pipe:argv=/usr/bin/myscript.sh spam-%b ${sender}'; +# +#using the 'sql:' method to store quarantined message to a SQL database: +#$virus_quarantine_method = $spam_quarantine_method = +# $banned_files_quarantine_method = $bad_header_quarantine_method = 'sql:'; + +# Send copy of every mail to an archival mail address: +#$archive_quarantine_method = $notify_method; +#@archive_quarantine_to_maps = ( 'collector@example.com' ); + + +# When using the 'local:' quarantine method (default), the following applies: +# +# A finer control of quarantining is available through +# variables $virus_quarantine_method/$spam_quarantine_method/ +# $banned_files_quarantine_method/$bad_header_quarantine_method. +# +# The value of scalar $virus_quarantine_to/$spam_quarantine_to (or a +# per-recipient lookup result from lookup tables @virus_quarantine_to_maps) +# is/are interpreted as follows: +# +# VARIANT 1: +# empty or undef disables quarantine; +# +# VARIANT 2: +# a string NOT containing an '@'; +# amavisd will behave as a local delivery agent (LDA) and will quarantine +# viruses to local files according to hash %local_delivery_aliases (pseudo +# aliases map) - see subroutine mail_to_local_mailbox() for details. +# Some of the predefined aliases are 'virus-quarantine' and 'spam-quarantine'. +# Setting $virus_quarantine_to ($spam_quarantine_to) to this string will: +# +# * if $QUARANTINEDIR is a directory, each quarantined virus will go +# to a separate file in the $QUARANTINEDIR directory (traditional +# amavis style, similar to maildir mailbox format); +# +# * otherwise $QUARANTINEDIR is treated as a file name of a Unix-style +# mailbox. All quarantined messages will be appended to this file. +# Amavisd child process must obtain an exclusive lock on the file during +# delivery, so this may be less efficient than using individual files +# or forwarding to MTA, and it may not work across NFS or other non-local +# file systems (but may be handy for pickup of quarantined files via IMAP +# for example); +# +# VARIANT 3: +# any email address (must contain '@'). +# The e-mail messages to be quarantined will be handed to MTA +# for delivery to the specified address. If a recipient address local to MTA +# is desired, you may leave the domain part empty, e.g. 'infected@', but the +# '@' character must nevertheless be included to distinguish it from variant 2. +# +# This variant enables more refined delivery control made available by MTA +# (e.g. its aliases file, other local delivery agents, dealing with +# privileges and file locking when delivering to user's mailbox, nonlocal +# delivery and forwarding, fan-out lists). Make sure the mail-to-be-quarantined +# will not be handed back to amavisd for checking, as this will cause a loop +# (hopefully broken at some stage)! If this can be assured, notifications +# will benefit too from not being unnecessarily virus-scanned. +# +# By default this is safe to do with Postfix and Exim v4 and dual-sendmail +# setup, but probably not safe with sendmail milter interface without tricks. + +# (default values are: virus-quarantine, banned-quarantine, spam-quarantine) + +$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine +#$virus_quarantine_to = 'infected@'; # forward to MTA for delivery +#$virus_quarantine_to = "virus-quarantine\@$mydomain"; # similar +#$virus_quarantine_to = 'virus-quarantine@example.com'; # similar +#$virus_quarantine_to = undef; # no quarantine +# +# lookup key is envelope recipient address: +#@virus_quarantine_to_maps = ( # per-recip multiple quarantines +# new_RE( [qr'^user@example\.com$'i => 'infected@'], +# [qr'^(.*)@example\.com$'i => 'virus-${1}@example.com'], +# [qr'^(.*)(@[^@])?$'i => 'virus-${1}${2}'] ), +# $virus_quarantine_to, # the usual default +#); + +# similar for banned names and bad headers and spam (set to undef to disable) +$banned_quarantine_to = 'banned-quarantine'; # local quarantine +$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine +$spam_quarantine_to = 'spam-quarantine'; # local quarantine + +# or to a mailbox: +#$spam_quarantine_to = "spam-quarantine\@$mydomain"; +# +#@spam_quarantine_to_maps = ( # per-recip quarantines +# new_RE( [qr'^(.*)@example\.com$'i => 'spam-${1}@example.com'] ), +# $spam_quarantine_to, # the usual default +#); + + +# In addition to per-recip quarantine, a by-sender lookup is possible. +# It is similar to $spam_quarantine_to, but the lookup key is the +# envelope sender address: +#$spam_quarantine_bysender_to = undef; # dflt: no by-sender spam quarantine + + +# Spam level beyond which quarantining is disabled (global value): +#$sa_quarantine_cutoff_level = 20; # dflt: undef, which disables this feature + +#@spam_quarantine_cutoff_level_maps = ( # per-recip. quarantine cutoff levels +# { 'user1@example.com' => 20.5, +# 'postmaster@example.com' => 9999, +# '.example.com' => 25 }, +# \$sa_quarantine_cutoff_level, # catchall default +#); + + +# Add X-Virus-Scanned header field to mail? +$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: 'X-Virus-Scanned') + +# Set to empty to add no header field # (dflt "$myproduct_name at $mydomain") +# $X_HEADER_LINE = "$myproduct_name at $mydomain"; +# $X_HEADER_LINE = "by $myproduct_name using ClamAV at $mydomain"; +# $X_HEADER_LINE = "$myproduct_name $myversion_id ($myversion_date) at $mydomain"; + +# a string to prepend to Subject (for local recipients only) if mail could +# not be decoded or checked entirely, e.g. due to password-protected archives +$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it + +# MIME defanging wraps the entire original mail in a MIME container of type +# 'Content-type: multipart/mixed', where the first part is a text/plain with +# a short explanation, and the second part is a complete original mail, +# enclosed in a 'Content-type: message/rfc822' MIME part. +# Defanging is only done when enabled (selectively by malware type), +# and mail is considered malware (virus/spam/...), and the malware is allowed +# to pass (*_lovers or *_destiny=D_PASS) +# +$defang_virus = 1; # default is false: don't modify mail body +$defang_banned = 1; # default is false: don't modify mail body +# $defang_bad_header = 1; # default is false: don't modify mail body +# $defang_undecipherable = 1; # default is false: don't modify mail body +# $defang_spam = 1; # default is false: don't modify mail body + +# NOTE: setting the following variables to true may break mail signatures +# (DKIM and DomainKeys) when verification is done after content filtering: +# $remove_existing_x_scanned_headers, $remove_existing_x_scanned_headers, +# and $allow_fixing_improper_header_folding (and defanging, described +# elsewhere). This is rarely an issue, as mail signing should be done +# after content filtering, and mail verification should preferably be done +# before filtering or by SpamAssassin called from within amavisd, which +# sees still-unmodified mail. +# +$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone + # (defaults to false) +#$remove_existing_x_scanned_headers= 1; # remove existing X-Virus-Scanned +#$remove_existing_spam_headers = 0; # leave existing X-Spam* headers alone +$remove_existing_spam_headers = 1; # remove existing spam headers if + # spam scanning is enabled (default) +#$allow_fixing_improper_header_folding = 1; # (default is true) + +# set $bypass_decode_parts to true if you only do spam scanning, or if you +# have a good virus scanner that can deal with compression and recursively +# unpacking archives by itself, and save amavisd the trouble. +# Disabling decoding also causes banned_files checking NOT to see MIME types +# and content classification types as provided by the file(1) utility. +# It is a double-edged sword, make sure you know what you are doing! +# +#$bypass_decode_parts = 1; # (defaults to false) + +# don't trust this file type or corresponding unpacker for this file type, +# keep both the original and the unpacked file for a virus checker to see +# (lookup key is what file(1) utility returned): +# +@keep_decoded_original_maps = (new_RE( +# qr'^MAIL$', # retain full original message for virus checking (can be slow) + qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables + qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, +# qr'^Zip archive data', # don't trust Archive::Zip +)); + + +# Checking for banned MIME types and names. If any mail part matches, +# the whole mail is rejected. Object $banned_filename_re provides a list +# of Perl regular expressions to be matched against each part's: +# +# * Content-Type value (both declared and effective mime-type), +# such as the possible security-risk content types +# 'message/partial' and 'message/external-body', as specified in rfc2046 +# or 'application/x-msdownload' and 'application/x-msdos-program'; +# +# * declared (recommended) file names as specified by MIME subfields +# Content-Disposition.filename and Content-Type.name, both in their +# raw (encoded) form and in rfc2047-decoded form if applicable +# as well as (recommended) file names specified in archives; +# +# * file content type as guessed by 'file(1)' utility, mapped +# (by @map_full_type_to_short_type_maps) into short type names such as +# .asc, .txt, .html, .doc, .jpg, .pdf, .zip, .exe-ms, ..., which always +# starts with a dot. These short types are available unless +# $bypass_decode_parts is true. +# +# All nodes (mail parts) of the fully recursively decoded mail and embedded +# archives are checked, each node independently from remaining nodes. +# +# For each node all its ancestor nodes including itself are checked against +# $banned_filename_re lookup list, top-down. The search for a node stops +# at the first match, the right-hand side of the matching key determines +# the result (true or false, absent right-hand side implies true, as explained +# in README.lookups). +# +# Although repeatedly re-checking ancestor nodes may seem excessive, it gives +# the opportunity to specify rules which make a particular node hide its +# descendents, e.g. allow any name or file type within a .zip, even though +# .exe files may otherwise not be allowed. +# +# Leave $banned_filename_re undefined to disable these checks +# (giving an empty list to new_RE() will also always return false) + +# for $banned_namepath_re (a new-style of banned table) see amavisd.conf-sample + +$banned_filename_re = new_RE( + +### BLOCKED ANYWHERE +# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components + qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary +# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types + +### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: +# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 + [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives + + qr'.\.(pif|scr)$'i, # banned extensions - rudimentary +# qr'^\.zip$', # block zip type + +### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: +# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives + + qr'^application/x-msdownload$'i, # block these MIME types + qr'^application/x-msdos-program$'i, + qr'^application/hta$'i, + +# qr'^message/partial$'i, # rfc2046 MIME type +# qr'^message/external-body$'i, # rfc2046 MIME type + +# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type +# qr'^\.wmf$', # Windows Metafile file(1) type + + # block certain double extensions in filenames + qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, + +# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict +# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose + + qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic +# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd +# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| +# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst| +# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs| +# wmf|wsc|wsf|wsh)$'ix, # banned ext - long +# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename +# qr'^\.ani$', # banned animated cursor file(1) type + +# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. +); +# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 +# and http://www.cknow.com/vtutor/vtextensions.htm + +# A little trick: a pattern qr'\.exe$' matches both a short type name '.exe', +# as well as any file name which happens to end with .exe. If only matching +# a file name is desired, but not the short type, a pattern qr'.\.exe$'i +# or similar may be used, which requires that at least one character precedes +# the '.exe', and so it will never match short file types which always start +# with a dot. + + +# the syntax of these Perl regular expressions is a bit awkward if not +# familiar with them, so please do follow examples and stick to the idioms: +# \A ... at the beginning of the first component +# \z ... at the end of the the last (leaf) component +# ^ ... at the beginning of each component in the path +# $ ... at the end of each component in the path +# (.*\t)? ... at the beginning of a field +# (\t.*)? ... at the end of a field +# \t(.*\t)* ... separating fields +# [^\t\n] ... any single character, but don't escape from this field +# (.*\n)+ ... one or more levels down +# (?#...) ... a comment within a regexp + +# new-style of banned lookup table +$banned_namepath_re = new_RE( + +### BLOCKED ANYWHERE + + qr'(?# BLOCK Microsoft EXECUTABLES and DLL ) + ^ (.*\t)? T=(exe-ms|dll) (\t.*)? $'xm, # banned file(1) types, rudimentary + +# qr'(?# BLOCK ANY EXECUTABLE ) +# ^ (.*\t)? T=exe (\t.*)? $'xm, # banned file(1) type + +# qr'(?# BLOCK THESE TYPES ) +# ^ (.*\t)? T=(exe|lha|tnef|cab|dll) (\t.*)? $'xm, # banned file(1) types + + +### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: + +# # within traditional gzip and bzip2 allow any name and type +# [ qr'(?#rule-3) ^ (.*\t)? T=(gz|bz2) (\t.*)? $'xmi => 0 ], # allow + + # within traditional Unix archives allow any name and type + [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ], # allow + + # banned filename extensions (in declared names) anywhere - rudimentary + qr'(?# BLOCK COMMON NAME EXENSIONS ) + ^ (.*\t)? N= [^\t\n]* \. (pif|scr) (\t.*)? $'xmi, + +# # block anything within a zip +# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi, + + +### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES OR CRYPTED: + +# # within PC archives allow any types or names at any depth +# [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ], # ok + +# # within certain archives allow leaf members at any depth if crypted +# [ qr'(?# ALLOW ENCRYPTED ) +# ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ], + +# # allow crypted leaf members regardless of their name or type +# [ qr'(?# ALLOW IF ENCRYPTED ) ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ], + + # block these MIME types + qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi, + qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi, + qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi, + +# # block rfc2046 MIME types +# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/partial (\t.*)? $'xmi, +# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/external-body (\t.*)? $'xmi, + +# qr'(?#No Metafile MIME) ^(.*\t)? M=application/x-msmetafile (\t.*)? $'xmi, +# qr'(?#No Metafile MIME) ^(.*\t)? M=image/x-wmf (\t.*)? $'xmi, +# qr'(?#No Metafile file) ^(.*\t)? T=wmf (\t.*)? $'xm, +# qr'(?#No animated cursors) ^(.*\t)? T=ani (\t.*)? $'xm, + + # block certain double extensions in filenames + qr'(?# BLOCK DOUBLE-EXTENSIONS ) + ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \. \ * + (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) [. ]* (\t.*)? $'xmi, + + [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM ) + ^ (.*\t)? M=application/(octet-stream|x-msdownload|x-msdos-program) + \t(.*\t)* T=empty (\t.*)? $'xmi + => 'DISCARD' ], + +# [ qr'(?# BLOCK EMPTY MIME PARTS ) +# ^ (.*\t)? M= [^\t\n]+ \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ], + +# # block Class ID (CLSID) extensions in filenames, strict +# qr'(?# BLOCK CLSID-EXTENSIONS ) +# ^ (.*\t)? N= [^\t\n]* \{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}? +# [^\t\n]* (\t.*)? $'xmi, + +# # banned suggested names with three or more consecutive spaces +# qr'(?# BLOCK NAMES WITH SPACES ) +# ^ (.*\t)? N= [^\t\n]* [ ]{3,} 'xmi, + +# # block if any component can not be decoded (is encrypted or bad archive) +# qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi, + +# [ qr'(?# SPECIAL ALLOWANCES - MAGIC NAMES) +# \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2) +# \t(.*\t)* N=example\d+[^\t\n]* +# (\t.*)? $'xmi => 0 ], + + # banned filename extensions (in suggested names) anywhere - basic + qr'(?# BLOCK COMMON NAME EXENSIONS ) + ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|cpl) (\t.*)? $'xmi, + +# # banned filename extensions (in suggested names) anywhere - basic+cmd +# qr'(?# BLOCK COMMON NAME EXENSIONS ) +# ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|cpl|bat|cmd|com) (\t.*)? $'xmi, + +# # banned filename extensions (in suggested names) anywhere - long +# qr'(?# BLOCK MORE NAME EXTENSIONS ) +# ^ (.*\t)? N= [^\t\n]* \. ( +# ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| +# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst| +# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs| +# wmf|wsc|wsf|wsh) (\t.*)? $'xmi, + +# qr'(?# BLOCK CURSOR AND ICON NAME EXENSIONS ) +# ^ (.*\t)? N= [^\t\n]* \. (ani|cur|ico) (\t.*)? $'xmi, + +# # banned filename extensions anywhere - WinZip vulnerability (pre-V9) +# qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS ) +# ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi, + +); + +# use old or new style of banned lookup table; not both to avoid confusion +# +# @banned_filename_maps = (); # to disable old-style + $banned_namepath_re = undef; # to disable new-style + + +%banned_rules = ( + 'MYNETS-DEFAULT' => new_RE( # permissive set of rules for internal hosts + [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any name/type in Unix archives + qr'.\.(vbs|pif|scr)$'i, # banned extension - rudimentary + ), + 'DEFAULT' => $banned_filename_re, +); + + +# +# Section V - Per-recipient and per-sender handling, whitelisting, etc. +# + +# @virus_lovers_maps list of lookup tables: +# (this should be considered a policy option, is does not disable checks, +# see bypass*checks for that!) +# +# Exclude certain RECIPIENTS from virus filtering by adding their (lower-cased) +# envelope e-mail address (or domain only) to one of the lookup tables in +# the @virus_lovers_maps list - see README.lookups and examples. +# Make sure the appropriate form (e.g. external/internal) of address +# is used in case of virtual domains, or when mapping external to internal +# addresses, etc. - this is MTA-specific. +# +# Notifications would still be generated however (see the overall +# picture above), and infected mail (if passed) gets additional header: +# X-AMaViS-Alert: INFECTED, message contains virus: ... +# (header not inserted with Courier or milter interface!) +# +# Setting $final_*_destiny=D_PASS is functionally equivalent to having +# all recipients match the @*_lovers_maps. +# +# NOTE (milter interface only): in case of multiple recipients, +# it is only possible to drop or accept the message in its entirety - for all +# recipients. If all of them are virus lovers, we'll accept mail, but if +# at least one recipient is not a virus lover, we'll discard the message. + + +# @bypass_virus_checks_maps list of lookup tables: +# (this is mainly a time-saving option, unlike virus_lovers* !) +# +# Similar in concept to @virus_lovers_maps, a @bypass_virus_checks_maps +# is used to skip entirely the decoding, unpacking and virus checking, +# but only if ALL recipients match the lookup. +# +# @bypass_virus_checks_maps does NOT GUARANTEE the message will NOT be checked +# for viruses - this may still happen when there is more than one recipient +# for a message and not all of them match these lookup tables, or when +# check result was cached (i.e. the same contents was recently sent to other +# recipients). To guarantee virus delivery, a recipient must also match +# @virus_lovers_maps lookups (but see milter limitations above), +# +# The following table summarizes the possible combinations: +# bypass lover +# 0 0 useful, check for malware and block it +# 0 1 useful, check but deliver nevertheless, possibly tagged +# 1 0 not too useful, free riding on cached or other-people's checks +# 1 1 useful, no checks if possible, and no effects + +# NOTE: it would not be clever to base enabling of virus checks on SENDER +# address, since there are no guarantees that it is genuine. Many viruses +# and spam messages fake sender address. To achieve selective filtering +# based on the source of the mail (e.g. IP address, MTA port number, ...), +# use mechanisms provided by MTA if available, possibly combined with policy +# banks feature. + +# Similar to lists of lookup tables controlling virus checking, there are +# counterparts for spam scanning, banned names/types, and headers_checks +# control: +# @spam_lovers_maps, +# @banned_files_lovers_maps, +# @bad_header_lovers_maps +# and: +# @bypass_spam_checks_maps, +# @bypass_banned_checks_maps, +# @bypass_header_checks_maps + +# Example: +# @bypass_header_checks_maps = ( [qw( user@example.com )] ); +# @bad_header_lovers_maps = ( [qw( user@example.com )] ); + +# The following example disables spam checking altogether, +# since it matches any recipient e-mail address. +# @bypass_spam_checks_maps = (1); + + +# See README.lookups for further detail, and examples below. + +# In the following example a list of lookup tables @virus_lovers_maps +# contains three elements, the first is a reference to an ACL lookup table +# (brackets in Perl indicate a ref to a list), the second is a reference +# to a hash lookup table (curly braces in Perl indicate a ref to a hash), +# the third is a regexp lookup table, indicated by the type of object +# created by new_RE() : +# +#@virus_lovers_maps = ( +# [ qw( me@lab.xxx.com !lab.xxx.com .xxx.com yyy.org ) ], +# { "postmaster\@$mydomain" => 1, # double quotes permit variable evaluation +# 'postmaster@example.com'=> 1, # in single quotes the '@' need not be quoted +# 'abuse@example.com'=> 1, +# 'some.user@' => 1, # this recipient, regardless of domain +# 'boss@example.com' => 0, # never, even if domain matches +# 'example.com' => 1, # this domain, but not its subdomains +# '.example.com' => 1, # this domain, including its subdomains +# }, +# new_RE( qr'^(helpdesk|postmaster)@example\.com$'i ), +#); + +#@spam_lovers_maps = ( +# ["postmaster\@$mydomain", 'postmaster@example.com', 'abuse@example.com'], +#); + +#@bad_header_lovers_maps = ( +# ["postmaster\@", "abuse\@$mydomain"], +#); + + +# as an alternative to fiddling with @_lovers_maps and similar _maps, here +# is an illustration of using a more general *_by_ccat associative array, +# introduced with 2.4.0, like %lovers_maps_by_ccat in this example: +# +#$lovers_maps_by_ccat{+CC_SPAM} = [ +# read_hash("$MYHOME/etc/spam_lovers.txt"), +# [qw(postmaster@example.com abuse@example.com)], +#]; +# +#$lovers_maps_by_ccat{+CC_BANNED} = [ +# { map {lc $_ => 1} # construct a hash lookup table from a list +# qw(user1@example.com user2.example.com) +# }, +#]; + + +# to save some typing of quotes and commas, a Perl operator qw can be used +# to split its argument on whitespace and to quote resulting elements: +#@bypass_spam_checks_maps = ( +# [ qw( some.ddd !butnot.example.com .example.com ) ], +#); + + +# don't run spam check for these RECIPIENT domains: +# @bypass_spam_checks_maps = ( [qw( d1.com .d2.com a.d3.com )] ); +# or the other way around (bypass check for all BUT these): +# @bypass_spam_checks_maps = ( [qw( !d1.com !.d2.com !a.d3.com . )] ); +# a practical application: don't check outgoing mail for spam: +# @bypass_spam_checks_maps = ( [ "!.$mydomain", "." ] ); +# or calculated (negated) from the %local_domains: +# @bypass_spam_checks_maps = +# ( {map {$_ => !$local_domains{$_}} keys %local_domains}, 1); +# (a downside of which is that such mail will not count as ham in SA bayes db) +# +# Note that 'outgoing' is not the same as 'originating from inside'. We refer +# to 'outgoing' here as 'mail addressed to recipients outside our domain(s)'. +# The internal-to-internal mail is not outgoing, but is still originating from +# inside. To base rules on 'originating from inside', the use of a policy bank +# with 'originating => 1' is needed (such as MYNETS), in conjunction with +# XFORWARD Postfix extension to SMTP. + +# Where to find SQL server(s) and database to support SQL lookups? +# A list of triples: (dsn,user,passw). (dsn = data source name) +# More than one entry may be specified for multiple (backup) SQL servers. +# See 'man DBI', 'man DBD::mysql', 'man DBD::Pg', ... for details. +# When chroot-ed, accessing SQL server over inet socket may be more convenient. +# +# @lookup_sql_dsn = +# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'], +# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], +# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); +# @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database +# +# ('mail' in the example is the database name, choose what you like) +# With PostgreSQL the dsn (first element of the triple) may look like: +# 'DBI:Pg:dbname=mail;host=host1' + +# The SQL select clause to fetch per-recipient policy settings. +# The %k will be replaced by a comma-separated list of query addresses +# (e.g. full address, domain only (stripped level by level), and a catchall). +# Use ORDER if there is a chance that multiple records will match - the first +# match wins. If field names are not unique (e.g. 'id'), the later field +# overwrites the earlier in a hash returned by lookup, which is why we use +# '*,users.id' instead of just '*'. No need to uncomment the following +# assignment if the default is ok. +# $sql_select_policy = 'SELECT *,users.id FROM users,policy'. +# ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'. +# ' ORDER BY users.priority DESC'; +# +# The SQL select clause to check sender in per-recipient whitelist/blacklist +# The first SELECT argument '?' will be users.id from recipient SQL lookup, +# the %k will be sender addresses (e.g. full address, domain only, catchall). +# The default value is: +# $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'. +# ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'. +# ' AND (mailaddr.email IN (%k))'. +# ' ORDER BY mailaddr.priority DESC'; +# +# To disable SQL white/black list, set to undef (otherwise comment-out +# the following statement, leaving it at the default value): +$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting + +# Controls the format of timestamps in the field msgs.time_iso: +# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP; +# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16) + +# Does a database mail address field with no '@' character represent a +# local username or a domain name? By default it implies a username in +# SQL and LDAP lookups (but represents a domain in hash and acl lookups), +# so domain names in SQL and LDAP should be specified as '@domain'. +# Setting these to true will cause 'xxx' to be interpreted as a domain +# name, just like in hash or acl lookups. +# +# $sql_lookups_no_at_means_domain = 0; # default is 0 +# $ldap_lookups_no_at_means_domain = 0; # default is 0 + +# Here is an example of a SELECT clause that fabricates an artificial 'users' +# table from actual table 'postfix_domains' containing a field 'domain_name'. +# The effect is that domains listed in the 'postfix_domains' table will be +# treated as local by amavisd, and be given settings from a policy id 99 +# if such a policy id exists, or just fall back to static lookups. +# The user.id (with a value 1) is there only to provide a user id (same id +# for all listed domains) when global SQL-based white/blacklisting is used. +# +# $sql_lookups_no_at_means_domain = 1; +# $sql_select_policy = +# 'SELECT *, user.id'. +# ' FROM (SELECT 1 as id, 99 as policy_id, "Y" AS local'. +# ' FROM postfix_domains WHERE domain_name IN (%k)) AS user'. +# ' LEFT JOIN policy ON policy_id=policy.id'; + +# If passing malware to certain recipients ($final_*_destiny=D_PASS or +# *_lovers), the recipient-based lookup tables @addr_extension_*_maps may +# return a string, which (if nonempty) will be added as an address extension +# to the local-part of the recipient's address. This extension may be used +# by the final local delivery agent (LDA) to place such mail into different +# subfolders (the extension is usually interpreted as a folder name). +# This is sometimes known as the 'plus addressing'. Appending address +# extensions is prevented when: +# - recipient does not match lookup tables @local_domains_maps; +# - lookup into corresponding @addr_extension_*_maps results +# in an empty string or undef; +# - $recipient_delimiter is empty (see below) +# LDAs usually default to stripping away address extension if no special +# handling is specified or if a named subfolder or alias does not exist, +# so adding address extensions normally does no harm. + +# @addr_extension_virus_maps = ('virus'); # defaults to empty +# @addr_extension_spam_maps = ('spam'); # defaults to empty +# @addr_extension_banned_maps = ('banned'); # defaults to empty +# @addr_extension_bad_header_maps = ('badh'); # defaults to empty +# +# A more complex example: +# @addr_extension_virus_maps = ( +# {'sub.example.com'=>'infected', '.example.com'=>'filtered'}, 'virus' ); + +# Delimiter between local part of the envelope recipient address and address +# extension (which can optionally be added, see @addr_extension_*_maps. E.g. +# recipient address is changed to . +# +# Delimiter must match the equivalent (final) MTA delimiter setting. +# (e.g. for Postfix add 'recipient_delimiter = +' to main.cf) +# Setting it to an empty string or to undef disables adding extensions +# regardless of $addr_extension_*_maps. + +# $recipient_delimiter = '+'; # (default is undef, i.e. disabled) + +# true: replace extension; false: append extension +# $replace_existing_extension = 1; # (default is true) + +# Affects matching of localpart of e-mail addresses (left of '@') +# in lookups: true = case sensitive, false = case insensitive +$localpart_is_case_sensitive = 0; # (default is false) + + +# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING + +# Instead of hard black- or whitelisting, a softer approach is to add +# score points (penalties) to the SA score for mail from certain senders. +# Positive points lean towards blacklisting, negative towards whitelisting. +# This is much like adding SA rules or using its white/blacklisting, except +# that here only envelope sender addresses are considered (not addresses +# in a mail header), and that score points can be assigned per-recipient +# (or globally), and the assigned penalties are customarily much lower +# than the default SA white/blacklisting score. +# +# The table structure is similar to $per_recip_blacklist_sender_lookup_tables +# i.e. the first level key is recipient, pointing to by-sender lookup tables. +# The essential difference is that scores from _all_ matching by-recipient +# lookups (not just the first that matches) are summed to give the final +# score boost. That means that both the site and domain administrators, +# as well as the recipient can have a say on the final score. +# +# NOTE: keep hash keys in lowercase, either manually or by using function lc + +@score_sender_maps = ({ # a by-recipient hash lookup table + +# # per-recipient personal tables (NOTE: positive: black, negative: white) +# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], +# 'user3@example.com' => [{'.ebay.com' => -3.0}], +# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, +# '.cleargreen.com' => -5.0}], + + # site-wide opinions about senders (the '.' matches any recipient) + '.' => [ # the _first_ matching sender determines the score boost + + new_RE( # regexp-type lookup table, just happens to be all soft-blacklist + [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], + [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], + [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], + [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], + [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], + [qr'^(your_friend|greatoffers)@'i => 5.0], + [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], + [ qr'@strato(?:-rz)\.de$'i => -5.0 ], + [ qr'^Doris\.Hennig@BA-MH\.Verwalt-Berlin\.de$'i => -5.0 ], + [ qr'^doris@hennig-berlin\.org$'i => -5.0 ], + ), + +# read_hash("/var/amavis/sender_scores_sitewide"), + + { # a hash-type lookup table (associative array) + 'nobody@cert.org' => -3.0, + 'cert-advisory@us-cert.gov' => -3.0, + 'owner-alert@iss.net' => -3.0, + 'slashdot@slashdot.org' => -3.0, + 'securityfocus.com' => -3.0, + 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, + 'security-alerts@linuxsecurity.com' => -3.0, + 'mailman-announce-admin@python.org' => -3.0, + 'amavis-user-admin@lists.sourceforge.net'=> -3.0, + 'amavis-user-bounces@lists.sourceforge.net' => -3.0, + 'spamassassin.apache.org' => -3.0, + 'notification-return@lists.sophos.com' => -3.0, + 'owner-postfix-users@postfix.org' => -3.0, + 'owner-postfix-announce@postfix.org' => -3.0, + 'owner-sendmail-announce@lists.sendmail.org' => -3.0, + 'sendmail-announce-request@lists.sendmail.org' => -3.0, + 'donotreply@sendmail.org' => -3.0, + 'ca+envelope@sendmail.org' => -3.0, + 'noreply@freshmeat.net' => -3.0, + 'owner-technews@postel.acm.org' => -3.0, + 'ietf-123-owner@loki.ietf.org' => -3.0, + 'cvs-commits-list-admin@gnome.org' => -3.0, + 'rt-users-admin@lists.fsck.com' => -3.0, + 'clp-request@comp.nus.edu.sg' => -3.0, + 'surveys-errors@lists.nua.ie' => -3.0, + 'emailnews@genomeweb.com' => -5.0, + 'yahoo-dev-null@yahoo-inc.com' => -3.0, + 'returns.groups.yahoo.com' => -3.0, + 'clusternews@linuxnetworx.com' => -3.0, + lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, + lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, + 'niels@google.com' => -3.0, + 'kameu@gmx.de' => -3.0, + + # soft-blacklisting (positive score) + 'sender@example.net' => 3.0, + '.example.net' => 1.0, + + }, + ], # end of site-wide tables +}); + + +# ENVELOPE SENDER WHITELISTING / BLACKLISTING - GLOBAL (RECIPIENT-INDEPENDENT) +# (affects spam checking only, has no effect on virus and other checks) + +# WHITELISTING: use ENVELOPE SENDER lookups to ENSURE DELIVERY from whitelisted +# senders even if the message would be recognized as spam. Effectively, for +# the specified senders, message recipients temporarily become 'spam_lovers'. +# To avoid surprises, whitelisted sender also suppresses inserting/editing +# the tag2-level header fields (X-Spam-*, Subject), appending spam address +# extension, and quarantining. +# +# BLACKLISTING: messages from specified SENDERS are DECLARED SPAM. +# Effectively, for messages from blacklisted envelope sender addresses, spam +# level is artificially pushed high, and the normal spam processing applies, +# resulting in 'X-Spam-Flag: YES', high 'X-Spam-Level' bar and other usual +# reactions to spam, including possible rejection. If the message nevertheless +# still passes (e.g. for spam loving recipients), it is tagged as BLACKLISTED +# in the 'X-Spam-Status' header field, but the reported spam value and +# set of tests in this report header field (if available from SpamAssassin, +# which may or may not have been called) is not adjusted. +# +# A sender may be both white- and blacklisted at the same time, settings +# are independent. For example, being both white- and blacklisted, message +# is delivered to recipients, but is not tagged as spam (X-Spam-Flag: No; +# X-Spam-Status: No, ...), but the reported spam level (if computed) may +# still indicate high spam score. +# +# If ALL recipients of the message either white- or blacklist the sender, +# spam scanning (calling the SpamAssassin) is bypassed, saving on time. +# +# The following variables (lists of lookup tables) are available, +# with the semantics and syntax as specified in README.lookups: +# @whitelist_sender_maps, @blacklist_sender_maps + +# SOME EXAMPLES: +# +#ACL: +# @whitelist_sender_maps = ( ['.example.org', '.example.net'] ); +# @whitelist_sender_maps = ( [qw(.example.org .example.net)] ); # same thing +# +# @whitelist_sender_maps = ( [".$mydomain"] ); # $mydomain and its subdomains +# NOTE: This is not a reliable way of turning off spam checks for +# locally-originating mail, as sender address can easily be faked. +# To reliably avoid spam-scanning outgoing mail, use @bypass_spam_checks_maps +# for nonlocal recipients. To reliably avoid spam scanning for locally +# originating mail (including internal-to-internal mail), recognized by +# the original SMTP client IP address matching @mynetworks, use policy bank +# MYNETS, adjust @mynetworks, and turn on XFORWARD in the Postfix smtp client +# service feeding amavisd. + +#with regexps: +# @whitelist_sender_maps = ( new_RE( +# qr'^postmaster@.*\bexample\.com$'i, +# qr'^owner-[^@]*@'i, qr'-request@'i, +# qr'\.example\.com$'i +# )); + + +# illustrates the use of regexp lookup table: + +@blacklist_sender_maps = ( new_RE( + qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i, + qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i, + qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i, + qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i, + qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i, + qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i, +)); + + +# NOTE: whitelisting is becoming deprecated because sender address is +# all too often faked; use @score_sender_maps for soft-whitelisting! +# +# Illustrates the use of several lookup tables: +# +# @whitelist_sender_maps = ( +# +# # read_hash("$MYHOME/whitelist_sender"), # a hash table read from a file +# +# # and another hash lookup table constructed in-line, with keys lowercased: +# { map {lc $_ => 1} qw( +# nobody@cert.org +# cert-advisory@us-cert.gov +# owner-alert@iss.net +# slashdot@slashdot.org +# bugtraq@securityfocus.com +# NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM +# security-alerts@linuxsecurity.com +# amavis-user-admin@lists.sourceforge.net +# amavis-user-bounces@lists.sourceforge.net +# notification-return@lists.sophos.com +# mailman-announce-admin@python.org +# owner-postfix-users@postfix.org +# owner-postfix-announce@postfix.org +# owner-sendmail-announce@lists.sendmail.org +# sendmail-announce-request@lists.sendmail.org +# owner-technews@postel.ACM.ORG +# lvs-users-admin@LinuxVirtualServer.org +# ietf-123-owner@loki.ietf.org +# cvs-commits-list-admin@gnome.org +# rt-users-admin@lists.fsck.com +# clp-request@comp.nus.edu.sg +# surveys-errors@lists.nua.ie +# emailNews@genomeweb.com +# owner-textbreakingnews@CNNIMAIL12.CNN.COM +# yahoo-dev-null@yahoo-inc.com +# returns.groups.yahoo.com +# )}, +# +# # { '' => 1 }, # and another one, containing just an empty reverse path (DSN) +# +# ); + + +# ENVELOPE SENDER WHITELISTING / BLACKLISTING - PER-RECIPIENT + +# The same semantics as for global white/blacklisting applies, but this +# time each recipient (or its domain, or subdomain, ...) can be given +# an individual lookup table for matching senders. The per-recipient lookups +# take precedence over the global lookups, which serve as a fallback default. + +# Specify a two-level lookup table: the key for the outer table is recipient, +# and the result should be an inner lookup table (hash or ACL or RE), +# where the key used will be the sender. (Note that this structure is flatter +# than @score_sender_maps, where the first level result is a ref to a _list_ +# of inner lookup tables, not a ref to a single lookup table.) +# +#$per_recip_blacklist_sender_lookup_tables = { +# 'user1@my.example.com'=>new_RE(qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i), +# 'user2@my.example.com'=>[qw( spammer@d1.example,org .d2.example,org )], +#}; +#$per_recip_whitelist_sender_lookup_tables = { +# 'user@my.example.com' => [qw( friend@example.org .other.example.org )], +# '.my1.example.com' => [qw( !foe.other.example,org .other.example,org )], +# '.my2.example.com' => read_hash("$MYHOME/my2-wl.dat"), +# 'abuse@' => { 'postmaster@'=>1, +# 'cert-advisory-owner@cert.org'=>1, 'owner-alert@iss.net'=>1 }, +#}; + + +# +# Section VI - Resource limits +# + +# Sanity limit to the number of allowed recipients per SMTP transaction +# $smtpd_recipient_limit = 1100; # (default is 1100) + +# Resource limits to protect unpackers, decompressors and virus scanners +# against mail bombs (e.g. 42.zip) + + +# Maximum recursion level for extraction/decoding (0 or undef disables limit) +$MAXLEVELS = 14; # (default is undef, no limit) + +# Maximum number of extracted files (0 or undef disables the limit) +$MAXFILES = 1500; # (default is undef, no limit) + +# For the cumulative total of all decoded mail parts we set max storage size +# to defend against mail bombs. Even though parts may be deleted (replaced +# by decoded text) during decoding, the size they occupied is _not_ returned +# to the quota pool. +# +# Parameters to storage quota formula for unpacking/decoding/decompressing +# Formula: +# quota = max($MIN_EXPANSION_QUOTA, +# $mail_size*$MIN_EXPANSION_FACTOR, +# min($MAX_EXPANSION_QUOTA, $mail_size*$MAX_EXPANSION_FACTOR)) +# In plain words (later condition overrules previous ones): +# allow MAX_EXPANSION_FACTOR times initial mail size, +# but not more than MAX_EXPANSION_QUOTA, +# but not less than MIN_EXPANSION_FACTOR times initial mail size, +# but never less than MIN_EXPANSION_QUOTA +# +$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) +$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) +$MIN_EXPANSION_FACTOR = 5; # times original mail size (default is 5) +$MAX_EXPANSION_FACTOR = 500; # times original mail size (default is 500) + +# expiration time of cached results: time to live in seconds +# (how long the result of a virus/spam test remains valid) +$virus_check_negative_ttl= 3*60; # time to remember that mail was not infected +$virus_check_positive_ttl= 30*60; # time to remember that mail was infected +$spam_check_negative_ttl = 10*60; # time to remember that mail was not spam +$spam_check_positive_ttl = 30*60; # time to remember that mail was spam +# +# NOTE: +# Cache size will be determined by the largest of the $*_ttl values. +# Depending on the mail rate, the cache database may grow quite large. +# Reasonable compromise for the max value is 15 minutes to 2 hours. + +# +# Section VII - External programs, virus scanners +# + +# Specify a path string, which is a colon-separated string of directories +# (no trailing slashes!) to be assigned to the environment variable PATH +# and to serve for locating external programs below. + +# NOTE: if $daemon_chroot_dir is nonempty, the directories will be +# relative to the chroot directory specified; + +$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin'; + +# For external programs specify one string or a search list of strings (first +# match wins). The string (or: each string in a list) may be an absolute path, +# or just a program name, to be located via $path; +# Empty string or undef (=default) disables the use of that external program. +# Optionally command arguments may be specified - only the first substring +# up to the whitespace is used for file searching. + +$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability +$dspam = 'dspam'; + +# A list of pairs or n-tuples: [short-type, code_ref, optional-args...]. +# Maps short types to a decoding routine, the first match wins. +# Arguments beyond the first two can be program path string (or a listref of +# paths to be searched) or a reference to a variable containing such a path, +# which allows for lazy evaluation, making possible to assign values to +# legacy configuration variables even after the assignment to @decoders. +# +@decoders = ( + ['mail', \&do_mime_decode], + ['asc', \&do_ascii], + ['uue', \&do_ascii], + ['hqx', \&do_ascii], + ['ync', \&do_ascii], + ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], + ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ], + ['gz', \&do_uncompress, 'gzip -d'], + ['gz', \&do_gunzip], + ['bz2', \&do_uncompress, 'bzip2 -d'], + ['lzo', \&do_uncompress, 'lzop -d'], + ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], + ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], + ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ], + ['deb', \&do_ar, 'ar'], +# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill + ['zip', \&do_unzip], + ['7z', \&do_7zip, ['7zr','7za','7z'] ], + ['rar', \&do_unrar, ['rar','unrar'] ], + ['arj', \&do_unarj, ['arj','unarj'] ], + ['arc', \&do_arc, ['nomarch','arc'] ], + ['zoo', \&do_zoo, ['zoo','unzoo'] ], + ['lha', \&do_lha, 'lha'], +# ['doc', \&do_ole, 'ripole'], + ['cab', \&do_cabextract, 'cabextract'], + ['tnef', \&do_tnef_ext, 'tnef'], + ['tnef', \&do_tnef], +# ['sit', \&do_unstuff, 'unstuff'], # broken/unsafe decoder + ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], +); + + +# SpamAssassin settings + +# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value +# of the option local_tests_only. See Mail::SpamAssassin man page. +# If set to 1, no SA tests that require internet access will be performed. +# +$sa_local_tests_only = 0; # only tests which do not require internet access? +#$sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant + # for SA 3.0, its cf option is use_auto_whitelist) + +$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger + # (less than 1% of spam is > 64k) + # default: undef, no limitations + +# default values, customarily used in the @spam_*_level_maps as the last entry +$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level; + # undef is interpreted as lower than any spam level +$sa_tag2_level_deflt = 6.31;# add 'spam detected' headers at that level to + # passed mail, adding address extensions; +$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions + # at or above that level: bounce/reject/drop, + # quarantine +$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent, + # effectively turning D_BOUNCE into D_DISCARD; + # undef disables this feature and is a default; +# see also $sa_quarantine_cutoff_level above, which only controls quarantining + +# $penpals_bonus_score = 5; # (positive) score by which spam score is lowered + # when sender is known to have previously received mail from our + # local user from this mail system; zero or undef disables penpals + # lookups in SQL; default: undef +# $penpals_halflife = 10*24*60*60; #exponential decay time constant in seconds; + # penpal bonus is halved for each halflife period from the last mail + # sent by a local user to a current mail's sender; default: 7 days +# $penpals_threshold_low = 1.0; # no need for pen pals lookup on low spam score +# $penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam + +# $bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces + # bounce killer needs operational SQL logging (pen pals) ! + +# advanced example specifying per-recipient values using a hash lookup: +#@spam_tag_level_maps = (\$sa_tag_level_deflt); # this is a default +#@spam_tag2_level_maps = ( +# { 'user1@example.com' => 8.0, '.example.com' => 6.0 }, +# \$sa_tag2_level_deflt, # catchall default +#); +#@spam_kill_level_maps = ( +# { 'user1@example.com' => 8.0, '.example.com' => 6.0 }, +# \$sa_kill_level_deflt, # catchall default +#); +#@spam_dsn_cutoff_level_maps = ( +# { 'user1@example.com' => 10, '.example.com' => 15 }, +# \$sa_dsn_cutoff_level, # catchall default +#); + +# selectively trim down bounces to domains sending their own bounces with +# non-null return path, to frequently abused domains, or to those sending +# marginal spam +@spam_dsn_cutoff_level_bysender_maps = ( + { # an associative array (hash) lookup table, use lowercase keys + 'virgilio.it' => 7, 'mail.ru' => 7, '0451.com' => 7, + 'yahoo.co.uk' => 7, 'yahoo.co.jp' => 7, 'nobody@' => 7, + 'noreply@' => 0, 'no-reply@' => 0, 'donotreply@' => 0, + 'opt-in@' => 0, 'opt-out@' => 0, 'yahoo-dev-null@' => 0, + '.optin-out.com' => 0, 'daily@astrocenter.com' => 0, + 'spamadmin@fraunhofer.de'=> 7, # Sophos PureMessage spam bounces + }, + \$sa_dsn_cutoff_level, # catchall default value +); + +# a quick reference: +# tag_level contents category: CC_CLEAN, +# controls adding the X-Spam-Status and X-Spam-Level headers, +# tag2_level contents category: CC_SPAMMY, +# controls adding 'X-Spam-Flag: YES', editing (tagging) Subject, +# and adding address extensions, +# tag3_level contents category: CC_SPAMMY, minor category 1, +# like tag2, but may insert different Subject tag +# e.g. @spam_subject_tag3_maps=('***BLATANT*SPAM*** '); +# kill_level contents category: CC_SPAM, +# controls 'evasive actions' (reject, quarantine); +# it only makes sense to maintain the relationship: +# tag_level <= tag2_level <= tag3_level <= kill_level < +# < dsn_cutoff_level <= quarantine_cutoff_level + +# string to prepend to Subject header field when message exceeds tag2 level +#$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled) + # (only seen when spam is passed and recipient is + # in local_domains*) +# more examples, using @*_maps directly: +#@spam_subject_tag_maps = ('[possible-spam:_SCORE_] '); +#@spam_subject_tag2_maps = ('***SPAM*** _SCORE_ (_REQD_) '); +#@spam_subject_tag3_maps = ('***BLATANT*SPAM**** _SCORE_ (_REQD_) '); +# another examples, using _maps_by_ccat: +#$subject_tag_maps_by_ccat{+CC_CLEAN} = [ +# { lc('TestUser@example.net') => +# '**TEST:_U_,hits=_SCORE_,req=_REQD_,amid=_TASKID_,mid=_MAILID_**' } ]; + +#$sa_spam_modifies_subj = 1; # in @spam_modifies_subj_maps, default is true + +# Example: modify Subject for all local recipients except user@example.com +#@spam_modifies_subj_maps = ( [qw( !user@example.com . )] ); + +#$sa_spam_level_char = '*'; # char for X-Spam-Level bar, defaults to '*'; + # undef or empty disables inserting X-Spam-Level +#$sa_spam_report_header = 0; # insert X-Spam-Report header field? default false + +# stop anti-virus scanning when the first scanner detects a virus? +#$first_infected_stops_scan = 1; # default is false, all scanners in a section + # are called + +# @av_scanners is a list of n-tuples, where fields semantics is: +# 1. av scanner plain name, to be used in log and reports; +# 2a.scanner program name; this string will be submitted to subroutine +# find_external_programs(), which will try to find the full program path +# name during startup; if program is not found, this scanner is disabled. +# Besides a simple string (full program path name or just the basename +# to be looked for in PATH), this may be an array ref of alternative +# program names or full paths - the first match in the list will be used; +# 2b.alternatively, this second field may be a subroutine reference, +# and the whole n-tuple entry is passed to it as args; it should return +# a triple: ($scan_status,$output,$virusnames_ref), where: +# - $scan_status is: true if a virus was found, 0 if no viruses, +# undef if scanner was unable to complete its job (failed); +# - $output is an optional result string to appear in logging and macro %v; +# - $virusnames_ref is a ref to a list of detected virus names (may be +# undef or a ref to an empty list); +# 3. command arguments to be given to the scanner program; +# a substring {} will be replaced by the directory name to be scanned, i.e. +# "$tempdir/parts", a "*" will be replaced by base file names of parts; +# 4. an array ref of av scanner exit status values, or a regexp (to be +# matched against scanner output), indicating NO VIRUSES found; +# a special case is a value undef, which does not claim file to be clean +# (i.e. it never matches, similar to []), but suppresses a failure warning; +# to be used when the result is inconclusive (useful for specialized and +# quick partial scanners such as jpeg checker); +# 5. an array ref of av scanner exit status values, or a regexp (to be +# matched against scanner output), indicating VIRUSES WERE FOUND; +# a value undef may be used and it never matches (for consistency with 4.); +# Note: the virus match prevails over a 'not found' match, so it is safe +# even if the no. 4. matches for viruses too; +# 6. a regexp (to be matched against scanner output), returning a list +# of virus names found, or a sub ref, returning such a list when given +# scanner output as argument; +# 7. and 8.: (optional) subroutines to be executed before and after scanner +# (e.g. to set environment or current directory); +# see examples for these at KasperskyLab AVP and NAI uvscan. + +# NOTES: +# +# - NOT DEFINING @av_scanners (e.g. setting it to empty list, or deleting the +# whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE +# (which can be handy if all you want to do is spam scanning); +# +# - the order matters: although _all_ available entries from the list +# are tried regardless of their verdict, scanners are run in the order +# specified: the report from the first one detecting a virus will be used +# (providing virus names and scanner output); REARRANGE THE ORDER TO WILL; +# see also $first_infected_stops_scan; +# +# - it doesn't hurt to keep an unused command line scanner entry in the list +# if the program can not be found; the path search is only performed once +# during the program startup; +# +# COROLLARY: to disable a scanner that _does_ exist on your system, +# comment out its entry or use undef or '' as its program name/path +# (second parameter). An example where this is almost a must: disable +# Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl +# (same for Trophie/vscan, and clamd/clamscan), or if another unrelated +# program happens to have a name matching one of the entries ('sweep' +# again comes to mind); +# +# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES +# for interfacing (where the second parameter starts with \&). +# Keeping such entry and not having a corresponding virus scanner daemon +# causes an unnecessary connection attempt (which eventually times out, +# but it wastes precious time). For this reason the daemonized entries +# are commented in the distribution - just remove the '#' where needed. +# +# CERT list of av resources: http://www.cert.org/other_sources/viruses.html + +@av_scanners = ( + +# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/) +# ['Sophie', +# \&ask_daemon, ["{}/\n", '/var/run/sophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, +# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], + +# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ +# ['Sophos SAVI', \&sophos_savi ], + +### http://www.clamav.net/ +['ClamAV-clamd', + \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"], + qr/\bOK$/m, qr/\bFOUND$/m, + qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], +# NOTE: run clamd under the same user as amavisd, or run it under its own +# uid such as clamav, add user clamav to the amavis group, and then add +# AllowSupplementaryGroups to clamd.conf; +# NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in +# this entry; when running chrooted one may prefer socket "$MYHOME/clamd". + +# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) +# # note that Mail::ClamAV requires perl to be build with threading! +# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/m ], + +# ### http://www.openantivirus.org/ +# ['OpenAntiVirus ScannerDaemon (OAV)', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], +# qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ], + +# ### http://www.vanja.com/tools/trophie/ +# ['Trophie', +# \&ask_daemon, ["{}/\n", '/var/run/trophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, +# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], + +# ### http://www.grisoft.com/ +# ['AVG Anti-Virus', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], +# qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ], + +# ### http://www.f-prot.com/ +# ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6 +# \&ask_daemon, +# ["SCAN FILE {}/*\n", '127.0.0.1:10200'], +# qr/^(0|8|64) /m, +# qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m, +# qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ], + +# ### http://www.f-prot.com/ +# ['F-Prot f-protd', # old version +# \&ask_daemon, +# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", +# ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202', +# '127.0.0.1:10203', '127.0.0.1:10204'] ], +# qr/(?i)]*>clean<\/summary>/m, +# qr/(?i)]*>infected<\/summary>/m, +# qr/(?i)(.+)<\/name>/m ], + +# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ +# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later +# [pack('N',1). # DRWEBD_SCAN_CMD +# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES +# pack('N', # path length +# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). +# '{}/*'. # path +# pack('N',0). # content size +# pack('N',0), +# '/var/drweb/run/drwebd.sock', +# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot +# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default +# # '127.0.0.1:3000', # or over an inet socket +# ], +# qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED +# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF +# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm, +# ], +# # NOTE: If using amavis-milter, change length to: +# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). + + ### http://www.kaspersky.com/ (kav4mailservers) + ['KasperskyLab AVP - aveclient', + ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', + '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], + '-p /var/run/aveserver -s {}/*', + [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m, + qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, + ], + # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, + # currupted or protected archives are to be handled + + ### http://www.kaspersky.com/ + ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], + '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? + qr/infected: (.+)/m, + sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, + sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + + ### The kavdaemon and AVPDaemonClient have been removed from Kasperky + ### products and replaced by aveserver and aveclient + ['KasperskyLab AVPDaemonClient', + [ '/opt/AVP/kavdaemon', 'kavdaemon', + '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', + '/opt/AVP/AvpTeamDream', 'AvpTeamDream', + '/opt/AVP/avpdc', 'avpdc' ], + "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ], + # change the startup-script in /etc/init.d/kavd to: + # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" + # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) + # adjusting /var/amavis above to match your $TEMPBASE. + # The '-f=/var/amavis' is needed if not running it as root, so it + # can find, read, and write its pid file, etc., see 'man kavdaemon'. + # defUnix.prf: there must be an entry "*/var/amavis" (or whatever + # directory $TEMPBASE specifies) in the 'Names=' section. + # cd /opt/AVP/DaemonClients; configure; cd Sample; make + # cp AvpDaemonClient /opt/AVP/ + # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" + + ### http://www.centralcommand.com/ + ['CentralCommand Vexira (new) vascan', + ['vascan','/usr/lib/Vexira/vascan'], + "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". + "--log=/var/log/vascan.log {}", + [0,3], [1,2,5], + qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ], + # Adjust the path of the binary and the virus database as needed. + # 'vascan' does not allow to have the temp directory to be the same as + # the quarantine directory, and the quarantine option can not be disabled. + # If $QUARANTINEDIR is not used, then another directory must be specified + # to appease 'vascan'. Move status 3 to the second list if password + # protected files are to be considered infected. + + ### http://www.avira.com/ + ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus + ['Avira AntiVir', ['antivir','vexira'], + '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m, + qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | + (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ], + # NOTE: if you only have a demo version, remove -z and add 214, as in: + # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, + + ### http://www.commandsoftware.com/ + ['Command AntiVirus for Linux', 'csav', + '-all -archive -packed {}', [50], [51,52,53], + qr/Infection: (.+)/m ], + + ### http://www.symantec.com/ + ['Symantec CarrierScan via Symantec CommandLineScanner', + 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', + qr/^Files Infected:\s+0$/m, qr/^Infected\b/m, + qr/^(?:Info|Virus Name):\s+(.+)/m ], + + ### http://www.symantec.com/ + ['Symantec AntiVirus Scan Engine', + 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', + [0], qr/^Infected\b/m, + qr/^(?:Info|Virus Name):\s+(.+)/m ], + # NOTE: check options and patterns to see which entry better applies + +# ### http://www.f-secure.com/products/anti-virus/ version 4.65 +# ['F-Secure Antivirus for Linux servers', +# ['/opt/f-secure/fsav/bin/fsav', 'fsav'], +# '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '. +# '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8], +# qr/(?:infection|Infected|Suspected): (.+)/m ], + + ### http://www.f-secure.com/products/anti-virus/ version 5.52 + ['F-Secure Antivirus for Linux servers', + ['/opt/f-secure/fsav/bin/fsav', 'fsav'], + '--virus-action1=report --archive=yes --auto=yes '. + '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], + qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], + # NOTE: internal archive handling may be switched off by '--archive=no' + # to prevent fsav from exiting with status 9 on broken archives + +# ### http://www.avast.com/ +# ['avast! Antivirus daemon', +# \&ask_daemon, # greets with 220, terminate with QUIT +# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'], +# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ], + +# ### http://www.avast.com/ +# ['avast! Antivirus - Client/Server Version', 'avastlite', +# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], +# qr/\t\[L\]\t([^[ \t\015\012]+)/m ], + + ['CAI InoculateIT', 'inocucmd', # retired product + '-sec -nex {}', [0], [100], + qr/was infected by virus (.+)/m ], + # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html + + ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) + ['CAI eTrust Antivirus', 'etrust-wrapper', + '-arc -nex -spm h {}', [0], [101], + qr/is infected by virus: (.+)/m ], + # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer + # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 + + ### http://mks.com.pl/english.html + ['MkS_Vir for Linux (beta)', ['mks32','mks'], + '-s {}/*', [0], [1,2], + qr/--[ \t]*(.+)/m ], + + ### http://mks.com.pl/english.html + ['MkS_Vir daemon', 'mksscan', + '-s -q {}', [0], [1..7], + qr/^... (\S+)/m ], + +# ### http://www.nod32.com/, version v2.52 (old) +# ['ESET NOD32 for Linux Mail servers', +# ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'], +# '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '. +# '-w -a --action-on-infected=accept --action-on-uncleanable=accept '. +# '--action-on-notscanned=accept {}', +# [0,3], [1,2], qr/virus="([^"]+)"/m ], + +# ### http://www.eset.com/, version v2.7 (old) +# ['ESET NOD32 Linux Mail Server - command line interface', +# ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'], +# '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ], + +# ### http://www.eset.com/, version 2.71.12 +# ['ESET Software ESETS Command Line Interface', +# ['/usr/bin/esets_cli', 'esets_cli'], +# '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ], + + ### http://www.eset.com/, version 3.0 + ['ESET Software ESETS Command Line Interface', + ['/usr/bin/esets_cli', 'esets_cli'], + '--subdir {}', [0], [1,2,3], + qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ], + + ## http://www.nod32.com/, NOD32LFS version 2.5 and above + ['ESET NOD32 for Linux File servers', + ['/opt/eset/nod32/sbin/nod32','nod32'], + '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '. + '-w -a --action=1 -b {}', + [0], [1,10], qr/^object=.*, virus="(.*?)",/m ], + +# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 +# ['ESET Software NOD32 Client/Server (NOD32SS)', +# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT +# ["SCAN {}/*\r\n", '127.0.0.1:8448' ], +# qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ], + + ### http://www.norman.com/products_nvc.shtml + ['Norman Virus Control v5 / Linux', 'nvcc', + '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], + qr/(?i).* virus in .* -> \'(.+)\'/m ], + + ### http://www.pandasoftware.com/ + ['Panda CommandLineSecure 9 for Linux', + ['/opt/pavcl/usr/bin/pavcl','pavcl'], + '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', + qr/Number of files infected[ .]*: 0+(?!\d)/m, + qr/Number of files infected[ .]*: 0*[1-9]/m, + qr/Found virus :\s*(\S+)/m ], + # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' + # before starting amavisd - the bases are then loaded only once at startup. + # To reload bases in a signature update script: + # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr + # Please review other options of pavcl, for example: + # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies + +# ### http://www.pandasoftware.com/ +# ['Panda Antivirus for Linux', ['pavcl'], +# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', +# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], +# qr/Found virus :\s*(\S+)/m ], + +# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. +# Check your RAV license terms before fiddling with the following two lines! +# ['GeCAD RAV AntiVirus 8', 'ravav', +# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ], +# # NOTE: the command line switches changed with scan engine 8.5 ! +# # (btw, assigning stdin to /dev/null causes RAV to fail) + + ### http://www.nai.com/ + ['NAI McAfee AntiVirus (uvscan)', 'uvscan', + '--secure -rv --mime --summary --noboot --mailbox --program --timeout 180 - {}', [0], [13], + qr/(?x) Found (?: + \ the\ (.+)\ (?:virus|trojan) | + \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | + :\ (.+)\ NOT\ a\ virus)/m, + # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, + # sub {delete $ENV{LD_PRELOAD}}, + ], + # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before + # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 + # and then clear it when finished to avoid confusing anything else. + # NOTE2: to treat encrypted files as viruses replace the [13] with: + # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ + + ### http://www.virusbuster.hu/en/ + ['VirusBuster', ['vbuster', 'vbengcl'], + "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], + qr/: '(.*)' - Virus/m ], + # VirusBuster Ltd. does not support the daemon version for the workstation + # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of + # binaries, some parameters AND return codes have changed (from 3 to 1). + # See also the new Vexira entry 'vascan' which is possibly related. + +# ### http://www.virusbuster.hu/en/ +# ['VirusBuster (Client + Daemon)', 'vbengd', +# '-f -log scandir {}', [0], [3], +# qr/Virus found = (.*);/m ], +# # HINT: for an infected file it always returns 3, +# # although the man-page tells a different story + + ### http://www.cyber.com/ + ['CyberSoft VFind', 'vfind', + '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m, + # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, + ], + + ### http://www.avast.com/ + ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], + '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ], + + ### http://www.ikarus-software.com/ + ['Ikarus AntiVirus for Linux', 'ikarus', + '{}', [0], [40], qr/Signature (.+) found/m ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdscan', # new version + '--action=ignore --no-list {}', qr/^Infected files *:0+(?!\d)/m, + qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m, + qr/(?:suspected|infected): (.*)(?:\033|$)/m ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdc', # old version + '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m, + qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m, + qr/(?:suspected|infected): (.*)(?:\033|$)/m ], + # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may + # not apply to your version of bdc, check documentation and see 'bdc --help' + + ### ArcaVir for Linux and Unix http://www.arcabit.pl/ + ['ArcaVir for Linux', ['arcacmd','arcacmd.static'], + '-v 1 -summary 0 -s {}', [0], [1,2], + qr/(?:VIR|WIR):[ \t]*(.+)/m ], + +# ['File::Scan', sub {Amavis::AV::ask_av(sub{ +# use File::Scan; my($fn)=@_; +# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); +# my($vname) = $f->scan($fn); +# $f->error ? (2,"Error: ".$f->error) +# : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) }, +# ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ], + +# ### fully-fledged checker for JPEG marker segments of invalid length +# ['check-jpeg', +# sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) }, +# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ], +# # NOTE: place file JpegTester.pm somewhere where Perl can find it, +# # for example in /usr/local/lib/perl5/site_perl + +# ### example: simpleminded checker for JPEG marker segments with +# ### invalid length (only checks first 32k, which is not thorough enough) +# ['check-jpeg-simple', +# sub { Amavis::AV::ask_av(sub { +# my($f)=@_; local(*FF,$_,$1,$2); my(@r)=(0,'not jpeg'); +# open(FF,$f) or die "jpeg: open err $f: $!"; +# binmode(FF) or die "jpeg: binmode err $f: $!"; +# defined read(FF,$_,32000) or die "jpeg: read err $f: $!"; +# close(FF) or die "jpeg: close err $f: $!"; +# if (/^\xff\xd8\xff/) { +# @r=(0,'jpeg ok'); +# while (!/\G(?:\xff\xd9|\z)/gc) { # EOI or eof +# if (/\G\xff+(?=\xff|\z)/gc) {} # fill-bytes before marker +# elsif (/\G\xff([\x01\xd0-\xd8])/gc) {} # TEM, RSTi, SOI +# elsif (/\G\xff([^\x00\xff])(..)/gcs) { # marker segment start +# my($n)=unpack("n",$2)-2; +# $n=32766 if $n>32766; # Perl regexp limit +# if ($n<0) {@r=(1,"bad jpeg: len=$n, pos=".pos); last} +# elsif (/\G.{$n}/gcs) {} # ok +# elsif (/\G.{0,$n}\z/gcs) {last} # truncated +# else {@r=(1,"bad jpeg: unexpected, pos=".pos); last} +# } +# elsif (/\G[^\xff]+/gc) {} # ECS +# elsif (/\G(?:\xff\x00)+/gc) {} # ECS +# else {@r=(2,"bad jpeg: unexpected char, pos=".pos); last} +# } +# }; @r}, @_) }, +# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ], + +# ### an example/testing/template virus scanner (external), wastes 3 seconds +# ['wasteful sleeper example', +# '/bin/sleep', '3', # calls external program +# undef, undef, qr/no such/m ], + +# ### an example/testing/template virus scanner (internal), does nothing +# ['null', +# sub {}, ["{}"], # supplies its own subroutine, no external program +# undef, undef, qr/no such/m ], + +); + + +# If no virus scanners from the @av_scanners list produce 'clean' nor +# 'infected' status (i.e. they all fail to run or the list is empty), +# then _all_ scanners from the @av_scanners_backup list are tried +# (again, subject to $first_infected_stops_scan). When there are both +# daemonized and equivalent or similar command-line scanners available, +# it is customary to place slower command-line scanners in the +# @av_scanners_backup list. The default choice is somewhat arbitrary, +# move entries from one list to another as desired, keeping main scanners +# in the primary list to avoid warnings. + +@av_scanners_backup = ( + + ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV + ['ClamAV-clamscan', 'clamscan', + "--stdout --no-summary -r --tempdir=$TEMPBASE {}", + [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + + ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6 + ['F-PROT Antivirus for UNIX', ['fpscan'], + '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10 + [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3], + qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ], + + ### http://www.f-prot.com/ - backs up F-Prot Daemon (old) + ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], + '-dumb -ai -archive -packed -server {}', [0,8], [3,6], # or: [0], [3,6,8], + qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ], + + ### http://www.trendmicro.com/ - backs up Trophie + ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], + '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ], + + ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD + ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier + ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], + '-path={} -al -go -ot -cn -upn -ok-', + [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ], + + ### http://www.kaspersky.com/ + ['Kaspersky Antivirus v5.5', + ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', + '/opt/kav/5.5/kav4unix/bin/kavscanner', + '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'], + '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25], + qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m, +# sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, +# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + +# Commented out because the name 'sweep' clashes with Debian and FreeBSD +# package/port of an audio editor. Make sure the correct 'sweep' is found +# in the path when enabling. +# +# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl +# ['Sophos Anti Virus (sweep)', 'sweep', +# '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. +# '--no-reset-atime {}', +# [0,2], qr/Virus .*? found/m, +# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, +# ], +# # other options to consider: -idedir=/usr/local/sav + +# Always succeeds and considers mail clean. +# Potentially useful when all other scanners fail and it is desirable +# to let mail continue to flow with no virus checking (when uncommented). +# ['always-clean', sub {0}], + +); + + +# +# Section VIII - Debugging +# + +# The most useful debugging tool is to run amavisd-new non-detached +# from a terminal window using command: # amavisd debug + +# Some more refined approaches: + +# If sender matches ACL, turn debugging fully up, just for this one message +#@debug_sender_maps = ( ["test-sender\@$mydomain"] ); +#@debug_sender_maps = ( [qw( debug@example.com debug@example.net )] ); + +# May be useful along with @debug_sender_maps: +# Prevent all decoded originals being deleted (replaced by decoded part) +#@keep_decoded_original_maps = (1); + +# Turn on SpamAssassin debugging (output to STDERR, use with 'amavisd debug') +#$sa_debug = '1,all'; # defaults to false + + +# +# Section IX - Policy banks (dynamic policy switching) +# + +## Define some policy banks (sets of settings) and give them +## arbitrary names (the names '', 'MYNETS' and 'MYUSERS' have special meaning): +# +# $policy_bank{'ALT'} = { +# log_level => 3, +# syslog_ident => 'alt-amavis', +# syslog_facility => 'LOCAL3', +# inet_acl => [qw( 10.0.1.14 )], +# final_spam_destiny => D_PASS, final_bad_header_destiny => D_PASS, +# forward_method => 'smtp:*:*', +# notify_method => 'smtp:[127.0.0.1]:10025', +# virus_admin_maps => "abuse\@$mydomain", +# spam_lovers_maps => [@spam_lovers_maps, [qw( abuse@example.com )]], +# spam_tag_level_maps => 2.1, +# spam_tag2_level_maps => 6.32, +# spam_kill_level_maps => 6.72, +# spam_dsn_cutoff_level_maps => 8, +# defang_spam => 1, +# local_client_bind_address => '10.11.12.13', +# localhost_name => 'amavis.example.com', +# smtpd_greeting_banner => +# '${helo-name} ${protocol} ${product} ${version-id} (${version-date}) TEST service ready'; +# auth_mech_avail => [qw(PLAIN LOGIN)], +# auth_required_inp => 1, +# auth_required_out => 1, +# amavis_auth_user => 'amavisd', amavis_auth_pass = 'tOpsecretX', +# av_scanners => [ # provide only 'free' scanners +# ['ClamAV-clamd', +# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], +# qr/\bOK$/, qr/\bFOUND$/, +# qr/^.*?: (?!Infected Archive)(.*) FOUND$/, +# ], +# ], +# av_scanners_backup => [ +# ['ClamAV-clamscan', 'clamscan', +# "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], +# qr/^.*?: (?!Infected Archive)(.*) FOUND$/, +# ], +# ], +# }; + +# NOTE: the use of policy banks for changing protocol on the input socket is +# only needed when different protocols need to be spoken on different sockets +# at the same time. For normal use just set globally e.g.: $protocol='AM.PDP'; +# +#$policy_bank{'AM.PDP-SOCK'} = { +# protocol => 'AM.PDP', # Amavis policy delegation protocol +# auth_required_release => 0, # do not require secret_id for amavisd-release +#}; +# +#$policy_bank{'AM.PDP-INET'} = { +# protocol => 'AM.PDP', # Amavis policy delegation protocol +# inet_acl => [qw( 127.0.0.1 [::1] )], # restrict to these IP addresses +#}; +# +## the name 'MYNETS' has special semantics: this policy bank gets loaded +## whenever MTA supplies the original SMTP client IP address (Postfix XFORWARD +## extension or a new AM.PDP protocol) and that address matches @mynetworks. +# +# $terminate_dsn_on_notify_success = 1; +# $policy_bank{'MYNETS'} = { # mail originating from @mynetworks +# originating => 1, # is true in MYNETS by deflt, but let's make it explicit +# terminate_dsn_on_notify_success => 0, +# spam_kill_level_maps => 6.9, +# syslog_facility => 'LOCAL4', # tell syslog to log to a separate file +# virus_admin_maps => ["virusalert\@$mydomain"], # alert of internal viruses +# spam_admin_maps => ["spamalert\@$mydomain"], # alert of internal spam +# bypass_spam_checks_maps => [1], # or: don't spam-check internal mail +# bypass_banned_checks_maps => [1], # don't banned-check internal mail +# warnbadhsender => 1, # warn local senders about their broken MUA +# banned_filename_maps => ['MYNETS-DEFAULT'], # more permissive banning rules +# spam_quarantine_cutoff_level_maps => undef, # quarantine all local spam +# spam_dsn_cutoff_level_maps => undef, # ensure NDN regardless of spam level +# spam_dsn_cutoff_level_bysender_maps => # but only from local domain senders +# [ { lc(".$mydomain") => undef, '.' => 15 } ], +# }; + +## the name 'MYUSERS' has special semantics: this policy bank gets loaded +## whenever the sender matches @local_domains_maps. This only makes sense +## if local sender addresses can be trusted -- for example by requiring +## authentication before letting users send with their local address. +# +# $policy_bank{'MYUSERS'} = { +# final_virus_destiny => D_BOUNCE, # bounce only to authenticated local users +# final_banned_destiny=> D_BOUNCE, +# }; + +# Needed for Courier: speak courier protocol on the socket +#$interface_policy{'SOCK'} = 'AM-SOCK'; +#$policy_bank{'AM-SOCK'} = {protocol => 'COURIER'}; + +## Now we can assign policy banks to amavisd tcp port numbers listed in +## $inet_socket_port. Whenever the connection from MTA is received, first +## a built-in policy bank $policy_bank{''} gets loaded, which bringings-in +## all the global/legacy settings, then it gets overlaid by the bank +## named in the $interface_policy{$port} if any, and finally the bank +## 'MYNETS' is overlaid if it exists and the SMTP client IP address +## is known (by XFORWARD command from MTA) and it matches @mynetworks. + +# $interface_policy{'10026'} = 'ALT'; + +# used by amavisd-release utility of a new AM.PDP-based amavis-milter client +#$interface_policy{'9998'} = 'AM.PDP-INET'; +#$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; + +# invoke custom hooks or additional configuration files: +# include_config_files('/etc/amavisd-custom.conf'); + +# Want to execute additional configuration files from some directory? +#{ my($d) = '/etc/amavis/conf.d'; # do *.cf or *.conf files in this directory +# local(*D); opendir(D,$d) or die "Can't open dir $d: $!"; +# my(@d) = sort grep {/\.(cf|conf)$/ && -f} map {/^(.*)$/,"$d/$1"} readdir(D); +# closedir(D) or die "Can't close $d: $!"; +# include_config_files($_) for (@d); +#} + +1; # insure a defined return value diff --git a/amavisd.conf.orig b/amavisd.conf.orig new file mode 100644 index 0000000..7e6eb35 --- /dev/null +++ b/amavisd.conf.orig @@ -0,0 +1,806 @@ +use strict; + +# a minimalistic configuration file for amavisd-new with all necessary settings +# +# see amavisd.conf-default for a list of all variables with their defaults; +# for more details see documentation in INSTALL, README_FILES/* +# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html + + +# COMMONLY ADJUSTED SETTINGS: + +# @bypass_virus_checks_maps = (1); # controls running of anti-virus code +# @bypass_spam_checks_maps = (1); # controls running of anti-spam code +# $bypass_decode_parts = 1; # controls running of decoders&dearchivers + +$max_servers = 2; # num of pre-forked children (2..30 is common), -m +$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u +$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g + +$mydomain = 'example.com'; # a convenient default for other settings + +# $MYHOME = '/var/amavis'; # a convenient default for other settings, -H +$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T +$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc. +$QUARANTINEDIR = "$MYHOME/quarantine"; # -Q +# $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine +# $release_format = 'resend'; # 'attach', 'plain', 'resend' +# $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf' + +# $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R + +# $db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D +# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S +# $lock_file = "$MYHOME/var/amavisd.lock"; # -L +# $pid_file = "$MYHOME/var/amavisd.pid"; # -P +#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually + +$log_level = 0; # verbosity 0..5, -d +$log_recip_templ = undef; # disable by-recipient level-0 log entries +$do_syslog = 1; # log via syslogd (preferred) +$syslog_facility = 'mail'; # Syslog facility as a string + # e.g.: mail, daemon, user, local0, ... local7 + +$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) +$nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed +$enable_dkim_verification = 0; # enable DKIM signatures verification +$enable_dkim_signing = 0; # load DKIM signing code, keys defined by dkim_key + +@local_domains_maps = ( [".$mydomain"] ); # list of all local domains + +@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 + 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); + +$unix_socketname = "$MYHOME/amavisd.sock"; # amavisd-release or amavis-milter + # option(s) -p overrides $inet_socket_port and $unix_socketname + +$inet_socket_port = 10024; # listen on this local TCP port(s) +# $inet_socket_port = [10024,10026]; # listen on multiple TCP ports + +$policy_bank{'MYNETS'} = { # mail originating from @mynetworks + originating => 1, # is true in MYNETS by default, but let's make it explicit + os_fingerprint_method => undef, # don't query p0f for internal clients +}; + +# it is up to MTA to re-route mail from authenticated roaming users or +# from internal hosts to a dedicated TCP port (such as 10026) for filtering +$interface_policy{'10026'} = 'ORIGINATING'; + +$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users + originating => 1, # declare that mail was submitted by our smtp client + allow_disclaimers => 1, # enables disclaimer insertion if available + # notify administrator of locally originating malware + virus_admin_maps => ["virusalert\@$mydomain"], + spam_admin_maps => ["virusalert\@$mydomain"], + warnbadhsender => 1, + # forward to a smtpd service providing DKIM signing service + forward_method => 'smtp:[127.0.0.1]:10027', + # force MTA conversion to 7-bit (e.g. before DKIM signing) + smtpd_discard_ehlo_keywords => ['8BITMIME'], + bypass_banned_checks_maps => [1], # allow sending any file names and types + terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option +}; + +$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname + +# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c +# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'): +$policy_bank{'AM.PDP-SOCK'} = { + protocol => 'AM.PDP', + auth_required_release => 0, # do not require secret_id for amavisd-release +}; + +$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level +$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level +$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail) +$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent +$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From +# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off +$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database) +$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam +$bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces + +$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger +$sa_local_tests_only = 0; # only tests which do not require internet access? + +# @lookup_sql_dsn = +# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'], +# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], +# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); +# @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database + +# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP; +# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16) + +$virus_admin = "virusalert\@$mydomain"; # notifications recip. + +$mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender +$mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender +$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender +$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef + +@addr_extension_virus_maps = ('virus'); +@addr_extension_banned_maps = ('banned'); +@addr_extension_spam_maps = ('spam'); +@addr_extension_bad_header_maps = ('badh'); +# $recipient_delimiter = '+'; # undef disables address extensions altogether +# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+ + +$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; +# $dspam = 'dspam'; + +$MAXLEVELS = 14; +$MAXFILES = 1500; +$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) +$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) + +$sa_spam_subject_tag = '***Spam*** '; +$defang_virus = 1; # MIME-wrap passed infected mail +$defang_banned = 1; # MIME-wrap passed mail containing banned name +# for defanging bad headers only turn on certain minor contents categories: +$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header +$defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters +$defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error + + +# OTHER MORE COMMON SETTINGS (defaults may suffice): + +# $myhostname = 'host.example.com'; # must be a fully-qualified domain name! + +# $notify_method = 'smtp:[127.0.0.1]:10025'; +# $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter! + +# $final_virus_destiny = D_DISCARD; +# $final_banned_destiny = D_DISCARD; +# $final_spam_destiny = D_PASS; #!!! D_DISCARD / D_REJECT +# $final_bad_header_destiny = D_PASS; +# $bad_header_quarantine_method = undef; + +# $os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl + +## hierarchy by which a final setting is chosen: +## policy bank (based on port or IP address) -> *_by_ccat +## *_by_ccat (based on mail contents) -> *_maps +## *_maps (based on recipient address) -> final configuration value + + +# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all) + +# $warnbadhsender, +# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps) +# +# @bypass_virus_checks_maps, @bypass_spam_checks_maps, +# @bypass_banned_checks_maps, @bypass_header_checks_maps, +# +# @virus_lovers_maps, @spam_lovers_maps, +# @banned_files_lovers_maps, @bad_header_lovers_maps, +# +# @blacklist_sender_maps, @score_sender_maps, +# +# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to, +# $bad_header_quarantine_to, $spam_quarantine_to, +# +# $defang_bad_header, $defang_undecipherable, $defang_spam + + +# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS + +@keep_decoded_original_maps = (new_RE( + qr'^MAIL$', # retain full original message for virus checking + qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables + qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, +# qr'^Zip archive data', # don't trust Archive::Zip +)); + + +$banned_filename_re = new_RE( + +### BLOCKED ANYWHERE +# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components + qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary +# qr'^\.(exe|lha|cab|dll)$', # banned file(1) types + +### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: +# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 + [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives + + qr'.\.(pif|scr)$'i, # banned extensions - rudimentary +# qr'^\.zip$', # block zip type + +### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: +# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives + + qr'^application/x-msdownload$'i, # block these MIME types + qr'^application/x-msdos-program$'i, + qr'^application/hta$'i, + +# qr'^message/partial$'i, # rfc2046 MIME type +# qr'^message/external-body$'i, # rfc2046 MIME type + +# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type +# qr'^\.wmf$', # Windows Metafile file(1) type + + # block certain double extensions in filenames + qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, + +# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict +# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose + + qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic +# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd +# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| +# inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| +# msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd| +# wmf|wsc|wsf|wsh)$'ix, # banned extensions - long +# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also +# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename +# qr'^\.ani$', # banned animated cursor file(1) type +# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. +); +# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 +# and http://www.cknow.com/vtutor/vtextensions.htm + + +# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING + +@score_sender_maps = ({ # a by-recipient hash lookup table, + # results from all matching recipient tables are summed + +# ## per-recipient personal tables (NOTE: positive: black, negative: white) +# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], +# 'user3@example.com' => [{'.ebay.com' => -3.0}], +# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, +# '.cleargreen.com' => -5.0}], + + ## site-wide opinions about senders (the '.' matches any recipient) + '.' => [ # the _first_ matching sender determines the score boost + + new_RE( # regexp-type lookup table, just happens to be all soft-blacklist + [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], + [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], + [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], + [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], + [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], + [qr'^(your_friend|greatoffers)@'i => 5.0], + [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], + ), + +# read_hash("/var/amavis/sender_scores_sitewide"), + + { # a hash-type lookup table (associative array) + 'nobody@cert.org' => -3.0, + 'cert-advisory@us-cert.gov' => -3.0, + 'owner-alert@iss.net' => -3.0, + 'slashdot@slashdot.org' => -3.0, + 'securityfocus.com' => -3.0, + 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, + 'security-alerts@linuxsecurity.com' => -3.0, + 'mailman-announce-admin@python.org' => -3.0, + 'amavis-user-admin@lists.sourceforge.net'=> -3.0, + 'amavis-user-bounces@lists.sourceforge.net' => -3.0, + 'spamassassin.apache.org' => -3.0, + 'notification-return@lists.sophos.com' => -3.0, + 'owner-postfix-users@postfix.org' => -3.0, + 'owner-postfix-announce@postfix.org' => -3.0, + 'owner-sendmail-announce@lists.sendmail.org' => -3.0, + 'sendmail-announce-request@lists.sendmail.org' => -3.0, + 'donotreply@sendmail.org' => -3.0, + 'ca+envelope@sendmail.org' => -3.0, + 'noreply@freshmeat.net' => -3.0, + 'owner-technews@postel.acm.org' => -3.0, + 'ietf-123-owner@loki.ietf.org' => -3.0, + 'cvs-commits-list-admin@gnome.org' => -3.0, + 'rt-users-admin@lists.fsck.com' => -3.0, + 'clp-request@comp.nus.edu.sg' => -3.0, + 'surveys-errors@lists.nua.ie' => -3.0, + 'emailnews@genomeweb.com' => -5.0, + 'yahoo-dev-null@yahoo-inc.com' => -3.0, + 'returns.groups.yahoo.com' => -3.0, + 'clusternews@linuxnetworx.com' => -3.0, + lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, + lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, + + # soft-blacklisting (positive score) + 'sender@example.net' => 3.0, + '.example.net' => 1.0, + + }, + ], # end of site-wide tables +}); + + +@decoders = ( + ['mail', \&do_mime_decode], +# ['asc', \&do_ascii], +# ['uue', \&do_ascii], +# ['hqx', \&do_ascii], +# ['ync', \&do_ascii], + ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], + ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ], + ['gz', \&do_uncompress, 'gzip -d'], + ['gz', \&do_gunzip], + ['bz2', \&do_uncompress, 'bzip2 -d'], + ['xz', \&Amavis::Unpackers::do_uncompress, + ['xzdec'. 'xz -dc', 'unxz -c', 'xzcat'] ], + ['lzma', \&Amavis::Unpackers::do_uncompress, + ['lzmadec', 'xz -dc --format=lzma', + 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], + ['lzo', \&do_uncompress, 'lzop -d'], + ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], + ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], + ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ], + ['deb', \&do_ar, 'ar'], +# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill + ['zip', \&do_unzip], + ['7z', \&do_7zip, ['7zr','7za','7z'] ], + ['rar', \&do_unrar, ['rar','unrar'] ], + ['arj', \&do_unarj, ['arj','unarj'] ], + ['arc', \&do_arc, ['nomarch','arc'] ], + ['zoo', \&do_zoo, ['zoo','unzoo'] ], + ['lha', \&do_lha, 'lha'], +# ['doc', \&do_ole, 'ripole'], + ['cab', \&do_cabextract, 'cabextract'], + ['tnef', \&do_tnef_ext, 'tnef'], + ['tnef', \&do_tnef], +# ['sit', \&do_unstuff, 'unstuff'], # broken/unsafe decoder + ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], +); + + +@av_scanners = ( + +# ### http://www.sophos.com/ +# ['Sophos-SSSP', +# \&ask_daemon, ["{}", 'sssp:/var/run/savdi/sssp.sock'], +# # or: ["{}", 'sssp:[127.0.0.1]:4010'], +# qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ], + +# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/) +# ['Sophie', +# \&ask_daemon, ["{}/\n", 'sophie:/var/run/sophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, +# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], + +# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ +# ['Sophos SAVI', \&ask_daemon, ['{}','savi-perl:'] ], + +# ['Avira SAVAPI', +# \&ask_daemon, ["*", 'savapi:/var/tmp/.savapi3', 'product-id'], +# qr/^(200|210)/m, qr/^(310|420|319)/m, +# qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m +# settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1 + +# ### http://www.clamav.net/ +# ['ClamAV-clamd', +# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], +# qr/\bOK$/m, qr/\bFOUND$/m, +# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], +# # NOTE: run clamd under the same user as amavisd, or run it under its own +# # uid such as clamav, add user clamav to the amavis group, and then add +# # AllowSupplementaryGroups to clamd.conf; +# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in +# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd". + +# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) +# # note that Mail::ClamAV requires perl to be build with threading! +# ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'], +# [0], [1], qr/^INFECTED: (.+)/m], + +# ### http://www.openantivirus.org/ +# ['OpenAntiVirus ScannerDaemon (OAV)', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], +# qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ], + +# ### http://www.vanja.com/tools/trophie/ +# ['Trophie', +# \&ask_daemon, ["{}/\n", 'trophie:/var/run/trophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, +# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], + +# ### http://www.grisoft.com/ +# ['AVG Anti-Virus', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], +# qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ], + +# ### http://www.f-prot.com/ +# ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6 +# \&ask_daemon, +# ["SCAN FILE {}/*\n", '127.0.0.1:10200'], +# qr/^(0|8|64) /m, +# qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m, +# qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ], + +# ### http://www.f-prot.com/ +# ['F-Prot f-protd', # old version +# \&ask_daemon, +# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", +# ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202', +# '127.0.0.1:10203', '127.0.0.1:10204'] ], +# qr/(?i)]*>clean<\/summary>/m, +# qr/(?i)]*>infected<\/summary>/m, +# qr/(?i)(.+)<\/name>/m ], + +# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ +# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later +# [pack('N',1). # DRWEBD_SCAN_CMD +# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES +# pack('N', # path length +# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). +# '{}/*'. # path +# pack('N',0). # content size +# pack('N',0), +# '/var/drweb/run/drwebd.sock', +# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot +# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default +# # '127.0.0.1:3000', # or over an inet socket +# ], +# qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED +# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF +# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm, +# ], +# # NOTE: If using amavis-milter, change length to: +# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). + + ### http://www.kaspersky.com/ (kav4mailservers) + ['KasperskyLab AVP - aveclient', + ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', + '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], + '-p /var/run/aveserver -s {}/*', + [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m, + qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, + ], + # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, + # currupted or protected archives are to be handled + + ### http://www.kaspersky.com/ + ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], + '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? + qr/infected: (.+)/m, + sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, + sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + + ### The kavdaemon and AVPDaemonClient have been removed from Kasperky + ### products and replaced by aveserver and aveclient + ['KasperskyLab AVPDaemonClient', + [ '/opt/AVP/kavdaemon', 'kavdaemon', + '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', + '/opt/AVP/AvpTeamDream', 'AvpTeamDream', + '/opt/AVP/avpdc', 'avpdc' ], + "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ], + # change the startup-script in /etc/init.d/kavd to: + # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" + # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) + # adjusting /var/amavis above to match your $TEMPBASE. + # The '-f=/var/amavis' is needed if not running it as root, so it + # can find, read, and write its pid file, etc., see 'man kavdaemon'. + # defUnix.prf: there must be an entry "*/var/amavis" (or whatever + # directory $TEMPBASE specifies) in the 'Names=' section. + # cd /opt/AVP/DaemonClients; configure; cd Sample; make + # cp AvpDaemonClient /opt/AVP/ + # su - amavis -c "${PREFIX}/kavdaemon ${DPARMS}" + + ### http://www.centralcommand.com/ + ['CentralCommand Vexira (new) vascan', + ['vascan','/usr/lib/Vexira/vascan'], + "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". + "--log=/var/log/vascan.log {}", + [0,3], [1,2,5], + qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ], + # Adjust the path of the binary and the virus database as needed. + # 'vascan' does not allow to have the temp directory to be the same as + # the quarantine directory, and the quarantine option can not be disabled. + # If $QUARANTINEDIR is not used, then another directory must be specified + # to appease 'vascan'. Move status 3 to the second list if password + # protected files are to be considered infected. + + ### http://www.avira.com/ + ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus + ['Avira AntiVir', ['antivir','vexira'], + '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m, + qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | + (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ], + # NOTE: if you only have a demo version, remove -z and add 214, as in: + # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, + + ### http://www.avira.com/ + ### Avira for UNIX 3.x + ['Avira AntiVir', ['avscan'], + '-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m, + qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ], + + ### http://www.commandsoftware.com/ + ['Command AntiVirus for Linux', 'csav', + '-all -archive -packed {}', [50], [51,52,53], + qr/Infection: (.+)/m ], + + ### http://www.symantec.com/ + ['Symantec CarrierScan via Symantec CommandLineScanner', + 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', + qr/^Files Infected:\s+0$/m, qr/^Infected\b/m, + qr/^(?:Info|Virus Name):\s+(.+)/m ], + + ### http://www.symantec.com/ + ['Symantec AntiVirus Scan Engine', + 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', + [0], qr/^Infected\b/m, + qr/^(?:Info|Virus Name):\s+(.+)/m ], + # NOTE: check options and patterns to see which entry better applies + +# ### http://www.f-secure.com/products/anti-virus/ version 4.65 +# ['F-Secure Antivirus for Linux servers', +# ['/opt/f-secure/fsav/bin/fsav', 'fsav'], +# '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '. +# '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8], +# qr/(?:infection|Infected|Suspected): (.+)/m ], + + ### http://www.f-secure.com/products/anti-virus/ version 5.52 + ['F-Secure Antivirus for Linux servers', + ['/opt/f-secure/fsav/bin/fsav', 'fsav'], + '--virus-action1=report --archive=yes --auto=yes '. + '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], + qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], + # NOTE: internal archive handling may be switched off by '--archive=no' + # to prevent fsav from exiting with status 9 on broken archives + +# ### http://www.avast.com/ +# ['avast! Antivirus daemon', +# \&ask_daemon, # greets with 220, terminate with QUIT +# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'], +# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ], + +# ### http://www.avast.com/ +# ['avast! Antivirus - Client/Server Version', 'avastlite', +# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], +# qr/\t\[L\]\t([^[ \t\015\012]+)/m ], + + ['CAI InoculateIT', 'inocucmd', # retired product + '-sec -nex {}', [0], [100], + qr/was infected by virus (.+)/m ], + # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html + + ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) + ['CAI eTrust Antivirus', 'etrust-wrapper', + '-arc -nex -spm h {}', [0], [101], + qr/is infected by virus: (.+)/m ], + # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer + # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 + + ### http://mks.com.pl/english.html + ['MkS_Vir for Linux (beta)', ['mks32','mks'], + '-s {}/*', [0], [1,2], + qr/--[ \t]*(.+)/m ], + + ### http://mks.com.pl/english.html + ['MkS_Vir daemon', 'mksscan', + '-s -q {}', [0], [1..7], + qr/^... (\S+)/m ], + +# ### http://www.nod32.com/, version v2.52 (old) +# ['ESET NOD32 for Linux Mail servers', +# ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'], +# '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '. +# '-w -a --action-on-infected=accept --action-on-uncleanable=accept '. +# '--action-on-notscanned=accept {}', +# [0,3], [1,2], qr/virus="([^"]+)"/m ], + +# ### http://www.eset.com/, version v2.7 (old) +# ['ESET NOD32 Linux Mail Server - command line interface', +# ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'], +# '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ], + +# ### http://www.eset.com/, version 2.71.12 +# ['ESET Software ESETS Command Line Interface', +# ['/usr/bin/esets_cli', 'esets_cli'], +# '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ], + + ### http://www.eset.com/, version 3.0 + ['ESET Software ESETS Command Line Interface', + ['/usr/bin/esets_cli', 'esets_cli'], + '--subdir {}', [0], [1,2,3], + qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ], + + ## http://www.nod32.com/, NOD32LFS version 2.5 and above + ['ESET NOD32 for Linux File servers', + ['/opt/eset/nod32/sbin/nod32','nod32'], + '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '. + '-w -a --action=1 -b {}', + [0], [1,10], qr/^object=.*, virus="(.*?)",/m ], + +# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 +# ['ESET Software NOD32 Client/Server (NOD32SS)', +# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT +# ["SCAN {}/*\r\n", '127.0.0.1:8448' ], +# qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ], + + ### http://www.norman.com/products_nvc.shtml + ['Norman Virus Control v5 / Linux', 'nvcc', + '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], + qr/(?i).* virus in .* -> \'(.+)\'/m ], + + ### http://www.pandasoftware.com/ + ['Panda CommandLineSecure 9 for Linux', + ['/opt/pavcl/usr/bin/pavcl','pavcl'], + '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', + qr/Number of files infected[ .]*: 0+(?!\d)/m, + qr/Number of files infected[ .]*: 0*[1-9]/m, + qr/Found virus :\s*(\S+)/m ], + # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' + # before starting amavisd - the bases are then loaded only once at startup. + # To reload bases in a signature update script: + # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr + # Please review other options of pavcl, for example: + # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies + +# ### http://www.pandasoftware.com/ +# ['Panda Antivirus for Linux', ['pavcl'], +# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', +# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], +# qr/Found virus :\s*(\S+)/m ], + +# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. +# Check your RAV license terms before fiddling with the following two lines! +# ['GeCAD RAV AntiVirus 8', 'ravav', +# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ], +# # NOTE: the command line switches changed with scan engine 8.5 ! +# # (btw, assigning stdin to /dev/null causes RAV to fail) + + ### http://www.nai.com/ + ['NAI McAfee AntiVirus (uvscan)', 'uvscan', + '--secure -rv --mime --summary --noboot - {}', [0], [13], + qr/(?x) Found (?: + \ the\ (.+)\ (?:virus|trojan) | + \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | + :\ (.+)\ NOT\ a\ virus)/m, + # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, + # sub {delete $ENV{LD_PRELOAD}}, + ], + # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before + # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 + # and then clear it when finished to avoid confusing anything else. + # NOTE2: to treat encrypted files as viruses replace the [13] with: + # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ + + ### http://www.virusbuster.hu/en/ + ['VirusBuster', ['vbuster', 'vbengcl'], + "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], + qr/: '(.*)' - Virus/m ], + # VirusBuster Ltd. does not support the daemon version for the workstation + # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of + # binaries, some parameters AND return codes have changed (from 3 to 1). + # See also the new Vexira entry 'vascan' which is possibly related. + +# ### http://www.virusbuster.hu/en/ +# ['VirusBuster (Client + Daemon)', 'vbengd', +# '-f -log scandir {}', [0], [3], +# qr/Virus found = (.*);/m ], +# # HINT: for an infected file it always returns 3, +# # although the man-page tells a different story + + ### http://www.cyber.com/ + ['CyberSoft VFind', 'vfind', + '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m, + # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, + ], + + ### http://www.avast.com/ + ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], + '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ], + + ### http://www.ikarus-software.com/ + ['Ikarus AntiVirus for Linux', 'ikarus', + '{}', [0], [40], qr/Signature (.+) found/m ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdscan', # new version + '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m, + qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m, + qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdc', # old version + '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m, + qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m, + qr/(?:suspected|infected): (.*)(?:\033|$)/m ], + # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may + # not apply to your version of bdc, check documentation and see 'bdc --help' + + ### ArcaVir for Linux and Unix http://www.arcabit.pl/ + ['ArcaVir for Linux', ['arcacmd','arcacmd.static'], + '-v 1 -summary 0 -s {}', [0], [1,2], + qr/(?:VIR|WIR):[ \t]*(.+)/m ], + +# ### a generic SMTP-client interface to a SMTP-based virus scanner +# ['av_smtp', \&ask_av_smtp, +# ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'], +# qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ], + +# ['File::Scan', sub {Amavis::AV::ask_av(sub{ +# use File::Scan; my($fn)=@_; +# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); +# my($vname) = $f->scan($fn); +# $f->error ? (2,"Error: ".$f->error) +# : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) }, +# ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ], + +# ### fully-fledged checker for JPEG marker segments of invalid length +# ['check-jpeg', +# sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) }, +# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ], +# # NOTE: place file JpegTester.pm somewhere where Perl can find it, +# # for example in /usr/local/lib/perl5/site_perl + +); + + +@av_scanners_backup = ( + + ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV + ['ClamAV-clamscan', 'clamscan', + "--stdout --no-summary -r --tempdir=$TEMPBASE {}", + [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + +# ### http://www.clamav.net/ - using remote clamd scanner as a backup +# ['ClamAV-clamdscan', 'clamdscan', +# "--stdout --no-summary --config-file=/etc/clamd-client.conf {}", +# [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + +# ['ClamAV-clamd-stream', +# \&ask_daemon, ["*", 'clamd:/var/run/clamav/clamd'], +# qr/\bOK$/m, qr/\bFOUND$/m, +# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + + ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6 + ['F-PROT Antivirus for UNIX', ['fpscan'], + '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10 + [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3], + qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ], + + ### http://www.f-prot.com/ - backs up F-Prot Daemon (old) + ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], + '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8], + qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ], + + ### http://www.trendmicro.com/ - backs up Trophie + ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], + '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ], + + ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD + ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier + ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], + '-path={} -al -go -ot -cn -upn -ok-', + [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ], + + ### http://www.kaspersky.com/ + ['Kaspersky Antivirus v5.5', + ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', + '/opt/kav/5.5/kav4unix/bin/kavscanner', + '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'], + '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25], + qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m, +# sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, +# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + +# Commented out because the name 'sweep' clashes with Debian and FreeBSD +# package/port of an audio editor. Make sure the correct 'sweep' is found +# in the path when enabling. +# +# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl +# ['Sophos Anti Virus (sweep)', 'sweep', +# '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. +# '--no-reset-atime {}', +# [0,2], qr/Virus .*? found/m, +# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, +# ], +# # other options to consider: -idedir=/usr/local/sav + +# Always succeeds and considers mail clean. +# Potentially useful when all other scanners fail and it is desirable +# to let mail continue to flow with no virus checking (when uncommented). +# ['always-clean', sub {0}], + +); + + +1; # insure a defined return value diff --git a/ca-certificates.conf b/ca-certificates.conf new file mode 100644 index 0000000..8164d2e --- /dev/null +++ b/ca-certificates.conf @@ -0,0 +1,159 @@ +# Automatically generated by app-misc/ca-certificates-20110502-r1 +# Do 8. Sep 21:08:01 UTC 2011 +# Do not edit. +brasil.gov.br/brasil.gov.br.crt +cacert.org/cacert.org.crt +debconf.org/ca.crt +gouv.fr/cert_igca_dsa.crt +gouv.fr/cert_igca_rsa.crt +mozilla/ACEDICOM_Root.crt +mozilla/AC_Raíz_Certicámara_S.A..crt +mozilla/AddTrust_External_Root.crt +mozilla/AddTrust_Low-Value_Services_Root.crt +mozilla/AddTrust_Public_Services_Root.crt +mozilla/AddTrust_Qualified_Certificates_Root.crt +mozilla/America_Online_Root_Certification_Authority_1.crt +mozilla/America_Online_Root_Certification_Authority_2.crt +mozilla/AOL_Time_Warner_Root_Certification_Authority_1.crt +mozilla/AOL_Time_Warner_Root_Certification_Authority_2.crt +mozilla/ApplicationCA_-_Japanese_Government.crt +mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt +mozilla/Baltimore_CyberTrust_Root.crt +mozilla/Buypass_Class_2_CA_1.crt +mozilla/Buypass_Class_3_CA_1.crt +mozilla/CA_Disig.crt +mozilla/Camerfirma_Chambers_of_Commerce_Root.crt +mozilla/Camerfirma_Global_Chambersign_Root.crt +mozilla/Certigna.crt +mozilla/Certplus_Class_2_Primary_CA.crt +mozilla/certSIGN_ROOT_CA.crt +mozilla/Certum_Root_CA.crt +mozilla/Chambers_of_Commerce_Root_-_2008.crt +mozilla/CNNIC_ROOT.crt +mozilla/Comodo_AAA_Services_root.crt +mozilla/COMODO_Certification_Authority.crt +mozilla/COMODO_ECC_Certification_Authority.crt +mozilla/Comodo_Secure_Services_root.crt +mozilla/Comodo_Trusted_Services_root.crt +mozilla/ComSign_CA.crt +mozilla/ComSign_Secured_CA.crt +mozilla/Cybertrust_Global_Root.crt +mozilla/Deutsche_Telekom_Root_CA_2.crt +mozilla/DigiCert_Assured_ID_Root_CA.crt +mozilla/DigiCert_Global_Root_CA.crt +mozilla/DigiCert_High_Assurance_EV_Root_CA.crt +mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt +mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt +mozilla/DST_ACES_CA_X6.crt +mozilla/DST_Root_CA_X3.crt +mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt +mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt +mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt +mozilla/Entrust.net_Secure_Server_CA.crt +mozilla/Entrust_Root_Certification_Authority.crt +mozilla/ePKI_Root_Certification_Authority.crt +mozilla/Equifax_Secure_CA.crt +mozilla/Equifax_Secure_eBusiness_CA_1.crt +mozilla/Equifax_Secure_eBusiness_CA_2.crt +mozilla/Equifax_Secure_Global_eBusiness_CA.crt +mozilla/Firmaprofesional_Root_CA.crt +mozilla/GeoTrust_Global_CA_2.crt +mozilla/GeoTrust_Global_CA.crt +mozilla/GeoTrust_Primary_Certification_Authority.crt +mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt +mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt +mozilla/GeoTrust_Universal_CA_2.crt +mozilla/GeoTrust_Universal_CA.crt +mozilla/Global_Chambersign_Root_-_2008.crt +mozilla/GlobalSign_Root_CA.crt +mozilla/GlobalSign_Root_CA_-_R2.crt +mozilla/GlobalSign_Root_CA_-_R3.crt +mozilla/Go_Daddy_Class_2_CA.crt +mozilla/GTE_CyberTrust_Global_Root.crt +mozilla/Hongkong_Post_Root_CA_1.crt +mozilla/IGC_A.crt +mozilla/Izenpe.com.crt +mozilla/Juur-SK.crt +mozilla/Microsec_e-Szigno_Root_CA_2009.crt +mozilla/Microsec_e-Szigno_Root_CA.crt +mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt +mozilla/NetLock_Business_=Class_B=_Root.crt +mozilla/NetLock_Express_=Class_C=_Root.crt +mozilla/NetLock_Notary_=Class_A=_Root.crt +mozilla/NetLock_Qualified_=Class_QA=_Root.crt +mozilla/Network_Solutions_Certificate_Authority.crt +mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt +mozilla/QuoVadis_Root_CA_2.crt +mozilla/QuoVadis_Root_CA_3.crt +mozilla/QuoVadis_Root_CA.crt +mozilla/RSA_Root_Certificate_1.crt +mozilla/RSA_Security_2048_v3.crt +mozilla/Secure_Global_CA.crt +mozilla/SecureSign_RootCA11.crt +mozilla/SecureTrust_CA.crt +mozilla/Security_Communication_EV_RootCA1.crt +mozilla/Security_Communication_Root_CA.crt +mozilla/Sonera_Class_1_Root_CA.crt +mozilla/Sonera_Class_2_Root_CA.crt +mozilla/Staat_der_Nederlanden_Root_CA.crt +mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt +mozilla/Starfield_Class_2_CA.crt +mozilla/StartCom_Certification_Authority.crt +mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt +mozilla/Swisscom_Root_CA_1.crt +mozilla/SwissSign_Gold_CA_-_G2.crt +mozilla/SwissSign_Platinum_CA_-_G2.crt +mozilla/SwissSign_Silver_CA_-_G2.crt +mozilla/Taiwan_GRCA.crt +mozilla/TC_TrustCenter_Class_2_CA_II.crt +mozilla/TC_TrustCenter_Class_3_CA_II.crt +mozilla/TC_TrustCenter__Germany__Class_2_CA.crt +mozilla/TC_TrustCenter__Germany__Class_3_CA.crt +mozilla/TC_TrustCenter_Universal_CA_I.crt +mozilla/TC_TrustCenter_Universal_CA_III.crt +mozilla/TDC_Internet_Root_CA.crt +mozilla/TDC_OCES_Root_CA.crt +mozilla/Thawte_Personal_Freemail_CA.crt +mozilla/Thawte_Premium_Server_CA.crt +mozilla/thawte_Primary_Root_CA.crt +mozilla/thawte_Primary_Root_CA_-_G2.crt +mozilla/thawte_Primary_Root_CA_-_G3.crt +mozilla/Thawte_Server_CA.crt +mozilla/Thawte_Time_Stamping_CA.crt +mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt +mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt +mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt +mozilla/UTN_DATACorp_SGC_Root_CA.crt +mozilla/UTN_USERFirst_Email_Root_CA.crt +mozilla/UTN_USERFirst_Hardware_Root_CA.crt +mozilla/ValiCert_Class_1_VA.crt +mozilla/ValiCert_Class_2_VA.crt +mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt +mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt +mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt +mozilla/Verisign_Class_2_Public_Primary_Certification_Authority.crt +mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt +mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt +mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt +mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt +mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt +mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt +mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt +mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.crt +mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt +mozilla/VeriSign_Universal_Root_Certification_Authority.crt +mozilla/Visa_eCommerce_Root.crt +mozilla/Wells_Fargo_Root_CA.crt +mozilla/WellsSecure_Public_Root_Certificate_Authority.crt +mozilla/XRamp_Global_CA_Root.crt +signet.pl/signet_ca1_pem.crt +signet.pl/signet_ca2_pem.crt +signet.pl/signet_ca3_pem.crt +signet.pl/signet_ocspklasa2_pem.crt +signet.pl/signet_ocspklasa3_pem.crt +signet.pl/signet_pca2_pem.crt +signet.pl/signet_pca3_pem.crt +signet.pl/signet_rootca_pem.crt +signet.pl/signet_tsa1_pem.crt +spi-inc.org/spi-ca-2003.crt +spi-inc.org/spi-cacert-2008.crt diff --git a/clamd.conf b/clamd.conf new file mode 100644 index 0000000..bf35e17 --- /dev/null +++ b/clamd.conf @@ -0,0 +1,502 @@ +## +## Example config file for the Clam AV daemon +## Please read the clamd.conf(5) manual before editing this file. +## + + +# Comment or remove the line below. +# Example + +# Uncomment this option to enable logging. +# LogFile must be writable for the user running daemon. +# A full path is required. +# Default: disabled +LogFile /var/log/clamav/clamd.log + +# By default the log file is locked for writing - the lock protects against +# running clamd multiple times (if want to run another clamd, please +# copy the configuration file, change the LogFile variable, and run +# the daemon with --config-file option). +# This option disables log file locking. +# Default: no +#LogFileUnlock yes + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size +# in bytes just don't use modifiers. +# Default: 1M +#LogFileMaxSize 2M + +# Log time with each message. +# Default: no +LogTime yes + +# Also log clean files. Useful in debugging but drastically increases the +# log size. +# Default: no +#LogClean yes + +# Use system logger (can work together with LogFile). +# Default: no +#LogSyslog yes + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# Default: LOG_LOCAL6 +#LogFacility LOG_MAIL + +# Enable verbose logging. +# Default: no +#LogVerbose yes + +# Log additional information about the infected file, such as its +# size and hash, together with the virus name. +#ExtendedDetectionInfo yes + +# This option allows you to save a process identifier of the listening +# daemon (main thread). +# Default: disabled +PidFile /var/run/clamav/clamd.pid + +# Optional path to the global temporary directory. +# Default: system specific (usually /tmp or /var/tmp). +#TemporaryDirectory /var/tmp + +# Path to the database directory. +# Default: hardcoded (depends on installation options) +#DatabaseDirectory /var/lib/clamav + +# Only load the official signatures published by the ClamAV project. +# Default: no +#OfficialDatabaseOnly no + +# The daemon can work in local mode, network mode or both. +# Due to security reasons we recommend the local mode. + +# Path to a local socket file the daemon will listen on. +# Default: disabled (must be specified by a user) +LocalSocket /var/run/clamav/clamd.sock + +# Sets the group ownership on the unix socket. +# Default: disabled (the primary group of the user running clamd) +#LocalSocketGroup virusgroup + +# Sets the permissions on the unix socket to the specified mode. +# Default: disabled (socket is world accessible) +#LocalSocketMode 660 + +# Remove stale socket after unclean shutdown. +# Default: yes +#FixStaleSocket yes + +# TCP port address. +# Default: no +#TCPSocket 3310 + +# TCP address. +# By default we bind to INADDR_ANY, probably not wise. +# Enable the following to provide some degree of protection +# from the outside world. +# Default: no +#TCPAddr 127.0.0.1 + +# Maximum length the queue of pending connections may grow to. +# Default: 200 +#MaxConnectionQueueLength 30 + +# Clamd uses FTP-like protocol to receive data from remote clients. +# If you are using clamav-milter to balance load between remote clamd daemons +# on firewall servers you may need to tune the options below. + +# Close the connection when the data size limit is exceeded. +# The value should match your MTA's limit for a maximum attachment size. +# Default: 25M +#StreamMaxLength 10M + +# Limit port range. +# Default: 1024 +#StreamMinPort 30000 +# Default: 2048 +#StreamMaxPort 32000 + +# Maximum number of threads running at the same time. +# Default: 10 +#MaxThreads 20 + +# Waiting for data from a client socket will timeout after this time (seconds). +# Default: 120 +#ReadTimeout 300 + +# This option specifies the time (in seconds) after which clamd should +# timeout if a client doesn't provide any initial command after connecting. +# Default: 5 +#CommandReadTimeout 5 + +# This option specifies how long to wait (in miliseconds) if the send buffer is full. +# Keep this value low to prevent clamd hanging +# +# Default: 500 +#SendBufTimeout 200 + +# Maximum number of queued items (including those being processed by MaxThreads threads) +# It is recommended to have this value at least twice MaxThreads if possible. +# WARNING: you shouldn't increase this too much to avoid running out of file descriptors, +# the following condition should hold: +# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024) +# +# Default: 100 +#MaxQueue 200 + +# Waiting for a new job will timeout after this time (seconds). +# Default: 30 +#IdleTimeout 60 + +# Don't scan files and directories matching regex +# This directive can be used multiple times +# Default: scan all +#ExcludePath ^/proc/ +#ExcludePath ^/sys/ + +# Maximum depth directories are scanned at. +# Default: 15 +#MaxDirectoryRecursion 20 + +# Follow directory symlinks. +# Default: no +#FollowDirectorySymlinks yes + +# Follow regular file symlinks. +# Default: no +#FollowFileSymlinks yes + +# Scan files and directories on other filesystems. +# Default: yes +#CrossFilesystems yes + +# Perform a database check. +# Default: 600 (10 min) +#SelfCheck 600 + +# Execute a command when virus is found. In the command string %v will +# be replaced with the virus name. +# Default: no +#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v" + +# Run as another user (clamd must be started by root for this option to work) +# Default: don't drop privileges +User clamav + +# Initialize supplementary group access (clamd must be started by root). +# Default: no +AllowSupplementaryGroups yes + +# Stop daemon when libclamav reports out of memory condition. +#ExitOnOOM yes + +# Don't fork into background. +# Default: no +#Foreground yes + +# Enable debug messages in libclamav. +# Default: no +#Debug yes + +# Do not remove temporary files (for debug purposes). +# Default: no +#LeaveTemporaryFiles yes + +# Detect Possibly Unwanted Applications. +# Default: no +#DetectPUA yes + +# Exclude a specific PUA category. This directive can be used multiple times. +# See http://www.clamav.net/support/pua for the complete list of PUA +# categories. +# Default: Load all categories (if DetectPUA is activated) +#ExcludePUA NetTool +#ExcludePUA PWTool + +# Only include a specific PUA category. This directive can be used multiple +# times. +# Default: Load all categories (if DetectPUA is activated) +#IncludePUA Spy +#IncludePUA Scanner +#IncludePUA RAT + +# In some cases (eg. complex malware, exploits in graphic files, and others), +# ClamAV uses special algorithms to provide accurate detection. This option +# controls the algorithmic detection. +# Default: yes +#AlgorithmicDetection yes + + +## +## Executable files +## + +# PE stands for Portable Executable - it's an executable file format used +# in all 32 and 64-bit versions of Windows operating systems. This option allows +# ClamAV to perform a deeper analysis of executable files and it's also +# required for decompression of popular executable packers such as UPX, FSG, +# and Petite. If you turn off this option, the original files will still be +# scanned, but without additional processing. +# Default: yes +#ScanPE yes + +# Executable and Linking Format is a standard format for UN*X executables. +# This option allows you to control the scanning of ELF files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanELF yes + +# With this option clamav will try to detect broken executables (both PE and +# ELF) and mark them as Broken.Executable. +# Default: no +#DetectBrokenExecutables yes + + +## +## Documents +## + +# This option enables scanning of OLE2 files, such as Microsoft Office +# documents and .msi files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanOLE2 yes + + +# With this option enabled OLE2 files with VBA macros, which were not +# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". +# Default: no +#OLE2BlockMacros no + +# This option enables scanning within PDF files. +# If you turn off this option, the original files will still be scanned, but +# without decoding and additional processing. +# Default: yes +#ScanPDF yes + + +## +## Mail files +## + +# Enable internal e-mail scanner. +# If you turn off this option, the original files will still be scanned, but +# without parsing individual messages/attachments. +# Default: yes +#ScanMail yes + +# Scan RFC1341 messages split over many emails. +# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. +# WARNING: This option may open your system to a DoS attack. +# Never use it on loaded servers. +# Default: no +#ScanPartialMessages yes + + +# With this option enabled ClamAV will try to detect phishing attempts by using +# signatures. +# Default: yes +#PhishingSignatures yes + +# Scan URLs found in mails for phishing attempts using heuristics. +# Default: yes +#PhishingScanURLs yes + +# Always block SSL mismatches in URLs, even if the URL isn't in the database. +# This can lead to false positives. +# +# Default: no +#PhishingAlwaysBlockSSLMismatch no + +# Always block cloaked URLs, even if URL isn't in database. +# This can lead to false positives. +# +# Default: no +#PhishingAlwaysBlockCloak no + +# Allow heuristic match to take precedence. +# When enabled, if a heuristic scan (such as phishingScan) detects +# a possible virus/phish it will stop scan immediately. Recommended, saves CPU +# scan-time. +# When disabled, virus/phish detected by heuristic scans will be reported only at +# the end of a scan. If an archive contains both a heuristically detected +# virus/phish, and a real malware, the real malware will be reported +# +# Keep this disabled if you intend to handle "*.Heuristics.*" viruses +# differently from "real" malware. +# If a non-heuristically-detected virus (signature-based) is found first, +# the scan is interrupted immediately, regardless of this config option. +# +# Default: no +#HeuristicScanPrecedence yes + +## +## Data Loss Prevention (DLP) +## + +# Enable the DLP module +# Default: No +#StructuredDataDetection yes + +# This option sets the lowest number of Credit Card numbers found in a file +# to generate a detect. +# Default: 3 +#StructuredMinCreditCardCount 5 + +# This option sets the lowest number of Social Security Numbers found +# in a file to generate a detect. +# Default: 3 +#StructuredMinSSNCount 5 + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxx-yy-zzzz +# Default: yes +#StructuredSSNFormatNormal yes + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxxyyzzzz +# Default: no +#StructuredSSNFormatStripped yes + + +## +## HTML +## + +# Perform HTML normalisation and decryption of MS Script Encoder code. +# Default: yes +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +#ScanHTML yes + + +## +## Archives +## + +# ClamAV can scan within archives and compressed files. +# If you turn off this option, the original files will still be scanned, but +# without unpacking and additional processing. +# Default: yes +#ScanArchive yes + +# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). +# Default: no +#ArchiveBlockEncrypted no + + +## +## Limits +## + +# The options below protect your system against Denial of Service attacks +# using archive bombs. + +# This option sets the maximum amount of data to be scanned for each input file. +# Archives and other containers are recursively extracted and scanned up to this +# value. +# Value of 0 disables the limit +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 100M +#MaxScanSize 150M + +# Files larger than this limit won't be scanned. Affects the input file itself +# as well as files contained inside it (when the input file is an archive, a +# document or some other kind of container). +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 25M +#MaxFileSize 30M + +# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR +# file, all files within it will also be scanned. This options specifies how +# deeply the process should be continued. +# Note: setting this limit too high may result in severe damage to the system. +# Default: 16 +#MaxRecursion 10 + +# Number of files to be scanned within an archive, a document, or any other +# container file. +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 10000 +#MaxFiles 15000 + + +## +## Clamuko settings +## + +# Enable Clamuko. Dazuko must be configured and running. Clamuko supports +# both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS +# is the preferred option. For more information please visit www.dazuko.org +# Default: no +#ClamukoScanOnAccess yes + +# The number of scanner threads that will be started (DazukoFS only). +# Having multiple scanner threads allows Clamuko to serve multiple +# processes simultaneously. This is particularly beneficial on SMP machines. +# Default: 3 +#ClamukoScannerCount 3 + +# Don't scan files larger than ClamukoMaxFileSize +# Value of 0 disables the limit. +# Default: 5M +#ClamukoMaxFileSize 10M + +# Set access mask for Clamuko (Dazuko only). +# Default: no +#ClamukoScanOnOpen yes +#ClamukoScanOnClose yes +#ClamukoScanOnExec yes + +# Set the include paths (all files inside them will be scanned). You can have +# multiple ClamukoIncludePath directives but each directory must be added +# in a seperate line. (Dazuko only) +# Default: disabled +#ClamukoIncludePath /home +#ClamukoIncludePath /students + +# Set the exclude paths. All subdirectories are also excluded. (Dazuko only) +# Default: disabled +#ClamukoExcludePath /home/bofh + +# With this option you can whitelist specific UIDs. Processes with these UIDs +# will be able to access all files. +# This option can be used multiple times (one per line). +# Default: disabled +#ClamukoExcludeUID 0 + +# With this option enabled ClamAV will load bytecode from the database. +# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses. +# Default: yes +#Bytecode yes + +# Set bytecode security level. +# Possible values: +# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS +# This value is only available if clamav was built with --enable-debug! +# TrustSigned - trust bytecode loaded from signed .c[lv]d files, +# insert runtime safety checks for bytecode loaded from other sources +# Paranoid - don't trust any bytecode, insert runtime checks for all +# Recommended: TrustSigned, because bytecode in .cvd files already has these checks +# Note that by default only signed bytecode is loaded, currently you can only +# load unsigned bytecode in --enable-debug mode. +# +# Default: TrustSigned +#BytecodeSecurity TrustSigned + +# Set bytecode timeout in miliseconds. +# +# Default: 5000 +# BytecodeTimeout 1000 diff --git a/colordiffrc b/colordiffrc new file mode 100644 index 0000000..6e75b2b --- /dev/null +++ b/colordiffrc @@ -0,0 +1,26 @@ +# Example colordiffrc file for dark backgrounds +# +# Set banner=no to suppress authorship info at top of +# colordiff output +banner=no +# By default, when colordiff output is being redirected +# to a file, it detects this and does not colour-highlight +# To make the patch file *include* colours, change the option +# below to 'yes' +color_patches=no +# +# available colours are: white, yellow, green, blue, +# cyan, red, magenta, black, +# darkwhite, darkyellow, darkgreen, +# darkblue, darkcyan, darkred, +# darkmagenta, darkblack +# +# Can also specify 'none', 'normal' or 'off' which are all +# aliases for the same thing, namely "don't colour highlight +# this, use the default output colour" +# +plain=off +newtext=blue +oldtext=red +diffstuff=magenta +cvsstuff=green diff --git a/colordiffrc-lightbg b/colordiffrc-lightbg new file mode 100644 index 0000000..fe5333f --- /dev/null +++ b/colordiffrc-lightbg @@ -0,0 +1,26 @@ +# Example colordiffrc file for light backgrounds +# +# Set banner=no to suppress authorship info at top of +# colordiff output +banner=no +# By default, when colordiff output is being redirected +# to a file, it detects this and does not colour-highlight +# To make the patch file *include* colours, change the option +# below to 'yes' +color_patches=no +# +# available colours are: white, yellow, green, blue, +# cyan, red, magenta, black, +# darkwhite, darkyellow, darkgreen, +# darkblue, darkcyan, darkred, +# darkmagenta, darkblack +# +# Can also specify 'none', 'normal' or 'off' which are all +# aliases for the same thing, namely "don't colour highlight +# this, use the default output colour" +# +plain=off +newtext=blue +oldtext=red +diffstuff=darkgreen +cvsstuff=darkmagenta diff --git a/cron.deny b/cron.deny new file mode 100644 index 0000000..3fae422 --- /dev/null +++ b/cron.deny @@ -0,0 +1,5 @@ +# $Id: vixie-cron-4.1-cron.deny,v 1.1 2005/03/04 23:59:48 ciaranm Exp $ +# If for any reason you have users in the 'cron' group who should not +# be allowed to run crontab, add them to this file (one username per +# line) + diff --git a/crontab b/crontab new file mode 100644 index 0000000..a38b89e --- /dev/null +++ b/crontab @@ -0,0 +1,15 @@ +# for vixie cron +# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/files/crontab-3.0.1-r4,v 1.2 2009/05/12 09:13:46 bangert Exp $ + +# Global variables +SHELL=/bin/bash +PATH=/sbin:/bin:/usr/sbin:/usr/bin +MAILTO=root +HOME=/ + +# check scripts in cron.hourly, cron.daily, cron.weekly and cron.monthly +59 * * * * root rm -f /var/spool/cron/lastrun/cron.hourly +9 3 * * * root rm -f /var/spool/cron/lastrun/cron.daily +19 4 * * 6 root rm -f /var/spool/cron/lastrun/cron.weekly +29 5 1 * * root rm -f /var/spool/cron/lastrun/cron.monthly +*/10 * * * * root test -x /usr/sbin/run-crons && /usr/sbin/run-crons diff --git a/csh.env b/csh.env new file mode 100644 index 0000000..2fadeaf --- /dev/null +++ b/csh.env @@ -0,0 +1,23 @@ +# THIS FILE IS AUTOMATICALLY GENERATED BY env-update. +# DO NOT EDIT THIS FILE. CHANGES TO STARTUP PROFILES +# GO INTO /etc/csh.cshrc NOT /etc/csh.env + +setenv CONFIG_PROTECT '/var/bind /usr/share/gnupg/qualified.txt' +setenv CONFIG_PROTECT_MASK '/etc/gentoo-release /etc/sandbox.d /etc/env.d/java/ /etc/php/cli-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/apache2-php5.3/ext-active/ /etc/fonts/fonts.conf /etc/terminfo /etc/ca-certificates.conf /etc/texmf/web2c /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/revdep-rebuild' +setenv EDITOR '/usr/bin/vim' +setenv GCC_SPECS '' +setenv GDK_USE_XFT '1' +setenv GUILE_LOAD_PATH '/usr/share/guile/1.8' +setenv HG '/usr/bin/hg' +setenv INFOPATH '/usr/share/info:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.21.1/info:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.5.3/info' +setenv LESS '-R -M --shift 5' +setenv LESSOPEN '|lesspipe %s' +setenv MANPATH '/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.21.1/man:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.5.3/man:/etc/java-config/system-vm/man/:/usr/lib64/php5.3/man/' +setenv PAGER '/usr/bin/less' +setenv PATH '/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.5.3:/usr/lib64/subversion/bin' +setenv PYTHONDOCS '/usr/share/doc/python-docs-2.7.1/html/library' +setenv PYTHONDOCS_2_7 '/usr/share/doc/python-docs-2.7.1/html/library' +setenv PYTHONDOCS_3_1 '/usr/share/doc/python-docs-3.1.3/html/library' +setenv ROOTPATH '/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.5.3:/usr/lib64/subversion/bin' +setenv XDG_CONFIG_DIRS '/etc/xdg' +setenv XDG_DATA_DIRS '/usr/local/share:/usr/share' diff --git a/dhcpcd.conf b/dhcpcd.conf new file mode 100644 index 0000000..eb625a7 --- /dev/null +++ b/dhcpcd.conf @@ -0,0 +1,23 @@ +# A sample configuration for dhcpcd. +# See dhcpcd.conf(5) for details. + +# Inform the DHCP server of our hostname for DDNS. +hostname +# To share the DHCP lease across OSX and Windows a ClientID is needed. +# Enabling this may get a different lease than the kernel DHCP client. +# Some upstream DHCP servers may also require a ClientID, such as FRITZ!Box. +#clientid + +# A list of options to request from the DHCP server. +option domain_name_servers, domain_name, domain_search, host_name +option classless_static_routes +# Most distributions have NTP support. +option ntp_servers +# Respect the network MTU. +option interface_mtu +# A ServerID is required by RFC2131. +require dhcp_server_identifier + +# A hook script is provided to lookup the hostname if not set by the DHCP +# server, but it should not be run by default. +nohook lookup-hostname diff --git a/dispatch-conf.conf b/dispatch-conf.conf new file mode 100644 index 0000000..3d956a1 --- /dev/null +++ b/dispatch-conf.conf @@ -0,0 +1,57 @@ +# +# dispatch-conf.conf +# + +# Directory to archive replaced configs +archive-dir=/etc/config-archive + +# Use rcs for storing files in the archive directory? +# WARNING: When configured to use rcs, read and execute permissions of +# archived files may be inherited from the first check in of a working +# file, as documented in the ci(1) man page. This means that even if +# the permissions of the working file have since changed, the older +# permissions of the first check in may be inherited. As mentioned in +# the ci(1) man page, users can control access to RCS files by setting +# the permissions of the directory containing the files (see +# archive-dir above). +# (yes or no) +use-rcs=yes + +# Diff for display +# %s old file +# %s new file +# If using colordiff instead of diff, the less -R option may be required +# for correct display. +#diff="diff -Nu '%s' '%s' | less --no-init --QUIT-AT-EOF" +diff="diff -Nu '%s' '%s' | colordiff | less -r --no-init --QUIT-AT-EOF" + +# Diff for interactive merges. +# %s output file +# %s old file +# %s new file +merge="sdiff --suppress-common-lines --output='%s' '%s' '%s'" + +# Automerge files comprising only CVS interpolations (e.g. Header or Id) +# (yes or no) +replace-cvs=yes + +# Automerge files comprising only whitespace and/or comments +# (yes or no) +replace-wscomments=yes + +# Automerge files that the user hasn't modified +# (yes or no) +replace-unmodified=yes + +# Ignore a version that is identical to the previously merged version, +# even though it is different from the current user modified version +# Note that emerge already has a similar feature enabled by default, +# which can be disabled by the emerge --noconfmem option. +# (yes or no) +ignore-previously-merged=no + +# Per-session log file of changes made to configuration files +log-file=/var/log/dispatch-conf.log + +# List of frozen files for which dispatch-conf will automatically zap updates +#frozen-files="" diff --git a/dmtab b/dmtab new file mode 100644 index 0000000..5fc1d79 --- /dev/null +++ b/dmtab @@ -0,0 +1,12 @@ +#/etc/dmraid: config file for adding device-mapper volumes at boot +# $Header: /var/cvsroot/gentoo-x86/sys-fs/lvm2/files/dmtab,v 1.1 2009/04/09 23:00:10 caleb Exp $ + +# Format: : +# Example: isw0: 0 312602976 striped 2 128 /dev/sda 0 /dev/sdb 0 +# +# Alternatively you can create all your volumes the first time, and just run: +# +# dmsetup table >> /etc/dmtab +# +# and verify that they are correct. + diff --git a/e2fsck.conf b/e2fsck.conf new file mode 100644 index 0000000..401cec4 --- /dev/null +++ b/e2fsck.conf @@ -0,0 +1,6 @@ +# See the e2fsck.conf man page for more info + +[options] + +# allow fsck to run sanely at any point in time #142850 +buggy_init_scripts = yes diff --git a/eixrc b/eixrc new file mode 100644 index 0000000..deda6e9 --- /dev/null +++ b/eixrc @@ -0,0 +1,29 @@ +# /etc/eixrc +# +# In this file system-wide defaults for variables related to eix binaries +# are stored, i.e. the variables set in this file override the built-in +# defaults. Both can be overridden by ~/.eixrc and by environment variables. +# +# It is strongly recommended to set here only those variables which you +# want to *differ* from the built-in defaults (or for which you have a +# particular reason why the default should never change with an eix update). +# +# *Otherwise you might miss changes in the defaults in newer eix versions* +# which may result in confusing behavior of the eix binaries. +# +# ebuilds of <=eix-0.10.3 (and >=eix-0.7.4) used to set *all* variables in +# /etc/eixrc which is not recommended anymore. If you want to get such a file +# (i.e. a file where all variables are described and set to the current +# values resp. to the built-in default values) you can redirect the output +# of the options --dump or --dump-defaults, respectively. +# +# However once more: To avoid unexpected problems +# +# *IT IS NOT RECOMMENDED TO SET _ALL_ VARIABLES* in /etc/eixrc +# +# Only set those for which you have a reason to do so! +# +# For the available variables and their defaults, see the output of the +# options --dump or --dump-defaults. +# For more detailed explanations see the manpage of eix. + diff --git a/environment b/environment new file mode 100644 index 0000000..3e704a6 --- /dev/null +++ b/environment @@ -0,0 +1,5 @@ +# +# This file is parsed by pam_env module +# +# Syntax: simple "KEY=VAL" pairs on separate lines +# diff --git a/etc-update.conf b/etc-update.conf new file mode 100644 index 0000000..cea2173 --- /dev/null +++ b/etc-update.conf @@ -0,0 +1,82 @@ +# /etc/etc-update.conf: config file for `etc-update` utility +# edit the lines below to your liking + +# mode - 0 for text, 1 for menu (support incomplete) +# note that you need dev-util/dialog installed +mode="0" + +# Whether to clear the term prior to each display +#clear_term="yes" +clear_term="no" + +# Whether trivial/comment changes should be automerged +eu_automerge="yes" + +# arguments used whenever rm is called +rm_opts="-i" + +# arguments used whenever mv is called +mv_opts="-i" + +# arguments used whenever cp is called +cp_opts="-i" + +# pager for use with diff commands +pager="less" +#pager="" + +# For emacs-users (see NOTE_2) +# diff_command="eval emacs -nw --eval=\'\(ediff\ \"%file1\"\ \"%file2\"\)\'" +#using_editor=1 + +# vim-users: you CAN use vimdiff for diff_command. (see NOTE_1 and NOTE_2) +#diff_command="vim -d %file1 %file2" +#using_editor=1 + +# If using colordiff instead of diff, the less -R option may be required +# for correct display (see 'pager' setting above). +diff_command="diff -uN %file1 %file2" +using_editor=0 + + +# vim-users: don't use vimdiff for merging (see NOTE_1) +merge_command="sdiff -s -o %merged %orig %new" + +# EXPLANATION +# +# pager: +# +# Examples of pager usage: +# pager="" # don't use a pager +# pager="less -E" # less +# pager="more" # more +# +# +# diff_command: +# +# Arguments: +# %file1 [REQUIRED] +# %file2 [REQUIRED] +# +# Examples of diff_command: +# diff_command="diff -uN %file1 %file2" # diff +# diff_command="vim -d %file1 %file2" # vimdiff +# +# +# merge_command: +# +# Arguments: +# %orig [REQUIRED] +# %new [REQUIRED] +# %merged [REQUIRED] +# +# Examples of merge_command: +# merge_command="sdiff -s -o %merged %old %new" # sdiff +# + +# NOTE_1: Editors such as vim/vimdiff are not usable for the merge_command +# because it is not known what filenames the produced files have (the user can +# choose while using those programs) + +# NOTE_2: Make sure using_editor is set to "1" when using an editor as +# diff_command! diff --git a/filesystems b/filesystems new file mode 100644 index 0000000..0bb9c3c --- /dev/null +++ b/filesystems @@ -0,0 +1,14 @@ +# /etc/filesystems +# +# This file defines the filesystems search order used by a +# 'mount -t auto' command. +# + +# Uncomment the following line if your modular kernel has vfat +# support and you want mount to try vfat. +#vfat + +# Keep the last '*' intact as it directs mount to use the +# filesystems list available at /proc/filesystems also. +# Don't remove it unless you REALLY know what you are doing! +* diff --git a/freshclam.conf b/freshclam.conf new file mode 100644 index 0000000..a218449 --- /dev/null +++ b/freshclam.conf @@ -0,0 +1,215 @@ +## +## Example config file for freshclam +## Please read the freshclam.conf(5) manual before editing this file. +## + + +# Comment or remove the line below. +# Example + +# Path to the database directory. +# WARNING: It must match clamd.conf's directive! +# Default: hardcoded (depends on installation options) +#DatabaseDirectory /var/lib/clamav + +# Path to the log file (make sure it has proper permissions) +# Default: disabled +UpdateLogFile /var/log/clamav/freshclam.log + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). +# in bytes just don't use modifiers. +# Default: 1M +#LogFileMaxSize 2M + +# Log time with each message. +# Default: no +#LogTime yes + +# Enable verbose logging. +# Default: no +#LogVerbose yes + +# Use system logger (can work together with UpdateLogFile). +# Default: no +#LogSyslog yes + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# Default: LOG_LOCAL6 +#LogFacility LOG_MAIL + +# This option allows you to save the process identifier of the daemon +# Default: disabled +PidFile /var/run/clamav/freshclam.pid + +# By default when started freshclam drops privileges and switches to the +# "clamav" user. This directive allows you to change the database owner. +# Default: clamav (may depend on installation options) +DatabaseOwner clamav + +# Initialize supplementary group access (freshclam must be started by root). +# Default: no +AllowSupplementaryGroups yes + +# Use DNS to verify virus database version. Freshclam uses DNS TXT records +# to verify database and software versions. With this directive you can change +# the database verification domain. +# WARNING: Do not touch it unless you're configuring freshclam to use your +# own database verification domain. +# Default: current.cvd.clamav.net +#DNSDatabaseInfo current.cvd.clamav.net + +# Uncomment the following line and replace XY with your country +# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list. +# You can use db.XY.ipv6.clamav.net for IPv6 connections. +#DatabaseMirror db.XY.clamav.net + +# database.clamav.net is a round-robin record which points to our most +# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is +# not working. DO NOT TOUCH the following line unless you know what you +# are doing. +DatabaseMirror database.clamav.net + +# How many attempts to make before giving up. +# Default: 3 (per mirror) +#MaxAttempts 5 + +# With this option you can control scripted updates. It's highly recommended +# to keep it enabled. +# Default: yes +ScriptedUpdates yes + +# By default freshclam will keep the local databases (.cld) uncompressed to +# make their handling faster. With this option you can enable the compression; +# the change will take effect with the next database update. +# Default: no +#CompressLocalDatabase no + +# With this option you can provide custom sources (http:// or file://) for +# database files. This option can be used multiple times. +# Default: no custom URLs +#DatabaseCustomURL http://myserver.com/mysigs.ndb +#DatabaseCustomURL file:///mnt/nfs/local.hdb + +# Number of database checks per day. +# Default: 12 (every two hours) +#Checks 24 + +# Proxy settings +# Default: disabled +#HTTPProxyServer myproxy.com +#HTTPProxyPort 1234 +#HTTPProxyUsername myusername +#HTTPProxyPassword mypass + +# If your servers are behind a firewall/proxy which applies User-Agent +# filtering you can use this option to force the use of a different +# User-Agent header. +# Default: clamav/version_number +#HTTPUserAgent SomeUserAgentIdString + +# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for +# multi-homed systems. +# Default: Use OS'es default outgoing IP address. +#LocalIPAddress aaa.bbb.ccc.ddd + +# Send the RELOAD command to clamd. +# Default: no +NotifyClamd /etc/clamd.conf + +# Run command after successful database update. +# Default: disabled +#OnUpdateExecute command + +# Run command when database update process fails. +# Default: disabled +#OnErrorExecute command + +# Run command when freshclam reports outdated version. +# In the command string %v will be replaced by the new version number. +# Default: disabled +#OnOutdatedExecute command + +# Don't fork into background. +# Default: no +#Foreground yes + +# Enable debug messages in libclamav. +# Default: no +#Debug yes + +# Timeout in seconds when connecting to database server. +# Default: 30 +#ConnectTimeout 60 + +# Timeout in seconds when reading from database server. +# Default: 30 +#ReceiveTimeout 60 + +# With this option enabled, freshclam will attempt to load new +# databases into memory to make sure they are properly handled +# by libclamav before replacing the old ones. +# Default: yes +#TestDatabases yes + +# When enabled freshclam will submit statistics to the ClamAV Project about +# the latest virus detections in your environment. The ClamAV maintainers +# will then use this data to determine what types of malware are the most +# detected in the field and in what geographic area they are. +# Freshclam will connect to clamd in order to get recent statistics. +# Default: no +#SubmitDetectionStats /path/to/clamd.conf + +# Country of origin of malware/detection statistics (for statistical +# purposes only). The statistics collector at ClamAV.net will look up +# your IP address to determine the geographical origin of the malware +# reported by your installation. If this installation is mainly used to +# scan data which comes from a different location, please enable this +# option and enter a two-letter code (see http://www.iana.org/domains/root/db/) +# of the country of origin. +# Default: disabled +#DetectionStatsCountry country-code + +# This option enables support for our "Personal Statistics" service. +# When this option is enabled, the information on malware detected by +# your clamd installation is made available to you through our website. +# To get your HostID, log on http://www.stats.clamav.net and add a new +# host to your host list. Once you have the HostID, uncomment this option +# and paste the HostID here. As soon as your freshclam starts submitting +# information to our stats collecting service, you will be able to view +# the statistics of this clamd installation by logging into +# http://www.stats.clamav.net with the same credentials you used to +# generate the HostID. For more information refer to: +# http://www.clamav.net/support/faq/faq-cctts/ +# This feature requires SubmitDetectionStats to be enabled. +# Default: disabled +#DetectionStatsHostID unique-id + +# This option enables support for Google Safe Browsing. When activated for +# the first time, freshclam will download a new database file (safebrowsing.cvd) +# which will be automatically loaded by clamd and clamscan during the next +# reload, provided that the heuristic phishing detection is turned on. This +# database includes information about websites that may be phishing sites or +# possible sources of malware. When using this option, it's mandatory to run +# freshclam at least every 30 minutes. +# Freshclam uses the ClamAV's mirror infrastructure to distribute the +# database and its updates but all the contents are provided under Google's +# terms of use. See http://code.google.com/support/bin/answer.py?answer=70015 +# and http://safebrowsing.clamav.net for more information. +# Default: disabled +#SafeBrowsing yes + +# This option enables downloading of bytecode.cvd, which includes additional +# detection mechanisms and improvements to the ClamAV engine. +# Default: enabled +#Bytecode yes + +# Download an additional 3rd party signature database distributed through +# the ClamAV mirrors. Here you can find a list of available databases: +# http://www.clamav.net/download/cvd/3rdparty +# This option can be used multiple times. +#ExtraDatabase dbname1 +#ExtraDatabase dbname2 diff --git a/fstab b/fstab new file mode 100644 index 0000000..ee8d4e0 --- /dev/null +++ b/fstab @@ -0,0 +1,48 @@ +# /etc/fstab: static file system information. +# +# noatime turns off atimes for increased performance (atimes normally aren't +# needed; notail increases performance of ReiserFS (at the expense of storage +# efficiency). It's safe to drop the noatime options if you want and to +# switch between notail / tail freely. +# +# The root filesystem should have a pass number of either 0 or 1. +# All other filesystems should have a pass number of 0 or greater than 1. +# +# See the manpage fstab(5) for more information. +# + +# + +# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts. +/dev/md2 /boot ext3 noauto,noatime 0 0 +/dev/md3 / ext3 noatime,acl,user_xattr 0 1 + +/dev/md4 none swap sw 0 0 + +/dev/vg0/tmp /tmp ext4 noatime 0 0 +/dev/vg0/usr /usr ext4 acl,user_xattr 0 0 +/dev/vg0/var /var ext4 acl,user_xattr 0 0 +/dev/vg0/opt /opt ext4 acl,user_xattr 0 0 + +#/dev/vg0/home /home ext4 quota,grpquota,acl,user_xattr 0 0 +#/dev/vg0/home /home ext4 acl,user_xattr 0 0 +/dev/vg0/home /home ext4 acl,user_xattr,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 0 + +/dev/vg0/var_tmp /var/tmp ext4 noatime 0 0 +/dev/vg0/www /var/www ext4 acl,user_xattr 0 0 +/dev/vg0/var_lib /var/lib ext4 noatime,acl,user_xattr 0 0 +/dev/vg0/backup /var/backup ext4 noatime,acl,user_xattr 0 0 +/dev/vg0/portage /usr/portage ext4 noatime 0 0 +/dev/vg0/distfiles /usr/portage/distfiles ext4 noatime 0 0 + +#/dev/vg0/sarah /var/sarah reiserfs ro,acl,user_xattr 0 0 + + +/dev/cdrom /mnt/cdrom auto noauto,ro 0 0 +#/dev/fd0 /mnt/floppy auto noauto 0 0 + +# glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for +# POSIX shared memory (shm_open, shm_unlink). +# (tmpfs is a dynamically expandable/shrinkable ramdisk, and will +# use almost no memory if not populated with files) +shm /dev/shm tmpfs nodev,nosuid,noexec 0 0 diff --git a/fstab.orig b/fstab.orig new file mode 100644 index 0000000..0832486 --- /dev/null +++ b/fstab.orig @@ -0,0 +1,27 @@ +# /etc/fstab: static file system information. +# +# noatime turns off atimes for increased performance (atimes normally aren't +# needed; notail increases performance of ReiserFS (at the expense of storage +# efficiency). It's safe to drop the noatime options if you want and to +# switch between notail / tail freely. +# +# The root filesystem should have a pass number of either 0 or 1. +# All other filesystems should have a pass number of 0 or greater than 1. +# +# See the manpage fstab(5) for more information. +# + +# + +# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts. +/dev/BOOT /boot ext2 noauto,noatime 1 2 +/dev/ROOT / ext3 noatime 0 1 +/dev/SWAP none swap sw 0 0 +/dev/cdrom /mnt/cdrom auto noauto,ro 0 0 +#/dev/fd0 /mnt/floppy auto noauto 0 0 + +# glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for +# POSIX shared memory (shm_open, shm_unlink). +# (tmpfs is a dynamically expandable/shrinkable ramdisk, and will +# use almost no memory if not populated with files) +shm /dev/shm tmpfs nodev,nosuid,noexec 0 0 diff --git a/ftpusers b/ftpusers new file mode 100644 index 0000000..4bc8872 --- /dev/null +++ b/ftpusers @@ -0,0 +1,37 @@ +# Provided by ftpbase (dont remove this line!) +# /etc/ftpusers: list of users disallowed FTP access +# $Header: /var/cvsroot/gentoo-x86/net-ftp/ftpbase/files/ftpusers,v 1.1 2005/06/28 14:52:26 uberlord Exp $ + +halt +operator +root +shutdown +sync +bin +daemon +adm +lp +mail +postmaster +news +uucp +man +games +at +cron +www +named +squid +gdm +mysql +postgres +guest +nobody +alias +qmaild +qmaill +qmailp +qmailq +qmailr +qmails +postfix diff --git a/gai.conf b/gai.conf new file mode 100644 index 0000000..ac31e38 --- /dev/null +++ b/gai.conf @@ -0,0 +1,75 @@ +# Configuration for getaddrinfo(3). +# +# So far only configuration for the destination address sorting is needed. +# RFC 3484 governs the sorting. But the RFC also says that system +# administrators should be able to overwrite the defaults. This can be +# achieved here. +# +# All lines have an initial identifier specifying the option followed by +# up to two values. Information specified in this file replaces the +# default information. Complete absence of data of one kind causes the +# appropriate default information to be used. The supported commands include: +# +# reload +# If set to yes, each getaddrinfo(3) call will check whether this file +# changed and if necessary reload. This option should not really be +# used. There are possible runtime problems. The default is no. +# +# label +# Add another rule to the RFC 3484 label table. See section 2.1 in +# RFC 3484. The default is: +# +#label ::1/128 0 +#label ::/0 1 +#label 2002::/16 2 +#label ::/96 3 +#label ::ffff:0:0/96 4 +#label fec0::/10 5 +#label fc00::/7 6 +#label 2001:0::/32 7 +# +# This default differs from the tables given in RFC 3484 by handling +# (now obsolete) site-local IPv6 addresses and Unique Local Addresses. +# The reason for this difference is that these addresses are never +# NATed while IPv4 site-local addresses most probably are. Given +# the precedence of IPv6 over IPv4 (see below) on machines having only +# site-local IPv4 and IPv6 addresses a lookup for a global address would +# see the IPv6 be preferred. The result is a long delay because the +# site-local IPv6 addresses cannot be used while the IPv4 address is +# (at least for the foreseeable future) NATed. We also treat Teredo +# tunnels special. +# +# precedence +# Add another rule to the RFC 3484 precedence table. See section 2.1 +# and 10.3 in RFC 3484. The default is: +# +#precedence ::1/128 50 +#precedence ::/0 40 +#precedence 2002::/16 30 +#precedence ::/96 20 +#precedence ::ffff:0:0/96 10 +# +# For sites which prefer IPv4 connections change the last line to +# +#precedence ::ffff:0:0/96 100 + +# +# scopev4 +# Add another rule to the RFC 3484 scope table for IPv4 addresses. +# The definitions in RFC 3484 are equivalent to: +# +#scopev4 ::ffff:169.254.0.0/112 2 +#scopev4 ::ffff:127.0.0.0/104 2 +#scopev4 ::ffff:10.0.0.0/104 5 +#scopev4 ::ffff:172.16.0.0/108 5 +#scopev4 ::ffff:192.168.0.0/112 5 +#scopev4 ::ffff:0.0.0.0/96 14 +# +# For sites which use site-local IPv4 addresses behind NAT there is +# the problem that even if IPv4 addresses are preferred they do not +# have the same scope and are therefore not sorted first. To change +# this use only these rules: +# +scopev4 ::ffff:169.254.0.0/112 2 +scopev4 ::ffff:127.0.0.0/104 2 +scopev4 ::ffff:0.0.0.0/96 14 diff --git a/gentoo-release b/gentoo-release new file mode 100644 index 0000000..12f72c1 --- /dev/null +++ b/gentoo-release @@ -0,0 +1 @@ +Gentoo Base System release 2.0.3 diff --git a/gitconfig b/gitconfig new file mode 100644 index 0000000..5a94055 --- /dev/null +++ b/gitconfig @@ -0,0 +1,2 @@ +[color] + ui = true diff --git a/group b/group new file mode 100644 index 0000000..8993b7d --- /dev/null +++ b/group @@ -0,0 +1,62 @@ +root:x:0:root,frank +bin:x:1:root,bin,daemon +daemon:x:2:root,bin,daemon +sys:x:3:root,bin,adm +adm:x:4:root,adm,daemon +tty:x:5:frank,taurec +disk:x:6:root,adm +lp:x:7:lp,frank,taurec +mem:x:8: +kmem:x:9: +wheel:x:10:root,frank,taurec,morph +floppy:x:11:root +mail:x:12:mail,postfix +news:x:13:news +uucp:x:14:uucp +man:x:15:man +cron:x:16:frank,taurec,morph,patrick,vivi,minecraft +console:x:17:frank,taurec +audio:x:18:frank,taurec +cdrom:x:19: +dialout:x:20:root +ftp:x:21: +sshd:x:22: +at:x:25: +tape:x:26:root +video:x:27:root,frank,taurec +games:x:35: +named:x:40: +mysql:x:60: +cdrw:x:80: +apache:x:81: +usb:x:85: +users:x:100:games,taurec +postgrey:x:101: +polw:x:102: +teamspeak3:x:103: +nagios:x:104:frank +wireshark:x:105: +lpadmin:x:106: +messagebus:x:110: +rpc:x:111: +locate:x:122:frank,taurec,morph,patrick,vivi +ntp:x:123: +tcpdump:x:196: +ulogd:x:197: +crontab:x:198: +ssmtp:x:199: +nofiles:x:200: +postfix:x:207: +postdrop:x:208: +smmsp:x:209:smmsp +portage:x:250:portage,frank,taurec +utmp:x:406: +ldap:x:439: +clamav:x:998: +amavis:x:999: +proftpd:x:1008: +vmail:x:1023: +nogroup:x:65533: +nobody:x:65534: +minecraft:x:1002: +git-commiters:x:222:frank,taurec,morph,portage diff --git a/gshadow b/gshadow new file mode 100644 index 0000000..37778a3 --- /dev/null +++ b/gshadow @@ -0,0 +1,62 @@ +root:::root,frank +bin:::root,bin,daemon +daemon:::root,bin,daemon +sys:::root,bin,adm +adm:::root,adm,daemon +tty:::frank,taurec +disk:::root,adm +lp:::lp,frank,taurec +mem::: +kmem::: +wheel:::root,frank,taurec,morph +floppy:::root +mail:::mail,postfix +news:::news +uucp:::uucp +man:::man +cron:x::frank,taurec,morph,patrick,vivi,minecraft +console:::frank,taurec +audio:::frank,taurec +cdrom::: +dialout:::root +ftp:x:: +sshd:x:: +at:x:: +tape:::root +video:::root,frank,taurec +games:x:: +named:x:: +mysql:x:: +cdrw::: +apache:x:: +usb::: +users:::games,taurec +postgrey:x:: +polw:x:: +teamspeak3:x:: +nagios:x::frank +wireshark:x:: +lpadmin:x:: +messagebus:x:: +rpc:x:: +locate:x::frank,taurec,morph,patrick,vivi +ntp:x:: +tcpdump:x:: +ulogd:x:: +crontab:x:: +ssmtp:x:: +nofiles:x:: +postfix:x:: +postdrop:x:: +smmsp:x::smmsp +portage:::portage,frank,taurec +utmp:x:: +ldap:x:: +clamav:x:: +amavis:x:: +proftpd:x:: +vmail:x:: +nogroup::: +nobody::: +minecraft:!:: +git-commiters:!:: diff --git a/host.conf b/host.conf new file mode 100644 index 0000000..4c58e52 --- /dev/null +++ b/host.conf @@ -0,0 +1,24 @@ +# /etc/host.conf: +# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/host.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $ + +# The file /etc/host.conf contains configuration information specific to +# the resolver library. It should contain one configuration keyword per +# line, followed by appropriate configuration information. The keywords +# recognized are order, trim, mdns, multi, nospoof, spoof, and reorder. + + + +# This keyword specifies how host lookups are to be performed. It +# should be followed by one or more lookup methods, separated by +# commas. Valid methods are bind, hosts, and nis. +# +order hosts, bind + + +# Valid values are on and off. If set to on, the resolv+ library +# will return all valid addresses for a host that appears in the +# /etc/hosts file, instead of only the first. This is off by +# default, as it may cause a substantial performance loss at sites +# with large hosts files. +# +multi off diff --git a/hosts b/hosts new file mode 100644 index 0000000..fbf80c2 --- /dev/null +++ b/hosts @@ -0,0 +1,45 @@ +# /etc/hosts: Local Host Database +# +# This file describes a number of aliases-to-address mappings for the for +# local hosts that share this file. +# +# In the presence of the domain name service or NIS, this file may not be +# consulted at all; see /etc/host.conf for the resolution order. +# + +# IPv4 and IPv6 localhost aliases +127.0.0.1 localhost + +::1 localhost ip6-localhost ip6-loopback + +85.214.134.152 helga.brehm-online.com helga h1763652.stratoserver.net h1763652 +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +ff02::3 ip6-allhosts + +192.166.201.59 gw.berlin.strato.de +192.166.192.168 gw-rz.berlin.strato.de +192.166.201.222 sarkomand-201-222-strato-full.cronon.net + +2001:6f8:1c00:365::2 home.brehm-online.com + +# +# Imaginary network. +#10.0.0.2 myname +#10.0.0.3 myfriend +# +# According to RFC 1918, you can use the following IP networks for private +# nets which will never be connected to the Internet: +# +# 10.0.0.0 - 10.255.255.255 +# 172.16.0.0 - 172.31.255.255 +# 192.168.0.0 - 192.168.255.255 +# +# In case you want to be able to connect directly to the Internet (i.e. not +# behind a NAT, ADSL router, etc...), you need real official assigned +# numbers. Do not try to invent your own network numbers but instead get one +# from your network provider (if any) or from your regional registry (ARIN, +# APNIC, LACNIC, RIPE NCC, or AfriNIC.) +# diff --git a/idn.conf b/idn.conf new file mode 100644 index 0000000..9943cf5 --- /dev/null +++ b/idn.conf @@ -0,0 +1,61 @@ +# $Id: idn.conf.sample.in,v 1.24 2003/03/05 23:25:02 miyayama Exp $ +# +# Sample file for idnkit configuration file (idn.conf). +# + +# +# `idn-encoding' entry specifies the encoding name used as the encoding +# of multilingualized names by resolvers and DNS servers. Currently, the +# following encodings are available: +# +# Punycode +# UTF-8 +# +# +# If you enabled extra ace feature, following IDN encoding can be used. +# +# AMC-ACE-Z (old name of Punycode) +# RACE +# +# syntax) +# idn-encoding +# +idn-encoding Punycode + +# +# `nameprep' entry specifies the version of NAMEPREP. +# idnkit currently supports the following version: +# +# RFC3491 -- name preparation scheme described in the +# RFC3491 +# +# syntax) +# nameprep +# +nameprep RFC3491 + +# +# `local-map' entry specifies TLD (top level domain) based local mapping +# schemes, which is performed before NAMEPREP. Available schemes are: +# +# -- nameprep version +# filemap: -- read mapping rules from a file +# +# syntax) +# local-map ... +# +# If the TLD of the domain name matches , local mapping specified +# by is performed on the name. Otherwise no mapping are +# performed. Multiple schemes can be specified; they are applied in +# turn. +# +# There are two special s for specifying a default mapping rule +# and a mapping rule for local names (domain names containing no +# dots). If is `.', its schemes are applied to domain names +# whose TLD does not match any TLDs specified in local-map entries. +# If is `-', its schemes are applied to domain names which +# contain no dots. +# +#local-map - filemap:/some/where/local.map +#local-map . filemap:/some/where/default.map +local-map .jp filemap:/usr/share/idnkit/jp.map diff --git a/idn.conf.sample b/idn.conf.sample new file mode 100644 index 0000000..9943cf5 --- /dev/null +++ b/idn.conf.sample @@ -0,0 +1,61 @@ +# $Id: idn.conf.sample.in,v 1.24 2003/03/05 23:25:02 miyayama Exp $ +# +# Sample file for idnkit configuration file (idn.conf). +# + +# +# `idn-encoding' entry specifies the encoding name used as the encoding +# of multilingualized names by resolvers and DNS servers. Currently, the +# following encodings are available: +# +# Punycode +# UTF-8 +# +# +# If you enabled extra ace feature, following IDN encoding can be used. +# +# AMC-ACE-Z (old name of Punycode) +# RACE +# +# syntax) +# idn-encoding +# +idn-encoding Punycode + +# +# `nameprep' entry specifies the version of NAMEPREP. +# idnkit currently supports the following version: +# +# RFC3491 -- name preparation scheme described in the +# RFC3491 +# +# syntax) +# nameprep +# +nameprep RFC3491 + +# +# `local-map' entry specifies TLD (top level domain) based local mapping +# schemes, which is performed before NAMEPREP. Available schemes are: +# +# -- nameprep version +# filemap: -- read mapping rules from a file +# +# syntax) +# local-map ... +# +# If the TLD of the domain name matches , local mapping specified +# by is performed on the name. Otherwise no mapping are +# performed. Multiple schemes can be specified; they are applied in +# turn. +# +# There are two special s for specifying a default mapping rule +# and a mapping rule for local names (domain names containing no +# dots). If is `.', its schemes are applied to domain names +# whose TLD does not match any TLDs specified in local-map entries. +# If is `-', its schemes are applied to domain names which +# contain no dots. +# +#local-map - filemap:/some/where/local.map +#local-map . filemap:/some/where/default.map +local-map .jp filemap:/usr/share/idnkit/jp.map diff --git a/idnalias.conf b/idnalias.conf new file mode 100644 index 0000000..3495dbc --- /dev/null +++ b/idnalias.conf @@ -0,0 +1,12 @@ +*.ISO_8859-1 ISO-8859-1 +*.ISO_8859-2 ISO-8859-1 +*.SJIS Shift_JIS +*.Shift_JIS Shift_JIS +ja_JP.EUC EUC-JP +ko_KR.EUC EUC-KR +*.big5 Big5 +*.Big5 Big5 +*.KOI8-R KOI8-R +*.GB2312 GB2312 +ja EUC-JP +japanese EUC-JP diff --git a/idnalias.conf.sample b/idnalias.conf.sample new file mode 100644 index 0000000..3495dbc --- /dev/null +++ b/idnalias.conf.sample @@ -0,0 +1,12 @@ +*.ISO_8859-1 ISO-8859-1 +*.ISO_8859-2 ISO-8859-1 +*.SJIS Shift_JIS +*.Shift_JIS Shift_JIS +ja_JP.EUC EUC-JP +ko_KR.EUC EUC-KR +*.big5 Big5 +*.Big5 Big5 +*.KOI8-R KOI8-R +*.GB2312 GB2312 +ja EUC-JP +japanese EUC-JP diff --git a/inittab b/inittab new file mode 100644 index 0000000..c5c8398 --- /dev/null +++ b/inittab @@ -0,0 +1,60 @@ +# +# /etc/inittab: This file describes how the INIT process should set up +# the system in a certain run-level. +# +# Author: Miquel van Smoorenburg, +# Modified by: Patrick J. Volkerding, +# Modified by: Daniel Robbins, +# Modified by: Martin Schlemmer, +# Modified by: Mike Frysinger, +# Modified by: Robin H. Johnson, +# +# $Header: /var/cvsroot/gentoo-x86/sys-apps/sysvinit/files/inittab-2.87,v 1.1 2010/01/08 16:55:07 williamh Exp $ + +# Default runlevel. +id:3:initdefault: + +# System initialization, mount local filesystems, etc. +si::sysinit:/sbin/rc sysinit + +# Further system initialization, brings up the boot runlevel. +rc::bootwait:/sbin/rc boot + +l0:0:wait:/sbin/rc shutdown +l0s:0:wait:/sbin/halt -dhp +l1:1:wait:/sbin/rc single +l2:2:wait:/sbin/rc nonetwork +l3:3:wait:/sbin/rc default +l4:4:wait:/sbin/rc default +l5:5:wait:/sbin/rc default +l6:6:wait:/sbin/rc reboot +l6r:6:wait:/sbin/reboot -dk +#z6:6:respawn:/sbin/sulogin + +# new-style single-user +su0:S:wait:/sbin/rc single +su1:S:wait:/sbin/sulogin + +# TERMINALS +c1:12345:respawn:/sbin/agetty 38400 tty1 linux +c2:2345:respawn:/sbin/agetty 38400 tty2 linux +c3:2345:respawn:/sbin/agetty 38400 tty3 linux +c4:2345:respawn:/sbin/agetty 38400 tty4 linux +c5:2345:respawn:/sbin/agetty 38400 tty5 linux +c6:2345:respawn:/sbin/agetty 38400 tty6 linux + +# SERIAL CONSOLES +#s0:12345:respawn:/sbin/agetty 9600 ttyS0 vt100 +#s1:12345:respawn:/sbin/agetty 9600 ttyS1 vt100 +s0:12345:respawn:/sbin/agetty -L ttyS0 57600 vt100 + +# What to do at the "Three Finger Salute". +ca:12345:ctrlaltdel:/sbin/shutdown -r now + +# Used by /etc/init.d/xdm to control DM startup. +# Read the comments in /etc/init.d/xdm for more +# info. Do NOT remove, as this will start nothing +# extra at boot if /etc/init.d/xdm is not added +# to the "default" runlevel. +x:a:once:/etc/X11/startDM.sh + diff --git a/inputrc b/inputrc new file mode 100644 index 0000000..2afc0b8 --- /dev/null +++ b/inputrc @@ -0,0 +1,72 @@ +# /etc/inputrc: initialization file for readline +# +# For more information on how this file works, please see the +# INITIALIZATION FILE section of the readline(3) man page +# +# Quick dirty little note: +# To get the key sequence for binding, you can abuse bash. +# While running bash, hit CTRL+V, and then type the key sequence. +# So, typing 'ALT + left arrow' in Konsole gets you back: +# ^[[1;3D +# The readline entry to make this skip back a word will then be: +# "\e[1;3D" backward-word +# + +# do not bell on tab-completion +#set bell-style none + +set meta-flag on +set input-meta on +set convert-meta off +set output-meta on + +# Completed names which are symbolic links to +# directories have a slash appended. +set mark-symlinked-directories on + +$if mode=emacs + +# for linux console and RH/Debian xterm +# allow the use of the Home/End keys +"\e[1~": beginning-of-line +"\e[4~": end-of-line +# map "page up" and "page down" to search history based on current cmdline +"\e[5~": history-search-backward +"\e[6~": history-search-forward +# allow the use of the Delete/Insert keys +"\e[3~": delete-char +"\e[2~": quoted-insert + +# gnome / others (escape + arrow key) +"\e[5C": forward-word +"\e[5D": backward-word +# konsole / xterm / rxvt (escape + arrow key) +"\e\e[C": forward-word +"\e\e[D": backward-word +# gnome / konsole / others (control + arrow key) +"\e[1;5C": forward-word +"\e[1;5D": backward-word +# aterm / eterm (control + arrow key) +"\eOc": forward-word +"\eOd": backward-word + +# konsole (alt + arrow key) +"\e[1;3C": forward-word +"\e[1;3D": backward-word + +$if term=rxvt +"\e[8~": end-of-line +$endif + +# for non RH/Debian xterm, can't hurt for RH/Debian xterm +"\eOH": beginning-of-line +"\eOF": end-of-line + +# for freebsd console +"\e[H": beginning-of-line +"\e[F": end-of-line +$endif + +# fix Home and End for German users +"\e[7~": beginning-of-line +"\e[8~": end-of-line diff --git a/issue b/issue new file mode 100644 index 0000000..015e46d --- /dev/null +++ b/issue @@ -0,0 +1,3 @@ + +This is \n.\O (\s \m \r) \t + diff --git a/issue.logo b/issue.logo new file mode 100644 index 0000000..d8e20ef --- /dev/null +++ b/issue.logo @@ -0,0 +1,13 @@ + . + .vir. d$b + .d$$$$$$b. .cd$$b. .d$$b. d$$$$$$$$$$$b .d$$b. .d$$b. + $$$$( )$$$b d$$$()$$$. d$$$$$$$b Q$$$$$$$P$$$P.$$$$$$$b. .$$$$$$$b. + Q$$$$$$$$$$B$$$$$$$$P" d$$$PQ$$$$b. $$$$. .$$$P' `$$$ .$$$P' `$$$ + "$$$$$$$P Q$$$$$$$b d$$$P Q$$$$b $$$$b $$$$b..d$$$ $$$$b..d$$$ + d$$$$$$P" "$$$$$$$$ Q$$$ Q$$$$ $$$$$ `Q$$$$$$$P `Q$$$$$$$P + $$$$$$$P `""""" "" "" Q$$$P "Q$$$P" "Q$$$P" + `Q$$P" """ + + +This is \n.\O (\s \m \r) \t + diff --git a/krb5.conf.example b/krb5.conf.example new file mode 100644 index 0000000..210348f --- /dev/null +++ b/krb5.conf.example @@ -0,0 +1,26 @@ +[libdefaults] + default_realm = ATHENA.MIT.EDU + +[realms] +# use "kdc = ..." if realm admins haven't put SRV records into DNS + ATHENA.MIT.EDU = { + admin_server = KERBEROS.MIT.EDU + default_domain = MIT.EDU + v4_instance_convert = { + mit = mit.edu + lithium = lithium.lcs.mit.edu + } + } + ANDREW.CMU.EDU = { + admin_server = vice28.fs.andrew.cmu.edu + } + +[domain_realm] + .mit.edu = ATHENA.MIT.EDU + mit.edu = ATHENA.MIT.EDU + .media.mit.edu = MEDIA-LAB.MIT.EDU + media.mit.edu = MEDIA-LAB.MIT.EDU + .ucsc.edu = CATS.UCSC.EDU + +[logging] +# kdc = CONSOLE diff --git a/ld.so.cache b/ld.so.cache new file mode 100644 index 0000000..b6d68e6 Binary files /dev/null and b/ld.so.cache differ diff --git a/ld.so.conf b/ld.so.conf new file mode 100644 index 0000000..6ad4829 --- /dev/null +++ b/ld.so.conf @@ -0,0 +1,14 @@ +# ld.so.conf autogenerated by env-update; make all changes to +# contents of /etc/env.d directory +/usr/local/lib +include ld.so.conf.d/*.conf +/lib64 +/usr/lib64 +/usr/local/lib64 +/lib32 +/usr/lib32 +/usr/local/lib32 +/lib +/usr/lib +/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3 +/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.3/32 diff --git a/ldap.conf.sudo b/ldap.conf.sudo new file mode 100644 index 0000000..934f1b9 --- /dev/null +++ b/ldap.conf.sudo @@ -0,0 +1,5 @@ +# See ldap.conf(5) and README.LDAP for details\n" +# This file should only be readable by root\n\n" +# supported directives: host, port, ssl, ldap_version\n" +# uri, binddn, bindpw, sudoers_base, sudoers_debug\n" +# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key diff --git a/libaudit.conf b/libaudit.conf new file mode 100644 index 0000000..90855d7 --- /dev/null +++ b/libaudit.conf @@ -0,0 +1,7 @@ +# This is the configuration file for libaudit tunables. +# It is currently only used for the failure_action tunable. + +# failure_action can be: log, ignore, terminate +failure_action = ignore + + diff --git a/locale.gen b/locale.gen new file mode 100644 index 0000000..09ee60e --- /dev/null +++ b/locale.gen @@ -0,0 +1,31 @@ +# /etc/locale.gen: list all of the locales you want to have on your system +# +# The format of each line: +# +# +# Where is a locale located in /usr/share/i18n/locales/ and +# where is a charmap located in /usr/share/i18n/charmaps/. +# +# All blank lines and lines starting with # are ignored. +# +# For the default list of supported combinations, see the file: +# /usr/share/i18n/SUPPORTED +# +# Whenever glibc is emerged, the locales listed here will be automatically +# rebuilt for you. After updating this file, you can simply run `locale-gen` +# yourself instead of re-emerging glibc. + +#en_US ISO-8859-1 +#en_US.UTF-8 UTF-8 +#ja_JP.EUC-JP EUC-JP +#ja_JP.UTF-8 UTF-8 +#ja_JP EUC-JP +#en_HK ISO-8859-1 +#en_PH ISO-8859-1 +#de_DE ISO-8859-1 +#de_DE@euro ISO-8859-15 +#es_MX ISO-8859-1 +#fa_IR UTF-8 +#fr_FR ISO-8859-1 +#fr_FR@euro ISO-8859-15 +#it_IT ISO-8859-1 diff --git a/localtime b/localtime new file mode 100644 index 0000000..96059c7 Binary files /dev/null and b/localtime differ diff --git a/login.defs b/login.defs new file mode 100644 index 0000000..e99404c --- /dev/null +++ b/login.defs @@ -0,0 +1,386 @@ +# +# /etc/login.defs - Configuration control definitions for the shadow package. +# +# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $ +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enfore a minimal delay (e.g. +# pam_unix enforces a 2s delay) +# +FAIL_DELAY 3 + +# +# Enable logging and display of /var/log/faillog login failure info. +# +#FAILLOG_ENAB + +# +# Enable display of unknown usernames when login failures are recorded. +# +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable logging and display of /var/log/lastlog login time info. +# +#LASTLOG_ENAB + +# +# Enable checking and display of mailbox status upon login. +# +# Disable if the shell startup files already check for mail +# ("mailx -e" or equivalent). +# +#MAIL_CHECK_ENAB + +# +# Enable additional checks upon password changes. +# +#OBSCURE_CHECKS_ENAB + +# +# Enable checking of time restrictions specified in /etc/porttime. +# +#PORTTIME_CHECKS_ENAB + +# +# Enable setting of ulimit, umask, and niceness from passwd gecos field. +# +#QUOTAS_ENAB + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +CONSOLE /etc/securetty +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, ":" delimited list of "message of the day" files to +# be displayed upon login. +# +#MOTD_FILE +#MOTD_FILE + +# +# If defined, this file will be output before each login prompt. +# +#ISSUE_FILE /etc/issue + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format. +# last, when invoked as lastb, will read /var/log/btmp, so... +# +#FTMP_FILE + +# +# If defined, name of file whose presence which will inhibit non-root +# logins. The contents of this file should be a message indicating +# why logins are inhibited. +# +#NOLOGINS_FILE + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# If defined, either a TZ environment parameter spec or the +# fully-rooted pathname of a file containing such a spec. +# +#ENV_TZ TZ=CST6CDT +#ENV_TZ /etc/tzname + +# +# If defined, an HZ environment parameter spec. +# +# for Linux/x86 +#ENV_HZ +# For Linux/Alpha... +#ENV_HZ + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +ENV_PATH PATH=/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# ULIMIT Default "ulimit" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# The ULIMIT is used only if the system supports it. +# (now it works with setrlimit too; ulimit is in 512-byte units) +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +#ULIMIT 2097152 + +# Default initial "umask" value for non-PAM enabled systems. +# UMASK is also used by useradd and newusers to set the mode of new home +# directories. +# 022 is the default value, but 027, or even 077, could be considered +# better for privacy. There is no One True Answer here: each sysadmin +# must make up her mind. +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +#PASS_MIN_LEN +PASS_WARN_AGE 7 + +# +# If "yes", the user must be listed as a member of the first gid 0 group +# in /etc/group (called "root" on most Linux systems) to be able to "su" +# to uid 0 accounts. If the group doesn't exist or is empty, no one +# will be able to "su" to uid 0. +# +#SU_WHEEL_ONLY + +# +# If compiled with cracklib support, where are the dictionaries +# +#CRACKLIB_DICTPATH + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 101 +SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 101 +SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Maximum number of attempts to change password if rejected (too easy) +# +#PASS_CHANGE_TRIES + +# +# Warn about weak passwords (but still allow them) if you are root. +# +#PASS_ALWAYS_WARN + +# +# Number of significant characters in the password for crypt(). +# Default is 8, don't change unless your crypt() is better. +# Ignored if MD5_CRYPT_ENAB set to "yes". +# +#PASS_MAX_LEN 8 + +# +# Require password before chfn/chsh can make any changes. +# +#CHFN_AUTH + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Password prompt (%s will be replaced by user name). +# +# XXX - it doesn't work correctly yet, for now leave it commented out +# to use the default which is just "Password: ". +#LOGIN_STRING "%s's Password: " + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# Note: If you use PAM, it is recommended to use a value consistent with +# the PAM modules configuration. +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# Only works if compiled with ENCRYPTMETHOD_SELECT defined: +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: If you use PAM, it is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If this file exists and is readable, login environment will be +# read from it. Every line should be in the form name=value. +# +#ENVIRON_FILE + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# This also enables userdel to remove user groups if no members exist. +# +USERGROUPS_ENAB yes + +# +# If set to a non-nul number, the shadow utilities will make sure that +# groups never have more than this number of users on one line. +# This permit to support split groups (groups split into multiple lines, +# with the same group ID, to avoid limitation of the line length in the +# group file). +# +# 0 is the default value and disables this feature. +# +#MAX_MEMBERS_PER_GROUP 0 + +# +# If useradd should create home directories for users by default (non +# system users only) +# This option is overridden with the -M or -m flags on the useradd command +# line. +# +#CREATE_HOME yes + diff --git a/logrotate.conf b/logrotate.conf new file mode 100644 index 0000000..44a0760 --- /dev/null +++ b/logrotate.conf @@ -0,0 +1,41 @@ +# $Header: /opt/cvsroot/logrotate/logrotate.conf,v 1.6 2003/08/25 19:22:22 jvalent Exp $ + +# see "man logrotate" for details +# rotate log files weekly +weekly + +# keep 999 weeks worth of backlogs +rotate 999 +maxage 2y + +# create new (empty) log files after rotating old ones +create + +tabooprefix \. + +dateext + +# do not rotate, if the file is empty +notifempty + +# uncomment this if you want your log files compressed +compress + +# is it okay, if a logfile doesn't exists ? +missingok + +# no packages own lastlog or wtmp -- we'll rotate them here +/var/log/wtmp { + weekly + create 0664 root utmp + rotate 12 + olddir /var/log/wtmp.d + size=4096K +} + +# RPM packages drop log rotation information into this directory +include /etc/logrotate.d + +# system-specific logs may be configured here + +# vim: ts=4 filetype=conf diff --git a/machine-id b/machine-id new file mode 100644 index 0000000..775709a --- /dev/null +++ b/machine-id @@ -0,0 +1 @@ +a80ef8537b9f69ff3c2d935f0034bdcf diff --git a/mailcap b/mailcap new file mode 100644 index 0000000..7c42a55 --- /dev/null +++ b/mailcap @@ -0,0 +1,25 @@ + +text/plain; less '%s'; needsterminal +application/x-troff-man; /usr/bin/nroff -mandoc -Tlatin1; copiousoutput; print=/usr/bin/nroff -mandoc -Tlatin1 | print text/plain:- +text/plain; shownonascii iso-8859-1 '%s'; description="Plain ASCII Text"; test=test "$(echo %{charset} | tr "[A-Z]" "[a-z]")" = iso-8859-1 -a "$DISPLAY" != "" +text/richtext; shownonascii iso-8859-1 -e richtext -p '%s'; description="Richtext"; copiousoutput; test=test "$(echo %{charset} | tr "[A-Z]" "[a-z]")" = iso-8859-1 -a "$DISPLAY" != "" +text/enriched; shownonascii iso-8859-1 -e richtext -e -p '%s'; description="Enriched Text"; copiousoutput; test=test "$(echo %{charset} | tr "[A-Z]" "[a-z]")" = iso-8859-1 -a "$DISPLAY" != "" +message/partial; showpartial '%s' %{id} %{number} %{total}; description="An incomplete message" +message/external-body; showexternal '%s' %{access-type} %{name} %{site} %{directory} %{mode} %{server}; needsterminal; description="A reference to data stored in an external location"; composetyped="extcompose '%s"' +audio/basic; /usr/lib/mime/playaudio '%s'; description=Basic uLaw Audio; nametemplate=%s.au +application/x-tar; /bin/tar tvf -; print=/bin/tar tvf - | print text/plain:-; copiousoutput +application/x-gtar; /bin/tar tvzf -; print=/bin/tar tvzf - | print text/plain:-; copiousoutput +text/plain; more '%s'; needsterminal +application/xrx; view=xrx '%s'; description="remote X application"; test=test "$DISPLAY"; nametemplate=%s.rx +text/richtext; richtext '%s'; description="Richtext"; copiousoutput +text/enriched; richtext -e '%s'; description="Enriched Text"; copiousoutput +text/plain; gview '%s'; edit=gvim -f '%s'; compose=gvim -f '%s'; test=test "$DISPLAY" != "" +text/plain; view '%s'; edit=vim '%s'; compose=vim '%s'; needsterminal +text/html; /usr/bin/lynx -force_html '%s'; needsterminal; description=HTML Text; nametemplate=%s.html +text/*; less '%s'; needsterminal +text/html; /usr/bin/lynx -dump -force_html '%s'; copiousoutput; description=HTML Text; nametemplate=%s.html +text/*; gview '%s'; edit=gvim -f '%s'; compose=gvim -f '%s'; test=test "$DISPLAY" != "" +text/*; view '%s'; edit=vim '%s'; compose=vim '%s'; needsterminal +text/*; more '%s'; needsterminal +*/*; less '%s'; needsterminal +*/*; false; print=lpr '%s' diff --git a/make.conf b/make.conf new file mode 100644 index 0000000..3399f5c --- /dev/null +++ b/make.conf @@ -0,0 +1,74 @@ +# These settings were set by the catalyst build script that automatically +# built this stage. +# Please consult /usr/share/portage/config/make.conf.example for a more +# detailed example. + +CFLAGS="-O2 -pipe -march=opteron" +CXXFLAGS="${CFLAGS}" + +# WARNING: Changing your CHOST is not something that should be done lightly. +# Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing. +CHOST="x86_64-pc-linux-gnu" + +# These are the USE flags that were used in addition to what is provided by the +# profile used for building. +USE="3dnow X acl apache2 audit bash-completion bazaar bzip2 caps cgi cvs curl \ + darcs djvu doc examples expat fam fastcgi fontconfig ftp gd gif git gmp \ + gnutls gpg graphviz gs gsl gtk guile hscolour html icu idn imagemagick imap ipv6 ithreads \ + jadetex java javascript jbig jpeg jpeg2k kerberos lasi ldap libwww lua \ + lzma lzo maildir mailwrapper mercurial mmx mmxext modperl motif mp3 mysql \ + nis odbc ogg openldap pam pch pcre pdf perl pic png php python rar samba sasl \ + session smtp snmp soap spamassassin spell sqlite sqlite3 sse sse2 ssh \ + subversion svg syslog theora tiff tk truetype unicode vhosts vim-syntax \ + vorbis wmf x264 xattr xml xmlrpc xpm xsl xvid zlib" + +I_KNOW_WHAT_I_AM_DOING=yes + +ACCEPT_LICENSE="DOOM3 PUEL RTCW RTCW-ETEULA" + +APACHE2_MODULES="actions alias asis auth_basic auth_digest authn_alias + authn_anon authn_dbd authn_dbm authn_default authn_file + authz_dbm authz_default authz_groupfile authz_host + authz_owner authz_user autoindex cache cern_meta cgi cgid + charset_lite dav dav_fs dav_lock dbd deflate dir disk_cache + dumpio env expires ext_filter file_cache filter headers icu + ident imagemap include info log_config log_forensic logio + mem_cache mime mime_magic negotiation proxy proxy_ajp + proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi + reqtimeout rewrite setenvif speling status substitute + unique_id userdir usertrack version vhost_alias " + +#APACHE2_MPMS="-event% -itk% -peruser% -prefork% -worker%" +APACHE2_MPMS="prefork" + +VIDEO_CARDS="intel mach64 r128 radeon savage via svga" + +CONFIG_PROTECT="/var/www/ldap/htdocs/config \ + /var/www/ldap/htdocs/templates \ + /var/www/bautagebuch/htdocs/wp-config.php \ + /var/www/myadmin/htdocs/config.inc.php \ + /var/www/webmail/htdocs/horde/config \ + " +CONFIG_PROTECT_MASK="/etc/init.d" + +PORTAGE_NICENESS=3 + +AUTOCLEAN="yes" + +PORTDIR_OVERLAY="/usr/local/portage" + +#FETCHCOMMAND="/usr/bin/wget -t 5 --passive-ftp -P \${DISTDIR} \${URI}" +#FETCHCOMMAND="mv -v \${DISTDIR}/.old/\${FILE} \${DISTDIR}/" + +FEATURES="parallel-fetch" +#MAKEOPTS="-j3" +EMERGE_DEFAULT_OPTS="--with-bdeps y " + +LINGUAS="de de_AT de_BE de_CH de_DE de_LU en en_AG en_AU en_BW en_CA en_DK en_GB en_HK en_IE en_IN en_NG en_NZ en_PH en_SG en_ZA en_ZW en_US ru_RU ru_UA" + +#GENTOO_MIRRORS="ftp://mirror.netcologne.de/gentoo/ ftp://mirror.muntinternet.net/pub/gentoo/ http://mirror.muntinternet.net/pub/gentoo/ http://gentoo.supp.name/" +GENTOO_MIRRORS="http://mirror.opteamax.de/gentoo/ http://gentoo.mneisen.org/ http://gentoo.mirror.dkm.cz/pub/gentoo/ http://de-mirror.org/gentoo/ http://gentoo.wheel.sk/" + +#PORT_LOGDIR="/var/log/portage" +source /var/lib/layman/make.conf + diff --git a/make.conf.catalyst b/make.conf.catalyst new file mode 100644 index 0000000..9806b00 --- /dev/null +++ b/make.conf.catalyst @@ -0,0 +1,12 @@ +# These settings were set by the catalyst build script that automatically +# built this stage. +# Please consult /usr/share/portage/config/make.conf.example for a more +# detailed example. +CFLAGS="-O2 -pipe" +CXXFLAGS="${CFLAGS}" +# WARNING: Changing your CHOST is not something that should be done lightly. +# Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing. +CHOST="x86_64-pc-linux-gnu" +# These are the USE flags that were used in addition to what is provided by the +# profile used for building. +USE="mmx sse sse2" diff --git a/make.globals b/make.globals new file mode 120000 index 0000000..420193b --- /dev/null +++ b/make.globals @@ -0,0 +1 @@ +../usr/share/portage/config/make.globals \ No newline at end of file diff --git a/make.profile b/make.profile new file mode 120000 index 0000000..8811b51 --- /dev/null +++ b/make.profile @@ -0,0 +1 @@ +../usr/portage/profiles/default/linux/amd64/10.0/server \ No newline at end of file diff --git a/man.conf b/man.conf new file mode 100644 index 0000000..eb8ddd3 --- /dev/null +++ b/man.conf @@ -0,0 +1,144 @@ +# +# Generated automatically from man.conf.in by the +# configure script. +# +# man.conf from man-1.6f +# +# For more information about this file, see the man pages man(1) +# and man.conf(5). +# +# This file is read by man to configure the default manpath (also used +# when MANPATH contains an empty substring), to find out where the cat +# pages corresponding to given man pages should be stored, +# and to map each PATH element to a manpath element. +# It may also record the pathname of the man binary. [This is unused.] +# The format is: +# +# MANBIN pathname +# MANPATH manpath_element [corresponding_catdir] +# MANPATH_MAP path_element manpath_element +# +# If no catdir is given, it is assumed to be equal to the mandir +# (so that this dir has both man1 etc. and cat1 etc. subdirs). +# This is the traditional Unix setup. +# Certain versions of the FSSTND recommend putting formatted versions +# of /usr/.../man/manx/page.x into /var/catman/.../catx/page.x. +# The keyword FSSTND will cause this behaviour. +# Certain versions of the FHS recommend putting formatted versions of +# /usr/.../share/man/[locale/]manx/page.x into +# /var/cache/man/.../[locale/]catx/page.x. +# The keyword FHS will cause this behaviour (and overrides FSSTND). +# Explicitly given catdirs override. +# +# FSSTND +FHS +# +# This file is also read by man in order to find how to call nroff, less, etc., +# and to determine the correspondence between extensions and decompressors. +# +# MANBIN /usr/local/bin/man +# +# Every automatically generated MANPATH includes these fields +# +MANPATH /usr/share/man +MANPATH /usr/local/share/man +MANPATH /usr/X11R6/man +MANPATH /usr/local/man +MANPATH /usr/man +# +# Uncomment if you want to include one of these by default +# +# MANPATH /opt/*/man +# MANPATH /usr/lib/*/man +# MANPATH /usr/share/*/man +# MANPATH /usr/kerberos/man +# +# Set up PATH to MANPATH mapping +# +# If people ask for "man foo" and have "/dir/bin/foo" in their PATH +# and the docs are found in "/dir/man", then no mapping is required. +# +# The below mappings are superfluous when the right hand side is +# in the mandatory manpath already, but will keep man from statting +# lots of other nearby files and directories. +# +MANPATH_MAP /bin /usr/share/man +MANPATH_MAP /sbin /usr/share/man +MANPATH_MAP /usr/bin /usr/share/man +MANPATH_MAP /usr/sbin /usr/share/man +MANPATH_MAP /usr/local/bin /usr/local/share/man +MANPATH_MAP /usr/local/sbin /usr/local/share/man +MANPATH_MAP /usr/X11R6/bin /usr/X11R6/man +MANPATH_MAP /usr/bin/X11 /usr/X11R6/man +MANPATH_MAP /usr/bin/mh /usr/share/man +# +# NOAUTOPATH keeps man from automatically adding directories that look like +# manual page directories to the path. +# +#NOAUTOPATH +# +# NOCACHE keeps man from creating cache pages ("cat pages") +# (generally one enables/disable cat page creation by creating/deleting +# the directory they would live in - man never does mkdir) +# +#NOCACHE +# +# Useful paths - note that COL should not be defined when +# NROFF is defined as "groff -Tascii" or "groff -Tlatin1"; +# not only is it superfluous, but it actually damages the output. +# For use with utf-8, NROFF should be "nroff -mandoc" without -T option. +# (Maybe - but today I need -Tlatin1 to prevent double conversion to utf8.) +# +# If you have a new troff (version 1.18.1?) and its colored output +# causes problems, add the -c option to TROFF, NROFF, JNROFF. +# +TROFF /usr/bin/groff -Tps -mandoc +NROFF /usr/bin/nroff -mandoc +JNROFF /usr/bin/groff -Tnippon -mandocj +EQN /usr/bin/geqn -Tps +NEQN /usr/bin/geqn -Tlatin1 +JNEQN /usr/bin/geqn -Tnippon +TBL /usr/bin/gtbl +# COL /usr/bin/col +REFER /usr/bin/refer +PIC /usr/bin/pic +VGRIND +GRAP +PAGER /usr/bin/less -isR +BROWSER /usr/bin/less -isR +HTMLPAGER /bin/cat +CAT /bin/cat +# +# The command "man -a xyzzy" will show all man pages for xyzzy. +# When CMP is defined man will try to avoid showing the same +# text twice. (But compressed pages compare unequal.) +# +CMP /usr/bin/cmp -s +# +# Compress cat pages +# +COMPRESS /bin/bzip2 +COMPRESS_EXT .bz2 +# +# Default manual sections (and order) to search if -S is not specified +# and the MANSECT environment variable is not set. +# +MANSECT 1:1p:8:2:3:3p:4:5:6:7:9:0p:tcl:n:l:p:o:1x:2x:3x:4x:5x:6x:7x:8x +# +# Default options to use when man is invoked without options +# This is mainly for the benefit of those that think -a should be the default +# Note that some systems have /usr/man/allman, causing pages to be shown twice. +# +#MANDEFOPTIONS -a +# +# Decompress with given decompressor when input file has given extension +# The command given must act as a filter. +# +.gz /bin/gunzip -c +.bz2 /bin/bzip2 -c -d +.lzma /usr/bin/unlzma -c -d +.xz /usr/bin/unxz -c -d +.z +.Z /bin/zcat +.F +.Y diff --git a/mdev.conf b/mdev.conf new file mode 100644 index 0000000..df329b4 --- /dev/null +++ b/mdev.conf @@ -0,0 +1,110 @@ +# +# This is a sample mdev.conf +# + +# Provide user, group, and mode information for devices. If a regex matches +# the device name provided by sysfs, use the appropriate user:group and mode +# instead of the default 0:0 660. +# +# Syntax: +# [-]devicename_regex user:group mode [>|=path] [@|$|*cmd args...] +# +# =: move, >: move and create a symlink +# @|$|*: run $cmd on delete, @cmd on create, *cmd on both + +# support module loading on hotplug +$MODALIAS=.* root:root 660 @modprobe "$MODALIAS" + +# null may already exist; therefore ownership has to be changed with command +null root:root 666 @chmod 666 $MDEV +zero root:root 666 +full root:root 666 +random root:root 444 +urandom root:root 444 +hwrandom root:root 444 +grsec root:root 660 + +kmem root:root 640 +mem root:root 640 +port root:root 640 +# console may already exist; therefore ownership has to be changed with command +console root:tty 600 @chmod 600 $MDEV +ptmx root:tty 666 +pty.* root:tty 660 + +# Typical devices + +tty root:tty 666 +tty[0-9]* root:tty 660 +vcsa*[0-9]* root:tty 660 +ttyS[0-9]* root:uucp 660 + +# block devices +ram([0-9]*) root:disk 660 >rd/%1 +loop([0-9]+) root:disk 660 >loop/%1 +sd[a-z].* root:disk 660 */lib/mdev/usbdisk_link +hd[a-z][0-9]* root:disk 660 */lib/mdev/ide_links +md[0-9]* root:disk 660 +sr[0-9]* root:cdrom 660 @ln -sf $MDEV cdrom +fd[0-9]* root:floppy 660 + +# net devices +-net/.* root:root 600 @nameif +tun[0-9]* root:root 600 =net/ +tap[0-9]* root:root 600 =net/ + +# alsa sound devices and audio stuff +pcm.* root:audio 660 =snd/ +control.* root:audio 660 =snd/ +midi.* root:audio 660 =snd/ +seq root:audio 660 =snd/ +timer root:audio 660 =snd/ + +adsp root:audio 660 >sound/ +audio root:audio 660 >sound/ +dsp root:audio 660 >sound/ +mixer root:audio 660 >sound/ +sequencer.* root:audio 660 >sound/ + +# Less typical devices + +# raid controllers +cciss!(.*) root:disk 660 =cciss/%1 +ida!(.*) root:disk 660 =ida/%1 +rd!(.*) root:disk 660 =rd/%1 + +ttyLTM[0-9] root:dialout 660 @ln -sf $MDEV modem +ttySHSF[0-9] root:dialout 660 @ln -sf $MDEV modem +slamr root:dialout 660 @ln -sf $MDEV slamr0 +slusb root:dialout 660 @ln -sf $MDEV slusb0 + +fuse root:root 666 + +# dri device +card[0-9] root:video 660 =dri/ + +# misc stuff +agpgart root:root 660 >misc/ +psaux root:root 660 >misc/ +rtc root:root 664 >misc/ + +# input stuff +event[0-9]+ root:root 640 =input/ +mice root:root 640 =input/ +mouse[0-9] root:root 640 =input/ +ts[0-9] root:root 600 =input/ + +# v4l stuff +vbi[0-9] root:video 660 >v4l/ +video[0-9] root:video 660 >v4l/ + +# dvb stuff +dvb.* root:video 660 */lib/mdev/dvbdev + +# load drivers for usb devices +usbdev[0-9].[0-9] root:root 660 */lib/mdev/usbdev +usbdev[0-9].[0-9]_.* root:root 660 + +# zaptel devices +zap(.*) root:dialout 660 =zap/%1 +dahdi!(.*) root:dialout 660 =dahdi/%1 diff --git a/mime.types b/mime.types new file mode 100644 index 0000000..cea6685 --- /dev/null +++ b/mime.types @@ -0,0 +1,1391 @@ +# This file maps Internet media types to unique file extension(s). It is +# distributed as the app-misc/mime-types package. +# +# The table below contains both registered and (common) unregistered types. +# A type that has no unique extension can be ignored -- they are listed +# here to guide configurations toward known types and to make it easier to +# identify "new" types. File extensions are also commonly used to indicate +# content languages and encodings, so choose them carefully. +# +# Internet media types should be registered as described in RFC 4288. +# The registry is at . +# +# The reason that all types are managed by the mime-support package instead +# allowing individual packages to install types in much the same way as they +# add entries in to the mailcap file is so these types can be referenced by +# other programs (such as a web server) even if the specific support package +# for that type is not installed. +# +# Users can add their own types if they wish by creating a ".mime.types" +# file in their home directory. Definitions included there will take +# precedence over those listed here. (Note: compression schemes like "gzip" +# are note actually "mime-types". They are encodings and hence must _not_ +# have entries in this file to map their extensions. +# +# Sources used: +# +# http://packages.debian.org/etch/mime-support +# http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types + +application/activemessage +application/andrew-inset ez +application/applefile +application/applixware aw +application/atom+xml atom +application/atomcat+xml atomcat +application/atomicmail +application/atomsvc+xml atomsvc +application/auth-policy+xml +application/batch-smtp +application/beep+xml +application/cals-1840 +application/ccxml+xml ccxml +application/cea-2018+xml +application/cellml+xml +application/cnrp+xml +application/commonground +application/conference-info+xml +application/cpl+xml +application/csta+xml +application/cstadata+xml +application/cu-seeme cu +application/cybercash +application/davmount+xml davmount +application/dca-rft +application/dec-dx +application/dialog-info+xml +application/dicom +application/dns +application/dsptype tsp +application/dvcs +application/ecmascript ecma +application/edi-consent +application/edi-x12 +application/edifact +application/emma+xml emma +application/epp+xml +application/epub+zip epub +application/eshop +application/example +application/fastinfoset +application/fastsoap +application/fits +application/font-tdpfr pfr +application/futuresplash spl +application/h224 +application/hta hta +application/http +application/hyperstudio stk +application/ibe-key-request+xml +application/ibe-pkg-reply+xml +application/ibe-pp-data +application/iges +application/im-iscomposing+xml +application/index +application/index.cmd +application/index.obj +application/index.response +application/index.vnd +application/iotp +application/ipp +application/isup +application/java-archive jar +application/java-serialized-object ser +application/java-vm class +application/javascript js +application/json json +application/kpml-request+xml +application/kpml-response+xml +application/lost+xml lostxml +application/mac-binhex40 hqx +application/mac-compactpro cpt +application/macwriteii +application/marc mrc +application/mathematica ma mb nb +application/mathml+xml mathml +application/mbms-associated-procedure-description+xml +application/mbms-deregister+xml +application/mbms-envelope+xml +application/mbms-msk+xml +application/mbms-msk-response+xml +application/mbms-protection-description+xml +application/mbms-reception-report+xml +application/mbms-register+xml +application/mbms-register-response+xml +application/mbms-user-service-description+xml +application/mbox mbox +application/media_control+xml +application/mediaservercontrol+xml mscml +application/mikey +application/moss-keys +application/moss-signature +application/mosskey-data +application/mosskey-request +application/mp4 mp4s +application/mpeg4-generic +application/mpeg4-iod +application/mpeg4-iod-xmt +application/msaccess mdb +application/msword doc dot +application/mxf mxf +application/nasdata +application/news-checkgroups +application/news-groupinfo +application/news-transmission +application/nss +application/ocsp-request +application/ocsp-response +application/octet-stream bin bpk deploy dist distz dmg dms dump elc iso lha lrf lzh pkg so +application/oda oda +application/oebps-package+xml opf +application/ogg ogg ogx +application/onenote onepkg onetmp onetoc onetoc2 +application/parityfec +application/patch-ops-error+xml xer +application/pdf pdf +application/pgp-encrypted pgp +application/pgp-keys key +application/pgp-signature asc pgp sig +application/pics-rules prf +application/pidf+xml +application/pidf-diff+xml +application/pkcs10 p10 +application/pkcs7-mime p7c p7m +application/pkcs7-signature p7s +application/pkix-cert cer +application/pkix-crl crl +application/pkix-pkipath pkipath +application/pkixcmp pki +application/pls+xml pls +application/poc-settings+xml +application/postscript ai eps ps +application/prs.alvestrand.titrax-sheet +application/prs.cww cww +application/prs.nprend +application/prs.plucker +application/qsig +application/rar rar +application/rdf+xml rdf +application/reginfo+xml rif +application/relax-ng-compact-syntax rnc +application/remote-printing +application/resource-lists+xml rl +application/resource-lists-diff+xml rld +application/riscos +application/rlmi+xml +application/rls-services+xml rs +application/rsd+xml rsd +application/rss+xml rss +application/rtf rtf +application/rtx +application/samlassertion+xml +application/samlmetadata+xml +application/sbml+xml sbml +application/scvp-cv-request scq +application/scvp-cv-response scs +application/scvp-vp-request spq +application/scvp-vp-response spp +application/sdp sdp +application/set-payment +application/set-payment-initiation setpay +application/set-registration +application/set-registration-initiation setreg +application/sgml +application/sgml-open-catalog +application/shf+xml shf +application/sieve +application/simple-filter+xml +application/simple-message-summary +application/simplesymbolcontainer +application/slate +application/smil smi smil +application/smil+xml smi smil +application/soap+fastinfoset +application/soap+xml +application/sparql-query rq +application/sparql-results+xml srx +application/spirits-event+xml +application/srgs gram +application/srgs+xml grxml +application/ssml+xml ssml +application/timestamp-query +application/timestamp-reply +application/tve-trigger +application/ulpfec +application/vemmi +application/vividence.scriptfile +application/vnd.3gpp.bsf+xml +application/vnd.3gpp.pic-bw-large plb +application/vnd.3gpp.pic-bw-small psb +application/vnd.3gpp.pic-bw-var pvb +application/vnd.3gpp.sms +application/vnd.3gpp2.bcmcsinfo+xml +application/vnd.3gpp2.sms +application/vnd.3gpp2.tcap tcap +application/vnd.3m.post-it-notes pwn +application/vnd.accpac.simply.aso aso +application/vnd.accpac.simply.imp imp +application/vnd.acucobol acu +application/vnd.acucorp acutc atc +application/vnd.adobe.air-application-installer-package+zip air +application/vnd.adobe.xdp+xml xdp +application/vnd.adobe.xfdf xfdf +application/vnd.aether.imp +application/vnd.airzip.filesecure.azf azf +application/vnd.airzip.filesecure.azs azs +application/vnd.amazon.ebook azw +application/vnd.americandynamics.acc acc +application/vnd.amiga.ami ami +application/vnd.android.package-archive apk +application/vnd.anser-web-certificate-issue-initiation cii +application/vnd.anser-web-funds-transfer-initiation fti +application/vnd.antix.game-component atx +application/vnd.apple.installer+xml mpkg +application/vnd.arastra.swi swi +application/vnd.audiograph aep +application/vnd.autopackage +application/vnd.avistar+xml +application/vnd.blueice.multipass mpm +application/vnd.bluetooth.ep.oob +application/vnd.bmi bmi +application/vnd.businessobjects rep +application/vnd.cab-jscript +application/vnd.canon-cpdl +application/vnd.canon-lips +application/vnd.cendio.thinlinc.clientconf +application/vnd.chemdraw+xml cdxml +application/vnd.chipnuts.karaoke-mmd mmd +application/vnd.cinderella cdy +application/vnd.cirpack.isdn-ext +application/vnd.claymore cla +application/vnd.clonk.c4group c4d c4f c4g c4p c4u +application/vnd.commerce-battelle +application/vnd.commonspace csp +application/vnd.contact.cmsg cdbcmsg +application/vnd.cosmocaller cmc +application/vnd.crick.clicker clkx +application/vnd.crick.clicker.keyboard clkk +application/vnd.crick.clicker.palette clkp +application/vnd.crick.clicker.template clkt +application/vnd.crick.clicker.wordbank clkw +application/vnd.criticaltools.wbs+xml wbs +application/vnd.ctc-posml pml +application/vnd.ctct.ws+xml +application/vnd.cups-pdf +application/vnd.cups-postscript +application/vnd.cups-ppd ppd +application/vnd.cups-raster +application/vnd.cups-raw +application/vnd.curl.car car +application/vnd.curl.pcurl pcurl +application/vnd.cybank +application/vnd.data-vision.rdz rdz +application/vnd.denovo.fcselayout-link fe_launch +application/vnd.dir-bi.plate-dl-nosuffix +application/vnd.dna dna +application/vnd.dolby.mlp mlp +application/vnd.dolby.mobile.1 +application/vnd.dolby.mobile.2 +application/vnd.dpgraph dpg +application/vnd.dreamfactory dfac +application/vnd.dvb.esgcontainer +application/vnd.dvb.ipdcdftnotifaccess +application/vnd.dvb.ipdcesgaccess +application/vnd.dvb.ipdcroaming +application/vnd.dvb.iptv.alfec-base +application/vnd.dvb.iptv.alfec-enhancement +application/vnd.dvb.notif-aggregate-root+xml +application/vnd.dvb.notif-container+xml +application/vnd.dvb.notif-generic+xml +application/vnd.dvb.notif-ia-msglist+xml +application/vnd.dvb.notif-ia-registration-request+xml +application/vnd.dvb.notif-ia-registration-response+xml +application/vnd.dvb.notif-init+xml +application/vnd.dxr +application/vnd.dynageo geo +application/vnd.ecdis-update +application/vnd.ecowin.chart mag +application/vnd.ecowin.filerequest +application/vnd.ecowin.fileupdate +application/vnd.ecowin.series +application/vnd.ecowin.seriesrequest +application/vnd.ecowin.seriesupdate +application/vnd.emclient.accessrequest+xml +application/vnd.enliven nml +application/vnd.epson.esf esf +application/vnd.epson.msf msf +application/vnd.epson.quickanime qam +application/vnd.epson.salt slt +application/vnd.epson.ssf ssf +application/vnd.ericsson.quickcall +application/vnd.eszigno3+xml es3 et3 +application/vnd.etsi.aoc+xml +application/vnd.etsi.cug+xml +application/vnd.etsi.iptvcommand+xml +application/vnd.etsi.iptvdiscovery+xml +application/vnd.etsi.iptvprofile+xml +application/vnd.etsi.iptvsad-bc+xml +application/vnd.etsi.iptvsad-cod+xml +application/vnd.etsi.iptvsad-npvr+xml +application/vnd.etsi.iptvueprofile+xml +application/vnd.etsi.mcid+xml +application/vnd.etsi.sci+xml +application/vnd.etsi.simservs+xml +application/vnd.eudora.data +application/vnd.ezpix-album ez2 +application/vnd.ezpix-package ez3 +application/vnd.f-secure.mobile +application/vnd.fdf fdf +application/vnd.fdsn.mseed mseed +application/vnd.fdsn.seed dataless seed +application/vnd.ffsns +application/vnd.fints +application/vnd.flographit gph +application/vnd.fluxtime.clip ftc +application/vnd.font-fontforge-sfd +application/vnd.framemaker book fm frame maker +application/vnd.frogans.fnc fnc +application/vnd.frogans.ltf ltf +application/vnd.fsc.weblaunch fsc +application/vnd.fujitsu.oasys oas +application/vnd.fujitsu.oasys2 oa2 +application/vnd.fujitsu.oasys3 oa3 +application/vnd.fujitsu.oasysgp fg5 +application/vnd.fujitsu.oasysprs bh2 +application/vnd.fujixerox.art-ex +application/vnd.fujixerox.art4 +application/vnd.fujixerox.ddd ddd +application/vnd.fujixerox.docuworks xdw +application/vnd.fujixerox.docuworks.binder xbd +application/vnd.fujixerox.hbpl +application/vnd.fut-misnet +application/vnd.fuzzysheet fzs +application/vnd.genomatix.tuxedo txd +application/vnd.geogebra.file ggb +application/vnd.geogebra.tool ggt +application/vnd.geometry-explorer gex gre +application/vnd.gmx gmx +application/vnd.google-earth.kml+xml kml +application/vnd.google-earth.kmz kmz +application/vnd.grafeq gqf gqs +application/vnd.gridmp +application/vnd.groove-account gac +application/vnd.groove-help ghf +application/vnd.groove-identity-message gim +application/vnd.groove-injector grv +application/vnd.groove-tool-message gtm +application/vnd.groove-tool-template tpl +application/vnd.groove-vcard vcg +application/vnd.handheld-entertainment+xml zmm +application/vnd.hbci hbci +application/vnd.hcl-bireports +application/vnd.hhe.lesson-player les +application/vnd.hp-hpgl hpgl +application/vnd.hp-hpid hpid +application/vnd.hp-hps hps +application/vnd.hp-jlyt jlt +application/vnd.hp-pcl pcl +application/vnd.hp-pclxl pclxl +application/vnd.httphone +application/vnd.hydrostatix.sof-data sfd-hdstx +application/vnd.hzn-3d-crossword x3d +application/vnd.ibm.afplinedata +application/vnd.ibm.electronic-media +application/vnd.ibm.minipay mpy +application/vnd.ibm.modcap afp list3820 listafp +application/vnd.ibm.rights-management irm +application/vnd.ibm.secure-container sc +application/vnd.iccprofile icc icm +application/vnd.igloader igl +application/vnd.immervision-ivp ivp +application/vnd.immervision-ivu ivu +application/vnd.informedcontrol.rms+xml +application/vnd.informix-visionary +application/vnd.intercon.formnet xpw xpx +application/vnd.intertrust.digibox +application/vnd.intertrust.nncp +application/vnd.intu.qbo qbo +application/vnd.intu.qfx qfx +application/vnd.iptc.g2.conceptitem+xml +application/vnd.iptc.g2.knowledgeitem+xml +application/vnd.iptc.g2.newsitem+xml +application/vnd.iptc.g2.packageitem+xml +application/vnd.ipunplugged.rcprofile rcprofile +application/vnd.irepository.package+xml irp +application/vnd.is-xpr xpr +application/vnd.jam jam +application/vnd.japannet-directory-service +application/vnd.japannet-jpnstore-wakeup +application/vnd.japannet-payment-wakeup +application/vnd.japannet-registration +application/vnd.japannet-registration-wakeup +application/vnd.japannet-setstore-wakeup +application/vnd.japannet-verification +application/vnd.japannet-verification-wakeup +application/vnd.jcp.javame.midlet-rms rms +application/vnd.jisp jisp +application/vnd.joost.joda-archive joda +application/vnd.kahootz ktr ktz +application/vnd.kde.karbon karbon +application/vnd.kde.kchart chrt +application/vnd.kde.kformula kfo +application/vnd.kde.kivio flw +application/vnd.kde.kontour kon +application/vnd.kde.kpresenter kpr kpt +application/vnd.kde.kspread ksp +application/vnd.kde.kword kwd kwt +application/vnd.kenameaapp htke +application/vnd.kidspiration kia +application/vnd.kinar kne knp +application/vnd.koan skd skm skp skt +application/vnd.kodak-descriptor sse +application/vnd.liberty-request+xml +application/vnd.llamagraphics.life-balance.desktop lbd +application/vnd.llamagraphics.life-balance.exchange+xml lbe +application/vnd.lotus-1-2-3 123 +application/vnd.lotus-approach apr +application/vnd.lotus-freelance pre +application/vnd.lotus-notes nsf +application/vnd.lotus-organizer org +application/vnd.lotus-screencam scm +application/vnd.lotus-wordpro lwp +application/vnd.macports.portpkg portpkg +application/vnd.marlin.drm.actiontoken+xml +application/vnd.marlin.drm.conftoken+xml +application/vnd.marlin.drm.license+xml +application/vnd.marlin.drm.mdcf +application/vnd.mcd mcd +application/vnd.medcalcdata mc1 +application/vnd.mediastation.cdkey cdkey +application/vnd.meridian-slingshot +application/vnd.mfer mwf +application/vnd.mfmp mfm +application/vnd.micrografx.flo flo +application/vnd.micrografx.igx igx +application/vnd.mif mif +application/vnd.minisoft-hp3000-save +application/vnd.mitsubishi.misty-guard.trustweb +application/vnd.mobius.daf daf +application/vnd.mobius.dis dis +application/vnd.mobius.mbk mbk +application/vnd.mobius.mqy mqy +application/vnd.mobius.msl msl +application/vnd.mobius.plc plc +application/vnd.mobius.txf txf +application/vnd.mophun.application mpn +application/vnd.mophun.certificate mpc +application/vnd.motorola.flexsuite +application/vnd.motorola.flexsuite.adsi +application/vnd.motorola.flexsuite.fis +application/vnd.motorola.flexsuite.gotap +application/vnd.motorola.flexsuite.kmr +application/vnd.motorola.flexsuite.ttc +application/vnd.motorola.flexsuite.wem +application/vnd.motorola.iprm +application/vnd.mozilla.xul+xml xul +application/vnd.ms-artgalry cil +application/vnd.ms-asf +application/vnd.ms-cab-compressed cab +application/vnd.ms-excel xla xlb xlc xlm xls xlt xlw +application/vnd.ms-excel.addin.macroenabled.12 xlam +application/vnd.ms-excel.sheet.binary.macroenabled.12 xlsb +application/vnd.ms-excel.sheet.macroenabled.12 xlsm +application/vnd.ms-excel.template.macroenabled.12 xltm +application/vnd.ms-fontobject eot +application/vnd.ms-htmlhelp chm +application/vnd.ms-ims ims +application/vnd.ms-lrm lrm +application/vnd.ms-pki.seccat cat +application/vnd.ms-pki.stl stl +application/vnd.ms-playready.initiator+xml +application/vnd.ms-powerpoint pot pps ppt +application/vnd.ms-powerpoint.addin.macroenabled.12 ppam +application/vnd.ms-powerpoint.presentation.macroenabled.12 pptm +application/vnd.ms-powerpoint.slide.macroenabled.12 sldm +application/vnd.ms-powerpoint.slideshow.macroenabled.12 ppsm +application/vnd.ms-powerpoint.template.macroenabled.12 potm +application/vnd.ms-project mpp mpt +application/vnd.ms-tnef +application/vnd.ms-wmdrm.lic-chlg-req +application/vnd.ms-wmdrm.lic-resp +application/vnd.ms-wmdrm.meter-chlg-req +application/vnd.ms-wmdrm.meter-resp +application/vnd.ms-word.document.macroenabled.12 docm +application/vnd.ms-word.template.macroenabled.12 dotm +application/vnd.ms-works wcm wdb wks wps +application/vnd.ms-wpl wpl +application/vnd.ms-xpsdocument xps +application/vnd.mseq mseq +application/vnd.msign +application/vnd.multiad.creator +application/vnd.multiad.creator.cif +application/vnd.music-niff +application/vnd.musician mus +application/vnd.muvee.style msty +application/vnd.ncd.control +application/vnd.ncd.reference +application/vnd.nervana +application/vnd.netfpx +application/vnd.neurolanguage.nlu nlu +application/vnd.noblenet-directory nnd +application/vnd.noblenet-sealer nns +application/vnd.noblenet-web nnw +application/vnd.nokia.catalogs +application/vnd.nokia.conml+wbxml +application/vnd.nokia.conml+xml +application/vnd.nokia.iptv.config+xml +application/vnd.nokia.isds-radio-presets +application/vnd.nokia.landmark+wbxml +application/vnd.nokia.landmark+xml +application/vnd.nokia.landmarkcollection+xml +application/vnd.nokia.n-gage.ac+xml +application/vnd.nokia.n-gage.data ngdat +application/vnd.nokia.n-gage.symbian.install n-gage +application/vnd.nokia.ncd +application/vnd.nokia.pcd+wbxml +application/vnd.nokia.pcd+xml +application/vnd.nokia.radio-preset rpst +application/vnd.nokia.radio-presets rpss +application/vnd.novadigm.edm edm +application/vnd.novadigm.edx edx +application/vnd.novadigm.ext ext +application/vnd.oasis.opendocument.chart odc +application/vnd.oasis.opendocument.chart-template otc +application/vnd.oasis.opendocument.database odb +application/vnd.oasis.opendocument.formula odf +application/vnd.oasis.opendocument.formula-template odft +application/vnd.oasis.opendocument.graphics odg +application/vnd.oasis.opendocument.graphics-template otg +application/vnd.oasis.opendocument.image odi +application/vnd.oasis.opendocument.image-template oti +application/vnd.oasis.opendocument.presentation odp +application/vnd.oasis.opendocument.presentation-template otp +application/vnd.oasis.opendocument.spreadsheet ods +application/vnd.oasis.opendocument.spreadsheet-template ots +application/vnd.oasis.opendocument.text odt +application/vnd.oasis.opendocument.text-master odm otm +application/vnd.oasis.opendocument.text-template ott +application/vnd.oasis.opendocument.text-web oth +application/vnd.obn +application/vnd.olpc-sugar xo +application/vnd.oma-scws-config +application/vnd.oma-scws-http-request +application/vnd.oma-scws-http-response +application/vnd.oma.bcast.associated-procedure-parameter+xml +application/vnd.oma.bcast.drm-trigger+xml +application/vnd.oma.bcast.imd+xml +application/vnd.oma.bcast.ltkm +application/vnd.oma.bcast.notification+xml +application/vnd.oma.bcast.provisioningtrigger +application/vnd.oma.bcast.sgboot +application/vnd.oma.bcast.sgdd+xml +application/vnd.oma.bcast.sgdu +application/vnd.oma.bcast.simple-symbol-container +application/vnd.oma.bcast.smartcard-trigger+xml +application/vnd.oma.bcast.sprov+xml +application/vnd.oma.bcast.stkm +application/vnd.oma.dcd +application/vnd.oma.dcdc +application/vnd.oma.dd2+xml dd2 +application/vnd.oma.drm.risd+xml +application/vnd.oma.group-usage-list+xml +application/vnd.oma.poc.detailed-progress-report+xml +application/vnd.oma.poc.final-report+xml +application/vnd.oma.poc.groups+xml +application/vnd.oma.poc.invocation-descriptor+xml +application/vnd.oma.poc.optimized-progress-report+xml +application/vnd.oma.xcap-directory+xml +application/vnd.omads-email+xml +application/vnd.omads-file+xml +application/vnd.omads-folder+xml +application/vnd.omaloc-supl-init +application/vnd.openofficeorg.extension oxt +application/vnd.openxmlformats-officedocument.presentationml.presentation pptx +application/vnd.openxmlformats-officedocument.presentationml.slide sldx +application/vnd.openxmlformats-officedocument.presentationml.slideshow ppsx +application/vnd.openxmlformats-officedocument.presentationml.template potx +application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx +application/vnd.openxmlformats-officedocument.spreadsheetml.template xltx +application/vnd.openxmlformats-officedocument.wordprocessingml.document docx +application/vnd.openxmlformats-officedocument.wordprocessingml.template dotx +application/vnd.osa.netdeploy +application/vnd.osgi.bundle +application/vnd.osgi.dp dp +application/vnd.otps.ct-kip+xml +application/vnd.palm oprc pdb pqa +application/vnd.paos.xml +application/vnd.pg.format str +application/vnd.pg.osasli ei6 +application/vnd.piaccess.application-licence +application/vnd.picsel efif +application/vnd.poc.group-advertisement+xml +application/vnd.pocketlearn plf +application/vnd.powerbuilder6 pbd +application/vnd.powerbuilder6-s +application/vnd.powerbuilder7 +application/vnd.powerbuilder7-s +application/vnd.powerbuilder75 +application/vnd.powerbuilder75-s +application/vnd.preminet +application/vnd.previewsystems.box box +application/vnd.proteus.magazine mgz +application/vnd.publishare-delta-tree qps +application/vnd.pvi.ptid1 ptid +application/vnd.pwg-multiplexed +application/vnd.pwg-xhtml-print+xml +application/vnd.qualcomm.brew-app-res +application/vnd.quark.quarkxpress qwd qwt qxb qxd qxl qxt +application/vnd.rapid +application/vnd.recordare.musicxml mxl +application/vnd.recordare.musicxml+xml musicxml +application/vnd.renlearn.rlprint +application/vnd.rim.cod cod +application/vnd.rn-realmedia rm +application/vnd.route66.link66+xml link66 +application/vnd.ruckus.download +application/vnd.s3sms +application/vnd.sbm.cid +application/vnd.sbm.mid2 +application/vnd.scribus +application/vnd.sealed.3df +application/vnd.sealed.csf +application/vnd.sealed.doc +application/vnd.sealed.eml +application/vnd.sealed.mht +application/vnd.sealed.net +application/vnd.sealed.ppt +application/vnd.sealed.tiff +application/vnd.sealed.xls +application/vnd.sealedmedia.softseal.html +application/vnd.sealedmedia.softseal.pdf +application/vnd.seemail see +application/vnd.sema sema +application/vnd.semd semd +application/vnd.semf semf +application/vnd.shana.informed.formdata ifm +application/vnd.shana.informed.formtemplate itp +application/vnd.shana.informed.interchange iif +application/vnd.shana.informed.package ipk +application/vnd.simtech-mindmapper twd twds +application/vnd.smaf mmf +application/vnd.smart.teacher teacher +application/vnd.software602.filler.form+xml +application/vnd.software602.filler.form-xml-zip +application/vnd.solent.sdkm+xml sdkd sdkm +application/vnd.spotfire.dxp dxp +application/vnd.spotfire.sfs sfs +application/vnd.sss-cod +application/vnd.sss-dtf +application/vnd.sss-ntf +application/vnd.stardivision.calc sdc +application/vnd.stardivision.draw sda +application/vnd.stardivision.impress sdd sdp +application/vnd.stardivision.math sdf smf +application/vnd.stardivision.writer sdw vor +application/vnd.stardivision.writer-global sgl +application/vnd.street-stream +application/vnd.sun.wadl+xml +application/vnd.sun.xml.calc sxc +application/vnd.sun.xml.calc.template stc +application/vnd.sun.xml.draw sxd +application/vnd.sun.xml.draw.template std +application/vnd.sun.xml.impress sxi +application/vnd.sun.xml.impress.template sti +application/vnd.sun.xml.math sxm +application/vnd.sun.xml.writer sxw +application/vnd.sun.xml.writer.global sxg +application/vnd.sun.xml.writer.template stw +application/vnd.sus-calendar sus susp +application/vnd.svd svd +application/vnd.swiftview-ics +application/vnd.symbian.install sis sisx +application/vnd.syncml+xml xsm +application/vnd.syncml.dm+wbxml bdm +application/vnd.syncml.dm+xml xdm +application/vnd.syncml.dm.notification +application/vnd.syncml.ds.notification +application/vnd.tao.intent-module-archive tao +application/vnd.tmobile-livetv tmo +application/vnd.trid.tpt tpt +application/vnd.triscape.mxs mxs +application/vnd.trueapp tra +application/vnd.truedoc +application/vnd.ufdl ufd ufdl +application/vnd.uiq.theme utz +application/vnd.umajin umj +application/vnd.unity unityweb +application/vnd.uoml+xml uoml +application/vnd.uplanet.alert +application/vnd.uplanet.alert-wbxml +application/vnd.uplanet.bearer-choice +application/vnd.uplanet.bearer-choice-wbxml +application/vnd.uplanet.cacheop +application/vnd.uplanet.cacheop-wbxml +application/vnd.uplanet.channel +application/vnd.uplanet.channel-wbxml +application/vnd.uplanet.list +application/vnd.uplanet.list-wbxml +application/vnd.uplanet.listcmd +application/vnd.uplanet.listcmd-wbxml +application/vnd.uplanet.signal +application/vnd.vcx vcx +application/vnd.vd-study +application/vnd.vectorworks +application/vnd.vidsoft.vidconference +application/vnd.visio vsd vss vst vsw +application/vnd.visionary vis +application/vnd.vividence.scriptfile +application/vnd.vsf vsf +application/vnd.wap.sic +application/vnd.wap.slc +application/vnd.wap.wbxml wbxml +application/vnd.wap.wmlc wmlc +application/vnd.wap.wmlscriptc wmlsc +application/vnd.webturbo wtb +application/vnd.wfa.wsc +application/vnd.wmc +application/vnd.wmf.bootstrap +application/vnd.wordperfect wpd +application/vnd.wqd wqd +application/vnd.wrq-hp3000-labelled +application/vnd.wt.stf stf +application/vnd.wv.csp+wbxml +application/vnd.wv.csp+xml +application/vnd.wv.ssp+xml +application/vnd.xara xar +application/vnd.xfdl xfdl +application/vnd.xfdl.webform +application/vnd.xmi+xml +application/vnd.xmpie.cpkg +application/vnd.xmpie.dpkg +application/vnd.xmpie.plan +application/vnd.xmpie.ppkg +application/vnd.xmpie.xlim +application/vnd.yamaha.hv-dic hvd +application/vnd.yamaha.hv-script hvs +application/vnd.yamaha.hv-voice hvp +application/vnd.yamaha.openscoreformat osf +application/vnd.yamaha.openscoreformat.osfpvg+xml osfpvg +application/vnd.yamaha.smaf-audio saf +application/vnd.yamaha.smaf-phrase spf +application/vnd.yellowriver-custom-menu cmp +application/vnd.zul zir zirz +application/vnd.zzazz.deck+xml zaz +application/voicexml+xml vxml +application/watcherinfo+xml +application/whoispp-query +application/whoispp-response +application/winhlp hlp +application/wita +application/wordperfect wpd +application/wordperfect5.1 wp5 +application/wsdl+xml wsdl +application/wspolicy+xml wspolicy +application/x-123 wk +application/x-abiword abw +application/x-ace-compressed ace +application/x-apple-diskimage dmg +application/x-authorware-bin aab u32 vox x32 +application/x-authorware-map aam +application/x-authorware-seg aas +application/x-bcpio bcpio +application/x-bittorrent torrent +application/x-bzip bz +application/x-bzip2 boz bz2 +application/x-cdf cdf +application/x-cdlink vcd +application/x-chat chat +application/x-chess-pgn pgn +application/x-compress +application/x-cpio cpio +application/x-csh csh +application/x-debian-package deb udeb +application/x-director cct cst cxt dcr dir dxr fgd swa w3d +application/x-dms dms +application/x-doom wad +application/x-dtbncx+xml ncx +application/x-dtbook+xml dtb +application/x-dtbresource+xml res +application/x-dvi dvi +application/x-flac flac +application/x-font gsf pcf pcf.Z pfa pfb +application/x-font-bdf bdf +application/x-font-dos +application/x-font-framemaker +application/x-font-ghostscript gsf +application/x-font-libgrx +application/x-font-linux-psf psf +application/x-font-otf otf +application/x-font-pcf pcf +application/x-font-snf snf +application/x-font-speedo +application/x-font-sunos-news +application/x-font-ttf ttc ttf +application/x-font-type1 afm pfa pfb pfm +application/x-font-vfont +application/x-freemind mm +application/x-futuresplash spl +application/x-gnumeric gnumeric +application/x-go-sgf sgf +application/x-graphing-calculator gcf +application/x-gtar gtar taz tgz +application/x-gzip +application/x-hdf hdf +application/x-ica ica +application/x-internet-signup ins isp +application/x-iphone iii +application/x-iso9660-image iso +application/x-java-jnlp-file jnlp +application/x-javascript js +application/x-jmol jmz +application/x-kchart chrt +application/x-killustrator kil +application/x-koan skd skm skp skt +application/x-kpresenter kpr kpt +application/x-kspread ksp +application/x-kword kwd kwt +application/x-latex latex +application/x-lha lha +application/x-lzh lzh +application/x-lzx lzx +application/x-maker book fb fbdoc fm frame frm maker +application/x-mif mif +application/x-mobipocket-ebook mobi prc +application/x-ms-application application +application/x-ms-wmd wmd +application/x-ms-wmz wmz +application/x-ms-xbap xbap +application/x-msaccess mdb +application/x-msbinder obd +application/x-mscardfile crd +application/x-msclip clp +application/x-msdos-program bat com dll exe +application/x-msdownload bat com dll exe msi +application/x-msi msi +application/x-msmediaview m13 m14 mvb +application/x-msmetafile wmf +application/x-msmoney mny +application/x-mspublisher pub +application/x-msschedule scd +application/x-msterminal trm +application/x-mswrite wri +application/x-netcdf cdf nc +application/x-ns-proxy-autoconfig pac +application/x-nwc nwc +application/x-object o +application/x-oz-application oza +application/x-pkcs12 p12 pfx +application/x-pkcs7-certificates p7b spc +application/x-pkcs7-certreqresp p7r +application/x-pkcs7-crl crl +application/x-python-code pyc pyo +application/x-quicktimeplayer qtl +application/x-rar-compressed rar +application/x-redhat-package-manager rpm +application/x-sh sh +application/x-shar shar +application/x-shockwave-flash swf swfl +application/x-silverlight-app xap +application/x-stuffit sit sitx +application/x-stuffitx sitx +application/x-sv4cpio sv4cpio +application/x-sv4crc sv4crc +application/x-tar tar +application/x-tcl tcl +application/x-tex tex +application/x-tex-gf gf +application/x-tex-pk pk +application/x-tex-tfm tfm +application/x-texinfo texi texinfo +application/x-trash % bak old sik ~ +application/x-troff roff t tr +application/x-troff-man man +application/x-troff-me me +application/x-troff-ms ms +application/x-ustar ustar +application/x-wais-source src +application/x-wingz wz +application/x-x509-ca-cert crt der +application/x-xcf xcf +application/x-xfig fig +application/x-xpinstall xpi +application/x400-bp +application/xcap-att+xml +application/xcap-caps+xml +application/xcap-el+xml +application/xcap-error+xml +application/xcap-ns+xml +application/xcon-conference-info+xml +application/xcon-conference-info-diff+xml +application/xenc+xml xenc +application/xhtml+xml xht xhtml +application/xhtml-voice+xml +application/xml xml xsl +application/xml-dtd dtd +application/xml-external-parsed-entity +application/xmpp+xml +application/xop+xml xop +application/xslt+xml xslt +application/xspf+xml xspf +application/xv+xml mxml xhvml xvm xvml +application/zip zip +audio/32kadpcm +audio/3gpp +audio/3gpp2 +audio/ac3 +audio/adpcm adp +audio/amr +audio/amr-wb +audio/amr-wb+ +audio/asc +audio/basic au snd +audio/bv16 +audio/bv32 +audio/clearmode +audio/cn +audio/dat12 +audio/dls +audio/dsr-es201108 +audio/dsr-es202050 +audio/dsr-es202211 +audio/dsr-es202212 +audio/dvi4 +audio/eac3 +audio/evrc +audio/evrc-qcp +audio/evrc0 +audio/evrc1 +audio/evrcb +audio/evrcb0 +audio/evrcb1 +audio/evrcwb +audio/evrcwb0 +audio/evrcwb1 +audio/example +audio/g719 +audio/g722 +audio/g7221 +audio/g723 +audio/g726-16 +audio/g726-24 +audio/g726-32 +audio/g726-40 +audio/g728 +audio/g729 +audio/g7291 +audio/g729d +audio/g729e +audio/gsm +audio/gsm-efr +audio/ilbc +audio/l16 +audio/l20 +audio/l24 +audio/l8 +audio/lpc +audio/midi kar mid midi rmi +audio/mobile-xmf +audio/mp4 mp4a +audio/mp4a-latm +audio/mpa +audio/mpa-robust +audio/mpeg m2a m3a m4a mp2 mp2a mp3 mpega mpga +audio/mpeg4-generic +audio/mpegurl m3u +audio/ogg oga ogg spx +audio/parityfec +audio/pcma +audio/pcma-wb +audio/pcmu +audio/pcmu-wb +audio/prs.sid sid +audio/qcelp +audio/red +audio/rtp-enc-aescm128 +audio/rtp-midi +audio/rtx +audio/smv +audio/smv-qcp +audio/smv0 +audio/sp-midi +audio/t140c +audio/t38 +audio/telephone-event +audio/tone +audio/ulpfec +audio/vdvi +audio/vmr-wb +audio/vnd.3gpp.iufp +audio/vnd.4sb +audio/vnd.audiokoz +audio/vnd.celp +audio/vnd.cisco.nse +audio/vnd.cmles.radio-events +audio/vnd.cns.anp1 +audio/vnd.cns.inf1 +audio/vnd.digital-winds eol +audio/vnd.dlna.adts +audio/vnd.dolby.heaac.1 +audio/vnd.dolby.heaac.2 +audio/vnd.dolby.mlp +audio/vnd.dolby.mps +audio/vnd.dolby.pl2 +audio/vnd.dolby.pl2x +audio/vnd.dolby.pl2z +audio/vnd.dts dts +audio/vnd.dts.hd dtshd +audio/vnd.everad.plj +audio/vnd.hns.audio +audio/vnd.lucent.voice lvp +audio/vnd.ms-playready.media.pya pya +audio/vnd.nokia.mobile-xmf +audio/vnd.nortel.vbk +audio/vnd.nuera.ecelp4800 ecelp4800 +audio/vnd.nuera.ecelp7470 ecelp7470 +audio/vnd.nuera.ecelp9600 ecelp9600 +audio/vnd.octel.sbc +audio/vnd.qcelp +audio/vnd.rhetorex.32kadpcm +audio/vnd.sealedmedia.softseal.mpeg +audio/vnd.vmx.cvsd +audio/vorbis +audio/vorbis-config +audio/x-aac aac +audio/x-aiff aif aifc aiff +audio/x-gsm gsm +audio/x-mpegurl m3u +audio/x-ms-wax wax +audio/x-ms-wma wma +audio/x-pn-realaudio ra ram rm +audio/x-pn-realaudio-plugin rmp +audio/x-realaudio ra +audio/x-scpls pls +audio/x-sd2 sd2 +audio/x-wav wav +chemical/x-alchemy alc +chemical/x-cache cac cache +chemical/x-cache-csf csf +chemical/x-cactvs-binary cascii cbin ctab +chemical/x-cdx cdx +chemical/x-cerius cer +chemical/x-chem3d c3d +chemical/x-chemdraw chm +chemical/x-cif cif +chemical/x-cmdf cmdf +chemical/x-cml cml +chemical/x-compass cpa +chemical/x-crossfire bsd +chemical/x-csml csm csml +chemical/x-ctx ctx +chemical/x-cxf cef cxf +chemical/x-embl-dl-nucleotide emb embl +chemical/x-galactic-spc spc +chemical/x-gamess-input gam gamin inp +chemical/x-gaussian-checkpoint fch fchk +chemical/x-gaussian-cube cub +chemical/x-gaussian-input gau gjc gjf +chemical/x-gaussian-log gal +chemical/x-gcg8-sequence gcg +chemical/x-genbank gen +chemical/x-hin hin +chemical/x-isostar ist istr +chemical/x-jcamp-dx dx jdx +chemical/x-kinemage kin +chemical/x-macmolecule mcm +chemical/x-macromodel-input mmd mmod +chemical/x-mdl-molfile mol +chemical/x-mdl-rdfile rd +chemical/x-mdl-rxnfile rxn +chemical/x-mdl-sdfile sd sdf +chemical/x-mdl-tgf tgf +chemical/x-mmcif mcif +chemical/x-mol2 mol2 +chemical/x-molconn-Z b +chemical/x-mopac-graph gpt +chemical/x-mopac-input dat mop mopcrt mpc zmt +chemical/x-mopac-out moo +chemical/x-mopac-vib mvb +chemical/x-ncbi-asn1 asn +chemical/x-ncbi-asn1-ascii ent prt +chemical/x-ncbi-asn1-binary aso val +chemical/x-ncbi-asn1-spec asn +chemical/x-pdb ent pdb +chemical/x-rosdal ros +chemical/x-swissprot sw +chemical/x-vamas-iso14976 vms +chemical/x-vmd vmd +chemical/x-xtel xtel +chemical/x-xyz xyz +image/bmp bmp +image/cgm cgm +image/example +image/fits +image/g3fax g3 +image/gif gif +image/ief ief +image/jp2 +image/jpeg jpe jpeg jpg +image/jpm +image/jpx +image/naplps +image/pcx pcx +image/png png +image/prs.btif btif +image/prs.pti +image/svg+xml svg svgz +image/t38 +image/tiff tif tiff +image/tiff-fx +image/vnd.adobe.photoshop psd +image/vnd.cns.inf2 +image/vnd.djvu djv djvu +image/vnd.dwg dwg +image/vnd.dxf dxf +image/vnd.fastbidsheet fbs +image/vnd.fpx fpx +image/vnd.fst fst +image/vnd.fujixerox.edmics-mmr mmr +image/vnd.fujixerox.edmics-rlc rlc +image/vnd.globalgraphics.pgb +image/vnd.microsoft.icon +image/vnd.mix +image/vnd.ms-modi mdi +image/vnd.net-fpx npx +image/vnd.radiance +image/vnd.sealed.png +image/vnd.sealedmedia.softseal.gif +image/vnd.sealedmedia.softseal.jpg +image/vnd.svf +image/vnd.wap.wbmp wbmp +image/vnd.xiff xif +image/x-cmu-raster ras +image/x-cmx cmx +image/x-coreldraw cdr +image/x-coreldrawpattern pat +image/x-coreldrawtemplate cdt +image/x-corelphotopaint cpt +image/x-freehand fh fh4 fh5 fh7 fhc +image/x-icon ico +image/x-jg art +image/x-jng jng +image/x-ms-bmp bmp +image/x-pcx pcx +image/x-photoshop psd +image/x-pict pct pic +image/x-portable-anymap pnm +image/x-portable-bitmap pbm +image/x-portable-graymap pgm +image/x-portable-pixmap ppm +image/x-rgb rgb +image/x-xbitmap xbm +image/x-xpixmap xpm +image/x-xwindowdump xwd +message/cpim +message/delivery-status +message/disposition-notification +message/example +message/external-body +message/global +message/global-delivery-status +message/global-disposition-notification +message/global-headers +message/http +message/imdn+xml +message/news +message/partial +message/rfc822 eml mime +message/s-http +message/sip +message/sipfrag +message/tracking-status +message/vnd.si.simp +model/example +model/iges iges igs +model/mesh mesh msh silo +model/vnd.dwf dwf +model/vnd.flatland.3dml +model/vnd.gdl gdl +model/vnd.gs-gdl +model/vnd.gs.gdl +model/vnd.gtw gtw +model/vnd.moml+xml +model/vnd.mts mts +model/vnd.parasolid.transmit.binary +model/vnd.parasolid.transmit.text +model/vnd.vtu vtu +model/vrml vrml wrl +multipart/alternative +multipart/appledouble +multipart/byteranges +multipart/digest +multipart/encrypted +multipart/example +multipart/form-data +multipart/header-set +multipart/mixed +multipart/parallel +multipart/related +multipart/report +multipart/signed +multipart/voice-message +text/calendar ics icz ifb +text/comma-separated-values csv +text/css css +text/csv csv +text/directory +text/dns +text/ecmascript +text/enriched +text/example +text/h323 323 +text/html htm html shtml +text/iuls uls +text/javascript +text/mathml mml +text/parityfec +text/plain asc conf def diff in list log pot text txt +text/prs.fallenstein.rst +text/prs.lines.tag dsc +text/red +text/rfc822-headers +text/richtext rtx +text/rtf rtf +text/rtp-enc-aescm128 +text/rtx +text/scriptlet sct wsc +text/sgml sgm sgml +text/t140 +text/tab-separated-values tsv +text/texmacs tm ts +text/troff man me ms roff t tr +text/ulpfec +text/uri-list uri uris urls +text/vnd.abc +text/vnd.curl curl +text/vnd.curl.dcurl dcurl +text/vnd.curl.mcurl mcurl +text/vnd.curl.scurl scurl +text/vnd.dmclientscript +text/vnd.esmertec.theme-descriptor +text/vnd.fly fly +text/vnd.fmi.flexstor flx +text/vnd.graphviz gv +text/vnd.in3d.3dml 3dml +text/vnd.in3d.spot spot +text/vnd.iptc.newsml +text/vnd.iptc.nitf +text/vnd.latex-z +text/vnd.motorola.reflex +text/vnd.ms-mediapackage +text/vnd.net2phone.commcenter.command +text/vnd.si.uricatalogue +text/vnd.sun.j2me.app-descriptor jad +text/vnd.trolltech.linguist +text/vnd.wap.si +text/vnd.wap.sl +text/vnd.wap.wml wml +text/vnd.wap.wmlscript wmls +text/x-asm asm s +text/x-bibtex bib +text/x-c c cc cpp cxx dic h hh +text/x-c++hdr h++ hh hpp hxx +text/x-c++src c++ cc cpp cxx +text/x-chdr h +text/x-csh csh +text/x-csrc c +text/x-fortran f f77 f90 for +text/x-haskell hs +text/x-java java +text/x-java-source java +text/x-literate-haskell lhs +text/x-moc moc +text/x-pascal p pas +text/x-pcs-gcd gcd +text/x-perl pl pm +text/x-psp psp +text/x-python py +text/x-setext etx +text/x-sh sh +text/x-tcl tcl tk +text/x-tex cls ltx sty tex +text/x-uuencode uu +text/x-vcalendar vcs +text/x-vcard vcf +text/xml +text/xml-external-parsed-entity +video/3gpp 3gp +video/3gpp-tt +video/3gpp2 3g2 +video/bmpeg +video/bt656 +video/celb +video/dl dl +video/dv dif dv +video/example +video/fli fli +video/gl gl +video/h261 h261 +video/h263 h263 +video/h263-1998 +video/h263-2000 +video/h264 h264 +video/jpeg jpgv +video/jpeg2000 +video/jpm jpgm jpm +video/mj2 mj2 mjp2 +video/mp1s +video/mp2p +video/mp2t +video/mp4 mp4 mp4v mpg4 +video/mp4v-es +video/mpeg m1v m2v mpe mpeg mpg +video/mpeg4-generic +video/mpv +video/nv +video/ogg ogv +video/parityfec +video/pointer +video/quicktime mov qt +video/raw +video/rtp-enc-aescm128 +video/rtx +video/smpte292m +video/ulpfec +video/vc1 +video/vnd.cctv +video/vnd.dlna.mpeg-tts +video/vnd.fvt fvt +video/vnd.hns.video +video/vnd.iptvforum.1dparityfec-1010 +video/vnd.iptvforum.1dparityfec-2005 +video/vnd.iptvforum.2dparityfec-1010 +video/vnd.iptvforum.2dparityfec-2005 +video/vnd.iptvforum.ttsavc +video/vnd.iptvforum.ttsmpeg2 +video/vnd.motorola.video +video/vnd.motorola.videop +video/vnd.mpegurl m4u mxu +video/vnd.ms-playready.media.pyv pyv +video/vnd.nokia.interleaved-multimedia +video/vnd.nokia.videovoip +video/vnd.objectvideo +video/vnd.sealed.mpeg1 +video/vnd.sealed.mpeg4 +video/vnd.sealed.swf +video/vnd.sealedmedia.softseal.mov +video/vnd.vivo viv +video/x-f4v f4v +video/x-fli fli +video/x-flv flv +video/x-la-asf lsf lsx +video/x-m4v m4v +video/x-mng mng +video/x-ms-asf asf asx +video/x-ms-wm wm +video/x-ms-wmv wmv +video/x-ms-wmx wmx +video/x-ms-wvx wvx +video/x-msvideo avi +video/x-sgi-movie movie +x-conference/x-cooltalk ice +x-world/x-vrml vrm vrml wrl diff --git a/mke2fs.conf b/mke2fs.conf new file mode 100644 index 0000000..52fe58e --- /dev/null +++ b/mke2fs.conf @@ -0,0 +1,44 @@ +[defaults] + base_features = sparse_super,filetype,resize_inode,dir_index,ext_attr + blocksize = 4096 + inode_size = 256 + inode_ratio = 16384 + +[fs_types] + ext3 = { + features = has_journal + } + ext4 = { + features = has_journal,extent,huge_file,flex_bg,uninit_bg,dir_nlink,extra_isize + inode_size = 256 + } + ext4dev = { + features = has_journal,extent,huge_file,flex_bg,uninit_bg,dir_nlink,extra_isize + inode_size = 256 + options = test_fs=1 + } + small = { + blocksize = 1024 + inode_size = 128 + inode_ratio = 4096 + } + floppy = { + blocksize = 1024 + inode_size = 128 + inode_ratio = 8192 + } + news = { + inode_ratio = 4096 + } + largefile = { + inode_ratio = 1048576 + blocksize = -1 + } + largefile4 = { + inode_ratio = 4194304 + blocksize = -1 + } + hurd = { + blocksize = 4096 + inode_size = 128 + } diff --git a/mlocate-cron.conf b/mlocate-cron.conf new file mode 100644 index 0000000..f207344 --- /dev/null +++ b/mlocate-cron.conf @@ -0,0 +1,9 @@ +# nice value to run at: see -n in nice(1) +NICE="19" + +# ionice class to run at: see -c in ionice(1) +# you have to install sys-apps/util-linux manually +IONICE_CLASS="2" + +# ionice priority to run at: see -n in ionice(1) +IONICE_PRIORITY="7" diff --git a/motd b/motd new file mode 100644 index 0000000..2cc520e --- /dev/null +++ b/motd @@ -0,0 +1,15 @@ +Linux helga 3.0.6-gentoo #1 SMP Wed Oct 26 22:31:04 CEST 2011 x86_64 Quad-Core AMD Opteron(tm) Processor 1381 AuthenticAMD GNU/Linux +Gentoo Base System release 2.0.3 + ## ## ### + ## ## ## + ## ## #### ## ##### ##### + ###### ## ## ## ## ## ## ## + ## ## ######## ## ## ## ## ## +## ## ## ## ###### ## ### +## ## #### #### ## ### ## + ##### + +Nimm die Schaufel nicht so voll, wenn die Arbeit reichen soll. + +Today is Pungenday, the 51st day of The Aftermath in the YOLD 3177 + diff --git a/motd.1 b/motd.1 new file mode 100644 index 0000000..451ded3 --- /dev/null +++ b/motd.1 @@ -0,0 +1,16 @@ +Linux helga 3.0.6-gentoo #1 SMP Wed Oct 26 22:31:04 CEST 2011 x86_64 Quad-Core AMD Opteron(tm) Processor 1381 AuthenticAMD GNU/Linux +Gentoo Base System release 2.0.3 + ## ## ### + ## ## ## + ## ## #### ## ##### ##### + ###### ## ## ## ## ## ## ## + ## ## ######## ## ## ## ## ## +## ## ## ## ###### ## ### +## ## #### #### ## ### ## + ##### + +Die meisten Memoiren sind ein Make-up aus Worten. + -- Norman Mailer + +Today is Sweetmorn, the 9th day of The Aftermath in the YOLD 3177 + diff --git a/motd.tail b/motd.tail new file mode 100644 index 0000000..e3f0790 --- /dev/null +++ b/motd.tail @@ -0,0 +1,8 @@ + ## ## ### + ## ## ## + ## ## #### ## ##### ##### + ###### ## ## ## ## ## ## ## + ## ## ######## ## ## ## ## ## +## ## ## ## ###### ## ### +## ## #### #### ## ### ## + ##### diff --git a/mtab b/mtab new file mode 100644 index 0000000..b40eecf --- /dev/null +++ b/mtab @@ -0,0 +1,21 @@ +rootfs / rootfs rw 0 0 +/dev/root / ext3 rw,noatime,errors=continue,user_xattr,acl,barrier=0,data=writeback 0 0 +proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 +rc-svcdir /lib64/rc/init.d tmpfs rw,nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0 +sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0 +debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0 +udev /dev tmpfs rw,nosuid,relatime,size=10240k,mode=755 0 0 +devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0 +shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0 +/dev/mapper/vg0-tmp /tmp ext4 rw,noatime 0 0 +/dev/mapper/vg0-usr /usr ext4 rw,acl,user_xattr 0 0 +/dev/mapper/vg0-var /var ext4 rw,acl,user_xattr 0 0 +/dev/mapper/vg0-opt /opt ext4 rw,acl,user_xattr 0 0 +/dev/mapper/vg0-home /home ext4 rw,acl,user_xattr,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 0 +/dev/mapper/vg0-var_tmp /var/tmp ext4 rw,noatime 0 0 +/dev/mapper/vg0-www /var/www ext4 rw,acl,user_xattr 0 0 +/dev/mapper/vg0-var_lib /var/lib ext4 rw,noatime,acl,user_xattr 0 0 +/dev/mapper/vg0-backup /var/backup ext4 rw,noatime,acl,user_xattr 0 0 +/dev/mapper/vg0-portage /usr/portage ext4 rw,noatime 0 0 +/dev/mapper/vg0-distfiles /usr/portage/distfiles ext4 rw,noatime 0 0 +binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,noexec,nosuid,nodev 0 0 diff --git a/nail.rc b/nail.rc new file mode 100644 index 0000000..2250967 --- /dev/null +++ b/nail.rc @@ -0,0 +1,70 @@ +# This is the configuration file for Heirloom mailx (formerly +# known under the name "nail". +# See mailx(1) for further options. +# This file is not overwritten when 'make install' is run in +# the mailx build process again. + +# Sccsid @(#)nail.rc 2.10 (gritter) 3/4/06 + +# Do not forward to mbox by default since this is likely to be +# irritating for most users today. +set hold + +# Append rather than prepend when writing to mbox automatically. +# This has no effect unless 'hold' is unset again. +set append + +# Ask for a message subject. +set ask + +# Assume a CRT-like terminal and invoke a pager. +set crt + +# Messages may be terminated by a dot. +set dot + +# Do not remove empty mail folders in the spool directory. +# This may be relevant for privacy since other users could +# otherwise create them with different permissions. +set keep + +# Do not remove empty private mail folders. +set emptybox + +# Quote the original message in replies by "> " as usual on the Internet. +set indentprefix="> " + +# Automatically quote the text of the message that is responded to. +set quote + +# Outgoing messages are sent in ISO-8859-1 if all their characters are +# representable in it, otherwise in UTF-8. +set sendcharsets=iso-8859-1,utf-8 + +# Display sender's real names in header summaries. +set showname + +# Display the recipients of messages sent by the user himself in +# header summaries. +set showto + +# Automatically check for new messages at each prompt, but avoid polling +# of IMAP servers or maildir folders. +set newmail=nopoll + +# If threaded mode is activated, automatically collapse thread. +set autocollapse + +# Hide some header fields which are uninteresting for most human readers. +ignore received in-reply-to message-id references +ignore mime-version content-transfer-encoding + +# Only include selected header fields when forwarding messages. +fwdretain subject date from to + +# Use the local sendmail (/usr/sbin/sendmail) binary by default. +# (Uncomment the following line to use a SMTP server) +#set smtp=localhost + +# Ask for CC: list too. +set askcc diff --git a/nanorc b/nanorc new file mode 100644 index 0000000..746ccf2 --- /dev/null +++ b/nanorc @@ -0,0 +1,312 @@ +## Sample initialization file for GNU nano. +## +## Please note that you must have configured nano with --enable-nanorc +## for this file to be read! Also note that this file should not be in +## DOS or Mac format, and that characters specially interpreted by the +## shell should not be escaped here. +## +## To make sure a value is disabled, use "unset