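##
## Example config file for clamav-milter
##

##
## Main options
##

# Define the interface through which we communicate with sendmail
# This option is mandatory! Possible formats are:
# [[unix|local]:]/path/to/file - to specify a unix domain socket
# inet:port@[hostname|ip-address] - to specify an ipv4 socket
# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
#
# Default: no default
#
# Rendered from the clamav_milter_socket template variable.
# The milter protocol has no authentication of its own: if an inet:/inet6:
# value is used, bind it to loopback or a trusted interface and filter the
# port. A unix socket restricted by MilterSocketMode is the tighter choice
# when the MTA runs on the same host.
#MilterSocket local:/run/clamav-milter/clamav-milter.socket
MilterSocket {{ clamav_milter_socket }}

# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#
# Left unset in this template, so the default group above applies. Together
# with MilterSocketMode 660 this means the MTA account has to be a member of
# that group to reach the socket.
#MilterSocketGroup virusgroup

# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
#
# 660 = read/write for owner and group, no access for others. Has no effect
# on inet/inet6 sockets.
MilterSocketMode 660

# Remove stale socket after unclean shutdown.
#
# Default: yes
FixStaleSocket yes

# Run as another user (clamav-milter must be started by root for this option
# to work)
#
# Default: unset (don't drop privileges)
#
# The account name is hard-coded here; presumably the role creates it
# elsewhere - confirm. The PidFile and socket locations below must be
# writable by this account.
User clamilt

# Waiting for data from clamd will timeout after this time (seconds).
# Value of 0 disables the timeout.
#
# Default: 120
#ReadTimeout 300

# Don't fork into background.
#
# Default: no
#Foreground yes

# Chroot to the specified directory.
# Chrooting is performed just after reading the config file and before
# dropping privileges.
#
# Default: unset (don't chroot)
#Chroot /newroot

# This option allows you to save a process identifier of the listening
# daemon (main thread).
#
# Default: disabled
PidFile /run/clamav-milter/clamav-milter.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#
# NOTE(review): /var/tmp is shared and normally world-writable. If message
# data is staged here during scanning (confirm against the clamav-milter
# documentation), a directory owned by the milter user with mode 0700 would
# be a tighter choice.
TemporaryDirectory /var/tmp
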
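##
## Clamd options
##

# Define the clamd socket to connect to for scanning.
# This option is mandatory! Syntax:
# ClamdSocket unix:path
# ClamdSocket tcp:host:port
# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
# ClamdSocket unix:/var/run/clamd/clamd.socket
# The second syntax specifies a local or remote tcp socket: the
# host can be a hostname or an ip address; the ":port" field is only required
# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
# ClamdSocket tcp:192.168.0.1
#
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin
# fashion.
#
# Default: no default
#
# Template behaviour: the local unix socket wins when
# clamav_clamd_use_local_socket is true; otherwise one tcp: line is written
# per entry of clamav_milter_clamd_net_socket_addrs (each entry needs "addr"
# and "port").
# The clamd TCP socket offers neither authentication nor encryption, so the
# full message content crosses the wire in clear. Keep tcp: endpoints on
# loopback or on a dedicated, filtered network segment.
{% if clamav_clamd_use_local_socket %}
ClamdSocket unix:{{ clamav_clamd_local_socket }}
{% elif clamav_clamd_use_net_socket %}
{% for clamsock in clamav_milter_clamd_net_socket_addrs %}
ClamdSocket tcp:{{ clamsock.addr }}:{{ clamsock.port }}
{% else %}
# WARNING: clamav_clamd_use_net_socket is enabled but
# clamav_milter_clamd_net_socket_addrs is empty, so the mandatory ClamdSocket
# option is missing from this file.
{% endfor %}
{% else %}
# WARNING: neither clamav_clamd_use_local_socket nor
# clamav_clamd_use_net_socket is enabled, so the mandatory ClamdSocket option
# is missing from this file.
{% endif %}
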
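##
## Exclusions
##

# Messages originating from these hosts/networks will not be scanned
# This option takes a host(name)/mask pair in CIDR notation and can be
# repeated several times. If "/mask" is omitted, a host is assumed.
# To specify a locally originated, non-smtp, email use the keyword "local"
#
# Default: unset (scan everything regardless of the origin)
#
# No LocalNet entry is active in this template, so mail from every origin is
# scanned. Each entry added here exempts that origin from scanning entirely;
# keep any list as narrow as possible.
#LocalNet local
#LocalNet 192.168.0.0/24
#LocalNet 1111:2222:3333::/48

# This option specifies a file which contains a list of basic POSIX regular
# expressions. Addresses (sent to or from - see below) matching these regexes
# will not be scanned. Optionally each line can start with the string "From:"
# or "To:" (note: no whitespace after the colon) indicating if it is,
# respectively, the sender or recipient that is to be whitelisted.
# If the field is missing, "To:" is assumed.
# Lines starting with #, : or ! are ignored.
#
# Default unset (no exclusion applied)
#
# Sender addresses are supplied by the connecting client and are not
# verified by this option, so a "From:" entry exempts anyone who claims that
# address. Keep the list file owned by root and not writable by the milter
# user, and anchor the regexes so they cannot match more than intended.
#Whitelist /etc/whitelisted_addresses
{% if clamav_milter_use_whitelist_file %}
Whitelist {{ clamav_milter_whitelist_file }}
{% endif %}
# Messages from authenticated SMTP users matching this extended POSIX
# regular expression (egrep-like) will not be scanned.
# As an alternative, a file containing a plain (not regex) list of names (one
# per line) can be specified using the prefix "file:".
# e.g. SkipAuthenticated file:/etc/good_guys
#
# Note: this is the AUTH login name!
#
# Default: unset (no whitelisting based on SMTP auth)
#
# This template only ever renders the "file:" form (a plain list of login
# names). Mail sent through a listed account is not scanned, including when
# that account's credentials have been stolen; list only accounts that
# really need the exemption.
{% if clamav_milter_use_skip_authenticated_file %}
SkipAuthenticated file:{{ clamav_milter_skip_authenticated_file }}
{% endif %}

# Messages larger than this value won't be scanned.
# Make sure this value is lower than or equal to StreamMaxLength in clamd.conf
#
# Default: 25M
#
# Rendered from clamav_clamd_stream_max_lenght (variable name spelled as the
# role defines it) with an "M" suffix; presumably the same variable feeds
# StreamMaxLength in clamd.conf - confirm.
# Anything above this size bypasses scanning, so the MTA's own message size
# limit should not be higher than this value.
MaxFileSize {{ clamav_clamd_stream_max_lenght }}M
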
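##
## Actions
##

# The following group of options controls the delivery process under
# different circumstances.
# The following actions are available:
# - Accept
# The message is accepted for delivery
# - Reject
# Immediately refuse delivery (a 5xx error is returned to the peer)
# - Defer
# Return a temporary failure message (4xx) to the peer
# - Blackhole (not available for OnFail)
# Like Accept but the message is sent to oblivion
# - Quarantine (not available for OnFail)
# Like Accept but message is quarantined instead of being delivered
#
# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
# For Postfix this causes the message to be placed on hold
#
# Action to be performed on clean messages (mostly useful for testing)
# Default: Accept
#
# Rendered from clamav_milter_onclean_action. Any value other than Accept
# changes delivery of every clean message.
OnClean {{ clamav_milter_onclean_action }}

# Action to be performed on infected messages
# Default: Quarantine
#
# Rendered from clamav_milter_oninfected_action. Setting it to Accept
# delivers infected mail to the recipient.
#OnInfected Quarantine
OnInfected {{ clamav_milter_oninfected_action }}

# Action to be performed on error conditions (this includes failure to
# allocate data structures, no scanners available, network timeouts,
# unknown scanner replies and the like)
# Default: Defer
#
# Rendered from clamav_milter_onfail_action. This decides whether the filter
# fails open or closed: with Accept, mail is delivered unscanned whenever
# clamd is unreachable or times out; with Defer the sender retries later.
OnFail {{ clamav_milter_onfail_action }}

# This option allows you to set a specific rejection reason for infected
# messages and it's therefore only useful together with "OnInfected Reject"
# The string "%v", if present, will be replaced with the virus name.
# Default: MTA specific
#
# The text is returned to the sending peer. The template wraps the variable
# in double quotes, so clamav_milter_reject_msg must not itself contain a
# double quote or a line break.
{% if clamav_milter_send_reject_msg %}
RejectMsg "{{ clamav_milter_reject_msg }}"
{% endif %}

{% if clamav_milter_add_header %}
# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
# "X-Virus-Status" headers will be attached to each processed message, possibly
# replacing existing headers.
# If it is set to Add, the X-Virus headers are added possibly on top of the
# existing ones.
# Note that while "Replace" can potentially break DKIM signatures, "Add" may
# confuse procmail and similar filters.
# Default: no
#
# With "Add", X-Virus-* headers already present on an incoming message are
# kept next to the ones written here, so downstream filters should not trust
# such a header without checking which host wrote it.
AddHeader {{ clamav_milter_add_header_action }}

# When AddHeader is in use, this option allows you to arbitrarily set the
# reported hostname. This may be desirable in order to avoid leaking internal
# names.
# If unset the real machine name is used.
# Default: disabled
ReportHostname {{ clamav_milter_report_hostname }}
{% endif %}

# Execute a command (possibly searching PATH) when an infected message is
# found.
# The following parameters are passed to the invoked program in this order:
# virus name, queue id, sender, destination, subject, message id, message date.
# Note #1: this requires MTA macros to be available (see LogInfected below)
# Note #2: the process is invoked in the context of clamav-milter
# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
# avoid unnecessary delays in email delivery
# Default: disabled
#
# Not enabled by this template. If it is ever enabled: sender, destination,
# subject and message id come from the message itself, so the handler has to
# treat every argument as untrusted data (no shell evaluation), and an
# absolute path avoids depending on the daemon's PATH.
#VirusAction /usr/local/bin/my_infected_message_handler
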
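##
## Logging options
##

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
#
# Default: disabled
#LogFile /var/log/clamav-milter.log

# By default the log file is locked for writing - the lock protects against
# running clamav-milter multiple times.
# This option disables log file locking.
#
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
#
# Default: 1M
#LogFileMaxSize 2M

# Log time with each message.
#
# Default: no
#LogTime yes

# Use system logger (can work together with LogFile).
#
# Default: no
#
# Syslog is the only log destination enabled by this template (LogFile is
# commented out), so retention, rotation and forwarding of these records are
# decided by the host's syslog configuration.
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
#
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
#
# Default: no
LogVerbose yes

# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes

# This option allows you to tune what is logged when a message is infected.
# Possible values are Off (the default - nothing is logged),
# Basic (minimal info logged), Full (verbose info logged)
# Note:
# For this to work properly in sendmail, make sure the msg_id, mail_addr,
# rcpt_addr and i macros are available in eom. In other words add a line like:
# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
# to your .cf file. Alternatively use the macro:
# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
# Postfix should be working fine with the default settings.
#
# Default: disabled
LogInfected Basic

# This option allows you to tune what is logged when no threat is found in
# a scanned message.
# See LogInfected for possible values and caveats.
# Useful in debugging but drastically increases the log size.
# Default: disabled
#
# Enabled here together with LogVerbose: every scanned message produces a
# log record. Size the log storage accordingly and restrict read access to
# the resulting logs.
LogClean Basic

# This option affects the behaviour of LogInfected, LogClean and VirusAction
# when a message with multiple recipients is scanned:
# If SupportMultipleRecipients is off (the default)
# then one single log entry is generated for the message and, in case the
# message is determined to be malicious, the command indicated by VirusAction
# is executed just once. In both cases only the last recipient is reported.
# If SupportMultipleRecipients is on:
# then one line is logged for each recipient and the command indicated
# by VirusAction is also executed once for each recipient.
#
# Note: although it's probably a good idea to enable this option, the default
# value is currently set to off for legacy reasons.
# Default: no
#
# With "no", the LogInfected record for a multi-recipient message names only
# the last recipient, so these logs alone cannot tell who else was sent an
# infected message; correlate with the MTA log by queue id, or set this to
# yes.
SupportMultipleRecipients no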