From 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf Mon Sep 17 00:00:00 2001 From: takeshi_hoshina Date: Mon, 2 Nov 2020 11:07:33 +0900 Subject: basesystem-jj recipes --- .../clamav/files/clamav-milter.conf.sample | 293 +++++++++++++++++++++ 1 file changed, 293 insertions(+) create mode 100644 external/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample (limited to 'external/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample') diff --git a/external/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample b/external/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample new file mode 100644 index 00000000..ed0d519f --- /dev/null +++ b/external/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample @@ -0,0 +1,293 @@ +## +## Example config file for clamav-milter +## + +# Comment or remove the line below. +Example + + +## +## Main options +## + +# Define the interface through which we communicate with sendmail +# This option is mandatory! Possible formats are: +# [[unix|local]:]/path/to/file - to specify a unix domain socket +# inet:port@[hostname|ip-address] - to specify an ipv4 socket +# inet6:port@[hostname|ip-address] - to specify an ipv6 socket +# +# Default: no default +#MilterSocket /tmp/clamav-milter.socket +#MilterSocket inet:7357 + +# Define the group ownership for the (unix) milter socket. +# Default: disabled (the primary group of the user running clamd) +#MilterSocketGroup virusgroup + +# Sets the permissions on the (unix) milter socket to the specified mode. +# Default: disabled (obey umask) +#MilterSocketMode 660 + +# Remove stale socket after unclean shutdown. +# +# Default: yes +#FixStaleSocket yes + +# Run as another user (clamav-milter must be started by root for this option to work) +# +# Default: unset (don't drop privileges) +#User clamav + +# Initialize supplementary group access (clamav-milter must be started by root). +# +# Default: no +#AllowSupplementaryGroups no + +# Waiting for data from clamd will timeout after this time (seconds). +# Value of 0 disables the timeout. +# +# Default: 120 +#ReadTimeout 300 + +# Don't fork into background. +# +# Default: no +#Foreground yes + +# Chroot to the specified directory. +# Chrooting is performed just after reading the config file and before dropping privileges. +# +# Default: unset (don't chroot) +#Chroot /newroot + +# This option allows you to save a process identifier of the listening +# daemon (main thread). +# +# Default: disabled +#PidFile /var/run/clamav/clamav-milter.pid + +# Optional path to the global temporary directory. +# Default: system specific (usually /tmp or /var/tmp). +# +#TemporaryDirectory /var/tmp + +## +## Clamd options +## + +# Define the clamd socket to connect to for scanning. +# This option is mandatory! Syntax: +# ClamdSocket unix:path +# ClamdSocket tcp:host:port +# The first syntax specifies a local unix socket (needs an absolute path) e.g.: +# ClamdSocket unix:/var/run/clamd/clamd.socket +# The second syntax specifies a tcp local or remote tcp socket: the +# host can be a hostname or an ip address; the ":port" field is only required +# for IPv6 addresses, otherwise it defaults to 3310, e.g.: +# ClamdSocket tcp:192.168.0.1 +# +# This option can be repeated several times with different sockets or even +# with the same socket: clamd servers will be selected in a round-robin fashion. +# +# Default: no default +ClamdSocket /var/run/clamav/clamd + + +## +## Exclusions +## + +# Messages originating from these hosts/networks will not be scanned +# This option takes a host(name)/mask pair in CIRD notation and can be +# repeated several times. If "/mask" is omitted, a host is assumed. +# To specify a locally orignated, non-smtp, email use the keyword "local" +# +# Default: unset (scan everything regardless of the origin) +#LocalNet local +#LocalNet 192.168.0.0/24 +#LocalNet 1111:2222:3333::/48 + +# This option specifies a file which contains a list of basic POSIX regular +# expressions. Addresses (sent to or from - see below) matching these regexes +# will not be scanned. Optionally each line can start with the string "From:" +# or "To:" (note: no whitespace after the colon) indicating if it is, +# respectively, the sender or recipient that is to be whitelisted. +# If the field is missing, "To:" is assumed. +# Lines starting with #, : or ! are ignored. +# +# Default unset (no exclusion applied) +#Whitelist /etc/whitelisted_addresses + +# Messages from authenticated SMTP users matching this extended POSIX +# regular expression (egrep-like) will not be scanned. +# As an alternative, a file containing a plain (not regex) list of names (one +# per line) can be specified using the prefix "file:". +# e.g. SkipAuthenticated file:/etc/good_guys +# +# Note: this is the AUTH login name! +# +# Default: unset (no whitelisting based on SMTP auth) +#SkipAuthenticated ^(tom|dick|henry)$ + +# Messages larger than this value won't be scanned. +# Make sure this value is lower or equal than StreamMaxLength in clamd.conf +# +# Default: 25M +#MaxFileSize 10M + + +## +## Actions +## + +# The following group of options controls the delievery process under +# different circumstances. +# The following actions are available: +# - Accept +# The message is accepted for delievery +# - Reject +# Immediately refuse delievery (a 5xx error is returned to the peer) +# - Defer +# Return a temporary failure message (4xx) to the peer +# - Blackhole (not available for OnFail) +# Like Accept but the message is sent to oblivion +# - Quarantine (not available for OnFail) +# Like Accept but message is quarantined instead of being delivered +# +# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ +# For Postfix this causes the message to be placed on hold +# +# Action to be performed on clean messages (mostly useful for testing) +# Default: Accept +#OnClean Accept + +# Action to be performed on infected messages +# Default: Quarantine +#OnInfected Quarantine + +# Action to be performed on error conditions (this includes failure to +# allocate data structures, no scanners available, network timeouts, +# unknown scanner replies and the like) +# Default: Defer +#OnFail Defer + +# This option allows to set a specific rejection reason for infected messages +# and it's therefore only useful together with "OnInfected Reject" +# The string "%v", if present, will be replaced with the virus name. +# Default: MTA specific +#RejectMsg + +# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an +# "X-Virus-Status" headers will be attached to each processed message, possibly +# replacing existing headers. +# If it is set to Add, the X-Virus headers are added possibly on top of the +# existing ones. +# Note that while "Replace" can potentially break DKIM signatures, "Add" may +# confuse procmail and similar filters. +# Default: no +#AddHeader Replace + +# When AddHeader is in use, this option allows to arbitrary set the reported +# hostname. This may be desirable in order to avoid leaking internal names. +# If unset the real machine name is used. +# Default: disabled +#ReportHostname my.mail.server.name + +# Execute a command (possibly searching PATH) when an infected message is found. +# The following parameters are passed to the invoked program in this order: +# virus name, queue id, sender, destination, subject, message id, message date. +# Note #1: this requires MTA macroes to be available (see LogInfected below) +# Note #2: the process is invoked in the context of clamav-milter +# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to +# avoid unnecessary delays in email delievery +# Default: disabled +#VirusAction /usr/local/bin/my_infected_message_handler + +## +## Logging options +## + +# Uncomment this option to enable logging. +# LogFile must be writable for the user running daemon. +# A full path is required. +# +# Default: disabled +#LogFile /var/log/clamav/clamav-milter.log + +# By default the log file is locked for writing - the lock protects against +# running clamav-milter multiple times. +# This option disables log file locking. +# +# Default: no +#LogFileUnlock yes + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size +# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log +# rotation (the LogRotate option) will always be enabled. +# +# Default: 1M +#LogFileMaxSize 2M + +# Log time with each message. +# +# Default: no +#LogTime yes + +# Use system logger (can work together with LogFile). +# +# Default: no +#LogSyslog yes + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# +# Default: LOG_LOCAL6 +#LogFacility LOG_MAIL + +# Enable verbose logging. +# +# Default: no +#LogVerbose yes + +# Enable log rotation. Always enabled when LogFileMaxSize is enabled. +# Default: no +#LogRotate yes + +# This option allows to tune what is logged when a message is infected. +# Possible values are Off (the default - nothing is logged), +# Basic (minimal info logged), Full (verbose info logged) +# Note: +# For this to work properly in sendmail, make sure the msg_id, mail_addr, +# rcpt_addr and i macroes are available in eom. In other words add a line like: +# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i +# to your .cf file. Alternatively use the macro: +# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i') +# Postfix should be working fine with the default settings. +# +# Default: disabled +#LogInfected Basic + +# This option allows to tune what is logged when no threat is found in a scanned message. +# See LogInfected for possible values and caveats. +# Useful in debugging but drastically increases the log size. +# Default: disabled +#LogClean Basic + +# This option affects the behaviour of LogInfected, LogClean and VirusAction +# when a message with multiple recipients is scanned: +# If SupportMultipleRecipients is off (the default) +# then one single log entry is generated for the message and, in case the +# message is determined to be malicious, the command indicated by VirusAction +# is executed just once. In both cases only the last recipient is reported. +# If SupportMultipleRecipients is on: +# then one line is logged for each recipient and the command indicated +# by VirusAction is also executed once for each recipient. +# +# Note: although it's probably a good idea to enable this option, the default value +# is currently set to off for legacy reasons. +# Default: no +#SupportMultipleRecipients yes + -- cgit 1.2.3-korg