## Sagator configuration file. ## (c) 2003-2010 Jan ONDREJ (SAL) ## Lines beginning with double # (##) are comments. Lines beginning ## with single # are commented examples. In default configuration ## there is one antivir scanner and one spam scanner uncomented, ## other scanner are commented out. ## Debugging level, 0=errors only, 1=return status, init messages, ## 2=smtp server communication, 3=detailed smtp server communication, ## 4=tracebacks, 5=smtp client communication ## Do not use debug level higher than 9! DEBUG_LEVEL = 3 ## Language used by web access ## You can define a locale language for which there are translations. LANG = ['en_US'] ## Where is new root path. For example '/var/spool/vscan' ## Comment out this line, if you don't need to run sagator in chroot. CHROOT = '/var/spool/vscan' ## Logfile (use logfile in chroot to allow rotating) LOGFILE = CHROOT + '/var/log/sagator/sagator.log' ## User and group, under which this program runs. USER, GROUP = 'vscan', 'vscan' ## SMTP server host and port. You must define this smtp server ## in postfix without filtering. SMTP_SERVER = ('127.0.0.1', 26) ## Scanners and services from scanners import * from srv import * ## Database engine definitions #DB_ENGINE = db.sqlite(dbname='/var/lib/sagator/sqlitedb') #DB_ENGINE = db.pymysql(host='127.0.0.1', port=3306, dbname='sagator', # dbuser='sagator', dbpasswd='your_pass') #DB_ENGINE = db.pgdb(host='127.0.0.1', port=5432, dbname='sagator', # dbuser='sagator', dbpasswd='your_pass') ## Local IPs LOCAL_IPS = '^(192\.168|172\.(1[6789]|2[0-9]|3[01])|10|127)\.' ## If you are using libclam() scanner, it's better to define one instance ## here and then use it later. CLAMAV = libclam() ## Now you can define SCANNERS array. This array contains definitions ## for all scanners used in sagator and it's scripts. ## You can define other array names for different services. ## SCANNERS array for sgscan must have this name. SCANNERS = [ ## We are defining an logger scanner. This scanner will log some ## special data into logfile. See log() scanner documentation ## for more information. You can comment out this line, if you don't ## need extra information in your logs. log(1, log.SUMMARY_REPORT, ## Also you can use SQL logger. If you uncomment a scanner here, ## do not forget to uncomment it's parenthesis below! #log_sql(DB_ENGINE, log_sql.FORMAT, ## Next scanner defines a status line for statistics collector. ## This line stores "Virus" count in collector. ## You don't need it if you don't need MRTG statistics. status("Virus", ## If you need to send some virus reports to adminstrator, ## you can use following line. For of message template (MSG_TMPL) ## syntax read scanner documentation and/or source. ## You can comment out this, if you don't need reports. ## .ifscan() extra parameter at end of this scanner is used to ## send these reports only for local IP addresses. report(['root@localhost'], report.MSG_TMPL, ## Following scanner defines, if you are need to reject, drop ## or deliver messages with viruses. By default viruses are ## rejected (and sent back to sender). Some viruses fakes ## it's sender and it is better do drop these emails. ## You can define virus names, which you want to drop. drop(drop.DEFAULT, ## Following scanner can quarantine all infected emails into ## files on server. This example quarantines files into a directory ## named /var/spool/sagator/quarantine/... in sagator's chroot. ## In this directory there will be each subdirectory for each ## year/month/day (for example 2007/01/30). quarantine('/var/spool/sagator/quarantine/%Y/%m/%d', '', ## Antivirus scanners follows here. ## Simple scanners ## Following scanner reports as virus all email larger than 10kB. #max_file_size(10*1024), ## Following scanner parses email for attachments and if ## one of them is executable, virus will be identified. #parsemail(file_type({'exe': 'Executable'})), ## Next scanner scans for viruses, if you can define a pattern, ## which is contained in each virus of this type. ## You can use it for it's own purposes to stop delivering ## of any king of emails. #string_scan(VIR_PATTERNS), ## This scanner is similiar to previous. It scans for regular ## expressions. #regexp_scan({'virname': ['___PATTERN___']}), ## Exec any program ## You can use this scanner for unsuported antivirus, ## if you can define, which exit statuses are returned ## for viruses and for clean emails. #b2f(exec_any(['/bin/grep', '-q', '^TVqQ'], [1], [0])), ## ClamAV - clam antivirus ## Uncoment one or more following lines. #alternatives( ## Next scanner uses clamav's library directly in sagator. ## This scanner is the best scanner from all clamav scanners. ## It's performance and stability is very high. buffer2mbox(CLAMAV), ## If you need to parse emails mime attachments, you ## can use parsemail() interscanner before calling clamav. ## Uncomment following line if you need this. ## Don't forget to comment out previous scanner, because ## it is useless to define two scanner for one antivirus. #parsemail(CLAMAV), ## Next scanner adds sagator's own decompression for clamav. ## It is only an example. You can use it for antivirs, ## which hasn't this feature implemented. #parsemail(buffer2file(decompress(CLAMAV))), ## Next scanner calls clamav scan over clamav's daemon. ## This daemon is waiting on local port 3310/tcp. #clamd(['127.0.0.1', 3310]), ## Next scanner calls clamav scan over clamav's daemon. ## This daemon is waiting on socket /var/run/clamav/clamd.sock. #clamd('/var/run/clamav/clamd.sock'), ## Following scanner is obsolete. It calls clamscan binary ## to scan for viruses. This scanner is very slow. #buffer2mbox(clamscan(['/usr/bin/clamscan', '--stdout', # '--infected', '--disable-summary', # '-r', '--mbox'])), #), ## AVG7 for linux ## This scanner can be used with AVG antivirus for linux. ## Uncomment next line, if you have it. #b2f(avgd(chroot=CHROOT)), ## Bitdefender bdc ## This scanner can be used with bitdefender antivirus. ## Uncomment next line, if you have it. #b2f(bdc()), ## NOD32 (by ESET) ## There are three ways to use this antivirus. ## Following scanner uses nod32pac (preload library) over scand(). #scanc(), ## Next scanner uses nod32 version 2 as command line scanner. #buffer2mbox(nod2()), ## Next scanner uses nod32lfs's dazuko support. #nod2dazuko('/tmp/dazuko/mb-', '/var/log/nod32fac.log'), ## Sophie (sophos libsavi) ## Following scanner can be used with Sophie. Sophie ## is a daemon which uses libsavi library from Sophos antivirus. #parsemail(b2f(decompress(sophie('/tmp/sophie', CHROOT)))), ## Kaspersky antivirus ## You can use following scanner for Kaspersky antivurus ## command line scanner. #b2f(kav()), ## Symantec antivirus scan engine. ## You can use following scanner for Symantec antivurus ## scan engine. Do not forget to configure ICAP protocol ## on port 1344. #savse('127.0.0.1', 1344), ) ) ## This extra parameter is used to send reports only if virus is ## comming from LOCAL_IPS (defined abowe). ).ifscan(sender_regexp({'LOCAL_IP': [LOCAL_IPS]})) ), ## Now we are defining status for "Spam", status("Spam", # and dropping of all spams. drop('.', # drop all spams ## quarantine for spams, quarantine('/var/spool/sagator/quarantine/%Y/%m/%d', '', ## Antispam scanners follows here. ## SpamAssassin ## This scanner using default configuration for spamd ## (spamassassin daemon) on local port 783/tcp. ## It is using spamassassin's default configuration. spamassassind(['127.0.0.1', 783], sa_user=USER), ## Bogofilter #bogofilter(['/usr/bin/bogofilter', '-v']), ## QuickSpamFilter #qsf(['/usr/bin/qsf', '-r']), ## Anomy Sanitizer #filter(['/usr/local/bin/sanitizer.pl']) ) ) ) #) ) ] ## LMTP scanner dictionary example: ## This definition is very simple. Use SCANNERS konfiguration for more ## examples and read sagator's documentation. #LMTP_SCANNERS = { # 'antivir_only: # log(1, log.SUMMARY_REPORT, # quarantine('/var/spool/sagator/quarantine/%Y%m', '', # drop(drop.DEFAULT, # buffer2mbox(CLAMAV) # ) # ) # ) # 'DEFAULT': # 'DEFAULT' string is hardcoded # SCANNERS[0], # define this as first scanner from SCANNERS #} ## smtpd_policy scanners: POLICY_SCANNERS = [ ## check SPF records #spf_check(), ## check if sender IP is resolvable #dns_check(), ## standard blacklist, users with "BA","BS" or "BR" are blacklisted status('Blacklist', listed('B')), ## Fast greylist status('Greylist', ## check for whitelist ("WA", "WS", "WR" flags), ## if user is not in whitelist, try to greylist them not_listed('W') & ## Greylist only IP from RBL #rbl_check( # 'bl.spamcop.net.', # 'zen.spamhaus.org.', #) & greylist(600) # greylist for 5 minutes ), ## return "dunno" to leave postfix's other restriction to effect set_action('dunno') ] POLICY_DATA_SCANNERS = [ status('Quota', policy_quota_auth_limit(interval=[300], max_conn=[30], max_rcpt=[300]), ), ## return "dunno" to leave postfix's other restriction to effect set_action('dunno') ] CLEANUP = { #DB_ENGINE: [ ## clean obsolete greylist records first #list_cleanup(), ## autogenerate some whitelist records ## POLICY_SCANNER #auto_whitelist(), #policy_quota_cleanup(), ## clean old logs from database #log_cleanup() #] } ## In this section you need to define services, which will be started ## by SAGATOR. You need at least one service to start. An SMTP gateway ## or a command can communicate with SAGATOR over this/these services. SRV = [ ## External daemons used by SAGATOR ## Uncomment following line, if you want to use clamd in chroot. #chroot_execvp('/usr/sbin/clamd', ['-c', '/etc/clamav.conf']), ## Uncomment following line, if you want to use AVG daemon in chroot. #chroot_execvpe('/opt/grisoft/avg7/bin/avgscan', ['-d'], # {'LANG':'C'}, pgrp_file='/var/run/avgd.pgrp'), ## Uncomment following line, if you want to use KAV daemon in chroot. #chroot_execvp('/opt/kav/5.5/kav4mailservers/bin/aveserver'), ## Line below is required by nod2pac() scanner. #scand(nod2pac(), '/usr/lib/libnod32pac.so'), ## Line below is required for esetspac() scanner. #scand(esetspac(), '/usr/lib/libesets_pac.so'), ## Resource limits (like ulimit) ## You can define resource limits for sagator processes. ## In this example address space is limited to 400 MB. ## Aprox. 100 MB address space is required only for libclamav database. #rlimit(AS=4096*MB), ## Statistics collector ## This service can be used to collect statistics data and an program ## (like RRDTOOL or MRTG) can use these data to show nice graphs. ## By default leave this service running, because there is a script ## in sagator, which using this service. collector(), ## SMTP daemon policy (can be used as postfix policy scanner) #smtpd_policy(POLICY_SCANNERS, DB_ENGINE, '127.0.0.1', 29), #smtpd_policy(POCLIY_DATA_SCANNERS, DB_ENGINE, '127.0.0.1', 30), ## Following scanner can be used to scan for policies in smtpd() or milter() ## services. It must be defined before them. #recipient_policy(POLICY_SCANNERS, DB_ENGINE), ## SMTP daemon (for postfix, ...) ## This service can be used by postfix or any other SMTP daemon. ## You need to configure your SMTPd to send all viruses over ## this SMTPd. It sends clean emails back to SMTPd defined above ## (by SMTP_SERVER variable). smtpd(SCANNERS, '127.0.0.1', 27, core_count()), ## LMTP daemon (for postfix, ...) ## This service can be used to scan each email recipient with different ## scanner. Configure postfix to use lmtp protocol (lmtp:IP:port). #lmtpd(SCANNERS, '0.0.0.0', 27), ## Milter daemon ## This service can be used by sendmail's milter. Leave it commented, ## if you don't use sendmail SMTP. #milter(SCANNERS, "sagator", "inet:3333@127.0.0.1"), ## sgfilter daemon (use sgfilter command as client) #sgfilterd(SCANNERS), ## Standard input filter ## Over this service you can use sagator as STDIN -> STDOUT filter. ## Configure avfilter service and run sagator: ## sagator --nodaemon < email ## and you will obtain modified email on standard output. #avfilter(SCANNERS), ## HTTP proxy filter ## This service can be used to scan HTTP connection for viruses. ## Please read proxy() service documentation for client configuration. ## WARNING: This service is in beta stage. USE WITH CAUTION! #http_proxy(SCANNERS, '127.0.0.1', 3129), ## FUSE daemon (to create a scanner filesystem) ## Please use only "quick" scanners, not command line scanners! #fusefs(SCANNERS, '/home', '/realhome'), ## Reporter virtual service #reporter(include = '@mydomain.com'), ## Web quarantine access #webq_jinja( # db=DB_ENGINE, # scanner=b2f(CLAMAV), # userconv=['^(.*)$','"\\1"@mydomain.com'] # not required #), ]