LOOKUP MAPS (hash, SQL) AND ACCESS LISTS EXPLAINED
==================================================
Updated: 2002-04, 2002-06, 2002-11, 2002-12,
2003-03, 2003-05, 2003-06, 2003-09
Mark Martinec <Mark.Martinec@ijs.si>
New with amavisd-new-20020630: SQL LOOKUPS
New with amavisd-new-20021116: Regular expression lookups
New with amavisd-new-20021227-p3: nonexistent SQL field now returns 0 or 1
as declared by field type, or logs a warning
(applies to the semantics of amavisd.conf variables like:
%virus_lovers, %bypass_checks,
@virus_lovers_acl, @bypass_checks_acl,
$virus_lovers_re, $bypass_checks_re,
%local_domains, @local_domains_acl, %mailto, ... )
NOTE:
All lookups are performed with raw (rfc2821-unquoted
and unbracketed) addresses as a key,
i.e.: Bob "Funny" Dude@example.com
not: "Bob \"Funny\" Dude"@example.com
and not: <"Bob \"Funny\" Dude"@example.com>
Several configurable settings in amavisd are controlled through
the use of table (hash) lookups, access control lists (array),
Perl-regexp -based access control lists, or SQL lookups.
The subroutine that does all the lookups is:
sub lookup ($@) {
my($addr, lists...) = @_;
It perform a lookup for a key (usually a recipient e-mail envelope address,
unless otherwise noted) against one or more lookup tables / maps.
The set of maps is hard-wired into program, and the order chosen
is: from specific to more general, and from faster to slower,
which is usually flexible enough. Thus the sequence of lookups is:
SQL, LDAP, hash, ACL, regexp, constant. The first that returns
a definitive answer (not undef/NULL) stops the search.
Some lookup maps can only return boolean result (e.g. ACL), other maps
may return any value, which can be interpreted as boolean, numeric, string
or possibly other. The result of some lookup maps (e.g. regexp) may include
pieces of lookup key.
If a match is found, the subroutine lookup() returns whatever the map
returns; undef is returned if nothing matches (which for Perl is false
as well).
A CONSTANT
Specifying a Perl scalar as an argument to lookup() is a degenerate
case of a lookup table: it matches any key, and the value of the
scalar is returned as the match value.
Specifying a scalar argument in a call to lookup() is useful as a
last-resort (catchall, default) value.
HASH LOOKUPS
For arguments to subroutine lookup() of type hash-ref, the argument
is passed to subroutine lookup_hash(), which does a lookup into
a Perl hash.
Hash lookups (e.g. for user+foo@sub.example.com) are performed in the
following order:
- lookup for user+foo@sub.example.com
- lookup for user@sub.example.com (only if $recipient_delimiter nonempty)
- lookup for user+foo@
- lookup for user@ (only if $recipient_delimiter is nonempty)
- lookup for sub.example.com
- lookup for .sub.example.com
- lookup for .example.com
- lookup for .com
- lookup for .
The search sequence stops as soon as a match is found, and the value
of the matched entry determines the result.
The domain part is always matched case-insensitively, the localpart
is matched case-sensitively when $localpart_is_case_sensitive
is true (not case-sensitive by default).
A field value undef implies that the next lookup table (if there are more)
is to be tried. In plain words, undef means "this table does not know
the answer, try the next one". Further searching in this table
(for possibly more general defaults) is terminated.
NOTE: a null reverse path e-mail address used by MTA for delivery status
notifications (DSN) has empty local part and empty domain. As far as the
lookup is concerned (which uses raw, i.e. non-quoted and non-bracketed
address form), this address is @, i.e. a single character "@".
The lookup_hash for null address goes through the following sequence
of keys: "@", "", "." (double quotes added for clarity, they are not part
of the key).
ACL LOOKUPS
For arguments to subroutine lookup() of type array-ref, the argument
is passed to subroutine lookup_acl(), which does an access list lookup:
sub lookup_acl($$) {
my($addr, $acl_ref) = @_;
Domain name of the supplied address is compared with each member of the
access list in turn, the first match wins (terminates the search),
and its value decides whether the result is true (yes, permit, pass)
or false (no, deny, drop). Falling through without a match
produces undef. Search is case-insensitive.
Acl lookup is not aware of address extensions and they are not
handled specially.
If a list member contains a '@', the full e-mail address is compared,
otherwise if a list member has a leading dot, the domain name part is
matched only, and the domain as well as its subdomains can match. If there
is no leading dot, the domain must match exactly (subdomains do not match).
The presence of character '!' prepended to the list member decides
whether the result will be true (without a '!') or false (with '!')
in case this list member matches.
Because search stops at the first match, it only makes sense
to place more specific patterns before the more general ones.
Although not a special case, it is good to remember that '.' always matches,
so a '.' would stop the search and return true, whereas '!.' would stop
the search and return false (0).
Examples:
given: @acl = qw( me.ac.uk !.ac.uk .uk )
'u@me.ac.uk' matches me.ac.uk, returns true and search stops
given: @acl = qw( me.ac.uk !.ac.uk .uk )
'u@you.ac.uk' matches .ac.uk, returns false (because of '!'), search stops
given: @acl = qw( me.ac.uk !.ac.uk .uk )
'u@them.co.uk' matches .uk, returns true and search stops
given: @acl = qw( me.ac.uk !.ac.uk .uk )
'u@some.com' does not match anything, falls through and returns undef
given: @acl = qw( me.ac.uk !.ac.uk .uk !. )
'u@some.com' similar to the previous, except it returns 0 instead of undef,
which would only make a difference if this ACL is not the last argument
in a call to lookup()
given: @acl = qw( me.ac.uk !.ac.uk .uk . )
'u@some.com' matches catchall ".", and returns true
more complex example: @acl = qw(
!The.Boss@dept1.xxx.com .dept1.xxx.com
.dept2.xxx.com .dept3.xxx.com lab.dept4.xxx.com
sub.xxx.com !.sub.xxx.com
me.d.aaa.com him.d.aaa.com !.d.aaa.com .aaa.com
);
Comparing hash and ACL:
For smaller sets of keys and if only boolean results are needed,
both hash and ACL are appropriate.
- hash is still effective for lots of keys, ACL search is linear;
- hash can be read from a file;
- hash can return any value, not just true or false;
- hash can strip away address extension, ACL does not;
- ACL is simpler and appears more obvious for smaller sets;
- ACL can accomodate arbitrarily nested if-then-elseif-then-...-else cases
whereas hash only follows a fixed order of stripping away addresses;
ACL FOR IP ADDRESSES
A special type of lookup is an IP-matching access list implemented by
lookup_ip_acl(). It performs a lookup for an IP address against
access control list of IPv4 networks. It is used by amavisd to check
if the SMTP client (normally your MTA) is allowed to connect - the variable
is @inet_acl .
IP address is compared with each member of the access list in turn,
the first match wins (terminates the search), and its value decides
whether the result is true (yes, permit) or false (no, deny).
Falling through without a match produces false (undef).
The presence of character '!' prepended to the list member decides
whether the result will be true (without a '!') or false (with '!')
in case this list member matches and terminates the search.
Because search stops at the first match, it only makes sense
to place more specific patterns before the more general ones.
Network can be specified in classless notation n.n.n.n/k, or using
a mask n.n.n.n/m.m.m.m . Missing mask implies /32, i.e. a host address.
Although not a special case, it is good to remember that '0/0' always matches.
NOTE: IPv4 syntax is assumed, IPv6 is not currently supported.
Example
given: @inet_acl = qw( !192.168.1.12 172.16.3.3 !172.16.3/255.255.255.0
10/8 172.16/12 192.168/16 );
matches rfc1918 private address space except host 192.168.1.12
and net 172.16.3/24 (but host 172.16.3.3 within 172.16.3/24 still matches)
More examples at amavisd.conf.
REGULAR EXPRESSION LOOKUPS
For arguments to subroutine lookup() of type Amavis::Lookup::RE
(objects), the object is passed to method lookup_re, which does a
lookup into a list of Perl regular expressions (regexp or RE for short).
The full unmodified e-mail address is always used, so splitting to localpart
and domain or lowercasing is NOT performed. The regexp is powerful enough
that this is unnecessary. The routine is useful for other RE tests, such as
looking for banned file names.
Each element of the list can be a ref to a pair, or directly a regexp
('Regexp' object created by qr operator, or just a (less efficient)
string containing a regular expression). If it is a pair, the first
element is treated as a regexp, and the second provides a return value
in case the regexp matches. If not a pair, the implied result value
of a match is 1.
The regular expression is taken as-is, no implicit anchoring or setting
case insensitivity is done, so use qr'(?i)^user@example\.com$',
and not a sloppy qr'user@example.com', which can easily backfire.
Also, if qr is used with a delimiter other than ', make sure to quote
the @ and $ .
The pattern allows for capturing of parenthesized substrings, which can
then be referenced from the result string using the $1, $2, ... notation,
as with the Perl m// operator. The number after the $ may be a multi-digit
decimal number. To avoid possible ambiguity the ${n} or $(n) form may be used.
Substring numbering starts with 1. Nonexistent references evaluate to empty
strings. If any substitution is done, the result inherits the taintedness
of the key. Keep in mind that the $ character needs to be backslash-quoted
in qq() strings. Example:
$virus_quarantine_to = new_RE(
[ qr'^(.*)@example\.com$'i => 'virus-${1}@example.com' ],
[ qr'^(.*)(@[^@]*)?$'i => 'virus-${1}${2}' ] );
Example (equivalent to the example in lookup_acl):
$acl_re = new_re->new(
qr'@me\.ac\.uk$'i,
[ qr'[@.]ac\.uk$'i => 0 ],
qr'\.uk$'i,
);
($r,$k) = $acl_re->lookup_re('user@me.ac.uk');
or $r = lookup('user@me.ac.uk', $acl_re);
'user@me.ac.uk' matches me.ac.uk, returns true and search stops
'user@you.ac.uk' matches .ac.uk, returns false (because of =>0) and search stops
'user@them.co.uk' matches .uk, returns true and search stops
'user@some.com' does not match anything, falls through and returns false (undef)
NOTE: new_re is a synonym (shorthand) for the
internal subroutine Amavis::Lookup::RE::new
See Perl documentation (or Google the Internet) for the description
of Perl regular expressions. They are just enhanced version of Posix regular
expressions, i.e. what your egrep, awk and sed thrive on. Here are the
most important constructs (simplified):
. Match any character inter..t
| Alternation alfa|beta|gamma
() Grouping (pre|post)fix
[] Character class [Aa]lfa[0-9]
^ Match the beginning of the string ^MakeMoney
$ Match the end of the string com$
\ Quote the next metacharacter \.com$
^\$\$\$\+spam@\[127\.0\.0\.1\]$
most other characters just match themselves
quantifiers may be placed after the pattern to modify its meaning
from 'match itself exactly once' into:
* Match 0 or more times ^alfa.*omega$
+ Match 1 or more times alfa +beta
? Match 1 or 0 times (first)?aid
{n} Match exactly n times 0{6}
{n,} Match at least n times !{3,}
{n,m} Match at least n but not more than m times
SQL LOOKUPS
For arguments to subroutine lookup() of type Amavis::Lookup::SQLfield
(objects), the object is passed to method lookup_sql_field, which does
a lookup into a SQL table by using Perl module DBI.
The amavisd.conf variable @lookup_sql_dsn controls access to the SQL
server (dsn = data source name). If the list @lookup_sql_dsn is empty,
no attempts to use SQL will be made, and no code to use DBI will be
loaded or compiled.
@lookup_sql_dsn variable is a list of triples: (dsn,user,passw).
More than one triple may be specified to list multiple (backup)
SQL servers - the first that responds will be used.
@lookup_sql_dsn =
( ['DBI:mysql:mail:host1', 'some-username1', 'some-password1'],
['DBI:mysql:mail:host2', 'some-username2', 'some-password2'] );
With PostgreSQL the dsn (first element of the triple) may look like:
'DBI:Pg:host=host1;dbname=mail'
See man page for the Perl module DBI, and corresponding DBD module
man pages (DBD::mysql, DBD::Pg, ...) for syntax of the first argument,
SQL 'select' requests all available fields from the specified
tables, and the result is cached (just for this mail message processing).
Individual fields can be extracted one at a time from this cache
very quickly, so there is no penalty in using several calls to lookup
for different fields (for the same key) in different parts of the program.
lookup_sql() performs a lookup for an e-mail address against a SQL map.
If a match is found it returns whatever the map returns (a reference
to a hash containing values of requested fields), otherwise returns undef.
A match aborts further fetching sequence.
lookup_sql_field() also performs a lookup for an e-mail address against
a SQL map. It first calls lookup_sql() if it hasn't been called yet for
this key, but instead of returning all available fields, it returns
just a value of one particular table field. This is the subroutine
that gets called from lookup() for arguments (objects) of type
Amavis::Lookup::SQLfield.
The field value NULL is translated to Perl undef, which according
to lookup rules implies that the next lookup table (if there are more)
is to be tried. In plain words, NULL means "this table does not know
the answer, try the next one". Further searching in this table
(e.g. for more general defaults) is terminated.
Boolean fields are usually declared as a single character (instead of
integer) to minimize storage. The characters N,n,F,f,0,NUL and SPACE
represent false (0), any other character represents true. Trailing blanks
are ignored. It is customary to use Y for true and N for false.
SQL lookups (e.g. for user+foo@example.com) are performed in order
which is normally requested by 'ORDER BY...DESC' in the SELECT statement;
otherwise the order is unspecified, which is only useful if just specific
entries exist in a database (e.g. full address always, not only domain part
or mailbox part).
The following order (implemented by sorting on the 'priority' field
in DESCending order, zero is low priority) is recommended, to follow
the same specific-to-general principle as in other lookup tables:
- lookup for user+foo@example.com
- lookup for user@example.com (only if $recipient_delimiter nonempty)
- lookup for user+foo (only if domain part is local)
- lookup for user (only local; only if $recipient_delimiter is nonempty)
- lookup for @example.com
- lookup for @. (catchall)
NOTE:
this is different from hash and ACL lookups in three important aspects:
- key without '@' implies mailbox name, not domain name;
- subdomains are not looked at, only full domain names are matched;
- the naked mailbox name lookups ('user') are only performed
when the address matches local_domains lookups.
The domain part is always lowercased when constructing a key,
the localpart is not lowercased when $localpart_is_case_sensitive is true.
Table names and field names are hard-wired in the routine
prepare_sql_queries(). Please adjust it to will. Field names should
be unique even without the table prefix. If they are not, the last one
in the SELECT field list prevails.
Below is an example database that can be used with MySQL or PostgreSQL
to test the code.
-- PostgreSQL notes (by Phil Regnauld):
-- - remove the 'unsigned' throughout,
-- - in tables 'users', 'mailaddr' and 'policy':
-- use SERIAL instead of INT...AUTO_INCREMENT when declaring id, e.g.:
-- id serial NOT NULL,
-- - create an amavis user and the database (choose name, e.g. mail)
-- $ creatuser -U pgsql --no-adduser --createdb amavis
-- $ createdb -U amavis mail
-- - populate the database using the schema below:
-- $ psql -U amavis mail < amavisd-pg.sql
-- local users
CREATE TABLE users (
id int unsigned DEFAULT '0' NOT NULL auto_increment,
priority int DEFAULT '7' NOT NULL, -- 0 is low priority
policy_id int unsigned DEFAULT '1' NOT NULL,
email varchar(255) NOT NULL,
fullname varchar(255) DEFAULT NULL, -- not used by amavisd-new
PRIMARY KEY (id),
KEY email (email)
);
CREATE UNIQUE INDEX users_idx_email ON users(email);
-- any e-mail address, external or local, used as senders in wblist
CREATE TABLE mailaddr (
id int unsigned DEFAULT '0' NOT NULL auto_increment,
priority int DEFAULT '7' NOT NULL, -- 0 is low priority
email varchar(255) NOT NULL,
PRIMARY KEY (id),
KEY email (email)
);
CREATE UNIQUE INDEX mailaddr_idx_email ON mailaddr(email);
-- per-recipient whitelist and/or blacklist,
-- puts sender and recipient in relation wb (white or blacklisted sender)
CREATE TABLE wblist (
rid int unsigned NOT NULL, -- recipient: users.id
sid int unsigned NOT NULL, -- sender: mailaddr.id
wb char(1) NOT NULL, -- W or Y / B or N / space=neutral
PRIMARY KEY (rid,sid)
);
CREATE TABLE policy (
id int unsigned DEFAULT '0' NOT NULL auto_increment,
policy_name varchar(32), -- not used by amavisd-new
virus_lover char(1), -- Y/N
spam_lover char(1), -- Y/N (optional field)
banned_files_lover char(1), -- Y/N (optional field)
bad_header_lover char(1), -- Y/N (optional field)
bypass_virus_checks char(1), -- Y/N
bypass_spam_checks char(1), -- Y/N
bypass_banned_checks char(1), -- Y/N (optional field)
bypass_header_checks char(1), -- Y/N (optional field)
spam_modifies_subj char(1), -- Y/N (optional field)
spam_quarantine_to varchar(64) DEFAULT NULL, -- (optional field)
spam_tag_level float, -- higher score inserts spam info headers
spam_tag2_level float DEFAULT NULL, -- higher score inserts
-- 'declared spam' info header fields
spam_kill_level float, -- higher score activates evasive actions, e.g.
-- reject/drop, quarantine, ...
-- (subject to final_spam_destiny setting)
PRIMARY KEY (id)
);
INSERT INTO users VALUES ( 1, 9, 5, 'user1+foo@y.example.com','Name1 Surname1');
INSERT INTO users VALUES ( 2, 7, 5, 'user1@y.example.com', 'Name1 Surname1');
INSERT INTO users VALUES ( 3, 7, 2, 'user2@y.example.com', 'Name2 Surname2');
INSERT INTO users VALUES ( 4, 7, 7, 'user3@z.example.com', 'Name3 Surname3');
INSERT INTO users VALUES ( 5, 7, 7, 'user4@example.com', 'Name4 Surname4');
INSERT INTO users VALUES ( 6, 7, 1, 'user5@example.com', 'Name5 Surname5');
INSERT INTO users VALUES ( 7, 5, 0, '@sub1.example.com', NULL);
INSERT INTO users VALUES ( 8, 5, 7, '@sub2.example.com', NULL);
INSERT INTO users VALUES ( 9, 5, 5, '@example.com', NULL);
INSERT INTO users VALUES (10, 3, 8, 'userA', 'NameA SurnameA anywhere');
INSERT INTO users VALUES (11, 3, 9, 'userB', 'NameB SurnameB');
INSERT INTO users VALUES (12, 3,10, 'userC', 'NameC SurnameC');
INSERT INTO users VALUES (13, 3,11, 'userD', 'NameD SurnameD');
INSERT INTO users VALUES (14, 3, 0, '@sub1.example.net', NULL);
INSERT INTO users VALUES (15, 3, 7, '@sub2.example.net', NULL);
INSERT INTO users VALUES (16, 3, 5, '@example.net', NULL);
INSERT INTO users VALUES (17, 7, 5, 'u1@example.org', 'u1');
INSERT INTO users VALUES (18, 7, 6, 'u2@example.org', 'u2');
INSERT INTO users VALUES (19, 7, 3, 'u3@example.org', 'u3');
-- INSERT INTO users VALUES (20, 0, 5, '@.', NULL); -- catchall
INSERT INTO policy VALUES (1, 'Non-paying', 'N','N','N','N', 'Y','Y','Y','N', 'Y',NULL, 3.0, 7, 10);
INSERT INTO policy VALUES (2, 'Uncensored', 'Y','Y','Y','Y', 'N','N','N','N', 'N',NULL, 3.0, 999, 999);
INSERT INTO policy VALUES (3, 'Wants all spam','N','Y','N','N', 'N','N','N','N', 'Y',NULL, 3.0, 999, 999);
INSERT INTO policy VALUES (4, 'Wants viruses', 'Y','N','Y','Y', 'N','N','N','N', 'Y',NULL, 3.0, 6.9, 6.9);
INSERT INTO policy VALUES (5, 'Normal', 'N','N','N','N', 'N','N','N','N', 'Y',NULL, 3.0, 6.9, 6.9);
INSERT INTO policy VALUES (6, 'Trigger happy', 'N','N','N','N', 'N','N','N','N', 'Y',NULL, 3.0, 5, 5);
INSERT INTO policy VALUES (7, 'Permissive', 'N','N','N','Y', 'N','N','N','N', 'Y',NULL, 3.0, 10, 20);
INSERT INTO policy VALUES (8, '6.5/7.8', 'N','N','N','N', 'N','N','N','N', 'N',NULL, 3.0, 6.5, 7.8);
INSERT INTO policy VALUES (9, 'userB', 'N','N','N','Y', 'N','N','N','N', 'Y',NULL, 3.0, 6.3, 6.3);
INSERT INTO policy VALUES (10,'userC', 'N','N','N','N', 'N','N','N','N', 'N',NULL, 3.0, 6.0, 6.0);
INSERT INTO policy VALUES (11,'userD', 'Y','N','Y','Y', 'N','N','N','N', 'N',NULL, 3.0, 7, 7);
-- sender envelope addresses needed for white/blacklisting
INSERT INTO mailaddr VALUES ( 1, 5, '@example.com');
INSERT INTO mailaddr VALUES ( 2, 9, 'owner-postfix-users@postfix.org');
INSERT INTO mailaddr VALUES ( 3, 9, 'amavis-user-admin@lists.sourceforge.net');
INSERT INTO mailaddr VALUES ( 4, 9, 'MakeMoney@example.com');
INSERT INTO mailaddr VALUES ( 5, 5, '@example.net');
INSERT INTO mailaddr VALUES ( 6, 9, 'spamassassin-talk-admin@lists.sourceforge.net');
INSERT INTO mailaddr VALUES ( 7, 9, 'spambayes-bounces@python.org');
-- whitelist for user 14, i.e. default for recipients in domain sub1.example.net
INSERT INTO wblist VALUES (14, 1, 'W');
INSERT INTO wblist VALUES (14, 3, 'W');
-- whitelist and blacklist for user 17, i.e. u1@example.org
INSERT INTO wblist VALUES (17, 2, 'W');
INSERT INTO wblist VALUES (17, 3, 'W');
INSERT INTO wblist VALUES (17, 6, 'W');
INSERT INTO wblist VALUES (17, 7, 'W');
INSERT INTO wblist VALUES (17, 5, 'B');
INSERT INTO wblist VALUES (17, 4, 'B');
-- $sql_select_policy setting in amavisd.conf tells amavisd
-- how to fetch per-recipient policy settings.
-- See comments there. Example:
--
-- SELECT * FROM users,policy
-- WHERE (users.policy_id=policy.id) AND (users.email IN (%k))
-- ORDER BY users.priority DESC;
-- $sql_select_white_black_listin amavisd.conf tells amavisd
-- how to check sender in per-recipient whitelist/blacklist.
-- See comments there. Example:
--
-- SELECT wb FROM wblist,mailaddr
-- WHERE (rid=%r) AND (sid=mailaddr.id) AND (mailaddr.email IN (%k))
-- ORDER BY mailaddr.priority DESC;
LDAP LOOKUPS
The decumentation in this section is a bit spartanic.
Here is the text from the RELEASE_NOTES and from the file 'amavisd'
pertaining to LDAP.
In the config file, you have to enable ldap first:
| $enable_ldap = 1;
Then you can define defaults for your ldap queries:
| $default_ldap = {
| hostname => 'localhost', tls => 0,
| base => 'ou=hosting,dc=example,dc=com', scope => 'sub',
| query_filter => '(&(objectClass=amavisAccount)(mail=%m))'
| };
And then the lookups themselves:
| $virus_lovers_ldap = {res_attr => 'amavisVirusLover'};
| $banned_files_lovers_ldap = {res_attr => 'amavisBannedFilesLover'};
| ...
With this method, you can define every parameter individually.
You could have a different ldap server for each lookup! Like that,
the configuration is closer to the one in postfix or courier.
The hashes are converted into lookups objects in the
Amavis::Lookup::LDAP class method.
Definitions of LDAP lookup queries.
hostname : The hostname of the LDAP server we connect to.
(Default = 'localhost')
port : The port where LDAP sends queries. (Default = 389)
timeout : Timeout (in sec) passed when connecting the remote
server. (Default = 120)
tls : Enable TLS/SSL if true. (Default = 0)
base : The DN that is the base object entry relative to
which the search is to be performed. (Default = undef)
scope : Scope can be 'base', 'one' or 'sub'. (Default = 'sub')
query_filter : The filter used to find the amavis account. The string
must contain a '%m' token that will be replaced by the
actual e-mail address.
(Default = '(&(objectClass=amavisAccount)(mail=%m))')
res_attr : (Default = undef)
res_filter : (Default = %r)
bind_dn : If binding is needed, this is where you specify the
DN to bind as. (Default = undef)
bind_password : Binding password. (Default = undef)
$default_ldap = {
hostname => 'ldap.example.com',
tls => 1,
base => 'dc=example,dc=com',
scope => 'sub',
query_filter => '(&(objectClass=amavisAccount)(mail=%m))'}
};
$virus_lovers_ldap = {res_attr => 'amavisVirusLover'};
$banned_files_lovers_ldap = {res_attr => 'amavisBannedFilesLover'};
$bypass_virus_checks_ldap = {res_attr => 'amavisBypassVirusChecks'};
$bypass_spam_checks_ldap = {res_attr => 'amavisBypassSpamChecks'};
$spam_tag_level_ldap = {res_attr => 'amavisSpamTagLevel'};
$spam_kill_level_ldap = {res_attr => 'amavisSpamKillLevel'};
$spam_whitelist_sender_ldap = {
query_filter => '(&(objectClass=amavisAccount)(mail=%m)
(amavisWhitelistSender=%s))',
res_filter => 'OK'};
$spam_blacklist_sender_ldap = {
query_filter => '(&(objectClass=amavisAccount)(mail=%m)
(amavisBlacklistSender=%s))',
res_filter => 'OK'};
$local_domains_ldap = {
query_filter => '(&(objectClass=mailDomain)(dc=%m))
res_filter => 'OK'};
The amavisd-new LDAP schema is available in file LDAP.schema of the
distribution, and at http://www.ijs.si/software/amavisd/LDAP.schema
