Q0713
I'd like to pass all messages through a virus-scanning system before delivery. Can Exim do this?
With the integration of Tom Kistner's original exiscan-acl patch into the main Exim codebase, an interface to a number of virus-scanning engines is now available. Chapter 41 of the Exim Specification contains more details on the use of the "malware" ACL condition to submit content, at SMTP time, to a number of supported virus scanners including ClamAV's clamd, DrWeb, and Sophos's sophie. The result of the scan can then be used to determine whether to accept or refuse the message.
For example, to use ClamAV's clamd, first declare the type of virus scanner and a local socket to use to connect to it:
av_scanner = clamd:/var/run/clamd
and then in the DATA ACL the following would call the virus scanner and reject if the message is infected:
deny message = This message contains malware ($malware_name)
     malware = *
It is expected that the virus scanner will understand how to unpack and process MIME parts of a message. If not, the demime condition may be used but this is now deprecated and must be explicitly enabled in Exim at build-time using WITH_OLD_DEMIME.
For historical reasons, the following note is preserved, which describes a method of performing content scanning and pre-dates the availability of the above mechanism. It may be useful for other types of message manipulation that are not currently natively supported in Exim:
One way of achieving a form of content scanning is to deliver all messages via a pipe to a checking program that resubmits them for delivery in some private way that can be checked (e.g. on a specific SMTP port, or IP address). One possibility is to use the received protocol field that can be set for locally submitted mail via the -oMr command line option. This router sends all messages that are not from the local host and whose received protocol is not scanned-ok to the virus_scan transport:
vircheck:
  driver = accept
  transport = virus_scan
  condition = ${if or {{eq {$received_protocol}{scanned-ok}} \
                       {eq {$sender_host_address}{127.0.0.1}} }\
                       {0}{1}}
One problem is that this approach, by default, scans the message for each recipient, not just once per message. However, you can set the batch_max option on the transport to allow it to send a single copy for multiple recipients. The virus_scan transport should be set up to pipe the message to a suitable checking program or script which runs as a trusted user. This can then re-submit the message to Exim, using -oMr to set the received protocol to scanned-ok. It is probably easiest to use the Batch SMTP (BSMTP) facilities for passing the sender address and the recipient addresses to the checker and then back to Exim (using the -bS command line option). Warning: If you forget to make the resubmitting process run as a trusted user, the sender address will be incorrect and what is worse, the received protocol does not get set, and you are likely to generate a loop.
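A checker script along the lines described above, as an added example that is not part of the original FAQ or of Exim. It assumes the virus_scan transport is a pipe transport with use_bsmtp set, and a scanner that exits 0 for clean and 1 for infected (clamdscan behaves this way); the script path, the mailscan user and the quarantine directory are hypothetical.

```shell
#!/bin/sh
# Checker for the virus_scan transport (added example). Assumed transport settings:
#   driver = pipe, command = /usr/local/bin/virus-scan-wrapper --run,
#   use_bsmtp, batch_max = 100, user = mailscan (listed in trusted_users).
# SCANNER must exit 0 = clean, 1 = infected, anything else = scanner failure.
SCANNER=${SCANNER:-clamdscan --no-summary --fdpass}
EXIM=${EXIM:-/usr/sbin/exim}
QUARANTINE=${QUARANTINE:-/var/spool/virus-quarantine}   # hypothetical path
EX_TEMPFAIL=75   # by default the pipe transport defers (retries later) on this code

scan_and_resubmit() {
    work=$(mktemp -d) || return $EX_TEMPFAIL
    # Spool the BSMTP batch: MAIL FROM, RCPT TO..., DATA, message, "."
    cat > "$work/bsmtp" || { rm -rf "$work"; return $EX_TEMPFAIL; }
    # Scan only the message: lines between DATA and the lone ".", dot-unstuffed.
    awk 'inbody && $0 == "." { exit }
         inbody { sub(/^\.\./, "."); print }
         !inbody && toupper($0) == "DATA" { inbody = 1 }' "$work/bsmtp" > "$work/msg"
    $SCANNER "$work/msg" >/dev/null 2>&1
    case $? in
    0)  # Clean: resubmit with the marker the vircheck router tests for.
        # Only a trusted user may set -oMr and the envelope sender.
        if $EXIM -oMr scanned-ok -bS < "$work/bsmtp" >/dev/null 2>&1
        then rc=0; else rc=$EX_TEMPFAIL; fi ;;
    1)  # Infected: keep the evidence, do not resubmit, report "delivered".
        if mv "$work/bsmtp" "$QUARANTINE/$(date +%Y%m%dT%H%M%S).$$"
        then rc=0; else rc=$EX_TEMPFAIL; fi ;;
    *)  # Scanner down or broken: fail closed, leave the message queued.
        rc=$EX_TEMPFAIL ;;
    esac
    rm -rf "$work"
    return $rc
}

# Entry point when run by the transport; without --run only the function is defined.
if [ "${1:-}" = "--run" ]; then scan_and_resubmit; exit $?; fi
```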