Re: [Exim] Virus Scanning with mailhubs

Author: Jethro R Binks
To: exim-users
Subject: Re: [Exim] Virus Scanning with mailhubs
Hi Mike,

We're doing exactly this, pretty much. We bought a couple of Sun Netra
t1s to do the job (although one handles it comfortably, "resilience" is
the buzzword of the year). We weren't comfortable putting it on the
existing main mail hosts, although it is possible one day I will have the
Netras as our site MX hosts and concentrate all our policy stuff on them.

On the mail scanning host I'm running ECS Soton's MailScanner with McAfee
(the comment about the EOL on McAfee was interesting, I didn't know about
that), but I guess the same idea would probably work for amavis and
exiscan, which I did briefly look at.

I did it like this:

SCANHOST = scanninghost.cc.strath.ac.uk
## Testing-only restrictions: uncomment these (and the matching
## domains/local_parts lines below) to scan just one domain or user
#SCANTESTDOMAIN = cc.strath.ac.uk
#SCANLOCALPARTS = jethro.binks

## Transport
## Pass mails along to the scanning host, using SCANHOST instead of
## any hosts found by routing
send_to_scanner:
  driver = smtp
  hosts = SCANHOST
  hosts_override = true

## Director
## If the incoming message doesn't contain an X-Mail-Scan header
## (i.e. it hasn't been through the scanner yet) and does contain an
## attachment, then send it off to the scanning host
scan_check:
  driver = smartuser
  # MailScanner condition:
  condition = ${if and{{!def:header_X-Mail-Scan:}{def:header_content-type:}} {yes}fail }
  #domains = SCANTESTDOMAIN
  #local_parts = SCANLOCALPARTS
  transport = send_to_scanner

## Router
## Same test for remote domains: route the address to localhost, and
## "self = local" hands it on to the directors, where scan_check above
## sends it off for scanning
scan_check:
  driver = domainlist
  condition = ${if and{ {!def:header_X-Mail-Scan:}{def:header_content-type:} } {yes}{no} }
  #domains = SCANTESTDOMAIN
  #local_parts = SCANLOCALPARTS
  route_list = * localhost byname
  self = local


This is on a machine that does some local deliveries and relays for other
hosts. It seems a bit kludgy to me, but works. More conditionals can be
added (especially during testing; like only scan mail for oneself). The
condition mentioned prevents it from being run again if the scanned mail
comes back this way (although in practice at the moment, if this is being
relayed to another local machine I let the scanning box do that directly
rather than sending it back here again).

"Having an attachment" is defined as "def:header_content-type:", which is
very very broad. In effect most mail goes through based on that, so I'll
probably refine that in future, maybe using something based on the Generic
Windows Executable Filter stuff.

Bob mentioned putting a condition based on IP address to prevent loops;
that would work too. If you're paranoid you could do several!

Shame on me ... I don't have Philip's book yet to see what he says about
it.

Jethro.


On Mon, 12 Nov 2001, Mike Richardson wrote:

> Hi,
>
> We've currently got 4 mailhubs running Exim. These pass mail onto a whole
> load of different back end systems (unix, netware, exchange). We want to do
> virus scanning of all incoming and outgoing mail with as little disruption
> to config of the mailhubs as possible. They don't have the power or
> resources to scan the volume of mail we handle.
>
> I'm familiar with exiscan and amavis and would like to use exiscan
> with Sophos or McAfee to achieve this.
>
> Ideally I'd like to be able to build machines specifically for scanning a
> mail queue. The mailhubs would redirect all mail to the virus scanners which
> do their job and return any clean mails to the mailhubs for delivery.
> Delivering the mails directly using the virus machines would cause us some
> problems.
>
>    ^
>    |
> =======         =========
> | Hub |<=====| Virus |
> |     |      | Scan  |
> |     |=====>|       |
> =======      =========
>    ^
>    |
>
> Am I asking the impossible here? If not then what sort of config do I need
> for the Hub and Virus Scan machine?
>
> I'm guessing that I could specify the Virus Scan machine as the remote_smtp
> destination, and the Hub as the remote_smtp's destination but to prevent
> loops I'd have to add a 'scanned-ok' header to the mail by the Virus Scanner
> and check for it on the Hub.
>
> Is this a good way? Any better ones or ones likely to work?


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks                                   Computing Officer, IT Services
Mailmaster, Listmaster, Webmaster,       University Of Strathclyde, Glasgow, UK
Cachemaster                                           jethro.binks@???
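Added example, not from Jethro's message or from Exim/MailScanner: a Python model of what the director's condition decides, next to a narrower attachment test of the kind the message says the condition would be refined towards; the sample messages and the X-Mail-Scan header value are constructed here. From the defensive side, a loop guard that keys only on a header is worth pairing with the IP-based condition Bob mentioned, since anything in the message can be supplied by its sender.

```python
from email import message_from_string
from email.message import Message

SCAN_HEADER = "X-Mail-Scan"  # added by the scanning host on the way back

def parse(raw: str) -> Message:
    return message_from_string(raw)

def needs_scan_broad(msg: Message) -> bool:
    # The posted condition: no X-Mail-Scan header yet AND any
    # Content-Type header at all, so nearly every message qualifies.
    return SCAN_HEADER not in msg and "Content-Type" in msg

def has_attachment(msg: Message) -> bool:
    # Narrower test: some MIME leaf part is an attachment or names a file.
    for part in msg.walk():
        if part.is_multipart():
            continue
        disp = (part.get("Content-Disposition") or "").lower()
        if disp.startswith("attachment") or part.get_filename():
            return True
    return False

def needs_scan_refined(msg: Message) -> bool:
    # Same loop guard, but only messages with a real attachment go out.
    return SCAN_HEADER not in msg and has_attachment(msg)

# Constructed sample messages (not real traffic).
PLAIN = """Subject: hello
Content-Type: text/plain; charset=us-ascii

just text
"""
WITH_FILE = """Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.exe"

TVo=
--b1--
"""
# The same message once the scanner has returned it with its header added.
RETURNED = SCAN_HEADER + ": checked\n" + WITH_FILE
```

The plain text message passes the broad test but not the refined one, and the returned copy is skipped by both, which is the loop prevention the header provides.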