[Exim] Scanning mail with exim4

Author: Joachim Wieland
Date:  
To: exim-users
Subject: [Exim] Scanning mail with exim4
Hi,

I have a question on the mail scanning features of exim4. Originally I
wanted to write a script that is called as a transport_filter, does the
scanning and maybe replaces an infected e-mail with a warning message to
the recipient and sends another one back to the sender by calling
/usr/sbin/sendmail from within the script.

Now I read about local_scan() and have the following thoughts: Scanning
e-mail is probably _the_ task that takes most of the CPU of a typical
scanning mail server. As far as I understood, the function gets an
e-mail right at the SMTP connection time (after the client sends the "."
and before sending the "250 OK...") and now I have to decide whether to
accept or decline the mail.

What if - by chance - there are a few simultaneous connections or some
client program doesn't deliver all the mail in one SMTP connection but opens
several ones. The mailserver would fire up the virus scanners (probably
not only one) and scan each mail. This will put some load on the server
while there are more and more mails still coming in. Now I have the
question on how to limit the work load?

I thought of these possibilities:

 -> check the load in the scanner and just delay firing up the scanners
    if there is heavy load
 -> use smtp_load_reserve to decline new messages completely
 -> write the mails to the hard disk and reinject them after the scan
 -> I think queue_only_load would not solve the problem since
    local_scan() would be called for queueing as well.



If you are an ISP you can't take any of the first two solutions. You can't
slow down your customers and you cannot just refuse connections on your
SMTP port.

I also don't want to write the mails to the disk, I think I mess up too
much with exim's internal information on an email (would I?).

So either I got it wrong or local_scan() really breaks all of the load
configuration directives except for smtp_load_reserve which is
absolutely not suitable here.

Well, I don't know a solution either, I think the problem is that if a
mail has several recipients the mail gets split up as soon as it is
queued and then one would have to scan the same message twice...


Does anybody have a suggestion for this?



Thank you very much,
Joachim

--
*****PGP key available - send e-mail request***** - ICQ: 37225940
Due to circumstances beyond your control, you are master of your fate
and captain of your soul.
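
The first option listed in the message (check the load before firing up the scanners), combined with a hard cap on simultaneous scanner runs, could look like the following. This is an added example, not part of the original post and not Exim code: all function names, the slot-file naming and the load-file parameter are assumptions, and the only Exim identifiers mentioned are `local_scan()` and its `LOCAL_SCAN_TEMPREJECT` return value.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <unistd.h>

/* Hypothetical helpers, not Exim API. Take one of max_slots scanner slots
   under dir; returns an fd holding the slot lock, or -1 if all are busy. */
int scan_slot_acquire(const char *dir, int max_slots)
{
    char path[512];
    for (int i = 0; i < max_slots; i++) {
        snprintf(path, sizeof path, "%s/scanslot.%d", dir, i);
        int fd = open(path, O_CREAT | O_RDWR, 0600);
        if (fd < 0) continue;           /* unusable slot file, try the next */
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;                  /* slot is ours until close() */
        close(fd);                      /* held by another scanner */
    }
    return -1;
}

/* The kernel drops the lock on close(), including when a scanner crashes. */
void scan_slot_release(int fd) { if (fd >= 0) close(fd); }

/* 1 if the 1-minute load average in loadavg_path (Linux: /proc/loadavg)
   exceeds limit; 0 otherwise, or if the file cannot be read. */
int load_too_high(const char *loadavg_path, double limit)
{
    double one_min = 0.0;
    FILE *f = fopen(loadavg_path, "r");
    if (f == NULL)
        return 0;
    int parsed = fscanf(f, "%lf", &one_min);
    fclose(f);
    return parsed == 1 && one_min > limit;
}

enum scan_decision { SCAN_NOW, SCAN_DEFER };
/* On SCAN_NOW, *slot_fd holds a slot to release after scanning; on
   SCAN_DEFER a local_scan() would return LOCAL_SCAN_TEMPREJECT. */
enum scan_decision scan_admit(const char *loadavg_path, double load_limit,
                              const char *dir, int max_slots, int *slot_fd)
{
    *slot_fd = -1;
    if (load_too_high(loadavg_path, load_limit))
        return SCAN_DEFER;
    *slot_fd = scan_slot_acquire(dir, max_slots);
    return *slot_fd >= 0 ? SCAN_NOW : SCAN_DEFER;
}
```

Because the slot is an advisory lock on an open file, it works across separate receiving processes and needs no cleanup after a crashed scanner.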