Re: [Exim] Scanning mail with exim4

Author: Dave C.
Date:  
To: Joachim Wieland
CC: exim-users
Subject: Re: [Exim] Scanning mail with exim4

It's called scalability. If you need to do this, you need hardware that
can keep up. Have fast enough hardware to support many simultaneous
scanners. Use multiple servers, sharing the load. Have one set of
servers for outbound relay, one set for inbound mail.


On Sat, 16 Feb 2002, Joachim Wieland wrote:

> Hi,
>
> I have a question on the mail scanning features of exim4. Originally I
> wanted to write a script that is called as a transport_filter, does the
> scanning and maybe replaces an infected e-mail with a warning message to
> the recipient and sends another one back to the sender by calling
> /usr/sbin/sendmail from within the script.
>
> Now I read about local_scan() and have the following thoughts: Scanning
> e-mail is probably _the_ task that takes most of the CPU of a typical
> scanning mail server. As far as I understood, the function gets an
> e-mail right at the SMTP connection time (after the client sends the "."
> and before sending the "250 OK...") and now I have to decide whether to
> accept or decline the mail.
>
> What if - by chance - there are a few simultaneous connections or some
> client program doesn't deliver all the mail in one SMTP connection but opens
> several ones. The mailserver would fire up the virus scanners (probably
> not only one) and scan each mail. This will put some load on the server
> while there are more and more mails still coming in. Now I have the
> question on how to limit the work load?
>
> I thought of these possibilities:
>
>  -> check the load in the scanner and just delay firing up the scanners
>     if there is heavy load
>  -> use smtp_load_reserve to decline new messages completely
>  -> write the mails to the hard disk and reinject them after the scan
>  -> I think queue_only_load would not solve the problem since
>     local_scan() would be called for queueing as well.
>
> If you are an ISP you can't take any of the first two solutions. You can't
> slow down your customers and you cannot just refuse connections on your
> SMTP port.
>
> I also don't want to write the mails to the disk, I think I mess up too
> much with exim's internal information on an email (would I?).
>
> So either I got it wrong or local_scan() really breaks all of the load
> configuration directives except for smtp_load_reserve which is
> absolutely not suitable here.
>
> Well, I don't know a solution either, I think the problem is that if a
> mail has several recipients the mail gets split up as soon as it is
> queued and then one would have to scan the same message twice...
>
>
> Does anybody have a suggestion for this?
>
>
>
> Thank you very much,
> Joachim
>
> --
> *****PGP key available - send e-mail request***** - ICQ: 37225940
> Due to circumstances beyond your control, you are master of your fate
> and captain of your soul.
>
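The question above asks how to keep simultaneous SMTP connections from starting an unbounded number of virus scanners. The following is an added example, not code from either poster or from Exim: it caps concurrent scanners with a fixed set of `flock()` slot files. The helper names and the lock-file prefix are hypothetical; it assumes the caller answers with a temporary failure (for example, `LOCAL_SCAN_TEMPREJECT` from `local_scan()`) when no slot is free.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <unistd.h>

/* Added example: helper names and the lock-file prefix are hypothetical,
 * not part of Exim. */
#define SCAN_SLOT_NONE (-1)

/* Claim one of max_slots scanner slots. Slot i is the lock file
 * "<prefix>.<i>"; flock() locks are dropped by the kernel when the holder
 * exits, so a crashed scanner cannot leak a slot.
 * Returns an fd that holds the slot, or SCAN_SLOT_NONE if all are busy. */
int scan_slot_acquire(const char *prefix, int max_slots)
{
    char path[1024];

    for (int i = 0; i < max_slots; i++) {
        int n = snprintf(path, sizeof path, "%s.%d", prefix, i);
        if (n < 0 || (size_t)n >= sizeof path)
            return SCAN_SLOT_NONE;          /* prefix too long */
        int fd = open(path, O_RDWR | O_CREAT, 0600);
        if (fd < 0)
            continue;                       /* unusable slot file, try next */
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;                      /* slot i is now ours */
        close(fd);                          /* held by another scanner */
    }
    return SCAN_SLOT_NONE;
}

/* Give the slot back once the scanner has finished. */
void scan_slot_release(int fd)
{
    if (fd >= 0) {
        flock(fd, LOCK_UN);
        close(fd);
    }
}

/* Gate a local_scan()-style hook would call before starting a scanner.
 * Returns 1 and stores the slot fd when scanning may start; returns 0 when
 * the message should get a temporary failure so the client retries later. */
int scan_may_start(const char *prefix, int max_slots, int *slot_fd)
{
    *slot_fd = scan_slot_acquire(prefix, max_slots);
    return *slot_fd != SCAN_SLOT_NONE;
}
```

Keep the slot files in a directory that only the mail server's user can write to, so that no other local account can pre-create or hold the locks.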