[Exim] Two local_scan functions - request for comments.

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Łukasz Grochal
Datum:  
To: exim-users
Alte Treads: [Exim] local_part_suffix redirecting
Betreff: [Exim] Two local_scan functions - request for comments.
Hello,

With Exim 4, local_scan api was inroduced and it is just too
nice and easy to use not to try it. I just finished testing
two simple local_scan functions I wrote; you'll find them
at <http://www.rotfl.eu.org/exim/>.

local_scan_nai.c  forks a child and runs Netwok Associates' uvscan.
local_scan_kav.c  connects to Kaspersky's AV daemon via unix socket
                  and tells it to scan the message.


Both functions have received some testing, including some stress
testing, and proved to be stable enough for me to make them publicly
available. They both give permanent error (550) if a virus is found
and temporary error (4xx) if there is some local problem (broken
antivirus software, problems with fork or socket opening).
Comments are welcome.

N.B. A friend of mine asked Wietse Venema, author of Postfix, if he
     would eventually add a functionality similar to local_scan to
     that MTA. Wietse Venema pointed out two things:
  1) With real-time scanning, as done with local_scan function, it's
     much easier to kill your machine with high load when many messages
     are received in a short period of time. This can be avoided with
     Exim by setting smtp_load_reserve (and perhaps the other two
     load-related options) appropriately.
  2) It's possible that such scanning will introduce duplicate messages,
     as described in RFC1047. <ftp://ftp.isi.edu/in-notes/rfc1047.txt>
     I don't believe this is likely to happen unless - again - the
     system is under high load and can't scan the messages fast enough.


Regards,

--
(-) Łukasz Grochal                                  lukie@???
                                                  (for PGP key visit:)
_____________________________________________ http://www.rotfl.eu.org/ __
... all in all it's just another rule in the firewall.       /Ping Flood/