Re: [Exim] Using SA-Exim and Exiscan at the same time

Author: Marc MERLIN
Date:  
To: Jason L Tibbitts III
CC: exim-users
Old subjects: [Exim] Re: the Klez virus
Subject: Re: [Exim] Using SA-Exim and Exiscan at the same time
On Fri, May 10, 2002 at 02:16:34AM -0500, Jason L Tibbitts III wrote:
> >>>>> "SM" == Sam Michaels <swampgas@???> writes:
>
> SM> Taking 15 minutes to install Exiscan was the best decision I've
> SM> made since installing linux.
>
> Can someone describe the relationship between Exiscan and Marc's
> Spamassassin hooks? Do they work together?


I haven't looked at Exiscan in detail but the quick version is that they
don't work together out of the box.
That said, if you were really inclined to, you could rather easily chain the
two. Run the quickest one first (SA-Exim probably) and where it accepts the
message, have it call the second filter.
The only "trick" is that you need to reset the fd to where it is when
local_scan is initially called. I have code to do that (look for lseek and
the fgets in the savemail function).

That said, while I'd be happy to work with the exiscan author (sorry, I'm
not online right now, I can't look him up), I'm not convinced this is the
right way to do this.
Ideally, exim should allow local_scan modules (shared libraries) to register
with it, and it should then call each module in sequence, so that they don't
have to know about one another (just like sendmail does with milters)

I was of the opinion that you should intensively check for virii outside of
the SMTP session (you could do a few quick regexes at SMTP time), and I
still think you should if you can.
However, with crap like Klez and other virii that can give someone else's
Email as an envelope sender, it's unfortunately better to reject at SMTP
time, so that you don't have to get in the bouncing business.

> It seems wasteful to scan each message multiple times. Plus, I have to
> pick which to install first.


The checks are mostly orthogonal, you'd have to scan the body twice anyway.
I'm still thinking about adding some virus protection in my code, but I
don't want to take over exiscan's function (I'd merely do stupid string
regex matching, not full mime scanning and handing off to a real virus
checker)
That said, every time I think about it, I realize that I can probably do
this with condition statements in the ACLs. I haven't tried checking the
message body from a DATA ACL yet, but if it works, then the system_filter
checking can be done there.

Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking


Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key
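
The fd reset described in the message above, shown as an added example that is not part of the original post and is not SA-Exim or Exiscan code. The scanner names, match patterns and sample file layout are constructed for illustration; the point is that the second scanner in a chain sees an empty body unless the descriptor is returned to its entry offset first.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

typedef int (*scanner_fn)(int fd);   /* hypothetical: 0 = accept, 1 = reject */
/* Count matching lines; the dup()ed stream shares fd's offset, so fd ends at EOF. */
static int count_matches(int fd, const char *needle) {
    char line[1024];
    int hits = 0, copy = dup(fd);
    FILE *fp = copy < 0 ? NULL : fdopen(copy, "r");
    if (!fp) { if (copy >= 0) close(copy); return -1; }
    while (fgets(line, sizeof line, fp)) hits += strstr(line, needle) != NULL;
    fclose(fp);
    return hits;
}
/* Stand-ins for the two filters (constructed patterns); read errors fail closed. */
int spam_scan(int fd)  { return count_matches(fd, "FREE MONEY") != 0; }
int virus_scan(int fd) { return count_matches(fd, "filename=\"setup.exe\"") != 0; }
/* Run scanners in order; with rewind_each, restore the entry offset before each. */
int chain_scan(int fd, scanner_fn *scanners, size_t n, int rewind_each) {
    off_t start = lseek(fd, 0, SEEK_CUR);
    int verdict = 0;
    if (start == (off_t)-1) return 1;
    for (size_t i = 0; i < n && !verdict; i++) {
        if (rewind_each && lseek(fd, start, SEEK_SET) == (off_t)-1) return 1;
        verdict = scanners[i](fd);
    }
    if (lseek(fd, start, SEEK_SET) == (off_t)-1) return 1;   /* leave fd as found */
    return verdict;
}
/* Constructed sample: one line to skip, then the body; fd is left at body start. */
int make_sample(const char *body) {
    char path[] = "/tmp/chainXXXXXX";
    const char *skip = "constructed-id-line\n";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (write(fd, skip, strlen(skip)) < 0 || write(fd, body, strlen(body)) < 0
        || lseek(fd, (off_t)strlen(skip), SEEK_SET) < 0) { close(fd); return -1; }
    return fd;
}
int main(void) {
    scanner_fn chain[] = { spam_scan, virus_scan };
    int fd = make_sample("Hello\nfilename=\"setup.exe\"\n");
    int naive = chain_scan(fd, chain, 2, 0), fixed = chain_scan(fd, chain, 2, 1);
    printf("without rewind: %d, with rewind: %d\n", naive, fixed);
    return 0;
}
```

Without the rewind the chain accepts the sample because the second scanner starts reading at end of file; with it, the same message is rejected.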