Author: James P. Roberts
Date:
To: exim-users
Subject: Re: [Exim] Exiscan and Clam Antivirus (SOLVED)

>Although I've always been of the opinion that it's the user's
>responsibility to ensure they don't get or send viruses, not the network
>admin's. If they're too stupid to be running a recent virus scanner,
>they deserve what they get.

Unfortunately, I've found that a certain well-known virus scanner scans
outgoing emails by setting up an SMTP proxy on the client's machine,
which is NOT compatible with TLS. Thus, in order to get the advantage
of SMTP AUTH over TLS, the user must disable scanning of outgoing
emails. Fortunately, they can still scan incoming messages.

This is not something I would expect the typical user to be capable of
dealing with, at least not without explicit directions from a competent
sysadmin. And in many cases, even WITH explicit directions... ;)

So, because of this, IMHO, it behooves the responsible email admin to at
least scan their users' outgoing emails, since you can't depend on
commercial client-side scanners to do the job.

Furthermore, I state for the record that all of us with systems that
accept SMTP connections for relaying of any sort should be using TLS
for SMTP AUTH, in order to help prevent our systems becoming open relays
by the nefarious method of having our users' passwords stolen by packet
sniffers and such. (Paranoid? Darn right I am.)

I think we sysadmins should go to considerable effort to protect our
users as much as possible, even from their own ignorance/laziness (where
possible), simply because it is easier for an admin to learn how to do
it, than it is to teach a zillion users who have neither the
inclination, time, nor (in many cases) the aptitude, to deal with such
things.

Of course, I still think users ought to keep up-to-date scanners running
on their machines. Not all viruses are email-borne!
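
An added example, not part of the original post: a small check an admin could run over a server's EHLO replies to confirm that AUTH is advertised only once TLS is up, which is the configuration the message argues for. The function names and the sample replies are constructed for illustration.

```python
# Added example: audit SMTP EHLO replies for AUTH offered before STARTTLS.
# All replies below are constructed sample data, not captured traffic.
import re

# Mechanisms whose exchange reveals the password to anyone reading the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Map each EHLO keyword to its parameter list (lines after the greeting)."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        # Accept both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN".
        m = re.match(r"250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$", line.strip())
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").upper().split()
    return caps

def audit(pre_tls, post_tls):
    """Return findings for the EHLO reply seen before and after STARTTLS."""
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    if "AUTH" in pre:
        exposed = sorted(PLAINTEXT_MECHS & set(pre["AUTH"]))
        detail = " (password-revealing: %s)" % ", ".join(exposed) if exposed else ""
        findings.append("AUTH advertised before TLS" + detail)
    if "AUTH" not in post:
        findings.append("AUTH not offered after TLS")
    return findings

# Constructed replies: a server that offers AUTH in the clear, and one that
# withholds it until the session is encrypted.
WEAK_PRE = ("250-mail.example.test Hello client\n250-SIZE 52428800\n"
            "250-AUTH PLAIN LOGIN\n250-STARTTLS\n250 HELP")
GOOD_PRE = ("250-mail.example.test Hello client\n250-SIZE 52428800\n"
            "250-STARTTLS\n250 HELP")
POST_TLS = ("250-mail.example.test Hello client\n250-SIZE 52428800\n"
            "250-AUTH PLAIN LOGIN\n250 HELP")

if __name__ == "__main__":
    for name, pre in (("weak", WEAK_PRE), ("good", GOOD_PRE)):
        print(name, audit(pre, POST_TLS) or "ok")
```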