On Tue, Sep 30, 2003 at 08:05:39PM +0200, Andreas Metzler writes:
> On Tue, Sep 30, 2003 at 06:34:19PM +0100, jzaw wrote:
> > On Tuesday, Sep 30, 2003, at 17:25 Europe/London, Nico Erfurth wrote:
> > >>exiscan-acl surely reduces your traffic ... you don't actually get the
> > >>body of the email transferred
>
> >> Hu?
> >> exiscan-acl works AFTER the mail is received, and BEFORE a response
> >> for DATA is send, so it doesn't reduce your traffic at all.
>
> >> exiscan is made to scan the body of the mail .....
>
> > thanks for correcting my understanding of that
>
> > so, for my clarity, when my mail server issues a
>
> >> acl_check_data:
> >> deny message = This message contains a nasty evil file extension \
> >> ($found_extension)
> >> demime = vbe:vbs:vbx:wsf:wsh:exe:com:cmd:shs:hta:bat:scr:lnk:pif
>
> > the exe has _already_ been transferred over to the server here? but is
> > then discarded and the 550 response sent?
>
> Yes. The only way to check whether a mesage contains an exe attachment
> is to look at it and you cannot do that if you haven't got the message.
Indirect information about attachments can be given from SIZE switch
in MAIL command.
> And even if you scanned the message while you were receiving it you
> could not immediately deny the message once you know that it contains
> an exe-attachment. - SMTP does not offer a command to interrupt the
> sending party and if you simply dropped the connection the sending
> side will requeue the mail and try later.
It's the reasons why I'm accept only messages with SIZE specified
in MAIL commands, and why I need acl after DATA (for accept callout
checks and reject mail with unknown size).
Also one solution is to drop connection if virus found and save
digest of helo/mail/rcpt contents for reject this mail on RCPT
stage next time. Not easy for configuration...
--
Lucky carrier,
Pavel.
