RE: [Exim] Failover virus/spam checking

Author: Eli
Date:  
To: 'Gary Rule', exim-users
Subject: RE: [Exim] Failover virus/spam checking
Why put the load of scanning for viruses and/or spam on a remote box when
it's all done inline as the message is being sent? I can only see having
another box do virus/spam scanning if they are done after mail is already
accepted - that would reduce the work for the actual MX server. If you have
the av and sa scanners going in the acls or routers or whatever, then the
message probably hasn't been accepted yet (since you say you can block a msg
based on spam before it's accepted) which means that even if the scanning is
done remotely, it's still tying up the mail process. You might be better
off having the scanners run locally on each mail server. If one system goes
down, the other can still cope. If both go down, you obviously aren't gonna
be accepting any email :) You save yourself 2 extra systems (you could give
yourself 4 MX servers now) which would have been just sitting there scanning
for spam and viruses - all of which probably would be over a sluggish TCP/IP
connection compared to if you set it up to use local pipes.

Just my 2 cents!

Also, if you want to do spam checking and av scanning - check out amavisd-new.
A buddy of mine mentioned it to me. He uses it with Postfix and another MTA
as well I believe, and it's doing a decent job he says (and one of his
servers hosts an email acct of mine, and I can say that it does work!).

Eli.

-----Original Message-----
From: exim-users-admin@??? [mailto:exim-users-admin@exim.org] On Behalf
Of Gary Rule
Sent: Wednesday, December 31, 2003 6:45 PM
To: exim-users@???
Subject: [Exim] Failover virus/spam checking

All,
I apologize if this has been covered already. I did a quick search
through my mail history, I have been on the exiscan and exim lists since
September, but did not see the topic discussed.

I am designing a new mail system that will use SpamAssassin and ClamAV
to scan mail during the SMTP transaction. This way I can reject the mail
before it is accepted.

The idea is to have two scanning boxes that are accessible to check for
spam and viruses. *

As I understand the possible solutions I can use are exiscan and/or
sa-exim. I have a test machine patched with both currently and I am
using exiscan to reject malformed MIME, and scanning/rejecting with
ClamAV. I am using sa-exim for spam checking.

What I like about exiscan is the ability to use an external box to do
the scanning (spamd_address, av_scanner). From what I have gathered the
sa-exim patch calls spamc to scan the message and what I like most about
this patch is that I can get more of the headers from SA. If anyone
knows a way to get more than $spam_report and $spam_score headers from
exiscan please let me know. I have SA configured to give me

X-Spam-Checker-Version:
X-Spam-Level:
X-Spam-Status:

I assume I could write a filter to check the score and add the status
boolean but there is some additional information that SA passes that I
would like to have access to.

Having the ability to scan on a remote machine and have additional
headers would be great.

With my existing configuration clamd can be running on a remote host and
as far as I know SA cannot, since I'm using sa-exim.

Ideally I would like to have the scanning, spam and virus, done on two
boxes and the traffic load balanced during optimal operations and fail
over during sub-optimal operations (read: scanning box X kicks the
bucket). I understand that because I have multiple mail exchangers
evenly weighted I will get reasonable load balancing but I also want to
protect the scanning boxes from being overloaded when one of the
exchangers dies.

Looking at the syntax for av_scanner I see:

av_scanner = <scanner-type>:<option1>:<option2>:[...]

Is it possible to have multiple av_scanner lines? If so how does it act
when there are two or more?

Same questions with spamd_address.

Additionally if all the scanning boxes die I would like to accept the
mail anyway and possibly add a header to email so that users can sort
the mail and trust it a bit less. Maybe

X-SCANNED: FALSE

So to sum it up: Multiple spam/virus scanning boxes that are load
balanced. When one scanning box dies the other picks up the slack and
when both die the mail is passed along blindly and a header is added
letting the users know the scanner is down.


I may be asking for too much here but this is my ideal set up. How close
to this can I get with the software currently? Am I missing something
here big or little? I'm open to any/all suggestions.



--
Gary Rule                  2.6.0-mm1 GNU/Linux
Systems Administrator
Ph: 617.873.3274
Fx: 617.873.4500
--
  C-3PO:
      Don't call me a mindless philosopher, you overweight
      glob of grease!

--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
details at http://www.exim.org/ ##

---
[This E-mail scanned for viruses]
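
The policy summed up in the original message (random choice across scanning boxes, failover when one dies, and accepting with `X-SCANNED: FALSE` when all are down), sketched as an added example that is not from the thread or from Exim/exiscan. The pool addresses and function names are assumptions; the wire format is clamd's INSTREAM command.

```python
import random
import socket
import struct

# Assumed pool of two clamd hosts (documentation addresses, default port 3310).
SCANNERS = [("192.0.2.10", 3310), ("192.0.2.11", 3310)]


def clamd_instream(addr, data, timeout=5.0):
    """Send data to one clamd with INSTREAM and return its verdict line."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), 8192):
            chunk = data[i:i + 8192]
            s.sendall(struct.pack("!I", len(chunk)) + chunk)
        s.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\0").decode("ascii", "replace")


def scan_with_failover(message, scanners=SCANNERS, scan=clamd_instream):
    """Return (action, extra_headers, log) for one message."""
    log = []
    # Random order spreads load; later entries are the failover targets.
    for addr in random.sample(scanners, len(scanners)):
        name = f"{addr[0]}:{addr[1]}"
        try:
            verdict = scan(addr, message)
        except OSError as exc:  # refused, unreachable or timed out
            log.append(f"{name} unavailable: {exc}")
            continue
        if verdict.endswith("FOUND"):
            return "reject", [], log + [f"{name} {verdict}"]
        if verdict.endswith("OK"):
            return "accept", [], log
        log.append(f"{name} unexpected reply: {verdict}")  # e.g. "... ERROR"
    # No scanner answered: accept anyway, but mark the message as unscanned.
    return "accept", ["X-SCANNED: FALSE"], log
```

Since mail is still delivered when every scanner is down, the returned log entries are the signal an operator would alert on.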