Re: [exim] New Stuff

Author: Edgar Lovecraft
To: Exim-users
Subject: Re: [exim] New Stuff
exim-users-at-securitects.com wrote:
> ..[snip]...
> Hm, this indicates, that we have to substitute our "demime" in the data
> acl with a "decode" in the mime acl to play it safe. On the other hand,
> if I understood Edgar Lovecraft correctly, he doesn't use any mime
> decoding on the part of exim at all and is happy with the result.
> If the latter is true, exim could use clamd's stream mode to pass in the
> whole mail instead of a file descriptor. This would allow clamd to be
> moved to a different box, offering the same flexibility as spamd does
> today.


Okay, just for some clarification here...

In my mime_acl I do some basic checks for MIME sanity, but I
do not use the mime acl "decode" functions at all. There is no
need to IMO, as once you use any exiscan facility, it creates the
MBOX .eml file for you. Then in my acl data section I just use the
lines needed to run my AV scanner(s) and SpamAssassin; I do not
use the "demime" function at all any more. This is all done on
an Exim 4.43 install with exiscan-acl patch revision 28.

Here are some snippets of my acls in question.
------------------------------------------------------------
acl_check_data:
  deny message   = found a virus [$malware_name]:
       set acl_m4 = clamd:/var/run/clamd/clamd
       malware    = */defer_ok
  deny message   = found a virus [$malware_name]:
       set acl_m4 = sophie:/var/run/sophie
       malware    = */defer_ok
------------------------------------------------------------
WHERE AV SCANNER IS SET TO: av_scanner = $acl_m4
AND SpamAssassin runs later, but still no demime calls
------------------------------------------------------------
acl_check_mime:
  deny message   = found empty MIME boundary:
       condition = $mime_is_multipart
       condition = ${if eq{$mime_boundary}{}{1}{0}}
  deny message   = found long MIME boundary:
       condition = ${if >{${strlen:$mime_boundary}}{70}{1}{0}}
  deny message   = found message/partial MIME entity:
       condition = ${if eq{$mime_content_type}{message/partial}{1}{0}}
  deny message   = found restricted attachment type [$acl_m3]:
       set acl_m3 = ${extract{-1}{.}{$mime_filename}}
       condition = ${if match {$acl_m3}\
                      {(^(?i)(exe|etc...)\$)|\N(^\{[a-hA-H0-9-]{25,}\}$)\N}\
                      {1}{0} }
  accept
------------------------------------------------------------


> Ok, it seems there's no single testcase/testsuite for checking clamd's
> mime decoding abilities, but people use the various anti-virus testing
> sites. David, please let us know your results, when you're finished
> testing. If you could supply a comparison "old demime - new decode - no
> demime/decode at all", that would be terrific. I haven't upgraded to
> v4.50 yet, so I can't do the testing myself at this point in time.


Here is my test case, with which I have no problems...
From my logs just today:
clamd[12729]: /var/spool/exim/scan/1D4jmM-00025D-6I/1D4jmM-00025D-6I.eml:
     Worm.SomeFool.P FOUND
clamd[6960]: /var/spool/exim/scan/1D4jpQ-00037F-8x/1D4jpQ-00037F-8x.eml:
     HTML.Phishing.Bank-101 FOUND
clamd[12729]: /var/spool/exim/scan/1D4jpR-0002gD-4u/1D4jpR-0002gD-4u.eml:
     Worm.SomeFool.Gen-1 FOUND
clamd[7260]: /var/spool/exim/scan/1D4jq7-0003Jd-7D/1D4jq7-0003Jd-7D.eml:
     Worm.Mydoom.I FOUND
clamd[13173]: /var/spool/exim/scan/1D4jtE-0003p1-6Z/1D4jtE-0003p1-6Z.eml:
     Encrypted.Zip FOUND
clamd[12798]: /var/spool/exim/scan/1D4k2J-00058K-5g/1D4k2J-00058K-5g.eml:
     Worm.Bagle.Gen-zippwd FOUND


--

--EAL--

--
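The acl_check_mime rules from the post above, re-implemented as a stand-alone Python check so the same logic can be exercised against a message without an Exim install. This is an added example, not code from the post or from Exim: the restricted-extension list (exe, scr, pif, bat, com, vbs) is a hypothetical stand-in for the elided "exe|etc...", and the sample message is constructed.

```python
import email
import re
from email import policy
from email.message import Message

# Hypothetical restricted-extension list; the post elides its own ("exe|etc...").
RESTRICTED_EXT = re.compile(r"^(?i:exe|scr|pif|bat|com|vbs)$")
# CLSID-style "extension", e.g. .{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
CLSID_EXT = re.compile(r"^\{[a-hA-H0-9-]{25,}\}$")


def check_part(part: Message) -> list:
    """Apply the four deny rules to one MIME entity; return the messages that fire."""
    hits = []
    boundary = part.get_boundary()          # $mime_boundary (None if absent)
    if part.get_content_maintype() == "multipart" and not boundary:
        hits.append("found empty MIME boundary")
    if boundary and len(boundary) > 70:     # RFC 2046 caps boundaries at 70 chars
        hits.append("found long MIME boundary")
    if part.get_content_type() == "message/partial":
        hits.append("found message/partial MIME entity")
    filename = part.get_filename()
    if filename:
        ext = filename.rsplit(".", 1)[-1]   # ${extract{-1}{.}{$mime_filename}}
        if RESTRICTED_EXT.match(ext) or CLSID_EXT.match(ext):
            hits.append(f"found restricted attachment type [{ext}]")
    return hits


def scan_message(raw: str) -> list:
    """Walk every entity of a message, as Exim runs the mime ACL once per part."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [hit for part in msg.walk() for hit in check_part(part)]


# Constructed sample: one restricted extension and one CLSID-style extension.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ab12"

--ab12
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="update.exe"

MZ
--ab12
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="x.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"

junk
--ab12--
"""
```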