Author: Bill Hacker Date: To: exim Subject: Re: [exim] malware and defer_ok
Paul Dekkers wrote:
> Hi,
>
> Riemer Palstra wrote:
>
>
>>>2) If I put malware = */defer_ok in my check data ACL, will that
>>>accept the mail and relay it out to the world, or will it accept and
>>>queue until clam is back up. The latter would be better, but I'm not
>>>sure if it is possible.
>>
>>The first. Consider putting a second scanner in the chain if you
>>*really* don't want a message to be sent out to the world without any
>>type of scanning.
>
>
> Can't we detect if the scanner failed or not? (I have a suspicion.)
Yes. Log entries are usually generated.
It should be possible to intercept that, and/or generate a header before entering, add a header as part of the pass, remove one, both, or neither afterwards.
You can simulate failure by denying the stack or socket to it.
> If not; wouldn't it make sense to have a variable that indicates this?
> (Something like $malware_failed or so. Something that can be used to
> add a header as a warning, try another scanner instead, ...)
>
Perhaps X-Scan-Failed: going in, strip it if/as/when other indicators
show success.
> With defer_ok we can't add a header at a later stage that tells if the
> scan was successful... we can only be sure if there was indeed malware
> detected, if malware_name is defined, right?
>
> Paul
>
>
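
One way to record a failed scan in the DATA ACL, as an added example that is not from any poster in this thread or from the Exim project. It relies on Exim's documented behaviour that a `warn` statement stops at a deferred condition and the ACL then continues with the next statement. The variable name `acl_m_scan` and the header and log texts are assumptions, and named ACL variables and `add_header` need a reasonably recent Exim 4.

```exim
# Added example; acl_m_scan and the header/log texts are assumed names.
acl_check_data:

  # Fail-open form from the thread, for comparison. If the scanner is
  # unreachable the condition is simply false and the message passes
  # with nothing recorded:
  #
  #   deny  malware = */defer_ok

  # Assume the scan failed until a completed scan proves otherwise.
  # Without defer_ok, a scanner failure makes the condition defer; a
  # warn statement stops at a deferred condition, so the second "set"
  # is skipped and the ACL carries on with the next statement.
  warn  set acl_m_scan = failed
        !malware = *
        set acl_m_scan = clean

  # A completed scan that matched leaves $malware_name set.
  deny  condition = ${if def:malware_name}
        message   = This message contains malware ($malware_name)

  # Scanner failure: still accept, but mark the message and log it.
  warn  condition   = ${if eq{$acl_m_scan}{failed}}
        add_header  = X-Scan-Failed: malware scanner unavailable
        log_message = malware scan did not complete

  # To make the sending host retry until the scanner is back, use this
  # in place of the warn statement above:
  #
  #   defer condition = ${if eq{$acl_m_scan}{failed}}
  #         message   = Temporary content-scanning failure

  accept
```

With the `defer` variant the message is never accepted unscanned; it waits on the sending host's queue rather than on this one.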