[exim] saving copies of virus infected mail?

Author: Marcus Barczak
Date:  
To: exim-users
Subject: [exim] saving copies of virus infected mail?
Hi Exim Users,

I'm trying to modify our current content scanning ACL to allow for us
to save/quarantine copies of virally infected email that passes
through our mail servers. We are using both Sophos and Clam to do the
scanning and our current scanning ACLs look like this:

---

# Sophos
  deny  message     = This message contains malicious software ($malware_name)
        log_message = VIRUS_DETAIL:[$recipients||$sender_host_address||\
                      $sender_address||$malware_name||SO]
        set acl_m1  = sophie:/var/run/sophie.sock
        demime      = *
        malware     = */defer_ok


# ClamAV
  deny  message     = This message contains malicious software ($malware_name)
        log_message = VIRUS_DETAIL:[$recipients||$sender_host_address||\
                      $sender_address||$malware_name||CL]
        set acl_m1  = clamd:/var/run/clamav/clamd
        demime      = *
        malware     = */defer_ok


---

Basically what I would like to do is save a copy of any messages
identified as a virus by either of the scanners. I'm relatively new
to exim coming from a postfix and sendmail background so am learning
as I go here. What I considered adding was the following line after
each malware call:

        condition = ${run {/bin/cp \
                      /var/spool/exim/scan/$message_id/$message_id.eml \
                      /var/spool/quarantine/Q-$message_id}{1}{1}}

My theory here is to copy the message to the quarantine folder after
it has been identified as viral.

I'm having it return 1 regardless of the result of the cp, as I'm
assuming here that if the message processing actually gets to evaluate
the condition statement we already know the message is viral.

Is this an appropriate approach to achieving my goal? Is there a
better way to do what I'm wanting to do?

Many thanks in advance.

Cheers,
Marcus
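An added example, not part of Marcus's post or of Exim itself: a small quarantine helper that the ACL could call through `${run{...}}` in place of a bare `/bin/cp`. It validates the message id before building any path, refuses to overwrite an existing quarantine file, copies with owner-only permissions, and appends an audit line naming the scanner and signature. It assumes the scan copy lives at `$SCAN_DIR/<id>/<id>.eml` as in the post, that a message id contains only letters, digits and hyphens, and that the script is installed as `quarantine_msg.sh` (all three are assumptions, not Exim facts).

```shell
#!/bin/sh
# Added example (not from the original post or from Exim): quarantine helper for
# use from an Exim ACL via ${run{...}}.  Paths default to the ones in the post but
# can be overridden through the environment, which is also how the test drives it.
SCAN_DIR="${SCAN_DIR:-/var/spool/exim/scan}"
QUAR_DIR="${QUAR_DIR:-/var/spool/quarantine}"

# quarantine_msg <message_id> <scanner_tag> <malware_name...>
# Returns 0 on success, 1 on a malformed id, 2 when the copy cannot be made.
quarantine_msg() {
    mid="$1"; tag="$2"; shift 2; name="$*"   # name may contain spaces

    # Assumed id format: Exim-style, letters/digits/hyphens only.  Rejecting
    # anything else means the id can never turn into "../.." inside a path.
    case "$mid" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac

    src="$SCAN_DIR/$mid/$mid.eml"
    dst="$QUAR_DIR/Q-$mid"

    [ -f "$src" ] || return 2        # nothing scanned under that id
    [ ! -e "$dst" ] || return 2      # never overwrite an earlier quarantine copy

    # umask 077 in a subshell makes cp create the file as 0600 from the start,
    # so there is no window where the infected message is group/world readable.
    (umask 077 && cp "$src" "$dst") || return 2

    # One-line audit record beside the quarantined copies.
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$mid" "$tag" "$name" \
        >> "$QUAR_DIR/quarantine.log"
    return 0
}

# Only dispatch to the function when executed as the installed script, so the
# file can also be sourced (e.g. by a test) without side effects.
case "$0" in
    *quarantine_msg.sh) quarantine_msg "$@" ;;
esac
```

In the ACL the post shows, the call would replace the `/bin/cp` line, for instance `condition = ${run{/usr/local/sbin/quarantine_msg.sh $message_id SO $malware_name}{1}{1}}` after the Sophos `malware` condition (path is an assumption); keeping `{1}{1}` preserves the author's intent that a failed copy never changes the deny decision, while the script's exit code is still available in the log if the ACL is later changed to log it.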