Re: [exim] handling reject/deny comms in a 2-exim setup

Author: Graeme Fowler
To: exim-users
Subject: Re: [exim] handling reject/deny comms in a 2-exim setup
On Sat, 2007-06-09 at 17:57 -0700, snowcrash+exim-users wrote:
> > > i'm using CLAMAV & SPAMASSASSIN. both of which can listen on either
> > > UNIX socket or over TCP.
> >
> > Look at the content scanning stuff in the docs, you can configure the
> > spam and malware scanner functionality to call a TCP socket. But this
> > might not do what you want - I don't know if in these particular
> > cases, Exim will pass the content to be scanned across the socket -
> > I've a sneaky suspicion it just passes a path/filename - relying on
> > the process the other end of the socket to open the content file
> > directly.


ClamAV being called locally (using /path/to/socket) is called using the
Clam API as follows (from malware.c):

SCAN /path/to/spool/scan/filename

ClamAV being called on a network socket is called as follows (also from
malware.c):

STREAM
<data>

So calling out to a network socket forces Exim to send the content -
which in older versions of Exim was the unpacked MIME container, but now
doesn't have to be (it depends on your config) - across the network. I
guess in the case of most MIME emails that means the entire email will
be scanned, but it isn't really that expensive in terms of network
traffic given that the mean message size for most installations is
fairly small.

> the response i'd gotten earlier on _this_ was,
>
>   > The reality would be:
>   > Data          Flow           Type
>   > Message       edge -> core   AV scan
>   > Result        core -> edge   Hit/Not hit
>   > Message       edge -> core   SA Scan
>   > Result        core -> edge   SA report
>   > Message       edge -> core   Message delivery

> >
> > Note that the "Result" data is far smaller, in most cases, than the
> > message itself; and that the first pass will only take place for
> > messages with MIME parts of an appropriate type anyway (the malware
> > condition is quite choosy, as it should be).
>
> where i understood the WHOLE message is passed three times, in the
> case of a 'good' message.


I did go on to say that the only time a message will get passed to the
AV scanner is if it contains MIME parts; re-reading the code makes me
question that assumption. Still, the question remains: why are you so
concerned about your internal network traffic?

> hm. the whole point of this exercise is to use the edge server to
> OFFLOAD load from the LAN/LAN-server, rejecting the "huge" majority of
> spam @ SMTP-chat at the edge, and to prevent suspect email from ever
> "setting foot" on the lan ...


Reducing the amount of stuff getting through to your AV/AS is easy:

1. Reject based on multiple DNSBL hits, for example:

acl_check_connect:
# Check against various blacklists one by one.
# Don't reject for one hit, but set a variable for later checking.
#
# zen.spamhaus.org
  warn   dnslists   = zen.spamhaus.org
         set acl_c1 = $dnslist_domain (result=$dnslist_value)
# rhsbl.ahbl.org
  warn   dnslists   = rhsbl.ahbl.org
         set acl_c2 = $dnslist_domain (result=$dnslist_value)
# bl.spamcop.net
  warn   dnslists   = bl.spamcop.net
         set acl_c3 = $dnslist_domain (result=$dnslist_value)
# Now check what hits we got. The three-list check comes first so a host
# listed everywhere gets the right message; each wrapped "message" line
# needs a trailing backslash or Exim reads the next line as a new verb.
  deny   condition = ${if and {\
                               {def:acl_c1}\
                               {def:acl_c2}\
                               {def:acl_c3}\
                             }\
                     }
         message   = REJECTED: Your IP address is listed in three \
                     blacklists: $acl_c1; $acl_c2 and $acl_c3.

  deny   condition = ${if and {\
                               {def:acl_c1}\
                               {def:acl_c2}\
                             }\
                     }
         message   = REJECTED: Your IP address is listed in two \
                     blacklists: $acl_c1 and $acl_c2.

  deny   condition = ${if and {\
                               {def:acl_c1}\
                               {def:acl_c3}\
                             }\
                     }
         message   = REJECTED: Your IP address is listed in two \
                     blacklists: $acl_c1 and $acl_c3.

  deny   condition = ${if and {\
                               {def:acl_c2}\
                               {def:acl_c3}\
                             }\
                     }
         message   = REJECTED: Your IP address is listed in two \
                     blacklists: $acl_c2 and $acl_c3.


2. Reject on broken HELO/EHLO
I'd give you an ACL for this but mine is way too long to post in an
email to the list :)

That way you reduce - greatly - the amount of cruft getting through to
your AV/AS scanner, and you might find you can then run one (or both) of
them on your edge box anyway.

Also, if you "turn down" the AS rules a bit - turn off Bayes checking,
for example - you'll reduce your CPU usage dramatically.

Graeme
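The same "reject only on two or more DNSBL hits" policy from the ACL above, as an added Python sketch that is not Graeme's ACL or Exim's own code: it builds the reversed-octet query name Exim constructs internally, treats the Spamhaus error return codes (127.255.255.252/254/255) as non-hits, and uses a constructed resolver so it runs offline. The zone list and the sample DNS answers are assumptions for illustration.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed zone list mirroring the three used in the ACL above.
DNSBLS = ["zen.spamhaus.org", "rhsbl.ahbl.org", "bl.spamcop.net"]

# Spamhaus returns these instead of a listing when the query came from a
# blocked/open resolver or exceeded limits; they must not count as hits.
ERROR_CODES = {"127.255.255.252", "127.255.255.254", "127.255.255.255"}

# A resolver maps a name to its A records (empty list means NXDOMAIN).
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet lookup name, e.g. 4.100.51.198.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on non-IPv4 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_hits(ip: str, resolver: Resolver, zones=DNSBLS) -> Dict[str, str]:
    """{zone: return code} for each zone listing ip, like $dnslist_domain/$dnslist_value."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answers = [a for a in resolver(dnsbl_query_name(ip, zone))
                   if a.startswith("127.") and a not in ERROR_CODES]
        if answers:
            hits[zone] = answers[0]
    return hits


def connect_decision(ip: str, resolver: Resolver, min_hits: int = 2) -> Optional[str]:
    """Return a reject message when ip is listed in at least min_hits zones, else None."""
    hits = dnsbl_hits(ip, resolver)
    if len(hits) < min_hits:
        return None
    listed = "; ".join(f"{zone} (result={code})" for zone, code in hits.items())
    return f"REJECTED: Your IP address is listed in {len(hits)} blacklists: {listed}."


# Constructed DNS answers standing in for the real zones (documentation IP ranges).
FAKE_DNS = {
    "4.100.51.198.zen.spamhaus.org": ["127.0.0.4"],
    "4.100.51.198.bl.spamcop.net": ["127.0.0.2"],
    "7.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # error code, not a listing
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])
```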