Re: [exim] multiple malware acls

Author: Tom Bombadil
To: John Jetmore
CC: exim users, exim
Subject: Re: [exim] multiple malware acls

Thanks for taking the time to help...

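  # Default: scan with the clamd on localhost over its Unix socket.
  warn   set acl_m_avscanner = clamd:/var/clamav/clamd.sock

  # If the first remote clamd answers PING with PONG, use it instead.
  warn   condition = ${if eq {${readsocket{inet:}{PING}{2s}{}{cant connect to clamd}}}{PONG}}
         set acl_m_avscanner = clamd: 3310

  # Still on the local default (previous ping failed): try the next remote clamd.
  warn   condition = ${if and {{eq {$acl_m_avscanner}{clamd:/var/clamav/clamd.sock}} \
                     {eq {${readsocket{inet:}{PING}{2s}{}{cant connect to clamd}}}{PONG}}} {yes}{no}}
         set acl_m_avscanner = clamd: 3310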

  deny    message   = malware detected: ($malware_name)
          malware   = *

Basically this is how it works:
- pings clamav server1.
- if ping is successful, use server1 to scan msg.
- if ping not successful, pings server2.
- if ping successful, use server2 to scan msg.
- if ping not successful, pings server3.
- if ping successful, use server3 to scan msg.
- if ping not successful, use clamav on localhost to scan msg.

This doesn't really load balance anything, but redundancy is much more
important for us now.
Another problem with the setup above is that if something bad happens
when scanning a message, the ACL will defer.

I gave this a lot of thought, and it looks like the only way we can
achieve redundancy with clamav is by making malware behave like
spamd, as Richard proposes.


PS: ohh... I should thank Ted Cooper for giving the idea of pinging the
server before triggering the malware condition.
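
The ping-then-fall-back selection described in this message, as an added Python example that is not part of the original post or of Exim; it can be run out-of-band to see which scanner string the ACLs would settle on. The names `clamd_alive`, `pick_scanner` and `demo`, the fake clamd, and the loopback endpoints are constructed for illustration.

```python
import socket
import socketserver
import threading

LOCAL_SCANNER = "clamd:/var/clamav/clamd.sock"  # local default from the post

def clamd_alive(host, port, timeout=2.0):
    """Send clamd's PING command; True only if the reply is PONG."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\n")
            reply = s.recv(16)
    except OSError:  # refused, unreachable or timed out
        return False
    return reply.strip() == b"PONG"

def pick_scanner(remotes, timeout=2.0):
    """First remote that answers PONG wins; otherwise the local socket."""
    for host, port in remotes:
        if clamd_alive(host, port, timeout):
            return f"clamd:{host} {port}"  # Exim's TCP form: clamd:<ip> <port>
    return LOCAL_SCANNER

class _FakeClamd(socketserver.StreamRequestHandler):
    """Constructed stand-in for clamd: answers PING with PONG."""
    def handle(self):
        if self.rfile.readline().strip() == b"PING":
            self.wfile.write(b"PONG\n")

def demo():
    """Constructed endpoints: one fake clamd and one closed port."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeClamd)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    live_port = server.server_address[1]
    probe = socket.socket()  # reserve a port, then close it
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()
    try:
        chosen = pick_scanner([("127.0.0.1", dead_port), ("127.0.0.1", live_port)])
        none_up = pick_scanner([("127.0.0.1", dead_port)])
    finally:
        server.shutdown()
        server.server_close()
    return chosen, none_up, live_port

if __name__ == "__main__":
    print(demo())
```

As in the ACLs, a scanner that answers PONG but fails during the scan itself is not covered by this check.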