[exim] Exiscan - selective behaviour by domain

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Guy
Dátum:  
Címzett: Exim-users
Tárgy: [exim] Exiscan - selective behaviour by domain
Hi folks,

My google-fu has failed me, so hopefully someone here can help me out. I'm
using ClamAV for my content scanning and have a fairly simple config for it
in exim.

acl_check_content:

<snip>

deny message = This message contains unwanted content ($malware_name)
>             malware = BC\.Heuristic.*
>             <snip>
>             malware = BC\.Heuristic\.Trojan.*

>



warn log_message = This message contains suspicious content
> ($malware_name)
>             message = X-Phishing: $malware_name
>             malware = *


<snip>


A router then quarantines anything with the X-Phishing header. But I need
one specific ClamAV test (Heuristics.Phishing.Email.SpoofedDomain) to add a
different header and then allow the rest of the checks to run as normal.
Logically, if I can add a "!malware =
Heuristics.Phishing.Email.SpoofedDomain" then I could do something like:

acl_check_content:
>   warn  log_message = This message contains suspicious content
> ($malware_name)
>             malware = Heuristics.Phishing.Email.SpoofedDomain
>             domains = sub1.example.com <http://mydomain1.example.com> :
> sub2.example.com
>             message = X-SpoofedDomain: yes
>   warn  log_message = This message contains suspicious content
> ($malware_name)
>             !malware = Heuristics.Phishing.Email.SpoofedDomain
>             domains = sub1.example.com <http://mydomain1.example.com/> :
> sub2.example.com
>             message = X-Phishing: $malware_name
>             malware = *

>
>   warn  log_message = This message contains unwanted content
> ($malware_name)
>             domains = !sub1.example.com : !sub2.example.com
>             message = X-Phishing: $malware_name
>             malware = *



Does anyone know whether the negation of a specific test should work? All
the examples I've found so far only use specifying a behaviour for a
signature/test. Or if you know a better way of doing this, that'd be great!

I'm running Exim 4.84 on CentOS 6.5.

Thanks
Guy

--
Don't just do something...sit there!