[SGVLUG] Adding A/V scanning to e-mail processing
Jeff Carlson
jeff at ultimateevil.org
Wed Nov 2 18:31:05 PST 2005
Emerson, Tom wrote:
> Any recommendations on Anti-virus scanners that run under linux to
> weed out windows-based viruses from e-mail [that will ultimately be
> read by a windows client, naturally]?

What's so natural about that? Email is an Internet phenomenon, and the
Internet was built on Unix. I find nothing natural about Windows
computers being on the Internet. Cats and dogs, living together, mass
hysteria.

Well, we wouldn't even need antivirus protection for email if it weren't
for Windows email clients.

All Utopian ideals aside, I second the endorsement of ClamAV.

> Also, what techniques do people recommend to add this to the e-mail
> processing cycle in the first place [using postfix]. I presume it
> will be similar to adding spamassassin, but it's been awhile since
> I've done that, so suggestions or even where to go to "RTFM" would be
> appreciated.

I don't use postfix, actually preferring sendmail. I use milter-clamav,
which I believe is a part of the ClamAV suite. When configuring
milters, I like to stack them in an order that ones which might block an
email based on body content come after the ones that block based on DNS
or envelope content. Therefore, put antivirus after greylisting.
Antivirus requires accepting the DATA command from the remote client,
whereas greylisting only requires accepting the HELO, MAIL FROM, and
RCPT TO portions. And of course, DNS based filtering occurs before HELO
is even accepted.

Finally, I prefer to run SpamAssassin from procmail. All the
SpamAssassin milters I have found seem to just apply one pass of
SpamAssassin over an incoming message, meaning only one configuration is
consulted, and thus users can't customize SpamAssassin settings.
Running from procmail, and not at the MTA, allows me to pass the user
name to spamc, and thus each user can customize SA settings.

The point there is that a virus is a virus, no matter how you stack it.
But spam tends to be rather individual. I've seen some people want to
receive some real crap. That's better to let people customize.
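
The filter ordering described in the message above, written out as a sendmail.mc fragment. This is an added example, not configuration from the original post: the DNSBL host name, the filter names and the socket paths are placeholders, and milter-greylist is assumed as the greylisting milter since the post does not name one.

```m4
dnl Added example: the filter ordering from the message above, in sendmail.mc form.
dnl Host name, filter names and socket paths are placeholders (assumptions).

dnl 1. DNS-based check: evaluated against the connecting IP address.
FEATURE(`dnsbl', `dnsbl.example.org')dnl

dnl 2. Greylisting: decides on client IP, MAIL FROM and RCPT TO only,
dnl    so a deferral is issued without reading the message body.
MAIL_FILTER(`greylist', `S=local:/var/run/milter-greylist/milter-greylist.sock, F=T, T=S:4m;R:4m')dnl

dnl 3. Antivirus: has to see the body, so it can only give a verdict after DATA.
dnl    F=T makes sendmail temp-fail mail while the scanner is unreachable
dnl    (leaving F= out would let mail through unscanned).
MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.sock, F=T, T=S:4m;R:4m')dnl

dnl Filters are called in the order listed here: envelope-based first, body-based last.
define(`confINPUT_MAIL_FILTERS', `greylist,clamav')dnl
```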