DMail Virus Checking




Virus attacks are becoming more and more common, so anti-virus functionality has been added to DMail. It is quite resource intensive: every attachment has to be extracted to disk and then scanned. You can use any virus scanner that can take command line arguments and be told to delete the extracted file if it contains a virus. If DSMTP detects that the extracted file has been deleted, it returns a 500 error informing the sender that the message contains a virus, and the message is not delivered to the recipient.
 
 

external_viruschecker <path and filename of viruschecker> <arguments> $FILE$

This gives the location of the virus scanner and the arguments it needs in order to delete infected files; some examples are given below. $FILE$ is the macro for the name of the file that DMail extracted into the directory, and DMail substitutes the real filename for it each time the scanner is run.

extract_mime <path> [file extensions]

This is the directory DMail extracts attachments into for virus scanning. By default every attachment is extracted into the directory, but you can list extensions so that only attachments of those types are extracted.

e.g.

extract_mime c:\mime\ exe zip com
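The external_viruschecker contract above is simple: DSMTP runs the command on the extracted file and treats the file's disappearance as "infected". Many scanners only report an infection through their exit status and leave the file in place, so they cannot be used directly. The following POSIX shell wrapper is an added example (not part of DMail or of any vendor's software) that adapts such a scanner to the delete-on-detect contract; the paths, the SCANNER and EXTRACT_DIR variables and the "infected" exit code 3 are assumptions to adjust to your installation.

```shell
#!/bin/sh
# dmail-vscan-wrap.sh: adapt an exit-status-only scanner to DSMTP's
# external_viruschecker contract (added example; hypothetical paths).
#
#   extract_mime /mimextract
#   external_viruschecker /usr/local/bin/dmail-vscan-wrap.sh $FILE$
#
# Assumptions (not from the DMail documentation):
#   EXTRACT_DIR  the directory given to extract_mime
#   SCANNER      a scanner binary that exits 0 when the file is clean,
#                $INFECTED_RC when it is infected, anything else on error
EXTRACT_DIR="${EXTRACT_DIR:-/mimextract}"
SCANNER="${SCANNER:-/usr/local/bin/scanner}"
SCANNER_ARGS="${SCANNER_ARGS:-}"
INFECTED_RC="${INFECTED_RC:-3}"

log() { printf 'dmail-vscan-wrap: %s\n' "$*" >&2; }

# scan_extracted FILE
#   returns 0  clean: file left in place, DSMTP delivers the message
#   returns 1  infected: file deleted, DSMTP returns a 500 error to the sender
#   returns 2  refused or scanner error: file left in place (see below)
scan_extracted() {
    file=$1

    # Never delete anything outside the extraction directory, and refuse
    # paths that could climb out of it. DSMTP passes its own paths, but a
    # wrapper that runs "rm -f" deserves a guard anyway.
    case "$file" in
        *..*) log "refusing path containing '..': $file"; return 2 ;;
        "$EXTRACT_DIR"/*) ;;
        *) log "refusing path outside $EXTRACT_DIR: $file"; return 2 ;;
    esac
    [ -f "$file" ] || { log "not a regular file: $file"; return 2; }

    # SCANNER_ARGS is intentionally unquoted so it is split into words.
    if "$SCANNER" $SCANNER_ARGS "$file" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi

    case "$rc" in
        0)
            return 0 ;;
        "$INFECTED_RC")
            # Deleting the file is the only signal DSMTP looks for.
            if rm -f "$file"; then
                log "infected, removed: $file"
                return 1
            fi
            log "infected but could not remove $file; message WILL be delivered"
            return 2 ;;
        *)
            # Do not delete here: that would bounce clean mail as "virus"
            # whenever the scanner itself is broken. Log loudly instead.
            log "scanner exit $rc on $file; file kept, message will be delivered"
            return 2 ;;
    esac
}

# When DSMTP executes the script with the extracted file as its only argument.
if [ "$#" -eq 1 ]; then
    scan_extracted "$1"
    exit $?
fi
```

Note that the wrapper fails open: if the scanner itself errors (missing definitions, licence expired) the file is kept and the message is delivered, with a log line to alert you. If you would rather reject mail in that case, delete the file on any non-zero exit instead, accepting that senders will then be told their message "contains a virus" whenever the scanner is broken. Scanners that can delete infected files themselves, such as Sophos SWEEP with -remove as shown below, need no wrapper.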

There is also a newer method using RAVMD, a daemon that runs on the machine and that DMail can talk to directly. This should be faster, reports which files were infected, and allows infected files to be cleaned; it is a lot more effective than the older method. See the RAV section further below.

What anti virus software can I use?

As mentioned above, you can use any anti-virus software that takes command line arguments and can be instructed to delete infected files. Some of the available anti-virus products are listed below. Currently we recommend RAV for DMail or MailScan for DMail, both of which are versions of the vendor's anti-virus software tailored specifically for DMail; MailScan also does content checking and a lot more.

Please be careful to follow the license agreements of the antivirus software as many vendors have specific licenses for use with mail servers.

RAVDMail, specially tailored to work with DMail - http://www.ravantivirus.com

Select products/ISP Portals and download a free trial

Using RAVMD you just need to add one setting to dmail.conf. If you have installed RAV into /usr/local/rav8, add:

virus_robot /usr/local/rav8/bin/ravdmail

If you have defined scan_ext in your RAV config file, be sure to include *.tmp in the list, or RAV will give odd errors about not being able to find the file it is trying to scan.

That takes care of everything: your users are told exactly which virus was found, and cleaned files can be passed on, which the external_viruschecker method cannot do. This is by far the best method.

 

MailScan For DMail/SurgeMail Mail Server http://www.mwti.net
30-day Trial version

We have looked at this product and it looks great; it is a lot more than just a virus scanner. Currently it is only for Windows users, and we are not sure of their plans for other platforms.

MailScan for DMail/SurgeMail is an anti-virus product for the DMail and SurgeMail servers. It scans attachments, does content checking, updates virus definitions automatically, gives pop-up notifications and much more. It configures DMail automatically and does its content checking at the socket level, so it will not upset any relay settings etc. in DMail.

It is a 30-day trial version. For any questions please email support@mwti.net

Sophos Anti-Virus - http://www.sophos.com

A very well known and respected virus checker available for a wide variety of platforms; it is well suited to DMail because of its on-demand scanning utility, SWEEP.

Platforms: Windows 95/98/NT/2000, AIX PPC, Digital Unix - Alpha, FreeBSD 2 & 3 Intel, HP-UX, Linux libc5 & libc6, Linux Alpha, Solaris Sparc, Solaris Intel

Example
extract_mime /mimextract
external_viruschecker /usr/local/bin/sweep -s -nc -remove -archive $FILE$

Options for command line:
-s (silent)
-nc (no confirmation)
-remove (delete the infected file; compulsory, because DMail only detects an infection by the file's disappearance)
-zip (search through zip files)
-tar (search through tar files)
-gzip (search through gzip files)
-cab (search through cab files)
-rar (search through rar files)
-arj (search through arj files)
-archive (search through all of the above archive types)



Norton Anti Virus http://www.symantec.com

A very well known anti-virus solution for home users. It can be set up for use with DMail too, but other anti-virus solutions designed specifically for command line use are probably better on serious systems.
Example:
extract_mime d:\mimeextract
external_viruschecker c:\program files\navnt\navwnt.exe /noresults $FILE$

You must also configure Norton Anti Virus, in its GUI, to delete any infected files; otherwise this will not work, because DMail only detects an infection by the extracted file being deleted.

Kaspersky Anti-Virus (AVP) - http://www.kaspersky.com


A well regarded virus checker that will satisfy most organizations' anti-malware needs. Free downloads are available for evaluation purposes.

Supported platforms: Windows, Linux, FreeBSD, BSDi

Example of use with DMail:

After installing the AVP server product add the following lines to your dmail.conf file:
extract_mime /usr/local/dmail/extract
external_viruschecker /opt/AVP/kavscanner -E -Y $FILE$
Activate these changes with the command:
tellsmtp reload
All traffic through the SMTP server will now be scanned. Mail containing potentially malicious code will be returned to the sender.
 

BrightMail - http://www.brightmail.com

BrightMail offers both virus and spam detection. BrightMail actively monitors email traffic and distributes rules in real time to filter out unsolicited and potentially harmful email messages. This solution will tend to be of interest to those with more financial leverage.
 
 

How do I scan for just one domain or specific users?

To scan for specific users set this in dmail.conf
require_user_vscan <true/false>

Then in your authent database you can return vscan="true" as part of the return code. If this is returned, the user's email will be scanned; otherwise it won't be.

If you want to scan for just one domain you can use these settings. A domain of * matches all domains.
domain_vscan_skip <domain> (tells DMail to skip scanning for the specified domain)
domain_vscan_do <domain> (tells DMail to scan this domain; overrides domain_vscan_skip)

Example: you only want to scan mail for users on the domain test.com

domain_vscan_skip *
domain_vscan_do test.com