KBTAG: kben10000025
URL: http://www.securityportal.com/lskb/10000000/kben10000025.html
Date created: 13/04/2000
Date modified: 28/08/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: How to scan email for viruses from your Linux mail server
Keywords: Viruses, Network/Email
While Linux is not terribly susceptible to viruses, Windows clients are. Scanning incoming and outgoing email is a very effective method for preventing infections on your network, considering email is one of the primary infection vectors for many modern viruses. For a list of Linux virus scanners please see knowledge base article kben1000024.
AMaViS
AMaViS uses third-party scanning software (such as McAfee or Sophos) to scan incoming email for viruses. http://satan.oih.rwth-aachen.de/AMaViS/amavis.html
Inflex
Inflex is an email scanner which encapsulates your existing sendmail server setup. It scans both incoming and outgoing email and it does not alter your current /etc/sendmail.cf file. It can scan for email viruses, unwanted file types (e.g., EXE, BMP, MPEG) and file names (e.g., prettypark.exe). It can also be used to scan for text snippets within emails and supports Exim for delivery. http://www.inflex.co.za/
exiscan
exiscan is an email virus scanner which works together with the Exim MTA (http://www.exim.org). It is written in Perl and designed to be as subtle and lightweight as possible. exiscan relies on McAfee's uvscan or Trend Micro's vscan to do the actual scanning work. http://duncanthrax.net/exiscan/
MIMEDefang
MIMEDefang is a flexible MIME e-mail scanner designed to protect Windows clients from viruses. It can alter or delete various parts of a MIME message according to a very flexible configuration file. It can also bounce messages with unacceptable attachments. MIMEDefang works with Sendmail 8.10/8.11's new "Milter" API, which gives it much more flexibility than procmail-based approaches. http://www.roaringpenguin.com/mimedefang/
qscan
qscan is a Perl script which enables Sendmail to scan all queued email and rename any file attachments from .vbs to ~vbs, .vbe to ~vbe, etc. It can be customized to change any file extension or to rename any attached files. http://www.inetfido.com/qscan/
WMailScanner
wmailscanner allows a mail server system to scan e-mail attachments for viruses using any UNIX virus scanner. It is intended to be used in an environment where a UNIX server delivers mail to virus-prone workstations, i.e., Windows machines. http://messel.emse.fr/~pplantie/wmailscanner/
Scan4Virus
Qmail-Scanner (also known as Scan4Virus) is an addon that enables a Qmail e-mail server to scan all gatewayed e-mail for certain characteristics. It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial virus scanners. But it also enables a site to react to e-mail that contains specific strings in particular headers, or particular attachment filenames or types. Qmail-Scanner is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting in better performance. It is capable of scanning not only locally sent/received e-mail, but also e-mail that crosses the server in a relay capacity. http://qmail-scanner.sourceforge.net/
Sendmail
Using AMaViS with Sendmail is relatively simple. It has a program called scanmails that acts as a replacement for procmail (typically the program that handles local delivery of email). When an email comes in, instead of using procmail to deliver it, Sendmail calls scanmails, which decompresses and decodes any attachments and then uses a virus scanner (of your choice) to scan them. If no virus is found, mail delivery goes ahead as usual. If a virus is found, however, an email is sent to the sender informing them that they have sent a virus, and an email is sent to the intended recipient informing them about the person that sent them a virus. The instructions for this are at: http://satan.oih.rwth-aachen.de/AMaViS/amavis.html
Postfix
Since Postfix can make use of procmail to do local mail delivery, it should work in theory without any trouble. In practice it takes a few minor tweaks to work correctly. To enable it, replace the following line in main.cf:
mailbox_command = /usr/bin/procmail
with the line:
mailbox_command = /usr/sbin/scanmails
and restart Postfix. For the local warning to work (a warning is sent to the intended recipient of the message), the hostname of the machine (sundog, mailserver01, etc.) must be listed in mydestination in main.cf; otherwise the warning does not get delivered. You should (and most sites generally do) redirect root's email to a user account using the aliases file; otherwise warnings will not be delivered to root properly. By default, mail to virusalert is also directed to root; you should redirect this mail to a normal user account as well.
You can get AMaViS at: http://aachalon.de/AMaViS/. Make sure you get the latest version; previous ones have security problems.
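The Postfix settings described above can be checked with a short script. This is an added example, not part of AMaViS or Postfix; the function names, the sample files and the "admin" account are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Postfix/AMaViS settings described in this article.
# Works on the files passed in, so it can be run against copies.

# Print a main.cf parameter value (last definition wins). Continuation lines
# and $variables are not expanded; on a live host compare with `postconf -h`.
conf_value() {   # $1 = main.cf, $2 = parameter name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print the target of an alias, or nothing if the alias is not defined.
alias_target() { # $1 = aliases file, $2 = alias name
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one line per problem found; print nothing if everything matches.
audit_scanmails() { # $1 = main.cf, $2 = aliases file, $3 = hostname
    cmd=$(conf_value "$1" mailbox_command)
    [ "$cmd" = "/usr/sbin/scanmails" ] ||
        echo "mailbox_command is '$cmd', expected /usr/sbin/scanmails"
    # mydestination is a comma/space separated list; match a whole entry.
    conf_value "$1" mydestination | tr ', ' '\n\n' | grep -qxF "$3" ||
        echo "hostname '$3' is not listed in mydestination"
    # root's mail must be redirected to a user account.
    case "$(alias_target "$2" root)" in
        ""|root) echo "root is not aliased to a user account" ;;
    esac
    # virusalert goes to root by default; it should reach a normal account.
    case "$(alias_target "$2" virusalert)" in
        ""|root) echo "virusalert is not redirected to a normal user account" ;;
    esac
    return 0
}

# Constructed sample files (not from a real server): the hostname is missing
# from mydestination and virusalert still points at root.
demo_dir=$(mktemp -d)
cat > "$demo_dir/main.cf" <<'EOF'
mydestination = localhost
mailbox_command = /usr/sbin/scanmails
EOF
cat > "$demo_dir/aliases" <<'EOF'
root: admin
virusalert: root
EOF
audit_scanmails "$demo_dir/main.cf" "$demo_dir/aliases" mailserver01
rm -rf "$demo_dir"
```

On a real server the arguments would typically be the live main.cf, the aliases file and the machine's hostname as it appears in mydestination.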