How does the Postfix plug-in work?

In-transit mail scanning in Postfix can be achieved using the postfix plug-in that is included in the F-PROT Antivirus Mail Scanner. To achieve this functionality Postfix must be configured to use an external filter at a given address, and run another SMTP daemon that doesn't use the external filter. Postfix's default SMTP daemon will then send the messages to the external filter. The external filter then contacts the SMTP daemon that is not filter enabled and the message will resume its course.

An example of this type of configuration would be to run the Mail Scanner on port 10025 and the non-filter enabled SMTP on port 10026, as is described in the FILTER_README file in the Postfix distribution.

First add this line to main.cf:

content_filter = smtp:[127.0.0.1]:10025

This will cause Postfix' default SMTP daemon to pipe all mail to the address 127.0.0.1:10025.

Then add these 3 entries to master.cf:

scan unix - - n - 10 smtp
localhost:10026 inet n - n - 10 smtpd

-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o myhostname=localhost.domain.tld
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8

localhost:10025 inet n n n - 10 spawn

user=nobody argv=/usr/local/f-prot/tools/scan-mail.pl -postfix 127.0.0.1:10026

The first entry specifies that Postfix's master service shall run at most 10 processes simultaneously to pipe the mail from the SMTP daemon to external filter. The second entry makes the master service run at most 10 smtpd processes simultaneously on address localhost:10026 to receive the mail from the filter, and configures it so it does not loop the mail back to the external filter. And the third entry makes the master service run at most 10 instances simultaneously of the Mail Scanner to filter the mail on address localhost:10026 and advises the Mail Scanner that the SMTP daemon it's supposed to relay SMTP connections to is running on address 127.0.0.1:10026.

The Mail Scanner will add a header line to your e-mail, "X-Antivirus: Scanned by F-PROT Antivirus (http://www.f-prot.com)"

If F-PROT Antivirus detects an infection in a message or attachment, the Mail Scanner will try to neutralize the threat. If the infection is removed, the Mail Scanner will only defang the message or attachment. If, however, F-PROT Antivirus fails to remove the infection, the message or attachment will be removed, and an appropriate message will be appended to the e-mail. The Mail Scanner will take no action if the attachment is found to be clean. In the case of a runtime error, the Mail Scanner will defang the message. Defanging involves changing the filename extension, and thus removing the danger of a user running the attached file by double-clicking it.

The Mail Scanner can be configured to generate backups of all incoming mail by supplying it with the -backup switch. To generate backups of infected messages only, use the -quarantine switch. This will cause the Mail Scanner to create a directory MMDD/ under /usr/local/f-prot/backup (where MM is a number representing the month, and DD is a number representing the day of the month), and a file underneath there in the format of unix-time.pid. That file will contain the original message before the Mail Scanner scanned it.

Feedback | Contact Technical Support | Contact Sales Support