FRISK Software International

NAME

scan-mail.pl - F-Prot Antivirus Mail Scanner  

SYNOPSIS

    scan-mail.pl [-backup|-quarantine] [-daemon] [-server] [-server_port port] [-milter P|C | -postfix address | -proxy [-proxy_address address] [-smtp_address address]]


DESCRIPTION

scan-mail.pl is a Perl program which uses the Anomy sanitizer to process e-mails. It extracts attachments and scans them for viruses using fpscand(8).

If F-Prot Antivirus detects an infection in a message or attachment, the Mail Scanner will try to neutralize the threat. If the message was clean, or if all infections were removed, the Mail Scanner will check the filenames of the attachments against the rules found in /etc/f-prot.conf to determine whether attachments of that type are allowed through the system. If F-Prot Antivirus fails to remove the infection, the message or attachment will be removed and an appropriate notice appended to the e-mail. In case of a run-time error, the attachment is saved to disk and removed from the e-mail.

The scan-mail.pl script adds the header "X-Antivirus: Scanned by F-Prot Antivirus (http://www.f-prot.com)" to all filtered e-mail messages. Because any sender can put such a header into a message, downstream rules should not treat its presence as proof that this hop scanned the message. scan-mail.pl can be passed the same configuration parameters as the sanitizer.pl program that comes with Anomy.
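The following is an added example, not code from scan-mail.pl or Anomy, showing the two steps described above on a real MIME message: checking every attachment filename against an allow/deny policy and stamping the message with the X-Antivirus header. The rule syntax of /etc/f-prot.conf is not shown on this page, so the deny-list used here is an assumption made for the example, as is the sample message, which is constructed inline.

```python
"""Added example, not code from F-Prot's scan-mail.pl: the attachment
filename check and X-Antivirus stamping on a MIME message.

The /etc/f-prot.conf rule format is not documented here, so the deny-list
below is an assumption for this example; the sample message is constructed.
"""
import email
import email.policy
from email.message import EmailMessage

SCANNER_HEADER = "X-Antivirus"
SCANNER_VALUE = "Scanned by F-Prot Antivirus (http://www.f-prot.com)"

# Assumed policy: these extensions never pass. Every dot-separated suffix is
# checked, so "invoice.pdf.exe" and "setup.exe.txt" are both rejected.
DENIED_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js"}


def filename_allowed(filename: str) -> bool:
    """True unless some extension component of filename is on the deny-list."""
    if not filename:
        return True
    suffixes = filename.lower().split(".")[1:]
    return not any(s in DENIED_EXTENSIONS for s in suffixes)


def sanitize(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Apply the filename policy to every attachment and stamp the message.

    Returns the rewritten message and the names of the attachments removed.
    A disallowed attachment is replaced by a text/plain notice so the
    recipient can see what was dropped.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None or filename_allowed(name):
            continue
        removed.append(name)
        # set_content() clears the old Content-* headers (including the
        # Content-Disposition that carried the filename) before writing the notice.
        part.set_content(f"Attachment {name!r} was removed by the mail scanner:\n"
                         "attachments of this type are not allowed.\n")
    # A sender can forge X-Antivirus, so drop any copy that arrived with the
    # message before adding ours.
    del msg[SCANNER_HEADER]
    msg[SCANNER_HEADER] = SCANNER_VALUE
    return msg, removed


def build_sample() -> bytes:
    """Constructed test message: a harmless PDF, a double-extension
    executable and a forged X-Antivirus header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg["X-Antivirus"] = "Scanned by nobody in particular"
    msg.set_content("See the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    # Same calling convention as the procmailrc examples later on this page:
    # message on stdin, filtered message on stdout.
    import sys
    out, dropped = sanitize(sys.stdin.buffer.read())
    sys.stdout.buffer.write(out.as_bytes())
```

Run it as a pipe filter, or feed `build_sample()` to `sanitize()` to see the executable replaced by a notice, the PDF kept, and the forged header replaced by the scanner's own.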

OPTIONS

Options are parsed until the first non-option argument. Any additional arguments are passed to Anomy::Sanitizer.
-h, --help
Display this help and exit.
-b, --backup
Causes the script to create a directory MMDD/ under /usr/local/f-prot/backup (where MM is the two-digit month and DD the two-digit day of the month) and, underneath it, a file named unix-time.pid. That file contains the original message as it was before scan-mail.pl scanned it.
-q, --quarantine
Works in the same manner as -backup, but removes the backup copy again if the message was not changed by scanning.
-s, --server
Causes scan-mail.pl to handle multiple requests via a socket, forking a child for each request.
-d, --daemon
Like --server, but also forks scan-mail.pl into the background. The PID of the forked process is written to /var/run/scanmail.pid.
-server_port port
This option sets the port on which scan-mail.pl listens if it is run as a server.
-milter P|C
Causes scan-mail.pl to cooperate with f-prot-milter(8) and listen to connections from it. It takes an argument, either a libmilter-style port specification (such as "inet:12200@127.0.0.1") or a path to the sendmail.cf.
-postfix address
Causes scan-mail.pl to run in the foreground, piping the SMTP commands read from standard input to an SMTP daemon running at the address specified (in the form ipaddress:port) and piping the daemon's replies back to standard output. Because e-mails are sanitized on the fly, scan-mail.pl can be run as a spawn service from Postfix's master.cf configuration file.
-proxy
This option causes scan-mail.pl to listen on the socket specified by -proxy_address (default 0.0.0.0:25) and proxy the SMTP commands it receives to an SMTP daemon running at the address specified by -smtp_address (default 127.0.0.1:26), sanitizing e-mails on the fly. This is useful for running a standalone Postfix external filter (without the spawn service), or as a general-purpose mail scanning proxy in front of other MTAs. Note that the default listening address binds to all interfaces; when scan-mail.pl is only meant to receive mail from a local MTA, bind it to a loopback address with -proxy_address, as in the Postfix proxy example below.
-proxy_address address
This option specifies the address, in the form ipaddress:port, on which scan-mail.pl listens for SMTP commands when run with the -proxy option.
-smtp_address address
This option specifies the address, in the form ipaddress:port, to which scan-mail.pl connects and relays SMTP commands when run with the -proxy option.

LOGGING

This program logs to syslog under the ident scan-mail.pl. The log mask and log facility can be set in /etc/f-prot.conf with the SCANMAIL_LOGLEVEL and SCANMAIL_LOGFACILITY variables; see f-prot.conf.

USING WITH MILTER

To hook scan-mail.pl into a sendmail MTA using the milter framework, run scan-mail.pl with the -milter command-line option. Some configuration of sendmail is also required; see fp-milter(8) for details.

POSTFIX EXAMPLE


Usage as a Postfix spawn service

In-transit mail scanning in Postfix can be achieved with the -postfix option of scan-mail.pl. Postfix must be configured to hand mail to an external filter at a given address, and to run a second SMTP daemon that does not use the external filter. Postfix's default SMTP daemon then sends every message to the external filter; the filter contacts the second, non-filtering SMTP daemon, and the message resumes its course. The example below runs the Mail Scanner on port 10025 and the non-filtering SMTP daemon on port 10026, as described in the FILTER_README file in the Postfix distribution. First add this line to main.cf:

    content_filter = smtp:[127.0.0.1]:10025

This makes Postfix's default SMTP daemon hand all mail to the filter at 127.0.0.1:10025. Then add these three entries to master.cf:

    scan             unix  -    -    n    -    10    smtp
    localhost:10026  inet  n    -    n    -    10    smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o myhostname=localhost.domain.tld
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_use_tls=no
        -o mynetworks=127.0.0.0/8
    localhost:10025  inet  n    n    n    -    10    spawn
        user=nobody argv=/usr/local/f-prot/tools/scan-mail.pl -postfix 127.0.0.1:10026

The first entry tells the Postfix master to run at most 10 smtp client processes simultaneously to deliver mail from the SMTP daemon to the external filter. The second entry runs at most 10 smtpd processes simultaneously on localhost:10026 to receive the mail back from the filter; the empty content_filter override ensures that this mail is not sent to the external filter again (a mail loop), and the mynetworks and smtpd_recipient_restrictions overrides ensure that only local clients can inject mail through this unfiltered port. The third entry runs at most 10 instances of the Mail Scanner simultaneously on localhost:10025 and tells the Mail Scanner that the SMTP daemon it is supposed to relay SMTP connections to is running at 127.0.0.1:10026. The user=/argv= line must be indented: Postfix treats a line that starts with non-whitespace as the beginning of a new service entry.

Postfix plugin run as a standalone proxy

You can minimize resource usage by running scan-mail.pl as a standalone proxy that handles the filtering, using the -proxy option. To configure this, set up main.cf and master.cf exactly as in the example above, omitting only the spawn service entry that runs scan-mail.pl:
main.cf
    content_filter = smtp:[127.0.0.1]:10025

master.cf
    scan             unix  -    -    n    -    10    smtp
    localhost:10026  inet  n    -    n    -    10    smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o myhostname=localhost.domain.tld
            -o smtpd_helo_restrictions=
            -o smtpd_client_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o smtpd_use_tls=no
            -o mynetworks=127.0.0.0/8

Then start scan-mail.pl with the command line:

    scan-mail.pl -daemon -proxy -proxy_address 127.0.0.1:10025 -smtp_address 127.0.0.1:10026
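Both Postfix setups above depend on the same two properties of the reinjection smtpd on port 10026: it must not inherit content_filter (otherwise every scanned message goes back into the scanner, a mail loop), and it must only accept mail from loopback (otherwise anything in mynetworks can inject unscanned mail behind the filter). The following is an added example, not part of F-Prot or Postfix, that parses main.cf and master.cf and reports those mistakes, as well as an unindented continuation line, which Postfix would read as a new service. The sample configuration embedded in it is a copy of the manual's spawn-service example; the function names and finding texts are this example's own.

```python
"""Added example, not F-Prot or Postfix code: lint the content_filter setup
shown in this manual (spawn mode, or proxy mode with reinject= given).

Embedded sample configs are constructed copies of the manual's example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

GOOD_MAIN = "content_filter = smtp:[127.0.0.1]:10025\n"
GOOD_MASTER = """\
scan             unix  -    -    n    -    10    smtp
localhost:10026  inet  n    -    n    -    10    smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o myhostname=localhost.domain.tld
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_use_tls=no
    -o mynetworks=127.0.0.0/8
localhost:10025  inet  n    n    n    -    10    spawn
    user=nobody argv=/usr/local/f-prot/tools/scan-mail.pl -postfix 127.0.0.1:10026
"""


@dataclass
class Service:
    name: str
    type: str
    command: str
    args: list[str] = field(default_factory=list)

    def overrides(self) -> dict[str, str]:
        """Collect '-o key=value' pairs; 'key=' yields an empty value."""
        out = {}
        for i, tok in enumerate(self.args):
            if tok == "-o" and i + 1 < len(self.args):
                key, _, val = self.args[i + 1].partition("=")
                out[key] = val
        return out


def parse_master_cf(text: str) -> tuple[list[Service], list[str]]:
    """Split master.cf into services; a continuation line must start with whitespace."""
    services, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if services:
                services[-1].args.extend(line.split())
            else:
                problems.append(f"line {lineno}: continuation before any service")
            continue
        fields = line.split()
        if len(fields) < 8:   # name type private unpriv chroot wakeup maxproc command
            problems.append(f"line {lineno}: not a service entry, looks like an "
                            f"unindented continuation: {line.strip()!r}")
            continue
        services.append(Service(fields[0], fields[1], fields[7], fields[8:]))
    return services, problems


def check_filter_setup(main_cf: str, master_cf: str,
                       reinject: Optional[str] = None) -> list[str]:
    """Return findings (empty list = the filter loop looks sane).

    reinject is where the scanner hands mail back; it is taken from the spawn
    entry's -postfix argument, or passed explicitly (the -smtp_address value)
    when scan-mail.pl runs as a standalone proxy outside master.cf.
    """
    services, findings = parse_master_cf(master_cf)
    m = re.search(r"^\s*content_filter\s*=\s*(\S+)", main_cf, re.M)
    if not m:
        return findings + ["main.cf: content_filter is not set, mail is never scanned"]
    filter_target = m.group(1)
    if reinject is None:
        for s in services:
            if s.command == "spawn" and "-postfix" in s.args:
                reinject = s.args[s.args.index("-postfix") + 1]
    if reinject is None:
        return findings + ["cannot determine the reinjection address (no spawn entry "
                           "with -postfix; pass reinject= for proxy mode)"]
    port = reinject.rpartition(":")[2]
    listeners = [s for s in services if s.type == "inet" and s.command == "smtpd"
                 and (s.name == port or s.name.endswith(":" + port))]
    if not listeners:
        return findings + [f"no smtpd listens on {reinject}; scanned mail cannot be reinjected"]
    for s in listeners:
        o = s.overrides()
        if "content_filter" not in o:
            findings.append(f"{s.name}: inherits content_filter={filter_target}; "
                            "reinjected mail loops back into the scanner")
        elif o["content_filter"]:
            findings.append(f"{s.name}: content_filter={o['content_filter']} on the "
                            "reinjection port; it must be empty")
        nets = [n for n in re.split(r"[,\s]+", o.get("mynetworks", "")) if n]
        if "mynetworks" not in o or not all(n.startswith(("127.", "[::1]")) for n in nets):
            findings.append(f"{s.name}: mynetworks is not loopback-only; anything in "
                            "mynetworks can inject unscanned mail here")
        if o.get("smtpd_recipient_restrictions", "").split(",")[-1].strip() != "reject":
            findings.append(f"{s.name}: smtpd_recipient_restrictions should end with "
                            "'reject' so only permit_mynetworks clients are accepted")
    return findings
```

Point it at the real files with `check_filter_setup(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read())`; for the proxy variant, where nothing in master.cf listens on 10025, pass `reinject="127.0.0.1:10026"` (the -smtp_address value).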


PROCMAILRC EXAMPLES

To hook scan-mail.pl into the mail delivery chain, add this to either /etc/procmailrc (for adding e-mail scanning globally for the local mailsystem) or ~/.procmailrc (for individual user configuration):

    :0 fw
    | /usr/local/f-prot/tools/scan-mail.pl

To utilize the -backup option, use:

    :0 fw
    | /usr/local/f-prot/tools/scan-mail.pl -backup

To utilize the -quarantine option, use:

    :0 fw
    | /usr/local/f-prot/tools/scan-mail.pl -quarantine

Mail processing is resource intensive, and these rules could cause the system to run out of resources. If the system runs out of virtual memory it will start killing processes, and if a filter task is killed, procmail lets the mail through in its original form. This can be avoided by checking the filter's return value. The rule below delivers the message to /usr/local/f-prot/backup/FAILED.<time>.<pid> if the scanner's return value indicates failure. Place it directly below the scan-mail.pl rule for the desired effect:

    :0 fw
    | /usr/local/f-prot/tools/scan-mail.pl

    :0 e
    /usr/local/f-prot/backup/FAILED.`date +%s`.$$

To avoid running out of resources because of multiple parallel instances of scan-mail.pl, a lock can be used. The example below makes procmail run only one instance of scan-mail.pl at a time, using the lock file /var/tmp/scan-mail.pl.lock:

    :0 fw:/var/tmp/scan-mail.pl.lock
    | /usr/local/f-prot/tools/scan-mail.pl
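The recipes above rely on procmail to notice a dead filter after the fact. The following is an added example, not one of F-Prot's tools, of a wrapper that can sit between procmail (or any pipe-based hook) and scan-mail.pl: it gives the scanner a hard address-space cap and a wall-clock timeout, so a runaway scan fails on its own instead of the kernel killing arbitrary processes; serialises scans with the same lock file as the recipe; and reports any non-zero exit, signal death, timeout or empty output as failure. Paths and limits are assumptions for this example, and it is Unix-only (it uses the resource and fcntl modules).

```python
"""Added example, not part of F-Prot Antivirus: a fail-closed wrapper around a
pipe filter such as scan-mail.pl. Paths and limits are assumed. Unix only.
"""
import fcntl
import resource
import subprocess
import sys
from typing import Sequence

SCANNER = ["/usr/local/f-prot/tools/scan-mail.pl"]   # path used by the manual
LOCK_FILE = "/var/tmp/scan-mail.pl.lock"              # same lock as the procmail recipe
MEM_LIMIT = 256 * 1024 * 1024   # bytes of address space for one scan (assumed)
TIMEOUT = 120.0                 # seconds per message (assumed)


def run_filter(message: bytes, command: Sequence[str] = SCANNER,
               mem_limit: int = MEM_LIMIT, timeout: float = TIMEOUT) -> tuple[bool, bytes]:
    """Feed message to the filter and return (ok, output).

    ok is False if the filter exits non-zero, is killed by a signal (negative
    return code), exceeds the timeout, cannot be started, or produces no
    output; output is then empty and the caller still holds the original.
    """
    def cap_address_space():   # runs in the child between fork and exec
        resource.setrlimit(resource.RLIMIT_AS, (mem_limit, mem_limit))

    try:
        proc = subprocess.run(list(command), input=message, capture_output=True,
                              timeout=timeout, preexec_fn=cap_address_space)
    except subprocess.SubprocessError:   # TimeoutExpired: run() already killed the child
        return False, b""
    except OSError:                      # e.g. scanner binary missing
        return False, b""
    if proc.returncode != 0 or not proc.stdout:
        return False, b""
    return True, proc.stdout


def main() -> int:
    """procmail-style entry point: message on stdin, filtered message on stdout.

    On failure nothing is written and the exit status is 1, so a ':0 fw'
    recipe keeps the original message and the ':0 e' recipe shown above can
    divert it to the FAILED.<time>.<pid> file.
    """
    message = sys.stdin.buffer.read()
    with open(LOCK_FILE, "a") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)   # one scan at a time, like the procmail lock
        ok, out = run_filter(message)
    if not ok:
        return 1
    sys.stdout.buffer.write(out)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Use it in place of the scan-mail.pl path in the `:0 fw` recipe and keep the `:0 e` recipe beneath it; the wrapper's exit status is the only signal procmail needs. The address-space cap applies to the scanner process itself, so a very large attachment makes that one scan fail cleanly rather than taking other processes down with it.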

For more information about creating procmailrc rules, see procmailrc(5).

CAVEATS

There is a problem with Unicode character support in some versions of Red Hat Linux and its interaction with Perl, and therefore with Anomy. If scan-mail.pl fails to work, try wrapping it in a shell script that sets the following environment variables to the given values before running scan-mail.pl:

    LANG="en_US"
    SUPPORTED="en_US:en"


CONTACT INFORMATION

Please direct any feedback to: http://www.f-prot.com/support/contact_support.html

Updates will be advertised on: http://www.f-prot.com/  

LICENSING

For information about Licensing, see the LICENSE file that comes with F-Prot Antivirus.  

SEE ALSO

fp-milter(8)
fpscand(8)
