Best method for Integrating ClamAV
Hi all,
Jay told me that there are three methods to implement ClamAV:
1. Through conversion channel (performance issue)
2. aliasdetourhost
3. Using libclamav.so (using latest patch)
Jay: Sun is not ready to certify that patch no. "-58", so we are trying to implement ClamAV by some other best method. So if you know any other best method, please let me know.
I have gone through all our forum messages and I think the aliasdetourhost and conversion channel methods are too old mechanisms that you guys discussed two years ago...
If there is any method other than this libclamav.so, please let me know.
Thanks in advance
[726 byte] By [bsnl-nib] at [2007-11-26 10:29:36]

# 1
If you can't get a patch that includes the new library, then ClamSMTP and aliasdetourhost work well. Amavis-new and aliasdetourhost also work, though it's not as "light weight" as ClamSMTP.
Yes, patch -58 is not publicly released. It's still a "t-patch". However, we do give it out when customers need something it has. I've heard nothing bad about it, yet.
# 2
Hi bsnl,
I called Sun support to ask for the 118207-58 patch, they gave it to me, and I tried it on my testing box; it works as libspamass.so, perfect!
Just call Sun, they will give it to you, but warn you not to use it on a production server... I think I may wait until it is formally released; for now I am just studying JMS, too new for me. Still struggling with channels, rewriting rules, ACLs....
I still have not figured out on which channel I should turn on spamfilterXoptin: tcp_local, tcp_intranet, ims_ms? Should I use source or destination?
My mapping file seems not to sort my IP into INTERNAL_IP, FRIEND_IP, EXTERNAL_IP, so I always use the tcp_intranet channel. Strange.
Jay, I saw some anti-virus software can send a warning email back to the sender and reject the email, etc. How about this implementation? Do you have some example config? Now I only know "addtag"; it is not good enough for viruses.
# 3
In fact, we give t-patches out for production all the time. We do, however, suggest you test 'em first.
For your mapping questions, have a look at your mail.log_current. Do all e-mails really come through tcp_intranet? If so, likely you have an inbound relay and that's where all your mails come from. You need to NOT "trust" that IP, and specifically add it to your "internal_ip" at the top:
123.123.123.123 $N
This will prevent you from being an open relay.
A warning mail about a virus isn't likely a good idea anymore. Years ago, people would send mails, and might be infected, and so attach a virus to such mails.
Today, most viruses are sent by "spambots" or otherwise compromised systems, with forged return addresses. Sending a virus bounce message to a fake address will just clog the works, and get you blacklisted. Bad idea.
# 4
Thanks Jay, did as you said,
specifically add it to my "internal_ip" "friend_ip" at the top
123.123.123.123 $N
then msg enqueue from tcp_local channel.
I am testing and studying, and want to ensure messages come in/out on the right channel with virus/spam scanning, so I want my PC to fall in internal_ip and friend_ip, but it just stays in the external_ip range; messages always come from tcp_local:
03-Oct-2006 13:13:05.31 tcp_local ims-ms E 5 test1@my.com rfc822;test2@you.com test2%you.com@ims-ms-daemon
03-Oct-2006 13:13:07.17 ims-ms D 5 test1@my.com rfc822;test2@you.com test2%you.com@ims-ms-daemon
i.e. my IP ranges are:
1. my PC ip is 123.123.123.123
2. my company ip is 123.123.123.0/24 that is our internal_ip
3. my isp ip is 123.123.0.0/16, that is our friend_ip
my mapping is:
PORT_ACCESS
! Allow internal connections in unconditionally
*|*|*|*|* $C$|INTERNAL_IP;$3|$Y$E
! Allow friend connections in unconditionally
*|*|*|*|* $C$|FRIEND_IP;$3|$Y$E
! Check other connections against RBL.test.net
TCP|*|25|*|* $C$[/opt/SUNWmsgsr/lib/dns_verify.so,dns_verify_domain_port,$1,rbl.test.net,Your$ host$ ($1)$ found$ on$ dsbl.org$ dnsblock$ list]EXTERNAL$E
* $YEXTERNAL
INTERNAL_IP
! my PC IP
123.123.123.123 $N
$(123.123.123.111/24) $Y--mail server slef
127.0.0.1 $Y
! company internal IP
$(123.123.123.0/24) $Y--C class IP range belong to us
* $N
FRIEND_IP
! my PC IP (want it to be friend IP)
123.123.123.123$Y
! Goconnect Dialup/ADSL access
$(123.123.0.0/16) $Y
! Others external IP
* $N
Why did it not make a difference? Messages still come from tcp_local.
my imta.cnf :
! tcp_intranet
! Do mapping lookup for internal IP addresses
[] $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
! tcp_friend
[] $E$R${FRIEND_IP,$L}$U%[$L]@tcp_friend-daemon
! channel define
! tcp_local-need to spam/virus scanning but not AUTH SMTP
tcp_local smtp mx single_sys remotehost inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL missingrecipientpolicy 0 mailfromdnsverify backoff "pt30m" "pt2h" "pt4h"
sourcespamfilter2 sourcespamfilter1optin spam
tcp-daemon
! tcp_intranet--need to do virus/spam scanning
tcp_intranet smtp mx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL missingrecipientpolicy 4 sourcespamfilter2 sourcespamfilter1optin spam
tcp_intranet-daemon
! tcp_friend--need to do AuthSMTP, allow SMTP Relay, virus/spam scanning
tcp_friend smtp mx single_sys mustsaslserver noswitchchannel missingrecipientpolicy 4 sourcespamfilter2 sourcespamfilter1optin spam
tcp_friend-daemon
I have an RBL DNS mirrored from dsbl.org and I am going to use that; DNS response time is not an issue for us. What is the best implementation for us? PORT_ACCESS or MAIL_ACCESS/FROM_ACCESS/ORIG_MAIL_ACCESS? I want to close the connection before any mail data comes in.
I agree a bounce message for a virus is not a good idea; how do you handle the message?
spamfilter2_string_action=data:,addtag "[Virus detected: $U]";
Not good enough, any suggestion?
# 5
Hi, thanks Jay & Jerry. Sun is not recommending that patch (-58) & they are saying that patch will alter the rewrite rules of our messaging config. Is it true? Thanks in advance
# 6
specifically add it to my "internal_ip" "friend_ip" at the top
123.123.123.123 $N
then msg enqueue from tcp_local channel.
Yes, that's EXACTLY what is supposed to happen.
INTERNAL_IP is the range of ip addresses that will be assigned to tcp_intranet, the $N above means that this ip will NOT be tcp_intranet.
My suggestion was to ensure that your external mails in fact come in through tcp_local. If you have an inbound relay or firewall that makes the messages appear to come from one specific ip address, then you need to treat that address as external. Above is how.
If you're testing from your PC, and you need to test as EXTERNAL, above is how you do that.
You may find that your RBL callout seriously impacts performance. . .
Once you assign your ip to $N in internal_ip, you're not likely to do anything with friend_ip.
I don't know what rewrite rules you have, but multiple assignments of IP to different tables doesn't work.... Once you're assigned, you're assigned.
As far as I know, -58 is fine to use. Of course, I don't personally know everybody at "Sun". I doubt that "Sun" as an entity has stated anything like, "don't use -58". They may have stated, "this is a t-patch, test it before using it".
I don't know of any rewrite changes it may make.
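Added example, not part of the thread and not Messaging Server code: a simplified Python model of a top-to-bottom, first-match lookup over the INTERNAL_IP entries posted above, showing why the `$N` exception has to sit "at the top" to keep an address out of tcp_intranet. The helper names and the reduced pattern handling (`*`, `$(ip/bits)`, literal IPs, `$Y`/`$N` only) are assumptions made for illustration.

```python
import ipaddress

# INTERNAL_IP entries as posted in the thread (trailing notes dropped).
INTERNAL_IP = """\
! my PC IP
123.123.123.123 $N
$(123.123.123.111/24) $Y
127.0.0.1 $Y
$(123.123.123.0/24) $Y
* $N
"""

def parse_table(text):
    """Return [(pattern, verdict)] in file order; '!' lines are comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        pattern, template = line.split(None, 1)
        entries.append((pattern, template[:2]))  # keep only $Y or $N
    return entries

def matches(pattern, ip):
    """Simplified matcher: '*', '$(a.b.c.d/bits)' subnets, literal IPs."""
    if pattern == "*":
        return True
    if pattern.startswith("$(") and pattern.endswith(")"):
        net = ipaddress.ip_network(pattern[2:-1], strict=False)
        return ipaddress.ip_address(ip) in net
    return pattern == ip

def lookup(entries, ip):
    """First matching entry wins; entries below it are never consulted."""
    for pattern, verdict in entries:
        if matches(pattern, ip):
            return verdict, pattern
    return "$N", None

def is_internal(entries, ip):
    return lookup(entries, ip)[0] == "$Y"

if __name__ == "__main__":
    table = parse_table(INTERNAL_IP)
    # Hypothetical misordering: the $N exception placed below the /24 entry.
    misordered = [table[1], table[0]] + table[2:]
    for ip in ("123.123.123.123", "123.123.123.50", "123.123.200.1"):
        print(ip, lookup(table, ip), "misordered:", lookup(misordered, ip))
```

With the exception listed first, 123.123.123.123 resolves to `$N` and is treated as external; with the hypothetical misordering the /24 entry matches first and the same address is trusted as internal.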
