
Re[3]: [vps-mail] Separate Mail Server



> How do you force procmail (and virussnag.rc) to run before ClamAV? I
> thought procmail was run just before the mail hits the mailbox and that's
> why it doesn't run on mail forwarded off the server to an external mailbox?

I'm running ClamAV FROM procmail - the procmail file looks
like this:

VERBOSE=off
LOGABSTRACT=yes
COMSAT=no
LOGFILE=/var/log/procmail.log

# Whitelist - Email that should always get through:
:0 H:
* 1100^0 ^To:.*abuse@
* 1100^0 ^From:.*root@mydomain\.com
$DEFAULT

#####################################
# Scan Mail for Viruses:
#####################################

## My Custom Antivirus File:
INCLUDERC=/usr/local/etc/XVirus.rc

## Virus Snaggers, ver. 1.6.1
## See http://www.spamless.us/pub/procmail/virussnag.rc
MYVIRUS = /var/mail/quarantine/virussnag
INCLUDERC=/usr/local/etc/virussnag.rc


## BEGIN ClamAV version 0.67-1

TMPLOGFILE=$LOGFILE
TMPLOGABSTRACT=$LOGABSTRACT
TMPVERBOSE=$VERBOSE

LOGFILE=/var/log/procmail.clamav
LOGABSTRACT=yes
VERBOSE=off
NL="
"

:0
CLAMAV=|/usr/local/bin/clamscan --disable-summary --stdout --mbox -

:0
* CLAMAV ?? .*: \/.* FOUND
{
  LOG="Possible virus ${MATCH}${NL}"

  :0 fhw
  | formail -a"X-ClamAV: ${MATCH}"
}

:0E fhw
| formail -a"X-ClamAV: clean"

:0
* ^X-ClamAV: \/.*
* ! MATCH ?? ^^clean^^

/dev/null

LOGFILE=$TMPLOGFILE
LOGABSTRACT=$TMPLOGABSTRACT
VERBOSE=$TMPVERBOSE

## END ClamAV version 0.67-1


++++++++

I'd also recommend running ClamAV only for files larger than
a certain size (I just haven't gotten around to putting that
in my recipe - and since I haven't had load problems, it's
not that much of an issue for me). The largest files I see
being caught by ClamAV are about 75K, so you would probably
be very safe to have ClamAV invoked only for files less than
200K.

I would note that my custom AV file automatically screens
out almost all executable attachments, and that can be done
by merely scanning the headers for the type of attachments,
which is very quick & minimal server load.

-Abigail












> Andy


> At 05:27 PM 9/22/2004 -0700, you wrote:

>> >> Are you suggesting that I not use ClamAV, or just implement it some other
>> >> way?
>>
>> > There is nothing inherently wrong with spawning extra processes--as long
>> > as your server has sufficient resources. Sendmail spawns a new process
>> > with every incoming e-mail (for example).
>>
>> > I am so dependent on ClamAV for snagging viruses that I would get a bigger
>> > server before even thinking about not using ClamAV.
>>
>>You can cut down somewhat on the ClamAV load by running some
>>simple procmail recipes ahead of ClamAV, that will screen
>>for some of the more common viruses or disallowed types of
>>attachments.  I also use the virussnag.rc script and run it
>>ahead of ClamAV.
>>
>>
>>-Abigail
>>
>>
>>======================================================================
>>This is <vps-mail@xxxxxxxxxxxx>      
>><http://www.perlcode.org/lists/>
>>Before posting a question, please search the archives (see above URL).

> --------------------------------------------------------------------
> PROTEUS - new anti-spam, anti-virus solution
> www.proteus.lu

> FOCUS Internet Services
> Domains, Design, Hosting, Custom Applications, E-Commerce
> 106 rue de Mersch, L-8181 KOPSTAL, Luxembourg
> tel. (+352) 305 197
> fax (+352) 305 188
> www.focus.lu  
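
An added example, not part of the original post or of ClamAV: a shell sketch of the size gate suggested in the message above, combined with a check of clamscan's exit status, so that a message that was skipped or could not be scanned is never tagged "clean". SCAN_MAX, SCANNER and clamav_verdict are names made up here; the clamscan path and flags are the ones from the recipe.

```shell
#!/bin/sh
# Added example, not from the original post. SCAN_MAX, SCANNER and
# clamav_verdict are names made up for this sketch.
SCAN_MAX=${SCAN_MAX:-200000}                  # bytes; the post suggests ~200K
SCANNER=${SCANNER:-/usr/local/bin/clamscan}   # path used in the post

# clamav_verdict FILE
# Prints the value for an X-ClamAV header: clean, the signature name,
# not-scanned (size gate) or scan-error (scanner could not give an answer).
clamav_verdict() {
    msg=$1
    [ -r "$msg" ] || { echo scan-error; return 0; }
    size=$(wc -c < "$msg")
    size=$((size))                            # strip padding some wc add
    if [ "$size" -ge "$SCAN_MAX" ]; then
        echo not-scanned                      # skipped mail is not "clean"
        return 0
    fi
    rc=0
    # Flags are the ones from the post (ClamAV 0.67); "-" scans stdin.
    out=$("$SCANNER" --disable-summary --stdout --mbox - < "$msg") || rc=$?
    case $rc in
        0)  echo clean ;;
        1)  # exit status 1 means a signature matched; pull its name from
            # the "<source>: <name> FOUND" line
            name=$(printf '%s\n' "$out" |
                   sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1)
            echo "${name:-unknown-signature}" ;;
        *)  echo scan-error ;;                # any other status: no verdict
    esac
}

# Run as a script with one message file: print the header line to add.
if [ "$#" -eq 1 ]; then
    printf 'X-ClamAV: %s\n' "$(clamav_verdict "$1")"
fi
```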
