AVFILTER
Anti Virus for Courier-MTA using Sophos

[Disclaimer] [Install] [How it works] [Anti-virus scanners] [Changes]

This page describes an alternative approach to anti-virus filtering under the Courier-MTA package. The software described here, avfilter, does its work through Courier's courierfilter global filter mechanism and a commercial scanner that offers a "C" interface. To use it you need the SAVI interface from Sophos, which may require you to buy a commercial licence (see below). If you have more than 100 employees you also need a licence for avfilter itself; otherwise it's free (see NOTICE). Finally, you need the Courier sources to compile avfilter.

Note: the usual approach to anti-virus e-mail filtering is to install a separate SMTP server that scans each message and then forwards it. However, that server has already accepted the message by the time it scans it, so it can no longer reject it during the SMTP transaction: in some cases this defeats an SMTP server's ability to discard unwanted mail before committing bandwidth and disk space to it. You may find some useful links below if you'd rather follow the usual approach.

Disclaimer

I'm currently using this filter and it works quite well. However, I have a specific Courier configuration and version (0.39.3), hence I cannot guarantee that it works smoothly with different settings. I don't recommend using the filter as-is, but it may be an interesting example of how to integrate Courier filtering with a commercial antivirus, and it is yet another example of a Courier native filter: a forking daemon, in this case.

Install

The software consists of a few source files. A makefile is provided for Linux, but there is no configuration utility yet, so be careful to understand what you are doing. No porting has been done yet, hence you may be unable to compile it unless you are running Debian 'potato' with gcc 2.95.2. Please find download directions and detailed instructions HERE. You may safely skip the rest of this page if you are sure about what you want.

How it works

The filter is controlled by courierfilter(8). RTFP. Recall that Courier suspends accepting new mail when a filter is enabled but not currently loaded: in that case it issues a 423 Mail filters temporarily unavailable response after the client has sent the body of the message. You enable avfilter with filterctl and by starting courierfilter. Upon loading, avfilter reads its run-time configuration files and initialises the anti-virus interface, which in turn loads the virus database.

When avfilter is enabled, it is called right after the body of a message has been received. It forks, extracts every MIME part from the message and invokes the anti-virus scanner on each of them. If a runtime error occurs, such as being unable to read the message or to talk to the anti-virus interface, it issues a 4xx response, so the client keeps the message and retries later rather than having it pass unscanned. If it cannot parse the MIME structure, or if the anti-virus interface returns either a positive detection or an unexpected error, it issues a 5xx response and the message is rejected for good. Otherwise it lets the message proceed (200 Ok.)
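As an added example (not avfilter's own code, which is in C), the following Python script implements the per-message decision logic described above with the standard email package. The scanner is a stand-in for SAVI, the sample messages are constructed inline, and the exact response texts (450, 554) are my choices: the page only specifies the 4xx/5xx/200 classes.

```python
import email
from email import policy
from email.message import EmailMessage

# Added example, not avfilter's code: MIME extraction plus the
# 4xx / 5xx / 200 Ok decision described on the page, with a stand-in
# for the SAVI engine.  Response texts are assumptions, not avfilter's.

# EICAR test signature, kept in two pieces so that this source file does
# not itself trip an on-access scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR"
         + "-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()


class ScannerUnavailable(Exception):
    """Engine cannot be reached or initialised: transient, maps to 4xx."""


class ScannerFault(Exception):
    """Engine answered with an unexpected error: maps to 5xx, like avfilter."""


def scan_part(data):
    """Stand-in for a SAVI on-demand scan: detection name or None."""
    return "EICAR-AV-Test" if EICAR in data else None


def scanner_down(data):
    """Stand-in for an engine that cannot be talked to."""
    raise ScannerUnavailable("cannot talk to the anti-virus interface")


def scanner_fault(data):
    """Stand-in for an engine returning an unexpected error code."""
    raise ScannerFault("unexpected return code")


def extract_parts(raw):
    """Return (name, decoded_bytes) for every leaf MIME part of raw.

    Transfer encodings (base64, quoted-printable) are undone so the scanner
    sees the real bytes.  Raises ValueError when the MIME structure is
    defective, e.g. a multipart without a boundary parameter.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.defects:
            names = ", ".join(type(d).__name__ for d in part.defects)
            raise ValueError("unparsable MIME: " + names)
        if part.is_multipart():
            continue
        name = part.get_filename() or part.get_content_type()
        parts.append((name, part.get_payload(decode=True) or b""))
    return parts


def filter_response(raw, scanner=scan_part):
    """The single response line the filter hands back to courierfilter.

    Runtime error while scanning -> 4xx (sender retries later);
    unparsable MIME, detection or unexpected engine error -> 5xx;
    everything clean -> "200 Ok".
    """
    try:
        parts = extract_parts(raw)
    except ValueError as exc:
        return "554 Rejected: %s" % exc
    for name, data in parts:
        try:
            verdict = scanner(data)
        except ScannerUnavailable:
            return "450 Anti-virus scanner temporarily unavailable, try later"
        except ScannerFault as exc:
            return "554 Rejected: scanner error (%s)" % exc
        if verdict:
            return "554 Rejected: %s found in %s" % (verdict, name)
    return "200 Ok"


def build_message(attachment=None):
    """Constructed sample message (not real traffic): a text body and,
    optionally, a base64-encoded attachment as a client would submit it."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "postmaster@example.net"
    msg["Subject"] = "test"
    msg.set_content("Please see the attached file.")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="test.com")
    return msg.as_bytes()


# Constructed sample: claims to be multipart but carries no boundary.
BROKEN_MIME = (b"From: sender@example.org\r\nTo: postmaster@example.net\r\n"
               b"Content-Type: multipart/mixed\r\n\r\nno boundary here\r\n")


if __name__ == "__main__":
    print(filter_response(build_message()))              # 200 Ok
    print(filter_response(build_message(EICAR)))         # 554 ... test.com
    print(filter_response(BROKEN_MIME))                  # 554 ... MIME
    print(filter_response(build_message(b"x"), scanner_down))   # 450 ...
```

In the real daemon the returned line travels back over the courierfilter socket and Courier relays a 4xx/5xx text to the SMTP client, so keep it free of internal details such as paths or engine error codes.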

Anti-virus scanners

It is peculiar that there are no open source anti-virus scanners. (Conversely, all viral software is free or open source.) Let me point out why I use Sophos and what the alternatives are.

Sophos

Sophos lets you download an evaluation copy of its software. They have a SAVI interface that allows the scanner to be dynamically linked into the application. That improves performance, because the anti-virus database is loaded only once at startup and because there are no scripts to interpret. SAVI is designed around the Windows COM interface, but it is truly multiplatform, as one can run it on Macs as well. In addition, the scanner knows how to unpack archives such as zip, gzip, tar, arj, uue and cmz.

Sophos currently has no licensing policy for ISPs. They charge a few dollars per year per mailbox, which may be totally unsuitable if you have a large user base. I suggest that you contact them, pointing out that ISPs don't own their clients' machines and urging them to adopt a more suitable licensing scheme. Sophos produces only anti-virus software, so they should understand your point. I'm pretty sure I read that non-commercial organizations don't need to buy a licence to use Sophos products, but I cannot find a pointer to that writing. Anyway, they make no distinction between using the full product and using just the SAVI interface. Finally, let me state that my only relationship with Sophos consists of having bought a licence from Sophos Italy, and that's it.

Other linkable modules

In principle, avfilter may work with different (or multiple) anti-virus engines. Specifically, I'm looking for an anti-virus scanner that

  1. does on demand scanning;
  2. has a programmatic interface;
  3. preferably, can open file archives; and
  4. preferably, is well referenced, e.g. by VB100%.

I'd be grateful to anyone pointing out such products. Please write to vesely@tana.it

I wrote to Palo Luka about NOD32 in November 2001. He released a daemonised version of the product, for a more efficient startup. However, a client cannot interface with the daemon directly. In his words, "we cannot release the source code as open source because they're tightly connected to the scanner and that would tie our hands as far as making changes." I could then exec the nod32 client from avfilter, piping its output to yet another child of avfilter to interpret it, but I'd rather wait until they release some documentation on how to call the daemon directly.

I wrote to Trend Micro asking for a license. "The actual situation is that for xSP's with such numbers as quoted by yourself, Trend Micro, do not at this time license the VSAPI", said Lianne Harcup, Trend Micro European Legal Advisor.

I wrote to F-Secure. Mika Kuosmanen, a support engineer, answered that the product they have for Linux is FSAV for Firewalls on Linux.

I also wrote to McAfee, but they never answered.

Other software

AMAVIS is a set of scripts for automating e-mail filtering. Utilities for extracting files from archives are also provided, using whatever unpackers are installed on the system. A commercial scanner is required.

EPS has recently been advertised on the Courier mailing list, but I haven't checked it out yet.

The Anomy mail tools, featuring Anomy Sanitizer.

Other Sophos integrators, mostly commercial, who use SAVI for e-mail filtering.

Changes

12 dec 2001 - published on this page
19 dec 2001 - bugfixing mime.c
03 may 2002 - correct typo (thanks Trevor)
12 may 2002 - discard corrupted headers but continue reading (mime.c)
21 sep 2002 - fix read base 64 ending at end of buffer (mime.c)
28 sep 2002 - fix bug introduced last week (uff)


Have fun!


Copyright © 2001 Alessandro Vesely. All rights reserved.