Setting up Exiscan

Note: The following is now out of date with how to set up Exiscan. I am leaving this page up for archival information.

Note: The following is part of a series of steps to set up an email server using Exim 4.x, with IMAP and webmail access. It will use winbind to get user information from an NT server. If you found this page via a search engine it may not cover what you need, or you may need to start at the beginning to understand everything I have done.

See http://www.exim.org/ and http://duncanthrax.net/exiscan/ for much more information.

Quick steps:

  1. Download and unpack exiscan
  2. Patch into the Exim source
  3. Build, install, and set up Exim and make sure it works.
  4. Set up your virus scanner and make sure it works.
  5. Set up SpamAssassin. (my steps to come soon)
  6. Edit the exim.conf file.
  7. Restart Exim.
  8. Test.

Note: I'm using exim in another situation, besides our primary email server. So I decided to use exiscan with it.

1) Download and unpack exiscan

Go to http://duncanthrax.net/exiscan/ and download. I am using exiscan-4.12-21.

To unpack:
tar -xvzf exiscan-[version].tar.gz

2) Patch into the Exim source

Cd into the top level of the exim source directory. Example:
cd /tmp/exim-4.12

Run (Note: the "1" in "-p1" is the digit one, not a lower-case L):
patch -p1 < [path]/exiscan-[version].patch

If you have already configured Exim (i.e. ran make), just delete the build directory (i.e. rm -rf build-Linux-i386) and run:
make makefile
Then you can build Exim as normal.

3) Build, install, and set up Exim and make sure it works

My steps are here.

4) Set up your virus scanner and make sure it works

Note: InoculateIT cannot be currently used because inocmd32 must be run as root.

See this page for other virus scanners.

5) Set up SpamAssassin

My steps to come soon

6) Edit the exim.conf file

Mine is in /etc/exim/exim.conf. Please read the "readme.txt" file that comes with exiscan for its full list of options.

Now in exim.conf, place the exiscan settings at the end of the "Main Configuration Settings" section. Note: If this is your first install of Exim it will write a default config file with markers as to where the exiscan items go. Here are my settings using ClamAV via command line (InoculateIT notes included in case it can be used at some point).

# YOUR EXISCAN CONFIGURATION GOES HERE
# Scan only SMTP and ESMTP messages; set to 1 to force scanning for all messages
exiscan_condition = ${if or {{eq{$received_protocol}{esmtp}} \
                    {eq{$received_protocol}{smtp}}} \
                    {1}{0} }
# Add header to determine if previously scanned. Required. Two characters.
exiscan_crypt_salt = fo
# Unpack MIME and TNEF for scanning instead of using the AV's mbox option.
# For pre-4.12-22 version:
exiscan_unpack_mime = true
# For 4.12-22 version:
#exiscan_demime_condition = 1
# What to do for malformed MIME container
# For 4.12-22 version:
#exiscan_demime_action = reject
# Timeout for scanner. Default is 15m.
exiscan_timeout = 15m
 
# EXISCAN AV OPTIONS
# Whether to call the virus scanner. = 1 forces it for all messages. Conditions allowed.
exiscan_av_condition = 1
# What to do if virus is found. Pass, reject, blackhole, freeze, or redirect [address].
exiscan_av_action = redirect postmaster@domain.com
# What type of scanner. Cmdline, sophie, kavdaemon, openav.
exiscan_av_scanner = cmdline
# Full path to command line scanner if cmdline is chosen.
# For InoculateIT
#exiscan_av_scanner_path = /path/to/ino/bin/inocmd32
# For ClamAV
exiscan_av_scanner_path = /path/to/clamscan
# Options for command line scanner. Pipe (|) is where path to scan is placed.
# For InoculateIT (example)
#exiscan_av_scanner_options = -nex -arc -mod secure |
# For ClamAV (example)
exiscan_av_scanner_options = --disable-summary --max-files=100 \
                             --threads=5 --stdout |
# What does command line scanner say when virus is found. String.
# For InoculateIT
#exiscan_av_scanner_regexp_trigger = infected by
# For ClamAV
exiscan_av_scanner_regexp_trigger = FOUND
# Get the virus' name. Regexp
# For InoculateIT
#exiscan_av_scanner_regexp_description = virus: (.*)
# For ClamAV
exiscan_av_scanner_regexp_description = (.*) FOUND
# Sophie scanner socket
# exiscan_av_sophie_socket = /var/run/sophie
# Kavdaemon scanner socket
# exiscan_av_kavdaemon_socket = /opt/AVP/AvpCtl
# OpenAV scanner IP address
# exiscan_av_openav_host = 127.0.0.1
# OpenAV scanner port
# exiscan_av_openav_port = 8127
 
# EXISCAN ANTISPAM OPTIONS
# Note to come soon. See the exiscan documentation.
 
# EXISCAN REGEX OPTIONS
# Note I am not using this right now. See the exiscan documentation.
 
# EXISCAN FILE EXTENSION OPTIONS
# Note I am not using this right now. See the exiscan documentation.
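To check that the cmdline scanner settings above do what you expect before restarting Exim, here is an added helper (my own example, not part of exiscan or Exim) that reads the exiscan_av_* keys from a config excerpt, substitutes the scan directory for the "|" placeholder, and applies the trigger and description regexps to scanner output the way exiscan does. The config excerpt and the clamscan output lines are constructed for the example; the scan directory /tmp/scan is an assumed placeholder.

```python
import re

# Constructed excerpt of the exiscan settings from this page (not a real exim.conf).
EXIM_CONF = r"""
# EXISCAN AV OPTIONS
exiscan_av_scanner = cmdline
exiscan_av_scanner_path = /path/to/clamscan
exiscan_av_scanner_options = --disable-summary --max-files=100 \
                             --threads=5 --stdout |
exiscan_av_scanner_regexp_trigger = FOUND
exiscan_av_scanner_regexp_description = (.*) FOUND
"""

# Constructed clamscan --stdout output for a directory of unpacked MIME parts.
CLAMSCAN_OUTPUT = """\
/tmp/scan/eicar.com: Eicar-Test-Signature FOUND
/tmp/scan/body.txt: OK
"""

def parse_exiscan_settings(text):
    """Return a dict of exiscan_* keys, folding backslash-continued lines."""
    settings = {}
    folded = re.sub(r"\s*\\\n\s*", " ", text)  # join "...\<newline>   ..." into one line
    for line in folded.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # first "=" separates key from value
        if key.strip().startswith("exiscan_"):
            settings[key.strip()] = value.strip()
    return settings

def build_scanner_argv(settings, scan_dir):
    """Build the scanner command line; "|" marks where the scan path goes."""
    argv = [settings["exiscan_av_scanner_path"]]
    for opt in settings["exiscan_av_scanner_options"].split():
        argv.append(scan_dir if opt == "|" else opt)
    return argv

def classify_scanner_output(settings, output):
    """Return (infected, description): the trigger regexp decides infection,
    the description regexp's first group is what exiscan reports as the name."""
    trigger = re.compile(settings["exiscan_av_scanner_regexp_trigger"])
    desc = re.compile(settings["exiscan_av_scanner_regexp_description"])
    for line in output.splitlines():
        if trigger.search(line):
            m = desc.search(line)
            return True, (m.group(1).strip() if m else line.strip())
    return False, None

if __name__ == "__main__":
    cfg = parse_exiscan_settings(EXIM_CONF)
    print(build_scanner_argv(cfg, "/tmp/scan"))
    print(classify_scanner_output(cfg, CLAMSCAN_OUTPUT))
```

Note that with "(.*) FOUND" the captured description includes the file path as well as the signature name, because ".*" is greedy; if you only want the name, a pattern such as ": (.*) FOUND" isolates it.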

7) Restart Exim

Check your exim.conf file for errors first by running:
exim -bV

To start:
/etc/rc.d/init.d/exim restart

8) Test

Do not do these tests on unsuspecting users. If nothing else, add an email in the /etc/aliases that loops back to your address.

Send an email with nothing but text. Does it get delivered? If not, check the exim logs. Does it have the header "X-Scanner: exiscan for exim4"? Try sending it with:
exim -v someone@dom.ain

From: me@my.domain
To: someone@dom.ain
Subject: test
 
test
.

so you can see all of exim's output. Tip: set exiscan_condition=1.

Send an email with an attached file that is known to be infected. If you don't have one, try the test signature eicar at http://www.eicar.org/anti_virus_test_file.htm. Is the virus detected? If not, does it have the header "X-Scanner: exiscan for exim4"?

Remember that what happens on detection is determined by the exiscan_av_action setting. If it is set to redirect, check that address and see if it was delivered. Look at exim's logs to see what happened for the other settings. I suggest using the redirect setting for testing.

When you get the header but the virus was not detected, that means your scanner is not running (i.e. the options are not correct, so it fails). If you don't get the header, then the message is not passing through exiscan. Check your exiscan_condition and set it to just = 1 to force scanning for all types of messages.