MailScanner Installation Guide - Exim

How mailscanner works with Exim

Exim Configuration

From the Exim FAQ:

Accepting and delivering a message are two entirely separate, independent processes, which communicate only by writing/reading the message on the disc.

MailScanner separates these two parts even further, by requiring them to use separate queues. Incoming mail is accepted into one queue, and outgoing mail is sent only from the other queue. The only way mail can get from one queue to the other is through the mailscanner.

Since there is no way to tell Exim to use two separate queues in this manner, we have to use two separate Exim processes. Each of these processes must have its own configuration file, so that the spool directories can be different. The spool directory to use is specified using the spool_directory configuration option.

To ensure that all mail is scanned, the "accepter" process (which accepts incoming messages from the network, or from the local command-line) must be prevented from actually sending any mail out, at least in normal use. This implies that we *must* use the compiled-in default path for the exim config file for the accepter process -- otherwise local users would evade the mailscanner when sending mail using the command-line interface to exim. Don't forget that many MUAs will also use the command-line interface without specifying a path for the config file, so this really is a must.

To prevent deliveries, you can either set "queue_only" to be true, or add the following director:

    defer_director:
      driver = smartuser
      new_address = :defer: All deliveries are deferred
      verify = false

...and the following router:

    defer_router:
      driver = domainlist
      self = defer
      route_list = "*  127.0.0.1  byname"
      verify = false

...or in Exim 4:

    defer_router:
      driver = dnslookup
      self = defer
      transport = remote_smtp
      route_list = "*  127.0.0.1  byname"
      verify = false

...to your exim.conf. Each should be the first entry in its own section. If your current config file is ugly, unreadable and incomprehensible, you can find the start of the directors section by looking for the second line in the file that just says "end" on its own. The directors start immediately after that. The routers start immediately after the third such line. At least, that's true for the version of Exim I'm currently using (the Debian package of Exim 3.12).

If you elect for the "queue_only" option, you (and any local users) will be able to force mail to be delivered without being passed through the mailscanner by issuing a command such as "exim -qf".

If you elect for the extra director and router, you (and your users) will not be able to bypass the mailscanner. Well, not so easily, at any rate.

You need to start the outgoing Exim daemon without it attempting to provide any SMTP service on port 25. You can do this by starting it up without the "-bd" on the command line, so a command like "exim -q30m" will do it.

Finally (for Exim), you will need to clean up the "accepter" Exim's retry database regularly. To do this, you need to run the "exim_tidydb" command periodically (once a day at a quiet time is good). The exact command I use is:

    exim_tidydb -t 0m /var/spool/exim_incoming retry >/dev/null

I run this once a day from a crontab.

MailScanner Configuration

MailScanner itself needs to know how to invoke Exim to send mail; it does this to send warning messages to the sender, recipients and postmaster when a virus is detected, and to initiate an immediate delivery attempt for a message once it has been placed in the outgoing queue. There are two settings in the mailscanner configuration that tell it how to invoke a mailer (in this case Exim), one for each of these cases.

The "Sendmail" setting is used to send mail that has been freshly created by mailscanner (warnings). You may want to set this such that it will be placed in the "incoming" queue so that it will be scanned before going out.

The "Sendmail2" setting is used to initiate a delivery attempt for a message that has just been scanned. It defaults to being the same as the "Sendmail" setting.

Example (running as daemon)

The Exim binary is located in /usr/sbin. Exim has been running as a daemon using the configuration file /etc/exim.conf. It has been started at boot-time, invoked as "/usr/sbin/exim -bd -q30m". The current spool directory is /var/spool/exim.

Copy the file /etc/exim.conf to /etc/exim_outgoing.conf (or whatever you want to call it).

Edit the file /etc/exim.conf -- add the following two lines in the main configuration section at the top of the file:

    spool_directory = /var/spool/exim_incoming
    queue_only = true

This next step is optional, but recommended. Add the following director to /etc/exim.conf, at the top of the directors section (that's right after the second "end" line in the file, as described above)...

    defer_director:
      driver = smartuser
      new_address = :defer: All deliveries are deferred
      verify = false

Add the following router to /etc/exim.conf, at the top of the routers section (right after the third "end" line in the file, as described above)...

    defer_router:
      driver = domainlist
      self = defer
      route_list = "*  127.0.0.1  byname"
      verify = false

Note that locations may vary in different versions of Exim, so make sure that I'm right about where the directors and routers go in your config file.

You should also set up a cron job to tidy up the "accepter" Exim's retry database every so often. The command should be something like:

    /usr/sbin/exim_tidydb -t 0m /var/spool/exim_incoming retry

Exactly what you put in your crontab file and where you put it will vary from system to system, so I won't try to tell you exactly how to do it here. Just make sure that it runs, say, once a night.

Edit your system startup scripts so that two Exim processes are started, as below:

    /usr/sbin/exim -bd
    /usr/sbin/exim -C /etc/exim_outgoing.conf -q30m

Set up mailscanner with

    MTA                = exim
    Sendmail           = /usr/sbin/exim
    Sendmail2          = /usr/sbin/exim -C /etc/exim_outgoing.conf
    Incoming Queue Dir = /var/spool/exim_incoming/input
    Outgoing Queue Dir = /var/spool/exim/input

...and check the rest of the mailscanner configuration carefully to make sure it is appropriate for your system.
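The whole point of the "accepter" configuration above (own spool_directory, queue_only, and a defer director/router placed first in their sections) is that no mail can leave without passing through the mailscanner. The following script is an added example, not part of this guide or of Exim itself: it checks an Exim 3 style exim.conf for those safeguards, using the "second end / third end" layout described earlier to locate the directors and routers sections, and runs against a small constructed config plus a deliberately broken copy.

```sh
# Added example (not from the MailScanner guide or the Exim project): check an
# Exim 3 style exim.conf for the "accepter" safeguards the guide describes.
# Sections in such a file are separated by lines that just say "end".
# Print the first non-comment, non-blank line of section $1 (1 = main) of file $2.
section_first_entry() {
    awk -v want="$1" '
        /^end[[:space:]]*$/ { sec++; next }
        sec + 1 == want && !/^[[:space:]]*#/ && !/^[[:space:]]*$/ { print; exit }
    ' "$2"
}

# Report each missing safeguard; return 0 only if all are present.
check_accepter_conf() {
    conf=$1 rc=0
    grep -Eq '^[[:space:]]*queue_only[[:space:]]*=[[:space:]]*true' "$conf" ||
        { echo "missing: queue_only = true"; rc=1; }
    grep -Eq '^[[:space:]]*spool_directory[[:space:]]*=' "$conf" ||
        { echo "missing: spool_directory (accepter needs its own spool)"; rc=1; }
    case $(section_first_entry 3 "$conf") in   # directors follow the 2nd "end"
        defer_director:*) ;;
        *) echo "first director is not defer_director"; rc=1 ;;
    esac
    case $(section_first_entry 4 "$conf") in   # routers follow the 3rd "end"
        defer_router:*) ;;
        *) echo "first router is not defer_router"; rc=1 ;;
    esac
    return $rc
}

# Constructed minimal config in the guide's layout (empty transports section).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
spool_directory = /var/spool/exim_incoming
queue_only = true
end
end
defer_director:
  driver = smartuser
  new_address = :defer: All deliveries are deferred
end
defer_router:
  driver = domainlist
  self = defer
  route_list = "*  127.0.0.1  byname"
end
EOF
# Broken variant: queue_only dropped and another director placed first.
sed -e '/^queue_only/d' -e 's/^defer_director:/localuser:/' "$GOOD_CONF" >"$BAD_CONF"
check_accepter_conf "$GOOD_CONF" && echo "accepter config looks safe"
```

Point check_accepter_conf at your real /etc/exim.conf (the accepter's config) after editing; it prints one line per missing safeguard and exits non-zero if any is absent.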

Example (running from inetd & cron)

The Exim binary is located in /usr/sbin. Exim has been run by inetd (to accept incoming mail) and cron (to run over the queue) using the configuration file /etc/exim.conf. The current spool directory is /var/spool/exim.

Copy the file /etc/exim.conf to /etc/exim_outgoing.conf (or whatever you want to call it).

Edit the file /etc/exim.conf -- add the following two lines in the main configuration section at the top of the file:

    spool_directory = /var/spool/exim_incoming
    queue_only = true

This next step is optional, but recommended. Add the following director to /etc/exim.conf, at the top of the directors section (that's right after the second "end" line in the file, as described above)...

    defer_director:
      driver = smartuser
      new_address = :defer: All deliveries are deferred
      verify = false

Add the following router to /etc/exim.conf, at the top of the routers section (right after the third "end" line in the file, as described above)...

    defer_router:
      driver = domainlist
      self = defer
      route_list = "*  127.0.0.1  byname"
      verify = false

Note that locations may vary in different versions of Exim, so make sure that I'm right about where the directors and routers go in your config file.

You should also set up a cron job to tidy up the "accepter" Exim's retry database every so often. The command should be something like:

    /usr/sbin/exim_tidydb -t 0m /var/spool/exim_incoming retry

Exactly what you put in your crontab file and where you put it will vary from system to system, so I won't try to tell you exactly how to do it here. Just make sure that it runs, say, once a night.

Edit your crontab or cron scripts so that exim is started with a specific configuration file, as below:

    /usr/sbin/exim -C /etc/exim_outgoing.conf -q

You do not need to change the invocation of exim in inetd.conf.

Set up mailscanner with

    MTA                = exim
    Sendmail           = /usr/sbin/exim
    Sendmail2          = /usr/sbin/exim -C /etc/exim_outgoing.conf
    Incoming Queue Dir = /var/spool/exim_incoming/input
    Outgoing Queue Dir = /var/spool/exim/input

...and check the rest of the mailscanner configuration carefully to make sure it is appropriate for your system.


Julian Field