phloryde asked:

How do I integrate Linux Sendmail and Symantec AntiVirus for SMTP Gateways without MX records or port forwarding?

Here is my situation:

I have a Linux server (running Sendmail) acting as my gateway. I have a Windows server connected to the LAN running SAV4SMTPGW (Symantec AntiVirus for SMTP Gateways).

I would like Sendmail to check for the presence of a custom header and if it is not present, add it and try to send the message to SAV4SMTPGW. SAV4SMTPGW will scan the message and send the message back to Sendmail via SMTP (adds 2 extra hops to the message delivery).

If the custom header is already present when Sendmail receives a message (or SAV4SMTPGW is down for some reason), then deliver the message to its destination (if address locally, then deliver to Cyrus; if address externally, then deliver to the proper MX).

PS - I use SMTP with Authentication and TLS so my users can send email from anywhere they want and I can't lose that functionality.
jlevie

All of the ways that I can think of to do what you've asked in the question are really ugly and would require custom code to be written and integrated into Sendmail. However, there is another solution. And that would be to install MailScanner (http://www.mailscanner.info) on the Sendmail server, equip it with a virus scanner, and have the complete solution in one box. As a bonus you could have spam control, protection from the dangerous file types (.exe, .com, .pif, etc), and malicious content (ObjectCodeBase tags, etc).
phloryde (ASKER)

I'm interested in your solution even if you think it's really ugly. I don't have a problem with custom code. I've already modified our Sendmail configuration to add a custom header to all emails (although it doesn't really do me any good), so I'm comfortable adding custom code. I'm also getting the hang of understanding rules and macros.

Thanks for the MailScanner suggestion. I'll look into it, but I'm really into integrating SAV into our setup. Thanks much.
jlevie

The most promising approach will require two Sendmail MTA configs and a custom application. One MTA, listening on the standard SMTP port, will accept mail and place it in a queue without attempting delivery. A custom application will have to monitor that input queue, pick qf/df pairs from there, reconstruct each into a message and send it to SAV using its own SMTP engine. Another MTA, listening on a non-standard port, will accept the returned message from SAV and place the result in a queue without attempting delivery. That queue will have to be run periodically from cron with a sendmail configured for Cyrus delivery and using the standard SMTP port.

I don't see a way to do this with a single Sendmail config without incurring a mail loop. Well, with some pretty extensive modifications to the Sendmail sources I suspect it could be done safely. But that sounds like even more work and is fraught with the possibility of opening security holes.

phloryde (ASKER)

So even with a custom header (X-SAV-Scanned: Yes), there is no way I can have a single Sendmail config without the mail loop?

jlevie

I don't think it can be done safely, but it could be done. Consider the case where a message is received from the Internet, you add the custom header and attempt to send it to SAV, and for whatever reason the delivery is deferred. That message will be placed in the queue for the next queue run. When the queue is run the header is already present and thus it will be immediately delivered without ever having been scanned. There's also the risk of someone figuring out that you check for a custom header and sending you infected mails with that header present. That risk could be lessened if you could have SAV add a site-unique header to the message after it was scanned. However, the header would have to be unique to your site and I don't know if SAV can be configured to do that. I see viral infected messages that contain headers indicating that the message was supposedly scanned by one or more anti-virus gateways when I know for a fact that the message has not passed through a scanner.

Given the frequency of viral infected messages seen by a mail server I want to see everything scanned and I also want to see all of the dangerous file types quarantined. Quarantining the dangerous file types that can carry a viral payload provides protection against a newly released virus for which an anti-virus definition isn't yet available. In my mind the only way to guarantee that is to make the virus scanning an integral part of the mail stream process.
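The following is an added worked example for this thread; it is not code from the thread, from Sendmail or from Symantec. It models the custom queue-runner jlevie describes in the two-MTA design (read a qf/df pair from the first MTA's queue, rebuild the message, hand it to SAV over SMTP) and also shows one way to address the forged-header risk he raises without needing SAV to add anything: the value of the X-SAV-Scanned header from the question is an HMAC over the Message-ID under a site secret, stamped by the gateway before the message goes to SAV and verified when it comes back, so a bare "X-SAV-Scanned: Yes" supplied by an outside sender still goes to the scanner. The qf field handling follows the sendmail 8.12-era queue-file layout as I know it (S/R/H lines, `?flags?` prefix on headers, `.` terminator); the scanner host name and port, the secret, and the sample queue files are constructed assumptions. It does not remove the deferred-queue-run problem jlevie describes; that is what splitting the work across two MTA instances is for.

```python
"""Added example for this thread (not code from the thread, Sendmail or Symantec).

Reads a sendmail qf/df pair, rebuilds the message, decides whether it still
needs scanning, and if so stamps it with the X-SAV-Scanned marker and hands it
to SAV over SMTP.  qf handling follows the 8.12-era queue-file layout as I know
it; host names, ports, the secret and the sample files are assumptions.
"""
import email
import hashlib
import hmac
import smtplib

MARKER = "X-SAV-Scanned"
SITE_SECRET = b"replace-with-a-site-unique-secret"  # assumption: per-site secret


def parse_qf(text):
    """Return (sender, recipients, header_lines) from a qf control file."""
    sender, rcpts, headers = None, [], []
    for line in text.splitlines():
        if line == ".":                      # end of the control file
            break
        if line.startswith("S"):             # envelope sender
            sender = line[1:].strip().strip("<>")
        elif line.startswith("R"):           # envelope recipient
            rest = line[1:]
            # 8.12+ writes delivery flags before a colon ("RPFD:<user@host>");
            # older versions write the address directly after the R.
            lt, colon = rest.find("<"), rest.find(":")
            if colon != -1 and (lt == -1 or colon < lt):
                rest = rest[colon + 1:]
            rcpts.append(rest.strip().strip("<>"))
        elif line.startswith("H"):           # header line, optional ?flags? prefix
            rest = line[1:]
            if rest.startswith("?"):
                rest = rest[rest.index("?", 1) + 1:]
            headers.append(rest)
        elif line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line       # folded continuation of last header
    return sender, rcpts, headers


def reconstruct(qf_text, df_text):
    """Rebuild an email.message.Message from the qf headers and the df body."""
    sender, rcpts, headers = parse_qf(qf_text)
    raw = "\n".join(headers) + "\n\n" + df_text
    return sender, rcpts, email.message_from_string(raw)


def scan_token(msg):
    """Site-unique marker value bound to this message's Message-ID.
    Assumption: messages without a Message-ID share the token of the empty id."""
    mid = msg.get("Message-ID", "").strip()
    return hmac.new(SITE_SECRET, mid.encode("utf-8", "replace"), hashlib.sha256).hexdigest()


def already_scanned(msg):
    """True only if the marker carries the value this gateway stamped on it."""
    val = msg.get(MARKER, "").strip().encode("utf-8", "replace")
    return hmac.compare_digest(val, scan_token(msg).encode())


def decide(msg):
    """Return 'deliver' if the message came back from SAV with our marker intact,
    otherwise replace any outside-supplied marker with ours and return 'scanner'."""
    if already_scanned(msg):
        return "deliver"
    del msg[MARKER]          # removes every existing X-SAV-Scanned header, if any
    msg[MARKER] = scan_token(msg)
    return "scanner"


def route_queue_entry(qf_text, df_text):
    """Handle one qf/df pair: returns (verdict, sender, recipients, message)."""
    sender, rcpts, msg = reconstruct(qf_text, df_text)
    return decide(msg), sender, rcpts, msg


def decide_raw(raw_text):
    """Same decision for an already-assembled RFC 822 text, e.g. the copy SAV returns."""
    msg = email.message_from_string(raw_text)
    return decide(msg), msg


def send_to_scanner(sender, rcpts, msg, host="sav-gateway.example.internal", port=25):
    # assumption: SAV4SMTPGW listens on port 25 and relays the scanned copy back
    # to the second sendmail instance on its non-standard port
    with smtplib.SMTP(host, port) as s:
        s.sendmail(sender, rcpts, msg.as_string())


# constructed sample queue files (not real traffic)
SAMPLE_QF = """V8
T1077580000
S<sender@example.org>
RPFD:<user@example.com>
H??Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby gateway.example.com (8.12.11/8.12.11) with ESMTP id i1QABCDE
H??From: sender@example.org
H??To: user@example.com
H??Subject: constructed test message
H??Message-ID: <20040224.0001@example.org>
.
"""
SAMPLE_DF = "Hello, this is a constructed body.\n"

if __name__ == "__main__":
    verdict, sender, rcpts, msg = route_queue_entry(SAMPLE_QF, SAMPLE_DF)
    print(verdict, sender, rcpts, msg[MARKER])
    # send_to_scanner(sender, rcpts, msg)   # would hand it to SAV in a real setup
```

The token is computed by the gateway rather than by SAV, so it works even if SAV cannot be configured to add a site-unique header; the secret must never appear in outbound mail, and the marker should be stripped again before final delivery if you do not want to leak the scheme.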

phloryde (ASKER)

Could you post how I would configure Sendmail to do that. I'm willing to take the risk since I have client side protection in place. Even if an infected message bypasses SAV, the client should catch it when Outlook gets the message. I'm just trying to reduce the number of virus emails my staff has to deal with. Thanks.

jlevie

I can tell you what you'd need to do, but not what the lines of code would look like. You'd have to edit sendmail.cf and add a test just before a message would normally be passed to cyrus. That test would check for the special header and if it isn't present the message would be sent via SMTP to the virus scanner. Otherwise the rule would allow the message to fall through to cyrus.

ASKER CERTIFIED SOLUTION

Lunchy