Solved

Confused about Mailscanner

Posted on 2004-04-09
7
692 Views
Last Modified: 2008-02-01
I know what some of you are thinking: "no, not this dork again". Sorry, it's my obsessive personality, I can't help it :)

I have a few questions to ask and maybe a few more depending on the answers I get. If it gets too involved or you feel it's worth more than 500 points then don't hesitate to let me know, I will gladly open up a new post if needed :)

I have been running a postfix+spamassassin+procmail (sitewide setup with /etc/procmailrc) setup with Maildir. I would like to use Mailscanner but I am having a hard time understanding how my setup needs to adapt for Mailscanner to fit in. I have a few questions:

I do not need procmail anymore for the MDA, right? If I do not need procmail anymore, how does spam that is tagged by spamassassin and Mailscanner get put in ~/Maildir/.spam/cur?
Or do I still need procmail?

I really like how spamassassin tags spam and scores and reports on its results. How does mailscanner work? When mail arrives it gets scanned by mailscanner, but then what? Let's say that it is spam and it gets tagged as such. Does it then get passed on to spamassassin for scanning also? See, this is the part that is confusing to me. Would someone mind explaining to me how this works?

I am more interested in Mailscanner for filtering out mail with specific attachments than anything else at this point. The file filetype.rules.conf, from what I understand, controls all of this. For example, can I just do "deny exe" instead of "deny executable"?

Thanks,
AD
0
Question by:illtbagu
7 Comments
 
LVL 7

Accepted Solution

by:
troopern earned 250 total points
MailScanner is a neat tool for spam filtering, indeed.

1.
Setting up MailScanner with postfix requires you to set up 2 daemons of postfix to be running. One for receiving mails, sending them to MailScanner for filtering. And when that's done, MailScanner sends it to the next daemon that will take care of the maildir delivery.

2.
MailScanner works like following:
It uses SpamAssassin for scanning spam mails. It is capable of spam scanning itself, but I don't really know the effectivity of that function since I've always used SpamAssassin with my MailScanner setups. In short: MailScanner uses SpamAssassin, and doesn't send to SA afterwards.

3.
Denying executable probably means denying .exe, .com and other executable file formats.
You should be able to do a "deny exe" without a doubt. But as far as I'm concerned it's bundled into "executable", since .exe is an executable filetype =).

I hope this helps you understanding MailScanner, I'm willing to answer more questions that might come up.
0
 
LVL 1

Author Comment

by:illtbagu
I have 2 postfix daemons setup and running, mailscanner is setup and tagging the headers.

When I think of executable I think of
bat|cmd|com|js|jse|msi|msp|ocx|pif|reg|scr|vb|vbe|vbs|wsc|wsf|exe
I have procmailrc set up on my home email server to delete any mail with these types of attachments and it works great. I will just use Mailscanner to do this for me now.

What antivirus works best with Mailscanner? What antivirus is the easiest to set up?

Here is how I picture things working as of right now without mailscanner
postfix ---> procmail ---> Maildir
                           |
                           |---------- > spamassassin

Here is how I picture things working with mailscanner
postfix.in ---> Mailscanner ---> postfix ---> procmail ---> Maildir
                                  |
                                  |---------- > spamassassin

I would still need to use procmail if I would like all detected spam to get delivered to the users' spam box. I didn't hear any arguments otherwise, so I will just assume this is the standard way of doing things with mailscanner.

I can just call out procmail to be used in this file /etc/postfix/main.cf like so
mailbox_command = /usr/bin/procmail
Am I right?

Thanks for your help
0
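An added example, not code from the thread or from MailScanner: a small Python check that mirrors the filename part of the attachment denylist, using the extension list from the comment above. It builds a constructed sample message inline; MailScanner itself applies filename.rules.conf and filetype.rules.conf, this only illustrates the filename-extension check and its blind spot.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension denylist copied from the comment above (compared case-insensitively).
DENIED_EXTENSIONS = set(
    "bat cmd com js jse msi msp ocx pif reg scr vb vbe vbs wsc wsf exe".split()
)


def attachment_names(raw):
    """Return the filename of every MIME part that declares one
    (Content-Disposition filename= or Content-Type name=)."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def denied_attachments(raw):
    """Return attachment names whose final extension is on the denylist.

    Only the last extension counts, so 'Invoice.PDF.exe' is caught while
    'notes.exe.txt' is not; MailScanner's filetype.rules.conf (content
    sniffing with the file command) is the layer that catches renamed
    executables, which a name-only check like this one cannot.
    """
    hits = []
    for name in attachment_names(raw):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in DENIED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample():
    """Constructed test message: one clean and two denied attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample, not a real message"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment("plain text\n", filename="notes.txt")
    msg.add_attachment(b"\x00", maintype="application",
                       subtype="octet-stream", filename="setup.Scr")
    return msg.as_bytes()


if __name__ == "__main__":
    print(denied_attachments(build_sample()))  # ['Invoice.PDF.exe', 'setup.Scr']
```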
 
LVL 7

Expert Comment

by:troopern
Yeah, you can call procmail like that.

You can add custom filetypes that are not allowed in MailScanner; right now I don't exactly remember how to do that. Haven't got it on a machine within my reach, but the documentation that comes with MailScanner describes this well.

Procmail will probably be the best way of sorting messages to the users' spambox. I haven't set up a similar function in MailScanner myself yet.

Sorry for the late reply, I've been quite busy lately with studies and Easter celebration...
0
 
LVL 20

Expert Comment

by:Gns
Um, did you really look through the excellently commented /etc/MailScanner/MailScanner.conf file? Look at the section starting with
# What to do with spam
... Note that it is MailScanner that actually performs these actions (default is more or less "none"... in the disguise of "deliver" :-). Since it would be less than fruitful to let both spamassassin and MailScanner do spam RBL lookups, you should probably look at making sure only one does... ISTR MailScanner by default is configured to "do it itself" :).
Note that both filename and filetype checking come into play, so look through/adjust both.

And you shouldn't _need_ any particular procmail filters for what you want to do, but you can (of course:-) have 'em;)

-- Glenn
0
 
LVL 1

Author Comment

by:illtbagu
So then, if I don't need procmail, how can I get all spam that has been tagged to be put in a folder called spam in the user's mailbox? Before, procmail did this. Are you saying that Mailscanner can do this for me?
0
 
LVL 20

Assisted Solution

by:Gns
Gns earned 250 total points
Nono, either I read you wrong, or the other way around:-).
Procmail is still superior for "per user" delivery, but... why deliver confirmed spam, when there is such a remote possibility of "false positives"? All the alternative settings for handling spam in MailScanner can make sense ... depending on situation.
For example, dropping confirmed spam with a
High Scoring Spam Actions = delete
and perhaps notifying the recipient that suspected spam has been quarantined and is available upon request with a
Spam Actions = store notify
or perhaps just convert the message to an attachment to the warning message and deliver it with a
Spam Actions = attachment deliver
would be a workable solution. Still using procmail for the users' convenience... or the admin's :-)... to do further things with the message at local delivery.
It wouldn't make sense to remove procmail from the equation... It's too damn versatile a tool to give up :-). You/your users might still want to make arbitrary _other_ sortings of the incoming messages...
What I'm implying is that there are other ways of dealing with spam than a straight delivery... is all.

One good thing (in my book at least) is that MailScanner will enforce the same rules pretty much regardless of direction of the mail (incoming or outgoing), so even if you haven't done any "NDR-spamming measures" you'd still be pretty insulated (postfix'll be able to take care of that too... Of course... Especially if you've been smart enough to have configured recipient_maps (local and/or relay)).

BTW, I'm using clam for antiviral scanning, and (since I'm "fronting M-Sexchange") at local delivery also have virusscan in its "groupshield for exchange" guise. I'd rather drop M-Sexchange in the dustbin, but... well, corporate politics.. :-). Clam is very easy, as is the MailScanner config... :-). But from a MailScanner perspective _any_ AV program will do (well, noting the virusscan strangeness about links :-).

-- Glenn
0
 
LVL 1

Author Comment

by:illtbagu
Thanks
0