Virus Protection

SurgeMail has a variety of mechanisms for integrating with commercial and free products .

• Integrated and efficient Avast scanner (windows / linux only)
• Efficient external scanners
• External SMTP scanner ("virus wall")
• Arbitrary command line scanner (deleting message or return code)

Any of these mechanisms can be used but it is recommended that Avast is used as this is closely integrated with surgemail, is efficient and is less prone to errors under load.

Integrated and efficient Avast scanner (windows / linux only)

Avast is an integrated, efficient and cost effective virus scanner produced as third party product developed and maintained by ALWIL Software.

Click here to install Avast (there is a free trial license so you can get it going immediately)

If you wish to continue running Avast an avast license must be purchased from Netwin (contact : sales@netwinsite.com).

Under windows avast is integrated using a DLL that is loaded if required and on linux avast is integrated using a "g_virus_filter" external vpipe scanner. A variety of performance and usage statistics are available on the advanced status page / tellmail status output.

Efficient external scanners

SurgeMail has a interfaces that allows external scanners to be efficiently run (as a daemon / running executable) so that surgemail does not have to run an executable for each message processed. These require the virus scanner to support the required specialised syntax, most commercial scanners do not support this syntax.

• vpipe virus filter (g_virus_filter)

Originally setup as surgemail's primary antivirus interface, but is also very useful to integrate custom spam prevention tools. This allows you to run one or more virus checkers or filters that takes commands on stdin and response on stdout using simple command line syntax:

- Surgemail send filter : "nn scan <message file> <envelope file> "

- Filter responds: "nn CLEAN comment " or "nn REJECT comment"

where: nn would be a numeric command identification, message file a file containing the email message including all headers and envelope file a three line file containing RCPT, MAIL FROM address and sender's IP address as follows:

-- start of file --
To: <marijn@destdomain.com>
From: <marijn@sourcedomain.com>
IP: 127.0.0.1
--end of file --

eg.
d:\surgemail\rav8\bin\ravdmail.exe

1 scan c:\temp\test.txt c:\temp\test.env
1 CLEAN c:\temp\test.txt that was a good message
2 scan c:\temp\test.txt c:\temp\test.env
3 REJECT c:\temp\test.txt contained a virus

• FProt daemon interface

Surgemail will interface directly to the fprot daemon as described.

External SMTP scanner

External smtp scanners (sometimes called "virus wall" scanners) can be used by surgemail. If this kind of scanner is used it is _strongly recommended_ to let surgemail receive the mail from the internet, and then have surgemail pass all mail through the external virus scanner before delivering this locally. This will allow you to make full use of surgemail's spam prevention measures - primarily measures such as SPF, RBL etc that use sender's IP address. If mail is passed through the external scanner BEFORE it gets to surgemail, surgemail will see the external scanners ip address for all inbound mail.

This is configured using gateway rules as follows:

g_gateway domain="*" to="scanner.ip" user="" pass="" relay="false" check="" sms="" local="TRUE" g_gateway_ifnot "scanner.ip" g_gateway_ignorewild_ip "scanner.ip" g_relay_allow_ip "scanner.ip"

=> pass all mail to scanner* => deliver local deliveries if from scanner => deliver remote deliveries if from scanner => allow scanner to send outbound scanned messages

* notes: local="TRUE" means "only accepts mail for local domain if the account exists" and relay="FALSE" means "only accept outbound mail if using smtp authentication or other relay enabling setting" - this is called "restricted relay" in the web admin interface)

Mail getting gatewayed to specific domains through the use of the standard gateway rules can also be scanned. To configure this make sure you have the external smtp scanner setup as described above and the wildcard scanner g_gateway rule is before any gatewayed domains to make sure gatewayed mail is sent to the scanner before the normal gateway rule is matched.

g_gateway domain="*" to="scanner.ip" user="" pass="" relay="false" check="" sms="" local="TRUE"
g_gateway domain="gateway.domain" to="dest.server" user="" pass="" relay="" check="TRUE" sms="" local=""

Arbitrary command line scanner (deleting message or return code)

SurgeMail has the ability to integrate with a variety of other external scanners. These are all less efficient as a separate external process gets executed for each message that passes through the system

• g_virus_cmd

If defined the mail server will extract MIME parts in a multi part message and run the virus scanner over the extracted file. The command line can include $FILE$ which will be replaced with the actual file name of the extracted part. An intelligent cache is used so mailing lists, etc, will not require running the virus scanner on every message sent.

If you set this to "do_not_run" then SurgeMail will extract the MIME parts but not actually run any program, some virus scanners scan all files on the system so the file is deleted magically and SurgeMail will notice and bounce the message.

If your scanner supports the returning of return codes if a virus is found then you should use g_virus_cmd_codes with this setting as this is more reliable than having to detect if a file is deleted and also means also will work on viruses in archives which a lot of scanners won't delete.

• g_virus_cmd_codes

This lets SurgeMail listen to the return codes from g_virus_cmd and if the return code matches one specified in this command then it will assume its a virus and reject the message. This is often more reliable than detecting only by using g_virus_cmd as some virus scanners do things a bit differently. Also a lot of scanners won't delete archives containing viruses so this is the best way if your scanner supports it.

How do I configure surgemail using "Scanner X"

Many scanners they can be integrated in one of several ways dependent on how the scanner is configured. You should double check the virus scanning documentation to check the error codes given in the examples is still up to date.

Virus Scanner	Platform	Scanner (surgemail.ini entry)
Avast Recommeded!	Windows	Use web admin tool to enable
	Unix	Available on Linux only
	Comments: Highly recommended, fully integrated for ease of installation and performance. Note: "Avast! for SurgeMail" based on ALWIL Software antivirus technology. To enable go to the Avast section of the web admin tool (see details), but first purchase the 'Avast' license option from NetWin and re-activate your registration.
ClamAV	Unix	Note: we recommend avast for any serious load, it is more efficient and more reliable The best way to run ClamAV with SurgeMail is to use the scripts provided by one of our users. Instructions and downloads can be found here for the scripts (SCAVS) http://www.inoc.net/~dev/surgemail/scavs/ Or you can use the following lines but on busy systems you could run into problems with too many channels being tied up waiting for ClamAV to finish. Check the path below using 'whereis clamdscan' it may be /usr/bin/clamdscan Next in /etc/clamd.conf set clamd to run as user 'mail' and then restart clamd, you will need to set the ownership of the clamd directories to 'mail' too, e.g. chown -R mail /var/clamav (do this for all the paths in clamd.conf) cd /etc/init.d ./clamd stop ./calmd start g_virus_cmd "/usr/local/bin/clamdscan --stdout --no-summary --remove $FILE$" or g_virus_cmd "/usr/bin/clamdscan --stdout --no-summary --remove $FILE$" g_virus_cmd_codes "1"
	Comments: Free!, opensource,supports many UNIX platforms Set up the daemon (read clamav instructions) If you have a ramdisk then clamd will go faster if you make it use the ramdisk for it's temporary directory. YOU MUST SETUP THE DAEMON FIRST, or it will still run but be very slow and cause problems for SurgeMail.
Command Antivirus	Windows	*
	Unix	g_virus_cmd "/usr/bin/csav -delete $FILE$"
	Comments: We recommend avast for any serious load, it is more efficient and more reliable
F-Prot (daemon scanning)	Windows	N/A
	Unix (Daemon Mode, not available for Windows)	g_virus_fprot "11200"
	Comments: Full daemon support, very fast, the setting is the port the daemon runs on. You must also install the daemon for this to work, see g_virus_fprot
F-Prot (command line scanning)	Windows	g_virus_cmd "c:\progra~1\fsi\f-prot\fpcmd.exe $FILE$ /auto /delete /archive /silent" g_virus_cmd_codes "3,6,8"
	Comments: Command line scanning, We recommend avast for any serious load, it is more efficient and more reliable
McAfee	Unix	g_virus_cmd "/usr/local/uvscan/uvscan  --analyze  --mailbox --mime --program  --secure --unzip --noboot --delete $FILE$" g_virus_cmd_codes "12,13"
	Comments: instructions from a user, We recommend avast for any serious load, it is more efficient and more reliable
Norton Antivirus	(demand mode)	g_virus_cmd "c:\program files\navnt\navwnt.exe /noresults $FILE$" g_virus_cmd_sleep "3000"
	(always scanning) real time scanning	g_virus_cmd "do_not_run" g_virus_cmd_sleep "3000"
	If you have Norton's setup already and it scans files as you access them then use the real time scanning option otherwise use demand mode. Norton is best avoided for mail servers! We recommend avast for any serious load, it is more efficient and more reliable
Sophos	Windows	g_virus_cmd "c:\programs\Sophos SWEEP for NT\sav32cli -s -nc -remove -archive $FILE$" g_virus_cmd_codes "3"
	Unix	g_virus_cmd "/usr/local/bin/sweep -s -nc -remove -archive $FILE$" g_virus_cmd_codes "3"
	Comments: A very well known and respected virus checker that is available for a wide variety of platforms, is well suited for SurgeMail with its on demand scanning utility - Sweep. We recommend avast for any serious load, it is more efficient and more reliable
TrendMicro	Windows	g_virus_cmd "c:\sysclean\vscantm.bin /nbpm /D /Q /NM /NB $FILE$" g_virus_cmd_codes "1"
	Instuctions: Use this link to find out how to setup Trend for command line scanning. http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=17058
NOD32	Windows	g_virus_cmd "c:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe /no-log-console /clean-mode=delete $FILE$"
	Comments: We recommend avast for any serious load, it is more efficient and more reliable
RAV antivirus for DMAIL	Windows	g_virus_filter cmd="c:\surgemail\rav8\bin\ravdmail.exe"
	Unix	g_virus_filter cmd="/opt/rav/bin/ravdmail" type=""
	Comments: RAV is no longer being sold as a product (this is here for the benefit of existing RAV users)

* This configuration has not been explicitly tested. If you have experience with a virus scanner that is not listed here please let us know so we can help others in their server configuration efforts.