Simscan
From Qmailtoaster
Disclaimer: Most of the following is selectively copied from the fine folks at Inter7 (Reference: http://www.qmailwiki.org/Simscan/Guide). What goes here are the essentials to help you understand simscan and how to tweak the toaster to your liking/needs. Things in the Inter7 documentation, such as compile-time options, are omitted, because the qmail-toaster team has already taken care of those for us.
Simscan: what is it? Simscan was written for people who need a fast and efficient way to do virus scanning, SpamAssassin processing or attachment blocking. Simscan is less than 100K and uses only the standard system libraries, so it loads and runs much faster than the other well-known option for pre-processing, qmail-scanner.
Simscan: control files? Located in /var/qmail/control, simcontrol is the one and only file you need to edit to enable and control these three features: ClamAV, SpamAssassin and attachment blocking. Simscan reads its settings from simcontrol.cdb and simversions.cdb and uses that information to scan and mark mail. Rebuild the cdbs any time you change the simcontrol file or update SpamAssassin or ClamAV by executing:
# /var/qmail/bin/simscanmk
# /var/qmail/bin/simscanmk -g
They say you do not have to stop the toaster to build these files. Rebuilding ensures simscan is using the current simcontrol file and marking (in the email headers) the currently installed versions of SpamAssassin and ClamAV.
I cannot seem to remember the commands to rebuild the cdbs, so I bashed up a script to do it for me, automagically. Put it in /etc/cron.hourly; this way all your cdbs are never more than an hour old.
#!/bin/bash
# Rebuild simcontrol.cdb from /var/qmail/control/simcontrol
/var/qmail/bin/simscanmk
sleep 2
# Rebuild simversions.cdb with the installed ClamAV/SpamAssassin versions
/var/qmail/bin/simscanmk -g
sleep 2
# Rebuild the qmail-smtpd bad-loader and bad-MIME-type cdbs
/var/qmail/bin/qmail-badloadertypes
sleep 2
/var/qmail/bin/qmail-badmimetypes
sleep 2
# Rebuild the tcp.smtp rules cdb
qmailctl cdb
#eof
WORKSFORME. (Don't forget to chmod +x the file you save it as, like I did.)
Stock 1-line simcontrol file
Your fresh toaster-install simcontrol file would look very much like this:
:clam=yes,spam=yes,spam_hits=12,attach=.exe:.pif:.scr
Breaking this down, using parentheses () for clarity:
(:) the default rule; a line that starts with a bare colon applies to everything not matched by a more specific (address or domain) rule
(clam=yes) scan with clamd
(spam=yes) scan with spamd
(spam_hits=12) a message whose spam score reaches 12 or greater is rejected rather than delivered
(attach=.exe:.pif:.scr) block messages carrying attachments with these extensions
If that is the only rule in simcontrol, every mail for every recipient on every domain the toaster accepts is processed with those parameters.
The order of precedence for simcontrol file processing is:
email address (overrides all)
domain (overrides default)
default (only used if not overridden by domain or email address)
Lets get complicated (1 file, 3 lines):
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
:clam=yes,spam=yes,spam_hits=5
Breaking this down:
--mail specifically for postmaster@example.com gets clamd and blocked attachments for .com and .txt, no spamd
--mail for every other user at example.com gets spamd and blocked .mp3 files, no clamd
--all mail not matched by the first two lines gets clamd and spamd, with messages reaching a spam score of 5 rejected, and no attachment blocking; that applies to every domain accepting mail on the toaster.
A matching line is used on its own, it is not merged with the default line, so put spam_hits on every line that should reject on score.
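To make the precedence rules concrete, here is an added example (not simscan's own code and not from the Inter7 guide) that emulates the lookup order in Python against the three-line file above: address first, then domain, then the default line. Lower-casing of recipients, the handling of a line that lacks an option, and the "score at or above spam_hits" comparison are this emulator's assumptions; verify them against your own simscan before relying on them.

```python
# Added example: emulates simscan's simcontrol lookup order in Python.
# Not simscan's code; lower-casing of recipients, the handling of a missing
# option and the ">= spam_hits" comparison are this example's assumptions.

# Constructed input: the three-line simcontrol file discussed above.
SIMCONTROL = """\
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
:clam=yes,spam=yes,spam_hits=5
"""


def parse_simcontrol(text):
    """Return {key: {option: value}}; key is an address, a domain, or '' for the default line."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The first ':' separates the address/domain from its options;
        # later ':' characters belong to the attach= extension list.
        key, _, opts = line.partition(":")
        rule = {}
        for item in opts.split(","):
            name, _, value = item.partition("=")
            if not name:
                continue
            if name == "attach":
                rule[name] = [ext.lower() for ext in value.split(":") if ext]
            else:
                rule[name] = value
        rules[key.lower()] = rule
    return rules


def lookup(rules, recipient):
    """Most specific match wins: address, then domain, then default.
    The matching line is used as-is; nothing is merged in from the default line."""
    recipient = recipient.lower()
    if recipient in rules:
        return rules[recipient]
    domain = recipient.partition("@")[2]
    if domain in rules:
        return rules[domain]
    return rules.get("")  # None when the file has no default line


def resolve(text, recipient):
    """Convenience: parse and look up in one call."""
    return lookup(parse_simcontrol(text), recipient)


def rejects_on_score(rule, score):
    """True when this rule would reject a message with the given SpamAssassin score:
    spam=yes and a spam_hits threshold must both be present on the line."""
    if rule is None or rule.get("spam") != "yes" or "spam_hits" not in rule:
        return False
    return score >= float(rule["spam_hits"])


if __name__ == "__main__":
    for rcpt in ("postmaster@example.com", "alice@example.com", "bob@other.org"):
        print(rcpt, "->", resolve(SIMCONTROL, rcpt))
```

Running it prints the effective rule for each of the three cases in the breakdown; note that alice@example.com ends up with no spam_hits at all, because the example.com line does not set one and nothing is inherited from the default line.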
Regex matching is supported in the toaster and would be configured in simcontrol; see http://www.qmailwiki.org/Simscan/Guide (I don't know nuthin 'bout it).
About Extension Blocking
You need to consider what your users will be sending and decide which extensions to block. Of course, it seems to me that they can get around this by zipping the files up, so this is not a failsafe, hard-and-fast way to secure your mail domain. Note that you add extensions to block as: (dot)(extension letters)(:)
NOTE: the (:) here is a separator; the trailing (:) after the last extension is not required.
Here is a list to save you some typing and give you ideas of files to block:
.ade:.adp:.app:.asd:.asf:.asp:.asx:.avi:.bas:.bat:.bin:.chm:.cil:.cla:.class:.cmd:.com:.cpl:.crt:.csh:.css:.dll:.dot:.email:.eml:.exe:.fxp:.hlp:.hta:.htm:.html:.inf:.ins:.isp:.js:.jse:.ksh:.lnk:.mda:.mdb:.mde:.mdt:.mdw:.mdz:.mov:.mp3:.mpe:.mpeg:.mpg:.msc:.msi:.msp:.mst:.nws:.ocx:.ops:.pcd:.pif:.pl:.pm:.pot:.pps:.prf:.prg:.ps:.rar:.reg:.scf:.scr:.sct:.shb:.shm:.shs:.url:.vb:.vbe:.vbs:.vxd:.wav:.wmd:.wmf:.wms:.wmz:.wsc:.wsf:.wsh:.wsz:.xsl:.xlt:.xlw:
(paste it as the value of attach= on a single line; the list is shown without line breaks here because simcontrol does not allow any inside a rule)
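To see what an attach= list does and does not catch, here is an added example (not simscan's code and not from the Inter7 guide) that parses an attach= value, checks the file names of a MIME message's attachments against it, and then looks inside a zip attachment to show the bypass mentioned above. The suffix comparison and the case-insensitive match are this example's assumptions about how names are compared, not a description of simscan's internals; the sample messages and payload bytes are constructed for the example.

```python
# Added example: checks a MIME message's attachment file names against a
# simcontrol attach= list, and shows what such a rule cannot see inside a zip.
# Not simscan's code; the suffix comparison and case-insensitive matching are
# this example's assumptions, not a statement of how simscan compares names.
import io
import zipfile
from email.message import EmailMessage


def parse_attach(value):
    """'.exe:.pif:.scr:' -> ['.exe', '.pif', '.scr']; a trailing ':' is harmless."""
    return [ext.lower() for ext in value.split(":") if ext]


def attachment_names(msg):
    """Every attachment file name declared in the message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def blocked_attachments(msg, blocked_exts):
    """Names whose extension (case-insensitively) is on the block list."""
    return [name for name in attachment_names(msg)
            if any(name.lower().endswith(ext) for ext in blocked_exts)]


def names_inside_zips(msg):
    """What an extension rule never looks at: file names inside .zip attachments."""
    inner = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                inner.extend(zf.namelist())
        except zipfile.BadZipFile:
            pass  # not a real archive; an extension rule would not know either way
    return inner


# Constructed sample messages; the payloads are placeholder bytes, not real files.
def build_message(filename, payload, maintype="application", subtype="octet-stream"):
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def zip_wrapping(inner_name, inner_bytes):
    """Build an in-memory zip containing one file, the way a user would bypass the rule."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


STOCK_ATTACH = parse_attach(".exe:.pif:.scr")
EXE_MAIL = build_message("Invoice.EXE", b"MZ placeholder")
ZIP_MAIL = build_message("invoice.zip", zip_wrapping("invoice.exe", b"MZ placeholder"),
                         "application", "zip")

if __name__ == "__main__":
    print("blocked:", blocked_attachments(EXE_MAIL, STOCK_ATTACH))   # ['Invoice.EXE']
    print("blocked:", blocked_attachments(ZIP_MAIL, STOCK_ATTACH))   # [] - the rule sees only invoice.zip
    print("inside zip:", names_inside_zips(ZIP_MAIL))               # ['invoice.exe']
```

The third line of output is the point: the extension rule passes invoice.zip untouched even though it carries the very .exe the stock list blocks. If that matters for your domain, either add .zip and .rar to attach= (and accept the user complaints) or rely on the ClamAV scan, which does look inside archives.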
ALSO RELATED
Located in /etc/tcprules.d, tcp.smtp is the tcpserver rules file for the SMTP service: it matches incoming connections by client IP address (your own and relaying hosts versus everyone else) and sets environment variables for each match, which is where simscan is switched on for a connection (QMAILQUEUE) and where the chkuser recipient checks, the DomainKeys settings and many other functions are configured. This simple-looking file is really complex in the instructions it contains and requires further examination. Watch for a more definitive explanation in a new sub-topic coming soon.