HOW TO: Exim, Exiscan, & ClamAV

[wish]

I was keen on getting exiscan to work with CPanel, but I couldn't find much on it or many that had done it, so after working through it, I put this together as a cookbook for setting up exiscan on systems identical to ours.

I tried to include enough information so that others can puzzle it out for their own systems. Exiscan works like a charm for us, and I'm very happy with it. Your mileage may vary, of course.

The text is a bit too long for a post, so I've attached it as a file.

This is a work in progress...comments are encouraged.

 

[dario2]

Really great article, Wish! Thanks!

I've been using MailScanner (with McAffee's VirusScan), but it's a HUGE processor and memory hog, so I'm seriously considering moving to Exiscan. I've managed to create a patched Exim for Cpanel RPM. But, after I installed it, without even modifying the exim.conf file, Exim started rejecting e-mails, like this (domais and IP altered for privacy):

2004-05-04 02:25:25 H=(remote.mailserver.com) [64.11.11.11] F=<[email protected]> temporarily rejected RCPT <[email protected]>: cannot test verify in RCPT ACL

The e-mail queue grew wildly, so I had to return to my previous config. Question is: did you have the same problem? Do you know what that error is?

Thx!
-Dario

 

[wish]

Thanks.

No, I didn't see this problem. If exim is having trouble with verify in the RCPT ACL, first I'd look at what user your new RPM build is running under (not likely to be your problem, but...), then verify that the exim config file was not overwritten or that even a different one is being used by your new build.

 

[dario2]

Thanks for the help! Turns out that I applied patch

exiscan-acl-4.30-13

which had a bug! I reapplied patch version -14, which, in my defense, was not mentioned in the Exiscan changelog, and it worked.

-Dario

 

[tAzMaNiAc]

Does exiscan actually work with lower levels? I'd be interested in trying ths out if so. I use MailScanner and have noticed processor hogging with mailing lists..

Brenden

 

[tawfiq]

i am interested in why did u chosse exisan over MailScanner or if u considered MailScanner at all?

 

[wish]

Brenden: It's not so much that exiscan works at a lower level but that it works at SMTP connect, instead of after mail has been accepted. Scanning during the SMTP dialog seems to be less resource intensive on several levels.

tawfiq: MailScanner is excellent, best-in-class even. Our current server was seeing what Brenden was seeing: high cpu loads. We wanted to see if exiscan could help us. So far it has, though I don't have anything but anectdotal evidence, no hard tests, since our server isn't up to full load yet.

I'd be very interested to hear what others experience if they decide to try exiscan.

 

[maras]

# wget http://diff.cpanel.net/exim-cpanel7...tmpcontrol_antivirus_rewrite_mailman2.src.rpm
# rpmbuild --recompile exim-4*

bash# rpmbuild --recompile exim-4*
bash: rpmbuild: command not found

I use FreeBSD. Ports does not contain rpmbuild ;(

 

[chrisbond]

BTW Nicks just released exim 4.34 that includes the exiacl patches. So you can skip a lot of the steps. I might update it later today if i get chance.

 

[rs-freddo]

Originally posted by chrisbond
BTW Nicks just released exim 4.34 that includes the exiacl patches. So you can skip a lot of the steps. I might update it later today if i get chance.

I would be interested in how to use exiscan with the new 4.34

 

[Valetia]

Originally posted by rs-freddo
I would be interested in how to use exiscan with the new 4.34

Same here, any updates?

 

[anand]

I got it working perfectly fine with the new exim. I have the auto installer also ready on this. Just finishing my notes, once done i will post everything here.

 

[casey]

Originally posted by anand
I got it working perfectly fine with the new exim. I have the auto installer also ready on this. Just finishing my notes, once done i will post everything here.

anand, could you also post what the advantages/disadvantages are to this over mailscanner? Does exiscan come with quarantine functions and the like? Does it add {virus?} or some other text to e-mails? Can it be customized?

Sorry. I'm too lazy to test it myself.

 

[anand]

Originally posted by casey
anand, could you also post what the advantages/disadvantages are to this over mailscanner? Does exiscan come with quarantine functions and the like? Does it add {virus?} or some other text to e-mails? Can it be customized?

Sorry. I'm too lazy to test it myself.

hey casey

The only thing i can say is the advantages are very serious, i got this running on 10 servers till now and on all servers i saw improvement on cpu loads. Mailscanner was choking the server with mail traffic increasing, atleast with this the load is reduced.

As for quarantine, understand this, the patch allows you to reject mail at the MTA level, so basically the mail doesn't enter your queue. This helps in reducing the load on the server considerably.

Let me know if i confused you.

 

[rs-freddo]

Originally posted by anand
I got it working perfectly fine with the new exim. I have the auto installer also ready on this. Just finishing my notes, once done i will post everything here.

Cool!

 

[chrisbond]

Loads dropped from 2.00+ (quite often it would jump to 10+) to 0.40!!

 

[casey]

Originally posted by anand

Let me know if i confused you.

Nope, not at all. I'm almost sold on it.

What I meant by the quarantine, though, is when a virus is found. What happens to emails with viruses? Does the sender get the email returned to him or is it just rejected? My customers will want one of the following:

1) If viruses are stripped and delivered, they will want to be able to retrieve the original message if it was a wrongful detection.

2) If viruses are simply rejected, the customers will want the email returned to the sender, so that again, if a message is wrongfully detected the sender will know to send again by some other means.

 

[JohnL]

no exim .src available

Hello there!

Problem here with rebuilding Exim ... as there is no .src available for any of the newer Exim relases. I have two RH 9 servers, but the same seems true for RHEL. cPanel v. 9.2.x comes with exim-4.34, but I just don't see any source code for that:

http://diff.cpanel.net/exim-cpanel7.2.0/s9/

Any suggestions?? First downgrading cPanel, then installing, and later upgradinga again?? By the way, would any cPanel upgrade overwrite the anti-virus package installed in this thread?

John

 

[anand]

Originally posted by casey
Nope, not at all. I'm almost sold on it.

:D

What I meant by the quarantine, though, is when a virus is found. What happens to emails with viruses? Does the sender get the email returned to him or is it just rejected?

The mail is rejected moment the virus info is found in them with info as "Mailware or Virus found in mail (Virus Name)". This looks like those mail server errors which you usually see.

My customers will want one of the following:

1) If viruses are stripped and delivered, they will want to be able to retrieve the original message if it was a wrongful detection.

2) If viruses are simply rejected, the customers will want the email returned to the sender, so that again, if a message is wrongfully detected the sender will know to send again by some other means.

The mail is just completely rejected. When exim accepts the data section, clam scans for virus or malware stuff, if found, the mail session is closed with an MTA error retuned to the sender stating that there is malware or virus.

I have been closely watching the 10 servers i have this installed now, the load has been very low on them. To compare it, with mailscanner i hardly remember a time when i saw the load less than 4-5, even shot up to 10 at times with heavy mail traffic. Now the load sits cool at < 1, i think thats a considerable gain

Just got stuck with something more, i have everything ready and with the auto installer it should be a piece of cake for anyone to install. I will try to post info asap.

 

[anand]

Re: no exim .src available

Originally posted by JohnL
Hello there!

Problem here with rebuilding Exim ... as there is no .src available for any of the newer Exim relases. I have two RH 9 servers, but the same seems true for RHEL. cPanel v. 9.2.x comes with exim-4.34, but I just don't see any source code for that:

http://diff.cpanel.net/exim-cpanel7.2.0/s9/

Any suggestions?? First downgrading cPanel, then installing, and later upgradinga again?? By the way, would any cPanel upgrade overwrite the anti-virus package installed in this thread?

John

Just upgrade to current releases, run the following on shell

/scripts/updated
/scripts/updatenow
/scripts/exim4

This should give you the new exim.