MailScanner.conf(5) Mail MailScanner.conf(5)NAMEMailScanner.conf - Main configuration for MailScanner
SYNOPSIS
none
DESCRIPTION
MailScanner is configured using the file MailScanner.conf. The location
of this file varies from operating system to operating system:
Linux: /etc/MailScanner
FreeBSD: /usr/local/etc/MailScanner
Other: /opt/MailScanner/etc
Blank lines are ignored, as are leading and trailing spaces. Comments
start at a '#' character and extend to the end of the line. All options
are expressed in the form
option = value
Many of the options can also be the filename of a ruleset, which can be
used to control features depending on the addresses of the message,
and/or the IP address where the message came from. You will find some
examples of rulesets and an explanation of them in the "rules" directo‐
ries within the MailScanner installation and in the section "RULESETS"
later in this manpage.
The options are best listed in a few categories. If this list looks
very large then don't worry, the supplied MailScanner.conf file (or
MailScanner.conf.sample) contains sensible defaults for all the values.
You will probably only need to change a very few of them to start with.
Starting with version 4.40.10 of MailScanner you can use shell environ‐
ment variables such as $HOSTNAME or ${HOSTNAME} in MailScanner.conf and
its relatives.
You should define the following variables:
%report-dir%
Default: /opt/MailScanner/etc/reports/en
Default FreeBSD: /usr/local/share/MailScanner/reports/en
Set the directory containing all the reports in the required
language.
%etc-dir%
Default: /opt/MailScanner/etc
Default FreeBSD: /usr/local/etc/MailScanner
Configuration directory containing this file
%rules-dir%
Default: /opt/MailScanner/etc/rules
Default FreeBSD: /usr/local/etc/MailScanner/rules
Rulesets directory containing your ".rules" files
%org-name%
Default: yoursite
Enter a short identifying name for your organisation below, this
is used to make the X-MailScanner headers unique for your organ‐
isation. Multiple servers within one site should use an identi‐
cal value here to avoid adding multiple redundant headers where
mail has passed through several servers within your organisa‐
tion.
Note: Some Symantec scanners complain (incorrectly) about "."
characters appearing in the names of headers.
%org-long-name%
Default: Your Organisation Name Here
Enter the full name of your organisation below, this is used in
the signature placed at the bottom of report messages sent by
MailScanner. It can include pretty much any text you like. You
can make the result span several lines by including "0 sequences
in the text. These will be replaced by line-breaks.
%web-site%
Default: www.your-organisation.com
Enter the location of your organisation's web site below. This
is used in the signature placed at the bottom of report messages
sent by MailScanner. It should preferably be the location of a
page that you have written explaining why you might have
rejected the mail and what the recipient and/or sender should do
about it.
System Settings
Max Children
Default: 5
MailScanner uses your server efficiently by running several
identical processes at the same time, all processing mail. This
is the number of these processes to run at once. Turning this
figure will optimise the performance of your system if you
process a lot of mail. A good figure to start with is 5 chil‐
dren per CPU. So if you have 4 CPUs in your server, start by
setting this to 20.
Run as User
Default: not to change user
Provided for Exim users (and anyone not running sendmail as
root), this changes the user under which MailScanner runs.
Run as Group
Default: not to change group
Provided for Exim users (and anyone not running sendmail as
root), this changes the group under which MailScanner runs.
Queue Scan Interval
Default: 5
How often (in seconds) should each process check the incoming
mail queue for new messages? If you have a quiet mail server,
you might want to increase this value so it causes less load on
your server, at the cost of slightly increasing the time taken
for an average message to be processed.
Incoming Queue Dir
Default: /var/spool/mqueue.in
Directory in which MailScanner should find e-mail messages for
scanning. This can be any of the following:
1. a directory name.
Example: /var/spool/mqueue.in
2. a wildcard giving directory names.
Example: /var/spool/mqueue.in/*
3. the name of a file containing a list of directory names,
which can in turn contain wildcards.
Example: /usr/local/etc/MailScanner/mqueue.in.list.conf
Outgoing Queue Dir
Default: /var/spool/mqueue
Directory in which MailScanner should place scanned e-mail mes‐
sages. This can also be the filename of a ruleset.
Incoming work dir
Default: /opt/MailScanner/var/incoming
Default FreeBSD: /var/spool/MailScanner/incoming
Directory in which to temporarily store unpacked MIME messages
during scanning process.
Quarantine Dir
Default: /opt/MailScanner/var/quarantine
Default FreeBSD: /var/spool/MailScanner/quarantine
Set where to store infected messages and attachments (if they
are kept). This can also be the filename of a ruleset.
PID file
Default: /opt/MailScanner/var/MailScanner.pid
Default FreeBSD: /var/run/MailScanner.pid
Set where to store the process id number so you can stop
MailScanner. In the FreeBSD port this should remain
/var/run/MailScanner.pid in order for the start/stop script to
work.
Restart Every
Default: 14400
To avoid resource leaks the MailScanner parent process stops and
restarts its child processes from time to time. Set the amount
of seconds each child process is supposed to live here.
MTA Default: sendmail
MailScanner works with sendmail and exim. Since the queue han‐
dling differs a bit, you have to tell MailScanner which MTA you
are using. Valid options are sendmail and exim.
Sendmail
Default: /usr/lib/sendmail
Default FreeBSD: /usr/sbin/sendmail
Set how to invoke MTA when sending messages MailScanner has cre‐
ated (e.g. to sender/recipient saying "found a virus in your
message"). This can also be the filename of a ruleset.
Sendmail2
Default: same value as the Sendmail setting
Sendmail2 is provided for exim users. It is the command used to
attempt delivery of outgoing cleaned/disinfected messages. This
is not usually required for sendmail.
For Exim users this could be: Sendmail2 = /usr/sbin/exim -C
/usr/local/etc/exim/configure.out
Incoming Work Dir Settings
You should not normally need to touch these settings at all, unless you
are using ClamAV and need to be able to use the external archive
unpackers instead of ClamAV's built-in ones.
Incoming Work User
Default:
If you want to create the temporary working files so they are
owned by a user other than the "Run As User" setting, you can
change that here. Note: If the "Run As User" is not "root" then
you cannot change the user but may still be able to change the
group, if the "Run As User" is a member of both of the groups
"Run As Group" and "Incoming Work Group".
Incoming Work Group
Default:
If you want to create the temporary working files so they are
owned by a group other than the "Run As User" setting, you can
change that here. Note: If the "Run As User" is not "root" then
you cannot change the user but may still be able to change the
group, if the "Run As User" is a member of both of the groups
"Run As Group" and "Incoming Work Group".
Incoming Work Permissions
Default: 0600
If you want processes running under the same *group* as
MailScanner to be able to read the working files (and list what
is in the directories, of course), set to 0640. If you want
*all* other users to be able to read them, set to 0644. For a
detailed description, if you're not already familiar with it,
refer to `man 2 chmod`. Typical use: external helper programs of
virus scanners (notably ClamAV), like unpackers. Use with care,
you may well open security holes.
Quarantine and Archive Settings
If, for example, you are using a web interface so that users can manage
their quarantined files, you might want to change the ownership and
permissions of the quarantined so that they can be read and/or deleted
by the web server. Don't touch this unless you know what you are doing!
Quarantine User
Default:
If you want to create the quarantine/archive so the files are
owned by a user other than the "Run As User" setting at the top
of this file, you can change that here. Note: If the "Run As
User" is not "root" then you cannot change the user but may
still be able to change the group, if the "Run As User" is a
member of both of the groups "Run As Group" and "Quarantine
Group".
Quarantine Group
Default:
If you want to create the quarantine/archive so the files are
owned by a user other than the "Run As User" setting at the top
of this file, you can change that here. Note: If the "Run As
User" is not "root" then you cannot change the user but may
still be able to change the group, if the "Run As User" is a
member of both of the groups "Run As Group" and "Quarantine
Group".
Quarantine Permissions
Default: 0600
If you want processes running under the same *group* as
MailScanner to be able to read the quarantined files (and list
what is in the directories, of course), set to 0640. If you want
*all* other users to be able to read them, set to 0644. For a
detailed description, if you're not already familiar with it,
refer to `man 2 chmod`. Typical use: let the webserver have
access to the files so users can download them if they really
want to. Use with care, you may well open security holes.
Process Incoming Mail
Max Unscanned Bytes Per Scan
Default: 100000000
MailScanner handles messages in batches for efficiency. Messages
are gathered (in strict date order) from the incoming queue
directory, one at a time, until this or one of the following
three limits is reached or the queue is empty.
This setting limits the total size of messages per batch for
which no scanning is done (i.e. Virus Scanning = no).
Max Unsafe Bytes per Scan
Default: 50000000
This setting limits the total size of messages per batch for
which scanning is done (i.e. Virus Scanning = yes).
Max Unscanned Messages Per Scan
Default: 100
This setting limits the total number of messages per batch for
which no scanning is done (i.e. Virus Scanning = no).
Max Unsafe Messages per Scan
Default: 100
This setting limits the total number of messages per batch for
which scanning is done (i.e. Virus Scanning = yes).
Max Normal Queue Size
Default: 1000
If more messages are found in the queue than this, then switch
to an "accelerated" mode of processing messages. This will cause
it to stop scanning messages in strict date order, but in the
order it finds them in the queue. If your queue is bigger than
this size a lot of the time, then some messages could be greatly
delayed. So treat this option as "in emergency only".
Scan Messages
Default: yes
If this is set to yes, then email messages passing through
MailScanner will be processed and checked, and all the other
options in this file will be used to control what checks are
made on the message. If this is set to no, then email messages
will NOT be processed or checked *at all*, and so any viruses or
other problems will be ignored.
Reject Messages
Default: no
You may not want to receive mail from certain addresses and/or
to certain addresses. If so, you can do this with your email
transport (sendmail, Postfix, etc) but that will just send a
one-line message which is not helpful to the user sending the
message. If this is set to yes, then the message set by the
"Rejection Report" will be sent instead, and the incoming mes‐
sage will be deleted. If you want to store a copy of the origi‐
nal incoming message then use the "Archive Mail" setting to ar‐
chive a copy of it. The purpose of this option is to set it to
be a ruleset, so that you can reject messages from a few offend‐
ing addresses where you need to send a polite reply instead of
just a brief 1-line rejection message.
Maximum Attachments Per Message
Default: 200
The maximum number of attachments allowed in a message before it
is considered to be an error. Some email systems, if bouncing a
message between 2 addresses repeatedly, add information about
each bounce as an attachment, creating a message with thousands
of attachments in just a few minutes. This can slow down or even
stop MailScanner as it uses all available memory to unpack these
thousands of attachments. This can also be the filename of a
ruleset.
Expand TNEF
Default: yes
TNEF is primarily used by Microsoft programs such as Outlook and
Outlook Express when mails are formatted/sent in Rich-Text-For‐
mat. Attachments are all put together in one WINMAIL.DAT file.
Should we use a TNEF decoder (external or Perl module)? This
should be "yes" unless the scanner you are using (Sophos,
McAfee) has the facility built-in. However, if you set it to
"no", then the filenames within the TNEF attachment will not be
checked against the filename rules.
Deliver Unparsable TNEF
Default: no
Rich Text format attachments produced by some versions of Micro‐
soft Outlook cannot be completely decoded at present. Setting
this option to yes allows compatibility with the behaviour of
earlier versions where these attachments were still delivered.
This would introduce the slight chance of a virus getting
through in the segment of the attachment that could not be
decoded, but the setting may be necessary if you have a large
number of Microsoft Outlook users who are troubled by the new
behaviour.
TNEF Expander
Default: /opt/MailScanner/bin/tnef
Default FreeBSD: /usr/local/bin/tnef
Full pathname giving location of the MS-TNEF expander/decoder
program, or the keyword internal which will force use of the
optional Perl Convert::TNEF module instead of the external pro‐
gram.
TNEF Timeout
Default: 120
The maximum length of time (in seconds) the TNEF Expander is
allowed to run for diassembling one attachment.
File Command
Default: /usr/bin/file
Where the "file" command is installed. This is used for checking
the content type of files, regardless of their filename. To dis‐
able Filetype checking, set this value to blank.
File Timeout
Default: 20
The maximum length of time the "file" command is allowed to run
for one batch of messages (in seconds).
Unrar Command
Default: /usr/bin/unrar
Where the "unrar" command is installed. If you haven't got this
command, look at www.rarlab.com. This is used for unpacking rar
archives so that the contents can be checked for banned file‐
names and filetypes, and also that the archive can be tested to
see if it is password-protected. Virus scanning the contents of
rar archives is still left to the virus scanner, with one excep‐
tion: If using the clavavmodule virus scanner, this adds exter‐
nal RAR checking to that scanner which is needed for archives
which are RAR version 3.
Unrar Timeout
Default: 50
The maximum length of time the "unrar" command is allowed to run
for 1 RAR archive (in seconds)
Block Encrypted Messages
Default: no
This is inteded for use with a ruleset to ensure that none of
your users is covertly mailing sites with which you would not
normally communicate (e.g. your competitors). If this is set to
yes (or the ruleset evaluates to yes) encrypted messages are
blocked.
Block Unencrypted Messages
Default: no
This is intended for use with a ruleset to ensure that mail is
always encrypted before being sent. This could be used to ensure
that mail to your business partners is sent securely.
Allow Password-Protected Archives
Default: no
Should archives which contain any password-protected files be
allowed? Leaving this set to "no" is a good way of protecting
against all the protected zip files used by viruses at the
moment. This can also be the filename of a ruleset.
Maximum Message Size
Default: 0
The maximum size, in bytes, of any message including the head‐
ers. If this is set to zero, then no size checking is done. This
can also be the filename of a ruleset, so you can have different
settings for different users. You might want to set this quite
small for dialup users so their email applications don't time
out downloading huge messages.
Maximum Attachment Size
Default: -1
The maximum size, in bytes, of any attachment in a message. If
this is set to zero, effectively no attachments are allowed. If
this is set less than zero, then no size checking is done. This
can also be the filename of a ruleset, so you can have different
settings for different users. You might want to set this quite
small for large mailing lists so they don't get deluged by large
attachments.
Maximum Archive Depth
Default: 3
The maximum depth to which zip archives will be unpacked to
allow for checking filenames and filetypes within zip archives.
Setting this to 0 will disable filename/-type checks within zip
files while still allowing to block password protected zip
files.
Find Archives By Content
Default: yes
Find zip archives by filename or by file contents? Finding them
by content is a far more reliable way of finding them, but it
does mean that you cannot tell your users to avoid zip file
checking by renaming the file from ".zip" to "_zip" and tricks
like that. Only set this to no (i.e. check by filename only) if
you don't want to reliably check the contents of zip files. Note
this does not affect virus checking, but it will affect all the
other checks done on the contents of the zip file. This can also
be the filename of a ruleset.
Options specific to Sophos Anti-Virus
Allowed Sophos Error Messages
Default:
Anything on the next line that appears in brackets at the end of
a line of output from Sophos will cause the error/infection to
be ignored. Use of this option is dangerous, and should only be
used if you are having trouble with lots of corrupt PDF files,
for example. This option allows for multiple strings as well. In
this case, the strings should be put in double quotes (") and
each string separated with commas. Examples:
Allowed Sophos Error Messages = corrupt format not supported
Allowed Sophos Error Messages = "corrupt", "format not sup‐
ported"
The first version will match "corrupt format not supported"
only. The second version will match "corrupt" and "format not
supported".
Sophos IDE Dir
Default: /usr/local/Sophos/ide
The directory (or a link to it) containing all the Sophos *.ide
files. This is only used by the "sophossavi" virus scanner, and
is irrelevant for all other scanners.
Sophos Lib Dir
Default: /usr/local/Sophos/lib
The directory (or a link to it) containing all the Sophos *.so
libraries.This is only used by the "sophossavi" virus scanner,
and is irrelevant for all other scanners.
Monitors For Sophos Updates
Default: /usr/local/Sophos/ide/*ides.zip
SophosSAVI only: monitor each of these files for changes in size
to detect when a Sophos update has happened. The date of the
Sophos Lib Dir is also monitored. This is only used by the
"sophossavi" virus scanner, not the "sophos" scanner setting.
Virus scanning and vulnerability testing
Virus Scanning
Default: yes
Do you want to scan email for viruses? A few people don't have
virus scanner licence and so want to disable all the virus scan‐
ning.
NOTE: Switching this to no completely disables all virus-scan‐
ning functionality. If you just want to switch of actual virus
scanning, then set "Virus Scanners = none" instead.
If you want to be able to switch scanning on/off for different
users or different domains, set this to the filename of a rule‐
set.
Virus Scanners
Default: none
Which Virus Scanning package to use. Possible choices are
sophos, sophossavi, mcafee, command, bitdefender, kaspersky,
kaspersky-4.5, kavdaemonclient, inoculate, inoculan, nod32,
nod32-1.99, f-secure, f-prot, panda, rav, antivir, clamav, cla‐
mavmodule, css, trend, norman, avg, vexira, symscanengine,
generic, none (no virus scanning at all). This *cannot* be the
filename of a ruleset.
Note for McAfee users: Do NOT use any symlinks with McAfee at
all. It is very strange but McAfee may not detect all viruses
when started from a symlink or scanning a directory path includ‐
ing symlinks.
Note: If you want to use multiple virus scanners, then this
should be a space-separated list of virus scanners.
Note: Make sure that you check that the base installation direc‐
tory in the 3rd column of virus.scanners.conf matches the loca‐
tion you have installed each of your virus scanners. The sup‐
plied virus.scanners.conf file assumes the default installation
locations recommended by each of the virus scanner installation
guides.
Virus Scanner Timeout
Default: 300
The maximum time (in seconds) that the cirus scanner is allowed
to take to scan one batch of messages.
Deliver Disinfected Files
Default: yes
Should infected attached documents be automatically disinfected
and sent on to the original recipients? Less than 1% of viruses
in the wild can be successfully disinfected,as macro viruses are
now a rare occurrence. So the default has been changed to "no"
as it gives a significant performance improvement.
Silent Viruses
Default: HTML-IFrame All-Viruses
Messages whose virus reports contain any of the words listed
here will be treated as "silent" viruses. No messages will be
sent back to the senders of these viruses, and the delivery to
the recipient of the message can be controlled by the next
option "Still Deliver Silent Viruses". This is primarily
designed for viruses such as "Klez" and "Bugbear" which put fake
addresses on messages they send, so there is no point informing
the sender of the message, as it won't actually be them who sent
it anyway. Other words that can be put in this list are the 5
special keywords
· HTML-IFrame: inserting this will stop senders being warned
about HTML Iframe tags, when they are not allowed.
· HTML-Codebase: inserting this will stop senders being warned
about HTML Object Codebase tags, when they are not allowed.
· Zip-Password: inserting this will stop senders being warned
about password-protected zip files when they are not allowd.
This keyword is not needed if you include All-Viruses.
· All-Viruses: inserting this will stop senders being warned
about any virus, while still allowing you to warn senders
about HTML-based attacks. This includes Zip-Password so you
don't need to include both.
The default of "All-Viruses" means that no senders of
viruses will be notified (as the sender address is always
forged these days anyway), but anyone who sends a message
that is blocked for other reasons will still be notified.
Still Deliver Silent Viruses
Default: no
If this is set to yes then disinfected messsages that originally
contained one of the "silent" viruses will still be delivered to
the original recipients, even those addresses were chosen at
random by the infected PC and do not correspond to anything a
user intended to send. Set this to yes so that your users (and
your management) appreciate how much MailScanner is doing to
protect them, but set it to no if they complain a lot about
receiving lots of virus warnings.
Non-Forging Viruses
Default: Joke/ OF97/ WM97/ W97M/
Strings listed here will be searched for in the output of the
virus scanners. It works to achieve the opposite effect of the
"Silent Viruses" listed above. If a string here is found in the
output of the virus scanners, then the message will be treated
as if it were not infected with a "Silent Virus". If a message
is detected as both a silent virus and a non-forging virus, then
the non-forging status will override the silent status. In sim‐
ple terms, you should list virus names (or parts of them) that
you know do *not* forge the From address. A good example of this
is a document macro virus or a Joke program. Another word that
can be put in this list is the special keyword "Zip-.Password".
Inserting this will cause senders to be warned about pass‐
word-protected zip files, whey they are not allowed.
Options specific to ClamAV Anti-Virus
Monitors for ClamAV Updates
Default: /usr/local/share/clamav/*.cvd
ClamAVModule only: monitor each of these files for changes in
size to detect when a ClamAV update has happened. This is only
used by the "clamavmodule" virus scanner, not the "clamav" scan‐
ner setting.
ClamAVmodule Maximum Recursion Level
Default: 5
ClamAVModule only: The maximum recursion level of archives. This
setting *cannot* be the filename of a ruleset, only a simple
number.
ClamAVmodule Maximum Files
Default: 100
ClamAVModule only: The maximum number of files per batch. This
setting *cannot* be the filename of a ruleset, only a simple
number.
ClamAVmodule Maximum File Size
Default: 10000000
ClamAVModule only: The maximum file of each file (Default =
10MB). This setting *cannot* be the filename of a ruleset, only
a simple number.
ClamAVmodule Maximum Compression Ratio
Default: 250
ClamAVModule only: The maximum compression ration of archives.
This setting *cannot* be the filename of a ruleset, only a sim‐
ple number.
Removing/Logging dangerous or potentially offensive content
Allow Partial Messages
Default: no
Do you want to allow partial messages, which only contain a
fraction of the attachments, not the whole thing? There is no
way that "partial messages" can be scanned for viruses properly,
as only a fragment of the message is ever processed, never the
whole message at once.
Setting this option to yes is very dangerous as it can let
viruses in. But you might want to use a ruleset to set it for
some customers' outgoing mail, for example.
Allow External Message Bodies
Default: no
There is a mechanism, very rarely used, in which the body of a
message is contained on a remote server, which the user's email
application should download when it displays the message. Cur‐
rently, I am only aware of this feature being supported by a few
versions of Netscape, and the only people who use it are the
IETF. There is no way to guarantee that the fetched file has no
viruses in it, as MailScanner never sees it.
Setting this option to yes is very dangerous as it can let
viruses in from remote "message body servers".
Find Phishing Fraud
Default: yes
Do you want to check for "Phishing" attacks? These are attacks
that look like a genuine email message from your bank, which
contain a link to click on to take you to the web site where you
will be asked to type in personal information such as your
account number or credit card details. Except it is not the real
bank's web site at all, it is a very good copy of it run by
thieves who want to steal your personal information or credit
card details. These can be spotted because the real address of
the link in the message is not the same as the text that appears
to be the link. Note: This does cause significant extra load,
particularly on systems receiving lots of spam such as
secondary MX hosts. This *cannot* be the filename of a ruleset,
it must be 'yes' or 'no'.
Also Find Numeric Phishing
Default: yes
While detecting "Phishing" attacks, do you also want to point
out links to numeric IP addresses. Genuine links to totally
numeric IP addresses are very rare, so this option is set to
"yes" by default. If a numeric IP address is found in a link,
the same phishing warning message is used as in the Find Phish‐
ing Fraud option above. This value cannot be the name of a rule‐
set, only a simple yes or no.
Phishing Safe Sites File
Default: %etc-dir%/phishing.safe.sites.conf
There are some companies, such as banks, that insist on sending
out email messages with links in them that are caught by the
"Find Phishing Fraud" test described above. This is the name of
a file which contains a list of link destinations which should
be ignored in the test. This may, for example, contain the known
websites of some banks. See the file itself for more informa‐
tion. This can only be the name of the file containing the list,
it *cannot* be the filename of a ruleset.
Allow IFrame Tags
Default: no
Do you want to allow HTML <IFrame> tags in email messages? This
is not a good idea as it allows various Microsoft Outlook secu‐
rity vulnerabilities to go unprotected, but if you have a load
of mailing lists sending them, then you will want to allow them
to keep your users happy. This can also be the filename of a
ruleset, so you can allow them from known mailing lists but ban
them from everywhere else. Possible Values:
· yes => Allow these tags to be in the message
· no => Ban messages containing these tags
· disarm => Allow these tags, but stop these tags from working
Log IFrame Tags
Default: no
You may receive complaints from your users that HTML mailing
lists they subscribe to have been stopped by the "Allow IFrame
Tags" option above. So before you use the option above, set this
option to "yes" and MailScanner will log the senders all mes‐
sages which contain IFrame tags. You can then setup a ruleset
for the option above which will allow IFrame tags in messages
sent by well known (and trusted) mailing lists, while banning
them from everywhere else.
Allow Form Tags
Default: disarm
Do you want to allow <Form> tags in email messages? This is a
bad idea as these are used as scams to persuade people to part
with credit card information and other personal data. This can
also be the filename of a ruleset. Possible values:
· yes => Allow these tags to be in the message
· no => Ban messages containing these tags
· disarm => Allow these tags, but stop these tags from working
Allow Script Tags
Default: no
Do you want to allow <Script> tags in email messages? This is a
bad idea as these are used to exploit vulnerabilities in email
applications and web browsers. This can also be the filename of
a ruleset. Possible values:
· yes => Allow these tags to be in the message
· no => Ban messages containing these tags
· disarm => Allow these tags, but stop these tags from working
Allow WebBugs
Default: disarm
Do you want to allow <Img> tags with very small images in email
messages? This is a bad idea as these are used as 'web bugs' to
find out if a message has been read. It is not dangerous, it is
just used to make you give away information. This can also be
the filename of a ruleset. Possible values:
· yes => Allow these tags to be in the message
· no => Ban messages containing these tags
· disarm => Allow these tags, but stop these tags from working
Allow Object Codebase Tags
Default: no
Do you want to allow <Object Codebase=...> tags in email mes‐
sages? This is a bad idea as it leaves you unprotected against
various Microsoft-specific security vulnerabilities. But if your
users demand it, you can do it. This can also be the filename of
a ruleset. Possible values:
· yes => Allow these tags to be in the message
· no => Ban messages containing these tags
· disarm => Allow these tags, but stop these tags from working
Convert Dangerous HTML To Text
Default: no
This option interacts with the "Allow ... Tags" options above
like this:
Allow...Tags Convert Danger... Action
============ ================= ============================
no no Blocked
no yes Blocked
disarm no Specified HTML tags disarmed
disarm yes Specified HTML tags disarmed
yes no Nothing
yes yes All HTML tags stripped
If an "Allow ... Tags = yes" is triggered by a message, and this
"Convert Dangerous HTML To Text" is set to "yes", then the HTML
message will be converted to plain text. This makes the HTML
harmless, while still allowing your users to see the text con‐
tent of the messages. Note that all graphical content will be
removed.
Convert HTML To Text
Default: no
If you have users who are children, or who are offended by
things like pornographic spam email, you can protect them by
converting incoming HTML email messages into plain text. HTML
attachments will not be affected. You could set this to be a
ruleset so you only convert messages addressed to some of your
users, or not convert messages from some known trusted sources.
This can be essential if you have a "duty of care" for some of
your users.
Allow Form Tags
Default: no
Do you want to allow <Form> tags in email messages? This is a
bad idea as these are used as scams to pursuade people to part
with credit card information and other personal data. This can
also be the filename of a ruleset.
Attachment filename checking
Allow Filenames
Default:
Allow any attachment filenames matching any of the patters
listed here. If this setting is empty, it is ignored and no
matches are made. This can also be the filename of a ruleset.
To simplify web-based configuration systems, there are now two
extra settings here. They are both intended for use with normal
rulesets that you would expect to find in %rules-dir%. The first
gives a list of patterns to match against the attachment file‐
names, and a filename is allowed if it matches any of these pat‐
terns. The second gives the the equivalent list for patterns
that are used to deny filenames. If either of these match at
all, then filename.rules.conf is ignored for that filename. So
you can easily have a set like this:
Allow Filenames = .txt$ .pdf$
Deny Filenames = .com$ .exe$ .cpl$ .pif$
which is a lot simpler than having to handle file‐
name.rules.conf! It is far simpler when you want to change the
allowed+denied list for different domains/addresses, as you can
use the filename of a simple ruleset here instead.
Deny Filenames
Default:
Deny any attachment filenames matching any of the patters listed
here. If this setting is empty, it is ignored and no matches are
made. This can also be the filename of a ruleset.
Filename Rules
Default: %etc-dir%/filename.rules.conf
File in which to store the attachment filename ruleset. This can
be a ruleset allowing different filename rules to apply to dif‐
ferent users or domains. The syntax of this file is described in
section "Attachment Filename Ruleset".
Allow Filetypes
Default:
Allow any attachment filetypes matching any of the patters
listed here. If this setting is empty, it is ignored and no
matches are made. This can also be the filetype of a ruleset.
To simplify web-based configuration systems, there are now two
extra settings here. They are both intended for use with normal
rulesets that you would expect to find in %rules-dir%. The first
gives a list of patterns to match against the attachment file‐
types, and a filetype is allowed if it matches any of these pat‐
terns. The second gives the the equivalent list for patterns
that are used to deny filetypes. If either of these match at
all, then filetype.rules.conf is ignored for that filetype. So
you can easily have a set like this:
Allow Filetypes = .txt$ .pdf$
Deny Filetypes = .com$ .exe$ .cpl$ .pif$
which is a lot simpler than having to handle file‐
type.rules.conf! It is far simpler when you want to change the
allowed+denied list for different domains/addresses, as you can
use the filetype of a simple ruleset here instead.
Deny Filetypes
Default:
Deny any attachment filetypes matching any of the patters listed
here. If this setting is empty, it is ignored and no matches are
made. This can also be the filetype of a ruleset.
Filetype Rules
Default: %etc-dir%/filetype.rules.conf
Set where to find the attachment filetype ruleset. The structure
of this file is explained elsewhere, but it is used to accept or
reject file attachments based on their content as determined by
the "file" command, regardless of whether they are infected or
not. This can also point to a ruleset, but the ruleset filename
must end in ".rules" so that MailScanner can determine if the
filename given a ruleset or not!
Reports and responses
Quarantine Infections
Default: yes
Set this to store infected / dangerous attachments in directo‐
ries created under the quarantine directory. Without this, they
will be deleted. Due to laws on privacy and data protection in
your country, you may be forced to set this to "no".
Quarantine Silent Viruses
Default: yes
There is no point quarantining most viruses these days, so if
you set this to "no" then no infections listed in your "Silent
Viruses" setting will be quarantined, even if you have chosen to
quarantine infections in general. This is currently set to "yes"
so the behaviour is the same as it was in in previous versions.
This can also be the filename of a ruleset.
Quarantine Modified Body
Default: no
Do you want to store copies of messages which have been disarmed
by having their HTML modified at all? This can also be the file‐
name of a ruleset.
Quarantine Whole Message
Default: no
When an infected message is stored in the quarantine, a copy of
the entire message will be saved, in addition to copies of the
infected attachments.
Quarantine Whole Messages As Queue Files
Default: no
When an entire message is saved in the quarantine for any rea‐
son, do you want to save it as the raw data files out of the
mail queue (which can be processed with the df2mbox script, and
which is easier to send to its original recipients), or do you
want a conventional message file consisting of the header fol‐
lowed by the body of the message. If the previous option is
switched off, then this will only affect archived mail and quar‐
antined spam. If the previous option is on, then this also
affects quarantined infections.
Keep Spam And MCP Archive Clean
Default: no
Do you want to stop any virus-infected spam getting into the
spam or MCP archives? If you have a system where users can
release messages from the spam or MCP archives, then you proba‐
bly want to stop them being able to release any infected mes‐
sages, so set this to yes. It is set to no by default as it
causes a small hit in performance, and many people don't allow
users to access the spam quarantine, so don't need it. This can
also be the filename of a ruleset.
Language Strings
Default: %reports-dir%/languages.conf
Set where to find all the strings used so they can be translated
into your local language. This can also be the filename of a
ruleset so you can produce different languages for different
messages.
Rejection Report
Default: %reports-dir%/rejection.report.txt
Set where to find the message text sent to users who triggered
the ruleset you are using with the "Reject Message" option.
Deleted Bad Filename Message Report
Default: %reports-dir%/deleted.filename.message.txt
When an attachment is deleted from a message because the file‐
name failed the filename rules in force for the message, it is
replaced by the contents of this file. A few variable substitu‐
tions can be made in this file, an example of each of which is
contained in the supplied sample file.
Deleted Virus Message Report
Default: %reports-dir%/deleted.virus.message.txt
When an attachment is deleted from a message because the attach‐
ment contained a virus or other dangerous content, it is
replaced by the contents of this file. A few variable substitu‐
tions can be made in this file, an example of each of which is
contained in the supplied sample file.
Stored Bad Filename Message Report
Default: %reports-dir%/stored.filename.message.txt
When an attachment is deleted and stored from a message (and the
attachment has been stored in the quarantine) because the file‐
name failed the filename rules in force for the message, it is
replaced by the contents of this file. A few variable substitu‐
tions can be made in this file, an example of each of which is
contained in the supplied sample file.
Deleted Bad Content Message Report
Default: /%reports-dir%/deleted.content.message.txt
This report is sent when a message is deleted because it con‐
tained bad or dangerous content. A few variable substitutions
can be made in this file, an example of each of which is con‐
tained in the supplied sample file.
Stored Bad Content Message Report
Default: %reports-dir%/stored.content.message.txt
This report is sent when a message is stored because it con‐
tained bad or dangerous content. A few variable substitutions
can be made in this file, an example of each of which is con‐
tained in the supplied sample file.
Disinfected Report
Default: %reports-dir%/disinfected.report.txt
When, for example, a Microsoft Word macro virus has been safely
removed from a document, leaving the original document intact,
it is delivered on to the original recipient. The contents of
this text file will be put in the body of the new message,
explaining to the user what has happened.
Inline HTML Signature
Default: %reports-dir%/inline.sig.html
If the "Sign Clean Messages" option is set, then the contents of
this file will be appended to the end of the body of every mes‐
sage that is scanned by MailScanner. You can use this to inform
your users that MailScanner has scanned it, and you can also add
any disclaimers you feel should be on mail travelling through
your servers. This option corresponds to the contents that is
appended to HTML messages.
Inline Text Signature
Default: %reports-dir%/inline.sig.txt
If the "Sign Clean Messages" option is set, then the contents of
this file will be appended to the end of the body of every mes‐
sage that is scanned by MailScanner. You can use this to inform
your users that MailScanner has scanned it, and you can also add
any disclaimers you feel should be on mail travelling through
your servers. This option corresponds to the contents that is
appended to text messages.
Sender Error Report
Default: %reports-dir%/sender.error.report.txt
When a message could not be processed completely for some rea‐
son, such as bad message structure or unreadable winmail.dat
TNEF attachments, this message is sent back to the sender. Read
the example file supplied for a demonstration of what variables
can be used inside the file.
Sender Bad Filename Report
Default: %reports-dir%/sender.filename.report.txt
When an attachment is trapped by the filename rules, this mes‐
sage is sent back to the sender.
Sender Virus Report
Default: %reports-dir%/sender.virus.report.txt
When an attachment is removed because of a virus, this message
is sent back to the sender.
Hide Incoming Work Dir
Default: yes
When this option is set, the full directory in which the virus
was found will be removed from report messages sent to users.
This makes the infection reports a lot easier to understand.
Include Scanner Name in Reports
Default: yes
Include the name of the virus scanner in each of the scanner
reports. This also includes the translation of "MailScanner" in
each of the report lines resulting from one of MailScanner's own
checks such as filename, filetype or dangerous HTML content. To
change the name "MailScanner", look in reports/...../lan‐
guages.conf.
Very useful if you use several virus scanners, but a bad idea if
you don't want to let your customers know which scanners you
use.
Changes to message headers
Mail Header
Default: X-MailScanner:
Extra header that should be added to all scanned messages to
show they have been scanned. You might want to add an abbrevia‐
tion of your site name to this, so that you can find headers
that are added by your MailScanner server.
Spam Header
Default: X-MailScanner-SpamCheck:
Name of the header to add to mail detected as spam. The text of
the header is a list of the causes that think the message is
spam.
Spam Score Header
Default: X-MailScanner-SpamScore:
If the option "Spam Score" is set, this is the name of the
header that is used to contain the list of characters.
Information Header
Default: X-MailScanner-Information:
Name of the header to add to all messages, to be used for simply
providing a URL or contact information for anyone receiving mail
that has gone through MailScanner. If you do not want this
header, simply set it blank.
Add Envelope From Header
Default: yes
Do you want to add the Envelope-From: header? This is very use‐
ful for tracking where spam came from as it contains the enve‐
lope sender address. This can also be the filename of a ruleset.
Add Envelope To Header
Default: no
Do you want to add the Envelope-To: header? This can be useful
for tracking span destinations, but should be used with care due
to possible privacy concerns with the use of Bcc: headers by
users. This can also be the filename of a ruleset.
Evelope From Header
Default: X-%org-name%-MailScanner-From:
This is the name of the Envelope From header controlled by the
option above. This can also be the filename of a ruleset.
Evelope To Header
Default: X-%org-name%-MailScanner-To:
This is the name of the Envelope To header controlled by the
option above. This can also be the filename of a ruleset.
Detailed Spam Report
Default: yes
If this is set to yes then you get the normal fully detailed
spam report in spam messages. If this is set to no then you sim‐
ply get a "spam" or "not spam" report. The exact text inserted
can be configured in the languages.conf file for your language.
Include Scores In SpamAssassin Report
Default: yes
Do you want to include the numerical scores in the detailed Spa‐
mAssassin report, or just list the names of the scores?
Spam Score Character
Default: s
If the option "Spam Score" is set, this is the character that
will be repeated in the "Spam Score Header", one letter for each
point in the SpamAssassin score.
SpamScore Number Instead Of Stars
Default: no
If this option is set to yes, you will get a spam-score header
saying just the value of the spam score, instead of the row of
characters representing the score. This can also be the filename
of a ruleset.
Minimum Stars If on Spam List
Default: 0
This sets the minimum number of "Spam Score Characters" which
will appear if a message triggered the "Spam List" setting but
received a very low SpamAssassin score. This means that people
who only filter on the "Spam Stars" will still be able to catch
messages which receive a very low SpamAssassin score. Set this
value to 0 to disable it. This can also be the filename of a
ruleset.
Clean header Value
Default: Found to be clean
This is the text that is added to the "Mail Header" when a mes‐
sage is found to be clean and free of viruses and other danger‐
ous content.
Infected Header Value
Default: Found to be infected
This is the text that is added to the "Mail Header" when a mes‐
sage is found to be infected with a virus or other dangerous
content.
Disinfected Header Value
Default: Disinfected
This is the text that is added to the "Mail Header" of a message
that is created by MailScanner to contain disinfected documents
containing macro viruses that could be completely removed, leav‐
ing the original document intact.
Information Header Value
Default: Please contact the ISP for more information
This is the text that is added to the "Information Header" of a
message that has passed through MailScanner at all. It could be
used to provide a URL or contact address for recipients if they
have any queries about the messages they have received. If the
setting "Information Header" is blank, this message will not be
added to the Mail Header.
Multiple Headers
Default: append
When a message passes through more than one MailScanner server
on your site, they will each try to add their own headers. This
option controls what should happen when trying to add a
MailScanner header that already exists in the message. Valid
options are append (append the new data to the existing header),
add (add a new header) and replace (replace the old data with
the new data).
Hostname
Default: the MailScanner
This is the name of the MailScanner server that is put in mes‐
sages to users. If you have more than one MailScanner server on
your site, you will want to change this on each server so that
you can tell them apart.
Sign Messages Already Processed
Default: no
If a message has already been processed by another MailScanner
server on your site, then the "Inline HTML/Text Signature" is
not added to the message again if this option is set. Without
it, you will get one signature added for every MailScanner
server that processes the message.
Sign Clean Messages
Default: no
If this option is set, then the "Inline HTML/Text Signature"
will be added to the end of every clean message processed by
MailScanner. You can use this to inform the recipient that the
message has been checked, and also to add any legal disclaimer
or copyright statement you want to add to every message. Using a
ruleset for this option, you could very simply set it so that
only messages leaving your site are signed, for example.
Mark Infected Messages
Default: yes
If this option is set, then the "Inline HTML/Text Warning" is
added to the start of every message that is found to be infected
or has had attachments removed for any reason. This can be used
to guide the recipients to read the infection reports contained
in the replacement attachments.
Mark Unscanned Messages
Default: yes
If this option is set, then any message which is not scanned by
MailScanner gets the "Mail Header" added to it with the string
contained in the "Unscanned Header Value" option. This can be
used to advertise your MailScanner service to customers/clients
who are currently not using it.
Unscanned Header Value
Default: Not scanned: please contact your Internet E-Mail Ser‐
vice Provider for details
This supplies the text that is placed in the "Mail Header" of
messages that have not been scanned, if the option "Mark
Unscanned Messages" is set. It is a useful place to advertise
your MailScanner service to new customers/clients.
Remove These Headers
Default:
If any of these headers are included in a a message, they will
be deleted. This is very useful for removing return-receipt
requests and any headers which mean special things to your email
client application, such as # X-Mozilla-Status. Each header
should end in a ":", but MailScanner will add it if you forget.
Headers should be separated by commas or spaces. This can also
be the filename of a ruleset.
Deliver Cleaned Messages
Default: yes
Once a message has had all viruses and dangerous content removed
from it, it will then be delivered to the original recipients if
this option is set. If you want the behaviour from previous ver‐
sions of MailScanner that had the "Deliver From Local Domains"
keyword, then you should set this to be a ruleset that only
returns "yes" for messages destined for inside your site, and
"no" for messages going out of your site.
Notifications back to the senders of blocked messages
Notifiy Senders
Default: yes
Do you want to notify the people who sent you messages contain‐
ing viruses or badly-named filenames? The default value has been
changed to "no" as most viruses now fake sender addresses and
therefore should be on the "Silent Viruses" list. This can also
be the filename of a ruleset.
Notify Senders Of Blocked Filenames Or Filetypes
Default: yes
*If* "Notify Senders" is set to yes, do you want to notify peo‐
ple who sent you messages containing attachments that are
blocked due to their filename or file contents? This can also be
the filename of a ruleset.
Notify Senders Of Other Blocked Content
Default: yes
*If* "Notify Senders" is set to yes, do you want to notify peo‐
ple who sent you messages containing other blocked content, such
as partial messages or messages with external bodies? This can
also be the filename of a ruleset.
Notify Senders Of Viruses
Default: no
*If* "Notify Senders" is set to yes, do you want to notify peo‐
ple who sent you messages containing viruses? This can also be
the filename of a ruleset.
Never Notify Senders Of Precedence
Default: list bulk
If you supply a space-separated list of message "precedence"
settings, then senders of those messages will not be warned
about anything you rejected. This is particularly suitable for
mailing lists, so that any MailScanner responses do not get sent
to the entire list.
Changes to subject line
Scanned Modify Subject
Default: no # end
If this is set to "start" or "end" then the "Scanned Subject
Text" is inserted at the start or the end of the Subject: line.
This only happens if the Subject: line has not already been mod‐
ified for any other reason.
Scanned Subject Text
Default: {Scanned}
This is the text inserted at the start or the end of the Sub‐
ject: line if the "Scanned Modify Subject" option above is in
effect.
Virus Modify Subject
Default: yes
If this is set, then the "Subject:" line of a message that was
infected with a virus will have the "Virus Subject Text" text
inserted at the start.
Virus Subject Text
Default: {Virus?}
This is the text inserted at the start of the "Subject:" line if
the "Virus Modify Subject" option is set.
Filename Modify Subject
Default: yes
If this is set, then the "Subject:" line of a message that had
an attachment with a dangerous filename will have the "Filename
Subject Text" text inserted at the start.
Filename Subject Text
Default: {Virus?}
This is the text inserted at the start of the "Subject:" line if
the "Filename Modify Subject" option is set.
Content Modify Subject
Default: yes
If this is set, then the "Subject:" line of a message that trig‐
gered a content check without anything else wrong in the message
will have the "Content Subject Text" text inserted at the start.
Content Subject Text
Default: {Filename?}
This is the text inserted at the start of the "Subject:" line if
the "Content Modify Subject" option is set.
Disarmed Modify Subject
Default: yes
If HTML tags in the message were "disarmed" by using the HTML
"Allow" options above with the "disarm" settings, do you want to
modify the subject line? This can also be the filename of a
ruleset.
Disarmed Subject Text
Default: {Disarmed}
This is the text to add to the start of the subject if the "Dis‐
armed Modify Subject" option is set. This can also be the file‐
name of a ruleset.
Spam Modify Subject
Default: yes
If this is set, then the "Subject:" line of a message that was
determined to be spam will have the "Spam Subject Text" text
inserted at the start.
Spam Subject Text
Default: {Spam?}
This is the text to add to the start of the subject if the "Spam
Modify Subject" option is set. The exact string "_SCORE_" will
be replaced by the numeric SpamAssassin score. This can also be
the filename of a ruleset.
High Scroing Spam Modify Subject
Default: yes
If this is set, then the "Subject:" line of a message that was
determined to be spam, and had a SpamAssassin score greater than
the "High SpamAssassin Score" will have the "High Scoring Spam
Subject Text" text inserted at the start.
High Scoring Spam Subject Text
Default: {Spam?}
This is just like the "Spam Subject Text" option above, except
that it applies then the score from SpamAssassin is higher than
the "High SpamAssassin Score" value. The exact string "_SCORE_"
will be replaced by the numeric SpamAssassin score. This can
also be the filename of a ruleset.
Changes to the message body
Warning Is Attachment
Default: yes
When an infected or dangerous attachment is replaced with a text
message containing the infection report, should the replacement
be an attachment (yes) or should it be included inline in the
main text of the message (no).
Attachment Warning Filename
Default: %org-name%-Attachment-Warning.txt
What an infected or dangerous attachment is replaced with a text
message containing the infection report, this is the filename of
the attachment that appears in the message.
Attachment Encoding Charset
Default: ISO-8859-1
This is the name of the encoding character set used for the con‐
tents of "VirusWarning.txt" attachments.
Mail archiving and monitoring
Archive Mail
Default:
Space-separated list of any combination of
1. email addresses to which mail should be forwarded,
2. directory names where you want mail to be stored,
3. file names to which mail will be appended.
The files (option 3) are using the "mbox" format suitable for
most Unix mail systems. These files must already exist since
MailScanner will not create them!
If you give this option a ruleset, you can control exactly whose
mail is archived or forwarded. If you do this, beware of the
legal implications as this could be deemed to be illegal inter‐
ception unless the police have asked you to do this.
Any of the items above can contain the magic string _DATE_ in
them which will be replaced with the current date in yyyymmdd
format. This will make archive-rolling and maintenance much eas‐
ier, as you can guarantee that yesterday's mail archive will not
be in active use today.
Notices to system administrators
Send Notices
Default: yes
Should system administrators listed in the "Notices To" option
be notified of every infection found?
Notices Include Full Headers
Default: no
If this option is set, then the system administrator notices
will include the full headers of every infected message. If this
option is set to "no" then only a restricted set of headers is
included in the notices.
Hide Incoming Work Dir in Notices
Default: no
When this option is set, the full directory in which the virus
was found will be removed from report messages sent to adminis‐
trators. This makes the infection reports a lot easier to under‐
stand. It is also very useful if your notices go to your cus‐
tomer sites.
Notice Signature
Default: -- \nMailScanner\nEmail Virus Scanner\nwww.mailscan‐
ner.info
This string is added to the bottom of all system administrator
notices, and is intended to be the signature of your MailScanner
system. To insert "line-breaks" or "newline" characters, use the
sequence 0
Notices From
Default: MailScanner
The visible part of the email address used in the "From:" line
of the notices. The <user@domain> part of the email address is
set to the "Local Postmaster" setting.
Notices To
Default: postmaster
This option provides a list of the addresses to which virus
notices should be sent. You may want to set this to be a rule‐
set, providing different notification addresses for different
domains that you administer.
Local Postmaster
Default: postmaster
When virus warnings are sent to any users, this is the email
address used as the "From:" header in the messages.
Definitions of virus scanners and spam detectors
Spam List Definitions
Default: %etc-dir%/spam.lists.conf
This file contains all the definitions of the "Spam Lists" (also
known as RBL's or DNSBL's) which can be used to try to detect
spam based on where each message came from. Many more spam lists
can be added to this file, but it contains the most popular ones
to get you started.
Virus Scanner Definitions
Default: %etc-dir%/virus.scanners.conf
This file contains the locations of all the commands that are
run for each virus scanner. Check this file before starting
MailScanner to make sure it will run the correct command or
wrapper script.
Spam detection and spam lists (DNS blocklists)
Spam Checks
Default: yes
If this option is set, messages will be checked to see if they
are spam.
Spam List
Default: ORDB-RBL Infinite-Monkeys
This provides a space-separated list of "Spam Lists" (or RBL's
or DNSBL's) which are checked for each message. These lists are
based on the numeric IP address of the server that sent the mes‐
sage to your MailScanner server. Every list used here must be
defined in the "Spam List Definitions" file mentioned above.
Spam Domain List
Default:
This provides a space-separated list of "Spam Lists" (or RBL's
or DNSBL's) which are checked for each message. These lists are
based on the domain name of the sender address of each message.
Every list used here must be defined in the "Spam List Defini‐
tions" file mentioned above.
Spam Lists To Be Spam
Default: 1
If a message appears in at least this number of "Spam Lists" (as
defined above), then the message will be treated as spam and so
the "Spam Actions" will happen, unless the message reaches the
levels for "High Scoring Spam". By default this is set to 1 to
mimic the previous behaviour, which means that appearing in any
"Spam Lists" will cause the message to be treated as spam. This
can also be the filename of a ruleset.
Spam Lists To Reach High Score
Default: 5
If a message appears in at least this number of "Spam Lists" (as
defined above), then the message will be treated as "High Scor‐
ing Spam" and so the "High Scoring Spam Actions" will happen.
You probably want to set this to 2 if you are actually using
this feature. 5 is high enough that it will never happen unless
you use lots of "Spam Lists". This can also be the filename of a
ruleset.
Spam List Timeout
Default: 10
This is the number of seconds to wait for each "Spam List"
lookup to complete. If the lookup takes longer than this, it is
killed and ignored.
Max Spam List Timeouts
Default: 7
If a "Spam List" lookup times out for this many consecutive
checks without ever succeeding, then the particular "Spam List"
entry will not be used any more, as it appears to be unreach‐
able. When MailScanner restarts itself after a few hours,
MailScanner will try to use the entry again, in case service has
resumed properly.
Spam List Timeouts History
Default: 10
The total number of Spam List attempts during which "Max Spam
List Timeouts" will cause the spam list fo be marked as
"unavailable". See the previous comment for more information.
The default values of 5 and 10 mean that 5 timeouts in any
sequence of 10 attempts will cause the list to be marked as
"unavailable" until the next periodic restart (see "Restart
Every").
Is Definitely Not Spam
Default: %rules-dir%/spam.whitelist.rules
This option would normally be a ruleset. Any messages for which
the ruleset result is "yes" will never be marked as spam. This
is used to create a spam "whitelist" of addresses which are
never spam. You will probably want to include your own site (or
your own site's IP addresses) in this ruleset.
Is Definitely Spam
Default: no
This option would normally be a ruleset. Any messages for which
the ruleset result is "yes" will always be marked as spam. This
is used to create a spam "blacklist" of addresses of known spam‐
mers.
Definite Spam Is High Scoring
Default: no
Setting this to yes means that spam found in the blacklist is
treated as "High Scoring Spam" in the "Spam Actions" section
below. Setting it to no means that it will be treated as "nor‐
mal" spam. This can also be the filename of a ruleset.
Ignore Spam Whitelist If Recipients Exceed
Default: 20
Spammers have learnt that they can get their message through by
sending a message with lots of recipients, one of which chooses
to whitelist everything coming to them, including the spammer.
So if a message arrives with more than this number of recipi‐
ents, ignore the "Is Definitely Not Spam" whitelist.
SpamAssassin
Use SpamAssassin
Default: no
Do you want to detect spam using the very good SpamAssassin
package? You must have installed SpamAssassin before using this
option, otherwise MailScanner will not start properly.
NOTE for FreeBSD port user: The SpamAssassin port is not auto‐
matically installed with the MailScanner port. You can find it
at /usr/ports/mail/p5-Mail-SpamAssassin.
Max SpamAssassin Size
Default: 90000
SpamAssassin is quite slow when processing very large messages.
To work round this problem, this option provides a maximum size
for messages that are processed with SpamAssassin. Most real
spam is usually less than about 50,000 bytes per message.
Required Spam Assassin Score
Default: 6
This gives the minimum SpamAssassin score value above which mes‐
sages are spam. This replaces SpamAssassin's own "required_hits"
value, so that it can be a ruleset and set to different values
for different users/domains.
High SpamAssassin Score
Default: 20
Messages with a SpamAssassin score greater than this value are
labelled as being "High Scoring Spam", and a different set of
"Spam Actions" are applied to messages scoring at least this
value.
SpamAssassin Auto Whitelist
Default: no
SpamAssassin has a feature which measures the ratio of spam to
non-spam originating from different addresses, and will automat‐
ically add addresses to its own internal "whitelist" if most of
the messages from an address is not spam. This option enables
this feature of SpamAssassin. Please read their documentation
for more information.
SpamAssassin Prefs File
Default: %etc-dir%/spam.assassin.prefs.conf
SpamAssassin uses a "user preferences" file which can be used to
set the values of various SpamAssassin options. This is the name
of that file. Its most useful feature is that the
RBL/DNSBL/"Spam List" checks done by SpamAssassin can be dis‐
abled as MailScanner already does them and there is little to be
gained by doing these checks twice for every message.
SpamAssassin Timeout
Default: 30
This option sets the maximum number of seconds to wait for Spa‐
mAssassin to process a message. This is a useful protection
against occasional bugs in SpamAssassin that can cause it to
take hours to process a single message.
Max SpamAssasin Timeouts
Default: 20
If several consecutive calls to SpamAssassin time out, then
MailScanner decides that there is something stopping SpamAssas‐
sin from working properly. It will therefore be disabled for the
next few hours until MailScanner restarts itself, at which point
it will be tried again.
SpamAssassin Timeouts History
Default: 30
The total number of SpamAssassin attempts during which "Max Spa‐
mAssassin Timeouts" will cause SpamAssassin to be marked as
"unavailable". See the previous comment for more information.
The default values of 10 and 20 mean that 10 timeouts in any
sequence of 20 attempts will trigger the behaviour described
above, until the next periodic restart (see "Restart Every").
Check SpamAssassin If On Spam List
Default: yes
If a message has already triggered any of the "Spam List"
checks, the SpamAssassin check will be skipped if this option is
set to "no". This can help reduce the load on your server if
SpamAssassin checks take a long time for some reason.
Always Include SpamAssasin Report
Default: no
If this option is set, then the "Spam Header" will be included
in the header of every message, so its presence cannot be used
to filter out spam by your users' e-mail applications.
Spam Score
Default: yes
If a message is spam, and this option is set, then a header will
be added to the message containing 1 character for each point in
the SpamAssassin score. This allows users to choose for them‐
selves the SpamAssassin scores at which they want to do differ‐
ent things with the message, such as file it or delete it.
Cache SpamAssassin Results
Default: yes
Many naive spammers send out the same message to lots of people.
These messages are very likely to have roughly the same SpamAs‐
sassin score. For extra speed, cache the SpamAssassin results
for the messages being processed so that you only call SpamAs‐
sassin once for all of the messages. This can also be the file‐
name of a ruleset.
SpamAssassin Cache Database File
Default: /var/spool/MailScanner/incoming/SpamAsssassin.cache.db
The SpamAssassin cache uses a database file which needs to be
writable by the MailScanner "Run As User". This file will be
created and setup for you automatically when MailScanner is
started.
Rebuild Bayes Every
Default: 0
If you are using the Bayesian statistics engine on a busy
server, you may well need to force a Bayesian database rebuild
and expiry at regular intervals. This is measures in seconds. 24
hours = 86400 seconds. To disable this feature set this to 0.
Wait During Bayes Rebuild
Default: no
The Bayesian database rebuild and expiry may take a 2 or 3 min‐
utes to complete. During this time you can either wait, or sim‐
ply disable SpamAssassin checks until it has completed.
Custom Spam Scanner Plugin
Use Custom Spam Scanner
Default: no
Use the Custom Spam Scanner. This is code you will have to write
yourself, a function called "GenericSpamScanner" stored in the
file "MailScanner/lib/MailScanner/CustomFunctions/GenericSpam‐
Scanner.pm". A sample function is given in the correct file in
the distribution. This sample function also includes code to
show you how to make it run an external program to produce a
spam score. This can also be the filename of a ruleset. The
function will be passed
· $IP - the numeric IP address of the system on the
remote end of the SMTP connections
· $From - the address of the envelope sender of the mes‐
sage
· $To - a perl reference to the envelope recipients of
the message
· $Message - a perl reference to the list of line of the mes‐
sage
Max Custom Spam Scanner Size
Default: 20000
How much of the message should be passed tot he Custom Spam
Scanner. Most spam tools only need the first 20kbytes of the
message to determine if it is spam or not. Passing more than is
necessary only slows things down. This can also be the filename
of a ruleset.
Custom Spam Scanner Timeout
Default: 20
How long should the custom spam scanner take to run? If it takes
more seconds than this, then it should be considered to have
crashed and should be killed. This stops denial-of-service
attacks.
Max Custom Spam Scanner Timeouts
Default: 10
If the Custom Spam Scanner times out more times in a row than
this, then it will be marked as "unavailable" until MailScanner
next re-starts itself.
Custom Spam Scanner Timeout History
Default: 20
The total number of Custom Spam Scanner attempts during which
"Max Custom Spam Scanner Timeouts" will cause the Custom Spam
Scanner to be marked as "unavailable". See the previous comment
for more information. The default values of 10 and 20 mean that
10 timeouts in any sequence of 20 attempts will trigger the be‐
haviour described above, until the next periodic restart (see
"Restart Every").
What to do with spam
Spam Actions
Default: deliver
This can be any combination of 1 or more of the following key‐
words, and these actions are applied to any message which is
spam.
· deliver - the message is delivered to the recipient as nor‐
mal
· delete - the message is deleted
· store - the message is stored in the quarantine
· forward - an email address is supplied, to which the message
is forwarded
· notify - Send the recipients a short notification that spam
addressed to them was not delivered. They can then take
action to request retrieval of the orginal message if they
think it was not spam.
· striphtml - convert all in-line HTML content in the message
to be stripped to plain text, which removes all images and
scripts and so can be used to protect your users from offen‐
sive spam. Note that using this action on its own does not
imply that the message will be delivered, you will need to
specify "deliver" or "forward" to actually deliver the mes‐
sage.
· attachment - Convert the original message into an attachment
of the message. This means the user has to take an extra
step to open the spam, and stops "web bugs" very effec‐
tively.
· bounce - bounce the spam message. This option should not be
used and must be enabled with the "Enable Spam Bounce"
option first.
· header "name: value" - Add the header "name: value" to the
message. name must not contain any spaces.
High Scoring Spam Actions
Default: deliver
This is the same as the "Spam Actions" option above, but it
gives the actions to apply to any message whose SpamAssassin
score is above the "High Scoring" threshold described above.
Non Spam Actions
Default: deliver
This is the same as the "Spam Actions" option above, except that
it applies to messages that are NOT spam. The bounce option does
not make much sense here so do not use it.
Sender Spam Report
Default: %reports-dir%/sender.spam.report.txt
When the "bounce" spam action is applied to a message that trig‐
gered both a "Spam List" check and SpamAssassin, this file gives
the text to put in that message.
Sender Spam List Report
Default: %reports-dir%/sender.spam.rbl.report.txt
When the "bounce" spam action is applied to a message that trig‐
gered a "Spam List" check, this file gives the text to put in
that message.
Sender SpamAssassin Report
Default: %reports-dir%/sender.spam.sa.report.txt
When the "bounce" spam action is applied to a message that trig‐
gered SpamAssassin, this file gives the text to put in that mes‐
sage.
Inline Spam Warning
Default: %reports-dir%/inline.spam.warning.txt
If you use the 'attachment' Spam Action or High Scoring Spam
Action then this is the location of inline spam report that is
inserted at the top of the message.
Recipient Spam Report
Default: %reports-dir%/recipient.spam.report.txt
If you use the 'notify' Spam Action or High Scoring Spam Action
then this is the location of the notification message that is
sent to the original recipients of the message.
Enable Spam Bounce
Default: %rules-dir%/bounce.rules
You can use this ruleset to enable the "bounce" Spam Action. You
must *only* enable this for mail from sites with which you have
agreed to bounce possible spam. Use it on low-scoring spam only
(<10) and only to your regular customers for use in the rare
case that a message is mis-tagged as spam when it shouldn't have
been. Beware that many sites will automatically delete the
bounce messages created by using this option unless you have
agreed this with them in advance.
System logging
Syslog Facility
Default: mail
This is the name of the "facility" used by syslogd to log
MailScanner's messages. If this doesn't mean anything to you,
then either leave it alone or else read the "syslogd" man page.
Log Speed
Default: no
Do you want to log the processing speed for each section of the
code for a batch? This can be very useful for diagnosing speed
problems, particularly in spam checking.
Log Spam
Default: no
If this option is set, then every spam message will be logged to
syslog. If you get a lot of spam, or your server load is high,
you will want to leave this option switched off. But if you are
having trouble with spam detection, setting this to "yes" tempo‐
rarily can provide useful debugging output.
Log Non Spam
Default: no
Do you want all non-spam to be logged? Useful if you want to see
all the SpamAssassin reports of mail that was marked as
non-spam. Note: It will generate a lot of log traffic.
Log Permitted Filenames
Default: no
If this option is set, then every attachment filename that
passes the "filename rules" checks will be logged to syslog.
Normally this is of no interest. But if you are having trouble
getting your filename rules correct, setting, this can provide
useful debugging output.
Log Permitted Filetypes
Default: no
Log all the filenames that are allowed by the Filetype Rules, or
just the filetypes that are denied? This can also be the file‐
name of a ruleset.
Log Silent Viruses
Default: no
Log all occurrences of "Silent Viruses" as defined above? This
can only be a simple yes/no value, not a ruleset.
Log Dangerous HTML Tags
Default: no
Log all occurrences of HTML tags found in messages, that can be
blocked. This will help you build up your whitelist of message
sources for which particular HTML tags should be allowed, such
as mail from newsletters and daily cartoon strips. This can also
be the filename of a ruleset.
Advanced SpamAssassin Settings
If you are using Postfix you may well need to use some of the settings
below, as the home directory for the "postfix" user cannot be written
to by the "postfix" user. You may also need to use these if you have
installed SpamAssassin somewhere other than the default location.
SpamAssassin User State Dir
Default:
The per-user files (bayes, auto-whitelist, user_prefs) are
looked for here and in ~/.spamassassin/. Note the files are
mutable. If this is unset then no extra places are searched for.
NOTE: SpamAssassin is always called from MailScanner as the same
user, and that is the "Run As" user specified in MailScan‐
ner.conf. So you can only have 1 set of "per-user" files, it's
just that you might possibly need to modify this location. You
should not normally need to set this at all. If using Postfix,
you probably want to set this to /var/spool/MailScanner/spamas‐
sassin and do
mkdir /var/spool/MailScanner/spamassassin
chown postfix.postfix /var/spool/MailScanner/spamassassin
SpamAssassin Install Prefix
Default:
This setting is useful if SpamAssassin is installed in an
unusual place, e.g. /opt/MailScanner. The install prefix is used
to find some fallback directories if neither of the following
two settings work. If this is set then it adds to the list of
places that are searched; otherwise it has no effect.
SpamAssassin Local Rules Dir
Default:
This tells MailScanner where to look for the site-local rules.
If this is set it adds to the list of places that are searched.
MailScanner will always look at the following places (even if
this option is not set):
· prefix/etc/spamassassin
· prefix/etc/mail/spamassassin
· /usr/local/etc/spamassassin
· /etc/spamassassin
· /etc/mail/spamassassin
· maybe others as well
SpamAssassin Default Rules Dir
Default:
This tells MailScanner where to look for the default rules. If
this is set it adds to the list of places that are searched.
MailScanner will always look at the following places (even if
this option is not set):
· prefix/share/spamassassin
· /usr/local/share/spamassassin
· /usr/share/spamassassin
· maybe others as well
Advanced Settings
Spam Score Number Format
Default: %d
When putting the value of the spam score of a message into the
headers, how do you want to format it. If you don't know how to
use sprintf() or printf() in C, please *do not modify* this
value. This can also be the filename of a ruleset. A few exam‐
ples for you:
%d ==> 12
%5.2f ==> 12.34
%05.1f ==> 012.3
Debug Default: no
Not for use by normal users. Setting this option to "yes" will
put MailScanner into debugging mode, in which it creates
slightly more output and will not become a daemon.
Debug SpamAssassin
Default: no
Do you want to debug SpamAssassin from within MailScanner?
Run In Foreground
Default: no
Set Run In Foreground to "yes" if you want MailScanner to oper‐
ate normally in foreground (and not as a background daemon). Use
this if you are controlling the execution of MailScanner with a
tool like DJB's 'supervise' (see http://cr.yp.to/daemon‐
tools.html).
LDAP Server
Default:
If you are using an LDAP server to read the configuration, these
are the details required for the LDAP connection. The connection
is anonymous. Example: localhost
LDAP Base
Default:
If you are using an LDAP server to read the configuration, these
are the details required for the LDAP connection. The connection
is anonymous. Example: o=fsl
LDAP Site
Default:
If you are using an LDAP server to read the configuration, these
are the details required for the LDAP connection. The connection
is anonymous. Example: default
Always Looked Up Last
Default: no
The value of the option is actually never used, but it is evalu‐
ated at the end of processing a batch of messages. It is
designed to be used in conjunction with a Custom Function. The
Custom Function should then be written to have a "side effect"
of doing something useful such as logging lots of information
about the batch of messages to a file or an SQL database.
Deliver in Background
Default: yes
When attempting delivery of any messages (when the "Delivery
Method = batch") the sendmail/Exim command will be run in the
background so that MailScanner does not have to wait for the
delivery attempt to complete. There are very few good reasons
for setting this to "no".
Lockfile Dir
Default: /tmp
This is the directory in which lock files are placed to stop the
virus scanners used while they are in the middle of updating
themselves with new virus definitions. If you change this at
all, you will need to edit the "autoupdate" scripts for all your
virus scanners.
Custom Functions Dir
Default: /opt/MailScanner/lib/MailScanner/CustomFunctions
Default FreeBSD: /usr/local/lib/MailScanner/MailScanner/Custom‐
Functions
Where to put the code for your "Custom Functions". No code in
this directory should be over-written by the installation or
upgrade process. All files starting with "." or ending with
".rpmnew" will be ignored, all other files will be compiled and
may be used with Custom Functions.
Lock Type
Do not set this option to anything unless you know exactly what
you are doing. For sendmail and Exim, MailScanner will choose
the correct value by default. This affects how mail queue files
are locked, and your mail will be totally screwed up if you set
this option to anything other than the correct value for your
MTA. So leave it alone and let MailScanner choose the correct
value for you.
Minimum Code Status
Default: supported
Minimum acceptable code stability status -- if we come across
code that's not at least as stable as this, we barf. This is
currently only used to check that you don't end up using
untested virus scanner support code without realising it. Don't
even *think* about setting this to anything other than "beta" or
"supported" on a system that receives real mail until you have
tested it yourself and are happy that it is all working as you
expect it to. Don't set it to anything other than "supported" on
a system that could ever receive important mail. Levels used
are:
· none - there may not even be any code.
· unsupported - code may be completely untested, a contributed
dirty hack, anything, really.
· alpha - code is pretty well untested. Don't assume it will
work.
· beta - code is tested a bit. It should work.
· supported - code *should* be reliable.
Split Exim Spool
Default: yes
Are you using Exim with split spool directories? If you don't
understand this, the answer is probably "no". Refer to the Exim
documentation for more information about split spool directo‐
ries.
Use Default Rules With Multiple Recipients
Default: no
When trying to work out the value of configuration parameters
which are using a ruleset, this controls the behaviour when a
rule is checking the "To:" addresses. If this option is set to
"no", then some rules will use the result they get from the
first matching rule for any of the recipients of a message, so
the exact value cannot be predicted for messages with more than
1 recipient. This value *cannot* be the filename of a ruleset.
If this option is set to "yes", then the following happens when
checking the ruleset:
a) 1 recipient. Same behaviour as normal.
b) Several recipients, but all in the same domain (domain.com
for example). The rules are checked for one that matches the
string "*@domain.com".
c) Several recipients, not all in the same domain. The rules
are checked for one that matches the string "*@*".
RULESETS
Ruleset files should all be put in /opt/MailScanner/etc/rules (FreeBSD:
/usr/local/etc/MailScanner/rules) and their filename should end in
".rules" wherever possible.
All blank lines are ignored, and comments start with "#" and continue
to the end of the line, like this:
# This line is just a comment
Other than that, every line is a rule and looks like this example:
From: john.doe@domain.com yes
As you can see, each rule has 3 fields:
1. Direction
2. Pattern to match
3. Result value (or values)
1. Direction should be one of the following:
From: Matches when the message is from a matching address
To: Matches when the message is to a matching address
FromOrTo:
Matches when the message is from or to a matching address
FromAndTo:
Matches when the message is from and to a matching address
The syntax of these is very loosely defined. Any word containing
"from", any word containing "to", any word containing "from" and "to"
(in either order), and any word containing "and" will work just fine.
You can put them in upper or lower case, it doesn't matter. And any
additional punctuation will be ignored.
This specifies the whether the rule should be matched against the
sender's address (or IP address), or the recipient's address.
2. The pattern describes what messages should match this rule. Some
examples are:
user@sub.domain.com # Individual address
user@* # 1 user at any domain
*@sub.domain.com # Any user at 1 domain
*@*.domain.com # Any user at any sub-domain of "domain.com"
*@domain.com # Any user at 1 specific domain
/pattern/ # Any address matching this Perl regular
# expression
192.168. # Any SMTP client IP address in this network
/pattern-with-no-letters/ # Any SMTP client IP address matching this
# Perl regular expression
/^192.168.1[4567]./ # Any SMTP client IP address in the networks
# 192.168.14 - 192.168.17
*@* # Default value
default # Default value
You should be able to do just about anything with that.
3. The result value is what you could have put in the entry in the main
mailscanner.conf file had you not given the filename of a ruleset
instead.
See the file EXAMPLES for a few ideas on how to do things with this
system.
ATTACHMENT FILENAME RULESET
This is held in the filename pointed to by the configuration option
Filename rules. It contains a set of rules that are used to judge
whether any given file attachment should be accepted or rejected on the
basis of its filename, regardless of whether it is found to be
virus-infected or not. This can not only be used for draconian measures
such as banning all .exe attachments, but it can be used with any Perl
regular expression to provide facilities such as detection of attempts
at hiding filenames.
Many Windows e-mail programs (eg. Microsoft Outlook) hide common file
extensions in an attempt to not baffle the user. The result is that
while an attachment called "Your Document.doc" is helpfully displayed
as "Your Document", a more sinister attachment just as "Looks
Safe.txt.pif" will appear simply as "Looks Safe.txt". Many users recog‐
nise the .txt filename extension as applying to plain text files, which
they know are safe. So even an experienced user may well double-click
on this attachment thinking it is just going to start Notepad and dis‐
play the text file. However, the file is really an MS-Dos shortcut
(.pif file) and can execute any arbitrary commands the author wanted:
all without any indication to the unwitting user.
The rules are matched in order from the top to the bottom of the file,
and the first rule containing a matching regular expression is used.
Each line of the file is either blank, a comment (in which case it
starts with a '#' character) or is a rule made up of 4 fields separated
by one or more TAB characters:
allow / deny
Accept or reject the attachment if its filename matches the reg‐
ular expression
regular expression
The rule is executed if the attachment matches this expression.
It may optionally be surrounded in '/' characters.
log text
If the rule matches, this text is placed in the syslog. If the
text is "-", no string is logged.
user text
If the rule matches, this text is placed in the text message
sent to the user. If the text is "-", no text is used.
Please have a look at the filename.rules.conf or file‐
name.rules.conf.sample file provided with this distribution/pack‐
age/port.
SEE ALSOMailScanner(8)Julian Field 4.50.1 MailScanner.conf(5)
