Hi, On Thu, Oct 17, 2002 at 10:44:06AM +0200, Russell Coker wrote: > On Thu, 17 Oct 2002 10:32, Brian May wrote: > > On Thu, Oct 17, 2002 at 10:25:52AM +0200, Russell Coker wrote: > > > Ideally we would be able to detect the virus as it comes in and give a > > > 5xx SMTP code. > > > > Yes, that would be the best solution. > > > > exim is the only MTA I know of where I have heard this is possible > > though. > > The best solution would be to have a transperant proxy in front of the mail > server that does this. > > The proxy could pass the data through until a SMTP "DATA" command is sent (so > if the envelope sender or recipient addresses or of the sending host name or > RBL isn't right then the mail server can drop it). Then it would pause the > data stream until it had received it all and scanned it (sending code 5xx for > a virus and passing it on otherwise). > > Is Linux transperant proxying up to this? Can you intercept a data stream > while preserving both the source and destination addresses? Well, once you separate the TCP listener from the actual SMTP server, as done for servers run from (ucspi-tcp's) tcpserver[1] or inetd, then you can insert arbitrary programs into the pipe, without having to dig at the networking layers. Qmail has such a smtp filter (rblsmtpd[2]) that checks MAIL FROM: domains against RBLs; it only runs the real server (qmail-smtpd[3]) if the domain is not listed. Of course, other policies could be implemented this way as well. Have a look at Cheers, Emile. [1] http://cr.yp.to/ucspi-tcp/tcpserver.html [2] http://cr.yp.to/ucspi-tcp/rblsmtpd.html [3] http://www.qmail.org/qmail-manual-html/man8/qmail-smtpd.html -- E-Advies / Emile van Bergen | emile@e-advies.info tel. +31 (0)70 3906153 | http://www.e-advies.info
Attachment:
pgpHngFc5wxxr.pgp
Description: PGP signature