
Re: replacing sanitizer w/ amavisd-new



On Sat, Jan 10, 2004 at 08:39:39PM -0700, Michael Loftis wrote:
> ># mailscanner system, works with Postfix and other MTAs. This uses
> >unsupported methods to manipulate Postfix queue files, and there are
> >multiple reports of message duplication and/or delivery of truncated
> >messages.
> 
> It isn't exactly supported nor unsupported....

anything that manipulates postfix queue files directly is definitely
unsupported.  Wietse Venema (postfix's author) strongly recommends against
using any such tools as the exact format and structure of the postfix queues is
considered internal to postfix and is subject to change at any time without
notice.

> Basically it relies on the fact that postfix can be told to use deferred
> transports on inbound, automatically forcing everything to go into the
> deferred queue.  You run one copy of postfix in that mode.  

it also relies on the queue file format and queue directory structure not
changing, which is explicitly denied by the postfix author.


> 
> MailScanner catches about 30% more 'dangerous content' and virii than
> amavisd-new given the same virus scanner because MS seems to unpack more
> thoroughly/properly.  

the fact is, if you want to block viruses your best bet is to use body and
mime-header checks to block all executable attachments.  very few users really
need to email an executable, and those that do can be taught to zip it up
first.

trojans inside zip files etc may still get through, so you still need a
scanner....but by blocking executables you are greatly reducing the amount of
work that the AV scanner has to do, and thus greatly reducing the load on the
server.

also, trojans aren't anywhere near as much of a problem as viruses as they
require active user stupidity (to run them) rather than just passive user
stupidity (running outlook).

craig
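
The attachment policy described in the message above (reject executable attachments by name, let archives through to the AV scanner), as an added example that is not part of the original post and is not Postfix configuration. It is a Python sketch of the same filename check; the extension list, function names and sample message are assumptions constructed for illustration.

```python
# Added example: attachment-extension policy check (not from the original post).
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist; the post only says "all executable attachments".
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of MIME parts whose final extension is blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename=, falls back to
        # Content-Type name=, and decodes RFC 2231 encoded parameters.
        name = part.get_filename()
        if not name:
            continue
        # Only the last extension matters ("photo.jpg.scr" is a .scr file).
        # Trailing dots and spaces are stripped before the comparison.
        _stem, dot, ext = name.rstrip(". ").rpartition(".")
        if dot and ext.lower() in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filenames: list[str]) -> bytes:
    """Constructed sample message with one dummy attachment per filename."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("see attached")
    for fn in filenames:
        msg.add_attachment(b"dummy bytes", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample(["report.pdf", "Setup.EXE", "photo.jpg.scr", "tools.zip"])
    # The zip is not flagged: archive contents are left to the AV scanner.
    print(blocked_attachments(sample))
```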


