ged at jubileegroup
Nov 10, 2009, 10:19 AM
Post #10 of 15
(1940 views)
Permalink
|
|
Re: Quarantine issue with new 0.95.x clamav-milter
[In reply to]
|
|
Hi there,
On Tue, 10 Nov 2009 Mark Costlow wrote:
> Prior to 0.95, I had my clamav-milter configured to quarantine messages
> and reject them. So the sender got a 550 SMTP response, and we got
> a copy of the payload they were trying to send.
>
> In 0.95.3, I have the choice to tell the milter to Reject the message
> (which results in no quarantine) or to quarantine the message (which
> results in sendmail giving the sender a 200 "message accepted" response).
You're not the first to mention this. Nor was I:
http://www.mail-archive.com/clamav-users%40lists.clamav.net/msg27971.html
As you have now seen there is a widely held misconception that reading
the text of an incoming message and accepting the message amount to the
same thing. As you know, they are not the same at all. It's necessary
to read an incoming mail to see if it has a malicious content, and of
course you might then not want to deliver it. So although you will
reject the message during the SMTP conversation, you've still read it.
It should come as no surprise to anyone that having read the message,
it's possible to store it somewhere in the filesystem, e.g. for later
analysis, despite the fact that the message is to be rejected.
> Does anyone know a way to make sendmail return a 550 for quarantined
> messages? I'm using Sendmail 8.14.3.
Not if the quarantining is caused by clamav-milter. When I asked
about this a while ago, the new milter's author said "if you don't
like it, you can always use the old version which is kept under
/contrib/old-clamav-milter". To be fair, I don't think his first
qualification was in Customer Relations. :)
The old milter and the new milter view quarantining differently. The
old milter wrote the message to a file in a quarantine directory of
its own. The new one doesn't do that, instead it uses the Sendmail
milter API to tell Sendmail to quarantine the message in the Sendmail
queue directory. The milter API definition states that flagging a
message for quarantine makes no other change to the message status, so
Sendmail won't reject it just for that reason:
https://www.milter.org/developers/api/index
That means that if you use the new clamav-milter to quarantine the
messages, then you're stuck with the behaviour that you've described
unless you want to do a bit of coding in the milter, or to shout loud
enough for the clamav developer concerned to notice. He also said
that if Sendmail is told both to quarantine and to reject a message it
doesn't do what it's told. That makes sense, so I haven't tried. (*)
You do need to think what is meant by 'quarantine'. I think there's a
basic incompatibility between the idea of 'quarantine' as implemented
by the Sendmail code and as in "put the message there and reject it".
Sendmail means 'defer delivery until somebody has had a look at this'.
So when it quarantines a message, practically all that Sendmail will
do is change the way the file is stored in its queue directory. This
results in the message being ignored by the queue runner (which would
otherwise cause the message to be delivered) until the 'quarantined'
status is removed from the message. The administrator can take a
coffee break, or go on holiday, before he gets around to doing this
and obviously nobody would expect the sending servers to sit around
waiting for a return code while he's lying on a beach in the Bahamas.
So Sendmail is pretty much obliged to accept those messages which it
quarantines in its own queue directory.
When the old clamav-milter quarantined a message by putting it in a
directory of its own, not within the grasp of Sendmail, as far as all
the mail servers were concerned if Sendmail then rejected the message
that was the end of it. You would have a copy, but Sendmail neither
knows nor cares about that.
To mimic the old behaviour you could have clamav-milter add headers to
infected messages, and use another milter to read those headers then
store and reject the mail if it sees an 'infected' header. MIMEDefang
can do what you want, at the price of some complexity and overhead.
A simpler alternative is to write all the incoming mail to a log file,
as it comes in, during the SMTP conversation. One of the milters that
I use (milter-regex, which I highly recommend) does this as an option.
If a message is rejected for any reason, the full text (or, depending
on how you configure things, perhaps just the text up to the point at
which a decision was made to reject) will be in the log. It's a bit
of a pain to retrieve messages from the logs, and naturally they grow
rapidly and will need to be rotated regularly.
..oOo..
* To try it, all you'd probably need to do is change one line in the
function action_quarantine() clamfi.c and recompile:
static sfsistat action_quarantine(SMFICTX *ctx) {
if(smfi_quarantine(ctx, "quarantined by clamav-milter") != MI_SUCCESS) {
logg("^Failed to quarantine message\n");
return SMFIS_TEMPFAIL;
}
return SMFIS_ACCEPT;
}
Change SMFIS_ACCEPT to SMFIS_REJECT and see what happens. If it does
work, please let us know. If it doesn't work, then maybe we can come
up with something. It might mean quite a bit of coding to set up a
quarantine directory, and I probably wouldn't have time for that, but
a lot of the work has probably been done in the old milter. The odds
are that the code wouldn't make it into the ClamAV trunk unless a lot
of people make their appreciation known on this list.
--
73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
|
signature.asc
