Hi, I have a question about virus scanning at SMTP time. Sadly I still find Exim4 ACL stuff a bit of a black art :(

Sometimes a virus that clamav *does* already know about gets through. I notice from my Exim logs that this is often accompanied by this sort of message:

    2004-08-03 09:27:31 1BrmgJ-0006og-NA demime acl condition: base64 line length exceeds 76 characters
    2004-08-03 09:27:31 1BrmgJ-0006og-NA demime acl condition: base64 line contains illegal character
    2004-08-03 09:27:31 1BrmgJ-0006og-NA demime acl condition: base64 line length is not a multiple of 4 characters

I'm figuring that this virus (in this case Worm.MyDoom.M) has deliberately broken its MIME encoding and Exim has been unable to extract the file to pass to ClamAV. Does this sound right? Has anyone seen this sort of thing? Is there anything I can do about it?

I poked around a bit in google and found this site: http://www.webhostgear.com/149.html

It offers these lines, which might help in /etc/exim4/conf.d/acl/40_exim4-config_check_data:

    deny message = This message contains malformed MIME ($demime_reason)
         demime = *
         condition = ${if >{$demime_errorlevel}{2}{1}{0}}

If I understand this correctly, then it will deny any message with broken MIME encoding.

1. Will this help in my above situation?

2. Is this likely to mean that some legitimate email from, say, a well known mail client will be rejected? (This is a business mail server, so I need to be sure we aren't rejecting legit mail.)

If this is indeed useful, maybe Paul could add it to his "Rejecting Email Viruses the Right Way" page? Also you could add the rejecting of all messages containing dodgy windows executable extensions too IMO.

I'm running woody with backports of Exim4, ClamAV

cheers

dc

-- 
David Purton
[EMAIL PROTECTED]

For the eyes of the LORD range throughout the earth to strengthen those whose hearts are fully committed to him.
2 Chronicles 16:9a