
Rejecting viral email at SMTP time with exim4

Posted by Steve on Mon 16 May 2005 at 22:55

If you're using the exim4 mail server you can reject mails with viral content at SMTP time, meaning they are never accepted for delivery and you don't have to worry about sending bounce messages to the often-faked "From" address.

To make use of the virus checking you need:

  • ClamAV antivirus software.
  • The exim4-daemon-heavy package installed.

The exim4-daemon-heavy package has additional options compared to the exim4-daemon-light, including ACL checks which we'll use to validate the message body of incoming emails with the virus scanner.

To start with we need to install the virus scanner. Running the following should install a scanner along with a tool to keep your definitions up to date:

apt-get install clamav-daemon

The clamav-daemon package will pull in the clamav-freshclam package, which keeps the virus definitions up to date, logging its update checks and results to the file /var/log/clamav/freshclam.log.

Once the package has been installed you should check that it's set up properly for use with the exim4 package.

You should examine the file /etc/clamav/clamd.conf and make sure the following two lines are present:

User clamav
AllowSupplementaryGroups

(These are included by default).

Now that the scanner is set up we need to do two things:

  • Tell exim4 how to connect to the scanning daemon.
  • Force exim4 to reject incoming mails which are flagged as viruses by the scanner.

If you're using the split configuration of Exim4 you should add the following content to /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:

# Specify the virus scanner to use
av_scanner = clamd:/var/run/clamav/clamd.ctl

Then we need to edit the exim ACL check - inside the directory /etc/exim4/conf.d/acl there are several files which contain ACLs which you can use to reject mails.

The file we will need to look at is called 40_exim4-config_check_data - this is used to check the body of incoming messages. ("data" here means the data that is sent as part of a message body with the SMTP command "data").

The file that you'll be looking at reads like this by default:

# 40_exim4-config_check_data

acl_check_data:

   # Deny unless the address list headers are syntactically correct.
   #
   # This is disabled by default because it might reject legitimate mail.
   # If you want your system to insist on syntactically valid address
   # headers, you might want to enable the following lines.
   # deny message = Message headers fail syntax check
   #    !acl = acl_whitelist_local_deny
   #    !verify = header_syntax

   # require that there is a verifiable sender address in at least
   # one of the "Sender:", "Reply-To:", or "From:" header lines.
   # deny message = No verifiable sender address in message headers
   #    !acl = acl_whitelist_local_deny
   #    !verify = header_sender

   # accept otherwise
   accept

To this we need to add some new directives just before the "accept otherwise" lines.

Insert the following:

   # Reject messages that have serious MIME errors.
   # This calls the demime condition again, but it
   # will return cached results.
   deny message = Serious MIME defect detected ($demime_reason)
   demime = *
   condition = ${if >{$demime_errorlevel}{2}{1}{0}}
   
   #
   # Reject file extensions used by worms.
   #
   deny message = This domain has a policy of not accepting certain types \
                  of attachments in mail as they may contain a virus.  \
                  \
                  This mail has a file with a .$found_extension attachment and \
                  is not accepted. \
                  \
                  If you have a legitimate need to send this attachment, send it \
                  in a compressed archive, and it will then be forwarded to the \
                  recipient.
   demime = vbs:bat:pif:scr
   .ifdef TEERGRUBE
      delay = TEERGRUBE
   .endif
   
   # Reject messages containing malware.
   deny message = This message contains a virus ($malware_name) and has been rejected
   malware = *

Once you've made this addition then you can restart the server:

/etc/init.d/exim4 restart

You can test that it's working correctly by sending a message from an outside machine and verifying that it is rejected at SMTP time without being delivered to your local user.

For this purpose the Eicar test virus is ideal: it is not a real virus at all. Instead it is a pattern that legitimate virus scanners add to their databases so they can be tested.

If you include an attachment with your mail containing the following test string, it should be identified as infected with a virus:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The test string actually is a real executable on DOS systems! It's a great example of pure ASCII shellcode - a program whose instructions come entirely from the printable ASCII range.

If you wish to run it you can save it to a file, named test.com - just note that the third character is the number zero, not the letter O...
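As an added example (not part of the original article), the following Python harness builds the three kinds of message the ACL rules above should treat differently (a clean mail, a .scr attachment for the demime extension rule, and an Eicar attachment for the malware rule), sends one to your server and reads the reply exim gives at the end of DATA. HOST, PORT, SENDER and RCPT are assumed placeholders to be replaced with your own.

```python
"""Added example, not from the original article: exercise the exim4/clamav
acl_check_data rules from an outside machine and interpret the SMTP reply.
HOST, PORT, SENDER and RCPT are assumed values, not from the article."""
import smtplib
from email.message import EmailMessage

HOST, PORT = "mail.example.internal", 25            # assumed: your exim4 host
SENDER = "tester@example.org"                       # assumed envelope sender
RCPT = "user@example.internal"                      # assumed local recipient

# The Eicar test file: scanners match it as the first bytes of a file no
# longer than 128 bytes, so it must travel as an attachment, not body text.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_message(kind):
    """kind: 'clean', 'eicar' (malware = * rule) or 'scr' (demime rule)."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RCPT
    msg["Subject"] = f"exim4/clamav ACL test: {kind}"
    msg.set_content("Test message for the acl_check_data rules.")
    if kind == "eicar":
        # base64 transfer encoding keeps the test bytes intact in transit
        msg.add_attachment(EICAR, maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    elif kind == "scr":
        # harmless text, but the .scr name matches demime = vbs:bat:pif:scr
        msg.add_attachment(b"not a screensaver\n", maintype="application",
                           subtype="octet-stream", filename="harmless.scr")
    return msg


def classify_reply(code):
    """Translate the reply code after DATA into what it means for this setup."""
    if 200 <= code < 300:
        return "accepted: the ACL did not fire, check av_scanner and the heavy daemon"
    if 500 <= code < 600:
        return "rejected at SMTP time: working as intended, no bounce generated"
    if 400 <= code < 500:
        return "temporarily rejected: scanner unreachable or cannot read /var/spool/exim4/scan"
    return "unexpected reply"


def send_test(kind, host=HOST, port=PORT):
    """Send one test message; returns (smtp_code, human_reading)."""
    msg = build_message(kind)
    with smtplib.SMTP(host, port, timeout=30) as s:
        s.ehlo()
        try:
            s.sendmail(SENDER, [RCPT], msg.as_bytes())
            code = 250                              # accepted for delivery
        except smtplib.SMTPDataError as e:          # 4xx/5xx after DATA
            code = e.smtp_code
    return code, classify_reply(code)


if __name__ == "__main__":
    for kind in ("clean", "scr", "eicar"):
        print(kind, *send_test(kind))
```

Only the eicar message should come back with a 5xx; a 4xx on every message points at the scanner connection or spool permissions rather than the ACL itself.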

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (69.157.xx.xx) on Tue 17 May 2005 at 21:03
debian noobs, be warned: this article assumes you chose to split up your exim configuration into a bunch of teeny files. this is something you need to adjust to, or perhaps reconfigure.

Doing the same with Courier (courier-mta)
Posted by Arthur (128.39.xx.xx) on Thu 19 May 2005 at 21:54
I detest exim! I find Courier much easier to live with. If you need instructions for integrating ClamAV with Courier, a handy URL is http://karmak.org/2004/courier-clamav/.

There's no excuse for backscattering (bouncing messages to envelope sender addresses), because most bouncing mail these days is either spam or virus laden. Backscatter needlessly annoys innocent systems and users to no good end. If you want to reject mail based upon whatever criteria you choose, do it during the SMTP transaction!

Re: Doing the same with Courier (courier-mta)
Posted by Steve (82.41.xx.xx) on Fri 20 May 2005 at 06:30
I'm curious as to why you dislike exim so much?

I've used sendmail, postfix, qmail and exim at various times (different systems/jobs/contract work, etc).

Each of them has pros and cons, but the only one I actively dislike using nowadays is sendmail.

Steve
-- Steve.org.uk

Re: Doing the same with Courier (courier-mta)
Posted by Arthur (193.219.xx.xx) on Fri 20 May 2005 at 07:41
Exim works fine, of course, and I trust it to always get the job done if it's configured properly. It goes in as a .deb just fine and works right out of the box, but I'm not one to be satisfied with that. I want to know how to make the thing walk and talk even if I'm never going to ask it to do so, but I don't want to have to earn a Master's Degree in exim to do it. Maybe exim just gives too darn many buttons to push. Maybe the documentation just doesn't go far enough to make me comfy actually pushing those buttons on a production server.

Maybe I'm just too darn simple minded. Once I abandoned sendmail, I decided to keep the MTA as simple as possible -- never mind that I had to endure qmail's quirks and limitations (including backscatter) for far too long...

Re: Doing the same with Courier (courier-mta)
Posted by Anonymous (81.56.xx.xx) on Sat 4 Jun 2005 at 15:45
As with all MTAs, you need to "get in" the configuration and really understand how it behaves, what can be done or not, and how to get it doing what you want.

It took me 3 full days to "get in" Exim, but now I can setup almost any behavior in less than an hour.

And remember: want a simple MTA? Use SSMTP :)

Re: Doing the same with Courier (courier-mta)
Posted by Anonymous (195.172.xx.xx) on Sun 29 May 2005 at 19:31
"deny" is not bouncing, but rejecting the smtp connection.

Refer to the introduction to Exim ACL configuration for more information.

Re: Doing the same with Courier (courier-mta)
Posted by Arthur (193.219.xx.xx) on Sun 29 May 2005 at 20:50
Oops... I wasn't aggressive enough in my editing. Prior to the edit, I had a lot of irrelevant stuff in there explaining my MTA migration from sendmail to qmail to Courier -- the part about backscatter was a rant about qmail.

I apologize for not being more careful. I didn't mean to imply that exim was responsible for backscattering.

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (195.50.xx.xx) on Wed 8 Jun 2005 at 14:30
It would be nice if exim had a way of having a backup virus scanner. I'm currently using woody with exim3 and an old perl script exiscan daemon that's modified so that when my primary av scanner (clamdscan) reports an error, it runs the secondary av scanner (clamscan). So that even when clamd crashes, mails would still be scanned.

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (81.130.xx.xx) on Sun 3 Jul 2005 at 15:40
Steve,
Great article but can you tell me why I'm getting the following error message:

zorb:~# /etc/init.d/exim4 restart
Restarting MTA: 2005-07-03 15:35:07 Exim configuration error in line 333 of /var/lib/exim4/config.autogenerated.tmp:
error in ACL: unknown ACL condition/modifier in "and is not accepted. If you have a legitimate need to send this attachment,"
Invalid new configfile /var/lib/exim4/config.autogenerated.tmp
not installing /var/lib/exim4/config.autogenerated.tmp to
/var/lib/exim4/config.autogenerated
zorb:~#

Could you post the correct version of:

40_exim4-config_check_data

Great site and regards - John

Re: Rejecting viral email at SMTP time with exim4
Posted by Steve (82.41.xx.xx) on Sun 3 Jul 2005 at 16:02
Take a look at line 333 of the file which is named there - maybe there's a comment wrap, or other issue.

For reference here's my complete 40_exim4-config_check_data.

Steve
-- Steve.org.uk

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (81.130.xx.xx) on Sun 3 Jul 2005 at 19:00
Thanks for the file. The problem was caused by a wrap issue which seems to have resolved itself now:

zorb:~# /etc/init.d/exim4 restart
Restarting MTA: exim4.
compassweb:~#

Prior to installing 'Clam' the mail was being delivered fine. However the system is now refusing to deliver mail to any address :-( and the Eicar virus test doesn't seem to work. Guess I must have screwed up the Clam installation somewhere. It's at times like these that one wishes Debian had a 'rollback' facility!

Re: Rejecting viral email at SMTP time with exim4
Posted by Steve (82.41.xx.xx) on Sun 3 Jul 2005 at 21:52
What do the exim logfiles show?

You should see messages in /var/log/exim4, the rejectlog, or mainlog might contain useful diagnostics.

Steve
-- Steve.org.uk

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (81.130.xx.xx) on Mon 4 Jul 2005 at 22:03
I'll read up and 'get into' Exim rather than continuing to post blindly. I know others that have experienced similar problems with ClamAV - freezing their mail programme!

I suppose the real question should be how to backup Exim prior to tinkering with the installation?? Is it possible to rollback to a previous working backup installation of Exim?

I have a friend that ran into similar problems with ClamAV and Qmail on a virtual server running Gentoo. Now he manages the mail with rbl smtp and spamassassin only.

Steve, it would be great if you could offer an Exim version of Qmail Rocks or perhaps even individual articles on setting up Squirrel Mail and Spamassassin on Exim 4??

Kind regards

Re: Rejecting viral email at SMTP time with exim4
Posted by Steve (82.41.xx.xx) on Mon 4 Jul 2005 at 22:09
Backing up exim is a simple matter of preserving pristine copies of your configuration files before making changes, either:

cp -R /etc/exim /etc/exim.safe

Or:

cp -R /etc/exim4 /etc/exim4-safe

should be suitable for exim3 and exim4. Restoring these backups and then restarting the exim server, via the init script should be sufficient to rollback.

(Although personally I'd never make changes to a live server, without replicating the setup on a test machine, or a desktop system first - that allows me to make large changes without too many broken upgrades, and potential lost mail).

I'm happy to add more Exim pieces to the pending list of articles to write, but my time is severely limited at the moment, so I wouldn't expect much more exim coverage at the moment.

Steve
-- Steve.org.uk

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (65.222.xx.xx) on Tue 19 Jul 2005 at 22:17
I use the Exim4 Split Configuration Setup. Any file which is a baseline from Debian, I copy and append a .rul suffix. The update-exim4-conf program will pick up these as replacement files. In addition, at each stage (such as basic config working, integrate ClamAV) I tar the configuration as an additional backup. These two methods have so far protected me.

Good luck,

Tim

Re: Rejecting viral email at SMTP time with exim4
Posted by fviktor (195.228.xx.xx) on Sun 14 Aug 2005 at 19:06
Hello,

Thanks for the useful help in configuring clamav for exim4. I use Debian Sarge (r3.1). It's a clean installation, not an upgraded Woody. The solution in this article raises a problem related to access rights on Sarge systems. Just configure exim4, then try to send an e-mail with an attachment. The mail will be rejected temporarily (quoted from /var/log/exim4/mainlog):

2005-08-14 19:13:11 1E4M2o-0003CG-W6 malware acl condition: clamd: ClamAV returned /var/spool/exim4/scan/1E4M2o-0003CG-W6: Access denied. ERROR
2005-08-14 19:13:11 1E4M2o-0003CG-W6 H=(sirius) [192.168.0.136] F= temporarily rejected after DATA

I tracked this down. Exim places files to scan under: /var/spool/exim4/scan/

But clamd has no right to access those files, since:

s2:/var/spool# ls -la | grep exim
drwxr-x--- 6 Debian-exim Debian-exim 4096 2005-08-14 19:13 exim4
s2:/var/spool# cd exim4
s2:/var/spool/exim4# ls -la|grep scan
drwxr-x--- 2 Debian-exim Debian-exim 4096 2005-08-14 19:13 scan

Clamd is run as user clamav,

s2:/var/log/exim4# ps -Af|grep clamd
clamav 12700 1 0 19:46 ? 00:00:00 /usr/sbin/clamd

so I've added clamav to the Debian-exim group, then restarted exim4. This solved the problem for mails sent after restarting exim4.

The virus filtering has been verified by attaching a file containing the standard Eicar-Test-Signature. Mainlog entries:

2005-08-14 20:29:34 1E4NEk-0003Lu-3y H=(sirius) [192.168.0.136] F= rejected after DATA: A levele [Eicar-Test-Signature] kartekony programot tartalmaz. Kerem virusirtas utan kuldje ujra!

The error message is in Hungarian (only ASCII characters used, no accented ones).

Note: It seems that Outlook cannot handle the reject response from the SMTP server (exim4). It raises error code 0x800CCC69 and reports some random characters as the response of the SMTP server. Does anybody know why?

I hope this helps to configure ClamAV for Exim4.

Greetings, Ferenczi Viktor - Hungary

Re: Rejecting viral email at SMTP time with exim4
Posted by jwinius (213.84.xx.xx) on Sat 24 Dec 2005 at 18:36
I had the same problem. I added clamav to the Debian-exim group and restarted exim4, but I still got the same error:

malware acl condition: clamd: ClamAV \
returned /var/spool/exim4/scan/1EqAmc-0005Be-UI: \
Access denied. ERROR

Unfortunately, in my case this wasn't going to solve anything. This is because I've got exim4 and clamd running on different machines. I'm running woody with exim-daemon-heavy 4.34.9 (a backport; the machine can't be upgraded any further for now) on the one and sarge with clamav 0.87.1 on the other.

For Exim on the woody box I have the following configuration:

- in ./acl/40_exim4-config_check_data:

malware = *

- in ./main/02_exim4-config_options:

av_scanner = clamd:192.168.242.11 3310


What I wanted to do was have the Exim contact clamd on the other box and stream its data there to have it checked. It's supposed to do this by contacting clamd on port 3310, issuing the 'STREAM' command after which clamd returns 'PORT <number>', establishing a concurrent connection to that port number, streaming the data there, and then receiving the results on the 3310 connection. I tested this manually and it works just fine as far as I can tell.

However, this is not what Exim (Exiscan) does. Apparently, Exiscan can only issue the clamd 'SCAN' command and doesn't know about 'STREAM'. After 'SCAN', it sends a file name, '/var/spool/exim4/scan/<message_id>', for clamd to scan. Clamd on the other machine tries to access this file, finds nothing and assumes it's an acl problem. That's the reason for the error message.

The way I solved this problem was to export the mail server's /var/spool/exim4/scan directory to the same location on the clamd machine's file system and by making sure that clamd had sufficient access to it. It's not the most elegant solution, but it works.

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (62.73.xx.xx) on Fri 16 Sep 2005 at 08:43
I had to add the "clamav" user to the "Debian-exim" group for access to the /var/spool/exim4/scan directory.

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (216.231.xx.xx) on Sun 29 Jan 2006 at 21:35
I followed this to the letter, and exim choked on the first line:
av_scanner = clamd:/var/run/clamav/clamd.ctl

Re: Rejecting viral email at SMTP time with exim4
Posted by Steve (82.41.xx.xx) on Sun 29 Jan 2006 at 21:59
This will only work if you have the "heavy" version of exim4 installed:

apt-get install exim4-daemon-heavy

The "light" version will of course complain. I recently setup a new server using this recipe and all works fine, so I'm guessing that something is different on your system, or you didn't follow things 100% to the letter..

Steve

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (216.231.xx.xx) on Thu 2 Feb 2006 at 13:34
Nope, you got it right, I'm using 'light'. I'll switch and try again.

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (216.231.xx.xx) on Thu 2 Feb 2006 at 14:11
Finally got it.. I had to do the above twiddling with the /etc/group entry, plus restart ClamAV to get it to stop 'temporarily rejecting'.

(Jeesh, I can't believe I had light installed.. What a cad!)

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (217.6.xx.xx) on Thu 13 Apr 2006 at 19:41
I just want to say: "Thank you" for that great feature.
After I added clamav to the Debian-exim group and restarted the deamon it works as expected.

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (212.201.xx.xx) on Thu 21 Sep 2006 at 13:57
The article mentions that the third letter of the test virus must be the digit 0 and not the letter O, whereas the website eicar.com says exactly the opposite. Please get a bit more consistent about this. Thanks.

Re: Rejecting viral email at SMTP time with exim4
Posted by popey (84.45.xx.xx) on Sun 11 Feb 2007 at 16:36
I planned to do this and also setup greylisting (not done yet) to try to stem some spam - I currently use mailscanner, but would like to add to that.

Just tried this process on my sarge box and came across an issue.

I installed clamav (used the debian-volatile source) and freshclam updates fine. I also installed exim-daemon-heavy and that seems fine too.

Only when I changed 40_exim4-config_check_data as per your suggestion I get mails bouncing (when I test via telnet) with an error 451, local problem. Of course, I then don't get the mail.

Any ideas what could be the cause? I see nothing in mainlog or rejectlog.

Re: Rejecting viral email at SMTP time with exim4
Posted by popey (84.45.xx.xx) on Sun 11 Feb 2007 at 17:32
Oh how foolish I am, forgot I have /var/log/exim4 and /var/log/exim4_incoming..

Re: Rejecting viral email at SMTP time with exim4
Posted by chris (217.8.xx.xx) on Tue 10 Apr 2007 at 14:26
I'm getting the following in exim4's paniclog:

clamd: unable to connect to UNIX socket /var/run/clamav/clamd.ctl

but the file exists. I see both exim and clam start as S20 under rc2.d - just wondering if maybe clamav isn't fully started when exim4 starts? I could try changing the numbers - but - I don't want to keep bouncing a live web/mail server - just wondering if any others have seen this? The clam headers appear to be correctly present in my mail.

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (83.160.xx.xx) on Mon 13 Aug 2007 at 10:35
I have the same problem as Chris with lines being written to exim's paniclog.

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (78.32.xx.xx) on Sun 23 Sep 2007 at 07:55
I found that (in version 4.63-17 of exim4) the av_scanner line is already in main/02_exim4-config_options, but commented out.

This seems like a better place for it than main/01_exim4-config_listmacrosdefs, because it's not a macro.

Otherwise, this page is very helpful.

Re: viral email / shellcode
Posted by Anonymous (71.146.xx.xx) on Fri 9 Nov 2007 at 06:48
Pure ASCII shell code ... the website link is different now --
http://shellcode.org/Shellcode/linux/ascii/

Larry.

Re: Rejecting viral email at SMTP time with exim4
Posted by Anonymous (193.60.xx.xx) on Mon 1 Sep 2008 at 13:13
Remember update-exim4.conf if you've got split config