Scanmail

A multithreaded virus scanner for the MDaemon mailserver, based on Clam AV.


AltN/RIM (Blackberry) MDaemon is a highly effective and very configurable mailserver for the Windows platform. As one of the main rivals to Exchange Server, it offers far greater flexibility than the latter, full compliance with RFC standards, very high stability, and a highly-informative interface which makes the tracing and routing of mail very straightforward.

There are at least two commercial antivirus products for the MDaemon mailserver. Both of these are costly, approaching the licence price of the mailserver itself. The third-party offering (in my experience) suffers from poor stability. The in-house product, whilst far more reliable, may have prerequisites which your system cannot meet, for example the requirement to keep upgrading to the latest release of MDaemon in order for the virus scanner to remain effective. In view of this, and of success with writing a similar extension for the Mercury mailserver, it seemed reasonable to investigate whether a home-grown AV solution for MDaemon might be possible.

Clam AV is a GPL antivirus solution, primarily aimed at the Linux market, but which also has several Windows ports. Being a commandline scanner with the ability to probe within MIME-encoded email messages, it is an ideal choice for the scanning of email. That, its noninvasive nature, and its freedom from usage restrictions were the deciding factors in its choice.

A little experimentation revealed that the very simple integration of a virus scanner which is possible with Mercury is not possible with MDaemon. This is in part due to MDaemon's greater sophistication. Providing effective virus scanning calls for a routine to isolate each message requiring scanning from the mailstream, and to re-insert it into that mailstream once scanning is complete. Achieving good throughput on a busy server also calls for multiple instances of the virus scanner to be launched, so that the arrival of new messages whilst an existing batch-scanning operation is in progress does not cause a bottleneck.

Scanmail is written in the AutoIt scripting language, available from http://www.autoitscript.com. Sourcecode is available.

Executable and sourcecode are available from the local download link. They are no longer on Sourceforge.

Installation:

Create a folder named "scanmail" in the root of your MDaemon installation.  For example, "C:\MDaemon\scanmail"

Unzip the contents of the package into here.

Run Freshclam.exe once manually, to download virus definitions.

Open scanmail.ini in a text editor. You may need to adjust one or two lines, although in most cases scanmail will work as-is.

MailAdmin is the email address of a person who will be informed if an in-house computer is pouring out infected messages to the Internet:
mailadmin=anyone @ this_domain.net
This might be the Postmaster account, but need not necessarily be.

In this version, the QueueBase parameter is deprecated in favour of finding the queue locations automatically, from MDaemon.ini.
Provided that scanmail is installed into the base folder of the MDaemon structure, this should happen with no further adjustment.
If scanmail is installed elsewhere, then queuebase should be set to the location containing the localq and remoteq folders.

Now in the MDaemon GUI:
For older versions open Setup -> Primary Domain and go to the "Pre-Processing" tab.
For the latest versions go to the Queues menu item and find the Pre-Processing tab.

Under Local Queue Processing:
Press the Browse button, and navigate to scanmail.exe
Add a space, and the word localq to the commandline.

Optionally, repeat the process for the remote queue,
but with the word remoteq added to the commandline.
(Remote queue scanning is nonessential, but may help to prevent a compromised computer from pouring out infected messages)

Set the Suspend Interval to -1 seconds, and tick "Don't execute when queue is empty" for both cases.

The result should look like this:


Policies:


The policy for inbound infected mail is to strip all attachments and to send a note to the intended recipient, using the same headers as the original. In this case there is no point in trying to warn the sender of the message: since almost all viruses send messages with forged "From" headers, attempting to do so would be more likely to needlessly alarm an uninvolved person than to reach the person whose computer has been compromised.

For outbound infected messages, the message is intercepted and a warning sent to an administrator. The warning should in most cases contain the IP address of the offending computer. In this instance there is no point in sending a warning to either the (apparent) sender or the (would-be) recipient. Instead, one is sent to a responsible person, who should then investigate the source of the message.

Infected messages can, if required, be retrieved from a 'SinBin' folder located in the mailstore root.
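The two policies above, as an added Python illustration (not Scanmail's own AutoIt code): a clamscan-style result line is parsed, then the local-queue (inbound) and remote-queue (outbound) handling is applied to a message. The scan line, the message and the mailadmin address are constructed, and reading the submitting host's IP from the topmost Received header is an assumption about how the warning obtains it.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample data (hypothetical, not real scan output or real mail).
SCAN_LINE = r"C:\MDaemon\scanmail\work\md50001.msg: Eicar-Test-Signature FOUND"
RAW_MSG = b"""Received: from pc17.example.test ([192.0.2.45]) by mail.example.test
From: someone@example.test
To: victim@other.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

MZ...
--b1--
"""

def parse_clamscan(line):
    """Return the signature name for a '<file>: <sig> FOUND' line, else None."""
    m = re.match(r"^(.*): (.+) FOUND$", line.strip())
    return m.group(2) if m else None

def source_ip(msg):
    """Assumption: the submitting PC is the bracketed IP in the topmost Received header."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return m.group(1) if m else "unknown"

def apply_policy(raw, queue, signature, mailadmin):
    """localq (inbound): strip all attachments, reuse the original headers, note to recipient.
    remoteq (outbound): intercept the message and warn mailadmin, quoting the source IP.
    Either way the original is kept (the 'quarantine' entry stands in for the SinBin)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if queue == "localq":
        note = EmailMessage()
        for h in ("From", "To", "Subject", "Date"):
            if msg[h]:
                note[h] = msg[h]
        note.set_content(f"Attachments removed: {signature} detected by the mail scanner.")
        return {"deliver": note, "quarantine": raw, "warn": None}
    warn = EmailMessage()
    warn["To"] = mailadmin
    warn["Subject"] = f"Outbound infection: {signature} from {source_ip(msg)}"
    warn.set_content(f"Message from {msg['From']} to {msg['To']} held in SinBin.")
    return {"deliver": None, "quarantine": raw, "warn": warn}
```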


Updating:


The virus definitions should update automatically. You may wish to check the date of the files in the 'db' folder occasionally to see that this is happening. To update the scanner itself, download the latest version from here, and unzip it into any suitable place. Copy everything except the .conf files to the scanmail folder. Scanmail.exe makes no alterations to the Windows system itself, and uses no registry entries.

Note: Owing to changes to the Clam Antivirus database structure over time, you may need to periodically update the ClamAV executables as described above. When doing so, retain the existing clamd.conf and freshclam.conf files as supplied with scanmail. After installing the updated exes, delete the contents of the 'db' subfolder and run freshclam.exe. If using a new scanmail package downloaded from here, do not allow the extraction process to over-write scanmail.ini if it contains your site-specific settings.

Alternatively, you can download the latest version of ClamAV for Windows (console version) from http://oss.netfarm.it/clamav/ . The download you need is the clamav-mingw-xxx.7z one, and you need 7-Zip to extract it. When installing, keep the original clamd.conf and freshclam.conf files, as the scanmail settings differ from the vanilla ones.

Bear in mind that successive versions of ClamAV may have slight differences in the way the commandline options behave, and this might require some adjustment of the parameters with which clamscan.exe is called. This is only likely to occur with major-version changes, however.

Removal:


Delete the two commandlines from MDaemon's 'Pre-Processing' options, as entered above.

Optionally, delete the scanmail folder.


Disclaimer:


This software is supplied 'as-is' and without warranty of any kind. All use is entirely at your own risk.  Released under the GPL licence.

Scanmail mailserver-interface copyleft IWR Consultancy, 2007.
ClamAV native Windows port copyright Gianluigi Tiesi.