Block SOBER at MTA (postfix)

Drew Marshall drew at THEMARSHALLS.CO.UK
Mon Dec 5 18:02:15 GMT 2005


On Mon, December 5, 2005 17:52, Drew Marshall wrote:
> On Mon, December 5, 2005 17:15, Dhawal Doshy wrote:
>> As Drew mentioned, this is NOT supposed to replace a real AV but at the
>> same time I'd like having a feature where viruses are rejected without
>> much processing power. Plugging in an AV at the MTA is not such a great
>> idea (no bandwidth savings and no decrease in resource usage).
>
> Oh, I don't know. If you plug in the clamAV scanner in the right place...
>
Replying to one's self, it's something to do with Postfix users. How sad...

> If you use before queue scanning as described here
> http://www.postfix.org/SMTPD_PROXY_README.html and set up the SMTP clam
> scanner as per here http://memberwebs.com/nielsen/software/clamsmtp/ you
> will save bandwidth as you can get Postfix to reject the mail at SMTP
> stage

Save some processing power, not bandwidth, is what I meant, as you don't use
SA this early (nor indeed do you accept the message).

Thinking about this further, I wouldn't recommend it as your box would
start to die under a sustained mail bombardment as the mail wouldn't queue
for scanning (One of the advantages of MailScanner) and you would be
reliant on Clam returning before the SMTP session timed out.

>
> but it won't save processing in the same way as a decent MIME/header/
> body check will do.

As that doesn't use Clam at all! A word of caution, which I should have
included before, all forms of message check come at a performance price so
the more you add or the more complex you make them the larger the hit
(Hence the word decent!).

>
>>
>> What I was not sure about is when do these body checks take place.
>>
>> a. Mail is almost accepted / rejected (just before 250 OK / 550 REJECT)
>> and then rejected in which case there is no substantial bandwidth
>> saving. This is not the case as per the postfix-users list.
>> b. Rejected as soon as the offending MIME line is found, this is done
>> using the body_checks_size_limit (default 51200) in postfix. This is
>> what really happens (see postfix ain't so bad after all).
>>
>> I have a significant benefit (decrease in bandwidth and resource usage)
>> in doing these checks, if someone benefits from this as well great!! but
>> I completely agree in NOT converting this into a project but rather
>> continuing on a per incident basis in case of severe viral outbreaks and
>> let MailScanner handle regular non-PITA/N worms (so any volunteers? :)
>> ).
>
> Not being smart enough to do this (Reliably) I'll gracefully back away.
>
> It should also be remembered that you should consider what/who you will
> be '550ing' and take suitable steps. For example one of my boxes relays
> for another Internet connected box, which also happens to serve another
> domain. The incoming mail is swept for viruses after this box relays to me
> so I receive 'unclean' mail from it and clean it before delivery. In this
> instance it is of no benefit to bounce this mail as it would just generate
> virus-laden bounce messages from the incoming server (Who has, after all,
> accepted the message). Rather than remove the problem it adds to it (And
> possibly creates a Joe Job for some poor domain owner elsewhere on the
> Internet). In this instance, I would rather take the bandwidth hit and
> just send those messages to the bit bucket to no longer pester the world.
>
> Drew



-- 
In line with our policy, this message has 
been scanned for viruses and dangerous 
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
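
An added configuration sketch, not part of the original thread, of the two outcomes discussed above: a Postfix body check that answers with a 5xx, and the same check discarding silently on a host fed by a relay that has already accepted the mail. The file paths are assumptions and the pattern is a placeholder, not a real worm signature.

```conf
# --- /etc/postfix/main.cf (path assumed) ---------------------------------
# Match body lines against a PCRE table while the message is received.
# Use regexp: instead of pcre: if Postfix was built without PCRE support.
body_checks = pcre:/etc/postfix/body_checks

# How many bytes of each body segment (attachment) body_checks inspects.
# 51200 is the default quoted in the thread.
body_checks_size_limit = 51200

# --- /etc/postfix/body_checks, variant A ---------------------------------
# For a host that receives mail directly from the Internet.
# REJECT makes smtpd answer the sending client with a 5xx reply, so the
# message is never queued here and this host generates no bounce.
# PLACEHOLDER pattern: replace with a line taken from a real sample.
/^PLACEHOLDER_LINE_FROM_WORM_SAMPLE$/   REJECT virus signature matched

# --- /etc/postfix/body_checks, variant B ---------------------------------
# For a host that is fed by an upstream relay which has already accepted
# the message. A 5xx here would make that relay build a bounce to the
# sender address on the message. DISCARD accepts the message and drops it
# silently (the "bit bucket"), at the cost of receiving it in full.
/^PLACEHOLDER_LINE_FROM_WORM_SAMPLE$/   DISCARD virus signature matched
```

Use one variant per host, since body_checks applies to all mail the cleanup service handles; check a table with `postmap -q` against a sample line before reloading Postfix.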