MailScanner: selective virus scanning using a simple ruleset

Julian Field MailScanner at
Thu Feb 28 19:57:07 GMT 2008


There are many ways you can do this.
You want to use a "ruleset". In this case, it's a very simple one that 
just switches off the "Virus Scanning = yes" for these particular 
messages. You can set pretty much any setting in the MailScanner.conf 
file to different values for different messages, depending on where they 
come from and are going to. You can have a different ruleset for any 
setting, so you can build extremely complex configurations if that's 
what you need.

But in your case we can keep it very simple.
The setting we want to change is the "Virus Scanning" setting, which can 
take "yes" or "no" as its value. So first we build the ruleset file. 
These live in /etc/MailScanner/rules on most people's systems. You have 
to beware that the "from" address in an email message can be faked by a 
spammer or a virus, so you can't reliably control something as crucial 
as the actual virus scanning depending on only the "from" address. Less 
crucial settings, such as many of the spam detection settings are no 
problem, as a failure will just let through the occasional spam which is 
unlikely to cause anyone serious problems.

So we can say that, in your case, you want to set "Virus Scanning" to 
"yes" for most messages. You want it to be "no" for messages from 
root at, so long as they originate from the server 
itself, the IP address So put these 2 lines into 
/etc/MailScanner/rules/virus.scanning.rules file

From: root at and From: no
FromOrTo: default yes

That should have been 2 lines, just in case your email application 
wrapped the text onto 3 lines by mistake.

Then you just tell MailScanner to use the new ruleset file by setting 
this in your /etc/MailScanner/MailScanner.conf
Virus Scanning = %rules-dir%/virus.scanning.rules

The last 2 jobs are to check the new setting is right by running the command
    MailScanner --lint
and if that works okay then tell MailScanner to re-read its 
configuration immediately:
    /sbin/service MailScanner reload

You can have as many different rulesets as you like. Just don't put more 
than around 1000 lines into each ruleset as things will slow down a bit. 
In the /etc/MailScanner/rules directory, you will find a couple of 
examples which show you what you can put in ruleset files. You can make 
the 'address conditions' (just the simple "root at" 
in your case) very complicated if you need to, there are loads of 
different things you can do there.

If you can't write your requirements as a ruleset, but need to write 
some sort of a program to work out the value, you can write what are 
called "Custom Functions" to produce the result instead. Indeed, this is 
how the entire MailWatch package hooks into MailScanner.

The values set by a ruleset don't have to just be "yes" or "no". They 
can be whatever values are acceptable to the MailScanner.conf setting 
you are using the ruleset for. So you can give different report 
filenames for different customers, different languages for different 
domains, all sorts of things, it's only limited by your imagination and 

The configuration system I built into MailScanner is very easy to use, 
and most people's setups are very simple. But you can make it as complex 
as you need to, and it's all easy to manage and administer. Personally 
it's one of the cleverest bits of code I've written in quite a while :-) 
The bit I'm most proud of actually is the upgrade_MailScanner_conf 
script, as it can upgrade or downgrade from any MailScanner version to 
any other MailScanner version, without any external list of what the 
permitted options are or anything like that. It just uses the two 
filenames you give it to read from, and it works out everything from 
those. For example, did you know that upgrade_languages_conf and 
upgrade_MailScanner_conf are actually the same script? One is 
soft-linked to the other, there's only 1 copy of the script on your disk.

I hope that all helps you get started using rulesets. There are examples 
in the /etc/MailScanner/rules directory and in the wiki web site at and in the Book. The Book explains them 
all fairly well too.

If you haven't got the book, please can you buy one from the website? 
It's my only source of funding for MailScanner and its development and 
my ability to support it depend on the profits I make solely from 
selling the book. Many thanks!

If you can't afford a copy of the book, and just want the bit that 
explains rulesets, then drop me a line and I might give you a copy of 
that snippet of the book. It would be useful for that bit to be 
available for free on-line anyway, I think a lot of people would 
appreciate that, as many people seem to think they are more complicated 
than they actually are.

Good luck! And feel free to mail me if you really get stuck even after 
you've read the examples, the documentation on-line and in the book.



Julian Field MEng CITP CEng
Buy the MailScanner book at

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key:

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list