Scanmail

A multithreaded virus scanner for the MDaemon mailserver, based on Clam AV.


MDaemon is a highly effective and very configurable mailserver for the Windows platform. As one of the main rivals to Exchange Server, it offers far greater flexibility than the latter, full compliance with RFC standards, very high stability, and a highly informative interface which makes the tracing and routing of mail very straightforward.

There are at least two commercial antivirus products for the MDaemon mailserver. Both of these are costly, approaching the license price of the mailserver itself. The third-party offering (in my experience) suffers from poor stability. The in-house product, whilst far more reliable, may have prerequisites which your system cannot meet, for example the requirement to constantly keep upgrading to the latest release of MDaemon in order for the virus scanner to remain effective. In view of this, and of success with writing a similar extension for the Mercury mailserver, it seemed reasonable to investigate whether a home-grown AV solution for MDaemon might be possible.

Clam AV is a GPL antivirus solution, primarily aimed at the Linux market, but which also has several Windows ports. Being a command-line scanner with the ability to probe within MIME-encoded email messages, it is an ideal choice for the scanning of email. That, its non-invasive nature, and its freedom from usage restrictions were the deciding factors in its choice.

A little experimentation revealed that the very simple integration of a virus scanner which is possible with Mercury is not possible with MDaemon. This is in part due to MDaemon's greater sophistication. Providing effective virus scanning calls for a routine to isolate each message requiring scanning from the mailstream, re-inserting it into that mailstream once scanning is complete. Achieving good throughput on a busy server also calls for multiple instances of the virus scanner to be launched, so that the arrival of new messages whilst an existing batch-scanning operation is in progress will not cause a bottleneck.
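The isolate, scan and re-insert pattern just described, as an added Python example that is not part of Scanmail (which is written in AutoIt): every message currently in the queue folder is moved into a private working folder, a pool of worker threads scans them, and each file is then moved back into the queue if clean or into a SinBin folder if not. The scan_file function is a constructed stand-in for calling clamscan, and the folder names, the marker string and the sample messages are assumptions made for the example.

```python
"""Added example, not Scanmail's own code: isolate a batch of queued
messages, scan them in parallel, and re-insert the clean ones."""
from __future__ import annotations

import os
import shutil
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

# Constructed stand-in for the antivirus engine.  A real deployment would run
# clamscan/clamd against the file and act on its exit status; here a message
# counts as infected when it contains this made-up marker.
TEST_MARKER = b"X-Constructed-Test-Marker: infected"


def scan_file(path: Path) -> bool:
    """Return True when the scanner judges the file infected."""
    return TEST_MARKER in path.read_bytes()


def isolate_batch(queue_dir: Path, work_dir: Path) -> list[Path]:
    """Move every *.msg currently in the queue into a private working folder.

    os.replace is a single rename on the same volume, so the mailserver never
    sees a half-moved file.  Messages that arrive after this snapshot stay in
    the queue for the next run instead of stalling this one."""
    work_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for msg in sorted(queue_dir.glob("*.msg")):
        dest = work_dir / msg.name
        os.replace(msg, dest)
        moved.append(dest)
    return moved


def process_one(msg: Path, queue_dir: Path, sinbin: Path) -> tuple[str, bool]:
    """Scan one isolated message; re-insert it if clean, quarantine it if not."""
    infected = scan_file(msg)
    target_dir = sinbin if infected else queue_dir
    target_dir.mkdir(parents=True, exist_ok=True)
    os.replace(msg, target_dir / msg.name)
    return msg.name, infected


def scan_queue(queue_dir: Path, sinbin: Path, workers: int = 4) -> dict[str, bool]:
    """One scanning pass over a queue: isolate, scan in parallel, re-insert.

    The working folder is created beside the queue (same volume) so that the
    moves in and out of it remain plain renames."""
    with tempfile.TemporaryDirectory(dir=queue_dir.parent) as tmp:
        batch = isolate_batch(queue_dir, Path(tmp))
        with ThreadPoolExecutor(max_workers=workers) as pool:
            results = pool.map(lambda m: process_one(m, queue_dir, sinbin), batch)
            return dict(results)


def demo() -> dict[str, bool]:
    """Run one pass over a constructed two-message queue and report verdicts."""
    root = Path(tempfile.mkdtemp(prefix="scanmail-demo-"))
    queue, sinbin = root / "localq", root / "SinBin"
    queue.mkdir()
    (queue / "clean.msg").write_bytes(b"From: a@example.net\r\n\r\nhello\r\n")
    (queue / "bad.msg").write_bytes(
        b"From: b@example.net\r\n" + TEST_MARKER + b"\r\n\r\nsee attached\r\n"
    )
    try:
        verdicts = scan_queue(queue, sinbin)
        # Clean mail is back in the queue; the infected one sits in the SinBin.
        assert (queue / "clean.msg").exists()
        assert (sinbin / "bad.msg").exists() and not (queue / "bad.msg").exists()
    finally:
        shutil.rmtree(root)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Because the snapshot is taken by renaming files out of the queue, a second scanner instance started by the mailserver while this one is still busy simply picks up whatever arrived afterwards; the two never contend for the same file, which is the property the multiple-instance design relies on.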

Scanmail is written in the AutoIt scripting language, available from http://www.autoitscript.com. Source code is available.

The complete scanmail package can be downloaded here (~30MB, includes ClamAV 0.96 and April '10 definitions.)

Alternatively, you can download just the interface files here if you intend to use an existing copy of ClamAV. (<1MB)

Note: Recent changes to Clam Antivirus (as of 15th April 2010) make versions of clamd.exe prior to 0.95 incompatible with the latest virus database. If you are using an older version, the scanner will probably not run at all. The download on this site now contains clamd 0.96 and a new virus database. Before installing the update, delete the contents of the 'db' subfolder. Do not allow the extraction process to overwrite scanmail.ini if it contains your site-specific settings.

Alternatively, you can download the latest version of ClamAV for Windows (console version) from http://oss.netfarm.it/clamav/ The download you need is the clamav-mingw-xxx.7z one, and you need 7-zip to extract it. When installing, keep the original clamd.conf and freshclam.conf files, as the scanmail settings differ from the vanilla ones.

Installation:


Create a folder named "scanmail" in the root of your MDaemon installation. For example, "C:\MDaemon\scanmail"

Unzip the contents of the package into here.

Run Freshclam.exe once manually, to download virus definitions.

Open scanmail.ini in a text editor. You need to adjust two lines.

QueueBase should be set to the location containing the localq and remoteq folders. The two most common values would be:
queuebase=c:\mdaemon
or
queuebase=c:\program files\mdaemon
MailAdmin is the email address of a person who will be informed if an in-house computer is pouring out infected messages to the Internet:
mailadmin=anyone@this_domain.net
This might be the Postmaster account, but need not necessarily be.

In MDaemon, open Setup -> Primary Domain and go to the "Pre-Processing" tab.

Under Local Queue Processing:
Press the Browse button, and navigate to scanmail.exe
Add a space, and the word localq to the commandline.

Optionally, repeat the process for the remote queue,
but with the word remoteq added to the commandline.
(Remote queue scanning is nonessential, but may help to prevent a compromised computer from pouring out infected messages)

Set the Suspend Interval to -1 seconds, and tick "Don't execute when queue is empty" for both cases.

The result should look like this:


Policies:


The policy for inbound infected mail is to strip all attachments, and to send a note to the intended recipient, using the same headers as the original. In this case there is no point in trying to warn the sender of the message. Since almost all viruses send messages with forged "From" headers, attempting to do so would be more likely to needlessly alarm an uninvolved person than to reach the person whose computer has been compromised. 

For outbound infected messages, the message is intercepted, and a warning sent to an administrator. The warning should in most cases contain the IP address of the offending computer. In this instance there is no point in sending a warning to either the (apparent) sender or (would-be) recipient. Instead, we send one to a responsible person, who should then investigate the source of the message.

Infected messages can, if required, be retrieved from a 'SinBin' folder located in the mailstore root.
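The two policies above, and the MailAdmin setting from the installation notes, as an added Python example that is not Scanmail's own code: for an inbound infected message the attachments are dropped and a notice is built that carries the original From, To, Subject, Date and Message-ID headers; for an outbound one a warning is addressed to the administrator and includes the submitting host's IP taken from the topmost Received header, since the From header cannot be trusted. The message is assumed to have already been flagged as infected by the scanner; the mapping of localq to inbound and remoteq to outbound, the key=value parsing of scanmail.ini and the sample message are assumptions made for the example.

```python
"""Added example, not Scanmail's own code: apply the inbound/outbound policy
to a message that the scanner has already flagged as infected."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Constructed fragment in the key=value style of scanmail.ini.
INI_TEXT = """queuebase=c:\\mdaemon
mailadmin=postmaster@this_domain.net
"""

# Headers carried over from the original onto the recipient's notice.
KEEP_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")

# The bracketed literal in a Received: header is the address the receiving
# server actually saw; unlike From:, a virus cannot forge it.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_ini(text: str) -> dict[str, str]:
    """Read key=value lines; blank lines, [sections] and ;/# comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def strip_attachments(msg: EmailMessage) -> EmailMessage:
    """Inbound policy: same headers, every attachment dropped, body replaced
    by a short notice listing what was removed."""
    note = EmailMessage()
    for name in KEEP_HEADERS:
        if msg[name] is not None:
            note[name] = str(msg[name])
    removed = [p.get_filename() or p.get_content_type() for p in msg.iter_attachments()]
    note.set_content(
        "An infected attachment was removed from this message by the mail server.\n"
        f"Removed parts: {', '.join(removed) or 'none'}\n"
    )
    return note


def source_ip(msg: EmailMessage) -> str | None:
    """IP of the submitting host, taken from the topmost Received: header."""
    for received in msg.get_all("Received", []):
        match = RECEIVED_IP.search(str(received))
        if match:
            return match.group(1)
    return None


def admin_warning(msg: EmailMessage, mailadmin: str) -> EmailMessage:
    """Outbound policy: tell the administrator, not the (forged) sender or the
    would-be recipient, and include the address of the offending computer."""
    warn = EmailMessage()
    warn["To"] = mailadmin
    warn["From"] = mailadmin
    warn["Subject"] = "Scanmail: infected outbound message intercepted"
    warn.set_content(
        f"Source IP: {source_ip(msg) or 'unknown'}\n"
        f"Claimed From: {msg['From']}\n"
        f"Claimed To: {msg['To']}\n"
        f"Subject: {msg['Subject']}\n"
    )
    return warn


def apply_policy(raw: bytes, queue: str, mailadmin: str) -> tuple[str, EmailMessage]:
    """Dispatch an infected message by the queue scanmail was invoked for.
    Treating localq as inbound and remoteq as outbound is this example's assumption."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if queue == "localq":
        return "deliver-notice-to-recipient", strip_attachments(msg)
    if queue == "remoteq":
        return "hold-and-warn-admin", admin_warning(msg, mailadmin)
    raise ValueError(f"unknown queue {queue!r}")


# Constructed sample: a message with one binary attachment, submitted from a LAN host.
SAMPLE = (
    b"Received: from pc17.lan (pc17.lan [192.0.2.17]) by mail.this_domain.net\r\n"
    b"From: alice@this_domain.net\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: invoice\r\n"
    b"Message-ID: <constructed-1@this_domain.net>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="payload.bin"\r\n'
    b'Content-Disposition: attachment; filename="payload.bin"\r\n\r\nNOTREAL\r\n'
    b"--b1--\r\n"
)

if __name__ == "__main__":
    admin = parse_ini(INI_TEXT)["mailadmin"]
    for queue in ("localq", "remoteq"):
        action, outgoing = apply_policy(SAMPLE, queue, admin)
        print(queue, "->", action, "| To:", outgoing["To"])
```

The notice for inbound mail reuses the original Message-ID and Date so that it threads and sorts in the recipient's mailbox exactly where the original would have; the outbound warning deliberately reports the From and To as "claimed" values, because only the Received literal identifies the machine that needs attention.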

Updating:


The virus definitions should update automatically. You may wish to check the date of the files in the 'db' folder occasionally to see that this is happening. To update the scanner itself, download the latest version from here, and unzip into any suitable place. Copy everything except the .conf files to the scanmail folder. Scanmail.exe makes no alterations to the Windows system itself, and uses no registry entries.

Bear in mind that successive versions of ClamAV may have slight differences in the way the command-line options behave, and this might require some adjustment of the parameters which clamscan.exe is called with. This is only likely to occur with major-version changes, however.

Removal:


Delete the two commandlines from MDaemon's 'Pre-Processing' options, as entered above.

Optionally, delete the scanmail folder.

Disclaimer:


This software is supplied 'as-is' and without warranty of any kind. All use is entirely at your own risk. Released under the GPL licence.

Scanmail mailserver-interface copyleft IWR Consultancy, 2007.
ClamAV native Windows port copyright Gianluigi Tiesi.