Re: kill incoming mail connection as soon as virus recognized?

leolistassolutti.com.br
Date: Tue Sep 02 2003 - 11:04:00 CDT


Quoting Claudio Fleiner <postfixfleiner.com>:

> Hi,
>
> I'd like to change postfix so that it immediately terminates an incoming
> mail
> connection when it recognizes a virus. [...] I realize
> that this probably breaks the relevant RFC, but
> in the case of a virus I don't particularly care.

   Well, it seems that Wietse and all the world (except Microsoft, of course)
do care about breaking RFCs.

> If I understand the architecture correctly, "smtpd" receives the email
> and then
> uses the "cleanup" program which will decide whether the email should be
> accepted or not. I believe that both programs need to be changed in
> order to
> get this behaviour (I did play around with smtpd but it seems that
> cleanup
> also needs to be changed).

   Something like that. Antivirus scanning, which is probably being called
by a content filter, occurs AFTER the message has been successfully and
entirely received. The content filter decides whether the message should
continue and get delivered or not.

   I'm not a Postfix hacker, but I think what you're asking for is not by
any means a simple modification.

   There are some antivirus products, probably commercial (don't ask me for
names, I don't know them), which implement the idea of an SMTP server that
receives the 'real' connections and then, if the mail is clean, forwards it
to the 'real' mail server. These products should be able to do what you
need, as they can do 'inline' scanning.

   As for blocking IPs for some hours, you can probably do that with some
log analysis and iptables rules. Get your antivirus logs, awk and grep, and
get your script running :)

   Sincerely,
   Leonardo Rodrigues
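The log-analysis-plus-iptables approach Leonardo sketches above, written out as an added example (this is not code from the thread or from any product it mentions). The log format in SAMPLE_LOG is constructed for the example and is not any real scanner's; the field names `client=` and `verdict=`, the NEVER_BLOCK allowlist, and the state-file layout are all assumptions. iptables is called through `$IPTABLES`, which defaults to `echo iptables` so the script can be dry-run by a non-root user; set `IPTABLES=iptables` to apply the rules for real. Blocks are recorded with a timestamp so a later run (e.g. from cron) can remove them after the chosen number of hours, which is the part a plain grep/awk one-liner leaves out.

```shell
#!/bin/sh
# Added example: turn antivirus log hits into temporary iptables blocks.
# Assumptions: the log format below is constructed (not a real scanner's);
# $IPTABLES defaults to a dry run that only prints the iptables commands.

IPTABLES=${IPTABLES:-"echo iptables"}
# Never block loopback, RFC 1918 space or anything else you relay for;
# adjust this pattern to your own network before running for real.
NEVER_BLOCK='^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

# Constructed sample log, one line per scanned message (hypothetical format).
SAMPLE_LOG='Sep 02 10:55:12 mx1 av[1201]: client=192.0.2.10 verdict=INFECTED name=W32/Sobig.F
Sep 02 10:55:40 mx1 av[1201]: client=192.0.2.10 verdict=INFECTED name=W32/Sobig.F
Sep 02 10:56:03 mx1 av[1201]: client=198.51.100.7 verdict=CLEAN
Sep 02 10:57:19 mx1 av[1201]: client=203.0.113.5 verdict=INFECTED name=W32/Sobig.F
Sep 02 10:58:44 mx1 av[1201]: client=10.0.0.9 verdict=INFECTED name=EICAR-Test-File'

# infected_ips MIN   (log on stdin)
# Prints, one per line and sorted, every client IP that sent at least MIN
# infected messages, skipping addresses matched by NEVER_BLOCK.
infected_ips() {
    grep 'verdict=INFECTED' \
    | sed -n 's/.*client=\([0-9][0-9.]*\).*/\1/p' \
    | grep -Ev "$NEVER_BLOCK" \
    | sort | uniq -c \
    | awk -v min="$1" '$1 >= min { print $2 }'
}

# block_ip STATEFILE IP NOW
# Inserts a DROP rule for IP and records "IP NOW" in STATEFILE so the rule
# can be expired later. Does nothing if IP is already recorded.
block_ip() {
    awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }' "$1" 2>/dev/null \
        && return 0
    $IPTABLES -I INPUT -s "$2" -j DROP
    printf '%s %s\n' "$2" "$3" >> "$1"
}

# expire_blocks STATEFILE NOW MAXAGE_SECONDS
# Deletes the DROP rule for every entry blocked MAXAGE_SECONDS or more ago
# and rewrites STATEFILE without those entries.
expire_blocks() {
    [ -f "$1" ] || return 0
    keep=$(mktemp) || return 1
    while read -r ip since; do
        [ -n "$since" ] || continue          # skip malformed lines
        if [ $(( $2 - since )) -ge "$3" ]; then
            $IPTABLES -D INPUT -s "$ip" -j DROP
        else
            printf '%s %s\n' "$ip" "$since" >> "$keep"
        fi
    done < "$1"
    mv "$keep" "$1"
}

# Demo: block senders with >= 2 infected messages for 4 hours, then show
# what the expiry pass would do once those 4 hours are up.
run_demo() {
    state=$(mktemp)
    now=$(date +%s)
    printf '%s\n' "$SAMPLE_LOG" | infected_ips 2 | while read -r ip; do
        block_ip "$state" "$ip" "$now"
    done
    expire_blocks "$state" $(( now + 4 * 3600 )) $(( 4 * 3600 ))
    rm -f "$state"
}

run_demo
```

In production you would feed the real log through `infected_ips`, run the block step from a short cron interval, and run `expire_blocks` with `$(date +%s)` and your chosen lifetime from the same cron job; keep the state file somewhere persistent so a reboot of the script host does not leave rules behind with no record to expire them.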