Re: kill incoming mail connection as soon as virus recognized?

From: Tony Earnshaw (tonnibilly.demon.nl)
Date: Tue Sep 02 2003 - 12:03:07 CDT


Claudio Fleiner wrote:

> I'd like to change postfix so that it immediately terminates an incoming mail
> connection when it recognizes a virus.

At what stage in the incoming message would Postfix recognize the
content as being a virus? Like, have you ever downloaded half of a
Microsoft virus and tried to run it on a Windows machine? Don't work, do
it ...

> Currently it will receive the whole
> message, realize that its a virus (depending on header and/or body regexp) and
> then respond with an error.

Then again, that's how smtp/esmtp works. rfc2822. The poor beggar on the
receiving end can't do anything about anything until the final dot has
been given.

> Instead (in order to save bandwidth) I'd like to
> send back an error message and close the network connection as soon as the
> virus has been recognized (and not accept any more email commands on that
> connection;

You aren't the only one. People on the Exim list (I was/am an Exim
person) and I've no doubt those with Sendmail, Qmail, Smail and others
would dearly love the same thing. Postfix is about standards
compatibility, according to WV. How would you personally go about
achieving what you wanted with Postfix? Suggestion?

> In fact, the IP address that sent the virus may even be blocked for
> two or three hours).

It's even now, as things are, possible to block it for ever. But first
you have to prove it was ever a virus. And you can't until you've
accepted it.

> I realize that this probably breaks the relevant RFC, but
> in the case of a virus I don't particularly care.

How do you know it's a virus before you've accepted it? Do you already
have conclusive proof of life after death? If so, share with us all ;)
> If I understand the architecture correctly, "smtpd" receives the email and then
> uses the "cleanup" program which will decide whether the email should be
> accepted or not. I believe that both programs need to be changed in order to
> get this behaviour (I did play around with smtpd but it seems that cleanup
> also needs to be changed).

I'm sure that Wietse would have been grateful for your advice. But,
I'm also sure you were not the first person to offer it.

--Tonni

--
Tony Earnshaw

Looking backwards is always easy with hindsight

http://www.billy.demon.nl
Mail: tonnibilly.demon.nl
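The point made above about the final dot, as an added example that is not code from this thread or from Postfix itself: a simulated SMTP DATA phase with constructed placeholder header/body regexp rules (standing in for header_checks/body_checks style rules, not real signatures). The server can only give a verdict once the terminating "." arrives, so every byte of the message is consumed before a 550 can be sent.

```python
import re

# Constructed placeholder patterns in the spirit of Postfix header_checks /
# body_checks regexp rules; they are not real malware signatures.
HEADER_RULES = [
    (re.compile(r"^Subject:.*EXAMPLE-WORM-SUBJECT", re.I),
     "550 5.7.1 Message content rejected (header)"),
]
BODY_RULES = [
    (re.compile(r"EXAMPLE-VIRUS-MARKER"),
     "550 5.7.1 Message content rejected (body)"),
]


def scan_message(headers, body):
    """Apply header rules, then body rules; first match wins, else accept."""
    for line in headers:
        for pat, reply in HEADER_RULES:
            if pat.search(line):
                return reply
    for line in body:
        for pat, reply in BODY_RULES:
            if pat.search(line):
                return reply
    return "250 2.0.0 Ok: queued"


def receive_data(lines):
    """Simulate the DATA phase as a standards-following server does it.

    `lines` are the client's lines after DATA, without CRLF. Returns
    (reply, bytes_consumed). The reply is None if the client never sent the
    terminating '.', because the server cannot answer before then, even if
    a rule would already match on the first header line.
    """
    headers, body, in_headers = [], [], True
    consumed = 0
    for raw in lines:
        consumed += len(raw) + 2          # count the CRLF the client sent
        if raw == ".":                    # end-of-data marker: verdict time
            return scan_message(headers, body), consumed
        line = raw[1:] if raw.startswith(".") else raw   # undo dot-stuffing
        if in_headers and line == "":
            in_headers = False            # blank line separates headers from body
        elif in_headers:
            headers.append(line)
        else:
            body.append(line)
    return None, consumed                 # still waiting for the final dot
```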