Re: A question about advanced filtering

From: Laurent Darrambide (ldarrambide@gmail.com)
Date: Sat Apr 02 2005 - 06:44:03 CST


I do use that code in the script:

# Scan the message saved in in.$$ with clamscan; the scanner output is kept
# in AV but only the exit status is used: 0 = clean, 1 = virus found,
# 2 = scanner error.
AV="`${CLAMAV} --disable-summary --stdout - < in.$$`"
RESULT=$?
if [ ${RESULT} = 1 ]; then
    echo "Virus trouve: " >> /tmp/virus
    exit 0
fi

> > It doesn't work in the advanced filter setup, because I receive
> > an unwanted mail via port 10026 anyway.
>
> Show logs.

OK Magnus, here it is: I send a message with a virus inside from root to root for
testing purposes; obviously, the virus is found by the script.
Root is aliased to lvd, my login on the Linux box.
Sent by mutt, which uses pickup.
proxsmtp is the SMTP proxy taking from 10025 to 10026.

========================================================================
Apr 2 14:32:34 debian postfix/pickup[5569]: 112FA2BF37: uid=1000
from=<root@debian>
Apr 2 14:32:34 debian postfix/cleanup[5603]: 112FA2BF37:
message-id=<20050402123233.GB5350@debian>
Apr 2 14:32:34 debian postfix/qmgr[5570]: 112FA2BF37:
from=<root@debian>, size=41557, nrcpt=1 (queue active)
Apr 2 14:32:34 debian proxsmtpd: 100015: accepted connection from:
127.0.0.1
Apr 2 14:32:34 debian postfix/smtpd[5608]: connect from
debian[127.0.0.1]
Apr 2 14:32:34 debian postfix/smtpd[5608]: 33D0F2BF0B:
client=debian[127.0.0.1]
Apr 2 14:32:34 debian postfix/cleanup[5603]: 33D0F2BF0B:
message-id=<20050402123234.33D0F2BF0B@debian>
Apr 2 14:32:34 debian proxsmtpd: 100015: from=root@debian,
to=root@debian, status=FILTERED
Apr 2 14:32:34 debian postfix/smtp[5606]: 112FA2BF37: to=<root@debian>,
relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 Ok: queued as
33D0F2BF0B)
Apr 2 14:32:34 debian postfix/smtpd[5608]: disconnect from
debian[127.0.0.1]
Apr 2 14:32:34 debian postfix/qmgr[5570]: 112FA2BF37: removed
Apr 2 14:32:34 debian postfix/qmgr[5570]: 33D0F2BF0B:
from=<root@debian>, size=294, nrcpt=1 (queue active)
Apr 2 14:32:35 debian postfix/local[5622]: 33D0F2BF0B: to=<lvd@debian>,
orig_to=<root@debian>, relay=local, delay=1, status=sent (delivered to
command: procmail -a "$EXTENSION")
Apr 2 14:32:35 debian postfix/qmgr[5570]: 33D0F2BF0B: removed
==========================================================================

Then I receive a new empty mail, without any virus, like this:

From: root@debian
To: undisclosed-recipients: ;
Date: Sat, 2 Apr 2005 14:31:05 +0200 (CEST)

==========================================================================

But now, I'm confused about my setup. Is this useful if I can use a
content filter for pickup as suggested by D.Walsh? Or is it better to
use advanced filtering?

>> No return code will cause Postfix to silently discard a message.

But in fact, exiting 0 in the simple content filtering does make the
mail discarded.

But I'm not an expert.

Thanks to all.
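As an added example, not part of the original post or of the poster's script, the following is the "simple content filter" counterpart of the clamscan script above, written the way Postfix's FILTER_README expects a pipe-transport filter to behave: it scans the message, reinjects clean mail with sendmail, quarantines infected mail, and defers (exit 75) when the scanner itself fails. The scanner command, the sendmail path and the quarantine directory are assumptions set at the top and can be overridden through the environment; the `--run` argument is a convention of this script only, so that the functions can be loaded without reading a message.

```shell
#!/bin/sh
# Postfix "simple content filter" (pipe transport in master.cf) that scans a
# message with clamscan. Postfix hands the message on stdin and the envelope
# as arguments (-f sender -- recipients); the filter must reinject clean mail
# itself and report one of the exit codes Postfix understands:
#   0 = success (Postfix considers the message delivered and forgets it)
#  75 = EX_TEMPFAIL, retry later     69 = EX_UNAVAILABLE, bounce
# Commands and paths below are assumptions, overridable via the environment.
SCAN="${SCAN:-clamscan --no-summary --stdout -}"
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail -G -i}"
QUARANTINE="${QUARANTINE:-/var/spool/filter/quarantine}"
EX_TEMPFAIL=75

# clamscan exit status -> what the filter should do:
# 0 clean -> reinject; 1 infected -> quarantine and drop; anything else
# (2 = scanner error, 127 = scanner missing) -> defer, never discard.
decide_action() {
    case "$1" in
        0) echo reinject ;;
        1) echo quarantine ;;
        *) echo defer ;;
    esac
}

# Read the message from stdin, scan it, and return the exit status for Postfix.
filter_message() {
    msg=$(mktemp) || return $EX_TEMPFAIL
    if ! cat > "$msg"; then
        rm -f "$msg"
        return $EX_TEMPFAIL
    fi
    $SCAN < "$msg" > /dev/null 2>&1
    rc=$?
    action=$(decide_action "$rc")
    status=0
    case "$action" in
        reinject)
            # Return 0 only once sendmail has accepted the message. Returning 0
            # without reinjecting is the silent discard: Postfix logs
            # "status=sent" and the mail is gone.
            $SENDMAIL "$@" < "$msg" || status=$EX_TEMPFAIL
            ;;
        quarantine)
            # Deliberate discard of the original: keep a copy, report success.
            cp "$msg" "$QUARANTINE/$(date +%s).$$" 2>/dev/null
            logger -t filter "virus found, message quarantined" 2>/dev/null || :
            ;;
        defer)
            status=$EX_TEMPFAIL
            ;;
    esac
    rm -f "$msg"
    return $status
}

# Entry point when run by Postfix, e.g. in master.cf:
#   filter unix - n n - 10 pipe flags=Rq user=filter
#     argv=/path/filter.sh --run -f ${sender} -- ${recipient}
case "${1:-}" in
    --run) shift; filter_message "$@"; exit $? ;;
esac
```

Two points this makes concrete. In the simple-filter model, "exit 0" means "delivered", so a script that exits 0 without calling sendmail discards the message, which is what the post reports; only a 75 keeps the mail in the queue. In the advanced (proxsmtp) model, what reaches port 10026 is whatever the filter emits, so if proxsmtp is in pipe mode a script that exits 0 without writing the message to stdout hands Postfix an empty body, which matches the 294-byte second queue entry in the log above.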