Posted by Steve on Mon 16 May 2005 at 22:55
If you're using the exim4 mail server you can reject mails which have viral content at SMTP time - meaning they aren't delivered and you don't have to worry about sending bounce messages to the often-faked "From" address.
To make use of the virus checking you need:
The exim4-daemon-heavy package has additional options compared to the exim4-daemon-light, including ACL checks which we'll use to validate the message body of incoming emails with the virus scanner.
To start with we need to install the virus scanner, running the following should install a scanner along with a tool to keep your definitions up to date:
apt-get install clamav-daemon
The clamav-daemon package will pull in clamav-freshclam package which will keep the virus definitions up to date - logging its update checks and results to the file /var/log/clamav/freshclam.log.
Once the package has been installed you should check that it's set up properly for use with the exim4 package.
You should examine the file /etc/clamav/clamd.conf file and make sure the following two lines are present:
User clamav
AllowSupplementaryGroups
(These are included by default).
Now that the scanner is set up we need to do two things:
If you're using the split configuration of Exim4 you should add the following content to /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:
# Specify the virus scanner to use
av_scanner = clamd:/var/run/clamav/clamd.ctl
Then we need to edit the exim ACL check - inside the directory /etc/exim4/conf.d/acl there are several files which contain ACLs which you can use to reject mails.
The file we will need to look at is called 40_exim4-config_check_data - this is used to check the body of incoming messages. ("data" here means the data that is sent as part of a message body with the SMTP command "data").
The file that you'll be looking at reads like this by default:
# 40_exim4-config_check_data

acl_check_data:

  # Deny unless the address list headers are syntactically correct.
  #
  # This is disabled by default because it might reject legitimate mail.
  # If you want your system to insist on syntactically valid address
  # headers, you might want to enable the following lines.
  # deny message = Message headers fail syntax check
  #      !acl = acl_whitelist_local_deny
  #      !verify = header_syntax

  # require that there is a verifiable sender address in at least
  # one of the "Sender:", "Reply-To:", or "From:" header lines.
  # deny message = No verifiable sender address in message headers
  #      !acl = acl_whitelist_local_deny
  #      !verify = header_sender

  # accept otherwise
  accept
To this we need to add some new directives just before the "accept otherwise" lines.
Insert the following:
# Reject messages that have serious MIME errors.
# This calls the demime condition again, but it
# will return cached results.
deny message = Serious MIME defect detected ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
#
# Reject file extensions used by worms.
#
deny message = This domain has a policy of not accepting certain types \
of attachments in mail as they may contain a virus. \
\
This mail has a file with a .$found_extension attachment and \
is not accepted. \
\
If you have a legitimate need to send this attachment, send it \
in a compressed archive, and it will then be forwarded to the \
recipient.
demime = vbs:bat:pif:scr
.ifdef TEERGRUBE
delay = TEERGRUBE
.endif
# Reject messages containing malware.
deny message = This message contains a virus ($malware_name) and has been rejected
malware = *
Once you've made this addition then you can restart the server:
/etc/init.d/exim4 restart
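Once exim4 is running with the new ACL, every message it refuses is recorded in /var/log/exim4/mainlog as a "rejected after DATA" event carrying the deny message, including the $malware_name that clamd reported. The following shell script is an added example, not part of the original article: it summarises those events by rejection reason and by sending host, which is a quick way to confirm the ACL is firing and to see which hosts keep sending infected mail. The log lines it writes are constructed in the shape of those events, not real traffic; the hostnames, addresses and counts are made up.

```shell
#!/bin/sh
# Added example (not from the original article): summarise SMTP-time
# rejections made by acl_check_data, using exim4's mainlog.

# write_sample_log FILE
# Writes constructed mainlog lines (not real traffic) so the functions
# below can be exercised without access to a live server.
write_sample_log() {
    cat > "$1" <<'EOF'
2005-05-16 23:01:12 H=(relay.example.org) [192.0.2.10] F=<someone@example.org> rejected after DATA: This message contains a virus (Eicar-Test-Signature) and has been rejected
2005-05-16 23:04:55 1DXi0s-0001Qp-1f <= alice@example.net H=mx.example.net [198.51.100.7] P=esmtp S=2313
2005-05-16 23:07:03 H=(relay.example.org) [192.0.2.10] F=<bob@example.org> rejected after DATA: This message contains a virus (Eicar-Test-Signature) and has been rejected
2005-05-16 23:09:41 H=(pc) [203.0.113.5] F=<carol@example.com> rejected after DATA: This domain has a policy of not accepting certain types of attachments in mail as they may contain a virus.
EOF
}

# summarize_rejections LOGFILE
# Prints one line per rejection reason as "COUNT<TAB>REASON", most frequent
# first. Only "rejected after DATA" lines are considered; the reason text is
# the ACL's deny message, so each virus signature gets its own line.
summarize_rejections() {
    awk -F 'rejected after DATA: ' '
        NF > 1 { count[$2]++ }
        END { for (r in count) printf "%d\t%s\n", count[r], r }
    ' "$1" | sort -rn
}

# rejections_by_host LOGFILE
# Prints "COUNT<TAB>IP" for the [ip] field of each rejected message, most
# frequent first; useful for spotting a single infected host behind many hits.
rejections_by_host() {
    grep 'rejected after DATA: ' "$1" \
      | sed 's/.*\[\([0-9.]*\)\].*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{ printf "%d\t%s\n", $1, $2 }'
}

# Usage: sh reject-summary.sh [LOGFILE]   (defaults to the Debian mainlog path)
if [ "$#" -ge 1 ] || [ -r /var/log/exim4/mainlog ]; then
    log="${1:-/var/log/exim4/mainlog}"
    echo "== rejections by reason =="; summarize_rejections "$log"
    echo "== rejections by host =="; rejections_by_host "$log"
fi
```

Run it without arguments on the mail server to read the live mainlog, or point it at a rotated copy. Expect one line per distinct deny message; the attachment-policy rejection from the demime check and the virus rejection from the malware check are counted separately because their messages differ.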
You can test it's working correctly by sending a message from an outside machine and verifying that it is bounced without being delivered to your local user.
For this purpose the Eicar test virus is ideal: it is not a real virus at all. Instead it is a pattern that legitimate virus scanners add to their databases so they can be tested.
If you include an attachment with your mail which contains the following test string it should be identified as infected with a virus:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The test string actually is a real executable on DOS systems! It's a great example of pure ASCII shellcode - a program whose instructions come entirely from the printable ASCII range.
If you wish to run it you can save it to a file, named test.com - just note that the third character is the number zero, not the letter O...
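To make the test above repeatable, the following shell script is an added example, not part of the original article: it builds a complete MIME message with the Eicar string as an attachment named test.com, ready to be submitted to the server over SMTP from an outside machine. The recipient and sender addresses and the MIME boundary are assumptions. Because the Eicar string is pure printable ASCII, the attachment can be sent as 7bit without a base64 step; the .com extension is chosen deliberately so that the demime extension rule (vbs:bat:pif:scr) does not fire first and the rejection observed comes from the malware check.

```shell
#!/bin/sh
# Added example (not from the original article): generate a test message
# carrying the EICAR test string as an attachment, for checking the
# exim4 + clamd DATA ACL from an outside host.

# The EICAR string is printable ASCII; single quotes keep the backslash,
# the $ signs and the % sign literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# build_eicar_message RECIPIENT SENDER
# Writes a complete RFC 2822 message with one attachment to stdout.
build_eicar_message() {
    to="$1"
    from="$2"
    boundary="eicar-test-boundary-4f2a9c"   # constructed; any unique token works

    printf 'From: %s\n' "$from"
    printf 'To: %s\n' "$to"
    printf 'Subject: EICAR test attachment\n'
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="%s"\n' "$boundary"
    printf '\n'
    printf '%s\n' "--$boundary"
    printf 'Content-Type: text/plain; charset=us-ascii\n'
    printf 'Content-Transfer-Encoding: 7bit\n'
    printf '\n'
    printf 'This message carries the EICAR test file as an attachment.\n'
    printf '%s\n' "--$boundary"
    printf 'Content-Type: application/octet-stream; name="test.com"\n'
    printf 'Content-Transfer-Encoding: 7bit\n'
    printf 'Content-Disposition: attachment; filename="test.com"\n'
    printf '\n'
    printf '%s\n' "$EICAR"
    printf '%s\n' "--$boundary--"
}

# Usage: sh build-eicar.sh user@example.com tester@example.org > test.eml
if [ "$#" -ge 2 ]; then
    build_eicar_message "$1" "$2"
fi
```

Submit the resulting file from the outside machine over SMTP, for example with swaks: swaks --to user@example.com --from tester@example.org --server mail.example.com --data test.eml. The message must arrive via SMTP: acl_check_data is the SMTP DATA ACL, so a message handed to exim locally with the sendmail command does not pass through it. A working setup answers the DATA command with a 550 carrying the "This message contains a virus (Eicar-Test-Signature) ..." text, and nothing reaches the local mailbox.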
This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):
This article is copyright 2005 Steve - please ask for permission to republish or translate.