Installing and configuring simscan

July 15, 2024 by Roberto Puzzanghera 72 comments

Simscan is a simple program that enables the qmail smtpd service to reject viruses, spam, and block attachments during the SMTP conversation so the processing load on the email system is kept to a minimum.

Version 1.4.4 details

As you can see, for convenience I moved the simscan sources to my github space. Nonetheless, all information about simscan will continue to be posted here, and this page remains the place to seek support if needed.

Version 1.4.4 is a fork of the 1.4.1 version, which updates the original simscan by Inter7.

In 1.4.1 version the sources have been polished and modernized a bit and contain a number of bug fixes and patches, including almost all the patches by jms (the only missing one is the "debug" patch which we will apply below) and the bug fix by Gustavo Castro that I had in my previous bundle of patches. Therefore the new 1.4.2 version simply adds the following:

  • the jms "debug" patch, to improve the debugging of simscan on qmail-smtpd log;
  • a bug fix by Bob Greco where a received message with multiple 'local' recipients executes spamc as null user and not as the user extracted from the first local recipient.
  • my attachments-size-limit feature which allows you to overcome a limitation where simscan doesn't pass messages over 250k to spamassassin. This feature let the administrator set the attachments' size limit in bytes by setting the size_limit variable in the /var/qmail/control/simcontrol file. Furthermore, events where simscan is not activated are now logged at smtpd level (it was logged only when debug is active).

ripMIME

ripMIME's primary purpose is to extract attachments out of a MIME encoded email packages. It is used by simscan. It is a recommended package.

RIPMIME_VER=1.4.1.0

cd /usr/local/src
wget https://github.com/inflex/ripMIME/archive/refs/tags/${RIPMIME_VER}.tar.gz
tar xzf ${RIPMIME_VER}.tar.gz
cd ripMIME-${RIPMIME_VER}
chown -R root:root .
make
make install

Testing

  • man ripmime for more info

Pick up an email file "message.eml" with an attachment.

mkdir tmp
ripmime --debug --disable-qmail-bounce -i message.eml -d tmp > ripmime.log

The extracted attachments should be inside the tmp folder.

# ls -l tmp/ 
total 2352 
-rw------- 1 root root 2396801 Aug  2 16:10 attached_file.jpeg 
-rw-r--r-- 1 root root       0 Aug  2 16:10 textfile0 
-rw-r--r-- 1 root root       4 Aug  2 16:10 textfile1 
-rw-r--r-- 1 root root      25 Aug  2 16:10 textfile2

As you can see, ripMIME extracted a file attached_file.jpeg which is not group readable. This is not a problem for us, because we are going to run simscan as the clamav user, but if you are planning to run it as simscan and then including clamav in the simscan group, you should patch ripMIME with this patch, otherwise clamav will not be allowed to read the attachments.

Installing simscan

Note that we have to explicitly tell the compiler where the clamav db is (--enable-clamavdb-path).

SIMSCAN_VER=1.4.4
cd /usr/local/src
wget https://github.com/sagredo-dev/simscan/archive/refs/tags/v${SIMSCAN_VER}.tar.gz
tar xzf simscan-${SIMSCAN_VER}.tar.gz
cd simscan-${SIMSCAN_VER}
chown -R root:root .

./configure \
--enable-user=clamav \
--enable-clamav=y \
--enable-spam=y \
--enable-spam-passthru=y \
--enable-spam-hits=9.5 \
--enable-per-domain=y \
--enable-ripmime \
--enable-attach=y \
--enable-custom-smtp-reject=y \
--enable-spamc-user=y \
--enable-received=y \
--enable-clamavdb-path=/usr/local/share/clamav

make
make install-strip

Take a look to the README file for an explanation of all the configuration options.  Concerning spam, I want to reject via smtp the spam with a score greater than 9.5 and pass to the user the spam below this score.

--enable-per-domain=y|n Turn on per domain based checking.
--enable-spam=y|n Turn on spam scanning. default no.
--enable-spam-passthru=y|n Pass spam email thru or reject. Default: disable (reject)
--enable-spam-hits=number Reject spam above this hit level. Default 10.0
--enable-custom-smtp-reject=y Turns custom smtp reject messages on and off.  When enabled simscan will place the virus name in the reject message if a virus is detected. Requires the qmail-queue-custom-error.patch. Enabling dropmsg disables this option (more info here).
--enable-spamc-user=y Mandatory option if you want to allow the spamassassin user preferences via SQL.
--enable-received=y Add a Received: line to the message, showing the scanners that were used and some stats (you have to patch simscan)

Now create the temporary dir and assign it proper permissions:

mkdir /var/qmail/simscan
chown clamav:clamav /var/qmail/simscan

qmail-queue-custom-error patch

As you know the qmail-queue-custom-error patch (more info here) that we applyed before enables simscan to return the appropriate message for each e-mail it refuses to deliver.

Please refer to this page to understand how the smtp rejection works with simscan. This guide shortly remainds that:

For virus rejection, the message contains the name of the virus such as :

Your email was rejected because it contains the Worm.Bagle.AU virus

For spam rejection, the message is more generic, merely stating that the message was rejected because it was considered spam:

Your email is considered spam (53.5 spam-hits)

For attachment rejection, the message contains the name of the attachment :

Your email was rejected because it contains a bad attachment: trojan.exe

How to setup simscan to manage the spamming as better as possible

Let's assume that spamassassin is configured with a spam level of 5.0, so that hits above this score are labeled as spam.

Of course, soon or later, spamassassin will label as junk an important email for a customer of yours, and we will never want to reject such a message. On the other hand there will be a score level, say 9.5, above which we can absolutely trust in spamassassin response and let simscan reject those emails without storing them in the user's mailbox.

Therefore we will configure simscan/spamassassin in order to:

  • Reject the emails with a score > 9.5
  • Pass through the emails with a score between 5.0 and 9.5
  • Consider ham all the other emails with a score < 5.0

To accomplish this create a simcontrol like the following:

cat > /var/qmail/control/simcontrol << __EOF__
:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif,size_limit=10000000
__EOF__

In addition, due to the size_limit=10000000 setting, attachments with size greater than 10000000 bytes (around 10MB) won't be passed to spamassassin (default is 250KB).

Remember to update simcontrol.cdb every time you modify simcontrol

# update simcontrol.cdb
/var/qmail/bin/simscanmk

Turning on scanning

echo ':allow,CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/simscan"' >> ~vpopmail/etc/tcp.smtp
qmailctl cdb

Now simscan/chkuser will close the smtp communication after 3 wrong recipient. You may want to add an instruction like CHKUSER_RCPTLIMIT="50" to limit to the number of recipient per SMTP connection. To be honest, these are settings for chkuser (not simscan).

Understanding the simcontrol file

You can setup rules for a specific user, a specific domain and a default rule as follows:

cat > /var/qmail/control/simcontrol << __EOF__
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif,size_limit=10000000
__EOF__
  1. The first line sets clam on and spam off for postmaster@example.com and checks for viruses inside attached file .txt and .com names.
  2. The second line sets clam off and spam on for the example.com domain and disallows .mp3 files for the attachment scanner.
  3. The third line sets the default for the whole machine to enable clam, spam scanning, and sets the reject level for spam hits to 9.5. It also sets the attachments size limit to be passed to spamassassin to around 10MB.

Configuring simscan with the DKIM patch

If you want to enable DKIM you have to modify the simscan configuration accordingly as explained in the DKIM page.

Updating simscan

The patch applied will add a line like this to the header:

Received: by simscan 1.4.0 ppid: 5613, pid: 5684, t: 0.7355s
          scanners: attach: 1.4.0 clamav: 0.98.4/m:55/d:19599 spam: 3.4.0

You have to update the simscan's database if you want to get the current versions of clamav and spamassassin:

# /var/qmail/bin/simscanmk -g
simscan versions cdb file built. /var/qmail/control/simversions.cdb

Since the update has to be done each time you refresh the virus database, you have to adjust you freshclam configutation as follows.

First of all let's download and install the program that will do the update:

wget --no-check-certificate https://qmail.jms1.net/simscan/update-simscan.c
gcc -s -o /usr/local/sbin/update-simscan update-simscan.c
chown root:clamav /usr/local/sbin/update-simscan
chmod 4110 /usr/local/sbin/update-simscan

Now modify the freshclam configuration file in order to run the update-simscan executable each time the database is changed. You have to edit the file /usr/local/etc/freshclam.conf and modify it in this way:

OnUpdateExecute
OnUpdateExecute /usr/local/sbin/update-simscan

/var/qmail/simscan on a ramdisk

On his simscan's information page, John Simpson suggests to mount the work directory of simscan on a ramdisk, in order to speed up the process of file load from the disk.

It is sufficient to mount that directory in this way in your /etc/fstab:

CLAMAV_UID=`id -u clamav` 
CLAMAV_GID=`id -g clamav` 
echo "none /var/qmail/simscan tmpfs nodev,noexec,noatime,uid=$CLAMAV_UID,gid=$CLAMAV_GID,mode=2750 0 0" >> /etc/fstab

Be aware that you have to adjust the uid and gid to the actual clamav user and group numbers respectively.

Comments

skipped message, greater than max message size (512000 bytes)

Hi,

Thanks for keeping qmail alive. simscan-1.4.3 still does not scan file greather than 512000 bytes. I've followed whole procedure that you've described. /var/qmail/control/simsizelimit set to 10000000 as per your suggestion ( echo 10000000 > /var/qmail/control/simsizelimit ). 

journalctl -b -f command shows "skipped message, greater than max message size (512000 bytes)"

Is there anything I'm missing.

OS: Debian bookworm

Thanks

BR.

Reply |

skipped message, greater than max message size (512000 bytes)

Hi,

I'm not sure that this log message is from simscan. Can you show the entire qmail-smtpd log line? In addition, what qmail are you using? Do you have any other patch that is filtering the msg size?

Reply |

skipped message, greater than max message size (512000 bytes)

Hi,

Thanks for reply. The message generated by spamc. Below is the whole message:

Jul 13 15:06:39 antispam.mydomain.com spamc[2573601]: skipped message, greater than max message size (512000 bytes)

My qmail is running as per your instruction from A to Z no otehr patch are applied. there is no such log on /var/log/qmail/smtpd/current or /var/log/spamassassin/spamd.log

I'm getting this log while I run following command:

journalctl -b -f

Thanks

BR

Reply |

skipped message, greater than max message size (512000 bytes)

I'll check it out tomorrow. Anyway, if you are following my instructions, simscan will log in qmail-smtpd log when the size limit is exceeded

Reply |

skipped message, greater than max message size (512000 bytes)

Hi,

Thanks for reply. My server is running according to your instructions. All spam messages are sent to querentine insted of bounce back. I'm getting below type of logs on smtpd of simscan:

2024-07-14 11:15:48.459856121 simscan:[3331936]:CLEAN (-191.20/5.00/5.00):4.1441s:Dyeing Status:209.85.210.47:planning7@yourdomain:sujanmia@mydomain.com
2024-07-14 11:15:59.458718411 simscan:[3332769]:SPAM DROPPED (24.40/5.00/5.00):3.3198s:*****SPAM***** Blood screening report:103.63.234.101:blood@quantummethod.org.bd:ripon@mydomain.com
2024-07-14 11:15:59.458753127 simscan:[3332769]: Putting the message in quarantine: /var/qmail/quarantine/msg.1720934156.138996.3332799
2024-07-14 11:15:59.459123471 simscan:[3332769]: Message recorded in quarantine successful
2024-07-14 11:16:04.458407684 simscan:[3332947]:SPAM DROPPED (87.40/5.00/5.00):3.5029s:*****SPAM***** RE_ Sacoor Brothers MAH3143 R2 Style Pre Final Booking //JFK // SS24 // OUTLET SWEATERS:118.179.92.24:abir@jfkfashionbd.com:akik.mahmud@mydomain.com
2024-07-14 11:16:04.458450125 simscan:[3332947]: Putting the message in quarantine: /var/qmail/quarantine/msg.1720934160.955580.3332962
2024-07-14 11:16:04.458875702 simscan:[3332947]: Message recorded in quarantine successful
2024-07-14 11:12:10.905890596 simscan:[3323407]:CLEAN (0.00/0.00/0.00):0.0481s:Re_ WEB240391098/Re_ Manual booking for "AXL & CO"//Shipper_:52.101.65.138:inzamul.haque@yourdoman.com:abc@mydomain.com
2024-07-14 11:12:12.624084538 simscan:[3321687]:CLEAN (0.00/0.00/0.00):0.0372s:Re_ Carton poly booking of style- 2200306924.:44.202.169.32:bj@fardingroup.com:sakib.islam@mydomain.com
2024-07-14 11:12:30.104466291 simscan:[3323969]:CLEAN (-298.50/5.00/5.00):3.3525s:RE_ RENAISSANCE BARIND LTD _ OVERDUE EXP:124.109.104.76:prvs=9187fdb7e=mostafa.karim@yourdomain.com

BR.

Reply |

skipped message, greater than max message size (512000 bytes)

None of the above log lines by simscan show a size limit skip. This is the exact  log line that you'll have in case of a size limit exceeded by simscan, with no need to enable simscan's debug:

2024-07-14 10:39:49.989994500 simscan: big file (931698 bytes); size limit is 80 bytes; skipping SpamAssassin

After a quick google search, I found out that the error message "skipped message, greater than max message size" is triggered by spamassassin itself (not simscan) when the variable SA_MAX_MAIL_SIZE is set. Can you do

grep -r SA_MAX_MAIL_SIZE /etc/mail/spamassassin

Reply |

skipped message, greater than max message size (512000 bytes)

man spamc says

-s max_size, --max-size=max_size
Set the maximum message size which will be sent to spamd -- any bigger than this threshold and the message will be returned unprocessed (default: 500 KB). If spamc gets handed a message bigger than this, it won't be passed to spamd. The maximum message size is 256 MB.

The size is specified in bytes, as a positive integer greater than 0. For example, -s 500000.

Reply |

typo [

tar xzf simscan-$[SIMSCAN_VER}.tar.gz should be {

Reply |

typo [

Thank you. Corrected

Reply |

missing $ sign in the last command

echo "none /var/qmail/simscan tmpfs nodev,noexec,noatime,uid=$CLAMAV_UID,gid=CLAMAV_GID,mode=2750 0 0" >> /etc/fstab

Reply |

Qmail-scanner

I'd like to use simscan, but I like qmail-scanner's built in perlscan to quickly dump emails. I also like the reports. Any suggestions?

Reply |

Qmail-scanner

Hi, I dropped qmail-scanner ages ago and I'm not familiar with it anymore, sorry

Reply |

simscan scanning order

Hi, 

i would like to ask you for help if you see it sensible, scanning order is first  spamc then clamd, but i manage it to reorder, so clamd scan message first /lighter on resources, than its pass to spamc . I manage to just move block od code above spam definition in simscan.c .

however, i would like to use this logic - if clamd detect virus, stop processing, return code, close it. because its not nececesary go for spamc check, its already detected by clamd as virus /with 3rd party db , even spams are detected by clamd/ , but its above my coding skills. 

this i done/manage somehow years ago, but its lost in server migration somewhere ;)   

main reason is to have it lighter on resources

thnx a lot

Reply |

simscan scanning order

Hi, I had a quick look. It's not a task to be accomplished with a few touches to the code. So it would be very time expensive...

Reply |

simscan scanning order

thank you Roberto for effort, I understand ,no problem. 

thnx a lot

miki

Reply |

simscan scanning order

I'll have a look. Thanks for the comment

Reply |

Error: 451_mail_server_temporarily_rejected_mess

Hi

I started noticing the increase of this error
Making a little research that the error appear when clamav can access some file attached to emails
Not a permission problem, is a "name" problem
For example:

Fri Oct 16 11:03:50 2020 -> /var/qmail/simscan/1602857030.173486.80905/Consulta Pública_edited.jpg: Can't access file ERROR

Obviously the file name have special chars, but this can't be a problem
Could be something related with ripmime that's involved in the process ?

Reply |

Error: 451_mail_server_temporarily_rejected_mess

did you try to debug ripmime in this way?

ripmime --debug --disable-qmail-bounce -i message.eml -d tmp > ripmime.log

Reply |

SimScan Vs Qmail Scanner

Hi Mr Robert,

i tried to install qmail scanner to replace Sim Scan, but i got 451 qq temporary problem (#4.3.0) while try to send a mail... is it the system designed flow here not compatible to work with qmail scanner?

thank you

Reply |

SimScan Vs Qmail Scanner

Hi, yes it is compatible with qmail scanner, I used it before switchimg to simscan

Reply |

SimScan Vs Qmail Scanner

Hi Mr Roberto,

after qmail scanner installation, i tried to run the "test_installation.sh" to test qmail scanner and the testing was successful... but when i tried to put it to tcp.smtp .. it pop out "451 qq temporary problem (#4.3.0)", i tried to find out what is the issue in qmail-queue.log file, but no error messages inside there. i also checked send and smtp log files, also no error messages.

below is the telnet result:

telnet 192.168.1.2 25
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
220 esmtt.com ESMTP
mail from:abc@mydomain.com
250 ok
rcpt to:kenny@mydomain.com
250 ok
data
354 go ahead
subject: testing
to: kenny@mydomain.com
from: abc@mydomain.com

testing 123
.
451 qq temporary problem (#4.3.0)
quit
221 mydomain.com
Connection closed by foreign host

thank you

Reply |

SimScan Vs Qmail Scanner

Unfortunately I'm not familiar with qmailscanner, as I switched to simscan about 10 years ago

PS be sure that your softlimit is high enough

Reply |

ripmime

I tried to compile ripmime, but it kept giving an error. Since I use Debian, it has this package available:

apt-get install ripmime

Reply |

Link to qmailwiki in your page.

Hi,

 I would like to inform you that qmailwiki.org seems to be not working anymore.

Being that lot of links ( in simscan at least ) point to that site, it becomes hard to follow instruction.

FYI.

Pierluigi

Reply |

Link to qmailwiki in your page.

Thank you. I linked the README file in place of the old qmailwiki

Reply |

Disabling simscan for outgoing emails

Hello,

Is there a way to disable simscan for outgoing emails? Because we send weekly newsletters with thousands of subscribers, and since simscan scans outgoing emails as well, the server load goes through the roof when we are sending these newsletters.

Any thoughts?

Cheers,

Gabriel.

Reply |

Disabling simscan for outgoing emails

I don't have simscan enabled for outgoing emails. It is sufficient that you don't export QMAILQUEUE="/var/qmail/bin/simscan" for outgoing emails, nor DKIMQUEUE=/var/qmail/bin/simscan if you are signing by means of qmail-smtpd

Reply |

Permissions for simscan

Make sure to create the simscan temp folder with the correct permissions, otherwise it won't work, giving the infamous "mail server temporarily rejected message (#4.3.0)"

mkdir /var/qmail/simscan

chown clamav:clamav /var/qmail/simscan

Also, make sure to follow all clamav installation steps before installing simscan.

Reply |

Permissions for simscan

thank you for all your corrections. Anyway following the order of this guide, simscan is supposed to be installed after clamav

Reply |

simscan+spamc not working when running under qmail, but works when testing,

Hi,

I'm trying to get the whole simscan/clamav/spamassassin stuff but I have this problem:

when I receive a mail from the net, the spamc report always clean ( from log )

2019-04-22 18:58:16.984370500 simscan: calling spamc
2019-04-22 18:58:16.984424500 simscan: calling /usr/bin/vendor_perl/spamc spamc -u XXXX@XXXXXXX.XX
2019-04-22 18:58:16.992705500 simscan:[5958]:CLEAN (0.00/0.00):6.6524s:Super aid super erection:212.124.180.14:MarvinAnderson@lrmmotors.it:XXXX@XXXXXXXX.XXX
2019-04-22 18:58:16.992954500 simscan: done, execing qmail-queue
2019-04-22 18:58:17.004802500 simscan: qmail-queue exited 0

If I test it with the command ( I've saved the mail with the SIMSCAN_DEBUG_FILES=2):

env QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=3 /var/qmail/bin/qmail-inject XXXX@XXXXXX.XX < /tmp/mailtest.txt

simscan: calling spamc
simscan: calling /usr/bin/vendor_perl/spamc spamc -u XXXXX@XXXXXX.XXX
simscan:[6046]:SPAM DROPPED (19.70/4.40):0.5449s:*****SPAM***** Super aid super erection:(null):root@XXX.XXXXXX.XX:XXX@XXXXXX.XX
simscan: check_spam detected spam refuse message

it works perfectly.

Do you have any idea where to search for the problem ?

Thanks

Reply |

simscan+spamc not working when running under qmail, but works when testing,

Do you have your spamassassin behind a firewall? A thing like this happened to me once, when I forgot to add the public IP to the spamd options...

what the spamd/spamc log say?

Reply |

simscan+spamc not working when running under qmail, but works when testing,

Roberto,

 no, the spamd/spamc are on the same machine.

It seems I have fixed the problem by increasing softlimit memory in the "run" script for qmail-smtpd.

It's rather strange as at first, with a lower limit I could see errors in logs, and increased a bit.

The error ( spamc: error while loading shared libraries: libcrypto.so.1.1: failed to map segment from shared object ) went away but stil it behaves as described.

I've then, just for test, increased the softlimit again ( although no errors were shown in logs ) and everything started to work as expected.

Thanks, and thank for your website/blog. Very informative !!!!

Reply |

simscan+spamc not working when running under qmail, but works when testing,

Hi Roberto,

I have the same error in smtp log.
Do you know how to fix it?

Thanks!
Joao

Reply |

simscan+spamc not working when running under qmail, but works when testing,

Do you have spamassassin and clamav working and running?

Reply |

simscan+spamc not working when running under qmail, but works when testing,

Hi Roberto,

I found an error in my /service/qmail-smtpd/run.
The problem was fixed.

Thanks
Joao

Reply |

simscan+spamc not working when running under qmail, but works when testing,

It would be interesting for those facing the same issue to know what you have found exactly...

Reply |

simscan+spamc not working when running under qmail, but works when testing,

Hi Roberto,

I don't now exacly what fixed this problem, because I've tried a lot of things like recompile simscam, clamav and netqmail (with your patch) and try to copy /usr/lib64/libcrypto.so* to /usr/local/lib64/.

I'll reinstall step by step in a fresh machine. If I had the same error, I'll back here with the solution.

Thank you very much

Joao

Reply |

simscan+spamc not working when running under qmail, but works when testing,

Hi Roberto,

I've found what I did to fix the problem.
My file /service/qmail-smtpd/run had this line:

exec /usr/local/bin/softlimit -m 8000000

I've changed to:

exec /usr/local/bin/softlimit -m 64000000

Thanks
Joao

Reply |

SMTP reject

Hi,

I had an email with a .mpp attachment got rejected with the bounce error

@400000005c6caf6110c3bd8c qlogreceived: result=rejected code=554 reason=queuereject detail=Your_email_was_rejected_because_it_contains_a_bad_attachment:_r helo=mail-pl1-f178.google.com mailfrom=nic@abc.sg rcptto=nic@xyz.sg relay=no rcpthosts= size= authuser= authtype= encrypted= sslverified=no localip=198.*.*.1 localport=25 remoteip=209.85.214.178 remoteport=34374 remotehost= qp=12744 pid=12743
@400000005c6caf6110c5636c qmail-smtpd: message rejected (Your email was rejected because it contains a bad attachment: r): : nic@abc.sg from 209.85.214.178 to nic@xyz.sg helo mail-pl1-f178.google.com

No matter what file name i change to the mpp file, i keep getting the same error (Your email was rejected because it contains a bad attachment: r). But the file name is not "r" at all.

This is my simcontrol

:clam=yes,spam=yes,spam_hits=10.0,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif:.jar

Any idea?

Thanks

Reply |

SMTP reject

This bug was fixed in the latest patch (tx Pablo Murillo)

Reply |

SMTP reject

I get the previous patch from: http://gcastrop.blogspot.com/2011/02/problemas-con-adjuntos-en-simscan-con.html

I'm using it and works !!!

Reply |

SMTP reject

Thank you. I'll check it out

Reply |

SMTP reject

I found a patch about that error some time ago

Is a problem on simscan and the way it check extension

--- ./configure.orig 2007-10-29 09:14:25.000000000 -0500
+++ ./configure 2012-06-26 14:20:22.000000000 -0500
@@ -1694,11 +1736,15 @@
for(i=0;i<MaxAttach;++i) {
if ( DebugFlag > 2 ) fprintf(stderr, "simscan: checking attachment %s against %s\n", mydirent->d_name, bk_attachments[i] );
lowerit(mydirent->d_name);
+ if ( strlen(mydirent->d_name) >= strlen(bk_attachments[i]) ) {
if ( str_rstr(mydirent->d_name,bk_attachments[i]) == 0 ) {
strncpy(AttachName, mydirent->d_name, sizeof(AttachName)-1);
closedir(mydir);
return(1);
}
+ } else {
+ if ( DebugFlag > 2 ) fprintf(stderr, "simscan: attachment name '%s' (%d) is shorter than '%s' (%d). IGNORED\n", mydirent->d_name, strlen( mydirent->d_name ), bk_attachments[i], strlen( bk_attachments[i] ) );
+ }
}
}
closedir(mydir); 

Reply |

SMTP reject

unfortunately no ideas

Reply |

Updated qmail-queue-custom-error.patch to work with netqmail-1.06

Hi
I updated the patch qmail-queue-custom-error.patch to work with netqmail-1.06

--- qmail.c 2018-12-07 16:47:31.950228000 -0300
+++ qmail.c 2018-12-07 17:12:46.186218000 -0300
@@ -23,22 +23,32 @@
{
int pim[2];
int pie[2];
+ int pierr[2];

setup_qqargs();

if (pipe(pim) == -1) return -1;
if (pipe(pie) == -1) { close(pim[0]); close(pim[1]); return -1; }
+ if (pipe(pierr) == -1) {
+ close(pim[0]); close(pim[1]);
+ close(pie[0]); close(pie[1]);
+ close(pierr[0]); close(pierr[1]);
+ return -1;
+ }

switch(qq->pid = vfork()) {
case -1:
+ close(pierr[0]); close(pierr[1]);
close(pim[0]); close(pim[1]);
close(pie[0]); close(pie[1]);
return -1;
case 0:
close(pim[1]);
close(pie[1]);
+ close(pierr[0]); /* we want to receive data */
if (fd_move(0,pim[0]) == -1) _exit(120);
if (fd_move(1,pie[0]) == -1) _exit(120);
+ if (fd_move(4,pierr[1]) == -1) _exit(120);
if (chdir(auto_qmail) == -1) _exit(61);
execv(*binqqargs,binqqargs);
_exit(120);
@@ -46,6 +56,7 @@

qq->fdm = pim[1]; close(pim[0]);
qq->fde = pie[1]; close(pie[0]);
+ qq->fderr = pierr[0]; close(pierr[1]);
substdio_fdbuf(&qq->ss,write,qq->fdm,qq->buf,sizeof(qq->buf));
qq->flagerr = 0;
return 0;
@@ -93,10 +104,22 @@
{
int wstat;
int exitcode;
+ int match;
+ char ch;
+ static char errstr[256];
+ int len = 0;

qmail_put(qq,"",1);
if (!qq->flagerr) if (substdio_flush(&qq->ss) == -1) qq->flagerr = 1;
close(qq->fde);
+ substdio_fdbuf(&qq->ss,read,qq->fderr,qq->buf,sizeof(qq->buf));
+ while( substdio_bget(&qq->ss,&ch,1) && len < 255){
+ errstr[len]=ch;
+ len++;
+ }
+ if (len > 0) errstr[len]='\0'; /* add str-term */
+
+ close(qq->fderr);

if (wait_pid(&wstat,qq->pid) != qq->pid)
return "Zqq waitpid surprise (#4.3.0)";
@@ -129,6 +152,9 @@
case 81: return "Zqq internal bug (#4.3.0)";
case 120: return "Zunable to exec qq (#4.3.0)";
default:
+ if (exitcode == 82 && len > 2){
+ return errstr;
+ }
if ((exitcode >= 11) && (exitcode <= 40))
return "Dqq permanent problem (#5.3.0)";
return "Zqq temporary problem (#4.3.0)";
--- qmail.h 1998-06-15 12:53:16.000000000 +0200
+++ ../../qmail-1.03/qmail.h 2004-05-26 14:48:23.000000000 +0200
@@ -8,6 +8,7 @@
unsigned long pid;
int fdm;
int fde;
+ int fderr;
substdio ss;
char buf[1024];
} ;

Reply |

Access denied on textfile2

Hi

I´m using FreeBSD 11.2
I installed simscan from ports, don't worked, so, I installed then simscan "manually" with the patch and with this options:

user = simscan
qmail directory = /var/qmail
work directory = /var/qmail/simscan
control directory = /var/qmail/control
qmail queue program = /var/qmail/bin/qmail-queue
clamdscan program = /usr/local/bin/clamdscan
clamav scan = ON
trophie scanning = OFF
attachement scan = ON
ripmime program = /usr/local/bin/ripmime
custom smtp reject = OFF
drop message = OFF
regex scanner = OFF
quarantine processing = OFF
domain based checking = OFF
add received header = ON
spam scanning = OFF
dspam scanning = OFF

I have:

-rws--x--x 1 simscan simscan /var/qmail/bin/simscan
-rwxr-xr-x 1 simscan simscan /var/qmail/bin/simscanmk

drwxr-s--- 2 simscan simscan simscan

Every time I test the smtp sending and email with or without attachment I get the next error on clamd.log

Access denied: /var/qmail/simscan/???????/textfile2

The directory's content is:

-rw-r----- 1 simscan simscan 52B addr.1543888712.202274.40537
-rw-r----- 1 simscan simscan 766B msg.1543888712.202274.40537
-rw-r----- 1 simscan simscan 0B textfile0
-rw-r----- 1 simscan simscan 23B textfile1
-rw------- 1 simscan simscan 23B textfile2

The problem is obvius, there is a missing permission on textfile2

I created a new jail, I installed all by hand, the same problem
I changed permission on /var/qmail/bin/simscan to:

-rws--x--x 1 simscan wheel /var/qmail/bin/simscan

The same problem

I added on qmail-smtpd/run for debug purpose :

umask 027
export SIMSCAN_DEBUG_FILES=1
export SIMSCAN_DEBUG=3

Any idea ?

Thanks in advance
Pablo Murillo

Reply |

Access denied on textfile2

everyone who decided to run simscan as the "simscan" user should add "clamav" user to the "simscan" group and then patch ripmime in order to make the extracted attachment group-readable, as now is also explained at the top of this page

Reply |

Access denied on textfile2

I would try to recompile it with --enable-user=clamav so that clamd has write permissions in the simscan directory...

Reply |

Access denied on textfile2

Changing the user solved the problem, but I think there is something wrong with ripmime, because, only the attached files to email are with the wrong permission

Thanks

Reply |

SPAM DROPPED (7.00/7.00):1.1858s:*****SPAM*****

Hello,

I have a problem with simscan with rejecting SPAM with less than 9.5 hits:

SPAM DROPPED (7.00/7.00):1.1858s:*****SPAM*****

In /var/qmail/control/simcontrol I have:

:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif

In /etc/mail/spamassassin/local.cf I put:

rewrite_header  subject *****SPAM*****

Do you know what could be wrong. 

Thank you a lot.

Regards

Reply |

did you update simcontrol.cdb

did you update simcontrol.cdb?

/var/qmail/bin/simscanmk

Reply |

Roberto,

Roberto,

 I forgot to do that. Problem is solved now.

Thank you,

Regards,

Al

Reply |

On simscan 1.4.1

Hi Roberto,

Yes you are right simscan 1.4.1 is essentially the same as 1.4.0 from functionality POfView

However it has some minor improvements:

  1. At line 781 in simscan.c uses  (char *)NULL whitch suppresses some comp warnings
  2. Same for line 1785 where val variable initialized (suppresses comp warns)
  3. Uses the modern autoconf approach to Makefiles

Additionally to further suppress all comp warnings one should:

  1. Edit cdb/conf-cc and append  -fno-builtin-malloc to gcc options
  2. Edit line 1735@simscan.c and replace globally: %d --> %zu

As far as the abnormal behaviour of simscan with spamc is concerned I think the relevant  simscan.c block of code is:

(in v1.4.1)

1313,1349

.........................................................................................

if ( MaxRcptTo==1 && i 0){
    spamc_args[i++] = "-u";
    spamc_args[i++] = spamuser;
#ifdef ENABLE_SPAMC_USER
  /*  } else if ( MaxRcptTo==1 && i0 && i 0 ) {
    fprintf(stderr, "simscan:[%d]: calling %s ", getppid(), SPAMC);
    i=0;
    while(spamc_args[i] != NULL){
      fprintf(stderr, " %s", spamc_args[i]);
      ++i;
    }
    fprintf(stderr, "\n");
  }
  if ( pipe(pim) == 0 ) {
    /* fork spamc */
    switch(pid = vfork()) {
      case -1:
        close(pim[0]);
        close(pim[1]);
        close(spam_fd);
        return(-1);
      case 0:
        close(pim[0]);
        dup2(pim[1],1);
        close(pim[1]);
        execve(SPAMC, spamc_args, 0);
        _exit(-1);
    }

.................................................................................................

MaxRcptTo always takes value 1 except when email has many recepients @ Cc or To Fields. In such a case MaxRcptTo counts the recepients

and has a positive value. So if we change the if condition

else if (MaxRcptTo==1 && i

to

else if (MaxRcptTo>0 && i

we get a more normal behavior.

I think it would be wise to ask the developers/mainteners of the current  simscan ver for a more formal and/or consistent amendment.

Ciao 

Bob

Reply |

Some thoughts...

Dear Rob

I think before anything else we should somehow unravel the logic of the simscan developer (or at least give it a shot, since he/she is unreachable).

The presence of MaxRcptTo var in simscan.c indicates the fact that at smtpd level one expects, in general, more than one recipients.

This fact has two realisations according to the way various MTAs connect to our smtpd.

Some MTAs open only one tcp conn per email msg (sendmail?), others open one tcp conn per recipient (qmail).

See: http://grokbase.com/t/perl/qpsmtpd/055bt3byjj/opinion-regarding-multiple-recipients-per-connection

So counting recipients in the 'forward smtp buffer' via MaxRcptTo shows us that the developer is aware of all these.

So why then imposes a condition with MaxRcptTo == 1 as if he/she expects only one connection per recipient?

One possible explanation is that he/she wants a somehow "pure" user pref policy ie
   one recipient      --   one local user (RcptTo[0]) --  reliable bayes entries in the SQL backend
   many recipients --                  ?                        --  no entries
                                                                              (Actually, we might get entries for clamd user!
                                                                               So eventually our SQL db gets polluted.
                                                                               Is this simply a real bug?)

So if someone (like me) is willing to impose more flexible policies on his users (eg global blacklists per domain etc) he can patch the condition to  MaxRcptTo > 0.

I've tested the code and the MaxRcptTo > 0  seems a pretty harmless change that meets my needs without spoiling the simscan functionality.

Ciao
Bob

Reply |

It's a bug!

Dear Roberto

After all this is a bug!

It had been pointed out previously by Sossi Andrej (you might know him...)

See: http://simscan.inter7.narkive.com/OQQ5ulG8/simscan-not-send-rcpt-address-to-spamassassin

So feel free to add it to some of your patches for our convenience...

Thanks 

Bob

Reply |

Patch updated, thank you 

Patch updated, thank you

Reply |

Your patch is working here.

Your patch is working here.

Unfortunately I coudn't find any contact of the author of the current 1.4.1 version

Reply |

did you test your patch

did you test your patch already?

Anyway, it's not clear to me why this happens only with gmail/hotmail...

Reply |

simscan 1.4.1

Roberto hi,

FYI there is a newer simscan 'bumdle' 1.4.1 @ https://github.com/qmail/simscan

However, I've noticed a strange simscan behavior (for both vers). When I send emails from @gmail/hotmail with multiple 'local' recepients [To, Cc] to my new qmail-simscan server the spamc scan is executed as null user!!! [SIMSCAN_DEBUG=4](The normal behaviour accordind to README is to extract the first local recepient.)

Any ideas?

Bob

Reply |

simscan 1.4.1

I had a better look to the 1.4.1 fork and noticed that actually it contains many bug fixes and most of the patches I am used to apply. A lot of garbage was cleaned as well so I decided to do the switch...

Reply |

Hi Bob,

Hi Bob,

I have the same strange behaviour when receiving from gmail with CC. Test from other senders made simscan call spamc twice (one for the To address and another for the CC address). At the moment I have no idea... Let me know if youe manage to solve or find a patch.

According to the changelog, the new simscan seems not to add anything important, I'll wait for further development.

Reply |

Option necessary for centos distributions

Hi, for centos distribution in my case i have to put this option in the configure "--enable-spamc=/usr/bin/spamc".

I hope to be useful

Thanks a lot Roberto for this great manual. 

Reply |

changing of spam hit

Hi,

I have been using --enable-spam-hits=9.5 and i would like to lower to 8.0. I had recompile simscan with --enable-spam-hits=8.0, make and make install-strip , still it did not change.

Did i missed out anything?

thanks, nic

Reply |

I think modifing and

I think modifing and  recompiling simcontrol should work

Reply |

Thanks Roberto.

Thanks Roberto.

I missed out the simcontol.

Reply |

Simscan update (for gcc 4.1 and up)

It will not compile unless you add the following to the function in "simscanmk.c" where ever it is referenced:

In function ‘open’, inlined from ‘make_cdb’ at simscanmk.c:429:6: /usr/include/x86_64-linux-gnu/bits/fcntl2.h:50:4: error: call to ‘__open_missing_mode’ declared with attribute error: open with O_CREAT in second argument needs 3 arguments 

so it looks like:

if ( (fdout = open(CdbTmpFile, O_CREAT | O_TRUNC | O_WRONLY, 0644)) < 0) { 

so in this case on line 429, I added "0644" - add it where ever it there's a "open_missing_mode"

Hope it helps someone.

Reply |

Thanks for your contribution,

Thanks for your contribution, Wlad

Reply |

I wish there was an

I wish there was an alternative to simscan 1.4.0 - compiling it requires an older version of gcc - which in this case prevents this from building without proper arguments (for security purposes).

Reply |

which gcc version?

which gcc version? I can compile up to gcc-4.8.2 here

Reply |

bounce email

Rather then reply to an email stating why the message was blocked can it just be dropped with no reply as spammers will send a fake repy to address and someone will be inundated with these messages.

Reply |

there are several options

there are several options, depending on the delivery program you use. Look at this for details http://www.gossamer-threads.com/lists/qmail/users/133589

I use CHKUSER_WRONGRCPTLIMIT in conjunction with a fail2ban rule

Reply |

blocking attachment

hello everyone , I have a question related to simscan, may I block all kind of attachment in the mail ? I need just this functionnality, is that possible ?

Reply |

Recent comments
See also...
Recent posts

RSS feeds