July 28, 2021 Roberto Puzzanghera 54 comments
Simscan is a simple program that enables the qmail smtpd service to reject viruses, spam, and block attachments during the SMTP conversation so the processing load on the email system is kept to a minimum.
Version 1.4.1 is a fork of the original
simscan by Inter7. The sources have been polished and modernized a bit and contain a number of bug fixes and patches, including almost all the patches by jms (the only missing one is the "debug" patch which we will apply below) and the bug fix by Gustavo Castro that I had in my previous bundle of patches. Therefore the new patch simply adds the following:
spamcas null user and not as the user extracted from the first local recipient.
simscandoesn't pass messages over 250k to
spamassassin. This patch let the administrator set the attachments' size limit in bytes at compilation time configuring in this way
autoreconf -f -i (this in needed as configure.ac was modified)
configure --with-attachments-size-limit=250000 (default 250k, value must be a number)
Furthermore, events where
simscan is not activated are now logged at
smtpd level (it was logged only when debug is active).
ripMIME's primary purpose is to extract attachments out of a MIME encoded email packages. It is used by
simscan. It is a recommended package.
cd /usr/local/src git clone https://github.com/inflex/ripMIME.git cd ripMIME chown -R root:root . make make install
ripmimefor more info
Pick up an email file "message.eml" with an attachment.
mkdir tmp ripmime --debug --disable-qmail-bounce -i message.eml -d tmp > ripmime.log
The extracted attachments should be inside the
# ls -l tmp/ total 2352 -rw------- 1 root root 2396801 Aug 2 16:10 attached_file.jpeg -rw-r--r-- 1 root root 0 Aug 2 16:10 textfile0 -rw-r--r-- 1 root root 4 Aug 2 16:10 textfile1 -rw-r--r-- 1 root root 25 Aug 2 16:10 textfile2
As you can see,
ripMIME extracted a file
attached_file.jpeg which is not group readable. This is not a problem for us, because we are going to run
clamav user, but if you are planning to run it as
simscan and then including
simscan group, you should patch
ripMIME with this patch (perhaps you have to do it manually, as this is for v. 22.214.171.124, which doesn't compile anymore), otherwise
clamav will not be allowed to read the attachments.
Install as follows (we have to create the file configure.in on old compilers). Note that with v. 1.4.1 we have to explicitly tell the compiler where the clamav db is (
--enable-clamavdb-path) and that we have to provide an
autoreconf as the configure.ac file has been modified:
cd /usr/local/src wget https://notes.sagredo.eu/files/qmail/tar/simscan-1.4.1.tar.gz wget https://notes.sagredo.eu/files/qmail/patches/simscan/simscan-1.4.1_20210728.patch tar xzf simscan-1.4.1.tar.gz cd simscan-1.4.1 chown -R root:root . patch < ../simscan-1.4.1_20210728.patch autoreconf -f -i ./configure \ --enable-user=clamav \ --enable-clamav=y \ --enable-spam=y \ --enable-spam-passthru=y \ --enable-spam-hits=9.5 \ --enable-per-domain=y \ --enable-ripmime \ --enable-attach=y \ --enable-custom-smtp-reject=y \ --enable-spamc-user=y \ --enable-received=y \ --enable-clamavdb-path=/usr/local/share/clamav \ --with-attachments-size-limit=500000 make make install-strip
Take a look to the README file for an explanation of all the configuration options. Concerning spam, I want to reject via smtp the spam with a score greater than 9.5 and pass to the user the spam below this score.
--enable-per-domain=y|n Turn on per domain based checking.
--enable-spam=y|n Turn on spam scanning. default no.
--enable-spam-passthru=y|n Pass spam email thru or reject. Default: disable (reject)
--enable-spam-hits=number Reject spam above this hit level. Default 10.0
--enable-custom-smtp-reject=y Turns custom smtp reject messages on and off. When enabled simscan will place the virus name in the reject message if a virus is detected. Requires the qmail-queue-custom-error.patch. Enabling dropmsg disables this option (more info here).
--enable-spamc-user=y Mandatory option if you want to allow the spamassassin user preferences via SQL.
--enable-received=y Add a Received: line to the message, showing the scanners that were used and some stats (you have to patch simscan)
--with-attachments-size-limit=500000 Attachments with size above 500000 bytes are not passed to
spamassassin (default 250k)
Now create the temporary dir and assign it proper permissions:
mkdir /var/qmail/simscan chown clamav:clamav /var/qmail/simscan
Please refer to this page to understand how the
smtp rejection works with
simscan. This guide shortly remainds that:
For virus rejection, the message contains the name of the virus such as :
Your email was rejected because it contains the Worm.Bagle.AU virus
For spam rejection, the message is more generic, merely stating that the message was rejected because it was considered spam:
Your email is considered spam (53.5 spam-hits)
For attachment rejection, the message contains the name of the attachment :
Your email was rejected because it contains a bad attachment: trojan.exe
Let's assume that spamassassin is configured with a spam level of 5.0, so that hits above this score are labeled as spam.
Of course, soon or later, spamassassin will label as junk an important email for a customer of yours, and we will never want to reject such a message. On the other hand there will be a score level, say 9.5, above which we can absolutely trust in spamassassin response and let simscan reject those emails without storing them in the user's mailbox.
Therefore we will configure simscan/spamassassin in order to:
To accomplish this create a simcontrol like the following:
cat > /var/qmail/control/simcontrol << __EOF__ :clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif __EOF__
Remember to update simcontrol.cdb every time you modify simcontrol
# update simcontrol.cdb /var/qmail/bin/simscanmk
echo ':allow,CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/simscan"' >> ~vpopmail/etc/tcp.smtp qmailctl cdb
Now simscan/chkuser will close the smtp communication after 3 wrong recipient. You may want to add an instruction like CHKUSER_RCPTLIMIT="50" to limit to the number of recipient per SMTP connection. To be honest, these are settings chkuser (not simscan).
You can setup rules for a specific user, a specific domain and a default rule as follows:
cat > /var/qmail/control/simcontrol << __EOF__ email@example.com:clam=yes,spam=no,attach=.txt:.com example.com:clam=no,spam=yes,attach=.mp3 :clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif __EOF__
If you want to enable DKIM you have to modify the simscan configuration accordingly as explained in the DKIM page.
The patch applied will add a line like this to the header:
Received: by simscan 1.4.0 ppid: 5613, pid: 5684, t: 0.7355s scanners: attach: 1.4.0 clamav: 0.98.4/m:55/d:19599 spam: 3.4.0
You have to update the
simscan's database if you want to get the current versions of
# /var/qmail/bin/simscanmk -g simscan versions cdb file built. /var/qmail/control/simversions.cdb
Since the update has to be done each time you refresh the virus database, you have to adjust you
freshclam configutation as follows.
First of all let's download and install the program that will do the update:
wget --no-check-certificate https://qmail.jms1.net/simscan/update-simscan.c gcc -s -o /usr/local/sbin/update-simscan update-simscan.c chown root:clamav /usr/local/sbin/update-simscan chmod 4110 /usr/local/sbin/update-simscan
Now modify the
freshclam configuration file in order to run the
update-simscan executable each time the database is changed. You have to edit the file /usr/local/etc/freshclam.conf and modify it in this way:
/var/qmail/simscanon a ramdisk
simscan's information page, John Simpson suggests to mount the work directory of simscan on a ramdisk, in order to speed up the process of file load from the disk.
It is sufficient to mount that directory in this way in your
none on /var/qmail/simscan type tmpfs (nodev,noexec,noatime,uid=1010,gid=1004,mode=2750)
Be aware that you have to adjust the
gid to the actual
clamav user and group numbers respectively.
apache clamav dkim dovecot ezmlm fail2ban hacks lamp letsencrypt linux linux-vserver lxc mariadb mediawiki mozilla mysql openboard owncloud patches php proftpd qmail qmail to postfix qmail-spp qmailadmin rbl roundcube rsync sieve simscan slackware solr spamassassin spf ssh ssl surbl tcprules tex ucspi-tcp vpopmail vqadmin