- Info: https://github.com/qmail/simscan/releases
- John Simpson's simscan page (patch and a lot of info)
- Download (local copy)
- Combined patch used (Sep 13, 2023)
- Version: simscan-1.4.1
- Old 1.4.0 repo: http://sourceforge.net/projects/simscan/files/
Simscan is a simple program that enables the qmail smtpd service to reject viruses, spam, and block attachments during the SMTP conversation so the processing load on the email system is kept to a minimum.
Combined patch details
Version 1.4.1 is a fork of the original simscan by Inter7. The sources have been polished and modernized a bit and contain a number of bug fixes and patches, including almost all the patches by jms (the only missing one is the "debug" patch which we will apply below) and the bug fix by Gustavo Castro that I had in my previous bundle of patches. Therefore the new patch simply adds the following:
- the jms "debug" patch, to improve the debugging of simscan on
- a bug fix by Bob Greco where a received message with multiple 'local' recipients executes spamc as null user and not as the user extracted from the first local recipient.
- my attachments-size-limit patch, which allows you to overcome a limitation where simscan doesn't pass messages over 250k to spamassassin. This patch lets the administrator set the attachments' size limit in bytes by setting the /var/qmail/control/simsizelimit file. Furthermore, events where simscan is not activated are now logged at smtpd level (previously they were logged only when debug was active).
- Info: https://pldaniels.com/ripmime/
- Download dev version from github: https://github.com/inflex/ripMIME
- Old stable (won't compile): https://pldaniels.com/ripmime/ripmime-126.96.36.199.tar.gz
ripMIME's primary purpose is to extract attachments out of MIME-encoded email packages. It is used by simscan. It is a recommended package.
    cd /usr/local/src
    git clone https://github.com/inflex/ripMIME.git
    cd ripMIME
    chown -R root:root .
    make
    make install
ripmime for more info
Pick up an email file "message.eml" with an attachment.
    mkdir tmp
    ripmime --debug --disable-qmail-bounce -i message.eml -d tmp > ripmime.log
The extracted attachments should be inside the
    # ls -l tmp/
    total 2352
    -rw------- 1 root root 2396801 Aug 2 16:10 attached_file.jpeg
    -rw-r--r-- 1 root root 0 Aug 2 16:10 textfile0
    -rw-r--r-- 1 root root 4 Aug 2 16:10 textfile1
    -rw-r--r-- 1 root root 25 Aug 2 16:10 textfile2
As you can see, ripMIME extracted a file attached_file.jpeg which is not group readable. This is not a problem for us, because we are going to run simscan as the clamav user, but if you are planning to run it as simscan and then include clamav in the simscan group, you should patch ripMIME with this patch (perhaps you will have to do it manually, as it is for v. 188.8.131.52, which doesn't compile anymore), otherwise clamav will not be allowed to read the attachments.
Install as follows (we have to create the file configure.in on old compilers). Note that with v. 1.4.1 we have to explicitly tell the compiler where the clamav db is (--enable-clamavdb-path) and that we have to run an autoreconf -f -i command:
    cd /usr/local/src
    wget https://notes.sagredo.eu/files/qmail/tar/simscan-1.4.1.tar.gz
    wget https://notes.sagredo.eu/files/qmail/patches/simscan/simscan-1.4.1_20230913.patch
    tar xzf simscan-1.4.1.tar.gz
    cd simscan-1.4.1
    chown -R root:root .
    patch < ../simscan-1.4.1_20230913.patch
    autoreconf -f -i
    ./configure \
      --enable-user=clamav \
      --enable-clamav=y \
      --enable-spam=y \
      --enable-spam-passthru=y \
      --enable-spam-hits=9.5 \
      --enable-per-domain=y \
      --enable-ripmime \
      --enable-attach=y \
      --enable-custom-smtp-reject=y \
      --enable-spamc-user=y \
      --enable-received=y \
      --enable-clamavdb-path=/usr/local/share/clamav
    make
    make install-strip
Take a look at the README file for an explanation of all the configuration options. Concerning spam, I want to reject via SMTP the spam with a score greater than 9.5 and pass to the user the spam below this score.
--enable-per-domain=y|n Turn on per domain based checking.
--enable-spam=y|n Turn on spam scanning. default no.
--enable-spam-passthru=y|n Pass spam email thru or reject. Default: disable (reject)
--enable-spam-hits=number Reject spam above this hit level. Default 10.0
--enable-custom-smtp-reject=y Turns custom smtp reject messages on and off. When enabled simscan will place the virus name in the reject message if a virus is detected. Requires the qmail-queue-custom-error.patch. Enabling dropmsg disables this option (more info here).
--enable-spamc-user=y Mandatory option if you want to allow the spamassassin user preferences via SQL.
--enable-received=y Add a Received: line to the message, showing the scanners that were used and some stats (you have to patch
Configure the /var/qmail/control/simsizelimit file if not done yet. This will set to around 10MB the limit of file size of the messages to be passed to
    echo 10000000 > /var/qmail/control/simsizelimit
Now create the temporary dir and assign it proper permissions:
    mkdir /var/qmail/simscan
    chown clamav:clamav /var/qmail/simscan
Please refer to this page to understand how the SMTP rejection works with simscan. This guide briefly recalls that:
For virus rejection, the message contains the name of the virus, such as:
    Your email was rejected because it contains the Worm.Bagle.AU virus
For spam rejection, the message is more generic, merely stating that the message was rejected because it was considered spam:
    Your email is considered spam (53.5 spam-hits)
For attachment rejection, the message contains the name of the attachment:
    Your email was rejected because it contains a bad attachment: trojan.exe
How to set up simscan to manage spam as well as possible
Let's assume that spamassassin is configured with a spam level of 5.0, so that hits above this score are labeled as spam.
Of course, sooner or later, spamassassin will label as junk an important email for a customer of yours, and we never want to reject such a message. On the other hand there will be a score level, say 9.5, above which we can absolutely trust spamassassin's response and let simscan reject those emails without storing them in the user's mailbox.
Therefore we will configure simscan/spamassassin in order to:
- Reject the emails with a score > 9.5
- Pass through the emails with a 5.0
- Consider all the other emails with a score
To accomplish this create a simcontrol like the following:
    cat > /var/qmail/control/simcontrol << __EOF__
    :clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif
    __EOF__
Remember to update simcontrol.cdb every time you modify simcontrol:
    # update simcontrol.cdb
    /var/qmail/bin/simscanmk
    echo ':allow,CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/simscan"' >> ~vpopmail/etc/tcp.smtp
    qmailctl cdb
Now simscan/chkuser will close the SMTP communication after 3 wrong recipients. You may want to add an instruction like CHKUSER_RCPTLIMIT="50" to limit the number of recipients per SMTP connection. To be honest, these are chkuser settings (not simscan).
Understanding the simcontrol file
You can set up rules for a specific user, a specific domain and a default rule as follows:
    cat > /var/qmail/control/simcontrol << __EOF__
    firstname.lastname@example.org:clam=yes,spam=no,attach=.txt:.com
    example.com:clam=no,spam=yes,attach=.mp3
    :clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif
    __EOF__
- The first line sets clam on and spam off for email@example.com and checks for viruses inside attached file .txt and .com names.
- The second line sets clam off and spam on for the example.com domain and disallows .mp3 files for the attachment scanner.
- The third line sets the default for the whole machine to enable clam, spam scanning, and sets the reject level for spam hits to 9.5.
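To see which rule a given recipient ends up with, the following added example (not simscan's own code, and not from the original guide) resolves a recipient against a simcontrol file. It assumes the most specific key wins (user, then domain, then default) and that keys are case-insensitive; the function names and the sample addresses are constructed.

```sh
#!/bin/sh
# Added example, not simscan's own code. ASSUMPTIONS: the most specific key
# wins (user@domain, then domain, then the empty-key default) and keys are
# compared case-insensitively.

# Constructed sample with the same three-rule layout as the file above.
simcontrol_sample() {
    cat <<'EOF'
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
:clam=yes,spam=yes,spam_hits=9.5,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif
EOF
}

# simcontrol_lookup FILE KEY: print the settings of the rule whose key is KEY.
# Only the first ":" ends the key, because attach= lists also contain colons.
simcontrol_lookup() {
    awk -v key="$2" '
        { i = index($0, ":"); if (i == 0) next }
        tolower(substr($0, 1, i - 1)) == tolower(key) {
            print substr($0, i + 1); found = 1; exit
        }
        END { exit !found }' "$1"
}

# simcontrol_effective FILE RECIPIENT: print "MATCHED_KEY|SETTINGS".
simcontrol_effective() {
    rcpt=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for key in "$rcpt" "${rcpt#*@}" ""; do
        if settings=$(simcontrol_lookup "$1" "$key"); then
            printf '%s|%s\n' "${key:-<default>}" "$settings"
            return 0
        fi
    done
    return 1    # no matching rule and no default line
}

# simcontrol_get SETTINGS NAME: print one option value, e.g. spam_hits.
simcontrol_get() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= -v n="$2" '$1 == n { print $2; f = 1 } END { exit !f }'
}
```

Run `simcontrol_effective /var/qmail/control/simcontrol user@domain` after editing the file to confirm that a per-user or per-domain line does not silently switch off clam or spam for an address you expected the default to cover.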
Configuring simscan with the DKIM patch
If you want to enable DKIM you have to modify the simscan configuration accordingly as explained in the DKIM page.
The patch applied will add a line like this to the header:
Received: by simscan 1.4.0 ppid: 5613, pid: 5684, t: 0.7355s scanners: attach: 1.4.0 clamav: 0.98.4/m:55/d:19599 spam: 3.4.0
You have to update the simscan's database if you want to get the current versions of
    # /var/qmail/bin/simscanmk -g
    simscan versions cdb file built. /var/qmail/control/simversions.cdb
Since the update has to be done each time you refresh the virus database, you have to adjust your freshclam configuration as follows.
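First of all let's download and install the program that will do the update. The chown and chmod below install it setuid root, executable only by root and by members of the clamav group (mode 4110), and wget is told to skip certificate verification, so read update-simscan.c before compiling it:
    wget --no-check-certificate https://qmail.jms1.net/simscan/update-simscan.c
    gcc -s -o /usr/local/sbin/update-simscan update-simscan.c
    chown root:clamav /usr/local/sbin/update-simscan
    chmod 4110 /usr/local/sbin/update-simscan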
Now modify the freshclam configuration file in order to run the update-simscan executable each time the database is changed. You have to edit the file /usr/local/etc/freshclam.conf and modify it in this way:
/var/qmail/simscan on a ramdisk
In his simscan information page, John Simpson suggests mounting the work directory of simscan on a ramdisk, in order to speed up the loading of files from the disk.
It is sufficient to mount that directory in this way in your
    CLAMAV_UID=`id -u clamav`
    CLAMAV_GID=`id -g clamav`
    echo "none /var/qmail/simscan tmpfs nodev,noexec,noatime,uid=$CLAMAV_UID,gid=$CLAMAV_GID,mode=2750 0 0" >> /etc/fstab
Be aware that you have to adjust the uid and gid to the actual clamav user and group numbers respectively.
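A pre-flight check for the tmpfs entry before it is appended to /etc/fstab, as an added example that is not part of the original guide: it rejects a non-numeric uid or gid (for instance a shell variable name left unexpanded) and a missing nodev or noexec on the directory where attachments are unpacked. The function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the original guide. Function names are
# hypothetical; pass the numeric ids of the account that runs simscan.

# simscan_fstab_line UID GID: print the tmpfs entry with numeric ids filled in.
simscan_fstab_line() {
    printf 'none /var/qmail/simscan tmpfs nodev,noexec,noatime,uid=%s,gid=%s,mode=2750 0 0\n' "$1" "$2"
}

# check_simscan_fstab LINE UID GID: return 0 if LINE is a sane entry for the
# simscan work directory, otherwise print each problem and return 1.
check_simscan_fstab() {
    printf '%s\n' "$1" | awk -v uid="$2" -v gid="$3" '
        function err(m) { print "fstab: " m; bad = 1 }
        function chk(k, want) {
            if (opt[k] !~ /^[0-9]+$/) err(k " is not numeric: " opt[k])
            else if (opt[k] + 0 != want + 0) err(k "=" opt[k] ", expected " want)
        }
        {
            if ($2 != "/var/qmail/simscan") err("unexpected mount point: " $2)
            if ($3 != "tmpfs") err("unexpected fs type: " $3)
            n = split($4, o, ",")          # split the option field
            for (i = 1; i <= n; i++) {
                p = index(o[i], "=")
                if (p) opt[substr(o[i], 1, p - 1)] = substr(o[i], p + 1)
                else opt[o[i]] = "set"
            }
            if (!("nodev" in opt)) err("nodev missing")
            if (!("noexec" in opt)) err("noexec missing")
            chk("uid", uid); chk("gid", gid)
        }
        END { exit bad + 0 }'
}

# Usage: build the line from the real account, check it, then append it.
#   u=$(id -u clamav); g=$(id -g clamav)
#   line=$(simscan_fstab_line "$u" "$g")
#   check_simscan_fstab "$line" "$u" "$g" && echo "$line" >> /etc/fstab
```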