Virus scanning for SCO Openserver (MMDF)--Scanmails/Smtprelay

I have managed to set up e-mail virus scanning on an OSR504 system using MMDF as an e-mail gateway to a corporate network. It works off a collection of available tools, some custom code and the SOPHOS anti-virus software (www.sophos.com).

The core of it is a program I wrote (smtprelay) that inetd invokes for incoming e-mail connections on port 25. It monitors the SMTP protocol and interacts with the actual SMTP server for MMDF (/usr/mmdf/chans/smtpsrvr).

Most commands are simply relayed (MAIL FROM, RCPT TO, etc.), but at the DATA phase the incoming message is read into an internal buffer and passed to a backend program for filtering. The backend command is free to edit the message, pass it unmodified, or signal an error. This is where I do virus scanning.

If the message passes, the DATA command is sent to the backend server followed by the (possibly edited) message.
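The relay flow described above, as an added illustrative example (not the page's smtprelay and not MMDF code): commands other than DATA are relayed verbatim, the message is buffered up to the terminating ".", a filter callback decides whether to pass, edit or reject it, and only on a pass is DATA replayed to the backend. The backend here is a constructed in-memory stand-in for /usr/mmdf/chans/smtpsrvr, and the scanner is a constructed marker check rather than a real virus scanner; those are assumptions, not anything the page supplies.

```python
"""Minimal SMTP filtering proxy modelled on the smtprelay design.
Added example; the backend and scanner are constructed stand-ins."""
from typing import Callable, List, Tuple

# Filter contract: raw message lines in, (accept, edited_lines_or_reason) out.
Filter = Callable[[List[str]], Tuple[bool, object]]

DATA_PROMPT = '354 enter mail, end with "." on a line by itself'


class FakeSmtpServer:
    """Constructed stand-in for the real SMTP server (assumption).
    Accepts every command and records the messages it is handed."""

    def __init__(self) -> None:
        self.commands: List[str] = []
        self.messages: List[List[str]] = []
        self._body: List[str] = []
        self._in_data = False

    def send(self, line: str) -> str:
        """Feed one protocol line; return the reply ("" while inside DATA)."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                self.messages.append(self._body)
                self._body = []
                return "250 2.0.0 message accepted"
            self._body.append(line)
            return ""
        self.commands.append(line)
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            self._in_data = True
            return DATA_PROMPT
        if verb == "QUIT":
            return "221 2.0.0 bye"
        return "250 2.0.0 ok"


def relay(client_lines: List[str], backend: FakeSmtpServer, scan: Filter) -> List[str]:
    """Run one client session through the proxy; return the replies sent to the client."""
    replies: List[str] = []
    i = 0
    while i < len(client_lines):
        line = client_lines[i]
        i += 1
        if line.split(" ", 1)[0].upper() != "DATA":
            replies.append(backend.send(line))  # relayed verbatim
            continue
        # DATA phase: answer 354 ourselves and buffer the message without
        # touching the backend until the filter has had its say.
        replies.append(DATA_PROMPT)
        message: List[str] = []
        while i < len(client_lines) and client_lines[i] != ".":
            message.append(client_lines[i])
            i += 1
        i += 1  # skip the terminating "."
        accepted, result = scan(message)
        if not accepted:
            replies.append(f"554 5.7.1 message rejected by content filter: {result}")
            continue
        reply = backend.send("DATA")
        if not reply.startswith("354"):
            replies.append(reply)
            continue
        for out_line in result:  # the possibly edited message
            backend.send(out_line)
        replies.append(backend.send("."))
    return replies


INFECTED_MARKER = "X-CONSTRUCTED-TEST-INFECTED"  # constructed marker, not a real signature


def marker_scanner(message: List[str]) -> Tuple[bool, object]:
    """Constructed filter: reject on the marker, otherwise stamp a trace header."""
    if any(INFECTED_MARKER in line for line in message):
        return False, "virus marker found"
    try:
        header_end = message.index("")  # first blank line ends the headers
    except ValueError:
        header_end = len(message)
    return True, message[:header_end] + ["X-Scanned: clean"] + message[header_end:]


def run_session(message_body: List[str], backend: FakeSmtpServer) -> List[str]:
    """Drive a constructed client session carrying message_body through relay()."""
    session = ["HELO client.example", "MAIL FROM:<a@example.com>",
               "RCPT TO:<b@example.net>", "DATA", *message_body, ".", "QUIT"]
    return relay(session, backend, marker_scanner)
```

Note that on a rejection the backend never sees DATA at all: it is still sitting after RCPT TO, which is exactly the state the real smtpsrvr would be left in, so the client's QUIT or RSET is relayed normally.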

The backend virus scanner is a hacked up version of AMAVIS (0.2.1) (http://www.amavis.org). The original version had some HUGE performance issues and was designed to cover a variety of virus scanners. I streamlined the file processing loop and stripped it down to just work with SOPHOS. It was also designed to handle final delivery of the message; I modified it to act as a filter instead.

The AMAVIS part handles breaking out MIME attachments and unpacking various archives and compressed files so they can be scanned.

The whole package consists of:

smtpsrvr
Replacement for MMDF smtpsrvr to invoke smtprelay frontend.

Modify the smtpd line in /etc/inetd.conf

	    smtp	stream	tcp	nowait	root	/usr/mmdf/chans/smtpd smtpd /usr/local/scanmails/bin/smtpsrvr smtp
smtprelay
The core program that manages the e-mail connection and invokes the real e-mail server and the virus scanner.
scanmails
Shell script derived from amavis 0.2.1 to scan messages for viruses.

Modified 03/11/2002--Modified to use generated names when extracting mime segments so two segments with the same file name don't overwrite each other. Using the same name twice could have been used to mask a virus file by attaching a second file with the same name but which was not infected.

reformime
GNU program to extract mime attachments
makemime
GNU program to create mime attachments
securetar
Filter to patch tar filenames so tar archives can be safely extracted and examined (comes with amavis)
secureunzip
Version of unzip 5.4.2 (ftp://ftp.freesoftware.com/pub/infozip/src/unzip542.tar.gz) modified to restore all files with simple sequential numbered file names.

amavis supplies an unzip wrapper along the lines of securetar, but it had some severe bugs.

file
GNU version of the 'file' program. More informative than the native file program.
gunzip
GNU gunzip (from gzip) for uncompressing .gz files
bunzip2
GNU bunzip2 for uncompressing .bz files
tnef
Unpacker for TNEF, another archive format

There are also hooks for other archive types for which I didn't include handling.

It also uses various standard programs (uncompress, uudecode, logger, fgrep, egrep, grep, find, sed, awk, tar).
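Two of the points above, the 03/11/2002 change to scanmails (generated names for extracted MIME segments so same-named attachments cannot overwrite each other) and the secureunzip/securetar approach (never trust an archive member's own name as a path), as one added illustrative example. This is not the page's scanmails, reformime or secureunzip code; it uses Python's email and zipfile modules, and the two-attachment message and the zip with an escaping member name are constructed here.

```python
"""Extract MIME parts and zip members to sequential generated file names.
Added example; the sample message and archive are constructed."""
import email
import io
import os
import shutil
import tempfile
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Tuple


def extract_mime_parts(raw: bytes, outdir: str) -> List[Tuple[str, str, int]]:
    """Write every leaf part of raw to outdir/part-0001, part-0002, ...
    Returns (generated_path, original_filename, size) per part, so the scanner
    sees every part even when two of them carry the same file name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out: List[Tuple[str, str, int]] = []
    n = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        n += 1
        path = os.path.join(outdir, f"part-{n:04d}")
        payload = part.get_payload(decode=True) or b""
        with open(path, "wb") as fh:
            fh.write(payload)
        out.append((path, part.get_filename() or "", len(payload)))
    return out


def extract_zip_numbered(data: bytes, outdir: str) -> List[Tuple[str, str, bytes]]:
    """Unpack a zip the secureunzip way: each member is read into
    outdir/member-0001, member-0002, ...; the member's own name is recorded
    for the report but never used to build a path."""
    out: List[Tuple[str, str, bytes]] = []
    n = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            n += 1
            path = os.path.join(outdir, f"member-{n:04d}")
            payload = zf.read(info)
            with open(path, "wb") as fh:
                fh.write(payload)
            out.append((path, info.filename, payload))
    return out


def build_sample_message() -> bytes:
    """Constructed message with two attachments that share the name invoice.doc."""
    m = EmailMessage()
    m["Subject"] = "two attachments, one name"
    m.set_content("see attached")
    m.add_attachment(b"first body", maintype="application",
                     subtype="octet-stream", filename="invoice.doc")
    m.add_attachment(b"second body", maintype="application",
                     subtype="octet-stream", filename="invoice.doc")
    return m.as_bytes()


def build_sample_zip() -> bytes:
    """Constructed zip whose second member name would escape the extraction
    directory if it were extracted under its own name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("../outside.txt", "escapes if extracted by name")
    return buf.getvalue()


def demo() -> Dict[str, object]:
    """Run both extractors in a scratch directory and report what landed where."""
    outdir = tempfile.mkdtemp(prefix="scanmails-demo-")
    try:
        parts = extract_mime_parts(build_sample_message(), outdir)
        members = extract_zip_numbered(build_sample_zip(), outdir)
        return {
            "mime_names": [name for _, name, _ in parts],
            "mime_sizes": [size for _, _, size in parts],
            "mime_unique_paths": len({p for p, _, _ in parts}) == len(parts),
            "zip_names": [name for _, name, _ in members],
            "zip_contents": [body for _, _, body in members],
            "zip_inside_outdir": all(os.path.dirname(p) == outdir for p, _, _ in members),
        }
    finally:
        shutil.rmtree(outdir)


if __name__ == "__main__":
    print(demo())
```

The report keeps the original names alongside the generated ones, which is what a scanner log needs: a detection on part-0003 can still be reported to the user as the second "invoice.doc".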

You can download...

*** WARNING ***

The tarball was glommed together out of a less organized actual implementation and may not work out of the box.

Proceed at your own risk.