ze-SpoolManager

ze-SpoolManager

This tool may be used to manage the quarantine of messages with attached XFILES.

This method of quarantine management isn't usual and many people don't appreciate it - because messages can be delayed some minutes… I understand !!!

But…

I think doing virus checking online, during an SMTP may be a bad idea :

virus checking may consume a lot of CPU resources;
because of this, the mail server may become vulnerable to DoS attacks.

Suppose a huge flood of messages arriving at near the same time. Or suppose a huge flood of messages with undetected malware not yet detected by the anti malware software running at the server. Or yet, suppose a near crash on the anti malware software.

All this situations don't happens frequently but when they happen, they can cause big damages.

If you run the anti malware software offline, just a small delay is enough, to be able to better manage unexpected situations and mitigate problems.

The idea is to run it periodically, started by cron.

It's important to understand how this tool works :

it may be launched with some profile. See example below;
it begins checking the content of the spool directory against an antivirus : currently only Clamav;
messages considered bad by Clamav are discarded or put in a side directory (dirbad);
messages considered good by Clamav may be resent to original recipients if :
- the age of the message shall be comprised in the interval [agemin, agemax];
- the number of freed messages is no more than maxfree messages (messages, not recipients);
- the quarantine isn't in state hold.
the quarantine is put in state hold (this means the quarantine is blocked) if :
- the number of messages available to be resent is bigger than minhold AND
- the flag nohold equals false.
when the quarantine is put in state hold :
- a notification is sent to mreport email address;
- it can exit this state only manually. To do so, you can launch it with the profile manual. See below.

All values defined at some profile may be overloaded by command line options
The command line option –op isn't really implemented for the moment. It shall be used to do some others operations on the quarantine, such as listing its contents, …

Command line options

Two command lines are important :

–op XXX - which defines what to do. XXX can take the values :
- conf - shows the configuration defined by the profile
- profiles - show the names of defined profiles.
- If this option isn't given, the default action is to handle the quarantine;
–profile YYY - the profile to be used in this run.
–doit - without this option the tool will just run on mode dry-run - just show what it would do. It's the contrary of the usual -n or –dry-run option found in other UNIX tools.

Other options (see below under section Help) can be used to overload all profile options.

# list available profiles
ze-SpoolManager --op profiles
# show the configuration values for profile "manual"
ze-SpoolManager --op conf --profile manual
# run the quarantine with profile "doc"
ze-SpoolManager --profile doc --doit
# the same but redefines ages interval to be considered
ze-SpoolManager --profile doc --agemin 5 --agemax 30 --scale minutes --doit

Example of cron file

In this example, the quarantine will be handled

each 10 minutes with profile default
each 2 minutes with profile doc

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/opt/filter-tools/bin
MAILTO=root
#
QFile=/var/ze-filter/files/ze-quarantine
#
# profile "doc"
0-59/10 * * * *  root  ze-SpoolManager --profile doc --doit < $QFile
2-59/10 * * * *  root  ze-SpoolManager --profile doc --doit < $QFile
4-59/10 * * * *  root  ze-SpoolManager --profile doc --doit < $QFile
6-59/10 * * * *  root  ze-SpoolManager --profile doc --doit < $QFile
8-59/10 * * * *  root  ze-SpoolManager --profile doc --doit < $QFile
# profile "default"
5-55/10 * * * *  root  ze-SpoolManager               --doit < $QFile

We need to add multiple lines for the profile doc to avoid have two instances running at the same time. This is a bug. Some kind of concurrence management (in clear words : lock) shall be implemented on this.

Configuration file - an example

#
# ze-SpoolManager configuration file
#
 
#
# default profile options
#
<profile default>
#
# When freeing a message from quarantine :
#   mreplyto defines what happens to the header "ReplyTo" :
#     preserve          : doesn't change
#     remove            : remove it
#     an email address  : change it to this email address
mreplyto     preserve
#   mfrom : defines what to do to the envelope FROM : 
mfrom        root+123456789@domain.com
 
#
# A report can be sent about what was done by this program
report       1
#   mreport : defines to recipient of this run
mreport      filtermaster@domain.com
 
#
# Sending notification about quarantined messages
# NOT YET IMPLEMENTED. 
notify       all
notifyfrom   filtermaster@domain.com
notifyto     filtermaster@domain.com
 
#
#
# Quarantine directories
dirspool     /var/spool/ze-filter
# where to move good messages
dirgood      /var/spool/ze-filter-good
# where to move bad messages
dirbad       /var/spool/ze-filter-bad
 
#
# time scale
scale        minutes
# minimum file age to be handled by this script
agemin       25
# maximum file age to be handled by this script
agemax       7200
 
# Max number of files to free at each run
maxfree      5
# Number of files at which the quarantine will be blocked
minhold      10
# Don't block the quarantine
nohold       false
 
# Path of clamdscan file
clamdscan    /usr/bin/clamdscan
# sendmail command
smbin        /usr/sbin/sendmail -oi
 
# extensions to apply this profile
extensions   all
</profile>
 
#
# doc files
#
<profile doc>
scale        minutes
agemin       1
agemax       1440
 
maxfree      2
minhold      15
 
extensions   doc,docx,docm
</profile>
 
#
# doc files
#
<profile manual>
scale        minutes
agemin       1
agemax       14400
 
maxfree      50
nohold       true
 
extensions   all
</profile>

Help

-h

# /opt/filter-tools/bin/ze-SpoolManager -h
 
   Usage : ze-SpoolManager [OPTIONS] < /var/ze-filter/files/ze-quarantine
 
     Management of ze-filter quarantine
 
  -h            This message
                default : false
  --help        This message
                default : false
  -d            Debug mode
                default : false
  --debug       Debug mode
                default : false
  -v            Verbose
                default : false
  --op          What to do ???
                default : 
  --profile     Profile
                default : default
  --cf          Configuration file
                default : ze-SpoolManager.conf
  --facility    Syslog facility
                default : local3
  --clamdscan   Path to clamdscan binary (or auto)
                default : /usr/bin/clamdscan
  --smbin       Path to sendmail binary (or auto)
                default : /usr/sbin/sendmail
  --smopt       sendmail CLI options
                default : -oi
  --agemin      minimum quarantine age
                default : 6
  --agemax      maximum quarantine age
                default : 72
  --scale       Time scale
                default : hour
  --dirspool    Quarantine spool path
                default : /var/spool/ze-filter
  --dirgood     Where to move clean messages
                default : /var/spool/ze-filter-good
  --dirbad      Where to move infected messages
                default : /var/spool/ze-filter-bad
  --extensions  File extensions to check
                default : all
  --maxfree     The max number of messages to free each run
                default : 3
  --nohold      Don't put the quarantine in hold state
                default : false
  --minhold     The amount of clean messages which puts the quarantine in hold state
                default : 10
  --mreplyto    Freed messages ReplyTo header 
                default : preserve
  --mfrom       Email address for free messages
                default : some-secret-key@domain.fr
  --notifyfrom  Email address for notifications
                default : thefilteraddr@domain.fr
  --notifyto    Quarantine manager email address
                default : thefilteraddr@domain.fr
  --report      Send summary report to quarantine manager after each run
                default : false
  --mreport     Email address for summary
                default : thefilteraddr@domain.fr
  --doit        The opposite of dry-run
                default : false
  --notify      Notify the quarantine manager
                default : all

Table of Contents

ze-SpoolManager

Command line options

Example of cron file

Configuration file - an example

Help