ze-SpoolManager
This tool may be used to manage the quarantine of messages with attached XFILES.
But…
I think doing virus checking online, during an SMTP session, may be a bad idea:
- virus checking may consume a lot of CPU resources;
- because of this, the mail server may become vulnerable to DoS attacks.
Suppose a huge flood of messages arriving at nearly the same time. Or suppose a huge flood of messages carrying malware not yet detected by the anti-malware software running on the server. Or suppose a near crash of the anti-malware software itself.
All these situations don't happen frequently, but when they do, they can cause big damage.
If you run the anti-malware software offline, a small delay is enough to be able to better manage unexpected situations and mitigate problems.
The idea is to run it periodically, started by cron.
It's important to understand how this tool works:
- it may be launched with some profile. See example below;
- it begins by checking the content of the spool directory against an antivirus: currently only Clamav;
- messages considered bad by Clamav are discarded or put in a side directory (dirbad);
- messages considered good by Clamav may be resent to the original recipients if:
  - the age of the message lies within the interval [agemin, agemax];
  - the number of freed messages is no more than maxfree messages (messages, not recipients);
  - the quarantine isn't in state hold.
- the quarantine is put in state hold (this means the quarantine is blocked) if:
  - the number of messages available to be resent is bigger than minhold
  - AND the flag nohold equals false.
- when the quarantine is put in state hold:
  - a notification is sent to the mreport email address;
  - it can exit this state only manually. To do so, you can launch it with the profile manual. See below.
- All values defined in some profile may be overridden by command line options.
- The command line option --op isn't really implemented for the moment. It shall be used to do some other operations on the quarantine, such as listing its contents, …
Command line options
Two command line options are important:
- --op XXX - which defines what to do. XXX can take the values:
  - conf - shows the configuration defined by the profile
  - profiles - shows the names of defined profiles.
  - If this option isn't given, the default action is to handle the quarantine;
- --profile YYY - the profile to be used in this run.
- --doit - without this option the tool will just run in dry-run mode: it just shows what it would do. It's the contrary of the usual -n or --dry-run option found in other UNIX tools.
Other options (see below under section Help) can be used to override all profile options.
    # list available profiles
    ze-SpoolManager --op profiles
    # show the configuration values for profile "manual"
    ze-SpoolManager --op conf --profile manual
    # run the quarantine with profile "doc"
    ze-SpoolManager --profile doc --doit
    # the same but redefines the ages interval to be considered
    ze-SpoolManager --profile doc --agemin 5 --agemax 30 --scale minutes --doit
Example of cron file
In this example, the quarantine will be handled:
- every 10 minutes with profile default
- every 2 minutes with profile doc

    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/opt/filter-tools/bin
    MAILTO=root
    #
    QFile=/var/ze-filter/files/ze-quarantine
    #
    # profile "doc"
    0-59/10 * * * * root ze-SpoolManager --profile doc --doit < $QFile
    2-59/10 * * * * root ze-SpoolManager --profile doc --doit < $QFile
    4-59/10 * * * * root ze-SpoolManager --profile doc --doit < $QFile
    6-59/10 * * * * root ze-SpoolManager --profile doc --doit < $QFile
    8-59/10 * * * * root ze-SpoolManager --profile doc --doit < $QFile
    # profile "default"
    5-55/10 * * * * root ze-SpoolManager --doit < $QFile
doc to avoid having two instances running at the same time. This is a bug. Some kind of concurrency management (in clear words: a lock) shall be implemented for this.
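Until the tool itself takes a lock, the overlap can be prevented by the caller. The following is an added example of that concurrency control, not code from ze-SpoolManager: it wraps a run in a non-blocking fcntl.flock on a lock file, so a second instance started while the first is still handling the spool exits immediately instead of releasing the same messages twice. The lock file path, the `guarded_run` / `demo` names and the use of a temporary directory are assumptions of this example.

```python
"""Per-run lock for a quarantine handler, as an added example (not the tool's
own code). A non-blocking flock on a lock file makes overlapping cron runs
skip instead of working on the same spool concurrently.
"""
import fcntl
import os
import tempfile

# assumed location for the example; a real deployment would use /run/lock or similar
DEFAULT_LOCK = os.path.join(tempfile.gettempdir(), "ze-SpoolManager-example.lock")


class AlreadyRunning(RuntimeError):
    """Raised when another run currently holds the lock."""


class RunLock:
    """Context manager holding an exclusive, non-blocking flock on `path`."""

    def __init__(self, path):
        self.path = path
        self.fd = None

    def __enter__(self):
        # each open() gives a distinct open file description, so a second
        # instance (even in the same process) gets EWOULDBLOCK here
        self.fd = os.open(self.path, os.O_CREAT | os.O_RDWR, 0o600)
        try:
            fcntl.flock(self.fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            os.close(self.fd)
            self.fd = None
            raise AlreadyRunning(f"another run holds {self.path}")
        # record the holder's pid for operators; the flock is what enforces exclusion
        os.ftruncate(self.fd, 0)
        os.write(self.fd, f"{os.getpid()}\n".encode())
        return self

    def __exit__(self, *exc):
        fcntl.flock(self.fd, fcntl.LOCK_UN)
        os.close(self.fd)
        self.fd = None
        return False


def guarded_run(lock_path, work):
    """Run `work()` under the lock.

    Returns ("done", result) when the lock was free, ("skipped", None) when
    another run was still in progress.
    """
    try:
        with RunLock(lock_path):
            return ("done", work())
    except AlreadyRunning:
        return ("skipped", None)


def demo(lock_path=DEFAULT_LOCK):
    """Simulate two overlapping runs: the inner one must be skipped, and a run
    started after the first has finished must succeed again."""
    inner = []

    def work():
        inner.append(guarded_run(lock_path, lambda: "inner"))
        return "outer"

    first = guarded_run(lock_path, work)
    second = guarded_run(lock_path, lambda: "again")
    return first, inner[0], second


if __name__ == "__main__":
    print(demo())
```

In the cron file above the same effect could be obtained by prefixing each command with a lock wrapper; the Python version is shown because it can be exercised in-process.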
Configuration file - an example
    #
    # ze-SpoolManager configuration file
    #
    #
    # default profile options
    #
    <profile default>
      #
      # When freeing a message from quarantine :
      # mreplyto defines what happens to the header "ReplyTo" :
      #   preserve : doesn't change
      #   remove   : remove it
      #   an email address : change it to this email address
      mreplyto     preserve
      # mfrom : defines what to do to the envelope FROM :
      mfrom        root+123456789@domain.com
      #
      # A report can be sent about what was done by this program
      report       1
      # mreport : defines the recipient of this run's report
      mreport      filtermaster@domain.com
      #
      # Sending notification about quarantined messages
      # NOT YET IMPLEMENTED.
      notify       all
      notifyfrom   filtermaster@domain.com
      notifyto     filtermaster@domain.com
      #
      #
      # Quarantine directories
      dirspool     /var/spool/ze-filter
      # where to move good messages
      dirgood      /var/spool/ze-filter-good
      # where to move bad messages
      dirbad       /var/spool/ze-filter-bad
      #
      # time scale
      scale        minutes
      # minimum file age to be handled by this script
      agemin       25
      # maximum file age to be handled by this script
      agemax       7200
      # Max number of files to free at each run
      maxfree      5
      # Number of files at which the quarantine will be blocked
      minhold      10
      # Don't block the quarantine
      nohold       false
      # Path of clamdscan file
      clamdscan    /usr/bin/clamdscan
      # sendmail command
      smbin        /usr/sbin/sendmail -oi
      # extensions to apply this profile
      extensions   all
    </profile>
    #
    # doc files
    #
    <profile doc>
      scale        minutes
      agemin       1
      agemax       1440
      maxfree      2
      minhold      15
      extensions   doc,docx,docm
    </profile>
    #
    # doc files
    #
    <profile manual>
      scale        minutes
      agemin       1
      agemax       14400
      maxfree      50
      nohold       true
      extensions   all
    </profile>
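The configuration format above is simple enough to parse in a few lines, and doing so shows how a profile such as doc ends up with its effective values. The following parser is an added example, not ze-SpoolManager's own reader. Its assumptions: a profile is a run of `key value` lines between `<profile NAME>` and `</profile>`, `#` starts a comment, keys missing from a profile fall back to the default profile and then to the built-in defaults printed by -h, and command-line `--key value` options override everything; only the first whitespace run separates key from value, so a value like `smbin /usr/sbin/sendmail -oi` keeps its spaces. The sample configuration embedded in the block is constructed and merely mirrors the layout of the page's example.

```python
"""Parser for the <profile> block format of the ze-SpoolManager
configuration file (added example, not the tool's own parser).
"""
import re

# subset of the built-in defaults printed by `ze-SpoolManager -h`
BUILTIN_DEFAULTS = {
    "scale": "hour", "agemin": "6", "agemax": "72", "maxfree": "3",
    "minhold": "10", "nohold": "false", "extensions": "all",
    "dirspool": "/var/spool/ze-filter",
    "dirgood": "/var/spool/ze-filter-good",
    "dirbad": "/var/spool/ze-filter-bad",
}

_OPEN = re.compile(r"^<profile\s+([A-Za-z0-9_-]+)>$")
_CLOSE = "</profile>"


def parse_profiles(text):
    """Return {profile_name: {key: value}} from the configuration text.

    Raises ValueError on nested, unterminated or stray blocks, so a damaged
    file fails loudly instead of silently yielding an empty profile.
    """
    profiles, current, name = {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = _OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: nested <profile>")
            name, current = m.group(1), {}
            continue
        if line == _CLOSE:
            if current is None:
                raise ValueError(f"line {lineno}: </profile> without <profile>")
            profiles[name], current = current, None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: option outside a profile")
        parts = line.split(None, 1)              # first whitespace run only
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key value', got {line!r}")
        current[parts[0].lower()] = parts[1].strip()
    if current is not None:
        raise ValueError("unterminated <profile> block")
    return profiles


def effective_config(profiles, profile, overrides=None):
    """Merge built-in defaults, the default profile, the chosen profile and
    command-line overrides; later sources win (inheritance order is an
    assumption of this example)."""
    if profile not in profiles:
        raise KeyError(f"unknown profile {profile!r}")
    cfg = dict(BUILTIN_DEFAULTS)
    cfg.update(profiles.get("default", {}))
    cfg.update(profiles[profile])
    cfg.update({k.lstrip("-"): v for k, v in (overrides or {}).items()})
    return cfg


# constructed sample; mirrors the layout of the page's example
SAMPLE_CONF = """\
# constructed ze-SpoolManager configuration
<profile default>
  scale        minutes
  agemin       25            # minimum file age
  agemax       7200
  maxfree      5
  smbin        /usr/sbin/sendmail -oi
</profile>
<profile doc>
  agemin       1
  agemax       1440
  maxfree      2
  minhold      15
  extensions   doc,docx,docm
</profile>
"""

if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_CONF)
    for key, value in sorted(effective_config(profiles, "doc").items()):
        print(f"{key:12} {value}")
```

The `__main__` section reproduces what `--op conf --profile doc` would show under these assumptions: doc's own keys, scale and smbin inherited from default, and the directory paths from the built-in defaults.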
Help
- -h
    # /opt/filter-tools/bin/ze-SpoolManager -h
    Usage : ze-SpoolManager [OPTIONS] < /var/ze-filter/files/ze-quarantine
      Management of ze-filter quarantine
      -h            This message                                                 default : false
      --help        This message                                                 default : false
      -d            Debug mode                                                   default : false
      --debug       Debug mode                                                   default : false
      -v            Verbose                                                      default : false
      --op          What to do ???                                               default :
      --profile     Profile                                                      default : default
      --cf          Configuration file                                           default : ze-SpoolManager.conf
      --facility    Syslog facility                                              default : local3
      --clamdscan   Path to clamdscan binary (or auto)                           default : /usr/bin/clamdscan
      --smbin       Path to sendmail binary (or auto)                            default : /usr/sbin/sendmail
      --smopt       sendmail CLI options                                         default : -oi
      --agemin      minimum quarantine age                                       default : 6
      --agemax      maximum quarantine age                                       default : 72
      --scale       Time scale                                                   default : hour
      --dirspool    Quarantine spool path                                        default : /var/spool/ze-filter
      --dirgood     Where to move clean messages                                 default : /var/spool/ze-filter-good
      --dirbad      Where to move infected messages                              default : /var/spool/ze-filter-bad
      --extensions  File extensions to check                                     default : all
      --maxfree     The max number of messages to free each run                  default : 3
      --nohold      Don't put the quarantine in hold state                       default : false
      --minhold     The amount of clean messages which puts the quarantine in hold state   default : 10
      --mreplyto    Freed messages ReplyTo header                                default : preserve
      --mfrom       Email address for free messages                              default : some-secret-key@domain.fr
      --notifyfrom  Email address for notifications                              default : thefilteraddr@domain.fr
      --notifyto    Quarantine manager email address                             default : thefilteraddr@domain.fr
      --report      Send summary report to quarantine manager after each run    default : false
      --mreport     Email address for summary                                    default : thefilteraddr@domain.fr
      --doit        The opposite of dry-run                                      default : false
      --notify      Notify the quarantine manager                                default : all