[Avcheck] Separation of checking and reporting parts?

Michael Tokarev mjt@tls.msk.ru
Wed, 01 Aug 2001 18:11:04 +0400


After some thought about the whole virus scanning,
I want to implement it in a slightly different way.
Let the *checker* be as light as possible, to run
fast for normal mails.  But when it finds an infected
message, it should call some other program (a script
will be used in almost all cases), that can run
slowly etc etc, but can be customized as someone
likes.  Avpcheck now saves the message in a temporary
file anyway, so it (the file) will be passed to it
easily.  But some other questions exist:

o how to pass antivirus messages to that
 external script?  I think it is ok to
 use stdin here, so it isn't an issue.

o how to reinject mails back (in case of
 e.g. virus-alerts etc) from that script?
 Avpcheck now has mini-smtp-client implemented
 (used for that purpose too), but external
 script will need to use its own utility
 (well, /usr/sbin/sendmail is ok to use here
 with one exception: in this case one can't
 use "content_filter=xyz" as parameter in
 main.cf (to scan mails injected by sendmail
 too)).  Or, something like mini_sendmail
 should be used (or perl's Smtp client).
 Another external program dependence is not
 good here IMHO.

o what to do if the script has the ability to allow
 infected mail to at least some of the recipients?
 Currently, it will need to send (reinject)
 it back itself.  I use avpcheck with
 content_INSPECTOR (mail doesn't leave the
 queue and continues routing after checking),
 so it will be bad if that script reinjects
 mail back (while avpcheck bounces a message).
 We should have a way to pass some information
 back from a script to avpcheck: e.g. a list
 of recipients that should receive mail anyway.
 Currently, I see no good way to do so.

o also as I noted earlier, my plan is to implement
 avcheck as a postfix daemon too (in parallel with
 "plain" external program).  It will have far more
 abilities to reinject message back, together
 with proper logging (just like local(8) now logs
 forwards:
   postfix/local[1234]: old-queue-id: forwarded as new-queue-id
 ).  So if the script reinjects infected mail
 for *some* recipients back (see above), things
 will be even worse.

Again, these are general questions, probably of
interest on the amavis mailing list too.  Oh, well, I
need to subscribe there too... :)

Regards,
 Michael.
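
The hand-off discussed in this message, sketched as an added example (not code from avcheck or from the post): the checker passes the saved message file as an argument and the antivirus output on stdin, and the script answers with the recipients that should still get the mail. The stdout reply format, the name `run_handler`, the sample report line and the addresses are assumptions made for the illustration.

```python
import os
import subprocess
import sys
import tempfile


def run_handler(handler_argv, msg_path, av_report, envelope_rcpts, timeout=30):
    """Run the slow reporting script for one infected message.
    Returns the envelope recipients the script says may still get the mail;
    non-zero exit, timeout or exec failure gives an empty set (fail closed).
    """
    try:
        proc = subprocess.run(
            list(handler_argv) + [msg_path],  # argv list, no shell parsing
            input=av_report, capture_output=True, text=True, timeout=timeout)
    except (subprocess.TimeoutExpired, OSError):
        return set()
    if proc.returncode != 0:
        return set()
    allowed = {ln.strip().lower() for ln in proc.stdout.splitlines() if ln.strip()}
    # The script may only narrow the recipient list, never extend it.
    return {r for r in envelope_rcpts if r.lower() in allowed}


# Constructed stand-in for the customizable script (assumed reply protocol:
# one recipient address per line on stdout).
SAMPLE_HANDLER = """
import sys
report = sys.stdin.read()
open(sys.argv[1]).close()  # the saved message file is readable by the script
if "infected" in report:
    print("abuse@example.org")
    print("outsider@example.net")  # not an envelope recipient, gets dropped
"""


def demo():
    with tempfile.NamedTemporaryFile("w", suffix=".msg", delete=False) as f:
        f.write("From: a@example.org\n\nconstructed test body\n")
    rcpts = ["user@example.org", "Abuse@example.org"]
    report = "msg: infected: Constructed-Test-Signature\n"  # constructed AV output
    py = [sys.executable, "-c"]
    try:
        kept = run_handler(py + [SAMPLE_HANDLER], f.name, report, rcpts)
        failed = run_handler(py + ["raise SystemExit(1)"], f.name, report, rcpts)
    finally:
        os.unlink(f.name)
    return kept, failed
```

With this shape the checker stays the only component that decides delivery, so the script never has to reinject an infected message itself.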