[Avcheck] does avcheck scan outgoing mail?

Michael Tokarev mjt@tls.msk.ru
Mon, 24 Jun 2002 15:38:13 +0400


Ries van Twisk wrote:
> 
> Ralf,
> 
> thanks for your extremely quick answer and it confirmed to be working.
> 
> Now I have one last question (I hope). I have set that the recipient will
> receive a notification that somebody sent a message with a virus, I do this
> because otherwise people keep asking me: 'somebody sent me a mail but I
> didn't receive it, can you check......)
> But from our internal lan to an external user I don't want that because
> external users are not interested in our internal problems and it just does
> not look good.
> 
> Is it possible to check whether mail was relayed from internal to external so I
> can stop sending recipient messages?

There are way too many possibilities.  And in fact, answer to your original
question isn't that simple.. ;)

First of all, whether a mail will be checked or not depends on whether this mail,
at the time it was accepted by postfix and queued (i.e. at submission time),
was marked "to be checked" or not -- i.e. whether the postfix delivery agent that
was used to submit this email (usually smtpd) was instructed to place the appropriate
record in the queue file.  You may have several such delivery agents listed
in master.cf - e.g. one for external clients (maybe two, one for one set
of domains via MX and another for another set), one for your internal lan
clients and so on, each with different settings.  For example, if you
have one listening on the internal lan and another on the external net, you may
control whether postfix will check incoming (accepted from outside) and/or
outgoing (sent from your lan) mail separately, by using different settings for
each.

Each may use different avcheck "instances" in master.cf as well, with
different settings - this is one variant of answer to your second question.
I.e. have two different avchecks in master.cf and set up each to call a
different `infected' handler (you may write two simple shell scripts for
that, which will in turn call a common one after setting some variables etc).

Another variant is to parse topmost Received: line in `infected' handler
to see where this message was originated from.  Once not so long ago I
posted an example of such code (in shell) here.

/mjt
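As an added example, not code from avcheck or from either poster, here is a POSIX shell sketch of the second approach above: an `infected' handler that reads the topmost Received: header (the one your own postfix wrote at submission time) and uses it to decide whether the recipient notification goes out. It assumes the handler gets the message as a file path in `$1`, and that the internal lan uses the 192.168.0.0/16 and 10.0.0.0/8 ranges; both are assumptions, and the two messages it runs over are constructed samples.

```shell
#!/bin/sh
# Added example (not avcheck's own code): an `infected' handler sketch that
# looks at the TOPMOST Received: header, the one your own postfix added at
# submission time, to decide whether the recipient notification is sent.
# Assumptions: the message is passed as a file path in $1; the internal lan
# uses 192.168.0.0/16 and 10.0.0.0/8 (adjust INTERNAL_PREFIXES to your site).

INTERNAL_PREFIXES="192.168. 10."

# Print the first Received: header of the message, with its folded
# continuation lines joined onto one line. Stops at the end of the headers.
top_received() {
    awk '
        /^$/ { exit }                                  # end of header section
        !found && /^Received:/ { found = 1; printf "%s", $0; next }
        found && /^[ \t]/ { printf " %s", $0; next }   # folded continuation
        found { exit }                                 # next header: done
    ' "$1"
    echo
}

# Extract the IP address from the first [a.b.c.d] in the topmost Received:
# header; prints nothing if there is none (e.g. local submission, IPv6).
top_received_ip() {
    top_received "$1" | sed -n 's/^[^[]*\[\([0-9][0-9.]*\)\].*/\1/p'
}

# Return 0 if the IP starts with one of the internal prefixes.
is_internal_ip() {
    for p in $INTERNAL_PREFIXES; do
        case $1 in
            "$p"*) return 0 ;;
        esac
    done
    return 1
}

# Return 0 if the message entered postfix from the internal lan.
origin_is_internal() {
    ip=$(top_received_ip "$1")
    [ -n "$ip" ] && is_internal_ip "$ip"
}

# Policy from the thread: external senders get a recipient notification,
# internal senders do not (it only advertises internal problems outside).
should_notify_recipient() {
    if origin_is_internal "$1"; then
        return 1
    fi
    return 0
}

# --- constructed sample messages, for demonstration only -----------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Sample 1: submitted by a lan workstation, destined for an outside address.
cat > "$SAMPLE_DIR/internal.eml" <<'EOF'
Received: from pc12.lan.example (pc12.lan.example [192.168.1.12])
    by mail.example.com (Postfix) with ESMTP id 1A2B3C4D
    for <someone@external.example>; Mon, 24 Jun 2002 15:00:00 +0400
From: user@example.com
To: someone@external.example
Subject: constructed sample 1

(infected attachment would be here)
EOF

# Sample 2: came in from an outside relay; the earlier hop happens to carry a
# private address too, which is why only the topmost header is consulted.
cat > "$SAMPLE_DIR/external.eml" <<'EOF'
Received: from relay.example.org (relay.example.org [203.0.113.7])
    by mail.example.com (Postfix) with ESMTP id 5E6F7A8B
    for <user@example.com>; Mon, 24 Jun 2002 15:10:00 +0400
Received: from laptop (unknown [192.168.1.12])
    by relay.example.org (Postfix) with ESMTP id 9C0D1E2F;
    Mon, 24 Jun 2002 15:09:00 +0400
From: outsider@example.org
To: user@example.com
Subject: constructed sample 2

(infected attachment would be here)
EOF

for m in internal external; do
    f="$SAMPLE_DIR/$m.eml"
    if should_notify_recipient "$f"; then
        echo "$m.eml: origin $(top_received_ip "$f"), notify recipient"
    else
        echo "$m.eml: origin $(top_received_ip "$f"), skip recipient notification"
    fi
done
```

Only the topmost Received: header is trusted because that is the one your own smtpd wrote; anything below it arrived inside the message and could say whatever the sender wanted. A message with no bracketed IPv4 address in that header (local submission via sendmail, or an IPv6 client) yields no IP here and falls through to "notify recipient"; pick the direction you prefer for that case and extend `top_received_ip` if your lan speaks IPv6.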