[Avcheck] postfix xclient

Michael Tokarev mjt at tls.msk.ru
Thu Nov 18 03:02:45 MSK 2004


Piotr KUCHARSKI wrote:
> Hey,
> 
> Any thoughts about using postfix XCLIENT extension? Would be nice. :)

A lot of thoughts, really....  I posted a question here a while back
about this very topic.  XCLIENT means realtime SMTP-based content
filter, so avcheck (or whatever) in this mode should run as a daemon,
listen on some port and speak SMTP as client and server.

Originally avcheck was meant to be a very small program to be called by
pipe(8) delivery agent.  Small because in this mode it is spawned
for every mail message, so any startup costs should be minimized
(thus eg perl-based stuff is a no-no).  In daemon mode, startup
costs are really irrelevant, and that same perl-based solution,
in fork-for-each-email should perform just fine (even memory
overhead will be minimal, because most large data -- executable
image and parsed perl modules -- will be shared between all the
processes).

I have some perl-based (ok ok, if not perl in final solution, it
is a quick way to do a prototype without much coding) code here,
which works on our main server (other servers are still using
avcheck).  As a prototype it has some problematic cases, and
I *want* to improve it.. some day...

The more I think about all this, the more it becomes obvious that
postfix should have general smtp-proxy implementation (maybe 3rd
party but that's irrelevant now), and a simple socket-mode interface
for various content filters (virusscanners, spam filters etc) --
to accept a message over SMTP, save it in a temp file and tell
a scanner to check the given file, sort of.

The main problem still is a good resource/concurrency control
(as a start: it is unacceptable to run more virusscanners when
a system is overloaded as we're risking spending more time --
for this connection and for other active connections -- than
allowed by RFCs after the end-of-data, and, more important,
than our SMTP clients will wait (some clients wait for several
seconds only, instead of required 5 to 30 minutes - and some
of them are rather significant and thus can't be ignored because
of incompetence, like hotmail); and, at the same time, when
we are accepting a new connection, we can't know how loaded the system
will be when the client will send end-of-data marker, because
at that time other virusscanner sessions may finish).

But either way, this is something very-very different compared
to current avcheck... ;)

/mjt
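
The resource/concurrency problem described in the message above, as an added example that is not part of the original post or of avcheck: a gate that caps concurrent scanners and answers with a temporary failure when no verdict can be produced inside the time the client is expected to wait after end-of-data. The class and function names, the reply strings, the slot count and the 0.2 second budget are all assumptions made for illustration.

```python
import threading
import time

ACCEPT = "250 2.0.0 Ok"
REJECT = "550 5.7.1 Message rejected: virus found"
TEMPFAIL = "451 4.3.0 Content filter busy, try again later"

class ScanGate:
    """Caps concurrent scanners and bounds the wait after end-of-data."""

    def __init__(self, max_scanners, reply_budget):
        self._slots = threading.BoundedSemaphore(max_scanners)
        self.reply_budget = reply_budget  # seconds we dare keep the client waiting

    def end_of_data(self, spool_path, scan):
        """scan(path, timeout) -> True if infected (hypothetical callable)."""
        deadline = time.monotonic() + self.reply_budget
        # Queue for a scanner slot instead of starting one more scanner,
        # but never wait past the reply deadline.
        if not self._slots.acquire(timeout=self.reply_budget):
            return TEMPFAIL
        try:
            infected = scan(spool_path, max(0.0, deadline - time.monotonic()))
        except TimeoutError:
            return TEMPFAIL
        finally:
            self._slots.release()
        # A verdict that arrives too late is unusable: defer, let the client retry.
        if time.monotonic() > deadline:
            return TEMPFAIL
        return REJECT if infected else ACCEPT

def demo():
    gate = ScanGate(max_scanners=1, reply_budget=0.2)
    started, finish = threading.Event(), threading.Event()
    def slow_scan(_path, _timeout):      # constructed scanner that overruns
        started.set()
        finish.wait()
        return False
    out = {}
    worker = threading.Thread(
        target=lambda: out.update(first=gate.end_of_data("msg1.eml", slow_scan)))
    worker.start()
    started.wait()
    out["second"] = gate.end_of_data("msg2.eml", lambda _p, _t: False)  # slot busy
    finish.set()
    worker.join()
    out["third"] = gate.end_of_data("msg3.eml", lambda _p, _t: True)
    out["fourth"] = gate.end_of_data("msg4.eml", lambda _p, _t: False)
    return out

if __name__ == "__main__":
    print(demo())
```

The gate only decides at end-of-data; it does not solve the admission problem the message raises, since load at connect time still says nothing about load when the client finishes sending.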

