OK - You'll have to read on a bit to see the meaning of the subject.
I have used Procmail for several years, but only rarely write recipes. I
always have to get back up the learning curve when I do.
Clamassassin is a program which will invoke clamd scanning of email to
detect viruses and (with the additional SaneSecurity signatures) other
malware. I use it in my current mail chain, calling it from Procmail.
The program is no longer in development and has a bug. I have tried to
contact the author without success, and then it occurred to me that I
could recreate the functionality either with a shell script, or directly
from within Procmail.
The functionality provided by Clamassassin, and which I wish to
recreate, is as follows:
1) It should call clamd.
2) It should add a header X-Clamd-Version (eg. "clamassassin 1.2.4 with
clamdscan / ClamAV 0.97.1/13398/Thu Aug 4 03:15:14 2011") to every mail
to show the version of clamd and sigs being used.
3) It should add a header X-Clamd-Status to every mail which will either
be "No" for clean mail, or "Yes" if malware is detected. This will be
used for subsequent filtering.
4) If malware is detected a third header would be added
"X-Clamd-Report:" which will detail the signature found (eg
"X-Clamd-Report: Sanesecurity.Phishing.Bank.15855.UNOFFICIAL FOUND")
5) If there is a problem with clamd (clamd is not running, there is an
SELinux permission problem, etc.), it will report the error concisely in
the headers.
Item 5 is the bug in the current version of Clamassassin. It will try to
insert a header with something like "ERROR: Can't connect to clamd:
Permission denied
ClamAV 0.97.1"
which splits over two lines. This causes a corruption of the mbox in
Dovecot.
Pseudocode:
===========
VERSION = Current Clamd Version & Signature Version
Foreach email:
{
  IF (clamd produces an error)
  { Mark up the email with a concise header to that effect;
    Stop this recipe and return to the calling procmail recipe
  }
  ELSE
  { Scan the email for malware;
    IF (malware detected)
    { mark up header "X-Clamd-Status: Yes"
      mark up header "X-Clamd-Version: VERSION"
      mark up header "X-Clamd-Report: Signature of Malware"
    }
    ELSE (message clean)
    { mark up header "X-Clamd-Status: No"
      mark up header "X-Clamd-Version: VERSION"
    }
    return to the calling procmail recipe
  }
}
Soooo...
This is where I've got to so far:
Using Sean's testing sandbox, the recipe below *kind of* works, but
produces "procmail: Extraneous filter-flag ignored" warnings. I can't
work out how to get rid of them.
Also, I have not yet managed to incorporate the error checking. Can I
have a brace within a brace as in my pseudocode?
Finally, I guess I could also accomplish this with a shell script (my
bash scripting is only *marginally* better than my procmail recipe
writing); would it actually be cheaper or more expensive in processing
terms to shell out to a bash script?
Thanks in advance for any help, suggestions, constructive criticism or
general encouragement...
My first attempt:
===================8<============================================================
#################################################
#
#
# Clamd recipe Version 0.1
#
# Scan for viruses & malware
#
CLAMDSCAN=/usr/bin/clamdscan
CLAMDVERS=`${CLAMDSCAN} -V --stdout`

# Pipe the message through clamdscan and capture its one-line verdict,
# e.g. "stream: Eicar-Test-Signature FOUND" or "stream: OK"
:0
VIRUS=|${CLAMDSCAN} --no-summary --stdout -

# A recipe whose action is a { } block takes no f (filter) flag: the f on
# these block recipes is what produced "Extraneous filter-flag ignored"
:0
* VIRUS ?? ^.*: \/.* FOUND
{
  # Set Virus status to YES and include the virus found.  One formail call
  # inserts all three headers; -I replaces any existing header of that name.
  # MATCH still holds the "<signature> FOUND" text captured above.
  :0 fw
  | formail -b -f -t -I "X-Clamd-Status: Yes" -I "X-Clamd-Version: $CLAMDVERS" -I "X-Clamd-Report: $MATCH"

  # grab the subject, if any (this overwrites MATCH, so it runs only after
  # the X-Clamd-Report header has been written)
  :0
  * ^Subject: \/.*
  { SUBJECT="$MATCH" }

  # add the Virus warning message (no a flag here: it must run even when
  # the message had no Subject header and the recipe above did not match)
  :0 fw
  | formail -i "Subject: [Virus] ${SUBJECT}"

  # Deliver to Virus Folder
  :0:
  Malware/Virus
}

# E: only when the recipe above did not match, i.e. the message is clean
:0 E
{
  :0 fw
  | formail -b -f -t -I "X-Clamd-Status: No" -I "X-Clamd-Version: $CLAMDVERS"

  # Deliver to OK Folder (for testing only)
  # would normally drop through for further processing
  :0:
  Malware/OK
}
===================8<============================================================
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)de
http://mailman.rwth-aachen.de/mailman/listinfo/procmail
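The shell-script alternative floated in the post, written out as an added example (it is neither the poster's code nor Clamassassin's): a POSIX sh filter that reads one message on stdin, runs clamdscan over it, and writes the message back out with the X-Clamd-Version, X-Clamd-Status and X-Clamd-Report headers, each on exactly one line. It relies on the exit codes documented in clamdscan(1) (0 clean, 1 infected, 2 error) rather than on parsing the verdict text, and it folds whatever clamdscan printed onto a single line, which is the fix for the two-line "ERROR: Can't connect to clamd" header described above. The script name, the CLAMDSCAN variable, the function names, the "Error" status value and the "exit N:" prefix on the failure report are my assumptions, not anything Clamassassin emits; the stub scanner used by the tests is constructed for the example.

```shell
#!/bin/sh
# clamd-filter.sh: read one mail message on stdin, scan it with clamdscan and
# write it back out with X-Clamd-Version / X-Clamd-Status / X-Clamd-Report
# headers added, always as single header lines.
#
# CLAMDSCAN can be overridden from the environment (the example's tests point
# it at a stub).  clamdscan(1) exits 0 = clean, 1 = infected, 2 = error.
CLAMDSCAN="${CLAMDSCAN:-/usr/bin/clamdscan}"

# Version string of the scanner and signatures; "unknown" if it cannot be run.
clamd_version() {
    v=$("$CLAMDSCAN" -V --stdout 2>/dev/null | head -n 1 | tr -d '\r')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Scan the message in file $1 and print the X-Clamd-* header lines.
# Everything clamdscan printed (stdout and stderr) is folded onto ONE line
# and capped at 200 chars before it goes into a header, so a multi-line
# "ERROR: ..." message can no longer split a header and corrupt the mbox.
clamd_headers() {
    rc=0
    out=$("$CLAMDSCAN" --no-summary --stdout - < "$1" 2>&1) || rc=$?
    report=$(printf '%s\n' "$out" | tr -d '\r' | tr '\n' ' ' \
             | sed 's/  */ /g; s/^ *//; s/ *$//' | cut -c1-200)
    printf 'X-Clamd-Version: %s\n' "$(clamd_version)"
    case $rc in
        0) printf 'X-Clamd-Status: No\n' ;;
        1) printf 'X-Clamd-Status: Yes\n'
           # "stream: Name FOUND" -> "Name FOUND"
           printf 'X-Clamd-Report: %s\n' "${report#*: }" ;;
        *) # 2 = clamd error, 127 = scanner binary missing, anything else
           printf 'X-Clamd-Status: Error\n'     # assumed value, not Clamassassin's
           printf 'X-Clamd-Report: exit %s: %s\n' "$rc" "$report" ;;
    esac
}

# Insert the header lines in file $1 into the message in file $2, just before
# the blank line that ends the header block (a leading mbox "From " line stays
# first).  Any X-Clamd-* header already present, e.g. one a sender put there
# to pre-empt later filtering, is dropped together with its folded
# continuation lines, so the only X-Clamd-* headers left are ours.
insert_headers() {
    awk '
        NR == FNR                 { hdr[++n] = $0; next }   # file 1: new headers
        inbody                    { print; next }
        /^\r?$/                   { for (i = 1; i <= n; i++) print hdr[i]
                                    inbody = 1; print; next }
        tolower($0) ~ /^x-clamd-/ { skip = 1; next }
        skip && /^[ \t]/          { next }
        { skip = 0; print }
        END { if (!inbody) for (i = 1; i <= n; i++) print hdr[i] }
    ' "$1" "$2"
}

# The filter itself: message on stdin, marked-up message on stdout.
clamd_filter() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/msg"
    clamd_headers "$tmp/msg" > "$tmp/hdr"
    insert_headers "$tmp/hdr" "$tmp/msg"
    rm -rf "$tmp"
}

# Run when invoked as the script; do nothing when the functions are sourced.
case $0 in
    *clamd-filter.sh) clamd_filter ;;
esac
```

Called from Procmail it is an ordinary filter recipe (`:0 fw` followed by `| /usr/local/bin/clamd-filter.sh`), after which a later recipe can match on `^X-Clamd-Status: Yes` exactly as the post intends. Note that a message scanned while clamd is down gets `X-Clamd-Status: Error`, which that test does not match, so the mail is passed on unscanned; match on `Error` as well if you would rather quarantine or defer in that case. In processing terms the script adds a handful of short-lived processes (cat, awk, tr, sed, cut, mktemp) per message on top of clamdscan itself, which is in the same range as the two or three formail invocations the recipe already makes, so the choice is about which of the two you find easier to maintain rather than about cost.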