LinuxQuestions.org
Old 08-27-2004, 01:53 AM   #1
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Rep: Reputation: 30
mailscanner, anomy, sendmail


Dear All,

I am coming back with another question.

I am running Red Hat 7.1 and sendmail 8.11.9 with procmail and Anomy Sanitizer.

Now I have found that Anomy Sanitizer is only able to scan incoming mail, not outgoing mail.

This is the problem I am facing now: yesterday our email was blocked by our vendor because they said we are sending viruses to them, and indeed we are sending virus mail to them because one of our computers here is infected by worm32/mabutu.

Now I want to install MailScanner, which can scan all incoming and outgoing mail, so no matter whether it is incoming or outgoing, MailScanner will scan the mail before giving it to the MTA and so on.

I want to know how to remove Anomy Sanitizer and replace it with MailScanner. I don't want to try, because if I do something wrong, the whole system will be in trouble and my users will start shouting at me.


Does anybody know how to do this? What is the best way to remove the sanitizer and install MailScanner in its place?
 
Old 08-27-2004, 08:24 AM   #2
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Rep: Reputation: 58
If anomy is called directly by sendmail (needs a little modification to sendmail.cf) and not procmail, there is a possibility to sanitize outgoing mail, too.

What you could do is: refer to the anomy documentation to see what changes you have to make to sendmail.cf to start anomy by sendmail; back up the original sendmail.cf; make the changes to a copy of it; replace sendmail.cf with the modified one; sighup sendmail and see if it works.

If it works you are done; if not, replace sendmail.cf with the original one, and sighup sendmail.

If you are paranoid, you can make two handy scripts:
one that creates the modified setup (replaces sendmail.cf, sighups sendmail and sends a test mail), and another that recovers the original setup (replaces sendmail.cf with the backup copy and sighups sendmail).

If you do so, the server will be out of service only for some seconds.

However, I do not feel that you would be safe just because you scan outgoing mail: anomy (and MailScanner, that also uses anomy) use a virus scanner to find viruses. And you can bet the virus scanner will fail to find any new viruses regardless of whether incoming or outgoing.

So, I would rather advise you to keep the present setup, but configure anomy to impose much stricter rules on INCOMING mails: quarantine all executable attachments and everything that could not be sanitized (i.e. encrypted mails). Only release quarantined files after a week, when the virus scanner is ready to find even the viruses that were new in them.
Additionally, deny access to remote pop3 servers on the firewall (if users protest, tell them that this is the price of REAL safety, or you can possibly install fetchmail to still allow them access to their mails from those remote pop3 servers, but this time filtered through your mail server).
As an addition, keep your eyes on the mail server: you can write a small script that alarms you (sends you a pop-up message) anytime mail traffic exceeds a pre-defined limit there.
I have been doing this for three years with success. Though we still had two infections in that time (I think it's not that much with 70 users and in 3 years), I could stop outgoing viral mails in a minute, due to the alarm pop-up message.
If you were interested, I could send you my alarm script. It needs bash, sendmail, and smbclient (for the pop-up).

Last edited by J_Szucs; 08-27-2004 at 09:05 AM.
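
The traffic alarm described in post #2, sketched as an added example (not J_Szucs's own script, which the thread does not show): it counts the messages sendmail accepted since the previous run and flags each submitting relay above a limit, which goes one step beyond a single global threshold by naming the host. The log line layout, the sample hosts and all function names are assumptions; delivering the alert (the pop-up) is left to the caller.

```shell
#!/bin/bash
# Added example, not J_Szucs's script: per-relay volume alarm for a sendmail log.

# Print "count relay" for every relay that handed us mail (sendmail logs one
# "from=" line per accepted message), busiest first. Reads log lines on stdin.
count_by_relay() {
    awk '/sendmail\[/ && /: from=/ {
             relay = "unknown"
             if (match($0, /relay=[^,]*/))
                 relay = substr($0, RSTART + 6, RLENGTH - 6)
             n[relay]++
         }
         END { for (r in n) print n[r], r }' | sort -k1,1nr
}

# Print only what was appended to LOG since the previous call; the byte offset
# is kept in STATE, and a shrunken log (rotation) restarts from the top.
new_lines() {
    local log=$1 state=$2 size offset=0
    size=$(( $(wc -c < "$log") ))
    if [ -f "$state" ]; then offset=$(cat "$state"); fi
    if [ "$offset" -gt "$size" ]; then offset=0; fi
    tail -c +"$((offset + 1))" "$log" | head -c "$((size - offset))"
    echo "$size" > "$state"
}

# One alert line per relay that submitted more than LIMIT messages since the
# last run. Usage: check_mail_volume LOG STATE LIMIT
check_mail_volume() {
    new_lines "$1" "$2" | count_by_relay |
        awk -v limit="$3" '$1 > limit + 0 {
            n = $1; sub(/^[0-9]+ /, "")
            print "ALERT: " n " messages from " $0 " since last check" }'
}

# Constructed sample: pc07 sends 2 messages, pc12 sends 6 in a burst.
sample_log() {
    local i
    for i in 1 2; do
        echo "Aug 27 01:40:0$i mail sendmail[210$i]: i7R6e0x0210$i: from=<alice@example.com>, size=2310, nrcpts=1, proto=ESMTP, relay=pc07.example.com [192.168.1.7]"
        echo "Aug 27 01:40:0$i mail sendmail[211$i]: i7R6e0x0210$i: to=<bob@example.net>, mailer=esmtp, stat=Sent"
    done
    for i in 1 2 3 4 5 6; do
        echo "Aug 27 01:41:0$i mail sendmail[220$i]: i7R6e1x0220$i: from=<carol@example.com>, size=58112, nrcpts=25, proto=ESMTP, relay=pc12.example.com [192.168.1.12]"
    done
}
```

Run from cron every few minutes, `check_mail_volume` sees only the lines written since its last run, so the limit acts as a per-interval rate.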
 
Old 08-29-2004, 08:56 PM   #3
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Original Poster
Rep: Reputation: 30
Dear szucs,

Can you send me your script? Please send it to joseph_goh@kintron.com

And can you tell me how to set anomy to scan outgoing mail too? What modification is needed?


Thanks
 
  


All times are GMT -5.