Hi all,

In case you haven't noticed, a redesigned clamav-milter is now in SVN. That's actually a complete rewrite which doesn't share much with the previous codebase and which lacks a bunch of features previously available. The goal is to be simple and scan emails.

The most notable difference is that the internal mode has been dropped, which means that now a working clamd companion is required. This has not only allowed me to keep the whole thing much more compact and readable but it also avoids a lot of code duplication: basically clamav-milter in internal mode was just an outdated clamd with a milter interface.

The second important difference is that now the milter has got its own config and log files. As a bonus it has lost the gazillion command line switches along the way. Before someone starts screaming: yes, there's a small bunch of perl magic to generate a working config file out of your existing milter options and clamd.conf.

Third, a bunch of more or less useless features are gone as well. This includes:

- any form of notification: the new milter won't send out emails at all. All the info is readily and easily available from the log files.
- blacklisting
- reporting: both of false positives and phishing
- mangling of the email *body* (aka "This message was scanned by clamav-milter"): the ability to add X-Virus headers is (optionally) still available
- address sanitization: that's a job for the MTA and its admin
- SPF: there are far superior SPF based milters out there

Again, the new milter aims to scan emails, with no strings attached.

Now before you guys start planning a visit to my home, please let me explain a bit of the background. Since Nigel moved to bigger and better things the development of the milter basically stopped and started to lag behind. Bugs were starting to be difficult to figure out and to fix. Backporting new functionalities was also a pain and often it wasn't done at all. Finally, every time we skimmed through the code for a new feature request or bug report, we realized that actually more stuff was missing... Oh, did I mention that the old milter was a single file of 7500 LoC and counting?

On the bright side...

The new milter has got its own config file, with options pretty similar to those found in clamd.conf. This allows you to fine tune specific configs and to route log messages to a dedicated place.

As I've said, the milter now needs at least one clamd to operate. If more daemons are configured and available the milter will deliver scan requests to them in a round robin fashion. Should one of the daemons temporarily go down, no action is required: a probe request will be sent out every few minutes and the scanner will be re-added to the pool as soon as it is back online.

Scan requests to remote clamd's are performed via the STREAM command, while requests to a local scanner are (preferably) sent via a FILDES command (file descriptor passing over a UNIX socket). This allows you to run the milter and clamd as different users.

Clamav-milter can now run as a completely unprivileged user (e.g. nobody).

Quarantine has been reworked to use the native milter interface.

The whitelist now uses regexes instead of strict matching.

Works with both Postfix and Sendmail.

It fully supports IPv6.

The source code is now readable! :)

And last but not least, if you don't like it, you can always use the old version which is kept under /contrib/old-clamav-milter.

Installation instructions

Just run ./configure --enable-milter and make as usual. For the configuration you have two options: you can either use the provided example clamav-milter.conf as a template for your own config (it's fairly well commented, but if something's not clear please report and I'll fix it) or, if you're a lazy BOFH, you can simply run the make-clamav-milter-conf.pl script with the same arguments you currently pass to clamav-milter and it'll spit out a ready made config file.

Last...

The new milter is currently a work in progress. Although I've streamed through it several hundred GBs of real emails, things in real life are usually more complex than inside the lab.
At this point I expect it to fail to compile on certain *nix flavors. I'm working on it, however if you report your problems, things can get fixed much sooner.

Having said that, clamav-milter is now a new piece of software. It is supposed to compile and work just fine on any "modern" system but, on the other hand, I don't intend to pester the code with gazillions of workarounds for legacy OSs support. Legacy systems should keep on using the old milter.

Also, if you feel that a very important feature was left behind, please ask about it or, even better, send patches. If it makes sense and doesn't break the "do one thing" rule too much I'll add it.

Known issues

Besides possibly failing to compile there are two other issues I'm aware of.

The whitelist format now uses regexes while the old one was a list of strings wrapped in <>'s. This means that some manual intervention is required. Still on this topic, libmilter may pass email addresses to the milter in two different formats: "[EMAIL PROTECTED]" or "<[EMAIL PROTECTED]>" depending on whether the message got in via sendmail invocation or smtp. This is currently not handled but I plan to normalize those strings (probably to the bracket format so that the "<>" address can be matched too).

The round robin clamd selection is a bit naive. It works well with either one or a "high" number of clamds but it's definitely not smart when only a limited number of scanners (2-3) is available.

Please take a look and send back bug reports, comments, suggestions, requests, patches, flames, whatever.

Thanks,
-aCaB
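
Added example, not code from clamav-milter or clamd: the mechanism behind "file descriptor passing over a UNIX socket" that the message credits for letting the milter and clamd run as different users. The receiver reads through a descriptor it was handed rather than opening a path itself; `send_fd`, `recv_fd` and `demo_fd_pass` are hypothetical names, the payload is constructed, and clamd's own command framing is not shown.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Control buffer sized and aligned for exactly one descriptor. */
union fd_ctl { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };

/* Fill msg with a one-byte payload and room for one descriptor. */
static void prep(struct msghdr *msg, struct iovec *iov, char *byte, union fd_ctl *ctl) {
    memset(msg, 0, sizeof *msg); memset(ctl, 0, sizeof *ctl);
    iov->iov_base = byte; iov->iov_len = 1;
    msg->msg_iov = iov; msg->msg_iovlen = 1;
    msg->msg_control = ctl->buf; msg->msg_controllen = sizeof ctl->buf;
}

/* Sender (the milter's role): pass an open descriptor plus one dummy byte. */
int send_fd(int sock, int fd) {
    union fd_ctl ctl; struct msghdr msg; struct iovec iov; char byte = 0;
    prep(&msg, &iov, &byte, &ctl);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receiver (the scanner's role): returns the received descriptor, or -1. */
int recv_fd(int sock) {
    union fd_ctl ctl; struct msghdr msg; struct iovec iov; char byte; int fd;
    prep(&msg, &iov, &byte, &ctl);
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Constructed demo: a pipe's read end crosses the socket; returns bytes read. */
int demo_fd_pass(char *out, size_t outlen) {
    int sv[2], p[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || pipe(p)) return -1;
    if (write(p[1], "constructed mail body", 21) != 21) return -1;
    close(p[1]);
    if (send_fd(sv[0], p[0])) return -1;
    close(p[0]);                      /* sender drops its own copy */
    int fd = recv_fd(sv[1]);
    if (fd < 0) return -1;
    int n = (int)read(fd, out, outlen);
    close(fd); close(sv[0]); close(sv[1]);
    return n;
}
int main(void) { char b[64]; return demo_fd_pass(b, sizeof b) == 21 ? 0 : 1; }
```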
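
Added example, not code from clamav-milter: one way to do the normalization the "Known issues" part of the message plans, so that a whitelist regex written for the bracket form matches however the address arrived, including the "<>" null sender. The function names, the sample patterns and the use of POSIX extended regexes are assumptions made for this illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed whitelist (assumed POSIX extended regexes), written for bracket form. */
const char *const SAMPLE_WL[] = {
    "^<postmaster@example\\.org>$",
    "^<>$",                               /* null sender */
    "^<[^@>]+@lists\\.example\\.org>$",
};

/* Normalize an envelope address to bracket form: a@b -> <a@b>, "" -> <>.
   Returns 0 on success, -1 if out is too small. */
int normalize_addr(const char *in, char *out, size_t outlen) {
    size_t n = strlen(in);
    const char *fmt = (n >= 2 && in[0] == '<' && in[n - 1] == '>') ? "%s" : "<%s>";
    int w = snprintf(out, outlen, fmt, in);
    return (w >= 0 && (size_t)w < outlen) ? 0 : -1;
}

/* Returns 1 if the normalized address matches any pattern, 0 if none, -1 on error. */
int whitelisted(const char *const *patterns, size_t npat, const char *addr) {
    char norm[512];
    if (normalize_addr(addr, norm, sizeof norm)) return -1;
    for (size_t i = 0; i < npat; i++) {
        regex_t re;
        if (regcomp(&re, patterns[i], REG_EXTENDED | REG_NOSUB)) return -1;
        int rc = regexec(&re, norm, 0, NULL, 0);
        regfree(&re);
        if (rc == 0) return 1;
    }
    return 0;
}

int main(void) {
    /* Both spellings of the same sender give the same verdict. */
    int a = whitelisted(SAMPLE_WL, 3, "postmaster@example.org");
    int b = whitelisted(SAMPLE_WL, 3, "<postmaster@example.org>");
    return (a == 1 && b == 1) ? 0 : 1;
}
```

Anchoring each pattern on the brackets is what keeps a longer address such as `postmaster@example.org.invalid` from matching the first entry.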