Hi there,

On Tue, 10 Nov 2009 Mark Costlow wrote:

> Prior to 0.95, I had my clamav-milter configured to quarantine messages
> and reject them. So the sender got a 550 SMTP response, and we got
> a copy of the payload they were trying to send.
>
> In 0.95.3, I have the choice to tell the milter to Reject the message
> (which results in no quarantine) or to quarantine the message (which
> results in sendmail giving the sender a 200 "message accepted" response).

You're not the first to mention this. Nor was I:

http://www.mail-archive.com/clamav-users%40lists.clamav.net/msg27971.html

As you have now seen there is a widely held misconception that reading
the text of an incoming message and accepting the message amount to the
same thing. As you know, they are not the same at all. It's necessary
to read an incoming mail to see if it has malicious content, and of
course you might then not want to deliver it. So although you will
reject the message during the SMTP conversation, you've still read it.
It should come as no surprise to anyone that having read the message,
it's possible to store it somewhere in the filesystem, e.g. for later
analysis, despite the fact that the message is to be rejected.

> Does anyone know a way to make sendmail return a 550 for quarantined
> messages? I'm using Sendmail 8.14.3.

Not if the quarantining is caused by clamav-milter. When I asked about
this a while ago, the new milter's author said "if you don't like it,
you can always use the old version which is kept under
/contrib/old-clamav-milter". To be fair, I don't think his first
qualification was in Customer Relations. :)

The old milter and the new milter view quarantining differently. The
old milter wrote the message to a file in a quarantine directory of its
own. The new one doesn't do that; instead it uses the Sendmail milter
API to tell Sendmail to quarantine the message in the Sendmail queue
directory. The milter API definition states that flagging a message for
quarantine makes no other change to the message status, so Sendmail
won't reject it just for that reason:

https://www.milter.org/developers/api/index

That means that if you use the new clamav-milter to quarantine the
messages, then you're stuck with the behaviour that you've described
unless you want to do a bit of coding in the milter, or to shout loud
enough for the clamav developer concerned to notice. He also said that
if Sendmail is told both to quarantine and to reject a message it
doesn't do what it's told. That makes sense, so I haven't tried. (*)

You do need to think what is meant by 'quarantine'. I think there's a
basic incompatibility between the idea of 'quarantine' as implemented by
the Sendmail code and as in "put the message there and reject it".
Sendmail means 'defer delivery until somebody has had a look at this'.
So when it quarantines a message, practically all that Sendmail will do
is change the way the file is stored in its queue directory. This
results in the message being ignored by the queue runner (which would
otherwise cause the message to be delivered) until the 'quarantined'
status is removed from the message. The administrator can take a coffee
break, or go on holiday, before he gets around to doing this and
obviously nobody would expect the sending servers to sit around waiting
for a return code while he's lying on a beach in the Bahamas. So
Sendmail is pretty much obliged to accept those messages which it
quarantines in its own queue directory.

When the old clamav-milter quarantined a message by putting it in a
directory of its own, not within the grasp of Sendmail, as far as all
the mail servers were concerned if Sendmail then rejected the message
that was the end of it. You would have a copy, but Sendmail neither
knows nor cares about that.

To mimic the old behaviour you could have clamav-milter add headers to
infected messages, and use another milter to read those headers then
store and reject the mail if it sees an 'infected' header. MIMEDefang
can do what you want, at the price of some complexity and overhead.

A simpler alternative is to write all the incoming mail to a log file,
as it comes in, during the SMTP conversation. One of the milters that I
use (milter-regex, which I highly recommend) does this as an option. If
a message is rejected for any reason, the full text (or, depending on
how you configure things, perhaps just the text up to the point at which
a decision was made to reject) will be in the log. It's a bit of a pain
to retrieve messages from the logs, and naturally they grow rapidly and
will need to be rotated regularly.

..oOo..

* To try it, all you'd probably need to do is change one line in the
function action_quarantine() in clamfi.c and recompile:

    static sfsistat action_quarantine(SMFICTX *ctx) {
        if(smfi_quarantine(ctx, "quarantined by clamav-milter") != MI_SUCCESS) {
            logg("^Failed to quarantine message\n");
            return SMFIS_TEMPFAIL;
        }
        return SMFIS_ACCEPT;
    }

Change SMFIS_ACCEPT to SMFIS_REJECT and see what happens. If it does
work, please let us know. If it doesn't work, then maybe we can come up
with something. It might mean quite a bit of coding to set up a
quarantine directory, and I probably wouldn't have time for that, but a
lot of the work has probably been done in the old milter. The odds are
that the code wouldn't make it into the ClamAV trunk unless a lot of
people make their appreciation known on this list.

--
73,
Ged.
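An added example, not part of the original message and not ClamAV, MIMEDefang or milter-regex code: the store-then-reject decision a second milter could make at end of message, which is the "keep a copy outside Sendmail's queue and still reject" behaviour discussed above. It assumes clamav-milter has been set to add an `X-Virus-Status: Infected (...)` header; the `V_*` enum stands in for libmilter's `SMFIS_*` return codes so the file compiles without libmilter, and `is_infected`, `store_copy`, `end_of_message` and the quarantine directory are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* Stand-ins for libmilter's SMFIS_CONTINUE / SMFIS_REJECT / SMFIS_TEMPFAIL. */
typedef enum { V_CONTINUE, V_REJECT, V_TEMPFAIL } verdict;
/* 1 if ANY header line (before the blank line) says "X-Virus-Status: Infected". */
static int is_infected(const char *msg) {
    for (const char *p = msg; p && *p && *p != '\n' && *p != '\r'; ) {
        if (strncasecmp(p, "X-Virus-Status:", 15) == 0) {
            const char *v = p + 15 + strspn(p + 15, " \t");
            if (strncasecmp(v, "Infected", 8) == 0) return 1;
        }
        p = strchr(p, '\n');             /* advance to the next header line */
        if (p) p++;
    }
    return 0;
}

/* Save msg as a new file under dir; the chosen path is returned in out. */
static int store_copy(const char *dir, const char *msg, char *out, size_t n) {
    int r = snprintf(out, n, "%s/infected.XXXXXX", dir);
    if (r < 0 || (size_t)r >= n) return -1;
    int fd = mkstemp(out);               /* exclusive create, mode 0600 */
    if (fd < 0) return -1;
    if (write(fd, msg, strlen(msg)) != (ssize_t)strlen(msg) || fsync(fd) != 0) {
        close(fd); unlink(out); return -1;
    }
    return close(fd);
}

/* Decision for the end-of-message callback of the hypothetical second milter. */
verdict end_of_message(const char *dir, const char *msg, char *out, size_t n) {
    out[0] = '\0';
    if (!is_infected(msg)) return V_CONTINUE;
    /* Copy first: if it cannot be saved, tempfail so the sender retries. */
    if (store_copy(dir, msg, out, n) == 0) return V_REJECT;
    out[0] = '\0';
    return V_TEMPFAIL;
}

int main(void) {   /* constructed sample message, not real mail */
    char dir[] = "/tmp/quar.XXXXXX", path[256];
    const char *m = "X-Virus-Status: Infected (Eicar-Test-Signature)\r\n\r\nbody\r\n";
    if (!mkdtemp(dir)) return 1;
    return printf("%d %s\n", end_of_message(dir, m, path, sizeof path), path) < 0;
}
```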