Mail Scanning With Exim And The Exiscan ACL
by Michael Oliveri - Tuesday, 13 April 2004.
With all the spam and viruses circulating on the Internet these days, any network admin worth his or her salt will have appropriate filters in place to prevent these irritants from reaching users and customers. My predecessor, unfortunately, was worth far less than that, so my first task upon assuming the role of systems administrator for a small ISP was to establish a mail filter.

Having no previous experience with mail filtering systems, I dug in and started my research. After reviewing open source solutions such as AmaViS and MailScanner and commercial solutions such as Postini and Mail Warden, I settled on Exim with the Exiscan-ACL plugin.

We already had Exim in place on our FreeBSD servers, so the ability to stay with the same system rather than test something new had a lot of appeal. It had been installed a while back for performance and ease-of-use reasons, but had not been upgraded since version 3.36, now long obsolete. I also wanted an open source program if possible, as the fees for a commercial solution would have forced us to increase our service fees, which in turn may have cost us customers.

Exiscan is actually a patch for the Exim MTA (version 4), with installation on most systems requiring use of the patch command, though it is available as an RPM. FreeBSD users will find the Exiscan-ACL patch is already included in the Exim port. While a number of the other open-source filtering solutions are also included in the FreeBSD ports tree, the ability to maintain mail and scanning configuration in one configure file appealed to me.

Exim uses a series of Access Control Lists in the configure file (in FreeBSD, this file is found at /usr/local/etc/exim/configure), a well-commented text file containing all the server settings to be set by the server administrator (see the Exim manual for more information). One such ACL is the acl_smtp_rcpt option, which examines the sending and receiving information of the email message. It is here that messages are rejected if they are included in administrator-defined blacklists, come from hosts not permitted to relay, or violate other rules. For example, the following rule rejects mail if the local part of the recipient's address contains @ or % or / or | or !, or begins with a dot (note the use of regular expressions; the colon separates the items in the list):

deny local_parts = ^.*[@%!/|] : ^\\.

These ACL rules allow for some rudimentary filtering, but not nearly enough to handle full spam and virus protection. The Exiscan patch adds its functionality to the acl_smtp_data ACL, which further scans mail during the data transmission portion of the SMTP session. Because Exim performs the scanning itself rather than accepting messages into a queue for a separate program to scan, unwanted mail is refused before it is ever accepted, which removes the need for bounce messages. For example, if a local user transmits a message with a blocked regular expression, the mail never really leaves his outbox; he instead receives an error message from his mail client (I have also seen rejection messages appear in Norton AntiVirus dialogs on Win32 systems). In the case of remote senders, their MTA will provide a rejection message.

The Exiscan patch has four major features: MIME filtering, spam filtering with SpamAssassin, antivirus filtering, and regular expression blocking.

MIME filtering can be simple or powerful, depending on how detailed the administrator wants to get. There may be a simple list of extensions to block, such as .scr or .pif, or the admin can set up an acl_smtp_mime ACL for finer control, such as blocking specific content types or character sets. If a message includes an illegal attachment or a bad MIME container, it is rejected. Here is an example of a simple MIME rule:
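
The fragment below is an added example, not the article's own rule, and shows how the four Exiscan features listed earlier fit into one acl_smtp_data ACL. The ACL name acl_check_data, the clamd and spamd addresses, the extension list and the blocked expressions are assumptions chosen for illustration.

```exim
# ---- main configuration section (scanner locations are assumptions) ----
# Where Exiscan finds the virus scanner and the SpamAssassin daemon.
av_scanner    = clamd:127.0.0.1 3310
spamd_address = 127.0.0.1 783

# Run this ACL at the end of the SMTP DATA phase, before the message is accepted.
acl_smtp_data = acl_check_data

begin acl

acl_check_data:

  # MIME filtering: reject messages whose MIME structure is broken
  # ($demime_errorlevel 3 means a fatal decoding error) ...
  deny  message   = MIME error in message ($demime_reason)
        demime    = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  # ... or that carry an attachment with a blocked extension (assumed list).
  deny  message   = Attachment type not accepted (.$found_extension)
        demime    = scr:pif:com:bat:vbs

  # Antivirus: refuse infected mail during the session, so no bounce is
  # generated; the sending MTA or mail client sees the rejection.
  deny  message   = This message contains malware ($malware_name)
        malware   = *

  # Regular expression blocking against the raw message body (assumed patterns).
  deny  message   = Message matches a blocked expression ($regex_match_string)
        regex     = [Ll]ose [Ww]eight : [Ww]eight [Ll]oss

  # Spam: always add SpamAssassin's score (scanning as user "nobody"),
  # then reject only the clearly bad ones ($spam_score_int is score x 10).
  warn  message   = X-Spam-Score: $spam_score ($spam_bar)
        spam      = nobody:true

  deny  message   = This message scored $spam_score spam points
        spam      = nobody:true
        condition = ${if >{$spam_score_int}{100}{1}{0}}

  # Everything that survived the checks above is accepted for delivery.
  accept
```

The deny rules run in order, so the cheap MIME and extension checks reject junk before the more expensive virus and SpamAssassin scans are invoked.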