Mail Scanning With Exim And The Exiscan ACL
by Michael Oliveri - Tuesday, 13 April 2004.
These ACL rules allow for some rudimentary filtering, but not nearly enough to handle full spam and virus protection. The Exiscan patch adds its functionality to the acl_smtp_data ACL, which scans each message during the DATA portion of the SMTP session. Because Exim performs the scanning itself, rather than accepting messages into a queue for scanning by a separate program, unwanted mail is refused before it is ever accepted, which removes the need for bounce messages. For example, if a local user transmits a message that matches a blocked regular expression, the mail never really leaves his outbox; he instead receives an error message from his mail client (I have also seen rejection messages appear in Norton AntiVirus dialogs on Win32 systems). In the case of remote senders, their MTA will relay the rejection message.

The Exiscan patch has four major features: MIME filtering, spam filtering with SpamAssassin, antivirus filtering, and regular expression blocking.

MIME filtering can be simple or powerful, depending on how detailed the administrator wants to get. There may be a simple list of extensions to block, such as .scr or .pif, or the admin can set up an acl_smtp_mime ACL for finer control, such as blocking specific content types or character sets. If a message includes an illegal attachment or a bad MIME container, it is rejected. Here is an example of a simple MIME rule:

    deny message = This message contains an unwanted \
                   extension ($found_extension)
         demime = scr:vbs:bat:lnk:pif:exe:hta

In this example, the deny message is the error presented to the sender by Exim when the message is rejected, with the $found_extension variable telling the sender which specific attachment the server refused. The demime line is the colon-separated list of refused extensions.
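The finer-grained acl_smtp_mime ACL mentioned above is worth seeing in full, because it catches what an extension list cannot: a part whose declared content type is executable even though its filename looks harmless, or a container that is structurally broken. The following is an added example and not configuration from the article; it assumes an Exim build with the content-scanning (Exiscan) code present, so that the $mime_* variables and the acl_smtp_mime hook exist, and the anomaly-level threshold and the content-type list are local choices rather than recommended values.

```exim
# Main configuration section: run the ACL below once per MIME part.
acl_smtp_mime = acl_check_mime

begin acl

acl_check_mime:
  # Refuse containers Exim could not parse cleanly. Low anomaly levels are
  # cosmetic quirks; the cut-off of 2 used here is an assumed local choice.
  deny message = Malformed MIME structure ($mime_anomaly_text)
       condition = ${if >{$mime_anomaly_level}{2}{1}{0}}

  # Refuse parts whose declared content type is a Windows executable,
  # whatever the filename says. \N...\N keeps the regex out of expansion.
  deny message = Content type $mime_content_type is not accepted here
       condition = ${if match{$mime_content_type}\
                    {\N^application/x-ms(download|dos-program)$\N}{1}{0}}

  # Same extension list as the demime example, but compared case-insensitively
  # so that "INVOICE.SCR" and "invoice.scr" are treated alike.
  deny message = Attachment $mime_filename is not accepted here
       condition = ${if match{${lc:$mime_filename}}\
                    {\N\.(scr|vbs|bat|lnk|pif|exe|hta)$\N}{1}{0}}

  # Every other part is allowed through to the data ACL.
  accept
```

The deny verbs are ordered from cheapest to most specific, and the final accept is required: a MIME ACL that falls off the end without a verdict rejects the message. In later Exim releases that dropped the demime condition, this ACL is the replacement for the extension list.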


Antivirus scanning requires that a third-party virus scanner be installed on the system. According to the Exiscan website, Exiscan works with several different scanners. We have chosen to use ClamAV locally. As one would expect, if a virus is found in an attachment, the message is rejected. The AV daemon's IP address (if not localhost) and port (if not the default) are specified earlier in the configure file, and the ACL rule is very simple:

    deny message = This message contains malware \
                   ($malware_name)
         malware = *

In this instance, any malware discovered by Clam is rejected and the sender is notified.

Spam filtering is performed with SpamAssassin and the spamd daemon, and a spam score is generated for every incoming message. Exiscan can be configured with two thresholds for this score: a flag threshold and a rejection threshold. If a message scores higher than the flag threshold, a header is attached to the message designating it as spam. The recipient can then configure their MUA to deal with these messages as they see fit. Similarly, with a little extra tweaking, Exiscan can also be configured to rewrite the subject line or body of a message for more obvious labeling. If a message scores higher than the rejection threshold, it is rejected outright.
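Here is how the two thresholds look in the data ACL. This is an added example rather than configuration from the article; it assumes an Exim build with the content-scanning (Exiscan) code, a spamd listening on the local host's default port, and a flag threshold of 5.0 and a rejection threshold of 10.0 points, both of which are assumed values chosen for illustration. $spam_score_int is the score multiplied by ten, which is why the comparisons use 50 and 100.

```exim
# Main configuration section: where spamd listens (assumed local, default port)
# and which ACL handles the DATA phase.
spamd_address = 127.0.0.1 783
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Score every message. "nobody" is the user name handed to spamd for its
  # per-user preferences; ":true" makes the condition succeed whatever the
  # score, so the $spam_* variables are filled in for the rules that follow.
  warn spam = nobody:true
       add_header = X-Spam-Score: $spam_score ($spam_bar)
       add_header = X-Spam-Report: $spam_report

  # Flag threshold (5.0 points): mark the message and let the recipient's
  # MUA decide what to do with it.
  warn condition = ${if >{$spam_score_int}{50}{1}{0}}
       add_header = X-Spam-Flag: YES

  # Rejection threshold (10.0 points): refuse during DATA, so the sending
  # MTA or MUA receives this text and no bounce is ever generated.
  deny message = This message scored $spam_score spam points, \
                 which is above our limit
       condition = ${if >{$spam_score_int}{100}{1}{0}}

  # Anything below the rejection threshold is accepted (flagged or not).
  accept
```

Keep the scoring rule first: the header and rejection rules read $spam_score_int, which is only populated after a spam condition has run. Messages that are rejected never reach the queue, so there is nothing to clean up afterwards.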
