Qmail-Scanner 2.11

An add-on that enables a Qmail email server to scan gatewayed email for certain characteristics

  Add it to your Download Basket!

 Add it to your Watch List!


Rate it!

What's new in Qmail-Scanner 2.10:

  • Some minor bugs were fixed.
  • New features include DLP support and Team Cymru Malware Hash Registry support.
Read full changelog
send us
an update
GPL (GNU General Public License) 
Jason Haar
ROOT \ Communications \ Email
Qmail-Scanner is an add-on that enables a Qmail email server to scan gatewayed email for certain characteristics (i.e. a content scanner). It is typically used for its anti-virus and anti-spam protection functions, in which case it is used in conjunction with external scanners.

Qmail-Scanner application also enables a site (at a server/site level) to create "Policy blocks": i.e. react to email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments).

Its archival features helps ISPs and corporations around the world with new or pending legislation, and regulatory requirements. It can archive all processed email into an archive maildir. This is ideal for backup purposes for audit policy reasons. Unlike certain Windows-based server solutions, the mail envelope headers (the "rcpt to:" and "mail from:" headers) are kept intact - appended to the bottom of each message - confirming true sender and destination addresses.

Archiving also supports filtering to a subset of addresses (e.g. only archive "support@domain.name" emails instead of all). In addition, the extensive single-line summaries generated for each message by Qmail-Scanner may be enough for companies meet their obligations - instead of the more disk-intensive full archiving. As usual, contact a lawyer for proper definitions.

Qmail-Scanner is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting in more thorough coverage. It is capable of scanning not only locally sent/received email, but also email that crosses the server in a relay capacity. Qmail-Scanner also leverages the wealth of meta-information provided by Qmail (such as client IP address, and whether or not the client is allowed to relay).

Here are some key features of "Qmail Scanner":

· Supports almost all commercial (Unix) virus scanners as well as the ever-popular Open Source ClamAV scanner.
· Can call more than one virus scanner for each mail message
· Has its own internal scanner that can be used for Policy enforcement, or to quarantine viruses that your AV currently cannot detect
· The internal scanner can also be used to quarantine email based on attachment types, or email with certain email headers... Need to stop *.mp3 files or "Subject: ILOVEYOU" email getting onto and off your LAN - can do! :-)
· The internal scanner can trigger a "greylist" action instead of a quarantine. This is designed for emergency situations where your current AV and static Policy blocks are not appropriate. e.g. a new ZIP-based virus comes out with random filenames. Your AV cannot detect it, and you can't globally block ZIP files without hurting valid users. A "greylist" action will cause Qmail-Scanner to exit with a SMTP temporary failure instead of delivering the message. Valid emails will simply be requeued and can flow through later once your AV can detect the virus, and you decide to remove the greylist policy.
· Internal engine scans for poorly formatted messages that are known to be used by trojans/virii to infect clients. As such, this is independent of any virus scanner, and can successfully operate against future virii/trojans. Such messages are quarantined immediately. Known to block such major virii as Klez and Aliz, and as a side effect, stops a fair amount of spam too! Format checks include:
· broken MIME continuation headers
· use of comments within standard headers (e.g. "Content-T(xxxxxx)ype:" is *identical* to "Content-Type:" according to the RFCs - but some virii use this as it circumvents some anti-virus scanners). Valid use of this is never seen in the wild - so it's blocked
· repeated occurrences of MIME headers makes Q-S rename the latter ones to nullify them
· MIME boundaries over 250 chars are blocked
· differing definitions of a particular attachment filename causes it to be blocked
· double-defining the same MIME boundary is blocked
· certain MIME types containing windows executable extensions are specifically blocked (e.g. an "audio/wav" of filename "wav.exe" could only be a virus)
· broken headers within a MIME attachment are blocked
· windows executable attachments that aren't marked as being of MIME type "application/....." are blocked (e.g. renaming notepade.exe to notepade.gif and sending it as a GIF attachment would be quarantined, as Qmail-Scanner would realise it's an executable pretending to be something else).
· attachment filenames over 256 chars are blocked
· some double-barreled filenames are blocked (e.g. file.gif.exe). It tries not to block common mistake variants
· CLSID file extensions are blocked
· Password-protected zip files can be blocked if you wish. This would stop any future viruses stuffed inside password-protected zip files from getting through, but of course would also stop any legitimate usage. Turned off by default, but perhaps useful to turn on during a new outbreak, and turned off again once an AV update occurs that can catch it.
· defaults to always running any AV you may have over messages first, then runs the internal scanner (Policy/perlscan) checks. This means if you block ".PIF" files due to them normally containing viruses, then any .PIF files that do contain a virus known to your AV system will be flagged as "viruses", and any that were missed (perhaps they were a Day-Zero virus) are then tagged as being blocked by "policy". This differentiation is then used by the alerting system. It defaults to not notifying the sender that a virus has been found, but can still notify them when it was a "policy" block.
· Quarantines emails it finds to contravene the above sub-systems. Viruses are quarantined into a maildir named "viruses/", policy-blocks into "policy/" and (potentially) high-rated SPAM into "spam/"
· Can integrate with SpamAssassin to provide comprehensive anti-spam tagging for an entire site. Typically uses also includes using Qmail-Scanner as a "front end" for Enterprise mail servers such as Notes and Exchange. Qmail-Scanner does all the dirty work - (hopefully) leaving nothing but clean mail for the backend :-)
· Auto-detects email from "postmaster"-style and mailing-list addresses - and doesn't send virus alert reports to them (i.e. attempts to act more like a responsible net citizen)
· Due to the fact that over 99.9% of all email-borne viruses are now sent using forged sender information, Q-S defaults to NOT alerting the sender that a message has been quarantined, unless it was due to a Policy/Perlscan block. This can be turned back to the "old" style by using "--notify sender" instead of the newer default of "--notify psender" (i.e. only notify sender for policy blocks)
· Knows of the virii which forge the From headers - so that the virus appears to come from some poor innocent. Qmail-Scanner will not send alerts to the sender for those types of virii. As the default is to not notify anyway, this only really takes effect if you are using the "--notify sender" option.
· Each message is tagged via a new Received: header with a virus report showing whether it is clean or not and virus scanner version numbers/etc
· [disabled by default] Messages classified as "serious SPAM" by the "--sa-quarantine" option (basically having a really high SA score) will be quarantined off into a "maildir" mail folder (./spam/). This separation into its own maildir allows sites to come up with their own methods of handling false positives. However...
· the "-z" cleanup option will delete messages in the quarantine subfolders older than 14 days - to ensure it doesn't grow too large. If you want to keep them longer, simply script something to move them out daily to another directory/maildir. There is a logrotate script in the contrib directory to automate this (for those systems that can use it - like Redhat/CentOS)
· Can optionally add a descriptive header: X-Qmail-Scanner to every email that passes through the system to allow users to see that a scanner has run over their messages.
· Messages caught by Qmail-Scanner generate an email message (currently supports English, Italian, Afrikaans, Polish, Swedish, Czech, German, Spanish, Turkish, Lithuanian, French, Portuguese, Dutch and Chinese messages) to a configurable combination of the sender, recipients and a "quarantine-admin" address explaining why their message was blocked.
· Can archive some or all processed email (that wasn't quarantined) into an archive maildir. Useful when debugging email-based apps, for backup purposes, and for audit policy reasons. Currently the mail envelope headers (the "rcpt to:" and "mail from:" headers) are appended to the bottom of each message. This option supports being called with a regular expression in which case only envelope headers that match the expression are archived (e.g. can archive "(support|sales)@domain.name" instead of all email)
· Reports via syslog or to a file, a one-line description of each processed message, giving extensive information such as subject line, attachment filenames, sizes, etc.
· Redundant scanning. Not only does it unpack each message before running the scanners over it, it can also scan the original "raw" email message as well as the unpacked components (i.e. if you think a particular scanner has better internal MIME parsing than Qmail-scanner)
· Reporting: in the contrib directory there's qs2mrtg.pl. A perl script for monitoring your syslog files for qmail-scanner records. It then graphs how Qmail-Scanner is processing your emails. It creates different graphs for incoming vs outgoing email, as well as the flow of spam and viruses.


· Netqmail 1.05 (or qmail-1.03 with patches)
· Create a separate account under which to run Qmail-Scanner: defaults to username and groupname "qscand". For extra security, create it with a normal home directory (e.g. "/home/qscand"), but with a "fake" shell (e.g. "/bin/false") - as it's never logged into directly.
· reformime from Maildrop 1.3.8+
· Perl 5.005_03+
· Perl module Time::HiRes
· Perl module DB_File (most distributions come with it pre-installed, although the latest Perl doesn't)
· Perl module Sys::Syslog (most distributions come with it pre-installed)
· Perl module MIME::Base64 (most distributions come with it pre-installed)
· Optional: Mark Simpson's TNEF unpacker. Can decode those annoying MS-TNEF MIME attachments that Microsoft mail servers just love to use. If you don't have this, there are several classes of email that Qmail-Scanner basically won't be able to extract attachments in. However, your AV might very well be able to handle them
· Optional: uudecode (part of sharutils on Redhat-style systems)
· Optional: unzip

Last updated on October 6th, 2011

#qmail scanner #mail scanner #scan gatewayed email #Qmail-Scanner #qmail #mail #scanner

Add your review!