Simscan

Simscan is a simple program that enables the qmail smtpd service to reject viruses and spam and to block attachments during the SMTP conversation, so that the processing load on the email system is kept to a minimum.

The testing version of Simscan (v1.4) provides support for dspam.

RipMIME
In order to scan attachments, SimScan requires RipMIME to be installed:

cd /extra/src
wget http://www.pldaniels.com/ripmime/ripmime-1.4.0.9.tar.gz
tar zxf ripmime-1.4.0.9.tar.gz
cd ripmime-1.4.0.9

There's a permissions issue with 1.4.0.9 that can be solved with a patch:

wget http://www.tjc.fi/dist/ripmime-1.4.0.9-permissions.patch
patch < ripmime-1.4.0.9-permissions.patch

Then build and install ripMIME:

make
make install

SimScan installation
At the time of writing, the current version of SimScan was 1.4. Download and unpack the source code.

There are a couple of patches by John Simpson that fix a few issues with SimScan. Download and apply them:

wget http://qmail.jms1.net/simscan/simscan-1.4.0-combined.3.patch
patch < simscan-1.4.0-combined.3.patch

Create a user and group for SimScan to run as:

groupadd simscan
useradd -g simscan -s /bin/false -c "SimScan Content Filter" simscan

Create a "go" file to hold the configuration options (in case we need to recall them later). Then put one of the following into that file, depending on which spam filter you use:

  • SpamAssassin

    #!/bin/sh
    ./configure \
    --enable-user=simscan \
    --enable-clamav=y \
    --enable-clamdscan=/usr/local/bin/clamdscan \
    --enable-custom-smtp-reject=y \
    --enable-attach=y \
    --enable-received=y \
    --enable-per-domain=y \
    --enable-ripmime=/usr/local/bin/ripmime \
    --enable-spam=y \
    --enable-spamc=/usr/bin/spamc \
    --enable-spam-hits=10

  • dspam

    #!/bin/sh
    ./configure \
    --enable-user=simscan \
    --enable-clamav=y \
    --enable-clamdscan=/usr/local/bin/clamdscan \
    --enable-custom-smtp-reject=y \
    --enable-attach=y \
    --enable-received=y \
    --enable-per-domain=y \
    --enable-ripmime=/usr/local/bin/ripmime \
    --enable-dspam=y \
    --enable-dspam-user=y

Make "go" executable and then run it to configure SimScan:

chmod ugo+x go
./go

If configure completes without errors, build and install the programs:

make
make install-strip

In order for ClamAV to be able to work with the temp files in /var/qmail/simscan, we need to make some permission changes and add clamav to the simscan group:

chgrp simscan /var/qmail/simscan
chmod g+s /var/qmail/simscan
usermod -a -G simscan clamav

The AllowSupplementaryGroups option in /usr/local/etc/clamd.conf must also be set and ClamAV restarted:

AllowSupplementaryGroups yes
svc -t /service/clamav

Attachment Blocking
Create a text file, /var/qmail/control/ssattach, that contains a list of the attachment types that you want to block. The following list is a good start but might need to be modified to suit your particular needs:

.ade
.adp
.bas
.bat
.chm
.cmd
.com
.cpl
.crt
.exe
.hlp
.hta
.inf
.ins
.isp
.js
.jse
.lnk
.mdb
.mde
.msc
.msi
.msp
.mst
.pcd
.pif
.reg
.scr
.sct
.shb
.shs
.url
.vb
.vbe
.vbs
.wsc
.wsf
.wsh

/var/qmail/control/simcontrol
By compiling with --enable-per-domain=y, we can fine-tune scanning on a domain or email address basis. Create the control file /var/qmail/control/simcontrol and put in it a default entry:

:clam=yes,spam=yes,spam_hits=10

A couple of other examples, for a domain or an email address, would look like:

postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3

Once you've created the file, create the necessary CDB file:

/var/qmail/bin/simscanmk
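
The following pre-flight check for /var/qmail/control/simcontrol, to be run before simscanmk, is an added example and not part of the original page or of SimScan. It assumes only the option names and value forms used in the entries above (including that attach entries are written as ".ext"); the function names are hypothetical, and options it does not know are reported rather than rejected.

```python
import re

# Only the options used in this page's entries are checked (assumption).
YN = re.compile(r"yes|no")
CHECKS = {"clam": YN, "spam": YN, "spam_hits": re.compile(r"\d+(\.\d+)?"),
          "attach": re.compile(r"\.\w+(:\.\w+)*")}  # colon-separated '.ext' list

def parse_line(line):
    """Split at the FIRST colon only: attach values contain colons too."""
    key, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("no ':' between key and options")
    opts = {}
    for item in rest.split(","):
        name, eq, value = item.partition("=")
        if not (name and eq and value):
            raise ValueError(f"malformed option {item!r}")
        opts[name] = value
    return key.lower(), opts

def lint_simcontrol(text):
    """Return [(line_number, problem)] for the body of a simcontrol file."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            key, opts = parse_line(line.strip())
        except ValueError as exc:
            problems.append((n, str(exc)))
            continue
        if key in seen:
            problems.append((n, f"duplicate key, first on line {seen[key]}"))
        seen.setdefault(key, n)
        for name, value in opts.items():
            if name not in CHECKS:
                problems.append((n, f"option {name!r} not covered by this check"))
            elif not CHECKS[name].fullmatch(value):
                problems.append((n, f"bad value for {name}: {value!r}"))
    if "" not in seen:  # the empty key is the default entry
        problems.append((0, "no default entry (a line starting with ':')"))
    return problems

# Constructed sample: the page's three entries plus one deliberately bad line.
SAMPLE = """:clam=yes,spam=yes,spam_hits=10
postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
example.com:clam=no,spam=yes,attach=.mp3
example.com:clam=on,attach=exe
"""
```

Calling lint_simcontrol(SAMPLE) reports three problems, all on line 4: the repeated example.com key and the two malformed values.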

SMTP run script
Edit your SMTP service's run script (e.g. /service/smtp-external/run) to enable Simscan by uncommenting the relevant lines:

QMAILQUEUE="$VQ/bin/simscan"

update-simscan
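In order to have the message headers indicate the correct version of ClamAV's database, simscan's version database needs to be updated when Freshclam updates the definitions. John Simpson has provided a nice program that does that. The commands below install it owned by root:simscan with mode 4110, that is, setuid root and executable only by root and members of the simscan group.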

cd /extra/src
wget http://qmail.jms1.net/simscan/update-simscan.c
gcc -s -o /usr/local/sbin/update-simscan update-simscan.c
chown root:simscan /usr/local/sbin/update-simscan
chmod 4110 /usr/local/sbin/update-simscan

Adjust /usr/local/etc/freshclam.conf to run update-simscan when it updates the definitions and allow supplementary group access:

OnUpdateExecute /usr/local/sbin/update-simscan
AllowSupplementaryGroups yes

Then restart FreshClam to load the change:

svc -t /service/freshclam

Other Patches
http://article.gmane.org/gmane.mail.qmail.simscan/3585
