[Mimedefang] MimeDefang vs clamav

Matthew Schumacher matt.s at aptalaska.net
Wed Aug 4 16:07:28 EDT 2004


Richard A Nelson wrote:
> I'm stumped...
> 
> What difference does clamdscan see when invoked from clamav-milter
> and when invoked via mimedefang ?
> 
> I'm using the stock mimedefang-filter
> 
> I've just converted from running spamass-milter + clamav-milter
> to mimedefang (running all three at first, to ensure things are
> working).
> 
> I've now removed spamass-milter as the mimedefang integration is
> working well in that regard.
> 
> I've not been able to remove the subsequent clamav-milter as of yet
> because it is catching viruses that it doesn't when invoked by
> mimedefang ?!?

You need to look at your mimedefang-filter.  Mime defang is just a perl 
program that breaks up email into mime parts and gives you the ability 
to do things with those mime parts.  This is what makes mimedefang so 
wonderful, it gives you complete control over your email in perl syntax, 
and without the typical perl performance hit to boot.  It's a beautiful 
thing!!!

That said, if it's not doing what you want, then you need to update your 
mimedefang-filter and tell it what you want to do.

Older versions of mimedefang passed each attachment to clamd for 
scanning, but there are viruses out there that break the MIME rfc so 
mimedefang doesn't break out the attachment because it isn't valid. 
Since the scanmail feature in clamd is specifically designed to detect 
viruses despite broken mime you may want to add:

md_copy_orig_msg_to_work_dir_as_mbox_file();

to the top of your filter_begin() rule and enable scanmail in your 
clamd.conf.  This will tell mime-defang to put the complete message in 
mbox format in the tmp extraction dir before calling clamd which will 
find the virus in the mbox file.  This is really a better solution 
anyway because you have two mime implementations parsing the message.

Another way around this (better?) is to use the action_rebuild() 
function to tell mimedefang to rebuild each message with a valid mime 
format.  This may cause things to break for clients that do not produce 
valid mime messages, but it can stop a lot of problems.  It's your call (as 
David puts it).

HTH,

schu
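
The setup described in the message above, as an added example that is not part of the original post and not the stock mimedefang-filter: a filter_begin() that gives clamd the whole message as an mbox file and acts on the result. It assumes clamd is running with mail scanning enabled and was detected by MIMEDefang at startup; discarding on a hit and tempfailing on a scanner error are policy choices made for this example.

```perl
# mimedefang-filter fragment (added example, not the stock filter).
# Assumption: mail scanning (the ScanMail option) is enabled in clamd.conf;
# the exact directive syntax depends on the ClamAV version in use.

sub filter_begin {
    # Write the raw, unparsed message into the work directory as an mbox
    # file. clamd's own mail parser then sees the message even when
    # MIMEDefang could not split out an attachment with invalid MIME.
    md_copy_orig_msg_to_work_dir_as_mbox_file();

    # Nothing to do if MIMEDefang did not find clamd at startup.
    return unless $Features{'Virus:CLAMD'};

    # Scans the whole work directory through the clamd socket:
    # the mbox copy plus whatever parts were extracted.
    my ($code, $category, $action) = message_contains_virus_clamd();

    if ($category eq 'virus') {
        # $VirusName is set by MIMEDefang when a scanner reports a hit.
        md_syslog('warning', "Discarding message: clamd found $VirusName");
        return action_discard();    # example policy: drop silently
    }

    if ($action eq 'tempfail') {
        # Scanner error (clamd down, timeout): defer the message
        # instead of delivering it unscanned.
        md_syslog('warning',
                  "clamd problem: code=$code category=$category");
        return action_tempfail('Problem running virus scanner');
    }

    return;
}

# A filter file must end with a true value.
1;
```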


