[Mimedefang] compare mimedefang to mailscanner

John Rudd john at rudd.cc
Tue Jan 16 11:51:38 EST 2007


Mike Campbell wrote:
> I have been using mimedefang for a couple of years now and just today 
> ran across the mailscanner program. On first glance it appears that the 
> 2 do about the same thing. Have some of the experts here tried both of 
> these and have a comparison as to how they differ? Is it worth my while 
> to spend time trying to configure mailscanner?
> 
> For what it is worth my mail server currently processes around 500-600 
> messages a day on a P3 500 MHz machine with 128 meg of memory.
> 

The big differences are:

1) MIMEDefang happens during the SMTP session, so you have the option to 
do things like tempfails (SMTP 4xx return code), which allows you to do 
Greylisting, or rejections (SMTP 5xx return code).   MailScanner needs 2 
mail queues (one for pre-scanned mail, one for post-scanned mail), and 
does not happen during the SMTP session (so your only options are 
deliver, clean, silently delete (bad), send back a bounce report (bad)). 
  So, MIMEDefang lets you _reject_/refuse-to-accept a virus, a bad 
attachment, or a high-scoring spam message.  MailScanner does not.

(this also means that MailScanner has a sometimes significant latency 
between when it accepts a message, and when that message finally gets to 
the local recipient; in large environments this latency can be 
noticeable, and cause complaints from your users)

2) MailScanner gets an economy of scale out of doing HUGE volumes of 
anti-virus scans in one pass.  For example, MailScanner's 2 fastest 
virus scanners are the command-line sophos sweep, and the command-line 
clamscan (not clamdscan; clamd significantly slows things down for 
MailScanner).  In contrast, these are very SLOW mechanisms for 
MIMEDefang, because MIMEDefang doesn't get that economy of scale (with 
MIMEDefang you really DO want to use clamd).  For your 500-600 messages 
per day, you probably won't really see that economy of scale with 
MailScanner.

3) MIMEDefang lets you specify the order of checks.   With MailScanner, 
you HAVE to do SpamAssassin first, and Virus Scanning last.  That means 
you're running the very CPU expensive SpamAssassin checks on viruses. 
With MIMEDefang, you can set the order just by re-arranging code in your 
mimedefang-filter.

4) MIMEDefang also lets you do other kinds of checks: checks on the 
relay, checks on the sender, checks on each recipient, all before you do 
any other spam/virus checks.  This lets you do anything from blocking 
suspicious content, to doing the equivalent of "milter-ahead" to verify 
that a destination host has the recipient's address (with MailScanner 
you have to either use milter-ahead, or keep an up-to-date aliases file, 
or something like that).


That said, you CAN use them together.  You could use MIMEDefang for fast 
checks and during-SMTP-session checks (relay checks, helo checks, sender 
checks, recipient checks, attachment filename checks, maybe clamd 
anti-virus checks), and then use MailScanner for bulk checks and checks 
that would slow down your SMTP sessions (other virus scanners, 
SpamAssassin).  This reduces the amount of messages you're submitting to 
MailScanner (and thus SpamAssassin), and if you do clamd with MIMEDefang 
you're not going to be spamscanning most of your virus traffic nor 
bad-attachment traffic.


Personally, I stopped using MailScanner at home 2 years ago, and stopped 
using MailScanner at work 2 months ago.  I greatly prefer MIMEDefang. 
But, it does require a bit more CPU (so that you can do all of those 
checks on a per-message basis, and during the SMTP session before it 
times out).  But your traffic levels shouldn't be a big burden to most 
machines.

MailScanner is a great package.  I just prefer to have the option to 
reject content instead of cleaning/marking it and then delivering it.


(and, to be fair, I will probably stop using MIMEDefang at home, in the 
not so distant future; I am switching MTAs from Sendmail to CommuniGate 
Pro; CGP doesn't use the milter interface, but uses a plugin interface 
of a different kind ... so I'm in the process of building up the 
infrastructure for those plugins;  it's nothing against MIMEDefang -- if 
CGP had a means of using milters, I would keep using MIMEDefang with CGP)
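
The check ordering described in points 3 and 4 above, sketched as a mimedefang-filter fragment. This is an added example, not part of the original post or of MIMEDefang's shipped filter; the network, hostnames, extension list and score threshold are placeholders, and it assumes mimedefang is started with -r, -s and -t and that a virus scanner such as clamd is configured.

```perl
# Added example: mimedefang-filter fragment, cheapest checks first.
# Placeholders (assumptions): 192.0.2.0/24, mail.example.com,
# backend.example.com, the extension list and the score threshold.

# 1. Connect time (needs mimedefang -r): refuse a relay outright.
sub filter_relay {
    my ($hostip, $hostname) = @_;
    return ('REJECT', 'Relay not permitted') if $hostip =~ /^192\.0\.2\./;
    return ('CONTINUE', 'ok');
}

# 2. MAIL FROM (needs -s): outsiders must not HELO as our own host.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    return ('REJECT', 'Forged HELO')
        if lc($helo) eq 'mail.example.com' && $ip ne '127.0.0.1';
    return ('CONTINUE', 'ok');
}

# 3. RCPT TO (needs -t): ask the destination host whether the address
#    exists, the "milter-ahead" equivalent. Returns REJECT/TEMPFAIL/CONTINUE.
sub filter_recipient {
    my ($recipient, $sender) = @_;
    return md_check_against_smtp_server($sender, $recipient,
        'mail.example.com', 'backend.example.com');
}

# 4. Whole message, before MIME parts: virus scan ahead of SpamAssassin.
sub filter_begin {
    my ($entity) = @_;
    my ($code, $category, $action) = message_contains_virus();
    return action_tempfail('Virus scanner unavailable') if $action eq 'tempfail';
    return action_bounce('Virus detected') if $category eq 'virus';  # SMTP 5xx
}

# 5. Per MIME part: refuse executable attachment names.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return action_bounce("Attachment type $ext not accepted")
        if re_match($entity, '\.(exe|scr|pif)\.*$');
    return action_accept();
}

# 6. Most expensive check last, and only if nothing above rejected.
sub filter_end {
    my ($entity) = @_;
    return if message_rejected();
    return unless $Features{'SpamAssassin'};
    my ($hits, $req, $names, $report) = spam_assassin_check();
    action_bounce('Message rejected as spam') if defined($hits) && $hits >= 10;
}

1;
```

Despite its name, action_bounce makes the MTA answer with an SMTP 5xx during the session rather than generating a bounce message afterwards.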





