[Mimedefang] Connecting Clamd via inet socket?
John Nemeth
jnemeth at cue.bc.ca
Fri Dec 2 21:26:54 EST 2016
On Dec 2, 1:22pm, "Bill Cole" wrote:
} On 2 Dec 2016, at 12:01, Dianne Skoll wrote:
} > On Fri, 2 Dec 2016 16:57:32 +0100
} > Benoit Panizzon <benoit.panizzon at imp.ch> wrote:
} >
} >> Does anyone know, if it's possible to use
} >> ClamdSock = "host:port";
} >> in MIMEDefang?
} >
} > No; the built-in code uses IO::Socket::UNIX and can only scan local
} > files. You need to write your own wrapper code if you want to
} > stream files to another host.
}
} Note that this is pretty easy if you have the 'socat' software
} installed. You could run something like this out of init (or whatever
} replacement for init your system uses):
}
}     socat UNIX-LISTEN:/var/run/fakeclamd.sock,mode=777,fork TCP:<clamdhost>:<clamdport>
}
} Note that this provides no on-the-wire security but in its favor, only
} needs a persistent socat process on the client side. By using an OPENSSL
} socket type instead of TCP and a mirror image socat process on the
} server side (i.e. have socat instead of clamd listening on the network
} interface, talking to the clamd socket) you could secure the conversion.
} See the socat man page for more information.
Just curious, has anybody in this thread read the clamd manpage
recently?

The clamd socket is primarily a control channel, i.e. you send
it a command like, "SCAN <path>", which won't work very well if
<path> is inaccessible to clamd. There is "STREAM" (deprecated)
which returns "PORT <portno>" and "INSTREAM" which takes chunked
data. None of this is particularly amenable to use by socat (you
could use NFS to make <path> available to a remote clamd, but that
isn't recommended). Likewise, you can't just replace a connection
to a UNIX domain socket with a connection to an INET socket.
}-- End of excerpt from "Bill Cole"
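
The INSTREAM exchange mentioned in the message above, sketched as a small client. This is an added example, not part of the original post and not MIMEDefang's code; it is written in Python only to show the framing, which follows the clamd man page. The function names and the host/port arguments are assumptions made for illustration.

```python
import socket
import struct

CHUNK_SIZE = 8192  # bytes read from the file per chunk (illustrative value)

def instream_frames(fileobj, chunk_size=CHUNK_SIZE):
    """Yield the byte strings that make up one INSTREAM request."""
    yield b"zINSTREAM\0"  # 'z' prefix: command and reply are NUL-terminated
    while chunk := fileobj.read(chunk_size):
        # Each chunk: 4-byte big-endian length, then that many bytes.
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)  # zero-length chunk ends the stream

def read_reply(sock):
    """Read clamd's reply up to the terminating NUL (or connection close)."""
    buf = b""
    while not buf.endswith(b"\0"):
        data = sock.recv(4096)
        if not data:
            break
        buf += data
    return buf.rstrip(b"\0").decode("utf-8", "replace")

def parse_reply(reply):
    """Return (status, detail); anything unrecognised is an error, never clean."""
    if reply == "stream: OK":
        return ("clean", None)
    if reply.startswith("stream: ") and reply.endswith(" FOUND"):
        return ("infected", reply[len("stream: "):-len(" FOUND")])
    return ("error", reply)

def scan_stream(sock, fileobj):
    """Send fileobj over an already connected socket and return the verdict."""
    try:
        for frame in instream_frames(fileobj):
            sock.sendall(frame)
        return parse_reply(read_reply(sock))
    except OSError as exc:  # e.g. clamd closed the connection mid-stream
        return ("error", str(exc))

def scan_file(path, host, port, timeout=30):
    """Scan a local file on a remote clamd; host and port are placeholders."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with open(path, "rb") as f:
            return scan_stream(sock, f)
```

A caller should treat an "error" result as a failed scan rather than a clean one; clamd answers "INSTREAM size limit exceeded" and closes the connection when the stream exceeds StreamMaxLength. The TCP connection itself is plaintext, as noted earlier in the thread.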