1MIMEDEFANG-FILTER(5)          File Formats Manual         MIMEDEFANG-FILTER(5)
2
3
4

NAME

6       mimedefang-filter - Configuration file for MIMEDefang mail filter.
7
8

DESCRIPTION

10       mimedefang-filter  is  a  Perl fragment that controls how mimedefang.pl
11       disposes of various parts of a MIME message.  In addition, it  contains
12       some  global  variable  settings  that  affect the operation of mimede‐
13       fang.pl.
14
15

CALLING SEQUENCE

17       Incoming messages are scanned as follows:
18
19
20       1) A temporary working directory is created.  It is  made  the  current
21       working  directory  and  the e-mail message is split into parts in this
22       directory.  Each part is  represented  internally  as  an  instance  of
23       MIME::Entity.
24
25
26       2)  If  the file /etc/mail/mimedefang-filter.pl defines a Perl function
27       called filter_begin, it is called with a single argument consisting  of
28       a  MIME::Entity  representing  the  parsed  e-mail message.  Any return
29       value is ignored.
30
31
32       3) For each leaf part of the mail message, filter is called  with  four
33       arguments: entity, a MIME::Entity object; fname, the suggested filename
34       taken from the MIME Content-Disposition header; ext,  the  file  exten‐
35       sion, and type, the MIME Content-Type value.  For each non-leaf part of
36       the mail message, filter_multipart is called with the same  four  argu‐
37       ments  as filter.  A non-leaf part of a message is a part that contains
38       nested parts.  Such a part has no useful body,  but  you  should  still
39       perform filename checks to check for viruses that use malformed MIME to
40       masquerade as non-leaf parts (like message/rfc822).   In  general,  any
41       action  you  perform in filter_multipart applies to the part itself and
42       any contained parts.
43
44
45       Note that both filter and filter_multipart are optional.  If you do not
46       define them, a default function that simply accepts each part is used.
47
48
49       4)  After  all  parts  have  been processed, the function filter_end is
50       called if it has been defined.  It is passed a single argument consist‐
51       ing  of  the  (possibly  modified) MIME::Entity object representing the
52       message about to be delivered.  Within filter_end, you can  call  func‐
53       tions that modify the message headers body.
54
55
56       5) After filter_end returns, the function filter_wrapup is called if it
57       has been defined.  It is passed a single  argument  consisting  of  the
58       (possibly  modified) MIME::Entity object representing the message about
59       to be  delivered,  including  any  modifications  made  in  filter_end.
60       Within  filter_wrapup,  you can not call functions that modify the mes‐
61       sage body, but you can still add or modify message headers.
62
63

DISPOSITION

65       mimedefang.pl examines each part of the MIME message and chooses a dis‐
66       position  for  that part.  (A disposition is selected by calling one of
67       the following functions from filter and  then  immediately  returning.)
68       Available dispositions are:
69
70
71       action_accept
72              The  part  is passed through unchanged.  If no disposition func‐
73              tion is returned, this is the default.
74
75
76       action_accept_with_warning
77              The part is passed through unchanged, but a warning is added  to
78              the mail message.
79
80
81       action_drop
82              The part is deleted without any notification to the recipients.
83
84
85       action_drop_with_warning
86              The part is deleted and a warning is added to the mail message.
87
88
89       action_replace_with_warning
90              The part is deleted and instead replaced with a text message.
91
92
93       action_quarantine
94              The  part is deleted and a warning is added to the mail message.
95              In addition, a copy of the part is saved on the mail  server  in
96              the  directory  /var/spool/MD-Quarantine  and  a notification is
97              sent to the MIMEDefang administrator.
98
99
100       action_bounce
101              The entire e-mail message is rejected and an error  returned  to
102              the  sender.   The  intended  recipients are not notified.  Note
103              that in spite of the name, MIMEDefang does not generate  and  e-
104              mail  a failure notification.  Rather, it causes the SMTP server
105              to return a 5XX SMTP failure code.
106
107
108       action_discard
109              The entire e-mail message is discarded  silently.   Neither  the
110              sender nor the intended recipients are notified.
111
112

CONTROLLING RELAYING

114       You  can  define  a  function called filter_relay in your filter.  This
115       lets you reject SMTP connection attempts early on in the  SMTP  dialog,
116       rather  than  waiting until the whole message has been sent.  Note that
117       for this check to take place, you must use the -r flag with mimedefang.
118
119
120       filter_relay is passed six arguments: $hostip is the IP address of  the
121       relay  host  (for  example, "127.0.0.1"), $hostname is the host name if
122       known (for example, "localhost.localdomain").  If the host  name  could
123       not  be  determined,  $hostname is $hostip enclosed in square brackets.
124       (That is, ("$hostname" eq "[$hostip]") will be true.)
125
126
127       The remaining four arguments to filter_relay are $port, $myip,  $myport
128       and  $qid,  which  contain the client's TCP port, the Sendmail daemon's
129       listening IP address, the Sendmail daemon's  listening  port,  and  the
130       Sendmail Queue-ID, respectively.  Note that the Queue-ID may not yet be
131       available at this stage (for  example,  Postfix  does  not  allocate  a
132       queue-ID this early.)  If the Queue-ID is not available, the string NO‐
133       QUEUE is passed instead.
134
135
136       filter_relay must return a two-element list: ($code, $msg).  $msg spec‐
137       ifies  the text message to use for the SMTP reply, but because of limi‐
138       tations in the Milter API, this message is for  documentation  purposes
139       only---you cannot set the text of the SMTP message returned to the SMTP
140       client from filter_relay.
141
142       $code is a literal string, and can have one of the following values:
143
144
145       'REJECT'
146              if the connection should be rejected.
147
148
149       'CONTINUE'
150              if the connection should be accepted.
151
152
153       'TEMPFAIL'
154              if a temporary failure code should be returned.
155
156
157       'DISCARD'
158              if the message should be accepted and silently discarded.
159
160
161       'ACCEPT_AND_NO_MORE_FILTERING'
162              if the connection should be accepted and  no  further  filtering
163              done.
164
165
166       Earlier versions of MIMEDefang used -1 for TEMPFAIL, 0 for REJECT and 1
167       for CONTINUE.  These values still work, but are deprecated.
168
169
170       In the case of REJECT or TEMPFAIL, $msg specifies the text part of  the
171       SMTP reply.  $msg must not contain newlines.
172
173
174       For example, if you wish to reject connection attempts from any machine
175       in the spammer.com domain, you could use this function:
176
177       sub filter_relay {
178            my ($ip, $name) = @_;
179            if ($name =~ /spammer\.com$/) {
180                 return ('REJECT', "Sorry; spammer.com is blacklisted");
181            }
182            return ('CONTINUE', "ok");
183       }
184
185

FILTERING BY HELO

187       You can define a function called filter_helo in your filter.  This lets
188       you reject connections after the HELO/EHLO SMTP command.  Note that for
189       this function to be called, you must use the -H flag with mimedefang.
190
191
192       filter_helo is passed seven arguments: $ip and $name are the IP address
193       and name of the sending relay, as in filter_relay.  The third argument,
194       $helo, is the argument supplied in the HELO/EHLO command.
195
196
197       The remaining four arguments to filter_helo are $port,  $myip,  $myport
198       and  $qid,  which  contain the client's TCP port, the Sendmail daemon's
199       listening IP address, the Sendmail daemon's  listening  port,  and  the
200       Sendmail Queue-ID, respectively.  Note that the Queue-ID may not yet be
201       available at this stage (for  example,  Postfix  does  not  allocate  a
202       queue-ID this early.)  If the Queue-ID is not available, the string NO‐
203       QUEUE is passed instead.
204
205
206       filter_helo must return  a  two-to-five  element  list:  ($code,  $msg,
207       $smtp_code,  $smtp_dsn, $delay).  $code is a return code, with the same
208       meaning as the $code return from filter_relay.  $msg specifies the text
209       message  to  use  for  the SMTP reply.  If $smtp_code and $smtp_dsn are
210       supplied, they become the SMTP numerical reply code  and  the  enhanced
211       status  delivery  code  (DSN code).  If they are not supplied, sensible
212       defaults are used.  $delay specifies a delay in seconds; the  C  milter
213       code  will sleep for $delay seconds before returning the reply to Send‐
214       mail.  $delay defaults to zero.
215
216       (Note that the delay is implemented in the Milter C code; if you  spec‐
217       ify  a  delay of 30 seconds, that doesn't mean a Perl worker is tied up
218       for the duration of  the  delay.   The  delay  only  costs  one  Milter
219       thread.)
220
221

FILTERING BY SENDER

223       You  can  define  a function called filter_sender in your filter.  This
224       lets you reject messages from certain senders, rather than waiting  un‐
225       til  the whole message has been sent.  Note that for this check to take
226       place, you must use the -s flag with mimedefang.
227
228
229       filter_sender is passed four arguments:  $sender is the envelope e-mail
230       address  of  the sender (for example, "<dfs@roaringpenguin.com>").  The
231       address may or may not be surrounded by angle brackets.  $ip and  $name
232       are  the IP address and host name of the SMTP relay.  Finally, $helo is
233       the argument to the SMTP "HELO" command.
234
235
236       Inside filter_sender, you can  access  any  ESMTP  arguments  (such  as
237       "SIZE=12345")  in  the  array @ESMTPArgs.  Each ESMTP argument occupies
238       one array element.
239
240
241       filter_sender must return a two-to-five element  list,  with  the  same
242       meaning as the return value from filter_helo.
243
244
245       For  example,  if  you wish to reject messages from spammer@badguy.com,
246       you could use this function:
247
248       sub filter_sender {
249            my ($sender, $ip, $hostname, $helo) = @_;
250            if ($sender =~ /^<?spammer\@badguy\.com>?$/i) {
251                 return ('REJECT', 'Sorry; spammer@badguy.com is blacklisted.');
252            }
253            return ('CONTINUE', "ok");
254       }
255
256
257       As another example, some spammers identify their own  machine  as  your
258       machine  in  the  SMTP "HELO" command.  This function rejects a machine
259       claiming to be in the "roaringpenguin.com" domain unless it really is a
260       Roaring Penguin machine:
261
262       sub filter_sender {
263         my($sender, $ip, $hostname, $helo) = @_;
264         if ($helo =~ /roaringpenguin.com/i) {
265           if ($ip ne "127.0.0.1" and
266               $ip ne "216.191.236.23" and
267               $ip ne "216.191.236.30") {
268                 return('REJECT', "Go away... $ip is not in roaringpenguin.com");
269           }
270         }
271         return ('CONTINUE', "ok");
272       }
273
274
275       As  a  third  example, you may wish to prevent spoofs by requiring SMTP
276       authentication when email is sent from some email addresses. This func‐
277       tion  rejects  mail from "king@example.com", unless the connecting user
278       properly authenticated as "elvisp". Note that this needs access to  the
279       %SendmailMacros  global,  that  is not available in filter_sender until
280       after a call to read_commands_file.
281
282       sub filter_sender {
283               my($sender, $ip, $hostname, $helo) = @_;
284               read_commands_file();
285               ### notice: This assumes The King uses authentication without realm!
286               if ($sender =~ /^<?king\@example\.com>?$/i and
287                   $SendmailMacros{auth_authen} ne "elvisp") {
288                       return('REJECT', "Faking mail from the king is not allowed.");
289               }
290               return ('CONTINUE', "ok");
291       }
292
293
294

FILTERING BY RECIPIENT

296       You can define a function called filter_recipient in your filter.  This
297       lets you reject messages to certain recipients, rather than waiting un‐
298       til the whole message has been sent.  Note that for this check to  take
299       place, you must use the -t flag with mimedefang.
300
301
302       filter_recipient  is passed nine arguments:  $recipient is the envelope
303       address of the recipient and $sender is the envelope e-mail address  of
304       the  sender  (for  example, "<dfs@roaringpenguin.com>").  The addresses
305       may or may not be surrounded by angle brackets.  $ip and $name are  the
306       IP address and host name of the SMTP relay.  $first is the envelope ad‐
307       dress of the first recipient for this message, and $helo is  the  argu‐
308       ment   to   the   SMTP  "HELO"  command.   The  last  three  arguments,
309       $rcpt_mailer, $rcpt_host and $rcpt_addr are the Sendmail  mailer,  host
310       and  address  triple for the recipient address.  For example, for local
311       recipients, $rcpt_mailer is likely to be "local", while for remote  re‐
312       cipients, it is likely to be "esmtp".
313
314
315       Inside  filter_recipient,  you  can access any ESMTP arguments (such as
316       "NOTIFY=never") in the array @ESMTPArgs.  Each ESMTP argument  occupies
317       one array element.
318
319
320       filter_recipient must return a two-to-five element list whose interpre‐
321       tation is the same as for filter_sender.  Note, however, that  if  fil‐
322       ter_recipient returns 'DISCARD', then the entire message for all recip‐
323       ients is discarded.  (It doesn't really make sense, but that's how Mil‐
324       ter works.)
325
326
327       For  example,  if  you wish to reject messages from spammer@badguy.com,
328       unless they are to postmaster@mydomain.com, you could  use  this  func‐
329       tion:
330
331       sub filter_recipient {
332            my ($recipient, $sender, $ip, $hostname, $first, $helo,
333                   $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
334            if ($sender =~ /^<?spammer\@badguy\.com>?$/i) {
335                 if ($recipient =~ /^<?postmaster\@mydomain\.com>?$/i) {
336                      return ('CONTINUE', "ok");
337                 }
338                 return ('REJECT', 'Sorry; spammer@badguy.com is blacklisted.');
339            }
340            return ('CONTINUE', "ok");
341       }
342
343

INITIALIZATION AND CLEANUP

345       Just  before  a  worker begins processing messages, mimedefang.pl calls
346       the functions filter_initialize (if it is defined) with  no  arguments.
347       By  the  time filter_initialize is called, all the other initialization
348       (such as setting up syslog facility and priority) has been done.
349
350       If you are not using an embedded Perl interpreter, then  performing  an
351       action  inside  filter_initialize is practically the same as performing
352       it directly in the filter file, outside any function definition.   How‐
353       ever,  if you are using an embedded Perl interpreter, then anything you
354       call directly from outside a function definition is executed once  only
355       in  the parent process.  Anything in filter_initialize is executed once
356       per worker.  If you use any code that opens a descriptor (for  example,
357       a  connection to a database server), you must run that code inside fil‐
358       ter_initialize and not directly from the  filter,  because  the  multi‐
359       plexor  closes  all  open  descriptors  when it activates a new worker.
360       From within filter_initialize a configuration file could be  loaded  by
361       calling read_config.  read_config accepts a configuration file path and
362       it can be used to overwrite global variables.  Configuration file  for‐
363       mat is pure Perl code.
364
365       When  a  worker is about to exit, mimedefang.pl calls the function fil‐
366       ter_cleanup (if it is defined) with no arguments.  This function can do
367       whatever  cleanup you like, such as closing file descriptors and clean‐
368       ing up  long-lived  worker  resources.   The  return  value  from  fil‐
369       ter_cleanup  becomes  the  worker's exit status.  (You should therefore
370       ensure that filter_cleanup returns an integer suitable  for  a  process
371       exit status.)
372
373
374       If  filter_cleanup  takes  longer than 10 seconds to run, the worker is
375       sent a SIGTERM signal.  If that doesn't kill it (because you're  catch‐
376       ing  signals,  perhaps), then a further 10 seconds later, the worker is
377       sent a SIGKILL signal.
378
379

CONTROLLING PARSING

381       If you define a function called filter_create_parser  taking  no  argu‐
382       ments,  then mimedefang.pl will call it to create a MIME::Parser object
383       for parsing mail messages.
384
385       Filter_create_parser is expected to return a MIME::Parser object (or an
386       instance of a class derived from MIME::Parser).
387
388       You  can  use  filter_create_parser  to  change  the  behavior  of  the
389       MIME::Parser used by mimedefang.pl.
390
391       If you do not define a filter_create_parser function, then  a  built-in
392       version equivalent to this is used:
393
394            sub filter_create_parser () {
395                 my $parser = MIME::Parser->new();
396                 $parser->extract_nested_messages(1);
397                 $parser->extract_uuencode(1);
398                 $parser->output_to_core(0);
399                 $parser->tmp_to_core(0);
400                 return $parser;
401            }
402

EXTENDING MIMEDEFANG

404       The  man page for mimedefang-protocol(7) lists commands that are passed
405       to workers in server mode (see "SERVER COMMANDS".)  You  can  define  a
406       function  called  filter_unknown_cmd to extend the set of commands your
407       filter can handle.
408
409       If you define filter_unknown_cmd, it is passed the unknown command as a
410       single  argument.   It  should return a list of values as follows:  The
411       first element of the list must be either "ok"  or  "error:"  (with  the
412       colon.)   The remaining arguments are percent-encoded.  All the result‐
413       ing pieces are joined together with a single space  between  them,  and
414       the resulting string passed back as the reply to the multiplexor.
415
416       For  example,  the  following function will make your filter reply to a
417       "PING" command with "PONG":
418
419       sub filter_unknown_cmd ($) {
420           my($cmd) = @_;
421           if ($cmd eq "PING") {
422               return("ok", "PONG");
423           }
424           return("error:", "Unknown command");
425       }
426
427       You can test this filter by typing the following as root:
428
429       md-mx-ctrl PING
430
431       The response should be:
432
433       ok PONG
434
435       If you extend the set of commands using filter_unknown_cmd, you  should
436       make all your commands start with an upper-case letter to avoid clashes
437       with future built-in commands.
438
439

REJECTING UNKNOWN USERS EARLY

441       A very common mail setup is to have a MIMEDefang machine act as an SMTP
442       proxy,  accepting  and  scanning  mail and then relaying it to the real
443       mail server.  Unfortunately, this means  that  the  MIMEDefang  machine
444       cannot  know  if  a local address is valid or not, and will forward all
445       mail for the appropriate domains.  If a mail comes in  for  an  unknown
446       user,  the  MIMEDefang machine will be forced to generate a bounce mes‐
447       sage when it tries to relay the mail.
448
449
450       It's often desirable to have the MIMEDefang host reply with a "User un‐
451       known"  SMTP  response directly.  While this can be done by copying the
452       list of local users to the MIMEDefang machine, MIMEDefang has a  built-
453       in  function  called  md_check_against_smtp_server for querying another
454       relay host:
455
456
457       md_check_against_smtp_server($sender, $recip,  $helo,  $server,  $port)
458       This
459              function  connects  to  the  SMTP server $server and pretends to
460              send mail from $sender to $recip.  The return value is always  a
461              two-element array.  If the RCPT TO: command succeeds, the return
462              value is ("CONTINUE", "OK").  If the RCPT fails with a permanent
463              failure, the return value is ("REJECT", $msg), where $msg is the
464              message from the SMTP server.  Any temporary  failures,  connec‐
465              tion  errors,  etc.  result  in  a  return value of ("TEMPFAIL",
466              $msg).
467
468              The optional argument $port specifies the TCP  port  to  connect
469              to.   If it is not supplied, then the default SMTP port of 25 is
470              used.
471
472              If the server offers STARTTLS support, TLS step-up is attempted.
473              If  TLS  step-up  fails, the check will fall-back to using clear
474              text and log the failure
475
476
477       Suppose the machine filter.domain.tld is filtering  mail  destined  for
478       the  real mail server mail.domain.tld.  You could have a filter_recipi‐
479       ent function like this:
480
481       sub filter_recipient
482       {
483           my($recip, $sender, $ip, $host, $first, $helo,
484              $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
485           return md_check_against_smtp_server($sender, $recip,
486                                "filter.domain.tld",
487                                "mail.domain.tld");
488       }
489
490       For each RCPT TO: command,  MIMEDefang  opens  an  SMTP  connection  to
491       mail.domain.tld and checks if the command would succeed.
492
493
494       Please  note  that  you should only use md_check_against_smtp_server if
495       your mail server responds with a failure code for nonexistent users  at
496       the  RCPT  TO: level.  Also, this function may impose too much overhead
497       if you receive a lot of e-mail, and it will generate  lots  of  useless
498       log  entries  on  the  real  mail  server  (because of all the RCPT TO:
499       probes.)  It may also significantly increase the load on the real  mail
500       server.
501
502

GLOBAL VARIABLES YOU CAN SET

504       The following Perl global variables should be set in mimedefang-filter:
505
506
507       $AdminAddress
508              The e-mail address of the MIMEDefang administrator.
509
510
511       $DaemonAddress
512              The  e-mail  address  from which MIMEDefang-originated notifica‐
513              tions come.
514
515
516       $AddWarningsInline
517              If this variable is set to 0, then all MIMEDefang warnings (such
518              as created by action_quarantine or action_drop_with_warning) are
519              collected together and added in  a  separate  MIME  part  called
520              WARNING.TXT.  If the variable is set to 1, then the warnings are
521              added directly in the first text/plain and  text/html  parts  of
522              the  message.  If the message does not contain any text/plain or
523              text/html parts, then a WARNING.TXT MIME part is  added  as  be‐
524              fore.
525
526
527       $MaxMIMEParts
528              A  message  containing  many MIME parts can cause MIME::Tools to
529              consume large amounts of memory and bring  your  system  to  its
530              knees.  If you set $MaxMIMEParts to a positive number, then MIME
531              parsing is terminated for messages  with  more  than  that  many
532              parts,  and  the message is bounced.  In this case, none of your
533              filter functions is called.
534
535              By default, $MaxMIMEParts is set to  -1,  meaning  there  is  no
536              limit  on  the number of parts in a message.  Note that in order
537              to use this variable,  you  must  install  the  Roaring  Penguin
538              patched  version of MIME::Tools, version 5.411a-RP-Patched-02 or
539              newer.
540
541
542       $Stupidity{"NoMultipleInlines"}
543              Set this to 1 if your e-mail is too stupid to  display  multiple
544              MIME parts in-line.  In this case, a nasty hack causes the first
545              part of the original message to appear as an attachment if warn‐
546              ing  are issued.  Mail clients that are not this stupid are Net‐
547              scape Communicator and Pine.  On the other hand,  Microsoft  Ex‐
548              change  and  Microsoft  Outlook are indeed this stupid.  Perhaps
549              users of those clients should switch.
550
551              The following global variables may optionally be set.   If  they
552              are not set, sensible defaults are used:
553
554
555       $AddApparentlyToForSpamAssassin
556              By default, MIMEDefang tries to pass SpamAssassin a message that
557              looks exactly like one it  would  receive  via  procmail.   This
558              means  adding  a Received: header, adding a Message-ID header if
559              necessary, and adding a Return-Path: header.  If you set $AddAp‐
560              parentlyToForSpamAssassin to 1, then MIMEDefang also adds an Ap‐
561              parently-To: header with  all  the  envelope  recipients  before
562              passing the message to SpamAssassin.  This lets SpamAssassin de‐
563              tect possibly whitelisted recipient addresses.
564
565              The default value for $AddApparentlyToForSpamAssassin is 0.
566
567
568       $SyslogFacility
569              This specifies the logging facility used by  mimedefang.pl.   By
570              default, it is set to "mail", but you can set it to other possi‐
571              bilites.  See the openlog(3) man page for details.   You  should
572              name  facilities  as  all-lowercase  without the leading "LOG_".
573              That is, use "local3", not "LOG_LOCAL3".
574
575
576       $WarningLocation (default 0)
577              If set to 0 (the default), non-inline warnings are placed first.
578              If  you  want  the  warning at the end of the e-mail, set $Warn‐
579              ingLocation to -1.
580
581
582       $DaemonName (default "MIMEDefang")
583              The full name used when MIMEDefang sends out notifications.
584
585
586       $AdminName (default "MIMEDefang Administrator")
587              The full name of the MIMEDefang administrator.
588
589
590       $SALocalTestsOnly (default 1)
591              If set to 1, SpamAssassin calls will use only local tests.  This
592              is the default and recommended setting.  This disables Received,
593              RBL and Razor tests in an all or nothing fashion.  To use  Razor
594              this  MUST be set to 0.  You can add 'skip_rbl_checks 1' to your
595              SpamAssassin config file if you need to.
596
597
598       $NotifySenderSubject (default "MIMEDefang Notification")
599              The  subject  used  when  e-mail  is  sent  out  by   action_no‐
600              tify_sender().  If you set this, you should set it each time you
601              call action_notify_sender() to ensure consistency.
602
603       $NotifyAdministratorSubject (default "MIMEDefang Notification")
604              The subject used when e-mail is sent out by action_notify_admin‐
605              istrator().   If  you  set this, you should set it each time you
606              call action_notify_administrator() to ensure consistency.
607
608
609       $QuarantineSubject (default "MIMEDefang Quarantine Report")
610              The subject used when a quarantine notice is sent to the  admin‐
611              istrator.  If you set this, you should set it each time you call
612              action_quarantine() or action_quarantine_entire_message().
613
614
615       $NotifyNoPreamble (default 0)
616              Normally, notifications sent by  action_notify_sender()  have  a
617              preamble  warning  about  message  modifications.  If you do not
618              want this, set $NotifyNoPreamble to 1.
619
620
621       $CSSHost (default 127.0.0.1:7777:local)
622              Host and port for the Symantec CarrierScan Server virus scanner.
623              This takes the form ip_addr:port:local_or_nonlocal.  The ip_addr
624              and port are the host and port on which  CarrierScan  Server  is
625              listening.   If  you  want to scan local files, append :local to
626              force the use of the AVSCANLOCAL command.   If  the  CarrierScan
627              Server  is  on  another host, append :nonlocal to force the file
628              contents to be sent to the scanner over the socket.
629
630
631       $SophieSock (default /var/spool/MIMEDefang/sophie)
632              Socket  used  for  Sophie  daemon  calls   within   message_con‐
633              tains_virus_sophie  and  entity_contains_virus_sophie  unless  a
634              socket is provided by the calling routine.
635
636
637       $ClamdSock (default /var/spool/MIMEDefang/clamd.sock)
638              Socket  used  for  clamd  daemon   calls   within   message_con‐
639              tains_virus_clamd   and   entity_contains_virus_clamd  unless  a
640              socket is provided by the calling routine.
641
642
643       $TrophieSock (default /var/spool/MIMEDefang/trophie)
644              Socket  used  for  Trophie  daemon  calls  within   message_con‐
645              tains_virus_trophie  and  entity_contains_virus_trophie unless a
646              socket is provided by the calling routine.
647
648
649

FILTER

651       The heart of mimedefang-filter is the filter procedure.  See the  exam‐
652       ples  that came with MIMEDefang to learn to write a filter.  The filter
653       is called with the following arguments:
654
655
656       $entity
657              The MIME::Entity object.  (See the MIME::tools Perl module docu‐
658              mentation.)
659
660
661       $fname The suggested attachment filename, or "" if none was supplied.
662
663
664       $ext   The  file extension (all characters from the rightmost period to
665              the end of the filename.)
666
667
668       $type  The MIME type (for example, "text/plain".)
669
670
671       The filename is derived as follows:
672
673
674       o      First, if the Content-Disposition header has a "filename" field,
675              it is used.
676
677
678       o      Otherwise,  if the Content-Type header has a "name" field, it is
679              used.
680
681
682       o      Otherwise, the Content-Description header value is used.
683
684
685       Note that the truly paranoid will check all three fields  for  matches.
686       The  functions  re_match  and  re_match_ext  perform regular expression
687       matches on all three of the fields named above, and  return  1  if  any
688       field  matches.   See  the sample filters for details.  The calling se‐
689       quence is:
690
691            re_match($entity, "regexp")
692            re_match_ext($entity, "regexp")
693
694       re_match returns true if any of the fields matches the  regexp  without
695       regard  to  case.   re_match_ext  returns  true if the extension in any
696       field matches.  An extension is defined as the last dot in a  name  and
697       all remaining characters.
698
699
700       A  third function called re_match_in_zip_directory will look inside zip
701       files and return true if any of the file names inside the  zip  archive
702       match the regular expression.  Call it like this:
703
704            my $bh = $entity->bodyhandle();
705            my $path = (defined($bh)) ? $bh->path() : undef;
706            if (defined($path) and re_match_in_zip_directory($path, "regexp")) {
707                # Take action...
708            }
709
710       You  should not call re_match_in_zip_directory unless you know that the
711       entity is a zip file attachment.
712
713
714       Another function called re_match_in_rar_directory will look inside  rar
715       files  and  return true if any of the file names inside the rar archive
716       match  the  regular  expression.   The  function  is  very  similar  to
717       re_match_in_zip_directory  but the unrar binary is required and must be
718       specified in $Features{"unrar"}.
719
720
721       Another function called re_match_in_7z_directory will look inside  7zip
722       files  and return true if any of the file names inside the 7zip archive
723       match  the  regular  expression.   The  function  is  very  similar  to
724       re_match_in_zip_directory  but  the  7z  binary is required and must be
725       specified in $Features{"7zip"}.
726
727

GLOBAL VARIABLES SET BY MIMEDEFANG.PL

729       The following global variables are set by mimedefang.pl and are  avail‐
730       able  for use in your filter.  All of these variables are always avail‐
731       able to filter_begin, filter, filter_multipart and filter_end.  In  ad‐
732       dition,  some  of  them are available in filter_relay, filter_sender or
733       filter_recipient.  If this is the case, it will be noted below.
734
735
736       %Features
737              This hash lets you determine at run-time whether  certain  func‐
738              tionality is available.  This hash is available at all times as‐
739              suming  the  detect_and_load_perl_modules()  function  has  been
740              called.  The defined features are:
741
742              $Features{"SpamAssassin"}  is 1 if SpamAssassin 1.6 or better is
743              installed; 0 otherwise.
744
745              $Features{"HTML::Parser"} is 1 if HTML::Parser is  installed;  0
746              otherwise.
747
748              $Features{"Virus:FPROTD"} is currently always 0.  Set it to 1 in
749              your filter file if you have  F-Risk's  FPROTD  scanner  earlier
750              than version 6.
751
752              $Features{"Virus:FPROTD6"}  is  currently always 0.  Set it to 1
753              in your filter file if you have version  6  of  F-Risk's  FPROTD
754              scanner.
755
756              $Features{"Virus:SymantecCSS"} is currently always 0.  Set it to
757              1 in your filter file  if  you  have  the  Symantec  CarrierScan
758              Server virus scanner.
759
760              $Features{"Virus:NAI"}  is  the full path to NAI uvscan if it is
761              installed; 0 if it is not.
762
763              $Features{"Virus:BDC"} is the full path to Bitdefender bdc if it
764              is installed; 0 if it is not.
765
766              $Features{"Virus:NVCC"} is the full path to Norman Virus Control
767              nvcc if it is installed; 0 if it is not.
768
769              $Features{"Virus:HBEDV"} is the full path to H+BEDV  AntiVir  if
770              it is installed; 0 if it is not.
771
772              $Features{"Virus:VEXIRA"}  is  the  full path to Central Command
773              Vexira if it is installed; 0 if it is not.
774
775              $Features{"Virus:SOPHOS"} is the full path to Sophos sweep if it
776              is installed; 0 if it is not.
777
778              $Features{"Virus:SAVSCAN"} is the full path to Sophos savscan if
779              it is installed; 0 if it is not.
780
781              $Features{"Virus:CLAMAV"} is the full path to Clam  AV  clamscan
782              if it is installed; 0 if it is not.
783
784              $Features{"Virus:AVP"} is the full path to AVP AvpLinux if it is
785              installed; 0 if it is not.
786
787              $Features{"Virus:AVP5"} is the  full  path  to  Kaspersky  "ave‐
788              client" if it is installed; 0 if it is not.
789
790              $Features{"Virus:CSAV"}  is  the full path to Command csav if it
791              is installed; 0 if it is not.
792
793              $Features{"Virus:FSAV"} is the full path to F-Secure fsav if  it
794              is installed; 0 if it is not.
795
796              $Features{"Virus:FPROT"} is the full path to F-Risk f-prot if it
797              is installed; 0 if it is not.
798
799              $Features{"Virus:FPSCAN"} is the full path to F-Risk  fpscan  if
800              it is installed; 0 if it is not.
801
802              $Features{"Virus:SOPHIE"}  is  the  full path to Sophie if it is
803              installed; 0 if it is not.
804
805              $Features{"Virus:CLAMD"} is the full path to clamd if it is  in‐
806              stalled; 0 if it is not.
807
808              $Features{"Virus:CLAMDSCAN"} is the full path to clamdscan if it
809              is installed; 0 if it is not.
810
811              $Features{"Virus:TROPHIE"} is the full path to Trophie if it  is
812              installed; 0 if it is not.
813
814              $Features{"Virus:NOD32"} is the full path to ESET NOD32 nod32cli
815              if it is installed; 0 if it is not.
816
817              $Features{"Path:RSPAMC"} is the full path to rspamc(1) if it  is
818              installed (deprecated); 0 if it is not.
819
820              NOTE: Perl-module based features such as SpamAssassin are deter‐
821              mined at runtime and may change as these are added and  removed.
822              Most  Virus features are predetermined at the time of configura‐
823              tion and do not adapt to runtime availability unless changed  by
824              the filter rules.
825
826
827       $CWD   This  variable  holds the working directory for the current mes‐
828              sage.  During filter processing, mimedefang.pl chdir's into this
829              directory  before  calling  any  of the filter_ functions.  Note
830              that this variable is set correctly in  filter_sender  and  fil‐
831              ter_recipient, but not in filter_relay.
832
833
834       $SuspiciousCharsInHeaders
835              If  this variable is true, then mimedefang has discovered suspi‐
836              cious characters in message headers.  This might be  an  exploit
837              for  bugs  in  MIME-parsing  routines in some badly-written mail
838              user agents (e.g. Microsoft Outlook.)  You  should  always  drop
839              such messages.
840
841
842       $SuspiciousCharsInBody
843              If  this variable is true, then mimedefang has discovered suspi‐
844              cious characters in the message body.  This might be an  exploit
845              for  bugs  in  MIME-parsing  routines in some badly-written mail
846              user agents (e.g. Microsoft Outlook.)  You  should  always  drop
847              such messages.
848
849
850       $RelayHostname
851              The  host  name of the relay.  This is the name of the host that
852              is attempting to send e-mail to your host.  May  be  "undef"  if
853              the  host name could not be determined.  This variable is avail‐
854              able in filter_relay, filter_sender and filter_recipient in  ad‐
855              dition to the body filtering functions.
856
857
858       $RelayAddr
859              The  IP  address of the sending relay (as a string consisting of
860              four dot-separated decimal numbers.)  One potential use of  $Re‐
861              layAddr  is  to  limit mailing to certain lists to people within
862              your organization.  This variable is available in  filter_relay,
863              filter_sender  and filter_recipient in addition to the body fil‐
864              tering functions.
865
866              $Helo The argument given to the SMTP "HELO" command.  This vari‐
867              able is available in filter_sender and filter_recipient, but not
868              in filter_relay.
869
870
871       $Subject
872              The contents of the "Subject:" header.
873
874
875       $Sender
876              The sender of the e-mail.  This variable is set in filter_sender
877              and  filter_recipient  in  addition  to the body filtering func‐
878              tions.
879
880
881       @Recipients
882              A list of the recipients.  In filter_recipient, it is set to the
883              single  recipient currently under consideration. Or, after call‐
884              ing read_commands_file within filter_recipient, the current  re‐
885              cipient  under consideration is in the final position of the ar‐
886              ray, at $Recipients[-1], while any previous (and  accepted)  re‐
887              cipients are at the beginning of the array, that is, in @Recipi‐
888              ents[0 .. $#Recipients-1].
889
890
891
892       $MessageID
893              The contents of the "Message-ID:"  header  if  one  is  present.
894              Otherwise, contains the string "NOQUEUE".
895
896
897       $QueueID
898              The  Sendmail  queue identifier if it could be determined.  This
899              variable is set correctly  in  filter_relay,  filter_helo,  fil‐
900              ter_sender  and  filter_recipient.   Note, however, that Postfix
901              may not allocate a queue ID until filter_recipient time.   If  a
902              Queue-ID  has  not  yet  been allocated, $QueueID is set to "NO‐
903              QUEUE".
904
905
906       $MsgID Set to $QueueID if the queue ID could be determined;  otherwise,
907              set  to  $MessageID.  This identifier should be used in logging,
908              because it matches the identifier used by Sendmail to  log  mes‐
909              sages.   Note  that  this  variable  is  set  correctly  in fil‐
910              ter_sender and filter_recipient, but it is not available in fil‐
911              ter_relay.
912
913
914       $VirusScannerMessages
915              Each time a virus-scanning function is called, messages (if any)
916              from the virus scanner are accumulated in  this  variable.   You
917              can  use  it  in  filter_end to formulate a notification (if you
918              wish.)
919
920
921       $VirusName
922              If a virus-scanning function found a virus, this  variable  will
923              hold the virus name (if it could be determined.)
924
925
926       $SASpamTester
927              If  defined,  this  is  the configured Mail::SpamAssassin object
928              used for mail tests.  It may  be  initialized  with  a  call  to
929              spam_assassin_init which also returns it.
930
931
932       %SendmailMacros
933              This hash contains the values of some Sendmail macros.  The hash
934              elements exist only for macros defined  by  Sendmail.   See  the
935              Sendmail documentation for the meanings of the macros.
936
937              By  default,  mimedefang  passes  the  values  of  the following
938              macros: ${daemon_name}, ${daemon_port}, ${if_name},  ${if_addr},
939              $j,   $_,   $i,   ${tls_version},   ${cipher},   ${cipher_bits},
940              ${cert_subject}, ${cert_issuer},  ${auth_type},  ${auth_authen},
941              ${auth_ssf},  ${auth_author},  ${mail_mailer},  ${mail_host} and
942              ${mail_addr}.   In  addition,  ${client_port}  is  set  to   the
943              client's TCP port.
944
945              If  any macro is not set or not passed to milter, it will be un‐
946              available.  To access the value of a macro, use:
947
948
949                   $SendmailMacros{"macro_name"}
950
951
952              Do not place curly brackets around the macro name.   This  vari‐
953              able  is available in filter_sender and filter_recipient after a
954              call to read_commands_file.
955
956
957       @SenderESMTPArgs
958              This array contains all the ESMTP arguments supplied in the MAIL
959              FROM: command.  For example:
960
961              sub print_sender_esmtp_args {
962                  foreach (@SenderESMTPArgs) {
963                      print STDERR "Sender ESMTP arg: $_0;
964                  }
965              }
966
967
968       %RecipientESMTPArgs
969              This hash contains all the ESMTP arguments supplied in each RCPT
970              TO: command.  For example:
971
972              sub print_recip_esmtp_args {
973                  foreach my $recip (@Recipients) {
974                      foreach(@{$RecipientESMTPArgs{$recip}}) {
975                          print STDERR "Recip ESMTP arg for $recip: $_0;
976                      }
977                  }
978              }
979
980
981       %RecipientMailers
982              This hash contains the Sendmail "mailer-host-address" triple for
983              each recipient.  Here's an example of how to use it:
984
985              sub print_mailer_info {
986                  my($recip, $mailer, $host, $addr);
987                  foreach $recip (@Recipients) {
988                      $mailer = ${RecipientMailers{$recip}}[0];
989                      $host = ${RecipientMailers{$recip}}[1];
990                      $addr =  ${RecipientMailers{$recip}}[2];
991                      print STDERR "$recip: mailer=$mailer, host=$host, addr=$addr\n";
992                  }
993              }
994
995              In  filter_recipient, this variable by default only contains in‐
996              formation on the recipient currently under investigation. Infor‐
997              mation  on  all  recipients is available after calling read_com‐
998              mands_file.
999
1000

ACTIONS

1002       When the filter procedure decides how to dispose of a part,  it  should
1003       call one or more action_ subroutines.  The action subroutines are:
1004
1005
1006       action_accept()
1007              Accept the part.
1008
1009
1010       action_rebuild()
1011              Rebuild the mail body, even if mimedefang thinks no changes were
1012              made.  Normally, mimedefang does  not  alter  a  message  if  no
1013              changes  were  made.   action_rebuild  may  be  used if you make
1014              changes to entities directly (by  manipulating  the  MIME::Head,
1015              for  example.)   Unless you call action_rebuild, mimedefang will
1016              be unaware of the changes.  Note that all the built-in action...
1017              routines that change a message implicitly call action_rebuild.
1018
1019
1020       action_add_header($hdr, $val)
1021              Add  a  header to the message.  This can be used in filter_begin
1022              or filter_end.  The $hdr component is the  header  name  without
1023              the  colon,  and  the $val is the header value.  For example, to
1024              add the header:
1025
1026                   X-MyHeader: A nice piece of text
1027
1028              use:
1029
1030                   action_add_header("X-MyHeader", "A nice piece of text");
1031
1032
1033       action_change_header($hdr, $val, $index)
1034              Changes an existing header in the message. This can be  used  in
1035              filter_begin  or  filter_end.   The $hdr parameter is the header
1036              name without the colon, and $val is the header  value.   If  the
1037              header  does  not  exist,  then a header with the given name and
1038              value is added.
1039
1040              The $index parameter is optional; it defaults to 1.  If you sup‐
1041              ply  it, then the $index'th occurrence of the header is changed,
1042              if there is more than one header with the same name.   (This  is
1043              common with the Received: header, for example.)
1044
1045
1046       action_insert_header($hdr, $val, $index)
1047              Add  a  header to the message int the specified position $index.
1048              A position of 0 specifies that the header  should  be  prepended
1049              before  existing  headers.   This can be used in filter_begin or
1050              filter_end.  The $hdr component is the header name  without  the
1051              colon, and the $val is the header value.
1052
1053
1054       action_delete_header($hdr, $index)
1055              Deletes  an  existing header in the message. This can be used in
1056              filter_begin or filter_end.  The $hdr parameter  is  the  header
1057              name without the colon.
1058
1059              The $index parameter is optional; it defaults to 1.  If you sup‐
1060              ply it, then the $index'th occurrence of the header is  deleted,
1061              if there is more than one header with the same name.
1062
1063
1064       action_delete_all_headers($hdr)
1065              Deletes  all  headers with the specified name.  This can be used
1066              in filter_begin or filter_end.  The $hdr parameter is the header
1067              name without the colon.
1068
1069
1070       action_drop()
1071              Drop  the part.  If called from filter_multipart, drops all con‐
1072              tained parts also.
1073
1074
1075       action_drop_with_warning($msg)
1076              Drop the part, but add the warning $msg to the  e-mail  message.
1077              If called from filter_multipart, drops all contained parts also.
1078
1079
1080       action_accept_with_warning($msg)
1081              Accept the part, but add the warning $msg to the e-mail message.
1082
1083
1084       action_replace_with_warning($msg)
1085              Drop  the  part and replace it with a text part $msg.  If called
1086              from filter_multipart, drops all contained parts also.
1087
1088
1089       action_replace_with_url($entity, $doc_root, $base_url, $msg, [$cd_data,
1090       $salt])
1091              Drop the part, but save it in a unique location under $doc_root.
1092              The part is replaced with the text  message  $msg.   The  string
1093              "_URL_"  in  $msg is replaced with $base_url/something, that can
1094              be used to retrieve the message.
1095
1096              You should not use this function in filter_multipart.
1097
1098              This action is intended for stripping large  parts  out  of  the
1099              message  and  replacing  them to a link on a Web server.  Here's
1100              how you would use it in filter():
1101
1102              $size = (stat($entity->bodyhandle->path))[7];
1103              if ($size > 1000000) {
1104                   return action_replace_with_url($entity,
1105                        "/home/httpd/html/mail_parts",
1106                        "http://mailserver.company.com/mail_parts",
1107                        "The attachment was larger than 1,000,000 bytes.\n" .
1108                        "It was removed, but may be accessed at this URL:\n\n" .
1109                        "\t_URL_\n");
1110              }
1111
1112              This example moves attachments greater than 1,000,000 bytes into
1113              /home/httpd/html/mail_parts  and replaces them with a link.  The
1114              directory  should  be   accessible   via   a   Web   server   at
1115              http://mailserver.company.com/mail_parts.
1116
1117              The  generated  name is created by performing a SHA1 hash of the
1118              part and adding the extension to the ASCII-HEX representation of
1119              the  hash.   If  many  different  e-mails are sent containing an
1120              identical large part, only one copy of the part is  stored,  re‐
1121              gardless of the number of senders or recipients.
1122
1123              For  privacy  reasons,  you must turn off Web server indexing in
1124              the directory in which you place mail parts, or anyone  will  be
1125              able  to  read them.  If indexing is disabled, an attacker would
1126              have to guess the SHA1 hash of a part in order to read it.
1127
1128              Optionally, a fifth argument can supply data to be saved into  a
1129              hidden  dot filename based on the generated name.  This data can
1130              then be read in on the fly by a CGI script  or  mod_perl  module
1131              before  serving the file to a web client, and used to add infor‐
1132              mation to the response, such as Content-Disposition data.
1133
1134              A sixth optional argument, $salt, is mixed in to the SHA1  hash.
1135              This  salt  can  be  any string and should be kept confidential.
1136              The salt is designed to prevent people from guessing whether  or
1137              not  a particular attachment has been received on your server by
1138              altering the SHA1 hash calculation.
1139
1140
1141       action_defang($entity, $name, $fname, $type)
1142              Accept the part, but change its name  to  $name,  its  suggested
1143              filename  to  $fname  and  its  MIME type to $type.  If $name or
1144              $fname are "", then mimedefang.pl generates generic  names.   Do
1145              not use this action in filter_multipart.
1146
1147              If  you  use  action_defang, you must define a subroutine called
1148              defang_warning in your filter.  This  routine  takes  two  argu‐
1149              ments: $oldfname (the original name of an attachment) and $fname
1150              (the defanged version.)  It should return a message telling  the
1151              user what happened.  For example:
1152
1153              sub defang_warning {
1154                  my($oldfname, $fname) = @_;
1155                  return "The attachment '$oldfname' was renamed to '$fname'\n";
1156              }
1157
1158
1159
1160       action_external_filter($entity, $cmd)
1161              Run  an  external UNIX command $cmd.  This command must read the
1162              part from the file ./FILTERINPUT and leave the result in  ./FIL‐
1163              TEROUTPUT.   If  the  command  executes successfully, returns 1,
1164              otherwise 0.  You can test the return value and call another ac‐
1165              tion_  if  the  filter  failed.   Do not use this action in fil‐
1166              ter_multipart.
1167
1168
1169       action_quarantine($entity, $msg)
1170              Drop and quarantine the part, but add the warning $msg to the e-
1171              mail message.
1172
1173
1174       action_quarantine_entire_message($msg)
1175              Quarantines  the entire message in a quarantine directory on the
1176              mail server, but does not otherwise affect  disposition  of  the
1177              message.  If "$msg" is non-empty, it is included in any adminis‐
1178              trator notification.
1179
1180
1181       action_sm_quarantine($reason)
1182              Quarantines a message in the Sendmail mail queue using  the  new
1183              QUARANTINE facility of Sendmail 8.13.  Consult the Sendmail doc‐
1184              umentation for details about this  facility.   If  you  use  ac‐
1185              tion_sm_quarantine  with  a  version  of Sendmail that lacks the
1186              QUARANTINE facility, mimedefang will log an  error  message  and
1187              not quarantine the message.
1188
1189
1190       action_bounce($reply, $code, $dsn)
1191              Reject  the entire e-mail message with an SMTP failure code, and
1192              the one-line error message $reply.  If the  optional  $code  and
1193              $dsn arguments are supplied, they specify the numerical SMTP re‐
1194              ply code and the extended status code (DSN code).  If the  codes
1195              you  supply  do  not  make sense for a bounce, they are replaced
1196              with "554" and "5.7.1" respectively.
1197
1198              action_bounce merely makes a note that  the  message  is  to  be
1199              bounced;  remaining parts are still processed.  If action_bounce
1200              is called for more than one part, the mail is bounced  with  the
1201              message  in the final call to action_bounce.  You can profitably
1202              call action_quarantine followed by action_bounce if you want  to
1203              keep a copy of the offending part.  Note that the message is not
1204              bounced immediately; rather, remaining parts are  processed  and
1205              the message is bounced after all parts have been processed.
1206
1207              Note  that  despite  its name, action_bounce does not generate a
1208              "bounce message".  It merely rejects the message  with  an  SMTP
1209              failure code.
1210
1211              WARNING: action_bounce() may cause the sending relay to generate
1212              spurious bounce messages if the sender address is  faked.   This
1213              is  a particular problem with viruses.  However, we believe that
1214              on balance, it's better to bounce a virus than to silently  dis‐
1215              card it.  It's almost never a good idea to hide a problem.
1216
1217
1218       action_tempfail($msg, $code, $dsn)
1219              Cause  an  SMTP  "temporary failure" code to be returned, so the
1220              sending mail relay requeues the message and tries  again  later.
1221              The  message  $msg  is included with the temporary failure code.
1222              If the optional $code and  $dsn  arguments  are  supplied,  they
1223              specify  the  numerical  SMTP reply code and the extended status
1224              code (DSN code).  If the codes you supply do not make sense  for
1225              a  temporary  failure,  they are replaced with "450" and "4.7.1"
1226              respectively.
1227
1228
1229       action_discard()
1230              Silently discard the message, notifying nobody.  You  can  prof‐
1231              itably  call action_quarantine followed by action_discard if you
1232              want to keep a copy of the offending part.  Note that  the  mes‐
1233              sage  is  not discarded immediately; rather, remaining parts are
1234              processed and the message is discarded after all parts have been
1235              processed.
1236
1237
1238       action_notify_sender($message)
1239              This action sends an e-mail back to the original sender with the
1240              indicated message.  You may call another action after this  one.
1241              If  action_notify_sender  is called more than once, the messages
1242              are accumulated into a single e-mail message -- at most one  no‐
1243              tification  message  is  sent per incoming message.  The message
1244              should be terminated with a newline.
1245
1246              The notification is delivered in deferred mode; you should run a
1247              client-queue runner if you are using Sendmail 8.12.
1248
1249              NOTE:  Viruses  often fake the sender address.  For that reason,
1250              if a virus-scanner has detected a virus, action_notify_sender is
1251              disabled  and will simply log an error message if you try to use
1252              it.
1253
1254
1255       action_notify_administrator($message)
1256              This action e-mails the MIMEDefang  administrator  the  supplied
1257              message.  You may call another action after this one; action_no‐
1258              tify_administrator does not  affect  mail  processing.   If  ac‐
1259              tion_notify_administrator is called more than once, the messages
1260              are accumulated into a single e-mail message -- at most one  no‐
1261              tification  message  is  sent per incoming message.  The message
1262              should be terminated with a newline.
1263
1264              The notification is delivered in deferred mode; you should run a
1265              client-queue runner if you are using Sendmail 8.12.
1266
1267
1268       append_text_boilerplate($entity, $boilerplate, $all)
1269              This  action  should only be called from filter_end.  It appends
1270              the text "\n$boilerplate\n" to the  first  text/plain  part  (if
1271              $all is 0) or to all text/plain parts (if $all is 1).
1272
1273
1274       append_html_boilerplate($entity, $boilerplate, $all)
1275              This  action should only be called from filter_end.  It adds the
1276              text "\n$boilerplate\n" to the first text/html part (if $all  is
1277              0)  or  to  all  text/html  parts (if $all is 1).  This function
1278              tries to be smart  about  inserting  the  boilerplate;  it  uses
1279              HTML::Parser  to detect closing tags and inserts the boilerplate
1280              before the </body> tag if there is one, or  before  the  </html>
1281              tag  if  there is no </body>.  If there is no </body> or </html>
1282              tag, it appends the boilerplate to the end of the part.
1283
1284              Do not use append_html_boilerplate unless you have installed the
1285              HTML::Parser Perl module.
1286
1287              Here is an example illustrating how to use the boilerplate func‐
1288              tions:
1289
1290                   sub filter_end {
1291                        my($entity) = @_;
1292                        append_text_boilerplate($entity,
1293                             "Lame text disclaimer", 0);
1294                        append_html_boilerplate($entity,
1295                             "<em>Lame</em> HTML disclaimer", 0);
1296                   }
1297
1298
1299       action_add_part($entity, $type, $encoding, $data, $fname,  $disposition
1300       [, $offset])
1301              This  action  should only be called from the filter_end routine.
1302              It adds a new part to the message, converting the original  mes‐
1303              sage to mutipart if necessary.  The function returns the part so
1304              that additional mime attributes may be set on it.  Here's an ex‐
1305              ample:
1306
1307                   sub filter_end {
1308                        my($entity) = @_;
1309
1310                        action_add_part($entity, "text/plain", "-suggest",
1311                                  "This e-mail does not represent" .
1312                                  "the official policy of FuBar, Inc.\n",
1313                                  "disclaimer.txt", "inline");
1314                      }
1315
1316              The  $entity  parameter  must  be the argument passed in to fil‐
1317              ter_end.  The $offset parameter is optional; if omitted, it  de‐
1318              faults  to  -1,  which  adds  the  new part at the end.  See the
1319              MIME::Entity man page and the add_part member function  for  the
1320              meaning of $offset.
1321
1322              Note that action_add_part tries to be more intelligent than sim‐
1323              ply calling $entity->add_part.  The decision process is as  fol‐
1324              lows:
1325
1326
1327       o      If  the  top-level  entity  is multipart/mixed, then the part is
1328              simply added.
1329
1330
1331       o      Otherwise, a new top-level multipart/mixed container  is  gener‐
1332              ated,  and  the original top-level entity is made the first part
1333              of the multipart/mixed container.  The new part is then added to
1334              the multipart/mixed container.
1335
1336
1337       action_add_entity($entity [, $offset])
1338              This  is  similar  to  action_add_part  but  takes  a  pre-built
1339              MIME::Entity object rather than constructing one based on $type,
1340              $encoding, $data, $fname and $disposition arguments.
1341
1342

USEFUL ROUTINES

1344       mimedefang.pl  includes  some  useful  functions you can call from your
1345       filter:
1346
1347
1348       detect_and_load_perl_modules()
1349              Unless you really know what you're doing, this function must  be
1350              called first thing in your filter file.  It causes mimedefang.pl
1351              to detect and load  Perl  modules  such  as  Mail::SpamAssassin,
1352              Net::DNS, etc., and to populate the %Features hash.
1353
1354
1355       send_quarantine_notifications()
1356              This  function  should  be called from filter_end.  If any parts
1357              were quarantined, a  quarantine  notification  is  sent  to  the
1358              MIMEDefang  administrator.   Please note that if you do not call
1359              send_quarantine_notifications, then no quarantine  notifications
1360              are sent.
1361
1362
1363       get_quarantine_dir()
1364              This  function  returns the full path name of the quarantine di‐
1365              rectory.  If you have not yet quarantined any parts of the  mes‐
1366              sage,  a  quarantine  directory  is created and its pathname re‐
1367              turned.
1368
1369
1370       change_sender($sender)
1371              This function changes the envelope sender to  $sender.   It  can
1372              only  be called from filter_begin or any later function.  Please
1373              note that this function is only supported  with  Sendmail/Milter
1374              8.14.0  or newer.  It has no effect if you're running older ver‐
1375              sions.
1376
1377
1378       add_recipient($recip)
1379              This function adds $recip to the list of envelope recipients.  A
1380              copy of the message (after any modifications by MIMEDefang) will
1381              be sent to $recip in addition to the original recipients.   Note
1382              that  add_recipient  does  not  modify the @Recipients array; it
1383              just makes a note to Sendmail to add the recipient.
1384
1385
1386       delete_recipient($recip)
1387              This function deletes $recip from the list of recipients.   That
1388              person  will  not receive a copy of the mail.  $recip should ex‐
1389              actly match an entry in the @Recipients array for delete_recipi‐
1390              ent()  to  work.  Note that delete_recipient does not modify the
1391              @Recipients array; it just makes a note to  Sendmail  to  delete
1392              the recipient.
1393
1394       resend_message($recip1, $recip2, ...)
1395              or
1396
1397       resend_message(@recips)
1398              This  function immediately resends the original, unmodified mail
1399              message to each of the named recipients.  The  sender's  address
1400              is preserved.  Be very careful when using this function, because
1401              it resends the original message, which may contain undesired at‐
1402              tachments.   Also,  you  should not call this function from fil‐
1403              ter(), because it resends the message each time  it  is  called.
1404              This  may  result  in  multiple copies being sent if you are not
1405              careful.  Call from filter_begin() or filter_end() to be safe.
1406
1407              The function returns true on success, or false if it fails.
1408
1409              Note that the resend_message function delivers the mail  in  de‐
1410              ferred  mode  (using  Sendmail's  "-odd"  flag.)  You must run a
1411              client-submission queue processor if you use Sendmail 8.12.   We
1412              recommend executing this command as part of the Sendmail startup
1413              sequence:
1414
1415                   sendmail -Ac -q5m
1416
1417
1418       remove_redundant_html_parts($entity)
1419              This function should only be called from filter_end.  It removes
1420              redundant HTML parts from the message.  It works by deleting any
1421              part of type text/html from the message if (1) it is a  sub-part
1422              of  a  multipart/alternative part, and (2) there is another part
1423              of type text/plain under the multipart/alternative part.
1424
1425
1426       replace_entire_message($entity)
1427              This function can only be called from filter_end.   It  replaces
1428              the  entire message with $entity, a MIME::Entity object that you
1429              have constructed.  You can use any of the MIME::Tools  functions
1430              to construct the entity.
1431
1432
1433       read_commands_file()
1434              This  function should only be called from filter_sender and fil‐
1435              ter_recipient. This will read the COMMANDS file (as described in
1436              mimedefang-protocol(7)),  and  will fill or update the following
1437              global variables: $Sender, @Recipients, %RecipientMailers,  $Re‐
1438              layAddr,   $RealRelayAddr,  $RelayHostname,  $RealRelayHostname,
1439              $QueueID, $Helo, %SendmailMacros.
1440
1441              If you do not call read_commands_file, then the only information
1442              available in filter_sender and filter_recipient is that which is
1443              passed as an argument to the function.
1444
1445
1446       stream_by_domain()
1447              Do not use this function unless you have Sendmail 8.12  and  lo‐
1448              cally- submitted e-mail is submitted using SMTP.
1449
1450              This  function  should  only  be called at the very beginning of
1451              filter_begin(), like this:
1452
1453                   sub filter_begin {
1454                        if (stream_by_domain()) {
1455                             return;
1456                        }
1457                        # Rest of filter_begin
1458                   }
1459
1460              stream_by_domain() looks at all the recipients of  the  message,
1461              and  if  they  belong  to the same domain (e.g., joe@domain.com,
1462              jane@domain.com and sue@domain.com), it returns 0 and  sets  the
1463              global  variable $Domain to the domain (domain.com in this exam‐
1464              ple.)
1465
1466              If users are in different  domains,  stream_by_domain()  resends
1467              the  message (once to each domain) and returns 1 For example, if
1468              the  original  recipients  are  joe@abc.net,  jane@xyz.net   and
1469              sue@abc.net,  the  original message is resent twice: One copy to
1470              joe@abc.net and sue@abc.net, and another copy  to  jane@xyz.net.
1471              Also,  any  subsequent  scanning  is canceled (filter() and fil‐
1472              ter_end() will not be called for the original message)  and  the
1473              message is silently discarded.
1474
1475              If  you  have Sendmail 8.12, then locally-submitted messages are
1476              sent via SMTP, and MIMEDefang will be  called  for  each  resent
1477              message.  It is possible to set up Sendmail 8.12 so locally-sub‐
1478              mitted  messages  are  delivered   directly;   in   this   case,
1479              stream_by_domain will not work.
1480
1481              Using stream_by_domain allows you to customize your filter rules
1482              for each domain.  If you use the function  as  described  above,
1483              you can do this in your filter routine:
1484
1485                   sub filter {
1486                        my($entity, $fname, $ext, $type) = @_;
1487                        if ($Domain eq "abc.com") {
1488                             # Filter actions for abc.com
1489                        } elsif ($Domain eq "xyz.com") {
1490                             # Filter actions for xyz.com
1491                        } else {
1492                             # Default filter actions
1493                        }
1494                   }
1495
1496              You  cannot  rely  on  $Domain  being set unless you have called
1497              stream_by_domain().
1498
1499
1500       stream_by_recipient()
1501              Do not use this function unless you have Sendmail 8.12  and  lo‐
1502              cally- submitted e-mail is submitted using SMTP.
1503
1504              This  function  should  only  be called at the very beginning of
1505              filter_begin(), like this:
1506
1507                   sub filter_begin {
1508                        if (stream_by_recipient()) {
1509                             return;
1510                        }
1511                        # Rest of filter_begin
1512                   }
1513
1514              If there is more than one recipient,  stream_by_recipient()  re‐
1515              sends  the  message  once  to each recipient.  That way, you can
1516              customize your filter rules on a per-recipient basis.  This  may
1517              increase the load on your mail server considerably.
1518
1519              Also,  a  "recipient"  is determined before alias expansion.  So
1520              "all@mydomain.com" is considered a  single  recipient,  even  if
1521              Sendmail delivers to a list.
1522
1523              If  you  have Sendmail 8.12, then locally-submitted messages are
1524              sent via SMTP, and MIMEDefang will be  called  for  each  resent
1525              message.  It is possible to set up Sendmail 8.12 so locally-sub‐
1526              mitted  messages  are  delivered   directly;   in   this   case,
1527              stream_by_recipient() will not work.
1528
1529              stream_by_recipient()  allows you to customize your filter rules
1530              for each recipient in a manner similar to stream_by_domain().
1531
1532

LOGGING

1534       md_graphdefang_log_enable($facility, $enum_recips)
1535              Enables the md_graphdefang_log function (described  next).   The
1536              function  logs  to  syslog using the specified facility.  If you
1537              omit $facility, it defaults to  'mail'.   If  you  do  not  call
1538              md_graphdefang_log_enable  in  your  filter,  then  any calls to
1539              md_graphdefang_log simply do nothing.
1540
1541              If you supply $enum_recips as 1, then a line of logging is  out‐
1542              put  for  each recipient of a mail message.  If it is zero, then
1543              only a single line is output for  each  message.   If  you  omit
1544              $enum_recips, it defaults to 1.
1545
1546
1547       md_graphdefang_log($event, $v1, $v2)
1548              Logs  an  event  with  up to two optional additional parameters.
1549              The log message has a specific format useful for graphing tools;
1550              the message looks like this:
1551
1552                   MDLOG,msgid,event,v1,v2,sender,recipient,subj
1553
1554              "MDLOG"  is literal text.  "msgid" is the Sendmail queue identi‐
1555              fier.  "event" is the event name, and "v1" and "v2" are the  ad‐
1556              ditional  parameters.   "sender" is the sender's e-mail address.
1557              "recipient" is the recipient's e-mail address, and "subj" is the
1558              message  subject.   If  a  message  has more than one recipient,
1559              md_graphdefang_log may log an event message for each  recipient,
1560              depending on how you called md_graphdefang_log_enable.
1561
1562              Note that md_graphdefang_log should not be used in filter_relay,
1563              filter_sender or filter_recipient.  The global variables it  re‐
1564              lies on are not valid in that context.
1565
1566              If  you want to log general text strings, do not use md_graphde‐
1567              fang_log.  Instead, use md_syslog (described next).
1568
1569
1570       md_syslog($level, $msg)
1571              Logs the message $msg to syslog, using level $level.  The  level
1572              is a literal string, and should be one of 'err', 'debug', 'warn‐
1573              ing', ´emerg', 'crit', 'notice' or 'info'.  (See  syslog(3)  for
1574              details.)
1575
1576              Note  that  md_syslog  does not perform %-subsitutions like sys‐
1577              log(3) does.  Depending on  your  Perl  installation,  md_syslog
1578              boils  down  to  a  call  to  Unix::Syslog::syslog  or Sys::Sys‐
1579              log::syslog.  See the Unix::Syslog or Sys::Syslog man pages  for
1580              more details.
1581
1582
1583       md_openlog($tag, $facility)
1584              Sets the tag used in syslog messages to $tag, and sends the logs
1585              to the $facility facility.  If you do not call md_openlog before
1586              you  call  md_syslog, then it is called implicitly with $tag set
1587              to mimedefang.pl and $facility set to mail.
1588
1589

RBL LOOKUP FUNCTIONS

1591       mimedefang.pl includes the following functions for looking  up  IP  ad‐
1592       dresses   in  DNS-based  real-time  blacklists.   Note  that  the  "re‐
1593       lay_is_blacklisted" functions are deprecated and may be  removed  in  a
1594       future  release.  Instead, you should use the module Net::DNSBL::Client
1595       from CPAN.
1596
1597
1598       relay_is_blacklisted($relay, $domain)
1599              This checks a DNS-based real-time spam  blacklist,  and  returns
1600              true  if the relay host is blacklisted, or false otherwise.  (In
1601              fact, the return value is whatever the blacklist  returns  as  a
1602              resolved hostname, such as "127.0.0.4")
1603
1604              Note  that  relay_is_blacklisted uses the built-in gethostbyname
1605              function; this is usually quite inefficient and does not  permit
1606              you to set a timeout on the lookup.  Instead, we recommend using
1607              one of the other DNS lookup function described in this  section.
1608              (Note,  though,  that  the  other  functions  require  the  Perl
1609              Net::DNS module, whereas relay_is_blacklisted does not.)
1610
1611              Here's an example of how to use relay_is_blacklisted:
1612
1613                   if (relay_is_blacklisted($RelayAddr, "rbl.spamhaus.org")) {
1614                        action_add_header("X-Blacklist-Warning",
1615                               "Relay $RelayAddr is blacklisted by Spamhaus");
1616                   }
1617
1618
1619       relay_is_blacklisted_multi($relay,  $timeout,  $answers_wanted,   [$do‐
1620       main1, $domain2, ...], $res)
1621              This function is similar to relay_is_blacklisted, except that it
1622              takes a timeout argument (specified in seconds) and an array  of
1623              domains  to check.  The function checks all domains in parallel,
1624              and is guaranteed to return in $timeout seconds.  (Actually,  it
1625              may take up to one second longer.)
1626
1627              The parameters are:
1628
1629              $relay -- the IP address you want to look up
1630
1631              $timeout -- a timeout in seconds after which the function should
1632              return
1633
1634              $answers_wanted -- the maximum number of  positive  answers  you
1635              care  about.  For example, if you're looking up an address in 10
1636              different RBLs, but are going to bounce it if it is on  four  or
1637              more, you can set $answers_wanted to 4, and the function returns
1638              as soon  as  four  "hits"  are  discovered.   If  you  set  $an‐
1639              swers_wanted to zero, then the function does not return early.
1640
1641              [$domain1, $domain2, ...] -- a reference to an array of strings,
1642              where each string is an RBL domain.
1643
1644              $res -- a Net::DNS::Resolver object.  This argument is optional;
1645              if  you  do  not supply it, then relay_is_blacklisted_multi con‐
1646              structs its own resolver.
1647
1648              The return value is a reference to a hash; the keys of the  hash
1649              are  the  original domains, and the corresponding values are ei‐
1650              ther SERVFAIL, NXDOMAIN, or a list of IP  addresses  in  dotted-
1651              quad notation.
1652
1653              Here's an example:
1654
1655                  $ans = relay_is_blacklisted_multi($RelayAddr, 8, 0,
1656                      ["sbl.spamhaus.org", "relays.ordb.org"]);
1657
1658                  foreach $domain (keys(%$ans)) {
1659                      $r = $ans->{$domain};
1660                      if (ref($r) eq "ARRAY") {
1661                          # It's an array -- it IS listed in RBL
1662                          print STDERR "Lookup in $domain yields [ ";
1663                          foreach $addr (@$r) {
1664                              print STDERR $addr . " ";
1665                          }
1666                          print STDERR "]\n";
1667                      } else {
1668                          # It is NOT listed in RBL
1669                          print STDERR "Lookup in $domain yields "
1670                                       . $ans->{$domain} . "\n";
1671                      }
1672                  }
1673
1674              You  should  compare  each  of $ans->{$domain} to "SERVFAIL" and
1675              "NXDOMAIN" to see if the relay is not listed.  Any other  return
1676              value will be an array of IP addresses indicating that the relay
1677              is listed.
1678
1679              Any lookup that does not succeed within $timeout seconds has the
1680              corresponding return value set to SERVFAIL.
1681
1682
1683       relay_is_blacklisted_multi_list($relay,    $timeout,   $answers_wanted,
1684       [$domain1, $domain2, ...], $res)
1685              This function is similar  to  relay_is_blacklisted_multi  except
1686              that the return value is simply an array of RBL domains in which
1687              the relay was listed.
1688
1689
1690       relay_is_blacklisted_multi_count($relay,   $timeout,   $answers_wanted,
1691       [$domain1, $domain2, ...], $res)
1692              This  function  is  similar to relay_is_blacklisted_multi except
1693              that the return value is an integer specifying the number of do‐
1694              mains on which the relay was blacklisted.
1695
1696
1697       md_get_bogus_mx_hosts($domain)
1698
1699              This  function looks up all the MX records for the specified do‐
1700              main (or A records if there are no MX  records)  and  returns  a
1701              list  of "bogus" IP addresses found amongst the records.  A "bo‐
1702              gus"  IP  address  is  an  IP  address  in  a  private   network
1703              (10.0.0.0/8,  172.16.0.0/12,  192.168.0.0/16), the loopback net‐
1704              work (127.0.0.0/8), local-link for  auto-DHCP  (169.254.0.0/16),
1705              IPv4 multicast (224.0.0.0/4) or reserved (240.0.0.0/4).
1706
1707
1708       Here's how you might use the function in filter_sender:
1709
1710       sub filter_sender {
1711           my ($sender, $ip, $hostname, $helo) = @_;
1712           if ($sender =~ /@([^>]+)/) {
1713               my $domain = $1;
1714               my @bogushosts = md_get_bogus_mx_hosts($domain);
1715               if (scalar(@bogushosts)) {
1716                   return('REJECT', "Domain $domain contains bogus MX record(s) " .
1717                          join(', ', @bogushosts));
1718               }
1719           }
1720           return ('CONTINUE', 'ok');
1721       }
1722
1723

TEST FUNCTIONS

1725       mimedefang.pl includes some "test" functions:
1726
1727
1728       md_version()
1729              returns  the  version  of  MIMEDefang  as a string (for example,
1730              "3.3").
1731
1732
1733       message_rejected()
1734              Returns true if any of  action_tempfail,  action_bounce  or  ac‐
1735              tion_discard  have  been  called for this message; returns false
1736              otherwise.
1737
1738
1739       If  you  have  the  Mail::SpamAssassin  Perl  module   installed   (see
1740       https://spamassassin.apache.org)  you  may  call any of the spam_assas‐
1741       sin_* functions.  They should only be called from filter_begin or  fil‐
1742       ter_end because they operate on the entire message at once.  Most func‐
1743       tions use an optionally provided config file.  If  no  config  file  is
1744       provided,  mimedefang.pl will look for one of four default SpamAssassin
1745       preference files.  The first of the following found will be used:
1746
1747
1748       o      /etc/mail/sa-mimedefang.cf
1749
1750       o      /etc/mail/spamassassin/sa-mimedefang.cf
1751
1752       o      /etc/mail/spamassassin/local.cf
1753
1754       o      /etc/mail/spamassassin.cf
1755
1756
1757       Important Note:  MIMEDefang does not permit SpamAssassin to modify mes‐
1758       sages.   If you want to tag spam messages with special headers or alter
1759       the subject line, you must use MIMEDefang functions to do it.   Setting
1760       SpamAssassin configuration options to alter messages will not work.
1761
1762
1763       spam_assassin_is_spam([ $config_file ])
1764              Determine  if  the  current message is SPAM/UCE as determined by
1765              SpamAssassin.  Compares the score of  the  message  against  the
1766              threshold  score  (see  below)  and returns true if it is.  Uses
1767              spam_assassin_check below.
1768
1769
1770       spam_assassin_check([ $config_file ])
1771              This function returns a four-element list of  the  form  ($hits,
1772              $required,  $tests, $report).  $hits is the "score" given to the
1773              message by SpamAssassin (higher score means more  likely  SPAM).
1774              $required  is  the  number  of hits required before SpamAssassin
1775              concludes that the message is SPAM.  $tests is a comma-separated
1776              list  of  SpamAssassin test names, and $report is text detailing
1777              which tests triggered and their point score.  This gives you in‐
1778              sight  into why SpamAssassin concluded that the message is SPAM.
1779              Uses spam_assassin_status below.
1780
1781
1782       spam_assassin_status([ $config_file ])
1783              This function returns a Mail::SpamAssasin::PerMsgStatus  object.
1784              Read  the  SpamAssassin documentation for details about this ob‐
1785              ject.  You are responsible for calling the  finish  method  when
1786              you  are  done with it.  Uses spam_assassin_init and spam_assas‐
1787              sin_mail below.
1788
1789
1790       spam_assassin_init([ $config_file ])
1791              This function returns the new global  Mail::SpamAssassin  object
1792              with  the  specified or default config (outlined above).  If the
1793              global object is already defined, returns it -- does not  change
1794              config  files!   The object can be used to perform other SpamAs‐
1795              sassin related functions.
1796
1797
1798       spam_assassin_mail()
1799              This function returns a  Mail::SpamAssassin::NoMailAudit  object
1800              with  the current email message contained in it.  It may be used
1801              to perform other SpamAssassin related functions.
1802
1803
1804       rspamd_check([ $uri ]) *experimental*
1805              This function returns a six-element list  of  the  form  ($hits,
1806              $required,  $tests,  $report,  $action, $is_spam).  $hits is the
1807              "score" given to the message by Rspamd (higher score means  more
1808              likely  SPAM).  $required  is the number of hits required before
1809              Rspamd concludes that the message is SPAM.  $tests is a list  of
1810              Rspamd  test  names,  and  $report is text detailing which tests
1811              triggered and their point score.  If JSON and  LWP  modules  are
1812              present  $report  will  be  a json string; $action is the action
1813              that rspamd(8) wants to apply and $is_spam is  a  boolean  value
1814              (true/false)  that  determines  if  the  message is spam or not.
1815              This gives you insight into why Rspamd concluded that  the  mes‐
1816              sage is SPAM.
1817
1818
1819       md_copy_orig_msg_to_work_dir()
1820              Normally,  virus-scanners  are passed only the unpacked, decoded
1821              parts of a MIME message.  If you want to pass the original,  un‐
1822              decoded  message  in  as well, call md_copy_orig_msg_to_work_dir
1823              prior to calling message_contains_virus.
1824
1825
1826       md_copy_orig_msg_to_work_dir_as_mbox_file()
1827              Normally, virus-scanners are passed only the  unpacked,  decoded
1828              parts  of a MIME message.  If you want to pass the original, un‐
1829              decoded  message  in  as  a   UNIX-style   "mbox"   file,   call
1830              md_copy_orig_msg_to_work_dir_as_mbox_file  prior to calling mes‐
1831              sage_contains_virus.  The only difference between this  function
1832              and  md_copy_orig_msg_to_work_dir is that this function prepends
1833              a "From_" line to make the message look like a  UNIX-style  mbox
1834              file.   This  is  required for some virus scanners (such as Clam
1835              AntiVirus) to recognize the file as an e-mail message.
1836
1837
1838       message_contains_virus()
1839              This function runs every installed virus-scanner and returns the
1840              scanner results.  The function should be called in list context;
1841              the return value is a three-element list ($code, $category, $ac‐
1842              tion).
1843
1844              $code is the actual return code from the virus scanner.
1845
1846              $category is a string categorizing the return code:
1847
1848              "ok" - no viruses detected.
1849
1850              "not-installed" - indicated virus scanner is not installed.
1851
1852              "cannot-execute" - for some reason, the scanner could not be ex‐
1853              ecuted.
1854
1855              "virus" - a virus was found.
1856
1857              "suspicious" - a "suspicious" file was found.
1858
1859              "interrupted" - scanning was interrupted.
1860
1861              "swerr" - an internal scanner software error occurred.
1862
1863              $action is a string containing the recommended action:
1864
1865              "ok" - allow the message through unmolested.
1866
1867              "quarantine" - a virus was detected; quarantine it.
1868
1869              "tempfail" - something went wrong; tempfail the message.
1870
1871
1872
1873       message_contains_virus_trend()
1874
1875       message_contains_virus_nai()
1876
1877       message_contains_virus_bdc()
1878
1879       message_contains_virus_nvcc()
1880
1881       message_contains_virus_csav()
1882
1883       message_contains_virus_fsav()
1884
1885       message_contains_virus_hbedv()
1886
1887       message_contains_virus_vexira()
1888
1889       message_contains_virus_sophos()
1890
1891       message_contains_virus_clamav()
1892
1893       message_contains_virus_clamdscan()
1894
1895       message_contains_virus_avp()
1896
1897       message_contains_virus_avp5()
1898
1899       message_contains_virus_fprot()
1900
1901       message_contains_virus_fpscan()
1902
1903       message_contains_virus_fprotd()
1904
1905       message_contains_virus_fprotd_v6()
1906
1907       message_contains_virus_nod32()
1908
1909              These functions should be called in list context.  They use  the
1910              indicated  anti-virus  software to scan the message for viruses.
1911              These functions are intended for use in filter_begin()  to  make
1912              an initial scan of the e-mail message.
1913
1914              The supported virus scanners are:
1915
1916       nai    NAI "uvscan" - http://www.nai.com/
1917
1918       Bitdefender "bdc" - http://www.bitdefender.com/
1919
1920       csav   Command Anti-Virus - http://www.commandsoftware.com/
1921
1922       fsav   F-Secure Anti-Virus - http://www.f-secure.com/
1923
1924       hbedv  H+BEDV "AntiVir" - http://www.hbedv.com/
1925
1926       vexira Vexira "Vexira" - http://www.centralcommand.com/
1927
1928       sophos Sophos AntiVirus - http://www.sophos.com/
1929
1930       avp    Kaspersky AVP and aveclient (AVP5) - http://www.avp.ru/
1931
1932       clamav Clam AntiVirus - https://www.clamav.net/
1933
1934       f-prot F-RISK F-PROT - http://www.f-prot.com/
1935
1936       nod32cli
1937              ESET NOD32 - http://www.eset.com/
1938
1939
1940       message_contains_virus_carrier_scan([$host])
1941              Connects  to  the specified host:port:local_or_nonlocal (default
1942              $CSSHost), where the Symantec CarrierScan Server daemon  is  ex‐
1943              pected to be listening.  Return values are the same as the other
1944              message_contains_virus functions.
1945
1946
1947       message_contains_virus_sophie([$sophie_sock])
1948              Connects to the specified socket  (default  $SophieSock),  where
1949              the  Sophie  daemon  is expected to be listening.  Return values
1950              are the same as the other message_contains_virus functions.
1951
1952
1953       message_contains_virus_clamd([$clamd_sock])
1954              Connects to the specified socket (default $ClamdSock), where the
1955              clamd daemon is expected to be listening.  Return values are the
1956              same as the other message_contains_virus functions.
1957
1958
1959       message_contains_virus_trophie([$trophie_sock])
1960              Connects to the specified socket (default  $TrophieSock),  where
1961              the  Trophie  daemon is expected to be listening.  Return values
1962              are the same as the other message_contains_virus functions.
1963
1964
1965       entity_contains_virus($entity)
1966
1967              This function runs the specified MIME::Entity through every  in‐
1968              stalled  virus-scanner and returns the scanner results.  The re‐
1969              turn values are the same as for message_contains_virus().
1970
1971
1972       entity_contains_virus_trend($entity)
1973
1974       entity_contains_virus_nai($entity)
1975
1976       entity_contains_virus_bdc($entity)
1977
1978       entity_contains_virus_nvcc($entity)
1979
1980       entity_contains_virus_csav($entity)
1981
1982       entity_contains_virus_fsav($entity)
1983
1984       entity_contains_virus_hbedv($entity)
1985
1986       entity_contains_virus_sophos($entity)
1987
1988       entity_contains_virus_clamav($entity)
1989
1990       entity_contains_virus_clamdscan($entity)
1991
1992       entity_contains_virus_avp($entity)
1993
1994       entity_contains_virus_avp5($entity)
1995
1996       entity_contains_virus_fprot($entity)
1997
1998       entity_contains_virus_fpscan($entity)
1999
2000       entity_contains_virus_fprotd($entity)
2001
2002       entity_contains_virus_fprotd_v6($entity)
2003
2004       entity_contains_virus_nod32($entity)
2005              These functions, meant to be called from filter(),  are  similar
2006              to  the  message_contains_virus  functions except they scan only
2007              the current part.  They should be called from list context,  and
2008              their  return  values  are  as  described  for  the message_con‐
2009              tains_virus functions.
2010
2011
2012       entity_contains_virus_carrier_scan($entity[, $host])
2013              Connects to the specified  host:port:local_or_nonlocal  (default
2014              $CSSHost),  where  the Symantec CarrierScan Server daemon is ex‐
2015              pected to be listening.  Return values are the same as the other
2016              entity_contains_virus functions.
2017
2018
2019       entity_contains_virus_sophie($entity[, $sophie_sock])
2020              Connects  to  the  specified socket (default $SophieSock), where
2021              the Sophie daemon is expected to be  listening.   Return  values
2022              are the same as the other entity_contains_virus functions.
2023
2024
2025       entity_contains_virus_trophie($entity[, $trophie_sock])
2026              Connects  to  the specified socket (default $TrophieSock), where
2027              the Trophie daemon is expected to be listening.   Return  values
2028              are the same as the other entity_contains_virus functions.
2029
2030
2031       entity_contains_virus_clamd($entity[, $clamd_sock])
2032              Connects to the specified socket (default $ClamdSock), where the
2033              clamd daemon is expected to be listening.  Return values are the
2034              same as the other entity_contains_virus functions.
2035
2036

SMTP FLOW

2038       This section illustrates the flow of messages through MIMEDefang.
2039
2040
2041       1. INITIAL CONNECTION
2042              If  you invoked mimedefang with the -r option and have defined a
2043              filter_relay routine, it is called.
2044
2045
2046       2. SMTP HELO COMMAND
2047              The HELO string is stored internally, but  no  filter  functions
2048              are called.
2049
2050
2051       3. SMTP MAIL FROM: COMMAND
2052              If  you invoked mimedefang with the -s option and have defined a
2053              filter_sender routine, it is called.
2054
2055
2056       4. SMTP RCPT TO: COMMAND
2057              If you invoked mimedefang with the -t option and have defined  a
2058              filter_recipient routine, it is called.
2059
2060
2061       5. END OF SMTP DATA
2062              filter_begin  is  called.  For each MIME part, filter is called.
2063              Then filter_end is called.
2064
2065

PRESERVING RELAY INFORMATION

2067       Most organizations have more than one machine handling internet e-mail.
2068       If  the primary machine is down, mail is routed to a secondary (or ter‐
2069       tiary, etc.) MX server, which stores the mail until the primary MX host
2070       comes back up.  Mail is then relayed to the primary MX host.
2071
2072
2073       Relaying from a secondary to a primary MX host has the unfortunate side
2074       effect of losing the original relay's IP address information.   MIMEDe‐
2075       fang allows you to preserve this information.  One way around the prob‐
2076       lem is to run MIMEDefang on all the secondary MX hosts and use the same
2077       filter.  However, you may not have control over the secondary MX hosts.
2078       If you can persuade the owners of the secondary MX hosts to run MIMEDe‐
2079       fang  with  a  simple  filter that only preserves relay information and
2080       does no other scanning, your primary MX host can obtain relay  informa‐
2081       tion and make decisions using $RelayAddr and $RelayHostname.
2082
2083
2084       When you configure MIMEDefang, supply the "--with-ipheader" argument to
2085       the ./configure script.  When you install  MIMEDefang,  a  file  called
2086       /etc/mail/mimedefang-ip-key  will be created which contains a randomly-
2087       generated header name.  Copy this file to all of your mail relays.   It
2088       is  important  that  all  of  your MX hosts have the same key.  The key
2089       should be kept confidential, but it's not disastrous if it leaks out.
2090
2091
2092       On your secondary MX hosts, add this line to filter_end:
2093
2094            add_ip_validation_header();
2095
2096
2097       Note:  You should only add the validation header to mail  destined  for
2098       one of your other MX hosts!  Otherwise, the validation header will leak
2099       out.
2100
2101
2102       When the secondary MX hosts relay to the primary  MX  host,  $RelayAddr
2103       and  $RelayHostname  will be set based on the IP validation header.  If
2104       MIMEDefang notices this header, it sets the global variable  $WasResent
2105       to  1.   Since  you don't want to trust the header unless it was set by
2106       one of your secondary MX hosts, you should put this code in  filter_be‐
2107       gin:
2108
2109            if ($WasResent) {
2110                 if ($RealRelayAddr ne "ip.of.secondary.mx" and
2111                     $RealRelayAddr ne "ip.of.tertiary.mx") {
2112                      $RelayAddr = $RealRelayAddr;
2113                      $RelayHostname = $RealRelayHostname;
2114                 }
2115            }
2116
2117       This  resets the relay address and hostname to the actual relay address
2118       and hostname, unless the message is coming from one of  your  other  MX
2119       hosts.
2120
2121
2122       On the primary MX host, you should add this in filter_begin:
2123
2124            delete_ip_validation_header();
2125
2126
2127       This prevents the validation header from leaking out to recipients.
2128
2129
2130       Note:  The  IP  validation  header works only in message-oriented func‐
2131       tions.  It (obviously) has no effect on filter_relay, filter_sender and
2132       filter_recipient,  because no header information is available yet.  You
2133       must take this into account when writing your filter;  you  must  defer
2134       relay-based decisions to the message filter for mail arriving from your
2135       other MX hosts.
2136
2137

GLOBAL VARIABLE LIFETIME

2139       The following list describes the lifetime of global  variables  (thanks
2140       to Tony Nugent for providing this documentation.)
2141
2142       If you set a global variable:
2143
2144
2145       Outside a subroutine in your filter file
2146              It is available to all functions, all the time.
2147
2148
2149       In filter_relay, filter_sender or filter_recipient
2150              Not  guaranteed  to be available to any other function, not even
2151              from one filter_recipient call to the  next,  when  receiving  a
2152              multi-recipient email message.
2153
2154
2155       In filter_begin
2156              Available to filter_begin, filter and filter_end
2157
2158
2159       In filter
2160              Available to filter and filter_end
2161
2162
2163       In filter_end
2164              Available within filter_end
2165
2166
2167       The  "built-in"  globals like $Subject, $Sender, etc. are always avail‐
2168       able to filter_begin, filter and filter_end. Some are available to fil‐
2169       ter_relay,  filter_sender or filter_recipient, but you should check the
2170       documentation of the variable above for details.
2171
2172

MAINTAINING STATE

2174       There are four basic groups of filtering functions:
2175
2176
2177       1      filter_relay
2178
2179
2180       2      filter_sender
2181
2182
2183       3      filter_recipient
2184
2185
2186       4      filter_begin, filter, filter_multipart, filter_end
2187
2188
2189       In general, for a given mail message, these groups of functions may  be
2190       called  in  completely different Perl processes.  Thus, there is no way
2191       to maintain state inside Perl between groups of  functions.   That  is,
2192       you cannot set a variable in filter_relay and expect it to be available
2193       in filter_sender, because the filter_sender invocation might take place
2194       in a completely different process.
2195
2196
2197       For a given mail message, it is always the case that filter_begin, fil‐
2198       ter, filter_multipart and  filter_end  are  called  in  the  same  Perl
2199       process.   Therefore, you can use global variables to carry state among
2200       those functions.  You should be very careful to initialize  such  vari‐
2201       ables  in  filter_begin to ensure no data leaks from one message to an‐
2202       other.
2203
2204
2205       Also for a given mail message, the $CWD global variable holds the  mes‐
2206       sage spool directory, and the current working directory is set to $CWD.
2207       Therefore, you can store state in files inside $CWD.  If  filter_sender
2208       stores  data  in a file inside $CWD, then filter_recipient can retrieve
2209       that data.
2210
2211
2212       Since filter_relay is called directly after a mail connection is estab‐
2213       lished,  there  is  no  message  context yet, no per-message mimedefang
2214       spool directory, and the $CWD global is not set. Therefore, it  is  not
2215       possible  to  share  information  from filter_relay to one of the other
2216       filter functions. The only thing that filter_relay has in  common  with
2217       the  other functions are the values in the globals $RelayAddr, and $Re‐
2218       layHostname. These could be used to access per-remote-host  information
2219       in some database.
2220
2221
2222       Inside $CWD, we reserve filenames beginning with upper-case letters for
2223       internal MIMEDefang use.  If you want to create files to  store  state,
2224       name  them beginning with a lower-case letter to avoid clashes with fu‐
2225       ture releases of MIMEDefang.
2226
2227

SOCKET MAPS

2229       If you have Sendmail 8.13 or later, and have compiled it with the SOCK‐
2230       ETMAP  option,  then  you  can use a special map type that communicates
2231       over a socket with another program (rather than looking up a key  in  a
2232       Berkeley database, for example.)
2233
2234
2235       mimedefang-multiplexor  implements  the  Sendmail SOCKETMAP protocol if
2236       you supply the -N option.  In that case,  you  can  define  a  function
2237       called filter_map to implement map lookups.  filter_map takes two argu‐
2238       ments:  $mapname is the name of the Sendmail map (as  given  in  the  K
2239       sendmail configuration directive), and $key is the key to be looked up.
2240
2241
2242       filter_map  must  return a two-element list: ($code, $val) $code can be
2243       one of:
2244
2245
2246       OK     The lookup was successful.  In this case, $val must be  the  re‐
2247              sult of the lookup
2248
2249
2250       NOTFOUND
2251              The  lookup  was unsuccessful -- the key was not found.  In this
2252              case, $val should be the empty string.
2253
2254
2255       TEMP   There was a temporary failure of some kind.  $val can be an  ex‐
2256              planatory error message.
2257
2258
2259       TIMEOUT
2260              There  was  a  timeout of some kind.  $val can be an explanatory
2261              error message.
2262
2263
2264       PERM   There was a permanent failure.  This is not the same as  an  un‐
2265              successful  lookup; it should be used only to indicate a serious
2266              misconfiguration.  As before, $val can be an  explanatory  error
2267              message.
2268
2269
2270       Consider  this small example.  Here is a minimal Sendmail configuration
2271       file:
2272
2273            V10/Berkeley
2274            Kmysock socket unix:/var/spool/MIMEDefang/map.sock
2275            kothersock socket unix:/var/spool/MIMEDefang/map.sock
2276
2277
2278       If  mimedefang-multiplexor   is   invoked   with   the   arguments   -N
2279       unix:/var/spool/MIMEDefang/map.sock,  and the filter defines filter_map
2280       as follows:
2281
2282            sub filter_map ($$) {
2283                my($mapname, $key) = @_;
2284                my $ans;
2285                if($mapname ne "mysock") {
2286                    return("PERM", "Unknown map $mapname");
2287                }
2288                $ans = reverse($key);
2289                return ("OK", $ans);
2290            }
2291
2292       Then in Sendmail's testing mode, we see the following:
2293
2294            > /map mysock testing123
2295            map_lookup: mysock (testing123) returns 321gnitset (0)
2296            > /map othersock foo
2297            map_lookup: othersock (foo) no match (69)
2298
2299
2300       (The return code of 69 means EX_UNAVAILABLE or Service Unavailable)
2301
2302
2303       A real-world example could do map lookups in an LDAP directory  or  SQL
2304       database, or perform other kinds of processing.  You can even implement
2305       standard Sendmail maps like virtusertable, mailertable, access_db, etc.
2306       using SOCKETMAP.
2307
2308

TICK REQUESTS

2310       If  you  supply  the -X option to mimedefang-multiplexor, then every so
2311       often, a "tick" request is sent to a free worker.  If your  filter  de‐
2312       fines  a function called filter_tick, then this function is called with
2313       a single argument: the tick type.  If you run multiple parallel  ticks,
2314       then  each tick has a type ranging from 0 to n-1, where n is the number
2315       of parallel ticks.  If you're only running one tick request,  then  the
2316       argument to filter_tick is always 0.
2317
2318       You can use this facility to run periodic tasks from within MIMEDefang.
2319       Note, however, that you have no control over which worker is picked  to
2320       run  filter_tick.  Also, at most one filter_tick call with a particular
2321       "type" argument will be active at any time, and if there  are  no  free
2322       workers when a tick would occur, the tick is skipped.
2323
2324

SUPPORTED VIRUS SCANNERS

2326       The following virus scanners are supported by MIMEDefang:
2327
2328
2329       o      Symantec    CarrierScan    Server   (http://www.symantec.com/re
2330              gion/can/eng/product/scs/)
2331
2332
2333       o      Trend Micro vscan (http://www.antivirus.com/)
2334
2335
2336       o      Sophos   Sweep   (http://www.sophos.com/products/antivirus/savu
2337              nix.html)
2338
2339
2340       o      H+BEDV AntiVir (http://www.hbedv.com/)
2341
2342
2343       o      Central Command Vexira (http://www.centralcommand.com/)
2344
2345
2346       o      NAI uvscan (http://www.nai.com)
2347
2348
2349       o      Bitdefender bdc (http://www.bitdefender.com)
2350
2351
2352       o      Norman Virus Control (NVCC) (http://www.norman.no/)
2353
2354
2355       o      Command csav (http://www.commandsoftware.com)
2356
2357
2358       o      F-Secure fsav (http://www.f-secure.com)
2359
2360
2361       o      The  clamscan  and clamdscan command-line scanners and the clamd
2362              daemon from Clam AntiVirus (https://www.clamav.net/)
2363
2364
2365       o      Kaspersky Anti-Virus (AVP) (http://www.kaspersky.com/)
2366
2367
2368       o      F-Risk F-Prot (http://www.f-prot.com/)
2369
2370
2371       o      F-Risk F-Prot v6 (http://www.f-prot.com/)
2372
2373
2374
2375       o      F-Risk FPROTD (daemonized version of F-Prot)
2376
2377
2378       o      Symantec    CarrierScan    Server    (http://www.symantec.ca/re
2379              gion/can/eng/product/scs/buymenu.html)
2380
2381
2382       o      Sophie (http://www.vanja.com/tools/sophie/), which uses the lib‐
2383              savi library from Sophos, is supported in daemon-scanning mode.
2384
2385
2386       o      Trophie (http://www.vanja.com/tools/trophie/),  which  uses  the
2387              libvsapi  library from Trend Micro, is supported in daemon-scan‐
2388              ning mode.
2389
2390
2391       o      ESET NOD32 (http://www.eset.com/)
2392
2393

AUTHORS

2395       mimedefang was written by Dianne Skoll  <dfs@roaringpenguin.com>.   The
2396       mimedefang home page is https://www.mimedefang.org/.
2397
2398

SEE ALSO

2400       mimedefang(8), mimedefang.pl(8), Mail::MIMEDefang(3)
2401
2402
2403
2404
2405
2406
24074th Berkeley Distribution       8 February 2005           MIMEDEFANG-FILTER(5)
Impressum