QMVC - Qmail Mail and Virus Control
QMVC
QMVC is a unidirectional Mail Filter and Virus Scanner for Qmail.
qmvc works in conjunction with the "dot-qmail" mechanism for qmail-local.
It is entirely designed for Qmail and there are no additional patches required for Qmail.
QMVC 1.7
Version 1.7 of QMVC provides the following new features (Release Notes):
- New and unique attachment filter technique based on the loader type recognition of executables ("!NOPASARAN!").
- Native support for the AV Scanner ClamAV (clamscan/clamdscan).
- Modular AV Scanner API to support virtually any AV Scanner.
- The user interface of QMVC 1.7 complies with the CAR principle (see QMVC_17.html).
- qmvcportal allows quick access to all Virtual Domains running with separate qmvc logging.
- qmvcmonth allows automatic backup of all qmvc log files.
- qmvc now includes a badbodytexts command-API to call arbitrary programs, e.g. the plainmail utility.
Usage
qmvc is a Korn-shell script plug-in for qmail-local which is called first from a "dot-qmail" file. This may be a user-specific "dot-qmail" file ~/.qmail or ~/.qmail-default. If the Qmail MTA acts as an Internet E-Mail relay, qmvc is called from Qmail's alias user "dot-qmail" file, in particular through /var/qmail/alias/.qmail-default.
- Example:
- .qmail-default:
|qmvc
#next instructions - .qmail-default:
qmvc accepts four arguments:
- -n
qmvc will consult the control file control/noscantypes to improve execution performance for the external AV Scanners.
- -u
User specific processing. Here, qmvc processes the E-Mail and stores the results in the (local) directory ~/qmvc. If necessary, qmvc creates all subsequent subdirectories. It will use the configuration files in the local control and template directory ("profile"); otherwise the system defaults as fall-back.
- -c BASEDIR
Common qmvc profile according to BASEDIR. qmvc will evaluate the control and perhaps template directory available under BASEDIR, e.g. /home/vpopmail/mydomain/qmvc. Otherwise, qmvc will use the local control and template directory or the system defaults as fall-back.
- -v PREPEND
qmvc is advised that this account is used to host virtualdomain(s) and the prepended Recipient address is to be stripped with the literal value of PREPEND (typically for accounts mapped via the qmail-users mechanism) or with the environment variable USER if PREPEND equals "-" (or: -v-).
Example: For the virtual domain mapped to the local user with home directory /home/domain you define
- .qmail-default:
|qmvc -uv-
./Maildir/
and /home/domain/qmvc/control may be a modified copy of the default /var/qmvc/control directory (see qmvc-control(5)).
qmvc runs with minimal permissions, by default user alias and group nofiles. In case qmvc is called from a specific user, it has the effective rights of this user.
Description
qmvc - invoked from a user's dot-qmail file - filters and scans incoming E-Mails (on descriptor 1). It exits with return code 0; otherwise it exits 99 if the message was filtered, or exits 100 if the message shall be bounced.
This means in the first case, that the E-Mail is processed by the next command or instruction defined in dot-qmail. In the latter case, qmail-local stops the processing of the E-Mail, see qmail-command(8).
qmvc contains the following functional blocks:
- Message parser
analysing the RFC822 Header of the message, and disentangling the MIME and/or UUDECODEd content of the message body, though without trying to unpack embedded archives (e.g. attached zip and tar files).
- Message scanner
reading the "Subject:" line, the body, and interpreting the attachments. Here, the attached filenames are identified in addition with their MIME and their loader types.
- Command-API
integrated in the bodytext filter allows arbitrary programs (e.g. plainmail) to be called.
- Anti-Virus scanners for Unix
using a simple API to call up to four concurrent AV Scanners as external plug-ins. Currently supported are CLAM AV's Clamscan, F-Secure's FSAV, Sophos' SWEEP, NAI/McAfee's UVSCAN, Trend Micro's ISCAN and Computer Associates' InoculateIT.
- Notification report generator
sending on demand multilingual notifications (E-Mails) to the recipient and/or sender of the filtered message respectively, showing the cause why the message was filtered, the message header, and some informational body parts. No notifications are sent for Bounces, Nullsender, and Bulk E-Mails.
- Information report generator
sending on demand messages (E-Mails) to responsible persons.
- Forwarding mechanism
for recognized Badmails and/or Virusmails to dedicated E-Mail addresses for dumping and/or later investigation and analysis.
- Logfile writer
creating a condensed and easily parseable qmvc action line per message and additional incident logs.
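The loader-type check from the message scanner and the exit codes from the Description, as an added example (not QMVC's own code): it judges an already-extracted attachment by its leading magic bytes rather than by its file name and returns the matching dot-qmail exit code. The function names, the POLICY switch and the sample files are assumptions made for this illustration; exit code 111 (soft error, retry later) is taken from qmail-command(8).

```shell
#!/bin/sh
# Added example (not QMVC code). Classifies an already-extracted attachment
# by its leading magic bytes, then maps the result to a dot-qmail exit code.

# loader_type FILE: print pe-dos, elf, script or data; fail if unreadable.
loader_type() {
    [ -r "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        4d5a*)    echo pe-dos ;;  # "MZ": DOS/Windows executable
        7f454c46) echo elf ;;     # "\177ELF": Unix executable
        2321*)    echo script ;;  # "#!": interpreter script
        *)        echo data ;;
    esac
}

# verdict FILE POLICY: return the exit code a dot-qmail filter would use.
# POLICY (hypothetical switch): "drop" filters silently, "bounce" rejects.
verdict() {
    kind=$(loader_type "$1") || return 111   # soft error: qmail retries later
    if [ "$kind" = data ]; then
        return 0                             # next dot-qmail line runs
    elif [ "$2" = bounce ]; then
        return 100                           # hard error: message bounces
    fi
    return 99                                # filtered: later lines are skipped
}

# Constructed samples: the file names deliberately disagree with the content.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'MZ\220\003rest' > "$dir/holiday.jpg"
    printf 'plain text\n'   > "$dir/setup.exe"
    for f in "$dir/holiday.jpg" "$dir/setup.exe"; do
        rc=0; verdict "$f" drop || rc=$?
        echo "${f##*/}: $(loader_type "$f") -> exit $rc"
    done
    rm -rf "$dir"
}
demo
```

An unreadable attachment yields 111 rather than 0, so a scan that could not run defers the message instead of passing it on unchecked.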
Dependencies
In order to use qmvc you have to have:
- a Unix operating system (qmvc was developed under FreeBSD 4.3).
- Qmail 1.03 installed and working.
- Sam Varshavchik's Maildrop (old release version 1.6.3).
- An up-to-date file utility (old working release version 4.0.7).
- Dan Bernstein's UCSPI package (module http@).
- Dan Bernstein's message822 package.
- The Korn-Shell.
Supported UNIX Virus Scan Engines
QMVC has a built-in support for the following Virus Scan Engines:
- The public domain ClamAV Scanner/clam(d)scan
- F-Secure/fsav: (Linux - requires license key; Version 3.x and 4.x in addition with the AVP engine)
- Sophos/sweep: (AIX, Digital Unix/Alpha, FreeBSD/i386, HP-UX, Linux/i386, Linux/Alpha, SCO OpenServer/UnixWare, Solaris Sparc/i386 - trial)
- NAI/McAfee/uvscan: (HP-UX, Linux*, SCO, Solaris, FreeBSD, AIX - trial)
- Trend-Micro/vscan: (Solaris, HP-UX, Linux/i386* - trial)
- Computer Associates/inoculateIT (Linux/i386* - license unknown)
*) runs in FreeBSD 4.x compatibility mode.
Up to four Virus Scan Engines can be used together. They are only loaded into memory if a "positive" attachment is found.
Some more Features
- QMVC supports Qmail's virtual domains and the qmail-users mechanism.
- QMVC allows user (domain) specific "profiles".
- QMVC allows the use of a set of common profiles.
- QMVC recognizes multiple infected E-Mails and Badmails.
- QMVC allows trashing or bouncing E-Mails not complying with RFC (2)822.
- QMVC protects your system from "Virusbombs".
QMVC's command-API
The command-API is particularly useful for calling anti-spam programs, e.g. bogofilter, from within qmvc. The command-API understands qmail-local's address variables ($LOCAL, $RECIPIENT etc.) and thus allows a flexible re-routing of spam emails to different users/mailboxes/Maildirs.
The plainmail utility - which facilitates the command-API - can additionally be used to strip out plain/text and to translate text/HTML MIME parts of the message to be eventually forwarded to, e.g., BlackBerry PDAs.
Analysis Tools
QMVC includes a rich set of analysis tools showing qmvc's activity in HTML format.
Usually, those tools are called frequently by cron and the results may be read by an HTTP daemon to be published.
- Webcalendar: Convenient WebCalendar providing easy access to QMVC's analysis results.
- qmvcmonth: Monthly overview of all received and filtered Badmails and infected mails; fully crosslinked. Breakdown of all filtered viruses according to the different AV scanners.
- Virulator: Detailed analysis for Badmails and infected mails by Sender and Recipient. Badmail and Virus "Hit Lists" are available for the Virus Scan Engines.
- qmvclog2html: qmvc.log formatted in HTML.
QMVC's results may be published individually for specific users/virtual domains providing an optional anonymization of Sender/Recipient addresses.
Download and Installation
- Currently, QMVC Version 1.7.15 [Gentoo Release] can be downloaded: qmvc-1715.tgz (MD5: 33dee99d357421fbe665eeaae1d9296a) (MD5: 9829675a9223855c641bdd629a10c855). Please read the enclosed documents carefully.
- Installation instructions are simple; most of the installation is facilitated by a script.
- The QMVC WebCalendar for 2008, 2009 and 2010.
Modify the domain name ('mail.fehcom.de') to suit your domain. Create a subdirectory 200x under /var/qmvc/html/ and move all files *200x*.html into it.
Run /var/qmvc/bin/webcalendar while staying in /var/qmvc/html.
WebCalendar will fail partially for non-BSD systems. Thus, copy qmvc_calendar_200y.html to /var/qmvc/html/qmvc_calendar.html.
If you use QMVC for virtual domains, repeat those steps in each directory ~/qmvc/html.
- A beta version of QMVC 1.8 qmvc-1817.tgz (MD5: 9829675a9223855c641bdd629a10c855) can be used without guarantee. Please consult the in-line documents.
Documentation
- "Bird of a Feather" presentation about an "Effective Virus Shelter on E-Mail Gateways" at the GUUG Frühjahrstagung in Bochum 2004/3/11.
- QMVC Presentation at the GUUG Frühjahrstagung in Bochum 2002/2/28.
- A comprehensive HOWTO is available.
- An Errata lists hints and bugs.
In case of suggestions and/or problems, please contact Erwin Hoffmann