summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Colin Kissa <andrew@topdog.za.net>2017-03-12 19:14:47 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2017-03-12 19:14:47 +0000
commit71b32d412ac4792ca5e8d4a697afddb46c407bd9 (patch)
treee69ba0ceada72514eda7e058a7d73fd3e26b0264
parentea0d0cfba5fa9267c0f82af617f2094bc7545745 (diff)
Malware: new connection type "f-prot6d" for FPSCAND protocol over TCP
-rw-r--r--doc/doc-docbook/spec.xfpt12
-rw-r--r--doc/doc-txt/NewStuff2
-rw-r--r--src/src/malware.c57
-rw-r--r--test/confs/401129
-rw-r--r--test/log/401111
-rw-r--r--test/paniclog/40112
-rw-r--r--test/rejectlog/401124
-rw-r--r--test/scripts/4000-scanning/401188
-rw-r--r--test/stderr/40112
-rw-r--r--test/stdout/401168
10 files changed, 294 insertions, 1 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 44f9d26ff..be93cf670 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -31539,6 +31539,18 @@ av_scanner = f-protd:localhost 10200-10204
.endd
If you omit the argument, the default values show above are used.
+.new
+.vitem &%f-prot6d%&
+.cindex "virus scanners" "f-prot6d"
+The f-prot6d scanner is accessed using the FPSCAND protocol over TCP.
+One argument is taken, being a space-separated hostname and port number.
+For example:
+.code
+av_scanner = f-prot6d:localhost 10200
+.endd
+If you omit the argument, the default values show above are used.
+.wen
+
.vitem &%fsecure%&
.cindex "virus scanners" "F-Secure"
The F-Secure daemon scanner (&url(http://www.f-secure.com)) takes one
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 3594d1d6a..872371fcb 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -21,6 +21,8 @@ Version 4.90
making new TLS sessions, at the cost of having to proxy the data via
another process. Logging is also affected.
+ 4. A malware connection type for the FPSCAND protocol.
+
Version 4.89
------------
diff --git a/src/src/malware.c b/src/src/malware.c
index 549422ebb..f9c4c414f 100644
--- a/src/src/malware.c
+++ b/src/src/malware.c
@@ -13,7 +13,7 @@
#ifdef WITH_CONTENT_SCAN
typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL,
- M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST} scanner_t;
+ M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST, M_FPROT6D} scanner_t;
typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
static struct scan
{
@@ -34,6 +34,7 @@ static struct scan
{ M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM },
{ M_MKSD, US"mksd", NULL, MC_NONE },
{ M_AVAST, US"avast", US"/var/run/avast/scan.sock", MC_STRM },
+ { M_FPROT6D, US"f-prot6d", US"localhost 10200", MC_TCP },
{ -1, NULL, NULL, MC_NONE } /* end-marker */
};
@@ -84,6 +85,11 @@ static const uschar * ava_re_virus_str = US "(?!\\\\)\\t\\[L\\]\\d\\.\\d\\t\\d\\
static const pcre * ava_re_clean = NULL;
static const pcre * ava_re_virus = NULL;
+static const uschar * fprot6d_re_error_str = US "^\\d+\\s<(.+?)>$";
+static const uschar * fprot6d_re_virus_str = US "^\\d+\\s<infected:\\s+(.+?)>\\s+.+$";
+static const pcre * fprot6d_re_error = NULL;
+static const pcre * fprot6d_re_virus = NULL;
+
/******************************************************************************/
@@ -1911,8 +1917,53 @@ if (!malware_ok)
sock);
default: break;
}
+ break;
}
+
+ case M_FPROT6D: /* "f-prot6d" scanner type ----------------------------------- */
+ {
+ int bread;
+ uschar * e;
+ uschar * linebuffer;
+ uschar * scanrequest;
+ uschar av_buffer[1024];
+
+ if ((!fprot6d_re_virus && !(fprot6d_re_virus = m_pcre_compile(fprot6d_re_virus_str, &errstr)))
+ || (!fprot6d_re_error && !(fprot6d_re_error = m_pcre_compile(fprot6d_re_error_str, &errstr))))
+ return malware_errlog_defer(errstr);
+
+ scanrequest = string_sprintf("SCAN FILE %s\n", eml_filename);
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
+ scanner_name, scanrequest);
+
+ if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest), &errstr) < 0)
+ return m_errlog_defer(scanent, CUS callout_address, errstr);
+
+ bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
+
+ if (bread <= 0)
+ return m_errlog_defer_3(scanent, CUS callout_address,
+ string_sprintf("unable to read from socket (%s)", strerror(errno)),
+ sock);
+
+ if (bread == sizeof(av_buffer))
+ return m_errlog_defer_3(scanent, CUS callout_address,
+ US"buffer too small", sock);
+
+ av_buffer[bread] = '\0';
+ linebuffer = string_copy(av_buffer);
+
+ m_sock_send(sock, US"QUIT\n", 5, 0);
+
+ if ((e = m_pcre_exec(fprot6d_re_error, linebuffer)))
+ return m_errlog_defer_3(scanent, CUS callout_address,
+ string_sprintf("scanner reported error (%s)", e), sock);
+
+ if (!(malware_name = m_pcre_exec(fprot6d_re_virus, linebuffer)))
+ malware_name = NULL;
+
break;
+ } /* f-prot6d */
} /* scanner type switch */
if (sock >= 0)
@@ -2028,6 +2079,10 @@ if (!ava_re_clean)
ava_re_clean = regex_must_compile(ava_re_clean_str, FALSE, TRUE);
if (!ava_re_virus)
ava_re_virus = regex_must_compile(ava_re_virus_str, FALSE, TRUE);
+if (!fprot6d_re_error)
+ fprot6d_re_error = regex_must_compile(fprot6d_re_error_str, FALSE, TRUE);
+if (!fprot6d_re_virus)
+ fprot6d_re_virus = regex_must_compile(fprot6d_re_virus_str, FALSE, TRUE);
}
#endif /*WITH_CONTENT_SCAN*/
diff --git a/test/confs/4011 b/test/confs/4011
new file mode 100644
index 000000000..7be64dc6d
--- /dev/null
+++ b/test/confs/4011
@@ -0,0 +1,29 @@
+# Exim test configuration 4011
+# Content-scan: f-prot6d interface
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+av_scanner = f-prot6d : localhost4 PORT_S
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+acl_smtp_data = c_data
+
+begin acl
+
+c_data:
+ accept !malware = * OPT
+ deny logwrite = $callout_address malware_name $malware_name
+
+# ----- Routers -----
+
+begin routers
+
+r:
+ driver = redirect
+ data = :blackhole:
+
+# End
diff --git a/test/log/4011 b/test/log/4011
new file mode 100644
index 000000000..48f0f886c
--- /dev/null
+++ b/test/log/4011
@@ -0,0 +1,11 @@
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <userx@test.ex> R=r
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 [127.0.0.1]:1111 malware_name EICAR_Test_File
+1999-03-02 09:44:33 10HmaZ-0005vi-00 U=CALLER F=<CALLER@myhost.test.ex> rejected after DATA
+1999-03-02 09:44:33 10HmaX-0005vi-00 malware acl condition: f-prot6d [127.0.0.1]:1111 : unable to read from socket (Connection timed out)
+1999-03-02 09:44:33 10HmaX-0005vi-00 U=CALLER F=<CALLER@myhost.test.ex> temporarily rejected after DATA
+1999-03-02 09:44:33 10HmaY-0005vi-00 malware acl condition: f-prot6d [127.0.0.1]:1111 : unable to read from socket (Connection timed out)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <userx@test.ex> R=r
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/paniclog/4011 b/test/paniclog/4011
new file mode 100644
index 000000000..73c3c0111
--- /dev/null
+++ b/test/paniclog/4011
@@ -0,0 +1,2 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 malware acl condition: f-prot6d [127.0.0.1]:1111 : unable to read from socket (Connection timed out)
+1999-03-02 09:44:33 10HmaY-0005vi-00 malware acl condition: f-prot6d [127.0.0.1]:1111 : unable to read from socket (Connection timed out)
diff --git a/test/rejectlog/4011 b/test/rejectlog/4011
new file mode 100644
index 000000000..adeded6fb
--- /dev/null
+++ b/test/rejectlog/4011
@@ -0,0 +1,24 @@
+1999-03-02 09:44:33 10HmaZ-0005vi-00 U=CALLER F=<CALLER@myhost.test.ex> rejected after DATA
+Envelope-from: <CALLER@myhost.test.ex>
+Envelope-to: <userx@test.ex>
+P Received: from CALLER (helo=test.ex)
+ by myhost.test.ex with local-esmtp (Exim x.yz)
+ (envelope-from <CALLER@myhost.test.ex>)
+ id 10HmaZ-0005vi-00
+ for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+ Date: Tue, 2 Mar 1999 09:44:33 +0000
+ Subject: message should be rejected
+I Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
+F From: CALLER_NAME <CALLER@myhost.test.ex>
+1999-03-02 09:44:33 10HmaX-0005vi-00 U=CALLER F=<CALLER@myhost.test.ex> temporarily rejected after DATA
+Envelope-from: <CALLER@myhost.test.ex>
+Envelope-to: <userx@test.ex>
+P Received: from CALLER (helo=test.ex)
+ by myhost.test.ex with local-esmtp (Exim x.yz)
+ (envelope-from <CALLER@myhost.test.ex>)
+ id 10HmaX-0005vi-00
+ for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+ Date: Tue, 2 Mar 1999 09:44:33 +0000
+ Subject: message should be deferred due to timeout
+I Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
+F From: CALLER_NAME <CALLER@myhost.test.ex>
diff --git a/test/scripts/4000-scanning/4011 b/test/scripts/4000-scanning/4011
new file mode 100644
index 000000000..20e6ab2b8
--- /dev/null
+++ b/test/scripts/4000-scanning/4011
@@ -0,0 +1,88 @@
+# content scan interface: f-prot6d
+need_ipv4
+munge loopback
+#
+server PORT_S
+<SCAN FILE
+>0 <clean>
+>*eof
+****
+#
+#
+#
+exim -odi -bs -DOPT=
+ehlo test.ex
+mail from:<>
+rcpt to:<userx@test.ex>
+data
+Date: Fri, 17 Dec 2004 14:35:01 +0100
+Subject: message should be accepted
+
+.
+quit
+****
+#
+#
+#
+server PORT_S
+<SCAN FILE
+>0 <infected: EICAR_Test_File> DIR/spool/scan/1clxBT-0003I9-8y/1clxBT-0003I9-8y.eml
+>*eof
+****
+#
+#
+#
+exim -odi -bs -DOPT=
+ehlo test.ex
+mail from:<>
+rcpt to:<userx@test.ex>
+data
+Date: Fri, 17 Dec 2004 14:35:01 +0100
+Subject: message should be rejected
+
+due to the server response (above)
+.
+quit
+****
+#
+#
+#
+server PORT_S
+<SCAN FILE
+*sleep 3
+****
+#
+#
+#
+exim -odi -bs -DOPT="/tmo=2s"
+ehlo test.ex
+mail from:<>
+rcpt to:<userx@test.ex>
+data
+Date: Fri, 17 Dec 2004 14:35:01 +0100
+Subject: message should be deferred due to timeout
+
+.
+quit
+****
+#
+#
+#
+server PORT_S
+<SCAN FILE
+*sleep 3
+****
+#
+#
+#
+exim -odi -bs -DOPT="/tmo=2s/defer_ok"
+ehlo test.ex
+mail from:<>
+rcpt to:<userx@test.ex>
+data
+Date: Fri, 17 Dec 2004 14:35:01 +0100
+Subject: message should be accepted despite timeout
+
+.
+quit
+****
diff --git a/test/stderr/4011 b/test/stderr/4011
new file mode 100644
index 000000000..73c3c0111
--- /dev/null
+++ b/test/stderr/4011
@@ -0,0 +1,2 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 malware acl condition: f-prot6d [127.0.0.1]:1111 : unable to read from socket (Connection timed out)
+1999-03-02 09:44:33 10HmaY-0005vi-00 malware acl condition: f-prot6d [127.0.0.1]:1111 : unable to read from socket (Connection timed out)
diff --git a/test/stdout/4011 b/test/stdout/4011
new file mode 100644
index 000000000..dd4eddeee
--- /dev/null
+++ b/test/stdout/4011
@@ -0,0 +1,68 @@
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmbA-0005vi-00
+221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+550 Administrative prohibition
+221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+451 Temporary local problem - please try later
+221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmaY-0005vi-00
+221 myhost.test.ex closing connection
+
+******** SERVER ********
+Listening on port 1224 ...
+Connection request from [IP_LOOPBACK_ADDR]
+<SCAN FILE TESTSUITE/spool/scan/10HmbA-0005vi-00/10HmbA-0005vi-00.eml
+>0 <clean>
+>*eof
+End of script
+Listening on port 1224 ...
+Connection request from [IP_LOOPBACK_ADDR]
+<SCAN FILE TESTSUITE/spool/scan/10HmaZ-0005vi-00/10HmaZ-0005vi-00.eml
+>0 <infected: EICAR_Test_File> DIR/spool/scan/10HmbB-0005vi-00/10HmbB-0005vi-00.eml
+>*eof
+End of script
+Listening on port 1224 ...
+Connection request from [IP_LOOPBACK_ADDR]
+<SCAN FILE TESTSUITE/spool/scan/10HmaX-0005vi-00/10HmaX-0005vi-00.eml
+*sleep 3
+End of script
+Listening on port 1224 ...
+Connection request from [IP_LOOPBACK_ADDR]
+<SCAN FILE TESTSUITE/spool/scan/10HmaY-0005vi-00/10HmaY-0005vi-00.eml
+*sleep 3
+End of script