Freesco, NND, CDN, EOS

http://www.freesco.pl
Posted: Saturday, 8 November 2003, 18:30
Hello.
I have recently become interested in the problem of processing outgoing mail with procmail.
I searched through vast numbers of forums around the world looking for a solution.
Here is what I found.

http://www.security-forums.com/forum/viewtopic.php?t=8212

Folks,

I have been searching for an answer to this question for the past couple of days and I couldn't find it. I remembered I had done this before, but when Googling I didn't find any useful hints.

I always ran into the same answer 'Use libmilter or have to hack sendmail yourself.', but never a decent description how.

Browsing through the local CVS we store the configurations in finally paid off, so I finally found out again how I did it, and I thought I'd share this information with the folks here at SFDC. (Sorry for its quick&dirty-ness..)

Maybe there's even a simpler way of accomplishing this (share it), but this one works like a charm.

Why scan outgoing mails?
You can think of different reasons for doing this; it could be because of (corporate) security, where every outgoing email should be scanned for viruses, etc.

Or maybe Management wants copies of the outgoing emails certain employers send out.


How to implement it
As some of you probably have used 'procmail' for scanning incoming mails, you probably also found out this doesn't work for outgoing mails.

We can however, set up another mailer through which all outgoing mails are piped. This 'mailer' actually is a local running script which you have to `bake' yourself.

This program, let's call it 'scanmail' and put it in /usr/local/bin. It must expect the email message to come in on stdin.

In this 'scanmail' script we can inspect an email, for instance using formail, call a third party program to scan for viruses or use 'grep' to search for certain topics or keywords that should enable the copying of this email to someone else.

First of all make a backup of your existing sendmail.cf to sendmail.real.cf (we will use this later to actually deliver the message).

We have to edit the sendmail.cf file to make it work. Locate the Ruleset 0 -- Parse Address line in sendmail.cf. It probably will say something like:
Code:

Sparse=0
R$*                     $: $>Parse0 $1          initial parsing
R$*                     $: $>ParseLocal $1      handle local hacks
R$*                     $: $>Parse1 $1          final parsing
 


In between the 'handle local hacks' and 'final parsing' lines insert the following line:
Code:

R$*                     $#scanmail $@$1 $:$1    scan the email
 


So you get something like this:
Code:

Sparse=0
R$*                     $: $>Parse0 $1          initial parsing
R$*                     $: $>ParseLocal $1      handle local hacks
R$*                     $#scanmail $@$1 $:$1    scan the email
R$*                     $: $>Parse1 $1          final parsing
 


This configures sendmail to call that program every time a mail is being sent.

We're not there yet, we have to tell sendmail where this scanmail-program is, etc. Locate the lines where you see this:

Code:

Mlocal,         P=/usr/bin/procmail, F=lsDFMAw5:/|@qShP, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
                T=DNS/RFC822/X-Unix,
                A=procmail -a $h -d $u

#####################################
###   SMTP Mailer specification   ###
#####################################
<snip>
 


Below Mlocal and above the lines ### SMTP Mailer spec, add the following lines:
Code:

Mscanmail,      P=/usr/local/bin/scanmail, F=7CsDFM:/|@qShP, S=0, R=0,
                T=DNS/RFC822/X-Unix,
                A=scanmail $u
 



This almost completes the whole setup, there is only one thing to keep in mind. The email is not really piped through 'scanmail', because the output of the scanmail program isn't parsed by sendmail.

Although we now can inspect the contents of the email, it isn't delivered yet. For this we need to call sendmail again, but with an alternate configuration-file (the one that you backed-up earlier.). This is a bit tricky, but it works.

Example scanmail script in pseudo-code:
Code:

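#!/bin/sh

# Write stdin to a file to work with, put name in $TMPFILE
TMPFILE=$(mktemp /tmp/scanmail.XXXXXX) || exit 75   # 75 = EX_TEMPFAIL
trap 'rm -f "$TMPFILE"' EXIT
cat > "$TMPFILE"

# Get the TO and FROM field with formail, put it in $TO and $FROM
TO=$(formail -zx To: < "$TMPFILE")
FROM=$(formail -zx From: < "$TMPFILE")

# Inspect the email (test grep's exit status; an unquoted `grep` inside
# [ -n ... ] is true even when nothing matches)
if grep -q "pr0n" "$TMPFILE"; then
      # Archive this email
      :
fi

# Finally really send and deliver the mail ("--" ends option parsing).
sendmail -C/etc/mail/sendmail.real.cf -- "$TO" < "$TMPFILE"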

 


Any comments or suggestions are welcome, of course.



I have not tried to put this into practice yet, but I think that someone with a bit of willingness and a somewhat larger bit of skill and knowledge of the subject could adapt it appropriately for processing by procmail, perhaps scanning with mks, perhaps something else - human imagination knows no limits. :)

If this could be put into practice, it might even find a place on, for example, miniwebportal.and.pl.

I have high hopes for this.

Regards, and I wish you much success
Adam
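
The scanmail step from the quoted post with its failure paths made explicit, as an added example that is not part of either post: a failed scan or failed re-delivery returns EX_TEMPFAIL so the message stays queued instead of being lost or passed on unscanned. It assumes the first argument is the recipient handed over by `A=scanmail $u`; `SENDMAIL_CMD`, `ARCHIVE_DIR`, `KEYWORDS` and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: scanmail with explicit failure handling (not the original post's code).
# Assumptions: message on stdin; $1 is the recipient passed by "A=scanmail $u".
SENDMAIL_CMD=${SENDMAIL_CMD:-"sendmail -C/etc/mail/sendmail.real.cf"}
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/spool/scanmail}   # hypothetical archive location
KEYWORDS=${KEYWORDS:-pr0n}                        # fixed strings, one per line
EX_USAGE=64
EX_TEMPFAIL=75                                    # temporary failure: sendmail keeps the mail queued

# matches_policy FILE: 0 = keyword found, 1 = clean, >1 = grep itself failed
matches_policy() {
    grep -i -q -F -e "$KEYWORDS" -- "$1"
}

# archive_copy FILE: store a copy readable by the mailer user only
archive_copy() {
    ( umask 077
      dest=$(mktemp "$ARCHIVE_DIR/msg.XXXXXX") && cat "$1" > "$dest" )
}

# scanmail RECIPIENT < message: returns a sysexits-style status
scanmail() {
    rcpt=$1
    [ -n "$rcpt" ] || return "$EX_USAGE"
    tmp=$(mktemp "${TMPDIR:-/tmp}/scanmail.XXXXXX") || return "$EX_TEMPFAIL"
    cat > "$tmp" || { rm -f "$tmp"; return "$EX_TEMPFAIL"; }

    rc=0
    matches_policy "$tmp" || rc=$?
    case $rc in
        0) archive_copy "$tmp" || { rm -f "$tmp"; return "$EX_TEMPFAIL"; } ;;
        1) ;;                                     # clean, nothing to archive
        *) rm -f "$tmp"; return "$EX_TEMPFAIL" ;; # scan failed: hold the mail, do not pass it unscanned
    esac

    # Deliver with the backed-up configuration; "--" ends option parsing so the
    # recipient is always treated as an address, never as a sendmail flag.
    status=0
    $SENDMAIL_CMD -- "$rcpt" < "$tmp" || status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] || return "$EX_TEMPFAIL"
}

# Act as the mailer only when installed and invoked as "scanmail".
case ${0##*/} in
    scanmail) scanmail "$@"; exit $? ;;
esac
```

A plain grep sees only the raw message, so keywords inside base64 or quoted-printable MIME parts are not matched unless the parts are decoded first.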


Posted: Friday, 14 November 2003, 01:25
sorry, I didn't read it, I fell asleep halfway through... :?

_________________
---------------
Best regards

C-O-N

