1

Topic: Redundant, external anti-virus scanning

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8 MARIADB
- Deployed with iRedMail Easy or the downloadable installer?: Installer
- Linux/BSD distribution name and version: CentOS 7.8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Lately I have found that ClamAV is not catching malware that users' anti-virus software is picking up. This has been going on since early August, so it looks like ClamAV/Cisco are significantly falling behind.

For this reason I would like to implement redundant anti-virus scanning, either with another anti-virus engine also installed on the same server, or routing inbound and outbound email through another machine, or another service. This is my list, in decreasing order of preference:

1) Engine installed on the same server as ClamAV (and iRedMail [Pro]),
2) A discrete machine on the same LAN, managed by us, or
3) An external commercial service.

A search here turned up this eight-year-old thread ( https://forum.iredmail.org/topic2868-ex … teway.html ) and I'm wondering (before I set up some servers and test) if this is still the recommended way of going about it. @Zhang?

I did look at http://web.archive.org/web/201505191412 … ssing.html , linked to from that thread, but none of the use cases listed in the index seem related. The last one seems close, but it certainly doesn't seem to address the second machine doing virus scanning. Most of the use cases seem to be about *avoiding* scanning, which is certainly not what I'm trying to do; I'm trying to double the scanning, although it does make sense to deactivate identical scans on one server or the other. (Actually, a couple of the external links look they might be good starting points.)

Does anyone have any suggestions for or experience with this? Any links to suggested solutions? One scanning solution I'm looking at is MailScanner ( https://www.mailscanner.info ). One reference I found pointed to http://web.archive.org/web/201510240801 … _a_gateway as a starting point. I will, of course, do testing on a dev server, but I'm also wondering about installing MailScanner immediately after installing iRedMail. Their instructions are at https://www.mailscanner.info/postfix/ .

My machine is processing -- depending on what statistics you look at -- only about 20 000 to 40 000 messages a day, fewer on weekends of course.

Thanks!


Craig


2

Re: Redundant, external anti-virus scanning

I'd never rely on one check alone. We are running a mail proxy (on a hardware firewall + ESZET + CLAMAV), then it reaches iRedMail.

3

Re: Redundant, external anti-virus scanning

The quickest and easiest way is adding more third-party ClamAV databases. For example:
https://sanesecurity.com/usage/signatures/

You can find some more third-party databases.

Note: The more databases you enable, the more memory ClamAV requires. Make sure your server has enough RAM for it.
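Once extra databases are loaded, the obvious follow-up question is whether they actually catch anything the official signatures miss. The script below is an added example (not code from this thread, iRedMail or ClamAV) that splits clamd detections into official and third-party hits by reading clamd's log. It assumes the usual clamd log shape ("<timestamp> -> <path>: <signature> FOUND") and the ClamAV convention that non-official signature names end in ".UNOFFICIAL"; the log lines embedded in it are constructed for the demonstration, not real traffic.

```python
"""Classify ClamAV detections by signature source from clamd log lines.

Added example, not part of the forum thread or of iRedMail/ClamAV. It helps
judge whether third-party databases (e.g. the Sanesecurity set) add value by
separating hits on official signatures from hits on unofficial ones.
Assumptions: clamd log lines look like "<timestamp> -> <path>: <sig> FOUND",
and third-party signature names carry the ".UNOFFICIAL" suffix.
"""
import re
from collections import Counter

# Constructed sample clamd log excerpt (paths and signature names are made up
# except for the ClamAV heuristic name; none of this is real traffic).
SAMPLE_LOG = """\
Mon Aug 17 09:12:01 2020 -> /var/spool/amavisd/tmp/amavis-1/parts/p001: Win.Trojan.Agent-1234567 FOUND
Mon Aug 17 09:15:44 2020 -> /var/spool/amavisd/tmp/amavis-2/parts/p002: Sanesecurity.Foxhole.Mail_js.UNOFFICIAL FOUND
Mon Aug 17 09:20:10 2020 -> /var/spool/amavisd/tmp/amavis-3/parts/p003: Sanesecurity.Malware.28765.HtmHeur.UNOFFICIAL FOUND
Mon Aug 17 09:31:55 2020 -> /var/spool/amavisd/tmp/amavis-4/parts/p004: Doc.Dropper.Agent-7654321 FOUND
Mon Aug 17 09:40:02 2020 -> /var/spool/amavisd/tmp/amavis-5/parts/p005: Heuristics.Phishing.Email.SpoofedDomain FOUND
Mon Aug 17 09:42:13 2020 -> /var/spool/amavisd/tmp/amavis-6/parts/p006: OK
Mon Aug 17 09:50:30 2020 -> /var/spool/amavisd/tmp/amavis-7/parts/p007: Sanesecurity.Foxhole.Mail_js.UNOFFICIAL FOUND
Mon Aug 17 10:01:00 2020 -> SelfCheck: Database status OK.
"""

# Only lines that end in "FOUND" are detections; "OK" and SelfCheck lines are skipped.
DETECTION_RE = re.compile(r"-> (?P<path>[^:]+): (?P<sig>\S+) FOUND$")


def parse_detections(log_text):
    """Return a list of (path, signature) tuples for every FOUND line."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.search(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def classify(signature):
    """'third_party' for unofficial signatures, 'official' for ClamAV's own."""
    return "third_party" if signature.endswith(".UNOFFICIAL") else "official"


def database_family(signature):
    """First dotted component, e.g. 'Sanesecurity' or 'Win'; groups hits by source."""
    return signature.split(".", 1)[0]


def summarize(log_text):
    """Aggregate detections: official vs third-party counts, per-family counts,
    and the most frequently matched signatures."""
    hits = parse_detections(log_text)
    by_source = Counter(classify(sig) for _, sig in hits)
    by_family = Counter(database_family(sig) for _, sig in hits)
    top = Counter(sig for _, sig in hits).most_common()
    return {
        "total": len(hits),
        "official": by_source["official"],
        "third_party": by_source["third_party"],
        "by_family": by_family,
        "top_signatures": top,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"detections: {report['total']} "
          f"(official {report['official']}, third-party {report['third_party']})")
    for family, n in report["by_family"].most_common():
        print(f"  {family:<14} {n}")
    print("most common signatures:")
    for sig, n in report["top_signatures"][:3]:
        print(f"  {n:>3}  {sig}")
```

Run it against a real clamd.log (for example by replacing SAMPLE_LOG with the file's contents) after the extra databases have been live for a week or two. A high third-party share tells you the added databases are doing work and justifies their RAM cost; a share near zero suggests the memory would be better spent elsewhere. Because clamd reports only the first matching signature, a third-party hit does not prove the official set would have missed the sample, so treat the split as an indication rather than a measurement.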

4

Re: Redundant, external anti-virus scanning

Hi Zhang,

Sorry, I didn't realise that you had replied. I forgot that no more notifications are sent after the first one if I don't log in again.

Anyway, appreciate the suggestion. I will add this to my list of considerations.


Craig