MailScanner Installation Guide — mailscanner.conf

All the configuration options are held in the file /opt/mailscanner/etc/mailscanner.conf by default, and each is described below. To use a different configuration file, specify it on the MailScanner command line.

Blank lines are ignored, as are leading and trailing spaces. Comments start at a '#' character and extend to the end of the line. All options are expressed in the form

option = value

Many of the options can also be the filename of a ruleset, which can be used to control features depending on the addresses of the message, and/or the IP address where the message came from. You will find some examples of rulesets and an explanation of them in the etc/rules directories within the MailScanner installation.

The options are best listed in a few categories. This is also the order in which you will find them in the mailscanner.conf file.

If this list looks very large then don't worry, the supplied mailscanner.conf file contains sensible defaults for all the values. You will probably only need to change a very few of them to start with.

System Settings

Max Children: Default is 5; MailScanner uses your server efficiently by running several identical processes at the same time, all processing mail. This is the number of these processes to run at once. Tuning this figure will optimise the performance of your system if you process a lot of mail. A good figure to start with is 5 children per CPU. So if you have 4 CPU's in your server, start by setting this to 20.
Run As User: Default is to not change user; Provided for Exim users (and anyone not running sendmail as root), this changes the user under which MailScanner runs
Run As Group: Default is to not change group; Provided for Exim users (and anyone not running sendmail as root), this changes the group under which MailScanner runs
Incoming queue dir: Default is /var/spool/mqueue.in; Directory in which MailScanner should find e-mail messages for scanning
Outgoing queue dir: Default is /var/spool/mqueue; Directory in which MailScanner should place scanned e-mail messages
Incoming work dir: Default is /opt/MailScanner/var/incoming; Directory in which to temporarily store unpacked MIME messages during scanning process
Quarantine dir: Default is /opt/MailScanner/var/quarantine; Directory under which to archive quarantined infected e-mail attachments
PID dir: Default is /opt/MailScanner/var; Directory in which to store MailScanner process id files
MTA: sendmail or exim; Default is sendmail; Specifies which email package you are using
Sendmail: Default is /usr/lib/sendmail; Location of sendmail program
Sendmail2: Default is the value of the Sendmail setting; Command line used to deliver outgoing/cleaned messages.; Provided for Exim users so they can specify a different exim.conf file for delivering from the outgoing queue.

Processing Incoming Mail

Max Unscanned Bytes Per Scan
Max Unsafe Bytes Per Scan
Max Unscanned Messages Per Scan
Max Unsafe Messages Per Scan: These values define the maximum size of a batch of messages which are all processed together. If you have problems with your server not processing messages fast enough, you might want to increase these values from those supplied.
Expand TNEF: Default is yes; Should we use an external TNEF decoder or not? TNEF decoding is built into Sophos and McAfee, so this should be no for Sophos/McAfee users and yes for all others.
Deliver Unparsable TNEF: Default is no; Rich Text format attachments produced by some versions of Microsoft Outlook cannot be completely decoded at present. Setting this option to yes allows compatibility with the behaviour of earlier versions where these attachments were still delivered. This would introduce the slight chance of a virus getting through in the segment of the attachment that could not be decoded, but the setting may be necessary if you have a large number of Microsoft Outlook users who are troubled by the new behaviour.
TNEF Expander: Default is /opt/mailscanner/bin/tnef; Full pathname giving location of the MS-TNEF expander/decoder program, or the keyword internal which will force use of the optional Perl Convert::TNEF module instead of the external program.
TNEF Timeout: Default is 120; The maximum time (in seconds) that the TNEF decoder is allowed to take to disassemble 1 Microsoft Outlook attachment.
Block Encrypted Messages: Default is no; This is intended for use with a ruleset to ensure that none of your users is covertly mailing sites with which you would not normally communicate (e.g. your competitors).
Block Unencrypted Messages: Default is no; This is intended for use with a ruleset to ensure that mail is always encrypted before being sent. This could be used to ensure that mail to your business partners is sent securely.

Virus Scanning and Vulnerability Testing

Virus Scanning: yes or no; Default is yes; Scan email for viruses? Switching this to no completely disables all virus-scanning functionality.
Virus Scanners: sophos, mcafee, command, kaspersky, inoculate, inoculan, nod32, f-prot, f-secure, antivir, panda, rav, none; Default is none; Specified which anti-virus package you are using; Note: If you are using several virus scanners, then this should be a space-separated list of the names of the scanners.
Virus Scanner Timeout: Default is 300; The maximum time (in seconds) that the virus scanner is allowed to take to scan 1 batch of messages.
Deliver Disinfected Files: Default is yes; Value is "yes" or "no"; Should infected attached documents be automatically disinfected and sent on to the original recipients
Silent Viruses: Messages whose virus reports contain any of the words listed here will be treated as "silent" viruses. No messages will be sent back to the senders of these viruses, and the delivery to the recipient of the message can be controlled by the next option "Still Deliver Silent Viruses". This is primarily designed for viruses such as "Klez" and "Bugbear" which put fake addresses on messages they send, so there is no point informing the sender of the message, as it won't actually be them who sent it anyway.
Still Deliver Silent Viruses: If this is set to yes then disinfected messsages that originally contained one of the "silent" viruses will still be delivered to the original recipients, even those addresses were chosen at random by the infected PC and do not correspond to anything a user intended to send. Set this to yes so that your users (and your management) appreciate how much MailScanner is doing to protect them, but set it to no if they complain a lot about receiving lots of virus warnings.

Removing Dangerous or Potentially Offensive Content

Allow Partial Messages: Default is no; Do you want to allow partial messages, which only contain a fraction of the attachments, not the whole thing? There is no way that "partial messages" can be scanned for viruses properly, as only a fragment of the message is ever processed, never the whole message at once.; Setting this option to yes is very dangerous as it can let viruses in. But you might want to use a ruleset to set it for some customers' outgoing mail, for example.
Allow External Message Bodiees: Default is no; There is a mechanism, very rarely used, in which the body of a message is contained on a remote server, which the user's email application should download when it displays the message. Currently, I am only aware of this feature being supported by a few versions of Netscape, and the only people who use it are the IETF. There is no way to guarantee that the fetched file has no viruses in it, as MailScanner never sees it.; Setting this option to yes is very dangerous as it can let viruses in from remote "message body servers".
Allow IFrame Tags: Default is no; Do you want to allow HTML <IFrame> tags in email messages? This is not a good idea as it allows various Microsoft Outlook security vulnerabilities to go unprotected, but if you have a load of mailing lists sending them, then you will want to allow them to keep your users happy.
Log IFrame Tags: You may receive complaints from your users that HTML mailing lists they subscribe to have been stopped by the "Allow IFrame Tags" option above. So before you use the option above, set this option to "yes" and MailScanner will log the senders all messages which contain IFrame tags. You can then setup a ruleset for the option above which will allow IFrame tags in messages sent by well known (and trusted) mailing lists, while banning them from everywhere else.
Allow Object Codebase Tags: Default is no; Do you want to allow HTML <Object Codebase=...> tags in email messages? This will allow various Microsoft security vulnerabilities to go unprotected. I strongly advise you set this to "no" unless you have a very specific requirement.
Convert Dangerous HTML To Text: Default is no; When <IFrame> or <Object Codebase=...> HTML tags are allowed in messages, would you like to convert any messages containing them to be plain text. This is very useful as an alternative to either banning them using the 2 options above, or else allowing them through untouched. This option will still give the users the chance to read the text content of the message while not exposing them to potentially dangerous or offensive HTML content.
Convert HTML To Text: If you have users who are children, or who are offended by things like pornographic spam email, you can protect them by converting incoming HTML email messages into plain text. HTML attachments will not be affected. You could set this to be a ruleset so you only convert messages addressed to some of your users, or not convert messages from some known trusted sources. This can be essential if you have a "duty of care" for some of your users.

Attachment Filename Checking

Filename rules: Default is /opt/MailScanner/etc/filename.rules.conf; File in which to store the attachment filename ruleset, documented below. This can be a ruleset allowing different filename rules to apply to different users or domains.

Reports and Responses

Quarantine Infections: Set this to store infected / dangerous attachments in directories created under the quarantine directory. Without this, they will be deleted. Due to laws on privacy and data protection in your country, you may be forced to set this to "no".
Quarantine Whole Message: Default is no; When an infected message is stored in the quarantine, a copy of the entire message will be saved, in addition to copies of the infected attachments.
Quarantine Whole Messages As Queue Files: Default is no; When an entire message is saved in the quarantine for any reason, do you want to save it as the raw data files out of the mail queue (which can be processed with the df2mbox script, and which is easier to send to its original recipients), or do you want a conventional message file consisting of the header followed by the body of the message. If the previous option is switched off, then this will only affect archived mail and quarantined spam. If the prevous option is on, then this also affects quarantined infections.
Deleted Bad Filename Message Report: When an attachment is deleted from a message because the filename failed the filename rules in force for the message, it is replaced by the contents of this file. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
Deleted Virus Message Report: When an attachment is deleted from a message because the attachment contained a virus or other dangerous content, it is replaced by the contents of this file. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
Stored Bad Filename Message Report: When an attachment is deleted from a message (and the attachment has been stored in the quarantine) because the filename failed the filename rules in force for the message, it is replaced by the contents of this file. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
Stored Virus Message Report: When an attachment is deleted from a message (and the attachment has been stored in the quarantine) because the attachment contained a virus or other dangerous content, it is replaced by the contents of this file. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
Disinfected Report: When, for example, a Microsoft Word macro virus has been safely removed from a document, leaving the original document intact, it is delivered on to the original recipient. The contents of this text file will be put in the body of the new message, explaining to the user what has happened.
Inline HTML Signature
Inline Text Signature: If the "Sign Clean Messages" option is set, then the contents of this file will be appended to the end of the body of every message that is scanned by MailScanner. You can use this to inform your users that MailScanner has scanned it, and you can also add any disclaimers you feel should be on mail travelling through your servers. The two options correspond to the contents that are appended to HTML messages and text messages respectively.
Inline HTML Warning Inline Text Warning: When attachments have been removed from a message, the contents of these files are inserted at the start of the body of the message to guide the recipient to read the "VirusWarning.txt" attachments that contain the virus reports themselves.
Sender Error Report: When a message could not be processed completely for some reason, such as bad message structure or unreadable winmail.dat TNEF attachments, this message is sent back to the sender. Read the example file supplied for a demonstration of what variables can be used inside the file.
Sender Bad Filename Report: When an attachment is trapped by the filename rules, this message is sent back to the sender.
Sender Virus Report: When an attachment is removed because of a virus, this message is sent back to the sender.
Hide Incoming Work Dir When this option is set, the full directory in which the virus was found will be removed from report messages sent to users. This makes the infection reports a lot easier to understand.

Changes to Message Headers

Mail header: Default is X-MailScanner:; Extra header that should be added to all scanned messages to show they have been scanned. You might want to add an abbreviation of your site name to this, so that you can find headers that are added by your MailScanner server.
Spam Header: Default is X-MailScanner-SpamCheck:; Name of the header to add to mail detected as spam. The text of the header is a list of the causes that think the message is spam.
Spam Score Header: Default is X-MailScanner-SpamScore:; If the option "Spam Score" is set, this is the name of the header that is used to contain the list of characters.
Information Header: Default is X-MailScanner-Information:; Name of the header to add to all messages, to be used for simply providing a URL or contact information for anyone receiving mail that has gone through MailScanner. If you do not want this header, simply comment out this setting or set it blank.
Detailed Spam Report: Default is yes; If this is set to yes then you get the normal fully detailed spam report in spam messages. If this is set to no then you simply get a "spam" or "not spam" report. The exact text inserted can be configured in the languages.conf file for your language.
Spam Score Character: If the option "Spam Score" is set, this is the character that will be repeated in the "Spam Score Header", one letter for each point in the SpamAssassin score.
Clean Header Value: This is the text that is added to the "Mail Header" when a message is found to be clean and free of viruses and other dangerous content.
Infected Header Value: This is the text that is added to the "Mail Header" when a message is found to be infected with a virus or other dangerous content.
Disinfected Header Value: This is the text that is added to the "Mail Header" of a message that is created by MailScanner to contain disinfected documents containing macro viruses that could be completely removed, leaving the original document intact.
Information Header Value: This is the text that is added to the "Information Header" of a message that has passed through MailScanner at all. It could be used to provide a URL or contact address for recipients if they have any queries about the messages they have received.
Multiple Headers: When a message passes through more than one MailScanner server on your site, they will each try to add their own headers. This option controls what should happen when trying to add a MailScanner header that already exists in the message.
Hostname: This is the name of the MailScanner server that is put in messages to users. If you have more than one MailScanner server on your site, you will want to change this on each server so that you can tell them apart.
Sign Messsages Already Processed: If a message has already been processed by another MailScanner server on your site, then the "Inline HTML/Text Signature" is not added to the message again if this option is set. Without it, you will get one signature added for every MailScanner server that processes the message.
Sign Clean Messages: If this option is set, then the "Inline HTML/Text Signature" will be added to the end of every clean message processed by MailScanner. You can use this to inform the recipient that the message has been checked, and also to add any legal disclaimer or copyright statement you want to add to every message. Using a ruleset for this option, you could very simply set it so that only messages leaving your site are signed, for example.
Mark Infected Messages: If this option is set, then the "Inline HTML/Text Warning" is added to the start of every message that is found to be infected or has had attachments removed for any reason. This can be used to guide the recipients to read the infection reports contained in the replacement attachments.
Mark Unscanned Messages: If this option is set, then any message which is not scanned by MailScanner gets the "Mail Header" added to it with the string contained in the "Unscanned Header Value" option. This can be used to advertise your MailScanner service to customers/clients who are currently not using it.
Unscanned Header Value: This supplies the text that is placed in the "Mail Header" of messages that have not been scanned, if the option "Mark Unscanned Messages" is set. It is a useful place to advertise your MailScanner service to new customers/clients.
Deliver Cleaned Messages: Once a message has had all viruses and dangerous content removed from it, it will then be delivered to the original recipients if this option is set. If you want the behaviour from previous versions of MailScanner that had the "Deliver From Local Domains" keyword, then you should set this to be a ruleset that only returns "yes" for messages destined for inside your site, and "no" for messages going out of your site.
Notify Senders: If this option is set, a message will be sent back to the address that sent each infected message. The text contained in these messages is supplied by the "Sender Reports" described earlier in this document.
Never Notify Senders Of Precedence: This contains a space-separated list of message "Precedence:" header values. If you receive a nasty message, the sender will not be notified if the "Precedence:" header value appears in this list. This is particularly useful for stopping MailScanner responding to poorly-maintained mailing lists.

Changes to the Subject: Line

Scanned Modify Subject: If this is set to "start" or "end" then the "Scanned Subject Text" is inserted at the start or the end of the Subject: line. This only happens if the Subject: line has not already been modified for any other reason.
Scanned Subject Text: This is the text inserted at the start or the end of the Subject: line if the "Scanned Modify Subject" option above is in effect.
Virus Modify Subject: If this is set, then the "Subject:" line of a message that was infected with a virus will have the "Virus Subject Text" text inserted at the start.
Virus Subject Text: This is the text inserted at the start of the "Subject:" line if the "Virus Modify Subject" option is set.
Filename Modify Subject: If this is set, then the "Subject:" line of a message that had an attachment with a dangerous filename will have the "Virus Subject Text" text inserted at the start.
Filename Subject Text: This is the text inserted at the start of the "Subject:" line if the "Filename Modify Subject" option is set.
Spam Modify Subject: If this is set, then the "Subject:" line of a message that was determined to be spam will have the "Spam Subject Text" text inserted at the start.
Spam Subject Text: This is the text inserted at the start of the "Subject:" line if the "Spam Modify Subject" option is set.
High Scoring Spam Modify Subject: If this is set, then the "Subject:" line of a message that was determined to be spam, and had a SpamAssassin score greater than the "High SpamAssassin Score" will have the "High Scoring Spam Subject Text" text inserted at the start.
High Scoring Spam Subject Text: This is the text inserted at the start of the "Subject:" line if the "High Scoring Spam Modify Subject" option is set.

Changes to the Message Body

Warning Is Attachment: When an infected or dangerous attachment is replaced with a text message containing the infection report, should the replacement be an attachment (yes) or should it be included inline in the main text of the message (no).
Attachment Warning Filename: What an infected or dangerous attachment is replaced with a text message containing the infection report, this is the filename of the attachment that appears in the message.
Attachment Encoding Charset: This is the name of the encoding character set used for the contents of "VirusWarning.txt" attachments. If your users do not use English as their preferred language, you may want to set this to "ISO-8859-1".

Mail Archiving and Monitoring

Archive Mail: This option provides a list of directory names and/or email addresses to which all mail should be copied. You will probably want to make this a ruleset so that only mail to/from certain users is archived. Note that there may be severe legal privacy implications of using this option without the prior knowledge of the individuals whose messages you are archiving/copying.

Notices to System Administrators

Send Notices: Should system administrators listed in the "Notices To" option be notified of every infection found?
Notices Include Full Headers: If this option is set, then the system administrator notices will include the full headers of every infected message. If this option is set to "no" then only a restricted set of headers is included in the notices.
Hide Incoming Work Dir in Notices: When this option is set, the full directory in which the virus was found will be removed from report messages sent to administrators. This makes the infection reports a lot easier to understand. It is also very useful if your notices go to your customer sites.
Notice Signature: This string is added to the bottom of all system administrator notices, and is intended to be the signature of your MailScanner system. To insert "line-breaks" or "newline" characters, use the sequence \n.
Notices To: This option provides a list of the addresses to which virus notices should be sent. You may want to set this to be a ruleset, providing different notification addresses for different domains that you administer.
Local Postmaster: When virus warnings are sent to any users, this is the email address used as the "From:" header in the messages.

Definitions of Virus Scanners and Spam Detectors

Spam List Definitions: This file contains all the definitions of the "Spam Lists" (also known as RBL's or DNSBL's) which can be used to try to detect spam based on where each message came from. Many more spam lists can be added to this file, but it contains the most popular ones to get you started.
Virus Scanner Definitions: This file contains the locations of all the commands that are run for each virus scanner. Check this file before starting MailScanner to make sure it will run the correct command or wrapper script.

Spam Detection and Spam Lists (DNS Blocklists)

Spam Checks: If this option is set, messages will be checked to see if they are spam.
Spam List: This provides a space-separated list of "Spam Lists" (or RBL's or DNSBL's) which are checked for each message. These lists are based on the numeric IP address of the server that sent the message to your MailScanner server. Every list used here must be defined in the "Spam List Definitions" file mentioned above.
Spam Domain List: This provides a space-separated list of "Spam Lists" (or RBL's or DNSBL's) which are checked for each message. These lists are based on the domain name of the sender address of each message. Every list used here must be defined in the "Spam List Definitions" file mentioned above.
Spam List Timeout: This is the number of seconds to wait for each "Spam List" lookup to complete. If the lookup takes longer than this, it is killed and ignored.
Max Spam List Timeouts: If a "Spam List" lookup times out for this many consecutive checks without ever succeeding, then the particular "Spam List" entry will not be used any more, as it appears to be unreachable. When MailScanner restarts itself after a few hours, MailScanner will try to use the entry again, in case service has resumed properly.
Is Definitely Not Spam: This option would normally be a ruleset. Any messages for which the ruleset result is "yes" will never be marked as spam. This is used to create a spam "whitelist" of addresses which are never spam. You will probably want to include your own site (or your own site's IP addresses) in this ruleset.
Is Definitely Spam: This option would normally be a ruleset. Any messages for which the ruleset result is "yes" will always be marked as spam. This is used to create a spam "blacklist" of addresses of known spammers.

SpamAssassin

Use SpamAssassin: Do you want to detect spam using the very good SpamAssassin package? You must have installed SpamAssassin before using this option, otherwise MailScanner will not start properly.
Max SpamAssassin Size: SpamAssassin is quite slow when processing very large messages. To work round this problem, this option provides a maximum size for messages that are processed with SpamAssassin. Most real spam is usually less than about 50,000 bytes per message.
Required SpamAssassin Score: This gives the minimum SpamAssassin score value above which messages are spam. This replaces SpamAssassin's own "required_hits" value, so that it can be a ruleset and set to different values for different users/domains.
High SpamAssassin Score: Messages with a SpamAssassin score greater than this value are labelled as being "High Scoring Spam", and a different set of "Spam Actions" are applied to messages scoring at least this value.
SpamAssassin Auto Whitelist: SpamAssassin has a feature which measures the ratio of spam to non-spam originating from different addresses, and will automatically add addresses to its own internal "whitelist" if most of the messages from an address is not spam. This option enables this feature of SpamAssassin. Please read their documentation for more information.
SpamAssassin Prefs File: SpamAssassin uses a "user preferences" file which can be used to set the values of various SpamAssassin options. This is the name of that file. Its most useful feature is that the RBL/DNSBL/"Spam List" checks done by SpamAssassin can be disabled as MailScanner already does them and there is little to be gained by doing these checks twice for every message.
SpamAssassin Timeout: This option sets the maximum number of seconds to wait for SpamAssassin to process a message. This is a useful protection against occasional bugs in SpamAssassin that can cause it to take hours to process a single message.
Max SpamAssassin Timeouts: If several consecutive calls to SpamAssassin time out, then MailScanner decides that there is something stopping SpamAssassin from working properly. It will therefore be disabled for the next few hours until MailScanner restarts itself, at which point it will be tried again.
Check SpamAssassin If On Spam List: If a message has already triggered any of the "Spam List" checks, the SpamAssassin check will be skipped if this option is set to "no". This can help reduce the load on your server if SpamAssassin checks take a long time for some reason.
Always Include SpamAssassin Report: If this option is set, then the "Spam Header" will be included in the header of every message, so its presence cannot be used to filter out spam by your users' e-mail applications.
Spam Score: If a message is spam, and this option is set, then a header will be added to the message containing 1 character for each point in the SpamAssassin score. This allows users to choose for themselves the SpamAssassin scores at which they want to do different things with the message, such as file it or delete it.

What to do with Spam

Spam Actions: This can be any combination of 1 or more of the following keywords, and these actions are applied to any message which is spam.; "deliver" - the message is delivered to the recipient as normal; "delete" - the message is deleted; "store" - the message is stored in the quarantine; "bounce" - a rejection message is sent back to the sender; "forward" - an email address is supplied, to which the message is forwarded; "striphtml" - convert all in-line HTML content in the message to be stripped to plain text, which removes all images and scripts and so can be used to protect your users from offensive spam. Note that using this action on its own does not imply that the message will be delivered, you will need to specify "deliver" or "forward" to actually deliver the message.
High Scoring Spam Actions: This is the same as the "Spam Actions" option above, but it gives the actions to apply to any message whose SpamAssassin score is above the "High Scoring" threshold described above.
Sender Spam Report: When the "bounce" spam action is applied to a message that triggered both a "Spam List" check and SpamAssassin, this file gives the text to put in that message.
Sender Spam List Report: When the "bounce" spam action is applied to a message that triggered a "Spam List" check, this file gives the text to put in that message.
Sender SpamAssassin Report: When the "bounce" spam action is applied to a message that triggered SpamAssassin, this file gives the text to put in that message.

System Logging

Syslog Facility: This is the name of the "facility" used by syslogd to log MailScanner's messages. If this doesn't mean anything to you, then either leave it alone or else read the "syslogd" man page.
Log Spam: If this option is set, then every spam message will be logged to syslog. If you get a lot of spam, or your server load is high, you will want to leave this option switched off. But if you are having trouble with spam detection, setting this to "yes" temporarily can provide useful debugging output.
Log Permitted Filenames: If this option is set, then every attachment filename that passes the "filename rules" checks will be logged to syslog. Normally this is of no interest. But if you are having trouble getting your filename rules correct, setting, this can provide useful debugging output.

Advanced Settings

Debug: Not for use by normal users. Setting this option to "yes" will put MailScanner into debugging mode, in which it creates slightly more output and will not become a daemon.
Always Looked Up Last: The value of the option is actually never used, but it is evaluated at the end of processing a batch of messages. It is designed to be used in conjunction with a Custom Function. The Custom Function should then be written to have a "side effect" of doing something useful such as logging lots of information about the batch of messages to a file or an SQL database.
Deliver In Background: When attempting delivery of any messages (when the "Delivery Method = batch") the sendmail/Exim command will be run in the background so that MailScanner does not have to wait for the delivery attempt to complete. There are very few good reasons for setting this to "no".
Delivery Method: With this option set to "batch", then an attempt is made to deliver all of the messages in the current batch once they have been completely processed by MailScanner. With this option set to "queue", the messages are just placed in the outgoing queue, leaving sendmail/Exim to attempt to deliver them the next time it processes its queue. This can be useful on servers with very high load.
Lockfile Dir: This is the directory in which lock files are placed to stop the virus scanners used while they are in the middle of updating themselves with new virus definitions. If you change this at all, you will need to edit the "autoupdate" scripts for all your virus scanners.
Lock Type: Do not set this option to anything unless you know exactly what you are doing. For sendmail and Exim, MailScanner will choose the correct value by default. This affects how mail queue files are locked, and your mail will be totally screwed up if you set this option to anything other than the correct value for your MTA. So leave it alone and let MailScanner choose the correct value for you.
Minimum Code Status: Some of the virus scanners are not supported by the authors of MailScanner, and they may use code contributed by another user. If this option is set to the wrong value for your virus scanners, then you will get an error message in your maillog (syslog) telling you that it is set wrong and MailScanner will refuse to start. The error message will include the location of a web page describing this option in more detail, and this tells you what value to set this to for each virus scanner that can be used by MailScanner.

Attachment Filename Ruleset

This is held in the filename pointed to by the configuration option Filename rules. It contains a set of rules that are used to judge whether any given file attachment should be accepted or rejected on the basis of its filename, regardless of whether it is found to be virus-infected or not.

This can not only be used for draconian measures such as banning all .exe attachments, but it can be used with any Perl regular expression to provide facilities such as detection of attempts at hiding filenames.

Many Windows e-mail programs (eg. Microsoft Outlook) hide common file extensions in an attempt to not baffle the user. The result is that while an attachment called "Your Document.doc" is helpfully displayed as "Your Document", a more sinister attachment just as "Looks Safe.txt.pif" will appear simply as "Looks Safe.txt". Many users recognise the .txt filename extension as applying to plain text files, which they know are safe. So even an experienced user may well double-click on this attachment thinking it is just going to start Notepad and display the text file.

However, the file is really an MS-Dos shortcut (.pif file) and can execute any arbitrary commands the author wanted: all without any indication to the unwitting user.

The rules are matched in order from the top to the bottom of the file, and the first rule containing a matching regular expression is used.

Each line of the file is either blank, a comment (in which case it starts with a '#' character) or is a rule made up of 4 fields separated by one or more TAB characters.

allow / deny: Accept or reject the attachment if its filename matches the regular expression
regular expression: The rule is executed if the attachment matches this expression. It may optionally be surrounded in '/' characters.
log text: If the rule matches, this text is placed in the syslog. If the text is "-", no string is logged.
user text: If the rule matches, this text is placed in the text message sent to the user. If the text is "-", no text is used.

The configuration file example demonstrates what can easily be done with this syntax.

Julian Field