MailScanner Installation Guide ? mailscanner.conf

All the configuration options are held in the file
/opt/mailscanner/etc/mailscanner.conf by default, and each is described
below. To use a different configuration file, specify it on the
MailScanner command line.

Blank lines are ignored, as are leading and trailing spaces. Comments
start at a '#' character and extend to the end of the line. All options
are expressed in the form

    option = value

    Many of the options can also be the filename of a ruleset, which can
    be used to control features depending on the addresses of the
    message, and/or the IP address where the message came from. You will
    find some examples of rulesets and an explanation of them in the
    etc/rules directories within the MailScanner installation.

    The options are best listed in a few categories. This is also the
    order in which you will find them in the mailscanner.conf file.

    If this list looks very large then don't worry, the supplied
    mailscanner.conf file contains sensible defaults for all the values.
    You will probably only need to change a very few of them to start with.

        * System settings <#system>
        * Processing incoming mail <#incoming>
        * Virus scanning and vulnerability testing <#scanning>
        * Removing dangerous or potentially offensive content <#content>
        * Attachment filename checking <#attachments>
        * Reports and responses <#reports>
        * Changes to message headers <#headers>
        * Changes to the Subject: line <#subject>
        * Changes to the message body <#body>
        * Mail archiving and monitoring <#archiving>
        * Notices to system administrators <#notices>
        * Definitions of virus scanners and spam detectors <#defs>
        * Spam detection and spam lists (DNS blocklists) <#rbl>
        * SpamAssassin <#spamassassin>
        * What to do with spam <#spam>
        * System logging <#logging>
        * Advanced settings <#advanced> 


        System Settings

*Max Children*
    Default is 5 
    MailScanner uses your server efficiently by running several
    identical processes at the same time, all processing mail. This is
    the number of these processes to run at once. Tuning this figure
    will optimise the performance of your system if you process a lot of
    mail. A good figure to start with is 5 children per CPU. So if you
    have 4 CPU's in your server, start by setting this to 20. 
*Run As User*
    Default is to not change user 
    Provided for Exim users (and anyone not running sendmail as root),
    this changes the user under which MailScanner runs 
*Run As Group*
    Default is to not change group 
    Provided for Exim users (and anyone not running sendmail as root),
    this changes the group under which MailScanner runs 
*Incoming queue dir*
    Default is /var/spool/mqueue.in 
    Directory in which MailScanner should find e-mail messages for scanning 
*Outgoing queue dir*
    Default is /var/spool/mqueue 
    Directory in which MailScanner should place scanned e-mail messages 
*Incoming work dir*
    Default is /opt/MailScanner/var/incoming 
    Directory in which to temporarily store unpacked MIME messages
    during scanning process 
*Quarantine dir*
    Default is /opt/MailScanner/var/quarantine 
    Directory under which to archive quarantined infected e-mail
    attachments 
*PID dir*
    Default is /opt/MailScanner/var 
    Directory in which to store MailScanner process id files 
*MTA*
    sendmail or exim 
    Default is sendmail 
    Specifies which email package you are using 
*Sendmail*
    Default is /usr/lib/sendmail 
    Location of sendmail program 
*Sendmail2*
    Default is the value of the Sendmail setting 
    Command line used to deliver outgoing/cleaned messages. 
    Provided for Exim users so they can specify a different exim.conf
    file for delivering from the outgoing queue. 


    Processing Incoming Mail

*Max Unscanned Bytes Per Scan*
*Max Unsafe Bytes Per Scan*
*Max Unscanned Messages Per Scan*
*Max Unsafe Messages Per Scan*
    These values define the maximum size of a batch of messages which
    are all processed together. If you have problems with your server
    not processing messages fast enough, you might want to increase
    these values from those supplied. 
*Expand TNEF*
    Default is yes 
    Should we use an external TNEF decoder or not? TNEF decoding is
    built into Sophos and McAfee, so this should be no for Sophos/McAfee
    users and yes for all others. 
*Deliver Unparsable TNEF*
    Default is no 
    Rich Text format attachments produced by some versions of Microsoft
    Outlook cannot be completely decoded at present. Setting this option
    to yes allows compatibility with the behaviour of earlier versions
    where these attachments were still delivered. This would introduce
    the slight chance of a virus getting through in the segment of the
    attachment that could not be decoded, but the setting may be
    necessary if you have a large number of Microsoft Outlook users who
    are troubled by the new behaviour. 
*TNEF Expander*
    Default is /opt/mailscanner/bin/tnef 
    Full pathname giving location of the MS-TNEF expander/decoder
    program, or the keyword internal which will force use of the
    optional Perl Convert::TNEF module instead of the external program. 
*TNEF Timeout*
    Default is 120 
    The maximum time (in seconds) that the TNEF decoder is allowed to
    take to disassemble 1 Microsoft Outlook attachment. 
*Block Encrypted Messages*
    Default is no 
    This is intended for use with a ruleset to ensure that none of your
    users is covertly mailing sites with which you would not normally
    communicate (e.g. your competitors). 
*Block Unencrypted Messages*
    Default is no 
    This is intended for use with a ruleset to ensure that mail is
    always encrypted before being sent. This could be used to ensure
    that mail to your business partners is sent securely. 


    Virus Scanning and Vulnerability Testing

*Virus Scanning*
    yes or no 
    Default is yes 
    Scan email for viruses? Switching this to no completely disables all
    virus-scanning functionality. 
*Virus Scanners*
    sophos, mcafee, command, kaspersky, inoculate, inoculan, nod32,
    f-prot, f-secure, antivir, panda, rav, none 
    Default is none 
    Specified which anti-virus package you are using 
    *Note:* If you are using several virus scanners, then this should be
    a space-separated list of the names of the scanners. 
*Virus Scanner Timeout*
    Default is 300 
    The maximum time (in seconds) that the virus scanner is allowed to
    take to scan 1 batch of messages. 
*Deliver Disinfected Files*
    Default is yes 
    Value is "yes" or "no" 
    Should infected attached documents be automatically disinfected and
    sent on to the original recipients 
*Silent Viruses*
    Messages whose virus reports contain any of the words listed here
    will be treated as "silent" viruses. No messages will be sent back
    to the senders of these viruses, and the delivery to the recipient
    of the message can be controlled by the next option "Still Deliver
    Silent Viruses". This is primarily designed for viruses such as
    "Klez" and "Bugbear" which put fake addresses on messages they send,
    so there is no point informing the sender of the message, as it
    won't actually be them who sent it anyway. 
*Still Deliver Silent Viruses*
    If this is set to yes then disinfected messsages that originally
    contained one of the "silent" viruses will still be delivered to the
    original recipients, even those addresses were chosen at random by
    the infected PC and do not correspond to anything a user intended to
    send. Set this to yes so that your users (and your management)
    appreciate how much MailScanner is doing to protect them, but set it
    to no if they complain a lot about receiving lots of virus warnings. 


    Removing Dangerous or Potentially Offensive Content

*Allow Partial Messages*
    Default is no 
    Do you want to allow partial messages, which only contain a fraction
    of the attachments, not the whole thing? There is no way that
    "partial messages" can be scanned for viruses properly, as only a
    fragment of the message is ever processed, never the whole message
    at once. 
    Setting this option to yes is *very dangerous* as it can let viruses
    in. But you might want to use a ruleset to set it for some
    customers' outgoing mail, for example. 
*Allow External Message Bodiees*
    Default is no 
    There is a mechanism, very rarely used, in which the body of a
    message is contained on a remote server, which the user's email
    application should download when it displays the message. Currently,
    I am only aware of this feature being supported by a few versions of
    Netscape, and the only people who use it are the IETF. There is no
    way to guarantee that the fetched file has no viruses in it, as
    MailScanner never sees it. 
    Setting this option to yes is *very dangerous* as it can let viruses
    in from remote "message body servers". 
*Allow IFrame Tags*
    Default is no 
    Do you want to allow HTML <IFrame> tags in email messages? This is
    not a good idea as it allows various Microsoft Outlook security
    vulnerabilities to go unprotected, but if you have a load of mailing
    lists sending them, then you will want to allow them to keep your
    users happy. 
*Log IFrame Tags*
    You may receive complaints from your users that HTML mailing lists
    they subscribe to have been stopped by the "Allow IFrame Tags"
    option above. So before you use the option above, set this option to
    "yes" and MailScanner will log the senders all messages which
    contain IFrame tags. You can then setup a ruleset for the option
    above which will allow IFrame tags in messages sent by well known
    (and trusted) mailing lists, while banning them from everywhere else. 
*Allow Object Codebase Tags*
    Default is no 
    Do you want to allow HTML <Object Codebase=...> tags in email
    messages? This will allow various Microsoft security vulnerabilities
    to go unprotected. I strongly advise you set this to "no" unless you
    have a very specific requirement. 
*Convert Dangerous HTML To Text*
    Default is no 
    When <IFrame> or <Object Codebase=...> HTML tags are allowed in
    messages, would you like to convert any messages containing them to
    be plain text. This is very useful as an alternative to either
    banning them using the 2 options above, or else allowing them
    through untouched. This option will still give the users the chance
    to read the text content of the message while not exposing them to
    potentially dangerous or offensive HTML content. 
*Convert HTML To Text*
    If you have users who are children, or who are offended by things
    like pornographic spam email, you can protect them by converting
    incoming HTML email messages into plain text. HTML attachments will
    not be affected. You could set this to be a ruleset so you only
    convert messages addressed to some of your users, or not convert
    messages from some known trusted sources. This can be essential if
    you have a "duty of care" for some of your users. 


    Attachment Filename Checking

*Filename rules*
    Default is /opt/MailScanner/etc/filename.rules.conf 
    File in which to store the attachment filename ruleset, documented
    below <#ruleset>. This can be a ruleset allowing different filename
    rules to apply to different users or domains. 


    Reports and Responses

*Quarantine Infections*
    Set this to store infected / dangerous attachments in directories
    created under the quarantine directory. Without this, they will be
    deleted. Due to laws on privacy and data protection in your country,
    you may be forced to set this to "no". 
*Quarantine Whole Message*
    Default is no 
    When an infected message is stored in the quarantine, a copy of the
    entire message will be saved, in addition to copies of the infected
    attachments. 
*Quarantine Whole Messages As Queue Files*
    Default is no 
    When an entire message is saved in the quarantine for any reason, do
    you want to save it as the raw data files out of the mail queue
    (which can be processed with the df2mbox script, and which is easier
    to send to its original recipients), or do you want a conventional
    message file consisting of the header followed by the body of the
    message. If the previous option is switched off, then this will only
    affect archived mail and quarantined spam. If the prevous option is
    on, then this also affects quarantined infections. 
*Deleted Bad Filename Message Report*
    When an attachment is deleted from a message because the filename
    failed the filename rules in force for the message, it is replaced
    by the contents of this file. A few variable substitutions can be
    made in this file, an example of each of which is contained in the
    supplied sample file. 
*Deleted Virus Message Report*
    When an attachment is deleted from a message because the attachment
    contained a virus or other dangerous content, it is replaced by the
    contents of this file. A few variable substitutions can be made in
    this file, an example of each of which is contained in the supplied
    sample file. 
*Stored Bad Filename Message Report*
    When an attachment is deleted from a message (and the attachment has
    been stored in the quarantine) because the filename failed the
    filename rules in force for the message, it is replaced by the
    contents of this file. A few variable substitutions can be made in
    this file, an example of each of which is contained in the supplied
    sample file. 
*Stored Virus Message Report*
    When an attachment is deleted from a message (and the attachment has
    been stored in the quarantine) because the attachment contained a
    virus or other dangerous content, it is replaced by the contents of
    this file. A few variable substitutions can be made in this file, an
    example of each of which is contained in the supplied sample file. 
*Disinfected Report*
    When, for example, a Microsoft Word macro virus has been safely
    removed from a document, leaving the original document intact, it is
    delivered on to the original recipient. The contents of this text
    file will be put in the body of the new message, explaining to the
    user what has happened. 
*Inline HTML Signature*
*Inline Text Signature*
    If the "Sign Clean Messages" option is set, then the contents of
    this file will be appended to the end of the body of every message
    that is scanned by MailScanner. You can use this to inform your
    users that MailScanner has scanned it, and you can also add any
    disclaimers you feel should be on mail travelling through your
    servers. The two options correspond to the contents that are
    appended to HTML messages and text messages respectively. 
*Inline HTML Warning* *Inline Text Warning*
    When attachments have been removed from a message, the contents of
    these files are inserted at the start of the body of the message to
    guide the recipient to read the "VirusWarning.txt" attachments that
    contain the virus reports themselves. 
*Sender Error Report*
    When a message could not be processed completely for some reason,
    such as bad message structure or unreadable winmail.dat TNEF
    attachments, this message is sent back to the sender. Read the
    example file supplied for a demonstration of what variables can be
    used inside the file. 
*Sender Bad Filename Report*
    When an attachment is trapped by the filename rules, this message is
    sent back to the sender. 
*Sender Virus Report*
    When an attachment is removed because of a virus, this message is
    sent back to the sender. 
*Hide Incoming Work Dir* When this option is set, the full directory in
which the virus was found will be removed from report messages sent to
users. This makes the infection reports a lot easier to understand.


    Changes to Message Headers

*Mail header*
    Default is X-MailScanner: 
    Extra header that should be added to all scanned messages to show
    they have been scanned. You might want to add an abbreviation of
    your site name to this, so that you can find headers that are added
    by your MailScanner server. 
*Spam Header*
    Default is X-MailScanner-SpamCheck: 
    Name of the header to add to mail detected as spam. The text of the
    header is a list of the causes that think the message is spam. 
*Spam Score Header*
    Default is X-MailScanner-SpamScore: 
    If the option "Spam Score" is set, this is the name of the header
    that is used to contain the list of characters. 
*Information Header*
    Default is X-MailScanner-Information: 
    Name of the header to add to all messages, to be used for simply
    providing a URL or contact information for anyone receiving mail
    that has gone through MailScanner. If you do not want this header,
    simply comment out this setting or set it blank. 
*Detailed Spam Report*
    Default is yes 
    If this is set to yes then you get the normal fully detailed spam
    report in spam messages. If this is set to no then you simply get a
    "spam" or "not spam" report. The exact text inserted can be
    configured in the languages.conf file for your language. 
*Spam Score Character*
    If the option "Spam Score" is set, this is the character that will
    be repeated in the "Spam Score Header", one letter for each point in
    the SpamAssassin score. 
*Clean Header Value*
    This is the text that is added to the "Mail Header" when a message
    is found to be clean and free of viruses and other dangerous content. 
*Infected Header Value*
    This is the text that is added to the "Mail Header" when a message
    is found to be infected with a virus or other dangerous content. 
*Disinfected Header Value*
    This is the text that is added to the "Mail Header" of a message
    that is created by MailScanner to contain disinfected documents
    containing macro viruses that could be completely removed, leaving
    the original document intact. 
*Information Header Value*
    This is the text that is added to the "Information Header" of a
    message that has passed through MailScanner at all. It could be used
    to provide a URL or contact address for recipients if they have any
    queries about the messages they have received. 
*Multiple Headers*
    When a message passes through more than one MailScanner server on
    your site, they will each try to add their own headers. This option
    controls what should happen when trying to add a MailScanner header
    that already exists in the message. 
*Hostname*
    This is the name of the MailScanner server that is put in messages
    to users. If you have more than one MailScanner server on your site,
    you will want to change this on each server so that you can tell
    them apart. 
*Sign Messsages Already Processed*
    If a message has already been processed by another MailScanner
    server on your site, then the "Inline HTML/Text Signature" is not
    added to the message again if this option is set. Without it, you
    will get one signature added for every MailScanner server that
    processes the message. 
*Sign Clean Messages*
    If this option is set, then the "Inline HTML/Text Signature" will be
    added to the end of every clean message processed by MailScanner.
    You can use this to inform the recipient that the message has been
    checked, and also to add any legal disclaimer or copyright statement
    you want to add to every message. Using a ruleset for this option,
    you could very simply set it so that only messages leaving your site
    are signed, for example. 
*Mark Infected Messages*
    If this option is set, then the "Inline HTML/Text Warning" is added
    to the start of every message that is found to be infected or has
    had attachments removed for any reason. This can be used to guide
    the recipients to read the infection reports contained in the
    replacement attachments. 
*Mark Unscanned Messages*
    If this option is set, then any message which is not scanned by
    MailScanner gets the "Mail Header" added to it with the string
    contained in the "Unscanned Header Value" option. This can be used
    to advertise your MailScanner service to customers/clients who are
    currently not using it. 
*Unscanned Header Value*
    This supplies the text that is placed in the "Mail Header" of
    messages that have not been scanned, if the option "Mark Unscanned
    Messages" is set. It is a useful place to advertise your MailScanner
    service to new customers/clients. 
*Deliver Cleaned Messages*
    Once a message has had all viruses and dangerous content removed
    from it, it will then be delivered to the original recipients if
    this option is set. If you want the behaviour from previous versions
    of MailScanner that had the "Deliver From Local Domains" keyword,
    then you should set this to be a ruleset that only returns "yes" for
    messages destined for inside your site, and "no" for messages going
    out of your site. 
*Notify Senders*
    If this option is set, a message will be sent back to the address
    that sent each infected message. The text contained in these
    messages is supplied by the "Sender Reports" described earlier in
    this document. 
*Never Notify Senders Of Precedence*
    This contains a space-separated list of message "Precedence:" header
    values. If you receive a nasty message, the sender will *not* be
    notified if the "Precedence:" header value appears in this list.
    This is particularly useful for stopping MailScanner responding to
    poorly-maintained mailing lists. 


    Changes to the Subject: Line

*Scanned Modify Subject*
    If this is set to "start" or "end" then the "Scanned Subject Text"
    is inserted at the start or the end of the Subject: line. This only
    happens if the Subject: line has not already been modified for any
    other reason. 
*Scanned Subject Text*
    This is the text inserted at the start or the end of the Subject:
    line if the "Scanned Modify Subject" option above is in effect. 
*Virus Modify Subject*
    If this is set, then the "Subject:" line of a message that was
    infected with a virus will have the "Virus Subject Text" text
    inserted at the start. 
*Virus Subject Text*
    This is the text inserted at the start of the "Subject:" line if the
    "Virus Modify Subject" option is set. 
*Filename Modify Subject*
    If this is set, then the "Subject:" line of a message that had an
    attachment with a dangerous filename will have the "Virus Subject
    Text" text inserted at the start. 
*Filename Subject Text*
    This is the text inserted at the start of the "Subject:" line if the
    "Filename Modify Subject" option is set. 
*Spam Modify Subject*
    If this is set, then the "Subject:" line of a message that was
    determined to be spam will have the "Spam Subject Text" text
    inserted at the start. 
*Spam Subject Text*
    This is the text inserted at the start of the "Subject:" line if the
    "Spam Modify Subject" option is set. 
*High Scoring Spam Modify Subject*
    If this is set, then the "Subject:" line of a message that was
    determined to be spam, and had a SpamAssassin score greater than the
    "High SpamAssassin Score" will have the "High Scoring Spam Subject
    Text" text inserted at the start. 
*High Scoring Spam Subject Text*
    This is the text inserted at the start of the "Subject:" line if the
    "High Scoring Spam Modify Subject" option is set. 


    Changes to the Message Body

*Warning Is Attachment*
    When an infected or dangerous attachment is replaced with a text
    message containing the infection report, should the replacement be
    an attachment (yes) or should it be included inline in the main text
    of the message (no). 
*Attachment Warning Filename*
    What an infected or dangerous attachment is replaced with a text
    message containing the infection report, this is the filename of the
    attachment that appears in the message. 
*Attachment Encoding Charset*
    This is the name of the encoding character set used for the contents
    of "VirusWarning.txt" attachments. If your users do not use English
    as their preferred language, you may want to set this to "ISO-8859-1". 


    Mail Archiving and Monitoring

*Archive Mail*
    This option provides a list of directory names and/or email
    addresses to which all mail should be copied. You will probably want
    to make this a ruleset so that only mail to/from certain users is
    archived. Note that there may be severe legal privacy implications
    of using this option without the prior knowledge of the individuals
    whose messages you are archiving/copying. 


    Notices to System Administrators

*Send Notices*
    Should system administrators listed in the "Notices To" option be
    notified of every infection found? 
*Notices Include Full Headers*
    If this option is set, then the system administrator notices will
    include the full headers of every infected message. If this option
    is set to "no" then only a restricted set of headers is included in
    the notices. 
*Hide Incoming Work Dir in Notices*
    When this option is set, the full directory in which the virus was
    found will be removed from report messages sent to administrators.
    This makes the infection reports a lot easier to understand. It is
    also very useful if your notices go to your customer sites. 
*Notice Signature*
    This string is added to the bottom of all system administrator
    notices, and is intended to be the signature of your MailScanner
    system. To insert "line-breaks" or "newline" characters, use the
    sequence *\n*. 
*Notices To*
    This option provides a list of the addresses to which virus notices
    should be sent. You may want to set this to be a ruleset, providing
    different notification addresses for different domains that you
    administer. 
*Local Postmaster*
    When virus warnings are sent to any users, this is the email address
    used as the "From:" header in the messages. 


    Definitions of Virus Scanners and Spam Detectors

*Spam List Definitions*
    This file contains all the definitions of the "Spam Lists" (also
    known as RBL's or DNSBL's) which can be used to try to detect spam
    based on where each message came from. Many more spam lists can be
    added to this file, but it contains the most popular ones to get you
    started. 
*Virus Scanner Definitions*
    This file contains the locations of all the commands that are run
    for each virus scanner. Check this file before starting MailScanner
    to make sure it will run the correct command or wrapper script. 


    Spam Detection and Spam Lists (DNS Blocklists)

*Spam Checks*
    If this option is set, messages will be checked to see if they are
    spam. 
*Spam List*
    This provides a space-separated list of "Spam Lists" (or RBL's or
    DNSBL's) which are checked for each message. These lists are based
    on the numeric IP address of the server that sent the message to
    your MailScanner server. Every list used here must be defined in the
    "Spam List Definitions" file mentioned above. 
*Spam Domain List*
    This provides a space-separated list of "Spam Lists" (or RBL's or
    DNSBL's) which are checked for each message. These lists are based
    on the domain name of the sender address of each message. Every list
    used here must be defined in the "Spam List Definitions" file
    mentioned above. 
*Spam List Timeout*
    This is the number of seconds to wait for each "Spam List" lookup to
    complete. If the lookup takes longer than this, it is killed and
    ignored. 
*Max Spam List Timeouts*
    If a "Spam List" lookup times out for this many consecutive checks
    without ever succeeding, then the particular "Spam List" entry will
    not be used any more, as it appears to be unreachable. When
    MailScanner restarts itself after a few hours, MailScanner will try
    to use the entry again, in case service has resumed properly. 
*Is Definitely Not Spam*
    This option would normally be a ruleset. Any messages for which the
    ruleset result is "yes" will never be marked as spam. This is used
    to create a spam "whitelist" of addresses which are never spam. You
    will probably want to include your own site (or your own site's IP
    addresses) in this ruleset. 
*Is Definitely Spam*
    This option would normally be a ruleset. Any messages for which the
    ruleset result is "yes" will always be marked as spam. This is used
    to create a spam "blacklist" of addresses of known spammers. 


    SpamAssassin

*Use SpamAssassin*
    Do you want to detect spam using the very good SpamAssassin
    <http://www.spamassassin.org/> package? You must have installed
    SpamAssassin before using this option, otherwise MailScanner will
    not start properly. 
*Max SpamAssassin Size*
    SpamAssassin is quite slow when processing very large messages. To
    work round this problem, this option provides a maximum size for
    messages that are processed with SpamAssassin. Most real spam is
    usually less than about 50,000 bytes per message. 
*Required SpamAssassin Score*
    This gives the minimum SpamAssassin score value above which messages
    are spam. This replaces SpamAssassin's own "required_hits" value, so
    that it can be a ruleset and set to different values for different
    users/domains. 
*High SpamAssassin Score*
    Messages with a SpamAssassin score greater than this value are
    labelled as being "High Scoring Spam", and a different set of "Spam
    Actions" are applied to messages scoring at least this value. 
*SpamAssassin Auto Whitelist*
    SpamAssassin has a feature which measures the ratio of spam to
    non-spam originating from different addresses, and will
    automatically add addresses to its own internal "whitelist" if most
    of the messages from an address is not spam. This option enables
    this feature of SpamAssassin. Please read their documentation for
    more information. 
*SpamAssassin Prefs File*
    SpamAssassin uses a "user preferences" file which can be used to set
    the values of various SpamAssassin options. This is the name of that
    file. Its most useful feature is that the RBL/DNSBL/"Spam List"
    checks done by SpamAssassin can be disabled as MailScanner already
    does them and there is little to be gained by doing these checks
    twice for every message. 
*SpamAssassin Timeout*
    This option sets the maximum number of seconds to wait for
    SpamAssassin to process a message. This is a useful protection
    against occasional bugs in SpamAssassin that can cause it to take
    hours to process a single message. 
*Max SpamAssassin Timeouts*
    If several consecutive calls to SpamAssassin time out, then
    MailScanner decides that there is something stopping SpamAssassin
    from working properly. It will therefore be disabled for the next
    few hours until MailScanner restarts itself, at which point it will
    be tried again. 
*Check SpamAssassin If On Spam List*
    If a message has already triggered any of the "Spam List" checks,
    the SpamAssassin check will be skipped if this option is set to
    "no". This can help reduce the load on your server if SpamAssassin
    checks take a long time for some reason. 
*Always Include SpamAssassin Report*
    If this option is set, then the "Spam Header" will be included in
    the header of every message, so its presence cannot be used to
    filter out spam by your users' e-mail applications. 
*Spam Score*
    If a message is spam, and this option is set, then a header will be
    added to the message containing 1 character for each point in the
    SpamAssassin score. This allows users to choose for themselves the
    SpamAssassin scores at which they want to do different things with
    the message, such as file it or delete it. 


    What to do with Spam

*Spam Actions*
    This can be any combination of 1 or more of the following keywords,
    and these actions are applied to any message which is spam. 
    "deliver" - the message is delivered to the recipient as normal 
    "delete" - the message is deleted 
    "store" - the message is stored in the quarantine 
    "bounce" - a rejection message is sent back to the sender 
    "forward" - an email address is supplied, to which the message is
    forwarded 
    "striphtml" - convert all in-line HTML content in the message to be
    stripped to plain text, which removes all images and scripts and so
    can be used to protect your users from offensive spam. Note that
    using this action on its own does not imply that the message will be
    delivered, you will need to specify "deliver" or "forward" to
    actually deliver the message. 
*High Scoring Spam Actions*
    This is the same as the "Spam Actions" option above, but it gives
    the actions to apply to any message whose SpamAssassin score is
    above the "High Scoring" threshold described above. 
*Sender Spam Report*
    When the "bounce" spam action is applied to a message that triggered
    both a "Spam List" check and SpamAssassin, this file gives the text
    to put in that message. 
*Sender Spam List Report*
    When the "bounce" spam action is applied to a message that triggered
    a "Spam List" check, this file gives the text to put in that message. 
*Sender SpamAssassin Report*
    When the "bounce" spam action is applied to a message that triggered
    SpamAssassin, this file gives the text to put in that message. 


    System Logging

*Syslog Facility*
    This is the name of the "facility" used by syslogd to log
    MailScanner's messages. If this doesn't mean anything to you, then
    either leave it alone or else read the "syslogd" man page. 
*Log Spam*
    If this option is set, then every spam message will be logged to
    syslog. If you get a lot of spam, or your server load is high, you
    will want to leave this option switched off. But if you are having
    trouble with spam detection, setting this to "yes" temporarily can
    provide useful debugging output. 
*Log Permitted Filenames*
    If this option is set, then every attachment filename that passes
    the "filename rules" checks will be logged to syslog. Normally this
    is of no interest. But if you are having trouble getting your
    filename rules correct, setting, this can provide useful debugging
    output. 


    Advanced Settings

*Debug*
    Not for use by normal users. Setting this option to "yes" will put
    MailScanner into debugging mode, in which it creates slightly more
    output and will not become a daemon. 
*Always Looked Up Last*
    The value of the option is actually never used, but it is evaluated
    at the end of processing a batch of messages. It is designed to be
    used in conjunction with a Custom Function. The Custom Function
    should then be written to have a "side effect" of doing something
    useful such as logging lots of information about the batch of
    messages to a file or an SQL database. 
*Deliver In Background*
    When attempting delivery of any messages (when the "Delivery Method
    = batch") the sendmail/Exim command will be run in the background so
    that MailScanner does not have to wait for the delivery attempt to
    complete. There are very few good reasons for setting this to "no". 
*Delivery Method*
    With this option set to "batch", then an attempt is made to deliver
    all of the messages in the current batch once they have been
    completely processed by MailScanner. With this option set to
    "queue", the messages are just placed in the outgoing queue, leaving
    sendmail/Exim to attempt to deliver them the next time it processes
    its queue. This can be useful on servers with very high load. 
*Lockfile Dir*
    This is the directory in which lock files are placed to stop the
    virus scanners used while they are in the middle of updating
    themselves with new virus definitions. If you change this at all,
    you will need to edit the "autoupdate" scripts for all your virus
    scanners. 
*Lock Type*
    Do not set this option to anything unless you know *exactly* what
    you are doing. For sendmail and Exim, MailScanner will choose the
    correct value by default. This affects how mail queue files are
    locked, and your mail will be totally screwed up if you set this
    option to anything other than the correct value for your MTA. So
    leave it alone and let MailScanner choose the correct value for you. 
*Minimum Code Status*
    Some of the virus scanners are not supported by the authors of
    MailScanner, and they may use code contributed by another user. If
    this option is set to the wrong value for your virus scanners, then
    you will get an error message in your maillog (syslog) telling you
    that it is set wrong and MailScanner will refuse to start. The error
    message will include the location of a web page describing this
    option in more detail, and this tells you what value to set this to
    for each virus scanner that can be used by MailScanner. 


  Attachment Filename Ruleset

This is held in the filename pointed to by the configuration option
Filename rules. It contains a set of rules that are used to judge
whether any given file attachment should be accepted or rejected on the
basis of its filename, regardless of whether it is found to be
virus-infected or not.

This can not only be used for draconian measures such as banning all
.exe attachments, but it can be used with any Perl regular expression to
provide facilities such as detection of attempts at hiding filenames.

Many Windows e-mail programs (eg. Microsoft Outlook) hide common file
extensions in an attempt to not baffle the user. The result is that
while an attachment called "Your Document.doc" is helpfully displayed as
"Your Document", a more sinister attachment just as "Looks Safe.txt.pif"
will appear simply as "Looks Safe.txt". Many users recognise the .txt
filename extension as applying to plain text files, which they know are
safe. So even an experienced user may well double-click on this
attachment thinking it is just going to start Notepad and display the
text file.

However, the file is really an MS-Dos shortcut (.pif file) and can
execute any arbitrary commands the author wanted: all without any
indication to the unwitting user.

The rules are matched in order from the top to the bottom of the file,
and the first rule containing a matching regular expression is used.

Each line of the file is either blank, a comment (in which case it
starts with a '#' character) or is a rule made up of 4 fields separated
by one or more TAB characters.

allow / deny
    Accept or reject the attachment if its filename matches the regular
    expression 
regular expression
    The rule is executed if the attachment matches this expression. It
    may optionally be surrounded in '/' characters. 
log text
    If the rule matches, this text is placed in the syslog. If the text
    is "-", no string is logged. 
user text
    If the rule matches, this text is placed in the text message sent to
    the user. If the text is "-", no text is used. 

The configuration file example <filesnscripts.shtml#filename.rules.conf>
demonstrates what can easily be done with this syntax.

------------------------------------------------------------------------
Julian Field <http://www.ecs.soton.ac.uk/info/people/jkf>