1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
|
--- ../MailScanner-4.22-5.old/docs/man/MailScanner.conf.5 Mon Aug 11 12:15:30 2003
+++ docs/man/MailScanner.conf.5 Mon Aug 11 12:36:06 2003
@@ -1,4 +1,4 @@
-.TH "MailScanner.conf" "5" "4.22-4" "Julian Field" "Mail"
+.TH "MailScanner.conf" "5" "4.23" "Julian Field" "Mail"
.SH "NAME"
.LP
MailScanner.conf \- Main configuration for MailScanner
@@ -279,9 +279,15 @@
.br
.br
-Anything on the next line that appears in brackets at the end of a line of output from Sophos will cause the error/infection to be ignored. Use of this option is dangerous, and should only be used if you are having trouble with lots of corrupt PDF files, for example. Example:
+Anything on the next line that appears in brackets at the end of a line of output from Sophos will cause the error/infection to be ignored. Use of this option is dangerous, and should only be used if you are having trouble with lots of corrupt PDF files, for example. This option allows for multiple strings as well. In this case, the strings should be put in double quotes (") and each string separated with commas. Examples:
.br
Allowed Sophos Error Messages = corrupt format not supported
+.br
+Allowed Sophos Error Messages = "corrupt", "format not supported"
+.br
+
+.br
+The first version will match "corrupt format not supported" only. The second version will match "corrupt" and "format not supported".
.TP
\fBSophos IDE Dir\fR
@@ -358,11 +364,13 @@
.br
.br
-Messages whose virus reports contain any of the words listed here will be treated as "silent" viruses. No messages will be sent back to the senders of these viruses, and the delivery to the recipient of the message can be controlled by the next option "Still Deliver Silent Viruses". This is primarily designed for viruses such as "Klez" and "Bugbear" which put fake addresses on messages they send, so there is no point informing the sender of the message, as it won't actually be them who sent it anyway. Other words that can be put in this list are the 2 special keywords
+Messages whose virus reports contain any of the words listed here will be treated as "silent" viruses. No messages will be sent back to the senders of these viruses, and the delivery to the recipient of the message can be controlled by the next option "Still Deliver Silent Viruses". This is primarily designed for viruses such as "Klez" and "Bugbear" which put fake addresses on messages they send, so there is no point informing the sender of the message, as it won't actually be them who sent it anyway. Other words that can be put in this list are the 3 special keywords
.br
HTML\-IFrame: inserting this will stop senders being warned about HTML Iframe tags, when they are not allowed.
.br
HTML\-Codebase: inserting this will stop senders being warned about HTML Object Codebase tags, when they are not allowed.
+.br
+All\-Viruses: inserting this will stop senders being warned about any virus, while still allowing you to warn senders about HTML\-based attacks.
.TP
@@ -539,7 +547,31 @@
.br
.br
-When an attachment is deleted from a message (and the attachment has been stored in the quarantine) because the filename failed the filename rules in force for the message, it is replaced by the contents of this file. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
+When an attachment is deleted and stored from a message (and the attachment has been stored in the quarantine) because the filename failed the filename rules in force for the message, it is replaced by the contents of this file. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
+
+.TP
+\fBDeleted Bad Content Message Report\fR
+Default: /opt/MailScanner/etc/reports/en/deleted.content.message.txt
+.br
+Default Linux: /etc/MailScanner/reports/en/deleted.content.message.txt
+.br
+Default FreeBSD: /usr/local/share/MailScanner/reports/en/deleted.content.message.txt
+.br
+
+.br
+This report is sent when a message is deleted because it contained bad or dangerous content. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
+
+.TP
+\fBStored Bad Content Message Report\fR
+Default: /opt/MailScanner/etc/reports/en/stored.content.message.txt
+.br
+Default Linux: /etc/MailScanner/reports/en/stored.content.message.txt
+.br
+Default FreeBSD: /usr/local/share/MailScanner/reports/en/stored.content.message.txt
+.br
+
+.br
+This report is sent when a message is stored because it contained bad or dangerous content. A few variable substitutions can be made in this file, an example of each of which is contained in the supplied sample file.
.TP
\fBDisinfected Report\fR
@@ -600,7 +632,8 @@
.br
When an attachment is trapped by the filename rules, this message is sent back to the sender.
-:
+
+
.TP
\fBSender Virus Report\fR
Default: /opt/MailScanner/etc/reports/en/sender.virus.report.txt
@@ -613,6 +646,7 @@
.br
When an attachment is removed because of a virus, this message is sent back to the sender.
+
.TP
\fBHide Incoming Work Dir\fR
Default: yes
@@ -623,11 +657,13 @@
.TP
\fBInclude Scanner Name in Reports\fR
-Default: no
+Default: yes
.br
.br
-Include the name of the virus scanner in each of the scanner reports. Very useful if you use several virus scanners, but a bad idea if you don't want to let your customers know which scanners you use.
+Include the name of the virus scanner in each of the scanner reports. This also includes the translation of "MailScanner" in each of the report lines resulting from one of MailScanner's own checks such as filename, filetype or dangerous HTML content. To change the name "MailScanner", look in reports/...../languages.conf.
+.br
+Very useful if you use several virus scanners, but a bad idea if you don't want to let your customers know which scanners you use.
.SH "Changes to message headers"
.TP
\fBMail Header\fR
@@ -839,17 +875,34 @@
.br
.br
-If this is set, then the "Subject:" line of a message that had an attachment with a dangerous filename will have the "Virus Subject Text" text inserted at the start.
+If this is set, then the "Subject:" line of a message that had an attachment with a dangerous filename will have the "Filename Subject Text" text inserted at the start.
.TP
\fBFilename Subject Text\fR
-Default: yes
+Default: {Virus?}
.br
.br
This is the text inserted at the start of the "Subject:" line if the "Filename Modify Subject" option is set.
.TP
+\fBContent Modify Subject\fR
+Default: yes
+.br
+
+.br
+If this is set, then the "Subject:" line of a message that triggered a content check without anything else wrong in the message will have the "Content Subject Text" text inserted at the start.
+
+.TP
+\fBContent Subject Text\fR
+Default: {Filename?}
+.br
+
+.br
+This is the text inserted at the start of the "Subject:" line if the "Content Modify Subject" option is set.
+
+
+.TP
\fBSpam Modify Subject\fR
Default: yes
.br
@@ -1081,6 +1134,14 @@
.br
This option would normally be a ruleset. Any messages for which the ruleset result is "yes" will always be marked as spam. This is used to create a spam "blacklist" of addresses of known spammers.
+.TP
+\fBDefinite Spam Is High Scoring\fR
+Default: no
+.br
+
+.br
+Setting this to yes means that spam found in the blacklist is treated as "High Scoring Spam" in the "Spam Actions" section below. Setting it to no means that it will be treated as "normal" spam. This can also be the filename of a ruleset.
+
.SH "SpamAssassin"
.TP
\fBUse SpamAssassin\fR
@@ -1411,6 +1472,27 @@
.br
Are you using Exim with split spool directories? If you don't understand this, the answer is probably "no". Refer to the Exim documentation for more information about split spool directories.
+
+.TP
+\fBUse Default Rules With Multiple Recipients\fR
+Default: no
+.br
+
+.br
+When trying to work out the value of configuration parameters which are using a ruleset, this controls the behaviour when a rule is checking the "To:" addresses. If this option is set to "yes", then the following happens when checking the ruleset:
+.br
+
+.br
+a) 1 recipient. Same behaviour as normal.
+.br
+b) Several recipients, but all in the same domain (domain.com for example). The rules are checked for one that matches the string "*@domain.com".
+.br
+c) Several recipients, not all in the same domain. The rules are checked for one that matches the string "*@*".
+.br
+
+.br
+If this option is set to "no", then some rules will use the result they get from the first matching rule for any of the recipients of a message, so the exact value cannot be predicted for messages with more than 1 recipient. This value *cannot* be the filename of a ruleset.
+
.SH "RULESETS"
.LP
Ruleset files should all be put in /opt/MailScanner/etc/rules (FreeBSD: /usr/local/etc/MailScanner/rules) and their filename should end in ".rules" wherever possible.
|