MailScanner Installation and Configuration: Part Two

MailScannerIn the previous article, we introduced MailScanner and covered installation as well as basic configuration. In this article, we will look at some of the other configuration options.

If we navigate to Services -> MailScanner, there are nine tabs. The second tab is “Attachments“. Under the “Attachments” heading, there are several settings. The “Attachments features” list box controls how attachments are handled. “Expand TNEF” causes MailScanner to expand TNEF (Transport Neutral Encapsulation Format) attachments. TNEF is a proprietary e-mail attachment format used by Microsoft Outlook and Microsoft Exchange Server. “Deliver Unparsable TNEF” will do the opposite, and leave TNEF attachments unexpanded. “Find Archive By Content” will enable searching archives. “Unpack Microsoft Documents” will expand non-TNEF Microsoft attachments, and “Zip Attachments” will allow zip attachments through.

TNEF Contents” specifies what to do when TNEF attachments are expanded. If this is set to “no”, a TNEF attachment will be listed as an attachment, but not the attachments contained therein. If however, this is set to “add” or “replace”, then the attachments contained in the archive will be added to the list of attachments in the message, and recipients of messages sent in this format will be able to read the attachments even if they are not using Microsoft Outlook.

Maximum Attachment Size” specifies the maximum size (in bytes) of any attachment in a message. If this is set to zero, no attachments will be allowed. If this is set to less than zero, then no size checking will be done. The default value is -1.

Scrolling down, you will see edit boxes containing two separate config files: filename.rules.conf and filetypes.rules.conf. filename.rules.conf allows or denies certain files based on the file’s extension, while filetypes.rules.conf allows or denies certain file types based on their MIME (Multipurpose Internet Mail Extensions) type.

The next tab is “Antivirus“. under the “Antivirus” heading, there are several settings. The first is “Virus scanner features“. “Virus Scanning” is enabled by default, as is “Check Filenames In Password-Protected Archives“. In addition, you can enable such features as “Deliver Disinfected Files” (deliver files after they have been disinfected by the antivirus engine), “Still Deliver Silent Viruses“, “Block Encrypted Messages“, “Block Unencrypted Messages“, and “Allow Password Protected Archives“. The next setting is “Virus scanner“, which controls which virus scanner to use. Possible settings are “auto” (let MailScanner decide what to use), “clamav” (Clam AV), “clamd” (the Clam daemon), or “none” for no e-mail scanning. “Virus Scanner Timeout” controls the maximum length of time the commercial virus scanner is allowed to run for one batch of messages. The default is 300 seconds. The next heading, “Custom antivirus options“, allows you to add any custom parameters you need to specify.

The next tab is “Content“. The first heading is “Removing/Logging dangerous or potentially offensive content“. The first setting is the “Contents” list box, which determines what content for which MailScanner will scan. The default settings are “Dangerous content Scanning“, “Find Phishing Fraud“, “Also Find Numeric Phishing“, “Use stricter Phishing Net“, and “Highlight Phishing Fraud“. Other settings include “Allow Partial Messages“, “Allow External Message Bodies“, “Convert Dangerous HTML To Text“, “Convert HTML To Text“.

External Links:

The official MailScanner web site
MailScanner at Wikipedia

Virus Check with HTTP AntiVirus Proxy

virus check

The HTTP Proxy settings page in HAVP under pfSense 2.1.3.

HTTP AntiVirus proxy (HAVP) is a proxy with an anti-virus filter. it does not cache or filter content, but completely scans incoming traffic while doing a virus check. The main objectives of HAVP are: [1] continuous and non-blocking downloads, and [2] smooth scanning of dynamic and password protected home pages.

HAVP’s virus check works by writing data from a server in a temporary file and hard locks the end of a file. A second fork begins scanning all written data. During this time, the data is sent to the client. You can define the size of data which is held back and only deliver it to the client when scanning is complete. This way, scanning starts simultaneously with the download. If the scanning process is too slow and the file is larger than the defined “hold back data”, you can still receive a virus. Moreover, if the file contains a virus and the file is bigger than the defined “hold back data” buffer size, the download will be canceled without warning.

Virus Check with HTTP AntiVirus Proxy: Installation and Configuration

Like all packages, installation of the HAVP virus check package is fairly easy. Just navigate to System -> Packages and scroll down to HAVP antivirus. Press the “plus” button to the right of the listing, and on the next page, click on the “Confirm” button. Installation of HAVP antivirus will take a few minutes.

Once HAVP antivirus is installed, there will be a new item on the “Services” menu called “Antivirus“. There are three available tabs: “General Page“, “HTTP Proxy“, and “Settings“, containing relevant settings for the HAVP virus check. If you click on the “Settings” tab, you will find several parameters relevant to HAVP antivirus configuration. The “AV base update” dropdown box defines at what interval the antivirus database will update itself. You can update at intervals between 1 and 24 hours. The “Regional AV database update mirror” dropdown box allows you to select the location of the update server. You can specify additional servers in the “Optional AV database update servers” box. The “Log” check box allows you to enable logging; the “SysLog” check box enables the SysLog.

The second tab is “HTTP proxy“. Checking the “Enable” check box here enables the HTTP proxy to perform a virus check. The next setting is the “Proxy mode” dropdown box. If you select “Standard“, clients will bind to the proxy port on the proxy interface. But if you choose “Parent for Squid“, then HAVP will insert itself between the Squid proxy and the WAN interface (Internet). If you have the Squid proxy installed, you probably want to choose this option. “Transparent” causes HAVP to act as a parent for Squid with a transparent Squid proxy, while “Internal” causes HAVP to listen on the loopback on the configured proxy port.

virus check

The HAVP dashboard.

Proxy interface(s)” allows you to select one or more interfaces for client connections to the proxy. Normally, clients will be connecting through the LAN interface, so you probably want to leave only “LAN” selected. “Proxy port” allows you to select the port the proxy server will listen on. The port must be different than the Squid proxy port. You can probably leave it as the default of 3125. Moving further down the page, you probably want to change the “Language” in which the proxy server will display error messages to users.

Most of the remaining “HTTP proxy” settings can remain unchanged, but a few are worth noting. “Max download size” allows you to enter a value (in bytes) of the maximum file download size. But be warned: downloads larger than this size will be blocked if not whitelisted. “Whitelist” allows you to specify URLs that will be accessible to users without scanning, while “Blacklist” allows you to specify URLs that will be blocked. “Enable RAM Disk” allows you to use a RAM disk for HAVP temporary files for a quicker traffic scan in virus checking. The RAM disk size will be either 25 percent of the available system memory or 100 times the maximum scan file size, whichever is greater. “Scan max file size” allows you to select the maximum file size or not set a maximum file size at all. If you set a maximum file size, then file sizes larger than the limit won’t be scanned, so there is a security risk involved in setting this parameter. The “Scan images” check box allows you to scan image files, and “Scan media stream” allows you to scan audio/video streams. The “Log” check box enables logging.

Once you are done configuring the settings, press the “Save” button at the bottom of the page to save the settings. In order to ensure the HAVP virus check is working correctly, you probably should download the EICAR virus test file from The test file is not an actual virus, but contains a standardized signature that is used to test antivirus programs. If the HAVP virus check is working properly, you should be redirected to a page with an access denied message.

If you click on the “General Page” tab, you can see the HAVP dashboard. You will be able to see which services are started, the update status and scanner status, and which if any viruses have been found.

One additional caveat is that HAVP requires a fair amount of memory to work, and if it is enabled on pfSense systems that are towards the low end of pfSense’s memory requirements (e.g. 256 MB), pfSense may become slow and unresponsive. Ideally you should have at least 1 GB of RAM if you are running HAVP.

External Links:

The official HTTP AntiVirus Proxy web site

How to Set Up an HTTP Anti-Virus Proxy Using pfSense and HAVP at

Anti-Malware testfile from

© 2013 David Zientara. All rights reserved. Privacy Policy