Best Antivirus Options for a Mailserver?
CSIP asks: "I am setting up a small mailserver, with ~500 users, across 80 domains. I'm planning to use qmail-scanner and an antivirus scanner to block incoming viruses. I would prefer to use ClamAV, however I've read conflicting reports on its effectiveness. The commercial scanners appear to detect 99.X% however they are licensed per-user, which at 500+ users becomes quite the annual bill.
What is everyone's experience with ClamAV? Are there other commercial scanners that allow you to license on a per-server basis?" The best indicator of quality for a virus scanner is the information in its virus database. How do ClamAV's virus definitions compare to commercial scanners, like McAfee's?
Re:ClamAV (Score:2, Insightful)
Score:1, Interesting
Right....
there's always the blowtorch on an ant method! (Score:3, Insightful)
Now, granted, with 500 users, I'm going to assume that is not an option for you as people likely send files back and forth via email quite often.
Still, I just wanted to point out that blocking email with attachments is probably the most effective antivirus option for a mailserver, though certainly not the best solution.
Re:there's always the blowtorch on an ant method! (Score:5, Insightful)
It's extremely easy to do, and you could even set it up so that each uploaded file gets a little key so only the intended recipient can get it. The uploader script will automatically send an email to the desired recipient, containing a URL with the unique key embedded. Having all of the files stored on the server like that will probably cut down on all the inappropriate files too.
Solution should take no more than three PHP files of 100 or fewer lines each.
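The keyed-download scheme described in the comment above, sketched as an added example that is not part of the original post. It uses Python rather than the PHP the commenter suggests; every name, the placeholder host, the one-week expiry and the single-use rule are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

BASE_URL = "https://files.example.invalid/get"  # placeholder host (assumption)
TTL_SECONDS = 7 * 24 * 3600                     # link lifetime (assumption)

# In-memory stand-in for a database table, keyed by the SHA-256 of the key.
# Only the hash is kept, so a leaked table does not yield working links.
STORE = {}


def digest(token):
    """Hash a download key for storage and lookup."""
    return hashlib.sha256(token.encode("ascii", "replace")).hexdigest()


def register_upload(filename, recipient, now=None):
    """Record an uploaded file and return the URL to e-mail to the recipient."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    STORE[digest(token)] = {
        "filename": filename,
        "recipient": recipient,
        "expires": now + TTL_SECONDS,
        "used": False,
    }
    return f"{BASE_URL}?key={token}"


def redeem(token, now=None):
    """Return the filename for a valid key, or None.

    A key is rejected if it is unknown, expired, or already used.
    """
    now = time.time() if now is None else now
    record = STORE.get(digest(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # single use (assumption; drop to allow re-download)
    return record["filename"]
```

The key is a bearer secret: anyone who sees the e-mail can fetch the file, so this restricts guessing and enumeration, not interception.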
something to check for in your AV scanner (Score:4, Insightful)
Re:Here's an idea... (Score:3, Insightful)
I've admined corporate networks with between five hundred and a thousand clients and admined ISPs with five times as many so yeah, I've dealt with end users. It was my experience that you can either marvel at their stupidity and bang your head on your desk or marvel at their stupidity, try to help and educate them and then bang your head on your desk. I found the latter gave me the always heartwarming excuse, "I tried."
At any rate, I think that perhaps you've missed my point. You can't prevent all bad things from happening but by putting a block in place which causes people to pause and reflect, you _may_ aid them in helping themselves. This is why we have railings on staircases, seatbelt warning lights in cars etc. I should also add that my suggestion does not in any way prevent an admin from also implementing some kind of server-side virus protection. The more protection, the merrier.
As for users just opening things in their browser which are configured to execute anything executable they come across, what's to stop the same script from changing .exe to .xex with a note telling users that in order to execute the program they will have to manually change it back?
Granted, you can't prevent a determinedly stupid person from being themselves but you can try to help those wavering on the edge. You also have to try to stay one step ahead of stupid because, contradictory to Darwin's teachings, stupid is evolving at a terrifying rate.
Clam is *better* at times . . . (Score:2, Insightful)
With the recent bagle and somefool worms, I was seeing lots of catches by amavis-clam, but it didn't handle the encrypted zips correctly (though word on the mailing lists is there are mods/updates that can be made to start handling them right. I'm just gonna dump all zips for now, those pesky users don't deserve 'em anyways). To answer the original question though? Is Clam ready for primetime? I think so, but erring on the side of caution and having another layer of virus checks in there can't hurt . . . either way, you'll need to keep tabs on it for the next 'catch you by surprise' variant that even the commercial products aren't responding to in time; the more users you are supporting, the higher the probability that you are going to be the one dealing with an account that was one of the first to receive the newest worm . . .