Created January 3, 2002


Mike MacCana and his little web site



Online Resources



Downloadable Instructions from this Page

Sophos Antivirus 3.61 (September 2002) package

Sophos MailMonitor for SMTP 1.02

SavGet for Unix MailMonitor 0.2.5

Sample Postfix configuration files for using Sophos MailMonitor as a content_filter



Please note that although none of the (non-config) files in the Sophos AntiVirus package have been modified, Sophos will only officially support their vanilla, unpackaged install of Sophos AntiVirus, and only on the purchase of a subscription. Please send comments, questions or corrections to mikem@cyber.com.au. If you implement a system using these packages or techniques I'd love to hear about it.

Mike
3rd Party Resources for Sophos MailMonitor on Linux systems

Linux's stability and secure default installs make it a good choice for many companies' mail exchangers (MXs), even if the company uses a different system for internal mail. Hence Linux is a popular choice for email gateways, and as a result there are quite a few virus scanners available for the platform, from the usual suspects - Sophos, Network Associates/McAfee, Trend, Kaspersky, etc. (visit OpenAntivirus for more information).

Sophos MailMonitor is a virus scanning SMTP server for Linux, Unix and BSD systems. It's a proprietary app which runs on top of Sophos AntiVirus and filters a company's incoming mail for the latest Windows and MS Office viruses.

There are many similar virus scanning apps available for Linux, but the reasons I prefer Sophos at client sites are:

  • SMTP interface - Sophos MailMonitor already runs as a daemonised service that speaks SMTP
  • Good documentation
  • Frequent updates
  • Reasonable staff - after bad experiences with Network Associates' sales staff in the Asia Pacific region, who had nonexistent Unix platform skills, I appreciate Sophos's smart employees.
  • Availability of good support resources from the Open Source community - for example, SavGet

It has its downsides, which are mainly a result of the proprietary engine used in the product. Sophos doesn't make money from the engine itself; it makes money from virus definition updates, charged per year of subscription. Keeping the engine proprietary makes the product:

  • Integrate less well with other apps. For example, Sophos isn't packaged, doesn't have an init script, requires users to create their own global environment variables, etc.
  • Slightly buggy - the application dies when the locale is set to en_gb
  • Less popular, as it cannot ship with the many Linux distributions that limit their core OS to Open Source software
  • Less secure, because the source code is not available for peer review

If Sophos open sourced their engine but still charged for subscriptions, they'd gain significant mindshare amongst the IT security and Linux communities, who are well aware of the security and reliability advantages of Open Source products, while keeping their current subscription revenue and adding to it from OSS-focused customers who appreciate the value this provides. The quality of their product might also be significantly improved by Open Source enhancements; this page provides a good example.

Sophos Antivirus Packages

This Sophos AntiVirus package includes a few changes relative to the unpackaged version available from the Sophos website:

  • A packaged installation, in accordance with the Linux Standard Base. This allows for standardised and automated install, uninstall, querying and verification.
  • InterCheck starts from a standard Linux SysV init script, with Red Hat's coloured OK and FAILED messages so users can tell at a glance whether the service started successfully
  • The `sweep' user is created automatically on package installation
  • Files are installed into the correct locations under /usr, as required for the application to be included as part of a Linux distribution (see the LSB's notes on /usr/local)
  • Environment variables are set automatically for all users
  • Sample configuration files are provided

None of the original files from the freely downloadable SAV on the Sophos web site have been modified. These packages are made available to other administrators who have purchased Sophos AntiVirus and want to install it using standard mechanisms. Ideally Sophos should provide properly packaged versions of their apps themselves; why not ask your support contact to do so? It's a great app, but unpackaged software is a nightmare to maintain in the long term.

Guide to Installing Sophos MailMonitor on Linux Systems


Mike MacCana, 20020212

In the setup outlined below, Postfix accepts incoming mail on port 25 and hands it to a content_filter. Here the content_filter is Sophos MailMonitor, which takes the mail on port 10025. After scanning, MailMonitor hands the mail back to a second Postfix listener on port 10026, and that instance delivers it as normal.

Configuring Postfix and MailMonitor


  1. Stop the postfix service:

    service postfix stop
  2. Edit the file /etc/postfix/main.cf and insert this line:
    content_filter = smtp:127.0.0.1:10025

    This tells Postfix to pass incoming messages to a content filter, namely the program listening on 127.0.0.1 port 10025.
  3. Edit the file /etc/mmsmtp/mmsmtp.cfg and change

    interfaces = 127.0.0.1:10025

    smtp_server_address = 127.0.0.1

    smtp_server_port = 10026

    This tells MailMonitor to listen on port 10025 of localhost and, once it has processed the mail, to hand the messages that weren't bounced to port 10026 of localhost.

  4. Edit the file /etc/postfix/master.cf and add a line:

    localhost:10026 inet n - y - - smtpd -o content_filter= -o myhostname=delivermail.yourcompany.com.au

    This tells Postfix to start a second smtpd, listening only on localhost port 10026, to take the scanned mail back from MailMonitor. The -o content_filter= override is essential: this instance must NOT use the content filter, or every scanned message would be handed straight back to MailMonitor and loop. Keeping it bound to localhost matters too, since a re-injection port reachable from the network would let anyone deliver mail to the unfiltered instance and skip the scanner. The different myhostname makes the two instances easy to tell apart in the logs and Received: headers, and stops Postfix from mistaking the second instance for itself (its loop detection compares a server's SMTP greeting with its own myhostname).

  5. Start MailMonitor at boot time:

    chkconfig --level 345 mmsmtpd on

  6. Edit the file /etc/aliases and make sure the aliases for the addresses MailMonitor sends its virus warnings to exist. Run newaliases when you're done.

  7. Start the scanner by entering

    service mmsmtpd start

  8. Start the postfix services by entering

    service postfix start

    And you're done.
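As an added example (not part of the original guide, and not Sophos's or Postfix's own code), here is a small Python check that reads the three fragments edited in the steps above and confirms the chain is consistent: main.cf's content_filter points at the address MailMonitor listens on, MailMonitor hands mail back to a loopback address, the master.cf service on that port is an smtpd that sets content_filter to empty (otherwise scanned mail would be filtered again indefinitely), and that service is bound to loopback so nothing on the network can hand mail to it and skip the scanner. The file contents below are constructed to mirror the guide's values; the function names and the "broken" master.cf are mine.

```python
"""Consistency check for the Postfix -> MailMonitor -> Postfix chain configured above.

Parses the three fragments the guide edits (main.cf, master.cf, mmsmtp.cfg) and
reports anything that would make scanned mail loop or let it bypass the scanner.
"""
import shlex

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_kv(text):
    """Parse 'key = value' files (main.cf, mmsmtp.cfg). Indented lines continue the previous value."""
    settings, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            settings[last] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            last = key.strip()
            settings[last] = value.strip()
    return settings


def parse_master_cf(text):
    """Return one dict per master.cf service: name, type, command and its -o overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:      # indented line continues the previous entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    services = []
    for entry in logical:
        # fields: service type private unpriv chroot wakeup maxproc command+args
        fields = entry.split(None, 7)
        if len(fields) < 8:
            continue
        argv = shlex.split(fields[7])
        overrides = {}
        for i, word in enumerate(argv[:-1]):
            if word == "-o":
                key, _, value = argv[i + 1].partition("=")
                overrides[key] = value
        services.append({"name": fields[0], "type": fields[1], "command": argv[0], "overrides": overrides})
    return services


def split_endpoint(endpoint):
    """'smtp:[127.0.0.1]:10025', 'localhost:10026' or '10026' -> (host, port); host '' means all interfaces."""
    if endpoint.startswith("smtp:"):
        endpoint = endpoint[len("smtp:"):]
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def check_filter_chain(main_cf, master_cf, mmsmtp_cfg):
    """Return a list of problems; an empty list means the 25 -> 10025 -> 10026 chain is consistent."""
    problems = []
    main, mm = parse_kv(main_cf), parse_kv(mmsmtp_cfg)
    content_filter = main.get("content_filter", "")
    if not content_filter.startswith("smtp:"):
        return ["main.cf: content_filter must be an smtp: transport pointing at MailMonitor"]
    if split_endpoint(content_filter) != split_endpoint(mm.get("interfaces", "")):
        problems.append("main.cf content_filter and mmsmtp.cfg interfaces disagree: "
                        "mail would defer with connection refused instead of being scanned")
    back_host, back_port = mm.get("smtp_server_address", ""), mm.get("smtp_server_port", "")
    if back_host not in LOOPBACK_HOSTS:
        problems.append("mmsmtp.cfg: smtp_server_address should be loopback, not %r" % back_host)
    reinjectors = [s for s in parse_master_cf(master_cf)
                   if s["type"] == "inet" and split_endpoint(s["name"])[1] == back_port]
    if not reinjectors:
        problems.append("master.cf: no inet service listens on port %s to take mail back from the scanner" % back_port)
    for svc in reinjectors:
        if split_endpoint(svc["name"])[0] not in LOOPBACK_HOSTS:
            problems.append("master.cf: %s is reachable from the network; anyone can hand mail "
                            "to it and bypass the scanner" % svc["name"])
        if svc["command"] != "smtpd":
            problems.append("master.cf: %s runs %s, not smtpd" % (svc["name"], svc["command"]))
        elif svc["overrides"].get("content_filter") != "":
            problems.append("master.cf: %s does not set '-o content_filter=': re-injected mail "
                            "would be filtered again, forever" % svc["name"])
    return problems


# Constructed fragments mirroring the guide's edits (not real production files).
GOOD_MAIN_CF = "myhostname = mail.yourcompany.com.au\ncontent_filter = smtp:127.0.0.1:10025\n"
GOOD_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
localhost:10026 inet n - y - - smtpd
  -o content_filter=
  -o myhostname=delivermail.yourcompany.com.au
"""
GOOD_MMSMTP_CFG = "interfaces = 127.0.0.1:10025\nsmtp_server_address = 127.0.0.1\nsmtp_server_port = 10026\n"
# Two classic mistakes in one line: listener on all interfaces, content_filter not overridden.
BAD_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
10026     inet  n       -       y       -       -       smtpd -o myhostname=delivermail.yourcompany.com.au
"""

if __name__ == "__main__":
    for label, master in (("guide", GOOD_MASTER_CF), ("broken", BAD_MASTER_CF)):
        found = check_filter_chain(GOOD_MAIN_CF, master, GOOD_MMSMTP_CFG)
        print(label, "->", "OK" if not found else "; ".join(found))
```

Run it against the real files with the three variables swapped for open().read() calls; the "broken" sample shows the two findings you most want it to catch, an all-interfaces listener on the re-injection port and a missing content_filter override.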

© 2002 Mike MacCana. Textual information on this site is available under the Open Content License.
Thanks to the KDE project for the icons, licensed under the GNU General Public License.