Firewall Wizards mailing list archives

Re: SMTP A/V Design


From: Christoph Schneeberger <cschnee () telemedia ch>
Date: Thu, 18 Feb 1999 08:43:26 +0100

Let me throw in my 2 cents:
I have had a similar setup which looked like

-Firewall Box-
        I
        I
-Scanserver (symantec)-
        I
        I
-internal Mail Hub (sendmail)-
        I
        I
-internal Mailserver (whatever)-

Incoming Mail:
The firewall sends incoming mail straight to the Scanserver. The scanserver
then forwards the mail to the mail hub (after scanning it of course) which
decides if the mail is incoming or outgoing and depending on that forwards
it either to the mailserver (incoming) or to the firewall (outgoing).
Outgoing Mail:
The SMTP server in the clients' mail program is set to the scanserver. The
scanserver forwards mail to the internal hub, and the internal hub decides
if the mail has to go out (-> firewall) or is internal (-> mailserver).

This way every msg sent is scanned, and I think outgoing scanning is as
important as incoming, because if a virus leaves you it does real damage to
your company's public image.

The configuration of the internal mail hub is just made with sendmail using
simple mailertables.

This has worked fine for about 2 years for me (and I caught loads of
viruses this way).

If your firewall supports CVP as you mention you should be able to do
everything in one step over the firewall, but I have no experience with CVP
at all.

Hope this helps,
Christoph Schneeberger
SCS Telemedia
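
The hub routing described above (listed internal domains to the mailserver,
everything else out to the firewall) can be written down as a sendmail 8.9
m4 configuration plus two map files. This is an added example, not
Christoph's or Matt's actual configuration: the domain, hostnames and the
scanserver address are placeholders, and the access entry is included so
that a client which points its mail program at the hub directly cannot skip
the scanserver.

```m4
divert(-1)
dnl hub.mc - internal mail hub sitting behind the scanserver (added example;
dnl all names and addresses below are assumed placeholders).
divert(0)dnl
include(`../m4/cf.m4')dnl
VERSIONID(`hub.mc - internal hub, mailertable routing')dnl
OSTYPE(`solaris2')dnl
DOMAIN(`generic')dnl
dnl
dnl Anything not matched by the mailertable leaves through the firewall.
define(`SMART_HOST', `smtp:[firewall.internal.example]')dnl
dnl
dnl Mailertable entries are consulted before SMART_HOST, so they carry the
dnl "is this internal?" decision. Build with:
dnl   makemap hash /etc/mail/mailertable < /etc/mail/mailertable
dnl Contents of /etc/mail/mailertable (placeholder domain and host):
dnl   corp.example      smtp:[mailserver.internal.example]
dnl   .corp.example     smtp:[mailserver.internal.example]
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
dnl
dnl sendmail 8.9 refuses relaying by default; only the scanserver is granted
dnl RELAY, so every message must have passed the scanner to reach the hub.
dnl   makemap hash /etc/mail/access < /etc/mail/access
dnl Contents of /etc/mail/access (192.0.2.10 = assumed scanserver address):
dnl   192.0.2.10        RELAY
FEATURE(`access_db', `hash -o /etc/mail/access')dnl
dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```

Generate sendmail.cf with `m4 ../m4/cf.m4 hub.mc > sendmail.cf` from the cf/cf
directory of the sendmail distribution, then rebuild both maps whenever their
text files change.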


At 12:51 16.02.99 -0700, Matt McClung wrote:
I am looking at designing a new email anti-virus scanning architecture for
incoming mail.  However, I don't see a clean way to scan email, review it
for destination (bouncing etc) and then final delivery.  Allow me to be more
clear.

1.  Internet email for x company is first identified at the firewall.
2.  The firewall knows to pass SMTP traffic to an A/V scanning server, which
it does
3.  The A/V server finds nothing and sends back the message information to
the firewall
4.  The firewall then allows the email to the mail relay server on its
service network (MX)
5.  The mail relay server (running sendmail) scans the envelope and other
information to determine if the email is for a domain it is accepting mail
for...
6.  The mail relay host delivers mail to an internal SMTP server for final
delivery to the email system.

Questions:  This almost seems like it's too complicated with the separate A/V
server and mail relay host.  The delivery time is not the main concern, but
rather the complexity and the steps the message takes to finally get
delivered.

Anyone created such a beast?  Because of the software (A/V) you have only a
small choice of platforms, as well as the relay host.  Therefore, you almost
have to have something like this.

Of course, this assumes that your company policy is to scan the email before
it is allowed into the internal network (good idea).  Otherwise you could do
desktop scanning, or mail server scanning.

INFO:
The FW is FW-1 using CVP.  The A/V server is NT running an A/V application
to check SMTP and the mail relay host is a Sun Ultra running sendmail 8.9.x

Your thoughts on this are requested...

Matt McClung
Net.Works Security Engineer
mmcclung () ndwcorp com