Setting ESETS for MTA Sendmail

Inbound email message scanning

Warning: This installation is not compatible with SELinux. Either disable SELinux or proceed to the next section.

The objective of this installation is to insert esets_mda before Sendmail’s original MDA.

Note: On FreeBSD, Sendmail may be communicating with MDA using LMTP. However, esets_mda does not understand LMTP. If you have FEATURE(local_lmtp) in ‘hostname’.mc, comment it out now and recreate sendmail.cf.

The currently-used MDA can be found in the file sendmail.cf in section Mlocal: parameters ‘P’ (executable) and ‘A’ (its name and arguments).

First, set the ‘mda_path’ in the [mda] section of the ESETS configuration file to the currently used MDA executable (Sendmail’s ‘P’ parameter). Then restart the ESETS daemon.

Next, add the lines below to the sendmail.mc file (or ‘hostname’.mc on FreeBSD) before all MAILER definitions:

define(`LOCAL_MAILER_PATH', `@BINDIR@/esets_mda')dnl
define(`LOCAL_MAILER_ARGS', `esets_mda original_arguments -- --sender $f --recipient $u@$j')dnl

In the example above, original_arguments is Sendmail’s ‘A’ parameter without the name (first word).

Lastly, recreate sendmail.cf and restart Sendmail.
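
The inbound steps above can be derived mechanically from sendmail.cf. The script below is an added example, not part of the ESET documentation: it reads ‘P’ and ‘A’ from the Mlocal definition only (other mailers such as Mprog carry the same parameters) and prints the mda_path setting and the two define lines. The function names and the sample sendmail.cf fragment are constructed for illustration, and the quoted form of the mda_path value is an assumption modelled on the smfi_sock_path line shown later on this page.

```shell
#!/bin/sh
# Added example: derive the ESETS settings from the Mlocal definition in sendmail.cf.

# mlocal_field FIELD FILE -> value of P= or A= inside the Mlocal block only.
mlocal_field() {
    awk -v want="$1" '
        /^Mlocal,/        { inblk = 1; buf = $0; next }
        inblk && /^[ \t]/ { buf = buf " " $0; next }  # continuation line
        inblk             { exit }                     # next definition begins
        END {
            gsub(/[ \t]+/, " ", buf)
            # A= is the last field and runs to end of line; P= stops at a comma.
            re = (want == "A") ? "[, ]A=.*$" : ("[, ]" want "=[^, ]+")
            if (!match(buf, re)) exit 1
            val = substr(buf, RSTART + 3, RLENGTH - 3)
            sub(/ +$/, "", val)
            print val
        }' "$2"
}

# esets_mda_defines FILE -> mda_path line plus the two sendmail.mc defines.
esets_mda_defines() {
    p=$(mlocal_field P "$1") || return 1
    a=$(mlocal_field A "$1") || return 1
    case $a in                       # original_arguments = A minus first word
        *" "*) orig=" ${a#* }" ;;
        *)     orig="" ;;
    esac
    printf 'mda_path = "%s"\n' "$p"  # quoting style is an assumption
    printf "define(\`LOCAL_MAILER_PATH', \`@BINDIR@/esets_mda')dnl\n"
    printf "define(\`LOCAL_MAILER_ARGS', \`esets_mda%s -- --sender \$f --recipient \$u@\$j')dnl\n" "$orig"
}

# Constructed sendmail.cf fragment (sample input, not from a real host).
demo_cf=$(mktemp)
cat > "$demo_cf" <<'EOF'
Mlocal,		P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL,
		R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix,
		A=procmail -Y -a $h -d $u
Mprog,		P=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
		A=sh -c $u
EOF
esets_mda_defines "$demo_cf"
```

Compare the printed lines with the live Mlocal entry before editing sendmail.mc; @BINDIR@ is left as the placeholder used above.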

Bi-directional email message scanning

The objective of this installation is to scan all mail in Sendmail using the esets_smfi filter. In the [smfi] section of the ESETS configuration file, set the following parameters:

agent_enabled = yes
smfi_sock_path = "/var/run/esets_smfi.sock"

Restart the ESETS daemon. Then, add the lines below to the sendmail.mc file (or ‘hostname’.mc on FreeBSD) before all MAILER definitions:

INPUT_MAIL_FILTER(`esets_smfi', `S=local:/var/run/esets_smfi.sock, F=T, T=S:2m;R:2m;E:5m')dnl

With these settings, Sendmail will communicate with esets_smfi via the Unix socket ‘/var/run/esets_smfi.sock’. Flag ‘F=T’ causes Sendmail to temporarily fail the connection if the filter is unavailable. ‘S:2m’ defines a 2 minute timeout for sending information from the MTA to the filter, ‘R:2m’ defines a 2 minute timeout for reading replies from the filter, and ‘E:5m’ sets an overall 5 minute timeout between sending end-of-message to the filter and waiting for the final acknowledgment.

If the timeouts for the esets_smfi filter are too short, Sendmail can temporarily defer the message to the queue and attempt to pass it through later. However, this may lead to continuous deferral of the same messages. To avoid this problem, the timeouts should be set properly. You can experiment with Sendmail’s ‘confMAX_MESSAGE_SIZE’ parameter, which is the maximum accepted message size in bytes. Taking into account this value and the approximate maximum time for the MTA to process a message of that size (this can be measured), you can determine the most effective timeout settings for the esets_smfi filter.

Lastly, recreate sendmail.cf and restart Sendmail.