Qmail-Scanner (st patch) configure options

The following shows what options the Qmail-Scanner-2.10st (st patch) installation supports:

 ./configure --help

valid options:

  --qs-user <username>            (default: qscand)
                   User that Qmail-Scanner runs as

  --qs-group <usergroup>          (default: same as qs-user)
                   Group that Qmail-Scanner runs as, qs-user must
                   be member of this group.

  --qmaildir <top of qmail>       (defaults to /var/qmail/)

  --spooldir <spooldir>           (defaults to /var/spool/qscan/)

  --bindir <installdir>           (defaults to /var/qmail/bin/)
                   Where to install qmail-scanner-queue.pl

  --setuidgid-path <path to setuidgid program>
                   Defaults to nothing, the configure script will
                   search for it, this option is only necessary if
                   'setuidgid' from the daemontools package is installed
                   in an unusual path.

  --admin <username>              (default: root)
                   User to Email alerts to

  --domain <domain name>
                   "user"@"domain" makes up Email address to Email alerts to

  --admin-description <"description">  (default: "System Anti-Virus Administrator")
                   From line information used when making reports, the input
                   must be quoted. i.e. --admin-description "Antivirus Admin"

  --local-domains "one.domain,two.domain"
                   Defaults to the value of the "--domain" setting.
                   Comma-separated list (no spaces!)  of domains that are
                   classified as "local". This is needed to ensure alerts
                   are only sent to local users and not remote when
                   '--notify "recips"' is chosen. This will drastically
                   reduce the chance of alerts being sent to mailing-lists.

  --scanners <list of installed content scanners>
                   Defaults to "auto" - will use whatever scanners are found
                   on system.
                   Use this option to override "auto" - set to one or more
                   of the following:

                   [auto|none|clamscan,clamdscan,sweep,sophie,vscan,trophie,
                   uvscan,csav,antivir,kavscanner,AvpLinux,kavdaemon,
                   AvpDaemonClient,fsav,fprot,inocucmd,vexira,bitdefender,
                   verbose_spamassassin,fast_spamassassin]

                   Note the special-case "none". This will disable all but
                   the internal perlscanner module.

  --skip-text-msgs [yes|no]       (defaults to "yes")
                   Q-S will skip running any anti-virus scanner on any messages
                   it works out are text-only. i.e. don't have any attachments.
                   Set to "no" if you want them to be scanned anyway.

  --normalize [yes|no]            (defaults to "yes")
                   This decides if base64/qp attachment 
                   filenames and/or Subject: headers should 
                   be "normalized" back to their decoded form 
                   before being checked against entries in
                   quarantine-events.txt.

  --notify [none|sender|recips|precips|admin|nmladm|nmlvadm|all] (defaults to "psender,nmlvadm")
                   Comma-separated list (no spaces!) of addresses to which
                   alerts should be sent to. "nmladm" means only notify
                   admin for "user infections", 
                   i.e. non-mailing-list mail.
                   "nmlvadm" is the same as nmladm - except that it also doesn't
                   notify for viral e-mails.
                   i.e. just "policy" quarantines get e-mails.
                   This allows you to still notify people when an e-mail is
                   blocked due to a policy decision (such as blocking
                   password-protected zip files), but a message tagged as viral
                   by an AV system will *not* trigger notification.
                   Similarly, "psender" means notify the sender only if their
                   e-mail was blocked for policy reasons.
                   i.e. if an AV system found a virus, then don't notify the
                   sender as the address was probably forged.

  --silent-viruses "virus1,virus2"     (defaults to "auto")
                   This option allows you to tell Qmail-Scanner *not* to
                   notify senders when it quarantines one of these viruses.
                   Viruses such as Klez alter the sender address so that it
                   has no relation to the actual sender - so there's no point
                   in responding to Klez messages - it just confuses people.
                   The admin and recips will still be notified as set
                   by "--notify". Use this option to override "auto".
                   By default this is set to:
                   "klez,bugbear,hybris,yaha,braid,nimda,tanatos,sobig,winevar,
                   palyh,fizzer,gibe,cailont,lovelorn,swen,dumaru,sober,hawawi,
                   hawaii,holar-i,mimail,poffer,bagle,worm.galil,mydoom,worm.sco,
                   tanx,novarg,\@mm,cissy,cissi,qizy,bugler,dloade,netsky,spam"

  --dlp-monitor "string1|string2"      (defaults to "none")
                   Using this will cause Q-S to *not* block events that match
                   this regex.
                   Typically used in environments where you want to track the
                   movement of sensitive files/etc outside of your
                   environment, without blocking.

  --lang <lang>                   (defaults to en_GB)
                  "af_ZA cs_CZ de_DE en_GB enlt_LT enlt_LT_short en_PL es_ES
                   fr_FR it_IT ja_JP.EUC nl_NL no_NO pl_PL pt_BR pt_PT sv_SE
                   tr_TR tr_TR_ascii tw_BIG5"

  --archive [yes|no|regex]        (defaults to "no")
                   Whether to archive mail after it has been processed.
                   If "yes", all copies of processed mail will be moved into
                   the maildir "/var/spool/qmailscan/archives/".
                   Any other string besides "yes" and "no" will be treated
                   as a REGEX. Only mail from or to an address that contains
                   that regex will be archived. e.g. "jhaar|harry" or
                   "\@our.domain".
                   Be careful with this option, a badly written regex
                   will cause Qmail-Scanner to crash.

  --redundant [yes|no]            (defaults to "yes")
                   Whether or not to let the scanners also scan any zip files
                   and the original "raw" Email file.

  --unzip    [yes|no]             (defaults to "no" - off)
                   Whether or not to forcibly unzip all zip files.
                   Off by default as most AV's do unzip'ping themselves.

  --max-zip-size <number-bytes>   (defaults to 1 Gbytes)
                   This setting allows you to control the maximum size you
                   are willing to allow zip file attachments to unpack to.
                   This is to enable you to limit DoS attacks against your
                   Qmail-Scanner installation (someone could send you a small
                   zip file that unpacks to Gbytes of useless files - filling
                   your harddisk). Set to whatever value you think is
                   appropriate for your system. The default value of 1Gb is
                   set so large so as not to assume anything about your
                   system - YOU WILL NEED TO SET THIS VALUE IN ORDER TO GAIN
                   ANY PROTECTION.
                   Something like "100000000" (100 Mb) might be appropriate.

  --max-unpacked-files <number-files>   (defaults to 10000 files)

  --max-scan-size <number-bytes>        (defaults to 100 Mbytes)
                   Email messages (raw size) larger than this 
                   number (in bytes) will skip all AV and Spam 
                   scanning checks. It's to stop Q-S scanning
                   300Mbyte TIFF file messages and the like.

  --log-crypto [yes|no]           (defaults to "no")
                   Whether or not to log the presence
                   of cryptographic (both signing and encrypting)
                   technologies in the "log-details". Q-S can flag
                   PGP, S/MIME and password-protected zip files. This
                   is informational logging only.

  --fix-mime [yes|no|num]         (defaults to "2")
                   Whether or not to attempt to "fix" broken MIME messages
                   before doing anything else. Should be safe, but *may* break
                   some strange, old mailers (none known yet).
                   Defaults to "2" enables a bunch of extra MIME checks that
                   have proven to be very useful.

  --ignore-eol-check [yes|no]     (defaults to "no")
                   Making this "yes" stops Qmail-Scanner
                   from treating "\r" or "\0" chars in the headers of 
                   MIME mail messages as being suspicious enough to quarantine
                   mail over. Some sites receive so much broken e-mail that this
                   option has been created so that they can still receive such
                   messages without having to be as drastic as to "--fix-mime no"
                   which disables all sorts of other good stuff.
                   Use only if you have to.

  --add-dscr-hdrs [yes|no|all]    (defaults to "no")
                   This adds the now old-fashioned X-Qmail-Scanner headers to the
                   message. "all" adds the "rcpt to" headers too - this is a
                   privacy hole.

  --dscr-hdrs-text <"Descrip-Headers-Text">   (defaults to "X-Qmail-Scanner")
                   Input must be quoted.
                   i.e. --dscr-hdrs-text "X-Antivirus-MYDOMAIN"

  --log-details [yes|syslog|no]   (defaults to "syslog")
                   Whether or not to log to mailstats.csv/via syslog the
                   attachment structure of every Email message.

  --debug [0|1|2|3|4|5]           (defaults:1)
                   Whether or not debugging is turned on. Can be also set to
                   a number. Numbers over 100 cause Q-S to not cleanup working
                   files. Thus allowing for offline debugging...
                   debug >= 5, all info is logged.

  --batch
                   Do not confirm configure information (mainly for scripting)

  --install
                   Create directory paths, install perl script, and
                   change ownerships to match.

  --mime-unpacker "reformime"     (defaults to "reformime")

  --spamdir <maildir name>        (defaults to "spam")
                   This will be the maildir directory structure
                   into which spam mails are quarantined 
                   (under /var/spool/qscan/quarantine/spam)
                   It is possible to set it per user/domain enabling the
                   feature settings-per-domain, see the docs.

  --sa-timeout [num]              (defaults to "30")
                   This is the max number of seconds
                   you will allow spamc to take on processing
                   a mail message. Anything longer implies
                   spamd has hung on some gnarly DNS lookup
                   or the like, and will cause QS to give
                   the message a SPAM score of (?/?)

  --sa-faulttolerant [yes|no]     (defaults to "no")
                   This can be used in addition to sa-timeout
                   as a way of telling Qmail-Scanner to let
                   SA "have another go" at processing a message
                   if it was unable to get it right the first time.
                   It will cause Q-S to run SA up to THREE TIMES
                   on a particular email - if SA fails to return any
                   value (in the past this used to lead to Q-S reporting
                   (?/?)). This can get around emails from far-off domains
                   that "hang" SA due to DNS lookups - and *may* allow SA
                   to operate correctly the next time it is called on the same
                   message. See "--sa-tempfail" for even more
                   reliability options

  --sa-maxsize [num]              (defaults to "256000")
                   This size (in bytes) sets the
                   max size email that will be
                   processed by SpamAssassin.

  --sa-tempfail [yes|no]          (defaults to "yes")
                   Should Qmail-Scanner treat SpamAssassin
                   like AV products and tempfail if it 
                   fails to return a score?

  --settings-per-domain [yes|no]        (defaults to "no")
                   Enable or disable the domain-wise mode, in which each
                   user/domain has its own customized settings
                   (@scanner_array and sa_settings). If the user/domain has no
                   custom settings, qmail-scanner falls back to the default
                   site settings (@scanner_array and sa_site_settings).

  --virus-to-delete [yes|no]      (defaults to "no")
                   Enable this option if you want to delete some viruses
                   (i.e. mydoom) without notifying anyone. If you don't enable
                   it now, you can later edit qmail-scanner-queue.pl and add
                   the virus you want to the list virus_to_delete.

  --sa-sql [yes|no]               (defaults to "no")
                   Whether to run spamassassin with the 'rcpt to' as option,
                   only useful if you are running spamassassin with user
                   settings in mysql.
                   If you enable 'settings-per-domain', a message with multiple
                   recipients will be scanned once for each recipient, with
                   that recipient's own spamassassin settings.

  --sa-delta [num]                (default: 0)
                   If $spamc_subject is defined, and fast_spamassassin mode is
                   selected, a tag will be added to the subject indicating how
                   the message is to be considered as spam, in this way:
                   LOW: required_hits < score < required_hits + sa_delta
                   MEDIUM: required_hits + sa_delta < score < required_hits + 2 * sa_delta
                   HIGH: required_hits + 2 * sa_delta < score
                   Be aware, sa_max+2*sa_delta must be lower than sa_quarantine.
                   'required_hits' is the value set in the SpamAssassin
                   configuration file.

  --sa-subject <"some text">   (defaults to nothing)
                   This is an alternative way to set the tag that qmail-scanner
                   adds to the subject of spam mails, to some text.
                   SpamAssassin must be working in *fast_spamassassin* mode.
                   It is better to tag the subject of spam messages
                   through qmail-scanner than with the rewrite_subject
                   of SpamAssassin.
                   The input must be quoted, i.e. "SPAM *** ".

  --sa-forward <username@domain>     (default: nothing)
                   User to redirect spam mails 'being quarantined' for
                   admin purposes...
                   The message is forwarded almost unmodified so you can
                   use 'sa-learn' with it.
                   If you prefer that the message includes the spam headers
                   enable the next option.
                   (i.e.  --sa-forward antispam@mydomain.com)

  --sa-fwd-verbose [yes|no]       (default: no)
                   Whether to add the X-Spam headers to the forwarded message.

  --sa-quarantine [num]           (default: 0)
                   Spam messages with a score higher than
                   (required_hits + sa_quarantine) should be quarantined.
                   Only relevant if SpamAssassin is used.
                   Score of 0 means deliver all messages.

  --sa-delete [num]               (default: 0)
                   Spam messages with a score higher than
                   (required_hits + sa_delete) should be deleted.
                   Only relevant if SpamAssassin is used.
                   Score of 0 means deliver all messages.

  --sa-reject [yes|no]            (default: no)
  --quarantine-reject [yes|no]
                   If you enable sa-reject and sa-delete is properly set,
                   messages with a score higher than sa-delete will be rejected
                   before the smtp session is closed. Otherwise they are just
                   dropped silently. (1/0)
                   Different from the official version, only spam mails are
                   rejected, if your installation has the 'custom error patch'
                   a nice little text message is sent, those without just
                   produce a generic Qmail error. BE CAREFUL IF ENABLING AND
                   YOUR Q-S SERVER ISN'T DIRECTLY FACING THE INTERNET

  --sa-alt [yes|no]               (default: no)
                   Use the alternative subroutine for spamassassin, it runs in
                   *fast_spamassassin* mode and doesn't pass the '-u' option
                   to spamc. (1/0)

  --sa-debug [yes|no]             (default: no)
                   If sa-alt is enabled and you enable this option, you will
                   have a beautiful log with the tests and the scores of
                   spamassassin in the file qmail-queue.log (1/0)

  --sa-report [yes|no]            (default: no)
                   If sa-alt is enabled you can add the X-Spam-Report header
                   to the messages enabling this option.

  --sa-socket     (defaults to nothing)
                   Actually the configure script can automatically discover
                   if spamd is running in unix-socket mode, but
                   if for some reason the socket couldn't be
                   found properly you can set the path with this option.
                   i.e. --sa-socket /var/run/spamd

  --sa-remote remote.spamd.host[,port]  (defaults to nothing)
                   You can use the hostname or the ip address, if not specified
                   the default port is 783

       ****************
         Rarely Used
       ****************

  --no-QQ-check
                   Do not check that the QMAILQUEUE patch is installed.
                   This explicitly disables any "--install" reference
                   as that is NOT POSSIBLE with a manual install.
                   Use ONLY IF YOU MUST. The QMAILQUEUE patch is REALLY
                   a GOOD THING!!!!

  --skip-setuid-test
                   Don't test for setuid perl. Only of use for those wanting
                   to run the C-wrapper version.

  --qmail-queue-binary
                   Set this to the FULL PATH to the Qmail qmail-queue
                   binary. This is only EVER set when doing a manual install.


This script must be run as root so it can detect problems with setuid
perl scripts!
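
The unpack budget that --max-zip-size and --max-unpacked-files describe, as an added Python example (not Qmail-Scanner's own code, which is Perl): it counts entries and streams each member through the decompressor without writing to disk, refusing the archive once either limit is passed. The function names and the zero-filled sample archive are constructed for illustration; the limits are the 100000000 bytes suggested above and the documented default of 10000 files.

```python
import io
import zipfile

# Limits mirroring the page's options (assumed values for this example):
# 100000000 is the figure the help text suggests, 10000 is the documented default.
MAX_ZIP_SIZE = 100_000_000
MAX_UNPACKED_FILES = 10_000
CHUNK = 64 * 1024


class UnpackLimitExceeded(Exception):
    """Raised as soon as an archive goes over either budget."""


def unpacked_size(data, max_bytes=MAX_ZIP_SIZE, max_files=MAX_UNPACKED_FILES):
    """Return the total unpacked byte count of a zip held in `data`, or raise.

    The sizes declared in the central directory are a cheap first check.
    The members are then decompressed in bounded chunks and counted, and the
    loop stops at the first byte over budget; nothing is written to disk.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        if len(members) > max_files:
            raise UnpackLimitExceeded(f"{len(members)} entries > {max_files}")
        declared = sum(m.file_size for m in members)
        if declared > max_bytes:
            raise UnpackLimitExceeded(f"declared {declared} bytes > {max_bytes}")
        total = 0
        for m in members:
            with zf.open(m) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > max_bytes:
                        raise UnpackLimitExceeded(f"unpacked > {max_bytes} bytes")
        return total


def build_sample(n_files, bytes_each):
    """Constructed sample: zero-filled members, small on the wire, large unpacked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(n_files):
            zf.writestr(f"f{i}.bin", b"\0" * bytes_each)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(4, 1_000_000)
    print("attachment bytes:", len(sample), "unpacked bytes:", unpacked_size(sample))
    try:
        unpacked_size(sample, max_bytes=1_000_000)
    except UnpackLimitExceeded as exc:
        print("refused:", exc)
```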


Salvatore Toribio

20111118