Understanding SMTP Antivirus Scanning

If SMTP (Simple Mail Transfer Protocol) antivirus scanning is enabled in a content security profile, the security device redirects traffic from local SMTP clients to the antivirus scanner before sending it to the local mail server.

Note: Chunking is an alternative to the DATA command that transmits a large message in small chunks. Chunking is not supported: messages that use chunking bypass the scanner and are not scanned.

This is a general description of how SMTP traffic is intercepted, scanned, and acted upon by the antivirus scanner:

  1. An SMTP client sends an e-mail message to a local mail server or a remote mail server forwards an e-mail message via SMTP to the local mail server.
  2. The security device intercepts the e-mail message and passes the data to the antivirus scanner, which scans it for viruses.
  3. After completing the scan, the device follows one of two courses:
    • If there is no virus, the device forwards the message to the local server.
    • If there is a virus, the device sends a replacement message to the client.

Understanding SMTP Antivirus Mail Message Replacement

If the antivirus scanner finds a virus in an e-mail message, the original message is dropped, the message body is truncated, and the content is replaced by a message that may appear as follows:

Content-Type: text/plain

Your mail <src_ip>:<src_port> — <dst_ip>:<dst_port> contains contaminated file <filename> with virus <virusname>, so it is dropped.

If a scan error is returned and the fail mode is set to drop, the original message is dropped and the entire message body is truncated. The content is replaced by a message that may appear as follows:

Content-Type: text/plain

Your mail <src_ip>:<src_port> — <dst_ip>:<dst_port> is dropped for <reason>.

Understanding SMTP Antivirus Sender Notification

If notify-sender-on-virus is set and the message is dropped due to a detected virus, an e-mail is sent to the mail sender. The content of the notification may appear as follows:

From: <admin>@<gateway_ip>
To: <sender_e-mail>
Subject: Mail Delivery Failure

This message is created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients for the reason:
<src_ip>:<src_port> — <dst_ip>:<dst_port> <ENVID> contaminated file <filename> with virus <virusname>.
e-mail Header is:
<header of scanned e-mail>

If notify-sender-on-error-drop is set and the message is dropped due to a scan error, an e-mail is sent to the mail sender of the scanned message. The content of the e-mail may appear as follows:

From: <admin>@<gateway_ip>
To: <sender_e-mail>
Subject: Mail Delivery Failure

This message is created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients for the reason:
<src_ip>:<src_port> — <dst_ip>:<dst_port> <ENVID> <reason>.
e-mail Header is:
<header of scanned e-mail>

Note: For information on the ENVID parameter, refer to RFC 3461.

Understanding SMTP Antivirus Subject Tagging

If a scan error is returned and the fail mode is set to pass, the antivirus module passes the message through to the server. If notify-recipient-on-error-pass is set, the following string is appended to the end of the subject field:

(No virus check: <reason>)
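The three preceding sections (message replacement, sender notification, subject tagging) describe one decision procedure: the scan result and the fail mode select the action, and the notify-* settings select which notices are generated. The following Python model, added here as an illustration and not Juniper's own code, runs that procedure over a constructed sample message so the resulting headers and bodies can be inspected. The notice wording follows the templates shown above; the "src:port -> dst:port" layout, the ENVID text, the default admin address and every sample value are assumptions or constructed data.

```python
# Added illustration, not Juniper code: a model of the SMTP antivirus actions
# described above (virus drop with body replacement, scan-error drop or pass
# depending on fail mode, subject tagging, sender notification). Notice wording
# follows the page's templates; the "src:port -> dst:port" layout, the ENVID
# text and every sample value are assumptions or constructed data.
from dataclasses import dataclass
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Optional


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def __str__(self) -> str:
        return f"{self.src_ip}:{self.src_port} -> {self.dst_ip}:{self.dst_port}"


@dataclass
class ScanResult:
    infected: bool = False
    error: Optional[str] = None   # scan-error reason; None when the scan completed
    filename: str = ""
    virusname: str = ""


@dataclass
class Outcome:
    action: str                   # "forward", "drop" or "pass"
    message: EmailMessage         # message handed on (or the replacement for it)
    notification: Optional[EmailMessage] = None   # mail to the sender, if any


def replace_body(original: EmailMessage, text: str) -> EmailMessage:
    """Keep the original headers but truncate the body to a text/plain notice."""
    out = EmailMessage(policy=policy.default)
    for name, value in original.items():
        if name.lower() == "mime-version" or name.lower().startswith("content-"):
            continue              # the notice is single-part text/plain
        out[name] = str(value)
    out.set_content(text)         # sets Content-Type: text/plain
    return out


def sender_notification(original: EmailMessage, flow: Flow, envid: str,
                        reason: str, admin: str, gateway_ip: str) -> EmailMessage:
    """Build the "Mail Delivery Failure" notice in the layout the page shows."""
    note = EmailMessage(policy=policy.default)
    note["From"] = f"{admin}@{gateway_ip}"
    note["To"] = str(original["From"])
    note["Subject"] = "Mail Delivery Failure"
    header_dump = "".join(f"{k}: {v}\n" for k, v in original.items())
    note.set_content(
        "This message is created automatically by mail delivery software.\n"
        "A message that you sent could not be delivered to one or more of its "
        "recipients for the reason:\n"
        f"{flow} {envid} {reason}\n"
        "e-mail Header is:\n" + header_dump)
    return note


def apply_scan_policy(raw: str, flow: Flow, result: ScanResult, fail_mode: str = "drop",
                      notify_sender_on_virus: bool = True,
                      notify_sender_on_error_drop: bool = True,
                      notify_recipient_on_error_pass: bool = True,
                      admin: str = "admin", gateway_ip: str = "192.0.2.1",
                      envid: str = "") -> Outcome:
    """Decide what the scanner does with one message, per the page's three cases."""
    if fail_mode not in ("drop", "pass"):
        raise ValueError("fail_mode must be 'drop' or 'pass'")
    msg = message_from_string(raw, policy=policy.default)

    if result.infected:           # virus found: drop, replace body, notify sender
        reason = f"contaminated file {result.filename} with virus {result.virusname}"
        replaced = replace_body(msg, f"Your mail {flow} contains {reason}, so it is dropped.")
        note = (sender_notification(msg, flow, envid, reason + ".", admin, gateway_ip)
                if notify_sender_on_virus else None)
        return Outcome("drop", replaced, note)

    if result.error is not None and fail_mode == "drop":   # scan error, fail mode drop
        replaced = replace_body(msg, f"Your mail {flow} is dropped for {result.error}.")
        note = (sender_notification(msg, flow, envid, result.error + ".", admin, gateway_ip)
                if notify_sender_on_error_drop else None)
        return Outcome("drop", replaced, note)

    if result.error is not None:  # scan error, fail mode pass: forward, tag subject
        if notify_recipient_on_error_pass:
            subject = str(msg["Subject"] or "")
            del msg["Subject"]
            msg["Subject"] = f"{subject} (No virus check: {result.error})".strip()
        return Outcome("pass", msg)

    return Outcome("forward", msg)   # clean: forwarded untouched


SAMPLE_MAIL = (                    # constructed sample, not a captured message
    "From: alice@example.com\nTo: bob@example.net\nSubject: Invoice\n"
    "Content-Type: text/plain\n\nPlease see the attached invoice.\n"
)
SAMPLE_FLOW = Flow("192.0.2.10", 41234, "198.51.100.5", 25)

if __name__ == "__main__":
    for label, res, mode in [("clean", ScanResult(), "drop"),
                             ("virus", ScanResult(True, None, "invoice.zip", "EICAR-Test-File"), "drop"),
                             ("error/drop", ScanResult(error="engine timeout"), "drop"),
                             ("error/pass", ScanResult(error="engine timeout"), "pass")]:
        out = apply_scan_policy(SAMPLE_MAIL, SAMPLE_FLOW, res, fail_mode=mode)
        print(f"== {label}: action={out.action}, notification={'yes' if out.notification else 'no'}")
        print(out.message.as_string())
```

Running the block prints the four outcomes for the sample message. The error/pass case is the one worth watching in practice: the original body reaches the recipient unscanned, and the only evidence is the tag on the subject line, so a mail server or SIEM rule that matches "(No virus check:" in subjects gives visibility into how often the scanner is failing open.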

Related Topics

JUNOS Software Feature Support Reference for SRX Series and J Series Devices