MBF Knowledge Base

How to use Message Sniffer with Exim without the use of SpamAssassin

Exim4 installation:

Exim4 must be compiled with exim4-daemon-heavy. Exim install specifics will not be covered in this article.

Message Sniffer installation:

Download Package: snf-server_3.2.1-1_amd64.deb from https://www.messagesniffer.com/message-sniffer/download/packages/

Install: dpkg -i snf-server_3.2.1-1_amd64.deb

Dropping in Message Sniffer:

In config: /etc/exim4/conf.d/main/02_exim4-config-options find: #av_scanner =

Change to: av_scanner = cmdline:\/path/of/exim4-to-snf-shim.sh %s \'((1[4-9])|([2-9][0-9]))':'.*'
Note: exim4-to-snf-shim.sh will be specified below. The 'X-MessageSniffer:' regex matches on message sniffer scores greater than or equal to 14 (recommended setting)

In config: /etc/exim4/conf.d/acl/40_exim4-config_check_data find:

#malware = *
#message = This message was detected as possible malware ($malware_name)

Uncomment those three lines.

Reload configs: service exim4 reload

Creating the exim4-to-snf.sh bash shim:

navigate to desired folder where script will be placed

create file: touch exim4-to-snf.sh

modify exim4-to-snf.sh to look like this:


message_id=$(basename $path).eml

chmod 770 $file

/usr/sbin/SNFClient $file
echo $?           

Make sure Message Sniffer can can access the mail spool:

usermod -a -G Debian-exim snfuser

Header injection:

In config: /etc/snf-server/SNFServer.xml

<output mode='inject'/>

change 'inject' to 'api'>