Setting up Exiscan

Note: The following is now out of date with how to setup Exiscan. I am leaving this page up for archival information.

Note: The following is part of a series of steps to setup an email server using Exim 4.x, with imap and webmail access. It will use winbind to get user information from an NT server. If you found this page via a search engine it may not cover what you need or you may need to start at the beginning to understand everything I have done.

See and for much more information.

Quick steps:

  1. Download and unpack exiscan
  2. Patch into the Exim source
  3. Build, install, and setup Exim and make sure it works.
  4. Setup your virus scanner and make sure it works.
  5. Setup SpamAssassin. (my steps to come soon)
  6. Edit the exim.conf file.
  7. Restart Exim.
  8. Test.

Note: I'm using exim in another situation, besides our primary email server. So I decided to use exiscan with it.

1) Download and unpack exiscan

Go to and download. I am using exiscan-4.12-21.

To unpack:
tar -xvzf exiscan-[version].tar.gz

2) Patch into the Exim source

Cd into the top level of the exim source directory. Example:
cd /tmp/exim-4.12

Run (Note: "-p1" <-that is a number one, not a lower-case L):
patch -p1 < [path]/exiscan-[version].patch

If you have configured Exim (ie ran make), just delete the build directory (ie rm -rf build-Linux-i386) and run:
make makefile
Then you can build Exim as normal.

3) Build, install, and setup Exim and make sure it works

My steps are here.

4) Setup your virus scanner and make sure it works

Note: InoculateIT cannot be currently used because inocmd32 must be run as root.

See this page for other virus scanners.

5) Setup SpamAssassin

My steps to come soon

6) Edit the exim.conf file

Mine is in /etc/exim/exim.conf. Please read the "readme.txt" file that comes with exiscan for it's full list of options.

Now in exim.conf, place the exiscan settings at the end of "Main Configuration Settings" section. Note: If this is your first install of Exim it will write a default config file with markers as to where the exiscan items go. Here is my settings using ClamAV via command line (InoculateIT notes included in case it can be used at some point).

# Scan only SMTP and ESMTP messages set to = 1 to force for all
exiscan_condition = ${if or {{eq{$received_protocol}{esmtp}} \
                    {eq{$received_protocol}{smtp}}} \
                    {1}{0} }
# Add header to determine if previously scanned. Required. Two characters.
exiscan_crypt_salt = fo
# Unpack MIME and TNEF for scanning instead of using the AV's mbox option.
# For pre-4.12-22 version:
exiscan_unpack_mime = true
# For 4.12-22 version:
#exiscan_demime_condition = 1
# What to do for malformed MIME container
# For 4.12-22 version2
#exiscan_demime_action = reject
# Timeout for scanner. Default is 15m.
exiscan_timeout = 15m
# To call or not the virus scanner. = 1 forces for all messages. Conditions allowed.
exiscan_av_condition = 1
# What to do if virus is found. Pass, reject, blackhole, freeze, or redirect [address].
exiscan_av_action = redirect
# What type of scanner. Cmdline, sophie, kavdaemon, openav.
exiscan_av_scanner = cmdline
# Full path to command line scanner if cmdline is chosen.
# For InoculateIT
#exiscan_av_scanner_path = /path/to/ino/bin/inocmd32
# For ClamAV
exiscan_av_scanner_path = /path/to/clamscan
# Options for command line scanner. Pipe (|) is where path to scan is placed.
# For InoculateIT (example)
#exiscan_av_scanner_options = -nex -arc -mod secure |
# For ClamAV (example)
exiscan_av_scanner_options = --disable-summary --max-files=100 \
                             --threads=5 --stdout |
# What does command line scanner say when virus is found. String.
# For InoculateIT
#exiscan_av_scanner_regexp_trigger = infected by
# For ClamAV
exiscan_av_scanner_regexp_trigger = FOUND
# Get the virus' name. Regexp
# For InoculateIT
#exiscan_av_scanner_regexp_description = virus: (.*)
# For ClamAV
exiscan_av_scanner_regexp_description = (.*) FOUND
# Sophie scanner socket
# exiscan_av_sophie_socket = /var/run/sophie
# Kavdaemon scanner socket
# exiscan_av_kavdaemon_socket = /opt/AVP/AvpCtl
# OpenAV scanner IP address
# exiscan_av_openav_host =
# OpenAV scanner port
# exiscan_av_openav_port = 8127
# Note to come soon. See the exiscan documentation.
# Note I am not using this right now. See the exiscan documentation.
# Note I am not using this right now. See the exiscan documentation.

7) Restart Exim

Check your exim.conf file for errors first by running:
exim -bV

To start:
/etc/rc.d/init.d/exim restart

8) Test

Do not do these tests on unsuspecting users. If nothing else, add an email in the /etc/aliases that loops back to your address.

Send an email with nothing but text. Does it get delivered? If not, check the exim logs. Does it have the header "X-Scanner: exiscan for exim4"? Try sending it with:
exim -v someone@dom.ain

From: me@my.domain
To: someone@dom.ain
Subject: test

so you can see all of exim's output. Tip: set exiscan_condition=1.

Send an email with an attached file that is known to be infected. If you don't have one, try the test signature eicar at Is the virus detected? If not, does it have the header "X-Scanner: exiscan for exim4"?

Remember that what happens on detection is determined by the exiscan_av_action setting. If it is set to redirect, check that address and see if it was delivered. Look at exim's logs to see what happened for the other settings. I suggest using the redirect setting for testing.

When you get the header but the virus was not detected, that means your scanner is not running (ie the options are not correct so it fails). If you don't get the header, then the message is not passing through exiscan. Check your exiscan_condition and set it to just =1 to force for all types of messages.