Setting up MailScanner with Exim

Note: The following is part of a series of steps to setup an email server using Exim 4.x, with imap and webmail access. It will use winbind to get user information from an NT server. If you found this page via a search engine it may not cover what you need or you may need to start at the beginning to understand everything I have done.

See and for much more information. MailScanner mailing list is here:

(Note: These instructions reference software that is now possibly much newer with many new or different configuration options. This page is being left up for reference.)

Quick steps:

  1. Setup Exim and make sure it works. My steps are here.
  2. Setup AV and make sure it works. My steps for ClamAV are here.
  3. Download and install MailScanner.
  4. Edit the exim.conf file.
  5. Edit the /etc//MailScanner/MailScanner.conf file.
  6. Edit the /etc/MailScanner/virus.scanners.conf file.
  7. Edit the /etc/sysconfig/MailScanner file.
  8. Verify directories need and permissions.
  9. Restart Exim and start MailScanner.
  10. Test.
  11. Setup cron job to clean up the retry database.
  12. Misc notes.

Here is everything the way I did it. (Currently running v4.23-11.)

3) Download and install MailScanner

Go to and download. I used the RPM for RedHat.

Unpack the tar file:
tar xvzf MailScanner-version.rpm.tar.gz

Cd into the MailScanner directory and read the README and QuickInstall.txt files.

Run the install script:
If you have problems, follow what the install script outputs and/or see the README file. For instance I had to update a Perl module.

4) Edit the exim.conf file

First, stop exim and possibly MailScanner (it will start because of a cron job that is run hourly):
service exim stop
service MailScanner stop

Mine is in /etc/exim/exim.conf. Per the MailScanner instructions copy it to a new file, which will be used for the second instance of exim.

cp exim.conf exim_scanned.conf

Now in exim.conf, place this in the "Main Configuration Settings" section at the top:

# Added for MailScanner
spool_directory = /var/spool/exim_incoming
queue_only = true

Then in the "Routers Configuration" add:

# Added for MailScanner
  driver = manualroute
  route_list = * byname
  self = defer
  verify = false

I placed this below the domain_literal and dnslookup routers, but before the local domain routers, such as the system_aliases router. It works for both incoming and outgoing here.

Another alternative, recommended to me by Michael using Exim v4.13, is this:

   driver = smartuser
   new_address = :defer: All deliveries are deferred
   verify = false
   driver = domainlist
   self = defer
   route_list = "*  byname"
   verify = false

5) Edit the /etc/MailScanner/MailScanner.conf file

Here are parts of my MailScanner.conf file that I changed from the default. Note that each version of MailScanner tends to add more features. Please use this only as an example that may be out of date.

# System settings
# ---------------
# ...
# Set location of incoming mail queue
# ....
Incoming Queue Dir = /var/spool/exim_incoming/input/
# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/exim/input/
# ...
# Set whether to use sendmail or exim (default is sendmail)
MTA = exim
# Set how to invoke MTA when sending created message
# (e.g. to sender/recipient saying "found a virus in your message")
Sendmail = /usr/sbin/exim
# Sendmail2 is provided for Exim users.
# ...
Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_scanned.conf
# ------------------------
# ...
# Pay attention to these sections.
# Config as needed.
# Notices to System Administrators
# --------------------------------
# ...
Notices Include Full Headers = yes
# Where to send the notices.
# This can also be the filename of a ruleset.
Notices To = postmaster@your.domain
# Address of the local Postmaster, which is used as the "From" address in
# virus warnings sent to users.
# This can also be the filename of a ruleset.
Local Postmaster = postmaster@your.domain
# ...

There are many more options you need to setup to your liking, such as HTML exploit protection, virus scanner to be used, and SpamAssasin options if applicable.

6) Edit the /etc/MailScanner/virus.scanners.conf file

This is to make sure the path to your scanner is correct. Note that they currently point to wrapper files. If you scanner does not have a wrapper for it in /usr/lib/MailScanner, like inoculate did not in a previous version, then you place the path to the command line scanner executable. Such as:
inoculate /usr/local/MailScanner/inoculate/ino/bin/inocmd32

If it does have a wrapper file, then you need to look though that for any options you may want to modify. For example, if you are using clamav, ala clamscan, and you get messages that say "File size limit exceeded" edit /usr/lib/MailScanner/clamav-wrapper. Uncomment the second "ExtraScanOptions" line, which can be dangerous, or define your own "ExtraScanOptions" below it like:
ExtraScanOptions="--max-space=30M $ExtraScanOptions"
That would allow a file up to 30meg in size to be unzipped from a file an scanned without the warning.

7) Edit the /etc/sysconfig/MailScanner file

The default setup tries to start sendmail. Here is mine:

# Are you running Postfix, sendmail, Exim or ZMailer?
# ...
# Exim settings
EXIMINCF=/etc/exim/exim.conf            # Incoming configuration file
EXIMSENDCF=/etc/exim/exim_scanned.conf  # Outgoing configuration file

chkconfig exim off

8) Verify directories need and permissions

Remember in the exim.config you specified a spool directory. Make sure it is created and that the Exim user and group have rights to it. Example:

cd /var/spool
mkdir exim_incoming
mkdir exim_incoming/input
mkdir exim_incoming/db
mkdir exim_incoming/msglog
chown -R mail.mail exim_incoming

Also make sure the MailScanner directories are setup as called in the mailscanner.conf file. As to rights, see "Misc Notes" below.

9) Restart Exim and start MailScanner

Check your exim config files for errors first by running:
exim -bV
exim -bV -C /etc/exim/exim_scanned.conf

To start:
service MailScanner start

With the older versions and if you did not want to use the MailScanner init.d script remember to also:
service exim start

10) Test

Do not do these tests on unsuspecting users. If nothing else, add an email in the /etc/aliases that loops back to your address.

Send an email with nothing but text. Does it get delivered? If not, check the exim logs. It may be the queue runner has not passed by yet. Does it have the header "X-[ID]-MailScanner: Found to be clean"?

Send an email with an attached file that is known to be infected. If you don't have one, try the test signature eicar at Is the virus detected? If not, does it have the header "X-[ID]-MailScanner: Found to be clean"?

Send the same email with infected file to an outside address that is yours or someone that has agreed to be a test subject. Is the virus detected? If not, does it have the header "X-[ID]-MailScanner: Found to be clean"?

When you get the header but the virus was not detected, that means your virus scanner is obviously not working. If you don't get the header, then MailScanner is not working. See if there are any files in the /var/spool/exim_incoming/input directory. If so, Exim is fine and it is MailScanner. If not, Exim is not working so check it's logs.

Once you are done testing, don't forget to edit the files in /etc/MailScanner/reports to suit. And also see the other config files /etc/MailScanner/.

11) Setup cron job to clean up the retry database

Most of this depends on how your cron is setup and how often you want it to run. I wanted mine to run daily and with RH I have an /etc/cron.daily directory. So I added a file called eximretrytidy which has:

[ -x /usr/bin/exim_tidydb ] || exit 0
/usr/bin/exim_tidydb -t 1m /var/spool/exim_incoming retry
exit 0

Then I made it executable:
chmod 0755 eximretrytidy

And tested it:

I could have done this in the /etc/crontab file or using Webmin. This RedHat document has some good information on how their cron works:

12) Misc notes

  • One problem with InoculateIT v6 is that inocmd32 must run as root. However, mailscanner.conf has the lines:
    # User to run as (not normally used for sendmail)
    #Run As User = mail
    # Group to run as (not normally used for sendmail)
    #Run As Group = mail
    Which the install guide says is provided for Exim. If you set this then inocmd32 is run as that user and group. I found that not setting them works fine. Inocmd32 runs properly and Exim delivers the mail.
  • If you set MailScanner to run as another user, make sure to chown its spool directory.
  • If you do not want your virus signatures updated hourly, but instead what them updated daily, weekly, or monthly instead and want to use this script, do something like:
    mv update_virus_scanners /etc/cron.daily
    If you have your own virus updater scripts and prefer them, read the MailScanner documentation first.
  • Also, if you are using winbind and have Exim set to use a Windows group name, you will want to edit /etc/init.d/MailScanner so it starts after winbind. For example:
    chkconfig: 2345 95 30
  • What I don't like about Mailscanner is that two Exim processes must be run along with Mailscanner, which uses the most memory all my processes. If you are using one of the scanners that can run with exiscan, which InoculateIT currently can't, I would suggest it if you are tight on memory. However, MailScanner does have the ability to disinfect (if your virus scanner can) and send the cleaned attachment onward. Not to mention email reports and the ability to send the parts of the message not infected onward.
  • Note: There was a bug with 4.10 clipping a few characters off an email if it modifies it. It was fixed in 4.11.