
                         +----------------------+
                         |                      |
                         |   AntiVir MailGate   |
                         |                      |
                         |         FAQ          |
                         |   Frequently asked   |
                         |      questions       |
                         |      (English)       |
                         |                      |
                         |    last modified:    |
                         |      16.04.2002      |
                         |                      |
                         +----------------------+



Q: Is there a free version of AntiVir for Linux for private use?

A: Yes, private users can use AntiVir for Linux free of charge - like
   the AntiVir Personal Edition under Windows. You can register as a
   private user at http://www.antivir.de/order/privreg/linux.htm.
   You will then receive a licence file which you should copy to the
   AntiVir program directory. The private licence is valid for a year;
   after that, you will have to re-register your AntiVir for Linux.

---------------------------------------------------------------------

Q: What is the difference between AntiVir for Linux and AntiVir
   MailGate?

A: AntiVir for Linux is a command line scanner. This program enables
   you to perform scans on the file system of the server (e.g. if
   you use your Linux server as a file server with Samba).
   AntiVir MailGate is an SMTP scanner which checks all incoming and
   outgoing emails on a Linux mail server for alerts.

---------------------------------------------------------------------

Q: How does AntiVir MailGate work?

A: AntiVir MailGate acts as a store-and-forward agent whereby the work
   is shared by two programs: avgated receives the mails, filters them
   according to the IP address and places them in a specific directory
   (spool directory). This program can operate as an independent server
   occupying port 25 (SMTP) or being started by the internet super daemon
   'inetd'.
   avgatefwd is the daemon which reads the mails stored in the spool
   directory, decodes any attachments and then starts the scan.
   Depending on the result, the mails are blocked or forwarded to the
   MTA. Besides blocking, deleting or forwarding the infected mail, it
   also issues status signals via 'syslog'. The 'postmaster' receives a
   mail with a detailed report, and the sender and receiver can also be
   notified of the infection in addition.

---------------------------------------------------------------------

Q: Which MTAs does AntiVir MailGate work with?

A: AntiVir MailGate works with all common MTAs (Mail Transport
   Agents), e.g. sendmail, postfix, qmail, exim, etc.

---------------------------------------------------------------------

Q: Which Linux distributions does AntiVir work with?

A: AntiVir works independently of Linux distributions. It depends
   entirely on the MTA.
   The program is available for downloading as a zipped TAR file (TGZ)
   and can therefore be installed on all Linux systems.

---------------------------------------------------------------------

Q: I use FreeBSD or OpenBSD. Will AntiVir still work?

A: AntiVir is also available for FreeBSD and OpenBSD. These versions
   can be found in the download section of http://www.antivir.de. Please
   make a note of the directory containing sendmail (e.g.
   /usr/lib/sendmail or /usr/sbin/sendmail) and enter it accordingly in
   the configuration file avmailgate.conf ("ForwardTo" entry).

---------------------------------------------------------------------

Q: How often are updates available?

A: For private users and customers who have purchased FUSE 6, updates
   are provided every 2 months.
   For customers with FUSE 6/wi, intermediate updates are provided on a
   weekly basis.

---------------------------------------------------------------------

Q: Where can I find these updates?

A: The latest programs are always in the download section of
   http://www.antivir.de

---------------------------------------------------------------------

Q: Is the source code of the AntiVir programs for Linux freely
   available?

A: No.

---------------------------------------------------------------------

Q: Will AntiVir MailGate work on anything other than the Intel
   x86-compatible processor?

A: Not yet. As soon as AntiVir for Linux is ported, AntiVir MailGate
   will be available for other processors too.

---------------------------------------------------------------------


Q: How do I configure sendmail?

A: There are two ways to make AntiVir MailGate work with sendmail: the
   backdoor mechanism or the piping mechanism.
   For more details, please refer to the INSTALL and INSTALL.sendmail
   files contained in the archive.

---------------------------------------------------------------------


Q: How do I configure exim?

A: AntiVir MailGate works with Exim from version 3.0 upwards. Please
   read and follow the instructions in INSTALL and INSTALL.exim.


---------------------------------------------------------------------

 
Q: How do I configure qmail?
 
A: There are two possible ways of integrating AntiVir MailGate under
   qmail. One of these is to forward emails by calling qmail's
   sendmail wrapper. Follow the installation instructions of qmail,
   then read and follow the instructions in INSTALL and
   INSTALL.qmail.


---------------------------------------------------------------------


Q: How do I configure postfix?

A: There are two possible ways of integrating AntiVir MailGate under
   postfix. One of these is to make AntiVir MailGate listen at port 25
   and forward the emails to postfix. The other is to integrate AntiVir
   MailGate in postfix as a content filter.
   For more details, read and follow the instructions in INSTALL and
   INSTALL.postfix.


---------------------------------------------------------------------

Q: How do I integrate AntiVir MailGate into the SuSE eMail Server 2/3?

A: You can integrate AntiVir MailGate as a content filter in the MTA
   postfix used by the SuSE Email Server II and III.
   See also the section "How do I configure postfix?".

---------------------------------------------------------------------

Q: How do I configure AntiVir MailGate with SuSE 8.0?

A: You have two possibilities:

   1. sendmail is running on the backdoor port. Please read
   INSTALL.sendmail and follow the instructions. Next edit
   /etc/sysconfig/mail and set SMTPD_LISTEN_REMOTE to "yes".
   The mails will be looped between AntiVir MailGate and sendmail
   if SMTPD_LISTEN_REMOTE is "no". 

   2. The same happens if you are using the piping method 
   ForwardTo /usr/lib/sendmail -oem -oi. If you add -Am to this 
   line then the mails will be "normally" delivered, BUT only if 
   AntiVir MailGate is running as user root and group root (but 
   this is not recommended).

---------------------------------------------------------------------

Q: How do I configure AntiVir MailGate in combination with SuSE Linux
   Groupware Server (Lotus Domino R5 Application Server)?

A: First follow the installation instructions in INSTALL.

   Then carry out the following two steps:

   1. Configure the SMTP-Port with help of your admin web interface 
      from port 25 (default) to port 825.

   2. AntiVir MailGate has to send all mails to 825. Therefore you 
      have to modify the following entry "ForwardTo" in
      avmailgate.conf:  

      ForwardTo    SMTP: localhost port 825

---------------------------------------------------------------------

Q: What is the meaning of the files df-*, qf-*, Qf-*, xf-*, vf-* and
   mf-* in the spool directory of AntiVir MailGate ?

A: An email is represented by two files in the spool directory of
   AntiVir MailGate. One is a data file, the other a control file. The
   data file is identified by a "df-" at the beginning of the file name.
   The corresponding control file can assume different file names
   depending on the processing status of the email:
   "xf-": Control file is currently being processed
   "qf-": Email is ready for a check
   "Qf-": Email is ready for direct forwarding without a check
   "vf-": Email contains an alert
   "mf-": A MIME problem has occurred in this email

---------------------------------------------------------------------

Q: What happens when an infected mail is found?

A: An infected email is identified by "vf-" at the beginning of the
   name of the control file in the spool directory of AntiVir MailGate.
   These emails are not forwarded. The corresponding data file contains
   the email in which the alert was found, which can now be either
   deleted together with the control file or forwarded by executing
   the queue manager avq.
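
   The naming scheme from the two answers above, as an added example
   (not part of the original FAQ or of AntiVir MailGate): a Python
   sketch that inventories a spool directory by control-file prefix.
   It assumes that a control file and its data file share the part of
   the name after the three-character prefix; the sample file names
   and function names are constructed.

```python
import os
import tempfile

# Control-file prefixes and their meaning, as listed in the FAQ.
STATES = {
    "xf-": "control file is being processed",
    "qf-": "ready for a check",
    "Qf-": "ready for direct forwarding without a check",
    "vf-": "contains an alert (not forwarded)",
    "mf-": "MIME problem",
}

def scan_spool(spool_dir):
    """Return (by_state, incomplete) for the files in spool_dir."""
    control, data = {}, set()
    for name in os.listdir(spool_dir):
        prefix, msg_id = name[:3], name[3:]
        if prefix == "df-":
            data.add(msg_id)
        elif prefix in STATES:      # case-sensitive: "qf-" is not "Qf-"
            control[msg_id] = prefix
    by_state = {p: sorted(i for i, s in control.items() if s == p)
                for p in STATES}
    # Assumption: both files of a mail share the id after the prefix,
    # so an id seen on only one side is an incomplete pair.
    incomplete = sorted(set(control) ^ data)
    return by_state, incomplete

def make_sample(spool_dir):
    """Create a constructed sample spool (empty files, made-up ids)."""
    names = ["df-0001", "qf-0001", "df-0002", "vf-0002",
             "df-0003", "Qf-0003", "mf-0004", "df-0005"]
    for name in names:
        open(os.path.join(spool_dir, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample(d)
        by_state, incomplete = scan_spool(d)
        for prefix, ids in by_state.items():
            print(f"{prefix} {STATES[prefix]:<45} {ids}")
        print("incomplete pairs:", incomplete)
```

   Point scan_spool() at the real spool directory to list the mails
   held with "vf-" before deciding whether to delete them or forward
   them with avq.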

---------------------------------------------------------------------

Q: What is the meaning of the message "List port is obsolete" in
   /var/log/mail or /var/log/maillog?

A: In older versions of AntiVir MailGate, the settings for the
   interface and port which AntiVir MailGate is to monitor were made via
   the two entries "List address" and "List port" in the configuration
   file avmailgate.conf.
   In new versions of AntiVir MailGate, these two entries are grouped
   together:
   "List address ... port ...". The default entry is "List address
   0.0.0.0 port 25".
   If you find the message "List port is obsolete" in the logfile, delete
   the entry "List port" in avmailgate.conf and enter the port as shown
   in the above example after the entry "List address".

---------------------------------------------------------------------

Q: What is the meaning of the message "bind failed (Address already in use)"
   in /var/log/mail (mail.log or maillog)?

A: This message appears if AntiVir MailGate could not bind to the port
   (default: 25) you have specified in avmailgate.conf (see option
   ListenAddress). This means another program is already listening on
   port 25. Test this with "lsof -i" or just do a "telnet localhost 25";
   you will then see which program is listening on the SMTP port.
   Also check /etc/inetd.conf for an entry for sendmail, qmail, etc.

---------------------------------------------------------------------

Q: What is the meaning of the message "can't initialize scan engine!"? 

A: This message appears if AntiVir MailGate could not initialize the
   scan engine antivir. The binary antivir needs write access to the
   directory /tmp. Please check this directory and set the correct
   permissions.

---------------------------------------------------------------------

Q: What is the meaning of the message "init failed, err=3" in
   /var/log/mail or /var/log/maillog?

A: This message tells you that port 25 is occupied by another daemon.
   This probably means that you failed to close your MTA properly before
   installing AntiVir MailGate or to adapt the configuration file of your
   MTA. For more details, please refer to the installation instructions
   which you will find in the TGZ file.

---------------------------------------------------------------------

Q: What is the meaning of the message "init failed, err=6" in
   /var/log/mail or /var/log/maillog?

A: This means that your AntiVir directory contains a wrong virus
   definition file (VDF).
   The definition file must match the program version, i.e. the
   first two digits of the version numbers must be the same in both
   files (e.g. 6.8.x.x).
   The latest VDF files can be found in the download section of
   http://www.antivir.de

---------------------------------------------------------------------

Q: What is the meaning of the message "Relaying denied for rcpt "
   in /var/log/mail, /var/log/maillog or /var/log/mail.log?

A: This means that the host connected to AntiVir MailGate is not
   allowed to send E-Mails via the AntiVir MailGate server.
   Hosts that are allowed to relay are listed in the file "avmailgate.acl".

   avmailgate.acl:

      ----snipp----
   # These hosts and/or domains are local.
   local: localhost 127.0.0.1
   local: antivir.de
   # These hosts and networks are allowed to relay.
   relay: 127.0.0.1/8  192.168.0.0/16
      ----snapp----

   The above entries in "avmailgate.acl" mean that any E-Mail to
   localhost or 127.0.0.1 or hbedv.com or antivir.de is allowed to be relayed
   regardless of what is entered in "relay:".
   Connections from hosts whose IP address starts with 127 and
   connections from hosts whose IP address starts with 192.168
   are allowed to relay regardless of what is entered in "local:".

   The interpretation of the keyword local in avmailgate.acl
   can be modified in the avmailgate.conf file in
   section "MatchMailAddressForLocal".

   You can set this option to RECIPIENT, SENDER or BOTH to match the
   domain name of the recipient and/or sender mail address when checking
   whether a mail is to be considered local.

   If MatchMailAddressForLocal is RECIPIENT, and the recipient address matches
   the domain given in "local:", mail will be accepted.
   If MatchMailAddressForLocal is SENDER, and the sender address matches the
   domain given in "local:", mail will be accepted.
   If MatchMailAddressForLocal is BOTH, and the recipient or the sender address
   matches the domain given in "local:", mail will be accepted.
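
   The acceptance rules described above, as an added example (not
   AntiVir MailGate's own code): a Python model of the decision for one
   connection, useful for reviewing an ACL before deploying it. It
   assumes domains are compared exactly and case-insensitively and
   that host names in "relay:" are ignored; the function names and the
   test addresses are constructed.

```python
import ipaddress

# Constructed sample mirroring the avmailgate.acl excerpt above.
SAMPLE_ACL = """\
# These hosts and/or domains are local.
local: localhost 127.0.0.1
local: antivir.de
# These hosts and networks are allowed to relay.
relay: 127.0.0.1/8  192.168.0.0/16
"""

def parse_acl(text):
    """Return (local_names, relay_networks) from avmailgate.acl-style text."""
    local, relay = set(), []
    for line in text.splitlines():
        key, sep, values = line.split("#", 1)[0].partition(":")
        if not sep:
            continue                      # blank line or comment
        key = key.strip().lower()
        if key == "local":
            local.update(v.lower() for v in values.split())
        elif key == "relay":
            for v in values.split():
                try:
                    # strict=False tolerates host bits, as in "127.0.0.1/8"
                    relay.append(ipaddress.ip_network(v, strict=False))
                except ValueError:
                    pass                  # host names are not resolved here
    return local, relay

def is_local(address, local):
    # Assumption: exact, case-insensitive match on the part after "@".
    return address.strip("<>").rpartition("@")[2].lower() in local

def decide(client_ip, sender, recipient, acl, match):
    """Return why a mail is accepted, or None for 'Relaying denied'."""
    local, relay = acl
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in relay):
        return "relay"
    if match in ("RECIPIENT", "BOTH") and is_local(recipient, local):
        return "local-recipient"
    if match in ("SENDER", "BOTH") and is_local(sender, local):
        return "local-sender"
    return None

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Constructed cases: (client IP, envelope sender, envelope recipient)
    cases = [("192.168.1.10", "a@example.org", "b@example.net"),
             ("203.0.113.5", "a@example.org", "user@antivir.de"),
             ("203.0.113.5", "user@antivir.de", "b@example.net"),
             ("203.0.113.5", "a@example.org", "b@example.net")]
    for case in cases:
        print(case, {m: decide(*case, acl, m)
                     for m in ("RECIPIENT", "SENDER", "BOTH")})
```

   With SENDER or BOTH, acceptance depends on the envelope sender, which
   the connecting client supplies, so review that setting together with
   the "relay:" networks.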

---------------------------------------------------------------------

Q: Every scanned E-Mail contains an advertising slogan, how do I 
   turn it off?

A: AntiVir MailGate only adds an advertising slogan to every mail
   when it is running in non-key mode. If you are using a licensed
   version, the advertising slogan will no longer be displayed.
   If you are a private user, you will have to register at 
   http://www.antivir.de/order/privreg/linux.htm. If you use AntiVir
   MailGate for business purposes, please contact our sales department.
   The contact address can be found at
   http://www.antivir.de/infos/kontakt.htm. 

---------------------------------------------------------------------

Q: I have copied the file avmgate.key to the AntiVir
   program directory but AntiVir will still only run in non-key mode.
   Why?

A: Your licence has probably expired. If you are a private user, you
   will have to re-register at
   http://www.antivir.de/order/privreg/linux.htm. If you use AntiVir
   MailGate for business purposes, please contact our sales department.
   The contact address can be found at
   http://www.antivir.de/infos/kontakt.htm.

---------------------------------------------------------------------

Q: Why are emails received via the SMTP command ETRN not scanned?

A: If you use the SMTP command ETRN to retrieve your emails from the
   server, they will not pass through the local SMTP daemon. To avoid
   this problem, use pop, imap and fetchmail to retrieve your emails.

---------------------------------------------------------------------

Q: Sendmail can no longer send any emails once AntiVir MailGate is
   installed.

   NOTE:
   We recommend using AntiVir Milter for sendmail instead of AntiVir
   MailGate. With AntiVir Milter all functionality of sendmail will
   still be available!

A: You are using a SuSE distribution in which the security level is
   set to SECURE or PARANOID. Add the following entry in the file
   /etc/permissions.local: 
   /var/spool/mqueue root.root 775
   Don't forget to start SuSEconfig afterwards.

---------------------------------------------------------------------

Q: Since AntiVir MailGate has been installed, procmail will no longer
   deliver emails to the local mailboxes.

A: This problem occurs in some systems. One possible solution is to
   set the SUID bit of /usr/bin/procmail.

---------------------------------------------------------------------

Q: The daemon avgated terminates the connection before any data can be
   sent. What's wrong?

A: This problem occurs in the distribution Red Hat 7.0. The glibc
   supplied with Red Hat 7.0 is faulty: a new version of it is available
   for updates on the FTP server of Red Hat. Please download the two RPM
   packages glibc-2.2-12.i386.rpm and glibc-common-2.2-12.i386.rpm, and
   this will solve the problem.

---------------------------------------------------------------------

Q: Does AntiVir MailGate work with fetchmail?

A: Yes. Fetchmail transfers all emails to the process which listens
   on port 25 (SMTP) - in this case, the daemon avgated.

---------------------------------------------------------------------

Q: How can I test AntiVir MailGate after installation?

A: There is a test signature called Eicar which is detected by all
   scanners.
   To use this, simply copy the following character string to a file and
   send it to AntiVir MailGate:
   X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

   or visit the website http://www.eicar.com,
   download the Eicar files and attach them to the test email.

---------------------------------------------------------------------

Q: Is there a graphical configuration tool for AntiVir MailGate?

A: Yes, this utility (TkAvGate) is a Tcl/Tk Frontend developed 
   by Sebastian Geiges. You can download this tool here:

   http://www.sebastian-geiges.de/tkantivir/tkavgate/index.htm
 
---------------------------------------------------------------------

Q: I can't find an answer to my question here. What shall I do?

A: First check the frequently updated FAQ on our website to see whether
   your question is answered there. If you have purchased AntiVir, you
   can use our normal support channels
   (telephone, fax and email). The telephone number and email address can
   be found at: http://www.antivir.de/infos/kontakt.htm
