Post.Office Server Scanning Extension

Post.Office Support: Index

Post.Office recommends using McAfee's Virex 7 to scan messages after they are received by Post.Office, but before they are delivered to the individual user mail boxes.

These scripts, created by Euregio.Net, are designed to manage the execution of Virex 7 on Post.Office systems. The scripts are run using a cron job or through a daemon. They provide a range of scanning levels that can work directly on the message content and attachment file names, with or without Virex 7.

How this script works

A cron job is executed every minute which scans the server with the Virex command line scanner for new messages since the last execution of the script. A daemonized version of the script is also available which scans the mailbox directory continously for new messages.

It sounds rather simple compared to other (expensive) anti-virus systems but it's quite effective. Development and testing of this script took more than 100 hours. It's been running without any major problems on our production mail server since late August 2003.

Different scanning options can be turned on or off by editing a few variables at the top of the anti-virus script

The script also uses some other methods to discovered unwelcome file attachments ( .lnk, .bat, .chm, .cmd, .vxd, .pif, .scr, .hta, .jse, .vbs ). This gives you a pretty good protection against any new viruses which are not yet covered by the Virex DAT files (virus definitions). When there are attachments with a suffix of .exe, .com, .dll or .zip then the subject line of the message is rewritten to alert the user that there is a potentially dangerous attachment in the message.

Attention Panther Users

It's been reported that there are some problems running these scripts on MacOS X 10.3.x (Panther). I still have to install a test server running Panther to find out what's going on. The scripts do work on MacOS X 10.2.x (Jaguar) without any problems. By the way, I'm currently testing the next version of the anti-virus scripts which also work with ClamAV (an open source anti-virus solution).

Current version: 0.8 - updated 11th February 2004


Here are the features of the script:

And best of all, there is an online configurator/wizard for the script which allows you to set your preferred configuration without having to wade through code of my shell script.

System Requirements

This script has been tested on MacOS X 10.2.x and is currently running a our mail server (MacOS X 10.2.8) without any problems.

Virex and the vscanx command line scanners are not provided in this script. You have to get a copy of Virex either through your McAfee or included with your .Mac subscription.

munpack is a small utility that can be used to extract attachments from an e-mail message which makes scanning a bit easier for Virex. This is optional for the virexscript but can provide better scanning results. You can get the munpack binary through the Communigate Virusscan script: CGVirusscan. Download CGVirusscan, extract the archive and then copy the munpack binary to /usr/local/bin/ on your server.

Unix "munpack" utility ( Copyright 1993,1994 by Carnegie Mellon University, All Rights Reserved)


Here's a quick installation guide:

  1. use the online configurator to adapt the script for your system or download the default script
    (You won't need to edit the script in a text editor afterwards.)
  2. copy the virexscript.txt file to the top level of your server
  3. copy the virus.list file to the top level of your server if you want to use it
  4. open your Terminal application
  5. change to the root user by typing the following after root#
    su -
  6. move virexscript.txt from the top level to the root home directory
    mv /virexscript.txt ~/
  7. go to the root home directory
    cd ~root
  8. change the file permissions of to make it executable
    chmod 755
  9. change the file ownership of
    chown root:wheel
  10. create a temporary directory for Virex to store extracted attachments
    mkdir -p /tmp/virex
  11. install munpack on your server if you want to use it
    (see System Requirements)
  12. create a "quarantine" folder on the top level of your server to store messages with unwelcome attachments
    mkdir -p /quarantine
  13. run the virexscript for the first time manually
    This will take some time as it checks all files in your mailbox directory for a first time. It will also show any errors that could occur. After the first run, the script will only verify the newest files since the last execution.
  14. Append your list of cron jobs ( /etc/crontab ) to execute the every minute
    echo "*/1 * * * * root ~root/ > /dev/null 2>&1" >> /etc/crontab
    Careful: be sure it says " >> /etc/crontab" as this will append the cron job at the end of the crontab file. If there is just a single > it will overwrite the whole crontab file.
    You can also edit your crontab file manually with your favorite command line editor by putting
    */1 * * * * root ~root/ > /dev/null 2>&1
    at the end of that file.
  15. All done. The script now executes every minute and scans your mailbox directory for new viruses.
    It wasn't all that hard, was it?

Make sure to read the rest of this page as well and if the anti-virus system is working for you, please support the development by donating something... :-)

Files and Folders being used

Here's a list of files and folders that are being used by the script. This information is provided just for your information, so you know what is going where.

Some minor problems

Slight chance of viruses slipping through

Since verison 0.8 it's possible to run the script as a daemon/background process. This will check your mailbox directory continuously instead of just once per minute. The script should be able to scan 99% of the messages.

The very first version checked the whole mailbox directory on every execution. That took too much time when there were lots of messages. Therefore I looked for a way to only scan any new messages. Using a cron job for your anti-virus solution is not 100% ideal because new messages could arrive and being downloaded while the script is still running.


The e-mail that arrives between the start of the scanning process and the next execution of the scanning process could contain a virus and get downloaded before the system has a chance to scan it. Personally, I think this little risk is worth having when the rest of the messages are being checked for viruses.

Some quirks with munpack and Virex

As this anti-virus script is being used on our production server, I discovered some minor problems with the Virex command line scanner: it was unable to check some kind of messages because they used a special encoding mechanism. Eventually, I found out how to use munpack to extract the attachments first from the messages and then scan them with virex.

Sometimes, munpack also has problems with e-mail messages and it could get stuck. I'v already put some limits into the script (maximum execution time of 5 minutes) which should prevent this kind of problems, but if you notice that your server becomes slow, just type this at the command line prompt:

ps -ax | grep munpack | grep -v "grep munpack"

This returns the currently running munpack process with its process ID number. To terminate that process, type:

kill -9 <processID>

Unwelcome Attachment Names

Following attachment suffixes are moved to the quarantine directory if that option is enabled:


Message subjects are prepended with [Careful: Attachment] when they contain any attachments with these suffixes:


Messages with attachments that match any of the names listed in the virus.list file are also moved to the quarantine directory. This is useful for well-know viruses which have suffixes of .exe, .zip, .com, .dll that would otherwise only get the subject line changed.


Current version: 0.8 - updated 11th February 2004

Version: 0.7 - updated 26th January 2004

A little personal anti-virus history:

During the 80's and the early 90's our family business was running Mactivity/Macclub Benelux. It was the largest Mac User Group in Europe with more than 16,000 members in more than 20 countries. One of its services was the "free anti-virus update". It allowed people from around the world to send a self-addressed envelope to our company and receive the latest version of the then popular Disinfectant anti-virus tool by John Norstad. Our address was even listed in the Disinfectant documentation so people always knew where to get the latest version for free. There was also a commercial variant of the service: for a small yearly fee, our company sent out a disk containing Disinfectant as soon as a new version was released. At that time I made a lot of friends and pen pals from around the world whom I got to know through the anti-virus update service.

I've written some anti-virus software of my own during the past decades. When the first HyperCard virus appeared in 1991, I wrote the first vaccine for it. We called the virus "Musidenn" but other anti-virus companies later called it "MerryXmas". The first version of my antidote removed the virus from HyperCard stacks -- it was distributed to all the members of Mactivity and also included on the anti-virus update disks. Later versions where more advanced and included a checksum-based protection for all stacks -- making them immune to other viruses as well. That functionality was included in my PowerMenus developer tools for HyperCard which received a 3 mice rating from ZiffNet (a Ziff-Davis publishing division).

In 20 years of using Macintosh computers I've only had 1 virus infection on my computers which was immediately detected by Disinfectant.

In recent years, I've spend a lot of time fighting against viruses on our mail servers. It was the first time I had to deal with Windows viruses. My first scripts scanned our sendmail servers and blocked virus senders. Since we installed Post.Office on MacOS X I've been developing various tools to fight viruses on that platform.

More information about myself is available on our corporate site... (scroll down that page for the English information)

Copyright by Jochen "Joe" Savelberg - 2003-2004 -- Last Modified: 11th February 2004