Tales from Tech Support: Part 2 – External Agents

Welcome to part two in our series. Today, we will discuss External Agents.

External Agents – What are they?
External Agents allow you to link external software to ORF to perform additional tests on incoming emails. The external software could be virtually anything (anti-virus, anti-spam or simple text analysis software). The only requirements are that it is a command line tool and that it runs on the same server ORF is installed on.

How do External Agents work?
When an email arrives and reaches the External Agent test of ORF, a temporary copy of the email file is created (in a directory you specify). The agent then calls the executable of the external software to scan this temporary file, the same way you would perform a scan from the command line. Once the scan is finished, the external software returns an exit code that tells ORF the final status of the email (e.g. 1 – I found no viruses, 2 – the incoming email is infected, 3 – I could not scan the file due to an error), then it exits and the temporary copy is deleted. ORF can perform different actions based on the exit code returned by the external software: for example, if the email file is infected, drop it, or tag the subject line with [VIRUS].

External Agent Roles
Basically, there are two groups of External Agents: the ones you use for spam filtering purposes, and the ones you use for other security purposes (anti-virus). The latter can override regular whitelists in ORF, while spam filtering agents act like the other, normal tests in ORF (whitelists are applied, even if the email would be blacklisted by the agent).

Pros and Cons
Using External Agents provides further control over the email flow: for example, you can add keyword filtering expressions using egrep and assign a different action to each (tag the email on keyword X but drop it on keyword Y). You may also use them as an additional line of defense against viruses, or to scan incoming emails with additional spam filtering software like SpamAssassin. Unfortunately, in most cases these additional free tools are quite complicated and hard to set up, but they are usually worth the hassle.

However, no matter how effective some external software can be, you should keep in mind that some whitelists are applied in ORF no matter what (even if you add the External Agent test to the whitelist exceptions): emails originating from private local IP addresses (in other words, outgoing and internal emails) will never be scanned by ORF, so viruses may spread on your local network undetected if you rely on External Agents alone. Because of this, we strongly suggest using this feature as a second line of defense in addition to your existing anti-virus solution.
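The keyword filtering agent mentioned above, written as a small command line tool. This is an added example, not Vamsoft code; it goes a step beyond a plain egrep by decoding base64 and quoted-printable parts before matching, and it never reports "clean" for a file it could not read. The exit code values, the keyword rules and the assumption that the temporary file path arrives as the only argument are this example's own choices.

```python
"""Keyword-filter agent: scan one email file, report the verdict as an exit code."""
import re
import sys
from email import policy
from email.parser import BytesParser

# Exit codes are this example's own convention (assumption), not ORF defaults.
CLEAN, TAG, DROP, SCAN_ERROR = 0, 1, 2, 3

# Constructed sample rules; the strongest verdict is checked first.
RULES = [
    (DROP, re.compile(r"\b(wire transfer|gift cards?)\b", re.I)),
    (TAG, re.compile(r"\b(invoice|password reset)\b", re.I)),
]

def extract_text(raw: bytes) -> str:
    """Return the subject plus every decoded text part of the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # get_content() undoes base64 / quoted-printable and the charset.
            chunks.append(part.get_content())
    return "\n".join(chunks)

def classify(raw: bytes) -> int:
    """Map a raw message to one exit code; a parsing failure is SCAN_ERROR."""
    try:
        text = extract_text(raw)
    except Exception:
        return SCAN_ERROR  # never report CLEAN for a message we could not read
    for verdict, pattern in RULES:
        if pattern.search(text):
            return verdict
    return CLEAN

def main(argv: list) -> int:
    # Assumption: the path of the temporary email copy is the only argument.
    if len(argv) != 2:
        return SCAN_ERROR
    try:
        with open(argv[1], "rb") as fh:
            return classify(fh.read())
    except OSError:
        return SCAN_ERROR

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Each exit code is then mapped to an action (tag, drop, or treat as a scan failure) on the ORF side.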

Shall I Use External Agents?
That depends on your intentions and the software you want to connect ORF with: if your anti-virus product has an email filtering feature by default which runs in the background, it does not make sense to also use the command line feature of that anti-virus product and scan all emails twice. But if you would like to widen the filtering tools of ORF, you may find the External Agent test quite useful.

In the next article, we will build an External Agent definition for a 3rd party anti-virus product to demonstrate how easy it is :)
