ICAP Pro/Ent only

When composing new messages or replying to existing ones in Webmail Messenger or PDF Messenger, you can attach files to your emails. Once you send a message to recipients within your organization, it is delivered over SMTP, the standard protocol for sending email. Because delivery goes through SMTP, your organization’s mail scanning system automatically checks all outgoing messages for potential security threats such as viruses or other harmful content.

For enhanced security, the CipherMail gateway can be configured to perform an additional scan of the message content and attachments before delivery. This scan uses a remote ICAP server to analyze the message in real time. If any threats or policy violations are detected during this scan, the message is blocked immediately, preventing potentially dangerous content from reaching recipients. This provides an extra layer of protection for your organization’s email communication.

To configure ICAP, create an Ansible override file at /etc/ciphermail/ansible/group_vars/all/icap.yml

The main settings are:

---
# the host name of the ICAP server is a required setting that should be configured in an override file
ciphermail_portal_icap__host: <hostname-or-ip-of-icap-server>

# if true, icap client will be enabled
ciphermail_portal_icap__enabled: true

# ICAP server port
ciphermail_portal_icap__port: 1344

# ICAP service name for antivirus
ciphermail_portal_icap__service: <service-name>

# use TLS for ICAP connection
ciphermail_portal_icap__tls: false

# extra options passed verbatim to c-icap-client
ciphermail_portal_icap__extra_options: ''

Replace <hostname-or-ip-of-icap-server> with the hostname or IP address of the ICAP server, and <service-name> with the name of the ICAP service that performs the scan.

After creating the override file, run the playbook to apply the changes:

sudo cm-run-playbook

After the playbook run, the ICAP configuration file /etc/ciphermail/icap.conf should have been created.

Note

The CipherMail gateway integrates with your configured ICAP server through the script /opt/ciphermail/scripts/cm-icap-scan.sh. This script is the interface layer between CipherMail and the ICAP server: when content needs to be scanned, cm-icap-scan.sh uses the c-icap-client command-line utility to connect to your ICAP server and submit the content for inspection. Note that the ICAP protocol does not define a standardized way for a server to report that uploaded content contains malware, viruses, or other threats that should be blocked; different ICAP server implementations report these findings in different ways. To address this, cm-icap-scan.sh includes built-in detection logic that recognizes the most common response patterns used by ICAP servers, which makes it compatible with the majority of ICAP server products on the market. If you are using a less common ICAP server implementation, you may need to customize the script so that it correctly interprets the responses from your specific server.

To verify that your ICAP server configuration can detect viruses, obtain an EICAR test file from the EICAR website at https://www.eicar.org/download-anti-malware-testfile/. After downloading the test file, run the cm-icap-scan.sh script against it from the command line and print its exit code:

curl --output eicar.com.txt https://secure.eicar.org/eicar.com.txt
/opt/ciphermail/scripts/cm-icap-scan.sh -f eicar.com.txt; echo $?

The output of the above commands should look similar to the following (the final 100 is the exit code printed by echo $?):

ICAP server:10.7.7.3, ip:10.7.7.3, port:1344

ICAP HEADERS:
    ICAP/1.0 200 OK
    Server: C-ICAP/0.6.3
    Connection: keep-alive
    ISTag: "CI0001-SEV2wKY9ILBEAKMf7dZAwAAA"
    X-Infection-Found: Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;
    X-Violations-Found: 1
    -
    Win.Test.EICAR_HDB-1
    0
    0
    Encapsulated: res-hdr=0, res-body=193

RESPMOD HEADERS:
    HTTP/1.1 403 Forbidden
    Server: C-ICAP
    Connection: close
    Content-Type: text/html
    Content-Language: en
    Content-Length: 421
    Via: ICAP/1.0 YourServerName (C-ICAP/0.6.3 Antivirus service )
100

When the cm-icap-scan.sh script detects a virus, it returns exit code 100.
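The note above explains that ICAP has no standard way to signal an infection, so the scan script has to recognize the response patterns a given server uses, and the test run shows the two patterns C-ICAP produced here: X-Infection-Found / X-Violations-Found headers in the ICAP section and an HTTP 403 block page in the RESPMOD section. The following is an added example, not CipherMail's own cm-icap-scan.sh, of a small POSIX shell classifier that recognizes exactly those two patterns and maps them to the documented exit code 100. The sample responses are constructed from the page's output (the clean-scan sample is an assumption about what a 204 response looks like), the exit code 2 for unrecognized output is my convention, and the scan_file wrapper assumes that c-icap-client accepts the -i, -p, -s, -f and -v options and that ICAP_HOST, ICAP_PORT and ICAP_SERVICE are supplied via the environment.

```shell
#!/bin/sh
# Added example (not CipherMail's cm-icap-scan.sh): classify c-icap-client
# output using the two infection patterns shown on this page and return the
# documented exit code 100 when one of them is present.

# Constructed sample: the infected-response output from the page, abbreviated.
SAMPLE_INFECTED='ICAP HEADERS:
    ICAP/1.0 200 OK
    Server: C-ICAP/0.6.3
    X-Infection-Found: Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;
    X-Violations-Found: 1
    Encapsulated: res-hdr=0, res-body=193

RESPMOD HEADERS:
    HTTP/1.1 403 Forbidden
    Server: C-ICAP
    Content-Type: text/html'

# Constructed sample (assumption): a clean scan, i.e. no infection headers and
# no 403 block page, just an ICAP 204 "nothing to modify" status.
SAMPLE_CLEAN='ICAP HEADERS:
    ICAP/1.0 204 Unmodified
    Server: C-ICAP/0.6.3
    ISTag: "CI0001-SEV2wKY9ILBEAKMf7dZAwAAA"'

# classify_icap_response RESPONSE_TEXT
# Returns 100 when the response indicates an infection or policy violation,
# 0 when it looks clean, and 2 when the text does not look like ICAP output
# at all (so a broken connection is never mistaken for a clean scan).
classify_icap_response() {
    resp="$1"
    # Sanity check: a real c-icap-client run always prints an ICAP status line.
    if ! printf '%s\n' "$resp" | grep -qE '^[[:space:]]*ICAP/1\.0 [0-9]{3}'; then
        return 2
    fi
    # Pattern 1: infection / violation headers in the ICAP response section.
    if printf '%s\n' "$resp" | grep -qiE '^[[:space:]]*X-(Infection|Violations)-Found:'; then
        return 100
    fi
    # Pattern 2: the server replaced the body with an HTTP 403 block page.
    if printf '%s\n' "$resp" | grep -qE '^[[:space:]]*HTTP/1\.[01] 403 '; then
        return 100
    fi
    return 0
}

# icap_threat_name RESPONSE_TEXT
# Prints the Threat=... value from the first X-Infection-Found header, if any.
icap_threat_name() {
    printf '%s\n' "$1" \
        | grep -iE '^[[:space:]]*X-Infection-Found:' \
        | sed -n 's/.*Threat=\([^;]*\);.*/\1/p' \
        | head -n 1
}

# scan_file FILE
# Submits FILE to the ICAP server with c-icap-client and classifies the result.
# Assumption: c-icap-client accepts -i/-p/-s/-f/-v, and ICAP_HOST, ICAP_PORT
# and ICAP_SERVICE are set in the environment (placeholders, not page values).
scan_file() {
    out=$(c-icap-client -i "${ICAP_HOST:?set ICAP_HOST}" -p "${ICAP_PORT:-1344}" \
                        -s "${ICAP_SERVICE:?set ICAP_SERVICE}" -f "$1" -v 2>&1) || true
    rc=0
    classify_icap_response "$out" || rc=$?
    return "$rc"
}

# Demo on the embedded samples; no ICAP server is needed for this part.
for sample in "$SAMPLE_INFECTED" "$SAMPLE_CLEAN"; do
    rc=0
    classify_icap_response "$sample" || rc=$?
    echo "exit code: $rc, threat: $(icap_threat_name "$sample")"
done
```

Running the block prints exit code 100 with the threat name Win.Test.EICAR_HDB-1 for the infected sample and exit code 0 with no threat for the clean one. The separate exit code 2 for unrecognizable output is the point worth keeping if you adapt the real script to a less common ICAP server: a scan that failed to run should never be reported as clean.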