Enabling virus scanning on a first server in a domain
There are several steps necessary to enable virus scanning for the first time in a Domino domain. Thereafter, it is much simpler to enable virus scanning on additional servers in the domain.
Overview
You run the mailscan task on the first server in order to create the cscancfg.nsf database which will hold the configuration data for the virus scanning feature. You should let the mailscan task do this creation because it creates a domain replica with correct permissions and settings. After creating cscancfg.nsf, mailscan will exit because the first server will by definition not yet have any configuration. The next step is to create a configuration document in cscancfg.nsf which specifies information about the ICAP server and how you want Domino to handle viruses. As part of creating the configuration document, you import the ICAP server's TLS certificate into certstore.nsf and reference that certificate in your configuration document. Then you create a server document in cscancfg.nsf which selects the configuration document you just created, and defines a few server-specific settings such as console logging level. Finally, you run the mailscan task again. This time it reads the server's configuration data and starts its cooperation with the router task to scan messages before they are routed.
Running mailscan for the first time to create cscancfg.nsf
- Identify which server is the administration server of your Domino domain and assure Domino is up and running on that server.
- Choose a first server to configure. It should be a mail server or a server that routes mail, that is, one that runs the router task.
- On that server, issue the console command
load mailscan
.The mailscan task starts up, creates cscancfg.nsf on the administration server, creates a replica on the current server, and shuts down.
Tip: You can ignore any error messages that mailscan prints at this time, as the errors are because there isn't yet a configuration for your server.
Creating a configuration document in cscancfg.nsf
A configuration document defines two major sets of data. The Mail Scan tab contains settings that customize how Domino handles messages containing viruses. The Scan Config tab contains settings that define specifics about the ICAP server and the TLS certificate it uses to assure a secure connection. Depending on the needs of your organization, you may create just a single configuration document or several of them. In a simple Domino domain with a limited number of mail servers and routers, a single ICAP server may be able to manage the load. In more complex environments, multiple ICAP servers may be needed. If your domain is geographically dispersed, you may wish to have at least one ICAP server in each geography. In those cases, you create multiple configuration documents, one for each ICAP server. Another possible case for multiple configuration documents is if, for some reason, you want different mail servers to be customized differently in how they handle viruses.
Create a server document in cscancfg.nsf
A server gets most of its configuration data from a configuration document. However, there are a few settings that are specific to each server, which is the reason for server documents. You create a server document that references a configuration document by name, and defines a few other settings such as whether virus scanning is Enabled or Disabled on the server, its logging level, and whether to log to a file instead of console.log.
Running mailscan
Now that you have a configuration defined for your first server, you are ready to start virus scanning on the server.
- Verify that the server runs the router task. Virus scanning is done by in conjunction with the router.
- Add mailscan to the ServerTasks notes.ini variable for your server, to assure the task will start up automatically when Domino starts.
- Issue the command
load mailscan
to load the mailscan task and initiate virus scanning. - See Troubleshooting virus scanning for statistics that you can monitor to verify the feature is operating correctly.