The MTA delivers a mail in which the virus scanner finds nothing. The mail gets delivered. Some time later there is a scanner update. Now the scanner would find malicious content. So I may either instantly scan the complete mailstore each time a new pattern arrives, or scan only each accessed mail with the latest pattern. The latter seems smarter to me. For this scenario I would like to see a concept for data inspection/data modification in Dovecot. What about Dovecot acting as a milter client? Sounds strange, but the problems are the same, so why not use existing solutions?
The problems are the same, but a milter has the duty to filter incoming mail. It's not a general mail-(content)-only filter. You want an IMAP/POP3 mail inspector; well, that's fine. There are in-between firewalls inspecting the contents of the routed connections. They understand POP3 and IMAP, as long as the traffic is not encrypted. Some can act as a proxy themselves and decrypt the connection. They work transparently. To solve the problem in Dovecot one needs to create an "iilter" (IMAP filter), aka a Dovecot plugin, which hands over the contents to the virus scanner and replaces the malicious part with a dummy value. However, because of caching in IMAP clients, doing so may not work as expected. That plugin could be derived from the zlib plugin, as it also has the duty to inspect the data on its way from the disk to the client and back. This won't work in Dovecot proxy mode, however, I guess.
I see a leakage with on-access virus scanning while using IMAP. Imagine users sharing mailboxes: one uploading malware via IMAP, others downloading it via IMAP. Another one is the above-mentioned virus scanner update. Scanning in the MUA is nice but can't deliver 99% certainty. I can't control every client. In my next setup there will be an SSL/SASL-only configuration. So proxies will have problems and are one more possible point of failure (and need maintenance).
The only solution I see for this is a general AV daemon or something like dazuko to scan all disk activity. Weekly scans of the whole filesystem are useful anyway. Or some Dovecot filter plugin.
Sven
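The "scan each accessed mail with the latest pattern" scheme from the first post, played through on a Maildir, as an added example. This is not code from the thread, from Dovecot, or from any existing plugin. It assumes the mailstore is a plain Maildir handled with Python's mailbox module, that the "scanner" is a constructed substring matcher whose SIGNATURES table stands in for real signature updates (the patterns are hypothetical, not real malware signatures), and that a per-message stamp in a JSON sidecar file records which signature version each message was last checked with. A fetch under a newer version rescans the message first and hands the client a dummy body when it is now flagged; a fetch under the stamped version costs nothing extra.

```python
"""Rescan-on-access for a Maildir (added illustration, not Dovecot code).

Assumptions: Maildir store via Python's mailbox module; SIGNATURES is a
constructed stand-in for real scanner updates; scan stamps live in a JSON
sidecar next to the Maildir directories.
"""
import json
import mailbox
import os
import tempfile

# Constructed signature sets keyed by version (hypothetical strings,
# not real malware signatures). Version 2 "learns" a second pattern.
SIGNATURES = {
    1: [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"],
    2: [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE", b"X-DEMO-DROPPER"],
}

# What the client is served instead of a message flagged on (re)scan.
DUMMY_BODY = (b"From: postmaster@example.invalid\n"
              b"Subject: [quarantined] message removed by on-access scan\n"
              b"\nThe original content was flagged after a signature update.\n")


def scan_with(version, raw):
    """Stand-in for calling the virus scanner with a given signature set."""
    return any(pat in raw for pat in SIGNATURES[version])


class OnAccessStore:
    """Maildir plus a sidecar file recording which signature version each
    message was last scanned with and whether it was flagged."""

    def __init__(self, path):
        self.box = mailbox.Maildir(path, create=True)
        self.state_path = os.path.join(path, "scan-state.json")
        self.state = {}
        if os.path.exists(self.state_path):
            with open(self.state_path) as fh:
                self.state = json.load(fh)
        self.rescans = 0  # how many lazy rescans fetch() has triggered

    def _stamp(self, key, version, raw):
        """Scan raw with the given version and persist the result."""
        self.state[key] = {"version": version, "flagged": scan_with(version, raw)}
        with open(self.state_path, "w") as fh:
            json.dump(self.state, fh)
        return self.state[key]

    def store(self, raw, version):
        """Delivery by the MTA or an IMAP APPEND: scanned once with the
        signatures current at that moment, then stamped."""
        key = self.box.add(raw)
        return key, self._stamp(key, version, raw)["flagged"]

    def fetch(self, key, version):
        """Client access: rescan only if the stamp is older than the
        signatures now in effect, then serve the message or the dummy."""
        raw = self.box.get_bytes(key)
        stamp = self.state.get(key, {"version": 0, "flagged": False})
        if stamp["version"] < version:
            stamp = self._stamp(key, version, raw)
            self.rescans += 1
        return DUMMY_BODY if stamp["flagged"] else raw


def run_demo():
    """Play through the scenario from the thread; returns what a test can check."""
    with tempfile.TemporaryDirectory() as tmp:
        store = OnAccessStore(os.path.join(tmp, "Maildir"))
        # Constructed messages: one that only version-2 signatures catch, one clean.
        dropper = b"Subject: invoice\n\nsee attachment X-DEMO-DROPPER\n"
        clean = b"Subject: lunch\n\nnoon?\n"
        k_drop, flagged_at_delivery = store.store(dropper, version=1)
        k_clean, _ = store.store(clean, version=1)

        first_read = store.fetch(k_drop, version=1)    # stamp current, no rescan
        after_update = store.fetch(k_drop, version=2)  # rescan, now flagged
        again = store.fetch(k_drop, version=2)         # stamp current, no rescan
        clean_read = store.fetch(k_clean, version=2)   # rescanned once, still clean
        return {
            "flagged_at_delivery": flagged_at_delivery,
            "first_read_is_original": first_read == dropper,
            "served_dummy_after_update": after_update == DUMMY_BODY,
            "served_dummy_again": again == DUMMY_BODY,
            "clean_still_served": clean_read == clean,
            "rescans": store.rescans,
        }


if __name__ == "__main__":
    print(run_demo())
```

Two limits of this approach show up directly in the code and match the objections raised in the thread: a message nobody fetches is never rescanned (which is why a periodic full sweep is still wanted), and a client that already cached the original body at the first read will not see the dummy served after the update.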