[Dovecot] Just in time AV scanning
I'm curious if anyone has any plugins for AV integration directly into dovecot.
Our old pop servers have been scanning messages as they're moved from new->cur in the inbox and, at least where users aren't popping every few seconds, there is occasionally enough time between scanning through the MXs to message retrieval to snag a few more viruses with updated definitions before they reach customers.
Anyone doing anything similar?
-- Kelsey Cummings - kgc@corp.sonic.net sonic.net, inc. System Architect 2260 Apollo Way 707.522.1000 Santa Rosa, CA 95407
On Wed, 2012-03-14 at 16:51 -0700, Kelsey Cummings wrote:
> I'm curious if anyone has any plugins for AV integration directly into dovecot.
> Our old pop servers have been scanning messages as they're moved from new->cur in the inbox and, at least where users aren't popping every few seconds, there is occasionally enough time between scanning through the MXs to message retrieval to snag a few more viruses with updated definitions before they reach customers.
> Anyone doing anything similar?
http://dovecot.org/patches/2.1/mail-filter.tar.gz allows you to run a script that modifies a mail while it's being read. You could make it run a virus check, and if that happens you could change the virus MIME part to be full of spaces (better not to change message size, line count or MIME structure).
On 15/03/2012 10:33, Timo Sirainen wrote:
> On Wed, 2012-03-14 at 16:51 -0700, Kelsey Cummings wrote:
>> I'm curious if anyone has any plugins for AV integration directly into dovecot.
>> Our old pop servers have been scanning messages as they're moved from new->cur in the inbox and, at least where users aren't popping every few seconds, there is occasionally enough time between scanning through the MXs to message retrieval to snag a few more viruses with updated definitions before they reach customers.
>> Anyone doing anything similar?
> http://dovecot.org/patches/2.1/mail-filter.tar.gz allows you to run a script that modifies a mail while it's being read. You could make it run a virus check, and if that happens you could change the virus MIME part to be full of spaces (better not to change message size, line count or MIME structure).
Couple of other ideas:
- Could use one of the (buggy and variously unsupported) on-access virus scanners. I think Dazuko is now abandoned, but this is a new one mentioned via the ClamAV site: http://www.fsl.cs.sunysb.edu/docs/avfs-security04/index.html
- Extremely racy, but if you were on maildir you could use some kind of pre-login scripting to kick off a scan on login. Touch some lock file so that you can tell when last scanned and only scan if the definitions have been updated since you last scanned?
- There are some POP proxies which offer inline virus scanning. Could place one in front of your mail server. Presumably this will expose you to all the bugs in that proxy...
Good luck
Ed W
On 03/16/12 08:30, Ed W wrote:
> - Extremely racy, but if you were on maildir you could use some kind of pre-login scripting to kick off a scan on login. Touch some lock file so that you can tell when last scanned and only scan if the definitions have been updated since you last scanned?
I think this is actually the best solution to match our existing POP behavior. This was a lot cooler back when 90% of our users were on POP and on average had a couple of hours between checks - it may be a feature that has outlived its usefulness.
Still need to take a look at Timo's patch set.
-K
On 16.3.2012, at 19.52, Kelsey Cummings wrote:
> On 03/16/12 08:30, Ed W wrote:
>> - Extremely racy, but if you were on maildir you could use some kind of pre-login scripting to kick off a scan on login. Touch some lock file so that you can tell when last scanned and only scan if the definitions have been updated since you last scanned?
> I think this is actually the best solution to match our existing POP behavior. This was a lot cooler back when 90% of our users were on POP and on average had a couple of hours between checks - it may be a feature that has outlived its usefulness.
Whatever you do: Don't modify existing message files (without renaming them so they appear as new mails). IMAP (and Dovecot) require that messages never change.
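One way to implement the login-time rescan Ed W suggests while respecting Timo's rule that message files are never rewritten in place. This is an added example, not code from the thread or from Dovecot. The stamp file name, the quarantine directory, the `DEFS_DIR` default and the choice to move infected files out whole are assumptions.

```shell
#!/bin/sh
# Added example: rescan a Maildir at login only when the AV definitions are
# newer than the last completed scan. All paths below are assumptions.
DEFS_DIR="${DEFS_DIR:-/var/lib/clamav}"       # assumed definitions directory
SCANNER="${SCANNER:-clamscan --no-summary}"   # clamscan exits 1 when infected
STAMP_NAME="av-last-scan"                     # hypothetical stamp file name

# needs_scan MAILDIR: succeeds if never scanned or definitions changed since.
needs_scan() {
    stamp="$1/$STAMP_NAME"
    [ -f "$stamp" ] || return 0
    [ -n "$(find "$DEFS_DIR" -type f -newer "$stamp" 2>/dev/null | head -n 1)" ]
}

# scan_maildir MAILDIR QUARANTINE: prints how many messages were quarantined.
scan_maildir() {
    md="$1"; qdir="$2"; hits=0
    mkdir -p "$qdir" || return 1
    # Take the timestamp before scanning, so a definition update that lands
    # mid-scan still triggers a rescan at the next login.
    touch "$md/$STAMP_NAME.tmp" || return 1
    for f in "$md"/new/* "$md"/cur/*; do
        [ -f "$f" ] || continue
        rc=0; $SCANNER "$f" >/dev/null 2>&1 || rc=$?
        if [ "$rc" -eq 1 ]; then
            # Move the whole file out (same filesystem keeps this a rename);
            # the message content is never edited in place.
            mv "$f" "$qdir/" && hits=$((hits + 1))
        fi
    done
    mv "$md/$STAMP_NAME.tmp" "$md/$STAMP_NAME"
    echo "$hits"
}

# rescan_if_stale MAILDIR QUARANTINE: entry point for a login hook.
rescan_if_stale() {
    if needs_scan "$1"; then scan_maildir "$1" "$2"; else echo skipped; fi
}

# Run directly as: script MAILDIR QUARANTINE
if [ "$#" -eq 2 ]; then rescan_if_stale "$1" "$2"; fi
```

The race Ed W mentions remains: mail delivered or read while the loop runs can be missed until the next definition update.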
participants (3): Ed W, Kelsey Cummings, Timo Sirainen