[Dovecot] Virusscanning

Sven spamagent at gmx.de
Wed Apr 14 13:41:34 EEST 2010


>> MTA delivers a mail where the virus scanner finds nothing. Mail gets 
>> delivered.
>> Some time later there is a scanner update. Now the scanner would find 
>> malicious content.
>> So I may instantly scan the complete mail store each time a new 
>> pattern arrives
>> or scan only each accessed mail with the latest pattern. This seems 
>> smarter to me.
>> For this scenario I would like to see a concept for 
>> data inspection/data modification in Dovecot.
>> What about Dovecot acting as a milter client?
>> Sounds strange, but the problems are the same, so why not use existing 
>> solutions?
>
> The problems are the same, but a milter has the duty to filter 
> incoming mail. It's not a general mail-(content)-only filter.
> You want an IMAP/POP3 mail inspector; well, that's fine. There are 
> in-between firewalls inspecting the contents of the routed connections. 
> They understand POP3 and IMAP, as long as it is not encrypted. Some 
> can act as a proxy themselves and decrypt the connection. They work 
> transparently.
> To solve the problem in Dovecot one needs to create an "iilter" (IMAP 
> filter), aka a Dovecot plugin, which hands over the contents to the 
> virus scanner and replaces the malicious part with a dummy value. 
> However, because of caching in IMAP clients, doing so may not work as 
> expected.
> That plugin could be derived from the zlib plugin, as it also has the 
> duty to inspect the data on its flow from the disk to the client and 
> back. This won't work in Dovecot proxy mode, however, I guess.

I see a leakage with on-access virus scanning while using IMAP. Imagine 
users are sharing mailboxes, one uploading malware via IMAP, others 
downloading it via IMAP.
Another one is the above-mentioned virus scanner update.
Scanning in the MUA is nice but can't deliver 99% sureness. I can't 
control every client.
In my next setup there will be an SSL/SASL-only configuration. So proxies 
will have problems and are one more possible point of failure (and need 
maintenance).

The only solution I see for this is a general AV daemon or something 
like dazuko to scan all disk activity. Weekly scans of the whole 
filesystem are useful anyway.
Or some Dovecot filter plugin.

Sven
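The quoted reply sketches an "iilter": on each access, hand the stored message to the scanner with the current signature set and replace a matching part with a dummy value. The following Python script is an added example that models that flow end to end; it is not Dovecot code (Dovecot plugins are written in C) and it does not call a real scanner. The signature sets, marker strings, placeholder text and the sample message are all constructed for the example, and the second signature set stands in for the "scanner update" that arrives after delivery.

```python
"""Model of the on-access 'iilter' idea from the thread (added example, not Dovecot code):
parse a stored message, scan every leaf MIME part with the current signature set, and
replace matching parts with a placeholder. All signatures and sample data are constructed."""
import email
from email import policy
from email.message import EmailMessage

# Constructed signature sets: one byte pattern per "definition". A real deployment would
# hand the decoded part to clamd or similar here. SIGNATURES_V2 models the later scanner
# update described in the thread: definition B did not exist at delivery time.
SIGNATURES_V1 = {"test-sig-A": b"CONSTRUCTED-MARKER-A"}
SIGNATURES_V2 = {**SIGNATURES_V1, "test-sig-B": b"CONSTRUCTED-MARKER-B"}

PLACEHOLDER = "[attachment removed: matched signature {name}]"


def find_matches(part_bytes: bytes, signatures: dict) -> list:
    """Return the names of all signatures whose pattern occurs in the decoded part."""
    return [name for name, pattern in signatures.items() if pattern in part_bytes]


def scan_on_access(raw: bytes, signatures: dict) -> tuple:
    """Scan raw RFC 5322 bytes with the given signature set on access.

    Every leaf MIME part is decoded (base64/quoted-printable undone) and matched;
    matching parts are replaced in place by a text/plain placeholder so the client
    receives a sanitised message. Returns (rewritten_bytes, hits), where hits is a
    list of (filename, [signature names]) for the parts that were replaced.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""
        matched = find_matches(payload, signatures)
        if not matched:
            continue
        hits.append((part.get_filename(), matched))
        # Drop the body and its Content-* headers (including the attachment
        # disposition); other headers on the part are kept.
        part.clear_content()
        part.set_content(PLACEHOLDER.format(name=",".join(matched)))
    return msg.as_bytes(), hits


def build_sample_message() -> bytes:
    """Constructed sample: a text body plus a binary attachment carrying marker B only,
    so the delivery-time signature set misses it and the updated set catches it."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "shared-folder@example.invalid"
    msg["Subject"] = "quarterly figures"
    msg.set_content("see attached")
    msg.add_attachment(b"PK-like-header CONSTRUCTED-MARKER-B trailing bytes",
                       maintype="application", subtype="octet-stream",
                       filename="figures.zip")
    return msg.as_bytes()


def demo() -> tuple:
    """Run the thread's scenario: clean at delivery, caught on a later access."""
    raw = build_sample_message()
    _, hits_at_delivery = scan_on_access(raw, SIGNATURES_V1)   # scanner finds nothing
    rewritten, hits_after_update = scan_on_access(raw, SIGNATURES_V2)  # update arrives
    return hits_at_delivery, hits_after_update, rewritten


if __name__ == "__main__":
    at_delivery, after_update, sanitised = demo()
    print("delivery-time scan:", at_delivery)
    print("scan after update: ", after_update)
    print(sanitised.decode())
```

The replacement changes the message's size and MIME structure, which is the caching problem the reply points at: IMAP treats a message under a given UID as immutable, so a client that fetched the original before the scanner update keeps its cached copy, and a server-side filter would have to re-append the sanitised message under a new UID (and expunge the old one) rather than silently serve different bytes for the same UID.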

