Virus scan + removal on a mdbox mail storage

David Pottage david at chrestomanci.org
Wed Feb 20 16:56:51 EET 2019


On 2019-02-20 01:46, Christoph Haas via dovecot wrote:
> I need advice on how virus scan and removal can be done on a _mdbox_
> mail storage?
> 
> On a maildir storage the virus scanner (e.g. clamav etc.) can detect
> and remove an email that is infected, since every email and attachment
> are stored in separate files.
> 
> But in mdbox the emails and attachments are compressed together in one
> or more mdbox-files ...
> 
> I am anxious to convert my mail storage for virus scanning into
> maildir format, since I don't know if a virus or crypto trojan can be
> activated with this converting action =:-o

To clarify: You want to convert your mail storage from mdbox to maildir, 
but you want to scan for viruses first?

You are doing things in the wrong order.

Firstly, converting mail storage format is very unlikely to trigger a 
virus. For that to happen the virus author would need to find and write 
an exploit for dovecot that will trick it into treating email as 
executable code. While not impossible, that is quite unlikely because 
there is no normal situation where dovecot will execute email as code. 
Also it is unlikely that a virus writer will target dovecot when 
Microsoft Exchange is much more common and would be a higher value 
target.

Secondly, as a rule you want to scan email for viruses as it arrives and 
leaves, not when it is at rest in user mailboxes. Again, it is possible 
that a new virus will be discovered some time after the email arrives, so 
a retrospective scan would find it, but that won't help you much because 
most users read their email and open attachments soon after the email 
arrives.

So my advice is to do the conversion to maildir now, then scan all the 
files as a one-off, and going forward you should configure your email 
transport daemon (postfix, exim etc.) to pass incoming (and possibly 
outgoing) email through clamav.

-- 
David Pottage
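
The one-off scan of a converted maildir suggested above, as an added example that is not part of the original post or of Dovecot: it walks the `new/` and `cur/` directories of a Maildir, runs each message file through `clamscan`, and moves hits to a quarantine directory instead of deleting them. The function names and the quarantine layout are assumptions; `is_infected` can be swapped for any per-file scanner.

```python
import os
import shutil
import subprocess
from pathlib import Path


def clamscan(path):
    """Return True if clamscan reports the file as infected."""
    result = subprocess.run(["clamscan", "--no-summary", str(path)],
                            capture_output=True, text=True)
    # clamscan exit codes: 0 = clean, 1 = virus found, 2 = error.
    if result.returncode not in (0, 1):
        raise RuntimeError(f"clamscan failed on {path}: {result.stderr.strip()}")
    return result.returncode == 1


def maildir_messages(root):
    """Yield message files in new/ and cur/ of a Maildir and its subfolders."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        # Skip tmp/ (deliveries in progress) and index/control files.
        if os.path.basename(dirpath) in ("new", "cur"):
            for name in sorted(filenames):
                yield Path(dirpath) / name


def scan_maildir(root, quarantine, is_infected=clamscan):
    """Quarantine infected messages; return (number scanned, moved paths).

    The quarantine directory must be outside the Maildir (assumption).
    """
    quarantine = Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    moved = []
    messages = list(maildir_messages(root))  # snapshot before moving files
    for msg in messages:
        if is_infected(msg):
            target = quarantine / msg.name
            shutil.move(str(msg), str(target))
            moved.append(target)
    return len(messages), moved


if __name__ == "__main__":
    import sys
    scanned, moved = scan_maildir(sys.argv[1], sys.argv[2])
    print(f"scanned {scanned} messages, quarantined {len(moved)}")
    for path in moved:
        print(path)
```

A scanner error raises instead of counting the message as clean, so a broken ClamAV install cannot produce a false all-clear.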

