The MTA delivers a mail in which the virus scanner finds nothing. The mail
gets delivered.
Some time later there is a scanner update. Now the scanner would find
malicious content.
So I may either instantly scan the complete mail store each time a new
pattern arrives, or scan only each accessed mail with the latest pattern.
The latter seems smarter to me.
For this scenario I would like to see a concept for data inspection /
data modification in Dovecot.
What about Dovecot acting as a milter client?
Sounds strange, but the problems are the same, so why not use existing
solutions?
The problems are the same, but a milter has the duty to filter
incoming mail. It's not a general mail-(content)-only filter.
You want an IMAP/POP3 mail inspector, well, that's fine. There are
in-between firewalls inspecting the contents of the routed connections.
They understand POP3 and IMAP, as long as it is not encrypted. Some
can act as proxies themselves and decrypt the connection. They work
transparently.
To solve the problem in Dovecot one needs to create an "iilter" (IMAP
filter), aka a Dovecot plugin, which hands over the contents to the
virus scanner and replaces the malicious part with a dummy value.
However, because of caching in IMAP clients, doing so may not work as
expected.
That plugin could be derived from the zlib plugin, as it also has the
duty to inspect the data on its way from the disk to the client and
back. This won't work in Dovecot proxy mode, however, I guess.
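As an added illustration of the approach discussed above (an editor's example, not code from the thread or from Dovecot): scan each message only when a client accesses it, keep the verdict keyed to the signature version that produced it so a signature update makes the cached verdict stale without triggering a bulk rescan, and replace a detected MIME part with a placeholder in the copy handed to the client while leaving the stored message untouched. The "signature database" is a constructed toy pattern list standing in for a real AV engine, and the sample mail is constructed; names such as `OnAccessScanner` and `SignatureDB` are assumptions made for this example.

```python
"""Added example: on-access MIME inspection keyed to the scanner's signature version.

Nothing is rescanned in bulk when signatures update; each message is (re)scanned
when a client fetches it, and only if the cached verdict is older than the current
signature set. Detected parts are replaced with a placeholder in the served copy.
The SignatureDB below is a constructed toy, not a real AV engine.
"""
import email
import email.policy
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple

POLICY = email.policy.default


@dataclass
class SignatureDB:
    """Toy pattern set (constructed). A real deployment would call an AV daemon."""
    version: int
    patterns: Dict[str, bytes]  # signature name -> byte pattern

    def scan(self, data: bytes) -> Optional[str]:
        for name, needle in self.patterns.items():
            if needle in data:
                return name
        return None


@dataclass
class OnAccessScanner:
    db: SignatureDB
    # message uid -> (signature version used, sanitized bytes, detections)
    cache: Dict[str, Tuple[int, bytes, List[str]]] = field(default_factory=dict)
    scans_performed: int = 0

    def update_signatures(self, db: SignatureDB) -> None:
        """New pattern set: cached verdicts become stale but are not recomputed eagerly."""
        self.db = db

    def fetch(self, uid: str, stored: bytes) -> Tuple[bytes, List[str]]:
        """Called on every client access; `stored` is the message as it sits on disk."""
        hit = self.cache.get(uid)
        if hit is not None and hit[0] == self.db.version:
            return hit[1], hit[2]  # verdict is current, serve the cached copy
        sanitized, detections = self._scan_and_rewrite(stored)
        self.cache[uid] = (self.db.version, sanitized, detections)
        return sanitized, detections

    def _scan_and_rewrite(self, stored: bytes) -> Tuple[bytes, List[str]]:
        """Scan every leaf MIME part; replace detected ones with a text placeholder."""
        self.scans_performed += 1
        msg = email.message_from_bytes(stored, policy=POLICY)
        detections: List[str] = []
        leaves = [p for p in msg.walk() if not p.is_multipart()]
        for part in leaves:
            payload = part.get_payload(decode=True) or b""  # decoded, as the client would see it
            verdict = self.db.scan(payload)
            if verdict is None:
                continue
            detections.append(verdict)
            filename = part.get_filename() or "(inline part)"
            # set_content() drops the old Content-* headers and payload of this part only
            part.set_content(
                f"[{filename} removed: {verdict} detected by signature set "
                f"v{self.db.version}]"
            )
        return msg.as_bytes(), detections


def decoded_leaf_payloads(raw: bytes) -> List[bytes]:
    """Decoded bodies of all non-multipart parts, i.e. what a client would render."""
    msg = email.message_from_bytes(raw, policy=POLICY)
    return [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]


def build_sample_message() -> bytes:
    """Constructed test mail: harmless text plus an attachment carrying a marker string."""
    msg = EmailMessage(policy=POLICY)
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(
        b"MZ\x90\x00 ... EVIL-SAMPLE-MARKER ...",  # constructed, not real malware
        maintype="application",
        subtype="octet-stream",
        filename="invoice.exe",
    )
    return msg.as_bytes()


def demo() -> Tuple[List[str], List[str], int]:
    """Returns (detections before the signature update, after it, scans performed)."""
    stored = build_sample_message()
    scanner = OnAccessScanner(SignatureDB(version=1, patterns={}))
    _, before = scanner.fetch("uid-1", stored)  # delivered clean: pattern not known yet
    scanner.fetch("uid-1", stored)              # cache hit, no rescan
    scanner.update_signatures(
        SignatureDB(version=2, patterns={"Test.Marker": b"EVIL-SAMPLE-MARKER"})
    )
    _, after = scanner.fetch("uid-1", stored)   # stale verdict -> rescan with v2
    return before, after, scanner.scans_performed
```

The cache holds the sanitized copy, not the stored message, so the on-disk mail is never modified; this is also why the client-side caching caveat from the thread applies: a client that cached the attachment before the signature update will keep its copy regardless of what the server serves afterwards.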
I see a leak with on-access virus scanning while using IMAP. Imagine
users are sharing mailboxes, one uploading malware via IMAP, others
downloading it via IMAP.
Another one is the above-mentioned virus scanner update.
Scanning in the MUA is nice but can't deliver 99% certainty. I can't
control every client.
In my next setup there will be an SSL/SASL-only configuration. So proxies
will have problems and are one more possible point of failure (and need
maintenance).
The only solution I see for this is a general AV daemon or something
like dazuko to scan all disk activity. Weekly scans of the whole
filesystem are useful anyway.
Or some Dovecot filter plugin.
Sven