On 09.11.2016 23:36, Brad Koehn wrote:
> I have discovered that many times the virus definitions I use for scanning
> messages (ClamAV, with the unofficial signatures
> http://sanesecurity.com/usage/linux-scripts/) are updated some time after my
> server has received an infected email. It seems the virus creators are trying
> to race the virus definition creators to see who can deliver first; more than
> half of the infected messages are found after they’ve been delivered. Great.
>
> To help detect and remove the infected messages after they’ve been delivered
> to users’ mailboxes, I created a small script that iterates the INBOX and
> Junk mailbox directories, scans recent messages for viruses, and deletes them
> if found. The source of my script (run via cron) is here:
> https://gitlab.koehn.com/snippets/9
>
> Unfortunately Dovecot doesn’t like it if messages are deleted (dbox) out from
> under it. I tried a doveadm force-resync on the folder containing the
> messages, but it seems Dovecot is still unhappy. At least on the new version
> (2.2.26.0) it doesn’t crash; 2.2.25 would panic and coredump when it
> discovered messages had been deleted.
>
> I’m wondering if there’s a better way to scan recent messages and eradicate
> them so the Dovecot isn’t upset when it happens. Maybe using doveadm search?
> Looking for suggestions.

The removal should if possible be done with the doveadm cli tool or using the doveadm http api.

br,
Teemu Huovila

>
> ---
> Brad
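
One way to do the rescan and removal entirely through the doveadm CLI, so that Dovecot's dbox indexes stay consistent. This is an added example, not part of either message and not Brad's script; it assumes `doveadm` and `clamdscan` are on PATH, and the function names, the user, the mailbox and the time window are placeholders.

```shell
#!/bin/sh
# Added example: rescan recently saved mail and remove infected messages via
# doveadm instead of deleting dbox files on disk.
# Assumptions: doveadm and clamdscan on PATH; is_infected/rescan_mailbox are
# illustrative names chosen for this example.

# is_infected USER GUID UID -> returns 0 only when the scanner reports a hit.
is_infected() {
    rc=0
    # Assumed default output of "doveadm fetch ... text": a leading "text:"
    # label line before the message; drop it before scanning.
    doveadm fetch -u "$1" text mailbox-guid "$2" uid "$3" </dev/null \
        | sed '1{/^text:$/d;}' \
        | clamdscan --no-summary - >/dev/null 2>&1 || rc=$?
    # clamdscan exit codes: 0 = clean, 1 = virus found, 2 = error.
    # An error is treated as "not infected" so a broken scanner never
    # causes mail to be expunged.
    [ "$rc" -eq 1 ]
}

# rescan_mailbox USER MAILBOX SINCE -> prints the number of expunged messages.
rescan_mailbox() {
    user=$1 mailbox=$2 since=$3 removed=0
    # doveadm search prints one "mailbox-guid uid" pair per matching message.
    hits=$(doveadm search -u "$user" mailbox "$mailbox" savedsince "$since")
    while read -r guid uid; do
        [ -n "$guid" ] || continue
        if is_infected "$user" "$guid" "$uid"; then
            # Expunge through Dovecot so indexes and caches are updated.
            doveadm expunge -u "$user" mailbox-guid "$guid" uid "$uid" \
                </dev/null && removed=$((removed + 1))
        fi
    done <<EOF
$hits
EOF
    echo "$removed"
}

# Stand-alone use from cron, e.g.: rescan.sh bob INBOX 2d
if [ "$#" -ge 3 ]; then
    rescan_mailbox "$1" "$2" "$3"
fi
```

Addressing each message by mailbox GUID and UID keeps the expunge tied to exactly the message that was scanned, even if new mail arrives between the search and the removal.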