ClamAV - Parsing An IMAP Store

Currently my mail-server accepts email for our end-users, pipes it through PROCMAIL and ClamAV.  

It's an IMAP server - thus the end-result for each IMAP-folder (inbox)  is just a huge ascii file.

ClamAV handles the incoming messages just fine - then/when PROCMail puts the infected email into a quarantined folder once ClamAV appends a new header.

Though, an end-user can copy an email BACK into their IMAP folder (messages) which could contain a virus or trojan by cutting/pasting onto their email files using their client. Thus, it's not parsed back through the PROCMail script and not parsed through ClamAV.

Is there a way to pipe an entire IMAP email store (the message(s) ALL of them) back through to ClamAV  - and have it display which email contain(ed) a trojan or virus?

Hope that makes sense.
Who is Participating?
nociConnect With a Mentor Software EngineerCommented:
Your question makes sense but...

the mail chain is as follows:

MUA -{smtp}->  MTA -{smtp}-> MTA .... MTA -{smtp/lmtp}-> MDA -{smtp/lmtp/pipe}-> Store <-{pop/imap}-> MUA.

MUA = mail user agent [ Outlook,
MTA = mail transfer agent [ Exim, Postfix, Qmail, Courier, Sendmail ]
MDA = mail delivery agent [ Procmail,  almost every MTA is also capable as MDA. ]
Store = [ some kind of storage, mailfile [ exim, postfix, sendmail ] like you have, maildir [ qmail, courier, exim, postfix ] or some database [ cyrus ].

This also shows why mail is not handled by the MDA again, it passes there only once.
all other transactions are between the MUA & the Store.

In the case of maildir's all mails are in individial files, and can be scanned as such. In all other cases you need tooling to retrieve all mails from a mail folder & then scan it.

So maybe you realy want to look into maildir storage solutions. The mails can then be parsed on the mailstore  host.
I don't use pro mail so I can't say if there are other data structures associated with each inbox. But to do what you want you will need a tolol that opens each users INBOX, breaks the store into messages, and sends that message through clamav. Care would have to be taken to ensure that the user's mail store is locked while scanning.

What makes more sense to me is to impose the virus scanner between sendmail and the world. That way messages in or out bound are scanned. In a sense it doesn't if a user with a virus infected computer pushes a message back to the server that has been infected as long as that message goes no further.
BillFinkNCAuthor Commented:
It's the tool that you mention that I'm looking for.

Grab the inbox, parse each message sending it back through ClamAV, and having it display which particular message contain(ed) the virus. ClamAV scans the ENTIRE file, though.

As far as where the AV parses the email inbound, it's working like a charm. Hence, the use of  a Procmail recipe. - Scans it incoming, puts the email aside (in my case I just have it deleted/dev-null when it detects a trojan or a virus) and the user never knows.

It's the end-user that copies emails from a different source and puts an infected email back on top of their mailboxes using their email clietn software that I have no control over.

Each night, I DO scan their entire message folders, but due to IMAP just having one great big ASCII file, does ClamAV report there's a virus ... back to square one.

I hope all this makes sense. - as in your post, it's the "tool" that you're referring to that I'm looking for. Any help???
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

BillFinkNCAuthor Commented:
Picture this, a user has two mail-accounts, one personal one work, and is using Outlook as their email client.

They copy one email from their "personal" account (that's not controlled by or scanned by their work-server) by cutting/pasting a copy of an email from that account on-top (inside) of their "work email" folder.

Each/every one of their "folders as displayed in Outlook" are really just ONE great big huge ASCII file, each individual email is merely parsed by the IMAP server, separated by the "From" information in the header(s).

Relying on them to scan their "personal" email is a never ending battle, eh!??!

I need something that I can execute on our Unix host (FreeBSD) to help with. Sorry for any further confusion, I know I simply need to parse their IMAP files with the ability to distinguish each email, and then remove the offending email putting BACK the rest of their emails.

Storage, processing, access is not an issue.
nociConnect With a Mentor Software EngineerCommented:
If you use a MailDir based mail solution the user won't notice the difference [ they just see IMAP ], on the server you can run clamav jobs that scan all MailFolders regularly.

There are no IMAP files, IMAP is a network protocol.
So i suggest you look into courier-imap, or dovecot used in maildir mode.  with maildir's each MAIL-Message has it's own separate file.
BillFinkNCAuthor Commented:
I've requested that this question be deleted for the following reason:

nociSoftware EngineerCommented:
imho you get a decent answer, delete is not the way to react to that.
If you have problems with specific parts of an answer please ask on about those details.
nociSoftware EngineerCommented:
see last comment.
nociSoftware EngineerCommented:
The question shows that asker has no idea about the mail flow.., so that's explained.
and why mail is not rescanned when it is moved around folders.
Also an advise is given how to most effectively approach the scanning issue if that is still the perceived route. (Maildir storage allows for easy management of messages as files)

IMO, all my answers up to the DELETE seem relevant.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.