ClamAV - Parsing An IMAP Store

Posted on 2012-09-06
Last Modified: 2012-09-13
Currently my mail-server accepts email for our end-users, pipes it through PROCMAIL and ClamAV.  

It's an IMAP server - thus the end-result for each IMAP folder (inbox) is just a huge ASCII file.

ClamAV handles the incoming messages just fine - then/when PROCMail puts the infected email into a quarantined folder once ClamAV appends a new header.

Though, an end-user can copy an email BACK into their IMAP folder (messages) which could contain a virus or trojan by cutting/pasting onto their email files using their client. Thus, it's not parsed back through the PROCMail script and not parsed through ClamAV.

Is there a way to pipe an entire IMAP email store (ALL of the messages) back through ClamAV - and have it display which email contain(ed) a trojan or virus?

Hope that makes sense.
Question by: BillFinkNC
    LVL 40

    Expert Comment

    I don't use procmail so I can't say if there are other data structures associated with each inbox. But to do what you want you will need a tool that opens each user's INBOX, breaks the store into messages, and sends that message through clamav. Care would have to be taken to ensure that the user's mail store is locked while scanning.

    What makes more sense to me is to impose the virus scanner between sendmail and the world. That way messages inbound or outbound are scanned. In a sense it doesn't matter if a user with a virus-infected computer pushes a message back to the server that has been infected, as long as that message goes no further.

    Author Comment

    It's the tool that you mention that I'm looking for.

    Grab the inbox, parse each message sending it back through ClamAV, and having it display which particular message contain(ed) the virus. ClamAV scans the ENTIRE file, though.

    As far as where the AV parses the email inbound, it's working like a charm. Hence, the use of a Procmail recipe. - Scans it incoming, puts the email aside (in my case I just have it deleted/dev-null when it detects a trojan or a virus) and the user never knows.

    It's the end-user that copies emails from a different source and puts an infected email back on top of their mailboxes using their email client software that I have no control over.

    Each night, I DO scan their entire message folders, but due to IMAP just having one great big ASCII file, does ClamAV report there's a virus ... back to square one.

    I hope all this makes sense. - as in your post, it's the "tool" that you're referring to that I'm looking for. Any help???
    LVL 39

    Accepted Solution

    Your question makes sense but...

    the mail chain is as follows:

    MUA -{smtp}->  MTA -{smtp}-> MTA .... MTA -{smtp/lmtp}-> MDA -{smtp/lmtp/pipe}-> Store <-{pop/imap}-> MUA.

    MUA = mail user agent [ Outlook,
    MTA = mail transfer agent [ Exim, Postfix, Qmail, Courier, Sendmail ]
    MDA = mail delivery agent [ Procmail,  almost every MTA is also capable as MDA. ]
    Store = [ some kind of storage, mailfile [ exim, postfix, sendmail ] like you have, maildir [ qmail, courier, exim, postfix ] or some database [ cyrus ] ].

    This also shows why mail is not handled by the MDA again; it passes there only once.
    All other transactions are between the MUA & the Store.

    In the case of maildirs all mails are in individual files, and can be scanned as such. In all other cases you need tooling to retrieve all mails from a mail folder & then scan it.

    So maybe you really want to look into maildir storage solutions. The mails can then be parsed on the mailstore host.

    Author Comment

    Picture this, a user has two mail-accounts, one personal one work, and is using Outlook as their email client.

    They copy one email from their "personal" account (that's not controlled by or scanned by their work-server) by cutting/pasting a copy of an email from that account on-top (inside) of their "work email" folder.

    Each/every one of their "folders as displayed in Outlook" are really just ONE great big huge ASCII file, each individual email is merely parsed by the IMAP server, separated by the "From" information in the header(s).

    Relying on them to scan their "personal" email is a never ending battle, eh!??!

    I need something that I can execute on our Unix host (FreeBSD) to help with. Sorry for any further confusion, I know I simply need to parse their IMAP files with the ability to distinguish each email, and then remove the offending email putting BACK the rest of their emails.

    Storage, processing, access is not an issue.
    LVL 39

    Assisted Solution

    If you use a MailDir based mail solution the user won't notice the difference [ they just see IMAP ], on the server you can run clamav jobs that scan all MailFolders regularly.

    There are no IMAP files, IMAP is a network protocol.
    So I suggest you look into courier-imap, or dovecot used in maildir mode. With maildirs each MAIL-Message has its own separate file.
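
The tool the asker describes (open a folder, split it into messages, scan each one, pull the offending message out and put the rest back) and the maildir route suggested here both reduce to the same loop, so the following added example covers both; it is not code from this thread or from the ClamAV project. It uses Python's standard `mailbox` module to iterate an mbox file (the "one big ASCII file" the asker has) or a Maildir directory, feeds each message to `clamscan` on stdin, and moves flagged messages into a quarantine store. The sample folder, the `example.test` addresses and the `marker_scanner` stand-in (used when ClamAV is not installed) are constructed for the demo; the only real external call is `clamscan --no-summary -`, whose exit codes 0/1/2 mean clean/infected/error.

```python
#!/usr/bin/env python3
"""Added example: scan every message of an mbox or Maildir store with ClamAV
and quarantine the flagged ones. Not code from the thread or from ClamAV."""
import mailbox
import os
import shutil
import subprocess
import tempfile
from typing import Callable, Dict, List

Scanner = Callable[[bytes], bool]

# Constructed sample folder: three messages, the second carrying the EICAR test
# string, the standard harmless pattern that every AV engine detects.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SAMPLE_MBOX = (
    "From alice@example.test Thu Sep  6 10:00:00 2012\n"
    "From: alice@example.test\nSubject: lunch\nMessage-ID: <1@example.test>\n\n"
    "Noon works for me.\n\n"
    "From mallory@example.test Thu Sep  6 10:05:00 2012\n"
    "From: mallory@example.test\nSubject: invoice\nMessage-ID: <2@example.test>\n\n"
    + EICAR + "\n\n"
    "From carol@example.test Thu Sep  6 10:10:00 2012\n"
    "From: carol@example.test\nSubject: report\nMessage-ID: <3@example.test>\n\n"
    "Attached next week.\n\n"
)


def clamscan_bytes(data: bytes) -> bool:
    """Scan one message with clamscan, which reads stdin when the file name is '-'.
    Exit status 0 = clean, 1 = infected, 2 = error."""
    proc = subprocess.run(["clamscan", "--no-summary", "-"],
                          input=data, capture_output=True, check=False)
    if proc.returncode == 2:
        raise RuntimeError("clamscan failed: " + proc.stderr.decode(errors="replace"))
    return proc.returncode == 1


def marker_scanner(data: bytes) -> bool:
    """Stand-in scanner for hosts without ClamAV: flags only the EICAR marker."""
    return b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data


def open_store(path: str) -> mailbox.Mailbox:
    """An existing directory is treated as a Maildir, anything else as an mbox file."""
    return mailbox.Maildir(path) if os.path.isdir(path) else mailbox.mbox(path)


def scan_store(path: str, scanner: Scanner = clamscan_bytes) -> List[Dict[str, str]]:
    """Return key, Message-ID and Subject of every message the scanner flags."""
    box = open_store(path)
    box.lock()  # dot-lock + flock on mbox so the IMAP server cannot rewrite it under us
    try:
        return [{"key": str(key),
                 "message_id": msg.get("Message-ID", ""),
                 "subject": msg.get("Subject", "")}
                for key, msg in box.items() if scanner(msg.as_bytes())]
    finally:
        box.unlock()
        box.close()


def quarantine_store(path: str, quarantine_path: str,
                     scanner: Scanner = clamscan_bytes) -> Dict[str, int]:
    """Move flagged messages into the quarantine store; the clean ones are written back."""
    box = open_store(path)
    qbox = open_store(quarantine_path)
    box.lock()
    kept = moved = 0
    try:
        for key in list(box.keys()):
            msg = box[key]
            if scanner(msg.as_bytes()):
                qbox.add(msg)
                box.remove(key)
                moved += 1
            else:
                kept += 1
    except Exception:
        box.unlock()  # abandon without flushing, leaving the folder exactly as it was
        raise
    qbox.close()  # close() flushes the pending changes and releases the locks
    box.close()
    return {"kept": kept, "quarantined": moved}


def run_demo(scanner: Scanner = marker_scanner) -> Dict[str, object]:
    """Write the constructed folder to a temp dir, scan it, then quarantine it."""
    workdir = tempfile.mkdtemp(prefix="mboxscan-")
    inbox = os.path.join(workdir, "INBOX")
    with open(inbox, "w", encoding="ascii") as fh:
        fh.write(SAMPLE_MBOX)
    hits = scan_store(inbox, scanner)
    stats = quarantine_store(inbox, os.path.join(workdir, "quarantine"), scanner)
    after = mailbox.mbox(inbox)
    remaining = len(after)
    after.close()
    shutil.rmtree(workdir)
    return {"hits": hits, "stats": stats, "remaining": remaining}


if __name__ == "__main__":
    engine = clamscan_bytes if shutil.which("clamscan") else marker_scanner
    print(run_demo(engine))
```

Run it against a real folder with `scan_store("/var/mail/bill")` or, for a Maildir, `scan_store("/home/bill/Maildir/cur")`; swap `clamscan_bytes` for a `clamdscan`-based scanner when the daemon is running, since spawning `clamscan` per message reloads the signature database every time. The `lock()` call is the point the first expert raised: on an mbox the rewrite in `quarantine_store` replaces the whole file, so it must not race with the IMAP server's own writes (Maildir has no such problem, which is why the one-file-per-message layout is easier to police).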

    Author Comment

    I've requested that this question be deleted for the following reason:

    LVL 39

    Expert Comment

    IMHO you got a decent answer; delete is not the way to react to that.
    If you have problems with specific parts of an answer please ask about those details.
    LVL 39

    Expert Comment

    see last comment.
    LVL 39

    Expert Comment

    The question shows that the asker has no idea about the mail flow, so that's explained,
    and why mail is not rescanned when it is moved around folders.
    Also advice is given on how to most effectively approach the scanning issue if that is still the perceived route. (Maildir storage allows for easy management of messages as files.)

    IMO, all my answers up to the DELETE seem relevant.
