On 2019-02-20 19:02, Christoph Haas via dovecot wrote:
On 2019-02-20 01:46, Christoph Haas via dovecot wrote:
I need advice on how virus scan and removal can be done on a _mdbox_
mail storage?
On a maildir storage the virus scanner (e.g. clamav etc.) can detect
and remove a email that is infected, since every email and attachment
are stored in separate files.
But in mdbox the emails and attachments are compressed together in
one
ore more mdbox-files ...
I am anxious to convert my mail storage for virus scanning into
maildir format, since I don't know if a virus or crypto trojan con be
activated with this converting action =:-o
To clarify: You want to convert your mail storage from mdbox to
maildir, but you want to scan for viruses first?
NO! My mail storage is mdbox. And at the moment I have no intention to
convert it to Maildir!
[snip]
Could I ask why? maildir is a better storage format is almost every
respect.
You are doing things in the wrong order.
Firstly converting mail storage format is very unlikely to trigger a
virus. For that to happen the virus author would need to find and
write an exploit for dovecot that will trick it into treating email
as executable code. While not impossible that is quite unlikely
because there is no normal situation where dovecot will execute email
as code. Also it is unlikely that a virus writer will target dovecot
when Microsoft exchange is much more common and would be a higher
value target.
Secondly, as a rule you want to scan email for viruses as it arrives
and leaves, not when it is at rest in user mailboxes, again it is
possible that a new virus will be discovered some time after the
email arrives so a retrospective scan would find it, but that won't
help you much because most users read their email and open
attachments soon after the email arrives.
I'm completely with you! I have of course configured my postfix with
Amavisd-new and all that stuff. But viruses evolve quite faster than
detection patterns of e.g. Clam-AV.
So it is likely, that Clam-AV didn't detect a virus when scanning the
mail-traffic on arrival and the malware now resides in the
mdbox-storage.
For this situation an afterward virus scan of the existing mail
storage on a regular basis seems to me an appropriate method to get
rid of viruses, trojans etc. that were not detected on arrival and
reside like a time bomb in my mail storage...
The thing is that users will usually open emails shortly after they
arrive. Most emails are not opened again later, especially the
attachments.
So if a virus laden email got through because the definitions for your
anti-virus solution where not updated in time, then it is fairly likely
that the user's desktop computer is now infected (the endpoint). To fix
that risk, you need a traditional endpoint virus scanner. In the
unlikely event that a user opens an attachment in an old email, then
their endpoint security will also intervene and prevent an infection.
In other words, it all comes back to endpoint security. Without it you
are very prone to a virus infection. Scanning incoming email is helpful
to reduce noise and inconvenience, but it is not a substitute for
endpoint security, as in any case users can be infected in plenty of
other ways, such as booby trapped websites or infected USB keys that
they bring into the office.
Btw.: what virus scanners besides Clam-AV are the people on this list
using? And how is the virus scanner implemented: via Amavisd-new or
e.g. rspamd or ...?
- I hope this question is not too offtopic for the dovecot list!
You are right, that is a little offtopic. It is realy a postfix
question.
For my day job I work for Sophos (A cyber security vendor), so all this
is familiar to me. If you have the budget for a commercial product, then
Sophos PureMessage does have postfix support. Technical details here:
https://docs.sophos.com/msg/pmx/help/en-us/msg/pmx/tasks/GSGConfigExtPostfixConfig.html
Other AV vendors probably have similar support, but I don't know any
details.
--
David Pottage
