On 21 Jan 2003, [EMAIL PROTECTED] writes:

> At 14:16 -0800 Jonathan Marsden wrote:
>> How about checking for viruses before mail reaches Cyrus? Such as
>> with a virus scanner that runs as a milter which sendmail talks to
>> when it receives mail? Or a similar approach for whatever your
>> chosen MTA is?
> Because (as mentioned elsewhere in this thread) lmtpd is not the
> only way messages can be stored on an IMAP server: eg think of
> sending a poisoned attachment, which magically ends up in your sent
> folder.

I don't see the 'elsewhere in this thread' mail yet, but anyway: This is technically correct.

(a) That 'poisoned attachment' came from somewhere -- where? If from a workstation within your organization, why didn't the virus scanning software on that workstation detect it? Shouldn't this be the first priority? For the attachment to be sent to the Sent folder, the primary layer of workstation virus protection must already have failed. If that happens at all frequently, there is an underlying issue which needs to be addressed on the workstations.

(b) That attachment in the IMAP Sent folder can't exactly do much damage from there... it can't be sent to anyone, since the outgoing MTA will trap it. Sure, it can be read/downloaded/run by the sending user... but they already have a copy on their workstation anyway, else how did they get it into the IMAP server in the first place?

(c) I suspect that 99.9% of viral email does in fact arrive over the SMTP/MTA channel, so if you configured the server file system scanner to *report* stuff it found under the Cyrus mail partition(s) but not remove it, and also use an MTA-hosted scanner for the other 99.9%, you'd have a manual user support task for one virus in 1000. That task would be something like: go to or otherwise gain control over the user's workstation concerned, fix that workstation's virus issues if any, then use their mail client to delete that attachment from their Sent folder. This last part is probably not a huge additional workload, since you'd be dealing with the infected workstation anyway.
If you absolutely have to have a way to delete rare viral messages from the Cyrus mailstore 100% automatically, I'd suggest writing a small Perl script making use of Cyrus::IMAP::Admin that looks at the output of your filesystem scanner (set to report only, not delete), looks at the content of the file(s) in question (to find a Message ID or other unique identifier) and logs into Cyrus as the admin user and deletes the message(s) concerned.

As a general principle, external tools *must* *not* add/edit/delete files or directories within the Cyrus mailstore. Just as they must not add/edit/delete stuff within your Oracle, Postgres or MySQL databases. Cyrus gives you a well defined API (well, two: LMTP and IMAP!). Use them, and only them, to make changes to the Cyrus mailstore, and Cyrus will stay healthier than if you bypass them.

Just because your chosen scanner apparently does not respect this principle in its current (default?) configuration, does not mean the problem lies with Cyrus :-)

Jonathan
--
Jonathan Marsden    | Internet: [EMAIL PROTECTED] | Making electronic
1252 Judson Street  | Phone: +1 (909) 795-3877    | communications work
Redlands, CA 92374  | Fax: +1 (909) 795-0327      | reliably for Christian
USA                 | http://www.xc.org/jonathan  | missions worldwide
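
An added example, not part of the original post and written in Python with `imaplib` rather than the Perl `Cyrus::IMAP::Admin` module the post suggests: it takes report-only scanner output, reads the Message-ID from the flagged file, and deletes through IMAP instead of touching the mailstore. The spool root, the scanner line format, the path-to-mailbox mapping and all function names are assumptions; `conn` is an already authenticated `imaplib.IMAP4` connection whose account has delete rights on the mailbox.

```python
import email
import re

SPOOL = "/var/spool/imap"  # assumed partition root; hashed spool dirs not handled
# Assumed report-only scanner line format: "<path>: <signature> FOUND"
REPORT_RE = re.compile(r"^(?P<path>\S+): (?P<sig>.+) FOUND$")
# The flagged file is hostile input: accept only IDs that are safe to quote.
SAFE_MSGID = re.compile(r'^<[^\s"\\<>]+@[^\s"\\<>]+>$')


def flagged_messages(report_lines, spool=SPOOL):
    """Return (mailbox, uid, path) for each reported Cyrus message file."""
    hits = []
    for line in report_lines:
        m = REPORT_RE.match(line.strip())
        if not m or not m["path"].startswith(spool + "/"):
            continue
        folder, _, name = m["path"][len(spool) + 1:].rpartition("/")
        # Cyrus stores each message as "<uid>." in the mailbox directory;
        # index and header files (cyrus.*) are never candidates.
        if re.fullmatch(r"\d+\.", name) and not re.search(r'["\\]', folder):
            # Assumes the default "." hierarchy separator.
            hits.append((folder.replace("/", "."), name[:-1], m["path"]))
    return hits


def message_id(raw):
    """Message-ID from raw message bytes, or None if absent or unsafe."""
    value = str(email.message_from_bytes(raw)["Message-ID"] or "").strip()
    return value if SAFE_MSGID.match(value) else None


def delete_via_imap(conn, mailbox, uid, msgid):
    """Delete one message over IMAP only if the reported UID and ID agree."""
    if conn.select('"%s"' % mailbox)[0] != "OK":
        return False
    typ, data = conn.uid("SEARCH", None, "HEADER", "Message-ID",
                         '"%s"' % msgid)
    if typ != "OK" or uid.encode() not in (data[0] or b"").split():
        return False  # mailbox changed since the scan; leave it for a human
    conn.uid("STORE", uid, "+FLAGS", r"(\Deleted)")
    conn.expunge()  # also removes anything else already flagged \Deleted
    return True
```

Requiring the filename UID and the Message-ID search to agree keeps a stale or malformed report from deleting an unrelated message.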