Re: Problem with cyrus and deleting a message with a virus.
Mark London schrieb: Hi - We are running uvscan, and it will delete a cyrus message file that contains a virus. Of course, cyrus doesn't know that the message is deleted, so it still shows that message, albeit it shows up as being from Unknown with (no subject). The problem is that this message can't be deleted, no matter what method the user tries. The only solution we have found is to replace the deleted message with a dummy file, and then it can be deleted. We can't be the only one having this problem. Do other people run virus scanning software, like uvscan, on their server? Thanks. - Mark If you're messing around with the internal data stores of a program, and then you get upset when the program doesn't work, I'd say that you've created your own problem. I'm not messing with it, uvscan is doing it. Is there a better software alternative that will delete viruses on the server? Are we the only people using cyrus that are running virus scanning software on the server? Btw, I would think cyrus should be able to handle the simple case of a missing single file. I should be able to delete a message for which the message file is already missing. We're not talking about a complex database file structure here. It's a single file with a single message. Did I get you right that you simply run the scanner via cron to delete infected files? Why - if you don't want to put it on a proxy - don't you run amavis together with uvscan when sendmail attempts to deliver the mail locally via cyrus-deliver? This is what we're doing here, and it works really fine. Infected Mails won't reach the cyrus spool area and therefore cause no problem. One thing left: when a user moves a mail into the imap folders from his email client, it could possibly be infected. So we do two things about that: Every user has a server-controlled Anti-Virus System (Symatec AV Corporate) running that makes sure the clients itself are clean. Second is, we run uvscan via cronjob also, but don't let it quarantine oder delete infected files automatically. If it really should find a virus that has stolen itself into a client or the cyrus spool, we delete it manually. This never happened up till now, it's just a second 'Line of Defense' for absolute safety. Running this system really works quite perfect, never had any problem up till now. Regards, Andreas Grimmel
Re: Problem with cyrus and deleting a message with a virus.
On Tue, 21 Jan 2003, Mark London wrote: I'm not messing with it, uvscan is doing it. Is there a better software alternative that will delete viruses on the server? Are we the only people using cyrus that are running virus scanning software on the server? I do the virus scanning and spam filtering before it even reaches cyrus. I use the sendmail milter interface to pipe the messages through Amavis. Amavis in its turn then uses SpamAssassin and Clam Antivirus. Works like a charm. -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Piet RUYSSINCKe-mail: [EMAIL PROTECTED] Unix Systeem Administratie tel: +32 9 264 4733 Directie Informatie- en Communicatietechnologie (ICT) fax: +32 9 264 4994 Universiteit Gent (RUG) Krijgslaan 281, gebouw S9 - 9000 Gent, Belgie -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Please avoid sending me Word or PowerPoint attachments See http://www.fsf.org/philosophy/no-word-attachments.html
Re: Problem with cyrus and deleting a message with a virus.
On Jan 21 Jonathan Marsden wrote: Because (as mentioned elsewhere in this thread) lmtpd is not the only way messages can be stored on an IMAP server: eg think of sending a poisoned attachment, which magically ends up in your sent folder. I don't see the 'elsewhere in this thread' mail yet, but anyway: This is technically correct. (a) That 'poisoned attachment' came from somewhere -- where? If from Irrelevant question. The fact that it could happen is enough. I can't stop my users going to someone's computer (which has no virus protection) and connecting to my IMAP server. I have students who will no doubt use the IMAP server as a filestore when they run out of quota on the fileserver. (b) That attachment in the IMAP Sent folder can't exactly do much damage from there... it can't be sent to anyone, since the outgoing Imagine my answer to (a) but in reverse. [snip] Just because your chosen scanner apparently does not respect this principle in its current (default?) configuration, does not mean the problem lies with Cyrus :-) ..and, conversely, you can't say your IMAP server is free from viruses because you blindly trust your users not to do silly things.
Re: Problem with cyrus and deleting a message with a virus.
Bottom line: The virus scanning should be done by your MTA. If you muck around in user mailboxes, deleting messages willy nilly without letting Cyrus know, you *will* corrupt users' mailstores, unless you tediously plan to run reconstruct on a mailbox everytime a virus is found. Unless your name is Rube Goldberg, this seems like a bad idea to me. If you must alter messages after they've been delivered, run Courier or some other MH-based mailserver. Cyrus isn't for you. It's really that simple. commentary IMHO, all *YOU* can be expected to be responsible for as a socially responsible sys admin is the mail sent through your mailserver. If virus scanning is done on all outbound/inbound SMTP connections, then you can rest well knowing you're doing your part. If some clueless user uploads a virus as an IMAP piece of mail and they don't run anti-viral software, well it'll only happen to them once if they're smart ;-) /commentary The benefits of scanning inbound outbound SMTP traffic only becomes apparent if you really think about it. -- Brian
Re: Problem with cyrus and deleting a message with a virus.
[EMAIL PROTECTED] wrote: Irrelevant question. The fact that it could happen is enough. I can't stop my users going to someone's computer (which has no virus protection) and connecting to my IMAP server. I have students who will no doubt use the IMAP server as a filestore when they run out of quota on the fileserver. The same arguments apply if you were talking about an Oracle database -- users could store viruses into the database and someone else could extract it from that database and execute it. However, you wouldn't run a virus scanner on Oracle databases that just deleted files if it didn't like them -- the Cyrus mailstore is no different, even if some of the parts are stored in a familiar format. The clean way would be to add a filtering layer wherever messages could be stored into Cyrus. It is easy enough to add a front-end to the delivery side using the various MTAs, but it would be more work to filter messages stored via IMAP. Until then, the correct way to do it would be to use IMAP to muck with the message store (even if you found which files you had a problem with by running directly on the filesystem, but of course there is no guarantee you are seeing a consistent state). If you insist on deleting the files out from under Cyrus, then be content with private hacks to work around the problem, reconstruct the mailboxes you tamper with, or just live with a partially broken mailstore. -- John A. Tamplin Unix System Administrator Emory University, School of Public Health +1 404/727-9931
Problem with cyrus and deleting a message with a virus.
Hi - We are running uvscan, and it will delete a cyrus message file that contains a virus. Of course, cyrus doesn't know that the message is deleted, so it still shows that message, albeit it shows up as being from Unknown with (no subject). The problem is that this message can't be deleted, no matter what method the user tries. The only solution we have found is to replace the deleted message with a dummy file, and then it can be deleted. We can't be the only one having this problem. Do other people run virus scanning software, like uvscan, on their server? Thanks. - Mark
Re: Problem with cyrus and deleting a message with a virus.
On Tue, 21 Jan 2003, Mark London wrote: Hi - We are running uvscan, and it will delete a cyrus message file that contains a virus. Of course, cyrus doesn't know that the message is deleted, so it still shows that message, albeit it shows up as being from Unknown with (no subject). The problem is that this message can't be deleted, no matter what method the user tries. The only solution we have found is to replace the deleted message with a dummy file, and then it can be deleted. We can't be the only one having this problem. Do other people run virus scanning software, like uvscan, on their server? Thanks. - Mark If you're messing around with the internal data stores of a program, and then you get upset when the program doesn't work, I'd say that you've created your own problem. If you really want to do this, convince your virus scanner to delete the files via the IMAP protocol instead of arbitrarly altering data structures that it knows nothing about. -Rob (Note that you can also rebuild the mailbox with the reconstruct command, but I don't recommend this as a general solution). -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
Re: Problem with cyrus and deleting a message with a virus.
Hi - We are running uvscan, and it will delete a cyrus message file that contains a virus. Of course, cyrus doesn't know that the message is deleted, so it still shows that message, albeit it shows up as being from Unknown with (no subject). The problem is that this message can't be deleted, no matter what method the user tries. The only solution we have found is to replace the deleted message with a dummy file, and then it can be deleted. We can't be the only one having this problem. Do other people run virus scanning software, like uvscan, on their server? Thanks. - Mark If you're messing around with the internal data stores of a program, and then you get upset when the program doesn't work, I'd say that you've created your own problem. I'm not messing with it, uvscan is doing it. Is there a better software alternative that will delete viruses on the server? Are we the only people using cyrus that are running virus scanning software on the server? Btw, I would think cyrus should be able to handle the simple case of a missing single file. I should be able to delete a message for which the message file is already missing. We're not talking about a complex database file structure here. It's a single file with a single message.
Re: Problem with cyrus and deleting a message with a virus.
On Tue, 21 Jan 2003, Mark London wrote: I'm not messing with it, uvscan is doing it. Is there a better software alternative that will delete viruses on the server? Are we the only people using cyrus that are running virus scanning software on the server? Run a scanner as a part of your MTA, and don't let the messages get delivered to cyrus in the first place. Programs such as mimedefang provide ways to do this. Btw, I would think cyrus should be able to handle the simple case of a missing single file. I should be able to delete a message for which the message file is already missing. We're not talking about a complex database file structure here. It's a single file with a single message. Why is it any different from a database? Just because the mailstore is spread between multiple files and an index doesn't mean that one part can be tossed away needlessly. A mailstore is just that... a database. If you deleted the data file for a mysql database, but left the index file around, would you expect it to still work perfectly? -Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
Re: Problem with cyrus and deleting a message with a virus.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Content-Type: text/plain; charset=us-ascii In message [EMAIL PROTECTED], Rob S iemborski writes: On Tue, 21 Jan 2003, Mark London wrote: If you're messing around with the internal data stores of a program, and then you get upset when the program doesn't work, I'd say that you've created your own problem. If you really want to do this, convince your virus scanner to delete the files via the IMAP protocol instead of arbitrarly altering data structures that it knows nothing about. -Rob (Note that you can also rebuild the mailbox with the reconstruct command, but I don't recommend this as a general solution). Right. Other than losing the flags data, are there any other downsides to this solution? (We were thinking of using this to delete old messages from users spam folders) - -- Ted Cabeen http://www.pobox.com/~secabeen[EMAIL PROTECTED] Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED] I have taken all knowledge to be my province. -F. Bacon [EMAIL PROTECTED] Human kind cannot bear very much reality.-T.S.Eliot[EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (FreeBSD) Comment: Exmh version 2.5 07/13/2001 iD8DBQE+Lb10oayJfLoDSdIRAruBAJ47lR+8YkN3UwjBLE4KCBD0lwVsVACgpbwD 0xC2+RXRVadgscm59feoPP4= =YLop -END PGP SIGNATURE-
Re: Problem with cyrus and deleting a message with a virus.
On 21 Jan 2003 at 16:31, Mark London wrote: I'm not messing with it, uvscan is doing it. Is there a better software alternative that will delete viruses on the server? Are we the only people using cyrus that are running virus scanning software on the server? The only valid way to access messages under Cyrus control is via the protocols (IMAP/POP), that's stated clearly in the project description. Why don't you stop the virus before the MTA hands the infected message to Cyrus or even better before the MTA accepts it. There are several software pieces (both commercial and Open Source) that implement that kind of functionality. Btw, I would think cyrus should be able to handle the simple case of a missing single file. I should be able to delete a message for which the message file is already missing. We're not talking about a complex database file structure here. It's a single file with a single message. Ok if that's simple enough then implement this functionality or get somebody on your organization with the relevant programming skills to implement it. Send the patch to the Cyrus developers maybe they will accept and it will get included in the official distribution. If not, you can maintain a it as a local patch and update is to every new Cyrus release you deploy. - Ramiro
Re: Problem with cyrus and deleting a message with a virus.
We run Interscan VirusWall--it only deleted the infected attachment, and leaves the message intact (with a note inside telling the user that the attachment was deleted). This makes for some confusion (the user still wants the attachment, thinking it is real mail, and not just a virus. That seems to be a hard concept), but leaves cyrus unaffected. Are there any viruses that infect the whole message? I cannot think of any, maybe you can modify the uvscan program to just delete the attachment, instead of the whole message? c* - Original Message - From: Mark London [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, January 21, 2003 3:07 PM Subject: Problem with cyrus and deleting a message with a virus. Hi - We are running uvscan, and it will delete a cyrus message file that contains a virus. Of course, cyrus doesn't know that the message is deleted, so it still shows that message, albeit it shows up as being from Unknown with (no subject). The problem is that this message can't be deleted, no matter what method the user tries. The only solution we have found is to replace the deleted message with a dummy file, and then it can be deleted. We can't be the only one having this problem. Do other people run virus scanning software, like uvscan, on their server? Thanks. - Mark
Re: Problem with cyrus and deleting a message with a virus.
Mark London wrote: I'm not messing with it, uvscan is doing it. Is there a better software alternative that will delete viruses on the server? Are we the only people using cyrus that are running virus scanning software on the server? I think most people scanning their mail do so before it is stored in the filesystem. Btw, I would think cyrus should be able to handle the simple case of a missing single file. I should be able to delete a message for which the message file is already missing. We're not talking about a complex database file structure here. It's a single file with a single message. How far should the server go assuming it knows the reason why some unexpected condition exists? Should it happily ignore a missing /etc/cyrus.conf and assume default settings? Should it assume /var/imap ran out of disk space because there were log files it should silently clean up for you? I imagine it wouldn't be very difficult to hack the source so that whenever it tried to open a message file that didn't exist, it could create a message that says it was removed by virus scanning and then open that file, but that would have to be something you want to run -- I wouldn't want that in the version I was running and I doubt such a hack would get accepted into the codebase. -- John A. Tamplin Unix System Administrator Emory University, School of Public Health +1 404/727-9931
Re: Problem with cyrus and deleting a message with a virus.
On Tue, 21 Jan 2003, Mark London wrote: I'm not messing with it, uvscan is doing it. Is there a better software You told it to... alternative that will delete viruses on the server? Are we the only people Yes, you don't let the virus in the server on the first place, using a content scanning proxy coupled to the antivirus, and tie them to the MTA BEFORE Cyrus. Users can still upload viruses through IMAP, but then they're asking for a account removal... using cyrus that are running virus scanning software on the server? Well, everyone I know does it in the MTA to avoid trashing the Cyrus spool. Btw, I would think cyrus should be able to handle the simple case of a missing It handles that fine, but not in the way you want it to :) I am not sure exactly what changes would need to be made to make it 'test if a message file is there before it tries to unlink it', or to ignore JUST the 'file not found' error when trying to unlink it. After all, all other IO errors must still not be ignored... -- One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh
Re: Problem with cyrus and deleting a message with a virus.
Mark London said: I'm not messing with it, uvscan is doing it. Is there a better software alternative that will delete viruses on the server? Are we the only people using cyrus that are running virus scanning software on the server? There was a discussion on this last week. Search the archives. Btw, I would think cyrus should be able to handle the simple case of a missing single file. I should be able to delete a message for which the message file is already missing. We're not talking about a complex database file structure here. It's a single file with a single message. It's not as simple as a simple missing file and if that's the depth of your understanding of how Cyrus works, you're in trouble. You have an index of all messages and just arbitrarily removing or mangling it outside of the proper delivery mechanism will cause problems. -- Brian
Re: Problem with cyrus and deleting a message with a virus.
On 21 Jan 2003, Mark London writes: Hi - We are running uvscan, and it will delete a cyrus message file that contains a virus. ... If you're messing around with the internal data stores of a program, and then you get upset when the program doesn't work, I'd say that you've created your own problem. I'm not messing with it, uvscan is doing it. Is there a better software alternative that will delete viruses on the server? Are we the only people using cyrus that are running virus scanning software on the server? How about checking for viruses before mail reaches Cyrus? Such as with a virus scanner that runs as a milter which sendmail talks to when it receives mail? Or a similar approach for whatever your chosen MTA is? We use RAV http://www.ravantivirus.com in its Sendmail-milter version with good results here. There is no really need to treat the cyrus mailstore as a pile of files, or to run software that naively does that (thereby causing your own problem, as has been pointed out) in order to scan email for viruses. Jonathan -- Jonathan Marsden| Internet: [EMAIL PROTECTED] | Making electronic 1252 Judson Street | Phone: +1 (909) 795-3877 | communications work Redlands, CA 92374 | Fax: +1 (909) 795-0327 | reliably for Christian USA | http://www.xc.org/jonathan| missions worldwide
Re: Problem with cyrus and deleting a message with a virus.
Ted Cabeen wrote: Right. Other than losing the flags data, are there any other downsides to this solution? (We were thinking of using this to delete old messages from users spam folders) If your users all have spam folders named the same or similar (presumably put there by spam filtering software), wouldn't ipurge do what you want already and without screwing with Cyrus's data structures? -- John A. Tamplin Unix System Administrator Emory University, School of Public Health +1 404/727-9931
Re: Problem with cyrus and deleting a message with a virus.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Content-Type: text/plain; charset=us-ascii In message [EMAIL PROTECTED], John Alton Tamplin writes: Ted Cabeen wrote: Right. Other than losing the flags data, are there any other downsides to this solution? (We were thinking of using this to delete old messages from users spam folders) If your users all have spam folders named the same or similar (presumably put there by spam filtering software), wouldn't ipurge do what you want already and without screwing with Cyrus's data structures? Hmmm. Didn't know that existed. I'll take a look at that - -- Ted Cabeen http://www.pobox.com/~secabeen[EMAIL PROTECTED] Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED] I have taken all knowledge to be my province. -F. Bacon [EMAIL PROTECTED] Human kind cannot bear very much reality.-T.S.Eliot[EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (FreeBSD) Comment: Exmh version 2.5 07/13/2001 iD8DBQE+LcrEoayJfLoDSdIRAt/kAJwMxrY/wMyrOHwxWdybg1jYGgLaIQCgynOV Da8Xp41o5SFKOlt6LEFf37Q= =D6Fz -END PGP SIGNATURE-
Re: Problem with cyrus and deleting a message with a virus.
On Tuesday 21 January 2003 16:58 pm, Will Day wrote: A short time ago, at a computer terminal not so far away, Mark London wrote: If you're messing around with the internal data stores of a program, and then you get upset when the program doesn't work, I'd say that you've created your own problem. I'm not messing with it, uvscan is doing it. Is there a better software alternative that will delete viruses on the server? Are we the only people using cyrus that are running virus scanning software on the server? We're using Cyrus and doing virus scanning (with uvscan in fact), but we do it from the MTA, before it reaches cyrus (using Anomy as content-filter in postfix). Yes, amavis-new also will do this and is uvscan compatible. http://www.ijs.si/software/amavisd/ Cheers, Jeremy
Re: Problem with cyrus and deleting a message with a virus.
At 16:56 -0500 Brian wrote: Mark London said: I'm not messing with it, uvscan is doing it. Is there a better software alternative that will delete viruses on the server? Are we the only people using cyrus that are running virus scanning software on the server? But uvscan is treating your cyrus store as a fileserver, and you shouldn't do that. Your Cyrus store is a black box which happens to have enough structure to make a tape restore feasible, but even that is living dangerously. I've told my users (who are CS academics and students) that our shiny new IMAP service has got algorithms and leave it at that :) Then they see the dramatic speed increase over our old system, and suddenly the need to quiz my silly slogan vapourises! There was a discussion on this last week. Search the archives. Yes.. unfortunately I don't have time to write an ICAP client, especially as I only have access to uvscan, which doesn't daemonise (and so would probably not benefit from an ICAP server unless there was a big farm of 'em..). (I would have replied earlier, but have been plagued both by illness and our students' return..) Maybe if your uvscan is running as a cron job, you can wrapper it in a privileged IMAP client which fetches every message into a ramdisk, runs uvscan on it and if necessary then move the file from your ramdisk into a quarantine area, uses IMAP to delete expunge the users' mail and finally mails the user to say what's happened.. if your client has got algorithms it could track Message IDs (amongst other things) so that you don't repeatedly scan mail which hasn't changed.
Re: Problem with cyrus and deleting a message with a virus.
At 14:16 -0800 Jonathan Marsden wrote: How about checking for viruses before mail reaches Cyrus? Such as with a virus scanner that runs as a milter which sendmail talks to when it receives mail? Or a similar approach for whatever your chosen MTA is? Because (as mentioned elsewhere in this thread) lmtpd is not the only way messages can be stored on an IMAP server: eg think of sending a poisoned attachment, which magically ends up in your sent folder.
Re: Problem with cyrus and deleting a message with a virus.
On 21 Jan 2003, [EMAIL PROTECTED] writes: At 14:16 -0800 Jonathan Marsden wrote: How about checking for viruses before mail reaches Cyrus? Such as with a virus scanner that runs as a milter which sendmail talks to when it receives mail? Or a similar approach for whatever your chosen MTA is? Because (as mentioned elsewhere in this thread) lmtpd is not the only way messages can be stored on an IMAP server: eg think of sending a poisoned attachment, which magically ends up in your sent folder. I don't see the 'elsewhere in this thread' mail yet, but anyway: This is technically correct. (a) That 'poisoned attachment' came from somewhere -- where? If from a workstation within your organization, why didn't the virus scanning software on that workstation detect it? Shouldn't this be the first priority? For the attachment to be sent to the Sent folder, the primary layer of workstation virus protection must already have failed. If that happens at all frequently, there is an underlying issue which needs to be addressed on the workstations. (b) That attachment in the IMAP Sent folder can't exactly do much damage from there... it can't be sent to anyone, since the outgoing MTA will trap it. Sure, it can be read/downloaded/run by the sending user... but they already have a copy on their workstation anyway, else how did they get it into the IMAP server in the first place? (c) I suspect that 99.9% of viral email does in fact arrive over the SMTP/MTA channel, so if you configured the server file system scanner to *report* stuff it found under the Cyrus mail partitions(s) but not remove it, and also use an MTA-hosted scanner for the other 99.9%, you'd have a manual user support task for one virus in 1000. That task would be something like: go to or otherwise gain control over the user's workstation concerned, fix that workstation's virus issues if any, then use their mail client to delete that attachment from their Sent folder. This last part is probably not a huge additional workload, since you'd be dealing with the infected workstation anyway. If you absolutely have to have a way to delete rare viral messages from the Cyrus mailstore 100% automatically, I'd suggest writing a small Perl script making use of Cyrus::IMAP::Admin that looks at the output of your filesystem scanner (set to report only, not delete), looks at the content of the file(s) in question (to find a Message ID or other unique identifier) and logs into Cyrus as the admin user and deletes the message(s) concerned. As a general principle, external tools *must* *not* add/edit/delete files or directories within the Cyrus mailstore. Just as they must not add/edit/delete stuff within your Oracle, Postgres or MySQL databases. Cyrus gives you a well defined API (well, two: LMTP and IMAP!). Use them, and only them, to make changes to the Cyrus mailstore, and Cyrus will stay healthier than if you bypass them. Just because your chosen scanner apparently does not respect this principle in its current (default?) configuration, does not mean the problem lies with Cyrus :-) Jonathan -- Jonathan Marsden| Internet: [EMAIL PROTECTED] | Making electronic 1252 Judson Street | Phone: +1 (909) 795-3877 | communications work Redlands, CA 92374 | Fax: +1 (909) 795-0327 | reliably for Christian USA | http://www.xc.org/jonathan| missions worldwide
Re: Problem with cyrus and deleting a message with a virus.
[EMAIL PROTECTED] wrote: At 14:16 -0800 Jonathan Marsden wrote: How about checking for viruses before mail reaches Cyrus? Such as with a virus scanner that runs as a milter which sendmail talks to when it receives mail? Or a similar approach for whatever your chosen MTA is? Because (as mentioned elsewhere in this thread) lmtpd is not the only way messages can be stored on an IMAP server: eg think of sending a poisoned attachment, which magically ends up in your sent folder. ...where it would be relatively harmless anyway except to the already-infected local user... Putting the virus scanner in your MTA not only greatly limits the possibility that computers accessing your Cyrus server will be infected in the first place, but also insures against the possibility of having locally infected computers sending virii to all your associates, clients, vendors, etc. (assuming that you block unauthorized outgoing SMTP at your firewall). IMHO the MTA is by far the best possible place to put a virus scanner. -- Jules Agee System Administrator Pacific Coast Feather Co. [EMAIL PROTECTED] x284