Problem with cyrus and deleting a message with a virus.

Jonathan Marsden jonathan at bach.xc.org
Tue Jan 21 19:25:28 EST 2003


On 21 Jan 2003, mb/cyrus at dcs.qmul.ac.uk writes:

> At 14:16 -0800 Jonathan Marsden wrote:
 
>> How about checking for viruses before mail reaches Cyrus?  Such as
>> with a virus scanner that runs as a milter which sendmail talks to
>> when it receives mail?  Or a similar approach for whatever your
>> chosen MTA is?

> Because (as mentioned elsewhere in this thread) lmtpd is not the
> only way messages can be stored on an IMAP server: eg think of
> sending a poisoned attachment, which magically ends up in your sent
> folder.

I don't see the 'elsewhere in this thread' mail yet, but anyway:

This is technically correct.

(a) That 'poisoned attachment' came from somewhere -- where?  If from
a workstation within your organization, why didn't the virus scanning
software on that workstation detect it?  Shouldn't this be the first
priority?  For the attachment to be sent to the Sent folder, the
primary layer of workstation virus protection must already have
failed.  If that happens at all frequently, there is an underlying
issue which needs to be addressed on the workstations.

(b) That attachment in the IMAP Sent folder can't exactly do much
damage from there... it can't be sent to anyone, since the outgoing
MTA will trap it.  Sure, it can be read/downloaded/run by the sending
user... but they already have a copy on their workstation anyway, else
how did they get it into the IMAP server in the first place?

(c) I suspect that 99.9% of viral email does in fact arrive over the
SMTP/MTA channel, so if you configured the server file system scanner
to *report* stuff it found under the Cyrus mail partition(s) but not
remove it, and also use an MTA-hosted scanner for the other 99.9%,
you'd have a manual user support task for one virus in 1000.

That task would be something like: go to or otherwise gain control
over the user's workstation concerned, fix that workstation's virus
issues if any, then use their mail client to delete that attachment
from their Sent folder.  This last part is probably not a huge
additional workload, since you'd be dealing with the infected
workstation anyway.

If you absolutely have to have a way to delete rare viral messages
from the Cyrus mailstore 100% automatically, I'd suggest writing a
small Perl script making use of Cyrus::IMAP::Admin that looks at the
output of your filesystem scanner (set to report only, not delete),
looks at the content of the file(s) in question (to find a Message ID
or other unique identifier) and logs into Cyrus as the admin user and
deletes the message(s) concerned.

As a general principle, external tools *must* *not* add/edit/delete
files or directories within the Cyrus mailstore.  Just as they must
not add/edit/delete stuff within your Oracle, Postgres or MySQL
databases.  Cyrus gives you a well defined API (well, two: LMTP and
IMAP!).  Use them, and only them, to make changes to the Cyrus
mailstore, and Cyrus will stay healthier than if you bypass them.
Just because your chosen scanner apparently does not respect this
principle in its current (default?) configuration, does not mean the
problem lies with Cyrus :-)

Jonathan
--
Jonathan Marsden       	| Internet: jonathan at xc.org	| Making electronic 
1252 Judson Street  	| Phone: +1 (909) 795-3877	| communications work 
Redlands, CA 92374     	| Fax:   +1 (909) 795-0327	| reliably for Christian 
USA            		| http://www.xc.org/jonathan	| missions worldwide 
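What the "small script" sketched in the post could look like, as an added example that is not part of the original message or of Cyrus itself. It uses Python's standard imaplib in place of the Perl Cyrus::IMAP::Admin module the post suggests, and follows the post's principle exactly: the scanner is assumed to run in report-only mode, the script maps each flagged spool file to a mailbox and UID, reads the Message-ID out of the file, and then removes the message through IMAP rather than by touching the spool. Everything below about the environment is an assumption: the report format ("<path> FOUND <name>" / "<path> OK") is constructed, the partition is taken to be /var/spool/imap with the stock "user.<name>" hierarchy, "." separator and "<uid>." file names, and the admin login is assumed to carry implicit rights on every mailbox as a Cyrus admin normally does. The FakeCyrus class is an offline stand-in for the server so the demo runs without one; the sample message files and mailboxes are constructed, and the second report line is deliberately stale (the spool file and the mailbox copy carry different Message-IDs) to show the script refusing to expunge a message it cannot confirm.

```python
"""Remove scanner-flagged messages from a Cyrus mailstore via IMAP only.
Added example (not from the post or Cyrus). Assumptions: report lines are
"<path> FOUND <name>" / "<path> OK" (constructed); partition /var/spool/imap,
"user.<name>" hierarchy, "." separator, "<uid>." message files; the admin
login has implicit rights on every mailbox. imaplib stands in for the Perl
Cyrus::IMAP::Admin module named in the post.
"""
import email
import email.policy
import imaplib  # real use: imaplib.IMAP4_SSL(host).login(admin, pw)
import re
from pathlib import Path

SPOOL_ROOT = "/var/spool/imap"  # assumption: default Cyrus partition

# Constructed scanner report and message files; not real scanner output.
SAMPLE_REPORT = """\
/var/spool/imap/user/jonathan/Sent/42. FOUND Eicar-Test-Signature
/var/spool/imap/user/jonathan/Sent/43. OK
/var/spool/imap/user/alice/17. FOUND Eicar-Test-Signature
"""
MSG_A = b"From: j@example.org\r\nMessage-ID: <a.42@example.org>\r\n\r\nhi\r\n"
MSG_B = b"From: a@example.org\r\nMessage-ID: <b.17@example.org>\r\n\r\nhi\r\n"
MSG_STALE = b"From: a@example.org\r\nMessage-ID: <old.17@example.org>\r\n\r\nhi\r\n"

def flagged_paths(report):
    """Spool paths the scanner marked FOUND (report-only: it removed nothing)."""
    rows = [ln.split() for ln in report.splitlines()]
    return [r[0] for r in rows if len(r) >= 2 and r[1] == "FOUND"]

def path_to_mailbox(path, root=SPOOL_ROOT):
    """/var/spool/imap/user/jonathan/Sent/42. -> ("user.jonathan.Sent", 42).
    Rejects paths outside the partition or not shaped like a message file, so
    a garbled or hostile report line cannot aim the tool at cyrus.header etc."""
    *folders, fname = Path(path).relative_to(root).parts  # ValueError if outside
    if not folders or not re.fullmatch(r"\d+\.", fname):
        raise ValueError(f"not a Cyrus message file: {path}")
    return ".".join(folders), int(fname[:-1])

def message_id(raw):
    """Message-ID of a raw message file; used to confirm file and IMAP copy agree."""
    mid = email.message_from_bytes(raw, policy=email.policy.default)["Message-ID"]
    if not mid:
        raise ValueError("message has no Message-ID")
    return str(mid).strip()

def _quote(s):  # IMAP quoted-string for the SEARCH argument
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def delete_message(conn, mailbox, uid, mid):
    """Flag \\Deleted and expunge the message whose UID *and* Message-ID match;
    returns the UIDs removed ([] when the spool file and mailbox disagree)."""
    typ, _ = conn.select(mailbox)
    if typ != "OK":
        raise RuntimeError(f"cannot select {mailbox}")
    typ, data = conn.uid("SEARCH", None, "UID", str(uid),
                         "HEADER", "Message-ID", _quote(mid))
    found = [int(u) for u in data[0].split()] if typ == "OK" and data[0] else []
    for u in found:
        conn.uid("STORE", str(u), "+FLAGS.SILENT", r"(\Deleted)")
    if found:
        conn.expunge()
    conn.close()
    return found

def clean_report(conn, report, read_file=lambda p: Path(p).read_bytes()):
    """report -> (mailbox, uid) -> Message-ID from the file -> IMAP delete."""
    return {p: delete_message(conn, *path_to_mailbox(p), message_id(read_file(p)))
            for p in flagged_paths(report)}

class FakeCyrus:
    """Offline stand-in for imaplib.IMAP4 covering only the calls used above."""
    def __init__(self, boxes):  # boxes: {mailbox: {uid: raw_bytes}}
        self.boxes, self.cur, self.deleted = boxes, None, set()

    def select(self, mailbox):
        self.cur = self.boxes.get(mailbox)
        return ("OK", [b"1"]) if self.cur is not None else ("NO", [b"no such mailbox"])

    def uid(self, command, *args):
        if command == "SEARCH":  # args: None, "UID", n, "HEADER", "Message-ID", '"<..>"'
            hits = [u for u, raw in self.cur.items()
                    if u == int(args[2]) and message_id(raw) == args[5].strip('"')]
            return "OK", [" ".join(map(str, hits)).encode()]
        self.deleted.add(int(args[0]))  # STORE +FLAGS.SILENT (\Deleted)
        return "OK", [b""]

    def expunge(self):
        for u in self.deleted:
            self.cur.pop(u, None)
        self.deleted.clear()
        return "OK", [b""]

    def close(self):
        return "OK", [b""]

if __name__ == "__main__":
    conn = FakeCyrus({"user.jonathan.Sent": {42: MSG_A, 43: MSG_B},
                      "user.alice": {17: MSG_STALE}})
    files = {"/var/spool/imap/user/jonathan/Sent/42.": MSG_A,
             "/var/spool/imap/user/alice/17.": MSG_B}  # alice's file is stale
    print(clean_report(conn, SAMPLE_REPORT, read_file=files.__getitem__))
```

Against a real server, replace FakeCyrus with `imaplib.IMAP4_SSL(host)` followed by `.login(admin, password)` and drop the `read_file` override so the script reads the spool files the scanner named. The double check (UID from the file name and Message-ID from the file contents both have to match before anything is flagged) is what makes it safe to run unattended on a report that may be minutes old: if the user has already expunged and the UID no longer exists, or the mailbox was recreated and UIDs renumbered, nothing is touched. The mailbox names assume the default Cyrus namespace; with `unixhierarchysep` or `altnamespace` enabled the `path_to_mailbox` mapping needs adjusting.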