On 2016-11-09 21:36, Brad Koehn wrote:
I have discovered that many times the virus definitions I use for
scanning messages (ClamAV, with the unofficial signatures
http://sanesecurity.com/usage/linux-scripts/) are updated some time
after my server has received an infected email. It seems the virus
creators are trying to race the virus definition creators to see who
can deliver first; more than half of the infected messages are found
after they’ve been delivered. Great.

To help detect and remove the infected messages after they’ve been
delivered to users’ mailboxes, I created a small script that iterates
the INBOX and Junk mailbox directories, scans recent messages for
viruses, and deletes them if found. The source of my script (run via
cron) is here: https://gitlab.koehn.com/snippets/9

Unfortunately Dovecot doesn’t like it if messages are deleted (dbox)
out from under it. I tried a doveadm force-resync on the folder
containing the messages, but it seems Dovecot is still unhappy. At
least on the new version (2.2.26.0) it doesn’t crash; 2.2.25 would
panic and coredump when it discovered messages had been deleted.

I’m wondering if there’s a better way to scan recent messages and
eradicate them so that Dovecot isn’t upset when it happens. Maybe using
doveadm search? Looking for suggestions.


Leave an empty message behind with the same name as the deleted message?




--
key ID: 0x4BFEBB31
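
The question above asks whether doveadm search could replace deleting dbox files directly. The following is an added example, not part of the thread and not the script linked in it: it re-scans recently saved mail and removes detections with doveadm expunge, so Dovecot updates its own indexes. It assumes doveadm and clamscan are on PATH; the 2d window, the SWEEP_USER variable and the function names are illustrative.

```sh
#!/bin/sh
# Added example: post-delivery re-scan that removes infected mail through
# doveadm instead of unlinking files under Dovecot.
# Assumed: doveadm and clamscan on PATH; SINCE default of 2d is illustrative.
SINCE="${SINCE:-2d}"

# Print the UID of every message saved to mailbox $2 of user $1 within $SINCE.
# doveadm search prints "<mailbox-guid> <uid>" per match.
recent_uids() {
    doveadm search -u "$1" mailbox "$2" savedsince "$SINCE" | awk '{print $2}'
}

# Succeed only when ClamAV reports a detection (exit status 1) for the message.
# A scanner error (status 2) counts as "not infected", so nothing is deleted
# when the signature database is broken or mid-update.
is_infected() {
    rc=0
    # The sed step drops the "text:" label line doveadm prints before the body.
    doveadm fetch -u "$1" text mailbox "$2" uid "$3" |
        sed '1{/^text:$/d;}' |
        clamscan --no-summary - >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ]
}

# Sweep the listed mailboxes of user $1; print one line per expunged message.
sweep_user() {
    user=$1; shift
    for box in "$@"; do
        for uid in $(recent_uids "$user" "$box"); do
            if is_infected "$user" "$box" "$uid"; then
                doveadm expunge -u "$user" mailbox "$box" uid "$uid" &&
                    echo "expunged $user $box $uid"
            fi
        done
    done
}

# Entry point for cron: SWEEP_USER=user@example.com sh sweep.sh
if [ -n "${SWEEP_USER:-}" ]; then
    sweep_user "$SWEEP_USER" INBOX Junk
fi
```

The printed "expunged" lines double as an audit trail when cron mails the output.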
