[clamav-users] Scanning IMAP traffic without user credential storage
Simon Hobson
linux at thehobsons.co.uk
Fri Jul 28 10:20:33 UTC 2017
Beeblebrox <zaphod at berentweb.com> wrote:
>> ... If clamd finds something (it does happen), what's the plan?
>> The message is *already* in the user's mail box, and I'd say it should
>> *not* be there in your scenario, because the user can pick up the bad
>> mail simply by connecting other than through your gateway.
>
> I was thinking "somehow" to move the email to a quarantine folder and
> then sending an advisory to the user "message from joe has been
> quarantined, please take following steps". Perhaps even some process to
> strip all attachments, convert message to text-only (risky?) and send
> the text-only content along with the advisory.
>
> Moving the message to quarantine folder on the host server (Gmail)
> would require user credential by MTA, so there's another hole in my
> concept. I wonder if there's an MTA that stores hashed credentials but
> is also able to auto-update such credentials as received from client
> device / MUA so that no direct user interaction with the Gateway is
> necessary.
Well, if you could act as a MiM, then you'd act as an IMAP server to the client and get the credentials from them as they log in. You'd then log into the real upstream server using those credentials. You'd have to proxy everything so that the client sees the contents of the mailboxes - but you'd have the access you'd need to move the infected mail and add a new warning message.
BUT, two problems.
I have no idea at all if there is such a proxy mechanism in existence.
Most of all, it can't be done with SSL connections without either the client users getting security warnings which they'd have to accept, or the clients having your own root certificate installed. Neither of these is a good idea - one teaches users to ignore certificate errors, the other opens the door to all manner of "mischief".
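The proxy design sketched above, as an added illustration that is not part of the thread and not code from ClamAV: the client's LOGIN credentials are used to open the upstream session and held only for the lifetime of that session (never written to disk), and once authenticated the gateway can move a flagged message to a quarantine folder and append an advisory on the user's behalf. The upstream server, the `SCAN` command and the `MALWARE-TEST-MARKER` detection are constructed stand-ins for a real IMAP server, a clamd verdict and the command flow; the TLS problem raised in the post is not modelled here.

```python
from dataclasses import dataclass, field

# Constructed marker standing in for a clamd "FOUND" verdict (not a real signature).
MALWARE_MARKER = "MALWARE-TEST-MARKER"


@dataclass
class FakeUpstream:
    """In-memory stand-in for the provider's IMAP server (constructed, not real IMAP)."""
    users: dict                                   # username -> password
    folders: dict = field(default_factory=dict)   # username -> {folder: [message dicts]}

    def login(self, user, password):
        return self.users.get(user) == password

    def move(self, user, src, dst, uid):
        msgs = self.folders[user][src]
        msg = next(m for m in msgs if m["uid"] == uid)
        msgs.remove(msg)
        self.folders[user].setdefault(dst, []).append(msg)

    def append(self, user, folder, message):
        self.folders[user].setdefault(folder, []).append(message)


def scan(message):
    """Hypothetical scanner hook: True means the message is infected."""
    return MALWARE_MARKER in message["body"]


class GatewaySession:
    """One client connection through the gateway.

    Credentials arrive in the client's LOGIN command, are used to open the
    upstream session, and are discarded at LOGOUT; nothing is persisted.
    """

    def __init__(self, upstream, scanner=scan):
        self.upstream = upstream
        self.scanner = scanner
        self.user = None
        self._password = None

    def handle(self, line):
        """Handle one tagged client command and return the tagged response."""
        tag, cmd, *args = line.split(" ")
        cmd = cmd.upper()
        if cmd == "LOGIN":
            user, password = args
            if not self.upstream.login(user, password):
                return f"{tag} NO LOGIN failed"
            self.user, self._password = user, password   # session-scoped only
            return f"{tag} OK LOGIN completed"
        if self.user is None:
            return f"{tag} BAD not authenticated"
        if cmd == "LOGOUT":
            self._password = None
            self.user = None
            return f"{tag} OK LOGOUT completed"
        if cmd == "SCAN":   # hypothetical gateway-only command, not part of IMAP
            return f"{tag} OK quarantined {self.quarantine_infected()}"
        return f"{tag} BAD unsupported command"

    def quarantine_infected(self):
        """Move every infected INBOX message to Quarantine and leave an advisory."""
        inbox = self.upstream.folders[self.user].get("INBOX", [])
        hits = [m for m in inbox if self.scanner(m)]
        for m in hits:
            self.upstream.move(self.user, "INBOX", "Quarantine", m["uid"])
            self.upstream.append(self.user, "INBOX", {
                "uid": f"advisory-{m['uid']}",
                "from": "gateway@example.invalid",
                "body": f"Message from {m['from']} has been quarantined; see Quarantine.",
            })
        return len(hits)


def demo():
    """Constructed walk-through; returns the upstream folders after the scan."""
    upstream = FakeUpstream(
        users={"alice": "s3cret"},
        folders={"alice": {"INBOX": [
            {"uid": "1", "from": "joe", "body": "lunch?"},
            {"uid": "2", "from": "joe", "body": "invoice " + MALWARE_MARKER},
        ]}},
    )
    session = GatewaySession(upstream)
    session.handle("a1 LOGIN alice s3cret")
    session.handle("a2 SCAN")
    session.handle("a3 LOGOUT")
    return upstream.folders["alice"]


if __name__ == "__main__":
    print(demo())
```

The scanning step runs only with credentials the client itself just presented, which is the property the post is after; it also shows why this cannot work without the proxy being the TLS endpoint the client trusts.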