cyr_virusscan - Man Page

Name

cyr_virusscan — Cyrus IMAP documentation

Scan for viruses using configured virus scanner or manage infected messages using search criteria.

Synopsis

cyr_virusscan [ -C config-file ] [ -s imap-search-string ] [ -r [ -n ] ] [ -v ] [ mboxpattern1 ... ]

Description

cyr_virusscan can be used to invoke an external virus scanner (currently only ClamAV is supported) to scan specified IMAP mailboxes. If no mboxpattern is given, cyr_virusscan works on all mailboxes.

Alternatively, with the -s option, the IMAP SEARCH string is used as a specification of messages which are assumed to be infected, and they are treated as such. The virus scanner is not invoked. This is useful for removing messages without a distinct signature, such as phishing messages.

A table of infected messages will be output.

To remove infected messages, use the -r flag. Infected messages will be expunged from the user's mailbox.

With the notify flag, -n, notifications will be appended to the inbox of the mailbox owner, containing message digest information for the affected mail. This flag only works in combination with -r. The notification message can be customised by template; for details see Notifications below.

cyr_virusscan can be configured to run periodically by cron(8) via crontab(5) or your preferred method (e.g. /etc/cron.hourly), or by master(8) via the EVENTS{} section in cyrus.conf(5).

cyr_virusscan reads its configuration options out of the imapd.conf(5) file unless specified otherwise by -C.

Note that Cyrus does not ship with any virus scanners: you need to install one separately to make use of it with Cyrus.

Options

-C config-file

Use the specified configuration file config-file rather than the default imapd.conf(5).

-n,  --notify

Notify mailbox owner of deleted messages via email.  This flag is only operable in combination with -r.

-r,  --remove-infected

Remove infected messages.

-s imap-search-string, --search=imap-search-string

Rather than scanning for viruses, messages matching the search criteria will be treated as infected.

-v,  --verbose

Produce more verbose output.

Notifications

When the -n flag is provided, notifications are sent to mailbox owners when infected messages are removed.  One notification is sent per owner, containing a digest of each message that was deleted from any of their mailboxes.

The default notification subject is "Automatically deleted mail", which can be overridden by setting virusscan_notification_subject in imapd.conf(5) to a UTF-8 value.

Each infected message will be described according to the following template:

The following message was deleted from mailbox '%MAILBOX%'
because it was infected with virus '%VIRUS%'

    Message-ID: %MSG_ID%
    Date: %MSG_DATE%
    From: %MSG_FROM%
    Subject: %MSG_SUBJECT%
    IMAP UID: %MSG_UID%

To use a custom template, create a UTF-8 file containing your desired text and using the same %-delimited substitutions as above, and set the virusscan_notification_template option in imapd.conf(5) to its path.

The notification message will be properly MIME-encoded at delivery. Do not pre-encode the template file or the subject!

When cyr_virusscan starts up, if notifications have been requested (with the -n flag), a basic sanity check of the template will be performed prior to initialising the antivirus engine.  If it appears that the resultant notifications would be undeliverable for some reason, cyr_virusscan will exit immediately with an error, rather than risk deleting messages without notifying.
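
An added example (not part of Cyrus, and not the sanity check cyr_virusscan itself performs): a pre-flight lint for a custom notification template that checks the file is valid UTF-8, is not pre-encoded, and uses only the substitutions shown in the default template above. The function name, the sample templates, and the choice to flag any other %NAME% as a likely typo are assumptions of this example.

```python
import re
import sys

# Substitutions that appear in the default template on this page. Whether
# cyr_virusscan accepts others is not stated there, so anything else is flagged.
KNOWN_TOKENS = {"MAILBOX", "VIRUS", "MSG_ID", "MSG_DATE",
                "MSG_FROM", "MSG_SUBJECT", "MSG_UID"}
TOKEN_RE = re.compile(r"%([A-Z][A-Z0-9_]*)%")
# Signs of pre-encoding: RFC 2047 encoded-words and quoted-printable byte runs.
ENCODED_WORD_RE = re.compile(r"=\?[^?\s]+\?[BbQq]\?[^?\s]*\?=")
QP_RUN_RE = re.compile(r"(?:=[0-9A-F]{2}){2,}")


def lint_template(raw: bytes) -> list[str]:
    """Return a list of problems found in a template; empty means it passed."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [f"not valid UTF-8 at byte {exc.start}"]
    problems = []
    if not text.strip():
        problems.append("template is empty")
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ENCODED_WORD_RE.finditer(line):
            problems.append(f"line {lineno}: pre-encoded MIME word {m.group(0)!r}")
        for m in QP_RUN_RE.finditer(line):
            problems.append(f"line {lineno}: quoted-printable bytes {m.group(0)!r}")
        for m in TOKEN_RE.finditer(line):
            if m.group(1) not in KNOWN_TOKENS:
                problems.append(f"line {lineno}: unknown substitution %{m.group(1)}%")
    if not problems and not (set(TOKEN_RE.findall(text)) & KNOWN_TOKENS):
        problems.append("no substitutions used: the notice would not identify the message")
    return problems


# Constructed sample templates (not from the Cyrus distribution).
GOOD = ("Removed from '%MAILBOX%' (detected: %VIRUS%)\n"
        "    Subject: %MSG_SUBJECT%\n    IMAP UID: %MSG_UID%\n").encode("utf-8")
BAD_ENCODING = b"Caf\xe9 %MAILBOX%\n"            # Latin-1 byte, not UTF-8
BAD_CONTENT = (b"=?UTF-8?B?R2Vsw7ZzY2h0?= from %MAILBOX%\n"
               b"Subject: %MSG_SUBJCT%\n")        # pre-encoded + misspelt token

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD_CONTENT
    issues = lint_template(data)
    for issue in issues:
        print(issue)
    sys.exit(1 if issues else 0)
```

Run it against the template file before scheduling a job that uses -r -n; a non-zero exit status means the template needs attention.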

Examples

cyr_virusscan

Scan all mailboxes, printing report on the screen.  Do not remove infected messages.

cyr_virusscan -r -n user/bovik

Scan mailbox user/bovik, removing infected messages and appending notifications to Bovik's inbox.

cyr_virusscan -r -n -s 'SUBJECT "Fedex"' user/bovik

Search mailbox user/bovik for messages which have Fedex in the subject line, removing them all, and appending notifications to Bovik's inbox.

History

Virus scan support was first introduced in Cyrus version 3.0.

Files

/etc/imapd.conf

See Also

imapd.conf(5), master(8), ClamAV

Author

The Cyrus Team, Nic Bernstein (Onlight)

Referenced By

imapd.conf(5).

May 06, 2024 3.8.3 Cyrus IMAP