ClamAV on mdbox instead of maildir

Hedloff

Hello,

How does a ClamAV scan work on mdbox? On maildir it will remove an email that is infected in the same folder when running the command:
clamscan -ri --remove

But in mdbox the emails are compressed together in the same file, how will that work?
 

cPanelMichael

Hello @Hedloff,

I don't recommend using the "--remove" flag with the clamscan command when the mdbox mailbox format is enabled because it can remove legitimate messages. For instance, let's say clamscan finds a virus in an email that's stored on an account using the mdbox format. The output will look like this:

Code:
/home/username/mail/domain.com/test2/storage/m.1: Eicar-Test-Signature FOUND
If you were to add the "--remove" flag to the clamscan command, it would remove the entire /home/username/mail/domain.com/test2/storage/m.1 storage file and thus remove all emails stored in that file.

The better approach is to use clamscan to find the infected files, and then use the doveadm command to further search for and remove the individual email. Here's some information on this topic from our Configure ClamAV Scanner document:

Unlike the maildir mailbox, which stores messages individually, the mbox mailbox format uses a simpler index and bundles messages into files. In order to successfully locate, inspect, and manage files that ClamAV flags on mbox-formatted mailboxes, system administrators need additional expertise with the doveadm command. System administrators unfamiliar with the doveadm command who wish to use ClamAV may wish to convert their server's mailboxes to the maildir format.

For more information about the doveadm command and the mbox format, read Dovecot's MailboxFormat documentation.

For more information on how to convert your server's mailboxes to the maildir format, read our Mailbox Conversion documentation.
Thank you.
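
The clamscan-then-doveadm approach from the reply above, sketched as an added example (not part of the original posts and not cPanel's or Dovecot's own tooling). It assumes the path layout shown in the thread maps to the Dovecot user `localpart@domain`, that doveadm's default output prints a `text:` label line before the message, and the function names are illustrative.

```shell
#!/bin/sh
# Added example; function names are illustrative, not cPanel or Dovecot tooling.

# Turn a clamscan hit on an mdbox storage file into the Dovecot user to inspect.
# Assumes the path layout shown in the thread:
#   /home/<account>/mail/<domain>/<localpart>/storage/m.<N>
# Prints nothing for other hits (e.g. maildir message files).
mdbox_hit_to_user() {
    printf '%s\n' "$1" | sed -n \
        's|^/home/[^/]*/mail/\([^/]*\)/\([^/]*\)/storage/m\.[0-9]*: .* FOUND$|\2@\1|p'
}

# Scan every message of one user separately; print "mailbox-guid uid" per hit.
find_infected() {
    user=$1
    doveadm search -u "$user" all | while read -r guid uid; do
        rc=0
        # sed 1d drops the "text:" field label doveadm prints before the message.
        doveadm fetch -u "$user" text mailbox-guid "$guid" uid "$uid" </dev/null \
            | sed 1d | clamscan --no-summary - >/dev/null || rc=$?
        # clamscan exit codes: 0 clean, 1 virus found, 2 error.
        if [ "$rc" -eq 1 ]; then
            printf '%s %s\n' "$guid" "$uid"
        fi
    done
}

# Read "mailbox-guid uid" lines and expunge only those messages.
# DRY_RUN defaults to 1 and only prints the commands for review.
expunge_infected() {
    user=$1
    while read -r guid uid; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "doveadm expunge -u $user mailbox-guid $guid uid $uid"
        else
            doveadm expunge -u "$user" mailbox-guid "$guid" uid "$uid" </dev/null
        fi
    done
    # mdbox keeps expunged mail in storage/m.N until purged.
    if [ "${DRY_RUN:-1}" != 1 ]; then
        doveadm purge -u "$user"
    fi
}
```

Typical use is `find_infected "$user" | expunge_infected "$user"`, reviewing the printed commands before rerunning with `DRY_RUN=0`.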