How can I scan all existing scalix mail boxes for virus?

[cenetadmin]

Is it possible to scan existing scalix mail boxes for virus? If so how can I do this? If not, what procedure do we use to scan for viruses in the mail boxes?

Thanks

Eric

[Valerion]

I would suggest either a client-side scanner (Outlook plugin, maybe) or a virus scanner that can scan via IMAP.

If you want to, you can scan /var/opt/scalix/data (Scalix 10), but be warned that this may generate false positives (leading to lost legitimate email if deleted). You should NOT delete from this directory without understanding how it impacts the whole mailstore structure. You can, however, trace this information back to the user mailbox and delete it with a proper client afer verifying it is indeed a virus.

[cenetadmin]

Thanks

Eric

[Marc]

You can, however, trace this information back to the user mailbox...

This is probably a dumb question, but could you give a hint on how to do that? I scanned our mailstore and found a bunch of stuff like "/var/opt/scalix/data/000000u/0004aum: Worm.SCO.A FOUND". Now how do I connect 000000u/0004aum to a username?


Marc

[Valerion]

Not a stupid question at all. The structure is not easy to reverse, since the mail server aways searches forward (from the root down).

There's two ways of doing it. The first is using omcontain to track the information. The other is to trace the structure of the mailstore. This is from an old HP OpenMail document I have, describing both options:

Code: Select all

It looks like the item browser is having trouble rendering
a message as mime. The message *could* be related to the
container ~/data/0000028/00046ge:2

If you cannot find the message in question with another
client you will need to build a snapshot structure log of the
message store to find were the message is attached, as openmail
does not store upward links. This is quite complicated
so the best option is to try to find the message but here
goes.

Do the following - it might take a while!

Create a record of the message store structure with.

omscan -av -l /tmp/BIGLOGFILE

convert this into a database
omupdtis -I -d 2 -l /tmp/BIGLOGFILE -v > /tmp/EvenBiggerFile

(this needs space in /var/opt/openmail, log size x2)

You can then look in /tmp/EvenBiggerFile to find were
the above container file is attached. Working up the tree you
will get to something like

~/user/g0000023/0000001

The g directory bit is the OpenMail user ID, look at the owner
of the corresponding ~/user/u0000023 directory to see who it
is.

0000001 is the Intray, 2 is the outtray, 3 pending tray,
4 Filing cabinet, 5 distribution list area.

To match the attach position of an item use the omgui client
and set the sorting to unsorted.


Alternatively if you know the omcontain password you can
(O)pen the file above and then work back up the message
store tree with the (F)ind all parents option.

When you have finished with the database delete it with

omupdtis -I -d 2

[Marc]

Valerion, thanks for the instructions. I don't mind taking the long route, but if I understand this correctly, I could use omcontain also to delete the files directly instead of having the users scan their mailboxes with a virus scanner, right?

Now what do I have to do to get this legendary omcontain-password?


Marc

[Valerion]

Have a look at this thread

http://www.scalix.com/community/viewtop ... n+password

Be warned, though, the tools in /opt/scalix/diag can SERIOUSLY mess up your mailstore if used incorrectly. They allow you to modify the mailstore in whatever way you see fit and assume it is correct. Usually used for serious disaster / corruption recovery.

[Marc]

Sounds scary. I better explain what I'm trying to achieve, maybe there's a better way to do that. We're having frequent issues with file ownership and file permissions in the mailstore, an omcheck keeps logging a lot of lines like

# Uid is 60588 (UNKNOWN) should be 100 (scalix)
chown scalix /var/opt/scalix/data/000000j/00hd9eg

and

# Mode is 664 (-rw-rw-r--) should be 660 (-rw-rw----)
chmod 660 /var/opt/scalix/user/g000072/000003v.1

They are not the same as the infected files, they don't always belong to the same user... I couldn't find any definite pattern which files would show up in the scan output yet.

Support told us it might be related to infected mails, and though I fail to see why SLES should care or even know if a file contains a virus and refuse to change the owner or permissions on it, I'm trying to get rid of everything clamscan doesn't like.

Is there a recommended "best practice" how to do that?


Marc

[Valerion]

If you fix the permission errors, does it then at some point in the future change again? This would suggest a script/app somewhere on the server that changes permissions. Scalix itself will not change ownership of files, not to a random user.

[Marc]

If you fix the permission errors, does it then at some point in the future change again?

Yes. Currently these are about 1200 files all belonging to the same user. This isn't always the case, sometimes they belong to several (and different) users.

The only thing that has access to any files on the server directly is our backup (amanda), and I'm sure it doesn't change permissions.

Scalix itself will not change ownership of files, not to a random user.

Doesn't it need to at some point? The in.imap41ds are all running with virtual user ids, could this somehow happen when someone copies files between different folders?


Marc

[Valerion]

Yes. Currently these are about 1200 files all belonging to the same user. This isn't always the case, sometimes they belong to several (and different) users.

Can you spot any patterns in the users it's being owned as? Maybe some directories are owned by some users, or they are owned by only a small number of users, or maybe all files older/newer than a certain age are incorrect.

Doesn't it need to at some point? The in.imap41ds are all running with virtual user ids, could this somehow happen when someone copies files between different folders?Marc

Not neccesarily. The IMAP daemon uses the Remote Client Interface, which (I think) talks to the Container Access Monitor to access the mailbox. The IMAP daemon doesn't directly talk to it. Though I do notice that the files in ~/user/u* are owned by the system ID of the person whose mailbox it is. However, if Scalix was changing the permissions on files in ~/data, I would see it on my server as well. Most of my users use SWA, which also runs over IMAP.

[Marc]

Can you spot any patterns in the users it's being owned as? Maybe some directories are owned by some users, or they are owned by only a small number of users, or maybe all files older/newer than a certain age are incorrect.

No, nothing definite. A lot but not all of them are empty, filesize 0 bytes. ctime is always < date of the last time I used the omcheck output to correct permissions. That's why I thought they might be leftovers from some move or delete operation.

They seem not to do any harm, but I currently have about 8000 files with 0 bytes in the ~/data folder and I don't think they are supposed to be there.

The non-empty files with wrong owners/permissions are sometimes normal mails in ~/data and sometimes files in ~/user that seem to contain snippets of the system directory (all lines with usernames and mailaddresses), but there are only very few of them.


Marc

[Valerion]

Must admit I am a bit lost here, I can't imgaine why this behaviour would happen.

I would suggest doing a omcheck (both installed components and mail store), then do an active omscan afterwards to see if that resolves the 0-byte file issues. Otherwise we will have to wait for someone who has seen this before to assist us.

[jaime.pinto]

I know the scalix mailstore is not maildir or mbox format, but its own form of an "expanded" directory tree.

The question is: if we run Clamscan will it ruin the entire mailbox?

I say this because we replicate the mailstore onto another server every evening, and on the backup server we're constantly detecting virus, but not with the ClamAV that runs on the original scalix server. For ex.:
/backups/scalix/m2/s/data/000009v/002v04a: HTML.Phishing.Bank-391 FOUND
/backups/scalix/m2/s/data/00000fj/0065bju: Worm.Stration.pac-1 FOUND
/backups/scalix/m2/s/data/00000go/0065co2: HTML.Phishing.Pay-211 FOUND
/backups/scalix/m2/s/data/00000io/0065eon: Trojan.Downloader-11827 FOUND

If the above files are moved into quarantine, how does that affect the users on the client side?

[Valerion]

Scalix stores files in a binary format. As such it is possible you will get false positives. If you scan the mailbox structure and find a virus, it should be examined from the client side, as that will give you an authoratitve answer.

If you manage to move certain files out to another directory, you have messed up the mail store integrity, from a Scalix point of view. Run an active (not passive) omscan in fix mode directly afterwards. Chances are good it will simply remove the missing links.

Also, some emails will now be inconsistent between a SmartCache profile and the server, leading to possible issues there, I am not sure how Scalix will handle bodyparts going missing on the server and not in the cache.