Understanding IMAP Antivirus Scanning

If IMAP (Internet Message Access Protocol) antivirus scanning is enabled in a content security profile, the security device redirects traffic from a local mail server to the internal antivirus scanner before sending it to the local IMAP client.

This is a general description of how IMAP traffic is intercepted, scanned, and acted upon by the antivirus scanner.

  1. The IMAP client downloads an e-mail message from the local mail server.
  2. The security device intercepts the e-mail message and passes the data to the antivirus scanner, which scans it for viruses.
  3. After completing the scan, the security device follows one of two courses:
    • If there is no virus, the device forwards the message to the client.
    • If there is a virus, the device sends a message reporting the infection to the client.

    Note: See Protocol-Only Virus-Detected Notifications for information on protocol-only notifications for IMAP.

Understanding IMAP Antivirus Mail Message Replacement

If the antivirus scanner finds a virus in an e-mail message, the original message is dropped: the message body is truncated and its content is replaced by a notification that may appear as follows:

Content-Type: text/plain

Your mail <src_ip>:<src_port> - <dst_ip>:<dst_port> contains contaminated file <filename> with virus <virusname>, so it is dropped.
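The interception sequence and the message replacement above can be made concrete with a small model of the device sitting between the IMAP server and client. This is an added example and not Juniper code: it takes an untagged FETCH response that carries a message literal, hands the message to a stand-in scanner (a constructed byte pattern, not a real signature), and either forwards the response unchanged or rewrites the literal with the replacement text in the documented format. The addresses, the signature and the sample message are all constructed for the example. One detail the page does not spell out but that any inline rewriter must get right: the literal's byte count has to be recomputed for the replacement body, otherwise the client's IMAP parser loses sync with the stream.

```python
"""Toy model of the IMAP download scan path: intercept, scan, forward or replace.

Added example, not Juniper code. The scanner is a constructed stand-in.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the antivirus engine: a byte pattern and the name it
# is reported under. A real engine uses a signature database; this pattern is
# not real malware and only exists to drive the flow.
SIGNATURES = {b"DEMO-TEST-PATTERN-NOT-REAL-MALWARE": "Demo.TestPattern"}

# Untagged FETCH response opening a message literal: "* 1 FETCH (BODY[] {123}\r\n"
LITERAL_RE = re.compile(rb"^\* (\d+) FETCH \((BODY\[\]|RFC822) \{(\d+)\}\r\n")


def scan_message(raw: bytes):
    """Return (filename, virusname) for the first infected MIME part, else None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        for pattern, name in SIGNATURES.items():
            if pattern in payload:
                return part.get_filename() or "(inline)", name
    return None


def replacement_body(src_ip, src_port, dst_ip, dst_port, filename, virusname) -> bytes:
    """Text that replaces a dropped message, in the format documented above."""
    return (
        "Content-Type: text/plain\r\n\r\n"
        f"Your mail {src_ip}:{src_port} - {dst_ip}:{dst_port} contains "
        f"contaminated file {filename} with virus {virusname}, so it is dropped.\r\n"
    ).encode()


def build_fetch_response(seq: int, raw: bytes) -> bytes:
    """Wrap a message in an untagged FETCH response with a literal, as a server would."""
    return b"* %d FETCH (BODY[] {%d}\r\n" % (seq, len(raw)) + raw + b")\r\n"


def rewrite_fetch_response(response: bytes, src, dst):
    """Return ('pass', response) or ('drop', rewritten response) for the client."""
    m = LITERAL_RE.match(response)
    if not m:
        raise ValueError("not an untagged FETCH response carrying a literal")
    seq, item, size = m.group(1), m.group(2), int(m.group(3))
    start = m.end()
    raw, trailer = response[start:start + size], response[start + size:]
    hit = scan_message(raw)
    if hit is None:
        return "pass", response
    filename, virusname = hit
    body = replacement_body(*src, *dst, filename, virusname)
    # Re-emit the literal with its byte count corrected for the new body.
    return "drop", b"* " + seq + b" FETCH (" + item + b" {%d}\r\n" % len(body) + body + trailer


def literal_is_consistent(response: bytes) -> bool:
    """Check that the announced literal size matches the bytes actually present."""
    m = LITERAL_RE.match(response)
    if not m:
        return False
    return response[m.end() + int(m.group(3)):] == b")\r\n"


def build_sample(infected: bool) -> bytes:
    """Constructed sample message with one attachment (not real mail traffic)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attachment.")
    data = b"DEMO-TEST-PATTERN-NOT-REAL-MALWARE" if infected else b"plain bytes"
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename="report.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    # src is the mail server side of the flow, dst the IMAP client (constructed).
    src, dst = ("192.0.2.10", 143), ("198.51.100.7", 51023)
    for infected in (False, True):
        verdict, out = rewrite_fetch_response(
            build_fetch_response(1, build_sample(infected)), src, dst)
        print(verdict, out[:64])
```

Running the block prints "pass" for the clean sample and "drop" followed by the rewritten FETCH response for the infected one. The scanner decodes each MIME part before matching, which is the minimum a real engine must do, since a base64-encoded attachment never contains its own plaintext signature.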

Understanding IMAP Antivirus Sender Notification

If notify-sender-on-virus is set and the message is dropped due to a detected virus, an e-mail is sent to the mail sender. The content of the e-mail may appear as follows:

From: <admin>@<gateway_ip>
To: <sender_e-mail>
Subject: Mail Delivery Failure

This message is created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients for the reason:

<src_ip>:<src_port> - <dst_ip>:<dst_port> contaminated file <filename> with virus <virusname>.

e-mail Header is:
<header of scanned e-mail>

If notify-sender-on-error-drop is set and the message is dropped due to a scan error, an e-mail is sent to the mail sender of the scanned message. The content of the e-mail may appear as follows:

From: <admin>@<gateway_ip>
To: <sender_e-mail>
Subject: Mail Delivery Failure

This message is created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients for the reason:

<src_ip>:<src_port> - <dst_ip>:<dst_port> <reason>.

e-mail Header is:
<header of scanned e-mail>

Understanding IMAP Antivirus Subject Tagging

If a scan error is returned and the fail mode is set to pass, the antivirus module passes the message through to the IMAP client unscanned. If notify-recipient-on-error-pass is set, the following string is appended to the end of the Subject field so that the recipient can see the message was not checked:

(No virus check: <reason>)

Understanding IMAP Antivirus Scanning Limitations

Mail Fragments — It is possible to split one e-mail into multiple parts and send each part as a separate message (MIME message/partial), which the receiving client reassembles. This is called mail fragmenting, and mail clients that support it use it to send and receive large e-mails. The antivirus scanner does not support scanning of mail fragments; in such cases the message body is not scanned.

Partial Content — Some mail clients handle e-mails of different sizes differently. For example, small e-mails (less than 10 KB) are downloaded as a whole, while larger e-mails (for example, up to 1 MB) are requested from the IMAP server in 10 KB pieces using partial-content fetches. The antivirus scanner does not support scanning of partial content requests, so message bodies transferred this way are not scanned.

IMAP Uploads — Only antivirus scanning of IMAP downloads is supported. IMAP upload traffic (messages the client stores on the server) is not scanned.
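The three limitations above all amount to IMAP traffic that the download scan path never inspects, so a practitioner auditing what the profile actually covers needs to recognise them in the protocol. The following is an added example, not Juniper code, that classifies IMAP client commands and message headers against those limitations: a partial-content fetch (a BODY[...] item with an <offset.count> suffix), a mail fragment (Content-Type: message/partial) and an upload (APPEND). The sample commands and headers are constructed for the example.

```python
"""Classify IMAP transfers by whether the download scan path covers them.

Added example, not Juniper code. Sample commands and messages are constructed.
"""
import re
from email import policy
from email.parser import BytesHeaderParser

# Tagged client command: "<tag> [UID] FETCH <sequence-set> <items>".
FETCH_RE = re.compile(r"^\S+\s+(?:UID\s+)?FETCH\s+\S+\s+(.*)$", re.I)
# An <offset.count> suffix on a BODY[...] item asks for a slice of the message.
PARTIAL_RE = re.compile(r"BODY(?:\.PEEK)?\[[^\]]*\]<\d+\.\d+>", re.I)
# APPEND is how a client uploads a message into a mailbox on the server.
APPEND_RE = re.compile(r"^\S+\s+APPEND\s", re.I)


def classify_command(line: str) -> str:
    """'scanned' for a whole-message download, else why the scanner will not see it."""
    line = line.strip()
    if APPEND_RE.match(line):
        return "unscanned: upload (APPEND)"
    m = FETCH_RE.match(line)
    if not m:
        return "not a message transfer"
    if PARTIAL_RE.search(m.group(1)):
        return "unscanned: partial content fetch"
    return "scanned"


def is_fragment(raw: bytes) -> bool:
    """True when the message is one piece of a fragmented e-mail (message/partial)."""
    headers = BytesHeaderParser(policy=policy.default).parsebytes(raw)
    return headers.get_content_type() == "message/partial"


def classify_message(raw: bytes) -> str:
    """'scanned' for a whole message, else the limitation that applies."""
    return "unscanned: mail fragment" if is_fragment(raw) else "scanned"


# Constructed sample traffic (not captured from a real session).
SAMPLE_COMMANDS = [
    "a003 FETCH 1 BODY[]",
    "a004 UID FETCH 57 (FLAGS BODY.PEEK[]<0.10240>)",
    "a005 FETCH 2 BODY[1]<10240.10240>",
    "a006 APPEND INBOX (\\Seen) {310}",
    "a007 NOOP",
]

SAMPLE_FRAGMENT = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: big attachment (part 1 of 3)\r\n"
    b"Message-ID: <frag1@example.com>\r\n"
    b'Content-Type: message/partial; id="whole@example.com"; number=1; total=3\r\n'
    b"\r\n"
    b"...first 10 KB of the original message...\r\n"
)

SAMPLE_WHOLE = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: hello\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
)


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd:50} -> {classify_command(cmd)}")
    print("fragment ->", classify_message(SAMPLE_FRAGMENT))
    print("whole    ->", classify_message(SAMPLE_WHOLE))
```

The practical consequence of the output is the caveat a practitioner should carry away from this section: a client that always fetches in 10 KB slices, or a sender who fragments a message, keeps the body out of the gateway scanner entirely, so the IMAP profile is not a substitute for protection on the endpoint.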

Related Topics

JUNOS Software Feature Support Reference for SRX Series and J Series Devices