Email AV

CSM scans email attachments in real-time using ClamAV and YARA-X on the Exim mail spool.

How It Works

  1. fanotify watches the Exim spool directory for new messages
  2. Attachments are extracted and scanned by ClamAV (socket) and YARA-X (if available)
  3. Zip and tar.gz attachments are unpacked within configured size and file limits
  4. Extracted parts are staged under state_path/emailav-tmp, which must stay daemon-owned and private
  5. Attachment names written to logs and the UI use sanitized base names
  6. Infected messages are quarantined with full metadata
  7. Sender, recipient, and message ID are logged
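The pipeline above, steps 2 through 7, as an added example that is not CSM's own code: it extracts the attachments of one raw message, unpacks zip and tar.gz parts while enforcing a part count, a per-part size and a total size (archive headers can lie about member sizes, so the declared size is checked first and then verified while reading), reduces every attachment name to a sanitized base name before it reaches a log line, and streams each part to clamd with the `INSTREAM` command. The limits, the clamd socket path (`/var/run/clamav/clamd.ctl`), the sample message and the `fake_scan` stand-in are assumptions constructed for the example; CSM reads its real limits from its configuration.

```python
"""Added example (not CSM's code): attachment extraction, bounded archive unpacking,
name sanitizing and clamd INSTREAM scanning for one raw message. Limits and the
socket path are assumptions; CSM reads its own values from configuration."""
import email
import io
import posixpath
import re
import socket
import struct
import tarfile
import zipfile
from email import policy
from email.message import EmailMessage

MAX_PARTS = 50                       # assumed: max members unpacked per archive
MAX_PART_BYTES = 10 * 1024 * 1024    # assumed: max size of one extracted part
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed: max total unpacked bytes (zip-bomb guard)
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumed clamd socket path
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

class LimitExceeded(Exception):
    """An archive exceeded the part-count or size limits."""

def sanitize_name(name):
    """Base name only (either separator), unsafe characters replaced, bounded length."""
    base = posixpath.basename((name or "").replace("\\", "/"))
    base = _UNSAFE.sub("_", base).strip("._")
    return base[:128] or "unnamed"

def _members(name, data):
    """Yield (member_name, declared_size, file_object) for zip/tar.gz, else the blob itself."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    with zf.open(info) as fh:
                        yield info.filename, info.file_size, fh
    elif name.lower().endswith((".tar.gz", ".tgz")):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
            for m in tf:
                if m.isfile():
                    yield m.name, m.size, tf.extractfile(m)
    else:
        yield name, len(data), io.BytesIO(data)

def unpack(name, data):
    """Return [(safe_name, bytes)] for an attachment or its archive members, within limits.
    The declared size is checked first, then verified by reading at most limit+1 bytes,
    because archive headers can lie."""
    parts, total = [], 0
    for mname, declared, fh in _members(name, data):
        if len(parts) >= MAX_PARTS:
            raise LimitExceeded("too many parts")
        if declared > MAX_PART_BYTES or total + declared > MAX_TOTAL_BYTES:
            raise LimitExceeded("declared size over limit")
        content = fh.read(MAX_PART_BYTES + 1)
        if len(content) > MAX_PART_BYTES or total + len(content) > MAX_TOTAL_BYTES:
            raise LimitExceeded("actual size over limit")
        total += len(content)
        parts.append((sanitize_name(mname), content))
    return parts

def instream_frames(data, chunk=8192):
    """Encode a buffer for clamd's zINSTREAM command: big-endian length-prefixed
    chunks terminated by a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))
    return b"".join(out)

def parse_clamd_reply(reply):
    """'stream: OK' -> None; 'stream: <Signature> FOUND' -> '<Signature>'."""
    text = reply.decode(errors="replace").strip("\0\n ")
    return text[len("stream: "):-len(" FOUND")] if text.endswith(" FOUND") else None

def clamd_scan(data):
    """Scan one buffer through the clamd Unix socket; returns the raw reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(CLAMD_SOCKET)
        s.sendall(instream_frames(data))
        return s.recv(4096)

def scan_message(raw, scan=clamd_scan):
    """Extract attachments from a raw RFC 5322 message, unpack archives within limits
    and scan every part. Returns (metadata for the log line, [(part_name, verdict)])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    meta = {h: str(msg.get(h, "")) for h in ("From", "To", "Message-ID")}
    findings = []
    for part in msg.iter_attachments():
        raw_name = part.get_filename() or "attachment"
        try:
            pieces = unpack(raw_name, part.get_payload(decode=True) or b"")
        except (LimitExceeded, zipfile.BadZipFile, tarfile.TarError) as exc:
            findings.append((sanitize_name(raw_name), f"unpack-error: {exc}"))  # suspicious, not clean
            continue
        for pname, content in pieces:
            sig = parse_clamd_reply(scan(content))
            if sig:
                findings.append((pname, sig))
    return meta, findings

def build_zip(entries):
    """Constructed in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()

def build_sample_message():
    """Constructed sample message: a zip holding a marker file under a traversal-style
    name, plus a text attachment whose filename also attempts traversal."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.test", "user@example.test"
    msg["Message-ID"] = "<constructed-1@example.test>"
    msg.set_content("see attached")
    msg.add_attachment(build_zip({"docs/../invoice.exe": b"CONSTRUCTED-TEST-MARKER", "readme.txt": b"hi"}),
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment("plain text", filename="../../etc/passwd")
    return msg.as_bytes()

def fake_scan(data):
    """Offline stand-in for clamd: flags only the constructed marker string."""
    return b"stream: Test.Marker FOUND\0" if b"CONSTRUCTED-TEST-MARKER" in data else b"stream: OK\0"
```

Running `scan_message(build_sample_message(), scan=fake_scan)` yields the sender, recipient and message ID for the log line plus one finding, `("invoice.exe", "Test.Marker")`: the `docs/../` prefix and the `../../etc/passwd` filename never reach the output. An unpack failure is recorded as a finding rather than silently treated as clean, which is the safer default for a quarantine decision.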

Web UI

The Email page (/email) shows:

  • AV watcher status (active, engine health)
  • Scan statistics (scanned, infected, quarantined)
  • Quarantined email list with release/delete actions

API Endpoints

GET  /api/v1/email/stats         Scan statistics
GET  /api/v1/email/quarantine    Quarantined email list
GET  /api/v1/email/av/status     AV watcher status
POST /api/v1/email/quarantine/   Release or delete quarantined email

  • email_content - scans outbound email body for credentials and suspicious URLs
  • email_weak_password - detects email accounts with weak passwords
  • email_forwarder_audit - audits forwarders for exfiltration redirects
  • mail_queue - alerts on queue buildup (spam outbreak indicator)
  • mail_per_account - per-account sending volume spikes
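The last two checks describe detection logic rather than an API, so here is an added example of how a per-account sending-volume spike and a queue buildup can be detected; it is not CSM's implementation. It reads Exim mainlog arrival lines (`<=` records carrying an `A=authenticator:account` field) through a sliding window per authenticated account, and parses the count printed by `exim -bpc` for the queue check. The log lines, the Exim message IDs, the 10-minute window and the thresholds are constructed assumptions.

```python
"""Added example (not CSM's code): per-account sending spike detection over Exim
mainlog arrival lines, plus a queue-size check on `exim -bpc` output. The log
lines, window and thresholds are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exim mainlog arrival line: "<date> <time> <id> <= <sender> ... A=<authenticator>:<account> ..."
ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) .*?\bA=[\w-]+:(\S+)")
WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 5                    # assumed: more than this many messages per window is a spike
QUEUE_THRESHOLD = 500            # assumed: queued messages that indicate an outbreak

def parse_arrival(line):
    """Return (timestamp, message_id, envelope_sender, account) for an authenticated
    arrival line, or None for anything else (inbound mail, deliveries, defers)."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

class SpikeDetector:
    """Keeps, per account, the arrival times inside the window and alerts once per
    account when the count passes the threshold."""
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)
        self.alerted = set()

    def feed(self, line):
        rec = parse_arrival(line)
        if rec is None:
            return None
        ts, msgid, sender, account = rec
        q = self.recent[account]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop arrivals that fell out of the window
            q.popleft()
        if len(q) > self.threshold and account not in self.alerted:
            self.alerted.add(account)
            return {"check": "mail_per_account", "account": account, "count": len(q),
                    "window_minutes": int(self.window.total_seconds() // 60),
                    "last_id": msgid, "last_sender": sender}
        return None

def queue_buildup(bpc_output, threshold=QUEUE_THRESHOLD):
    """`exim -bpc` prints the number of queued messages; return an alert above threshold."""
    count = int(bpc_output.strip() or 0)
    if count > threshold:
        return {"check": "mail_queue", "queued": count, "threshold": threshold}
    return None

def _line(ts, seq, account, rcpt):
    # Constructed authenticated-submission line in Exim mainlog style
    return (f"{ts} 1rAbCd-{seq:06d}-Aa <= {account} H=(client) [192.0.2.10] P=esmtpsa "
            f"A=dovecot_login:{account} S=1200 for {rcpt}")

SAMPLE_LOG = [  # constructed; chronological as a real mainlog would be
    _line("2024-03-01 10:00:01", 1, "alice@example.test", "bob@example.test"),
    "2024-03-01 10:00:05 1rAbCd-000002-Ab <= <> H=mx.example.net [198.51.100.7] P=esmtps S=900 for alice@example.test",
    "2024-03-01 10:01:00 1rAbCd-000003-Ac => bob@example.test R=dnslookup T=remote_smtp",
] + [_line(f"2024-03-01 10:0{2 + i // 2}:{30 * (i % 2):02d}", 10 + i, "bob@example.test", f"r{i}@example.net")
     for i in range(6)] + [
    _line("2024-03-01 10:40:00", 20, "alice@example.test", "carol@example.test"),
]

def run(lines):
    """Feed every line through one detector and collect the alerts."""
    det = SpikeDetector()
    return [a for a in map(det.feed, lines) if a]
```

Over the constructed log, `run(SAMPLE_LOG)` returns a single alert for `bob@example.test` with a count of 6 on the sixth submission inside three minutes; alice's two messages an hour apart stay silent, and the unauthenticated inbound line and the delivery line are ignored because they carry no `A=` field.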