Scanning IMAP traffic without user credential storage

[Beeblebrox]

Hello.
There isn't much documentation on email scanning for OPNsense gateway. I'm more interested in incoming IMAP4s (port 993, gmail) than outgoing mail and no POP3 necessary. Unless I'm completely missing something obvious,

* Is mail scanning relegated to IDS Suricata?
* Certain view points argue against mail scanning if the spam engine is doing a good job, but I don't find it convincing.
* Looks like I'll have to setup a mail proxy, but I don't want an MTA that requires user credential maintenance or caching. The proxy should directly pass credentials from client (ex mobile device) on to the main server, and handoff to ClamAV for scanning.
* I found proxies that can do this: mail/perdition & of course www/nginx (which was initially designed as a mail proxy). There's mail/mailscanner, but looks like it requires an MTA back-end and not sure if its able to scan in-flight.

I welcome any thoughts & ideas...

Some Resources:
Configuring Perdition for Gmail IMAPS
Comparison of Perdition vs Nginx (slideshow)