Results 1 to 4 of 4

Thread: Virus not blocked in archive mailbox

  1. #1
    tvtsg is offline Junior Member
    Join Date
    Sep 2011
    Posts
    5
    Rep Power
    3

    Default Virus not blocked in archive mailbox

    I am evaluating a multi-server install of Zimbra ZCS 7.12 and have everything working fairly well, except for this one annoying issue. If an incoming message is found to have a virus, or has a password encrypted zip attachment, the message is blocked as expected. Note, I have "Block encrypted archives" option enabled, so the message is not delivered to the user's mailbox, exactly the way I want it to work.

    However, if the account has the archiving feature enabled, the message is delivered to the user's archive mailbox. This probably wouldn't be much of a problem, except that we plan to present the user with a View Only share of the archive mailbox. I don't want the user to have access to any encrypted zip files, period. I've seen too many viruses being sent in this manner. How do I block delivery of encrypted archives to both mailboxes???

    General architecture:

    mx1 - MTA, A/V, A/S, Proxy
    mx2 - LDAP
    mx3 - user mailboxes
    mx4 - archive mailboxes

  2. #2
    soba@ukw.edu.pl is offline Special Member
    Join Date
    Jul 2011
    Posts
    146
    Rep Power
    4

    Default

    Check your configuration for clamd.conf . Clamd have a poor reputation in my opinion. For best virus detection you can use any external antyvirus solution. You can add a different virus scaner in amavisd.conf
    # ZCS 7.1.3 SLES11 SP1

  3. #3
    tvtsg is offline Junior Member
    Join Date
    Sep 2011
    Posts
    5
    Rep Power
    3

    Default

    Soba,

    Thanks for the reply! Unfortunately, due to budget constraints, I need to make this work with the included spam and AV applications. This looks to be a probable configuration issue with amavisd or postfix? What logs should I be looking at? /opt/zimbra/logs/clamd.log shows the virus detection. Where do I look to determine why it decides to forward the message to the archive mailbox?

    Let me explain the problem a different way. Clam DOES detect the virus (and/or encrypted zip file) and it DOES quarantine the message. The issue is, if the account is configured for archiving, a copy of the message is forwarded to the archive mailbox.

    If a message is flagged as spam, it is not forwarded to the archive mailbox. If a message is good, it is forwarded to the archive mailbox. That is exactly how I would expect it to work. I do not want to waste disk space archiving spam.

    The problem is, if a message is flagged as a virus, it should not be forwarded to the archive mailbox, but it is. How do I prevent it this?

    I tried clearing the amavisArchiveQuarantineTo attribute for the account, but that breaks archiving completely.

    Here is the Virus Alert sent to the recipient. Notice that it says the message is quarantined to both the archive account AND the virus quarantine account.

    VIRUS ALERT

    Our content checker found
    virus:

    in an email to you from probably faked sender:
    ?@[38.96.163.28]
    claiming to be: <eicar@aleph-tec.com>

    Content type: Virus
    Our internal reference code for your message is 25596-01/J+lb3TfVSRsA

    First upstream SMTP client IP address: [38.96.163.28]
    spammy.outbound.your-site.com
    According to a 'Received:' trace, the message apparently originated at:
    [38.96.163.28],

    Return-Path: <eicar@aleph-tec.com>
    From: eicar@aleph-tec.com
    Message-ID: <201109221427.p8MERRvJ008794@5081.web.vm.your-site.com>
    X-Mailer: PHP/5.3.2-1ubuntu4.9
    Subject: EICAR anti-virus test file:
    The message has been quarantined as: bryan@tvtsghosting.com.archive, virus-quarantine.iqeofwjpv@tvtsghosting.com

    Please contact your system administrator for details.

  4. #4
    soba@ukw.edu.pl is offline Special Member
    Join Date
    Jul 2011
    Posts
    146
    Rep Power
    4

    Default

    Check your amavisd.conf

    banned_rules = (

    search lines like this:

    'NO-ENCRYPT' => new_RE( qr'.\.(UNDECIPHERABLE)$'i, ),
    'DEFAULT' => new_RE( [ qr'.*' => 0 ]),


    or banned_filename

    check also yor clamd config (/opt/zimbra/conf).

    I don't remember this, but probably Zimbra has GUI feature to enable / disable blocking encrypted archives.
    # ZCS 7.1.3 SLES11 SP1

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Replies: 3
    Last Post: 10-26-2010, 12:36 PM
  2. server dropped connection
    By ferra in forum Installation
    Replies: 20
    Last Post: 10-06-2008, 04:32 PM
  3. can't you help me
    By iwan siahaan in forum Administrators
    Replies: 6
    Last Post: 12-17-2007, 06:53 PM
  4. archive mailbox on OpenSource edition
    By Artturi in forum Administrators
    Replies: 0
    Last Post: 09-08-2007, 04:47 AM
  5. Allow user to view blocked virus email.
    By McPringle in forum Administrators
    Replies: 4
    Last Post: 06-23-2006, 04:22 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •