  #1 (permalink)  
Old 09-26-2011, 09:13 AM
Trained Alumni
 
Posts: 29
Question Best Practice virus.quarantine

Hi out there,

I wanted to discuss the best practice for handling quarantined mails.

Since the update from ZCS 6.x.x to 7.1.2, more and more notifications from customers are coming in reporting mails moved to quarantine - mostly because of encrypted PDFs. Before the update we haven't had those problems. Don't know what damn filter rule has changed and I don't want to search for hours and try for months to find the best settings...

To bring it to the point:

I am searching for a good way to handle those quarantined mails. I've learned from the google-oracle that there is no nice and easy way to release those mails, but I also don't want the customer to call me for every mail with a PDF attached.

So I thought about moving all mails from one customer into a folder in the inbox of the virus-quarantine.XYZ@domain.de account with a filter and then sharing this folder with the customer (surely with explaining to him what this is and warning him against opening one of these mails without double checking).

  • What do you think of this idea?
  • It would be great to have the possibility to have these mails deleted after 30 days. Any ideas?
  • Also I am wondering what would happen, if the customer syncs this folder with the Outlook Connector. Will his antivirus run wild?

I'm thankful for every comment and help. I hope that more Zimbra-admins are interested in this issue and I can start a discussion in this thread.
How do you handle quarantined mails?

Regards,
Steffen
__________________
ZCS NETWORK edition 7.1.2 (GA 3268) - Ubuntu 8 LTS 64bit
  #2 (permalink)  
Old 09-26-2011, 12:38 PM
Advanced Member
 
Posts: 212
Default

I had to disable flagging on encrypted PDFs. It's becoming a more popular thing to password protect PDF files, at least with our infrastructure. I ensure I have up to date virus protection on the client machines as well.

I am wondering about a nice way to release the quarantined emails as well. I had to forward a few out of the box, then I get phone calls about those emails because they came from the quarantine mailbox, not my own.
  #3 (permalink)  
Old 10-11-2011, 08:14 AM
Moderator
 
Posts: 1,432
Default

Bug 8454 – Quarantined email management functions

Note that the script mentioned in the (current) last comment is for older versions of Zimbra. In another thread, I mentioned how I used zmlmtpinject to release quarantined messages in ZCS 6. Not sure either of these would work in 7.

I agree that if someone is sending/receiving a lot of (legitimate) encrypted PDFs, there's no point in filtering them out. In my opinion, the whole point of quarantine is to interpose a layer of human-administrator caution into the process of opening a suspect email.

That said, if you want to, essentially, deliver all suspect emails (possibly with certain additional criteria such as source address), then using a filter and a shared folder sounds like a good idea. The local A/V of your customer will see any (true) viral attachments if your customer uses ZCO or IMAP, but I don't think that should be a concern.

As for the emails being retained for exactly 30 days, that's what happens with all emails in the quarantine account. It shouldn't matter where the mails are filed, see http://www.zimbra.com/docs/ne/latest...on_Policy.html

Also see Bug 65475 – quarantined email is retained for 30 days, not 7. At the moment my observation is that mail is retained in quarantine for 30 days even though the account setting is 7 days. If this is fixed, though, you should still be able to set the retention to whatever you want, as described in the admin guide.
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
  #4 (permalink)  
Old 10-12-2011, 03:48 AM
Trained Alumni
 
Posts: 29
Default

@ewilen: Thanks for your opinion. I have read about this php-script to show the quarantine-folder and I gave it a try. But this doesn't solve my problems. Also the "download"-button doesn't work for me. I guess it's a unix-right-problem - haven't found time to debug this yet...

I also got in touch with this 7-day-retaining-"bug" as I wanted to change settings and the web-admin-console told me that I have to set the value to a minimal value of 30, although I haven't changed this value. I guess this was a missing-communication-problem between different developers ;-)
__________________
ZCS NETWORK edition 7.1.2 (GA 3268) - Ubuntu 8 LTS 64bit