  #1 (permalink)  
Old 10-10-2011, 06:33 AM
Elite Member
 
Posts: 469
Default How is quarantine working in 7.1.x ?

I just received an email with a .exe attachment. I got a notification of the following ...

Code:
BANNED CONTENTS ALERT

Our content checker found
    banned name: .exe,.exe-ms,scsi su windows 7/aspi_460/aspiinst.exe

in an email to you from: .........
.....

The message has been quarantined as: banned-n5zPcYRYL+B7

Please contact your system administrator for details.

as I would expect.

However, I was under the impression that the "Virus Quarantine" user account that is created during setup was supposed to get these emails. But, when I log in to the Admin Panel, and "View Mail" for the Virus Quarantine user, there is nothing there.

If I look in the folder /opt/zimbra/data/amavisd/quarantine I can see the file referred to above.

Am I misunderstanding the purpose of the "Virus Quarantine" account ?

Is there some configuration I may be missing that is stopping it working as it should ?

This is a server originally deployed with 6.0.4 and upgraded through most if not all releases up to 7.1.3 at time of writing.

Thanks in advance.
Reply With Quote
  #2 (permalink)  
Old 10-11-2011, 01:44 PM
Moderator
 
Posts: 1,432
Default

I'm still on 7.1.1, upgraded from 6.0.12. The virus quarantine account is getting the viral mails here.

(Minor bug: Bug 65475 – quarantined email is retained for 30 days, not 7)

It sounds like a piece of your configuration wasn't properly updated. Maybe you should check out [SOLVED] How to Move the AntiVirus Quarantine Account

Also maybe check /opt/zimbra/conf/amavisd.conf.in and make sure it has

%%uncomment VAR:zimbraAmavisQuarantineAccount%%$virus_quarantine_to = '%%zimbraAmavisQuarantineAccount%%';
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
Reply With Quote
  #3 (permalink)  
Old 10-11-2011, 02:24 PM
Elite Member
 
Posts: 469
Default

The account is set correctly.

In the file I see

$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_DISCARD;
# $final_bad_header_destiny = D_PASS;

Is this correct ?

Is there anything else I can look for ?
Reply With Quote
  #4 (permalink)  
Old 10-11-2011, 03:06 PM
Moderator
 
Posts: 1,432
Default

All those agree with what I have. Sorry I can't be more help.
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
Reply With Quote
  #5 (permalink)  
Old 10-25-2011, 03:43 AM
New Member
 
Posts: 3
Default

Here follows the current official word on this matter....

Hi again Ray
Looking further into this, it would appear that, for emails found to have anything that is "banned-content", Zimbra simply discards said email into the quarantine folder, and does not send it to an account, as it would if it found a virus.

Below is a sample from our log, after some testing. We had .wmf attachments being discarded as banned. As you can see, the file is given a unique name ("banned-JD-jJwh8c1Nq"), and placed in the quarantine directory (/opt/zimbra/data/amavisd/quarantine/).
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) Checking: JD-jJwh8c1Nq MYNETS [10.21.71.188] <fred@zcs7.cork.zimbralab.com> -> <pierce@zcs7.cork.zimbralab.com>
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) p.path BANNED:1 pierce@zcs7.cork.zimbralab.com: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=image/x-wmf,T=asc,N=test.wmf", matching_key="(?i-xsm:.\\.(wmf)$)"
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) local delivery: <> -> banned-quarantine, mbx=/opt/zimbra/data/amavisd/quarantine/banned-JD-jJwh8c1Nq

I am sorry I can give you nothing better in relation to this Ray.

Regards
Pierce Preston
GSS - Global Support Services
Zimbra, a division of VMware

Pierce advises the use of the following commands to deliver the banned mail directly to the appropriate mailbox (where it appears in an already "Read" condition, not "Unread" as you might expect):

Then, what you will need to do to retrieve the email is run the following command:

$ zmmailbox -z -m <account to send the message to> am "/<Folder to put email>" banned-X

example $ zmmailbox -z -m myuser am "/Inbox" banned-P0x9poP0Xx7F


banned-X is found from:

zimbra@zimbra:~/data/amavisd/quarantine$ ls -lh

Hope this helps....

Last edited by rays; 10-25-2011 at 03:54 AM.. Reason: Addition of the workaround solution
Reply With Quote
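Added example (not part of the original posts and not Zimbra or amavisd code): a small Python parser that correlates the three amavis log lines quoted in post #5 by their session id, so an administrator can see which sender, recipient, attachment name and ban rule belong to each `banned-X` file before releasing it. The line layout is assumed from that sample only, and `banned_quarantine_events` and `release_command` are hypothetical helper names.

```python
import re
import shlex

# Sample input: the three amavis log lines quoted in post #5 above.
SAMPLE_LOG = r'''Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) Checking: JD-jJwh8c1Nq MYNETS [10.21.71.188] <fred@zcs7.cork.zimbralab.com> -> <pierce@zcs7.cork.zimbralab.com>
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) p.path BANNED:1 pierce@zcs7.cork.zimbralab.com: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=image/x-wmf,T=asc,N=test.wmf", matching_key="(?i-xsm:.\\.(wmf)$)"
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) local delivery: <> -> banned-quarantine, mbx=/opt/zimbra/data/amavisd/quarantine/banned-JD-jJwh8c1Nq
'''

PREFIX = re.compile(r'amavis\[\d+\]: \((?P<sid>[\d-]+)\) (?P<msg>.*)$')
CHECKING = re.compile(r'Checking: (?P<mail_id>\S+) .*?<(?P<sender>[^>]*)> -> (?P<rcpts>.*)$')
BANNED = re.compile(r'p\.path BANNED:\d+ \S+: "(?P<parts>.*)", matching_key="(?P<key>.*)"$')
DELIVERY = re.compile(r'local delivery: .* -> banned-quarantine, mbx=(?P<path>\S+)$')


def banned_quarantine_events(log_text):
    """Correlate amavis lines by session id into one record per quarantined mail."""
    sessions, events = {}, []
    for line in log_text.splitlines():
        prefix = PREFIX.search(line)
        if not prefix:
            continue
        sid, msg = prefix['sid'], prefix['msg']
        checking, banned, delivery = CHECKING.match(msg), BANNED.match(msg), DELIVERY.match(msg)
        if checking:  # a new message starts on this session id
            sessions[sid] = {
                'mail_id': checking['mail_id'],
                'sender': checking['sender'],
                'recipients': re.findall(r'<([^>]*)>', checking['rcpts']),
            }
        elif banned and sid in sessions:
            leaf = banned['parts'].split(' | ')[-1]  # assumed: last part is the one that matched
            name = re.search(r',N=(.*)$', leaf)
            sessions[sid]['banned_name'] = name.group(1) if name else None
            sessions[sid]['matching_key'] = banned['key']
        elif delivery and 'banned_name' in sessions.get(sid, {}):
            events.append(dict(sessions.pop(sid), quarantine_file=delivery['path']))
    return events


def release_command(event, account, folder='/Inbox'):
    """Build (not run) the zmmailbox command from the thread, for admin review."""
    return shlex.join(['zmmailbox', '-z', '-m', account, 'am', folder, event['quarantine_file']])


if __name__ == '__main__':
    for ev in banned_quarantine_events(SAMPLE_LOG):
        print(ev)
        print(release_command(ev, ev['recipients'][0]))
```
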
  #6 (permalink)  
Old 10-25-2011, 04:00 AM
Elite Member
 
Posts: 469
Default

Thanks a million for reporting back your findings from zimbra support.

It is not good, but at least it gives me some confidence my configuration is most likely not screwed up.

Time to check the bug report list ...
Reply With Quote
  #7 (permalink)  
Old 10-25-2011, 06:54 AM
Elite Member
 
Posts: 469
Default

I have filed a bug/rfe for this. Please add your vote

Bug 66388 – banned-content emails should go to Virus-Quarantine Account

Thanks
Reply With Quote
  #8 (permalink)  
Old 10-25-2011, 09:15 AM
Moderator
 
Posts: 1,432
Default

Thanks for that update, rays.

Also, the following is good to know.

Quote:
Originally Posted by rays View Post
Then, what you will need to do to retrieve the email is run the following command:

$ zmmailbox -z -m <account to send the message to> am "/<Folder to put email>" banned-X

example $ zmmailbox -z -m myuser am "/Inbox" banned-P0x9poP0Xx7F

banned-X is found from:

zimbra@zimbra:~/data/amavisd/quarantine$ ls -lh

An alternative would probably be to use zmlmtpinject.
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
Reply With Quote
  #9 (permalink)  
Old 10-25-2011, 08:12 PM
Advanced Member
 
Posts: 206
Default

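Is something like this valid?

cd /opt/zimbra/data/amavisd/quarantine/ || exit 1
# Iterate with a glob instead of parsing `ls`, and quote every expansion.
for i in *
do
    [ -f "$i" ] || continue
    echo "Moving quarantined message $i"
    # The quarantine file is removed only if zmmailbox imported it successfully.
    zmmailbox -z -m virus-quarantine.whatever7wjw2x6vqg@domain.com am "/Inbox" "$i" && rm -f -- "$i" && echo "Deleting $i"
done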
Reply With Quote