Thread: How is quarantine working in 7.1.x ?

  1. #1
    liverpoolfcfan is offline Outstanding Member
    Join Date
    Oct 2009
    Location
    Dublin, IRELAND
    Posts
    698
    Rep Power
    6


    I just received an email with a .exe attachment. I got a notification of the following ...

    Code:
    BANNED CONTENTS ALERT
    
    Our content checker found
        banned name: .exe,.exe-ms,scsi su windows 7/aspi_460/aspiinst.exe
    
    in an email to you from: .........
    .....
    
    The message has been quarantined as: banned-n5zPcYRYL+B7
    
    Please contact your system administrator for details.

    as I would expect.

    However, I was under the impression that the "Virus Quarantine" user account that is created during setup was supposed to get these emails. But, when I log in to the Admin Panel, and "View Mail" for the Virus Quarantine user, there is nothing there.

    If I look in the folder /opt/zimbra/data/amavisd/quarantine I can see the file referred to above.

    Am I misunderstanding the purpose of the "Virus Quarantine" account ?

    Is there some configuration I may be missing that is stopping it working as it should ?

    This is a server originally deployed with 6.0.4 and upgraded through most if not all releases up to 7.1.3 at time of writing.

    Thanks in advance.

  2. #2
    ewilen is offline Moderator
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    8


    I'm still on 7.1.1, upgraded from 6.0.12. The virus quarantine account is getting the viral mails here.

    (Minor bug: Bug 65475 – quarantined email is retained for 30 days, not 7)

    It sounds like a piece of your configuration wasn't properly updated. Maybe you should check out [SOLVED] How to Move the AntiVirus Quarantine Account

    Also maybe check /opt/zimbra/conf/amavisd.conf.in and make sure it has

    %%uncomment VAR:zimbraAmavisQuarantineAccount%%$virus_quarantine_to = '%%zimbraAmavisQuarantineAccount%%';

  3. #3
    liverpoolfcfan is offline Outstanding Member
    Join Date
    Oct 2009
    Location
    Dublin, IRELAND
    Posts
    698
    Rep Power
    6


    The account is set correctly.

    In the file I see

    $final_virus_destiny = D_DISCARD;
    $final_banned_destiny = D_BOUNCE;
    $final_spam_destiny = D_DISCARD;
    # $final_bad_header_destiny = D_PASS;

    Is this correct ?

    Is there anything else I can look for ?

  4. #4
    ewilen is offline Moderator
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    8


    All those agree with what I have. Sorry I can't be more help.

  5. #5
    rays is offline New Member
    Join Date
    Jul 2010
    Posts
    3
    Rep Power
    4


    Here follows the current official word on this matter....

    Hi again Ray
    Looking further into this, it would appear that the emails found to have anything that is "banned-content", Zimbra simply discards said email into the quarantine folder, and does not send it to an account, as it would if it found a virus.

    Below is a sample from our log, after some testing. We had .wmf attachments being discarded as banned. As you can see, the file is given a unique name ("banned-JD-jJwh8c1Nq"), and placed in the quarantine directory (/opt/zimbra/data/amavisd/quarantine/).
    Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) Checking: JD-jJwh8c1Nq MYNETS [10.21.71.188] <fred@zcs7.cork.zimbralab.com> -> <pierce@zcs7.cork.zimbralab.com>
    Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) p.path BANNED:1 pierce@zcs7.cork.zimbralab.com: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=image/x-wmf,T=asc,N=test.wmf", matching_key="(?i-xsm:.\\.(wmf)$)"
    Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) local delivery: <> -> banned-quarantine, mbx=/opt/zimbra/data/amavisd/quarantine/banned-JD-jJwh8c1Nq

    I am sorry I can give you nothing better in relation to this Ray.

    Regards
    Pierce Preston
    GSS - Global Support Services
    Zimbra, a division of VMware

    Pierce advises the use of the following commands to deliver the banned mail directly to the appropriate mailbox (where it appears in an already "Read" condition, not "Unread" as you might expect):

    Then, what you will need to do to retrieve the email is run the following command:

    $ zmmailbox -z -m <account to send the message to> am "/<Folder to put email>" banned-X

    example $ zmmailbox -z -m myuser am "/Inbox" banned-P0x9poP0Xx7F


    banned-X is found from:

    zimbra@zimbra:~/data/amavisd/quarantine$ ls -lh

    Hope this helps....
    Last edited by rays; 10-25-2011 at 03:54 AM. Reason: Addition of the workaround solution
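
    Added example (not part of the post above, and not a Zimbra tool): a way to work out which banned-X file belongs to which recipient before running zmmailbox, by correlating amavis log lines on their session tag. The function names banned_report and sample_log are hypothetical, the log layout is assumed to match the sample quoted above, and the final sample line is constructed.

```shell
#!/bin/sh
# Added example: list each banned-quarantine file with the recipient and the
# attachment name that triggered it, so the right mailbox can be passed to
# "zmmailbox -z -m <account> am <folder> banned-X".

banned_report() {
  # Reads amavis syslog lines on stdin.
  # Prints one line per quarantined message: file<TAB>recipient<TAB>attachment
  awk '
    / p\.path BANNED:/ {
      tag = $6                          # session tag, e.g. (27701-01)
      rcpt[tag] = $9
      sub(/:$/, "", rcpt[tag])          # drop the colon after the address
      n = $0
      if (sub(/.*,N=/, "", n))          # keep text after the last ",N="
        sub(/[",].*/, "", n)            # cut at the closing quote or comma
      else
        n = "?"
      name[tag] = n
    }
    / local delivery: .* banned-quarantine, mbx=/ {
      tag = $6
      file = $0
      sub(/.*mbx=/, "", file)           # full quarantine path
      sub(/.*\//, "", file)             # base name, i.e. banned-X
      printf "%s\t%s\t%s\n", file,
        ((tag in rcpt) ? rcpt[tag] : "?"),
        ((tag in name) ? name[tag] : "?")
    }
  '
}

# First three lines are the log sample quoted in the post above;
# the fourth (a clean message) is constructed to show it is ignored.
sample_log() {
  cat <<'EOF'
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) Checking: JD-jJwh8c1Nq MYNETS [10.21.71.188] <fred@zcs7.cork.zimbralab.com> -> <pierce@zcs7.cork.zimbralab.com>
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) p.path BANNED:1 pierce@zcs7.cork.zimbralab.com: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=image/x-wmf,T=asc,N=test.wmf", matching_key="(?i-xsm:.\\.(wmf)$)"
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) local delivery: <> -> banned-quarantine, mbx=/opt/zimbra/data/amavisd/quarantine/banned-JD-jJwh8c1Nq
Oct 24 17:40:02 zcs7-ga amavis[27701]: (27701-02) Passed CLEAN, MYNETS [10.21.71.188] <fred@zcs7.cork.zimbralab.com> -> <pierce@zcs7.cork.zimbralab.com>
EOF
}

sample_log | banned_report
```

    An attachment name containing a comma is truncated at the comma in this report; the quarantine file name and recipient are unaffected.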

  6. #6
    liverpoolfcfan is offline Outstanding Member
    Join Date
    Oct 2009
    Location
    Dublin, IRELAND
    Posts
    698
    Rep Power
    6


    Thanks a million for reporting back your findings from zimbra support.

    It is not good, but at least it gives me some confidence my configuration is most likely not screwed up.

    Time to check the bug report list ...

  7. #7
    liverpoolfcfan is offline Outstanding Member
    Join Date
    Oct 2009
    Location
    Dublin, IRELAND
    Posts
    698
    Rep Power
    6


    I have filed a bug/rfe for this. Please add your vote

    Bug 66388 – banned-content emails should go to Virus-Quarantine Account

    Thanks

  8. #8
    ewilen is offline Moderator
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    8


    Thanks for that update, rays.

    Also, the following is good to know.

    Quote Originally Posted by rays View Post
    Then, what you will need to do to retrieve the email is run the following command:

    $ zmmailbox -z -m <account to send the message to> am "/<Folder to put email>" banned-X

    example $ zmmailbox -z -m myuser am "/Inbox" banned-P0x9poP0Xx7F

    banned-X is found from:

    zimbra@zimbra:~/data/amavisd/quarantine$ ls -lh

    An alternative would probably be to use zmlmtpinject.

  9. #9
    ccelis5215 is online now Elite Member
    Join Date
    Jun 2011
    Location
    Caracas Venezuela
    Posts
    442
    Rep Power
    3


    Is something like this valid?

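    # Abort if the quarantine directory is missing, so rm never runs elsewhere
    cd /opt/zimbra/data/amavisd/quarantine/ || exit 1
    # Glob instead of parsing `ls`; quote "$i" so odd file names stay intact
    for i in *
    do
    [ -f "$i" ] || continue
    echo "Moving quarantined message $i"
    # Delete the quarantined copy only after zmmailbox reports success
    zmmailbox -z -m virus-quarantine.whatever7wjw2x6vqg@domain.com am "/Inbox" "$i" && rm -f -- "$i" && echo "Deleting $i"
    done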
