How is quarantine working in 7.1.x ?

[liverpoolfcfan]

I just received an email with a .exe attachment. I got a notification of the following ...

Code:

BANNED CONTENTS ALERT

Our content checker found
    banned name: .exe,.exe-ms,scsi su windows 7/aspi_460/aspiinst.exe

in an email to you from: .........
.....

The message has been quarantined as: banned-n5zPcYRYL+B7

Please contact your system administrator for details.

as I would expect.

However, I was under the impression that the "Virus Quarantine" user account that is created during setup was supposed to get these emails. But, when I login to the Admin Panel, and "View Mail" for the Virus Quarantine user, there is nothing there.

If I look in the folder /opt/zimbra/data/amavisd/quarantine I can see the file referred to above.

Am I misunderstanding the purpose of the "Virus Quarantine" account ?

Is there some configuration I may be missing that is stopping it working as it should ?

This is a server originally deployed with 6.0.4 and upgraded through most if not all releases up to 7.1.3 at time of writing.

Thanks in advance.

[ewilen]

I'm still on 7.1.1, upgraded from 6.0.12. The virus quarantine account is getting the viral mails here.

(Minor bug: Bug 65475 – quarantined email is retained for 30 days, not 7)

It sounds like a piece of your configuration wasn't properly updated. Maybe you should check out [SOLVED] How to Move the AntiVirus Quarantine Account

Also maybe check /opt/zimbra/conf/amavisd.conf.in and make sure it has

%%uncomment VAR:zimbraAmavisQuarantineAccount%%$virus_quaranti ne_to = '%%zimbraAmavisQuarantineAccount%%';

[liverpoolfcfan]

The account is set correctly.

In the file I see

$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_DISCARD;
# $final_bad_header_destiny = D_PASS;

Is this correct ?

Is there anything else I can look for ?

[ewilen]

All those agree with what I have. Sorry I can't be more help.

[rays]

Here follows the current official word on this matter....

Hi again Ray
Looking further into this, it would appear that the emails found to have anything that is "banned-content", Zimbra simply discards said email into the quarantine folder, and does not send it to an account, as it would if it found a virus.

Below is a sample from our log, after some testing. We had .wmf attachments being discarded as banned. As you can see, the file is given a unique name ("banned-JD-jJwh8c1Nq"), and placed in the quarantine directory (/opt/zimbra/data/amavisd/quarantine/).
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) Checking: JD-jJwh8c1Nq MYNETS [10.21.71.188] <fred@zcs7.cork.zimbralab.com> -> <pierce@zcs7.cork.zimbralab.com>
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) p.path BANNED:1 pierce@zcs7.cork.zimbralab.com: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=image/x-wmf,T=asc,N=test.wmf", matching_key="(?i-xsm:.\\.(wmf)$)"
Oct 24 17:39:23 zcs7-ga amavis[27701]: (27701-01) local delivery: <> -> banned-quarantine, mbx=/opt/zimbra/data/amavisd/quarantine/banned-JD-jJwh8c1Nq

I am sorry I can give you nothing better in relation to this Ray.

Regards
Pierce Preston
GSS - Global Support Services
Zimbra, a division of VMware

Pierce advises the use of the following commands to deliver the banned mail directly to the appropriate mailbox (where it appears in an already "Read" condition, not "Unread" as you might expect):

Then, what you will need to do to retrieve the email is run the following command:

$ zmmailbox -z -m <account to send the message to> am "/<Folder to put email>" banned-X

example $ zmmailbox -z -m myuser am "/Inbox" banned-P0x9poP0Xx7F


banned-X is found from:

zimbra@zimbra:~/data/amavisd/quarantine$ ls -lh

Hope this helps....

[liverpoolfcfan]

Thanks a million for reporting back your findings from zimbra support.

It is not good, but at least it gives me some confidence my configuration is most likely not screwed up.

Time to check the bug report list ...

[liverpoolfcfan]

I have filed a bug/rfe for this. Please add your vote

Bug 66388 &ndash; banned-content emails should go to Virus-Quarantine Account

Thanks

[ewilen]

Thanks for that update, rays.

Also, the following is good to know.

Quote:

Originally Posted by rays

Then, what you will need to do to retrieve the email is run the following command:

$ zmmailbox -z -m <account to send the message to> am "/<Folder to put email>" banned-X

example $ zmmailbox -z -m myuser am "/Inbox" banned-P0x9poP0Xx7F

[/I]
banned-X is found from:

zimbra@zimbra:~/data/amavisd/quarantine$ ls -lh

An alternative would probably be to use zmlmtpinject.

[ccelis5215]

Is valid something like this?

cd /opt/zimbra/data/amavisd/quarantine/
for i in `ls`
do
echo "Moving quarantined message " $i;
zmmailbox -z -m virus-quarantine.whatever7wjw2x6vqg@domain.com am "/Inbox" $i && rm -f $i && echo "Deleting " $i;
done