
Thread: Mail being virus scanned twice?

  1. #1
    thunder04 is offline Special Member

    I'm running Zimbra 8.0.2, and it looks like internal messages are being virus scanned twice.

    This sample is of me sending myself a test message. Notice the double virus scanning?

    Code:
    Return-Path: ahoppe@mpcsd.org
    Received: from cottontail.mpcsd.org (LHLO cottontail.mpcsd.org) (10.1.1.37)
     by cottontail.mpcsd.org with LMTP; Wed, 9 Jan 2013 15:02:28 -0800 (PST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    	by cottontail.mpcsd.org (Postfix) with ESMTP id 6A5D513003FA
    	for <ahoppe@mpcsd.org>; Wed,  9 Jan 2013 15:02:28 -0800 (PST)
    X-Virus-Scanned: amavisd-new at mpcsd.org
    Received: from cottontail.mpcsd.org ([127.0.0.1])
    	by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id Q-E7reEF_hCp for <ahoppe@mpcsd.org>;
    	Wed,  9 Jan 2013 15:02:23 -0800 (PST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    	by cottontail.mpcsd.org (Postfix) with ESMTP id 98760130043E
    	for <ahoppe@mpcsd.org>; Wed,  9 Jan 2013 15:02:22 -0800 (PST)
    X-Virus-Scanned: amavisd-new at mpcsd.org
    Received: from cottontail.mpcsd.org ([127.0.0.1])
    	by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10026)
    	with ESMTP id yzxYc2tlBePN for <ahoppe@mpcsd.org>;
    	Wed,  9 Jan 2013 15:02:21 -0800 (PST)
    Received: from cottontail.mpcsd.org (cottontail.mpcsd.org [10.1.1.37])
    	by cottontail.mpcsd.org (Postfix) with ESMTP id 9789E1300433
    	for <ahoppe@mpcsd.org>; Wed,  9 Jan 2013 15:02:21 -0800 (PST)
    Date: Wed, 9 Jan 2013 15:02:21 -0800 (PST)
    From: Anthony Hoppe <ahoppe@mpcsd.org>
    To: Anthony Hoppe <ahoppe@mpcsd.org>
    Message-ID: <202652381.159722.1357772541292.JavaMail.root@mpcsd.org>
    Subject: Test
    MIME-Version: 1.0
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit
    X-Originating-IP: [10.10.45.40]
    X-Mailer: Zimbra 8.0.2_GA_5569 (ZimbraWebClient - GC23 (Mac)/8.0.2_GA_5569)
    Thread-Topic: Test
    Thread-Index: sSVLV0LfkoHhnUpZbrPo+EcgTtIwnw==

    Here is a message from an internal user to me (user is masked for privacy) before we upgraded to 8.0.2 (we were previously running 6.0.14). Only

    Code:
    Return-Path: [maskeduser]@mpcsd.org
    Received: from cottontail.mpcsd.org (LHLO cottontail.mpcsd.org) (10.1.1.37)
     by cottontail.mpcsd.org with LMTP; Fri, 14 Dec 2012 16:04:29 -0800 (PST)
    Received: from localhost (localhost [127.0.0.1])
    	by cottontail.mpcsd.org (Postfix) with ESMTP id CC4E3DD0006;
    	Fri, 14 Dec 2012 16:04:29 -0800 (PST)
    X-Virus-Scanned: amavisd-new at cottontail.mpcsd.org
    Received: from cottontail.mpcsd.org ([127.0.0.1])
    	by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id nMsPGHQVT9Bq; Fri, 14 Dec 2012 16:04:22 -0800 (PST)
    Received: from cottontail.mpcsd.org (cottontail.mpcsd.org [10.1.1.37])
    	by cottontail.mpcsd.org (Postfix) with ESMTP id ED65413D0001;
    	Fri, 14 Dec 2012 16:04:22 -0800 (PST)
    Date: Fri, 14 Dec 2012 16:04:22 -0800 (PST)
    From: [maskeduser] <[maskeduser]@mpcsd.org>
    To: Anthony Hoppe <ahoppe@mpcsd.org>
    Message-ID: <26790457.3341.1355529862933.JavaMail.root@cottontail>
    In-Reply-To: <12270407.2983.1355526724187.JavaMail.root@cottontail>
    Subject: Fwd: Report Card Update
    MIME-Version: 1.0
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: quoted-printable
    X-Originating-IP: [10.20.45.11]
    X-Mailer: Zimbra 6.0.14_GA_2931 (ZimbraWebClient - FF3.0 (Mac)/6.0.14_GA_2928)

    Am I crazy? If not, how do I configure 8.0.2's virus scanning to behave like 6.0.14?

  2. #2
    quanah is offline Zimbra Employee

    You can configure amavis to bypass SA by editing the related key in localconfig. Set it to true instead of false.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #3
    thunder04 is offline Special Member
    Join Date
    Dec 2007
    Location
    Stockton, CA
    Posts
    164
    Rep Power
    7

    Default

    If you are referring to

    Code:
    amavis_originating_bypass_sa = true

    It's already set that way.

    Code:
    zimbra@cottontail:~$ zmlocalconfig | grep bypass_sa
    amavis_originating_bypass_sa = true

    Are there any other config tweaks I can do?

  4. #4
    quanah is offline Zimbra Employee

    Weird... did you restart the MTA after making that change on the MTA? Shouldn't be required, but maybe it didn't take.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  5. #5
    thunder04 is offline Special Member

    Yep. Since that option has been set, I've done a zmmtactl restart, zmcontrol restart, and even power cycled the server (not for this issue, though).

  6. #6
    mpeltier is offline Member

    Hi,
    If I understand correctly, when amavis_originating_bypass_sa = true, only spam checking is disabled in amavisd.conf, but mails are still checked (twice) for viruses:

    $policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
    ...
    bypass_spam_checks_maps => [1], # don't spam-check internal mail (added by amavis_originating_bypass_sa = true)
    ...
    };

    If I add bypass_virus_checks_maps => [1], the virus check still seems to occur for internal users (??) but now only one time (I get one X-Virus-Scanned header).

    Is this the expected behavior? How can I prevent mail from being checked twice AND still enable spam and virus checks for internal users?
    Mathieu

  7. #7
    quanah is offline Zimbra Employee

    Quote (originally posted by mpeltier):
        Hi,
        If I understand correctly, when amavis_originating_bypass_sa = true, only spam checking is disabled in amavisd.conf, but mails are still checked (twice) for viruses:

        $policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
        ...
        bypass_spam_checks_maps => [1], # don't spam-check internal mail (added by amavis_originating_bypass_sa = true)
        ...
        };

        If I add bypass_virus_checks_maps => [1], the virus check still seems to occur for internal users (??) but now only one time (I get one X-Virus-Scanned header).

        Is this the expected behavior? How can I prevent mail from being checked twice AND still enable spam and virus checks for internal users?
        Mathieu

    Bypass SA bypasses SpamAssassin, not virus checks. There is no setting (currently) to bypass AntiVirus for originating email.

    You see it scanned twice because the email is going through amavis twice -- Once at origination (outgoing) and once at delivery (incoming).

    This is the intended behavior.

    I would note that the changes you made mean your users can now use your server to email viruses to people who are outside of your mail system. I.e., if one of your users ends up with an infected Windows box, that infection can now use your MTA to email out viruses to people at other locations. This is probably not a desirable state.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  8. #8
    thunder04 is offline Special Member

    Quote (originally posted by quanah):
        Bypass SA bypasses SpamAssassin, not virus checks. There is no setting (currently) to bypass AntiVirus for originating email.

        You see it scanned twice because the email is going through amavis twice -- Once at origination (outgoing) and once at delivery (incoming).

        This is the intended behavior.
        --Quanah

    It makes sense why messages are scanned twice. However, in 6.0.14, why was local mail only scanned once (see my header example above)? I think this is much more efficient. If a message originates from my server, wouldn't only one scan be necessary? Or, is it common for the MTA to become infected itself and inject viruses into messages?

  9. #9
    quanah is offline Zimbra Employee

    Behavior was changed to accommodate a number of new features. Amavis now differentiates between originating and incoming mail; it didn't use to do that. Think of it more as

    Zimbra outgoing:
    originating email -> MTA (postfix -> amavis -> opendkim -> postfix) -> destination MTA

    Zimbra incoming:
    incoming email -> destination MTA (postfix -> amavis -> postfix) -> inbox

    In your case now, destination MTA happens to be the same as your originating MTA, so things are scanned twice, once for outgoing, once for incoming. It is slightly less efficient due to the double SA/AV scanning. On the other hand, it allows for marking mail as originating, and easily handing off mail to OpenDKIM for DKIM signing.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration
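
Added example, not part of any post in this thread and not Zimbra code: a small header check that lists each amavisd-new pass a message took, using the header sample from the first post (abridged). The port-to-role labels are an assumption inferred from the hop order in that sample and the outgoing/incoming flow described above; `amavis_passes` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Abridged from the Zimbra 8.0.2 header sample in the first post of this thread.
SAMPLE = """\
Received: from localhost (localhost.localdomain [127.0.0.1])
 by cottontail.mpcsd.org (Postfix) with ESMTP id 6A5D513003FA
 for <ahoppe@mpcsd.org>; Wed,  9 Jan 2013 15:02:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at mpcsd.org
Received: from cottontail.mpcsd.org ([127.0.0.1])
 by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Q-E7reEF_hCp for <ahoppe@mpcsd.org>;
 Wed,  9 Jan 2013 15:02:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at mpcsd.org
Received: from cottontail.mpcsd.org ([127.0.0.1])
 by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id yzxYc2tlBePN for <ahoppe@mpcsd.org>;
 Wed,  9 Jan 2013 15:02:21 -0800 (PST)
Subject: Test
"""

# Assumption: role labels are inferred from the hop order in that sample and
# from the outgoing/incoming flow described in the thread.
PORT_ROLE = {10026: "origination (outgoing)", 10024: "delivery (incoming)"}
AMAVIS_HOP = re.compile(r"\(amavisd-new, port (\d+)\)")

def amavis_passes(raw_headers):
    """Return ([(port, role, timestamp)], X-Virus-Scanned count), oldest hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for received in msg.get_all("Received", []):
        match = AMAVIS_HOP.search(received)
        if not match:
            continue  # plain Postfix/LMTP hop, not a content-filter pass
        port = int(match.group(1))
        # The hop timestamp follows the last ';' in a Received header.
        stamp = parsedate_to_datetime(received.rsplit(";", 1)[1].strip())
        hops.append((port, PORT_ROLE.get(port, "unknown"), stamp))
    hops.sort(key=lambda hop: hop[2])
    return hops, len(msg.get_all("X-Virus-Scanned", []))

if __name__ == "__main__":
    hops, scanned = amavis_passes(SAMPLE)
    for port, role, stamp in hops:
        print(f"{stamp:%H:%M:%S} amavisd port {port}: {role}")
    print(f"X-Virus-Scanned headers: {scanned}")
```

Run against a delivered message's headers, a single amavisd hop on outbound mail means the origination pass is no longer scanning, which is the state warned about earlier in the thread.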

  10. #10
    mpeltier is offline Member

    It seems that mails sent to external email address are also scanned
    twice? I just retested by sending a mail from the webmail to my gmail
    account, I get two "X-Virus-Scanned" headers.

    See also Bug 79585 – Antivirus launched twice on outgoing mails
    Mathieu
