Mail being virus scanned twice?

[thunder04]

I'm running Zimbra 8.0.2, and it looks like internal messages are being virus scanned twice.

This sample is of me sending myself a test message. Notice the double virus scanning?

Code:

Return-Path: ahoppe@mpcsd.org
Received: from cottontail.mpcsd.org (LHLO cottontail.mpcsd.org) (10.1.1.37)
 by cottontail.mpcsd.org with LMTP; Wed, 9 Jan 2013 15:02:28 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by cottontail.mpcsd.org (Postfix) with ESMTP id 6A5D513003FA
	for <ahoppe@mpcsd.org>; Wed,  9 Jan 2013 15:02:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at mpcsd.org
Received: from cottontail.mpcsd.org ([127.0.0.1])
	by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Q-E7reEF_hCp for <ahoppe@mpcsd.org>;
	Wed,  9 Jan 2013 15:02:23 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by cottontail.mpcsd.org (Postfix) with ESMTP id 98760130043E
	for <ahoppe@mpcsd.org>; Wed,  9 Jan 2013 15:02:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at mpcsd.org
Received: from cottontail.mpcsd.org ([127.0.0.1])
	by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id yzxYc2tlBePN for <ahoppe@mpcsd.org>;
	Wed,  9 Jan 2013 15:02:21 -0800 (PST)
Received: from cottontail.mpcsd.org (cottontail.mpcsd.org [10.1.1.37])
	by cottontail.mpcsd.org (Postfix) with ESMTP id 9789E1300433
	for <ahoppe@mpcsd.org>; Wed,  9 Jan 2013 15:02:21 -0800 (PST)
Date: Wed, 9 Jan 2013 15:02:21 -0800 (PST)
From: Anthony Hoppe <ahoppe@mpcsd.org>
To: Anthony Hoppe <ahoppe@mpcsd.org>
Message-ID: <202652381.159722.1357772541292.JavaMail.root@mpcsd.org>
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.10.45.40]
X-Mailer: Zimbra 8.0.2_GA_5569 (ZimbraWebClient - GC23 (Mac)/8.0.2_GA_5569)
Thread-Topic: Test
Thread-Index: sSVLV0LfkoHhnUpZbrPo+EcgTtIwnw==

Here is a message from an internal user to me (user is masked for privacy) before we upgraded to 8.0.2 (we were previously running 6.0.14). Only

Code:

Return-Path: [maskeduser]@mpcsd.org
Received: from cottontail.mpcsd.org (LHLO cottontail.mpcsd.org) (10.1.1.37)
 by cottontail.mpcsd.org with LMTP; Fri, 14 Dec 2012 16:04:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	by cottontail.mpcsd.org (Postfix) with ESMTP id CC4E3DD0006;
	Fri, 14 Dec 2012 16:04:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at cottontail.mpcsd.org
Received: from cottontail.mpcsd.org ([127.0.0.1])
	by localhost (cottontail.mpcsd.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id nMsPGHQVT9Bq; Fri, 14 Dec 2012 16:04:22 -0800 (PST)
Received: from cottontail.mpcsd.org (cottontail.mpcsd.org [10.1.1.37])
	by cottontail.mpcsd.org (Postfix) with ESMTP id ED65413D0001;
	Fri, 14 Dec 2012 16:04:22 -0800 (PST)
Date: Fri, 14 Dec 2012 16:04:22 -0800 (PST)
From: [maskeduser] <[maskeduser]@mpcsd.org>
To: Anthony Hoppe <ahoppe@mpcsd.org>
Message-ID: <26790457.3341.1355529862933.JavaMail.root@cottontail>
In-Reply-To: <12270407.2983.1355526724187.JavaMail.root@cottontail>
Subject: Fwd: Report Card Update
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [10.20.45.11]
X-Mailer: Zimbra 6.0.14_GA_2931 (ZimbraWebClient - FF3.0 (Mac)/6.0.14_GA_2928)

Am I crazy? If not, how to I configure 8.0.2's virus scanning to behave like 6.0.14?

[quanah]

You can configure amavis to bypass SA by editing the related key in localconfig. Set it to true instead of false.

[thunder04]

If you are referring to

Code:

amavis_originating_bypass_sa = true

It's already set that way.

Code:

zimbra@cottontail:~$ zmlocalconfig | grep bypass_sa
amavis_originating_bypass_sa = true

Are there any other config tweaks I can do?

[quanah]

Wierd... did you restart the MTA after making that change on the MTA? Shouldn't be required, but maybe it didn't take.

[thunder04]

Yep. Since that option has been set, I've done a zmmtactl restart, zmcontrol restart, and even power cycled the server (not for this issue, though).

[mpeltier]

Hi,
If I understand well, when amavis_originating_bypass_sa = true, only spam checking is disabled in amavid.conf, but mails are still check (twice) for virus:

$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
...
bypass_spam_checks_maps => [1], # don't spam-check internal mail (added by amavis_originating_bypass_sa = true)
...
};

If I add bypass_virus_checks_maps => [1], virus check seems to still occurs for internal user (??) but now only one time (I get one X-Virus-Scanned header).

Is it the expected behavior? How to prevent mail to be checked twice AND still enable spam and virus checks for internal users?
Mathieu

[quanah]

Hi,
If I understand well, when amavis_originating_bypass_sa = true, only spam checking is disabled in amavid.conf, but mails are still check (twice) for virus:

$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
...
bypass_spam_checks_maps => [1], # don't spam-check internal mail (added by amavis_originating_bypass_sa = true)
...
};

If I add bypass_virus_checks_maps => [1], virus check seems to still occurs for internal user (??) but now only one time (I get one X-Virus-Scanned header).

Is it the expected behavior? How to prevent mail to be checked twice AND still enable spam and virus checks for internal users?
Mathieu

bypass SA bypasses SpamAssassin, not Virus checks. There is no setting (currently) to bypass AntiVirus for originating email.

You see it scanned twice because the email is going through amavis twice -- Once at origination (outgoing) and once at delivery (incoming).

This is the intended behavior.

I would note that the changes you made means your users can now use your server to email viruses to people who are outside of your mail system. I.e., if one of your users ends up with an infected windows box, that infection can now use your MTA to email out viruses to people at other locations. This is probably not a desirable state.

--Quanah

[thunder04]

bypass SA bypasses SpamAssassin, not Virus checks. There is no setting (currently) to bypass AntiVirus for originating email.

You see it scanned twice because the email is going through amavis twice -- Once at origination (outgoing) and once at delivery (incoming).

This is the intended behavior.
--Quanah

It makes sense why messages are scanned twice. However, in 6.0.14, why was local mail only scanned once (see my header example above)? I think this is much more efficient. If a message originates from my server, wouldn't only one scan be necessary? Or, is it common for the MTA to become infected itself and inject viruses into messages?

[quanah]

Behavior was changed to accommodate a number of new features. Amavis now differentiates between originating and incoming mail, it didn't used to do that. Think of it more as

Zimbra outgoing:
originating email -> MTA (postfix ->amavis -> opendkim ->postfix) -> destination MTA

Zimbra incoming:
incoming email -> destination MTA (postfix -> amavis -> postfix) -> inbox

In your case now, destination MTA happens to be the same as your originating MTA, so things are scanned twice, once for outgoing, once for incoming. It is slightly less efficient due to the double SA/AV scanning. On the other hand, it allows for marking mail as originating, and easily handing off mail to OpenDKIM for DKIM signing.

--Quanah

[mpeltier]

It seems that mails sent to external email address are also scanned
twice? I just retested by sending a mail from the webmail to my gmail
account, I get two "X-Virus-Scanned" headers.

See also Bug 79585 – Antivirus launched twice on outgoing mails
Mathieu