
Thread: Disable virus notification to admin

  1. #1
    PeterEraly, Junior Member

    Hello,

    I am trying to disable the virus notification email sent to the admin account.

    I found the following posts:
    45686-zimbra-disable-virus-notification-admin-account
    33080-disable-av-send-notification-recipient-without-admin-gui
    44219-content-filter-virus-alerts-sent-admin-mailbox-recipient
    42967-solved-drop-virus-messages

    and they all state that I should change the global properties zimbraVirusWarnRecipient and zimbraVirusWarnAdmin using:
    Code:
    zmprov mcf zimbraVirusWarnRecipient FALSE
    zmprov mcf zimbraVirusWarnAdmin FALSE

    I have done this, and I have double-checked the values (both are FALSE). I restarted everything mentioned in these posts:
    Code:
    zmamavisdctl restart
    zmcontrol stop
    zmcontrol start

    and I rebooted the server.

    The notifications for the recipient were stopped immediately, but I still get the notifications to my admin account.
    Is there anything that I forgot to disable the notification to the admin account?

    I'm using ZCS Release 7.2.6_GA_2926.RHEL6_64_20131203115858 CentOS6_64 FOSS edition.

    Thank you for your help!

  2. #2
    PeterEraly, Junior Member

    anyone?

    Some more information:
    After all restarts mentioned in the first post, I still received notifications.
    Currently, since the day after my post, it seems that the notifications are stopped. It's also possible that I haven't received any email with a virus since then!

    I suppose that the notifications should be stopped immediately, at least after the server reboot, but this was not the case.
    Has anybody come across this issue?

  3. #3
    PeterEraly, Junior Member

    Anyone?

    Today I again got 823 virus notification mails for mails sent to non-existing email addresses in my domain... It's annoying and I can't find more information about this issue.

    Thank you

  4. #4
    phoenix, Zimbra Consultant & Moderator

    Quote, originally posted by PeterEraly:
        Today I again got 823 virus notification mails for mails sent to non-existing email addresses in my domain...

    Have you tried modifying the setting to reject unlisted recipients?

    Regards
    Bill

  5. #5
    PeterEraly, Junior Member

    Thank you for your reply Bill.

    Using:
    Code:
    postconf | grep smtpd_reject_unlisted_recipient

    I found that the setting was currently "smtpd_reject_unlisted_recipient = no".

    I suppose changing this setting to "yes" will reject the message before AV/AS scans the message?
    Currently the messages are also rejected, but if a virus is included, the admin is still getting a report about this (that's the message that I want to stop).

    According to the following threads:
    24376-solved-smtpd_reject_unlisted_recipient-ignored
    10895-solved-reject_unlisted_recipient
    34340-simple-how-question-smtpd_reject_unlisted_recipient

    I changed it manually in the file /opt/zimbra/conf/zmmta.cf and rebooted the server. The setting is now modified to "yes".

    I tried sending an email to a non-existing email address before and after the change, and there's no difference between the responses. In both cases I get an "Undelivered Mail Returned to Sender" message back to my originating email:

    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to <postmaster>

    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.

    <abc@domain.tld>: 550 5.1.1 <abc@domain.tld>: Recipient address rejected: domain.tld

    Hopefully the virus notifications to the admin account are stopped this way too!
    I will update the thread again (as soon as I'm sure) with the result: solved or not working.

  6. #6
    phoenix, Zimbra Consultant & Moderator

    Quote, originally posted by PeterEraly:
        I found that the setting was currently "smtpd_reject_unlisted_recipient = no"

    Yes, that's the default for versions prior to ZCS 8.x

    Quote, originally posted by PeterEraly:
        I suppose changing this setting to "yes" will reject the message before AV/AS will scan the message?

    Correct.

    Quote, originally posted by PeterEraly:
        I tried sending an email to a non-existing email address before and after the change, and there's no difference between the response. In both cases I get a "Undelivered Mail Returned to Sender" message back to my originating email:

    Did you restart ZCS? You should see entries in the log files showing them being rejected. I assume you also have some RBLs enabled and (possibly) the spam Kill/Tag settings reduced slightly?

    Regards
    Bill

  7. #7
    PeterEraly, Junior Member

    Hello Phoenix,

    I have rebooted the complete server after the change.

    In the log file /var/log/messages I see these records from my test messages:
    Jan 17 10:17:37 ctb01 postfix/smtpd[21361]: NOQUEUE: reject: RCPT from server.otherdomain.tld[94.143.184.115]: 550 5.1.1 <abc@domain.tld>: Recipient address rejected: domain.tld; from=<prvs=409456566b=myself@otherdomain.tld> to=<abc@domain.tld> proto=ESMTP helo=<server.otherdomain.tld>
    Jan 17 10:48:24 ctb01 postfix/smtpd[18392]: NOQUEUE: reject: RCPT from server.otherdomain.tld[94.143.184.115]: 550 5.1.1 <abc@domain.tld>: Recipient address rejected: domain.tld; from=<prvs=109472945e=myself@otherdomain.tld> to=<abc@domain.tld> proto=ESMTP helo=<server.otherdomain.tld>
    So basically I don't see a difference between setting "no" (10:17:37) and "yes" (10:48:24).

    I also see in the logs that the spam messages are rejected, even before changing smtpd_reject_unlisted_recipient to "yes".

    The only message I still get is the virus notification (and this one I want to stop too), sent from my own account: "content-filter at myserver.domain.tld" <admin@domain.tld>
    Example:
    title: VIRUS (Suspect.DoubleExtension-zippwd-15) in mail FROM [83.43.96.109] <cosmologys3@watersteam.com>
    body:
    A virus was found: Suspect.DoubleExtension-zippwd-15

    Scanner detecting a virus: ClamAV-clamd

    Content type: Virus
    Internal reference code for the message is 11821-04/7392KxJJeWbR

    First upstream SMTP client IP address: [83.43.96.109]
    109.Red-83-43-96.dynamicIP.rima-tde.net
    According to a 'Received:' trace, the message apparently originated at:
    .....
    I have no RBLs enabled and I also haven't changed the Kill/Tag settings.
    Basically, all settings in the MTA and AV/AS tabs are default, except "send notification to recipient" on the AV/AS tab: this one is disabled as mentioned in my first post. I want to disable this for the admin account as well.

  8. #8
    PeterEraly, Junior Member

    Hello Bill,

    It seems that I have found the issue!

    All virus notifications that I receive are sent to a domain alias. If you define a domain alias for a certain domain, there's a catchall defined using zimbraMailCatchAllAddress and that will be sent to the zimbraMailCatchAllForwardingAddress.
    Because smtpd_reject_unlisted_recipient and catchall will never work together, emails sent to this domain alias are accepted and processed by the AS/AV scanner, and after that forwarded to the main domain, which will reject the message because the user does not exist.

    While the message is processed by the AS/AV scanner, the notification is sent to the admin. It seems that the flag zimbraVirusWarnAdmin FALSE is not working in this case.
    All other spam/virus mails (to regular domains) are rejected by the server.

    Do you have any idea to fix this issue?
    - Can I just remove the zimbraMailCatchAllAddress and zimbraMailCatchAllForwardingAddress settings or will this disable the working of my domain alias?
    - Do I just need to delete the alias and redefine the domain as a normal domain?
    - Or do you have an idea to make the flag zimbraVirusWarnAdmin FALSE working?

    Thank you for your assistance!
    Last edited by PeterEraly; 01-17-2014 at 05:22 AM.

  9. #9
    phoenix, Zimbra Consultant & Moderator

    I dislike using (or even recommending) domain aliases for the very reason you've hit - using a catchall means that you may be flooded with spam and not able to do anything about it.

    I've answered this recently in another post but effectively what you need to do is remove the domain alias and any other modifications (and the catchall) that were made. Depending on how many users there are on your system you need to dump the current list of users into a file, create the new domain (obviously with the name you were using for the alias domain) then modify the file you've just created to run zmprov for each of those user accounts and add an alias to the account that you were using in the alias domain.

    The only problem you might encounter is that you're running a live server and the alias domain won't be available until you've done the above steps and added the alias to each of your current accounts. Details of zmprov are in the wiki and an example of adding an alias. That's somewhat tortuous but I prefer that to an alias domain.

    Having said all that, you really don't want to disable the virus notification because that will mean you don't get any genuine notifications; however, it should work if you have the notification sent to a 'real' user address in the primary domain.

    Regards
    Bill

  10. #10
    PeterEraly, Junior Member

    Thank you Bill!

    This did the trick. I removed the domain alias and recreated it as a new domain. After that I defined all proper aliases for every user and enabled the setting zimbraVirusWarnAdmin again.
    I'm pretty confident it will work now.

    Thanks for all the helpful information!
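
The migration phoenix outlines in post #9 (dump the accounts, recreate the former alias domain as a real domain, add one alias per account), as an added example that is not code from anyone in this thread. It assumes the input is an account list in the form printed by `zmprov -l gaa domain.tld`, uses `domain.tld` and `alias.tld` as placeholder names, and treats the `spam.`, `ham.`, `virus-quarantine.` and `galsync` prefixes as system accounts; the sample list is constructed.

```shell
#!/bin/sh
# Added example: build a zmprov batch that replaces an alias domain with a
# real domain plus one alias per user. Domain names below are placeholders.

# gen_alias_batch PRIMARY ALIASDOM
# Reads one account address per line on stdin and prints zmprov commands:
#   cd  = createDomain, aaa = addAccountAlias
gen_alias_batch() {
    primary=$1
    aliasdom=$2
    echo "cd $aliasdom"
    while IFS= read -r acct; do
        case $acct in
            ''|\#*) continue ;;                 # blank line or comment
            *[!A-Za-z0-9._@+-]*) continue ;;    # unexpected characters: skip
        esac
        local_part=${acct%@*}
        domain=${acct##*@}
        # Only accounts of the primary domain get an alias.
        [ "$domain" = "$primary" ] || continue
        # Assumed system-account prefixes; these must not become deliverable.
        case $local_part in
            spam.*|ham.*|virus-quarantine.*|galsync*) continue ;;
        esac
        echo "aaa $acct $local_part@$aliasdom"
    done
}

# Constructed sample of an account dump (not taken from the thread).
sample_accounts() { cat <<'EOF'
admin@domain.tld
peter@domain.tld
spam.abc123@domain.tld
ham.def456@domain.tld
virus-quarantine.xyz789@domain.tld
someone@otherdomain.tld
EOF
}

demo() { sample_accounts | gen_alias_batch domain.tld alias.tld; }
demo
```

Review the generated lines before use; the alias domain and its catch-all have to be removed first, and the resulting file can then be passed to `zmprov -f`.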
