Banned files claiming to be quarantined, but not in quarantine -Resolved-

listserv.traffic at sloop.net
Fri May 22 23:56:39 CEST 2015



So, I've had two of these:

The server gets a message with winmail.dat which is banned through the rule that blocks tnef's.
Which, while it may not be exactly how I want it to act, I'm fine with so far.

This is the "report" for the banned file:
---
No viruses were found.

Banned name: .image,.png,image001.png,image001.png
Content type: Banned
Internal reference code for the message is 21212-12/vdxXxXxXxXxX

First upstream SMTP client IP address: [12.121.212.121] xyxz-xyz.zxy.xyz.zzx.xxxzzz.com
According to a 'Received:' trace, the message originated at: [45.545.454.545],
 xyzxyzxyz at xyz.com [5.4.3.2]

Return-Path: <xyzxyzxyz at xyz.com>
From: "ABC XYZ" <xyzxyzxyz at xyz.com>
Message-ID:
 <123456789.123456789 at xyz.com>
Subject: blah blah blah blah blah blah
The message has been quarantined as: abc at def.com

The message WAS NOT relayed to:
<def at def.com>:
  250 2.7.0 Ok, discarded, id=19676-18 - BANNED: .image,.png,image001.png,image001.png
<ghi at def.com>:
  250 2.7.0 Ok, discarded, id=19676-18 - BANNED: .image,.png,image001.png,image001.png
---

So, it claims to have quarantined it - there's no file name that it quarantined it as. And if I search the quarantine directories for this message, it's simply not there.

Can someone shed some light on this?

Amavis-new 2.6.5 on Ubuntu 12.04, with Postfix and Dovecot.
Pre-accept proxy setup.
Relevant vars:
$final_banned_destiny     = D_DISCARD;
$virus_admin = 'it-ops at somewhere.zzz';
$banned_quarantine_to = 'it-ops at somewhere.zzz';

Other messages - at least all we've seen so far - get quarantined properly. It just appears to happen to messages with winmail.dat attachments.

So, the fix is this var:
$banned_quarantine_to = 'it-ops at somewhere.zzz';

In my testing, I was quite sure [but must be wrong] that setting this would BOTH quarantine AND send the sysop a copy of the quarantined message. That's NOT the case however. Testing reveals that you get one or the other, NOT BOTH.

So, leaving $banned_quarantine_to undefined [commented out, in my case] returns the system to quarantining the file properly again.

Hope that helps someone.

-Greg
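
A check for the situation described above, as an added example that is not part of the original post: it reads the "quarantined as" line of a banned-file report and tells whether the copy went to a mailbox or should exist as a file in the quarantine directory. The sample report is constructed from the one quoted above, and `quarantine_dir` is a hypothetical parameter to be set to the site's own directory.

```python
import os
import re

# Constructed sample: the relevant lines of the report quoted in the post
# (addresses read "user at domain" because the list archive obfuscates "@").
SAMPLE_REPORT = """\
Banned name: .image,.png,image001.png,image001.png
Content type: Banned
The message has been quarantined as: abc at def.com

The message WAS NOT relayed to:
<def at def.com>:
  250 2.7.0 Ok, discarded, id=19676-18 - BANNED: .image,.png,image001.png,image001.png
"""

QUARANTINED_RE = re.compile(r"^The message has been quarantined as:\s*(.+?)\s*$", re.M)
ADDRESS_RE = re.compile(r"^<?[^\s@<>]+@[^\s@<>]+>?$")


def quarantine_target(report):
    """Return the 'quarantined as' value with archive obfuscation undone, or None."""
    m = QUARANTINED_RE.search(report)
    if not m:
        return None
    return re.sub(r"\s+at\s+", "@", m.group(1))


def classify(report, quarantine_dir):
    """Classify where the quarantined copy went.

    Returns (kind, detail); kind is 'none', 'mailbox', 'file' or 'missing'.
    quarantine_dir is a hypothetical parameter: pass the site's own directory.
    """
    target = quarantine_target(report)
    if target is None:
        return ("none", None)
    if ADDRESS_RE.match(target):
        # Sent to a mailbox: nothing will exist in the quarantine directory.
        return ("mailbox", target.strip("<>"))
    # Otherwise treat the value as a file name under the quarantine directory.
    path = os.path.join(quarantine_dir, target)
    return ("file" if os.path.isfile(path) else "missing", path)


if __name__ == "__main__":
    print(classify(SAMPLE_REPORT, "/path/to/quarantine"))
```

A `mailbox` result corresponds to the case in the post: the report names an address, so searching the quarantine directory finds nothing.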