
List:       amavis-user
Subject:    Re: Banned files claiming to be quarantined, but not in quarantine -Resolved-
From:       listserv.traffic () sloop ! net
Date:       2015-05-22 21:56:39
Message-ID: 141897643.20150522145639 () sloop ! net

So, I've had two of these:

The server gets a message with winmail.dat which is banned through the rule that
blocks tnef's. Which, while may not be exactly how I want it to act, I'm fine with it
so far.

This is the "report" for the banned file:
---
No viruses were found.

Banned name: .image,.png,image001.png,image001.png
Content type: Banned
Internal reference code for the message is 21212-12/vdxXxXxXxXxX

First upstream SMTP client IP address: [12.121.212.121] xyxz-xyz.zxy.xyz.zzx.xxxzzz.com
According to a 'Received:' trace, the message originated at: [45.545.454.545],
 xyzxyzxyz@xyz.com [5.4.3.2]

Return-Path: <xyzxyzxyz@xyz.com>
From: "ABC XYZ" <xyzxyzxyz@xyz.com>
Message-ID:
 <123456789.123456789@xyz.com>
Subject: blah blah blah blah blah blah
The message has been quarantined as: abc@def.com

The message WAS NOT relayed to:
<def@def.com>:
  250 2.7.0 Ok, discarded, id=19676-18 - BANNED: .image,.png,image001.png,image001.png
<ghi@def.com>:
  250 2.7.0 Ok, discarded, id=19676-18 - BANNED: .image,.png,image001.png,image001.png
---

So, it claims to have quarantined it - there's no file name that it quarantined it
as. And if I search the quarantine directories for this message, it's simply not
there.

Can someone shed some light on this?

Amavis-new 2.6.5 on Ubuntu 12.04, with Postfix and Dovecot.
Pre-accept proxy setup.
Relevant vars:
$final_banned_destiny     = D_DISCARD;
$virus_admin = 'it-ops@somewhere.zzz';
$banned_quarantine_to = 'it-ops@somewhere.zzz';

Other messages - at least all we've seen so far get quarantined properly - it just
appears to happen to messages with winmail.dat attachments.

So, the fix is this var:
$banned_quarantine_to = 'it-ops@somewhere.zzz';

In my testing, I was quite sure [but must be wrong] that setting this would BOTH
quarantine AND send the sysop a copy of the quarantined message. That's NOT the case
however. Testing reveals that you get one or the other, NOT BOTH.

So, leaving $banned_quarantine_to undefined [commented out, in my case] returns the
system to quarantining the file properly again.

Hope that helps someone.

-Greg
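
Added example, not part of the original post: a small Python parser for a notification like the one quoted above, reporting whether the "quarantined as" value is a file name or a mail address. The sample report is constructed from the quoted one with wrapped lines joined; treating any value containing "@" as a mailbox delivery, and the function names, are assumptions based on the behaviour described in the post.

```python
import re

# Constructed sample: the notification quoted in the post, wrapped lines joined.
REPORT = """\
No viruses were found.

Banned name: .image,.png,image001.png,image001.png
Content type: Banned
Internal reference code for the message is 21212-12/vdxXxXxXxXxX

The message has been quarantined as: abc@def.com

The message WAS NOT relayed to:
<def@def.com>:
  250 2.7.0 Ok, discarded, id=19676-18 - BANNED: .image,.png,image001.png,image001.png
<ghi@def.com>:
  250 2.7.0 Ok, discarded, id=19676-18 - BANNED: .image,.png,image001.png,image001.png
"""

def parse_report(text):
    """Extract the fields needed to track down the quarantined copy."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    return {
        "banned_name": field(r"^Banned name:\s*(.+)$"),
        "reference": field(r"^Internal reference code for the message is\s+(\S+)"),
        "quarantined_as": field(r"^The message has been quarantined as:\s*(\S+)"),
        # (recipient, SMTP status code) for every recipient that was not relayed to
        "not_relayed": re.findall(r"^<([^>]+)>:[ \t]*\n[ \t]+(\d{3}) ", text, re.MULTILINE),
    }

def quarantine_location(quarantined_as):
    """Classify where to look for the copy (assumption: '@' means it was mailed)."""
    if not quarantined_as:
        return "none"      # report names no quarantine location at all
    if "@" in quarantined_as:
        return "mailbox"   # look in that mailbox, not the quarantine directory
    return "file"          # a file name under the quarantine directory

if __name__ == "__main__":
    info = parse_report(REPORT)
    print(info["reference"], info["quarantined_as"],
          quarantine_location(info["quarantined_as"]))
```
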

