How to release virus quarantined email
I'm posting this because I spent the better part of a day trying to figure out how to do this in the 8.X series of Zimbra, and was surprised how hard it was to find something documenting this.
A user received an email with an encrypted attachment which was moved to quarantine by the virus scanner and the user received the usual "message quarantined" notice. This was in fact a valid email and I needed to release the quarantined email back to the user. I googled how to do this and unfortunately all the answers I found pertain to older (pre 8.X) versions of Zimbra and don't work on new versions, mainly because quarantined messages are no longer stored in a fixed directory (/opt/zimbra/data/amavis) but are stored in the mailbox of the system quarantine account. According to the bug database on this (bug 8454), a simpler way to do this doesn't yet exist, although I'm hopeful that the recent switch to a mailbox-based quarantine means it's being worked on.
On to the current workarounds:
First, it's possible to view mail in the quarantine account via the admin console:
Log into the admin console with the admin account
In the search box at the top, enter 'virus' as the search term and hit enter/click the magnifier. This should list an account like virus-quarantine.<random>@mailhost. You won't be able to find this account through the usual Manage --> Accounts screen since it's a hidden account. I didn't know of another way to view hidden accounts.
Right-click the account and select View Mail. You will then be taken to the webmail for that account, where you can look for the offending email.
Note: I tried from here to just right-click the message and select "Redirect" (also tried "Forward") but unfortunately it doesn't work since the message just gets re-quarantined. For this to work, the virus checks would need to be bypassed for *both* outgoing and incoming (i.e. avoid checking the message on the way out from the quarantine account and on the way in to the original recipient). I tried setting various options on the quarantine account (amavisBypassSpamChecks already set to TRUE, added amavisBypassVirusChecks TRUE) without success, again I think because of the incoming check.
The message can be resent using the same basic method from pre 8.X of injecting into the LMTP pipe, but with some modifications around how to find the message.
Become zimbra user
su - zimbra
Get quarantine account
zmprov gcf zimbraAmavisQuarantineAccount
(returns: zimbraAmavisQuarantineAccount: virus-quarantine.randomstring@mymail.mydomain.com)
Get mailbox id for quarantine user
zmprov gmi <quarantine_user>
(e.g. zmprov gmi virus-quarantine.randomstring@mymail.mydomain.com)
(returns: mailboxId: 42)
Change to quarantine user message store
cd /opt/zimbra/store/0/<mailbox id>/msg/0
(e.g. cd /opt/zimbra/store/0/42/msg/0)
Identify the message by searching for recipient, message content, etc. You can use the quarantine webmail from above to find some identifiers.
grep -l someuser@mydomain.com *
(returns: 123-45.msg)
Send message to recipient using LMTP re-injection (bypasses virus checks)
zmlmtpinject -r <recipient email> -s <sender email> <message filename>
(e.g. zmlmtpinject -r someuser@mydomain.com -s admin@mydomain.com 123-45.msg)
Hopefully this helps others. Please feel free to comment on this if you find easier ways to do this or when something user-friendly is finally released.
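The steps above, wrapped into one script as an added example (this is not from the original post or from Zimbra). It runs as the zimbra user on the mailstore that hosts the quarantine account, parses the same zmprov output the post shows, and re-injects with zmlmtpinject. Two things it adds beyond the post: it checks zimbraMailHost against zmhostname first, since zmprov gmi only works on the mailstore holding the mailbox, and it searches every msg/N subdirectory under the mailbox rather than only msg/0 (assumption: the post only shows msg/0). Because LMTP re-injection skips the virus scan entirely, the script refuses ambiguous matches, prints the file's SHA-256 and is a dry run unless DO_RELEASE=1 is set. The script name, the DO_RELEASE variable and the sample addresses are mine.

```shell
#!/bin/bash
# Added example, not from the original post: the release procedure above,
# wrapped in one script. Run as the zimbra user on the mailstore that hosts
# the quarantine account. Paths are the ones used in the post; the rest
# (DO_RELEASE switch, msg/N search, host check) is this example's addition.
set -e

# Parse the account name out of `zmprov gcf zimbraAmavisQuarantineAccount`.
parse_quarantine_account() {
    sed -n 's/^zimbraAmavisQuarantineAccount: *//p' | head -n 1
}

# Parse the numeric id out of `zmprov gmi <account>`.
parse_mailbox_id() {
    sed -n 's/^mailboxId: *//p' | head -n 1
}

# Message directory for a mailbox id: /opt/zimbra/store/<volume>/<id>/msg,
# the layout shown in the post (volume 0). Messages are spread over numbered
# subdirectories (msg/0, msg/1, ...), so callers search all of them
# (assumption: the post only shows msg/0).
mailbox_msg_root() {
    local mbox_id="$1" store="${2:-/opt/zimbra/store}" volume="${3:-0}"
    printf '%s/%s/%s/msg\n' "$store" "$volume" "$mbox_id"
}

# List .msg files under the message root that contain the search string
# (recipient address, Message-ID, ...). Prints one path per line.
find_candidates() {
    local root="$1" needle="$2"
    grep -l -F -- "$needle" "$root"/*/*.msg 2>/dev/null || true
}

# Number of candidate files in a newline-separated list (0 for empty).
count_lines() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

release_quarantined() {
    local recipient="$1" needle="$2" sender="$3"
    local acct host mbox_id root cands

    acct=$(zmprov gcf zimbraAmavisQuarantineAccount | parse_quarantine_account)
    if [ -z "$acct" ]; then
        echo "zimbraAmavisQuarantineAccount is not set" >&2; return 1
    fi

    # zmprov gmi only answers on the mailstore that hosts the account
    # ("can only be used with SOAP" elsewhere), so check zimbraMailHost first.
    host=$(zmprov ga "$acct" zimbraMailHost | sed -n 's/^zimbraMailHost: *//p')
    if [ "$host" != "$(zmhostname)" ]; then
        echo "quarantine mailbox lives on $host; run this script there" >&2; return 1
    fi

    mbox_id=$(zmprov gmi "$acct" | parse_mailbox_id)
    root=$(mailbox_msg_root "$mbox_id")
    cands=$(find_candidates "$root" "$needle")

    # Refuse to guess: exactly one file must match, or the wrong mail goes out.
    case "$(count_lines "$cands")" in
        0) echo "no message under $root matches '$needle'" >&2; return 1 ;;
        1) ;;
        *) echo "ambiguous match, narrow the search string:" >&2
           printf '%s\n' "$cands" >&2; return 1 ;;
    esac

    # Re-injection bypasses the virus scan entirely, so record what is being
    # released and require an explicit opt-in after inspecting the file.
    echo "candidate: $cands"
    sha256sum "$cands"
    if [ "${DO_RELEASE:-0}" != 1 ]; then
        echo "dry run; re-run with DO_RELEASE=1 to inject into LMTP"
        return 0
    fi
    zmlmtpinject -r "$recipient" -s "$sender" "$cands"
}

# usage (sample addresses): DO_RELEASE=1 ./release-quarantine.sh \
#   someuser@mydomain.com someuser@mydomain.com admin@mydomain.com
if [ "$#" -ge 3 ]; then
    release_quarantined "$1" "$2" "$3"
fi
```

Run it once without DO_RELEASE, open the candidate file (or at least check the attachment against the hash you printed) and only then run it again with DO_RELEASE=1; the second and third arguments are the search string and the envelope sender the post passes to zmlmtpinject.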
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
How to release virus quarantined email
Wow dshields, thank you so much for this valuable info. I will check with the team if there is an easier way, and if not, we will write a new article in the wiki based on your perfect steps.
Best regards
How to release virus quarantined email
Thanks for this dshields. Zimbra's own wiki article (http://wiki.zimbra.com/wiki/Restore-Quarantined-Emails) didn't work, however your method worked great.
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
How to release virus quarantined email
Thanks guys,
I've updated the Wiki article.
https://wiki.zimbra.com/wiki/Restore-Quarantined-Emails
Best regards
How to release virus quarantined email
Great news, thanks Jorge.
Re: How to release virus quarantined email
Hello,
it doesn't work for me:
[zimbra@zimbra ~]$ zmprov gcf zimbraAmavisQuarantineAccount
zimbraAmavisQuarantineAccount: virus-quarantine.hwkdid5_jp@zimbra.kas.it
[zimbra@zimbra ~]$ zmprov gmi virus-quarantine.hwkdid5_jp@zimbra.kas.it
ERROR: account.NO_SUCH_ACCOUNT (no such account: virus-quarantine.hwkdid5_jp@zimbra.kas.it)
Also searching "virus" in web admin console doesn't give me any result.
Any ideas?
Re: How to release virus quarantined email
Hello.
It seems that you've deleted the quarantine account. You may make a try to recreate it: https://wiki.zimbra.com/wiki/How_to_re-create_the_Quarantine_Account
Good luck!
-
- Advanced member
- Posts: 133
- Joined: Sat Jul 19, 2014 7:07 am
- ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU14.64 U
Re: How to release virus quarantined email
I didn't think I was that dirty?
Code: Select all
zimbra@Zimbra8-MTA1:~/data/amavisd/quarantine$ zmprov gmi virus-quarantine.5ooknfa8g@ics-il.net
ERROR: service.INVALID_REQUEST (invalid request: can only be used with SOAP)
-
- Advanced member
- Posts: 133
- Joined: Sat Jul 19, 2014 7:07 am
- ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU14.64 U
Re: How to release virus quarantined email
That command has to be run from the mailstore that has the particular quarantine you're looking for. How you determine that I'm not sure. I only have two and guessed correctly on the first one.
Re: How to release virus quarantined email
Hello,
I got a mail today that was quarantined and I got a message from the admin account about that.
I tried following the steps outlined here and also at https://wiki.zimbra.com/wiki/Restore-Quarantined-Emails.
I can find the zimbraAmavisQuarantineAccount and also the corresponding ID but in the message store for that account there are absolutely no mails.
Also when trying the GUI way there are no messages in the mailbox for the quarantine user.
I sent myself the EICAR file to reproduce and got the attached e-mail notice.
But again no mail in the mailbox for virus-quarantine.xlfoacboau@theuerkorn.net
Where are the mails going to?
KR Johannes
--------
VIRUS ALERT
Our content checker found
virus: Eicar-Test-Signature
in an email to you from probably faked sender:
?@[178.32.224.88]
claiming to be: <consulting@theuerkorn.net>
Content type: Virus
Our internal reference code for your message is 10605-01/A7TYv5jfjvse
First upstream SMTP client IP address: [178.32.224.88]:32850
post.theuerkorn.net
Received trace: ESMTP://[178.32.224.88]:32850
Return-Path: <consulting@theuerkorn.net>
From: Johannes Theuerkorn <consulting@theuerkorn.net>
Message-ID: <1912400976.28179.1534424333371.JavaMail.zimbra@theuerkorn.net>
X-Mailer: Zimbra 8.8.9_GA_3006 (ZimbraWebClient - GC68 (Mac)/8.8.9_GA_3006)
Subject: Eicar
The message has been quarantined as: virus-quarantine.xlfoacboau@theuerkorn.net
Please contact your system administrator for details.