How to release virus quarantined email
Posted: Sat Sep 20, 2014 3:02 pm
I'm posting this because I spent the better part of a day trying to figure out how to do this in the 8.X series of Zimbra, and was surprised how hard it was to find something documenting this.
A user received an email with an encrypted attachment which was moved to quarantine by the virus scanner and the user received the usual "message quarantined" notice. This was in fact a valid email and I needed to release the quarantined email back to the user. I googled how to do this and unfortunately all the answers I found pertain to older (pre 8.X) versions of Zimbra and don't work on new versions, mainly because quarantined messages are no longer stored in a fixed directory (/opt/zimbra/data/amavis) but are stored in the mailbox of the system quarantine account. According to the bug database on this (bug 8454), a simpler way to do this doesn't yet exist, although I'm hopeful that the recent switch to a mailbox-based quarantine means it's being worked on.
On to the current workarounds:
First, it's possible to view mail in the quarantine account via the admin console:
Log into the admin console with the admin account
In the search box at the top, enter 'virus' as the search term and hit enter/click the magnifier. This should list an account like virus-quarantine.<random>@mailhost. You won't be able to find this account through the usual Manage --> Accounts screen since it's a hidden account. I didn't know of another way to view hidden accounts.
Right-click the account and select View Mail. You will then be taken to the webmail for that account, where you can look for the offending email.
Note: I tried from here to just right-click the message and select "Redirect" (also tried "Forward") but unfortunately it doesn't work since the message just gets re-quarantined. For this to work, the virus checks would need to be bypassed for *both* outgoing and incoming (i.e. avoid checking the message on the way out from the quarantine account and on the way in to the original recipient). I tried setting various options on the quarantine account (amavisBypassSpamChecks already set to TRUE, added amavisBypassVirusChecks TRUE) without success, again I think because of the incoming check.
The message can be resent using the same basic method from pre 8.X of injecting into the LMTP pipe, but with some modifications around how to find the message.
Become zimbra user
su - zimbra
Get quarantine account
zmprov gcf zimbraAmavisQuarantineAccount
(returns: zimbraAmavisQuarantineAccount: virus-quarantine.randomstring@mymail.mydomain.com)
Get mailbox id for quarantine user
zmprov gmi <quarantine_user>
(e.g. zmprov gmi virus-quarantine.randomstring@mymail.mydomain.com)
(returns: mailboxId: 42)
Change to quarantine user message store
cd /opt/zimbra/store/0/<mailbox id>/msg/0
(e.g. cd /opt/zimbra/store/0/42/msg/0)
Identify the message by searching for the recipient, message content, etc. You can use the quarantine webmail from above to pick identifiers to search for (recipient address, subject, sender). If the recipient has more than one quarantined message, grep will list several files, so narrow the search until exactly one file matches before injecting.
grep -l someuser@mydomain.com *
(returns: 123-45.msg)
Send the message to the recipient using LMTP re-injection. This delivers straight to the mailbox and bypasses the virus checks entirely, so only do it for a message you have actually verified is legitimate.
zmlmtpinject -r <recipient email> -s <sender email> <message filename>
(e.g. zmlmtpinject -r someuser@mydomain.com -s admin@mydomain.com 123-45.msg)
Hopefully this helps others. Please feel free to comment on this if you find easier ways to do this or when something user-friendly is finally released.
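The command-line steps above as one script, added here as an example; it is not from the original post and not a Zimbra-provided tool. Assumed: the script name release_quarantined.sh, the ZMPROV / ZMLMTPINJECT / ZIMBRA_STORE / DRY_RUN overrides, and that quarantined message files all sit somewhere under msg/ of the quarantine mailbox's store directory (the post uses msg/0; the script searches every subdirectory of msg/ in case the mailbox has grown past the first one). Because zmlmtpinject skips the virus scan, the script refuses to inject unless exactly one file matches, and accepts an optional Message-ID copied from the quarantine webmail to disambiguate.

```shell
#!/bin/sh
# release_quarantined.sh (assumed name): release one virus-quarantined
# message in Zimbra 8.x by LMTP re-injection. Run as the zimbra user:
#   release_quarantined.sh <recipient> <envelope-sender> [<Message-ID>]
# ZMPROV / ZMLMTPINJECT / ZIMBRA_STORE default to the real binaries and
# store path; DRY_RUN=1 prints the inject command instead of running it.
set -eu

# Quarantine account name, parsed from:
#   zimbraAmavisQuarantineAccount: virus-quarantine.<random>@host
quarantine_account() {
    "${ZMPROV:-zmprov}" gcf zimbraAmavisQuarantineAccount |
        awk '/^zimbraAmavisQuarantineAccount:/ { print $2; exit }'
}

# Numeric mailbox id of an account, parsed from "mailboxId: 42".
mailbox_id() {
    "${ZMPROV:-zmprov}" gmi "$1" | awk '/^mailboxId:/ { print $2; exit }'
}

# Message store directory for a mailbox id (post uses msg/0 under it;
# override ZIMBRA_STORE if your store lives on another volume).
store_dir() {
    printf '%s/%s/msg\n' "${ZIMBRA_STORE:-/opt/zimbra/store/0}" "$1"
}

# Print every .msg file under $1 that mentions recipient $2 and, when a
# third argument is given, carries exactly that Message-ID header.
find_messages() {
    dir=$1; rcpt=$2; msgid=${3:-}
    find "$dir" -type f -name '*.msg' | while IFS= read -r f; do
        grep -qiF "$rcpt" "$f" || continue
        if [ -n "$msgid" ]; then
            grep -qiF "Message-ID: $msgid" "$f" || continue
        fi
        printf '%s\n' "$f"
    done
}

# Re-inject one message file via LMTP (this bypasses amavis entirely).
release_message() {
    rcpt=$1; sender=$2; file=$3
    [ -f "$file" ] || { echo "no such message file: $file" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: zmlmtpinject -r %s -s %s %s\n' "$rcpt" "$sender" "$file"
        return 0
    fi
    "${ZMLMTPINJECT:-zmlmtpinject}" -r "$rcpt" -s "$sender" "$file"
}

# Tie the steps together; refuse to inject unless exactly one file matches.
main() {
    rcpt=$1; sender=$2; msgid=${3:-}
    acct=$(quarantine_account)
    [ -n "$acct" ] || { echo "zimbraAmavisQuarantineAccount not set" >&2; return 1; }
    id=$(mailbox_id "$acct")
    dir=$(store_dir "$id")
    matches=$(find_messages "$dir" "$rcpt" "$msgid")
    n=$(printf '%s\n' "$matches" | grep -c . || true)
    case $n in
        0) echo "no quarantined message for $rcpt under $dir" >&2; return 1 ;;
        1) release_message "$rcpt" "$sender" "$matches" ;;
        *) printf 'ambiguous: %s candidates, re-run with the Message-ID:\n%s\n' \
               "$n" "$matches" >&2; return 1 ;;
    esac
}

# Only run when invoked with arguments, so the functions can be sourced.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

A first run with DRY_RUN=1 shows which file would be injected; once that is the message you saw in the quarantine webmail, run it again without DRY_RUN. The envelope sender given with -s is what the post uses (an admin address); it does not change the From: header inside the message.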