How to release virus quarantined email

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
dshields
Posts: 1
Joined: Sat Sep 20, 2014 1:56 pm

How to release virus quarantined email

Postby dshields » Sat Sep 20, 2014 3:02 pm

I'm posting this because I spent the better part of a day trying to figure out how to do this in the 8.X series of Zimbra, and was surprised how hard it was to find something documenting this.


A user received an email with an encrypted attachment which was moved to quarantine by the virus scanner and the user received the usual "message quarantined" notice.  This was in fact a valid email and I needed to release the quarantined email back to the user.  I googled how to do this and unfortunately all the answers I found pertain to older (pre 8.X) versions of zimbra and don't work on new versions, mainly because quarantined messages are no longer stored in a fixed directory (/opt/zimbra/data/amavis) but are stored in the mailbox of the system quarantine account.  According to the bug database on this (bug 8454), a simpler way to do this doesn't yet exist, although I'm hopeful that the recent switch to a mailbox-based quarantine means its being worked on.


On to the current workarounds:


First - its possible to view mail in the quarantine account via the admin console:



  1. Log into the admin console with the admin account

  2. In the search box at the top, enter 'virus' as the search term and hit enter/click the magnifier.  This should list an account like virus-quarantine.<random>@mailhost.  You won't be able to find this account through the usual Manage --> Accounts screen since its a hidden account.  I didn't know of another way to view hidden accounts.

  3. Right-click the account and select View Mail.  You will then be taken to the webmail for that account, where you can look for the offending email.


Note: I tried from here to just right-click the message and select "Redirect" (also tried "Forward) but unfortunately it doesn't work since the message just gets re-quarantined.  For this to work, the virus checks would need to be bypassed for *both* outgoing and incoming (ie. avoid checking the message on the way out from the quarantine account and on the way in to the original recipient).  I tried setting various options on the quarantine account (amavisBypassSpamChecks already set to TRUE, added amavisBypassVirusChecks TRUE) without success, again I think because of the incoming check.


The message can be resent using the same basic method from pre 8.X of injecting into the LMTP pipe, but with some modifications around how to find the message.



  1. Become zimbra user
    su - zimbra

  2. Get quarantine account
    zmprov gcf zimbraAmavisQuarantineAccount
    (returns: zimbraAmavisQuarantineAccount: virus-quarantine.randomstring@mymail.mydomain.com)

  3. Get mailbox id for quarantine user
    zmprov gmi <quarantine_user>
    (e.g. zmprov gmi virus-quarantine.randomstring@mymail.mydomain.com)
    (returns: mailboxId: 42)

  4. Change to quarantine user message store
    cd /opt/zimbra/store/0/<mailbox id>/msg/0
    (e.g. cd /opt/zimbra/store/0/42/msg/0)

  5. Identify message by searching for recipient, message content, etc.  You can use the quarantine webmail from above to view for some identifiers
    grep -l someuser@mydomain.com *
    (returns: 123-45.msg)

  6. Send message to recipient using LMTP re-injection (bypasses virus checks)
    zmlmtpinject -r <recipient email> -s <sender email> <message filename>
    (e.g. zmlmtpinject -r someuser@mydomain.com -s admin@mydomain.com 123-45.msg)


Hopefully this helps others.  Please feel free to comment on this if you find easier ways to do this or when something user-friendly is finally released.



User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

How to release virus quarantined email

Postby jorgedlcruz » Sat Sep 20, 2014 3:15 pm

Wow dshields, thank you so much for this valuable info. I will check with the team if have easier way, and if not, we will write in the wiki a new article based in your perfect steps.



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
Verta
Posts: 5
Joined: Sun Nov 16, 2014 2:50 am

How to release virus quarantined email

Postby Verta » Mon Dec 29, 2014 10:28 am

Thanks for this dshields. Zimbra's own wiki article (http://wiki.zimbra.com/wiki/Restore-Quarantined-Emails) didn't work, however your method worked great.
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

How to release virus quarantined email

Postby jorgedlcruz » Mon Dec 29, 2014 1:06 pm

Thanks guys,


I've updated the Wiki article.




Best regards

Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
Verta
Posts: 5
Joined: Sun Nov 16, 2014 2:50 am

How to release virus quarantined email

Postby Verta » Mon Dec 29, 2014 2:39 pm

Great news, thanks Jorge.
markb
Posts: 8
Joined: Thu Jul 14, 2016 8:48 am

Re: How to release virus quarantined email

Postby markb » Thu Mar 16, 2017 8:46 am

Hello,
it doesn't work for me:
[zimbra@zimbra ~]$ zmprov gcf zimbraAmavisQuarantineAccount
zimbraAmavisQuarantineAccount: virus-quarantine.hwkdid5_jp@zimbra.kas.it
[zimbra@zimbra ~]$ zmprov gmi virus-quarantine.hwkdid5_jp@zimbra.kas.it
ERROR: account.NO_SUCH_ACCOUNT (no such account: virus-quarantine.hwkdid5_jp@zimbra.kas.it)

Also searching "virus" in web admin console doesn't give me any result.

Any ideas?
ShumaDK
Posts: 2
Joined: Tue Oct 03, 2017 8:13 am

Re: How to release virus quarantined email

Postby ShumaDK » Tue Oct 03, 2017 10:12 am

Hello.
It seems that you've deleted the quarantine account. You may make a try to recreate it: https://wiki.zimbra.com/wiki/How_to_re- ... ne_Account

Code: Select all

https://wiki.zimbra.com/wiki/How_to_re-create_the_Quarantine_Account

Good luck!

markb wrote:Hello,
it doesn't work for me:
[zimbra@zimbra ~]$ zmprov gcf zimbraAmavisQuarantineAccount
zimbraAmavisQuarantineAccount: virus-quarantine.hwkdid5_jp@zimbra.kas.it
[zimbra@zimbra ~]$ zmprov gmi virus-quarantine.hwkdid5_jp@zimbra.kas.it
ERROR: account.NO_SUCH_ACCOUNT (no such account: virus-quarantine.hwkdid5_jp@zimbra.kas.it)

Also searching "virus" in web admin console doesn't give me any result.

Any ideas?
mhammett
Advanced member
Advanced member
Posts: 80
Joined: Sat Jul 19, 2014 7:07 am
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU14.64 U

Re: How to release virus quarantined email

Postby mhammett » Tue May 01, 2018 3:17 pm

I didn't think I was that dirty?

Code: Select all

imbra@Zimbra8-MTA1:~/data/amavisd/quarantine$ zmprov gmi virus-quarantine.5ooknfa8g@ics-il.net
ERROR: service.INVALID_REQUEST (invalid request: can only be used with SOAP)
mhammett
Advanced member
Advanced member
Posts: 80
Joined: Sat Jul 19, 2014 7:07 am
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU14.64 U

Re: How to release virus quarantined email

Postby mhammett » Tue May 01, 2018 3:55 pm

That command has to be run from the mailstore that has the particular quarantine you're looking for. How you determine that I'm not sure. I only have two and guessed correctly on the first one.
JoeKar
Posts: 3
Joined: Sat Sep 13, 2014 2:38 am

Re: How to release virus quarantined email

Postby JoeKar » Thu Aug 16, 2018 1:29 pm

Hello,

i got a mail today that was quarantined and i got a message from the admin account about that.

I Tried following the steps outlined here and also at https://wiki.zimbra.com/wiki/Restore-Quarantined-Emails.

I can find the zimbraAmavisQuarantineAccount and also the corresponding ID but in the message store for that account there are absolutly no mails.
Also when trying the GUI way there are no messages in the mailbox for the quarantine user.

I send myself the eicar file to reproduce and get the attached e-mail notice.

But again no mail in the mailbox for virus-quarantine.xlfoacboau@theuerkorn.net

Where are the mails going to?

KR Johannes
--------
VIRUS ALERT

Our content checker found
virus: Eicar-Test-Signature

in an email to you from probably faked sender:
?@[178.32.224.88]
claiming to be: <consulting@theuerkorn.net>

Content type: Virus
Our internal reference code for your message is 10605-01/A7TYv5jfjvse

First upstream SMTP client IP address: [178.32.224.88]:32850
post.theuerkorn.net

Received trace: ESMTP://[178.32.224.88]:32850

Return-Path: <consulting@theuerkorn.net>
From: Johannes Theuerkorn <consulting@theuerkorn.net>
Message-ID: <1912400976.28179.1534424333371.JavaMail.zimbra@theuerkorn.net>
X-Mailer: Zimbra 8.8.9_GA_3006 (ZimbraWebClient - GC68 (Mac)/8.8.9_GA_3006)
Subject: Eicar
The message has been quarantined as: virus-quarantine.xlfoacboau@theuerkorn.net

Please contact your system administrator for details.

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 21 guests