1 (edited by Dominique 2014-03-27 05:08:15)

Topic: Why does email with virus get delivered?

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Centos 6
- Related log if you're reporting an issue: /var/log/maillog

Emails with attachments containing viruses seem to be coming through without being blocked. I found this in the logs:

Mar 26 20:53:55 ip-hidden postfix/smtpd[3375]: connect from unknown[4.31.76.74]
Mar 26 20:53:55 ip-hidden postfix/smtpd[3375]: C043BDB2632: client=unknown[4.31.76.74]
Mar 26 20:53:56 ip-hidden postfix/cleanup[3406]: C043BDB2632: message-id=<001e01cf4934cf1253c4c800000a@SIT-RDP-EST-01>
Mar 26 20:53:57 ip-hidden postfix/qmgr[21871]: C043BDB2632: from=<dontreply303@asklawyers.com>, size=109901, nrcpt=2 (queue active)
Mar 26 20:53:57 ip-hidden postfix/smtpd[3375]: disconnect from unknown[4.31.76.74]
Mar 26 20:53:58 ip-hidden postfix/smtpd[3429]: connect from localhost[127.0.0.1]
Mar 26 20:53:58 ip-hidden postfix/smtpd[3429]: 5E544DB266A: client=localhost[127.0.0.1]
Mar 26 20:53:58 ip-hidden postfix/cleanup[3406]: 5E544DB266A: message-id=<001e01cf4934cf1253c4c800000a@SIT-RDP-EST-01>
Mar 26 20:53:58 ip-hidden postfix/smtpd[3430]: connect from localhost[127.0.0.1]
Mar 26 20:53:58 ip-hidden postfix/smtpd[3429]: disconnect from localhost[127.0.0.1]
Mar 26 20:53:58 ip-hidden postfix/qmgr[21871]: 5E544DB266A: from=<dontreply303@asklawyers.com>, size=110517, nrcpt=1 (queue active)
Mar 26 20:53:58 ip-hidden postfix/smtpd[3430]: 603B9DB266B: client=localhost[127.0.0.1]
Mar 26 20:53:58 ip-hidden postfix/cleanup[3406]: 603B9DB266B: message-id=<001e01cf4934cf1253c4c800000a@SIT-RDP-EST-01>
Mar 26 20:53:58 ip-hidden amavis[3102]: (03102-03) Passed BANNED (.exe,.exe-ms,Court_Notice.exe) {RelayedTaggedOutbound}, LOCAL [4.31.76.74]:5970 [4.31.76.74] <dontreply303@asklawyers.com> -> <xxxxx@yyyyy.com>, Message-ID: <001e01cf4934cf1253c4c800000a@SIT-RDP-EST-01>, mail_id: 24cyMsygNso9, Hits: 3.419, size: 109901, queued_as: 5E544DB266A, 1268 ms
Mar 26 20:53:58 ip-hidden postfix/qmgr[21871]: 603B9DB266B: from=<dontreply303@asklawyers.com>, size=110509, nrcpt=1 (queue active)
Mar 26 20:53:58 ip-hidden postfix/smtpd[3430]: disconnect from localhost[127.0.0.1]
Mar 26 20:53:58 ip-hidden postfix/smtp[3410]: C043BDB2632: to=<xxxxx@yyyyy.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.9, delays=1.6/0.02/0/1.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5E544DB266A)
Mar 26 20:53:58 ip-hidden amavis[1190]: (01190-19) Passed BANNED (.exe,.exe-ms,Court_Notice.exe) {RelayedTaggedOutbound}, LOCAL [4.31.76.74]:5970 [4.31.76.74] <dontreply303@asklawyers.com> -> <xxxxx@yyyyy.com>, Message-ID: <001e01cf4934cf1253c4c800000a@SIT-RDP-EST-01>, mail_id: gZf768fkYbnt, Hits: 3.419, size: 109901, queued_as: 603B9DB266B, 1259 ms
Mar 26 20:53:58 ip-hidden postfix/smtp[3411]: C043BDB2632: to=<xxxxx@yyyyy.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.9, delays=1.6/0.03/0/1.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 603B9DB266B)
Mar 26 20:53:58 ip-hidden postfix/qmgr[21871]: C043BDB2632: removed
Mar 26 20:53:58 ip-hidden postfix/pipe[3431]: 5E544DB266A: to=<xxxxx@yyyyy.com>, relay=dovecot, delay=0.04, delays=0.01/0.01/0/0.03, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 26 20:53:58 ip-hidden postfix/qmgr[21871]: 5E544DB266A: removed

As you can see, the email has an attachment with an executable in it, and Amavis says Passed BANNED. Is there a way of getting better protection or configuring Amavis to block those emails?

FYI: certain things might appear twice, as there is a forward active for the destination mailbox.


2

Re: Why does email with virus get delivered?

It says that it was banned, so the email actually got blocked on the server.

Did you check with the users if they received the emails with the attachments?

3

Re: Why does email with virus get delivered?

According to your log:

*) This mail is not detected as a virus. With default iRedMail settings, virus mail is blocked by default and not delivered to the user's mailbox.
*) This email has a '.exe' attachment, and it is detected as a "banned" attachment. With the default iRedMail setting in the Amavisd config file, banned emails are passed to the user's mailbox because of the setting below in /etc/amavisd/amavisd.conf:

$final_banned_destiny     = D_PASS;

If you want to discard it, you should change it to:

$final_banned_destiny     = D_DISCARD;

A better solution is to discard it with 'D_DISCARD' and quarantine it in the SQL database, then manage quarantined mails with iRedAdmin-Pro. References:

- How to configure Amavisd to quarantine spam/virus/banned emails: http://www.iredmail.org/wiki/index.php? … ining.SPAM
- Screenshots of quarantining management in iRedAdmin-Pro:

http://www.iredmail.org/images/iredadmin/system_maillog_quarantined.png
http://www.iredmail.org/images/iredadmin/system_maillog_quarantined_expanded.png

4

Re: Why does email with virus get delivered?

The default settings seem to be:

$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_PASS;
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;

so the banned email being delivered makes sense. I will configure it to quarantine spam and banned emails as per your instructions.

Thank you for a very extensive reply! Very helpful as usual.

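The four $final_*_destiny settings quoted above can be tied back to the amavisd log line in the first post with a small log-triage script. The following Python is an added example written for this page, not iRedMail or amavisd project code: it parses amavisd-new summary lines, separates "Passed" from "Blocked", and for every non-clean verdict that was still passed reports which amavisd.conf variable controlled that outcome. The sample log lines are constructed (addresses and IPs anonymised; the first follows the shape of the "Passed BANNED" line in the first post), the verdict-to-setting mapping follows the four defaults listed in the previous post, and the SPAMMY handling assumes amavisd's usual meaning of that category (score above the tag2 level but below the kill level, so no $final_spam_destiny applies).

```python
"""Triage amavisd-new summary log lines: which mail was delivered despite a verdict?

Added example for this thread; not iRedMail or amavisd code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# amavisd summary line: "amavis[PID]: (TASK) Passed BANNED (parts) {ccat}, ..."
SUMMARY_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) "
    r"(?P<action>Passed|Blocked) "
    r"(?P<category>[A-Z]+(?:-[A-Z]+)*)(?:-\d+)?"   # BANNED, INFECTED, BAD-HEADER-8 ...
    r"(?: \((?P<parts>[^)]*)\))?"                  # banned part names / virus names
    r" \{(?P<ccat>[^}]*)\}"                        # e.g. RelayedTaggedOutbound
)
ENVELOPE_RE = re.compile(r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>")
QUEUED_RE = re.compile(r"queued_as: (?P<qid>[^,\s]+),")

# Which amavisd.conf variable decides the final action for each verdict
# (the four defaults quoted in the thread: virus D_DISCARD, the rest D_PASS).
DESTINY_SETTING = {
    "INFECTED": "$final_virus_destiny",
    "BANNED": "$final_banned_destiny",
    "SPAM": "$final_spam_destiny",
    "BAD-HEADER": "$final_bad_header_destiny",
}


@dataclass
class Verdict:
    task: str
    action: str                 # "Passed" or "Blocked"
    category: str               # CLEAN, BANNED, INFECTED, SPAM, SPAMMY, BAD-HEADER
    parts: str                  # banned filenames / virus names, "" if none
    ccat: str                   # content-category flags from the braces
    sender: str
    rcpt: str
    queued_as: Optional[str]    # Postfix queue id after re-injection, if passed

    @property
    def delivered(self) -> bool:
        # "Passed" means amavisd handed the mail back to Postfix (port 10025 in
        # the thread); "Blocked" means it never reached a mailbox.
        return self.action == "Passed"

    @property
    def delivered_despite_verdict(self) -> bool:
        return self.delivered and self.category != "CLEAN"

    @property
    def setting(self) -> Optional[str]:
        return DESTINY_SETTING.get(self.category)


def parse_verdict(line: str) -> Optional[Verdict]:
    """Parse one log line; return None for non-amavisd lines (postfix/smtpd etc.)."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    env = ENVELOPE_RE.search(line)
    q = QUEUED_RE.search(line)
    return Verdict(
        task=m["task"], action=m["action"], category=m["category"],
        parts=m["parts"] or "", ccat=m["ccat"],
        sender=env["sender"] if env else "", rcpt=env["rcpt"] if env else "",
        queued_as=q["qid"] if q else None,
    )


def triage(log_lines) -> List[Verdict]:
    """Return verdicts for mail that was passed to a mailbox despite a non-clean verdict."""
    return [v for v in map(parse_verdict, log_lines) if v and v.delivered_despite_verdict]


def explain(v: Verdict) -> str:
    """Name the amavisd.conf knob responsible for a delivered-despite-verdict finding."""
    if v.setting is None:
        # Assumption: SPAMMY = above tag2 level, below kill level; only tagged.
        return f"{v.category}: tagged only (below kill level); review $sa_kill_level_deflt"
    return f"{v.category} delivered because {v.setting} = D_PASS; set D_DISCARD and quarantine"


# Constructed sample log (anonymised). Line 1 mirrors the thread's Passed BANNED line.
SAMPLE_LOG = [
    "Mar 26 20:53:58 mx amavis[3102]: (03102-03) Passed BANNED (.exe,.exe-ms,Court_Notice.exe) "
    "{RelayedTaggedOutbound}, LOCAL [192.0.2.10]:5970 [192.0.2.10] <sender@example.net> -> "
    "<user@example.com>, Message-ID: <a@example.net>, mail_id: 24cyMsygNso9, Hits: 3.419, "
    "size: 109901, queued_as: 5E544DB266A, 1268 ms",
    "Mar 26 20:54:10 mx amavis[3102]: (03102-04) Blocked INFECTED (Eicar-Test-Signature) "
    "{DiscardedInbound,Quarantined}, [198.51.100.7]:40312 [198.51.100.7] <evil@example.org> -> "
    "<user@example.com>, quarantine: v/virus-a, Message-ID: <b@example.org>, mail_id: abcDEF, "
    "Hits: -, size: 2048, 512 ms",
    "Mar 26 20:54:11 mx amavis[3102]: (03102-05) Passed CLEAN {RelayedInbound}, [203.0.113.5]:52000 "
    "[203.0.113.5] <alice@example.org> -> <user@example.com>, Message-ID: <c@example.org>, "
    "mail_id: zzz, Hits: 0.1, size: 4096, queued_as: 7A1B2C3D4E, 300 ms",
    "Mar 26 20:54:12 mx amavis[3102]: (03102-06) Passed SPAMMY {RelayedTaggedInbound}, "
    "[203.0.113.9]:52001 [203.0.113.9] <promo@example.org> -> <user@example.com>, "
    "Message-ID: <d@example.org>, mail_id: yyy, Hits: 7.2, size: 8192, queued_as: 8B2C3D4E5F, 900 ms",
    "Mar 26 20:54:13 mx postfix/smtp[3410]: C043BDB2632: to=<user@example.com>, "
    "relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok: queued as 5E544DB266A)",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v.task} {v.sender} -> {v.rcpt} queued_as={v.queued_as}: {explain(v)}")
```

Run it against /var/log/maillog (`triage(open("/var/log/maillog"))`) and the queued_as field of each finding is the Postfix queue id you can follow to the `relay=dovecot ... status=sent` line, which is the same chain the first post shows. The script keys on the Passed/Blocked word rather than on the verdict because, as post 3 explains, the verdict and the final action are decided by different settings.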
5

Re: Why does email with virus get delivered?

So I configured the quarantine... and it's working. I got some spam and banned messages sent by some spam checker website, and they didn't get delivered and appeared in the quarantine list.

I did come across a small bug though... I tried releasing a spam message, which did work, but right after that iRedAdmin Pro took me to

https://mail.domain.tld/iredadmin/activities/quarantined?msg=RELEASED   <-- real domain name replaced for privacy reasons

showing only this error message on the page:

internal server error

It's not really a problem but still worth solving I suppose.

Cheers!

6 (edited by Dominique 2014-03-28 17:49:12)

Re: Why does email with virus get delivered?

and

https://mail.domain.tld/iredadmin/activities/quarantined

gives me the same error message... I can only open the pages for a specific type (spam/virus/banned).

EDIT: this turned the issue into something that is almost annoying.

7

Re: Why does email with virus get delivered?

Is there any related error in the Apache log file? Apache always logs a related error for an "internal server error".

8

Re: Why does email with virus get delivered?

Yes, there is:

[error]  Traceback (most recent call last):
[error]    File "/usr/lib/python2.6/site-packages/web/application.py", line 239, in process
[error]      return self.handle()
[error]    File "/usr/lib/python2.6/site-packages/web/application.py", line 230, in handle
[error]      return self._delegate(fn, self.fvars, args)
[error]    File "/usr/lib/python2.6/site-packages/web/application.py", line 420, in _delegate
[error]      return handle_class(cls)
[error]    File "/usr/lib/python2.6/site-packages/web/application.py", line 396, in handle_class
[error]      return tocall(*args)
[error]    File "/var/www/iredadmin/controllers/decorators.py", line 11, in proxyfunc
[error]      return func(self, *args, **kw)
[error]    File "/var/www/iredadmin/controllers/amavisd/log.py", line 154, in GET
[error]      page = int(quarantined_type) or 1
[error]  TypeError: int() argument must be a string or a number, not 'NoneType' 

9

Re: Why does email with virus get delivered?

Sorry about this trouble. Does this thread help?
http://www.iredmail.org/forum/topic5989 … mails.html

10

Re: Why does email with virus get delivered?

It did help... thanks! Quite interesting how iRedAdmin-Pro is turning into a hobby kit when following that thread.