1 (edited by vinacc 2017-02-01 13:48:25)

Topic: Amavisd Blocked BANNED

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
====

A few days ago I did a clean install of new iRedMail v0.9.6. Today on logwatch I see this message:

**Unmatched Entries**
       1   (24043-03) Blocked BANNED (.asc,hotmail.com!domain.com!1485813600!1485900000.xml) {NoBounceInbound}, [65.54.190.152]:50474 [65.54.190.188] <dmarcrep@microsoft.com> -> , Queue-ID: 0E7862471E, Message-ID: <BAY004-OMC3S14PLlxw0012b686@bay004-omc3s14.hotmail.com>, mail_id: naEL0OyZZDDP, Hits: -, size: 2367, 113 ms
       1   (18956-09) Blocked BANNED (.xml,google.com!domain.com!1485734400!1485820799.xml) {NoBounceInbound}, [209.85.213.201]:36369 [209.85.213.201] <noreply-dmarc-support@google.com> -> , Queue-ID: DD41524B00, Message-ID: <12638144341835416940@google.com>, mail_id: Yo_iTfs7HLaW, Hits: -, size: 3412, dkim_sd=20161025:google.com, 177 ms
       1   (18955-09) Blocked BANNED (.xml,google.com!domain.com!1485734400!1485820799.xml) {NoBounceInbound}, [209.85.192.202]:37700 [209.85.192.202] <noreply-dmarc-support@google.com> -> , Queue-ID: 2ECCE24B00, Message-ID: <13840407389445864435@google.com>, mail_id: ZFJ0yiaQlirp, Hits: -, size: 3371, dkim_sd=20161025:google.com, 129 ms

Given that I have always received correctly DMARC report why now have to quarantine? I tried to release them with amavisd-release but the folder /var/lib/amavis/virusmails appears to be empty and so there is nothing to release. Why?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Stable release is out.

2

Re: Amavisd Blocked BANNED

It's banned, not quarantined, so there's no email you can release.

3

Re: Amavisd Blocked BANNED

ZhangHuangbin wrote:

It's banned, not quarantined, so there's no email you can release.

can you tell me why it was banned? It depends on version 0.9.6?

4

Re: Amavisd Blocked BANNED

Does your "postmaster@<your_domain>" user receive any email notification about banned email?

5 (edited by dsp3 2017-02-02 01:22:54)

Re: Amavisd Blocked BANNED

vinacc wrote:
ZhangHuangbin wrote:

It's banned, not quarantined, so there's no email you can release.

can you tell me why it was banned? It depends on version 0.9.6?

It happened because version 0.96 has changed amavisd.conf to something which isn't working correctly:
See here: http://www.iredmail.org/docs/upgrade.ir … in-amavisd

6

Re: Amavisd Blocked BANNED

ZhangHuangbin wrote:

Does your "postmaster@<your_domain>" user receive any email notification about banned email?

No, no mail on postmaster@<your_domain>

7

Re: Amavisd Blocked BANNED

dsp3 wrote:
vinacc wrote:
ZhangHuangbin wrote:

It's banned, not quarantined, so there's no email you can release.

can you tell me why it was banned? It depends on version 0.9.6?

It happened because version 0.96 has changed amavisd.conf to something which isn't working correctly:
See here: http://www.iredmail.org/docs/upgrade.ir … in-amavisd

Seen. For me at the moment the only blocks concern DMARC report they generally provide zipped XML file. Does not seem to me that the new configuration of amavisd blocks XML. Some idea?

8

Re: Amavisd Blocked BANNED

Please remove 'zip|' in '$banned_filename_re'.

9

Re: Amavisd Blocked BANNED

ZhangHuangbin wrote:

Please remove 'zip|' in '$banned_filename_re'.

I have, but it still doesn't work:

Feb  3 12:38:04 mail amavis[18960]: (18960-01) Blocked BANNED (.dat,image1.wmf) {NoBounceInternal},

This is when sending .xlsx file created in Libreoffice

10

Re: Amavisd Blocked BANNED

dsp3 wrote:
ZhangHuangbin wrote:

Please remove 'zip|' in '$banned_filename_re'.

I have, but it still doesn't work:

Feb  3 12:38:04 mail amavis[18960]: (18960-01) Blocked BANNED (.dat,image1.wmf) {NoBounceInternal},

This is when sending .xlsx file created in Libreoffice

Did you restart amavis after making the change?

11

Re: Amavisd Blocked BANNED

mir wrote:
dsp3 wrote:
ZhangHuangbin wrote:

Please remove 'zip|' in '$banned_filename_re'.

I have, but it still doesn't work:

Feb  3 12:38:04 mail amavis[18960]: (18960-01) Blocked BANNED (.dat,image1.wmf) {NoBounceInternal},

This is when sending .xlsx file created in Libreoffice

Did you restart amavis after making the change?

Yes

12 (edited by ThASattler 2017-02-04 23:53:47)

Re: Amavisd Blocked BANNED

Hi dsp3,

you should enable administrator notifying about banned mails

change in /etc/amavis/conf.d/50-user:

$banned_admin = undef;,

to

[b]$banned_admin = "root\@$mydomain";,[/b]

then postmaster gets an email and you can post the head of the mail in the forum.

I suppose the reason is [edit] (this was not right):
   

 [qr'T=x-(msdownload|msdos-program|msmetafile|wmf)(,|\t)'xmi => 'DISCARD'],

13

Re: Amavisd Blocked BANNED

ThASattler wrote:

Hi dsp3,

you should enable administrator notifying about banned mails

change in /etc/amavis/conf.d/50-user:

$banned_admin = undef;,

to

$banned_admin = "root\@$mydomain";,

and then post the mail to postmaster in the forum.

I suppose the reason is:
   

 [qr'T=x-(msdownload|msdos-program|msmetafile|wmf)(,|\t)'xmi => 'DISCARD'],

Thanks for the reply ThASattler. Here is the postmaster message:

No viruses were found.

Banned name: .dat,image1.wmf
Content type: Banned
Internal reference code for the message is 24692-01/Zp-8Kcybv8KU

14 (edited by ThASattler 2017-02-05 00:07:01)

Re: Amavisd Blocked BANNED

dsp3 wrote:

Thanks for the reply ThASattler. Here is the postmaster message:

No viruses were found.

Banned name: .dat,image1.wmf

The reason of banning this mail is there is an attached file with file extension .wmf.
You can remove 'wmf|' in section of  '# Dangerous file name extensions' in Amavisd config file.

15

Re: Amavisd Blocked BANNED

ThASattler wrote:
dsp3 wrote:

Thanks for the reply ThASattler. Here is the postmaster message:

No viruses were found.

Banned name: .dat,image1.wmf

The reason of banning this mail is there is an attached file with file extension .wmf.
You can remove 'wmf|' in section of  '# Dangerous file name extensions' in Amavisd config file.

There isn't a .wmf attachment. There is only an .xlsx file attached. As this is a test email, I know what is in it.
This new feature I will be keeping off our production server until I can explore further.

16

Re: Amavisd Blocked BANNED

dsp3 wrote:

There isn't a .wmf attachment. There is only an .xlsx file attached. As this is a test email, I know what is in it.
This new feature I will be keeping off our production server until I can explore further.

A .xlsx file is virtually a zip archive containing a number of files so maybe the .xlsx zip archive contains a .wmf file inside?

17

Re: Amavisd Blocked BANNED

dsp3 wrote:

There isn't a .wmf attachment. There is only an .xlsx file attached. As this is a test email, I know what is in it.
This new feature I will be keeping off our production server until I can explore further.

A "Strict open xml-document (xlsx)" is a zip archiv which could contain a windows meta file picture.
But in my case an excel file example.xlsx with a wmf-picture isn't banned whereas the same file renamed to example.wmf is banned.

18

Re: Amavisd Blocked BANNED

Thanks for the feedback and help. Repacked iRedMail-0.9.6 with this fix, also updated upgrade tutorial.

19

Re: Amavisd Blocked BANNED

ZhangHuangbin wrote:

Thanks for the feedback and help. Repacked iRedMail-0.9.6 with this fix, also updated upgrade tutorial.

Can you tell me what has changed in the amavisd.conf for this fix? As far as I can see there is no difference in what is on the upgrade tutorial page compared to what I had previously. I have refreshed my browser page.

20

Re: Amavisd Blocked BANNED

dsp3 wrote:

Can you tell me what has changed in the amavisd.conf for this fix? As far as I can see there is no difference in what is on the upgrade tutorial page compared to what I had previously. I have refreshed my browser page.

Me too, I would like to know what is changed in update tutorial, but can't find a difference.

21

Re: Amavisd Blocked BANNED

Oops, I changed doc but forgot to commit, will commit later (out of office now).

The changes are:

- don't block "zip"
- don't block "wmf"

22

Re: Amavisd Blocked BANNED

ZhangHuangbin wrote:

Oops, I changed doc but forgot to commit, will commit later (out of office now).

The changes are:

- don't block "zip"
- don't block "wmf"

Thanks. This update appears to have solved the issue.

23

Re: Amavisd Blocked BANNED

ZhangHuangbin wrote:

Oops, I changed doc but forgot to commit, will commit later (out of office now).

The changes are:

- don't block "zip"
- don't block "wmf"

Now it seems to work correctly. Thank you.