1

Topic: Virus detected not returning a notification to sender

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.4
- Deployed with iRedMail Easy or the downloadable installer? Downloaded installer
- Linux/BSD distribution name and version: 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

/var/log/maillog
---------------------
Feb 25 18:47:58 mail postfix/anvil[45117]: statistics: max cache size 1 at Feb 25 18:40:12
Feb 25 18:48:05 mail postfix/submission/smtpd[45980]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.5.0 may not be compatible with OpenSSL 3.0.0
Feb 25 18:48:05 mail postfix/submission/smtpd[45980]: connect from tester.test.com[192.168.50.106]
Feb 25 18:48:05 mail postfix/submission/smtpd[45980]: discarding EHLO keywords: CHUNKING
Feb 25 18:48:05 mail postfix/submission/smtpd[45980]: Anonymous TLS connection established from tester.test.com[192.168.50.106]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Feb 25 18:48:05 mail postfix/submission/smtpd[45980]: discarding EHLO keywords: CHUNKING
Feb 25 18:48:05 mail postfix/submission/smtpd[45980]: 4fLt9K6r6hz1XS673: client=tester.test.com[192.168.50.106], sasl_method=LOGIN, sasl_username=paco@test.com
Feb 25 18:48:05 mail postfix/cleanup[45986]: 4fLt9K6r6hz1XS673: message-id=<20260225184805.004430@tester.test.com>
Feb 25 18:48:05 mail postfix/qmgr[2149]: 4fLt9K6r6hz1XS673: from=<paco@test.com>, size=1203, nrcpt=1 (queue active)
Feb 25 18:48:05 mail postfix/submission/smtpd[45980]: disconnect from tester.test.com[192.168.50.106] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Feb 25 18:48:06 mail postfix/amavis/smtp[45991]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.5.0 may not be compatible with OpenSSL 3.0.0
Feb 25 18:48:06 mail clamd[1089]: /var/spool/amavisd/tmp/amavis-20260225T175832-03091-RiWY7j2c/parts/p002: Eicar-Test-Signature FOUND
Feb 25 18:48:06 mail postfix/10025/smtpd[45994]: connect from localhost[127.0.0.1]
Feb 25 18:48:06 mail postfix/10025/smtpd[45994]: discarding EHLO keywords: CHUNKING
Feb 25 18:48:06 mail postfix/10025/smtpd[45994]: 4fLt9L3d3Yz1XS676: client=localhost[127.0.0.1]
Feb 25 18:48:06 mail postfix/cleanup[45986]: 4fLt9L3d3Yz1XS676: message-id=<VAwL11rjnPbrgZ@mail.test.com>
Feb 25 18:48:06 mail postfix/qmgr[2149]: 4fLt9L3d3Yz1XS676: from=<postmaster@mail.test.com>, size=3013, nrcpt=1 (queue active)
Feb 25 18:48:06 mail postfix/10025/smtpd[45994]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Feb 25 18:48:06 mail amavis[3091]: (03091-03) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInternal,Quarantined}, ORIGINATING LOCAL [192.168.50.106]:56430 ESMTP/ESMTP <paco@test.com> -> <hugo@test.com>, (), quarantine: wL11rjnPbrgZ, Queue-ID: 4fLt9K6r6hz1XS673, Message-ID: <20260225184805.004430@tester.test.com>, mail_id: wL11rjnPbrgZ, b: R_nWynlaM, Hits: -, size: 1203, Subject: "Prueba en adjunto", From: <paco@test.com>, X-Mailer: swaks_v20240103.0_jetmore.org/john/code/swaks/, helo=[172.16.0.106], 470 ms
Feb 25 18:48:06 mail amavis[3091]: (03091-03) Blocked INFECTED (Eicar-Test-Signature), <paco@test.com> -> , Hits: -, tag=2, tag2=6.2, kill=6.9, L/0/0/0
Feb 25 18:48:06 mail postfix/amavis/smtp[45991]: 4fLt9K6r6hz1XS673: to=<hugo@test.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.63, delays=0.07/0.07/0/0.48, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=03091-03 - INFECTED: Eicar-Test-Signature)
Feb 25 18:48:06 mail postfix/qmgr[2149]: 4fLt9K6r6hz1XS673: removed
Feb 25 18:48:06 mail postfix/cleanup[45986]: 4fLt9L3wSTz1XS673: message-id=<VAwL11rjnPbrgZ@mail.test.com>
Feb 25 18:48:06 mail postfix/local[45995]: 4fLt9L3d3Yz1XS676: to=<root@mail.test.com>, relay=local, delay=0.05, delays=0.01/0.03/0/0.01, dsn=2.0.0, status=sent (forwarded as 4fLt9L3wSTz1XS673)
Feb 25 18:48:06 mail postfix/qmgr[2149]: 4fLt9L3wSTz1XS673: from=<postmaster@mail.test.com>, size=3159, nrcpt=1 (queue active)
Feb 25 18:48:06 mail postfix/qmgr[2149]: 4fLt9L3d3Yz1XS676: removed
Feb 25 18:48:06 mail postfix/pipe[45996]: 4fLt9L3wSTz1XS673: to=<postmaster@test.com>, orig_to=<root@mail.test.com>, relay=dovecot, delay=0.11, delays=0.01/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb 25 18:48:06 mail postfix/qmgr[2149]: 4fLt9L3wSTz1XS673: removed
Feb 25 18:51:25 mail postfix/anvil[45982]: statistics: max connection rate 1/60s for (submission:192.168.50.106) at Feb 25 18:48:05
Feb 25 18:51:25 mail postfix/anvil[45982]: statistics: max connection count 1 for (submission:192.168.50.106) at Feb 25 18:48:05
Feb 25 18:51:25 mail postfix/anvil[45982]: statistics: max cache size 1 at Feb 25 18:48:05
-----------------------------------
The virus detection worked properly, and sent a notification mail to postmaster.

But previously (a different iRedMail installation), I ran EXACTLY the same test (same syntax in the swaks command, same version, same installer, and same everything). Only the domain name was different. And in the previous one, in addition to the current behavior (delivered a mail notification to postmaster), it also returned a notification mail to the sender, but not now.

I suppose there is some configuration parameter that was active in the previous one, but is inactive in the current one, or something like that.

Does someone have any idea of the reason for this different behavior?

Thank you in advance,
Tinatiuh


2

Re: Virus detected not returning a notification to sender

I have found the configuration:
/etc/amavisd/amavisd.conf

Current behavior: $final_virus_destiny = D_DISCARD;
Previous behavior: $final_virus_destiny = D_REJECT;

FIXED
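
Added example, not part of the original posts and not iRedMail or Amavis code: a small audit that reads the `$final_*_destiny` assignments from an `amavisd.conf` and reports, per category, whether the original sender hears about a blocked message. The sample config is constructed, the regex is only an approximation of Perl parsing (single-line assignments, last one wins), and the effect summaries are a simplification for a post-queue filter setup like the one in the log above.

```python
import re

# Constructed sample modelled on the two settings quoted in the thread.
SAMPLE_CONF = """\
# $final_virus_destiny = D_BOUNCE;   (commented out, must be ignored)
$final_virus_destiny      = D_REJECT;
$final_banned_destiny     = D_DISCARD;
$final_spam_destiny       = D_PASS;
# override further down the file: Perl keeps the last assignment
$final_virus_destiny = D_DISCARD;  # silently drop
"""

# Simplified summary (assumption of this example) of what the sender sees.
SENDER_EFFECT = {
    "D_PASS": "delivered to recipient, no notice",
    "D_DISCARD": "dropped, sender not notified",
    "D_BOUNCE": "amavisd generates a non-delivery notice to the sender",
    "D_REJECT": "rejected, the MTA bounces the message to the sender",
}

# Anchoring on "$" at the start of the line skips "#"-commented assignments.
ASSIGN = re.compile(r"^\s*\$final_(\w+)_destiny\s*=\s*(D_[A-Z]+)\s*;")


def final_destinies(conf_text):
    """Return {category: disposition}; the last uncommented assignment wins."""
    result = {}
    for line in conf_text.splitlines():
        match = ASSIGN.match(line)
        if match:
            result[match.group(1)] = match.group(2)
    return result


def sender_notified(disposition):
    """True when the disposition leads to a notice reaching the sender."""
    return disposition in ("D_BOUNCE", "D_REJECT")


def report(conf_text):
    """Rows of (category, disposition, effect, sender_notified), sorted."""
    return [
        (cat, disp, SENDER_EFFECT.get(disp, "unknown"), sender_notified(disp))
        for cat, disp in sorted(final_destinies(conf_text).items())
    ]


if __name__ == "__main__":
    for category, disp, effect, notified in report(SAMPLE_CONF):
        print(f"{category:8} {disp:10} notify_sender={notified}  {effect}")
```

Running it against the real `/etc/amavisd/amavisd.conf` on both servers (read the file and pass its text to `report`) makes a difference like the one found in this thread visible without sending a test message.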