NS6.8 amavis, found out something interesting


Using NS6.8 as a standalone mail server behind a UTM gateway.
A user said to me "I thought we were blocking zip files…"
What I think I've found is that the UTM spam scanner module repackages the emails it deems spam as it marks them, and in so doing amavis then cannot see the attachments.

Sep 28 11:44:33 server9b amavis[4412]: (04412-35) ESMTP:[127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20160928T085107-04412-wDur0eHs:  ->  Received: from server9b.domain.com ([127.0.0.1]) by localhost (server9b.domain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 28 Sep 2016 11:44:33 -0700 (MST)
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) Checking: jE6eCYe6LJ5y [45.251.60.162]  -> 
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) p003 1 Content-Type: multipart/mixed
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) p001 1/1 Content-Type: text/plain, size: 167 B, name: 
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) p002 1/2 Content-Type: message/rfc822, size: 15453 B, name: 
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) mangling NO: 0 (was: disclaimer), discl_allowed=0,  -> 
Sep 28 11:44:33 server9b queue/smtpd[6001]: connect from localhost[127.0.0.1]
Sep 28 11:44:33 server9b queue/smtpd[6001]: 85B5AE400D: client=localhost[127.0.0.1], orig_client=unknown[45.251.60.162]
Sep 28 11:44:33 server9b postfix/cleanup[6002]: 85B5AE400D: message-id=<7971527.3121475088273466.JavaMail.root@localhost>
Sep 28 11:44:33 server9b postfix/qmgr[2106]: 85B5AE400D: from=, size=17465, nrcpt=1 (queue active)
Sep 28 11:44:33 server9b queue/smtpd[6001]: disconnect from localhost[127.0.0.1]
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) jE6eCYe6LJ5y FWD from  -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 85B5AE400D
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) Passed CLEAN {RelayedInbound}, [45.251.60.162]:52099 [45.251.60.162]  -> , Message-ID: <7971527.3121475088273466.JavaMail.root@localhost>, mail_id: jE6eCYe6LJ5y, Hits: -, size: 17012, queued_as: 85B5AE400D, 139 ms
Sep 28 11:44:33 server9b transfer/smtpd[5994]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 85B5AE400D; from= to= proto=ESMTP helo=<[45.251.61.183]>
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) size: 17012, TIMING [total 141 ms] - SMTP greeting: 0.9 (1%)1, SMTP EHLO: 0.5 (0%)1, SMTP pre-MAIL: 1.0 (1%)2, SMTP pre-DATA-flush: 1.3 (1%)3, SMTP DATA: 0.2 (0%)3, check_init: 0.1 (0%)3, digest_hdr: 0.2 (0%)3, digest_body: 0.1 (0%)3, collect_info: 0.9 (1%)4, mime_decode: 5 (4%)7, get-file-type2: 5 (4%)11, decompose_part: 0.6 (0%)12, parts_decode: 0.1 (0%)12, check_header: 0.3 (0%)12, AV-scan-1: 47 (33%)45, decide_mail_destiny: 0.4 (0%)45, notif-quar: 0.0 (0%)45, fwd-connect: 2.7 (2%)47, fwd-xforward: 0.2 (0%)48, fwd-mail-pip: 16 (12%)59, fwd-rcpt-pip: 0.1 (0%)59, fwd-data-chkpnt: 0.0 (0%)59, write-header: 0.3 (0%)60, fwd-data-contents: 0.2 (0%)60, fwd-end-chkpnt: 51 (37%)96, prepare-dsn: 0.4 (0%)97, report: 0.9 (1%)97, main_log_entry: 2.4 (2%)99, SMTP pre-response: 0.1 (0%)99, SMTP response: 1.0 (1%)100, unlink-2-files: 0.1 (0%)100, rundown: 0.4 (0%)100
Sep 28 11:44:33 server9b dovecot: lmtp(6010): Connect from local
Sep 28 11:44:33 server9b dovecot: lmtp(6010, user): tIA6JZEP7Fd6FwAAYcTBPg: sieve: msgid=<7971527.3121475088273466.JavaMail.root@localhost>: stored mail into mailbox 'INBOX'
Sep 28 11:44:33 server9b delivery/lmtp[6004]: 85B5AE400D: to=, orig_to=, relay=server9b.domain.com[/var/run/dovecot/lmtp], delay=0.14, delays=0.07/0/0.01/0.07, dsn=2.0.0, status=sent (250 2.0.0  tIA6JZEP7Fd6FwAAYcTBPg Saved)
Sep 28 11:44:33 server9b dovecot: lmtp(6010): Disconnect from local: Client quit (in reset)
Sep 28 11:44:33 server9b postfix/qmgr[2106]: 85B5AE400D: removed
Sep 28 11:44:33 server9b transfer/smtpd[5994]: disconnect from unknown[45.251.60.162]
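As an added example (not part of this thread and not NethServer or amavis code), the script below groups amavis log lines by task id and flags any message whose part listing contains a message/rfc822 wrapper with nothing logged beneath it, which is the shape of the log above: three top-level parts, one of them message/rfc822, and a "Passed CLEAN" verdict. The sample lines are constructed from the lines quoted in this thread; the addresses the forum stripped are replaced with example.org/example.com placeholders, the "Blocked BANNED" verdict line for the second message is written in amavis's usual verdict format, and the third message is made up to show a wrapper whose contents were listed. The interpretation of the second field ("1/2") as the part's placement path in the MIME tree is an assumption about the log format.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the amavis lines quoted in the thread above.
SAMPLE_LOG = """\
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) p003 1 Content-Type: multipart/mixed
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) p001 1/1 Content-Type: text/plain, size: 167 B, name:
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) p002 1/2 Content-Type: message/rfc822, size: 15453 B, name:
Sep 28 11:44:33 server9b amavis[4412]: (04412-35) Passed CLEAN {RelayedInbound}, [45.251.60.162]:52099 [45.251.60.162] <sender@example.org> -> <user@example.com>, Message-ID: <1@localhost>, mail_id: jE6eCYe6LJ5y, Hits: -, size: 17012, queued_as: 85B5AE400D, 139 ms
Sep 29 07:36:51 server9b amavis[14995]: (14995-05) p003 1 Content-Type: multipart/mixed
Sep 29 07:36:51 server9b amavis[14995]: (14995-05) p001 1/1 Content-Type: text/plain, size: 318 B, name:
Sep 29 07:36:51 server9b amavis[14995]: (14995-05) p002 1/2 Content-Type: application/zip, size: 11553 B, name: debit_card_12189f6c.zip
Sep 29 07:36:52 server9b amavis[14995]: (14995-05) Blocked BANNED (application/zip,.zip,debit_card_12189f6c.zip) {DiscardedInbound,Quarantined}, <sender@example.org> -> <user@example.com>, mail_id: AbCdEfGhIjKl, size: 17500, 210 ms
Sep 30 09:00:00 server9b amavis[20000]: (20000-01) p001 1 Content-Type: multipart/mixed
Sep 30 09:00:00 server9b amavis[20000]: (20000-01) p002 1/1 Content-Type: text/plain, size: 100 B, name:
Sep 30 09:00:00 server9b amavis[20000]: (20000-01) p003 1/2 Content-Type: message/rfc822, size: 9000 B, name:
Sep 30 09:00:00 server9b amavis[20000]: (20000-01) p004 1/2/1 Content-Type: multipart/mixed
Sep 30 09:00:00 server9b amavis[20000]: (20000-01) p005 1/2/1/1 Content-Type: text/plain, size: 50 B, name:
Sep 30 09:00:00 server9b amavis[20000]: (20000-01) p006 1/2/1/2 Content-Type: application/zip, size: 8000 B, name: inner.zip
Sep 30 09:00:01 server9b amavis[20000]: (20000-01) Blocked BANNED (application/zip,.zip,inner.zip) {DiscardedInbound,Quarantined}, <sender@example.org> -> <user@example.com>, mail_id: MnOpQrStUvWx, size: 9500, 180 ms
"""

# Task id in parentheses, then the rest of the line.
TASK_RE = re.compile(r"amavis\[\d+\]: \((?P<task>\d+-\d+)\) (?P<rest>.*)$")
# Part lines: "p002 1/2 Content-Type: message/rfc822, size: 15453 B, name:"
# The second field is taken to be the part's placement path in the MIME tree (assumption).
PART_RE = re.compile(
    r"^p(?P<pid>\d+) (?P<placement>[\d/]+) Content-Type: (?P<ctype>[\w.+-]+/[\w.+-]+)"
    r"(?:, size: (?P<size>\d+) B)?(?:, name:\s*(?P<name>.*))?$"
)
VERDICT_RE = re.compile(r"^(?P<verdict>Passed|Blocked) (?P<reason>[A-Z-]+)")


def parse_amavis(log_text):
    """Group amavis log lines by task id, collecting MIME parts and the final verdict."""
    tasks = defaultdict(lambda: {"parts": [], "verdict": None, "reason": None})
    for line in log_text.splitlines():
        m = TASK_RE.search(line)
        if not m:
            continue
        task = tasks[m.group("task")]
        rest = m.group("rest")
        pm = PART_RE.match(rest)
        if pm:
            task["parts"].append({
                "placement": pm.group("placement"),
                "ctype": pm.group("ctype"),
                "size": int(pm.group("size") or 0),
                "name": (pm.group("name") or "").strip(),
            })
            continue
        vm = VERDICT_RE.match(rest)
        if vm:
            task["verdict"] = vm.group("verdict")
            task["reason"] = vm.group("reason")
    return dict(tasks)


def unexpanded_wrappers(tasks):
    """(task_id, placement) for message/rfc822 parts with no parts logged beneath them.

    A wrapper with nothing listed under it means the part listing never reached the
    original message's attachments, which is the symptom described in the thread.
    """
    hits = []
    for task_id, info in sorted(tasks.items()):
        placements = [p["placement"] for p in info["parts"]]
        for p in info["parts"]:
            if p["ctype"] != "message/rfc822":
                continue
            nested = any(q.startswith(p["placement"] + "/") for q in placements)
            if not nested:
                hits.append((task_id, p["placement"], info["verdict"], info["reason"]))
    return hits


if __name__ == "__main__":
    for hit in unexpanded_wrappers(parse_amavis(SAMPLE_LOG)):
        print("review:", hit)
```

Run it against the real amavis log (for example `grep ' amavis\[' /var/log/maillog`) and anything it reports is a message where the wrapper was listed but its contents were not; the third sample message shows that a wrapper whose contents do get listed is not flagged.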

Hi @fasttech,
from the attached log file I can’t see the zip file

It seems very small. Does the delivered message contain the zip file?


Yeah, it’s just this line;

Sep 28 11:44:33 server9b amavis[4412]: (04412-35) mangling NO: 0 (was: disclaimer), discl_allowed=0, <Peck.82@billwilliams.org> -> <user@domain.com>

The zip is attached, I even uploaded it to Google's virus scanner and it hit 11 out of 55 with a 2hr live time.

Whereas now, with the scanner off;

Sep 29 07:36:51 server9b amavis[14995]: (14995-05) p003 1 Content-Type: multipart/mixed
Sep 29 07:36:51 server9b amavis[14995]: (14995-05) p001 1/1 Content-Type: text/plain, size: 318 B, name: 
Sep 29 07:36:51 server9b amavis[14995]: (14995-05) p002 1/2 Content-Type: application/zip, size: 11553 B, name: debit_card_12189f6c.zip
Sep 29 07:36:52 server9b amavis[14995]: (14995-05) p.path BANNED:1

So, is your utm gateway removing the zip? Did I understand correctly?

No.


What? What am I missing?

I guess I’ve not been clear enough. Let me try again.

Yes.

No.

I’m not sure.

Just to be clear, I’m not assigning blame to NS or amavis, nor really even the Untangle gateway software, just that what I’ve seen is that if the Untangle spam scanner triggers against an email as spam, then amavis sees the attachments in the email but is unable to ‘process’ them. I have turned off the spam blocker in Untangle because it was basically useless for this client anyway, I’ve found Thunderbird’s junk filter to be far more effective and accurate. That is why I titled this post the way I did.

I’d like to reproduce it. Can I download the message from somewhere?

That's basically because amavis sees mail that has already been processed. Having two different mail scanning systems is prone to errors.
If you need to process emails, choose where/which device must do it.

It's not message specific, I can do it with any message; it's specific to how Untangle presents the stream to NS when Untangle's spam scanner (spamassassin +) triggers on the email and then 'marks it'. One thing Untangle does is 'repackage' the original email and attach it as an .eml, so the original email with an attachment is now a new email with two attachments. Another thing that confuses the issue is that they've always claimed the traffic is scanned on the fly, that Untangle is not store-and-forward.
I'm wondering if it's a timeout issue, but I can't tell from the log; they have a line in their wiki about adjusting the timeout on Exchange servers if the email isn't delivered.
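The repackaging described in the post above, as an added example that is not from this thread and not Untangle, NethServer or amavis code: a constructed message with a zip attachment is wrapped the way the post describes, as a message/rfc822 attachment of a new outer message, and then checked two ways. A check that only looks at the outer message's immediate attachments sees one message/rfc822 part and no file name; a check that walks the whole MIME tree still finds the zip. The addresses, subject, zip bytes (not a real archive) and the extension blocklist are all placeholders.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed local blocklist of attachment extensions; stands in for whatever the
# banned-file rule on the mail server actually lists.
BLOCKED_EXT = {".zip", ".exe", ".js", ".scr"}


def build_original():
    """Constructed sample: a plain message with one zip attachment (bytes are not a real archive)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your statement"
    msg.set_content("See the attached file.")
    msg.add_attachment(
        b"PK\x03\x04 constructed placeholder, not a real zip",
        maintype="application", subtype="zip",
        filename="debit_card_12189f6c.zip",
    )
    return msg


def wrap_as_spam_report(original):
    """Mimic a gateway that marks a message as spam by attaching the original as message/rfc822."""
    outer = EmailMessage()
    outer["From"] = str(original["From"])
    outer["To"] = str(original["To"])
    outer["Subject"] = "[SPAM] " + str(original["Subject"])
    outer.set_content("The attached message was classified as spam.")
    outer.add_attachment(original)  # an EmailMessage argument becomes a message/rfc822 part
    return outer


def reparse(msg):
    """Serialise and parse again, so the checks run on the bytes a downstream MTA would receive."""
    return BytesParser(policy=policy.default).parsebytes(msg.as_bytes())


def top_level_attachments(msg):
    """Attachments visible without descending into nested messages."""
    return [(p.get_content_type(), p.get_filename()) for p in msg.iter_attachments()]


def all_attachments(msg):
    """Attachments found by walking the full MIME tree; walk() descends into message/rfc822 parts."""
    return [(p.get_content_type(), p.get_filename())
            for p in msg.walk() if p.get_filename()]


def blocked_names(msg):
    """File names anywhere in the tree whose extension is on the blocklist."""
    return [name for _, name in all_attachments(msg)
            if os.path.splitext(name)[1].lower() in BLOCKED_EXT]


if __name__ == "__main__":
    wrapped = reparse(wrap_as_spam_report(build_original()))
    print("top level:", top_level_attachments(wrapped))
    print("full walk:", all_attachments(wrapped))
    print("blocked:  ", blocked_names(wrapped))
```

The point of the round trip through `reparse` is that the same structure arrives on the wire: whichever scanner is last in the chain has to be the one configured to descend into message/rfc822 parts, otherwise the zip inside the .eml is only ever seen as "a message".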

@Stefano_Zamboni I definitely agree with you in this instance, I’ve disabled it, I was really just using it to help the users, but their Thunderbird filters perform much better.

I have left the virus blocker module running on the gateway; it removes the virus on the rare occasion it actually triggers. I'm amazed at how many more emails the ClamAV scanner in NS triggers against than Untangle's paid virus scanner; it's kind of embarrassing for Untangle really. But the point is, if the Untangle virus scanner triggers it strips the file from the email and marks it, so the NS scanners don't have an issue with the email since there's nothing left to scan.