Mail with Bad Content not stored in quarantine

Bugs in eFa 5

Post by buduboti

Hi!

I've configured eFa (MailScanner) to store all emails, but we got a mail yesterday which we cannot release since it's "not found in quarantine."
[Screenshot: Screenshot 2025-04-09 at 21.50.20.png]
In /etc/MailScanner/MailScanner.conf:

Code:

Quarantine Whole Messages = yes
Spam Actions = store deliver header "X-Spam-Status:Yes"
[...]
Also, on the web interface, the message's page shows that the store action is set on the message:
[Screenshot: Screenshot 2025-04-09 at 21.57.44.png]
Still, we can't release it, and I also didn't find the message (4ZX6jR0Q0FzCryB) in /var/spool/MailScanner/quarantine/20250408/spam/ (nor in nonspam).

Here are the logs:

Code:

Apr  8 16:43:22 spam2 postfix/smtpd[3567801]: connect from incomingMailServer[incomingMailServerIP]
Apr  8 16:43:22 spam2 postfix/smtpd[3567801]: Anonymous TLS connection established from incomingMailServer[incomingMailServerIP]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  8 16:43:23 spam2 postfix/smtpd[3567801]: 4ZX6jR0Q0FzCryB: client=incomingMailServer[incomingMailServerIP]
Apr  8 16:43:23 spam2 postfix/cleanup[3567803]: 4ZX6jR0Q0FzCryB: message-id=<messageID@notifications.google.com>
Apr  8 16:43:25 spam2 MSMilter[3567871]: MailWatch: Allowlist refresh time reached
Apr  8 16:43:25 spam2 MSMilter[3567871]: MailWatch: Starting up MailWatch SQL Allowlist
Apr  8 16:43:25 spam2 MSMilter[3567871]: MailWatch: Read 272 allowlist entries
Apr  8 16:43:25 spam2 MSMilter[3567871]: MailWatch: Blocklist refresh time reached
Apr  8 16:43:25 spam2 MSMilter[3567871]: MailWatch: Starting up MailWatch SQL Blocklist
Apr  8 16:43:25 spam2 MSMilter[3567871]: MailWatch: Read 33 blocklist entries
Apr  8 16:43:25 spam2 postfix/cleanup[3567803]: 4ZX6jR0Q0FzCryB: milter-discard: END-OF-MESSAGE from incomingMailServer[incomingMailServerIP]: milter triggers DISCARD action; from=<{FROM_EMAIL}> to=<{TO_EMAIL}> proto=ESMTP helo=<incomingMailServer>
Apr  8 16:43:25 spam2 postfix/smtpd[3567801]: disconnect from incomingMailServer[incomingMailServerIP] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr  8 16:43:28 spam2 MailScanner[3567635]: New Batch: Scanning 1 messages, 311203 bytes
Apr  8 16:43:28 spam2 MailScanner[3567635]: Filename Checks: Very long filename, possible OE attack (4ZX6jR0Q0FzCryB {TOO_LONG_NAME}.pdf)
Apr  8 16:43:28 spam2 MailScanner[3567635]: Other Checks: Found 1 problems
Apr  8 16:43:28 spam2 MailScanner[3567635]: Virus and Content Scanning: Starting
Apr  8 16:43:29 spam2 MailScanner[3567635]: HTML Img tag found in message 4ZX6jR0Q0FzCryB from {FROM_EMAIL}
Apr  8 16:43:29 spam2 MailScanner[3567635]: Spam Checks: Starting
Apr  8 16:43:31 spam2 MailScanner[3567635]: Message 4ZX6jR0Q0FzCryB from incomingMailServerIP ({FROM_EMAIL}) to {DOMAIN} is spam, SpamAssassin (not cached, score=6.144, required 5, ARC_SIGNED 0.00, ARC_VALID 0.00, BAYES_50 0.80, DCC_CHECK 1.10, DKIM_ADSP_CUSTOM_MED 0.00, DKIM_INVALID 0.10, DKIM_SIGNED 0.10, DMARC_REJECT 1.80, HEADER_FROM_DIFFERENT_DOMAINS 0.00, HTML_IMAGE_ONLY_32 0.00, HTML_MESSAGE 0.00, KHOP_HELO_FCRDNS 0.40, NML_ADSP_CUSTOM_MED 0.90, SPF_HELO_NONE 0.00, SPF_SOFTFAIL 0.67, TXREP 0.28)
Apr  8 16:43:31 spam2 MailScanner[3567635]: Spam Checks: Found 1 spam messages
Apr  8 16:43:31 spam2 MailScanner[3567635]: Spam Actions: message 4ZX6jR0Q0FzCryB actions are deliver,header,store
Apr  8 16:43:31 spam2 MailScanner[3567635]: Deleted 1 messages from processing-database
Apr  8 16:43:31 spam2 MailScanner[3567635]: MailWatch: Logging message 4ZX6jR0Q0FzCryB to SQL
Apr  8 16:43:31 spam2 MailWatch SQL[3567637]: MailWatch SQL[3567637]: 4ZX6jR0Q0FzCryB: Logged to MailWatch SQL
Any idea how to solve this problem?
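
The check described in the post (what MailScanner logged for a message ID versus what is actually on disk), as an added example that is not part of the original post and is not eFa or MailScanner code. The function names are hypothetical, the year is passed in because syslog lines omit it, and the third candidate path (a per-message directory directly under the date directory) is an assumption about the quarantine layout; the spam and nonspam paths are the ones named in the post.

```python
import re
from pathlib import Path

# Constructed sample: three lines shaped like the MailScanner entries in the post.
SAMPLE_LOG = """\
Apr  8 16:43:28 spam2 MailScanner[3567635]: Filename Checks: Very long filename, possible OE attack (4ZX6jR0Q0FzCryB example.pdf)
Apr  8 16:43:31 spam2 MailScanner[3567635]: Spam Actions: message 4ZX6jR0Q0FzCryB actions are deliver,header,store
Apr  8 16:43:31 spam2 MailScanner[3567635]: MailWatch: Logging message 4ZX6jR0Q0FzCryB to SQL
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
LINE = re.compile(r"^(\w{3})\s+(\d+) [\d:]+ \S+ MailScanner\[\d+\]: (.*)$")

def trace(log_text, msg_id, year):
    """Collect what MailScanner logged for msg_id: day, content findings, spam actions."""
    info = {"day": None, "content": [], "actions": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or msg_id not in m.group(3):
            continue
        mon, dom, text = m.groups()
        # Quarantine directories are named YYYYMMDD, e.g. 20250408 in the post.
        info["day"] = f"{year:04d}{MONTHS[mon]:02d}{int(dom):02d}"
        if text.startswith("Filename Checks:"):
            info["content"].append(text.split(" (")[0])
        act = re.search(r"Spam Actions: message \S+ actions are (\S+)", text)
        if act:
            info["actions"] = act.group(1).split(",")
    return info

def candidates(root, day, msg_id):
    """Paths to inspect; the last one is an assumed layout, verify it on your install."""
    base = Path(root) / day
    return [base / "spam" / msg_id, base / "nonspam" / msg_id, base / msg_id]

def locate(root, info, msg_id):
    """Compare what the log implies (should be stored) with what exists on disk."""
    if info["day"] is None:
        return {"expected": False, "found": []}
    found = [str(p) for p in candidates(root, info["day"], msg_id) if p.exists()]
    expected = "store" in info["actions"] or bool(info["content"])
    return {"expected": expected, "found": found}

if __name__ == "__main__":
    i = trace(SAMPLE_LOG, "4ZX6jR0Q0FzCryB", 2025)
    print(i, locate("/var/spool/MailScanner/quarantine", i, "4ZX6jR0Q0FzCryB"))
```

A result with `expected` true and `found` empty reproduces the situation in the post: the log records a store action, but nothing exists at any candidate path.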