No Money No Honey

Releasing mail from the quarantine – queue files

For the purposes of this, I’m assuming you have set up a single (safe!) postfix instance, with messages going to the HOLD queue, before being processed by MailScanner and sent to the INCOMING queue. You also need to be saving whole messages as queue files.

In MailScanner.conf ensure that you have

# When you quarantine an entire message, do you want to store it as
# raw mail queue files (so you can easily send them onto users) or
# as human-readable files (header then body in 1 file)?
Quarantine Whole Messages As Queue Files = yes 

Quarantined emails are by default kept in /var/spool/MailScanner/quarantine and sorted into subdirectories by date. With any luck it will be dead easy to find, as MailScanner will have sent a message including text along the lines of either:

A: If it’s a quarantined virus, or other dangerous content.

“Note to Help Desk: Look on the <Your text> in /var/spool/MailScanner/quarantine/20050309 (message
6BC5E368497.3C3A6).” 

MailScanner keeps such quarantined emails in their own directories, thus the directory containing the quarantined message will be (in this example): /var/spool/MailScanner/quarantine/20050309/6BC5E368497.3C3A6. In this directory, you should see the original queue file, named as a 10 digit hex number matching the name of the directory. There should also be copies of any attachments that may have been picked up by the virus scanning engine or file filtering.

B: If it’s a quarantined spam

"Your system administrators will need the following information:
Server name: <Your Server>
Message id: 46EE0E18151.CE630
Date code: 20080509"

MailScanner keeps all spam on a given day in the same directory, thus the directory containing the quarantined message will be (in this example): /var/spool/MailScanner/quarantine/20080509/spam.

If you want to check the original message use:

# postcat <filename>

Releasing an email from quarantine is a simple matter of replacing the queue file back into the Postfix queue, so that it gets sent. The permissions on the file are wrong, however and must be changed.

# chmod 700 <filename>

The file must now be moved into /var/spool/postfix/incoming. There may be 16 directories in there (Collectively referred to as ‘hashed queue files’) each corresponding to a hexadecimal digit, depending which version of Postfix you are running. First check if you have hashed queue files by:

# ls /var/spool/postfix/incoming

If no directories are listed then follow the instructions below but do not add the trailing letter/ number.

The file must be placed in the directory which corresponds to the first digit of the filename. So in the example above, it must go into /var/spool/postfix/incoming/6. We must also be sure to preserve the ownership and permissions of the file when moving it, so we use “cp -p”. If the message is a spam, we must also remove the trailing 6 characters.

Thus for the example above:

# cp –p 6BC5E368497 /var/spool/postfix/incoming/6

or for the example quarantined spam

# cp –p 46EE0E18151.CE630 /var/spool/postfix/incoming/4/46EE0E18151

The email will disappear from the queue and be delivered.

Thanks to Joshua Hirsh for the details and Stef Morrell for writing the document

Releasing mail from the quarantine – with a bash script

Maybe it’s too circuitous for you to do all the steps in the section above to release a mail. For this I wrote a tiny script to release very easily. To use this script you should set the MailScanner environment identically to the article above.

To use this script copy it to a file and make it executable.

The Syntax: release.sh <Message-ID> (e.g. release.sh 5B604228086.932F0)

#!/bin/sh

if [ -z "$1" ]; then
        echo "Syntax: release.sh <Message-ID> i.e. 5B604228086.932F0 (case sensitive)" 
        exit
fi

#change in the quarantine folder
folder=`find /var/spool/MailScanner/quarantine/ -name $1`
cd $folder

#set the mailfile executable
mailname=`echo $1 | cut -d . -f 1`
chmod u+x $mailname

#lets get the first character
char=`echo $1 | cut -b 1-1`

#copy the mail 
cp -a $mailname /var/spool/postfix/incoming/$char/

echo Mail $mailname released

Releasing mail from the quarantine – message files

If you don’t quarantine the complete queue file, but instead have the rfc822 message file, releasing messages are actually a bit simpler (for postfix) than the above, since you can use the postfix sendmail convenience program.

In MailScanner.conf you have

Quarantine Whole Messages As Queue Files = no 

and in the quarantine directory you have a file called message (this is the complete human-readible message, but without the envelope info). Just do

cd /path/to/quarantine/dir
sendmail -t -i < message

to send the message to the recipient(s) as found in the message file, or

cd /path/to/quarantine/dir
sendmail -i alternate_recipient@example.net < message

to send the message to an alternate recipient (of course you can combine them). The -i option is to avoid terminating the message prematurely on a spurious single “.” on a line in the message file.

If you use MailWatch, this can also release the message iff you don’t quarantine the whole message file as the queue file, although this uses a different method to release messages from the GUI.

Releasing mail from the quarantine – queue files postfix (again)

In a larger environment with many hosts and thousands of quarantined emails per day, we’ve found it impractical to reply to each email released or deleted from a queue, and simply process it without fanfare. The code below is modified from the release.sh above to accomodate moving the released mail back into postfix using the original mail ID. In addition, our postfix install required us to rename the queue file to its shortname, that is, the 10 or 11 character filename before postfix would accept the email into the queue.

The Syntax: release.sh <Message-ID> (e.g. release.sh 5B604228086.932F0)

#!/bin/sh

if [ -z "$1" ]; then
        echo "Syntax: release.sh <Message-ID> i.e. 5B604228086.932F0 (case sensitive)" 
        exit
fi

#change in the quarantine folder
folder=`find /var/spool/MailScanner/quarantine/ -name $1 | sed -e "s/$1//g"`
cd $folder

#set the mailfile executable
mailname=`echo $1 | cut -d . -f1`
chmod u+x $1

#lets get the first character
char=`echo $1 | cut -b 1-1`

#copy the mail 
cp -a $1 /var/spool/postfix/incoming/$char/$mailname

The following is for recent postfixes (2.3, 2.4) which seem to have a flat incoming directory:

#!/bin/sh

# this is the final destination for the mail to be released:
# postfix's incoming queue
POSTFIX_DEST=/var/spool/postfix/incoming

# check for valid parameters
if [ -z "$1" ]; then
        echo "Syntax: release.sh <Message-ID>"
        echo "Example: release.sh 678362AC.9CFE7"
        exit
fi

# find the specific mail in the quarantine folders
folder=`find /var/spool/MailScanner/quarantine/ -name $1`

mailname=`echo $1 | cut -d . -f1`

# copy the mail 
if [ -e $POSTFIX_DEST/$mailname ] ; then
        echo "ERROR: $mailname already in $POSTFIX_DEST! EXITING"
        echo "This should not happen"
        exit 255
fi

cp -avi "$folder/$mailname" "$POSTFIX_DEST/$mailname"

# make it 0700 so that the mail is deemed ready
chmod 0700 $POSTFIX_DEST/$mailname

Releasing mail from the quarantine – the one liner

sudo install -m 0700 -o postfix <source message> /var/spool/postfix/incoming

Releasing mail from the quarantine – alias with intelligence

integrate() {
  # integration: antonym of quarantine
  # Pass the message ID as obtained from user's email as $1
  DEST=$(postconf queue_directory | cut -d= -f2)/incoming
  SOURCE=$(find /var/spool/MailScanner/quarantine -name "$1")
  install --verbose --mode=0700 --owner=postfix $SOURCE $DEST
}

Updated bash script

Line 9 on initial bash script returned filename with full path and not folder, as expected. Instructions at the top also used the cp -p option, and not -a. Instead of cd’ing to quarantine folder, this will do the copy and preserve permissions.

#!/bin/sh

if [ -z "$1" ]; then
        echo "Syntax: release.sh <Message-ID> i.e. 5B604228086.932F0 (case sensitive)" 
        exit
fi

#find the quarantined file and set permissions
quarantined_file=`find /var/spool/MailScanner/quarantine/ -name $1`
chmod u+x $quarantined_file

#truncate the filename
mailname=`echo $1 | cut -d . -f 1`

#lets get the first character
char=`echo $1 | cut -b 1-1`

#copy the mail, destination is the truncated filename
cp -p $quarantined_file /var/spool/postfix/incoming/$char/$mailname

echo Mail $mailname released