Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
993
Views
0
Helpful
2
Replies

Released message from Policy Quanrantine

informatique
Level 1
Level 1

‎03-13-2008 09:52 PM

I have a content filter that goes like this :

If attachment==exe then
1. Quarantine - duplicate-quarantine("Policy")
2. Strip Attachment by File Info - drop-attachments-by-filetype("Executable")

It seems to be working fine. The recipient get the email without attachment and there's a copy of the original email with the attachment in the quarantine. My problem is when I try to release the original message I never get it. If I use the "send a copy" option in the quarantine, the user gets a copy. But releasing doesn't seem to work. Message tracking in Exchange 2003 doesn't find anything.

Anyone have any idea what's going on?

Here's a snippet of the mail_logs :

Thu Mar 13 15:39:27 2008 Info: MID 1600484 antivirus negative
Thu Mar 13 15:39:27 2008 Info: MID 1600484 queued for delivery
Thu Mar 13 15:39:27 2008 Info: Delivery start DCID 504524 MID 1600484 to RID [0]
Thu Mar 13 15:39:27 2008 Info: Message done DCID 504524 MID 1600484 to RID [0]
Thu Mar 13 15:39:27 2008 Info: MID 1600484 RID [0] Response '2.6.0 <f4aed9e81f2dd> Queued mail for delivery'
Thu Mar 13 15:39:27 2008 Info: Message finished MID 1600484 done

1 person had this problem
Labels:
0 Helpful
2 Replies 2

kluu_ironport
Level 2
Level 2

‎03-21-2008 12:01 AM

When something gets released from the Policy quarantine, the entry in the "mail_logs" should look something like this:


Thu Mar 20 22:54:59 2008 Info: MID 530 released from quarantine "Policy" (manual) t=331
Thu Mar 20 22:54:59 2008 Info: MID 530 released from all quarantines
Thu Mar 20 22:54:59 2008 Info: MID 530 matched all recipients for per-recipient policy DEFAULT in the outbound table
Thu Mar 20 22:54:59 2008 Info: MID 530 queued for delivery

Search for this on your command line:


grep -i "released from quarantine \"Policy\"" mail_logs

0 Helpful

bddgrw_ironport
Level 1
Level 1

‎10-16-2008 10:33 AM

I had the same problem. The Problem is, if the Message is released from Quarantine the same Message-ID is used. The Exchange Server doesn't recognize that a new mail has been send.

To solve that Problem you have to strip Message-ID in the E-Mail Header first with an Action Rule like strip-header("Message-ID") before you Quarantine the mail. Now the Mail gets a new Message-ID and the Exchange-Server will send the released Mail properly.

Hope that will help you.

Regards,
Andreas

0 Helpful
Customers Also Viewed These Support Documents