Missing quarantine report

Prefetch mode is switched off.

When spam arrives, sophos blocks this mail and notify me with an "E-mail blocked ...." mail.

But I would prefer, not getting those mails, but instead getting once or twice a day a quarantine report.

Any ideas?

Hallo,

"Prefetch" only applies to the POP3 Proxy.  The SMTP Proxy is a mail transfer agent (MTA) that receives/rejects emails sent to you.  Depending on your settings, mail that appears to be SPAM will be quarantined.  If you have properly configured 'Mail Protection >> Quarantine Report' and a user is known to the UTM, the user will receive Quarantine Reports instead of  individual alerts - see #6 in Rulz (last updated 2019-04-17).

Cheers - Bob

Hello Bob,

not sure what could be wrong configured in "Mail Protection >> Quarantine Report"..

There's only to configure the time and exceptions (nothing entered) and on advanced

for the Host the internal IP adress of the sophos with unchanged port and allowed internal network addresses.

Furthermore, the users are known to the UTM by sync from AD.

Any other ideas what might be the problem?

Internal system reports from Sophos are getting delivered....

Smpt Log just shows up following:

2019:12:30-14:52:17 router smtpd[5706]: MASTER[5706]: (Re-)loading configuration from Confd
2019:12:30-14:52:17 router smtpd[5706]: MASTER[5706]: Past 07:00:00, QR status one set to 'sent'
2019:12:30-14:52:17 router smtpd[5706]: MASTER[5706]: Past 14:45:00, QR status two set to 'sent'
2019:12:30-14:52:17 router exim-in[5799]: 2019-12-30 14:52:17 pid 5799: SIGHUP received: re-exec daemon
2019:12:30-14:52:17 router exim-in[5799]: 2019-12-30 14:52:17 exim 4.82_1-5b7a7c0-XX daemon started: pid=5799, no queue runs, listening for SMTP on port 25 (IPv4) port 587 (IPv4) and for SMTPS on port 465 (IPv4)

Greetings,

Joe

Verzeihung!

I didn't read your initial post closely enough.  The Quarantine Report is only sent if there are new items in the quarantine since the user last received a Quarantine report.  To see emails that were delivered, rejected, bounced or blackholed, the user must login to the User Portal.

Cheers - Bob

Thanks Bob,

but although I do get recognized/marked Spam (as I can see in the User Portal and in my Inbox), I don't get any quarantine report.

I do get all the other system mails, but no quarantine reports....

Any other idea?

Does the following command indicate that you had items quarantined today?

grep quarantined /var/log/smtp.log|more

Cheers - Bob

Does the following command indicate that you had items quarantined today?

grep quarantined /var/log/smtp.log|more

Cheers - Bob

no "quarantined" at all in the smtp.log

Anyways I get recognized SPAM mails every day, marked with "E-Mail blocked" at the beginning of the mail-subject.

This are my settings for the Spam-Filter

Ahhhhh - POP3, not SMTP!

Please show us a picture of the 'POP3 Servers and Prefetch Settings' box on the 'Advanced' tab of 'POP3'.

Have you read the Help for the Quarantine Report?  When you log in to the User Portal, do you see a tab labeled 'POP3 Quarantine'?

Cheers - Bob

Hi, here's the pop3-log:

grep quarantined pop3.log|more

2020:01:24-01:15:26 mailintext pop3proxy[16753]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from="info@centauri.co.in" to="xxx" subject="Nieder m it den Betrügen!" size="4392" srcip="213.32.103.71" dstip="xxx" uid="00012a964cfe800b" ident="0/16753-1-1579824925" reason="as" extra="confirmed" 2020:01:24-01:39:37 mailintext pop3proxy[19446]: Cleanup: dropped_orphans=0, dropped_cache_files=0, dropped_quarantined_messages=0, delete_marked_messages=1
2020:01:24-03:39:36 mailintext pop3proxy[31819]: Cleanup: dropped_orphans=1, dropped_cache_files=0, dropped_quarantined_messages=0, delete_marked_messages=2
2020:01:24-05:39:37 mailintext pop3proxy[10130]: Cleanup: dropped_orphans=2, dropped_cache_files=0, dropped_quarantined_messages=0, delete_marked_messages=1
2020:01:24-07:29:12 mailintext pop3proxy[26046]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from="c.sonzogni@cham-savoie.fr" to="" subject="Sehr geehrter E-Mail-Be sitzer !!!" size="5758" srcip="152.76.130.18" dstip="xxx" uid="00012b824cfe8247" ident="0/26046-1-1579847352" reason="as" extra="confirmed"
20202020:01:24-07:39:36 mailintext pop3proxy[27257]: Cleanup: dropped_orphans=1, dropped_cache_files=0, dropped_quarantined_messages=0, delete_marked_messages=1
2020:01:24-07:41:12 mailintext pop3proxy[27350]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from="c.sonzogni@cham-savoie.fr" to="" subject="Sehr geehrter E-Mail-Be sitzer !!!" size="5767" srcip="152.76.130.18" dstip="xxx" uid="00012b834cfe8247" ident="0/27350-1-1579848072" reason="as" extra="confirmed" 2020:01:24-09:11:11 mailintext pop3proxy[6130]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from="ohrichon@gmail.com" to="undisclosed-recipients: ;" subject="Good d ay." size="3649" srcip="142.93.184.30" dstip="xxx" uid="00012b874cfe8247" ident="0/6130-1-1579853471" reason="as"
2020:01:24-09:29:12 mailintext pop3proxy[9876]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from="ericpaxnoe@yourpartsbank.com" to="xxx" subject="Roh r sauber halten" size="7155" srcip="83.143.119.52" dstip="xxx" uid="00012b8a4cfe8247" ident="0/9876-1-1579854551" reason="as"
2020:01:24-09:39:37 mailintext pop3proxy[11552]: Cleanup: dropped_orphans=1, dropped_cache_files=0, dropped_quarantined_messages=0, delete_marked_messages=1
2020:01:24-10:03:12 mailintext pop3proxy[15738]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from="ericpahnoe@gwappliancerepair.com" to="xxx" subject ="Rohr sauber halten" size="7088" srcip="83.143.119.52" dstip="xxx" uid="00012b8d4cfe8247" ident="0/15738-2-1579856592" reason="as"

and here's the "POP3 Servers and Prefetch Settings' box":

the listed server is the external mail provider, from where I get the mails by pop3.

The user portal looks like this (unfortunately only in german)

not sure if the translation from "pop3 quarantine" is "Mail-Quarantäne".

I will check Sophos Help...

Hallo Joe,

Deutsch ist meine zweite Sprache - habe ein Jahr bei IBM Deutschland in Berlin gearbeitet.

That there's only a "Mail-Quarantäne" tab means that you don't receive SMTP emails.  If you did, you would instead see "POP3-Quarantäne" and "SMTP-Quarantäne."

Once I realized you were using POP3, I should have re-read the beginning of the thread.  I'm almost certain that 'prefetch mode' must be enabled for a Quarantine Report to be generated, but it's been several years since I last configured the POP3 Proxy for a client.  If some people are getting Quarantine Reports even with prefetch disabled, then check that the User object for user A has the correct email address.

Cheers - Bob