For a few months we have had an unusual problem with our Sophos UTM, which acts as an SMTP proxy only. Sometimes we get "zombie emails" which clog up the whole email processing of the SMTP proxy. I will try to explain the problem as accurately as possible:
- for example, a "zombie email" arrives at 09:00 am and is moved to the work queue
- from this moment on, no newly delivered or sent emails show up in the SMTP log in Mail Manager
- on the Mail Manager "overview" page, the counter of emails which "wait to be delivered (spooled)" increases
- in the smtp.log via the CLI, emails arrive and are only "moved to work queue"
- the directory "/var/chroot-smtp/spool/work/" fills up with files
At this point no email is delivered, neither inbound nor outbound; they are only moved to the work queue. CPU usage rises to 90%-100%.
After a random time span, for example 15 or 30 minutes, an email appears in Mail Manager under "SMTP spool" with status "error". Now all spooled mails are processed and delivered. If you select "retry" as the action, the process starts again: everything breaks and nothing is sent, as described above. The only way to handle this is to download the email and send it to the internal recipient via Outlook. After this we have to delete this email from the Sophos UTM.
So we tried to figure out what the problem with these emails is. We downloaded the emails and opened them. In every case there was a PDF file attached. But not a "normal" PDF: it was the kind of PDF file that asks to be saved when closing it (like a PDF form). In most cases it was a PDF created by one of these handy-dandy smartphone PDF scan apps. It made no difference to switch between dual-scan / single-scan or between the Avira and Sophos AV engines. I think making an exclusion for PDF attachments is not a good way either. We had firmware 9.704 and updated to 9.705, but it did not solve the problem.
Has anybody had this problem too? I tried to figure it out with Sophos support, but this was a nightmare. The case got closed because I surrendered.
Sorry for my unusual expressions, but I am struggling very hard with this problem and with Sophos support. Maybe anyone can help me with that!
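Added example, not part of the original post and not Sophos code: a small triage script that walks a spool directory (or a folder of messages downloaded from Mail Manager), parses each file as an RFC 5322 message and reports which PDF attachments carry an interactive-form dictionary. It lets you pick out the "PDF form" candidates described above without opening every stuck message by hand. Assumptions, labelled in the code: the spool path is the one named in the post; each file is a raw message (if the UTM stores its own envelope format in /var/chroot-smtp/spool/work/, point the script at downloaded .eml copies instead); and the markers /AcroForm, /NeedAppearances true and /XFA are the heuristic used to call a PDF a "form", which is the editor's choice, not a Sophos definition. The two sample PDFs and messages are constructed for the demo.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumption: the directory named in the post. Any directory of raw messages works.
SPOOL_DIR = "/var/chroot-smtp/spool/work"

# Assumption (heuristic, not a Sophos rule): a PDF with an interactive-form
# dictionary (/AcroForm), an XFA form (/XFA) or the "regenerate appearances"
# flag (/NeedAppearances true) is the kind of "ask to save on close" PDF the
# post describes. The byte search is crude but works without a PDF library.
FORM_MARKERS = (b"/AcroForm", b"/NeedAppearances true", b"/XFA")


def pdf_is_form(data: bytes) -> bool:
    """True if the bytes look like a PDF and contain one of the form markers."""
    return data.startswith(b"%PDF") and any(m in data for m in FORM_MARKERS)


def form_pdf_attachments(raw: bytes) -> list:
    """Return the filenames of PDF attachments in a raw message that match the heuristic."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename() or ""
        is_pdf = (part.get_content_type() == "application/pdf"
                  or filename.lower().endswith(".pdf"))
        if not is_pdf:
            continue
        payload = part.get_payload(decode=True) or b""
        if pdf_is_form(payload):
            hits.append(filename or "<unnamed>")
    return hits


def scan_spool(spool_dir: str) -> dict:
    """Map spool filename -> list of suspicious PDF attachment names, for files that have any."""
    results = {}
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            hits = form_pdf_attachments(fh.read())
        if hits:
            results[name] = hits
    return results


# Constructed sample data for a stand-alone demo; not captured from a real system.
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
FORM_PDF = (b"%PDF-1.6\n1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n"
            b"2 0 obj << /NeedAppearances true /Fields [] >> endobj\n%%EOF\n")


def build_sample(pdf_bytes: bytes, filename: str) -> bytes:
    """Build a constructed multipart message with one PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "scan"
    msg.set_content("see attachment")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    # Real run if the spool directory exists, otherwise demo on the constructed samples.
    if os.path.isdir(SPOOL_DIR):
        for fname, pdfs in scan_spool(SPOOL_DIR).items():
            print(f"{fname}: {', '.join(pdfs)}")
    else:
        print("form:", form_pdf_attachments(build_sample(FORM_PDF, "scan.pdf")))
        print("plain:", form_pdf_attachments(build_sample(PLAIN_PDF, "scan.pdf")))
```

Run it on the UTM as root (or on a copy of the spool) while the queue is stuck; the files it lists are the ones to download and test first. A match only means "this PDF contains form data", so confirm by reproducing with that single message rather than treating the marker as proof.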
Are you using Sandbox? Maybe there is a relationship. Just a guess.
I forgot to say that it makes no difference if Sandstorm is enabled / disabled. But this could have been a good point.
Thanks for your reply!