No Mails in Mail Manager since Update 9.706-9

Hi,

In most cases spam mails get sorted into the Mail Manager for a human check.

Since update 9.706-9 there are no mails in the Mail Manager.

What happened?



  • What do you see on the 'SMTP Log' tab, Wolfgang?  What result do you get from the following?

         du -shx /var/chroot-smtp/spool/quarantine/*

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    here we go:

    /root # du -shx /var/chroot-smtp/spool/quarantine/*


    252K /var/chroot-smtp/spool/quarantine/0
    0 /var/chroot-smtp/spool/quarantine/quarantine.lock

  • 252K means that the quarantine is empty (4K x 63 directories), Wolfgang, so it's not a database issue.

    Are you seeing emails delivered that would have been quarantined in the past?

    Cheers - Bob

     
  • Yes, I get a LOT more spam than before!

  • Show us the lines from the SMTP log for a spam that should have been quarantined.

    Cheers - Bob

     
  • Hi Bob, I am coming back to this on Friday.

  • By the way, do you wanna see mails from the Mail Manager SMTP log or from the complete SMTP log?

  • Definitely from the complete SMTP log file, Wolfgang.

    Cheers - Bob

     
  • Ok, here we go, if you need more let me know:

    2021:06:23-21:31:27 matrix exim-in[11289]: 2021-06-23 21:31:27 SMTP connection from [199.116.112.134]:56350 (TCP/IP connection count = 1)
    2021:06:23-21:31:29 matrix exim-in[1441]: 2021-06-23 21:31:29 H=srv5.sevaa.com [199.116.112.134]:56350 Warning: Exception matched: Skipping greylisting for this message
    2021:06:23-21:31:29 matrix exim-in[1441]: 2021-06-23 21:31:29 H=srv5.sevaa.com [199.116.112.134]:56350 Warning: domain.net profile excludes SANDBOX scan
    2021:06:23-21:31:29 matrix exim-in[1441]: 2021-06-23 21:31:29 [199.116.112.134] F=<julianhernandez@onemoresponsor.com> R=<mail@goes.here> Verifying recipient address with callout
    2021:06:23-21:31:30 matrix exim-in[1441]: 2021-06-23 21:31:30 1lw8av-0000NF-12 sasi reports probability: 0.109877, version: Antispam-Engine: 4.1.4, AntispamData: 2021.6.23.190316
    2021:06:23-21:31:30 matrix exim-in[1441]: 2021-06-23 21:31:30 1lw8av-0000NF-12 <= julianhernandez@onemoresponsor.com H=srv5.sevaa.com [199.116.112.134]:56350 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=4532 id=E1lw8ap-00Fent-Lm@srv5.sevaa.com
    2021:06:23-21:31:30 matrix exim-in[1441]: 2021-06-23 21:31:30 SMTP connection from srv5.sevaa.com [199.116.112.134]:56350 closed by QUIT
    2021:06:23-21:31:31 matrix smtpd[11283]: QMGR[11283]: 1lw8av-0000NF-12 moved to work queue
    2021:06:23-21:31:40 matrix smtpd[1459]: SCANNER[1459]: 1lw8b6-0000NX-5E <= julianhernandez@onemoresponsor.com R=1lw8av-0000NF-12 P=INPUT S=984
    2021:06:23-21:31:40 matrix smtpd[1459]: SCANNER[1459]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="199.116.112.134" from="julianhernandez@onemoresponsor.com" to="mail@goes.here" subject="Ein halb Steifer kommt sicher nicht gut an" queueid="1lw8b6-0000NX-5E" size="984"
    2021:06:23-21:31:40 matrix smtpd[1459]: SCANNER[1459]: 1lw8av-0000NF-12 => work R=SCANNER T=SCANNER
    2021:06:23-21:31:40 matrix smtpd[1459]: SCANNER[1459]: 1lw8av-0000NF-12 Completed
    2021:06:23-21:31:40 matrix exim-out[1462]: 2021-06-23 21:31:40 1lw8b6-0000NX-5E => mail@goes.here P=<julianhernandez@onemoresponsor.com> R=static_route_hostlist T=static_smtp H=000.000.000.000 [000.000.000.000]:25 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 2.0.0 Ok: queued as 55A2CF60353"
    2021:06:23-21:31:40 matrix exim-out[1462]: 2021-06-23 21:31:40 1lw8b6-0000NX-5E Completed

    next:

    21:06:23-20:23:43 matrix exim-in[24981]: 2021-06-23 20:23:43 [141.94.34.22] F=<return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de> R=<mail@goes.here> Verifying recipient address with callout
    2021:06:23-20:23:44 matrix exim-in[24981]: 2021-06-23 20:23:44 1lw7XM-0006Uv-02 sasi reports probability: 0.129995, version: Antispam-Engine: 4.1.4, AntispamData: 2021.6.23.174216
    2021:06:23-20:23:44 matrix exim-in[24981]: 2021-06-23 20:23:44 1lw7XM-0006Uv-02 Greylisting: Greylisted 141.94.34.22
    2021:06:23-20:23:44 matrix exim-in[24981]: [1\72] 2021-06-23 20:23:44 1lw7XM-0006Uv-02 H=smtp117-023.beyond-mta.de [141.94.34.22]:54833 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de> temporarily rejected after DATA: Temporary local problem, please try again!
    2021:06:23-20:23:44 matrix exim-in[24981]: [2\72] Envelope-from: <return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de>
    2021:06:23-20:23:44 matrix exim-in[24981]: [3\72] Envelope-to: <mail@goes.here>
    2021:06:23-20:23:44 matrix exim-in[24981]: [4\72] P Received: from smtp117-023.beyond-mta.de ([141.94.34.22]:54833)
    2021:06:23-20:23:44 matrix exim-in[24981]: [5\72] by domain.here.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    2021:06:23-20:23:44 matrix exim-in[24981]: [6\72] (Exim 4.94.2)
    2021:06:23-20:23:44 matrix exim-in[24981]: [7\72] (envelope-from <return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de>)
    2021:06:23-20:23:44 matrix exim-in[24981]: [8\72] id 1lw7XM-0006Uv-02
    2021:06:23-20:23:44 matrix exim-in[24981]: [9\72] for mail@goes.here; Wed, 23 Jun 2021 20:23:44 +0200
    2021:06:23-20:23:44 matrix exim-in[24981]: [10\72] X-SASI-Hits: BODYTEXTH_SIZE_3000_MORE 0.000000, BODY_SIZE_10000_PLUS 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [11\72] CTYPE_JUST_HTML 0.847999, DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [12\72] FONT_STYLE_0PT 0.000000, FROM_NAME_PHRASE 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [13\72] HREF_LABEL_TEXT_NO_URI 0.000000, HTML_90_100 0.100000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [14\72] HTML_FONT_INVISIBLE 0.100000, IMGSPAM_TABLE_1 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [15\72] KNOWN_MTA_TFX 0.000000, LINK_TO_IMAGE 0.000000, LIST_HEADER 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [16\72] MIME_LOWER_CASE 0.050000, OBFUSCATION 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [17\72] REPLYTO_FROM_DIFF_ADDY 0.100000, SENDER_NO_AUTH 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [18\72] STYLE_RATWARE_REF 0.000000, SXL_IP_TFX_WM 0.000000, URI_ENDS_IN_PHP 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [19\72] URI_WITH_PATH_ONLY 0.000000, __ANY_URI 0.000000, __BODY_NO_MAILTO 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [20\72] __BODY_TEXT_X4 0.000000, __CP_MEDIA_BODY 0.000000, __CP_URI_IN_BODY 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [21\72] __CT 0.000000, __CTE 0.000000, __CTYPE_HTML 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [22\72] __CTYPE_IS_HTML 0.000000, __DKIM_ALIGNS_1 0.000000, __DKIM_ALIGNS_2 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [23\72] __FROM_NAME_NOT_IN_ADDR 0.000000, __FROM_NAME_NOT_IN_BODY 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [24\72] __HAS_FROM 0.000000, __HAS_HTML 0.000000, __HAS_LIST_HEADER 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [25\72] __HAS_LIST_UNSUBSCRIBE 0.000000, __HAS_MSGID 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [26\72] __HAS_REPLYTO 0.000000, __HIDDEN_HTML_CONTENT 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [27\72] __HREF_LABEL_IMG 0.000000, __HREF_LABEL_TEXT 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [28\72] __HTML_AHREF_TAG 0.000000, __HTML_BAD_END 0.000000, __HTML_BOLD 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [29\72] __HTML_HREF_TAG_X2 0.000000, __HTML_TAG_CENTER 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [30\72] __HTML_TAG_DIV 0.000000, __HTML_TAG_TABLE 0.000000, __HTTPS_URI 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [31\72] __HTTP_IMAGE_TAG 0.000000, __IMGSPAM_TABLE_1 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [32\72] __IMG_THEN_TEXT 0.000000, __LEGIT_LIST_HEADER 0.000000, __MIME_HTML 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [33\72] __MIME_HTML_ONLY 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [34\72] __MIME_VERSION 0.000000, __MULTIPLE_URI_HTML 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [35\72] __MULTIPLE_URI_TEXT 0.000000, __SANE_MSGID 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [36\72] __STOCK_PHRASE_7 0.000000, __STYLE_RATWARE 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [37\72] __STYLE_RATWARE_NEG 0.000000, __STYLE_TAG 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [38\72] __TAG_EXISTS_HTML 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [39\72] __URI_HAS_HYPHEN_USC 0.000000, __URI_IN_BODY 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [40\72] __URI_NOT_IMG 0.000000, __URI_NO_MAILTO 0.000000, __URI_NO_WWW 0.000000,
    2021:06:23-20:23:44 matrix exim-in[24981]: [41\72] __URI_NS 0.000000, __URI_WITH_PATH 0.000000
    2021:06:23-20:23:44 matrix exim-in[24981]: [42\72] X-SASI-Probability: 13%
    2021:06:23-20:23:44 matrix exim-in[24981]: [43\72] X-SASI-RCODE: 200
    2021:06:23-20:23:44 matrix exim-in[24981]: [44\72] X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2021.6.23.174216
    2021:06:23-20:23:44 matrix exim-in[24981]: [45\72] DKIM-Signature: a=rsa-sha256; bh=a2FwY5Lw3tK8wENUE60iMKz39ODWd+Vu8jradbkAcKo=;
    2021:06:23-20:23:44 matrix exim-in[24981]: [46\72] c=relaxed/relaxed; d=news.wahrmailler.de;
    2021:06:23-20:23:44 matrix exim-in[24981]: [47\72] h=X-Mailer-Info:Mime-Version:X-Skip:Reply-To:Content-Type:X-Rclientid:X-Groupid:X-Providerid:X-Clientid:X-Brm-Dtag:From:Date:X-Campaignid:X-Rpcampaign:Message-Id:Subject:To:Content-Transfer-Encoding:List-Unsubscribe:X-Messageid:X-Memberid;
    2021:06:23-20:23:44 matrix exim-in[24981]: [48\72] s=as; t=1624472623; v=1;
    2021:06:23-20:23:44 matrix exim-in[24981]: [49\72] b=MnsvEgHfr04nieMXTSTUyWM0HvadUXJHcWklt724PdcdMehXK2m+cTsM53aiSRBM1G3k57kV
    2021:06:23-20:23:44 matrix exim-in[24981]: [50\72] kplIEx86w+bp6/jBgeaAWMcd3368mYU1GTKxLRvAP2bYY8g8Tuler+R7f+GhYarKc9MMxL73FIG
    2021:06:23-20:23:44 matrix exim-in[24981]: [51\72] i0pJezWeq0pETMI8YV15A8nA=
    2021:06:23-20:23:44 matrix exim-in[24981]: [52\72] X-Mailer-Info: 3.QWeu9VbslGZ.AZ552YsV3c0VmcflWapJDMyEDM2IzMjFmMwIzNzMzM.09mczRXZuB0cjhmch1Wbl5mLuVGd.Imct1yYsFmch1iMwIDN30SMyUTOzkzMyMDOtEDO1UDO1MTLyAjM3MzMz0SM
    2021:06:23-20:23:44 matrix exim-in[24981]: [53\72] Mime-Version: 1.0
    2021:06:23-20:23:44 matrix exim-in[24981]: [54\72] X-Skip: 0
    2021:06:23-20:23:44 matrix exim-in[24981]: [55\72] R Reply-To: reply@inflamesense.de
    2021:06:23-20:23:44 matrix exim-in[24981]: [56\72] Content-Type: text/html; charset=utf-8
    2021:06:23-20:23:44 matrix exim-in[24981]: [57\72] X-Rclientid: 1000
    2021:06:23-20:23:44 matrix exim-in[24981]: [58\72] X-Groupid: 999
    2021:06:23-20:23:44 matrix exim-in[24981]: [59\72] X-Providerid: 999
    2021:06:23-20:23:44 matrix exim-in[24981]: [60\72] X-Clientid: 20247
    2021:06:23-20:23:44 matrix exim-in[24981]: [61\72] X-Brm-Dtag:
    2021:06:23-20:23:44 matrix exim-in[24981]: [62\72] F From: "Top-Verkaufspreise in Ihrer Region" <mail@news.wahrmailler.de>
    2021:06:23-20:23:44 matrix exim-in[24981]: [63\72] Date: Wed, 23 Jun 2021 20:23:43 +0200
    2021:06:23-20:23:44 matrix exim-in[24981]: [64\72] X-Campaignid: 2027333
    2021:06:23-20:23:44 matrix exim-in[24981]: [65\72] X-Rpcampaign: brm_2027333
    2021:06:23-20:23:44 matrix exim-in[24981]: [66\72] I Message-Id: <1624471915-2027333-1259393238-d3a14955a15e8d6b05ad37b7f48a439a-7dd230@bounces.news.wahrmailler.de>
    2021:06:23-20:23:44 matrix exim-in[24981]: [67\72] Subject: Immobilienverkauf: Ist jetzt der richtige Zeitpunkt?
    2021:06:23-20:23:44 matrix exim-in[24981]: [68\72] T To: mail@goes.here
    2021:06:23-20:23:44 matrix exim-in[24981]: [69\72] Content-Transfer-Encoding: quoted-printable
    2021:06:23-20:23:44 matrix exim-in[24981]: [70\72] List-Unsubscribe: <mailto:mail+5-1000-2027333-1259393238-55d2e3c3412eb305c28a184d00525b09@unsubscribe.news.wahrmailler.de>, <news.wahrmailler.de/unsubscribe
    2021:06:23-20:23:44 matrix exim-in[24981]: [71\72] X-Messageid: 1855853
    2021:06:23-20:23:44 matrix exim-in[24981]: [72/72] X-Memberid: 1259393238
    2021:06:23-20:23:44 matrix exim-in[24981]: 2021-06-23 20:23:44 SMTP connection from smtp117-023.beyond-mta.de [141.94.34.22]:54833 closed by QUIT

    2021:06:23-20:37:43 matrix exim-in[26157]: 2021-06-23 20:37:43 H=smtp117-105.beyond-mta.de [141.94.34.104]:50015 Warning: domain.net profile excludes SANDBOX scan
    2021:06:23-20:37:43 matrix exim-in[26157]: 2021-06-23 20:37:43 [141.94.34.104] F=<return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de> R=<mail@goes.here> Verifying recipient address with callout
    2021:06:23-20:37:44 matrix exim-in[26157]: 2021-06-23 20:37:44 1lw7kt-0006nt-2v sasi reports probability: 0.129995, version: Antispam-Engine: 4.1.4, AntispamData: 2021.6.23.180016
    2021:06:23-20:37:44 matrix exim-in[26157]: 2021-06-23 20:37:44 1lw7kt-0006nt-2v Greylisting: Successful greylist retry from 141.94.34.104 (original host was 141.94.34.22/32)
    2021:06:23-20:37:44 matrix exim-in[26157]: 2021-06-23 20:37:44 1lw7kt-0006nt-2v <= return-dyn_mlid-dyncluster_iii20210623ca2027333-26817-426ab3=2@princeton.bounces.news.wahrmailler.de H=smtp117-105.beyond-mta.de [141.94.34.104]:50015 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=25566 DKIM=news.wahrmailler.de id=1624471915-2027333-1259393238-d3a14955a15e8d6b05ad37b7f48a439a-7dd230@bounces.news.wahrmailler.de
    2021:06:23-20:37:44 matrix exim-in[26157]: 2021-06-23 20:37:44 SMTP connection from smtp117-105.beyond-mta.de [141.94.34.104]:50015 closed by QUIT

  • The one from [199.116.112.134] shows "Exception matched" - can you see which Exception might have matched that?

    In the past, did the SMTP Proxy quarantine emails from news.wahrmailler.de?

    Cheers - Bob

     
  • Hi Bob,

    The exception was greylisting for the recipient e-mail.

    Exception matched: Skipping greylisting for this message. The skipped greylisting should be no issue at all.

    No, the proxy never quarantined mail from news.wahrmailler.de. So as a workaround I put a blocklist in my Postfix mail server.

    But that should not be the solution either...

    cheers

  • How about this, Wolfgang - Show the lines from the log file for similar emails where one before the Up2Date was quarantined and one after the update was not quarantined.

    Cheers - Bob

     
  • I can't, because I also switched to completely new hardware, because support told me anti-spam does not work anymore with my old hardware.

    You can find my post related to that topic under: spamd not working