in roundcube, what does "unchecked" alongside emails in the inbox mean?

Discussion in 'Technical' started by adamjedgar, Nov 12, 2019.

  1. adamjedgar

    adamjedgar Member

    i have a new ISPConfig 4 install and setup a mail domain on it.

    when i access emails in roundcube, i notice that alongside all of the incoming emails in the inbox (undersubject) i see the word "unchecked".

    what causes this?

    Is this because the email scanner is not running?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Steini86

    Steini86 Active Member

    Seems like a roundcube feature. Can you post a screenshot? Probably means, the mail was not checked by a spam/virus scanner? Just my guess..
     
  4. adamjedgar

    adamjedgar Member

    screenshot image of round cube interface showing the "unchecked" warning attached...

    I am wondering if the reason for the "unchecked" notification is because of the webserver has 1GB RAM - can clamav/spam filters etc run with this amount of RAM? (server has only a generic ispconfig static html webpage on it and this domain and email account), and the system cannot run the appropriate checking of emails hence the notification? (how to check this?)
     

    Attached Files:

  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    From old discussions on this forum: it can not run. But this can be fixed with swap, 2 or 4 GB swap gives enough virtual memory.
    You maybe have log entries in syslog about out of memory errors or clamav is not running.
    What shows
    Code:
    free -h
    when your server is active?
    Just to see if all services on your host are actually running, use this command:
    Code:
    systemctl --state=failed
     
  6. Steini86

    Steini86 Active Member

    So as far as I can see, the "*** unchecked ***" is not coming from roundcube, but is part of the subject line. So this was probably added by amavis when scanning the mail. Search the forum, there are a lot of threads about this. (Have not read them, just did a quick search):
    https://www.howtoforge.com/communit...-for-encrypted-messages-or-attachments.75751/
    https://www.howtoforge.com/community/threads/unchecked-email-subject-postfix.66405/
    https://www.howtoforge.com/community/threads/remove-unchecked-from-mail-subject.62142/

    ...

    Seems like amavis is not running correctly. Can be related to your lack of memory.
     
  7. adamjedgar

    adamjedgar Member

    yes thats what i am thinking as well.
    This system has only 1GB RAM.
    The interesting thing is, the only thing on it is ISPConfig and the default Ispconfig static html webpage. I would have thought that 1GB RAM would have been enough to also run ClamAV etc.
    Is there a way to configure scanning so that it can run on a 1GB RAM system?

    What I am planning on doing is runniing the ISPConfig system as a mail server to support website/domain email needs on other servers. So i only need to setup the scanning for emails at present.
     
  8. Steini86

    Steini86 Active Member

    I have not seen a single email rejected because of what a virus scanner found for years (except false positives). Today, most viruses come by websites, which are linked in the mails, or are not recognized by the scanners. If they have malicious code, they are usually rejected by the spam filter anyway. Not using AV saves a lot of ram.
    The other option is to use a swap partition as pointed out by @Taleman
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    What you have on your system is not just ISPConfig and that's the reason why 1GB RAM is not enough. So when you claim that you just have ISPConfig installed which uses your RAM, then thats complete nonsense. You can easily check it yourself, run ps aux and sum up the ram usage of the Linux user 'ispconfig', that's the amount of RAM used by ISPConfig.

    Your RAM is used because you run a full blown mail server consisting of postfix, dovecot, amavis or rspamd, clamav and mysql or mariadb and that's the programs that use up your RAM, not ISPConfig. Especially ClamAV uses a lot of RAM. If you don't need antivirus scanning for emails (and unlike what Steini86 experienced, I get mails sorted out by ClamAV daily on my systems) then remove ClamAV.
     
  10. adamjedgar

    adamjedgar Member

    Till you misunderstand what i am saying...I am not blaming ISPConfig for the high RAM usage...I believe quite the opposite actually.

    What i was asking was, considering the system does not have any websites on it (i usually host Wordpress websites on my other server which can use a lot of Memory as you know), i was wondering if there is a way to throttle CLAMAV at runtime to use less RAM.

    Take the following example...

    1. Lets say this was a VPS (1CPU, 1GB RAM) for a single client wordpress website,
    2. The client would obviously need CLAMAV because of Wordpress
    3. A control Panel would also be helpful for the administrator (me) and so i put ISPConfig on it

    Presently, the system is going to shit itself the minute CLAMAV runs. This is not acceptable at all for the example client, so i would need to reconfigure CLAMAV (and other memory heavy processes) so that everything runs nicely (in a minimal configuration i suppose) for the client without errors in the front end whilst still achieving a secure system.

    Now its easy for people to turn around and say, "oh but the systems needs more RAM"...in my (very common) example client scenario above, that is not an option because the VPS is what has been purchased by a single client for a single wordpress website...and there are increasingly more webhosts offering VPS of 1CPU, 1GB RAM VPS's that are being used for exactly this purpose.

    In Virtualmin Control Panel for example, there is a kind of wizard which allows one to configure the LAMP for low memory usage...and one can get it working on a system with less than 1GB Memory...its not brilliant but works ok.

    note.... the above is by no means a comparison whereby i am attempting to earbash ISPConfig, i love ISPConfig and trust it implicitly more than any other panel i have ever used.

    So, for the sake of me learning something important, how would i best acheive the stability I am looking for given the current system resource restrictions?

    Do i need to consider a different virus scanner?
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    You compare apples with pies here. a LAMP System with ISPConfig does not need more than 1GB as well. But what you have there is not LAMP, see my post above.

    For example I run an ISPConfig DNS system on 256MB RAM and there is still free RAM and I have a 1GB ISPConfig LEMP system which works fine as well and you can run LAMP on such a smal amount of RAM too. So the relevant part is not ISPConfig here, what's relevant is which services you run and ClamAV simply uses much ressources so if you want to run it, you must provide the ressources required by ClamAV, no matter if you use ISPConfig on that server or not.

    If you can't afford the amount of RAM that ClamAV needs, then run your mail system without it as @Steini86 suggested, most of the attacks these days are in the way he described it and won't be catched by an antivirus system for emails anyway.
     
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If you just want to get clamav working, add 2 or 4 GB swap and it has enough virtual memory to run. I wrote this in #5.
     
    till likes this.
  13. adamjedgar

    adamjedgar Member

    Ah I understand.
    1. So in the event a client did open an infected file from an email, is that really only going to then infect the system the email client is being accessed by? (Ie local desktop pc etc)

    2. If we don't run Clamav on the client VPS, what strategies can be implemented to fill the void? Are the following good enough
    1. WordPress own antivirus plugins (e.g. Wordfence)
    2. External scan from another ISPConfig system which is running a suitable product to do this?

    Also, on a low memory system, what if the system did get a virus? How does one even know before it's too late without any protection at all? Surely there must be an option to simply restrict the resource usage of the virus software...are you absolutely sure that Clam cannot be configured to use less memory? (The daemon doesn't have to run all the time and i know we can configure the time of the day when it automatically scans)
     
    Last edited: Nov 15, 2019
  14. Steini86

    Steini86 Active Member

    I doubt that
    On first order: Yes.
    On second order: That malware could steal account data for your server and then the attacker could infect your server.
    There is no void, if no virus scanner is installed. The virus scanners are there to protect windows clients. The linux malware is much more advanced and does not come by email. In fact, the list of all known linux viruses is quite small: https://help.ubuntu.com/community/Linuxvirus and https://en.wikipedia.org/wiki/Linux_malware#Threats
    ClamAV does not protect your server! There are other products designed for that. It is a virus scanner, which scans Mails being transmitted by your server to protect your windows clients.
    Linux systems do not get a virus. However, there is (a lot of) other malware around which can harm your server, but this will not be mitigated by clamav.
    When your server is infected, it 'is' too late. Way to protect you is to use secure software, install all security fixes as soon as possible and sandbox your insecure software (like wordpress).
     
  15. adamjedgar

    adamjedgar Member

    I always run latest updates...what do you mean sandbox WordPress?
     
  16. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  17. adamjedgar

    adamjedgar Member

    I am already in a sandboxed environment...I always use VPS (either Google Cloud or Vultr)

    At the system level, doesnt Apache virtual hosts add a level of sandboxing natively?

    I run chroot jails on ISPConfig (whilst i have no programming skills and cannot personally verify this, i have read on other forums that chroot jails provides almost no additional layer of protection for astute hackers and their malicious scripts)

    The only other sandboxed mechanism i can think of is staging site for wordpress. But if its on the same apache system, is there any real benefit should the staging environment get corrupted and then attacks the parent vps? In this way, what is the security benefits between Wordpress on parent vs subdomain/subdirectory or staging url exactly? (other than its not live site...but i am concerned about the server itself)

    Finally, if Linux systems are not vulnerable to viruses, does that mean that webhosts dont use antivirus software on their linux webhosting systems?
     

Share This Page