postfix – Blocking encrypted email attachments with Amavis

I’m having a problem with amavis on my CentOS 7 machine (amavisd-new 2.12.0, postfix 2.10.1, ISPConfig Version: 3.1dev).

I’m trying to configure amavis so that it discards emails with encrypted .zip or .rar files attached. (The sender gets a notification of the undelivered email because of non-allowed content, and a notification is also sent to virusalert@machine-domain.com about what happened. The alias for virusalert is already configured; I receive those emails in my mailbox.)

At the moment, amavis detects the encrypted package attached to an email, but it forwards it to the recipient anyway and sends a notification of what has been done to the virusalert mailbox.

Here’s the message I receive from virusalert@machine-domain.com:
(I’ve sent an email from our internal mail server, which uses the one with amavis configured as a relay, to my personal mailbox)

No viruses were found.

Content type: UncheckedEncrypted

Internal reference code for the message is 21621-04/VDsYr4oLBKP5

First upstream SMTP client IP address: (Sender IP):7555

Sender rDNS

Received trace: ESMTPA://(Sender IP):7555 <

  Microsoft_SMTP_Server://InternalServerIP < mapi://

Return-Path: <me@mydomain.com>

From: "My user"

  <me@mydomain.com>

Message-ID: <81c03676859d4503bf70c4e14de4cb4e@mydomain.com>

Subject: Test encrypted archive

Not quarantined.


The message WILL BE relayed to:

<me@my-test-domain.com>

Postfix’s log shows the following:

postfix/smtpd(21623): connect from myhost(myIP)
postfix/smtpd(21623): NOQUEUE: filter: RCPT from myhost(myIP): <me@mydomain.com>: Sender address triggers FILTER amavis:(127.0.0.1):10026; from=<me@mydomain.com> to=<me@my-test-domain.com> proto=ESMTP helo=<SMTP.local>
postfix/smtpd(21623): 53BFA7FB: myhost(myIP), sasl_method=LOGIN, sasl_username=myusername
postfix/cleanup(21634): 53BFA7FB: message-id=<81c03676859d4503bf70c4e14de4cb4e@mydomain.com>
postfix/qmgr(20232): 53BFA7FB: from=<me@mydomain.com>, size=28650, nrcpt=1 (queue active)
postfix/smtpd(21623): disconnect from myhost(myIP)
postfix/smtpd(21639): connect from localhost(127.0.0.1)
postfix/smtpd(21639): C04406DC: client=localhost(127.0.0.1)
postfix/cleanup(21647): C04406DC: message-id=<VAVDsYr4oLBKP5@machine-domain.com>
postfix/qmgr(20232): C04406DC: from=<postmaster@machine-domain.com>, size=3126, nrcpt=1 (queue active)
postfix/smtpd(21639): disconnect from localhost(127.0.0.1)
postfix/cleanup(21634): CA805A93: message-id=<VAVDsYr4oLBKP5@machine-domain.com>
postfix/qmgr(20232): CA805A93: from=<postmaster@machine-domain.com>, size=3261, nrcpt=1 (queue active)
postfix/local(21678): C04406DC: to=<virusalert@machine-domain.com>, relay=local, delay=0.05, delays=0.02/0.03/0/0.01, dsn=2.0.0, status=sent (forwarded as CA805A93)
postfix/qmgr(20232): C04406DC: removed
postfix/smtpd(21646): connect from localhost(127.0.0.1)
postfix/smtpd(21646): D5426A67: client=localhost(127.0.0.1)
postfix/cleanup(21647): D5426A67: message-id=<81c03676859d4503bf70c4e14de4cb4e@domain.com>
postfix/qmgr(20232): D5426A67: from=<me@mydomain.com>, size=29603, nrcpt=1 (queue active)
postfix/smtpd(21646): disconnect from localhost(127.0.0.1)
amavis(21621): (21621-04) ***Passed UNCHECKED-ENCRYPTED*** {RelayedOutbound}, ORIGINATING LOCAL (myIP):7555 (myIP) <me@mydomain.com> -> <me@my-test-domain.com>, Queue-ID: 53BFA7FB, Message-ID: <81c03676859d4503bf70c4e14de4cb4e@mydomain.com>, mail_id: VDsYr4oLBKP5, Hits: -0.998, size: 28650, queued_as: D5426A67, dkim_new=default:domain.com, 2477 ms
postfix/smtp(21635): 53BFA7FB: to=<me@my-test-domain.com>, relay=127.0.0.1(127.0.0.1):10026, delay=2.6, delays=0.08/0/0/2.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:(127.0.0.1):10027): 250 2.0.0 Ok: queued as D5426A67)
postfix/qmgr(20232): 53BFA7FB: removed
dovecot: lda(me@mydomain.com): sieve: msgid=<VAVDsYr4oLBKP5@machine-domain.com>: stored mail into mailbox 'INBOX'
postfix/pipe(21679): CA805A93: to=<me@mydomain.com>, orig_to=<virusalert@machine-domain.com>, relay=dovecot, delay=0.08, delays=0.01/0.02/0/0.06, dsn=2.0.0, status=sent (delivered via dovecot service)
postfix/qmgr(20232): CA805A93: removed

Why does amavis detect the emails correctly but just mark them as Passed UNCHECKED-ENCRYPTED and forward them to the recipient anyway?

I’ve searched online for the correct configuration to stop forwarding messages that attach encrypted archives (or that get marked as unchecked-encrypted by amavis), but so far nothing fully works.

Can someone help me?

Thanks a lot
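
To see which messages amavis let through with this verdict, the log can be audited by joining each amavis verdict line to the Postfix re-injection line for the same queue ID. This is an added example, not part of the original post; the sample log is constructed from the lines quoted above, and its `Blocked ... {DiscardedOutbound}` line is an assumed illustration of what a blocked verdict looks like.

```python
import re

# Constructed sample modelled on the log excerpt in the post; hosts and addresses are placeholders.
SAMPLE_LOG = """\
postfix/qmgr(20232): 53BFA7FB: from=<me@mydomain.com>, size=28650, nrcpt=1 (queue active)
amavis(21621): (21621-04) Passed UNCHECKED-ENCRYPTED {RelayedOutbound}, ORIGINATING LOCAL (myIP):7555 (myIP) <me@mydomain.com> -> <me@my-test-domain.com>, Queue-ID: 53BFA7FB, mail_id: VDsYr4oLBKP5, Hits: -0.998, size: 28650, queued_as: D5426A67, 2477 ms
postfix/smtp(21635): 53BFA7FB: to=<me@my-test-domain.com>, relay=127.0.0.1(127.0.0.1):10026, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:(127.0.0.1):10027): 250 2.0.0 Ok: queued as D5426A67)
amavis(21621): (21621-05) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL (myIP):7556 (myIP) <me@mydomain.com> -> <me@my-test-domain.com>, Queue-ID: 6A1C07FC, mail_id: Zq1exampleAB, Hits: -1.0, size: 1200, queued_as: E0017A68, 310 ms
amavis(21621): (21621-06) Blocked UNCHECKED-ENCRYPTED {DiscardedOutbound}, ORIGINATING LOCAL (myIP):7557 (myIP) <me@mydomain.com> -> <me@my-test-domain.com>, Queue-ID: 7B2D17FD, mail_id: Yp2exampleCD, Hits: -, size: 28650, 95 ms
"""

# Verdict line: "(id) Passed|Blocked CCAT {Disposition}, ... <sender> -> <rcpt>, Queue-ID: X".
# Leading/trailing asterisks around the verdict (as in the pasted log) are tolerated.
VERDICT = re.compile(
    r"amavis\S*: \((?P<am_id>[\w-]+)\) \**(?P<action>Passed|Blocked) (?P<ccat>[A-Z0-9-]+)"
    r"[^{]*\{(?P<disposition>[^}]*)\}.*?<(?P<sender>[^>]*)> -> (?P<rcpts>.*?), "
    r"Queue-ID: (?P<queue_id>\w+)")
REINJECT = re.compile(r"queued_as: (\w+)")
# Postfix handing the original queue ID to the filter and getting the new queue ID back.
HANDOFF = re.compile(r"postfix/smtp\S*: (\w+): .*status=sent .*queued as (\w+)\)")

def audit(log_text, watch=("UNCHECKED-ENCRYPTED",)):
    """List watched amavis verdicts and whether each message was relayed onward."""
    lines = log_text.splitlines()
    handoffs = {m.groups() for m in map(HANDOFF.search, lines) if m}
    findings = []
    for line in lines:
        m = VERDICT.search(line)
        if not m or m["ccat"] not in watch:
            continue
        f = m.groupdict()
        f["rcpts"] = re.findall(r"<([^>]*)>", f["rcpts"])
        q = REINJECT.search(line)
        f["queued_as"] = q.group(1) if q else None
        # Relayed = amavis passed it AND Postfix logged the matching re-injection.
        f["relayed"] = f["action"] == "Passed" and (f["queue_id"], f["queued_as"]) in handoffs
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["action"], f["ccat"], f["queue_id"], "->", f["queued_as"], "relayed:", f["relayed"])
```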