A mail destined for an external host that uses mandatory TLS is caught in quarantine. When a release of this mail is attempted, it is not released and remains in quarantine.
The brightmail log will show the error "530 must issue a starttls command first".
The release from quarantine takes place over a smaller MTA, not the primary MTA, and this MTA does not support TLS. As a result, the mail cannot be released with TLS and must be deleted and resent.
If possible, create a policy group that avoids the quarantine incident by excluding that group from the particular policy that causes the quarantine in the first place.
Please subscribe to this article, as engineering is working on a fix.