Hi, I have some rules in "/etc/postfix/header_checks" to reject windows executables; but they are not working, they are being handled by amavis_new. How do I restore header_checks to scan before amavis_new? For example, I managed to put on hold a bounce of a .zip file - of course, it is a virus, but that is not the reason of the reject it is reporting: |Diagnostic-Code: X-Postfix; host localhost[127.0.0.1] said: 550 5.7.1 Message | content rejected, id=11262-10 - BANNED: .exe (in reply to end of DATA | command) ... |Content-Type: application/octet-stream; | name="Important.zip" So, it is rejecting zip files, and thus, I may loose legitimate mail containing zip files. This is amavisd-new-20030616p9-0 on SuSE 9.1. -- Cheers, Carlos Robinson
Fri, 02 Jul 2004, by robin1.listas@tiscali.es:
Hi,
I have some rules in "/etc/postfix/header_checks" to reject windows executables; but they are not working, they are being handled by amavis_new. How do I restore header_checks to scan before amavis_new?
The Postfis header- and bodychecks will always be done before piping the mail to the content-filter. If they're not working there's something wrong with these checks. To disable the amavis checks read amavis.conf # * leave $banned_filename_re undefined to disable these checks # (giving an empty list to new_RE() will also always return # false) $banned_filename_re = new_RE( qr'\.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com|exe|dll)$'i, Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. + ICQ: 277217131 SUSE 9.1 + Jabber: gurp@nedlinux.nl Kernel k_athlon-2.6.4 + MSN: twe-msn@ferrets4me.xs4all.nl See headers for PGP/GPG info. +
The Friday 2004-07-02 at 23:16 +0200, Theo v. Werkhoven wrote:
I have some rules in "/etc/postfix/header_checks" to reject windows executables; but they are not working, they are being handled by amavis_new. How do I restore header_checks to scan before amavis_new?
The Postfis header- and bodychecks will always be done before piping the mail to the content-filter. If they're not working there's something wrong with these checks.
The file is the same one I had before upgrading... hold on, it is dissabled in /etc/postfix/main.cf: #header_checks = regexp:/etc/postfix/header_checks Thanks, you pointed me to look again :-)
To disable the amavis checks read amavis.conf
That is a goog bedside reading: as soon as I start reading it, my head starts nodding strangely to the sides :-p
# * leave $banned_filename_re undefined to disable these checks # (giving an empty list to new_RE() will also always return # false)
$banned_filename_re = new_RE( qr'\.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com|exe|dll)$'i,
However, there is no .zip there, and it seems to be rejecting zip files.
For example, I see in a report bounced to me:
|The message WAS NOT delivered to:
|
On Monday 05 July 2004 05:16, Carlos E. R. wrote:
The Friday 2004-07-02 at 23:16 +0200, Theo v. Werkhoven wrote:
# * leave $banned_filename_re undefined to disable these checks # (giving an empty list to new_RE() will also always return # false)
$banned_filename_re = new_RE( qr'\.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com|exe|dll)$'i,
However, there is no .zip there, and it seems to be rejecting zip files.
Read the reports more carefully... Note that exe *is* in your banned list.
For example, I see in a report bounced to me: |The message WAS NOT delivered to: |
: | 550 5.7.1 Message content rejected, id=09888-09 - BANNED: .exe
Note the BANNED: .exe part.
|The message has been quarantined as: | /var/spool/amavis/virusmails/virus-20040705-115345-09888-09
I look at the quarantined file, and I see: |X-Amavis-Alert: BANNED FILENAME, message contains part named: .exe
And again, the .exe part...
|Content-Type: application/octet-stream; | name="Bill.zip"
Perhaps the file is actually called Bill.zip.exe, or maybe there are multiple attachments. But amavisd appears to be functioning correctly.
Then, I find it is trying to send back bounces to external addresses,
when it should _never_ do so: |nimrodel:/etc/postfix # mailq |-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient------- |22FE7DF675 5459 Mon Jul 5 11:59:10 MAILER-DAEMON |(Host or domain name not found. Name service error for |name=copamericaperu.com.org type=MX: Host not found, try again) | ipinasco at | copamericaperu.com.org
Looking at the contens of that mail, I find: |From: amavisd-new
|To: <ipinasco at copamericaperu.com.org>
Double-check your amavisd.conf, there's a place in there to configure that behavior.
|BANNED CONTENTS ALERT | |Our content checker found | banned name: .exe |in email presumably from you (<ipinasco at copamericaperu.com.org>), to | the following recipient: |-> cer@localhost.nimrodel.valinor | |Delivery of the email was stopped!
¡I don't want amavis-new to send _any_ report, bounce, reject message or anything to any body whatsoever outside of my machine! I want it to report only to ME.
That's what I do. You just need to configure amavisd.conf properly.
I'm modifying the from addresses amavis uses:
$mailfrom_notify_admin = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_recip = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_spamadmin = "amavis_new.spam.police\@$mydomain";
$hdrfrom_notify_sender = '"amavisd-new.postmaster
"';
Look for $warnvirussender and disable it. -- Jarod C. Wilson, RHCE jcw@wilsonet.com
The Tuesday 2004-07-06 at 10:59 -0700, Jarod Wilson wrote:
|Content-Type: application/octet-stream; | name="Bill.zip"
Perhaps the file is actually called Bill.zip.exe, or maybe there are multiple attachments. But amavisd appears to be functioning correctly.
No, that was not the problem. The "problem" is that amavis-new tries to be overtly clever by: 1) looking inside zip files for exe files and 2) not trusting filename extensions but instead using the output of the command "file". This behaviour can be dissabled, and I have done so: # set $bypass_decode_parts to true if you only do spam scanning, or if you # have a good virus scanner that can deal with compression and recursively # unpacking archives by itself, and save amavisd the trouble. # Disabling decoding also causes banned_files checking to only see # MIME names and MIME content types, not the content classification types # as provided by the file(1) utility. # It is a double-edged sword, make sure you know what you are doing! # #Cer $bypass_decode_parts = 1; # (defaults to false) ...
Double-check your amavisd.conf, there's a place in there to configure that behavior.
Unfortunately, that program should have a man page at least. Better, a documentation directory with samples. ...
Look for $warnvirussender and disable it.
It was already dissabled, by the default settings:
#$warnvirussender = 1; # (defaults to false (undef))
I have explicitly dissabled it now - I can not trust the default being
"false":
$warnvirussender = 0; # (defaults to false (undef))
An that seems to work, but only with the help of the next trick:
$mailfrom_notify_admin = "amavis_new.virusalert\@$mydomain";
$mailfrom_notify_recip = "amavis_new.virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "amavis_new.spam.police\@$mydomain";
$hdrfrom_notify_sender = '"amavisd_new.postmaster"
On Thu, 8 Jul 2004 01:26:05 +0200 (CEST), you wrote:
The Tuesday 2004-07-06 at 10:59 -0700, Jarod Wilson wrote:
|Content-Type: application/octet-stream; | name="Bill.zip"
Perhaps the file is actually called Bill.zip.exe, or maybe there are multiple attachments. But amavisd appears to be functioning correctly.
No, that was not the problem. The "problem" is that amavis-new tries to be overtly clever by: 1) looking inside zip files for exe files and 2) not trusting filename extensions but instead using the output of the command "file". This behaviour can be dissabled, and I have done so:
# set $bypass_decode_parts to true if you only do spam scanning, or if you # have a good virus scanner that can deal with compression and recursively # unpacking archives by itself, and save amavisd the trouble. # Disabling decoding also causes banned_files checking to only see # MIME names and MIME content types, not the content classification types # as provided by the file(1) utility. # It is a double-edged sword, make sure you know what you are doing! # #Cer $bypass_decode_parts = 1; # (defaults to false)
...
Double-check your amavisd.conf, there's a place in there to configure that behavior.
Unfortunately, that program should have a man page at least. Better, a documentation directory with samples.
...
Look for $warnvirussender and disable it.
It was already dissabled, by the default settings:
#$warnvirussender = 1; # (defaults to false (undef))
I have explicitly dissabled it now - I can not trust the default being "false":
$warnvirussender = 0; # (defaults to false (undef))
An that seems to work, but only with the help of the next trick:
$mailfrom_notify_admin = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_recip = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_spamadmin = "amavis_new.spam.police\@$mydomain"; $hdrfrom_notify_sender = '"amavisd_new.postmaster"
'; and then, in "/etc/postfix/access" I explicitly dissable those addresses from bein able to send:
amavis_new.virusalert@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.spam.police@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.postmaster@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor
Both things, the warnvirussender=0 and the redirect clauses ensure they don't get sent outside.
-- Cheers, Carlos Robinson
Why are you going to such lengths to disable a large part of your system security? There's an excellent reason why amavis "is overly clever". Mike- -- If you're not confused, you're not trying hard enough. -- Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
On Thursday 08 July 2004 05:04, Michael W.Cocke wrote:
On Thu, 8 Jul 2004 01:26:05 +0200 (CEST), you wrote:
The Tuesday 2004-07-06 at 10:59 -0700, Jarod Wilson wrote:
|Content-Type: application/octet-stream; | name="Bill.zip"
Perhaps the file is actually called Bill.zip.exe, or maybe there are multiple attachments. But amavisd appears to be functioning correctly.
No, that was not the problem. The "problem" is that amavis-new tries to be overtly clever by: 1) looking inside zip files for exe files
That's a good thing.
and 2) not trusting filename extensions but instead using the output of the command "file".
And so is that.
This behaviour can be dissabled, and I have done so:
But that really isn't. At least not if you want amavisd to be as effective as possible...
Look for $warnvirussender and disable it.
It was already dissabled, by the default settings:
#$warnvirussender = 1; # (defaults to false (undef))
I have explicitly dissabled it now - I can not trust the default being "false":
$warnvirussender = 0; # (defaults to false (undef))
An that seems to work, but only with the help of the next trick:
$mailfrom_notify_admin = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_recip = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_spamadmin = "amavis_new.spam.police\@$mydomain"; $hdrfrom_notify_sender = '"amavisd_new.postmaster"
'; and then, in "/etc/postfix/access" I explicitly dissable those addresses from bein able to send:
amavis_new.virusalert@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.spam.police@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.postmaster@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor
Both things, the warnvirussender=0 and the redirect clauses ensure they don't get sent outside.
Why are you going to such lengths to disable a large part of your system security? There's an excellent reason why amavis "is overly clever".
My thoughts exactly... -- Jarod C. Wilson, RHCE jcw@wilsonet.com
The Thursday 2004-07-08 at 08:04 -0400, Michael W.Cocke wrote:
Why are you going to such lengths to disable a large part of your system security? There's an excellent reason why amavis "is overly clever".
For one thing, my system is Linux only, so it can not be damaged at all by windows viruses. For another, sending executables inside zip archives has been for a long time standard practice in many places - and I want to allow that. At most, I would like to be warned, but I don't want those zip files to be stopped. If I had to protect a network of windows users, then, yes, of course I would stop executables contained in zip files - and I would use things like banned_files_lovers instead. -- Cheers, Carlos Robinson
participants (4)
-
Carlos E. R.
-
Jarod Wilson
-
Michael W.Cocke
-
Theo v. Werkhoven