I want to dissable amavis-new

Carlos E. R.

2 Jul 2004 2 Jul '04

09:21

Hi, I have some rules in "/etc/postfix/header_checks" to reject windows executables; but they are not working, they are being handled by amavis_new. How do I restore header_checks to scan before amavis_new? For example, I managed to put on hold a bounce of a .zip file - of course, it is a virus, but that is not the reason of the reject it is reporting: |Diagnostic-Code: X-Postfix; host localhost[127.0.0.1] said: 550 5.7.1 Message | content rejected, id=11262-10 - BANNED: .exe (in reply to end of DATA | command) ... |Content-Type: application/octet-stream; | name="Important.zip" So, it is rejecting zip files, and thus, I may loose legitimate mail containing zip files. This is amavisd-new-20030616p9-0 on SuSE 9.1. -- Cheers, Carlos Robinson

Show replies by date

Theo v. Werkhoven

2 Jul 2 Jul

21:16

New subject: [SLE] I want to dissable amavis-new

Fri, 02 Jul 2004, by robin1.listas@tiscali.es:

...

Hi,

I have some rules in "/etc/postfix/header_checks" to reject windows executables; but they are not working, they are being handled by amavis_new. How do I restore header_checks to scan before amavis_new?

The Postfis header- and bodychecks will always be done before piping the mail to the content-filter. If they're not working there's something wrong with these checks. To disable the amavis checks read amavis.conf # * leave $banned_filename_re undefined to disable these checks # (giving an empty list to new_RE() will also always return # false) $banned_filename_re = new_RE( qr'\.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com|exe|dll)$'i, Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. + ICQ: 277217131 SUSE 9.1 + Jabber: gurp@nedlinux.nl Kernel k_athlon-2.6.4 + MSN: twe-msn@ferrets4me.xs4all.nl See headers for PGP/GPG info. +

Carlos E. R.

5 Jul 5 Jul

12:16

New subject: [SLE] I want to dissable amavis-new

The Friday 2004-07-02 at 23:16 +0200, Theo v. Werkhoven wrote:

...

...
I have some rules in "/etc/postfix/header_checks" to reject windows executables; but they are not working, they are being handled by amavis_new. How do I restore header_checks to scan before amavis_new?

The Postfis header- and bodychecks will always be done before piping the mail to the content-filter. If they're not working there's something wrong with these checks.

The file is the same one I had before upgrading... hold on, it is dissabled in /etc/postfix/main.cf: #header_checks = regexp:/etc/postfix/header_checks Thanks, you pointed me to look again :-)

...

To disable the amavis checks read amavis.conf

That is a goog bedside reading: as soon as I start reading it, my head starts nodding strangely to the sides :-p

...

# * leave $banned_filename_re undefined to disable these checks # (giving an empty list to new_RE() will also always return # false)

$banned_filename_re = new_RE( qr'\.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com|exe|dll)$'i,

However, there is no .zip there, and it seems to be rejecting zip files. For example, I see in a report bounced to me: |The message WAS NOT delivered to: |: | 550 5.7.1 Message content rejected, id=09888-09 - BANNED: .exe | |The message has been quarantined as: | /var/spool/amavis/virusmails/virus-20040705-115345-09888-09 I look at the quarantined file, and I see: |X-Amavis-Alert: BANNED FILENAME, message contains part named: .exe ... |Content-Type: application/octet-stream; | name="Bill.zip" I'm sure that zip archive contains a virus, but that is not the point. As far as file ataches, it must pass; then, if it a virus, it must be reported and rejected as a virus, not as a banned file name. Then, I find it is trying to send back bounces to external addresses, when it should _never_ do so: |nimrodel:/etc/postfix # mailq |-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient------- |22FE7DF675 5459 Mon Jul 5 11:59:10 MAILER-DAEMON |(Host or domain name not found. Name service error for |name=copamericaperu.com.org type=MX: Host not found, try again) | ipinasco at copamericaperu.com.org Looking at the contens of that mail, I find: |From: amavisd-new |To: <ipinasco at copamericaperu.com.org> ... |BANNED CONTENTS ALERT | |Our content checker found | banned name: .exe |in email presumably from you (<ipinasco at copamericaperu.com.org>), to the |following recipient: |-> cer@localhost.nimrodel.valinor | |Delivery of the email was stopped! ¡I don't want amavis-new to send _any_ report, bounce, reject message or anything to any body whatsoever outside of my machine! I want it to report only to ME. I'm modifying the from addresses amavis uses: $mailfrom_notify_admin = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_recip = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_spamadmin = "amavis_new.spam.police\@$mydomain"; $hdrfrom_notify_sender = '"amavisd-new.postmaster "'; Then I close them in the access file: amavis_new.virusalert@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.spam.police@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis-new.postmaster@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor Let us see if that works :-) -- Cheers, Carlos Robinson

Jarod Wilson

6 Jul 6 Jul

17:59

New subject: [SLE] I want to dissable amavis-new

On Monday 05 July 2004 05:16, Carlos E. R. wrote:

...

The Friday 2004-07-02 at 23:16 +0200, Theo v. Werkhoven wrote:

...

...
# * leave $banned_filename_re undefined to disable these checks # (giving an empty list to new_RE() will also always return # false)

$banned_filename_re = new_RE( qr'\.[a-zA-Z][a-zA-Z0-9]{0,3}\.(vbs|pif|scr|bat|com|exe|dll)$'i,

However, there is no .zip there, and it seems to be rejecting zip files.

Read the reports more carefully... Note that exe *is* in your banned list.

...

For example, I see in a report bounced to me: |The message WAS NOT delivered to: |: | 550 5.7.1 Message content rejected, id=09888-09 - BANNED: .exe

Note the BANNED: .exe part.

...

|The message has been quarantined as: | /var/spool/amavis/virusmails/virus-20040705-115345-09888-09

I look at the quarantined file, and I see: |X-Amavis-Alert: BANNED FILENAME, message contains part named: .exe

And again, the .exe part...

...

|Content-Type: application/octet-stream; | name="Bill.zip"

Perhaps the file is actually called Bill.zip.exe, or maybe there are multiple attachments. But amavisd appears to be functioning correctly.

...

Then, I find it is trying to send back bounces to external addresses,

when it should _never_ do so: |nimrodel:/etc/postfix # mailq |-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient------- |22FE7DF675 5459 Mon Jul 5 11:59:10 MAILER-DAEMON |(Host or domain name not found. Name service error for |name=copamericaperu.com.org type=MX: Host not found, try again) | ipinasco at | copamericaperu.com.org

Looking at the contens of that mail, I find: |From: amavisd-new |To: <ipinasco at copamericaperu.com.org>

Double-check your amavisd.conf, there's a place in there to configure that behavior.

...

|BANNED CONTENTS ALERT | |Our content checker found | banned name: .exe |in email presumably from you (<ipinasco at copamericaperu.com.org>), to | the following recipient: |-> cer@localhost.nimrodel.valinor | |Delivery of the email was stopped!

¡I don't want amavis-new to send _any_ report, bounce, reject message or anything to any body whatsoever outside of my machine! I want it to report only to ME.

That's what I do. You just need to configure amavisd.conf properly.

...

I'm modifying the from addresses amavis uses:

$mailfrom_notify_admin = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_recip = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_spamadmin = "amavis_new.spam.police\@$mydomain";

$hdrfrom_notify_sender = '"amavisd-new.postmaster "';

Look for $warnvirussender and disable it. -- Jarod C. Wilson, RHCE jcw@wilsonet.com

Carlos E. R.

7 Jul 7 Jul

23:26

New subject: [SLE] I want to dissable amavis-new

The Tuesday 2004-07-06 at 10:59 -0700, Jarod Wilson wrote:

...

...
|Content-Type: application/octet-stream; | name="Bill.zip"

Perhaps the file is actually called Bill.zip.exe, or maybe there are multiple attachments. But amavisd appears to be functioning correctly.

No, that was not the problem. The "problem" is that amavis-new tries to be overtly clever by: 1) looking inside zip files for exe files and 2) not trusting filename extensions but instead using the output of the command "file". This behaviour can be dissabled, and I have done so: # set $bypass_decode_parts to true if you only do spam scanning, or if you # have a good virus scanner that can deal with compression and recursively # unpacking archives by itself, and save amavisd the trouble. # Disabling decoding also causes banned_files checking to only see # MIME names and MIME content types, not the content classification types # as provided by the file(1) utility. # It is a double-edged sword, make sure you know what you are doing! # #Cer $bypass_decode_parts = 1; # (defaults to false) ...

...

Double-check your amavisd.conf, there's a place in there to configure that behavior.

Unfortunately, that program should have a man page at least. Better, a documentation directory with samples. ...

...

Look for $warnvirussender and disable it.

It was already dissabled, by the default settings: #$warnvirussender = 1; # (defaults to false (undef)) I have explicitly dissabled it now - I can not trust the default being "false": $warnvirussender = 0; # (defaults to false (undef)) An that seems to work, but only with the help of the next trick: $mailfrom_notify_admin = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_recip = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_spamadmin = "amavis_new.spam.police\@$mydomain"; $hdrfrom_notify_sender = '"amavisd_new.postmaster" '; and then, in "/etc/postfix/access" I explicitly dissable those addresses from bein able to send: amavis_new.virusalert@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.spam.police@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.postmaster@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor Both things, the warnvirussender=0 and the redirect clauses ensure they don't get sent outside. -- Cheers, Carlos Robinson

Michael W.Cocke

8 Jul 8 Jul

12:04

New subject: [SLE] I want to dissable amavis-new

On Thu, 8 Jul 2004 01:26:05 +0200 (CEST), you wrote:

...

The Tuesday 2004-07-06 at 10:59 -0700, Jarod Wilson wrote:

...
...
|Content-Type: application/octet-stream; | name="Bill.zip"

Perhaps the file is actually called Bill.zip.exe, or maybe there are multiple attachments. But amavisd appears to be functioning correctly.

No, that was not the problem. The "problem" is that amavis-new tries to be overtly clever by: 1) looking inside zip files for exe files and 2) not trusting filename extensions but instead using the output of the command "file". This behaviour can be dissabled, and I have done so:

# set $bypass_decode_parts to true if you only do spam scanning, or if you # have a good virus scanner that can deal with compression and recursively # unpacking archives by itself, and save amavisd the trouble. # Disabling decoding also causes banned_files checking to only see # MIME names and MIME content types, not the content classification types # as provided by the file(1) utility. # It is a double-edged sword, make sure you know what you are doing! # #Cer $bypass_decode_parts = 1; # (defaults to false)

...

...
Double-check your amavisd.conf, there's a place in there to configure that behavior.

Unfortunately, that program should have a man page at least. Better, a documentation directory with samples.

...

...
Look for $warnvirussender and disable it.

It was already dissabled, by the default settings:

#$warnvirussender = 1; # (defaults to false (undef))

I have explicitly dissabled it now - I can not trust the default being "false":

$warnvirussender = 0; # (defaults to false (undef))

An that seems to work, but only with the help of the next trick:

$mailfrom_notify_admin = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_recip = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_spamadmin = "amavis_new.spam.police\@$mydomain"; $hdrfrom_notify_sender = '"amavisd_new.postmaster" ';

and then, in "/etc/postfix/access" I explicitly dissable those addresses from bein able to send:

amavis_new.virusalert@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.spam.police@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.postmaster@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor

Both things, the warnvirussender=0 and the redirect clauses ensure they don't get sent outside.

-- Cheers, Carlos Robinson

Why are you going to such lengths to disable a large part of your system security? There's an excellent reason why amavis "is overly clever". Mike- -- If you're not confused, you're not trying hard enough. -- Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,

Jarod Wilson

9 Jul 9 Jul

19:36

New subject: [SLE] I want to dissable amavis-new

On Thursday 08 July 2004 05:04, Michael W.Cocke wrote:

...

On Thu, 8 Jul 2004 01:26:05 +0200 (CEST), you wrote:

...
The Tuesday 2004-07-06 at 10:59 -0700, Jarod Wilson wrote:

...
...
|Content-Type: application/octet-stream; | name="Bill.zip"

Perhaps the file is actually called Bill.zip.exe, or maybe there are multiple attachments. But amavisd appears to be functioning correctly.

No, that was not the problem. The "problem" is that amavis-new tries to be overtly clever by: 1) looking inside zip files for exe files

That's a good thing.

...

...
and 2) not trusting filename extensions but instead using the output of the command "file".

And so is that.

...

...
This behaviour can be dissabled, and I have done so:

But that really isn't. At least not if you want amavisd to be as effective as possible...

...

...
...
Look for $warnvirussender and disable it.

It was already dissabled, by the default settings:

#$warnvirussender = 1; # (defaults to false (undef))

I have explicitly dissabled it now - I can not trust the default being "false":

$warnvirussender = 0; # (defaults to false (undef))

An that seems to work, but only with the help of the next trick:

$mailfrom_notify_admin = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_recip = "amavis_new.virusalert\@$mydomain"; $mailfrom_notify_spamadmin = "amavis_new.spam.police\@$mydomain"; $hdrfrom_notify_sender = '"amavisd_new.postmaster" ';

and then, in "/etc/postfix/access" I explicitly dissable those addresses from bein able to send:

amavis_new.virusalert@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.spam.police@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor amavis_new.postmaster@nimrodel.valinor REDIRECT virusalert@nimrodel.valinor

Both things, the warnvirussender=0 and the redirect clauses ensure they don't get sent outside.

Why are you going to such lengths to disable a large part of your system security? There's an excellent reason why amavis "is overly clever".

My thoughts exactly... -- Jarod C. Wilson, RHCE jcw@wilsonet.com

Carlos E. R.

12 Jul 12 Jul

00:32

New subject: [SLE] I want to dissable amavis-new

The Thursday 2004-07-08 at 08:04 -0400, Michael W.Cocke wrote:

...

Why are you going to such lengths to disable a large part of your system security? There's an excellent reason why amavis "is overly clever".

For one thing, my system is Linux only, so it can not be damaged at all by windows viruses. For another, sending executables inside zip archives has been for a long time standard practice in many places - and I want to allow that. At most, I would like to be warned, but I don't want those zip files to be stopped. If I had to protect a network of windows users, then, yes, of course I would stop executables contained in zip files - and I would use things like banned_files_lovers instead. -- Cheers, Carlos Robinson

7229

Age (days ago)

7239

Last active (days ago)

List overview

Download

7 comments

4 participants

participants (4)

Carlos E. R.
Jarod Wilson
Michael W.Cocke
Theo v. Werkhoven