Capabilities

Gregory Sloop via amavis-users amavis-users at amavis.org
Thu May 22 04:29:46 CEST 2014


I've done a fair bit of reading, both of the docs, web walk-throughs and the list archives.

However, I'm not sure if what I want to do is supported:

Given: Ubuntu 12.04 / Postfix / Dovecot / Amavis-new [2.3.3]
Users are local users, not virtual.
Not using LDAP or MySQL etc to handle users/configurations.

Needs:
Like everyone, we're getting more and more hostile attachments - which is the primary motivator for Amavis.
Up to now, we've used client side AV scanning etc. However, the attachments we're getting are zero-day exploits in most cases, where the AV engines simply don't recognize them yet. [Given a day or three, they are, but not when received.]

So, I need to start doing attachment filtering. As long as we're at it, we should have adequate capacity to also do ClamAV - which will get us a small leg-up, perhaps.
But I'm not counting on ClamAV to catch the problem attachments.

However, we can't just block every .zip file for example. Some zips from some senders are legit.
Further, I don't want to block mail without generating a bounce reply. [An alternative would be rejecting it before accept at the MTA]
But generating a bounce for blocked attachments will cause a host of back-scatter.

So, it seems the options are: Block completely, at the MTA, some attachments that we'll never accept. [.exe for example.]
I hope to use amavis to scan, for example, zip attachments for viruses, and if found quarantine them. [Though zips aren't the only one, this is simply an example.]

For some users, we'll quarantine all zip files. However, for other users [and/or, some senders] we'll accept those attachments. [And yes, I fully understand that the envelope sender can be forged, and can't be trusted. However, it probably is better than doing nothing.]

Finally, I'd like to scan archives for particular files. For example, we'll accept a zip, and even if the AV thinks it's clean, if the zip contains a .exe we should still quarantine.

Is this possible, in general?
Any pointers as to how best to approach it?
Any good example threads or web-pages?

TIA
-Greg