Allow outgoing .EXE to a set of recipients

Mark Martinec Mark.Martinec+amavis at ijs.si
Mon Jan 23 19:23:20 CET 2012


Antonio,

> I would like to ask a question, I have set up a postfix+amavis-new+spam
> assassin server to filter incoming and outgoing email. Previously I was
> using an Ironport hardware to do this stuff.
> 
> I don't know if it's possible to configure amavis-new to allow outgoing
> email with EXE attachments ONLY to a certain address. Is it possible?

Yes, possible. Depends what exactly you have in mind: either disable
banning checks altogether for outgoing mail, or switch between two
(or more) pre-configured banning settings.

1.
Disabling banning checks for mail originating from inside
(regardless of recipient being internal or external):

$policy_bank{'MYNETS'} = {  # mail originating from @mynetworks
  originating => 1,
  bypass_banned_checks_maps => [1],
};


2.
Disabling banning checks for outgoing mail (i.e. for non-local
recipients):

@banned_filename_maps = ( {
  '.example.com' => 'DEFAULT',  # for each local domain
  '.example.net' => 'DEFAULT',
  '.' => undef,
} );


3.
Pre-configure banning policies giving a name to each, then
use these names in @banned_filename_maps (or on SQL or
LDAP lookups for the same):

%banned_rules = (
  'NO-MS-EXEC'=> new_RE( qr'^\.(exe-ms)$' ),
  'PASSALL'   => new_RE( [qr'^' => 0] ),
  'ALLOW_EXE' =>  # pass executables except if name ends in .vbs .pif .scr .bat
    new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
  'ALLOW_VBS' =>  # allow names ending in .vbs
    new_RE( [qr'.\.vbs$' => 0] ),
  'NO-VIDEO' => new_RE( qr'^\.movie$',
    qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
  'NO-MOVIES' => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),

  'MYNETS-DEFAULT' => new_RE(
    [ qr'^\.(rpm|cpio|tar)$' => 0 ],  # allow any in Unix-type archives
    qr'.\.(vbs|pif|scr)$'i,           # banned extension - rudimentary
    qr'^\.(exe-ms)$',                 # banned file(1) types
  ),
  'DEFAULT' => $banned_filename_re,
);

@banned_filename_maps = (
  { 'user1@example.org' => 'NO-MS-EXEC,PASSALL',
    'user2@example.net' => 'ALLOW_VBS',
    '.example.com' => 'DEFAULT',  # for each local domain
    '.example.net' => 'DEFAULT',
    '.' => 'ALLOW_EXE',
  },
);


Mark
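
Added example (not part of the original post and not amavisd-new code): a simplified Python model of option 3 for the case asked about, where only one external recipient may receive executables. It assumes per-recipient hash lookups go from the most specific key (full address) to the catch-all '.', and that within a comma-separated rule list the first rule matching any name of a mail part decides; partner@example.org and the sample part names are constructed.

```python
import re

# Rule sets modelled on the post's %banned_rules as (pattern, verdict) pairs:
# True = ban, False = explicit pass (the post's [qr'...' => 0] form).
BANNED_RULES = {
    "NO-MS-EXEC": [(re.compile(r"^\.(exe-ms)$"), True)],
    "ALLOW_EXE": [
        (re.compile(r".\.(vbs|pif|scr|bat)$", re.I), True),
        (re.compile(r"^\.exe$"), False),
    ],
}

# Constructed map: partner@example.org is a hypothetical address.
BANNED_FILENAME_MAP = {
    "partner@example.org": "ALLOW_EXE,NO-MS-EXEC",  # pass rule must come first
    ".example.com": "NO-MS-EXEC",                   # local domain
    ".": "NO-MS-EXEC",                              # every other recipient
}

def lookup_keys(recipient):
    """Assumed lookup order: full address, domain, parent domains, '.'."""
    domain = recipient.rsplit("@", 1)[1].lower()
    labels = domain.split(".")
    keys = [recipient.lower(), domain]
    keys += ["." + ".".join(labels[i:]) for i in range(len(labels))]
    return keys + ["."]

def rules_for(recipient, table=BANNED_FILENAME_MAP):
    """Return the rule-name list of the most specific matching key."""
    for key in lookup_keys(recipient):
        if key in table:
            return table[key]
    return None

def is_banned(recipient, part_names):
    """First rule matching any name of the part decides; no match = pass."""
    names = rules_for(recipient)
    if names is None:
        return False
    for rule_name in names.split(","):
        for pattern, verdict in BANNED_RULES[rule_name]:
            if any(pattern.search(n) for n in part_names):
                return verdict
    return False
```

A part is given as its list of names (short file(1) types plus the declared filename), for example [".exe", ".exe-ms", "setup.exe"].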

