Capabilities

Patrick Ben Koetter via amavis-users amavis-users at amavis.org
Thu May 22 06:37:06 CEST 2014


* Gregory Sloop via amavis-users <gregs at sloop.net>:
> I've done a fair bit of reading, both of the docs, web walk-throughs and the list archives.
> 
> However, I'm not sure if what I want to do is supported:
> 
> Given: Ubuntu 12.04 / Postfix / Dovecot / Amavis-new [2.3.3]
> Users are local users, not virtual. 
> Not using LDAP or MySQL etc to handle users/configurations.
> 
> Needs:
> Like everyone, we're getting more and more hostile attachments - which is the primary motivator for Amavis.
> Up to now, we've used client side AV scanning etc. However, the attachments we're getting are zero-day exploits in most cases, where the AV engines simply don't recognize them yet. [Given a day or three, they are, but not when received.]
> 
> So, I need to start doing attachment filtering. As long as we're at it, we should have adequate capacity to also do ClamAV - which will get us a small leg-up, perhaps.
> But I'm not counting on ClamAV to catch the problem attachments.
> 
> However, we can't just block every .zip file for example. Some zips from some senders are legit.
> Further, I don't want to block mail without generating a bounce reply. [An alternative would be rejecting it before accept at the MTA]
> But generating a bounce for blocked attachments will cause a host of back-scatter.
> 
> So, it seems the options are: Block completely, at the MTA, some attachments that we'll never accept. [.exe for example.]

If you want to block files by suffix in general, you can do that with Postfix'
mime_header_checks and they will never enter your mail system. Be aware that
this only works for files whose name actually ends in a matching suffix, e.g.
"exe".

> I hope to use amavis to scan, for example, zip attachments for viruses, and if found quarantine them. [Though zips aren't the only one, this is simply an example.]
> 
> For some users, we'll quarantine all zip files. However, for other users [and/or, some senders] we'll accept those attachments. [And yes, I fully understand that the envelope sender can be forged, and can't be trusted. However, it probably is better than doing nothing.]

You can quarantine banned file names in general and permit delivery to some
recipients via amavis' banned file name lovers feature.

> Finally, I'd like to scan archives for particular files. For example, we'll accept a zip, and even if the AV thinks it's clean, if the zip contains a .exe we should still quarantine.

Amavis can do that too.

> Is this possible, in general? 

Yes.

> Any pointers as to how best to approach it? 

> Any good example threads or web-pages?

This enables the banned* features in general. For exceptions (some recipients
should get it anyway), read up on @banned_files_lovers_maps.

#############################################################################
## BANNED POLICY
#
@bypass_banned_checks_maps = (
    \%bypass_banned_checks, \@bypass_banned_checks_acl, \$bypass_banned_checks_re);

# Default set of banned files. Defined before %banned_rules on purpose: the
# 'DEFAULT' entry in that hash copies the value of $banned_filename_re at the
# moment the hash is assigned, so with the definition placed after the hash,
# 'DEFAULT' would hold whatever $banned_filename_re was before this file set it.
$banned_filename_re = new_RE(
    qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
    [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
    qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
    qr'^application/x-msdownload$'i,        # block these MIME types
    qr'^application/x-msdos-program$'i,
    qr'^application/hta$'i,
    # block certain double extensions in filenames
    qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
    qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
);

# Named rule sets; a per-recipient lookup in @banned_filename_maps can select
# one of these by name instead of the default (see the amavisd.conf sample).
# A plain regexp bans what it matches; a [ regexp => 0 ] pair explicitly
# allows it, and the first matching entry wins.
%banned_rules = (
  'NO-MS-EXEC'=> new_RE( qr'^\.(exe-ms)$' ),
  'PASSALL'   => new_RE( [qr'^' => 0] ),
  'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
  'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ),
  'NO-VIDEO'  => new_RE( qr'^\.movie$', qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
  'NO-MOVIES' => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),
  'MYNETS-DEFAULT' => new_RE( [ qr'^\.(rpm|cpio|tar)$' => 0 ], qr'.\.(vbs|pif|scr)$'i, ),
  'DEFAULT' => $banned_filename_re,
);

# Reject message in client session
# (a real SMTP-time reject only in a pre-queue setup; in a post-queue setup
# the MTA has already accepted the message and turns this into a bounce)
$final_banned_destiny = D_REJECT;

# Send message to quarantine
$banned_files_quarantine_method = 'local:banned-%m';

# Extend localpart of recipient address if message contains banned file
@addr_extension_banned_maps = ('banned');

# Don't send notification to sender
$warnbannedsender = 0;

# Send notification to recipient
$warnbannedrecip = 1;

> 
> TIA
> -Greg

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
 
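For the "block some attachments completely at the MTA" part of the reply, here is an added example of a Postfix mime_header_checks map. It is not from the original post and not from the Postfix project; the file path, the extension lists and the log texts are my choices.

```pcre
# /etc/postfix/mime_header_checks  (added example, not from the original post)
# Activate in main.cf with:
#   mime_header_checks = pcre:/etc/postfix/mime_header_checks
# Debian/Ubuntu need the postfix-pcre package for pcre: tables.
# Postfix applies these patterns to each logical MIME header line of the
# message body; folded header lines are joined before matching, and pcre
# tables match case-insensitively by default.

# 1) Reject inside the SMTP session, so no bounce is ever generated:
#    Windows executables and script types this site will never accept.
#    $2 is the declared file name, $3 the offending extension.
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(exe|dll|pif|scr|bat|cmd|com|cpl|hta|vb[es]?|js|ws[fh]))"?\s*$/
    REJECT Attachment type not allowed: file "$2" has extension "$3"

# 2) Log but accept: archives are left for amavisd to unpack and inspect,
#    because only amavisd can see what is inside them.
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(zip|rar|7z))"?\s*$/
    WARN archive attachment "$2" passed on to amavisd for inspection
```

Check the table before reloading Postfix with `postmap -q 'Content-Disposition: attachment; filename="setup.exe"' pcre:/etc/postfix/mime_header_checks`, which prints the action the line would trigger. Two limits of this layer are worth keeping in mind: it sees only the declared name, not the real file type and not the members of an archive, and it applies to every recipient alike, which is why the per-user exceptions belong in amavisd. A name encoded per RFC 2231 (`filename*=`) or as an encoded-word will not match the patterns above, so treat this map as a cheap first cut rather than the complete defence.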

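The per-recipient part of the reply (some users get every zip quarantined, others may receive them) can be expressed with the two lookup maps named in the reply. The block below is an added example for amavisd.conf, not from the original post and not from amavisd-new itself; it assumes %banned_rules and $banned_filename_re are already defined in the same file as in the reply, that this amavisd version resolves a rule name returned by @banned_filename_maps against %banned_rules as the sample amavisd.conf documents, and every address in it is a placeholder.

```perl
# Added example for amavisd.conf (not from the original post or amavisd-new).
# Assumes %banned_rules / $banned_filename_re from the reply above are defined
# earlier in this file; all addresses below are placeholders.

# 1) Per-recipient choice of rule set. amavisd looks the recipient up in each
#    map; a string result names an entry of %banned_rules. Hash maps are tried
#    most-specific key first: full address, then 'user@', then '.domain',
#    then parent domains, then the '.' catch-all, so entry order is irrelevant.
@banned_filename_maps = ( {
  'finance@example.com' => 'DEFAULT',    # full default set (zip itself still allowed)
  'devops@example.com'  => 'ALLOW_EXE',  # .exe passes; vbs/pif/scr/bat still banned
  'postmaster@'         => 'PASSALL',    # any domain: postmaster must see everything
  '.example.com'        => 'DEFAULT',    # everyone else in the domain
  '.'                   => 'DEFAULT',    # catch-all for any other domain
} );

# 2) Recipients who get banned mail delivered anyway ("lovers"). The message
#    is still flagged, logged and quarantined exactly as for everybody else;
#    this lookup only restores delivery to the matching recipient. A full
#    address entry wins over its '.domain' entry, so the explicit 0 below
#    keeps one mailbox out even if the domain entry were ever changed to 1.
@banned_files_lovers_maps = ( {
  'malware-triage@example.com' => 1,   # the analysts' mailbox gets the sample
  'ceo@example.com'            => 0,   # explicitly never
  '.example.com'               => 0,   # nobody else in the domain
} );
```

Both maps are keyed by recipient; a sender-based exception would have to come from a policy bank selected by the connecting client (the MYNETS style in the sample config), not from the forgeable envelope sender. What happens to mail that is banned for a recipient is decided by $final_banned_destiny in the reply's block, not by these maps: D_REJECT is a true SMTP-time reject only in a pre-queue setup, while in a post-queue setup Postfix has already accepted the message and will bounce it, which is the backscatter the question wants to avoid; D_DISCARD together with the quarantine keeps a copy without any bounce, at the price of a silent drop that only the recipient notification ($warnbannedrecip) makes visible.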
