Capabilities
Patrick Ben Koetter via amavis-users
amavis-users at amavis.org
Thu May 22 06:37:06 CEST 2014
* Gregory Sloop via amavis-users <gregs at sloop.net>:
> I've done a fair bit of reading, both of the docs, web walk-throughs and the list archives.
>
> However, I'm not sure if what I want to do is supported:
>
> Given: Ubuntu 12.04 / Postfix / Dovecot / Amavis-new [2.3.3]
> Users are local users, not virtual.
> Not using LDAP or MySQL etc to handle users/configurations.
>
> Needs:
> Like everyone, we're getting more and more hostile attachments - which is the primary motivator for Amavis.
> Up to now, we've used client side AV scanning etc. However, the attachments we're getting are zero-day exploits in most cases, where the AV engines simply don't recognize them yet. [Given a day or three, they are, but not when received.]
>
> So, I need to start doing attachment filtering. As long as we're at it, we should have adequate capacity to also do ClamAV - which will get us a small leg-up, perhaps.
> But I'm not counting on ClamAV to catch the problem attachments.
>
> However, we can't just block every .zip file for example. Some zips from some senders are legit.
> Further, I don't want to block mail without generating a bounce reply. [An alternative would be rejecting it before accept at the MTA]
> But generating a bounce for blocked attachments will cause a host of back-scatter.
>
> So, it seems the options are: Block completely, at the MTA, some attachments that we'll never accept. [.exe for example.]
If you want to block files by suffix in general, you can do that with Postfix'
mime_header_checks, and they will never enter your mail system. Be aware that
this only works for files whose name actually ends in such a suffix, e.g.
"exe".
> I hope to use amavis to scan, for example, zip attachments for viruses, and if found quarantine them. [Though zips aren't the only one, this is simply an example.]
>
> For some users, we'll quarantine all zip files. However, for other users [and/or, some senders] we'll accept those attachments. [And yes, I fully understand that the envelope sender can be forged, and can't be trusted. However, it probably is better than doing nothing.]
You can quarantine banned file names in general and permit delivery to some
recipients via amavis' banned file name lovers feature.
> Finally, I'd like to scan archives for particular files. For example, we'll accept a zip, and even if the AV thinks it's clean, if the zip contains a .exe we should still quarantine.
Amavis can do that too.
> Is this possible, in general?
Yes.
> Any pointers as to how best to approach it?
> Any good example threads or web-pages?
This enables the banned* features in general. For exceptions (some recipients
should get it anyway), read up on @banned_files_lovers_maps.
#############################################################################
## BANNED POLICY
#

@bypass_banned_checks_maps = (
  \%bypass_banned_checks, \@bypass_banned_checks_acl, \$bypass_banned_checks_re);

# Default set of banned files. Defined first, because %banned_rules below
# refers to it: a Perl variable used before it is assigned is undef.
$banned_filename_re = new_RE(
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
  [ qr'^\.(rpm|cpio|tar)$' => 0 ],        # allow any in Unix-type archives
  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  # block certain double extensions in filenames
  qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
  qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,  # banned extension - basic+cmd
);

# Named rule sets; which one applies to a recipient is selected through
# @banned_filename_maps
%banned_rules = (
  'NO-MS-EXEC'     => new_RE( qr'^\.(exe-ms)$' ),
  'PASSALL'        => new_RE( [qr'^' => 0] ),
  'ALLOW_EXE'      => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
  'ALLOW_VBS'      => new_RE( [qr'.\.vbs$' => 0] ),
  'NO-VIDEO'       => new_RE( qr'^\.movie$', qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
  'NO-MOVIES'      => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),
  'MYNETS-DEFAULT' => new_RE( [ qr'^\.(rpm|cpio|tar)$' => 0 ], qr'.\.(vbs|pif|scr)$'i, ),
  'DEFAULT'        => $banned_filename_re,
);

# Reject message in client session
$final_banned_destiny = D_REJECT;

# Send message to quarantine
$banned_files_quarantine_method = 'local:banned-%m';

# Extend localpart of recipient address if message contains banned file
@addr_extension_banned_maps = ('banned');

# Don't send notification to sender
$warnbannedsender = 0;

# Send notification to recipient
$warnbannedrecip = 1;
>
> TIA
> -Greg
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
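An added worked example, not code from this thread, from amavis or from sys4: the Python script below replays the regex lists of the posted fragment against constructed attachment descriptors, to show how a new_RE() list decides (the first entry that matches decides; a bare regex means banned, a [regex => 0] entry means explicitly allowed) and how a per-recipient choice of rule set plus a lovers list gives the "block for some users, allow for others" behaviour asked about above. The patterns are the ones from the fragment, translated to Python re syntax; the NO-ZIP rule set, every address and the sample parts are hypothetical. For each part amavis tests the file(1)-derived short types (with a leading dot), the declared MIME type and the declared name, and an archive member is a part of its own; the model here checks each part's own descriptors and does not reproduce how amavis folds an enclosing archive's descriptors into the same lookup.

```python
"""Model of the amavisd-new banned-name lookup for the rules posted above.

Added example, not amavis code.  Translates the posted new_RE() lists to
Python and evaluates them as amavis does: first matching entry decides,
bare pattern = banned, (pattern => 0) = explicitly allowed.
"""
import re


def rule(pattern, banned=True, ignorecase=False):
    """One entry of a new_RE() list: (compiled regex, verdict)."""
    return (re.compile(pattern, re.I if ignorecase else 0), banned)


# $banned_filename_re from the posted fragment, entry for entry.
DEFAULT = [
    rule(r'^\.(exe-ms|dll)$'),                   # file(1) short types
    rule(r'^\.(rpm|cpio|tar)$', banned=False),   # Unix-type archives are allowed
    rule(r'.\.(pif|scr)$', ignorecase=True),
    rule(r'^application/x-msdownload$', ignorecase=True),
    rule(r'^application/x-msdos-program$', ignorecase=True),
    rule(r'^application/hta$', ignorecase=True),
    # double extensions such as report.pdf.exe
    rule(r'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$', ignorecase=True),
    rule(r'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$', ignorecase=True),
]

# %banned_rules: the posted named sets, plus a hypothetical NO-ZIP set
# (ban any zip, then fall through to DEFAULT) for the "quarantine all
# zip files for some users" case from the question.
BANNED_RULES = {
    'DEFAULT': DEFAULT,
    'PASSALL': [rule(r'^', banned=False)],
    'NO-MS-EXEC': [rule(r'^\.(exe-ms)$')],
    'ALLOW_EXE': [rule(r'.\.(vbs|pif|scr|bat)$', ignorecase=True),
                  rule(r'^\.exe$', banned=False)],
    'NO-ZIP': [rule(r'^\.zip$')] + DEFAULT,
}

# Per-recipient choice of rule set, the job @banned_filename_maps does with
# a hash lookup.  Addresses are constructed; '.' is the catch-all key.
RECIPIENT_RULES = {
    'greg@example.com': 'ALLOW_EXE',
    'alice@example.com': 'NO-ZIP',
    '.example.com': 'DEFAULT',
    '.': 'DEFAULT',
}

# @banned_files_lovers_maps: recipients who get banned mail delivered anyway.
BANNED_FILES_LOVERS = {'ops@example.com'}

# Constructed sample message.  Archive members are parts of their own, so
# the .exe inside the zip is seen even if the AV engine calls the zip clean.
# The last part is an executable renamed to .dat: a suffix-only check never
# sees it, the file(1) short type does.
SAMPLE_PARTS = [
    {'where': 'message',    'descriptors': ['.asc', 'text/plain', 'notes.txt']},
    {'where': 'message',    'descriptors': ['.zip', 'application/zip', 'report.zip']},
    {'where': 'report.zip', 'descriptors': ['.exe', '.exe-ms', 'application/x-msdownload', 'report.pdf.exe']},
    {'where': 'message',    'descriptors': ['.exe', '.exe-ms', 'application/octet-stream', 'invoice.dat']},
]


def lookup_recipient(addr, table):
    """Simplified amavis hash lookup: full address, then '.domain', then '.'."""
    domain = addr.rpartition('@')[2]
    for key in (addr, '.' + domain, '.'):
        if key in table:
            return table[key]
    return None


def first_match(descriptors, rules):
    """First rule matching any descriptor of the part decides.

    Returns (banned, descriptor, pattern), or (False, None, None) if nothing matched.
    """
    for regex, banned in rules:
        for desc in descriptors:
            if regex.search(desc):
                return banned, desc, regex.pattern
    return False, None, None


def banned_hits(parts, recipient):
    """Rule set used for this recipient and the list of (where, descriptor, pattern) hits."""
    rule_name = lookup_recipient(recipient, RECIPIENT_RULES) or 'DEFAULT'
    hits = []
    for part in parts:
        banned, desc, pattern = first_match(part['descriptors'], BANNED_RULES[rule_name])
        if banned:
            hits.append((part['where'], desc, pattern))
    return rule_name, hits


def verdict(parts, recipient):
    """Per-recipient outcome: 'deliver', 'banned', or 'deliver (lover)'."""
    _, hits = banned_hits(parts, recipient)
    if not hits:
        return 'deliver'
    if recipient in BANNED_FILES_LOVERS:
        return 'deliver (lover)'
    return 'banned'


if __name__ == '__main__':
    for rcpt in ('bob@example.com', 'greg@example.com', 'alice@example.com',
                 'ops@example.com', 'someone@other.example'):
        rule_name, hits = banned_hits(SAMPLE_PARTS, rcpt)
        print(f'{rcpt:24} rule={rule_name:10} {verdict(SAMPLE_PARTS, rcpt)}')
        for where, desc, pattern in hits:
            print(f'    banned in {where}: {desc!r} matched {pattern}')
```

Two things the output makes visible. The executable renamed to invoice.dat and the member of report.zip are caught only because amavis looks at the file(1) type and at archive members; Postfix mime_header_checks sees nothing but the declared name in the outer MIME headers and would pass both, which is the limitation the reply warns about. And the posted fragment names rule sets in %banned_rules but does not show the @banned_filename_maps entry that selects one per recipient; without it the named sets are not consulted. One caveat on the fragment itself: $final_banned_destiny = D_REJECT only reaches the sending client as a 5xx when amavis sits in the SMTP path before the message is accepted (a pre-queue smtpd_proxy_filter setup). In the usual after-queue content_filter setup the message has already been queued, so the reject becomes a non-delivery notification from the MTA, which is exactly the backscatter the question wants to avoid; there, D_DISCARD together with the quarantine already configured blocks without generating a bounce.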