Control mail attachment through iptables

sanjee · 01-05-2009, 03:59 AM

How to restrict through IPTABLES , any mail attachment packet .
Local users when sending outlook mail with attachment . I want to restrict the mail attachment will discarded through linux iptables firewall system .
The mail is situated in remote and don't have any access on it . Can I block attachment packet in my end .

billymayday · 01-05-2009, 04:02 AM

I doubt it - as far as I'm aware, the attachment is simply part of the body during transmission. Therefore iptables has no knowledge of the content.

Are you concerned about incoming or outgoing messages

sanjee · 01-05-2009, 04:21 AM

Yes . Because I don't have any access on remote mail server . But I have to set the restriction in such a way , so that local users can not send any attachment mail through outlook .
Is there any way .

billymayday · 01-05-2009, 04:34 AM

There seem to be a few methods mentioned around the place - do a search for postfix block attachment.

Here's one suggestion

Quote:

man header_checks, man regexp_table

Put something like the following in /etc/postfix/mime_header_checks.regexp

/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
REJECT For security reasons we reject attachments of this type
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|h ta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"

Then add the following to /etc/postfix/main.cf

mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp

sanjee · 01-05-2009, 06:42 AM

Thanks for suggestion . But , those paramiter can be set in postfix mail configuration file . And I don't have access in mail server . Then please suggest how to overcome .

rweaver · 01-05-2009, 09:53 AM

Quote:

Originally Posted by sanjee

Thanks for suggestion . But , those paramiter can be set in postfix mail configuration file . And I don't have access in mail server . Then please suggest how to overcome .

About the only thing you could do is setup an internal mail server (with attachment blocking) and have the clients setup to authenticate and do email through there and then setup iptabes to deny all hosts except the internal mail server access to the outside world on port 25. Think smart host.

sanjee · 01-05-2009, 11:02 PM

I was thinking , if it could be possible through mail packer header etc .
Is their any way to find out the attachment type .