LinuxQuestions.org
Old 02-14-2008, 08:35 AM   #1
hypernetics
Member
 
Registered: Oct 2003
Location: Berlin, GER
Posts: 35

Rep: Reputation: 15
Banned mails by amavis because of decipherable content


Hi there,

I'm running Postfix/SA/Amavis on Debian Etch.
When I send an email to my mailserver that contains an encrypted zip-file, the server complains that it cannot decipher the content:

"BANNED CONTENTS ALERT
Our content checker found banned name: multipart/mixed |
application/x-zip-compressed,.zip,ipscan.zip | ipscan.exe,UNDECIPHERABLE
"

I want amavis to block archives that contain executable files but not archives that are encrypted. In /etc/amavis/conf.d/20-debian_defaults I found two entries that are related to this:

1.) $banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components

2.) @keep_decoded_original_maps = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));

I commented out "qr'^MAIL-UNDECIPHERABLE$'", restarted amavis but this didn't work. I just don't know what parameter I have to set.

Can somebody help me?

Greetings,
hypz
 
Old 02-14-2008, 10:20 AM   #2
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,908

Rep: Reputation: 354
There appear to be several parts of amavisd.conf that are involved in deciding what to do with mail that has encrypted or executable content. Here are the parts, in the order they appear in my amavisd.conf:
Code:
$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
SA flags virus and banned mails as SPAM.
Code:
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;
What SA will do with mails which have been identified as undesirable.
Code:
@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));
and
Code:
$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

# qr'[{}]',      # curly braces in names (serve as Class ID extensions - CLSID)

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

  [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
  [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
);
Rules to apply in identifying content as desirable or undesirable. These can be augmented with SA whitelist and blacklist files. See the SpamAssassin Wiki for a thorough set of rules, filters and guides to setting up whitelists.

Last edited by bigrigdriver; 02-14-2008 at 10:26 AM.
 
Old 02-14-2008, 02:35 PM   #3
hypernetics
Member
 
Registered: Oct 2003
Location: Berlin, GER
Posts: 35

Original Poster
Rep: Reputation: 15
Thanks for your reply.

But I still don't know which parameter I have to change to prevent amavis from blocking encrypted mails. Most of the parameters you mentioned relate to what kind of attachments should be blocked and/or how to deal with this.


Code:
@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));
and
Code:
$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
);
It seems to me that these lines are the only ones that deal with encrypted mails?!
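
Added example, not part of the thread and not amavis code: a simplified Python model that applies the uncommented banned_filename_re rules from post #2 to the banned-name string from the alert in post #1 and reports which rule and which name decide the verdict. The root-to-leaf walk and the "first matching rule decides" evaluation are assumptions about how amavis applies the table, and the function names are hypothetical.

```python
import re

# Active (uncommented) rules copied from the banned_filename_re listing in post #2.
# Each entry is (pattern, flags, verdict): True = ban, False = allow (the "=> 0" form).
RULES = [
    (r'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$', re.I, True),
    (r'^application/x-msdownload$', re.I, True),
    (r'^application/x-msdos-program$', re.I, True),
    (r'^application/hta$', re.I, True),
    (r'^\.(Z|gz|bz2)$', 0, False),
    (r'^\.(rpm|cpio|tar)$', 0, False),
    (r'^\.(zip|rar|arc|arj|zoo)$', 0, False),
    (r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$', re.I, True),
    (r'^\.(exe-ms)$', 0, True),
]
# This rule is commented out in every listing on the page.
UNDECIPHERABLE_RULE = (r'^UNDECIPHERABLE$', 0, True)

# Banned-name string from the alert in post #1 (line break removed).
ALERT = ("multipart/mixed | application/x-zip-compressed,.zip,ipscan.zip"
         " | ipscan.exe,UNDECIPHERABLE")

def parse_path(alert):
    """Split the alert into levels ('|') and the names of each level (',')."""
    return [[n.strip() for n in level.split(',')] for level in alert.split('|')]

def evaluate(alert, rules):
    """Assumed model: walk root to leaf; the first rule matching any name at a
    level decides. Returns (banned, pattern, name), or (False, None, None)."""
    for names in parse_path(alert):
        for pattern, flags, verdict in rules:
            for name in names:
                if re.search(pattern, name, flags):
                    return verdict, pattern, name
    return False, None, None

def ban_only(rules):
    """Drop the '=> 0' allow entries, keeping only rules that ban."""
    return [r for r in rules if r[2]]

if __name__ == "__main__":
    for label, rules in [("post #2 rules", RULES),
                         ("ban rules only", ban_only(RULES)),
                         ("UNDECIPHERABLE rule only", [UNDECIPHERABLE_RULE])]:
        print(label, "->", evaluate(ALERT, rules))
```

Under these assumptions, the run without the allow entries is decided by the name ipscan.exe matching the basic banned-extension rule, while the UNDECIPHERABLE name only produces a ban when its own rule is enabled.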
 
  


All times are GMT -5. The time now is 01:55 PM.
