OT: "Volunteers wanted" blocking .exe in mails/archives

Django django at nausch.org
Mon Sep 28 00:55:25 CEST 2015


Hi Winfried,

On 24.09.2015 at 10:52, Winfried Neessen wrote:

So, even though it is Sunday/Monday and already rather late, I have
tried out and validated a few more things.

> The reason for this is the amavisd default config. In the @decoders
> array you have the option of specifying decoders for particular file
> extensions. E.g. gzip is used for .gz. There is also an entry for
> .asc, which is commented out by default:
> 
> [[qw(asc uue hqx ync)], \&do_ascii],  # not safe

OK, I activated the line in question on my own mail server and fired
the prepared message at the MX. And lo and behold, the message is
rejected:

$ telnet nausch.org 25
Trying 217.91.103.190...
Connected to nausch.org.
Escape character is '^]'.
220 mx01.nausch.org ESMTP Postfix
...

...
cCAyMDE1IENhc3BlciBXYXlzLmV4ZVBLBQYAAAAAAQABAFYAAAD8PgAAAAA=


--vavfkYi7oDNXSmoOmlo8Izb9C9l4pza480dG4o--

--==IFJRGLKFGIR5458UHRUHIHD--
.
554 5.7.0 Reject, id=02672-10 - BANNED: .exe,.exe-ms,agreement of 08
Sep 2015 Casper Ways.exe. Contact your postmaster/admin for technical
assistance. He can achieve our postmaster via email:
postmaster at nausch.org or via fax: +49 8121 883179. In any case, please
provide the following information in your problem report: This error
message, time (Sep 27 23:40:35), client (88.198.212.215) and server
(mx01.nausch.org).
quit
221 2.0.0 Bye
Connection closed by foreign host.

AMaViS logs the following at log level 3:
Sep 27 23:40:35 vml000067 amavis[2672]: loaded policy bank "AM.PDP-SOCK"
Sep 27 23:40:35 vml000067 amavis[2672]: process_request: fileno
sock=13, STDIN=0, STDOUT=1
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol: request=AM.PDP
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol:
queue_id=2DD52C0008A
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol: sender=<>
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol:
recipient=<michael at nausch.org>
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol:
tempdir=/var/spool/amavisd/tmp/afXXXXjPI01Y
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol:
tempdir_removed_by=client
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol:
mail_file=/var/spool/amavisd/tmp/afXXXXjPI01Y/email.txt
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol:
delivery_care_of=client
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol:
client_address=88.198.212.215
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol:
client_name=mx1.piratenpartei-bayern.de
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol:
helo_name=mx1.piratenpartei-bayern.de
Sep 27 23:40:35 vml000067 amavis[2672]: policy protocol:
policy_bank=mx01.nausch.org
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) Request: AM.PDP
/var/spool/amavisd/tmp/afXXXXjPI01Y: <> -> <michael at nausch.org>
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) smtp connection
cache, dt: 107.6, state: 0
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) body hash:
07ccdddffea63e9fecc725b90ecca67e
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) trace: AM.PDP://x <
88.198.212.215
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) Checking:
OvZ7Onw-G8YN AM.PDP-SOCK [88.198.212.215] <> -> <michael at nausch.org>
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) 2822.From:
<postmaster at bbdouae.onmicrosoft.com>, 2821.Mail_From: <>
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) p004 1
Content-Type: multipart/report
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) p001 1/1
Content-Type: text/plain, size: 7331 B, name:
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) p002 1/2
Content-Type: message/delivery-status, size: 326 B, name:
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) p003 1/3
Content-Type: message/rfc822, size: 25549 B, name:
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) inspect_dsn: is a
DSN, struct: "standard DSN", part(3/4), <>
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) do_executable: not
an ARJ sfx, ignoring: do_unarj: not an ARJ archive? exit 9 at (eval
132) line 1300.
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) Checking for banned
types and filenames
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) collect banned
table[0]: michael at nausch.org, tables:
DEFAULT=>Amavis::Lookup::RE=ARRAY(0x35e8fa8)
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) p.path
michael at nausch.org: "P=p004,L=1,M=multipart/report |
P=p001,L=1/1,M=text/plain,T=asc"
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) p.path
michael at nausch.org: "P=p004,L=1,M=multipart/report |
P=p002,L=1/2,M=message/delivery-status,T=asc"
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) p.path BANNED:1
michael at nausch.org: "P=p004,L=1,M=multipart/report |
P=p003,L=1/3,M=message/rfc822,T=asc | P=p005,L=1/3/1,T=zip,N=contract
Urban Trail#SOjk7K7.zip | P=p006,L=1/3/1/1,T=exe,T=exe-ms,N=agreement
of 08 Sep 2015 Casper Ways.exe", matching_key="(?^:^\\.(exe-ms|dll)$)"
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) presenting full
original message to scanners as
/var/spool/amavisd/tmp/afXXXXjPI01Y/parts/p007
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) run_av Using
(ClamAV-clamd): (code) CONTSCAN
/var/spool/amavisd/tmp/afXXXXjPI01Y/parts\n
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) ClamAV-clamd:
Connecting to socket  /var/run/clamd.amavisd/clamd.sock
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) new socket by
IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout set to 10
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) ClamAV-clamd:
Sending CONTSCAN /var/spool/amavisd/tmp/afXXXXjPI01Y/parts\n to socket
/var/run/clamd.amavisd/clamd.sock
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) rw_loop read: got eof
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) run_av
(ClamAV-clamd): CLEAN
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) run_av
(ClamAV-clamd) result: clean
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) bounce rescued by
domain (DSN), <> -> <michael at nausch.org>, date: Tue, 8 Sep 2015
12:39:15 +0200, from: "Johnston, Gottlieb and Dicki"
<michael at nausch.org>, message-id:
<Nk1qZ8XjlJCTRXCCBUrGJfF2M at nausch.org>, return-path: michael at nausch.org
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) blocking contents
category is (8) for michael at nausch.org, final_destiny -3
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) do_notify_and_quar:
ccat=Banned (8,0) ("8":Banned, "1,1":CleanTag, "1":Clean,
"0":CatchAll) ccat_block=(8), qar_mth=
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) delivery method is
1, recips: michael at nausch.org
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) status counters:
InMsgsStatus{Rejected,RejectedInbound}
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) Blocked BANNED
(.exe,.exe-ms,agreement of 08 Sep 2015 Casper Ways.exe)
{RejectedInbound}, AM.PDP-SOCK [88.198.212.215] [88.198.212.215] <> ->
<michael at nausch.org>, Queue-ID: 2DD52C0008A, Message-ID:
<Nk1qZ8XjlJCTRXCCBUrGJfF2M at nausch.org>, mail_id: OvZ7Onw-G8YN, Hits:
-, size: 38664, 172 ms
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) mail checking
ended: version_server=2\nlog_id=02672-10\nsetreply=554 5.7.0
Reject,%20id=02672-10%20-%20BANNED:%20.exe,.exe-ms,agreement%20of%2008%20Sep%202015%20Casper%20Ways.exe\nreturn_value=reject\nexit_code=69
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) size: 38664, TIMING
[total 178 ms] - got data: 0.0 (0%)0, check_init: 2.1 (1%)1,
digest_hdr: 1.1 (1%)2, digest_body_dkim: 0.5 (0%)2, collect_info: 1.5
(1%)3, mkdir parts: 0.9 (0%)3, mime_decode: 15 (9%)12, inspect_dsn:
0.7 (0%)13, get-file-type3: 36 (20%)32, decompose_part: 0.9 (0%)33,
decompose_part: 0.3 (0%)33, decompose_part: 1.5 (1%)34,
get-file-type1: 10 (5%)39, ren1-unl0-files1: 36 (20%)59,
decompose_part: 0.3 (0%)60, get-file-type1: 10 (6%)65, decompose_part:
29 (16%)81, parts_decode: 0.0 (0%)81, check_header: 0.5 (0%)82,
AV-scan-1: 17 (10%)91, decide_mail_destiny: 2.0 (1%)92, notif-quar:
0.5 (0%)93, prepare-dsn: 0.7 (0%)93, report: 1.3 (1%)94,
main_log_entry: 4.3 (2%)96, update_snmp: 5 (3%)99, rundown: 1.3 (1%)100
Sep 27 23:40:35 vml000067 amavis[2672]: (02672-10) load: 2 %, total
idle 161.008 s, busy 3.148 s

Without the entry "[[qw(asc uue hqx ync)], \&do_ascii]," in the
decoders it looks as follows:

Sep 27 23:21:59 vml000067 amavis[442]: loaded policy bank "AM.PDP-SOCK"
Sep 27 23:21:59 vml000067 amavis[442]: process_request: fileno
sock=13, STDIN=0, STDOUT=1
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol: request=AM.PDP
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol:
queue_id=D8F9CC0008E
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol: sender=<>
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol:
recipient=<michael at nausch.org>
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol:
tempdir=/var/spool/amavisd/tmp/afXXXXfMOAuw
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol:
tempdir_removed_by=client
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol:
mail_file=/var/spool/amavisd/tmp/afXXXXfMOAuw/email.txt
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol:
delivery_care_of=client
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol:
client_address=88.198.212.215
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol:
client_name=mx1.piratenpartei-bayern.de
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol:
helo_name=mx1.piratenpartei-bayern.de
Sep 27 23:21:59 vml000067 amavis[442]: policy protocol:
policy_bank=mx01.nausch.org
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) Request: AM.PDP
/var/spool/amavisd/tmp/afXXXXfMOAuw: <> -> <michael at nausch.org>
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) body hash:
07ccdddffea63e9fecc725b90ecca67e
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) trace: AM.PDP://x <
88.198.212.215
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) Checking:
F60OZ2yvf3f7 AM.PDP-SOCK [88.198.212.215] <> -> <michael at nausch.org>
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) 2822.From:
<postmaster at bbdouae.onmicrosoft.com>, 2821.Mail_From: <>
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) p004 1 Content-Type:
multipart/report
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) p001 1/1
Content-Type: text/plain, size: 7331 B, name:
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) p002 1/2
Content-Type: message/delivery-status, size: 326 B, name:
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) p003 1/3
Content-Type: message/rfc822, size: 25549 B, name:
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) inspect_dsn: is a
DSN, struct: "standard DSN", part(3/4), <>
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) Checking for banned
types and filenames
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) collect banned
table[0]: michael at nausch.org, tables:
DEFAULT=>Amavis::Lookup::RE=ARRAY(0x29dcc98)
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) p.path
michael at nausch.org: "P=p004,L=1,M=multipart/report |
P=p001,L=1/1,M=text/plain,T=asc"
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) p.path
michael at nausch.org: "P=p004,L=1,M=multipart/report |
P=p002,L=1/2,M=message/delivery-status,T=asc"
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) p.path
michael at nausch.org: "P=p004,L=1,M=multipart/report |
P=p003,L=1/3,M=message/rfc822,T=asc"
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) presenting full
original message to scanners as
/var/spool/amavisd/tmp/afXXXXfMOAuw/parts/p005
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) run_av Using
(ClamAV-clamd): (code) CONTSCAN
/var/spool/amavisd/tmp/afXXXXfMOAuw/parts\n
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) ClamAV-clamd:
Connecting to socket  /var/run/clamd.amavisd/clamd.sock
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) new socket by
IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout set to 10
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) ClamAV-clamd:
Sending CONTSCAN /var/spool/amavisd/tmp/afXXXXfMOAuw/parts\n to socket
/var/run/clamd.amavisd/clamd.sock
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) rw_loop read: got eof
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) run_av
(ClamAV-clamd): CLEAN
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) run_av
(ClamAV-clamd) result: clean
Sep 27 23:21:59 vml000067 amavis[442]: (00442-06) calling SA parse
(0), SA vers 3.4.0, 3.004000, data as STRING_REF, recips_ind [0],
user: "amavis"
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) spam_scan:
score=3.764 autolearn=no autolearn_force=no
tests=[DATE_IN_PAST_96_XX=2.07,DSN_NO_MIMEVERSION=1.999,MIME_HEADER_CTYPE_ONLY=1.996,RCVD_IN_DNSWL_MED=-2.3,SPF_HELO_PASS=-0.001]
recips=0
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) bounce rescued by
domain (DSN), <> -> <michael at nausch.org>, date: Tue, 8 Sep 2015
12:39:15 +0200, from: "Johnston, Gottlieb and Dicki"
<michael at nausch.org>, message-id:
<Nk1qZ8XjlJCTRXCCBUrGJfF2M at nausch.org>, return-path: michael at nausch.org
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) do_notify_and_quar:
ccat=CleanTag (1,1) ("1,1":CleanTag, "1":Clean, "0":CatchAll)
ccat_block=(), qar_mth=
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) delivery method is
1, recips: michael at nausch.org
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) spam-tag, <> ->
<michael at nausch.org>, No, score=3.764 tagged_above=-1000 required=6.31
tests=[DATE_IN_PAST_96_XX=2.07, DSN_NO_MIMEVERSION=1.999,
MIME_HEADER_CTYPE_ONLY=1.996, RCVD_IN_DNSWL_MED=-2.3,
SPF_HELO_PASS=-0.001] autolearn=no autolearn_force=no
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) status counters:
InMsgsStatus{Accepted,AcceptedInbound}
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) Passed CLEAN
{AcceptedInbound}, AM.PDP-SOCK [88.198.212.215] [88.198.212.215] <> ->
<michael at nausch.org>, Queue-ID: D8F9CC0008E, Message-ID:
<Nk1qZ8XjlJCTRXCCBUrGJfF2M at nausch.org>, mail_id: F60OZ2yvf3f7, Hits:
3.764, size: 38664, 2661 ms
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) TIMING-SA total 2574
ms - parse: 2.6 (0.1%), extract_message_metadata: 47 (1.8%),
get_uri_detail_list: 10 (0.4%), tests_pri_-1000: 98 (3.8%),
tests_pri_-950: 1.38 (0.1%), tests_pri_-900: 7 (0.3%), tests_pri_-400:
1.22 (0.0%), tests_pri_0: 1396 (54.2%), check_dkim_adsp: 159 (6.2%),
check_spf: 29 (1.1%), poll_dns_idle: 995 (38.6%), check_razor2: 578
(22.4%), check_pyzor: 0.22 (0.0%), tests_pri_500: 1003 (39.0%),
get_report: 0.69 (0.0%)
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) mail checking ended:
version_server=2\nlog_id=00442-06\nsetreply=250 2.5.0
Ok,%20id=00442-06,%20continue%20delivery\ninsheader=0 X-Spam-Status
No,%20score=3.764%20tagged_above=-1000%20required=6.31%0a%09tests=[DATE_IN_PAST_96_XX=2.07,%20DSN_NO_MIMEVERSION=1.999,%0a%09MIME_HEADER_CTYPE_ONLY=1.996,%20RCVD_IN_DNSWL_MED=-2.3,%0a%09SPF_HELO_PASS=-0.001]%20autolearn=no%20autolearn_force=no\ninsheader=0
X-Spam-Level ***\ninsheader=0 X-Spam-Score 3.764\ninsheader=0
X-Spam-Flag NO\ninsheader=0 X-Virus-Scanned
amavisd-new%20at%20nausch.org\nreturn_value=continue\nexit_code=0
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) size: 38664, TIMING
[total 2668 ms] - got data: 0.0 (0%)0, check_init: 2.0 (0%)0,
digest_hdr: 1.1 (0%)0, digest_body_dkim: 0.5 (0%)0, collect_info: 1.5
(0%)0, mkdir parts: 0.9 (0%)0, mime_decode: 15 (1%)1, inspect_dsn: 0.7
(0%)1, get-file-type3: 35 (1%)2, parts_decode: 0.2 (0%)2,
check_header: 0.5 (0%)2, AV-scan-1: 16 (1%)3, spam-wb-list: 1.4 (0%)3,
SA msg read: 0.6 (0%)3, SA parse: 3.1 (0%)3, SA check: 2569 (96%)99,
decide_mail_destiny: 5 (0%)99, notif-quar: 0.4 (0%)99, prepare-dsn:
2.0 (0%)100, report: 1.3 (0%)100, main_log_entry: 5 (0%)100,
update_snmp: 4.9 (0%)100, rundown: 1.6 (0%)100
Sep 27 23:22:02 vml000067 amavis[442]: (00442-06) load: 3 %, total
idle 153.023 s, busy 4.581 s

> The probable reason for this is the "not safe". The function
> do_safe() then tries to apply various decoding methods (uudecode,
> BinHex, Base64, etc.). But this does not seem to be really
> reliable.

I will ask Marc about this; let's see what he can tell us.

> But it works without major problems in the case of the DSN.

I can confirm that on my own system. But why the customer system still
detects the faked bounce despite the ASC decoder being activated by
default is not really clear to me at the moment.

The difference between the two systems is:

CentOS 6.7 with amavisd-new 2.9.0 integrated as a pre-queue filter
(as per Peer Heinlein's Postfix book) does not detect the exe!

amavisd.conf defines:

$banned_filename_re = new_RE(
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
  qr'.\.(exe|vbs|pif|scr|cpl)$'i,         # banned extension - basic
);


@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_uncompress,  'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress,  'bzip2 -d'],
  ['lzo',  \&do_uncompress,  'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['deb',  \&do_ar,          'ar'],
# ['a',    \&do_ar,          'ar'],  # unpacking .a seems an overkill
  ['zip',  \&do_unzip],
  ['7z',   \&do_7zip,       ['7zr','7za','7z'] ],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,        ['zoo','unzoo'] ],
  ['lha',  \&do_lha,         'lha'],
# ['doc',  \&do_ole,         'ripole'],
  ['cab',  \&do_cabextract,  'cabextract'],
  ['tnef', \&do_tnef_ext,    'tnef'],
  ['tnef', \&do_tnef],
# ['sit',  \&do_unstuff,     'unstuff'],  # broken/unsafe decoder
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);



CentOS 7.1 with amavisd-new 2.10.1 integrated as a pre-queue filter,
as a MILTER with the help of amavisd-milter 1.6.0. This system detects
the banned EXE.

amavisd.conf contains the following lines:

$banned_filename_re = new_RE(
    # banned file(1) types, rudimentary
    qr'^\.(exe-ms|dll)$',
    # allow any in Unix-type archives
    [ qr'^\.(rpm|cpio|tar)$'       => 0 ],
    # banned extensions - rudimentary
    qr'.\.(pif|scr)$'i,
    # block these MIME types
    qr'^application/x-msdownload$'i,
    qr'^application/x-msdos-program$'i,
    qr'^application/hta$'i,
    # block certain double extensions in filenames
    qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
    # banned extension - basic+cmd
    qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
);

@decoders = (
    ['mail', \&do_mime_decode],
    ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
    ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
    ['gz',   \&do_uncompress, 'gzip -d'],
    ['gz',   \&do_gunzip],
    ['bz2',  \&do_uncompress, 'bzip2 -d'],
    ['xz',   \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
    ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma',
            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
    ['lrz',  \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
    ['lzo',  \&do_uncompress, 'lzop -d'],
    ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
    [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
    ['deb',  \&do_ar, 'ar'],
    ['rar',  \&do_unrar, ['unrar', 'rar'] ],
    ['arj',  \&do_unarj, ['unarj', 'arj'] ],
    ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
    ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
    ['cab',  \&do_cabextract, 'cabextract'],
    ['tnef', \&do_tnef],
    [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
    [['zip','kmz'], \&do_unzip],
    ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
    [[qw(7z zip gz bz2 Z tar)], \&do_7zip,  ['7za', '7z'] ],
    [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
\&do_7zip,  '7z' ],
    ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
    [[qw(asc uue hqx ync)], \&do_ascii],
);

I cannot quite work out right now why the CentOS 6 system is acting up
here and why the CentOS 7 one works without complaint. :/

> So if you use do_ascii for .asc (or for other types as well), you can
> protect yourself against such attachments in DSNs.

That's how it is. A thousand thanks for your very detailed and helpful
tips!


Good night!
Django
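To make the difference between the two log runs above reproducible offline, here is an added example. It is my code, not code from this post, from amavisd-new or from the Postfixbuch list. It builds a constructed fake DSN of the same shape as the one in the thread (multipart/report whose message/rfc822 part carries a base64-encoded zip that wraps an .exe), emulates in simplified form how amavisd decomposes the parts with and without the [[qw(asc uue hqx ync)], \&do_ascii] decoder, and applies the CentOS 6 $banned_filename_re list quoted in the post. Assumptions, labelled in the code: the file(1) stand-in that only knows zip, MZ and "ASCII text"; the base64-run heuristic standing in for do_ascii; and the per-part "first matching RE decides" lookup, which is a simplification of amavisd's real banned-name lookup. All addresses, names and the 64-byte "MZ" stub are made up.

```python
"""Added example (not from the post, not amavisd-new code): fake DSN with a
zip-wrapped .exe inside message/rfc822, decomposed with/without do_ascii."""
import base64
import io
import re
import zipfile
from email import policy
from email.parser import BytesParser

# $banned_filename_re from the CentOS 6 config, as (regex, banned) pairs.
# A Perl "[ qr'...' => 0 ]" entry becomes banned=False (explicit allow).
BANNED_FILENAME_RE = [
    (re.compile(r'^\.(exe-ms|dll)$'), True),
    (re.compile(r'^\.(rpm|cpio|tar)$'), False),
    (re.compile(r'.\.(pif|scr)$', re.I), True),
    (re.compile(r'^application/x-msdownload$', re.I), True),
    (re.compile(r'^application/x-msdos-program$', re.I), True),
    (re.compile(r'^application/hta$', re.I), True),
    (re.compile(r'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*'
                r'(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$', re.I), True),
    (re.compile(r'.\.(exe|vbs|pif|scr|cpl)$', re.I), True),
]
EXE_STUB = b'MZ\x90\x00' + b'\x00' * 60     # constructed stand-in for a PE file
# Runs of base64 lines: the assumed, simplified thing do_ascii hunts for.
BASE64_RUN = re.compile(rb'(?:[A-Za-z0-9+/]{60,}\r?\n)+[A-Za-z0-9+/=]{4,}')


def build_fake_dsn() -> bytes:
    """Constructed bounce: text, delivery-status, then the 'original' message
    as message/rfc822 with one base64 zip attachment containing the .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('agreement of 08 Sep 2015 Casper Ways.exe', EXE_STUB)
    inner = (b'From: sender@example.invalid\r\nTo: michael@example.invalid\r\n'
             b'Subject: contract\r\n'
             b'Content-Type: application/zip; name="contract Urban Trail.zip"\r\n'
             b'Content-Transfer-Encoding: base64\r\n\r\n'
             + base64.encodebytes(buf.getvalue()))
    parts = [b'Content-Type: text/plain\r\n\r\nDelivery failed.\r\n',
             b'Content-Type: message/delivery-status\r\n\r\nAction: failed\r\n',
             b'Content-Type: message/rfc822\r\n\r\n' + inner]
    b = b'==IFJRGLKFGIR5458UHRUHIHD=='
    return (b'From: postmaster@example.invalid\r\nTo: michael@example.invalid\r\n'
            b'Subject: Undeliverable\r\nContent-Type: multipart/report; '
            b'report-type=delivery-status; boundary="' + b + b'"\r\n\r\n'
            + b''.join(b'--' + b + b'\r\n' + p for p in parts)
            + b'--' + b + b'--\r\n')


def file_types(data: bytes) -> list:
    """Tiny stand-in for file(1): the short type names amavisd keys on."""
    if data.startswith(b'PK\x03\x04'):
        return ['zip']
    if data.startswith(b'MZ'):
        return ['exe', 'exe-ms']
    return ['asc']      # "ASCII text", as the rfc822 part was typed in the logs


def decompose(name, mime, data, path, ascii_decoder):
    """Yield (path, mime, types, name) for a blob and whatever unpacks from it.
    ascii_decoder=True emulates do_ascii: base64 runs inside text-typed blobs
    are decoded and decomposed too (assumed, simplified behaviour)."""
    types = file_types(data)
    yield path, mime, types, name
    if 'zip' in types:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for i, entry in enumerate(zf.infolist(), 1):
                yield from decompose(entry.filename, '', zf.read(entry),
                                     f'{path}/{i}', ascii_decoder)
    elif ascii_decoder and 'asc' in types:
        for i, m in enumerate(BASE64_RUN.finditer(data), 1):
            try:
                blob = base64.b64decode(m.group(0))
            except ValueError:
                continue
            if file_types(blob) != ['asc']:
                yield from decompose('', '', blob, f'{path}/{i}', ascii_decoder)


def walk(msg, path, ascii_decoder):
    """Walk a parsed message as the logs show mime_decode did: message/rfc822
    is one opaque leaf (only do_ascii can look inside it), multiparts are
    containers, every other leaf is decomposed by file type."""
    if msg.get_content_type() == 'message/rfc822':
        yield from decompose('', 'message/rfc822', msg.get_payload(0).as_bytes(),
                             path, ascii_decoder)
    elif msg.is_multipart():
        yield path, msg.get_content_type(), [], ''
        for i, sub in enumerate(msg.get_payload(), 1):
            yield from walk(sub, f'{path}/{i}', ascii_decoder)
    else:
        yield from decompose(msg.get_filename() or '', msg.get_content_type(),
                             msg.get_payload(decode=True) or b'', path, ascii_decoder)


def banned_check(parts):
    """Simplified $banned_filename_re lookup (assumption: per part, the first
    RE matching any of its keys decides; keys are '.'+type, MIME type, name)."""
    for path, mime, types, name in parts:
        keys = ['.' + t for t in types] + [k for k in (mime, name) if k]
        for rx, banned in BANNED_FILENAME_RE:
            if any(rx.search(k) for k in keys):
                if banned:
                    return rx.pattern, name or path
                break
    return None


def scan(raw: bytes, ascii_decoder: bool):
    """Return (verdict, parts); verdict is (matching RE, offending name) or None."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parts = list(walk(msg, '1', ascii_decoder))
    return banned_check(parts), parts


if __name__ == '__main__':
    raw = build_fake_dsn()
    for mode in (False, True):
        verdict, parts = scan(raw, ascii_decoder=mode)
        print(f'do_ascii={mode}: ' + ' | '.join(
            f"P={p},T={','.join(t) or '-'}" for p, _, t, _ in parts))
        print('  ->', f'BANNED {verdict[1]} via {verdict[0]}' if verdict else 'CLEAN')
```

Run without arguments: with do_ascii off the rfc822 part stays a leaf typed asc and the verdict is CLEAN, as in the 23:21 log; with it on, the base64 run inside that part decodes to a zip, the zip yields the .exe at path 1/3/1/1 typed exe,exe-ms, and the first RE `^\.(exe-ms|dll)$` bans it, which is the matching_key the 23:40 log reports. Swap in the CentOS 7 list from the post to check that its `basic+cmd` rule changes nothing for this sample, since the exe-ms type rule fires first either way.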



More information about the Postfixbuch-users mailing list