Search found 63 matches
- 23 May 2017 18:36
- Forum: Discussion
- Topic: block spam getting through
- Replies: 4
- Views: 5401
Re: block spam getting through
You can also roll the dice by increasing the score for the default rules in /etc/mail/spamassassin/local.cf score LOTS_OF_MONEY 2.3 I've used that to ramp up some of the default SPF, DKIM, DMARC, and ADSP scores and to write custom rules for domains that we exchange mail with that are broken ( bad S...
- 23 May 2017 12:33
- Forum: How-to
- Topic: Setting up different smarthosts for outbound mail relays
- Replies: 9
- Views: 7326
Re: Setting up different smarthosts for outbound mail relays
So much depends on the reason that you have two internal mail servers and need to maintain separate paths. Can you elaborate on that some? It might help us see other solutions if we could understand the need better. Basically we have 2 shared hosting servers (described as A and B before, each serve...
- 23 May 2017 12:26
- Forum: Feature Requests
- Topic: New status fields & sa-learn
- Replies: 0
- Views: 2722
New status fields & sa-learn
I'm working on another addition to the UI/automation. Previously, I'd added new status fields and code to the listings to display deleted and released emails so visual indicators were present for users to inform them that action had been taken. Now I'm looking at automation for the filter so that re...
Re: YARA
So, I still think that adding a Python wrapper around Yara is going to be the way to go. It looks like we'll want to look at yara-extend, as well. Lets Yara process compressed archives. Seems useful. The wrapper above is making more sense to me, after looking at the python-policyd-spf implementatio...
- 18 May 2017 15:57
- Forum: How-to
- Topic: Setting up different smarthosts for outbound mail relays
- Replies: 9
- Views: 7326
Re: Setting up different smarthosts for outbound mail relays
I know that you can override transport maps with a filter based on client IP address. I know that you can also use sender dependent transport maps to route mail based on e-mail addresses. http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps I guess the real question should be, are ...
Re: YARA
So... I disabled all the rules throwing errors because of modules, globals, and undefined types. AND discovered that Yara has a rule called .../drumroll ... YARA.contentis_base64.UNOFFICIAL .../rimshot And then I remembered that I'd left index.yar in master.conf . 386 deleted email messages due to a...
Re: YARA
Good question. The clamav-unofficial-sigs project doesn't look very active. Where is the "Yara" package? I don't actually know anything about it, so I don't know what it can actually do. sudo yum search yara https://securityintelligence.com/signature-based-detection-with-yara/ http://reso...
Re: YARA
Okay, so I can pull down the index using wget with wget https://github.com/Yara-Rules/rules/raw/master/index.yar That gets me the raw file such that: /* Generated by Yara-Rules On 08-05-2017 */ include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar" include "./malware/RAT_...
Re: YARA
Additionally, there seems to be a problem in GitHub for the ClamAV-Unofficial-Sigs project:
https://github.com/extremeshok/clamav-u ... issues/133
Difficulty in pulling down files in subdirectories?
Re: YARA
I see what you mean. You appear to be right. Needs investigation. I will look at it in a couple of days when I have time to debug this one, unless someone does it for me first. I can pull down the rules directory by installing git, etc. My guess is that I could either: Include the index.yar file an...
Re: YARA
which ones are not added? CVE_Rules/CVE-2012-0158.yar|MEDIUM # CVE 2012 0158 CVE_Rules/CVE-2015-1701.yar|MEDIUM # CVE 2015 1701 CVE_Rules/CVE-2015-2426.yar|MEDIUM # CVE 2015 2426 CVE_Rules/CVE-2016-5195.yar|MEDIUM # CVE 2016 5195 Additionally, [@mx clamav]$ ls -l *.yar -rw-r--r-- 1 clam clam 47013 ...
Re: YARA
It's already incorporated. Look at /etc/clamav-unofficial-sigs/master.conf This file includes the yara signatures as well as some others you can enable for your clamav instance. You can also control which yara rulesets you want to include. Perhaps this will give you what you are looking for? That's...
YARA
Is anyone using Yara as part of their eFa configuration? I've been following the WannaCry malware saga, and have recently signed up for US-CERT alerts, which include Yara rulesets for some things. It's a tool I'm not familiar with, but I've been reading about it. It seems that you can plug Yara rules...
- 15 May 2017 12:27
- Forum: How-to
- Topic: Unable to release some blocked messages
- Replies: 26
- Views: 25563
Re: Unable to release some blocked messages
I've seen the same, but there was a setting I changed that made that happen. As for the blocked content, I discovered that Adobe Acrobat under Windows 10 does an unexpected thing in terms of naming PDF files that you "Create PDF From Document". It uses the full old filename, such as word-document.doc...
- 12 May 2017 15:04
- Forum: How-to
- Topic: How to integrate E.F.A with Active Directory on 3.0.0.9
- Replies: 40
- Views: 345008
Re: How to integrate E.F.A with Active Directory on 3.0.0.9
Very nice script! I'd like to request a couple of feature changes though (if possible), I'd have a go myself but I'm totally lost with Python. I have a few distribution lists that would be nice to automatically import, I tried modifying the filter to include all members of a group but the script er...
- 12 May 2017 14:57
- Forum: How-to
- Topic: How to integrate E.F.A with Active Directory on 3.0.0.9
- Replies: 40
- Views: 345008
Re: How to integrate E.F.A with Active Directory on 3.0.0.9
Yikes! Sorry for the delay in response! I've been pulling cable in a new office and lots of construction going on so I've been negligent in checking the forums. I can do a configuration variable for ldap vs. ldaps pretty easily. I thought that I had distribution groups already supported in my filter...
- 21 Apr 2017 14:38
- Forum: How-to
- Topic: How to integrate E.F.A with Active Directory on 3.0.0.9
- Replies: 40
- Views: 345008
Re: How to integrate E.F.A with Active Directory on 3.0.0.9
If anyone is interested, here is the script I've been using to sync to AD. It's far from perfect... but it is serviceable for now... #!/usr/bin/python3 # Stuart.Smith@FosterFuels.com # v1.1 03/17/2017 # # TODO: # add publicDelegates property to user query, parse, and add results to filters # TODO: #...
- 21 Apr 2017 14:29
- Forum: 3.x Bugs
- Topic: Quarantine Summary Report and multiple recipients
- Replies: 2
- Views: 2917
Re: Quarantine Summary Report and multiple recipients
Awesome! What I ended up doing was: /usr/local/bin/mailwatch/tools/Cron_Jobs/quarantine_report.php 207 ((to_address LIKE %s) OR (to_domain LIKE %s)) 215 $result = dbquery(sprintf($sql, quote_smart("%" . $to_address . "%" ), quote_smart("%" . $to_domain . "%" )...
- 20 Apr 2017 18:44
- Forum: 3.x Bugs
- Topic: Quarantine Summary Report and multiple recipients
- Replies: 2
- Views: 2917
Quarantine Summary Report and multiple recipients
Looking at what for me is line 207 in /usr/local/bin/mailwatch/tools/Cron_jobs/quarantine_report.php I see: ((to_address=%s) OR (to_domain=%s)) which is a problem because I have confirmed it does not handle any Email with multiple recipients. The end result being that if something is caught in quara...
- 24 Mar 2017 12:15
- Forum: How-to
- Topic: self-signed certificate expired
- Replies: 5
- Views: 4976
Re: self-signed certificate expired
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs and http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl I believe that the file that you need to edit is /etc/httpd/conf.d/ssl.conf 10...
- 23 Mar 2017 16:01
- Forum: How-to
- Topic: How to integrate E.F.A with Active Directory on 3.0.0.9
- Replies: 40
- Views: 345008
Re: How to integrate E.F.A with Active Directory on 3.0.0.9
I've got a working python script that I use to synchronize MailWatch to Active Directory. I have a few more items to fix and items to polish before I post it here for all to enjoy, but I need some feedback. Right now, I add filters to each user based on their group memberships and based on their exc...
- 23 Mar 2017 15:18
- Forum: How-to
- Topic: SPF problems?
- Replies: 5
- Views: 5191
Re: SPF problems?
Generally there is hardly anything you can do as it is up to the sender's mail admin. I try not to fix items in eFa but try to point mail admins to the SPF syntax page if their mail is marked as spam, and I instruct my users to call the sender and tell them their mails are not received because they h...
- 23 Mar 2017 12:56
- Forum: How-to
- Topic: How to integrate E.F.A with Active Directory on 3.0.0.9
- Replies: 40
- Views: 345008
Re: How to integrate E.F.A with Active Directory on 3.0.0.9
Hello, I have been installing E.F.A 3.0.1.8 and it works great. 8-) Need advice regarding querying the Active-Directory (LDAP) Domain for valid recipients. My config still does not query Active-Directory. My Domain : contoso.local (only for internal) My Domain alias : contoso.com (for public) Error Log Mar 19 1...
- 22 Mar 2017 15:35
- Forum: How-to
- Topic: Greylisting - check against a higher subnet class?
- Replies: 7
- Views: 6149
Re: Greylisting - check against a higher subnet class?
You might be better off whitelisting Office 365/outlook.com... /etc/sqlgrey/clients_fqdn_whiteliest.local *.messagelabs.com messagelabs.com *.mxlogic.com mxlogic.com *.outbound.protection.outlook.com outbound.protection.outlook.com If you look at /etc/sqlgrey/clients_ip_whitelist you'll see examples...
- 17 Mar 2017 13:25
- Forum: Feature Requests
- Topic: Quarantine Reports Scheduling
- Replies: 0
- Views: 2560
Quarantine Reports Scheduling
I was thinking about e-mail this morning in the shower, as one does, and I had a thought. Because I'm a disguised variant of the BOFH, my quarantine summary reports are scheduled to run hourly. I have problems with some users who miss the notifications and/or have time-critical e-mail that gets lost...