Search found 63 matches

by stusmith
23 May 2017 18:36
Forum: Discussion
Topic: block spam getting through
Replies: 4
Views: 5354

Re: block spam getting through

You can also roll the dice by increasing the score for the default rules in /etc/mail/spamassassin/local.cf score LOTS_OF_MONEY 2.3 I've used that to ramp up some of the default SPF, DKIM, DMARC, and ADSP scores and to write custom rules for domains that we exchange mail with that are broken ( bad S...
by stusmith
23 May 2017 12:33
Forum: How-to
Topic: Setting up different smarthosts for outbound mail relays
Replies: 9
Views: 7258

Re: Setting up different smarthosts for outbound mail relays

So much depends on the reason that you have two internal mail servers and need to maintain separate paths. Can you elaborate on that some? It might help us see other solutions if we could understand the need better. Basically we have 2 shared hosting servers (described as A and B before, each serve...
by stusmith
23 May 2017 12:26
Forum: Feature Requests
Topic: New status fields & sa-learn
Replies: 0
Views: 2696

New status fields & sa-learn

I'm working on another addition to the UI/automation. Previously, I'd added new status fields and code to the listings to display deleted and released emails so visual indicators were present for users to inform them that action had been taken. Now I'm looking at automation for the filter so that re...
by stusmith
18 May 2017 19:05
Forum: How-to
Topic: YARA
Replies: 16
Views: 14671

Re: YARA

So, I still think that adding a Python wrapper around Yara is going to be the way to go. It looks like we'll want to look at yara-extend, as well. Lets Yara process compressed archives. Seems useful. The wrapper above is making more sense to me, after looking at the python-policyd-spf implementatio...
by stusmith
18 May 2017 15:57
Forum: How-to
Topic: Setting up different smarthosts for outbound mail relays
Replies: 9
Views: 7258

Re: Setting up different smarthosts for outbound mail relays

I know that you can override transport maps with a filter based on client IP address. I know that you can also use sender dependent transport maps to route mail based on e-mail addresses. http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps I guess the real question should be, are ...
by stusmith
17 May 2017 18:35
Forum: How-to
Topic: YARA
Replies: 16
Views: 14671

Re: YARA

So... I disabled all the rules throwing errors because of modules, globals, and undefined types. AND discovered that Yara has a rule called .../drumroll ... YARA.contentis_base64.UNOFFICIAL .../rimshot And then I remembered that I'd left index.yar in master.conf . 386 deleted email messages due to a...
by stusmith
17 May 2017 16:00
Forum: How-to
Topic: YARA
Replies: 16
Views: 14671

Re: YARA

Good question. The clamav-unofficial-sigs project doesn't look very active. Where is the "Yara" package? I don't actually know anything about it, so I don't know what it can actually do. sudo yum search yara https://securityintelligence.com/signature-based-detection-with-yara/ http://reso...
by stusmith
17 May 2017 14:53
Forum: How-to
Topic: YARA
Replies: 16
Views: 14671

Re: YARA

Okay, so I can pull down the index using wget with wget https://github.com/Yara-Rules/rules/raw/master/index.yar That gets me the raw file such that: /* Generated by Yara-Rules On 08-05-2017 */ include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar" include "./malware/RAT_...
by stusmith
17 May 2017 14:27
Forum: How-to
Topic: YARA
Replies: 16
Views: 14671

Re: YARA

Additionally, there seems to be a problem in GitHub for the ClamAV-Unofficial-Sigs project:

https://github.com/extremeshok/clamav-u ... issues/133

Difficulty in pulling down files in subdirectories?
by stusmith
17 May 2017 14:15
Forum: How-to
Topic: YARA
Replies: 16
Views: 14671

Re: YARA

I see what you mean. You appear to be right. Needs investigation. I will look at it in a couple of days when I have time to debug this one, unless someone does it for me first. I can pull down the rules directory by installing git, etc. My guess is that I could either: Include the index.yar file an...
by stusmith
17 May 2017 12:31
Forum: How-to
Topic: YARA
Replies: 16
Views: 14671

Re: YARA

which ones are not added? CVE_Rules/CVE-2012-0158.yar|MEDIUM # CVE 2012 0158 CVE_Rules/CVE-2015-1701.yar|MEDIUM # CVE 2015 1701 CVE_Rules/CVE-2015-2426.yar|MEDIUM # CVE 2015 2426 CVE_Rules/CVE-2016-5195.yar|MEDIUM # CVE 2016 5195 Additionally, [@mx clamav]$ ls -l *.yar -rw-r--r-- 1 clam clam 47013 ...
by stusmith
15 May 2017 13:20
Forum: How-to
Topic: YARA
Replies: 16
Views: 14671

Re: YARA

It's already incorporated. Look at /etc/clamav-unofficial-sigs/master.conf This file includes the yara signatures as well as some others you can enable for your clamav instance. You can also control which yara rulesets you want to include. Perhaps this will give you what you are looking for? That's...
by stusmith
15 May 2017 12:32
Forum: How-to
Topic: YARA
Replies: 16
Views: 14671

YARA

Is anyone using Yara as part of their eFa configuration? I've been following the WannaCry malware saga, and have recently signed up for US-CERT alerts, which include Yara rulesets for some things. It's a tool I'm not familiar with, but I've been reading about it. It seems that you can plug Yara rules...
by stusmith
15 May 2017 12:27
Forum: How-to
Topic: Unable to release some blocked messages
Replies: 26
Views: 25422

Re: Unable to release some blocked messages

I've seen the same, but there was a setting I changed that made that happen. As for the blocked content, I discovered that Adobe Acrobat under Windows 10 does an unexpected thing in terms of naming PDF files that you Create PDF From Document . It uses the full old filename, such as word-document.doc...
by stusmith
12 May 2017 15:04
Forum: How-to
Topic: How to integrate E.F.A with Active Directory on 3.0.0.9
Replies: 40
Views: 343700

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Very nice script! I'd like to request a couple of feature changes though (if possible), I'd have a go myself but I'm totally lost with Python. I have a few distribution lists that would be nice to automatically import, I tried modifying the filter to include all members of a group but the script er...
by stusmith
12 May 2017 14:57
Forum: How-to
Topic: How to integrate E.F.A with Active Directory on 3.0.0.9
Replies: 40
Views: 343700

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Yikes! Sorry for the delay in response! I've been pulling cable in a new office and lots of construction going on so I've been negligent in checking the forums. I can do a configuration variable for ldap vs. ldaps pretty easily. I thought that I had distribution groups already supported in my filter...
by stusmith
21 Apr 2017 14:38
Forum: How-to
Topic: How to integrate E.F.A with Active Directory on 3.0.0.9
Replies: 40
Views: 343700

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

If anyone is interested, here is the script I've been using to sync to AD. It's far from perfect... but it is serviceable for now... #!/usr/bin/python3 # Stuart.Smith@FosterFuels.com # v1.1 03/17/2017 # # TODO: # add publicDelegates property to user query, parse, and add results to filters # TODO: #...
by stusmith
21 Apr 2017 14:29
Forum: 3.x Bugs
Topic: Quarantine Summary Report and multiple recipients
Replies: 2
Views: 2901

Re: Quarantine Summary Report and multiple recipients

Awesome! What I ended up doing was: /usr/local/bin/mailwatch/tools/Cron_Jobs/quarantine_report.php 207 ((to_address LIKE %s) OR (to_domain LIKE %s)) 215 $result = dbquery(sprintf($sql, quote_smart("%" . $to_address . "%" ), quote_smart("%" . $to_domain . "%" )...
by stusmith
20 Apr 2017 18:44
Forum: 3.x Bugs
Topic: Quarantine Summary Report and multiple recipients
Replies: 2
Views: 2901

Quarantine Summary Report and multiple recipients

Looking at what for me is line 207 in /usr/local/bin/mailwatch/tools/Cron_jobs/quarantine_report.php I see: ((to_address=%s) OR (to_domain=%s)) which is a problem because I have confirmed it does not handle any Email with multiple recipients. The end result being that if something is caught in quara...
by stusmith
24 Mar 2017 12:15
Forum: How-to
Topic: self-signed certificate expired
Replies: 5
Views: 4889

Re: self-signed certificate expired

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs and http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl I believe that the file that you need to edit is /etc/httpd/conf.d/ssl.conf 10...
by stusmith
23 Mar 2017 16:01
Forum: How-to
Topic: How to integrate E.F.A with Active Directory on 3.0.0.9
Replies: 40
Views: 343700

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

I've got a working python script that I use to synchronize MailWatch to Active Directory. I have a few more items to fix and items to polish before I post it here for all to enjoy, but I need some feedback. Right now, I add filters to each user based on their group memberships and based on their exc...
by stusmith
23 Mar 2017 15:18
Forum: How-to
Topic: SPF problems?
Replies: 5
Views: 5151

Re: SPF problems?

Generally there is hardly anything you can do as it is up to the sender's mail admin, I try not to fix items in eFa but try to point mail admins to the SPF syntax page if their mail is marked as spam, and I instruct my users to call the sender and tell them their mails are not received because they h...
by stusmith
23 Mar 2017 12:56
Forum: How-to
Topic: How to integrate E.F.A with Active Directory on 3.0.0.9
Replies: 40
Views: 343700

Re: How to integrate E.F.A with Active Directory on 3.0.0.9

Hello, I have been installing E.F.A 3.0.1.8 and it works great. 8-) Need advice regarding querying the Active-Directory (LDAP) Domain for valid recipients. My config still does not query Active-Directory. My Domain : contoso.local (only for internal) My Domain alias : contoso.com (for public) Error Log Mar 19 1...
by stusmith
22 Mar 2017 15:35
Forum: How-to
Topic: Greylisting - check against a higher subnet class?
Replies: 7
Views: 6116

Re: Greylisting - check against a higher subnet class?

You might be better off whitelisting Office 365/outlook.com... /etc/sqlgrey/clients_fqdn_whitelist.local *.messagelabs.com messagelabs.com *.mxlogic.com mxlogic.com *.outbound.protection.outlook.com outbound.protection.outlook.com If you look at /etc/sqlgrey/clients_ip_whitelist you'll see examples...
by stusmith
17 Mar 2017 13:25
Forum: Feature Requests
Topic: Quarantine Reports Scheduling
Replies: 0
Views: 2543

Quarantine Reports Scheduling

I was thinking about e-mail this morning in the shower, as one does, and I had a thought. Because I'm a disguised variant of the BOFH, my quarantine summary reports are scheduled to run hourly. I have problems with some users who miss the notifications and/or have time-critical e-mail that gets lost...