Allowing compressed/archive attachments

stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

Allowing compressed/archive attachments

Post by stusmith »

I'm having some trouble getting .zip and .gz files through MailScanner. I'm seeing a number of 5.7.1 message content rejected messages in /var/log/maillog.

I've updated the filename rules in MailScanner:

/etc/MailScanner/archives.filename.rules.conf

Code:

# These are known to be mostly harmless.
allow   \.jpg$                  -       -
allow   \.gif$                  -       -
# .url is arguably dangerous, but I can't just ban it...
allow   \.url$                  -       -
allow   \.vcf$                  -       -
allow   \.txt$                  -       -
allow   \.zip$                  -       -
allow   \.t?gz$                 -       -
allow   \.gz$                   -       -
allow   \.7z$                   -       -
allow   \.bz2$                  -       -
# .xml.gz/zip/bz2 is the file format for the dmarc reports
allow   \.xml\.gz$              -       -
allow   \.xml\.zip$             -       -
allow   \.xml\.bz2$             -       -
allow   \.Z$                    -       -
allow   \.rpm$                  -       -
I've updated the content rules in MailScanner:

/etc/MailScanner/archives.filetype.rules.conf

Code:

allow   postscript      -                       -
allow   application/zip -                       -
allow   application/gzip        -                       -
allow   application/x-zip       -                       -
allow   application/x-gzip      -                       -

sudo grep -i '^Archives' /etc/MailScanner/MailScanner.conf

/etc/MailScanner/MailScanner.conf

Code:

Archives Are = zip rar ole gzip gz z
Archives: Allow Filenames =
Archives: Deny Filenames =
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
Archives: Allow Filetypes =
Archives: Allow File MIME Types =
Archives: Deny Filetypes =
Archives: Deny File MIME Types =
Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
/etc/postfix/main.cf

Code:

header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
smtp_header_checks = pcre:/etc/postfix/recipient_block
/etc/postfix/recipient_block

Code:

/^To: noreply/          REJECT
/^To: no-reply/         REJECT
/etc/postfix/mime_header_checks

Code:

# Order matters: the first rule that matches a header is final.
/name=[^>]*\.(bat|com|exe|dll|vbs|js|jar)/      REJECT
/name=[^>]*\.(zip|gz|7z)/                       OK
# Was "Content-Type\.*": "\.*" only matches literal dots, so the rule could never match; ".*" is what was intended.
/Content-Type.*application\/(zip|gzip|x\-gzip|x\-zip)/         OK
/etc/postfix/header_checks
--default file--


examples of rejected messages in /var/log/maillog

Code:

Feb 25 05:01:48 foster-spam postfix/cleanup[13803]: 757E2120152: reject: header Content-Disposition: attachment;? filename="bbt.com!fosterfuels.com!1487912402!1487998803.xml.gz" from mail5.bbandt.com[74.120.65.99]:18579; from=<DMARC_Alerts@bbt.com> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<wil-virnprtfw03.bbtnet.com>: 5.7.1 message content rejected
Feb 25 07:31:44 foster-spam postfix/cleanup[54283]: AD982120152: reject: header Content-Type: application/gzip;? name=comcast.net!fosterfuels.com!1487894400!1487980800.xml.gz from mdptxn-po-a7p.sys.comcast.net[69.252.193.223]:19014; from=<dmarc-support@alerts.comcast.net> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<mdptxn-po-a7p.sys.comcast.net>: 5.7.1 message content rejected
Feb 25 09:12:57 foster-spam postfix/cleanup[16684]: 86129120152: reject: header Content-Disposition: attachment; filename="emailsrvr.com!fosterfuels.com!1487894400!1487980800!f80f4af9-5771-4739-9326-132ff953519d.zip" from m71-9.mailgun.net[166.78.71.9]:24251; from=<bounce+4096ae.196cff-dmarc_aggrep=fosterfuels.com@reports.emailsrvr.com> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<m71-9.mailgun.net>: 5.7.1 message content rejected
Feb 25 10:22:32 foster-spam postfix/cleanup[35528]: 87620120152: reject: header Content-Type: application/zip; ??name="google.com!fosterfuels.com!1487894400!1487980799.zip" from mail-pg0-f73.google.com[74.125.83.73]:34420; from=<noreply-dmarc-support@google.com> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<mail-pg0-f73.google.com>: 5.7.1 message content rejected
Feb 25 14:14:25 foster-spam postfix/cleanup[35085]: 18C88120152: reject: header Content-Type: application/zip; name=hotmail.com!fosterfuels.com!1487988000!1488031200.zip from bay004-omc3s13.hotmail.com[65.54.190.151]:49166; from=<dmarcrep@microsoft.com> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<BAY004-OMC3S13.hotmail.com>: 5.7.1 message content rejected
Feb 25 16:04:24 foster-spam postfix/cleanup[800]: AA924120152: reject: header Content-Disposition: attachment; filename="yahoo.com!fosterfuels.com!1487894400!1487980799.zip" from n4-vm7.bullet.mail.ne1.yahoo.com[98.138.229.247]:59621; from=<noreply@dmarc.yahoo.com> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<n4-vm7.bullet.mail.ne1.yahoo.com>: 5.7.1 message content rejected
Feb 25 16:12:09 foster-spam postfix/cleanup[3592]: 36B77120152: reject: header Content-Type: application/gzip; ??name=aol.com!fosterfuels.com!1487894400!1487980800.xml.gz from smr-a04e.mx.aol.com[204.29.186.243]:45482; from=<abuse_dmarc@abuse.aol.com> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<smr-a04e.mx.aol.com>: 5.7.1 message content rejected
Feb 25 16:36:42 foster-spam postfix/cleanup[10826]: E398C120152: reject: header Content-Disposition: attachment;? filename="lidl.com!fosterfuels.com!1487718004!1487804405.xml.gz" from mail2.enc99-int.com[62.159.241.64]:48684; from=<MAILER-DAEMON@l-dz71.lidl.net> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<mail2.enc99-int.com>: 5.7.1 message content rejected
Feb 25 17:04:35 foster-spam postfix/cleanup[18217]: DFFCC120152: reject: header Content-Disposition: attachment;? filename="lidl.com!fosterfuels.com!1487890805!1487977205.xml.gz" from mail1.enc99-int.com[62.159.241.100]:59714; from=<MAILER-DAEMON@l-dz70.lidl.net> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<mail1.enc99-int.com>: 5.7.1 message content rejected
Feb 25 17:06:39 foster-spam postfix/cleanup[19499]: 02821120152: reject: header Content-Disposition: attachment;? filename="lidl.com!fosterfuels.com!1487890805!1487977205.xml.gz" from mail2.enc99-int.com[62.159.241.64]:59104; from=<MAILER-DAEMON@l-dz71.lidl.net> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<mail2.enc99-int.com>: 5.7.1 message content rejected
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Allowing compressed/archive attachments

Post by shawniverson »

Your rules are firing off because of your regex expressions.

For example:

Code:

Feb 25 05:01:48 foster-spam postfix/cleanup[13803]: 757E2120152: reject: header Content-Disposition: attachment;? filename="bbt.com!fosterfuels.com!1487912402!1487998803.xml.gz" from mail5.bbandt.com[74.120.65.99]:18579; from=<DMARC_Alerts@bbt.com> to=<dmarc_aggrep@fosterfuels.com> proto=ESMTP helo=<wil-virnprtfw03.bbtnet.com>: 5.7.1 message content rejected
Notice that although the filename is a .gz, which is OK, part of the filename has bbt.com and fosterfuels.com which is rejected by this rule.

Code:

/name=[^>]*\.(bat|com|exe|dll|vbs|js|jar)/      REJECT
So, you need to rework your regex expressions to avoid seeing .com TLDs leading up to the filename itself.
stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

Re: Allowing compressed/archive attachments

Post by stusmith »

/facepalm :oops:

Do you think adding an EOL anchor to the regex would be sufficient?

Code:

/name=[^>]*\.(bat|com|exe|dll|vbs|js|jar)$/    REJECT
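A worked check of the rules discussed above, both shawniverson's point that the `.com` inside the DMARC report filenames trips the REJECT rule and the follow-up question about adding a `$` anchor. This is an example added here, not code from the thread or from Postfix. It emulates Postfix header_checks matching in Python (first match wins, case-insensitive by default, as regexp_table(5) describes) over two header lines taken from the quoted maillog entries plus three constructed ones, and also tries a hypothetical tightened rule that anchors the extension to the end of the filename token rather than to the end of the header, because quoted filenames end in `"`, not in the extension.

```python
import re

# Header lines. The first two are from the maillog entries quoted in the thread;
# the other three are constructed for this example.
HEADERS = {
    "dmarc_gz": 'Content-Disposition: attachment; filename="bbt.com!fosterfuels.com!1487912402!1487998803.xml.gz"',
    "dmarc_zip": 'Content-Type: application/zip; name="google.com!fosterfuels.com!1487894400!1487980799.zip"',
    "exe_quoted": 'Content-Disposition: attachment; filename="invoice.exe"',        # constructed
    "exe_unquoted": 'Content-Disposition: attachment; filename=invoice.exe',        # constructed
    "double_ext": 'Content-Type: application/octet-stream; name="report.pdf.EXE"',  # constructed
}

# The three rules as posted in the thread's mime_header_checks (Python regex syntax).
ORIGINAL = [
    (r"name=[^>]*\.(bat|com|exe|dll|vbs|js|jar)", "REJECT"),
    (r"name=[^>]*\.(zip|gz|7z)", "OK"),
    (r"Content-Type.*application/(zip|gzip|x-gzip|x-zip)", "OK"),
]

# The follow-up proposal: the same first rule with an end-of-line anchor.
ANCHORED = [(r"name=[^>]*\.(bat|com|exe|dll|vbs|js|jar)$", "REJECT")] + ORIGINAL[1:]

# Hypothetical tightened rule (not from the thread): the extension must end the
# filename token, which may be quoted and may be followed by further parameters.
TIGHTENED = [
    (r'name="?[^";]*\.(bat|com|exe|dll|vbs|js|jar)"?(\s*;.*)?$', "REJECT")
] + ORIGINAL[1:]


def check_header(header: str, rules) -> str:
    """Emulate Postfix header_checks for one header: rules are tried in order,
    the first match is final, matching is case-insensitive, and a header no
    rule matches falls through (Postfix's implicit DUNNO)."""
    for pattern, action in rules:
        if re.search(pattern, header, re.IGNORECASE):
            return action
    return "DUNNO"


def evaluate(rules) -> dict:
    """Return the action each sample header would receive under a rule set."""
    return {name: check_header(header, rules) for name, header in HEADERS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("anchored", ANCHORED), ("tightened", TIGHTENED)):
        print(label, evaluate(rules))
```

The original rule set rejects every sample, including both DMARC reports, because `[^>]*` happily spans `bbt.com!` and `google.com!` before the extension group. The `$`-anchored version lets the reports through, but it only rejects the unquoted `filename=invoice.exe`: with the quoted form, which is what every entry in the quoted maillog uses, the header ends in `"` and the anchor no longer matches, so the executable falls through as DUNNO. Anchoring to the end of the filename token instead (the hypothetical tightened rule) rejects all three constructed executables and still passes the reports. On the live system the same check can be run against the real table with `postmap -q 'Content-Disposition: attachment; filename="invoice.exe"' regexp:/etc/postfix/mime_header_checks`, which prints the action Postfix would apply.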
zane93
Posts: 44
Joined: 08 Mar 2016 22:08

Re: Allowing compressed/archive attachments

Post by zane93 »

Is this still valid with the current release?