I'm trying to reproduce your problem.
What version of EFA are you running?
Can you look at the mail messages? How are the document names encoded in the email?
For example, I've sent myself 2 documents in 2 messages, and this is what I see:
2020.03.31_contract_for_Mueller.docx
Code:
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document;
name="2020.03.31_contract_for_Mueller.docx"
Content-Disposition: attachment;
filename="2020.03.31_contract_for_Mueller.docx"
2020.03.31_contract_for_Müller.docx
Code:
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document;
name="=?UTF-8?B?MjAyMC4wMy4zMV9jb250cmFjdF9mb3JfTXXMiGxsZXIuZG9jeA==?="
Content-Disposition: attachment;
filename="=?UTF-8?B?MjAyMC4wMy4zMV9jb250cmFjdF9mb3JfTXXMiGxsZXIuZG9jeA==?="
Next, I've added the following ruleset into my filename.rule.conf file:
Code:
# testing purposes only
deny \.STOP.doc$ Office Makro Documents Office Makro Documents
deny \.STOP.docm$ Office Makro Documents Office Makro Documents
deny \.STOP.dot$ Office Makro Documents Office Makro Documents
deny \.STOP.dotm$ Office Makro Documents Office Makro Documents
and then resent the files, after renaming them to:
Code:
2020.03.31_contract_for_Müller.STOP.docx
2020.03.31_contract_for_Mueller.STOP.docx
And they passed without problem.
Next, I renamed them to .doc and resent them, expecting them to both be blocked:
Code:
2020.03.31_contract_for_Müller.STOP.doc
2020.03.31_contract_for_Mueller.STOP.doc
And as expected, they were both blocked with the following error message in the "Bad Filename Detected":
Code:
Report: MailScanner: Office Makro Documents (2020.03.31_contract_for_Mueller.STOP.doc)
Report: MailScanner: Office Makro Documents (2020.03.31_con.doc)
Interesting - the document with the encoded filename has been mangled in the report, so it would appear that there is a bug of some sort in the handling of encoded filenames.
This doesn't reproduce your exact problem, but it may be related. There definitely seems to be some kind of bug. Also, why are you getting the rule triggered on your docx files, which shouldn't happen according to your rules? Please confirm both the base OS you are using for your EFA installation and the version of EFA you have running. (I'm running an old version, so don't take my results as a good example of how EFA currently is.)
I don't have time to debug it further today, but the code I need to look at is:
/usr/share/MailScanner/perl/MailScanner/SweepOther.pm
Shawn, if you read this, do you have any advice how I could run this check against already stored messages with the debug statements uncommented so I could see what is happening?
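Added example (not part of the original post, and not MailScanner's code): a small Python check that decodes the RFC 2047 encoded-word from the headers above and tests the post's four deny patterns against the decoded name. Rule matching is modelled with Python's `re` as an assumption, and the helper names are hypothetical. Decoding shows that the "ü" in the header is stored in decomposed form (a plain "u" followed by the combining diaeresis U+0308), which is worth knowing when comparing the name against what a filter reports.

```python
import base64
import re
import unicodedata
from email.header import decode_header

# Header value copied from the post (RFC 2047 encoded-word: UTF-8, base64).
ENCODED_NAME = "=?UTF-8?B?MjAyMC4wMy4zMV9jb250cmFjdF9mb3JfTXXMiGxsZXIuZG9jeA==?="

# Patterns copied from the post's test ruleset (matching modelled with Python re).
DENY_PATTERNS = [r"\.STOP.doc$", r"\.STOP.docm$", r"\.STOP.dot$", r"\.STOP.dotm$"]

def decode_filename(raw):
    """Decode any RFC 2047 encoded-words in a name=/filename= value."""
    parts = []
    for data, charset in decode_header(raw):
        if isinstance(data, bytes):
            data = data.decode(charset or "ascii", errors="replace")
        parts.append(data)
    return "".join(parts)

def encode_word(name):
    """Build an encoded-word for constructed sample names (test input only)."""
    b64 = base64.b64encode(name.encode("utf-8")).decode("ascii")
    return "=?UTF-8?B?" + b64 + "?="

def first_deny_match(filename):
    """Return the first deny pattern matching the decoded name, or None."""
    for pattern in DENY_PATTERNS:
        if re.search(pattern, filename):
            return pattern
    return None

def check(raw):
    """Decode a header value and report normalization state and rule verdict."""
    name = decode_filename(raw)
    nfc = unicodedata.normalize("NFC", name)
    return {"decoded": name, "is_nfc": name == nfc, "nfc": nfc,
            "deny": first_deny_match(name)}

if __name__ == "__main__":
    samples = [
        ENCODED_NAME,                                   # from the post
        "2020.03.31_contract_for_Mueller.STOP.docx",    # from the post
        "2020.03.31_contract_for_Mueller.STOP.doc",     # from the post
        # constructed: same decomposed spelling as the post's header, renamed
        encode_word("2020.03.31_contract_for_Mu\u0308ller.STOP.doc"),
    ]
    for raw in samples:
        print(check(raw))
```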