Winmail.dat contents extracted but not replaced

victorburgos
Posts: 19
Joined: 13 May 2017 20:53

Winmail.dat contents extracted but not replaced

Post by victorburgos »

According to these logs, the contents inside winmail.dat were extracted and winmail.dat was removed.

Code:

Feb 23 17:18:45 filtro MailScanner[15028]: Expanding TNEF archive at /var/spool/MailScanner/incoming/15028/4DlPPG112Dz3xBCt/winmail.dat
Feb 23 17:18:45 filtro MailScanner[15028]: Message 4DlPPG112Dz3xBCt added TNEF contents timage001.png,tX_20210223_529.pdf
Feb 23 17:18:45 filtro MailScanner[15028]: Message 4DlPPG112Dz3xBCt has had TNEF winmail.dat removed
Feb 23 17:18:50 filtro MailScanner[15028]: Requeue: 4DlPPG112Dz3xBCt to 4DlPPQ3kzPzxBCt

However, my customer receives winmail.dat.

When I check the message, I see there is winmail.dat instead of timage001.png and tX_20210223_529.pdf.
[Attached image: winmail-dat.png]

These are my TNEF settings:

[Attached image: tnef settings.png]
This is my TNEF module version:

Code:

0.18    Convert::TNEF

When I read "added TNEF contents timage001.png,tX_20210223_529.pdf" and then "TNEF winmail.dat removed", I suppose:
  • Customer will receive extracted files
  • eFa will store message with extracted files
  • There is no winmail.dat anymore

Is this expected or not?
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Winmail.dat contents extracted but not replaced

Post by shawniverson »

I remember dealing with this recently.....looking back at notes...
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Winmail.dat contents extracted but not replaced

Post by shawniverson »

https://github.com/E-F-A/v4/issues/255
https://github.com/MailScanner/v5/issues/525

What version of MailScanner do you show?

Code:

rpm -qa | grep -i mailscanner
victorburgos
Posts: 19
Joined: 13 May 2017 20:53

Re: Winmail.dat contents extracted but not replaced

Post by victorburgos »

Code:

rpm -qa | grep -i mailscanner
MailScanner-5.4.1-1.eFa.el7.noarch
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Winmail.dat contents extracted but not replaced

Post by shawniverson »

That is the right version for the fixes. I'm going to need to troubleshoot this further. I'll do some things on my end first to see if I can replicate it with a winmail.dat and keep you posted.
victorburgos
Posts: 19
Joined: 13 May 2017 20:53

Re: Winmail.dat contents extracted but not replaced

Post by victorburgos »

Thanks shawniverson for your help.
In the meantime, I will disable winmail.dat extraction and replacement.

Code:

Expand TNEF = no
ashweb
Posts: 13
Joined: 05 Feb 2016 12:17

Re: Winmail.dat contents extracted but not replaced

Post by ashweb »

I am having the same issue, I have now turned off TNEF expanding.

The attachments are extracted but named as follows:

MailScanner: No programs allowed (900000.dat)
MailScanner: No programs allowed (900000.dat)

Then blocked as they are .dat files.

This email had a pdf and a docx file attached.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Winmail.dat contents extracted but not replaced

Post by shawniverson »

Troubleshooting this...

So...

MailScanner in Debug mode works...

MailScanner in Daemon mode doesn't work and the multipart MIME message is truncated at the first MIME attachment...

:think:
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Winmail.dat contents extracted but not replaced

Post by shawniverson »

selinux...

Code:

type=AVC msg=audit(1616970514.129:1580): avc:  denied  { rename } for  pid=537701 comm=4D61696C5363616E6E65723A206578 name="bookmark.htm" dev="tmpfs" ino=17131582 scontext=system_u:system_r:mscan_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1616970514.130:1581): avc:  denied  { rename } for  pid=537701 comm=4D61696C5363616E6E65723A206578 name="zappa_av1.jpg" dev="tmpfs" ino=17131581 scontext=system_u:system_r:mscan_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
Looks like we need an update to the selinux rules
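
Added example, not part of the original post and not eFa's own code: a small parser for the AVC denials quoted above that decodes the hex-encoded `comm` field and groups denials by source type, target type and class. The function names are hypothetical, and the allow-rule text it prints is a candidate for review, not the rule set shipped in 4.0.4-11.

```python
import re
from collections import defaultdict
# The two denials quoted in the post above.
SAMPLE = """\
type=AVC msg=audit(1616970514.129:1580): avc:  denied  { rename } for  pid=537701 comm=4D61696C5363616E6E65723A206578 name="bookmark.htm" dev="tmpfs" ino=17131582 scontext=system_u:system_r:mscan_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1616970514.130:1581): avc:  denied  { rename } for  pid=537701 comm=4D61696C5363616E6E65723A206578 name="zappa_av1.jpg" dev="tmpfs" ino=17131581 scontext=system_u:system_r:mscan_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
"""
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def decode(value):
    # auditd quotes plain strings and hex-encodes those containing spaces
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value.strip('"')

def parse_avc(line):
    """Fields of one AVC denial, or None for any other record."""
    m = PERMS.search(line)
    if not (line.startswith("type=AVC") and m):
        return None
    f = dict(FIELD.findall(line))
    return {"perms": m.group(1).split(), "comm": decode(f.get("comm", "")),
            "name": decode(f.get("name", "")), "tclass": f["tclass"],
            "source": f["scontext"].split(":")[2],  # user:role:type:level
            "target": f["tcontext"].split(":")[2]}

def summarize(lines):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "comms": set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["names"].add(rec["name"])
        g["comms"].add(rec["comm"])
    return dict(groups)

def candidate_rules(groups):
    """Allow-rule text in SELinux policy syntax, for review (not the shipped fix)."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        p = sorted(g["perms"])
        perms = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perms};")
    return rules

if __name__ == "__main__":
    groups = summarize(SAMPLE.splitlines())
    print(groups, candidate_rules(groups), sep="\n")
```

The decoded `comm` is cut off because the kernel stores only the first 15 bytes of the process name; `permissive=0` in both records means the renames were actually blocked, not merely logged.
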
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Winmail.dat contents extracted but not replaced

Post by shawniverson »

Fix is in 4.0.4-11 update going out.
peter.barlabas
Posts: 10
Joined: 19 Apr 2021 15:28

Re: Winmail.dat contents extracted but not replaced

Post by peter.barlabas »

Hello!

I have a similar problem. We got a docx or pdf file, and the EFA transported it to a .bin file and blocked the message:

Report:
MailScanner: No programs allowed (160000.dat)
MailScanner: No programs allowed (160000.dat)

I've updated to 4.0.4-11 but the problem persists.

Regards: Péter
Jakes
Posts: 5
Joined: 18 Feb 2020 11:58

Re: Winmail.dat contents extracted but not replaced

Post by Jakes »

I managed to get it to work in the meantime with the workaround settings below, not ideal :oops:


# Expand TNEF attachments using an external program (or a Perl module)?
# This should be "yes" unless the scanner you are using (Sophos, McAfee) has
# the facility built-in. However, if you set it to "no", then the filenames
# within the TNEF attachment will not be checked against the filename rules.
Expand TNEF = no
#Default was yes


# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command =
#default /usr/bin/file


# The maximum depth to which zip archives, rar archives and Microsoft Office
# documents will be unpacked, to allow for checking filenames and filetypes
# within zip and rar archives and embedded within Office documents.
# Note: This setting does *not* affect virus scanning in archives at all.
# To disable this feature set this to 0.
# A common useful setting is this option = 0, and Allow Password-Protected
# Archives = no. That block password-protected archives but does not do
# any filename/filetype checks on the files within the archive.
# This can also be the filename of a ruleset.
Maximum Archive Depth = 0
#Default 3

# Find zip archives by filename or by file contents?
# Finding them by content is a far more reliable way of finding them, but
# it does mean that you cannot tell your users to avoid zip file checking
# by renaming the file from ".zip" to "_zip" and tricks like that.
# Only set this to no (i.e. check by filename only) if you don't want to
# reliably check the contents of zip files. Note this does not affect
# virus checking, but it will affect all the other checks done on the contents
# of the zip file.
# This can also be the filename of a ruleset.
Find Archives By Content = no
#default yes

# Do you want to unpack Microsoft "OLE" documents, such as *.doc, *.xls
# and *.ppt documents? This will extract any files which have been hidden
# by being embedded in these documents.
# There are one or two minor bugs in the third-party code that does the
# processing of these files, so it can cause MailScanner to hang in very
# rare cases.
# ClamAV has its own OLE unpacking code, so you can safely switch this off
# if you just rely on ClamAV for your virus-scanning. Note that this will,
# however, disabled all filename and filetype checking of embedded files.
# This can also be the filename of a ruleset.
Unpack Microsoft Documents = no
#default yes
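
Added example, not part of the original post and not MailScanner's own code: a check that reads `Option = value` lines and reports which of the five settings in the workaround above differ from the defaults noted there, together with the check that the quoted comments say is lost. The function names are hypothetical, and the case- and whitespace-insensitive matching of option names is an assumption.

```python
import re

# Defaults as given in the "#default" notes of the post above, paired with what
# the quoted MailScanner.conf comments say is lost when the value is changed.
DEFAULTS = {
    "Expand TNEF": ("yes", "filenames inside TNEF not checked against filename rules"),
    "File Command": ("/usr/bin/file", "filetype checking disabled"),
    "Maximum Archive Depth": ("3", "no filename/filetype checks inside archives"),
    "Find Archives By Content": ("yes", "archives found by filename only"),
    "Unpack Microsoft Documents": ("yes", "no filename/filetype checks of embedded files"),
}

# The workaround from the post, comments stripped (constructed sample input).
WORKAROUND = """\
Expand TNEF = no
File Command =
Maximum Archive Depth = 0
Find Archives By Content = no
Unpack Microsoft Documents = no
"""

def norm(key):
    # Assumption: option names compare case- and whitespace-insensitively.
    return re.sub(r"[^a-z0-9]", "", key.lower())

def parse_conf(text):
    """Read 'Option = value' lines, ignoring # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            settings[norm(key)] = value.strip()
    return settings

def weakened(text):
    """List (option, value, default, lost check) for each non-default setting."""
    settings = parse_conf(text)
    return [(opt, settings[norm(opt)], default, lost)
            for opt, (default, lost) in DEFAULTS.items()
            if settings.get(norm(opt), default).lower() != default.lower()]

if __name__ == "__main__":
    for opt, value, default, lost in weakened(WORKAROUND):
        print(f"{opt} = {value or '(blank)'}  [default {default}]: {lost}")
```

A value that names a ruleset file is also reported as non-default and has to be reviewed by hand.
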