Test the Mails in Quarantine again after a couple of hours (24 H)

CABIT
Posts: 18
Joined: 16 Mar 2016 07:14

Test the Mails in Quarantine again after a couple of hours (24 H)

Post by CABIT »

Hi,

Is it possible to filter out specific emails with attachments like Word and Excel files to quarantine?
And is it possible to rescan these files after a couple of hours (24 h) and, if they are clean, deliver them to the recipient?

And this should happen automatically, not by hand.

Thanks

CABIT
CABIT
Posts: 18
Joined: 16 Mar 2016 07:14

Re: Test the Mails in Quarantine again after a couple of hours (24 H)

Post by CABIT »

Is there a way to release mails from Quarantine by console script instead of webinterface?

Changing the /etc/MailScanner/MailScanner.conf:
Quarantine Whole Messages As Queue Files = yes

Here we can copy the queue file directly into the postfix queue.

I think this could be handled by a script.
As an example, the file extension .urg:

Add the block to /etc/MailScanner/filename.rules.conf:
deny \.urg$ - -

After this we find all mails under
/var/spool/MailScanner/quarantine/

With find we can get all mails in quarantine older than 1 day:
find /var/spool/MailScanner/quarantine/ -mtime +1

With grep we find the message and the content file:
grep -lR '\.urg' /var/spool/MailScanner/quarantine/
/var/spool/MailScanner/quarantine/20160506/1D5691203CB.A6E4E/1D5691203CB

We put this together (grep has to run on the files that find selected; piping find's output into a recursive grep on the directory would ignore the age filter):
find /var/spool/MailScanner/quarantine/ -type f -mtime +1 -exec grep -l '\.urg' {} +

After that we have all mails which should be released from quarantine.

cp $(find /var/spool/MailScanner/quarantine/ -type f -mtime +1 -exec grep -l '\.urg' {} +) /var/spool/postfix/incoming

chown postfix:postfix /var/spool/postfix/incoming/*
chmod +x /var/spool/postfix/incoming/*

But this releases the email without any checks. We want a virus check again.
CABIT
Posts: 18
Joined: 16 Mar 2016 07:14

Re: Test the Mails in Quarantine again after a couple of hours (24 H)

Post by CABIT »

Hi,

Is there a way to release blocked emails/content from the CLI?
Because in the web interface we can configure that some checks should be done on released mails, like an anti-virus scan.

My script can release the files directly to the postfix incoming folder. But in this folder there is no further scan action.
For that case I have added the AV scan to the script.
It's not the best solution, but in the first test it is working.

If you know of improvements, let me know.

This is the script which I am testing at the moment.


#!/bin/bash

# Variables
released=/var/spool/released/                 # temp folder (marker files for already released mails)
releasequeue=/var/spool/postfix/incoming/     # postfix input folder
quarantine=/var/spool/MailScanner/quarantine/ # quarantine folder
egrepfiles='filename=.*\.doc|filename=.*\.xls|filename=.*\.docx|filename=.*\.xlsx|filename=.*\.urg'
egrepparam='-li'    # -l: print only the names of matching files, -i: case-insensitive
delay='+1'          # delay for release in days
cleanreleased='+35' # hold the released temp file in days
log='/var/spool/quarantine_release.log'
avprog='/opt/eset/esets/sbin/esets_scan'
avparam='--no-quarantine --no-log-console'

mkdir -p "$released"
echo "begin release.." > "$log"

# find all quarantined files older than $delay days that contain one of the
# attachment names; grep runs on the files that find selected (piping find's
# output into a recursive grep on the directory would ignore the age filter)
for i in $(find "$quarantine" -type f -mtime "$delay" -exec egrep $egrepparam "$egrepfiles" {} +); do
        # file name and directory name variables
        fname=$(basename "$i")
        dname=$(dirname "$i")

        # check if the path name contains "spam"; if so do nothing
        if [[ "$dname" == *"spam"* ]]; then
                echo "spam not delivered" "$i" >> "$log"
        else # no spam = blocked files, check them again

                # check if file already released from quarantine
                if [ -e "$released$fname" ]; then
                        echo "already delivered" "$i" >> "$log"
                else
                        # av scan; keep the exit status before anything else runs
                        $avprog $avparam "$i"
                        avrc=$?

                        # Exit codes:
                        #   0    no threat found
                        #   1    threat found and cleaned
                        #   10   some files could not be scanned (may be threats)
                        #   50   threat found
                        #   100  error

                        # check the exit code from av: 0 means everything is ok and we can deliver,
                        # anything else means a virus was found or an error occurred
                        if [ "$avrc" -ne 0 ]; then
                                echo "virus or error occurred" "$i" >> "$log"
                        else
                                # no virus and no error: copy file to the postfix queue
                                cp "$i" "$releasequeue"
                                # change owner and permission
                                chown postfix:postfix "$releasequeue$fname"
                                chmod +x "$releasequeue$fname"
                                # make temp file for already delivered mails
                                touch "$released$fname"
                                echo "delivered" "$i" >> "$log"
                        fi
                fi
        fi
done

# list temp files (already delivered mails)
#find "$released" -type f -mtime "$cleanreleased" -exec ls -lah {} \;
# delete temp files (already delivered mails)
#find "$released" -type f -mtime "$cleanreleased" -exec rm {} \;
Last edited by CABIT on 23 May 2016 06:51, edited 3 times in total.
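The delayed-release procedure described in this post, restructured into testable functions as an added example (not the poster's script and not MailScanner code). It assumes the layout from the thread (quarantine/<date>/<queueid>/<queueid>, whole messages quarantined as queue files), skips any path containing "spam", and expects the scanner named in AV_CMD to follow the esets_scan exit-code table quoted above (0 clean, 1 cleaned, 10 unscannable, 50 threat, 100 error). AV_CMD, QUEUE_OWNER and the function names are this example's own choices. It goes beyond the thread in one respect: every non-zero scanner status, including "cleaned" and "could not be scanned", is treated as a reason to keep the message held, so a scanner failure never becomes a delivery.

```shell
#!/bin/bash
# Delayed re-release of quarantined attachments (added example, see lead-in).

AV_CMD="${AV_CMD:-/opt/eset/esets/sbin/esets_scan --no-quarantine --no-log-console}"
QUEUE_OWNER="${QUEUE_OWNER:-}"   # e.g. postfix:postfix in production; empty = leave owner as-is

# Map an AV exit status to a decision. Only an unambiguous clean result (0)
# releases; everything else keeps the message in quarantine.
av_verdict() {
    case "$1" in
        0)   echo "release" ;;
        1)   echo "hold:cleaned-not-original" ;;
        10)  echo "hold:unscannable" ;;
        50)  echo "hold:threat" ;;
        100) echo "hold:scanner-error" ;;
        *)   echo "hold:unknown-status-$1" ;;
    esac
}

# Print quarantined files older than $2 days whose MIME headers name an
# attachment with one of the extensions in $3 (ERE alternation, e.g.
# 'doc|docx|xls|xlsx'). grep runs on the files find selected via -exec, so the
# age filter and the content filter apply to the same set; piping find's output
# into "grep -R <dir>" would make grep ignore the age filter entirely.
select_candidates() {
    local root="$1" days="$2" exts="$3"
    find "$root" -type f -mtime "+$days" -not -path '*spam*' \
        -exec grep -liE "filename=.*\\.(${exts})([^a-z0-9]|\$)" {} + | sort
}

# Scan one candidate, copy it into the Postfix queue only on a clean verdict,
# and drop a marker so a later run does not release the same queue id again.
# Prints the decision taken.
release_one() {
    local file="$1" queue_dir="$2" marker_dir="$3"
    local name rc=0 verdict
    name=$(basename "$file")
    if [ -e "$marker_dir/$name" ]; then
        echo "skip:already-released"
        return 0
    fi
    # capture the scanner's status directly; no other command may run in between
    $AV_CMD "$file" >/dev/null 2>&1 || rc=$?
    verdict=$(av_verdict "$rc")
    if [ "$verdict" = "release" ]; then
        # mode 0700: the execute bit is what marks a queue file as complete for Postfix
        cp "$file" "$queue_dir/$name" && chmod 0700 "$queue_dir/$name" \
            && { [ -z "$QUEUE_OWNER" ] || chown "$QUEUE_OWNER" "$queue_dir/$name"; } \
            && touch "$marker_dir/$name" || verdict="hold:release-failed"
    fi
    echo "$verdict"
}

# Walk the quarantine once, logging every decision with a timestamp.
release_all() {
    local root="$1" queue_dir="$2" marker_dir="$3" days="$4" exts="$5" log="$6"
    local f
    mkdir -p "$marker_dir"
    select_candidates "$root" "$days" "$exts" | while IFS= read -r f; do
        printf '%s %s %s\n' "$(date '+%F %T')" \
            "$(release_one "$f" "$queue_dir" "$marker_dir")" "$f" >> "$log"
    done
}

# Typical cron invocation with the paths from the thread:  ./release.sh run
if [ "${1:-}" = "run" ]; then
    release_all /var/spool/MailScanner/quarantine /var/spool/postfix/incoming \
        /var/spool/released 1 'doc|docx|xls|xlsx' /var/spool/quarantine_release.log
fi
```

Because the scanner status is captured on the same line as the scanner call, comments or logging added later cannot clobber it, which is the subtle trap in any `$?`-after-the-fact check. The marker file keeps a re-run from releasing the same queue id twice, and the spam-path exclusion sits in the find expression, so spam never reaches the scanner at all.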
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Test the Mails in Quarantine again after a couple of hours (24 H)

Post by shawniverson »

Can you redirect the email to HOLD instead of incoming?
CABIT
Posts: 18
Joined: 16 Mar 2016 07:14

Re: Test the Mails in Quarantine again after a couple of hours (24 H)

Post by CABIT »

Hi Shawniverson,

I have modified the script above; the variable "incoming" is now "releasequeue".

Sure, the release folder can be specified here:

releasequeue=/var/spool/postfix/incoming/ #postfix input folder

To release the mails to hold instead of incoming:

releasequeue=/var/spool/postfix/hold/ #postfix input folder

The problem with the hold folder is that the released mails will be checked again against all filters, I think.
And then the mail filter for blocked attachments filters them out again.

Because the mail is the original mail with no changed headers (no localhost or 127.0.0.1), it will end up in quarantine on each release.
And the MailScanner rule to whitelist mails from the localhost will not take effect.

I have no idea at the moment how I could change this to use the hold folder for release.
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Test the Mails in Quarantine again after a couple of hours (24 H)

Post by shawniverson »

I follow you. If time permits I will do a little research and see if some of the GUI features could be better implemented in CLI fashion.