Test the Mails in Quarantine again after a couple of hours (24 H)
Posted: 16 Mar 2016 07:20
by CABIT
Hi,
Is it possible to filter out specific emails with attachments like Word and Excel files to quarantine?
And is it possible to rescan these files after a couple of hours (24 h) and, if they are clean, deliver them to the recipient?
And this should happen automatically, not by hand.
Thanks
CABIT
Re: Test the Mails in Quarantine again after a couple of hours (24 H)
Posted: 06 May 2016 11:47
by CABIT
Is there a way to release mails from quarantine by console script instead of the web interface?
Changing the /etc/MailScanner/MailScanner.conf
Quarantine Whole Messages As Queue Files = yes
Here we can copy the queue file directly into the postfix queue.
I think this could be handled by a script.
As an example the ending .urg:
Add the Block to /etc/MailScanner/filename.rules.conf
deny \.urg$ - -
After this we find all mails under
/var/spool/MailScanner/quarantine/
With find we can get all mails in quarantine older than 1 day
find /var/spool/MailScanner/quarantine/ -mtime +1
With grep we find the message and the content file
grep -lR '\.urg' /var/spool/MailScanner/quarantine/
/var/spool/MailScanner/quarantine/20160506/1D5691203CB.A6E4E/1D5691203CB
We put this together:
find /var/spool/MailScanner/quarantine/ -type f -mtime +1 -exec grep -l '\.urg' {} +
After that we have all mails which should be released from quarantine.
cp $(find /var/spool/MailScanner/quarantine/ -type f -mtime +1 -exec grep -l '\.urg' {} +) /var/spool/postfix/incoming
chown postfix:postfix /var/spool/postfix/incoming/*
chmod +x /var/spool/postfix/incoming/*
But this releases the email without any checks. We want a virus check again.
Re: Test the Mails in Quarantine again after a couple of hours (24 H)
Posted: 11 May 2016 12:22
by CABIT
Hi,
Is there a way to release blocked emails/content from the cli?
Because in the web interface we can configure that some checks should be done on released mails, like an antivirus scan.
My script can release the files directly to the postfix incoming folder. But in this folder there is no more scan action.
For that case I have added the AV scan to the script.
It's not the best solution, but in the first test it is working.
If you know of improvements, let me know.
This is my script, which I am testing at the moment.
Code:
#!/bin/bash
# Variables
released=/var/spool/released/                 # temp folder
releasequeue=/var/spool/postfix/incoming/     # postfix input folder
quarantine=/var/spool/MailScanner/quarantine/ # quarantine folder
egrepfiles='filename=.*\.doc|filename=.*\.xls|filename=.*\.docx|filename=.*\.xlsx|filename=.*\.urg'
egrepparam='-liE'   # list matching files, ignore case, extended regex
delay='+1'          # delay for release in days
cleanreleased='+35' # hold the released temp file in days
log='/var/spool/quarantine_release.log'
avprog='/opt/eset/esets/sbin/esets_scan'
avparam='--no-quarantine --no-log-console'

echo "begin release.." > "$log"
# make sure the temp folder for the "already delivered" markers exists
mkdir -p "$released"

# find all emails older than $delay that contain one of the blocked file names
# (grep runs on the files selected by find, so the age filter is applied)
for i in $(find "$quarantine" -type f -mtime "$delay" -exec grep $egrepparam "$egrepfiles" {} +); do
    # filename and dirname variables
    fname=$(basename "$i")
    dname=$(dirname "$i")
    # check if the path name includes "spam"; if so, do nothing
    if [[ "$dname" == *"spam"* ]]; then
        echo "spam not delivered $i" >> "$log"
    else # no spam = blocked files, check them again
        # check if the file was already released from quarantine
        if [ -e "$released$fname" ]; then
            echo "already delivered $i" >> "$log"
        else
            # av scan ($avparam is left unquoted so it splits into separate options)
            $avprog $avparam "$i"
            rc=$? # keep the scanner's exit code before anything else runs
            # Exit codes:
            #   0 no threat found
            #   1 threat found and cleaned
            #  10 some files could not be scanned (may be threats)
            #  50 threat found
            # 100 error
            # check exit code from av: when 0 everything is ok and we can deliver,
            # if not we found a virus or an error occurred
            if [ "$rc" -ne 0 ]; then
                echo "virus or error occurred $i" >> "$log"
            else
                # no virus and no error
                # copy file to the postfix release queue
                cp "$i" "$releasequeue"
                # change permission and owner
                chown postfix:postfix "$releasequeue$fname"
                chmod +x "$releasequeue$fname"
                # make temp file for already delivered mails
                touch "$released$fname"
                echo "delivered $i" >> "$log"
            fi
        fi
    fi
done
# list temp files (already delivered mails)
#find $released -type f -mtime $cleanreleased -exec ls -lah {} \;
# delete temp files (already delivered mails)
#find $released -type f -mtime $cleanreleased -exec rm {} \;
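The candidate selection and the scan-before-release decision from the posts above, as an added example that is not part of any original post. It goes slightly beyond the script by reporting why a mail is held and by treating undocumented scanner exit statuses as a hold. Assumptions: GNU find and grep, a per-day `spam` subdirectory in the quarantine, a scanner that takes the file as its last argument; the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not the poster's script. Assumes GNU find/grep and a
# per-day "spam" subdirectory; function names are hypothetical.

# Blocked attachment names, same extensions as the script above.
PATTERN='filename=.*\.(doc|xls|docx|xlsx|urg)'

# select_candidates QUARANTINE_DIR MIN_AGE_MINUTES
# Lists quarantined files that are older than the delay AND reference a
# blocked attachment name. Both tests run inside one find call: piping find
# into "grep -R DIR" makes grep read DIR instead of stdin, so the age test
# is silently dropped. -mmin is used because "-mtime +1" only matches files
# that are at least two full days old.
select_candidates() {
    find "$1" -type f -mmin "+$2" ! -path '*/spam/*' \
        -exec grep -liE "$PATTERN" {} + 2>/dev/null || true
}

# release_decision FILE SCANNER [ARGS...]
# Prints "release" only when the scanner exits 0. Every other exit status
# holds the mail, including statuses the scanner does not document (for
# example 127 when the binary is missing).
release_decision() {
    local file="$1" rc=0
    shift
    "$@" "$file" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0)   echo "release" ;;
        1)   echo "hold: threat found and cleaned" ;;
        10)  echo "hold: some files could not be scanned" ;;
        50)  echo "hold: threat found" ;;
        100) echo "hold: scanner error" ;;
        *)   echo "hold: unexpected exit status $rc" ;;
    esac
}

# recheck QUARANTINE_DIR MIN_AGE_MINUTES SCANNER [ARGS...]
# Prints one "<decision><TAB><path>" line per candidate; the caller acts
# on "release" lines only.
recheck() {
    local dir="$1" age="$2"
    shift 2
    select_candidates "$dir" "$age" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(release_decision "$f" "$@")" "$f"
    done
}
```

With the thread's scanner this would be called as `recheck /var/spool/MailScanner/quarantine/ 1440 /opt/eset/esets/sbin/esets_scan --no-quarantine --no-log-console`.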
Re: Test the Mails in Quarantine again after a couple of hours (24 H)
Posted: 14 May 2016 15:40
by shawniverson
Can you redirect the email to HOLD instead of incoming?
Re: Test the Mails in Quarantine again after a couple of hours (24 H)
Posted: 23 May 2016 06:47
by CABIT
Hi Shawniverson,
I have modified the script above. The variable "incoming" is now "releasequeue".
Sure, the release folder can be specified here:
releasequeue=/var/spool/postfix/incoming/ #postfix input folder
To release the mails to hold instead of incoming:
releasequeue=/var/spool/postfix/hold/ #postfix input folder
The problem with the hold folder is that the released mails will be checked again against all filters, I think.
And then the mail filter for blocked attachments filters them out again.
Because the mail is the original mail with no changed headers (no localhost or 127.0.0.1), it will end up in quarantine on each release.
And the MailScanner rule to whitelist mails from the localhost will not take effect.
I have no idea at the moment how I could change this to use the hold folder for release.
Re: Test the Mails in Quarantine again after a couple of hours (24 H)
Posted: 30 May 2016 13:17
by shawniverson
I follow you. If time permits I will do a little research and see if some of the GUI features could be better implemented in CLI fashion.