Releasing a password protected archive? (quarantine stored)

iglooo

Releasing a password protected archive? (quarantine stored)

Post by iglooo » 07 Feb 2019 16:42

Hey,

Incoming password protected archives are automatically blocked, which isn't a problem, but we never receive the released message after *successfully* releasing them in mailwatch. The message doesn't show up in exchange server logs either. I also noticed that the "from" field gets changed to my email address instead of being kept as the original sender.

Feb 7 11:23:32 efaserv MailScanner[33516]: New Batch: Scanning 1 messages, 4646 bytes
Feb 7 11:23:32 efaserv MailScanner[33516]: Password-protected archive (dsaadsa.zip) in E17A410066B.A958B
Feb 7 11:23:32 efaserv MailScanner[33516]: Virus and Content Scanning: Starting
Feb 7 11:23:32 efaserv MailScanner[33516]: Viruses marked as silent: MailScanner: Message contained password-protected archive
Feb 7 11:23:32 efaserv MailScanner[33516]: Saved entire message to /var/spool/MailScanner/quarantine/20190207/E17A410066B.A958B
Feb 7 11:23:32 efaserv MailScanner[33516]: Saved infected "dsaadsa.zip" to /var/spool/MailScanner/quarantine/20190207/E17A410066B.A958B
Feb 7 11:23:32 efaserv MailScanner[33516]: Spam Checks: Starting
Feb 7 11:23:32 efaserv MailScanner[33516]: Message E17A410066B.A958B from 127.0.0.1 (myemail@ourdomain.ca) is whitelisted
Feb 7 11:23:32 efaserv postfix/pickup[11529]: 62EF910066E: uid=89 from=<myemail@ourdomain.ca>
Feb 7 11:23:32 efaserv postfix/cleanup[33765]: 62EF910066E: hold: header Received: by efaserv.local.domain (Postfix, from userid 89)??id 62EF910066E; Thu, 7 Feb 2019 11:23:32 -0500 (EST) from local; from=<myemail@ourdomain.ca>
Feb 7 11:23:32 efaserv postfix/cleanup[33765]: 62EF910066E: message-id=<20190207162332.62EF910066E@efaserv.local.domain>
Feb 7 11:23:32 efaserv MailScanner[33516]: Notices: Warned about 1 messages
Feb 7 11:23:32 efaserv MailScanner[33516]: Deleted 1 messages from processing-database

Where should I look next?
Attachment: Capture.PNG

iglooo

Re: Releasing a password protected archive? (quarantine stored)

Post by iglooo » 07 Feb 2019 20:30

I've tried adding a ruleset to allow localhost to receive password protected archives, but that did nothing. Same with a ruleset to not scan viruses for localhost. Either way I just get a report about a blocked email, and the maillog entries don't look any different no matter what I change.

I also followed this guide https://docs.mailwatch.org/using/faq.html but that did nothing for the archives either.

Feel like it's going to take someone way smarter than me to figure this one out

iglooo

Re: Releasing a password protected archive? (quarantine stored)

Post by iglooo » 11 Feb 2019 22:27

Anyone? I don't get why it's not accepting rulesets. Same thing with double extensions getting blocked despite me allowing a select few.

Is this a bug or something, or have I messed up the mailscanner config somewhere?

henk

Re: Releasing a password protected archive? (quarantine stored)

Post by henk » 11 Feb 2019 22:55

Google shows some results on this (site:forum.efa-project.org release protected archive). As there are many posts on this issue, it just depends on the search keywords.

The main issue is, how do you know who you can trust?
viewtopic.php?t=1580
viewtopic.php?t=1072
viewtopic.php?t=491

Bottom line, I would try something like below:

/etc/MailScanner/MailScanner.conf

    Allow Password-Protected Archives = %rules-dir%/hilary.archives.rules
    Quarantine Whole Message = yes
    Quarantine Whole Messages As Queue Files = no

%rules-dir%/hilary.archives.rules

    #Allow mail from From: hilary.dnc.us with password protected archives.
    From: /[\@\-]hilary\.dnc\.us$/ yes
    From: default no

The whitespaces are tabs.

Another option could be to shortcut and whitelist specific users/domain.

iglooo

Re: Releasing a password protected archive? (quarantine stored)

Post by iglooo » 11 Feb 2019 23:36

Appreciate the input as always, hank! I've read every single thread about password protected archives on here, as well as elsewhere, and nothing really helps.

Is there any chance the server needs a reboot for the changes to take effect, because clearly restarting the mailscanner service does nothing

henk

Re: Releasing a password protected archive? (quarantine stored)

Post by henk » 11 Feb 2019 23:48

The name is henk :)

You should post your config (replace email/domain with some bogus data), as it works fine on my efa 3.0.2.6.

I will check my config to see if I had an additional change I forgot to mention, or even better, have a look at the documentation.

iglooo

Re: Releasing a password protected archive? (quarantine stored)

Post by iglooo » 12 Feb 2019 00:00

Sorry henk :)

I've attached my mailscanner config, appreciate you taking the time to look at it!
Attachment: MailScanner.conf.zip

henk

Re: Releasing a password protected archive? (quarantine stored)

Post by henk » 12 Feb 2019 13:58

There are quite a lot of settings that contain an underscore as value?

    Archives: Allow Filenames = _
    Archive Mail = _
    SpamAssassin Rule Actions = _

etc., etc.

Do you have conf files in /etc/MailScanner/conf.d, as they will overrule the settings in /etc/MailScanner/MailScanner.conf?

    Allow Password-Protected Archives = %rules-dir%/pp.archive.rules

So you need to post the pp.archive.rules (where did you put this file?).

To do a quick test (excluding the settings in pp.archive.rules), just change

    Allow Password-Protected Archives = yes
    Quarantine Silent Viruses = yes

and restart MailScanner.

iglooo

Re: Releasing a password protected archive? (quarantine stored)

Post by iglooo » 12 Feb 2019 14:22

Swear to god that wasn't me haha. It's a relatively fresh Hyper-V install of 3.0.2.6 and I've only changed a handful of things.

Besides the default README file, there's nothing under /etc/MailScanner/conf.d.

pp.archive.rules lives in /etc/MailScanner/rules/ and here's the contents:

    FromOrTo: 127.0.0.1 yes
    FromOrTo: default no

Making those 2 config changes you asked for does let password protected archives through, but leaving it wide open isn't exactly ideal.
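
As an added example that is not from this thread or from MailScanner itself, here is a small Python model of how a MailScanner ruleset is evaluated (first matching line wins; From: is tested against the envelope sender and the connecting IP), so that the two rules files posted above, henk's hilary.archives.rules and iglooo's pp.archive.rules, can be checked against sample senders before being deployed. The matching semantics are a simplification and an assumption on my part, and the rule files are constructed inline from the text of the thread.

```python
import re

# Constructed copies of the two rules files posted in this thread (tab-separated,
# as the thread says MailScanner expects). The evaluator below is a simplified
# model of MailScanner's ruleset matching, not MailScanner's own parser.
HILARY_RULES = (
    "#Allow mail from From: hilary.dnc.us with password protected archives.\n"
    "From:\t/[\\@\\-]hilary\\.dnc\\.us$/\tyes\n"
    "From:\tdefault\tno\n"
)
PP_ARCHIVE_RULES = (
    "FromOrTo:\t127.0.0.1\tyes\n"
    "FromOrTo:\tdefault\tno\n"
)

def pattern_to_regex(pattern):
    """/.../ is a regex used as-is, 'default' matches anything, and any other
    pattern is a case-insensitive glob where * stands for any run of characters."""
    if pattern == "default":
        return re.compile(".*")
    if len(pattern) > 2 and pattern[0] == pattern[-1] == "/":
        return re.compile(pattern[1:-1], re.IGNORECASE)
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)

def parse_rules(text):
    """Return [(direction, compiled pattern, value)], skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)   # tabs or spaces both split
        rules.append((direction.rstrip(":").lower(), pattern_to_regex(pattern), value))
    return rules

def evaluate(rules, sender, client_ip, recipients):
    """Value of the first matching rule. From: is tested against the envelope
    sender and the connecting IP, To: against every recipient; a regex with $ is
    what stops a look-alike domain such as hilary.dnc.us.example.net matching."""
    for direction, regex, value in rules:
        from_hit = any(regex.search(s) for s in (sender, client_ip))
        to_hit = any(regex.search(r) for r in recipients)
        hit = {"from": from_hit, "to": to_hit,
               "fromorto": from_hit or to_hit, "fromandto": from_hit and to_hit}
        if hit.get(direction):
            return value
    return None  # no line matched; MailScanner warns when a ruleset has no default
```

With pp.archive.rules, a message only gets "yes" when the connecting IP itself is 127.0.0.1; a sender address that merely contains the string 127.0.0.1 still falls through to the default "no".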
