Thread: Banned filter
|
|
| Banned filter |
  Spain |
2007-08-20 05:31:53 |
Hi all,
My goal is that my users (who are authenticated by SASL) can't send any .exe attached file. So, in my amavis.conf config file I've got the following code:
$policy_bank{'SASLBYPASS'} = {  # mail from submission and smtps ports
  bypass_spam_checks_maps   => [1],  # don't spam-check this mail
  bypass_header_checks_maps => [1],  # don't header-check this mail
  banned_filename_maps => [
    new_RE(
      # block double extensions in names:
      qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
      # allow any name or type (except viruses) within an archive:
      [ qr'^\.(Z|gz|bz2|rpm|cpio|tar|zip|rar|arc|arj|zoo)$' => 0 ],
      # blocks MS executable file(1) types, unless allowed above:
      qr'^\.(exe-ms)$',
    ),
  ],
};
When I'm testing that, Postfix maillog shows me:
Aug 20 12:29:57 mail postfix/smtpd[398]: A9CB6D50036: client=unknown[192.168.1.17], sasl_method=PLAIN, sasl_username=jordi.espasa opengea.org
Aug 20 12:29:57 mail postfix/cleanup[404]: A9CB6D50036: message-id=<46C96D38.7080709 opengea.org>
Aug 20 12:29:59 mail postfix/qmgr[27447]: A9CB6D50036: from=<jordi.espasa opengea.org>, size=1401577, nrcpt=1 (queue active)
Aug 20 12:29:59 mail postfix/smtpd[398]: disconnect from unknown[192.168.1.17]
Aug 20 12:29:59 mail amavis[301]: (00301-02) ESMTP::10026 /var/amavis/tmp/amavis-20070820T122015-00301: <jordi.espasa opengea.org> -> <sistemes intergrid.cat> SIZE=1401577 Received: from mail.opengea.org ([127.0.0.1]) by localhost (tartarus.opengea.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <sistemes intergrid.cat>; Mon, 20 Aug 2007 12:29:59 +0200 (CEST)
Aug 20 12:29:59 mail amavis[301]: (00301-02) Checking: hSDAJwrwiKYX SASLBYPASS [192.168.1.17] <jordi.espasa opengea.org> -> <sistemes intergrid.cat>
Aug 20 12:30:06 mail postfix/smtpd[437]: connect from tartarus[127.0.0.1]
Aug 20 12:30:06 mail postfix/smtpd[437]: ECDE4D50054: client=tartarus[127.0.0.1]
Aug 20 12:30:06 mail postfix/cleanup[404]: ECDE4D50054: message-id=<46C96D38.7080709 opengea.org>
Aug 20 12:30:07 mail postfix/qmgr[27447]: ECDE4D50054: from=<jordi.espasa opengea.org>, size=1402036, nrcpt=1 (queue active)
Aug 20 12:30:07 mail postfix/smtpd[437]: disconnect from tartarus[127.0.0.1]
Aug 20 12:30:07 mail amavis[301]: (00301-02) FWD via SMTP: <jordi.espasa opengea.org> -> <sistemes intergrid.cat>,BODY=7BIT 250 2.6.0 Ok, id=00301-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as ECDE4D50054
Aug 20 12:30:07 mail amavis[301]: (00301-02) Passed CLEAN, SASLBYPASS [192.168.1.17] [192.168.1.17] <jordi.espasa opengea.org> -> <sistemes intergrid.cat>, Message-ID: <46C96D38.7080709 opengea.org>, mail_id: hSDAJwrwiKYX, Hits: -, size: 1401577, queued_as: ECDE4D50054, 7925 ms
Aug 20 12:30:07 mail postfix/smtp[406]: A9CB6D50036: to=<sistemes intergrid.cat>, relay=127.0.0.1[127.0.0.1]:10026, delay=9.4, delays=1.5/0.01/0/7.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ECDE4D50054)
Aug 20 12:30:07 mail postfix/qmgr[27447]: A9CB6D50036: removed
Why is the .exe file I've sent not denied?
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-user lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
|
|
| Re: Banned filter |

|
2007-08-20 13:33:42 |
On 8/20/07, Jordi Espasa Clofent <jordi.espasa opengea.org> wrote:
> Hi all,
>
> My goal is that my users (who are authenticated by SASL) can't send any
> .exe attached file. So, in my amavis.conf config file I've got the following
> code:
>
> $policy_bank{'SASLBYPASS'} = {  # mail from submission and smtps ports
>   bypass_spam_checks_maps   => [1],  # don't spam-check this mail
>   bypass_header_checks_maps => [1],  # don't header-check this mail
>   banned_filename_maps => [
>     new_RE(
>       # block double extensions in names:
>       qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
>       # allow any name or type (except viruses) within an archive:
>       [ qr'^\.(Z|gz|bz2|rpm|cpio|tar|zip|rar|arc|arj|zoo)$' => 0 ],
>       # blocks MS executable file(1) types, unless allowed above:
>       qr'^\.(exe-ms)$',
>     ),
>   ],
> };
>
> Aug 20 12:30:07 mail amavis[301]: (00301-02) Passed CLEAN, SASLBYPASS [192.168.1.17] [192.168.1.17] <jordi.espasa opengea.org> -> <sistemes intergrid.cat>, Message-ID: <46C96D38.7080709 opengea.org>, mail_id: hSDAJwrwiKYX, Hits: -, size: 1401577, queued_as: ECDE4D50054, 7925 ms
For some reason I'm struggling with this too. At log_level 5 I get:
Aug 20 11:45:21 mail amavis[1104]: (01104-01) skipping banned check: no applicable lookup tables
Aug 20 11:45:21 mail amavis[1104]: (01104-01) banned check: any=0, all=N (1)
and mail passes clean.
--
Gary V
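
A log check for the symptom described in this message, as an added example that is not part of the original thread or of amavisd-new: it groups amavis log lines by task id and reports mail that was passed after the banned check was skipped. The function name and the sample lines are constructed for illustration (modelled on the log lines quoted above), and it assumes log_level 5, where the skip message appears.

```python
import re

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE_LOG = """\
Aug 20 11:45:20 mail amavis[1104]: (01104-01) Checking: AAAAAAAAAAAA SASLBYPASS [192.168.1.17] <user example.org> -> <rcpt example.net>
Aug 20 11:45:21 mail amavis[1104]: (01104-01) skipping banned check: no applicable lookup tables
Aug 20 11:45:21 mail amavis[1104]: (01104-01) banned check: any=0, all=N (1)
Aug 20 11:45:22 mail amavis[1104]: (01104-01) Passed CLEAN, SASLBYPASS [192.168.1.17] [192.168.1.17] <user example.org> -> <rcpt example.net>
Aug 20 11:50:02 mail amavis[1104]: (01104-02) Checking: BBBBBBBBBBBB [203.0.113.5] <a example.org> -> <b example.net>
Aug 20 11:50:03 mail amavis[1104]: (01104-02) Passed CLEAN, [203.0.113.5] [203.0.113.5] <a example.org> -> <b example.net>
"""

# "(01104-01)" is the amavis task id that ties the lines of one message together.
TASK = re.compile(r"amavis\[\d+\]: \((?P<task>\d+-\d+)\) (?P<msg>.*)$")
# Text between the verdict and the first "[" is the policy bank name, if any.
PASSED = re.compile(r"^Passed (?P<verdict>[A-Z-]+),\s*(?P<banks>[^\[]*)\[")
SKIP = "skipping banned check: no applicable lookup tables"


def find_unchecked_deliveries(log_text):
    """Return (task_id, verdict, policy_banks) for passed mail whose banned check was skipped."""
    skipped = set()
    findings = []
    for line in log_text.splitlines():
        m = TASK.search(line)
        if not m:
            continue  # postfix and other non-amavis lines
        task, msg = m["task"], m["msg"]
        if msg.startswith(SKIP):
            skipped.add(task)
            continue
        p = PASSED.match(msg)
        if p and task in skipped:
            banks = p["banks"].strip() or "(none)"
            findings.append((task, p["verdict"], banks))
            skipped.discard(task)  # task ids can be reused later in the log
    return findings


if __name__ == "__main__":
    for task, verdict, banks in find_unchecked_deliveries(SAMPLE_LOG):
        print(f"task {task}: Passed {verdict} under policy bank {banks} with no banned check")
```
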
|
|
| Re: Banned filter |
  Spain |
2007-08-20 15:57:01 |
> For some reason I'm struggling with this too. At log_level 5 I get:
>
> Aug 20 11:45:21 mail amavis[1104]: (01104-01) skipping banned check: no applicable lookup tables
> Aug 20 11:45:21 mail amavis[1104]: (01104-01) banned check: any=0, all=N (1)
>
> and mail passes clean.
Indeed the code I've posted is extracted from your excellent docs
available at: http://www200.pair.com/mecham/spam/ (thanks Gary ;))
I've checked the syntax and it seems ok. In fact, log shows that mails
are filtered under Amavisd-new, but banned rule doesn't work properly.
At log_level 5 I get exactly the same message as you.
:S
Maybe Mark will answer it...
--
Thanks,
Jordi Espasa Clofent
|
|
| Re: Banned filter |

|
2007-08-20 16:49:26 |
On 8/20/07, Jordi Espasa Clofent <jordi.espasa opengea.org> wrote:
> > For some reason I'm struggling with this too. At log_level 5 I get:
> >
> > Aug 20 11:45:21 mail amavis[1104]: (01104-01) skipping banned check: no applicable lookup tables
> > Aug 20 11:45:21 mail amavis[1104]: (01104-01) banned check: any=0, all=N (1)
> >
> > and mail passes clean.
>
> Indeed the code I've posted is extracted from your excellent docs
> available at: http://www200.pair.com/mecham/spam/ (thanks Gary ;))
>
> I've checked the syntax and it seems ok. In fact, log shows that mails
> are filtered under Amavisd-new, but banned rule doesn't work properly.
>
> At log_level 5 I get exactly the same message as you.
>
> :S
>
> Maybe Mark will answer it...
>
> --
> Thanks,
> Jordi Espasa Clofent
>
That particular sample I took directly from:
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex
I have not tested extensively, but it does not seem to pay any
attention to anything I place in banned_filename_maps
--
Gary V
|
|
| Re: Banned filter |

|
2007-08-20 17:30:59 |
> > I've checked the syntax and it seems ok. In fact, log shows that mails
> > are filtered under Amavisd-new, but banned rule doesn't work properly.
> >
> > At log_level 5 I get exactly the same message as you.
> >
> > :S
> >
> > Maybe Mark will answer it...
> >
> > --
> > Thanks,
> > Jordi Espasa Clofent
> >
>
> That particular sample I took directly from:
> http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex
>
> I have not tested extensively, but it does not seem to pay any
> attention to anything I place in banned_filename_maps
>
I had better luck by doing this (for example):
%banned_rules = (
  'BLOCK_EXE' => new_RE(
    # block double extensions in names:
    qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
    # blocks MS executable file(1) types:
    qr'^\.(exe|exe-ms)$',
    # block these MIME types
    qr'^application/x-msdownload$'i,
    qr'^application/x-msdos-program$'i,
  ),
  'DEFAULT' => $banned_filename_re,
);
$policy_bank{'MYNETS'} = {
  spam_lovers_maps => [1],  # don't stop spam
  final_spam_destiny => D_PASS,
  banned_filename_maps => ['BLOCK_EXE'],
};
You have to place these after where $banned_filename_re is set.
--
Gary V
|
|
| Re: Banned filter |

|
2007-08-20 17:46:35 |
> %banned_rules = (
>   'BLOCK_EXE' => new_RE(
>     # block double extensions in names:
>     qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
>     # blocks MS executable file(1) types:
>     qr'^\.(exe|exe-ms)$',
>     # block these MIME types
>     qr'^application/x-msdownload$'i,
>     qr'^application/x-msdos-program$'i,
>   ),
>   'DEFAULT' => $banned_filename_re,
> );
>
> $policy_bank{'MYNETS'} = {
>   spam_lovers_maps => [1],  # don't stop spam
>   final_spam_destiny => D_PASS,
>   banned_filename_maps => ['BLOCK_EXE'],
> };
>
BTW, the spam settings I show here are unrelated. I just grabbed
something available.
--
Gary V