[Postfixbuch-users] amavis or what?!

Martin Reczio martin at reczio.net
Fri Jan 20 13:33:26 CET 2006


Hello

I hope someone can help me!

The problem is as follows:
Mail server with Postfix, SpamAssassin, amavisd-new, ClamAV.
When I receive mails that contain a zipped attachment, the content is
checked and, if it contains e.g. an exe or mdb, the attachment is
discarded.
The user receives a notice that the attachment was discarded because of
a ban.
This mail, though I do not know which system generates it, also says that
this can be circumvented by encrypting the zip file.
I tried this, with the result that the attachment is discarded anyway.
What do I have to do so that this rule is not applied at all to internal
mail traffic, and so that encrypted attachments from outside are not
discarded?
Here is the mail I receive from the system in both cases:



-----Original Message-----
From: Content-filter at aladin.kem.kliniken-essen-mitte.de
[mailto:postmaster at kliniken-essen-mitte.de]
Sent: Monday, 16 January 2006 12:50
To: benutzer at kliniken-essen-mitte.de
Subject: BANNED (multipart/mixed |
application/x-zip-compressed,.zip,DatenbankDB.zip |
datenbankDB.mdb,UNDECIPHERABLE) IN MAIL FROM YOU


BANNED CONTENTS ALERT

Our content checker found
    banned name: multipart/mixed |
application/x-zip-compressed,.zip,DatenbankDB.zip |
datenbank.mdb,UNDECIPHERABLE
in email presumably from you (<benutzer at kliniken-essen-mitte.de>),
to the following recipient:
-> martin at reczio.net

According to the 'Received:' trace, the message originated at:
[172.20.1.128]
Our internal reference code for your message is 21871-07/BrsLg27OwBAM.

Delivery of the email was stopped!

The message has been blocked because it contains a component
(as a MIME part or nested within) with declared name
or MIME type or contents type violating our access policy.

To transfer contents that may be considered risky or unwanted
by site policies, or simply too large for mailing, please consider
publishing your content on the web, and only sending an URL of the
document to the recipient.

Depending on the recipient and sender site policies, with a little
effort it might still be possible to send any contents (including
viruses) using one of the following methods:

- encrypted using pgp, gpg or other encryption methods;

- wrapped in a password-protected or scrambled container or archive
  (e.g.: zip -e, arj -g, arc g, rar -p, or other methods)

Note that if the contents is not intended to be secret, the
encryption key or password may be included in the same message
for recipient's convenience.

We are sorry for inconvenience if the contents was not malicious.

The purpose of these restrictions is to cut the most common propagation
methods used by viruses and other malware. These often exploit automatic
mechanisms and security holes in more popular mail readers (Microsoft
mail readers and browsers are a common target). By requiring an explicit
and decisive action from the recipient to decode mail, the dangers of
automatic malware propagation is largely reduced.

For your reference, here are headers from your email:
------------------------- BEGIN HEADERS -----------------------------
Return-Path: <benutzer at kliniken-essen-mitte.de>
Received: from pc45762 (unknown [172.20.1.128])
	by aladin.kliniken-essen-mitte.de (Postfix) with SMTP id EBF4B1B0001
	for <martin at reczio.net>; Mon, 16 Jan 2006 12:49:34 +0100 (CET)
From: "Testbenutzer" <benutzer at kliniken-essen-mitte.de>
To: <martin at reczio.net>
Subject: datenbankDB
Date: Mon, 16 Jan 2006 12:48:24 +0100
Message-ID:
<DKEGKKFHDCGCBPNMJBFHIEBFCCAA.benutzer at kliniken-essen-mitte.de>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0015_01C61A9B.234511E0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
-------------------------- END HEADERS ------------------------------



Attached are my configs

main.cf
myhostname = aladin.kem.kliniken-essen-mitte.de
mydomain = kliniken-essen-mitte.de
myorigin = $myhostname
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.100.0/24, 127.0.0.1, 172.20.0.0/16
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
inet_protocols = all
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = aladin.kliniken-essen-mitte.de
program_directory = /usr/lib/postfix
masquerade_domains = kliniken-essen-mitte.de
mydestination = $myhostname,
    localhost.$mydomain, $mydomain, kem.kliniken-essen-mitte.de,
    kliniken-essen-mitte.de, 172.20.0.0
disable_dns_lookups = no
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_helo_required = yes
strict_rfc821_envelopes = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_unauth_destination
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 30240000
myorigin = kliniken-essen-mitte.de
queue_run_delay = 700s
minimal_backoff_time = 500s
ignore_mx_lookup_error = yes

amavis.conf
use strict;
$max_servers = 6; # number of pre-forked children (2..15 is common)
$daemon_user = 'vscan';
$daemon_group = 'vscan';
$mydomain = 'kliniken-essen-mitte.de'; # a convenient default for other settings
$MYHOME = '/var/spool/amavis';
$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to be created manually
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR
$QUARANTINEDIR = '/var/spool/amavis/virusmails';
@local_domains_maps = ( [".$mydomain"] );
$log_level = 3;              # verbosity 0..5
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$SYSLOG_LEVEL = 'mail.debug';
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$inet_socket_port = 10024; # listen on this local TCP port(s) (see $protocol)
$unix_socketname = "$MYHOME/amavisd.sock";  # when using sendmail milter
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 9;    # spam level beyond which a DSN is not sent
$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
$sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant
$virus_admin = "virusalert\@$mydomain"; # notifications recip.
$mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender
$mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
@addr_extension_virus_maps      = ('virus');
@addr_extension_spam_maps       = ('spam');
@addr_extension_banned_maps     = ('banned');
@addr_extension_bad_header_maps = ('badh');
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$sa_spam_subject_tag = '***ACHTUNG SPAM-MAIL*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
$myhostname = 'aladin.kem.kliniken-essen-mitte.de'; # must be a fully-qualified domain name!
$final_spam_destiny = D_PASS;
$remove_existing_spam_headers = 0;
@viruses_that_fake_sender_maps = (new_RE(
  [qr/^/ => 1],  # true for everything else
));

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
$banned_filename_re = new_RE(
qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
qr'^application/x-msdownload$'i, # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
  qr'^\.(exe-ms)$',                       # banned file(1) types
);
@score_sender_maps = ({ # a by-recipient hash lookup table,
 '.' => [  # the _first_ matching sender determines the score boost

new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=>
    5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=>
    5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
   ),

   { # a hash-type lookup table (associative array)
     'nobody@cert.org'                        => -3.0,
     'cert-advisory@us-cert.gov'              => -3.0,
     'owner-alert@iss.net'                    => -3.0,
     'slashdot@slashdot.org'                  => -3.0,
     'bugtraq@securityfocus.com'              => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     'security-alerts@linuxsecurity.com'      => -3.0,
     'mailman-announce-admin@python.org'      => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'notification-return@lists.sophos.com'   => -3.0,
     'owner-postfix-users@postfix.org'        => -3.0,
     'owner-postfix-announce@postfix.org'     => -3.0,
     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org'                => -3.0,
     'ca+envelope@sendmail.org'               => -3.0,
     'noreply@freshmeat.net'                  => -3.0,
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
     'sender@example.net'                     =>  3.0,
     '.example.net'                           =>  1.0,

   },
  ],  # end of site-wide tables
});


@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_gunzip],
  ['gz',   \&do_uncompress,  'gzip -d'],
  ['bz2',  \&do_uncompress,  'bzip2 -d'],
  ['lzo',  \&do_uncompress,  'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_tar],
  ['deb',  \&do_ar,          'ar'],
# ['a',    \&do_ar,          'ar'],  # unpacking .a seems an overkill
  ['zip',  \&do_unzip],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,         'zoo'],
  ['lha',  \&do_lha,         'lha'],
  ['cab',  \&do_cabextract,  'cabextract'],
  ['tnef', \&do_tnef_ext,    'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);


@av_scanners = (

### http://www.clamav.net/
 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "127.0.0.1:3310"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

);
1;  # ensure a defined return
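As an added example (not part of the original post or the amavisd-new distribution): an amavisd.conf fragment that exempts internal senders from the banned-name check while keeping the virus scan, and delivers externally received banned mail MIME-wrapped instead of bouncing it. It assumes amavisd-new 2.2 or newer (policy banks and @mynetworks), that Postfix hands mail to amavisd over SMTP and forwards the client address with XFORWARD, and that the internal networks are the mynetworks values from the posted main.cf.

```perl
# Added example, not from the original post. Assumes amavisd-new 2.2+,
# Postfix delivering to amavisd via SMTP with XFORWARD, and internal
# clients in the networks listed as mynetworks in the posted main.cf.

# Listen on two ports: 10024 for all mail, 10026 for an internal-only path.
$inet_socket_port = [10024, 10026];

# Clients from these networks are placed in the MYNETS policy bank
# when their address is forwarded by Postfix.
@mynetworks = qw( 127.0.0.0/8 192.168.100.0/24 172.20.0.0/16 );

# Internal senders: skip the banned-name check, keep the virus scan.
$policy_bank{'MYNETS'} = {
  bypass_banned_checks_maps => [1],
};

# Same rule for mail arriving on port 10026, for setups where the client
# address is not forwarded; Postfix then needs a dedicated smtpd service
# for internal clients with -o content_filter=smtp-amavis:[127.0.0.1]:10026
$interface_policy{'10026'} = 'INTERNAL';
$policy_bank{'INTERNAL'} = {
  bypass_banned_checks_maps => [1],
};

# External mail: a password-protected zip still exposes the names of its
# members, because the archive directory is stored in clear. amavisd lists
# the part as "datenbankDB.mdb,UNDECIPHERABLE", and the .mdb name matches
# the extension list in $banned_filename_re, so encrypting the zip does not
# avoid the ban. Rather than bouncing ("Delivery of the email was stopped!"),
# deliver such mail MIME-wrapped with a warning; the recipient then has to
# open the wrapper deliberately, which is the explicit action the notice
# text relies on.
$final_banned_destiny = D_PASS;   # default is D_BOUNCE
$defang_banned = 1;               # already set in the posted config
```

Restart amavisd after the change and send a test message from an internal client and from outside; the internal one should pass unwrapped, the external one should arrive with the banned part wrapped.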





More information about the Postfixbuch-users mailing list