In order to guard against malicious macros, we have banned all macro-enabled
Office document formats, i.e. added the following to $banned_filename_re:
# block macro-enabled office files
qr'.\.(xlsm|xltm|xlam|docm|dotm|pptm|potm|ppam|ppsm|sldm)$'i,
Since modern Office documents are technically zip-files, amavisd-new opens and
processes the zip archive. For originating (outgoing) messages we bounce the
banned emails so the poor sender can understand why his emails are not
delivered, but in this case amavisd-new does not report the actual office
document being banned but instead blames the first file inside the zip-archive.
This results in very cryptic error messages, like:
Subject: BANNED contents from you
(.txt,[Content_Types].xml)
Our content checker found
banned name: .txt,[Content_Types].xml
in email presumable from you
It seems amavisd has a small “optimization” that skips banned checks for
non-leaf nodes. I propose removing that so the actual office documents can be
directly banned and correctly reported:
--- amavisd 5 Apr 2016 06:30:18 -0000 1.24
+++ amavisd 5 Apr 2016 06:30:29 -0000
@@ -9912,7 +9912,9 @@
my(@path) = @{$part->path};
next if @path <= 1;
shift(@path); # ignore place-holder root node
- next if @{$part->children}; # ignore non-leaf nodes
+ # also process non-leaf nodes or we cannot block office documents
+ # without alert about wrong parts (blames the innocent zip member)
+ # next if @{$part->children}; # ignore non-leaf nodes
my(@descr_trad); # a part path: list of predecessors of a message part
my(@descr); # same, but in form suitable for check on banned_namepath_re
for my $p (@path) {
--
kai.ri...@arrak.fi GSM +358-40-7678282
Oy Arrak Software Ab http://www.arrak.fi
