On 9/16/2014 1:04 PM, li...@rhsoft.net wrote:
> (yes i know it's not 100% perfect in any case)
> 
> but anybody using "mime_header_checks" by one of the similar howtos out
> there should review the configuration - without \" at the end of the
> regex this is prone to false positives
> 
> two examples from real world (.scr and .com wrongly rejected)
> 
> * name="strace.Scripting-with-the-xss.pdf.txt"
> * filename="BOOKING.COM: Hotel 342802.PDF"
> 
> i think this was the one i followed
> http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html
> _________________________________________________
> 
> cat /etc/postfix/mime_header_checks.cf
> # Reject Attachment-Extensions
> /name=[^>]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|ocx|pcd|pif|pl|reg|scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz|wll|wpc|wsc|wsf|wsh)\"/
> REJECT 554 Attachment Blocked
> 
> 



Be aware the quote marks are optional, and there may be MIME options
following the file name.  And maybe QP encoded too. Getting all the
possible valid combinations is probably impossible without some sort
of MIME normalizer.

I've used the below for a few years with good results.  It's better,
but surely not perfect.


# block windows executables PCRE
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
 ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
 inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
 ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
 vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?"?\s*$/x
  REJECT Attachment name "$2" not allowed




  -- Noel Jones
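
Added example (not part of either message): a Python harness that runs the three regex variants from this thread against sample headers, to show which header forms each one rejects. Python's `re` stands in for Postfix's PCRE table (case-insensitive by default, `/x` mapped to `re.X`). The no-quote variant is the quoted regex with its trailing `\"` removed, and every header except the two attachment names quoted above is constructed.

```python
import re

# Extension list copied from the quoted mime_header_checks.cf line.
QUOTED_EXTS = ("386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl|crt|csh|dll|dlo|"
               "drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|ocx|pcd|pif|pl|reg|"
               "scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz|wll|wpc|wsc|wsf|wsh")

# Pattern from the reply, copied as posted; PCRE /x corresponds to re.X.
REPLY_PATTERN = r'''^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
 ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
 inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
 ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
 vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?"?\s*$'''

# Postfix pcre tables match case-insensitively by default, hence re.I everywhere.
PATTERNS = {
    "no_trailing_quote": re.compile(r'name=[^>]*\.(' + QUOTED_EXTS + r')', re.I),
    "trailing_quote": re.compile(r'name=[^>]*\.(' + QUOTED_EXTS + r')"', re.I),
    "anchored_reply": re.compile(REPLY_PATTERN, re.I | re.X),
}

# Constructed headers: the two benign names come from the thread, the rest are
# made-up instances of the forms the reply lists (no quotes, trailing option, QP).
SAMPLES = {
    "benign_scr": 'Content-Type: text/plain; name="strace.Scripting-with-the-xss.pdf.txt"',
    "benign_com": 'Content-Disposition: attachment; filename="BOOKING.COM: Hotel 342802.PDF"',
    "unquoted": 'Content-Type: application/octet-stream; name=invoice.exe',
    "trailing_option": 'Content-Disposition: attachment; filename="invoice.exe"; size=1024',
    "qp_encoded": 'Content-Type: application/octet-stream; name="=?utf-8?Q?invoice=2Eexe?="',
}

def verdicts(header):
    """Return {pattern label: True if the header would be rejected}."""
    return {label: bool(rx.search(header)) for label, rx in PATTERNS.items()}

def matrix():
    """Evaluate every sample header against every pattern."""
    return {name: verdicts(header) for name, header in SAMPLES.items()}

def rejected_name(header):
    """The $2 capture that the reply's REJECT text would show, or None."""
    m = PATTERNS["anchored_reply"].search(header)
    return m.group(2) if m else None

if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:16}", " ".join(f"{k}={'REJECT' if v else 'pass'}" for k, v in row.items()))
```

The same headers can be checked against the live table with `postmap -q "<header>" pcre:/etc/postfix/mime_header_checks.cf`.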
