Here is my suggestion. The idea is simple: don't allow attachments that can
be executed by network users and scan everything else (such as docs).

For that, I use amavisd-new with decoders, 7zip for .zip instead of the Perl
library used by amavisd-new (it fails on many .zip).
I pretty much covered all file types and quarantined (not blocked)
executables since ClamAV and another commercial AV missed a few signatures
(zero-day protection may take 23 hours).
With the help of header_checks in Postfix I use a "passphrase" in the subject in
order to avoid the banning in amavis (redirect to a second amavis socket
with a different policy map) whenever executables or encrypted files
need to be sent in legit scenarios.

Marius.


-----Original Message-----
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of li...@rhsoft.net
Sent: Tuesday, September 16, 2014 9:38 PM
To: postfix-users@postfix.org
Subject: Re: FYI: blocking attachment extensions

Am 16.09.2014 um 20:34 schrieb Wietse Venema:
> li...@rhsoft.net:
>> (yes i know it's not 100% perfect in any case)
>>
>> but anybody using "mime_header_checks" by one of the similar howtos 
>> out there should review the configuration - without \" at the end of 
>> the regex this is prone to false positives
> 
> Caution: MIME allows names in this context without "", as long as 
> those names contain no whitespace etc.

thanks for the hint

i am open to suggestions on how to optimize that in general without raising
false positives - at the end there is clamd, but "mime_header_checks" is
"cheaper"

>> two examples from real world (.scr and .com wrongly rejected)
>>
>> * name="strace.Scripting-with-the-xss.pdf.txt"
>> * filename="BOOKING.COM: Hotel 342802.PDF"
>>
>> i think this was the one i followed
>> http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html
>> _________________________________________________
>>
>> cat /etc/postfix/mime_header_checks.cf
>> # Reject Attachment-Extensions
>> /name=[^>]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|ocx|pcd|pif|pl|reg|scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz|wll|wpc|wsc|wsf|wsh)\"/
>> REJECT 554 Attachment Blocked
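Added example (not from either poster): a Python reproduction of the two false positives quoted above, treating each Postfix regexp-table entry as an equivalent `re` pattern run over the header value (Postfix regexp and pcre tables match case-insensitively by default, and header_checks see the whole logical header line, which search-style matching handles the same way). The third pattern, anchoring the extension to the end of the parameter value, is my own assumed alternative that also catches the unquoted-name case Wietse raises; it is not something proposed in the thread.

```python
import re

# Extension list copied from the quoted mime_header_checks.cf in the thread.
EXTENSIONS = ("386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl|crt|csh|dll|dlo|"
              "drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|ocx|pcd|pif|pl|reg|"
              "scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz|wll|wpc|wsc|wsf|wsh")

# Three candidate table entries, written as Python re equivalents.
PATTERNS = {
    # As in the howto: nothing anchors the extension, so ".Scr" inside
    # ".Scripting" and ".COM" inside "BOOKING.COM:" both match.
    "howto": r'name=[^>]*\.(' + EXTENSIONS + r')',
    # The thread's fix: the extension must be followed by the closing quote.
    "quoted": r'name=[^>]*\.(' + EXTENSIONS + r')"',
    # Assumed alternative (not from the thread): the extension must end the
    # parameter value, quoted or not, so unquoted MIME token names count too.
    "token_end": r'name=[^>]*\.(' + EXTENSIONS + r')"?\s*(;|$)',
}

def blocked(pattern_name, header_value):
    """True if this Content-Type / Content-Disposition value would be rejected."""
    return re.search(PATTERNS[pattern_name], header_value, re.IGNORECASE) is not None

# Constructed samples: the two false positives quoted in the thread, a quoted
# executable name, and an unquoted token-form name that MIME also allows.
SAMPLES = {
    "txt_quoted":   'application/octet-stream; name="strace.Scripting-with-the-xss.pdf.txt"',
    "pdf_quoted":   'attachment; filename="BOOKING.COM: Hotel 342802.PDF"',
    "exe_quoted":   'application/octet-stream; name="invoice.exe"',
    "exe_unquoted": 'application/octet-stream; name=invoice.exe',
}

def evaluate(pattern_name):
    """Map each sample to whether the named pattern would block it."""
    return {key: blocked(pattern_name, value) for key, value in SAMPLES.items()}

if __name__ == "__main__":
    for name in PATTERNS:
        print(name, evaluate(name))
```

The "quoted" row shows why Wietse's caution matters: it clears both false positives but lets the unquoted `name=invoice.exe` through, which the token-end form catches.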
