Re: FYI: blocking attachment extensions
On Sep 18, 2014, at 7:45 AM, terrygalant.li...@fastest.cc wrote: I've been reading the discussion here and the various approaches to blocking extensions I'd gotten this from a friend awhile ago, and have been using it With postfix_header_checks = pcre:/path/to/custom_header_checks smtpd_sasl_authenticated_header = yes cat /path/to/custom_header_checks ... /filename=\?(.*)\.(exe|vbe)\?$/ REJECT attachment type forbidden /^\s*Content-(Disposition|Type).*name\s*=\s*?(.+\.(exe|vbe))?\s*$/ REJECT attachment type (File $2, Extension $3) forbidden ... seems to work fine t...@xxx.com : host mx.yyy.com[##.##.##.##] said: 550 5.7.1 REJECT attachment type forbidden (in reply to end of DATA command) Just checking -- is there any reason NOT to keep doing it this ^^ way? I don’t necessarily trust just the extension of the filename. I’d also look at the file’s magic (same as the OS does) as well as the content-type. Can’t be too thorough. -Philip
Re: FYI: blocking attachment extensions
Am 03.10.2014 um 19:13 schrieb Philip Prindeville: I don’t necessarily trust just the extension of the filename. I’d also look at the file’s magic (same as the OS does) as well as the content-type. Can’t be too thorough that topic is not a matter of trusting it's a matter of put different filters with differenct performance and security impact in the right order - if the client announces a banned extension you reject there is just nothing for file’s magic because you don't reveive it everybody knows that you must not rely on extensions but keep in mind that the file package not only once time had it's own security flaws and some of them short ago so receive the attachment and inspect even may lead in code execution on your server the same applies to virus scanners and other content inspection that's why you want to reject things you don't want to receive for sure instead touch them with complex software after receive data
Re: FYI: blocking attachment extensions
On 03 Oct 2014, at 11:26 , li...@rhsoft.net wrote: Am 03.10.2014 um 19:13 schrieb Philip Prindeville: I don’t necessarily trust just the extension of the filename. I’d also look at the file’s magic (same as the OS does) as well as the content-type. Can’t be too thorough that topic is not a matter of trusting Exactly. it's a matter of put different filters with differenct performance and security impact in the right order - if the client announces a banned extension you reject there is just nothing for file’s magic because you don't reveive it And checking the file’s magic is expensive (especially if it’s in an archive). everybody knows that you must not rely on extensions but keep in mind that the file package not only once time had it's own security flaws and some of them short ago so receive the attachment and inspect even may lead in code execution on your server The extension check is also the simplest way to exclude files that will automatically execute on a Windows system (at least historically, and on far too many existing Windows XP installs). -- And she was looking at herself And things were looking like a movie She had a pleasant elevation She's moving out in all directions
Re: FYI: blocking attachment extensions
I've been reading the discussion here and the various approaches to blocking extensions I'd gotten this from a friend awhile ago, and have been using it With postfix_header_checks = pcre:/path/to/custom_header_checks smtpd_sasl_authenticated_header = yes cat /path/to/custom_header_checks ... /filename=\?(.*)\.(exe|vbe)\?$/ REJECT attachment type forbidden /^\s*Content-(Disposition|Type).*name\s*=\s*?(.+\.(exe|vbe))?\s*$/ REJECT attachment type (File $2, Extension $3) forbidden ... seems to work fine t...@xxx.com : host mx.yyy.com[##.##.##.##] said: 550 5.7.1 REJECT attachment type forbidden (in reply to end of DATA command) Just checking -- is there any reason NOT to keep doing it this ^^ way?
Re: FYI: blocking attachment extensions
Am 18.09.2014 um 15:45 schrieb terrygalant.li...@fastest.cc: I've been reading the discussion here and the various approaches to blocking extensions I'd gotten this from a friend awhile ago, and have been using it With postfix_header_checks = pcre:/path/to/custom_header_checks smtpd_sasl_authenticated_header = yes cat /path/to/custom_header_checks ... /filename=\?(.*)\.(exe|vbe)\?$/ REJECT attachment type forbidden /^\s*Content-(Disposition|Type).*name\s*=\s*?(.+\.(exe|vbe))?\s*$/ REJECT attachment type (File $2, Extension $3) forbidden ... seems to work fine t...@xxx.com : host mx.yyy.com[##.##.##.##] said: 550 5.7.1 REJECT attachment type forbidden (in reply to end of DATA command) Just checking -- is there any reason NOT to keep doing it this ^^ way? yes - the checks affect any header of any message not only attachments likely not a problem but small wasting of ressources
Re: FYI: blocking attachment extensions
Am 16.09.2014 um 21:42 schrieb Viktor Dukhovni postfix-us...@dukhovni.org:
On Tue, Sep 16, 2014 at 09:28:11PM +0200, li...@rhsoft.net wrote:
# block windows executables PCRE
/^\s*Content-(?:Disposition|Type): # Header label
(?:.*?;)? \s* # Any prior attributes
(?:file)?name\s*=\s*? # name or filename
( # Capture name for response
.*?(\.|=2E)# File basename and .
(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh)# Capture risky extensions
) # Close capture
(?:\?=)? # Trailer of ad-hoc RFC 2047
encoding
?# Optional close quote
\s*(;|$) # End of attribute or header
/x
[ untested ]
thanks!
interesting - none of both blocking a empty textfile renamed to test.exe
i have all 3 for now enabled and the 3rd one rejects (Thunderbird as MUA)
That's because Postfix does not support in-line comments in PCRE
patterns. The multi-line pattern is unfolded first, and the first
comment gobbles up all the remaining text. If you strip all the
comments:
$ postmap -q 'Content-Type: name=test.exe.txt; charset=us-ascii'
pcre:/tmp/foo.pcre
$ postmap -q 'Content-Type: name=test.exe; charset=us-ascii'
pcre:/tmp/foo.pcre
REJECT blocked filename test.exe
With /tmp/foo.pcre containing:
# block windows executables PCRE
/^Content-(?:Disposition|Type):
(?:.*?;)? \s*
(?:file)?name \s* = \s*?
(
.*?(\.|=2E)
(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh)
)
(?:\?=)?
?
\s*(;|$)
/xREJECT blocked filename ${1}
--
Viktor.
I just wanted to give this a try, but it seems I have done something wrong. I
copied the comment-free version to a pcre-table-file and gave it a try, but
Postfix now tells me this in the logs:
postconf -c $PWD mime_header_checks
mime_header_checks = pcre:${map}/mime_header_checks.pcre
Sep 17 09:51:15 mx postfix-submission/cleanup[23573]: warning: pcre map
/etc/postfix-submission/maps/mime_header_checks.pcre, line 14: no closing
regexp delimiter /: ignoring this rule
Sep 17 09:51:15 mx postfix-submission/cleanup[23573]: warning: pcre map
/etc/postfix-submission/maps/mime_header_checks.pcre, line 16: no closing
regexp delimiter /: ignoring this rule
postconf -c $PWD mime_header_checks
mime_header_checks = pcre:${map}/mime_header_checks.pcre
cat maps/mime_header_checks.pcre
# block windows executables PCRE
/^Content-(?:Disposition|Type):
(?:.*?;)? \s*
(?:file)?name \s* = \s*?
(
.*?(\.|=2E)
(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh)
)
(?:\?=)?
?
\s*(;|$)
/x REJECT blocked filename ${1}
Or do I have to make this all become one line?
It’s on Postfix 2.12_pre20140907
Kind regards
Christian
--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
smime.p7s
Description: S/MIME cryptographic signature
Re: FYI: blocking attachment extensions
Am 17.09.2014 um 10:02 schrieb Christian Rößner
c...@roessner-network-solutions.com:
/xREJECT blocked filename ${1}
Missing indention here. Got it. Thanks
Christian
--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
smime.p7s
Description: S/MIME cryptographic signature
Re: FYI: blocking attachment extensions
Am 17.09.2014 um 11:28 schrieb Christian Rößner:
Am 17.09.2014 um 10:02 schrieb Christian Rößner
c...@roessner-network-solutions.com:
/x REJECT blocked filename ${1}
Missing indention here. Got it. Thanks
i attached once again my final (appearing to work)
config file - may somebody review if there was no
harm by copypaste from mail / remove comments
thanks!
# Reject Attachment Extensions
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x
REJECT 554 Attachment Blocked $1
Re: FYI: blocking attachment extensions
li...@rhsoft.net: /^Content-(?:Disposition|Type):stuff/x REJECT 554 Attachment Blocked $1 - What is $1 supposed to contain? - Use REJECT or 554, not both. Wietse
Re: FYI: blocking attachment extensions
Am 17.09.2014 um 13:20 schrieb Wietse Venema: li...@rhsoft.net: /^Content-(?:Disposition|Type):stuff/x REJECT 554 Attachment Blocked $1 - What is $1 supposed to contain? in fact the attachment name in the log as well as in the REJET response (Thunderbird dialog) excerpt from the logs 5.7.1 554 Attachment Blocked test.exe.txt.sh 5.7.1 554 Attachment Blocked bla test.com 5.7.1 554 Attachment Blocked bla .com.pif test.pif - Use REJECT or 554, not both OK
FYI: blocking attachment extensions
(yes i know it's not 100% perfect in any case) but anybody using mime_header_checks by one of the similar howtos out there should review the configuration - without \ at the end of the regex this is prone to false positives two examples from real world (.scr and .com wrongly rejected) * name=strace.Scripting-with-the-xss.pdf.txt * filename=BOOKING.COM: Hotel 342802.PDF i think this was the one i followed http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html _ cat /etc/postfix/mime_header_checks.cf # Reject Attachment-Extensions /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|ocx|pcd|pif|pl|reg|scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked
Re: FYI: blocking attachment extensions
li...@rhsoft.net: (yes i know it's not 100% perfect in any case) but anybody using mime_header_checks by one of the similar howtos out there should review the configuration - without \ at the end of the regex this is prone to false positives Caution: MIME allows names in this context without , as long as those names contain no whitespace etc. Wietse two examples from real world (.scr and .com wrongly rejected) * name=strace.Scripting-with-the-xss.pdf.txt * filename=BOOKING.COM: Hotel 342802.PDF i think this was the one i followed http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html _ cat /etc/postfix/mime_header_checks.cf # Reject Attachment-Extensions /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|ocx|pcd|pif|pl|reg|scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked
Re: FYI: blocking attachment extensions
Am 16.09.2014 um 20:34 schrieb Wietse Venema: li...@rhsoft.net: (yes i know it's not 100% perfect in any case) but anybody using mime_header_checks by one of the similar howtos out there should review the configuration - without \ at the end of the regex this is prone to false positives Caution: MIME allows names in this context without , as long as those names contain no whitespace etc. thanks for the hint i am open for suggestions how to optimize that in general without raise false positives - at the end there is clamd but mime_header_checks is cheaper two examples from real world (.scr and .com wrongly rejected) * name=strace.Scripting-with-the-xss.pdf.txt * filename=BOOKING.COM: Hotel 342802.PDF i think this was the one i followed http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html _ cat /etc/postfix/mime_header_checks.cf # Reject Attachment-Extensions /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|ocx|pcd|pif|pl|reg|scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked
Re: FYI: blocking attachment extensions
On 9/16/2014 1:04 PM, li...@rhsoft.net wrote: (yes i know it's not 100% perfect in any case) but anybody using mime_header_checks by one of the similar howtos out there should review the configuration - without \ at the end of the regex this is prone to false positives two examples from real world (.scr and .com wrongly rejected) * name=strace.Scripting-with-the-xss.pdf.txt * filename=BOOKING.COM: Hotel 342802.PDF i think this was the one i followed http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html _ cat /etc/postfix/mime_header_checks.cf # Reject Attachment-Extensions /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|ocx|pcd|pif|pl|reg|scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked Be aware the quote marks are optional, and there may be mime options following the file name. And maybe QP encoded too. Getting all the possible valid combinations is probably impossible without some sort of mime normalizer. I've used the below for a few years with good results. It's better, but surely not perfect. # block windows executables PCRE /^\s*Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)( ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta| inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws| ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf| vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)??\s*$/x REJECT Attachment name $2 not allowed -- Noel Jones
Re: FYI: blocking attachment extensions
On Tue, Sep 16, 2014 at 01:41:36PM -0500, Noel Jones wrote: I've used the below for a few years with good results. It's better, but surely not perfect. # block windows executables PCRE /^\s*Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)( ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta| inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws| ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf| vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)??\s*$/x This assumes that name or filename is the last attribute in the header. It might instead be followed by a ; and more attributes. So for a bit more generality, try the below: # block windows executables PCRE /^\s*Content-(?:Disposition|Type): # Header label (?:.*?;)? \s* # Any prior attributes (?:file)?name\s*=\s*?# name or filename (# Capture name for response .*?(\.|=2E)# File basename and . (ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta| inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws| ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf| vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh) # Capture risky extensions )# Close capture (?:\?=)? # Trailer of ad-hoc RFC 2047 encoding ? # Optional close quote \s*(;|$) # End of attribute or header /x [ untested ] -- Viktor.
Re: FYI: blocking attachment extensions
Am 16.09.2014 um 21:00 schrieb Viktor Dukhovni: On Tue, Sep 16, 2014 at 01:41:36PM -0500, Noel Jones wrote: I've used the below for a few years with good results. It's better, but surely not perfect. # block windows executables PCRE /^\s*Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)( ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta| inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws| ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf| vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)??\s*$/x This assumes that name or filename is the last attribute in the header. It might instead be followed by a ; and more attributes. So for a bit more generality, try the below: # block windows executables PCRE /^\s*Content-(?:Disposition|Type):# Header label (?:.*?;)? \s* # Any prior attributes (?:file)?name\s*=\s*? # name or filename ( # Capture name for response .*?(\.|=2E)# File basename and . (ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta| inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws| ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf| vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh) # Capture risky extensions ) # Close capture (?:\?=)? # Trailer of ad-hoc RFC 2047 encoding ? # Optional close quote \s*(;|$) # End of attribute or header /x [ untested ] thanks! interesting - none of both blocking a empty textfile renamed to test.exe i have all 3 for now enabled and the 3rd one rejects (Thunderbird as MUA) reject: header Content-Type: application/octet-stream;? name=test.exe 5.7.1 554 Attachment Blocked (Rule 3) [root@localhost:~]$ cat postfix/mime_header_checks.cf # Reject Attachment Extensions /^\s*Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(\?=)??\s*$/x REJECT 554 Attachment Blocked (Rule 1) /^\s*Content-(?:Disposition|Type):(?:.*?;)?\s*(?:file)?name\s*=\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x REJECT 554 Attachment Blocked (Rule 2) /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked (Rule 3)
Re: FYI: blocking attachment extensions
On Tue, Sep 16, 2014 at 09:28:11PM +0200, li...@rhsoft.net wrote:
# block windows executables PCRE
/^\s*Content-(?:Disposition|Type): # Header label
(?:.*?;)? \s* # Any prior attributes
(?:file)?name\s*=\s*?# name or filename
(# Capture name for response
.*?(\.|=2E)# File basename and .
(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh) # Capture risky extensions
)# Close capture
(?:\?=)? # Trailer of ad-hoc RFC 2047
encoding
? # Optional close quote
\s*(;|$) # End of attribute or header
/x
[ untested ]
thanks!
interesting - none of both blocking a empty textfile renamed to test.exe
i have all 3 for now enabled and the 3rd one rejects (Thunderbird as MUA)
That's because Postfix does not support in-line comments in PCRE
patterns. The multi-line pattern is unfolded first, and the first
comment gobbles up all the remaining text. If you strip all the
comments:
$ postmap -q 'Content-Type: name=test.exe.txt; charset=us-ascii'
pcre:/tmp/foo.pcre
$ postmap -q 'Content-Type: name=test.exe; charset=us-ascii'
pcre:/tmp/foo.pcre
REJECT blocked filename test.exe
With /tmp/foo.pcre containing:
# block windows executables PCRE
/^Content-(?:Disposition|Type):
(?:.*?;)? \s*
(?:file)?name \s* = \s*?
(
.*?(\.|=2E)
(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh)
)
(?:\?=)?
?
\s*(;|$)
/x REJECT blocked filename ${1}
--
Viktor.
Re: FYI: blocking attachment extensions
Viktor Dukhovni: interesting - none of both blocking a empty textfile renamed to test.exe i have all 3 for now enabled and the 3rd one rejects (Thunderbird as MUA) That's because Postfix does not support in-line comments in PCRE patterns. The multi-line pattern is unfolded first, and the first comment gobbles up all the remaining text. If you strip all the comments: You can put the comment on the line before the code that the comment applies to. #comment code Wietse
Re: FYI: blocking attachment extensions
Am 16.09.2014 um 21:42 schrieb Viktor Dukhovni:
On Tue, Sep 16, 2014 at 09:28:11PM +0200, li...@rhsoft.net wrote:
# block windows executables PCRE
/^\s*Content-(?:Disposition|Type): # Header label
(?:.*?;)? \s* # Any prior attributes
(?:file)?name\s*=\s*?# name or filename
(# Capture name for response
.*?(\.|=2E)# File basename and .
(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh) # Capture risky extensions
)# Close capture
(?:\?=)? # Trailer of ad-hoc RFC 2047
encoding
? # Optional close quote
\s*(;|$) # End of attribute or header
/x
[ untested ]
thanks!
interesting - none of both blocking a empty textfile renamed to test.exe
i have all 3 for now enabled and the 3rd one rejects (Thunderbird as MUA)
That's because Postfix does not support in-line comments in PCRE
patterns. The multi-line pattern is unfolded first, and the first
comment gobbles up all the remaining text. If you strip all the
comments:
$ postmap -q 'Content-Type: name=test.exe.txt; charset=us-ascii'
pcre:/tmp/foo.pcre
$ postmap -q 'Content-Type: name=test.exe; charset=us-ascii'
pcre:/tmp/foo.pcre
REJECT blocked filename test.exe
With /tmp/foo.pcre containing:
# block windows executables PCRE
/^Content-(?:Disposition|Type):
(?:.*?;)? \s*
(?:file)?name \s* = \s*?
(
.*?(\.|=2E)
(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh)
)
(?:\?=)?
?
\s*(;|$)
/x REJECT blocked filename ${1}
uhm i removed all comments AFAIK
that are 3 single lines without any break not added by the mail-client
i now attached it as a file and still only (Rule 3) hits
# Reject Attachment Extensions
/^Content-(?:Disposition|Type):
(?:.*?;)? \s*
(?:file)?name \s* = \s*?
(
.*?(\.|=2E)
(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh)
)
(?:\?=)?
?
\s*(;|$)
/x REJECT 554 Attachment Blocked (Rule 0)
/^\s*Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(\?=)??\s*$/x
REJECT 554 Attachment Blocked (Rule 1)
/^\s*Content-(?:Disposition|Type):(?:.*?;)?\s*(?:file)?name\s*=\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x
REJECT 554 Attachment Blocked (Rule 2)
/name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh)\/
REJECT 554 Attachment Blocked (Rule 3)
Re: FYI: blocking attachment extensions
On Tue, Sep 16, 2014 at 10:15:03PM +0200, li...@rhsoft.net wrote: I removed all comments AFAIK that are 3 single lines without any break not added by the mail-client I've copied the rule below into my test file, and it works: $ postmap -q 'Content-Type: name=test.exe; charset=us-ascii' pcre:/tmp/foo.pcre REJECT 554 Attachment Blocked (Rule 0) You've not posted your test input or postmap -q invocation with output. # Reject Attachment Extensions /^Content-(?:Disposition|Type): (?:.*?;)? \s* (?:file)?name \s* = \s*? ( .*?(\.|=2E) (386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh) ) (?:\?=)? ? \s*(;|$) /x REJECT 554 Attachment Blocked (Rule 0) /^\s*Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(\?=)??\s*$/x REJECT 554 Attachment Blocked (Rule 1) /^\s*Content-(?:Disposition|Type):(?:.*?;)?\s*(?:file)?name\s*=\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x REJECT 554 Attachment Blocked (Rule 2) /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked (Rule 3) -- Viktor.
Re: FYI: blocking attachment extensions
Am 16.09.2014 um 22:28 schrieb Viktor Dukhovni: On Tue, Sep 16, 2014 at 10:15:03PM +0200, li...@rhsoft.net wrote: I removed all comments AFAIK that are 3 single lines without any break not added by the mail-client I've copied the rule below into my test file, and it works: $ postmap -q 'Content-Type: name=test.exe; charset=us-ascii' pcre:/tmp/foo.pcre REJECT 554 Attachment Blocked (Rule 0) You've not posted your test input or postmap -q invocation with output. i just created a new empty file, named it test.exe and attached it to a mail in Tunderbird, only Rule 3 hits - hence the numbering your input does not contain what thunderbird passes no idea what the ? is for in the log, i just can't reproduce only Rule 3 hitting like with using the MUA Sep 16 22:13:02 mail-gw postfix/cleanup[16214]: 3hyFxB6g0cz1y: reject: header Content-Type: application/octet-stream;? name=test.exe from *.*.*.*; from=*** to=*** proto=ESMTP helo=srv-rhsoft.rhsoft.net: 5.7.1 554 Attachment Blocked (Rule 3) [root@mail-gw:~]$ postmap -q 'Content-Type: name=test.exe; charset=us-ascii' pcre:/etc/postfix/mime_header_checks.cf REJECT 554 Attachment Blocked (Rule 0) [root@mail-gw:~]$ postmap -q 'Content-Type: application/octet-stream;? name=test.exe' pcre:/etc/postfix/mime_header_checks.cf REJECT 554 Attachment Blocked (Rule 1) [root@mail-gw:~]$ postmap -q 'Content-Type: application/octet-stream; name=test.exe' pcre:/etc/postfix/mime_header_checks.cf REJECT 554 Attachment Blocked (Rule 0) # Reject Attachment Extensions /^Content-(?:Disposition|Type): (?:.*?;)? \s* (?:file)?name \s* = \s*? ( .*?(\.|=2E) (386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh) ) (?:\?=)? ? \s*(;|$) /x REJECT 554 Attachment Blocked (Rule 0) /^\s*Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(\?=)??\s*$/x REJECT 554 Attachment Blocked (Rule 1) /^\s*Content-(?:Disposition|Type):(?:.*?;)?\s*(?:file)?name\s*=\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x REJECT 554 Attachment Blocked (Rule 2) /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked (Rule 3)
Re: FYI: blocking attachment extensions
On Tue, Sep 16, 2014 at 10:41:01PM +0200, li...@rhsoft.net wrote: $ postmap -q 'Content-Type: name=test.exe; charset=us-ascii' pcre:/tmp/foo.pcre REJECT 554 Attachment Blocked (Rule 0) You've not posted your test input or postmap -q invocation with output. I just created a new empty file, named it test.exe and attached it to a mail in Thunderbird, only Rule 3 hits - hence the numbering. And where is your postmap -q test, with the verbatim header from the received message? no idea what the ? is for in the log, i just can't reproduce only It stands for a newline (\n). Rule 3 hitting like with using the MUA Sep 16 22:13:02 mail-gw postfix/cleanup[16214]: 3hyFxB6g0cz1y: reject: header Content-Type: application/octet-stream;? name=test.exe Then the cleanup you're using does not have the right pattern, test with: $ postmap -q $(printf 'Content-Type: application/octet-stream;\n\tname=test.exe; charset=us-ascii') pcre:/tmp/foo.pcre REJECT 554 Attachment Blocked (Rule 0) Perhaps you need to postfix reload or other pilot error. -- Viktor.
Re: FYI: blocking attachment extensions
MIMEDefang allows you to do all this, plus you can call Perl modules like File::Type on attachments to figure out if the file has been mistyped (i.e. the content-type disagrees with what the actual file header and/or file extension says it is). -Philip On Sep 16, 2014, at 12:04 PM, li...@rhsoft.net wrote: (yes i know it's not 100% perfect in any case) but anybody using mime_header_checks by one of the similar howtos out there should review the configuration - without \ at the end of the regex this is prone to false positives two examples from real world (.scr and .com wrongly rejected) * name=strace.Scripting-with-the-xss.pdf.txt * filename=BOOKING.COM: Hotel 342802.PDF i think this was the one i followed http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html _ cat /etc/postfix/mime_header_checks.cf # Reject Attachment-Extensions /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|ocx|pcd|pif|pl|reg|scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked
Re: FYI: blocking attachment extensions
Am 17.09.2014 um 00:18 schrieb Philip Prindeville: MIMEDefang allows you to do all this, plus you can call Perl modules like File::Type on attachments to figure out if the file has been mistyped (i.e. the content-type disagrees with what the actual file header and/or file extension says it is). thanks - but the idea is not to add another layer there are already clamav and spamassassin as milter the intention is to avoid the additional layers in case of bad extensions current question is why a test.exe attached by Thunderbird works fine with Viktors rule with postmap but not in real operations while it was made sure the config file is used adn all reloaded On Sep 16, 2014, at 12:04 PM, li...@rhsoft.net wrote: (yes i know it's not 100% perfect in any case) but anybody using mime_header_checks by one of the similar howtos out there should review the configuration - without \ at the end of the regex this is prone to false positives two examples from real world (.scr and .com wrongly rejected) * name=strace.Scripting-with-the-xss.pdf.txt * filename=BOOKING.COM: Hotel 342802.PDF i think this was the one i followed http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html _ cat /etc/postfix/mime_header_checks.cf # Reject Attachment-Extensions /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|ocx|pcd|pif|pl|reg|scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked
RE: FYI: blocking attachment extensions
Here is my suggestion: The idea is simple, don't allow attachments that can be executed by network users and scan everything else (such as docs). For that, I use amavid-new with decoders, 7zip for .zip instead of the perl library used by amavisd-new (it fails on many .zip). I pretty much covered all file types and quarantined (not blocked) executables since ClamAV and another commercial AV missed few signatures (zero day protection may take 23 hours). With the help of header_check in Postfix I use a passphrase in subject in order to avoid the banning in amavis (redirect to a second amavis socket with a different policy map) whenever executables or encrypted files are needed to be sent in legit scenarios. Marius. -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of li...@rhsoft.net Sent: Tuesday, September 16, 2014 9:38 PM To: postfix-users@postfix.org Subject: Re: FYI: blocking attachment extensions Am 16.09.2014 um 20:34 schrieb Wietse Venema: li...@rhsoft.net: (yes i know it's not 100% perfect in any case) but anybody using mime_header_checks by one of the similar howtos out there should review the configuration - without \ at the end of the regex this is prone to false positives Caution: MIME allows names in this context without , as long as those names contain no whitespace etc. thanks for the hint i am open for suggestions how to optimize that in general without raise false positives - at the end there is clamd but mime_header_checks is cheaper two examples from real world (.scr and .com wrongly rejected) * name=strace.Scripting-with-the-xss.pdf.txt * filename=BOOKING.COM: Hotel 342802.PDF i think this was the one i followed http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.htm l _ cat /etc/postfix/mime_header_checks.cf # Reject Attachment-Extensions /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cnv|com|cpl| crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|msc|msi|msp|mst|o cx|pcd|pif|pl|reg|scr|script|sct|sh|shb|shs|sys|so|tlb|vb|vbe|vbs|wiz |wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked
Re: FYI: blocking attachment extensions
li...@rhsoft.net: Content-Type: application/octet-stream; name=test.exe To test multiline headers, use postmap -h -q Wietse
Re: FYI: blocking attachment extensions
On Tue, Sep 16, 2014 at 07:14:51PM -0400, Wietse Venema wrote: li...@rhsoft.net: Content-Type: application/octet-stream; name=test.exe To test multiline headers, use postmap -h -q That's of course with postmap -h -q - when reading messages (or message headers) from a file. When the header string is a command-line argument: postmap -q ...header data... pcre:/some/path.pcre the -h option is not needed and not available. -- Viktor.
Re: FYI: blocking attachment extensions
Am 17.09.2014 um 01:19 schrieb Viktor Dukhovni: On Tue, Sep 16, 2014 at 07:14:51PM -0400, Wietse Venema wrote: li...@rhsoft.net: Content-Type: application/octet-stream; name=test.exe To test multiline headers, use postmap -h -q That's of course with postmap -h -q - when reading messages (or message headers) from a file. When the header string is a command-line argument: postmap -q ...header data... pcre:/some/path.pcre the -h option is not needed and not available i still don't understand why postmap has a result but with postfix Viktors rule don't catch the attachment and so finally my one from the initial posting two lines below triggers
Re: FYI: blocking attachment extensions
Viktor Dukhovni: On Tue, Sep 16, 2014 at 07:14:51PM -0400, Wietse Venema wrote: li...@rhsoft.net: Content-Type: application/octet-stream; name=test.exe To test multiline headers, use postmap -h -q That's of course with postmap -h -q - when reading messages (or message headers) from a file. When the header string is a command-line argument: postmap -q ...header data... pcre:/some/path.pcre the -h option is not needed and not available. Multi-line arguments have resulted in privilege escalation with Sendmail. I'm not fond of multi-line command-line arguments, and consider it sloppiness that postmap allows them. To simulate multiline input, one can feed into stdin. printf whatever | postmap -q - ... Wietse
Re: FYI: blocking attachment extensions
On Wed, Sep 17, 2014 at 01:24:27AM +0200, li...@rhsoft.net wrote: I still don't understand why postmap has a result but with postfix Viktors rule don't catch the attachment and so finally my one from the initial posting two lines below triggers The live configuration must differ from the test configuration, or your test is flawed. Submit mail with sendmail(1): ( printf 'From: %s\n' $(id -nu) printf 'To: %s\n' $(id -nu) printf 'Subject: test %d\n' $(date +%s) printf 'MIME-Version: 1.0\n' printf 'Content-Type: application/octet-stream;\n' printf ' name=test.exe; charset=us-ascii\n' printf '\n' printf 'Hi there.\n' ) | /usr/sbin/sendmail -it Likewise: ( printf 'From: %s\n' $(id -nu) printf 'To: %s\n' $(id -nu) printf 'Subject: test %d\n' $(date +%s) printf 'MIME-Version: 1.0\n' printf 'Content-Type: application/octet-stream;\n' printf ' name=test.exe; charset=us-ascii\n' printf '\n' printf 'Hi there.\n' ) | postmap -h -q - $(postconf -hx mime_header_checks) Compare mail logs with command-line output. If not the same, something in your configuration is causing a different set of rules to be used. Perhaps you've multiple cleanup instances (different cleanup for submission). -- Viktor.
Re: FYI: blocking attachment extensions
On 16 Sep 2014, at 13:00 , Viktor Dukhovni postfix-us...@dukhovni.org wrote: On Tue, Sep 16, 2014 at 01:41:36PM -0500, Noel Jones wrote: I've used the below for a few years with good results. It's better, but surely not perfect. # block windows executables PCRE /^\s*Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)( ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta| inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws| ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf| vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)??\s*$/x This assumes that name or filename is the last attribute in the header. It might instead be followed by a ; and more attributes. So for a bit more generality, try the below: # block windows executables PCRE /^\s*Content-(?:Disposition|Type): # Header label (?:.*?;)? \s*# Any prior attributes (?:file)?name\s*=\s*? # name or filename ( # Capture name for response .*?(\.|=2E)# File basename and . (ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta| inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws| ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf| vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh) # Capture risky extensions ) # Close capture (?:\?=)?# Trailer of ad-hoc RFC 2047 encoding ? # Optional close quote \s*(;|$)# End of attribute or header /x [ untested ] Hmm. I’ve been using the same check as Noel for many years. More than 10. I’ve never received an attachment in that list, so … -- The Earth is like a tiny grain of sand, only much, much heavier.
Re: FYI: blocking attachment extensions
Am 17.09.2014 um 01:42 schrieb Viktor Dukhovni: On Wed, Sep 17, 2014 at 01:24:27AM +0200, li...@rhsoft.net wrote: I still don't understand why postmap has a result but with postfix Viktors rule don't catch the attachment and so finally my one from the initial posting two lines below triggers The live configuration must differ from the test configuration, or your test is flawed. you may not believe it but there is no live / test - just one configuration the test is just send a mail with Thunderbird and a example attachment, in the case below a zerobyte file named test.exe.txt.sh, added to a new message with subject and body test Compare mail logs with command-line output. If not the same, something in your configuration is causing a different set of rules to be used. Perhaps you've multiple cleanup instances (different cleanup for submission) for sure not - there is no submission - just Port 25 and the config file is used because it reflects comment out rules and do the same test after reload postfix that was the reason to add (Rule XX) to the reject message __ that is the log: Sep 17 01:53:57 mail-gw postfix/cleanup[28448]: 3hyLr521BVz1l: reject: header Content-Type: application/x-shellscript;? name=test.exe.txt.sh from **; from=h.rei...@test.thelounge.net to= proto=ESMTP helo=srv-rhsoft.rhsoft.net: 5.7.1 554 Attachment Blocked (Rule 4) __ that is the content of the config - the config is used 100% for sure because befor the hitting rule had (Rule 3) and yours was on top with (Rule 0) now renumbered tu (Rule 1) [root@mail-gw:~]$ cat postfix/mime_header_checks.cf # Reject Attachment Extensions /^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = \s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x REJECT 554 Attachment Blocked (Rule 1) /^\s*Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(\?=)??\s*$/x REJECT 554 Attachment Blocked (Rule 2) /^\s*Content-(?:Disposition|Type):(?:.*?;)?\s*(?:file)?name\s*=\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x REJECT 554 Attachment Blocked (Rule 3) /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked (Rule 4)
Re: FYI: blocking attachment extensions
*argh* regexp versus pcre i only replaced the regex without realite the different map type that's why i posted postconf -n :-( however, works now, thank you! Am 17.09.2014 um 01:59 schrieb li...@rhsoft.net: Am 17.09.2014 um 01:42 schrieb Viktor Dukhovni: On Wed, Sep 17, 2014 at 01:24:27AM +0200, li...@rhsoft.net wrote: I still don't understand why postmap has a result but with postfix Viktors rule don't catch the attachment and so finally my one from the initial posting two lines below triggers The live configuration must differ from the test configuration, or your test is flawed. you may not believe it but there is no live / test - just one configuration the test is just send a mail with Thunderbird and a example attachment, in the case below a zerobyte file named test.exe.txt.sh, added to a new message with subject and body test Compare mail logs with command-line output. If not the same, something in your configuration is causing a different set of rules to be used. Perhaps you've multiple cleanup instances (different cleanup for submission) for sure not - there is no submission - just Port 25 and the config file is used because it reflects comment out rules and do the same test after reload postfix that was the reason to add (Rule XX) to the reject message __ that is the log: Sep 17 01:53:57 mail-gw postfix/cleanup[28448]: 3hyLr521BVz1l: reject: header Content-Type: application/x-shellscript;? name=test.exe.txt.sh from **; from=h.rei...@test.thelounge.net to= proto=ESMTP helo=srv-rhsoft.rhsoft.net: 5.7.1 554 Attachment Blocked (Rule 4) __ that is the content of the config - the config is used 100% for sure because befor the hitting rule had (Rule 3) and yours was on top with (Rule 0) now renumbered tu (Rule 1) [root@mail-gw:~]$ cat postfix/mime_header_checks.cf # Reject Attachment Extensions /^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = \s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x REJECT 554 Attachment Blocked (Rule 1) /^\s*Content-(Disposition|Type).*name\s*=\s*?(.*(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(\?=)??\s*$/x REJECT 554 Attachment Blocked (Rule 2) /^\s*Content-(?:Disposition|Type):(?:.*?;)?\s*(?:file)?name\s*=\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x REJECT 554 Attachment Blocked (Rule 3) /name=[^]*\.(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh)\/ REJECT 554 Attachment Blocked (Rule 4)
