block exe and other attachments

  • Rowland Onobrauche
    Message 1 of 18, Sep 16, 2013
      I am currently using mime_header_checks to block certain attachments with such a string - /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
      This, however, does not stop me from receiving 100s of exes and other suspect attachments - which are being blocked by mailscanner; however, I want these blocked at the SMTP transaction stage.
      Can anyone suggest a better way of doing this, so that the checks are successful at smtp transaction?

      rowland
    • Wietse Venema
      Message 2 of 18, Sep 16, 2013
        Rowland Onobrauche:
        > I am currently using mime_header_checks to block certain attachments
        > with such a string - /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
        > This however does not stop me from receiving 100s of exes and other
        > suspect attachments - which are being blocked by mailscanner,
        > however, i want these blocking at the smtp transaction stage. Can
        > anyone suggest a better way of doing this, so that the checks are
        > successful at smtp transaction?

        You made a configuration error. Unfortunately, I am not telepathic.

        Wietse
      • Rowland Onobrauche
        Message 3 of 18, Sep 16, 2013
          On 16 Sep 2013, at 11:38, Wietse Venema wrote:

          > Rowland Onobrauche:
          >> I am currently using mime_header_checks to block certain attachments
          >> with such a string - /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
          >> This however does not stop me from receiving 100s of exes and other
          >> suspect attachments - which are being blocked by mailscanner,
          >> however, i want these blocking at the smtp transaction stage. Can
          >> anyone suggest a better way of doing this, so that the checks are
          >> successful at smtp transaction?
          >
          > You made a configuration error. Unfortunately, I am not telepathic.
          >
          > Wietse

          Not very helpful.
          Does anyone else have any advice on this?
        • Wijatmoko U. Prayitno
          Message 4 of 18, Sep 16, 2013
            On Mon, 16 Sep 2013 12:01:38 +0100
            Rowland Onobrauche <secfocuslist@...> wrote:

            > > You made a configuration error. Unfortunately, I am
            > > not telepathic.
            > >
            > > Wietse
            >
            > Not very helpful.
            > Does anyone else have any advice on this?
            >
            show your configuration, as Wietse said we're not
            telepathic..

            --
            WUP
          • Leonardo Rodrigues
            Message 5 of 18, Sep 16, 2013
              On 16/09/13 08:01, Rowland Onobrauche wrote:
              >
              > You made a configuration error. Unfortunately, I am not telepathic.
              >
              > Wietse
              > Not very helpful.
              > Does anyone else have any advice on this?

              given all the information (this is a joke) you provided, I would
              advise you to configure postfix correctly !!



              --


              Atenciosamente / Sincerily,
              Leonardo Rodrigues
              Solutti Tecnologia
              http://www.solutti.com.br

              Minha armadilha de SPAM, NÃO mandem email
              gertrudes@...
              My SPAMTRAP, do not email it
            • James Day
              Message 6 of 18, Sep 16, 2013
                > -----Original Message-----
                > From: owner-postfix-users@... [mailto:owner-postfix-
                > users@...] On Behalf Of Rowland Onobrauche
                > Sent: 16 September 2013 12:02
                > To: Postfix users
                > Subject: Re: block exe and other attachments
                >
                >
                > On 16 Sep 2013, at 11:38, Wietse Venema wrote:
                >
                > > Rowland Onobrauche:
                > >> I am currently using mime_header_checks to block certain attachments
                > >> with such a string - /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
                > >> This however does not stop me from receiving 100s of exes and other
                > >> suspect attachments - which are being blocked by mailscanner,
                > >> however, i want these blocking at the smtp transaction stage. Can
                > >> anyone suggest a better way of doing this, so that the checks are
                > >> successful at smtp transaction?
                > >
                > > You made a configuration error. Unfortunately, I am not telepathic.
                > >
                > > Wietse
                >
                > Not very helpful.
                > Does anyone else have any advice on this?

                Unfortunately you have not provided enough information. At the very least you should be posting relevant logs and postconf -n output.

                Kind regards,

                James Day
              • Larry Stone
                Message 7 of 18, Sep 16, 2013
                  On Sep 16, 2013, at 6:01 AM, Rowland Onobrauche <secfocuslist@...> wrote:

                  >
                  > On 16 Sep 2013, at 11:38, Wietse Venema wrote:
                  >
                  >> Rowland Onobrauche:
                  >>> I am currently using mime_header_checks to block certain attachments
                  >>> with such a string - /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
                  >>> This however does not stop me from receiving 100s of exes and other
                  >>> suspect attachments - which are being blocked by mailscanner,
                  >>> however, i want these blocking at the smtp transaction stage. Can
                  >>> anyone suggest a better way of doing this, so that the checks are
                  >>> successful at smtp transaction?
                  >>
                  >> You made a configuration error. Unfortunately, I am not telepathic.
                  >>
                  >> Wietse
                  >
                  > Not very helpful.
                  > Does anyone else have any advice on this?


                  Per the message you received when you subscribed to this list,
                  TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

                  We're not mindreaders and if you do not provide the information requested, we can't tell you what you did wrong.

                  --
                  Larry Stone
                  lstone19@...
                  http://www.stonejongleux.com/
                • Rowland Onobrauche
                  Message 8 of 18, Sep 16, 2013
                    On 16 Sep 2013, at 12:26, Larry Stone wrote:

                    >
                    > On Sep 16, 2013, at 6:01 AM, Rowland Onobrauche <secfocuslist@...> wrote:
                    >
                    >>
                    >> On 16 Sep 2013, at 11:38, Wietse Venema wrote:
                    >>
                    >>> Rowland Onobrauche:
                    >>>> I am currently using mime_header_checks to block certain attachments
                    >>>> with such a string - /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
                    >>>> This however does not stop me from receiving 100s of exes and other
                    >>>> suspect attachments - which are being blocked by mailscanner,
                    >>>> however, i want these blocking at the smtp transaction stage. Can
                    >>>> anyone suggest a better way of doing this, so that the checks are
                    >>>> successful at smtp transaction?
                    >>>
                    >>> You made a configuration error. Unfortunately, I am not telepathic.
                    >>>
                    >>> Wietse
                    >>
                    >> Not very helpful.
                    >> Does anyone else have any advice on this?
                    >
                    >
                    > Per the message you received when you subscribed to this list,
                    > TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
                    >
                    > We're not mindreaders and if you do not provide the information requested, we can't tell you what you did wrong.
                    >
                    > --
                    > Larry Stone
                    > lstone19@...
                    > http://www.stonejongleux.com/
                    >
                    >
                    >


                    Postfix config

                    postconf -n
                    alias_database = hash:/etc/aliases
                    alias_maps = hash:/etc/aliases
                    command_directory = /usr/sbin
                    config_directory = /etc/postfix
                    daemon_directory = /usr/libexec/postfix
                    data_directory = /var/lib/postfix
                    debug_peer_level = 2
                    disable_vrfy_command = yes
                    header_checks = regexp:/etc/postfix/header_checks
                    html_directory = no
                    inet_interfaces = localhost, $myhostname
                    inet_protocols = all
                    mail_owner = postfix
                    mailq_path = /usr/bin/mailq.postfix
                    manpage_directory = /usr/share/man
                    message_size_limit = 15728640
                    mime_header_checks = regexp:/etc/postfix/mime_header_checks
                    mydestination = $myhostname, localhost.$mydomain, localhost
                    mydomain = xx.uk
                    myhostname = xx.uk
                    mynetworks = 127.0.0.1, x.x.x.x.33
                    mynetworks_style = host
                    newaliases_path = /usr/bin/newaliases.postfix
                    queue_directory = /var/spool/postfix
                    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
                    relay_domains = hash:/etc/postfix/relay_domains.cf
                    sample_directory = /usr/share/doc/postfix-2.6.6/samples
                    sendmail_path = /usr/sbin/sendmail.postfix
                    setgid_group = postdrop
                    smtpd_banner = $myhostname
                    smtpd_client_restrictions = reject_unknown_client, check_client_access regexp:/etc/postfix/client_restrictions
                    smtpd_delay_reject = yes
                    smtpd_helo_required = yes
                    smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/access_helo, permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
                    smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client nomail.rhsbl.sorbs.net, reject_rbl_client http.dnsbl.sorbs.net, reject_rbl_client pbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client zombie.dnsbl.sorbs.net, whitelist_policy, permit
                    smtpd_restriction_classes = whitelist_policy,
                    smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_invalid_hostname, reject_unknown_sender_domain, permit
                    strict_rfc821_envelopes = no
                    transport_maps = hash:/etc/postfix/transports.cf
                    unknown_local_recipient_reject_code = 550
                    virtual_alias_maps = hash:/etc/postfix/virtual


                    cat mime_header_checks
                    /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
                  • Wijatmoko U. Prayitno
                    Message 9 of 18, Sep 16, 2013
                      On Mon, 16 Sep 2013 12:41:08 +0100
                      Rowland Onobrauche <secfocuslist@...> wrote:

                      > mime_header_checks = regexp:/etc/postfix/mime_header_checks
                      >
                      Ok.

                      > cat mime_header_checks
                      > /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
                      >
                      Try..

                      /^s*Content­(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected

                      Don't forget to restart/reload your postfix. Good luck..

                      --
                      WUP
                    • DTNX Postmaster
                      Message 10 of 18, Sep 16, 2013
                        On Sep 16, 2013, at 13:41, Rowland Onobrauche <secfocuslist@...> wrote:

                        > Postfix config
                        >
                        > postconf -n

                        [snip]

                        > mime_header_checks = regexp:/etc/postfix/mime_header_checks

                        > cat mime_header_checks
                        > /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT

                        http://www.postfix.org/header_checks.5.html

                        The manpage gives a perfectly good example of how to do this, using a
                        PCRE pattern. Have you tried that example? Has worked fine for us for
                        years.

                        Mvg,
                        Joni
                      • Wijatmoko U. Prayitno
                        Message 11 of 18, Sep 16, 2013
                          On Mon, 16 Sep 2013 19:05:44 +0700
                          "Wijatmoko U. Prayitno" <koko@...> wrote:

                          > /^s*Content­(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected
                          >
                          Revision of the above pattern..

                          /^s*Content­.(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected

                          Here is the log..

                          Sep 16 19:59:10 mail postfix/cleanup[30773]: 52A22258253: reject: header Content-Type: application/x-msdos-program;? name="find.exe" from subdomain.domain.com [A.B.C.D]; from=<test@...> to=<test@...> proto=ESMTP helo=<subdomain.domain.com>: 5.7.1 Files attached to emails that contain or end in "exe" are prohibited on this server as they may contain viruses. The file named "find.exe" was rejected

                          --
                          WUP
                        • Leonardo Rodrigues
                          Message 12 of 18, Sep 16, 2013
                            On 16/09/13 08:41, Rowland Onobrauche wrote:
                            >
                            > cat mime_header_checks
                            > /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
                            >
                            >

                            Rules catch what they were written to catch, which is not the same
                            thing as what you expect them to catch. If it's not catching what you want it
                            to, that's because the rule is not correct/incomplete.

                            As already stated by others, there are rules much more complete
                            that match other kinds of file attachments and are much more effective
                            than yours.

                            I have struggled for quite a long time trying to reach the 'perfect'
                            PCRE expression for that until I gave up and let amavis do that. It's
                            simply easier and much more reliable/effective to do that in some piece
                            of software that 'understands' the MIME complication instead of doing it in
                            postfix, which doesn't.




                            --


                            Atenciosamente / Sincerily,
                            Leonardo Rodrigues
                            Solutti Tecnologia
                            http://www.solutti.com.br

                            Minha armadilha de SPAM, NÃO mandem email
                            gertrudes@...
                            My SPAMTRAP, do not email it
                          • Viktor Dukhovni
                            Message 13 of 18, Sep 16, 2013
                              On Mon, Sep 16, 2013 at 07:05:44PM +0700, Wijatmoko U. Prayitno wrote:

                              > Try..
                              >
                              > /^s*Content?(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected

                              The above is broken, DO NOT use this.

                              --
                              Viktor.
                            • Noel Jones
                              Message 14 of 18, Sep 16, 2013
                                On 9/16/2013 6:41 AM, Rowland Onobrauche wrote:

                                >
                                > Postfix config
                                >
                                > postconf -n
                                > smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client nomail.rhsbl.sorbs.net, reject_rbl_client http.dnsbl.sorbs.net, reject_rbl_client pbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client zombie.dnsbl.sorbs.net, whitelist_policy, permit


                                I'm wondering about the purpose of "whitelist_policy, permit". That's far
                                too late in processing for a whitelist.


                                >
                                > cat mime_header_checks
                                > /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT

                                Your expression is broken.

                                There's an excellent example on the header_checks(5) man page. Note
                                this is PCRE and not regexp.
                                http://www.postfix.org/header_checks.5.html

                                /etc/postfix/header_checks.pcre:
                                    /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
                                      ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
                                      hlp|ht[at]|
                                      inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
                                      \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
                                      ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
                                      vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
                                        REJECT Attachment name "$2" may not end with ".$4"


                                If this expression doesn't catch something you think it should, show
                                the mime headers of the offending message.



                                -- Noel Jones
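
Added example, not part of the post above or of the Postfix documentation: a Python harness that runs the original poster's pattern and the header_checks(5) pattern quoted above over constructed MIME headers, to show where the two differ. It assumes Python's `re` with IGNORECASE and DOTALL approximates Postfix's table matching, and that a folded header reaches the table as one string with its line break kept; `verdict` and `SAMPLES` are names made up for this example, and it does not diagnose the poster's own setup.

```python
import re

# Postfix regexp:/pcre: tables match case-insensitively by default (re.I).
# re.S lets "." cross the line break of a folded header (assumption: models
# the pcre: table default).
FLAGS = re.I | re.S

# The original poster's pattern, exactly as shown in the thread.
OP_PATTERN = re.compile(r'name=[^>]*\.(scr|pif|bat|exe|dll|vbs)', FLAGS)

# The header_checks(5) pattern as quoted in the thread. Python's re has no
# [[:xdigit:]] class, so it is written [0-9a-f] here; the /x flag is re.X.
MANPAGE_PATTERN = re.compile(r'''
    ^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
      ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
      hlp|ht[at]|
      inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
      \{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}|
      ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
      vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)
''', FLAGS | re.X)

# Constructed sample headers (not taken from real mail).
SAMPLES = {
    # Folded header, as in the log line posted in the thread.
    "folded_exe": 'Content-Type: application/x-msdos-program;\n\tname="find.exe"',
    # ".exe" appears inside the name, but the file is a PDF.
    "pdf_with_exe_inside": 'Content-Disposition: attachment; '
                           'filename="notes.executive.pdf"',
    # RFC 2047 encoded-word: the dot is written as =2E.
    "encoded_dot": 'Content-Type: application/octet-stream; '
                   'name="=?iso-8859-1?Q?invoice=2Escr?="',
    # Whitespace around "=".
    "spaced_equals": 'Content-Disposition: attachment; filename = "setup.bat"',
    # Ordinary attachment that neither pattern should touch.
    "plain_pdf": 'Content-Type: application/pdf; name="report.pdf"',
}


def verdict(header):
    """Return (op_rejects, manpage_rejects, manpage_reply_or_None)."""
    m = MANPAGE_PATTERN.search(header)
    reply = None
    if m:
        # Same $2 / $4 substitution as the REJECT text in the man page example.
        reply = 'Attachment name "%s" may not end with ".%s"' % (
            m.group(2), m.group(4))
    return (OP_PATTERN.search(header) is not None, m is not None, reply)


if __name__ == "__main__":
    print("%-22s %-10s %-10s %s" % ("sample", "original", "man page", "reply"))
    for label, header in SAMPLES.items():
        op, man, reply = verdict(header)
        print("%-22s %-10s %-10s %s" % (
            label,
            "REJECT" if op else "pass",
            "REJECT" if man else "pass",
            reply or ""))
```

On a Postfix host the real table can be queried the same way with `postmap -q "<header text>" pcre:/etc/postfix/header_checks.pcre`.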
                              • Rowland Onobrauche
                                Message 15 of 18, Sep 16, 2013
                                  On 16 Sep 2013, at 15:39, Noel Jones wrote:

                                  > On 9/16/2013 6:41 AM, Rowland Onobrauche wrote:
                                  >
                                  >>
                                  >> Postfix config
                                  >>
                                  >> postconf -n
                                  >> smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client nomail.rhsbl.sorbs.net, reject_rbl_client http.dnsbl.sorbs.net, reject_rbl_client pbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client zombie.dnsbl.sorbs.net, whitelist_policy, permit
                                  >
                                  >
                                  > I'm wondering the purpose of "whitelist_policy, permit". That's far
                                  > too late in processing for a whitelist.
                                  >
                                  >
                                  >>
                                  >> cat mime_header_checks
                                  >> /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
                                  >
                                  > Your expression is broken.
                                  >
                                  > There's an excellent example on the header_checks(5) man page. Note
                                  > this is PCRE and not regexp.
                                  > http://www.postfix.org/header_checks.5.html
                                  >
                                  > /etc/postfix/header_checks.pcre:
                                  > /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
                                  > ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
                                  > hlp|ht[at]|
                                  > inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
                                  >
                                  > \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
                                  > ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
                                  > vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
                                  > REJECT Attachment name "$2" may not end with ".$4"
                                  >
                                  >
                                  > If this expression doesn't catch something you think it should, show
                                  > the mime headers of the offending message.
                                  >
                                  >
                                  >
                                  > -- Noel Jones
                                  Ok, cheers Noel. I have not tried the PCRE yet. And regarding the whitelist_policy - disregard it...it does not do what it sounds like it should.
                                • Rowland Onobrauche
                                  Message 16 of 18, Sep 16, 2013
                                    On 16 Sep 2013, at 14:03, Wijatmoko U. Prayitno wrote:

                                    > On Mon, 16 Sep 2013 19:05:44 +0700
                                    > "Wijatmoko U. Prayitno" <koko@...> wrote:
                                    >
                                    >> /^s*Content­(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected
                                    >>
                                    > Revision the above pattern..
                                    >
                                    > /^s*Content­.(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected
                                    >
                                    > Here the log..
                                    >
                                    > Sep 16 19:59:10 mail postfix/cleanup[30773]: 52A22258253: reject: header Content-Type: application/x-msdos-program;? name="find.exe" from subdomain.domain.com [A.B.C.D]; from=<test@...> to=<test@...> proto=ESMTP helo=<subdomain.domain.com>: 5.7.1 Files attached to emails that contain or end in "exe" are prohibited on this server as they may contain viruses. The file named "find.exe" was rejected
                                    >
                                    > --
                                    > WUP


                                    Thanks. I will try this out...
                                  • Rowland Onobrauche
                                    Message 17 of 18, Sep 17, 2013
                                      On 16 Sep 2013, at 15:39, Noel Jones wrote:

                                      > On 9/16/2013 6:41 AM, Rowland Onobrauche wrote:
                                      >
                                      >>
                                      >> Postfix config
                                      >>
                                      >> postconf -n
                                      >> smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client nomail.rhsbl.sorbs.net, reject_rbl_client http.dnsbl.sorbs.net, reject_rbl_client pbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client zombie.dnsbl.sorbs.net, whitelist_policy, permit
                                      >
                                      >
                                      > I'm wondering the purpose of "whitelist_policy, permit". That's far
                                      > too late in processing for a whitelist.
                                      >
                                      >
                                      >>
                                      >> cat mime_header_checks
                                      >> /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
                                      >
                                      > Your expression is broken.
                                      >
                                      > There's an excellent example on the header_checks(5) man page. Note
                                      > this is PCRE and not regexp.
                                      > http://www.postfix.org/header_checks.5.html
                                      >
                                      > /etc/postfix/header_checks.pcre:
                                      > /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
                                      > ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
                                      > hlp|ht[at]|
                                      > inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
                                      >
                                      > \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
                                      > ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
                                      > vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
                                      > REJECT Attachment name "$2" may not end with ".$4"
                                      >
                                      >
                                      > If this expression doesn't catch something you think it should, show
                                      > the mime headers of the offending message.
                                      >
                                      >
                                      >
                                      > -- Noel Jones


                                      Thanks to all that contributed to a possible resolution. I have decided to allow the attachments and leave them to mailscanner to filter/quarantine, as some we are receiving are actually legit attachments.
                                      At least if they are quarantined, I have the option to release.


                                      thanks
                                    • Stan Hoeppner
                                      Message 18 of 18, Sep 17, 2013
                                        On 9/17/2013 5:08 AM, Rowland Onobrauche wrote:
                                        ...
                                        > Thanks to all that contributed to a possible resolution. I have decided to allow the attachments and leave them to mailscanner to filter/quarantine as some we are receiving are actually legit attachments.
                                        > At least if they are quarantined, i have the option to release.

                                        Have you ever been unable to see the forest because the trees are
                                        blocking your view of it?

                                        Those unwanted attachments are a symptom of your problem, not the
                                        problem itself. They are the trees blocking your view of the forest.

                                        The forest here is bot spam. Snowshoe spammers don't typically send
                                        malware attachments. You may also see this come from compromised hosts
                                        or webmail accounts.

                                        To stop the bot spam you need to use one of

                                        1. Postscreen - requires Postfix 2.8 or later
                                        2. A greylisting policy daemon such as postgrey for your Postfix 2.6.6.
                                        3. fqrdns.pcre

                                        Google will give you information on all of these. After reading up,
                                        pick your poison. Mailscanner may do the job, but the above will do so
                                        without wasting machine resources (queue bandwidth, CPU time, RAM, etc).
                                        And don't forget, Mailscanner is not supported by Postfix, as it breaks
                                        API rules and acts directly on the queue.

                                        --
                                        Stan