Filename rule question

Glenn Steen glenn.steen at gmail.com
Wed Jul 4 10:59:30 IST 2007


On 04/07/07, Marco Induni <minduni at ti-edu.ch> wrote:
> Glenn Steen wrote:
> > On 03/07/07, Marco Induni <minduni at ti-edu.ch> wrote:
> >> Hi All,
> >> I try to deny some email attachments based just on the filename.
> >> So I set up the following test rule to deny all attachments for email
> >> sent to me at pluto.com (obviously just a real address)
> >>
> >> - in /etc/MailScanner/Mailscanner.conf
> >> -- Filename Rules = %rules-dir%/filename-rules.rules
> >>
> >> - in /etc/MailScanner/rules/filename-rules.rules
> >> -- To: me at pluto.com           /etc/MailScanner/filename-alldeny.conf
> >> -- FromOrTo: default          /etc/MailScanner/filename-nocheck.rules.conf
> >>
> >> - in /etc/MailScanner/filename-alldeny.conf
> >> -- deny    .*      -            -
> >>
> >> - in /etc/MailScanner/filename-nocheck.rules.conf
> >> -- allow    .*      -           -
> >>
> >>
> >> So I expect that any attachment will be denied, but that is not true.
> >> It seems that everything is passing through, and the rule is not
> >> matching anything.
> >> I've done MailScanner --lint and no syntax errors appear.
> >> I've also tried the standard rules enclosed (deny .exe .reg,...), but
> >> they didn't work.
> >
> > When troubleshooting things like these, always double-check your
> > assumptions with MailScanner itself... Try "MailScanner --help" to see
> > the possible things you can do ... apart from the well-known --debug
> > and --lint (start by doing a lint... it'll show you any bad syntax
> > errors), you can also try any setting with any sender/receiver .... In
> > your case you'd test
> > MailScanner --value=filenamerules --from=anyone at example.net --to=me at pluto.com
> > and perhaps some variations ... Replace with addresses valid to your
> > situation.
> >
> Glenn,
> thanks for the suggestions. I've verified with MailScanner
> --value=filenamerules and the various addresses to be sure that the result
> points to the rule that denies the attachment (see below)
>
> Looked up internal option name "filenamerules"
> With sender = root at xxx
>    recipient = xxx at xx
> Client IP =
> Virus =
> Result is "/etc/MailScanner/filename-alldeny.conf"
>
>
> But unfortunately the attachments are still allowed.
> I've double-checked to see if I've placed spaces instead of TABs in the
> rule, but all seems ok.
>
> Also MailScanner --lint doesn't get any syntax errors.
>
> Actually I've tested on MailScanner 4.58.9 and 4.61.7 with the same result.
>
> In /etc/MailScanner/filename-alldeny.conf there is just
> deny    .*      -       -
>
> and in MailScanner.conf
>
> Allow Filenames =
> Deny Filenames =
> Filename Rules = %rules-dir%/filename-rules.rules
>
>
> No idea :-(
>
Just a thought, but your quotes of the files in your first message....
Do they begin with "--" or "allow/deny"? That is: are there 4 fields in
the file, separated by <TAB>, or five? (I think the lint would catch
this, so ... probably nothing...:-).

Also, you should pay extra attention to whether it is filename or
filetype rules kicking in (in the logs... Perhaps you have MailWatch?
Makes things ... easier to see:-).
I always try to make filenames and filetypes functionally equivalent:).
Paying attention to one's logs is never wrong anyway, so ... you
wouldn't have any log snippets to look at, for a relevant test run?

When you send these messages, or indeed any messages sent to you, if
the mail has more recipients than one... then the rules applicable to
the first recipient will "win" for all of them... So you might need to
split messages/recipient (look in the wiki how to do this... At least
Postfix and Sendmail can do this for you), to be sure what rules will
trigger for a specific message/recipient combination.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
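
Added example (not part of the original post and not MailScanner code): a small Python checker for the field-count question raised above, which also reports which rule would decide for a given attachment name. It assumes fields are separated by one or more TABs, that allow and deny are the only actions, that the first matching rule decides, and that Python's re is close enough to the Perl patterns in use; check_rules, first_match and SAMPLE are hypothetical names.

```python
import re
import sys

ACTIONS = {"allow", "deny"}  # assumption: only the two actions seen in the thread

# Constructed sample: line 2 is the rule from the thread, line 3 uses spaces
# instead of TABs, line 4 has a leading "--" that makes a fifth field.
SAMPLE = (
    "# constructed test file\n"
    "deny\t.*\t-\t-\n"
    "deny    .*      -       -\n"
    "--\tallow\t.*\t-\t-\n"
)

def check_rules(text):
    """Return (rules, problems) for the text of a filename rules file."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = re.split(r"\t+", stripped)  # assumption: one or more TABs
        if len(fields) != 4:
            problems.append((lineno, f"{len(fields)} TAB-separated field(s), expected 4"))
            continue
        action, pattern = fields[0].lower(), fields[1]
        if action not in ACTIONS:
            problems.append((lineno, f"unknown action {fields[0]!r}"))
            continue
        try:
            rules.append((lineno, action, re.compile(pattern)))
        except re.error as exc:
            problems.append((lineno, f"bad pattern {pattern!r}: {exc}"))
    return rules, problems

def first_match(rules, filename):
    """Return (action, lineno) of the first rule matching filename, else None."""
    for lineno, action, regex in rules:
        if regex.search(filename):
            return action, lineno
    return None

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    rules, problems = check_rules(text)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    for name in ("report.pdf", "setup.exe"):
        print(name, "->", first_match(rules, name))
```

Run it with the path of the rules file that "MailScanner --value=filenamerules" reports for the recipient, so the file being checked is the one actually selected.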

