Filename rule question
Marco Induni
minduni at ti-edu.ch
Wed Jul 4 16:45:29 IST 2007
Glenn Steen wrote:
> On 04/07/07, Marco Induni <minduni at ti-edu.ch> wrote:
>> Glenn Steen wrote:
>> > On 03/07/07, Marco Induni <minduni at ti-edu.ch> wrote:
>> >> Hi All,
>> >> I try to deny some email attachments based just on the filename.
>> >> So I set up the following test rule to deny all attachments for email
>> >> sent to me at pluto.com (obviously just a real address)
>> >>
>> >> - in /etc/MailScanner/Mailscanner.conf
>> >> -- Filename Rules = %rules-dir%/filename-rules.rules
>> >>
>> >> - in /etc/MailScanner/rules/filename-rules.rules
>> >> -- To: me at pluto.com /etc/MailScanner/filename-alldeny.conf
>> >> -- FromOrTo: default
>> >> /etc/MailScanner/filename-nocheck.rules.conf
>> >>
>> >> - in /etc/MailScanner/filename-alldeny.conf
>> >> -- deny .* - -
>> >>
>> >> - in /etc/MailScanner/filename-nocheck.rules.conf
>> >> -- allow .* - -
>> >>
>> >>
>> >> So I expect that any attachment will be denied, but that is not true.
>> >> It seems that everything is passing through, and the rule is not
>> >> matching anything.
>> >> I've done MailScanner --lint and no syntax errors appear.
>> >> I've also tried the standard rules enclosed (deny .exe .reg,...), but
>> >> they didn't work.
>> >
>> > When troubleshooting things like these, always double-check your
>> > assumptions with MailScanner itself... Try "MailScanner --help" to see
>> > the possible things you can do ... apart from the well-known --debug
>> > and --lint (start by doing a lint... it'll show you any bad syntax
>> > errors), you can also try any setting with any sender/receiver .... In
>> > your case you'd test
>> > MailScanner --value=filenamerules --from=anyone at example.net
>> > --to=me at pluto.com
>> > and perhaps some variations ... Replace with addresses valid to your
>> > situation.
>> >
>> Glenn,
>> thanks for the suggestions. I've verified with Mailscanner
>> --value=filenamerules and the various addresses to be sure that the result
>> points to the rule that denies the attachment (see below)
>>
>> Looked up internal option name "filenamerules"
>> With sender = root at xxx
>> recipient = xxx at xx
>> Client IP =
>> Virus =
>> Result is "/etc/MailScanner/filename-alldeny.conf"
>>
>>
>> But unfortunately the attachments are still allowed.
>> I've double-checked to see if I've placed a space instead of a TAB in the
>> rule, but all seems OK.
>>
>> Also, MailScanner --lint doesn't get any syntax error.
>>
>> Actually I've tested on MailScanner 4.58.9 and 4.61.7 with the same
>> result.
>>
>> On the /etc/MailScanner/filename-alldeny.conf there is just
>> deny .* - -
>>
>> and in MailScanner.conf
>>
>> Allow Filenames =
>> Deny Filenames =
>> Filename Rules = %rules-dir%/filename-rules.rules
>>
>>
>> No idea :-(
>>
> Just a thought, but your quotes of the files in your first message....
> Do they begin with "--" or "allow/deny"? That is: are there 4 fields in
> the file, separated by <TAB>, or five (I think the lint would catch
> this, so ... probably nothing...:-).
>
Hi Glenn,
unfortunately, the file is correct. I added the -- for indentation in the
mail only, but it looks like a field.
Also, as you said, this error (and even the lost TAB) is caught by the
--lint option.
> Also, you should pay extra attention to whether it is filename or
> filetype rules kicking in (in the logs... Perhaps you have MailWatch?
> Makes things ... easier to see:-).
Uhm, I don't have MailWatch installed, but in the log I can't see the
rules involved. Do I have to activate some flag, or are there special logs?
The rules appear to be correct when I tested via the "MailScanner
--value=filenamerules ...."
> I always try to make filenames and filetypes functionally equivalent:).
> Paying attention to one's logs is never wrong anyway, so ... you
> wouldn't have any log snippets to look at, for a relevant test run?
>
> When you send these messages, or indeed any messages sent to you, if
> the mail has more recipients than one... then the rules applicable to
> the first recipient will "win" for all of them... So you might need
> to split messages/recipient (look in the wiki how to do this... At least
> Postfix and Sendmail can do this for you), to be sure what rules will
> trigger for a specific message/recipient combination.
Good point, but in my test I'm the only recipient.
>
> Cheers
Grazie (Thank you)
--
Marco Induni
Universita` della Svizzera italiana
Servizi informatici / TI-EDU
Galleria 2
CH-6928 Manno (Switzerland)
E-mail: minduni at ti-edu.ch
Tel: +41 58 666 6656
Fax: +41 58 666 6650
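
Added example (not part of the original message and not MailScanner's own code): a small Python check for the filename rules files discussed in this thread, flagging lines typed with spaces or with an extra leading field and showing which rule decides a given filename. It assumes the four TAB-separated field layout mentioned above, first-match-wins evaluation, and Python's re module as a stand-in for MailScanner's Perl regular expressions; the function names and sample file contents are constructed for illustration.

```python
import re

ACTIONS = {"allow", "deny"}  # only the actions that appear in the thread

def parse_rules(text):
    """Parse a filename rules file; return (rules, problems)."""
    rules, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: fields are separated by one or more TABs, never spaces.
        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            hint = " (spaces used instead of TABs?)" if len(line.split()) == 4 else ""
            problems.append(f"line {n}: want 4 TAB-separated fields, got {len(fields)}{hint}")
            continue
        action, pattern, _log_text, _user_text = fields
        if action.lower() not in ACTIONS:
            problems.append(f"line {n}: unknown action {action!r}")
            continue
        try:
            rules.append((n, action.lower(), re.compile(pattern)))
        except re.error as exc:
            problems.append(f"line {n}: bad regex {pattern!r}: {exc}")
    return rules, problems

def decide(rules, filename):
    """Assumption: the first matching rule wins; no match means allow."""
    for n, action, rx in rules:
        if rx.search(filename):
            return action, n
    return "allow", None

# Constructed sample files, modelled on the lines quoted in the thread.
ALLDENY = "deny\t.*\t-\t-\n"            # TAB-separated, four fields
WITH_SPACES = "deny .* - -\n"           # same text typed with spaces
WITH_DASHES = "--\tdeny\t.*\t-\t-\n"    # leading "--" makes five fields
MIXED = "allow\t\\.txt$\t-\t-\ndeny\t.*\t-\t-\n"

if __name__ == "__main__":
    for name in ("ALLDENY", "WITH_SPACES", "WITH_DASHES", "MIXED"):
        rules, problems = parse_rules(globals()[name])
        print(name, problems or [decide(rules, f) for f in ("notes.txt", "a.exe")])
```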