Postfix + MailScanner : Attachment Filename check problem !!!!

Mãn Từ Ngọc tungocman at gmail.com
Fri Apr 17 16:38:11 IST 2009


Hi everyone!

   I have set up an email system using Postfix + MailScanner 4.67.6 (with Perl
version 5.008009 (5.8.9)) on FreeBSD 7.1-RELEASE.

   Postfix runs as user postfix
   MailScanner runs as user postfix

   I configured my MailScanner to deny all attachments whose filename
is .exe or .com

   Then I tested it by sending an email that included an attachment named
ATF-cleaner.exe,
   but MailScanner has a problem when checking the attachment: MailScanner
reports that the File checker failed with real error.
   Please see the log file below for more information.

   But if I configure MailScanner to run as user root then everything is OK,
   but I really don't want to allow MailScanner to run as user root.

   I am posting all my log file results and all the information required to
debug below.

Please help me!
Thanks!

------------------------
in my /etc/passwd:   I have user root, postfix, clamav, spamd
in my /etc/group:
   user root is the owner of group wheel
   user postfix, clamav, spamd are the members of group mail

-------------------------
/var/log/mailog -> MailScanner Log result:

Apr 17 11:46:40 ngthcm MailScanner[99877]: MailScanner E-Mail Virus Scanner version 4.67.6 starting...
Apr 17 11:46:40 ngthcm MailScanner[99877]: Could not read Custom Functions directory
Apr 17 11:46:40 ngthcm MailScanner[99877]: Read 814 hostnames from the phishing whitelist
Apr 17 11:46:40 ngthcm MailScanner[99877]: Read 5511 hostnames from the phishing blacklist
Apr 17 11:46:40 ngthcm MailScanner[99877]: SpamAssassin temporary working directory is /var/spool/MailScanner/incomingwork/SpamAssassin-Temp
Apr 17 11:46:40 ngthcm MailScanner[99877]: Using SpamAssassin results cache
Apr 17 11:46:40 ngthcm MailScanner[99877]: Connected to SpamAssassin cache database
Apr 17 11:46:40 ngthcm MailScanner[99877]: Enabling SpamAssassin auto-whitelist functionality...
Apr 17 11:46:43 ngthcm MailScanner[99863]: Using locktype = flock
Apr 17 11:46:43 ngthcm MailScanner[99863]: New Batch: Scanning 1 messages, 72921 bytes
Apr 17 11:46:43 ngthcm MailScanner[99863]: SpamAssassin cache hit for message AB0264AC26.475FA
Apr 17 11:46:43 ngthcm MailScanner[99881]: SafePipe in Message.pm : /usr/local/bin/unrar v -p- '/var/spool/MailScanner/incomingwork/99863/AB0264AC26.475FA/ATF-Cleaner.exe' 2>&1 failed with real error: Insecure dependency in exec while running with -T switch at /usr/local/lib/MailScanner/MailScanner/Message.pm line 2888.
Apr 17 11:46:43 ngthcm MailScanner[99881]: Virus and Content Scanning: Starting
Apr 17 11:46:44 ngthcm MailScanner[99881]: Filename Checks: (AB0264AC26.475FA ATF-Cleaner.exe)
Apr 17 11:46:44 ngthcm MailScanner[99883]: File checker failed with real error: Insecure dependency in exec while running with -T switch at /usr/local/lib/MailScanner/MailScanner/SweepOther.pm line 356.


------------------------
/usr/local/etc/MailScanner/MailScanner.conf :

# Configuration directory containing this file
%etc-dir% = /usr/local/etc/MailScanner

# Set the directory containing all the reports in the required language
%report-dir% = /usr/local/etc/MailScanner/reports/en

# Rulesets directory containing your ".rules" files
%rules-dir% = /usr/local/etc/MailScanner/rules

Run As User = postfix
Run As Group = mail
Queue Scan Interval = 6
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Run As User = postfix
Run As Group = mail
Incoming Work Dir = /var/spool/MailScanner/incomingwork
Quarantine Dir = /var/spool/MailScanner/quarantine
Incoming Work User =
InComing Work Group =
Incoming Work Permissions = 0660
Quarantine User =
Quarantine Group =
Quarantine Permissions = 0660
Allow Filenames =
Deny Filenames =
Filenames Rules = %etc-dir%/filename.rules.conf

-----------
/usr/local/etc/MailScanner/filename.rules.conf

# These 2 added by popular demand - Very often used by viruses
deny    \.com$          Windows/DOS Executable
deny    \.exe$          Windows/DOS Executable

-------------
ngthcm# ls -l /var/spool/
drwxrwxr-x   6 postfix  mail    512 Apr 17 12:01 MailScanner
drwxrwxr-x  17 root     mail    512 Apr 16 16:38 postfix

ngthcm# ls -l /var/spool/MailScanner/
-rw-------   1 postfix  mail  10240 Apr 17 12:02 SpamAssassin.cache.db
drwxrwxr-x  11 postfix  mail    512 Apr 17 12:02 incomingwork
drwxrwxr-x   2 postfix  mail    512 Apr 17 12:02 lockfile-dir
drwxrwxr-x   2 postfix  mail    512 Apr 13 15:26 quarantine
drwxrwxr-x   2 postfix  mail    512 Apr 16 12:42 spamassassin

ngthcm# ls -l /var/spool/postfix/
drwx------   2 postfix  mail      512 Apr 17 03:01 .spamassassin
drwxrwxr-x   2 postfix  mail      512 Apr 17 11:23 active
drwxrwxr-x   2 postfix  mail      512 Apr 17 11:23 bounce
drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 corrupt
drwxrwxr-x  14 postfix  mail      512 Apr  9 23:28 defer
drwxrwxr-x  14 postfix  mail      512 Apr  9 23:28 deferred
drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 flush
drwxrwxr-x   2 postfix  mail      512 Apr 17 11:25 hold
drwxrwxr-x   2 postfix  mail      512 Apr 17 11:25 incoming
drwxrwxr-x   2 postfix  maildrop  512 Apr 17 03:01 maildrop
drwxrwxr-x   2 root     mail      512 Apr  6 01:14 pid
drwxrwxr-x   2 postfix  mail      512 Apr 17 11:38 private
drwxrwxr-x   2 postfix  maildrop  512 Apr 17 11:38 public
drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 saved
drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 trace

ngthcm# ls -la /usr/local/lib/MailScanner/MailScanner
drwxrwxr-x  3 root  mail    1024 Apr  9 00:04 .
drwxrwxr-x  3 root  mail     512 Apr  9 00:04 ..
-r-xr-xr-x  1 root  mail    4357 Apr  9 00:04 BinHex.pm
-r-xr-xr-x  1 root  mail  104100 Apr  9 00:04 Config.pm
-r-xr-xr-x  1 root  mail   22104 Apr  9 00:04 ConfigDefs.pl
-r-xr-xr-x  1 root  mail   56745 Apr  9 00:04 CustomConfig.pm
drwxr-xr-x  2 root  mail     512 Apr  9 00:04 CustomFunctions
-r-xr-xr-x  1 root  mail   49221 Apr  9 00:04 Exim.pm
-r-xr-xr-x  1 root  mail   17799 Apr  9 00:04 EximDiskStore.pm
-r-xr-xr-x  1 root  mail    7772 Apr  9 00:04 GenericSpam.pm
-r-xr-xr-x  1 root  mail   12821 Apr  9 00:04 Lock.pm
-r-xr-xr-x  1 root  mail    5128 Apr  9 00:04 Log.pm
-r-xr-xr-x  1 root  mail   17369 Apr  9 00:04 MCP.pm
-r-xr-xr-x  1 root  mail   24524 Apr  9 00:04 MCPMessage.pm
-r-xr-xr-x  1 root  mail    2992 Apr  9 00:04 Mail.pm
-r-xr-xr-x  1 root  mail  273077 Apr 17 00:26 Message.pm
-r-xr-xr-x  1 root  mail   38942 Apr  9 00:04 MessageBatch.pm
-r-xr-xr-x  1 root  mail   27915 Apr  9 00:04 PFDiskStore.pm
-r-xr-xr-x  1 root  mail   65287 Apr  9 00:04 Postfix.pm
-r-xr-xr-x  1 root  mail   14565 Apr  9 00:04 QMDiskStore.pm
-r-xr-xr-x  1 root  mail   28039 Apr  9 00:04 Qmail.pm
-r-xr-xr-x  1 root  mail    8201 Apr  9 00:04 Quarantine.pm
-r-xr-xr-x  1 root  mail    1695 Apr  9 00:04 Queue.pm
-r-xr-xr-x  1 root  mail    9400 Apr  9 00:04 RBLs.pm
-r-xr-xr-x  1 root  mail   44737 Apr  9 00:04 SA.pm
-r-xr-xr-x  1 root  mail   19245 Apr  9 00:04 SMDiskStore.pm
-r-xr-xr-x  1 root  mail   38114 Apr  9 00:04 Sendmail.pm
-r-xr-xr-x  1 root  mail   30229 Apr  9 00:04 SweepContent.pm
-r-xr-xr-x  1 root  mail   27660 Apr  9 00:04 SweepOther.pm
-r-xr-xr-x  1 root  mail  128436 Apr  9 00:04 SweepViruses.pm
-r-xr-xr-x  1 root  mail    1446 Apr  9 00:04 SystemDefs.pm
-r-xr-xr-x  1 root  mail   11895 Apr  9 00:04 TNEF.pm
-r-xr-xr-x  1 root  mail    9840 Apr  9 00:04 WorkArea.pm
-r-xr-xr-x  1 root  mail   15231 Apr  9 00:04 ZMDiskStore.pm
-r-xr-xr-x  1 root  mail   33755 Apr  9 00:04 ZMailer.pm

-------------------------------
ngthcm# /usr/local/sbin/mailscanner -v
Running on
FreeBSD ngthcm 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009     root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
This is Perl version 5.008009 (5.8.9)

This is MailScanner version 4.67.6
Module versions are:
1.00    AnyDBM_File
1.26    Archive::Zip
1.10    Carp
2.015   Compress::Zlib
1.119   Convert::BinHex
2.27    Date::Parse
1.02    DirHandle
1.06    Fcntl
2.77    File::Basename
2.13    File::Copy
2.01    FileHandle
2.07_02 File::Path
0.21    File::Temp
0.92    Filesys::Df
3.60    HTML::Entities
3.60    HTML::Parser
3.57    HTML::TokeParser
1.23    IO
1.14    IO::File
1.13    IO::Pipe
2.04    Mail::Header
1.89    Math::BigInt
3.07    MIME::Base64
5.427   MIME::Decoder
5.427   MIME::Decoder::UU
5.427   MIME::Head
5.427   MIME::Parser
3.07    MIME::QuotedPrint
5.427   MIME::Tools
0.13    Net::CIDR
1.15    POSIX
1.19    Scalar::Util
1.81    Socket
1.4     Sys::Hostname::Long
0.27    Sys::Syslog
1.9719  Time::HiRes
1.02    Time::localtime

Optional module versions are:
1.46    Archive::Tar
0.23    bignum
missing Business::ISBN
missing Business::ISBN::Data
missing Data::Dump
1.817   DB_File
1.14    DBD::SQLite
1.607   DBI
1.15    Digest
1.01    Digest::HMAC
2.37    Digest::MD5
2.11    Digest::SHA1
1.01    Encode::Detect
0.17015 Error
0.24    ExtUtils::CBuilder
2.19    ExtUtils::ParseXS
2.37    Getopt::Long
missing Inline
1.08    IO::String
1.09    IO::Zlib
missing IP::Country
missing Mail::ClamAV
3.002005        Mail::SpamAssassin
v2.006  Mail::SPF
missing Mail::SPF::Query
0.32    Module::Build
missing Net::CIDR::Lite
0.65    Net::DNS
v0.003  Net::DNS::Resolver::Programmable
missing Net::LDAP
 4.024  NetAddr::IP
missing Parse::RecDescent
missing SAVI
2.64    Test::Harness
missing Test::Manifest
1.98    Text::Balanced
1.37    URI
0.76    version
0.68    YAML
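
The "Insecure dependency in exec while running with -T switch" error in the log above is raised by Perl's taint mode when exec is handed data that originated outside the program. The following is an added example, not MailScanner code and not part of the original post: a standalone script that reproduces that message with a fork-then-exec pipe and then passes the same filename after untainting it through an allow-list regex. The helper names, the filename pattern and the use of /bin/echo as the command are assumptions of the demo.

```perl
#!/usr/bin/perl -T
# Added illustration, not MailScanner code. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

$| = 1;    # flush before forking so buffered output is not duplicated

# Zero-length string that carries taint ($^X, the perl binary path, is tainted).
my $TAINT = substr($^X, 0, 0);

# exec under -T also requires a trusted environment.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Fork a child, exec @cmd in it, and return whatever the child printed.
sub safe_pipe {
    my @cmd = @_;
    my $pid = open(my $kid, '-|');    # implicit fork; child STDOUT -> $kid
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        no warnings 'exec';
        eval { exec { $cmd[0] } @cmd };    # dies here if any arg is tainted
        print 'exec refused: ', ($@ || "$!\n");
        exit 1;
    }
    local $/;
    my $out = <$kid>;
    close $kid;
    return $out;
}

# Untaint by capturing from an allow-list regex (pattern is an assumption).
sub untaint_filename {
    my ($name) = @_;
    return $name =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,254})\z/ ? $1 : undef;
}

# Constructed sample: a filename as it would arrive from outside the program.
my $attachment = 'ATF-Cleaner.exe' . $TAINT;
print 'tainted before check: ', (tainted($attachment) ? 'yes' : 'no'), "\n";
print 'raw name   -> ', safe_pipe('/bin/echo', 'checking', $attachment);

my $clean = untaint_filename($attachment);
die "filename rejected by allow-list\n" unless defined $clean;
print 'tainted after check:  ', (tainted($clean) ? 'yes' : 'no'), "\n";
print 'clean name -> ', safe_pipe('/bin/echo', 'checking', $clean);
```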