Postfix + MailScanner : Attachment Filename check problem !!!!

Martin Hepworth maxsec at gmail.com
Fri Apr 17 16:58:02 IST 2009


Seems there's problems with perl 5.8.9 on FreeBSD - see earlier posts on
installing 5.8.8 from the ports system and using that instead.

2009/4/17 Mãn Từ Ngọc <tungocman at gmail.com>

> Hi everyone!
>
>    I have setup an email system use: Postfix + MailScanner 4.67.6 (with
> Perl version 5.008009 (5.8.9)) On FreeBSD 7.1-RELEASE
>
>    Postfix run as user postfix
>    MailScanner run as user postfix
>
>    I config my Mailscanner to deny all attachments which have the filename
> is .exe or .com
>
>    Then I test it by sending an email include the attachment which have the
> name is ATF-cleaner.exe,
>    but the MailScanner have problem when check the attachment, MailScanner
> report that File checker failed with real error,
>    please see the log file below for more information
>
>    but if i config MailScanner to run as user root then everything is OK,
>    but i really don't want to allow MailScanner to run as user root.
>
>    I post all my log file results, and all required information to debug
> below.
>
> Please help me!
> Thanks!
>
> ------------------------
> in my /etc/passwd:   I have user root, postfix, clamav, spamd
> in my /etc/group:
>    user root is the owner of group wheel
>    user postfix, clamav, spamd are the members of group mail
>
> -------------------------
> /var/log/mailog -> MailScanner Log result:
>
> Apr 17 11:46:40 ngthcm MailScanner[99877]: MailScanner E-Mail Virus Scanner
> version 4.67.6 starting...
> Apr 17 11:46:40 ngthcm MailScanner[99877]: Could not read Custom Functions
> directory
> Apr 17 11:46:40 ngthcm MailScanner[99877]: Read 814 hostnames from the
> phishing whitelist
> Apr 17 11:46:40 ngthcm MailScanner[99877]: Read 5511 hostnames from the
> phishing blacklist
> Apr 17 11:46:40 ngthcm MailScanner[99877]: SpamAssassin temporary working
> directory is /var/spool/MailScanner/incomingwork/SpamAssassin-Temp
> Apr 17 11:46:40 ngthcm MailScanner[99877]: Using SpamAssassin results cache
> Apr 17 11:46:40 ngthcm MailScanner[99877]: Connected to SpamAssassin cache
> database
> Apr 17 11:46:40 ngthcm MailScanner[99877]: Enabling SpamAssassin
> auto-whitelist functionality...
> Apr 17 11:46:43 ngthcm MailScanner[99863]: Using locktype = flock
> Apr 17 11:46:43 ngthcm MailScanner[99863]: New Batch: Scanning 1 messages,
> 72921 bytes
> Apr 17 11:46:43 ngthcm MailScanner[99863]: SpamAssassin cache hit for
> message AB0264AC26.475FA
> Apr 17 11:46:43 ngthcm MailScanner[99881]: SafePipe in Message.pm :
> /usr/local/bin/unrar v -p-
> '/var/spool/MailScanner/incomingwork/99863/AB0264AC26.475FA/ATF-Cleaner.exe'
> 2>&1 failed with real error: Insecure dependency in exec while running with
> -T switch at /usr/local/lib/MailScanner/MailScanner/Message.pm line 2888.
> Apr 17 11:46:43 ngthcm MailScanner[99881]: Virus and Content Scanning:
> Starting
> Apr 17 11:46:44 ngthcm MailScanner[99881]: Filename Checks:
> (AB0264AC26.475FA ATF-Cleaner.exe)
> Apr 17 11:46:44 ngthcm MailScanner[99883]: File checker failed with real
> error: Insecure dependency in exec while running with -T switch at
> /usr/local/lib/MailScanner/MailScanner/SweepOther.pm line 356.
>
>
> ------------------------
> /usr/local/etc/MailScanner/MailScanner.conf :
>
> # Configuration directory containing this file
> %etc-dir% = /usr/local/etc/MailScanner
>
> # Set the directory containing all the reports in the required language
> %report-dir% = /usr/local/etc/MailScanner/reports/en
>
> # Rulesets directory containing your ".rules" files
> %rules-dir% = /usr/local/etc/MailScanner/rules
>
> Run As User = postfix
> Run As Group = mail
> Queue Scan Interval = 6
> Incoming Queue Dir = /var/spool/postfix/hold
> Outgoing Queue Dir = /var/spool/postfix/incoming
> Run As User = postfix
> Run As Group = mail
> Incoming Work Dir = /var/spool/MailScanner/incomingwork
> Quarantine Dir = /var/spool/MailScanner/quarantine
> Incoming Work User =
> InComing Work Group =
> Incoming Work Permissions = 0660
> Quarantine User =
> Quarantine Group =
> Quarantine Permissions = 0660
> Allow Filenames =
> Deny Filenames =
> Filenames Rules = %etc-dir%/filename.rules.conf
>
> -----------
> /usr/local/etc/MailScanner/filename.rules.conf
>
> # These 2 added by popular demand - Very often used by viruses
> deny    \.com$          Windows/DOS Executable
> deny    \.exe$          Windows/DOS Executable
>
> -------------
> ngthcm# ls -l /var/spool/
> drwxrwxr-x   6 postfix  mail    512 Apr 17 12:01 MailScanner
> drwxrwxr-x  17 root     mail    512 Apr 16 16:38 postfix
>
> ngthcm# ls -l /var/spool/MailScanner/
> -rw-------   1 postfix  mail  10240 Apr 17 12:02 SpamAssassin.cache.db
> drwxrwxr-x  11 postfix  mail    512 Apr 17 12:02 incomingwork
> drwxrwxr-x   2 postfix  mail    512 Apr 17 12:02 lockfile-dir
> drwxrwxr-x   2 postfix  mail    512 Apr 13 15:26 quarantine
> drwxrwxr-x   2 postfix  mail    512 Apr 16 12:42 spamassassin
>
> ngthcm# ls -l /var/spool/postfix/
> drwx------   2 postfix  mail      512 Apr 17 03:01 .spamassassin
> drwxrwxr-x   2 postfix  mail      512 Apr 17 11:23 active
> drwxrwxr-x   2 postfix  mail      512 Apr 17 11:23 bounce
> drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 corrupt
> drwxrwxr-x  14 postfix  mail      512 Apr  9 23:28 defer
> drwxrwxr-x  14 postfix  mail      512 Apr  9 23:28 deferred
> drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 flush
> drwxrwxr-x   2 postfix  mail      512 Apr 17 11:25 hold
> drwxrwxr-x   2 postfix  mail      512 Apr 17 11:25 incoming
> drwxrwxr-x   2 postfix  maildrop  512 Apr 17 03:01 maildrop
> drwxrwxr-x   2 root     mail      512 Apr  6 01:14 pid
> drwxrwxr-x   2 postfix  mail      512 Apr 17 11:38 private
> drwxrwxr-x   2 postfix  maildrop  512 Apr 17 11:38 public
> drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 saved
> drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 trace
>
> ngthcm# ls -la /usr/local/lib/MailScanner/MailScanner
> drwxrwxr-x  3 root  mail    1024 Apr  9 00:04 .
> drwxrwxr-x  3 root  mail     512 Apr  9 00:04 ..
> -r-xr-xr-x  1 root  mail    4357 Apr  9 00:04 BinHex.pm
> -r-xr-xr-x  1 root  mail  104100 Apr  9 00:04 Config.pm
> -r-xr-xr-x  1 root  mail   22104 Apr  9 00:04 ConfigDefs.pl
> -r-xr-xr-x  1 root  mail   56745 Apr  9 00:04 CustomConfig.pm
> drwxr-xr-x  2 root  mail     512 Apr  9 00:04 CustomFunctions
> -r-xr-xr-x  1 root  mail   49221 Apr  9 00:04 Exim.pm
> -r-xr-xr-x  1 root  mail   17799 Apr  9 00:04 EximDiskStore.pm
> -r-xr-xr-x  1 root  mail    7772 Apr  9 00:04 GenericSpam.pm
> -r-xr-xr-x  1 root  mail   12821 Apr  9 00:04 Lock.pm
> -r-xr-xr-x  1 root  mail    5128 Apr  9 00:04 Log.pm
> -r-xr-xr-x  1 root  mail   17369 Apr  9 00:04 MCP.pm
> -r-xr-xr-x  1 root  mail   24524 Apr  9 00:04 MCPMessage.pm
> -r-xr-xr-x  1 root  mail    2992 Apr  9 00:04 Mail.pm
> -r-xr-xr-x  1 root  mail  273077 Apr 17 00:26 Message.pm
> -r-xr-xr-x  1 root  mail   38942 Apr  9 00:04 MessageBatch.pm
> -r-xr-xr-x  1 root  mail   27915 Apr  9 00:04 PFDiskStore.pm
> -r-xr-xr-x  1 root  mail   65287 Apr  9 00:04 Postfix.pm
> -r-xr-xr-x  1 root  mail   14565 Apr  9 00:04 QMDiskStore.pm
> -r-xr-xr-x  1 root  mail   28039 Apr  9 00:04 Qmail.pm
> -r-xr-xr-x  1 root  mail    8201 Apr  9 00:04 Quarantine.pm
> -r-xr-xr-x  1 root  mail    1695 Apr  9 00:04 Queue.pm
> -r-xr-xr-x  1 root  mail    9400 Apr  9 00:04 RBLs.pm
> -r-xr-xr-x  1 root  mail   44737 Apr  9 00:04 SA.pm
> -r-xr-xr-x  1 root  mail   19245 Apr  9 00:04 SMDiskStore.pm
> -r-xr-xr-x  1 root  mail   38114 Apr  9 00:04 Sendmail.pm
> -r-xr-xr-x  1 root  mail   30229 Apr  9 00:04 SweepContent.pm
> -r-xr-xr-x  1 root  mail   27660 Apr  9 00:04 SweepOther.pm
> -r-xr-xr-x  1 root  mail  128436 Apr  9 00:04 SweepViruses.pm
> -r-xr-xr-x  1 root  mail    1446 Apr  9 00:04 SystemDefs.pm
> -r-xr-xr-x  1 root  mail   11895 Apr  9 00:04 TNEF.pm
> -r-xr-xr-x  1 root  mail    9840 Apr  9 00:04 WorkArea.pm
> -r-xr-xr-x  1 root  mail   15231 Apr  9 00:04 ZMDiskStore.pm
> -r-xr-xr-x  1 root  mail   33755 Apr  9 00:04 ZMailer.pm
>
> -------------------------------
> ngthcm# /usr/local/sbin/mailscanner -v
> ]Running on
> FreeBSD ngthcm 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC
> 2009     root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
> This is Perl version 5.008009 (5.8.9)
>
> This is MailScanner version 4.67.6
> Module versions are:
> 1.00    AnyDBM_File
> 1.26    Archive::Zip
> 1.10    Carp
> 2.015   Compress::Zlib
> 1.119   Convert::BinHex
> 2.27    Date::Parse
> 1.02    DirHandle
> 1.06    Fcntl
> 2.77    File::Basename
> 2.13    File::Copy
> 2.01    FileHandle
> 2.07_02 File::Path
> 0.21    File::Temp
> 0.92    Filesys::Df
> 3.60    HTML::Entities
> 3.60    HTML::Parser
> 3.57    HTML::TokeParser
> 1.23    IO
> 1.14    IO::File
> 1.13    IO::Pipe
> 2.04    Mail::Header
> 1.89    Math::BigInt
> 3.07    MIME::Base64
> 5.427   MIME::Decoder
> 5.427   MIME::Decoder::UU
> 5.427   MIME::Head
> 5.427   MIME::Parser
> 3.07    MIME::QuotedPrint
> 5.427   MIME::Tools
> 0.13    Net::CIDR
> 1.15    POSIX
> 1.19    Scalar::Util
> 1.81    Socket
> 1.4     Sys::Hostname::Long
> 0.27    Sys::Syslog
> 1.9719  Time::HiRes
> 1.02    Time::localtime
>
> Optional module versions are:
> 1.46    Archive::Tar
> 0.23    bignum
> missing Business::ISBN
> missing Business::ISBN::Data
> missing Data::Dump
> 1.817   DB_File
> 1.14    DBD::SQLite
> 1.607   DBI
> 1.15    Digest
> 1.01    Digest::HMAC
> 2.37    Digest::MD5
> 2.11    Digest::SHA1
> 1.01    Encode::Detect
> 0.17015 Error
> 0.24    ExtUtils::CBuilder
> 2.19    ExtUtils::ParseXS
> 2.37    Getopt::Long
> missing Inline
> 1.08    IO::String
> 1.09    IO::Zlib
> missing IP::Country
> missing Mail::ClamAV
> 3.002005        Mail::SpamAssassin
> v2.006  Mail::SPF
> missing Mail::SPF::Query
> 0.32    Module::Build
> missing Net::CIDR::Lite
> 0.65    Net::DNS
> v0.003  Net::DNS::Resolver::Programmable
> missing Net::LDAP
>  4.024  NetAddr::IP
> missing Parse::RecDescent
> missing SAVI
> 2.64    Test::Harness
> missing Test::Manifest
> 1.98    Text::Balanced
> 1.37    URI
> 0.76    version
> 0.68    YAML
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>


-- 
Martin Hepworth
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090417/a438e120/attachment-0001.html


More information about the MailScanner mailing list