Postfix + MailScanner : Attachment Filename check problem !!!!

Man Ngoc what.why.how.2009 at gmail.com
Sat Apr 18 06:20:17 IST 2009


Hi Martin!
     Thanks for your reply. I will try your idea, then post the
results to you soon. Again, thanks for the help!


On Fri, Apr 17, 2009 at 10:58 PM, Martin Hepworth <maxsec at gmail.com> wrote:
>
>> Seems there are problems with Perl 5.8.9 on FreeBSD - see earlier posts on
>> installing 5.8.8 from the ports system and using that instead.
>>
>> 2009/4/17 Mãn Từ Ngọc <tungocman at gmail.com>
>>
>>> Hi everyone!
>>>
>>>    I have set up an email system using Postfix + MailScanner 4.67.6 (with
>>> Perl version 5.008009 (5.8.9)) on FreeBSD 7.1-RELEASE.
>>>
>>>    Postfix runs as user postfix
>>>    MailScanner runs as user postfix
>>>
>>>    I configured MailScanner to deny all attachments that have a
>>> .exe or .com filename.
>>>
>>>    Then I tested it by sending an email including an attachment
>>> named ATF-cleaner.exe,
>>>    but MailScanner has a problem when checking the attachment:
>>> MailScanner reports that the File checker failed with a real error.
>>>    Please see the log file below for more information.
>>>
>>>    But if I configure MailScanner to run as user root then everything is OK,
>>>    but I really don't want to allow MailScanner to run as user root.
>>>
>>>    I have posted all my log file results, and all the information required
>>> to debug, below.
>>>
>>> Please help me!
>>> Thanks!
>>>
>>> ------------------------
>>> in my /etc/passwd:   I have user root, postfix, clamav, spamd
>>> in my /etc/group:
>>>    user root is the owner of group wheel
>>>    user postfix, clamav, spamd are the members of group mail
>>>
>>> -------------------------
>>> /var/log/mailog -> MailScanner Log result:
>>>
>>> Apr 17 11:46:40 ngthcm MailScanner[99877]: MailScanner E-Mail Virus
>>> Scanner version 4.67.6 starting...
>>> Apr 17 11:46:40 ngthcm MailScanner[99877]: Could not read Custom
>>> Functions directory
>>> Apr 17 11:46:40 ngthcm MailScanner[99877]: Read 814 hostnames from the
>>> phishing whitelist
>>> Apr 17 11:46:40 ngthcm MailScanner[99877]: Read 5511 hostnames from the
>>> phishing blacklist
>>> Apr 17 11:46:40 ngthcm MailScanner[99877]: SpamAssassin temporary working
>>> directory is /var/spool/MailScanner/incomingwork/SpamAssassin-Temp
>>> Apr 17 11:46:40 ngthcm MailScanner[99877]: Using SpamAssassin results
>>> cache
>>> Apr 17 11:46:40 ngthcm MailScanner[99877]: Connected to SpamAssassin
>>> cache database
>>> Apr 17 11:46:40 ngthcm MailScanner[99877]: Enabling SpamAssassin
>>> auto-whitelist functionality...
>>> Apr 17 11:46:43 ngthcm MailScanner[99863]: Using locktype = flock
>>> Apr 17 11:46:43 ngthcm MailScanner[99863]: New Batch: Scanning 1
>>> messages, 72921 bytes
>>> Apr 17 11:46:43 ngthcm MailScanner[99863]: SpamAssassin cache hit for
>>> message AB0264AC26.475FA
>>> Apr 17 11:46:43 ngthcm MailScanner[99881]: SafePipe in Message.pm :
>>> /usr/local/bin/unrar v -p-
>>> '/var/spool/MailScanner/incomingwork/99863/AB0264AC26.475FA/ATF-Cleaner.exe'
>>> 2>&1 failed with real error: Insecure dependency in exec while running with
>>> -T switch at /usr/local/lib/MailScanner/MailScanner/Message.pm line 2888.
>>> Apr 17 11:46:43 ngthcm MailScanner[99881]: Virus and Content Scanning:
>>> Starting
>>> Apr 17 11:46:44 ngthcm MailScanner[99881]: Filename Checks:
>>> (AB0264AC26.475FA ATF-Cleaner.exe)
>>> Apr 17 11:46:44 ngthcm MailScanner[99883]: File checker failed with real
>>> error: Insecure dependency in exec while running with -T switch at
>>> /usr/local/lib/MailScanner/MailScanner/SweepOther.pm line 356.
>>>
>>>
>>> ------------------------
>>> /usr/local/etc/MailScanner/MailScanner.conf :
>>>
>>> # Configuration directory containing this file
>>> %etc-dir% = /usr/local/etc/MailScanner
>>>
>>> # Set the directory containing all the reports in the required language
>>> %report-dir% = /usr/local/etc/MailScanner/reports/en
>>>
>>> # Rulesets directory containing your ".rules" files
>>> %rules-dir% = /usr/local/etc/MailScanner/rules
>>>
>>> Run As User = postfix
>>> Run As Group = mail
>>> Queue Scan Interval = 6
>>> Incoming Queue Dir = /var/spool/postfix/hold
>>> Outgoing Queue Dir = /var/spool/postfix/incoming
>>> Run As User = postfix
>>> Run As Group = mail
>>> Incoming Work Dir = /var/spool/MailScanner/incomingwork
>>> Quarantine Dir = /var/spool/MailScanner/quarantine
>>> Incoming Work User =
>>> InComing Work Group =
>>> Incoming Work Permissions = 0660
>>> Quarantine User =
>>> Quarantine Group =
>>> Quarantine Permissions = 0660
>>> Allow Filenames =
>>> Deny Filenames =
>>> Filenames Rules = %etc-dir%/filename.rules.conf
>>>
>>> -----------
>>> /usr/local/etc/MailScanner/filename.rules.conf
>>>
>>> # These 2 added by popular demand - Very often used by viruses
>>> deny    \.com$          Windows/DOS Executable
>>> deny    \.exe$          Windows/DOS Executable
>>>
>>> -------------
>>> ngthcm# ls -l /var/spool/
>>> drwxrwxr-x   6 postfix  mail    512 Apr 17 12:01 MailScanner
>>> drwxrwxr-x  17 root     mail    512 Apr 16 16:38 postfix
>>>
>>> ngthcm# ls -l /var/spool/MailScanner/
>>> -rw-------   1 postfix  mail  10240 Apr 17 12:02 SpamAssassin.cache.db
>>> drwxrwxr-x  11 postfix  mail    512 Apr 17 12:02 incomingwork
>>> drwxrwxr-x   2 postfix  mail    512 Apr 17 12:02 lockfile-dir
>>> drwxrwxr-x   2 postfix  mail    512 Apr 13 15:26 quarantine
>>> drwxrwxr-x   2 postfix  mail    512 Apr 16 12:42 spamassassin
>>>
>>> ngthcm# ls -l /var/spool/postfix/
>>> drwx------   2 postfix  mail      512 Apr 17 03:01 .spamassassin
>>> drwxrwxr-x   2 postfix  mail      512 Apr 17 11:23 active
>>> drwxrwxr-x   2 postfix  mail      512 Apr 17 11:23 bounce
>>> drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 corrupt
>>> drwxrwxr-x  14 postfix  mail      512 Apr  9 23:28 defer
>>> drwxrwxr-x  14 postfix  mail      512 Apr  9 23:28 deferred
>>> drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 flush
>>> drwxrwxr-x   2 postfix  mail      512 Apr 17 11:25 hold
>>> drwxrwxr-x   2 postfix  mail      512 Apr 17 11:25 incoming
>>> drwxrwxr-x   2 postfix  maildrop  512 Apr 17 03:01 maildrop
>>> drwxrwxr-x   2 root     mail      512 Apr  6 01:14 pid
>>> drwxrwxr-x   2 postfix  mail      512 Apr 17 11:38 private
>>> drwxrwxr-x   2 postfix  maildrop  512 Apr 17 11:38 public
>>> drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 saved
>>> drwxrwxr-x   2 postfix  mail      512 Feb 18 18:06 trace
>>>
>>> ngthcm# ls -la /usr/local/lib/MailScanner/MailScanner
>>> drwxrwxr-x  3 root  mail    1024 Apr  9 00:04 .
>>> drwxrwxr-x  3 root  mail     512 Apr  9 00:04 ..
>>> -r-xr-xr-x  1 root  mail    4357 Apr  9 00:04 BinHex.pm
>>> -r-xr-xr-x  1 root  mail  104100 Apr  9 00:04 Config.pm
>>> -r-xr-xr-x  1 root  mail   22104 Apr  9 00:04 ConfigDefs.pl
>>> -r-xr-xr-x  1 root  mail   56745 Apr  9 00:04 CustomConfig.pm
>>> drwxr-xr-x  2 root  mail     512 Apr  9 00:04 CustomFunctions
>>> -r-xr-xr-x  1 root  mail   49221 Apr  9 00:04 Exim.pm
>>> -r-xr-xr-x  1 root  mail   17799 Apr  9 00:04 EximDiskStore.pm
>>> -r-xr-xr-x  1 root  mail    7772 Apr  9 00:04 GenericSpam.pm
>>> -r-xr-xr-x  1 root  mail   12821 Apr  9 00:04 Lock.pm
>>> -r-xr-xr-x  1 root  mail    5128 Apr  9 00:04 Log.pm
>>> -r-xr-xr-x  1 root  mail   17369 Apr  9 00:04 MCP.pm
>>> -r-xr-xr-x  1 root  mail   24524 Apr  9 00:04 MCPMessage.pm
>>> -r-xr-xr-x  1 root  mail    2992 Apr  9 00:04 Mail.pm
>>> -r-xr-xr-x  1 root  mail  273077 Apr 17 00:26 Message.pm
>>> -r-xr-xr-x  1 root  mail   38942 Apr  9 00:04 MessageBatch.pm
>>> -r-xr-xr-x  1 root  mail   27915 Apr  9 00:04 PFDiskStore.pm
>>> -r-xr-xr-x  1 root  mail   65287 Apr  9 00:04 Postfix.pm
>>> -r-xr-xr-x  1 root  mail   14565 Apr  9 00:04 QMDiskStore.pm
>>> -r-xr-xr-x  1 root  mail   28039 Apr  9 00:04 Qmail.pm
>>> -r-xr-xr-x  1 root  mail    8201 Apr  9 00:04 Quarantine.pm
>>> -r-xr-xr-x  1 root  mail    1695 Apr  9 00:04 Queue.pm
>>> -r-xr-xr-x  1 root  mail    9400 Apr  9 00:04 RBLs.pm
>>> -r-xr-xr-x  1 root  mail   44737 Apr  9 00:04 SA.pm
>>> -r-xr-xr-x  1 root  mail   19245 Apr  9 00:04 SMDiskStore.pm
>>> -r-xr-xr-x  1 root  mail   38114 Apr  9 00:04 Sendmail.pm
>>> -r-xr-xr-x  1 root  mail   30229 Apr  9 00:04 SweepContent.pm
>>> -r-xr-xr-x  1 root  mail   27660 Apr  9 00:04 SweepOther.pm
>>> -r-xr-xr-x  1 root  mail  128436 Apr  9 00:04 SweepViruses.pm
>>> -r-xr-xr-x  1 root  mail    1446 Apr  9 00:04 SystemDefs.pm
>>> -r-xr-xr-x  1 root  mail   11895 Apr  9 00:04 TNEF.pm
>>> -r-xr-xr-x  1 root  mail    9840 Apr  9 00:04 WorkArea.pm
>>> -r-xr-xr-x  1 root  mail   15231 Apr  9 00:04 ZMDiskStore.pm
>>> -r-xr-xr-x  1 root  mail   33755 Apr  9 00:04 ZMailer.pm
>>>
>>> -------------------------------
>>> ngthcm# /usr/local/sbin/mailscanner -v
>>> ]Running on
>>> FreeBSD ngthcm 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25
>>> UTC 2009     root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
>>> i386
>>> This is Perl version 5.008009 (5.8.9)
>>>
>>> This is MailScanner version 4.67.6
>>> Module versions are:
>>> 1.00    AnyDBM_File
>>> 1.26    Archive::Zip
>>> 1.10    Carp
>>> 2.015   Compress::Zlib
>>> 1.119   Convert::BinHex
>>> 2.27    Date::Parse
>>> 1.02    DirHandle
>>> 1.06    Fcntl
>>> 2.77    File::Basename
>>> 2.13    File::Copy
>>> 2.01    FileHandle
>>> 2.07_02 File::Path
>>> 0.21    File::Temp
>>> 0.92    Filesys::Df
>>> 3.60    HTML::Entities
>>> 3.60    HTML::Parser
>>> 3.57    HTML::TokeParser
>>> 1.23    IO
>>> 1.14    IO::File
>>> 1.13    IO::Pipe
>>> 2.04    Mail::Header
>>> 1.89    Math::BigInt
>>> 3.07    MIME::Base64
>>> 5.427   MIME::Decoder
>>> 5.427   MIME::Decoder::UU
>>> 5.427   MIME::Head
>>> 5.427   MIME::Parser
>>> 3.07    MIME::QuotedPrint
>>> 5.427   MIME::Tools
>>> 0.13    Net::CIDR
>>> 1.15    POSIX
>>> 1.19    Scalar::Util
>>> 1.81    Socket
>>> 1.4     Sys::Hostname::Long
>>> 0.27    Sys::Syslog
>>> 1.9719  Time::HiRes
>>> 1.02    Time::localtime
>>>
>>> Optional module versions are:
>>> 1.46    Archive::Tar
>>> 0.23    bignum
>>> missing Business::ISBN
>>> missing Business::ISBN::Data
>>> missing Data::Dump
>>> 1.817   DB_File
>>> 1.14    DBD::SQLite
>>> 1.607   DBI
>>> 1.15    Digest
>>> 1.01    Digest::HMAC
>>> 2.37    Digest::MD5
>>> 2.11    Digest::SHA1
>>> 1.01    Encode::Detect
>>> 0.17015 Error
>>> 0.24    ExtUtils::CBuilder
>>> 2.19    ExtUtils::ParseXS
>>> 2.37    Getopt::Long
>>> missing Inline
>>> 1.08    IO::String
>>> 1.09    IO::Zlib
>>> missing IP::Country
>>> missing Mail::ClamAV
>>> 3.002005        Mail::SpamAssassin
>>> v2.006  Mail::SPF
>>> missing Mail::SPF::Query
>>> 0.32    Module::Build
>>> missing Net::CIDR::Lite
>>> 0.65    Net::DNS
>>> v0.003  Net::DNS::Resolver::Programmable
>>> missing Net::LDAP
>>>  4.024  NetAddr::IP
>>> missing Parse::RecDescent
>>> missing SAVI
>>> 2.64    Test::Harness
>>> missing Test::Manifest
>>> 1.98    Text::Balanced
>>> 1.37    URI
>>> 0.76    version
>>> 0.68    YAML
>>>
>>>
>>>
>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>>
>> --
>> Martin Hepworth
>> Oxford, UK
>>
>>
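
The quoted log shows Perl's taint-mode error, "Insecure dependency in exec while running with -T switch". As an added illustration (not part of the original posts and not MailScanner code), this stand-alone script shows in general what raises that message and how validated data gets past it; `run_string`, the PATH value and the allow-list pattern are assumptions made for the demo.

```perl
#!/usr/bin/perl -T
# Added illustration of Perl taint mode; this is not MailScanner code.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode also refuses exec with an unvetted environment, so pin it first.
$ENV{PATH} = '/bin:/usr/bin';                 # assumed location of echo
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: fork, exec a command string in the child, and return
# whatever the child printed (its output or the reason exec was refused).
sub run_string {
    my ($cmd) = @_;
    my $pid = open(my $out, '-|');
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {                          # child process
        eval { exec $cmd or die "exec failed: $!\n" };
        print "refused: $@";                  # taint violations land here
        exit 1;
    }
    local $/;                                 # slurp the child's output
    my $text = <$out>;
    close $out;
    return defined $text ? $text : '';
}

# Constructed input: data read from a filehandle is tainted. The name is the
# attachment from the log, stored after __DATA__.
chomp(my $name = <DATA>);
print 'tainted as read:     ', (tainted($name) ? 'yes' : 'no'), "\n";

# 1. Tainted data inside a command string: Perl aborts the exec.
print run_string("echo $name");

# 2. Validate against a strict allow-list and use the capture, which Perl
#    treats as untainted. The pattern is an assumption for this demo.
if (my ($clean) = $name =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,254})\z/) {
    print 'tainted after check: ', (tainted($clean) ? 'yes' : 'no'), "\n";
    print run_string("echo $clean");
} else {
    print "name rejected, nothing executed\n";
}

__DATA__
ATF-Cleaner.exe
```

Because `-T` is on the `#!` line, start the script as `perl -T taint_demo.pl` (the file name is a placeholder) or make it executable and run it directly.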