Need to allow blackberry EPT.DAT files
glenn.steen at gmail.com
Fri Sep 11 22:07:00 IST 2009
2009/9/11 Robert Lopez <rlopezcnm at gmail.com>:
> Some offices of the college are being affected by some blocked data
> files. They are .dat files and we do not want to unblock .dat files.
> I am told in this case the data files are part of syncing blackberry
> applications to desktop applications.
> I considered allowing EPT.DAT, but that seems like too much of an
> opportunity for the wrong persons.
> Here are some of the facts:
> Report: MailScanner: No programs allowed (ETP.DAT)
> Received: from mailrouter1104.na.blackberry.net
> (mailrouter1104.na.blackberry.net [220.127.116.11])
> by xxxx.cnm.edu (Postfix) with SMTP id 625296604E2
> for <slederle at cnm.edu>; Fri, 11 Sep 2009 06:56:02 -0600 (MDT)
> Received: from ETP1107.etp.prod.on.blackberry
> (etp1107.etp.prod.on.blackberry [172.23.40.50])
> by mailrouter1104.na.blackberry.net (Postfix) with ESMTP id 65EBA2E257F
> for <xxxxxx at cnm.edu>; Fri, 11 Sep 2009 12:55:46 +0000 (UTC)
> Would it take a custom modification to 'allow EPT.DAT files only from
> *.na.blackberry.net' or could a file rule accomplish it?
> The filename.rules.conf seems to not be able to deal with the domain.
> Looking at CustomConfig.pm it seems there could be a
> /etc/MailScanner/spam.bydomain/whitelist/blackberry file if everything
> from na.blackberry.net and from prod.on.blackberry was wanted to be
> allowed. As I have no idea what mail could come from
> those it does not seem wise to just open for everything from them. [I
> have not found a way to ask blackberry/rim any questions.]
Not really a custom thing, but unpalatable any which way you look at it.
The problem isn't the filename, which is trivially handled via a
normal ruleset (multiple filename.rules.conf, where you can allow the
relevant filename for the blackberry domain (beware the subdomains...
aieee!!! Yes, I truly hate RIM/blackberry for this lunacy)), but the
fact that they send a BINARY file without ascii armor. Oh they send
that too, but that is entirely beside the point, since they rely on
the binary attachment getting through.
The problem is that the "encrypted stuff" in that file can (and will,
as you have noticed) trigger ANY filetype line. So one needs to use a
"filetypewhitelist" for the blackberry domain (they, of course, have
too many sending servers to be able to keep up with using only IPs, so
you need bare yourself to forgeries here... AAAARRRGH!). It is a PITA.
It is either this, or stop using blackberries... Try selling that to
BTW, the file is for BB activations, not synchronization.
Cheers (yeah, am slightly drunk, so ... letting some pent-up steam loose here :-)
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
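
The per-sender ruleset approach described in the reply above, sketched as an added configuration example (it is not from the original thread or from the MailScanner project). The file names, the `*@*.blackberry.net` sender pattern and the allow-all filetype line are assumptions; ETP.DAT is the name shown in the quoted MailScanner report.

```conf
# --- /etc/MailScanner/MailScanner.conf ---
# Point both checks at rulesets instead of single rule files.
# A ruleset file name must end in ".rules".
Filename Rules = %rules-dir%/filename.rules
Filetype Rules = %rules-dir%/filetype.rules

# --- /etc/MailScanner/rules/filename.rules (assumed name) ---
# From: is matched against the sender address, which can be forged,
# so this exception is only as trustworthy as that address.
From:      *@*.blackberry.net   /etc/MailScanner/filename.rules.blackberry.conf
FromOrTo:  default              /etc/MailScanner/filename.rules.conf

# --- /etc/MailScanner/rules/filetype.rules (assumed name) ---
From:      *@*.blackberry.net   /etc/MailScanner/filetype.rules.blackberry.conf
FromOrTo:  default              /etc/MailScanner/filetype.rules.conf

# --- /etc/MailScanner/filename.rules.blackberry.conf (assumed name) ---
# Fields are TAB-separated: action, regex, log text, user report text.
# The first matching line wins, so the allow goes first; everything
# after it is a copy of the site's normal filename rules, so any
# other attachment name from this sender is still checked.
allow	^etp\.dat$	-	-
# ... copy of the site's normal filename.rules.conf lines here ...

# --- /etc/MailScanner/filetype.rules.blackberry.conf (assumed name) ---
# The binary content can match any filetype line, so this sender gets
# a permissive filetype ruleset. This disables filetype blocking for
# mail claiming to come from the domain; the filename rules above
# remain the only attachment check for it.
allow	.*	-	-
```

All other senders keep the default rule files, so .dat attachments stay blocked for them.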