MS don't process or filter/quarantine attachments anymore.

Vincent Naïnemoutou vincent at pearleyes.org
Wed Jul 25 15:16:39 IST 2012



Hi everybody,

I am Vincent and have run MS on my mail gateways for years with satisfaction,
and have acquired a good level of knowledge until now.

I moved my current mail gateways to new machines and a new version, and
noticed that MS does not quarantine attachments anymore. Nothing in the
quarantine directory for days, confirmed by specific tests.
I tried several configuration options with the filename.rules.conf and
also denying directly in the "Deny Filenames" parameter without any
success, and also checked permissions on directories, etc.
Attachments are just going through and are delivered.

My config is: CentOS 6.2, postfix-2.8.9, MailScanner-4.84.5-2,
clamav-0.97.4-1, Mail-SpamAssassin-3.3.2. I have been careful at
installation time and checked all the output, including for Perl modules.
There are no serious differences between the new MailScanner.conf file and
the older one except the new MS parameters.

I have checked everything (I think) in the configuration files, all
related file types, file name rules, read the book again :), and searched a
lot on the web and can't find anything similar.

Except for the version numbers, what is different in my install is that I
was not able to get the whole thing working using the SA-Clamav tarball,
probably due to the Perl bug, even with the latest MS version. I finally
installed SpamAssassin from the source package, and ClamAV from the RPM
package. BTW, they both are working fine.

I have 2 mail gateways with the same configuration and the same behaviour. I
installed one from scratch, and my colleague did the other one, also from
scratch, but with the document I wrote.

My next steps are:

- To clone one of the gateways and run MS in debug mode, so that I
can see what is happening.

- Run MS with perl -U !?

- Restore the old version :(

In the meantime, do you have any idea?

Thank you in advance for any suggestion.
Cheers, and sorry for this long email.
--Vincent N


Some data (some information has been anonymised):

Logs for big file: Attachment name: vntest2.pps
Jul 25 13:30:42 malgw10  MailScanner[29373]: Message A99FA86A820.ACB13 from 217.117.157.120 (vincent at p.o) to l.c is too big for spam checks (903414 > 400000 bytes)

Log for small file: Attachment name: test2.pps
Jul 25 15:33:56 mailgw9 MailScanner[14148]: Message B057EB06382.ABB8F from 217.117.157.120 (vincent at p.o) to l.c is n'est pas un polluriel, SpamAssassin (not cached, score=-1.9, requis 3, autolearn=not spam, BAYES_00 -1.90)


#  MailScanner -lint
===========================================
Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 869 hostnames from the phishing whitelist
Read 6572 hostnames from the phishing blacklists

Checking version numbers...
Version number in MailScanner.conf (4.84.5) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to  (500)
MailScanner setting UID to  (500)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
./1/eicar.com: Eicar-Test-Signature FOUND

Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf

filename.rules.conf
========================
.....
# regardless of the final extension.
deny    .{150,}                 Very long filename, possible OE attack    Very long filenames are good signs of attacks against Microsoft e-mail packages

# JKF 10/08/2007 Adobe Acrobat nastiness

# JKF 04/01/2005 More Microsoft security vulnerabilities
deny    \.ico$                  Windows icon file security vulnerability  Possible buffer overflow in Windows
deny    \.ani$                  Windows animated cursor file security vulnerability    Possible buffer overflow in Windows
deny    \.cur$                  Windows cursor file security vulnerability    Possible buffer overflow in Windows
#deny   \.hlp$                  Windows help file security vulnerability  Possible buffer overflow in Windows
.....
deny    \.pls$          Unauthorized files      Unauthorized multimedia file
deny    \.pps$          Unauthorized files      Unauthorized multimedia file
deny    \.qt$           Unauthorized files      Unauthorized multimedia file
deny    \.qtx$          Unauthorized files      Unauthorized multimedia file
.....

MailScanner.conf
===============================

...
Max Children = 10
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 6
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 7200
MTA = postfix
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600
Quarantine User =
Quarantine Group = apache
Quarantine Permissions = 0660
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Scan Messages = yes
Reject Message = no
Maximum Processing Attempts = 6
Processing Attempts Database = /var/spool/MailScanner/incoming/Processing.db
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File Command = /usr/bin/file
File Timeout = 120
Gunzip Command = /bin/gunzip
Gunzip Timeout = 50
Unrar Command = /usr/local/bin/unrar
Unrar Timeout = 50
Find UU-Encoded Files = no
Maximum Message Size = %rules-dir%/max.message.size.rules
Maximum Attachment Size = -1
Minimum Attachment Size = -1
Maximum Archive Depth = 20
Find Archives By Content = yes
Unpack Microsoft Documents = yes
Zip Attachments = no
Attachments Zip Filename = MessageAttachments.zip
Attachments Min Total Size To Zip = 100k
Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
Add Text Of Doc = no
Antiword = /usr/bin/antiword -f
Antiword Timeout = 50
Unzip Maximum Files Per Archive = 0
Unzip Maximum File Size = 50k
Unzip Filenames = *.txt *.ini *.log *.csv
Unzip MimeType = text/plain
Virus Scanning = yes
Virus Scanners = clamav
Virus Scanner Timeout = 300
Deliver Disinfected Files = no
...

Convert HTML To Text = no
Archives Are = zip rar ole
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
Archives: Allow Filenames =
Archives: Deny Filenames =
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
Archives: Allow Filetypes =
Archives: Allow File MIME Types =
Archives: Deny Filetypes =
Archives: Deny File MIME Types =
Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
Default Rename Pattern = __FILENAME__.disarmed
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
....
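The following is an added example, not code from the original post and not MailScanner's own code. It re-implements, in Python, the filename.rules.conf evaluation as I understand MailScanner performs it, so that an edited rules file can be exercised against attachment names (such as the test2.pps and vntest2.pps from the logs above) without sending mail through the gateway. Assumptions, which should be checked against the header comments of your own filename.rules.conf and the MailScanner version in use: one rule per line with four TAB-separated fields (action, regexp, log text, user text); blank and `#` lines are ignored; rules are tried top to bottom and the first match wins; the regexp is applied to the attachment name as an unanchored, case-insensitive search. The rule text embedded below is retyped from the excerpt posted above with TAB separators, plus the usual trailing `allow .*` catch-all; the helper names (`parse_rules`, `first_match`, `decide`, `lint_rules`, `report`) are mine.

```python
"""
Added example (not MailScanner's own code): check filename.rules.conf
entries against attachment names outside the mail flow.

Assumed MailScanner behaviour (verify against your version):
  * one rule per line: action, regexp, log text, user text, TAB-separated
  * blank lines and lines starting with '#' are ignored
  * rules are tried top to bottom, first match wins
  * the regexp is a Perl-style regexp searched in the attachment name,
    case-insensitively (assumption)
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str          # "allow", "deny" or "deny+delete"
    regexp: re.Pattern
    logtext: str         # text that goes into the MailScanner log
    usertext: str        # text the recipient is shown
    lineno: int          # physical line in the rules file


# Constructed rules file for this example: the rules from the excerpt posted
# above, retyped with the columns joined by TABs, plus a catch-all allow.
RULES_CONF = "\n".join([
    "# regardless of the final extension.",
    "deny\t.{150,}\tVery long filename, possible OE attack\tVery long filenames are good signs of attacks against Microsoft e-mail packages",
    "",
    "# JKF 04/01/2005 More Microsoft security vulnerabilities",
    "deny\t\\.ico$\tWindows icon file security vulnerability\tPossible buffer overflow in Windows",
    "deny\t\\.ani$\tWindows animated cursor file security vulnerability\tPossible buffer overflow in Windows",
    "deny\t\\.cur$\tWindows cursor file security vulnerability\tPossible buffer overflow in Windows",
    "#deny\t\\.hlp$\tWindows help file security vulnerability\tPossible buffer overflow in Windows",
    "deny\t\\.pls$\tUnauthorized files\tUnauthorized multimedia file",
    "deny\t\\.pps$\tUnauthorized files\tUnauthorized multimedia file",
    "deny\t\\.qt$\tUnauthorized files\tUnauthorized multimedia file",
    "deny\t\\.qtx$\tUnauthorized files\tUnauthorized multimedia file",
    "allow\t.*\tAllowed by default\tAllowed by default",
])

VALID_ACTIONS = ("allow", "deny", "deny+delete")


def parse_rules(text: str) -> List[Rule]:
    """Parse rules text; raise ValueError on any line lacking 4 TAB-separated fields."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = re.split(r"\t+", line, maxsplit=3)
        if len(fields) != 4:
            # A rule split over two physical lines (as in the wrapped excerpt
            # above) or typed with spaces instead of TABs lands here. Fail
            # loudly instead of silently dropping the rule.
            raise ValueError(f"line {lineno}: expected 4 TAB-separated fields, found {len(fields)}: {line!r}")
        action, regexp, logtext, usertext = (f.strip() for f in fields)
        action = action.lower()
        if action not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append(Rule(action, re.compile(regexp, re.IGNORECASE), logtext, usertext, lineno))
    return rules


def lint_rules(text: str) -> Optional[str]:
    """None if the rules text parses cleanly, else the parse error message."""
    try:
        parse_rules(text)
    except ValueError as exc:
        return str(exc)
    return None


def first_match(filename: str, rules: List[Rule]) -> Optional[Rule]:
    """First rule whose regexp matches anywhere in filename (unanchored search), or None."""
    for rule in rules:
        if rule.regexp.search(filename):
            return rule
    return None


def decide(filename: str, rules_text: str = RULES_CONF) -> str:
    """'deny' if the first matching rule is a deny rule, otherwise 'allow' (no match = allowed)."""
    rule = first_match(filename, parse_rules(rules_text))
    if rule is None:
        return "allow"
    return "deny" if rule.action.startswith("deny") else "allow"


def report(filenames: List[str], rules_text: str = RULES_CONF) -> List[str]:
    """One human-readable line per filename naming the rule that fired."""
    rules = parse_rules(rules_text)
    out = []
    for name in filenames:
        rule = first_match(name, rules)
        shown = name if len(name) <= 40 else name[:37] + "..."
        if rule is None:
            out.append(f"{shown}: no rule matched (allowed)")
        else:
            out.append(f"{shown}: {rule.action} by line {rule.lineno} ({rule.regexp.pattern}) - {rule.logtext}")
    return out


if __name__ == "__main__":
    samples = ["test2.pps", "vntest2.pps", "TEST2.PPS", "readme.hlp", "notes.txt", "A" * 160 + ".doc"]
    print("\n".join(report(samples)))
    # Ordering matters: the same rules with the catch-all allow moved to the
    # top let test2.pps through, because the first match wins.
    reordered = "allow\t.*\tAllowed by default\tAllowed by default\n" + RULES_CONF
    print("with 'allow .*' first, test2.pps ->", decide("test2.pps", reordered))
```

Run it against the real file with `report(["test2.pps"], open("/etc/MailScanner/filename.rules.conf").read())`: if `lint_rules` reports a line with fewer than four fields, or `first_match` returns an `allow` rule with a lower line number than the `\.pps$` rule, the rules file itself explains why the attachment is delivered; if both look right, the problem is outside the rules file (the "Filename Rules" setting pointing at a different file, or a ruleset that skips content scanning for the sender).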




