Filename Restrictions Not working

James Nelson James.Nelson at vgt.net
Wed Feb 18 22:42:45 GMT 2015


Hey Kevin\Alex\Denis\Glenn,

Sorry, the slash direction was a typo as a result of responding on my phone.  They are forward slashes in the actual files.

Kevin—Yes, virus scanning works.  I’ve sent the EICAR file as a test, and additionally it’s caught legitimate viruses since installation.  I see the entries in the maillog for virus\spam scanning, but no mention of file scanning…no error there or in the system log.

Denis-  I’ve mostly been trying to make rulesets work for these purposes, but I did try explicitly defining the restrictions as a troubleshooting measure.  The information in the mailscanner.conf file seems to indicate that this is supported:

# To simplify web-based configuration systems, there are now two extra
# settings here. They are both intended for use with normal rulesets
# that you would expect to find in %rules-dir%. The first gives a list
# of patterns to match against the attachment filenames, and a filename
# is allowed if it matches any of these patterns. The second gives the
# the equivalent list for patterns that are used to deny filenames.
# If either of these match at all, then filename.rules.conf is ignored
# for that filename.
# So you can easily have a set like this:
# Allow Filenames = \.txt$ \.pdf$
# Deny  Filenames = \.com$ \.exe$ \.cpl$ \.pif$

Glenn—I have verified that MailScanner is processing these messages.  We’ve had it in place for a few months, and the SpamAssassin\ClamAV components are processing and catching mail as expected.  I can see all of MailScanner\SpamAssassin’s header info, and it states that it’s processed by postfix, as I would expect.

I’ve run MailScanner --lint and MailScanner --debug with no errors detected, but here are the results anyway:

Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Read 876 hostnames from the phishing whitelist
Read 5890 hostnames from the phishing blacklists
Config: calling custom init function MailWatchLogging
Started SQL Logging child

Checking version numbers...
Version number in MailScanner.conf (4.84.6) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging

And debug log, using an external account I sent myself a ZIP file, which should be blocked.  The only thing I noticed where it even seemed to be looking at a file was this:

16:31:07 Feb 18 16:31:07.790 [5557] dbg: message: ---- MIME PARSER START ----
16:31:07 Feb 18 16:31:07.790 [5557] dbg: message: parsing multipart, got boundary: 047d7bdc131a7ef13b050f645fc3
16:31:07 Feb 18 16:31:07.790 [5557] dbg: message: found part of type multipart/alternative, boundary: 047d7bdc131a7ef134050f645fc1
16:31:07 Feb 18 16:31:07.790 [5557] dbg: message: added part, type: multipart/alternative
16:31:07 Feb 18 16:31:07.791 [5557] dbg: message: found part of type application/zip, boundary: 047d7bdc131a7ef13b050f645fc3
16:31:07 Feb 18 16:31:07.791 [5557] dbg: message: added part, type: application/zip
16:31:07 Feb 18 16:31:07.791 [5557] dbg: message: parsing multipart, got boundary: 047d7bdc131a7ef134050f645fc1
16:31:07 Feb 18 16:31:07.791 [5557] dbg: message: found part of type text/plain, boundary: 047d7bdc131a7ef134050f645fc1
16:31:07 Feb 18 16:31:07.791 [5557] dbg: message: added part, type: text/plain
16:31:07 Feb 18 16:31:07.791 [5557] dbg: message: found part of type text/html, boundary: 047d7bdc131a7ef134050f645fc1
16:31:07 Feb 18 16:31:07.792 [5557] dbg: message: added part, type: text/html
16:31:07 Feb 18 16:31:07.792 [5557] dbg: message: parsing normal part
16:31:07 Feb 18 16:31:07.792 [5557] dbg: message: parsing normal part
16:31:07 Feb 18 16:31:07.792 [5557] dbg: message: parsing normal part
16:31:07 Feb 18 16:31:07.792 [5557] dbg: message: ---- MIME PARSER END ----

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Wednesday, February 18, 2015 8:53 AM
To: MailScanner discussion
Subject: Re: Filename Restrictions Not working

Have you checked that there are headers in the delivered mails that indicate that MailScanner has been involved? If not, especially with some MTAs (like Postfix), it seems like you've goofed your install a bit and there is still a "non-MS-aware MTA" running, which would just deliver/relay any mails....

Further... When you've fixed your typos (the back-forwardslash thing for example), do as Denis says and try a lint run. If that works, then do a debug run:
shut down MailScanner, then as the Run As user run:
MailScanner --debug
<generate some mail traffic, and let the debug run process the batch>...
Check output for errors...


Cheers
--
-- Glenn

On 18 February 2015 at 14:44, Denis Beauchemin <Denis.Beauchemin at usherbrooke.ca> wrote:
> Agreed : you should use forward slashes “/” in all MS config files 
> whenever you want to refer to a file path. And I’m also pretty sure 
> you can’t put “allow/deny” filetypes rules directly in MailScanner.conf.
>
>
>
> Have you tried “MailScanner --lint”? If so, don’t you have any errors?
>
>
>
> Denis
>
>
>
>
>
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of James Nelson
> Sent: 17 February 2015 16:40
> To: MailScanner discussion
> Subject: RE: Filename Restrictions Not working
>
>
>
> Hi Kevin,
>
>
>
> I’ve tried with linking directly to filename.rules.conf, I’ve tried using a
> filename.rules that points FromOrTo:                default
> \etc\MailScanner\filename.rules.conf , but neither approach is working.
>
>
>
> What’s especially odd is if I explicitly define a blocked file type…say,
> \.exe$ directly in MailScanner.conf, even THAT doesn’t work.
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>



-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
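
Added example, not part of the original thread and not MailScanner's own code: a small Python model of the Allow Filenames / Deny Filenames behaviour described in the quoted MailScanner.conf comment, for checking which attachment names a pattern set would pass, block, or hand on to filename.rules.conf. The \.zip$ entry, the sample filenames, case-insensitive matching and consulting Allow before Deny are assumptions.

```python
import re

# Constructed settings, written in the form the quoted MailScanner.conf
# comment shows. The \.zip$ entry is an addition for this example.
CONF = r"""
Allow Filenames = \.txt$ \.pdf$
Deny  Filenames = \.com$ \.exe$ \.cpl$ \.pif$ \.zip$
"""

def parse_patterns(conf_text):
    """Return {'allow': [...], 'deny': [...]} of compiled patterns."""
    patterns = {"allow": [], "deny": []}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        words = key.lower().split()
        if len(words) == 2 and words[1] == "filenames" and words[0] in patterns:
            # Patterns are whitespace-separated, as in the quoted example.
            # Assumption: matching is case-insensitive.
            patterns[words[0]] = [re.compile(p, re.I) for p in value.split()]
    return patterns

def verdict(filename, patterns):
    """Assumption: Allow is consulted before Deny when both could match."""
    if any(p.search(filename) for p in patterns["allow"]):
        return "allow"
    if any(p.search(filename) for p in patterns["deny"]):
        return "deny"
    # Neither list matched, so filename.rules.conf decides for this name.
    return "filename.rules.conf"

def check(filenames, conf_text=CONF):
    """Map each attachment name to its verdict under conf_text."""
    pats = parse_patterns(conf_text)
    return {name: verdict(name, pats) for name in filenames}

if __name__ == "__main__":
    # Constructed attachment names, including a double extension.
    samples = ["report.pdf", "eicar.com", "archive.zip",
               "invoice.pdf.exe", "notes.docx"]
    for name, result in check(samples).items():
        print(f"{name:20} {result}")
```

The double-extension name is denied because the trailing $ anchors \.pdf$ to the end of the filename, so only \.exe$ matches it.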