From email at ace.net.au Mon Jan 19 05:07:05 2015
From: email at ace.net.au (Peter Nitschke)
Date: Mon, 19 Jan 2015 15:37:05 +1030
Subject: Happy new year
Message-ID: <201501191537050553.1C19D48B@web.ace.net.au>

Hi,

Happy new year.

Just testing to see if the list is still working.

Cheers,

Peter

From maxsec at gmail.com Mon Jan 19 10:19:56 2015
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 19 Jan 2015 10:19:56 +0000
Subject: Happy new year
In-Reply-To: <201501191537050553.1C19D48B@web.ace.net.au>
References: <201501191537050553.1C19D48B@web.ace.net.au>
Message-ID:

yes it still works and there's been quite a bit of traffic on it.

--
Martin Hepworth, CISSP
Oxford, UK

On 19 January 2015 at 05:07, Peter Nitschke wrote:

> Hi,
>
> Happy new year.
>
> Just testing to see if the list is still working.
>
> Cheers,
>
> Peter
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From glenn.steen at gmail.com Wed Jan 21 08:51:10 2015
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed, 21 Jan 2015 09:51:10 +0100
Subject: archiving rules
In-Reply-To:
References:
Message-ID:

Problem is that MS cannot make a difference between To: and Cc: (or even
Bcc:) recipients... In the envelope (SMTP conversation) they are all RCPT
TO:... So you'd need something else to do the distinction... SpamAssassin
rule and the SA rule hit thing in MS should be able to do the trick.

Cheers!
--
-- Glenn

On 23 Dec 2014 15:43, "Nerijus Baliunas" wrote:

> On Tue, 23 Dec 2014 15:11:32 +0200 Nerijus Baliunas wrote:
>
> > Messages are archived correctly. The problem is, when the message is sent like this:
> > To: user1 at externaldomain.lt
> > Cc: user2 at domain.lt
> >
> > The message is sent to both user1 at backup.domain.lt and user2 at backup.domain.lt.
> > Is it possible TOUSER in above rule to be used only if recipient domain is local, i.e. domain.lt?
>
> I use postfix and have in main.cf:
> virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf, backup.domain.lt
> virtual_transport = dovecot
> dovecot_destination_recipient_limit = 1
> backup_destination_recipient_limit = 1
>
> transport:
> backup.domain.lt backup:
>
> master.cf:
> dovecot unix - n n - - pipe
>   flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop}
>
> backup unix - n n - - pipe
>   flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d backup at domain.lt -m ${user}
>
> So all the backup email goes to backup at domain.lt mailbox and subdirs (named as
> expanded _TOUSER_) are created because of -m ${user}. The problem is, that
> subdirs are created even for external users, if a message is sent To: user1 at externaldomain.lt
> and Cc: user2 at domain.lt.
>
> Regards,
> Nerijus

From glenn.steen at gmail.com Wed Jan 21 08:56:44 2015
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed, 21 Jan 2015 09:56:44 +0100
Subject: Have problem with MailScanner 4.84.6 Cannot Add inline signature
In-Reply-To:
References:
Message-ID:

Actually... Easiest way to debug MS is not to edit the conf file...
Just stop MS, then do:
su - postfix -s /bin/bash
MailScanner --debug --debug-sa
... With at least one message in your incoming postfix queue.

Cheers!
--
-- Glenn

On 23 Dec 2014 10:16, "Martin Hepworth" wrote:

> Debug is very command line
>
> Once you've made the changes to MailScanner.conf, stopped the service then
>
> "su -" to postfix user (make sure it has a valid shell first!),
> run MailScanner from the command line
>
> it will run once then stop and dump the debug to the command line so you
> can try and spot why the Signature rule isn't running.
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
> On 23 December 2014 at 01:03, t dara wrote:
>
>> Hi,
>>
>> On MailScanner.conf file I use run as user= postfix.
>> To run debug mode I just change this 2 line
>> Debug = no --> Debug = yes
>> Debug SpamAssassin = no ---> Debug SpamAssassin = yes
>> Finally I restart MailScanner by trying this 2 command
>> - service MailScanner startin or
>> - service MailScanner restart
>> But when change to debug mode I didn't see any log run on
>> /var/log/maillog. And my email cannot send or receive.
>>
>> Thanks,
>> Sovandara
>>
>> On Sat, Dec 20, 2014 at 10:13 PM, Martin Hepworth wrote:
>>
>>> Ok that requeue ain't good
>>>
>>> That debug run as the same user as 'run as' in the mailscanner.conf file?
>>>
>>> On Saturday, 20 December 2014, t dara wrote:
>>>
>>>> Hi,
>>>>
>>>> To Run a sessions in Debug mode we just change Debug = no to Debug = yes
>>>> Please see the log file as in the attachment file.
>>>>
>>>> Thanks,
>>>> Sovandara
>>>>
>>>> On Fri, Dec 19, 2014 at 5:41 PM, Martin Hepworth wrote:
>>>>
>>>>> Run a sessions in Debug mode and see what you get and any clues as to
>>>>> why it's not attaching the signature.
>>>>>
>>>>> --
>>>>> Martin Hepworth, CISSP
>>>>> Oxford, UK
>>>>>
>>>>> On 19 December 2014 at 09:44, t dara wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Yes the report file exist. Normally if report file not exist it will
>>>>>> show error message, but on my case I didn't see any error message.
>>>>>>
>>>>>> Thanks,
>>>>>> Sovandara
>>>>>>
>>>>>> On Fri, Dec 19, 2014 at 2:24 PM, Martin Hepworth wrote:
>>>>>>>
>>>>>>> No errors at all in the logs at MailScanner startup and those files
>>>>>>> exist in the reports directory?
>>>>>>>
>>>>>>> --
>>>>>>> Martin Hepworth, CISSP
>>>>>>> Oxford, UK
>>>>>>>
>>>>>>> On 18 December 2014 at 01:47, t dara wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Do you have any idea? Please help.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Sovandara
>>>
>>> --
>>> --
>>> Martin Hepworth, CISSP
>>> Oxford, UK

From glenn.steen at gmail.com Wed Jan 21 08:59:58 2015
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed, 21 Jan 2015 09:59:58 +0100
Subject: Have problem with MailScanner 4.84.6 Cannot Add inline signature
In-Reply-To:
References:
Message-ID:

Looks like a syntax error to me.

Cheers!
--
-- Glenn

On 24 Dec 2014 18:30, "t dara" wrote:

> Hi,
>
> Please see the log when I run check_MailScanner command on debug mode and
> I "su" to postfix user.
>
> Thanks,
> Sovandara

From nerijusb at dtiltas.lt Wed Jan 21 22:20:56 2015
From: nerijusb at dtiltas.lt (Nerijus Baliunas)
Date: Thu, 22 Jan 2015 00:20:56 +0200
Subject: archiving rules
In-Reply-To:
References:
Message-ID:

On Wed, 21 Jan 2015 09:51:10 +0100 Glenn Steen wrote:

> Problem is that MS cannot make a difference between To: and Cc: (or even
> Bcc:) recipients... In the envelope (SMTP conversation) they are all RCPT
> TO:... So you'd need something else to do the distinction... SpamAssassin
> rule and the SA rule hit thing in MS should be able to do the trick.

My problem is not a difference between To or Cc, but "subdirs are created even for
external users". I don't want subdirs for external users.

Thanks,
Nerijus

> On 23 Dec 2014 15:43, "Nerijus Baliunas" wrote:
>
> > On Tue, 23 Dec 2014 15:11:32 +0200 Nerijus Baliunas wrote:
> >
> > > Messages are archived correctly.
> > > The problem is, when the message is sent like this:
> > > To: user1 at externaldomain.lt
> > > Cc: user2 at domain.lt
> > >
> > > The message is sent to both user1 at backup.domain.lt and user2 at backup.domain.lt.
> > > Is it possible TOUSER in above rule to be used only if recipient domain is local, i.e. domain.lt?
> >
> > I use postfix and have in main.cf:
> > virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf, backup.domain.lt
> > virtual_transport = dovecot
> > dovecot_destination_recipient_limit = 1
> > backup_destination_recipient_limit = 1
> >
> > transport:
> > backup.domain.lt backup:
> >
> > master.cf:
> > dovecot unix - n n - - pipe
> >   flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop}
> >
> > backup unix - n n - - pipe
> >   flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d backup at domain.lt -m ${user}
> >
> > So all the backup email goes to backup at domain.lt mailbox and subdirs (named as
> > expanded TOUSER) are created because of -m ${user}. The problem is, that
> > subdirs are created even for external users, if a message is sent To: user1 at externaldomain.lt
> > and Cc: user2 at domain.lt.

From kevin.miller at juneau.org Fri Jan 23 21:31:50 2015
From: kevin.miller at juneau.org (Kevin Miller)
Date: Fri, 23 Jan 2015 21:31:50 +0000
Subject: filename/filetype not working properly
Message-ID: <5c7c113e73164024a12b40c28bc0bf19@City-Exch-DB2.cbj.local>

Recently, someone tried to send one of my users an MS Office document which was blocked due to a disallowed file (0000.dat). It turns out that we likely ran afoul of Microsoft's once again forgetting they're not the only kid in the sandbox. See:
https://social.technet.microsoft.com/Forums/sharepoint/en-US/287650b5-293c-48bc-90ec-9e13a61a46a6/office365-word-document-docx-banned-from-mailer-if-you-edit-properties-online-bug-

(talk about an ugly URL!)

I'm not sure why 0000.dat would be flagged as executable. The message wasn't quarantined - it was just dropped - so I can't examine it. Regardless, I expect we'll see this issue more in the future so I made the following changes in MailScanner.conf:

Allow Filenames = [0-9a-f]{4}.dat$
Allow Filetypes = executable

The verbiage above the "Allow Filenames" indicates that it's an "and" operation - that is, the filename has to match, *and* I need to allow executable filetypes. To test this, I copied /bin/grep, knowing it's an executable file that will otherwise be rejected, then sent it to myself with various filenames.

The results of the test are as follows:

grep      allowed
grep.exe  blocked
0000.abc  allowed
0000.dat  allowed
0000.dot  allowed
0000.com  blocked
0000.pdf  allowed
1234.abc  allowed

My understanding of the comments in MailScanner.conf is that both rules have to match for the attachment to be allowed but clearly this isn't the case. It's the same file. They should all be blocked except 0000.dat.

Using the file command on all the files mentioned (all copies of /bin/grep) returns this (with their respective filename of course):

$ file 0000.dot
0000.dot: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x0002e5c8a1687334639fcf1c24b850879fefbd37, stripped

ELF files are disallowed in filetype.rules.conf (a MailScanner default setting). Since the attachment was named 0000.dot, not 0000.dat, it should have been disallowed.

What am I missing here?

Has anyone else run into the issue of Office 365 documents being filtered? How are you dealing with it?

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

From mailscanner-list at okla.com Sat Jan 24 00:14:01 2015
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Fri, 23 Jan 2015 18:14:01 -0600
Subject: filename/filetype not working properly
In-Reply-To: <5c7c113e73164024a12b40c28bc0bf19@City-Exch-DB2.cbj.local>
References: <5c7c113e73164024a12b40c28bc0bf19@City-Exch-DB2.cbj.local>
Message-ID: <007901d0376a$ac1ac140$045043c0$@okla.com>

I have had some fun with Office .xlsb and workbook.bin attachments in emails. The .xlsb files get through fine but the .bin files are detected as executables.

My fix for this, right or wrong, was to upgrade the "file" command on Centos 6.6 from file-5.04 to the latest file-5.22.

Bad thing is rpm-build on Centos 6.6 base repo requires file-5.04

Make install on the file-5.22 puts the "file" binary in /usr/local/bin instead of the stock location of /usr/bin, so if you try my fix, make sure you change the path to file in MailScanner.conf or perhaps make a symlink.

Regards,
Tracy Greggs
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From kevin.miller at juneau.org Sat Jan 24 01:22:34 2015
From: kevin.miller at juneau.org (Kevin Miller)
Date: Sat, 24 Jan 2015 01:22:34 +0000
Subject: filename/filetype not working properly
In-Reply-To: <007901d0376a$ac1ac140$045043c0$@okla.com>
References: <5c7c113e73164024a12b40c28bc0bf19@City-Exch-DB2.cbj.local> <007901d0376a$ac1ac140$045043c0$@okla.com>
Message-ID:

Thanks. While browsing around I saw Martin Hepworth posted in 2012 that he had changed the File Command from "file" to "file -i" for a similar problem. (See the last comment at http://community.spiceworks.com/topic/204481-release-banned-emails-from-amavisd-new) Not sure if that will cure this or not. Since the person sending the original problem message works outside my organization it's hard to do multiple tests with the offending file. I may have to see if I can get a copy outside of company email (i.e. ftp or something)

My gateways are running on old SUSE boxes - I need to upgrade them as soon as I can find the time but updating file on them isn't doable. I'll have to check what version of file CentOS 7 uses - if I have to rebuild a box, I may as well use the latest/greatest...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
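
Added example, not part of any post in this thread and not MailScanner's own code: a small Python model that compares two readings of the settings quoted in the "filename/filetype not working properly" post with the eight test results reported there. The deny patterns and the independent-checks behaviour are assumptions made for the illustration, and the sample names in the last step are constructed.

```python
import re

# Settings quoted in the thread (MailScanner.conf).
ALLOW_FILENAMES = r"[0-9a-f]{4}.dat$"
ALLOW_FILETYPES = r"executable"

# ASSUMED stand-ins for the rules files; the thread only says that ELF is
# denied in filetype.rules.conf and that the .exe and .com names were blocked.
DENY_FILENAMES = [r"\.exe$", r"\.com$"]
DENY_FILETYPES = [r"ELF"]

# `file` output quoted in the thread (shortened). Every test attachment was
# the same copy of /bin/grep, so the content type never changes.
FILE_OUTPUT = "ELF 64-bit LSB executable, x86-64, version 1 (SYSV)"

# Results reported in the thread.
OBSERVED = {
    "grep": "allowed", "grep.exe": "blocked", "0000.abc": "allowed",
    "0000.dat": "allowed", "0000.dot": "allowed", "0000.com": "blocked",
    "0000.pdf": "allowed", "1234.abc": "allowed",
}


def _denied(patterns, text):
    """True when any deny pattern matches the text."""
    return any(re.search(p, text) for p in patterns)


def independent_checks(name, file_output=FILE_OUTPUT):
    """Model A (assumption): name and content type are judged separately,
    and an allow match only short-circuits its own check."""
    name_ok = bool(re.search(ALLOW_FILENAMES, name)) or not _denied(DENY_FILENAMES, name)
    type_ok = bool(re.search(ALLOW_FILETYPES, file_output)) or not _denied(DENY_FILETYPES, file_output)
    return "allowed" if name_ok and type_ok else "blocked"


def combined_check(name, file_output=FILE_OUTPUT):
    """Model B: the "and" reading from the post. The allow lists apply only
    when name and type both match; otherwise the deny rules decide."""
    if re.search(ALLOW_FILENAMES, name) and re.search(ALLOW_FILETYPES, file_output):
        return "allowed"
    if _denied(DENY_FILENAMES, name) or _denied(DENY_FILETYPES, file_output):
        return "blocked"
    return "allowed"


def mismatches(model):
    """Names for which a model disagrees with the reported results."""
    return sorted(n for n, seen in OBSERVED.items() if model(n) != seen)


def pattern_scope(pattern, names):
    """Which of the given names a filename allow pattern matches."""
    return [n for n in names if re.search(pattern, n)]


if __name__ == "__main__":
    print("independent checks disagree on:", mismatches(independent_checks))
    print("combined check disagrees on:   ", mismatches(combined_check))
    # Constructed names: the quoted pattern is unanchored at the start and
    # its dot is a wildcard, so it covers more than four hex digits + ".dat".
    sample = ["0000.dat", "beef.dat", "report-0000.dat", "0000xdat", "0000.dot"]
    print("quoted pattern matches:", pattern_scope(ALLOW_FILENAMES, sample))
    print("anchored, escaped:     ", pattern_scope(r"^[0-9a-f]{4}\.dat$", sample))
```

Under these assumptions the independent-checks model agrees with all eight reported results, while the "and" reading allows only 0000.dat.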