Filename/type rules

gojensen mailscanner at gojensen.no
Mon Nov 16 13:51:07 UTC 2015


On 16.11.2015 12:38, Antony Stone wrote:
> On Monday 16 November 2015 at 12:18:30, gojensen wrote:
>> Quick question... how can I verify that attachments are scanned for
>> "invalid" files? We keep getting .zip files with .scr executables inside
>> of them... not good.
>
> Your system should be looking inside the zip files to see what the content is,
> not just regarding it as "a zip file".

Then this must not be working... We got a .zip with a .scr inside and it 
just got through with no tagging or flagging... any idea how I can debug 
this?

As far as I can see from the mostly default mailscanner.conf it does 
treat .zip as archives and it uses the archives.filename.rules.conf 
which has a deny on .scr files.

#MailScanner.conf
Archives Are = zip rar ole
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf

#both filename.rules.conf and archives.filename.rules.conf have this
deny    \.scr$          Possible virus hidden in a screensaver

I did notice Maximum Archive Depth was set to 0 (by default?) - does 
this totally disable archive scanning?! or just disable the limit on 
nested archive files?

> If you specify just a list of (static) filename rules, they go into the file
> %etc-dir%/filename.rules.conf
>
> If instead you specify a ruleset, then the filename containing that ruleset
> must end in .rules
>
> This is how MailScanner knows that one is a list of rules, and the other is a
> ruleset.
>
> Rulesets allow you to do different things based on sender and recipient
> addresses.  Static rules simply apply the same (filename, in this case) rules
> to all mail going through the system.

Thanks for that clarification Antony. We don't use advanced rulesets so 
that's why I was a bit confused I guess...

-- 
// gojensen
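
One way to check offline which members of a given .zip a deny rule like the one quoted above would match (an added example, not part of the original post and not MailScanner code). The whitespace-separated rule fields, the case-insensitive matching, and the script's own `max_depth` and size limits are assumptions; they do not model MailScanner's Maximum Archive Depth setting.

```python
import io
import re
import zipfile

# Rule line as quoted in the post (tab-separated here; spacing is an assumption).
RULES_TEXT = "deny\t\\.scr$\t\tPossible virus hidden in a screensaver\n"
MAX_NESTED_BYTES = 50 * 1024 * 1024  # this script's own cap before opening a nested zip

def parse_rules(text):
    """Parse 'action pattern log-text' lines; blank lines and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        # Assumption: patterns are matched case-insensitively.
        rules.append((parts[0].lower(), re.compile(parts[1], re.IGNORECASE),
                      " ".join(parts[2:])))
    return rules

def first_match(name, rules):
    for action, pattern, log_text in rules:
        if pattern.search(name):
            return action, log_text
    return None

def audit_zip(data, rules, max_depth=3, prefix=""):
    """Return [(member path, log text)] for members hit by a deny rule.
    max_depth is this script's nesting limit (1 = top-level members only)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            match = first_match(info.filename, rules)
            if match and match[0] == "deny":
                hits.append((path, match[1]))
            elif (info.filename.lower().endswith(".zip") and max_depth > 1
                  and info.file_size <= MAX_NESTED_BYTES):
                hits += audit_zip(zf.read(info), rules, max_depth - 1, path + "!")
    return hits

def make_sample():
    """Build a constructed test archive in memory: harmless placeholder bytes only."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.scr", b"placeholder")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("Photo.SCR", b"placeholder")
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()
```

To audit a real attachment, pass its bytes and the parsed contents of your own rules file to `audit_zip`; an empty result for a file you know contains a .scr means the rule text itself is not matching.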

