The issue of checking filename from mailscanner

zephyr zephyr at flytonet.com
Thu Mar 18 01:41:25 UTC 2021


Thanks Mark. The following are my settings~

=================================================
< MailScanner.conf >
Quarantine Whole Message = yes
Filename Subject Text = {***File Quarantine***}
=================================================

=================================================
< filename.rules.conf >
deny    \.zip$                  -       -
=================================================

=================================================
< release_Quarantine.sh>
#!/bin/sh

if [ -z "$1" ]; then
        echo "Syntax: release_Quarantine.sh <Message-ID> i.e. 5B604228086.932F0 (case sensitive)"
        exit 1
fi

#truncate the filename
mailname=`echo "$1" | cut -d . -f 1`

#find the quarantined file and set permissions
quarantined_file=`find /var/spool/MailScanner/quarantine/ -type f -name "$mailname"`
#stop if nothing was found (more than one match is not handled here)
if [ -z "$quarantined_file" ]; then
        echo "No quarantined file found for $mailname"
        exit 1
fi
chmod u+x "$quarantined_file"
chown postfix:postfix "$quarantined_file"

#truncate the filename
#mailname=`echo $1 | cut -d . -f 1`

#lets get the first character
char=`echo "$1" | cut -b 1-1`

echo 'source file name:'"$quarantined_file"
cp -p "$quarantined_file" /var/spool/postfix/incoming/"$mailname"
=================================================

If a customer sends an email with a zip attachment to my user, MailScanner
will quarantine the whole message into "/var/spool/MailScanner/quarantine/"
and add "***File Quarantine***" to the subject.
I can release the original email when I review it as safe (using
release_Quarantine.sh).
This is good for me, but the process of MailScanner is spam test --> virus
test --> attachment test, so I cannot use specific words to block emails when
the email has a low spam score. The user will still receive the email
without the attachment.

If I change the setting of filename.rules.conf => 「blacklist at domain.com  \.zip$
-       - 」, the email will be forwarded to blacklist at domain.com if the file
has been blocked, and then I can just use an email client to forward the
message to the user when I review it later. This is not the original
information of the email, so it's inconvenient for me.

Is there a better way?
----------------------------------------------------------------------------

Message: 1
Date: Wed, 17 Mar 2021 09:45:30 +0800
From: "zephyr" <zephyr at flytonet.com>
To: <mailscanner at lists.mailscanner.info>
Subject: Re: The issue of checking filename from mailscanner
Message-ID: <000001d71acf$37417c70$a5c47550$@flytonet.com>
Content-Type: text/plain;	charset="us-ascii"

Thanks for your reply. Yes, I want to know how to quarantine the whole message
if a file is blocked.

I can forward email to myblacklist account to achieve my goal. But I cannot
release original message as before.

Any idea?

-----Original Message-----

Message: 1
Date: Sun, 14 Mar 2021 10:02:44 -0400
From: Shawn Iverson <shawniverson at summitgrid.com>
To: mailscanner at lists.mailscanner.info
Subject: Re: The issue of checking filename from mailscanner
Message-ID: <0a733130-eade-3a9c-2eb5-7f1af2a580aa at summitgrid.com>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"

Are you wanting to quarantine the whole message if a file is blocked?

On 3/12/21 4:12 AM, zephyr wrote:
>
> I use filename.rules.conf to detect unallowed filenames, and set a
> parameter such as "deny \.iso$" to quarantine the email message that
> contains the illegal file type.
>
> After checking it, I can release the original message to the user ( cp -p
> $quarantined_file /var/spool/postfix/incoming/$mailname).
>
> But this command still sends the mail to the receiver, but without the
> quarantined file, before I release the email.
>
> I am wondering if there is a command that can quarantine this mail and stop
> sending it to the user, until I have checked it and allowed it to the recipient?
>
>
>

------------------------------

Subject: Digest Footer



--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner


------------------------------

End of MailScanner Digest, Vol 183, Issue 3
*******************************************



------------------------------

Message: 2
Date: Tue, 16 Mar 2021 19:16:56 -0700
From: Mark Sapiro <mark at msapiro.net>
To: mailscanner at lists.mailscanner.info
Subject: Re: The issue of checking filename from mailscanner
Message-ID: <4a83a3cf-5a45-0e29-650c-4f909ced8d23 at msapiro.net>
Content-Type: text/plain; charset=utf-8

On 3/16/21 6:45 PM, zephyr via MailScanner wrote:
> Thanks for your reply. Yes, I want to know how to quarantine the whole
> message if a file is blocked.


If you set Quarantine Whole Message = Yes, does that do it?

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


------------------------------

Message: 3
Date: Wed, 17 Mar 2021 09:04:29 +0200
From: aris fesarlis <fesarlis at gmail.com>
To: mailscanner at lists.mailscanner.info
Subject: Re: URGENT - SILENT VIRUSES EXCEPTIONS
Message-ID: <f8538569-b7ef-8135-fe80-76b815cf3c82 at gmail.com>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL:
<http://lists.mailscanner.info/pipermail/mailscanner/attachments/20210317/ec
5b0708/attachment-0001.html>

------------------------------

Message: 4
Date: Wed, 17 Mar 2021 08:48:27 +0000
From: "Andrews, Vincent" <v.andrews at noc.ac.uk>
To: "mailscanner at lists.mailscanner.info"
	<mailscanner at lists.mailscanner.info>
Subject: Moving an existing Mail Relay from one VM to another.
Message-ID: <140EA446-F3F5-4462-83D7-F88F7DC695F3 at noc.ac.uk>
Content-Type: text/plain; charset="utf-8"

Hello,

Our existing mail relay is in need of an OS change; we have created a new one
based around CentOS 7 and MailScanner V5.3.4.

Everything seems to check out - "--lint" passes without error.

Because the new system is not a legitimate mail relay - we cannot do any
further testing until we move the IP address over.

We moved the IP Address from the existing VM to the new and changed
/etc/hostname and rebooted.

Mail started to be accepted and was processed as we would expect -
MailScanner was identifying Spam and passing everything as normal. The
messages were passed to sendmail for processing.

We then noticed that mail was being delayed by two key 365 domains. We left
it like that for about 40 minutes and then reverted to the existing server.
After which mail was processed correctly. The messages in /var/spool/mqueue
were moved to the existing system and within 10 minutes everything was
cleared.

Has anyone had a similar experience?

Could it be that the new VM - having a different MAC address - was being
flagged as an illegal mail relay?

Thank you for your help, and sorry about the essay.

Vincent Andrews.



-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.mailscanner.info/pipermail/mailscanner/attachments/20210317/4e
68af49/attachment-0001.html>

------------------------------


End of MailScanner Digest, Vol 183, Issue 4
*******************************************
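
The two filename.rules.conf forms discussed in this thread (a deny rule and an address in the action field), as an added example that is not part of any poster's message or of MailScanner itself: a dry-run that shows which rule a given attachment name would hit, so rule order can be checked before a rule set goes live. Assumptions: TAB-separated fields, first matching rule wins, case-insensitive matching, grep -E standing in for Perl regexes; the function names, the sample rules and reviewer@example.com are constructed for the example.

```shell
#!/bin/sh
# Added example: dry-run a filename.rules.conf-style rule list against
# attachment names before deploying it.
# Assumptions: fields are TAB-separated (action, regex, log text, report
# text), the first matching rule wins, and matching is case-insensitive.
# grep -E stands in for MailScanner's Perl regexes, so only patterns that
# are valid in both dialects behave the same.

# first_match RULES_FILE FILENAME
# Prints the action field of the first rule whose regex matches FILENAME,
# or "no-match" if none does.
first_match() {
    rules=$1
    name=$2
    tab=$(printf '\t')
    while IFS="$tab" read -r action regex logtext report || [ -n "$action" ]; do
        case $action in
            ''|'#'*) continue ;;        # skip blank lines and comments
        esac
        if printf '%s\n' "$name" | grep -Eiq -e "$regex"; then
            printf '%s\n' "$action"
            return 0
        fi
    done < "$rules"
    printf 'no-match\n'
}

# write_sample_rules PATH: constructed rules, not taken from a real site.
# reviewer@example.com is a placeholder for the address form of the action.
write_sample_rules() {
    {
        printf '# action\tregex\tlog text\treport text\n'
        printf '%s\t%s\t-\t-\n' 'allow' '^monthly-report\.zip$'
        printf '%s\t%s\t-\t-\n' 'deny' '\.zip$'
        printf '%s\t%s\t-\t-\n' 'reviewer@example.com' '\.iso$'
    } > "$1"
}

# Demo: the allow rule only takes effect because it precedes the deny rule.
rules_tmp=$(mktemp)
write_sample_rules "$rules_tmp"
for f in monthly-report.zip Invoice.ZIP disk.iso notes.txt; do
    printf '%-20s -> %s\n' "$f" "$(first_match "$rules_tmp" "$f")"
done
rm -f "$rules_tmp"
```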

