[Dovecot] mime support for pigeonhole
Is there any chance of rfc5703 (mime support/extension) being added to pigeonhole? I am trying to filter mail with .exe and .zip attachments, to no success. I have tried *header :contains "x-attached" [".zip", ".exe"]* but the emails I'm getting don't have x-attached. A sample snippet is below.

Subject: testa1
Content-Type: multipart/mixed; boundary="------------020304040002050407030900"

This is a multi-part message in MIME format.
--------------020304040002050407030900
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

this has a compressed file added a1
--------------020304040002050407030900
Content-Type: application/x-zip-compressed; name="pinglog.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pinglog.zip"

I have tried *header :contains ["Content-Type","name","filename"] ["application/x-zip-compressed",".zip",".exe"]*
but that doesn't work either.

I can't use body because that doesn't include the mime headers, so the only way I can see is to use mime (aka rfc5703). I am using dovecot 2.1.8 with pigeonhole 0.3.3 (and am about to use dovecot 2.2.9 with pigeonhole 0.4.2 on another server). If I'm just missing the point, or there is already support, please point me in the right direction.
Hi,

On 1/30/2014 7:50 PM, Tim Dickson wrote:
> is there any chance of rfc5703 (mime support/extension) being added to pigeonhole?

There are plans for that, but there is no concrete timeline.

> I am trying to filter mail with .exe and .zip attachments, to no success.
> I can't use body because that doesn't include the mime headers, so the only way I can see is to use mime (aka rfc5703). I am using dovecot 2.1.8 with pigeonhole 0.3.3 (and am about to use dovecot 2.2.9 with pigeonhole 0.4.2 on another server). If I'm just missing the point, or there is already support, please point me in the right direction.

You only need to test for the existence of certain attachments:

require "body";
require "relational";
require "fileinto";

if body :count "gt" :content "application/x-zip-compressed" "0" {
  fileinto "Zip";
} else {
  fileinto "NoZip";
}

This tests whether there are more than zero message parts with content-type "application/x-zip-compressed".

Regards,
Stephan.
On 05/02/2014 00:21, Stephan Bosch wrote:
> Hi,
>
> On 1/30/2014 7:50 PM, Tim Dickson wrote:
>> is there any chance of rfc5703 (mime support/extension) being added to pigeonhole?
>
> There are plans for that, but there is no concrete timeline.

hopefully soon :-)

>> I am trying to filter mail with .exe and .zip attachments, to no success.
>> I can't use body because that doesn't include the mime headers, so the only way I can see is to use mime (aka rfc5703). I am using dovecot 2.1.8 with pigeonhole 0.3.3 (and am about to use dovecot 2.2.9 with pigeonhole 0.4.2 on another server). If I'm just missing the point, or there is already support, please point me in the right direction.
>
> You only need to test for the existence of certain attachments:
>
> require "body";
> require "relational";
> require "fileinto";
>
> if body :count "gt" :content "application/x-zip-compressed" "0" {
>   fileinto "Zip";
> } else {
>   fileinto "NoZip";
> }
>
> This tests whether there are more than zero message parts with content-type "application/x-zip-compressed".
>
> Regards,
> Stephan.

many thanks for the reply.

I did previously try body :raw :contains ["application/x-zip-compressed","application/x-silverlight"],
which catches zip and scr files, but does nothing for exe files (or pif ones), both of which share types with other file types. The ideal would be to scan the "filename" part of the attachment header. The line below does that roughly by brute force.

body :raw :regex ["filename=.*\.exe","filename=.*\.pif","filename=.*\.scr","filename=.*\.zip"]

This would let me test for other sorts of attachment easily as well.

Unless the :content test included filename, which rfc5173 doesn't seem to mention, :content does not let me identify exe as distinct from bin, class, dll, dmg, dms, lhs, lza .. etc. as they all have the same content type. It also doesn't help with pif files (which I didn't mention earlier, but are also common for malware) and which have a content type of text/plain with base64 encoding, which is odd for what amounts to a binary with executable capability.

hopefully, the :mime support will come soon :-)
regards, Tim
On 2014-02-05 11:08, Tim Dickson wrote:
> hopefully, the :mime support will come soon :-)

until that happens, why not add foxhole 3rd party signatures to clamav?
On 30 Jan 2014, at 11:50 , Tim Dickson dickson.tim@googlemail.com wrote:
> I am trying to filter mail with .exe and .zip attachments, to no success.

Are you using postfix with dovecot?

$ cat mime_headers.pcre
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" may not end with ".$3"
$ grep mime main.cf
mime_header_checks = pcre:$config_directory/mime_headers.pcre

-- 
"Conservatives want live babies so they can raise them to be dead soldiers" ~Carlin
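As an added example (not code from this thread), a small Python check that runs both approaches discussed so far over one constructed message: Stephan's count of parts by content type, and the extension rule from the mime_headers.pcre table above. The boundary, the base64 bodies and the readme.pif part are made up; the .pif part is sent as text/plain, the case Tim describes.

```python
import email
from email import policy

# Extension list copied from the mime_headers.pcre rule quoted above
# (.zip is not on it; Tim's own :regex test adds it separately).
BLOCKED_EXT = set("""ade adp bas bat chm cmd com cpl crt dll exe hlp hta inf
ins isp js jse lnk mdb mde mdt mdw msc msi msp mst nws ops pcd pif prf reg scf
scr sct shb shs shm swf vb vbe vbs vbx vxd wsc wsf wsh""".split())

# Constructed sample (boundary, base64 bodies and readme.pif are made up),
# modelled on the first mail plus a .pif attachment labelled text/plain.
RAW = """\
Subject: testa1
Content-Type: multipart/mixed; boundary="XYZ"

This is a multi-part message in MIME format.
--XYZ
Content-Type: application/x-zip-compressed; name="pinglog.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pinglog.zip"

aGVsbG8=
--XYZ
Content-Type: text/plain; name="readme.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.pif"

aGVsbG8=
--XYZ--
"""

def count_content_type(msg, ctype):
    """Leaf parts whose Content-Type equals ctype: roughly what Stephan's
    body :count "gt" :content <ctype> "0" test counts."""
    return sum(1 for p in msg.walk()
               if not p.is_multipart() and p.get_content_type() == ctype)

def attachment_names(msg):
    """Content-Disposition filename=, falling back to Content-Type name=."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]

def blocked_names(msg):
    """Names whose last extension is on the list: what the Postfix PCRE rejects."""
    return [n for n in attachment_names(msg)
            if "." in n and n.rsplit(".", 1)[1].lower() in BLOCKED_EXT]

MSG = email.message_from_string(RAW, policy=policy.default)
```

The zip is found by content type but not by the PCRE list, while the .pif part is text/plain and is found only by the filename rule, which is exactly the gap Tim describes.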
On 05/02/2014 03:50, LuKreme wrote:
> On 30 Jan 2014, at 11:50 , Tim Dickson dickson.tim@googlemail.com wrote:
>> I am trying to filter mail with .exe and .zip attachments, to no success.
>
> Are you using postfix with dovecot?

I am (standard slackware), but I will be moving to dovecot-lda so that I can use sieve and imap with maildirs instead of mbox.

> $ cat mime_headers.pcre
> /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" may not end with ".$3"
> $ grep mime main.cf
> mime_header_checks = pcre:$config_directory/mime_headers.pcre

Very useful blocking filter, many thanks. Does it generate backscatter? I have come across a number of spam emails which have more than one address in the from field. Would this filter send the spam to those addresses by way of a mail bounce?

The main reason for the filtering is because our broadband data allowance was maxed out due to spam, malware spam and backscatter. I am having to move my mail server functionality off-site and filter it on a vps running slackware, dovecot and pigeonhole, before collecting it per mailbox via my internal server.
On 06.02.2014 10:41, Tim Dickson wrote:
> On 05/02/2014 03:50, LuKreme wrote:
>> On 30 Jan 2014, at 11:50 , Tim Dickson dickson.tim@googlemail.com wrote:
>>> I am trying to filter mail with .exe and .zip attachments, to no success.
>>
>> Are you using postfix with dovecot?
>
> I am (standard slackware), but I will be moving to dovecot-lda so that I can use sieve and imap with maildirs instead of mbox.
>
>> $ cat mime_headers.pcre
>> /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" may not end with ".$3"
>> $ grep mime main.cf
>> mime_header_checks = pcre:$config_directory/mime_headers.pcre
>
> Very useful blocking filter, many thanks. Does it generate backscatter?

No, should reject at smtp income data stage, but look
http://www.postfix.org/header_checks.5.html
for more info

> I have come across a number of spam emails which have more than one address in the from field. Would this filter send the spam to those addresses by way of a mail bounce?

not sure if I understand... if it rejects at income smtp data stage, recipients are not a matter of interest

> The main reason for the filtering is because our broadband data allowance was maxed out due to spam, malware spam and backscatter. I am having to move my mail server functionality off-site and filter it on a vps running slackware, dovecot and pigeonhole, before collecting it per mailbox via my internal server.

you should integrate clamav with sanesecurity antispam, and spamassassin and/or amavis, take the questions to the amavis postfix list, questions for filter sieve tagged mails go to dovecot list or have a look at
http://wiki2.dovecot.org/Pigeonhole/Sieve/Examples

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
On Thu, 6 Feb 2014, Robert Schetterer wrote:
> On 06.02.2014 10:41, Tim Dickson wrote:
>> Very useful blocking filter, many thanks. Does it generate backscatter?
>
> No, should reject at smtp income data stage, but look
      ^^
I would say "must" in order to avoid backscatter. As soon as you've accepted the message, you must generate a bounce.

> http://www.postfix.org/header_checks.5.html for more info
>
>> I have come across a number of spam emails which have more than one address in the from field. Would this filter send the spam to those

If you reject at SMTP transmission time, no bounce is generated at all, but a negative SMTP reply code.

>> addresses by way of a mail bounce?

The "From" header of a message is not consulted, when the bounce message is generated. Bounces are sent to the envelope sender, either passed by the MTA or taken from the Return-Path header.
Steffen Kaiser