All I want to do is block zip files

Hi @fasttech, I’ve tried to reproduce the block of the archives class (custom list disabled):


    [root@vm3 ~]# config show amavisd
    amavisd=service
    BlockAttachmentClassList=Exec,Arch
    BlockAttachmentCustomList=doc,odt
    BlockAttachmentCustomStatus=disabled
    BlockAttachmentStatus=enabled
    SpamCheckStatus=disabled
    SpamDsnLevel=20
    […]
    status=enabled

  • It works as expected blocking a ZIP file on port 25:

    Sep 3 16:38:27 vm3 amavis[5404]: (05404-01) Blocked BANNED (CLASS Arch:bootstrap-3.3.4/) {RejectedInternal,Quarantined}, MYNETS LOCAL [192.168.122.1]:60969 <davide.principi@vnet1.tld> -> <prova@vnet1.tld>, Message-ID: <1441298293.2232.56.camel@vnet1.tld>, mail_id: MO5ai8-BmI-Z, Hits: -, size: 4476433, 13773 ms
    Sep 3 16:38:27 vm3 transfer/smtpd[5366]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=05404-01 - BANNED: CLASS Arch:bootstrap-3.3.4/; from=<davide.principi@vnet1.tld> to=<prova@vnet1.tld> proto=ESMTP helo=<davidep1.nethesis.it>
  • Also on port 587, with SMTPAUTH:

    Sep 3 16:41:29 vm3 submission/smtpd[5416]: NOQUEUE: client=unknown[192.168.122.1], sasl_method=PLAIN, sasl_username=davidep
    Sep 3 16:41:31 vm3 amavis[5405]: (05405-01) Blocked BANNED (CLASS Arch:bootstrap-3.3.4/) {RejectedInternal,Quarantined}, SUBMISSION/MYNETS LOCAL [192.168.122.1]:45617 <davide.principi@vnet1.tld> -> <prova@vnet1.tld>, Message-ID: <1441298489.2232.59.camel@vnet1.tld>, mail_id: GgynetqKFJoI, Hits: -, size: 4476468, 2102 ms
    Sep 3 16:41:31 vm3 submission/smtpd[5416]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=05405-01 - BANNED: CLASS Arch:bootstrap-3.3.4/; from=<davide.principi@vnet1.tld> to=<prova@vnet1.tld> proto=ESMTP helo=<davidep1.nethesis.it>
  • As stated in the source fragment above, I can confirm the applied configuration is from /etc/amavisd.conf.

https://github.com/NethServer/nethserver-mail-filter/blob/master/root/etc/e-smith/templates/etc/amavisd.conf/30banned_files_ui#L20

Unfortunately the only chance of reproducibility was with the original ZIP file.

Edit: My doubt now is: was it a real archive, or was only the name ending with .zip? The regexp above seems to match both the file type and the extension…
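The doubt raised above (real archive, or only a .zip name?) is the same distinction amavis makes when it matches on type and extension and then tries to unzip the part. The following is an added illustration, not code from the thread or from NethServer: it compares what a filename claims with what the bytes actually are, using Python's `zipfile`, over a handful of constructed sample attachments (the sample names and contents are invented).

```python
import io
import zipfile


def make_zip(members):
    """Build an in-memory ZIP from {member_name: bytes} (helper for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample attachments (not files from the thread):
SAMPLES = {
    "photo.zip": make_zip({"photo.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes"}),  # real ZIP, .zip name
    "invoice.zip": b"%PDF-1.4 not a zip, just a .zip name",                      # name only
    "archive.pdf": make_zip({"report.pdf": b"%PDF-1.4 fake pdf"}),              # real ZIP, wrong extension
    "report.pdf.zip": make_zip({"report.pdf": b"%PDF-1.4 fake pdf"}),           # double extension
    "notes.txt": b"plain text",                                                  # not an archive
}


def classify_attachment(name, data):
    """Compare what the filename claims with what the bytes actually are.

    zipfile.is_zipfile() looks for the end-of-central-directory record, so a
    blob that merely carries a .zip name is reported as 'name-only': a rule
    matching on the extension would still fire, but unzipping it would fail.
    """
    ext_says_zip = name.lower().endswith(".zip")
    content_is_zip = zipfile.is_zipfile(io.BytesIO(data))
    members = []
    if content_is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    if ext_says_zip and content_is_zip:
        verdict = "archive"
    elif ext_says_zip:
        verdict = "name-only"
    elif content_is_zip:
        verdict = "content-only"
    else:
        verdict = "not-archive"
    return {
        "name": name,
        "ext_says_zip": ext_says_zip,
        "content_is_zip": content_is_zip,
        "members": members,
        "verdict": verdict,
    }


def classify_all(samples=SAMPLES):
    """Classify every sample; returns {name: classification}."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:16} {result['verdict']:13} members={result['members']}")
```

Run it as a script to see the four outcomes side by side; the "name-only" case is the one where a .zip filename and a failed unzip coexist, and "content-only" is the opposite mismatch that an extension-only rule would never see.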

I’m really at a loss now. Here’s my current test results. Using the same zip file.

Disable Email > Filter > Custom List…

Emailed inbound, blocked at the gateway, disable gateway av.

Emailed inbound,

    Sep  3 10:36:01 server9b amavis[23773]: (23773-02) Blocked INFECTED (Sanesecurity.Rogue.0hr.20150902-1354.UNOFFICIAL) {RejectedInbound,Quarantined}, [0.0.0.0]:54396 [0.0.0.0] <email@email.com> -> <email2@email2.com>, Message-ID: <CFBE9348-90DE-41A0-AA57-F9376FD48AE7@email.com>, mail_id: s__PXqzCTtBf, Hits: -, size: 26516, 2402 ms
    Sep  3 10:36:01 server9b transfer/smtpd[23949]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=23773-02 - INFECTED: Sanesecurity.Rogue.0hr.20150902-1354.UNOFFICIAL; from=<email@email.com> to=<email2@email2.com> proto=ESMTP helo=<navigator.domain.net>

Disable Email > Filter > Anti-virus

Email inbound,

    Sep  3 10:36:41 server9b amavis[24102]: (24102-01) Blocked BANNED (CLASS Exec:.exe,.exe-ms,orderMraz Skyway.exe) {RejectedInbound,Quarantined}, [0.0.0.0]:49238 [0.0.0.0] <email@email.com> -> <email2@email2.com>, Message-ID: <3E10E072-61CA-4B44-B300-1D0EF6FA5576@email.com>, mail_id: ZSkKU5IHV3Xo, Hits: -, size: 26516, 2310 ms
    Sep  3 10:36:41 server9b transfer/smtpd[24125]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=24102-01 - BANNED: CLASS Exec:.exe,.exe-ms,orderMraz Skyway.exe; from=<email@email.com> to=<email2@email2.com> proto=ESMTP helo=<navigator.domain.net>

And another clean zip being blocked by Archive.

    Sep  3 10:30:55 server9b amavis[23771]: (23771-01) (!)do_unzip: not a zip: AZ_FORMAT_ERROR (3)
    Sep  3 10:30:55 server9b amavis[23771]: (23771-01) Blocked BANNED (CLASS Arch:application/zip,.zip,Harber GroupKkeo0.zip) {RejectedInbound,Quarantined}, [0.0.0.0]:30547 [0.0.0.0] <email@email.com> -> <email2@email2.com>, Message-ID: <4BCEF9F7-2E8E-4334-9AC2-81E9E6015E52@email.com>, mail_id: FmSXUvr6uJLz, Hits: -, size: 9751, 2335 ms
    Sep  3 10:30:55 server9b transfer/smtpd[23805]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=23771-01 - BANNED: CLASS Arch:application/zip,.zip,Harber GroupKkeo0.zip; from=<email@email.com> to=<email2@email2.com> proto=ESMTP helo=<navigator.domain.net>

The original file does seem to be a zip.


I don’t get it.

I’m glad I refrained from applying the suggested config edits.

I think we could be sure of what amavisd does by increasing its log verbosity, as the template fragment suggests.

Your tests make me think the order of evaluation is:

  • inspect the file with clamd
  • if archive, explode and evaluate files inside it
  • check if file type is banned

Edit: the AV software can be configured to inspect archives recursively, thus the policy “ask AV first”.

I think at this point, and because this server is production, that I will run this test immediately after the next reboot, because I’m wondering, based on the original log I posted, if amavis was actually running in a state where it wasn’t seeing any attachments.
The only changes I’ve made were to turn options on and off in the gui, but it seems that as soon as amavis was restarted, it began to scan attachments.

Unless you have anything else, I’ll leave this as is for now.

Thank you @davidep

I know the amavisd init.d script sometimes fails to restart amavisd. I never found a way to reproduce that state, so I never filed a bug. I only know that if it happens, amavisd must be TERMinated and then started again.


@davidep I have 2 or 3 mail servers with amavis "amavisd-new-2.7.1", no problem at all. It is an issue because of the template; make changes to it and put amavisd.conf in /etc/amavisd/amavisd.conf

We could fix the .conf file position in 6.7!

Anyway I think the .conf position does not affect the daemon behavior. If you find some configuration option is harmful we can fix it, of course.

To address the restart problem, which is hard to reproduce because it occurs rarely, we can also override the init.d script and supervise amavisd with Upstart. A generic Upstart template already exists.


grrrr…

I’ve got files today passing through the gateway av named as .zip and .pdf.zip, also passed by amavis (set to block Archive), and they’re triggered on by the client av, so I thought, “well, I can work with this to maybe figure out why amavis is passing these files”, but when I zip a .jpg and send it through, amavis bans it.

smh.

I can’t reproduce your problems, you know.
We need to debug your system.
Let’s start with more verbose logging:

    mkdir -p /etc/e-smith/templates-custom/etc/amavisd.conf
    # single quotes: the shell must not expand $log_level before it reaches the fragment
    echo '$log_level = 2;' >/etc/e-smith/templates-custom/etc/amavisd.conf/99loglevel
    # regenerate /etc/amavisd.conf from the templates so the new fragment is picked up
    expand-template /etc/amavisd.conf
    service amavisd restart

You’ll find lines like the following in /var/log/maillog:

    Sep 25 07:56:44 nethservice amavis[1848]: (01848-09) p003 1/2 Content-Type: application/zip, size: 87624 B, name: PDF_6325713364282.DOC.zip

@filippo_carletti welcome back from vacation :slight_smile:
I have posted that it is better to make the restriction in:
$banned_filename_re =


Thank you @Nas, I’m happy to be again in front of a computer. :smile:

AFAIK, banned_filename_re has been superseded by banned_namepath_re which we’re using now.

Those two options work together; I have already tested it.

The updated verbose logging is really nice. Thanks.