Amavis is now allowing docx and xlsx through and I don't know why

My users noticed that sometime… in the last week, docx attachments have been coming through in email even though exe and archive filtering is selected. This server was upgraded around that time and is on 6.8 final as of today.
It is blocking jpgs that I zipped but is allowing docx and xlsx.

I’ve also rebooted it because I remember there was an intermittent issue with some amavis function not starting.

Jun 17 16:15:08 server9b amavis[2308]: (02308-04) Checking: 4na31nXAm4Xy [209.85.220.48] <thezing@gmail.com> -> <service@zing.com>
Jun 17 16:15:08 server9b amavis[2308]: (02308-04) p003 1 Content-Type: multipart/mixed
Jun 17 16:15:08 server9b amavis[2308]: (02308-04) p001 1/1 Content-Type: text/plain, size: 3 B, name:
Jun 17 16:15:08 server9b amavis[2308]: (02308-04) p002 1/2 Content-Type: application/octet-stream, size: 4384 B, name: bob2.xlsx
Jun 17 16:15:09 server9b amavis[2308]: (02308-04) mangling NO: 0 (was: disclaimer), discl_allowed=0, <thezing@gmail.com> -> <service@zing.com>
Jun 17 16:15:09 server9b queue/smtpd[2915]: connect from localhost[127.0.0.1]
Jun 17 16:15:09 server9b queue/smtpd[2915]: 08A89E1010: client=localhost[127.0.0.1], orig_client=mail-pa0-f48.google.com[209.85.220.48]
Jun 17 16:15:09 server9b postfix/cleanup[2678]: 08A89E1010: message-id=<c86808d8-d795-62f1-6be5-0bd2a0eab42c@gmail.com>
Jun 17 16:15:09 server9b postfix/qmgr[2157]: 08A89E1010: from=<thezing@gmail.com>, size=9525, nrcpt=1 (queue active)
Jun 17 16:15:09 server9b amavis[2308]: (02308-04) 4na31nXAm4Xy FWD from <thezing@gmail.com> -> <service@zing.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 08A89E1010
Jun 17 16:15:09 server9b queue/smtpd[2915]: disconnect from localhost[127.0.0.1]
Jun 17 16:15:09 server9b amavis[2308]: (02308-04) Passed CLEAN {RelayedInbound}, [209.85.220.48]:34107 [28.125.94.23] <thezing@gmail.com> -> <service@zing.com>, Message-ID: <c86808d8-d795-62f1-6be5-0bd2a0eab42c@gmail.com>, mail_id: 4na31nXAm4Xy, Hits: -, size: 9102, queued_as: 08A89E1010, 403 ms
Jun 17 16:15:09 server9b amavis[2308]: (02308-04) size: 9102, TIMING [total 404 ms] - SMTP greeting: 1.0 (0%)0, SMTP EHLO: 0.3 (0%)0, SMTP pre-MAIL: 0.2 (0%)0, SMTP pre-DATA-flush: 6 (1%)2, SMTP DATA: 0.2 (0%)2, check_init: 1.9 (0%)2, digest_hdr: 0.3 (0%)2, digest_body: 0.1 (0%)2, collect_info: 1.1 (0%)3, mime_decode: 30 (7%)10, get-file-type2: 261 (65%)75, decompose_part: 0.4 (0%)75, parts_decode: 0.1 (0%)75, check_header: 0.3 (0%)75, AV-scan-1: 55 (14%)88, decide_mail_destiny: 0.5 (0%)89, notif-quar: 0.2 (0%)89, fwd-connect: 22 (5%)94, fwd-xforward: 0.2 (0%)94, fwd-mail-pip: 5 (1%)95, fwd-rcpt-pip: 0.1 (0%)95, fwd-data-chkpnt: 0.0 (0%)95, write-header: 0.4 (0%)95, fwd-data-contents: 0.1 (0%)96, fwd-end-chkpnt: 6 (1%)97, prepare-dsn: 0.4 (0%)97, report: 0.9 (0%)97, main_log_entry: 10 (3%)100, SMTP pre-response: 0.1 (0%)100, SMTP response: 0.1 (0%)100, unlink-2-files: 0.2 (0%)100, rundown: 0.6 (0%)100
Jun 17 16:15:09 server9b transfer/smtpd[2869]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 08A89E1010; from=<thezing@gmail.com> to=<service@zing.com> proto=ESMTP helo=<mail-pa0-f48.google.com>
Jun 17 16:15:09 server9b dovecot: lmtp(2917): Connect from local
Jun 17 16:15:09 server9b transfer/smtpd[2869]: disconnect from mail-pa0-f48.google.com[209.85.220.48]

AFAIK amavis configuration and amavis itself didn’t change.

I heard from @filippo_carletti that the file utility used by amavis was upgraded in 6.8 and is now capable of distinguishing docx from zip.


Would you look at that!

554 5.7.0 Reject, id=11469-06 - BANNED: CLASS Exec:application/vnd.openxmlformats-officedocument.wordprocessingml.document,.exe,.exe-ms,3KeePass.docx

In our previous discussions I was able to get ***x files through, but they weren’t being scanned at all, so renaming an exe to docx meant the exe was bypassed as well. As you can see, that’s not the case now. This is excellent.
I did search around some yesterday wondering if something was changed, but I haven’t found any doc yet; my google-fu is weak, I suppose.
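What the upgraded file utility is doing for amavis here, in effect, is typing the attachment by its bytes rather than its name: an .xlsx is an OOXML zip with a known part directory, a renamed executable still starts with the MZ header, and a zipped JPEG is just a zip. The script below is an added example, not code from the thread, amavis or NethServer; the MIME strings are the standard ones and the sample files are constructed in memory.

```python
import io
import zipfile

# OOXML packages are zip archives holding [Content_Types].xml plus a part
# directory (word/, xl/, ppt/) that names the application; a plain zip lacks
# them, and a Windows executable starts with "MZ" regardless of its name.
OOXML_MARKERS = {
    "word/": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "xl/": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "ppt/": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
}


def detect_type(data: bytes) -> str:
    """Return a MIME type derived from the bytes only, never from the file name."""
    if data[:2] == b"MZ":
        return "application/x-dosexec"  # DOS/Windows executable, whatever the extension
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "application/zip"  # zip signature but unreadable archive
        if "[Content_Types].xml" in names:
            for prefix, mime in OOXML_MARKERS.items():
                if any(n.startswith(prefix) for n in names):
                    return mime
        return "application/zip"  # ordinary archive, e.g. a zipped JPEG
    return "application/octet-stream"


def make_zip(entries: dict) -> bytes:
    """Build a constructed in-memory zip used as sample input below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; two of the names deliberately lie about the content.
SAMPLES = {
    "bob2.xlsx": make_zip({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<w/>"}),
    "KeePass.docx": b"MZ\x90\x00" + b"\x00" * 60,  # renamed executable
    "photo.zip": make_zip({"photo.jpg": b"\xff\xd8\xff\xe0"}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:13} -> {detect_type(blob)}")
```

With the older behaviour described in the thread, the renamed executable and the spreadsheet would both have looked like generic zip or octet-stream data, which is why a banned-file rule keyed on the detected type could not tell them apart.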