Amavisd blocking docx, how to allow?

fasttech · September 10, 2015, 5:25pm

So, now that the filter is working it’s blocking files we don’t want to block. Haha.

According to etc/amavisd.conf…

$banned_namepath_re = new_RE(
    qr/(?mix-s:(?#CLASS Exec) ^ (.*\t)? (T=|N=([^\.]+\.)+)(exe|exe-ms|vb[es]?|ws[cfh]|ms[cipt]|pif|scr|sct|bat|cmd|com|cpl|dll|jse?|inf) (\t.*)? $)/,
    qr/(?mix-s:(?#CLASS Arch) ^ (.*\t)? (T=|N=([^\.]+\.)+)(zip|7z|rar|tar|gz|cab|bz2?) (\t.*)? $)/
);

According to the log a docx is blocked…

Sep 10 09:58:09 server9b amavis[6586]: (06586-09) Blocked BANNED (CLASS Arch:.txt,_rels/.rels) {RejectedInbound,Quarantined}, [209.85.220.46]:34181 [2600:1011:b11a:4632:44bf:81ac:6fb0:dc42] <email@gmail.com> -> <service@email.com>, Message-ID: <A05A6280-232B-43FD-A609-3E2252D8BFEC@gmail.com>, mail_id: v0xe2apWnTsE, Hits: -, size: 645077, 1028 ms

So why is archive blocking docx if that extension isn’t explicitly stated?

zamboni · September 10, 2015, 5:28pm

because a docx is just a zip file with a changed estension…
try to rename in filename.zip and to open it with winzip …

fasttech · September 10, 2015, 5:37pm

Now, I turned off Archive, turned on Custom and added “zip,rar,tar,gz,cab,xlsx” but, as you say, it still blocks the docx because it sees it as a zip.

and according to the log…

Sep 10 10:29:28 server9b amavis[7936]: (07936-01) Blocked BANNED (CUSTOM:.txt,_rels/.rels) {RejectedInbound,Quarantined}, [209.85.220.41]:36199 [2600:1011:b11a:4632:44bf:81ac:6fb0:dc42] email@gmail.com -> service@email.com, Message-ID: FCE169AA-73CC-497B-B253-7BF553C58FEC@gmail.com, mail_id: Nb6aqfkegzID, Hits: -, size: 645418, 13036 ms

So this leads me to the business question of how can we blocks zip files without blocking docx?

fasttech · September 10, 2015, 5:43pm

Like so?

[ qr'(\.docx)$' => 0 ],

Which template would this be added to so the config survives reboot?

fasttech · September 10, 2015, 6:14pm

Would I add it here, like so?

    [root@server9b amavisd.conf]# cat 70banned_files
#
# 70banned_files
#

$banned_filename_re = undef;
$banned_namepath_re = new_RE(
[ qr'(\.docx)$' => 0 ],
    {
    join(",\n    ", map {Dumper($_)} @banned_namepath_re);
}
);

#
# Prepend custom file(1) type match for CDF MS-Office documents: will
# be evaluated before the default map that falls back into "dat" type.
#
unshift @map_full_type_to_short_type_maps, \new_RE(
    [qr/^(Composite\ Document\ File|CDF)\ V2\ Document.*Microsoft\ Office/ => 'doc'],
    [qr/^OpenDocument/ => ['odc', 'odt', 'odp', 'odb', 'odg', 'odf']],
);

giacomo · September 11, 2015, 7:06am

Maybe @davidep knows a how to handle the exception.

By the way, I know we already faced the problem and there is no a real work around.
As Stefano said, docx are zip files!

davidep · September 11, 2015, 7:44am

I agree with @giacomo. Indeed there can be anything good or bad inside an archive: it’s just like a container, an envelope.

Perhaps a good reason to have an “Archive” class shown on the UI is enabling it as a temporary workaround for a new malware epidemy, waiting for AV updates or other countermeasures.

Anyway it would be valuable if @fasttech finds the right regular espression to handle the .docx exception! I think he’s on the right track!

zamboni · September 11, 2015, 10:38am

I can’t help you with regexp… but I can remember you to create a custom fragment in /templates-custom tree, otherwise an update could delete your edit

zamboni · September 11, 2015, 10:41am

http://www.iredmail.org/forum/topic3118-iredmail-support-docxxlsxpptx-attachments-block-error.html

remember that ALL files coming from m$ office (docx, xlsx and so on) suffer the same issue…

fasttech · September 13, 2015, 5:48pm

So far I’ve tried several iterations of syntax as well as an override file without success.

Nas · September 13, 2015, 6:02pm

Add this to $banned_namepath_re

 # # allow true office docs
      [ qr'(?# SPECIAL ALLOW OFFICE - MAGIC NAMES)
           (.*\t)? T=(doc|mdb)
             \t(.*\t)? N=[^\t\n]* \. (doc|rtf|msg|mdb|ppt|mmp|prj|xls)
             (\t.*)? $'xmi => 0 ],

Nas · September 13, 2015, 9:54pm

@fasttech test my proposition pls, then i’ll try to implement

Nas · September 14, 2015, 10:04pm

so i think that is is preferable to use :
$banned_filename_re = new_RE(
[ qr’..(docx)$'i => 0 ],
);
I have tested it yet

zamboni · September 15, 2015, 5:02am

fasttech · April 22, 2016, 10:49pm

Today I looked into this again.

I changed the banned part of /etc/e-smith/templates/etc/amavisd.conf/70banned_files

from;

$banned_filename_re = undef;

to

$banned_filename_re = new_RE( [qr'(\.docx)$' => 0], );

…now it allows docx through and still bans xlsx and zip.

…but… I renamed an exe file’s ext from exe to docx and amavis lets that through to.
I renamed an exe file’s ext from exe to doc and that is banned as an exe so while it’s letting docx through, it’ll let anything with a docx ext through.

The point here is to exclude docx from being banned as an archive but still scanning the file so that an exe renamed as a docx would still be banned because it’s really an exe, meaning docx should still be scanned under all rules except the archive ban rule.

Boy oh boy.