Amavisd blocking docx, how to allow?

So, now that the filter is working it’s blocking files we don’t want to block. Haha.

According to etc/amavisd.conf…

$banned_namepath_re = new_RE(
    qr/(?mix-s:(?#CLASS Exec) ^ (.*\t)? (T=|N=([^\.]+\.)+)(exe|exe-ms|vb[es]?|ws[cfh]|ms[cipt]|pif|scr|sct|bat|cmd|com|cpl|dll|jse?|inf) (\t.*)? $)/,
    qr/(?mix-s:(?#CLASS Arch) ^ (.*\t)? (T=|N=([^\.]+\.)+)(zip|7z|rar|tar|gz|cab|bz2?) (\t.*)? $)/

According to the log a docx is blocked…

Sep 10 09:58:09 server9b amavis[6586]: (06586-09) Blocked BANNED (CLASS Arch:.txt,_rels/.rels) {RejectedInbound,Quarantined}, []:34181 [2600:1011:b11a:4632:44bf:81ac:6fb0:dc42] <> -> <>, Message-ID: <>, mail_id: v0xe2apWnTsE, Hits: -, size: 645077, 1028 ms

So why is archive blocking docx if that extension isn’t explicitly stated?

because a docx is just a zip file with a changed extension…
try to rename it and open it with winzip …

Now, I turned off Archive, turned on Custom and added “zip,rar,tar,gz,cab,xlsx” but, as you say, it still blocks the docx because it sees it as a zip.

and according to the log…

Sep 10 10:29:28 server9b amavis[7936]: (07936-01) Blocked BANNED (CUSTOM:.txt,_rels/.rels) {RejectedInbound,Quarantined}, []:36199 [2600:1011:b11a:4632:44bf:81ac:6fb0:dc42] ->, Message-ID:, mail_id: Nb6aqfkegzID, Hits: -, size: 645418, 13036 ms

So this leads me to the business question of how can we block zip files without blocking docx?

Like so?

[ qr'(\.docx)$' => 0 ],

Which template would this be added to so the config survives reboot?

Would I add it here, like so?

    [root@server9b amavisd.conf]# cat 70banned_files
# 70banned_files

$banned_filename_re = undef;
$banned_namepath_re = new_RE(
[ qr'(\.docx)$' => 0 ],
    join(",\n    ", map {Dumper($_)} @banned_namepath_re);

# Prepend custom file(1) type match for CDF MS-Office documents: will
# be evaluated before the default map that falls back into "dat" type.
unshift @map_full_type_to_short_type_maps, \new_RE(
    [qr/^(Composite\ Document\ File|CDF)\ V2\ Document.*Microsoft\ Office/ => 'doc'],
    [qr/^OpenDocument/ => ['odc', 'odt', 'odp', 'odb', 'odg', 'odf']],

Maybe @davidep knows how to handle the exception.

By the way, I know we already faced the problem and there is no real workaround.
As Stefano said, docx are zip files! :wink:


I agree with @giacomo. Indeed there can be anything good or bad inside an archive: it’s just like a container, an envelope.

Perhaps a good reason to have an “Archive” class shown on the UI is enabling it as a temporary workaround for a new malware epidemic, waiting for AV updates or other countermeasures.

Anyway it would be valuable if @fasttech finds the right regular expression to handle the .docx exception! I think he’s on the right track!


I can’t help you with regexp… but I can remind you to create a custom fragment in the /templates-custom tree, otherwise an update could delete your edit

remember that ALL files coming from m$ office (docx, xlsx and so on) suffer the same issue…

So far I’ve tried several iterations of syntax as well as an override file without success.

Add this to $banned_namepath_re

 # # allow true office docs
           (.*\t)? T=(doc|mdb)
             \t(.*\t)? N=[^\t\n]* \. (doc|rtf|msg|mdb|ppt|mmp|prj|xls)
             (\t.*)? $'xmi => 0 ],

@fasttech test my proposition pls, then i’ll try to implement

so I think that it is preferable to use:
$banned_filename_re = new_RE(
[ qr'.\.(docx)$'i => 0 ],
);
I have tested it yet :slight_smile:


Today I looked into this again.

I changed the banned part of /etc/e-smith/templates/etc/amavisd.conf/70banned_files


$banned_filename_re = undef;


$banned_filename_re = new_RE( [qr'(\.docx)$' => 0], );

…now it allows docx through and still bans xlsx and zip.

…but… I renamed an exe file’s ext from exe to docx and amavis lets that through too.
I renamed an exe file’s ext from exe to doc and that is banned as an exe so while it’s letting docx through, it’ll let anything with a docx ext through.

The point here is to exclude docx from being banned as an archive but still scanning the file so that an exe renamed as a docx would still be banned because it’s really an exe, meaning docx should still be scanned under all rules except the archive ban rule.

Boy oh boy.
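A simplified model of the first-match rule lookup discussed in this thread, added here as an example (it is not amavisd's code and not from any poster). The two ban patterns are the ones quoted from amavisd.conf above; the sample type/name strings, the narrower `T=zip` allow rule and the rule ordering are assumptions for illustration.

```python
import re

F = re.X | re.I  # same x/i modifiers the amavisd.conf patterns use

# Ban classes copied from the amavisd.conf excerpt quoted in this thread.
EXEC = re.compile(r"^ (.*\t)? (T=|N=([^\.]+\.)+)(exe|exe-ms|vb[es]?|ws[cfh]|ms[cipt]"
                  r"|pif|scr|sct|bat|cmd|com|cpl|dll|jse?|inf) (\t.*)? $", F)
ARCH = re.compile(r"^ (.*\t)? (T=|N=([^\.]+\.)+)(zip|7z|rar|tar|gz|cab|bz2?) (\t.*)? $", F)

# Allow rule tried in the thread: decides on the file name alone.
ALLOW_BY_NAME = re.compile(r"\.docx$", F)
# Narrower allow (assumption): detected type must be zip AND the name ends in .docx.
ALLOW_ZIP_DOCX = re.compile(
    r"^ (.*\t)? T=zip \t (.*\t)? N=[^\t\n]* \. docx (\t.*)? $", F)

# Rule lists are evaluated top to bottom; the first match decides.
NAME_FIRST = [("pass", ALLOW_BY_NAME), ("Exec", EXEC), ("Arch", ARCH)]
# Exec ban runs before any allow, and the allow is tied to the detected type.
TYPE_AWARE = [("Exec", EXEC), ("pass", ALLOW_ZIP_DOCX), ("Arch", ARCH)]

# Constructed sample strings: tab-separated detected type(s) and file name.
SAMPLES = {
    "real docx":    "T=zip\tN=report.docx",
    "exe as .docx": "T=exe\tT=exe-ms\tN=invoice.docx",
    "plain zip":    "T=zip\tN=backup.zip",
}


def verdict(rules, namepath):
    """Return the label of the first matching rule, or 'pass' if none match."""
    for label, rx in rules:
        if rx.search(namepath):
            return label
    return "pass"


def compare():
    """Map each sample to its (name-only, type-aware) verdict pair."""
    return {name: (verdict(NAME_FIRST, s), verdict(TYPE_AWARE, s))
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_name, by_type) in compare().items():
        print(f"{name:13} name-only={by_name:5} type-aware={by_type}")
```

A plain zip renamed to .docx yields the same type and name as the real docx sample, so the narrower rule cannot tell the two apart.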