Rspamd blocks all archives, also whitelisted senders

Hello

NethServer Version: 7.9
RSpamD: 3.0.

Nested archives and executable files blocking enabled.
I have whitelisted senders like dmarc_support@corp.mail.ru, noreply-dmarc-support@google.com, noreply@dmarc.yahoo.com to receive reports.
Recently RSpamD started blocking all emails with archive attachments. Updated RspamD to version 3.2, no result. Recreating the white list did not help.

Hi and welcome to NethServer Community,

I can confirm that attachments are blocked in any case, even if the sender is whitelisted.

If you add prefilter = true; to the FORBIDDEN_FILE_EXTENSION in /etc/rspamd/local.d/multimap.conf (line 135) and restart rspamd, whitelisted mail addresses/domains can send attachments but I don’t know if it conflicts with other settings/cases. /cc @stephdl

    # reject email when the file extension is found
    FORBIDDEN_FILE_EXTENSION {
        type = "filename";
        filter = "extension";
        map = [
            "${CONFDIR}/forbidden_file_extension.map",
        ];
        prefilter = true;
        action = "reject";
        symbol = "FORBIDDEN_FILE_EXTENSION";
        description = "List of forbidden file extensions";
        message = "Forbidden attachment name extension";
    }
3 Likes

No time yet, but thanks, I will check it.

1 Like

I know this point is controversial, but the feature might behave like this by design:

Antivirus and antispam checks are skipped if an Allow rule matches – Email — NethServer 7 Final

That does not apply to attachment blocking, which can be intended as a company confidentiality policy in contrast to spam/virus countermeasures.

2 Likes

Maybe a custom template could help you to change this. Indeed, if at a company level I decide to block archive or exe, and I allow a sender, I will accept his email with a potential virus.

1 Like

I think here we could use a conditional map rather than a prefilter.

https://rspamd.com/doc/modules/multimap.html#conditional-maps

2 Likes

    # reject email when the file extension is found
    FORBIDDEN_FILE_EXTENSION {
        require_symbols = "!IP_WHITELIST | !FROM_WHITELIST | !FROM_SUBDOMAINS_WHITELIST | !FROM_DOMAINS_WHITELIST";
        type = "filename";
        filter = "extension";
        map = [
            "${CONFDIR}/forbidden_file_extension.map",
        ];
        action = "reject";
        symbol = "FORBIDDEN_FILE_EXTENSION";
        description = "List of forbidden file extensions";
        message = "Forbidden attachment name extension";
    }

adding this seems to fix the issue

require_symbols = "!IP_WHITELIST | !FROM_WHITELIST | !FROM_SUBDOMAINS_WHITELIST | !FROM_DOMAINS_WHITELIST";

2 Likes
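
Added example (not code from the thread or from NethServer's templates): a small Python evaluator showing for which whitelist outcomes the `require_symbols` expression posted above still lets the extension map run. It assumes `!`, `&` and `|` mean NOT, AND and OR; `AND_FORM`, `map_is_checked` and the scenarios are constructed here for comparison.

```python
# Expression as posted in the thread, plus an AND form constructed here for comparison.
POSTED = ("!IP_WHITELIST | !FROM_WHITELIST | "
          "!FROM_SUBDOMAINS_WHITELIST | !FROM_DOMAINS_WHITELIST")
AND_FORM = POSTED.replace("|", "&")

def literal(term, symbols):
    """Evaluate one atom, optionally negated with leading '!' characters."""
    term = term.strip()
    name = term.lstrip("!").strip()
    if not name.replace("_", "").isalnum():
        raise ValueError(f"bad symbol name: {term!r}")
    present = name in symbols
    negations = len(term) - len(term.lstrip("!"))
    return present if negations % 2 == 0 else not present

def map_is_checked(expr, symbols):
    """True when the map would be consulted for a message carrying `symbols`.

    Assumption: '!' is NOT, '&' is AND, '|' is OR, with '&' binding tighter
    than '|'. Parentheses are not handled (the posted expression has none).
    """
    return any(all(literal(t, symbols) for t in group.split("&"))
               for group in expr.split("|"))

# Constructed scenarios: which whitelist symbols a message already carries.
SCENARIOS = {
    "no whitelist matched": set(),
    "sender address whitelisted": {"FROM_WHITELIST"},
    "sender domain whitelisted": {"FROM_DOMAINS_WHITELIST"},
    "all four whitelists matched": {"IP_WHITELIST", "FROM_WHITELIST",
                                    "FROM_SUBDOMAINS_WHITELIST",
                                    "FROM_DOMAINS_WHITELIST"},
}

def compare():
    """Map each scenario to (checked with posted OR form, checked with AND form)."""
    return {name: (map_is_checked(POSTED, syms), map_is_checked(AND_FORM, syms))
            for name, syms in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (or_form, and_form) in compare().items():
        print(f"{name:30} OR form: {or_form!s:5}  AND form: {and_form}")
```

Under that reading, the OR form still consults the extension map when only one whitelist symbol is present, while the AND form skips it as soon as any of the four is present.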

After internal discussion and because NS7 is at a feature freeze state…yes NS8 is coming :smiley:
We reached the point where we could not add a new feature that could change the current behavior of more than 10K servers in the world.

Maybe in your case @Alik_Gusainov the best option for you is to make a custom template

[root@prometheus ~]# mkdir -p /etc/e-smith/templates-custom//etc/rspamd/local.d/multimap.conf
[root@prometheus ~]# cp /etc/e-smith/templates/etc/rspamd/local.d/multimap.conf/10base /etc/e-smith/templates-custom//etc/rspamd/local.d/multimap.conf

modify the line

vim /etc/e-smith/templates-custom//etc/rspamd/local.d/multimap.conf/10base

expand the custom template and restart services

[root@prometheus ~]# signal-event nethserver-mail-filter-save

4 Likes