Preventing users from mailing out attachments selectively
Shrenik Bhura
shrenik.bhura at intelliant.net
Wed Jun 24 08:53:21 CEST 2009
Shrenik Bhura wrote:
> Hi!
>
> I was thinking of a peculiar requirement which could be very
> useful with respect to e-mail security.
>
> Is there a way in kolab to configure that only some designated users can
> send mails with attachments of certain types or up to a certain size
> while others can't?
> Does anyone have experience with postfix policy banks as this is one way
> I think this may be done?
>
> Is there a way that every mail satisfying a particular criterion such as
> having an attachment can be forwarded to a validation queue where once
> validated the same can move ahead and be delivered?
> Maybe sieve can help us do that? Can anyone pls validate my thought if
> this has already been done on kolab.
>
> Any other solutions/suggestions shall be highly appreciated.
>
Still hunting my way around this -
Was following this link http://www200.pair.com/mecham/spam/bypassing.html#8
This concept works for me partially when I am testing with .exe file
as an attachment. But what I need is to ban attachments of all MS Office
documents or .txt from being sent out so I have made the following
modifications:
in amavisd.conf.template -
$banned_filename_re = new_RE(
  qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i,  # double extension
  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|xls|doc|xml|odt|ods|txt|rtf|xlsx|docx)$'i,
                                                     # banned extension - basic
  qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
         jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
         vbe|vbs|wsc|wsf|wsh|xls|doc|odt|txt|rtf|xml|ods|xlsx|docx)$'ix,
                                                     # banned extension - long
  qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
  qr'^\.(zip|lha|tnef|cab)$'i,            # banned file(1) types
  qr'^\.exe$'i,                           # banned file(1) types
  qr'^application/x-msdownload$'i,        # banned MIME types
  qr'^application/x-msdos-program$'i,
  qr'^multipart/mixed$'i,
  qr'^message/partial$'i, qr'^message/external-body$'i,  # block rfc2046
);
%banned_rules = (
  'ALLOW_ATTACH' => new_RE(
    qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i,  # double extension
    qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i,            # banned extension - basic
    qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
           jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
           vbe|vbs|wsc|wsf|wsh)$'ix,                   # banned extension - long
    qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
    qr'^\.(zip|lha|tnef|cab)$'i,            # banned file(1) types
    qr'^\.exe$'i,                           # banned file(1) types
    qr'^application/x-msdownload$'i,        # banned MIME types
    qr'^application/x-msdos-program$'i,
  ),
  'DEFAULT' => $banned_filename_re,
);
-- snip --
$inet_socket_port = [10024,10028]; # accept SMTP on this local TCP port
$interface_policy{'10028'} = 'ALLOWATTACH';
--snip --
@mynetworks = qw( @@@postfix-mynetworks|join( )@@@ );
$policy_bank{'ALLOWATTACH'} = {
  banned_filename_maps => ['ALLOW_ATTACH'], # more permissive banning rules
};
$policy_bank{'MYUSERS'} = { # mail from authenticated users on this system
  # Bounce only to local users
  final_virus_destiny => D_BOUNCE,
  final_banned_destiny => D_BOUNCE,
  warnvirusrecip_maps => undef,  # (defaults to false (undef))
  warnbannedrecip_maps => undef, # (defaults to false (undef))
  warnvirussender => 1,
  warnbannedsender => 1,
};
in main.cf.template
smtpd_sender_restrictions = permit_mynetworks,
    check_policy_service unix:private/kolabpolicy,
    check_sender_access hash:/etc/postfix/amavis_allow_attach
and added /etc/postfix/amavis_allow_attach
id at dom.com FILTER smtp-amavis:[127.0.0.1]:10028
then did a
# postmap hash:/etc/postfix/amavis_allow_attach
# kolabconf -n
With this setup it allows the person with id id at dom.com to send mails with
.exe attachments.
When I remove the id from amavis_allow_attach then it bounces the mail
with an .exe attachment but when I try the same thing with .xls or .doc,
it always allows the sender to send the mail.
Hence it looks like there is something wrong with the way I have defined
the re. Any help or suggestion would be highly appreciated.
Thanks,
SB
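
An added example, not part of the original post or of amavisd itself: a Python transcription of the two rule lists above, run against constructed part names to see which rule each list hits first. It assumes a simplified lookup model (each name of a part, here the MIME type and the declared filename, is tried against the rules in order and the first match bans the part); `build`, `verdict`, `BANKS` and the sample names are hypothetical.

```python
import re

DOCS = "xls|doc|xml|odt|ods|txt|rtf|xlsx|docx"  # extension lists copied from the post
BASIC = "exe|vbs|pif|scr|bat|cmd|com"
LONG = """ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
          jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
          vbe|vbs|wsc|wsf|wsh"""

def build(extra_ext="", head=(), tail=()):
    """Compile one rule list in the post's order (re.I and re.X applied to every rule)."""
    rules = [
        *head,
        (r"\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$", "double extension"),
        (rf".\.({BASIC}{extra_ext})$", "banned extension - basic"),
        (rf".\.({LONG}{extra_ext})$", "banned extension - long"),
        (r".\.(mim|b64|bhx|hqx|xxe|uu|uue)$", "banned extension - WinZip"),
        (r"^\.(zip|lha|tnef|cab)$", "banned file(1) type"),
        (r"^\.exe$", "banned file(1) type"),
        (r"^application/x-msdownload$", "banned MIME type"),
        (r"^application/x-msdos-program$", "banned MIME type"),
        *tail,
    ]
    return [(re.compile(p, re.I | re.X), label) for p, label in rules]

BANKS = {
    "DEFAULT": build("|" + DOCS, head=[(r"^UNDECIPHERABLE$", "undecipherable")],
                     tail=[(r"^multipart/mixed$", "banned MIME type"),
                           (r"^message/partial$", "block rfc2046"),
                           (r"^message/external-body$", "block rfc2046")]),
    "ALLOW_ATTACH": build(),
}

def verdict(bank, names):
    """Return (name, rule label) for the first hit, or None (assumed lookup model)."""
    for name in names:
        for rx, label in BANKS[bank]:
            if rx.search(name):
                return name, label
    return None

# Constructed sample parts: [MIME type, declared filename].
SAMPLES = {
    "exe": ["application/x-msdownload", "setup.exe"],
    "xls": ["application/vnd.ms-excel", "budget.xls"],
    "container": ["multipart/mixed"],
}

if __name__ == "__main__":
    print({k: {b: verdict(b, n) for b in BANKS} for k, n in SAMPLES.items()})
```

Evaluated this way, both lists ban the constructed .exe part, and only DEFAULT bans the .xls part and the multipart/mixed container.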