1

Topic: Dangerous extension passing

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: CentOS Linux release 7.3.1611 (Core
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx):NGINX
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Please assist am receiving dangerous attachment like .iso ,kindly assist on how can i block them.

2

Re: Dangerous extension passing

on CentOS, check parameter "$banned_namepath_re" in /etc/amavisd/amavisd.conf, just add your file extension and restart amavisd service.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: Dangerous extension passing

ZhangHuangbin wrote:

on CentOS, check parameter "$banned_namepath_re" in /etc/amavisd/amavisd.conf, just add your file extension and restart amavisd service.

Thanks Zhang,i have added the extension and restarted amavisd as per below ,but i still receive .iso files

  # Dangerous file name extensions
    [qr'N=.*\.(9|386|LeChiffre|aaa|abc|aepl|iso|ani|

Please assist on .

4

Re: Dangerous extension passing

Please turn on debug mode in Amavisd[1] and send one email with '.iso' file, then copy all Amavisd log relevant to this testing email and paste here for troubleshooting.

[1] Turn on debug mode in Amavisd: https://docs.iredmail.org/debug.amavisd.html

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

5

Re: Dangerous extension passing

debug mode is on

Mar  7 12:43:46 email postfix/10025/smtpd[11731]: 5CC62F0032E: client=email.simbanet.co.tz[127.0.0.1]
Mar  7 12:43:46 email postfix/cleanup[8812]: 5CC62F0032E: message-id=<20190307094315.990A19A1D7205FB6@evelatus.com>
Mar  7 12:43:46 email postfix/qmgr[17725]: 5CC62F0032E: from=<ketija.kokina@evelatus.com>, size=756561, nrcpt=1 (queue active)
Mar  7 12:43:46 email amavis[10800]: (10800-12) Passed BANNED (application/octet-stream,.dat,Quotation.iso) {RelayedTaggedInbound},  <ketija.kokina@evelatus.com> -> <bozra@simbanet.co.tz>, Queue-ID: ECDFFF00304, Message-ID: <20190307094315.990A19A1D7205FB6@evelatus.com>, mail_id: 60SLx-T0GYIT, Hits: 3.487, size: 756026, queued_as: 5CC62F0032E, 2681 ms, Tests: [DATE_IN_FUTURE_06_12=0.001,FREEMAIL_FORGED_REPLYTO=2.503,HTML_MESSAGE=0.001,SPF_SOFTFAIL=0.972,T_ISO_ATTACH=0.01]
Mar  7 12:43:46 email amavis[10800]: (10800-12) Passed BANNED (application/octet-stream,.dat,Quotation.iso), <ketija.kokina@evelatus.com> -> <bozra@simbanet.co.tz>, Hits: 3.487, tag=2, tag2=6.2, kill=6.9, queued_as:

6

Re: Dangerous extension passing

Bozra wrote:

Mar  7 12:43:46 email amavis[10800]: (10800-12) Passed BANNED (application/octet-stream,.dat,Quotation.iso) ...

It's detected, but amavisd is configured to bypass banned files.
You can change this with iRedAdmin-Pro: System -> Anti Spam -> Global Spam Policy, choose to quarantine email with banned files.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

7

Re: Dangerous extension passing

Thanks Zhang,its now working and attachements specified get blocked,but i see a strange beahvioe as it blocks some word documents as well.

BANNED, message contains application/vnd.openxmlformats-officedocument.wordprocessingml.document,.doc,UNHCRMeetingTakeOuts-28022019 (002).docx

How can i stop this ?

8

Re: Dangerous extension passing

Remove the file extension from Amavisd config file.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

9

Re: Dangerous extension passing

ZhangHuangbin wrote:

Remove the file extension from Amavisd config file.

is there a tutorial or guide from iredmail on how to allow this type of files??

The files are microsoft word files which i believe they are supposed to be allowed

10

Re: Dangerous extension passing

Bozra wrote:

is there a tutorial or guide from iredmail on how to allow this type of files??

Just remove it from the $banned_namepath_re, then it's allowed.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee