Recipe 21.7. Rejecting Messages with Attachments

21.7.1 Problem

You want to block messages with certain attachments at the SMTP level.

21.7.2 Solution

Use Postfix's mime_header_checks with the following regexp table:

# this must be one unbroken line
/filename=\"?(.*)\.(bat|cmd|com|dot|exe|hta|scr|pif|vbe|vbs)\"?$/
    REJECT keep your malware off my network

# this must be one unbroken line; $2 and $3 in the action are replaced by
# the second and third parenthesized groups (the filename and its extension)
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]))"?\s*$/
    REJECT Attachments that contain or end in "$3" are prohibited on this server. "$2" is the name of the rejected file

Put this in a file and call it /etc/postfix/mime_header_checks. Then add it to main.cf:

mime_header_checks = regexp:/etc/postfix/mime_header_checks

Remember to run postfix reload after changing main.cf. Because this is a regexp: table rather than a hash: table there is no postmap step; postfix reload is enough for new or edited patterns to be picked up.

Edit the list of file types to suit your own needs. The list in the example does not include any MS Office document file formats, such as .xls, .xlk, .doc, .wdb, .wri, .wrs, .ppt, and so forth; you may wish to add some of these.
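To see what these patterns actually catch before putting them in front of real mail, here is an added example (not from the book) that transcribes the two table entries above into Python's re syntax and runs them over a few constructed header lines. Postfix regexp: tables match case-insensitively by default and header_checks sees each header as one joined line, which the example mimics; the header lines are made up for the test and include two RFC 2231/2047 encoded-filename forms that neither pattern matches.

```python
import re

# Transcriptions of the recipe's two mime_header_checks patterns.  Postfix
# regexp: tables are case-insensitive unless told otherwise, hence re.I.
FILENAME_RE = re.compile(
    r'filename="?(.*)\.(bat|cmd|com|dot|exe|hta|scr|pif|vbe|vbs)"?$', re.I)
NAME_RE = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?'
    r'(.+\.(asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|vxd|pif|scr|hta|jse?|'
    r'sh[mbs]|vb[esx]|ws[fh]))"?\s*$', re.I)


def check_header(header):
    """Apply the table in file order, as Postfix does: the first pattern that
    matches decides.  Returns the REJECT text, or None if the header passes."""
    m = FILENAME_RE.search(header)
    if m:
        return "REJECT keep your malware off my network"
    m = NAME_RE.match(header)
    if m:
        # $2 = full filename, $3 = extension, as in the table's action line
        return ('REJECT Attachments that contain or end in "%s" are prohibited '
                'on this server. "%s" is the name of the rejected file'
                % (m.group(3), m.group(2)))
    return None


# Constructed MIME header lines (not real mail), one per case of interest.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="invoice.exe"',
    'Content-Disposition: attachment; filename="photo.jpg.scr"',
    'CONTENT-TYPE: APPLICATION/X-MSDOWNLOAD; NAME="SETUP.VBS"',
    'Content-Type: application/pdf; name="report.pdf"',
    # RFC 2231 parameter form: "filename*=" is not "filename=", so it slips past
    "Content-Disposition: attachment; filename*=UTF-8''invoice.exe",
    # RFC 2047 encoded word for invoice.exe; Postfix matches the raw header text
    'Content-Disposition: attachment; filename="=?UTF-8?B?aW52b2ljZS5leGU=?="',
]


def run_samples(headers=SAMPLE_HEADERS):
    """Return {header: verdict} for every sample; None means the header passed."""
    return {h: check_header(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in run_samples().items():
        print("%-75s -> %s" % (header, verdict or "pass"))
```

Run it and the two encoded forms come out as "pass": a sender, or a worm, that emits RFC 2231 or RFC 2047 filename parameters gets past a pattern keyed on the literal filename= text, which is one reason to put a real scanner behind these checks as the next recipe does.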

21.7.3 Discussion

You can, with one simple regexp, reject all messages with attachments:

/filename=\"/   REJECT all messages with attachments are rejected

Just keep in mind that this will also reject messages with vCards, messages with GPG signatures that are attached rather than inline, HTML messages that attach images as separate files, and Outlook/Outlook Express messages that use MS-TNEF (MS-TNEF is useless to anyone not running Outlook/Outlook Express, because it's a proprietary rich-text format that nothing else reads). Keep in mind also that a REJECT here is returned as a 5xx response at the end of the SMTP DATA command, so it is the sending server, not the human sender, that receives the text after REJECT. A well-behaved MTA turns that into a bounce to the envelope sender; spamware and misconfigured servers simply drop it, and then nobody learns the message was rejected unless someone reads the mail logs on one side or the other.

Why list only Microsoft file types? That's up to you; you can list anything you want. Certainly, Windows is the hands-down winner at extending a warm, friendly welcome to malware via email.

21.7.4 See Also

  • Postfix's SMTPD_ACCESS_README and access(5)

  • Chapter 11 of Postfix: The Definitive Guide

  • Microsoft Knowledge Base Article, 291369, for Microsoft's own "Unsafe File List"

  • Appendix C , Microsoft File Types


Recipe 21.8. Setting Up Clam Anti-Virus on a Postfix Server

21.8.1 Problem

You want a good anti-virus scanner on your Postfix mail server, to scan all incoming mail automatically and to get rid of infected messages.

21.8.2 Solution

Use Clam Anti-Virus and Amavisd-new on your Postfix server. Amavisd-new is a Perl daemon that sits between two Postfix SMTP listeners as a content filter: it takes each message from Postfix, hands it to Clam AV for scanning, and returns clean mail to Postfix. Clam AV's clamd on its own has no way to take part in Postfix's mail flow.

Note that the master.cf entries below switch off the UBE restrictions and header/body checks from the previous recipes only on the internal 127.0.0.1:10025 listener, which receives mail coming back from Amavisd-new. The restrictions in main.cf still apply to the public smtpd on port 25; clearing them on the return path just keeps already-checked mail from being checked twice or handed to the filter again.

RPM users need clamav and amavisd-new. Debian users need amavisd-new, clamav, clamav-base, clamav-daemon, and clamav-freshclam.

Back up your configuration files before making any changes. Then set up Amavisd-new. Create /var/log/amavis.log, and assign ownership to the "amavis" user and group, which should have been created by the package manager.

Next, edit /etc/amavis/amavisd.conf. In Section I, set $mydomain and $myhostname to your own values, and uncomment the following lines:

$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail

$notify_method = $forward_method; # where to submit notifications

Disable virus quarantines in Section IV, because infected messages are going to be thrown away. There's no point in saving them, as the vast majority are autogenerated with forged return addresses:

$QUARANTINEDIR = undef;
$virus_quarantine_to = undef;

Also in Section IV, disable all auto-notifications to senders. Most return addresses are forged; it's pointless to send out "Hey, you sent me a virus!" notices. With the content_filter setup used in this recipe, Postfix has already accepted the message into its queue before Amavisd-new sees it, so a true SMTP-level reject is not possible here; D_DISCARD makes Amavisd-new drop the infected message silently, with no notification of any kind, whereas the default D_BOUNCE would mail a bounce to the (forged) sender:

$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)

Next, find Section VII and uncomment the Clam AV entry. Comment out all virus scanners you are not using. The {} in the query is replaced by the name of the temporary directory Amavisd-new wants scanned, so write it exactly as {} with nothing between the braces:

### http://www.clamav.net/
['Clam Antivirus-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Now make sure Amavisd-new is stopped, and check the configuration with the built-in debugger:

# /etc/init.d/amavis stop
# amavis debug

This spits out a configuration summary; all you need to worry about are error messages. Next, start it back up and connect with telnet to confirm that Amavisd-new is listening on port 10024:

# /etc/init.d/amavis start
$ telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready

Amavisd-new is running, so quit telnet:

^]
telnet> quit
Connection closed.

Next, configure Postfix to use Amavisd-new. Add this to the end of /etc/postfix/master.cf. The first entry is the client transport Postfix uses to hand queued mail to Amavisd-new; the second is a separate smtpd on 127.0.0.1:10025 that takes the filtered mail back, with the content filter and the UBE restrictions switched off so that mail is neither filtered twice nor sent round in a loop:

smtp-amavis unix -   -     n   -    2  smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes

127.0.0.1:10025 inet n - n - - smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
   -o strict_rfc821_envelopes=yes

Then add this line to /etc/postfix/main.cf, which sends everything Postfix accepts through the smtp-amavis transport to Amavisd-new on port 10024:

content_filter = smtp-amavis:[127.0.0.1]:10024

And do a complete stop/start cycle for Postfix:

# /etc/init.d/postfix stop
# /etc/init.d/postfix start

The final step is to give the "amavis" user ownership of Clam AV. It won't work otherwise: clamd scans the files Amavisd-new unpacks in its temporary directory, and Amavisd-new talks to clamd through its local socket, so neither side may be locked out of the other's files. First, open /etc/clamav/clamav.conf and /etc/amavis/amavisd.conf, and make sure that amavisd.conf references the "LocalSocket" file:

## /etc/clamav/clamav.conf
LocalSocket /var/run/clamav/clamd.ctl

## /etc/amavis/amavisd.conf
### http://www.clamav.net/
['Clam Antivirus-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Now you must make the "amavis" user the owner of all directories that Clam AV uses. In this example, that is:

  • LogFile /var/log/clamav/clamav.log

  • PidFile /var/run/clamav/clamd.pid

  • DatabaseDirectory /var/lib/clamav/

For example:


# chown -R amavis:amavis /var/log/clamav/


Be careful! Only change directories that belong only to Clam AV; any files in shared directories must be changed individually. Now open /etc/clamav/freshclam.conf , and do the same with any directories listed there. Finally, hunt down any files belonging to Clam AV in /etc/logrotate.d/ . For example:

  • /etc/logrotate.d/clamav-daemon

  • /etc/logrotate.d/clamav-freshclam

The filenames may vary. Inside each file, find this line:

create 640 clamav adm

Change it to:

create 640 clamav amavis

Save your changes, and restart both clamd and freshclam. On Debian, use:

# /etc/init.d/clamav-daemon reload
# /etc/init.d/clamav-freshclam reload

On Red Hat and Fedora, use:

# /etc/init.d/clamd reload
# /etc/init.d/freshclam reload

And you're done. Now you can start sending test messages and watching your logs.
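As an added example (not from the book, and not Amavisd-new's own code), here is a small Python client that does what the amavisd.conf entry above does: it sends clamd the CONTSCAN query over /var/run/clamav/clamd.ctl and classifies each reply line with the same three expressions. It writes the standard EICAR test string into a fresh directory and asks clamd to scan it, which exercises the socket permissions and the directory access that the ownership steps were about. The socket path is the one from the recipe; the reply lines shown in the parser's docstring are constructed, not captured.

```python
import os
import re
import socket
import tempfile

# The same three expressions amavisd.conf uses for clamd, in Python syntax.
CLEAN_RE = re.compile(r"\bOK$")
INFECTED_RE = re.compile(r"\bFOUND$")
VIRUS_NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")

# Standard EICAR test string: every scanner flags it, and it is harmless.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # LocalSocket from clamav.conf


def parse_clamd_reply(line):
    """Classify one CONTSCAN reply line the way amavisd-new's ask_daemon does.

    clamd answers with one line per result, for example (constructed):
      /var/lib/amavis/tmp/amavis-x/parts/p001: Eicar-Test-Signature FOUND
      /var/lib/amavis/tmp/amavis-x/parts: OK
      /var/lib/amavis/tmp/amavis-x/parts: Access denied. ERROR
    Returns ("infected", name), ("clean", None) or ("error", line).
    """
    line = line.rstrip("\r\n")
    if INFECTED_RE.search(line):
        m = VIRUS_NAME_RE.match(line)
        return ("infected", m.group(1) if m else None)
    if CLEAN_RE.search(line):
        return ("clean", None)
    return ("error", line)


def contscan(path, sock_path=CLAMD_SOCKET, timeout=60):
    """Send 'CONTSCAN <path>\\n' to clamd over its UNIX socket and return the
    parsed verdict for every reply line.  Raises OSError if the socket is
    missing or not writable by the calling user, which is the permission
    problem the recipe's ownership steps exist to remove."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(sock_path)
        s.sendall(("CONTSCAN %s\n" % path).encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        s.close()
    reply = b"".join(chunks).decode("utf-8", "replace")
    return [parse_clamd_reply(l) for l in reply.splitlines() if l.strip()]


def write_eicar(directory):
    """Drop eicar.com into directory, readable by everyone so a clamd running
    as a different user can still open it; return the file path."""
    path = os.path.join(directory, "eicar.com")
    with open(path, "w") as f:
        f.write(EICAR)
    os.chmod(path, 0o644)
    os.chmod(directory, 0o755)   # mkdtemp creates it 0700, which clamd cannot enter
    return path


if __name__ == "__main__":
    if not os.path.exists(CLAMD_SOCKET):
        raise SystemExit("no clamd socket at %s; is clamd running?" % CLAMD_SOCKET)
    tmpdir = tempfile.mkdtemp(prefix="clamtest-")
    write_eicar(tmpdir)
    for verdict in contscan(tmpdir):
        print(verdict)
```

Run it on the mail server as the "amavis" user (for example with su amavis -s /bin/sh -c ...). A FOUND line proves that clamd, its socket, and the directory permissions all work for the user Amavisd-new runs as; an OSError on connect, or a reply tagged error on a directory you can read yourself, is the ownership mismatch the chown steps above are meant to fix.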

21.8.3 Discussion

You'll save yourself a lot of work if you install from packages, rather than sources. If you must install from sources, read all the documentation. You'll have to manually create all kinds of users, directories, and init scripts.

The -o content_filter= and -o smtpd_xxx_restrictions= directives in master.cf override the corresponding settings in /etc/postfix/main.cf for the 127.0.0.1:10025 listener only. You do not want the checks duplicated on that return path: re-applying the content filter there would send every message back to Amavisd-new in a loop, and re-running the UBE checks wastes resources on mail that has already passed them once. Clam AV, together with SpamAssassin, will do a better, less error-prone job of filtering mail than the Postfix UBE checks described in the previous recipes.

The two Clam AV components of greatest interest are clamd, the scanning daemon, and freshclam, which automatically fetches virus definition updates. These are configured in /etc/clamav/clamav.conf and /etc/clamav/freshclam.conf, respectively. The defaults should be fine; there really isn't much to tweak, except that you should pick a different update mirror in freshclam.conf, from http://www.clamav.net/mirrors.html. Be kind; don't use the default mirror.

21.8.4 See Also

  • The Postfix FILTER_README , which describes how mail is moved between Postfix and Amavisd-new in detail

  • Local Amavisd-new documentation (/usr/share/doc/amavisd-new, amavisd-new(8), and /usr/share/doc/amavisd-new/README.postfix)

  • Local Clam AV documentation (/usr/share/doc/clamav)

  • Clam Anti-Virus (http://www.clamav.net)

  • Amavisd-new (http://www.ijs.si/software/amavisd)
