Hi list,

I've got a problem with banned file rules on amavisd 2.3.2.

Here are the rules:

@banned_filename_maps = ();   # to disable old-style

# new-style of banned lookup table
$banned_namepath_re = new_RE(

  # block these MIME types
  qr'(?#NO X-MSDOWNLOAD)   ^(.*\t)? M=application/x-msdownload   (\t.*)? $'xmi,
  qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
  qr'(?#NO HTA)            ^(.*\t)? M=application/hta            (\t.*)? $'xmi,

# # block rfc2046 MIME types
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/partial       (\t.*)? $'xmi,
# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/external-body (\t.*)? $'xmi,

# # within traditional Unix compressions allow any name and type
  [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2)     (\t.*)? $'xmi => 0 ],  # allow

  # within traditional Unix archives allow any name and type
  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow

# # block anything within a zip
# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi,

  # block certain double extensions in filenames
  qr'(?# BLOCK DOUBLE-EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.
                  (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,

# # block Class ID (CLSID) extensions in filenames
# qr'(?# BLOCK CLSID-EXTENSIONS )
#    ^ (.*\t)? N= [^\t\n]* \{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}? [^\t\n]* (\t.*)? $'xmi,

# # banned declared names with three or more consecutive spaces
# qr'(?# BLOCK NAMES WITH SPACES )
#    ^ (.*\t)? N= [^\t\n]*  [ ]{3,} 'xmi,

# # within PC archives allow any types or names at any depth
  [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ],  # ok

# # within certain archives allow leaf members at any depth if crypted
# [ qr'(?# ALLOW ENCRYPTED )
#      ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],

# # allow crypted leaf members regardless of their name or type
# [ qr'(?# ALLOW IF ENCRYPTED )    ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],

# # block if any component can not be decoded (is encrypted or bad archive)
# qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi,

# [ qr'(?# SPECIAL ALLOWANCES - MAGIC NAMES)
#      \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2)
#         \t(.*\t)* N=example\d+[^\t\n]*
#         (\t.*)? $'xmi => 0 ],

  # banned filename extensions (in declared names) anywhere - basic
  qr'(?# BLOCK COMMON NAME EXENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,

# # banned filename extensions (in declared names) anywhere - long
  qr'(?# BLOCK MORE NAME EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. (
     ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
     inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
     ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
     wmf|wsc|wsf|wsh) (\t.*)? $'xmi,

# # banned filename extensions anywhere - WinZip vulnerability (pre-V9)
# qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS )
#    ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi,

#  [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
#       ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi
#    => 'DISCARD' ],

# [ qr'(?# BLOCK EMPTY MIME PARTS )
#      ^ (.*\t)? M= [^\t\n]+ \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ],

  qr'(?# BLOCK Microsoft EXECUTABLES )
     ^ (.*\t)? T=exe-ms (\t.*)? $'xm,              # banned file(1) type

# qr'(?# BLOCK ANY EXECUTABLE )
#    ^ (.*\t)? T=exe (\t.*)? $'xm,                 # banned file(1) type

# qr'(?# BLOCK THESE TYPES )
#    ^ (.*\t)? T=(exe|lha|tnef|cab|dll) (\t.*)? $'xm,  # banned file(1) types

);



When I send a file test.zip with this content:

Realvnc-3.3.7-x86_win32.zip
        -> Realvnc-4_1_1-x86_win32.exe
Realvnc-4_1_1-x86_win32.zip
        -> vnc-4_1_1-x86_win32.exe

I get an unwanted rule match. Here's the log entry:

Aug  9 17:16:57 uxsmtp12 amavis[15173]: (15173-02) p.path BANNED:1 [EMAIL PROTECTED]:
  "P=p003,L=1,M=multipart/mixed |
   P=p002,L=1/2,M=application/x-zip-compressed,T=zip,N=Test.zip |
   P=p004,L=1/2/1,T=zip,N=Realvnc-3.3.7-x86_win32.zip |
   P=p006,L=1/2/1/1,T=exe,T=exe-ms,N=Realvnc-3.3.7-x86_win32.exe",
  matching_key="(?mix-s:(?# BLOCK DOUBLE-EXTENSIONS )\n     ^ (.*\t)? N= [^\t\n]* \\. [^./\t\n]* [A-Za-z] [^./\t\n]* \\.\n                  (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \\.? (\t.*)? $)"

Shouldn't all content within the Test.zip archive be allowed?

I can send the archives Realvnc-3.3.7-x86_win32.zip and
Realvnc-4_1_1-x86_win32.zip standalone and they do not get banned.

Did I misunderstand the rules, or is something not working right here?


Kind regards

Daniel Siegers

System administrator

Heinrich Bauer Dienstleistungs KG
Brieffach 4616
Burchardstraße 11
D-20077 Hamburg

Phone +49 (40)-3019-1991
Fax   +49 (40)-3019-140-1991

E-Mail [EMAIL PROTECTED]
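A $banned_namepath_re list is evaluated by amavisd's lookup_re() as a first-match list: the first entry whose regexp matches the lookup key decides, a bare qr// entry meaning "banned" and a [ qr// => 0 ] entry meaning "allowed", and nothing after it is consulted. In the list posted above, the BLOCK DOUBLE-EXTENSIONS rule sits before rule-7 (the allowance for zip/rar/arc/arj/zoo members), and the leaf name Realvnc-3.3.7-x86_win32.exe, with the dots in "3.3.7", satisfies the double-extension pattern, which is exactly the rule the log reports as matching_key. The Perl script below is an added example and is not amavisd code or part of the original post: it re-implements only that first-match behaviour over the active (uncommented) rules from the post, against a lookup key rebuilt from the logged p.path (the log prints the key with " | " between nodes and "," between fields; the real key uses "\n" and "\t", which is what the [^\t\n] and (.*\n)+ fragments in the rules refer to). It then evaluates the same key against a second, constructed ordering with rule-7 moved ahead of the double-extension rule, to show that the verdict is decided by rule order alone. The key, the reordering and the first_match() helper are constructed for this demonstration.

```perl
#!/usr/bin/perl
# Added example, not amavisd code: reproduces only the first-match lookup
# that amavisd applies to a $banned_namepath_re list, so a rule order can be
# tried offline against a key rebuilt from a "p.path BANNED" log line.
use strict;
use warnings;

# Lookup key constructed from the log entry in the post. amavisd matches one
# line per node on the path from the top MIME part down to the leaf member,
# nodes separated by "\n" and a node's P=/L=/M=/T=/N= fields by "\t"; the log
# shows the same key with " | " and "," instead.
my $key = join "\n",
  join("\t", 'P=p003', 'L=1',       'M=multipart/mixed'),
  join("\t", 'P=p002', 'L=1/2',     'M=application/x-zip-compressed', 'T=zip', 'N=Test.zip'),
  join("\t", 'P=p004', 'L=1/2/1',   'T=zip', 'N=Realvnc-3.3.7-x86_win32.zip'),
  join("\t", 'P=p006', 'L=1/2/1/1', 'T=exe', 'T=exe-ms', 'N=Realvnc-3.3.7-x86_win32.exe');

# The active (uncommented) rules from the post, copied in the posted order.
my @posted = (
  qr'(?#NO X-MSDOWNLOAD)   ^(.*\t)? M=application/x-msdownload   (\t.*)? $'xmi,
  qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
  qr'(?#NO HTA)            ^(.*\t)? M=application/hta            (\t.*)? $'xmi,
  [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2)     (\t.*)? $'xmi => 0 ],  # allow
  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow
  qr'(?# BLOCK DOUBLE-EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.
                  (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,
  [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ],  # ok
  qr'(?# BLOCK COMMON NAME EXENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,
  qr'(?# BLOCK MORE NAME EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. (
     ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
     inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
     ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
     wmf|wsc|wsf|wsh) (\t.*)? $'xmi,
  qr'(?# BLOCK Microsoft EXECUTABLES )
     ^ (.*\t)? T=exe-ms (\t.*)? $'xm,
);

# Same rules with rule-7 (allow anything inside PC archives) moved ahead of
# the double-extension block; a constructed variant for comparison only.
my @reordered = @posted[0 .. 4, 6, 5, 7 .. 9];

# First match wins, as in amavisd's lookup_re(): a bare qr// means banned
# (true), a [ qr// => value ] pair yields its value, 0 meaning allowed.
sub first_match {
  my ($key, @rules) = @_;
  for my $rule (@rules) {
    my ($re, $value) = ref($rule) eq 'ARRAY' ? @$rule : ($rule, 1);
    next unless $key =~ $re;
    my ($name) = "$re" =~ /\(\?#\s*([^)]*?)\s*\)/;   # the (?# ... ) label
    $name = 'unnamed rule' unless defined $name;
    return ($value, $name);
  }
  return (0, 'no rule matched');
}

for my $case (['posted order', \@posted], ['rule-7 before double-ext', \@reordered]) {
  my ($label, $rules) = @$case;
  my ($verdict, $name) = first_match($key, @$rules);
  printf "%-24s -> %-7s (first match: %s)\n",
    $label, $verdict ? 'BANNED' : 'allowed', $name;
}
```

Run as `perl check_banned_order.pl`. With the posted order the first matching entry is BLOCK DOUBLE-EXTENSIONS (the leaf line "N=Realvnc-3.3.7-x86_win32.exe" contains a dot, a letter and a second dot before "exe"), so the part is banned; with rule-7 moved up, the "T=zip" node of Test.zip matches first with value 0 and the same key is allowed. Whether that reordering is desirable is a policy question: placing the double-extension rule before the archive allowance is what makes double-extension names inside zips get blocked at all, so moving it down trades that protection for fewer false positives on version-numbered names. To test a different message, rebuild $key from its own "p.path" log line the same way.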
 



_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
