Since pcre evaluates in order you could add
/^Content-(Disposition|Type).*;??x-apple-part-url="[^"]+"$/x DUNNO
before the pcre that does the rejection.
Since "." is commonly "%2E" you could also change the "\." in the RE to
"(\.|%2E)".
That doesn't solve base64 encoding.
Disclaimer: I haven't tried this.
Curtis
On 04/06/16 22:02, Laz C. Peterson wrote:
This is great information.
It's very odd ... Apple has been responsible for the foundation of quite a few
RFC's but in our experience has actually made it difficult for our software to
both comply with the RFC as well as Apple's client software.
Thank you Cedric.
~ Laz Peterson
Paravis, LLC
On Apr 6, 2016, at 3:28 PM, Cedric Knight <[email protected]> wrote:
The documentation for header_checks includes an example to "block
attachments with bad file name extensions", and I expect many
installations have a similar rule to cut down on malware. This reads:
/^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
hlp|ht[at]|
inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
\{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
REJECT Attachment name "$2" may not end with ".$4"
Unfortunately, this can now block valid email from iPhone/iOS/ithing
users. The second ".*" can span multiple parameters. This shows up in
logs when searching for "x-apple-part-url" as follows:
postfix/cleanup[1234]: 123412341234: reject: header Content-Type:
application/vnd.ms-publisher;??name="redacted
redacted.pub";??x-apple-part-url="[email protected]"
What Apple has done seems legal under RFC 2045 but may make some of
their users' email undeliverable.
Rules can be amended to limit to "token" or "quoted-string" versions of
the filename like this:
/^Content-(Disposition|Type).*name\s*=\s*
("(?:[^"]|\\")*|[^();:,\/<>\@\"?=<>\[\]\ ]*)
((?:\.|=2E)(
ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
hlp|ht[at]|
inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
\{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
vb[esx]?|vxd|ws[cfh])(\?=)?"?)\s*(;|$)/x
REJECT Attachment name $2$3 may not end with ".$4"
A separate security point is that this doesn't actually block "bad"
extensions if the Content-Type name is base64 encoded and the filename
parameter in the Content-Disposition is percent-encoded.
Hope this is useful to some.
CK
