On 30/03/16 21:11, @lbutlr wrote:
> On Wed Mar 30 2016 13:34:23 Alex <mysqlstud...@gmail.com> said:
>>
>> /^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.doc"?;?$/
>> REJECT
>
> /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
> REJECT Attachment name "$2" may not end with ".$3”

I'd like to take the opportunity to warn that regexes like this (and the version in the Postfix documentation as "man header_checks") have started blocking email from iPhones. This is because some Apple email client adds a parameter to Content-Type that may end in ".com". The ".*\." can span between those parameters.

If you block extensions in Postfix, check your logs for "x-apple-part-url" and you may see something like:

server postfix/cleanup[1234]: 123412341234: reject: header Content-Type: application/vnd.ms-publisher;??name="redacted redacted.pub";??x-apple-part-url="abcd1234-1234-5678-9999-123412341...@yahoo.com"

("??" is the CRLF line break.)

For Postfix the rule can be rewritten to specify the parameter value to avoid this type of false positive:

/^Content-(Disposition|Type).*name\s*=\s*
    ("(?:[^"]|\\")*|[^();:,\/<>\@\"?=<>\[\]\ ]*)
    ((?:\.|=2E)(
    ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
    hlp|ht[at]|
    inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
    \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
    ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
    vb[esx]?|vxd|ws[cfh])(\?=)?"?)\s*(;|$)/x
    REJECT Attachment name $2$3 may not end with ".$4"

So far as I can see, no standard SpamAssassin rule checks for .com so shouldn't cause a false positive, but some rules that are intended to just check filename extensions and might hit other parts of the header include OBFU_TEXT_ATTACH, T_OBFU_DOC_ATTACH and __TVD_MIME_ATT_AOPDF.

> Just add the MS Office file extensions to that.
>
> Then, when your users revolt and are banging on your door with pitchforks and
> torches, take them out again. :)

or staff the machicolations because you know best.

Some that I seriously would add are .mso, .xl, .ocx and .jar.

CK
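
Added example, not part of the original message: a Python port of the loose rule quoted at the top and the tightened rule from the reply, run against a header shaped like the logged one, to show where the false positive comes from. Assumptions: the extension list is shortened and the GUID alternative is omitted, the flags mirror the Postfix pcre table defaults (case-insensitive, "." matches newline) plus /x, and both sample headers are constructed with a placeholder x-apple-part-url value.

```python
import re

# Shortened extension list for the demo; the rules in the thread carry the full list.
EXT = r"bat|cmd|com|exe|js|pif|scr|vb[esx]?"
# Postfix pcre tables default to case-insensitive with "." matching newlines;
# the /x on the thread's rules corresponds to re.X.
FLAGS = re.I | re.S | re.X

# Loose rule: "?(.*\.(ext)) is greedy and not tied to the name value, so it can
# run past the closing quote into any later parameter of the same header.
LOOSE = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(' + EXT + r'))(\?=)?"?\s*(;|$)',
    FLAGS)

# Tightened rule: the value is one quoted string or one unquoted token, so the
# extension has to belong to the name parameter itself.
STRICT = re.compile(
    r'''^Content-(Disposition|Type).*name\s*=\s*
        ("(?:[^"]|\\")*|[^();:,\/<>\@\"?=<>\[\]\ ]*)
        ((?:\.|=2E)(''' + EXT + r''')(\?=)?"?)\s*(;|$)''',
    FLAGS)

# Constructed samples (not taken from real mail).
IPHONE = ('Content-Type: application/vnd.ms-publisher;\r\n'
          '\tname="redacted redacted.pub";\r\n'
          '\tx-apple-part-url="00000000-0000-0000-0000-000000000000@example.com"')
EXE = 'Content-Disposition: attachment; filename="invoice.exe"'

def verdicts(header):
    """Return (loose_rejects, strict_rejects) for one logical header."""
    return bool(LOOSE.search(header)), bool(STRICT.search(header))

def blocked_extension(header):
    """Extension the strict rule would report as $4, or None if it passes."""
    m = STRICT.search(header)
    return m.group(4) if m else None

if __name__ == "__main__":
    for name, hdr in (("iphone .pub", IPHONE), ("real .exe", EXE)):
        loose, strict = verdicts(hdr)
        print(f"{name}: loose={loose} strict={strict} ext={blocked_extension(hdr)}")
```
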