Re: header_checks and regexes

2022-05-01 Thread Viktor Dukhovni
On Sun, May 01, 2022 at 03:54:16PM -0400, Alex wrote:

> > Conditional header checks require a milter or content filter that
> > can make such fine distinctions.  Postfix built-in header checks
> > are global.
> 
> I need to find a way to have different policies for different domains
> on the same IP address, such as to be able to reject mail from one
> sender to one domain but accept that sender to another.

If by different domains, you mean different envelope recipients grouped
by recipient domain, then you don't need or want "header_checks" for
that.  If the number of recipient domains is modest, you can use
restriction classes.

http://www.postfix.org/RESTRICTION_CLASS_README.html

-- 
Viktor.


Re: header_checks and regexes

2022-05-01 Thread Alex
Hi,

On Thu, Mar 10, 2022 at 5:23 PM Viktor Dukhovni wrote:
>
> > On 10 Mar 2022, at 3:48 pm, Alex  wrote:
> >
> > Can I use sender_checks to bypass a host like mail.coupahost.com? The
> > client IP will constantly change, but I can rely on the sending domain
> > to remain the same.
>
> Conditional header checks require a milter or content filter that
> can make such fine distinctions.  Postfix built-in header checks
> are global.

I need to find a way to have different policies for different domains
on the same IP address, such as to be able to reject mail from one
sender to one domain but accept that sender to another.

Are there existing content filters that can do this, or is the process
explained somewhere? I've looked at a few examples but these
distinctions don't seem to be made.

Building a milter from scratch to do this sounds like a daunting
process. The milter docs mention it's possible to analyze headers, but
don't appear to provide any details on how this would even be done.


Re: header_checks and regexes

2022-03-10 Thread Viktor Dukhovni
> On 10 Mar 2022, at 3:48 pm, Alex  wrote:
> 
> Can I use sender_checks to bypass a host like mail.coupahost.com? The
> client IP will constantly change, but I can rely on the sending domain
> to remain the same.

Conditional header checks require a milter or content filter that
can make such fine distinctions.  Postfix built-in header checks
are global.

-- 
Viktor.



Re: header_checks and regexes

2022-03-10 Thread Alex
Hi,

I now have these mime_header_checks working properly, but it turns out
there are companies sending legitimate invoices as HTML attachments,
ugh.

Mar  8 07:49:05 xavier postfix-118/cleanup[2084042]: C01C310024593: reject: header Content-Disposition: attachment;? filename=purchase_order.html from a31-88.smtp-out.amazonses.com[54.240.31.88]; from=<0100017f6993716e-42efe44-02df-4144-a0cb-35f9b82890b7-000...@mail.coupahost.com> to= proto=ESMTP helo=: 5.7.1 ".html" file attachment types not allowed

Can I use sender_checks to bypass a host like mail.coupahost.com? The
client IP will constantly change, but I can rely on the sending domain
to remain the same.

If so, how do I control the ordering to be sure the mime_header_checks
are processed after the sender_checks?


On Fri, Mar 4, 2022 at 5:15 PM Alex  wrote:
>
> Hi,
>
> > > I believe there's a dot missing in the first one, as in '.(386' but
> > > it's more than that, because I experimented with that too.
> >
> > No, it would have to be:  \.(386|...)
> > otherwise '.' just matches any character.  Your RE pattern is sloppy
> > in places, ... correct REs take some care.
>
> Yes, that is what I meant. I believe there were problems with the
> regex that I fixed, but I was also using header_checks instead of
> mime_header_checks.
>
> Just for completeness, here's what worked for me.
>
> Given the following attachment:
> --caef4405d964f4b8
> Content-Type: text/html; charset="US-ASCII"; name="download.html"
> Content-Disposition: attachment; filename="download.html"
> Content-Transfer-Encoding: base64
> Content-ID: 
> X-Attachment-Id: f_l0chj96g0
>
> TWFpbGd1biBNYWduaWZpY2VudCBBUEk=
> --caef4405d964f4b8--
>
> $ postmap -c /etc/postfix -q 'Content-Disposition: attachment; filename="download.html"' pcre:/etc/postfix/mime_header_checks.pcre
> REJECT ".html" file attachment types not allowed
>
> mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
>
> /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
> REJECT ".$3" file attachment types not allowed
>
> Can I also ask a more general question? How are other people handling
> attachments such as those I've listed which really have no purpose
> these days but to spread malware?
>
> The vast majority of HTML attachments we receive are not malicious,
> but just silently quarantining them was leading to too many support
> requests.
>
> Thanks so much for your help.


Re: header_checks and regexes

2022-03-04 Thread Alex
Hi,

> > I believe there's a dot missing in the first one, as in '.(386' but
> > it's more than that, because I experimented with that too.
>
> No, it would have to be:  \.(386|...)
> otherwise '.' just matches any character.  Your RE pattern is sloppy
> in places, ... correct REs take some care.

Yes, that is what I meant. I believe there were problems with the
regex that I fixed, but I was also using header_checks instead of
mime_header_checks.

Just for completeness, here's what worked for me.

Given the following attachment:
--caef4405d964f4b8
Content-Type: text/html; charset="US-ASCII"; name="download.html"
Content-Disposition: attachment; filename="download.html"
Content-Transfer-Encoding: base64
Content-ID: 
X-Attachment-Id: f_l0chj96g0

TWFpbGd1biBNYWduaWZpY2VudCBBUEk=
--caef4405d964f4b8--

$ postmap -c /etc/postfix -q 'Content-Disposition: attachment; filename="download.html"' pcre:/etc/postfix/mime_header_checks.pcre
REJECT ".html" file attachment types not allowed

mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre

/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
REJECT ".$3" file attachment types not allowed

Can I also ask a more general question? How are other people handling
attachments such as those I've listed which really have no purpose
these days but to spread malware?

The vast majority of HTML attachments we receive are not malicious,
but just silently quarantining them was leading to too many support
requests.

Thanks so much for your help.
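An added Python check, not from the thread and not Postfix code, that runs the three stages of the rule discussed above (Alex's final `\.(386|...)` rule and Viktor's correction) against constructed sample headers: the malformed `\(386|...` version that cannot compile, the version with no dot that also fires on names such as report_386.txt, and the `\.(...)` form where the extension lands in $3 once `(file)?` is a capturing group. Assumptions: the extension list is shortened, Python's `re` stands in for Postfix's PCRE, and `re.I` mirrors the case-insensitive default of pcre tables.

```python
import re

# Shortened extension list; the thread's full alternation has the same shape
# (constructed here for readability, not the page's exact list).
EXTS = r"386|exe|ad[ept]|ba[st]|cmd|dll|html|jar|jse?|lnk|pif|reg|sc[rt]|vb[esx]?"
PREFIX = r'^Content-(Disposition|Type):\s+.+?'

# 1. The original rule has "\(" before the alternation: a literal paren,
#    which leaves the closing ")" unbalanced, so the pattern cannot compile.
MALFORMED = PREFIX + r'(?:file)?name="?.+?\(' + EXTS + r')\b'

# 2. Dropping the "\" but having no dot at all lets the extension list match
#    anywhere in the name; (?:file)? is non-capturing, so the extension is $2.
NO_DOT = re.compile(PREFIX + r'(?:file)?name="?.+?(' + EXTS + r')\b', re.I)

# 3. Viktor's form: a literal "\." before the alternation. (file)? is capturing
#    here, as in the final rule, so the extension moves to $3.
WITH_DOT = re.compile(PREFIX + r'(file)?name="?.+?\.(' + EXTS + r')\b', re.I)
# re.I because Postfix pcre tables match case-insensitively by default.

def malformed_compiles():
    """False when the "\\(" variant is rejected by the regex compiler."""
    try:
        re.compile(MALFORMED, re.I)
        return True
    except re.error:
        return False

def blocked_ext(pattern, header, group):
    """Extension the rule would report in its REJECT text, or None if it does not fire."""
    m = pattern.search(header)
    return m.group(group).lower() if m else None

# Constructed sample MIME headers, modelled on the ones in the thread.
HEADERS = [
    'Content-Disposition: attachment; filename="download.html"',
    'Content-Type: text/html; charset="US-ASCII"; name="download.html"',
    'Content-Disposition: attachment; filename="INVOICE.HTML"',
    'Content-Disposition: attachment; filename="report_386.txt"',  # not a .386 file
    'Content-Disposition: attachment; filename="notes.txt"',
]

def compare(headers=HEADERS):
    """Map each header to (no-dot verdict, with-dot verdict)."""
    return {h: (blocked_ext(NO_DOT, h, 2), blocked_ext(WITH_DOT, h, 3)) for h in headers}

if __name__ == "__main__":
    print("malformed rule compiles:", malformed_compiles())
    for h, (nd, wd) in compare().items():
        print(f"{h}\n   no dot: {nd}   with \\.: {wd}")
```

The no-dot variant rejects report_386.txt as a ".386" attachment, which is the kind of false positive the leading `\.` prevents.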


Re: header_checks and regexes

2022-03-03 Thread Viktor Dukhovni

> On 3 Mar 2022, at 10:06 pm, Alex  wrote:
> 
> I believe there's a dot missing in the first one, as in '.(386' but
> it's more than that, because I experimented with that too.

No, it would have to be:  \.(386|...)
otherwise '.' just matches any character.  Your RE pattern is sloppy
in places, ... correct REs take some care.

-- 
Viktor.



Re: header_checks and regexes

2022-03-03 Thread Alex
Hi,

> > It's still not working, and I suspect the reason is that I somehow
> > screwed up when I pasted it. Can I ask you to take a look at the
> > attached?
>
> I don't see any rules below that would do that.  There's a rule
> for "mhtml" files, and a rule for ".pdf.html" files, but I fail
> to see one for ".html".
>
> > /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
> >  WARN ".$2" file attachment types not allowed
> > /^Content-(Disposition|Type):\s+.+?(file)?name="?[^"]+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/
> > REJECT ".com" file attachment types not allowed
> > /^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|screensaver|movie)\.zip/
> > REJECT jimsun1
> > /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/  WARN jimsun1
> > /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.pdf\.html\b/
> > REJECT  pdf.html not allowed

Now I feel silly because I was experimenting with adding "html" to the
first regex, but apparently left it out when I sent the email, but
neither the .pdf.html nor the html in the first regex works and I just
don't understand why.

I believe there's a dot missing in the first one, as in '.(386' but
it's more than that, because I experimented with that too.

Thanks so much,
Alex


Re: header_checks and regexes

2022-03-03 Thread Viktor Dukhovni
On Thu, Mar 03, 2022 at 06:04:43PM -0500, Alex wrote:

> > > Content-Type: text/html; charset="US-ASCII"; name="download.html"
> > > Content-Disposition: attachment; filename="download.html"

It seems you're trying to block "mumble.html" attachments.

> It's still not working, and I suspect the reason is that I somehow
> screwed up when I pasted it. Can I ask you to take a look at the
> attached?

I don't see any rules below that would do that.  There's a rule
for "mhtml" files, and a rule for ".pdf.html" files, but I fail
to see one for ".html".

> /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
>  WARN ".$2" file attachment types not allowed
> /^Content-(Disposition|Type):\s+.+?(file)?name="?[^"]+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/
> REJECT ".com" file attachment types not allowed
> /^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|screensaver|movie)\.zip/
> REJECT jimsun1
> /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/  WARN jimsun1
> /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.pdf\.html\b/  REJECT pdf.html not allowed

-- 
Viktor.


Re: header_checks and regexes

2022-03-03 Thread Alex
Hi Viktor,

> > Content-Type: text/html; charset="US-ASCII"; name="download.html"
> > Content-Disposition: attachment; filename="download.html"
> >
> > And this is the regex I currently have. Hopefully it wraps properly.
>
> > /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
> >  REJECT ".$2" file attachment types not allowed
>
> The above regular expression is malformed,  instead of:
>
> /...name="?.+?\(386|.../
>
> it should be:
>
> /...name="?.+?(386|.../
>
> It works as expected without the extraneous "\".

It's still not working, and I suspect the reason is that I somehow
screwed up when I pasted it. Can I ask you to take a look at the
attached?

/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
   WARN ".$2" file attachment types not allowed
/^Content-(Disposition|Type):\s+.+?(file)?name="?[^"]+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/
  REJECT ".com" file attachment types not allowed
/^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|screensaver|movie)\.zip/
  REJECT jimsun1
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/  WARN jimsun1
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.pdf\.html\b/  REJECT pdf.html not allowed


Re: header_checks and regexes

2022-03-02 Thread Viktor Dukhovni
On Wed, Mar 02, 2022 at 08:57:51PM -0500, Alex wrote:

> Content-Type: text/html; charset="US-ASCII"; name="download.html"
> Content-Disposition: attachment; filename="download.html"
> 
> And this is the regex I currently have. Hopefully it wraps properly.

> /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
>  REJECT ".$2" file attachment types not allowed

The above regular expression is malformed,  instead of:

/...name="?.+?\(386|.../

it should be:

/...name="?.+?(386|.../

It works as expected without the extraneous "\".

-- 
Viktor.


header_checks and regexes

2022-03-02 Thread Alex
Hi,
Many years ago I picked up a regex pattern that would reject different
attachment types, but it no longer seems to match properly. Perhaps
someone here can help me with the regex so I don't inadvertently start
rejecting mail that I shouldn't?

This is what the string that I'd like to reject looks like now:

--17a7a105d9467429
Content-Type: text/html; charset="US-ASCII"; name="download.html"
Content-Disposition: attachment; filename="download.html"
Content-Transfer-Encoding: base64
Content-ID: 
X-Attachment-Id: f_l0abi2410

TWFpbGd1biBNYWduaWZpY2VudCBBUEk=
--17a7a105d9467429--

And this is the regex I currently have. Hopefully it wraps properly.
/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
   REJECT ".$2" file attachment types not allowed

Thanks so much,
Alex