[Exim] discard and logging in DATA-ACL

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Reinhard Haller
Date:  
À: exim-users
Sujet: [Exim] discard and logging in DATA-ACL
This is a MIME message. If you are reading this text, you may want to
consider changing to a mail reader or gateway that understands how to
properly handle MIME multipart messages.
--
Hi,

we're using Exim 4.22_1 (FreeBSD 4.9) with Spamassassin 2.60 and ClamAV 0.60_1
mainly as a relay server.

We fetch the mails with fetchmail and forward them to the internal mail server.

With the outcome of the SWEN-Worm we installed Spamassassin + Clamav to stop
these messages.

Since we cannot reject the incoming mails, we discard all mails with viruses
and unknown sender and all messages with wormish file extensions.

To keep track what happens really we generate log-messages for all
discards.

Now we see that there are mails discarded without a log-message and
mails are passed that should be discarded.

How it's possible to accomplish the intended behaviour?

Our DATA-ACL:

acl_check_content:

  accept  hosts        = +clean_hosts
          endpass


  warn  message = X-Mime: This message contains a MIME error ($demime_reason)
        demime = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}
        set acl_m0 = -MIME-


  warn  log_message = This message contains an unwanted file extension ($found_extension)
        demime = scr:vbs:bat:lnk:pif
        discard demime = scr:vbs:bat:lnk:pif


  # Reject virus infested messages.
  warn  message = X-Virus: This message contains malware ($malware_name)
        demime = *
        malware = *
        set acl_m1 = -VIRUS-


  warn  message = X-Viagra: This message matches a blacklisted regular expression ($regex_match_string)
        condition = ${if <{$message_size}{80k}{1}{0}}
        regex = [Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa]
        set acl_m3 = -BLACK-
  warn  message = X-Penis: This message matches a blacklisted regular expression ($regex_match_string)
        condition = ${if <{$message_size}{80k}{1}{0}}
        regex = [Pp] *[Ee] *[Nn] *[Ii] *[Ss]
        set acl_m3 = -BLACK-


  warn  message = X-Spam-Score: $spam_score ($spam_bar)
        condition = ${if <{$message_size}{80k}{1}{0}}
        spam = nobody:true
  warn  message = X-Spam-Report: $spam_report
        condition = ${if <{$message_size}{80k}{1}{0}}
        spam = nobody:true
  warn  message = X-Spam-Flag: YES
        condition = ${if <{$message_size}{80k}{1}{0}}
        spam = nobody
        set acl_m2 = -SPAM-


  warn  message = X-ACL-Header: ${if def:acl_m2 {$acl_m2 }}${if def:acl_m1 {$acl_m1 }}${if def:acl_m3 {$acl_m3 }}${if def:acl_m0 {$acl_m0 }}$h_subject:
        condition = ${if or {{def:acl_m0} {def:acl_m1} {def:acl_m2} {def:acl_m3} }{1}{0}}


  warn  log_message = This message contains a Virus and the header_syntax is not verified
        message = X-Verify-Sender: header syntax error
        condition = ${if def:acl_m1 {1}{0}}
        verify = header_syntax
  warn  log_message = This message contains a Virus and the sender is not verified
        message = X-Verify-Sender: sender error
        condition = ${if def:acl_m1 {1}{0}}
        verify = sender
  warn  log_message = This message contains a Virus and the header_sender is not verified
        message = X-Verify-Sender: header sender error
        condition = ${if def:acl_m1 {1}{0}}
        verify = header_sender
  discard condition = ${if def:acl_m1 {1}{0}}
        verify = header_syntax
        verify = sender
        verify = header_sender


# finally accept all the rest
accept

Samples of mainlog:

1) first message with logging before discarding, third message discarded without
logging

2003-10-06 06:03:58 1A6MbD-000GFQ-Qr H=localhost [127.0.0.1] Warning: This message contains a Virus and the header_syntax is not verified
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr H=localhost [127.0.0.1] Warning: This message contains a Virus and the sender is not verified
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr H=localhost [127.0.0.1] Warning: This message contains a Virus and the header_sender is not verified
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr <= pauladeckers@??? H=localhost [127.0.0.1] P=esmtp S=157723 id=HNEXFE08nY9QzOs43ko0002bfa5@???
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr => blackhole (DATA ACL discarded recipients)
2003-10-06 06:03:58 1A6MbD-000GFQ-Qr Completed
2003-10-06 06:04:09 1A6MbG-000GFQ-Cn <= suse-linux@??? H=localhost [127.0.0.1] P=esmtp S=3666 id=200310051830.10906.Manfred.Tremmel@???
2003-10-06 06:04:10 1A6MbG-000GFQ-Cn => x.y@??? R=local_network T=remote_smtp H=internal.mail.server
2003-10-06 06:04:10 1A6MbG-000GFQ-Cn Completed
2003-10-06 06:04:12 1A6MbS-000GFQ-4w <= pauladeckers@??? H=localhost [127.0.0.1] P=esmtp S=145463 id=HNEXFE07NPuBcljpybJ00041d3d@???
2003-10-06 06:04:12 1A6MbS-000GFQ-4w => blackhole (DATA ACL discarded recipients)
2003-10-06 06:04:12 1A6MbS-000GFQ-4w Completed

2) message not discarded, even if all conditions are met

2003-10-07 10:18:16 1A6n2r-000I7J-SF H=localhost [127.0.0.1] Warning: This message contains a Virus and the sender is not verified
2003-10-07 10:18:16 1A6n2r-000I7J-SF <= desmondlu@??? H=localhost [127.0.0.1] P=esmtp S=157865 id=20031007080321.EMCP1219.maxwell6.pacific.net.sg@qykaqnft
2003-10-07 10:18:16 1A6n2r-000I7J-SF => x.y@??? R=local_network T=remote_smtp H=internal.mail.server
2003-10-07 10:18:16 1A6n2r-000I7J-SF Completed

the message header of the above message contains:

Received: from qykaqnft ([210.24.227.82]) by maxwell6.pacific.net.sg
          with SMTP
          id <20031007080321.EMCP1219.maxwell6.pacific.net.sg@qykaqnft>;
          Tue, 7 Oct 2003 16:03:21 +0800
FROM: "Microsoft Technical Support" < @poTO: "Client" <cbrslsb_liynvahkbe@???>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="dqzotmsifslyoeapk"
Message-Id: <20031007080321.EMCP1219.maxwell6.pacific.net.sg@qykaqnft>
Date: Tue, 7 Oct 2003 16:03:30 +0800
Bcc:
X-Virus: This message contains malware (Worm.Gibe.F)
X-Verify-Sender: sender error
Subject: -VIRUS- Latest Internet Pack


--dqzotmsifslyoeapk

Thanks
Reinhard Haller

--
Dipl. Inform. Reinhard Haller
INTERACTIVE Network Systems GmbH
Hermann-Hesse-Str. 5
85551 Kirchheim b. München

Tel.: 089/904880-0
Mob.: 0171/8022551
Fax: 089/904880-22

mailto: reinhard.haller@???

--
[ Content of type text/x-vcard deleted ]
--