Re: [exim] Exim misses some attachments.

Author: pencho kuncho
Date:  
To: Exim-users
Subject: Re: [exim] Exim misses some attachments.
I found that message from Lena to one of our members and will try his solution.

Insert into the beginning of Exim config:

check_rfc2047_length = false
acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
  deny message = Windows-executable attachments forbidden
      condition = ${if def:sender_host_address}
      !authenticated = *
      log_message = forbidden attachment: filename=$mime_filename, \
                    content-type=$mime_content_type, recipients=$recipients
      condition = ${if or{\
                          {match{$mime_content_type}{(?i)executable}}\
                          {match{$mime_filename}{\N(?i)\.(exe|com|vbs|bat|pif\
    |scr|hta|js|cmd|chm|cpl|jsp|reg|vbe|lnk|dll|sys|btm|dat|msi|prf|vb)$\N}}\
                          }}

  deny message = A .zip attachment contains a Windows-executable file - \
                blocked because we are afraid of new viruses \
                not recognized [yet] by antiviruses.
      condition = ${if match{$mime_filename}{\N(?i)\.zip$\N}}
      condition = ${if def:sender_host_address}
      !authenticated = *
      decode = default
      log_message = forbidden binary in attachment: filename=$mime_filename, \
                    recipients=$recipients
      condition = ${if match{${run{/usr/local/bin/unzip -l \
                                    $mime_decoded_filename}}}\
                            {\N(?i)\n .+\.(zip|exe|com|vbs|bat|pif|scr|hta\
          |js|cmd|chm|cpl|jsp|reg|vbe|lnk|dll|sys|btm|dat|msi|prf|vb)\n\N}}

  accept


From: Always Learning <exim@???>
To: Exim <exim-users@???>
Sent: Thursday, December 17, 2015 8:45 PM
Subject: Re: [exim] Exim misses some attachments.



On Thu, 2015-12-17 at 17:11 +0000, Jeremy Harris wrote:

> On 17/12/15 16:42, Always Learning wrote:
> >
> > warn demime    = ace:bat:btm:cab:chm:cmd:com:cpl:dat:dll:exe:hta: \
> >                    js:jsp:lnk:msi:pif:prf:reg:scr:sys:url:vbe:vbs


> At a guess, the acl_smtp_mime equivalent:
>
>  warn condition = ${if match {$mime_filename} \
>                      {\\.(ace|bat|btm|cab|chm|cmd|com|\
>                            cpl|dat|dll|exe|hta|\
>                            js|jsp|lnk|msi|pif|prf|reg|scr|\
>                            sys|url|vbe|vbs)\$}}
> >
> > .... et cetera.


Thank you. It looks correct.

> ... assuming you don't need the content of the file.


No. Being exclusively, and happily, Linux (Centos) for the last 6? years
we reject everything M$ except for word processing and spreadsheets.

Unlike some, we have the freedom to successfully reject spam and other
crap before ACL Data (and now ACL Mime) so this mime defence may never
be deployed.

Thanks again.




--
Regards,

Paul.
England, EU.      England's place is in the European Union.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
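
The two deny rules of the ACL quoted at the top of this message, restated in Python so the extension list can be tried against sample attachment names before the rules go live. This is an added example, not part of the original posts and not Exim code. Assumptions: every part is treated as coming from an unauthenticated remote host, Python's zipfile module stands in for parsing `unzip -l` output, and the names check_part and make_zip are hypothetical.

```python
import io
import re
import zipfile

# Extension list copied from the first deny rule of the ACL in the post.
BLOCKED = ("exe|com|vbs|bat|pif|scr|hta|js|cmd|chm|cpl|jsp|reg|vbe|lnk|"
           "dll|sys|btm|dat|msi|prf|vb")
NAME_RE = re.compile(r"(?i)\.(" + BLOCKED + r")$")
# The second rule also rejects a .zip nested inside the .zip.
MEMBER_RE = re.compile(r"(?i)\.(zip|" + BLOCKED + r")$")


def check_part(filename, content_type, body=b""):
    """Return the reason a MIME part would be denied, or None to accept."""
    # Rule 1: content type mentions "executable" or the name has a listed extension.
    if re.search(r"(?i)executable", content_type) or NAME_RE.search(filename):
        return "forbidden attachment"
    # Rule 2: for .zip parts, inspect the member names inside the archive.
    if re.search(r"(?i)\.zip$", filename):
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            # Choice made for this sketch, not something the ACL specifies:
            # an archive that cannot be listed is rejected.
            return "unreadable zip"
        for name in names:
            if MEMBER_RE.search(name):
                return "forbidden binary in attachment"
    return None


def make_zip(*member_names):
    """Build a constructed in-memory zip whose members hold dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"constructed sample data")
    return buf.getvalue()
```

Because the pattern is anchored at the end of the name, `data.json` passes while `x.js` is denied; the same anchoring applies to each member name inside a zip.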