Instead of demime and clamav: :)
P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious: exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
check_rfc2047_length = false
acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
deny message = BINFORBIDDEN
log_message = forbidden attachment: filename=$mime_filename, \
content-type=$mime_content_type, recipients=$recipients
condition = ${if or{\
{match{$mime_content_type}\
{(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
}}
deny message = Compressed BINFORBIDDEN
condition = ${if or{\
{match{$mime_content_type}{(?i)application/\
(octet-stream|x(-zip)?-compressed|zip)}}\
{match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
}}
condition = ${if <{$message_size}{1500K}}
decode = default
log_message = forbidden binary in attachment: filename=$mime_filename, \
recipients=$recipients
condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
{\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}
accept
