On Sat, 2020-11-07 at 20:29 +0000, Mike Tubby via Exim-users wrote:
>
> On 07/11/2020 20:10, Adam D. Barratt via Exim-users wrote:
> > On Sat, 2020-11-07 at 17:45 +0000, Mike Tubby via Exim-users wrote:
> > > 2. the return value 512 (really 2) is tripping on a password
> > > encrypted ZIP file for which there is no right thing to do:
> > >
> > > a) accept it because we can't decrypt it [might still
> > > have a virus]; or
> > >
> > > b) reject it because we can't decrypt it [might not
> > > have a virus but might be confidential customer data]
> > >
> > > appears to be a lose-lose ;-(
> > fwiw what we do for $dayjob is to freeze them and get a human to
> > make the delivery decision. It's not foolproof, and depends on how
> > many such mails you're dealing with, but it works well enough for
> > us.
> >
> > Regards,
> >
> > Adam
> >
>
> Do you have a recipe that you can share?

We use a (mostly working still AFAICS) body match rather than relying
on the AV scanner to detect them, but effectively:

  warn    log_message = XH_WARN: Encrypted zip attachments are not allowed
          condition   = ${if match{$message_body:}{ UEsDB....[Q-Za-fw-z0-9\+/]}}
          [some local exceptions]
          control     = freeze
          add_header  = XH_WARN: Encrypted zip attachments are not allowed

(where XH_WARN is a macro that expands to a custom header name).

Regards,

Adam
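
Why the pattern in the condition above picks out encrypted archives, as an added example that is not part of the original message: it is the base64 form of a ZIP local file header ("PK\x03\x04") whose general purpose flag has bit 0 (encrypted) set. The helper names and the sample headers are constructed here for illustration, and the check covers only the first local file header of an attachment.

```python
import base64
import re
import struct

# Pattern from the ACL condition. The leading space stands for the newline
# before the attachment's first base64 line: Exim turns newlines into spaces
# in $message_body by default.
ACL_RE = re.compile(r" UEsDB....[Q-Za-fw-z0-9\+/]")
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def local_header(flags: int, name: bytes = b"a.txt") -> bytes:
    """Constructed 30-byte ZIP local file header plus file name, no data."""
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 8,
                       0, 0, 0, 0, 0, len(name), 0) + name


def tenth_char_class() -> str:
    """Base64 symbols whose 6-bit value has bit 4 set.

    Header byte 6 is the low byte of the flags field. Its bit 0 (encrypted)
    lands in bit 4 of the 10th base64 symbol, which is the one position the
    bracket expression in the ACL tests.
    """
    return "".join(c for v, c in enumerate(B64) if v & 0x10)


def acl_matches(raw: bytes) -> bool:
    """Apply the ACL pattern to an attachment that starts with raw."""
    body = " " + base64.b64encode(raw).decode("ascii")
    return ACL_RE.search(body) is not None


if __name__ == "__main__":
    print(tenth_char_class())
    for flags in (0x0000, 0x0001, 0x0008, 0x0809):
        print(f"flags=0x{flags:04x} match={acl_matches(local_header(flags))}")
```

The header is only visible to this condition when it falls inside the part of the body Exim exposes in $message_body, which is bounded by message_body_visible.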