Re: [exim] Exim and Sophos command line AV wrong exit codes?

Author: Adam D. Barratt
Date:  
To: exim-users
Subject: Re: [exim] Exim and Sophos command line AV wrong exit codes?
On Sat, 2020-11-07 at 20:29 +0000, Mike Tubby via Exim-users wrote:
>
> On 07/11/2020 20:10, Adam D. Barratt via Exim-users wrote:
> > On Sat, 2020-11-07 at 17:45 +0000, Mike Tubby via Exim-users wrote:
> > > 2. the return value 512 (really 2) is tripping on a password
> > > encrypted ZIP file for which there is no right thing to do:
> > >
> > >           a) accept it because we can't decrypt it [might still
> > > have a virus]; or
> > >
> > >           b) reject it because we can't decrypt it [might not
> > > have a virus but might be confidential customer data]
> > >
> > >       appears to be a lose-lose ;-(
> > fwiw what we do for $dayjob is to freeze them and get a human to
> > make the delivery decision. It's not foolproof, and depends on how
> > many such mails you're dealing with, but it works well enough for
> > us.
> >
> > Regards,
> >
> > Adam
> >
>
> Do you have a recipe that you can share?


We use a (mostly working still AFAICS) body match rather than relying
on the AV scanner to detect them, but effectively:

  # "UEsDB" is the base64 form of the ZIP local file header signature
  # (PK\x03\x04); the two leading spaces are the folded blank line before
  # the base64 part, and the character class covers the base64 column that
  # carries bit 0 (encrypted) of the general purpose flag word.
  warn   log_message = XH_WARN: Encrypted zip attachments are not allowed
         condition   = ${if match{$message_body:}{  UEsDB....[Q-Za-fw-z0-9\+/]}}
         [some local exceptions]
         control     = freeze
         add_header  = XH_WARN: Encrypted zip attachments are not allowed


(where XH_WARN is a macro that expands to a custom header name).

Regards,

Adam
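A worked check of why the body match above works, added here as an illustration and not part of Adam's configuration or of Exim: it builds a constructed minimal ZIP local file header with a chosen general purpose flag word, folds it into the form $message_body presents (newlines become spaces unless message_body_newlines is set), and shows that the regex fires exactly when bit 0 (encryption) is set. The helper names and the sample data are assumptions for this example.

```python
import base64
import re
import struct

# Regex from the ACL above: two folded spaces, the base64 of "PK\x03\x04",
# four base64 columns for the rest of the signature and the version word,
# then the column holding the low two bits of the flag word.
ENCRYPTED_ZIP_RE = re.compile(r"  UEsDB....[Q-Za-fw-z0-9\+/]")


def zip_local_header(flags, name=b"a.txt", data=b"hello"):
    """Constructed 30-byte ZIP local file header followed by a stored entry.
    Bit 0 of `flags` marks the entry as encrypted; CRC is left at zero since
    only the header layout matters for the match."""
    return struct.pack(
        "<4sHHHHHIIIHH",
        b"PK\x03\x04",          # local file header signature
        20,                     # version needed to extract (2.0)
        flags,                  # general purpose bit flag
        0,                      # compression method: stored
        0, 0,                   # last mod time / date
        0,                      # crc32 (unused here)
        len(data), len(data),   # compressed / uncompressed size
        len(name), 0,           # file name length / extra field length
    ) + name + data


def as_message_body(zip_bytes):
    """Mimic what Exim exposes in $message_body for a base64 MIME part:
    part headers, a blank line, the base64 body, with newlines folded to
    spaces. That folding is what produces the two spaces before UEsDB."""
    b64 = base64.b64encode(zip_bytes).decode()
    text = "Content-Transfer-Encoding: base64\n\n" + b64 + "\n"
    return text.replace("\n", " ")


def acl_would_freeze(body_text):
    """True when the ACL condition above would match this body."""
    return ENCRYPTED_ZIP_RE.search(body_text) is not None


def flag_from_body(body_text):
    """Cross-check independent of column alignment: decode the first 12
    bytes of the part and read the little-endian flag word at offset 6."""
    m = re.search(r"UEsDB[A-Za-z0-9+/]{11}", body_text)
    if not m:
        return None
    raw = base64.b64decode(m.group(0))
    return struct.unpack_from("<H", raw, 6)[0]
```

Note that $message_body only holds the first message_body_visible bytes of the body (500 by default), so the match can only see a ZIP whose base64 starts inside that window.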