amavisd does not block the defined attachments
Andreas Wass - Glas Gasperlmair
a.wass at glas-gasperlmair.at
Thu Nov 10 11:00:29 CET 2016
Hello Postfix and amavisd experts!
amavisd does not block the defined attachments, although they are defined
and, according to the maillog, the policies AM.PDP-SOCK and MYSUBMITTERS
are being applied correctly.
What could be the cause?
Below are my policies from amavisd.conf, followed by the two excerpts
from the maillog:
*Policy for MTA to MTA*
$policy_bank{'AM.PDP-SOCK'} = {
protocol => 'AM.PDP',
auth_required_release => 0,
};
*Policy for Submission*
$policy_bank{'MYSUBMITTERS'} = {
originating => 1,
banned_filename_maps => ['DEFAULT'],
warnbadhsender => 1,
notify_method => 'smtp:[127.0.0.1]:10025',
forward_method => 'smtp:[127.0.0.1]:10025',
};
*My definitions*
%banned_rules = (
'NO-MS-EXEC'=> new_RE( qr'^\.(exe-ms)$' ),
'PASSALL' => new_RE( [qr'^' => 0] ),
'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ),
'NO-VIDEO' => new_RE( qr'^\.movie$', qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
'NO-MOVIES' => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),
'MYNETS-DEFAULT' => new_RE( [ qr'^\.(rpm|cpio|tar)$' => 0 ], qr'.\.(zip|vbs|pif|scr)$'i, ),
'DEFAULT' => $banned_filename_re,
);
$banned_filename_re = new_RE(
# banned file(1) types, rudimentary
qr'^\.(exe-ms|dll)$',
# allow any in Unix-type archives
[ qr'^\.(rpm|cpio|tar)$' => 0 ],
# banned extensions - rudimentary
qr'.\.(pif|scr)$'i,
# block these MIME types
qr'^application/x-msdownload$'i,
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
# block certain double extensions in filenames
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
# banned extension - basic+cmd
qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
qr'.\.(zip)$'i,
);
*Sent via submission port*
Nov 10 10:45:19 mail postfix/submission/smtpd[2771]: connect from
unknown[89.26.12.241]
Nov 10 10:45:19 mail postfix/submission/smtpd[2771]: Anonymous TLS
connection established from unknown[89.26.12.241]: TLSv1.2 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)
Nov 10 10:45:19 mail postfix/submission/smtpd[2771]: D7B26209B6:
client=unknown[89.26.12.241], sasl_method=PLAIN, sasl_username=andi at wassa.at
Nov 10 10:45:19 mail postfix/cleanup[2784]: D7B26209B6:
message-id=<582441AF.90905 at wassa.at>
Nov 10 10:45:20 mail amavis[2769]: (02769-01) Checking: 1TlSqvTJaKWJ
AM.PDP-SOCK/MYSUBMITTERS [89.26.12.241] <andi at wassa.at> -> <andi at wassa.at>
Nov 10 10:45:20 mail amavis[2769]: (02769-01) p003 1 Content-Type:
multipart/mixed
Nov 10 10:45:20 mail amavis[2769]: (02769-01) p001 1/1 Content-Type:
text/plain, size: 1 B, name:
Nov 10 10:45:20 mail amavis[2769]: (02769-01) p002 1/2 Content-Type:
application/octet-stream, size: 38912 B, name: *AdapterTroubleshooter.exe*
Nov 10 10:45:20 mail amavis[2769]: (02769-01) spam-tag, <andi at wassa.at>
-> <andi at wassa.at>, No, score=-1 tagged_above=-1000 required=6.31
tests=[ALL_TRUSTED=-1] autolearn=ham autolearn_force=no
Nov 10 10:45:20 mail amavis[2769]: (02769-01) Passed CLEAN
{AcceptedInternal}, *AM.PDP-SOCK/MYSUBMITTERS* LOCAL [89.26.12.241]
[89.26.12.241] <andi at wassa.at> -> <andi at wassa.at>, Queue-ID: D7B26209B6,
Message-ID: <582441AF.90905 at wassa.at>, mail_id: 1TlSqvTJaKWJ, Hits: -1,
size: 54336, 694 ms
Nov 10 10:45:20 mail amavis[2769]: (02769-01) TIMING-SA total 570 ms -
parse: 5 (0.9%), extract_message_metadata: 9 (1.5%),
get_uri_detail_list: 0.25 (0.0%), tests_pri_-1000: 9 (1.6%),
tests_pri_-950: 2.5 (0.4%), tests_pri_-900: 1.69 (0.3%), tests_pri_-400:
1.27 (0.2%), tests_pri_0: 454 (79.7%), check_dkim_signature: 2.5 (0.4%),
check_dkim_adsp: 7 (1.2%), check_spf: 0.49 (0.1%), check_razor2: 400
(70.3%), check_pyzor: 0.21 (0.0%), tests_pri_500: 3.4 (0.6%), learn: 57
(10.1%), b_learn: 55 (9.7%), b_count_change: 6 (1.1%), get_report: 0.45
(0.1%)
Nov 10 10:45:20 mail amavis[2769]: (02769-01) size: 54336, TIMING [total
702 ms] - got data: 0.0 (0%)0, check_init: 5 (1%)1, digest_hdr: 1.1
(0%)1, digest_body: 0.8 (0%)1, collect_info: 3.4 (0%)1, mkdir parts: 22
(3%)5, mime_decode: 20 (3%)7, get-file-type2: 13 (2%)9, decompose_part:
15 (2%)12, parts_decode: 0.1 (0%)12, check_header: 0.7 (0%)12,
AV-scan-1: 27 (4%)15, spam-wb-list: 1.3 (0%)16, SA msg read: 0.8 (0%)16,
SA parse: 6 (1%)17, SA check: 563 (80%)97, decide_mail_destiny: 3.9
(1%)97, notif-quar: 0.6 (0%)97, prepare-dsn: 3.8 (1%)98, report: 1.6
(0%)98, main_log_entry: 5 (1%)99, update_snmp: 6 (1%)100, rundown: 1.3
(0%)100
Nov 10 10:45:20 mail postfix/qmgr[1102]: D7B26209B6:
from=<andi at wassa.at>, size=54430, nrcpt=1 (queue active)
Nov 10 10:45:20 mail dovecot: lmtp(2790): Connect from 127.0.0.1
Nov 10 10:45:20 mail postfix/submission/smtpd[2771]: disconnect from
unknown[89.26.12.241]
Nov 10 10:45:21 mail dovecot: lmtp(andi at wassa.at):
9+MNNrBBJFjmCgAAu6NIgg: msgid=<582441AF.90905 at wassa.at>: saved mail to INBOX
Nov 10 10:45:21 mail postfix/lmtp[2789]: D7B26209B6: to=<andi at wassa.at>,
relay=127.0.0.1[127.0.0.1]:24, delay=1.3, delays=1/0.01/0.01/0.23,
dsn=2.0.0, status=sent (250 2.0.0 <andi at wassa.at> 9+MNNrBBJFjmCgAAu6NIgg
Saved)
Nov 10 10:45:21 mail dovecot: lmtp(2790): Disconnect from 127.0.0.1:
Successful quit
Nov 10 10:45:21 mail postfix/qmgr[1102]: D7B26209B6: removed
*Sent from MTA to MTA*
Nov 10 10:46:08 mail postfix/postscreen[2791]: CONNECT from
[89.26.12.242]:39271 to [172.31.1.100]:25
Nov 10 10:46:08 mail postfix/postscreen[2791]: PASS OLD [89.26.12.242]:39271
Nov 10 10:46:09 mail postfix/smtpd[2795]: connect from
mail1.glasgasperlmair.at[89.26.12.242]
Nov 10 10:46:09 mail postfix/smtpd[2795]: 42FD0209BB:
client=mail1.glasgasperlmair.at[89.26.12.242]
Nov 10 10:46:09 mail postfix/cleanup[2784]: 42FD0209BB:
resent-message-id=<mm_8McFZG0iK-ai4up9dD03fx at mail1.glasgasperlmair.at>
Nov 10 10:46:09 mail postfix/cleanup[2784]: 42FD0209BB:
message-id=<582441CE.2020806 at glas-gasperlmair.at>
Nov 10 10:46:09 mail amavis[2770]: (02770-01) Checking: Xb0YiIeoenTQ
AM.PDP-SOCK [89.26.12.242] <a.wass at glas-gasperlmair.at> -> <andi at wassa.at>
Nov 10 10:46:09 mail amavis[2770]: (02770-01) p004 1 Content-Type:
multipart/mixed
Nov 10 10:46:09 mail amavis[2770]: (02770-01) p005 1/1 Content-Type:
multipart/alternative
Nov 10 10:46:09 mail amavis[2770]: (02770-01) p001 1/1/1 Content-Type:
text/plain, size: 265 B, name:
Nov 10 10:46:09 mail amavis[2770]: (02770-01) p002 1/1/2 Content-Type:
text/html, size: 622 B, name:
Nov 10 10:46:09 mail amavis[2770]: (02770-01) p003 1/2 Content-Type:
application/octet-stream, size: 38912 B, name: *AdapterTroubleshooter.exe*
Nov 10 10:46:10 mail amavis[2770]: (02770-01) spam-tag,
<a.wass at glas-gasperlmair.at> -> <andi at wassa.at>, No, score=0.001
tagged_above=-1000 required=6.31 tests=[HTML_MESSAGE=0.001]
autolearn=ham autolearn_force=no
Nov 10 10:46:10 mail amavis[2770]: (02770-01) Passed CLEAN
{AcceptedInbound}, *AM.PDP-SOCK* [89.26.12.242] [89.26.12.242]
<a.wass at glas-gasperlmair.at> -> <andi at wassa.at>, Queue-ID: 42FD0209BB,
Message-ID: <582441CE.2020806 at glas-gasperlmair.at>, Resent-Message-ID:
<mm_8McFZG0iK-ai4up9dD03fx at mail1.glasgasperlmair.at>, mail_id:
Xb0YiIeoenTQ, Hits: 0.001, size: 56550, 889 ms
Nov 10 10:46:10 mail amavis[2770]: (02770-01) TIMING-SA total 751 ms -
parse: 3.5 (0.5%), extract_message_metadata: 33 (4.4%),
get_uri_detail_list: 2.4 (0.3%), tests_pri_-1000: 31 (4.1%),
tests_pri_-950: 1.20 (0.2%), tests_pri_-900: 1.32 (0.2%),
tests_pri_-400: 0.97 (0.1%), tests_pri_0: 573 (76.3%),
check_dkim_signature: 3.3 (0.4%), check_dkim_adsp: 6 (0.8%), check_spf:
13 (1.8%), poll_dns_idle: 0.98 (0.1%), check_razor2: 457 (60.9%),
check_pyzor: 0.76 (0.1%), tests_pri_500: 6 (0.8%), learn: 80 (10.7%),
b_learn: 76 (10.1%), b_count_change: 20 (2.7%), get_report: 0.41 (0.1%)
Nov 10 10:46:10 mail amavis[2770]: (02770-01) size: 56550, TIMING [total
894 ms] - got data: 0.0 (0%)0, check_init: 4.6 (1%)1, digest_hdr: 1.3
(0%)1, digest_body: 0.7 (0%)1, collect_info: 7 (1%)2, mkdir parts: 1.6
(0%)2, mime_decode: 33 (4%)5, get-file-type3: 32 (4%)9, decompose_part:
16 (2%)11, parts_decode: 0.1 (0%)11, check_header: 0.8 (0%)11,
AV-scan-1: 26 (3%)14, spam-wb-list: 1.2 (0%)14, SA msg read: 0.6 (0%)14,
SA parse: 4.3 (0%)14, SA check: 745 (83%)98, decide_mail_destiny: 3.9
(0%)98, notif-quar: 0.5 (0%)98, prepare-dsn: 3.3 (0%)99, report: 1.7
(0%)99, main_log_entry: 5 (1%)99, update_snmp: 3.5 (0%)100, rundown: 1.4
(0%)100
Nov 10 10:46:10 mail postfix/qmgr[1102]: 42FD0209BB:
from=<a.wass at glas-gasperlmair.at>, size=56578, nrcpt=1 (queue active)
Nov 10 10:46:10 mail postfix/smtpd[2795]: disconnect from
mail1.glasgasperlmair.at[89.26.12.242]
Nov 10 10:46:10 mail dovecot: lmtp(2790): Connect from 127.0.0.1
Nov 10 10:46:10 mail dovecot: lmtp(andi at wassa.at):
AQyGE+JBJFjmCgAAu6NIgg: msgid=<582441CE.2020806 at glas-gasperlmair.at>:
saved mail to INBOX
Nov 10 10:46:10 mail postfix/lmtp[2789]: 42FD0209BB: to=<andi at wassa.at>,
relay=127.0.0.1[127.0.0.1]:24, delay=1.3, delays=1.2/0/0/0.11,
dsn=2.0.0, status=sent (250 2.0.0 <andi at wassa.at> AQyGE+JBJFjmCgAAu6NIgg
Saved)
Nov 10 10:46:10 mail dovecot: lmtp(2790): Disconnect from 127.0.0.1:
Successful quit
Nov 10 10:46:10 mail postfix/qmgr[1102]: 42FD0209BB: removed
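
Added example, not part of the original post and not amavisd's own code: the post lists %banned_rules, with 'DEFAULT' => $banned_filename_re, before $banned_filename_re is assigned. Assuming amavisd.conf uses the same statement order, this stand-alone Perl script shows what the 'DEFAULT' entry then holds; new_RE and lookup_banned here are hypothetical stand-ins for amavisd's lookup code, with simplified first-match semantics.

```perl
#!/usr/bin/perl
# Added example: stand-alone Perl, does not load amavisd.
use strict;
use warnings;

# Hypothetical stand-in for amavisd's new_RE(): just keeps the rule list.
sub new_RE { return [@_] }

# Simplified first-match lookup (assumption: a bare qr// means "ban",
# [qr// => 0] means "allow"); an undefined table matches nothing.
sub lookup_banned {
    my ($table, $name) = @_;
    return 0 unless defined $table;
    for my $rule (@$table) {
        my ($re, $verdict) = ref($rule) eq 'ARRAY' ? @$rule : ($rule, 1);
        return $verdict if $name =~ $re;
    }
    return 0;
}

our ($banned_filename_re, %banned_rules);

# Same statement order as in the post: the hash entry is filled first ...
%banned_rules = ( 'DEFAULT' => $banned_filename_re );

# ... and the rule list is assigned afterwards (three rules from the post).
$banned_filename_re = new_RE(
    qr'^\.(exe-ms|dll)$',
    [ qr'^\.(rpm|cpio|tar)$' => 0 ],
    qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,
);

my $part = 'AdapterTroubleshooter.exe';   # attachment name from the maillog

printf "DEFAULT defined, order as posted: %s\n",
    defined($banned_rules{'DEFAULT'}) ? 'yes' : 'no';
printf "banned via DEFAULT, order as posted: %d\n",
    lookup_banned($banned_rules{'DEFAULT'}, $part);

# Filling the hash after the assignment stores the populated rule list.
%banned_rules = ( 'DEFAULT' => $banned_filename_re );
printf "banned via DEFAULT, hash filled last: %d\n",
    lookup_banned($banned_rules{'DEFAULT'}, $part);
```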