Fixed: Amavisd cannot detect '.exe' file in zipped attachment.

Zhang Huangbin 2015-05-03 22:19:17 +08:00
parent a60c025597
commit 9d17fac2c5
2 changed files with 83 additions and 0 deletions

View File

@ -19,6 +19,7 @@
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release">Upgrade Roundcube webmail to the latest stable release</a></li>
<li><a href="#upgrade-iredapd-postfix-policy-server-to-the-latest-145">Upgrade iRedAPD (Postfix policy server) to the latest 1.4.5</a></li>
<li><a href="#fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
<li><a href="#fixed-amavisd-cannot-detect-exe-file-in-zipped-attachment">Fixed: Amavisd cannot detect .exe file in zipped attachment.</a></li>
<li><a href="#fixed-amavisd-cannot-detect-exe-file-in-rar-compressed-attachment">Fixed: Amavisd cannot detect .exe file in rar compressed attachment.</a></li>
<li><a href="#fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</a></li>
<li><a href="#fixed-incorrect-log-file-and-ownergroup-in-logrotate-config-file-etclogrotatedpolicyd">Fixed: Incorrect log file and owner/group in logrotate config file: /etc/logrotate.d/policyd</a></li>
@ -61,6 +62,7 @@
<p><strong>WARNING: Still working in progress, do <em>NOT</em> apply it.</strong></p>
<h2 id="changelog">ChangeLog</h2>
<ul>
<li>2015-05-03: [All backends] Fixed: Amavisd cannot detect <code>.exe</code> file in zipped attachment.</li>
<li>2015-04-21: [All backends] [Debian/Ubuntu] Fixed: Amavisd cannot detect <code>.exe</code> file in rar compressed attachment.</li>
<li>2015-04-21: [All backends] Fixed: Incorrect log file and owner/group in logrotate config file: /etc/logrotate.d/policyd.</li>
<li>2015-04-06: [All backends] Make Dovecot subscribe newly created folder automatically.</li>
@ -186,6 +188,44 @@ authenticated user but with null sender in <code>From:</code> header (<code>from
log). If your user's password was cracked by spammer, spammer can use this
account to bypass smtp authentication, but with a null sender in <code>From:</code>
header, throttling won't be triggered.</p>
<h3 id="fixed-amavisd-cannot-detect-exe-file-in-zipped-attachment">Fixed: Amavisd cannot detect <code>.exe</code> file in zipped attachment.</h3>
<p>Amavisd on some Linux/BSD distribution use <code>$banned_namepath_re</code>
instead of <code>$banned_filename_re</code> to check banned files, but it
(<code>$banned_namepath_re</code>) was not defined, so we define some blocked file
types here.</p>
<p>Please append below settings in Amavisd config file, above the last line
(<code>1; # insure a defined return</code>) in the same file:</p>
<ul>
<li>On RHEL/CentOS, OpenBSD, it's <code>/etc/amavisd/amavisd.conf</code>.</li>
<li>On Debian/Ubuntu, it's <code>/etc/amavis/conf.d/50-user</code>.</li>
<li>On FreeBSD, it's <code>/usr/local/etc/amavisd.conf</code>.</li>
</ul>
<pre><code># Amavisd on some Linux/BSD distribution use \$banned_namepath_re
# instead of \$banned_filename_re, so we define some blocked file
# types here.
#
# Sample input for $banned_namepath_re:
#
# P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=my_docum.zip
#
# What it means:
# - T: type. e.g. zip archive.
# - M: MIME type. e.g. application/octet-stream.
# - N: suggested (MIME) name. e.g. my_docum.zip.
$banned_namepath_re = new_RE(
[qr'T=(exe|exe-ms|dat|lha|cab|dll)\t'xmi =&gt; 'DISCARD'], # banned file(1) types
[qr'T=(pif|scr)\t'xmi =&gt; 'DISCARD'], # banned extensions - rudimentary
[qr'T=ani\t'xmi =&gt; 'DISCARD'], # banned animated cursor file(1) type
[qr'T=(mim|b64|bhx|hqx|xxe|uu|uue)\t'xmi =&gt; 'DISCARD'], # banned extension - WinZip vulnerab.
[qr'M=application/x-msdownload\t'xmi =&gt; 'DISCARD'], # block these MIME types
[qr'M=application/x-msdos-program\t'xmi =&gt; 'DISCARD'],
[qr'M=application/hta\t'xmi =&gt; 'DISCARD'],
[qr'M=(application/x-msmetafile|image/x-wmf)\t'xmi =&gt; 'DISCARD'], # Windows Metafile MIME type
);
</code></pre>
<p>Restarting Amavisd service is required.</p>
<h3 id="fixed-amavisd-cannot-detect-exe-file-in-rar-compressed-attachment">Fixed: Amavisd cannot detect <code>.exe</code> file in rar compressed attachment.</h3>
<p>Note: This fix is applicable to RHEL/CentOS, Debian and Ubuntu.</p>
<ul>
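Review bot: the first rule in the config block, the one matching `T=(exe|exe-ms|dat|lha|cab|dll)`, bans `T=dat`, and the sample input in the comment directly above it shows an attachment named `my_docum.zip` classified as `T=dat`. As written, that sample attachment would be discarded on its `dat` type alone, whether or not it contains an executable. Either drop `dat` from the alternation or add a sentence explaining why it is banned. Every rule also maps to `'DISCARD'`; the text should say what that does to the message, so an admin knows what to check when a legitimate attachment goes missing.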

View File

@ -7,6 +7,7 @@ __WARNING: Still working in progress, do _NOT_ apply it.__
## ChangeLog
* 2015-05-03: [All backends] Fixed: Amavisd cannot detect `.exe` file in zipped attachment.
* 2015-04-21: [All backends] [Debian/Ubuntu] Fixed: Amavisd cannot detect `.exe` file in rar compressed attachment.
* 2015-04-21: [All backends] Fixed: Incorrect log file and owner/group in logrotate config file: /etc/logrotate.d/policyd.
* 2015-04-06: [All backends] Make Dovecot subscribe newly created folder automatically.
@ -149,6 +150,48 @@ log). If your user's password was cracked by spammer, spammer can use this
account to bypass smtp authentication, but with a null sender in `From:`
header, throttling won't be triggered.
### Fixed: Amavisd cannot detect `.exe` file in zipped attachment.
Amavisd on some Linux/BSD distribution use `$banned_namepath_re`
instead of `$banned_filename_re` to check banned files, but it
(`$banned_namepath_re`) was not defined, so we define some blocked file
types here.
Please append below settings in Amavisd config file, above the last line
(`1; # insure a defined return`) in the same file:
* On RHEL/CentOS, OpenBSD, it's `/etc/amavisd/amavisd.conf`.
* On Debian/Ubuntu, it's `/etc/amavis/conf.d/50-user`.
* On FreeBSD, it's `/usr/local/etc/amavisd.conf`.
```
# Amavisd on some Linux/BSD distribution use \$banned_namepath_re
# instead of \$banned_filename_re, so we define some blocked file
# types here.
#
# Sample input for $banned_namepath_re:
#
# P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=my_docum.zip
#
# What it means:
# - T: type. e.g. zip archive.
# - M: MIME type. e.g. application/octet-stream.
# - N: suggested (MIME) name. e.g. my_docum.zip.
$banned_namepath_re = new_RE(
[qr'T=(exe|exe-ms|dat|lha|cab|dll)\t'xmi => 'DISCARD'], # banned file(1) types
[qr'T=(pif|scr)\t'xmi => 'DISCARD'], # banned extensions - rudimentary
[qr'T=ani\t'xmi => 'DISCARD'], # banned animated cursor file(1) type
[qr'T=(mim|b64|bhx|hqx|xxe|uu|uue)\t'xmi => 'DISCARD'], # banned extension - WinZip vulnerab.
[qr'M=application/x-msdownload\t'xmi => 'DISCARD'], # block these MIME types
[qr'M=application/x-msdos-program\t'xmi => 'DISCARD'],
[qr'M=application/hta\t'xmi => 'DISCARD'],
[qr'M=(application/x-msmetafile|image/x-wmf)\t'xmi => 'DISCARD'], # Windows Metafile MIME type
);
```
Restarting Amavisd service is required.
### Fixed: Amavisd cannot detect `.exe` file in rar compressed attachment.
Note: This fix is applicable to RHEL/CentOS, Debian and Ubuntu.
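Review bot: in the fenced config block, the first two comment lines write `\$banned_namepath_re` and `\$banned_filename_re` with a leading backslash, while the "Sample input for $banned_namepath_re" line below them does not. The backslashes look like leftover shell escaping and should be dropped so the names match what the admin sees in the Amavisd config file. The legend also gives "zip archive" as the example for `T`, but the sample line shows `T=dat` for `my_docum.zip`; align the two. Finally, "Restarting Amavisd service is required." would be easier to follow with the restart command for each of the three platforms listed above the block.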