How to stop scanning outgoing mail?

Discussion in 'Installation/Configuration' started by AlArenal, Jul 16, 2010.

  1. AlArenal

    AlArenal New Member

    Hi!

    How can I stop ISPC3 / amavisd-new from scanning outgoing mail? A client of mine often needs to send EXE or ZIP files but those mails don't get through, because the system bans them.

    Reconfiguring the mailbox filter does not work, whitelisting in ISPC3 does not work either, ...

    Thanks for your support,
    Alex
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Normally .zip and exe files don't get banned by amavisd; I send them regularly. Please post the headers of such a banned email.
     
  3. AlArenal

    AlArenal New Member

    Hi Till,

    here is the top part of the message including headers we get sent back:


    Return-Path: <MAILER-DAEMON>
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
    by server1.domain.tld (Postfix) with ESMTP id 10908F00C1
    for <[email protected]>; Fri, 16 Jul 2010 11:56:31 +0200 (CEST)
    Content-Type: multipart/report; report-type=delivery-status;
    boundary="----------=_1279274191-2222-0"
    Content-Transfer-Encoding: 7bit
    MIME-Version: 1.0
    Subject: BANNED message from you (multipart/mixed |
    application/x-msdownload,.exe,.exe-ms,instmsia.exe)
    In-Reply-To: <[email protected]>
    Message-ID: <[email protected]>
    From: "Content-filter at server1.domain.tld" <[email protected]>
    To: <[email protected]>
    Date: Fri, 16 Jul 2010 11:56:29 +0200 (CEST)

    This is a multi-part message in MIME format...

    ------------=_1279274191-2222-0
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Disposition: inline
    Content-Transfer-Encoding: 7bit

    BANNED CONTENTS ALERT

    Our content checker found
    banned name: multipart/mixed |
    application/x-msdownload,.exe,.exe-ms,instmsia.exe

    in email presumably from you <[email protected]>
    to the following recipient:
    -> [email protected]

    Our internal reference code for your message is 02222-01/dL86sQc6hjc9

    First upstream SMTP client IP address: [79.227.35.252]
    p4FE323FC.dip.t-dialin.net
    According to a 'Received:' trace, the message originated at: [79.227.35.252],
    [192.168.178.20] p4FE323FC.dip.t-dialin.net [79.227.35.252] Authenticated
    sender: [email protected]

    Return-Path: <[email protected]>
    Message-ID: <[email protected]>
    Subject: Fwd: testmail mit exe

    Delivery of the email was stopped!

    The message has been blocked because it contains a component
    (as a MIME part or nested within) with declared name
    or MIME type or contents type violating our access policy.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    There are several options:

    1) Set "banned files lover" to "yes" in the spamfilter policy settings and / or modify the amavisd.conf file to allow binary files in general.

    2) Alternatively, reconfigure amavisd and postfix to bypass the scanner. Here are several examples:

    http://www200.pair.com/mecham/spam/bypassing.html
     
  5. AlArenal

    AlArenal New Member

    - Setting policies has no effect.
    - There is no such file as amavisd.conf, but a directory /etc/amavisd/conf.d (Debian Lenny)
    - I edited /etc/amavisd/conf.d/50-user and added these two lines, restarted amavis afterwards and still get banned:

    @bypass_banned_checks_maps = ( [qw( domain.de domain.com )] );
    @banned_files_lovers_maps = ( [qw( domain.de domain.com )] );

    I must admit the bypassing document confuses me more than it actually helps me. Maybe it's still too hot here in Germany...

    Any suggestions as to why these changes did not have any effect?

    Thanks,
    Alex
     
  6. dar_ek

    dar_ek New Member

    Solved

    My opinion:

    The ISPConfig mailbox filter options are for email directed to the client's mailbox/domain (e.g. from [email protected] to [email protected]), not for outgoing mail (from the client to the outside).

    The best way to allow our clients to send EXEs (without touching the options of the incoming mailbox filters) is to tell clients to use port 587 (submission) in their MUA (e.g. Outlook) instead of port 25 (smtpd).

    The submission port (587) is specifically reserved for accepting mail from users' MUAs, and it is the suggested port to use rather than port 25 (which is for MTAs).
    Read RFC 2476 on this.

    If your client uses the submission port, you can very simply bypass some amavis functions. I do it this way:

    1. Tell amavis that it must listen on two ports, not one.

    Code:
    #$inet_socket_port = 10024;   # default listening socket
    $inet_socket_port = [10024, 10026]; # added 10026
    2. Tell amavis that port 10026 bypasses some checks (in my config it bypasses the banned and bad-header checks, but it may bypass spam control too):

    Code:
    $interface_policy{'10026'} = 'SASLBYPASS';
    
    $policy_bank{'SASLBYPASS'} = {  # mail from submission and smtps ports
       originating => 1,  # Since amavisd-new 2.5.0
                          # declare that mail was submitted by our smtp client
    #   bypass_spam_checks_maps   => [1],  # don't spam-check this mail
       bypass_banned_checks_maps => [1],  # don't banned-check this mail
       bypass_header_checks_maps => [1],  # don't header-check this mail..
    };
    
    3. Tell postfix that mail from the submission port must go to amavis port 10026, not the default 10024 (/etc/postfix/master.cf):

    Code:
    submission      inet  n       -       -       -       -       smtpd
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o content_filter=amavis:[127.0.0.1]:10026
    
    (Warning: in some master.cf files the submission service is written numerically as 587.)

    Note that on submission we accept ONLY sasl_authenticated clients (-o smtpd_client_restrictions=permit_sasl_authenticated,reject).
    You can do this because this port is only for users, not for MTAs.
    It's very important, because if we don't restrict this, spammers may use that port to bypass the amavis rules.

    Of course you leave the port 25 functionality as you have it.
    We don't touch the port 25 configuration, so you don't need to move all your clients' MUAs to 587, only the one who needs to bypass the banned-files filter.

    PS: you may set bypass_spam_checks_maps for 587 too if you wish (to speed up the system); authenticated users tend not to send spam.

    Till, I think that configuration should be the default in the ISPConfig install. What do you think?

    (sorry for my bad-english :p )
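
An added example, not part of dar_ek's post or of ISPConfig: a small audit of master.cf that flags any service whose content_filter points at the bypass port (10026 in the post) without an override that admits only SASL-authenticated clients, which is the restriction the post calls very important. The sample master.cf text, the function names and the smtps entry are constructed for illustration; only `-o name=value` overrides in master.cf are inspected, not values inherited from main.cf.

```python
import re

BYPASS_PORTS = {"10026"}  # port bound to the SASLBYPASS policy bank in the post
RESTRICTION_PARAMS = ("smtpd_client_restrictions", "smtpd_recipient_restrictions",
                      "smtpd_relay_restrictions")

# Constructed sample: smtps also feeds the bypass port but has no SASL-only restriction.
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=amavis:[127.0.0.1]:10026
# constructed misconfiguration
smtps      inet  n       -       -       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o content_filter=amavis:[127.0.0.1]:10026
"""

def logical_lines(text):
    """Join master.cf continuation lines (those starting with whitespace)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def sasl_only(value):
    """True if the restriction list permits only SASL users and ends in reject."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    permits = [t for t in tokens if t.startswith("permit")]
    return bool(tokens) and tokens[-1] == "reject" and permits == ["permit_sasl_authenticated"]

def audit_master_cf(text, bypass_ports=BYPASS_PORTS):
    """Return (service, port) for services that reach a bypass port unrestricted."""
    findings = []
    for entry in logical_lines(text):
        opts = dict(m.groups() for m in re.finditer(r"-o\s+(\w+)=(\S+)", entry))
        port = opts.get("content_filter", "").rsplit(":", 1)[-1]
        if port in bypass_ports and not any(
                sasl_only(opts.get(p, "")) for p in RESTRICTION_PARAMS):
            findings.append((entry.split()[0], port))
    return findings

if __name__ == "__main__":
    for service, port in audit_master_cf(SAMPLE_MASTER_CF):
        print(f"{service}: content_filter -> {port} without permit_sasl_authenticated,reject")
```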
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The ISPConfig spam scanning options are intended for incoming and outgoing emails.

    What you did not take into account in your setup is that most spam is sent by clients unintentionally because their desktop PCs have a virus. So scanning outgoing mail is intended, as it protects the mail servers of the ISP. Normal email sent by clients is not affected, but if a client PC gets infected by a virus, the mail filter system in ISPConfig will protect the server from being banned by other ISPs for sending spam.
     
  8. dar_ek

    dar_ek New Member

    Till, you didn't read my post carefully.

    I don't propose bypassing spam or virus control.

    I only suggest how to bypass
    - banned files (mostly exe)
    - or bad headers

    So even hacked SMTP accounts will be checked for spam/viruses.

    For now the client cannot send executables at all (even zip-archived), and doesn't have the possibility to change this in the ISP panel (the ISPConfig controls are only for incoming emails!).

    It's hard to tell the client that it's for his safety.
    E.g. he may want to send someone drivers, self-extracting archives with files...

    And he may be right, because our ISPConfig mail server has antivirus control (clam-av/amavis), so why not enable sending EXEs in email? (Once again: only for outgoing emails, and only for smtp-auth clients.)

    Think about it, please.

    best regards
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    I've added your request to the bugtracker.
     
  10. Ovidiu

    Ovidiu Active Member

    where would I edit the list of banned files?
    It looks like .pdf files are banned too :-(

    Running Debian Squeeze here.

    What good is this and how can I use it?
    Is this a generic info? The mail only contained a .pdf
    here is a sample that got stopped!

     
