Amavis sets UNCHECKED title for encrypted messages or attachments

Discussion in 'Server Operation' started by liane, Mar 5, 2017.

  1. liane (Member, HowtoForge Supporter)

    Amavis tags messages with ***UNCHECKED*** when it is not able to uncompress/decrypt any part of them.

    That's fine as long as it is warning about password-protected zip files, as they *could* contain a virus.

    Where it's not fine anymore is when it does it even for logged-in users (submission port 587): if they dare send a password-protected file, or even worse, a PGP-encrypted message, the message will end up with that nice tag in front of the title: ***UNCHECKED***.
    Needless to say, that ain't that friendly, and that defeats the entire purpose of sending PGP encrypted messages for security reasons.

    I found some hacks that just set this string to blank, always, no questions asked. But apart from the fact that it seems to be undocumented, the tag then won't appear anywhere anymore, even for incoming mails that might contain a virus, or if there's a problem in ClamAV, so it is a hack, no more, and a security flaw.

    I even found a worse one that modified the Amavis code, something that won't survive any update.

    I'm looking for a *clean* way to tell Amavis to *not* check for UNCHECKED-ENCRYPTED mails if they are coming from *regular users*.

    disclaimer: That's not a problem related to any HowTo or ISPC, I'm asking here first because I believe it's more responsive, I'm just looking for clues, thanks in advance for any

    P.S. refs stripped, I don't want to advertise bad practices
     
    Last edited: Mar 5, 2017
  2. liane (Member, HowtoForge Supporter)

    Answering myself:
    The perfect server ISPC (at least 3.1.2, dunno for previous) already sets a special amavis policy_bank for incoming messages (those from submission port 587), so it is just a matter of mixing in the hack I previously found that sets the string to blank, only for this policy.
    To stay on the safe side (survive updates), create a new amavis conf file (e.g. 99-my_conf) in /etc/amavis/conf.d, with this:
    Code:
    # disabled unchecked tag for originating mails (port 587)
    $policy_bank{'ORIGINATING'}{'undecipherable_subject_tag'} = '';
    
    You can put whatever you want in the string (e.g. '***PRIVATE*** '); it will only be displayed for mails sent by your users. Mails from outside will still display '***UNCHECKED*** '.
    Then restart amavis:
    Code:
    /etc/init.d/amavis restart
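
The difference between the global blanking hack described in the first post and the policy-bank override from the second can be checked mechanically. The following is an added example, not part of either post: `audit_unchecked_tag` is a hypothetical helper that assumes the Debian-style conf.d layout, recognises only the literal assignment forms shown, and is run here against constructed sample files.

```shell
#!/bin/sh
# Added example, not from the thread. audit_unchecked_tag is a hypothetical
# helper; the default directory assumes the layout used in the post.
# Exit status: 0 = scoped override only, 1 = no override, 2 = global blanking.
audit_unchecked_tag() {
    dir=${1:-/etc/amavis/conf.d}
    blank="(''|\"\"|undef)"
    # Global assignment that blanks the tag for every policy bank (the hack).
    global_re="^[[:space:]]*\\\$undecipherable_subject_tag[[:space:]]*=[[:space:]]*${blank}[[:space:]]*;"
    # Override scoped to the ORIGINATING bank, in the form shown in the post.
    scoped_re="^[[:space:]]*\\\$policy_bank[{]'ORIGINATING'[}][{]'undecipherable_subject_tag'[}][[:space:]]*="
    # /dev/null as an extra operand makes grep print the file name
    # even when the directory holds a single file.
    if grep -En "$global_re" "$dir"/* /dev/null 2>/dev/null; then
        echo "FAIL: tag blanked globally; inbound undecipherable mail is no longer marked"
        return 2
    fi
    if grep -En "$scoped_re" "$dir"/* /dev/null 2>/dev/null; then
        echo "OK: override limited to the ORIGINATING policy bank"
        return 0
    fi
    echo "INFO: no override found; the default tag applies to all mail"
    return 1
}

# Constructed sample files so the check runs without an amavis install.
demo=$(mktemp -d)
mkdir "$demo/scoped" "$demo/global"
cat > "$demo/scoped/99-my_conf" <<'EOF'
# disabled unchecked tag for originating mails (port 587)
$policy_bank{'ORIGINATING'}{'undecipherable_subject_tag'} = '';
EOF
cat > "$demo/global/99-my_conf" <<'EOF'
$undecipherable_subject_tag = '';
EOF
audit_unchecked_tag "$demo/scoped"
audit_unchecked_tag "$demo/global" || echo "(exit status $?)"
rm -rf "$demo"
```

Commented-out lines are ignored, and a policy bank written as a hash literal (`$policy_bank{'ORIGINATING'} = { ... }`) is not recognised by this check.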
     
