We are running CentOS 6.5 and ISPConfig 3.0.5.4p3.

I need to block only outgoing e-mail with a .MKV (and others in future) attachment, with a reject message to the sender.

I tried 2 solutions but they are not working:

1. postfix

I edited the "/etc/postfix/main.cf" file:

Code:
[...]
smtp_header_checks = pcre:/etc/postfix/smtp_mime_header_checks.pcre
smtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks.pcre
smtp_nested_header_checks = pcre:/etc/postfix/smtp_mime_header_checks.pcre
# also tried
header_checks = pcre:/etc/postfix/smtp_mime_header_checks.pcre
mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks.pcre
nested_header_checks = pcre:/etc/postfix/smtp_mime_header_checks.pcre
[...]

with this "/etc/postfix/smtp_mime_header_checks.pcre" file:

Code:
/^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)( mkv ))(\?=)?"?\s*(;|$)/x REJECT Attachment type ".$4" not allowed

and restarted postfix. No luck...

2. amavisd-new

I edited the "/etc/amavisd/amavisd.conf" file:

Code:
$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  allow_disclaimers => 1,
  os_fingerprint_method => undef,  # don't query p0f for internal clients
  banned_namepath_re => new_RE(
    qr'T=(mkv|avi)'xmi,
    qr'.\.(mkv|avi)$'i,
  ),
};

and tried both the rules inside "banned_namepath_re". I also tried the same rules inside the block "$policy_bank{'ORIGINATING'}" with no luck (after restarting amavisd).

The only rule working in the "/etc/amavisd/amavisd.conf" file is the following:

Code:
[...]
$banned_filename_re = new_RE(
  qr'.\.(mkv|avi)$'i,  # banned extensions - rudimentary
[...]

but it rejects outbound and also inbound emails.

Any help?

Thanks,
tode
Solved with postfix.

First, the content of the "/etc/postfix/smtp_mime_header_checks.pcre" file must be on two lines, like:

Code:
/^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(mkv))(\?=)?"?\s*(;|$)/x
    REJECT Attachment type ".$4" not allowed

and, after a postfix reload, it blocks outgoing and ingoing e-mail (with correct message to sender).

To restrict the filter only to the outgoing e-mail you can disable this filter in the "/etc/postfix/master.cf" file:

Code:
[...]
smtp      inet  n       -       n       -       -       smtpd
  -o receive_override_options=no_header_body_checks
[...]

then run "postfix reload" and the block will work.

So the filter will work only for the submission process and not for normal email receiving on standard port 25.

smtp_*_checks filters are useless for this goal.

Hope this helps someone,
tode
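
An added example, not part of the original posts: a Python harness that runs the rule from the solution against constructed MIME headers, to show which attachment names it rejects and what reject text `$4` produces. Python's `re` standing in for Postfix's PCRE engine, the simplified header unfolding, and the names `RULE`, `unfold`, `check` and `SAMPLES` are assumptions of this example.

```python
import re

# Rule copied from the solution post. Postfix pcre tables match
# case-insensitively by default; the /x flag corresponds to re.VERBOSE.
RULE = re.compile(
    r'^Content-(Disposition|Type).*name\s*=\s*"?'
    r'([^;]*(\.|=2E)(mkv))(\?=)?"?\s*(;|$)',
    re.IGNORECASE | re.VERBOSE,
)

def unfold(raw_header):
    """Join a folded header into one logical line (simplified unfolding)."""
    return re.sub(r'\r?\n(?=[ \t])', '', raw_header)

def check(raw_header):
    """Return the reject text the rule would yield, or None if no match."""
    m = RULE.search(unfold(raw_header))
    if m is None:
        return None
    # $4 in the Postfix action is the fourth capture group: the extension.
    return 'Attachment type ".%s" not allowed' % m.group(4)

# Constructed sample headers (not taken from real mail).
SAMPLES = [
    'Content-Disposition: attachment; filename="movie.mkv"',
    'Content-Type: video/x-matroska;\r\n\tname="CLIP.MKV"',  # folded, upper case
    'Content-Type: video/x-matroska; name="=?UTF-8?Q?film=2Emkv?="',  # encoded dot
    'Content-Disposition: attachment; filename="notes.txt"',
    'Content-Disposition: attachment; filename="video.mkv.txt"',
    'Subject: movie.mkv attached',
]

if __name__ == '__main__':
    for header in SAMPLES:
        print('%-8s %r' % ('REJECT' if check(header) else 'pass', header))
```

On the server itself, `postmap -q '<header line>' pcre:/etc/postfix/smtp_mime_header_checks.pcre` queries the real table with a single header line.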