Blocking encrypted attachments with Amavis

Discussion in 'Server Operation' started by EvilFury, Jan 14, 2021.

  1. EvilFury (New Member)

    I'm having a problem with amavis on my CentOS 7 machine (amavisd-new 2.12.0, postfix 2.10.1, ISPConfig Version: 3.1dev).

    I'm trying to configure amavis so that it discards emails with encrypted .zip or .rar files attached (the sender gets a notification of undelivered email because of non-allowed content, and a notification is also sent to virusalert-at-machine-domain.com describing what happened. The virusalert alias is already configured; I receive those emails in my mailbox).

    At the moment, amavis detects the encrypted archive attached to an email, but it forwards it to the recipient anyway and sends a notification of what has been done to the virusalert mailbox.

    Here's the message I receive from virusalert-at-machine-domain.com:
    (I've sent an email from our internal mail server, which uses the one with amavis configured as a relay, to my personal mailbox.)

    Code:
        No viruses were found.
        Content type: UncheckedEncrypted
        Internal reference code for the message is 21621-04/VDsYr4oLBKP5
        First upstream SMTP client IP address: [Sender IP]:7555
        Sender rDNS
        Received trace: ESMTPA://[Sender IP]:7555 <
          Microsoft_SMTP_Server://InternalServerIP < mapi://
        Return-Path: <me-at-mydomain.com>
        From: "My user"
          <me-at-mydomain.com>
        Message-ID: <81c03676859d4503bf70c4e14de4cb4e-at-mydomain.com>
        Subject: Test encrypted archive
        Not quarantined.

        The message WILL BE relayed to:
        <me-at-my-test-domain.com>
    Postfix's log shows the following:

    Code:
        postfix/smtpd[21623]: connect from myhost[myIP]
        postfix/smtpd[21623]: NOQUEUE: filter: RCPT from myhost[myIP]: <me-at-mydomain.com>: Sender address triggers FILTER amavis:          [127.0.0.1]:10026; from=<me-at-mydomain.com> to=<me-at-my-test-domain.com> proto=ESMTP helo=<SMTP.local>
        postfix/smtpd[21623]: 53BFA7FB: myhost[myIP], sasl_method=LOGIN, sasl_username=myusername
        postfix/cleanup[21634]: 53BFA7FB: message-id=<81c03676859d4503bf70c4e14de4cb4e-at-mydomain.com>
        postfix/qmgr[20232]: 53BFA7FB: from=<me-at-mydomain.com>, size=28650, nrcpt=1 (queue active)
        postfix/smtpd[21623]: disconnect from myhost[myIP]
        postfix/smtpd[21639]: connect from localhost[127.0.0.1]
        postfix/smtpd[21639]: C04406DC: client=localhost[127.0.0.1]
        postfix/cleanup[21647]: C04406DC: message-id=<VAVDsYr4oLBKP5-at-machine-domain.com>
        postfix/qmgr[20232]: C04406DC: from=<postmaster-at-machine-domain.com>, size=3126, nrcpt=1 (queue active)
        postfix/smtpd[21639]: disconnect from localhost[127.0.0.1]
        postfix/cleanup[21634]: CA805A93: message-id=<VAVDsYr4oLBKP5-at-machine-domain.com>
        postfix/qmgr[20232]: CA805A93: from=<postmaster-at-machine-domain.com>, size=3261, nrcpt=1 (queue active)
        postfix/local[21678]: C04406DC: to=<virusalert-at-machine-domain.com>, relay=local, delay=0.05, delays=0.02/0.03/0/0.01, dsn=2.0.0, status=sent (forwarded as CA805A93)
        postfix/qmgr[20232]: C04406DC: removed
        postfix/smtpd[21646]: connect from localhost[127.0.0.1]
        postfix/smtpd[21646]: D5426A67: client=localhost[127.0.0.1]
        postfix/cleanup[21647]: D5426A67: message-id=<81c03676859d4503bf70c4e14de4cb4e-at-domain.com>
        postfix/qmgr[20232]: D5426A67: from=<me-at-mydomain.com>, size=29603, nrcpt=1 (queue active)
        postfix/smtpd[21646]: disconnect from localhost[127.0.0.1]
        amavis[21621]: (21621-04) Passed UNCHECKED-ENCRYPTED {RelayedOutbound}, ORIGINATING LOCAL [myIP]:7555 [myIP] <me-at-mydomain.com> -> <me-at-my-test-domain.com>, Queue-ID: 53BFA7FB, Message-ID: <81c03676859d4503bf70c4e14de4cb4e-at-mydomain.com>, mail_id: VDsYr4oLBKP5, Hits: -0.998, size: 28650, queued_as: D5426A67, dkim_new=default:domain.com, 2477 ms
        postfix/smtp[21635]: 53BFA7FB: to=<me-at-my-test-domain.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.6, delays=0.08/0/0/2.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as D5426A67)
        postfix/qmgr[20232]: 53BFA7FB: removed
        dovecot: lda(me-at-mydomain.com): sieve: msgid=<VAVDsYr4oLBKP5-at-machine-domain.com>: stored mail into mailbox 'INBOX'
        postfix/pipe[21679]: CA805A93: to=<me-at-mydomain.com>, orig_to=<virusalert-at-machine-domain.com>, relay=dovecot, delay=0.08, delays=0.01/0.02/0/0.06, dsn=2.0.0, status=sent (delivered via dovecot service)
        postfix/qmgr[20232]: CA805A93: removed
    
    Why does amavis detect the emails correctly but just mark them as ***Passed UNCHECKED-ENCRYPTED*** and forward them to the recipient anyway?

    I've researched online for the correct configuration to stop forwarding messages that have encrypted archives attached (or that get marked as unchecked-encrypted by amavis), but so far nothing fully works.

    Can someone help me?

    Thanks a lot
     
    Last edited: Jan 14, 2021
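The behaviour in the log above is what amavisd-new does by default: a message whose archive it cannot open is classified as UNCHECKED, and the default `$final_unchecked_destiny` is D_PASS, so the mail is tagged, the admin is notified and the message is still relayed. The following amavisd.conf fragment is an added example, not code from the thread or from ISPConfig, showing the settings that turn that into a bounce plus quarantine. Assumptions are marked in the comments: the ORIGINATING policy bank on port 10026 (which the `{RelayedOutbound}, ORIGINATING` log line suggests is already there), the virusalert alias from the post, and the quarantine file naming.

```perl
# Added example (amavisd-new 2.12 configuration syntax), not taken from the
# thread or from the ISPConfig-generated amavisd.conf. Drop these lines into
# the user section of amavisd.conf (or the file your setup includes last, so
# they win over earlier definitions).

# Global defaults. The stock value is D_PASS, which is exactly the
# "Passed UNCHECKED-ENCRYPTED" seen in the log.
$final_unchecked_destiny = D_BOUNCE;   # sender gets an NDR, recipient gets nothing
$warnunchecksender       = 1;          # send an explicit "not delivered" notice to the sender
$unchecked_admin         = 'virusalert@machine-domain.com';   # assumed alias from the post

# Keep a copy for the admin instead of losing the original.
$unchecked_quarantine_to     = 'unchecked-quarantine';
$unchecked_quarantine_method = 'local:unchecked-%m';   # assumption: one file per mail under $QUARANTINEDIR

# Only relevant while unchecked mail still passes; harmless to keep.
$undecipherable_subject_tag = '***UNCHECKED*** ';

# The test mail entered on port 10026 and was logged as ORIGINATING, i.e. it
# went through the ORIGINATING policy bank (assumed to exist in the ISPConfig
# config). Keys set inside a bank override the globals, so set the
# destiny there too. Assigning the keys individually keeps whatever else the
# bank already contains (bypass lists, DKIM settings, ...).
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'}{'originating'}             = 1;
$policy_bank{'ORIGINATING'}{'final_unchecked_destiny'} = D_BOUNCE;
$policy_bank{'ORIGINATING'}{'warnunchecksender'}       = 1;

# Recipients matched here would still receive unchecked mail. Keep it empty
# (assumption: no recipient should be allowed to get encrypted archives).
@unchecked_lovers_maps = ();

1;   # amavisd.conf must return a true value
```

Two caveats a practitioner will want. D_REJECT is only honoured when amavisd sits in front of the queue (Postfix smtpd_proxy_filter); in the post-queue content_filter setup shown in the log it is treated as D_BOUNCE. And D_BOUNCE is fine for originating, SASL-authenticated mail like this test, but for inbound mail with possibly forged senders it produces backscatter, so D_DISCARD together with the quarantine is the safer choice there. After `amavisd reload`, resend the test with a password-protected archive (for example one created with `zip -e`) and the log line should change from `Passed UNCHECKED-ENCRYPTED` to `Blocked UNCHECKED-ENCRYPTED`.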
