amavis-user March 2012 archive

Re: Release banned emails from amavisd-new?

From: Mark Martinec <Mark.Martinec+amavis_at_nospam>
Date: Wed Mar 07 2012 - 12:16:02 GMT
To: amavis-users@amavis.org

Justin,

> I am using Postfix + amavisd-new + clamav + spamassassin and I am having
> an issue with one external user outside of my company being able to send
> meeting invitations to one of our presidents. It seems as if it is being
> blocked by amavisd-new. It reads
>
> No viruses were found.
>
> Banned name: .exe,.exe-ms,[trash]/0000.dat Content type: Banned Internal
> reference code for the message is 15727-01/WgqssgY9ghce

Looks like the file(1) utility considers the 0000.dat a Microsoft executable.

> I have whitelisted many people/domains but no matter what I try or where
> I put this sender it still gets blocked.
> I have also tried whitelisting by IP. His normal emails get through; only
> his Outlook meeting invitations are getting blocked.

Whitelisting only applies to spam checks;
it has no influence on virus and banned checks.

To let infected or banned mail pass, one can use a heavier cannon:
sender domain's DKIM-based whitelisting. If the problematic mail
comes signed with a DKIM signature, this may be the easiest and
most reliable solution (using @author_to_policy_bank_maps).
More on that in release notes, search for @author_to_policy_bank_maps.

To let banned mail pass, one can also use per-recipient banning rules
through @banned_filename_maps and %banned_rules.

The %banned_rules associative array serves to give names to
different banning rules, e.g.:

%banned_rules = (
  'ALLOW_EXE' => # pass exec except if name ends in .vbs .pif .scr .bat
    new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
  'ALLOW_VBS' => # allow names ending in .vbs
    new_RE( [qr'.\.vbs$' => 0] ),
  'NO-VIDEO' => new_RE( qr'^\.movie$',
    qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
  'NO-MOVIES' => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),
  'DEFAULT' => $banned_filename_re,
);

Then associate these ruleset names with recipients:

@banned_filename_maps = (
 {
   'user1@example.com' => 'NO-MS-EXEC,PASSALL',
   'user2@example.com' => 'ALLOW_EXE',
   'user3@example.net' => 'ALLOW_VBS,ALLOW_EXE',
   '.' => 'DEFAULT',
 },
);

More on that in release notes.

Or in your case, it is possible (or even likely) that a file(1) utility
made an incorrect conclusion and the mail part in question was
not a MS executable. Trying with a newer version and/or sending
a sample to the maintainer may be in order.

> When amavisd-new bans messages, are they just dropped or are they stored
> somewhere where I can then forward the message?
> Has anybody else had problems with just a single user/domain not getting
> through even though they are on multiple whitelists?

Depends on your configuration. It is common that blocked messages
are stored in a quarantine. Your log will probably tell.

So if such blocked messages are infrequent, it may suffice to
manually release each such message from a quarantine.

  Mark
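The two routes Mark describes, written out for the case in this thread as an added amavisd.conf fragment (not Mark's or the amavisd project's own configuration). The recipient address, the sender's DKIM signing domain and the policy-bank name are assumed; 'DEFAULT' keeps the site's existing $banned_filename_re.

```perl
# Added example: per-recipient exemption for the part described in the
# log line "Banned name: .exe,.exe-ms,[trash]/0000.dat".  ".exe-ms" is the
# file(1) verdict on the content, not a declared file name, so the rule
# passes only that attribute and keeps banning parts whose declared name
# says "executable".  Rules are tested in order and the first match
# decides, so the pass rule ([... => 0]) is listed after the name bans.
%banned_rules = (
  'ALLOW_MS_EXEC_BY_CONTENT' => new_RE(
    qr'.\.(exe|com|vbs|pif|scr|bat)$'i,   # declared name: still banned
    [ qr'^\.exe-ms$' => 0 ],              # file(1) says MS exec: pass
  ),
  'DEFAULT' => $banned_filename_re,       # the site's existing ruleset
);

@banned_filename_maps = (
  {
    'president@example.com' => 'ALLOW_MS_EXEC_BY_CONTENT',  # assumed address
    '.'                     => 'DEFAULT',  # everyone else is unchanged
  },
);

# Heavier cannon: skip banned checks only for mail whose author domain
# carries a valid DKIM signature.  Unlike an IP or envelope-sender
# whitelist, this keys on an authenticated sender identity.  Spam and
# virus checks still run for this policy bank.
$policy_bank{'DKIM_TRUSTED_SENDER'} = {   # assumed bank name
  bypass_banned_checks_maps => [1],
};
@author_to_policy_bank_maps = (
  { 'partner.example' => 'DKIM_TRUSTED_SENDER' },   # assumed signing domain
);
```

Test with amavisd's debug-sa or a quarantined sample before relying on either route: the first only helps if file(1) keeps reporting ".exe-ms", the second only if the sender's mail is actually DKIM-signed.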