[Chugalug] amavisd-new woes
dwrudy at gmail.com
Fri Sep 21 16:58:49 UTC 2012
In case anyone was interested, I found the solution:
The "blocked anywhere" directive included this line:
qr'^\.(exe|lha|cab|tnef|dll)$'. I reexamined the logs, bounce messages, and
the info I pasted into this question, and saw a consistent theme: they all
contained something with a .tnef extension. I researched it, and it turns
out it's coming from Microsoft Outlook, and was considered a potential
security vulnerability. I'm researching now how "unsafe" it would be for me
to turn it off, but in the meantime, I have done so.
- Me, about a week ago (on
Thus far, my (limited) research indicates that this was a security
vulnerability in older versions of Outlook, but that Microsoft released a
patch and fixed this a long time ago. I suppose it makes sense to still
block them by default.... but for now, I'm not blocking tnef files unless I
read a really good reason not to in the future.
Ok, I need to get back to getting ready to go out of town.... lots to do,
little time to do it in (headed out soon for a week+).
On Thu, Sep 6, 2012 at 6:34 PM, David White <dwrudy at gmail.com> wrote:
> I occasionally have a client who tries to email me and says his email gets
> blocked by my server. When I check the logs, I see this:
> *Sep 6 18:12:52 myers amavis: (15197-08) p.path BANNED:1
> david at smoothstoneservices.com: "P=p003,L=1,M=multipart/mixed |
> P=p002,L=1/2,M=application/ms-tnef,T=tnef,N=winmail.dat |
> And then a little later...
> *Sep 6 18:12:58 myers amavis: (15197-08) Blocked BANNED
> (.image,.gif,image001.gif,image001.gif), [126.96.36.199] [188.8.131.52]
> <client at emailaddress.com> -*
> *> <david at smoothstoneservices.com>, quarantine: banned-g4QhZGvwJvDF,
> Message-ID <
> 6A9596BE385EC1499F83E464FA9ECCA20C668320 at BY2PRD0611MB417.namprd06.prod.outlook.com>,
> mail_id: g4QhZGvwJvDF, Hits: -, size: 20916, 8439 ms*
> From this and the bounce that he forwards me (to a different address I
> give him), I determine that it's bouncing because of the file in his
> signature (image001.gif). However, that does NOT match the "key" in this
> part of the log: matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"
> Furthermore, the .gif extension is nowhere to be found in the
> /etc/amavisd.conf file (i.e. I'm not blocking emails because they contain
> .gif images).
> Am I missing something here? This is strange... and annoying.
> - David White -
> Smooth Stone Services *(soon to be CENTS)*
> *Computing, Equipping, Networking, Training & Supporting *
> *Nonprofit Organizations Worldwide*
> Existing Website: http://www.smoothstoneservices.com
> New Website (coming soon): http://developCENTS.com
- David White -
Smooth Stone Services *(soon to be CENTS)*
*Computing, Equipping, Networking, Training & Supporting *
*Nonprofit Organizations Worldwide*
Existing Website: http://www.smoothstoneservices.com
New Website (coming soon): http://developCENTS.com
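
The mismatch discussed in this thread (the "Blocked BANNED" line naming image001.gif while matching_key names the `.tnef` rule) can be traced by testing each node of the `p.path` value against the rule. This is an added example, not part of the original post and not amavisd-new's own code. It assumes short types (`T=`) are tested with a leading dot, as the `(.image,.gif,...)` tuple in the log suggests, and the third node of the sample path is constructed.

```python
import re

# Rule as quoted in the post from the "blocked anywhere" section.
BANNED_RULE = re.compile(r'^\.(exe|lha|cab|tnef|dll)$')

# Constructed p.path value: the first two nodes follow the log excerpt in the
# post; the third (the GIF carried inside winmail.dat) is made up here.
SAMPLE_PATH = ("P=p003,L=1,M=multipart/mixed | "
               "P=p002,L=1/2,M=application/ms-tnef,T=tnef,N=winmail.dat | "
               "P=p004,L=1/2/1,T=image,T=gif,N=image001.gif")

def parse_path(path):
    """Split a p.path string into nodes, each a list of (key, value) pairs.
    Simplification: file names containing commas are not handled."""
    nodes = []
    for chunk in path.split(" | "):
        attrs = []
        for field in chunk.split(","):
            key, sep, value = field.partition("=")
            if sep:
                attrs.append((key.strip(), value.strip()))
        nodes.append(attrs)
    return nodes

def candidate_names(attrs):
    """Strings tested against the rule for one node (assumed model):
    T= short types get a leading dot, M= and N= are used as logged."""
    names = []
    for key, value in attrs:
        if key == "T":
            names.append("." + value)
        elif key in ("M", "N"):
            names.append(value)
    return names

def find_banned(path, rule=BANNED_RULE):
    """Return (part id, location, matched string) for every node that hits."""
    hits = []
    for attrs in parse_path(path):
        ident = dict(attrs)  # P and L occur once per node
        for name in candidate_names(attrs):
            if rule.search(name):
                hits.append((ident.get("P"), ident.get("L"), name))
    return hits

if __name__ == "__main__":
    for part, loc, name in find_banned(SAMPLE_PATH):
        print(f"part {part} at {loc} matched as {name!r}")
```

Run against the sample, the only hit is the winmail.dat container at location 1/2, not the GIF nested below it.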