[Chugalug] amavisd-new woes

David White dwrudy at gmail.com
Fri Sep 21 16:58:49 UTC 2012


In case anyone was interested, I found the solution:

The "blocked anywhere" directive included this line:
qr'^\.(exe|lha|cab|tnef|dll)$'. I reexamined the logs, bounce messages, and
the info I pasted into this question, and saw a consistent theme: they all
contained something with a .tnef extension. I researched it, and it turns
out it's coming from Microsoft Outlook, and was considered a potential
security vulnerability. I'm researching now how "unsafe" it would be for me
to turn it off, but in the meantime, I have done so.

- Me, about a week ago (on
http://serverfault.com/questions/426885/amavisd-postfix-dovecot-blocks-gif-images)

Thus far, my (limited) research indicates that this was a security
vulnerability in older versions of Outlook, but that Microsoft released a
patch and fixed this a long time ago. I suppose it makes sense to still
block them by default.... but for now, I'm not blocking tnef files unless I
read a really good reason not to in the future.

Ok, I need to get back to getting ready to go out of town.... lots to do,
little time to do it in (headed out soon for a week+).

On Thu, Sep 6, 2012 at 6:34 PM, David White <dwrudy at gmail.com> wrote:

> I occasionally have a client who tries to email me and says his email gets
> blocked by my server. When I check the logs, I see this:
>
> Sep  6 18:12:52 myers amavis[15197]: (15197-08) p.path BANNED:1
> david at smoothstoneservices.com: "P=p003,L=1,M=multipart/mixed |
> P=p002,L=1/2,M=application/ms-tnef,T=tnef,N=winmail.dat |
> P=p004,L=1/2/1,T=image,T=gif,N=image001.gif,N=image001.gif",
> matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"
>
> And then a little later...
>
> Sep  6 18:12:58 myers amavis[15197]: (15197-08) Blocked BANNED
> (.image,.gif,image001.gif,image001.gif), [213.199.154.205] [157.56.236.229]
> <client at emailaddress.com> ->
> <david at smoothstoneservices.com>, quarantine: banned-g4QhZGvwJvDF,
> Message-ID <
> 6A9596BE385EC1499F83E464FA9ECCA20C668320 at BY2PRD0611MB417.namprd06.prod.outlook.com>,
> mail_id: g4QhZGvwJvDF, Hits: -, size: 20916, 8439 ms
>
> From this and the bounce that he forwards me (to a different address I
> give him), I determine that it's bouncing because of the file in his
> signature (image001.gif). However, that does NOT match the "key" in this
> part of the log: matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"
>
> Furthermore, the .gif extension is nowhere to be found in the
> /etc/amavisd.conf file (i.e. I'm not blocking emails because they contain
> .gif images).
>
> Am I missing something here? This is strange... and annoying.
>
> --
> - David White -
> Smooth Stone Services *(soon to be CENTS)*
> *Computing, Equipping, Networking, Training & Supporting *
> *Nonprofit Organizations Worldwide*
>
> Existing Website: http://www.smoothstoneservices.com
> New Website (coming soon): http://developCENTS.com
>
>


-- 
- David White -
Smooth Stone Services *(soon to be CENTS)*
*Computing, Equipping, Networking, Training & Supporting *
*Nonprofit Organizations Worldwide*

Existing Website: http://www.smoothstoneservices.com
New Website (coming soon): http://developCENTS.com
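
Added example, not part of the original message: a Python sketch that reads a `p.path BANNED` log line like the one quoted above and reports which part on the path the `matching_key` actually matches, since the "Blocked BANNED" line names only the innermost part. The dot-prefixed `T=` names (as in `.image,.gif` in the Blocked line) and the doubled backslash in the logged key are assumptions drawn from the log excerpts in this thread; the sample line is constructed from them with a placeholder recipient.

```python
import re

# Constructed sample, modelled on the p.path line quoted in this thread.
SAMPLE = (r'Sep  6 18:12:52 myers amavis[15197]: (15197-08) p.path BANNED:1 '
          r'user@example.org: "P=p003,L=1,M=multipart/mixed | '
          r'P=p002,L=1/2,M=application/ms-tnef,T=tnef,N=winmail.dat | '
          r'P=p004,L=1/2/1,T=image,T=gif,N=image001.gif,N=image001.gif", '
          r'matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"')

LINE_RE = re.compile(r'p\.path BANNED:\d+ .*?: "(?P<path>.*)", matching_key="(?P<key>.*)"')

def perl_key_to_python(key):
    """Strip Perl's (?-xism:...) wrapper and undo the log's doubled backslashes."""
    m = re.fullmatch(r'\(\?[\^a-z-]*:(.*)\)', key)
    body = m.group(1) if m else key
    return re.compile(body.replace('\\\\', '\\'))

def parse_parts(path):
    """Split the part path into dicts; M=, T= and N= may repeat, so keep lists."""
    parts = []
    for chunk in path.split(' | '):
        part = {'P': None, 'L': None, 'M': [], 'T': [], 'N': []}
        for field in chunk.split(','):  # assumes no commas inside file names
            k, _, v = field.partition('=')
            if k in ('P', 'L'):
                part[k] = v
            elif k in part:
                part[k].append(v)
        parts.append(part)
    return parts

def find_banned(line):
    """Return (part id, depth, matched name) for each part the key matches."""
    m = LINE_RE.search(line)
    if not m:
        return []
    key = perl_key_to_python(m.group('key'))
    hits = []
    for part in parse_parts(m.group('path')):
        # Assumed candidate names: dot-prefixed short types, MIME type, file names.
        names = ['.' + t for t in part['T']] + part['M'] + part['N']
        for name in names:
            if key.search(name):
                hits.append((part['P'], part['L'], name))
                break
    return hits

if __name__ == '__main__':
    print(find_banned(SAMPLE))
```

On the sample line this points at the `winmail.dat` container (part p002, short type `.tnef`) rather than at `image001.gif` inside it.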