[Mimedefang] exempt user problem
Luke Worthy
l.worthy at netspan.com.au
Tue May 2 20:48:18 EDT 2006
Sorry about my previous post, I now realize that we need to keep some
other features of this filter (it keeps a copy of everyones email as
well as the exemption thinggy).
So below is my original post, and the listing of the filter code.
============================
To: mimedefang at lists.roaringpenguin.com
Recently I have started with a new company, and they have deployed
MIMEDefang on a few different sites, with a custom filter, that has
exemption lists. Unfortunately the custom exemption list only works
sometimes. IANAPP (I Am Not A Perl Programmer), and would really like
some help on either how to fix this current filter.
Here are the logs from me sending a "Movie.wmv" to an exempt user.
May 1 12:05:45 mail sendmail[20621]: k412XBf0020621:
from=<l.worthy at netspan.com.au>, size=3898524, class=0, nrcpts=1,
msgid=<44557366.4080300 at netspan.com.au>, proto=ESMTP, daemon=MTA,
relay=cpe-61-9-140-241.vic.bigpond.net.au [61.9.140.241]
May 1 12:05:45 mail mimedefang.pl[9050]: MDLOG,k412XBf0020621,exempt
user,,0,<l.worthy at netspan.com.au>,<netspan at domainname.com.au>,testing
May 1 12:05:45 mail mimedefang.pl[9050]: MDLOG,k412XBf0020621,exempt
user,,0,<l.worthy at netspan.com.au>,<netspan at domainname.com.au>,testing
May 1 12:05:45 mail mimedefang.pl[9050]:
MDLOG,k412XBf0020621,bad_filename,Movie.wmv,video/x-ms-wmv,<l.worthy at netspan.com.au>,<netspan at domainname.com.au>,testing
May 1 12:05:45 mail mimedefang.pl[9050]:
MDLOG,k412XBf0020621,mail_in,,,<l.worthy at netspan.com.au>,<netspan at domainname.com.au>,testing
May 1 12:05:45 mail mimedefang.pl[9050]: filter: k412XBf0020621:
append_text_boilerplate=1 drop_with_warning=1
May 1 12:05:45 mail sendmail[20642]: k412XBf0020621:
to=<netspan at watterssa.com.au>, delay=00:02:33, xdelay=00:00:00,
mailer=local, pri=61316, dsn=2.0.0, stat=Sent
It kinda looks like it's going through twice.
Luke
===========================
mimedefang-filter
===========================
# -*- Perl -*-
#***********************************************************************
#
# mimedefang-filter
#
# Suggested minimum-protection filter for Microsoft Windows clients, plus
# SpamAssassin checks if SpamAssassin is installed.
#
# Copyright (C) 2002 Roaring Penguin Software Inc.
#
# This program may be distributed under the terms of the GNU General
# Public License, Version 2, or (at your option) any later version.
#
# $Id: suggested-minimum-filter-for-windows-clients,v 1.82 2005/02/14
16:56:24 dfs Exp $
#***********************************************************************
#***********************************************************************
# Set administrator's e-mail address here. The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy. A good example would be 'defang-admin at mydomain.com'
#***********************************************************************
$AdminAddress = 'admin at domainname.com.au';
$AdminName = "Admin";
#***********************************************************************
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come. A good example would be
# 'mimedefang at mydomain.com'. Make sure to have an alias for this
# address if you want replies to it to work.
#***********************************************************************
$DaemonAddress = 'mimedefang at domainname.com.au';
#***********************************************************************
# If you set $AddWarningsInline to 1, then MIMEDefang tries *very* hard
# to add warnings directly in the message body (text or html) rather
# than adding a separate "WARNING.TXT" MIME part. If the message
# has no text or html part, then a separate MIME part is still used.
#***********************************************************************
$AddWarningsInline = 1;
#***********************************************************************
# To enable syslogging of virus and spam activity, add the following
# to the filter:
# md_graphdefang_log_enable();
# You may optionally provide a syslogging facility by passing an
# argument such as: md_graphdefang_log_enable('local4'); If you do
this, be
# sure to setup the new syslog facility (probably in /etc/syslog.conf).
# An optional second argument causes a line of output to be produced
# for each recipient (if it is 1), or only a single summary line
# for all recipients (if it is 0.) The default is 1.
# Comment this line out to disable logging.
#***********************************************************************
md_graphdefang_log_enable('mail', 1);
#***********************************************************************
# To set whether there is an exempt user in the list
#
#***********************************************************************
$exempt_user = 0;
$debug_loglevel = 0;
#***********************************************************************
# Uncomment this to block messages with more than 50 parts. This will
# *NOT* work unless you're using Roaring Penguin's patched version
# of MIME tools, version MIME-tools-5.411a-RP-Patched-02 or later.
#
# WARNING: DO NOT SET THIS VARIABLE unless you're using at least
# MIME-tools-5.411a-RP-Patched-02; otherwise, your filter will fail.
#***********************************************************************
# $MaxMIMEParts = 50;
#***********************************************************************
# Set various stupid things your mail client does below.
#***********************************************************************
# Set the next one if your mail client cannot handle multiple "inline"
# parts.
$Stupidity{"NoMultipleInlines"} = 0;
# Detect and load Perl modules
detect_and_load_perl_modules();
# The next lines force SpamAssassin modules to be loaded and rules
# to be compiled immediately. This may improve performance on busy
# mail servers. Comment the lines out if you don't like them.
if ($Features{"SpamAssassin"}) {
spam_assassin_init()->compile_now(1) if defined(spam_assassin_init());
# If you want to use auto-whitelisting:
# if (defined($SASpamTester)) {
# use Mail::SpamAssassin::DBBasedAddrList;
# my $awl = Mail::SpamAssassin::DBBasedAddrList->new();
# $SASpamTester->set_persistent_address_list_factory($awl) if
defined($awl);
# }
}
# This procedure returns true for entities with bad filenames.
sub filter_bad_filename ($) {
my($entity) = @_;
my($bad_exts, $re);
# Bad extensions
$bad_exts =
'(mov|wmv|ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
# Turn off most extension
# $bad_exts = '(exe)';
# Do not allow:
# - CLSIDs {foobarbaz}
# - bad extensions (possibly with trailing dots) at end
$re = '\.' . $bad_exts . '\.*$';
return 1 if (re_match($entity, $re));
# Look inside ZIP files
# if (re_match($entity, '\.zip$') and
# $Features{"Archive::Zip"}) {
# my $bh = $entity->bodyhandle();
# if (defined($bh)) {
# my $path = $bh->path();
# if (defined($path)) {
# return re_match_in_zip_directory($path, $re);
# }
# }
# }
return 0;
}
sub filter_bad_fileattach ($$) {
my($entity, $bad_attach_exts) = @_;
my($attach_re);
# Do not allow:
# - CLSIDs {foobarbaz}
# - bad extensions (possibly with trailing dots) at end
$attach_re = '\.' . $bad_attach_exts . '\.*$';
return 1 if (re_match($entity, $attach_re));
# Look inside ZIP files
if (re_match($entity, '\.zip$') and
$Features{"Archive::Zip"}) {
my $bh = $entity->bodyhandle();
if (defined($bh)) {
my $path = $bh->path();
if (defined($path)) {
return re_match_in_zip_directory($path, $attach_re);
}
}
}
return 0;
}
#################################
# Per User Code #
#################################
# Maybe log to syslog
sub debug_log($$) {
my ($level,$msg) = @_;
if ($level<=$debug_loglevel) {
md_syslog('info',$msg);
}
}
# Strip strings
sub address_strip_nc($) {
my($a) = @_;
$a = "" if (!defined($a));
$a =~ s/^[<\[]//;
$a =~ s/[>\]]$//;
return $a;
}
sub address_strip($) {
my($a) = @_;
return lc(address_strip_nc($a));
}
# Check exempt user
sub check_exempt_user_list($$) {
my ($addr,$list) = @_;
return 0 if (!($list && @{$list}));
$addr = address_strip($addr);
debug_log(3,"Checking for $addr");
foreach $line (@{$list}) {
my $x = '*';
$line =~ s/^(\n?\s*)(.*)(\s*\n?)$/$2/;
$line = lc($line);
if ($line =~ /^(\S+)\s+(\S+.*)$/) {
$x = $1;
$line = $2;
}
$x = '*' if ($x eq '?');
$x =~ s/gray/grey/g;
next unless ($x && $line);
debug_log(3,"addrmatch") if ($addr =~ /^$line$/);
if ( $addr =~ /^$line$/) {
debug_log(3,"Matched $addr against $line");
return 1
}
}
return 0;
}
# Check if recipient(s) address is in exempt list
sub check_recipient_exempt ($) {
my ($addr) = @_;
my $cfdata = read_list_file('/etc/mail/mimedefang-users');
return check_exempt_user_list($addr,$cfdata)
}
# Read file into array
sub read_list_file($) {
my ($fn) = @_;
debug_log(4,"Checking list: $fn");
if (open(CF,"<$fn")) {
debug_log(5,"Reading list: $fn");
my @cfdata = <CF>;
close CF;
debug_log(3,"Read list: $fn, $#cfdata");
return \@cfdata;
}
return \@undef;
}
#***********************************************************************
# %PROCEDURE: filter_sender
# %ARGUMENTS:
# sender, ip, host, helo
# %RETURNS:
# action
# %DESCRIPTION:
# Called just after MAIL FROM
# Requires -s
#***********************************************************************
sub filter_sender {
my ($sender, $ip, $hostname, $helo) = @_;
# Check if the host is in external whitelist
if (check_recipient_exempt($sender)) {
debug_log(2, "filter_sender: Exempt user, $sender");
return ('ACCEPT_AND_NO_MORE_FILTERING', "Ok, $sender is exempt, go
ahead.");
}
return ('CONTINUE', "Ok, go ahead.");
}
#***********************************************************************
# %PROCEDURE: filter_recipient
# %ARGUMENTS:
# recipient, sender, ip, host, first, helo, rcpt_mailer, rcpt_host,
rcpt_addr
# %RETURNS:
# action
# %DESCRIPTION:
# Called just after RCPT TO
# Requires -t
#***********************************************************************
sub filter_recipient {
my ($recipient, $ip, $hostname, $helo) = @_;
# Check if the host is in external whitelist
if (check_recipient_exempt($recipient)) {
$exempt_user = 1;
debug_log(2, "filter_recipient: Exempt user,
$recipient, exempt_user is $exempt_user");
return ('CONTINUE', "Ok, go ahead. exempt_user set.");
# return ('ACCEPT_AND_NO_MORE_FILTERING', "Ok, $sender is
exempt, go ahead.");
}
md_graphdefang_log('filter_recipient', $recipient );
return ('CONTINUE', "Ok, go ahead.");
}
#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
# None
# %RETURNS:
# Nothing
# %DESCRIPTION:
# Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin () {
# Stream by Domain
if(stream_by_domain()) {
return;
}
# Check if exempt user in list of recipients, split up if true
if( $exempt_user eq 1 ) {
if(stream_by_recipient()) {
$exempt_user = 0;
return;
}
}
# ALWAYS drop messages with suspicious chars in headers
if ($SuspiciousCharsInHeaders) {
md_graphdefang_log('suspicious_chars');
# action_quarantine_entire_message("Message quarantined because of
suspicious characters in headers");
# Do NOT allow message to reach recipient(s)
return action_discard();
}
# Copy original message into work directory as an "mbox" file for
# virus-scanning
md_copy_orig_msg_to_work_dir_as_mbox_file();
# Scan for viruses if any virus-scanners are installed
my($code, $category, $action) = message_contains_virus();
# Lower level of paranoia - only looks for actual viruses
$FoundVirus = ($category eq "virus");
# Higher level of paranoia - takes care of "suspicious" objects
# $FoundVirus = ($action eq "quarantine");
if ($FoundVirus) {
md_graphdefang_log('virus', $VirusName, $RelayAddr);
md_syslog('warning', "Discarding because of virus $VirusName");
return action_discard();
}
if ($action eq "tempfail") {
action_tempfail("Problem running virus-scanner");
md_syslog('warning', "Problem running virus scanner: code=$code,
category=$category, action=$action");
}
}
#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for
details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
#
# NOTE: There are two likely and one unlikely place for a filename to
# appear in a MIME message: In Content-Disposition: filename, in
# Content-Type: name, and in Content-Description. If you are paranoid,
# you will use the re_match and re_match_ext functions, which return true
# if ANY of these possibilities match. re_match checks the whole name;
# re_match_ext checks the extension. See the sample filter below for
usage.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This function is called once for each part of a MIME message.
# There are many action_*() routines which can decide the fate
# of each part; see the mimedefang-filter man page.
#***********************************************************************
sub filter ($$$$) {
my($entity, $fname, $ext, $type) = @_;
my($warnmsg) = "An attachment named $fname was removed from this
document as it\nconstituted a security hazard. If you require this
document, please contact\nthe sender and arrange an alternate means of
receiving it.\n";
return if message_rejected(); # Avoid unnecessary work
# Block message/partial parts
if (lc($type) eq "message/partial") {
md_graphdefang_log('message/partial');
action_bounce("MIME type message/partial not accepted here");
return action_discard();
}
if($Domain eq "domainname.com.au") {
md_graphdefang_log('exempt user', $recipient, $exempt_user);
if( $exempt_user eq 1 ) {
$bad_attach_exts = '(exe)';
if (filter_bad_fileattach($entity, $bad_attach_exts)) {
md_graphdefang_log('bad_filename', $fname, $type);
return action_drop_with_warning($warnmsg);
}
# eml is bad if it's not multipart
if (re_match($entity, '\.eml')) {
md_graphdefang_log('non_multipart');
return action_drop_with_warning("A non-multipart attachment
named $fname was removed from this document as it\nconstituted a
security hazard. If you require this document, please contact\nthe
sender and arrange an alternate means of receiving it.\n");
}
# Clean up HTML if Anomy::HTMLCleaner is installed.
if ($Features{"HTMLCleaner"}) {
if ($type eq "text/html") {
return anomy_clean_html($entity);
}
}
return action_accept();
} elsif (filter_bad_filename($entity)) {
md_graphdefang_log('bad_filename', $fname, $type);
return action_drop_with_warning($warnmsg);
}
# } elseif($Domain eq "test.com.au") {
# #Filter actions for test.com.au
#
} else {
if (filter_bad_filename($entity)) {
md_graphdefang_log('bad_filename', $fname, $type);
return action_drop_with_warning($warnmsg);
}
# eml is bad if it's not multipart
if (re_match($entity, '\.eml')) {
md_graphdefang_log('non_multipart');
return action_drop_with_warning("A non-multipart attachment named
$fname was removed from this document as it\nconstituted a security
hazard. If you require this document, please contact\nthe sender and
arrange an alternate means of receiving it.\n");
}
# Clean up HTML if Anomy::HTMLCleaner is installed.
if ($Features{"HTMLCleaner"}) {
if ($type eq "text/html") {
return anomy_clean_html($entity);
}
}
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: filter_multipart
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for
details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This is called for multipart "container" parts such as message/rfc822.
# You cannot replace the body (because multipart parts have no body),
# but you should check for bad filenames.
#***********************************************************************
sub filter_multipart ($$$$) {
my($entity, $fname, $ext, $type) = @_;
return if message_rejected(); # Avoid unnecessary work
if (filter_bad_filename($entity)) {
md_graphdefang_log('bad_filename', $fname, $type);
action_notify_administrator("A MULTIPART attachment of type $type,
named $fname was dropped.\n");
return action_drop_with_warning("An attachment of type $type, named
$fname was removed from this document as it\nconstituted a security
hazard. If you require this document, please contact\nthe sender and
arrange an alternate means of receiving it.\n");
}
# eml is bad if it's not message/rfc822
if (re_match($entity, '\.eml') and ($type ne "message/rfc822")) {
md_graphdefang_log('non_rfc822',$fname);
return action_drop_with_warning("A non-message/rfc822 attachment named
$fname was removed from this document as it\nconstituted a security
hazard. If you require this document, please contact\nthe sender and
arrange an alternate means of receiving it.\n");
}
# Block message/partial parts
if (lc($type) eq "message/partial") {
md_graphdefang_log('message/partial');
action_bounce("MIME type message/partial not accepted here");
return;
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
# oldfname -- the old file name of an attachment
# fname -- the new "defanged" name
# %RETURNS:
# A warning message
# %DESCRIPTION:
# This function customizes the warning message when an attachment
# is defanged.
#***********************************************************************
sub defang_warning ($$) {
my($oldfname, $fname) = @_;
return
"An attachment named '$oldfname' was converted to '$fname'.\n" .
"To recover the file, right-click on the attachment and Save As\n" .
"'$oldfname'\n";
}
# If SpamAssassin found SPAM, append report. We do it as a separate
# attachment of type text/plain
sub filter_end ($) {
my($entity) = @_;
# If you want quarantine reports, uncomment next line
# send_quarantine_notifications();
# IMPORTANT NOTE: YOU MUST CALL send_quarantine_notifications() AFTER
# ANY PARTS HAVE BEEN QUARANTINED. SO IF YOU MODIFY THIS FILTER TO
# QUARANTINE SPAM, REWORK THE LOGIC TO CALL
send_quarantine_notifications()
# AT THE END!!!
# No sense doing any extra work
return if message_rejected();
# Spam checks if SpamAssassin is installed
if ($Features{"SpamAssassin"}) {
if (-s "./INPUTMSG" < 100*1024) {
# Only scan messages smaller than 100kB. Larger messages
# are extremely unlikely to be spam, and SpamAssassin is
# dreadfully slow on very large messages.
my($hits, $req, $names, $report) = spam_assassin_check();
my($score);
if ($hits < 40) {
$score = "*" x int($hits);
} else {
$score = "*" x 40;
}
# We add a header which looks like this:
# X-Spam-Score: 6.8 (******) NAME_OF_TEST,NAME_OF_TEST
# The number of asterisks in parens is the integer part
# of the spam score clamped to a maximum of 40.
# MUA filters can easily be written to trigger on a
# minimum number of asterisks...
if ($hits >= $req) {
action_change_header("X-Spam-Score", "$hits ($score) $names");
md_graphdefang_log('spam', $hits, $RelayAddr);
# If you find the SA report useful, add it, I guess...
action_add_part($entity, "text/plain", "-suggest",
"$report\n",
"SpamAssassinReport.txt", "inline");
} else {
# Delete any existing X-Spam-Score header?
action_delete_header("X-Spam-Score");
}
}
}
# I HATE HTML MAIL! If there's a multipart/alternative with both
# text/plain and text/html parts, nuke the text/html. Thanks for
# wasting our disk space and bandwidth...
# If you want to strip out HTML parts if there is a corresponding
# plain-text part, uncomment the next line.
# remove_redundant_html_parts($entity);
md_graphdefang_log('mail_in');
# Deal with malformed MIME.
# Some viruses produce malformed MIME messages that are misinterpreted
# by mail clients. They also might slip under the radar of MIMEDefang.
# If you are worried about this, you should canonicalize all
# e-mail by uncommenting the action_rebuild() line. This will
# force _all_ messages to be reconstructed as valid MIME. It will
# increase the load on your server, and might break messages produced
# by marginal software. Your call.
# action_rebuild();
# Send copy of mail to backup mbox
add_recipient('mboxbackup at domainname.com.au');
# Set exempt_user back to 0
$exempt_user = 0;
}
# DO NOT delete the next line, or Perl will complain.
1;
More information about the MIMEDefang
mailing list