[Mimedefang] Dropping Attachment from one User (thank you for any and all help)
Aaron Enders
aenders24 at comcast.net
Fri Jun 3 12:03:36 EDT 2011
My apologies, here is mimedefang-filter.

I believe it might be an issue with winmail.dat, as I've found this in the mail.info log...
Question is, how can I ignore the winmail.dat and still receive the pdf?
If this is indeed the problem. I've asked our client to send in plain
text for the time being but this is happening more and more frequently.
Do I not need the sub extract_tnef( $ ) at the end?

Jun 2 14:58:55 smtp1 mimedefang.pl[2032]: ytnef didn't find any attachments, but we are dropping the winmail.dat mime part anyway

Grepped out most comments with # to make it smaller....

$AdminAddress = 'postmaster@localhost';
$AdminName = "MIMEDefang Administrator's Full Name";
$DaemonAddress = 'mimedefang@localhost';
$AddWarningsInline = 0;
md_graphdefang_log_enable('mail', 1);
$Stupidity{"NoMultipleInlines"} = 0;
detect_and_load_perl_modules();

sub filter_bad_filename {
    my($entity) = @_;
    my($bad_exts, $re);

    # Bad extensions
    #$bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wmf|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
    $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mde|mp3|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wmf|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';

    # Do not allow:
    # - CLSIDs {foobarbaz}
    # - bad extensions (possibly with trailing dots) at end
    $re = '\.' . $bad_exts . '\.*$';

    return 1 if (re_match($entity, $re));

    # Look inside ZIP files
    if (re_match($entity, '\.zip$') and
        $Features{"Archive::Zip"}) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                return re_match_in_zip_directory($path, $re);
            }
        }
    }
    return 0;
}

sub filter_begin {
    my($entity) = @_;

    # ALWAYS drop messages with suspicious chars in headers
    if ($SuspiciousCharsInHeaders) {
        md_graphdefang_log('suspicious_chars');
        # action_quarantine_entire_message("Message quarantined because of suspicious characters in headers");
        # Do NOT allow message to reach recipient(s)
        return action_discard();
    }

    # Copy original message into work directory as an "mbox" file for
    # virus-scanning
    md_copy_orig_msg_to_work_dir_as_mbox_file();

    # Scan for viruses if any virus-scanners are installed
    my($code, $category, $action) = message_contains_virus();

    # Lower level of paranoia - only looks for actual viruses
    $FoundVirus = ($category eq "virus");

    # Higher level of paranoia - takes care of "suspicious" objects
    # $FoundVirus = ($action eq "quarantine");

    if ($FoundVirus) {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        md_syslog('warning', "Discarding because of virus $VirusName");
        return action_discard();
    }

    if ($action eq "tempfail") {
        action_tempfail("Problem running virus-scanner");
        md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
    }
}

sub filter {
    my($entity, $fname, $ext, $type) = @_;

    return if message_rejected(); # Avoid unnecessary work

    # Block message/partial parts
    if (lc($type) eq "message/partial") {
        md_graphdefang_log('message/partial');
        action_bounce("MIME type message/partial not accepted here");
        return action_discard();
    }

    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        return action_drop_with_warning("An attachment named $fname was removed from this document as it\n" .
                                        "constituted a security hazard. If you require this document, please contact\n" .
                                        "the sender and arrange an alternate means of receiving it.\n");
    }

    # eml is bad if it's not multipart
    if (re_match($entity, '\.eml')) {
        md_graphdefang_log('non_multipart');
        return action_drop_with_warning("A non-multipart attachment named $fname was removed from this document as it\n" .
                                        "constituted a security hazard. If you require this document, please contact\n" .
                                        "the sender and arrange an alternate means of receiving it.\n");
    }

    # This will clean up HTML if Anomy::HTMLCleaner is installed.
    # NOTE: We consider Anomy::HTMLCleaner to be TOO BUGGY for
    # production use. Uncomment the next lines at your peril!
    #if ($Features{"HTMLCleaner"}) {
    #    if ($type eq "text/html") {
    #        return anomy_clean_html($entity);
    #    }
    #}

    # if this is a application/ms-tnef message then extract and delete it
    if (lc($type) eq "application/ms-tnef") {
        @tnef_files = extract_tnef( $entity );
        my $tnef_file_qty = @tnef_files;
        if( $tnef_file_qty > 0 ){
            md_syslog( 'info', "ytnef extracted some files so we are now dropping the winmail.dat mime part" );
        } else {
            md_syslog( 'info', "ytnef didn't find any attachments, but we are dropping the winmail.dat mime part anyway" );
        }
        return action_drop();
    }

    return action_accept();
}

sub filter_multipart {
    my($entity, $fname, $ext, $type) = @_;

    return if message_rejected(); # Avoid unnecessary work

    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        action_notify_administrator("A MULTIPART attachment of type $type, named $fname was dropped.\n");
        return action_drop_with_warning("An attachment of type $type, named $fname was removed from this document as it\n" .
                                        "constituted a security hazard. If you require this document, please contact\n" .
                                        "the sender and arrange an alternate means of receiving it.\n");
    }

    # eml is bad if it's not message/rfc822
    if (re_match($entity, '\.eml') and ($type ne "message/rfc822")) {
        md_graphdefang_log('non_rfc822',$fname);
        return action_drop_with_warning("A non-message/rfc822 attachment named $fname was removed from this document as it\n" .
                                        "constituted a security hazard. If you require this document, please contact\n" .
                                        "the sender and arrange an alternate means of receiving it.\n");
    }

    # Block message/partial parts
    if (lc($type) eq "message/partial") {
        md_graphdefang_log('message/partial');
        action_bounce("MIME type message/partial not accepted here");
        return;
    }

    return action_accept();
}

sub defang_warning {
    my($oldfname, $fname) = @_;
    return
        "An attachment named '$oldfname' was converted to '$fname'.\n" .
        "To recover the file, right-click on the attachment and Save As\n" .
        "'$oldfname'\n";
}

sub filter_end {
    my($entity) = @_;

    # If you want quarantine reports, uncomment next line
    # send_quarantine_notifications();

    # IMPORTANT NOTE: YOU MUST CALL send_quarantine_notifications() AFTER
    # ANY PARTS HAVE BEEN QUARANTINED. SO IF YOU MODIFY THIS FILTER TO
    # QUARANTINE SPAM, REWORK THE LOGIC TO CALL send_quarantine_notifications()
    # AT THE END!!!

    # No sense doing any extra work
    return if message_rejected();

    # Astro Modification: Change/Add the correct Reply-To for these shared mailboxes
    foreach $recip (@Recipients) {
        if(grep(/custrequest-andrea/i,$recip)) {
            action_change_header("Reply-To", "custrequest-andrea\@example.com");
        }
        if(grep(/custrequest-kim/i,$recip)) {
            action_change_header("Reply-To", "custrequest-kim\@example.com");
        }
        if(grep(/custrequest-mary/i,$recip)) {
            action_change_header("Reply-To", "custrequest-mary\@example.com");
        }
        if(grep(/custrequest-teri/i,$recip)) {
            action_change_header("Reply-To", "custrequest-teri\@example.com");
        }
        if(grep(/custrequest-tara/i,$recip)) {
            action_change_header("Reply-To", "custrequest-tara\@example.com");
        }
    }

    # add the tnef files to the message
    foreach my $fname ( @tnef_files ) {
        local($/) = undef;
        # Three-argument open: the name comes from ytnef output, so it must
        # never be interpreted as an open mode or a pipe.
        open(my $fh, '<', $fname) or do {
            md_syslog('warning', "Cannot open extracted file $fname: $!");
            next;
        };
        binmode($fh);
        my $file = <$fh>;
        close($fh);
        # Strip the directory from the attachment name, not from the file data
        (my $name = $fname) =~ s:^.*[\\/]::;
        action_add_part($entity, "application/octet-stream", "base64",
                        $file, $name, "attachment");
        md_syslog('info', "Added file $fname to message because it was extracted from the winmail.dat");
    }
    @tnef_files = ();

    # Spam checks if SpamAssassin is installed
    # Only relays in 192.168.100.x skip the check: the match is anchored and
    # the dots are escaped so other addresses containing that text do not match.
    if ($Features{"SpamAssassin"} && $RelayAddr !~ /^192\.168\.100\./) {
        if (-s "./INPUTMSG" < 500*1024) {
            $SALocalTestsOnly = 0;
            my $hits;
            my $req;
            my $names = "...";
            my $report;
            #if($RelayAddr =~ /^192\.168\.100\./) {
            #$hits = int(0);
            #} else {
            ($hits, $req, $names, $report) = spam_assassin_check();
            #}
            if ($hits < 40) {
                $score = "*" x int($hits);
            } else {
                $score = "*" x 40;
            }
            action_change_header("X-Spam-Score", "$hits ($score) $names");
            if ($hits >= 15) {
                md_graphdefang_log('spam', $hits, $RelayAddr);
                #if (($hits >= 6) && ($hits < 12) && !(grep(/192.168.100/,$RelayAddr))) {
                #action_add_header("X-Orig-Rcpts", join(", ", @Recipients));
                #foreach $recip (@Recipients) {
                #    delete_recipient($recip);
                #}
                #add_recipient("spam\@example.com");
                #open(FILE,">>/var/log/mimedefang.discardjunk");
                #print FILE "Score:$hits || $Subject\n";
                #close(FILE);
                #}
                #elsif (($hits >= 12) && !(grep(/192.168.100/,$RelayAddr))) {
                foreach $recip (@Recipients) {
                    delete_recipient($recip);
                }
                # Log the discard; skip the write if the log cannot be opened
                if (open(my $log, '>>', '/var/log/mimedefang.discardjunk')) {
                    print $log "Score:$hits || $Subject\n";
                    close($log);
                }
                #}
                # If you find the SA report useful, add it, I guess...
                #action_add_part($entity, "text/plain", "-suggest",
                #                "$report\n",
                #                "SpamAssassinReport.txt", "inline");
            } #else {
            # md_graphdefang_log('ham', $hits, $RelayAddr);
            #if ( !(grep(/192.168.100/,$RelayAddr))) {
            #    add_recipient("ham\@example.com");
            #}
            #}
        }
    }

    # I HATE HTML MAIL! If there's a multipart/alternative with both
    # text/plain and text/html parts, nuke the text/html. Thanks for
    # wasting our disk space and bandwidth...

    # If you want to strip out HTML parts if there is a corresponding
    # plain-text part, uncomment the next line.
    # remove_redundant_html_parts($entity);

    #md_graphdefang_log('mail_in');

    # Deal with malformed MIME.
    # Some viruses produce malformed MIME messages that are misinterpreted
    # by mail clients. They also might slip under the radar of MIMEDefang.
    # If you are worried about this, you should canonicalize all
    # e-mail by uncommenting the action_rebuild() line. This will
    # force _all_ messages to be reconstructed as valid MIME. It will
    # increase the load on your server, and might break messages produced
    # by marginal software. Your call.
    # action_rebuild();
}

sub extract_tnef( $ ) {
    my ( $entity ) = @_;
    my ( $body ) = $entity->bodyhandle;
    my @tnef_files = ();

    if( ! defined( $body ) ){
        return @tnef_files;
    }

    # Get filename
    my ( $path ) = $body->path;
    if( ! defined( $path ) ){
        return @tnef_files;
    }

    # Run ytnef on the part; each line it prints is treated as an extracted file
    my @new_files = `/usr/local/bin/ytnef -f Work $path`;
    foreach my $file ( @new_files ){
        chomp( $file );
        push( @tnef_files, $file );
        md_syslog( 'info', "Found file $file in winmail.dat attachment" );
    }

    return @tnef_files;
}

1;

On 06/03/2011 11:37 AM, David F. Skoll wrote:
> On Fri, 03 Jun 2011 10:32:41 -0400
> Aaron Enders<aenders24 at comcast.net> wrote:
>
>> Issue: From external user mimedefang dropping the attachment. I can't
>> put a reason to this. I am hoping someone can help out. The source is
>> sending email as html(from outlook) with an inline jpg in their
>> signature. The attachment is supposed to be a PDF. Below is mail.log
>> extract and two email source, one worked one didn't.. Thank you for
>> any and all help!
> It's completely impossible to diagnose this without seeing your
> MIMEDefang filter.
>
> Regards,
>
> David.
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID. You may ignore it.
>
> Visit http://www.mimedefang.org and http://www.roaringpenguin.com
> MIMEDefang mailing list MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>
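
One way to handle the case in the log line above, as an added example that is not part of the original post or of MIMEDefang: decide per winmail.dat part whether to drop it, keeping it when ytnef extracted nothing and checking every extracted name against the filter's bad-extension pattern before it is re-attached. The helper plan_tnef_part and the sample file names are hypothetical, and the extension list is abbreviated from the filter above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Abbreviated from $bad_exts in the filter above; use the full list in practice.
my $bad_exts = '(bat|cmd|com|exe|jse?|lnk|pif|scr|vbs|\{[^\}]+\})';
my $bad_re   = qr/\.$bad_exts\.*$/i;   # case-insensitive in this example

# Hypothetical helper: given the file names ytnef reported for one
# winmail.dat part, decide what the filter should do with that part.
# Returns (action, \@attach, \@rejected):
#   keep - nothing was extracted, so leave winmail.dat in the message
#   drop - something was extracted; re-attach only names that pass the policy
sub plan_tnef_part {
    my @extracted = @_;
    my (@attach, @rejected);
    foreach my $path (@extracted) {
        (my $name = $path) =~ s{^.*[\\/]}{};   # base name only
        if ($name eq '' or $name =~ $bad_re) {
            push @rejected, $name;             # same pattern shape as filter_bad_filename
        } else {
            push @attach, $name;
        }
    }
    my $action = @extracted ? 'drop' : 'keep';
    return ($action, \@attach, \@rejected);
}

# Constructed sample inputs, not taken from the poster's mail.
my %cases = (
    'nothing extracted' => [],
    'pdf only'          => ['Work/invoice.pdf'],
    'pdf and script'    => ['Work/invoice.pdf', 'Work/setup.exe'],
);
foreach my $label (sort keys %cases) {
    my ($action, $attach, $rejected) = plan_tnef_part(@{ $cases{$label} });
    printf "%-18s -> %s winmail.dat; attach=[%s] rejected=[%s]\n",
        $label, $action, join(',', @$attach), join(',', @$rejected);
}
```

In the filter, a 'keep' result would map to action_accept() for the part and 'drop' to action_drop(); a kept winmail.dat stays opaque to filter_bad_filename, so a stricter site may prefer to quarantine it instead.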