[Mimedefang] Operating on attachments - choosing which attachment to operate on

Michael Lazar Michael.Lazar at pkware.com
Thu Apr 24 13:27:18 EDT 2014


Hello all,

I am new to working with MIMEDefang...

I am trying to integrate MIMEDefang into a Data Loss Prevention
Environment (DLP).  The environment cannot process password protected
(encrypted) zip files (it is unable to decrypt and scan them).

So far using MIMEDefang I have made progress with 'capturing' and
decrypting the ZIP files (password provided or when a certificate was used
to encrypt it)

My thought is to perform the following actions:

1) An email with an encrypted ZIP file is received
2) Copy the attachment and use action_external_filter to decrypt the
attachment and re-compress it
3) Rename the new attachment to a static name (i.e. clear.zip)
3) Add the newly decrypted zip file to the original email (now the email
has two zip files - the original encrypted and the unencrypted version)
4) Allow the email to continue to the DLP infrastructure where the
unencrypted zip will be scanned normally and if allowed will be stripped
off
5) The message continues as normal


I am having difficulty preserving the original attachment.

Via filter I am testing for $type eq 'application/zip' (so now I am
operating on the attachment)

I am able to duplicate the original attachment with action_add_entity,
decrypt it via action_external and then rename the attachment via
action_defang.  However I am finding that both the original attachment and
the new attachment are both acted on (both are renamed).

Any advice or thoughts on how to preserve the original attachment,
duplicate it, perform action_external (decrypt it) on only the second
'attachment', rename the attachment and have the new attachment become
part of the original message would be greatly appreciated.

--sample--

sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    if (lc($type) eq 'application/zip') {

        # Duplicate the original attachment
        action_add_entity($entity, -1);

        # Decrypt the archive, then re-compress the extracted files
        my $cmd = 'zipc -silent -extract -directories FILTERINPUT extractf '
                . '-keypass=xxxxxxxx; zipc -silent -add FILTEROUTPUT ./extractf/*.*';

        action_external_filter($entity, $cmd);

        # Rename the attachment to a static name
        my $name  = 'clear.zip';
        my $fname = 'clear.zip';
        my $type  = 'application/zip';
        action_defang($entity, $name, $fname, $type);

        # undocumented hack to preserve body
        pop(@Warnings);

    }
}



Thanks,
Michael
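
The following is an added example, not part of the original post and not code from the MIMEDefang project: a filter fragment that builds the decrypted archive as a separate MIME::Entity, so no action_* call is ever applied to the original attachment. It assumes the passphrase is read from a hypothetical DLP_ZIP_PASS environment variable, that the working directory during filter() is the per-message directory and is still current when the message is rebuilt, and that zipc accepts the flags quoted in the post.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use MIME::Entity;

# Assumption: passphrase comes from the environment (hypothetical variable name).
my $ZIP_PASS = $ENV{DLP_ZIP_PASS} // '';

sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return unless lc($type) eq 'application/zip';

    my $body = $entity->bodyhandle or return;
    my $src  = $body->path         or return;   # decoded attachment on disk

    # Scratch directory inside the per-message working directory (assumed to
    # be the cwd here), one per part so several ZIPs cannot collide.
    my $work = tempdir('dlpzipXXXXXX', DIR => '.');
    my $out  = "$work/clear.zip";

    # zipc flags are copied from the post above and not verified here.
    # List-form system() keeps the shell away from paths and passphrase.
    my $rc = system('zipc', '-silent', '-extract', '-directories',
                    $src, "$work/extractf", "-keypass=$ZIP_PASS");
    my @files = $rc == 0 ? glob("$work/extractf/*") : ();
    $rc = system('zipc', '-silent', '-add', $out, @files) if @files;

    unless (@files && $rc == 0 && -s $out) {
        md_syslog('warning', 'ZIP decrypt failed; no clear copy added');
        return;                                 # original part stays as it is
    }

    # New, independent entity: no action_* call ever touches $entity.
    my $clear = MIME::Entity->build(
        Top         => 0,
        Type        => 'application/zip',
        Encoding    => 'base64',
        Path        => $out,
        Filename    => 'clear.zip',
        Disposition => 'attachment',
    );
    action_add_entity($clear, -1);
    return;
}
```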



