| Home | Documentation | Mailinglist | Download | License |
check_attachment - check attachments and content types
This module parses a MIME message into its components and compares the content types and attachment extensions of all parts with the contents of /etc/qpsmtpd/check_attachment. It returns OK, DENY or DECLINED on the first match, or DECLINED if there is no match.
It is an extension to the module check_content_type by Peter J. Holzer
- see http://www.hjp.at/projekte/qpsmtpd/check_content_type/ - so your
old config rules can be copied and should work as well.
Added are configurable messages for denied mails and a special config format for file extension. The creation of the check subroutine on startup might be a performance gain.
In the main configuration file check_attachment should be placed as
first plugin after check_loop - thus before any other content
checking plugins like spamassassin etc. will fire: You can omit the
virus check of an exe file, if you deny it anyway or you can save a
lot of heavy spam filtering by denying html mails at all.
After changing the configuration in /etc/qpsmtpd/check_attachment, qpsmtpd must be restartet, because the creation of the check subroutine from the configuration is done once on startup.
On errors in /etc/qpsmtpd/check_attachment qpsmtpd won't start.
The config file uses two forms of lines: The classical regular expression and the shorthand extension form for attachments.
The shipped example config file gives all extensions the author could find - but there is no limit on dangerous or unwanted files or content M$ can think of ;-)
So please edit the config and tell me about your findings.
Moreover: Just comment out the files, you want to recieve.
regex rule [message]
e.g.
m{text/html}i DENY Content type "html" not allowed. Possible virus infection or spam.
m{image/gif}i DENY Content type "gif" not allowed. Possible spam.
m/name\s*=\s*"?.{64,}"?\s*$/ DENY Very long filename. Possible attack.
The message text is returned as is to qpsmtpd and thus to the sender of the mail.
If no text is present, the standard response "5xx Message denied" is used.
extension rule [message]
e.g.
.doc DENY Word Document .exe DENY Executable File .gif SPAM GIF-Image .bat DENY .html SPAM
The responses from the above example become:
Attachment type ".doc" not allowed. Possible virus infection. (Word Document) Attachment type ".exe" not allowed. Possible virus infection. (Executable File) Attachment type ".gif" not allowed. Possible spam. (GIF-Image) Attachment type ".bat" not allowed. Possible virus infection. Attachment type ".html" not allowed. Possible spam.
For .gif and .html the spam-response is used due to the rule
SPAM. The last two lines omit the parentheses, because no message has
been configured, and return only the built-in response according to
the rule.
Maybe this will save you a lot of typing ;-)
Given the config:
.html SPAM
.jpg DECLINED
check_attachment won't reject the mail due to the .html rule,
if the .jpg rule is triggered before! You can't rely on the order
of headers found by MIME::Parser. So be careful with your OK and
DECLINED rules.
RULE / RESULT values are:
"5xx reason of deny" response.
See /etc/qpsmtpd/check_attachment how to the configured message is used.
"5xx reason of deny" response.
See /etc/qpsmtpd/check_attachment how to the configured message is used.
RESULT-ONLY values are issued by the plugin and are not configurable:
"4xx Internal error - try later" response.
This will happen on errors, e.g.: The MIME stream (the headers of the message) can't be parsed.
You can look at the log file (if loglevel is at least LOGINFO) with
cat /var/log/qpsmtpd/qpsmtpd.log | grep 'not matched'
to find new mime types or extensions, which should be blocked as well.
check_attachment requires the Perl module MIME::Parser.
The patterns are used to construct a sub which is then compiled and executed. Thus anyone with write access to the /etc/qpsmtpd/check_attachment file can execute arbitrary code as user smtpd. This doesn't matter since presumably the person who can write this file can add arbitrary plugins, anyway, but if this module is ever changed to permit per-user configuration, proper checking must be added.
data_post: check_attachment ( $self, $transaction )
None known yet.
Thanks to Ask Bjoern Hansen for qpsmtpd.
And Peter J. Holzer for the original plugin.
http://www.hjp.at/projekte/qpsmtpd/
Following people have contributed suggestions or patches, as listed in the change log:
Radu Greab
(c) Ernesto 2007, ernest@dienstleistung-kultur.de
http://dienstleistung-kultur.de/qpsmtpd/
As per the qpsmtpd license.