Home

| Home | Documentation | Mailinglist | Download | License |

qpsmtpd - Plugin check_attachment Documentation


NAME

check_attachment - check attachments and content types

go top


VERSION 2008.0

go top


DESCRIPTION

This module parses a MIME message into its components and compares the content types and attachment extensions of all parts with the contents of /etc/qpsmtpd/check_attachment. It returns OK, DENY or DECLINED on the first match, or DECLINED if there is no match.

It is an extension to the module check_content_type by Peter J. Holzer - see http://www.hjp.at/projekte/qpsmtpd/check_content_type/ - so your old config rules can be copied and should work as well.

Added are configurable messages for denied mails and a special config format for file extension. The creation of the check subroutine on startup might be a performance gain.

go top


CONFIGURATION

/etc/qpsmtpd/plugins

In the main configuration file check_attachment should be placed as first plugin after check_loop - thus before any other content checking plugins like spamassassin etc. will fire: You can omit the virus check of an exe file, if you deny it anyway or you can save a lot of heavy spam filtering by denying html mails at all.

After changing the configuration in /etc/qpsmtpd/check_attachment, qpsmtpd must be restartet, because the creation of the check subroutine from the configuration is done once on startup.

On errors in /etc/qpsmtpd/check_attachment qpsmtpd won't start.

/etc/qpsmtpd/check_attachment

The config file uses two forms of lines: The classical regular expression and the shorthand extension form for attachments.

The shipped example config file gives all extensions the author could find - but there is no limit on dangerous or unwanted files or content M$ can think of ;-)

So please edit the config and tell me about your findings.

Moreover: Just comment out the files, you want to recieve.

Form 1: Complete regular expression
This form of a config line is made of
 regex rule [message]

e.g.

 m{text/html}i  DENY    Content type "html" not allowed. Possible virus infection or spam.
 m{image/gif}i  DENY    Content type "gif" not allowed. Possible spam.
 m/name\s*=\s*"?.{64,}"?\s*$/   DENY    Very long filename. Possible attack.

The message text is returned as is to qpsmtpd and thus to the sender of the mail.

If no text is present, the standard response "5xx Message denied" is used.

Form 2: Attachment extension only
This form of a config line always starts with a dot (.) and is made of
 extension rule [message]

e.g.

 .doc   DENY    Word Document
 .exe   DENY    Executable File
 .gif   SPAM    GIF-Image
 .bat   DENY
 .html  SPAM

The responses from the above example become:

 Attachment type ".doc" not allowed. Possible virus infection. (Word Document)
 Attachment type ".exe" not allowed. Possible virus infection. (Executable File)
 Attachment type ".gif" not allowed. Possible spam. (GIF-Image)
 Attachment type ".bat" not allowed. Possible virus infection.
 Attachment type ".html" not allowed. Possible spam.

For .gif and .html the spam-response is used due to the rule SPAM. The last two lines omit the parentheses, because no message has been configured, and return only the built-in response according to the rule.

Maybe this will save you a lot of typing ;-)

CAUTION: Order doesn't matter!

Given the config:

        .html   SPAM
        .jpg    DECLINED

check_attachment won't reject the mail due to the .html rule, if the .jpg rule is triggered before! You can't rely on the order of headers found by MIME::Parser. So be careful with your OK and DECLINED rules.

go top


RULE / RESULT VALUES

RULE / RESULT values are:

DENY / DENY
reject the message with a "5xx reason of deny" response.

See /etc/qpsmtpd/check_attachment how to the configured message is used.

SPAM / DENY
reject the message with a "5xx reason of deny" response.

See /etc/qpsmtpd/check_attachment how to the configured message is used.

DECLINED / DECLINED
pass the mail over to the next plugin. No dangerous content found.

OK / OK
accept the message and skip all further plugins which might want to inspect the contents of the message. This could be used to skip virus filters for text/plain messages, for example.

go top


RESULT-ONLY VALUES

RESULT-ONLY values are issued by the plugin and are not configurable:

DENYSOFT
reject temporarily the message with a "4xx Internal error - try later" response.

This will happen on errors, e.g.: The MIME stream (the headers of the message) can't be parsed.

go top


NEW MIME TYPES / EXTENSIONS

You can look at the log file (if loglevel is at least LOGINFO) with

 cat /var/log/qpsmtpd/qpsmtpd.log | grep 'not matched'

to find new mime types or extensions, which should be blocked as well.

go top


REQUIREMENTS

check_attachment requires the Perl module MIME::Parser.

go top


SECURITY CONCERNS

The patterns are used to construct a sub which is then compiled and executed. Thus anyone with write access to the /etc/qpsmtpd/check_attachment file can execute arbitrary code as user smtpd. This doesn't matter since presumably the person who can write this file can add arbitrary plugins, anyway, but if this module is ever changed to permit per-user configuration, proper checking must be added.

go top


HOOKS

data_post: check_attachment ( $self, $transaction )

go top


BUGS

None known yet.

go top


CREDITS

Thanks to Ask Bjoern Hansen for qpsmtpd.

http://smtpd.develooper.com/

And Peter J. Holzer for the original plugin.

http://www.hjp.at/projekte/qpsmtpd/

Following people have contributed suggestions or patches, as listed in the change log:

Radu Greab

go top


COPYRIGHT

(c) Ernesto 2007, ernest@dienstleistung-kultur.de

http://dienstleistung-kultur.de/qpsmtpd/

go top


LICENCE

As per the qpsmtpd license.

go top


This is a service of dienstleistung-kultur.de            Mailsystem QPSMTPD            Comments to Ernesto at ernesto@dienstleistung-kultur.de            Impressum