
I'm using Amavis with my mail server and I noticed it's blocking emails that have CSV attachments.

It's allowing everything else people usually use in business environments and is blocking file types that it should (like bat, exe etc).

I'm using Ubuntu 14.04.5 LTS with the LTS Kernel (4.4.0-47-generic x86_64) and the OS is patched up to date.

I assumed there was a content filter rule in one of the files under:

/etc/amavis/conf.d/

Specifically this file: 20-debian_defaults which contains the $banned_filename variables.

But there are no entries that block either the CSV file type, or the CSV mime-type (text/csv).

When I send a test message from my work domain (where the problem is) to my personal email, it fails.

This is the log entry.

Feb 24 06:14:30 mail2 postfix/smtps/smtpd[24045]: connect from my-isp-external-hostname.someisp.com[000.000.000.202]
Feb 24 06:14:30 mail2 postfix/smtps/smtpd[24045]: Anonymous TLS connection established from my-isp-external-hostname.someisp.com[000.000.000.202]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 06:14:30 mail2 postfix/smtps/smtpd[24045]: A3FCD3A0794: client=my-isp-external-hostname.someisp.com[000.000.000.202], sasl_method=PLAIN, sasl_username=rob@workdomain.ca
Feb 24 06:14:30 mail2 postfix/cleanup[24049]: A3FCD3A0794: message-id=<A8CF2FE8-F203-454C-8811-E3E191684672@workdomain.ca>
Feb 24 06:14:31 mail2 opendkim[2108]: A3FCD3A0794: can't determine message sender; accepting
Feb 24 06:14:31 mail2 postfix/qmgr[2223]: A3FCD3A0794: from=<rob@workdomain.ca>, size=120673, nrcpt=1 (queue active)
Feb 24 06:14:37 mail2 amavis[22663]: (22663-10) Blocked SPAM {DiscardedOpenRelay,Quarantined}, [000.000.000.202]:49600 <rob@workdomain.ca> -> <rob@personaldomain.ca>, quarantine: Q/spam-Q1kQ3q1__N33.gz, Queue-ID: A3FCD3A0794, Message-ID: <A8CF2FE8-F203-454C-8811-E3E191684672@workdomain.ca>, mail_id: Q1kQ3q1__N33, Hits: 7.046, size: 120728, 6466 ms
Feb 24 06:14:37 mail2 postfix/smtp[24051]: A3FCD3A0794: to=<rob@personaldomain.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.3, delays=0.85/0.01/0/6.5, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=22663-10 - spam)
Feb 24 06:14:37 mail2 postfix/qmgr[2223]: A3FCD3A0794: removed

This is the banned_filename variable from my Amavis config (there's no CSV entry):

$banned_filename_re = new_RE(
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
  qr'^\.(exe-ms)$',                       # banned file(1) types
);

This is a somewhat out-of-the-box setup. I'm not overly experienced with mail servers (and I know I have a problem with my DKIM setup which the log is also noting, but for the moment I think that's not related to Amavis).

I've been researching this and all paths seem to lead to this $banned_filenames variable which for me, is a dead end right now.

It's also a little worrying that the log entry contains the term DiscardedOpenRelay. I test my server with MailRadar after every config change and it passes all their tests every time. I wonder if this term refers to the 'relay' that exists between Postfix and Amavis.

It only says this when it's rejecting a message.

Any help is much appreciated.

OH, I also noticed in the log, that when an attachment is specifically blocked, the log entry looks like this:

Feb 24 06:56:12 mail2 amavis[24722]: (24722-01) Blocked BANNED (application/octet-stream,.asc,test.bat) {DiscardedOpenRelay,Quarantined}, [142.161.177.202]:49882 <rob@workdomain.ca> -> <rob@personaldomain.ca>, quarantine: 0/banned-0BueXRbbZ4ys, Queue-ID: 8E03D3A075C, Message-ID: <5EE9C990-EF50-4FBC-9F5C-EF76366B17CF@workdomain.ca>, mail_id: 0BueXRbbZ4ys, Hits: -, size: 705, 87 ms
Feb 24 06:56:12 mail2 postfix/smtp[24885]: 8E03D3A075C: to=<rob@personaldomain.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.33, delays=0.23/0.01/0.01/0.08, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=24722-01 - BANNED: application/octet-stream,.asc,test.bat)

This was a BAT file and I wanted to see the difference between the 'correct' behaviour and the problem I have.

Amavis calls my CSV file SPAM for some reason... I think this is the direction I need to pursue. The blocking might be working correctly.

Rob Watts
  • I've done some additional testing and it seems that small CSV files can pass but larger ones cannot. The "large" one is 110KB and the small one was 800 bytes. – Rob Watts Mar 02 '17 at 16:34
  • The logs do not show file size based rejection or something else that makes sense, amavis shows it as SPAM – Rob Watts Mar 02 '17 at 16:34
  • I'm starting to think this is a DKIM issue. I used mail-tester.com to validate my DKIM and it tells me that the signature is valid and signed but the headers of my test emails show otherwise. `dkim=permerror (bad message/signature format)`. I can't tell if it's a bad format or a bad message... The error isn't clear. – Rob Watts Mar 02 '17 at 17:00
  • More news. It seems like this is a header issue in Apple's mail client. When I use Roundcube to send a message with the same "problem" attachment, it works fine. I'm not pretty convinced this is a problem in opendkim config. Probably something with the headers. – Rob Watts Mar 09 '17 at 19:01

0 Answers
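An added example, not part of the original post: a small parser that separates the two kinds of amavis "Blocked" entries shown in the question (a spam-score verdict with a numeric `Hits` value versus a BANNED verdict that names the offending parts) and checks names against Python ports of two of the posted `$banned_filename_re` rules. The sample lines, placeholder addresses and IDs, and the function names are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the two amavis entries in the question
# (addresses, IPs, queue IDs and mail IDs are placeholders).
SAMPLE_LOG = [
    "Feb 24 06:14:37 mail2 amavis[22663]: (22663-10) Blocked SPAM "
    "{DiscardedOpenRelay,Quarantined}, [192.0.2.10]:49600 <a@example.org> -> "
    "<b@example.net>, quarantine: Q/spam-XXXX.gz, Queue-ID: AAAA1111, "
    "mail_id: XXXX, Hits: 7.046, size: 120728, 6466 ms",
    "Feb 24 06:56:12 mail2 amavis[24722]: (24722-01) Blocked BANNED "
    "(application/octet-stream,.asc,test.bat) {DiscardedOpenRelay,Quarantined}, "
    "[192.0.2.10]:49882 <a@example.org> -> <b@example.net>, "
    "quarantine: 0/banned-YYYY, Queue-ID: BBBB2222, mail_id: YYYY, "
    "Hits: -, size: 705, 87 ms",
]

BLOCKED = re.compile(
    r"amavis\[\d+\]: \(\S+\) Blocked (?P<verdict>[A-Z-]+)"
    r"(?: \((?P<parts>[^)]*)\))? \{(?P<actions>[^}]*)\}"
    r".*?Queue-ID: (?P<queue_id>\w+).*?Hits: (?P<hits>-|-?[\d.]+)"
)

# Python ports of two $banned_filename_re entries from the question's config.
BANNED_RULES = [
    re.compile(r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$", re.I),
    re.compile(r"^application/x-msdownload$", re.I),
]

def parse_blocked(line):
    """Return verdict details for an amavis 'Blocked' line, else None."""
    m = BLOCKED.search(line)
    if not m:
        return None
    hits = m["hits"]
    return {
        "verdict": m["verdict"],
        "parts": m["parts"].split(",") if m["parts"] else [],
        "actions": m["actions"].split(","),
        "queue_id": m["queue_id"],
        "hits": None if hits == "-" else float(hits),  # "-" means not scored
    }

def banned_match(name):
    """True if a filename or MIME type matches one of the ported rules."""
    return any(rule.search(name) for rule in BANNED_RULES)

if __name__ == "__main__":
    for entry in map(parse_blocked, SAMPLE_LOG):
        print(entry)
```

A `SPAM` verdict with a numeric `hits` value and an empty `parts` list points at the spam score rather than at the banned-file rules, which is the distinction the two log entries in the question show.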