[GH-ISSUE #1013] Reject mail with zip files #860

Closed
opened 2026-02-27 11:13:58 +03:00 by kerem · 5 comments

Originally created by @fpiccinali on GitHub (Jan 28, 2017).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/1013

What do you think about restricting mail with malicious embedded files?

Most ransomware is spread via zip files.

It could be useful to have this default configuration:

  • In /etc/postfix/main.cf:

```
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
```

  • In /etc/postfix/mime_header_checks.regexp:

```
/name=([^>]*\.(ade|adp|bat|chm|cmd|com|cpl|dll|exe|hta|ins|isp|jar|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh|zip))/ REJECT Files attached to emails that contain or end in "$2" are prohibited on this server as they may contain viruses. The file named $1 was rejected
```

  • We also need to remove `no_header_body_checks` in /etc/postfix/master.cf in the line:

```
receive_override_options=no_header_body_checks,no_unknown_recipient_checks
```

In the modoboa config page, we could have a checkbox to activate or deactivate this feature?

Otherwise one can be satisfied with a tutorial in the doc.

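Added example, not part of the thread or of modoboa's code: a small Python harness that parses the Postfix regexp-table line proposed above, applies it to MIME header lines the way Postfix does (first matching rule wins, case-insensitive by default, `$1`/`$2` expanded from the captures), and runs it over a constructed two-part message built with the standard library. Python's `re` is used here as an approximation of Postfix's POSIX regexp tables; only the `i` and `x` table flags are handled, and the sample message and its fake zip payload are constructed for the demo.

```python
import re
from email.message import EmailMessage

# The mime_header_checks rule proposed in the issue, in Postfix regexp-table syntax:
#   /pattern/flags ACTION optional text
RULES_TEXT = r'''
# Lines starting with '#' are comments in a Postfix table (this one is constructed).
/name=([^>]*\.(ade|adp|bat|chm|cmd|com|cpl|dll|exe|hta|ins|isp|jar|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh|zip))/ REJECT Files attached to emails that contain or end in "$2" are prohibited on this server as they may contain viruses. The file named $1 was rejected
'''

# /pattern/flags ACTION [text]; the pattern may contain escaped characters such as "\."
_LINE = re.compile(r'^/((?:\\.|[^/\\])*)/([!a-zA-Z]*)\s+(\S+)(?:\s+(.*))?$')
# $1, ${1} and $(1) are the substitution forms Postfix accepts in the action text
_SUB = re.compile(r'\$(?:(\d+)|\{(\d+)\}|\((\d+)\))')


def load_rules(text):
    """Parse a regexp: table body into (compiled regex, ACTION, text) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f'unparseable rule: {line}')
        pattern, flags, action, action_text = m.groups()
        re_flags = re.IGNORECASE          # Postfix regexp tables are case-insensitive by default
        for f in flags:
            if f == 'i':
                re_flags ^= re.IGNORECASE  # the 'i' flag toggles case sensitivity
            elif f == 'x':
                re_flags ^= re.VERBOSE
        rules.append((re.compile(pattern, re_flags), action.upper(), action_text or ''))
    return rules


def expand(action_text, match):
    """Replace $n / ${n} / $(n) in the action text with the captured sub-expressions."""
    def repl(m):
        n = int(next(g for g in m.groups() if g is not None))
        return match.group(n) or ''
    return _SUB.sub(repl, action_text)


def check_header(header_line, rules):
    """Apply the table to one unfolded header line; the first matching rule wins."""
    for regex, action, action_text in rules:
        m = regex.search(header_line)
        if m:
            return action, expand(action_text, m)
    return None


def mime_headers(msg):
    """Yield 'Name: value' lines for the Content-* headers of every MIME part, which is
    what mime_header_checks inspects (header_checks covers the top-level headers)."""
    for part in msg.walk():
        for name in ('Content-Type', 'Content-Disposition', 'Content-Transfer-Encoding'):
            value = part.get(name)
            if value is not None:
                yield f'{name}: {value}'


def check_message(msg, rules):
    """Return (header line, ACTION, expanded text) for the first rule hit, or None."""
    for line in mime_headers(msg):
        hit = check_header(line, rules)
        if hit:
            return (line, *hit)
    return None


def sample_message():
    """Constructed message: a text body plus an attachment named invoice.zip (fake payload)."""
    msg = EmailMessage()
    msg['From'] = 'sender@example.com'
    msg['To'] = 'user@example.com'
    msg['Subject'] = 'Invoice'
    msg.set_content('Please find the invoice attached.')
    msg.add_attachment(b'PK\x03\x04 not a real archive', maintype='application',
                       subtype='zip', filename='invoice.zip')
    return msg


RULES = load_rules(RULES_TEXT)

if __name__ == '__main__':
    for line in mime_headers(sample_message()):
        print(line, '->', check_header(line, RULES) or 'pass')
```

Two things the harness makes visible: the pattern `name=` also matches `filename=` in Content-Disposition, which is why an attachment that only carries a filename parameter is still rejected; and because `[^>]*` does not exclude quotes, `$1` captures the opening quote (`"invoice.zip`), so the reject text reads slightly oddly. The real table can be exercised the same way with `postmap -q - regexp:/etc/postfix/mime_header_checks.regexp < headers.txt`, feeding whole header lines (name included) on stdin.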
kerem 2026-02-27 11:13:58 +03:00 closed this issue and added the question label

@ghost commented on GitHub (Jan 28, 2017):

IMHO, rejecting only by file extension is not the smart way to deal with this kind of threat, as it can be easily bypassed. So this will only give a false sense of security.

This is also redundant, as it's already checked in a better way by Amavis/SA and/or ClamAV.


@fpiccinali commented on GitHub (Jan 31, 2017):

@csmk:
Rejecting by file extension is less CPU intensive than an antivirus.

I agree that amavis or clamav are better, but with the default configuration of modoboa some ransomware passes through the wall.

Do you have any tips for improving the default conf? Or a better filter than mime_header?


@tonioo commented on GitHub (Jan 31, 2017):

@fpiccinali I've recently tried an amavis configuration which seems to provide good results:

```perl
$banned_namepath_re = new_RE(
    # Compressed files.
    [qr'M=application/(zip|rar|arc|arj|zoo|gz|bz2)(,|\t).*T=dat(,|\t)'xmi => 'DISCARD'],

    # Dangerous file types on Windows.
    [qr'M=(9|386|LeChiffre|aaa|abc|aepl|aru|atm|aut|bat|bhx|bin|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mjg|mjz|mp3|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|wmf|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxx|xyz|zix|zvz|zzz)(,|\t)'xmi => 'DISCARD'],
    [qr'N=.*(9|386|LeChiffre|aaa|abc|aepl|aru|atm|aut|bat|bhx|bin|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mjg|mjz|mp3|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|wmf|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxx|xyz|zix|zvz|zzz)$'xmi => 'DISCARD'],

    [qr'T=(pif|scr)(,|\t)'xmi => 'DISCARD'],                      # banned extensions - rudimentary
    [qr'T=ani(,|\t)'xmi => 'DISCARD'],                            # banned animated cursor file(1) type
    [qr'T=(mim|b64|bhx|hqx|xxe|uu|uue)(,|\t)'xmi => 'DISCARD'],   # banned extension - WinZip vulnerab.
    [qr'M=application/x-msdownload(,|\t)'xmi => 'DISCARD'],       # block these MIME types
    [qr'M=application/x-msdos-program(,|\t)'xmi => 'DISCARD'],
    [qr'M=application/hta(,|\t)'xmi => 'DISCARD'],
    [qr'M=(application/x-msmetafile|image/x-wmf)(,|\t)'xmi => 'DISCARD'],  # Windows Metafile MIME type
);
```

I think I'll include it in the default configuration deployed by the installer.

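Added example, not from the thread or from modoboa's installer: a Python evaluator for a subset of the amavis `$banned_namepath_re` rules above, run over constructed "namepath" strings. The namepath layout (one component per nesting level, components separated by TAB, `P=`/`L=`/`M=`/`T=`/`N=` attributes separated by commas) is assumed from the amavis documentation; the long extension alternation is shortened to a handful of entries for readability, and the `ANCHORED_RULES` variant that inserts a literal `\.` before the extension group is an assumed tightening of the posted `N=` rule, not something the thread proposes.

```python
import re

# Subset of the rules posted in the thread (patterns copied, long alternation shortened).
# amavis evaluates the pairs in order and stops at the first match.
PAGE_RULES = [
    (r"M=application/(zip|rar|arc|arj|zoo|gz|bz2)(,|\t).*T=dat(,|\t)", "DISCARD"),  # archive with opaque data inside
    (r"M=(9|bat|cmd|com|exe|js|scr|vbs)(,|\t)", "DISCARD"),                          # declared MIME type (shortened list)
    (r"N=.*(9|bat|cmd|com|exe|js|scr|vbs)$", "DISCARD"),                             # file name (shortened list)
    (r"T=(pif|scr)(,|\t)", "DISCARD"),                                               # type detected by file(1)/extension
    (r"M=application/x-msdownload(,|\t)", "DISCARD"),
]

# Assumed tightening: the posted N= rule has no "\." before the extension group, so it
# also fires on any name that merely ends in one of the strings (e.g. "photo9").
ANCHORED_RULES = [
    (r"N=.*\.(9|bat|cmd|com|exe|js|scr|vbs)$", a) if p.startswith("N=") else (p, a)
    for p, a in PAGE_RULES
]


def compile_rules(rules):
    # The posted rules use qr'...'xmi: extended syntax, multi-line, case-insensitive.
    return [(re.compile(pat, re.X | re.M | re.I), action) for pat, action in rules]


def evaluate(namepath, rules):
    """Return (action, index of the first matching rule) or None if the part passes."""
    for i, (regex, action) in enumerate(compile_rules(rules)):
        if regex.search(namepath):
            return action, i
    return None


# Constructed namepaths in the assumed amavis layout (TAB separates nesting levels).
SAMPLES = {
    "plain text": "P=p002,L=1,M=text/plain,T=asc,N=",
    "windows exe": "P=p003,L=1,M=application/x-msdownload,T=exe,T=exe-ms,N=setup.exe",
    "zip with opaque data": "P=p003,L=1,M=application/zip,T=zip,N=docs.zip\tP=p004,L=1/1,M=,T=dat,N=payload.dat",
    "zip with pdf": "P=p003,L=1,M=application/zip,T=zip,N=docs.zip\tP=p004,L=1/1,M=,T=pdf,N=report.pdf",
    "jpeg named photo9": "P=p003,L=1,M=image/jpeg,T=jpg,N=photo9",
}


def report(rules=PAGE_RULES):
    """Verdict for every sample under the given rule list."""
    return {label: evaluate(path, rules) for label, path in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in report().items():
        print(f"{label:22} -> {verdict or 'pass'}")
```

The samples show the three attribute classes doing different jobs: the first rule needs both the archive's `M=` and a nested part's `T=dat`, so a zip holding a PDF passes while a zip holding unidentifiable data is discarded; `N=` rules only ever see the name the sender chose, which is the point made earlier in the thread. Running the same samples through `ANCHORED_RULES` keeps `setup.exe` blocked but lets `photo9` through, a quick check worth doing before shipping a long extension list in a default configuration.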

@tonioo commented on GitHub (Feb 8, 2017):

@fpiccinali Have you tried this config?


@tonioo commented on GitHub (Mar 17, 2017):

@fpiccinali Can I close this issue?
