I'm using Amavis with my mail server and I noticed it's blocking emails that have CSV attachments.

It's allowing everything else people usually use in business environments and is blocking file types that it should (like bat, exe, etc.).

I'm using Ubuntu 14.04.5 LTS with the LTS Kernel (4.4.0-47-generic x86_64) and the OS is patched up to date.

I assumed there was a content filter rule in one of the files under:

/etc/amavis/conf.d/

Specifically this file: 20-debian_defaults which contains the $banned_filename variables.

But there are no entries that block either the CSV file type, or the CSV mime-type (text/csv).

When I send a test message from my work domain (where the problem is) to my personal email, it fails.

This is the log entry.

Feb 24 06:14:30 mail2 postfix/smtps/smtpd[24045]: connect from my-isp-external-hostname.someisp.com[000.000.000.202]
Feb 24 06:14:30 mail2 postfix/smtps/smtpd[24045]: Anonymous TLS connection established from my-isp-external-hostname.someisp.com[000.000.000.202]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 06:14:30 mail2 postfix/smtps/smtpd[24045]: A3FCD3A0794: client=my-isp-external-hostname.someisp.com[000.000.000.202], sasl_method=PLAIN, sasl_username=rob@workdomain.ca
Feb 24 06:14:30 mail2 postfix/cleanup[24049]: A3FCD3A0794: message-id=<A8CF2FE8-F203-454C-8811-E3E191684672@workdomain.ca>
Feb 24 06:14:31 mail2 opendkim[2108]: A3FCD3A0794: can't determine message sender; accepting
Feb 24 06:14:31 mail2 postfix/qmgr[2223]: A3FCD3A0794: from=<rob@workdomain.ca>, size=120673, nrcpt=1 (queue active)
Feb 24 06:14:37 mail2 amavis[22663]: (22663-10) Blocked SPAM {DiscardedOpenRelay,Quarantined}, [000.000.000.202]:49600 <rob@workdomain.ca> -> <rob@personaldomain.ca>, quarantine: Q/spam-Q1kQ3q1__N33.gz, Queue-ID: A3FCD3A0794, Message-ID: <A8CF2FE8-F203-454C-8811-E3E191684672@workdomain.ca>, mail_id: Q1kQ3q1__N33, Hits: 7.046, size: 120728, 6466 ms
Feb 24 06:14:37 mail2 postfix/smtp[24051]: A3FCD3A0794: to=<rob@personaldomain.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.3, delays=0.85/0.01/0/6.5, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=22663-10 - spam)
Feb 24 06:14:37 mail2 postfix/qmgr[2223]: A3FCD3A0794: removed

This is the banned_filename variable from my Amavis config (there's no CSV entry):

$banned_filename_re = new_RE(
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
  qr'^\.(exe-ms)$',                       # banned file(1) types
);

This is a somewhat out-of-the-box setup. I'm not overly experienced with mail servers (and I know I have a problem with my DKIM setup, which the log is also noting, but for the moment I think that's not related to Amavis).

I've been researching this and all paths seem to lead to this $banned_filenames variable, which for me is a dead end right now.

It's also a little worrying that the log entry contains the term DiscardedOpenRelay. I test my server with MailRadar after every config change and it passes all their tests every time. I wonder if this term refers to the 'relay' that exists between Postfix and Amavis.

It only says this when it's rejecting a message.

Any help is much appreciated.

Oh, I also noticed in the log that when an attachment is specifically blocked, the log entry looks like this:

Feb 24 06:56:12 mail2 amavis[24722]: (24722-01) Blocked BANNED (application/octet-stream,.asc,test.bat) {DiscardedOpenRelay,Quarantined}, [142.161.177.202]:49882 <rob@workdomain.ca> -> <rob@personaldomain.ca>, quarantine: 0/banned-0BueXRbbZ4ys, Queue-ID: 8E03D3A075C, Message-ID: <5EE9C990-EF50-4FBC-9F5C-EF76366B17CF@workdomain.ca>, mail_id: 0BueXRbbZ4ys, Hits: -, size: 705, 87 ms
Feb 24 06:56:12 mail2 postfix/smtp[24885]: 8E03D3A075C: to=<rob@personaldomain.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.33, delays=0.23/0.01/0.01/0.08, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=24722-01 - BANNED: application/octet-stream,.asc,test.bat)

This was a BAT file and I wanted to see the difference between the 'correct' behaviour and the problem I have.

Amavis calls my CSV file SPAM for some reason... I think this is the direction I need to pursue. The blocking might be working correctly.

Rob Watts
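
Added example (not part of the original post): a small Python parser for amavis verdict lines like the two quoted above, separating a block caused by a banned part name from one caused by the spam score. The field layout is assumed from those two entries; the sample lines, addresses and IDs are constructed.

```python
import re

# Layout assumed from the two amavis entries quoted in the post.
HEAD_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<action>Blocked|Passed) "
    r"(?P<category>[A-Z-]+)(?: \((?P<detail>[^)]*)\))? \{(?P<flags>[^}]*)\}"
)
FIELD_RE = re.compile(r"(quarantine|Queue-ID|mail_id|Hits): ([^,\s]+)")

def parse_amavis(line):
    """Return the verdict fields of one amavis log line, or None."""
    head = HEAD_RE.search(line)
    if head is None:
        return None  # postfix/opendkim lines carry no amavis verdict
    rec = head.groupdict()
    rec.update(dict(FIELD_RE.findall(line)))
    rec["flags"] = rec["flags"].split(",")
    # Hits is "-" when no spam score was computed for the message.
    hits = rec.get("Hits", "-")
    rec["score"] = None if hits == "-" else float(hits)
    return rec

def explain(rec):
    """One-line reason: a banned part name versus a spam score."""
    if rec["category"] == "BANNED":
        return "banned part: %s" % rec["detail"]
    if rec["category"] == "SPAM":
        return "spam score %s, no banned part named" % rec.get("Hits", "-")
    return rec["category"]

def triage(lines):
    """(mail_id, category, reason) for every amavis verdict in lines."""
    recs = [r for r in map(parse_amavis, lines) if r]
    return [(r.get("mail_id"), r["category"], explain(r)) for r in recs]

# Constructed sample lines modelled on the entries in the post.
_PEER = "{DiscardedOpenRelay,Quarantined}, [192.0.2.10]:49600 <a@example.org> -> <b@example.net>, "
SAMPLE_LOG = [
    "Feb 24 06:14:37 mail2 amavis[22663]: (22663-10) Blocked SPAM " + _PEER
    + "quarantine: Q/spam-AAAA1111.gz, Queue-ID: 1111111111A, "
    "Message-ID: <m1@example.org>, mail_id: AAAA1111, Hits: 7.046, size: 120728, 6466 ms",
    "Feb 24 06:56:12 mail2 amavis[24722]: (24722-01) Blocked BANNED "
    "(application/octet-stream,.asc,test.bat) " + _PEER
    + "quarantine: 0/banned-BBBB2222, Queue-ID: 2222222222B, "
    "Message-ID: <m2@example.org>, mail_id: BBBB2222, Hits: -, size: 705, 87 ms",
    "Feb 24 06:56:12 mail2 postfix/qmgr[2223]: 2222222222B: removed",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```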