I am wondering if anyone would have any ideas as to why my mailscanners (I have 4 in total) would not block / quarantine attachments like .exe etc. I have been through all the configs and log files but I can’t find anything that points to a problem in my setup.
I am running MailScanner on CentOS 6. MailScanner is version 4.84.6 and ClamAV is the anti-virus installed. Once MailScanner works its magic on the incoming emails, they are then relayed internally to an Exchange server.
I have not really changed much in the standard MailScanner.conf file. I have verified:
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
And the 2 "default" rules files exist and are standard out of the box.
They contain:
# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
My testing has so far been to use an external mail server to send an attached Windows executable file (.exe) to an internal Exchange account. I have tried both using an external Outlook client and also a native Linux-based web client, with the same result (i.e. the .exe file is delivered to the Exchange account).
The maillog contains the following entries when I send the test email in:
Nov 14 09:14:04 mailscanner postfix/smtpd: connect from unknown[XXX.XXX.XXX.XXX]
Nov 14 09:14:05 mailscanner postfix/smtpd: B32DF300F7A: client=unknown[XXX.XXX.XXX.XXX]
Nov 14 09:14:06 mailscanner postfix/cleanup: B32DF300F7A: hold: header Received: from XXXXX.XXX (unknown [XXX.XXX.XXX.XXX])??by mailscanner.XXXXX.XXX (Postfix) with SMTP id B32DF300F7A??for <jyoung <at> XXXXX.XXX>; Thu, 14 Nov 2013 09:14:05 +100 from unknown[XXX.XXX.XXX.XXX]; from=<jason <at> XXXXX.XXX> to=<jyoung <at> XXXXX.XXX> proto=SMTP helo=<XXXXX.XXXXX.XXX>
Nov 14 09:14:06 mailscanner postfix/cleanup: B32DF300F7A: message-id=<70df8fbcea6253ccee9a2a40329f09ce.squirrel <at> webmail.XXXXX.XXX>
Nov 14 09:14:08 mailscanner postfix/smtpd: disconnect from unknown[XXX.XXX.XXX.XXX]
Nov 14 09:14:09 mailscanner MailScanner: New Batch: Found 1 messages waiting
Nov 14 09:14:09 mailscanner MailScanner: New Batch: Scanning 1 messages, 151691 bytes
Nov 14 09:14:09 mailscanner MailScanner: Virus and Content Scanning: Starting
Nov 14 09:14:10 mailscanner MailScanner: Requeue: B32DF300F7A.AE0C2 to CCE03300F7F
Nov 14 09:14:10 mailscanner MailScanner: Uninfected: Delivered 1 messages
Nov 14 09:14:10 mailscanner postfix/qmgr: CCE03300F7F: from=<jason <at> XXXXX.XXX>, size=151040, nrcpt=1 (queue active)
Nov 14 09:14:10 mailscanner MailScanner: Deleted 1 messages from processing-database
Nov 14 09:14:10 mailscanner MailScanner: Logging message B32DF300F7A.AE0C2 to SQL
Nov 14 09:14:10 mailscanner MailScanner: B32DF300F7A.AE0C2: Logged to MailWatch SQL
Nov 14 09:14:11 mailscanner postfix/smtp: CCE03300F7F: to=<jyoung <at> XXXXX.XXX>, relay=10.10.10.12[10.10.10.12]:25, delay=5.9, delays=5.1/0/0/0.78, dsn=2.6.0, status=sent (250 2.6.0 <70df8fbcea6253ccee9a2a40329f09ce.squirrel <at> webmail.XXXXX.XXX> [InternalId=20096151978059] Queued mail for delivery)
Nov 14 09:14:11 mailscanner postfix/qmgr: CCE03300F7F: removed
And the email that arrives has the following header (extract):
Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"
X-Priority: 3 (Normal)
X-SXXXXXXXX-MailScanner-Information: Please contact the ISP for more information
X-SXXXXXXXX-MailScanner: Found to be clean
X-SXXXXXXXX-MailScanner-From: jason <at> XXXXX.XXX
X-Spam-Status: No, No
X-RXXXXXXXX -MailScanner-Information: Please contact the ISP for more information
X-RXXXXXXXX -MailScanner-ID: B32DF300F7A.AE0C2
X-RXXXXXXXX -MailScanner: Found to be clean
X-RXXXXXXXX -MailScanner-From: jason <at> XXXXX.XXX
Running MailScanner --lint gives the following output:
[root <at> mailscanner ~]# MailScanner --lint
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 872 hostnames from the phishing whitelist
Read 6957 hostnames from the phishing blacklists
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Checking version numbers...
Version number in MailScanner.conf (4.84.6) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (48)
MailScanner setting UID to (89)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 4 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ../1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging
Does anyone have any ideas or suggestions as to why the inbound attached files are not being blocked? I am of course making the assumption that .exe files should be blocked by default.
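The post turns on whether the two deny lines in filename.rules.conf actually match the attachment name at scan time. The following is an added example (not MailScanner's own code and not part of the original post) that evaluates attachment names against a rules file written in the documented filename.rules.conf layout. It assumes the format MailScanner documents in that file: four TAB-separated fields (action, regular expression, log text, user report text), the first matching rule wins, the regex is matched case-insensitively against the attachment filename, and an attachment no rule matches is allowed. The sample rules are constructed: the two deny lines are the ones quoted above, the allow line and the deliberately malformed space-separated line are added to show how a rule that is not tab-separated silently stops applying.

```python
import re
from collections import namedtuple

# Constructed sample in the documented filename.rules.conf layout.
# Fields are separated by TAB characters.  The last line is deliberately
# written with spaces instead of tabs to show the most common editing mistake.
SAMPLE_RULES = (
    "# These 2 added by popular demand - Very often used by viruses\n"
    "deny\t\\.com$\tWindows/DOS Executable\t"
    "Executable DOS/Windows programs are dangerous in email\n"
    "deny\t\\.exe$\tWindows/DOS Executable\t"
    "Executable DOS/Windows programs are dangerous in email\n"
    "allow\t\\.txt$\t-\t-\n"
    "deny \\.scr$ Screensaver Screensavers are dangerous in email\n"  # malformed
)

# Actions this checker understands (assumption: the documented action words).
KNOWN_ACTIONS = ("allow", "deny", "deny+delete", "rename")

Rule = namedtuple("Rule", "lineno action pattern logtext report")


def parse_rules(text):
    """Parse rules text into (rules, problems).

    problems is a list of (lineno, message) for lines that would not be
    applied as intended: wrong separator, unknown action, or bad regex.
    """
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = re.split(r"\t+", line)   # assumption: TAB-separated fields
        if len(fields) < 2:
            problems.append((lineno, "not tab-separated; rule will not apply"))
            continue
        action = fields[0].lower()
        if action not in KNOWN_ACTIONS:
            problems.append((lineno, "unknown action %r" % fields[0]))
            continue
        try:
            pattern = re.compile(fields[1], re.IGNORECASE)  # assumption: /i
        except re.error as exc:
            problems.append((lineno, "bad regex %r: %s" % (fields[1], exc)))
            continue
        logtext = fields[2] if len(fields) > 2 else "-"
        report = fields[3] if len(fields) > 3 else "-"
        rules.append(Rule(lineno, action, pattern, logtext, report))
    return rules, problems


def check_attachment(rules, filename):
    """Return (action, logtext, lineno) for the first rule matching filename.

    Assumption: when no rule matches, the attachment is allowed.
    """
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule.logtext, rule.lineno
    return "allow", "no rule matched", None


if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE_RULES)
    for lineno, msg in problems:
        print("rules line %d: %s" % (lineno, msg))
    for name in ("invoice.EXE", "eicar.com", "notes.txt", "funny.scr"):
        action, logtext, lineno = check_attachment(rules, name)
        print("%-12s -> %-6s (%s, rule line %s)" % (name, action, logtext, lineno))
```

Running it shows the two quoted deny lines catching both `eicar.com` and an upper-case `invoice.EXE`, while `funny.scr` sails through because its rule was written with spaces and never parsed. The same check can be run against a real /etc/MailScanner/filename.rules.conf by reading the file into `parse_rules`; a non-empty `problems` list is the first thing to look at when a rule that "exists" is not firing.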