Mailing List Archive

demime -> acl_smtp_mime
I'm a bit late, but...


I have to rewrite my 'data' ACL that uses the old 'demime' condition. One is:

deny
  message = .$found_extension files are not accepted here
  demime = ADE:ADP:ASP:BAS:BAT:CAB:CHM:CMD:COM:CPL:CRT:EXE:HLP:HTA:INF:INS:ISP:JS:JSE:LNK:MDB:MDE:MSC:MSI:MSP:MST:PCD:PIF:REG:SCR:SCT:SHB:SHS:URL:VB:VBE:VBS:WS:WSC:WSF:WSH

and it is relatively simple; I think something like:

deny
  message = '$mime_filename' files are not accepted here
  condition = ${if match {${uc:$mime_filename}} {[.] *(ADE|ADP|ASP|BAS|BAT|CAB|CHM|CMD|COM|CPL|CRT|EXE|HLP|HTA|INF|INS|ISP|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|PCD|PIF|REG|SCR|SCT|SHB|SHS|URL|VB|VBE|VBS|WS|WSC|WSF|WSH)\$}}

but a condition like:

deny
  message = Serious MIME defect detected ($demime_reason)
  demime = *
  condition = ${if >{$demime_errorlevel}{2}{1}{0}}

how can it be converted into 'acl_smtp_mime' lingo?


Thanks.

--
Once someone asked Mahatma Gandhi what he thought of civilisation
in the West. "I think it would be a good idea," he replied.



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: demime -> acl_smtp_mime
> From: Marco Gaiarin <gaio@lilliput.linux.it>

> but a condition like:
>
> deny
> message = Serious MIME defect detected ($demime_reason)
> demime = *
> condition = ${if >{$demime_errorlevel}{2}{1}{0}}
>
> how can be converted in 'acl_smtp_mime' lingo?

No way I think. I'm curious: how often did you see messages triggering
this rejection?

More elaborate checks:

P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
GREP = /usr/bin/grep
SHELL = /bin/sh
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious: exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
# Perhaps "jar" should be added.
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z|tar
check_rfc2047_length = false
acl_smtp_mime = acl_check_mime

begin acl
acl_check_mime:
  # 1. Executable by content-type, or by a forbidden extension (also when
  #    one or more archive extensions follow it, e.g. foo.exe.zip).
  deny message = BINFORBIDDEN
       log_message = forbidden attachment: filename=$mime_filename, \
                     content-type=$mime_content_type, recipients=$recipients
       condition = ${if or{\
                     {match{$mime_content_type}\
                       {(?i)executable|application/x-ace-compressed}}\
                     {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
                   }}

  # 2. Archive (by content-type or extension) in a message under 1500K:
  #    decode it, list it with 7z and deny if any entry carries a forbidden
  #    or nested archive extension.
  deny message = Compressed BINFORBIDDEN
       condition = ${if or{\
                     {match{$mime_content_type}{(?i)application/\
                       (octet-stream|x(-zip)?-compressed|zip)}}\
                     {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                   }}
       condition = ${if <{$message_size}{1500K}}
       decode = default
       log_message = forbidden binary in attachment: filename=$mime_filename, \
                     recipients=$recipients
       condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
                     {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

  # 3. Office (OOXML) file: unpack it into the decode directory and grep the
  #    parts for strings typical of an embedded PE binary or shell/script objects.
  deny message = Windows-executable inside an Office file attachment
       condition = ${if or{\
                     {match{$mime_content_type}{(?i)openxmlformats-officedocument}}\
                     {match{$mime_filename}{\N(?i)\.(doc|xls|ppt)(x|m)$\N}}\
                   }}
       decode = default
       log_message = forbidden binary in Office file attachment: \
                     filename=$mime_filename, recipients=$recipients
       set acl_m_ud = ${sg{$mime_decoded_filename}{[^/]+\$}{}}
       condition = ${run{SHELL -c \
                     "cd $acl_m_ud; \
                     P7ZIP x -y $mime_decoded_filename; \
                     GREP -r -a -s -E \
                     'rundll32|This program cannot be run in DOS mode|\
                     This program must be run under|Embedded Object|\
                     WScript\\.Sh|Shell\\.Application|Location: file:' \
                     $acl_m_ud"}{1}{0}}

  accept


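An added emulation of the first two deny stanzas in Lena's recipe (not code from the post or from Exim): it reuses the WINBIN and COMPREXT patterns and the "7z l" regex from that ACL, so the matching logic, including nested extensions such as foo.exe.zip, can be checked outside Exim against constructed sample inputs. The function names, the listing text and the file names are my own.

```python
import re

# Macro values copied from the ACL in the post above.
WINBIN = r"exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace"
COMPREXT = r"zip|rar|7z|arj|bz2|gz|uue|xz|z|tar"

# The same regexes the acl_check_mime conditions use, compiled for Python.
EXEC_TYPE_RE = re.compile(r"executable|application/x-ace-compressed", re.I)
WINBIN_NAME_RE = re.compile(rf"\.({WINBIN})(\.({COMPREXT}))*$", re.I)
ARCHIVE_TYPE_RE = re.compile(r"application/(octet-stream|x(-zip)?-compressed|zip)", re.I)
ARCHIVE_NAME_RE = re.compile(rf"\.({COMPREXT})$", re.I)
# Regex the ACL applies to the output of "7z l": a listing line (it starts
# with the year) whose entry name ends in an executable or archive extension.
LISTING_RE = re.compile(rf"\n[12].+\.({COMPREXT}|{WINBIN})\n", re.I)


def classify_part(filename, content_type):
    """Verdict of the first two deny stanzas for one MIME part (matched as
    Exim's match does: anywhere in the string, case-insensitively)."""
    if EXEC_TYPE_RE.search(content_type) or WINBIN_NAME_RE.search(filename):
        return "deny: Windows-executable attachments forbidden"
    if ARCHIVE_TYPE_RE.search(content_type) or ARCHIVE_NAME_RE.search(filename):
        return "list"  # the ACL now decodes the part and runs "7z l" on it
    return "accept"


def archive_lists_forbidden(listing):
    """The second stanza's last condition, given the text "7z l" printed."""
    return LISTING_RE.search(listing) is not None


# Constructed sample listings in the column layout of "7z l" (not real output).
LISTING_WITH_EXE = (
    "   Date      Time    Attr         Size   Compressed  Name\n"
    "------------------- ----- ------------ ------------  ----------------\n"
    "2018-09-13 12:00:00 ....A        12345        11000  invoice.pdf.exe\n"
    "2018-09-13 12:00:00 ....A          512          300  readme.txt\n"
    "------------------- ----- ------------ ------------  ----------------\n"
)
LISTING_CLEAN = LISTING_WITH_EXE.replace(
    "2018-09-13 12:00:00 ....A        12345        11000  invoice.pdf.exe\n", "")

if __name__ == "__main__":
    for name, ctype in [("setup.exe.zip", "application/zip"),
                        ("archive.7z", "application/octet-stream"),
                        ("report.pdf", "application/pdf")]:
        print(name, "->", classify_part(name, ctype))
    print("listing with exe ->", archive_lists_forbidden(LISTING_WITH_EXE))
```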
Re: demime -> acl_smtp_mime
Hello! Lena--- via Exim-users
On that day you wrote...

> No way I think. I'm curious: how often did you see messages triggering
> this rejection?

Oh, probably never... but indeed seems good to reject messages with a
defective MIME structure...


> More elaborate checks:

Thanks for the hint. Very interesting recipe... but still the question
remains.

My current mime ACL is:

acl_smtp_mime:

  # Decode MIME parts to disk.
  warn
    decode = default

  # Unpack MIME containers and reject file extensions used by worms.
.ifdef LOCAL_FORBIDDEN_EXTENSIONS
  deny
    message = '$mime_filename' files are not accepted here
    !acl = acl_local_deny_exceptions
    condition = ${if match {${uc:$mime_filename}}{[.] *(LOCAL_FORBIDDEN_EXTENSIONS)\$}}
.endif

  # accept otherwise
  accept


So probably the first instance can be simply converted to:

# Decode MIME parts to disk. Deny on errors.
deny
  message = Serious MIME defect detected
  decode = default

but I only suppose so, and I'm also asking whether there's some 'status' on decode
error, as '$demime_reason' was.

Thanks.

--
War is an adventure without return.
(Giovanni Paolo II)



Re: demime -> acl_smtp_mime
Marco Gaiarin via Exim-users wrote on 13.09.2018 18:45:
> Hello! Lena--- via Exim-users
> On that day you wrote...
>
>> No way I think. I'm curious: how often did you see messages triggering
>> this rejection?
>
> Oh, probably never... but indeed seems good to reject messages with a
> defective MIME structure...
>
>
>> More elaborate checks:
>
> Thanks for the hint. Very interesting recipe... but still the question
> remains.

Try to use $mime_anomaly_level and $mime_anomaly_text


> My current mime ACL is:
>
> acl_smtp_mime:
>
> # Decode MIME parts to disk.
> warn
> decode = default
>
> # Unpack MIME containers and reject file extensions used by worms.
> .ifdef LOCAL_FORBIDDEN_EXTENSIONS
> deny
> message = '$mime_filename' files are not accepted here
> !acl = acl_local_deny_exceptions
> condition = ${if match {${uc:$mime_filename}}{[.] *(LOCAL_FORBIDDEN_EXTENSIONS)\$}}
> .endif
>
> # accept otherwise
> accept
>
>
> So probably the first instance can be simply converted to:
>
> # Decode MIME parts to disk. Deny on errors.
> deny
> message = Serious MIME defect detected
> decode = default
>
> but I only suppose so, and I'm also asking whether there's some 'status' on decode
> error, as '$demime_reason' was.
>
> Thanks.
>


--
Best wishes
Victor Ustugov mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Skype ID: corvax_nb JID: victor@corvax.kiev.ua

Re: demime -> acl_smtp_mime
Hello! Victor Ustugov via Exim-users
On that day you wrote...

> Try to use $mime_anomaly_level and $mime_anomaly_text

Bingo! I wrote:

deny
  message = Serious MIME defect detected ($mime_anomaly_text)
  condition = ${if > {$mime_anomaly_level}{1} {true}{false}}

looking at the code (it seems that 'feature' is undocumented):

struct anom {
  int level;
  const uschar * text;
} anom[] = { {1, CUS"Broken Quoted-Printable encoding detected"},
             {2, CUS"Broken BASE64 encoding detected"} };

now I accept broken quoted-printable MIME parts but not broken base64 MIME
parts.

Thanks!

--
Letter from Marsala, just three lines on a note,
the rest I thought and did not write. (R. Vecchioni)



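An added illustration (not from the thread and not Exim's own decoder) of what the two anomaly levels in that table mean in practice: a simplified check that flags a quoted-printable body with a stray '=' as level 1 and a base64 body with bad characters or padding as level 2, then applies the same "> 1" threshold as the ACL above. Exim's real checks in mime.c differ in detail; the function names and sample bodies are my own.

```python
import base64
import binascii
import re

# The table quoted from Exim's mime.c: level -> $mime_anomaly_text.
ANOMALIES = {
    1: "Broken Quoted-Printable encoding detected",
    2: "Broken BASE64 encoding detected",
}

# In quoted-printable a '=' must start a hex pair (=C3) or a soft line
# break ('=' at end of line); any other use is a broken encoding.
QP_BAD_EQUALS = re.compile(r"=(?![0-9A-Fa-f]{2})(?!\r?\n)(?!\Z)")


def check_part(encoding, body):
    """Approximation of ($mime_anomaly_level, $mime_anomaly_text) for one
    MIME part; (0, "") when the body is clean or not encoded at all."""
    enc = encoding.strip().lower()
    if enc == "quoted-printable":
        if QP_BAD_EQUALS.search(body):
            return 1, ANOMALIES[1]
    elif enc == "base64":
        try:
            # validate=True rejects non-alphabet characters; bad padding
            # raises as well, so both kinds of damage land at level 2.
            base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except binascii.Error:
            return 2, ANOMALIES[2]
    return 0, ""


def acl_verdict(level, threshold=1):
    """The ACL's condition: ${if > {$mime_anomaly_level}{1} {true}{false}}"""
    return "deny" if level > threshold else "accept"


# Constructed sample bodies (not real mail).
SAMPLES = [
    ("quoted-printable", "caf=C3=A9 =3D 3.50=\n per cup"),  # clean
    ("quoted-printable", "100=% off today"),                # level 1
    ("base64", "SGVsbG8gV29ybGQ="),                         # clean
    ("base64", "SGVsbG8gV29y!bGQ="),                        # level 2
    ("base64", "SGVsbG8"),                                  # level 2 (padding)
]

if __name__ == "__main__":
    for enc, body in SAMPLES:
        level, text = check_part(enc, body)
        print(f"{enc:17} level={level} {acl_verdict(level):6} {text}")
```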
Re: demime -> acl_smtp_mime
Marco Gaiarin via Exim-users wrote on 28.09.2018 15:30:
> Hello! Victor Ustugov via Exim-users
> On that day you wrote...
>
>> Try to use $mime_anomaly_level and $mime_anomaly_text
>
> Bingo! I wrote:
>
> deny
> message = Serious MIME defect detected ($mime_anomaly_text)
> condition = ${if > {$mime_anomaly_level}{1} {true}{false}}

It's better to insert "decode = default" before "message"

> looking at the code (it seems that 'feature' is undocumented):
>
> struct anom {
> int level;
> const uschar * text;
> } anom[] = { {1, CUS"Broken Quoted-Printable encoding detected"},
> {2, CUS"Broken BASE64 encoding detected"} };

Yes, mime_anomaly_level and mime_anomaly_text are not documented.


> now I accept broken quoted-printable MIME parts but not broken base64 MIME
> parts.
>
> Thanks!

Welcome.


--
Best wishes
Victor Ustugov mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Skype ID: corvax_nb JID: victor@corvax.kiev.ua

Re: demime -> acl_smtp_mime
On 9/28/18 10:03 PM, Victor Ustugov via Exim-users wrote:
>> looking at the code (it seems that 'feature' is undocumented):
>>
>> struct anom {
>> int level;
>> const uschar * text;
>> } anom[] = { {1, CUS"Broken Quoted-Printable encoding detected"},
>> {2, CUS"Broken BASE64 encoding detected"} };
>
> Yes, mime_anomaly_level and mime_anomaly_text are not documented.

Patches always welcome, even for docs...
--
Cheers,
Jeremy


Re: demime -> acl_smtp_mime
Hello! Victor Ustugov via Exim-users
On that day you wrote...

>> deny
>> message = Serious MIME defect detected ($mime_anomaly_text)
>> condition = ${if > {$mime_anomaly_level}{1} {true}{false}}
> It's better to insert "decode = default" before "message"

Oh, yes, sorry: my full ACL is:

acl_smtp_mime:

  warn
    decode = default

  deny
    message = Serious MIME defect detected ($mime_anomaly_text)
    condition = ${if > {$mime_anomaly_level}{1} {true}{false}}

  [other acl stanzas...]

  accept

--
Your den is up on the hill, Dr. Dobermann, six million a square metre,
and your wife really looks like a queen,
but she is the wife of a thief. (F. De Gregori)


