[SOLVED] Modify Content Filter

[sgrzy01]

We are getting alot of banned mail because of the embedded .wmf's that are in office 2007 docx's, un-be-knownst to the users who are sending the docs...

and our users are starting to complain...

How can I remove or at least alter this rule?

Thanx...

NE 601

[ArcaneMagus]

Which "rule" are you talking about that is causing these banned messages? A spamassasin rule?

How are these messages "banned"?

[sgrzy01]

Sorry.. should have put more detail in the message....

Which rule.. that is part of my problem.. I don't know which package is actaully doing the rejection...

Here is what I get as an admin (w/ header)
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Return-Path: admin@xxx.net
Received: from zimbra.xxx.net (LHLO
zimbra.xxx.net) (X.X.X.X) by zimbra.xxx.net
with LMTP; Thu, 22 Oct 2009 11:02:43 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by zimbra.xxx.net (Postfix) with ESMTP id 34297290034
for <steveg@yyy.com>; Thu, 22 Oct 2009 11:02:43 -0400 (EDT)
MIME-Version: 1.0
From: "Content-filter at zimbra.xxx.net"
<admin@xxx.net>
Date: Thu, 22 Oct 2009 11:02:42 -0400 (EDT)
Subject: BANNED contents (.wmf,word/media/image1.wmf) in mail TO YOU from
<zzz@citrix.com>
To: "'steveg@yyy.com'" <steveg@yyy.com>
Message-ID: <VRKE0K4GM+nPw5@zimbra.xxx.net>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

BANNED CONTENTS ALERT

Our content checker found
banned name: .wmf,word/media/image1.wmf

in an email to you from:
zzz@citrix.com

Content type: Banned
Our internal reference code for your message is 28786-09/KE0K4GM+nPw5

First upstream SMTP client IP address: [66.165.176.63] smtp02.citrix.com
According to a 'Received:' trace, the message apparently originated at:
[66.165.176.63], FTLPMAILBOX01.citrite.net [10.13.98.208]

Return-Path: <zzz@citrix.com>
From: Daria Robinson <zzz@citrix.com>
Message-ID:
<F40D1F28D0945448B4FFE861BFD8FD6E777E662E5E@FTLPMA ILBOX01.citrite.net>
Subject: FW: Citrix Technical Support Renewal
Networks
The message has been quarantined as: banned-KE0K4GM+nPw5

Please contact your system administrator for details.
~~~~~~~~~~~~~~~~~

Thanx....

[uxbod]

Check in Admin GUI -> Global Settings -> Currently Blocked Extensions to see if wmf has been listed by somebody.

[sgrzy01]

thanx... should have been able to find that myself.. sigh... :-)

[pkar]

Hello,
is this solution (allowing wmf from extensions) ok "security wise" ?
I mean could it be a security risk by allowing it globally ?
Is there any other way to allow it per user (zimbra account) or per domain ?

Thank you,
Panagiotis

[mario]

wmf are blocked by the following rule in amavis.conf

Code:

$banned_filename_re = new_RE(
  # banned extension - basic
  qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wmf|wsf|wsh|xl)$'i,
);

the modified rule should be

Code:

$banned_filename_re = new_RE(
  # banned extension - basic
  qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wsf|wsh|xl)$'i,
 [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
 qr'.\.wmf$'i,  # ban wmf
);

So wmf are checked after allowing docx or pptx.

You can do that in 3 steps:

1) from admin panel remove wmf from attachment ban

2) edit /opt/zimbra/conf/amavis.conf.in and change the following lines

Code:

$banned_filename_re = new_RE(
  # banned extension - basic
  %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list  VAR:zimbraMtaBlockedExtension |%%)$'i,
);

to

Code:

$banned_filename_re = new_RE(
  # banned extension - basic
  %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i, 
xtension |%%)$'i, 
 [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
 qr'.\.wmf$'i,  # ban wmf
);

3) as zimbra execute zmamavisdctl reload to reload amavis

Done.

Now if a docx or a pptx has inside a wmf it is allowed.

Remember to check after upgrade if the rule has been overwritten.

A special thanks to Samuele Tognini ( not a forum member ) for support and suggestions.

Mario

[pkar]

wmf are blocked by the following rule in amavis.conf

Code:

$banned_filename_re = new_RE(
  # banned extension - basic
  qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wmf|wsf|wsh|xl)$'i,
);

the modified rule should be

Code:

$banned_filename_re = new_RE(
  # banned extension - basic
  qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wsf|wsh|xl)$'i,
 [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
 qr'.\.wmf$'i,  # ban wmf
);

So wmf are checked after allowing docx or pptx.

You can do that in 3 steps:

1) from admin panel remove wmf from attachment ban

2) edit /opt/zimbra/conf/amavis.conf.in and change the following lines

Code:

$banned_filename_re = new_RE(
  # banned extension - basic
  %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list  VAR:zimbraMtaBlockedExtension |%%)$'i,
);

to

Code:

$banned_filename_re = new_RE(
  # banned extension - basic
  %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i, 
xtension |%%)$'i, 
 [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
 qr'.\.wmf$'i,  # ban wmf
);

3) as zimbra execute zmamavisdctl reload to reload amavis

Done.

Now if a docx or a pptx has inside a wmf it is allowed.

Remember to check after upgrade if the rule has been overwritten.

A special thanks to Samuele Tognini ( not a forum member ) for support and suggestions.

Mario

Hello,
tried to edit the file, but I got the following error when reload amavis

*************
Starting amavisd...Scalar found where operator expected at /opt/zimbra/conf/amavisd.conf line 209, near ")$'i"
(Missing operator before $'i?)
Error in config file "/opt/zimbra/conf/amavisd.conf": syntax error at /opt/zimbra/conf/amavisd.conf line 209, near ")$'i"
*************

Any idea what went wrong ?

I need also to enable wmf extensions ONLY when inside docx/pptx files, not everywhere, and I found this topic very useful

If someone could help would be greatly appreciated,

Regards

[mario]

Hello Pkar,

the error is in the code, the right code is this:

Code:

$banned_filename_re = new_RE(
  # banned extension - basic
  %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i, 
 [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
 qr'.\.wmf$'i,  # ban wmf
);

That was a "cut and glue" mistake, the wrong line is the following

Code:

xtension |%%)$'i,

Mario