Blocking docx with rar

koby
Hello Guys,
I would like to ask please: why does a block rule with ==> application/vnd\.rar (rar)
block *.docx?

One more question please:

Where can I find exactly why a mail was blocked?
Because currently I needed to eliminate one rule at a time to find out which one was causing me trouble.

Thanks,
Koby Peleg Hen
 
I would like to ask please , why block rules with ==> application/vnd\.rar (rar)
It should not - afaik docx and rar have nothing in common.

Where I can find why mail was blocking exactly ,
You should be able to see which rule caused a mail to be blocked/quarantined/accepted in the mail.log (/var/log/mail.log, or `journalctl -b`).

I hope this helps!
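Pulling the matched rule out of the log by hand works for one mail, but for the "which rule caused it" question it is quicker to extract the `(rule: ...)` references per filter ID. The script below is an added example, not code from the thread or from Proxmox; it parses pmg-smtp-filter lines in the format shown in the thread's mail.log excerpt and reports, per filter ID, which action was taken and under which rule. The sample log lines are constructed (placeholder addresses and IDs) and the "accept mail to" line shape is an assumption modelled on the quarantine lines above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, patterned on the mail.log excerpt in the thread.
# Hostnames, queue IDs, addresses and rule names are placeholders.
SAMPLE_LOG = """\
Oct 1 16:45:20 smg01 postfix/smtpd[39356]: connect from localhost[127.0.0.1]
Oct 1 16:45:20 smg01 pmg-smtp-filter[33364]: 60DDB5F75DD6F1193E: notify <user@example.invalid> (rule: Block On Archive FileType, 25C8260E1E)
Oct 1 16:45:20 smg01 pmg-smtp-filter[33364]: 60DDB5F75DD6F1193E: moved mail for <user@example.invalid> to spam quarantine - 60F545F75DD702D5E9 (rule: Block On Archive FileType)
Oct 1 16:45:20 smg01 pmg-smtp-filter[33364]: 60DDB5F75DD6F1193E: processing time: 1.119 seconds (0.947, 0.048, 0)
Oct 1 16:46:02 smg01 pmg-smtp-filter[33364]: 60DDB5F75DD6F1193F: accept mail to <user@example.invalid> (60DDB5F75DD6F1193F) (rule: Allow Office Documents)
"""

# One pmg-smtp-filter line: syslog timestamp, host, process, filter ID, message.
FILTER_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pmg-smtp-filter\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<msg>.*)$"
)
# The rule name ends at the closing paren or at a comma (notify lines add the queue ID).
RULE_REF = re.compile(r"\(rule: (?P<rule>[^,)]+)")
# The leading verb tells us what the rule did with the mail.
ACTION_WORD = re.compile(r"^(?P<action>moved mail for|notify|accept mail to|block mail to)\b")


def rules_by_message(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each filter ID to the list of (action, rule name) pairs logged for it.

    Lines without a '(rule: ...)' reference (e.g. processing time) are skipped.
    """
    out: Dict[str, List[Tuple[str, str]]] = {}
    for line in log_text.splitlines():
        m = FILTER_LINE.match(line)
        if not m:
            continue
        rule = RULE_REF.search(m.group("msg"))
        if not rule:
            continue
        action = ACTION_WORD.match(m.group("msg"))
        verb = action.group("action") if action else "other"
        out.setdefault(m.group("qid"), []).append((verb, rule.group("rule").strip()))
    return out


def quarantine_rule(log_text: str, qid: str) -> Optional[str]:
    """Return the name of the rule that moved this filter ID to quarantine, if any."""
    for verb, rule in rules_by_message(log_text).get(qid, []):
        if verb == "moved mail for":
            return rule
    return None


if __name__ == "__main__":
    for qid, hits in rules_by_message(SAMPLE_LOG).items():
        for verb, rule in hits:
            print(f"{qid}: {verb:<14} rule={rule!r}")
```

Run it against `journalctl -b -u pmg-smtp-filter` output or `/var/log/mail.log` instead of the embedded sample to see every rule decision per mail without editing rules one by one.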
 
Hello Guys,
I would like you to check this please.
I set a rule named "Block Archive file Type" which is meant to block all kinds of archives (zip, rar etc.).
By no means is it meant to block the docx file type.

Here is my mail.log:
"
Oct 1 16:45:20 smg01 postfix/smtpd[39356]: connect from localhost[127.0.0.1]
Oct 1 16:45:20 smg01 postfix/smtpd[39356]: 25C8260E1E: client=localhost[127.0.0.1]
Oct 1 16:45:20 smg01 postfix/cleanup[39357]: 25C8260E1E: message-id=<20201001134520.25C8260E1E@smg01.mksoft.co.il>
Oct 1 16:45:20 smg01 postfix/qmgr[34827]: 25C8260E1E: from=<postmaster@smg01.mksoft.co.il>, size=2073, nrcpt=1 (queue active)
Oct 1 16:45:20 smg01 pmg-smtp-filter[33364]: 60DDB5F75DD6F1193E: notify <koby@mksoft.co.il> (rule: Block On Archive FileType, 25C8260E1E)
Oct 1 16:45:20 smg01 postfix/smtpd[39356]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 commands=4
Oct 1 16:45:20 smg01 pmg-smtp-filter[33364]: 60DDB5F75DD6F1193E: moved mail for <koby@mksoft.co.il> to spam quarantine - 60F545F75DD702D5E9 (rule: Block On Archive FileType)
Oct 1 16:45:20 smg01 pmg-smtp-filter[33364]: 60DDB5F75DD6F1193E: processing time: 1.119 seconds (0.947, 0.048, 0)
Oct 1 16:45:20 smg01 postfix/smtpd[39347]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (60DDB5F75DD6F1193E); from=<kph.hunter@gmail.com> to=<koby@mksoft.co.il> proto=ESMTP helo=<mail-yb1-f171.google.com>
Oct 1 16:45:20 smg01 postfix/smtpd[39347]: disconnect from mail-yb1-f171.google.com[209.85.219.171] ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5
Oct 1 16:45:21 smg01 pmgmirror[16631]: starting cluster syncronization
Oct 1 16:45:21 smg01 pmgmirror[16631]: cluster syncronization finished (0 errors, 0.02 seconds (files 0.00, database 0.02, config 0.00))
Oct 1 16:45:21 smg01 postfix/smtp[39358]: 25C8260E1E: to=<koby@mksoft.co.il>, relay=mksoft-co-il.mail.protection.outlook.com[104.47.17.74]:25, delay=1.6, delays=0.04/0.05/0.81/0.72, dsn=2.6.0, status=sent (250 2.6.0 <20201001134520.25C8260E1E@smg01.mksoft.co.il> [InternalId=1245540522025, Hostname=DB7PR05MB5018.eurprd05.prod.outlook.com] 9368 bytes in 0.119, 76.556 KB/sec Queued mail for delivery)
Oct 1 16:45:21 smg01 postfix/qmgr[34827]: 25C8260E1E: removed
"


Here is my quarantine blocking log:
"
Delivered-To: koby@mksoft.co.il
Return-Path: kph.hunter@gmail.com
Received: from mail-yb1-f180.google.com (mail-yb1-f180.google.com [209.85.219.180])
by smg01.mksoft.co.il (Proxmox) with ESMTP
for <koby@mksoft.co.il>; Thu, 1 Oct 2020 16:53:45 +0300 (IDT)
Received: by mail-yb1-f180.google.com with SMTP id h9so4081008ybm.4
for <koby@mksoft.co.il>; Thu, 01 Oct 2020 06:53:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:from:date:message-id:subject:to;
bh=GWuCx1AdrDfgEX0b88qQmmiM5jr+NjtUSpGSR7UHBIc=;
b=h82OPNknqCM7EtF+SJgukhmuMja09tBjE5zl58v0kedSRUfEhd459+KG0NpC6F5F+r
hnjBHT91IAJtQRt7AiTaJlGdIivHc4uJyRhsBB+9pMmYpueUsDHpfjosboEG+hXFK8mY
Wx4hNVEvAyXeNy2TT4PdqAuyB1JiE5RP7cGrRbi2/EEW0Ao1GDizSKQkXJbB0ZjoC/is
dmm62ZBaOnv43T+fPmQastuMs8CsUwyYdHBWa2to5bDBdAPNm/cjdd5+l7XM0wWoVcvY
8zCUQHLvMWyWurgtWw2LLabDcAMp8+39Brfst9d4mNo+SSm+Su99YiHTwG4PEkG/jkEt
CIVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=GWuCx1AdrDfgEX0b88qQmmiM5jr+NjtUSpGSR7UHBIc=;
b=rFbnCI+M6lqFdUKUOh/6N3YQHlbR4l9YN9/+z/jrdHys2Z4jqpTPD3XDbf8HM+P1s3
wIR4kZ7QsqylAJZuxIYG8OkotcmrszxOD8x5Az/1iCzhGmbmosPdhuKEz1k9QUHWlsFa
vT2K278IFXvXvKqNNxM0b1clsNQXqK3mZW5ND0tgAfWTYkyYFYEVFHznlekN2Uhf49r4
EYpgQPVcOj/OrSDfLhv783+av3ZIL5OWYNgAPJtHRKBquQcnkIvRXhU9jMD1W7mRpuuk
z95JmcGFrREF/AjbbrMkrsxQBDijy4x7I1spO5Mg6lKbM8FvtYuEH91ktFzznF7EzWtk
EIdA==
X-Gm-Message-State: AOAM5318TL+KH1oDyXGKA3dVPdANxQE5H3ZYafL61FYEV34fAlYpoXj7
Ck1A4Z6f0CdtQYNlvXEoHttO/mHH/xgleVHyhguWJdFkrvY=
X-Google-Smtp-Source: ABdhPJxIdGGxkWow4IbKfee7lkwj0vHVHdjAxPRiKZV8aGbkmJe3FOzkoxaObNxD1r+BUNxlWfEtQyrfD42eSlD+iFA=
X-Received: by 2002:a25:ae9e:: with SMTP id b30mr9755905ybj.281.1601560423896;
Thu, 01 Oct 2020 06:53:43 -0700 (PDT)
MIME-Version: 1.0
From: =?UTF-8?B?16fXldeR15kg16TXnNeSINeX158=?= <kph.hunter@gmail.com>
Date: Thu, 1 Oct 2020 16:53:32 +0300
Message-ID: <CA+MqEvMDaXrPn3MrY5F7zH1fdsuxfjRD5kds9torhAnc0MT+pQ@mail.gmail.com>
Subject: e1
To: koby <koby@mksoft.co.il>
Content-Type: multipart/mixed; boundary="0000000000002774f205b09c5851"
X-SmgPro: Checked & Verified by SmgPro - Mksoft Systems


--0000000000002774f205b09c5851
Content-Type: multipart/alternative; boundary="0000000000002774ef05b09c584f"

--0000000000002774ef05b09c584f
Content-Type: text/plain; charset="UTF-8"

--0000000000002774ef05b09c584f
Content-Type: text/html; charset="UTF-8"

<div dir="rtl"><br></div>

--0000000000002774ef05b09c584f--

--0000000000002774f205b09c5851
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document;
name="MAMRAM_HOURS_07_2020.docx"
Content-Disposition: attachment; filename="MAMRAM_HOURS_07_2020.docx"
Content-Transfer-Encoding: base64
Content-ID: <f_kfqvpu5r0>
X-Attachment-Id: f_kfqvpu5r0
"

And here is a picture of my rule for you to see:

[attached screenshots: 1601560850347.png, 1601560917914.png, 1601560954700.png]

Does anyone have the same issue?
Thanks for any help.

Koby Peleg Hen
 
Thanks for sharing your config, the mail and the logs - with this I could reproduce the issue:
docx is basically zipped XML - see https://en.wikipedia.org/wiki/Office_Open_XML
so the content type filter matches.
The content type matches zip files (which are different and have a different mime-type from .rar files).

You have the following possibilities:
* create a rule with a higher priority, which accepts mails with docx/xlsx filetypes ('application/vnd\.openxmlformats-officedocument.*' should work)
* maybe a bit more robust - create the rule matching for the filename '.*.docx'
* change the Block Archive File Type rule to match for the filename as well

(Of course there is the difference between the filename (which is provided by the mail sender or their client) and the mime-type (which is deduced from the file contents, roughly what `file(1)` does).)

I hope this explains it!
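To make the explanation above concrete (a docx is a zip container, so content-based detection sees it as zip while the declared type and filename say "Word document"), and to show how the suggested higher-priority accept rule and the filename-based rule change the outcome, here is an added example. It is not Proxmox code and does not reproduce PMG's rule engine: the toy `Rule.matches` tests a content-type pattern against both the declared MIME type and the sniffed type, which is an assumption made for the demonstration. The sample attachments are constructed in memory (a minimal OOXML zip and a blob carrying the RAR signature), and the filename pattern is anchored as `.*\.docx` rather than the looser `.*.docx` quoted above.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Optional

# Magic bytes used for content sniffing (what file(1) would key on first).
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
DOCX_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
WORD_MAIN_PART = "word/document.xml"


def build_docx_like(body_xml: str = "<w:document/>") -> bytes:
    """Constructed minimal OOXML container: a zip with the parts that mark a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(WORD_MAIN_PART, body_xml)
    return buf.getvalue()


def sniff_mime(data: bytes) -> str:
    """First-pass content detection: leading bytes only, so a docx looks like any zip."""
    if data.startswith(RAR_MAGICS):
        return "application/vnd.rar"
    if data.startswith(ZIP_MAGIC):
        return "application/zip"
    return "application/octet-stream"


def refine_ooxml(data: bytes) -> str:
    """Second pass: if it is a zip, look inside for the Word main part."""
    sniffed = sniff_mime(data)
    if sniffed != "application/zip":
        return sniffed
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    if "[Content_Types].xml" in names and WORD_MAIN_PART in names:
        return DOCX_TYPE
    return sniffed


@dataclass
class Attachment:
    filename: str        # Content-Disposition name, chosen by the sender
    declared_type: str   # MIME Content-Type header, also chosen by the sender
    data: bytes          # decoded body, the only thing sniffing looks at


@dataclass
class Rule:
    name: str
    priority: int
    action: str                          # "accept" or "quarantine"
    content_type: Optional[str] = None   # regex, full match
    filename: Optional[str] = None       # regex, full match

    def matches(self, att: Attachment) -> bool:
        # Toy semantics (assumption for this demo, not PMG's implementation): a
        # content-type pattern is tested against the declared AND the sniffed type,
        # a filename pattern against the sender-supplied name only.
        if self.content_type is not None:
            types = {att.declared_type, sniff_mime(att.data)}
            if not any(re.fullmatch(self.content_type, t) for t in types):
                return False
        if self.filename is not None and not re.fullmatch(self.filename, att.filename):
            return False
        return True


def evaluate(rules, att: Attachment):
    """Ordered rule table: highest priority first, first match wins."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.matches(att):
            return rule.action, rule.name
    return "accept", "default-accept"


BLOCK_ARCHIVES = Rule("Block On Archive FileType", 50, "quarantine",
                      content_type=r"application/(zip|vnd\.rar)")
ALLOW_OOXML = Rule("Allow Office Documents", 90, "accept",
                   content_type=r"application/vnd\.openxmlformats-officedocument.*")
ALLOW_DOCX_NAME = Rule("Allow docx by filename", 90, "accept", filename=r".*\.docx")

# Constructed attachments: a genuine docx-like zip and a RAR-signature blob.
DOCX_ATT = Attachment("report.docx", DOCX_TYPE, build_docx_like())
RAR_ATT = Attachment("archive.rar", "application/vnd.rar", RAR_MAGICS[0] + b"\x00" * 32)


def demo():
    return {
        "docx_sniffed": sniff_mime(DOCX_ATT.data),
        "docx_refined": refine_ooxml(DOCX_ATT.data),
        "docx_block_only": evaluate([BLOCK_ARCHIVES], DOCX_ATT),
        "docx_with_allow_type": evaluate([BLOCK_ARCHIVES, ALLOW_OOXML], DOCX_ATT),
        "docx_with_allow_name": evaluate([BLOCK_ARCHIVES, ALLOW_DOCX_NAME], DOCX_ATT),
        "rar_with_allow_type": evaluate([BLOCK_ARCHIVES, ALLOW_OOXML], RAR_ATT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first two results show why the archive rule fires: by leading bytes alone the docx is `application/zip`, and only a second look inside the container identifies it as a Word document. The remaining results show that either suggested accept rule, placed at a higher priority, lets the docx through while the RAR attachment is still quarantined, because the accept patterns never match an archive type.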