Attachment content-type filtering rules

cavel (New Member), Apr 15, 2021
Hello everybody,

Just wondering if you can help with this issue or if you have seen similar problems with the filtering of archive attachments.
We are currently in the process of adding additional filtering rules for incoming mails that should block various types of content. The same should apply to content that is present within archive attachments such as .zip and .rar.

However, what I have found so far is that when defining archive filtering it doesn't always block the files based on their content-type.
For example, imagine a scenario where you want to block VBS files that are delivered in .zip or .rar archives. You would go and create 4 different "Archive filters" based on content-type, which in this case should be something like the ones below (based on publicly available info, these should be the correct content-types for VBS files):

Application/x-vbs
Application/x-vbscript
text/vbs
text/vbscript

However, this doesn't appear to work and it seems like it's not able to recognize the content-type. For other types it works as expected.
The same issue also appears with .HTA files, which should have the content-type "application/hta".

As the issue seems to be caused by PMG not being able to recognize these content-types, is there a way to manually add/define them?

Also as far as I know there is no way to add filtering based on file names within archives?

Regards
 
Also as far as I know there is no way to add filtering based on file names within archives?
Yes, there is in recent versions a 'match archive filename'.

Also, you can check the detected filetype of a file with 'file --mime-type <file>'; this should match what we detect.
 
Hi dcsapak,

Thanks for the reply.
The "Match archive filename" matches the name of the archive, not the name of a file that is present in the archive, so it's not applicable here.
And about the content-type: based on the test files I created, these appear to be detected as text/plain although they contain valid VBS or HTML code.
Isn't this matching it also based on the extension?

Update: the "Match Archive Filename" filter now filtered the VBS within the archive properly after a restart of the services, so probably an issue with PMG locally. Thanks for the assistance.
 
Hello everybody!
PMG can't catch vbs in the gz archive (gz). I tried to use "Match Archive Filename" and "Archive filter" but without result.
It catches exe in gz without problems, vbs no...
My PMG version is 7.2-4
Dangerous archive and my rules attached
 

Hello everybody!
PMG can't catch vbs in the gz archive (gz). I tried to use "Match Archive Filename" and "Archive filter" but without result.
It catches exe in gz without problems, vbs no...
My PMG version is 7.2-4
Dangerous archive and my rules attached
can you post the log for that mail?

EDIT: our code works by unpacking the file, which currently does not look at the gzip header for the original filename (so the vbs extension is not there), and 'mimetype' then says the mime type is text/plain

you can open an enhancement request here that we can try to honor the original filename of gz files: https://bugzilla.proxmox.com
 
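The difference dcsapak describes, shown as an added example (this is editor-written demonstration code, not PMG's unpacker): a zip stores every member's name in its central directory, so a filename rule has something to match, whereas gzip wraps a single stream and keeps the original name only in the optional FNAME header field of RFC 1952, which an unpacker can skip entirely. Once the name is gone, magic-based detection of a short script sees plain text. The archives below are built in memory from a made-up script.vbs; the .vbs suffix check stands in for whatever "Match Archive Filename" does internally, which the thread does not show.

```python
"""
Why a .vbs is visible to a name-based rule inside a .zip but not inside a .gz.
Example code added for this forum thread; not Proxmox Mail Gateway code.
"""
import gzip
import io
import struct
import zipfile
from typing import Optional

# Constructed sample: a harmless VBScript line with no magic signature,
# so libmagic-style detection classifies it as text/plain.
VBS_NAME = "script.vbs"
VBS_BODY = b'MsgBox "hello from vbs"\r\n'

# RFC 1952 FLG bits that decide where the FNAME field sits in the header.
FEXTRA = 0x04
FNAME = 0x08


def build_zip(name: str, data: bytes) -> bytes:
    """Zip archive with one member; the name is stored per entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_gzip(name: str, data: bytes, keep_name: bool = True) -> bytes:
    """gzip stream. GzipFile emits FNAME only when a filename is supplied,
    mirroring 'gzip script.vbs' (name kept) versus 'gzip < script.vbs' (no name)."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name if keep_name else "", mode="wb", fileobj=buf) as gz:
        gz.write(data)
    return buf.getvalue()


def zip_member_names(blob: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def gzip_original_name(blob: bytes) -> Optional[str]:
    """Walk the RFC 1952 header by hand and return FNAME, or None if absent.
    This is the lookup the thread says the unpacker currently does not do."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    flg = blob[3]
    pos = 10                                   # ID1 ID2 CM FLG MTIME(4) XFL OS
    if flg & FEXTRA:                           # FEXTRA precedes FNAME
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if not flg & FNAME:
        return None
    end = blob.index(b"\x00", pos)             # FNAME is NUL-terminated latin-1
    return blob[pos:end].decode("latin-1")


def names_seen_by_unpacker(kind: str, blob: bytes, honor_gzip_fname: bool = False) -> list:
    """Names a filename rule gets to match, per archive kind.
    honor_gzip_fname=False models the behaviour described in this thread."""
    if kind == "application/zip":
        return zip_member_names(blob)
    if kind == "application/gzip":
        name = gzip_original_name(blob) if honor_gzip_fname else None
        return [name] if name else []
    raise ValueError(f"unsupported kind {kind}")


def matches_vbs_rule(names: list) -> bool:
    """Stand-in for a filename rule matching names that end in .vbs
    (assumption: the real rule's matching semantics are not shown on the page)."""
    return any(n.lower().endswith(".vbs") for n in names)


if __name__ == "__main__":
    z = build_zip(VBS_NAME, VBS_BODY)
    g = build_gzip(VBS_NAME, VBS_BODY)
    for kind, blob, honor in (("application/zip", z, False),
                              ("application/gzip", g, False),
                              ("application/gzip", g, True)):
        names = names_seen_by_unpacker(kind, blob, honor)
        print(f"{kind:18} honor_fname={honor!s:5} names={names} blocked={matches_vbs_rule(names)}")
```

Note that even with FNAME honoured, a sender can strip the name by piping through gzip, so a content-type rule on the unpacked payload is still the only check that does not depend on the wrapper; for VBS that payload is detected as text/plain, which is exactly the gap the thread is about.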
Thank you for your reply!

EDIT: our code works by unpacking the file, which currently does not look at the gzip header for the original filename (so the vbs extension is not there), and 'mimetype' then says the mime type is text/plain

you can open an enhancement request here that we can try to honor the original filename of gz files: https://bugzilla.proxmox.com
Yes sir! Gonna bugzilla now.

That's the log of this case:

Feb 17 13:12:10 mailgw postfix/smtpd[28612]: connect from mail.source.org[111.111.111.111]
Feb 17 13:12:11 mailgw postfix/smtpd[28612]: 4056A1A01A: client=mail.source.org[111.111.111.111]
Feb 17 13:12:11 mailgw postfix/cleanup[28771]: 4056A1A01A: message-id=<b8472fce-4592-29e1-9a6e-d20c8f42b82c@source.org>
Feb 17 13:12:11 mailgw postfix/smtpd[28612]: disconnect from mail.source.org[111.111.111.111] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb 17 13:12:11 mailgw postfix/qmgr[414]: 4056A1A01A: from=<admin@source.org>, size=389133, nrcpt=1 (queue active)
Feb 17 13:12:11 mailgw pmg-smtp-filter[28643]: 1A01B63EEF08B5651D: new mail message-id=<b8472fce-4592-29e1-9a6e-d20c8f42b82c@source.org>#012
Feb 17 13:12:11 mailgw pmg-smtp-filter[28643]: 1A01B63EEF08B5651D: found archive 'FESCO - Updated SOA 2301303084-1.gz' (application/gzip)
Feb 17 13:12:11 mailgw pmg-smtp-filter[28643]: 1A01B63EEF08B5651D: unpack archive 'FESCO - Updated SOA 2301303084-1.gz' done (5 ms)
Feb 17 13:12:11 mailgw pmg-smtp-filter[28643]: 1A01B63EEF08B5651D: SA score=0/5 time=0.095 bayes=0.00 autolearn=ham autolearn_force=no hits=AWL(0.185),BAYES_00(-1.5)
Feb 17 13:12:11 mailgw postfix/smtpd[28776]: connect from localhost[127.0.0.1]
Feb 17 13:12:11 mailgw postfix/smtpd[28776]: A9C7B19FE2: client=localhost[127.0.0.1], orig_client=mail.source.org[111.111.111.111]
Feb 17 13:12:11 mailgw postfix/cleanup[28771]: A9C7B19FE2: message-id=<b8472fce-4592-29e1-9a6e-d20c8f42b82c@source.org>
Feb 17 13:12:11 mailgw postfix/qmgr[414]: A9C7B19FE2: from=<admin@source.org>, size=389507, nrcpt=1 (queue active)
Feb 17 13:12:11 mailgw pmg-smtp-filter[28643]: 1A01B63EEF08B5651D: accept mail to <admin@dest.org> (A9C7B19FE2) (rule: default-accept)
Feb 17 13:12:11 mailgw postfix/smtpd[28776]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Feb 17 13:12:11 mailgw pmg-smtp-filter[28643]: 1A01B63EEF08B5651D: processing time: 0.367 seconds (0.095, 0.167, 0)
Feb 17 13:12:11 mailgw postfix/lmtp[28772]: 4056A1A01A: to=<admin@dest.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.49, delays=0.08/0.02/0/0.39, dsn=2.5.0, status=sent (250 2.5.0 OK (1A01B63EEF08B5651D))
Feb 17 13:12:11 mailgw postfix/qmgr[414]: 4056A1A01A: removed
Feb 17 13:12:11 mailgw postfix/smtp[28777]: A9C7B19FE2: to=<admin@dest.org>, relay=192.168.111.230[192.168.111.230]:25, delay=0.25, delays=0.03/0.03/0.07/0.12, dsn=2.0.0, status=sent (250 OK id=1pSrAR-0001tV-Qg)
Feb 17 13:12:11 mailgw postfix/qmgr[414]: A9C7B19FE2: removed
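Until PMG honours the gzip FNAME field, a gz attachment that reaches "accept mail ... (rule: default-accept)" has passed every specific rule without any name-based rule ever seeing the inner file. The following is an added example, not part of the thread or of PMG, of a small triage script that finds exactly that pattern in the pmg-smtp-filter lines above: a single-stream wrapper (gzip, bzip2, xz) found in a message that was then accepted by the default rule. The log lines embedded in it are the ones posted above; the list of wrapper types is the editor's assumption about which formats share gzip's lack of per-member names.

```python
"""
Find single-stream compressed attachments that PMG accepted under the default
rule, i.e. attachments no specific rule matched. Editor-added example; not PMG code.
"""
import re
from collections import defaultdict

# Log lines copied from the thread above (already anonymised by the poster).
SAMPLE_LOG = """\
Feb 17 13:12:11 mailgw pmg-smtp-filter[28643]: 1A01B63EEF08B5651D: new mail message-id=<b8472fce-4592-29e1-9a6e-d20c8f42b82c@source.org>#012
Feb 17 13:12:11 mailgw pmg-smtp-filter[28643]: 1A01B63EEF08B5651D: found archive 'FESCO - Updated SOA 2301303084-1.gz' (application/gzip)
Feb 17 13:12:11 mailgw pmg-smtp-filter[28643]: 1A01B63EEF08B5651D: unpack archive 'FESCO - Updated SOA 2301303084-1.gz' done (5 ms)
Feb 17 13:12:11 mailgw pmg-smtp-filter[28643]: 1A01B63EEF08B5651D: accept mail to <admin@dest.org> (A9C7B19FE2) (rule: default-accept)
"""

# Assumption: formats that compress exactly one stream and carry a member
# name, if at all, only in an optional header that the unpacker may skip.
SINGLE_STREAM_WRAPPERS = {"application/gzip", "application/x-bzip2", "application/x-xz"}

FOUND_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<id>[0-9A-F]+): found archive '(?P<name>.*)' \((?P<mime>[^)]+)\)$"
)
ACCEPT_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (?P<id>[0-9A-F]+): accept mail to <(?P<rcpt>[^>]+)> "
    r"\(\w+\) \(rule: (?P<rule>[^)]+)\)$"
)


def find_unfiltered_wrappers(log_text: str, rule: str = "default-accept") -> list:
    """One dict per (filter id, archive) where a single-stream wrapper was
    found and the same message was then accepted by `rule`."""
    archives = defaultdict(list)      # filter id -> [(archive name, mime)]
    accepted = {}                     # filter id -> recipient
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m and m["mime"] in SINGLE_STREAM_WRAPPERS:
            archives[m["id"]].append((m["name"], m["mime"]))
            continue
        m = ACCEPT_RE.search(line)
        if m and m["rule"] == rule:
            accepted[m["id"]] = m["rcpt"]
    return [
        {"id": fid, "archive": name, "mime": mime, "rcpt": accepted[fid]}
        for fid, items in archives.items() if fid in accepted
        for name, mime in items
    ]


if __name__ == "__main__":
    for hit in find_unfiltered_wrappers(SAMPLE_LOG):
        print(f"{hit['id']}: '{hit['archive']}' ({hit['mime']}) delivered to {hit['rcpt']}")
```

Run it against /var/log/mail.log (or journalctl -u pmg-smtp-filter) to get a list of messages worth a manual look; a hit does not mean the payload was malicious, only that the wrapper hid the inner filename from every name-based rule.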
 
