[SOLVED] Remove compressed attachments example (.zip) that contain .exe, .msi, .aspx in the .zip file

poetry

Active Member
May 28, 2020
Hello,
Can someone help me with how to configure Proxmox to remove compressed attachments that contain .exe, .msi or other executable, dangerous files?

Right now I have a huge list of attachments that get removed, but I would also like to apply this rule to all compressed attachments that contain files I have on the remove list:

Code:
.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)

[screenshot: pmg-attachments.png]

I would like to have a separate rule so I can see which rule is working. What is the easiest way to add all these file types?

Thanks for the help as always!

EDIT:

What is the difference between
[screenshot: 1667406198310.png]

and
[screenshot: 1667406220742.png]

and
[screenshot: 1667406263455.png]

Will this work the same?

EDIT: can someone also explain this rule?
Match Filename:
Filename: .*\.\{.+\}

This is probably unnecessary for what I am doing, right?

[screenshot: 1667406632103.png]


----------

EDIT3:
Is this the correct solution, or will I break something?
Match Archive Filename:
Code:
.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)


[screenshot: 1667407228480.png]

From the manual:
[screenshot: 1667407990674.png]

This looks like my final solution. One rule to replace them all.

Match Archive Filename:
Filename:
Code:
.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)

Is this correct, or will I see any abnormal behavior if I use just this rule?

[screenshot: 1667408979664.png]


EDIT: interesting note: once this rule is activated, we see additional lines in the logs that indicate attachments that have been unpacked and checked.

Code:
Nov 2 17:54:12 pmg-smtp-filter[88291]: 1215406362A0B378390: found archive '.xlsx' (application/zip)
Nov 2 17:54:12 pmg-smtp-filter[88291]: 1215406362A0B378390: unpack archive '.xlsx' done (72 ms)


Is there a way to show additional log lines for attachments that are not archives, to see on all messages what attachments have been detected?

EDIT2: already seeing some abnormal behavior in the logs:
Code:
Nov 2 18:16:53 pmg-smtp-filter[90229]: 1215586362A60546765: new mail message-id=<202211021716.2A2HGqv71895009@>#012
Nov 2 18:16:53 pmg-smtp-filter[90229]: 1215586362A60546765: found archive 'msg-90229-20.txt' (message/rfc822)
Nov 2 18:16:53 pmg-smtp-filter[90229]: 1215586362A60546765: unpack failed - unexpected number of files '0' at /usr/share/perl5/PMG/Unpack.pm line 481.
Nov 2 18:16:53 pmg-smtp-filter[90229]: 1215586362A60546765: unpack archive 'msg-90229-20.txt' done (3 ms)

EDIT3: I am guessing this is a password-protected file:
Code:
Nov 2 19:01:16 pmg-smtp-filter[959]: 1215736362B06C1CD02: new mail message-id=<36401782.4761.1667412075269>#012
Nov 2 19:01:16 pmg-smtp-filter[959]: 1215736362B06C1CD02: found archive '1.zip' (application/zip)
Nov 2 19:01:16 pmg-smtp-filter[959]: 1215736362B06C1CD02: unpack failed - child '1034' failed: 512
Nov 2 19:01:16 pmg-smtp-filter[959]: 1215736362B06C1CD02: unpack archive '1.zip' done (245 ms)

EDIT4: how high does it make sense to set Virus Detector - Max files? Right now I have it set to 1000.
Code:
Nov 2 17:36:34 pmg-smtp-filter[86365]: 12154163629C928CB9A: new mail message-id=<03f001d8eed8$e124c6a0$a36e53e0>#012
Nov 2 17:36:42 pmg-smtp-filter[86365]: 12154163629C928CB9A: found archive '.pptx' (application/zip)
Nov 2 17:36:43 pmg-smtp-filter[86365]: 12154163629C928CB9A: unpack failed - too many files in archive (> 1000) at /usr/share/perl5/PMG/Unpack.pm line 486, <GEN10229> line 3919.
Nov 2 17:36:43 pmg-smtp-filter[86365]: 12154163629C928CB9A: unpack archive '.pptx' done (622 ms)
 
Last edited:
I have configured What Object to detect compressed and non compressed attachments Match Archive Filename.
I want to detect all this attachments and in the archives and if it matches the attachment type then it should block.

Filename
Code:
.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|wim|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)

[screenshot: 1669210089195.png]

I am noticing in the logs that it is detecting files, for example .docx, as application/zip. This seems strange. Is this normal behavior?
Is it possible that because it's scanning all the files, they are shown in the logs?

Code:
Nov 23 13:34:36 server postfix/smtpd[216408]: connect from sender-server[1.2.3.4]
Nov 23 13:34:36 server postfix/smtpd[216408]: Anonymous TLS connection established from sender-server[1.2.3.4]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 23 13:34:36 server postfix/smtpd[216408]: NOQUEUE: client=sender-server[1.2.3.4]
Nov 23 13:34:37 server pmg-smtp-filter[217179]: 121374637E135D19847: new mail message-id=<11d68aae-f0f1-2334-0faf-b89a1f2e7183@sender>#012
Nov 23 13:34:37 server pmg-smtp-filter[217179]: 121374637E135D19847: found archive 'anon.docx' (application/zip)
Nov 23 13:34:37 server pmg-smtp-filter[217179]: 121374637E135D19847: unpack archive 'anon.docx' done (62 ms)
Nov 23 13:34:38 server pmg-smtp-filter[217179]: 121374637E135D19847: SA score=0/5 time=0.966 bayes=undefined autolearn=disabled hits=HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.25)
Nov 23 13:34:38 server postfix/smtpd[215484]: connect from localhost.localdomain[127.0.0.1]
Nov 23 13:34:38 server postfix/smtpd[215484]: 7203A12130C: client=localhost.localdomain[127.0.0.1], orig_client=sender-server[1.2.3.4]
Nov 23 13:34:38 server postfix/cleanup[216702]: 7203A12130C: message-id=<11d68aae-f0f1-2334-0faf-b89a1f2e7183@sender>
Nov 23 13:34:38 server postfix/qmgr[945]: 7203A12130C: from=<sender>, size=225842, nrcpt=1 (queue active)
Nov 23 13:34:38 server postfix/smtpd[215484]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 23 13:34:38 server pmg-smtp-filter[217179]: 121374637E135D19847: accept mail to <receiver> (7203A12130C) (rule: default-accept)
Nov 23 13:34:38 server postfix/smtp[216228]: Untrusted TLS connection established to 5.6.7.8[5.6.7.8]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 23 13:34:38 server pmg-smtp-filter[217179]: 121374637E135D19847: processing time: 1.415 seconds (0.966, 0.182, 0.08)
Nov 23 13:34:38 server postfix/smtpd[216408]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (121374637E135D19847); from=<sender> to=<receiver> proto=ESMTP helo=<mail.sender>
Nov 23 13:34:38 server postfix/smtpd[216408]: disconnect from sender-server[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 23 13:34:38 server postfix/smtp[216228]: 7203A12130C: to=<receiver>, relay=5.6.7.8[5.6.7.8]:25, delay=0.27, delays=0.06/0/0.02/0.19, dsn=2.6.0, status=sent (250 2.6.0 <11d68aae-f0f1-2334-0faf-b89a1f2e7183@sender> [InternalId=124300648513640, Hostname=receiver] 227156 bytes in 0.120, 1833,830 KB/sec Queued mail for delivery)
Nov 23 13:34:38 server postfix/qmgr[945]: 7203A12130C: removed
 
Last edited:
I am noticing in the logs that it is detecting files for example .docx as application/zip. This seems strange. Is this normal behavior or?
Is it possible because it's scanning all the files then they are shown in the logs
docx files are zipped xml files - so this is not unusual
 
  • Like
Reactions: poetry
I am getting undesirable behavior with my solution.
It's matching on files like rosenbauer.com!example.com!58005.xml.gz (this is matching my rule); it looks like it's matching on .com.
In that archive there is just the file rosenbauer.com!example.com!58005.xml (this is not matching).

I see in the logs:
Code:
Nov 23 22:13:40 server pmg-smtp-filter[282412]: 12117B637E8D040EDDC: found archive 'rosenbauer-1.com.gz' (application/gzip)
Nov 23 22:13:40 server pmg-smtp-filter[282412]: 12117B637E8D040EDDC: unpack archive 'rosenbauer-1.com.gz' done (5 ms)

How do I fix this? I want to block .com files, but I don't want to block the file rosenbauer.com!example.com!58005.xml.gz. I am guessing only two sub-file attachment types down, like .com.gz, should still detect .com, but not any deeper? How do I do this?

Right now I am using:
Match Archive Filename with Filename
Code:
.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|wim|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)
 
Last edited:
How to fix this? I want to block .com
the filename (and archivefilename filters) match regex - so if you want to only match a file-ending/extension - add a '$' at the end of your regex
(I'd suggest after the parantheses: '(xx|yy|zz|....)$'

I hope this helps!
 
  • Like
Reactions: poetry
the filename (and archivefilename filters) match regex - so if you want to only match a file-ending/extension - add a '$' at the end of your regex
(I'd suggest after the parantheses: '(xx|yy|zz|....)$'

I hope this helps!
This works for just file-ending/extension.
What if I want to block also also example .com.xml (detect .com) then how to do it? I see some extensions that have more then just file-ending so that would be also helpful to detect I guess.
 
The regex for that would be '.*\.com\.xml$'?

Thanks for the help; I will give up on this for now. I should have been more clear before: I want to add all the extensions I am blocking so they will be blocked as a file extension and as a sub-file extension, like .ade.apk or .rar.plg, but I am hitting "Parameter verification failed. (400) regex: value may only be 1024 characters long". I probably should have split the rules; then it might work.

This does not seem to be the right syntax for this, and it's too long:
Code:
.*\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|wim|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)\.(ade|ade|adp|apk|app|application|appref-ms|appx|appxbundle|arj|asp|aspx|asx|bas|bat|bgi|bz|cab|cer|chm|cmd|cnt|com|cpl|csh|der|diagcab|dll|dmg|ex|ex_|exe|fxp|gadget|grp|hlp|hpj|hta|htc|img|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|lz|lzh|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msix|msixbundle|msp|mst|msu|nsh|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|py|pyc|pyo|pyw|pyz|pyzw|r00|r01|rar|reg|scf|scr|sct|shb|shs|sys|tar|theme|tmp|url|vb|vbe|vbp|vbs|vhd|vhdx|vps|vsmacros|vss|vst|vsw|vxd|webpnp|website|wim|ws|wsc|wsf|wsh|xbap|xll|xnk|xz)$
 
Not sure what you're trying to achieve here - but if you want to block filenames matching '\.<extensions>$' and then also files matching '\.<extensions>\.<extensions>$', the second part is not necessary (the first one would already block the second one..).

And yes - 1024 is a rather large limit for a regex - maybe try a different approach - if it's really necessary in your environment - consider allowing only certain attachments (accept action on a higher prio), and then removing all other attachments (remove attachments (with quarantine) with a lower prio).

I hope this helps!
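As an added illustration (not code from the thread or from Proxmox), the following Python script runs the unanchored and '$'-anchored forms of the rule from the earlier reply, plus the double-extension variant from the last post, over constructed filenames like the ones discussed above. It assumes that Python's re engine matches these simple patterns the same way PMG's Perl matching does, and it uses only a short excerpt of the extension list.

```python
import re

# Constructed sample filenames modelled on the ones in this thread (not real mail).
SAMPLES = [
    "setup.exe",
    "invoice.com",
    "report.ade.apk",                            # double extension
    "rosenbauer.com!example.com!58005.xml.gz",   # DMARC-style report, '.com' mid-name
    "rosenbauer.com!example.com!58005.xml",
    "notes.com.xml",                             # '.com' followed by another extension
]

# Short excerpt of the thread's extension list; the full list behaves the same way.
EXTS = "ade|adp|apk|com|exe|msi|rar"

# Unanchored, as in the original rule: '\.com' anywhere in the name is enough.
UNANCHORED = re.compile(r".*\.(" + EXTS + r")")
# Anchored with '$' after the parentheses, as suggested in the reply:
# only the final extension counts.
ANCHORED = re.compile(r".*\.(" + EXTS + r")$")
# The explicit '<ext>.<ext>$' form from the last post.
DOUBLE = re.compile(r".*\.(" + EXTS + r")\.(" + EXTS + r")$")


def blocked(pattern, names):
    """Return the names the rule would match (and therefore remove).

    re.search mirrors an unanchored Perl '=~ /.../' match.
    """
    return [n for n in names if pattern.search(n)]


def double_is_redundant(names):
    """True if every name the double-extension rule catches is already
    caught by the anchored single-extension rule."""
    return set(blocked(DOUBLE, names)) <= set(blocked(ANCHORED, names))


if __name__ == "__main__":
    for label, pat in (("unanchored", UNANCHORED), ("anchored", ANCHORED), ("double", DOUBLE)):
        print(f"{label:>10}: {blocked(pat, SAMPLES)}")
    print("double rule redundant:", double_is_redundant(SAMPLES))
```

Whether PMG compares filenames case-insensitively is not covered by the thread; if names like SETUP.EXE must also be caught, test that on your own installation before relying on the rule.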