1 (edited by drosalevan 2016-07-03 03:50:07)

Topic: Banned attachment notification for user

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: Debian 8.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
====

Hello!

When a user sends mail with a banned attachment, he doesn't get any error or feedback from the mail server. The user thinks the mail has been delivered to the recipient, but the mail was banned.

Is it possible to notify (for example via MAILER-DAEMON) users who sent messages with banned attachments (*.exe)?

Jul  2 22:26:23 mail postfix/qmgr[12543]: 1D24221447: from=<a@tele.com>, size=41065648, nrcpt=1 (queue active)
...
Jul  2 22:26:28 mail amavis[17461]: (17461-08) Blocked BANNED (application/x-msdownload,.exe,.exe-ms,FoxitReader606.0722_enu_Setup.exe) {DiscardedInternal,Quarantined}, LOCAL [37.91.135.128]:64985 [37.91.135.128] <a@tele.com> -> <a@din.ru>, quarantine: fowKXf12cPW7, Queue-ID: 1D24221447, Message-ID: <57649729.20160702222635@tele.com>, mail_id: fowKXf12cPW7, Hits: -, size: 41065648, 5642 ms
Jul  2 22:26:28 mail postfix/smtp[21627]: 1D24221447: to=<a@din.ru>, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=9.2/0.02/0.01/5.7, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=17461-08 - BANNED: application/x-msdownload,.exe,.exe-ms,FoxitReader606.0722_enu_Setup.exe)
Jul  2 22:26:28 mail postfix/qmgr[12543]: 1D24221447: removed

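The Postfix line above explains why the sender sees nothing: amavisd answered `250 2.7.0 Ok, discarded`, so Postfix logs `status=sent` and the message is silently dropped by amavisd itself. The only trace is the amavis `Blocked BANNED ... {DiscardedInternal,...}` line. As an added example (not from this thread or from iRedMail), here is a small Perl script that pulls those events out of a mail log and flags the ones where the action list says the mail was discarded (no DSN to the sender) and where no quarantine id was logged (the message is unrecoverable). The sample input is constructed: the two amavis lines quoted in this thread plus one made-up `Passed CLEAN` line that must be ignored.

```perl
#!/usr/bin/perl
# Added example: report amavis "Blocked BANNED" events from a mail log and
# flag the ones where the sender was never told and nothing was kept.
use strict;
use warnings;

# Constructed sample input: the two amavis lines quoted in the thread plus a
# made-up "Passed CLEAN" line that the filter must skip.
my @log = (
    'Jul  2 22:26:28 mail amavis[17461]: (17461-08) Blocked BANNED (application/x-msdownload,.exe,.exe-ms,FoxitReader606.0722_enu_Setup.exe) {DiscardedInternal,Quarantined}, LOCAL [37.91.135.128]:64985 [37.91.135.128] <a@tele.com> -> <a@din.ru>, quarantine: fowKXf12cPW7, Queue-ID: 1D24221447, Message-ID: <57649729.20160702222635@tele.com>, mail_id: fowKXf12cPW7, Hits: -, size: 41065648, 5642 ms',
    'Jul  3 13:09:17 mail amavis[12493]: (12493-01) Blocked BANNED (application/x-msdownload,.exe,.exe-ms,Profwiz.exe) {DiscardedInternal}, LOCAL [37.91.135.128]:50356 [37.91.135.128] <da@mydomain.com> -> <a@gmail.com>, Queue-ID: 7958322270, Message-ID: <148958338.20160703130943@mydomain.com>, mail_id: IL0r-1jocWx1, Hits: -, size: 992105, 401 ms',
    'Jul  3 13:10:02 mail amavis[12493]: (12493-02) Passed CLEAN {RelayedInternal}, LOCAL [37.91.135.128]:50360 [37.91.135.128] <da@mydomain.com> -> <b@gmail.com>, Queue-ID: 7A1B2C3D4E, Message-ID: <x@mydomain.com>, mail_id: Abc123, Hits: -, size: 1234, 100 ms',
);

# Parse one amavis log line. Returns a hashref for "Blocked BANNED" events
# and an empty list for anything else.
sub parse_banned {
    my ($line) = @_;
    return unless $line =~ m/
        amavis\[\d+\]:\s\(\d+-\d+\)\s             # amavis pid and task id
        Blocked\sBANNED\s\((?<banned>[^)]*)\)\s    # type, extension(s), file name
        \{(?<actions>[^}]*)\},                     # actions performed
        .*?<(?<from>[^>]*)>\s->\s<(?<to>[^>]*)>,   # envelope sender -> recipient
    /x;
    my %ev = (
        banned  => $+{banned},
        actions => [ split /,/, $+{actions} ],
        from    => $+{from},
        to      => $+{to},
    );
    # Optional fields: quarantine id (absent when nothing was kept) and the
    # Postfix queue id, for correlating with the postfix/qmgr lines.
    $ev{quarantine} = $1 if $line =~ /\bquarantine:\s(\S+),/;
    $ev{queue_id}   = $1 if $line =~ /\bQueue-ID:\s(\S+),/;
    # The file name is the last element of the BANNED (...) list.
    ($ev{file}) = ( split /,/, $ev{banned} )[-1];
    # A Discarded/DiscardedInternal action means amavisd sent no DSN; the
    # submitting MTA saw "250 Ok, discarded" and the sender learns nothing.
    $ev{sender_notified} = ( grep { /^Discarded/ } @{ $ev{actions} } ) ? 0 : 1;
    return \%ev;
}

for my $line (@log) {
    my $ev = parse_banned($line) or next;
    printf "%-11s %-17s -> %-17s file=%s actions=%s%s%s\n",
        $ev->{queue_id} // '-', $ev->{from}, $ev->{to}, $ev->{file},
        join( ',', @{ $ev->{actions} } ),
        $ev->{sender_notified} ? '' : ' SENDER-NOT-NOTIFIED',
        $ev->{quarantine}      ? '' : ' NOT-QUARANTINED';
}
```

Run it against `/var/log/mail.log` by replacing the constructed `@log` array with a file read. Both thread lines come out flagged `SENDER-NOT-NOTIFIED`; the second one is additionally `NOT-QUARANTINED`, which matches the `$banned_files_quarantine_method = undef` setting in the config posted later in this thread: that message was dropped without any copy being kept.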

2

Re: Banned attachment notification for user

Check Amavisd config file, do you have setting like below?

$policy_bank{'ORIGINATING'} = {
    ...
    warnbannedsender => 1,
    ...
};

3

Re: Banned attachment notification for user

ZhangHuangbin wrote:

Check Amavisd config file, do you have setting like below?

$policy_bank{'ORIGINATING'} = {
    ...
    warnbannedsender => 1,
    ...
};

Yes, this option is set, but there is no notification to the user.
I don't understand where I went wrong in the config.

Mail log:

Jul  3 13:09:16 mail postfix/cleanup[12533]: 7958322270: message-id=<148958338.20160703130943@mydomain.com>
Jul  3 13:09:16 mail postfix/qmgr[12129]: 7958322270: from=<da@mydomain.com>, size=992105, nrcpt=1 (queue active)
Jul  3 13:09:17 mail amavis[12493]: (12493-01) Blocked BANNED (application/x-msdownload,.exe,.exe-ms,Profwiz.exe) {DiscardedInternal}, LOCAL [37.91.135.128]:50356 [37.91.135.128] <da@mydomain.com> -> <a@gmail.com>, Queue-ID: 7958322270, Message-ID: <148958338.20160703130943@mydomain.com>, mail_id: IL0r-1jocWx1, Hits: -, size: 992105, 401 ms
Jul  3 13:09:17 mail postfix/smtp[12538]: 7958322270: to=<a@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.79, delays=0.35/0.02/0.03/0.39, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=12493-01 - BANNED: application/x-msdownload,.exe,.exe-ms,Profwiz.exe)
Jul  3 13:09:17 mail postfix/qmgr[12129]: 7958322270: removed

cat /etc/amavis/conf.d/50-user

use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#


#------------ Do not modify anything below this line -------------
#{1}

#$allowed_added_header_fields{lc('Received')} = 0;

chomp($mydomain = "mail.mydomain.com");
@local_domains_maps = 1;
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

# listen on multiple TCP ports. 9998 is used for releasing quarantined mails.
$inet_socket_port = [10024, 10026, 9998];

# Enable virus check.
@bypass_virus_checks_maps = (
   \%bypass_virus_checks,
   \@bypass_virus_checks_acl,
   $bypass_virus_checks_re,
   );

# Enable spam check.
@bypass_spam_checks_maps = (
    \%bypass_spam_checks,
    \@bypass_spam_checks_acl,
    $bypass_spam_checks_re,
    );

$mailfrom_notify_admin = "root\@$mydomain";
$mailfrom_notify_recip = "root\@$mydomain";
$mailfrom_notify_spamadmin = "root\@$mydomain";

# Mail notify.
$mailfrom_notify_admin     = "root\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "root\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "root\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

# Disable defang banned mail.
$defang_banned = 0;  # MIME-wrap passed mail containing banned name

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
  allow_disclaimers => 1,  # enables disclaimer insertion if available
};

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
    originating => 1,  # declare that mail was submitted by our smtp client
    allow_disclaimers => 1,  # enables disclaimer insertion if available
    # notify administrator of locally originating malware
    virus_admin_maps => ["root\@$mydomain"],
    spam_admin_maps  => [],
    bad_header_admin_maps => [],
    banned_admin_maps => ["root\@$mydomain"],
    warnbadhsender   => 0,
    warnbannedsender => 1,

    # forward to a smtpd service providing DKIM signing service
    forward_method => 'smtp:[amavis]:10027',
    # force MTA conversion to 7-bit (e.g. before DKIM signing)
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    #bypass_banned_checks_maps => [1],  # allow sending any file names and types
    terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

# SpamAssassin debugging. Default is off (0).
# Note: '$log_level' variable above is required for SA debug.
$log_level = 0;              # verbosity 0..5, -d
$sa_debug = 0;

# Set hostname.
$myhostname = "mail.mydomain.com";

# Set listen IP/PORT.
$notify_method  = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';

@av_scanners = (
    #### http://www.clamav.net/
    ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

@av_scanners_backup = (
    ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
    ['ClamAV-clamscan', 'clamscan',
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);


# Apply to mails coming from internal networks or authenticated users.
# mail supposedly originating from our users
#$policy_bank{'MYUSERS'} = {
#    # declare that mail was submitted by our smtp client
#    originating => 1,
#
#    # enables disclaimer insertion if available
#    allow_disclaimers => 1,
#
#    # notify administrator of locally originating malware
#    virus_admin_maps => ["root\@$mydomain"],
#    spam_admin_maps => [],
#    bad_header_admin_maps => [],
#    banned_admin_maps => ["root\@$mydomain"],
#
#    # notify sender of malware
#    warnbadhsender => 0,
#    warnbannedsender => 0,
#
#    # forward to a smtpd service providing DKIM signing service
#    #forward_method => 'smtp:[127.0.0.1]:10027',
#
#    # force MTA conversion to 7-bit (e.g. before DKIM signing)
#    smtpd_discard_ehlo_keywords => ['8BITMIME'],
#
#    # don't remove NOTIFY=SUCCESS option
#    terminate_dsn_on_notify_success => 0,
#
#    # don't perform spam/virus/header check.
#    #bypass_spam_checks_maps => [1],
#    bypass_virus_checks_maps => [1],
#    #bypass_header_checks_maps => [1],
#
#    # allow sending any file names and types
#    bypass_banned_checks_maps => [1],
#
#    # Quarantine clean messages
#    #clean_quarantine_method => 'sql:',
#    #final_destiny_by_ccat => {CC_CLEAN, D_DISCARD},
#};

#
# Port used to release quarantined mails.
#
$interface_policy{'10026'} = 'ORIGINATING';

$interface_policy{'9998'} = 'AM.PDP-INET';
$policy_bank{'AM.PDP-INET'} = {
    protocol => 'AM.PDP',       # select Amavis policy delegation protocol
    inet_acl => [qw( 127.0.0.1 [::1] )],    # restrict access to these IP addresses
    auth_required_release => 1,    # 0 - don't require secret_id for amavisd-release
    #log_level => 4,
    #always_bcc_by_ccat => {CC_CLEAN, 'admin@example.com'},
};

# Set default action.
# Available actions: D_PASS, D_BOUNCE, D_REJECT, D_DISCARD.
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_DISCARD;
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;

#########################
# Quarantine mails.
#

# Where to store quarantined mail message:
#   - 'local:spam-%i-%m', quarantine mail on local file system.
#   - 'sql:', quarantine mail in SQL server specified in @storage_sql_dsn.
#   - undef, do not quarantine mail.

# Bad header.
#$bad_header_quarantine_method = undef;
$bad_header_quarantine_method = 'sql:';
$bad_header_quarantine_to = 'bad-header-quarantine';

# SPAM.
#$spam_quarantine_method = undef;
$spam_quarantine_method = 'sql:';
$spam_quarantine_to = 'spam-quarantine';

# Virus
$virus_quarantine_to     = 'virus-quarantine';
$virus_quarantine_method = 'sql:';

# Banned
$banned_files_quarantine_method = undef;
#$banned_files_quarantine_method = 'sql:';
#$banned_quarantine_to = 'banned-quarantine';

#########################
# Quarantine CLEAN mails.
# Don't forget to enable clean quarantine in policy bank 'MYUSERS'.
#
#$clean_quarantine_method = 'sql:';
#$clean_quarantine_to = 'clean-quarantine';

$sql_allow_8bit_address = 1;
$timestamp_fmt_mysql = 1;

# a string to prepend to Subject (for local recipients only) if mail could
# not be decoded or checked entirely, e.g. due to password-protected archives
#$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it
$undecipherable_subject_tag = undef;
# Hope to fix 'nested MAIL command' issue on high load server.
$smtp_connection_cache_enable = 0;

# The default set of header fields to be signed can be controlled
# by setting %signed_header_fields elements to true (to sign) or
# to false (not to sign). Keys must be in lowercase, e.g.:
# 0 -> off
# 1 -> on
$signed_header_fields{'received'} = 0;
$signed_header_fields{'to'} = 1;

# Make sure it signs all inbound mails, avoid error log like this:
# 'dkim: not signing inbound mail'.
$originating = 1;

# Add dkim_key here.
dkim_key("mydomain.com", "dkim", "/var/lib/dkim/mydomain.pem");

# Note that signing mail for subdomains with a key of a parent
# domain is treated by recipients as a third-party key, which
# may 'hold less merit' in their eyes. If one has a choice,
# it is better to publish a key for each domain (e.g. host1.a.cn)
# if mail is really coming from it. Sharing a pem file
# for multiple domains may be acceptable, so you don't need
# to generate a different key for each subdomain, but you
# do need to publish it in each subdomain. It is probably
# easier to avoid sending addresses like host1.a.cn and
# always use a parent domain (a.cn) in 'From:', thus
# avoiding the issue altogether.
#dkim_key("host1.mydomain.com", "dkim", "/var/lib/dkim/mydomain.pem");
#dkim_key("host3.mydomain", "dkim", "/var/lib/dkim/mydomain.pem");

# Add new dkim_key for other domain.
#dkim_key('Your_New_Domain_Name', 'dkim', 'Your_New_Pem_File');

@dkim_signature_options_bysender_maps = ( {
 .....
} );
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key
# ------------ Disclaimer Setting ---------------
# Uncomment this line to enable signing a disclaimer in outgoing mails.
#$defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];

# Program used to sign the disclaimer in outgoing mails.
$altermime = '/usr/bin/altermime';

# Disclaimer in plain text format.
@altermime_args_disclaimer = qw(--disclaimer=/etc/postfix/disclaimer/_OPTION_.txt --disclaimer-html=/etc/postfix/disclaimer/_OPTION_.txt --force-for-bad-html);

@disclaimer_options_bysender_maps = ({
    # Per-domain disclaimer setting: /etc/postfix/disclaimer/host1.iredmail.org.txt
    #'host1.iredmail.org' => 'host1.iredmail.org',

    # Sub-domain disclaimer setting: /etc/postfix/disclaimer/iredmail.org.txt
    #'.iredmail.org'      => 'iredmail.org',

    # Per-user disclaimer setting: /etc/postfix/disclaimer/boss.iredmail.org.txt
    #'boss@iredmail.org'  => 'boss.iredmail.org',

    # Catch-all disclaimer setting: /etc/postfix/disclaimer/default.txt
    '.' => 'default',
},);
# ------------ End Disclaimer Setting ---------------
# Reporting and quarantining.
@storage_sql_dsn = (
    ['DBI:mysql:database=amavisd;host=127.0.0.1;port=3306', 'amavisd', '4NJLto8wPnGs2t6S8OXRWv7SjdVjAK'],
);

# Lookup for per-recipient, per-domain and global policy.
@lookup_sql_dsn = @storage_sql_dsn;
# Don't send email with subject "UNCHECKED contents in mail FROM xxx".
delete $admin_maps_by_ccat{&CC_UNCHECKED};

# Do not notify administrator about SPAM/VIRUS from remote servers.
$virus_admin = undef;
$spam_admin = undef;
$banned_admin = undef;
$bad_header_admin = undef;
# Num of pre-forked children.
# WARNING: it must match (equal to or larger than) the number set in
# /etc/postfix/master.cf "maxproc" column for the 'smtp-amavis' service.
$max_servers = 4;

$localhost_name = $myhostname;

# Custom Amavisd log template to always log SpamAssassin testing results,
# useful for troubleshooting. if you want more verbose log, replace it by:
#
#   $log_templ = $log_verbose_templ;
#
# WARNING: $log_verbose_templ will log mail subject, this may be illegal
#          according to the laws in some countries.
#
# Note: You can find the original log template at the bottom of
#       /usr/sbin/amavisd-new.
$log_templ = '
[?%#D|#|Passed #
[? [:ccat|major] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER-[:ccat|minor]|SPAMMY|SPAM|\
UNCHECKED[?[:ccat|minor]||-ENCRYPTED|]|BANNED (%F)|INFECTED (%V)]#
 {[:actions_performed]}#
,[?%p|| %p][?%a||[?%l|| LOCAL] [:client_addr_port]][?%e|| \[%e\]] [:mail_addr_decode_octets|%s] -> [%D|[:mail_addr_decode_octets|%D]|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: [:mail_addr_decode_octets|%m]]#
[? %r ||, Resent-Message-ID: [:mail_addr_decode_octets|%r]]#
[? %i ||, mail_id: %i]#
, Hits: [:SCORE]#
, size: %z#
[? [:partition_tag] ||, pt: [:partition_tag]]#
[~[:remote_mta_smtp_response]|["^$"]||[", queued_as: "]]\
[remote_mta_smtp_response|[~%x|["queued as ([0-9A-Za-z]+)$"]|["%1"]|["%0"]]|/]#
#, Subject: [:dquote|[:mime2utf8|[:header_field_octets|Subject]|100|1]]#
#, From: [:uquote|[:mail_addr_decode_octets|[:rfc2822_from]]]#
[? [:dkim|sig_sd]    ||, dkim_sd=[:dkim|sig_sd]]#
[? [:dkim|newsig_sd] ||, dkim_new=[:dkim|newsig_sd]]#
, %y ms#
[? %#T ||, Tests: \[[%T|,]\]]#
]
[?%#O|#|Blocked #
[? [:ccat|major|blocking] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER-[:ccat|minor]|SPAMMY|SPAM|\
UNCHECKED[?[:ccat|minor]||-ENCRYPTED|]|BANNED (%F)|INFECTED (%V)]#
 {[:actions_performed]}#
,[?%p|| %p][?%a||[?%l|| LOCAL] [:client_addr_port]][?%e|| \[%e\]] [:mail_addr_decode_octets|%s] -> [%O|[:mail_addr_decode_octets|%O]|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: [:mail_addr_decode_octets|%m]]#
[? %r ||, Resent-Message-ID: [:mail_addr_decode_octets|%r]]#
[? %i ||, mail_id: %i]#
, Hits: [:SCORE]#
, size: %z#
[? [:partition_tag] ||, pt: [:partition_tag]]#
#, Subject: [:dquote|[:mime2utf8|[:header_field_octets|Subject]|100|1]]#
#, From: [:uquote|[:mail_addr_decode_octets|[:rfc2822_from]]]#
[? [:dkim|sig_sd]    ||, dkim_sd=[:dkim|sig_sd]]#
[? [:dkim|newsig_sd] ||, dkim_new=[:dkim|newsig_sd]]#
, %y ms#
[? %#T ||, Tests: \[[%T|,]\]]#
]';

1;  # ensure a defined return

4

Re: Banned attachment notification for user

Does it work if you add "warnbannedsender" in "$policy_bank{'MYNETS'}"?

5

Re: Banned attachment notification for user

The problem was in $final_banned_destiny, which was set to D_DISCARD.
After changing it to D_BOUNCE, all works great!
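One caveat on the fix above: `$final_banned_destiny` in the posted `50-user` is a global setting, so switching it to D_BOUNCE also bounces banned mail that arrives from the Internet, and since inbound envelope senders are routinely forged, every such bounce becomes backscatter to an innocent third party. The safer shape is to keep D_DISCARD globally and override the destiny only in the ORIGINATING policy bank, which the posted config binds to the authenticated submission path (`$interface_policy{'10026'} = 'ORIGINATING'`), where the envelope sender is a real local mailbox. The fragment below is an added example for `/etc/amavis/conf.d/50-user` (not from this thread and not iRedMail's shipped config). It assumes amavisd's per-policy-bank override of the `final_*_destiny` variables and the SQL quarantine tables that iRedMail creates; because `$policy_bank{'ORIGINATING'} = { ... }` in the posted file replaces the whole hash, these lines must come after that assignment.

```perl
# Added example for /etc/amavis/conf.d/50-user: notify only our own users
# about banned attachments, without generating backscatter for inbound mail.
# Place this AFTER the existing $policy_bank{'ORIGINATING'} = { ... } block,
# which would otherwise overwrite the keys set here.

# Global default stays D_DISCARD: mail from the Internet is never bounced,
# because a forged envelope sender would receive the bounce.
$final_banned_destiny = D_DISCARD;

# Keep a copy of discarded banned mail so an admin can inspect or release it.
# With $banned_files_quarantine_method = undef (as in the posted config) a
# discarded message is simply gone, as the "{DiscardedInternal}" log line
# without a "quarantine:" field shows.
$banned_files_quarantine_method = 'sql:';
$banned_quarantine_to           = 'banned-quarantine';

# Override the destiny only for mail submitted by authenticated users
# (policy bank ORIGINATING, reached via port 10026 in the posted config).
# Here the envelope sender is a local mailbox, so the DSN reaches a person.
$policy_bank{'ORIGINATING'}{'final_banned_destiny'} = D_BOUNCE;
$policy_bank{'ORIGINATING'}{'warnbannedsender'}     = 1;
# Keep the admin copy of locally originating banned mail, as in the posted
# config (assumed: root@$mydomain is a monitored mailbox).
$policy_bank{'ORIGINATING'}{'banned_admin_maps'}    = ["root\@$mydomain"];

1;  # ensure a defined return
```

After `service amavis restart`, a banned attachment submitted by a local user should log `Blocked BANNED ... {Bounced...,Quarantined}` style actions and the user receives a non-delivery report, while the same attachment arriving from outside is still discarded to quarantine with no bounce. Check `/var/log/mail.log` for both cases before relying on it, since the exact action names depend on the amavisd version.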