[TriLUG] Blocking Attachments in Exim/A really wack network admin

Jon Carnes jonc at nc.rr.com
Tue Apr 13 09:25:08 EDT 2004


This site details how to add content scanning to Exim's ACLs. The checks
are designed to be run after the SMTP DATA phase, while the sending host
is waiting for the final response to the end-of-data marker. This allows
Exim to reject messages containing unwanted content immediately while
still connected to the site that is dropping off the email. 
  http://duncanthrax.net/exiscan-acl/

This functionality was added specifically due to the recent onslaught of
spoofing viruses.

===

If you want to stick to a more traditional format then please read:

http://www.exim.org/exim-html-4.30/doc/html/spec.html

Exim 4 (unlike previous versions of Exim) implements policy controls on
incoming SMTP mail by means of Access Control Lists (ACLs). Each list is
a series of statements that may either grant or deny access.  The
sysadmin can specify conditions for accepting or rejecting individual
recipients or the entire message, respectively, at these two points (see
chapter 38). Denial of access results in an SMTP error code.

When a message has been received, either from a remote host or from the
local host, but before the final acknowledgement has been sent, a
locally supplied C function called local_scan() can be run to inspect
the message and decide whether to accept it or not (see chapter 39). If
the message is accepted, the list of recipients can be modified by the
function.

After a message has been accepted, a further checking mechanism is
available in the form of the system filter (see chapter 40). This runs
at the start of every delivery process.

===

If using Exim's system filtering, you can use something akin to:
   deliver null@localhost
   (where null@localhost expands to /dev/null)

Note: using "fail" will always result in a bounce message being sent

http://www.exim.org/exim-html-4.30/doc/html/filter_3.html

===

If you are using Sieve rules to bounce/reject then you would use
something akin to:
  fileinto "/dev/null"

Good Luck - Jon Carnes
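Josh's filter matches a regex against $message_body, which is a search over raw message text. The same check can be done as a walk over the decoded MIME structure, looking at each part's attachment name from either Content-Disposition or the Content-Type name= parameter, and then either discarding or producing the 5xx response that an end-of-DATA ACL (as in exiscan-acl) would hand back. This is an added example written for this thread, not Exim, exiscan or any poster's code; the extension denylist, the sample message and the response text are constructed here.

```python
"""Find attachments with executable-style extensions in a MIME message.

Added example for this thread; not Exim or exiscan-acl code. The denylist,
sample message and SMTP response text are constructed for illustration.
"""
import email
import re
from email import policy
from typing import List, Optional, Tuple

# Constructed denylist of extensions; a real deployment tunes this locally.
BLOCKED_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "lnk", "cpl", "reg",
}

# Final extension of a file name, tolerating trailing whitespace so that
# "report.pdf.exe" and "setup.EXE " both resolve to "exe".
_EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,5})\s*$")


def blocked_extension(filename: str) -> Optional[str]:
    """Return the lower-cased blocked extension of filename, or None."""
    m = _EXT_RE.search(filename)
    if not m:
        return None
    ext = m.group(1).lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def find_blocked_attachments(raw: bytes) -> List[Tuple[str, str]]:
    """Walk every leaf MIME part and collect (filename, extension) pairs
    whose extension is on the denylist. get_filename() reads the
    Content-Disposition filename first and falls back to the
    Content-Type name= parameter, so parts carrying only name= are seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers have no attachment of their own
        name = part.get_filename()
        if not name:
            continue  # inline text/html parts without a file name
        ext = blocked_extension(name)
        if ext:
            hits.append((name, ext))
    return hits


def smtp_response(hits: List[Tuple[str, str]]) -> Optional[str]:
    """Text an end-of-DATA ACL would return: None to accept, or a 550 line
    naming the offending attachment(s) so the sender knows why."""
    if not hits:
        return None
    names = ", ".join(name for name, _ in hits)
    return "550 5.7.1 Attachment type not permitted: " + names


# Constructed sample: a text body, a benign PDF with Content-Disposition,
# and an executable whose name appears only in the Content-Type name= field.
SAMPLE_MESSAGE = b"""\
From: sender@example.com
To: recipient@example.org
Subject: Re: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

See attached.
--b1
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    found = find_blocked_attachments(SAMPLE_MESSAGE)
    print(found)                 # [('invoice.pdf.exe', 'exe')]
    print(smtp_response(found))
```

Whether the hits lead to a 550 at SMTP time or to a silent drop is the policy question the thread is about; the detection is the same either way, and doing it on the parsed MIME tree avoids depending on how the raw body happens to be encoded.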

On Mon, 2004-04-12 at 20:12, Joshua Gitlin wrote:
> First, let me apologize to David, Jon, Tanner, and everyone else -- 
> Before I dealt with this situation I contacted my ISP, and they assured 
> me that (as Matthew said) what my server is doing is the same as what 
> "most" servers are configured to do. This gave me an invalid sense that 
> I was in the right, and the tone of my message was harsh. I accept that 
> what I'm doing isn't the right solution, but my questions still remain 
> unanswered. Jon -- I'd like to "get a clue" and be more responsible. 
> That's why I posted in the first place...
> 
> It seems that the consensus is that I should just drop messages with 
> these potential virus attachments, instead of bouncing them or rejecting 
> them at SMTP time. Currently, my exim's antivirus file looks like this:
> 
> if $message_body matches <a variety of rules...>
> then
>    fail text "This message has been rejected because it has\n\
>               a potentially executable attachment $1\n\
>               This form of attachment has been used by\n\
>               recent viruses or other malware.\n\
>               If you meant to send this file then please\n\
>               package it up as a zip file and resend it."
>    seen finish
> endif
> 
> What do I use instead of "fail text"? Is the best option really just to 
> /dev/null these messages? And if so, what command do I use?
> 
> Thanks again for all your help guys.
> 
> -Josh
> 