Qpsmtpd:exe filter

From SME Server
Revision as of 13:26, 30 July 2017 by Mmccarn (talk | contribs) (Created page with "<span id="_top">Qpsmtpd#Plugins</span> = NAME = exe_filter = DESCRIPTION = exe_filter blocks executable (and other) attachments by matching the ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Qpsmtpd#Plugins

NAME

exe_filter

DESCRIPTION

exe_filter blocks executable (and other) attachments by matching the first body line of each MIME part in a message against a set of known signatures. If a match is found, the email is denied.

Signatures are stored one per line in signature files in the qpsmtpd config directory. exe_filter currently supports 'signature_exe' and 'signature_zip' files.

This version uses Simon Cozen's Email::MIME module, rather than reimplementing the MIME wheel.

CONFIG

The following parameters can be passed to exe_filter, or set in a 'exe_filter' config file.

check <suffixes>

where <suffixes> is a comma-separated list of suffixes to check e.g.

  check exe,zip

A corresponding 'signature_<suffix>' file should exist for each supplied suffix.

Default: 'check exe'.

Note: this argument used to be called 'deny', which is now deprecated but still functional.

action <action>

The action to take when a signature match is found. Valid values are 'deny' (the default), to DENY the mail, and 'note', to record a transaction note for some later plugin (and then DECLINE). If action is 'note', the default note name is 'virus_score', with a default value of 1. These defaults can be modified using an extended note syntax - 'note:NAME=VALUE' e.g.

  action note:virus_score=1                # default settings
  action note:exe_filter=virus_found       # random example

Numeric note values are accumulated, not replaced.

Default: 'action deny'.

The following parameter can be passed to exe_filter in config/plugins (but not set via a config file):

per_recipient 1
Allow per-recipient configs to be used (using the per_user_config plugin). Default: 0.

BUGS AND LIMITATIONS

exe_filter is a simple mime part filter - it does not unpack and scan archives for executables like a full-blown virus scanner. Likewise, zip filtering blocks *all* zip files, not just those that contain a virus. You should use a proper virus scanner if that's what you need.

exe_filter slurps the entire email into memory and uses Email::MIME to do the mime parsing, so it's reasonably memory hungry. You may find you need to increase your memory softlimits if running under tcpserver.

Because exe_filter is a post_data plugin, it cannot handle different configurations in per_recipient mode. This means that if you want to use per_recipient configurations, you should also enforce that only compatible recipients occur in a single mail (e.g. using a plugin like denysoft_multi_rcpt).

AUTHOR

Written by Gavin Carr <gavin@openfusion.com.au>, inspired by Russ Nelson's viruscan patch to qmail-smtpd (http://www.qmail.org/qmail-smtpd-viruscan-1.2.patch).