
Recipe 21.7. Rejecting Messages with Attachments

21.7.1 Problem

You want to block messages with certain attachments at the SMTP level.

21.7.2 Solution

Use Postfix's mime_header_checks with the following regexps:

# this must be one unbroken line
/filename=\"?(.*)\.(bat|cmd|com|dot|exe|hta|scr|pif|vbe|vbs)\"?$/   REJECT keep your malware off my network

# this must be one unbroken line
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|))"?\s*$/
    REJECT Attachments that contain or end in "$3" are prohibited on this server. "$2" is the name of the rejected file

Put this in a file and call it /etc/postfix/mime_header_checks.

Then add it to main.cf:

mime_header_checks = regexp:/etc/postfix/mime_header_checks

Remember to run postfix reload after changing main.cf.

Edit the list of file types to suit your own needs. The list in the example does not include any MS Office document file formats, such as .xls, .xlk, .doc, .wdb, .wri, .wrs, .ppt, and so forth; you may wish to add some of these.

21.7.3 Discussion

You can, with one simple regexp, reject all messages with attachments:

/filename=\"/   REJECT all messages with attachments are rejected

Just keep in mind that this will also reject messages with vCards, messages with GPG signatures that are attached rather than inline, HTML messages that attach images as separate files, and Outlook/Outlook Express messages that use MS-TNEF (MS-TNEF is useless to anyone not running Outlook/Outlook Express, because it's a proprietary rich-text format that no one else can read). Keep in mind that even if you don't care about rejecting all these things, the senders will not know that their messages were rejected, unless they read their mail logs.
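To check what the rules will and will not reject before loading them into Postfix, this added example (not part of the original recipe) applies the two Solution rules and the blanket rule to constructed sample headers. It approximates regexp-table lookup in Python, assuming single-line headers and Python's regex dialect in place of the system's POSIX one; load_table, check and the sample filenames are hypothetical.

```python
import re

# The recipe's two rules, one logical line each (action on an indented
# continuation line), plus the blanket rule from the Discussion.
RECIPE = r'''
/filename=\"?(.*)\.(bat|cmd|com|dot|exe|hta|scr|pif|vbe|vbs)\"?$/
    REJECT keep your malware off my network
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|))"?\s*$/
    REJECT Attachments that contain or end in "$3" are prohibited on this server. "$2" is the name of the rejected file
'''
BLANKET = r'/filename=\"/   REJECT all messages with attachments are rejected'

def load_table(text):
    """Parse regexp-table text into a list of (compiled pattern, action)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                            # blank line or comment
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()   # continuation line
        else:
            entries.append(line.strip())
    rules = []
    for entry in entries:
        pattern, action = re.match(r"/(.*)/\s+(.*)$", entry).groups()
        # Postfix regexp tables are case-insensitive unless a flag says otherwise.
        rules.append((re.compile(pattern, re.IGNORECASE), action))
    return rules

def check(rules, header):
    """Return the first matching rule's action with $N expanded, else None."""
    for pattern, action in rules:
        m = pattern.search(header)
        if m:
            return re.sub(r"\$(\d)", lambda d: m.group(int(d.group(1))) or "", action)
    return None

# Constructed sample headers, each already a single logical line.
SAMPLES = [
    'Content-Disposition: attachment; filename="SETUP.EXE"',
    'Content-Disposition: attachment; filename="settings.reg"',
    'Content-Disposition: attachment; filename="report.pdf"',
    'Content-Disposition: attachment; filename="signature.asc"',
    'Content-Type: text/plain; charset="us-ascii"',
]

if __name__ == "__main__":
    for name, table in (("recipe", RECIPE), ("blanket", BLANKET)):
        rules = load_table(table)
        for header in SAMPLES:
            print(f"{name:8} {check(rules, header) or 'accept':60.60} <- {header}")
```

On a host with Postfix installed, postmap -q with a header string as the key and regexp:/etc/postfix/mime_header_checks as the table queries the real file in the same way.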

Why list only Microsoft file types? That's up to you—you can list anything you want. Certainly, Windows is the hands-down winner at extending a warm, friendly welcome to malware via email.

21.7.4 See Also

  • Postfix's SMTPD_ACCESS_README, and access(5)

  • Chapter 11 of Postfix: The Definitive Guide

  • Microsoft Knowledge Base Article, 291369, for Microsoft's own "Unsafe File List"

  • Appendix C, Microsoft File Types
