
Description

While Locky was spreading in the wild, I blocked every Office document with AmavisD.

Yes, it protects my users 100% against this way of getting infected, but it also has the side effect of false positives, which I have to resolve with amavisd-release.

And because I am a lazy guy, I threw that job back to my users (smile)

Simple and dirty bash script and Postfix modifications

/etc/postfix/process_unban_mail.sh
#!/bin/bash
# Called by Postfix through /etc/aliases; the complete message arrives on stdin.
LOGFILE=/tmp/unban.log
ALLOWED_SENDERS="user1@example.com"
TIMESTAMP="$(date +%Y%m%d-%H%M%S)"
FROM=""
SUBJECT=""


# Pick the From: and Subject: headers out of the header block. The header
# block ends at the first empty line, so nothing in the body is looked at.
while read -r line
do
    [ -z "$line" ] && break
    case "$line" in
      "From: "*)
        # Bare address, whether or not it is wrapped in <...>
        FROM="$(echo "$line" | sed -E 's/^From:[[:space:]]*//; s/.*<([^>]+)>.*/\1/')"
        ;;
      "Subject: "*)
        # Header value without the label and without surrounding whitespace
        SUBJECT="$(echo "$line" | cut -d ':' -f 2- | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')"
        ;;
    esac
    #echo "$line" >> "$LOGFILE"
done < <(cat "$@")


echo "##################" >> "$LOGFILE"
echo "$TIMESTAMP" >> "$LOGFILE"


# Exact, literal match of the sender against the allowlist (whitespace-separated
# entries); -F and -x rule out regex metacharacters and substring matches.
if [ -n "$FROM" ] && echo "$ALLOWED_SENDERS" | tr ' ' '\n' | grep -qFx -- "$FROM"; then
  echo "Sender $FROM is allowed" >> "$LOGFILE"
  if echo "$SUBJECT" | grep -qE '^banned-[a-zA-Z_0-9-]{12}$'; then
    UNBAN_CODE="$SUBJECT"
    echo "Unban code $UNBAN_CODE found" >> "$LOGFILE"
    UNBAN_TEXT="$(/usr/sbin/amavisd-release "$UNBAN_CODE" 2>&1)"
    echo "$UNBAN_TEXT" >> "$LOGFILE"
  else
    echo "No unban code in $SUBJECT found" >> "$LOGFILE"
  fi
else
  echo "Sender $FROM not allowed" >> "$LOGFILE"
fi

/etc/postfix/virtual
unban_mail@example.com    unban_mail@unban.example.com
unban-mail@example.com    unban_mail@unban.example.com
unbanmail@example.com     unban_mail@unban.example.com

/etc/aliases
unban_mail: "|/etc/postfix/process_unban_mail.sh"

/etc/postfix/main.cf
mydestination = unban.example.com
alias_maps = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
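
As an added example that is not part of the original page, the request checks pulled out of the delivery script into a function that can be exercised against constructed messages: it reads only the header block (a Subject: line planted in the body is ignored), accepts header names in any case, takes the From: address with or without angle brackets, matches the sender literally against the allowlist, and requires the subject to be exactly one quarantine id. The allowlist and the sample messages are constructed; the function only decides and never calls amavisd-release.

```shell
# Constructed allowlist, whitespace-separated like the page's ALLOWED_SENDERS
ALLOWED_SENDERS="user1@example.com helpdesk@example.com"

# Print the value of one header (name matched case-insensitively) from the
# header block on stdin; the block ends at the first empty line.
header_value() {
  awk -v name="$1" '
    /^$/ { exit }                               # end of headers, stop reading
    tolower($0) ~ ("^" tolower(name) ":") {
      sub(/^[^:]*:[[:space:]]*/, "")           # drop "Name:" and leading blanks
      sub(/[[:space:]]+$/, "")                 # drop trailing blanks
      print; exit
    }'
}

# Reduce a From: value to the bare address, with or without <...>.
bare_address() {
  sed -E 's/.*<([^>]+)>.*/\1/; s/^[[:space:]]+//; s/[[:space:]]+$//'
}

# Read one message on stdin. Prints "release <id>" and returns 0 when every
# check passes, otherwise prints the reason and returns 1.
check_unban_request() {
  local msg from subject
  msg="$(cat)"
  from="$(printf '%s\n' "$msg" | header_value From | bare_address)"
  subject="$(printf '%s\n' "$msg" | header_value Subject)"

  # 1. Literal whole-entry match: -F (no regex) and -x (no substring).
  #    $ALLOWED_SENDERS is deliberately unquoted so it splits into one entry per line.
  if [ -z "$from" ] || ! printf '%s\n' $ALLOWED_SENDERS | grep -qFx -- "$from"; then
    echo "reject: sender '$from' not allowed"
    return 1
  fi
  # 2. The subject must be exactly one quarantine id (the page's pattern).
  if ! printf '%s\n' "$subject" | grep -qE '^banned-[A-Za-z0-9_-]{12}$'; then
    echo "reject: no quarantine id in subject '$subject'"
    return 1
  fi
  echo "release $subject"
}
```

Pipe a message into check_unban_request and hand the printed id to amavisd-release only on a zero exit status.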

AmavisD

Because I wasn't able to connect to the amavisd socket as the postfix user, I switched from the Unix socket to a TCP port and enabled the recipient notifications.

$interface_policy{'9998'} = 'AM.PDP';
# auth_required_release => 0: amavisd-release needs no secret_id on this port,
# so it must stay reachable from localhost only ($inet_socket_bind defaults to 127.0.0.1)
$policy_bank{'AM.PDP'} = { protocol=>'AM.PDP', auth_required_release => 0, };
$inet_socket_port = [10024,9998];


#$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
#$policy_bank{'AM.PDP-SOCK'} = {
#  protocol => 'AM.PDP',
#  auth_required_release => 0,  # do not require secret_id for amavisd-release
#};


$warnvirusrecip = 1;
$warnbannedrecip = 1;
$warnbadhrecip = 1;

The error I received while trying with the socket was:

: Command died with status 13:
    "/etc/postfix/process_unban_mail.sh". Command output: Can't connect to UNIX
    socket /var/spool/amavis/amavisd.sock: Permission denied at
    /usr/sbin/amavisd-release line 213.

Quick and dirty solution

chmod 2777 /var/run/amavisd/amavisd.sock

Or better, switch to the TCP socket:

vi /bin/amavisd-release
### USER CONFIGURABLE:

$log_level = 2;
$socketname = '127.0.0.1:9998';
#  $socketname = '/var/run/amavisd/amavisd.sock';