The sanitizer is primarily intended to process messages being
delivered on the mail server itself, where the mail server software is
running on the same system as the user mailboxes. This is called
"local delivery". In this case, procmail is probably already the
default local delivery agent, and adding in the sanitizer is very
simple.
Running the sanitizer on a mail server that passes messages on to
another server for final delivery is called "mail relay".
Mail being passed from many domains on the Internet to server(s) on
your local network that support one or a few domains (e.g. from the
public sendmail gateway to the corporate Microsoft Exchange server)
is called "inbound relay". When mail originates on your local network
and is being passed on to many other domains on the Internet it is
called "outbound relay".
Please note that the outbound instructions call for two servers.
Configuring sanitizing of inbound and outbound mail on a single server
is still being tested. (If anyone has something like this already set
up, please let me know!)
- MANGLE_EXTENSIONS: List of
filename
extensions to mangle and possibly poison.
This list of extensions must follow a specific format. If it is not
correct bad things can happen, including the sanitizer going into
infinite loops.
The format of this string is:
ext|ext|ext|ex[ts]|etc
Include filename extensions, without the period, separated by vertical
bars. DO NOT put a vertical bar at the beginning or end of the
list and DO NOT put two vertical bars next to each other with no
extension between them.
If you want to include a list of similar extensions, for example
DOC for Word document files and DOT for Word
document templates, you can merge them like this: do[ct] This
means "DOC or DOT".
Note that the MANGLE_EXTENSIONS list you enter must all be
on one line.
Any attached file whose name ends in one of these extensions will have
its filename mangled. This is done for two reasons:
- It prevents the recipient from executing the attachment by simply
double-clicking on it. Executing an attachment in this manner can
bypass virus scanning. If the recipient has to save the attachment and
rename it before they can run it, then their antivirus software will
have a chance to scan it.
- It changes the attachment's name so that if some script code in
the message is looking for the attachment it won't be found. This
makes it harder for some automatically-executing nastygrams to do
anything.
You do not have to specify any MANGLE_EXTENSIONS list. The
sanitizer ships with an extensive list of dangerous filename
extensions which are used if you do not specify a different list.
You may override the default list of extensions to mangle by setting
MANGLE_EXTENSIONS to a new list.
Note that what you specify completely replaces the default list.
The default list is:
MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|c[ip]l|pps|wm[avszdf]|vcf|nws|wsz|\{[-0-9a-f]+\}'
As you can see, the default MANGLE_EXTENSIONS list is extensive, so
a default installation of the sanitizer will be rather paranoid. You
will probably want to permit Office documents and the .EML, .VCF and
.HTML extensions if you are using the sanitizer in an ISP setting.
MANGLE_EXTENSIONS can be customized to provide different levels of
security for different purposes. For example, you may not wish to
mangle Word documents and Excel spreadsheets that are being sent
within your domain, but you still want to mangle them when they come
in from the Internet.
To do this, you would add something like the following to your
/etc/procmailrc before the
INCLUDERC=/etc/procmail/html-trap.procmail call:
:0
* ^From:.*<[a-z0-9]+@mydomain.com>
* ^To:.*<[a-z0-9]+@mydomain.com>
{
# Do not mangle Office documents
MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|dot|xl[wt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|c[ip]l|pps|asx|wm[avszdf]|vcf|nws|wsz|\{[-0-9a-f]+\}'
}
Note that "doc" and "xls" do not appear in this custom
MANGLE_EXTENSIONS list.
This sort of thing can become arbitratrily complex, specifying
different mangle lists based on any number of message sources and
destinations and any other criteria.
In the current release of the sanitizer only those extensions that
appear in the MANGLE list are considered for stripping or poisoning.
Removing an extension from the MANGLE list means you will not be able to
strip or poison files with that extension.
NOTE: Certain extensions are "special" and are always
considered for stripping or poisoning, regardless of whether they are being
mangled. Microsoft Office files (.DOC, .DOT, .XLS, .RTF, etc.) and ZIP
and RAR archives (.ZIP, .RAR) will still be checked for stripping and poisoning
even if they are not in the MANGLE list. The "ZIP" and "RAR" extensions will
never be added to the default MANGLE list.
NOTE: This model will change soon someday to be much
more flexible and easier to customize. See
the Future Directions
document for more info.
IMPORTANT NOTE: The CLSID match "\{[-0-9a-f]+\}"
MUST NOT be used with sanitizers prior to 1.130 - it will cause
them to crash. If you want to mangle/poison CLSID-named files, you
must upgrade to 1.130 or newer.
An
"opt-out" preprocessor that simplifies setting up
MANGLE_EXTENSIONS is available. Please take a look at it if you
are using the sanitizer in an ISP setting or in any application where you
wish the users to be able to choose their own security level. If someone
wants to create a web interface to this, I'm sure lots of people would be
grateful...
- POISONED_EXECUTABLES: Name of policy file containing filespecs of files to poison.
This variable specifies the name of a file containing a list of
attachment filenames to consider "poisoned". These filenames can
contain wildcards. See the discussion of SECURITY_QUARANTINE for how
poisoned messages are handled.
The filename specification may be followed by comments. Separate the
comments from the filename spec using spaces or TABs. If you wish to
include space(s) in a filename specification, use the token
"\s" rather than using an actual space character.
For future compatibility you should begin comment text with a
"#" character (standard shell quoting syntax). See below
for examples.
The current version of the sanitizer only checks the poisoned
filenames list if the filename extension appears in the
MANGLE_EXTENSIONS list. Filenames whose extensions do not appear in
the MANGLE_EXTENSIONS list cannot be poisoned, except for Microsoft
Office files, which are "special". See the discussion of
MANGLE_EXTENSIONS.
The recommended
contents of this file can be downloaded. A brief sample:
*.asd
*.bat
*.chm # Compiled help files - scriptable
*.com
*.dll
*.exe
*.ocx
*.hlp # Help files - scriptable
*.hta
*.js
*.pif # Program Information Files - like shortcuts
*.scr # Screen saver programs
*.shb
*.shs
*.vb
*.vbe
*.vbs # Microsoft Visual BASIC (Beginner's All-purpose Symbolic
Infection Code)
*.wsf
*.wsh
IBMls.exe
anti_cih.exe
antivirus.exe
aol4free.com # Trojan horse
avp_updates.exe # Trojan horse
babylonia.exe
badass.exe
buhh.exe
jesus.exe
list.doc
lovers.exe
navidad.exe
navidad[0-9]+.exe
path.xls
photos17.exe
picture.exe
pretty park.exe
prettypark.exe
qi_test.exe
seicho_no_ie.exe
serialz.hlp
setup.exe
story.doc
suppl.doc
surprise!.exe
x-mas.exe
y2kcount.exe
yahoo.exe
zipped_files.exe
As viruses or worms with specific filenames are announced, those
filenames can be added to the
poisoned
files list. If you want to set up automatic retrieval of the
poisoned files list that I maintain, it is at
http://www.impsec.org/email-tools/poisoned-files
(please use your nearest mirror.)
The wildcard format is the standard
Regular
Expression syntax modified slightly to look more like regular
filename globbing:
a period is considered an explicit period, not a match-any-character
token; a question mark is the "match any character" token, and an
asterisk is a "match any number of characters" token. This leads to
familiar wildcard filename specs like "*.*" and
"*.exe", but also supports more complex filespecs such as
"happy[0-9]+.exe" and "*.[a-z][a-z][a-z]".
The Perl (?...) regular expression construct is also
supported as of 1.131. See the
recommended
poison list for an example of how this may be used to match all filenames
except those with certain extensions. Also see the Perl regular
expressions manual (man perlex).
The filenames in the poisoned list are not case sensitive:
"IBMLS.EXE" matches "ibmls.exe".
Example:
POISONED_EXECUTABLES="/etc/procmail/poisoned"
NOTE:
This model will change soon to be much more flexible and easier to
modify.
- STRIPPED_EXECUTABLES: Name of policy file containing filespecs of files to strip.
This variable specifies the name of a file containing a list of
attachment filenames to strip off the message. These filenames can
contain wildcards in the same manner as the poison list.
The filename specification may be followed by comments. Separate the
comments from the filename spec using spaces or TABs. If you wish to
include space(s) in a filename specification, use the token
"\s" rather than using an actual space character.
For future compatibility you should begin comment text with a
"#" character (standard shell quoting syntax).
The current version of the sanitizer only checks the stripped
filenames list if the filename extension appears in the
MANGLE_EXTENSIONS list. Filenames whose extensions do not appear in
the MANGLE_EXTENSIONS list cannot be stripped, except for Microsoft
Office files, which are "special". See the discussion of
MANGLE_EXTENSIONS.
Stripping occurs before poisoning, and stripping an attachment does not
poison the message.
Stripped attachments cannot be recovered.
The filenames in the strip list are not case sensitive:
"IBMLS.EXE" matches "ibmls.exe".
Example:
STRIPPED_EXECUTABLES="/etc/procmail/stripped"
- STRIPPED_MIME_TYPES: Name of policy file containing MIME types to strip. (1.152+)
This variable specifies the name of a file containing a list of
MIME body-part types to strip off the message. These types can
contain wildcards in the same manner as the poison list.
The MIME type specification may be followed by comments. Separate the
comments from the MIME type spec using spaces or TABs.
For future compatibility you should begin comment text with a
"#" character (standard shell quoting syntax).
Stripping occurs before poisoning, and stripping an attachment does not
poison the message.
Stripped attachments cannot be recovered.
The MIME types in the strip list are not case sensitive.
Poisoning of MIME types APPLICATION/X-MSDOWNLOAD and APPLICATION/X-MS-DOWNLOAD
is independent of this list. You can add those types to the strip list and they
will be stripped rather than poisoned, but omitting them from the strip list
does not imply they are to be trusted.
Example:
STRIPPED_MIME_TYPES="/etc/procmail/stripped_mime_types"
Example contents:
application/vnd.ms-tnef # duplicate $SECURITY_STRIP_MSTNEF functionality
APPLICATION/X-MSDOWNLOAD # strip rather than poison
APPLICATION/X-MS-DOWNLOAD # strip rather than poison
application/*script* # no scripting, please
- TRUSTED_MIME_TYPES: Name of policy file containing MIME types to trust. (1.152+)
This optional variable specifies the name of a file containing a list of
MIME body-part types to trust within the message. These types can
contain wildcards in the same manner as the poison list.
The MIME type specification may be followed by comments. Separate the
comments from the MIME type spec using spaces or TABs.
For future compatibility you should begin comment text with a
"#" character (standard shell quoting syntax).
If you wish to implement a tighter security policy that lists the MIME types
you will accept rather than filtering out MIME types and other content you
consider hostile, you can define $TRUSTED_MIME_TYPES. Any message with a body
part having a MIME type that is NOT in the trusted list will be poisoned.
If you do not define $TRUSTED_MIME_TYPES then messages will not be poisoned by
MIME type (apart from APPLICATION/X-MSDOWNLOAD and APPLICATION/X-MS-DOWNLOAD).
If a MIME type appears in the strip list, the body part will be stripped regardless
of whether it appears in the trust list.
Omitting "TEXT/PLAIN", "TEXT/HTML", "MESSAGE/RFC822", "MULTIPART/ALTERNATIVE"
and "MULTIPART/MIXED" from the trusted MIME types list is a good way to poison
100% of your email.
The MIME types in the trust list are not case sensitive.
Poisoning of MIME types APPLICATION/X-MSDOWNLOAD and APPLICATION/X-MS-DOWNLOAD
is independent of this list. You can add those types to the trust list, but
they will still poison the message unless you also set
$SECURITY_TRUST_MS_DOWNLOAD. Those types are dangerous enough and unusual
enough to warrant special handling.
The IANA registers MIME types, and they publish
a reference to all
registered MIME media types.
On *nix systems, you can see /etc/mime.types for a more
useable list of compiled MIME types.
Example:
TRUSTED_MIME_TYPES="/etc/procmail/trusted_mime_types"
TRUSTED_MIME_TYPES="/etc/mime.types" # trust everything - simpler to just not define $TRUSTED_MIME_TYPES
- SECURITY_POISON_WINEXE: Check attachments for Windows Executable magic strings, poison if found.
Certain Windows tools, when presented with a file whose filename or MIME type
does not accurately reflect the actual file type (e.g. a file named
"SOMETHING.WAV" - indicating it is a sound file - that is actually an
executable program) will scan the file for "magic strings" to
identify the file type, and will execute the file if it is a program.
The sanitizer has a simple Windows Executable magic strings scanner that can be
enabled as another layer of security. If a message's attachments are not
poisoned by filename, they can also be scanned for Windows Executable magic
strings and poisoned if any are found. This scanner is enabled by setting
SECURITY_POISON_WINEXE to any value.
Note that if you are permitting executable attachments through for for certain
senders, you will also want to unset SECURITY_POISON_WINEXE for those senders
as well.
Example:
SECURITY_POISON_WINEXE=YES
:0
* ^From: trusted@partner.example.com
{
POISONED_EXECUTABLES=/etc/procmail/poison-list-for-trusted-senders
SECURITY_POISON_WINEXE=
}
- DISABLE_MACRO_CHECK: Disable scanning of Microsoft Office
file attachments for dangerous macros.
The sanitizer contains a rudimentary scanner that checks Microsoft
Office document attachments (Word documents, Excel spreadsheets,
PowerPoint presentations, etc.) for embedded
VBA
macros that appear to be doing questionable things - for example,
modifying security settings, making changes to the registry, or
writing macros to the Standard Document template.
Documents will be scanned for macros even if their extensions do not
appear in the MANGLE_EXTENSIONS list. This means you can remove .DOC
and .XLS from the MANGLE_EXTENSIONS list to make your users happy, but
still be protected by the scanner against macro-based attacks.
If you do not wish this macro scanning to take place, set
DISABLE_MACRO_CHECK to any value. Alternatively you could use the
version of the sanitizer that has the macro scanning code removed.
This would be slightly faster, as that code no longer has to be
compiled for each message being processed.
If you do wish to scan document attachments, you will need to install
two extra tools:
- a BASE64 decoder like mimencode, which is a part of the
metamail package.
(see BASE64_DECODER and USE_CPAN below)
- mktemp, from the
OpenBSD
software archives.
(or see USE_CPAN below)
Both of these tools ship with most Linux distributions. For other
operating systems you may have to download the source and compile them
yourself.
It appears that many commercial virus scanners do not actually delete
evil macros; instead, they are mangled enough to disable them and are
left in place. The sanitizer will very likely detect enough fragments
of the macros to consider the document as still infected. If this
happens, suggest to the sender of the document that the document
should be saved in a format that does not support macros at all, such
as Rich
Text (RTF), and send that instead. Alternatively, the sender can
compress the document using a tool such as Winzip or gzip. When the
recipient uncompresses the document, the virus scanner will have an
opportunity to examine it.
Suggestions for what to consider dangerous in a macro are welcome, as are
samples of macro-infected documents.
Example:
DISABLE_MACRO_CHECK=YES
- POISONED_SCORE: Macro scanner score at which to consider the attachment poisoned.
For every fragment of questionable macro code detected, the scanner
score is incremented by a varying amount. When the scan is completed,
the document is considered poisoned if the total score exceeds
POISONED_SCORE.
The minimum POISONED_SCORE is 5, which is very low. The default value
is 25. Most macro viruses will generate a score of 100 or more.
Example:
POISONED_SCORE=25
- SCORE_HISTORY: Where to log macro scanner scores.
If you would like to keep a history of macro scores for profiling to
see whether or not your POISONED_SCORE is set to a reasonable value,
set SCORE_HISTORY to the name of a file. The score of each scanned
document will be saved to this file.
This file must exist with permissions rw--w--w- so that all
users will be able to record their scanner scores, or each user must have their
own personal log file. The sanitizer drops privileges before scanning the
message, so this log file must be writable by the user receiving the message.
It is a very good idea to test writing to a global log file as a regular
user after you've created it as root, to ensure all of the permissions on
it and its parent directories are correct.
Example:
SCORE_HISTORY="/var/spool/mail/macro-scanner-scores"
- SCORE_DETAILS: How was the macro score calculated?
If you would like to see how the scanner calculated the macro score,
set SCORE_DETAILS to any value. The details about each part of the
scoring of the document will be included in the message. If you
quarantine poisoned messages, you'll have to look in the quarantine
mailbox.
Example:
SCORE_DETAILS=YES
- SCORE_ONLY: Only scan for scoring, do not poison based on score.
If you wish to scan and record scores, but never poison documents
based on the scan, then set SCORE_ONLY to any value.
This is not recommended, as it will let macro worms and viruses
through. Instead, set POISONED_SCORE to a high value (75 to 100),
which will trap obviously infected documents while allowing you to
profile borderline documents.
Example:
SCORE_ONLY=YES
- SECURITY_OFFICE_EMBED_SCORE: Score to assign embedded files and URLs
Microsoft Office files (Word documents and Excel spreadsheets) can include
references to external files and URLs.
Hidden
references to external files can be used to steal files from your computer,
and
references
to URLs can be used to "bug" a document to trace its location.
The macro scanner checks for embedded files and URLs and assigns them a
score. The score is 99 by default, which is enough to poison the document
in most cases. If you wish to reduce the paranoia level of the scanner, set
SECURITY_OFFICE_EMBED_SCORE to a number lower than 99.
Example:
SECURITY_OFFICE_EMBED_SCORE=20
- SECURITY_QUARANTINE: Where to save poisoned messages.
This environment variable specifies a file on the mail gateway. If a
message has poisoned attachments (either documents poisoned by
scanning or attachments poisoned by filename), the entire message is
delivered into this file rather than being sent on to the intended
recipient.
Quarantining a message prevents delivery of messages with
poisoned attachments to the intended recipient. This is the only case
where the sanitizer is a "delivering recipe" - in all other
cases it is merely a filter.
Because the sanitizer drops all privileges before scanning the
message, this file must already exist (the sanitizer cannot reliably
create it on-the-fly) and must have permissions rw--w--w-, or each
user must have their own personal quarantine file.
It is a very good idea to test writing to a global quarantine file as a
regular user after you've created it as root, to ensure all of the
permissions on it and its parent directories are correct.
This file is a standard Berkeley-format mailbox file and can be
manipulated using any Unix mail program, or edited using a text
editor, to unmangle and recover
quarantined messages.
If you would rather see quarantined messages as one-message-per-file,
then point SECURITY_QUARANTINE at a directory instead of a file. The
directory must already exist and must have permissions rwx-wx-wx,
or each user must have their own personal quarantine directory.
If SECURITY_QUARANTINE is not specified, messages will be delivered to
their intended recipients even if they contain hazardous attachments.
This is probably not a good idea unless you are an ISP.
Example:
SECURITY_QUARANTINE=/var/spool/mail/quarantine
- SECURITY_QUARANTINE_OPTIONAL: If quarantine of a message fails, don't bounce it.
If for some reason quarantining a poisoned message in
SECURITY_QUARANTINE fails, the message will be bounced and the
SECURITY_NOTIFY list notified of the failure.
If quarantining a poisoned message fails and
SECURITY_QUARANTINE_OPTIONAL is set to any value, the message will
instead be delivered to the intended recipient.
Example:
SECURITY_QUARANTINE_OPTIONAL=YES
- SECURITY_QUARANTINE_LOCKFILE: Use a non-default lockfile when writing to the quarantine.
If for some reason the default quarantine lockfile cannot be created (i.e.
regular users don't have write permission to the directory) and you see
warnings like "Lock failure on /var/spool/mail/security.lock" in your
procmail log file, you can specify a lockfile in a world-writable location
using SECURITY_QUARANTINE_LOCKFILE.
Example:
SECURITY_QUARANTINE_LOCKFILE="/var/tmp/quarantine.lock"
- SECURITY_NOTIFY: Who to notify if an attack is detected.
This environment variable contains a comma-delimited list of email
addresses to which a brief notification is sent when a poisoned
message is trapped.
The notification will include the message headers from the trapped
message.
Make sure you use quotes if you put spaces in the list of names.
The SECURITY_NOTIFY list is also notified if quarantining a poisoned
message fails.
Example:
SECURITY_NOTIFY="postmaster, dilbert@example.com"
- SECURITY_NOTIFY_VERBOSE: Who to notify if an attack is detected.
SECURITY_NOTIFY_VERBOSE is just like SECURITY_NOTIFY, except that the
entire poisoned message is included in the notification instead of
just the headers.
This could be used instead of a quarantine file, though the format is
not as friendly.
Example:
SECURITY_NOTIFY_VERBOSE="wally@example.com, phb@example.com"
- SECURITY_NOTIFY_SENDER: Should the sender of the attack message be notified?
If SECURITY_NOTIFY_SENDER is set to any value, a warning message will be sent
to the person who originated the poisoned message. For this to happen,
SECURITY_NOTIFY must also be set.
If you wish to provide a custom warning message instead of the simple
one included in the sanitizer, set SECURITY_NOTIFY_SENDER to the name of
the file that contains the body of your warning message. You may wish
to explain your site security policy, and give a contact address for
questions.
Since the sanitizer is expecting a filename in SECURITY_NOTIFY_SENDER,
it requires special caution. If you want to notify the sender but do
not wish to customize the message, make sure that whatever value you
set SECURITY_NOTIFY_SENDER to does not represent an actual
file. "SECURITY_NOTIFY_SENDER=YES" is good.
"SECURITY_NOTIFY_SENDER=/etc/passwd" would be a poor choice.
If you want to explicitly suppress sender notification, set
SECURITY_NOTIFY_SENDER to the empty string:
SECURITY_NOTIFY_SENDER=""
With Smart Reply Suppression enabled and proper information in
SECURITY_TRUSTED_MTAS it should be safe to enable this option
without fear of generating a large amount of "backscatter" due to
forged email addresses. However, MAKE SURE that you are running
at least version 1.140 of the Sanitizer!
Example:
SECURITY_NOTIFY_SENDER=YES
SECURITY_NOTIFY_SENDER="/etc/procmail/policy-note.txt"
Here is a sample sender notification message
you may use or modify as needed.
- SECURITY_NOTIFY_SENDER_POSTMASTER: Should the postmaster of the sender's domain be notified?
If SECURITY_NOTIFY_SENDER_POSTMASTER is set to any value, the
postmaster of the sender's domain will also be notified. This is
useful if the message originates from a company, but is probably
pointless if the message is from a large ISP such as MSN or AT&T.
Example:
SECURITY_NOTIFY_SENDER_POSTMASTER=YES
- SECURITY_NOTIFY_SENDER_ABUSE: Should abuse@ at the sender's domain be notified?
If SECURITY_NOTIFY_SENDER_POSTMASTER and SECURITY_NOTIFY_SENDER_ABUSE are
set to any value, the postmaster of the sender's domain will also be
notified. This may be useful if the message originates from a large ISP
such as MSN or AT&T. Note that SECURITY_NOTIFY_SENDER_ABUSE depends on
SECURITY_NOTIFY_SENDER_POSTMASTER being set.
Example:
SECURITY_NOTIFY_SENDER_ABUSE=YES
- SECURITY_DISABLE_SMART_REPLY: Should Smart Reply Suppression be disabled?
Many attack messages have forged sender addresses in an attempt to obscure
the actual origin of the attack and make it harder to find and clean up
infected computers. Sending an attack notification to some unrelated third
party does not help, and in fact increases the overall load on the Internet
that the worm is generating.
To reduce the liklihood of sending a notification to a forged or
inappropriate sender address, the sender address is compared to the
Reverse DNS domains in the trusted Received: header(s) - see the
discussion of SECURITY_TRUSTED_MTAS below. If the trusted
Received: header(s) do not appear to support the sender's domain,
no notification is sent back to the sender of the poisoned message.
Also, if the message appears to have come via a mailing list, notification
is suppressed.
If you wish to notify the sender regardless of whether the sender's address
looks valid or whether the message was received via a mailing list,
set SECURITY_DISABLE_SMART_REPLY to some value. Doing this is not
recommended as worms forge sender addresses and dumb replies will victimize
innocent third parties.
Example:
SECURITY_DISABLE_SMART_REPLY=YES
- SECURITY_TRUSTED_MTAS: Base Smart Reply Suppression on which
Received: headers? (1.140+)
Many attack messages have forged Received: headers in an attempt
to obscure the actual origin of the attack. The only Received:
headers you can trust are those inserted by MTAs under your control, or
under the control of those you trust (such as your ISP).
SECURITY_TRUSTED_MTAS lists the MTAs whose Received: headers you
trust to be correct. If you do not set it, it defaults to the computer the
sanitizer is running on. If the MTA that receives your mail from the
Internet is a different machine (e.g. a bastion host or an ISP mail
server), then add that machine's name to SECURITY_TRUSTED_MTAS.
Look in your Received: headers to determine the name(s) for this
variable. For example, if your Received: headers were this (sample
from a worm attack message):
Received: from localhost (IDENT:root@localhost [127.0.0.1])
by gypsy.impsec.org (8.9.3/8.8.8) with ESMTP id NAA04022
for ; Mon, 26 Jan 2004 13:21:35 -0800
Received: from localhost
by localhost with POP3 (fetchmail-5.2.4)
for jhardin@localhost (single-drop); Mon, 26 Jan 2004 13:21:35 -0800 (PST)
Received: from sylmic.com (rtss13.ssss.gouv.qc.ca [199.243.239.13])
by hq.impsec.org (8.11.6/8.9.3) with ESMTP id i0QLKq827621
for ; Mon, 26 Jan 2004 13:20:54 -0800
...you would put "hq.impsec.org" into your
SECURITY_TRUSTED_MTAS variable. It is the system you trust that is closest
to the Internet. (Note how the HELO domain name and the reverse DNS name in
the hq.impsec.org Received: header do not match. This message
appears to be a forgery and will not be replied to.)
Format notes:
- Escape periods in the hostname with backslashes: \.
- Separate multiple hostnames with vertical bars: |
- There must be no whitespace.
- The list must not begin or end with a vertical bar.
You do not need to set this variable if the sanitizer is running on
an MTA that is receiving email directly from the Internet. The sanitizer
by default trusts the computer it is running on.
Example:
SECURITY_TRUSTED_MTAS="hq\.impsec\.org|mail\.myisp\.com"
- SECURITY_LOCAL_POSTMASTER: Override the from address on notification messages.
By default, notification messages are from "postmaster". The sanitizer
leaves the domain off in the assumption that the local MTA will add the
correct local domain as it processes the notification messages.
If you wish to override the notification sender address, for example to
have the messages come from "abuse@yourdomain.com" instead of
"postmaster@yourdomain.com" or to provide an explicit domain name,
set SECURITY_LOCAL_POSTMASTER to the desired from address. A domain name is
not required and will be provided by your MTA if omitted.
Please don't specify a domain you are not responsible for.
Example:
SECURITY_LOCAL_POSTMASTER="abuse"
SECURITY_LOCAL_POSTMASTER="postmaster@bighostingcompany.com"
- SECURITY_NOTIFY_RECIPIENT: Should the intended recipient of the attack message be notified?
If you wish to notify the recipient of a message that a message to
them was poisoned and quarantined, set SECURITY_NOTIFY_RECIPIENT to
some value. It can represent a filename in the same way as
SECURITY_NOTIFY_SENDER.
SECURITY_NOTIFY_RECIPIENT has not been well tested on a sanitizing
relay, so if the sanitizing machine is a relay (vs. delivering mail
locally), you should not use SECURITY_NOTIFY_RECIPIENT.
Example:
SECURITY_NOTIFY_RECIPIENT="/etc/procmail/quarantined.txt"
- SECURITY_STRIP_MSTNEF: Strip MS-TNEF attachments completely.
Microsoft Outlook and Microsoft Exchange support sending email using a
format called "Outlook Rich Text". Among other things, this has the
effect of bundling all file attachments, as well as other data, into a
proprietary Microsoft-format attachment, usually with the name
"WINMAIL.DAT". This format is called "MS-TNEF",
and is not generally understandable by non-Microsoft mail programs.
MS-TNEF attachments cannot be scanned or sanitized and may contain
hazardous content that the sanitizer cannot detect or defang.
Configuration information about the sender's computer is also embedded
in the "WINMAIL.DAT" file, which can leak security-sensitive
details to outsiders.
Microsoft suggests that MS-TNEF attachments are only suitable for
use within your own company, and recommends that it not be used for
Internet mail.
If you set SECURITY_STRIP_MSTNEF to any value, these attachments will
be stripped off the message, and it will be delivered to the intended
recipient with a notice that this happened. The message will not be
poisoned. The file attachments will not be recoverable, since they were
contained in the stripped MS-TNEF attachment.
See
http://support.microsoft.com/support/kb/articles/Q241/5/38.ASP,
http://support.microsoft.com/support/kb/articles/Q138/0/53.ASP
and
http://www.microsoft.com/TechNet/exchange/2505ch10.asp for more information.
Example:
SECURITY_STRIP_MSTNEF=YES
- STRIPPED_WARNING: Text to include when attachments (except MS-TNEF) are stripped
Stripping attachments does not poison the message, so the recipient will
receive the message. This variable contains the text of the warning note
inserted into the message in place of the stripped attachment, and may be
overridden to use a non-english language or to give the user pointers to
site-specific information about your security policy.
Example:
STRIPPED_WARNING="
SECURITY ALERT!
Attachment stripped from message and discarded.
To receive future attachments, bring donuts to your postmaster right away.
"
- POISONED_WARNING: Text to include when attachments are poisoned
If you are not quarantining poisoned messages, the recipient will
receive the message with a mangled attachment. The descriptive text
included before the mangled attachment may be overridden to use a
non-english language or to give the user pointers to site-specific
information about your security policy and how to react to a mangled
attachment.
Example:
POISONED_WARNING="
SECURITY ALERT!
Somebody is attacking you!
Run in circles! Scream and shout!
"
- TNEF_WARNING: Text to include when MS-TNEF attachments are stripped
If you are stripping MS-TNEF attachments, the recipient will
receive a notice that the attachment was removed. The descriptive text
included may be overridden to use a non-english language or to give
the user pointers to site-specific information about your security
policy.
Example:
TNEF_WARNING="
SECURITY ALERT!
TNEF is the Devil's Spawn.
"
- SECURITY_DEFANG_SIGNED: Defang signed messages
Messages can be cryptographically signed to detect alterations. The
sanitizer has no way to re-sign a message, so in order to avoid
warnings about failed signatures it does not attempt to defang the
content of signed messages.
If you are willing to accept the "failed signature test" warnings in
order to improve security, you can tell the sanitizer to defang signed
messages as well.
Example:
SECURITY_DEFANG_SIGNED=Y
- SECURITY_TRUST_HTML: Trust HTML code in messages
Disable all security processing of HTML content. Scripts will not be
defanged. Web bugs will not be defanged. Style tags will not be
defanged.
Example:
SECURITY_TRUST_HTML=Y
- DEFANG_WEBBUGS: Disable inline images and sounds.
"Web
bugs" are small images (typically only one pixel in size)
that are used to track an email message. Identifying information is
included in the image URL, and when an HTML-enabled mail program
attempts to display the message the location of the message can be
tracked (since the mail client will attempt to retrieve the image from
the web server given in the webbug URL) and logged.
One common use for this is to determine whether or not a SPAM message
has reached a real person, so that email addresses can be validated
for future use by the spammer. Another is to track the propagation of
a message as it is forwarded from person to person.
The same can be done using background sound files, and through
image links embedded in Microsoft Office documents.
If you consider this a violation of your privacy, you can set
DEFANG_WEBBUGS to any value and the sanitizer will defang all
<IMAGE> and <BGSOUND> tags to prevent
this. You can still retrieve the URL from the message body and decide whether
or not you wish to view the image or hear the sound.
Unfortunately this will not strip webbugs from Office documents. In the future
the sanitizer may scan for the presence of bugged documents and add a warning.
Example:
DEFANG_WEBBUGS=YES
- SECURITY_TRUST_STYLE_TAGS: Disable style tag defanging.
<STYLE> tags allow the author fine control over the
appearance of the HTML content when it is displayed. It is used
extensively by HTML-enabled mail programs, but is a possible attack
vector exploited through supplying scripting commands instead of
appearance settings.
By default the sanitizer defangs <STYLE> tags, but this
may leave an extra HTML end-comment tag ("-->") visible
in the body of the message. You may wish to trust
<STYLE> tags on locally-generated mail while still
defanging them in mail received from the Internet.
Trusting <STYLE> tags on mail received from the Internet
is not recommended.
Example:
:0
* ^From:.*@mydomain.com>
* ^To:.*@mydomain.com>
{
SECURITY_TRUST_STYLE_TAGS=YES
}
- SECURITY_NONOTIFY_LONGSUBJECT: Don't notify on Excessively Long subjects
If you don't care when someone sends you an excessively long Subject:
header, define this to any value. The subject header will still be
truncated, but the SECURITY_NOTIFY list won't be told about it.
Example:
SECURITY_NONOTIFY_LONGSUBJECT=Y
- SECRET: A short (20 characters or so) string chosen at random.
This is a short string of random text (letters and numbers - avoid
punctuation marks) that is used in a couple of places to make it
difficult for someone to forge a message that will bypass certain
parts of the sanitizer.
When you install the sanitizer set SECRET to some random gibberish,
and change the gibberish every so often.
This is not a critical feature.
Example:
SECRET="hgsfd9734965q34o2ldgbl"
- LOGFILE: Where to save the sanitizer log messages.
Again, since the sanitizer drops privileges before scanning messages,
this file must be writable by the recipient of the message. It
typically is set to "$HOME/procmail.log" (which puts it in
the recipient's home directory), but you can set up a centralized log
file that all users log to. If you do this, make sure it exists and
the permissions are
rw--w--w-.
If you put the log file in the user's home directory, put
DROPPRIVS=YES before the LOGFILE= line as procmail
opens the logfile as soon as you tell it where the log file goes, and
if it needs to be created it should be created with the user's
permissions.
If you use a global log file, it is a very good idea to test writing to it
as a regular user after you've created it as root, to ensure all of the
permissions on it and its parent directories are correct. If the log file
is not writable, the sanitizer will fail to scan messages.
Example:
DROPPRIVS=YES
LOGFILE="$HOME/procmail.log"
- DEBUG: Enable output of some debugging information from the sanitizer.
Example:
DEBUG=YES
- DEBUG_VERBOSE: Turn on verbose debugging of the sanitizer.
This is equivalent to saying "VERBOSE=YES" in
/etc/procmailrc. Since dropping privileges resets verbose
procmail debugging, you need to set DEBUG_VERBOSE to some value to
tell the sanitizer to turn VERBOSE back on after dropping privileges.
Example:
DEBUG_VERBOSE=YES
- POISONED_WARNING: Change the embedded "poisoned attachment" warning text
When the sanitizer poisons an attachment, the attachment format is
mangled to make it difficult for the recipient to retrieve the attachment.
A warning message is also inserted. If you set POISONED_WARNING
to a quoted multiline string, it will replace the default text of:
SECURITY WARNING!
The mail system has detected that the following
attachment may contain hazardous program code, is
a suspicious file type, or has a suspicious file name.
Do not trust it. Contact your system administrator immediately.
You can use this to customise the contact message, point to local
documentation describing how to un-mangle the attachment, or translate
the warning to a different language.
Example:
POISONED_WARNING="
EEEK! Icky Microsoft Outlook worm detected! Turn off your computer RIGHT NOW!"
- TNEF_WARNING: Change the embedded warning text for stripped MS-TNEF attachments
When the sanitizer strips an MS-TNEF attachment, the attachment is
replaced with a warning message. If you set TNEF_WARNING
to a quoted multiline string, it will replace the default text of:
SECURITY NOTICE:
The mail system has removed a Microsoft attachment for security reasons.
The sender should disable sending Rich Text format in Outlook and
disable sending TNEF to the Internet from their Microsoft Exchange gateway.
See http://support.microsoft.com/support/kb/articles/Q241/5/38.ASP
and http://www.microsoft.com/TechNet/exchange/2505ch10.asp
for more information.
Example:
TNEF_WARNING="
MS-TNEF is the Devil's spawn."
- MTA_FLAGS_CMDLN: Set the MTA command line flags, "get addresses
from command line" mode
The sanitizer is designed and tested with an older version of sendmail as
the MTA. If you are using a newer version of sendmail, or a completely
different MTA, you may need to adjust the command-line options passed to
the send-a-message program that is used when the sanitizer generates
notification messages.
The sanitizer generates two types of messages: where the recipients
are specified explicitly on the command line, and where the recipients must
be gathered from the headers of the message being sent. The command-line
options for these modes of submitting messages may differ.
To change the command-line options used to submit a message with the
recipient address(es) taken from the mailer command line, set
MTA_FLAGS_CMDLN appropriately for your MTA. To specify "no
options", use an empty string " " (quote-blank-quote)
rather than a null string "" (quote-nothing-quote).
Example:
MTA_FLAGS_CMDLN="-U"
MTA_FLAGS_CMDLN=" " (no options are needed by your mailer)
If you are getting errors like
"sendmail: illegal option -- U"
you will have to put the second (empty) example above into your
/etc/procmailrc file before calling the sanitizer.
- MTA_FLAGS_HDRS: Set the MTA command line flags, "get addresses
from message headers" mode
To change the command-line options used to submit a message with the
recipient address(es) taken from the headers of the message being
submitted, set MTA_FLAGS_HDRS appropriately for your MTA.
Note that this is only used when generating the sender notification
message. If you wish to explicitly specify the envelope from address, and a
command line option is needed to do that, include that option here.
Example:
MTA_FLAGS_HDRS="-oi -t -f$SECURITY_LOCAL_POSTMASTER"
- SECURITY_MSGID_LOG: Log poisoned message IDs.
If you want to keep a log of the Message-IDs of poisoned messages, define
SECURITY_MSGID_LOG to point to a world-writable file.
This may be useful for things where you don't want to have to dig through
the quarantine or procmail log files to see what's been going on. For
example, you might want to do a "wc -l" on this file every five minutes for
MRTG to graph poisoned message traffic.
Example:
SECURITY_MSGID_LOG="/var/log/poisoned.log"
- ZIPPED_EXECUTABLES: Name of policy file containing
filespecs of files within ZIP or RAR archives that cause quarantine. (1.141+)
This variable specifies the name of a file containing a list of
filenames to consider "poisoned" if they appear within ZIP or RAR archive
attachments. These filenames can contain wildcards. See the
discussion of POISONED_EXECUTABLES for the wildcard syntax. See the
discussion of SECURITY_QUARANTINE for how poisoned messages are
handled.
ZIP and RAR archives containing poisoned filenames will only be
quarantined. You cannot strip archive attachments based on their contents,
but archives are now "special" in the same way Microsoft Office
documents are "special" - the entire archive can be poisoned or
stripped based on the archive (ZIP or RAR file) name. This means that if you
put "*.zip" in your POISONED_EXECUTABLES or STRIPPED_EXECUTABLES files
you won't get any ZIP archive attachments!
Archive attachments are only scanned one layer deep. Scanning is not recursive.
The MANGLE_EXTENSIONS restriction DOES NOT APPLY to archive
contents - any extension can be specified in the ZIPPED_EXECUTABLES
list.
If ZIPPED_EXECUTABLES is not specified, it will default to the same as
POISONED_EXECUTABLES (to provide a default-secure policy rather than
default-insecure).
It is strongly recommended that you configure a separate
ZIPPED_EXECUTABLES policy file, and add "*.html?",
"*.eml" and "*.msg" to it. There are worms
that rely on multiple layers of obfuscation: a zipped attachment
containing an HTML page that contains a base64-encoded .EXE file, and
the original message contains active HTML that automatically opens the
.ZIP file.
The recommended
contents of this file can be downloaded.
If you wish to scan ZIP and RAR archive attachments, you will need to install
four extra tools:
- a BASE64 decoder like mimencode, which is a part of the
metamail package.
(see BASE64_DECODER and USE_CPAN below)
- mktemp, from the
OpenBSD
software archives.
(or see USE_CPAN below)
- unzip.
- unrar.
All of these tools except unrar ship with most Linux
distributions. For other operating systems you may have to download the source
and compile them yourself.
If you will be accepting archived executables from known sources (e.g.
.DLL files from a consultant) then you should create a filespec list
that does not include "*.dll" and use that for ZIPPED_EXECUTABLES if the
message is from that source.
Example:
ZIPPED_EXECUTABLES=/etc/procmail/zipped_poison
:0
* ^From: trusted@partner.example.com
{
ZIPPED_EXECUTABLES=/etc/procmail/trusted_zipped_poison
}
- DISABLE_ZIP_SCAN: Disable scanning of ZIP archive
attachments. (1.141+)
If you do not wish ZIP archive scanning to take place, set
DISABLE_ZIP_SCAN to any value.
Example:
DISABLE_ZIP_SCAN=YES
- ZIPPED_WARNING: Change the embedded warning text for
ZIP archive attachments poisoned for their contents. (1.141+)
When the sanitizer poisons a ZIP archive attachment based on the files
it contains, the email has a warning message inserted into it. If you
set ZIPPED_WARNING to a quoted multiline string, it will
replace the default text of:
SECURITY WARNING!
The mail system has detected that the preceding ZIP archive
attachment contains suspicious files.
Do not trust it. Contact your system administrator immediately.
The suspicious files in the archive are:
Example:
ZIPPED_WARNING="
Foiled an attempt to bypass security via a ZIP file. It contained:
"
Note that the list of filenames in the ZIP archive that matched
filespecs in the ZIPPED_EXECUTABLES list will be added, so you should
end your message with appropriate text.
- ZIP_MAGIC_WARNING: Change the embedded warning text for
bogus ZIP archive attachments. (1.141+)
When the sanitizer attempts to scan a ZIP archive attachment, it first
checks for a valid ZIP archive identity string. If this string is not
found, it considers the ZIP archive to be bogus and poisons the
message, and a warning is inserted into the message. If you set
ZIP_MAGIC_WARNING
to a quoted multiline string, it will replace the default text of:
SECURITY WARNING!
The mail system has detected that the preceding attachment
claims to be a ZIP archive, but it does not have a valid ZIP
archive signature.
Do not trust it. Contact your system administrator immediately.
Example:
ZIP_MAGIC_WARNING="
Foiled an attempt to bypass security via a bogus ZIP file."
- DISABLE_RAR_SCAN: Disable scanning of RAR archive
attachments. (1.149+)
If you do not wish RAR archive scanning to take place, set
DISABLE_RAR_SCAN to any value.
Example:
DISABLE_RAR_SCAN=YES
- RARRED_WARNING: Change the embedded warning text for
RAR archive attachments poisoned for their contents. (1.149+)
When the sanitizer poisons a RAR archive attachment based on the files
it contains, the email has a warning message inserted into it. If you
set RARRED_WARNING to a quoted multiline string, it will
replace the default text of:
SECURITY WARNING!
The mail system has detected that the preceding RAR archive
attachment contains suspicious files.
Do not trust it. Contact your system administrator immediately.
The suspicious files in the archive are:
Example:
RARRED_WARNING="
Foiled an attempt to bypass security via a RAR file. It contained:
"
Note that the list of filenames in the RAR archive that matched
filespecs in the ZIPPED_EXECUTABLES list will be added, so you should
end your message with appropriate text.
- RAR_MAGIC_WARNING: Change the embedded warning text for
bogus RAR archive attachments. (1.149+)
When the sanitizer attempts to scan a RAR archive attachment, it first
checks for a valid RAR archive identity string. If this string is not
found, it considers the RAR archive to be bogus and poisons the
message, and a warning is inserted into the message. If you set
RAR_MAGIC_WARNING
to a quoted multiline string, it will replace the default text of:
SECURITY WARNING!
The mail system has detected that the preceding attachment
claims to be a RAR archive, but it does not have a valid RAR
archive signature.
Do not trust it. Contact your system administrator immediately.
Example:
RAR_MAGIC_WARNING="
Foiled an attempt to bypass security via a bogus RAR file."
- BAD_BASE64_WARNING: Change the embedded warning text for
hostile base64 encoding on ZIP and RAR archive attachments. (1.144+)
When the sanitizer attempts to scan a ZIP or RAR archive attachment, it first
decodes the base64 encoding of the binary file. If the base64 encoding
is invalid when read line-by-line (i.e. lines shorter than 3
characters are present), the message is poisoned and a warning is
inserted into the message. An attachment encoded by a legitimate email
client will not have such very short lines.
If you set
BAD_BASE64_WARNING
to a quoted multiline string, it will replace the default text of:
SECURITY WARNING!
The mail system has detected that the preceding attachment
was encoded in a manner intended to bypass security filtering.
Do not trust it. Contact your system administrator immediately.
Example:
BAD_BASE64_WARNING="
Trapped hostile BASE64 encoding on a ZIP file attachment."
- DISABLE_JPEG_SCAN: Disable scanning of JPEG image
attachments. (1.147+)
If you do not wish JPEG image scanning to take place, set
DISABLE_JPEG_SCAN to any value.
Example:
DISABLE_JPEG_SCAN=YES
If you wish to scan JPEG image attachments, you will need to install
three extra tools:
- a BASE64 decoder like mimencode, which is a part of the
metamail package.
(see BASE64_DECODER and USE_CPAN below)
- mktemp, from the
OpenBSD
software archives.
(or see USE_CPAN below)
- libjpeg (specifically,
the rdjpgcom utility).
All of these tools ship with most Linux distributions. For other
operating systems you may have to download the source and compile them
yourself.
- BAD_JPEG_WARNING: Change the embedded warning text for
JPEG attachments with a possible Buffer Overflow attack. (1.147+)
If you set
BAD_JPEG_WARNING
to a quoted multiline string, it will replace the default text of:
SECURITY WARNING!
The mail system has detected that the preceding attachment
appears to be a JPEG image containing a Microsoft buffer overflow attack.
Do not trust it. Contact your system administrator immediately.
Example:
BAD_JPEG_WARNING="
Trapped hostile or corrupt JPEG attachment."
- SECURITY_POISON_WMF: Enable poisoning of WMF image
attachments. (1.149+)
If you wish to poison all WMF image attachments, set
SECURITY_POISON_WMF to any value.
Setting this option is strongly recommended due to the severity
of the security hazard presented by .WMF files. They are not traditional image
files containing bitmaps, but rather are something more along the lines of
scripting for the Windows UI layer - and any scripting language can carry an
attack.
Example:
SECURITY_POISON_WMF=YES
If you wish to poison WMF image attachments, you will need to install
three extra tools:
- a BASE64 decoder like mimencode, which is a part of the
metamail package.
(see BASE64_DECODER and USE_CPAN below)
- mktemp, from the
OpenBSD
software archives.
(or see USE_CPAN below)
-
The Octal Dump program
/usr/bin/od -
it must be a version that supports the -N and -t arguments.
All of these tools ship with most Linux distributions. For other
operating systems you may have to download the source and compile them
yourself.
- WMF_WARNING: Change the embedded warning text for
WMF attachments. (1.149+)
If you set
WMF_WARNING
to a quoted multiline string, it will replace the default text of:
SECURITY WARNING!
The mail system has detected that the preceding attachment
appears to be a WMF image. It has been blocked for security reasons.
Contact your system administrator immediately.
Example:
WMF_WARNING="
Trapped suspicious WMF attachment."
- MACRO_WARNING: Change the embedded warning text for
poisoned Microsoft Office attachments (1.141+)
When the sanitizer poisons a Microsoft Office attachment for a high
macro score, the email has a warning message inserted into it. If you
set MACRO_WARNING to a quoted multiline string, it will
replace the default text of:
SECURITY WARNING!
The mail delivery system has detected that the preceding
document attachment appears to contain hazardous macro code.
Macro Scanner score:
Example:
MACRO_WARNING="
Evil macros in that Office attachment! It scored: "
Note that the macro score will be appended to the message, so you
should end your message with appropriate text.
- SECURITY_TRUST_MS_DOWNLOAD: Trust attachments with MIME type
APPLICATION/X-MSDOWNLOAD (1.151+)
Starting with the 1.151 release, the sanitizer will automatically poison all
attachments with MIME types APPLICATION/X-MSDOWNLOAD and
APPLICATION/X-MS-DOWNLOAD. To disable this poisoning set
SECURITY_TRUST_MS_DOWNLOAD to any value.
This is a stopgap until full MIME-type handling is implemented; it is possible
that this behavior will remain the default once that is in place.
Example:
SECURITY_TRUST_MS_DOWNLOAD=Y
- BASE64_DECODER: Specify external tool to decode
BASE64-encoded attachments. (1.152+)
The sanitizer can use any command-line BASE64 decoder that will accept
a BASE64-encoded file on standard input and accepts an argument with the
output filename.
By default the external BASE64 decoder is the "mimencode" program, which is a
part of the
metamail
package. (Note: this is NOT the same as the "mimeencode" perl program!)
To specify a different external BASE64 decoder, for example
the one in the widely-available OpenSSL package, set BASE64_DECODER to the
command line for that tool that specifies decoding BASE64 from standard input
to a file. The sanitizer will append the destination filename to the command line.
Example:
BASE64_DECODER="openssl base64 -d -out"
- USE_CPAN: Use CPAN Perl modules rather than external
programs for scanning attachments. (1.141+)
The sanitizer can use the
CPAN modules
MIME::Base64
and
File::MkTemp
to replace the external BASE64 decoder and "mktemp" programs. Set
USE_CPAN to any value if you wish to do this. (Note: You still need
the external "unzip" program to scan ZIP archive attachments; using a
CPAN module for ZIP files is a future feature.)
See the CPAN FAQ
for more information, particularly about
how
to install CPAN Perl modules.
Example:
USE_CPAN=YES
- PVT_CPAN: Specify a private (non-system) CPAN library directory. (1.141+)
If you don't have administrative control over the computer the
sanitizer is running on (e.g. you're running it on your ISP's
mailserver, where you have a shell account), you probably won't be
able to install CPAN Perl modules in the system library directories if
they aren't already available.
If you can't get the system administrator to install the CPAN modules
for you, you can install them in a directory under your control and
put that directory name in PVT_CPAN. The directory in PVT_CPAN will be
added to the Perl library search path before the CPAN modules are
linked in.
Example:
PVT_CPAN="$HOME/my_cpan"
You should also read the Procmail man pages to see what environment
variables control the behavior of procmail itself. Some of those
environment variables are also recognized by the sanitizer.
The way you implement this is by providing different settings of the
configuration variables based on the message that is being processed. For
example, if you wanted to suppress the mangling of Word documents within your
domain, you would add the following somewhere before the
INCLUDERC=html-trap.procmail that runs the sanitizer:
Please note that the "From:" header in email is trivially easy to
forge. If you wish to implement a less-restrictive policy for internal
email, you should base your "source" rule on your local-network IP
address appearing in a Received: header. For example, if you use
10.20.30.nn for your local network, you might do something
like:
The exact format of your local Received: header will vary depending on
what your local MTA software is. Please look at the headers of real
local messages to determine what you should be looking for.
If you wanted to provide a means for the administrator to bypass
sanitization completely, for example, to make it easier to recover quarantined messages and deliver
them to the intended recipient, you might replace the plain
INCLUDERC=html-trap.procmail with:
For example, one variant of a current worm sends itself out as a
randomly-named attachment to a message with no subject at all. To
create a custom rule for the sanitizer to detect and trap this attack
without simply poisoning all .EXE attachments, you'd
do this:
If you don't wish to keep quarantine copies of messages trapped in
this manner, change the action from QUARANTINE to DISCARD.
If you don't want to be notified, but you still want the sender of the
message to be notified, change the handling from NOTIFY to NONOTIFY.
For example:
If you don't want to quarantine, don't want to be notified, and don't want
to notify the sender, then simply discard the message by sending it to
/dev/null:
I'd be very interested in hearing from people who'd be willing to translate this page.
Best viewed with
Any Browser