[Esd-l] Qmail+Sanitizer

bobk at dwcinet.com bobk at dwcinet.com
Mon Nov 26 11:37:00 PST 2001


I am currently trying to implement the sanitizer on a
qmail+vpopmail+qmailadmin+sqwebmail test mail server.

I keep running into some problems.
When I test the server by emailing it a poisoned executable, I get this in
my procmail.log:

Sanitizing MIME attachment headers in "test" from <bobk at dwcinet.com> to
vpopmail
msgid=<Pine.LNX.4.33.0111261422050.20060-101000 at subgenius.dwcinet.com>
Checking "dodohead.pif".
 Trapped poisoned executable "dodohead.pif".
 Mangling executable filename "dodohead.pif".
 Mangling executable filename "dodohead.pif".

NOTIFY root at qmail.dwcinet.com

NOTIFY root at qmail.dwcinet.com

NOTIFY SENDER
procmail: Lock failure on "/var/quarantine.lock"
procmail: Error while writing to "/var/quarantine"

QUARANTINE FAILED!
From bobk at dwcinet.com Mon Nov 26 19:24:27 2001
 Subject: test
  Folder:  ( \           echo "To: $SECURITY_NOTIFY";\           echo '    1100
From vpopmail at qmail.dwcinet.com Mon Nov 26 19:24:28 2001
 Subject: Re: test
  Folder: /home/vpopmail/Maildir/new/_DR.sbpA8.qmail                       1277
From vpopmail at qmail.dwcinet.com Mon Nov 26 19:24:29 2001
 Subject: SECURITY WARNING - possible email attack
  Folder: /home/vpopmail/Maildir/new/_LR.tbpA8.qmail                       3365
From vpopmail at qmail.dwcinet.com Mon Nov 26 19:24:30 2001
 Subject: SECURITY WARNING - quarantine failed!
  Folder: /home/vpopmail/Maildir/new/_SR.ubpA8.qmail                       1998
From vpopmail at qmail.dwcinet.com Mon Nov 26 19:24:30 2001
 Subject: SECURITY WARNING - possible email attack
  Folder: /home/vpopmail/Maildir/new/_cR.ubpA8.qmail                       1846
From MAILER-DAEMON Mon Nov 26 19:24:30 2001
 Subject: failure notice
  Folder: /home/vpopmail/Maildir/new/_fR.ubpA8.qmail                       1826
From MAILER-DAEMON Mon Nov 26 19:24:31 2001
 Subject: failure notice
  Folder: /home/vpopmail/Maildir/new/_mR.vbpA8.qmail                       3914
From MAILER-DAEMON Mon Nov 26 19:24:32 2001
 Subject: failure notice
  Folder: /home/vpopmail/Maildir/new/_vR.wbpA8.qmail                       2547
From #@[] Mon Nov 26 19:24:32 2001
 Subject: failure notice
  Folder: /home/vpopmail/Maildir/new/_0R.wbpA8.qmail                       4401
From MAILER-DAEMON Mon Nov 26 19:24:33 2001
 Subject: failure notice
  Folder: /home/vpopmail/Maildir/new/__R.xbpA8.qmail                       2395
From #@[] Mon Nov 26 19:24:33 2001
 Subject: failure notice
  Folder: /home/vpopmail/Maildir/new/_BS.xbpA8.qmail                       2313
From #@[] Mon Nov 26 19:24:33 2001
 Subject: failure notice
  Folder: /home/vpopmail/Maildir/new/_HS.xbpA8.qmail                       3034
From #@[] Mon Nov 26 19:24:33 2001
 Subject: failure notice
  Folder: /home/vpopmail/Maildir/new/_OS.xbpA8.qmail                       2882

I am having problems finding somewhere to put the quarantine, as well as
some other bugs.

Here is what my procmailrc looks like:

PATH="/usr/bin:$PATH:/usr/local/bin:/var/qmail/bin"
SHELL=/bin/sh

POISONED_EXECUTABLES="/etc/procmail/poisoned-files"
SECURITY_NOTIFY="root at qmail.dwcinet.com"
SECURITY_NOTIFY_VERBOSE="root at qmail.dwcinet.com"
SECURITY_NOTIFY_SENDER="/etc/procmail/policy.note"
SECRET="sdflksjas"

ORGMAIL=
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
SECURITY_TRUST_HTML=N
DEFANG_WEBBUGS=NO
SECURITY_QUARANTINE=/var/quarantine
POISONED_SCORE=135
SCORE_HISTORY="/var/log/macro-scanner-scores"
SCORE_DETAILS=YES
DROPPRIVS=YES
LOGFILE=/var/log/procmail.log

:0
       * ^From:.*
       * ^To:.*
       {
           MANGLE_EXTENSIONS='exe|com|cmd|bat|pif|sc[rt]|dll|ocx|dot|xl[wt]|vb[$
       }

# Finished setting up, now run the sanitizer...
INCLUDERC=/etc/procmail/html-trap.procmail
# Reset some things to avoid leaking info to
# the users...
POISONED_EXECUTABLES=
SECURITY_NOTIFY=
SECURITY_NOTIFY_VERBOSE=
SECURITY_NOTIFY_SENDER=
SECURITY_QUARANTINE=
SECRET=

Would someone be so kind as to enlighten me as to what I am doing
wrong? I have run the sanitizer for over a year on multiple sendmail
servers but never tried it on qmail until now.

bob

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
| Bob Ketterhagen
| Systems Security Administrator
| bobk at dwcinet.com
|_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
| Digital Wireless Communications
| http://www.dwcinet.com
| 216 W. Broughton St.
| Suite 302
| Savannah, Georgia 31401
| Office 912.525.1859
| Cell 912.210.4904
|_-_-_-_-_-_-_-_-_-_-
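The log above shows procmail failing on "/var/quarantine.lock" before it fails on "/var/quarantine" itself: procmail creates the lock file in the mailbox's directory, and with DROPPRIVS=YES it does so as the account the message is delivered to, not as root. The script below is an added example (not part of the original post and not the Sanitizer project's own code) that pre-flights a quarantine path the same way, so it can be run as the delivery user before a poisoned test message is sent. The delivery account name "vpopmail" in the usage comment is an assumption taken from the setup described in the post; the script takes the path as its only argument.

```shell
#!/bin/sh
# Added example, not from the original post or the Sanitizer project:
# pre-flight check that a procmail quarantine mailbox can be written by
# the account mail is delivered as. The "Lock failure" in the log above
# is what procmail reports when it cannot create "$SECURITY_QUARANTINE.lock"
# in the mailbox's directory; with DROPPRIVS=YES that is the delivery user
# (assumed here to be vpopmail on a qmail+vpopmail box), not root.

check_quarantine() {
    q=$1
    dir=$(dirname "$q")
    lock="$q.lock"

    # 1. The directory must exist and allow us to create files in it,
    #    because procmail puts the lock file next to the mailbox.
    if [ ! -d "$dir" ]; then
        echo "FAIL: directory $dir does not exist" >&2
        return 1
    fi
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: $(id -un) cannot create files in $dir" >&2
        return 1
    fi

    # 2. A stale lock left by a crashed run blocks delivery with the same
    #    "Lock failure" message, so report it separately.
    if [ -e "$lock" ]; then
        echo "FAIL: stale lock $lock already exists" >&2
        return 1
    fi

    # 3. Actually create and remove the lock file. noclobber (set -C) makes
    #    the redirection fail if the file appears in the meantime, which
    #    approximates the exclusive create procmail relies on.
    if ! ( set -C; : > "$lock" ) 2>/dev/null; then
        echo "FAIL: cannot create $lock" >&2
        return 1
    fi
    rm -f "$lock"

    # 4. The mailbox itself must be appendable if it already exists
    #    (procmail creates it on first use otherwise).
    if [ -e "$q" ] && [ ! -w "$q" ]; then
        echo "FAIL: $q exists but is not writable by $(id -un)" >&2
        return 1
    fi

    echo "OK: $(id -un) can quarantine into $q"
    return 0
}

# Usage: run it as the delivery user, for example
#   su vpopmail -s /bin/sh -c '. ./check_quarantine.sh; check_quarantine /var/quarantine'
# Running it as root proves nothing, because root bypasses the permission
# checks that make the real delivery fail.
if [ $# -gt 0 ]; then
    check_quarantine "$1"
fi
```

If the check fails on the directory step, either move SECURITY_QUARANTINE to a directory the delivery account can write to, or create the mailbox and a directory for it with that account as owner; the stale-lock case is fixed by removing the leftover .lock file.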


