Enhancement #2689

Let amavisd PASS unchecked content

Added by Davide Principi over 7 years ago. Updated over 7 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-mail-filter
Target version: v6.5-final
Resolution:
NEEDINFO: No

Description

A content is considered unchecked when some part is either:
- encrypted/scrambled/password protected
- an archive cannot be decoded, e.g. when it is damaged
- further decoding is cancelled because file or recursion
sanity limits are exceeded
- all virus scanners failed (this one is new with 2.7.0)

Mark Martinec

We currently set CC_UNCHECKED destiny to TEMPFAIL. Thus encrypted attachments never reach their destination.

We must let them PASS, as defined by the default Amavis policy, and add the *** UNCHECKED *** prefix to them.
Also consider Google Mail: delivering of unchecked messages is allowed, provided that a warning is displayed to the user.

Moreover the virus_scanners_failure_is_fatal flag should restore the temporary failure error, if all AV scanners fail (for instance on clamd restarts).

Associated revisions

Revision d48c188f
Added by Davide Principi over 7 years ago

Pass CC_UNCHECKED content. Refs #2689

Restored amavis default policy:
- The UNCHECKED tag is added to the message subject
- Message is delivered

And a temporary failure is returned to SMTP client if all AV scanners
fail.

History

#1 Updated by Davide Principi over 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#2 Updated by Davide Principi over 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case 1

  • Create a password protected zip file
  • Attach it to a mail message
  • Send the message to nethserver-mail-filter

The message must be delivered with *** UNCHECKED *** subject

Test case 2

  • Create a password protected zip file
  • Attach it to a mail message
  • Stop clamd on the server
  • Send the message to nethserver-mail-filter

A temporary error must be returned to the SMTP client

#3 Updated by Davide Principi over 7 years ago

In nethserver-testing:
nethserver-mail-filter-1.1.5-1.0gitd48c188f.ns6.noarch.rpm

#4 Updated by Davide Principi over 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

#5 Updated by Alessio Fattorini over 7 years ago

  • Assignee set to Alessio Fattorini

#6 Updated by Alessio Fattorini over 7 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Davide Principi wrote:

Test case 1

  • Create a password protected zip file
  • Attach it to a mail message
  • Send the message to nethserver-mail-filter

Created authorized_keys.zip protected with pwd

./swaks --server botolo.nethesis.it --to --helo alessio.nethesis.it --from --attach authorized_keys.zip

botolo amavis[13782]: (13782-01) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [192.168.5.19]:58158 [192.168.5.19] <pippo@nethesis.it> -> <alessio@nethesis.it>, mail_id: hbDf9S1SlbY5, Hits: -0.87, size: 1756, queued_as: C9E1441601, 1385 ms
Mar 14 12:33:59 botolo postfix/smtpd[14115]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C9E1441601; from=<pippo@nethesis.it> to=<alessio@nethesis.it> proto=ESMTP helo=<alessio.nethesis.it>

PASSED

Test case 2

  • Create a password protected zip file
  • Attach it to a mail message
  • Stop clamd on the server
  • Send the message to nethserver-mail-filter

Stopped clamav, I obtain this line in maillog

Mar 14 12:36:18 botolo amavis[13785]: (13785-01) (!)WARN: all primary virus scanners failed, considering backups
Mar 14 12:36:18 botolo amavis[13785]: (13785-01) (!!)AV: ALL VIRUS SCANNERS FAILED
Mar 14 12:36:18 botolo amavis[13785]: (13785-01) (!!)TROUBLE in check_mail: virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED
Mar 14 12:36:18 botolo postfix/smtpd[14146]: proxy-reject: END-OF-MESSAGE: 451 4.5.0 Error in processing, id=13785-01, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED; from=<pippo@nethesis.it> to=<alessio@nethesis.it> proto=ESMTP helo=<alessio.nethesis.it>
Mar 14 12:36:18 botolo postfix/smtpd[14146]: disconnect from alessio.nethesis.it[192.168.5.19]
Mar 14 12:36:18 botolo amavis[13785]: (13785-01) (!)PRESERVING EVIDENCE in /var/spool/amavisd/tmp/amavis-20140314T123611-13785-vaVed9q2

On my client this warning:

<** 451 4.5.0 Error in processing, id=13785-01, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED
 -> QUIT
<-  221 2.0.0 Bye

Temporary 451 received

VERIFIED
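
The two verifications above can be checked mechanically from the maillog. The following is an added example, not part of the original issue or of nethserver-mail-filter: it pairs each amavis verdict with the postfix proxy reply (by amavis id or by queue id) and flags a message that was delivered while all virus scanners were down. The function names and result labels are assumptions; the sample lines are the excerpts above, shortened.

```python
import re

# Log lines from the QA comment above, shortened (address fields trimmed).
SAMPLE_LOG = """\
botolo amavis[13782]: (13782-01) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [192.168.5.19]:58158, mail_id: hbDf9S1SlbY5, Hits: -0.87, size: 1756, queued_as: C9E1441601, 1385 ms
Mar 14 12:33:59 botolo postfix/smtpd[14115]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C9E1441601
Mar 14 12:36:18 botolo amavis[13785]: (13785-01) (!!)AV: ALL VIRUS SCANNERS FAILED
Mar 14 12:36:18 botolo postfix/smtpd[14146]: proxy-reject: END-OF-MESSAGE: 451 4.5.0 Error in processing, id=13785-01, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED
"""

VERDICT = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\d-]+)\) (?P<action>Passed|Blocked) (?P<ccat>[A-Z-]+)"
    r"(?:.*?queued_as: (?P<queue>\w+))?")
AV_DOWN = re.compile(r"amavis\[\d+\]: \((?P<id>[\d-]+)\) \(!!\)AV: ALL VIRUS SCANNERS FAILED")
PROXY = re.compile(
    r"postfix/smtpd\[\d+\]: proxy-(?:accept|reject): END-OF-MESSAGE: (?P<code>\d{3}) "
    r".*?(?:id=(?P<id>[\d-]+),|queued as (?P<queue>\w+))")

def transactions(log_text):
    """Group amavis and postfix lines into one record per scanned message."""
    by_id, by_queue = {}, {}
    for line in log_text.splitlines():
        if m := VERDICT.search(line):
            rec = by_id.setdefault(m["id"], {"id": m["id"]})
            rec.update(action=m["action"], ccat=m["ccat"])
            if m["queue"]:
                by_queue[m["queue"]] = rec  # lets the 250 reply find this record
        elif m := AV_DOWN.search(line):
            by_id.setdefault(m["id"], {"id": m["id"]})["av_down"] = True
        elif m := PROXY.search(line):
            rec = by_id.get(m["id"]) or by_queue.get(m["queue"])
            if rec is not None:
                rec["smtp"] = int(m["code"])
    return list(by_id.values())

def policy_result(rec):
    """Map a record onto the behaviour the two test cases expect."""
    smtp = rec.get("smtp")
    if smtp is None:
        return "incomplete"  # no postfix reply seen for this message
    if rec.get("av_down"):
        # Scanner outage: a 4xx makes the sender retry; anything else is fail-open.
        return "tempfail" if 400 <= smtp < 500 else "fail-open"
    if rec.get("action") == "Passed" and smtp == 250:
        return "delivered-" + rec["ccat"].lower()
    return "other"

if __name__ == "__main__":
    for rec in transactions(SAMPLE_LOG):
        print(rec["id"], policy_result(rec))
```
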

#7 Updated by Alessio Fattorini over 7 years ago

  • Assignee deleted (Alessio Fattorini)

#8 Updated by Davide Principi over 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-mail-filter-1.1.6-1.ns6.noarch.rpm
