From: paul.ockleford on
Hi,

Hopefully someone on this list can help me out. I am trying to set up mime-header checking to only allow through emails with a particular file extension, that is, I want to block any email without this attachment type or any other attachment type.

I have created the map file with postmap and it picks up my regexp OK. When I send emails through and look in the mail log, though, it warns on all emails, and it also appears to be matching on other lines in the header such as Content-Transfer-Encoding. Below are the regexps I have tried and also the extract from my mail log.

I would be grateful if anybody is able to offer some assistance.

mime_header_checks

#!/^\s*Content-(Disposition|Type).*name\s*=\s*"{1,1}.+\.(ecf)"{1,1}\s*$/!/name=[^>]*\.(ecf)/
WARN Would normally reject this message
#!/^[[:space:]]*content-(type|disposition):.*name[[:space:]]*=.*\.(ecf)/
# WARN Bad attachment file name extension

/var/log/maillog extract

Jun 8 11:46:57 hriapp1 postfix/cleanup[10213]: 5CB123D8499: message-id=<494C599007DDA542A4811051B82E39DA540A7F603D(a)NHS-PCLI-MBC015.AD1.NHS.NET>
Jun 8 11:46:57 hriapp1 postfix/cleanup[10213]: 5CB123D8499: warning: header Content-Type: multipart/alternative;??boundary="_000_494C599007DDA542A4811051B82E39DA540A7F603DNHSPCLIMBC015_" from unknown[xx.xx.xx.xx]; from=<paul.ockleford(a)nhs.net> to=<xx.xx(a)xx.xx.uk> proto=SMTP helo=<relay.xx..uk>: Would normally reject this message
Jun 8 11:46:57 hriapp1 postfix/cleanup[10213]: 5CB123D8499: warning: header MIME-Version: 1.0 from unknown[xx.xx.xx.xx]; from=<xx.xx(a)xx.net> to=<xx.xx(a)xx.xx.uk> proto=SMTP helo=<relay.xx.uk>: Would normally reject this message
Jun 8 11:46:57 hriapp1 postfix/cleanup[10213]: 5CB123D8499: warning: header Content-Type: text/plain; charset="us-ascii" from unknown[xx.xx.xx.xx]; from=<xx.xx(a)xx.net> to=<xx.xx(a)xx.xx.uk> proto=SMTP helo=<relay.xx.uk>: Would normally reject this message
Jun 8 11:46:57 hriapp1 postfix/cleanup[10213]: 5CB123D8499: warning: header Content-Transfer-Encoding: quoted-printable from unknown[xx.xx.xx.xx]; from=<xx.xx(a)xx.net> to=<xx.xx(a)xx.xx.uk> proto=SMTP helo=<relay.xx.uk>: Would normally reject this message
Jun 8 11:46:57 hriapp1 postfix/cleanup[10213]: 5CB123D8499: warning: header Content-Type: text/html; charset="us-ascii" from unknown[xx.xx.xx.xx]; from=<xx.xx(a)xx.xx> to=<xx.xx(a)xx.xx.uk> proto=SMTP helo=<relay.xx.uk>: Would normally reject this message
Jun 8 11:46:57 hriapp1 postfix/cleanup[10213]: 5CB123D8499: warning: header Content-Transfer-Encoding: quoted-printable from unknown[xx.xx.xx.xx]; from=<xx.xx(a)xx.xx> to=<xx.xxs(a)xx.xx.uk> proto=SMTP helo=<relay.xx.uk>: Would normally reject this message

Thanks,

Paul

********************************************************************************************************************

This message may contain confidential information. If you are not the intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action in reliance on its contents:
to do so is strictly prohibited and may be unlawful.

Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and GSI recipients
NHSmail provides an email address for your career in the NHS and can be accessed anywhere
For more information and to find out how you can switch, visit www.connectingforhealth.nhs.uk/nhsmail

********************************************************************************************************************
From: Simon Waters on
On Tuesday 08 June 2010 12:04:36 Ockleford Paul (NHS Connecting for Health)
wrote:
> I would be grateful if anybody is able to offer some assistance.
>
> mime_header_checks
>
> #!/^\s*Content-(Disposition|Type).*name\s*=\s*"{1,1}.+\.(ecf)"{1,1}\s*$/!/name=[^>]*\.(ecf)/
> WARN Would normally reject this message
> #!/^[[:space:]]*content-(type|disposition):.*name[[:space:]]*=.*\.(ecf)/
> # WARN Bad attachment file name extension
>

I have one scrounged from the list:

regexp:headercheck

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
    REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"

Which is tested in battle.

There is an example for pcre in the Postfix docs.

http://www.postfix.org/header_checks.5.html

Isn't immediately apparent why your regexp fails to me, but I'd suggest not
reinventing regexp here. Be careful to distinguish if it is regexp: or pcre:

Simon

From: Wietse Venema on
Ockleford Paul (NHS Connecting for Health):
> Hi,
>
> Hopefully someone on this list can help me out. I am trying to
> set up mime-header checking to only allow through emails with a
> particular file extension, that is I want to block any email
> without this attachment type or any other attachment type.

First, you need to ensure that the rule is applied only to
Content-Type/Disposition headers and not to other MIME headers.

Second, negative matching can be tricky. It may be easier to
eliminate the good cases first, as shown below.

Untested PCRE example:

if /^Content-(Disposition|Type):/
/name\s*=\s*"?(.*(\.|=2E)(aaa|bbb))(\?=)?"?\s*(;|$)/x DUNNO
/./ REJECT Attachment name must end in ".aaa" or ".bbb"
endif

Wietse
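
A small model of how a Postfix lookup table is evaluated against each MIME header, added here as an illustration and not code from any poster in this thread. It assumes the active rule in the original table was the negated `!/name=[^>]*\.(ecf)/` pattern, substitutes `ecf` for the `aaa|bbb` placeholders, and runs on constructed sample headers; `lookup` and `evaluate` are hypothetical helper names.

```python
import re

# Constructed sample headers, modelled on the header lines in the log extract.
HEADERS = [
    'MIME-Version: 1.0',
    'Content-Type: multipart/mixed; boundary="b1"',
    'Content-Type: text/plain; charset="us-ascii"',
    'Content-Transfer-Encoding: quoted-printable',
    'Content-Disposition: attachment; filename="claim.ecf"',
    'Content-Disposition: attachment; filename="claim.exe"',
]

# A rule is (negate, pattern, action); ('if', cond, body) models if /cond/ ... endif.
# Assumption: the active rule in the question was the negated pattern.
NEGATED = [(True, r'name=[^>]*\.(ecf)', 'WARN')]
# The if/endif table from the reply, with "ecf" in place of "aaa|bbb".
# The /x flag is omitted: the pattern contains no literal whitespace.
SCOPED = [('if', r'^Content-(Disposition|Type):', [
    (False, r'name\s*=\s*"?(.*(\.|=2E)(ecf))(\?=)?"?\s*(;|$)', 'DUNNO'),
    (False, r'.', 'REJECT'),
])]

def lookup(table, header):
    """Return the action of the first rule that matches, or None."""
    for rule in table:
        if rule[0] == 'if':
            _, cond, body = rule
            # The body is consulted only when the condition matches.
            if re.search(cond, header, re.I):
                action = lookup(body, header)
                if action:
                    return action
            continue
        negate, pattern, action = rule
        hit = re.search(pattern, header, re.I) is not None
        # A negated rule (!/pattern/) fires when the pattern does NOT match.
        if hit != negate:
            return action
    return None

def evaluate(table):
    """Pair each sample header name with the action the table returns."""
    return [(h.split(':')[0], lookup(table, h)) for h in HEADERS]

if __name__ == '__main__':
    for name, table in (('negated', NEGATED), ('scoped', SCOPED)):
        print(name)
        for header, action in evaluate(table):
            print(f'  {header:28} {action}')
```

In this model the negated rule fires on every header that lacks an `.ecf` name, including MIME-Version and Content-Transfer-Encoding, while the scoped table leaves those two untouched. The scoped table also returns REJECT for Content-Type headers that carry no name parameter at all, such as the text/plain body part.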

From: paul.ockleford on
Ok thanks, I'm not sure I completely understand the syntax of the perl reg ex.

Do you know why even testing the example I was sent through this user list it still applies the reg ex to other mime headers? I understood that this expression was tested in production by users but when I look in my mail log I still see the check being applied to other mime headers. Is this something to do with the negative matching aspect?

Paul

From: Wietse Venema on
Ockleford Paul (NHS Connecting for Health):
> Ok thanks, I'm not sure I completely understand the syntax of the perl reg ex.
>
> Do you know why even testing the example I was sent through this
> user list it still applies the reg ex to other mime headers? I
> understood that this expression was tested in production by users
> but when I look in my mail log I still see the check being applied
> to other mime headers. Is this something to do with the negative
> matching aspect?

You could burn more taxpayer money wondering why some example did
not work out, or you could use my example that by design does not
match other MIME headers.

Wietse
