Whitelisting an email sender and/or files

How about whitelisting the server's IP, or would that permit too much?
I'm running MS between the Internet and an Exchange server. We scan
inbound mail for spam but exempt mail sent from Exchange with

From: 10.10.10.10 yes

in spam.whitelist.rules.

Peter

Post by GÃ¶tz Reinicke - IT Koordinator
Hi,
we got a new server software, which sends messages for notifications.
But it currently attaches some files, which are marked by the spam rules.
I tried to whitemask/allow the files (in archives.filename.rules.conf)
and the sender address (in spam.whitelist.rules), but both fails.
I dont see why.
Any help and/or suggestion for solving this is welcome.
Thanks and regards . G?tz

Götz Reinicke - IT Koordinator

2014-04-22 08:55:46 UTC

Hi,

I whitelisted the servers IP, but still get the files send by it marked.

MailScanner: Attempt to hide real filename extension (likes.like.png) ...

Any idea or suggestion how to allow the file?

Regards . G?tz

Post by Peter Lemieux
How about whitelisting the server's IP, or would that permit too much?
I'm running MS between the Internet and an Exchange server. We scan
inbound mail for spam but exempt mail sent from Exchange with
From: 10.10.10.10 yes
in spam.whitelist.rules.
Peter

--
G?tz Reinicke
IT-Koordinator

Tel. +49 7141 969 82 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-W?rttemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016

Vorsitzender des Aufsichtsrats: J?rgen Walter MdL
Staatssekret?r im Ministerium f?r Wissenschaft,
Forschung und Kunst Baden-W?rttemberg

Gesch?ftsf?hrer: Prof. Thomas Schadt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5306 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140422/74c84f75/attachment.bin

Antony Stone

2014-04-22 09:42:11 UTC

Post by GÃ¶tz Reinicke - IT Koordinator
Hi,
I whitelisted the servers IP

What configuration parameter did you set to whitelist the IP?

Post by GÃ¶tz Reinicke - IT Koordinator
but still get the files send by it marked.
MailScanner: Attempt to hide real filename extension (likes.like.png) ...
Any idea or suggestion how to allow the file?

Make sure you're setting the rule for "filename extensions" when whitelisting
the address.

Regards,

Antony.

--
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".

Please reply to the list;
please don't CC me.

Götz Reinicke - IT Koordinator

2014-04-22 11:33:02 UTC

Hi,

Post by GÃ¶tz Reinicke - IT Koordinator
Hi,
I whitelisted the servers IP

What configuration parameter did you set to whitelist the IP?

/etc/MailScanner/rules/spam.whitelist.rules

From: 172.17.20.58 yes

Make sure you're setting the rule for "filename extensions" when whitelisting
the address.

hmm .. where/how do I set that?

Thanks and regards . G?tz
--
G?tz Reinicke
IT-Koordinator

Tel. +49 7141 969 82 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-W?rttemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016

Vorsitzender des Aufsichtsrats: J?rgen Walter MdL
Staatssekret?r im Ministerium f?r Wissenschaft,
Forschung und Kunst Baden-W?rttemberg

Gesch?ftsf?hrer: Prof. Thomas Schadt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5306 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140422/1a7977ef/attachment.bin

Antony Stone

2014-04-22 12:28:30 UTC

Post by GÃ¶tz Reinicke - IT Koordinator
Hi,
I whitelisted the servers IP

What configuration parameter did you set to whitelist the IP?

/etc/MailScanner/rules/spam.whitelist.rules
From: 172.17.20.58 yes

So, that defines what to do if the mail gets identified as spam.

Blocked filenames are not the same as spam.

Post by Antony Stone
Make sure you're setting the rule for "filename extensions" when
whitelisting the address.

hmm .. where/how do I set that?

/etc/MailScanner/rules/filename.rules.conf

Regards,

Antony.

--
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.

- Frank Skinner

Please reply to the list;
please don't CC me.

Götz Reinicke - IT Koordinator

2014-04-22 15:00:41 UTC

Post by GÃ¶tz Reinicke - IT Koordinator
Hi,
I whitelisted the servers IP

What configuration parameter did you set to whitelist the IP?

/etc/MailScanner/rules/spam.whitelist.rules
From: 172.17.20.58 yes

So, that defines what to do if the mail gets identified as spam.
Blocked filenames are not the same as spam.

Post by Antony Stone
Make sure you're setting the rule for "filename extensions" when
whitelisting the address.

hmm .. where/how do I set that?

/etc/MailScanner/rules/filename.rules.conf

Thanks, at first I edited the wrong file :-/ ... now I'm in the right one:

# f?r Confluence
allow \likes.like.png$ - -
allow \confluence.mail.templates.view.page.png$ - -

But confluence.mail.templates.view.page.png is still catched as hiding
real filename.

Or is the syntax wrong? dose it has to have the regex \...$ ?

Thanks onece moer & regards . G?tz
--
G?tz Reinicke
IT-Koordinator

Tel. +49 7141 969 82 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-W?rttemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016

Vorsitzender des Aufsichtsrats: J?rgen Walter MdL
Staatssekret?r im Ministerium f?r Wissenschaft,
Forschung und Kunst Baden-W?rttemberg

Gesch?ftsf?hrer: Prof. Thomas Schadt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5306 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140422/74af1ced/attachment.bin

Antony Stone

2014-04-22 16:04:53 UTC

Post by GÃ¶tz Reinicke - IT Koordinator
# f?r Confluence
allow \likes.like.png$ - -
allow \confluence.mail.templates.view.page.png$ - -
But confluence.mail.templates.view.page.png is still catched as hiding
real filename.
Or is the syntax wrong? dose it has to have the regex \...$ ?

--
"640 kilobytes (of RAM) should be enough for anybody."

- Bill Gates

Please reply to the list;
please don't CC me.

Denis Beauchemin

2014-04-22 18:08:41 UTC

Don't forget that there are 2 different mechanisms for checking the attachments: the first one checks the name of the attachment and the second one check the contents of the attachment with the "file" command.

# Set where to find the attachment filename ruleset.
# The structure of this file is explained elsewhere, but it is used to
# accept or reject file attachments based on their name, regardless of
# whether they are infected or not.
#
# This can also point to a ruleset, but the ruleset filename must end in
# ".rules" so that MailScanner can determine if the filename given is
# a ruleset or not!
Filename Rules = %etc-dir%/filename.rules.conf

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = /usr/bin/file
# Set where to find the attachment filetype ruleset.
# The structure of this file is explained elsewhere, but it is used to
# accept or reject file attachments based on their content as determined
# by the "file" command, regardless of whether they are infected or not.
#
# This can also point to a ruleset, but the ruleset filename must end in
# ".rules" so that MailScanner can determine if the filename given is
# a ruleset or not!
#
# To disable this feature, set this to just "Filetype Rules =" or set
# the location of the file command to a blank string.
Filetype Rules = %etc-dir%/filetype.rules.conf

I also found this third mechanism:
# Allow any attachment MIME types matching any of the patterns listed here.
# If this setting is empty, it is ignored and no matches are made.
# This can also be the filename of a ruleset.
Allow File MIME Types =
# Deny any attachment MIME types matching any of the patterns listed here.
# If this setting is empty, it is ignored and no matches are made.
# This can also be the filename of a ruleset.
Deny File MIME Types =

And don't forget the settings for files within archives!

Denis

-----Message d'origine-----
De?: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] De la part de Antony Stone
Envoy??: 22 avril 2014 12:13
??: MailScanner discussion
Objet?: Re: Whitelisting an email sender and/or files

Do the above rules come before or after something more generic, which would also match the filename?

As far as I recall, the rules in this file are processed in order, first match wins, so you'd need to make sure your rules for Confluence come before the rules for generic filenames.

Regards,

Antony.

--
"640 kilobytes (of RAM) should be enough for anybody."

- Bill Gates

Please reply to the list;
please don't CC me.
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Götz Reinicke - IT Koordinator

2014-04-23 07:21:40 UTC

Hi Thanks,

I checked, all config files, but still get a warning, which is confusing
to me:

Confluence sends a message with a lot of pictures/icons:

e.g.

likes.like.png
avatar_5aa2c6294a72d4e8d7c83ec33ae.png
page-icon.png

confluence.mail.templates.add.comment.png <- is allowed

confluence.mail.templates.view.page.png <- is denied and I get the
warning message

in my filename.rules.conf I have at the top (first rules) with tabs - -.

# f?r Confluence
allow \likes.like.png$ - -
allow \confluence.mail.templates.view.page.png$ - -

and a bit later

allow \.png$ - -

Any more hints?

Thanks and Regards . G?tz

Post by Denis Beauchemin
Don't forget that there are 2 different mechanisms for checking the attachments: the first one checks the name of the attachment and the second one check the contents of the attachment with the "file" command.

<...>

Post by Denis Beauchemin
And don't forget the settings for files within archives!
Denis

Jerry Benton

2014-04-23 08:08:12 UTC

Check filenames.rules.conf for the length of file names. It should be 150
by default.

On Wed, Apr 23, 2014 at 9:21 AM, G?tz Reinicke - IT Koordinator <

Post by GÃ¶tz Reinicke - IT Koordinator
Hi Thanks,
I checked, all config files, but still get a warning, which is confusing
e.g.
likes.like.png
avatar_5aa2c6294a72d4e8d7c83ec33ae.png
page-icon.png
confluence.mail.templates.add.comment.png <- is allowed
confluence.mail.templates.view.page.png <- is denied and I get the
warning message
in my filename.rules.conf I have at the top (first rules) with tabs - -.
# f?r Confluence
allow \likes.like.png$ - -
allow \confluence.mail.templates.view.page.png$ - -
and a bit later
allow \.png$ - -
Any more hints?
Thanks and Regards . G?tz

Post by Denis Beauchemin
Don't forget that there are 2 different mechanisms for checking the

attachments: the first one checks the name of the attachment and the second
one check the contents of the attachment with the "file" command.
<...>

Post by Denis Beauchemin
And don't forget the settings for files within archives!
Denis

--
G?tz Reinicke
IT-Koordinator
Tel. +49 7141 969 82 420
E-Mail goetz.reinicke at filmakademie.de
Filmakademie Baden-W?rttemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzender des Aufsichtsrats: J?rgen Walter MdL
Staatssekret?r im Ministerium f?r Wissenschaft,
Forschung und Kunst Baden-W?rttemberg
Gesch?ftsf?hrer: Prof. Thomas Schadt
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!

--
--
Jerry Benton
Mailborder Systems
www.mailborder.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140423/823c68dd/attachment.html

Götz Reinicke - IT Koordinator

2014-04-23 08:31:19 UTC

Hi,

its still the 150 default value.

/G?tz

Post by Jerry Benton
Check filenames.rules.conf for the length of file names. It should be
150 by default.
On Wed, Apr 23, 2014 at 9:21 AM, G?tz Reinicke - IT Koordinator
<goetz.reinicke at filmakademie.de <mailto:goetz.reinicke at filmakademie.de>>
Hi Thanks,
I checked, all config files, but still get a warning, which is confusing
e.g.
likes.like.png
avatar_5aa2c6294a72d4e8d7c83ec33ae.png
page-icon.png
confluence.mail.templates.add.comment.png <- is allowed
confluence.mail.templates.view.page.png <- is denied and I get the
warning message
in my filename.rules.conf I have at the top (first rules) with tabs - -.
# f?r Confluence
allow \likes.like.png$ - -
allow \confluence.mail.templates.view.page.png$ - -
and a bit later
allow \.png$ - -
Any more hints?
Thanks and Regards . G?tz

<..>
--
G?tz Reinicke
IT-Koordinator

Tel. +49 7141 969 82 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-W?rttemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016

Vorsitzender des Aufsichtsrats: J?rgen Walter MdL
Staatssekret?r im Ministerium f?r Wissenschaft,
Forschung und Kunst Baden-W?rttemberg

Gesch?ftsf?hrer: Prof. Thomas Schadt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5306 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140423/e9cf52fc/attachment.bin

Martin Hepworth

2014-04-23 08:13:37 UTC

Can you not add the confluence ipaddress to the "do not scan" ruleset?

If this is an internal system why are you pushing this through the scanner
and not direct to the the email server?

Martin

On Wednesday, 23 April 2014, G?tz Reinicke - IT Koordinator <

Post by Denis Beauchemin
Don't forget that there are 2 different mechanisms for checking the

attachments: the first one checks the name of the attachment and the second
one check the contents of the attachment with the "file" command.
<...>

Post by Denis Beauchemin
And don't forget the settings for files within archives!
Denis

--
G?tz Reinicke
IT-Koordinator
Tel. +49 7141 969 82 420
E-Mail goetz.reinicke at filmakademie.de <javascript:;>
Filmakademie Baden-W?rttemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzender des Aufsichtsrats: J?rgen Walter MdL
Staatssekret?r im Ministerium f?r Wissenschaft,
Forschung und Kunst Baden-W?rttemberg
Gesch?ftsf?hrer: Prof. Thomas Schadt

--
--
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140423/036be698/attachment.html

Götz Reinicke - IT Koordinator

2014-04-23 08:39:24 UTC

Hi,

yes, I could whitelist the whole server; it is in
rules/spam.whitelist.rules already, but the rule dose not catche ...

From: 172.17.20.58 yes

Is that the same as your "do not scan" ruleset ?
Or wher is that?

/G?tz

Post by Martin Hepworth
Can you not add the confluence ipaddress to the "do not scan" ruleset?
If this is an internal system why are you pushing this through the
scanner and not direct to the the email server?
Martin
On Wednesday, 23 April 2014, G?tz Reinicke - IT Koordinator
<goetz.reinicke at filmakademie.de <mailto:goetz.reinicke at filmakademie.de>>
Hi Thanks,
I checked, all config files, but still get a warning, which is confusing
e.g.
likes.like.png
avatar_5aa2c6294a72d4e8d7c83ec33ae.png
page-icon.png
confluence.mail.templates.add.comment.png <- is allowed
confluence.mail.templates.view.page.png <- is denied and I get the
warning message
in my filename.rules.conf I have at the top (first rules) with tabs - -.
# f?r Confluence
allow \likes.like.png$ - -
allow \confluence.mail.templates.view.page.png$ - -
and a bit later
allow \.png$ - -
Any more hints?
Thanks and Regards . G?tz

Post by Denis Beauchemin
Don't forget that there are 2 different mechanisms for checking

the attachments: the first one checks the name of the attachment and
the second one check the contents of the attachment with the "file"
command.
<...>

Post by Denis Beauchemin
And don't forget the settings for files within archives!
Denis

a
--
G?tz Reinicke
IT-Koordinator
Tel. +49 7141 969 82 420
E-Mail goetz.reinicke at filmakademie.de <javascript:;>
Filmakademie Baden-W?rttemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de <http://www.filmakademie.de>
Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzender des Aufsichtsrats: J?rgen Walter MdL
Staatssekret?r im Ministerium f?r Wissenschaft,
Forschung und Kunst Baden-W?rttemberg
Gesch?ftsf?hrer: Prof. Thomas Schadt
--
--
Martin Hepworth, CISSP
Oxford, UK

Martin Hepworth

2014-04-23 14:25:45 UTC