[Rspamd-Users] Finetune MIME_BAD_EXTENSION reject

Sandy Drobic rspamd at drobic.de
Wed Feb 24 21:43:14 UTC 2021



On 24.02.2021 at 14:18, C. Bernard wrote:
>
> Hi
>
> Quoting Sandy Drobic <rspamd at drobic.de>:
>
>> On 24.02.2021 at 12:39, Carsten Rosenberg wrote:
>>> On 24.02.21 11:06, Sandy Drobic wrote:
>>> Hey,
>>> Best option is not to use the mime_types plugin to reject bad
>>> extensions. Setting high scores here will end up in learning mails from
>>> good senders with bad attachments.
>>>
>>> Use multimap to match extensions and use the mime_types plugin with
>>> default settings. The multimap extension filter also matches on file
>>> extensions and mime_types.
>>>
>>> -- 
>>> Carsten
>> Hello Carsten,
>>
>> thanks for the hint. You mean something like what google found for me:
>>
>> local.d/multimap.conf:
>> FORBIDDEN_FILE_EXTENSION {
>>    type = "filename";
>>    filter = "extension";
>>    map = ["${CONFDIR}/forbidden_file_extension.map",];
>>    action = "reject";
>>    symbol = "FORBIDDEN_FILE_EXTENSION";
>>    description = "List of forbidden file extensions";
>> }
>>
>> And then add all the extensions to be rejected to
>> forbidden_file_extension.map:
>>
>> vbs
>> exe
>> scr
>>
>>
>> Can I just list them or do I need regexp?
>>
>> Greetings
>> Sandy
>
> I have something like this:
>
>
> root at beastly /usr/local/etc/rspamd/local.d]# cat file_extensions.map
> doc
> docm
> xls
> xlsm
> scr
> lnk
>
> and in multimap.conf:
>
> filename_blacklist {
>   type = "filename";
>   filter = "extension";
>   map = "/${LOCAL_CONFDIR}/file_extensions.map";
>   symbol = "FILENAME_BLACKLISTED";
>   prefilter = true;
>   action = "reject";
> }
>
> Which looks almost the same as your example, except for map = line....
>
> Cheers
> Christian
>

Hello Christian, I got it working, thanks!

Though there is a small typo in the map line. The leading slash resolves to a
double slash when the variables are put in.

"rspamadm configdump" is my best friend at the moment to find out where the path actually leads to.  
My map now resolves to /etc/rspamd/local.d/file_extension.map.
I put it in the local.d subdirectory to make it portable.

file_extension_blacklist {
  type = "filename";
  filter = "extension";
  map = "${LOCAL_CONFDIR}/local.d/file_extensions.map";
  symbol = "FILE_EXTENSION_BLACKLISTED";
  prefilter = true;
  action = "reject";
  message = "attachment type not allowed";
}

Greetings 
Sandy 
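
Added example, not part of any post in this thread and not rspamd code: a Python check that expands the variables in the two `map =` lines quoted above and reports a double slash or a missing map file, the path problem discussed in the last message. The variable values, the sample config and the throwaway directory tree are assumptions constructed for the demo; on a real host the values come from "rspamadm configdump".

```python
import os
import re
import tempfile

# Assumed values; on a real host take them from "rspamadm configdump".
ASSUMED_VARS = {"CONFDIR": "/etc/rspamd", "LOCAL_CONFDIR": "/etc/rspamd"}
MAP_LINE = re.compile(r'^\s*map\s*=\s*\[?\s*"([^"]+)"', re.MULTILINE)
VAR = re.compile(r"\$\{(\w+)\}")

# Constructed sample: the two map lines quoted in this thread.
SAMPLE_CONF = '''
filename_blacklist {
  map = "/${LOCAL_CONFDIR}/file_extensions.map";
}
file_extension_blacklist {
  map = "${LOCAL_CONFDIR}/local.d/file_extensions.map";
}
'''

def check_maps(conf_text, variables, root="/"):
    """Return [(expanded_path, [problems])] for each file-based map line."""
    results = []
    for raw in MAP_LINE.findall(conf_text):
        path = VAR.sub(lambda m: variables.get(m.group(1), m.group(0)), raw)
        if re.match(r"\w+://", path):
            continue  # URL maps are out of scope for this check
        problems = []
        if "${" in path:
            problems.append("unresolved variable")
        if "//" in path:
            problems.append("double slash after expansion")
        # "root" lets the check run against a test tree instead of the live host.
        on_disk = os.path.join(root, os.path.normpath(path).lstrip("/"))
        if not os.path.isfile(on_disk):
            problems.append("map file missing")
        results.append((path, problems))
    return results

def demo():
    """Build a throwaway tree holding only the local.d map, then run the check."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "etc/rspamd/local.d")
        os.makedirs(d)
        with open(os.path.join(d, "file_extensions.map"), "w") as fh:
            fh.write("vbs\nexe\nscr\n")
        return check_maps(SAMPLE_CONF, ASSUMED_VARS, root)

if __name__ == "__main__":
    for path, problems in demo():
        print(path, "->", ", ".join(problems) or "ok")
```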


