[Rspamd-Users] Finetune MIME_BAD_EXTENSION reject

C. Bernard rspamd_users_ml at cmb.ch
Wed Feb 24 22:09:54 UTC 2021


Quoting Sandy Drobic <rspamd at drobic.de>:

> On 24.02.2021 at 14:18, C. Bernard wrote:
>>
>> Hi
>>
>> Quoting Sandy Drobic <rspamd at drobic.de>:
>>
>>> On 24.02.2021 at 12:39, Carsten Rosenberg wrote:
>>>> On 24.02.21 11:06, Sandy Drobic wrote:
>>>> Hey,
>>>> Best option is not to use the mime_types plugin to reject bad
>>>> extensions. Setting high scores here will end up in learning mails from
>>>> good senders with bad attachments.
>>>>
>>>> Use multimap to match extensions and use the mime_types plugin with
>>>> default settings. The multimap extension filter also matches on file
>>>> extensions and mime_types.
>>>>
>>>> --
>>>> Carsten
>>> Hello Carsten,
>>>
>>> thanks for the hint. You mean something like what google found for me:
>>>
>>> local.d/multimap.conf:
>>> FORBIDDEN_FILE_EXTENSION {
>>>    type = "filename";
>>>    filter = "extension";
>>>    map = ["${CONFDIR}/forbidden_file_extension.map",];
>>>    action = "reject";
>>>    symbol = "FORBIDDEN_FILE_EXTENSION";
>>>    description = "List of forbidden file extensions";
>>> }
>>>
>>> And then add all the extensions to be rejected to
>>> forbidden_file_extension.map:
>>>
>>> vbs
>>> exe
>>> scr
>>>
>>>
>>> Can I just list them or do I need regexp?
>>>
>>> Greetings
>>> Sandy
>>
>> I have something like this:
>>
>>
>> root at beastly /usr/local/etc/rspamd/local.d]# cat file_extensions.map
>> doc
>> docm
>> xls
>> xlsm
>> scr
>> lnk
>>
>> and in multimap.conf:
>>
>> filename_blacklist {
>>   type = "filename";
>>   filter = "extension";
>>   map = "/${LOCAL_CONFDIR}/file_extensions.map";
>>   symbol = "FILENAME_BLACKLISTED";
>>   prefilter = true;
>>   action = "reject";
>> }
>>
>> Which looks almost the same as your example, except for map = line....
>>
>> Cheers
>> Christian
>>
>
> Hello Christian, I got it working, thanks!
>
> Though there is a small typo in the map line. The leading slash resolves to a
> double slash when the variables are put in.
>
> "rspamadm configdump" is my best friend at the moment to find out
> where the path actually leads to.
> My map now resolves to /etc/rspamd/local.d/file_extension.map.
> I put it in the local.d subdirectory to make it portable.
>
> file_extension_blacklist {
>   type = "filename";
>   filter = "extension";
>   map = "${LOCAL_CONFDIR}/local.d/file_extensions.map";
>   symbol = "FILE_EXTENSION_BLACKLISTED";
>   prefilter = true;
>   action = "reject";
>   message = "attachment type not allowed";
> }
>
> Greetings
> Sandy

When I wrote the email today I thought it looks strange somehow.. but thought that
/path/to/file and
//path to file
should be the same for a unix system...
But I removed the / now. It came from copy paste from a similar multimap
above in the file...

Regards
Christian
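
An added example, not part of the original message and not Rspamd code: a small Python lint that expands `${VAR}` in multimap `map` paths and flags the doubled slash discussed in this thread. The variable values, the trimmed sample config and the name `lint_map_paths` are assumptions, and the parser only handles flat rule blocks with one-line `map` entries.

```python
import re

# Assumed values for illustration; take the real ones from your own installation.
ASSUMED_VARS = {"CONFDIR": "/etc/rspamd", "LOCAL_CONFDIR": "/etc/rspamd"}

# Constructed sample: the three map lines quoted in the thread, other keys trimmed.
SAMPLE_CONF = '''
FORBIDDEN_FILE_EXTENSION {
  filter = "extension";
  map = ["${CONFDIR}/forbidden_file_extension.map",];
}
filename_blacklist {
  filter = "extension";
  map = "/${LOCAL_CONFDIR}/file_extensions.map";
}
file_extension_blacklist {
  filter = "extension";
  map = "${LOCAL_CONFDIR}/local.d/file_extensions.map";
}
'''

RULE_RE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*\{(.*?)^\s*\}", re.S | re.M)
MAP_RE = re.compile(r"^\s*map\s*=\s*(.*?);\s*$", re.M)
VAR_RE = re.compile(r"\$\{(\w+)\}")

def lint_map_paths(conf_text, variables):
    """Expand ${VAR} in every local map path and list what looks wrong."""
    findings = []
    for rule, body in RULE_RE.findall(conf_text):
        for value in MAP_RE.findall(body):
            for raw in re.findall(r'"([^"]*)"', value):
                if "://" in raw:  # remote maps (URLs) are not linted here
                    continue
                issues = []
                unknown = [v for v in VAR_RE.findall(raw) if v not in variables]
                if unknown:
                    issues.append("unknown variable: " + ", ".join(unknown))
                resolved = VAR_RE.sub(
                    lambda m: variables.get(m.group(1), m.group(0)), raw)
                if "//" in resolved:
                    issues.append("doubled slash after expansion")
                findings.append({"rule": rule, "raw": raw,
                                 "resolved": resolved, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in lint_map_paths(SAMPLE_CONF, ASSUMED_VARS):
        print(f"{f['rule']}: {f['raw']} -> {f['resolved']}  {f['issues'] or 'ok'}")
```

The resolved paths are only as accurate as the variable values passed in, so compare them with what `rspamadm configdump` reports on the host.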