From 3e45a791cf39a57ed290a02ae94dc1fc20ce7057 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Wed, 23 Nov 2022 15:42:46 +0100 Subject: [PATCH 01/28] Implement oletools to filter out bad macros --- .github/workflows/build_test_deploy.yml | 4 +- core/base/requirements-dev.txt | 4 ++ core/base/requirements-prod.txt | 5 +- core/oletools/Dockerfile | 31 +++++++++++ core/rspamd/conf/composites.conf | 12 +++++ core/rspamd/conf/external_services.conf | 61 ++++++++++++++++++++++ core/rspamd/start.py | 1 + setup/flavors/compose/docker-compose.yml | 20 +++++++ tests/build.hcl | 10 ++++ tests/compose/core/docker-compose.yml | 13 +++++ tests/compose/fetchmail/docker-compose.yml | 13 +++++ tests/compose/filters/docker-compose.yml | 13 +++++ tests/compose/webdav/docker-compose.yml | 13 +++++ tests/compose/webmail/docker-compose.yml | 13 +++++ towncrier/newsfragments/2510.feature | 1 + 15 files changed, 211 insertions(+), 3 deletions(-) create mode 100644 core/oletools/Dockerfile create mode 100644 core/rspamd/conf/composites.conf create mode 100644 core/rspamd/conf/external_services.conf create mode 100644 towncrier/newsfragments/2510.feature diff --git a/.github/workflows/build_test_deploy.yml b/.github/workflows/build_test_deploy.yml index 4d10e4ca..a7eb4e85 100644 --- a/.github/workflows/build_test_deploy.yml +++ b/.github/workflows/build_test_deploy.yml @@ -394,7 +394,7 @@ jobs: strategy: fail-fast: false matrix: - target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "postfix", "dovecot", "unbound", "nginx"] + target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "oletools", "postfix", "dovecot", "unbound", "nginx"] steps: - uses: actions/checkout@v3 - name: Retrieve global variables 
@@ -439,7 +439,7 @@ jobs: strategy: fail-fast: false matrix: - target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "postfix", "dovecot", "unbound", "nginx"] + target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "oletools", "postfix", "dovecot", "unbound", "nginx"] steps: - uses: actions/checkout@v3 - name: Retrieve global variables diff --git a/core/base/requirements-dev.txt b/core/base/requirements-dev.txt index 92d34fdb..35e1cc9b 100644 --- a/core/base/requirements-dev.txt +++ b/core/base/requirements-dev.txt @@ -46,6 +46,10 @@ watchdog # core/postfix postfix-mta-sts-resolver +# core/oletools +python-magic +oletools + # optional/fetchmail requests diff --git a/core/base/requirements-prod.txt b/core/base/requirements-prod.txt index 716f848e..db6f2b9b 100644 --- a/core/base/requirements-prod.txt +++ b/core/base/requirements-prod.txt @@ -42,6 +42,7 @@ marshmallow==3.18.0 marshmallow-sqlalchemy==0.28.1 multidict==6.0.2 mysql-connector-python==8.0.31 +oletools==0.60.1 packaging==21.3 passlib==1.7.4 podop @ file:///app/libs/podop @@ -52,7 +53,9 @@ pycares==4.2.2 pycparser==2.21 Pygments==2.13.0 pyOpenSSL==22.1.0 -pyparsing==3.0.9 +pyparsing==2.4.7 +python-dateutil==2.8.2 +python-magic==0.4.27 python-dateutil==2.8.2 pytz==2022.6 PyYAML==6.0 diff --git a/core/oletools/Dockerfile b/core/oletools/Dockerfile new file mode 100644 index 00000000..8bb98cd9 --- /dev/null +++ b/core/oletools/Dockerfile 
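Review bot: The added `python-dateutil==2.8.2` line in requirements-prod.txt duplicates the existing `python-dateutil==2.8.2` context line immediately below it, so the pinned file now lists the package twice; drop the added line. The same hunk downgrades `pyparsing==3.0.9` to `pyparsing==2.4.7`, presumably because oletools 0.60.1 constrains pyparsing below 3; a comment next to the pin such as `# pyparsing <3 is required by oletools` would stop the next dependency refresh from bumping it back and silently breaking the scanner.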
@@ -0,0 +1,31 @@
+# syntax=docker/dockerfile-upstream:1.4.3
+
+# oletools image
+FROM base
+
+ARG VERSION=local
+LABEL version=$VERSION
+
+RUN set -euxo pipefail \
+ ; apk add --no-cache netcat-openbsd libmagic libffi \
+ ; curl -sLo olefy.py https://raw.githubusercontent.com/HeinleinSupport/olefy/f8aac6cc55283886d153e89c8f27fae66b1c24e2/olefy.py \
+ ; chmod 755 olefy.py
+
+RUN echo $VERSION >/version
+
+HEALTHCHECK --start-period=60s CMD echo PING|nc -q1 127.0.0.1 11343|grep "PONG"
+EXPOSE 11343/tcp
+
+USER nobody:nobody
+
+ENV \
+ OLEFY_BINDADDRESS="0.0.0.0" \
+ OLEFY_BINDPORT="11343" \
+ OLEFY_OLEVBA_PATH="/app/venv/bin/olevba" \
+ OLEFY_PYTHON_PATH="/app/venv/bin/python3" \
+ OLEFY_TMPDIR="/dev/shm/" \
+ OLEFY_MINLENGTH="300" \
+ OLEFY_DEL_TMP="1" \
+ OLEFY_DEL_TMP_FAILED="1"
+
+CMD /app/olefy.py
diff --git a/core/rspamd/conf/composites.conf
new file mode 100644
index 00000000..d7031520
--- /dev/null
+++ b/core/rspamd/conf/composites.conf
@@ -0,0 +1,12 @@
+OLETOOLS_MACRO_MRAPTOR {
+ expression = "(OLETOOLS_A & OLETOOLS_W) | (OLETOOLS_A & OLETOOLS_X) | (OLETOOLS_W & OLETOOLS_X)";
+ message = "Rejected (malicious macro - mraptor)";
+ policy = "leave";
+ score = 20.0;
+}
+OLETOOLS_MACRO_SUSPICIOUS {
+ expression = "OLETOOLS & OLETOOLS_SUSPICIOUS";
+ message = "Rejected (malicious macro)";
+ policy = "leave";
+ score = 20.0;
+}
diff --git a/core/rspamd/conf/external_services.conf
new file mode 100644
index 00000000..2a918caa
--- /dev/null
+++ b/core/rspamd/conf/external_services.conf
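Review bot: The `curl -sLo olefy.py https://raw.githubusercontent.com/...` line in the RUN step fetches the scanner's entry point without `-f`/`--fail` and without any integrity check, so an HTTP error page or a tampered download is silently saved, chmod'd and later executed as the container's CMD — `set -euxo pipefail` does not catch this because curl exits 0 on a 404. Pinning the URL to a commit hash fixes which revision is requested but not what was received; use `curl -sSfLo olefy.py ...` and follow it with `echo "<sha256 of that revision>  olefy.py" | sha256sum -c -` inside the same RUN. The daemon then binds `0.0.0.0:11343` with no authentication and parses attacker-supplied documents, so its only protection is the `internal: true` network the compose file attaches it to; a comment above `EXPOSE`, e.g. `# unauthenticated scanner: must only be reachable from the internal noinet network`, would keep a future maintainer from publishing the port.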
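Review bot: `OLETOOLS_MACRO_MRAPTOR`'s expression `(A & W) | (A & X) | (W & X)` is wider than the mraptor logic the pattern comment in external_services.conf points at, which as far as I recall flags only `AutoExec & (Write | Execute)`; the `(OLETOOLS_W & OLETOOLS_X)` term rejects macros that write a file and shell out but have no auto-trigger at all. That may be a deliberately stricter policy, but with the rule named after mraptor it should be stated, e.g. `# stricter than mraptor: W & X without an auto-exec trigger is also rejected`, or the expression reduced to `OLETOOLS_A & (OLETOOLS_W | OLETOOLS_X)` to match upstream. Both `message` strings say "Rejected", yet whether score 20 actually produces a reject depends on the action thresholds configured elsewhere in the rspamd setup, which this series does not show; worth confirming rather than assuming.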
@@ -0,0 +1,61 @@
+oletools {
+ # default olefy settings
+ servers = "{{ OLETOOLS_ADDRESS }}"
+
+ # needs to be set explicitly for Rspamd < 1.9.5
+ scan_mime_parts = true;
+ extended = true;
+ max_size = 3145728;
+ timeout = 20.0;
+ retransmits = 1;
+
+ patterns {
+ OLETOOLS_MACRO = '^.....M..$';
+ OLETOOLS_AUTOEXEC = '^A....M..$';
+ OLETOOLS_SUSPICIOUS = '^.....MS.$';
+# see https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py
+ OLETOOLS_A = '(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload|NavigateComplete2|NavigateError|ProgressChange|PropertyChange|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove|MouseEnter|MouseLeave|OnConnecting))|Auto_Ope\b';
+ OLETOOLS_W = '(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)';
+ OLETOOLS_X = '(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|RUN|CALL|MacScript|FollowHyperlink|CreateThread|ShellExecuteA?|ExecuteExcel4Macro|EXEC|REGISTER|SetTimer)\b|(?:\bDeclare\b[^\n]+\bLib\b)';
+ }
+
+ # mime-part regex matching in content-type or filename
+ mime_parts_filter_regex {
+ #UNKNOWN = "application\/octet-stream";
+ DOC2 = "application\/msword";
+ DOC3 = "application\/vnd\.ms-word.*";
+ XLS = "application\/vnd\.ms-excel.*";
+ PPT = "application\/vnd\.ms-powerpoint.*";
+ GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
+ }
+ # mime-part filename extension matching (no regex)
+ mime_parts_filter_ext {
+ doc = "doc";
+ dot = "dot";
+ docx = "docx";
+ dotx = "dotx";
+ docm = "docm";
+ 
dotm = "dotm"; + xls = "xls"; + xlt = "xlt"; + xla = "xla"; + xlsx = "xlsx"; + xltx = "xltx"; + xlsm = "xlsm"; + xltm = "xltm"; + xlam = "xlam"; + xlsb = "xlsb"; + ppt = "ppt"; + pot = "pot"; + pps = "pps"; + ppa = "ppa"; + pptx = "pptx"; + potx = "potx"; + ppsx = "ppsx"; + ppam = "ppam"; + pptm = "pptm"; + potm = "potm"; + ppsm = "ppsm"; + slk = "slk"; + } +} diff --git a/core/rspamd/start.py b/core/rspamd/start.py index 37de1df9..b285ca03 100755 --- a/core/rspamd/start.py +++ b/core/rspamd/start.py @@ -14,6 +14,7 @@ log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING")) os.environ["REDIS_ADDRESS"] = system.get_host_address_from_environment("REDIS", "redis") os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin") +os.environ["OLETOOLS_ADDRESS"] = system.get_host_address_from_environment("OLETOOLS", "oletools:11343") if os.environ.get("ANTIVIRUS") == 'clamav': os.environ["ANTIVIRUS_ADDRESS"] = system.get_host_address_from_environment("ANTIVIRUS", "antivirus:3310") diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index b6c99ca5..773fddd2 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -103,16 +103,33 @@ services: - {{ dns }} {% endif %} + oletools: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-{{ version }}} + hostname: oletools + restart: always + networks: + - noinet + depends_on: + {% if resolver_enabled %} + - resolver + dns: + - {{ dns }} + {% endif %} + antispam: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}} hostname: antispam restart: always env_file: {{ env }} + networks: + - default + - noinet volumes: - "{{ root }}/filter:/var/lib/rspamd" - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro" depends_on: - front + - oletools {% if resolver_enabled %} - resolver dns: 
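Review bot: `max_size = 3145728`, `timeout = 20.0` and `retransmits = 1` are fail-open knobs with no comment on what happens past them: as far as I understand rspamd's external_services module, a mime part above 3 MiB is simply not sent to olefy, and a scan that times out or cannot reach `{{ OLETOOLS_ADDRESS }}` only yields an `OLETOOLS_FAIL` symbol at zero weight, so in both cases the office document is delivered unscanned. Since the composites in this series reject at score 20, an oversized attachment or a wedged scanner is the obvious way around them; add `# parts above max_size and failed/timed-out scans are NOT blocked (fail-open)` and make a deliberate decision on whether `OLETOOLS_FAIL` should carry a score. The patterns also mix two olefy output forms (an 8-character flag string for `OLETOOLS_MACRO`/`AUTOEXEC`/`SUSPICIOUS`, raw macro source for `OLETOOLS_A/W/X`); one comment line saying which applies to which would keep the next edit from confusing them.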
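Review bot: The new `OLETOOLS_ADDRESS` line is unconditional, whereas the `ANTIVIRUS_ADDRESS` line right below it is guarded by `if os.environ.get("ANTIVIRUS") == 'clamav':`; any deployment whose compose or flavor file does not include the new oletools service (flavors not touched by this series, or an existing install that is not regenerated) will have rspamd try `oletools:11343` for every office attachment and wait out the 20 s timeout plus one retransmit before delivering the mail unscanned. If opting out is intentionally unsupported, a comment such as `# oletools is mandatory: rspamd's external_services config always references it` would make that clear; otherwise mirror the antivirus toggle. The surrounding script continues outside the hunk.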
@@ -199,3 +216,6 @@ networks: {% if ipv6_enabled %} - subnet: {{ subnet6 }} {% endif %} + noinet: + driver: bridge + internal: true diff --git a/tests/build.hcl b/tests/build.hcl index d657cbb7..f5893b8c 100644 --- a/tests/build.hcl +++ b/tests/build.hcl @@ -34,6 +34,7 @@ group "default" { "antispam", "front", "imap", + "oletools", "smtp", "webmail", @@ -152,6 +153,15 @@ target "front" { tags = tag("nginx") } +target "oletools" { + inherits = ["defaults"] + context = "core/oletools/" + contexts = { + base = "target:base" + } + tags = tag("oletools") +} + target "imap" { inherits = ["defaults"] context = "core/dovecot/" diff --git a/tests/compose/core/docker-compose.yml b/tests/compose/core/docker-compose.yml index 1f9d6730..8d56a443 100644 --- a/tests/compose/core/docker-compose.yml +++ b/tests/compose/core/docker-compose.yml @@ -65,10 +65,20 @@ services: depends_on: - front + oletools: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local} + hostname: oletools + restart: always + networks: + - noinet + antispam: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local} restart: always env_file: mailu.env + networks: + - default + - noinet volumes: - "/mailu/filter:/var/lib/rspamd" - "/mailu/dkim:/dkim" @@ -96,3 +106,6 @@ networks: driver: default config: - subnet: 192.168.203.0/24 + noinet: + driver: bridge + internal: true diff --git a/tests/compose/fetchmail/docker-compose.yml b/tests/compose/fetchmail/docker-compose.yml index c1a1a55c..067532fa 100644 --- a/tests/compose/fetchmail/docker-compose.yml +++ b/tests/compose/fetchmail/docker-compose.yml 
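Review bot: In the new `oletools:` service of setup/flavors/compose/docker-compose.yml the `depends_on:` key is emitted unconditionally while its only list item `- resolver` sits inside `{% if resolver_enabled %}`, so with the resolver disabled the template renders a bare `depends_on:` (YAML null), which compose's schema validation may reject — the `antispam:` service avoids this only because it always lists `- front` and `- oletools`. Move the `depends_on:` key inside the conditional, or drop it together with `dns:` since a container that is only on the `internal: true` `noinet` network presumably cannot reach the resolver anyway and olefy has no need for DNS. Putting the document parser on an internal-only network is the right containment and deserves a one-line comment on the `noinet:` network definition, e.g. `# no egress: only the oletools scanner and rspamd live here`.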
@@ -65,10 +65,20 @@ services: depends_on: - front + oletools: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local} + hostname: oletools + restart: always + networks: + - noinet + antispam: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local} restart: always env_file: mailu.env + networks: + - default + - noinet volumes: - "/mailu/filter:/var/lib/rspamd" - "/mailu/dkim:/dkim" @@ -103,3 +113,6 @@ networks: driver: default config: - subnet: 192.168.203.0/24 + noinet: + driver: bridge + internal: true diff --git a/tests/compose/filters/docker-compose.yml b/tests/compose/filters/docker-compose.yml index 41908a40..3eb2d84c 100644 --- a/tests/compose/filters/docker-compose.yml +++ b/tests/compose/filters/docker-compose.yml @@ -65,10 +65,20 @@ services: depends_on: - front + oletools: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local} + hostname: oletools + restart: always + networks: + - noinet + antispam: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local} restart: always env_file: mailu.env + networks: + - default + - noinet volumes: - "/mailu/filter:/var/lib/rspamd" - "/mailu/dkim:/dkim" @@ -102,3 +112,6 @@ networks: driver: default config: - subnet: 192.168.203.0/24 + noinet: + driver: bridge + internal: true diff --git a/tests/compose/webdav/docker-compose.yml b/tests/compose/webdav/docker-compose.yml index 5dfa6bc8..1391b68d 100644 --- a/tests/compose/webdav/docker-compose.yml +++ b/tests/compose/webdav/docker-compose.yml @@ -65,10 +65,20 @@ services: depends_on: - front + oletools: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local} + hostname: oletools + restart: always + networks: + - noinet + antispam: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local} restart: always env_file: mailu.env + networks: + - default + - noinet volumes: - "/mailu/filter:/var/lib/rspamd" - "/mailu/dkim:/dkim" 
@@ -103,3 +113,6 @@ networks: driver: default config: - subnet: 192.168.203.0/24 + noinet: + driver: bridge + internal: true diff --git a/tests/compose/webmail/docker-compose.yml b/tests/compose/webmail/docker-compose.yml index 14d1dae9..5e106105 100644 --- a/tests/compose/webmail/docker-compose.yml +++ b/tests/compose/webmail/docker-compose.yml @@ -65,10 +65,20 @@ services: depends_on: - front + oletools: + image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local} + hostname: oletools + restart: always + networks: + - noinet + antispam: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local} restart: always env_file: mailu.env + networks: + - default + - noinet volumes: - "/mailu/filter:/var/lib/rspamd" - "/mailu/dkim:/dkim" @@ -104,3 +114,6 @@ networks: driver: default config: - subnet: 192.168.203.0/24 + noinet: + driver: bridge + internal: true diff --git a/towncrier/newsfragments/2510.feature b/towncrier/newsfragments/2510.feature new file mode 100644 index 00000000..a6ad675b --- /dev/null +++ b/towncrier/newsfragments/2510.feature @@ -0,0 +1 @@ +Implement OLETools and block bad macros in office documents From 7e1ab7978eec83ebb9a6be2d1b4baeb58e5097d6 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Wed, 23 Nov 2022 18:56:16 +0100 Subject: [PATCH 02/28] Block VBA Stomping too --- core/rspamd/conf/composites.conf | 2 +- core/rspamd/conf/external_services.conf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/core/rspamd/conf/composites.conf b/core/rspamd/conf/composites.conf index d7031520..28a3e9c3 100644 --- a/core/rspamd/conf/composites.conf +++ b/core/rspamd/conf/composites.conf @@ -5,7 +5,7 @@ OLETOOLS_MACRO_MRAPTOR { score = 20.0; } OLETOOLS_MACRO_SUSPICIOUS { - expression = "OLETOOLS & OLETOOLS_SUSPICIOUS"; + expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP"; message = "Rejected (malicious macro)"; policy = "leave"; score = 20.0; 
diff --git a/core/rspamd/conf/external_services.conf b/core/rspamd/conf/external_services.conf index 2a918caa..267a9d80 100644 --- a/core/rspamd/conf/external_services.conf +++ b/core/rspamd/conf/external_services.conf @@ -13,6 +13,7 @@ oletools { OLETOOLS_MACRO = '^.....M..$'; OLETOOLS_AUTOEXEC = '^A....M..$'; OLETOOLS_SUSPICIOUS = '^.....MS.$'; + OLETOOLS_VBASTOMP = '^.....M.V$'; # see https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py OLETOOLS_A = '(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload|NavigateComplete2|NavigateError|ProgressChange|PropertyChange|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove|MouseEnter|MouseLeave|OnConnecting))|Auto_Ope\b'; OLETOOLS_W = '(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)'; From 1327f34c2c89c2e48715014b16b1acc33e5b9359 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 10:48:25 +0100 Subject: [PATCH 03/28] Add tests to ensure we block macros --- tests/compose/filters/03_email_macro.sh | 14 ++++ .../2003x32_word_msgbox_stomped_fakecode.doc | Bin 0 -> 28672 bytes tests/compose/filters/excel4_sample_macro.slk | 68 ++++++++++++++++++ 3 files changed, 82 insertions(+) create mode 100755 tests/compose/filters/03_email_macro.sh create mode 100644 tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc create mode 100644 tests/compose/filters/excel4_sample_macro.slk 
diff --git a/tests/compose/filters/03_email_macro.sh b/tests/compose/filters/03_email_macro.sh new file mode 100755 index 00000000..c91d1363 --- /dev/null +++ b/tests/compose/filters/03_email_macro.sh @@ -0,0 +1,14 @@ +# Malicious macros should be blocked +# see https://github.com/clr2of8/VBAstomp and https://github.com/decalage2/oletools/wiki/mraptor +python3 tests/email_test.py message-macro-stomp "tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc" +if [ $? -eq 25 ]; then + exit 0 +else + exit 1 +fi +python3 tests/email_test.py message-autoexec-macro "tests/compose/filters/excel4_sample_macro.slk" +if [ $? -eq 25 ]; then + exit 0 +else + exit 1 +fi 
diff --git a/tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc b/tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc new file mode 100644 index 0000000000000000000000000000000000000000..f6d78e458fb3c8d0f00017f8d7a87e0744291da2 GIT binary patch literal 28672 zcmeHQeRN#Kb)WZkSC(YSUdhJTV9ZJ~U>i&9u2!;STcFi`ST>SZwrm`VVrwO>EZLG) zXxCtuU=~bTACjIrg~Lb7X`IxYegVgPB!!fm8n=JY78>_JI6!;AwF*PLchAw;fabEF)P=n%sqCF^E?6M7vjVnP!)X>w0m>fy52gBWup{c`ACB)sL z6O*7{rli1|jQJt#n)AwR!_?x?h9RjR({B_qILYcn5V174F)=QAny6rVSnXCYH;IS{ zVaBoAh}eOOf`~JvTUM)LT$^=S@zhe=M7!9CykV3GiR~yKfh5WcBDM|O7-}Lh_mdViX&*lj5To7b=38ucv0Mc|G|I|70~(s%2M~d9f)59EcU$qPzA@y zdS{$3xxI_Lm1nc_aTDGm#2HKkY%T9AgtT*n+#X%Vc*$lf&G6N*b#1usJ(%@0Iiu3# z49Iv~#*8&>x{)%97h(RUkZTxahhVU+F|z`j*cz}kU~9nEz-6HU?i08!!MDK9!q|Ot z*Uilm&vpI_Sc-6&87~K&2b>S&KBEH2wPgWtA@B;|BH)$4#X!oq3iN6q*H7*kmjStV z_W-Ma%u@rp9C#h@df*Mf6~L81rr!v<8dwXg1KtGm0)0TH*Mnlo77f5glLxj97tw%r z%kvpcj=Uzkt91QHi5Op4)b0=u=wjfE(}{_&RCG-w_ayq$t}PsrR()ZSzOdyPy>yN~ zqAe^gsw~kfGo6n;wX;H$>6!pi?HjzpXxRWD^oAo8qnH`Y3>qM6*$Hw8hox-t7 z^lZ4t>-GA*#{>1=T2btDhD51DpQlxNy@AGiYlOefTjQ+>tra~xhQ|hycc(;8_kq-o z*p5bLpvRH$*QH1LL`|$C;tB3cXOg4w^l)-a^g4uoD6%;@F&ZCnA&?2l1B5M^=se-c zRFq`2Rb@RPM`dZz`;R`g(^)JIRmBDehx;oY+#M5x8EkF(uXtehvCOr9_(0W$d;B6C zZ3=q>p<2<<77f<=yuQ}9+O}|{A+tNUCzweDGA{q&-I?#<^dLU!i4Kn>M9Q;be^cYi zp4L!ubTm2UDCrTM!~GM5g`iNt{DiAAFuLlK|w^>lW}>cSmm9W}q}KGfy$ z`Rd$WPpt3$k31d2y?qn$i38$>jF?}ce?=DyPHK+?muM#kw+#)a!by0MqlvNf2C>+6 zqGVg^kn}DqS~r1zViTOp?XBZi{nK3kdvlkbsKnjb-lq9ZKJ-@(+(^sXbj`K;WL4yy zP1SA1H@0a@gx0&+ow&O*uHC#rR7Ntc&6(Tb;bunq!*EuvONpz#R^q?8aeda`` zr)son?#X2#kNc!$SBv{@w(#(+s}5+=k{DjOmh%c}nTWj78#Y2NctrXBG(qohRZqwm z`HAf;kpW8~jN3u5rXZSrFe$`+$R-V!;b3aHZMkODD*Ar<-14<&_q6}PeHHI@y!FI# zR0eTGZpjJ8p$yInU@NV69MfLr1)v@F$VSrOZZX|y<{dYZWjReW=Te0D&`fcOm(7-# zj2!vr0@{C$_B;=;hZGeUe`(#eL~_#$j8H~C`%mwL1!!M+*3UIyw)UUCld}JmqwGJ! 
z9;A_0n{+v7KKs84{0rHC`a8=0Qy%UA8ekK!8Mqd>4oL5)1$Z+M?v!W+27ztB5HJj6 z`6%cHU^{Rla1-!WU}}a0oaI+ymST909U@Jlnvuh36*3oxllT3dpp5CcWFFU|kTt zw&MCjf0lguLvtRZ)D!?)=dhdhMw%N;6`j*!Gpz;fnhpl{3+6I`GLC<9f(bYwuObQ= zI+yIw+Mcehu?<^;2mL*vSZ8N!^FbKEjiIfvZUk;?3lbY~i8R6{c3^hus7`>18>@5) zXDfg`VuRU=pvn7llX6oq32ck2WNKUHLnx;M+cJ^dt?afk+sam_J#t-0C`(O4y(6|Y zTo>zTV~^Q@9m$CSHVnsg64D(8gVdjdb7Q8?Y zmQ$>za?NAqMaX8bSp7=s2*B#i+Qb%<_k>9~Sto(jcbxi<+F#vqwfp-&7Jnha?{CF6 zPLCi<0lgTjnOx#hJ(Ef@)-$V;xSDmSMjAR~Bh?AL(MY3JJ}MFL_a^O?F?CTg3k?6;KNDO!a zH~AZH@_T*Fp1uQ~cxrSwJ%szCnEPS#9;wUSJatCz`Yy3AM*B06tPol|_!Uzccj`u4 z6?K^ULoO58AE+Or4;wRUedgDnJ6A8ycnx5696KlW`S&v-*B#L-1bvLS=9%Xih7dhDU-`qf7x?!gmoi)_3M6i)uLk(SVWr zVpn#UlDT-(6jCNZ)7WK(_Jd9;9g%!sRNslakVRCpm{T?O1B4i7Q-8Ctg3S<(rECR5 z`ubwCZTkAMT*ydOtv5Cw zD5%_{449zu%YyPEa9T;D`Jf!9YJ@I+&l(C>q(p$y+kTQ1;JVKXvl{;h(8ybca=0-KBmY=qVz-Yh<#yi0|1|DZvO z)%O=mT}mk#;~f#+00Lp20W3Ddt3c&wnt6H=ccLs?t!@iV8%OL>CpE)ejjW?iYg_dtV4tqR&S3I4-arnMI`jL1DH=Y<Yl3V^3sTNY(RSrc?9i`b`~N(La%6l-ZSmb$B3(4 zxM6=H@37)OLF6#<<+DFVvyeDzV5cr_f7J9UDBifsW@3MMhyP|_1$v>2?rKA6n&`&E zS~;pY9&M7rQ}##00frCz_sO>k>ac6i|5%pF+7HyU3~S18cg@+8&B~fJLsv-3X@X&8 zp~@;e(n1;aPtBvsC@KZx;=~<~g^JyhGQEhY@`i=sL^437sdOcy5MQOM{FI`2*0AC! 
zs!K1!urOcPbU3G)4w!<~sGEvbWrIY@8ZhZ(7;`R6eNE6w~1A)mg;?rAQ z{7RbT4dNcyLjL)I0X%Jw;w;nPc&CIyCU-Jbbn{-=z5q@^y`as&5Io!-c%yvk zzX8{vIEY$$z>mRS?ZkC6I6iPX;m@i!2Mmt!G_c2fD%glT^CCSTDjmy(iJv5^a4O4or`dW*2 z8sQ7;p$YA*M;oaNr3b#MVZ6;VD%&`Wmf=_q;T5=}o6xtFQWtD3^QM3}nnOBH0P#nD z0y$#nUsP%=0__?4>xO3^gO0&eo)6yx z;M+%-Ll$@??~JL3j7eQsLo?Hq-<&a%n%aSOkD-lxQv-*q@;!)@?B5RPC;$$RZq1Wh z%&0oVM$m^E+4Bf`q+VR%8(M1AEggYV!7&d_vAFqoJc^|mAOv#r1c$HCe-o~p_aXGY z0s4-j)>>%Q3v5HE4e62GED9pkxK9Em-!JbMw*J!QNeKEG#UE!hXS|wCyqnISLETtQ zIHC#YtGOD@NXKy|Xep@MT#=|{8bQOV(;!X-O{P!f z6^=3Yba*7lm!=A>tP3$h^%ya=F>Qpd5@^u^y>OXqmfI%@=#9W3HVRZ?VoiS!i^9*} z^=7k6^?bRr*(!L2gvAuQ9t*J1Q%!3Eqj0Y;Ek&*D*3zul8n?s$cQmlM#s9P6&_8y( zQu5sPH~#gZ@33W@?{6$Q-E;0opKbo5?|1bbzU|((6rYrvl?)I^D%t{(6^F0K_QuJR z!td;L3x^YDnZNvzTezG!&9!d)-&4mf9w_|XhqiH5W6CG#YgtR$yxj^$_wKG$p`Ns{2=^o zWH8R?uGmM3oymcHBMDz$1MF{p&{QbYYMImMTkZjO&8TB^+{02%Fxk?~M+ES=b&X5C(}Zc9w0@aPiTqK?;EM*@{Poc_(QvfQifmg~TT68?6pS=B1bvb4 zn#M@PK%{L5wNy9xo4kRx=BVEr#53EVHylMmdFdVP$yC}C*`H2~4J0N!8^;EdUoJ1r zb;;LqPkmFpKinAb)`p_Z-ddk86oqmE^|f9I2{rqCUT;J2-gP+fUzaQ8m6CDG>`jfw z`x6joRalF^VYP?otM~a=dl~|`Ku_vvM2mN|C-*NzAN@jL6zc%8&Cl~0Q6c#0 zQ?H6Ud+EKLt^6A!6Q%IDOumghPxS5S+jD2von1zv^;+UwB$|+W!CFlsecuZ~Hj76u zCKL**^kXt`jAt4EQfpZ8rc<6iDR>`cXaXKW-w63AA8kE~bW&Io2}jWLpCR7ewX+BZF2@e5JPwStnTs4A!O zsQ4z7;~PG&oBEkfnUB+Qx}528>cIIYYkD&7HG%eUkQ(r2s(v93-{Ho+CNlHJg zhi`7Fek!W!S8+vE`9f6Xn@-hyRJ2fe#iu?@)hJe8I=vnhS9(_QLR1M=_Q6WSNQ|N# zq*gx5s5sLJFTozsKD`dg=W_3XGD+!qrj#oMioumA%gr&yZLl>kdkw(L@N}oKbHroo z?)d2VNFuknC@-JAIJ?Bwis_`8gXlyHOw{{r{;A7$#mhe zK2z>u(7fk%;I{(B&Qs5mwDQvPQV~xJWcYiBUuKxPMAxKF*$&2+m=weYTLZQRYz^2N zur*+7z}A4R0b2vM25b%38n87mYYkk;|JQ%`#t)yYyW0KmWAOi1fBr1}fBNq9hv}aV z0qK{I1L^PMSBKKye-M;s1YZa8J0SQ)gZ%2@lc4n9j{)hwKMmxY1TO;V@ALeCvd;jm zem#9)g4Hip{xN-i@;|y_uB?Ok=JEoVPM4u_mSdR0hs(~Kfj7o_4ECW*#hdH zb^m$(bi}O4TEBm`l_Njv=h++YshRfwTIAgZBv|XOH(0Z}UP}L~P(#wJ<@_IT&#HR- zqC%JN@o-FM+W#8lJ!p=9q2H*_v=vvGTcY{~u|)_10UmKZ!o`%X4qMbLL3irPaFrf04Rb gc6$A9|I5U&+FyLO@$rv8`0nl9-?%-Wd~5yx4WHm&)&Kwi literal 0 HcmV?d00001 
diff --git a/tests/compose/filters/excel4_sample_macro.slk b/tests/compose/filters/excel4_sample_macro.slk new file mode 100644 index 00000000..3bd187ca --- /dev/null +++ b/tests/compose/filters/excel4_sample_macro.slk @@ -0,0 +1,68 @@ +ID;PWXL;N;E +P;PGeneral +P;P0 +P;P0.00 +P;P#,##0 +P;P#,##0.00 +P;P#,##0;;\-#,##0 +P;P#,##0;;[Red]\-#,##0 +P;P#,##0.00;;\-#,##0.00 +P;P#,##0.00;;[Red]\-#,##0.00 +P;P#,##0\ "$";;\-#,##0\ "$" +P;P#,##0\ "$";;[Red]\-#,##0\ "$" +P;P#,##0.00\ "$";;\-#,##0.00\ "$" +P;P#,##0.00\ "$";;[Red]\-#,##0.00\ "$" +P;P0% +P;P0.00% +P;P0.00E+00 +P;P##0.0E+0 +P;P#" "?/? +P;P#" "??/?? +P;Pdd/mm/yyyy +P;Pdd\-mmm\-yy +P;Pdd\-mmm +P;Pmmm\-yy +P;Ph:mm\ AM/PM +P;Ph:mm:ss\ AM/PM +P;Phh:mm +P;Phh:mm:ss +P;Pdd/mm/yyyy\ hh:mm +P;Pmm:ss +P;Pmm:ss.0 +P;P@ +P;P[h]:mm:ss +P;P_-* #,##0\ "$"_-;;\-* #,##0\ "$"_-;;_-* "-"\ "$"_-;;_-@_- +P;P_-* #,##0_-;;\-* #,##0_-;;_-* "-"_-;;_-@_- +P;P_-* #,##0.00\ "$"_-;;\-* #,##0.00\ "$"_-;;_-* "-"??\ "$"_-;;_-@_- +P;P_-* #,##0.00_-;;\-* #,##0.00_-;;_-* "-"??_-;;_-@_- +P;FCalibri;M220;L9 +P;FCalibri;M220;L9 +P;FCalibri;M220;L9 +P;FCalibri;M220;L9 +P;ECalibri;M220;L9 +P;ECalibri Light;M360;L55 +P;ECalibri;M300;SB;L55 +P;ECalibri;M260;SB;L55 +P;ECalibri;M220;SB;L55 +P;ECalibri;M220;L18 +P;ECalibri;M220;L21 +P;ECalibri;M220;L61 +P;ECalibri;M220;L63 +P;ECalibri;M220;SB;L64 +P;ECalibri;M220;SB;L53 +P;ECalibri;M220;L53 +P;ECalibri;M220;SB;L10 +P;ECalibri;M220;L11 +P;ECalibri;M220;SI;L24 +P;ECalibri;M220;SB;L9 +P;ECalibri;M220;L10 +P;ESegoe UI;M200;L9 +F;P0;DG0G8;E;M292 +B;Y2;X1;D0 0 1 0 +O;L;E;D;V0;K47;G100 0.001 +F;W1 1 17 +F;W2 16384 9 +NN;NAuto_Open;ER1C1 +C;Y1;X1;KFALSE;EALERT("This is a sample Excel 4 macro") +C;Y2;KTRUE;EHALT() +E From d793c5eed8c87a7aa7cc1cc93f8493ebafe3e22d Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 11:01:12 +0100 Subject: [PATCH 04/28] Dup symbol --- core/rspamd/conf/external_services.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/core/rspamd/conf/external_services.conf b/core/rspamd/conf/external_services.conf index 267a9d80..97ec1dba 100644 --- a/core/rspamd/conf/external_services.conf +++ b/core/rspamd/conf/external_services.conf @@ -10,7 +10,7 @@ oletools { retransmits = 1; patterns { - OLETOOLS_MACRO = '^.....M..$'; + OLETOOLS_MACRO_FOUND= '^.....M..$'; OLETOOLS_AUTOEXEC = '^A....M..$'; OLETOOLS_SUSPICIOUS = '^.....MS.$'; OLETOOLS_VBASTOMP = '^.....M.V$'; From e43effab63a56326a3242831933f31dfadd148e3 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 11:08:13 +0100 Subject: [PATCH 05/28] Glad there is a test --- core/rspamd/conf/external_services.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/rspamd/conf/external_services.conf b/core/rspamd/conf/external_services.conf index 97ec1dba..f43fcb0f 100644 --- a/core/rspamd/conf/external_services.conf +++ b/core/rspamd/conf/external_services.conf 
@@ -13,7 +13,7 @@ oletools { OLETOOLS_MACRO_FOUND= '^.....M..$'; OLETOOLS_AUTOEXEC = '^A....M..$'; OLETOOLS_SUSPICIOUS = '^.....MS.$'; - OLETOOLS_VBASTOMP = '^.....M.V$'; + OLETOOLS_VBASTOMP = '^VBA Stomping$'; # see https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py OLETOOLS_A = '(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload|NavigateComplete2|NavigateError|ProgressChange|PropertyChange|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove|MouseEnter|MouseLeave|OnConnecting))|Auto_Ope\b'; OLETOOLS_W = '(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)'; From 32d44b96c37bd38b36fcfd91b0e27251e10d0bed Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 11:22:43 +0100 Subject: [PATCH 06/28] Fix the logic --- tests/compose/filters/03_email_macro.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tests/compose/filters/03_email_macro.sh b/tests/compose/filters/03_email_macro.sh index c91d1363..8ecad31d 100755 --- a/tests/compose/filters/03_email_macro.sh +++ b/tests/compose/filters/03_email_macro.sh 
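Review bot: `OLETOOLS_VBASTOMP = '^VBA Stomping$'` now matches a literal report line while the three patterns above it match positions in an 8-character flag string, and nothing in the file says which olefy output each form is applied to; a comment such as `# olefy reports stomping as its own line, not as a flag character` next to it would spare the next reader the round trip this commit evidently made. I am inferring the olefy output format from the patterns themselves, so confirm the wording against the olefy.py revision pinned in the Dockerfile.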
@@ -1,14 +1,12 @@ # Malicious macros should be blocked # see https://github.com/clr2of8/VBAstomp and https://github.com/decalage2/oletools/wiki/mraptor python3 tests/email_test.py message-macro-stomp "tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc" -if [ $? -eq 25 ]; then - exit 0 -else +if [ $? -ne 25 ]; then exit 1 fi python3 tests/email_test.py message-autoexec-macro "tests/compose/filters/excel4_sample_macro.slk" -if [ $? -eq 25 ]; then - exit 0 -else +if [ $? -ne 25 ]; then exit 1 fi + +exit 0 From 3bdc57adbcf4e4a6643f114c4ea6b1b5f41c96e0 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 11:40:10 +0100 Subject: [PATCH 07/28] Forgot this --- core/rspamd/conf/external_services_group.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 core/rspamd/conf/external_services_group.conf diff --git a/core/rspamd/conf/external_services_group.conf b/core/rspamd/conf/external_services_group.conf new file mode 100644 index 00000000..bed44eea --- /dev/null +++ b/core/rspamd/conf/external_services_group.conf @@ -0,0 +1,10 @@ +# local.d/external_services_group.conf + +description = "Oletools content rules"; +symbols = { + "OLETOOLS" { + weight = 1.0; + description = "OLETOOLS found a Macro"; + one_shot = true; + }, +} From 709023ab5a1ef93cba472772cec1d85ab47cba30 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 12:04:03 +0100 Subject: [PATCH 08/28] dimitri said "block it" So let's block any macro with AUTOEXEC --- core/rspamd/conf/composites.conf | 2 +- tests/compose/filters/03_email_macro.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/core/rspamd/conf/composites.conf b/core/rspamd/conf/composites.conf index 28a3e9c3..912061af 100644 --- a/core/rspamd/conf/composites.conf +++ b/core/rspamd/conf/composites.conf 
@@ -5,7 +5,7 @@ OLETOOLS_MACRO_MRAPTOR { score = 20.0; } OLETOOLS_MACRO_SUSPICIOUS { - expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP"; + expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP | OLETOOLS_AUTOEXEC"; message = "Rejected (malicious macro)"; policy = "leave"; score = 20.0; diff --git a/tests/compose/filters/03_email_macro.sh b/tests/compose/filters/03_email_macro.sh index 8ecad31d..484fd5ff 100755 --- a/tests/compose/filters/03_email_macro.sh +++ b/tests/compose/filters/03_email_macro.sh @@ -4,6 +4,7 @@ python3 tests/email_test.py message-macro-stomp "tests/compose/filters/2003x32_w if [ $? -ne 25 ]; then exit 1 fi +# This does Auto_Open + Alert() python3 tests/email_test.py message-autoexec-macro "tests/compose/filters/excel4_sample_macro.slk" if [ $? -ne 25 ]; then exit 1 From 612db96209c5651ee40376319bad4ce4986194fa Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 12:09:15 +0100 Subject: [PATCH 09/28] Block executable file extensions (closes #2511) --- core/rspamd/conf/forbidden_file_extension.map | 28 +++++++++++++++++++ core/rspamd/conf/multimap.conf | 13 +++++++++ 2 files changed, 41 insertions(+) create mode 100644 core/rspamd/conf/forbidden_file_extension.map diff --git a/core/rspamd/conf/forbidden_file_extension.map b/core/rspamd/conf/forbidden_file_extension.map new file mode 100644 index 00000000..15b12851 --- /dev/null +++ b/core/rspamd/conf/forbidden_file_extension.map @@ -0,0 +1,28 @@ +scr +lnk +exe +msi +msp +mst +msu +jar +com +bat +cmd +ps1 +cab +vbs +vbe +vbscript +hta +shs +wsc +wsf +wsh +iso +img +bin +cpl +jse +ace +arj diff --git a/core/rspamd/conf/multimap.conf b/core/rspamd/conf/multimap.conf index dd25c08e..7b929ef5 100644 --- a/core/rspamd/conf/multimap.conf +++ b/core/rspamd/conf/multimap.conf 
@@ -9,3 +9,16 @@ IS_LOCAL_DOMAIN_E { selector = "from('smtp'):domain"; map = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/local_domains"; } + +FORBIDDEN_FILE_EXTENSION { + type = "filename"; + filter = "extension"; + map = [ + "/etc/rspamd/override.d/forbidden_file_extension.map", + ]; + prefilter = true; + action = "reject"; + symbol = "FORBIDDEN_FILE_EXTENSION"; + description = "List of forbidden file extensions"; + message = "Forbidden attachment extension"; +} From a8061f3ed361670e7e267f416ace05b354718193 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 12:25:41 +0100 Subject: [PATCH 10/28] doh --- core/rspamd/conf/composites.conf | 2 +- core/rspamd/conf/external_services_group.conf | 28 +++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/core/rspamd/conf/composites.conf b/core/rspamd/conf/composites.conf index 912061af..eaf48d8e 100644 --- a/core/rspamd/conf/composites.conf +++ b/core/rspamd/conf/composites.conf @@ -5,7 +5,7 @@ OLETOOLS_MACRO_MRAPTOR { score = 20.0; } OLETOOLS_MACRO_SUSPICIOUS { - expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP | OLETOOLS_AUTOEXEC"; + expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP | OLETOOLS_A"; message = "Rejected (malicious macro)"; policy = "leave"; score = 20.0; diff --git a/core/rspamd/conf/external_services_group.conf b/core/rspamd/conf/external_services_group.conf index bed44eea..ac032fbc 100644 --- a/core/rspamd/conf/external_services_group.conf +++ b/core/rspamd/conf/external_services_group.conf 
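Review bot: `FORBIDDEN_FILE_EXTENSION` reads its map from `/etc/rspamd/override.d/forbidden_file_extension.map`, but the map file is added under `core/rspamd/conf/`, and the compose files in this series bind-mount `override.d` read-only from the operator's overrides directory; unless rspamd's start.py copies `conf/` into `override.d` (not visible here), the map is absent at runtime, rspamd logs a map-load error and the rule never fires — the feature silently does nothing. Verify the rendered path and consider listing both the shipped map and an operator path in `map = [...]` so the list can be extended without being replaced. Note also that `prefilter = true; action = "reject"` runs before every other rule, including for authenticated submissions if rspamd scans them, that the match is on the last filename extension only (an `.exe` inside a `.zip` passes, as the changelog entry acknowledges), and that it should be confirmed the `extension` filter compares case-insensitively so `SETUP.EXE` is caught too.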
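Review bot: `OLETOOLS_A` is not an auto-exec check in the narrow sense: the regex in external_services.conf also matches any `\w+_Click`, `\w+_Change`, `\w+_MouseMove` and similar handler, so every document carrying an ordinary UserForm button handler is now rejected at score 20 with the sender-facing text `Rejected (malicious macro)`. If that is the intended policy (patch 08's message suggests it is), say so next to the composite, e.g. `# any macro with an auto-exec or UI event trigger is rejected, not only known-bad ones`, and consider a message that does not call a legitimate form macro malicious, such as `Rejected (macro with auto-execution trigger)`.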
@@ -7,4 +7,32 @@ symbols = { description = "OLETOOLS found a Macro"; one_shot = true; }, + "OLETOOLS_MACRO_FOUND" { + weight = 0.0; + one_shot = true; + }, + "OLETOOLS_AUTOEXEC" { + weight = 0.0; + one_shot = true; + }, + "OLETOOLS_SUSPICIOUS" { + weight = 0.0; + one_shot = true; + }, + "OLETOOLS_VBASTOMP" { + weight = 0.0; + one_shot = true; + }, + "OLETOOLS_A" { + weight = 0.0; + one_shot = true; + }, + "OLETOOLS_W" { + weight = 0.0; + one_shot = true; + }, + "OLETOOLS_X" { + weight = 0.0; + one_shot = true; + }, } From d77bf119f8bd03bee0dca422adb08d0b5df5a9a6 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 12:47:13 +0100 Subject: [PATCH 11/28] towncrier --- towncrier/newsfragments/2511.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 towncrier/newsfragments/2511.misc diff --git a/towncrier/newsfragments/2511.misc b/towncrier/newsfragments/2511.misc new file mode 100644 index 00000000..b584e3c4 --- /dev/null +++ b/towncrier/newsfragments/2511.misc @@ -0,0 +1 @@ +Block executable file formats by default. Ask your users to zip them up if required. From b08d940d0960780b903e42bf2fccad58a307a37d Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 13:06:59 +0100 Subject: [PATCH 12/28] See https://github.com/decalage2/oletools/issues/659 --- core/rspamd/conf/external_services.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/rspamd/conf/external_services.conf b/core/rspamd/conf/external_services.conf index f43fcb0f..170b2b00 100644 --- a/core/rspamd/conf/external_services.conf +++ b/core/rspamd/conf/external_services.conf 
@@ -15,7 +15,7 @@ oletools { OLETOOLS_SUSPICIOUS = '^.....MS.$'; OLETOOLS_VBASTOMP = '^VBA Stomping$'; # see https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py - OLETOOLS_A = '(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload|NavigateComplete2|NavigateError|ProgressChange|PropertyChange|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove|MouseEnter|MouseLeave|OnConnecting))|Auto_Ope\b'; + OLETOOLS_A = '(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload|NavigateComplete2|NavigateError|ProgressChange|PropertyChange|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove|MouseEnter|MouseLeave|OnConnecting))\b|Auto_Ope\b'; OLETOOLS_W = '(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)'; OLETOOLS_X = '(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|RUN|CALL|MacScript|FollowHyperlink|CreateThread|ShellExecuteA?|ExecuteExcel4Macro|EXEC|REGISTER|SetTimer)\b|(?:\bDeclare\b[^\n]+\bLib\b)'; } From 02f2679dc4719ed85cd4035a2abde98d3f2d09b5 Mon Sep 17 00:00:00 2001 
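Review bot: Moving the closing `\b` inside the alternation is the right fix, since otherwise the boundary only applied to the trailing `Auto_Ope` branch, but the comment above these patterns still links `mraptor.py` on `master`, which drifts away from the copies kept here and is exactly how the original mismatch went unnoticed; pinning the link to the tag of the oletools release installed in the image, with a note such as `# copied from oletools mraptor.py at the packaged release's tag; re-diff on every oletools bump`, would let the next reviewer check the three regexes mechanically. `OLETOOLS_W` and `OLETOOLS_X` are unchanged copies from the same source and should sit under the same note. The enclosing `oletools { ... }` block starts before this hunk and continues past it.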
From: Florent Daigniere Date: Thu, 24 Nov 2022 13:51:54 +0100 Subject: [PATCH 13/28] name collision --- core/rspamd/conf/composites.conf | 2 +- core/rspamd/conf/external_services.conf | 2 +- core/rspamd/conf/external_services_group.conf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/core/rspamd/conf/composites.conf b/core/rspamd/conf/composites.conf index eaf48d8e..62236081 100644 --- a/core/rspamd/conf/composites.conf +++ b/core/rspamd/conf/composites.conf @@ -5,7 +5,7 @@ OLETOOLS_MACRO_MRAPTOR { score = 20.0; } OLETOOLS_MACRO_SUSPICIOUS { - expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP | OLETOOLS_A"; + expression = "OLETOOLS_FLAG | OLETOOLS_VBASTOMP | OLETOOLS_A"; message = "Rejected (malicious macro)"; policy = "leave"; score = 20.0; diff --git a/core/rspamd/conf/external_services.conf b/core/rspamd/conf/external_services.conf index 170b2b00..678cdb96 100644 --- a/core/rspamd/conf/external_services.conf +++ b/core/rspamd/conf/external_services.conf @@ -12,7 +12,7 @@ oletools { patterns { OLETOOLS_MACRO_FOUND= '^.....M..$'; OLETOOLS_AUTOEXEC = '^A....M..$'; - OLETOOLS_SUSPICIOUS = '^.....MS.$'; + OLETOOLS_FLAG = '^.....MS.$'; OLETOOLS_VBASTOMP = '^VBA Stomping$'; # see https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py OLETOOLS_A = '(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload|NavigateComplete2|NavigateError|ProgressChange|PropertyChange|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove|MouseEnter|MouseLeave|OnConnecting))\b|Auto_Ope\b'; diff --git a/core/rspamd/conf/external_services_group.conf b/core/rspamd/conf/external_services_group.conf index ac032fbc..a22c5878 100644 
--- a/core/rspamd/conf/external_services_group.conf +++ b/core/rspamd/conf/external_services_group.conf @@ -15,7 +15,7 @@ symbols = { weight = 0.0; one_shot = true; }, - "OLETOOLS_SUSPICIOUS" { + "OLETOOLS_FLAG" { weight = 0.0; one_shot = true; }, From f1e5044dbe264761a4c5454a4916909e567a36e2 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 14:39:12 +0100 Subject: [PATCH 14/28] Add to the list, sort it --- core/rspamd/conf/forbidden_file_extension.map | 86 +++++++++++++++---- 1 file changed, 68 insertions(+), 18 deletions(-) diff --git a/core/rspamd/conf/forbidden_file_extension.map b/core/rspamd/conf/forbidden_file_extension.map index 15b12851..e808eac6 100644 --- a/core/rspamd/conf/forbidden_file_extension.map +++ b/core/rspamd/conf/forbidden_file_extension.map @@ -1,28 +1,78 @@ -scr -lnk +ace +ade +adp +apk +appx +appxbundle +arj +bat +bin +cab +cab +chm +class +cmd +cmd +com +cpl +diagcab +diagcfg +diagpack +dll +ex +ex_ exe +hlp +hta +img +ins +iso +isp +jar +jar +jnlp +js +jse +jse +lib +lnk +lnk +lzh +mde +msc msi +msi +msix +msixbundle msp mst msu -jar -com -bat -cmd +nsh +ocx +ovl +pif ps1 -cab -vbs -vbe -vbscript -hta +r01 +r14 +r18 +r25 +scr +sct +shb shs +sys +vb +vbe +vbe +vbs +vbscript +vdl +vhd +vxd +wsc wsc wsf +wsf wsh -iso -img -bin -cpl -jse -ace -arj +wsh +xll From 4c3c628ca4fc91811308d0cbdd1fbdd99db31d41 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 14:59:11 +0100 Subject: [PATCH 15/28] dedup --- core/rspamd/conf/forbidden_file_extension.map | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/core/rspamd/conf/forbidden_file_extension.map b/core/rspamd/conf/forbidden_file_extension.map index e808eac6..bc584455 100644 --- a/core/rspamd/conf/forbidden_file_extension.map +++ b/core/rspamd/conf/forbidden_file_extension.map @@ -8,11 +8,9 @@ arj bat bin cab -cab chm class cmd -cmd com cpl diagcab 
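Review bot: The rewritten forbidden_file_extension.map carries no header saying where the list was taken from or on what basis entries qualify, which makes later additions impossible to review; rspamd map files accept `#` comment lines, so a first line along the lines of `# Attachment extensions rejected as executable. Source of the list and last review: <fill in>` would fix that. A few entries deserve a second look before the list is frozen: `r01`, `r14`, `r18` and `r25` are four arbitrary members of the RAR multi-volume numbering (`r00`-`r99`), so either the whole range is intended or these are noise, and `vdl` does not correspond to an executable format I recognise (possibly `vxd`, already listed, was meant). The duplicated entries in this version are removed by the following patch, so I am not repeating that.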
@@ -29,19 +27,15 @@ ins iso isp jar -jar jnlp js jse -jse lib lnk -lnk lzh mde msc msi -msi msix msixbundle msp @@ -63,16 +57,12 @@ shs sys vb vbe -vbe vbs vbscript vdl vhd vxd wsc -wsc wsf -wsf -wsh wsh xll From 8cba0125465e337c87bfd17d0f6c247130579076 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 16:55:14 +0100 Subject: [PATCH 16/28] Rspamd needs redis too. --- setup/flavors/compose/docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index 773fddd2..11af9eff 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -130,6 +130,7 @@ services: depends_on: - front - oletools + - redis {% if resolver_enabled %} - resolver dns: From 77d770a2d257d661d36b099937bceb5f7b1fb369 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Mon, 19 Dec 2022 11:24:22 +0100 Subject: [PATCH 17/28] doh --- core/rspamd/conf/multimap.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/rspamd/conf/multimap.conf b/core/rspamd/conf/multimap.conf index 7b929ef5..7ee6669e 100644 --- a/core/rspamd/conf/multimap.conf +++ b/core/rspamd/conf/multimap.conf @@ -14,7 +14,7 @@ FORBIDDEN_FILE_EXTENSION { type = "filename"; filter = "extension"; map = [ - "/etc/rspamd/override.d/forbidden_file_extension.map", + "/etc/rspamd/local.d/forbidden_file_extension.map", ]; prefilter = true; action = "reject"; From b70be294034b21a12fe7486a9c347434f65549e4 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Mon, 19 Dec 2022 11:37:59 +0100 Subject: [PATCH 18/28] document --- docs/antispam.rst | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/antispam.rst b/docs/antispam.rst index 3873be64..299d6d88 100644 --- a/docs/antispam.rst +++ b/docs/antispam.rst 
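Review bot: Pointing the rule at `/etc/rspamd/local.d/forbidden_file_extension.map` fixes the lookup, but a multimap `map` entry is a literal file path rather than a config fragment, so rspamd's override.d precedence does not apply to it; the documentation added later in this series tells operators to copy the map into the overrides directory that the compose file mounts at `/etc/rspamd/override.d`, which, as far as this patch shows, leaves the rule still reading the local.d copy. Either the startup script prefers an override.d copy when one exists (not visible here, please confirm) or the rule should list both paths, e.g. `map = ["/etc/rspamd/override.d/forbidden_file_extension.map", "/etc/rspamd/local.d/forbidden_file_extension.map"]`. Note that, as I understand multimap, listing several maps merges them, so that form only lets an operator add extensions, not remove them, and the docs would need to say so.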
@@ -155,3 +155,26 @@ For more information on using the multimap filter see the official `multimap doc .. _`1438`: https://github.com/Mailu/Mailu/issues/1438 .. _`1167`: https://github.com/Mailu/Mailu/issues/1167 .. _`1566`: https://github.com/Mailu/Mailu/issues/1566 + +Can I change the list of authorized file attachments? +----------------------------------------------------- + +Mailu rejects emails with file attachements it deems to be "executable" or otherwise dangerous. If you would like to tweak the block list, you can do so using the following commands: + + .. code-block:: bash + + docker-compose exec antispam cat /etc/rspamd/local.d/forbidden_file_extension.map > overrides/rspamd/forbidden_file_extension.map + docker-compose restart antispam + + +Mailu rejects emails with documents attached containing some macros. How can I fix it? +-------------------------------------------------------------------------------------- + +If configured to do so, Mailu uses a lightweight tool called `mraptor from oletools`_ to scan documents containing macros. By default only macros deemed potentially harmful are blocked but there may be false positives. If you want to change the default behaviour, you may need to override the ``/etc/rspamd/local.d/composites.conf`` file in the antispam container. The following commands may be useful: + + .. code-block:: bash + + docker-compose exec antispam cat /etc/rspamd/local.d/composites.conf > overrides/rspamd/composites.conf + docker-compose restart antispam + +.. _`mraptor from oletools`: https://github.com/decalage2/oletools/wiki/mraptor From 44c064ff38a432686798671fb49cbed6821180f7 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Mon, 19 Dec 2022 11:53:05 +0100 Subject: [PATCH 19/28] make it configurable --- docs/configuration.rst | 6 ++++++ setup/flavors/compose/docker-compose.yml | 8 ++++++++ setup/flavors/compose/mailu.env | 3 +++ setup/templates/steps/compose/02_services.html | 9 +++++++++ 4 files changed, 26 insertions(+) 
diff --git a/docs/configuration.rst b/docs/configuration.rst index 1a40bf65..fee15737 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -100,6 +100,12 @@ by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidd internet facing hosts according to e.g. `RFC 3207`_ , because this prevents MTAs without STARTTLS support or e.g. mismatching TLS versions to deliver emails to Mailu. +The ``SCAN_MACROS`` (default: True) setting controls whether Mailu will endavour +to reject emails containing documents with malicious macros. Under the hood, it uses +`mraptor from oletools`_ to determine whether a macro is malicious or not. + +.. _`mraptor from oletools`: https://github.com/decalage2/oletools/wiki/mraptor + .. _`RFC 3207`: https://tools.ietf.org/html/rfc3207 .. _fetchmail: diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index 11af9eff..fe766c0d 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -103,6 +103,7 @@ services: - {{ dns }} {% endif %} +{% if oletools_enabled %} oletools: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-{{ version }}} hostname: oletools @@ -115,21 +116,26 @@ services: dns: - {{ dns }} {% endif %} +{% endif %} antispam: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}} hostname: antispam restart: always env_file: {{ env }} +{% if oletools_enabled %} networks: - default - noinet +{% endif %} volumes: - "{{ root }}/filter:/var/lib/rspamd" - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro" depends_on: - front +{% if oletools_enabled %} - oletools +{% endif %} - redis {% if resolver_enabled %} - resolver @@ -217,6 +223,8 @@ networks: {% if ipv6_enabled %} - subnet: {{ subnet6 }} {% endif %} +{% if oletools_enabled %} noinet: driver: bridge internal: true +{% endif %} 
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env index cc99912e..980788ce 100644 --- a/setup/flavors/compose/mailu.env +++ b/setup/flavors/compose/mailu.env @@ -58,6 +58,9 @@ WEBDAV={{ webdav_enabled or 'none' }} # Antivirus solution (value: clamav, none) ANTIVIRUS={{ antivirus_enabled or 'none' }} +# Scan Macros solution (value: true, false) +SCAN_MACROS={{ oletools_enabled or 'false' }} + ################################### # Mail settings ################################### diff --git a/setup/templates/steps/compose/02_services.html b/setup/templates/steps/compose/02_services.html index a801f807..cb9ba807 100644 --- a/setup/templates/steps/compose/02_services.html +++ b/setup/templates/steps/compose/02_services.html @@ -55,6 +55,15 @@ the security implications caused by such an increase of attack surface.
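Review bot: The comment added here advertises `SCAN_MACROS` as taking `true`/`false`, but the rspamd templates later in this series gate the whole feature on `{% if SCAN_MACROS == 'True' %}`, a case-sensitive string comparison; unless the config layer normalises the value before rendering (not visible here), an operator who writes `SCAN_MACROS=true` as the comment suggests gets the scanner silently skipped while the oletools container keeps running. The test env files in this series all use `SCAN_MACROS=True`, which agrees with the template and disagrees with the comment. Aligning the two, e.g. `# Scan Macros solution (value: True, False)` and `SCAN_MACROS={{ oletools_enabled or 'False' }}`, removes the trap; the docs/configuration.rst text in the same patch says `default: True`, which should also be reconciled with the `'false'` default actually written here.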

Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox. +

+ + + Oletools scans documents in email attachements for malicious macros. It has a much lower memory footprint than a full-fledged anti-virus. +
+ From 43bf068be2cf5dcb7457f2300c9703fa238b089f Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Mon, 19 Dec 2022 11:53:52 +0100 Subject: [PATCH 20/28] Enable admin by default --- setup/templates/steps/config.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html index 74a45800..601bd740 100644 --- a/setup/templates/steps/config.html +++ b/setup/templates/steps/config.html @@ -93,7 +93,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post manage your email domains, users, etc.

- +
From f04be00798b35865145c0615e1f4af118f65efea Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Mon, 19 Dec 2022 12:00:18 +0100 Subject: [PATCH 21/28] doc --- README.md | 2 +- docs/index.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0fd737b6..4fa574c1 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Main features include: - **Web access**, multiple Webmails and administration interface - **User features**, aliases, auto-reply, auto-forward, fetched accounts - **Admin features**, global admins, announcements, per-domain delegation, quotas -- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner +- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, block malicious attachments - **Antispam**, auto-learn, greylisting, DMARC and SPF, anti-spoofing - **Freedom**, all FOSS components, no tracker included diff --git a/docs/index.rst b/docs/index.rst index 5c004dc1..bc10bb80 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -28,7 +28,7 @@ Main features include: - **Web access**, multiple Webmails and administration interface - **User features**, aliases, auto-reply, auto-forward, fetched accounts - **Admin features**, global admins, announcements, per-domain delegation, quotas -- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner +- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, block malicious attachments - **Antispam**, auto-learn, greylisting, DMARC and SPF, anti-spoofing - **Freedom**, all FOSS components, no tracker included From 6241fbeb787747dcf80348da0e9d1195cf9d4d5c Mon Sep 17 00:00:00 2001 
From: Florent Daigniere Date: Mon, 19 Dec 2022 12:12:50 +0100 Subject: [PATCH 22/28] actually make it optional --- core/rspamd/conf/composites.conf | 2 ++ core/rspamd/conf/external_services.conf | 2 ++ core/rspamd/conf/external_services_group.conf | 2 ++ 3 files changed, 6 insertions(+) diff --git a/core/rspamd/conf/composites.conf b/core/rspamd/conf/composites.conf index 62236081..68e03073 100644 --- a/core/rspamd/conf/composites.conf +++ b/core/rspamd/conf/composites.conf @@ -1,3 +1,4 @@ +{% if SCAN_MACROS == 'True' %} OLETOOLS_MACRO_MRAPTOR { expression = "(OLETOOLS_A & OLETOOLS_W) | (OLETOOLS_A & OLETOOLS_X) | (OLETOOLS_W & OLETOOLS_X)"; message = "Rejected (malicious macro - mraptor)"; @@ -10,3 +11,4 @@ OLETOOLS_MACRO_SUSPICIOUS { policy = "leave"; score = 20.0; } +{% endif %} diff --git a/core/rspamd/conf/external_services.conf b/core/rspamd/conf/external_services.conf index 678cdb96..00285984 100644 --- a/core/rspamd/conf/external_services.conf +++ b/core/rspamd/conf/external_services.conf @@ -1,3 +1,4 @@ +{% if SCAN_MACROS == 'True' %} oletools { # default olefy settings servers = "{{ OLETOOLS_ADDRESS }}" @@ -60,3 +61,4 @@ oletools { slk = "slk"; } } +{% endif %} diff --git a/core/rspamd/conf/external_services_group.conf b/core/rspamd/conf/external_services_group.conf index a22c5878..0b44b229 100644 --- a/core/rspamd/conf/external_services_group.conf +++ b/core/rspamd/conf/external_services_group.conf @@ -1,3 +1,4 @@ +{% if SCAN_MACROS == 'True' %} # local.d/external_services_group.conf description = "Oletools content rules"; @@ -36,3 +37,4 @@ symbols = { one_shot = true; }, } +{% endif %} From 26858b110a1b65f28e13ade0f3cc38bed0384537 Mon Sep 17 00:00:00 2001 
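Review bot: Now that `composites.conf` is the file operators are told to copy and edit when macro rejection misfires, the two composites need comments explaining what each symbol means and why the policy is set as it is; as written, `OLETOOLS_MACRO_SUSPICIOUS` rejects on `OLETOOLS_A` alone, i.e. any auto-executing macro with no write or execute keyword, which is stricter than I recall mraptor's own heuristic being (roughly A and (W or X)) and is the likely source of the false positives the docs in this series warn about. A header above `OLETOOLS_MACRO_MRAPTOR` mapping each `OLETOOLS_*` symbol to the pattern in external_services.conf it is derived from, and stating that score 20 is intended as a hard reject (presumably above the reject threshold, please confirm), plus a one-liner on `OLETOOLS_MACRO_SUSPICIOUS` saying that rejecting on A alone is deliberate, would let an operator tune the file without reading oletools source. `policy = "leave"` also deserves a short note, e.g. `# keep the component symbols so the log shows which flag fired`, since that is what makes a rejection diagnosable.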
From: Florent Daigniere Date: Mon, 19 Dec 2022 12:17:13 +0100 Subject: [PATCH 23/28] Required for the tests to pass now --- tests/compose/core/mailu.env | 3 +++ tests/compose/fetchmail/mailu.env | 3 +++ tests/compose/filters/mailu.env | 3 +++ tests/compose/webdav/mailu.env | 3 +++ tests/compose/webmail/mailu.env | 3 +++ 5 files changed, 15 insertions(+) diff --git a/tests/compose/core/mailu.env b/tests/compose/core/mailu.env index 0b034008..7ea86f56 100644 --- a/tests/compose/core/mailu.env +++ b/tests/compose/core/mailu.env @@ -65,6 +65,9 @@ WEBDAV=none #Antispam solution ANTISPAM=none +# Scan Macros solution (value: true, false) +SCAN_MACROS=True + ################################### # Mail settings ################################### diff --git a/tests/compose/fetchmail/mailu.env b/tests/compose/fetchmail/mailu.env index 573acf20..0355f168 100644 --- a/tests/compose/fetchmail/mailu.env +++ b/tests/compose/fetchmail/mailu.env @@ -65,6 +65,9 @@ WEBDAV=none #Antispam solution ANTISPAM=none +# Scan Macros solution (value: true, false) +SCAN_MACROS=True + ################################### # Mail settings ################################### diff --git a/tests/compose/filters/mailu.env b/tests/compose/filters/mailu.env index 89309641..cf9f7f2d 100644 --- a/tests/compose/filters/mailu.env +++ b/tests/compose/filters/mailu.env @@ -65,6 +65,9 @@ ANTIVIRUS=clamav #Antispam solution ANTISPAM=none +# Scan Macros solution (value: true, false) +SCAN_MACROS=True + ################################### # Mail settings ################################### diff --git a/tests/compose/webdav/mailu.env b/tests/compose/webdav/mailu.env index c2fcc4cf..b7a9b718 100644 --- a/tests/compose/webdav/mailu.env +++ b/tests/compose/webdav/mailu.env @@ -65,6 +65,9 @@ WEBDAV=radicale #Antispam solution ANTISPAM=none +# Scan Macros solution (value: true, false) +SCAN_MACROS=True + ################################### # Mail settings ################################### 
diff --git a/tests/compose/webmail/mailu.env b/tests/compose/webmail/mailu.env index f87f3262..ddc845fa 100644 --- a/tests/compose/webmail/mailu.env +++ b/tests/compose/webmail/mailu.env @@ -65,6 +65,9 @@ WEBDAV=none #Antispam solution ANTISPAM=none +# Scan Macros solution (value: true, false) +SCAN_MACROS=True + ################################### # Mail settings ################################### From 49d458a0f3d898c37ea095d5ba12f9396430a4d0 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Mon, 19 Dec 2022 12:27:24 +0100 Subject: [PATCH 24/28] try renaming the file --- tests/compose/filters/01_email_test.sh | 4 ++-- tests/compose/filters/{eicar.com => eicar.com.txt} | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename tests/compose/filters/{eicar.com => eicar.com.txt} (100%) diff --git a/tests/compose/filters/01_email_test.sh b/tests/compose/filters/01_email_test.sh index 5af395c4..50e904f8 100755 --- a/tests/compose/filters/01_email_test.sh +++ b/tests/compose/filters/01_email_test.sh @@ -1,6 +1,6 @@ -python3 tests/email_test.py message-virus "tests/compose/filters/eicar.com" +python3 tests/email_test.py message-virus "tests/compose/filters/eicar.com.txt" if [ $? -eq 99 ]; then exit 0 else exit 1 -fi \ No newline at end of file +fi diff --git a/tests/compose/filters/eicar.com b/tests/compose/filters/eicar.com.txt similarity index 100% rename from tests/compose/filters/eicar.com rename to tests/compose/filters/eicar.com.txt From ef123f1b53ceb3b594da1068826c78fb56d6e2ce Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Mon, 19 Dec 2022 12:41:21 +0100 Subject: [PATCH 25/28] doh --- core/rspamd/conf/external_services.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/rspamd/conf/external_services.conf b/core/rspamd/conf/external_services.conf index 00285984..d299ed89 100644 --- a/core/rspamd/conf/external_services.conf +++ b/core/rspamd/conf/external_services.conf 
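Review bot: Renaming the EICAR sample to `eicar.com.txt` keeps the antivirus test meaningful now that `com` is on the forbidden-extension map, but it also means nothing in the suite exercises the new FORBIDDEN_FILE_EXTENSION rule or the macro scanner, even though the test env files in this series now set `SCAN_MACROS=True` for it. A sibling script that sends the same harmless sample under its original `.com` name and expects the rejection exit code would pin the extension filter, and a document with an empty auto-open macro would do the same for the oletools path. While touching this file, `if python3 tests/email_test.py message-virus "tests/compose/filters/eicar.com.txt"; then` avoids relying on `$?` carried across lines, but that is cosmetic.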
@@ -1,7 +1,7 @@ {% if SCAN_MACROS == 'True' %} oletools { # default olefy settings - servers = "{{ OLETOOLS_ADDRESS }}" + servers = "{{ OLETOOLS_ADDRESS }}:11343" # needs to be set explicitly for Rspamd < 1.9.5 scan_mime_parts = true; From 6370d03f801d93786114e3c911d0f1a89683aa79 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Tue, 20 Dec 2022 09:40:29 +0100 Subject: [PATCH 26/28] merge snafu --- setup/flavors/compose/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml index 1c3c968f..6eb4c409 100644 --- a/setup/flavors/compose/docker-compose.yml +++ b/setup/flavors/compose/docker-compose.yml @@ -133,6 +133,7 @@ services: - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro" depends_on: - front + - redis {% if oletools_enabled %} - oletools {% endif %} @@ -141,7 +142,6 @@ services: {% endif %} {% if resolver_enabled %} - resolver - - redis dns: - {{ dns }} {% endif %} From 33497c8e31d10bad5ddc7b828b843035fd2e4168 Mon Sep 17 00:00:00 2001 From: Dimitri Huisman Date: Thu, 22 Dec 2022 15:50:42 +0000 Subject: [PATCH 27/28] Small extra clarification for new documentation --- docs/antispam.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/antispam.rst b/docs/antispam.rst index 299d6d88..8eea4038 100644 --- a/docs/antispam.rst +++ b/docs/antispam.rst 
@@ -166,15 +166,18 @@ Mailu rejects emails with file attachements it deems to be "executable" or other docker-compose exec antispam cat /etc/rspamd/local.d/forbidden_file_extension.map > overrides/rspamd/forbidden_file_extension.map docker-compose restart antispam +Now the file `overrides/rspamd/forbidden_file_extension.map` can be edited, to make changes to the forbidden file extensions list. Mailu rejects emails with documents attached containing some macros. How can I fix it? -------------------------------------------------------------------------------------- -If configured to do so, Mailu uses a lightweight tool called `mraptor from oletools`_ to scan documents containing macros. By default only macros deemed potentially harmful are blocked but there may be false positives. If you want to change the default behaviour, you may need to override the ``/etc/rspamd/local.d/composites.conf`` file in the antispam container. The following commands may be useful: +If configured to do so, Mailu uses a lightweight tool called `mraptor from oletools`_ to scan documents containing macros. By default only macros deemed potentially harmful are blocked, but there may be false positives. If you want to change the default behaviour, you may need to override the ``/etc/rspamd/local.d/composites.conf`` file in the antispam container. The following commands may be useful: .. code-block:: bash docker-compose exec antispam cat /etc/rspamd/local.d/composites.conf > overrides/rspamd/composites.conf docker-compose restart antispam +Now the file `overrides/rspamd/composites.conf` can be edited, to override the mraptor configuration in rspamd. + .. _`mraptor from oletools`: https://github.com/decalage2/oletools/wiki/mraptor From 6d87fa423c92e1680060d7ef48a8b5c1beaa5b17 Mon Sep 17 00:00:00 2001 
From: Dimitri Huisman Date: Thu, 22 Dec 2022 16:01:30 +0000 Subject: [PATCH 28/28] Mention you must restart rspamd for the changes to take effect. --- docs/antispam.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/antispam.rst b/docs/antispam.rst index 8eea4038..fb97e66a 100644 --- a/docs/antispam.rst +++ b/docs/antispam.rst @@ -167,6 +167,7 @@ Mailu rejects emails with file attachements it deems to be "executable" or other docker-compose restart antispam Now the file `overrides/rspamd/forbidden_file_extension.map` can be edited, to make changes to the forbidden file extensions list. +For the changes to take effect, rspamd must be restarted. Mailu rejects emails with documents attached containing some macros. How can I fix it? -------------------------------------------------------------------------------------- @@ -179,5 +180,6 @@ If configured to do so, Mailu uses a lightweight tool called `mraptor from oleto docker-compose restart antispam Now the file `overrides/rspamd/composites.conf` can be edited, to override the mraptor configuration in rspamd. +For the changes to take effect, rspamd must be restarted. .. _`mraptor from oletools`: https://github.com/decalage2/oletools/wiki/mraptor