2528: Implement #2510: oletools integration r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

OLETools now flags documents with macros and rejects suspicious ones. We also block executable file extensions by default (but don't perform inspection in archives: you can tell users to zip-up whatever needs sending).

### Related issue(s)
- closes #2510
- closes #2511

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
main
bors[bot] 2 years ago committed by GitHub
commit 8d2bd6d9ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -394,7 +394,7 @@ jobs:
strategy:
fail-fast: false
matrix:
target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "postfix", "dovecot", "unbound", "nginx"]
target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "oletools", "postfix", "dovecot", "unbound", "nginx"]
steps:
- uses: actions/checkout@v3
- name: Retrieve global variables
@ -439,7 +439,7 @@ jobs:
strategy:
fail-fast: false
matrix:
target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "postfix", "dovecot", "unbound", "nginx"]
target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "oletools", "postfix", "dovecot", "unbound", "nginx"]
steps:
- uses: actions/checkout@v3
- name: Retrieve global variables

@ -22,7 +22,7 @@ Main features include:
- **Web access**, multiple Webmails and administration interface
- **User features**, aliases, auto-reply, auto-forward, fetched accounts
- **Admin features**, global admins, announcements, per-domain delegation, quotas
- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, [Snuffleupagus](https://github.com/jvoisin/snuffleupagus/)
- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, [Snuffleupagus](https://github.com/jvoisin/snuffleupagus/), block malicious attachments
- **Antispam**, auto-learn, greylisting, DMARC and SPF, anti-spoofing
- **Freedom**, all FOSS components, no tracker included

@ -27,6 +27,7 @@ ENV \
FRONT_ADDRESS="front" \
SMTP_ADDRESS="smtp" \
IMAP_ADDRESS="imap" \
OLETOOLS_ADDRESS="oletools" \
REDIS_ADDRESS="redis" \
ANTIVIRUS_ADDRESS="antivirus" \
ANTISPAM_ADDRESS="antispam" \

@ -45,6 +45,10 @@ watchdog
# core/postfix
postfix-mta-sts-resolver
# core/oletools
python-magic
oletools
# optional/fetchmail
requests

@ -41,6 +41,7 @@ MarkupSafe==2.1.1
marshmallow==3.18.0
marshmallow-sqlalchemy==0.28.1
multidict==6.0.2
oletools==0.60.1
mysql-connector-python==8.0.29
packaging==21.3
passlib==1.7.4
@ -51,7 +52,10 @@ psycopg2-binary==2.9.5
pycares==4.2.2
pycparser==2.21
Pygments==2.13.0
pyparsing==3.0.9
pyOpenSSL==22.1.0
pyparsing==2.4.7
python-dateutil==2.8.2
python-magic==0.4.27
python-dateutil==2.8.2
pytz==2022.6
PyYAML==6.0

@ -0,0 +1,31 @@
# syntax=docker/dockerfile-upstream:1.4.3
# oletools image
FROM base
ARG VERSION=local
LABEL version=$VERSION
RUN set -euxo pipefail \
; apk add --no-cache netcat-openbsd libmagic libffi \
; curl -sLo olefy.py https://raw.githubusercontent.com/HeinleinSupport/olefy/f8aac6cc55283886d153e89c8f27fae66b1c24e2/olefy.py \
; chmod 755 olefy.py
RUN echo $VERSION >/version
HEALTHCHECK --start-period=60s CMD echo PING|nc -q1 127.0.0.1 11343|grep "PONG"
EXPOSE 11343/tcp
USER nobody:nobody
ENV \
OLEFY_BINDADDRESS="0.0.0.0" \
OLEFY_BINDPORT="11343" \
OLEFY_OLEVBA_PATH="/app/venv/bin/olevba" \
OLEFY_PYTHON_PATH="/app/venv/bin/python3" \
OLEFY_TMPDIR="/dev/shm/" \
OLEFY_MINLENGTH="300" \
OLEFY_DEL_TMP="1" \
OLEFY_DEL_TMP_FAILED="1"
CMD /app/olefy.py

@ -0,0 +1,14 @@
{% if SCAN_MACROS == 'True' %}
OLETOOLS_MACRO_MRAPTOR {
expression = "(OLETOOLS_A & OLETOOLS_W) | (OLETOOLS_A & OLETOOLS_X) | (OLETOOLS_W & OLETOOLS_X)";
message = "Rejected (malicious macro - mraptor)";
policy = "leave";
score = 20.0;
}
OLETOOLS_MACRO_SUSPICIOUS {
expression = "OLETOOLS_FLAG | OLETOOLS_VBASTOMP | OLETOOLS_A";
message = "Rejected (malicious macro)";
policy = "leave";
score = 20.0;
}
{% endif %}

@ -0,0 +1,64 @@
{% if SCAN_MACROS == 'True' %}
oletools {
# default olefy settings
servers = "{{ OLETOOLS_ADDRESS }}:11343"
# needs to be set explicitly for Rspamd < 1.9.5
scan_mime_parts = true;
extended = true;
max_size = 3145728;
timeout = 20.0;
retransmits = 1;
patterns {
OLETOOLS_MACRO_FOUND= '^.....M..$';
OLETOOLS_AUTOEXEC = '^A....M..$';
OLETOOLS_FLAG = '^.....MS.$';
OLETOOLS_VBASTOMP = '^VBA Stomping$';
# see https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py
OLETOOLS_A = '(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload|NavigateComplete2|NavigateError|ProgressChange|PropertyChange|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove|MouseEnter|MouseLeave|OnConnecting))\b|Auto_Ope\b';
OLETOOLS_W = '(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)';
OLETOOLS_X = '(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|RUN|CALL|MacScript|FollowHyperlink|CreateThread|ShellExecuteA?|ExecuteExcel4Macro|EXEC|REGISTER|SetTimer)\b|(?:\bDeclare\b[^\n]+\bLib\b)';
}
# mime-part regex matching in content-type or filename
mime_parts_filter_regex {
#UNKNOWN = "application\/octet-stream";
DOC2 = "application\/msword";
DOC3 = "application\/vnd\.ms-word.*";
XLS = "application\/vnd\.ms-excel.*";
PPT = "application\/vnd\.ms-powerpoint.*";
GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
}
# mime-part filename extension matching (no regex)
mime_parts_filter_ext {
doc = "doc";
dot = "dot";
docx = "docx";
dotx = "dotx";
docm = "docm";
dotm = "dotm";
xls = "xls";
xlt = "xlt";
xla = "xla";
xlsx = "xlsx";
xltx = "xltx";
xlsm = "xlsm";
xltm = "xltm";
xlam = "xlam";
xlsb = "xlsb";
ppt = "ppt";
pot = "pot";
pps = "pps";
ppa = "ppa";
pptx = "pptx";
potx = "potx";
ppsx = "ppsx";
ppam = "ppam";
pptm = "pptm";
potm = "potm";
ppsm = "ppsm";
slk = "slk";
}
}
{% endif %}

@ -0,0 +1,40 @@
{% if SCAN_MACROS == 'True' %}
# local.d/external_services_group.conf
description = "Oletools content rules";
symbols = {
"OLETOOLS" {
weight = 1.0;
description = "OLETOOLS found a Macro";
one_shot = true;
},
"OLETOOLS_MACRO_FOUND" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_AUTOEXEC" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_FLAG" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_VBASTOMP" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_A" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_W" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_X" {
weight = 0.0;
one_shot = true;
},
}
{% endif %}

@ -0,0 +1,68 @@
ace
ade
adp
apk
appx
appxbundle
arj
bat
bin
cab
chm
class
cmd
com
cpl
diagcab
diagcfg
diagpack
dll
ex
ex_
exe
hlp
hta
img
ins
iso
isp
jar
jnlp
js
jse
lib
lnk
lzh
mde
msc
msi
msix
msixbundle
msp
mst
msu
nsh
ocx
ovl
pif
ps1
r01
r14
r18
r25
scr
sct
shb
shs
sys
vb
vbe
vbs
vbscript
vdl
vhd
vxd
wsc
wsf
wsh
xll

@ -9,3 +9,16 @@ IS_LOCAL_DOMAIN_E {
selector = "from('smtp'):domain";
map = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/local_domains";
}
FORBIDDEN_FILE_EXTENSION {
type = "filename";
filter = "extension";
map = [
"/etc/rspamd/local.d/forbidden_file_extension.map",
];
prefilter = true;
action = "reject";
symbol = "FORBIDDEN_FILE_EXTENSION";
description = "List of forbidden file extensions";
message = "Forbidden attachment extension";
}

@ -155,3 +155,31 @@ For more information on using the multimap filter see the official `multimap doc
.. _`1438`: https://github.com/Mailu/Mailu/issues/1438
.. _`1167`: https://github.com/Mailu/Mailu/issues/1167
.. _`1566`: https://github.com/Mailu/Mailu/issues/1566
Can I change the list of authorized file attachments?
-----------------------------------------------------
Mailu rejects emails with file attachements it deems to be "executable" or otherwise dangerous. If you would like to tweak the block list, you can do so using the following commands:
.. code-block:: bash
docker-compose exec antispam cat /etc/rspamd/local.d/forbidden_file_extension.map > overrides/rspamd/forbidden_file_extension.map
docker-compose restart antispam
Now the file `overrides/rspamd/forbidden_file_extension.map` can be edited, to make changes to the forbidden file extensions list.
For the changes to take effect, rspamd must be restarted.
Mailu rejects emails with documents attached containing some macros. How can I fix it?
--------------------------------------------------------------------------------------
If configured to do so, Mailu uses a lightweight tool called `mraptor from oletools`_ to scan documents containing macros. By default only macros deemed potentially harmful are blocked, but there may be false positives. If you want to change the default behaviour, you may need to override the ``/etc/rspamd/local.d/composites.conf`` file in the antispam container. The following commands may be useful:
.. code-block:: bash
docker-compose exec antispam cat /etc/rspamd/local.d/composites.conf > overrides/rspamd/composites.conf
docker-compose restart antispam
Now the file `overrides/rspamd/composites.conf` can be edited, to override the mraptor configuration in rspamd.
For the changes to take effect, rspamd must be restarted.
.. _`mraptor from oletools`: https://github.com/decalage2/oletools/wiki/mraptor

@ -100,6 +100,12 @@ by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidd
internet facing hosts according to e.g. `RFC 3207`_ , because this prevents MTAs without STARTTLS
support or e.g. mismatching TLS versions to deliver emails to Mailu.
The ``SCAN_MACROS`` (default: True) setting controls whether Mailu will endavour
to reject emails containing documents with malicious macros. Under the hood, it uses
`mraptor from oletools`_ to determine whether a macro is malicious or not.
.. _`mraptor from oletools`: https://github.com/decalage2/oletools/wiki/mraptor
.. _`RFC 3207`: https://tools.ietf.org/html/rfc3207
.. _fetchmail:

@ -28,7 +28,7 @@ Main features include:
- **Web access**, multiple Webmails and administration interface
- **User features**, aliases, auto-reply, auto-forward, fetched accounts
- **Admin features**, global admins, announcements, per-domain delegation, quotas
- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, Snuffleupagus
- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, [Snuffleupagus](https://github.com/jvoisin/snuffleupagus/), block malicious attachments
- **Antispam**, auto-learn, greylisting, DMARC and SPF, anti-spoofing
- **Freedom**, all FOSS components, no tracker included

@ -103,16 +103,40 @@ services:
- {{ dns }}
{% endif %}
{% if oletools_enabled %}
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-{{ version }}}
hostname: oletools
restart: always
networks:
- noinet
depends_on:
{% if resolver_enabled %}
- resolver
dns:
- {{ dns }}
{% endif %}
{% endif %}
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}}
hostname: antispam
restart: always
env_file: {{ env }}
{% if oletools_enabled %}
networks:
- default
- noinet
{% endif %}
volumes:
- "{{ root }}/filter:/var/lib/rspamd"
- "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro"
depends_on:
- front
- redis
{% if oletools_enabled %}
- oletools
{% endif %}
{% if antivirus_enabled %}
- antivirus
{% endif %}
@ -202,3 +226,8 @@ networks:
{% if ipv6_enabled %}
- subnet: {{ subnet6 }}
{% endif %}
{% if oletools_enabled %}
noinet:
driver: bridge
internal: true
{% endif %}

@ -58,6 +58,9 @@ WEBDAV={{ webdav_enabled or 'none' }}
# Antivirus solution (value: clamav, none)
ANTIVIRUS={{ antivirus_enabled or 'none' }}
# Scan Macros solution (value: true, false)
SCAN_MACROS={{ oletools_enabled or 'false' }}
###################################
# Mail settings
###################################

@ -55,6 +55,15 @@ the security implications caused by such an increase of attack surface.<p>
<i>Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox.</i>
</div>
<div class="form-check form-check-inline">
<label class="form-check-label">
<input class="form-check-input" type="checkbox" name="oletools_enabled" value="true" checked>
Enable oletools
</label>
<i>Oletools scans documents in email attachements for malicious macros. It has a much lower memory footprint than a full-fledged anti-virus.</i>
</div>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script>

@ -82,7 +82,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post
manage your email domains, users, etc.</p>
<div class="form-group">
<input type="checkbox" name="admin_enabled" value="true" id="admin">
<input type="checkbox" name="admin_enabled" value="true" id="admin" checked>
<label>Enable the admin UI (and path to the admin UI)</label>
<input class="form-control" type="text" name="admin_path" id="admin_path" style="display: none">
</div>

@ -34,6 +34,7 @@ group "default" {
"antispam",
"front",
"imap",
"oletools",
"smtp",
"webmail",
@ -152,6 +153,15 @@ target "front" {
tags = tag("nginx")
}
target "oletools" {
inherits = ["defaults"]
context = "core/oletools/"
contexts = {
base = "target:base"
}
tags = tag("oletools")
}
target "imap" {
inherits = ["defaults"]
context = "core/dovecot/"

@ -65,10 +65,20 @@ services:
depends_on:
- front
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local}
hostname: oletools
restart: always
networks:
- noinet
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
restart: always
env_file: mailu.env
networks:
- default
- noinet
volumes:
- "/mailu/filter:/var/lib/rspamd"
- "/mailu/dkim:/dkim"
@ -96,3 +106,6 @@ networks:
driver: default
config:
- subnet: 192.168.203.0/24
noinet:
driver: bridge
internal: true

@ -65,6 +65,9 @@ WEBDAV=none
#Antispam solution
ANTISPAM=none
# Scan Macros solution (value: true, false)
SCAN_MACROS=True
###################################
# Mail settings
###################################

@ -65,10 +65,20 @@ services:
depends_on:
- front
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local}
hostname: oletools
restart: always
networks:
- noinet
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
restart: always
env_file: mailu.env
networks:
- default
- noinet
volumes:
- "/mailu/filter:/var/lib/rspamd"
- "/mailu/dkim:/dkim"
@ -103,3 +113,6 @@ networks:
driver: default
config:
- subnet: 192.168.203.0/24
noinet:
driver: bridge
internal: true

@ -65,6 +65,9 @@ WEBDAV=none
#Antispam solution
ANTISPAM=none
# Scan Macros solution (value: true, false)
SCAN_MACROS=True
###################################
# Mail settings
###################################

@ -1,4 +1,4 @@
python3 tests/email_test.py message-virus "tests/compose/filters/eicar.com"
python3 tests/email_test.py message-virus "tests/compose/filters/eicar.com.txt"
if [ $? -eq 99 ]; then
exit 0
else

@ -0,0 +1,13 @@
# Malicious macros should be blocked
# see https://github.com/clr2of8/VBAstomp and https://github.com/decalage2/oletools/wiki/mraptor
python3 tests/email_test.py message-macro-stomp "tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc"
if [ $? -ne 25 ]; then
exit 1
fi
# This does Auto_Open + Alert()
python3 tests/email_test.py message-autoexec-macro "tests/compose/filters/excel4_sample_macro.slk"
if [ $? -ne 25 ]; then
exit 1
fi
exit 0

@ -65,10 +65,20 @@ services:
depends_on:
- front
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local}
hostname: oletools
restart: always
networks:
- noinet
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
restart: always
env_file: mailu.env
networks:
- default
- noinet
volumes:
- "/mailu/filter:/var/lib/rspamd"
- "/mailu/dkim:/dkim"
@ -102,3 +112,6 @@ networks:
driver: default
config:
- subnet: 192.168.203.0/24
noinet:
driver: bridge
internal: true

@ -0,0 +1,68 @@
ID;PWXL;N;E
P;PGeneral
P;P0
P;P0.00
P;P#,##0
P;P#,##0.00
P;P#,##0;;\-#,##0
P;P#,##0;;[Red]\-#,##0
P;P#,##0.00;;\-#,##0.00
P;P#,##0.00;;[Red]\-#,##0.00
P;P#,##0\ "$";;\-#,##0\ "$"
P;P#,##0\ "$";;[Red]\-#,##0\ "$"
P;P#,##0.00\ "$";;\-#,##0.00\ "$"
P;P#,##0.00\ "$";;[Red]\-#,##0.00\ "$"
P;P0%
P;P0.00%
P;P0.00E+00
P;P##0.0E+0
P;P#" "?/?
P;P#" "??/??
P;Pdd/mm/yyyy
P;Pdd\-mmm\-yy
P;Pdd\-mmm
P;Pmmm\-yy
P;Ph:mm\ AM/PM
P;Ph:mm:ss\ AM/PM
P;Phh:mm
P;Phh:mm:ss
P;Pdd/mm/yyyy\ hh:mm
P;Pmm:ss
P;Pmm:ss.0
P;P@
P;P[h]:mm:ss
P;P_-* #,##0\ "$"_-;;\-* #,##0\ "$"_-;;_-* "-"\ "$"_-;;_-@_-
P;P_-* #,##0_-;;\-* #,##0_-;;_-* "-"_-;;_-@_-
P;P_-* #,##0.00\ "$"_-;;\-* #,##0.00\ "$"_-;;_-* "-"??\ "$"_-;;_-@_-
P;P_-* #,##0.00_-;;\-* #,##0.00_-;;_-* "-"??_-;;_-@_-
P;FCalibri;M220;L9
P;FCalibri;M220;L9
P;FCalibri;M220;L9
P;FCalibri;M220;L9
P;ECalibri;M220;L9
P;ECalibri Light;M360;L55
P;ECalibri;M300;SB;L55
P;ECalibri;M260;SB;L55
P;ECalibri;M220;SB;L55
P;ECalibri;M220;L18
P;ECalibri;M220;L21
P;ECalibri;M220;L61
P;ECalibri;M220;L63
P;ECalibri;M220;SB;L64
P;ECalibri;M220;SB;L53
P;ECalibri;M220;L53
P;ECalibri;M220;SB;L10
P;ECalibri;M220;L11
P;ECalibri;M220;SI;L24
P;ECalibri;M220;SB;L9
P;ECalibri;M220;L10
P;ESegoe UI;M200;L9
F;P0;DG0G8;E;M292
B;Y2;X1;D0 0 1 0
O;L;E;D;V0;K47;G100 0.001
F;W1 1 17
F;W2 16384 9
NN;NAuto_Open;ER1C1
C;Y1;X1;KFALSE;EALERT("This is a sample Excel 4 macro")
C;Y2;KTRUE;EHALT()
E

@ -65,6 +65,9 @@ ANTIVIRUS=clamav
#Antispam solution
ANTISPAM=none
# Scan Macros solution (value: true, false)
SCAN_MACROS=True
###################################
# Mail settings
###################################

@ -65,10 +65,20 @@ services:
depends_on:
- front
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local}
hostname: oletools
restart: always
networks:
- noinet
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
restart: always
env_file: mailu.env
networks:
- default
- noinet
volumes:
- "/mailu/filter:/var/lib/rspamd"
- "/mailu/dkim:/dkim"
@ -103,3 +113,6 @@ networks:
driver: default
config:
- subnet: 192.168.203.0/24
noinet:
driver: bridge
internal: true

@ -65,6 +65,9 @@ WEBDAV=radicale
#Antispam solution
ANTISPAM=none
# Scan Macros solution (value: true, false)
SCAN_MACROS=True
###################################
# Mail settings
###################################

@ -65,10 +65,20 @@ services:
depends_on:
- front
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local}
hostname: oletools
restart: always
networks:
- noinet
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
restart: always
env_file: mailu.env
networks:
- default
- noinet
volumes:
- "/mailu/filter:/var/lib/rspamd"
- "/mailu/dkim:/dkim"
@ -104,3 +114,6 @@ networks:
driver: default
config:
- subnet: 192.168.203.0/24
noinet:
driver: bridge
internal: true

@ -65,6 +65,9 @@ WEBDAV=none
#Antispam solution
ANTISPAM=none
# Scan Macros solution (value: true, false)
SCAN_MACROS=True
###################################
# Mail settings
###################################

@ -0,0 +1 @@
Implement OLETools and block bad macros in office documents

@ -0,0 +1 @@
Block executable file formats by default. Ask your users to zip them up if required.
Loading…
Cancel
Save