Macromilter on the front mail servers

This Python-based milter (mail filter) for the Sendmail and Postfix e-mail servers checks each incoming mail for MS Office 20xx attachments. If an MS Office file is attached, it is scanned for suspicious VBA macro code. Documents with malicious macros are either removed and replaced by a harmless text file, or the whole mail is rejected to the sender (see REJECT_MESSAGE in config.ini).

Supported Office formats: Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm), Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb), PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm), Word 2003 XML (.xml), Word/Excel Single File Web Page / MHTML (.mht), Publisher (.pub)

cat /etc/macromilter/config.ini

[Milter]
# at postfix smtpd_milters = inet:127.0.0.1:3690
# bind to unix or tcp socket "inet:port@ip" or "/<path>/<to>/<something>.sock"
SOCKET = inet:3690@127.0.0.1
# Set umask for the unix socket, e.g. 0077 for owner-only access
UMASK = 0077
# Milter timeout in seconds
TIMEOUT = 30
# Define the max size for each message in bytes (~50MB)
MAX_FILESIZE = 50000000
# Reject error message
MESSAGE = ERROR - Attachment contains unallowed office macros!
# Reject the mail if a malware macro is detected (yes/no)
REJECT_MESSAGE = yes
# Max nested archive depth - recommendation = 5
MAX_ZIP = 5

[Logging]
LOGFILE_DIR = /var/log/macromilter
LOGFILE_NAME = macromilter.log
# Loglevels are: 1 = Debug (default) , 2 = Info, 3 = Warning/Error
LOGLEVEL = 1

[Whitelist]
# Add whitelisted recipients or senders (JSON list of addresses) to skip the VBA parsing, e.g. ["xyz@example.de","test@test.de"]
Recipients = ["", ""]
# Add the SHA256 hash of a macro's code - to obtain this hash, look in the log for "INFO: [ID] The macro hash is: [..]XYZ[..]"
# example: 05357f85049ba05fb9c7cdc9c6e979b0cb9db600a78eaf98a39344db2f6a6473
# Please define as a JSON list: ["hash#1","hash#2"]
Macrohash = []
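The following is an added example (not macromilter's own code) showing how the two [Whitelist] lists and REJECT_MESSAGE combine into a per-message decision. It assumes the macro hash is the plain SHA256 of the macro source bytes and that the scanner (olevba) has already produced the list of suspicious macro sources; the config text, addresses and macro are constructed for the example.

```python
import configparser
import hashlib
import json
from dataclasses import dataclass

# Constructed sample macro source (hypothetical, not taken from any document)
SAMPLE_MACRO = 'Sub AutoOpen()\r\n    MsgBox "internal template"\r\nEnd Sub\r\n'


def macro_hash(vba_source):
    """SHA256 over the UTF-8 bytes of the macro source.
    Assumption: this is the value the log line "The macro hash is: ..." reports;
    the real milter may normalise the source before hashing."""
    return hashlib.sha256(vba_source.encode("utf-8")).hexdigest()


# Constructed config.ini text using the keys shown in the config above
SAMPLE_CONFIG = """
[Milter]
MESSAGE = ERROR - Attachment contains unallowed office macros!
REJECT_MESSAGE = yes

[Whitelist]
Recipients = ["trusted@example.de", ""]
Macrohash = ["%s"]
""" % macro_hash(SAMPLE_MACRO)


@dataclass
class Policy:
    reject: bool      # REJECT_MESSAGE = yes -> reject, otherwise replace attachment
    message: str      # SMTP reject text
    whitelist: set    # lowercase addresses exempt from scanning
    macrohash: set    # SHA256 hashes of macros explicitly allowed


def load_policy(config_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    # Both lists are JSON arrays; empty strings (the ["", ""] default) are dropped
    addrs = {a.strip().lower() for a in json.loads(cp.get("Whitelist", "Recipients")) if a.strip()}
    hashes = {h.strip().lower() for h in json.loads(cp.get("Whitelist", "Macrohash")) if h.strip()}
    return Policy(
        reject=cp.get("Milter", "REJECT_MESSAGE").strip().lower() == "yes",
        message=cp.get("Milter", "MESSAGE"),
        whitelist=addrs,
        macrohash=hashes,
    )


def decide(policy, sender, recipients, suspicious_macros):
    """Return the action for one message: skip, accept, reject or replace.
    suspicious_macros: VBA source of every macro the scanner flagged
    (the scanning itself is outside this example)."""
    parties = {sender.lower()} | {r.lower() for r in recipients}
    if parties & policy.whitelist:
        return "skip"            # whitelisted sender/recipient: no VBA parsing at all
    if not suspicious_macros:
        return "accept"          # nothing suspicious found
    if all(macro_hash(src) in policy.macrohash for src in suspicious_macros):
        return "accept"          # every flagged macro is an explicitly allowed hash
    return "reject" if policy.reject else "replace"


if __name__ == "__main__":
    pol = load_policy(SAMPLE_CONFIG)
    print(decide(pol, "sender@example.com", ["user@example.org"], [SAMPLE_MACRO]))
```

Note that a whitelisted address skips scanning entirely, while a Macrohash entry only exempts one exact macro body: any change to the macro source gives a new hash, so the hash list is the narrower and safer of the two exemptions.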

Log location:

/var/log/macromilter/macromilter.log

or on the maillog server:

maillog:~# grep -i milter-reject /var/log/mail.log.1
Sep 30 12:28:19 fmail1 postfix/cleanup[24286]: 3CE522023C: milter-reject: END-OF-MESSAGE from dd18512.kasserver.com[85.13.139.4]: 5.7.1 ERROR - Attachment contains unallowed office macros!; from=<nandor.krisko@dointernational.eu> to=<sabine.wagenblass@hs-bremen.de> proto=ESMTP helo=<dd18512.kasserver.com>
Sep 30 13:25:23 fmail3 postfix/cleanup[1140]: 3F4AD201A8: milter-reject: END-OF-MESSAGE from securemail-pl-omx12.synaq.com[196.35.198.117]: 5.7.1 ERROR - Attachment contains unallowed office macros!; from=<epr.manager@autozone.co.za> to=<lena.wenke@hs-bremen.de> proto=ESMTP helo=<securemail-pl-omx12.synaq.com>
Sep 30 13:25:36 fmail3 postfix/cleanup[32111]: 28C12201A8: milter-reject: END-OF-MESSAGE from gateway33.websitewelcome.com[192.185.146.195]: 5.7.1 ERROR - Attachment contains unallowed office macros!; from=<o.aisosa@averynigeria.com> to=<maja.hoffmann@hs-bremen.de> proto=ESMTP helo=<gateway33.websitewelcome.com>
Sep 30 14:14:27 fmail3 postfix/cleanup[1963]: 177EE2026D: milter-reject: END-OF-MESSAGE from mailhost05.i3c.co.ug[50.22.208.130]: 5.7.1 ERROR - Attachment contains unallowed office macros!; from=<operations@freshhandling.com> to=<sabine.wagenblass@hs-bremen.de> proto=ESMTP helo=<mailhost05.i3c.co.ug>
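To turn the grep above into something reviewable, here is an added example (not part of the original page) that parses postfix/cleanup milter-reject lines of the format shown and counts rejections per sending client and per recipient. The log lines are constructed with placeholder hostnames, IPs and addresses; the field layout follows the real lines above.

```python
import re
from collections import Counter

# Constructed log lines in the postfix/cleanup milter-reject format shown above
# (hostnames, IPs and addresses are placeholders, not real senders)
SAMPLE_LOG = """\
Sep 30 12:28:19 fmail1 postfix/cleanup[24286]: 3CE522023C: milter-reject: END-OF-MESSAGE from mx.sender-a.example[192.0.2.10]: 5.7.1 ERROR - Attachment contains unallowed office macros!; from=<alice@sender-a.example> to=<user1@example.org> proto=ESMTP helo=<mx.sender-a.example>
Sep 30 13:25:23 fmail3 postfix/cleanup[1140]: 3F4AD201A8: milter-reject: END-OF-MESSAGE from relay.sender-b.example[198.51.100.7]: 5.7.1 ERROR - Attachment contains unallowed office macros!; from=<bob@sender-b.example> to=<user2@example.org> proto=ESMTP helo=<relay.sender-b.example>
Sep 30 13:25:36 fmail3 postfix/cleanup[32111]: 28C12201A8: milter-reject: END-OF-MESSAGE from relay.sender-b.example[198.51.100.7]: 5.7.1 ERROR - Attachment contains unallowed office macros!; from=<carol@sender-b.example> to=<user1@example.org> proto=ESMTP helo=<relay.sender-b.example>
Sep 30 13:26:01 fmail3 postfix/smtpd[2001]: connect from relay.sender-b.example[198.51.100.7]
"""

# One regex for the cleanup milter-reject line; non-matching lines are ignored
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/cleanup\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): milter-reject: (?P<stage>[A-Z-]+) from "
    r"(?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d\.\d\.\d) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(log_text, reason_contains="office macros"):
    """Return a list of dicts, one per milter-reject line whose reason text
    contains reason_contains (so other milters' rejections are filtered out)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and reason_contains in m.group("reason"):
            events.append(m.groupdict())
    return events


def rejects_by_client(log_text):
    """Count rejected messages per (client hostname, IP)."""
    return Counter((e["client"], e["ip"]) for e in parse_rejects(log_text))


def rejects_by_recipient(log_text):
    """Count how many macro-bearing mails were aimed at each local recipient."""
    return Counter(e["rcpt"] for e in parse_rejects(log_text))


if __name__ == "__main__":
    for e in parse_rejects(SAMPLE_LOG):
        print(e["ts"], e["host"], e["qid"], e["client"], e["ip"], e["sender"], "->", e["rcpt"])
    print(rejects_by_client(SAMPLE_LOG).most_common(3))
    print(rejects_by_recipient(SAMPLE_LOG).most_common(3))
```

The recipient count is the useful view for a mail admin: a recipient who repeatedly receives macro-bearing mail is worth a word, and a sender relay that appears often is a candidate for a closer look rather than a whitelist entry.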

Integrated into Postfix via milter:

from /etc/postfix/main.cf:

smtpd_milters = inet:localhost:8892, inet:localhost:3690, inet:127.0.0.1:60001

(inet:localhost:3690 → macromilter)

Test with a local file

olevba Dokumente/emailcheck-m.doc

See also

start/mail/macromilter.txt · Last modified: 2019/10/01 09:06 by jans
CC Attribution-Share Alike 4.0 International