Whitelist excel sheet with macros from one email to another

Discussion in 'Installation/Configuration' started by rob_morin, May 30, 2018.

  1. rob_morin

    rob_morin Member HowtoForge Supporter

    Hello, I have a client that needs to receive an Excel sheet with macros in it for business purposes. But they keep getting blocked. How do I enable it for this one client?

    so [email protected] needs to be let in for [email protected]

    I tried using the "Spamfilter WhiteList" in ISPConfig, but that did not work.

    Suggestions?
    Thanks and have a nice day!
     
  2. Taleman

    Taleman Active Member HowtoForge Supporter

    Spamfilter whitelist means sender IP is not blocked, if I have understood it correctly. Spamfilter policy controls what virus and spam blocking is done.
    Set permissive virus policy for that user.
     
  3. rob_morin

    rob_morin Member HowtoForge Supporter

    Thanks for the quick reply Taleman, but are you talking about Spamfilter under User/Domain? As under Whitelist there is not any selection for policy.
    Please clarify... :)
    Thanks..
     
  4. Taleman

    Taleman Active Member HowtoForge Supporter

  5. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    You'd need to turn off spam protection altogether I think... ClamAV has an option to allow macros, but not very customizable I think.
    So basically as soon as amavis sends it to ClamAV ... gone, dunno if I forgot a setting to explicitly disable ClamAV. But disabling spamfilter altogether should work, for that account.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess it should be enough to select a spam policy without antivirus functions to let the Excel sheet pass without the need to disable spam filtering, like @Taleman suggested, so I would try that first before you disable spam filtering completely.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Try e.g. the 'Wants viruses' policy.
     
  8. rob_morin

    rob_morin Member HowtoForge Supporter

    Ok great, did not even know there was that option per mailbox, so very cool..
    :) I put the mailbox in question to wants viruses. Let's see what happens... THANKS!
     
  9. rob_morin

    rob_morin Member HowtoForge Supporter

    Ya, so changing the user's policy to "wants viruses" did not work.. the Excel sheet still gets blocked and deleted.
    What should I try next?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try the non-paying or uncensored policy instead, and ensure that you send to the exact email address of the mailbox and not an alias.
     
  11. rob_morin

    rob_morin Member HowtoForge Supporter

    I set it to non paying and the Excel sheet still gets blocked... Not sure what to do next... any ideas?
    Thanks Till
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    And what about uncensored policy?
     
  13. rob_morin

    rob_morin Member HowtoForge Supporter

    A no go with uncensored:
    Jun 1 10:21:55 mail2 postfix/qmgr[1644]: BF106B000A4: from=<[email protected]_1.com>, size=173857, nrcpt=1 (queue active)
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) ESMTP< MAIL FROM:<[email protected]_1.com> SIZE=173857\r\n
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) lookup [debug_sender] => undef, "[email protected]_1.com" does not match
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) ESMTP> 250 2.1.0 Sender <[email protected]_1.com> OK
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) ESMTP [127.0.0.1]:10024 /var/lib/amavis/tmp/amavis-20180601T101114-11470-NPdNHam2: <[email protected]_1.com> -> <[email protected]_2> SIZE=173857 Received: from mail2.domain_2 ([127.0.0.1]) by localhost (mail2.domain_2 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <[email protected]_2>; Fri, 1 Jun 2018 10:21:55 -0400 (EDT)
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) lookup [AuthToPB,author_to_policy_bank] => undef, "[email protected]_1.com" does not match
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) dkim: VALID third-party signature by d=domain_1-com.20150623.gappssmtp.com, From: <[email protected]_1.com>, a=rsa-sha256, c=relaxed/relaxed, s=20150623, [email protected]_1-com.20150623.gappssmtp.com
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) Checking: 6zibOND9aOid [209.85.214.46] <[email protected]_1.com> -> <[email protected]_2>
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) 2822.From: <[email protected]_1.com>
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) lookup [spam_dsn_cutoff_level_bysender] => true, "[email protected]_1.com" matches, result="100", matching_key="(constant:100)"
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) DSN: FILTER 554 Virus, suppress reason: INFECTED, <[email protected]_1.com> -> <[email protected]_2>
    Jun 1 10:21:55 mail2 amavis[11470]: (11470-14) Blocked INFECTED (Heuristics.OLE2.ContainsMacros) {NoBounceInbound}, [209.85.214.46]:55241 [207.115.98.186] <[email protected]_1.com> -> <[email protected]_2>, Queue-ID: BF106B000A4, Message-ID: <[email protected]_1.com>, mail_id: 6zibOND9aOid, Hits: -, size: 173857, dkim_sd=20150623:domain_1-com.20150623.gappssmtp.com, 278 ms
     
  14. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    You can adjust the cutoff values; to do that, change the settings for the different filter settings. But then it just prevents some false positives. Or you can adjust the ClamAV config for everyone to allow macros.
     
  15. rob_morin

    rob_morin Member HowtoForge Supporter

    Ya nothing works... I tried adjusting the virus settings for "wants all viruses", email still gets blocked. How would I turn off macro blocking for everyone?
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    The settings should work, to me it looks as if the policies don't get applied at all. Try to set a higher debug level in amavis to see which policy gets applied to that email.
     
  17. rob_morin

    rob_morin Member HowtoForge Supporter

    Here is part of the logs with debug on, that I think is relevant..

    Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) lookup [message_size_limit] => false, "[email protected]" matches, result="0", matching_key="id=>"201", sys_userid=>"1", sys_groupid=>"0", sys_perm_user=>"riud", sys_perm_group=>"riud", sys_perm_other=>"r", server_id=>"2", priority=>"5", policy_id=>"5", email=>"@domain1.com", fullname=>"@domain1.com", local=>"Y", id=>"201", sys_userid=>"1", sys_groupid=>"0", sys_perm_user=>"riud", sys_perm_group=>"riud", sys_perm_other=>"r", policy_name=>"Normal", virus_lover=>"N", spam_lover=>"N", banned_files_lover=>"N", bad_header_lover=>"N", bypass_virus_checks=>"N", bypass_spam_checks=>"N", bypass_banned_checks=>"N", bypass_header_checks=>"N", spam_modifies_subj=>"Y", virus_quarantine_to=>"", spam_quarantine_to=>"", banned_quarantine_to=>"", bad_header_quarantine_to=>"", clean_quarantine_to=>"", other_quarantine_to=>"", spam_tag_level=>"-999", spam_tag2_level=>"4.8", spam_kill_level=>"8", spam_dsn_cutoff_level=>"0", spam_quarantine_cutoff_level=>"0", addr_extension_virus=>"...

    Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) ...", addr_extension_spam=>"", addr_extension_banned=>"", addr_extension_bad_header=>"", warnvirusrecip=>"Y", warnbannedrecip=>"Y", warnbadhrecip=>"N", newvirus_admin=>"", virus_admin=>"", banned_admin=>"", bad_header_admin=>"", spam_admin=>"", spam_subject_tag=>"", spam_subject_tag2=>"***SPAM ***", message_size_limit=>"0", banned_rulenames=>"", policyd_quota_in=>"-1", policyd_quota_in_period=>"24", policyd_quota_out=>"-1", policyd_quota_out_period=>"24", policyd_greylist=>"N", id=>"201""
     
  18. rob_morin

    rob_morin Member HowtoForge Supporter

    Oh, maybe this too...


    Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) virus_scan: (Heuristics.OLE2.ContainsMacros), detected by 1 scanners: ClamAV-clamd
    Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) lookup_re("Heuristics.OLE2.ContainsMacros") matches key "(?^:.*)", result="1"
    Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) lookup [viruses_that_fake_sender] => true, "Heuristics.OLE2.ContainsMacros" matches, result="1", matching_key="(?^:.*)"
    Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) Virus Heuristics.OLE2.ContainsMacros matches (?^:.*), sender addr ignored
    Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) oldest_public_ip_addr_from_received: xxx.xxx.xxx.xxx
    Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) lookup_sql_field(virus_lover) rec=0, "[email protected]" result: "0"
    Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) lookup [Lovers1,virus_lovers] => false, "[email protected]" matches, result="0", matching_key="/cached/"
    Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) bypassing of spam checks, message will be blocked anyway due to 9
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    The policy that got applied to this email is the 'Normal' policy. This policy got applied for the whole domain @domain1.com as there was no policy set for this specific email address "[email protected]". The Normal policy does not allow viruses and therefore the attachment was blocked.
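
The reading of the debug output in the post above, as an added example (not part of the thread and not ISPConfig or amavis code): a script that extracts the matched policy record from amavis `lookup` debug lines and reports whether it was a mailbox entry or the domain-wide `@domain` entry. The sample log is constructed from the lines posted in this thread with placeholder addresses and a shortened record; the function and dictionary key names are assumptions of this example.

```python
import re

# Constructed sample modeled on the amavis debug lines posted in this thread;
# addresses are placeholders and the policy record is shortened.
SAMPLE_LOG = '''\
Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) lookup [message_size_limit] => false, "user@domain1.example" matches, result="0", matching_key="id=>"201", policy_id=>"5", email=>"@domain1.example", policy_name=>"Normal", virus_lover=>"N", bypass_virus_checks=>"N", spam_kill_level=>"8", addr_extension_virus=>"...
Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) virus_scan: (Heuristics.OLE2.ContainsMacros), detected by 1 scanners: ClamAV-clamd
Jun 4 08:58:48 mail2 amavis[19843]: (19843-02) lookup [Lovers1,virus_lovers] => false, "user@domain1.example" matches, result="0", matching_key="/cached/"
'''

SESSION = re.compile(r'amavis\[\d+\]: \((\d+-\d+)\) (.*)')
# No end anchor: amavis truncates long records with "..." and continues on the next line.
LOOKUP = re.compile(r'lookup \[[^\]]+\] => \w+, "([^"]+)" matches, .*?matching_key="(.*)')
FIELD = re.compile(r'(\w+)=>"([^"]*)"')
VIRUS = re.compile(r'virus_scan: \(([^)]*)\)')

def applied_policies(log_text):
    """Per amavis session id: detections and the policy record each recipient matched."""
    sessions = {}
    for line in log_text.splitlines():
        m = SESSION.search(line)
        if not m:
            continue
        sid, rest = m.groups()
        info = sessions.setdefault(sid, {"detections": [], "recipients": {}})
        v = VIRUS.search(rest)
        if v:
            info["detections"].append(v.group(1))
        lk = LOOKUP.search(rest)
        if lk:
            fields = dict(FIELD.findall(lk.group(2)))
            if "policy_name" in fields:  # skip keys such as "/cached/" that carry no record
                record = fields.get("email", "")
                info["recipients"][lk.group(1)] = {
                    "matched_record": record,
                    # a record keyed "@domain" is the domain-wide entry, not the mailbox
                    "scope": "domain" if record.startswith("@") else "mailbox",
                    "policy_name": fields["policy_name"],
                    "virus_lover": fields.get("virus_lover"),
                    "bypass_virus_checks": fields.get("bypass_virus_checks"),
                }
    return sessions

if __name__ == "__main__":
    for sid, info in applied_policies(SAMPLE_LOG).items():
        for rcpt, policy in info["recipients"].items():
            print(sid, rcpt, policy, info["detections"])
```

A `scope` of `domain` together with `virus_lover` of `N` is the situation described in the post: the mailbox-level policy was never consulted, so the ClamAV heuristic detection still blocks the message.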
     
  20. rob_morin

    rob_morin Member HowtoForge Supporter

    But it's set for wants viruses?? shorner-1_LI.jpg
     
