
debian, amavis, virus inside archive


One of my clients informed me that amavis skips some file types. The mail server configuration is really simple: Postfix as the SMTP server and amavis working as a content filter. amavis also runs SpamAssassin and the clamd antivirus. amavis takes the files from the attachments and unpacks them. An lha file is not detected.

Short investigation

First I decided to run amavis in debug mode and verify how the virus passed Postfix+amavis.

root@newserver:/var/lib/amavis# /etc/init.d/amavis stop
[ ok ] Stopping amavis (via systemctl): amavis.service.
root@newserver:/var/lib/amavis# /etc/init.d/amavis debug 
Trying to run amavisd-new in debug mode.

Debug mode reports the loaded plugins (decoders):
Nov 13 22:07:23.335 newserver.  /usr/sbin/amavisd-new[40334]: Found decoder for    .cpio at /bin/pax
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: Found decoder for    .tar  at /bin/pax
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: Found decoder for    .deb  at /usr/bin/ar
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .rar, tried: unrar-free
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: Found decoder for    .arj  at /usr/bin/arj
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .arc, tried: nomarch, arc
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .zoo, tried: zoo
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: Found decoder for    .doc  at /usr/bin/ripole
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: Found decoder for    .cab  at /usr/bin/cabextract
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: Internal decoder for .tnef
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .zip, tried: 7za, 7z
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .kmz, tried: 7za, 7z
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: Internal decoder for .zip 
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: Internal decoder for .kmz 
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: Found decoder for    .7z   at /usr/bin/7zr
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .jar, tried: 7z
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .rar, tried: 7z
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .swf, tried: 7z
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .lha, tried: 7z
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .iso, tried: 7z
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .rpm, tried: 7z
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: Found decoder for    .exe  at /usr/bin/arj
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .F   
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .arc 
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .iso 
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .jar 
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .lha 
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .lrz 
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .lz4 
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .lzo 
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .rar 
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .rpm 
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .swf 
Nov 13 22:07:23.338 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .zoo 

No decoder for lha! But lha is installed in the system. It looks like a problem with paths, or a misconfigured chroot. amavis finds arj but cannot find lha in the same directory, and no chroot is set up (I have not seen an amavis chroot howto for Linux; it is a good subject for a next post). Checking the code was my last step. amavis has the following code:

    ['tnef', \&Amavis::Unpackers::do_tnef],
#   ['lha',  \&Amavis::Unpackers::do_lha,   \$lha],  # not safe, use 7z instead
#   ['sit',  \&Amavis::Unpackers::do_unstuff, \$unstuff],  # not safe
    [['zip','kmz'], \&Amavis::Unpackers::do_7zip,  ['7za', '7z'] ],
  

amavis does not use lha; it uses 7z. The solution is simple:
root@newserver:/home/serg# aptitude search 7z
p   i7z                                                                              - reporting tool for i7, i5, i3 CPUs                                                         
p   i7z:i386                                                                         - reporting tool for i7, i5, i3 CPUs                                                         
p   i7z-gui                                                                          - GUI for i7z, a reporting tool for i7, i5, i3 CPUs                                          
p   i7z-gui:i386                                                                     - GUI for i7z, a reporting tool for i7, i5, i3 CPUs                                          
i   p7zip                                                                            - 7zr file archiver with high compression ratio                                              
p   p7zip:i386                                                                       - 7zr file archiver with high compression ratio                                              
p   p7zip-full                                                                       - 7z and 7za file archivers with high compression ratio                                      
p   p7zip-full:i386                                                                  - 7z and 7za file archivers with high compression ratio                                      
p   p7zip-rar                                                                        - non-free rar module for p7zip                                                              
p   p7zip-rar:i386                                                                   - non-free rar module for p7zip                                                              
root@newserver:/home/serg# aptitude install p7zip-full
Наступні НОВІ пакунки будуть встановлені:    
  p7zip-full 
0 пакунків оновлено, 1 нових встановлено, 0 видалено і 745 не оновлено.
Потрібно отримати 1 115 kb архівів. Після розпакування 4 513 kb буде зайнято.
Отр: 1 http://deb.debian.org/debian stretch/main amd64 p7zip-full amd64 16.02+dfsg-3+deb9u1 [1 115 kB]
Стягнено 1 115 kb за 0с (1 953 kb/s)
Selecting previously unselected package p7zip-full.
(Reading database ... 74600 files and directories currently installed.)
Preparing to unpack .../p7zip-full_16.02+dfsg-3+deb9u1_amd64.deb ...
Unpacking p7zip-full (16.02+dfsg-3+deb9u1) ...
Processing triggers for man-db (2.7.4-1) ...
Setting up p7zip-full (16.02+dfsg-3+deb9u1) ...

After this, amavis unpacks lha archives and clamd can catch viruses!
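Reading the decoder list by hand is error-prone, so here is an added check (not part of the original post or of amavisd-new): it parses the debug output in the format shown above, lists every archive type that still has no decoder (those attachments reach clamd still packed), and names the external programs amavis looked for. The sample log is constructed from the lines above; the script and its function names are my own.

```python
import re
import shutil

# Constructed sample in the amavisd-new debug format shown above.
SAMPLE_LOG = """\
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: Found decoder for    .arj  at /usr/bin/arj
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .rar, tried: unrar-free
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .zip, tried: 7za, 7z
Nov 13 22:07:23.336 newserver.  /usr/sbin/amavisd-new[40334]: Internal decoder for .zip
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .lha, tried: 7z
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No ext program for   .rar, tried: 7z
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .lha
Nov 13 22:07:23.337 newserver.  /usr/sbin/amavisd-new[40334]: No decoder for       .rar
"""

FOUND = re.compile(r"(?:Found|Internal) decoder for\s+(\.\S+)")
TRIED = re.compile(r"No ext program for\s+(\.\S+), tried: (.+?)\s*$")
NODEC = re.compile(r"No decoder for\s+(\.\S+)")

def parse_decoders(log_text):
    """(covered, missing): types with a decoder, and types without one -> programs tried."""
    covered, tried, missing = set(), {}, {}
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            covered.add(m.group(1))
        elif m := TRIED.search(line):
            progs = [p.strip() for p in m.group(2).split(",")]
            tried.setdefault(m.group(1), []).extend(progs)
        elif m := NODEC.search(line):
            # Archive types listed here reach clamd still packed.
            missing[m.group(1)] = sorted(set(tried.get(m.group(1), [])))
    return covered, missing

def programs_to_install(missing, which=shutil.which):
    """Programs absent from PATH that would give each undecodable type a decoder."""
    needed = set()
    for progs in missing.values():
        if progs and not any(which(p) for p in progs):  # one present is enough
            needed.update(progs)
    return sorted(needed)

if __name__ == "__main__":  # usage: python3 audit.py < amavis-debug.txt
    import sys
    covered, missing = parse_decoders(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG)
    for ext, progs in missing.items():
        print(f"{ext}: no decoder, amavis tried: {', '.join(progs) or 'nothing'}")
    print("candidates to install:", programs_to_install(missing) or "none")
```

shutil.which looks at the PATH of the user running the script, which can differ from the $path configured for amavis, so the authoritative confirmation is still a "Found decoder for .lha" line in a fresh debug run after installing p7zip-full.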
