This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Received external Signed Messages will be Suspect all the time

Hello,

we have a problem since we start with the PureMessage Unix several years ago and the problem is, that any signed messages we receive will be declared as suspect :(

Did anyone have an idea how we can make singned messages to be trust?

Our PureMessage Unix Version is 6.4.3 at CentOS 7

Thanks

Dirk

This thread was automatically locked due to age.

Parents

0 Red_Warrior over 6 years ago

Hi Dirk,

Can you clarify the "signed" part.. were you referring to PGP or DKIM or some other message singing?

Guessing your seeing this:

https://community.sophos.com/products/puremessage/f/sophos-puremessage/102265/puremessage-for-unix-now-detects-openpgp-gpg
Cancel
Vote Up 0 Vote Down

Cancel
0 Dirk L over 6 years ago in reply to Red_Warrior

Hi Red_Warrior,

booth types will be seen as suspect, the SMIME:

Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

and the PGP Signature:

Content-Type: application/pgp-signature;
name=signature.asc
Content-Description: Message signed with OpenPGP

I will test the 132007 from the Knowledge Base and write the result here, thank for inform me about the article.

Thanks

Dirk
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Dirk L over 6 years ago in reply to Red_Warrior

Hi Red_Warrior,

booth types will be seen as suspect, the SMIME:

Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

and the PGP Signature:

Content-Type: application/pgp-signature;
name=signature.asc
Content-Description: Message signed with OpenPGP

I will test the 132007 from the Knowledge Base and write the result here, thank for inform me about the article.

Thanks

Dirk
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Dirk L over 6 years ago in reply to Dirk L

Hi Red_Warrior,

it´s me again, i have updated to the newest Puremessage Version 6.4.4 and put the cantscan Rules in the policy for the Suspect Rule:

# attr NAME=Suspicious attachments
    if pmx_suspect_attachment :tft {
         # Either there is a suspect attachment OR
         # the AV engine encountered an error while classifying the attachments
         # attr NAME=Deliver and mark mail containing unscannable attachments
         if pmx_cantscan {
                     # the AV engine encountered an error while classifying the attachments
                     pmx_replace_header :index 0 "Subject" "[POTENTIAL SUSPECT ATTACHMENT] %%SUBJECT%%";
                     pmx_mark "pmx_reason" "Unscannable";
         }
         # attr NAME=Quarantine mail containing suspicious attachments
         else {
         # There is a suspect attachment
                     pmx_mark "pmx_reason" "Suspect";
                     pmx_quarantine "Suspect";
                     stop;
         }
     }
     # attr NAME=Deliver there is no suspect attachment
     else {
         # there is no suspect attachment
     }

But it will not work :(

The pmx_log writes: quarantine: Suspect

Is it possible that the "Suspect attachment types" are the reason for the Suspect declaration?

We have the Suspect attachment types:
message/external-body
message/partial

Thanks

Dirk
Cancel
Vote Up 0 Vote Down

Cancel
0 Red_Warrior over 6 years ago in reply to Dirk L

Yes that is a possibility, PMX will run policy in the exact order of your .siv file

the other thing here is exactly how is this email scanning. you could could get some further insite into the file by looking at the folling

create a test sample:

sudo su - pmx6

cd /tmp

touch test.eml

vi test.eml

i

shift + insert

:wq!

conduct a policy inject:

pmx-policy inject test.eml --relay external --dry-run -v -v -v >output.txt

this will inject the email into the milter process and output to output.txt .. then just grep the file or open it up and have a read through it.. it will be in order and contain RULE HIT: with the rules.. this will help you determine exactly what rule and the order they are hitting. It will also give you a sample for support.

Test the file:

pmx-list-true-filetypes test.eml

Test vs av scanning:

step #1 enable daemon mode

cp -p /opt/pmx6/etc/virus.d/sophos.conf /opt/pmx6/etc/virus.d/sophos.conf.bak

vi /opt/pmx6/etc/virus.d/sophos.conf

change "daemon" from = __DEFAULT__

to : daemon = on

:wq!

pmx restart

pmx-vscan scan test.eml

this will ensure the file is unscanable ..

Notes:

You may wish to output all of the results to files and at that point open a support case.. I don not recommend posting configuration or results of these test to the forums.

from what your saying I'm guessing these 3 tests will allow you to ensure the file types and order are been scanned correctly.. along with the modification of the can't scan rule.

Other things you could do is create a general rule to scan for the pgp marker (or a specific marker) then use that rule context in your cant scan rule as ! rule..

so your basically saying, pmx cant scan.. except if you see --pgp begin-- or something along those lines..

to revert to on-access scanning just replace the config file and restart pmx .. or if you want to run the scanner all the time and get a lot of files to scan you may wish to leave it in daemon mode. up to you.
Cancel
Vote Up 0 Vote Down

Cancel